Imagine a school network where students, teachers, administration, and IoT devices (printers, smart screens, cameras) all share the same network. Everyone can theoretically see each other. This is neither secure nor efficient. The solution is segmentation.
Why Segment?
Segmentation means dividing a network into several smaller parts. Each part is isolated from the others, so traffic does not flow freely between them.
| Benefit | Explanation |
|---|---|
| Security | A compromised IoT camera cannot reach the servers |
| Performance | Less broadcast traffic per segment |
| Control | Different rules for different user groups |
| Troubleshooting | Easier to isolate problems to a specific segment |
A practical example
In a school, the network might look like this:
- VLAN 10: Administration - Payroll, HR, management. Strictly limited access.
- VLAN 20: Employees - Teachers and other staff. Access to shared folders and printers.
- VLAN 30: Students - Internet access and learning platforms only.
- VLAN 40: IoT - Printers, smart screens, cameras. No internet access (or very limited).
- VLAN 50: Servers - Internal servers, inaccessible directly from other VLANs.
What is a VLAN?
VLAN stands for Virtual Local Area Network. It is a way to create multiple logical networks on the same physical switch. Instead of buying a separate switch for each network, you configure the switch to treat different ports (or traffic) as separate networks.
Each VLAN has its own address range (subnet):
| VLAN | Name | Subnet | Gateway |
|---|---|---|---|
| 10 | Administration | 10.0.10.0/24 | 10.0.10.1 |
| 20 | Employees | 10.0.20.0/24 | 10.0.20.1 |
| 30 | Students | 10.0.30.0/24 | 10.0.30.1 |
| 40 | IoT | 10.0.40.0/24 | 10.0.40.1 |
| 50 | Servers | 10.0.50.0/24 | 10.0.50.1 |
Subnetting briefly explained
/24 means that the first 24 bits are the network portion of the address. In practice, this means you have 254 available addresses (.1 to .254) in each VLAN.
- 10.0.10.0/24 provides addresses from 10.0.10.1 to 10.0.10.254
- The gateway is usually the first address (.1)
Tagged vs. Untagged Traffic
For VLANs to function across multiple switches (or between a switch and a router), tagging is used:
| Type | Explanation | Use |
|---|---|---|
| Untagged (access) | The port belongs to one VLAN. The device is unaware of VLANs. | PCs, printers, phones |
| Tagged (trunk) | The port carries traffic from multiple VLANs, marked with the VLAN ID. | Between switches, towards routers |
Devices such as PCs and printers do not need to know that they are on a VLAN. They are connected to an “access” port that is assigned the correct VLAN. The connection between two switches or between a switch and a router uses a “trunk” port that carries all VLANs.
Task 1 - See VLAN in Practice
If you have access to Unifi or another network management platform at school:
- Look at which VLANs are configured
- Which ports are set as access, and which as trunk?
- Try to find out which VLAN your PC is connected to (hint: check your IP address and compare with the subnet table)
Firewall Rules Between VLANs
Creating VLANs is only half the job. Without firewall rules, traffic can still flow between them via the router/gateway. You must explicitly determine what is allowed:
| From (source) | To (destination) | Allowed? | Justification |
|---|---|---|---|
| Students | Internet | ✅ Yes | Necessary for teaching |
| Students | Servers | ❌ No | Students do not need access to servers |
| Employees | Servers | ✅ Yes | File storage and internal systems |
| IoT | Internet | ❌ No (or limited) | IoT devices rarely need internet |
| IoT | Students/Employees | ❌ No | IoT should be isolated |
| Servers | All | ✅ Yes (outgoing) | Servers can respond to requests |
Standard: block everything, allow what you need
A good firewall policy starts with blocking all traffic between VLANs, and then only opening what is needed. It is much safer than starting with everything open and trying to block what you don’t want.
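The rules table and the block-everything-first principle above, as an added Python example that is not part of the original page: the rules are transcribed from the table, the VLAN subnets from the earlier subnet table, and any pair not explicitly listed falls through to the default deny. The host addresses and the 203.0.113.10 "internet" address are constructed for the example; function names are my own.

```python
import ipaddress

# VLAN name and subnet, taken from the page's subnet table.
VLANS = {
    "Administration": "10.0.10.0/24",
    "Employees": "10.0.20.0/24",
    "Students": "10.0.30.0/24",
    "IoT": "10.0.40.0/24",
    "Servers": "10.0.50.0/24",
}

# (source VLAN, destination VLAN or "*", allowed?, justification), transcribed from
# the rules table. Rules are evaluated top to bottom; first match wins.
RULES = [
    ("Students",  "Internet",  True,  "Necessary for teaching"),
    ("Students",  "Servers",   False, "Students do not need access to servers"),
    ("Employees", "Servers",   True,  "File storage and internal systems"),
    ("IoT",       "Internet",  False, "IoT devices rarely need internet"),
    ("IoT",       "Students",  False, "IoT should be isolated"),
    ("IoT",       "Employees", False, "IoT should be isolated"),
    ("Servers",   "*",         True,  "Servers can respond to requests (outgoing)"),
]

# Anything that no rule mentions is blocked: the page's "block everything, allow what you need".
DEFAULT = (False, "Default: blocked, no rule explicitly allows this traffic")


def vlan_of(ip: str) -> str:
    """Map an address to its VLAN name; anything outside every VLAN counts as 'Internet'."""
    addr = ipaddress.ip_address(ip)
    for name, subnet in VLANS.items():
        if addr in ipaddress.ip_network(subnet):
            return name
    return "Internet"


def evaluate(src_ip: str, dst_ip: str) -> tuple:
    """Return (allowed, justification) for a flow between two addresses."""
    src, dst = vlan_of(src_ip), vlan_of(dst_ip)
    if src == dst:
        # Same segment: the switch forwards this locally, the inter-VLAN firewall never sees it.
        return True, "Same VLAN: not filtered by the inter-VLAN firewall"
    for rule_src, rule_dst, allowed, why in RULES:
        if rule_src == src and rule_dst in (dst, "*"):
            return allowed, why
    return DEFAULT
```

Note that Employees to Internet is denied only because the page's table does not list it: with a default-deny policy, every needed flow has to be written down explicitly.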
Subnetting
Each VLAN needs its own subnet. A subnet defines the address range for the network:
| Subnet | Network Mask | Number of Addresses | Typical Use |
|---|---|---|---|
| /24 | 255.255.255.0 | 254 | Most VLANs |
| /25 | 255.255.255.128 | 126 | Smaller segment |
| /16 | 255.255.0.0 | 65 534 | Large networks |
Task 2 - Calculate a Subnet
Use an online subnet calculator, e.g. subnet-calculator.com:
- Enter 192.168.1.0 with mask /24. How many addresses do you get?
- What happens if you change to /25? Or /23?
- What would you choose for a classroom with 30 students?
DHCP per VLAN
Each VLAN needs its own DHCP configuration so that devices receive the correct IP address for their segment. This can be configured on the router or a dedicated DHCP server.
Example for the Student VLAN:
| Setting | Value |
|---|---|
| Subnet | 10.0.30.0/24 |
| Gateway | 10.0.30.1 |
| DHCP range | 10.0.30.100 - 10.0.30.250 |
| DNS | 1.1.1.1 / 8.8.8.8 |
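A worked subnet calculation for the two subnetting sections, Task 2 and the DHCP table above, as an added Python example that is not part of the original page. It uses only the standard library; the `smallest_prefix_for` helper goes beyond the page by generalizing the classroom question to any device count, and `check_dhcp_scope` goes beyond it by validating a per-VLAN DHCP pool against its subnet and gateway. Function names are my own; the Student VLAN scope is copied from the table.

```python
import ipaddress


def subnet_summary(cidr: str) -> dict:
    """Answer the Task 2 questions for one CIDR block: mask, usable hosts, first/last host."""
    # strict=False accepts a host address in the CIDR, e.g. 192.168.1.0/23 -> 192.168.0.0/23
    net = ipaddress.ip_network(cidr, strict=False)
    return {
        "network": str(net.network_address),
        "mask": str(net.netmask),
        "usable_hosts": net.num_addresses - 2,   # minus network and broadcast address
        "first_host": str(net[1]),               # the page's convention: this is the gateway
        "last_host": str(net[-2]),
        "broadcast": str(net.broadcast_address),
    }


def smallest_prefix_for(devices: int, reserve_gateway: bool = True) -> int:
    """Smallest block (largest prefix length) whose usable hosts cover the devices,
    plus one address for the gateway unless reserve_gateway is False."""
    needed = devices + (1 if reserve_gateway else 0)
    for prefix in range(30, -1, -1):         # /30 is the smallest block with 2 usable hosts
        if 2 ** (32 - prefix) - 2 >= needed:
            return prefix
    raise ValueError("more devices than IPv4 can address")


def check_dhcp_scope(cidr: str, gateway: str, pool_start: str, pool_end: str) -> list:
    """Return the consistency problems of a per-VLAN DHCP scope; an empty list means OK."""
    net = ipaddress.ip_network(cidr)
    gw, start, end = (ipaddress.ip_address(a) for a in (gateway, pool_start, pool_end))
    problems = []
    if gw not in net:
        problems.append("gateway is outside the subnet")
    if start not in net or end not in net:
        problems.append("DHCP pool is outside the subnet")
    elif start > end:
        problems.append("DHCP pool start is after its end")
    elif start <= gw <= end:
        problems.append("gateway lies inside the DHCP pool and will be handed out twice")
    if start == net.network_address or end == net.broadcast_address:
        problems.append("pool includes the network or broadcast address")
    return problems


# Constructed sample: the Student VLAN scope from the page's DHCP table.
STUDENT_SCOPE = ("10.0.30.0/24", "10.0.30.1", "10.0.30.100", "10.0.30.250")
```

Note the edge case behind the classroom question: a /27 has exactly 30 usable hosts, so once the gateway takes one of them, 30 student devices no longer fit.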
Summary
- Segmentation divides the network into isolated parts for security and control
- VLANs are virtual networks on the same physical switch
- Access ports connect devices to one VLAN, trunk ports carry multiple VLANs
- Firewall rules determine what is allowed between the VLANs
- Each VLAN needs its own subnet and DHCP configuration
- Starting point: block everything, only allow what is needed