ISM-0535, ASD Information Security Manual (ISM)

Prevent VLAN Trunk Sharing Across Security Domains

Ensure network devices do not use shared paths for VLANs from different security areas.

Plain language

This control is about keeping computer networks safe by not letting different areas of your business share the same connection paths for their computer traffic. If this isn't done, sensitive information from one part of the business could leak into another, leading to privacy breaches or security incidents.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2021

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Network devices managing VLANs belonging to different security domains do not share VLAN trunks.
ASD Information Security Manual (ISM), ISM-0535

Why it matters

If VLAN trunks are shared between security domains, traffic can cross domains via mis-tagging or leaks, causing unauthorised disclosure of sensitive data.

Operational notes

Verify trunk ports only carry VLANs for a single security domain; remove unused VLANs, restrict allowed VLAN lists, and routinely review switch trunk configs.
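
The trunk review described above can be automated. The following is an added example, not part of the ISM or of this page's source: it assumes Cisco IOS-style `switchport` syntax, handles only literal allowed lists and `add` lines, and uses a constructed VLAN-to-domain map and a constructed sample configuration.

```python
import re

# Constructed sample data (assumptions, not taken from any real network).
VLAN_DOMAIN = {10: "finance", 11: "finance", 20: "hr", 21: "hr"}
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk allowed vlan 10-11
interface GigabitEthernet1/0/2
 switchport mode trunk
 switchport trunk allowed vlan 10
 switchport trunk allowed vlan add 20,99
interface GigabitEthernet1/0/3
 switchport mode trunk
"""

def expand(spec):
    """Expand '10,20-22' into {10, 20, 21, 22}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_trunks(config):
    """Return {interface: allowed VLAN set, or None if no allowed list is set}."""
    trunks, name, is_trunk, allowed = {}, None, False, None
    for line in config.splitlines() + ["interface END"]:  # sentinel flushes last port
        line = line.strip()
        if line.startswith("interface "):
            if name and is_trunk:
                trunks[name] = allowed
            name, is_trunk, allowed = line.split(None, 1)[1], False, None
        elif line == "switchport mode trunk":
            is_trunk = True
        elif m := re.fullmatch(r"switchport trunk allowed vlan (add )?([\d,\- ]+)", line):
            allowed = (allowed or set()) | expand(m[2]) if m[1] else expand(m[2])
    return trunks

def audit(config, vlan_domain):
    """Return {interface: finding} for trunks that break single-domain separation."""
    findings = {}
    for intf, allowed in parse_trunks(config).items():
        domains = sorted({vlan_domain.get(v, "unmapped") for v in allowed or ()})
        if allowed is None:  # assumption: IOS-style default, trunk carries all VLANs
            findings[intf] = "no allowed VLAN list: trunk carries every VLAN"
        elif len(domains) > 1:
            findings[intf] = "mixed domains: " + ", ".join(domains)
    return findings
```

Calling `audit(SAMPLE_CONFIG, VLAN_DOMAIN)` flags the second and third sample ports; VLANs missing from the map are reported as `unmapped`, which also surfaces unused VLANs left on a trunk.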

Implementation tips

  • The IT team should review the current network design to ensure that VLAN trunks, the links that carry traffic for multiple VLANs between network devices, aren't shared between different security-sensitive areas. They can do this by mapping each VLAN and its associated trunk, confirming that data paths are not shared between different departments like finance and HR.
  • Managers should collaborate with the IT team to understand how their network is set up and ensure it's aligned with security best practices. Regular meetings can help discuss any changes in business operations that might affect how the network should be configured.
  • The network administrator should update configuration settings on network devices to ensure VLANs from different departments have separate pathways. This can be done by logging into network switches and checking that each security domain has its own trunk.
  • Procurement officers should ensure that new network equipment supports advanced VLAN features. They can ask suppliers for specifications that include the ability to separate VLAN traffic securely.
  • HR should inform the IT team about any significant changes in staff or department structures. This helps the IT team adjust VLAN assignments and paths to suit the current organisational layout, minimising the risk of data leakage.

Audit / evidence tips

  • Ask: A network topology diagram: Request a visual map showing how the network is laid out and how VLANs are configured. Good: Shows clear boundaries between VLANs, with no overlaps between sensitive departments like finance and HR.
  • Ask: Device configuration files: Request files from network switches that detail VLAN setups. Good: Provides configurations indicating that each VLAN trunk is uniquely used per security domain.
  • Ask: A change management record: Request records of recent network changes that may affect VLAN paths. Good: Shows that changes were reviewed and authorised, ensuring paths remain separated.
  • Ask: To see incident reports related to network issues: Request logs of any past incidents where VLAN configurations may have failed. Good: Includes evidence of incidents being fixed without data spills across domains.
  • Ask: Documentation on staff training about VLAN security: Request records showing training sessions held for IT and network staff about maintaining VLAN separation. Good: Shows regular and relevant training, confirming staff are aware of best practices.

Cross-framework mappings

How ISM-0535 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)

Control: Annex A 8.22
Notes: ISM-0535 requires organisations to prevent VLAN trunks from being shared between VLANs belonging to different security domains, to mainta...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.