Most home and small-scale networks start the same way: a router, a switch, and everything plugged in. Laptops, phones, the smart TV, a couple of IoT gadgets, maybe a NAS or a small server. It works, right up until one of those devices is compromised — and then it works for the attacker too, because there's nothing stopping them moving from a cheap smart plug straight to whatever else is sitting on the same network.
VLANs are the standard fix for this, and they're not just an enterprise concern. Once you're running more than a device or two of unknown trustworthiness — IoT, guest devices, anything internet-facing — segmentation stops being a nice-to-have and starts being the difference between a contained incident and a full compromise.
What a VLAN actually is
A VLAN (Virtual LAN) is a logically separate network that shares the same physical switching hardware as other VLANs. Without VLANs, every port on a switch belongs to one flat broadcast domain — every device can, in principle, see and reach every other device on that switch (and anything routed onward from it). VLANs split that single broadcast domain into multiple isolated ones, using the same physical cabling.
The mechanism behind this is 802.1Q tagging. Each Ethernet frame gets a small tag inserted that identifies which VLAN it belongs to (a VLAN ID, from 1 to 4094). Switches that understand 802.1Q read this tag and only forward the frame to ports that are configured to receive traffic for that VLAN. Devices on VLAN 10 and devices on VLAN 20 can share the exact same switch, in the exact same rack, and never see a single frame of each other's traffic — unless something is explicitly configured to allow it.
Access ports vs trunk ports
This is the part that trips people up most when they first configure VLANs, so it's worth being precise:
- Access ports carry traffic for a single VLAN, untagged. This is what you plug an end device into — a laptop, a printer, a camera. The device itself has no idea VLANs exist; the switch handles the tagging invisibly on its behalf.
- Trunk ports carry traffic for multiple VLANs simultaneously, with each frame tagged so the receiving end knows which VLAN it belongs to. Trunks are used between switches, and between a switch and a router or firewall that's doing routing between VLANs.
Get this wrong — commonly, leaving a trunk port's native VLAN untagged and matching the default VLAN on connected switches — and you can end up with VLAN traffic leaking somewhere it shouldn't, silently defeating the whole point of segmenting in the first place. This is worth testing explicitly, not assumed.
Why segmentation actually matters
The value of VLANs isn't abstract network tidiness. It's about limiting blast radius — how far a compromise can spread once something on your network is breached.
- Containment. If an IoT device with poor security gets compromised, segmentation means the attacker is stuck on that VLAN, unable to reach your management interfaces, backups, or anything else of value, unless a specific rule allows it.
- Explicit trust boundaries. Instead of an implicit "everything trusts everything" network, you get to define, in writing, exactly what's allowed to talk to what — and everything else is denied by default.
- Reduced attack surface per segment. A broadcast domain is also a discovery surface. Devices on the same VLAN can often discover each other via ARP, mDNS, and broadcast/multicast traffic. Smaller, purpose-specific VLANs reduce what an attacker can passively learn just by being present.
- Simpler reasoning about risk. When every device is on one flat network, "is this safe?" is a question about the entire network. When segmented, it becomes a question about one VLAN and its specific, documented rules — much easier to reason about and audit.
A practical segmentation model
There's no single correct layout, but a common and sensible starting structure for a homelab or small business network looks something like this:
| Segment | Typical contents | Trust level |
|---|---|---|
| Management | Switch/router/firewall admin interfaces, hypervisor management | Highest — access tightly restricted |
| Trusted devices | Personal laptops, phones, workstations | High — general internal access |
| Servers / infrastructure | NAS, internal application servers, backups | High, but not directly internet-reachable |
| IoT / smart devices | Cameras, smart plugs, appliances | Low — internet access only, no internal reach |
| Guest | Visitor devices | Low — internet access only, fully isolated |
| DMZ / internet-facing | Anything reachable from the public internet | Treated as hostile — isolated from everything internal |
The specific number of segments matters less than the underlying principle: group devices by trust level and by what they actually need to talk to, then write rules that allow only that traffic, denying everything else by default.
The DMZ concept deserves particular attention. Anything reachable from the public internet — a web server, a VPN endpoint, any exposed service — should be treated as the most likely point of compromise on your entire network. It should sit on its own segment with no path back into your trusted internal devices, regardless of how much you trust the software running on it. The assumption should be "this will eventually be probed or attacked," not "this is probably fine."
What you actually need to implement this
- A managed switch (or switches) that supports 802.1Q VLAN tagging. Unmanaged consumer switches can't do this — they treat all traffic as one flat network regardless of any tags already applied upstream.
- A router or firewall capable of inter-VLAN routing and access control. This is where your actual segmentation rules live — which VLANs can reach which others, and on what ports/protocols. Most consumer routers can't do this; this is typically where dedicated firewall/router platforms come in, of which there are several capable options regardless of vendor preference.
- VLAN-aware wireless access points, if you want different Wi-Fi SSIDs mapped to different VLANs (a common pattern: one SSID for trusted devices, one for IoT, one for guests, each landing on its own segment).
- A DHCP and DNS strategy per segment. Each VLAN generally needs its own DHCP scope, and you'll need to decide deliberately which segments can reach which DNS resolvers — this isn't something to leave to whatever the default happens to be.
Common mistakes worth avoiding
- Segmenting on paper but not enforcing it with firewall rules. VLANs alone only separate broadcast domains — if your router or firewall allows unrestricted routing between all VLANs by default, you've built the isolation but never actually turned it on.
- Leaving the default/native VLAN in use and untagged. This is a common, quietly dangerous default. If it's not deliberately configured and isolated like every other segment, it can become an unintended path around your segmentation.
- Assuming isolation without testing it. The only way to know segmentation actually works is to try to breach it yourself — attempt to reach a device on another VLAN and confirm it fails, then check the firewall logs to confirm it was actually blocked rather than just timing out for an unrelated reason.
- Over-permissive "allow" rules written for convenience. A rule that allows an entire segment to reach another entire segment "to make things easier" quietly erases most of the benefit. Rules should be as narrow as the actual use case requires — a specific port, a specific device, not a whole subnet.
Start small if this feels like a lot at once. Even a minimal split — trusted devices on one VLAN, everything else (IoT, guests, anything internet-facing) on another — removes most of the risk of a single compromised low-trust device reaching something that actually matters. You can always add more granular segments later as your setup grows.
Frequently asked questions
What is a VLAN and why would a homelab need one?
A VLAN splits a single physical network into multiple isolated broadcast domains, so an untrusted device can be kept from reaching servers, NAS, or management interfaces even while sharing the same physical switches.
Do I need managed switches to use VLANs?
Yes. VLAN tagging requires switches that support 802.1Q; unmanaged switches treat all traffic as a single flat network regardless of any tags already applied upstream.
What's the difference between a trunk port and an access port?
An access port carries a single VLAN's traffic, untagged, for end devices. A trunk port carries multiple VLANs' traffic simultaneously, each tagged, between switches or to a router doing inter-VLAN routing.
How do I verify VLAN segmentation is actually working?
Attempt to reach a device on another VLAN and confirm it fails, then check firewall/router logs to confirm the attempt was genuinely blocked rather than failing for an unrelated reason.
Working through a segmentation design and want a second opinion? Get in touch — happy to talk through the approach.
Get in touch →