Designs and implements VLAN-based network segmentation on managed switches to isolate network zones, enforce access control between segments, and reduce the attack surface by limiting lateral movement paths in enterprise network environments.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionconfiguring-network-segmentation-with-vlansExecute the skills CLI command in your project's root directory to begin installation:
Fetches configuring-network-segmentation-with-vlans from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate configuring-network-segmentation-with-vlans. Access via /configuring-network-segmentation-with-vlans in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
8.6K
stars
| name | configuring-network-segmentation-with-vlans |
| description | 'Designs and implements VLAN-based network segmentation on managed switches to isolate network zones, enforce access control between segments, and reduce the attack surface by limiting lateral movement paths in enterprise network environments. ' |
| domain | cybersecurity |
| subdomain | network-security |
| tags | - network-security - vlan - network-segmentation - switch-security - 802.1q |
| version | '1.0' |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | - PR.IR-01 - DE.CM-01 - ID.AM-03 - PR.DS-02 |
Do not use VLANs as the sole security control without Layer 3 filtering, for isolating networks that require air-gapping, or without proper switch hardening against VLAN hopping attacks.
# Define VLANs based on security zones and function
VLAN Plan:
VLAN 10 - CORPORATE (10.10.10.0/24) - Employee workstations
VLAN 20 - SERVERS (10.10.20.0/24) - Internal servers
VLAN 30 - DMZ (10.10.30.0/24) - Internet-facing servers
VLAN 40 - GUEST (10.10.40.0/24) - Guest WiFi
VLAN 50 - IOT (10.10.50.0/24) - IoT/OT devices
VLAN 60 - VOIP (10.10.60.0/24) - VoIP phones
VLAN 100 - MANAGEMENT (10.10.100.0/24) - Switch/AP management
VLAN 999 - QUARANTINE (10.10.99.0/24) - Isolated/compromised hosts
VLAN 998 - NATIVE_UNUSED - Native VLAN (no traffic)
# Traffic flow matrix:
# CORPORATE -> SERVERS: Allowed (specific ports)
# CORPORATE -> DMZ: Allowed (HTTP/HTTPS only)
# CORPORATE -> GUEST: Denied
# CORPORATE -> IOT: Denied
# GUEST -> Any Internal: Denied
# IOT -> SERVERS: Allowed (specific ports to specific hosts only)
# DMZ -> SERVERS: Allowed (database ports only)
# MANAGEMENT -> All: Allowed (from management stations only)
! Enter configuration mode
enable
configure terminal
! Create VLANs
vlan 10
name CORPORATE
exit
vlan 20
name SERVERS
exit
vlan 30
name DMZ
exit
vlan 40
name GUEST
exit
vlan 50
name IOT
exit
vlan 60
name VOIP
exit
vlan 100
name MANAGEMENT
exit
vlan 998
name NATIVE_UNUSED
exit
vlan 999
name QUARANTINE
exit
! Configure access ports for workstations (VLAN 10)
interface range GigabitEthernet1/0/1-24
switchport mode access
switchport access vlan 10
switchport nonegotiate
spanning-tree portfast
spanning-tree bpduguard enable
no shutdown
exit
! Configure access ports for servers (VLAN 20)
interface range GigabitEthernet1/0/25-36
switchport mode access
switchport access vlan 20
switchport nonegotiate
spanning-tree portfast
spanning-tree bpduguard enable
no shutdown
exit
! Configure trunk ports to other switches
interface GigabitEthernet1/0/48
switchport mode trunk
switchport trunk encapsulation dot1q
switchport trunk native vlan 998
switchport trunk allowed vlan 10,20,30,40,50,60,100
switchport nonegotiate
no shutdown
exit
! Configure trunk to firewall/router
interface GigabitEthernet1/0/47
switchport mode trunk
switchport trunk encapsulation dot1q
switchport trunk native vlan 998
switchport trunk allowed vlan 10,20,30,40,50,60,100
switchport nonegotiate
no shutdown
exit
! Shutdown unused ports
interface range GigabitEthernet1/0/37-46
shutdown
switchport mode access
switchport access vlan 999
exit
! Disable DTP on all ports (prevents switch spoofing)
interface range GigabitEthernet1/0/1-46
switchport nonegotiate
exit
! Set native VLAN to unused VLAN on all trunks
interface range GigabitEthernet1/0/47-48
