Network Segmentation on a Budget: How to Isolate Your Most Sensitive Systems

Network segmentation is one of the most effective security controls you can implement. It is also one of the least implemented in small businesses. The reason is not that it is expensive or complicated. It is that most people assume you need enterprise-grade hardware to pull it off. You do not. If you have a managed switch and a halfway decent router, you already have what you need.

With fall approaching and many teams gearing up for a back-to-office push, now is the perfect time to rethink your network layout. A little planning now saves you a lot of pain when someone plugs in a compromised smart TV or a visitor connects to the wrong WiFi and ends up on the same network as your file server.

Why Segmentation Matters More Than You Think

Picture this: an employee brings in a personal smart speaker and plugs it into the office network. That device phones home to servers you do not control, listens for voice commands, and runs firmware that gets updated on the manufacturer's schedule. If it gets compromised, the attacker is now sitting on the same network as your accounting software, your customer database, and your domain controller.

That is the problem with flat networks. Everything can talk to everything. There are no barriers, no checkpoints, and no way to contain a breach once it happens. When ransomware hits a flat network, it spreads to every reachable device in minutes.

Segmentation fixes this by dividing your network into isolated zones. Each zone can only communicate with other zones through rules you define. If that smart speaker gets compromised, the attacker is stuck on the IoT VLAN with no route to your workstations or servers. The blast radius shrinks from "the entire company" to "a handful of IoT gadgets."

"Segmentation does not prevent every attack. But it turns a catastrophic breach into a containable incident. That is the difference between losing everything and losing one segment."

Step 1: Diagram Your Current Network

Before you change anything, you need to understand what you have. Most small businesses have never documented their network topology. Devices get added over time, switches get daisy-chained, and nobody really knows what is connected to what.

Start by mapping it out. draw.io (also called diagrams.net) is completely free and works in your browser. You do not need anything fancy. Just open it up and start dragging shapes.

Here is what to document:

• Your internet connection and modem
• Your router (make, model, firmware version)
• Every switch (managed or unmanaged)
• Access points and their SSIDs
• Every device you can find: workstations, servers, printers, cameras, smart devices, NAS boxes, everything
• Any existing VLANs or subnets (even if they were set up years ago and nobody remembers why)

This exercise alone is worth doing. You will almost certainly find devices you forgot about, switches you did not know existed, and connections that make no sense. That is normal. Every network audit we do turns up surprises.

Step 2: Plan Your VLANs

For most small businesses, four VLANs cover the essentials. You can always add more later, but starting with these four gives you solid isolation without overcomplicating things.

VLAN 10: Management

This is for network infrastructure only. Your router's management interface, switch management interfaces, access point management, and any monitoring tools. Nobody's laptop should be on this VLAN. If an attacker compromises a workstation, they should not be able to reach your switch's admin panel.

• Subnet: 10.10.10.0/24
• Devices: router, switches, access points (management interfaces only)
• Access: restricted to IT admin workstations via firewall rules

VLAN 20: Workstations

Employee computers, laptops, and any devices that need access to business applications and shared drives. This is your primary productivity network.

• Subnet: 10.10.20.0/24
• Devices: desktops, laptops, VoIP phones
• Access: can reach servers on approved ports, internet access, no access to management or IoT VLANs

VLAN 30: IoT and Smart Devices

Everything that is "smart" but not a computer. Smart TVs, thermostats, security cameras, printers, badge readers, that random smart coffee maker someone brought in. These devices typically have weak security, rarely get patched, and should never share a network with your workstations.

• Subnet: 10.10.30.0/24
• Devices: printers, cameras, smart displays, IoT sensors
• Access: internet access (filtered), no access to workstation or management VLANs. Workstations can reach printers on specific ports.

VLAN 40: Guest

Visitors, personal devices, and anything you do not fully trust. This VLAN gets internet access and nothing else. No access to any internal resources whatsoever.

• Subnet: 10.10.40.0/24
• Devices: guest WiFi clients, personal phones, contractor laptops
• Access: internet only, completely isolated from all other VLANs

Step 3: Configure VLANs on Your Switch

You need a managed switch to do this. If you are running unmanaged switches (the kind with no configuration interface), this is the one piece of hardware you might need to upgrade. Fortunately, managed switches are not expensive. A decent 24-port managed switch from TP-Link, Netgear, or Ubiquiti runs between $100 and $250.

The exact steps vary by manufacturer, but the general process is the same across all managed switches.

Example: Creating VLANs on a Typical Managed Switch

Log into your switch's web interface (usually at the switch's IP address in a browser). Navigate to the VLAN configuration section. Create each VLAN:

• VLAN 10 - Name: "Management"
• VLAN 20 - Name: "Workstations"
• VLAN 30 - Name: "IoT"
• VLAN 40 - Name: "Guest"

Next, assign ports to VLANs. There are two types of port assignments you need to understand:

• Access ports carry traffic for a single VLAN. Your end devices (workstations, printers, cameras) connect to access ports. The device does not need to know anything about VLANs.
• Trunk ports carry traffic for multiple VLANs simultaneously using 802.1Q tagging. These connect your switch to your router and to other switches. The VLAN tag tells the receiving device which VLAN each packet belongs to.

For a typical setup with 24 ports, you might assign them like this:

• Port 1: Trunk to router (all VLANs tagged)
• Ports 2-3: Access, VLAN 10 (management devices)
• Ports 4-15: Access, VLAN 20 (workstations)
• Ports 16-20: Access, VLAN 30 (IoT devices)
• Ports 21-23: Access, VLAN 40 (guest or spare)
• Port 24: Trunk to second switch (if needed)

Wireless VLANs

Most prosumer and business access points (Ubiquiti UniFi, TP-Link Omada, even some higher-end consumer routers) let you create multiple SSIDs and map each one to a different VLAN. Create separate SSIDs for each network zone:

• Office-Staff mapped to VLAN 20
• Office-IoT mapped to VLAN 30
• Office-Guest mapped to VLAN 40

The access point connects to the switch on a trunk port so it can carry all three VLANs over a single cable.

