Every SE has heard this objection at least once: “We already have VLANs. Our network is segmented.”
The customer is not wrong. VLANs exist. Ports are assigned. There may even be a spreadsheet somewhere that maps VLANs to building floors. But when you ask whether a compromised workstation on VLAN 10 can reach the database servers on VLAN 50, the room goes quiet. Nobody has tested it. Nobody has looked at the inter-VLAN ACLs — if there are any — in months. The VLAN spreadsheet has not been updated since the last network refresh.
This is the conversation where segmentation deals start. Not with a product pitch. Not with a slide deck. With a whiteboard and a simple question: if an attacker compromises one machine on your network today, how far can they move before something stops them?
This post walks through the segmentation maturity model that SEs can use to frame customer conversations, the technical architecture at each stage, the comparison of approaches, objection handling, and real breach examples that make the business case concrete.
The Segmentation Maturity Model
Network segmentation maturity is not binary. Customers do not go from “unsegmented” to “fully segmented” in one project. The maturity model below describes five progressive levels, each with distinct characteristics, risk profiles, and operational requirements.
Level 0 — Flat Network (No Segmentation)
All devices share a single broadcast domain or a small number of VLANs with no access control between them. A compromised device can reach every other device on the network. This is more common than most customers admit — especially in manufacturing, healthcare, and organizations that grew through acquisition without network consolidation.
Level 1 — VLAN-Based Segmentation
Devices are grouped into VLANs by function, location, or department. VLANs create broadcast domain boundaries, but inter-VLAN routing is typically enabled with no access control lists. The segmentation is logical but not enforced — any device can route to any other VLAN through the default gateway.
Level 2 — ACL-Enforced Segmentation
Access control lists are applied at the distribution or core layer to restrict traffic between VLANs. This is where most mid-market customers land. The challenge is operational: ACLs are static, IP-based, and grow in complexity over time. A 500-user network might have thousands of ACL entries across dozens of switches. Changes require manual updates, and stale rules accumulate.
Level 3 — Microsegmentation
Policy enforcement moves from the network layer to the workload layer. Agents on endpoints or hypervisor-level controls enforce access policy between individual workloads — even workloads in the same VLAN or subnet. Microsegmentation tools like Cisco Secure Workload (formerly Tetration), VMware NSX, or Illumio provide visibility into east-west traffic flows and enforce policy at the application level.
Level 4 — Identity-Based Segmentation (TrustSec/SGT)
Segmentation is driven by identity and context rather than IP addresses. Cisco TrustSec assigns Scalable Group Tags (SGTs) to users and devices based on who they are, what they are, and their security posture — not where they connect. Policy is defined in a centralized SGT-to-SGT matrix on Cisco ISE, and enforcement happens inline at the switch, router, or firewall. When a user moves from one building to another, their SGT follows them. No ACL changes required.
The Whiteboard Conversation Flow
The maturity model is most effective when drawn on a whiteboard during a discovery meeting. Here is the flow that consistently generates productive conversations:
Step 1: Draw the five levels as a horizontal progression.
Start with a simple left-to-right arrow. Label each level. Do not put the customer’s name on the board yet — keep it abstract.
Step 2: Ask the customer to self-identify.
“Where would you put your network today on this scale?” Most customers place themselves at Level 1 or Level 2. Some will say Level 2 when they are actually at Level 1 — the follow-up questions will surface the reality.
Step 3: Ask the validation questions.
For customers who self-identify at Level 2 (ACL-enforced):
- “When was the last time someone reviewed your inter-VLAN ACLs?”
- “If I plug a laptop into a conference room port, what can I reach?”
- “How do you handle segmentation for devices that move — laptops, wireless clients, IoT devices?”
These questions are not adversarial. They are discovery. The answers reveal the gap between perceived segmentation and actual enforcement.
Step 4: Draw the blast radius.
Pick a realistic scenario: “An employee clicks a phishing link on their workstation. The attacker has a foothold. Show me on the network diagram what that attacker can reach in the first 30 minutes.”
On a flat network, the answer is everything. On a VLAN-only network, the answer is usually still everything within the VLAN and most things across VLANs. This is the moment where the conversation shifts from theoretical to urgent.
Step 5: Position the solution as a journey, not a rip-and-replace.
No customer moves from Level 0 to Level 4 in a single project. Position a roadmap: get to Level 2 first with proper ACL enforcement, then move to Level 3 or Level 4 depending on their environment and operational maturity. This makes the project approachable rather than overwhelming.
