Securing Enterprise Networks with VLANs and Subnetting

In the digital battlefield of enterprise IT, the walls no longer surround the castle. With cloud sprawl, remote work, and IoT proliferation, attackers no longer need to breach the perimeter—they're already inside. That's why network segmentation, achieved through VLANs and subnetting, has become a front-line strategy to contain threats, slow down attackers, and maintain control. These aren't just networking tools anymore; they are security weapons.

The Digital Office Is a Maze—Not a Hallway

Imagine walking into a large corporate building where all doors are open, and everyone—accountants, HR, developers, and interns—shares the same hallway. That's what a flat network is: every device, from domain controllers to vending machines, lives on the same broadcast domain. It's fast, simple—and dangerous.

Enter VLANs (Virtual Local Area Networks) and subnetting, the twin strategies for carving that digital office into safe, separate rooms with locks and surveillance.

VLANs: Carving Up the Broadcast Domain

A VLAN is a logical grouping of devices within the same switch or across multiple switches, isolated as if they were on different physical networks. VLANs don't care where the devices physically sit; they're about function, role, and policy.

In practice, IT departments often segment VLANs based on job function:

  • VLAN 10: Accounting
  • VLAN 20: Engineering
  • VLAN 30: HR
  • VLAN 99: Management
  • VLAN 666: Honeypots and traps

By tagging traffic at Layer 2, switches ensure that devices from one VLAN can't talk to another without passing through a router or Layer 3 firewall—giving the blue team a chance to inspect, log, or block the interaction.

From a blue team perspective, VLANs are a godsend. Need to isolate a legacy machine with known vulnerabilities? Drop it into a VLAN with no route to the internet. Want to monitor contractor laptops? Place them in a separate VLAN and apply more aggressive inspection rules.

From a red team point of view, VLANs are hurdles—but not walls. Once access is gained to one VLAN, attackers may try VLAN hopping, exploiting misconfigured trunk ports or spoofing tags. That's why proper switch configuration, pruning, and port security are essential.

Subnetting: Drawing Lines on the Map

While VLANs work at Layer 2, subnetting operates at Layer 3—the IP layer. Subnetting divides an IP network into smaller chunks, each with its own address range, broadcast domain, and potential security rules.

A company with a 10.0.0.0/8 address block might carve it like this:

  • 10.10.0.0/24 for management
  • 10.20.0.0/24 for employees
  • 10.30.0.0/24 for development servers
  • 10.99.0.0/24 for guest Wi-Fi
  • 10.254.254.0/24 for honeynet decoys

With each subnet routed through firewalls, it's possible to allow, log, or deny access between them with surgical precision.

From the blue team's standpoint, subnetting prevents lateral movement. If ransomware hits a marketing PC in 10.20.0.0/24, it shouldn't be able to reach production databases sitting quietly in 10.30.0.0/24 without a firewall decision.

For the red team, subnetting is an obstacle to reconnaissance. If ICMP is filtered and routing tightly controlled, scanning beyond one's local subnet becomes noisy or impossible. That forces attackers to shift strategies—from horizontal privilege escalation to phishing or domain attacks.

When VLANs and Subnets Work Together

While VLANs and subnets can exist independently, pairing them creates a strong architectural foundation. Typically, a one-to-one mapping is preferred: each VLAN gets its own subnet. This simplifies routing, auditing, and access control.

For instance:

  • VLAN 30 = 10.30.0.0/24 = HR Department
  • VLAN 50 = 10.50.0.0/24 = Wi-Fi
  • VLAN 100 = 10.100.0.0/24 = Printer VLAN (yes, printers need their own zoo)

When you bridge a VLAN to a router interface (called a "router-on-a-stick" setup), the router can enforce ACLs between VLANs. Want to block all traffic between the printer VLAN and accounting? Just add a rule.

Microsegmentation: Going Beyond VLANs

Some enterprises take segmentation even further with microsegmentation—using software-defined networking (SDN) or firewalls to enforce rules at the individual host level. But VLANs and subnets are still the ground floor.

Blue teams can place “canary” hosts in each subnet—devices that no one should touch. If they receive a connection, something is wrong. Paired with SIEM alerts, it becomes a tripwire for lateral movement.

Red teams, meanwhile, must get creative. If a subnet only allows port 80 outbound, how do you exfiltrate data? Perhaps via DNS tunneling. Or maybe you find an old dev server straddling two VLANs. Weakness is often in the exceptions, not the rules.

Real-World Use Case: A Manufacturing Network

Let's look at a fictional example: ACME Manufacturing Corp.

  • Office VLANs handle HR, Finance, and Engineering
  • Factory Floor VLAN connects robotic arms and PLCs
  • Guest VLAN has no access to internal resources
  • Dev VLAN runs experimental software—heavily monitored

A contractor plugs in a laptop on the factory floor. Thanks to VLAN isolation and port-based authentication, the device lands in a quarantine VLAN, with no access to the control systems unless explicitly approved.

Now imagine a red teamer finds a forgotten Wi-Fi AP bridging the Dev VLAN and Office VLAN. That's a goldmine. Suddenly, Dev VLAN can route to HR servers. But subnet rules and logs alert the blue team, who kills the rogue AP within minutes.

Best Practices for Blue Teams

  • Enforce one VLAN per subnet to reduce complexity.
  • Disable unused switch ports and set them to an unused VLAN.
  • Use port security to bind MAC addresses.
  • Prune VLANs from trunks that don't need them.
  • Monitor inter-VLAN traffic through firewalls or Layer 3 switches.
  • Deploy honey VLANs with fake assets to detect unauthorized scanning.

Tactics for Red Teams

  • Look for dual-homed devices or misconfigured trunk ports.
  • Probe for overly permissive inter-VLAN routing rules.
  • Use low-noise protocols like NetBIOS or mDNS for lateral movement.
  • Try ARP poisoning if switches don't have dynamic ARP inspection.
  • Watch for inconsistencies between VLAN tag and IP address ranges.

The Future: Zero Trust Needs Segmentation

Zero Trust isn't just a buzzword. It's a strategy that assumes breach and enforces least privilege. VLANs and subnets are foundational tools for making Zero Trust real—not just a vendor checkbox.

As threats grow more advanced and insiders more capable, flat networks become a liability. Segmentation doesn't just slow attackers—it buys defenders time, visibility, and leverage.

Final Thoughts

Enterprise networks are no longer castles. They're airports, with zones, scanners, barriers, and logs. VLANs and subnets are the floor plan. Used wisely, they're invisible fences that turn a chaotic sprawl into a controlled grid.

For the blue team, they're a blueprint for defense. For the red team, they're a challenge to outwit. But in the end, it's segmentation that decides whether an intrusion becomes a breach—or just another blip on the radar.

Love it? Share this article: