What Is a VLAN?
A Virtual LAN (VLAN) is a logical Layer 2 broadcast domain: the devices in it behave as if they shared one physical switch, regardless of which switch or port they are actually plugged into. VLANs are defined on the switch. On links that carry more than one VLAN, every frame is marked with an IEEE 802.1Q tag, a 4-byte header inserted after the source MAC address that holds a 12-bit VLAN ID and a 3-bit priority, so a single physical switch or cable can carry traffic for many isolated networks without mixing them. On the port facing an end device the switch adds and removes the tag itself, so the device never sees a VLAN ID.
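To make the tag concrete, here is a small builder and parser for 802.1Q tagged frames. It is an added example written for this article, not code from the page, and the frames it handles are constructed inline. It goes a little beyond the paragraph above: besides a single tag it handles the two cases a real parser must get right, an untagged frame and a QinQ (802.1ad) double tag, and it names the VLAN IDs a switch treats specially (0 is priority-tagged, 4095 is reserved).

```python
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100   # customer tag (C-TAG), the ordinary 802.1Q VLAN tag
TPID_8021AD = 0x88A8  # service tag (S-TAG), the outer tag in QinQ (802.1ad)
TAG_TPIDS = (TPID_8021Q, TPID_8021AD)


@dataclass
class VlanTag:
    tpid: int  # which tag type this is (0x8100 or 0x88A8)
    pcp: int   # Priority Code Point, 3 bits (802.1p class of service)
    dei: int   # Drop Eligible Indicator, 1 bit
    vid: int   # VLAN Identifier, 12 bits


@dataclass
class Frame:
    dst: str
    src: str
    tags: list       # VlanTag objects, outermost first; empty for an untagged frame
    ethertype: int   # EtherType of the payload that follows the tag stack
    payload: bytes


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def build_frame(dst: str, src: str, ethertype: int, payload: bytes, tags=()) -> bytes:
    """Assemble an Ethernet frame with zero or more tags between the MACs and the EtherType."""
    out = _mac_bytes(dst) + _mac_bytes(src)
    for tag in tags:
        if not 0 <= tag.vid <= 4095 or not 0 <= tag.pcp <= 7 or tag.dei not in (0, 1):
            raise ValueError("tag field out of range")
        tci = (tag.pcp << 13) | (tag.dei << 12) | tag.vid   # Tag Control Information
        out += struct.pack("!HH", tag.tpid, tci)
    return out + struct.pack("!H", ethertype) + payload


def parse_frame(raw: bytes) -> Frame:
    """Walk the tag stack after the MAC addresses until a non-tag EtherType is found."""
    if len(raw) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = _mac_str(raw[0:6]), _mac_str(raw[6:12])
    offset = 12
    tags = []
    while True:
        if len(raw) < offset + 2:
            raise ValueError("truncated frame: no EtherType after the tags")
        (etype,) = struct.unpack_from("!H", raw, offset)
        if etype not in TAG_TPIDS:
            break
        if len(raw) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", raw, offset + 2)
        tags.append(VlanTag(tpid=etype, pcp=tci >> 13, dei=(tci >> 12) & 1, vid=tci & 0x0FFF))
        offset += 4
    return Frame(dst, src, tags, etype, raw[offset + 2:])


def vid_class(vid: int) -> str:
    """How a switch treats a VID: 0 carries only priority (no VLAN), 4095 is reserved, 1 is the default."""
    if vid == 0:
        return "priority-tagged"
    if vid == 4095:
        return "reserved"
    if vid == 1:
        return "default"
    return "normal"


if __name__ == "__main__":
    # Constructed sample frames: a tagged ARP on VLAN 30 with priority 5, and a QinQ frame.
    arp = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0806, b"\x00" * 28,
                      tags=[VlanTag(TPID_8021Q, 5, 0, 30)])
    qinq = build_frame("00:aa:bb:cc:dd:ee", "00:11:22:33:44:55", 0x0800, b"\x00" * 20,
                       tags=[VlanTag(TPID_8021AD, 0, 0, 100), VlanTag(TPID_8021Q, 0, 0, 30)])
    for f in (parse_frame(arp), parse_frame(qinq)):
        print([(hex(t.tpid), t.vid, vid_class(t.vid)) for t in f.tags], hex(f.ethertype))
```

The parser deliberately loops rather than reading one tag, because a switch that only looks at the first tag is exactly what double-tagging attacks rely on.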
Why Segment Your Network?
Flat networks, where every device can talk to every other device, are a security liability. A single compromised endpoint can reach your servers, printers, IP cameras, and IoT devices without restriction, and it can sniff or spoof the broadcast traffic (ARP, DHCP) of the whole site. VLANs shrink the broadcast domain and, together with filtering at the Layer 3 boundary between them, contain the blast radius of a breach; cutting unnecessary broadcast traffic is a side benefit.
A Practical VLAN Layout
A sensible baseline for a small business or home lab might look like this:
VLAN 10 - Management (switches, APs, firewalls)
VLAN 20 - Servers (file, DNS, DHCP, monitoring)
VLAN 30 - Workstations (staff PCs and laptops)
VLAN 40 - IoT (cameras, printers, smart devices)
VLAN 50 - Guest WiFi (internet-only, no internal access)
Leave VLAN 1 unused. It is the factory default for every port on most switches, so a port that was never configured lands there; keeping nothing of value in it limits what such a port can reach.
Configuring Trunk and Access Ports
Access ports carry untagged traffic for a single VLAN and are used for end devices. Trunk ports carry tagged traffic for multiple VLANs and connect switches to each other or to a router. Two details matter on Cisco Catalyst switches. First, a port with no explicit mode negotiates trunking with its neighbour via DTP, so an attacker plugged into an unconfigured port can ask to become a trunk and reach every VLAN; set an explicit mode on every port and add 'switchport nonegotiate' on trunks. Second, the trunk's native VLAN (VLAN 1 unless changed) travels untagged, which is what the double-tagging VLAN hopping attack relies on; move it to an unused ID with 'switchport trunk native vlan' and keep that ID out of the allowed list. On older platforms that still support ISL, 'switchport trunk encapsulation dot1q' must precede 'switchport mode trunk'. On a Cisco-style CLI:
! Access port (workstation on VLAN 30)
interface GigabitEthernet0/1
switchport mode access
switchport access vlan 30
! Trunk port (uplink to router)
interface GigabitEthernet0/24
switchport mode trunk
switchport trunk allowed vlan 10,20,30,40,50
Inter-VLAN Routing
VLANs are isolated at Layer 2, so traffic between them has to pass through a Layer 3 device. You can use a router-on-a-stick setup, where a single trunk to the router carries every VLAN and one subinterface per VLAN ID terminates each of them, or a Layer 3 switch with SVIs (Switched Virtual Interfaces). Note that a Layer 3 switch with an SVI in every VLAN routes freely between all of them until you add ACLs, which puts you back close to a flat network. For most small deployments, a pfSense or OPNsense firewall handling inter-VLAN routing gives you segmentation plus rule control in one place: each VLAN becomes an interface, rules are evaluated on the interface where the traffic enters, the first match wins, and traffic that matches nothing is dropped, so the guest VLAN needs exactly one rule allowing traffic to non-RFC 1918 destinations and nothing else.
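Before routing between VLANs it is worth checking that the switchports themselves do not undo the segmentation. The checker below is an added example written for this article, not a tool from Cisco or from the page's author. It parses Cisco-style switchport configuration (a constructed sample containing the two interfaces from the previous section plus three made-up ports) and reports the trunk and access port weaknesses described there: ports left to DTP negotiation, trunks with no allowed-VLAN list, native VLAN 1 or a native VLAN that is also allowed on the trunk, and trunks missing 'switchport nonegotiate'. The Cisco defaults it assumes (native VLAN 1, access VLAN 1, all VLANs allowed, DTP on) are the documented ones.

```python
import re

# Constructed sample configuration: Gi0/1 and Gi0/24 are the interfaces from the page;
# Gi0/2, Gi0/3 and Gi0/23 are made up to show what the checks catch.
SAMPLE_CONFIG = """
! Access port (workstation on VLAN 30)
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 30
!
interface GigabitEthernet0/2
 description never configured: defaults to VLAN 1 and DTP negotiation
!
interface GigabitEthernet0/3
 switchport mode dynamic desirable
 switchport access vlan 40
!
! Hardened trunk
interface GigabitEthernet0/23
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30,40,50
 switchport nonegotiate
!
! Trunk port (uplink to router), as shown on the page
interface GigabitEthernet0/24
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40,50
"""

ALL_VLANS = set(range(1, 4095))


def parse_interfaces(config):
    """Group the lines under each 'interface ...' stanza; '!' comments and blank lines are skipped."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current is not None:
            stanzas[current].append(line)
    return stanzas


def parse_vlan_list(spec):
    """Expand '10,20,30-35' into a set of VLAN IDs; 'all' and 'none' are accepted too."""
    spec = spec.strip()
    if spec == "all":
        return set(ALL_VLANS)
    if spec == "none":
        return set()
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def audit_switchports(config):
    """Return (interface, finding) pairs for VLAN-hopping-relevant weaknesses in each switchport."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if any(l.startswith("no switchport") for l in lines):
            continue  # routed port, not a switchport
        mode, native, access_vlan, allowed, nonegotiate = None, 1, 1, None, False  # Cisco defaults
        for l in lines:
            if m := re.match(r"switchport mode (\S+)", l):
                mode = m.group(1)
            elif m := re.match(r"switchport access vlan (\d+)", l):
                access_vlan = int(m.group(1))
            elif m := re.match(r"switchport trunk native vlan (\d+)", l):
                native = int(m.group(1))
            elif m := re.match(r"switchport trunk allowed vlan(?: (add|remove|except))? (.+)", l):
                op, vl = m.group(1), parse_vlan_list(m.group(2))
                current = ALL_VLANS if allowed is None else allowed
                allowed = {"add": current | vl, "remove": current - vl, "except": ALL_VLANS - vl}.get(op, vl)
            elif l == "switchport nonegotiate":
                nonegotiate = True

        if mode is None or mode.startswith("dynamic"):
            findings.append((name, "no fixed switchport mode: DTP can negotiate this port into a trunk; "
                                   "set 'switchport mode access' or 'switchport mode trunk'"))
            continue
        if mode == "access" and access_vlan == 1:
            findings.append((name, "access port left on VLAN 1 (the default); assign an explicit VLAN"))
        if mode == "trunk":
            if allowed is None:
                findings.append((name, "trunk carries all VLANs; restrict with 'switchport trunk allowed vlan ...'"))
            if native == 1:
                findings.append((name, "native VLAN is 1 and travels untagged; move it to an unused VLAN "
                                       "with 'switchport trunk native vlan <id>'"))
            if allowed is not None and native in allowed:
                findings.append((name, f"native VLAN {native} is also in the allowed list, so its frames cross "
                                       "the trunk untagged; remove it from the list"))
            if not nonegotiate:
                findings.append((name, "trunk still sends DTP; add 'switchport nonegotiate'"))
    return findings


if __name__ == "__main__":
    for iface, msg in audit_switchports(SAMPLE_CONFIG):
        print(f"{iface}: {msg}")
```

Run it against the sample and only Gi0/1 and the hardened Gi0/23 come back clean; the router uplink from the previous section is flagged for native VLAN 1 and for DTP still being enabled. To use it on a real switch, paste the output of 'show running-config' in place of the sample string.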

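To show what the inter-VLAN firewall actually decides for the layout above, here is a small first-match rule evaluator. It is an added example written for this article, not pfSense or OPNsense code, and it only models the parts of their semantics the text relies on: rules are checked in order, the first match wins, and traffic that matches nothing is blocked. The subnets (third octet equal to the VLAN ID) are an assumption, and so is every rule except the guest policy the page states; treat the policy as a starting point, not a recommendation.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed addressing: the page gives VLAN IDs only, so the subnets are my own choice.
VLAN_SUBNETS = {
    "management": ipaddress.ip_network("10.0.10.0/24"),
    "servers": ipaddress.ip_network("10.0.20.0/24"),
    "workstations": ipaddress.ip_network("10.0.30.0/24"),
    "iot": ipaddress.ip_network("10.0.40.0/24"),
    "guest": ipaddress.ip_network("10.0.50.0/24"),
}
# RFC 1918 ranges; "internet" below means anything outside them.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    src: str                     # VLAN name or "any"
    dst: str                     # VLAN name, "internal" (any RFC 1918 range), "internet" or "any"
    proto: str = "any"           # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None  # destination port; None matches every port


def vlan_of(ip) -> Optional[str]:
    ip = ipaddress.ip_address(ip)
    return next((name for name, net in VLAN_SUBNETS.items() if ip in net), None)


def is_internal(ip) -> bool:
    ip = ipaddress.ip_address(ip)
    return any(ip in net for net in INTERNAL)


def _dst_matches(rule, dst_ip) -> bool:
    if rule.dst == "any":
        return True
    if rule.dst == "internal":
        return is_internal(dst_ip)
    if rule.dst == "internet":
        return not is_internal(dst_ip)
    return vlan_of(dst_ip) == rule.dst


def evaluate(rules, src_ip, dst_ip, proto, dport=None):
    """First matching rule wins; if nothing matches the verdict is block (default deny)."""
    for rule in rules:
        if rule.src != "any" and vlan_of(src_ip) != rule.src:
            continue
        if not _dst_matches(rule, dst_ip):
            continue
        if rule.proto != "any" and rule.proto != proto:
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action, rule
    return "block", None


# Assumed policy for the layout. Only "guest is internet-only" comes from the page;
# the rest is the minimal set this example grants. IoT gets no rule at all, so it is
# isolated until you add per-device exceptions.
POLICY = [
    Rule("pass", "guest", "internet"),                    # guest WiFi: internet only ...
    Rule("block", "guest", "any"),                        # ... and explicitly nothing internal
    Rule("pass", "workstations", "servers", "udp", 53),   # DNS
    Rule("pass", "workstations", "servers", "tcp", 445),  # file shares
    Rule("pass", "workstations", "internet"),
    Rule("pass", "servers", "internet", "udp", 53),       # the DNS server's upstream lookups
    Rule("pass", "servers", "internet", "tcp", 443),      # updates
    Rule("pass", "management", "internal"),               # admin hosts reach every VLAN
    Rule("block", "any", "any"),                          # default deny, written out so it is visible
]


if __name__ == "__main__":
    # Constructed flows: guest to a file server, guest to the internet, workstation to a camera.
    for flow in (("10.0.50.23", "10.0.20.5", "tcp", 445), ("10.0.50.23", "1.1.1.1", "udp", 53),
                 ("10.0.30.12", "10.0.40.7", "tcp", 554)):
        verdict, rule = evaluate(POLICY, *flow)
        print(flow, "->", verdict, "by", rule)
```

Rule order is the thing to watch: if the workstations-to-internet rule were written as "workstations to any", it would also pass traffic to the IoT and management VLANs, because "any" matches internal addresses too. The "internet" destination is defined as everything outside RFC 1918 space precisely to avoid that.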