---
title: "Network Segmentation — AP Cybersecurity Definition"
description: "Network segmentation splits one network into isolated zones to stop attackers from moving laterally, a key defense in Unit 3's network security topics."
canonical: "https://fiveable.me/ap-cybersecurity/key-terms/network-segmentation"
type: "key-term"
subject: "AP Cybersecurity"
unit: "Unit 3"
---

# Network Segmentation — AP Cybersecurity Definition

## Definition

Network segmentation is the practice of dividing a network into smaller, isolated zones (often using VLANs or subnets) so that an attacker who compromises one device cannot freely move laterally to reach more sensitive systems.

## What It Is

Network segmentation means breaking one big flat network into smaller chunks that can't all talk to each other freely. Instead of every device sharing one open LAN, you carve it into separate zones, often with VLANs (virtual LANs) or [subnets](/ap-cybersecurity/key-terms/subnet "fv-autolink"), and [control](/ap-cybersecurity/unit-2/cyber-foundations/study-guide/0oS8jJyX7iolYntwz5Eh "fv-autolink") traffic between them with firewalls. Think of it like adding interior doors to a building. If a burglar gets through the front door, they still can't wander into every room.

This matters because of how attackers behave once they're inside. Per EK 3.1.B.2, an adversary who compromises one device usually tries to leverage that [foothold](/ap-cybersecurity/unit-2/physical-vulnerabilities-and-attacks/study-guide/ZcvQYEyowkyIYrjESpUp "fv-autolink") to compromise other devices on the same LAN. That sideways movement is called lateral movement (EK 3.1.C.1). Segmentation cuts those paths. A compromised printer on a guest VLAN simply has no route to your finance servers sitting in a separate, firewalled subnet.

## Why It Matters

Network segmentation lives in [Unit 3](/ap-cybersecurity/unit-3 "fv-autolink"): Securing Networks, anchored to Topic 3.1 Network Vulnerabilities and Attacks. It directly supports [AP Cybersecurity](/ap-cybersecurity "fv-autolink") 3.1.B (explaining how adversaries exploit network vulnerabilities) and AP Cybersecurity 3.1.C (assessing and documenting network risks). The CED ties it to the core idea that network vulnerabilities threaten confidentiality, integrity, and availability (EK 3.1.C.1). Segmentation is one of the cleanest defenses against the lateral movement described in EK 3.1.B.2, so it shows up whenever the exam asks you to recommend mitigations for a risky flat network.

## Connections

### [VLAN (Unit 3)](/ap-cybersecurity/key-terms/vlan)

A [VLAN](/ap-cybersecurity/key-terms/vlan "fv-autolink") is the most common tool for doing segmentation. It logically splits one physical switch into separate broadcast domains, so devices on different VLANs can't reach each other without passing through a router or firewall first.

### [Subnet (Unit 3)](/ap-cybersecurity/key-terms/subnet)

[Subnetting](/ap-cybersecurity/key-terms/subnetting "fv-autolink") is segmentation at the IP layer. By dividing addresses into separate subnets, you create boundaries where a firewall can sit and filter traffic between zones, which is exactly how you box in an attacker.

### Lateral movement and compromised devices (Unit 3, EK 3.1.B.2)

The whole point of segmentation is to break the chain in EK 3.1.B.2. If a foothold device can't reach high-value systems, the attacker's compromise stays small instead of spreading across the entire LAN.

### [Screened subnet (Unit 3)](/ap-cybersecurity/key-terms/screened-subnet)

A [screened subnet](/ap-cybersecurity/key-terms/screened-subnet "fv-autolink") (DMZ) is segmentation applied to public-facing servers. You put internet-exposed systems in their own isolated zone so a breach there never touches your internal network.

## On the AP Exam

Expect network segmentation to appear in multiple-choice questions as a recommended mitigation. A stem might describe a flat network where one infected machine can reach everything, then ask what control would limit the damage. The right answer is usually segmentation, VLANs, or subnets. It also fits risk-assessment style questions tied to AP Cybersecurity 3.1.C, where you connect a vulnerability to its impact on confidentiality, integrity, or availability and then propose a fix. No released FRQ has used the term verbatim, but it supports the kind of mitigation reasoning the exam rewards: identify the vulnerability, explain the risk (lateral movement), recommend the control.

## network segmentation vs MAC filtering

MAC filtering decides which individual devices are allowed on a network by checking their MAC addresses. Network segmentation decides which zones of the network can talk to each other once devices are already on. One is an access door (who gets in); the other is interior walls (where you can go after you're in).

## Key Takeaways

- Network segmentation divides one network into isolated zones so an attacker who breaches one device can't freely reach the rest.
- It's the main defense against lateral movement, the behavior described in EK 3.1.B.2 where a compromised device is used to attack others on the LAN.
- VLANs and subnets are the usual tools for segmentation, with firewalls controlling traffic between the resulting zones.
- Segmentation protects confidentiality, integrity, and availability by keeping a breach contained instead of letting it spread.
- A screened subnet (DMZ) is segmentation used to isolate public-facing servers from the internal network.

