VLANs and Network Segmentation

This article is educational content about network segmentation and security architecture. It is not professional network design advice or a substitute for consulting with a qualified network architect or security engineer.


You probably have a single network where all devices—employee laptops, servers, printers, guest visitors' phones—sit on the same logical layer. That's a flat network, and it's dangerous. If an attacker compromises one device, they can potentially reach everything else on that network. The infected laptop in accounting can talk to the database server. The compromised server can reach your domain controller. Everything is accessible to everyone, which is exactly what an attacker wants.

Network segmentation fixes this by dividing your network into smaller networks, each with its own access controls. Think of it like replacing one building with unlocked doors connecting all rooms with a building that has lockable doors, walls, and controlled access points. VLANs are the most common tool for implementing segmentation. They're not magic, but they're foundational security infrastructure that most organizations don't use effectively. This article explains what VLANs do, how to design segmentation strategy, and why the most important part isn't the technology but the thinking that goes into how you divide your network.

Virtual Networks: How VLANs Work

A VLAN—Virtual Local Area Network—is a way of logically dividing a network without physically dividing it. Devices on the same VLAN can reach each other directly. Devices on different VLANs cannot communicate without going through a firewall or router that explicitly allows the communication. This means you can run a finance VLAN, an engineering VLAN, and a guest VLAN all on the same physical switch, but traffic from guests cannot reach finance systems without explicit permission.

VLANs are implemented through switch configuration and tagging. Each switch port is assigned to a VLAN, and on links that carry several VLANs (trunks) the switch marks each frame with an 802.1Q tag identifying its VLAN; it then forwards the frame only to ports that belong to that same VLAN. When a device on the finance VLAN sends traffic to the finance server, the switch sees that both are in the same VLAN and delivers the frame. When a device on the guest VLAN tries the same thing, the traffic goes nowhere: a switch never forwards frames between VLANs, so it is dropped at Layer 2. Any communication between different VLANs has to pass through a router or firewall that can make those decisions.

From a security perspective, VLAN membership enforces a first layer of segmentation. Even if an attacker gets a device onto your network, VLAN boundaries slow them down and can prevent immediate lateral movement to sensitive systems. An infected guest laptop can't just start accessing your file servers because it's on a different VLAN. The attacker has to find a way through the router or firewall controlling traffic between VLANs, which is harder and more detectable.
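The tagging and forwarding rule described above, as an added example that is not part of the original article: a minimal 802.1Q tag parser plus a switch-style forwarding decision over a constructed port map (the port names, VLAN numbers and MAC addresses are assumptions made up for the demo).

```python
import struct

TPID_8021Q = 0x8100  # EtherType value announcing that a VLAN tag follows

def parse_vlan_tag(frame: bytes):
    """Return (vlan_id, priority, inner_ethertype) for a tagged frame, or None if untagged."""
    if len(frame) < 18:
        raise ValueError("frame too short for an Ethernet header plus 802.1Q tag")
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    pcp = tci >> 13        # 3-bit priority code point
    vid = tci & 0x0FFF     # 12-bit VLAN identifier
    return vid, pcp, inner_type

def build_tagged_frame(dst: bytes, src: bytes, vid: int, ethertype: int,
                       payload: bytes, pcp: int = 0) -> bytes:
    """Constructed helper: dst MAC, src MAC, 802.1Q tag, inner EtherType, payload."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload

# Constructed access-port map for a small switch: port name -> VLAN it belongs to
ACCESS_PORTS = {"Gi1/0/1": 10, "Gi1/0/2": 10, "Gi1/0/3": 20, "Gi1/0/4": 30}

def forward(frame: bytes, mac_table: dict) -> list:
    """Decide where a frame arriving on the trunk port is delivered.
    The VLAN ID in the tag confines delivery to access ports of that VLAN: a
    known destination MAC gets its one learned port, an unknown one is flooded,
    but only within the VLAN. A VLAN 20 frame never reaches a VLAN 10 port."""
    tag = parse_vlan_tag(frame)
    if tag is None:
        return []          # simplification: untagged trunk frames are dropped here
    vid, _, _ = tag
    same_vlan = [port for port, v in ACCESS_PORTS.items() if v == vid]
    learned_port = mac_table.get(frame[0:6])
    if learned_port in same_vlan:
        return [learned_port]
    return same_vlan       # flooding stays inside the VLAN's broadcast domain
```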

Designing Your Segmentation Strategy

The technology of VLANs is straightforward. The real work is designing your segmentation strategy—deciding which systems need to be isolated and from what. Segmentation strategy starts with understanding what you're protecting and what threatens it. Are you protecting sensitive customer data? Intellectual property? Payment card data? Regulatory compliance requirements? Classify your systems by sensitivity and criticality, then group them into segments accordingly.

A common pattern that works for many organizations is this: a management VLAN with restricted access for IT administrators, a server VLAN for production systems, a user VLAN for employee computers, and a guest VLAN for visitors. The principle underlying all of this is least privilege: each segment can only communicate with other segments and systems it actually needs to communicate with.

You don't create one segment per person or per system—that would be unmaintainable. You create segments around trust boundaries and sensitivity levels. Finance systems, which handle sensitive data, are separate from general-purpose systems. Manufacturing systems, which need different uptime requirements and have specialized equipment, are separate. Guest systems, which you don't control, are completely isolated. Segmentation is your defense-in-depth layer that slows attackers down and limits the blast radius of a breach. Even if an attacker compromises one system, the segmentation boundary means they can't immediately reach everything else.

Isolating What Matters Most

Start with the systems that would cause the most damage if compromised or if their data were stolen. For most organizations, this includes Active Directory servers (if someone compromises AD, they control your entire identity system), financial systems, healthcare records, customer databases, and credential vaults. These systems should be on their own VLANs with restricted access.

Active Directory servers, for example, should not be reachable from the guest network or from public-facing web servers. Database servers should not be reachable from user workstations; database access should go through an application server that enforces business logic and validates requests. A web application server can talk to the database. User computers should not talk directly to the database. This sounds obvious when written out, but it's violated in most organizations.

Many networks allow database access directly from any computer, creating a free path for an attacker on any infected workstation to reach the database. Isolation doesn't prevent all attacks, but it forces attackers to work harder and often through multiple stages rather than a single lateral movement. An attacker who compromises your employee's laptop now has to find an additional vulnerability or misconfiguration to reach the database. That additional step is often where they get caught.

Completely Isolating Guest Networks

Guest networks deserve special attention because they're the systems you least control. Visitors need Wi-Fi to function in your facility, but they don't need access to your servers, printers, file shares, or domain infrastructure. A proper guest network is completely separate: separate Wi-Fi network or VLAN, separate firewall rules, separate internet exit. Guest devices can reach the internet but cannot reach any internal systems.

A guest network should not be able to access your mail server, resolve your internal DNS, or reach any of your internal systems. Many organizations get this wrong by allowing guest traffic onto their main network or by isolating the guest network but still allowing it to reach critical systems. If a guest's laptop is infected with malware, you don't want that malware to have access to your internal infrastructure.

Complete isolation means a guest network breach is painful—you've lost internet for guests—but not catastrophic. The attacker doesn't have internal access. They can't pivot from the guest network to your servers or data.

Handling Untrustworthy Devices

Internet of Things devices present a different segmentation challenge. Printers, IP cameras, smart building systems, and network-connected sensors often run firmware with security gaps and don't receive regular updates. These devices need network isolation, not because you don't want them working, but because if one is compromised, you don't want it as a launching point for attacks on your servers or sensitive systems.

An IoT VLAN should be able to do what the devices need to do (send log data, receive commands, connect to the internet) but should not be able to reach your Active Directory, your file servers, or other sensitive systems. This requires thought at the network design stage. A printer doesn't need to reach your SQL server, but your print management system needs to manage the printer. That management system can live in a specialized management VLAN with controlled access to the IoT VLAN, preventing direct access while still enabling operation.

IoT segmentation feels like overkill until one of your IP cameras becomes the launching point for an attack on your servers. Then it feels essential.

Enforcing Boundaries With Rules

A VLAN creates a boundary, but the boundary is only as strong as your enforcement of it. Access Control Lists (ACLs) are the rules that determine which traffic is allowed to cross segment boundaries. An ACL at your firewall between the user VLAN and the server VLAN might say "allow users to reach the mail server on port 143 but block everything else."

Organizations often make a common design mistake here. Once they've created segments, they create ACLs that are too permissive, allowing traffic that shouldn't be allowed or making exceptions that become permanent. Good segmentation ACLs start with default-deny: block everything unless explicitly allowed. This is more work to configure but dramatically more secure. It forces you to be explicit about what should be allowed rather than trying to anticipate everything that should be blocked.

When someone says "we need the engineering VLAN to reach the finance system," instead of immediately saying yes, ask why and create a specific rule that allows only that communication. Don't open blanket access. ACL management is not glamorous, but it's critical. Misconfigured ACLs can make your segmentation strategy useless.
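The default-deny ACL pattern from the last three paragraphs, as an added example that is not the article's own code or any vendor's ACL syntax: a first-match evaluator with an implicit deny, the two specific permits the text describes, a blanket exception of the kind it warns against, and a check that flags such exceptions. All addresses and VLAN numbers are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None matches any destination port

    def matches(self, src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))

def evaluate(acl: List[Rule], src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """First matching rule wins; no match falls through to the implicit deny."""
    for rule in acl:
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action
    return "deny"

def overly_broad(acl: List[Rule]) -> List[Rule]:
    """Flag permits that open a whole segment to another on any protocol and port."""
    return [r for r in acl
            if r.action == "permit" and r.proto == "any" and r.dport is None
            and ip_network(r.src).prefixlen < 32 and ip_network(r.dst).prefixlen < 32]

# Constructed addressing: VLAN 10 users, VLAN 20 servers, VLAN 30 databases
USER_VLAN, SERVER_VLAN, DB_VLAN = "10.10.10.0/24", "10.10.20.0/24", "10.10.30.0/24"
MAIL_SERVER, APP_SERVER, DB_SERVER = "10.10.20.25/32", "10.10.20.30/32", "10.10.30.50/32"

# Default-deny policy from the text: users reach mail on 143, the application server
# reaches the database, and nothing else crosses these boundaries
INTER_VLAN_ACL = [
    Rule("permit", USER_VLAN, MAIL_SERVER, "tcp", 143),
    Rule("permit", APP_SERVER, DB_SERVER, "tcp", 5432),
]

# The mistake the text warns about: a blanket "exception" appended later that quietly
# lets every workstation reach every server
PERMISSIVE_ACL = INTER_VLAN_ACL + [Rule("permit", USER_VLAN, SERVER_VLAN, "any", None)]
```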

Monitoring Your Boundaries

Segmentation creates chokepoints where you can monitor traffic. If all traffic between the user VLAN and server VLAN flows through a single firewall, you can see everything that's happening. But many organizations build segmentation and never actually monitor it. They set up the VLANs and ACLs and assume it works.

Monitoring at segment boundaries means looking at what traffic is crossing those boundaries. Is it what you expect? Are there unauthorized connection attempts? Is someone trying to reach systems they shouldn't? This is the intelligence layer that tells you whether your segmentation is actually working or whether you have a problem.

Without monitoring, segmentation is like building walls and never checking whether someone's broken through. With monitoring, you have early warning when something unusual happens.
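Boundary monitoring of the kind this section describes, as an added example that is not the article's own code: a few constructed firewall log lines from the inter-VLAN chokepoint are checked for two things the text calls out, guest traffic that was permitted into internal address space (an ACL defect) and a workstation repeatedly being denied direct access to the database server. The log format, hostnames and addresses are assumptions invented for the demo, not any vendor's format.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed log format: timestamp host ACTION PROTO src:port -> dst:port
LOG_RE = re.compile(r"^(\S+) (\S+) (PERMIT|DENY) (TCP|UDP) ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")

INTERNAL = [ip_network("10.10.0.0/16")]        # all internal VLANs
GUEST = ip_network("192.168.50.0/24")          # guest Wi-Fi segment
DB_SERVER = ip_address("10.10.30.50")          # database VLAN host

# Constructed sample: one user reaching mail, the same user probing the database three
# times, and a guest device that was wrongly permitted to reach an internal server
SAMPLE_LOGS = """\
2024-05-01T10:00:01 fw1 PERMIT TCP 10.10.10.7:51234 -> 10.10.20.25:143
2024-05-01T10:00:02 fw1 DENY TCP 10.10.10.7:51235 -> 10.10.30.50:5432
2024-05-01T10:00:03 fw1 DENY TCP 10.10.10.7:51236 -> 10.10.30.50:1433
2024-05-01T10:00:04 fw1 PERMIT TCP 192.168.50.12:40000 -> 203.0.113.10:443
2024-05-01T10:00:05 fw1 PERMIT TCP 192.168.50.12:40001 -> 10.10.20.25:445
2024-05-01T10:00:06 fw1 DENY TCP 10.10.10.7:51237 -> 10.10.30.50:3306
"""

def parse(line: str):
    """Turn one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, host, action, proto, src, _sport, dst, dport = m.groups()
    return {"ts": ts, "host": host, "action": action, "proto": proto,
            "src": ip_address(src), "dst": ip_address(dst), "dport": int(dport)}

def analyze(log_text: str, deny_threshold: int = 3) -> list:
    """Return findings: permitted guest-to-internal flows and repeated denied DB access."""
    findings, db_denies = [], Counter()
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        internal_dst = any(ev["dst"] in net for net in INTERNAL)
        if ev["src"] in GUEST and internal_dst and ev["action"] == "PERMIT":
            findings.append(("guest_to_internal_permitted", str(ev["src"]), str(ev["dst"]), ev["dport"]))
        if ev["dst"] == DB_SERVER and ev["action"] == "DENY":
            db_denies[ev["src"]] += 1
    for src, count in db_denies.items():
        if count >= deny_threshold:
            findings.append(("repeated_denied_db_access", str(src), count))
    return findings
```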

Managing Complexity as You Scale

Segmentation scales, but complexity grows with it. Ten VLANs are manageable. Fifty VLANs create configuration challenges: tracking who is on which VLAN, managing ACL rules across that many boundaries, and troubleshooting all become harder. The solution is not to abandon segmentation but to design it thoughtfully.

Segment around business function or risk level, not around individual systems or departments. A company might have a "financial systems" VLAN rather than separate VLANs for accounting, budgeting, and payroll. A university might have a "student lab" VLAN rather than one per classroom. This reduces complexity while maintaining security boundaries.

Document your segmentation clearly. Maintain a diagram showing which VLANs exist, what systems are on each, and what traffic is allowed between them. Use automation and templating for ACL configuration so changes are consistent and less error-prone. The goal is security that's strong enough but also maintainable enough that it won't be abandoned when it becomes too complex to manage.

The Practical Reality

Network segmentation is not a silver bullet, but it's foundational security infrastructure. It slows attackers down, limits their movement if they get onto your network, and creates points where you can monitor traffic. VLANs are the practical tool for implementing segmentation, but understanding the strategy is more important than the specific technology.

Classifying systems by sensitivity, defining clear boundaries, enforcing rules through ACLs, and monitoring enforcement—these are the principles that matter. When you hear "we should segment our network," you now understand what that means and what it takes to do it well. When someone says segmentation is too complicated to implement, you can ask whether they've considered the complexity of defending a flat network where an attacker can reach everything once they compromise one device.


Fully Compliance provides educational content about IT infrastructure and cybersecurity. This article reflects general information about network segmentation practices as of its publication date. For network design decisions specific to your organization, consult a qualified network architect or security engineer.