Network Segmentation and VLANs

The single most effective network defense is segmentation — splitting one big network into many smaller ones with controlled boundaries between them. When (not if) something gets compromised, segmentation is what keeps the blast radius small.

Why flat networks fail

If your office has 100 devices all on one flat 192.168.1.0/24 network, any compromised device can reach every other device. A phished workstation can scan, attack, and exfiltrate from servers, printers, IoT, and other workstations without crossing any boundary.

The mental model: zones of trust

Group devices by their trust level and access requirements. Each group gets its own network segment. Traffic between segments goes through a firewall that only allows what’s explicitly needed.

External (untrusted)
       │
       └── Edge firewall
             │
             ├── DMZ                  (web servers, mail relay)
             ├── User VLAN            (workstations)
             ├── Server VLAN          (databases, app servers)
             ├── IoT VLAN             (cameras, smart bulbs)
             ├── Guest VLAN           (visitor Wi-Fi)
             └── Management VLAN      (switch/router admin)

VLANs (Layer 2 segmentation)

A VLAN (Virtual LAN) lets one physical switch serve multiple isolated Layer 2 networks. Each port is assigned to a VLAN; traffic doesn’t cross between VLANs without a router.

How it works

Switches add a VLAN tag (802.1Q, 4 bytes) to frames. The tag identifies which VLAN the frame belongs to. Other switches read the tag and only deliver frames to ports in the same VLAN.

Trunk vs access ports

  • Access port — assigned to one VLAN. End-user device connects here. Frames are untagged.
  • Trunk port — carries multiple VLANs. Used between switches or to a router. Frames are tagged.

Subnets (Layer 3 segmentation)

Each VLAN typically gets its own IP subnet. The router enforces which subnets can talk to which.

VLAN 10 (Users):    10.10.0.0/24
VLAN 20 (Servers):  10.20.0.0/24
VLAN 30 (IoT):      10.30.0.0/24
VLAN 40 (Guest):    10.40.0.0/24

Router rules:
- Users → Servers: allow only ports 80, 443, 22
- Servers → Servers: allow only what specific apps need
- IoT → Internet: allow
- IoT → anything internal: DENY
- Guest → Internet: allow
- Guest → anything else: DENY
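As an added example that is not part of the original post, the zone table and router policy above expressed as a small default-deny policy evaluator. The zone names, the port chosen for "Servers → Servers" (5432), the `audit` helper and the sample flows are constructed for illustration, not taken from any real product.

```python
# Added example: default-deny, explicit-allow evaluation of the inter-VLAN
# policy from the text. Zone names, the 5432 port and sample flows are constructed.
from ipaddress import ip_address, ip_network

ZONES = {
    "Users":   ip_network("10.10.0.0/24"),
    "Servers": ip_network("10.20.0.0/24"),
    "IoT":     ip_network("10.30.0.0/24"),
    "Guest":   ip_network("10.40.0.0/24"),
}

# (src_zone, dst_zone, allowed TCP ports); None means "any port".
# "Internet" is any address outside the internal zones. No matching rule => DENY.
RULES = [
    ("Users",   "Servers",  {80, 443, 22}),
    ("Servers", "Servers",  {5432}),   # constructed stand-in for "what apps need"
    ("IoT",     "Internet", None),
    ("Guest",   "Internet", None),
]

def zone_of(ip: str) -> str:
    """Map an address to its VLAN zone, or 'Internet' if it is in none of them."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "Internet"

def decide(src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Return 'ALLOW' or 'DENY' for a routed flow: default deny, explicit allow.
    (Traffic inside one VLAN is switched at Layer 2 and only reaches rules like
    'Servers -> Servers' when the switch isolates ports or hosts filter locally.)"""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule_src, rule_dst, ports in RULES:
        if (rule_src, rule_dst) == (src, dst) and (ports is None or dst_port in ports):
            return "ALLOW"
    return "DENY"

def audit(rules) -> list:
    """Flag 'allow any port' rules between two internal zones, the
    'allowing all from one segment to another' mistake from the text."""
    return [(s, d) for s, d, ports in rules if ports is None and s in ZONES and d in ZONES]

if __name__ == "__main__":
    flows = [("10.10.0.5", "10.20.0.10", 443),      # user -> server HTTPS
             ("10.10.0.5", "10.20.0.10", 3389),     # user -> server RDP
             ("10.30.0.7", "10.10.0.5", 80),        # IoT -> user laptop
             ("10.30.0.7", "203.0.113.10", 443),    # IoT -> Internet (TEST-NET-3)
             ("10.40.0.3", "10.20.0.10", 22)]       # guest -> server SSH
    for f in flows:
        print(f, decide(*f))
    print("over-broad rules:", audit(RULES + [("Users", "Servers", None)]))
```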

The principle of least privilege

For each segment, allow only the traffic that’s actually needed. Default deny, explicit allow. This is harder than “allow everything between trusted segments” but it’s what stops lateral movement.

Microsegmentation

Take segmentation to the extreme — each individual workload (or even each app) gets its own segment with explicit policies. Implemented via software-defined networking (Cisco ACI, VMware NSX) or service mesh (Istio, Linkerd).

Practical effect: a compromised web pod can ONLY talk to its own database, nothing else. An attacker who gets a shell on the web pod can’t even discover that other services exist.

Zero Trust Architecture

The modern evolution of segmentation:

  • Never assume internal is trustworthy
  • Authenticate AND authorize every connection
  • Encrypt all traffic, including internal
  • Continuously verify (not just at login)
  • Assume breach — design for containment

Tools: BeyondCorp (Google’s pioneering implementation), Cloudflare Access, Tailscale (built on WireGuard with identity-based access).

Common segmentation patterns

3-tier network (classic)

DMZ for public services, internal for users, secure for databases. Firewalls between.

PCI DSS scope reduction

Cardholder data on its own segment with strict access controls. Reduces what’s “in scope” for PCI audit.

Operational Technology (OT) isolation

Industrial control systems on separate networks from corporate IT. Mandatory in critical infrastructure.

Dev / staging / prod isolation

Each environment in its own segment so dev can’t accidentally hit prod databases.

How to start (for a small office or home)

  1. Get a router that supports VLANs (Ubiquiti, MikroTik, pfSense)
  2. Create at least: main, IoT, and Guest VLANs
  3. Put all “smart home” devices on IoT VLAN — block them from reaching your laptop
  4. Put visitors on Guest — block them from anything internal
  5. Allow management access (web UI for switches/router) only from your main network

Common mistakes

  • VLANs without firewall rules between them — all traffic still flows freely (no actual segmentation)
  • Allowing all from one segment to another instead of specific ports
  • Forgetting that the management VLAN itself needs protection
  • Single point of failure — one router enforcing everything

What to learn next

IDS vs IPS — the systems that watch for malicious patterns and alert (or block) automatically. Up next.
