Network Segmentation and VLANs
Learn how subnets, VLANs, DMZs, and micro-segmentation limit lateral movement and contain the blast radius of a breach.
Why Network Segmentation Matters
Network segmentation divides a large flat network into smaller, isolated zones. Without segmentation, a single compromised host can communicate with every other device on the network — giving attackers free rein once they are inside. Segmentation enforces the principle of least privilege at the network layer: a workstation should not be able to directly reach a database server, and a guest Wi-Fi device should never see internal file shares. Segmentation dramatically reduces the blast radius of a breach.
VLANs: Virtual Local Area Networks
A VLAN (Virtual Local Area Network) is a logical broadcast domain configured on a switch: ports are grouped by VLAN ID regardless of their physical location. Devices in the same VLAN communicate as if they shared a physical segment; devices in different VLANs cannot exchange frames at Layer 2 at all and can only reach each other through a router or Layer 3 switch. That boundary is where access control lists or a firewall must be applied: a router that freely routes between VLANs separates broadcast domains but does not enforce segmentation. On links between switches, frames carry an IEEE 802.1Q tag inserted after the source MAC address; the tag holds a 12-bit VLAN ID (usable values 1-4094; 0 and 4095 are reserved) plus a 3-bit priority field, allowing a single physical link (a trunk port) to carry traffic from multiple VLANs simultaneously. Frames belonging to a trunk's native VLAN are sent untagged, which is why the native VLAN should be an otherwise unused VLAN rather than the default VLAN 1.
! Cisco IOS: create VLANs, assign a host port, and harden the uplink trunk
configure terminal
vlan 10
 name CORPORATE
vlan 20
 name GUEST
vlan 999
 name UNUSED_NATIVE
exit
! Host-facing access port: a single VLAN, and no DTP trunk negotiation with the host
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
! Uplink trunk: carry only the VLANs that need to cross it, and park the native VLAN on an unused ID
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport trunk native vlan 999
 switchport nonegotiate
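To make the tagging concrete, here is an added Python example (it is not part of the lesson and not any vendor's code): it parses 802.1Q/802.1ad tags off a raw Ethernet frame and then judges whether the frame is plausible for the kind of port it arrived on, flagging the double-tagging pattern used for VLAN hopping across a native VLAN. The MAC addresses and sample frames are constructed, and the port-mode logic is a simplified model of how a switch treats tags, not a real switch's implementation.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

TPID_8021Q = 0x8100     # IEEE 802.1Q customer VLAN tag
TPID_8021AD = 0x88A8    # IEEE 802.1ad service tag (QinQ outer tag)
ETHERTYPE_IPV4 = 0x0800


@dataclass
class Tag:
    tpid: int
    pcp: int   # priority code point (3 bits)
    dei: int   # drop eligible indicator (1 bit)
    vid: int   # VLAN ID (12 bits); 0 = priority-only tag, 4095 reserved


@dataclass
class Frame:
    dst: str
    src: str
    tags: List[Tag]     # outer-to-inner order
    ethertype: int
    payload: bytes


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(raw: bytes) -> Frame:
    """Peel every 802.1Q/802.1ad tag after the source MAC until a real EtherType."""
    if len(raw) < 14:
        raise ValueError("shorter than a minimal Ethernet header")
    dst, src = _mac(raw[0:6]), _mac(raw[6:12])
    off, tags = 12, []
    while True:
        if off + 2 > len(raw):
            raise ValueError("truncated EtherType field")
        (etype,) = struct.unpack("!H", raw[off:off + 2])
        if etype not in (TPID_8021Q, TPID_8021AD):
            break
        if off + 4 > len(raw):
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack("!H", raw[off + 2:off + 4])
        tags.append(Tag(etype, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        off += 4
    return Frame(dst, src, tags, etype, raw[off + 2:])


def build_frame(dst: bytes, src: bytes, vids: List[int], ethertype: int, payload: bytes) -> bytes:
    """Inverse of parse_frame: one 0x8100 tag per VID (outer first), PCP/DEI zero."""
    hdr = dst + src
    for vid in vids:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def vlan_hopping_verdict(frame: Frame, port_mode: str, native_vlan: int = 1) -> Optional[str]:
    """None if the frame is what this port should legitimately see, else the reason.

    port_mode is 'access' (host-facing) or 'trunk' (switch-to-switch). Simplified model."""
    for t in frame.tags:
        if t.vid in (0, 4095):
            return f"reserved VID {t.vid} in tag"
    if port_mode == "access":
        if len(frame.tags) >= 2:
            return (f"double-tagged frame from a host: outer VID {frame.tags[0].vid}, "
                    f"inner VID {frame.tags[1].vid} (classic VLAN-hopping attempt)")
        if frame.tags:
            return f"tagged frame (VID {frame.tags[0].vid}) on an access port"
        return None
    if port_mode == "trunk":
        if frame.tags and frame.tags[0].vid == native_vlan:
            inner = frame.tags[1].vid if len(frame.tags) > 1 else native_vlan
            return (f"outer tag carries native VLAN {native_vlan}, which should travel untagged; "
                    f"a downstream switch would strip it and forward into VLAN {inner}")
        return None
    raise ValueError(f"unknown port mode {port_mode!r}")


# Constructed sample frames (not captured traffic); MACs are hypothetical.
_GW = bytes.fromhex("00005e0001aa")
_HOST = bytes.fromhex("020000000001")
_PAYLOAD = bytes(20)                     # zeroed stand-in for an IPv4 header
SAMPLES = {
    "untagged_from_host": build_frame(_GW, _HOST, [], ETHERTYPE_IPV4, _PAYLOAD),
    "tagged_on_trunk": build_frame(_GW, _HOST, [10], ETHERTYPE_IPV4, _PAYLOAD),
    "double_tag_attack": build_frame(_GW, _HOST, [1, 20], ETHERTYPE_IPV4, _PAYLOAD),
}


def run_checks() -> dict:
    """Evaluate each sample on the port type it would realistically arrive on."""
    ports = {"untagged_from_host": "access", "tagged_on_trunk": "trunk",
             "double_tag_attack": "access"}
    return {name: vlan_hopping_verdict(parse_frame(raw), ports[name], native_vlan=1)
            for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_checks().items():
        print(f"{name:20s} -> {verdict or 'ok'}")
```

The double-tag case is the one the native-VLAN setting in the switch configuration above defends against: with the native VLAN moved to an unused ID, an attacker's outer tag of VID 1 is no longer stripped by the trunk, so the inner tag never becomes the frame's effective VLAN.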