A2.2.4 Explain the concepts and applications of network segmentation.
• Segmentation for network performance and security, to reduce congestion, to manage network resources efficiently
• Network segmentation must include the uses and roles of segmenting, subnetting and virtual local area networks (VLANs).
The big idea
Modern LANs carry traffic for different users, devices, and security classes—all over the same physical cables.
Network segmentation is the architectural principle that says: divide a large broadcast or collision domain into smaller, policy-defined zones so that traffic, faults, and attacks stay where they belong.
By carving the network into subnets (Layer 3) and VLANs (Layer 2), engineers can tune performance, shrink attack surfaces, and allocate resources with surgical precision—without having to re-pull a single fibre.
1 Why segment at all?
| Objective | How segmentation helps |
|---|---|
| Performance / congestion reduction | Smaller broadcast domains mean ARP, DHCP, and multicast floods don’t swamp every port; inter-VLAN routing can steer high-bandwidth flows through faster paths. |
| Security & compliance | Finance devices in VLAN 20 can’t see R&D hosts in VLAN 30; ACLs or firewalls between subnets enforce least privilege and stop lateral movement. |
| Resource efficiency | Subnetting turns one /20 into sixteen /24s, wasting fewer addresses and simplifying DHCP scopes; VLAN IDs act as logical cables that let different departments share the same switch stack. |
2 Key mechanisms
2.1 Physical or logical segmenting
- Physical segmenting – separate switches or routers per department; simplest but expensive and inflexible.
- Logical segmenting – one switch fabric, multiple isolated domains created with software (VLAN tags) or IP subnets.
2.2 Subnetting (Layer 3)
- Concept – Split an IP network into smaller child networks by borrowing host bits for the network prefix.
- Tools – Subnet mask or CIDR notation: 10.0.0.0/24 ⇒ 256 addresses. Split into four /26s (10.0.0.0/26, 10.0.0.64/26, …), each with 62 usable hosts.
- Applications – Separate voice vs. data, isolate IoT devices, summarise routes to keep routing tables small.
2.3 VLANs (Layer 2)
- Concept – IEEE 802.1Q inserts a 12-bit VLAN ID into the Ethernet frame; switches forward only within the same ID unless routing is invoked.
- Tagging modes
  - Access port – untagged frames for a single VLAN (typical edge).
  - Trunk port – carries many VLANs between switches or to a hypervisor.
- Inter-VLAN routing – Layer-3 switch or router interface (“SVI”) joins the VLANs so that approved traffic can cross with ACL inspection.
- Special cases – Private VLANs (PVLAN), voice VLANs, VLAN pruning with VTP or MST.
3 Design patterns and practical deployments
| Environment | Typical segmentation plan | Benefits achieved |
|---|---|---|
| Home / SOHO | Two subnets: IoT VLAN 10, trusted devices VLAN 1; inter-VLAN ACL blocks IoT → LAN. | Prevents compromised smart bulbs from probing laptops. |
| College campus | Each residence hall gets a /23; each department a distinct VLAN; core routers summarise per-building routes. | Limits broadcast storms, eases quarantine of infected dorm PCs. |
| Enterprise data-centre | Hundreds of /28 “micro-segmented” server networks delivered via VXLAN overlays; east-west firewalls enforce zero-trust. | Cuts blast radius of any server breach to a few IPs. |
| VoIP deployment | Voice VLAN 200 with DSCP EF; data VLAN 10 regular best-effort. | Guarantees latency under 150 ms and protects call signaling from bulk data traffic. |
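The subnet split from section 2.2 and the home/SOHO inter-VLAN ACL from the table above, worked through as an added Python example (not part of the original notes). The VLAN plan, the permit list and the sample addresses are constructed for illustration; the ACL is modelled as stateless and deny-by-default.

```python
import ipaddress

# Constructed example plan (VLAN ID -> subnet), modelled on the notes'
# home/SOHO row and the /24 -> four /26 split; not a real network.
PLAN = {1: "10.0.0.0/26", 10: "10.0.0.64/26", 200: "10.0.0.128/26"}

# Inter-VLAN ACL as (src VLAN, dst VLAN) pairs allowed to initiate traffic.
# Anything not listed is denied: deny-by-default, stateless, no return flows.
PERMIT = {(1, 10), (1, 200), (200, 1)}


def split_subnet(network, new_prefix):
    """Borrow host bits: return (child subnet, usable hosts) pairs."""
    out = []
    for child in ipaddress.ip_network(network).subnets(new_prefix=new_prefix):
        # Network and broadcast addresses are not assignable below /31.
        usable = child.num_addresses - 2 if child.prefixlen < 31 else child.num_addresses
        out.append((str(child), usable))
    return out

def validate_plan(plan):
    """Reject reserved VLAN IDs and overlapping subnets (address planning)."""
    errors, nets = [], {}
    for vid, cidr in plan.items():
        if not 1 <= vid <= 4094:  # 802.1Q reserves 0 and 4095
            errors.append(f"VLAN {vid}: ID outside 1-4094")
        nets[vid] = ipaddress.ip_network(cidr)
    ids = sorted(nets)
    for i, a in enumerate(ids):
        for b in ids[i + 1:]:
            if nets[a].overlaps(nets[b]):
                errors.append(f"VLAN {a} and VLAN {b}: overlapping subnets")
    return errors

def vlan_of(ip, plan=PLAN):
    """Map an address to the VLAN whose subnet contains it (None if none)."""
    addr = ipaddress.ip_address(ip)
    for vid, cidr in plan.items():
        if addr in ipaddress.ip_network(cidr):
            return vid
    return None

def flow_allowed(src_ip, dst_ip, plan=PLAN, permit=PERMIT):
    """Same-VLAN traffic never crosses the router, so it is always forwarded;
    cross-VLAN traffic is forwarded only if the ACL permits the pair."""
    src, dst = vlan_of(src_ip, plan), vlan_of(dst_ip, plan)
    if src is None or dst is None:
        return False
    return src == dst or (src, dst) in permit
```

Running `validate_plan` before deployment catches the address-planning mistakes from section 4, and `flow_allowed` shows why a compromised IoT host in VLAN 10 cannot reach trusted devices in VLAN 1 while the reverse direction still works.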
4 Operational considerations
| Topic | Best-practice highlights |
|---|---|
| Address planning | Document subnet size vs. growth; leave room for future VLAN IDs (0–4094). |
| Routing & summarisation | Advertise aggregate prefixes at distribution layer; black-hole unused sub-ranges. |
| Spanning-tree interaction | Ensure VLAN topology matches STP instances (PVST+/MST) to avoid loops. |
| Security hardening | Disable unused switch ports; prevent VLAN-hopping (no native VLAN on trunks); apply port-based ACLs or private VLANs for sensitive zones. |
| Monitoring | Use NetFlow/sFlow per-VLAN to detect anomalous east-west traffic that may signal compromise. |
Take-away
Segmentation is not optional hygiene but a foundational control.
By combining subnetting for logical addressing with VLANs for Layer-2 isolation, network architects deliver faster, cleaner, and far safer infrastructure—scalable from a two-room office to a fully meshed, zero-trust campus core.