configuring-network-segmentation-with-vlans

Included with Lifetime

$97 forever

Designs and implements VLAN-based network segmentation on managed switches to isolate network zones, enforce access control between segments, and reduce the attack surface by limiting lateral movement paths in enterprise network environments.

Generalnetwork-securityvlannetwork-segmentationswitch-security802.1qscripts

What this skill does

# Configuring Network Segmentation with VLANs

## When to Use

- Segmenting an enterprise network into isolated security zones (corporate, servers, DMZ, guest, IoT)
- Meeting compliance requirements (PCI-DSS, HIPAA, SOC 2) that mandate network isolation for sensitive data
- Reducing blast radius of security incidents by preventing lateral movement between network segments
- Isolating high-risk devices (IoT, BYOD, legacy systems) from critical infrastructure
- Implementing defense-in-depth by combining VLANs with firewall rules and access control lists

**Do not use** VLANs as the sole security control without Layer 3 filtering, for isolating networks that require air-gapping, or without proper switch hardening against VLAN hopping attacks.

## Prerequisites

- Managed switches supporting 802.1Q VLAN trunking (Cisco Catalyst, HP Aruba, Juniper EX, etc.)
- Layer 3 switch or firewall for inter-VLAN routing and access control
- Network design document specifying VLAN assignments, IP subnets, and traffic flow requirements
- Console or SSH access to switches with privileged configuration mode
- Understanding of 802.1Q trunking, STP, and inter-VLAN routing concepts

## Workflow

### Step 1: Design the VLAN Architecture

```
# Define VLANs based on security zones and function

VLAN Plan:
  VLAN 10  - CORPORATE    (10.10.10.0/24)  - Employee workstations
  VLAN 20  - SERVERS      (10.10.20.0/24)  - Internal servers
  VLAN 30  - DMZ          (10.10.30.0/24)  - Internet-facing servers
  VLAN 40  - GUEST        (10.10.40.0/24)  - Guest WiFi
  VLAN 50  - IOT          (10.10.50.0/24)  - IoT/OT devices
  VLAN 60  - VOIP         (10.10.60.0/24)  - VoIP phones
  VLAN 100 - MANAGEMENT   (10.10.100.0/24) - Switch/AP management
  VLAN 999 - QUARANTINE   (10.10.99.0/24)  - Isolated/compromised hosts
  VLAN 998 - NATIVE_UNUSED                  - Native VLAN (no traffic)

# Traffic flow matrix:
# CORPORATE -> SERVERS: Allowed (specific ports)
# CORPORATE -> DMZ: Allowed (HTTP/HTTPS only)
# CORPORATE -> GUEST: Denied
# CORPORATE -> IOT: Denied
# GUEST -> Any Internal: Denied
# IOT -> SERVERS: Allowed (specific ports to specific hosts only)
# DMZ -> SERVERS: Allowed (database ports only)
# MANAGEMENT -> All: Allowed (from management stations only)
```

### Step 2: Configure VLANs on Cisco Catalyst Switch

```
! Enter configuration mode
enable
configure terminal

! Create VLANs
vlan 10
  name CORPORATE
  exit
vlan 20
  name SERVERS
  exit
vlan 30
  name DMZ
  exit
vlan 40
  name GUEST
  exit
vlan 50
  name IOT
  exit
vlan 60
  name VOIP
  exit
vlan 100
  name MANAGEMENT
  exit
vlan 998
  name NATIVE_UNUSED
  exit
vlan 999
  name QUARANTINE
  exit

! Configure access ports for workstations (VLAN 10)
interface range GigabitEthernet1/0/1-24
  switchport mode access
  switchport access vlan 10
  switchport nonegotiate
  spanning-tree portfast
  spanning-tree bpduguard enable
  no shutdown
  exit

! Configure access ports for servers (VLAN 20)
interface range GigabitEthernet1/0/25-36
  switchport mode access
  switchport access vlan 20
  switchport nonegotiate
  spanning-tree portfast
  spanning-tree bpduguard enable
  no shutdown
  exit

! Configure trunk ports to other switches
interface GigabitEthernet1/0/48
  switchport mode trunk
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 998
  switchport trunk allowed vlan 10,20,30,40,50,60,100
  switchport nonegotiate
  no shutdown
  exit

! Configure trunk to firewall/router
interface GigabitEthernet1/0/47
  switchport mode trunk
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 998
  switchport trunk allowed vlan 10,20,30,40,50,60,100
  switchport nonegotiate
  no shutdown
  exit

! Shutdown unused ports
interface range GigabitEthernet1/0/37-46
  shutdown
  switchport mode access
  switchport access vlan 999
  exit
```

