---
name: vlan-designer
description: Designs a VLAN scheme from a plain-English site description, with segmentation rationale, numbering convention, inter-VLAN policy, and sizing for growth.
version: 1.0.0
author: VantagePoint Networks
audience: IT Managers, Network Engineers, Infrastructure Designers, MSP Solution Architects
output_format: Formatted Markdown VLAN design document with table, rationale, numbering rules, trunk matrix, policy matrix, and implementation notes.
license: MIT
---

# VLAN Designer

Describe the site, the users, the security posture you want. Get back a VLAN design document that an engineer can implement, an auditor can defend, and that scales.

## How to use this skill

1. Download this `SKILL.md` file.
2. Place it in `~/.claude/commands/` (macOS/Linux) or `%USERPROFILE%\.claude\commands\` (Windows).
3. Run `/vlan-designer` in Claude Code. Describe the site/building/campus. Tell me about users, servers, IoT, guests, voice, and any compliance scope. Answer clarifying questions. Receive the design.

## When to use this

- You're designing a new site or refreshing an old, flat network.
- You've inherited a 1-VLAN network and need to segment safely for compliance / security.
- You're onboarding an MSP customer and need a consistent design pattern applied to their site.
- You want to enforce a house numbering convention across multiple sites.
- You're preparing for Cyber Essentials / PCI / ISO 27001 and need documented segmentation.

## What you'll get

- **Design principles** - the rules that drive this design (segmentation intent, gateway placement, trunking standard).
- **VLAN table** - ID, name, subnet, gateway, DHCP scope, security zone, typical port type.
- **Numbering convention** - the rule others can apply to add new VLANs.
- **Inter-VLAN policy matrix** - what can talk to what, with rationale.
- **Trunk matrix** - which VLANs traverse which trunks, tagged / untagged / native.
- **Addressing plan** - subnet allocation, growth headroom, reserved ranges.
- **Security zone map** - which VLANs are in which zone (trust, DMZ, restricted, isolated, quarantine).
- **Implementation notes** - per-vendor configuration hints.
- **Gotchas** - common mistakes to avoid (native VLAN on trunks, management VLAN exposure, IPv6 readiness).

## Clarifying questions I will ask you

1. **Site profile?** (Single building / multi-building campus / branch office / data centre / home)
2. **Approximate user count?** (Now and projected 3 years)
3. **What user / device categories do you have?** (Office users, field staff, executives, finance, developers, customer service, printers, phones, APs, cameras, IoT sensors, manufacturing / clinical / lab gear, guest, contractor)
4. **Voice over IP?** (VoIP / softphone / Teams calling - drives voice VLAN need)
5. **Wireless?** (Guest Wi-Fi, corporate Wi-Fi, BYOD, IoT Wi-Fi separate?)
6. **Servers on-site?** (None / a few local / a full rack / two DC rows - drives server VLAN posture)
7. **Compliance scope?** (PCI, HIPAA, clinical data, classified, ITAR - drives isolation requirements)
8. **Data centre / cloud posture?** (Is there a separate DC / cloud handoff VLAN?)
9. **IPv6 posture?** (Nowhere / dual-stack / coming soon)
10. **Addressing supernet?** (What block do you have to work with for this site? The template below assumes a /16 such as 10.10.0.0/16 so that the third octet can mirror the VLAN ID; with a /20 or smaller, the /24-per-VLAN default has to shrink.)
11. **Vendor stack?** (Cisco / Juniper / Aruba / mixed - drives implementation notes)
12. **Any specific isolation requirements you already know about?** (e.g. "printers must not initiate outbound to internet", "CCTV cannot reach user network")

