How many VLANs is too many?

A practical campus typically has 6-12 VLANs by function. Hundreds of VLANs become an operational liability — change-management cost rises and most "isolated" segments end up with mass any-any allow rules out of fatigue. Prefer fewer well-controlled segments + microsegmentation for granularity.

Should I run a flat VPC and rely on Security Groups?

For small / single-environment deployments, yes — SGs provide the actual security. For multi-environment or multi-tenant, separate VPCs per boundary make the segmentation auditable and limit blast radius if a SG misconfig occurs. Both approaches can be secure; the multi-VPC approach is more obviously auditable.

How do I test that my segmentation actually works?

Periodic segmentation tests: a host in segment A attempts every common service in segment B; observe what gets through. Tools: nmap from each segment, scripted "tcptest" matrices, commercial segmentation-test products (Tufin, AlgoSec). Run quarterly and on every major change.

Is Zero Trust just segmentation rebranded?

Closely related, with three additions: identity-aware policy (not just IP-based), continuous verification (per-request authorisation), and explicit assumption that no segment is trusted. Zero Trust without segmentation is policy theatre; segmentation without identity is 1990s perimeter. The right answer is both. Module 16 covers ZTNA in depth.

How does microsegmentation handle ephemeral cloud workloads?

Tag-based or label-based policy that applies as workloads come and go. AWS SGs reference SGs (not IPs), Kubernetes NetworkPolicy uses labels, NSX uses tags. The key is that policy is specified abstractly, then resolved against the live workload set — you do not write policies referring to specific instance IPs.

Is segmentation always better than a flat network?

Yes for production. The only "flat is better" exceptions: very small offices (<10 users with limited resources), and isolated environments where the perimeter is the only meaningful boundary. For everything else the cost of segmentation is low and the blast-radius reduction is substantial.

How does segmentation interact with disaster recovery?

Carefully. DR test plans must include verifying segmentation post-failover. Many DR tests reveal that the secondary site's firewall rules drifted from primary; the failed-over apps cannot reach dependencies. Treat firewall rules as code (Terraform, Ansible, vendor-specific exporters) so primary and DR are in sync.

Network Segmentation Explained — VLANs, VRFs, Zero Trust

Read as

Last updated: May 1, 2026

Segmentation is splitting your network into zones with controlled traffic between them. Done well it slows lateral movement, reduces blast radius, and is the single control RBI/SEBI/IRDAI auditors quote most often. This module covers VLAN segmentation (the campus baseline), VRF for L3 separation, microsegmentation (host-based / cloud-native security groups), the tier model defenders rely on, and the practical “where do I put what” guide.

Segmentation is the difference between “one foothold leads to domain compromise” and “one foothold leads to one VLAN compromise.” Almost every Indian breach in the last three years that escalated to domain admin would have been contained by competent segmentation. This module is the practitioner introduction: VLANs at L2, VRFs at L3, microsegmentation per host or workload, and the trust-tier model that maps controls to business risk.

Why segmentation is the single highest-leverage control

When attackers land an initial foothold (phished employee laptop, vulnerable web app), their first step is lateral movement: scan the local subnet, find a domain controller or file server, escalate. A flat network turns one compromised host into total compromise. Segmentation forces the attacker to traverse choke points — and choke points are where your IDS, EDR, and access controls live. Auditors love segmentation because it is observable: show me the network diagram, show me the firewall rules between zones, show me the segment-bridging device logs. RBI Cyber Security Framework Annex 1 and SEBI CSCRF both call out segmentation explicitly.

Practical baselineat minimum separate user / server / management / DMZ / IoT into distinct broadcast domains with explicit inter-segment ACLs.

Want this for your team?

Custom team training + practitioner advisory

Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.

Book team training call Replies in 4 working hrs · India-only · Senior consultants

Network Segmentation — VLANs, VRFs, Microsegmentation, and the Tiers Auditors Actually Look For

Why segmentation is the single highest-leverage control

Custom team training + practitioner advisory

Other modules in this track

Networking Fundamentals — OSI, TCP/IP, and Why Layers Actually Matter

Packet Analysis with Wireshark — From “Open the PCAP” to Diagnosing Real Incidents

Network Protocols Deep Dive — ARP, DHCP, ICMP, DNS, HTTP and the Trust They Assume