Tags: Network Design, Segmentation, OT Security

Overlay Networking vs VLANs: A Practical Comparison for OT Segmentation

Trout Team, 7 min read

The Segmentation Problem in OT

Every OT security framework — IEC 62443, NIST 800-82, NIS2 — requires network segmentation. Separate your safety systems from your process control. Isolate your HMI network from the enterprise LAN. Create zones and conduits. The guidance is clear.

The implementation is where it gets difficult. Most OT environments are brownfield: built years or decades ago, running flat or semi-flat networks, with equipment that cannot tolerate downtime for network changes. The question isn't whether to segment. It's how to segment without shutting down production.

Two approaches dominate: VLANs (the traditional method) and overlay networking (the modern alternative). Both achieve segmentation. The effort, risk, and operational impact are very different.

How VLANs Work

A VLAN (Virtual Local Area Network) creates logical broadcast domains on a managed switch by tagging frames (IEEE 802.1Q). Devices assigned to VLAN 10 can communicate with each other but are isolated from devices on VLAN 20. Inter-VLAN traffic requires a Layer 3 router or firewall, where access control rules can be applied. That isolation is only as strong as the switch configuration: a port left in trunk mode, or an untagged native VLAN shared across a trunk, lets traffic cross zones without ever reaching the router, so VLAN designs need the switch configs audited as carefully as the firewall rules.

VLANs have been the standard segmentation method for 25+ years. Every managed switch supports them. Every network engineer understands them. They work.

VLAN Implementation Steps for OT Segmentation

  1. Inventory the network — document every device, its switch port, IP address, and communication dependencies
  2. Design the VLAN topology — define zones, assign VLAN IDs, plan IP subnets
  3. Configure switches — assign ports to VLANs, set up trunk links between switches
  4. Re-cable if necessary — a device hanging off an unmanaged switch or a media converter that cannot tag frames must be moved to a port on a managed switch that carries its VLAN
  5. Re-address devices — moving a device to a new VLAN typically means a new IP subnet, requiring IP address changes on PLCs, HMIs, and SCADA servers
  6. Update firewall/router rules — configure inter-VLAN routing and access control
  7. Test thoroughly — verify every communication path works in the new topology
  8. Schedule downtime — steps 3-7 usually require a maintenance window
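Steps 1, 2, 5 and 6 are the ones that can be rehearsed before anybody touches a switch, and rehearsing them is where most of the cutover risk is retired. The Python below is an added example, not tooling from this article: it takes a constructed inventory (five devices on a flat 192.168.1.0/24) and a constructed zone plan, computes each device's new address, lists the flows whose hardcoded peer address will break at cutover, and emits the inter-VLAN allow-list as an nftables ruleset with a default drop. The nftables table name and the vlan10/vlan20/vlan30 interface names are assumptions.

```python
"""Flat-to-VLAN cutover planner (added example; all data below is constructed)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    ip: str        # address on today's flat network
    zone: str      # target zone from the VLAN design


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: int
    hardcoded: bool = False  # peer address baked into a PLC program or HMI tag file


FLAT_NET = ipaddress.ip_network("192.168.1.0/24")  # today's flat network (constructed)

# Zone design: VLAN ID and new subnet per zone (constructed).
ZONES = {
    "control":     {"vlan": 10, "subnet": "10.10.10.0/24"},
    "supervisory": {"vlan": 20, "subnet": "10.10.20.0/24"},
    "safety":      {"vlan": 30, "subnet": "10.10.30.0/24"},
}

INVENTORY = [
    Device("plc1", "192.168.1.10", "control"),
    Device("plc2", "192.168.1.11", "control"),
    Device("sis1", "192.168.1.50", "safety"),
    Device("hmi1", "192.168.1.100", "supervisory"),
    Device("historian", "192.168.1.200", "supervisory"),
]

FLOWS = [
    Flow("hmi1", "plc1", "tcp", 502, hardcoded=True),         # Modbus/TCP polling
    Flow("hmi1", "plc2", "tcp", 502, hardcoded=True),
    Flow("historian", "plc1", "tcp", 44818, hardcoded=True),  # EtherNet/IP explicit messaging
    Flow("hmi1", "sis1", "tcp", 502, hardcoded=True),         # HMI reads safety status
    Flow("plc1", "plc2", "tcp", 502),                         # peer-to-peer inside one zone
]

ZONE_OF = {d.name: d.zone for d in INVENTORY}


def plan_addresses(inventory=INVENTORY, zones=ZONES):
    """Map each device to (old_ip, new_ip) inside its zone's subnet. The host number
    is kept where it fits so operators still recognise the device; otherwise the
    next free host in the zone is used."""
    plan, used = {}, {z: set() for z in zones}
    for dev in inventory:
        net = ipaddress.ip_network(zones[dev.zone]["subnet"])
        old = ipaddress.ip_address(dev.ip)
        hostnum = int(old) - int(FLAT_NET.network_address)
        new = None
        if 0 < hostnum < net.num_addresses - 1:
            cand = net.network_address + hostnum
            if cand not in used[dev.zone]:
                new = cand
        if new is None:
            new = next(h for h in net.hosts() if h not in used[dev.zone])
        used[dev.zone].add(new)
        plan[dev.name] = (str(old), str(new))
    return plan


def crossing_flows(flows=FLOWS):
    """Flows that will cross a zone boundary and therefore need an inter-VLAN rule."""
    return [f for f in flows if ZONE_OF[f.src] != ZONE_OF[f.dst]]


def breaking_configs(flows=FLOWS, plan=None):
    """Flows whose destination gets a new address that is hardcoded on the source:
    each one is a device config edit that has to happen inside the cutover window."""
    plan = plan or plan_addresses()
    return [f for f in flows if f.hardcoded and plan[f.dst][0] != plan[f.dst][1]]


def nft_rules(flows=FLOWS, plan=None, zones=ZONES):
    """Inter-VLAN allow-list for the Layer 3 boundary as an nftables ruleset.
    Table and interface names (vlan10, ...) are assumptions for the example."""
    plan = plan or plan_addresses()
    lines = [
        "table inet otseg {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for f in crossing_flows(flows):
        iif = f"vlan{zones[ZONE_OF[f.src]]['vlan']}"
        oif = f"vlan{zones[ZONE_OF[f.dst]]['vlan']}"
        lines.append(
            f"    iifname {iif} oifname {oif} ip saddr {plan[f.src][1]} "
            f"ip daddr {plan[f.dst][1]} {f.proto} dport {f.port} accept"
            f"  # {f.src} -> {f.dst}"
        )
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for name, (old, new) in plan_addresses().items():
        print(f"{name}: {old} -> {new}")
    print(f"{len(breaking_configs())} hardcoded peer addresses to edit at cutover")
    print(nft_rules())
```

Run it against the real inventory before the maintenance window: the length of breaking_configs() is the number of device edits the window has to fit, and any crossing flow missing from the list is a path that silently stops working the moment the forward chain's policy drop takes effect.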

The Problem with VLANs in Brownfield OT

Each of those steps carries risk in an operating OT environment:

  • Re-cabling means physical work in cabinets, panels, and junction boxes — often in hazardous or hard-to-access areas
  • IP address changes break hardcoded addresses in PLC programs, HMI configurations, SCADA polling lists, and historian connections. Many legacy devices have IP addresses configured via front-panel DIP switches or serial console — not remotely manageable
  • Downtime is required for the switchover. Even with careful planning, flat-to-segmented migrations typically require 4-8 hours of downtime per network zone
  • Rollback is painful — if something breaks after the migration, returning to the original unsegmented topology means undoing every change

For greenfield deployments, VLANs are straightforward. For brownfield OT environments with 10-20 year old infrastructure, VLANs often stall because the downtime window never materializes.

How Overlay Networking Works

An overlay network creates a logical network layer on top of the existing physical network. Devices communicate through tunnels that run over the existing IP infrastructure, and the physical network doesn't change. Whether the overlay is also encrypted depends on the tunnel protocol: WireGuard and IPsec authenticate and encrypt every packet, while plain encapsulations such as VXLAN or GRE separate traffic but carry it in the clear. The encryption claims later in this article apply to the encrypted kind.

Think of it this way: VLANs segment by reconfiguring the physical network. Overlays segment by building a new logical network on top of it.

Overlay Implementation Steps for OT Segmentation

  1. Deploy the overlay appliance — install a single appliance or VM at the site
  2. Define segmentation policies — specify which devices can communicate with which zones
  3. Enroll devices — devices join the overlay network by connecting through the appliance (no agent installation, no IP changes)
  4. Enforce policies — the appliance routes traffic between overlay segments according to policy
  5. No physical changes — the existing switches, cables, and IP addresses remain untouched

The critical difference: no re-cabling, no IP changes, no switch reconfiguration, no downtime. The one thing the plan must still settle is steering. The appliance enforces policy only on traffic that passes through it, so each device or zone needs a path (a gateway change, inline placement, or a tunnel endpoint in front of it) that makes the appliance the only route to the other segments. On a flat LAN where two devices can still reach each other directly, the overlay adds a controlled path but does not by itself remove the uncontrolled one.

How Access Gate Implements Overlay Segmentation

Access Gate creates a WireGuard-based overlay network. Each device or zone connects to the Access Gate appliance through an encrypted tunnel. The appliance acts as the policy enforcement point — it decides which traffic flows between segments based on identity-based zero-trust rules.

The existing network — with no internal boundaries — continues to operate. Devices keep their IP addresses. Switches keep their configuration. The overlay sits on top, adding segmentation and access control without touching the underlay.
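The enrolment and enforcement steps above and the Access Gate description come down to one mechanism: a peer's identity is its WireGuard public key, and the AllowedIPs entry for that key is the only set of inner source addresses the tunnel will accept from it (WireGuard's cryptokey routing). The Python below is an added example written for this article, not Access Gate's code or configuration format: it models an enforcement point with three constructed peers (a gateway fronting a whole production cell that keeps its 192.168.3.0/24 addresses, an HMI, and an engineering laptop), applies a zone-to-zone allow-list, and emits the appliance-side WireGuard config. Keys are placeholder strings, and every name, address and rule is made up.

```python
"""Identity-based enforcement point for a WireGuard overlay (added example;
peers, keys, addresses and rules are constructed placeholders)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Peer:
    name: str
    pubkey: str   # the peer's identity; placeholder here, a real key is 32 bytes base64
    allowed: str  # AllowedIPs: the only inner source addresses accepted from this key
    zone: str


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    port: int


# Enrolled peers (constructed). cell3-gw is a tunnel endpoint in front of an
# entire cell whose PLCs keep their original 192.168.3.0/24 addresses; the
# other two run WireGuard themselves and are bound to a single /32.
PEERS = [
    Peer("cell3-gw",   "CELL3GW_PUBKEY_PLACEHOLDER=",   "192.168.3.0/24",    "control"),
    Peer("hmi-line1",  "HMILINE1_PUBKEY_PLACEHOLDER=",  "192.168.20.100/32", "supervisory"),
    Peer("eng-laptop", "ENGLAPTOP_PUBKEY_PLACEHOLDER=", "10.200.0.200/32",   "engineering"),
]

# Zone-to-zone allow-list; anything not listed is dropped.
POLICY = [
    Rule("supervisory", "control", "tcp", 502),    # HMI polls Modbus/TCP
    Rule("engineering", "control", "tcp", 44818),  # engineering reaches EtherNet/IP
]

_BY_KEY = {p.pubkey: p for p in PEERS}


def peer_for_address(ip):
    """Which enrolled peer owns this overlay address, by AllowedIPs containment."""
    addr = ipaddress.ip_address(ip)
    for p in PEERS:
        if addr in ipaddress.ip_network(p.allowed):
            return p
    return None


def cryptokey_routing_ok(pubkey, inner_src_ip):
    """WireGuard's inbound check: after decryption the packet's source address
    must lie inside the AllowedIPs of the key that authenticated it. A peer
    forging another segment's address inside its own tunnel is dropped before
    any policy rule runs, so identity is the key, never the address."""
    peer = _BY_KEY.get(pubkey)
    return peer is not None and ipaddress.ip_address(inner_src_ip) in ipaddress.ip_network(peer.allowed)


def decide(pubkey, inner_src_ip, dst_ip, proto, port):
    """Enforcement-point verdict for one packet arriving from a tunnel."""
    if not cryptokey_routing_ok(pubkey, inner_src_ip):
        return ("drop", "source address not bound to this key")
    src, dst = _BY_KEY[pubkey], peer_for_address(dst_ip)
    if dst is None:
        return ("drop", "destination is not an enrolled segment")
    for r in POLICY:
        if (r.src_zone, r.dst_zone, r.proto, r.port) == (src.zone, dst.zone, proto, port):
            return ("accept", f"{src.zone}->{dst.zone} {proto}/{port}")
    return ("drop", f"no rule for {src.zone}->{dst.zone} {proto}/{port}")


def appliance_config(listen_port=51820, privkey="APPLIANCE_PRIVKEY_PLACEHOLDER="):
    """Appliance-side wg-quick style config: one [Peer] per enrolled identity.
    The AllowedIPs line is what turns a key into an address binding."""
    lines = ["[Interface]", f"PrivateKey = {privkey}",
             f"ListenPort = {listen_port}", "Address = 10.200.0.1/24"]
    for p in PEERS:
        lines += ["", f"# {p.name} ({p.zone})", "[Peer]",
                  f"PublicKey = {p.pubkey}", f"AllowedIPs = {p.allowed}"]
    return "\n".join(lines)


if __name__ == "__main__":
    samples = [
        ("HMILINE1_PUBKEY_PLACEHOLDER=",  "192.168.20.100", "192.168.3.10", "tcp", 502),
        ("HMILINE1_PUBKEY_PLACEHOLDER=",  "192.168.20.100", "192.168.3.10", "tcp", 44818),
        ("ENGLAPTOP_PUBKEY_PLACEHOLDER=", "192.168.20.100", "192.168.3.10", "tcp", 502),
    ]
    for s in samples:
        print(s[0].split("_")[0], s[1], "->", s[2], f"{s[3]}/{s[4]}", decide(*s))
    print(appliance_config())
```

The third sample packet is the case worth noticing: the engineering laptop's key sends a packet carrying the HMI's source address inside its own tunnel. It is dropped by the AllowedIPs check before the zone policy runs, which is why rules can be written against overlay addresses without trusting what the underlay says about who sent a packet.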

Direct Comparison: Overlay vs VLANs

  • Deployment effort. VLANs: high (switch configuration, cabling, IP changes). Overlay: low (appliance deployment plus policy configuration).
  • Downtime required. VLANs: yes, typically 4-8 hours per zone. Overlay: no, the overlay deploys alongside the live network.
  • Physical network changes. VLANs: required (port assignments, trunk links, cabling). Overlay: none, the existing infrastructure is unchanged.
  • IP address changes. VLANs: usually required (a new subnet per VLAN). Overlay: none, devices keep their existing addresses.
  • Scalability. VLANs: limited by switch port density and the 802.1Q ID range (1-4094 usable). Overlay: limited by appliance throughput, since every inter-segment flow is decrypted and policy-checked there.
  • Remote site support. VLANs: a managed switch at every site, and a VLAN does not extend across a routed WAN without a separate tunnel. Overlay: an appliance or VM at each site, with tunnels over the WAN.
  • Encryption. VLANs: none; an 802.1Q tag is a label, not a cipher (MACsec adds Layer 2 encryption but only on switches and NICs that support it). Overlay: built in for every tunnelled hop when WireGuard or IPsec is used; the LAN hop between an unmodified device and the appliance is not encrypted by the overlay.
  • Rollback complexity. VLANs: high, every physical and logical change must be undone. Overlay: low, remove the overlay and the untouched physical network remains.
  • Cost. VLANs: managed switches plus labour for reconfiguration. Overlay: appliance plus licence per site.
  • Protocol support. VLANs: all, including non-IP Layer 2 protocols, because a VLAN is transparent to what it carries. Overlay: any IP traffic; non-IP Layer 2 traffic such as PROFINET RT or raw Ethernet frames does not cross a Layer 3 tunnel.
  • Maturity. VLANs: 25+ years, universally understood. Overlay: newer, but built on proven tunnel protocols.
  • Switch vendor dependency. VLANs: 802.1Q itself is a standard, but configuration syntax and management tooling are vendor-specific. Overlay: none, it works over any IP network.

Tradeoffs

Neither approach is strictly superior. Each has tradeoffs:

VLANs are better when:

  • You're building a greenfield network and can design the VLAN topology from the start
  • You need Layer 2 segmentation for protocols that require broadcast domain isolation or run directly on Ethernet rather than IP (e.g., PROFINET RT)
  • Your team has deep experience with switch management and the switches are already in place
  • Downtime windows are available and the network is simple enough for a clean migration

Overlays are better when:

  • You're working in a brownfield environment with flat or legacy networks
  • Downtime is not available or carries significant production cost
  • The physical network is complex, sprawling, or poorly documented — touching it is risky
  • You need to segment remote sites connected over WAN links
  • Encryption is a requirement for traffic crossing untrusted links: with WireGuard or IPsec tunnels, every hop inside the overlay is encrypted by default
  • You need segmentation fast — days, not months

The Hybrid Approach

Many deployments use both. VLANs provide coarse segmentation at the switch level (e.g., separate VLANs for the corporate LAN and the plant floor). Overlay networking provides fine-grained micro-segmentation within the OT environment (e.g., isolating individual production cells or safety zones).

This layered approach gives you:

  • Broad segmentation from existing VLAN infrastructure
  • Micro-segmentation from the overlay, without modifying the VLAN topology
  • Encryption on OT traffic segments that carry sensitive data
  • Zero-trust access control at the overlay enforcement point

Picking the Right Approach

The decision tree is straightforward:

  1. Can you afford downtime for network reconfiguration? If no, overlay is the only practical option.
  2. Are you building new or retrofitting? Greenfield = VLANs are fine. Brownfield = overlay avoids the pain.
  3. Do you need encryption? VLANs don't provide it (MACsec can, but only on hardware that supports it). Encrypted overlays provide it by default on every tunnelled hop.
  4. How fast do you need segmentation? VLANs take weeks to months in complex environments. Overlays take hours to days.

Stop waiting for the perfect maintenance window. Deploy segmentation on top of the network you already have. For the broader argument on why enforcement should stay local, see why on-premise OT security beats cloud-routed solutions. And for organizations with dozens of sites, our guide to scaling zero trust across 50+ locations covers how overlay networking enables centralized management at scale.


Full NIS2 on-premise compliance guide → /resources/nis2-on-premise