A single flat network — every device able to see and talk to every other device by default — is one of the most common sources of both security exposure and performance problems in growing IT environments. VLANs are the standard fix, but the term gets used casually without always being understood precisely. This article covers what a VLAN actually does, why segmentation matters for security and performance, and how VLANs are designed in practice.
What a VLAN actually does
A VLAN, or Virtual Local Area Network, creates a logically separate broadcast domain on top of shared physical switching infrastructure. Without VLANs, every device connected to the same physical switch — or set of interconnected switches — belongs to one broadcast domain: traffic intended for "everyone on this network" reaches every device, and devices can reach each other directly by default.
A VLAN divides that shared physical infrastructure into multiple logically isolated segments, without requiring a separate physical switch for each one. Devices assigned to different VLANs don't see each other's broadcast traffic and can't communicate directly, even though they may be plugged into the exact same physical switch. Communication between VLANs has to pass through a routing or firewall device, where it can be explicitly permitted, denied, or inspected — which is precisely the point.
Why segmentation matters
VLAN segmentation solves two distinct problems, and it's worth understanding both, because organizations sometimes implement VLANs for one reason while missing the other.
Security is usually the more important driver. Segmenting traffic by type limits lateral movement — if a guest device or an IoT device on its own VLAN is compromised, it cannot directly reach the server VLAN, the corporate workstation VLAN, or anything else it hasn't been explicitly permitted to reach through routing and firewall policy. This containment is one of the most effective and lowest-cost security controls available, because it limits the blast radius of a compromise without requiring the compromised device to be identified or removed first.
Performance is the second driver, and it matters more as networks grow. Broadcast traffic — the kind every device on a shared broadcast domain has to process — scales with the number of devices in that domain. A large flat network with hundreds of devices generates broadcast traffic that every single device has to receive and process, even though almost none of it is relevant to any individual device. Segmenting into smaller VLANs reduces the scope of broadcast traffic to just the devices that actually need to see it, which reduces unnecessary load across the network.
Segmentation is a Zero Trust principle, not just a network design choice
Limiting what a device can reach by default — rather than trusting it because it's "inside the network" — is one of the foundational ideas behind Zero Trust security models. VLAN segmentation applies that principle at the network layer. See Zero Trust in Microsoft 365 for how the same principle is applied at the identity layer.
How VLANs are designed in practice
In practice, VLANs are almost always designed around traffic type rather than physical location or department alone. A typical enterprise design separates traffic into VLANs such as:
| VLAN purpose | Typical traffic | Inter-VLAN access consideration |
|---|---|---|
| Corporate | Employee workstations and laptops | Broad internal access, restricted from guest and IoT |
| Guest | Visitor and unmanaged devices | Internet-only, no access to internal VLANs |
| VoIP | Phone and voice traffic | Prioritized (QoS), isolated from data traffic for reliability |
| IoT | Cameras, sensors, smart devices | Highly restricted — outbound-only or vendor-specific access |
| Servers | Application, database, and file servers | Access limited to specific corporate or application VLANs, not broadly open |
| Management | Switch, router, and firewall administrative interfaces | Restricted to IT/admin devices only, never exposed broadly |
Each VLAN gets its own inter-VLAN routing and firewall policy, defining specifically what's allowed to reach it and what it's allowed to reach — rather than assuming default access in either direction. The management VLAN in particular deserves deliberate isolation: administrative access to network devices should never be reachable from general corporate traffic, let alone guest or IoT VLANs, since compromising that access would compromise the network infrastructure itself.
This traffic-type approach also scales cleanly as new categories of devices get added to the environment. A new class of IoT device, for example, can be placed on the existing IoT VLAN — or a new one, if its access needs are meaningfully different — without having to redesign the network from scratch, because the segmentation was built around traffic type and access needs rather than around today's specific device inventory.
Common mistakes
- Running a flat, unsegmented network where IoT devices and servers share the same broadcast domain as general corporate traffic. This is the single most common VLAN-related exposure — it means a compromised smart device or camera has direct network-level reach into systems that should be tightly protected.
- Creating VLANs without defining inter-VLAN policy. A VLAN that isolates broadcast traffic but still allows unrestricted routing to every other VLAN provides almost none of the security benefit segmentation is meant to deliver.
- Leaving the management VLAN broadly reachable. Administrative interfaces for switches, routers, and firewalls should be isolated to a dedicated, tightly restricted VLAN — not reachable from the general corporate network.
- Designing VLANs around department names instead of traffic type and risk profile. Department-based VLANs can still work, but segmentation driven purely by org chart rather than by what traffic actually needs to talk to what tends to leave meaningful gaps, particularly around IoT and guest access.
FAQ
Does a small business need VLANs, or is that only relevant at enterprise scale? Any business with guest Wi-Fi, IoT devices, or a meaningful device count benefits from at least basic VLAN segmentation — separating guest and IoT traffic from corporate and server traffic is a low-cost control that significantly reduces exposure, regardless of company size.
How many VLANs should a typical business have? There's no fixed number — it should map to the distinct traffic types and access needs actually present in the environment. Over-segmenting into VLANs with no meaningfully different policy adds administrative overhead without a security or performance benefit; under-segmenting leaves distinct traffic types sharing a broadcast domain they shouldn't.
Do VLANs replace the need for a firewall? No — VLANs create the segments, but a firewall or routing device with defined policy is what actually enforces what can pass between those segments. A VLAN without enforced inter-VLAN policy is segmented in name but not in practice.