A VLAN (virtual local area network) is a logical grouping of devices on a switch that behaves like a separate network, used to segment traffic so a compromise in one segment can't spread freely across the whole LAN.
A VLAN (virtual local area network) lets you carve one physical switch into several separate logical networks. Devices in different VLANs act like they're on totally different LANs, even when they're plugged into the same hardware. Traffic doesn't cross between VLANs unless something (usually a router or layer-3 switch) explicitly allows it.
Think of a VLAN as drawing walls inside a building that already exists. You don't buy new buildings (new switches), you just decide which rooms can talk to each other. This is a form of network segmentation, and it's a defensive answer to the attacks in Topic 3.1. If an adversary compromises a device (EK 3.1.B.2) and tries to use that foothold to hit other machines on the LAN, VLANs limit how far they can reach: at the switch, their traffic stays inside their own VLAN, and anything that crosses into another VLAN has to pass through the router or layer-3 switch and whatever rules it enforces.
VLANs live in Unit 3: Securing Networks, specifically Topic 3.1 (Network Vulnerabilities and Attacks). They connect directly to [AP Cybersecurity 3.1.B], which asks you to explain how adversaries exploit network vulnerabilities to steal, disrupt, or destroy communication. EK 3.1.B.2 calls out lateral movement, an adversary who owns one device trying to compromise others on the LAN, and segmentation with VLANs is a primary way to shut that down. They also tie to [AP Cybersecurity 3.1.C]: because a flat, unsegmented network puts confidentiality, integrity, and availability all at risk, segmenting it lowers that risk. When the exam frames a network defense scenario, VLANs are part of the toolkit you reach for.
Network segmentation (Unit 3)
VLANs are the most common way to actually do segmentation. Segmentation is the goal (keep parts of the network isolated), and a VLAN is the technique that pulls it off on a switch.
Lateral movement on a LAN (Unit 3)
EK 3.1.B.2 describes an attacker pivoting from one compromised device to others on the local network. VLANs cut off those pivot routes at the switch, so a breach in the guest VLAN can't reach the finance VLAN unless the router or layer-3 switch between them has been told to allow that traffic.
Screened subnet (Unit 3)
A screened subnet (DMZ) isolates public-facing servers behind firewalls, and VLANs do similar isolation work at the switch level. Both answer the same instinct: don't let everything sit on one open network.
MAC flooding (Unit 3)
Attacks like MAC flooding target the switch itself to break its normal traffic separation: the attacker sends frames from a huge number of fake source addresses until the switch's MAC address table is full, and the switch then falls back to flooding frames out every port in the VLAN, so an attacker on that VLAN can sniff traffic that should have gone to one port only. Understanding how a switch keeps traffic apart (and how VLANs reinforce that) helps you see why flooding the switch table is dangerous, and why the damage stays inside the affected VLAN rather than crossing into others.
Expect VLANs in multiple-choice stems about defending or segmenting a network, often as the right answer when a scenario describes stopping an attacker from spreading across the LAN. No released FRQ has used the term verbatim, but it fits the kind of risk-assessment and mitigation questions Unit 3 rewards, where you propose controls that reduce lateral movement or limit blast radius. If asked to recommend a defense, be ready to explain why segmenting with VLANs reduces risk to confidentiality, integrity, and availability (EK 3.1.C.1), not just to name-drop the term.
A VLAN is a logical separation done at the switch (layer 2), grouping which ports talk to each other. A subnet is an IP-address-range division (layer 3) that splits networks by addressing. They often line up one-to-one in practice, but a VLAN is about switch port grouping while a subnet is about IP math.
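The switch-level isolation described above (traffic stays inside its VLAN, and only the router or layer-3 switch decides what crosses), the MAC flooding entry, and the VLAN-versus-subnet distinction, as one added Python model. This is not code from the original page; every port name, VLAN ID, MAC address, subnet and ACL rule is made up for the demonstration. The switch keeps a MAC table keyed by (VLAN, MAC) and floods unknown destinations only within the ingress VLAN; the router maps each VLAN to one subnet and applies a first-match ACL that ends in an implicit deny; the flooding function fills the deliberately tiny table so the switch degrades to flooding, which leaks a finance reply to an extra finance port but never to the guest port.

```python
"""Toy model of a VLAN-capable switch plus the layer-3 boundary between VLANs.
Added example, not code from the original page. Every port name, VLAN ID, MAC
address and subnet below is made up for the demonstration."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    payload: str = ""


class Switch:
    """Learning switch. The MAC table is keyed by (VLAN, MAC), and unknown or
    broadcast destinations are flooded only to ports in the ingress VLAN."""

    BROADCAST = "ff:ff:ff:ff:ff:ff"

    def __init__(self, port_vlans: dict[str, int], table_size: int = 4):
        self.port_vlans = port_vlans      # access port -> VLAN it belongs to
        self.table_size = table_size      # MAC table capacity; tiny so flooding is easy to show
        self.mac_table: dict[tuple[int, str], str] = {}

    def receive(self, in_port: str, frame: Frame) -> list[str]:
        """Forward one frame and return the list of egress ports."""
        vlan = self.port_vlans[in_port]   # membership comes from the port, not the host
        key = (vlan, frame.src_mac)
        if key not in self.mac_table and len(self.mac_table) < self.table_size:
            self.mac_table[key] = in_port  # learn the source; a full table learns nothing new
        out = self.mac_table.get((vlan, frame.dst_mac))
        if frame.dst_mac != self.BROADCAST and out not in (None, in_port):
            return [out]                  # known unicast goes to exactly one port
        return [p for p, v in self.port_vlans.items() if v == vlan and p != in_port]


class Router:
    """Layer-3 boundary (router or L3 switch). Each VLAN maps to one subnet, and
    crossing VLANs means crossing the ACL, which ends in an implicit deny."""

    def __init__(self, subnets: dict[int, str], acl: list[tuple[str, str, str]]):
        self.subnets = {v: ipaddress.ip_network(n) for v, n in subnets.items()}
        self.acl = [(a, ipaddress.ip_network(s), ipaddress.ip_network(d)) for a, s, d in acl]

    def vlan_of(self, ip):
        return next((v for v, net in self.subnets.items() if ip in net), None)

    def forwards(self, src_ip: str, dst_ip: str) -> bool:
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        src_vlan = self.vlan_of(src)
        if src_vlan is None:
            return False                  # not a subnet we own
        if src_vlan == self.vlan_of(dst):
            return True                   # same VLAN: the switch delivers it, the ACL is never consulted
        for action, s, d in self.acl:
            if src in s and dst in d:
                return action == "permit"  # first match wins
        return False                      # implicit deny


# Constructed topology: guest VLAN 10 on Gi1-Gi2, finance VLAN 20 on Gi3-Gi5.
PORT_VLANS = {"Gi1": 10, "Gi2": 10, "Gi3": 20, "Gi4": 20, "Gi5": 20}
ROUTER = Router(
    subnets={10: "10.0.10.0/24", 20: "10.0.20.0/24"},
    acl=[
        ("deny", "10.0.10.0/24", "10.0.20.0/24"),   # guest may not reach finance
        ("permit", "10.0.10.0/24", "0.0.0.0/0"),    # guest may reach anything else
        ("permit", "10.0.20.0/24", "0.0.0.0/0"),    # finance may reach anything
    ],
)


def guest_probe_reaches() -> list[str]:
    """A compromised guest laptop on Gi1 broadcasts (think ARP sweep)."""
    sw = Switch(PORT_VLANS)
    return sw.receive("Gi1", Frame("aa:aa:aa:00:00:01", Switch.BROADCAST, "who-has?"))


def finance_reply_ports(attacker_frames: int) -> list[str]:
    """Ports that see a finance workstation's reply after the guest attacker on
    Gi1 has sent `attacker_frames` frames with bogus source MACs (MAC flooding)."""
    sw = Switch(PORT_VLANS, table_size=4)
    for i in range(attacker_frames):
        sw.receive("Gi1", Frame(f"de:ad:be:ef:00:{i:02x}", "00:00:00:00:00:99"))
    sw.receive("Gi4", Frame("cc:cc:cc:00:00:04", "cc:cc:cc:00:00:03"))   # server -> workstation
    return sw.receive("Gi3", Frame("cc:cc:cc:00:00:03", "cc:cc:cc:00:00:04"))  # the reply


if __name__ == "__main__":
    print("guest broadcast reaches:", guest_probe_reaches())
    print("guest -> finance routed:", ROUTER.forwards("10.0.10.5", "10.0.20.7"))
    print("guest -> internet routed:", ROUTER.forwards("10.0.10.5", "93.184.216.34"))
    print("finance reply, quiet switch:", finance_reply_ports(0))
    print("finance reply, after MAC flood:", finance_reply_ports(10))
```

Run it directly to see the results. The guest broadcast reaches only Gi2, the other guest port; the guest-to-finance packet is dropped by the first ACL rule while guest-to-internet is permitted; and after the table is flooded, the finance reply is sprayed to the quiet host on Gi5 as well as Gi4, which is the confidentiality loss MAC flooding causes, but Gi1 never appears in the list because the flooding stays inside VLAN 20.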
A VLAN splits one physical switch into multiple logical networks so devices in different VLANs act like they're on separate LANs.
VLANs are a form of network segmentation that limits lateral movement, the EK 3.1.B.2 problem of an attacker hopping from one compromised device to others.
Traffic doesn't pass between VLANs unless a router or layer-3 device explicitly allows it.
Segmenting a flat network with VLANs lowers risk to confidentiality, integrity, and availability (EK 3.1.C.1).
On MCQs, VLANs are usually the right pick when the scenario is about isolating network segments to contain a breach.
A VLAN (virtual local area network) is a logical grouping of devices on a switch that behaves like its own separate network. In security terms, it segments traffic so a compromise in one part of the network can't freely spread to the rest.
A VLAN is not the same as a subnet. A VLAN separates devices logically at the switch level (layer 2), while a subnet divides networks by IP address range (layer 3). They frequently map to each other in real setups, but they're different concepts working at different layers.
VLANs limit lateral movement; they don't eliminate it. By separating the network into segments, VLANs stop an attacker who compromises a device (EK 3.1.B.2) from reaching machines in other VLANs unless routing between them is allowed.
The advantages over separate physical networks are cost and flexibility. A VLAN lets you create separate logical networks on hardware you already own, so you can isolate, say, guest Wi-Fi from internal servers without running new physical cabling.
VLANs are the most common way to implement segmentation, which Unit 3 treats as a key defense. If a question asks how to reduce risk from an attacker spreading across the LAN, segmenting with VLANs is the move tied to learning objective 3.1.B and 3.1.C.