VLAN & ACL Configuration: Implementing the 3-Zone Model
This guide provides a step-by-step implementation of VLAN tagging and Access Control List configuration for a three-zone maritime OT model — Bridge, Engine and Cargo — with a governing industrial DMZ.
The 3-Zone Network Segmentation Model is the engineering standard for protecting a vessel’s Essential Services. By establishing firewalled boundaries between Operational Technology (OT), Corporate IT, and Untrusted guest networks, we ensure that a compromise in one zone cannot propagate to critical ship functions.
Critical Limitation: VLANs Are Not a Zone 1 Boundary
VLANs provide logical broadcast domain separation at Layer 2 only. They do not inspect packets, enforce stateful policy, or satisfy the conduit requirement under IACS UR E26 §4.2.1.1 and IEC 62443-3-3 SR 5.1. VLAN tagging in this guide applies to internal Zone 2 separation (admin vs. crew vs. guest) and to organising traffic before the firewall. The boundary between Zone 1 (OT Essential Services) and all other zones must always be enforced by a routed stateful firewall interface — never by the switch alone. Step 2 below is mandatory, not optional.
Step 1: Logical Isolation via VLAN Tagging
The first step is to logically segment the physical switch fabric into three distinct broadcast domains. This prevents “flat network” risks where a single infected device can see the entire vessel’s traffic.
Step 2: The Firewall as the “Conduit” Enforcer — Mandatory
This step is not optional. Without it, the VLAN configuration above provides no meaningful Zone 1 protection.
In accordance with IEC 62443 and IACS UR E26 §4.2.1.1, traffic between zones must pass through a secure conduit — a stateful firewall performing full packet inspection. All inter-VLAN routing must be disabled on the switches and handled exclusively by the firewall (Router-on-a-Stick or multi-interface). If a managed switch is performing inter-VLAN routing, your Zone 1 boundary does not exist in any meaningful security sense — an attacker on VLAN 20 can reach VLAN 10 through the switch fabric. The firewall is the conduit. The switch is only the cable organiser.
Step 3: Access Control List (ACL) Strategy
The following technical ruleset translates high-level policies into a granular firewall configuration, specifically designed for IACS UR E26 compliance by brokering all essential services through the iDMZ:
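To make Steps 1 to 3 concrete, here is an added example that is not part of the original guide: a small Python model of the design that holds the VLAN-to-zone plan (Step 1), decides whether a packet reaches the firewall or is short-circuited by a switch doing inter-VLAN routing (Step 2), and evaluates a first-match conduit ACL together with an audit that flags any permit into Zone 1 from outside the iDMZ (Step 3). The VLAN ids, subnets, zone names, the Rule structure and the service ports (4840, 443, 502) are assumptions chosen for illustration, not values from the page or from any vendor's configuration syntax.

```python
"""Zone-policy model for the 3-zone VLAN/firewall design.
Added example, not from the original guide. VLAN ids, subnets, zone names
and service ports are assumptions chosen for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Step 1 (assumed VLAN plan): VLAN id -> (zone name, subnet).
# Zone 1 is OT Essential Services, Zone 2 is split into admin/crew/guest,
# IDMZ is the industrial DMZ that brokers every essential service.
VLANS = {
    10: ("ZONE1_BRIDGE", "10.10.0.0/24"),
    11: ("ZONE1_ENGINE", "10.11.0.0/24"),
    12: ("ZONE1_CARGO",  "10.12.0.0/24"),
    50: ("IDMZ",         "10.50.0.0/24"),
    20: ("ZONE2_ADMIN",  "10.20.0.0/24"),
    30: ("ZONE2_CREW",   "10.30.0.0/24"),
    40: ("ZONE2_GUEST",  "10.40.0.0/24"),
}
ZONE1 = {name for name, _ in VLANS.values() if name.startswith("ZONE1")}


def vlan_of(ip: str) -> int:
    """Return the VLAN whose subnet contains ip (subnets are disjoint)."""
    addr = ip_address(ip)
    for vid, (_, net) in VLANS.items():
        if addr in ip_network(net):
            return vid
    raise ValueError(f"{ip} is not inside any configured VLAN subnet")


def zone_of(ip: str) -> str:
    return VLANS[vlan_of(ip)][0]


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # zone name or "ANY"
    dst: str               # zone name or "ANY"
    proto: str             # "tcp", "udp" or "ANY"
    dport: Optional[int]   # None matches any destination port

    def matches(self, src_zone: str, dst_zone: str, proto: str, dport: int) -> bool:
        return (self.src in ("ANY", src_zone)
                and self.dst in ("ANY", dst_zone)
                and self.proto in ("ANY", proto)
                and self.dport in (None, dport))


# Step 3 (assumed conduit ACL): first match wins, last rule is the default deny.
# No rule lets Zone 2 reach Zone 1 directly: every exchange terminates in the iDMZ.
ACL: List[Rule] = [
    Rule("permit", "ZONE1_BRIDGE", "IDMZ", "tcp", 4840),  # OPC UA publish to broker (assumed port)
    Rule("permit", "ZONE1_ENGINE", "IDMZ", "tcp", 4840),
    Rule("permit", "ZONE1_CARGO",  "IDMZ", "tcp", 4840),
    Rule("permit", "ZONE2_ADMIN",  "IDMZ", "tcp", 443),   # admin reads the broker over HTTPS
    Rule("deny",   "ANY",          "ANY",  "ANY", None),  # default deny
]


def conduit_decision(acl: List[Rule], src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """Evaluate one flow against the firewall conduit's first-match ACL."""
    s, d = zone_of(src_ip), zone_of(dst_ip)
    for rule in acl:
        if rule.matches(s, d, proto, dport):
            return rule.action
    return "deny"  # nothing matched: implicit deny


def flow_allowed(src_ip: str, dst_ip: str, proto: str, dport: int,
                 switch_routes: bool = False, acl: List[Rule] = ACL) -> bool:
    """Step 2: where can the packet go?
    Same VLAN: the switch forwards at Layer 2, no policy applies.
    Different VLANs, switch_routes=True: the switch routes it and the firewall
    never sees it (the Zone 1 boundary no longer exists).
    Different VLANs, switch_routes=False: only the conduit ACL can permit it."""
    if vlan_of(src_ip) == vlan_of(dst_ip):
        return True
    if switch_routes:
        return True
    return conduit_decision(acl, src_ip, dst_ip, proto, dport) == "permit"


def zone1_ingress_from_outside(acl: List[Rule]) -> List[Rule]:
    """Audit: permits into Zone 1 whose source is neither the iDMZ nor Zone 1."""
    return [r for r in acl
            if r.action == "permit"
            and (r.dst in ZONE1 or r.dst == "ANY")
            and r.src != "IDMZ" and r.src not in ZONE1]


if __name__ == "__main__":
    # Constructed flows: a crew laptop towards the bridge OT subnet, with and
    # without the switch routing between VLANs, then the sanctioned broker path.
    print("crew -> bridge via conduit   :", flow_allowed("10.30.0.8", "10.10.0.7", "tcp", 502))
    print("crew -> bridge, switch routes:", flow_allowed("10.30.0.8", "10.10.0.7", "tcp", 502, switch_routes=True))
    print("bridge -> iDMZ broker, OPC UA:", flow_allowed("10.10.0.7", "10.50.0.10", "tcp", 4840))
    print("Zone 1 permits from outside  :", zone1_ingress_from_outside(ACL))
```

Running the script shows the point of Step 2 directly: with `switch_routes=True` the ACL is never consulted and the crew VLAN reaches the bridge subnet, while with routing confined to the firewall the same flow is denied and only the sanctioned Zone 1 to iDMZ exchanges pass. The `zone1_ingress_from_outside` audit is the kind of check to run on a proposed ruleset under change control before it is pushed to the firewall; any rule it returns is a direct Zone 2 to Zone 1 path that bypasses the broker.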
Before finalising your VLAN design, map your CBS topology and check whether your segmentation holds up against E26/E27 requirements. The CBS Risk Assessor specifically assesses whether VLAN-only boundaries constitute adequate zone separation, or whether a routed firewall interface is required.
This playbook satisfies the specific regulatory requirements referenced here; use these references when preparing for Class survey or responding to a surveyor's checklist.
