🛰️

Industrial Network Architecture Designer

Purdue / ISA-95 · ISA-99 / IEC 62443 Zones & Conduits

When to use: Use this tool to lay out an OT/ICS network using the Purdue model (ISA-95) and segment it into IEC 62443 zones & conduits. Enter device counts per Purdue level and it assigns one VLAN + RFC 1918 subnet per zone, sizes managed switches (STAR or redundant RING with MRP/RSTP), places OT firewalls and an optional Industrial DMZ (Level 3.5) and data diode, and produces a bill of materials. Apply defense-in-depth: deny-by-default conduits between zones and one-way data flow out of the plant.

Device Counts (per Purdue level)

L0–1 Field + ControllersPLC/RTU/IED + Eth I/O

dev

L2 SupervisoryHMI/SCADA/eng WS

dev

L3 Site Operationshistorian/servers

dev

Remote Sites

sites

Topology & Redundancy

Topology

Uplink / Redundancy

Switch Port Density

Security Level (IEC 62443)

Include IDMZ (L3.5) + Ent.

Data Diode

Purdue Zone Stack

L4 · Enterprise (uplink)VLAN 40

▲ firewall / conduit ▲

L3.5 · Industrial DMZVLAN 35

▲ firewall / conduit ▲

L3 · Site OperationsVLAN 30

▲ uplink ▲

L2 · SupervisoryVLAN 20

▲ uplink ▲

L0–1 · Cell / Area (Field)VLAN 10

Cell/Area & Supervisory rings (MRP/RSTP) · dual uplink

Total Managed Switches

8 plant + 0 remote (0 sites)

Zone / VLAN / Subnet Plan

Zone	Lvl	VLAN	Subnet	Dev	Sw
Cell / Area (Field)	L0–1	10	10.10.0.0/26	24	3
Supervisory	L2	20	10.20.0.0/28	6	2
Site Operations	L3	30	10.30.0.0/29	4	1
Industrial DMZ	L3.5	35	10.35.0.0/29	4	1
Enterprise (uplink)	L4	40	10.40.0.0/29	2	1

Subnet prefix sized for device count + ~30% growth (RFC 1918). One VLAN per IEC 62443 zone.

Boundary / Security Placement

OT Firewall (L3 ⇄ IDMZ)

Stateful inspection, deny-by-default; conduit between Site Ops and IDMZ

IDMZ ⇄ Enterprise Firewall

Or single firewall with dedicated DMZ interface (3-leg)

Bill of Materials

8×

Managed Switch — 16-port (L2/L3 OT, MRP/RSTP)

Ring-capable (MRP <200 ms / RSTP)

1×

OT Firewall (L3 ⇄ IDMZ)

Stateful inspection, deny-by-default; conduit between Site Ops and IDMZ

1×

IDMZ ⇄ Enterprise Firewall

Or single firewall with dedicated DMZ interface (3-leg)

16×

SFP Uplink Module (1G/10G fiber)

2 per switch (redundant uplink)

8×

Fiber Patch (LC-LC, uplink runs)

One duplex pair per uplink path

Standards & References

ISA-95 / Purdue Model — functional levels L0–L4

ISA-99 / IEC 62443 — zones, conduits & security levels (SL 1–4)

IEC 62439-2 (MRP) — media redundancy <200 ms

IEEE 802.1w (RSTP) — rapid spanning tree

RFC 1918 — private IPv4 address space (10.0.0.0/8)

Defense-in-depth — IDMZ (L3.5), deny-by-default, one-way data