Internal segmentation separates diverse operational environments. Mixing corporate user traffic, production servers, and guest Wi-Fi on the same broadcast domain guarantees lateral movement and data leakage.
Corporate networks are high-risk due to user phishing. Production environments require strict stability and access controls. Guest networks are inherently untrusted and must be routed directly to the internet with zero internal access.
💡 Pro-tip: Implement 'Guest VLANs' that are routed via a dedicated internet circuit or a strictly filtered firewall zone that blocks all RFC1918 private IP destinations.
```
! Cisco Guest VLAN Isolation ACL
! If guest DHCP or DNS is served from an internal address, add permit
! entries for those servers above the deny lines (first match wins).
ip access-list extended GUEST-ISOLATION
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 192.168.0.0 0.0.255.255
 permit ip any any
! Apply inbound on the guest SVI (Vlan100 is a placeholder VLAN id)
interface Vlan100
 ip access-group GUEST-ISOLATION in
```

This ACL explicitly denies the Guest VLAN from routing to any internal private IP space, forcing all traffic out to the internet while preventing internal snooping.
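A quick way to check that an isolation ACL actually covers every RFC1918 destination before it is pushed to a switch is to evaluate it offline. The following Python is an added example, not code from the page or from Cisco: it parses the page's GUEST-ISOLATION entries (wildcard-mask syntax, first-match, implicit deny), then probes constructed guest-to-internal and guest-to-internet flows. The guest source address and probe destinations are assumptions.

```python
import ipaddress

# Constructed copy of the page's GUEST-ISOLATION entries (Cisco IOS syntax).
GUEST_ISOLATION_ACL = """
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
"""

def _parse_target(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # Cisco wildcard = inverted netmask (0.255.255.255 -> /8); contiguous masks only.
    netmask = ".".join(str(255 - int(o)) for o in tokens.pop(0).split("."))
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False)

def parse_acl(text):
    """Return ordered (action, src_net, dst_net) entries; 'ip' entries only."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("!", "remark"):
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported entry: {line}")
        entries.append((action, _parse_target(rest), _parse_target(rest)))
    return entries

def evaluate(entries, src_ip, dst_ip):
    """First match wins; an IOS ACL ends with an implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in entries:
        if src in src_net and dst in dst_net:
            return action
    return "deny"

def check_guest_isolation(acl_text, guest_ip="192.168.50.25"):
    """Map constructed probe destinations to the ACL verdict for a guest host."""
    entries = parse_acl(acl_text)
    probes = {"corp-server": "10.20.30.40", "ot-controller": "172.31.1.5",
              "other-guest": "192.168.50.26", "public-dns": "8.8.8.8",
              "just-outside-172.16/12": "172.32.0.1"}
    return {name: evaluate(entries, guest_ip, ip) for name, ip in probes.items()}
```

Note that the ACL also denies guest-to-guest traffic across the VLAN only at layer 3; hosts on the same guest segment still reach each other directly unless port isolation or a private VLAN is configured on the switch.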
Operational Technology (OT) and IoT devices often run unpatchable, legacy firmware. They must be placed in isolated, heavily monitored zones with strict outbound ACLs to prevent them from being used as pivot points.
⚠️ Never allow IoT devices (like smart TVs or HVAC controllers) to reside on the Corporate VLAN. They are frequent targets for botnets and provide easy backdoors into the user network.
| Zone | Trust Level | Internet Access |
|---|---|---|
| Corporate | Semi-Trusted | Filtered via Proxy |
| Production | Highly Restricted | None / Strict NAT |
| Guest | Untrusted | Direct / Isolated |