Independent LAN: Private cellular network with masked IP architecture

What is the preferred architecture for private cellular networks?

By Or Turgeman, OneLayer Co-Founder & VP R&D

A tale of two networks: Which is the preferred private network architecture?

More and more enterprises today are implementing private 5G and LTE networks alongside their existing IT and OT networks in order to realize tremendous business value. If the private cellular network is intended to interact with the other enterprise networks (as is usually the case), a decision must be made regarding network architecture.

There are two primary approaches to private cellular network architecture in this situation: one is to treat it as a LAN extension; the other is to treat it as an independent LAN.

The LAN extension approach aims to make the cellular network similar in structure to other enterprise LANs by “flattening the network.” In a flat architecture, all devices are connected to a single network segment without any hierarchy or central control. Flat architecture removes networking boundaries and, by doing so, disregards cellular architecture best practices. LAN extension is most relevant for small-scale networks, similar to Wi-Fi.

The second approach focuses on high-security hygiene and survivability, following the telecom industry’s highest standards for cellular networks, creating an independent LAN. This approach better fits bigger networks with hundreds or thousands of devices.

In this blog post, we will uncover context-sensitive pros and cons of each network architecture style and discuss which use case each better addresses.

LAN Extension: Private cellular network with flat architecture

Diagram 1: LAN Extension / Flat network architecture

In a LAN extension-style network, priority is put on simplicity and direct connections. No NAT (Network Address Translation) effect is applied at the edge of the packet core gateway. Each cellular device’s IP is allocated by a centralized DHCP server hosted on the enterprise domain.

Often there will be devices in the cellular network that connect via cellular routers due to a lack of built-in cellular connectivity. The IPs for these devices may be directly allocated by the DHCP server using IP passthrough.

Flat architecture possesses the pros of easy management and low operational overhead. It also often makes it easier to accomplish integrations with external tools on the IT and enterprise side.

When it comes to security, however, flat architecture is severely lacking. Because IPs are assigned directly, with no NAT effect at the network boundary, an attacker on the enterprise network can reach the cellular assets directly. Because devices are easily discoverable, east-west movement between cellular assets is attainable using simple adversarial methodologies.

LAN extension architecture might suit the use case of a small-scale network where easy deployment and low operational support are a priority. It is not suitable for most Factory 4.0 use cases or in cases where critical assets are connected to the network. Flat architecture degrades the cellular network’s most important security features. If you do decide to use this type of architecture, it is extremely important to utilize an external security and management platform like OneLayer Bridge to ensure high enterprise security standards.

Independent LAN: Private cellular network with masked IP architecture

Diagram 2: Independent LAN / Masked IP network architecture

A private cellular network that is treated as an independent LAN is configured with a NAT effect to seamlessly translate cellular network devices’ internal IPs (granted by the cellular packet core) to external IPs whenever they want to access the external network. No IP passthrough is configured for cellular routers. If an external application requires direct inbound access to a device in the private cellular network, secured NAT pinholing is employed.

In a masked IP architecture, the masking provided at the network boundary by the NAT effect makes it almost impossible for a bad actor to gain access to cellular assets from the IT or enterprise network, or to eavesdrop on the network and track IP sessions in real time.

Clearly, the security posture of this network is much better by design, making it very hard for a threat actor to gain access to or manipulate any cellular asset data or data in transit.
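The difference between the two boundary designs, as an added example that is not part of the original post and not OneLayer code: a small Python model of the packet core gateway that can run in flat mode (no NAT effect) or masked mode (NAT with dynamic translations and administrator-configured pinholes). The addresses, port numbers and device names are constructed; the enterprise LAN, cellular address range and gateway IP are assumptions, not values from the post. The model shows why unsolicited traffic from the enterprise side reaches a cellular device only in the flat design, why the device's internal IP is visible on the enterprise side only in the flat design, and how a pinhole serves the one application that genuinely needs inbound access.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed addressing (assumption, not from the post): the packet core hands UEs
# addresses in 10.20.0.0/16, the enterprise LAN is 192.168.50.0/24, and the gateway's
# enterprise-facing IP is 192.168.50.1.
CELLULAR_PREFIX = "10.20."
GATEWAY_EXT_IP = "192.168.50.1"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class CoreGateway:
    """Boundary between the cellular packet core and the enterprise LAN.

    nat=False models the LAN-extension (flat) design: packets cross unchanged.
    nat=True models the independent-LAN (masked IP) design: UE sources are
    rewritten to the gateway IP on the way out, and inbound packets are only
    delivered when they match a live translation or an explicit pinhole.
    """
    external_ip: str
    nat: bool
    next_port: int = 40000
    # external port -> (UE ip, UE port); filled by outbound sessions or by add_pinhole()
    translations: Dict[int, Tuple[str, int]] = field(default_factory=dict)
    reverse: Dict[Tuple[str, int], int] = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """UE -> enterprise direction."""
        if not self.nat:
            return pkt  # flat: the UE's internal IP is visible on the enterprise LAN
        key = (pkt.src, pkt.sport)
        if key not in self.reverse:
            ext_port = self.next_port
            self.next_port += 1
            self.translations[ext_port] = key
            self.reverse[key] = ext_port
        return Packet(self.external_ip, self.reverse[key], pkt.dst, pkt.dport)

    def add_pinhole(self, ext_port: int, ue_ip: str, ue_port: int) -> None:
        """Administrator-configured inbound mapping for one application that needs direct access."""
        self.translations[ext_port] = (ue_ip, ue_port)
        self.reverse[(ue_ip, ue_port)] = ext_port

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Enterprise -> UE direction. Returns the packet as delivered, or None if dropped."""
        if not self.nat:
            return pkt  # flat: any enterprise host can address any UE by its real IP
        if pkt.dst != self.external_ip:
            return None  # internal UE addresses are not routable from the enterprise side
        mapping = self.translations.get(pkt.dport)
        if mapping is None:
            return None  # no session and no pinhole: unsolicited inbound traffic is dropped
        ue_ip, ue_port = mapping
        return Packet(pkt.src, pkt.sport, ue_ip, ue_port)


def compare_designs() -> Dict[str, bool]:
    """Run the same traffic through both designs and report what each lets through."""
    ue_ip, ue_port = "10.20.0.7", 8080
    enterprise_host, app_server = "192.168.50.10", "192.168.50.20"
    unsolicited = Packet(enterprise_host, 5555, ue_ip, ue_port)
    results: Dict[str, bool] = {}

    flat = CoreGateway(external_ip=GATEWAY_EXT_IP, nat=False)
    results["flat_unsolicited_reaches_ue"] = flat.inbound(unsolicited) is not None
    results["flat_ue_ip_exposed"] = flat.outbound(
        Packet(ue_ip, 5001, app_server, 443)).src.startswith(CELLULAR_PREFIX)

    masked = CoreGateway(external_ip=GATEWAY_EXT_IP, nat=True)
    results["masked_unsolicited_dropped"] = masked.inbound(unsolicited) is None
    out = masked.outbound(Packet(ue_ip, 5001, app_server, 443))
    results["masked_ue_ip_hidden"] = out.src == GATEWAY_EXT_IP
    # The reply to a UE-initiated session still gets back to the UE through the translation.
    reply = masked.inbound(Packet(app_server, 443, GATEWAY_EXT_IP, out.sport))
    results["masked_reply_delivered"] = (
        reply is not None and reply.dst == ue_ip and reply.dport == 5001)
    # The one legitimate inbound need is served by an explicit, auditable pinhole.
    masked.add_pinhole(8443, ue_ip, ue_port)
    via_pinhole = masked.inbound(Packet(enterprise_host, 5555, GATEWAY_EXT_IP, 8443))
    results["masked_pinhole_reaches_ue"] = via_pinhole is not None and via_pinhole.dst == ue_ip
    return results


if __name__ == "__main__":
    for name, ok in compare_designs().items():
        print(f"{name}: {ok}")
```

Every entry in the returned dictionary is True, which is the point: in the flat design the unsolicited packet is delivered and the UE's 10.20.x.x address leaks into the enterprise LAN, while in the masked design only replies to UE-initiated sessions and traffic to an explicitly configured pinhole ever reach a cellular device. Each pinhole is a deliberate, reviewable exception, which is what makes inbound access in the masked design auditable.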

The security benefits, however, come at the cost of added complexity in network management and operability. Visibility suffers: attaining a full end-to-end understanding of the network life cycle requires tracking and correlating asset identities (e.g. IMSI, IMEI, ICCID, IP, MAC) in real time. Integrations with external tools on the IT and enterprise side can also be more complex to manage, since identities change frequently and there is no direct IP connectivity between the cellular network and the IT or enterprise network to keep network identities up to date.

A masked IP architecture is best for use cases of large-scale networks where dedicated operational support and manpower are available. Security standards are high by design in masked IP architecture, allowing for the connectivity of critical assets with peace of mind.

Since the downsides of asset visibility, management and orchestration will be exacerbated by increasing network size, this use case calls for a private cellular network operations management platform, such as OneLayer Bridge.

OneLayer Bridge creates a digital twin for the cellular network, tracking its operation in real time, from big-picture overview to detailed device granularity. This complete visibility of the cellular network and cellular network devices – even when they cross networks – enables a host of critical security and operational capabilities. Among the capabilities OneLayer Bridge provides are Zero Trust segmentation, tracking individual devices behind cellular routers, policy creation, anomaly detection, alerting and integrations with external tools such as firewalls, NACs and CMDBs.

Which do you choose?

LAN extension or independent LAN? Flat network architecture or masked IP? Prioritize simplicity or security?

What thoughts can you add about how to pick the correct private network architecture in a given use case – and how to compensate for its inevitable downsides? We look forward to your insights in the comments below.

To learn more about how OneLayer can transform your private cellular management – no matter which network architecture you choose – visit
