A network segment is a logically or physically distinct portion of a computer network in which the connected devices share a common addressing or broadcast domain. In most modern IP networks a segment corresponds to a single IP subnet or broadcast domain, separated from other segments by a router or other layer-3 device.
Key characteristics
In industrial and manufacturing environments, a network segment commonly refers to:
- An IP subnet defined by a specific IP address range and subnet mask.
- A group of devices that can communicate at layer 2 without routing, with the boundary usually set by a switch or virtual LAN (VLAN) configuration.
- A portion of the network that can be monitored, rate-limited, or isolated for performance, availability, or security reasons.
Network segments can be created by:
- Physical separation, such as dedicated switches or separate cabling for control systems and business systems.
- Logical separation, such as VLANs, VPNs, or virtual routing instances on shared hardware.
Use in industrial and regulated environments
In regulated manufacturing plants and critical infrastructure, network segments are often used to:
- Separate operational technology (OT) networks from information technology (IT) networks.
- Limit the blast radius of failures or cyber incidents by restricting broadcast domains and traffic paths.
- Apply different firewall rules, access controls, and monitoring to groups of systems (for example, separating MES, ERP, lab systems, and safety systems).
- Support security zoning concepts from standards such as IEC 62443 by providing technical boundaries where policies can be enforced.
Relation to security zones and VLANs
Security zones (such as IEC 62443 zones) are groupings based on function and risk, while network segments are technical constructs in the network design. A zone may span multiple network segments, or several zones may be implemented within a single segment, depending on design choices and legacy constraints. VLANs are one common technology used to create network segments, but a VLAN is not automatically equivalent to a security zone.
What a network segment is not
- It is not, by itself, a complete security control. Additional measures such as firewalls, access control lists, and monitoring are typically required.
- It is not a guarantee of isolation from other segments unless routing and access controls are configured and maintained correctly.
- It is not necessarily tied to a single physical switch or cable; virtualized and software-defined networks can create segments across shared infrastructure.
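The following Python model is an added illustration of two points made above (a zone may span several segments or share one segment with another zone, and a segment by itself enforces nothing); it is not code from this page's source, and its subnets, zone names and permitted-pair policy are constructed examples. It classifies a flow by whether it ever crosses a layer-3 enforcement point at all.

```python
import ipaddress

# Constructed sample design: segments (subnets) and the IEC 62443-style
# zone each is assigned to. Two segments share the "cell" zone; the lab
# segment hosts two zones on one subnet (a legacy constraint).
SEGMENTS = {
    "ot-cell-a": ipaddress.ip_network("10.10.1.0/24"),
    "ot-cell-b": ipaddress.ip_network("10.10.2.0/24"),
    "it-office": ipaddress.ip_network("192.168.50.0/24"),
    "lab-shared": ipaddress.ip_network("10.20.0.0/24"),
}
SEGMENT_ZONE = {"ot-cell-a": "cell", "ot-cell-b": "cell", "it-office": "enterprise"}
# Hosts in the shared lab segment are assigned a zone per host, because the
# subnet alone cannot tell them apart (constructed values).
HOST_ZONE = {"10.20.0.10": "lab", "10.20.0.20": "safety"}

# Constructed firewall policy: (src zone, dst zone) pairs the router/firewall
# is configured to permit. Any other inter-zone pair is expected to be denied.
PERMITTED = {("enterprise", "cell"), ("cell", "cell")}

def segment_of(ip):
    """Name of the segment whose subnet contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None

def zone_of(ip):
    """Zone of a host: per-host mapping first, then the segment's zone."""
    if ip in HOST_ZONE:
        return HOST_ZONE[ip]
    return SEGMENT_ZONE.get(segment_of(ip))

def classify_flow(src, dst):
    """Describe which enforcement point, if any, a src->dst flow passes."""
    s_seg, d_seg = segment_of(src), segment_of(dst)
    s_zone, d_zone = zone_of(src), zone_of(dst)
    if s_seg == d_seg:
        # Same broadcast domain: the traffic never reaches a layer-3 device,
        # so a firewall or ACL on the router cannot see or block it.
        if s_zone != d_zone:
            return "UNENFORCED: zones share a segment, no L3 control point"
        return "intra-segment, same zone"
    if s_zone == d_zone:
        return "routed, same zone"
    if (s_zone, d_zone) in PERMITTED:
        return "routed, inter-zone, permitted by policy"
    return "routed, inter-zone, must be denied by firewall"
```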
Common confusion
- Network segment vs VLAN: A VLAN is a specific method to implement layer-2 segmentation. A network segment is the broader concept, which can be implemented with or without VLANs.
- Network segment vs subnet: In many IP networks these are aligned, but a single subnet can be extended across multiple switches or physical locations, and advanced designs may layer multiple logical constructs on one physical segment.
- Network segment vs security zone: A security zone is defined by risk and policy boundaries. Network segments are one of the technical tools used to implement those boundaries but are not identical to them.