switchport trunk native vlan 998
exit
! Enable DHCP Snooping
ip dhcp snooping
ip dhcp snooping vlan 10,20,30,40,50,60
interface GigabitEthernet1/0/47
ip dhcp snooping trust
exit
! Enable Dynamic ARP Inspection
ip arp inspection vlan 10,20,30,40,50,60
interface GigabitEthernet1/0/47
ip arp inspection trust
exit
! Enable IP Source Guard (prevents IP spoofing)
interface range GigabitEthernet1/0/1-36
ip verify source
exit
! Enable Port Security
interface range GigabitEthernet1/0/1-24
switchport port-security
switchport port-security maximum 2
switchport port-security violation restrict
switchport port-security aging time 60
exit
! Set VTP to transparent mode (prevents VTP attacks)
vtp mode transparent
! Enable BPDU Guard globally
spanning-tree portfast bpduguard default
! Enable Storm Control
interface range GigabitEthernet1/0/1-36
storm-control broadcast level 10
storm-control multicast level 10
storm-control action shutdown
exit
! On the Layer 3 switch or firewall, configure SVIs
interface Vlan10
ip address 10.10.10.1 255.255.255.0
no shutdown
exit
interface Vlan20
ip address 10.10.20.1 255.255.255.0
no shutdown
exit
interface Vlan30
ip address 10.10.30.1 255.255.255.0
no shutdown
exit
interface Vlan40
ip address 10.10.40.1 255.255.255.0
no shutdown
exit
interface Vlan50
ip address 10.10.50.1 255.255.255.0
no shutdown
exit
! ACL: Corporate to Servers (allow specific services)
ip access-list extended CORP-TO-SERVERS
permit tcp 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 80
permit tcp 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 443
permit tcp 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 445
permit udp 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 53
permit icmp 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 echo
deny ip any any log
exit
! ACL: Guest to Internet only (deny all internal)
ip access-list extended GUEST-OUTBOUND
deny ip 10.10.40.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 10.10.40.0 0.0.0.255 172.16.0.0 0.15.255.255
deny ip 10.10.40.0 0.0.0.255 192.168.0.0 0.0.255.255
permit tcp 10.10.40.0 0.0.0.255 any eq 80
permit tcp 10.10.40.0 0.0.0.255 any eq 443
permit udp 10.10.40.0 0.0.0.255 any eq 53
deny ip any any log
exit
! ACL: IoT limited access
ip access-list extended IOT-OUTBOUND
permit tcp 10.10.50.0 0.0.0.255 host 10.10.20.10 eq 443
permit tcp 10.10.50.0 0.0.0.255 any eq 443
permit udp 10.10.50.0 0.0.0.255 host 10.10.20.1 eq 53
deny ip 10.10.50.0 0.0.0.255 10.10.50.0 0.0.0.255 log
deny ip any any log
exit
! Apply ACLs to VLAN interfaces
interface Vlan10
ip access-group CORP-TO-SERVERS out
exit
interface Vlan40
ip access-group GUEST-OUTBOUND in
exit
interface Vlan50
ip access-group IOT-OUTBOUND in
exit
! DHCP pools for each VLAN
ip dhcp pool CORPORATE
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 10.10.20.10
domain-name corp.example.com
lease 1
exit
ip dhcp pool GUEST
network 10.10.40.0 255.255.255.0
default-router 10.10.40.1
dns-server 1.1.1.1 8.8.8.8
lease 0 4
exit
ip dhcp pool IOT
network 10.10.50.0 255.255.255.0
default-router 10.10.50.1
dns-server 10.10.20.10
lease 7
exit
! Exclude gateway and server IPs from DHCP pools
ip dhcp excluded-address 10.10.10.1 10.10.10.10
ip dhcp excluded-address 10.10.40.1 10.10.40.10
ip dhcp excluded-address 10.10.50.1 10.10.50.10
# From a workstation on VLAN 10 (Corporate):
# Should succeed:
ping 10.10.20.10 # Server access
curl https://10.10.20.10 # HTTPS to server
# Should fail:
ping 10.10.40.100 # Guest VLAN - should be blocked
ping 10.10.50.100 # IoT VLAN - should be blocked
# From a device on VLAN 40 (Guest):
# Should succeed:
ping 8.8.8.8 # Internet access
curl https://www.google.com
# Should fail:
ping 10.10.10.1 # Corporate gateway - blocked
ping 10.10.20.10 # Server - blocked
# Verify switch configuration
show vlan brief
show interfaces trunk
show ip arp inspection statistics
show ip dhcp snooping binding
show port-security
show ip access-lists
