The invention comprises three extensions of the IEEE 802.1Q VLAN bridge
model. The first extension is the cryptographic separation of VLANs over
trunk links. A LAN segment type referred to as an encapsulated LAN
segment is introduced. All frames on such a segment are encapsulated
according to an encryption and authentication code scheme. The second
extension is the division of a trunk port into inbound and outbound
ports. The third extension is a protocol that automatically infers, for
each outbound port in a bridged VLAN, a set of LAN segment types for the
port that minimizes the number of transfers between encapsulated and
unencapsulated segments required to transport a frame in the bridged
VLAN.