Network & Infrastructure · March 20, 2026 · 12 min

How to configure VLANs on a business network

VLANs segment the network to isolate traffic and reduce attack surface. Core principles, a reference architecture and configuration examples for Cisco IOS and HP ProCurve.

Network segmentation through VLANs, or Virtual Local Area Networks, is defined by the IEEE 802.1Q standard. It belongs to the basic practices recommended by CIS Controls v8 for network infrastructure administration, and it aligns naturally with ANSSI guidance on network filtering. In many small and mid-sized organizations, segmentation remains incomplete or limited to a few use cases such as guest Wi-Fi. The result is often a network that is too flat, harder to filter and harder to evolve cleanly.

This guide covers the core principles, a reference architecture suited to SMBs, and configuration commands for Cisco IOS and HP ProCurve.

Why a flat network is a structural problem

On a network without segmentation, a compromised device has much broader network visibility across the environment. Servers, endpoints, printers, IP cameras and IoT devices all share the same exchange space. Security teams describe this as enabling lateral movement, meaning the ability to move from one compromised machine to other network resources.

Segmentation does not remove intrusion risk. It does, however, limit propagation between zones and makes filtering rules easier to understand. That is precisely why it remains valuable in SMB environments. It improves both security and day-to-day operations.

The second issue with a flat network is operational clarity. Broadcasts, management traffic and dependencies between devices all mix inside the same logical space. As the environment grows, troubleshooting, filtering and network evolution all become more complex.

Core VLAN principles

VLAN as an isolated broadcast domain

A VLAN is a logical broadcast domain. Devices in VLAN 10 do not see the broadcasts of devices in VLAN 20, even when they are connected to the same physical switch. Communication between VLANs requires routing at layer 3, usually handled by a firewall or a layer 3 switch.

Access ports and trunk ports

Two configuration modes apply to switch ports.

Access port: the port belongs to a single VLAN. This is the mode used for user endpoints, printers and IP phones. Ethernet frames travel without a VLAN tag on the cable between the switch and the end device.

Trunk port: the port carries several VLANs at the same time, identified by an 802.1Q tag. This is the mode used for switch uplinks and links to firewalls.

Native VLAN

On a Cisco trunk port, the native VLAN is the VLAN whose frames travel untagged. By default, this is VLAN 1. A common practice is to define a dedicated native VLAN with no active devices in order to reduce configuration mistakes and certain abuse scenarios documented around trunking.
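To make the tag, access, trunk and native-VLAN behaviour described above concrete, here is an added example in Python that builds and parses 802.1Q-tagged Ethernet frames and models how a trunk port and an access port classify incoming frames. It is not code from the article or from any switch vendor; the MAC addresses and payload are constructed sample values, and the access-port rule (tagged frames from an end device are dropped) is a simplifying assumption, since real platforms differ.

```python
import struct
from typing import Optional, Set

ETHERTYPE_8021Q = 0x8100   # TPID that marks an 802.1Q-tagged frame
ETHERTYPE_IPV4 = 0x0800

# Constructed sample addresses and payload (not from the article).
DST_MAC = bytes.fromhex("001122334455")
SRC_MAC = bytes.fromhex("66778899aabb")
PAYLOAD = b"\x45" + b"\x00" * 19   # placeholder payload, never parsed


def build_frame(dst: bytes, src: bytes, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Build an Ethernet II frame; when vid is given, insert an 802.1Q tag after the MACs."""
    if vid is not None and not 0 <= vid <= 4095:
        raise ValueError("VLAN ID must be 0..4095")
    header = dst + src
    if vid is not None:
        tci = ((pcp & 0x7) << 13) | vid        # PCP (3 bits), DEI (1 bit, left 0), VID (12 bits)
        header += struct.pack("!HH", ETHERTYPE_8021Q, tci)
    header += struct.pack("!H", ETHERTYPE_IPV4)
    return header + payload


def parse_frame(frame: bytes) -> dict:
    """Return MACs, tag fields (vid/pcp are None on an untagged frame), inner EtherType and payload."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid = pcp = None
    offset = 14
    if ethertype == ETHERTYPE_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, vid = tci >> 13, tci & 0x0FFF
        offset = 18
    return {"dst": frame[:6], "src": frame[6:12], "vid": vid, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[offset:]}


def trunk_ingress(frame: bytes, native_vid: int, allowed: Set[int]) -> Optional[int]:
    """VLAN a trunk port assigns to an incoming frame, or None when the frame is dropped.
    Untagged frames (and priority-tagged frames, VID 0) land in the native VLAN; a VLAN
    absent from the allowed list is dropped, which is why excluding the native VLAN from
    'switchport trunk allowed vlan' discards untagged traffic on the trunk."""
    vid = parse_frame(frame)["vid"]
    vid = native_vid if vid in (None, 0) else vid
    return vid if vid in allowed else None


def trunk_egress(frame: bytes, vid: int, native_vid: int) -> bytes:
    """Re-emit an untagged frame on a trunk: native VLAN leaves untagged, any other VLAN is tagged."""
    info = parse_frame(frame)
    return build_frame(info["dst"], info["src"], info["payload"],
                       vid=None if vid == native_vid else vid)


def access_ingress(frame: bytes, port_vid: int) -> Optional[int]:
    """Access port: untagged frames join the port's VLAN; tagged frames from the end device are
    dropped here (assumption: the real behaviour varies by platform and configuration)."""
    return port_vid if parse_frame(frame)["vid"] is None else None


if __name__ == "__main__":
    allowed = {10, 20, 30, 40, 50, 60}      # allowed list from the trunk example, native 99 excluded
    untagged = build_frame(DST_MAC, SRC_MAC, PAYLOAD)
    tagged30 = build_frame(DST_MAC, SRC_MAC, PAYLOAD, vid=30)
    print("access port (VLAN 30) receives untagged        ->", access_ingress(untagged, 30))
    print("trunk receives tagged VID 30                   ->", trunk_ingress(tagged30, 99, allowed))
    print("trunk receives untagged, native 99 not allowed ->", trunk_ingress(untagged, 99, allowed))
    print("VLAN 30 frame sent on trunk carries VID        ->", parse_frame(trunk_egress(untagged, 30, 99))["vid"])
```

Running it shows the point of a dedicated native VLAN with nothing in it: untagged frames arriving on the trunk fall into VLAN 99, and because 99 is not in the allowed list they go nowhere.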

Reference architecture for an SMB

A segmentation architecture suited to an SMB with 20 to 200 endpoints can be built around the following functional zones.

VLAN       | ID | Use                                          | Internet access | Server access
Management | 10 | Network equipment, switches, APs, firewalls  | No              | Restricted
Servers    | 20 | Application servers, NAS, domain controllers | No              | N/A
Users      | 30 | Workstations and laptops                     | Yes, filtered   | Yes, filtered
Voice      | 40 | IP phones and PBX                            | No              | No
Guests     | 50 | Guest Wi-Fi and personal devices             | Yes, unfiltered | No
IoT        | 60 | Cameras, printers and connected equipment    | Restricted      | No

The firewall sits between the Internet and the internal network and handles inter-VLAN routing with filtering rules that define what is allowed between zones. ANSSI recommends a default deny approach, meaning everything is blocked unless it is explicitly allowed.

Configuration on Cisco IOS

The following examples apply to Catalyst switches running IOS 12.2 or later. The official Cisco configuration guide remains the reference.

Create the VLANs

Switch# configure terminal
Switch(config)# vlan 10
Switch(config-vlan)# name MANAGEMENT
Switch(config-vlan)# exit
Switch(config)# vlan 20
Switch(config-vlan)# name SERVERS
Switch(config-vlan)# exit
Switch(config)# vlan 30
Switch(config-vlan)# name USERS
Switch(config-vlan)# exit
Switch(config)# vlan 40
Switch(config-vlan)# name VOICE
Switch(config-vlan)# exit
Switch(config)# vlan 50
Switch(config-vlan)# name GUESTS
Switch(config-vlan)# exit
Switch(config)# vlan 60
Switch(config-vlan)# name IOT
Switch(config-vlan)# exit

Configure an access port for a user device

Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 30
Switch(config-if)# spanning-tree portfast
Switch(config-if)# exit

spanning-tree portfast speeds up port activation for end devices. It should not be applied on a trunk port.

Configure a trunk port toward a firewall or upstream switch

Switch(config)# interface GigabitEthernet0/24
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk native vlan 99
Switch(config-if)# switchport trunk allowed vlan 10,20,30,40,50,60
Switch(config-if)# exit

VLAN 99 is the dedicated native VLAN here, with no active devices. The allowed vlan parameter explicitly restricts which VLANs can cross the trunk. That limitation reduces unnecessary traffic and makes it easier to control what each link is allowed to carry.

Verify the configuration

Switch# show vlan brief
Switch# show interfaces trunk
Switch# show interfaces GigabitEthernet0/1 switchport

Configuration on HP ProCurve and Aruba

The syntax differs from Cisco IOS. The following examples apply to ProCurve switches with firmware K or KA.15 and later. The HPE Advanced Traffic Management Guide is the reference.

Create the VLANs

ProCurve# configure
ProCurve(config)# vlan 10
ProCurve(vlan-10)# name "MANAGEMENT"
ProCurve(vlan-10)# exit
ProCurve(config)# vlan 20
ProCurve(vlan-20)# name "SERVERS"
ProCurve(vlan-20)# exit
ProCurve(config)# vlan 30
ProCurve(vlan-30)# name "USERS"
ProCurve(vlan-30)# exit

Configure the ports

On ProCurve, port assignment happens from the VLAN context rather than the interface context.

ProCurve(config)# vlan 30
ProCurve(vlan-30)# untagged 1-20
ProCurve(vlan-30)# exit

ProCurve(config)# vlan 10
ProCurve(vlan-10)# tagged 24
ProCurve(vlan-10)# exit

ProCurve(config)# vlan 20
ProCurve(vlan-20)# tagged 24
ProCurve(vlan-20)# exit

untagged is the equivalent of Cisco access mode. tagged is the equivalent of trunk mode.
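The Cisco and ProCurve sections above describe the same port plan from two angles: Cisco is interface-centric (each port states its mode and VLAN), ProCurve is VLAN-centric (each VLAN lists the ports that are untagged or tagged in it). The following added example in Python, which is not code from the article or from either vendor, renders one port plan into both forms so the correspondence is explicit: an access port becomes an untagged membership, a trunk becomes a tagged membership in every allowed VLAN, and the trunk's native VLAN becomes an untagged membership of the uplink port. The port plan, the GigabitEthernet0/ interface prefix and the ProCurve range syntax 1-20 are assumptions for the example; ProCurve's default VLAN handling is not modelled.

```python
from typing import Dict, Iterable, List

# Constructed port plan (assumption): integer port numbers, one entry per configured port.
# Ports 1-20 are user workstations, 21 an IP phone, 22 a printer, 24 the uplink to the firewall.
PORT_PLAN: Dict[int, dict] = {
    **{p: {"mode": "access", "vlan": 30} for p in range(1, 21)},
    21: {"mode": "access", "vlan": 40},
    22: {"mode": "access", "vlan": 60},
    24: {"mode": "trunk", "native": 99, "allowed": [10, 20, 30, 40, 50, 60]},
}
VLAN_NAMES = {10: "MANAGEMENT", 20: "SERVERS", 30: "USERS", 40: "VOICE",
              50: "GUESTS", 60: "IOT", 99: "NATIVE"}


def compress_ranges(ports: Iterable[int]) -> str:
    """Turn [1, 2, 3, 5, 7, 8] into the ProCurve port-list form '1-3,5,7-8'."""
    out: List[str] = []
    start = prev = None
    for p in sorted(set(ports)):
        if start is None:
            start = prev = p
        elif p == prev + 1:
            prev = p
        else:
            out.append(str(start) if start == prev else f"{start}-{prev}")
            start = prev = p
    if start is not None:
        out.append(str(start) if start == prev else f"{start}-{prev}")
    return ",".join(out)


def render_cisco(plan: Dict[int, dict], names: Dict[int, str],
                 prefix: str = "GigabitEthernet0/") -> str:
    """Interface-centric view: every port block states its own mode and VLAN(s)."""
    lines: List[str] = []
    for vid, name in sorted(names.items()):
        lines += [f"vlan {vid}", f" name {name}", "!"]
    for port in sorted(plan):
        cfg = plan[port]
        lines.append(f"interface {prefix}{port}")
        if cfg["mode"] == "access":
            lines += [" switchport mode access",
                      f" switchport access vlan {cfg['vlan']}",
                      " spanning-tree portfast"]          # end-device port, never on a trunk
        else:
            lines += [" switchport mode trunk",
                      f" switchport trunk native vlan {cfg['native']}",
                      " switchport trunk allowed vlan " + ",".join(map(str, cfg["allowed"]))]
        lines.append("!")
    return "\n".join(lines)


def render_procurve(plan: Dict[int, dict], names: Dict[int, str]) -> str:
    """VLAN-centric view: each VLAN block lists its untagged (access) and tagged (trunk) ports.
    The trunk's native VLAN becomes an 'untagged' membership of the uplink port."""
    untagged: Dict[int, List[int]] = {}
    tagged: Dict[int, List[int]] = {}
    for port, cfg in plan.items():
        if cfg["mode"] == "access":
            untagged.setdefault(cfg["vlan"], []).append(port)
        else:
            untagged.setdefault(cfg["native"], []).append(port)
            for vid in cfg["allowed"]:
                tagged.setdefault(vid, []).append(port)
    missing = (set(untagged) | set(tagged)) - set(names)
    if missing:   # a port references a VLAN that was never created: refuse rather than emit it
        raise ValueError(f"VLANs referenced on ports but not defined: {sorted(missing)}")
    lines: List[str] = []
    for vid, name in sorted(names.items()):
        lines += [f"vlan {vid}", f'   name "{name}"']
        if vid in untagged:
            lines.append(f"   untagged {compress_ranges(untagged[vid])}")
        if vid in tagged:
            lines.append(f"   tagged {compress_ranges(tagged[vid])}")
        lines.append("   exit")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_cisco(PORT_PLAN, VLAN_NAMES))
    print()
    print(render_procurve(PORT_PLAN, VLAN_NAMES))
```

The consistency check in render_procurve is the part worth keeping in a real tool: a port assigned to a VLAN that was never created is a common source of silent misconfiguration on both platforms.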

Verify the configuration

ProCurve# show vlan
ProCurve# show vlan 30
ProCurve# show interfaces brief

Wi-Fi and VLANs, mapping SSIDs to VLANs

Enterprise Wi-Fi access points such as Cisco, Aruba or Ubiquiti UniFi can map each SSID to a VLAN. The Guests SSID maps to VLAN 50. The Corporate SSID with 802.1X authentication maps to VLAN 30.

The cable between the switch and the access point must be configured as a trunk carrying the necessary VLANs. The AP handles 802.1Q tagging internally depending on the SSID used by each wireless client.

Common mistakes

Not restricting the native VLAN: leaving VLAN 1 as the native VLAN increases the risk of mistakes and makes trunk configurations harder to audit. Using a dedicated native VLAN with no active devices creates a cleaner configuration.

Allowing every VLAN on every trunk: the switchport trunk allowed vlan all behavior sends every VLAN across every trunk, even when they are not needed. Explicitly restricting allowed VLANs reduces exposure.

Not isolating the management VLAN: if switches, APs and firewalls live inside the same VLAN as user endpoints, administrative interfaces become easier to reach. The management VLAN should be isolated and limited to a small set of management IPs.

Ignoring spanning tree: when several switches are interconnected, Spanning Tree Protocol remains necessary to avoid loops. On Cisco, RSTP is usually preferable to classic STP for convergence speed.
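The four mistakes above are all visible in a switch's running configuration, so they can be checked mechanically. The following added example in Python, not code from the article or from Cisco, parses an IOS-style configuration text and reports trunks left on native VLAN 1, trunks with no allowed-VLAN restriction, portfast on a trunk, access ports left in VLAN 1 or placed in the management VLAN, and a missing rapid-pvst spanning-tree mode. The configuration excerpt is constructed for the example; the management VLAN number (10) is taken from the reference architecture and is a parameter.

```python
import re
from typing import Dict, List

# Constructed running-config excerpt (not taken from a real device): two clean ports,
# three that exhibit the mistakes listed above.
SAMPLE_CONFIG = """\
!
spanning-tree mode rapid-pvst
!
vlan 10
 name MANAGEMENT
vlan 30
 name USERS
vlan 99
 name NATIVE
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 30
 spanning-tree portfast
!
interface GigabitEthernet0/2
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/23
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/24
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20,30,40,50,60
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface X' block to its indented sub-commands, stripped of indentation."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None          # '!' or any other top-level command ends the block
    return blocks


def _last_int(lines: List[str], prefix: str, default: int) -> int:
    """Value of the last sub-command starting with prefix ('switchport access vlan 30' -> 30)."""
    value = default
    for line in lines:
        if line.startswith(prefix):
            value = int(line.split()[-1])
    return value


def audit_interface(name: str, lines: List[str], mgmt_vlan: int = 10) -> List[str]:
    """Findings for one port, following the mistakes discussed in the article."""
    findings: List[str] = []
    mode = next((l.split()[-1] for l in lines if l.startswith("switchport mode ")), None)
    if mode == "trunk":
        if _last_int(lines, "switchport trunk native vlan ", 1) == 1:   # IOS default is VLAN 1
            findings.append(f"{name}: trunk uses VLAN 1 as its native VLAN")
        if not any(l.startswith("switchport trunk allowed vlan ") for l in lines):
            findings.append(f"{name}: trunk carries every VLAN (no 'switchport trunk allowed vlan')")
        if "spanning-tree portfast" in lines:
            findings.append(f"{name}: spanning-tree portfast set on a trunk port")
    elif mode == "access":
        vlan = _last_int(lines, "switchport access vlan ", 1)
        if vlan == 1:
            findings.append(f"{name}: access port left in default VLAN 1")
        elif vlan == mgmt_vlan:
            findings.append(f"{name}: access port in management VLAN {mgmt_vlan}; confirm it is management-only")
    return findings


def audit_config(config: str, mgmt_vlan: int = 10) -> List[str]:
    """Global plus per-interface findings for an IOS-style configuration text."""
    findings: List[str] = []
    if not re.search(r"^spanning-tree mode rapid-pvst\b", config, re.MULTILINE):
        findings.append("global: spanning-tree mode is not rapid-pvst; RSTP converges faster than classic STP")
    for name, lines in parse_interfaces(config).items():
        findings.extend(audit_interface(name, lines, mgmt_vlan))
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

On the sample it reports five findings: three on GigabitEthernet0/23 (native VLAN 1, unrestricted trunk, portfast), one on GigabitEthernet0/2 (VLAN 1) and one on GigabitEthernet0/3 (management VLAN), and none on the two ports configured as the article recommends. Feeding it the output of show running-config from each switch is an easy way to audit an estate before and after a segmentation change.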

What this changes in practice

A correctly segmented network reduces the attack surface available when one device is compromised. A compromised user endpoint should not be able to reach servers freely if inter-VLAN rules follow the principle of least access. On a flat network, that logical separation does not exist or exists only weakly.

Segmentation also improves readability. Traffic becomes easier to understand, filtering rules become easier to maintain, and guest, IoT and management use cases become easier to isolate.

Rolling segmentation out on an existing network requires a precise inventory of application flows before inter-VLAN rules are deployed. Segmentation without prior dependency mapping causes service interruptions.

Support available on this topic

Initial Infrastructures handles these topics for SMBs and mid-size companies. A short call is enough to identify priorities and the right scope of intervention.