## Output template

```markdown
# VLAN Design: <site name>

**Design ID:** VLAN-<site-slug>-v<X>
**Prepared by:** <name>
**Date:** YYYY-MM-DD
**Status:** Draft / Approved
**Approver:** <name>

## 1. Design Principles
The rules that drive this design. Future additions must honour them.

1. **Segment by function AND trust, not by department.** Device classes of the same trust level may share a VLAN; device classes of different trust levels never do, regardless of which team owns them.
2. **Gateway placement follows trust.** Trust-zone VLANs (users, voice, corporate Wi-Fi, servers) are routed at the distribution / core layer; guest, isolated, restricted, compliance-scoped and DMZ VLANs have their gateway on the firewall so that every cross-zone flow is inspected. Access switches are L2 only.
3. **Native VLAN on trunks is <dedicated unused ID, never 1>.** Never carry user traffic on the native VLAN.
4. **Management VLAN is dedicated, not mixed with user or server traffic, and not reachable from user VLANs by default.**
5. **DHCP snooping and dynamic ARP inspection enabled on every user-facing VLAN, with only the uplinks marked trusted; BPDU guard on every access port.**
6. **Guest and IoT are isolated from internal trust. Any required exception is an explicit firewall rule with a business owner.**
7. **Every VLAN has capacity for 3-year growth (sized above current count).**
8. **Numbering convention is reserved and documented; ad-hoc additions are not permitted.**

## 2. Numbering Convention

### VLAN number ranges
| Range | Purpose |
|---|---|
| 1 | Reserved - never use (default VLAN, security risk) |
| 10-19 | Management and infrastructure |
| 20-49 | User VLANs (segmented by trust tier) |
| 50-69 | Voice |
| 70-99 | Wireless (corp, guest, IoT) |
| 100-199 | Server / services |
| 200-299 | IoT / operational technology (sensors, CCTV, building) |
| 300-399 | DMZ |
| 400-499 | Restricted / compliance-scoped (PCI, HIPAA, etc.) |
| 500-599 | Quarantine / captive / remediation |
| 900-999 | Point-to-point links, transit |
| 4094 | Reserved - black hole |

### Subnet convention
The third octet of the site supernet mirrors the VLAN ID where it fits (VLAN 20 -> 10.10.20.0/24). VLAN IDs above 255 draw from a reserved block documented in the addressing plan (e.g. VLAN 400 -> 10.10.240.0/24), so two VLANs never map to the same subnet. Each VLAN gets a /24 by default (256 addresses, 254 usable). Exceptions:
- Management: /26 (64 addresses, 62 usable)
- Point-to-point links: /30 or /31
- Corporate wireless: /23 (dense deployment, roaming)
- Server VLANs carrying >200 devices: /23 (512 addresses, 510 usable)

## 3. VLAN Table

| VLAN ID | Name | Subnet | Gateway | DHCP | Security zone | Port type |
|---|---|---|---|---|---|---|
| 10 | MGMT | 10.10.10.0/26 | .1 | Static | Management | Uplinks only |
| 20 | USERS | 10.10.20.0/24 | .1 | Scope .50-.254 | Trust | Access (data) |
| 21 | FINANCE | 10.10.21.0/24 | .1 | Scope | Trust-elevated | Access (data) |
| 30 | PRINTERS | 10.10.30.0/24 | .1 | Reserved .10-.99 | Restricted | Access |
| 40 | DEVELOPERS | 10.10.40.0/24 | .1 | Scope | Trust-elevated | Access (data) |
| 50 | VOICE | 10.10.50.0/24 | .1 | Scope via CUCM/PBX | Trust-voice | Access (voice) |
| 70 | WIFI-CORP | 10.10.70.0/23 | .1 | Scope | Trust | SSID only |
| 71 | WIFI-GUEST | 10.10.72.0/24 | .1 | Scope | Guest | SSID only |
| 72 | WIFI-IOT | 10.10.73.0/24 | .1 | Scope | Isolated | SSID only |
| 100 | SERVERS | 10.10.100.0/24 | .1 | Static | Server | Access (server) |
| 110 | SERVER-MGMT | 10.10.110.0/24 | .1 | Static | Management | Access (server IPMI) |
| 200 | CCTV | 10.10.200.0/24 | .1 | Reserved .10-.200 | Isolated | Access |
| 210 | BMS | 10.10.210.0/24 | .1 | Reserved | Isolated | Access |
| 400 | PCI-POS | 10.10.240.0/24 | .1 | Scope | Restricted - PCI | Access (locked) |
| 500 | QUARANTINE | 10.10.250.0/24 | .1 | Captive | Quarantine | Dynamic |

### Growth headroom
- Users: current <N>, VLAN capacity 254 addresses (205 in the DHCP scope .50-.254, the rest reserved for static), 3-year plan <N> - fits comfortably
- Servers: current <N>, next /24 reserved as VLAN 101 for expansion
- Wireless: current <N>, /23 accommodates dense deployment + roaming

## 4. Inter-VLAN Policy Matrix

Legend: **Y** = permit, **N** = deny, **C** = conditional (explicit firewall rule per flow). Rows are the initiating side; return traffic for a permitted flow is handled by stateful inspection, so a **Y** between two VLANs of the same zone should appear in both directions. Flows that touch a firewall-gatewayed VLAN are enforced on the firewall; flows between core-routed VLANs are enforced by ACLs on the core SVIs or by routing them across the transit VLAN to the firewall.

| From \ To | USERS | FINANCE | PRINTERS | VOICE | WIFI-CORP | WIFI-GUEST | WIFI-IOT | SERVERS | CCTV | PCI | MGMT |
|---|---|---|---|---|---|---|---|---|---|---|---|
| USERS | Y | N | C | N | Y | N | N | C | N | N | N |
| FINANCE | N | Y | C | N | N | N | N | C | N | N | N |
| PRINTERS | N | N | Y | N | N | N | N | N | N | N | N |
| VOICE | N | N | N | Y | N | N | N | C | N | N | N |
| WIFI-CORP | Y | N | C | N | Y | N | N | C | N | N | N |
| WIFI-GUEST | N | N | N | N | N | Y | N | N | N | N | N |
| WIFI-IOT | N | N | N | N | N | N | Y | C | N | N | N |
| SERVERS | C | C | N | N | C | N | C | Y | N | N | N |
| CCTV | N | N | N | N | N | N | N | C | Y | N | N |
| PCI | N | N | N | N | N | N | N | C | N | Y | N |
| MGMT | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y |

