Network Segmentation Tutorial: How to Segment Your Corporate Network (2026)

Network Segmentation Tutorial
Network Segmentation Tutorial
By HOC Team  |  Last updated: July 2026 | Read time: ~24 min

In May 2017, the WannaCry ransomware infected over 230,000 systems across 150 countries in a single day. The NHS alone had 80 hospitals and clinics knocked offline. The vulnerability it exploited — EternalBlue, an SMB flaw — was already patched. But the patch had not been applied widely because flat networks meant that applying it broke things. And when WannaCry entered through a single unpatched machine, the flat network gave it a highway to every other machine on the segment.

A properly segmented network would not have stopped WannaCry from infecting its initial target. But it would have contained the spread dramatically — infected machines in one segment cannot reach machines in another segment without crossing a firewall. The NHS's MRI scanners would not have been on the same network segment as its administrative PCs. The ransomware would have hit one room, not the entire hospital.

Network segmentation is the practice of dividing a network into smaller, isolated zones — each with its own security controls, access rules, and traffic policies. It is one of the most impactful security controls available, directly addresses lateral movement (the method attackers use to spread through a network after initial access), and is required by virtually every major compliance framework — PCI-DSS, HIPAA, ISO 27001, NIST. This tutorial covers everything from the fundamentals through to a complete implementation guide with VLAN configurations and firewall rule templates.

📊 Why network segmentation matters — 2026 numbers 74% of breaches involve lateral movement across network segments · Organisations with mature segmentation contain breaches 60% faster · Average breach cost $5.2M — proper segmentation reduces containment costs by $1.4M on average (IBM) · PCI-DSS, HIPAA, ISO 27001, and NIST CSF all require or strongly recommend network segmentation
1. What is network segmentation?

Network segmentation is the process of dividing a computer network into multiple sub-networks — called segments or zones — where each segment is isolated from the others by access controls. Traffic between segments must pass through a firewall or other enforcement point, where it is inspected and either permitted or denied based on policy.

In a flat (unsegmented) network, every device can communicate with every other device. A laptop in the accounts department can freely reach a database server in the data centre. A visitor's device on the guest Wi-Fi can attempt connections to internal systems. An attacker who compromises any single machine has a clear path to every other machine.

In a segmented network, those connections are broken by design. The accounts laptop can reach the finance application server. It cannot reach the HR database, the OT/SCADA network, or the data centre management infrastructure — because those segments have firewall rules that deny connections from the user segment by default, permitting only specifically required flows.

🔑
The core security value — blast radius reduction

The primary security value of network segmentation is blast radius reduction — limiting how far an attacker can move after initial compromise. Even with perfect perimeter defences, some attacks will succeed. Phishing delivers a malware payload to one endpoint. A web application vulnerability is exploited. Credentials are stolen and used to log in.

In a flat network, that initial foothold gives the attacker access to everything on the same broadcast domain. In a segmented network, the attacker is contained to the segment of their initial compromise. Reaching the data centre, the payment card systems, or the OT environment requires crossing firewall boundaries — each of which can detect, alert on, and block the lateral movement attempt.

Think of network segments as fire doors. A fire in one room does not automatically spread to every other room because fire doors contain it. The fire doors do not prevent fires — they limit destruction when fires occur. Network segments are security fire doors: they do not prevent all attacks, but they contain the damage and give you time to respond before the breach becomes catastrophic.
2. Why segment your network — the security case
What a flat network looks like to an attacker
Real attack pattern

This is the lateral movement sequence attackers follow in flat networks — documented in hundreds of incident response reports:

