VLANs and network zones aren’t about isolating devices, but about isolating traffic at different layers of the network stack.
Let’s see this in action. Imagine two servers, webserver-1 (192.168.1.10) and dbserver-1 (192.168.2.20), intended to be on separate VLANs for security. webserver-1 is on VLAN 10, dbserver-1 on VLAN 20.
```shell
# On webserver-1, trying to ping dbserver-1
ping -c 4 192.168.2.20
# Expected output: Destination Host Unreachable or Request timed out

# On a host in VLAN 10 (e.g., 192.168.1.50)
ping -c 4 192.168.2.20
# Expected output: Destination Host Unreachable or Request timed out
```
This is because the switch only forwards frames within a VLAN: traffic from VLAN 10 cannot reach VLAN 20 unless a router or firewall sits between them and explicitly permits it.
The core problem VLANs and zones solve is broadcast domain reduction and traffic isolation. In a flat network, a broadcast packet from any device goes to every device. This is a massive security and performance drain. By segmenting into VLANs, you create smaller, more manageable broadcast domains. Zones take this a step further, often at the Layer 3 (IP) or Layer 7 (application) level, by defining security policies between these segments.
Here’s how it works internally:
- VLANs (Layer 2): A switch port is assigned to a specific VLAN. When a frame enters the switch on that port, the switch tags it with the VLAN ID. Frames with the same VLAN ID are forwarded to other ports in that VLAN, but not to ports in different VLANs. This happens before IP addresses are even considered.
- Inter-VLAN Routing (Layer 3): To communicate between VLANs, you need a Layer 3 device – typically a router or a Layer 3 switch. This device has an IP interface in each VLAN (e.g., `192.168.1.1` for VLAN 10, `192.168.2.1` for VLAN 20). When traffic destined for another VLAN arrives, the router consults its routing table and forwards the packet to the correct egress interface (and thus, the correct VLAN).
- Zones (Firewall/Security Policy): This is where the security aspect truly kicks in. Firewalls (or zone-based firewalls on routers/Layer 3 switches) define security policies based on zones. You might have zones like `DMZ`, `INTERNAL`, `SERVER`, `MANAGEMENT`. Traffic is allowed or denied to flow between these zones based on rules. For example, you might allow HTTP (port 80) and HTTPS (port 443) from the `INTERNAL` zone to the `WEB` zone, but deny all other traffic.
The exact levers you control are:
- Switch Port VLAN Assignment: On a Cisco switch, for example, you’d use `switchport access vlan 10` on a port to assign it to VLAN 10. For trunk ports connecting switches or routers, you’d use `switchport mode trunk` and `switchport trunk allowed vlan add 10,20`.
- Router/L3 Switch Interface IP Configuration: On a Cisco router, you’d create subinterfaces for each VLAN: `interface GigabitEthernet0/1.10` with `encapsulation dot1Q 10` and `ip address 192.168.1.1 255.255.255.0`.
- Firewall Zone Definition and Policy Rules: On a Palo Alto Networks firewall, you’d create zones, assign interfaces to them, and then define security policies like "Allow from INTERNAL to WEB on tcp/80, tcp/443".
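Pulling the three levers together for the webserver-1/dbserver-1 scenario, here is an added Cisco IOS configuration (constructed for this page, not taken from it or from any vendor documentation): access and trunk ports on the switch, router-on-a-stick subinterfaces, and an IOS zone-based firewall on the same router standing in for the Palo Alto step. Interface names, the zone names `WEB`/`SERVER` and the database port tcp/5432 are assumptions for the example.

```cisco
! ---- Access switch: one VLAN per port, one 802.1Q trunk to the router ----
vlan 10
 name WEB
vlan 20
 name SERVER
interface GigabitEthernet0/2
 description webserver-1 (192.168.1.10)
 switchport mode access
 switchport access vlan 10
interface GigabitEthernet0/3
 description dbserver-1 (192.168.2.20)
 switchport mode access
 switchport access vlan 20
interface GigabitEthernet0/1
 description trunk to the router, carries VLAN 10 and 20 only
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! ---- Router: one subinterface per VLAN, each placed in a security zone ----
zone security WEB
zone security SERVER
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 192.168.1.1 255.255.255.0
 zone-member security WEB
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 192.168.2.1 255.255.255.0
 zone-member security SERVER
!
! ---- Zone policy: only the database port (assumed tcp/5432) from WEB to SERVER ----
ip access-list extended WEB_TO_SERVER_ACL
 permit tcp host 192.168.1.10 host 192.168.2.20 eq 5432
class-map type inspect match-all WEB_TO_SERVER_CLASS
 match access-group name WEB_TO_SERVER_ACL
policy-map type inspect WEB_TO_SERVER_POLICY
 class type inspect WEB_TO_SERVER_CLASS
  inspect
 class class-default
  drop log
zone-pair security WEB-TO-SERVER source WEB destination SERVER
 service-policy type inspect WEB_TO_SERVER_POLICY
! No SERVER->WEB zone-pair exists, so sessions initiated from VLAN 20 toward
! VLAN 10 are dropped; replies to inspected sessions are allowed statefully.
! The ping from webserver-1 still fails: ICMP misses the class and is dropped and logged.
```

The `drop log` in `class-default` is what gives you visibility: every denied cross-zone attempt, including the failed pings above, shows up in the router's log rather than vanishing silently.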
The most surprising mechanical aspect is how broadcast traffic is contained. A broadcast from 192.168.1.50 (VLAN 10) will never reach 192.168.2.20 (VLAN 20) at the Layer 2 level. The switch simply doesn’t forward it across the VLAN boundary. This isolation is fundamental, and it’s why you see ARP requests only within their respective VLANs.
The next logical step after segmenting with VLANs and applying basic firewall rules between them is to implement more granular application-aware security policies within those zones.