Beginner Networks
Network segmentation and VLAN — zone isolation and DMZ
A flat network, where every device can talk to every other device, is the worst case for security: once an attacker compromises a single host, they can reach everything. Segmentation fixes this by dividing the network into zones and controlling the traffic allowed between them.
Why segment
Flat network (no segmentation):
Printer ← → HR server ← → Customer database
Compromise the printer = access to everything
Segmented network:
[IoT zone] ← firewall → [HR zone] ← firewall → [Data zone]
Compromise the printer = access only to the IoT zone
Principle: blast radius — limit the damage a compromised device can cause.
VLAN — Virtual LAN
VLANs segment the network at layer 2 (Data Link). A single physical switch can host multiple isolated logical networks.
Managed switch with 3 VLANs:
VLAN 10 — Corporate (192.168.10.0/24)
VLAN 20 — Servers (192.168.20.0/24)
VLAN 30 — Guest/IoT (192.168.30.0/24)
Hosts on VLAN 10 cannot reach hosts on VLAN 20 without passing through the router/firewall, which is where the inter-zone rules are enforced.
Configure VLANs on a switch (generic example)
! Create the VLANs and assign an access port (IOS-style syntax; "!" is the comment/separator character)
vlan 10
 name Corporate
vlan 20
 name Servers
vlan 30
 name Guest-IoT
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
! Trunk port (carries multiple VLANs, uplink to the router)
! Native VLAN moved off the default VLAN 1 to an otherwise unused VLAN (999 chosen here as an example)
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport nonegotiate
VLAN Hopping — attack and defense
Attack: switch spoofing
An attacker's host negotiates a trunk with its switch port (via DTP) and then receives traffic from all VLANs carried on that trunk
Defense:
- Access ports never left in dynamic auto/desirable mode; set them explicitly to access
- Disable DTP (Dynamic Trunking Protocol) on access ports (switchport nonegotiate)
- Native VLAN must not be VLAN 1 (the default); move it to an unused VLAN
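The defenses above can be checked mechanically against a switch's running configuration. The following is an added example, not code from the original page: a small Python audit that parses an IOS-style config into interface stanzas and flags ports left in dynamic trunking mode, access ports that still run DTP, and trunks that keep the default native VLAN 1. The sample configuration embedded below is constructed for illustration (the interface names, VLAN numbers and the unused native VLAN 999 are assumptions).

```python
"""Audit an IOS-style switch config for VLAN-hopping exposures.

Added example (not from the original page). SAMPLE_CONFIG is constructed:
one hardened access port, one port left in dynamic mode, one trunk with the
default native VLAN, and one hardened trunk.
"""

SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface FastEthernet0/2
 switchport mode dynamic desirable
 switchport access vlan 10
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
!
interface GigabitEthernet0/2
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport nonegotiate
!
"""


def parse_interfaces(config):
    """Return {interface_name: [config lines]} for each 'interface' stanza.
    A line consisting of '!' (or a blank line) ends the current stanza."""
    stanzas = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line == "!" or not line:
            current = None
        elif current is not None:
            stanzas[current].append(line)
    return stanzas


def audit_interface(lines):
    """Return a list of findings for one switchport (empty list = clean)."""
    findings = []
    mode = None
    native_vlan = "1"  # IOS default when no native VLAN is configured
    for line in lines:
        if line.startswith("switchport mode "):
            mode = line[len("switchport mode "):]
        elif line.startswith("switchport trunk native vlan "):
            native_vlan = line.split()[-1]
    nonegotiate = "switchport nonegotiate" in lines

    if mode is None:
        findings.append("no explicit switchport mode (platform default applies)")
    elif mode.startswith("dynamic"):
        findings.append(f"dynamic trunking mode '{mode}': an attached host can negotiate a trunk")
    elif mode == "access" and not nonegotiate:
        findings.append("access port without 'switchport nonegotiate' (DTP still running)")
    elif mode == "trunk":
        if native_vlan == "1":
            findings.append("trunk uses native VLAN 1 (default)")
        if not nonegotiate:
            findings.append("trunk still negotiates DTP (missing 'switchport nonegotiate')")
    return findings


def audit_config(config):
    """Map every interface name to its findings."""
    return {name: audit_interface(lines) for name, lines in parse_interfaces(config).items()}


if __name__ == "__main__":
    for iface, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{iface}: {'OK' if not findings else '; '.join(findings)}")
```

Run it against `show running-config` output saved to a file by replacing SAMPLE_CONFIG with the file contents; interfaces that report OK satisfy all three checklist items for VLAN hopping.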
DMZ — Demilitarized Zone
The DMZ is a subnet between the internet and the internal network, hosting public-facing servers (web, email, DNS):
Internet
↓
[External firewall]
↓
[DMZ] — Web server, mail server, public DNS
↓
[Internal firewall]
↓
[Internal network] — Database, ERP, workstations
Typical rules:
- Internet → DMZ: allowed on specific ports (80, 443, 25)
- DMZ → Internal: only what is necessary (e.g., web server → DB on port 5432)
- Internet → Internal: blocked completely
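The three rules above describe a default-deny policy between zones. The following added example (not code from the original page) models that policy in Python and evaluates it against a set of sample flows, including the one permitted DMZ-to-internal path (web server to the database on port 5432) and the Internet-to-internal path for which no rule exists. The address prefixes, the web server and database addresses, and the sample flows are constructed assumptions.

```python
"""Zone-based firewall policy with default deny, applied to sample flows.

Added example, not part of the original page. The rules follow the
"Typical rules" list above; prefixes and host addresses are constructed
for illustration (assumptions, not a real deployment).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing: DMZ on a public /24, internal on a private /16.
# Any address outside these prefixes is treated as the Internet zone.
ZONES = {
    "dmz": ipaddress.ip_network("203.0.113.0/24"),
    "internal": ipaddress.ip_network("10.10.0.0/16"),
}
WEB_SERVER = ipaddress.ip_address("203.0.113.10")  # assumed DMZ web server
DB_SERVER = ipaddress.ip_address("10.10.5.20")     # assumed internal database host


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_ports: frozenset                                  # empty = any port
    src_host: Optional[ipaddress.IPv4Address] = None      # pin to one source host
    dst_host: Optional[ipaddress.IPv4Address] = None      # pin to one destination host


# Evaluated in order; a flow matching no rule is denied.
RULES = [
    Rule("internet", "dmz", frozenset({80, 443, 25})),
    Rule("dmz", "internal", frozenset({5432}), src_host=WEB_SERVER, dst_host=DB_SERVER),
    # No internet -> internal rule exists, so that path is blocked completely.
]


def zone_of(ip):
    """Classify an address into a zone by prefix; unknown = internet."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "internet")


def evaluate(src, dst, dport):
    """Return (verdict, reason) for one flow between zones."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone:
        return "allow", f"intra-zone traffic in {src_zone} does not cross a firewall"
    for rule in RULES:
        if (rule.src_zone, rule.dst_zone) != (src_zone, dst_zone):
            continue
        if rule.dst_ports and dport not in rule.dst_ports:
            continue
        if rule.src_host and ipaddress.ip_address(src) != rule.src_host:
            continue
        if rule.dst_host and ipaddress.ip_address(dst) != rule.dst_host:
            continue
        return "allow", f"matched {src_zone}->{dst_zone} rule for port {dport}"
    return "deny", f"no rule for {src_zone}->{dst_zone} port {dport} (default deny)"


def evaluate_all(flows):
    """Evaluate (src, dst, dport) tuples. Returns the verdict list and the
    denied-flow log lines that inter-zone monitoring should record."""
    verdicts, denied_log = [], []
    for src, dst, dport in flows:
        verdict, reason = evaluate(src, dst, dport)
        verdicts.append(verdict)
        if verdict == "deny":
            denied_log.append(f"DENY {src} -> {dst}:{dport} ({reason})")
    return verdicts, denied_log


# Constructed sample flows.
SAMPLE_FLOWS = [
    ("198.51.100.7", "203.0.113.10", 443),   # internet -> web server: allowed
    ("198.51.100.7", "203.0.113.10", 22),    # internet -> DMZ SSH: port not in rule
    ("198.51.100.7", "10.10.5.20", 5432),    # internet -> internal: blocked completely
    ("203.0.113.10", "10.10.5.20", 5432),    # web server -> DB: the one permitted path
    ("203.0.113.25", "10.10.5.20", 5432),    # another DMZ host -> DB: source not pinned
    ("203.0.113.10", "10.10.5.20", 22),      # web server -> DB SSH: wrong port
]

if __name__ == "__main__":
    verdicts, log = evaluate_all(SAMPLE_FLOWS)
    for flow, verdict in zip(SAMPLE_FLOWS, verdicts):
        print(verdict.upper(), *flow)
    print("\n".join(log))
```

The pinning of the DMZ-to-internal rule to a single source and destination host is the point worth copying into a real rule base: "DMZ → Internal on 5432" written per zone would let a compromised mail server reach the database too.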
Typical security zones
Zone | Examples | Trust level
----------------|----------------------------|------------
Internet | Any source | Zero
DMZ | Web server, MX, DNS | Low
Corporate | Workstations, printers | Medium
Servers | App servers, AD | High
Sensitive data | Databases, backups | Maximum
Microsegmentation
In modern environments (cloud, containers), microsegmentation applies the same principle per workload:
Pod A → Pod B: blocked by default
Only explicitly needed routes are allowed
Implemented via Network Policy in Kubernetes or Security Groups in AWS
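The Kubernetes side of this can be made concrete. The following is an added example, not code from the original page or from the Kubernetes project: two NetworkPolicy manifests in the real `networking.k8s.io/v1` schema (a namespace-wide default deny for ingress, and an explicit allow from app=a pods to app=b pods on TCP/8080), plus a small evaluator that applies the ingress semantics of those manifests to constructed sample pods. The namespace, pod names, labels and port are assumptions, and the evaluator is a simplified model (one namespace, podSelector peers only, ingress only), not a CNI implementation.

```python
"""Kubernetes NetworkPolicy: default-deny ingress plus one explicit allow,
with a simplified evaluator that shows which pod-to-pod flows survive.

Added example, not from the original page. Manifests use the real
networking.k8s.io/v1 schema; namespace, pods, labels and port are assumed.
"""
import json

NAMESPACE = "shop"  # assumed namespace

# Manifest 1: empty podSelector selects every pod in the namespace;
# no ingress rules means nothing is allowed in.
DEFAULT_DENY = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "default-deny-ingress", "namespace": NAMESPACE},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
}

# Manifest 2: pods labelled app=b accept TCP/8080 only from app=a pods.
ALLOW_A_TO_B = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "allow-a-to-b", "namespace": NAMESPACE},
    "spec": {
        "podSelector": {"matchLabels": {"app": "b"}},
        "policyTypes": ["Ingress"],
        "ingress": [{
            "from": [{"podSelector": {"matchLabels": {"app": "a"}}}],
            "ports": [{"protocol": "TCP", "port": 8080}],
        }],
    },
}

# Constructed pods in the namespace: name -> labels.
PODS = {"a": {"app": "a"}, "b": {"app": "b"}, "c": {"app": "c"}}


def selects(selector, labels):
    """matchLabels semantics: every listed label must match; empty selector matches all."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def ingress_allowed(policies, src, dst, port, protocol="TCP"):
    """Model NetworkPolicy ingress: a pod selected by no Ingress policy is open;
    once any policy selects it, a flow must match a rule in some policy
    selecting it. Rules across policies are additive (OR)."""
    isolated = False
    for pol in policies:
        spec = pol["spec"]
        if "Ingress" not in spec.get("policyTypes", ["Ingress"]):
            continue
        if not selects(spec["podSelector"], PODS[dst]):
            continue
        isolated = True
        for rule in spec.get("ingress", []):
            peers, ports = rule.get("from"), rule.get("ports")
            # Missing/empty 'from' matches all sources; missing/empty 'ports' matches all ports.
            peer_ok = not peers or any(
                "podSelector" in p and selects(p["podSelector"], PODS[src]) for p in peers)
            port_ok = not ports or any(
                p.get("port") == port and p.get("protocol", "TCP") == protocol for p in ports)
            if peer_ok and port_ok:
                return True
    return not isolated


def manifests_json(policies):
    """Serialize the manifests as a JSON List object accepted by kubectl apply -f."""
    return json.dumps({"apiVersion": "v1", "kind": "List", "items": policies}, indent=2)


if __name__ == "__main__":
    active = [DEFAULT_DENY, ALLOW_A_TO_B]
    for src, dst, port in [("a", "b", 8080), ("c", "b", 8080), ("a", "b", 9090), ("a", "c", 8080)]:
        print(f"{src} -> {dst}:{port}:", "allowed" if ingress_allowed(active, src, dst, port) else "blocked")
    print(manifests_json(active))
```

The evaluator makes the important behaviour visible: with no policy at all, every pod accepts traffic from every other pod; only after the default-deny policy selects the pod does "blocked by default" hold, and each additional policy can only add allowed flows, never remove them.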
Segmentation checklist
✓ Separate VLANs by function (user, server, IoT, guest)
✓ Firewall/ACL between each zone
✓ Native VLAN changed from the default (VLAN 1)
✓ DTP disabled on access ports
✓ DMZ for every service accessible from the internet
✓ Inter-zone traffic logged and monitored
✓ Administrative access (SSH, RDP) only from management zone