In many bars, hotels and restaurants, everything runs on one shared network: tills, payment terminals, cameras, the reservation system and guest wifi. It is convenient, but also risky. Let us explain why the guest and operational networks should be separated, what VLANs are for and how we do it.

Why guests and operations should not be mixed

When a guest is on the same network as your till and cameras, several problems arise at once:

  • Security. From a guest’s compromised or infected device, an attack can spread to tills, cameras and company data.
  • Performance. When a guest downloads a large file or plays a video, they can slow down the till or payment terminal just when you need them most.
  • Privacy and compliance. Keeping sensitive payment data and guests on one network is also a problem for data protection and payment standards.

What a VLAN is

A VLAN (virtual LAN) is a logical network. VLANs let you create several separate logical networks on the same physical hardware, and those networks do not see each other. It is as if you had several completely separate networks, but without running extra cables or buying extra switches. Each VLAN has its own address space, and only what you explicitly allow passes between them.

How we split the network in practice

In a venue we usually create several separate VLANs:

  • Tills and payment terminals, strictly isolated from the rest.
  • Cameras in their own VLAN, ideally powered over PoE.
  • The office and reservation system for staff.
  • Guest wifi, which has access only to the internet and nowhere else.

Between these networks we then set rules on the firewall, so a guest has no way to reach the till or a camera.
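
The firewall policy described above can be checked before it is deployed. The following is an added example, not part of the original article: a small first-match, default-deny rule evaluator that audits a weak rule set beside a corrected one. The subnets, VLAN names, the office-to-cameras allowance and the rule format are all assumptions made for illustration.

```python
import ipaddress as ip

# Constructed addressing plan; subnets and names are assumptions, not from the article.
VLANS = {
    "pos":     ip.ip_network("10.10.10.0/24"),  # tills and payment terminals
    "cameras": ip.ip_network("10.10.20.0/24"),
    "office":  ip.ip_network("10.10.30.0/24"),  # office and reservation system
    "guest":   ip.ip_network("10.10.40.0/24"),  # guest wifi
}
INTERNAL = ip.ip_network("10.10.0.0/16")
ANY = ip.ip_network("0.0.0.0/0")

# Ordered forwarding rules (source, destination, action): first match wins.
# Weak: "internet access" written as "anywhere", which also covers the internal VLANs.
WEAK = [
    (VLANS["guest"], ANY, "accept"),
    (VLANS["office"], ANY, "accept"),
    (VLANS["pos"], ANY, "accept"),
]
# Corrected: internal destinations are dropped before any internet rule is reached.
FIXED = [
    (VLANS["office"], VLANS["cameras"], "accept"),  # staff may view cameras (assumed need)
    (VLANS["guest"], INTERNAL, "drop"),
    (VLANS["office"], INTERNAL, "drop"),
    (VLANS["pos"], INTERNAL, "drop"),
    (VLANS["guest"], ANY, "accept"),
    (VLANS["office"], ANY, "accept"),
    (VLANS["pos"], ANY, "accept"),  # payment processor traffic
]

def decide(rules, src, dst):
    """Return the action for one flow; anything unmatched is dropped (default deny)."""
    for rule_src, rule_dst, action in rules:
        if src in rule_src and dst in rule_dst:
            return action
    return "drop"

def audit(rules):
    """List (source VLAN, destination VLAN) pairs that break the isolation goals."""
    findings = set()
    for src_name, src_net in VLANS.items():
        src = src_net[10]  # one representative host; rules here match whole subnets
        for dst_name, dst_net in VLANS.items():
            # Goals: guests reach no internal VLAN, and nothing reaches the tills.
            if src_name == dst_name or (src_name != "guest" and dst_name != "pos"):
                continue
            if any(decide(rules, src, host) == "accept" for host in dst_net.hosts()):
                findings.add((src_name, dst_name))
    return sorted(findings)
```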

What the benefits are

  • Security, because a problem in one part of the network does not spread to the others.
  • Performance, since you can limit the guests’ speed so they do not burden operations.
  • Compliance with rules for payments and data protection.
  • Clarity, because you know exactly what belongs where.

Guest wifi set up correctly

A quality guest network has its own VLAN and its own SSID, access only to the internet, client isolation (so guests do not see each other), a reasonable speed limit and possibly a login page or a time limit. That way it is convenient for guests and safe for you.

This is what we do

This is exactly the kind of network separation we design and deploy for bars, hotels and restaurants. In most cases there is no need to change all the hardware; often a managed switch and a properly configured router with access points are enough. We take care of the design, the setup and making sure everything works reliably.

Want your venue separated and secure? Get in touch and we will design and deliver it to measure as part of IT support for companies.