https://applied-ee.github.io/embedded/docs/iot-systems/network-architecture/Recent content in Network Architecture on Embedded Systems DevelopmentHugoen-ushttps://applied-ee.github.io/embedded/docs/iot-systems/network-architecture/vlan-segmentation/Mon, 01 Jan 0001 00:00:00 +0000https://applied-ee.github.io/embedded/docs/iot-systems/network-architecture/vlan-segmentation/<h1 id="vlan-segmentation">VLAN Segmentation<a class="anchor" href="#vlan-segmentation">#</a></h1> <p>Virtual LANs (VLANs) partition a single physical network into multiple isolated broadcast domains at Layer 2. For IoT deployments, VLAN segmentation is the primary mechanism for keeping device traffic separate from enterprise systems, guest networks, and management infrastructure. Without segmentation, every device on the network shares a single broadcast domain — a compromised temperature sensor can ARP-scan the entire subnet and reach file servers, printers, and databases. IEEE 802.1Q is the standard that makes this isolation possible by inserting a 4-byte tag into Ethernet frames to identify which VLAN each frame belongs to.</p>https://applied-ee.github.io/embedded/docs/iot-systems/network-architecture/firewall-and-acls/Mon, 01 Jan 0001 00:00:00 +0000https://applied-ee.github.io/embedded/docs/iot-systems/network-architecture/firewall-and-acls/<h1 id="firewalls--acls">Firewalls &amp; ACLs<a class="anchor" href="#firewalls--acls">#</a></h1> <p>VLAN segmentation isolates IoT traffic at Layer 2, but without Layer 3 and Layer 4 enforcement, any device that can route between VLANs has unrestricted access. Firewalls and Access Control Lists (ACLs) enforce what traffic is permitted between IoT subnets, the enterprise network, the internet, and cloud services. The fundamental principle for IoT network security is deny-by-default: no traffic flows between VLANs unless an explicit rule permits it. This inverts the typical enterprise approach where internal networks are broadly trusted, because IoT devices — running firmware that may be months behind on patches, with limited TLS capability, and often deployed in physically accessible locations — represent a fundamentally different threat profile than managed workstations.</p>https://applied-ee.github.io/embedded/docs/iot-systems/network-architecture/edge-gateway-topologies/Mon, 01 Jan 0001 00:00:00 +0000https://applied-ee.github.io/embedded/docs/iot-systems/network-architecture/edge-gateway-topologies/<h1 id="edge-gateway-topologies">Edge Gateway Topologies<a class="anchor" href="#edge-gateway-topologies">#</a></h1> <p>An edge gateway sits between field-level IoT devices and upstream infrastructure — cloud platforms, on-premises servers, or enterprise networks. The gateway performs protocol translation (converting BLE, Zigbee, or Modbus into MQTT or HTTPS), aggregates data from multiple devices, applies local logic, and manages the upstream connection. Gateway topology — where gateways are placed, how many are deployed, and what role each one plays — determines the fault tolerance, latency, bandwidth consumption, and operational complexity of the entire IoT system. A poor topology choice shows up as single points of failure, data gaps during connectivity loss, or gateways that become bottlenecks as the device count grows.</p>