Lesson 3.4: Network Segmentation & VLANs | AP Cybersecurity

~65 min read Last Updated: March 2026 Lesson 4 of 5 — Unit 3
AP Cybersecurity — Unit 3: Securing Networks

Topic 3.4: Network Segmentation & VLANs

Breaking one big flat network into isolated zones — so that when an attacker gains a foothold, they find walls instead of open hallways between every system they want to reach next.

Lesson 4 of 5 · Skill: Implement Controls · ~65 min · Exam Weight: ~15–20% · Unit 3, Week 4

3.4.1 — Learning Objectives

  • Explain what a flat network is, describe the lateral movement risk it creates, and contrast it with a segmented network architecture
  • Define a VLAN, explain how switches use VLAN tags (802.1Q) to separate traffic on shared physical infrastructure, and describe the difference between access ports and trunk ports
  • Explain why inter-VLAN routing must go through a Layer 3 device (router or Layer 3 switch), and how this creates a firewall enforcement point between segments
  • Describe Vantex Financial Group’s VLAN architecture and explain the security purpose of each segment
  • Explain the Zero Trust principle of “never trust, always verify,” describe how it differs from perimeter-based security, and identify its key implementation components
  • Define microsegmentation and explain how it applies Zero Trust principles at the workload level
  • Apply segmentation concepts to identify lateral movement paths in described network architectures
  • Recognize the three most common AP exam traps on network segmentation questions

3.4.2 — Why Flat Networks Are Dangerous: The Lateral Movement Problem

A flat network is one where all devices share a single network segment with no internal barriers between them. In a flat network, once an attacker compromises one device — any device — they can communicate directly with every other device on the network without crossing any additional security boundary.

This is the lateral movement problem. “Lateral movement” describes how an attacker, after gaining initial access to a low-value target (like a workstation via phishing), moves horizontally across the network to find and compromise higher-value targets (like a database server or domain controller).

Flat Network — Attacker’s Paradise

Scenario: Vantex employee clicks a phishing link and downloads malware on their workstation (10.0.0.105). The internal network has no segmentation — all 847 servers and 2,400 workstations share one broadcast domain.

What the attacker can do immediately: The malware scans 10.0.0.0/24 and finds the transaction database (10.0.0.33), Active Directory (10.0.0.10), payroll server (10.0.0.88), and every other device. No firewall stands between the compromised workstation and any of these servers. The attacker begins probing them directly.

Result: A single phished employee provides a path to every sensitive system in the organization. The blast radius of the initial compromise equals the entire network.

Segmented Network — Contained Blast Radius

Same scenario: The same employee is phished and the same malware runs on 10.10.20.105 (Employee VLAN 20). Vantex’s network is segmented into VLANs with inter-VLAN traffic enforced through a firewall.

What the attacker finds: The malware cannot reach the database VLAN (10.10.40.0/24), the server VLAN (10.10.30.0/24), or the management VLAN (10.10.99.0/24) directly. Any attempt to communicate across VLANs must go through the firewall, which denies workstation-to-database and workstation-to-management traffic.

Result: The attacker is contained within the Employee VLAN. They can still attack other workstations on the same VLAN, but the transaction database and domain controllers are behind a firewall they cannot bypass without a second exploit.

The key insight: Network segmentation does not prevent initial compromise — phishing, malware, and credential theft still happen. Segmentation limits what an attacker can do after they gain their first foothold. The technical term is blast radius reduction: the damage an attacker can cause is bounded by the segment they compromised, not the entire organization.

Check for Understanding (MCQ) — 1 / 10
NovaTech Solutions: NovaTech operates on a single flat network (10.0.0.0/16) with no VLANs. A compromised workstation can reach every server, printer, and IoT device.

What is the primary security problem with a flat network?

✎ Predict: What happens when there are no boundaries between device groups?
A. Flat networks are slower than segmented networks
B. A single compromise gives the attacker access to EVERY device because no logical boundaries exist between network zones
C. Flat networks cannot support more than 100 devices
D. Flat networks require more expensive switches

3.4.3 — Essential Vocabulary & Exam Tips

Each term below gives its definition followed by the exam trap or critical distinction (marked KEY, NOTE, or TRAP).

VLAN (Virtual LAN)
  Definition: A logical network segment created on a physical switch. Devices on different VLANs cannot communicate directly even if connected to the same physical switch. The switch uses VLAN tags (IEEE 802.1Q) to identify which VLAN each frame belongs to.
  KEY: VLANs are a Layer 2 (Data Link) concept — they segregate broadcast domains on switches. Inter-VLAN communication requires a Layer 3 router or Layer 3 switch. A VLAN by itself is not firewall protection; inter-VLAN traffic control requires a firewall or ACL at the routing point.

802.1Q VLAN Tagging
  Definition: The IEEE standard for VLAN tagging. Adds a 4-byte tag to Ethernet frames identifying the VLAN ID (12-bit field supporting up to 4,094 VLANs). Tagged frames travel on trunk ports between switches; untagged frames travel on access ports to end devices.
  NOTE: End devices (computers, printers) connect to access ports and are unaware of VLAN tags. Switches handle the tagging transparently. Trunk ports between switches carry tagged frames for multiple VLANs. A device on VLAN 10 cannot send a frame tagged for VLAN 20 — the switch handles isolation.

Access Port
  Definition: A switch port assigned to a single VLAN. Frames sent to the device are untagged; frames received from the device are tagged with the port’s VLAN ID by the switch. Workstations and servers connect on access ports.
  NOTE: Access port = one VLAN = one device/endpoint. The device does not know or care about VLAN IDs — it sees a normal Ethernet connection.

Trunk Port
  Definition: A switch port carrying traffic for multiple VLANs simultaneously using 802.1Q tags. Used for switch-to-switch and switch-to-router connections. All frames on a trunk port are tagged except the “native VLAN.”
  TRAP: VLAN hopping attacks target trunk ports or misconfigured access ports. An attacker on an access port can attempt to negotiate a trunk link to gain access to multiple VLANs. Defense: explicitly configure all access ports as non-trunk (disable Dynamic Trunking Protocol/DTP).

Inter-VLAN Routing
  Definition: The process of forwarding traffic between VLANs using a Layer 3 device (router or Layer 3 switch). Traffic must leave one VLAN, cross the routing layer, and enter another VLAN. This Layer 3 crossing is where firewall rules and ACLs are enforced.
  KEY: VLANs without inter-VLAN routing controls provide isolation but not security inspection. The security value comes from placing a firewall at the inter-VLAN routing point, so all cross-segment traffic is inspected. A Layer 3 switch that routes between VLANs without ACLs is an improvement over a flat network but not a complete security solution.

Network Segmentation
  Definition: The practice of dividing a network into isolated segments (VLANs, subnets, zones) with controlled traffic paths between them. Limits lateral movement, contains breaches, and enforces least privilege at the network layer.
  KEY: Segmentation reduces blast radius — it does not prevent initial compromise. An attacker on VLAN 20 (employees) is contained from VLAN 40 (databases) but can still attack other devices on VLAN 20. The value is limiting how far a breach spreads, not stopping the first foothold.

Zero Trust
  Definition: A security model based on “never trust, always verify.” No device, user, or network location is inherently trusted. Every access request is authenticated, authorized, and continuously validated regardless of whether it originates inside or outside the network perimeter.
  KEY: Zero Trust is a principle, not a product. The key shift: location no longer determines trust level. Being on the internal corporate network does not grant implicit trust. Every connection is treated as potentially hostile until proven legitimate.

Microsegmentation
  Definition: Fine-grained network segmentation that extends to individual workloads, applications, or even processes. Instead of segmenting by zone (employee VLAN vs. server VLAN), microsegmentation creates policy boundaries around each individual service. Common in cloud and data center environments.
  NOTE: Microsegmentation goes beyond VLANs to application-level isolation. A web server and a database server on the same VLAN in a traditionally segmented network can still communicate. Microsegmentation would restrict the web server to only the specific database API calls it legitimately needs, blocking all other traffic.

VLAN Hopping
  Definition: An attack that allows traffic from one VLAN to reach another VLAN by exploiting switch configuration weaknesses, particularly misconfigured access ports that can be tricked into establishing trunk links (DTP attacks) or by double-tagging frames.
  KEY: Defense against VLAN hopping: (1) Disable DTP on all access ports (set explicitly to access mode, not dynamic); (2) Do not use the native VLAN for user traffic (use a dedicated, unused VLAN as the native VLAN); (3) Use private VLANs for high-security segments.
Check for Understanding (Matching) — 2 / 10
Crossroads Logistics: Classifies three segmentation technologies.

Match each technology to its segmentation scope.

✎ Think: VLANs = within a switch. Subnets = IP-level. Micro-seg = per-workload.
  • VLANs creating separate broadcast domains on the same physical switch
  • Subnets with routing and firewall rules between IP address ranges
  • Software-defined policies controlling traffic between individual containers or VMs

3.4.4 — VLANs In Depth

3.4.4a — Vantex VLAN Architecture

Vantex Financial Group segments its primary data center network into six VLANs, each representing a security zone with defined trust level and inter-VLAN communication rules:

VLAN 10 — Employee Workstations
  • Subnet: 10.10.10.0/24
  • Devices: 2,400 employee desktop and laptop computers
  • Purpose: HR portals, internal tools, internet access via proxy
  • Trust: Standard trust level
  • Policy: Cannot directly reach VLAN 40 (database) or VLAN 99 (management)

VLAN 20 — Guest / Vendor
  • Subnet: 10.10.20.0/24
  • Devices: Visitor Wi-Fi, contractor laptops, vendor devices
  • Purpose: Internet access only (via firewall)
  • Trust: Lowest trust level
  • Policy: Cannot reach any internal VLAN. Internet only.

VLAN 30 — Application Servers
  • Subnet: 10.10.30.0/24
  • Devices: Web application servers, API gateways
  • Purpose: Mid-tier processing, business logic
  • Trust: Elevated trust level
  • Policy: Can reach VLAN 40 only on approved ports. Cannot initiate connections to VLAN 10.

VLAN 40 — Database Servers
  • Subnet: 10.10.40.0/24
  • Devices: Transaction DB, client PII database
  • Purpose: Core financial data stores
  • Trust: Highest data sensitivity
  • Policy: Accepts connections from VLAN 30 only on port 5432. No outbound internet. No workstation access.

VLAN 50 — Security / Monitoring
  • Subnet: 10.10.50.0/24
  • Devices: SIEM, IDS/IPS sensors, vulnerability scanners
  • Purpose: Security operations infrastructure
  • Trust: Read-access to all VLANs for monitoring
  • Policy: Can receive mirrored traffic from all VLANs. Cannot initiate connections to end devices.

VLAN 99 — Management
  • Subnet: 10.10.99.0/24
  • Devices: Network devices, switch/router management interfaces
  • Purpose: Out-of-band management access
  • Trust: Highest privilege level
  • Policy: Only accessible from jump host on approved IP. SSH key-based auth only. Completely isolated from all user VLANs.

3.4.4b — How VLANs Work: 802.1Q Tagging

VLANs work by adding a 4-byte 802.1Q tag to Ethernet frames as they traverse the network. This tag contains the VLAN ID (1–4094), allowing a single physical cable (a trunk link) to carry traffic for multiple VLANs simultaneously while keeping them logically separate.

Access Port
  How it works: Assigned to exactly one VLAN. Receives untagged frames from the end device and tags them with the port’s VLAN ID before forwarding. Sends untagged frames to the end device (strips the tag). End device is unaware of VLANs.
  Security implication: An employee workstation on VLAN 10 cannot send frames tagged for VLAN 40 — the switch controls tagging, not the device. Access ports should always be explicitly configured as access-only (disable DTP to prevent negotiated trunk attacks).

Trunk Port
  How it works: Carries tagged frames for multiple VLANs. Used between switches and between switches and routers. All frames are tagged with their VLAN ID (except the “native VLAN” which is untagged by default).
  Security implication: Trunk ports are the primary target of VLAN hopping attacks. An attacker who can negotiate a trunk link from an access port can send and receive traffic for any VLAN. Defense: set all user-facing ports to access mode explicitly; use an unused VLAN ID as the native VLAN on trunk ports.

3.4.4c — VLAN Hopping: The Layer 2 Segmentation Bypass

VLAN hopping is an attack that allows an attacker on one VLAN to send traffic to another VLAN by exploiting weaknesses in switch configuration. Two main techniques:

Switch Spoofing (DTP Attack): Many switches support Dynamic Trunking Protocol (DTP), which allows ports to automatically negotiate whether they become access or trunk ports. An attacker connects to an access port and sends DTP frames negotiating the port into trunk mode. Once the port becomes a trunk, the attacker can send and receive tagged frames for any VLAN. Defense: explicitly configure all access ports as “switchport mode access” (not dynamic) and disable DTP.

Double Tagging: The attacker sends a frame with two 802.1Q tags stacked: the outer tag matches the native VLAN of the trunk (which is stripped by the first switch without inspection), and the inner tag carries the target VLAN ID. When the frame reaches the second switch, it sees only the inner tag (now the outer tag) and forwards it to the target VLAN. This attack is one-directional (attacker can send to the target VLAN but cannot receive responses). Defense: ensure the native VLAN is not used for any user or device traffic — use an unused VLAN ID.
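To make the 802.1Q tag format in 3.4.4b and the stacked-tag condition in 3.4.4c concrete, here is an added example (not code from the lesson) that parses tagged frames the way a monitoring sensor on a mirrored port would and reports stacked tags, native-VLAN-tagged frames, and VIDs a trunk should not carry. The sample frames, the native VLAN 999 and the allowed-VLAN set are constructed inputs.

```python
"""Parse 802.1Q-tagged Ethernet frames and flag stacked or native-VLAN tags.

Added example, not part of the lesson. A sensor fed by mirrored traffic (the
lesson places such sensors in VLAN 50) can use this to spot the conditions
behind VLAN hopping: frames carrying two stacked tags, frames tagged with the
trunk's native VLAN, and VIDs the trunk should not carry. All sample frames
below are constructed.
"""
import struct

TPID_8021Q = 0x8100   # customer VLAN tag
TPID_8021AD = 0x88A8  # service (QinQ) tag; treated as a VLAN tag as well
VLAN_TPIDS = {TPID_8021Q, TPID_8021AD}


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame into MACs, an ordered list of VLAN tags
    (outermost first), the payload EtherType and the payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset, tags = 12, []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated frame while reading EtherType/TPID")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype not in VLAN_TPIDS:
            break                       # reached the real payload EtherType
        if offset + 2 > len(frame):
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset)   # Tag Control Information
        offset += 2
        tags.append({"tpid": ethertype,
                     "pcp": tci >> 13,          # 3-bit priority code point
                     "dei": (tci >> 12) & 1,    # drop eligible indicator
                     "vid": tci & 0x0FFF})      # 12-bit VLAN ID (1-4094 usable)
    return {"dst": dst.hex(":"), "src": src.hex(":"), "tags": tags,
            "ethertype": ethertype, "payload": frame[offset:]}


def inspect_trunk_frame(frame: bytes, native_vid: int, allowed_vids: set) -> list:
    """Return finding strings for a frame observed on a trunk whose native VLAN
    is native_vid and whose allowed VLAN list is allowed_vids (constructed policy)."""
    tags = parse_frame(frame)["tags"]
    findings = []
    if len(tags) >= 2:
        findings.append(f"double-tagged frame: outer VID {tags[0]['vid']} "
                        f"wraps inner VID {tags[1]['vid']}")
    if tags and tags[0]["vid"] == native_vid:
        findings.append(f"frame explicitly tagged with native VLAN {native_vid}")
    for tag in tags:
        if tag["vid"] not in allowed_vids and tag["vid"] != native_vid:
            findings.append(f"VID {tag['vid']} is not permitted on this trunk")
    return findings


# Constructed frames: broadcast dst MAC, made-up src MAC, then tags/EtherType/payload.
HDR = bytes.fromhex("ffffffffffff" "001122334455")
FRAME_VLAN10 = HDR + bytes.fromhex("8100 000a 0800 deadbeef")            # one tag, VID 10
FRAME_UNTAGGED = HDR + bytes.fromhex("0806 00010800")                    # ARP, no tag
FRAME_STACKED = HDR + bytes.fromhex("8100 03e7 8100 0028 0800 c0ffee")  # VID 999 outer, VID 40 inner

TRUNK_NATIVE = 999                       # unused native VLAN, as the lesson recommends
TRUNK_ALLOWED = {10, 20, 30, 40, 50, 99}  # Vantex VLANs

if __name__ == "__main__":
    for name, f in [("vlan10", FRAME_VLAN10), ("untagged", FRAME_UNTAGGED),
                    ("stacked", FRAME_STACKED)]:
        print(name, [t["vid"] for t in parse_frame(f)["tags"]],
              inspect_trunk_frame(f, TRUNK_NATIVE, TRUNK_ALLOWED))
```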

Check for Understanding (MCQ) — 3 / 10
Harborview Bank: An attacker connects to a misconfigured trunk port in the lobby and sends 802.1Q-tagged frames for VLAN 30 (ATM network).

This technique is called:

✎ Predict: What is it called when you inject frames tagged for a VLAN you should not be on?
A. MAC flooding — overwhelming the switch MAC table
B. DNS spoofing — redirecting domain queries
C. VLAN hopping — injecting tagged frames to access unauthorized VLANs via a trunk port
D. Port scanning — probing for open services

3.4.5 — Inter-VLAN Routing and Security Zones

VLANs isolate broadcast domains at Layer 2. For traffic to travel between VLANs, it must pass through a Layer 3 device — a router or Layer 3 switch. This Layer 3 crossing is where security policy is enforced: ACLs and firewall rules at the inter-VLAN routing point control what traffic can cross segment boundaries.

3.4.5a — Two Inter-VLAN Architectures

Router-on-a-Stick
  How it works: A single router interface (or subinterfaces) connects to a trunk port on the switch. Each VLAN has a sub-interface on the router. All inter-VLAN traffic flows through the router, which applies ACLs between VLANs.
  Security implication: All inter-VLAN traffic bottlenecks through one physical interface. ACLs on the router sub-interfaces enforce security policy. Scales poorly for high-volume internal traffic but simple to understand and configure. Classic deployment for small environments.

Layer 3 Switch with Firewall
  How it works: A Layer 3 switch routes inter-VLAN traffic with wire-speed performance. For high-security inter-VLAN paths (e.g., employee VLAN to database VLAN), traffic is forced through a dedicated firewall appliance rather than just L3 switch ACLs.
  Security implication: Best of both: high-performance routing for normal inter-VLAN traffic, stateful inspection for sensitive paths. Vantex uses this model: Layer 3 switch handles employee-to-app server traffic, dedicated firewall handles app server-to-database traffic and all connections touching VLAN 40 (databases) and VLAN 99 (management).

3.4.5b — Security Zones and Trust Levels

Network zones extend the VLAN concept to the full security architecture. Each zone has an assigned trust level, and inter-zone traffic policies reflect the trust relationship between zones. Vantex’s four security zones:

Internet Zone
  VLANs: External (no VLAN)
  Trust level: Untrusted
  Inter-zone policy: Internet → DMZ: only specific public services (HTTPS/443, SMTP/25, DNS/53). Internet → Internal: always denied. DMZ → Internet: only approved update/mail destinations.

DMZ Zone
  VLANs: VLAN 100 (separate infrastructure)
  Trust level: Semi-trusted
  Inter-zone policy: DMZ → App (VLAN 30): approved ports only. DMZ → Employee (VLAN 10): denied. DMZ → Database (VLAN 40): denied (must go via app tier).

Internal Zone
  VLANs: VLANs 10, 20, 30, 50
  Trust level: Trusted
  Inter-zone policy: Employee (10) → App (30): approved business apps only. Employee (10) → Guest (20): denied. Guest (20) → all internal: denied. App (30) → Database (40): port 5432 only.

Restricted Zone
  VLANs: VLANs 40, 99
  Trust level: Highly restricted
  Inter-zone policy: Database (40): accepts VLAN 30 on port 5432 only; all other inbound denied; no outbound internet. Management (99): accepts only from jump host on specific IP; no user or server access.
Check for Understanding (Fill in the Blank) — 4 / 10
Brightpath University: Reviews VLAN fundamentals.
✎ Think: VLANs create logical separation at Layer 2.

VLANs create separate ________ domains, confining traffic within each zone.

Traffic between VLANs requires a Layer 3 device (router or ________) to forward packets.

A switch port configured to carry traffic for a single VLAN is called an ________ port.

A switch port carrying tagged traffic for multiple VLANs is called a ________ port.

Disabling Dynamic Trunking Protocol (DTP) on user ports prevents automatic ________ negotiation.

3.4.6 — Zero Trust Networking

Zero Trust is a security philosophy that emerged as a direct response to the failure of perimeter-based security. The core insight: the assumption that everything inside the network is trusted is wrong. Insiders, compromised devices, and attackers who have bypassed the perimeter can all operate freely on a trusted internal network.

The Zero Trust principle: Never trust, always verify. Every access request — regardless of network location, user, or device — is treated as potentially hostile until it is explicitly verified as legitimate. Being inside the corporate network does not grant any implicit trust or access rights.

Principle 1: Verify Explicitly

Authenticate and authorize every access request using all available data points: user identity, device health, location, time of day, resource sensitivity, and behavioral signals. No implicit trust based on network location alone.

Vantex implementation: Even employees on the internal network must authenticate to applications (not just the VPN). Conditional access policies evaluate device compliance before granting application access. Accessing the transaction database requires MFA regardless of whether the user is on-site or remote.

Principle 2: Use Least Privilege Access

Limit user access to only the specific resources needed for the current task, for the minimum time needed. Just-in-time and just-enough-access (JIT/JEA) replaces standing privileged access with time-limited, scope-limited grants.

Vantex implementation: Network access follows role: a Teller workstation can reach teller applications (VLAN 30 specific IP range) but not the database VLAN. No user segment has standing access to management VLAN 99 — all access is JIT through PAM.

Principle 3: Assume Breach

Design systems as if attackers are already inside the network. Minimize blast radius through segmentation, encrypt internal traffic end-to-end, log all access for forensic capability, and assume any device could be compromised at any time.

Vantex implementation: Internal traffic between sensitive VLANs is encrypted (TLS for all application-to-database communication, even on the internal network). All internal access logged to SIEM. Anomaly detection treats unusual internal access patterns with the same urgency as external threats.

Principle 4: Microsegmentation

Extend segmentation from VLAN-level zones to individual workloads. A web server and an email server in the same VLAN cannot communicate with each other unless explicitly permitted. Each workload is isolated from its neighbors by default.

Vantex implementation (roadmap): Current architecture segments at VLAN level. Zero Trust roadmap targets host-based firewall rules and software-defined networking (SDN) to implement workload-level microsegmentation within each VLAN — so even if an attacker moves laterally within VLAN 30, they cannot reach every app server.

3.4.6b — Zero Trust vs. Perimeter Security: The Key Difference

Trust basis
  Perimeter (Castle & Moat) model: Network location. Being inside the perimeter = trusted. Being outside = untrusted.
  Zero Trust model: Identity + device health + context. Network location provides no implicit trust.

After perimeter breach
  Perimeter model: Attacker inside the network faces no further barriers. Lateral movement is unrestricted.
  Zero Trust model: Each resource requires re-authentication. Segmentation limits lateral movement. Anomaly detection still active.

Remote work
  Perimeter model: VPN puts remote users “inside” the network, granting full internal trust.
  Zero Trust model: Remote and on-site users face identical authentication and authorization requirements. VPN access is scoped (split tunnel or ZTNA).

Insider threat
  Perimeter model: Insider with internal access can reach any resource on the flat/lightly segmented network.
  Zero Trust model: Insider can only reach resources explicitly authorized for their role. Behavioral monitoring detects anomalous access patterns.

Failure mode
  Perimeter model: Single perimeter breach = full internal exposure (attacker has castle keys).
  Zero Trust model: Breach of one segment does not grant access to adjacent segments. Each access requires fresh verification.
Check for Understanding (MCQ) — 5 / 10
Meridian Energy: Meridian’s IoT VLAN (cameras, HVAC) has a firewall rule: ALLOW ONLY outbound to management server on port 8443. A camera is compromised. What can the attacker NOT do?

✎ Predict: The rule restricts IoT to one destination. What is blocked?
A. Send data to the management server on port 8443
B. Communicate with other cameras on the same IoT VLAN
C. Scan the corporate VLAN for vulnerable workstations — the firewall blocks cross-VLAN traffic except to the management server
D. Receive firmware updates from the management server

3.4.7 — Real-World Case Studies: Segmentation in Practice

Case Study 1 — Flat Network Catastrophe
NotPetya (2017) — Flat Networks as Force Multipliers

What happened: NotPetya was a destructive cyberattack masquerading as ransomware, deployed in June 2017. It used EternalBlue (the same exploit as WannaCry) plus a credential-harvesting tool (Mimikatz) to spread across networks. Once inside an organization, it spread by extracting credentials from compromised machines and using them to authenticate to other machines on the network via SMB, WMI, and PsExec.

Why flat networks made it catastrophic: Maersk, the shipping giant, lost approximately 45,000 PCs and 4,000 servers in 45 minutes. Merck lost 30,000 computers. FedEx subsidiary TNT lost most of its IT infrastructure. The common factor: flat or lightly segmented internal networks. NotPetya extracted credentials from memory on an infected machine and used those credentials to authenticate to every other machine visible on the network segment. On a flat network, that meant every machine. On a segmented network, it would have been limited to the compromised segment.

The network segmentation lesson: NotPetya required no user interaction on subsequent machines — it spread silently using valid credentials. The only effective defense was network segmentation that prevented the malware from reaching new machines after the initial compromise. Organizations with aggressive VLAN segmentation (particularly those with isolated OT/IT networks) survived relatively intact. Those with flat enterprise networks lost essentially everything.

Cost: Total damages estimated at $10 billion+ across all affected organizations. Maersk alone: ~$300 million. All preventable with network segmentation that blocked lateral SMB movement.

Flat Network + Credential Theft = Total Compromise
Segmentation Limits Wormable Malware Blast Radius
Case Study 2 — Segmentation Containing a Breach
Vantex Simulation: Ransomware Contained by VLAN Segmentation

Scenario: A Vantex employee in the Kansas City branch office clicks a phishing link and downloads ransomware. The malware encrypts files on the employee’s workstation and begins scanning the local network for SMB shares and other endpoints to spread to.

What the malware finds (with segmentation in place): The workstation is on VLAN 10 (Employee) subnet 10.10.10.0/24. The malware successfully spreads to three other workstations on VLAN 10 that have open SMB shares with weak credentials. However, every attempt to reach VLAN 30 (App servers), VLAN 40 (Database), and VLAN 99 (Management) is blocked by the inter-VLAN firewall. The malware sends outbound C2 traffic, which is caught by the egress filter blocking connections to the known C2 IP range.

Incident response: The SIEM detects unusual SMB activity within VLAN 10 (multiple new connections from one workstation in 2 minutes) and fires an alert. IT security isolates VLAN 10 within 8 minutes of initial infection. Four workstations are encrypted; zero servers are affected. The transaction database, client PII, and financial systems are completely unaffected.

Without segmentation: The same ransomware on a flat 10.0.0.0/24 network would have had direct access to all 847 servers and all 2,400 workstations. Estimated total damage: $14–20M (based on industry ransomware cost data for organizations of Vantex’s size). Actual damage with segmentation: 4 workstations, $12,000 in recovery costs.

Segmentation: 4 Workstations vs. 847 Servers Compromised
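The two detections in this case study (an SMB fan-out from one workstation inside VLAN 10 within two minutes, and a workstation touching the database or management VLAN directly) can be expressed as simple rules over flow records. The block below is an added example, not the lesson's or Vantex's own SIEM content; the flow record format, the sample records and the fan-out threshold are constructed assumptions.

```python
"""East-west (inter-VLAN) detection logic over constructed flow records.

Added example, not part of the lesson. It implements the two alerts the case
study describes: an SMB fan-out from a single workstation inside VLAN 10
within a 2-minute window, and any employee workstation attempting a direct
connection to the database or management VLAN. The record format, sample
records and the fan-out threshold are invented for this example.
"""
import ipaddress
from collections import defaultdict, deque

VLANS = {   # subnets from the lesson's Vantex architecture
    "Employee": ipaddress.ip_network("10.10.10.0/24"),
    "App": ipaddress.ip_network("10.10.30.0/24"),
    "Database": ipaddress.ip_network("10.10.40.0/24"),
    "Management": ipaddress.ip_network("10.10.99.0/24"),
}
RESTRICTED = {"Database", "Management"}
SMB_PORT = 445
FANOUT_WINDOW_S = 120   # the "2 minutes" in the case study
FANOUT_THRESHOLD = 5    # distinct SMB peers in the window; threshold assumed

# Constructed records: "epoch_seconds src_ip dst_ip dst_port" (one flow per line)
SAMPLE_FLOWS = """\
1700000000 10.10.10.105 10.10.10.12 445
1700000005 10.10.10.105 10.10.10.13 445
1700000010 10.10.10.105 10.10.10.14 445
1700000020 10.10.10.105 10.10.10.15 445
1700000030 10.10.10.105 10.10.10.16 445
1700000031 10.10.10.105 10.10.10.17 445
1700000040 10.10.10.105 10.10.40.33 5432
1700000050 10.10.30.8 10.10.40.33 5432
1700000060 10.10.10.77 10.10.30.8 443
1700000400 10.10.10.105 10.10.99.1 22
"""


def vlan_of(ip: str) -> str:
    """Name the VLAN an address belongs to, or 'Unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return "Unknown"


def parse_flows(text: str) -> list:
    """Parse the constructed record format into (ts, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((int(ts), src, dst, int(dport)))
    return flows


def detect(flows: list) -> list:
    """Return alerts in time order as (ts, rule, src, detail) tuples."""
    alerts = []
    smb_peers = defaultdict(deque)   # src -> deque of (ts, dst) inside the window
    fired = set()                    # sources already alerted for fan-out
    for ts, src, dst, dport in sorted(flows):
        src_vlan, dst_vlan = vlan_of(src), vlan_of(dst)
        # Rule 1: an employee workstation trying to reach a restricted VLAN directly.
        # The firewall should deny this, but the attempt itself is the signal.
        if src_vlan == "Employee" and dst_vlan in RESTRICTED:
            alerts.append((ts, "CROSS_VLAN_VIOLATION", src,
                           f"{src} -> {dst}:{dport} ({src_vlan} -> {dst_vlan})"))
        # Rule 2: many distinct SMB peers from one host within the sliding window.
        if dport == SMB_PORT:
            window = smb_peers[src]
            window.append((ts, dst))
            while window and ts - window[0][0] > FANOUT_WINDOW_S:
                window.popleft()
            peers = {d for _, d in window}
            if len(peers) >= FANOUT_THRESHOLD and src not in fired:
                fired.add(src)
                alerts.append((ts, "SMB_FANOUT", src,
                               f"{len(peers)} distinct SMB peers within {FANOUT_WINDOW_S}s"))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```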
Case Study 3 — Zero Trust in Practice
Google BeyondCorp (2014) — Zero Trust Before the Term Existed

Background: After the 2009-2010 Operation Aurora attacks (sophisticated Chinese state-sponsored attacks against Google and 20+ other companies), Google decided to rebuild its corporate network security model from scratch. The result, published in 2014 as “BeyondCorp,” is now recognized as the foundational real-world implementation of Zero Trust networking.

The key architectural shift: Google eliminated the concept of a privileged internal network. Employees can work from any network (corporate office, home, coffee shop) and receive identical security enforcement — because the corporate network provides no additional trust. Access to each application is granted based on: (1) verified user identity (certificate-based), (2) device inventory and compliance check (is the device managed? up to date?), and (3) access control policies for the specific application requested.

The practical result: Google employees connect to applications through a central access proxy that enforces all access decisions. There is no VPN — because VPN implies a trusted internal network that Zero Trust explicitly eliminates. The access proxy evaluates each request in real time and applies the same rigor to an employee at Google HQ as to one working from a hotel in a foreign country.

Why it matters for AP Cybersecurity: BeyondCorp proved that Zero Trust is operationally feasible at massive scale. The model has since been adopted (with variations) by major cloud providers, financial institutions, and government agencies as the security architecture for a world where “inside the network” provides no meaningful security boundary.

Zero Trust Is Operationally Proven at Enterprise Scale
Check for Understanding (Select All) — 6 / 10
NovaTech Solutions: Planning VLAN deployment.

Select ALL valid reasons for creating separate VLANs.

✎ Think: VLANs isolate by trust level, data sensitivity, and device type.

3.4.8 — Defense Strategies: Building a Segmented Architecture

VLAN Design by Trust Level
  What it does: Assign devices to VLANs based on their trust level and data sensitivity requirements. High-sensitivity systems (databases, management infrastructure) in isolated VLANs with strict inter-VLAN ACLs. Untrusted devices (guests, contractors) in their own isolated VLAN with internet-only access.
  Vantex implementation: Six VLANs with defined trust levels (10=employee, 20=guest/vendor, 30=app servers, 40=databases, 50=security, 99=management). Guest VLAN has no internal access. Database and management VLANs are isolated from all user-facing segments.

Firewall at Inter-VLAN Routing Point
  What it does: Route sensitive inter-VLAN traffic through a stateful firewall rather than just Layer 3 switch ACLs. Provides connection tracking, logging, and deeper inspection for critical segment boundaries.
  Vantex implementation: All traffic crossing into VLAN 40 (database) or VLAN 99 (management) routes through a dedicated internal firewall with full logging. VLAN 10↔30 traffic uses Layer 3 switch ACLs; VLAN 30↔40 uses firewall with stateful inspection.

Disable DTP on Access Ports
  What it does: Explicitly configure all user-facing switch access ports as access-only (disable Dynamic Trunking Protocol). Prevents VLAN hopping attacks where an attacker negotiates a trunk link from an access port.
  Vantex implementation: All access ports configured “switchport mode access; switchport nonegotiate.” Verified quarterly via automated switch configuration audit. Non-compliant ports flagged for immediate remediation.

Native VLAN Hardening
  What it does: Change the native VLAN on all trunk ports to an unused VLAN ID (not VLAN 1 or any user VLAN). Prevents double-tagging VLAN hopping attacks that exploit the native VLAN’s untagged nature.
  Vantex implementation: Native VLAN on all Vantex trunk ports set to VLAN 999 (unused, no devices assigned). VLAN 1 (the default native VLAN) is not used for any traffic on any Vantex switch.

Network Access Control (NAC)
  What it does: Validates device identity and compliance before granting network access and VLAN assignment. Unregistered or non-compliant devices are placed in a quarantine VLAN with limited access pending remediation.
  Vantex implementation: 802.1X NAC deployed on all employee access ports. Devices must present a valid certificate to join VLAN 10. Non-authenticated devices placed in VLAN 90 (quarantine) with access only to the remediation server and support portal.

East-West Traffic Monitoring
  What it does: Monitor traffic moving between internal segments (east-west), not just traffic entering or leaving the network (north-south). Lateral movement and insider threats are detected in east-west traffic patterns.
  Vantex implementation: All inter-VLAN traffic logged to SIEM. Unusual traffic patterns (workstation to database direct connection attempt, anomalous SMB scan behavior) trigger P1 alerts. NetFlow data collected from all Layer 3 switches.
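The “automated switch configuration audit” behind the DTP and native-VLAN controls above can be a small script that reads an IOS-style running config and checks each port against the settings the lesson prescribes. The following is an added example, not the lesson's or any vendor's tool; the configuration excerpt, interface names and descriptions are constructed.

```python
"""Audit a Cisco IOS-style switch configuration for the VLAN-hopping hardening
this lesson lists: explicit access mode, DTP disabled, and an unused native VLAN.

Added example, not part of the lesson and not a vendor tool. The running-config
excerpt below is constructed; interface names and descriptions are invented.
"""

USER_VLANS = {10, 20, 30, 40, 50, 99}   # Vantex VLANs named in the lesson
APPROVED_NATIVE_VLAN = 999              # unused native VLAN the lesson prescribes

SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description Employee workstation
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 description Lobby wall jack
 switchport access vlan 10
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/3
 description Printer
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet1/0/23
 description Uplink to distribution (legacy)
 switchport mode trunk
!
interface GigabitEthernet1/0/24
 description Uplink to core
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30,40,50,99
 switchport nonegotiate
!
"""


def parse_interfaces(config: str) -> dict:
    """Return {interface name: [indented config lines]} for every interface block."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith("!"):
            current = None                      # '!' terminates the block
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(raw.strip())
    return interfaces


def audit_interface(lines: list) -> list:
    """Return finding strings for one switchport; an empty list means compliant."""
    findings = []
    mode = next((ln.split()[2] for ln in lines if ln.startswith("switchport mode ")), None)
    nonegotiate = "switchport nonegotiate" in lines
    # IOS trunks fall back to native VLAN 1 when none is configured
    native = next((int(ln.split()[-1]) for ln in lines
                   if ln.startswith("switchport trunk native vlan ")), 1)
    if mode is None:
        findings.append("no explicit switchport mode: DTP may negotiate a trunk")
    elif mode == "dynamic":
        findings.append("dynamic trunking mode: a connected host can negotiate a trunk (switch spoofing)")
    if not nonegotiate:
        findings.append("missing 'switchport nonegotiate': DTP frames are still sent")
    if mode == "trunk":
        if native == 1:
            findings.append("trunk uses default native VLAN 1 (double-tagging exposure)")
        elif native in USER_VLANS:
            findings.append(f"native VLAN {native} carries user traffic")
        elif native != APPROVED_NATIVE_VLAN:
            findings.append(f"native VLAN {native} is not the approved unused VLAN {APPROVED_NATIVE_VLAN}")
    return findings


def audit_config(config: str) -> dict:
    """Map every interface in the config to its list of findings."""
    return {name: audit_interface(lines) for name, lines in parse_interfaces(config).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```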
Check for Understanding (Matching) — 7 / 10
Crossroads Logistics: Maps three segmentation designs to their security benefits.

Match each design to its primary benefit.

✎ Think: DMZ, micro-seg, and zone-based each solve different problems.
  • DMZ isolating public web servers from internal networks
  • Micro-segmentation controlling traffic between individual containers
  • IoT VLAN with strict outbound-only firewall rules

3.4.9 — Worked Examples: Predict First, Then Classify

Worked Example 1 — Identifying Lateral Movement Paths
Scenario: Vantex’s network has the following configuration: VLAN 10 (employees, 10.10.10.0/24), VLAN 30 (app servers, 10.10.30.0/24), VLAN 40 (databases, 10.10.40.0/24). Inter-VLAN ACLs: (A) VLAN 10 can reach VLAN 30 on port 443. (B) VLAN 30 can reach VLAN 40 on port 5432. (C) VLAN 10 cannot directly reach VLAN 40. An attacker compromises a VLAN 10 employee workstation. Can they reach the VLAN 40 database, and how?
1

Map the Direct Paths

From VLAN 10: direct to VLAN 40 is denied (rule C). Direct to VLAN 30 on port 443 is permitted (rule A).

2

Identify the Indirect Path (Two-Hop Attack)

VLAN 10 → VLAN 30 (port 443) is permitted. If the attacker can compromise a VLAN 30 app server, they are now on VLAN 30. From VLAN 30, the attacker can reach VLAN 40 on port 5432 (rule B). The database is reachable via a two-hop lateral movement: workstation → app server → database.

3

What This Means for Defense

Segmentation limited the direct path but did not eliminate the indirect path. The two-hop path requires the attacker to compromise a second system (the app server). Additional defenses: restrict VLAN 10 access to only specific app server IPs (not the entire VLAN 30 subnet); implement application-level authentication on the app servers; monitor for unusual VLAN 30 → VLAN 40 query patterns in the database logs.

Analysis

The database is reachable via two-hop lateral movement. Segmentation raised the bar (attacker needs to compromise an app server first), but did not eliminate the path. This illustrates a key lesson: network segmentation is one layer of defense-in-depth, not a complete solution. Application-layer authentication, behavior monitoring, and microsegmentation within VLAN 30 would close the residual gap.
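The worked example traces the two-hop path by hand. The following is an added example, not code from the lesson, that does the same search over an ACL matrix so that an architect reviewing a design can list every multi-hop route and the segments an attacker would have to pivot through. The pivot model is an assumption of this example (reaching a segment on any permitted port is treated as an opportunity to compromise a host there and continue); rules A and B are the lesson's, while the rule names X1/X2 and the management VLAN 50 in EXTENDED_ACL are hypothetical additions used to show a second route.

```python
"""Added example (not from the lesson): enumerate multi-hop lateral movement
paths through an inter-VLAN ACL matrix, the way the worked example does by
hand. Pivot model (an assumption): reaching a segment on any permitted port is
treated as a chance to compromise a host there and move on. Rule names and the
EXTENDED_ACL rows X1/X2 are hypothetical."""
from collections import deque

# Inter-VLAN ACL from the worked example: (rule, src_vlan, dst_vlan, port).
# Rule C (VLAN 10 -> VLAN 40 denied) needs no entry: anything not listed is denied.
VANTEX_ACL = [
    ("A", 10, 30, 443),
    ("B", 30, 40, 5432),
]

# Hypothetical extra rules (not in the lesson) to show a second route:
# a management VLAN 50 that may SSH into the database segment.
EXTENDED_ACL = VANTEX_ACL + [("X1", 10, 50, 22), ("X2", 50, 40, 22)]


def lateral_paths(acl, start, target, max_hops=4):
    """Breadth-first search of the permitted-flow graph.

    Returns every loop-free hop sequence from start to target, each hop as
    (src_vlan, dst_vlan, port, rule). Shorter paths come first.
    """
    paths = []
    queue = deque([(start, [])])
    while queue:
        vlan, path = queue.popleft()
        if vlan == target and path:
            paths.append(path)
            continue
        if len(path) >= max_hops:
            continue
        visited = {start} | {hop[1] for hop in path}
        for rule, src, dst, port in acl:
            if src == vlan and dst not in visited:
                queue.append((dst, path + [(src, dst, port, rule)]))
    return paths


def pivot_segments(path):
    """Segments the attacker must compromise a host in before reaching the
    target; these are where application-layer authentication and east-west
    monitoring pay off."""
    return [hop[1] for hop in path[:-1]]


def report(acl, start, target):
    """Human-readable summary of all routes from start to target."""
    paths = lateral_paths(acl, start, target)
    if not paths:
        return f"VLAN {start} -> VLAN {target}: no permitted path"
    lines = []
    for p in paths:
        hops = " -> ".join(f"VLAN {s}:{port} ({rule})" for s, d, port, rule in p)
        lines.append(f"{len(p)}-hop via {pivot_segments(p)}: {hops} -> VLAN {target}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(VANTEX_ACL, 10, 40))
    print(report(EXTENDED_ACL, 10, 40))
    # ACLs are directional: the database segment has no permitted path back.
    print(report(VANTEX_ACL, 40, 10))
```

Because the search only follows rules in the matrix, it also confirms the defensive claim in Step 3: tightening rule A to specific app server IPs does not remove the route, so the residual risk must be handled at the pivot segment (VLAN 30) with authentication and monitoring rather than with the ACL alone.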

Worked Example 2: Zero Trust vs. Perimeter Security Analysis

Scenario: A Vantex employee’s home computer is compromised by malware. The employee uses this computer to connect to Vantex’s corporate VPN. Under two different architectures, what access does the attacker gain?

Step 1: Perimeter Security Model (Traditional VPN)

The VPN connection places the compromised home computer “inside” the corporate network. The employee’s role is Loan Officer, but the VPN connection grants access to the employee VLAN (VLAN 10) as if physically at the office. The malware on the home computer now has the same network access as a workstation at the office — it can scan VLAN 10, attempt to access VLAN 30, and try any other attack the attacker chooses, all from inside the trusted perimeter.

Step 2: Zero Trust Model (ZTNA)

The Zero Trust Network Access (ZTNA) solution evaluates the connection before granting access: Device compliance check — the home computer is not registered in Vantex’s device inventory and has missing security patches. Access denied at the connection level. Even if the employee authenticated successfully with MFA, the unmanaged device fails compliance. If configured to allow unmanaged devices, access is scoped to only the specific applications the Loan Officer role needs (loan application portal) — no network-level access to VLANs.

Comparison

Perimeter model: attacker gains full VLAN 10 access. Zero Trust model: attacker is blocked at device compliance check or given only application-level access to the specific apps the user needs. Zero Trust converts a network-level breach (VLAN access) into an application-level access decision that can be scoped, logged, and revoked without network changes.
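To make the comparison concrete, here is an added example (not code from the lesson, and not any ZTNA product's API) of a toy access-decision engine that evaluates the scenario above under both models. The Device and Request fields, the role-to-application table, and the allow_unmanaged option are hypothetical simplifications of the checks the lesson describes: identity (MFA), device posture (inventory and patch state), and least-privilege application scope.

```python
"""Added example (not from the lesson): a toy access-decision engine contrasting
the perimeter (VPN) model with a Zero Trust (ZTNA) policy for the remote-worker
scenario. Device/Request fields, ROLE_APPS and allow_unmanaged are hypothetical
simplifications, not any product's API."""
from dataclasses import dataclass


@dataclass
class Device:
    hostname: str
    managed: bool   # registered in the device inventory
    patched: bool   # security patches current


@dataclass
class Request:
    user: str
    role: str
    device: Device
    mfa_passed: bool
    via_vpn: bool


# Constructed least-privilege catalogue: which applications each role needs.
ROLE_APPS = {
    "Loan Officer": {"loan-portal"},
    "DBA": {"loan-portal", "db-admin-console"},
}


def perimeter_decision(req):
    """Traditional VPN: once the tunnel is up, the endpoint sits on VLAN 10
    with the same reach as an office workstation, whatever its posture."""
    if req.via_vpn and req.mfa_passed:
        return {"granted": True, "scope": "network", "reach": "VLAN 10"}
    return {"granted": False, "scope": None, "reach": None}


def zero_trust_decision(req, allow_unmanaged=False):
    """ZTNA: verify identity and device posture, then grant only the
    applications the role needs. Network-level access is never returned."""
    if not req.mfa_passed:
        return {"granted": False, "reason": "authentication failed"}
    compliant = req.device.managed and req.device.patched
    if not compliant and not allow_unmanaged:
        return {"granted": False, "reason": "device fails compliance check"}
    return {
        "granted": True,
        "scope": "application",
        "apps": sorted(ROLE_APPS.get(req.role, set())),
        "posture": "managed" if compliant else "unmanaged",
    }


# The scenario: malware-infected, unmanaged home PC; valid MFA; Loan Officer role.
HOME_PC = Device(hostname="home-pc", managed=False, patched=False)
SCENARIO = Request(user="loan.officer", role="Loan Officer",
                   device=HOME_PC, mfa_passed=True, via_vpn=True)

if __name__ == "__main__":
    print("perimeter            :", perimeter_decision(SCENARIO))
    print("zero trust           :", zero_trust_decision(SCENARIO))
    print("zero trust, unmanaged:", zero_trust_decision(SCENARIO, allow_unmanaged=True))
```

Note that even the permissive branch (allow_unmanaged=True) returns an application list, never a VLAN: the decision is per-user, per-device and per-application, which is what lets it be logged and revoked without touching the network.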

Check for Understanding (MCQ), question 8 of 10

Harborview Bank: The inter-VLAN firewall has a rule: DENY ALL from Guest (VLAN 40) to ANY internal network. A guest laptop is infected with ransomware that scans for SMB (port 445). What happens?

What does the segmentation contain?

✎ Predict: Can ransomware cross the VLAN boundary if the firewall blocks it?

  A. The ransomware encrypts all internal servers because VLANs cannot stop malware
  B. The ransomware spreads only to other guest devices on VLAN 40 — the firewall blocks its SMB scans from reaching internal VLANs
  C. The firewall removes the ransomware from the guest laptop
  D. The ransomware bypasses VLANs using ARP spoofing

3.4.10 — AP Exam Strategy: Segmentation Questions

Strategy 1: Segmentation = Blast Radius Reduction

When an AP question describes network segmentation, always frame the benefit as blast radius limitation, not breach prevention.

  • Segmentation does NOT prevent initial compromise
  • Segmentation LIMITS post-compromise lateral movement
  • “If one device is compromised, what can the attacker reach?” → the answer changes dramatically with segmentation
  • VLAN → limits blast radius to segment
  • Flat network → blast radius = entire network

Strategy 2: VLANs Need ACLs to Be Security

VLANs alone ≠ security. This is the most common AP exam trap on segmentation.

  • VLANs separate Layer 2 broadcast domains
  • Inter-VLAN traffic still flows if no ACLs at routing point
  • Security comes from ACLs + firewall at the inter-VLAN routing point
  • “Does creating a VLAN block all traffic between segments?” = No, traffic can still route unless explicitly blocked
  • VLANs = isolation. ACLs at router/firewall = enforcement.

Strategy 3: Zero Trust Quick Facts

  • Core principle: “never trust, always verify”
  • Trust is based on identity + device + context, NOT network location
  • Being inside the corporate network grants NO implicit trust
  • Key difference from perimeter: no trusted zone
  • Zero Trust components: strong authentication, device compliance, least privilege, microsegmentation, continuous monitoring
  • ZTNA replaces VPN in Zero Trust architectures

Strategy 4: The Three Fatal Traps

  • Trap 1 — VLANs prevent all lateral movement: Wrong. VLANs limit direct Layer 2 movement. ACLs/firewalls at the routing point prevent routed lateral movement.
  • Trap 2 — Zero Trust means no access: Wrong. Zero Trust means explicit verification for every access; it still grants access — just based on verified identity, not network location.
  • Trap 3 — Network segmentation prevents initial compromise: Wrong. Segmentation contains post-compromise spread; it does not prevent phishing, malware downloads, or credential theft that cause the initial breach.

Check for Understanding (MCQ), question 9 of 10

Meridian Energy: A security architect proposes Private VLANs (PVLANs) to isolate three research teams within a single VLAN. What do PVLANs provide that regular VLANs do not?

What makes PVLANs different from regular VLANs?

✎ Predict: Can you isolate devices WITHIN the same VLAN?

  A. PVLANs encrypt all traffic between isolated communities
  B. PVLANs create isolated communities within a single VLAN — devices in different communities cannot communicate directly while sharing common resources like the gateway
  C. PVLANs are faster than regular VLANs because they reduce broadcast traffic
  D. PVLANs eliminate the need for inter-VLAN firewalls

3.4.11 — Frequently Asked Questions

Q: What is the difference between a VLAN and a subnet?

A VLAN is a Layer 2 (Data Link layer) concept that creates logical separation between devices on the same physical switch infrastructure. A subnet is a Layer 3 (Network layer) concept that divides IP address space into smaller ranges. In practice, each VLAN is typically associated with one IP subnet — so VLAN 10 might use 10.10.10.0/24 and VLAN 20 might use 10.10.20.0/24. But the VLAN is what provides the Layer 2 isolation; the subnet is just the IP addressing for that segment. Two devices on different VLANs but somehow configured with addresses in the same subnet would still be Layer 2 separated by the VLAN. The distinction matters because VLAN isolation happens at the switch, while subnet-based routing happens at the router/firewall.

Q: Why do VLANs require a router to communicate between them?

VLANs are Layer 2 constructs — they operate below the IP level. A device on VLAN 10 (10.10.10.100) that wants to communicate with a device on VLAN 20 (10.10.20.200) must use IP routing (Layer 3), because the two devices are on different subnets. The switch only knows about MAC addresses within a VLAN — it has no mechanism to forward a frame from one VLAN to another at Layer 2. A router (or Layer 3 switch) must receive the packet from VLAN 10, make an IP routing decision, and forward it to VLAN 20. This Layer 3 crossing is where ACLs and firewalls can inspect and control the inter-VLAN traffic.

Q: How is Zero Trust different from just having a really good perimeter firewall?

A good perimeter firewall controls what enters and exits the network boundary. Zero Trust controls every access decision inside and outside the boundary, treating all traffic as potentially hostile. A perimeter firewall assumes that once traffic is permitted through the boundary, it is safe. Zero Trust makes no such assumption — an employee on the internal network who accesses a database must still be authenticated and authorized for that specific database, at that time, from that device, just like if they were accessing it from outside. Zero Trust also handles scenarios that perimeter firewalls cannot: insider threats, compromised internal devices, employees working remotely, and cloud services outside the traditional perimeter. The key question: does your security model fail completely when someone bypasses the perimeter? Perimeter-only: yes. Zero Trust: no, because every resource is independently protected.

Q: Can a single physical switch implement multiple VLANs? How?

Yes — this is exactly how VLANs work and why they are so cost-effective. A single physical switch with 48 ports can implement 10 or 20 different VLANs simultaneously. The switch maintains a separate MAC address table per VLAN, limiting broadcasts to only the ports in the same VLAN. When a frame arrives from a device on an access port, the switch associates it with that port’s VLAN ID (adding an 802.1Q tag only if the frame is later sent out a trunk port) and handles it completely separately from frames on other VLANs, even though they all share the same physical switch hardware. The switch’s ASIC (Application-Specific Integrated Circuit) handles VLAN isolation at wire speed. This is why VLAN implementation is so practical — no additional hardware is needed, just configuration.
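The per-VLAN MAC table described in this answer is easy to see in a small software model. The following is an added example, not code from the lesson, of a VLAN-aware switch with access ports, one trunk port, and a native VLAN set to the unused VLAN 999 as the hardening table earlier in the lesson recommends. Port names, MAC addresses and the frame representation are constructed for the example; a real switch does the same work in its ASIC.

```python
"""Added example (not from the lesson): a minimal software model of a VLAN-aware
switch, showing how one device keeps VLANs apart with a per-VLAN MAC table and
how trunk ports carry 802.1Q tags. Port names and MACs are constructed."""
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class VlanSwitch:
    def __init__(self, native_vlan=999):
        # native_vlan=999 mirrors the lesson's hardening advice: untagged
        # frames arriving on a trunk land in an unused VLAN, never VLAN 1.
        self.native_vlan = native_vlan
        self.access = {}                    # port -> VLAN id
        self.trunks = set()                 # ports carrying tagged frames
        self.mac_table = defaultdict(dict)  # VLAN id -> {mac: port}

    def add_access_port(self, port, vlan):
        self.access[port] = vlan

    def add_trunk_port(self, port):
        self.trunks.add(port)

    def _ingress_vlan(self, port, tag):
        """Classify an arriving frame into exactly one VLAN."""
        if port in self.access:
            # Access ports: the port's VLAN decides. This model ignores any
            # tag on an access port; real switches typically drop such frames.
            return self.access[port]
        if port in self.trunks:
            return self.native_vlan if tag is None else tag
        raise ValueError(f"unknown port {port}")

    def _egress_tag(self, port, vlan):
        """Access ports send untagged; trunks tag everything but the native VLAN."""
        if port in self.access:
            return None
        return None if vlan == self.native_vlan else vlan

    def forward(self, in_port, src_mac, dst_mac, tag=None):
        """Return {out_port: 802.1Q tag or None} for one frame."""
        vlan = self._ingress_vlan(in_port, tag)
        table = self.mac_table[vlan]
        table[src_mac] = in_port            # learning is scoped to this VLAN
        if dst_mac != BROADCAST and dst_mac in table:
            outs = [table[dst_mac]]         # known unicast: a single port
        else:
            # Unknown unicast or broadcast: flood, but only within the VLAN.
            outs = [p for p, v in self.access.items() if v == vlan] + list(self.trunks)
        return {p: self._egress_tag(p, vlan) for p in outs if p != in_port}


def build_demo_switch():
    """Two VLAN 10 access ports, one VLAN 20 access port, one trunk (constructed)."""
    sw = VlanSwitch(native_vlan=999)
    sw.add_access_port("e1", 10)
    sw.add_access_port("e2", 10)
    sw.add_access_port("e3", 20)
    sw.add_trunk_port("t1")
    return sw


if __name__ == "__main__":
    sw = build_demo_switch()
    # Broadcast from a VLAN 10 host reaches e2 and the trunk (tagged 10), never e3.
    print(sw.forward("e1", "aa:aa:aa:00:00:01", BROADCAST))
    # A frame tagged VLAN 20 arriving on the trunk reaches only the VLAN 20 port.
    print(sw.forward("t1", "bb:bb:bb:00:00:02", BROADCAST, tag=20))
```

The two details worth noticing are that a MAC learned in VLAN 10 is simply unknown in VLAN 20 (the tables are separate), and that an untagged frame on the trunk floods to nothing because no access port belongs to VLAN 999.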

Q: What is microsegmentation and how is it different from VLANs?

VLANs segment the network into zones (employee zone, database zone, DMZ). Microsegmentation goes to a finer granularity: individual workloads, applications, or even processes. On a VLAN with 10 application servers, VLANs provide no isolation between those 10 servers — a compromised server can attack its VLAN neighbors freely. Microsegmentation wraps each application in its own policy boundary: the web server can reach the authentication service on port 8443 but cannot communicate with the email service at all, even though they are on the same VLAN. Microsegmentation is typically implemented using software-defined networking (SDN) or host-based firewalls (Windows Firewall with domain policies, or cloud security groups in AWS/Azure/GCP). It is the network equivalent of applying least privilege at the workload level.

Q: How does network segmentation connect to the Vantex Network Security Audit Report?

The network segmentation assessment (Layer 4 in the DiD architecture) evaluates whether Vantex’s network zones are correctly defined and enforced. Key questions for the audit report: Are all six VLANs properly configured with appropriate inter-VLAN ACLs? Does the guest VLAN have any path to internal resources? Can a workstation in VLAN 10 reach the database VLAN 40 through any multi-hop path? Are all access ports configured to prevent VLAN hopping? Is there east-west traffic monitoring? The ALE calculations from Lesson 2.4 can support VLAN hardening recommendations: if a flat network creates $14M ransomware exposure and proper VLAN segmentation reduces it to $12,000 per incident (the Vantex simulation values), that is a compelling cost-justification for any reasonable VLAN implementation cost.

Check for Understanding (Select All), question 10 of 10

Brightpath University: Preventing VLAN hopping attacks.

Select ALL controls that prevent VLAN hopping.

✎ Think: VLAN hopping requires a trunk port. What stops trunk exploitation?
Tanner Crow
AP Computer Science Teacher — Blue Valley North High School

Tanner has taught AP Computer Science for 11+ years and built APCSExamPrep.com to give every student access to the same resources his own students use. He holds 1,845+ verified tutoring hours on Wyzant with a 5.0 rating from 451+ reviews. His AP CSA students score 5s at more than double the national average (54.5% vs. 25.5% nationally).

Content last reviewed and updated: March 2026