Trials and demos
How to buy

What is network segmentation?

Segmentation is the practice of dividing a network into smaller parts called segments to improve security, performance, manageability, and compliance.

Explore Cisco Hybrid Mesh Firewall

Key findings of Cisco 2025 segmentation survey

79 %

Of organizations say segmentation is a priority.
33 %

Of organizations surveyed have fully implemented both macro and microsegmentation.
31 %

Faster recovery time with both network and microsegmentation implemented reported by respondents.

    Why do organizations implement segmentation, and what are the benefits? 

    Segmentation helps organizations improve security, increase performance, and meet compliance requirements by controlling communication between infrastructure and applications.

    Improved security: Segmentation is vital for limiting the spread of cyberthreats, containing breaches, and remediation. 

    • It effectively reduces the attack surface by isolating systems and controlling traffic flow to prevent unauthorized lateral movement.
    • Segmentation helps enforce access policies, strengthening overall security posture and supporting compliance with industry standards. It aligns with Zero Trust models by enabling granular control over network communication.
    • It helps speed the remediation of malicious activity. When a threat or suspicious activity is detected and confined to a specific area IT teams can more effectively fix or counter the activity without impacting the rest of the network.

    Increased operational performance: Segmentation can reduce network congestion. Depending on the segmentation techniques deployed, it can limit broadcast domains which reduces congestion and improves overall speed.

    Simplified management and compliance: Segmentation simplifies network management and strengthens an organization's ability to meet compliance requirements. By creating a clear, logical structure, it makes the network easier for IT teams to understand, organize, and maintain as it evolves. For compliance, segmentation enables organizations to isolate sensitive data and enforce strict access controls to help meet internal security requirements or external regulations mandated by different industry standards and governmental bodies.

    How does segmentation work? 

    Segmentation works by controlling how traffic flows among the parts, or segments. You could choose to stop all traffic in one part from reaching another, or you can limit the flow by traffic type, source, destination, and many other options. How you decide to segment your network is called a segmentation policy.

    What are the different types of segmentation?

    Macro-segmentation: The most common form of network segmentation, macro-segmentation is the practice of dividing a computer network into distinct segments, or zones, based on broad criteria such as department, function, application, or location. This approach creates high-level boundaries designed to control traffic flow between these areas and enhance overall network security and performance. Macro-segmentation is also referred to as zonal segmentation.

    Microsegmentation: This is a highly granular approach where workloads and applications are segmented based on fine-grained attributes such as prior observed communication between individual workloads, administrator-designated labels assigned to individual workloads, or policies assigned by the application owner. Access control policies are applied on the individual workload, making it highly effective at limiting unauthorized lateral movement to prevent the spread of threats.

    What are the implementation methods for segmentation?

    Physical segmentation: Requires physically separating entities (such as cables, ports, servers, switches, routers, and firewalls) so that they can't communicate with each other unless they are specifically connected and configured to do so. Physical segmentation is uncommon, as it is the most expensive, least flexible, and hardest to manage.

    Logical (virtual) segmentation: Built on top of a physical network using software (logical) entities to create virtual boundaries. It is more flexible and cost-effective than physical segmentation. Common techniques include:

    • Subnetting: Breaks down a larger IP network into smaller subnetworks at Layer 3 using IP addressing schemes. 
    • Virtual Local Area Network (VLAN): Uses Layer 2 switches to group devices into separate broadcast domains, regardless of their physical location on the network. Each VLAN is typically assigned a unique subnet to enable routing between different VLANs and to enforce security policies at the boundary.
    • Virtual Extensible LAN (VXLAN): A network virtualization technology that creates a virtual Layer 2 network over an existing physical Layer 3 network infrastructure. It addresses the limitations of traditional VLANs, providing significantly greater scalability. VXLAN has become a standard for large data centers and cloud environments, enabling the creation of flexible virtual networks atop physical infrastructure.
    • Software-Defined Networking (SDN): A network architecture where software is used to automate network configurations and policies, dynamically creating scalable, isolated virtual network segments. This approach leverages traditional VLAN and more commonly VXLAN technologies for large data centers and cloud environments to enable the creation of vast numbers of virtual networks atop physical infrastructure.
    • Virtual Routing and Forwarding (VRF): Enables routers and Layer 3 switches to maintain multiple, independent routing tables. VRF provides robust isolation by associating specific VLANs and their corresponding subnets with a unique routing instance, allowing total separation of traffic within multi-tenant environments and secure data centers.
    • Identity-based segmentation: Compatible with macro- and microsegmentation, access control policies are based on the user's or device's identity and role. This identity is used to grant and limit access to workloads and applications, providing consistent security across on-premises, cloud, and remote work environments.
    • Container Network Interface (CNI) for segmentation: Used primarily in Kubernetes and other container orchestration platforms to control network traffic flow between containerized application workloads. CNIs connect containerized workloads to the network, providing a network security enforcement point at the workload. Policies are defined based on application identity, enabling microsegmentation in dynamic cloud-native applications where IP addresses change frequently.

    How are segmentation policies enforced?

    Segmentation policies are applied on a combination of hardware and software known as policy enforcement points. These act as checkpoints within the network infrastructure to control traffic flow according to predefined security rules. Common enforcement points include:

    • Physical or virtual devices such as firewalls, routers, and switches.
    • Host-based firewalls in the application operating system.
    • Cloud-native controls, called Security Groups (AWS) or cloud firewalls (Azure, GCP), are virtual enforcement points provided by the cloud service provider.
    • Network access control (NAC) systems for managed and unmanaged devices, which verify their identity and security posture before allowing access to a network segment.

    Insightful reports on segmentation

    The Segmentation Report: Results of Cisco's 2025 Survey

    Cisco commissioned an independent global survey to understand the drivers, challenges, approaches, and benefits of segmentation.

    Read The Segmentation Report, Cisco's 2025 Survey (PDF)

    A Taxonomy of Segmentation in Network Security

    This paper introduces practical definitions for key segmentation concepts and a comprehensive taxonomy for classifying methods across technologies, infrastructures, and enforcement strategies.

    Read A Taxonomy of Segmentation external site (PDF)

    Associated terms

    5-tuple: A set of five data points in a packet header—source IP, destination IP, source port, destination port, and protocol—that serves as a unique identifier for a network flow, enabling network devices to identify, filter, and track individual sessions for security and performance.

    Application: A type of software program designed to perform a specific set of coordinated functions, tasks, or activities by coordinating the functionality of multiple workloads.

    Access control lists (ACL): A set of rules defining who can access what, and what actions they can perform.

    Container: A package of software code that contains all the dependencies, such as specific versions of programming language libraries required to run the code.

    extended Berkely Packet Filter (eBPF): A technology that enables the execution of sandboxed programs within the privileged context of the operating system kernel. eBPF enables the kernel to be reprogrammed without requiring changes to the kernel source code or modules to be loaded. 

    Hypervisor: Software that creates and runs virtual machines (VM). A hypervisor enables one physical host computer to support multiple VMs   by sharing hardware resources.

    Network access control (NAC): A security framework that regulates which users and devices are allowed to access a network by verifying their identity and ensuring policy compliance.

    Workload: The processes and resources that support an application and its interactions with users or other applications.

    Resources

    Connect with us

    Related products

    Related network security topics

    Useful links