### Step 3: Harden Switch Against VLAN Hopping

```
! Disable DTP on all ports (prevents switch spoofing)
interface range GigabitEthernet1/0/1-46
  switchport nonegotiate
  exit

! Set native VLAN to unused VLAN on all trunks
interface range GigabitEthernet1/0/47-48
  switchport trunk native vlan 998
  exit

! Enable DHCP Snooping
ip dhcp snooping
ip dhcp snooping vlan 10,20,30,40,50,60
interface GigabitEthernet1/0/47
  ip dhcp snooping trust
  exit

! Enable Dynamic ARP Inspection
ip arp inspection vlan 10,20,30,40,50,60
interface GigabitEthernet1/0/47
  ip arp inspection trust
  exit

! Enable IP Source Guard (prevents IP spoofing)
interface range GigabitEthernet1/0/1-36
  ip verify source
  exit

! Enable Port Security
interface range GigabitEthernet1/0/1-24
  switchport port-security
  switchport port-security maximum 2
  switchport port-security violation restrict
  switchport port-security aging time 60
  exit

! Set VTP to transparent mode (prevents VTP attacks)
vtp mode transparent

! Enable BPDU Guard globally
spanning-tree portfast bpduguard default

! Enable Storm Control
interface range GigabitEthernet1/0/1-36
  storm-control broadcast level 10
  storm-control multicast level 10
  storm-control action shutdown
  exit
```

### Step 4: Configure Inter-VLAN Routing with ACLs

```
! On the Layer 3 switch or firewall, configure SVIs
interface Vlan10
  ip address 10.10.10.1 255.255.255.0
  no shutdown
  exit
interface Vlan20
  ip address 10.10.20.1 255.255.255.0
  no shutdown
  exit
interface Vlan30
  ip address 10.10.30.1 255.255.255.0
  no shutdown
  exit
interface Vlan40
  ip address 10.10.40.1 255.255.255.0
  no shutdown
  exit
interface Vlan50
  ip address 10.10.50.1 255.255.255.0
  no shutdown
  exit

! ACL: Corporate to Servers (allow specific services)
ip access-list extended CORP-TO-SERVERS
  permit tcp 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 80
  permit tcp 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 443
  permit tcp 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 445
  permit udp 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 53
  permit icmp 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 echo
  deny ip any any log
  exit

! ACL: Guest to Internet only (deny all internal)
ip access-list extended GUEST-OUTBOUND
  deny ip 10.10.40.0 0.0.0.255 10.0.0.0 0.255.255.255
  deny ip 10.10.40.0 0.0.0.255 172.16.0.0 0.15.255.255
  deny ip 10.10.40.0 0.0.0.255 192.168.0.0 0.0.255.255
  permit tcp 10.10.40.0 0.0.0.255 any eq 80
  permit tcp 10.10.40.0 0.0.0.255 any eq 443
  permit udp 10.10.40.0 0.0.0.255 any eq 53
  deny ip any any log
  exit

! ACL: IoT limited access
ip access-list extended IOT-OUTBOUND
  permit tcp 10.10.50.0 0.0.0.255 host 10.10.20.10 eq 443
  permit tcp 10.10.50.0 0.0.0.255 any eq 443
  permit udp 10.10.50.0 0.0.0.255 host 10.10.20.1 eq 53
  deny ip 10.10.50.0 0.0.0.255 10.10.50.0 0.0.0.255 log
  deny ip any any log
  exit

! Apply ACLs to VLAN interfaces
interface Vlan10
  ip access-group CORP-TO-SERVERS out
  exit
interface Vlan40
  ip access-group GUEST-OUTBOUND in
  exit
interface Vlan50
  ip access-group IOT-OUTBOUND in
  exit
```

### Step 5: Configure DHCP and DNS per VLAN

```
! DHCP pools for each VLAN
ip dhcp pool CORPORATE
  network 10.10.10.0 255.255.255.0
  default-router 10.10.10.1
  dns-server 10.10.20.10
  domain-name corp.example.com
  lease 1
  exit

ip dhcp pool GUEST
  network 10.10.40.0 255.255.255.0
  default-router 10.10.40.1
  dns-server 1.1.1.1 8.8.8.8
  lease 0 4
  exit

ip dhcp pool IOT
  network 10.10.50.0 255.255.255.0
  default-router 10.10.50.1
  dns-server 10.10.20.10
  lease 7
  exit

! Exclude gateway and server IPs from DHCP pools
ip dhcp excluded-address 10.10.10.1 10.10.10.10
ip dhcp excluded-address 10.10.40.1 10.10.40.10
ip dhcp excluded-address 10.10.50.1 10.10.50.10
```