**Rationale highlights:**
- **FINANCE** isolated even from USERS: limits ransomware lateral movement from a compromised user workstation into the finance estate.
- **PRINTERS** reachable via explicit firewall rules only (print ports from the VLANs that need them; nothing initiated by the printers) - printers are long-lived, rarely patched and a classic pivot.
- **GUEST** totally isolated from internal; internet-only.
- **IoT** isolated from internal trust and from the other isolated VLANs; each IoT class talks to its controller via a firewall rule with a named owner.
- **PCI** isolated from everything; explicit rule set only.
- **MGMT** -> everything: the management plane initiates to its targets (monitoring, configuration push). Nothing -> MGMT: locked, including from SERVERS and WIFI-CORP.

## 5. Trunk Matrix

| Trunk | From | To | VLANs carried (tagged) | Native (untagged) |
|---|---|---|---|---|
| Core-to-Dist-1 | CORE-SW-01 | DIST-01 | 10,20-49,50,70-99,100,110,200-299,400,500 | 999 (dummy) |
| Dist-to-AccA1 | DIST-01 | ACC-A1-F1 | 10,20,30,40,50,70,71,72,400,500 | 999 (dummy) |
| Core-to-FW | CORE-SW-01 | FW-CORE-01 | 30,71,72,200,210,400,500 (firewall is the gateway: L3 subinterfaces) plus 900 (routed transit from the core for the core-gatewayed VLANs) | n/a |

**Native VLAN:** 999 - "dummy": no access port is placed in it, it has no SVI (or the SVI is shut), and it is tagged on the trunk where the platform allows the native VLAN to be tagged. An untagged frame arriving on a trunk then maps to nothing useful, which is what defeats native-VLAN double-tagging.

## 6. Addressing Plan
- **Site supernet:** <e.g. 10.10.0.0/16>
- **Allocation:**
  - 10.10.10.0/26 - management
  - 10.10.20.0-49.0 - user VLANs
  - 10.10.50.0/24 - voice
  - 10.10.70.0/22 - wireless (room for 4 wireless VLANs)
  - 10.10.100.0/24 - servers
  - 10.10.110.0/24 - server management
  - 10.10.200.0-299.0 - IoT / OT
  - 10.10.250.0/24 - quarantine
  - 10.10.254.0/24 - reserved for transit / P2P

**IPv6:** Dual-stack ready. Per-VLAN /64 allocated from site prefix. SLAAC on user VLANs, DHCPv6 on server VLANs.

## 7. Security Zones
| Zone | VLANs | Description |
|---|---|---|
| Management | 10, 110 | Infrastructure + server OOB |
| Trust | 20, 50, 70 | Standard users, voice, corporate Wi-Fi |
| Trust-elevated | 21, 40 | Finance, developers |
| Server | 100 | Internal services |
| Restricted | 30 | Printers |
| Isolated | 72, 200, 210 | IoT Wi-Fi, CCTV, BMS |
| Guest | 71 | Guest Wi-Fi - internet only |
| DMZ | (none at this site) | - |
| Compliance | 400 | PCI / HIPAA |
| Quarantine | 500 | Captive / remediation |

## 8. Implementation Notes (vendor-specific)

### Cisco IOS-XE (gateway SVI on distribution / core; ports on the access switch)
~~~
! --- Distribution / core switch: the L3 gateway for VLAN 20 ---
vlan 20
 name USERS
!
interface Vlan20
 description USERS gateway
 ip address 10.10.20.1 255.255.255.0
 ip helper-address 10.10.100.10
!
! --- Access switch: L2 only, no SVI for user VLANs ---
vlan 20
 name USERS
vlan 50
 name VOICE
!
! Principle 5: DHCP snooping and dynamic ARP inspection are enabled per VLAN;
! the uplink is marked trusted in the trunk configuration below.
ip dhcp snooping
ip dhcp snooping vlan 20,50
! Snooping inserts option 82 by default; an upstream relay drops those
! requests unless told to trust them, so leave the option off.
no ip dhcp snooping information option
ip arp inspection vlan 20,50
!
interface range GigabitEthernet1/0/1 - 36
 description User access ports
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 50
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
 storm-control broadcast level 1.0
 storm-control multicast level 1.0
 no shutdown
~~~

### Trunk configuration
~~~
! Tag the native VLAN as well, so an untagged frame is never mapped into a VLAN.
vlan dot1q tag native
!
interface TenGigabitEthernet1/1/1
 description Uplink to DIST-01
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,21,30,40,50,70,71,72,400,500
 ip dhcp snooping trust
 ip arp inspection trust
 storm-control broadcast level 5.0
 no shutdown
~~~

## 9. Known gotchas
- **Never leave native VLAN as 1.** Double-tagging works when an attacker's access VLAN is the same as the trunk's native VLAN: the outer tag is stripped at the first trunk and the inner tag carries the frame into another VLAN. An unused native VLAN with no access ports in it removes the precondition; tagging the native VLAN as well closes it entirely.
- **Management VLAN must not be reachable from user VLANs.** A default "permit ip any any" between SVIs silently exposes it; write the deny explicitly and test it from a user port.
- **Voice VLAN needs QoS markings** or voice quality suffers when the data network is busy.
- **Printers are network-dangerous.** Segment them; allow inbound print ports from the VLANs that need them and no unsolicited outbound, internet included, beyond an explicit allow list (vendor update or cloud-print endpoints, if used).
- **DHCP helper-address for every user VLAN** if DHCP is centralised.
- **Verify STP root bridge placement.** Core should be root; if an access switch becomes root, traffic takes strange paths.
- **IPv6 RA on untrusted networks.** Use RA Guard or expect rogue RAs.
- **IoT vendors lie.** "Works on a flat network" often means "uses broadcast; will flood a VLAN". Scope per vendor.

## 10. Approval
> This VLAN design has been reviewed and approved for implementation at <site>. Deviations from the design must be raised as an exception with the Network Architecture Lead.
>
> Approver: <name>
> Date: YYYY-MM-DD
```

