Separate VLANs by Security Domains
Ensure VLANs from different security domains use separate network interfaces to avoid cross-traffic.
Plain language
When you're organising your computer network, imagine it like different sections in a department store. This control is about ensuring each section (or VLAN) is kept on its own floor, preventing items (or data) from accidentally ending up in the wrong place. This matters because if sections aren't kept separate, sensitive information can accidentally end up where it shouldn't, leading to data breaches and potential legal troubles.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2021
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for networking
Section
Network design and configuration
Official control statement
Network devices managing VLANs terminate VLANs belonging to different security domains on separate physical network interfaces.
Why it matters
Without separate physical interfaces per security domain, VLAN termination can allow unintended inter-domain routing, increasing risk of data leakage.
Operational notes
Confirm VLANs for different security domains are terminated on separate physical interfaces; review trunks/SVIs and change records to prevent shared termination.
Implementation tips
- IT manager: Identify the different security domains within your organisation. Security domains are like different departments in an office, each with its own types of data that need protection from others. List these domains and assess which areas of your network they use.
- Network administrator: Configure each VLAN for different security domains to run on separate network interfaces. This is like dedicating a specific lane to each type of traffic on a highway, ensuring there's no crossover that could cause confusion or accidents.
- IT team: Conduct regular reviews of the network setup. Check that no changes have merged VLANs that should be separate. Use network management tools to verify that all VLAN configurations still meet the security domain separations.
- Procurement officer: Ensure that when new networking equipment is purchased, it supports multiple physical network interfaces. This way, new devices can maintain the separation required between different security domains.
- Security officer: Educate staff about the importance of keeping network segments separate. Use simple examples, likening it to keeping work files in separate, labelled cabinets so nothing is misplaced or mistakenly accessed by the wrong people.
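One way to automate the review described in the operational notes and the IT team tip above, as an added example that is not part of the control text or the ISM: a Python check that parses an IOS-style switch configuration, maps each VLAN to its security domain, and flags any physical port that terminates VLANs from more than one domain. The configuration excerpt, VLAN numbers, domain labels and the `VLAN_DOMAIN` register are constructed assumptions for illustration, not taken from any real device or organisation.

```python
import re
from collections import defaultdict

# Hypothetical VLAN-to-security-domain register (constructed for this example).
VLAN_DOMAIN = {10: "OFFICIAL", 11: "OFFICIAL", 20: "PROTECTED", 30: "SECRET"}

# Constructed IOS-style switch configuration excerpt; not from any real device.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10-11
interface GigabitEthernet0/2
 switchport mode trunk
 switchport trunk allowed vlan 10,20
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 30
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
"""

def expand_vlan_list(spec):
    """Expand a list like '10,20-22' into the set {10, 20, 21, 22}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def vlans_per_physical_port(config):
    """Map each physical port to the VLANs terminated on it; SVIs are skipped."""
    ports, current = defaultdict(set), None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:  # new stanza; "interface VlanN" is a logical SVI, not a physical port
            current = None if m.group(1).lower().startswith("vlan") else m.group(1)
        elif current is not None:
            m = re.match(r"\s*switchport (?:trunk allowed|access) vlan (\S+)", line)
            if m:
                ports[current] |= expand_vlan_list(m.group(1))
    return dict(ports)

def find_shared_termination(config, vlan_domain):
    """Return {port: sorted domains} for ports carrying VLANs of more than one domain."""
    findings = {}
    for port, vlans in vlans_per_physical_port(config).items():
        domains = {vlan_domain.get(v, f"UNMAPPED-{v}") for v in vlans}
        if len(domains) > 1:  # shared termination: the condition ISM-1364 forbids
            findings[port] = sorted(domains)
    return findings
```

A VLAN missing from the register is treated as its own domain, so it is flagged whenever it shares a physical port with a mapped VLAN rather than silently passing the check.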
Audit / evidence tips
- Ask for the network architecture diagram: request the most up-to-date diagram showing how VLANs are structured and connected.
  Good: a clear visual separation with no overlap between sensitive and regular data traffic.
- Ask for the VLAN configuration policy: request the policy document that outlines how VLANs should be set up.
  Good: the policy describes specific rules for separation aligned with organisational security domains.
- Ask to review recent network logs: request logs from the network management system showing the current network setup and recent changes.
  Good: logs match the policy with no unauthorised changes.
- Ask for staff training records: check documentation of any training given on network security relevant to VLAN management.
  Good: regular sessions on VLAN separation and evidence that key IT staff attended.
- Ask to see the equipment purchase records: request records for recent networking equipment purchases.
  Good: purchases aligned with strategic network design goals, supporting multiple VLAN separations.
Cross-framework mappings
How ISM-1364 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets (2) | Annex A 8.20 | ISM-1364 addresses a specific network-device configuration requirement: VLANs for different security domains must terminate on separate p... |
| Partially meets (2) | Annex A 8.22 | ISM-1364 requires VLANs from different security domains to be terminated on separate physical network interfaces to prevent cross-domain ... |
| Supports (1) | Annex A 8.21 | ISM-1364 requires physical interface separation when terminating VLANs from different security domains to minimise unintended cross-domai... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.