# VLANs and Segmentation

One-sentence definition: Logical separation of a switched network into multiple broadcast domains (VLANs) so that a compromise is contained within one segment and policy can be enforced at the boundaries between segments.

## Key Facts

- Trunks (802.1Q) carry multiple tagged VLANs between switches; prune every trunk to an explicit allowed list, and put the native (untagged) VLAN on an unused VLAN ID so a double-tagged frame cannot hop into a production VLAN.
- Private VLANs and microsegmentation restrict host-to-host traffic inside a VLAN, reducing east-west spread that an inter-VLAN ACL never sees.
- Place ACLs or a firewall at every inter-VLAN boundary (the routed interface or a firewall transit VLAN); default deny, permit only the flows a tier actually needs.
- Disable unused switch ports (and assign them to an unused VLAN); apply 802.1X on edge ports so a device is authenticated before it is placed in a VLAN.
- **Verify:** check the official (ISC)² CBK and the current exam outline.

## Exam Relevance

- When a question asks how to isolate sensitive systems quickly, the expected answer is a dedicated VLAN with an inter-VLAN ACL/firewall, not new physical infrastructure.

**Mnemonic:** “Segment to **contain**.”

## Mini Scenario

Q: Dev laptops can ping the DB VLAN. Which control addresses this?

A: Inter-VLAN ACLs or a firewall with deny by default; the developer VLAN should reach only the application tier on its service ports, never the database VLAN directly.

## Revision Checklist

- 802.1Q trunk concept (tagging, allowed list, native VLAN).
- Private VLAN use-case (hosts that share a subnet but must not talk to each other).
- Edge security steps (disable unused ports, 802.1X).

## Related

[[Network Access Control (802.1X, NAC)]] · [[DMZ Patterns and Secure Edge]] · [[Zero Trust Network Access (ZTNA)]] · [[Firewalls (Types and Placement)]] · [[IDS vs IPS (NIDS HIDS)]] · [[Domain 4 - Index]]
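## Worked Example

The two controls in the Key Facts that a practitioner actually configures are the inter-VLAN policy (first-match ACL with an implicit deny) and the trunk allowed list. The script below is an added example written for these notes; it is not vendor code or anything from the (ISC)² CBK. The VLAN IDs (10/20/30/99), the rule set, the trunk definitions and the helper names `evaluate`, `audit_trunk` and `run_examples` are all constructed for illustration. It models the Mini Scenario (dev laptops pinging the DB VLAN) and shows why the answer is an inter-VLAN deny-by-default, and it flags the trunk mistakes that allowed lists and an unused native VLAN prevent.

```python
"""Inter-VLAN policy check and 802.1Q trunk audit (constructed example).

Hypothetical VLAN plan and rules; real switches and firewalls express the
same ideas in their own configuration syntax.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

DEV, APP, DB, MGMT = 10, 20, 30, 99   # constructed VLAN IDs
UNUSED_NATIVE = 999                    # parking VLAN used only as trunk native


@dataclass(frozen=True)
class Rule:
    src_vlan: int
    dst_vlan: int
    proto: str                # "tcp", "udp", "icmp" or "any"
    dst_port: Optional[int]   # None matches any port (ICMP has none)
    action: str               # "permit" or "deny"


@dataclass(frozen=True)
class Flow:
    src_vlan: int
    dst_vlan: int
    proto: str
    dst_port: Optional[int] = None


# Explicit permits only; anything not listed falls to the implicit deny.
RULES: List[Rule] = [
    Rule(DEV, APP, "tcp", 443, "permit"),    # dev laptops -> app tier HTTPS
    Rule(APP, DB, "tcp", 5432, "permit"),    # app tier -> database
    Rule(MGMT, DB, "tcp", 22, "permit"),     # admins -> DB hosts over SSH
]


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First matching rule wins, as on a router or firewall ACL."""
    # Intra-VLAN traffic is switched at layer 2 and never hits the ACL;
    # only private VLANs / microsegmentation can restrict it.
    if flow.src_vlan == flow.dst_vlan:
        return "permit"
    for rule in rules:
        if (rule.src_vlan, rule.dst_vlan) != (flow.src_vlan, flow.dst_vlan):
            continue
        if rule.proto != "any" and rule.proto != flow.proto:
            continue
        if rule.dst_port is not None and rule.dst_port != flow.dst_port:
            continue
        return rule.action
    return "deny"   # implicit deny: no rule matched


@dataclass(frozen=True)
class Trunk:
    name: str
    allowed: Optional[FrozenSet[int]]   # None = all VLANs (a common switch default)
    native: int                         # untagged VLAN on this trunk


def audit_trunk(trunk: Trunk, needed: FrozenSet[int]) -> List[str]:
    """Findings for one trunk against the VLANs it must actually carry."""
    findings: List[str] = []
    if trunk.allowed is None:
        findings.append("no allowed list: every VLAN on the switch rides this trunk")
    else:
        extra = sorted(trunk.allowed - needed - {trunk.native})
        if extra:
            findings.append(f"allowed list carries unneeded VLANs {extra}; prune them")
        missing = sorted(needed - trunk.allowed)
        if missing:
            findings.append(f"needed VLANs {missing} are not allowed; trunk is broken")
    # Untagged (and double-tagged) frames land in the native VLAN, so it must
    # not be a VLAN that carries real traffic, and not the default VLAN 1.
    if trunk.native == 1 or trunk.native in needed:
        findings.append(f"native VLAN {trunk.native} is in use; move native to an unused VLAN")
    return findings


def run_examples():
    flows = {
        "dev ping db": Flow(DEV, DB, "icmp"),          # the Mini Scenario
        "dev https app": Flow(DEV, APP, "tcp", 443),
        "app sql db": Flow(APP, DB, "tcp", 5432),
        "dev sql db": Flow(DEV, DB, "tcp", 5432),      # skipping the app tier
        "db https app": Flow(DB, APP, "tcp", 443),     # reverse direction, no rule
    }
    decisions = {name: evaluate(RULES, f) for name, f in flows.items()}
    trunks = {
        "core-uplink": audit_trunk(Trunk("core-uplink", None, 1), frozenset({DEV, APP})),
        "pruned-uplink": audit_trunk(
            Trunk("pruned-uplink", frozenset({DEV, APP, UNUSED_NATIVE}), UNUSED_NATIVE),
            frozenset({DEV, APP})),
    }
    return decisions, trunks


if __name__ == "__main__":
    decisions, trunks = run_examples()
    for name, verdict in decisions.items():
        print(f"{name:14} -> {verdict}")
    for name, findings in trunks.items():
        print(f"{name}: {findings or ['ok']}")
```

Note that the reverse flow (DB to APP on 443) is denied by the model: a stateless ACL needs a mirrored rule or an `established` match for return traffic, whereas a stateful firewall at the boundary tracks the session and only needs the forward rule. That difference is one reason the Mini Scenario answer says "ACLs or firewall" rather than treating them as interchangeable.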