Lollipop architecture is a non-inline overlay deployment model used by Trout's Access Gate. An appliance connects at a single point on the existing LAN (the "stick") and creates a zero-trust overlay network (the "head") addressed from 100.64.0.0/16, a /16 carved out of the IANA shared address space used for carrier-grade NAT (RFC 6598, 100.64.0.0/10), adjacent to but logically separate from the physical network.
How lollipop architecture works
In a lollipop deployment, the Access Gate appliance plugs into a single switch port on the existing network. It does not sit inline between devices and their upstream gateway. Instead, it advertises overlay routes and handles DNS-based or routing-based traffic steering so that enrolled devices communicate through the overlay rather than directly across the physical LAN.
The overlay network uses 100.64.0.0/16, a /16 within the shared address space that IANA reserved for carrier-grade NAT (CGNAT, RFC 6598, 100.64.0.0/10). That space is distinct from the RFC 1918 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) normally in use on a production network, so the overlay does not collide with them. It can still collide with an existing use of the CGNAT block itself, for example an upstream ISP that hands the site an address from 100.64.0.0/10, or a plant that borrowed the range for internal addressing, so the site's routed prefixes should be checked against the overlay prefix before deployment. Each enrolled device receives an overlay IP address in this range. Traffic between enrolled devices is encrypted and authenticated through the overlay, while traffic to non-enrolled devices continues to flow over the physical network as before.
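As an added pre-deployment check (example code written for this page, not code from Trout or the Access Gate product): the script below uses Python's standard ipaddress module to confirm that a proposed overlay prefix sits inside the RFC 6598 shared address space, does not overlap any RFC 1918 range, and does not overlap a prefix already routed on the site, and to pick the first free /16 in the CGNAT block when the proposed one collides. The inventory of production prefixes is constructed for the example; the function names are this example's own.

```python
"""Address-plan check for a lollipop overlay prefix (added example, not product code)."""
import ipaddress

# RFC 6598 shared address space (the CGNAT block) that the overlay must sit inside.
SHARED_ADDRESS_SPACE = ipaddress.ip_network("100.64.0.0/10")

# RFC 1918 private ranges that a production LAN normally uses; the overlay must not overlap them.
RFC1918_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def check_overlay_prefix(overlay, production_prefixes):
    """Return a list of problems with the proposed overlay prefix; [] means it is clean.

    overlay: proposed overlay prefix, e.g. "100.64.0.0/16".
    production_prefixes: prefixes already routed on the physical network (from an inventory).
    """
    net = ipaddress.ip_network(overlay, strict=True)
    problems = []

    # 1. The overlay must be inside the IANA shared address space.
    if not net.subnet_of(SHARED_ADDRESS_SPACE):
        problems.append(f"{net} is not inside RFC 6598 space {SHARED_ADDRESS_SPACE}")

    # 2. It must not overlap the RFC 1918 ranges.
    for private in RFC1918_RANGES:
        if net.overlaps(private):
            problems.append(f"{net} overlaps RFC 1918 range {private}")

    # 3. It must not overlap anything the site already routes, including prior CGNAT use.
    for prefix in production_prefixes:
        routed = ipaddress.ip_network(prefix, strict=False)
        if net.overlaps(routed):
            problems.append(f"{net} overlaps production prefix {routed}")

    return problems


def pick_free_overlay_prefix(production_prefixes, prefixlen=16):
    """Return the first /prefixlen inside the CGNAT block that passes check_overlay_prefix,
    or None if every candidate collides with the site's routed prefixes."""
    for candidate in SHARED_ADDRESS_SPACE.subnets(new_prefix=prefixlen):
        if not check_overlay_prefix(str(candidate), production_prefixes):
            return str(candidate)
    return None


if __name__ == "__main__":
    # Constructed inventory for a hypothetical plant LAN; note the prior use of 100.64.0.0/22.
    inventory = ["10.10.0.0/16", "192.168.50.0/24", "100.64.0.0/22"]
    for problem in check_overlay_prefix("100.64.0.0/16", inventory):
        print("PROBLEM:", problem)
    print("first free overlay /16:", pick_free_overlay_prefix(inventory))
```

Run it against the real routing table or IPAM export instead of the constructed list; a non-empty result from check_overlay_prefix means the default overlay prefix needs to move before the appliance is plugged in.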
The "lollipop" name describes the resulting topology. The single physical connection to the LAN switch is the stick. The overlay network, with its mesh of encrypted tunnels between enrolled devices, forms the head. From the perspective of the physical network, all overlay traffic enters and exits through that single point, which simplifies firewall rules and network monitoring. One consequence to plan for: because overlay traffic is encrypted, passive monitoring on the physical network sees tunnels rather than the industrial protocol payloads inside them, so visibility into enrolled-device flows has to come from the overlay's own logs.
This architecture is non-inline by design. The appliance does not intercept, proxy, or bridge existing traffic flows. If the appliance is powered off or disconnected, devices revert to communicating over the physical network exactly as they did before deployment, so no single point of failure is added to the production network path. The corollary is that the design fails open: while the overlay is unavailable, enrolled devices are not subject to its identity-based policy, and any control that must hold during an appliance outage has to be enforced on the physical network as well (VLAN assignment, firewall rules).
OT and industrial context
In OT environments, inline security devices are a significant operational risk. Inserting a firewall or NAC appliance into the traffic path between a PLC and its HMI introduces a potential failure point in a safety-critical communication loop. If the inline device fails, reboots, or drops packets during a firmware update, the control loop breaks. Most OT environments enforce strict change freezes that prohibit inline deployments during production hours, and some prohibit inline devices in the control path altogether.
Lollipop architecture avoids this problem. A manufacturing plant can deploy an Access Gate appliance on a spare switch port during a scheduled maintenance window without modifying any existing cable runs, IP addresses, VLAN configurations, or firewall rules. Enrolled devices begin communicating over the overlay immediately. Non-enrolled devices are completely unaffected. If the plant needs to roll back, disconnecting the appliance restores the network to its prior state with no residual changes on the physical network side (cabling, addressing, VLANs, firewall rules).
This approach is particularly valuable in brownfield facilities where the network has grown organically over decades and the documentation is incomplete or missing. The overlay does not need to understand the existing network topology. It simply creates a new, identity-enforced network layer on top of whatever physical infrastructure exists.
Compliance relevance
The lollipop architecture supports segmentation requirements in CMMC (enclave isolation for CUI), IEC 62443 (zones and conduits), and NERC CIP-005 (Electronic Security Perimeters). Because the overlay enforces identity-based access rather than relying on VLAN membership or IP ranges, it provides auditable evidence of who accessed what and when, which supports the logging and monitoring controls in these frameworks.
Related terms
- Overlay Networking (OT context)
- Network Segmentation
- Zero Trust Architecture
- Firewall
- Access Control
Access Gate connection
Access Gate uses lollipop architecture as its standard deployment model, connecting non-inline to the LAN and creating an identity-enforced overlay without disrupting production traffic. Learn more at What is overlay networking.