VLAN Setup for Small Offices: A Practical Step-by-Step Guide

Most small offices start with a single flat network — one router, one switch, everything on the same subnet. It works until it doesn't. A guest laptop shares bandwidth with your VoIP phones. An IoT thermostat sits on the same network segment as your file server. One compromised device can reach everything else.

If you're managing a network for a 20–150 person office and you've never set up network segmentation, this guide is for you. We'll walk through exactly how to approach vlan setup for a small office: which VLANs to create, how to configure them on real hardware, and where people go wrong.

No fluff — just the configuration decisions that matter.

What Is a VLAN?

A VLAN (Virtual Local Area Network) is a way to logically divide a single physical switch into multiple isolated network segments. Think of it like this: your office building has one set of hallways, but you put up walls and locked doors between departments. People in accounting can't wander into the server room, even though they're all in the same building.

Without VLANs, all your network traffic rides the same hallway. With VLANs, each segment gets its own walled-off space — with a firewall (or router with ACLs) controlling what can talk to what.

Switches carry VLAN traffic in two ways:

  • Access ports — assigned to a single VLAN, typically where end devices plug in
  • Trunk ports — carry traffic from multiple VLANs between switches, routers, and access points (tagged with 802.1Q headers)

You don't need to memorize the spec. You just need to know which ports are access and which are trunk — and we'll cover that in the configuration steps.

Why Small Offices Need VLAN Segmentation

The argument for vlan segmentation in a small business isn't just theoretical. Here's what we see in real environments:

Security exposure. A flat network means any device can initiate traffic to any other device. If a laptop gets infected with ransomware, it can scan and attempt to reach your NAS, your backup server, your printer admin interface — everything. VLANs don't stop all lateral movement, but they force it through your firewall where you can log and block it.

Compliance and liability. If you process payment cards, handle healthcare data, or operate under any regulated framework, auditors will ask about network segmentation. A flat network is a finding.

Performance and QoS. VoIP traffic is time-sensitive. If it competes with a large file transfer or a video conference on the same broadcast domain, call quality degrades. Putting VoIP on its own VLAN lets you prioritize that traffic at the switch level.

Guest access. Giving a visitor your main Wi-Fi password is a security problem. A guest VLAN with internet-only access solves this cleanly.

Here's the VLAN structure we typically deploy at Tinaht for small office environments. Adjust subnet sizes based on your headcount.

VLAN ID Name Subnet Purpose
10 Staff 192.168.10.0/24 Employee workstations, laptops, corporate devices
20 Servers 192.168.20.0/24 File servers, NAS, internal apps, printers
30 VoIP 192.168.30.0/24 IP phones, SIP infrastructure
40 IoT 192.168.40.0/24 Thermostats, cameras, building automation
50 Guest 192.168.50.0/24 Visitor Wi-Fi — internet only, no LAN access
99 Management 192.168.99.0/24 Switch management IPs, AP management, router access

A few design decisions baked into this:

  • Servers get their own VLAN. Staff can reach servers (via firewall rules), but IoT devices cannot. This is the most impactful single change in most flat-network environments.
  • Management VLAN is isolated. Your switch admin interfaces and AP management should never be reachable from the Guest or IoT VLANs.
  • IoT is quarantined. These devices often have poor security and no update cadence. Keep them isolated — they should reach the internet and nothing else.

Your router or firewall handles inter-VLAN routing. pfSense, OPNsense, Cisco ASA, and Fortinet all support this natively. The firewall ruleset determines what can talk across VLANs.

Step-by-Step: Configuring VLANs on Managed Switches

You need a managed switch to implement VLANs. Unmanaged switches cannot do this. Common choices we work with: Aruba Instant On, Ubiquiti UniFi, and Cisco Business series.

Ubiquiti UniFi Example

UniFi handles much of this through its controller UI.

  1. Log into the UniFi Network controller (cloud or local)
  2. Navigate to Settings → Networks → Create New Network
  3. For each VLAN, create a network:
    • Name: Staff
    • VLAN ID: 10
    • Gateway/Subnet: 192.168.10.1/24
    • DHCP: Enabled (or point to your external DHCP server)
  4. Repeat for each VLAN in the table above
  5. Navigate to UniFi Devices → [your switch] → Ports
  6. For uplink/trunk ports (to router, other switches, APs): set port profile to All (carries all VLANs tagged)
  7. For endpoint ports (workstations, phones): assign the appropriate port profile matching that VLAN

Aruba Instant On Example

  1. Log into the Aruba Instant On portal or local app
  2. Go to Networks → Wired Networks → Add Network
  3. Create each VLAN with its ID and name
  4. Under Switch Configuration, assign VLANs to ports:
    • Set trunk ports (to router/APs) as Tagged for all VLANs
    • Set access ports as Untagged for the appropriate VLAN
  5. Your default/native VLAN should be the Management VLAN (99), not VLAN 1

Important: Change the management VLAN from the default VLAN 1 on every switch you deploy. VLAN 1 is a known attack target and leaving management on it is a documented misconfiguration.