## FAQs

### What is network segmentation in AP Cybersecurity?

It's dividing a network into smaller, isolated zones, often with VLANs or subnets, so a compromise in one zone can't spread to more sensitive systems. It maps to Topic 3.1 in Unit 3 and supports learning objectives AP Cybersecurity 3.1.B and 3.1.C.

### Does network segmentation stop attackers from getting in?

No. Segmentation doesn't keep attackers out of the network. It limits how far they can go once they're already inside by blocking lateral movement between zones. Keeping them out is the job of controls like firewalls, port security, and authentication.

### How is network segmentation different from MAC filtering?

MAC filtering controls which devices are allowed onto the network by checking their MAC addresses, while segmentation controls which network zones are allowed to talk to each other. Filtering is about getting on; segmentation is about where you can go after you're on.

### Is a VLAN the same as network segmentation?

Not quite. A VLAN is a tool you use to do segmentation. Segmentation is the broader strategy of isolating zones, and VLANs (along with subnets and firewalls) are how you actually build those zones.

### Why does network segmentation matter for the AP exam?

Because the CED treats lateral movement (EK 3.1.B.2) as a major risk, and segmentation is the cleanest answer when a question asks how to contain a breach or reduce risk to confidentiality, integrity, and availability.

## Related Study Guides

- [3.1 Network Vulnerabilities and Attacks](/ap-cybersecurity/unit-3/network-vulnerabilities-and-attacks/study-guide/9lJpNM0eCHQ1M3XgFL97)

## Structured Data

```json
{"@context":"https://schema.org","@graph":[{"@type":"LearningResource","@id":"https://fiveable.me/ap-cybersecurity/key-terms/network-segmentation#resource","name":"Network Segmentation — AP Cybersecurity Definition","url":"https://fiveable.me/ap-cybersecurity/key-terms/network-segmentation","learningResourceType":"Concept explainer","educationalLevel":"AP® / High School","about":{"@id":"https://fiveable.me/ap-cybersecurity/key-terms/network-segmentation#term"},"audience":{"@type":"EducationalAudience","educationalRole":"student"},"dateModified":"2026-06-15T18:59:29.262Z","isPartOf":{"@type":"Collection","name":"AP Cybersecurity Key Terms","url":"https://fiveable.me/ap-cybersecurity/key-terms"},"publisher":{"@type":"Organization","name":"Fiveable","url":"https://fiveable.me"}},{"@type":"DefinedTerm","@id":"https://fiveable.me/ap-cybersecurity/key-terms/network-segmentation#term","name":"network segmentation","description":"Network segmentation is the practice of dividing a network into smaller, isolated zones (often using VLANs or subnets) so that an attacker who compromises one device cannot freely move laterally to reach more sensitive systems.","url":"https://fiveable.me/ap-cybersecurity/key-terms/network-segmentation","inDefinedTermSet":{"@type":"DefinedTermSet","name":"AP Cybersecurity Key Terms","url":"https://fiveable.me/ap-cybersecurity/key-terms"},"educationalAlignment":[{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 3, Topic 3.1, LO 3.1.A"},{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 3, Topic 3.1, LO 3.1.B"},{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 3, Topic 3.1, LO 3.1.C"}]},{"@type":"FAQPage","mainEntity":[{"@type":"Question","name":"What is network segmentation in AP Cybersecurity?","acceptedAnswer":{"@type":"Answer","text":"It's dividing a network into smaller, isolated zones, often with VLANs or subnets, so a compromise in one zone can't spread to more sensitive systems. It maps to Topic 3.1 in Unit 3 and supports learning objectives AP Cybersecurity 3.1.B and 3.1.C."}},{"@type":"Question","name":"Does network segmentation stop attackers from getting in?","acceptedAnswer":{"@type":"Answer","text":"No. Segmentation doesn't keep attackers out of the network. It limits how far they can go once they're already inside by blocking lateral movement between zones. Keeping them out is the job of controls like firewalls, port security, and authentication."}},{"@type":"Question","name":"How is network segmentation different from MAC filtering?","acceptedAnswer":{"@type":"Answer","text":"MAC filtering controls which devices are allowed onto the network by checking their MAC addresses, while segmentation controls which network zones are allowed to talk to each other. Filtering is about getting on; segmentation is about where you can go after you're on."}},{"@type":"Question","name":"Is a VLAN the same as network segmentation?","acceptedAnswer":{"@type":"Answer","text":"Not quite. A VLAN is a tool you use to do segmentation. Segmentation is the broader strategy of isolating zones, and VLANs (along with subnets and firewalls) are how you actually build those zones."}},{"@type":"Question","name":"Why does network segmentation matter for the AP exam?","acceptedAnswer":{"@type":"Answer","text":"Because the CED treats lateral movement (EK 3.1.B.2) as a major risk, and segmentation is the cleanest answer when a question asks how to contain a breach or reduce risk to confidentiality, integrity, and availability."}}]},{"@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"AP Cybersecurity","item":"https://fiveable.me/ap-cybersecurity"},{"@type":"ListItem","position":2,"name":"Key Terms","item":"https://fiveable.me/ap-cybersecurity/key-terms"},{"@type":"ListItem","position":3,"name":"Unit 3","item":"https://fiveable.me/ap-cybersecurity/unit-3"},{"@type":"ListItem","position":4,"name":"network segmentation"}]}]}
```