# Run VLAN hopping tests (from authorized pentest)
# These should all fail if hardening is correct:
# 1. DTP negotiation - should fail (nonegotiate)
# 2. Double tagging - should fail (native VLAN 998)
# 3. ARP spoofing - should fail (DAI enabled)
| Term | Definition |
|---|---|
| VLAN (Virtual LAN) | Logical network partition at Layer 2 that groups switch ports into isolated broadcast domains, regardless of physical location |
| 802.1Q Trunking | IEEE standard for VLAN tagging that adds a 4-byte header to Ethernet frames, identifying which VLAN a frame belongs to across trunk links |
| Inter-VLAN Routing | Layer 3 forwarding of traffic between VLANs using a router, Layer 3 switch, or firewall with access control lists |
| Native VLAN | VLAN assigned to untagged frames on trunk ports; should be set to an unused VLAN to prevent VLAN hopping attacks |
| DHCP Snooping | Switch feature that validates DHCP messages and builds a binding table of IP-MAC-port mappings, preventing rogue DHCP servers |
| Port Security | Switch feature that limits the number of MAC addresses per port and takes action (shutdown, restrict) when violated |
Context: A retail chain must isolate their payment card processing systems from the general corporate network to meet PCI-DSS requirements. The current flat network has point-of-sale terminals, employee workstations, inventory servers, and guest WiFi on a single VLAN. The environment uses Cisco Catalyst 9300 switches.
Approach:
Pitfalls:
## Network Segmentation Implementation Report
**Network**: Retail Store #42
**Switch Platform**: Cisco Catalyst 9300
**VLANs Configured**: 8
### VLAN Summary
| VLAN ID | Name | Subnet | Ports | Purpose |
|---------|------|--------|-------|---------|
| 10 | CORPORATE | 10.10.10.0/24 | Gi1/0/1-24 | Employee workstations |
| 20 | SERVERS | 10.10.20.0/24 | Gi1/0/25-36 | Internal servers |
| 30 | DMZ | 10.10.30.0/24 | Gi2/0/1-4 | Internet-facing |
| 40 | GUEST | 10.10.40.0/24 | WiFi AP trunk | Guest WiFi |
| 50 | CDE | 10.10.50.0/24 | Gi2/0/5-12 | POS terminals |
| 100 | MGMT | 10.10.100.0/24 | Gi1/0/48 | Switch management |
| 998 | NATIVE | N/A | Trunks only | Unused native |
| 999 | QUARANTINE | 10.10.99.0/24 | Unused ports | Isolation |
### Security Hardening Status
| Control | Status |
|---------|--------|
| DTP Disabled (nonegotiate) | All ports |
| Native VLAN (998) | All trunks |
| DHCP Snooping | VLANs 10,20,40,50 |
| Dynamic ARP Inspection | VLANs 10,20,40,50 |
| Port Security | Access ports |
| BPDU Guard | Access ports |
| Unused Ports Shutdown | 10 ports in VLAN 999 |
| VTP Transparent Mode | Enabled |
Prerequisites
Time Estimate
15-45 minutes depending on use case complexity
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
configuring-network-segmentation-with-vlans has been reliable in day-to-day use. Documentation quality is above average for community skills.
Keeps context tight: configuring-network-segmentation-with-vlans is the kind of skill you can hand to a new teammate without a long onboarding doc.
Registry listing for configuring-network-segmentation-with-vlans matched our evaluation — installs cleanly and behaves as described in the markdown.
configuring-network-segmentation-with-vlans is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
Useful defaults in configuring-network-segmentation-with-vlans — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
configuring-network-segmentation-with-vlans has been reliable in day-to-day use. Documentation quality is above average for community skills.
I recommend configuring-network-segmentation-with-vlans for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
configuring-network-segmentation-with-vlans reduced setup friction for our internal harness; good balance of opinion and flexibility.
configuring-network-segmentation-with-vlans has been reliable in day-to-day use. Documentation quality is above average for community skills.
Solid pick for teams standardizing on skills: configuring-network-segmentation-with-vlans is focused, and the summary matches what you get after install.
showing 1-10 of 65