## Example invocation

**User:** "/vlan-designer - designing VLANs for a new 3-storey office, about 200 staff, 40 printers, VoIP phones for everyone, guest Wi-Fi, corporate Wi-Fi, CCTV, and a server closet with about 12 servers. Finance is a separate team of 15 and needs to be segregated. We're Cisco-based and need Cyber Essentials Plus."

**What the skill will do:**
1. Ask about supernet (likely a /16), IPv6 intent, and whether BYOD is in scope for wireless.
2. Produce the full design with VLAN 10 (mgmt), 20 (users), 21 (finance - segregated), 30 (printers - no unsolicited outbound), 40 (developers or another elevated-trust team, if needed), 50 (voice), 70/71/72 (Wi-Fi), 100 (servers), 110 (server mgmt), 200 (CCTV), 500 (quarantine), 999 (native dummy).
3. Tailor the inter-VLAN policy matrix to explicitly isolate finance from other user VLANs (ransomware lateral-movement control - Cyber Essentials Plus friendly).
4. Include Cisco IOS-XE snippets for access and trunk configuration.
5. Flag Cyber Essentials Plus specific items: boundary firewall configuration, secure configuration of the switches (no default VLAN in use, unused services off), user access control with MFA on management interfaces, and security update management for the network estate. Segmentation is not one of the five Cyber Essentials controls itself; the documented segregation is supporting evidence for the firewall and secure-configuration controls.

## Notes for the requester

- **Number for the next 10 years, not just today.** Renumbering is painful. Reserve ranges generously.
- **Never trust "flat works fine."** A flat network is a breached network waiting to be noticed. Segment proactively.
- **Policy matrix is the real deliverable.** VLANs without policy are just broadcast domains. The matrix is what gives you security posture.
- **Management VLAN discipline is the single highest-value control.** Most breaches move laterally through mis-scoped management.
- **Get buy-in before implementation.** A design signed off by the security lead and the network lead changes the conversation when engineers push back.
- **"Good" looks like:** an engineer new to the site can figure out where a new device should go in 30 seconds. An auditor maps the design to Cyber Essentials / CIS / PCI / ISO controls without help.