Step-by-Step: SSID-to-VLAN Mapping for Wi-Fi

For the office network segmentation to extend to Wi-Fi, each SSID needs to be mapped to a VLAN. This means your APs must be on a trunk port (carrying all VLANs), and your controller or AP must support SSID-to-VLAN assignment.

In Ubiquiti UniFi

  1. Go to Settings → WiFi → Create New WiFi Network
  2. Create separate SSIDs:
    • Tinaht-Staff → Network: Staff (VLAN 10)
    • Tinaht-VoIP → Network: VoIP (VLAN 30)
    • Tinaht-Guest → Network: Guest (VLAN 50)
  3. For Guest, enable Client Device Isolation and disable LAN access
  4. Ensure your AP uplink port is configured as a trunk carrying all relevant VLANs

In Aruba Instant On

  1. Go to Networks → Wireless Networks → Add
  2. Assign each SSID a VLAN ID matching your table
  3. For the Guest network, enable the Guest toggle — this automatically restricts it to internet-only with client isolation
  4. Apply the network to your access points

After mapping, confirm with a device connected to each SSID that it receives an IP in the correct subnet and that cross-VLAN traffic is blocked where intended.

Common Mistakes to Avoid

We've cleaned up a lot of small office networks. Here are the errors we see most often:

Leaving everything on VLAN 1. VLAN 1 is the default on every switch and should carry no production traffic. Create a dedicated management VLAN and move switch IPs there.

Forgetting to trunk APs. If your AP uplink port is configured as an access port on only one VLAN, all your SSIDs end up on that VLAN regardless of how you configure them in the controller. Always verify the physical port config.

No inter-VLAN firewall rules. Creating VLANs without writing firewall rules between them gives you the appearance of segmentation without the protection. Staff VLAN reaching the IoT VLAN via the router is still a problem — you need explicit deny rules.

Using /24 everywhere without thinking. A /24 gives you 254 hosts. For an IoT VLAN with 12 devices or a Management VLAN with 5 switches, a /28 or /27 is more appropriate and reduces broadcast traffic.

Testing from the same VLAN you configured. Always test cross-VLAN connectivity from a device on the source VLAN, not from the router itself. The router can usually reach everything — that doesn't mean your firewall rules are working.

When to Hire a Professional vs. DIY

A vlan configuration guide can get you to a working setup, but there are situations where it's worth bringing in a network engineer.

DIY is reasonable if:

  • You're using a unified platform (UniFi or Aruba Instant On) with a GUI controller
  • You have fewer than 5 switches and 3 SSIDs
  • You don't have compliance requirements (PCI, HIPAA)
  • You're comfortable reading switch logs when something breaks

Hire a professional if:

  • You're mixing hardware from multiple vendors (Cisco + Ubiquiti + pfSense)
  • You have existing infrastructure that can't go offline during changes
  • You need documented network diagrams for compliance or insurance
  • Your VoIP or security cameras are on the same network as production systems and you can't afford downtime during troubleshooting

At Tinaht, we handle vlan setup for small office environments regularly — from a 25-person professional services firm to a 120-person manufacturing office with OT equipment. We design the VLAN structure, configure the hardware, write the firewall rules, and hand you documentation you can actually use.

We also do post-implementation testing: confirming that Guest devices can't reach Staff, that IoT can't reach Servers, and that management interfaces are locked down.

Your Network Should Work For You, Not Against You

A properly segmented network isn't a luxury — it's the baseline for a secure, manageable small office environment. The vlan setup for your small office doesn't need to be complicated, but it does need to be intentional. Random subnets, VLAN 1 everywhere, and undocumented port configs create problems that compound over time.

If you're ready to do this right — or you've inherited a network that was never set up properly — we can help.

Ready to segment your office network?

We assess your current setup, design the right VLAN structure, and configure everything — switches, APs, and firewall rules — with full documentation.

Talk to Our Network Team →
Djonny Noel

Founder of Tinaht. Network architect and engineer with hands-on experience designing and deploying VLAN infrastructure for small and mid-sized businesses across New England. Based in Littleton, MA.