In plain English
VLANs let you split one physical network into multiple isolated virtual networks. A typical office might use separate VLANs for staff computers, guest Wi-Fi, IP phones, and CCTV cameras — even though all of these devices plug into the same switches. Traffic between VLANs is blocked by default unless a firewall rule explicitly permits it, which limits the blast radius if any single segment is compromised.
Full definition
VLANs are a foundational network security control. Placing CCTV cameras, access control hardware, and IoT devices on dedicated VLANs prevents a compromised camera from communicating directly with file servers, domain controllers, or other sensitive systems on the corporate network.
VLAN configuration is stored in the network switch and router (or firewall). When an organisation relocates, VLAN configurations typically migrate with the controller backup, but firewall rules that reference specific subnet addresses must be reviewed and updated to match the network topology at the new site.
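One way to carry out the post-relocation rule review described above, shown as an added example rather than anything from a vendor tool. The VLAN names, subnets, and the generic rule format are constructed sample data, and the helper names `classify` and `audit` are hypothetical.

```python
import ipaddress

# Constructed sample data: VLAN subnets at the old and new site (not from the page).
OLD_SITE = {"staff": "192.168.10.0/24", "guest": "192.168.20.0/24",
            "voip": "192.168.30.0/24", "cctv": "192.168.40.0/24"}
NEW_SITE = {"staff": "10.20.10.0/24", "guest": "10.20.20.0/24",
            "voip": "10.20.30.0/24", "cctv": "10.20.40.0/24"}

# Constructed firewall rules in a generic format (hypothetical, not a UniFi export).
RULES = [
    {"name": "cctv-to-nvr", "action": "allow", "src": "192.168.40.0/24", "dst": "192.168.10.50/32"},
    {"name": "guest-block-staff", "action": "drop", "src": "192.168.20.0/24", "dst": "192.168.10.0/24"},
    {"name": "voip-to-pbx", "action": "allow", "src": "10.20.30.0/24", "dst": "10.20.10.5/32"},
    {"name": "legacy-printer", "action": "allow", "src": "192.168.10.0/24", "dst": "172.16.5.9/32"},
]

def classify(addr, old_nets, new_nets):
    """Return (status, vlan) for one rule address against both site plans."""
    net = ipaddress.ip_network(addr, strict=False)
    for vlan, new in new_nets.items():
        if net.subnet_of(new):
            return "current", vlan
    for vlan, old in old_nets.items():
        if net.subnet_of(old):
            return "stale", vlan
    return "unknown", None

def audit(rules, old_site, new_site):
    """List every rule field that does not fall inside a new-site VLAN subnet."""
    old_nets = {v: ipaddress.ip_network(c) for v, c in old_site.items()}
    new_nets = {v: ipaddress.ip_network(c) for v, c in new_site.items()}
    findings = []
    for rule in rules:
        for field in ("src", "dst"):
            status, vlan = classify(rule[field], old_nets, new_nets)
            if status != "current":
                findings.append((rule["name"], field, rule[field], status, vlan))
    return findings

if __name__ == "__main__":
    for name, field, addr, status, vlan in audit(RULES, OLD_SITE, NEW_SITE):
        hint = f"old {vlan} VLAN range" if status == "stale" else "matches no VLAN at either site"
        print(f"{name}: {field}={addr} -> {status} ({hint})")
```

Stale drop rules deserve the closest look: a block rule that still points at the old guest or CCTV range no longer matches any traffic at the new site, so the isolation it provided is lost without any error being raised.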
UniFi network equipment makes VLAN configuration straightforward through the UniFi Network Application console. Each SSID, switch port, or device group can be assigned to a specific VLAN, with inter-VLAN routing controlled through the gateway firewall policy.
