Network Segmentation
Unlock the complete study guide + 1,040 practice questions across 16 full exams.
Bundled into the existing CompTIA Network+ premium course — no separate purchase.
Included in this chapter:
- Why segment: containment, compliance, fragile devices
- VLANs are zones; firewalls and ACLs are the gates
- Device-class segments: OT, IoT, DMZ, guest, BYOD
- Microsegmentation and zero trust
- Exam-pattern recognition
Which segment for which device class
| Segment / zone | What goes there | Reachability it should have | Why it is isolated |
|---|---|---|---|
| OT / ICS / SCADA zone | Legacy industrial controllers, PLCs, DCS | Only its own controllers and engineering hosts | Unpatchable, no AV; isolate per NIST SP 800-82r3 |
| IoT / IIoT VLAN | Cameras, sensors, smart/embedded devices | Only required controllers and update servers | Weak defaults, rarely updated |
| Screened subnet (DMZ) | Public web, mail, DNS servers | Internet inbound + tightly limited internal | Internet-exposed; breach must not reach LAN |
| Guest / BYOD segment | Visitor and personal devices | Internet only, no internal access | Untrusted devices, unknown posture |
| Internal trusted zone | Corporate workstations and servers | Internal services per least privilege | Holds the assets the other zones protect |
Decision tree
Cheat sheet
Unlock with Premium — includes all practice exams and the complete study guide.