Isolate systems into logical network segments using VLANs to control traffic flow, limit lateral movement, and improve security and performance.
Orion IT Service Team
May 20, 2026
Traditional networks put all computers on the same network segment. This makes access simple but creates security risks. If an attacker compromises one system, they can move freely to other systems on the network. A malicious insider can access any computer they can reach. Network segmentation divides networks into isolated segments, limiting what compromised systems can access. Virtual LANs (VLANs) enable segmentation on physical switches without requiring separate hardware.
Network segmentation improves both security and performance by controlling traffic flow and isolating problems.
Virtual LANs create logical networks on physical infrastructure. A single switch can contain multiple VLANs. Each VLAN is isolated—systems in VLAN 10 cannot communicate with systems in VLAN 20 without passing through a router or firewall. VLANs are identified by tags (VLAN ID 1-4094). Access ports on switches belong to a single VLAN. Trunk ports carry tagged traffic from multiple VLANs.
VLANs enable segmentation without separate physical networks, reducing cost while improving security.
Segment by function—separate servers from user workstations, separate printers and IoT devices from computers, separate database servers from application servers. Segment by sensitivity—put high-value systems in restricted segments. Segment by compliance—HIPAA systems separate from others, PCI systems separate from others.
At minimum, create VLANs for: user workstations, servers, printers/IoT, management systems, and guest network. Larger organizations add additional segments for specific applications, departments, or compliance requirements.
Systems need to communicate across VLANs sometimes. A user workstation needs to connect to a file server. An application needs to talk to a database. Inter-VLAN routing enables this communication. Route traffic through a firewall that enforces security policies on inter-VLAN traffic. This provides visibility and control.
The firewall uses access control lists (ACLs) to permit only necessary traffic between VLANs. This ensures that even if a system is compromised, it can only communicate with systems it needs to communicate with.
Use appropriate VLAN IDs consistently across infrastructure. Document VLAN purposes and membership. Disable unused ports and VLANs. Use trunk encapsulation (802.1Q) for VLAN tagging. Disable dynamic VLAN assignment if not needed. Protect management VLANs and access to switch configuration. Use strong passwords and SSH (not telnet) for switch access.
Monitor VLAN configuration for unauthorized changes. Verify that firewall rules between VLANs are correct and up to date.
Key Takeaway
Network segmentation using VLANs isolates systems, limits lateral movement, and improves security and performance. Combined with firewalls enforcing inter-VLAN policies, segmentation dramatically reduces breach impact.
Implement Network Segmentation