
Network Segmentation for CompTIA Network+ N10-009

Network segmentation divides a network into smaller, isolated sections to improve security, performance, and manageability. CompTIA Network+ N10-009 tests segmentation in both networking concepts and security domains. You must understand why segmentation is used, how it is implemented (VLANs, subnets, DMZ, air gaps), and how segmentation limits the blast radius of security incidents. This is a high-value topic that connects implementation, operations, and security objectives.


Why Segment a Network?

Security isolation: segmentation contains breaches. If an attacker compromises a device in one segment, they cannot reach devices in other segments without crossing a Layer 3 boundary (a router or firewall) where rules can inspect and block the traffic. Applied this way, segmentation is the principle of least privilege for network access: a host gets reachability only to the segments and ports its role requires, and everything else is denied by default.

Performance: segmentation reduces broadcast domains. Every broadcast frame must be processed by every device in the broadcast domain — large flat networks waste CPU cycles on broadcasts. Segmentation into subnets or VLANs reduces the size of each broadcast domain and improves overall network performance.

Compliance and policy: PCI DSS makes segmentation the standard way to reduce the scope of the cardholder data environment (CDE); without it, every system on the flat network is in scope for assessment. The HIPAA Security Rule requires technical safeguards around systems holding protected health information, and separating those systems from public-facing ones is a common way to meet it. Segmentation is a foundational compliance control.

Segmentation Methods

VLANs (Virtual LANs): create separate logical broadcast domains on a shared physical switch infrastructure. Frames carried between switches on a trunk are marked with a 4-byte 802.1Q tag inserted after the source MAC address (TPID 0x8100 plus a 12-bit VLAN ID, 1 to 4094); frames belonging to the trunk's native VLAN are sent untagged. Traffic between VLANs requires a router or Layer 3 switch. VLANs are the most common LAN segmentation method. VLAN 1 is the default native VLAN on most switches; best practice is to move the native VLAN to an otherwise unused VLAN, tag the native VLAN on trunks where the platform supports it, and keep VLAN 1 off trunks.

Subnets: IP-level segmentation. Each subnet is a separate Layer 3 network with its own IP range. Devices in different subnets must communicate through a router. Subnetting is often combined with VLANs — each VLAN gets its own subnet.

DMZ (Demilitarized Zone), also called a screened subnet: a segment between the internet and the internal network where public-facing servers (web, email, DNS) are placed. In the classic design it sits between two firewalls: one facing the internet that admits only the published services, and one in front of the internal LAN that treats the DMZ as untrusted. A single firewall with a dedicated DMZ interface (a three-legged firewall) is the common small-network equivalent. Either way, a compromised DMZ server still faces a policy boundary before it can reach the internal LAN, and that boundary should permit only the specific flows the DMZ servers need (for example the web tier to a database port) and nothing initiated from the DMZ toward workstations.

Air gap: the most extreme segmentation, a network with no physical or logical connection to any other network. Used for critical systems such as nuclear plant controls, classified government systems, and other industrial control (ICS/SCADA) environments that must be unreachable from the internet. An air gap is only as strong as its media controls: USB drives, maintenance laptops and vendor updates are the usual ways data and malware cross it, so removable-media policy and scanning are part of the control.

Zero Trust and Microsegmentation

Traditional perimeter security trusted everything inside the network. Zero Trust assumes no implicit trust — every access request must be authenticated and authorized regardless of network location. 'Never trust, always verify' is the zero trust mantra.

Microsegmentation applies segmentation at a granular level within a data center or cloud environment: each workload or application tier is isolated from the others, with an explicit allow list for the flows between them. Even if an attacker moves laterally within the data center, microsegmentation limits how far they can travel, because a compromised web server can reach only the ports the policy grants it, not every other server in the same rack or subnet. Software-defined firewalling (hypervisor or cloud security groups, centrally managed host-based firewalls) enforces microsegmentation policies, so the boundary travels with the workload instead of sitting at a physical choke point.
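The DMZ boundary rules and the microsegmentation argument above can be checked in a small model. The following is an added example, not code from this guide: it represents segments as subnets, treats same-segment traffic as Layer 2 adjacent with no firewall in the path, makes every inter-segment boundary default-deny with explicit allow rules, and computes the blast radius from a compromised host as the set of segments (and ports) an attacker can pivot into by following allow rules transitively. The segment names, subnets (RFC 1918 ranges, with 203.0.113.0/24 standing in for the internet) and rules are constructed for the example, and a flat network, a classic DMZ and a microsegmented design are compared.

```python
"""Segment reachability model: an added example, not code from the
Network+ guide.  Segment names, subnets and rules below are constructed.

Model assumptions:
  * hosts in the same segment reach each other at Layer 2 with no
    firewall in the path;
  * traffic between segments crosses a boundary that is default-deny,
    so it needs an explicit allow rule (src segment, dst segment, port);
  * an attacker who controls a host can pivot into any segment it can
    reach, so the blast radius is the transitive closure of the rules.
"""
import ipaddress
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str    # source segment name
    dst: str    # destination segment name
    port: int   # TCP destination port that is allowed


def segment_of(ip, segments):
    """Return the name of the segment whose subnet contains ip."""
    addr = ipaddress.ip_address(ip)
    for name, net in segments.items():
        if addr in net:
            return name
    raise ValueError(f"{ip} is in no defined segment")


def permitted(src_ip, dst_ip, port, segments, rules):
    """Can src_ip open a TCP connection to dst_ip:port under this design?"""
    src, dst = segment_of(src_ip, segments), segment_of(dst_ip, segments)
    if src == dst:
        return True   # same broadcast domain: no router or firewall in the path
    return any(r.src == src and r.dst == dst and r.port == port for r in rules)


def blast_radius(start, rules):
    """Segments (and ports) reachable from a compromised host in `start`,
    following allow rules transitively: each reached segment is treated as
    compromised in turn.  'any' marks full Layer 2 reach inside a segment."""
    reach = {start: {"any"}}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for r in rules:
            if r.src != cur:
                continue
            if r.dst not in reach:
                reach[r.dst] = set()
                queue.append(r.dst)
            reach[r.dst].add(r.port)
    return reach


def nets(mapping):
    return {name: ipaddress.ip_network(cidr) for name, cidr in mapping.items()}


# Design 1: classic DMZ. 203.0.113.0/24 (TEST-NET-3) stands in for "the internet".
DMZ_SEGMENTS = nets({"internet": "203.0.113.0/24", "dmz": "10.0.1.0/24",
                     "internal": "10.0.2.0/24", "db": "10.0.3.0/24"})
DMZ_RULES = [
    Rule("internet", "dmz", 443),   # outer firewall: published web service only
    Rule("internal", "dmz", 443),   # inner firewall: staff use the site too
    Rule("dmz", "db", 5432),        # inner firewall: web tier to database only
    Rule("internal", "db", 5432),
]

# Design 2: microsegmentation. Every workload is its own /32 segment.
MICRO_SEGMENTS = nets({"internet": "203.0.113.0/24", "web": "10.0.1.10/32",
                       "mail": "10.0.1.11/32", "internal": "10.0.2.0/24",
                       "db": "10.0.3.10/32"})
MICRO_RULES = [
    Rule("internet", "web", 443),
    Rule("internet", "mail", 25),
    Rule("internal", "web", 443),
    Rule("internal", "mail", 25),
    Rule("web", "db", 5432),
]

# Design 0: flat network, one segment, nothing to enforce between hosts.
FLAT_SEGMENTS = nets({"lan": "10.0.0.0/16"})


if __name__ == "__main__":
    for label, segs, rules, start in [("flat", FLAT_SEGMENTS, [], "lan"),
                                      ("dmz", DMZ_SEGMENTS, DMZ_RULES, "dmz"),
                                      ("micro", MICRO_SEGMENTS, MICRO_RULES, "web")]:
        print(label, "| compromised web host can SSH to mail server:",
              permitted("10.0.1.10", "10.0.1.11", 22, segs, rules),
              "| blast radius:", blast_radius(start, rules))
```

In the DMZ design the compromised web server can still reach every other DMZ host (mail, DNS) at Layer 2, plus the database port; in the microsegmented design it reaches only the database port. The internal LAN is outside the blast radius in both, which is the exam's point about limiting lateral movement, and the flat design has no boundary at all.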

Key exam facts — Network+

  • VLANs create logical segments; traffic between VLANs requires a router or L3 switch
  • DMZ places public-facing servers between two firewalls — isolated from internal LAN
  • Air gap = completely isolated network with no connections to other networks
  • Segmentation reduces broadcast domains and improves security and performance
  • PCI DSS: segmenting the cardholder data environment (CDE) limits assessment scope to the CDE; segmentation is a compliance control
  • Zero trust = no implicit trust based on network location; always verify
  • Microsegmentation = workload-level isolation within data centers and cloud

Common exam traps

A firewall is all you need for segmentation

Firewalls enforce policy at segment boundaries, but the segments themselves are created with VLANs, subnets, and routing; a firewall with one flat network behind it has no internal boundaries to enforce. The firewall adds the security policy at the boundary, it does not create the boundary.

VLANs provide complete security isolation

VLANs provide logical separation, but misconfigured trunk ports, VLAN hopping attacks (switch spoofing through DTP negotiation, or double tagging through the native VLAN), and Layer 3 routing that permits everything between VLANs can defeat that separation. ACLs or firewall rules at the inter-VLAN boundary and hardened switch port configuration are still required.

A DMZ eliminates risk to internal networks

A DMZ reduces risk by isolating public-facing servers, but it does not eliminate risk: a compromised DMZ server can reach whatever the internal firewall permits from the DMZ and can probe that firewall for mistakes, so the DMZ-to-internal rules must be minimal, specific, and logged.

Practice questions — Network Segmentation

These questions are representative of what you will see on Network+ exams. The correct answer and explanation are shown immediately below each question.

Q1. A company wants to host a public web server while protecting its internal corporate network. Which network architecture should be implemented?

A. Place the web server on the same VLAN as workstations
B. Create a DMZ between two firewalls and place the web server there
C. Use a proxy to forward web traffic directly to an internal server
D. Apply ACLs to prevent access to the web server from the internet

Correct answer: B

Explanation: A DMZ (Demilitarized Zone) is specifically designed to host public-facing servers such as web servers while keeping them isolated from the internal corporate network. The web server sits between the external firewall (facing the internet) and the internal firewall (protecting corporate resources). If the web server is compromised, the internal firewall still protects the corporate network. Option D would block the internet from reaching the server at all, defeating the purpose of a public web server.

Q2. A security analyst discovers that an attacker who compromised one server in the data center was unable to reach any other servers. Which security control is most responsible for limiting the attacker's movement?

A. Antivirus software
B. Network access control (NAC)
C. Microsegmentation
D. Intrusion detection system

Correct answer: C

Explanation: Microsegmentation creates workload-level isolation within the data center, preventing lateral movement between servers even when they sit on the same data center network. Even if one server is compromised, microsegmentation ensures the attacker cannot easily reach other servers. An IDS detects but does not prevent movement; NAC controls endpoint admission at connection time; antivirus protects individual systems.

Frequently asked questions — Network Segmentation

What is the difference between a subnet and a VLAN?

A VLAN is a Layer 2 construct that creates logical broadcast domains within switch infrastructure using 802.1Q tags. A subnet is a Layer 3 construct that divides IP address space into smaller networks. In practice, they are used together: each VLAN is typically assigned one subnet. Traffic within a VLAN stays at Layer 2; traffic between VLANs requires Layer 3 routing.

What is VLAN hopping and how is it prevented?

VLAN hopping is an attack in which a device on one VLAN gets its frames delivered into a VLAN it is not a member of. It takes two forms. Switch spoofing: the attacker's port is left in dynamic trunking mode, so the attacker negotiates a trunk with DTP and can then tag frames for any VLAN. Double tagging: the attacker sends frames carrying two 802.1Q tags; the outer tag matches the trunk's native VLAN, so the first switch strips it and forwards the frame untagged across the trunk, and the second switch reads the inner tag and delivers the frame into the victim VLAN. Double tagging is one-way (no replies come back) and only works when the attacker's access VLAN is the trunk's native VLAN. Prevention: configure every port explicitly as access or trunk and disable DTP negotiation, shut down unused ports and assign them to an unused VLAN, move the native VLAN from VLAN 1 to an unused VLAN that no access port belongs to, tag the native VLAN on trunks where the platform supports it, and prune trunks to carry only the VLANs they need.
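The 802.1Q tag format from the VLAN section and the double-tagging attack described in this answer, as an added example that is not part of the guide: the script builds real 802.1Q frame bytes, then runs them through a simplified model of an access port, a trunk and the receiving switch (the model is an assumption for illustration, not any vendor's documented behaviour), and shows that the hop succeeds only when the attacker's access VLAN is the trunk's untagged native VLAN, and fails once the native VLAN is moved or tagged. MAC addresses (IANA documentation range), VLAN numbers and the payload are constructed.

```python
"""Double-tagging VLAN hop, simulated: an added example, not code from the
Network+ guide.  MAC addresses, VLAN numbers and payload are constructed, and
the switch behaviour is a simplified model (assumption): an access port
accepts a frame tagged with its own VLAN and strips that tag; a trunk sends
native-VLAN frames untagged unless told to tag them; a trunk receiving a
tagged frame classifies it by the outermost tag.
"""
import struct

ETH_P_8021Q = 0x8100   # TPID that announces an 802.1Q tag
ETH_P_IPV4 = 0x0800


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, vlan_ids, payload, ethertype=ETH_P_IPV4):
    """Ethernet frame carrying zero or more 802.1Q tags, outermost first.
    Each tag is TPID 0x8100 + TCI; with PCP 0 and DEI 0 the TCI is just the
    12-bit VLAN ID."""
    tags = b"".join(struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF) for vid in vlan_ids)
    return mac(dst) + mac(src) + tags + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return (VLAN IDs outermost first, ethertype, payload)."""
    vids, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == ETH_P_8021Q:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        vids.append(tci & 0x0FFF)
        off += 4
    ethertype = struct.unpack_from("!H", frame, off)[0]
    return vids, ethertype, frame[off + 2:]


def access_ingress(frame, access_vlan):
    """Switch A, attacker's access port. Returns (vlan, frame), or (None, None) if dropped."""
    vids, _, _ = parse_tags(frame)
    if not vids:
        return access_vlan, frame
    if vids[0] == access_vlan:
        return access_vlan, frame[:12] + frame[16:]   # strip the outer tag only
    return None, None


def trunk_egress(vlan, frame, native_vlan, tag_native=False):
    """Switch A, trunk toward switch B. Native-VLAN frames go untagged unless
    the trunk tags its native VLAN; anything else gets a tag for `vlan`."""
    if vlan == native_vlan and not tag_native:
        return frame   # whatever tags the frame still carries are attacker-controlled
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, vlan) + frame[12:]


def trunk_ingress(frame, native_vlan):
    """Switch B classifies a frame arriving on its trunk by its outermost tag."""
    vids, _, _ = parse_tags(frame)
    return vids[0] if vids else native_vlan


def delivered_vlan(attacker_frame, access_vlan, native_vlan, tag_native=False):
    """VLAN that switch B delivers the attacker's frame into, or None if dropped at ingress."""
    vlan, frame = access_ingress(attacker_frame, access_vlan)
    if vlan is None:
        return None
    return trunk_ingress(trunk_egress(vlan, frame, native_vlan, tag_native), native_vlan)


# Constructed attack frame: outer tag 1 (the default native VLAN), inner tag 20 (victim VLAN).
ATTACK = build_frame("00:00:5e:00:53:20", "00:00:5e:00:53:01", [1, 20], b"payload to VLAN 20")

if __name__ == "__main__":
    print("native VLAN 1, attacker on VLAN 1:", delivered_vlan(ATTACK, 1, 1))        # 20: hop succeeds
    print("native VLAN moved to 999:", delivered_vlan(ATTACK, 1, 999))               # 1: stays in own VLAN
    print("native VLAN 1, tagged on the trunk:", delivered_vlan(ATTACK, 1, 1, True))  # 1
    print("attacker on VLAN 10, native 1:", delivered_vlan(ATTACK, 10, 1))           # None: dropped
```

A single-tagged frame for VLAN 20 sent from an access port in VLAN 1 is dropped at ingress, which is why the attack needs the second tag; and because the frame only ever travels attacker to victim, the technique is useful for one-way traffic such as a denial of service or a blind exploit, not for an interactive session.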
