VLAN security: segment sensitive systems (finance, PCI, management), isolate guest/IoT on separate VLANs, place inter-VLAN routing behind firewalls, use private VLANs for isolation within same subnet.
VLANs alone don't provide security — traffic between VLANs passes through a router/firewall where ACLs apply. Private VLANs (PVLAN) isolate hosts within the same subnet (useful for hosting environments). Management VLAN should be separate and tightly access-controlled.