VLANs [TechTrav Wiki]


VLANs

VLAN stands for Virtual Local Area Network. The best way to think about a VLAN is as a physical network of its own, except that it is logical rather than physical. Here's how you can visually think of VLANs:

You can see we have 3 networks - RED, BLUE, and GREEN. Each has its own subnet, router, and switch. There are 3 computers attached to each of these networks. Now imagine we combine these three separate networks into one physical network, but we still keep the RED, BLUE, and GREEN networks separate.

And just like that, we now have 3 independent networks running on a single physical network. Each of these networks is a virtual LAN inside the main LAN, or rather each of these networks is a VLAN inside the LAN. The only difference is that these LANs share existing equipment (such as the switch and router) but are logically isolated from each other.

VLANs in UniFi

UniFi supports VLANs like you would expect. However, they do work differently than what you're probably used to. If you're a network administrator in a corporate environment, you're probably used to the way Cisco handles VLANs. The way UniFi handles VLANs is different but similar. If you have any Cisco proprietary knowledge in your head, forget it. CDP does not work in UniFi. Instead, you need to use LLDP. There are no “trunk” ports in UniFi - that's a Cisco term. Same with “access”.

Creating a VLAN

To create a VLAN, log in to your UniFi controller, go to your site, and then go to Settings > Networks > Local Networks. Click on the button “Create New Local Network.”

If you're prompted to create a Standard or Advanced network, click on Advanced.

Here's where things differ a little bit. In the Cisco world, you just create VLANs and worry about the details later. With UniFi, you need to decide whether this is a VLAN-only network (just a plain old 802.1Q tag) or a new VLAN complete with subnet. Here's a hint - if you have a USG acting as your router, you want the latter.

VLAN only gives you a rather simple set of options. Use this option if you have another firewall/router doing the routing. Give it a name, enter the VLAN ID (tag/number), and choose whether you want IGMP snooping and DHCP guarding.

If you want a new VLAN complete with subnet, select the network purpose as “corporate”. Corporate will give you the option to set a VLAN ID, subnet, DHCP range, etc. You're essentially creating “router-on-a-stick” with this method - your USG will be the gateway.

tech/unifi/vlans.txt · Last modified: 2020/07/30 00:06 by 127.0.0.1
