What Is a VLAN? How Network Segmentation Protects Your Business

If your business runs everything on one flat network — staff laptops, guest WiFi, printers, CCTV, and payment terminals all sharing the same connection — you have a security problem. A single compromised device could give an attacker access to your entire infrastructure.

VLANs solve this. They're one of the most effective and affordable ways to strengthen your network security, and virtually every business-grade switch and router supports them.

What Is a VLAN?

VLAN stands for Virtual Local Area Network. It's a way of dividing one physical network into multiple isolated logical networks. Devices on one VLAN cannot communicate with devices on another VLAN unless you explicitly allow it through your router or firewall.

Think of it like dividing an open-plan office into separate rooms with locked doors. Everyone is still in the same building (the same physical network), but each room (VLAN) is private and access between them is controlled.

How VLANs Work

VLANs operate at Layer 2 of the network (the data link layer). When you configure a VLAN on a managed switch, each port is assigned to a specific VLAN ID. Frames are tagged with that ID as they move between switches, and switches only forward traffic to ports belonging to the same VLAN.

Key concepts:

  • Access ports — connect to end devices (laptops, printers) and carry traffic for a single VLAN
  • Trunk ports — connect switches to each other (or to a router) and carry traffic for multiple VLANs simultaneously, using 802.1Q tagging
  • Inter-VLAN routing — if you need controlled communication between VLANs, your router or Layer 3 switch handles this, applying firewall rules to decide what's allowed
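The tagging and forwarding behaviour described above, as an added example (not code from the original article). It models a single switch with no native VLAN and no MAC learning; the port table and the sample frame are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

# Constructed port table: access ports carry one VLAN untagged,
# the trunk carries several VLANs tagged.
PORTS = {
    1: {"mode": "access", "vlan": 10},
    2: {"mode": "access", "vlan": 10},
    3: {"mode": "access", "vlan": 30},
    8: {"mode": "trunk", "allowed": {10, 30}},
}

def parse_vlan_tag(frame):
    """Return (vlan_id, priority, frame_without_tag); vlan_id is None if untagged."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None, None, frame
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    # TCI layout: 3 bits priority, 1 bit DEI, 12 bits VLAN ID
    return tci & 0x0FFF, tci >> 13, frame[:12] + frame[16:]

def add_vlan_tag(frame, vlan_id, priority=0):
    """Insert the 4-byte 802.1Q tag after the source MAC address."""
    tag = struct.pack("!HH", TPID_8021Q, (priority << 13) | vlan_id)
    return frame[:12] + tag + frame[12:]

def flood(ingress, frame, ports=PORTS):
    """Return {egress_port: frame} for a broadcast frame arriving on `ingress`."""
    vlan_id, _, untagged = parse_vlan_tag(frame)
    cfg = ports[ingress]
    if cfg["mode"] == "access":
        if vlan_id is not None:
            return {}          # toy model: tagged frame on an access port is dropped
        vlan_id = cfg["vlan"]  # the port assignment decides the VLAN
    elif vlan_id is None or vlan_id not in cfg["allowed"]:
        return {}              # toy trunk: no native VLAN, unlisted VLANs dropped
    out = {}
    for port, c in ports.items():
        if port != ingress and c["mode"] == "access" and c["vlan"] == vlan_id:
            out[port] = untagged                         # tag removed on access ports
        elif port != ingress and c["mode"] == "trunk" and vlan_id in c["allowed"]:
            out[port] = add_vlan_tag(untagged, vlan_id)  # tag kept on the trunk
    return out

# Constructed broadcast frame: dst ff:ff:ff:ff:ff:ff, EtherType 0x0806 (ARP)
ARP_BROADCAST = b"\xff" * 6 + bytes.fromhex("020000000001") + b"\x08\x06" + b"\x00" * 28
```

A broadcast entering access port 1 leaves on port 2 untagged and on trunk port 8 tagged with VLAN 10; the guest port 3 never sees it.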

Why Your Business Needs VLANs

Network segmentation isn't just for large enterprises. Any business with more than a handful of devices benefits from VLANs. Here's why:

1. Security

The most compelling reason. VLANs contain breaches. If a guest connects to your WiFi and their device is infected with malware, it can't spread to your accounting server or customer database — because those systems are on a different VLAN with no direct path between them.

This is a core principle of zero trust security — never assume any device or user is safe just because they're on the network.

2. Compliance

If you process card payments, PCI DSS requires that your payment systems are isolated from the rest of your network. VLANs are the standard way to achieve this. Similarly, GDPR best practice recommends segregating systems that handle personal data.

3. Performance

Broadcast traffic (ARP requests, DHCP discovery, network announcements) goes to every device on a VLAN. On a large flat network, this broadcast traffic can consume significant bandwidth. VLANs limit broadcast domains, so each segment only handles its own broadcasts.

4. Easier Management

VLANs make it simpler to apply different policies to different groups. Your IoT devices might need internet access but no access to internal servers. Your CCTV system might need its own isolated segment with access only from the security office. VLANs let you enforce these rules cleanly.

Common VLAN Configurations for UK Businesses

A typical small business might use four or five VLANs:

  • VLAN 10 — Corporate: staff laptops, desktops, and business applications
  • VLAN 20 — VoIP: IP phones and video conferencing equipment, with QoS priority
  • VLAN 30 — Guest: visitor WiFi with internet access only, no access to internal resources
  • VLAN 40 — IoT/CCTV: cameras, sensors, smart devices — isolated from everything else
  • VLAN 50 — Servers: file servers, application servers, with tightly controlled access

Your firewall rules then control exactly which VLANs can talk to each other and on which ports. For example, the corporate VLAN can access the server VLAN on specific ports, but the guest VLAN can only reach the internet. Read more in our guide to business firewall solutions.

What Hardware Do You Need?

VLANs require managed switches — unmanaged (basic plug-and-play) switches don't support VLAN tagging. The good news is that managed switches are affordable for small businesses, starting from around £50–£100 for an 8-port model.

You'll also need:

  • A VLAN-capable router or firewall — to handle inter-VLAN routing and apply access rules
  • VLAN-aware wireless access points — to assign different SSIDs to different VLANs (e.g., "CompanyName-Staff" on VLAN 10, "CompanyName-Guest" on VLAN 30)

Most business-grade networking equipment from brands like Ubiquiti, Cisco, Draytek, and TP-Link supports VLANs out of the box.

How to Set Up VLANs: Overview

While the exact steps depend on your hardware, the general process is:

  1. Plan your VLANs — decide how many segments you need and assign VLAN IDs and IP subnets to each
  2. Configure your switch — assign each port to the correct VLAN; set trunk ports between switches and to your router
  3. Configure your router/firewall — create sub-interfaces for each VLAN, assign IP addresses, set up DHCP scopes, and define firewall rules
  4. Configure wireless APs — map each SSID to the appropriate VLAN
  5. Test thoroughly — confirm devices on each VLAN can access what they should and cannot access what they shouldn't

Common VLAN Mistakes

  • Leaving the default VLAN (VLAN 1) in use — best practice is to move all traffic off VLAN 1 and use it only for switch management
  • Not restricting inter-VLAN traffic — creating VLANs but then allowing all traffic between them defeats the purpose
  • Forgetting to tag trunk ports correctly — misconfigurations cause devices to lose connectivity or end up on the wrong segment
  • No documentation — record your VLAN IDs, subnets, port assignments, and firewall rules so anyone managing the network can understand the setup
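One way to check a documented setup for these mistakes, and to carry out the "test thoroughly" step from the overview, as an added example (not code from the original article). The VLAN plan is the one listed earlier; the port names, the rule format and the probed TCP ports are assumptions made for illustration.

```python
# Constructed data: the VLAN plan from this article plus a sample switch and rule set.
PLAN = {10: "Corporate", 20: "VoIP", 30: "Guest", 40: "IoT/CCTV", 50: "Servers"}
PORTS = {
    "sw1/1": {"mode": "access", "vlan": 10},
    "sw1/2": {"mode": "access", "vlan": 1},                 # left on the default VLAN
    "sw1/3": {"mode": "access", "vlan": 40},
    "sw1/24": {"mode": "trunk", "allowed": {10, 30, 50}},   # VLAN 40 not carried
}
# Inter-VLAN rules, first match wins, anything unmatched is denied.
# "any" as dst means any other VLAN; internet egress is outside this model.
RULES = [
    {"src": 10, "dst": 50, "port": 445, "action": "allow"},
    {"src": 30, "dst": "any", "port": "any", "action": "allow"},  # guest any-any
]

def allowed(src, dst, port, rules):
    """First-match evaluation with an implicit default deny."""
    for r in rules:
        if r["src"] in (src, "any") and r["dst"] in (dst, "any") and r["port"] in (port, "any"):
            return r["action"] == "allow"
    return False

def audit(plan, ports, rules, guest=30, probe_ports=(22, 445, 3389)):
    """Return a list of findings for the mistakes listed above."""
    findings, used = [], set()
    for name, cfg in sorted(ports.items()):
        if cfg["mode"] == "access":
            used.add(cfg["vlan"])
            if cfg["vlan"] == 1:
                findings.append(f"{name}: access port on default VLAN 1")
            elif cfg["vlan"] not in plan:
                findings.append(f"{name}: VLAN {cfg['vlan']} is not in the documented plan")
    for name, cfg in sorted(ports.items()):
        if cfg["mode"] == "trunk":
            missing = sorted((used & set(plan)) - cfg["allowed"])
            if missing:
                findings.append(f"{name}: trunk does not carry VLANs {missing}")
    for r in rules:
        if r["action"] == "allow" and r["dst"] == "any" and r["port"] == "any":
            findings.append(f"rule from VLAN {r['src']}: allows all inter-VLAN traffic")
    for dst in plan:  # the guest VLAN must not reach any internal VLAN
        if dst != guest and any(allowed(guest, dst, p, rules) for p in probe_ports):
            findings.append(f"Guest VLAN {guest} can reach VLAN {dst} ({plan[dst]})")
    return findings
```

Running `audit(PLAN, PORTS, RULES)` on the sample data reports the VLAN 1 port, the trunk that omits VLAN 40, the any-any guest rule and each internal VLAN the guest network can reach; a corrected configuration returns an empty list.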

Should You Set Up VLANs Yourself?

If you're comfortable with network administration, setting up basic VLANs on a small network is manageable. However, misconfiguration can knock out connectivity for your entire office, so many businesses prefer to have a managed IT provider handle it.

A professional can design the segmentation, configure the hardware, test everything, and document the setup — typically in a few hours for a standard office environment.