Architecture: What Each Level Looks Like
Level 1 — VLANs Only
[Access Switch] -- VLAN 10 (Users) ----\
[Access Switch] -- VLAN 20 (Servers) ---+-- [Core/Distribution Router] -- Internet
[Access Switch] -- VLAN 30 (IoT) ------/
(inter-VLAN routing enabled,
no ACLs between VLANs)
Traffic between VLANs is routed freely. The router (or Layer 3 switch) forwards all inter-VLAN traffic without restriction. A compromised device in VLAN 10 can reach every server in VLAN 20 and every IoT device in VLAN 30.
Level 2 — VLANs + ACLs
[Access Switch] -- VLAN 10 (Users) ----\
[Access Switch] -- VLAN 20 (Servers) ---+-- [Core/Distribution Router] -- Internet
[Access Switch] -- VLAN 30 (IoT) ------/ |
[ACLs applied on SVI interfaces]
VLAN 10 -> VLAN 20: permit tcp 443, 3389
VLAN 10 -> VLAN 30: deny all
VLAN 30 -> VLAN 20: permit tcp 8883 (MQTT)
ACLs restrict which traffic flows between VLANs. This works for small networks but becomes unmanageable at scale. Every new application, server, or device requires ACL updates across multiple switches.
Level 3 — Microsegmentation
[Hypervisor / Endpoint Agent]
|
+-- VM-A (Web Server) -- Policy: allow inbound 443, deny all else
+-- VM-B (App Server) -- Policy: allow from VM-A on 8080, deny all else
+-- VM-C (Database) -- Policy: allow from VM-B on 5432, deny all else
|
All VMs may be on the same VLAN/subnet — policy is enforced at the workload level
Microsegmentation enforces policy regardless of network topology. Two VMs on the same subnet can be isolated from each other. The microsegmentation platform provides traffic flow visibility first, then generates recommended policies, then enforces them.
Level 4 — TrustSec / SGT
[User authenticates via 802.1X or MAB]
|
v
[Cisco ISE assigns SGT based on identity + posture]
|
v
[Switch tags frame with SGT = 5 (Employee)]
|
v
[Traffic reaches destination switch/firewall]
|
v
[SGACL lookup: SGT 5 (Employee) -> SGT 10 (Finance Servers) = DENY]
[SGACL lookup: SGT 5 (Employee) -> SGT 8 (General Servers) = PERMIT]
The SGT follows the user everywhere on the network. Policy is defined once in the ISE SGACL matrix and enforced at every TrustSec-capable device in the path. No IP-based ACLs. No manual updates when users move.
Comparison Table: Segmentation Approaches
| Criteria | VLANs Only | VLANs + ACLs | Microsegmentation | TrustSec/SGT |
|---|---|---|---|---|
| Enforcement point | None (grouping only) | Router/L3 switch | Workload/agent | Inline at switch/FW |
| Policy granularity | Broadcast domain | IP/port-based | Application-level | Identity-based |
| Scalability | Good | Poor (ACL explosion) | Good | Excellent |
| Operational overhead | Low | High (manual ACLs) | Medium (agent mgmt) | Low (centralized matrix) |
| Handles mobility | No | No (IP changes break rules) | Yes | Yes (SGT follows user) |
| East-west within VLAN | No control | No control | Full control | Full control |
| Prerequisite | Managed switches | L3 switches + discipline | Agent deployment or hypervisor | ISE + TrustSec-capable infra |
| Typical customer size | Any | SMB to mid-market | Mid-market to enterprise | Mid-market to enterprise |
| Relative cost | Included in switches | Included (but labor-intensive) | Software licensing | ISE + infrastructure licensing |
Handling Customer Objections
“VLANs are fine — we are already segmented.”
Acknowledge, then probe: “VLANs are a great foundation. Let me ask — between your user VLAN and your server VLAN, what ACLs are in place? Can a user workstation initiate an RDP session to a database server directly?” If the answer is yes (or unknown), the segmentation is logical grouping without enforcement. VLANs without ACLs are organizational, not security controls.
“ACLs are too complex to maintain.”
Agree — this is precisely the problem that identity-based segmentation solves. Show the math: a network with 20 VLANs and 50 servers generates hundreds of ACL entries that must be updated manually every time a server is added, moved, or decommissioned. With TrustSec, the policy is defined once as “Employees can reach General Servers but not Finance Servers” — no IP addresses in the policy at all.
“We do not have the budget for a full segmentation project.”
Position the maturity model as a phased approach. Phase 1: audit existing VLANs and ACLs, close the obvious gaps (often zero cost — just configuration changes). Phase 2: deploy ISE for visibility and 802.1X for wired/wireless authentication. Phase 3: enable TrustSec SGTs. Each phase delivers incremental security value and can be budgeted separately.
