Network Segmentation & VLANs
Segmentation means dividing a network into smaller sections so a problem in one cannot freely spread to the others.
Two tools do this: subnetting (splitting by IP range) and VLANs (splitting logically).
VLANs
A VLAN (Virtual Local Area Network) creates separate logical networks even when devices share the same physical switch.
In the cloud, the same idea appears as VPCs (Virtual Private Clouds). The point is logical separation that does not require separate physical hardware.
Why routing alone is not enough
Suppose a company hosts a web app across three subnets:
10.0.10.0/24 → Web servers
10.0.20.0/24 → App servers
10.0.30.0/24 → Database servers
If all subnets are reachable via internal routing, here is the problem. An attacker who gets remote code execution on the web server can now:
Attacker → Web server → internal network
→ scan the app subnet (10.0.20.0/24)
→ pivot toward the database subnet (10.0.30.0/24)
→ exploit open internal ports
Routing allows reachability; it does not enforce isolation.
This sideways movement, server to server, is called east-west traffic, and it is exactly how a single breach becomes a full compromise.
Secure segmentation with VLANs
Put each tier in its own VLAN, and force traffic between tiers through a Layer 3 gateway / firewall with explicit rules:
VLAN 10 → Web tier
VLAN 20 → App tier
VLAN 30 → DB tier
Web → App = ALLOW (443 only)
App → DB = ALLOW (3306 only)
Web → DB = DENY
Now a compromised web server cannot reach the database directly, because the Web → DB rule denies it; the only path is through the app tier on port 443. Segmentation turns one breach into a contained one.
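The following added example (not part of the original note) models the three-tier policy above as a default-deny rule set and contrasts it with flat routing, so you can see which east-west paths a compromised web server keeps. The host addresses, probe ports and the assumption that same-VLAN traffic never touches the gateway are mine, not the page's.

```python
"""Inter-VLAN policy check for the three-tier design: web / app / db."""
import ipaddress

# Subnet -> tier mapping from the note (VLAN 10 / 20 / 30).
TIERS = {
    "web": ipaddress.ip_network("10.0.10.0/24"),
    "app": ipaddress.ip_network("10.0.20.0/24"),
    "db":  ipaddress.ip_network("10.0.30.0/24"),
}

# Explicit allow rules at the Layer 3 gateway: (src tier, dst tier, TCP port).
# Anything not listed is denied: default deny between tiers.
ALLOW_RULES = {
    ("web", "app", 443),
    ("app", "db", 3306),
}

def tier_of(ip):
    """Return the tier whose subnet contains ip, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for name, net in TIERS.items():
        if addr in net:
            return name
    return None

def routing_only(src_ip, dst_ip, port):
    """Baseline: flat internal routing, every known host reaches every other."""
    return tier_of(src_ip) is not None and tier_of(dst_ip) is not None

def segmented(src_ip, dst_ip, port):
    """Segmented: cross-tier traffic must match an explicit allow rule."""
    src, dst = tier_of(src_ip), tier_of(dst_ip)
    if src is None or dst is None:
        return False
    if src == dst:
        return True  # assumption: same VLAN is switched locally, gateway not involved
    return (src, dst, port) in ALLOW_RULES

def reachable_from_web(policy, ports=(22, 443, 3306)):
    """(tier, port) pairs a host in the web tier can reach under a policy.
    Probe hosts and ports are constructed sample values."""
    src = "10.0.10.5"
    probes = {"app": "10.0.20.7", "db": "10.0.30.9"}
    return {(tier, p) for tier, ip in probes.items() for p in ports
            if policy(src, ip, p)}

if __name__ == "__main__":
    print("flat routing :", sorted(reachable_from_web(routing_only)))
    print("segmented    :", sorted(reachable_from_web(segmented)))
```

Under flat routing the web host reaches every probed tier and port; under the segmented policy only the app tier on 443 remains, which is the blast radius the rules were written to allow.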
Takeaway
Subnets and VLANs divide the network; firewalls between them enforce who may talk to whom. Reachability is convenience; isolation is security, and you usually want to design for the second.