Step 4: Set Up Inter-VLAN Routing and Firewall Rules

Creating VLANs without firewall rules is like building walls with no doors and then leaving giant holes in them. The VLANs provide the separation, but your router's firewall rules determine what traffic can cross between them.

Your router needs to act as the gateway for each VLAN. Most routers that support VLANs (pfSense, OPNsense, Ubiquiti EdgeRouter, even MikroTik) let you create sub-interfaces, one for each VLAN, each with its own IP address and DHCP scope.

Router sub-interfaces

• eth0.10 - 10.10.10.1/24 (Management gateway)
• eth0.20 - 10.10.20.1/24 (Workstations gateway)
• eth0.30 - 10.10.30.1/24 (IoT gateway)
• eth0.40 - 10.10.40.1/24 (Guest gateway)

Firewall rules: start with deny-all, then allow exceptions

The golden rule of firewall configuration is the same as the principle behind zero trust: deny everything by default, then create explicit rules for traffic that needs to flow. Here are the rules most small offices need:

1. All VLANs to Internet: Allow. Every VLAN needs internet access (you can filter the Guest and IoT VLANs more aggressively with DNS filtering or content restrictions).
2. Workstations to Servers: Allow on specific ports. If your file server is on the workstation VLAN, workstations need SMB (445), RDP (3389), HTTP/HTTPS (80/443), etc. Only open what is actually used.
3. Workstations to IoT (printers): Allow TCP 9100 (raw print), TCP 631 (IPP), and UDP 5353 (mDNS/Bonjour for printer discovery). Block everything else.
4. IT Admin Workstation to Management VLAN: Allow HTTPS (443) and SSH (22) from a specific IP or small subnet. This lets your IT person manage switches and APs without putting the management VLAN at risk.
5. Guest to anything internal: Deny. No exceptions. The guest VLAN gets internet and nothing else.
6. IoT to Workstations: Deny. IoT devices should never initiate connections to your workstations.
7. IoT to Management: Deny. There is no reason a smart thermostat needs to talk to your switch.

If you are using pfSense or OPNsense (both free and open source), you create these rules on each VLAN interface. The rules are processed top to bottom, so put your allow rules first and your deny-all rule last.

Step 5: Test Everything

After configuring your VLANs and firewall rules, test from a device on each VLAN to make sure the rules are working as intended.

• From a workstation: Can you browse the internet? Can you print? Can you access shared drives? Can you reach the switch management page? (That last one should fail.)
• From an IoT device: Can it reach the internet? Can it ping a workstation? (Should fail.)
• From the guest network: Can you browse the internet? Can you ping anything on the internal network? (Should fail completely.)
• From your IT admin machine: Can you reach the switch and AP management interfaces? Can you reach everything else you need?

Use ping and traceroute to verify connectivity. If something that should be blocked is getting through, check your firewall rule order. Rules are evaluated top to bottom, and the first match wins.

Common Mistakes to Avoid

• Leaving the management VLAN on the default VLAN 1. Many switches use VLAN 1 as the default, and some untagged traffic ends up there. Create a dedicated management VLAN (like our VLAN 10) and change the switch's management interface to use it.
• Forgetting about DHCP. Each VLAN needs its own DHCP scope. Your router should serve DHCP for each subnet. If devices are not getting IP addresses after the switch, check your DHCP configuration.
• Making trunk ports access ports by mistake. If the uplink between your switch and router is set as an access port instead of a trunk, only one VLAN's traffic will pass through. Double-check that port.
• Not documenting your port assignments. Label your switch ports (physically, with a label maker) and keep your network diagram updated. Future you will be grateful.
• Over-segmenting too early. Four VLANs is a great starting point. You can always add more later (a dedicated server VLAN, a VoIP VLAN, a security camera VLAN). Do not try to create ten VLANs on day one. Get the basics working and iterate.

The Budget Breakdown

Let's talk about what this actually costs if you are starting from scratch with basic equipment:

• Managed switch (24-port): $100 to $250. TP-Link TL-SG1024DE, Netgear GS324T, or Ubiquiti USW-24 are all solid options.
• Router with VLAN support: $0 if you install pfSense or OPNsense on an old PC, or $100 to $200 for a dedicated appliance like a Protectli Vault or Ubiquiti EdgeRouter.
• Access point with multi-SSID/VLAN support: $100 to $150. Ubiquiti U6 Lite or TP-Link EAP245 both work well.
• draw.io for network diagrams: Free.
• Your time: Plan for a Saturday afternoon. The initial setup takes a few hours. Testing and tweaking takes another hour or two.

Total cost: somewhere between $0 (if you already have the hardware) and $600 (if you are buying everything new). Compare that to the average cost of a data breach for a small business, which is well into six figures, and this is one of the best investments you can make.

Timing It Right

If your team is heading back to the office this fall or you are planning a network refresh before the busy season, this is the ideal time to implement segmentation. You are already going to be plugging things in and reconfiguring. Add VLAN setup to the checklist while everything is in flux anyway.

It is also a good time to audit what is on your network. Chances are there are devices connected that nobody remembers deploying. Old test servers, forgotten IoT gadgets, that Raspberry Pi someone set up for a demo two years ago. Find them, decide if they still need to exist, and assign them to the right VLAN.

"The best time to segment your network was when you first set it up. The second best time is right now, before the fall rush."