
VLANs for SMEs: three networks you really want to keep separate

VLANs separate your guest, management and business network and reduce the risk of data breaches. Why network segmentation is essential for SMEs.

Ronald Evers
VLANs explained for SMEs: guest, management and business networks

Why this matters

Picture this: a client visits and asks for the wifi. You give them the password. That same wifi connects to the same switch as your bookkeeping, your client files, and the printer that prints the payslips. Technically, that visitor - or their infected laptop - now has the same access as your employees.

That’s not a theoretical risk. In a large share of the SME companies we audit, everything sits on one flat network. And “everything” means: guests, employees, IoT devices, security cameras, internet-connected coffee machines, and the management network from which we - or your network administrator - operate. One weak link, and the entire business is exposed.

The solution is called a VLAN. You don't need to understand the term in depth - only that it exists, what it does, and why three separate VLANs are the minimum for any serious business.

What is a VLAN?

A VLAN (Virtual Local Area Network) is a logically separate network within your existing cabling. Your business switch and access points behave as if there are multiple separate networks while physically sharing the same hardware: every frame carries a VLAN ID (the IEEE 802.1Q tag), and the switch only forwards it to ports that belong to that VLAN. For a user on VLAN A, VLAN B is just as unreachable as the neighbour's internet.

The big advantage: you don’t need to install a second network. The same cables, the same switch, the same access points - but logically divided into multiple networks that are isolated from each other. Traffic on one VLAN doesn’t reach the other VLAN unless you explicitly allow it via a firewall rule.
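To make the "same hardware, separate networks" idea concrete, here is an added example (not code from the article or from Barion) of how a VLAN-aware switch handles frames: it reads the 802.1Q tag, learns MAC addresses per VLAN, and floods or forwards only to ports in the same VLAN. The VLAN IDs, port names and MAC addresses are constructed for the demo; the switch model has no native VLAN, so an untagged frame on the trunk is simply dropped.

```python
import struct
from dataclasses import dataclass, field

ETHERTYPE_8021Q = 0x8100   # tag protocol identifier (TPID) of an IEEE 802.1Q tag
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
BROADCAST = b"\xff" * 6

# Example VLAN IDs (an assumption for this demo; any value 1-4094 works)
GUEST, MGMT, BUSINESS = 10, 20, 30


def parse_frame(frame):
    """Split an Ethernet II frame into (dst, src, vlan_id, ethertype, payload).
    vlan_id is None when the frame carries no 802.1Q tag."""
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == ETHERTYPE_8021Q:
        tci, inner = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, inner, frame[18:]   # low 12 bits of the TCI = VLAN ID
    return dst, src, None, ethertype, frame[14:]


def build_frame(dst, src, ethertype, payload, vlan_id=None):
    """Assemble a frame, inserting a 4-byte 802.1Q tag after the addresses when vlan_id is set."""
    if vlan_id is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    return dst + src + struct.pack("!HHH", ETHERTYPE_8021Q, vlan_id & 0x0FFF, ethertype) + payload


@dataclass
class Switch:
    """Minimal VLAN-aware switch: each port is ("access", vlan) or ("trunk", frozenset(vlans))."""
    ports: dict
    mac_table: dict = field(default_factory=dict)   # (vlan, mac) -> port it was learned on

    def _ingress_vlan(self, port, tag):
        kind, conf = self.ports[port]
        if kind == "access":
            return conf if tag is None else None   # tagged frames on an access port are dropped
        return tag if tag in conf else None        # trunk: tag required and must be allowed
                                                   # (no native VLAN, so untagged frames are dropped)

    def forward(self, ingress, frame):
        """Return {egress_port: frame_as_sent}; a frame never leaves its VLAN."""
        dst, src, tag, ethertype, payload = parse_frame(frame)
        vlan = self._ingress_vlan(ingress, tag)
        if vlan is None:
            return {}
        self.mac_table[(vlan, src)] = ingress       # learn the sender within this VLAN only
        known = self.mac_table.get((vlan, dst))
        if known == ingress:
            return {}                              # destination sits behind the ingress port
        if known is not None:
            egress = [known]
        else:                                      # unknown unicast or broadcast: flood inside the VLAN
            egress = [p for p, (kind, conf) in self.ports.items()
                      if p != ingress and (conf == vlan if kind == "access" else vlan in conf)]
        out = {}
        for p in egress:
            kind, _ = self.ports[p]                 # access ports strip the tag, trunks keep it
            out[p] = build_frame(dst, src, ethertype, payload, None if kind == "access" else vlan)
        return out


def make_switch():
    """Constructed office switch: two guest ports, two business ports, one trunk to the firewall."""
    return Switch(ports={
        "g1": ("access", GUEST), "g2": ("access", GUEST),
        "office1": ("access", BUSINESS), "fileserver": ("access", BUSINESS),
        "uplink": ("trunk", frozenset({GUEST, MGMT, BUSINESS})),
    })


def demo():
    """A guest laptop broadcasts an ARP request looking for the file server's IP.
    Returns what the switch sent and where; the file server's port is not among them."""
    sw = make_switch()
    guest_laptop = bytes.fromhex("0a0000000001")   # constructed MAC address
    arp_request = build_frame(BROADCAST, guest_laptop, ETHERTYPE_ARP, b"who-has 10.30.0.10?")
    return sw.forward("g1", arp_request)


def business_exchange():
    """Workstation talks to the file server inside the business VLAN: first frame is flooded
    (server MAC unknown), the reply is forwarded to the workstation's port only."""
    sw = make_switch()
    office, server = bytes.fromhex("0a0000000030"), bytes.fromhex("0a0000000031")
    first = sw.forward("office1", build_frame(server, office, ETHERTYPE_IPV4, b"SMB request"))
    reply = sw.forward("fileserver", build_frame(office, server, ETHERTYPE_IPV4, b"SMB reply"))
    return sorted(first), sorted(reply)


if __name__ == "__main__":
    for port, frame in demo().items():
        print(port, "vlan tag:", parse_frame(frame)[2])
    print(business_exchange())
```

The guest broadcast reaches the other guest port untagged and the trunk with tag 10, and nothing in the business VLAN. The trunk is where the firewall or the next switch sits; that is the only place the three networks meet, which is why the firewall rules in the next section matter.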

The three networks you want to separate

For an SME business, three VLANs are the absolute minimum. Less is too little, more is fine - but only after you have the three basic levels in order.

1. Guest network

Visitors, clients, suppliers - anyone temporarily using your wifi belongs here. The guest network only provides internet access. No view of printers, no access to shared folders, no contact with other devices on the network.

Why separate? You have no idea what’s on a visitor’s phone or laptop. If it’s infected with malware and that malware tries to find other devices on the network, that search should hit a wall. The wall is the VLAN.

Business consequence if you don’t do this: one infected visitor laptop can spread through your entire office network. Ransomware on your client files sometimes starts exactly this way.

2. Management network

This network hosts the devices used to control the network itself: switches, the firewall, access points, server management interfaces. At Barion, we operate from this VLAN as your network administrator - just like your own IT admin would, if you have one.

Why separate? If your management interfaces sit on the same network as ordinary workstations, they're reachable by every employee and by every intruder who gets onto a workstation. The admin login of your main switch should be just as far away from a random office laptop as it is from a visitor.

Business consequence if you don’t do this: an intruder who breaks in via a workstation can directly try to log in to your network equipment. Once inside the switch or firewall, the game is over - they have the keys to the entire building.

3. Business network

This is where your employees work. Computers, business phones, business printers, access to your file server, workplace applications. This is the network that keeps you productive.

Why separate? Not because your employees aren't trustworthy - but because a problem on the guest or management network should never affect their work. And the other way around: an intern who clicks through a strange wifi setting by accident should never end up on the firewall admin page.

Business consequence if you don’t do this: problems in one corner of the network directly affect your employees. Downtime, productivity loss, and often a data breach that has to be reported to the data protection authority.

How to migrate to a VLAN setup

The transition is less invasive than it sounds. Four steps, usually without downtime:

1. Inventory what's currently on the network
Which devices, which users, which management interfaces - without this overview, segmenting is guessing.

2. Configure three VLANs on switch and firewall
Guest, management, business - each with its own IP range, and a default-deny firewall policy between the VLANs with explicit allow rules only where traffic is actually needed.

3. Roll out access points with multiple SSIDs
One wifi network for guests, one for business; management traffic runs over fixed cabling only. Each SSID is mapped to the correct VLAN, and on the guest SSID enable client isolation so that guests cannot reach each other either.

4. Migrate devices step by step
Start with guests (least risky), then management, then business. After each step, verify that everything still works and that the isolation actually holds - printers and VoIP deserve special attention.
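Steps 2 and 4 come down to one question: for every pair of networks, which new connections does the firewall let through? The following is an added example, not configuration from the article or from Barion, that models a three-VLAN default-deny policy and evaluates it against constructed flows matching the risks in the comparison table. The address plan (one /24 per VLAN), the rule set and the IP addresses are assumptions; adjust them to your own network. The isolation matrix it produces is the checklist to run after each migration step.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Example address plan, one /24 per VLAN (assumption; substitute your own ranges).
VLANS = {
    "guest": ipaddress.ip_network("10.10.0.0/24"),
    "mgmt": ipaddress.ip_network("10.20.0.0/24"),
    "business": ipaddress.ip_network("10.30.0.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src: str                     # zone name from VLANS, or "internet"
    dst: str
    proto: str = "any"           # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None = any destination port
    action: str = "allow"


# Inter-VLAN policy: first match wins, anything unmatched falls through to DEFAULT.
# Return traffic of an allowed connection is handled by the firewall's connection
# tracking, so only the direction that opens the connection is listed here.
RULES = [
    Rule("guest", "internet"),      # guests get the internet and nothing else
    Rule("business", "internet"),
    Rule("mgmt", "business"),       # admins may reach business hosts; never the reverse
    Rule("mgmt", "internet"),
]
DEFAULT = "deny"


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return "internet" if addr.is_global else "unknown"   # unknown private ranges match no rule


def evaluate(src_ip, dst_ip, proto="tcp", dport=None):
    """Verdict for a new connection from src_ip to dst_ip: ("allow"|"deny", reason)."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst and src in VLANS:
        return "allow", f"same VLAN ({src}): switched locally, never reaches the firewall"
    for r in RULES:
        if (r.src, r.dst) == (src, dst) and r.proto in ("any", proto) and r.dport in (None, dport):
            return r.action, f"rule {r.src} -> {r.dst}"
    return DEFAULT, f"no rule for {src} -> {dst}: default deny"


# Constructed flows mirroring the risks in the comparison table.
SCENARIOS = {
    "infected guest laptop scans the file server": ("10.10.0.50", "10.30.0.10", "tcp", 445),
    "stolen employee password tried on the switch": ("10.30.0.20", "10.20.0.2", "tcp", 22),
    "guest opens the firewall admin page": ("10.10.0.50", "10.20.0.1", "tcp", 443),
    "admin manages the switch from the mgmt VLAN": ("10.20.0.5", "10.20.0.2", "tcp", 22),
    "employee opens a share on the file server": ("10.30.0.20", "10.30.0.10", "tcp", 445),
    "guest browses the web": ("10.10.0.50", "93.184.216.34", "tcp", 443),
}


def run_scenarios():
    return {name: evaluate(*flow)[0] for name, flow in SCENARIOS.items()}


def isolation_matrix(proto="tcp", dport=445):
    """Expected verdict for every ordered VLAN pair, using one sample host per VLAN.
    After each migration step, test these pairs from real devices: a "deny" that
    succeeds in practice means a port or SSID is still on the wrong VLAN."""
    host = {z: str(net[10]) for z, net in VLANS.items()}
    return {(s, d): evaluate(host[s], host[d], proto, dport)[0] for s in VLANS for d in VLANS}


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{verdict:5} {name}")
    for (s, d), verdict in isolation_matrix().items():
        print(f"{s:>8} -> {d:<8} {verdict}")
```

Two things the model makes visible that a flat network hides: traffic inside one VLAN never passes the firewall at all, so anything you want to protect from its neighbours (the printer that prints payslips, the file server) needs its own VLAN rather than a rule; and the only "allow" across VLANs points from management to business, never back, which is what stops a compromised workstation from reaching the switch console.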

Without VLANs vs with VLANs

Risk                               One flat network
Infected visitor laptop            Can explore and infect the entire network
Stolen employee password           Immediately grants access to admin interfaces
Hacked network printer             Can serve as a stepping stone to file servers
NIS2 compliance                    No demonstrable segmentation - formal shortcoming
GDPR data breach                   Entire network is potentially affected
Downtime during a network issue    Whole office goes down



Ronald Evers

IT specialist at Barion with over 20 years of experience in SME IT. Ronald writes about IT trends, cybersecurity and digital transformation.
