Avoid Using VLANs for Network Separation
Do not use VLANs to separate internal networks from the public internet.
Plain language
This control advises against using VLANs, or Virtual Local Area Networks, to separate your organisation’s internal networks from the internet. If you rely on VLANs alone for this separation, you could be putting your data at risk, as VLANs can be vulnerable to attacks that allow intruders to bypass these barriers.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for networking
Section
Network design and configuration
Official control statement
VLANs are not used to separate network traffic between an organisation's networks and public network infrastructure.
Why it matters
Relying on VLANs for network separation exposes sensitive data to potential breaches by attackers exploiting VLAN hopping techniques.
Operational notes
Ensure separation from public infrastructure uses physical links or encrypted tunnels, not VLANs; review switch trunking and ACLs to prevent VLAN hopping.
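As an added example (not from the ISM or this page), a Python check of the kind the operational note calls for: it parses a constructed Cisco IOS-style switch configuration and flags the trunk-port settings that make VLAN hopping possible (DTP negotiation, native VLAN 1, and unrestricted allowed VLANs). The configuration text and the assumption that an unconfigured port behaves as "dynamic auto" are both constructed for illustration.

```python
# Constructed IOS-style running-config excerpt; no real device is represented.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 1
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 20
interface GigabitEthernet0/3
 switchport mode dynamic desirable
interface GigabitEthernet0/4
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport nonegotiate
"""

def parse_interfaces(config):
    """Return {interface name: [stripped sub-commands]} from IOS-style text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
    return interfaces

def trunk_findings(config):
    """Map each interface with a VLAN-hopping-relevant setting to its findings."""
    results = {}
    for name, cmds in parse_interfaces(config).items():
        # Assumption: a port with no explicit mode behaves as 'dynamic auto'.
        mode = next((c[len("switchport mode "):] for c in cmds
                     if c.startswith("switchport mode ")), "dynamic auto")
        issues = []
        if mode.startswith("dynamic"):
            issues.append("dtp-negotiation: port can negotiate itself into a trunk")
        if mode == "trunk":
            if "switchport nonegotiate" not in cmds:
                issues.append("dtp-on-trunk: trunk still sends DTP frames")
            native = next((c.split()[-1] for c in cmds
                           if c.startswith("switchport trunk native vlan ")), "1")
            if native == "1":
                issues.append("native-vlan-1: default native VLAN allows double-tagging")
            if not any(c.startswith("switchport trunk allowed vlan ") for c in cmds):
                issues.append("all-vlans-allowed: trunk carries every VLAN")
        if issues:
            results[name] = issues
    return results
```

Running `trunk_findings(SAMPLE_CONFIG)` reports GigabitEthernet0/1 and 0/3 only; the access port and the hardened trunk on 0/4 produce no findings.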
Implementation tips
- Network Administrators should reevaluate current network configurations to ensure that VLANs are not the primary method for separating internal networks from the public internet. They can achieve this by using separate physical networks or firewalls instead.
- IT Managers should work to establish a policy that clearly prohibits the use of VLANs for isolating internal networks from the internet. This policy should outline acceptable methods for network separation, such as firewalls or dedicated routers.
- Security Officers should organise training for IT staff to help them understand the limitations of VLANs for network separation and educate them on more secure alternatives. This training could be done through workshops or e-learning modules focused on network security best practices.
- IT Teams should inspect all connection points between internal and public networks to ensure that secure methods like firewalls are in place instead of relying on VLANs. This can involve conducting regular audits of network configurations and ensuring compliance with the established network separation policy.
- System Engineers should implement and regularly update firewall rules to ensure they are effectively separating internal networks from the public internet. This involves defining rules that control which data is allowed to pass and regularly reviewing these rules to address emerging threats.
Audit / evidence tips
- Ask: the current network topology diagram. Request a detailed diagram showing how internal networks are separated from the public internet.
  Good: will show firewalls or physical separation methods clearly noted.
- Ask: the network security policy document. Request the written policy that details how the organisation separates internal networks from the internet. Look to see if the policy mentions firewalls or other secure methods instead of VLANs.
  Good: policy will explicitly prohibit VLAN use for this purpose.
- Ask: training records. Request documentation of recent training sessions on network security for IT staff.
  Good: includes session agendas, dates, and participant lists.
- Ask: a firewall configuration snapshot. Request a current configuration export from the firewall in use.
  Good: configuration will have specific rules reducing unnecessary exposure to the internet.
- Ask: recent network audit reports. Request reports from any network audits conducted in the past year. Look to see if they assessed VLAN use and recommended changes.
  Good: report will identify VLAN issues and document corrective actions taken.
Cross-framework mappings
How ISM-1532 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
Partially meets (2)
| Control | Notes |
|---|---|
| Annex A 8.20 | ISM-1532 requires organisations to avoid using VLANs as the separation mechanism between internal networks and public network infrastruct... |
| Annex A 8.22 | ISM-1532 requires that VLANs are not used to separate traffic between an organisation’s networks and public network infrastructure. |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.