1
Initial access — phishing email delivers malware to one endpoint
The infected machine is a standard employee workstation. In a segmented network, this is contained to the user segment. In a flat network, the machine can reach everything.
2
Reconnaissance — scan the local network
The malware runs a network scan: what other hosts are reachable? In a flat network, it discovers the domain controllers, database servers, file servers, and backup systems — all in the same broadcast domain. In a segmented network, it only sees other user workstations.
3
Credential harvesting — dump credentials from the compromised machine
Mimikatz or similar tools extract credentials cached on the endpoint. These might include domain user credentials, or cached admin credentials from when IT last logged into this machine. Now the attacker has valid credentials for further movement.
4
Lateral movement — use credentials to reach high-value targets
The attacker uses the stolen credentials to authenticate to the domain controller, the file server, and ultimately the data centre systems — all freely accessible in a flat network. In a segmented network, each of these moves requires crossing a firewall, where the traffic pattern triggers alerts and access is denied.
5
Objective — data exfiltration or ransomware deployment
With domain admin access, the attacker deploys ransomware to every machine, or exfiltrates the database containing customer data. In a flat network, this is a company-wide catastrophe. In a segmented network, the damage is limited to what the initial compromised machine could reach.
Beyond security — the additional benefits
  • Compliance — PCI-DSS requires cardholder data to be isolated in a separate network segment. HIPAA requires protected health information systems to be separated from general corporate networks. ISO 27001 Annex A.13 specifies network segregation controls. Segmentation is not optional for regulated organisations.
  • Performance — broadcast traffic (ARP, DHCP, multicast) is contained within each VLAN rather than flooding the entire network. Smaller broadcast domains mean less unnecessary traffic and better performance for legitimate applications.
  • Simplified troubleshooting — when a problem occurs, the segment boundary tells you exactly which devices are affected. A broadcast storm in one VLAN does not bring down the entire network.
  • IoT and OT isolation — printers, IP cameras, HVAC controllers, building management systems, and industrial control systems are notoriously insecure. Segmenting them away from corporate systems means a compromised printer cannot reach the domain controller.
3. Types of network segmentation — physical, VLAN, and microsegmentation
TypeHow it worksSecurity strengthCost and complexityBest used for
Physical segmentationSeparate physical switches, cables, and firewalls for each segment. No shared infrastructure between zones.Strongest — no shared hardware means no risk of VLAN hopping or misconfiguration bridging segmentsHighest — duplicate hardware for each zoneAir-gapped networks, OT/SCADA, highly classified environments, payment processing
VLAN segmentationVirtual LANs on shared switch infrastructure. Traffic tagged with VLAN IDs, switches enforce segment boundaries. Inter-VLAN routing controlled by firewall/router.Strong when properly configured — requires hardening against VLAN hopping attacksMedium — uses existing switch infrastructure, requires managed switchesStandard corporate segmentation. Most cost-effective approach for most organisations.
MicrosegmentationSoftware-defined policies applied at the workload level — each virtual machine, container, or application has its own policy. Works independent of network topology.Strongest for east-west traffic — granular per-workload control, policy follows the workloadHighest complexity — requires SDN or agent-based enforcementData centre east-west traffic, cloud environments, zero trust architectures
Firewall zonesLogical grouping of interfaces/subnets into zones on a firewall. Inter-zone traffic controlled by policy.Strong — firewall enforces all inter-zone traffic at Layer 3/4/7Low to medium — uses existing firewall capabilityComplement to VLAN segmentation. Defines traffic policy between VLANs.
Software-Defined Networking (SDN)Centralised controller manages network policy across virtual and physical infrastructure. Enables dynamic policy enforcement.Strong and flexible — policy enforced consistently across hybrid environmentsHigh — requires SDN platform (VMware NSX, Cisco ACI, Arista CloudVision)Large data centres, multi-cloud environments, enterprises with frequent topology changes
4. Designing your network zones — the standard corporate model

A well-designed corporate network segmentation model defines zones based on the sensitivity of the systems within them and the type of users or services that need access. The following zone model is the industry-standard starting point — adapt it to your organisation's specific applications and compliance requirements.

