CISSP Practice Question: Misconfigured VLAN Leads to Segmentation Failure
- Luke Ahmed
- May 15
- 2 min read

A Note Before You Begin
Every time you answer a question like this, you're practicing more than just technical recall. You're stepping into the mindset of someone responsible for enterprise-wide security decisions. VLANs are not just about routing traffic. They are about creating trust boundaries, reducing risk exposure, and proving to auditors that segmentation controls actually work.
The CISSP exam tests your ability to think at this level. And so does your future role.
Thanks for being someone who studies like this. The industry needs you.
Luke Ahmed
Rymar Tech’s security team recently discovered that a misconfigured VLAN allowed sensitive database traffic to traverse the same broadcast domain as general office workstations. This oversight was uncovered during a PCI DSS audit, raising concerns that cardholder data was exposed to unnecessary risk. The network team immediately corrected the issue, but now the CIO wants to know how this could have been prevented at the policy level.
As the security manager, what should you recommend to ensure VLAN segmentation aligns with governance and ongoing audit requirements?
A. Implement MAC-based VLAN assignment to enforce user-level isolation across all devices
B. Require all VLAN changes to go through formal change management and architecture review
C. Configure port security to restrict endpoint types based on device fingerprints
D. Disable VLAN trunking entirely on all internal switches to prevent cross-VLAN contamination
This question is about more than VLANs. It's about traceability. The CISSP exam expects you to know how to tie technical safeguards back to policy and governance. That means your job is not to reconfigure switches. It's to make sure reconfigurations never happen without the right controls in place.
You don’t just prevent misconfigurations. You prevent the conditions that allow them to go undetected.
Why the Other Choices Fall Short
A. MAC-based VLAN assignment is useful in very specific environments like VoIP or BYOD, but it is operationally complex and doesn't address the governance issue. It’s a control, not a governance mechanism.
C. Port security focuses on endpoint types and traffic control at a lower layer. It doesn’t help you ensure architectural segmentation compliance. It’s reactive, not strategic.
D. Disabling VLAN trunking is an overly blunt instrument. It may stop lateral movement in theory, but it also cripples legitimate multi-VLAN designs and limits scalability. It solves a symptom, not the root issue.
CISSP Core Concept: Governance over Configuration
The right answer, B, focuses on how to make sure no one touches VLANs without oversight. Change control is not about bureaucracy. It's about creating a paper trail, an audit path, and a chain of accountability. This is how security proves itself in the boardroom.
The goal is not to stop mistakes. The goal is to stop unverified changes.
Security misconfigurations will happen. But how you govern them decides whether you're managing risk or letting it manage you.
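One way to turn "stop unverified changes" into audit evidence is to diff the switch's running VLAN assignments against the baseline approved at the last architecture review and tie every difference to a change ticket. The script below is an added example, not code from the original post; the port names, VLAN numbers and ticket IDs are constructed, and the baseline, running state and ticket list are assumed to be available as simple dictionaries.

```python
"""Detect unverified VLAN drift: compare running access-port VLAN
assignments against the change-management baseline and flag any
unapproved change that lands a sensitive port in a workstation
broadcast domain (the scenario in the practice question)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

SENSITIVE_VLANS = {30}    # constructed: cardholder database VLAN
WORKSTATION_VLANS = {10}  # constructed: general office VLAN

# Constructed sample data: baseline from the last architecture review,
# running state pulled from the switch today, and approved tickets.
BASELINE = {"Gi1/0/1": 10, "Gi1/0/2": 10, "Gi1/0/3": 30, "Gi1/0/4": 30}
RUNNING = {"Gi1/0/1": 10, "Gi1/0/2": 20, "Gi1/0/3": 10, "Gi1/0/4": 30}
APPROVED = {"CHG-1042": {"Gi1/0/2"}}  # ticket -> ports it authorised


@dataclass(frozen=True)
class Drift:
    port: str
    baseline_vlan: Optional[int]   # None if the port was not in the baseline
    running_vlan: int
    ticket: Optional[str]          # None means the change was never reviewed


def find_drift(baseline: Dict[str, int], running: Dict[str, int],
               approved: Dict[str, Set[str]]) -> List[Drift]:
    """Every port whose VLAN differs from the baseline, with its ticket if any."""
    ticket_by_port = {p: t for t, ports in approved.items() for p in ports}
    return [Drift(port, baseline.get(port), vlan, ticket_by_port.get(port))
            for port, vlan in sorted(running.items())
            if baseline.get(port) != vlan]


def segmentation_violations(drift: List[Drift]) -> List[Drift]:
    """Unverified moves of a sensitive port into a workstation VLAN."""
    return [d for d in drift
            if d.ticket is None
            and d.baseline_vlan in SENSITIVE_VLANS
            and d.running_vlan in WORKSTATION_VLANS]


if __name__ == "__main__":
    for d in find_drift(BASELINE, RUNNING, APPROVED):
        status = d.ticket or "UNVERIFIED"
        print(f"{d.port}: VLAN {d.baseline_vlan} -> {d.running_vlan} [{status}]")
    for v in segmentation_violations(find_drift(BASELINE, RUNNING, APPROVED)):
        print(f"SEGMENTATION FAILURE on {v.port}: no change ticket on record")
```

Run against real exported configs, the unverified list is the evidence an auditor asks for: each drift entry either maps to a reviewed ticket or is a finding.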