Campus Segmentation Design: From VLANs to Unified Fabric

Campus segmentation often starts with virtual local area networks (VLANs) because VLANs are familiar and easy to create. The problem is that VLANs alone do not provide a complete security model. They identify broadcast domains. They do not automatically express identity, role, intent, or least privilege.

Design takeaway: use VLANs for attachment, virtual routing and forwarding instances (VRFs) or virtual networks for macro boundaries, and Security Group Tags (SGTs) for role-based microsegmentation policy.

The VLAN Sprawl Problem

Many networks have a VLAN for every department, building, device class, and historical exception. Over time, nobody remembers which VLANs are security boundaries and which are just addressing convenience. Access control lists (ACLs) pile up at gateways, firewalls carry exceptions, and troubleshooting becomes forensic reconstruction.

A better design separates attachment from policy. A device can attach through a VLAN, but its access should be determined by identity, role, segment, and destination.

Macrosegmentation

Cisco SD-Access guidance describes macrosegmentation with virtual networks or VRFs. Use this for big boundaries such as Guest, Internet of Things (IoT), Corporate, operational technology (OT), Payment Card Industry (PCI), and Shared Services.

The best practice is restraint. Keep the number of macro segments small, because every virtual network (VN) or virtual routing and forwarding (VRF) affects routing, border handoffs, route leaking, firewall policy, monitoring, and operations.

Microsegmentation

Microsegmentation handles the fine-grained question: inside a broader domain, which roles or device groups can talk to each other? This is where SGTs and group-based policy are useful.

• Employees may reach business apps but not building automation.
• Cameras may reach video management systems but not user subnets.
• Printers may receive print traffic but not initiate broad lateral access.
• Admins may reach management interfaces only from hardened workstations.

Implementation Order

Do not start by writing a large deny matrix. Start by observing traffic and defining segments. Then create a small number of meaningful groups. Then enforce in stages.

1. Inventory users, devices, applications, and shared services.
2. Define macro segments and inter-segment routing paths.
3. Define SGTs for meaningful roles and device classes.
4. Monitor policy hits and unexpected traffic.
5. Move from default permit to targeted denies, then toward stronger enforcement.

A segmentation design succeeds when security can explain the policy and network operations can troubleshoot it at 2 a.m.

Design Detail: Segmentation Has a Cost Curve

Every segment has a cost. VRFs require routing, border handoff, route leaking, firewall policy, monitoring, and troubleshooting. SGTs require classification, propagation, policy matrix management, and enforcement validation. VLANs require addressing, Dynamic Host Configuration Protocol (DHCP), and gateway placement. Good design chooses the cheapest control that meets the risk requirement.

The hierarchy matters. VLANs attach devices. VRFs or virtual networks (VNs) separate large domains. SGTs express identity or role inside a domain. Firewalls inspect boundaries where deep policy or logging is required. network access control (NAC) classifies endpoints. Assurance verifies behavior.

The migration should begin by reducing ambiguity. Label existing VLANs as attachment-only, security-boundary, legacy-exception, or retirement candidates. Then decide which boundaries deserve VRFs and which roles deserve SGTs.

Implementation Details

• Do not use a new VRF when a Security Group Tag (SGT) policy inside an existing VN is enough.
• Do not use an SGT when the endpoint cannot be reliably classified.
• Avoid hundreds of groups unless the operations team can maintain the matrix.
• Use traffic observation before default-deny enforcement.
• Document shared-services paths and exception ownership.

Segmentation Control Model

The clean model is layered. VLANs attach endpoints. VRFs or virtual networks create macro boundaries. SGTs express role and device intent. security group access control lists (SGACLs) enforce the role matrix. Firewalls still belong at places where inspection, network address translation (NAT), threat prevention, or deep logging is required.

Architecture diagram

Campus Segmentation Control Model

VLANs attach endpoints; VRFs separate macro domains; SGTs express role; enforcement evidence verifies whether policy is working.

Control	Use It For	Do Not Use It For	Evidence
VLAN	Layer 2 attachment, DHCP scope, wireless or wired onboarding behavior	Long-term security intent by itself	Switchport assignment, wireless local area network (WLAN) mapping, DHCP lease, endpoint identity.
VRF or virtual network	Large trust boundaries such as Guest, Corporate, OT, PCI, IoT, and Shared Services	Every department or every small exception	Route table, border handoff, route leak policy, firewall path.
SGT	Role, device class, or identity-driven policy inside a macro segment	Endpoints that cannot be classified reliably	NAC authorization, SGT assignment, propagation state, endpoint session.
Security Group Access Control List (SGACL)	East-west allow and deny decisions by source group and destination group	Deep application inspection or user activity auditing	Policy matrix version, hit counts, deny logs, switch enforcement point.
Firewall	North-south inspection, inter-VRF policy, internet edge, regulated logging	Compensating for an unreadable campus policy matrix	Rule ID, session log, threat log, change ticket.

