How many VLANs should an enterprise have for IoT segmentation?

The appropriate number depends on the environment, but common guidance suggests at minimum: separate VLANs for corporate IT, IoT, OT/ICS, IoMT medical devices, building systems, guest/unclassified, and management networks. The goal is functional separation by risk profile and operational domain, not a specific number. Too few VLANs provides insufficient isolation; too many creates management complexity that leads to policy inconsistency.

Definition

VLAN (Virtual Local Area Network)

A logical grouping of devices into separate broadcast domains using network infrastructure. VLANs provide coarse segmentation; ORDR complements them with microsegmentation for finer-grained device-level control.

What is VLAN (Virtual Local Area Network)?

A Virtual Local Area Network (VLAN) is a logical grouping of network devices into separate broadcast domains, implemented through network switch configuration rather than physical wiring. VLANs allow devices on the same physical network to be separated into isolated logical networks, and devices on different physical networks to communicate as if they were on the same network. VLAN 802.1Q tagging on switch ports assigns each device's traffic to its VLAN, and inter-VLAN routing controls what traffic can move between groups.

VLANs are the most widely deployed network segmentation mechanism in enterprise environments. They are appropriate for coarse segmentation — separating clinical networks from corporate IT, separating OT from enterprise networks, isolating IoT devices from sensitive data systems. Their limitation is granularity: within a VLAN, all devices can communicate freely. A VLAN containing 500 IP cameras provides isolation from other network segments, but not isolation between cameras — a compromised camera can reach all other cameras on the same VLAN.

Microsegmentation supplements VLANs by adding per-device or per-device-type policy enforcement within VLANs. This combination — VLANs for coarse zone separation, microsegmentation for fine-grained device-level control — provides a layered segmentation architecture that's both operationally manageable and security-effective. ORDR provides the device classification data needed to define effective VLAN assignments and the behavioral policy data needed for microsegmentation within VLANs.

Key Facts

802.1Q VLAN tagging is supported by virtually all enterprise-grade network switches
VLANs provide broadcast domain isolation but allow unrestricted intra-VLAN communication
Most enterprises have 20–50 VLANs but lack microsegmentation policies within them
Combining VLAN segmentation with ORDR microsegmentation policies reduces lateral movement paths by 90%+

How ORDR Addresses VLAN (Virtual Local Area Network)

ORDR recommends VLAN assignments for newly discovered devices based on their classification and generates microsegmentation policies that restrict communication within VLANs to only permitted device-type-to-device-type paths. ORDR integrates with NAC platforms to automate VLAN assignment at device connection time based on classification.

See ORDR in action

Frequently Asked Questions

Back to Glossary

Complete visibility across your entire attack surface.

ORDR unifies IT, IoT, and OT asset intelligence so your team can see—and act on—what matters most.

REQUEST A DEMO Platform Overview