
VLAN Planner

Design your network segmentation with zones and VLANs


Plan your VLAN structure visually. Start from scratch or use industry templates like the Purdue Model for OT networks. Export your plan as CSV when ready. (See also: → Subnet Calculator | → Communication Matrix)


Choose a starting point

Start from Scratch

Empty canvas. Add your own zones and VLANs as needed.

Purdue Model (OT/ICS)

ISA-95/IEC 62443 zones for industrial networks. Levels 0-5 with DMZ.

Enterprise IT

Classic corporate segmentation with users, servers, DMZ, and management.

Frequently Asked Questions about VLANs and Network Segmentation


A VLAN (Virtual Local Area Network) logically segments a physical network into separate broadcast domains. Devices in different VLANs cannot communicate directly at Layer 2 – they need a router or Layer 3 switch. Network segmentation improves security by limiting the blast radius of attacks, reduces broadcast traffic, enables traffic prioritization, and helps meet compliance requirements. In industrial environments, VLANs separate IT from OT networks and isolate critical control systems from less trusted zones.

The Purdue Model (ISA-95/IEC 62443) is a reference architecture that organizes industrial networks into hierarchical levels. Level 0-1 contains field devices and basic control (PLCs, sensors). Level 2 handles area supervisory control (HMIs, engineering stations). Level 3 is the site operations layer (historians, batch management). A DMZ separates OT from Level 4-5 enterprise IT systems. This model guides VLAN design by defining clear security boundaries between levels, with each level typically having its own VLAN(s).

The right number depends on your security requirements, traffic patterns, and management capacity. As a baseline: separate VLANs for user workstations, servers, management, voice/video, and guest access. In OT environments, add VLANs per Purdue level and consider separate VLANs for each production cell or safety system. Avoid extremes – too few VLANs provide weak isolation, while hundreds of VLANs become unmanageable. A medium enterprise typically has 20-50 VLANs; industrial sites often have 10-30 per facility.

VLAN IDs range from 1 to 4094. VLAN 1 is the default VLAN on most switches and should generally be avoided for production traffic due to security concerns. VLANs 1002-1005 are reserved for legacy Token Ring/FDDI on Cisco devices. VLAN 4095 is reserved. Best practice: use a consistent numbering scheme – for example, 10-99 for infrastructure, 100-199 for users, 200-299 for servers, 300-399 for OT. Document your scheme and leave gaps for future expansion.
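The ID rules and the example numbering scheme above are easy to encode as a plan check. The following script is an added example and is not code from the Narrowin VLAN Planner; the purpose labels, the sample plan, and the CSV column layout are assumptions chosen for illustration, while the ID ranges are the ones quoted in the text.

```python
"""Added example (not part of the VLAN Planner): validate a VLAN plan
against the ID rules and numbering scheme described in the FAQ."""
import csv
import io

# Numbering scheme quoted in the text; the purpose labels are an assumption.
SCHEME = {
    "infrastructure": range(10, 100),
    "users": range(100, 200),
    "servers": range(200, 300),
    "ot": range(300, 400),
}
CISCO_LEGACY_RESERVED = range(1002, 1006)  # Token Ring / FDDI on Cisco switches


def check_vlan(vlan_id: int, purpose: str) -> list[str]:
    """Return findings for one VLAN; an empty list means it passes."""
    findings = []
    if not 1 <= vlan_id <= 4094:
        findings.append(f"VLAN {vlan_id}: outside the valid range 1-4094")
        return findings
    if vlan_id == 1:
        findings.append("VLAN 1: default VLAN, avoid for production traffic")
    if vlan_id in CISCO_LEGACY_RESERVED:
        findings.append(f"VLAN {vlan_id}: reserved for Token Ring/FDDI on Cisco switches")
    expected = SCHEME.get(purpose)
    if expected is None:
        findings.append(f"VLAN {vlan_id}: unknown purpose '{purpose}'")
    elif vlan_id not in expected:
        findings.append(
            f"VLAN {vlan_id}: purpose '{purpose}' should use IDs "
            f"{expected.start}-{expected.stop - 1}"
        )
    return findings


def check_plan(plan) -> list[str]:
    """Check every entry of a (name, vlan_id, purpose) plan and flag duplicate IDs."""
    findings = []
    seen = {}
    for name, vlan_id, purpose in plan:
        findings.extend(check_vlan(vlan_id, purpose))
        if vlan_id in seen:
            findings.append(f"VLAN {vlan_id}: duplicate ID ({seen[vlan_id]} and {name})")
        seen.setdefault(vlan_id, name)
    return findings


def export_csv(plan) -> str:
    """Write the plan as CSV text; the column layout is an assumption, not the planner's format."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["name", "vlan_id", "purpose"])
    for name, vlan_id, purpose in plan:
        writer.writerow([name, vlan_id, purpose])
    return buf.getvalue()


# Constructed sample plan containing deliberate mistakes to exercise the checks.
SAMPLE_PLAN = [
    ("mgmt", 10, "infrastructure"),
    ("office-users", 110, "users"),
    ("app-servers", 210, "servers"),
    ("plc-cell-a", 310, "ot"),
    ("legacy-default", 1, "users"),      # default VLAN and wrong range
    ("fddi-leftover", 1003, "servers"),  # Cisco-reserved and wrong range
    ("misfiled", 150, "servers"),        # wrong range for its purpose
    ("dup-mgmt", 10, "infrastructure"),  # duplicate of "mgmt"
]

if __name__ == "__main__":
    for finding in check_plan(SAMPLE_PLAN):
        print(finding)
    print(export_csv(SAMPLE_PLAN))
```

Running it against the sample plan prints six findings: two for the default VLAN, two for the Cisco-reserved ID, one for the misfiled server VLAN, and one duplicate. The reserved-ID check is only meaningful on Cisco platforms; on other vendors' switches those four IDs are ordinary.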

Security zones are logical groupings of assets with similar security requirements and trust levels – they're a design concept. VLANs are the technical implementation that enforces zone boundaries at Layer 2. A zone might contain multiple VLANs (e.g., a "Production Zone" with separate VLANs for PLCs, HMIs, and historians). Zone boundaries are typically enforced by firewalls or ACLs between VLANs. Think of zones as the security policy and VLANs as the network mechanism that implements it.

IT/OT convergence requires careful VLAN planning to enable data flow while maintaining security boundaries. Create a dedicated DMZ zone with VLANs for data diodes, jump hosts, and data aggregation services. Never allow direct IT-to-OT VLAN communication. Use separate VLANs for remote access infrastructure. Consider one-way data flows from OT to IT where possible. Document all cross-zone traffic requirements and implement strict firewall rules between IT and OT VLANs. The Purdue Model provides an excellent framework for this architecture.
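The two paragraphs above describe zones as the policy and VLANs as the mechanism, with the DMZ as the only permitted path between enterprise IT and OT. The script below is an added example (not code from the VLAN Planner) that models exactly that: VLANs map to zones, a small set of directed zone-to-zone flows is allowed, everything else is denied, and a direct IT-to-OT flow is rejected even if someone later adds it to the allow list. The zone names follow the Purdue/DMZ vocabulary of the text; the VLAN IDs, zone membership and the flow requests are constructed sample data.

```python
"""Added example (not part of the VLAN Planner): check requested VLAN-to-VLAN
flows against a zone policy in which IT and OT may only talk through the DMZ."""

# Constructed sample: which zone each VLAN implements.
ZONE_OF_VLAN = {
    310: "ot",          # Purdue Level 0-2: PLCs, HMIs
    320: "ot",          # Purdue Level 3: historian
    350: "dmz",         # jump hosts, data aggregation
    110: "enterprise",  # Level 4-5 users
    210: "enterprise",  # Level 4-5 servers
}

# Directed (source zone, destination zone) pairs the policy permits.
# Anything not listed is denied by default.
ALLOWED_ZONE_FLOWS = {
    ("ot", "dmz"),          # one-way data push from OT into the DMZ
    ("dmz", "enterprise"),  # aggregated data onward to IT
    ("enterprise", "dmz"),  # users reach jump hosts in the DMZ
    ("dmz", "ot"),          # jump-host sessions into OT
}


def evaluate_flow(src_vlan: int, dst_vlan: int) -> tuple[str, str]:
    """Return ('allow' | 'deny', reason) for one source -> destination VLAN flow."""
    src = ZONE_OF_VLAN.get(src_vlan)
    dst = ZONE_OF_VLAN.get(dst_vlan)
    if src is None or dst is None:
        return "deny", "VLAN not assigned to any zone; undocumented traffic"
    if src_vlan == dst_vlan:
        return "allow", f"same VLAN in zone '{src}': Layer 2 only, no policy point"
    if src == dst:
        return "allow", f"inside zone '{src}': inter-VLAN routing, ACL recommended"
    # Hard rule from the text: never allow direct IT-to-OT communication,
    # regardless of what the allow list says.
    if {src, dst} == {"enterprise", "ot"}:
        return "deny", "direct IT-to-OT flow; must traverse the DMZ"
    if (src, dst) in ALLOWED_ZONE_FLOWS:
        return "allow", f"cross-zone {src}->{dst}: needs an explicit firewall rule"
    return "deny", f"cross-zone {src}->{dst} not in policy (default deny)"


def audit(requests) -> list[tuple[str, str]]:
    """Return the (label, reason) pairs for every request the policy rejects."""
    rejected = []
    for src_vlan, dst_vlan, label in requests:
        verdict, reason = evaluate_flow(src_vlan, dst_vlan)
        if verdict == "deny":
            rejected.append((label, reason))
    return rejected


def zone_matrix() -> dict[str, dict[str, str]]:
    """Zone-to-zone communication matrix (source -> destination) derived from the policy."""
    zones = sorted(set(ZONE_OF_VLAN.values()))
    return {
        s: {d: ("allow" if s == d or (s, d) in ALLOWED_ZONE_FLOWS else "deny") for d in zones}
        for s in zones
    }


# Constructed flow requests, as a project team might document them.
SAMPLE_REQUESTS = [
    (310, 320, "PLC to historian"),
    (320, 350, "historian push to DMZ mirror"),
    (350, 210, "DMZ mirror to IT reporting server"),
    (110, 350, "users to jump host"),
    (110, 310, "engineer desktop directly to PLC"),
    (310, 210, "PLC directly to IT server"),
    (999, 310, "undocumented VLAN to PLC"),
]

if __name__ == "__main__":
    for label, reason in audit(SAMPLE_REQUESTS):
        print(f"REJECTED: {label}: {reason}")
    for src, row in zone_matrix().items():
        print(src, row)
```

The audit rejects the two direct IT/OT requests and the flow from an undocumented VLAN; the four remaining requests are either intra-zone or follow the DMZ path. Keeping the IT/OT check ahead of the allow-list lookup is deliberate: it makes the rule a property of the model rather than of whoever edits the list.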

Network segmentation platform

Need help implementing your segmentation?

Our solutions automate network segmentation from planning to deployment, especially for complex OT environments.

  • Automated discovery of existing network structure
  • Policy-based microsegmentation for legacy devices
  • IEC 62443 compliant zone design
  • Hardware/Vendor-independent implementation