Standard corporate network segmentation model — zones, VLANs, and trust levels
Standard Corporate Network Segmentation Model 🌐 INTERNET (Untrusted) 🔥 PERIMETER FIREWALL / NGFW DMZ — Demilitarised Zone (VLAN 10) 🌐 Web Servers 📧 Mail Gateway 🔒 VPN Concentrator 📡 Load Balancers 🔥 INTERNAL FIREWALL / CORE SWITCH L3 USER SEGMENT VLAN 20 · 10.10.20.0/24 Workstations · Laptops BYOD · IP phones Trust: LOW SERVER SEGMENT VLAN 30 · 10.10.30.0/24 App servers · Web servers Internal services Trust: MEDIUM DATABASE SEGMENT VLAN 40 · 10.10.40.0/24 SQL / NoSQL servers Backup systems Trust: HIGH SECURITY MANAGEMENT SEGMENT VLAN 99 · 10.10.99.0/24 Switch management IPs iLO / iDRAC / IPMI Trust: RESTRICTED GUEST WIFI VLAN 50 · 10.10.50.0/24 Visitor devices Internet access only Trust: UNTRUSTED IoT / OT SEGMENT VLAN 60 · 10.10.60.0/24 Printers · IP cameras HVAC · Access control Trust: UNTRUSTED VOICE / VoIP VLAN 70 · 10.10.70.0/24 IP phones Video conferencing Trust: LOW PCI / PAYMENT ZONE VLAN 100 · 10.10.100.0/24 POS terminals Payment processors Trust: MAXIMUM SECURITY
Zone 1
DMZ — Demilitarised Zone
VLAN 10 · 10.10.10.0/24
The buffer between the internet and your internal network. Public-facing services live here — web servers, mail gateways, VPN concentrators, reverse proxies. DMZ hosts can receive traffic from the internet AND send certain traffic to internal servers, but with strict rules. If a DMZ host is compromised, it cannot reach internal systems without crossing a firewall.
Typical members: Apache/Nginx web servers, email gateways, VPN appliances, load balancers, reverse proxies, public DNS servers
Zone 2
User Segment
VLAN 20 · 10.10.20.0/24
Employee workstations, laptops, and other user-operated devices. This is the zone most likely to be compromised through phishing and malware delivery. It should have the most restrictive outbound access — users can reach specific internal services they need, but not broad network ranges.
Typical members: Windows/Mac workstations, laptops, soft-phone clients, thin clients
Zone 3
Server Segment
VLAN 30 · 10.10.30.0/24
Internal application servers that provide services to employees — file servers, internal web applications, print servers, application middleware. Accessible from the user segment for specific required services. Not accessible from the guest or IoT segments.
Typical members: File servers, intranet servers, internal app servers, Active Directory, DHCP/DNS
Zone 4
Database Segment
VLAN 40 · 10.10.40.0/24
The highest-sensitivity internal zone. No user should ever directly reach this segment — only application servers in the server segment should have access to specific database ports. Inbound access is whitelisted per application server IP. Outbound access is denied to everything except backup destinations.
Typical members: SQL servers, NoSQL clusters, backup servers, data warehouses
Zone 5
IoT / OT Segment
VLAN 60 · 10.10.60.0/24
Printers, IP cameras, smart TVs, HVAC controllers, access control systems, and building management systems. These devices typically cannot be patched, run outdated firmware, and have known vulnerabilities. Isolating them from user and server segments ensures a compromised printer cannot reach the domain controller.
Typical members: Network printers, IP cameras, HVAC systems, badge readers, smart building systems
Zone 6
Management Segment
VLAN 99 · 10.10.99.0/24
The most restricted internal zone. Only jump servers (bastion hosts) in this segment should have access to management interfaces — switch management IPs, server iLO/iDRAC out-of-band management, firewall admin interfaces. Direct access from user workstations to this VLAN must be denied categorically.
Typical members: Jump servers, switch management IPs, server management cards (iDRAC, iLO), network monitoring systems
5. VLAN segmentation — configuration guide

VLANs (Virtual Local Area Networks) are the primary mechanism for network segmentation in enterprise environments. They logically divide a physical switch into multiple isolated Layer 2 domains. Traffic between VLANs must pass through a Layer 3 device (a router or Layer 3 switch) where security policy can be enforced.

