Network segment

In computer networking, a segment is a defined portion of a larger network consisting of interconnected devices that share a common communications medium, enabling direct interactions such as broadcasts or potential collisions within that isolated area. These segments are typically bounded by networking devices that prevent traffic from propagating beyond their limits, forming logical or physical groupings for efficient resource sharing.

Network segments can be established through various methods, including physical separation via routers or bridges, which create distinct collision domains to minimize data packet interference, or logical division using virtual local area networks (VLANs) and switch configurations that segment traffic without altering cabling. In Ethernet environments, early implementations relied on hubs to form shared segments prone to collisions, but modern switches have largely eliminated this by assigning each port its own collision domain, allowing full-duplex communication.

The primary purposes of network segments include optimizing performance by containing broadcast traffic to reduce congestion and separating collision-prone areas, as well as bolstering security by limiting lateral movement of threats across the broader network. For instance, firewalls and access control lists can enforce policies at segment boundaries, minimizing the attack surface. Segments can also be monitored independently for issues like addressing conflicts or unauthorized access.

In contemporary networks, advanced techniques such as software-defined segmentation and micro-segmentation extend these principles by applying granular policies at the workload or application level, often using virtualized environments or identity-based controls to dynamically enforce isolation without relying solely on hardware. These evolutions address infrastructures where traditional physical segments may prove insufficient against sophisticated threats.

Definition and Fundamentals

Core Concept

A network segment is a portion of a network isolated from other portions, either physically through separate cabling or logically through protocol-based divisions, to constrain communication scope, minimize interference, and optimize resource use. This isolation ensures that data traffic, such as broadcasts or collisions, remains contained within the segment rather than propagating across the entire network, thereby enhancing overall efficiency. In foundational networking texts, segments are described as fundamental units within local area networks (LANs), where devices share a common medium like coaxial cable or twisted-pair wiring.

Key characteristics of a network segment include its shared medium, which allows devices within it to communicate directly, while boundaries prevent unwanted interactions with external parts of the network. Segments are designed to limit issues like broadcast storms, where excessive traffic floods the medium, or collision events in shared-access environments, thereby improving throughput. Additionally, they help mitigate security risks by isolating sensitive areas, ensuring that unauthorized access or threats do not easily spread. These properties make segments essential for scalable network design.

Isolation in network segments is achieved using boundary devices that filter or forward traffic selectively. Repeaters and hubs extend physical reach by regenerating signals but do not isolate, as they propagate all traffic across connected parts; in contrast, bridges and switches segment at the data link layer by learning MAC addresses and forwarding frames only to relevant ports, creating separate collision domains per connection. Routers provide higher-level segmentation at the network layer, using IP addresses to route traffic between segments and containing broadcasts within each. For instance, a bridge might connect two Ethernet runs while preventing collisions from one affecting the other.

A basic illustration of network segmentation depicts a central router linking multiple switches, each switch serving a distinct segment of end devices like computers and printers; arrows indicate intra-segment traffic flowing freely within each switch's segment, while inter-segment communication is directed through the router, demonstrating containment of local broadcasts and collisions. For example, in Ethernet networks, segments often correspond to collision domains, while in IP networks, they align with subnets.

Historical Development

The concept of network segmentation emerged in the 1970s alongside the development of early local area networks (LANs), particularly with the ARPANET's packet-switching foundations and the invention of Ethernet at Xerox PARC. In 1973, Robert Metcalfe and David Boggs at Xerox PARC created the first Ethernet prototype, using a shared medium where physical segment lengths were limited to approximately 500 meters in the initial configuration to mitigate signal attenuation and keep operation over the shared medium reliable. This design addressed signal degradation in early cabling while confining broadcasts and collisions to a single domain, laying the groundwork for segmenting networks to manage growing traffic loads.

Key milestones in the 1980s formalized these practices through standardization efforts. The Digital, Intel, and Xerox (DIX) consortium published the Ethernet specification in 1980, defining 10 Mbps operation over coaxial segments up to 500 meters. In 1983, the IEEE approved the 802.3 standard, which codified Ethernet's carrier-sense multiple access with collision detection (CSMA/CD) and segment constraints to prevent excessive latency from signal propagation delays. Concurrently, the introduction of bridges by Digital Equipment Corporation (DEC) in the mid-1980s marked a pivotal advancement; conceived in 1983 by Mark Kempf, the LANBridge 100 product launched in 1986, enabling segmentation of Ethernet into multiple collision domains by filtering traffic between cable segments and reducing overall collision rates.

The 1990s drove further evolution as LANs scaled from 10 Mbps shared media to higher speeds, necessitating segmentation beyond single collision domains to handle increased device counts and bandwidth demands. Hubs, which extended shared segments and amplified collisions, were increasingly replaced by switches starting in the early 1990s, allowing dedicated full-duplex links per port and effectively eliminating shared collision domains. This shift, building on bridging technology, supported growth from dozens to thousands of devices without proportional degradation.

Layer 2 Segmentation

Ethernet Segments

In Ethernet networks operating at Layer 2, a segment refers to a portion of the shared medium where devices contend for access using the CSMA/CD protocol, as defined in the original IEEE 802.3 standard for half-duplex operation. This protocol allows multiple devices to share the medium by sensing carrier activity before transmitting and detecting collisions during transmission, thereby defining the segment as the bounded area susceptible to such contention. Early Ethernet implementations, such as those at 10 Mbps, limited the overall extent to 2500 meters when using up to four repeaters to regenerate signals and prevent excessive propagation delay.

Physical segmentation in Ethernet relied on the wiring medium to create discrete, bounded areas for collision-prone transmission. In original setups using coaxial cable, such as 10BASE5 (thick Ethernet), individual segments consisted of up to 500 meters of 50-ohm coaxial cable with devices tapped in at intervals of at least 2.5 meters, terminated at ends to avoid signal reflections. Later standards shifted to twisted-pair wiring, as in 10BASE-T under IEEE 802.3i, where unshielded twisted-pair (UTP) cables formed star topologies with segments limited to 100 meters per link from hub to device, reducing susceptibility to interference through wire twisting. For 10BASE2 (thin Ethernet), coaxial segments were 185 meters, enabling cheaper deployment but still requiring careful termination.

Network devices played a key role in managing segment boundaries and collision propagation. Hubs, functioning as multi-port repeaters, extended the physical reach of a segment by regenerating signals but did not segment traffic, instead broadcasting to all ports and propagating collisions across the entire collision domain. In contrast, bridges connected multiple segments while providing early logical segmentation by learning MAC addresses in a table and forwarding frames only to the destination segment, thereby isolating collisions to individual segments and reducing overall contention.

In legacy Ethernet standards like 10BASE-T and 100BASE-TX, segments functioned as collision domains constrained by a slot time of 512 bit times to ensure reliable collision detection; the slot time is the time for a signal to traverse the domain round-trip at the medium's speed. This limit, equivalent to 51.2 microseconds at 10 Mbps, dictated maximum segment sizes to avoid late collisions. 100BASE-TX uses the same 512 bit-time slot but a shorter temporal duration of 5.12 microseconds due to the higher data rate, requiring stricter limits on collision domain diameters, though practical constraints from 100-meter UTP cabling often align the effective sizes.

Collision and Broadcast Domains

In Ethernet networks employing the Carrier Sense Multiple Access with Collision Detection (CSMA/CD) protocol, a collision domain refers to the portion of the network where data packets transmitted simultaneously from multiple devices can collide, leading to retransmission attempts and reduced throughput. Collisions occur in half-duplex mode on shared media, such as coaxial or twisted-pair segments connected via hubs, where devices compete for access and must detect and back off upon interference. Network bridges and switches mitigate this by segmenting the collision domain, forwarding frames only to the intended port based on MAC addresses, thereby isolating traffic and minimizing retries to enhance overall efficiency.

A broadcast domain, in contrast, defines the scope within a layer 2 network where broadcast frames, such as Address Resolution Protocol (ARP) requests, are propagated to all devices, potentially consuming bandwidth across the segment. These broadcasts are confined by layer 2 boundaries but extend across multiple connected segments without layer 3 intervention, as switches forward them to all ports except the originating one, unlike routers, which block them. In Ethernet, ARP broadcasts exemplify this, where a device floods the domain to resolve an IP address to a MAC address, ensuring all nodes in the domain receive and process the frame.

Modern switches further refine segmentation by creating micro-segments, treating each port as an independent collision domain in half-duplex configurations, which drastically reduces collision opportunities compared to hub-based shared media. In full-duplex mode, enabled on switch ports with dedicated transmit and receive paths, collisions are entirely eliminated, as devices can simultaneously send and receive without contention.

The impact of segmentation on collision probability can be modeled using a Poisson process for frame arrivals: assuming an arrival rate $\lambda$ (frames per unit time), the probability of no other frame arriving during the slot time $t$ is $e^{-\lambda t}$, so the approximate collision probability for a transmission is $P(\text{collision}) \approx 1 - e^{-\lambda t}$. This derivation stems from slotted CSMA/CD, where the slot time $t$ represents the minimum time needed to detect collisions reliably; if multiple arrivals occur within this window, a collision ensues, prompting backoff and retry. To arrive at this, consider the number of frame arrivals in the slot as a Poisson random variable with mean $\lambda t$; the probability of zero arrivals (successful transmission without interference) is the Poisson probability mass at 0, $e^{-\lambda t}$, hence the complement yields the collision risk.

A key parameter for sizing collision domains is Ethernet's slot time, defined as 512 bit times in IEEE 802.3 for 10 Mbps and 100 Mbps networks, equivalent to the transmission time of 64 bytes at the respective speeds. This duration ensures that a transmitting station can detect collisions before the frame fully propagates across the maximum network diameter, allowing proper backoff and preventing undetected errors; larger domains increase $\lambda t$, elevating collision rates and necessitating smaller segments for optimal performance. For Gigabit Ethernet, the slot time was extended to 4096 bit times to accommodate larger domains and maintain CSMA/CD viability in half-duplex configurations, though full-duplex operation predominates today.

Layer 3 Segmentation

IP Subnetting

IP subnetting is a technique used in Internet Protocol (IP) networks to divide a large address space into smaller, more manageable subnetworks, or subnets, by extending the network prefix with additional bits from the host portion to create a subnet portion. This process employs a subnet mask, which is a 32-bit number that distinguishes the network bits from the host bits in an IP address, allowing routers to logically segment the network without physical changes. For instance, a subnet mask of /24 indicates that the first 24 bits are used for the network prefix, leaving 8 bits for hosts, which provides up to 256 addresses (254 usable for hosts).

The introduction of Classless Inter-Domain Routing (CIDR) in 1993 enabled variable-length subnet masking (VLSM), which allows subnet masks of varying lengths to be applied flexibly across different parts of the network, promoting efficient IP address allocation and aggregation to mitigate the exhaustion of IPv4 addresses. Prior to CIDR, fixed class-based addressing (Classes A, B, C) led to wasteful allocation, but VLSM under CIDR permits hierarchical routing and supernetting, reducing the size of routing tables.

To calculate the number of subnets and hosts, subnetting borrows bits from the host portion of the original prefix; the number of subnets is $2^b$, where $b$ is the number of borrowed bits, and the number of usable hosts per subnet is $2^h - 2$, where $h$ is the number of remaining host bits (subtracting two addresses for the network and broadcast identifiers). For example, subnetting the 192.168.0.0/16 network (which has 16 network bits and 16 host bits, supporting 65,534 hosts) by borrowing 8 bits to create /24 subnets results in $2^8 = 256$ subnets, each with $2^8 - 2 = 254$ usable hosts. This method ensures precise division while maintaining compatibility with routing protocols.

In IPv6 networks, segmentation is based on prefixes rather than traditional subnetting: the 128-bit addresses are divided by prefix length, typically /64 for site-local networks to support autoconfiguration and a vast number of hosts (approximately 18 quintillion per subnet). Due to the enormous address space (3.4 × 10^38 addresses), there is less emphasis on conserving addresses through aggressive subnetting compared to IPv4, though prefixes can still be subdivided for organizational purposes, such as using /48 for sites and /64 for links. This approach simplifies deployment while enabling scalable segmentation.
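The IPv4 subnet arithmetic and VLSM described above can be carried through in code. The following is an added example, not part of the original article: it implements the 2^b and 2^h - 2 formulas and a largest-first VLSM allocator; the segment names and host counts are constructed for illustration.

```python
import ipaddress


def subnet_count(old_prefix: int, new_prefix: int) -> int:
    """Number of subnets created by borrowing b = new - old bits: 2^b."""
    return 2 ** (new_prefix - old_prefix)


def usable_hosts(prefixlen: int) -> int:
    """Usable IPv4 hosts with h = 32 - prefixlen host bits: 2^h - 2."""
    return 2 ** (32 - prefixlen) - 2


def prefix_for_hosts(hosts: int) -> int:
    """Longest prefix whose subnet still holds `hosts` usable addresses.

    We need the smallest h with 2^h >= hosts + 2 (network and broadcast
    addresses are not usable), which is (hosts + 1).bit_length().
    """
    if hosts < 1:
        raise ValueError("a segment needs at least one host")
    return 32 - (hosts + 1).bit_length()


def vlsm_allocate(block: str, requirements: dict) -> dict:
    """Carve `block` into variable-length subnets, largest requirement first.

    Allocating in descending size order from an aligned starting address
    keeps every subnet aligned on its own boundary.
    """
    parent = ipaddress.IPv4Network(block)
    cursor = int(parent.network_address)
    end = int(parent.broadcast_address) + 1
    plan = {}
    ordered = sorted(requirements.items(), key=lambda kv: kv[1], reverse=True)
    for name, hosts in ordered:
        prefixlen = prefix_for_hosts(hosts)
        size = 2 ** (32 - prefixlen)
        if cursor + size > end:
            raise ValueError(f"{block} has no room left for segment {name!r}")
        plan[name] = ipaddress.IPv4Network((cursor, prefixlen))
        cursor += size
    return plan


# Constructed sample: four segments with different sizes sharing one /24.
SAMPLE_REQUIREMENTS = {"servers": 100, "staff": 50, "voice": 25, "uplink": 2}

if __name__ == "__main__":
    print("/16 -> /24:", subnet_count(16, 24), "subnets,",
          usable_hosts(24), "usable hosts each")
    for name, net in vlsm_allocate("192.168.0.0/24", SAMPLE_REQUIREMENTS).items():
        print(f"{name:8} {str(net):18} {usable_hosts(net.prefixlen)} usable hosts")
```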

Routing and Segmentation

Routers operate at Layer 3 of the OSI model and serve as the primary devices for interconnecting IP segments, forwarding packets based on their IP headers to direct traffic between different subnets while inherently blocking broadcast traffic to prevent it from propagating across segments. By examining the destination IP address against their routing tables, routers determine the optimal path, ensuring that only relevant packets cross segment boundaries and maintaining logical isolation between networks. This separation is fundamental to Layer 3 segmentation, as routers do not forward Layer 2 broadcasts, such as ARP requests, beyond the originating subnet, thereby containing broadcast domains within individual IP segments.

To enable communication between segments, routers employ routing protocols that dynamically discover and advertise routes to remote networks. The Open Shortest Path First (OSPF) protocol, an interior gateway protocol (IGP), uses link-state advertisements to build a map of the network, allowing routers to calculate shortest paths to IP segments within an autonomous system. Similarly, Border Gateway Protocol (BGP), an exterior gateway protocol (EGP), facilitates route exchange between autonomous systems, enabling large-scale segment discovery across the Internet by considering policy attributes like path length and preferences. For smaller or static environments, manual configuration of static routes provides a simple alternative, where administrators explicitly define paths to specific segments without relying on protocol exchanges, though this lacks the adaptability of dynamic methods.

Segmentation enhances efficiency through techniques like route summarization, where multiple smaller subnets are aggregated into a single larger prefix advertised to neighboring routers, significantly reducing the overall size of routing tables. For instance, several /24 subnets within the 192.168.0.0/ range can be summarized as a single /16 route, minimizing the number of entries that routers must process and store, which conserves memory and CPU resources. This aggregation also decreases bandwidth usage on links by limiting the volume of routing updates propagated across the network.

Access control lists (ACLs) on routers further enforce policy-based segmentation by inspecting and filtering traffic flows between IP segments according to predefined rules, such as permitting or denying packets based on source/destination addresses, ports, or protocols. Standard and extended ACLs can be applied inbound or outbound on interfaces to create granular barriers, ensuring that only authorized inter-segment communication occurs while blocking unauthorized access attempts. This mechanism integrates with routing and is often used in conjunction with subnet masks to define segment boundaries precisely.
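To make the ACL behaviour above concrete, here is an added example (not from the original article) that evaluates inter-segment flows against an ordered rule list and reports rules that can never match because an earlier rule covers them. It assumes the first-match, implicit-deny semantics common to router ACLs; the segment prefixes and rules are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", or "ip" (any protocol)
    src: str                     # source prefix in CIDR notation
    dst: str                     # destination prefix in CIDR notation
    dport: Optional[int] = None  # destination port; None matches any port


def matches(rule: Rule, proto: str, src_ip: str, dst_ip: str,
            dport: Optional[int]) -> bool:
    """True if the packet's protocol, addresses and port all match the rule."""
    return (
        rule.proto in ("ip", proto)
        and ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src)
        and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dst)
        and (rule.dport is None or rule.dport == dport)
    )


def evaluate(acl: List[Rule], proto: str, src_ip: str, dst_ip: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, index of deciding rule); index None = implicit deny."""
    for index, rule in enumerate(acl):
        if matches(rule, proto, src_ip, dst_ip, dport):
            return rule.action, index
    return "deny", None


def covers(earlier: Rule, later: Rule) -> bool:
    """True if every packet matching `later` already matches `earlier`."""
    return (
        earlier.proto in ("ip", later.proto)
        and ipaddress.ip_network(later.src).subnet_of(ipaddress.ip_network(earlier.src))
        and ipaddress.ip_network(later.dst).subnet_of(ipaddress.ip_network(earlier.dst))
        and (earlier.dport is None or earlier.dport == later.dport)
    )


def shadowed_rules(acl: List[Rule]) -> List[Tuple[int, int]]:
    """List (shadowed index, covering index) pairs: rules that never fire."""
    findings = []
    for j, later in enumerate(acl):
        for i in range(j):
            if covers(acl[i], later):
                findings.append((j, i))
                break
    return findings


# Constructed segments: staff 192.168.10.0/24, servers 192.168.20.0/24,
# guest 192.168.30.0/24. Rule 2 sits after the broader deny in rule 1.
SAMPLE_ACL = [
    Rule("permit", "tcp", "192.168.10.0/24", "192.168.20.0/24", 443),
    Rule("deny",   "ip",  "192.168.30.0/24", "192.168.0.0/16"),
    Rule("permit", "tcp", "192.168.30.0/24", "192.168.20.0/24", 443),
    Rule("permit", "ip",  "192.168.30.0/24", "0.0.0.0/0"),
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_ACL, "tcp", "192.168.10.7", "192.168.20.10", 443))
    print(evaluate(SAMPLE_ACL, "tcp", "192.168.30.5", "192.168.20.10", 443))
    print("shadowed:", shadowed_rules(SAMPLE_ACL))
```

Running the shadow check before deploying a rule change shows when rule order, rather than rule content, decides what crosses a segment boundary.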

Applications and Benefits

Performance Optimization

Network segmentation enhances efficiency by confining traffic to relevant subsets of the network, thereby minimizing contention for shared resources and optimizing utilization. In traditional shared media environments like hubbed Ethernet, broadcasts and collisions flood the entire domain, wasting significant bandwidth on unnecessary packet transmissions. Segmentation, particularly through switching, isolates these interactions into smaller collision domains, limiting floods and enabling dedicated paths for data.

This approach also delivers notable latency improvements by accelerating critical processes such as address resolution. In smaller segments, protocols like ARP broadcast queries to fewer devices, reducing resolution times and the incidence of retries from collisions. Consequently, network throughput can rise from approximately 30% of capacity in heavily loaded shared media under CSMA/CD to near-line-rate performance in segmented switched environments, where full-duplex operation eliminates collisions entirely.

Furthermore, segmentation promotes scalability by allowing concurrent flows across independent segments, preventing bottlenecks as networks expand. This parallelization supports growth to thousands of nodes, such as in large data centers, without degrading overall performance, as each segment operates autonomously.

A practical example is found in LANs where segmenting departments isolates VoIP traffic from general data flows, significantly reducing jitter and ensuring low-latency voice communications essential for business operations. For instance, hospitals or offices using VLAN-based segmentation for voice segments report improved call quality even during peak usage.

Security and Isolation

Network segmentation plays a crucial role in enhancing cybersecurity by containing threats within defined boundaries, thereby limiting the potential for widespread compromise. By dividing a network into isolated segments, organizations can prevent lateral movement of attackers or malware, which often exploits broadcast traffic or interconnected systems to propagate. For instance, in traditional broadcast domains, malware can spread rapidly across an entire segment if unchecked; segmentation restricts this by enforcing boundaries that contain infections to a single area, reducing the overall impact of an attack. This approach aligns with zero-trust models, where micro-segmentation further granularizes isolation, assuming no inherent trust within the network and verifying access continuously.

Implementation of security through segmentation typically involves deploying firewalls at the edges of each segment to enforce access controls and inspect traffic between zones. These firewalls act as choke points, filtering unauthorized communications and preventing threats from crossing boundaries. A common application is the demilitarized zone (DMZ), a segmented public-facing area that hosts external services like web servers, isolated from internal networks to shield sensitive assets from direct exposure. Proper configuration ensures that even if a DMZ system is breached, attackers cannot easily pivot to core infrastructure.

Standards such as NIST SP 800-207 outline zero-trust architecture principles for protecting resources without relying on network perimeters alone. This framework promotes explicit verification and policy enforcement at segment boundaries, supporting micro-segmentation for fine-grained control. Real-world examples underscore the consequences of inadequate segmentation; the 2013 Target breach, where hackers accessed payment systems due to poor segmentation between vendor networks and sensitive environments, resulted in the theft of 40 million credit card details and highlighted how segmentation failures enable rapid escalation.

By isolating critical assets in dedicated segments, segmentation significantly reduces the attack surface, with implementations often achieving 80-90% risk reduction through containment and limited exposure pathways. This isolation not only complies with regulatory requirements but also minimizes costs by scoping audits to smaller, manageable zones. Overall, such practices fortify defenses against evolving threats, ensuring that breaches remain localized and manageable.

Modern Implementations

VLANs and Virtual Segmentation

Virtual Local Area Networks (VLANs) provide a method for logical segmentation at Layer 2 of the OSI model, allowing multiple isolated broadcast domains to coexist on the same physical network infrastructure without requiring additional hardware or rewiring. Defined by the IEEE 802.1Q standard, first published in 1998, VLANs enable switches to assign ports to specific virtual networks, effectively dividing a single physical switch into multiple logical segments. This approach extends the concept of broadcast domains by containing broadcasts within each VLAN, preventing them from propagating across the entire physical network.

The core mechanism of VLANs relies on tagging Ethernet frames with a 4-byte header inserted after the source MAC address, which includes a 12-bit VLAN Identifier (VID) field capable of supporting up to 4096 unique VLANs (with VLAN IDs 0 and 4095 reserved for special purposes). On trunk ports, which interconnect switches or carry traffic between devices, frames from multiple VLANs are tagged to maintain separation, allowing a single physical link to transport traffic for several logical segments simultaneously. In contrast, access ports connect end-user devices and operate in untagged mode, associating all traffic on that port with a single, default VLAN. This tagging ensures that frames are filtered and forwarded only within their assigned VLAN by compliant bridges and switches.

Configuration of VLANs involves assigning switch ports to specific VLANs through management interfaces, such as command-line tools or graphical utilities on modern switches. Access ports are statically or dynamically assigned to one VLAN, while trunk ports are configured to allow a range of VLANs and often include a native VLAN for untagged traffic. For communication between VLANs, inter-VLAN routing is required, typically implemented via Layer 3 switches or external routers that perform address translation and forwarding at the IP level.

This setup is particularly advantageous in dynamic environments like corporate offices, where it reduces costs by leveraging existing cabling for flexible segmentation, for instance by isolating guest traffic into a dedicated VLAN (e.g., VLAN 25) to enhance security without physical rewiring. Overall, VLANs improve performance by minimizing broadcast overhead and bolster manageability in scalable deployments.
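The tag layout and port behaviour described above, as an added example that is not part of the original article: a parser for the 4-byte 802.1Q tag and a function that decides which VLAN a frame belongs to on an access or trunk port. The port model is an assumption of this sketch (access ports drop tagged frames, VID 0 is treated as a priority tag, VID 4095 is dropped); real switches make some of these choices configurable. MAC addresses and frames are constructed samples.

```python
import struct
from dataclasses import dataclass
from typing import FrozenSet, Optional

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes = b"",
                vid: Optional[int] = None, pcp: int = 0, dei: int = 0) -> bytes:
    """Build an Ethernet frame; if `vid` is given, insert the tag after the source MAC."""
    header = dst + src
    if vid is not None:
        if not 0 <= vid <= 0x0FFF:
            raise ValueError("VID is a 12-bit field")
        tci = (pcp << 13) | (dei << 12) | vid  # 3-bit PCP, 1-bit DEI, 12-bit VID
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Split a frame into MACs, optional 802.1Q fields, EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    vid = pcp = dei = None
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        pcp, dei, vid = tci >> 13, (tci >> 12) & 1, tci & 0x0FFF
        offset = 18
    return {"dst": frame[:6], "src": frame[6:12], "vid": vid, "pcp": pcp,
            "dei": dei, "ethertype": ethertype, "payload": frame[offset:]}


@dataclass(frozen=True)
class Port:
    mode: str                               # "access" or "trunk"
    vlan: int = 1                           # access VLAN, or native VLAN on a trunk
    allowed: FrozenSet[int] = frozenset()   # VIDs a trunk will carry


def classify(port: Port, frame: bytes) -> Optional[int]:
    """Return the VLAN the frame is placed in, or None if the port drops it."""
    vid = parse_frame(frame)["vid"]
    if vid == 4095:
        return None                # reserved VID
    if vid in (None, 0):
        return port.vlan           # untagged or priority-tagged: port's own VLAN
    if port.mode == "access":
        return None                # assumption: access ports reject tagged frames
    return vid if vid in port.allowed else None


# Constructed sample MACs (locally administered) and ports.
DST = bytes.fromhex("020000000002")
SRC = bytes.fromhex("020000000001")
TRUNK = Port("trunk", vlan=1, allowed=frozenset({10, 25}))
GUEST_ACCESS = Port("access", vlan=25)

if __name__ == "__main__":
    guest = build_frame(DST, SRC, 0x0800, b"data", vid=25)
    print(parse_frame(guest))
    print("trunk places it in VLAN", classify(TRUNK, guest))
```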

SDN and Network Segmentation

Software-defined networking (SDN) decouples the control plane, which makes decisions on traffic forwarding, from the data plane, which handles packet forwarding, thereby making network behavior programmable and dynamic. This separation allows centralized controllers to manage network behavior through software, facilitating rapid reconfiguration and innovation in segmentation strategies. The foundational OpenFlow protocol, proposed in 2008 by researchers at Stanford University, provides a southbound interface for controllers to install flow rules directly on switches, supporting fine-grained control over traffic paths and isolation.

In SDN environments, segmentation is implemented via flow-based rules that define match-action pairs to create on-demand, virtual segments tailored to specific policies or traffic patterns, offering greater flexibility than traditional hardware-based methods. For instance, these rules can isolate traffic flows in real time, preventing lateral movement in case of breaches. Network functions virtualization (NFV) complements SDN by virtualizing security functions, such as deploying virtual firewalls as software instances on commodity hardware to enforce segmentation policies dynamically. This integration allows virtual firewalls to scale with demand and integrate seamlessly with SDN controllers for policy enforcement across distributed networks.

Key tools for managing SDN-based segmentation include open-source controllers like ONOS and Ryu, which orchestrate segments across multi-cloud infrastructures. ONOS, developed by the Open Networking Foundation, supports high-availability clustering and real-time control for carrier-grade deployments, enabling operators to provision isolated segments for diverse services without proprietary hardware. Ryu, a lightweight Python-based framework, simplifies application development for flow rule installation and monitoring, making it suitable for cloud-scale segmentation in experimental and production environments. These controllers facilitate approaches such as intent-based networking, where high-level policies are translated into low-level rules for segment isolation.

SDN's programmability has been pivotal in integrating with 5G network slicing, as outlined in 3GPP Release 15 and subsequent standards from 2018 onward, with enhanced management specifications in Release 16 (2020) and beyond. This allows SDN controllers to dynamically allocate resources for end-to-end slices, each acting as a logically isolated segment optimized for use cases like ultra-reliable low-latency communications or massive machine-type communications. Post-2020 advancements, including orchestration frameworks, enable SDN to handle slice lifecycle management, from instantiation to scaling, across radio access and core networks.

Looking ahead, trends in SDN emphasize AI-driven auto-segmentation to support zero-trust architectures in hybrid networks. As of 2025, adoption is growing, with surveys indicating 38% of organizations implementing zero-trust principles and 42% planning to do so within the next year. This is driven by algorithms that analyze traffic patterns and threats in real time to automatically generate and adjust flow rules, creating micro-segments that verify every access request without implicit trust. This approach enhances resilience in multi-cloud environments, where traditional manual segmentation falls short against evolving cyber threats.

    Aug 1, 2006 · In full-duplex Ethernet, collision detection is disabled. ... Collisions are not bad; they are essential to correct Ethernet operation.
  31. [31]
    [PDF] CSMA, CSMA/CD and Ethernet - MIT
    probability of collision. • Unslotted CSMA has a smaller effective value of β than slotted CSMA. – Essentially β becomes average instead of maximum ...
  32. [32]
    RFC 950: Internet Standard Subnetting Procedure
    RFC 950 specifies procedures for using subnets, which are logically visible sub-sections of a single Internet network, for hosts.
  33. [33]
    RFC 4291: IP Version 6 Addressing Architecture
    This specification defines the addressing architecture of the IP Version 6 protocol. It includes the basic formats for the various types of IPv6 addresses.
  34. [34]
    Configure IP Access Lists - Cisco
    Introduction. This document describes various types of IP Access Control Lists (ACLs) and how they can filter network traffic.
  35. [35]
    Configuring IP Routing [Cisco IOS Software Releases 11.0]
    This chapter describes how to configure IP routing protocols, which are divided into Interior Gateway Protocols (IGPs) and Exterior Gateway Protocols (EGPs).
  36. [36]
    [PDF] Route Summarization - Cisco
    Route summarization simplifies route tables by replacing many specific addresses with an single address. For example, 10.1.1.0/24, 10.1.2.0/24, ...
  37. [37]
    Route Summarization > BGP Fundamentals | Cisco Press
    Jan 1, 2018 · Route summarization conserves router resources, accelerates path calculation, and reduces routing churn by reducing the size of the BGP table.
  38. [38]
    Cisco Software-Defined Access Solution Design Guide
    Feb 25, 2025 · For example, specific SGTs or port-based Access Control Lists (ACLs) can limit and prevent east-west communication. Further protection can ...
  39. [39]
    [PDF] Hubs Versus Switches—Understand the Tradeoffs
    With the introduction of switching hubs as a replacement for repeating hubs, network performance was enhanced by breaking up one collision domain into several.Missing: efficiency | Show results with:efficiency
  40. [40]
  41. [41]
    (PDF) Voice Over IP (VoIP) for Enterprise Networks - ResearchGate
    The widespread interest in VoIP is not necessarily the ability of IP to carry voice traffic but the ability to carry voice and fax traffic over data networks.
  42. [42]
    Cybersecurity 101: What is Network Segmentation? - Illumio
    Network segmentation means breaking a large network into smaller, separate sections to stop the spread of breaches, also called lateral movement.
  43. [43]
    Network Segmentation: Your Last Line of Defense? - Exabeam
    Learn why network segmentation is critical to preventing insider threats and lateral movement, and avoid important segmentation pitfalls.
  44. [44]
    [PDF] Zero Trust Architecture - NIST Technical Series Publications
    Zero trust focuses on protecting resources (assets, services, workflows, network accounts, etc.), not network segments, as the network location is no longer.
  45. [45]
    [PDF] Layering Network Security Through Segmentation Infographic - CISA
    Properly implemented Demilitarized Zones1 (DMZs) and firewalls can prevent a malicious actor's attempts to access high-value assets by shielding the network ...
  46. [46]
    Improving ICS/OT Security Perimeters with Network Segmentation
    May 18, 2022 · Firewalls segment networks by inspecting the network traffic and filtering the traffic based on security policies. A well configured firewall ...Understanding The Security... · Strategic Ot Network... · Implementing Network...
  47. [47]
    Mastering DMZ Network Segmentation: The Key to Strengthening ...
    Dec 5, 2024 · DMZ network segmentation involves setting up a network area that acts as a buffer zone between your internal network and external sources (like the internet).
  48. [48]
    SP 800-207, Zero Trust Architecture | CSRC
    This document contains an abstract definition of zero trust architecture (ZTA) and gives general deployment models and use cases where zero trust could improve ...
  49. [49]
    Target breach happened because of a basic network segmentation ...
    Feb 6, 2014 · The massive data breach at Target last month may have resulted partly from the retailer's failure to properly segregate systems handling sensitive payment card ...
  50. [50]
    [PDF] A “Kill Chain” Analysis of the 2013 Target Data Breach
    Mar 26, 2014 · Target appears to have failed to respond to multiple automated warnings from the company's anti-intrusion software that the attackers were ...
  51. [51]
    Illumio Zero Trust Segmentation Delivers Provable Risk Reduction ...
    Mar 30, 2023 · Illumio customers have shared stories about how Zero Trust Segmentation delivers value, from five-nines availability to an 80% reduction in attack surface.
  52. [52]
    Maximizing Microsegmentation ROI: Essential KPIs for Security ...
    Aug 13, 2025 · The integrated approach demonstrated in the table above shows an 89.2% reduction in overall attack surface.
  53. [53]
    IEEE 802.1Q-2018
    Jul 6, 2018 · This standard specifies Bridges that interconnect individual LANs, each supporting the IEEE 802 MAC Service using a different or identical media ...<|control11|><|separator|>
  54. [54]
    Configuring 802.1Q VLAN Interfaces [Cisco 8000 Series Routers]
    Jun 1, 2025 · The 802.1Q standard is intended to address the problem of how to divide large networks into smaller parts so broadcast and multicast traffic ...
  55. [55]
    802.1Q Encapsulation Explained - NetworkLessons.com
    802.1Q is an industry-standard VLAN trunking protocol supported by most network vendors; It inserts a 4-byte tag into Ethernet frames containing a VLAN ...
  56. [56]
    Fundamentals of 802.1Q VLAN Tagging
    Oct 25, 2024 · The purpose of a tagged or "trunked" port is to pass traffic for multiple VLANs, whereas an untagged or "access" port accepts traffic for only a ...
  57. [57]
    [PDF] Configuring 802.1Q VLAN Interfaces - Cisco
    802.1Q Tagged Frames. The IEEE 802.1Q tag-based VLAN uses an extra tag in the MAC header to identify the VLAN membership of a frame across bridges.
  58. [58]
    Configuring a Guest Wireless Network - Cisco
    Dec 13, 2018 · In this example VLAN ID 25 is chosen for the guest network. Step 4. In the Description field, enter a name for the VLAN.
  59. [59]
    IEEE 802.1Q – VLAN Tagging and Trunking in Networking
    Mar 16, 2025 · VLANs allow network administrators to segment a physical network into multiple logical networks, improving security, efficiency, and management.Missing: benefits | Show results with:benefits
  60. [60]
    [PDF] OpenFlow: Enabling Innovation in Campus Networks
    ABSTRACT. This whitepaper proposes OpenFlow: a way for researchers to run experimental protocols in the networks they use ev- ery day. OpenFlow is based on ...
  61. [61]
    RFC 7426 - Software-Defined Networking (SDN) - IETF Datatracker
    Software-Defined Networking (SDN) refers to a new approach for network programmability, that is, the capacity to initialize, control, change, and manage ...<|separator|>
  62. [62]
    Software-Defined Networking (SDN) and SDN Security - Cisco Press
    Apr 17, 2024 · NFV allows you to create a virtual instance of a virtual node such as a firewall that can be deployed where it is needed, in a flexible way ...
  63. [63]
    [PDF] VNGuard: An NFV/SDN Combination Framework for Provisioning ...
    However, the work in this paper at- tempts to investigate solutions for effectively provisioning and managing virtual firewalls in context of NFV. Zhang et ...
  64. [64]
    ONOS SDN Controller for SDN/NFV Solutions
    ONOS supports both configuration and real-time control of the network, eliminating the need to run routing and switching control protocols inside the network ...Missing: Ryu | Show results with:Ryu
  65. [65]
    Ryu SDN Framework
    Ryu is a component-based software defined networking framework. Ryu provides software components with well defined API that make it easy for developers.Ryu Certification · Resources · Community
  66. [66]
    5G Network slice management - 3GPP
    Jul 10, 2023 · A network slice is a logical network that provides specific network capabilities and network characteristics, supporting various service properties for network ...
  67. [67]
    [PDF] ETSI TS 128 530 V16.3.0 (2020-10)
    The present document specifies the concepts, use cases and requirements for management of network slicing in mobile networks. The 3GPP management system ...
  68. [68]
    Autonomous identity-based threat segmentation for zero trust ...
    This research proposes an AI-driven, autonomous, identity-based threat segmentation framework for ZTA. Behavioral analytics provide real-time risk scores by ...
  69. [69]
    2025 Network Management Trends: AI, 5G & Security Innovations ...
    May 28, 2025 · Discover how AI automation and Zero Trust architecture are transforming network management. Explore 2025's top tools for hybrid cloud ...