A properly segmented network limits breach blast radius, improves performance, and makes compliance audits straightforward. This guide covers VLAN planning, trunk configuration, inter-VLAN routing, and firewall enforcement end-to-end.
A flat network — where every device sits on the same Layer 2 broadcast domain — was acceptable when offices had 20 devices and security threats were rare. Today, with hundreds of endpoints, IoT devices, guest users, and sophisticated attackers actively targeting internal networks, a flat network is an unacceptable risk.
VLANs (Virtual Local Area Networks) divide a single physical network into multiple logical segments. Each segment is isolated at Layer 2 — devices in different VLANs cannot communicate without explicitly routing through a firewall or Layer 3 switch. This segmentation is the foundation of modern network security architecture.
Understanding the business and security drivers for segmentation helps make the right design decisions and justify the investment to stakeholders.
When an attacker compromises a device on a flat network, they can immediately see and attempt to reach every other device — workstations, servers, printers, IP cameras, and network devices all on the same broadcast domain. VLAN segmentation means a compromised device in the Users VLAN cannot directly reach the Servers VLAN — it must traverse a firewall where access control policies can detect and block lateral movement.
Every ARP request, DHCP broadcast, and network discovery packet is sent to every device in a broadcast domain. A flat network with 500 devices generates enormous broadcast traffic that consumes bandwidth and CPU on every device. Splitting into VLANs of 50–100 devices each reduces broadcast traffic by 80–90% and improves overall network performance.
✅ Pro Tip: Even if your organization is not currently subject to compliance requirements, design your network as if it will be within 2 years. Retrofitting segmentation onto a flat production network is one of the most disruptive and expensive network projects possible — doing it right from the start is dramatically easier.
Good VLAN design starts on paper — not in the switch CLI. A well-structured VLAN plan with a logical IP addressing scheme makes the network intuitive to operate and scale.
| VLAN ID | Name | Subnet | Purpose | Internet |
|---|---|---|---|---|
| 10 | Users | 10.10.0.0/24 | Employee workstations and laptops | ✅ Yes |
| 20 | Servers | 10.20.0.0/24 | Internal application and file servers | ❌ No |
| 30 | DMZ | 10.30.0.0/24 | Public-facing web and mail servers | ✅ Controlled |
| 40 | IoT | 10.40.0.0/24 | IP cameras, smart devices, printers | ✅ Limited |
| 50 | Voice | 10.50.0.0/24 | VoIP phones and call manager | ✅ SIP only |
| 60 | Guest | 10.60.0.0/24 | Visitor WiFi — internet only | ✅ Yes |
| 70 | PCI | 10.70.0.0/24 | Payment card data environment | ❌ Isolated |
| 99 | Management | 10.99.0.0/28 | Network device management interfaces | ❌ No |
✅ Pro Tip: Assign VLAN IDs in multiples of 10 — VLAN 10 = Users, VLAN 20 = Servers, VLAN 40 = IoT, and so on, as in the table above. This scheme leaves room to grow within each category (VLAN 11, 12, 13 could be floor-specific user VLANs) and makes the VLAN scheme immediately intuitive to any engineer reading the configuration for the first time.
Access ports carry traffic for a single VLAN — untagged. Trunk ports carry traffic for multiple VLANs simultaneously using 802.1Q tags. Getting this configuration right is fundamental to VLAN operation.
⚠️ Warning: Always explicitly set the native VLAN to an unused VLAN ID (e.g., VLAN 999) on every trunk port — never leave it as the default VLAN 1. VLAN hopping attacks exploit the native VLAN to cross VLAN boundaries. Remove VLAN 1 from all trunk allowed VLAN lists and never use VLAN 1 for any production traffic.
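As an added example (not part of the original guide), the following Cisco IOS configuration defines several VLANs from the plan above, configures an access port for a workstation, and builds a trunk hardened as the warning describes. Interface names, VLAN 999 as the unused native VLAN, and the PortFast/BPDU Guard lines on the access port are assumptions.

```cisco
! VLANs from the plan, plus an unused VLAN reserved as the trunk native VLAN.
! The remaining VLANs (30, 50, 60, 70) follow the same pattern.
vlan 10
 name Users
vlan 20
 name Servers
vlan 40
 name IoT
vlan 99
 name Management
vlan 999
 name NATIVE-UNUSED
!
! Access port: one VLAN, untagged. PortFast and BPDU Guard keep an end-user
! port from participating in spanning tree or accepting a rogue switch.
interface GigabitEthernet1/0/5
 description User workstation
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Trunk to the core: explicit, unused native VLAN; VLAN 1 excluded from the
! allowed list; DTP disabled so a peer cannot negotiate the port into trunking.
! The encapsulation line is only needed on platforms that also support ISL.
interface GigabitEthernet1/0/48
 description Uplink to core
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,40,99
 switchport nonegotiate
!
! VLAN 1 carries no production traffic; shut its SVI so nothing answers there.
interface Vlan1
 shutdown
```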
VLANs are isolated at Layer 2 — devices in different VLANs cannot communicate by default. Inter-VLAN routing provides controlled connectivity between VLANs through either a Layer 3 switch or a dedicated firewall.
A single physical link from a router carries trunk traffic for all VLANs using 802.1Q subinterfaces. Simple and cost-effective for small deployments:
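Router-on-a-stick in Cisco IOS syntax, as an added example rather than configuration from the original guide. The router interface name is an assumption; the subnets and gateway addresses follow the VLAN plan above, with .1 assumed as the gateway in each subnet.

```cisco
! The physical interface carries the 802.1Q trunk and has no IP address of
! its own. The switch end is a trunk with the same VLANs allowed.
interface GigabitEthernet0/0
 description Trunk to access switch
 no ip address
 no shutdown
!
! One subinterface per VLAN; its address becomes that VLAN's default gateway.
interface GigabitEthernet0/0.10
 description Users VLAN
 encapsulation dot1Q 10
 ip address 10.10.0.1 255.255.255.0
!
interface GigabitEthernet0/0.20
 description Servers VLAN
 encapsulation dot1Q 20
 ip address 10.20.0.1 255.255.255.0
!
interface GigabitEthernet0/0.40
 description IoT VLAN
 encapsulation dot1Q 40
 ip address 10.40.0.1 255.255.255.0
!
! Untagged frames (the switch's native VLAN 999) reach the physical interface,
! which has no IP address, so nothing terminates them; no subinterface is
! created for VLAN 999 or VLAN 1.
!
! The router is still a router: every VLAN can reach every other VLAN unless an
! ACL is applied per subinterface or the router itself is the firewall.
```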
Switched Virtual Interfaces (SVIs) on a Layer 3 switch perform inter-VLAN routing in hardware — much higher throughput than router-on-a-stick, suitable for enterprise deployments:
⚠️ Critical Warning: If you use a Layer 3 switch for inter-VLAN routing, ALL inter-VLAN traffic must still traverse a stateful firewall for security inspection. A common mistake is enabling full inter-VLAN routing on the L3 switch and bypassing the firewall entirely — this defeats the entire purpose of segmentation. Route all inter-VLAN traffic through the firewall using policy-based routing or a dedicated firewall segment.
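An added example (not from the original guide) of SVI-based routing on a Layer 3 switch combined with policy-based routing so that inter-VLAN traffic is forced through the firewall rather than switched locally. The routed link 10.255.0.0/30, the firewall inside address 10.255.0.2, and the interface names are assumptions.

```cisco
! Enable routing on the L3 switch and create one SVI per VLAN.
ip routing
!
interface Vlan10
 description Users
 ip address 10.10.0.1 255.255.255.0
 ip policy route-map TO-FIREWALL
!
interface Vlan20
 description Servers
 ip address 10.20.0.1 255.255.255.0
 ip policy route-map TO-FIREWALL
!
! Routed point-to-point link to the firewall's inside interface (assumed 10.255.0.2).
interface GigabitEthernet1/0/1
 description To firewall inside
 no switchport
 ip address 10.255.0.1 255.255.255.252
!
! Internet-bound traffic follows the default route to the firewall anyway.
ip route 0.0.0.0 0.0.0.0 10.255.0.2
!
! Policy-based routing: any packet entering an SVI that is destined for another
! internal subnet is handed to the firewall instead of being routed between SVIs.
! The firewall transit link itself is left alone.
ip access-list extended INTER-VLAN
 deny   ip any 10.255.0.0 0.0.0.3
 permit ip any 10.0.0.0 0.255.255.255
!
route-map TO-FIREWALL permit 10
 match ip address INTER-VLAN
 set ip next-hop 10.255.0.2
!
! Replies arrive back on Gi1/0/1, where no policy applies, and are routed to the
! destination SVI normally, so the firewall sees both directions of every flow.
! The firewall needs routes for 10.10.0.0/24 and 10.20.0.0/24 via 10.255.0.1.
```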
The firewall is the enforcement point for inter-VLAN security policy. Every packet crossing a VLAN boundary must be inspected and explicitly permitted — implicit deny is the default.
| Source VLAN | Destination VLAN | Access | Notes |
|---|---|---|---|
| Users (10) | Servers (20) | ✅ Limited | Specific ports only — SMB, RDP, HTTP/S |
| Users (10) | Internet (WAN) | ✅ Yes | HTTP/HTTPS with UTM inspection |
| Users (10) | IoT (40) | ❌ Deny | Users must not reach IoT management |
| IoT (40) | Users (10) | ❌ Deny | Complete isolation — IoT never initiates to users |
| IoT (40) | Internet (WAN) | ✅ Limited | Only manufacturer update servers |
| Guest (60) | Any internal | ❌ Deny | Guests get internet only — no internal access |
| Management (99) | All VLANs | ✅ Yes | Admin access for monitoring tools only |
| PCI (70) | Any non-PCI | ❌ Deny | PCI systems must not initiate outbound to non-PCI |
✅ Pro Tip: Build your inter-VLAN firewall policy matrix as a table like the one above before writing a single firewall rule. This forces you to explicitly define the intended security posture for every VLAN pair — gaps in the matrix become obvious and can be addressed in design, not discovered during a security incident.
IoT devices — IP cameras, smart TVs, printers, building management systems — are among the most vulnerable devices on any network. They rarely receive security updates, often have hardcoded credentials, and run outdated firmware. They must be completely isolated.
⚠️ Warning: Client isolation on the guest WiFi SSID prevents guest devices from communicating with each other at Layer 2 — but it does NOT prevent them from accessing your internal network at Layer 3. You still need the explicit firewall deny rule blocking guest VLAN from all internal RFC 1918 subnets. Both controls are required.
VoIP phones require low latency (<150ms), low jitter (<30ms), and near-zero packet loss to deliver acceptable call quality. A dedicated Voice VLAN combined with QoS policies ensures VoIP traffic is prioritized over bulk data traffic.
✅ Pro Tip: Use DSCP EF (Expedited Forwarding — DSCP 46) for VoIP RTP media and DSCP CS3 for SIP signaling. These are the industry standard markings — all modern switches, routers, and firewalls recognize them and apply appropriate queuing automatically when QoS is enabled. Using non-standard markings means you will need to manually configure every device in the path.
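The voice VLAN and the DSCP EF/CS3 markings described above, as an added Cisco IOS example that is not part of the original guide. It assumes a Catalyst platform using the `mls qos` trust commands on the access port and MQC queuing on an uplink; interface names and the bandwidth percentages are assumptions.

```cisco
! Access port serving an IP phone with a PC behind it: data untagged in VLAN 10,
! voice tagged in VLAN 50. DSCP is trusted only while a Cisco phone is detected
! via CDP, so a PC plugged in directly cannot mark its own traffic EF and jump
! the voice queue.
mls qos
!
interface GigabitEthernet1/0/7
 description Desk: IP phone + PC
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 50
 mls qos trust device cisco-phone
 mls qos trust dscp
 spanning-tree portfast
!
! On the uplink, give EF (DSCP 46) a strict-priority queue and reserve bandwidth
! for CS3 signaling; everything else shares the remainder fairly.
class-map match-all VOICE-MEDIA
 match dscp ef
class-map match-all VOICE-SIGNALING
 match dscp cs3
!
policy-map EGRESS-QOS
 class VOICE-MEDIA
  priority percent 10
 class VOICE-SIGNALING
  bandwidth percent 5
 class class-default
  fair-queue
!
interface GigabitEthernet0/1
 description WAN uplink
 service-policy output EGRESS-QOS
```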
A VLAN design is only as good as its documentation and ongoing governance. Networks without documentation drift — VLANs get created for temporary purposes and never removed, firewall rules accumulate, and within 2 years nobody knows what anything does.
✅ Pro Tip: Use NetBox (free, open-source) as your IPAM and VLAN documentation platform. It tracks VLANs, IP prefixes, device port assignments, and rack layouts in a single database with a REST API — enabling automation of VLAN provisioning and generating accurate topology documentation automatically as you make changes.
EnterWeb IT Firm designs and implements enterprise VLAN architectures — from initial planning and IP addressing to switch configuration, firewall policy design, and ongoing audit programs. We work with Cisco, HP, Juniper, and all major switching vendors.