AP Cybersecurity Unit 3 Lesson 4 Exercise 2


Exercise 2 — VLAN Design and Segmentation Policy

3 parts, 24 points — Design segmentation architecture for Meridian Energy Grid

Client Organization
Meridian Energy Grid

Meridian Energy Grid is redesigning its network after an audit found that SCADA controllers, corporate workstations, and guest Wi-Fi all share a flat network. The CISO has tasked you with designing a VLAN architecture and inter-VLAN access policies for the main operations center.

Part 1
Scenario: Designing the VLAN Architecture
The operations center has five distinct device groups: (1) SCADA controllers that manage power substations, (2) engineering workstations used by grid operators, (3) corporate desktops for billing and HR, (4) guest Wi-Fi for visiting contractors, and (5) building IoT systems (badge readers, HVAC, security cameras). Currently all five groups share one network.
8 points
1a. Design a 5-VLAN architecture by assigning each device group to a VLAN. For each VLAN, provide a name, VLAN number, and one-sentence justification for why that group needs its own VLAN.
Key terms: SCADA, OT, isolate, critical infrastructure, corporate, guest, IoT, separate, sensitive, untrusted, manage
1b. Explain which VLAN should have the strictest isolation and why.
Key terms: SCADA, OT, physical safety, power grid, critical, real-world harm, air gap, minimal access
Model Response: VLAN 10: SCADA/OT — SCADA controllers managing substations; requires maximum isolation because compromise could cause physical harm or power outages. VLAN 20: Engineering — grid operator workstations; needs controlled access to SCADA and corporate systems. VLAN 30: Corporate — billing/HR desktops; handles financial and employee data requiring separation from OT systems. VLAN 40: Guest — contractor Wi-Fi; untrusted devices must be fully isolated from all internal resources. VLAN 50: IoT — building systems (badges, HVAC, cameras); low-trust devices with minimal firmware security need containment.

SCADA (VLAN 10) needs strictest isolation because these systems directly control physical infrastructure. A compromised SCADA controller could open/close breakers, alter voltage, or disable safety systems — causing real-world harm to equipment and people. Ideally, the SCADA VLAN should have near-air-gap isolation with only the minimum necessary connections to engineering workstations.
Part 2
Scenario: Writing Inter-VLAN Access Rules
The CISO needs specific firewall rules between VLANs. Requirements: (1) Engineering workstations must access SCADA controllers on port 502 (Modbus protocol) only. (2) Corporate desktops must NOT access SCADA under any circumstances. (3) Guest Wi-Fi must only reach the internet — no internal resources at all. (4) IoT devices must only reach their management server (10.50.1.5) on port 8443.
8 points
2a. Write four inter-VLAN firewall rules that implement these requirements. Use the format: ALLOW/DENY [source VLAN] to [destination] port [number].
Key terms: ALLOW, DENY, engineering, SCADA, corporate, guest, IoT, 502, 8443, internet, ANY, internal, management
2b. Explain what would happen if Rule 2 (blocking corporate from SCADA) were accidentally placed after a broader ALLOW rule that permits all inter-VLAN traffic.
Key terms: first match, top-down, broad, specific, override, unreachable, never evaluated, bypass, order
Model Response: Rule 1: ALLOW TCP from Engineering (VLAN 20) to SCADA (VLAN 10) port 502 — permits Modbus access for grid operators. Rule 2: DENY ALL from Corporate (VLAN 30) to SCADA (VLAN 10) — blocks corporate from reaching critical infrastructure. Rule 3: DENY ALL from Guest (VLAN 40) to 10.0.0.0/8 — blocks guest from all internal networks (only internet gateway allowed). Rule 4: ALLOW TCP from IoT (VLAN 50) to 10.50.1.5 port 8443 — permits IoT management only.

If the corporate DENY were placed after a broad ALLOW ALL, the firewall would process the ALLOW first (top-down, first-match). Corporate traffic to SCADA would match the broad ALLOW and be permitted before the specific DENY is ever evaluated. The DENY rule becomes unreachable — it exists in the policy but never fires. This is why specific deny rules must be placed BEFORE any broader allow rules.
Part 3
Scenario: Containment During a Breach
A contractor’s laptop on the Guest VLAN is infected with malware that scans for SCADA protocols (Modbus on port 502, DNP3 on port 20000). The malware also attempts SSH (port 22) to every IP on the 10.0.0.0/8 range. Assume the VLAN architecture and rules from Parts 1 and 2 are in place.
8 points
3a. Explain whether the malware can reach the SCADA controllers, and specifically cite which rule prevents or allows the access.
Key terms: blocked, denied, guest, SCADA, Rule 3, DENY, internal, cannot reach, firewall, inter-VLAN
3b. Identify one limitation of this segmentation design — describe a scenario where the malware could still cause damage despite the VLAN boundaries.
Key terms: same VLAN, guest, other contractors, intra-VLAN, lateral, within, broadcast, no protection inside, spread
Model Response: The malware cannot reach SCADA controllers. Rule 3 (DENY ALL from Guest VLAN to 10.0.0.0/8) blocks all guest traffic to internal networks, including the SCADA VLAN. The Modbus (502), DNP3 (20000), and SSH (22) scans are all dropped at the inter-VLAN firewall before reaching any internal resource.

Limitation: The malware CAN spread to other devices on the same Guest VLAN. If multiple contractors are connected, the infected laptop can scan and attack their devices directly because intra-VLAN traffic does not cross the firewall. Additionally, if the guest network allows internet access, the malware could exfiltrate data about the network topology it discovered during scanning, or contact a C2 server for further instructions.
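The first-match behaviour from Part 2b and the containment check from Part 3 can both be verified with a small rule evaluator. This is an added example, not part of the exercise or its model response; the per-VLAN subnets are constructed (the exercise only gives VLAN numbers and the IoT management server 10.50.1.5), and the implicit default is DENY.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed subnet per VLAN (assumption: only the VLAN numbers come from the exercise).
VLAN = {10: ip_network("10.10.0.0/24"), 20: ip_network("10.20.0.0/24"),
        30: ip_network("10.30.0.0/24"), 40: ip_network("10.40.0.0/24"),
        50: ip_network("10.50.0.0/16")}
ANY = ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    action: str                 # "ALLOW" or "DENY"
    src: IPv4Network
    dst: IPv4Network
    proto: str = "any"          # "tcp", "udp" or "any"
    port: Optional[int] = None  # None means any destination port

    def matches(self, src_ip, dst_ip, proto, port):
        return (ip_address(src_ip) in self.src and ip_address(dst_ip) in self.dst
                and self.proto in ("any", proto) and self.port in (None, port))

    def covers(self, other):
        """True if every packet that matches `other` also matches this rule."""
        return (other.src.subnet_of(self.src) and other.dst.subnet_of(self.dst)
                and self.proto in ("any", other.proto) and self.port in (None, other.port))

# The four rules from the Part 2 model response, in the intended order.
POLICY = [
    Rule("ALLOW", VLAN[20], VLAN[10], "tcp", 502),                     # Rule 1
    Rule("DENY",  VLAN[30], VLAN[10]),                                 # Rule 2
    Rule("DENY",  VLAN[40], ip_network("10.0.0.0/8")),                 # Rule 3
    Rule("ALLOW", VLAN[50], ip_network("10.50.1.5/32"), "tcp", 8443),  # Rule 4
]

def evaluate(rules, src_ip, dst_ip, proto, port):
    """Top-down, first-match evaluation with an implicit DENY at the end.
    Returns (verdict, 1-based number of the rule that fired, or None)."""
    for i, r in enumerate(rules, 1):
        if r.matches(src_ip, dst_ip, proto, port):
            return r.action, i
    return "DENY", None

def shadowed_rules(rules):
    """1-based numbers of rules that can never fire because an earlier rule
    already covers every packet they would match (the Part 2b mistake)."""
    return [i for i, r in enumerate(rules, 1) if any(e.covers(r) for e in rules[:i - 1])]

if __name__ == "__main__":
    # Part 3: infected guest laptop 10.40.0.77 probing SCADA controller 10.10.0.5
    for port in (502, 20000, 22):
        print(port, evaluate(POLICY, "10.40.0.77", "10.10.0.5", "tcp", port))
    # Part 2b: a broad ALLOW placed in front of the corporate DENY shadows it
    print("unreachable:", shadowed_rules([Rule("ALLOW", ANY, ANY)] + POLICY))
```

Running it shows every guest probe stopped by Rule 3, and the misordered policy reports rules 2 through 5 as unreachable.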
AP Cybersecurity 3.4 Exercise 2 | APCSExamPrep.com | Built by Tanner Crow, AP CS Teacher (11+ years)
AP® is a registered trademark of the College Board, which was not involved in the production of this content.