🔧
VLAN configuration — Cisco IOS reference
Adapt for your vendor
Step 1 — Create VLANs on the core switch
! Create VLANs and assign names — Cisco IOS syntax Switch(config)# vlan 10 Switch(config-vlan)# name DMZ Switch(config-vlan)# exit Switch(config)# vlan 20 Switch(config-vlan)# name USERS Switch(config-vlan)# exit Switch(config)# vlan 30 Switch(config-vlan)# name SERVERS Switch(config-vlan)# exit Switch(config)# vlan 40 Switch(config-vlan)# name DATABASES Switch(config-vlan)# exit Switch(config)# vlan 50 Switch(config-vlan)# name GUEST Switch(config-vlan)# exit Switch(config)# vlan 60 Switch(config-vlan)# name IOT Switch(config-vlan)# exit Switch(config)# vlan 99 Switch(config-vlan)# name MANAGEMENT Switch(config-vlan)# exit
Step 2 — Assign access ports to VLANs (endpoint ports)
! Access port — connects a single end device (workstation, server, printer) ! The device does not know it is on a VLAN — the switch tags the traffic Switch(config)# interface range GigabitEthernet0/1 - 48 Switch(config-if-range)# switchport mode access Switch(config-if-range)# switchport access vlan 20 ! User VLAN Switch(config-if-range)# spanning-tree portfast Switch(config-if-range)# spanning-tree bpduguard enable ! Prevent switch attacks Switch(config-if-range)# ip dhcp snooping limit rate 15 ! DHCP rate-limit Switch(config-if-range)# storm-control broadcast level 20 Switch(config-if-range)# exit! IoT devices — assign to IoT VLAN Switch(config)# interface GigabitEthernet1/0/10 Switch(config-if)# description Printer-Floor2 Switch(config-if)# switchport mode access Switch(config-if)# switchport access vlan 60 ! IoT VLAN Switch(config-if)# shutdown ! Disable unused ports
Step 3 — Configure trunk ports (uplinks between switches)
! Trunk port — carries multiple VLANs between switches using 802.1Q tagging ! CRITICAL: explicitly specify allowed VLANs — do NOT allow all VLANs Switch(config)# interface GigabitEthernet0/49 Switch(config-if)# description Uplink-to-CoreSwitch Switch(config-if)# switchport mode trunk Switch(config-if)# switchport trunk allowed vlan 10,20,30,40,50,60,70,99 ! NEVER use: switchport trunk allowed vlan all — this allows VLAN hopping attacks Switch(config-if)# switchport trunk native vlan 999 ! Change native VLAN from 1 Switch(config-if)# switchport nonegotiate ! Disable DTP — prevents VLAN hopping Switch(config-if)# exit
Step 4 — Disable unused ports and harden the switch
! Disable all unused ports — every enabled unused port is a potential entry point Switch(config)# interface range GigabitEthernet1/0/25 - 48 Switch(config-if-range)# description UNUSED-PORT Switch(config-if-range)# switchport access vlan 999 ! Black-hole VLAN Switch(config-if-range)# shutdown! Protect the management VLAN — disable management on all interfaces except VLAN 99 Switch(config)# ip access-list standard MGMT-ACCESS Switch(config-std-nacl)# permit 10.10.99.0 0.0.0.255 Switch(config-std-nacl)# deny any log Switch(config)# line vty 0 15 Switch(config-line)# access-class MGMT-ACCESS in ! Only VLAN 99 can SSH in Switch(config-line)# transport input ssh ! SSH only, no Telnet
Step 5 — Configure SVIs for inter-VLAN routing on Layer 3 switch
! SVIs (Switched Virtual Interfaces) — the gateway IP for each VLAN ! Traffic between VLANs goes to the SVI, which routes it (and can apply ACLs) Switch(config)# ip routing Switch(config)# interface Vlan20 Switch(config-if)# description User-Segment-GW Switch(config-if)# ip address 10.10.20.1 255.255.255.0 Switch(config-if)# ip helper-address 10.10.30.10 ! DHCP server address Switch(config-if)# no shutdown Switch(config)# interface Vlan40 Switch(config-if)# description Database-Segment-GW Switch(config-if)# ip address 10.10.40.1 255.255.255.0 Switch(config-if)# no shutdown ! Repeat for each VLAN
VLAN hopping attack prevention checklist: (1) Change native VLAN from VLAN 1 to an unused VLAN (e.g. 999). (2) Disable DTP on all access ports with switchport nonegotiate. (3) Explicitly list allowed VLANs on trunk ports — never use allowed vlan all. (4) Disable unused ports and assign them to a black-hole VLAN. (5) Enable BPDU guard on access ports. These five steps close the primary VLAN hopping attack vectors.
6. DMZ design — protecting public-facing services

The DMZ (Demilitarised Zone) is the network segment that sits between the internet and your internal network, hosting services that must be publicly accessible — web servers, mail gateways, VPN endpoints, and API gateways. It is the most critical segmentation boundary in most organisations because it faces the internet directly.

🏰
DMZ design principles
Never bypass these rules
The dual-firewall DMZ model (recommended)

The most secure DMZ design uses two separate firewall devices — a perimeter firewall between the internet and the DMZ, and an internal firewall between the DMZ and the internal network. Even if an attacker compromises the perimeter firewall (or a DMZ host), they face a second, separate firewall before reaching internal systems. Single-firewall DMZ designs (using three interfaces on one firewall) are acceptable for smaller organisations but provide less defence-in-depth.

