VLANs Explained: Why Every Business Network Needs Segmentation
Virtual LANs (VLANs) are one of the most important yet overlooked tools in business networking. By logically segmenting a single physical network into isolated broadcast domains, VLANs improve security, boost performance, and simplify management. This guide explains how VLANs work, why they matter, and how to start using them on your managed switch.
What Is a VLAN?
A Virtual Local Area Network (VLAN) is a logical grouping of devices on one or more physical switches that can communicate as though they are on the same isolated network segment, regardless of their physical location. Without VLANs, every device connected to a switch shares a single broadcast domain. That means a broadcast packet sent by one device reaches every other device on the network, wasting bandwidth and creating potential security risks.
Think of a VLAN as a virtual wall inside your switch. Devices on VLAN 10 cannot see or talk to devices on VLAN 20 unless a router or Layer 3 switch explicitly allows traffic between them. This concept is called inter-VLAN routing, and it gives network administrators precise control over which parts of the network can communicate.
Tagged vs Untagged Ports
When configuring VLANs on a managed switch, you will encounter two key concepts: tagged and untagged ports.
An untagged (access) port belongs to exactly one VLAN. The device connected to it, such as a desktop PC or IP phone, has no idea a VLAN exists. The switch silently adds the VLAN tag to incoming frames and strips it on the way out. This is the most common configuration for end-user devices.
A tagged (trunk) port carries traffic for multiple VLANs simultaneously. Each Ethernet frame on a trunk link includes an IEEE 802.1Q header that identifies which VLAN the frame belongs to. Trunk ports are typically used between switches, between a switch and a router, or between a switch and a virtualisation host that needs access to several VLANs at once.
Why Your Business Needs VLANs
Security
VLANs are a fundamental layer of network security. By isolating sensitive systems, such as finance servers, point-of-sale terminals, or security cameras, onto their own VLAN, you reduce the attack surface. If a device on the guest WiFi VLAN is compromised, the attacker cannot easily pivot to your corporate VLAN because the two segments are logically separated. Firewall rules at the inter-VLAN routing point provide an additional enforcement layer.
Performance
Every broadcast packet consumes bandwidth and CPU cycles on every device that receives it. In a flat network with hundreds of devices, broadcast storms can bring the entire network to its knees. VLANs shrink broadcast domains, so a chatty printer or a misbehaving IoT sensor only affects devices in its own VLAN, leaving the rest of the network unaffected.
Management and Compliance
Regulatory frameworks like PCI-DSS explicitly require network segmentation to protect cardholder data. VLANs make it straightforward to demonstrate that payment systems are isolated from the general network. They also simplify IP address management: each VLAN has its own subnet, making troubleshooting and auditing much easier.
VLAN Segmented Network vs Flat Network
| Feature | VLAN Segmented Network | Flat Network |
|---|---|---|
| Broadcast domain size | Small and contained per VLAN | Entire network |
| Security isolation | Logical separation between segments | No isolation; all devices share access |
| Performance under load | Stable; broadcast traffic is limited | Degrades as device count grows |
| Compliance readiness | Supports PCI-DSS and similar standards | Difficult to achieve segmentation requirements |
| Management complexity | Moderate; requires planning and managed switches | Simple initial setup, harder to scale |
| Troubleshooting | Easier; issues are contained to a VLAN | Harder; problems affect the entire network |
Practical VLAN Examples
Here are common VLAN configurations seen in small and medium businesses:
Guest WiFi (VLAN 50): Visitors connect to a wireless SSID that maps to a dedicated VLAN. This VLAN has internet access but absolutely no route to internal resources. Bandwidth throttling can be applied at the VLAN level to prevent guests from saturating your connection.
VoIP (VLAN 100): IP phones are placed on their own VLAN with Quality of Service (QoS) policies that prioritise voice traffic. This prevents a large file download from causing choppy phone calls.
IoT and Security Cameras (VLAN 200): Smart sensors, CCTV cameras, and building management devices are notoriously insecure. Isolating them on a locked-down VLAN with strict firewall rules prevents compromised IoT devices from being used as a foothold into your core network.
How to Set Up VLANs on a Managed Switch
The exact steps vary by vendor, but the general process is the same across most managed switches from brands like Ubiquiti, MikroTik, Cisco, or Netgear:
1. Plan your VLANs. Decide how many VLANs you need and assign each a VLAN ID and subnet. For example, VLAN 10 = 192.168.10.0/24 for corporate, VLAN 20 = 192.168.20.0/24 for servers, VLAN 50 = 192.168.50.0/24 for guests.
2. Create VLANs on the switch. Log into the switch management interface and define each VLAN by its ID and name.
3. Assign access ports. For each port that connects to an end device, set it as an untagged member of the appropriate VLAN.
4. Configure trunk ports. For uplinks between switches or to your router, set the port as a tagged member of all VLANs that need to traverse that link.
5. Set up inter-VLAN routing. On your router or Layer 3 switch, create a virtual interface (SVI) for each VLAN subnet and apply firewall rules to control traffic between VLANs.
6. Configure DHCP. Ensure each VLAN has its own DHCP scope so devices receive an IP address in the correct subnet.
Important: Always keep a management VLAN with a known static IP on your switch. If you misconfigure VLAN assignments, you could lock yourself out of the switch management interface. Many administrators reserve VLAN 1 or a dedicated management VLAN for this purpose.
Yes. Unmanaged switches do not support VLAN tagging. You need at minimum a smart-managed or fully managed switch that supports IEEE 802.1Q. Most business-grade switches from brands like Ubiquiti, MikroTik, Netgear, and Cisco support VLANs.
The IEEE 802.1Q standard supports up to 4094 VLANs (IDs 1 to 4094). In practice, most small business environments use fewer than 20 VLANs. The limiting factor is rarely the switch but rather the complexity of managing too many segments.
Not by default. VLANs create isolated broadcast domains. To allow communication between VLANs, you need a router or Layer 3 switch performing inter-VLAN routing, along with firewall rules that permit only the traffic you want to allow.
No. VLANs are handled in hardware by the switch ASIC and add negligible overhead. In fact, VLANs typically improve performance by reducing unnecessary broadcast traffic across the network.
A VLAN operates at Layer 2 (data link) and defines a broadcast domain. A subnet operates at Layer 3 (network) and defines an IP address range. In practice, each VLAN is typically mapped to a single subnet, but they are technically separate concepts.
