The Complete Guide to Migrating from Switched to Routed Network Architecture
Learn how to safely migrate industrial networks from Layer 2 switches to Layer 3 routing for improved security, scalability, and operational stability. Expert guidance included.
Industrial and critical infrastructure networks are seeing a foundational shift: a broad migration from flat, switched Layer 2 (L2) environments to structured, segmented routed Layer 3 (L3) architectures. While enterprise IT made this leap years ago, the operational technology (OT) domain and mission-critical environments often lag due to legacy assets, reliability requirements, and a distinctly different risk calculus.
This article cuts through conjecture, presenting seasoned guidance for CISOs, IT directors, network engineers, and operators navigating this transformation. We'll examine historical drivers, core technical differences, security implications, migration strategy, and the operational subtleties of industrial routed networks.
Historical Snapshot: Why the World Was (Mostly) Switched
The prevalence of switched networks in industrial and OT settings can seem anachronistic—but it's not accidental. Ethernet switching provided two things plants craved: simplicity and determinism. A typical setup saw a plant-floor “star” of PLCs, workstations, and HMIs all talking over one big L2 VLAN, or perhaps a few for functional separation.
Determinism: Fewer hops to traverse; real-time traffic mostly local.
Simplicity: Zero need to manage routing; broadcast traffic solved most OT needs.
Legacy: Many legacy industrial protocols (e.g., Modbus/TCP, EtherNet/IP, PROFINET) assumed flat networks, with minimal concern for IP boundaries.
This status quo persisted until two converging realities surfaced:
Network Growth: Large, vendor-diverse plants hit the scalability wall—with broadcast storms, MAC table exhaustion, and troubleshooting nightmares.
Cybersecurity: Flat L2 means one compromised node can access anything, with little ability to segment or contain threats.
It's here the L3 paradigm asserts itself. But it's not as simple as swapping L2 switches for routers; factory floors are less forgiving than office cubicles.
Key Concepts: Switched (L2) vs. Routed (L3) Networks in Industrial Settings
Layer 2: Switched Networks
Broadcast Domains: All devices on a VLAN receive broadcast frames; this is both convenient and dangerous.
Spanning Tree Protocol (STP): Prevents loops but comes with slow convergence and operational complexity, notably with legacy devices that don't understand RSTP (Rapid STP) or MSTP (Multiple STP Instances).
No Native Segmentation: Without firewalling, VLANs alone cannot enforce security boundaries.
Protocol Simplicity: L2 requires little to no configuration on endpoints—great for legacy devices but problematic for visibility and control.
Layer 3: Routed Networks
IP Subnets: Each segment (e.g., per-cell, per-line) in its own IP subnet; segmentation is enforced at the router, not by convention.
Protocol Visibility: Routing delivers strict boundaries and the ability to insert filtering controls (access-lists, firewalls).
Scaling: Routing protocols (OSPF, EIGRP, BGP) manage reachability as the network grows, keeping topologies manageable and resilient.
Broadcast Containment: Broadcast and multicast are restricted to single subnets, reducing the blast radius for accidental or malicious traffic floods.
Device Configuration: Endpoints must be IP-aware, potentially a challenge for legacy systems with hard-coded addresses or subnet masks.
Why Migrate: Security, Stability, and Scalability
If you need convincing, consider the following constraints unique to critical and industrial environments:
Threat Isolation: A bridge (pun intended) between IT and OT increases attack surface; L3 segmentation is non-negotiable as ransomware pivots to OT targets.
Fault Domain Limitation: Layer 2 faults (broadcast storms, misconfigurations) can cripple entire factories. L3 boundaries sharply confine such impacts.
Change Management: L3 networks force architectural thinking, so small changes don't ripple globally.
All this comes with caveats: some legacy control traffic may not traverse routed boundaries without specific configuration (or protocol gateways, e.g., EtherNet/IP's CIP routing).
The Technical Migration Path: Principles and Gotchas
Foundational Planning
Asset Classification: Discover and categorize all endpoints—especially any hard-coded IPs and legacy RTUs that don’t gracefully handle IP/subnet changes.
Protocol Audit: List industrial traffic types (e.g., multicast CIP, industrial multicast, broadcast device discovery, PROFINET DCP).
Dependency Mapping: Snoop traffic flows—don’t assume documentation is accurate.
Vendor Consultation: Some PLCs/vendors will document L3 support but actually rely on L2 broadcast functions (discovery, addressing, failover).
Stepwise Approach
Subnet Design: Consider future growth and maintenance—avoid cramming too many devices into a single subnet; prefer /24 or smaller for clarity and ease of isolation.
VLAN Rationalization: Map existing VLANs to subnets. Avoid extending VLANs across large geographies; use routed uplinks instead.
Staged Routing Introduction: Introduce routing at critical aggregation points first (e.g., ring backbone, cell/zone boundaries). Leverage router-on-a-stick or distribution-layer L3 switches.
Routing Protocol Selection: OSPF tends to be the most common for deterministic convergence and clear separation of areas (cells/zones = OSPF areas). BGP is rarely needed unless dealing with multiple organizations/factories.
Multicast/Broadcast Bridging: For legacy protocols, employ IGMP snooping/querier or IP helper-address (for DHCP/BOOTP relay) to cross L3 boundaries if absolutely necessary. Use with caution—each exception is an attack path.
Test, Validate, Rollback: Simulate inter-subnet communication in lab environments. Assess both normal operation and failover (link down, misconfigured routes).
Security Integration
Insert firewalls or ACLs at routed boundaries. Default-deny (block all) and only open ports explicitly required for OT business processes.
Monitor logs continually—unexpected inter-subnet traffic is a red flag.
Integrate network access control (NAC) or physical port security where feasible to ensure only authorized devices connect.
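The default-deny conduit policy and the "unexpected inter-subnet traffic is a red flag" check above, worked as an added example that is not from the original article. The zone subnets, the conduit allow-list and the flow records are constructed samples; in practice the policy would be derived from the asset and dependency maps and the records would come from boundary firewall or NetFlow logs.

```python
import ipaddress
# Constructed sample: the cell/zone subnets that exist after migration.
ZONES = {
    "cell-a": ipaddress.ip_network("10.10.1.0/26"),
    "cell-b": ipaddress.ip_network("10.10.1.64/26"),
    "scada": ipaddress.ip_network("10.10.100.0/24"),
    "it-dmz": ipaddress.ip_network("10.200.0.0/24"),
}
# Constructed default-deny conduit policy: (src zone, dst zone, proto, dst port).
# Any flow that crosses a routed boundary and is not listed here is a violation.
ALLOWED_CONDUITS = {
    ("scada", "cell-a", "tcp", 502),     # Modbus/TCP polling from SCADA
    ("scada", "cell-b", "tcp", 44818),   # EtherNet/IP explicit messaging
    ("scada", "it-dmz", "tcp", 443),     # historian push into the DMZ
}
# Constructed sample flow records, one "src dst proto dport" per line.
FLOW_LOG = """\
10.10.100.5 10.10.1.10 tcp 502
10.10.100.5 10.10.1.70 tcp 44818
10.10.1.10 10.10.1.12 tcp 502
10.200.0.9 10.10.1.70 tcp 44818
10.10.1.70 10.10.100.5 tcp 3389
10.10.1.10 192.0.2.7 udp 53
"""

def zone_of(ip):
    """Zone containing ip, or None when the address is outside the plan."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)

def evaluate_flows(log_text):
    """Tag each flow: intra-zone (never touches a routed boundary), allowed
    (matches a conduit) or violation (default-deny should drop it; seeing it
    in boundary logs is the red flag to alert on)."""
    results = []
    for line in log_text.splitlines():
        src, dst, proto, dport = line.split()
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone is not None and src_zone == dst_zone:
            verdict = "intra-zone"
        elif (src_zone, dst_zone, proto, int(dport)) in ALLOWED_CONDUITS:
            verdict = "allowed"
        else:
            verdict = "violation"
        results.append((src, dst, proto, int(dport), src_zone, dst_zone, verdict))
    return results
def violations(log_text):
    """Only the flows a boundary firewall should have dropped."""
    return [r for r in evaluate_flows(log_text) if r[-1] == "violation"]
```

Flows to or from an address outside every planned zone (the last sample line) are deliberately treated as violations rather than ignored, since an unplanned address appearing at a boundary is itself worth investigating.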
Operational Realities and Industrial Constraints
Legacy Device Limitations
Hard-coded IPs/Subnets: Many older PLCs and IEDs use static addressing, often with flat /24 masks regardless of subnetting plans.
L2-Dependent Protocols: PROFINET DCP, some broadcast-based discovery/auto-addressing processes, and certain vendor tooling require intra-VLAN (L2) adjacency.
Minimal Buffering: Some devices cannot ride out the outage that slow routing-protocol convergence causes; aim for routing protocols that converge in seconds, not minutes.
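A subnet-plan check covering both the "prefer /24 or smaller" design rule above and the hard-coded /24 mask problem just described, added here as an example that is not part of the original article. The cell names, subnets and device entries are constructed; a real run would take the planned cells from the design and the device list from the asset inventory.

```python
import ipaddress
# Constructed sample: the planned routed cells (each /24 or smaller, as advised).
PLANNED_CELLS = {
    "cell-a-press": "10.10.1.0/26",
    "cell-b-weld": "10.10.1.64/26",
    "cell-c-paint": "10.10.2.0/24",
}
# Constructed sample: legacy endpoints with their hard-coded address and mask.
LEGACY_DEVICES = [
    {"name": "plc-press-01", "ip": "10.10.1.10", "mask": "255.255.255.192"},
    {"name": "ied-weld-07", "ip": "10.10.1.70", "mask": "255.255.255.0"},
    {"name": "rtu-old-03", "ip": "10.10.9.5", "mask": "255.255.255.0"},
]

def check_plan(cells):
    """Plan-level problems: cells larger than /24 and cells that overlap."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in cells.items()}
    problems = [f"{n}: {net} is larger than /24"
                for n, net in nets.items() if net.prefixlen < 24]
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} overlaps {b}")
    return problems

def check_devices(cells, devices):
    """Per-device verdicts as (name, status, cell). A 'mask-mismatch' device
    believes a different on-link range than the routed cell it sits in, so it
    will ARP directly for peers it should reach through the gateway (or fail
    to reach peers inside its own cell) instead of using the router."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in cells.items()}
    findings = []
    for dev in devices:
        addr = ipaddress.ip_address(dev["ip"])
        cell = next((n for n, net in nets.items() if addr in net), None)
        if cell is None:
            findings.append((dev["name"], "unassigned", None))
            continue
        # The range the device itself considers on-link, from its hard-coded mask.
        believed = ipaddress.ip_interface(f"{dev['ip']}/{dev['mask']}").network
        status = "ok" if believed == nets[cell] else "mask-mismatch"
        findings.append((dev["name"], status, cell))
    return findings

if __name__ == "__main__":
    for problem in check_plan(PLANNED_CELLS):
        print("plan:", problem)
    for name, status, cell in check_devices(PLANNED_CELLS, LEGACY_DEVICES):
        print(f"{name}: {status} ({cell})")
```

Devices reported as "mask-mismatch" or "unassigned" are the candidates for a compatibility zone or for re-addressing before the cell is cut over to routing.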
Strategy for Bridging the Gap
Isolate truly legacy assets into “compatibility zones,” keeping them in their native L2 VLANs as small islands, with L3 boundary controls.
Set a firm policy: All new assets must support IP routing and proper subnet assignment (and document this).
Where L2 protocol traversal across L3 is unavoidable, limit scope and monitor meticulously—avoid turning efficient routers into inefficient bridges.
IT/OT Collaboration: The Cultural and Process Hurdle
Arguably, the technical migration is easier than the collaborative one. Routinely, breakdowns happen not because of ports or protocols, but because of misaligned expectations:
Change Management: OT's requirement for high-availability and minimal downtime demands staged rollouts, testbeds, and “parallel running” periods. IT must adapt its risk tolerance.
Documentation Standards: OT documentation is often tribal and out-of-date. Make network diagrams a living artifact, coupled with asset inventories and logical dependency maps.
Incident Response: Define clear chain-of-command and escalation paths for both IT and OT stakeholders in the case of a connectivity or security incident after migration.
Design Patterns That Work in Critical Industrial Environments
Cell/Zone Segmentation: Carve the plant into logical “cells” (per production line, process, or function). Each cell/zone receives its own IP subnet, with inter-cell routing managed and filtered by firewalls.
Redundant Routing: Deploy dual routers or L3 switches per zone, with dynamic routing (OSPF) and dual uplinks for failover.
DMZs and Conduits: Expose only what’s needed to enterprise/IT-land via strict DMZs (demilitarized zones), with unidirectional data flows where possible (data diodes or application proxies).
Management Out-of-Band: Out-of-band (OOB) management should use a physically or logically isolated network that never crosses IT or OT production paths.
Pitfalls to Avoid
Extending VLANs across Layer 3: It defeats the purpose; do not stretch VLANs through routed cores.
Overreliance on Multicast Routing: Only punch holes for legacy protocols if there is no alternative, and never at the core layer.
NAT (Network Address Translation) Inside the Plant: NAT belongs only at IT/OT or external boundaries. NAT inside a plant obscures troubleshooting and can disrupt deterministic operation.
Unmanaged Routing Tables: Static route sprawl is dangerous in dynamic environments. Prefer structured routing protocols and well-documented policies.
Assuming “Plug and Play” for OT: Industrial asset onboarding is never plug-and-play; each device may have unique quirks. Test before rollout.
Conclusion: A Foundation for the Next Two Decades
Migrating industrial environments from switched to routed architecture delivers measurable improvements in security, scalability, and reliability. But it’s not a panacea: discipline, documentation, and sober trade-offs must anchor each step. Embrace Layer 3 boundaries as both a defensive and operational tool, and recognize that every exception in your segmentation plan is a future troubleshooting ticket.
If you do it right, you’ll have an architecture resilient not only against today’s threats but against the inevitable churn of technologies to come.
Annotation:
Ethernet switching (L2) dates to the 1980s (DEC, IBM, Xerox), and L3 IP routing hit critical mass in enterprise networks with the rise of Cisco IOS and protocol standardization in the 1990s. Industrial environments are, frankly, decades late to this party for justifiable reasons—but those reasons are now secondary to risk and operational stability.