Avoid Using VLANs for Different Security Domains
Do not use VLANs to separate networks with different security levels.
Plain language
When you set up different parts of your network for security reasons, don't rely on VLANs (Virtual Local Area Networks) to keep them apart. VLANs are a logical separation only: VLAN hopping attacks or a misconfigured switch can let traffic cross from one VLAN into another. This matters because if one part of your network is breached, attackers could reach sensitive data in the other parts too.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2021
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for networking
Section
Network design and configuration
Official control statement
VLANs are not used to separate network traffic between networks belonging to different security domains.
Why it matters
Relying on VLANs to separate different security domains can allow cross-domain access if VLAN hopping or misconfiguration occurs, exposing sensitive data.
Operational notes
Ensure different security domains use physical or cryptographic separation, not VLANs. Review switch configs and routing/ACL paths to confirm no cross-domain VLAN connectivity.
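As an added example (not part of the ISM or Control Stack), the following Python check runs over a constructed Cisco-IOS-style switch config excerpt and flags two things the review above looks for: trunk ports whose allowed-VLAN list spans more than one security domain, and the set of domains that have an SVI on the same device (more than one means the switch itself can route between domains). The VLAN-to-domain mapping and the config text are assumptions made for this example.

```python
# Constructed VLAN-to-security-domain mapping (an assumption for this example).
VLAN_DOMAIN = {10: "OFFICIAL", 20: "OFFICIAL", 30: "PROTECTED", 40: "SECRET"}

# Constructed Cisco-IOS-style excerpt, not taken from any real device.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20
interface GigabitEthernet1/0/2
 switchport mode trunk
 switchport trunk allowed vlan 20,40
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
interface Vlan40
 ip address 10.1.40.1 255.255.255.0
"""

def expand_vlans(spec):
    """Expand a VLAN list such as '20,30-32' into a set of integer IDs."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def parse_interfaces(config):
    """Map each interface name to the VLANs it carries (trunk, access port or SVI)."""
    result, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            vid = current[4:] if current.startswith("Vlan") else ""
            result[current] = {int(vid)} if vid.isdigit() else set()
        elif current and "trunk allowed vlan" in line:  # plain form only, not 'add'/'remove'
            result[current] |= expand_vlans(line.split()[-1])
        elif current and "access vlan" in line:
            result[current].add(int(line.split()[-1]))
    return result

def find_cross_domain(config, vlan_domain=VLAN_DOMAIN):
    """Return (interfaces carrying >1 domain, sorted domains that have an SVI on the device)."""
    findings, routed = {}, set()
    for name, vlans in parse_interfaces(config).items():
        domains = {vlan_domain.get(v, "UNMAPPED") for v in vlans}
        if len(domains) > 1:
            findings[name] = sorted(domains)
        if name.startswith("Vlan"):
            routed |= domains
    return findings, sorted(routed)
```

A VLAN absent from the mapping is reported as UNMAPPED so that undocumented VLANs on a shared trunk surface as findings rather than being silently ignored.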
Implementation tips
- The network administrator should review current network segmentation strategies. Ensure that sensitive and non-sensitive network areas are physically separated rather than relying solely on VLANs, which can be bypassed with certain attacks.
- The IT manager should conduct a risk assessment of the current VLAN usage. Include factors like potential data exposure and the impact of a breach across network segments, emphasising the need for physical or additional logical separation methods.
- IT security staff should install additional network security equipment, such as firewalls or routers, to physically separate different security domains within the network, thereby reducing reliance on VLAN separation.
- The IT team should work alongside a security consultant to design a layered network security architecture. This should include using multiple security measures, such as firewalls and network intrusion detection systems (IDS), beyond just VLANs.
- System owners should document and regularly review the network design and security policies. Update these documents to reflect changes in technology or business operations, ensuring network separations are maintained through reliable means.
Audit / evidence tips
- Ask: the network architecture diagram. Request the most recent diagram illustrating the physical and logical separation of network segments.
  Good: shows multiple layers of network security, with physical separations where needed.
- Good: record specifies alternative or additional security solutions employed.
- Ask: a report on recent penetration testing or network audits. This should include results on how well VLANs are used in conjunction with other security measures.
  Good: report highlights segregated security zones with more robust protections.
- Good: document details how multiple security domains stayed isolated despite breach attempts, highlighting effective alternative separations.
- Good: log shows proactive steps taken to separate network domains securely.
Cross-framework mappings
How ISM-0529 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets (1) | Annex A 8.22 | ISM-0529 requires that VLANs are not used to separate network traffic between networks belonging to different security domains |
| Supports (1) | Annex A 8.20 | ISM-0529 requires that VLANs are not used to separate network traffic between different security domains, pushing organisations to use st... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.