VLAN Segmentation
How to use VLANs to segment network traffic and improve security.
What Are VLANs?
VLANs (Virtual Local Area Networks) allow you to logically separate devices on the same physical network into isolated broadcast domains. This limits the blast radius of broadcast storms, improves security by isolating sensitive traffic, and simplifies network management at scale.
Common Segmentation Strategy
- Corporate user workstations — general office traffic
- VoIP phones — quality-of-service priority for voice
- Management interfaces — switches, APs, and controllers
- IoT / building systems — cameras, sensors, HVAC
- Guest wireless — internet-only, no internal access
- Servers / infrastructure — isolated from user broadcast domains
Tip
Assign a dedicated VLAN as your native (untagged) VLAN on trunk ports, and make sure it is not used for any real traffic. This prevents VLAN hopping attacks.
Configuration
Note
Configure trunk ports between switches to carry tagged traffic, and set access ports for end devices. Use inter-VLAN routing on a Layer 3 switch or firewall to control traffic flow between segments with ACLs.
enable
configure terminal
vlan 100
name CORP_USERS
exit
interface GigabitEthernet0/1
switchport mode access
switchport access vlan 100
no shutdown
exitinterface GigabitEthernet0/24
switchport mode trunk
switchport trunk allowed vlan 100,200,300
switchport trunk native vlan 999
no shutdown
exitBest Practices
- Document every VLAN ID, name, and subnet in a central spreadsheet or IPAM tool
- Use consistent VLAN IDs across all switches in the environment
- Apply ACLs on the Layer 3 device to restrict inter-VLAN traffic
- Periodically audit trunk ports — only allow VLANs that are actually needed on each link
Warning
Avoid using VLAN 1 for any production traffic. Many switches send management and control-plane traffic on VLAN 1 by default, and it cannot be deleted on most platforms.