How to Segment Your Network: A Step-by-Step Guide for Miami Small Businesses
Network segmentation is the single most effective control for limiting ransomware blast radius — yet most Miami small businesses run completely flat networks where one infected laptop can reach every server, backup, and device. This step-by-step guide shows you exactly how to segment your network, what equipment you need, and how to verify it is working.
In our 2025 incident data from Miami-Dade businesses, 71% of ransomware attacks that started on a single device spread to multiple systems — servers, backups, shared drives — within the first four hours. The reason is almost always the same: a completely flat network with no internal barriers. Network segmentation is the control that changes "ransomware hit one laptop" into "ransomware hit one laptop and stopped there." This guide walks you through exactly how to implement it, step by step, for a typical Miami small business.
What this guide covers: We will walk through the full segmentation process — from understanding what segmentation is and why it matters, to the specific equipment you need, to configuring VLANs and firewall rules, to testing that your segmentation is actually working. By the end, you will have a concrete implementation plan for your specific business.
What Is Network Segmentation and Why Does It Matter for Miami Businesses?
Network segmentation means dividing your single network into multiple isolated zones — called segments or VLANs (Virtual Local Area Networks) — with controlled access between them. Think of it like the difference between an open-plan office where everyone can walk anywhere, versus an office with locked doors between departments. If someone unauthorized gets into the building, locked doors limit where they can go.
In a flat (unsegmented) network, every device can communicate freely with every other device. Your receptionist's computer can reach the accounting server. The guest Wi-Fi can reach the file server. The smart TV in the conference room can reach the backup system. When ransomware infects any one of those devices, it immediately begins scanning the network for other targets — and in a flat network, it finds everything.
The Real-World Impact: What Segmentation Prevents
- Ransomware lateral movement: LockBit, RansomHub, and most modern ransomware variants use SMB (file sharing protocol) to spread from one infected device to all reachable devices. Network segmentation with firewall rules blocking SMB between segments stops this spread at the segment boundary.
- Guest device attacks: A client's infected laptop on your guest Wi-Fi cannot reach your business network if they are properly segmented. Without segmentation, that guest device is on the same network as your accounting server.
- IoT device exploitation: Smart TVs, security cameras, and HVAC controllers often run outdated firmware with known vulnerabilities. Isolating them in a separate segment means a compromised smart TV cannot pivot to your business computers.
- Insider threat containment: Segmentation limits what any single compromised account or device can reach — reducing the blast radius of both external attacks and accidental insider incidents.
- Compliance requirements: HIPAA, PCI DSS, and the FTC Safeguards Rule all require or strongly recommend network segmentation to isolate systems containing sensitive data.
Real Miami example from our 2025 incident data: A 22-person Brickell professional services firm had ransomware enter through a phishing email on one employee's laptop. Because the firm ran a flat network, the ransomware spread to 14 additional workstations, 2 servers, and the network-attached backup drive within 3 hours. Total recovery cost: $187,000 over 18 days. A properly segmented network with firewall rules blocking SMB between segments would have contained the infection to the single laptop. Recovery cost: approximately $2,400 for a clean OS reinstall.
Step 1: Understand Your Current Network
Before you can segment your network, you need to know what is on it. Most small businesses are surprised by how many devices are connected — and how many of them they did not know about.
How to Inventory Your Network Devices
1. Log into your router or firewall admin interface (typically at 192.168.1.1 or 192.168.0.1 in a browser). Look for a "Connected Devices," "DHCP Clients," or "LAN Clients" section. This shows every device currently connected to your network with its IP address and MAC address.
2. For a more thorough scan, download and run Angry IP Scanner (free, available at angryip.org) on any computer on your network. Set the IP range to your network range (e.g., 192.168.1.1 to 192.168.1.254) and click Start. It will show every active device.
3. For each device found, record: device name or hostname, IP address, MAC address, device type (computer, printer, camera, etc.), and which department or person uses it.
4. Pay special attention to devices you do not recognize — these could be unauthorized devices, forgotten equipment, or IoT devices that were connected and forgotten.
Categorize Your Devices by Segment
Once you have your inventory, group devices into categories that will become your network segments. For most Miami small businesses, three to four segments cover everything:
- Business computers and servers (VLAN 10): Employee workstations, laptops, servers, NAS devices, business printers. These are your most trusted devices and need to communicate with each other.
- Guest and visitor Wi-Fi (VLAN 20): Devices used by clients, visitors, and contractors. These need internet access but should never reach your business network.
- IoT and building systems (VLAN 30): Smart TVs, security cameras, HVAC controllers, smart locks, VoIP phones (if separate from computers), and any other internet-connected devices that are not business computers.
- Management network (VLAN 99, optional): A separate segment for network equipment management interfaces — router admin, switch admin, access point admin. Restricting management access to this segment prevents attackers who compromise a business computer from reaching network equipment.
Pro Tip
Start simple. If you have never segmented your network before, begin with just two segments: business network and guest Wi-Fi. This single change eliminates the most common attack path (guest device to business network) and gives you a foundation to build on. You can add IoT and management segments later.
Step 2: Gather the Equipment You Need
Network segmentation requires specific equipment. Consumer-grade routers and unmanaged switches cannot create VLANs. Here is exactly what you need and what it costs.
Required Equipment
- A managed switch: Unlike unmanaged switches (which just pass all traffic between all ports), managed switches support VLANs — they can assign different ports to different network segments. Recommended options for small businesses: Cisco SG350-10 (8 ports, ~$200), Netgear GS308E (8 ports, ~$60), or Ubiquiti UniFi USW-8 (~$100). If you have more than 8 devices, get a 24-port model.
- A business-grade firewall/router: Your firewall enforces the rules between segments — deciding what traffic is allowed to cross from one VLAN to another. Consumer routers cannot do this properly. Recommended options: Fortinet FortiGate 40F (~$400 + $300/yr subscription), Cisco Meraki MX67 (~$600 + $300/yr), SonicWall TZ270 (~$500 + $250/yr), or Ubiquiti UniFi Dream Machine Pro (~$380, no subscription). If you already have a business-grade firewall, check whether it supports VLAN routing — most do.
- Wireless access points that support multiple SSIDs: To create separate Wi-Fi networks for business and guest, your access points must support multiple SSIDs (network names) on different VLANs. Most business-grade access points do. Consumer routers with built-in Wi-Fi often support a "guest network" feature that approximates this — check your router documentation.
Total Equipment Cost Estimate for a 20-Person Miami Business
| Equipment | Recommended Model | Approximate Cost |
|---|---|---|
| Managed switch (24-port) | Cisco SG350-28 or Netgear GS324E | $150–$350 |
| Business firewall (if upgrading) | Fortinet FortiGate 40F or SonicWall TZ270 | $400–$600 + $250–$300/yr |
| Wireless access points (2–3) | Ubiquiti UniFi U6-Lite or Cisco Meraki MR36 | $150–$400 each |
| Installation and configuration (professional) | IT provider labor | $400–$1,200 one-time |
| Total (equipment + installation) | — | $1,100–$3,000 one-time |
Cost estimates for a 20-person Miami small business implementing basic three-segment network segmentation. Annual firewall subscription costs are separate.
If you already have a business-grade firewall and managed switches, the cost of adding segmentation may be close to zero — it is primarily a configuration change, not a hardware purchase. Simple Network Solutions can assess your existing equipment and tell you whether it supports VLAN configuration as part of our free firewall audit.
Step 3: Plan Your VLAN Design
Before touching any equipment, document your VLAN design on paper. This prevents mistakes during configuration and gives you a reference document for future changes.
VLAN Design Template for a Miami Small Business
| VLAN ID | Name | IP Subnet | Purpose | Devices |
|---|---|---|---|---|
| VLAN 10 | Business | 192.168.10.0/24 | Employee computers and servers | Workstations, laptops, servers, NAS, business printers |
| VLAN 20 | Guest | 192.168.20.0/24 | Visitor and client Wi-Fi | Client devices, contractor laptops, personal phones |
| VLAN 30 | IoT | 192.168.30.0/24 | Smart devices and building systems | Security cameras, smart TVs, HVAC, VoIP phones |
| VLAN 99 | Management | 192.168.99.0/24 | Network equipment admin access | Router, switch, access point management interfaces |
Sample VLAN design for a 20-person Miami small business. Adjust VLAN IDs and subnets to match your existing network configuration.
Firewall Rules Between Segments (Plan These Before Configuring)
The firewall rules between segments define what traffic is allowed to cross from one VLAN to another. Plan these rules before you start configuring — it is much easier to think through the logic on paper than to troubleshoot broken connectivity after the fact.
- Guest (VLAN 20) → Business (VLAN 10): BLOCK ALL. Guest devices should never reach business computers or servers. No exceptions.
- Guest (VLAN 20) → Internet: ALLOW. Guest devices need internet access.
- IoT (VLAN 30) → Business (VLAN 10): BLOCK ALL. IoT devices should never reach business computers.
- IoT (VLAN 30) → Internet: ALLOW (with restrictions). IoT devices may need internet access for updates and cloud services, but consider restricting to specific destinations if possible.
- Business (VLAN 10) → Internet: ALLOW (with outbound filtering). Business computers need internet access, but consider DNS filtering and content filtering.
- Business (VLAN 10) → IoT (VLAN 30): ALLOW specific ports only. For example, if employees need to cast to a conference room TV, allow the specific casting protocol (TCP 8009 for Chromecast) but block everything else.
- Management (VLAN 99) → All VLANs: ALLOW (for IT administration). Only IT staff should have access to the management VLAN.
- All VLANs → Management (VLAN 99): BLOCK ALL. No device should be able to reach network equipment management interfaces except from the management VLAN.
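The rule plan above can be checked on paper before any firewall is touched. The following is an added example written for this guide (not FortiGate, SonicWall or UniFi configuration, and not the author's code): it models the plan as a first-match policy with a configurable implicit default and audits it against the outcomes the verification tests in Step 7 expect. Subnets come from the Step 3 design table; the individual host addresses are constructed samples. Running it with an implicit default of ALLOW instead of DENY shows which flows the plan leaves open, which is the firewall-default pitfall called out under Common Mistakes.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# VLAN design table from Step 3. Anything outside these subnets is "Internet".
ZONES = {
    "Business": ip_network("192.168.10.0/24"),
    "Guest": ip_network("192.168.20.0/24"),
    "IoT": ip_network("192.168.30.0/24"),
    "Management": ip_network("192.168.99.0/24"),
}


def zone_of(ip: str) -> str:
    """Map an address to its VLAN name, or "Internet" if it is not internal."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "Internet"


@dataclass(frozen=True)
class Rule:
    src: str                    # zone name or "ANY"
    dst: str                    # zone name or "ANY"
    action: str                 # "ALLOW" or "DENY"
    proto: str = "any"          # "tcp", "udp", "icmp" or "any"
    port: Optional[int] = None  # destination port; None matches any port

    def matches(self, src_zone: str, dst_zone: str, proto: str, port: Optional[int]) -> bool:
        return (self.src in ("ANY", src_zone)
                and self.dst in ("ANY", dst_zone)
                and self.proto in ("any", proto)
                and (self.port is None or self.port == port))


# The "Firewall Rules Between Segments" plan, in evaluation order. Traffic that
# stays inside one VLAN never crosses the firewall, so it is not listed here.
PLAN = [
    Rule("Management", "ANY", "ALLOW"),             # IT administration from VLAN 99
    Rule("ANY", "Management", "DENY"),              # nothing else reaches admin interfaces
    Rule("Guest", "Business", "DENY"),
    Rule("Guest", "Internet", "ALLOW"),
    Rule("IoT", "Business", "DENY"),
    Rule("IoT", "Internet", "ALLOW"),
    Rule("Business", "Internet", "ALLOW"),
    Rule("Business", "IoT", "ALLOW", "tcp", 8009),  # Chromecast casting only
]


def evaluate(src_ip: str, dst_ip: str, proto: str, port: Optional[int],
             default: str = "DENY", plan: List[Rule] = PLAN) -> str:
    """First-match evaluation; `default` is the firewall's implicit policy."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone:
        return "ALLOW"  # intra-VLAN traffic is switched locally
    for rule in plan:
        if rule.matches(src_zone, dst_zone, proto, port):
            return rule.action
    return default


# Expected outcomes mirroring the Step 7 verification tests. Host addresses are
# constructed samples inside the subnets above, not real devices.
EXPECTED: List[Tuple[str, str, str, str, Optional[int], str]] = [
    ("Guest laptop ping business server", "192.168.20.15", "192.168.10.50", "icmp", None, "DENY"),
    ("Guest laptop SMB to business server", "192.168.20.15", "192.168.10.50", "tcp", 445, "DENY"),
    ("Guest laptop DNS to internet", "192.168.20.15", "8.8.8.8", "udp", 53, "ALLOW"),
    ("Camera SMB to business server", "192.168.30.7", "192.168.10.50", "tcp", 445, "DENY"),
    ("Workstation cast to conference TV", "192.168.10.22", "192.168.30.40", "tcp", 8009, "ALLOW"),
    ("Workstation SSH to conference TV", "192.168.10.22", "192.168.30.40", "tcp", 22, "DENY"),
    ("Workstation to switch admin page", "192.168.10.22", "192.168.99.2", "tcp", 443, "DENY"),
    ("Guest laptop to camera web UI", "192.168.20.15", "192.168.30.7", "tcp", 80, "DENY"),
    ("Admin PC to switch admin page", "192.168.99.10", "192.168.99.2", "tcp", 443, "ALLOW"),
    ("Admin PC SSH to business server", "192.168.99.10", "192.168.10.50", "tcp", 22, "ALLOW"),
    ("Workstation to file server", "192.168.10.22", "192.168.10.50", "tcp", 445, "ALLOW"),
]


def audit(default: str = "DENY") -> List[str]:
    """Return the names of expectations the plan fails under the given default."""
    return [name for name, s, d, proto, port, want in EXPECTED
            if evaluate(s, d, proto, port, default) != want]


if __name__ == "__main__":
    for default in ("DENY", "ALLOW"):
        failures = audit(default)
        print(f"implicit default {default}: {len(failures)} unexpected result(s)")
        for name in failures:
            print("  FAIL:", name)
```

With an implicit DENY the plan passes every expectation; with an implicit ALLOW, Business-to-IoT on ports other than 8009 and Guest-to-IoT are left open because the plan never states them explicitly.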
Step 4: Configure VLANs on Your Managed Switch
The managed switch is where you assign physical ports to VLANs. The exact steps vary by switch manufacturer, but the logic is the same across all managed switches. We will use Cisco SG350 as the example — one of the most common small business managed switches in Miami.
Cisco SG350 VLAN Configuration (Step by Step)
1. Connect to the switch admin interface: Open a browser and navigate to the switch's IP address (default is 192.168.1.254 for most Cisco SG350 models). Log in with the admin credentials (default: admin/admin — change this immediately if you have not).
2. Create the VLANs: Navigate to VLAN Management → VLAN Settings. Click Add. Enter VLAN ID 10 and name it "Business." Click Apply. Repeat to create VLAN 20 (Guest), VLAN 30 (IoT), and VLAN 99 (Management).
3. Configure the trunk port to the firewall: The port connecting your switch to your firewall needs to carry all VLANs — this is called a trunk port. Navigate to VLAN Management → Port to VLAN. Select the port connected to your firewall. Set it as a Trunk port. Add all VLANs (10, 20, 30, 99) as Tagged on this port.
4. Assign access ports to VLANs: For each port that connects to a device (not the firewall), assign it to the appropriate VLAN as an Access port (untagged). Navigate to VLAN Management → Port to VLAN. For each port: select the port, set it as Access, and assign it to the correct VLAN (e.g., ports 1–8 to VLAN 10 for business computers, ports 9–10 to VLAN 30 for IoT devices).
5. Configure the management VLAN: Navigate to IP Configuration → IPv4 Interface. Set the switch management IP to an address in the VLAN 99 subnet (e.g., 192.168.99.2). This ensures the switch admin interface is only accessible from the management VLAN.
6. Save the configuration: Click Save in the top right corner to save the configuration to flash memory. If you do not save, the configuration will be lost on reboot.
Important: When you move the switch management interface to VLAN 99, you will lose access to the switch admin from your current computer (which is on VLAN 10). Before making this change, ensure you have a computer on the management VLAN or a console cable connection to the switch. Alternatively, configure the management VLAN last, after all other settings are verified.
Ubiquiti UniFi Switch VLAN Configuration
If you use Ubiquiti UniFi equipment (increasingly common in Miami small businesses), VLAN configuration is done through the UniFi Network Controller:
1. Open the UniFi Network Controller in your browser.
2. Navigate to Settings → Networks. Click Create New Network.
3. Create each VLAN: Name it (e.g., "Business"), set the VLAN ID (10), set the subnet (192.168.10.0/24), and enable the DHCP server. Repeat for each VLAN.
4. Navigate to Devices → your switch. Click on the switch to open its settings.
5. Click on each port and assign it to the appropriate network (VLAN). Ports connecting to devices get assigned to their VLAN. The uplink port to the firewall is automatically configured as a trunk.
6. Apply the changes. UniFi will push the configuration to the switch automatically.
Step 5: Configure VLAN Routing and Firewall Rules
The firewall is where you control what traffic is allowed between VLANs. This is the most critical step — the switch creates the segments, but the firewall enforces the rules between them. We will use Fortinet FortiGate as the example, but the concepts apply to all business firewalls.
Fortinet FortiGate VLAN and Firewall Rule Configuration
1. Create VLAN interfaces on the firewall: Log into the FortiGate admin interface. Navigate to Network → Interfaces. Click Create New → Interface. Set Type to VLAN. Set the parent interface to the physical port connected to your switch. Set the VLAN ID (10 for Business). Set the IP address (192.168.10.1/24 — this will be the default gateway for devices on this VLAN). Enable DHCP Server if you want the firewall to assign IP addresses to devices on this VLAN. Repeat for each VLAN (20, 30, 99).
2. Create firewall policies between VLANs: Navigate to Policy & Objects → Firewall Policy. Click Create New. For the Guest-to-Business block rule: Source Interface = Guest (VLAN 20), Destination Interface = Business (VLAN 10), Action = DENY. For the Guest-to-Internet allow rule: Source Interface = Guest (VLAN 20), Destination Interface = WAN, Action = ACCEPT. Repeat for each rule in your plan.
3. Enable logging on deny rules: For each DENY rule, enable logging. This records every blocked connection attempt — useful for detecting attacks and verifying your segmentation is working.
4. Test the rules before finalizing: Connect a test device to the guest VLAN and try to ping a device on the business VLAN. The ping should fail. Try to access the internet from the guest VLAN — it should succeed. Verify each rule in your plan.
SonicWall VLAN Configuration
1. Log into the SonicWall admin interface. Navigate to Network → Interfaces.
2. Click Add Interface. Select VLAN as the type. Set the VLAN ID, parent interface, IP address, and subnet mask. Enable the DHCP server if needed. Repeat for each VLAN.
3. Navigate to Firewall → Access Rules. Click Add to create rules between zones.
4. SonicWall uses "zones" rather than interfaces for firewall rules. Assign each VLAN interface to an appropriate zone (LAN, DMZ, or create custom zones for Guest and IoT).
5. Create access rules between zones following your planned rules. Set the action to Allow or Deny as appropriate.
Step 6: Configure Separate Wi-Fi Networks (SSIDs) for Each Segment
Wireless segmentation requires your access points to broadcast separate SSIDs (Wi-Fi network names) that are tagged to different VLANs. When a device connects to the "Guest" SSID, it gets placed on VLAN 20 and is subject to the guest firewall rules. When a device connects to the "Business" SSID, it gets placed on VLAN 10.
Ubiquiti UniFi Access Point SSID Configuration
1. In the UniFi Network Controller, navigate to Settings → WiFi.
2. Click Create New WiFi Network.
3. For the business SSID: Name it (e.g., "SNS-Business"), set a strong password, and assign it to the Business network (VLAN 10). Enable WPA3 or WPA2 security.
4. For the guest SSID: Name it (e.g., "SNS-Guest"), set a separate password, and assign it to the Guest network (VLAN 20). Enable the "Guest Policy" option if available — this enables client isolation (prevents guest devices from communicating with each other).
5. For the IoT SSID (if needed): Name it (e.g., "SNS-IoT"), set a password, and assign it to the IoT network (VLAN 30).
6. Apply the changes. UniFi will push the SSID configuration to all access points automatically.
Cisco Meraki Access Point SSID Configuration
1. Log into the Meraki Dashboard at dashboard.meraki.com.
2. Navigate to Wireless → SSIDs.
3. Click on the SSID you want to configure (or create a new one).
4. Set the SSID name and security settings (WPA2 or WPA3).
5. Under "VLAN tagging," enable VLAN tagging and set the VLAN ID to match your design (10 for business, 20 for guest).
6. For the guest SSID, enable "Client isolation" to prevent guest devices from communicating with each other.
7. Save the changes. Meraki will push the configuration to all access points in the network.
Consumer Router Guest Network (Simplified Option)
If you are not ready to invest in managed switches and business-grade access points, most modern consumer routers include a "Guest Network" feature that provides basic isolation between guest and business Wi-Fi. This is not as robust as proper VLAN segmentation, but it is significantly better than no segmentation at all.
1. Log into your router admin interface (typically 192.168.1.1 or 192.168.0.1).
2. Look for "Guest Network," "Guest Wi-Fi," or "Guest Zone" in the wireless settings.
3. Enable the guest network and set a separate SSID name and password.
4. Ensure "Access to local network" or "Allow guests to access my local network" is DISABLED. This is the critical setting — it prevents guest devices from reaching your business network.
5. Enable "Client isolation" if available — this prevents guest devices from communicating with each other.
6. Save the settings.
Limitation of consumer guest networks: Consumer router guest networks typically use NAT isolation rather than true VLAN segmentation. This provides reasonable protection for most small businesses but may not satisfy compliance requirements (HIPAA, PCI DSS) that specifically require VLAN-based segmentation. If you have compliance requirements, invest in proper managed switch and firewall infrastructure.
Step 7: Verify Your Segmentation Is Actually Working
This is the step most businesses skip — and it is the most important one. Configuring segmentation and verifying segmentation are two different things. A misconfigured firewall rule, a forgotten trunk port setting, or a VLAN assignment error can leave your network completely unsegmented despite all the configuration work. Always verify.
Verification Test 1: Guest Cannot Reach Business Network
1. Connect a laptop or phone to your guest Wi-Fi network.
2. Open a command prompt (Windows: press Windows key + R, type cmd, press Enter) or terminal (Mac: Applications → Utilities → Terminal).
3. Find the IP address of a device on your business network (e.g., a workstation or server). You can find this by running ipconfig on that device and noting the IPv4 address.
4. From the guest device, run: ping [business device IP address] (e.g., ping 192.168.10.50).
5. The ping should FAIL — you should see "Request timed out" or "Destination host unreachable." If the ping succeeds, your segmentation is not working and you need to review your firewall rules.
6. Also try to access a shared folder on a business computer from the guest device. Open File Explorer and type \\[business device IP] in the address bar. This should fail with an access denied or network error.
Verification Test 2: Guest Can Access the Internet
1. While still connected to the guest Wi-Fi, open a browser and navigate to google.com or any website.
2. The website should load normally. If it does not, check your guest-to-internet firewall rule.
3. Also verify DNS resolution works: from the command prompt, run nslookup google.com. You should get an IP address response.
Verification Test 3: IoT Devices Cannot Reach Business Network
1. Connect a device to your IoT VLAN (or temporarily move a device to the IoT VLAN for testing).
2. Attempt to ping a business network device from the IoT device.
3. The ping should fail. If it succeeds, review your IoT-to-Business firewall rule.
Verification Test 4: Business Computers Can Reach Each Other
1. From a business network computer, ping another business network computer.
2. The ping should succeed. If it fails, check that both devices are on the same VLAN and that intra-VLAN traffic is not being blocked.
3. Also verify that business computers can access shared folders and servers on the business network.
Verification Test 5: Check Firewall Logs for Blocked Traffic
1. Log into your firewall admin interface and navigate to the logs or traffic monitor.
2. Look for DENY log entries from the guest VLAN (192.168.20.x) attempting to reach the business VLAN (192.168.10.x). These entries confirm your block rules are working.
3. If you see no deny entries after running the ping tests above, logging may not be enabled on the deny rules — enable logging and repeat the tests.
Pro Tip
Run these verification tests immediately after configuration, and then again quarterly as part of your network security review. Firewall rules can be accidentally modified during other configuration changes, and VLAN assignments can drift over time as new devices are added. Quarterly verification ensures your segmentation remains effective.
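Because the tests in Step 7 are meant to be repeated every quarter, it helps to have them in a script that runs from a guest-VLAN laptop and prints PASS/FAIL. This is an added example written for this guide, not part of the original or of any vendor's tooling. It assumes a constructed business host address from the design table (BUSINESS_HOST, replace it with a real VLAN 10 device) and checks the SMB port (TCP 445) in addition to ping, since SMB is the spread path the guide describes; the `probe` parameter lets the pass/fail logic be exercised without a live network.

```python
import socket
import subprocess
import sys
from typing import Callable, List, Optional, Tuple

# Constructed sample target from the Step 3 design table; replace BUSINESS_HOST
# with a real workstation or server on VLAN 10 before running this for real.
BUSINESS_HOST = "192.168.10.50"
INTERNET_HOST = "www.google.com"

# (name, probe kind, target, port, expected reachability from the Guest VLAN)
Check = Tuple[str, str, str, Optional[int], bool]
GUEST_VLAN_CHECKS: List[Check] = [
    ("Test 1: ping business host", "ping", BUSINESS_HOST, None, False),
    ("Test 1: SMB (TCP 445) to business host", "tcp", BUSINESS_HOST, 445, False),
    ("Test 2: DNS resolution", "dns", INTERNET_HOST, None, True),
    ("Test 2: HTTPS to the internet", "tcp", INTERNET_HOST, 443, True),
]


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake completes; a firewall block shows up as False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def ping_ok(host: str, timeout: float = 3.0) -> bool:
    """One ICMP echo via the OS ping command (Windows uses -n, others -c)."""
    count_flag = "-n" if sys.platform.startswith("win") else "-c"
    try:
        result = subprocess.run(["ping", count_flag, "1", host],
                                capture_output=True, timeout=timeout)
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False
    return result.returncode == 0


def dns_resolves(name: str) -> bool:
    """True if the guest VLAN's resolver answers for the name."""
    try:
        socket.gethostbyname(name)
        return True
    except OSError:
        return False


def live_probe(kind: str, target: str, port: Optional[int]) -> bool:
    """Dispatch one check to the real network."""
    if kind == "ping":
        return ping_ok(target)
    if kind == "tcp" and port is not None:
        return tcp_reachable(target, port)
    if kind == "dns":
        return dns_resolves(target)
    raise ValueError(f"unknown probe kind {kind!r}")


def run_checks(checks: List[Check],
               probe: Callable[[str, str, Optional[int]], bool] = live_probe
               ) -> List[Tuple[str, bool, bool]]:
    """Return (name, expected reachability, observed reachability) per check."""
    return [(name, expected, probe(kind, target, port))
            for name, kind, target, port, expected in checks]


def failures(results: List[Tuple[str, bool, bool]]) -> List[str]:
    """Names of checks whose observed result differs from the segmentation plan."""
    return [name for name, expected, observed in results if expected != observed]


if __name__ == "__main__":
    results = run_checks(GUEST_VLAN_CHECKS)
    for name, expected, observed in results:
        verdict = "PASS" if expected == observed else "FAIL"
        print(f"{verdict}  {name}: reachable={observed} (expected {expected})")
    bad = failures(results)
    print(f"{len(bad)} of {len(results)} checks failed")
    sys.exit(1 if bad else 0)
```

A non-zero exit status means at least one check disagreed with the plan, so the script can be scheduled and its result recorded in the quarterly review.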
Step 8: Migrate Existing Devices to the Correct Segments
Once your VLANs and firewall rules are configured and verified, you need to move your existing devices to the correct segments. This is the most disruptive part of the process — devices will temporarily lose network connectivity as they are moved.
Migration Strategy: Minimize Disruption
1. Schedule the migration during off-hours or a weekend. Moving devices between VLANs causes brief connectivity interruptions — plan for 5–15 minutes of downtime per device group.
2. Start with IoT devices: Move smart TVs, cameras, and other IoT devices to VLAN 30 first. These are the lowest-risk devices to migrate and the least likely to cause business disruption.
3. Move guest Wi-Fi devices: Ensure your guest SSID is broadcasting on VLAN 20 and that any devices that should be on the guest network are connecting to the guest SSID.
4. Verify business devices are on VLAN 10: Check that all business computers and servers are connected to ports assigned to VLAN 10 (or connecting to the business SSID for wireless devices).
5. Update static IP addresses if needed: If any devices have static IP addresses configured, update them to addresses in the correct VLAN subnet (e.g., a server with a static IP of 192.168.1.50 should be updated to 192.168.10.50 if it is moving to VLAN 10).
6. Test each device after migration: After moving a device to its new VLAN, verify it can reach the internet and the resources it needs (file servers, printers, etc.) and cannot reach resources it should not (devices on other VLANs).
Step 9: Document Your Network Segmentation
Documentation is not optional — it is what allows you (or your IT provider) to troubleshoot problems, make changes safely, and verify that the segmentation remains correct over time. Create and maintain the following documents:
- Network diagram: A visual diagram showing your VLANs, the devices in each VLAN, and the firewall rules between them. Tools like draw.io (free) or Lucidchart make this easy.
- VLAN assignment table: A spreadsheet listing each VLAN ID, name, subnet, purpose, and the devices assigned to it.
- Firewall rule documentation: A list of all firewall rules between VLANs, including the source, destination, protocol, port, and action (allow/deny) for each rule.
- Switch port assignment: A record of which physical switch port is assigned to which VLAN — useful when adding new devices or troubleshooting connectivity.
- Change log: A record of every change made to the network segmentation configuration, including the date, what was changed, and who made the change.
Step 10: Establish Ongoing Maintenance Procedures
Network segmentation is not a one-time project — it requires ongoing maintenance to remain effective. Establish these procedures:
Quarterly Segmentation Review
- Run the verification tests from Step 7 to confirm segmentation is still working correctly.
- Review the device inventory and ensure all devices are in the correct VLAN. New devices added since the last review should be assigned to the appropriate segment.
- Review firewall rules for any changes that may have been made since the last review. Remove any rules that are no longer needed.
- Check firewall and switch firmware versions and apply any available updates.
- Review firewall logs for unusual traffic patterns — repeated connection attempts from the guest VLAN to the business VLAN may indicate a misconfigured device or an attack attempt.
New Device Onboarding Procedure
Every time a new device is added to the network, it should be assigned to the correct VLAN before it is connected. Create a simple checklist:
1. Identify the device type and purpose.
2. Determine the correct VLAN based on your segmentation design.
3. If wired: connect the device to a switch port assigned to the correct VLAN.
4. If wireless: ensure the device connects to the correct SSID for its VLAN.
5. Verify the device received an IP address in the correct subnet.
6. Test that the device can reach the resources it needs and cannot reach resources it should not.
7. Add the device to the network inventory documentation.
Common Network Segmentation Mistakes to Avoid
- Forgetting to block inter-VLAN routing by default: Some firewalls allow all inter-VLAN traffic by default and require you to create explicit deny rules. Others deny all inter-VLAN traffic by default and require explicit allow rules. Know which behavior your firewall uses and configure accordingly.
- Leaving the firewall management interface accessible from all VLANs: If your firewall admin interface is accessible from the guest VLAN, a guest device could attempt to access it. Restrict management access to the management VLAN or a specific IP address.
- Not testing after configuration: The most common mistake. Always run the verification tests in Step 7 before considering the implementation complete.
- Forgetting to update static IP addresses: Devices with static IP addresses configured in the old subnet will not work correctly after being moved to a new VLAN. Update static IPs to addresses in the new VLAN subnet.
- Creating overly permissive rules "temporarily": Rules created as temporary workarounds often become permanent. Every firewall rule should have a documented business justification and a review date.
- Not documenting changes: Without documentation, the next person to work on the network (including you, six months from now) will not know why rules exist or what they do.
Network Segmentation for Specific Miami Industries
Medical Practices (HIPAA)
HIPAA's Security Rule requires covered entities to implement technical safeguards that protect electronic protected health information (ePHI). Network segmentation is a key component: systems containing ePHI (EHR software, medical imaging systems, billing systems) should be on a separate VLAN from general business computers, and access from other VLANs should be restricted to specific authorized users and applications. Patient check-in kiosks and waiting room Wi-Fi should be on completely separate segments from clinical systems.
Law Firms
Client confidentiality requires that client files and communications be protected from unauthorized access. Network segmentation supports this by isolating systems containing client data from guest networks and IoT devices. Consider a separate VLAN for your document management system and case management software, with access restricted to attorneys and authorized staff.
Retail and Hospitality (PCI DSS)
PCI DSS Requirement 1 specifically requires network segmentation to isolate the cardholder data environment (CDE) from other networks. Your point-of-sale systems and payment terminals must be on a separate VLAN from your general business network, guest Wi-Fi, and any internet-connected devices. The PCI DSS assessor will verify this segmentation during your annual assessment.
Getting Professional Help: When to Call an IT Provider
Network segmentation is a technical project that requires specific expertise. While this guide provides the knowledge to understand and plan your segmentation, the actual implementation involves risks — a misconfigured firewall rule can take down your entire network, and a missed VLAN assignment can leave sensitive systems exposed. Consider engaging a professional IT provider if:
- You have never configured VLANs or firewall rules before
- Your business has compliance requirements (HIPAA, PCI DSS, FTC Safeguards Rule) that require documented, verified segmentation
- You have more than 20 devices or multiple physical locations
- Your network includes specialized equipment (medical devices, industrial controls, point-of-sale systems) that requires careful integration
- You want the implementation done during business hours with minimal disruption
Simple Network Solutions has implemented network segmentation for over 150 Miami-Dade businesses since 2006. Our team includes CISSP and CompTIA Network+ certified engineers who can assess your current network, design the appropriate segmentation architecture, implement it with minimal disruption, and verify it is working correctly. We also provide ongoing monitoring to ensure your segmentation remains effective as your network evolves.
Start with a Free Firewall Audit
Before investing in new equipment or configuration changes, get a clear picture of your current network security posture. Simple Network Solutions offers a free firewall audit for Miami businesses that includes an assessment of your current network segmentation (or lack thereof), exposed ports and services, firewall rule review, and a prioritized remediation report.
- External port scan: We identify any services exposed to the internet that should not be
- Segmentation assessment: We verify whether your guest Wi-Fi, business network, and IoT devices are properly isolated
- Firewall rule review: We identify overly permissive rules and rules that should have been removed
- Equipment assessment: We evaluate whether your current equipment supports proper VLAN segmentation or whether upgrades are needed
- Prioritized remediation report: We deliver a written report with specific recommendations ranked by risk level
Pro Tip
Request your free firewall audit at simplenetworksolutions.com/firewall-audit or call (786) 383-2066. The audit takes 48 hours from start to report delivery and gives you a clear, actionable picture of your network security posture — including whether your current segmentation (if any) is actually working.
About the Author
Marco, Senior Cybersecurity Specialist · CISSP · CEH · CompTIA Security+ · CISM · 14 years experience
Marco leads cybersecurity operations at Simple Network Solutions, with 14 years of experience in network security, penetration testing, and compliance for regulated industries. He has responded to over 200 security incidents for Miami businesses and holds four active cybersecurity certifications. He regularly presents at South Florida IT security events and contributes to the FBI InfraGard Miami chapter.
