VLAN Isolation
Network segmentation for security
Why Segment with VLANs
- Security: Limit lateral movement in case of breach
- Compliance: Isolate PCI, HIPAA, or sensitive data
- Performance: Reduce broadcast domains
- Management: Group devices logically regardless of location
- Guest access: Separate visitor traffic from corporate
Typical VLAN Design
Recommended VLANs
| VLAN | Subnet | Purpose |
|---|---|---|
| 10 | 10.10.10.0/24 | Management (switches, APs, IPMI) |
| 20 | 10.10.20.0/24 | Servers |
| 30 | 10.10.30.0/24 | User workstations |
| 40 | 10.10.40.0/24 | VoIP phones |
| 50 | 10.10.50.0/24 | Printers/IoT |
| 99 | 10.10.99.0/24 | Guest WiFi |
Inter-VLAN Routing
- Route between VLANs through the firewall for inspection
- Or use a Layer 3 switch with ACLs for performance
- Never trunk VLANs directly without filtering
Implementation Checklist
1. Create VLANs on all switches
2. Configure trunk ports between switches (allow only needed VLANs)
3. Assign access ports to appropriate VLANs
4. Create VLAN interfaces on firewall/router
5. Configure DHCP scopes per VLAN
6. Create firewall policies for inter-VLAN traffic
7. Test connectivity and document
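The two steps most often done loosely are trunk pruning (step 2) and the inter-VLAN policy (step 6). The script below is an added example, not code from this page or from any vendor: it models the VLAN table above with Python's standard `ipaddress` module, evaluates a default-deny inter-VLAN allow-list, and flags a trunk that carries VLANs the far-side switch does not need. The allow rules, port numbers and interface names are constructed sample values, not a recommended policy.

```python
"""Added example: check a default-deny inter-VLAN policy and trunk pruning
against the VLAN plan on this page. Rules and port names are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MGMT_VLAN = 10

# VLAN table from the page (id -> (purpose, subnet)).
VLANS = {
    10: ("Management", ip_network("10.10.10.0/24")),
    20: ("Servers", ip_network("10.10.20.0/24")),
    30: ("Workstations", ip_network("10.10.30.0/24")),
    40: ("VoIP", ip_network("10.10.40.0/24")),
    50: ("Printers/IoT", ip_network("10.10.50.0/24")),
    99: ("Guest", ip_network("10.10.99.0/24")),
}


def vlan_of(ip: str):
    """Return the VLAN id whose subnet contains ip, or None if it is off-plan."""
    addr = ip_address(ip)
    for vid, (_purpose, net) in VLANS.items():
        if addr in net:
            return vid
    return None


@dataclass(frozen=True)
class Rule:
    src_vlan: int
    dst_vlan: int
    proto: str
    dport: int  # 0 means any destination port


# Constructed sample allow-list. Every inter-VLAN flow not listed here is
# denied, which is what "route through the firewall" buys you.
ALLOW = [
    Rule(30, 20, "tcp", 443),   # workstations -> servers, HTTPS
    Rule(30, 50, "tcp", 9100),  # workstations -> printers, raw print
    Rule(10, 20, "tcp", 22),    # management hosts -> servers, SSH
]


def policy_allows(src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """Default-deny decision for one flow. Intra-VLAN traffic is switched
    locally and never reaches the firewall, so it is reported as allowed."""
    src, dst = vlan_of(src_ip), vlan_of(dst_ip)
    if src is None or dst is None:
        return False  # address outside the plan: deny
    if src == dst:
        return True
    return any(
        (r.src_vlan, r.dst_vlan, r.proto) == (src, dst, proto)
        and r.dport in (0, dport)
        for r in ALLOW
    )


def needed_vlans(access_ports: dict) -> set:
    """VLANs an edge switch needs on its uplink: one per access-port VLAN,
    plus the management VLAN for the switch's own SVI (assumption)."""
    return set(access_ports.values()) | {MGMT_VLAN}


def trunk_violations(allowed: set, access_ports: dict):
    """Checklist step 2: compare what a trunk is allowed to carry with what
    the far-side switch actually needs. Returns (extra, missing)."""
    needed = needed_vlans(access_ports)
    return sorted(allowed - needed), sorted(needed - allowed)


if __name__ == "__main__":
    # Constructed flows: a permitted one and a guest host probing a server.
    print(policy_allows("10.10.30.7", "10.10.20.5", "tcp", 443))
    print(policy_allows("10.10.99.4", "10.10.20.5", "tcp", 443))
    # Constructed edge switch: two access ports, trunk allows far too much.
    print(trunk_violations({10, 30, 40, 50, 99}, {"Gi1/0/1": 30, "Gi1/0/2": 40}))
```

The `extra` list from `trunk_violations` is the one to act on: a VLAN allowed on a trunk to a switch with no ports in it (the guest VLAN on a server-room uplink, say) widens the blast radius of a compromised switch for no operational gain. The `missing` list catches the opposite mistake, where pruning is so tight that the management SVI becomes unreachable.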
Security Note: VLAN isolation is not a substitute for proper firewall rules. Always implement defense in depth.