“Segmentation will break applications.”
This is the most legitimate concern. The mitigation is monitor-before-enforce. Every microsegmentation and TrustSec deployment starts with a monitoring phase where traffic flows are observed and mapped before any enforcement policy is applied. Cisco Secure Workload and ISE both provide traffic flow visibility that lets you build policies based on actual observed behavior rather than documentation (which is always incomplete).
“Our compliance auditor said VLANs satisfy the segmentation requirement.”
PCI DSS 4.0 requirement 1.4 specifically requires network segmentation controls between the cardholder data environment (CDE) and other networks, and those controls must restrict traffic to only what is necessary. VLANs without ACLs do not satisfy this requirement. The QSA may have accepted it in a previous assessment, but the standard is clear: segmentation requires access control, not just logical grouping.
Breach Case Studies: Why Segmentation Matters
Target (2013) — 40 Million Payment Cards
The Target breach is the textbook example of segmentation failure. Attackers compromised credentials belonging to an HVAC vendor (Fazio Mechanical Services) that had VPN access to Target’s network for electronic billing and contract submissions. From the vendor network, the attackers moved laterally to the point-of-sale (POS) network because no effective segmentation prevented a vendor network connection from reaching POS terminals.
If Target had enforced segmentation between vendor access and the POS environment — even basic ACLs denying vendor network traffic to POS subnets — the blast radius would have been contained to the vendor segment. The attackers would have had access to billing systems, not payment card data.
Maersk / NotPetya (2017) — $300 Million in Damage
The NotPetya ransomware spread through Maersk’s global network in under seven minutes, encrypting approximately 49,000 laptops, 3,500 servers across 600 sites in 130 countries. The propagation was possible because the network was effectively flat — the malware used EternalBlue (SMB exploit) and credential harvesting to move laterally without restriction.
Maersk’s IT team later described the network as having minimal segmentation between business units and geographies. A segmented network with restricted SMB traffic between segments and micro-segmented server environments would have contained NotPetya to the initially compromised segment, reducing a $300 million disaster to a localized incident.
Colonial Pipeline (2021) — Operational Technology Exposure
Colonial Pipeline shut down fuel distribution for the US East Coast after ransomware compromised their IT network. The company preemptively shut down OT (operational technology) systems because they could not confirm that the IT/OT boundary was properly segmented. Whether the ransomware actually crossed into OT is debated — but the fact that Colonial Pipeline could not verify their own segmentation forced a precautionary shutdown that caused fuel shortages across multiple states.
Proper IT/OT segmentation with monitored and enforced boundaries would have allowed Colonial Pipeline to confirm that OT systems were isolated and continue fuel operations while remediating the IT environment.
Positioning Segmentation in the Sales Cycle
Segmentation is not a product sale — it is an architecture conversation. The most effective approach for SEs:
During discovery: Use the maturity model whiteboard to assess current state. Document the customer’s self-assessment and your validated assessment. These often differ by one or two levels.
During technical validation: Run a traffic flow analysis using whatever tools the customer has (NetFlow, Secure Workload, even packet captures). Show the customer what traffic actually flows between their segments. The gap between what they think is restricted and what actually is restricted drives urgency.
During proposal: Present a phased roadmap with clear milestones. Phase 1 is always visibility — you cannot segment what you cannot see. Phase 2 is enforcement at the VLAN/ACL level. Phase 3 is microsegmentation or TrustSec depending on the customer’s infrastructure.
During negotiation: Reference the breach case studies. The cost of a segmentation project is always less than the cost of a breach that could have been contained. Target’s breach cost exceeded $200 million in settlements and remediation. A segmentation project for a comparable retailer would cost a fraction of that.
Segmentation is one of the few security investments where the SE can draw a direct line from the technical control to the business outcome: smaller blast radius means smaller breach impact means lower financial risk. That story sells itself when the whiteboard work is done right.
Related Posts in This Series
- How to Whiteboard a Zero Trust Architecture in 10 Minutes — Zero trust depends on strong segmentation; learn how to whiteboard both together
- Secure Campus Network Reference Architecture — See how VLANs and microsegmentation fit into a full campus design
- Cisco ISE vs Aruba ClearPass vs Forescout — Compare the NAC platforms that enforce segmentation policies
- How to Build a Business Case for NAC — Tie your segmentation architecture to a business justification the customer can sell internally
- IoT Security Architecture for Manufacturing and Healthcare — Segmentation is the foundation of every IoT security deployment
Practice with free flashcards, quizzes, and hands-on lab scenarios at cciesec.it-learn.io — built specifically for the CCIE Security v6.1 written (350-701 SCOR) and lab exam.
