VLAN

Virtual Local Area Network

A logical network segment created on a managed switch using 802.1Q tagging — grouping switch ports into isolated broadcast domains that behave as completely separate networks, enabling security segmentation, IoT isolation, and guest networks without separate physical hardware.

A VLAN divides one physical switch into multiple isolated virtual switches. Each port is assigned to a VLAN (1–4094). Broadcast traffic — ARP requests, DHCP discovers, general layer-2 flooding — stays within the VLAN. A device on VLAN 10 cannot directly see or communicate with a device on VLAN 20, even if both are connected to the same physical switch. Traffic between VLANs must be routed by a Layer 3 device (router or Layer 3 switch), where firewall rules can be applied. This creates genuine security boundaries: a compromised device on the IoT VLAN cannot reach your NAS on the trusted VLAN without the router explicitly permitting it.

Common home VLAN setup

VLAN ID   Name         Subnet            Internet   Access to other VLANs
10        Trusted      192.168.10.0/24   Yes        Full (initiate to any)
20        IoT          192.168.20.0/24   Yes        Blocked (cannot initiate)
30        Guest        192.168.30.0/24   Yes        Blocked (internet only)
40        Management   192.168.40.0/24   No         Admin access to devices only

VLANs and Wi-Fi

Wireless networks can be VLAN-tagged too — each SSID on a VLAN-capable access point is associated with a VLAN ID. Your "IoT" Wi-Fi network maps to VLAN 20; your main "Home" Wi-Fi maps to VLAN 10. The access point tags all frames from each SSID with the corresponding VLAN ID before sending them up the trunk link to the switch and router. This means the same physical access point can serve multiple isolated wireless networks. The AP must support multiple SSIDs with VLAN tagging — a feature of managed/enterprise APs (Ubiquiti UniFi, TP-Link EAP, Cisco Meraki) and not present on most consumer access points.
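The tagging described in the two passages above (a switch or access point inserting the 802.1Q tag, and an access port in another VLAN never seeing the frame) can be modelled in a few lines. The following is an added example, not code from this page or from any vendor named on it. It builds a constructed ARP broadcast from a client on the "IoT" SSID, tags it with VLAN 20 the way an AP would before sending it up the trunk, and then models the switch delivering it to access ports. The MAC address is a constructed locally-administered value, and the native (untagged) VLAN on the trunk is deliberately not modelled.

```python
import struct

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_ARP = 0x0806


def tag_frame(untagged: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert an 802.1Q tag between the MAC addresses and the EtherType.

    This is what an AP does to frames from a VLAN-mapped SSID, and what a
    switch does to frames entering an access port (its PVID).
    """
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094 (0 and 4095 are reserved)")
    if len(untagged) < 14:
        raise ValueError("frame too short for an Ethernet header")
    # TCI = 3 bits priority (PCP), 1 bit drop-eligible (DEI), 12 bits VID
    tci = (pcp << 13) | (dei << 12) | vid
    return untagged[:12] + struct.pack("!HH", TPID_8021Q, tci) + untagged[12:]


def parse_frame(frame: bytes):
    """Return (vid, ethertype, payload); vid is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner_ethertype = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner_ethertype, frame[18:]


def strip_tag(frame: bytes) -> bytes:
    """Remove the 802.1Q tag (what a switch does on egress to an access port)."""
    vid, _, _ = parse_frame(frame)
    if vid is None:
        return frame
    return frame[:12] + frame[16:]


def deliver_to_access_port(frame: bytes, port_vlan: int):
    """Model a switch forwarding a trunk frame toward an access port.

    Returns the untagged frame when the tag matches the port's VLAN,
    otherwise None: the frame is simply not flooded to that port.
    """
    vid, _, _ = parse_frame(frame)
    if vid != port_vlan:
        return None
    return strip_tag(frame)


# Constructed sample: an ARP request broadcast by a client on the "IoT" SSID.
BROADCAST = b"\xff" * 6
IOT_CLIENT = bytes.fromhex("02aabbccdd20")          # constructed, locally administered
ARP_REQUEST = BROADCAST + IOT_CLIENT + struct.pack("!H", ETHERTYPE_ARP) + b"\x00" * 28


def demo():
    on_trunk = tag_frame(ARP_REQUEST, vid=20)        # AP maps SSID "IoT" to VLAN 20
    vid, ethertype, _ = parse_frame(on_trunk)
    to_iot_port = deliver_to_access_port(on_trunk, 20)
    to_trusted_port = deliver_to_access_port(on_trunk, 10)
    return vid, ethertype, to_iot_port == ARP_REQUEST, to_trusted_port


if __name__ == "__main__":
    print(demo())   # (20, 2054, True, None): VLAN 10 ports never see the IoT ARP
```

The four bytes inserted at offset 12 (`81 00` followed by the TCI) are the entire mechanism: a VLAN-unaware device that sees them only knows the EtherType is unfamiliar, while a managed switch uses the 12-bit VID to decide which ports may ever receive the frame.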

Frequently Asked Questions

What hardware do I need to set up VLANs at home?

A managed switch (e.g., TP-Link TL-SG108E, Netgear GS308E), a VLAN-capable router or firewall (pfSense, OPNsense, OpenWrt, or capable consumer router), and optionally a VLAN-capable access point for wireless segments (Ubiquiti UniFi, TP-Link EAP series). Unmanaged switches and most basic consumer routers cannot do VLANs.

What is the difference between a VLAN and a subnet?

A VLAN is a Layer 2 construct (Ethernet isolation, i.e. a separate broadcast domain). A subnet is a Layer 3 construct (an IP address range). They work together: each VLAN gets its own subnet. The VLAN prevents Layer 2 traffic leakage; the router plus firewall rules control Layer 3 routing between subnets.

Can devices on different VLANs communicate?

Only through a router/firewall that explicitly permits it. Inter-VLAN traffic goes to the default gateway, where firewall rules control what's allowed. This lets IoT devices reach the internet but not your NAS, while trusted devices can reach everything — exactly the security boundary VLANs are designed to provide.
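The "cannot initiate" wording in the table and in this answer only works on a stateful firewall: the gateway must remember that the Trusted host opened the connection so that the IoT device's replies are let back through while the IoT device's own connection attempts are dropped. The following added example (not code from this page, pfSense, OPNsense or OpenWrt) models the page's four-VLAN plan as such a gateway. The policy sets are an assumption derived from the table's "Access to other VLANs" column (Management is given the other VLANs for admin access but no internet), the sample flows are constructed, and 203.0.113.10 is a documentation (TEST-NET-3) address standing in for any internet host.

```python
import ipaddress
from dataclasses import dataclass

# VLAN plan from the table on this page.
VLANS = {
    10: ipaddress.ip_network("192.168.10.0/24"),   # Trusted
    20: ipaddress.ip_network("192.168.20.0/24"),   # IoT
    30: ipaddress.ip_network("192.168.30.0/24"),   # Guest
    40: ipaddress.ip_network("192.168.40.0/24"),   # Management
}
INTERNET = "internet"

# Zones each VLAN may *initiate* connections to. Assumption: the table's
# "Access to other VLANs" column read as a firewall policy. Nothing may be
# initiated from the internet, and replies are handled by connection tracking.
MAY_INITIATE = {
    10: {INTERNET, 20, 30, 40},   # Trusted: full
    20: {INTERNET},               # IoT: internet only, cannot initiate to VLANs
    30: {INTERNET},               # Guest: internet only
    40: {10, 20, 30},             # Management: devices only, no internet
}


def zone_of(ip: str):
    """Map an address to its VLAN ID, or INTERNET if outside every VLAN subnet."""
    addr = ipaddress.ip_address(ip)
    for vid, net in VLANS.items():
        if addr in net:
            return vid
    return INTERNET


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def reverse(self) -> "Flow":
        return Flow(self.dst, self.dport, self.src, self.sport, self.proto)


class StatefulFirewall:
    """The default gateway: routes between VLANs and tracks connections."""

    def __init__(self, policy):
        self.policy = policy
        self.established = set()

    def permit(self, f: Flow) -> bool:
        # Replies to a connection allowed earlier pass regardless of the
        # replying zone's policy; this is what "cannot initiate" means in
        # practice (IoT may answer Trusted, but not open anything itself).
        if f.reverse() in self.established:
            return True
        src_zone, dst_zone = zone_of(f.src), zone_of(f.dst)
        # Same-VLAN traffic never reaches the router; it is switched at Layer 2.
        if src_zone == dst_zone and src_zone != INTERNET:
            return True
        if dst_zone in self.policy.get(src_zone, set()):
            self.established.add(f)
            return True
        return False   # includes every unsolicited inbound flow from the internet


# Constructed sample flows (hosts and ports are invented for the example).
SAMPLE = [
    ("Trusted opens IoT camera web UI",     Flow("192.168.10.5", 51000, "192.168.20.7", 80)),
    ("camera replies to that session",      Flow("192.168.20.7", 80, "192.168.10.5", 51000)),
    ("IoT tries to reach the NAS (SMB)",    Flow("192.168.20.7", 40000, "192.168.10.50", 445)),
    ("IoT cloud check-in",                  Flow("192.168.20.7", 40001, "203.0.113.10", 443)),
    ("Guest tries to reach the NAS",        Flow("192.168.30.9", 40002, "192.168.10.50", 445)),
    ("Guest browses the internet",          Flow("192.168.30.9", 40003, "203.0.113.10", 443)),
    ("Management admin SSH to the NAS",     Flow("192.168.40.2", 40004, "192.168.10.50", 22)),
    ("Management tries to reach internet",  Flow("192.168.40.2", 40005, "203.0.113.10", 443)),
    ("unsolicited inbound from internet",   Flow("203.0.113.10", 443, "192.168.10.5", 3389)),
]


def evaluate(sample=SAMPLE) -> dict:
    """Run the sample flows, in order, through one firewall instance."""
    fw = StatefulFirewall(MAY_INITIATE)
    return {label: fw.permit(flow) for label, flow in sample}


if __name__ == "__main__":
    for label, verdict in evaluate().items():
        print(f"{'ALLOW' if verdict else 'DROP ':5} {label}")
```

Order matters in the sample: the camera's reply is accepted only because the Trusted host's request was evaluated first and recorded. Run the same reply flow through a fresh firewall and it is dropped, which is the behaviour you want when an IoT device starts talking to the trusted network on its own.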