Most small offices run on one flat network: every laptop, printer, phone, CCTV camera and guest device shares the same digital room and can, in principle, talk to everything else. A VLAN is how you put internal walls in that room without re-cabling the building. It sounds like deep networking trivia - until a guest's infected phone reaches your accounts server, and then it becomes a board-level conversation.
One office, many invisible rooms
VLAN stands for Virtual Local Area Network. The key word is virtual: instead of running separate physical cabling for each group of devices, your switches and Wi-Fi create separate logical networks over the same wires and access points.
Think of an open-plan office. Everyone shares the floor, but you put up partitions so the finance team, the warehouse tablets and the visitor sofa each have their own space. People can still be moved between areas, but by default they cannot wander into a space they were not assigned to. A VLAN is that partition, applied to network traffic.
Why one flat network is a quiet risk
On a flat network, every device can attempt to reach every other device. That has three consequences most owners never think about until something goes wrong.
- •Security: a compromised guest phone, smart TV or camera can probe your servers and PCs, because nothing separates them.
- •Noise: chatty devices and broadcast traffic reach everything, which can drag down performance as the network grows.
- •Compliance: card-payment and personal-data rules expect sensitive systems to be separated from general traffic - hard to evidence on one open network.
What businesses actually use VLANs for
The everyday uses are pleasingly mundane, which is exactly why they matter. A typical UK office might split its single physical network into a handful of VLANs, each with its own access rules.
Common groupings are: corporate devices (staff laptops and PCs), a separate guest Wi-Fi that can reach the internet but nothing internal, voice handsets kept on their own lane so calls stay clear, and a locked-down VLAN for cameras, door entry and other 'internet of things' kit that you never want talking to your file server.
How traffic moves between VLANs (or does not)
By design, VLANs cannot talk to each other unless something deliberately allows it. That something is usually your firewall or a layer-3 switch acting as a controlled doorway between the rooms.
This is the real prize. Because all inter-VLAN traffic passes through that doorway, you can write simple rules: guests reach the internet but never the office; cameras reach the recorder but nothing else; staff reach the servers they need and no more. You have turned an open floor into a building with locked doors and a security desk.
Do you need them, and what it takes
If you have more than a handful of staff, offer guest Wi-Fi, run VoIP phones, or have any cameras and smart devices on the network, the answer is almost always yes. The good news is you usually do not need new cabling - just business-grade switches and access points that support VLANs (sometimes labelled 'managed' or 'smart'), plus a firewall to police the doorways.
It is also a foundation for other things. Segmented networks are far easier to monitor, and they are a building block for the kind of internal isolation behind modern network security and Zero Trust thinking. Set up the rooms once, and a lot of later security work gets simpler.