Core DMZ traffic rules
  • Internet → DMZ: Allow only the specific ports needed for each public service. Web server: TCP 80 and 443 only. Mail gateway: TCP 25 (SMTP), 587, 465. VPN: UDP 500, 4500. Deny everything else.
  • DMZ → Internal: The most critical rule set. DMZ servers should only be able to initiate connections to specific internal resources they explicitly need — a web server connecting to an application server on specific ports. No DMZ host should ever initiate connections to the internal network broadly.
  • Internal → DMZ: Administrative access only, from the management VLAN jump servers. Users do not connect from internal to DMZ directly.
  • DMZ → Internet: Restrict outbound. Web servers should not need to initiate outbound connections to arbitrary internet IPs. If a web server starts making outbound connections to unusual IPs, that is a strong indicator of compromise. Whitelist known-required destinations only.
  • No direct path from internet to internal: No rule should ever permit a connection from an internet IP directly to the internal network without passing through the DMZ.
Example DMZ firewall rule set (perimeter firewall)
RuleSourceDestinationPort/ProtocolActionLog
1ANY (internet)10.10.10.5 (Web server)TCP 80, 443ALLOWYes
2ANY (internet)10.10.10.10 (Mail GW)TCP 25, 587ALLOWYes
3ANY (internet)10.10.10.15 (VPN)UDP 500, 4500ALLOWYes
4ANY (internet)DMZ (10.10.10.0/24)ANYDENYYes
5ANY (internet)Internal (10.0.0.0/8)ANYDENYYes — Alert
Example DMZ-to-internal rule set (internal firewall)
RuleSourceDestinationPortActionPurpose
110.10.10.5 (Web)10.10.30.20 (App server)TCP 8080ALLOWWeb → App tier
210.10.10.10 (Mail)10.10.30.25 (Exchange)TCP 443ALLOWMail delivery
310.10.10.0/24 (DMZ)10.10.40.0/24 (DB)ANYDENYNo DMZ-to-DB
410.10.10.0/24 (DMZ)10.10.99.0/24 (Mgmt)ANYDENYNo DMZ-to-Mgmt
510.10.10.0/24 (DMZ)10.10.0.0/16 (Internal)ANYDENYDefault deny all
7. Firewall rules for segmented networks

Firewall rules between segments follow the principle of least privilege — deny everything by default, then explicitly permit only what is required. The rule order matters: firewalls evaluate rules top-to-bottom and stop at the first match. Always put specific permit rules before general deny rules.

🔥
Inter-VLAN firewall rule templates
Adapt to your environment
User VLAN (20) — what users can reach
# Users can reach: specific servers, internet via proxy, DNS # Users cannot reach: databases directly, management VLAN, IoT management, other users' printers permit VLAN20 → VLAN30 tcp port 443 # HTTPS to internal app servers permit VLAN20 → VLAN30 tcp port 445 # SMB file server access permit VLAN20 → VLAN30 tcp port 389 # LDAP to Active Directory permit VLAN20 → VLAN30 udp port 53 # DNS queries to internal DNS server permit VLAN20 → INTERNET tcp port 80,443 # Internet browsing via web proxy deny VLAN20 → VLAN40 any # Users never reach databases directly deny VLAN20 → VLAN99 any # Users never reach management VLAN deny VLAN20 → VLAN60 any # Users cannot manage IoT devices deny VLAN20 → any any # Default deny everything else
Server VLAN (30) — what application servers can reach
# App servers can reach: databases (specific ports), internet for updates (via proxy) # App servers cannot reach: user workstations (no reason an app server needs to initiate to users) permit VLAN30 → VLAN40 tcp port 1433 # SQL Server (adjust for your DB) permit VLAN30 → VLAN40 tcp port 5432 # PostgreSQL permit VLAN30 → VLAN40 tcp port 3306 # MySQL / MariaDB permit VLAN30 → INTERNET tcp port 443 # OS updates, package managers (via proxy) permit VLAN30 → VLAN30 tcp port 443 # Server-to-server internal APIs deny VLAN30 → VLAN20 any # Servers don't initiate to user devices deny VLAN30 → VLAN99 any # Servers don't reach management VLAN deny VLAN30 → any any # Default deny
Database VLAN (40) — maximum restriction
# Databases should initiate almost no outbound traffic at all # Backup egress is the main legitimate outbound need permit VLAN40 → BACKUP_SERVER tcp port 9000 # Backup agent to backup server permit VLAN40 → VLAN30 tcp port 32000-32100 # Database clustering (if needed) deny VLAN40 → INTERNET any # Databases NEVER reach the internet deny VLAN40 → VLAN20 any # Databases never talk to users deny VLAN40 → any any # Default deny everything # Inbound to databases: ONLY from specific app server IPs, specific ports # Never permit inbound from the user VLAN to databases
IoT / OT VLAN (60) — internet access denied, management restricted
# IoT devices: printers, cameras, HVAC, etc. # They need almost nothing except: NTP (time), possibly firmware update URL, print queues permit VLAN60 → NTP_SERVER udp port 123 # Time synchronisation permit VLAN60 → VLAN30 tcp port 9100 # Print queue (if print server on server VLAN) deny VLAN60 → INTERNET any # IoT devices do NOT reach the internet deny VLAN60 → VLAN20 any # IoT cannot reach user workstations deny VLAN60 → VLAN30 any # IoT cannot reach servers (except print above) deny VLAN60 → VLAN40 any # IoT absolutely cannot reach databases deny VLAN60 → VLAN99 any # IoT cannot reach management deny VLAN60 → any any # Default deny all
Implement egress filtering — not just ingress. Most firewall policies focus on what can enter a segment. Outbound filtering is equally important: a database server that suddenly initiates connections to an external IP is almost certainly compromised. A user workstation uploading 500MB to a cloud storage service outside business hours warrants investigation. Logging all inter-VLAN and internet-egress traffic — and feeding it to your SIEM — turns your segmentation into a detection system, not just a control.
8. Microsegmentation — zero trust network controls

VLAN segmentation operates at the network layer and controls traffic between subnets. Microsegmentation goes deeper — it controls traffic between individual workloads (virtual machines, containers, application processes) within the same subnet. Even within the server VLAN, a compromised application server cannot reach another application server it has no business communicating with.