### Step 6: Verify and Test Segmentation

```bash
# From a workstation on VLAN 10 (Corporate):
# Should succeed:
ping 10.10.20.10          # Server access
curl https://10.10.20.10  # HTTPS to server

# Should fail:
ping 10.10.40.100         # Guest VLAN - should be blocked
ping 10.10.50.100         # IoT VLAN - should be blocked

# From a device

Files: 4

Size: 33.4 KB

Complexity: 66/100

Category: General

Source: https://github.com/mukul975/anthropic-cybersecurity-skills/tree/main/skills/configuring-network-segmentation-with-vlans

Related in General

modeling-omnistudio-epc-catalog

Included

Salesforce Industries CME EPC product-modeling skill for Product2-based catalog creation. Use when creating EPC products, configuring product attributes, building offer bundles with Product Child Items, or reviewing EPC DataPack JSON metadata for product catalog changes. TRIGGER when: user creates or updates Product2 EPC records, AttributeAssignment payloads, AttributeMetadata/AttributeDefaultValues, Offer bundles, or ProductChildItem relationships. DO NOT TRIGGER when: designing OmniScripts/FlexCards/Integration Procedures (use building-omnistudio-omniscript, building-omnistudio-flexcard, or building-omnistudio-integration-procedure), implementing Apex business logic (use generating-apex), or troubleshooting deployment pipelines (use deploying-metadata).

Generalscripts

relationship-science-coach

Included

Use this skill for direct, practical adult relationship coaching: couples conflict, repair, trust, marriage, dating, flirting, attachment patterns, emotional connection, sex, desire differences, eroticism, kink negotiation, affection, love languages, breakups, and long-term passion. Draw on Gottman, EFT and Hold Me Tight, attachment science, modern sex research, Perel, Nagoski, Kerner, Schnarch, Love and Stosny, and flexible love-language tools. Be concrete and low-hedge. Redirect only for imminent danger, abuse, coercive control, minors, non-consent, self-harm, stalking, or medical/legal/psychiatric decisions.

Generalscripts

building-sf-integrations

Included

Salesforce integration architecture and runtime plumbing with 120-point scoring. Use this skill to set up Named Credentials, External Credentials, External Services, REST/SOAP callout patterns, Platform Events, and Change Data Capture. TRIGGER when: user sets up Named Credentials, External Services, REST/SOAP callouts, Platform Events, CDC, or touches .namedCredential-meta.xml files. DO NOT TRIGGER when: Connected App/OAuth config (use configuring-connected-apps), Apex-only logic (use generating-apex), or data import/export (use handling-sf-data).

Generalscripts

venue-templates

Included

Access comprehensive LaTeX templates, formatting requirements, and submission guidelines for major scientific publication venues (Nature, Science, PLOS, IEEE, ACM), academic conferences (NeurIPS, ICML, CVPR, CHI), research posters, and grant proposals (NSF, NIH, DOE, DARPA). This skill should be used when preparing manuscripts for journal submission, conference papers, research posters, or grant proposals and need venue-specific formatting requirements and templates.

Generalscripts

let-fate-decide

Included

Draws the 12 Houses of the Zodiac Tarot spread to inject entropy into planning when prompts are vague, ambiguous, or casually delegated. Interprets the spread to guide next steps. Use when the user says 'let fate decide', 'YOLO', 'whatever', 'idk', or other nonchalant phrases, makes Yu-Gi-Oh references, or when you are about to arbitrarily pick between multiple reasonable approaches. Prefer over ask-questions-if-underspecified when the user's tone is casual or playful rather than precision-seeking.

Generalscripts

net-ops

Included

Cross-platform network troubleshooting (Windows, macOS, Linux) via local or remote shell. Use for: DNS broken, can't resolve hostnames, nslookup/dig works but apps fail, NRPT, WFP, scutil, /etc/resolver, systemd-resolved, /etc/resolv.conf, NetworkManager, VPN DNS leak residue (ProtonVPN/Mullvad/WireGuard/AnyConnect), AV/firewall blocking DNS or DoH, Tailscale DNS interaction, intermittent connectivity, remote diagnostics over SSH.

Generalscripts