Routed vs. Switched Networks
Manufacturing networks face constant threats, with ransomware being the most dangerous. Once inside, attackers move laterally, stealing or locking up critical data. A network’s real value isn’t just in connecting devices—it’s in stopping that spread. The best approach? Shift from switched to routed networks.
What Is a Routed Network?
A routed network operates at Layer 3, using IP-based routing to move packets between distinct network segments or subnets. Each subnet acts as an independent entity, and traffic flows between them only when explicitly permitted by routing policies and firewall rules. Unlike switched networks, which rely on MAC addresses for local forwarding, routed networks make IP-based decisions to determine traffic flow, ensuring that devices in separate subnets do not communicate unless explicitly allowed.
Firewalls play a critical role in routed networks, functioning as gatekeepers that regulate inter-subnet communication. Administrators can create granular security policies that define exactly how different parts of the network interact. This structure not only enhances security but also improves network monitoring and incident response. Instead of a flat, open environment where any device can communicate freely within the same VLAN, routed networks introduce controlled, structured pathways for traffic, reducing unnecessary exposure.
Segmentation in routed networks helps limit lateral movement, effectively containing security breaches. Studies from organizations like NIST and SANS Institute emphasize network segmentation as a core cybersecurity best practice.
What Is a Switched Network?
A switched network, in contrast, primarily operates at Layer 2, forwarding packets using MAC addresses. Devices are commonly grouped into VLANs to provide logical segmentation. However, VLAN-based segmentation often mirrors asset types instead of defining meaningful security boundaries based on business function.
Switched networks pose a serious security risk. Once an attacker gains access to a VLAN, they can move freely within it, encountering minimal resistance. Securing VLANs properly requires implementing inter-VLAN routing, but many organizations neglect this step due to complexity and maintenance challenges. As a result, VLANs often fail to serve as effective security boundaries.
The Problems with VLAN-Based Segmentation
1. Low Visibility and High Complexity
VLAN configurations often develop without a clear strategy, grouping similar assets rather than aligning with actual business needs. This can make tracking traffic patterns and troubleshooting difficult. Anyone who has dealt with VLAN and Spanning Tree Protocol (STP) issues knows how complex and frustrating they can be.
2. Performance Limitations and Broadcast Storms
Layer 2 networks experience performance degradation as they scale. When a VLAN surpasses 200 devices, broadcast traffic can consume 20–30% of available bandwidth, leading to network congestion and slowdowns.
3. VLANs Don’t Reflect Business Operations
Most VLAN implementations organize devices by type (e.g., all cameras in VLAN 20, all production machines in VLAN 30) rather than by function. This approach complicates access control because communication between VLANs is not designed around real business needs, making it harder to enforce security policies effectively.
4. Inter-VLAN Security Is Difficult to Maintain
For VLAN segmentation to be secure, inter-VLAN communication must be explicitly controlled using firewalls and authentication protocols like 802.1X. These controls are difficult to deploy and maintain in industrial environments, so many organizations leave inter-VLAN communication wide open, which leaves the network flat in effect.
5. Static IPs as Identity
Manufacturing networks often rely on static IPs to identify devices. In such environments, routed networks provide a more straightforward approach to segmentation by enforcing identity and access control at Layer 3.

A More Secure Manufacturing Network Design
To enhance security and scalability, manufacturing sites should adopt routed networks with firewall-enforced segmentation. Consider the following network design for a typical facility:
40 workstations
15 security cameras
20 production machines
10 printers
HVAC control system
Door access system
On-premises ERP system
Rather than grouping these devices into VLANs, implement a routed architecture based on functional security zones:
Perimeter Edge Firewall: This controls inbound and outbound traffic, enforcing global security policies. It should be optimized for handling external threats while maintaining minimal latency.
Internal Security and Routing Layer: This secondary firewall/router is responsible for segmenting internal traffic and ensuring security enforcement within the network.
Defined Security Enclaves:
ERP and Business Systems: Requires high security with limited external access.
Active Directory and Authentication Services: Critical infrastructure with strict access controls.
Core Production Machines: Isolated from general IT systems, segmented into dedicated enclaves.
Door Access, HVAC, Security Cameras and IoT Devices: Restricted, with minimal outbound communication to prevent exploitation.
This approach ensures that only necessary communication occurs between systems, preventing unchecked lateral movement and enhancing overall security.
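The enclave design above comes down to a default-deny policy on the internal firewall/router, with a short list of explicitly permitted flows between functional zones. The following Python model is an added example, not configuration from the original post: it assigns one assumed subnet per enclave (the 10.x.0.0/24 numbers, service ports and enclave names are illustrative assumptions), evaluates whether a given flow would be allowed, and renders the same policy as nftables-style rule lines so the mapping from the table to a real ruleset is visible.

```python
"""Added example: default-deny inter-enclave policy for the sample facility.
Subnet plan, ports and enclave names are assumptions, not the post's own."""
from ipaddress import ip_address, ip_network

# Assumed addressing: one routed subnet per functional security enclave.
ENCLAVES = {
    "workstations": ip_network("10.10.0.0/24"),
    "erp":          ip_network("10.20.0.0/24"),   # ERP and business systems
    "auth":         ip_network("10.30.0.0/24"),   # Active Directory / authentication
    "production":   ip_network("10.40.0.0/24"),   # core production machines
    "building":     ip_network("10.50.0.0/24"),   # door access, HVAC, cameras, IoT
    "printers":     ip_network("10.60.0.0/24"),
}

# Explicit allow list: (source enclave, destination enclave, protocol, dst port).
# Every inter-enclave flow not listed here is dropped (default deny).
ALLOW = [
    ("workstations", "erp",      "tcp", 443),   # ERP web front end
    ("workstations", "auth",     "tcp", 88),    # Kerberos
    ("workstations", "auth",     "tcp", 389),   # LDAP
    ("workstations", "printers", "tcp", 9100),  # raw print
    ("production",   "erp",      "tcp", 443),   # machines report to ERP
    ("production",   "auth",     "tcp", 88),
    ("erp",          "auth",     "tcp", 389),
    # note: the "building" enclave has no outbound entries at all
]

def enclave_of(ip: str):
    """Return the enclave name containing ip, or None if unmanaged address space."""
    addr = ip_address(ip)
    for name, net in ENCLAVES.items():
        if addr in net:
            return name
    return None

def is_allowed(src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """Decide a single flow the way the internal Layer 3 firewall would."""
    src, dst = enclave_of(src_ip), enclave_of(dst_ip)
    if src is None or dst is None:
        return False            # no route for unknown address space
    if src == dst:
        return True             # intra-subnet traffic never reaches the firewall
    return (src, dst, proto, dport) in ALLOW

def evaluate(flows):
    """Map (src, dst, proto, port) tuples to 'accept'/'drop' decisions."""
    return [(f, "accept" if is_allowed(*f) else "drop") for f in flows]

def render_nft():
    """Render the allow list as nftables-style rules, ending in a default drop."""
    lines = []
    for src, dst, proto, dport in ALLOW:
        lines.append(
            f"ip saddr {ENCLAVES[src]} ip daddr {ENCLAVES[dst]} "
            f"{proto} dport {dport} accept"
        )
    lines.append("drop")        # everything else between enclaves is dropped
    return lines

if __name__ == "__main__":
    # Constructed sample flows: two legitimate, two that a flat VLAN would let through.
    sample = [
        ("10.10.0.5", "10.20.0.10", "tcp", 443),   # workstation -> ERP
        ("10.40.0.3", "10.40.0.9",  "tcp", 502),   # machine -> machine, same enclave
        ("10.50.0.7", "10.20.0.10", "tcp", 445),   # camera -> ERP file share
        ("10.10.0.5", "10.40.0.3",  "tcp", 502),   # workstation -> PLC Modbus
    ]
    for flow, verdict in evaluate(sample):
        print(f"{verdict:6} {flow}")
    print("\n".join(render_nft()))
```

The two "drop" verdicts in the sample are exactly the paths that matter for containment: a compromised camera in the building enclave cannot reach ERP, and a phished workstation cannot talk to a production machine, because neither flow appears in the allow list.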
Why Routed Networks Provide Better Security
Stronger Containment of Lateral Movement
Once an attacker gains access to a switched network, lateral movement is often unrestricted. Routed networks, however, control communication between subnets explicitly, significantly reducing an attacker’s ability to spread.
Enhanced Traffic Visibility and Incident Response
By enforcing Layer 3 segmentation, routed networks provide structured, observable traffic flows. IT and security teams can identify anomalies and respond to threats effectively.
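Because every inter-enclave attempt has to cross the internal firewall, its deny log becomes a direct record of lateral-movement attempts. The script below is an added example, not tooling from the original post: it parses constructed firewall log lines (the key=value format, the 10.x.0.0/24 enclave plan and the alert threshold are all assumptions) and reports any source host whose dropped connections fan out across several enclaves, which is the pattern a single compromised device probing the network leaves behind.

```python
"""Added example: flag hosts whose dropped flows touch several enclaves.
Log format, subnet plan and threshold are assumptions; log lines are constructed."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed enclave subnets (same illustrative plan as the design section).
ENCLAVES = {
    "workstations": ip_network("10.10.0.0/24"),
    "erp":          ip_network("10.20.0.0/24"),
    "auth":         ip_network("10.30.0.0/24"),
    "production":   ip_network("10.40.0.0/24"),
    "building":     ip_network("10.50.0.0/24"),
    "printers":     ip_network("10.60.0.0/24"),
}

# Assumed log line shape: "<timestamp> <host> <ACTION> src=.. dst=.. proto=.. dport=.."
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) (?P<action>ACCEPT|DROP) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)

# Constructed sample: one camera probing three enclaves, one workstation
# with a single stray SSH attempt, one legitimate accepted flow, one bad line.
SAMPLE_LOG = """
2024-05-01T03:12:07Z fw-int ACCEPT src=10.10.0.5 dst=10.20.0.10 proto=tcp dport=443
2024-05-01T03:12:09Z fw-int DROP src=10.50.0.7 dst=10.20.0.10 proto=tcp dport=445
2024-05-01T03:12:10Z fw-int DROP src=10.50.0.7 dst=10.30.0.4 proto=tcp dport=389
2024-05-01T03:12:11Z fw-int DROP src=10.50.0.7 dst=10.40.0.3 proto=tcp dport=502
2024-05-01T03:12:12Z fw-int DROP src=10.50.0.7 dst=10.40.0.4 proto=tcp dport=502
2024-05-01T03:15:40Z fw-int DROP src=10.10.0.5 dst=10.60.0.2 proto=tcp dport=22
this line is not a firewall record
""".strip().splitlines()

def enclave_of(ip: str):
    """Return the enclave containing ip, or None for unmanaged address space."""
    addr = ip_address(ip)
    for name, net in ENCLAVES.items():
        if addr in net:
            return name
    return None

def parse(line: str):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec

def find_fanout(lines, min_enclaves: int = 2):
    """Return {src_ip: [enclaves]} for sources whose DROPs span >= min_enclaves zones."""
    touched = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None or rec["action"] != "DROP":
            continue                      # only denied inter-enclave attempts count
        dst_zone = enclave_of(rec["dst"])
        if dst_zone is None or dst_zone == enclave_of(rec["src"]):
            continue
        touched[rec["src"]].add(dst_zone)
    return {src: sorted(zones) for src, zones in touched.items()
            if len(zones) >= min_enclaves}

if __name__ == "__main__":
    for src, zones in find_fanout(SAMPLE_LOG).items():
        print(f"ALERT {src} ({enclave_of(src)}) probed enclaves: {', '.join(zones)}")
```

On the sample, only the camera is reported; the workstation's single denied SSH attempt stays below the threshold and is left for routine review. In a flat VLAN none of these attempts would have produced a log line at all, which is the visibility gain the post describes.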
Easier Security Policy Management
With a routed network, firewall rules dictate inter-segment access, making it easier to enforce security policies at a granular level. VLAN-based security tends to be inconsistently applied and difficult to audit.

The Reality: Defense is about layers
Even with good preventive measures, attackers will eventually find a way inside, whether through misconfiguration, phishing, zero-days, insider threats, or a compromised third-party asset. The objective isn’t just to prevent breaches but to contain them effectively.
Routed networks naturally limit an attacker’s ability to move beyond the initial entry point, significantly improving resilience against modern cyber threats. They are also simpler to implement and manage over time compared to complex VLAN-based segmentation, reducing administrative overhead while maintaining strong security controls.
Transitioning from a switched to a routed network ensures a more secure, scalable, and resilient infrastructure for manufacturing environments. By moving away from VLAN-based segmentation and embracing a business-function-oriented routing strategy, organizations can enforce real security while maintaining operational efficiency.