3.3 Protecting Networks: Segmentation

Written by the Fiveable Content Team • Last updated June 2026
Verified for the 2027 exam

TLDR

Network segmentation splits one big network into smaller, isolated pieces (subnets) so an attack in one area cannot spread everywhere. You build those segments with screened subnets (DMZs), IP subnetting, and VLANs on switches, then use firewall rules and port security to control traffic between zones. The payoff is breach containment, traffic isolation, and the ability to apply different security rules to different parts of the network.


Why This Matters for the AP Cybersecurity Exam

This topic sits inside the defense-in-depth thinking that runs through AP Cybersecurity. Once an adversary gets onto a network, segmentation is one of the main reasons a single compromised device does not turn into a full breach. You should be able to identify the techniques used to segment a network and explain why segmentation increases security.

Expect to reason about scenarios: given a network setup, you may need to identify where to place a screened subnet, why a higher security zone needs stricter rules than a lower one, or how port security stops a MAC flooding attack. Being able to connect a technique to the specific threat it reduces is the kind of thinking that shows up across the course.

Key Takeaways

  • Network segmentation divides a network into smaller isolated subnets so problems in one stay contained.
  • A screened subnet (DMZ) sits between the public internet and the internal LAN, holds public-facing resources, and is a lower security zone than the internal network.
  • Subnetting uses IP addressing to split a network, which limits how many devices an attacker can reach after compromising one.
  • Switches can create VLANs that logically separate devices even when they share the same physical switch.
  • Segmentation lets you apply different security policies to different zones, creating higher and lower security zones.
  • Port security limits how many MAC addresses a switch port allows, which prevents MAC flooding attacks.

What Network Segmentation Is

Think of a network like a big office building. If every room shared one giant open floor, anyone who got inside could wander anywhere. Add walls, locked doors, and keycard zones, and a single intruder gets stuck in one area. That is the idea behind network segmentation.

Network segmentation is the process of dividing a network into smaller, isolated segments called subnetworks (or subnets). Instead of one flat network where every device can freely talk to every other device, you carve the network into chunks. Each chunk has its own boundary, and traffic between chunks gets controlled.

Three big reasons to do this:

  • Traffic isolation. Devices in one subnet do not see traffic from another subnet. That limits what an attacker can snoop on.
  • Breach containment. If malware infects a laptop in the marketing subnet, segmentation can stop it from spreading to the finance servers in a different subnet.
  • Custom security policies. You can lock down sensitive segments harder than less sensitive ones. A subnet holding patient records can have strict rules, while guest Wi-Fi can be more relaxed.

That last point introduces higher security zones and lower security zones. A higher security zone gets tighter firewall rules, stricter access controls, and more monitoring. A lower security zone is more open because what is inside it is less sensitive or already meant to be public.

Screened Subnets (DMZs)

Some servers need to be reachable from the public internet, like a company's website, email server, or a web app that customers log into. You cannot hide those behind a wall, because customers need to reach them. But you also do not want random people on the internet getting near your internal files.

The solution is a screened subnet, also called a demilitarized zone (DMZ). It is a network segment that sits between the public internet and the private internal network, created using firewall zones and rules.

Here is the layout:

Internet  →  [Firewall 1]  →  Screened Subnet (DMZ)  →  [Firewall 2]  →  Internal LAN
                              (web servers, email,                       (employee computers,
                               public-facing apps)                        file servers, databases)

The screened subnet is a lower security zone. It holds the organization's publicly facing resources, like web servers. The first firewall lets internet traffic reach those servers but blocks everything else. The second firewall is much stricter and protects the internal LAN, which is a higher security zone.

So if an attacker compromises a web server in the DMZ, they are still stuck. The second firewall stops them from jumping into the internal network where the sensitive data lives. The DMZ acts like a buffer.

A quick way to remember it: the DMZ is the lobby of the building. Visitors can come in, but they cannot get past the security desk into the actual offices.
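The two-firewall layout above can be modeled as two rule tables and a default-deny lookup. The following is an added example, not code from the Fiveable guide; the zone names, port numbers and rule set are constructed for illustration and do not reflect any vendor's firewall syntax. It shows why a compromised DMZ server still cannot reach the internal LAN: the flow has to pass Firewall 2, which has no rule allowing DMZ-to-internal connections.

```python
"""Screened subnet (DMZ) with two firewalls, modeled as zone rule tables.
Added example; zone names, ports and rules are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

# Zones ordered from least to most trusted (assumption: the three-zone layout in the text).
ZONES = ("internet", "dmz", "internal")


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]   # None matches any destination port
    action: str               # "allow" or "deny"

    def matches(self, src, dst, port):
        return (self.src_zone == src and self.dst_zone == dst
                and (self.dst_port is None or self.dst_port == port))


# Firewall 1 (internet <-> DMZ): only the public services are reachable from outside.
FIREWALL_1 = [
    Rule("internet", "dmz", 443, "allow"),   # HTTPS to the web servers
    Rule("internet", "dmz", 25, "allow"),    # SMTP to the mail server
    Rule("dmz", "internet", None, "allow"),  # DMZ hosts may talk outbound (assumption)
]

# Firewall 2 (DMZ <-> internal LAN): stricter. Employees may reach the DMZ,
# but nothing in the DMZ may open a connection into the internal network.
FIREWALL_2 = [
    Rule("internal", "dmz", None, "allow"),
]


def evaluate(rules, src, dst, port):
    """First matching rule wins; no match falls through to the default deny."""
    for rule in rules:
        if rule.matches(src, dst, port):
            return rule.action
    return "deny"


def firewalls_on_path(src, dst):
    """Firewall 1 sits between zone index 0 and 1, Firewall 2 between 1 and 2.
    A flow crosses every firewall that lies between its two zones."""
    lo, hi = sorted((ZONES.index(src), ZONES.index(dst)))
    crossed = []
    if lo <= 0 and hi >= 1:
        crossed.append(FIREWALL_1)
    if lo <= 1 and hi >= 2:
        crossed.append(FIREWALL_2)
    return crossed


def is_allowed(src, dst, port):
    """A flow is permitted only if every firewall on its path allows it."""
    if src == dst:
        return True   # same zone: no boundary crossed
    return all(evaluate(fw, src, dst, port) == "allow" for fw in firewalls_on_path(src, dst))


# Constructed sample flows: (source zone, destination zone, destination port).
SAMPLE_FLOWS = [
    ("internet", "dmz", 443),       # customer browsing the website: allowed
    ("internet", "internal", 445),  # outsider probing a file server: denied by FW1
    ("dmz", "internal", 3306),      # compromised web server reaching for the DB: denied by FW2
    ("internal", "dmz", 22),        # admin managing a DMZ server: allowed
]


def audit(flows=SAMPLE_FLOWS):
    """Map each sample flow to its verdict."""
    return {flow: is_allowed(*flow) for flow in flows}


if __name__ == "__main__":
    for flow, verdict in audit().items():
        print(f"{flow[0]:>8} -> {flow[1]:<8} port {flow[2]:<5} {'ALLOW' if verdict else 'DENY'}")
```

The design point is the default deny on Firewall 2: the DMZ is a lower security zone, so its rule table lists only what the higher security side may initiate, never the reverse.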

Subnetting Based on IP Addressing

Subnetting is one way to build those segments. It uses IP addressing to split a larger network into smaller logical pieces.

For example, a company might use the IP range 10.0.0.0/16 for its whole network, then divide it like this:

  • 10.0.1.0/24 for the finance department
  • 10.0.2.0/24 for engineering
  • 10.0.3.0/24 for guest Wi-Fi
  • 10.0.4.0/24 for servers

Each /24 is its own subnet with up to 254 usable addresses. Routers and firewalls sit between these subnets and control which ones can talk to which.

The security payoff: if an adversary compromises a device on the guest Wi-Fi subnet (10.0.3.0/24), the breach is contained to that subnet. The attacker cannot automatically reach finance machines on 10.0.1.0/24 because the firewall rules between those subnets will not let them through. You have reduced the number of exposed devices.
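The address plan above can be checked with Python's standard-library ipaddress module. This is an added example, not code from the Fiveable guide; the department-to-subnet mapping follows the list in the text, while the sample host addresses are constructed. It shows how the /16 is carved into /24 blocks, why each /24 has 254 usable addresses, and how many other hosts a compromised device can reach without crossing a router or firewall, segmented versus flat.

```python
"""Subnet plan for 10.0.0.0/16 built with the ipaddress module.
Added example; the subnet-to-department mapping comes from the text,
the host addresses used below are constructed."""
import ipaddress

ORG_NETWORK = ipaddress.ip_network("10.0.0.0/16")

# The plan from the text. 10.0.0.0/24 and everything above 10.0.4.0/24 stay unassigned.
SUBNET_PLAN = {
    "finance": ipaddress.ip_network("10.0.1.0/24"),
    "engineering": ipaddress.ip_network("10.0.2.0/24"),
    "guest-wifi": ipaddress.ip_network("10.0.3.0/24"),
    "servers": ipaddress.ip_network("10.0.4.0/24"),
}


def carve(parent=ORG_NETWORK, new_prefix=24):
    """All subnets of the given prefix length inside parent (256 /24s in a /16)."""
    return list(parent.subnets(new_prefix=new_prefix))


def plan_is_valid(plan=SUBNET_PLAN, parent=ORG_NETWORK):
    """Every subnet must lie inside the parent range, and no two may overlap."""
    nets = list(plan.values())
    inside = all(net.subnet_of(parent) for net in nets)
    disjoint = all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])
    return inside and disjoint


def usable_hosts(net):
    """IPv4 reserves the network and broadcast addresses, so a /24 yields 254."""
    return net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses


def segment_of(ip, plan=SUBNET_PLAN):
    """Department whose subnet contains ip, or None if the address is unassigned."""
    addr = ipaddress.ip_address(ip)
    for name, net in plan.items():
        if addr in net:
            return name
    return None


def same_segment(ip_a, ip_b, plan=SUBNET_PLAN):
    """True when two hosts share a subnet and can talk without crossing a router."""
    seg_a, seg_b = segment_of(ip_a, plan), segment_of(ip_b, plan)
    return seg_a is not None and seg_a == seg_b


def exposed_hosts(compromised_ip, segmented=True):
    """Other addresses reachable from a compromised host without passing a
    router or firewall: its own /24 when segmented, the whole /16 when flat."""
    if not segmented:
        return usable_hosts(ORG_NETWORK) - 1
    seg = segment_of(compromised_ip)
    return usable_hosts(SUBNET_PLAN[seg]) - 1 if seg else 0


if __name__ == "__main__":
    guest = "10.0.3.77"   # constructed: a laptop on guest Wi-Fi
    print("plan valid:", plan_is_valid())
    print("segment:", segment_of(guest))
    print("reachable if segmented:", exposed_hosts(guest))
    print("reachable if flat:", exposed_hosts(guest, segmented=False))
```

Running it for a guest Wi-Fi host shows the containment effect in numbers: 253 other addresses within its own /24, against 65,533 across a flat /16.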

VLANs and Switches

Sometimes you want to separate devices logically even if they are plugged into the same physical hardware. That is where VLANs (Virtual Local Area Networks) come in.

A switch is the device that connects computers, printers, and other gear together inside a building using cables. Normally, every device plugged into a switch can talk to every other device on that switch. VLANs change that by grouping ports into separate virtual networks.

Picture a single 24-port switch in an office. Without VLANs, all 24 ports share one network. With VLANs, you can configure it like this:

  • Ports 1 to 8: VLAN 10 (Finance)
  • Ports 9 to 16: VLAN 20 (Engineering)
  • Ports 17 to 24: VLAN 30 (Guest)

Even though all those computers are wired into the same physical switch, the switch treats them as if they were on three separate networks. A finance computer on port 3 cannot directly talk to a guest laptop on port 20 without going through a router or firewall that allows it.

VLANs are useful because you do not need to buy separate switches for each department. One switch, logically separated. That saves money and makes the network easier to reconfigure when people move desks.

Port Security and MAC Flooding

Switches keep a table that maps MAC addresses (unique hardware IDs on every network device) to the physical port they are connected to. That is how the switch knows where to send traffic.

But this table has a limited size. In a MAC flooding attack, an adversary sends a huge flood of fake MAC addresses into a switch port. The table fills up, and the switch cannot fit any more entries, so it starts broadcasting all incoming traffic to every port. Now the attacker can sniff traffic they should not be able to see.

Port security is a switch feature that prevents this. You configure each port to allow only a limited number of MAC addresses, often just one or two. If the port sees more MACs than allowed, it can shut down or ignore the extra addresses.

For example, a port security rule might say:

interface FastEthernet0/5
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown

That tells the switch: this port allows a maximum of 2 MAC addresses, and if more show up, shut the port down. The MAC flooding attack is stopped before it starts.
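The VLAN section and the port security section above both describe behaviour of a single switch, so one model serves both. The following is an added example, not code from the Fiveable guide and not real switch firmware: a toy learning switch that keeps a MAC table per VLAN, floods unknown destinations only within the sender's VLAN, and applies a per-port MAC limit with a "shutdown" violation action. The 24-port layout, VLAN numbers and the "maximum 2 / violation shutdown" setting follow the text; the MAC addresses, the small table capacity and the frame sequences are constructed for the demo. The last function shows what the switch does when its table is full and how enabling port security on that port changes the outcome.

```python
"""Toy learning switch with VLANs and port security. Added example, not from the
guide and not real switch firmware. Port layout, VLAN ids and the port 5 limit
follow the text; MAC addresses, table capacity and frames are constructed."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Port:
    vlan: int
    max_macs: Optional[int] = None    # None: port security disabled on this port
    learned: set = field(default_factory=set)
    shutdown: bool = False            # set by the "violation shutdown" action


class Switch:
    def __init__(self, port_vlans, table_capacity=8):
        self.ports = {p: Port(v) for p, v in port_vlans.items()}
        self.mac_table = {}             # (vlan, mac) -> port
        self.table_capacity = table_capacity
        self.violations = []            # (port, offending mac), what a syslog would record

    def enable_port_security(self, port, maximum):
        self.ports[port].max_macs = maximum

    def _learn(self, port, src_mac):
        """Record src_mac on port. Returns False if port security rejects the frame."""
        p = self.ports[port]
        if p.max_macs is not None and src_mac not in p.learned:
            if len(p.learned) >= p.max_macs:
                p.shutdown = True                  # violation action: shut the port
                self.violations.append((port, src_mac))
                return False
            p.learned.add(src_mac)
        key = (p.vlan, src_mac)
        if key in self.mac_table or len(self.mac_table) < self.table_capacity:
            self.mac_table[key] = port             # a full table simply stops learning
        return True

    def forward(self, in_port, src_mac, dst_mac):
        """Egress ports for one frame; an empty set means the frame was dropped."""
        p = self.ports[in_port]
        if p.shutdown or not self._learn(in_port, src_mac):
            return set()
        dst_port = self.mac_table.get((p.vlan, dst_mac))
        if dst_port is not None and dst_port != in_port:
            return {dst_port}
        # Unknown destination: flood, but only to ports in the sender's VLAN.
        return {n for n, q in self.ports.items()
                if q.vlan == p.vlan and n != in_port and not q.shutdown}


def build_office_switch(table_capacity=8):
    """The text's 24-port switch: ports 1-8 VLAN 10, 9-16 VLAN 20, 17-24 VLAN 30."""
    vlans = {port: (10 if port <= 8 else 20 if port <= 16 else 30) for port in range(1, 25)}
    return Switch(vlans, table_capacity)


def vlan_isolation_demo():
    """Finance PC on port 3 sends to an unknown MAC: the flood never leaves VLAN 10."""
    sw = build_office_switch()
    return sw.forward(3, "aa:00:00:00:00:03", "ff:ff:ff:ff:ff:ff")


def port_security_demo():
    """Port 5 allows 2 MACs; the third source MAC trips 'violation shutdown'."""
    sw = build_office_switch()
    sw.enable_port_security(5, maximum=2)
    macs = [f"de:ad:be:ef:00:{i:02x}" for i in range(4)]
    delivered = [bool(sw.forward(5, m, "ff:ff:ff:ff:ff:ff")) for m in macs]
    return delivered, sw.ports[5].shutdown, sw.violations


def table_overflow_demo(port_security):
    """Guest VLAN 30: eight bogus source MACs on port 18 fill the table, so a later
    frame from port 19 to the printer on port 17 is flooded to every VLAN 30 port,
    port 18 included. With port security on port 18 the table never fills and the
    frame reaches port 17 only. Returns whether port 18 received the frame."""
    sw = build_office_switch(table_capacity=8)
    if port_security:
        sw.enable_port_security(18, maximum=2)
    for i in range(8):
        sw.forward(18, f"0c:0f:fe:e0:00:{i:02x}", "ff:ff:ff:ff:ff:ff")
    printer, laptop = "00:11:22:33:44:17", "00:11:22:33:44:19"
    sw.forward(17, printer, "ff:ff:ff:ff:ff:ff")   # printer announces itself
    return 18 in sw.forward(19, laptop, printer)


if __name__ == "__main__":
    print("VLAN 10 flood reaches ports:", sorted(vlan_isolation_demo()))
    print("port 5 delivered / shutdown / violations:", port_security_demo())
    print("port 18 sees the frame, no port security:", table_overflow_demo(False))
    print("port 18 sees the frame, with port security:", table_overflow_demo(True))
```

Two things worth noticing in the output: the flood in the first demo stops at ports 1 to 8 even though all 24 ports share one chassis, and in the last demo the violations list is exactly the record a defender would want, since a port learning more MACs than it should is itself a detection signal.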

Putting It All Together

Network segmentation is not just one technique. It is a layered approach:

  • Screened subnets (DMZs) separate public-facing servers from your internal network using firewalls and zones.
  • Subnetting uses IP addressing to divide the network into logical groups that firewalls can control.
  • VLANs logically separate devices on the same physical switch.
  • Port security locks down individual switch ports to prevent attacks like MAC flooding.

Each layer reduces how far an attack can spread. If something goes wrong, you want the damage to stay contained. A flat network is one big problem waiting to happen. A segmented network gives defenders time to spot the breach, isolate it, and clean it up before it spreads.

The key idea: segmentation gives different parts of the network different levels of trust and different rules, then enforces those boundaries with firewalls, routers, switches, and IP design.

How to Use This on the AP Cybersecurity Exam

Identify the Technique

When a question describes a network problem, match it to the right segmentation technique:

  • Need to expose a web server safely? Screened subnet (DMZ).
  • Need to split departments by IP and contain a breach? Subnetting.
  • Need to separate devices on the same physical switch? VLANs.
  • Need to stop a switch from being flooded with fake MAC addresses? Port security.

Explain the Security Benefit

It is not enough to name a technique. Be ready to explain why it increases security. Tie each one to a concrete outcome: traffic isolation, breach containment, or different security policies for different zones. For a DMZ, the point is that a compromised public server is still blocked from the internal LAN by the second firewall.

Common Trap

Watch for questions that mix up zones. The screened subnet is a lower security zone than the internal network, not the other way around. The DMZ is exposed on purpose because it holds public-facing resources, and the stricter firewall protects the higher security internal LAN behind it.

Common Misconceptions

  • A DMZ is not the most protected part of the network. It is a lower security zone on purpose, because it holds resources that need to be reachable from the internet. The internal LAN is the higher security zone.
  • VLANs do not require separate physical switches. They logically separate devices that are plugged into the same switch by grouping ports into virtual networks.
  • Subnetting is not just about organization. Splitting by IP address contains breaches by limiting how many devices an attacker can reach after compromising one.
  • Port security does not detect malware. It limits the number of MAC addresses on a switch port, which specifically defends against MAC flooding, not general infections.
  • Segmentation does not block attacks by itself. It reduces how far an attack can spread and buys defenders time, but it works alongside firewalls, access controls, and monitoring rather than replacing them.

Vocabulary

The following words are mentioned explicitly in the AP® course framework for this topic.

  • demilitarized zone: A network segment (also called a screened subnet) that is behind a firewall but still externally accessible, typically containing servers that host web applications or websites.
  • firewall rules: Specific configurations that define which network traffic should be allowed or denied based on criteria such as source, destination, port, protocol, or application.
  • firewall zones: Distinct network areas created and controlled by firewalls to separate different levels of trust and security within a network.
  • MAC flooding attack: An attack where an adversary sends many Ethernet frames with different MAC addresses to a switch, potentially forcing it into broadcast mode to allow eavesdropping.
  • network segmentation: The practice of dividing a network into separate segments or zones to improve security and contain potential breaches.
  • network traffic: The flow of data packets between devices on a network, including both inbound and outbound communications.
  • port security: A network security feature that controls which devices can connect to specific switch ports by limiting the number of MAC addresses allowed on a port.
  • screened subnet: A network segment that sits between public external networks and internal private networks, typically holding an organization's publicly facing resources while maintaining lower security than internal networks.
  • security policies: Rules and controls that define how security is managed and enforced on network segments.
  • security zones: Network segments designated with different levels of security controls, ranging from higher security to lower security areas.
  • subnet: A smaller network segment created through subnetting that can be isolated to contain security breaches and reduce the number of exposed devices.
  • subnetting: The technique of dividing a network into smaller subnets based on IP addressing to contain security breaches and limit exposure of devices.
  • virtual local area network: A network configuration that logically separates devices physically connected to central switches without requiring separate physical hardware.

Frequently Asked Questions

What is a screened subnet (DMZ) in AP Cybersecurity?

A screened subnet, also called a DMZ, is a network segment that sits between the public internet and an organization's internal private network, created using firewall zones and rules. It holds publicly facing resources like web servers and is considered a lower security zone than the internal LAN. A second, stricter firewall protects the internal network behind it, so a compromised server in the DMZ cannot directly reach internal devices.

What is the difference between a VLAN and subnetting in network segmentation?

Subnetting divides a network into smaller groups using IP addressing, so routers and firewalls can control traffic between those groups and contain breaches to fewer devices. VLANs are configured on switches to logically separate devices that share the same physical hardware, meaning computers plugged into the same switch can still be kept on entirely different virtual networks. Both techniques isolate traffic, but subnetting works at the IP layer while VLANs work at the switch level.

Why does network segmentation increase security?

Segmentation divides a network into isolated subnets so that an attack or infection on one subnet cannot automatically spread to devices on other subnets. It also allows different security policies to be applied to different zones, so sensitive areas can have stricter firewall rules than less sensitive ones. This combination of traffic isolation, breach containment, and flexible security controls is why segmentation is a core defense strategy.

What is port security and how does it prevent MAC flooding?

Port security is a switch feature that limits the number of MAC addresses allowed on a single switch port. In a MAC flooding attack, an adversary sends a flood of fake MAC addresses to fill up the switch's address table, causing the switch to broadcast all traffic to every port where it can be intercepted. By capping the number of allowed MAC addresses per port, port security stops that flood before the table overflows.

Is the DMZ a high security zone or a low security zone?

The DMZ is a lower security zone compared to the internal private network. It is intentionally more accessible because it holds public-facing resources like web servers that need to be reachable from the internet. The internal LAN sitting behind the second firewall is the higher security zone, with stricter rules that block traffic from the DMZ.