SGT and SGACL Example

The example below is intentionally small. If the first production matrix cannot fit on one screen, it is probably too large for the first enforcement wave.

Source SGT	Destination SGT	Allowed Services	Default	Operational Note
Employee	Business_App	Hypertext Transfer Protocol Secure (HTTPS), app-specific Transmission Control Protocol (TCP) ports	Deny all else	Validate app dependencies before blocking ephemeral paths.
Employee	Printer	Internet Printing Protocol (IPP), print server path only	Deny direct printer admin	Prefer users to print through print servers when possible.
Camera	Video_Management	Vendor-required ports from camera to recorder	Deny all else	No camera-initiated access to user VLANs.
IoT	DNS_NTP_Update	Domain Name System (DNS), Network Time Protocol (NTP), vendor update endpoints	Deny lateral access	Use firewall or proxy where vendor destinations need inspection.
Admin_Workstation	Network_Management	Secure Shell (SSH), HTTPS, Remote Desktop Protocol (RDP) to jump hosts, Simple Network Management Protocol (SNMP) from tools	Deny from non-admin groups	Require hardened workstation posture and phishing-resistant multi-factor authentication (MFA).
Guest	Any_Internal	None	Deny	Guest should egress through internet controls only.

Enforcement Safety

Segmentation outages usually come from classification errors, hidden dependencies, or enforcement points that behave differently from the diagram. Treat enforcement as a staged safety process.

Stage	Goal	Required Evidence	Stop Condition
Observe	Learn real flows before denying traffic	NetFlow or telemetry for source, destination, port, app, user, device, SGT, and business owner	Unknown critical app paths or unclassified endpoint classes.
Classify	Assign SGTs consistently	NAC authorization logs, endpoint profile confidence, fallback handling	Large number of endpoints landing in Unknown or default groups.
Monitor policy	Simulate or log denies where supported	Policy hit counts, unexpected destination list, owner review	High-volume denies to shared services, identity, DNS, DHCP, or update systems.
Partial enforce	Block narrow high-risk lateral paths	Positive tests for required apps and negative tests for blocked movement	Help desk tickets without policy evidence or rollback clarity.
Default deny	Move mature groups to least privilege	Exception register, expiry dates, change approval, rollback tested	Unowned exceptions or undocumented route leaks.

Evidence, Security Information and Event Management (SIEM), and Incident Workflow

Evidence Source	Fields to Normalize	How the security operations center (SOC) uses it
NAC or identity platform	User, device, profile, authorization rule, assigned SGT, posture result	Confirm whether a blocked flow is a real policy decision or a classification failure.
Switch or fabric enforcement	Source SGT, destination SGT, SGACL rule, permit or deny, enforcement node	Detect lateral movement attempts and identify which device enforced the deny.
Flow telemetry	Source, destination, port, protocol, bytes, app, site, segment	Build allow lists, find hidden dependencies, and hunt for new east-west paths.
Firewall logs	VRF, zone, rule ID, threat verdict, user, app, uniform resource locator (URL), NAT	Correlate inter-segment movement with inspection results and threat events.
Change and exception register	Policy version, requester, approver, business reason, expiry	Let security orchestration, automation, and response (SOAR) auto-open review tasks for expiring or abused exceptions.

What This Does Not Protect or Validate

• Segmentation does not confirm an endpoint is clean. It only limits what that endpoint should be able to reach.
• An SGT-based policy does not protect traffic if endpoint classification is wrong, missing, or easy to spoof.
• A deny in the campus does not replace vulnerability management for applications, printers, cameras, controllers, or network devices.
• VRFs reduce blast radius, but route leaking and shared services can quietly rejoin separated worlds if they are not reviewed.
• A policy matrix is not production-ready until operations can explain a blocked flow using identity, classification, propagation, and enforcement evidence.

Cisco References

• Cisco SD-Access Design Guide
• Cisco SD-Access Macro Segmentation Guide
• Cisco Ethernet virtual private network (EVPN) microsegmentation
• Trust at machine speed

Related foundation post: Cisco Live 2026: Network Announcements That Matter.