TL;DR: VLANs create logical separation at Layer 2, but they do not inherently stop lateral movement or enforce granular access between devices, according to Zero Networks. That gap makes VLANs a foundation, not a complete segmentation strategy, especially in distributed environments where policy drift and misconfiguration can leave internal paths open.
At a glance
What this is: This is an explainer on VLANs that concludes they are useful for basic logical separation but insufficient as a standalone segmentation control.
Why it matters: For IAM, PAM, NHI, and broader security teams, the key issue is that weak internal segmentation lets compromised identities, workloads, and devices move farther than intended.
By the numbers:
- VLANs remain one of the most popular network segmentation methods, leveraged by 30% of organizations today.
👉 Read Zero Networks' explainer on VLAN limitations and segmentation strategies
Context
VLANs are a network design control, not a complete security boundary. In practice, they separate broadcast domains and help organise traffic, but they do not automatically enforce the granular access decisions needed to stop lateral movement once an attacker is inside the environment.
That distinction matters for identity governance as much as for network security. Compromised human credentials, exposed service accounts, and unmanaged machine identities all benefit from weak east-west controls, which is why modern segmentation discussions increasingly intersect with IAM, PAM, and NHI governance rather than stopping at switch configuration.
Key questions
Q: What breaks when manufacturing networks rely on VLANs for segmentation?
A: VLANs create broad trust zones, so once an attacker enters a segment, they can often move laterally to other reachable devices inside the same zone. In manufacturing, that is especially dangerous because OT assets often share infrastructure and cannot all be protected with agents or frequent redesign. The control fails when location is treated as trust.
Q: Why do VLANs still matter if they are not true segmentation?
A: VLANs still matter because they reduce broadcast noise, simplify network organisation, and provide a coarse isolation layer that supports other controls. The problem is not that VLANs are useless, but that they are incomplete. They work best when paired with enforcement that understands traffic, identity, and workload sensitivity across segment boundaries.
Q: What do security teams get wrong about microsegmentation?
A: They often treat it as a one-time network redesign instead of an iterative control that depends on current workload behaviour. If policies are not refreshed as applications change, segmentation becomes stale and leaves blind spots that attackers can exploit.
Q: How should organisations reduce lateral movement in hybrid networks?
A: Use layered controls that combine logical network separation with explicit access enforcement. In hybrid environments, identity-aware microsegmentation, tightly scoped inter-segment rules, and continuous validation of allowed paths are more effective than static VLAN design alone. The goal is to constrain what can communicate, not just where traffic is grouped.
Technical breakdown
How VLAN membership and tagging shape Layer 2 isolation
A VLAN is a logical construct that groups devices so they share the same Layer 2 broadcast domain even when they sit on the same physical infrastructure. Membership is usually assigned by switch port or MAC address, and 802.1Q tagging marks frames so trunk links can carry traffic for multiple VLANs. This design improves organisation and reduces unnecessary traffic, but it only establishes separation at the broadcast layer. Once traffic needs to cross into another VLAN, a Layer 3 device or policy engine must decide whether that flow is allowed.
Practical implication: treat VLANs as a structural boundary that still requires explicit enforcement for inter-segment traffic.
Why VLANs often fail as a security boundary
The common failure mode is assuming that a VLAN label equals containment. It does not. If routing, access rules, or switch configurations are too permissive, a compromised endpoint can still reach assets in other segments through allowed paths, especially in environments with sprawling allow-lists and manual change control. This is why VLANs can appear to provide segmentation while leaving meaningful east-west exposure intact. The control problem is not the existence of the VLAN, but the completeness and consistency of the policies that govern movement between segments.
Practical implication: validate inter-VLAN policy paths continuously, not only during initial network design.
Why microsegmentation changes the control model
Microsegmentation moves from broad network grouping to workload-, application-, or identity-aware enforcement. Instead of trusting a segment as a proxy for safety, it applies least privilege to east-west traffic and shrinks the blast radius if an endpoint or workload is compromised. In modern environments, that matters because hybrid infrastructure, cloud workloads, and changing application topologies make static network partitions brittle. Identity-aware segmentation is especially relevant where machine identities, service accounts, or application-to-application flows carry sensitive access that VLANs cannot express on their own.
Practical implication: use identity-aware microsegmentation where the risk is lateral movement between workloads, not just traffic organisation.
Threat narrative
Attacker objective: The attacker aims to convert a single internal foothold into wider east-west access that increases blast radius and operational impact.
- Entry occurs when an attacker compromises one device or workload inside a broadly trusted VLAN.
- Escalation happens when permissive routing or weak inter-VLAN rules allow movement beyond the original segment.
- Impact follows when the attacker reaches additional systems, enabling internal spread, data access, or ransomware propagation.
NHI Mgmt Group analysis
VLAN drift is a governance problem, not just a network design problem. Once organisations treat VLANs as equivalent to segmentation, policy quality becomes invisible and exceptions accumulate until the boundary stops meaning anything. That is a governance failure because ownership, review cadence, and enforcement discipline matter as much as topology. Practitioners should govern VLANs as an intermediate control, not a security outcome.
Identity-aware segmentation is the real control shift. Modern environments carry risk through workloads, service accounts, and application flows, so a network boundary without identity context leaves too much trust implicit. This is where network security intersects with IAM and NHI governance: privileged connections and machine-to-machine paths need explicit control, not inherited segment trust. Practitioners should align segmentation policy with identity and workload context.
