Encyclopedia segmentata

Posted by Alexander Goller on Friday, September 6, 2019

This page is work in progress. If there is something missing feel free to comment or send me a mail.


Cisco ACI

Commonly known as ACI, Cisco ACI is an SDN that allows segmentation through VxLAN.

Access control list (ACL)

Access control lists do just what the name says: they are lists of allowed or denied connections. ACLs are most commonly applied on Layer 3 switches, routers or firewalls, but the term is also used for anything that limits access to things. The ACLs we commonly refer to in the segmentation space usually include Layer 3 and 4 information like IP addresses, ports and protocols. The example below shows a typical access list.

access-list 101 permit ip

In a microsegmentation context, access lists artificially limit operational speed because every allowed connection has to be written as an IP-to-IP policy.
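To make the IP-to-IP problem concrete, here is an added example (not code from the original page) that expands a small tier-to-tier allow policy into Cisco-style extended ACL entries. The inventory, the policy and the function names are constructed for illustration; the point is that two intent-level rules become one ACE per host pair, so the ACL grows with the product of the host counts, not the number of rules an operator actually thinks about.

```python
"""Expand a tier-level allow policy into host-to-host ACL entries.

Added example for this glossary; the tiers, addresses, policy and
helper names are constructed and are not from the original page.
"""
from itertools import product

# Constructed sample inventory: each application tier and its hosts.
TIERS = {
    "web": ["10.1.1.10", "10.1.1.11", "10.1.1.12"],
    "app": ["10.1.2.10", "10.1.2.11"],
    "db":  ["10.1.3.10", "10.1.3.11"],
}

# Constructed intent-level policy: (source tier, destination tier, protocol, port).
POLICY = [
    ("web", "app", "tcp", 8080),
    ("app", "db",  "tcp", 5432),
]


def compile_acl(tiers, policy, acl_number=101):
    """Emit one permit ACE per (source host, destination host) pair.

    The trailing deny spells out the implicit deny every Cisco ACL ends
    with, i.e. whitelisting semantics: anything not listed is dropped.
    """
    lines = []
    for src_tier, dst_tier, proto, port in policy:
        for src, dst in product(tiers[src_tier], tiers[dst_tier]):
            lines.append(
                f"access-list {acl_number} permit {proto} host {src} host {dst} eq {port}"
            )
    lines.append(f"access-list {acl_number} deny ip any any log")
    return lines


def rule_count(tiers, policy):
    """Number of host-to-host permit entries the policy expands to."""
    return sum(len(tiers[s]) * len(tiers[d]) for s, d, _, _ in policy)


if __name__ == "__main__":
    for line in compile_acl(TIERS, POLICY):
        print(line)
    print(f"! {len(POLICY)} intent rules became {rule_count(TIERS, POLICY)} host-to-host entries")
```

Adding one host to the "db" tier adds two more lines (one per "app" host) without anyone changing the intent; that is the maintenance cost the paragraph above refers to, and it is why label- or group-based policy models are preferred for microsegmentation.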


Blacklisting

Blacklisting is a concept in access control, segmentation or firewalling that allows everything to access a service, but defines exceptions that cannot access the service. Although this is a recipe for failure in security, it is sometimes a safe bet that will not affect your availability and works without having much visibility.

Broadcast domain

A broadcast domain is the area of a network in which a broadcast is sent to all participants of the network. It is usually limited to the LAN boundaries or VLANs.


Collision domain

A collision domain is the area in a network that belongs to the same OSI Layer 1 area (aka shared medium). It no longer affects switched Ethernet, but may still be a problem in wireless networks. In short, on a shared medium only one station can send at a time, and when two stations send at the same time a collision happens. Algorithms like CSMA/CD exist that solve this problem. See Collision domain on Wikipedia.


Microsegmentation

Microsegmentation segments networks into much smaller units than the ones defined by VLANs or LANs to limit collision or broadcast domains. There is no single technology behind it; it can be achieved by more than one technique or technology.


NSX

NSX is VMware's approach to a software defined network. It separates the data, control and management planes and allows building networks based on virtual switches, routers and firewalls. Recent incarnations include a lot of edge services like load balancers, NFV etc. There are microsegmentation capabilities in NSX, but they are not the main focus and are mainly limited to the VMware estate.


OSI model

When we talk about segmentation we often refer to the OSI model. OSI stands for Open Systems Interconnection, and the model defines seven layers used in data transport between computers or telecommunication devices.

  • Layer 1 - Physical layer
  • Layer 2 - Data link layer
  • Layer 3 - Network layer
  • Layer 4 - Transport layer
  • Layer 5 - Session layer
  • Layer 6 - Presentation layer
  • Layer 7 - Application layer

The Wikipedia article is a great primer on it.

Segmentation typically happens in Layers 2, 3, 4, sometimes up to Layer 7 for special use cases.


Software defined networking (SDN)

Software defined networking is a technology that allows reprogramming networks and network architectures using software components (virtual switches, routers, etc.) by taking apart the management, control and data planes of the network infrastructure.

Security segmentation

Segmentation was originally done to limit collision and broadcast domains to increase network performance and reliability. That has changed: people now use segmentation to control access, limit lateral movement and minimize the blast radius when bad things happen.

Segmentation

Commonly referred to as network segmentation: the act of breaking up a network into smaller parts. In the old days this was usually done to limit collision domains (see history of segmentation); nowadays it is used to limit broadcast domains, and more and more as a term for security segmentation.


Virtual private cloud (VPC)

A virtual private cloud defines a logically isolated area, usually within a cloud provider, and is the term mainly used for those areas in Amazon's AWS. It is a virtual network environment associated with one or more IaaS instances or virtual machines, but it can also be associated with PaaS, SaaS or FaaS services. All major cloud providers share the concept of a VPC, though it may go by a different name, e.g. virtual network on Microsoft Azure.

VTEP

VxLAN Tunnel Endpoint, an endpoint for packets sent by a VxLAN device (physical or virtual).

VxLAN

Network virtualisation that encapsulates Layer 2 Ethernet frames in Layer 4 datagrams (4789/UDP), defined in RFC 7348. Read more on VxLAN.
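The encapsulation described above, as an added example that is not part of the original page: an 8-byte VxLAN header (flags, 24-bit VNI, reserved bits) carried in a UDP datagram to port 4789, with the original Ethernet frame following it. The packet bytes are constructed inline, and the function names are this example's own. The parser also shows the check a receiving VTEP performs: a datagram whose "I" flag is clear has no valid VNI and must be dropped rather than switched into some segment.

```python
"""Encode and decode VxLAN (RFC 7348) datagrams.

Added example for this glossary; the sample bytes and helper names are
constructed and are not from the original page.
"""
import struct

VXLAN_UDP_PORT = 4789          # destination port assigned to VxLAN
VXLAN_FLAG_VNI_VALID = 0x08    # the "I" flag: the VNI field carries a valid value
VXLAN_HEADER_LEN = 8
ETHERNET_HEADER_LEN = 14


def build_vxlan(vni, inner_frame):
    """Prepend a VxLAN header to an Ethernet frame for the given VNI."""
    if not 0 <= vni < 2 ** 24:
        raise ValueError("VNI is a 24-bit field")
    # flags(1) | reserved(3) | VNI(3) | reserved(1)
    header = bytes([VXLAN_FLAG_VNI_VALID, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    return header + inner_frame


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_vxlan(payload):
    """Decode a VxLAN UDP payload into (vni, dst_mac, src_mac, ethertype, inner_payload).

    Raises ValueError when the datagram is too short or the I flag is clear,
    which is what a VTEP should do instead of forwarding the frame.
    """
    if len(payload) < VXLAN_HEADER_LEN + ETHERNET_HEADER_LEN:
        raise ValueError("too short for a VxLAN header plus an Ethernet header")
    if not payload[0] & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VxLAN I flag clear: VNI not valid, drop the datagram")
    vni = int.from_bytes(payload[4:7], "big")
    frame = payload[VXLAN_HEADER_LEN:]
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETHERNET_HEADER_LEN])
    return vni, _mac(dst), _mac(src), ethertype, frame[ETHERNET_HEADER_LEN:]


def sample_datagram():
    """Constructed VxLAN payload: VNI 5000 carrying an IPv4 frame with dummy bytes."""
    inner = (bytes.fromhex("aabbccddeeff")      # destination MAC
             + bytes.fromhex("001122334455")    # source MAC
             + b"\x08\x00"                      # EtherType IPv4
             + b"\x45" + b"\x00" * 19)          # placeholder IPv4 header bytes
    return build_vxlan(5000, inner)


if __name__ == "__main__":
    vni, dst, src, ethertype, rest = parse_vxlan(sample_datagram())
    print(f"VNI {vni}: {src} -> {dst}, EtherType 0x{ethertype:04x}, {len(rest)} inner bytes")
```

The VNI is the segment identifier: two frames with identical MAC addresses but different VNIs belong to different virtual Layer 2 networks, which is exactly the property SDN products use to build segments on top of a shared IP underlay.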


Whitelisting

Whitelisting in the context of firewalling and segmentation is the opposite of blacklisting. Whitelisting denies everything and then defines exceptions from the default rule (deny everything). This way the inherent security of whitelisting is much higher than that of a blacklisting approach. Whitelisting requires you to know which exceptions to write, and this is one of the biggest challenges that keeps IT security from using real whitelisting. We often lack the visibility to go to full whitelisting, and we do not have tools to test before we enforce the whitelisting policy.
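An added example (not from the original page) that runs the same three sample flows through a blacklist (default allow) and a whitelist (default deny) policy. The flows, rules and helper names are constructed. The interesting case is the third flow, a service nobody wrote a rule for: the blacklist lets it through because it was never foreseen, the whitelist blocks it for the same reason. That is both the security advantage of whitelisting and the availability risk the paragraph above describes when visibility is missing.

```python
"""Compare blacklist and whitelist evaluation of the same flows.

Added example for this glossary; flows, rules and helper names are
constructed and are not from the original page.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: int


@dataclass(frozen=True)
class Rule:
    dst: str      # destination host or "any"
    proto: str    # "tcp" or "udp"
    port: int     # 0 matches any port
    action: str   # "permit" or "deny"

    def matches(self, flow):
        return ((self.dst == "any" or self.dst == flow.dst)
                and self.proto == flow.proto
                and (self.port == 0 or self.port == flow.port))


def evaluate(flow, rules, default):
    """First matching rule wins; `default` is the verdict when nothing matches."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return default


# Blacklist: allow everything, carve out what we know is bad.
BLACKLIST = [Rule("10.1.3.10", "tcp", 23, "deny")]       # no telnet to the DB host
# Whitelist: deny everything, carve out what we know is needed.
WHITELIST = [Rule("10.1.3.10", "tcp", 5432, "permit")]   # app tier to PostgreSQL only

# Constructed sample flows.
FLOWS = [
    Flow("10.1.2.10", "10.1.3.10", "tcp", 5432),   # expected app-to-db traffic
    Flow("10.1.2.10", "10.1.3.10", "tcp", 23),     # known-bad telnet
    Flow("10.1.9.9",  "10.1.3.10", "tcp", 6379),   # unplanned service: nobody wrote a rule
]


def compare(flows):
    """Return (flow, blacklist verdict, whitelist verdict) for each flow."""
    return [(f, evaluate(f, BLACKLIST, "permit"), evaluate(f, WHITELIST, "deny"))
            for f in flows]


if __name__ == "__main__":
    for flow, black, white in compare(FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.port}/{flow.proto}  blacklist={black}  whitelist={white}")
```

Running the candidate whitelist in this kind of evaluate-only mode over observed flows, and reviewing every flow it would deny before enforcing, is the testing step the paragraph above says is usually missing.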

Why did you choose this background picture

The picture shows a Lorica Segmentata, an ancient Roman type of body armour made out of segments to allow movement while at the same time offering protection.