Microsegmentation is the network implementation of the zero trust "assume breach" principle. It answers the question: if an attacker compromises one application server, how far can they move among other application servers on the same VLAN?

🔬
Microsegmentation — implementation approaches
Zero trust network layer
Approach 1 — Host-based firewalls (most accessible)

Windows Firewall and Linux iptables/nftables provide workload-level traffic filtering. Each server only accepts connections on the specific ports from the specific IPs that need to reach it. This is the most accessible microsegmentation approach — no additional tools required, deployable via Group Policy (Windows) or Ansible/Puppet (Linux).

# Linux iptables microsegmentation — web application server example # Only accept web traffic from load balancer, and DB connections from this server to DB# Accept established connections (return traffic) iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT# Accept web traffic ONLY from load balancer IP iptables -A INPUT -p tcp --dport 8080 -s 10.10.30.5 -j ACCEPT iptables -A INPUT -p tcp --dport 8080 -j DROP # Drop from all other sources# Accept SSH ONLY from management jump server iptables -A INPUT -p tcp --dport 22 -s 10.10.99.10 -j ACCEPT iptables -A INPUT -p tcp --dport 22 -j DROP# Accept monitoring agent connections ONLY from monitoring server iptables -A INPUT -p tcp --dport 9100 -s 10.10.30.50 -j ACCEPT# Drop everything else inbound iptables -A INPUT -j DROP iptables -A INPUT -j LOG --log-prefix "IPTABLES-DROPPED: " # Log drops for SIEM
Approach 2 — Software-Defined Networking platforms

For data centre and cloud environments, SDN platforms provide centralised microsegmentation policy management across hundreds or thousands of workloads. The policy follows the workload — if a VM moves to a different host, its microsegmentation policy moves with it.

  • VMware NSX — the market leader for data centre microsegmentation. Distributed firewall runs on each ESXi host, enforcing policy at the vNIC of each VM before traffic enters the network. Policy is defined centrally in NSX Manager and pushed to all hosts.
  • Illumio Core — agent-based microsegmentation that maps all workload communications (its "Illumination" feature shows you exactly what talks to what before you write any policies), then enforces policies through the host firewall.
  • Guardicore / Akamai Guardicore Segmentation — similar to Illumio. Strong in mixed environments with physical servers, VMs, and cloud workloads.
  • AWS Security Groups, Azure NSGs — cloud-native microsegmentation. In AWS, Security Groups are instance-level firewalls that define exactly which sources can reach each instance on which ports. Properly configured, they provide effective microsegmentation in cloud environments without additional tools.
Approach 3 — Container network policies (Kubernetes)

In Kubernetes environments, NetworkPolicy resources define which pods can communicate with which other pods and services. By default, all pods in a Kubernetes cluster can communicate with each other — enabling network policies is the equivalent of implementing segmentation for containerised workloads.