Blast-radius control is the right concept for evaluating segmentation maturity. The question is not whether traffic is neatly grouped, but whether a compromised endpoint can reach anything materially sensitive. That framing is closer to Zero Trust than traditional VLAN administration, and it forces teams to measure containment rather than configuration volume. Practitioners should use blast radius as the standard for judging whether segmentation is effective.
Legacy segmentation tools persist because they are operationally familiar, not because they are sufficient. VLANs still have value for traffic organisation, cost efficiency, and coarse isolation, but that value disappears if they are sold internally as a substitute for adaptive policy. The market trend is toward automation, deterministic policy creation, and identity-aware enforcement because static segmentation cannot keep pace with modern attack paths. Practitioners should plan for layered controls, not VLAN-only governance.
What this signals
Blast-radius control should become the practical yardstick for segmentation programmes. If a VLAN or subnet design still allows a compromised endpoint to reach admin planes, sensitive data stores, or workload-to-workload trust paths, the programme has organised the network without materially constraining attack movement. For identity-heavy environments, that is a gap between network design and access governance.
The next maturity step is to connect segmentation policy with identity and workload context, especially where service accounts and machine identities move across shared infrastructure. That is where the boundary between network control and NHI governance starts to blur, and where teams should align operational reviews with the NHI Lifecycle Management Guide rather than treating network design as a standalone discipline.
If the environment is moving toward microsegmentation, the operating model needs to support continuous validation rather than periodic cleanup. The most useful signal is not how many VLANs exist, but whether attack-path testing shows that a single foothold can still cross into materially sensitive zones. That is the point at which segmentation becomes a security control instead of a documentation exercise.
For practitioners
- Map east-west trust paths across every VLAN Inventory which systems can talk across segment boundaries, then identify where routing or firewall exceptions create hidden lateral paths. Focus on paths that bridge user endpoints, workloads, and admin systems.
- Review inter-VLAN allow-rules for blast-radius exposure Treat every allow-rule as a containment decision, not a convenience setting. Remove broad exceptions, validate whether rules still match business need, and test whether a compromised endpoint could reach adjacent segments.
- Anchor segmentation to identity and workload context Pair network segments with controls that recognise application identity, privileged access, and machine-to-machine flows. This is especially important where service accounts or other non-human identities carry sensitive access across shared infrastructure.
- Test containment with attack-path simulations Use red-team or exposure-analysis exercises to see whether a single foothold can traverse VLAN boundaries, reach administrative surfaces, or access sensitive data stores. Measure the time and effort required to stop movement rather than assuming the topology is safe.
Key takeaways
- VLANs provide logical grouping, but they do not automatically enforce containment against lateral movement.
- The security question is whether a compromised identity or endpoint can cross into sensitive zones, not how many VLANs exist.
- Modern segmentation needs identity-aware enforcement and continuous validation, especially in hybrid environments.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, CIS Controls v8 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | VLANs alone do not enforce access restrictions between segments. |
| NIST SP 800-53 Rev 5 | AC-4 | Information flow enforcement directly applies to inter-VLAN traffic control. |
| CIS Controls v8 | CIS-12 , Network Infrastructure Management | VLAN configuration drift and rule accumulation are core network management risks. |
| MITRE ATT&CK | TA0008 , Lateral Movement; TA0040 , Impact | The article's core risk is internal spread after initial compromise. |
| NIST Zero Trust (SP 800-207) | Zero Trust supports the move from coarse network trust to explicit enforcement. |
Map segment trust paths to PR.AC-4 and verify that inter-segment access is explicitly controlled.
Key terms
- VLAN: A virtual local area network is a logical grouping of devices that share the same Layer 2 broadcast domain even when they sit on the same physical switch fabric. It improves traffic organisation, but it does not by itself provide fine-grained access control between devices or guarantee containment after compromise.
- Microsegmentation: Microsegmentation is a granular containment approach that divides workloads, applications, or devices into smaller trust zones with explicit policy between them. It reduces lateral movement by enforcing least privilege on east-west traffic rather than relying on broad network placement as a proxy for safety.
- Inter-VLAN Routing: Inter-VLAN routing is the Layer 3 function that allows traffic to move between VLANs through a router or Layer 3 switch. It is operationally necessary in many networks, but it also creates the policy chokepoint where weak rules or excessive exceptions can undermine the intended isolation between segments.
- Blast Radius: Blast radius is the amount of damage an attacker can cause after gaining an initial foothold. In segmentation discussions, it measures whether a compromise stays local or expands into adjacent systems, workloads, or administrative planes through permitted trust paths.
What's in the full article
Zero Networks' full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step explanation of VLAN membership, tagging, trunking, and inter-VLAN routing.
- Practical examples of when VLANs help and where they fall short in modern network design.
- Comparisons with firewall segmentation, SDN, application ringfencing, and physical segmentation.
- The vendor's automated microsegmentation workflow and how it is positioned against legacy segmentation.
Deepen your knowledge
NHI Mgmt Group covers identity security, NHI governance, and agentic AI through independent research, practitioner guides, and the NHI Foundation Level course, the industry's only accredited NHI security programme. It is designed for practitioners who need to connect access governance, machine identity control, and lifecycle management across their programmes.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org