A flat OT network means every device can reach every other device. A compromised HMI can talk to every PLC. A vendor laptop plugged into the wrong port can reach SCADA. Lateral movement is trivial. The standard fix is VLAN segmentation. The problem: VLANs require switch reconfiguration, often recabling and IP changes, and a maintenance window that means production downtime. For many facilities that is a project measured in months, needing an outage window operations cannot absorb.
Overlay networking segments the network in software, on top of the existing physical infrastructure, without touching switches, cables, or device addresses.
Why VLANs Are Hard in OT
Switch reconfiguration. Every port assignment must be planned, configured, and tested. In a facility with hundreds of ports across multiple switches, this is weeks of work.
IP address changes. Moving a device to a new VLAN often means a new IP subnet. OT devices frequently have hardcoded IPs in their configurations. Changing them requires reprogramming the device and testing the entire control loop.
Cabling changes. If two devices that must land in different VLANs hang off the same unmanaged switch or daisy chain (a PLC and its HMI, say), one of them needs its own managed switch port. That often means pulling new cable.
Downtime. Every change carries risk. A misconfigured VLAN or trunk can isolate a critical device. Validating the new layout usually means taking equipment offline. Production teams resist any change that threatens uptime.
Ongoing maintenance. Every new device, every network change, every expansion requires VLAN reconfiguration. The operational burden never ends.
How Overlay Networking Works
An overlay network creates virtual network segments on top of your existing physical network. The underlay (your switches, cables, and IP addresses) stays exactly as it is. The overlay adds a new logical layer that controls which devices can communicate with which.
Step 1: Deploy the Access Gate. A physical appliance or VM connects to your existing network. No changes to switches or cabling.
Step 2: Asset discovery. The Access Gate discovers devices passively, by observing traffic rather than probing for it. There is no active scanning, so nothing on the network is touched. The trade-off with any passive method is that it only sees devices whose traffic passes its observation point (a mirror port or an in-path position), so devices that stay silent during the discovery window must be added by hand.
Step 3: Define segments. Group assets into logical segments: CNC machines, SCADA controllers, HMI terminals, engineering workstations. Each segment gets its own access policy.
Step 4: Enforce. The overlay routes traffic through identity-aware proxies. The policy is default deny: devices in different segments cannot communicate unless a rule explicitly allows it, and every other attempt is dropped and logged.
The overlay addresses its endpoints from 100.64.0.0/16, a block inside the 100.64.0.0/10 shared address space reserved for carrier-grade NAT (RFC 6598), so it does not overlap the RFC 1918 private ranges most plants use. Your devices keep their original IPs. Your switches keep their original configurations. Before deployment, confirm that nothing on site, and no upstream carrier link the overlay has to traverse, already uses that block.
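A pre-deployment check a practitioner would want before committing to an overlay block. This is an added example, not code from the page or from the Access Gate product: it verifies that a candidate overlay prefix sits inside the RFC 6598 CGNAT space, overlaps neither RFC 1918 nor any prefix already in use on site, and then shows the overlay/underlay mapping in which every asset keeps its original IP and receives a second, overlay-only address. The asset names, site prefixes and address assignments are constructed for the example.

```python
import ipaddress

# RFC 6598 shared address space reserved for carrier-grade NAT.
CGNAT = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges, where plant networks normally live.
RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_overlay_prefix(overlay, existing_prefixes):
    """Return a list of findings; an empty list means the overlay block is safe to use.

    overlay: candidate overlay block, e.g. "100.64.0.0/16".
    existing_prefixes: every prefix already routed or configured on site, including
    anything learned from upstream carrier links the overlay will traverse.
    """
    ov = ipaddress.ip_network(overlay, strict=True)
    findings = []
    if not ov.subnet_of(CGNAT):
        findings.append(f"{ov} is outside the CGNAT shared space {CGNAT}")
    for p in RFC1918:
        if ov.overlaps(p):
            findings.append(f"{ov} overlaps RFC 1918 range {p}")
    for raw in existing_prefixes:
        p = ipaddress.ip_network(raw, strict=False)
        if ov.overlaps(p):
            findings.append(f"{ov} overlaps existing site prefix {p}")
    return findings


def assign_overlay_addresses(assets, overlay):
    """Map each asset to its untouched underlay IP plus a new overlay address.

    assets: {asset_name: underlay_ip}. Overlay addresses are handed out in order from
    the block's host range; the underlay IP is never changed.
    """
    hosts = ipaddress.ip_network(overlay).hosts()
    table = {}
    for name, underlay_ip in assets.items():
        try:
            overlay_ip = next(hosts)
        except StopIteration:
            raise ValueError(f"overlay block {overlay} too small for {len(assets)} assets")
        table[name] = {"underlay": str(ipaddress.ip_address(underlay_ip)), "overlay": str(overlay_ip)}
    return table


if __name__ == "__main__":
    # Constructed site: two RFC 1918 plant subnets already in use.
    site_prefixes = ["192.168.50.0/24", "10.10.0.0/16"]
    for candidate in ("100.64.0.0/16", "10.200.0.0/16"):
        problems = check_overlay_prefix(candidate, site_prefixes)
        print(candidate, "OK" if not problems else "; ".join(problems))
    inventory = {"PLC-001": "192.168.50.10", "HMI-01": "192.168.50.20"}
    for name, addrs in assign_overlay_addresses(inventory, "100.64.0.0/16").items():
        print(f"{name}: underlay {addrs['underlay']} -> overlay {addrs['overlay']}")
```

The second candidate in the usage block is there to show what a bad choice looks like: a block carved from 10.0.0.0/8 fails both the CGNAT test and the RFC 1918 overlap test, which is exactly the collision the CGNAT range is meant to avoid.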
Overlay vs. VLAN: Practical Comparison
| Factor | VLANs | Overlay Network |
|---|---|---|
| Switch changes | Required | None |
| IP address changes | Often required | None |
| Cabling changes | Sometimes required | None |
| Production downtime | Typically required for cutover | None (underlay untouched) |
| Deployment time | Weeks to months | Hours |
| Ongoing maintenance | High | Policy changes only |
| Identity-aware | No (port and MAC based) | Yes |
| Session logging | No | Yes |
What Segmentation Actually Prevents
On a flat network, a single compromised device can:
- Scan and discover every other device
- Attempt connections to PLCs, SCADA, and safety systems
- Exfiltrate data from any accessible endpoint
- Propagate ransomware across the entire network
With overlay segmentation, a compromised device can only reach the assets its policy allows. If the policy says "this HMI can talk to PLC-001 on Modbus TCP port 502 only," that is all it can do: a connection from the same HMI to PLC-002, or to PLC-001 on any other port, is dropped and logged.
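The policy evaluation described above, and the flat-network reach listed before it, as an added example that is not part of the page or of the product it describes: a small identity-aware, default-deny policy engine in which rules name assets or segments rather than IP addresses, every connection attempt produces a log line, and a blast-radius function shows what one compromised device could reach on a flat network versus under the policy. The asset inventory, segment names, underlay IPs and connection attempts are constructed for the example; "PLC-001 on Modbus TCP 502" is the rule the text gives.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    segment: str
    ip: str  # underlay IP, kept for logging only; policy keys on identity, not address


@dataclass(frozen=True)
class Rule:
    src: str    # asset name or segment name
    dst: str    # asset name or segment name
    proto: str  # "tcp" or "udp"
    port: int


# Constructed inventory (hypothetical names and addresses).
ASSETS = {a.name: a for a in [
    Asset("HMI-01", "hmi", "192.168.50.20"),
    Asset("HMI-02", "hmi", "192.168.50.21"),
    Asset("PLC-001", "plc", "192.168.50.10"),
    Asset("PLC-002", "plc", "192.168.50.11"),
    Asset("ENG-WS-01", "engineering", "192.168.60.5"),
    Asset("SCADA-01", "scada", "192.168.70.2"),
    Asset("VENDOR-LAPTOP", "unmanaged", "192.168.50.99"),
]}

# Constructed policy. Anything not listed here is denied.
POLICY = [
    Rule("HMI-01", "PLC-001", "tcp", 502),   # this HMI, this PLC, Modbus TCP only
    Rule("scada", "plc", "tcp", 502),        # segment-to-segment rule: SCADA polls all PLCs
]


def _matches(selector, asset):
    """A rule selector matches an asset by exact name or by its segment."""
    return selector == asset.name or selector == asset.segment


def evaluate(src_name, dst_name, proto, port, policy=POLICY, assets=ASSETS):
    """Return (verdict, reason). Unknown identities and unmatched attempts are denied."""
    src, dst = assets.get(src_name), assets.get(dst_name)
    if src is None or dst is None:
        return "deny", "unknown-identity"
    for r in policy:
        if _matches(r.src, src) and _matches(r.dst, dst) and r.proto == proto.lower() and r.port == port:
            return "allow", f"rule {r.src}->{r.dst} {r.proto}/{r.port}"
    return "deny", "default-deny"


def enforce(attempts, policy=POLICY, assets=ASSETS):
    """Evaluate each (src, dst, proto, port) attempt and return one log line per attempt."""
    log = []
    for src, dst, proto, port in attempts:
        verdict, reason = evaluate(src, dst, proto, port, policy, assets)
        src_ip = assets[src].ip if src in assets else "?"
        dst_ip = assets[dst].ip if dst in assets else "?"
        log.append(f"{verdict.upper()} src={src}({src_ip}) dst={dst}({dst_ip}) {proto}/{port} reason={reason}")
    return log


def reachable(src_name, policy=POLICY, assets=ASSETS, flat=False):
    """Names of assets a compromised src could open a connection to.

    flat=True models the unsegmented network, where every host is reachable;
    otherwise only destinations some rule allows for this source count.
    """
    others = {n for n in assets if n != src_name}
    if flat:
        return others
    return {n for n in others if any(
        evaluate(src_name, n, r.proto, r.port, policy, assets)[0] == "allow" for r in policy)}


if __name__ == "__main__":
    # Constructed connection attempts as the proxies would see them.
    attempts = [
        ("HMI-01", "PLC-001", "tcp", 502),        # allowed by the HMI rule
        ("HMI-01", "PLC-002", "tcp", 502),        # same HMI, different PLC: denied
        ("HMI-01", "PLC-001", "tcp", 44818),      # right PLC, wrong port: denied
        ("SCADA-01", "PLC-002", "tcp", 502),      # allowed by the segment rule
        ("VENDOR-LAPTOP", "SCADA-01", "tcp", 502),  # unmanaged segment: denied
        ("ghost-host", "PLC-001", "tcp", 502),    # not in inventory: denied
    ]
    for line in enforce(attempts):
        print(line)
    print("flat-network reach from HMI-01:", sorted(reachable("HMI-01", flat=True)))
    print("policy reach from HMI-01:     ", sorted(reachable("HMI-01")))
```

The point of keying rules on asset and segment identity is visible in the VENDOR-LAPTOP case: it sits on the same 192.168.50.0/24 subnet as the PLCs, so a flat network or a subnet-based ACL would let it through, but under the overlay policy its identity is in the unmanaged segment and no rule names it.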
The Lollipop Model
Each OT asset connects to the network through a single proxy endpoint. The proxy handles authentication, authorization, logging, and encryption. The direct path from the asset to any other device is blocked. The only way in or out is through the proxy.
This creates a topology that looks like a lollipop for each asset: one stick (the proxy path) and one candy (the asset). There are no direct lateral paths between assets; the only asset-to-asset reach is what a policy explicitly grants, and that traffic still passes through the proxy, authenticated and logged.
The Overlay Networks Explained page walks through the four-step architecture in detail.
For more Zero Trust OT resources, architecture guides, and comparisons, visit the Zero Trust for OT Networks hub.