# Kubernetes NetworkPolicy — deny all ingress by default, then selectively allow # Apply this to every namespace as a baseline apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-deny-ingress namespace: production spec: podSelector: {} # Applies to all pods in namespace policyTypes: - Ingress --- # Then explicitly allow what is needed — e.g. frontend can reach backend on port 8080 apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-frontend-to-backend namespace: production spec: podSelector: matchLabels: app: backend ingress: - from: - podSelector: matchLabels: app: frontend ports: - protocol: TCP port: 8080
9. Step-by-step implementation roadmap
🗺
Network segmentation implementation — 6 phases
Start immediately with Phase 1
1
Phase 1 — Discover and map (Week 1–2)
You cannot segment what you do not understand. Run a full network discovery: use Nmap to identify every IP address, hostname, and open port in your environment. Document every device — what it is, who owns it, what it communicates with. Map all application flows: which servers talk to which databases, which users access which servers, which services need internet access. This map becomes your segmentation design blueprint. Skip this phase and you will break production applications when you enforce segmentation rules.
2
Phase 2 — Design your zone model (Week 2–3)
Based on your network map, design the zone model. Define: which devices belong in each zone, the IP addressing scheme (allocate a /24 per zone minimum), the VLAN IDs, and the trust model (what can each zone reach?). Start with the standard model in Section 4 and adjust for your environment. Get the design reviewed by application owners — they will tell you about flows you missed in your discovery phase.
3
Phase 3 — Implement VLANs in monitor mode (Week 3–6)
Create the VLANs on your switches and configure the firewall zones — but set all inter-VLAN rules to LOG only, not DENY. This observe mode lets you see all traffic crossing segment boundaries without blocking anything. Run for 2–4 weeks, collecting logs. Review the logs with application teams: is this traffic legitimate? This step prevents the most common segmentation failure — breaking production applications because you did not know they needed a specific port. Only after the logs show no unexpected legitimate traffic do you switch rules from LOG to DENY.
4
Phase 4 — Migrate devices into VLANs (Week 6–12)
Move devices into their correct VLAN segments in batches — one zone at a time, starting with the lowest risk (guest VLAN, then IoT VLAN). Keep a rollback plan for every change. Test connectivity after each batch. The management VLAN migration is the highest risk — move management interfaces last, after all other zones are working, and always maintain an out-of-band management path (console access to switches) in case you lock yourself out.
5
Phase 5 — Enforce rules (Week 12–16)
Switch the firewall rules from LOG to DENY for each inter-VLAN rule set, one zone at a time. Monitor closely — this is when you will discover traffic flows your discovery phase missed. Have a fast-track process for exceptions: when a legitimate application breaks, document the required flow, create a specific permit rule, and track all exceptions for quarterly review. The goal is not zero exceptions — it is documented, justified, time-limited exceptions with a review process.
6
Phase 6 — Validate and maintain (Ongoing)
Validate your segmentation annually: attempt lateral movement between segments (authorised penetration test) to confirm the boundaries hold. Review firewall rules quarterly — remove rules that were added as temporary exceptions and never reviewed. Review VLAN assignments when new devices are added — IoT devices commonly get placed on the user VLAN by helpdesk staff who do not know the segmentation policy. Feed inter-VLAN firewall logs to your SIEM for ongoing anomaly detection.
10. Segmentation and compliance — PCI-DSS, HIPAA, ISO 27001
FrameworkSegmentation requirementSpecific controlsBenefit of compliance
PCI-DSS v4.0Required — cardholder data environment (CDE) must be isolated from non-CDE networks. Isolation must be verified annually by a QSA.Req. 1.2: Network security controls between CDE and other networks. Req. 1.3: No direct routes between internet and CDE. Req. 4.1: Segmentation must be validated annually.Organisations with segmented CDE have a dramatically smaller PCI scope — reducing audit cost and complexity significantly.
HIPAARequired — ePHI (electronic Protected Health Information) systems must be isolated. Technical safeguards require access controls limiting ePHI access to authorised users.Technical Safeguard 164.312(a): Access control. 164.312(e): Transmission security. Segmentation is the primary implementation mechanism.In the event of a breach, segmentation that contained ePHI to a specific zone may qualify as a mitigating factor reducing breach notification requirements.
ISO 27001Strongly recommended — Annex A Control 8.20 (network security) and 8.22 (segregation of networks) specify network segmentation as a required control area.A.8.20: Networks shall be managed and controlled to protect information. A.8.22: Groups of information services, users, and information systems shall be segregated in networks.Auditors expect to see VLAN segmentation documentation, firewall rule reviews, and network diagrams showing zone isolation.
NIST CSF 2.0Recommended — Protect function, Network Security category. PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate.Aligns with NIST SP 800-53 SC-7 (boundary protection) which requires monitoring and control at external and internal boundaries.Demonstrates mature PR (Protect) capability in CSF assessments. Required for US federal contractors and agencies under FedRAMP.
74%
of breaches involve lateral movement across segments
60%
faster breach containment with mature segmentation
$1.4M
average containment cost reduction (IBM Cost of Breach)
4
major frameworks requiring or recommending segmentation

⚡ Start segmenting your network

  1. Run a network discovery scan this week — use Nmap (nmap -sn 192.168.0.0/16) to discover every live host in your environment. Before you can segment, you need to know what you have. Our Nmap tutorial covers the full scanning methodology.
  2. Start with guest and IoT VLANs — these are the easiest to create (few legitimate flows to preserve), deliver immediate security improvement (printers and cameras off the main network), and give your team experience with VLAN configuration before tackling the more complex user-to-server segmentation.
  3. Understand zero trust and how segmentation fits in — network segmentation is the network pillar of zero trust architecture. VLAN segmentation controls north-south and east-west traffic between zones; microsegmentation controls traffic within zones. Zero trust architecture guide →
  4. Feed your segmentation logs into your SIEM — inter-VLAN firewall traffic is some of the most valuable security telemetry you can collect. Every denied connection is a potential lateral movement attempt worth investigating. SIEM guide →
  5. Validate with a penetration test — once segmentation is in place, verify it holds with an authorised penetration test specifically targeting lateral movement across segment boundaries. Test from the user VLAN: can you reach the database VLAN? Can you reach management interfaces? A pentester will find gaps your implementation missed. Penetration testing guide →
Frequently asked questions
What is network segmentation and why is it important?

