diff --git a/.changelog/11495.txt b/.changelog/11495.txt
new file mode 100644
index 000000000..059a7fede
--- /dev/null
+++ b/.changelog/11495.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+segments: **(Enterprise only)** ensure that the serf_lan_allowed_cidrs applies to network segments
+```
diff --git a/agent/agent.go b/agent/agent.go
index ba4bb650f..9e9cf5c21 100644
--- a/agent/agent.go
+++ b/agent/agent.go
@@ -1270,6 +1270,7 @@ func segmentConfig(config *config.RuntimeConfig) ([]consul.NetworkSegment, error
 serfConf.MemberlistConfig.BindPort = s.Bind.Port
 serfConf.MemberlistConfig.AdvertiseAddr = s.Advertise.IP.String()
 serfConf.MemberlistConfig.AdvertisePort = s.Advertise.Port
+ serfConf.MemberlistConfig.CIDRsAllowed = config.SerfAllowedCIDRsLAN
 if config.ReconnectTimeoutLAN != 0 {
 serfConf.ReconnectTimeout = config.ReconnectTimeoutLAN
@@ -1565,6 +1566,17 @@ func (a *Agent) LANMembersInAgentPartition() []serf.Member {
 return a.delegate.LANMembersInAgentPartition()
 }
+// LANMembers returns the LAN members for one of:
+//
+// - the requested partition
+// - the requested segment
+// - all segments
+//
+// This is limited to segments and partitions that the node is a member of.
+func (a *Agent) LANMembers(f consul.LANMemberFilter) ([]serf.Member, error) {
+ return a.delegate.LANMembers(f)
+}
+
 // WANMembers is used to retrieve the WAN members
 func (a *Agent) WANMembers() []serf.Member {
 if srv, ok := a.delegate.(*consul.Server); ok {
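Review bot: The added `CIDRsAllowed` assignment in segmentConfig reuses the LAN allow-list for every segment, and nothing in the hunk tells the reader what that implies: an operator whose `serf_lan_allowed_cidrs` covers only the default LAN subnet would presumably see segment peers on other subnets rejected after upgrading. I would add a comment above the line such as `// Segments share the LAN allow-list; it must cover every segment's peer addresses.` and call out the behaviour change in the release note. As far as I know memberlist treats a nil list as allow-any, so configurations that leave the option unset should be unaffected, but a test pinning that for segments would be worth having. segmentConfig starts and ends outside this hunk.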
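Review bot: The doc comment on the new `LANMembers` does not say what the error return means or that no ACL filtering happens here; the method forwards straight to `a.delegate.LANMembers(f)`. Member lists carry node names and addresses, so callers presumably have to filter the result themselves, and the comment should say so, e.g. `// The result is not ACL-filtered; callers must filter before returning it to a client.` It would also help to state which error is returned when the filter names a segment or partition this node has not joined. The delegate's implementation is outside this hunk, so both points need confirming against it.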