Creating a network: switching and topologies
With devices selected and connection types decided, the next step is designing how the network is structured. This means choosing how devices are grouped into segments, which segmentation method is appropriate, and which physical topology best meets the network's goals.
What this topic covers
- › 3.2.A — How data travel through a segmented network — same-segment vs. cross-segment routing
- › 3.2.B — Segmentation methods: physical, VLANs, subnetting, and multiple SSIDs
- › 3.2.C — Wired network topologies: star, mesh, and hybrid — trade-offs in reliability, cost, and complexity
- › 3.2.D — Evaluating AI-generated network designs
Why this design step matters
Segmentation divides a network into zones, improving security by limiting lateral movement and improving performance by reducing broadcast traffic. The choice of segmentation method and topology directly determines the cost, complexity, and resilience of the finished network.
How data travel in a segmented network (3.2.A)
Every time a device sends data, it must determine whether the destination is on the same segment or a different one. This decision determines whether a switch or a router handles the delivery.
Same-segment delivery (via switch)
The host applies its own subnet mask to both its own IP address and the destination address. If the network portions match, the destination is on the same segment: the host resolves the destination's MAC address (ARP on IPv4), addresses the frame to that MAC, and the switch delivers it directly. No router is involved.
Example
Source: 192.168.1.20/24
Destination: 192.168.1.50/24
→ Same /24 network. Sent via switch to MAC.
Cross-segment delivery (via router)
When the network portions do not match, the destination is on a different network segment. The host addresses the frame to the MAC address of its configured default gateway, the router. The router looks the destination up in its routing table (longest matching prefix wins), identifies the attached segment, and forwards the packet to the switch on that segment for final delivery. Each host makes this decision with its own mask; two hosts on one cable configured with different masks can disagree about whether they share a segment, which shows up as one-way reachability.
Example
Source: 192.168.1.20/24
Destination: 192.168.2.50/24
→ Different /24 network. Sent to default gateway.
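The on-link decision and the router's lookup, written out as an added example (not code from the original page). It generalizes the two /24 examples above to any prefix length, adds the router's longest-prefix match, and checks the mismatched-mask failure mode. All addresses, the gateway and the routing-table entries are constructed for illustration.

```python
import ipaddress

# Added example for 3.2.A: how a host decides between on-link delivery and the
# default gateway, and how the router then picks the destination segment.
# Every address, prefix and routing-table entry here is constructed for
# illustration and does not describe a real network.


def next_hop(host_ip: str, prefix_len: int, dest_ip: str, gateway: str) -> str:
    """Return the address the host must resolve to a MAC (via ARP) for dest_ip.

    The host masks both addresses with its own prefix length. If the network
    portions match, the destination is on the same segment and the frame is
    addressed to the destination's own MAC and delivered by the switch.
    Otherwise the frame is addressed to the gateway's MAC.
    """
    local_net = ipaddress.ip_network(f"{host_ip}/{prefix_len}", strict=False)
    if ipaddress.ip_address(dest_ip) in local_net:
        return dest_ip      # same segment: switch delivers directly
    return gateway          # different segment: hand off to the router


# Constructed routing table of the router at 192.168.1.1: (prefix, attached segment).
ROUTES = [
    ("192.168.1.0/24", "vlan10-data"),
    ("192.168.2.0/24", "vlan20-servers"),
    ("0.0.0.0/0", "wan"),  # default route for everything else
]


def route_lookup(routes, dest_ip: str):
    """Longest-prefix match, the way a router chooses the outgoing segment."""
    dest = ipaddress.ip_address(dest_ip)
    best_net, best_via = None, None
    for prefix, via in routes:
        net = ipaddress.ip_network(prefix)
        if dest in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_via = net, via
    return best_via


def delivery_is_symmetric(a_ip: str, a_prefix: int, b_ip: str, b_prefix: int) -> bool:
    """Each host decides on-link vs. off-link with its *own* mask.

    If two hosts on one segment are configured with different masks, one may
    ARP for the other directly while the other replies via the gateway. That
    mismatch is a classic cause of one-way reachability.
    """
    a_direct = next_hop(a_ip, a_prefix, b_ip, "gw") == b_ip
    b_direct = next_hop(b_ip, b_prefix, a_ip, "gw") == a_ip
    return a_direct == b_direct


if __name__ == "__main__":
    print(next_hop("192.168.1.20", 24, "192.168.1.50", "192.168.1.1"))    # 192.168.1.50
    print(next_hop("192.168.1.20", 24, "192.168.2.50", "192.168.1.1"))    # 192.168.1.1
    print(route_lookup(ROUTES, "192.168.2.50"))                           # vlan20-servers
    print(delivery_is_symmetric("192.168.1.20", 24, "192.168.1.200", 25))  # False
```

The last call is the mask-mismatch case: 192.168.1.20/24 treats 192.168.1.200 as on-link and ARPs for it directly, while 192.168.1.200/25 (network 192.168.1.128/25) sends its reply to the gateway. Checking both directions is the quick way to confirm that every host on a segment agrees on its boundaries.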
Segmentation methods (3.2.B)
Different segmentation methods are appropriate for different scenarios. The choice depends on the level of isolation needed, available hardware, and the mix of wired and wireless devices.
Physical segmentation
Use when: maximum isolation and security are required, such as a restricted server room, testing lab, or classified environment.
Separate switches, routers, and cabling create completely independent subnetworks. A failure or compromise in one physical segment has no path to another, provided nothing is connected to both: a laptop cabled into each network, or a shared management network, quietly reconnects what the hardware separated. This approach increases cost and complexity but provides the strongest possible separation.
Example
A university testing lab with its own dedicated switch and router, completely isolated from classroom and office network equipment.
VLAN segmentation
Use when: flexible logical separation is needed on shared hardware, such as separating departments, device types, or user roles without purchasing additional switches.
VLANs allow devices connected to the same physical switch to be logically isolated. Port assignments determine which VLAN each device belongs to: an access port carries one untagged VLAN, while a trunk link between switches carries several VLANs with 802.1Q tags. Traffic between VLANs is controlled by a router or layer-3 switch, and the isolation is only as good as that configuration. An unused port left on a trunk or in the wrong VLAN, or a router with no access control between VLANs, gives traffic a path the segmentation was meant to block.
Example
Employee computers, VoIP phones, and printers on the same switch, each in separate VLANs — keeping voice, data, and print traffic logically isolated.
Subnetting
Use when: devices need to be organized by IP address range to support routing decisions, access control lists, or broadcast containment across multiple segments.
Subnetting divides a large address space into smaller logical networks. It is well-suited for environments where firewall rules will enforce access between IP groups, or where broadcast traffic needs to be controlled across multiple segments. On its own, though, a subnet is an addressing boundary rather than a security boundary: hosts in different subnets that share one VLAN still share a broadcast domain, so subnetting is normally paired with VLANs or physical separation and the access policy is enforced at the router or firewall between the subnets.
Multiple SSIDs (wireless)
Use when: different groups of wireless users need separate access policies, such as staff and guests using the same physical access point.
Multiple SSIDs can be assigned to separate VLANs or subnets, providing both traffic isolation and access control without additional wireless hardware. The isolation comes from the VLAN or subnet behind each SSID and the policy applied between them, not from the SSID name itself; two SSIDs mapped to the same VLAN share one broadcast domain. Each SSID appears as a different wireless network name to users.
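The VLAN, subnetting and SSID sections above describe one design: segments on shared hardware, a subnet per VLAN, and a policy enforced where the segments meet. The following is an added example (not code from the original page) that turns that design into a concrete plan and checks it. The VLAN IDs, SSIDs, address block and allowed flows are constructed for illustration; the ACL lines are vendor-neutral text, not any particular switch or firewall syntax.

```python
import ipaddress

# Added example for 3.2.B: a VLAN/subnet plan plus the inter-segment policy a
# router, layer-3 switch or firewall would enforce. VLAN IDs, SSIDs, the
# address block and the policy are all constructed for illustration.

# (VLAN ID, segment name, SSID if the segment is a wireless one)
SEGMENTS = [
    (10, "data", None),
    (20, "voice", None),
    (30, "print", None),
    (40, "staff-wifi", "Corp-Staff"),
    (50, "guest-wifi", "Corp-Guest"),
]

# Allowed (source segment, destination segment) flows. Anything not listed is
# denied at the router/firewall. "outside" means anything not in the plan,
# in practice the internet.
POLICY = {
    ("data", "print"), ("data", "voice"), ("data", "outside"),
    ("staff-wifi", "data"), ("staff-wifi", "print"), ("staff-wifi", "outside"),
    ("voice", "outside"),
    ("guest-wifi", "outside"),   # guests get the internet and nothing internal
}


def plan_subnets(block: str, segments, new_prefix: int = 24) -> dict:
    """Carve one address block into equal-size subnets, one per VLAN."""
    pool = ipaddress.ip_network(block).subnets(new_prefix=new_prefix)
    plan = {}
    for vlan_id, name, ssid in segments:
        subnet = next(pool, None)
        if subnet is None:
            raise ValueError(
                f"{block} holds too few /{new_prefix} subnets for {len(segments)} segments"
            )
        plan[name] = {"vlan": vlan_id, "subnet": subnet, "ssid": ssid}
    return plan


def segment_of(plan: dict, ip: str) -> str:
    """Map an address to its segment name, or 'outside' if it is in none."""
    addr = ipaddress.ip_address(ip)
    for name, entry in plan.items():
        if addr in entry["subnet"]:
            return name
    return "outside"


def is_permitted(plan: dict, policy: set, src_ip: str, dst_ip: str) -> bool:
    """Decide a new flow the way the device between segments would.

    Same-segment traffic never reaches the router (see 3.2.A), so it is always
    delivered; everything else must match an allowed pair.
    """
    src, dst = segment_of(plan, src_ip), segment_of(plan, dst_ip)
    if src == dst:
        return True
    return (src, dst) in policy


def acl_lines(plan: dict, policy: set) -> list:
    """Render the policy as first-match permit/deny lines ending in a deny.

    A segment allowed to reach "outside" needs explicit denies to the other
    internal subnets *before* its catch-all permit, otherwise "any" would
    silently include them.
    """
    lines = []
    for src, dst in sorted(policy):
        if dst != "outside":
            lines.append(f"permit ip {plan[src]['subnet']} {plan[dst]['subnet']}")
    for src, dst in sorted(policy):
        if dst == "outside":
            s = plan[src]["subnet"]
            for entry in plan.values():
                if entry["subnet"] != s:
                    lines.append(f"deny ip {s} {entry['subnet']}")
            lines.append(f"permit ip {s} any")
    lines.append("deny ip any any")   # default closed
    return lines


if __name__ == "__main__":
    plan = plan_subnets("10.0.0.0/21", SEGMENTS)
    for name, entry in plan.items():
        print(f"VLAN {entry['vlan']:>3} {name:<11} {entry['subnet']}  ssid={entry['ssid']}")
    print(is_permitted(plan, POLICY, "10.0.4.25", "10.0.0.9"))   # guest -> data: False
    print("\n".join(acl_lines(plan, POLICY)))
```

Running the plan against a block that is too small (10.0.0.0/22 holds only four /24s for five segments) raises rather than silently dropping a segment, which is exactly the kind of gap to catch before the design is implemented.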
Wired network topologies (3.2.C)
Network topology describes how devices are physically or logically connected to each other. Topology choice affects reliability, cost, ease of maintenance, and how the network responds to failures.
Star topology
Each node connects independently to a central switch. All traffic passes through the switch. Most modern LANs use star topology.
- + Easy to scale — add devices by plugging into switch
- + Easy to troubleshoot — each device connects independently
- + Low cost — minimal cabling required
- − Central switch is a single point of failure
Mesh topology
In a full mesh, each node connects directly to every other node, so n nodes need n(n-1)/2 links; a partial mesh links only the key nodes. Multiple paths allow traffic to reroute if a connection fails.
- + Very high fault tolerance
- + No single point of failure
- − Very expensive — many cables and connections required
- − Complex to install, scale, and manage
Hybrid topology
Combines elements of star and mesh to balance performance, reliability, and cost. Common in large enterprise LANs.
- + Balances cost and redundancy across the network
- + Different segments can use different topologies
- − More complex to plan and manage than pure star
| Factor | Star | Mesh | Hybrid |
|---|---|---|---|
| Fault tolerance | Low to moderate: a cable failure isolates one device, but the central switch is a SPOF | Very high (multiple paths) | High (mesh between key nodes; a host attached to one switch still depends on it) |
| Cost | Low | High | Moderate |
| Ease of setup | Easy | Complex | Moderate |
| Best for | Most LANs with limited resources | Critical systems where an outage cannot be tolerated | Large enterprise networks |
Evaluating AI-generated network designs (3.2.D)
AI tools can generate suggestions for topologies, segmentation strategies, and device lists for a segmented LAN. They can be a useful starting point — but their output must be carefully reviewed before implementation.
- › Prompts must clearly define technical requirements including traffic flow, security policies, redundancy needs, and physical layout constraints — incomplete prompts produce incomplete or flawed designs
- › AI suggestions may include missing segments, devices that are not the best solution, or technically accurate but unnecessarily complex configurations
- › Any AI output should be verified against actual requirements before implementation