Running everything on a single flat network is one of the most common — and most avoidable — mistakes small businesses make. When your guest WiFi, staff workstations, IP cameras, VoIP phones, and payment terminals all share the same broadcast domain, a single compromised device can reach everything else. VLANs fix that. This guide explains what they are, what hardware you need, and how to plan a practical segmentation for a business with 5–50 staff.
What a VLAN actually is
A Virtual LAN (VLAN) is a logical grouping of network ports and wireless clients that behaves as if it were a separate physical network — even though the traffic all flows over the same cables and switches. Devices in VLAN 10 cannot communicate directly with devices in VLAN 20 unless your firewall explicitly permits it. That isolation is the point.
The IEEE 802.1Q standard defines how switches and access points tag frames with a VLAN ID: a four-byte tag inserted after the source MAC, carrying a 12-bit VLAN ID and a 3-bit priority field. A managed switch sends tagged traffic across "trunk" links (typically the uplink to your firewall and to your APs) and untagged traffic out "access" ports to end devices. End devices — a PC, a printer, a camera — never see the tag. The one common exception is an IP phone with a PC daisy-chained through it: the phone is configured to tag its own frames with the voice VLAN while passing the PC's frames through untagged, so that port carries both the voice VLAN (tagged) and the staff VLAN (untagged).
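To make the tag concrete, here is an added example (not code from the original article) that builds and parses 802.1Q-tagged Ethernet frames in Python: what a switch inserts on a trunk, what it strips on an access port, and how the priority bits used for VoIP QoS sit in the same tag. The MAC addresses and payload are constructed sample values.

```python
"""Build and parse IEEE 802.1Q-tagged Ethernet frames.

Added example, not from the original article: it shows the four bytes a
managed switch inserts when it forwards a frame out a trunk port and strips
when it forwards out an access port. The MAC addresses and payload below
are constructed sample values.
"""
import struct

TPID_8021Q = 0x8100     # EtherType position holds 0x8100 when a tag follows
ETHERTYPE_IPV4 = 0x0800

# Constructed sample addresses (locally administered) and payload.
DST = bytes.fromhex("020000000001")
SRC = bytes.fromhex("020000000002")
PAYLOAD = b"constructed IP packet bytes"


def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Return an Ethernet frame, inserting an 802.1Q tag when vlan_id is given.

    The Tag Control Information word is PCP (3 bits, the QoS priority used
    for VoIP) | DEI (1 bit, left 0) | VID (12 bits).
    """
    if not 0 <= pcp <= 7:
        raise ValueError("PCP is a 3-bit field")
    frame = dst + src
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:          # 0 and 4095 are reserved
            raise ValueError("VLAN ID must be 1..4094")
        tci = (pcp << 13) | vlan_id
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Decode a frame; vlan_id and pcp are None when no tag is present."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan_id = pcp = None
    offset = 14
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, vlan_id, offset = tci >> 13, tci & 0x0FFF, 18
    return {"dst": dst, "src": src, "vlan_id": vlan_id, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[offset:]}


def add_tag(frame, vlan_id, pcp=0):
    """Trunk-port egress: tag an untagged frame with the VLAN it was received on."""
    f = parse_frame(frame)
    if f["vlan_id"] is not None:
        raise ValueError("frame is already tagged")
    return build_frame(f["dst"], f["src"], f["ethertype"], f["payload"], vlan_id, pcp)


def strip_tag(frame):
    """Access-port egress: hand the end device an untagged frame."""
    f = parse_frame(frame)
    return build_frame(f["dst"], f["src"], f["ethertype"], f["payload"])


def ingress_vlan(frame, port_access_vlan):
    """VLAN a switch associates with a received frame: the tag's VID on a
    trunk, the port's configured access VLAN for an untagged frame."""
    vid = parse_frame(frame)["vlan_id"]
    return port_access_vlan if vid is None else vid


if __name__ == "__main__":
    plain = build_frame(DST, SRC, ETHERTYPE_IPV4, PAYLOAD)
    on_trunk = add_tag(plain, vlan_id=30, pcp=5)       # VoIP VLAN, high priority
    print(on_trunk[12:18].hex())                       # tag bytes: 8100a01e0800
    print(parse_frame(on_trunk))
    print(strip_tag(on_trunk) == plain)
```

Note that the tag sits where the EtherType normally is, which is why a device that does not understand 802.1Q (a consumer AP, an unmanaged switch that strips or mangles tags) breaks a trunk rather than merely ignoring it.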
Why segment your small business network
Guest WiFi is the obvious starting point. Customers and visitors should be able to reach the internet and nothing else. Without a separate VLAN, a guest device sits on the same network as your file server, NAS, or accounting software.
Beyond guests, the real risk areas are:
- VoIP phones — SIP traffic is latency-sensitive and should be QoS-prioritised; a phone shouldn’t be able to probe your workstations
- CCTV and IoT devices — IP cameras, smart sensors, and building automation gear are notoriously poorly patched; isolate them
- Payments / POS terminals — PCI DSS does not strictly mandate segmentation, but it is the accepted way to keep the cardholder data environment small: without it, every device on the flat network is in scope for assessment, and the firewall controls PCI DSS does require between the cardholder environment and untrusted networks become impossible to demonstrate
- Staff workstations — your primary trusted network, but still separate from servers if you run any internal services
Hardware you need
Three pieces of infrastructure are required. You cannot do this with a home router and an unmanaged switch.
1. Managed or smart switch — must support 802.1Q VLAN tagging. Layer 2 smart switches (TP-Link TL-SG108E and similar) handle basic VLAN assignment at a low price point. Layer 3 managed switches add inter-VLAN routing in hardware, which matters if you have high volumes of traffic between segments. Be aware that routing on the switch bypasses your firewall: if you enable it, either apply the same rules as switch ACLs or leave inter-VLAN routing to the firewall and use the switch purely at layer 2.
2. VLAN-aware firewall or gateway — this terminates your VLAN trunk from the switch, assigns a gateway IP and DHCP scope per VLAN, and enforces rules between segments. UniFi Dream Machine Pro, Omada ER series, and appliances running pfSense (Netgate) or OPNsense (Deciso) are common choices at SMB scale.
3. VLAN-capable access points — APs need to broadcast multiple SSIDs, each tagged to a different VLAN, over the same radio hardware. Most enterprise and prosumer APs (UniFi, Omada, Ruckus) handle this. Consumer APs typically cannot.
A simple VLAN plan
This is a starting point for a typical retail or professional services business. Adjust to your own risk profile.
| VLAN ID | Purpose | Example devices | Internet | Access to other VLANs |
|---|---|---|---|---|
| 10 | Staff LAN | Workstations, laptops, printers | Yes | Only what explicit rules permit (e.g. the NVR) |
| 20 | Guest WiFi | Customer devices, visitor laptops | Yes | None |
| 30 | VoIP | IP phones, SBC | Yes (SIP trunk only) | None |
| 40 | IoT / CCTV | IP cameras, NVR, sensors | Blocked | None (cameras and NVR share the VLAN; staff reach the NVR via a rule) |
| 50 | Payments / POS | Terminals, payment gateway server | Yes (processor ranges only) | None |
The IoT VLAN is often given no internet access at all, with a specific rule permitting firmware update servers if needed. The payments VLAN should have the most restrictive ruleset — outbound only to known payment processor IP ranges.
Inter-VLAN routing and firewall rules
Your firewall is the only device that should route between VLANs, and it should do so only where explicitly required. A useful default policy: deny all inter-VLAN traffic, then add specific permit rules.
Typical rules you will need:
- Staff → IoT (CCTV): permit TCP 554 (RTSP) and the NVR's management port from the staff subnet to the NVR's IP only, not to the whole camera subnet
- VoIP → Internet: permit SIP (UDP 5060, or TCP/TLS 5061 if your provider supports it) and the RTP range your SIP trunk provider documents (UDP 10000–20000 is a common default, not a universal one) outbound, restricted to the provider's addresses where they publish them. A stateful firewall handles the return media automatically, so permit inbound only if you host a PBX the provider must reach, and then from the provider's addresses only
- Payments → Internet: permit outbound TCP 443 to the payment processor's published ranges; deny all inbound
- Guest → Internet: permit UDP 53 to the resolver you hand out via DHCP (commonly the firewall itself), then deny all RFC1918 ranges, then permit TCP 80/443 to anything else; optionally rate-limit per client. On a first-match firewall the order matters: a "permit 443 to any" rule placed above the RFC1918 deny lets guests reach every internal HTTPS management interface
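The rule set above, encoded as an added example (not code from the original article) in Python so the ordering and the "deny by default, permit specifically" policy can be checked against sample flows before anything is typed into a firewall. Addressing is assumed: VLAN n uses 10.0.n.0/24 with the firewall at .1 acting as DNS resolver; the NVR address, its management port and the payment processor range are placeholders.

```python
"""First-match inter-VLAN policy check for the VLAN plan in this article.

Added example, not from the original article. Assumed addressing: VLAN n
uses 10.0.n.0/24 with the firewall at .1 (also the DNS resolver). The NVR
address, its management port and the processor range (203.0.113.0/24,
documentation space) are placeholders. Rules are evaluated first match wins,
as on pfSense/OPNsense and UniFi.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

SUBNETS = {vid: ipaddress.ip_network(f"10.0.{vid}.0/24") for vid in (10, 20, 30, 40, 50)}
GATEWAYS = {vid: n.network_address + 1 for vid, n in SUBNETS.items()}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]
NVR = [ipaddress.ip_network("10.0.40.10/32")]        # placeholder NVR address
NVR_MGMT_PORT = 8000                                  # placeholder; use your NVR's documented port
PROCESSOR = [ipaddress.ip_network("203.0.113.0/24")]  # placeholder processor range


def vlan(vid): return [SUBNETS[vid]]
def gw(vid): return [ipaddress.ip_network(f"{GATEWAYS[vid]}/32")]


def ports(*specs):
    """Destination-port match set from ints and/or (lo, hi) inclusive tuples."""
    out = set()
    for s in specs:
        out.update(range(s[0], s[1] + 1) if isinstance(s, tuple) else [s])
    return frozenset(out)


@dataclass
class Rule:
    name: str
    action: str                        # "permit" or "deny"
    src: List[ipaddress.IPv4Network]
    dst: List[ipaddress.IPv4Network]
    proto: Optional[str] = None        # None = any protocol
    dports: Optional[frozenset] = None # None = any destination port

    def matches(self, src_ip, dst_ip, proto, dport) -> bool:
        return (any(src_ip in n for n in self.src) and any(dst_ip in n for n in self.dst)
                and self.proto in (None, proto)
                and (self.dports is None or dport in self.dports))


# Every VLAN may resolve names at its own gateway; nothing else is implicit.
RULES = [Rule(f"vlan{v}-dns", "permit", vlan(v), gw(v), "udp", ports(53)) for v in SUBNETS] + [
    Rule("staff-to-nvr-rtsp", "permit", vlan(10), NVR, "tcp", ports(554)),
    Rule("staff-to-nvr-mgmt", "permit", vlan(10), NVR, "tcp", ports(NVR_MGMT_PORT)),
    Rule("staff-to-private", "deny", vlan(10), RFC1918),        # everything else internal
    Rule("staff-to-internet", "permit", vlan(10), ANY),
    Rule("voip-to-private", "deny", vlan(30), RFC1918),
    Rule("voip-sip", "permit", vlan(30), ANY, "udp", ports(5060)),
    Rule("voip-rtp", "permit", vlan(30), ANY, "udp", ports((10000, 20000))),
    Rule("pos-to-processor", "permit", vlan(50), PROCESSOR, "tcp", ports(443)),
    Rule("guest-to-private", "deny", vlan(20), RFC1918),        # must precede the internet permit
    Rule("guest-to-internet", "permit", vlan(20), ANY, "tcp", ports(80, 443)),
    Rule("default-deny", "deny", ANY, ANY),                     # IoT/CCTV gets nothing at all
]


def evaluate(rules, src, dst, proto, dport) -> Tuple[str, str]:
    """Return (action, rule name) of the first rule that matches the flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.matches(s, d, proto, dport):
            return r.action, r.name
    raise LookupError("no rule matched; add an explicit default-deny")


def shadowed_private_denies(rules):
    """Names of deny-to-RFC1918 rules that a permit-to-anywhere from the same
    source precedes. Such a deny never fires, so that segment can reach the LAN."""
    found = []
    for i, deny in enumerate(rules):
        if deny.action == "deny" and deny.dst == RFC1918:
            if any(p.action == "permit" and p.dst == ANY and p.src == deny.src for p in rules[:i]):
                found.append(deny.name)
    return found


def misordered(rules):
    """The same policy with the guest internet permit moved above the private deny."""
    rs = list(rules)
    names = [r.name for r in rs]
    i, j = names.index("guest-to-private"), names.index("guest-to-internet")
    rs[i], rs[j] = rs[j], rs[i]
    return rs


if __name__ == "__main__":
    for rules in (RULES, misordered(RULES)):
        print(evaluate(rules, "10.0.20.25", "10.0.10.5", "tcp", 443),
              "shadowed:", shadowed_private_denies(rules))
```

Run the flows that matter to you through `evaluate` (guest to a staff PC, staff to a camera rather than the NVR, a terminal to anything other than the processor) and keep the script next to the firewall export; `shadowed_private_denies` catches the most common way the guest VLAN quietly ends up with LAN access.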
Log denied traffic. Reviewing firewall logs monthly will tell you whether any device is trying to reach a segment it shouldn’t.
Security and performance benefits
Segmentation limits blast radius. If a staff laptop is hit by ransomware, it cannot reach your payment terminals at all, and it can reach the CCTV segment only on the handful of ports you explicitly permitted to the NVR (which is why that rule should name one host and two ports, not the whole subnet). If an IP camera is compromised — a common attack vector given how rarely camera firmware gets updated — it cannot scan your workstation subnet, and with no internet access it cannot phone home either.
QoS tagging per VLAN also lets you prioritise VoIP traffic at the switch level, reducing jitter during calls when a large file transfer is in progress.
Common mistakes to avoid
One flat network with a guest SSID added — a guest WiFi network that isn’t on a separate VLAN still lands on your main switch. The wireless isolation helps, but wired devices remain reachable.
Forgetting the AP trunk configuration — managed switches and firewalls are configured correctly, but the AP is left on the default untagged network. Every SSID ends up on VLAN 10. Check the AP’s WLAN-to-VLAN mapping explicitly.
No DHCP scope per VLAN — each VLAN needs its own IP subnet and DHCP scope on the firewall. A common oversight is creating the VLAN on the switch but forgetting to add the DHCP pool, leaving clients with no IP address.
Over-trusting internal VLANs — VLANs separate broadcast domains; they don't encrypt traffic, and a trunk port that carries every VLAN is only as safe as whatever is plugged into it, so carry on each trunk only the VLANs that link needs. Use TLS for internal services. Treat inter-VLAN firewall rules with the same care as perimeter rules.
All managed switches and VLAN-capable gateways on Business IT Supply are priced GST-inclusive, with the ex-GST figure shown alongside — useful for your BAS. Stock availability is displayed honestly: verified on-hand stock is shown separately from supplier ETA lines, so you know what ships today and what ships on order. If you need help sizing a managed switch or choosing a gateway for your VLAN setup, add items to a quote via /catalogue?cat=networking and we can work through the configuration requirements with you.