Network segmentation is the practice of dividing a network into isolated zones where traffic between zones is controlled by firewall policy. It is important because it limits lateral movement — an attacker who compromises one machine in a segmented network cannot freely reach all other machines. They are contained within the compromised segment and must cross firewall boundaries to progress, where their movement can be detected and blocked. It is also required by major compliance frameworks including PCI-DSS, HIPAA, and ISO 27001.

What is the difference between VLANs and microsegmentation?

VLANs segment the network at Layer 2 — they create separate broadcast domains and control traffic between subnets. A VLAN is a zone containing multiple devices. Microsegmentation goes deeper, controlling traffic between individual workloads within the same subnet or zone. While VLANs prevent an attacker in the user segment from reaching the database segment, microsegmentation prevents a compromised application server from reaching another application server on the same VLAN. VLANs address north-south traffic between segments; microsegmentation addresses east-west traffic within segments.

What is a DMZ in networking?

A DMZ (Demilitarised Zone) is a network segment that sits between the internet and the internal corporate network, hosting services that must be publicly accessible — web servers, email gateways, VPN endpoints, and API gateways. The DMZ is exposed to internet traffic but protected from the internal network by a firewall. If an internet-facing server in the DMZ is compromised, the attacker is contained in the DMZ — strict firewall rules prevent them from freely reaching internal systems. The name comes from the military concept of a buffer zone between two opposing territories.

How many VLANs should my company have?

The number depends on your environment's complexity, but a practical minimum for most organisations is seven to ten VLANs: DMZ, users, servers, databases, management, guest Wi-Fi, IoT/OT, and voice/VoIP. PCI-DSS regulated organisations need an additional dedicated payment zone. Healthcare organisations need ePHI system isolation. The principle is functional separation — devices with similar trust levels and communication requirements belong in the same VLAN; devices with different trust levels or very different communication needs belong in separate VLANs. Avoid over-segmenting to the point where the administrative complexity exceeds your team's ability to maintain it accurately.

What is VLAN hopping and how do you prevent it?

VLAN hopping is an attack where an attacker on one VLAN gains access to traffic on another VLAN by exploiting switch trunk configuration weaknesses. The two main techniques are switch spoofing (the attacker's device pretends to be a switch and negotiates a trunk connection) and double tagging (the attacker sends frames with two 802.1Q tags, and the outer tag is stripped by the first switch, leaving the inner tag to route the frame to a different VLAN). Prevention: disable DTP on all access ports with switchport nonegotiate, set access ports to access mode explicitly, change the native VLAN from VLAN 1 to an unused VLAN, and never use switchport trunk allowed vlan all.

Does network segmentation replace a firewall?

No — network segmentation requires a firewall. VLANs create the segment boundaries, but a Layer 3 device (firewall or Layer 3 switch with ACLs) is what enforces the traffic policy between segments. Without a firewall controlling inter-VLAN routing, the segments are technically separate broadcast domains but traffic can still flow freely between them. Segmentation and firewalls are complementary: segmentation defines the zones, firewalls enforce the policy at the zone boundaries. A segmented network with no inter-VLAN firewall policy provides very little security improvement.

How does network segmentation relate to zero trust?

Network segmentation is the network implementation of zero trust's "assume breach" principle. In zero trust architecture, the network pillar specifies that network access should be controlled based on identity and context rather than network location — ZTNA replaces VPN for remote access, and microsegmentation controls east-west traffic within the network. Traditional VLAN segmentation addresses the macro-level (controlling traffic between large zones), while zero trust microsegmentation addresses the micro-level (controlling traffic between individual workloads). A mature zero trust implementation builds on strong VLAN segmentation and adds microsegmentation at the workload level on top of it.

About the author Written by the HOC Team at Hackers Online Club — a cybersecurity community trusted by network security engineers, SOC analysts, penetration testers, and security students since 2010. 15+ years of free cybersecurity tutorials, network security guides, and corporate security resources. Learn more about HOC →