A technically rigorous reference for private 5G network architecture — covering the 5G NR radio layer, CU/DU functional split, O-RAN disaggregation, 5G Core service-based architecture, network slicing design, UPF placement for local breakout, and the deployment models that determine how all of these components are assembled for industrial and enterprise environments.
A private 5G network has three functional layers, each with its own hardware, software, and design decisions. The interface between layers — fronthaul, midhaul, backhaul — is as important to performance as the layers themselves.
The RAN is the wireless infrastructure — the base stations that communicate with devices over the air. In 5G NR, the base station is called a gNB (next-generation Node B). Unlike LTE's eNB, the gNB in 5G is functionally split into two components that can be physically co-located or separated across the network.
The Central Unit (CU) handles the higher protocol stack layers: PDCP (Packet Data Convergence Protocol) and RRC (Radio Resource Control). The CU can be centralized — one CU serving multiple DUs across a large site.
The Distributed Unit (DU) handles the lower protocol stack layers: RLC, MAC, and Layer 1 (physical layer). The DU is physically co-located with the radio hardware at each antenna site.
The Radio Unit (RU) is the antenna and RF hardware. In O-RAN architecture, the RU is further disaggregated from the DU, communicating via the O-RAN fronthaul (eCPRI). The RU handles the physical radio: transmit/receive chains, A/D conversion, and application of beamforming weights.
O-RAN (Open Radio Access Network) defines open interfaces between RU, DU, and CU, enabling multi-vendor deployments. A Nokia CU can work with a Baicells DU and a third-party RU — in theory. In practice, interoperability testing is essential.
The F1 interface between CU and DU, and the eCPRI fronthaul between DU and RU, are latency-sensitive. eCPRI fronthaul typically requires round-trip latency under 100μs and dedicated fibre — shared Ethernet is not suitable. For large industrial sites where the CU is centralized and DUs are distributed, the fronthaul fibre network is a critical design element that affects both cost and coverage architecture.
The 5G Core is a fundamental architectural departure from the LTE Evolved Packet Core (EPC). Where EPC uses monolithic, tightly coupled network functions, the 5GC uses a Service-Based Architecture (SBA) — each network function exposes REST APIs and communicates with others via a Service-Based Interface (SBI) over HTTP/2. This enables cloud-native deployment, independent scaling of individual functions, and flexible composition of network services.
The Access and Mobility Management Function (AMF) handles device registration, authentication (with AUSF), connection management, and mobility. The AMF is the N2 interface termination point for the RAN. In a private network, the AMF controls which devices can connect and which network slice they are assigned to.
The Session Management Function (SMF) manages the PDU (Protocol Data Unit) session lifecycle — creation, modification, deletion. The SMF selects and configures the UPF for each session, applies QoS rules, and manages IP address allocation. It controls how data flows through the network.
The User Plane Function (UPF) is the data plane workhorse. It routes user data between the RAN and the data network (OT systems, internet, or both). The UPF's placement is the most consequential architectural decision for latency and data sovereignty — a local UPF on-site keeps all OT traffic within the operational perimeter.
The Unified Data Management (UDM) function is the subscriber database. It stores SIM/eSIM profiles, authentication credentials, and subscription data (which network slices a device can access, what QoS it's entitled to). It replaces the LTE HSS. For private networks, the UDM stores all device profiles provisioned by the operator.
The Policy Control Function (PCF) defines and enforces policy rules — QoS parameters per slice, per application, per device category. The PCF communicates policy to the SMF, which applies it via the UPF. This is where the QoS 5QI values are configured per network slice.
The Network Slice Selection Function (NSSF) selects the appropriate network slice(s) for a connecting device based on its subscription profile and requested slice type. In a multi-slice industrial deployment, the NSSF routes an AMR to the URLLC slice and a staff smartphone to the general operations slice automatically.
Network slicing is the defining feature of 5G Core that does not exist in LTE. A slice is a logically isolated end-to-end virtual network — its own RAN resources, its own UPF, its own QoS policies, its own security domain — running over shared physical infrastructure. The 3GPP defines three standardized slice types:
URLLC: Ultra-Reliable Low-Latency Communication. <1ms latency, 99.9999% reliability. For industrial automation: AMR control, SCADA, safety-critical systems. Requires dedicated radio resources and a local UPF; it cannot share resources with eMBB traffic without hard slice boundaries.
eMBB: Enhanced Mobile Broadband. High throughput, moderate latency. For surveillance video, AR/VR, staff communications, remote equipment operation. Most of the 5G NR spectral efficiency gains (Massive MIMO, beamforming) primarily benefit eMBB slice performance.
mMTC: Massive Machine-Type Communication. Very high device density, low data rate, low power. For IIoT sensors, predictive maintenance, asset tracking. Implemented via eMTC (LTE-M) and NB-IoT modes within 5G NR. Battery life measured in years.
True slice isolation in the data plane requires a separate UPF instance per slice, or strict traffic isolation within a shared UPF. For OT environments, the URLLC/OT slice must have its own UPF that never routes traffic to the public internet. The eMBB/IT slice can share a UPF with internet access. The PCF enforces these boundaries; the NSSF ensures devices are placed on the correct slice at attach time.
Where the UPF runs determines where data is processed. This is the most architecturally significant decision for industrial private 5G deployments.
| UPF Placement | Latency | Data Sovereignty | Best For |
|---|---|---|---|
| On-premises (same server as AMF/SMF) | Lowest (<1ms local processing) | Complete — data never leaves site | OT/SCADA, URLLC, security-sensitive deployments |
| Edge node (dedicated edge server) | Very low (<5ms) | Data stays on-site or in a defined edge zone | Multi-site deployments, MEC workloads |
| Regional data centre | Low–medium (10–30ms) | Data in operator-controlled DC, not public cloud | Enterprise campus with DC-based IT infrastructure |
| Cloud-hosted | Medium–high (30–100ms+) | Data transits the WAN and is handled by the carrier or cloud provider | Non-critical applications, cost-sensitive deployments |
For any industrial deployment with OT systems (SCADA, PLCs, RTUs), the UPF must be on-premises. This ensures that control traffic never leaves the operational perimeter, that the local industrial network is accessible even during WAN outages, and that the latency budget for control loops is not consumed by WAN round-trips.
The components above can be assembled in several deployment patterns. The right model depends on site complexity, existing infrastructure, budget, and internal operational capability.
Full 5GC (AMF, SMF, UPF, UDM, PCF) and all RAN components deployed on-site. Maximum control, minimum external dependency. Requires on-premises server hardware and internal or contracted management capability. Standard for mining, utilities, and high-security environments.
AMF and SMF hosted in a cloud or regional DC; UPF deployed on-premises for local data breakout. Control plane decisions are made remotely, but user plane traffic stays local. Reduces on-premises hardware cost while preserving OT data sovereignty. Requires reliable backhaul for control plane.
The vendor manages all core and potentially RAN infrastructure. The operator accesses the private 5G service via a management portal. CapEx becomes OpEx. Suitable for organisations without internal wireless engineering capability. Celona, Nokia, and Ericsson offer Network-as-a-Service (NaaS) models.
Multiple sites each have local UPFs, sharing a centralized 5GC control plane. Devices roaming between sites maintain session continuity. Complex to design; significant operational benefit for utilities, transportation, or mining companies with multiple sites requiring integrated network management.
For industrial deployments, the private 5G network must integrate with existing Operational Technology (OT) infrastructure — SCADA systems, historian servers, PLCs, distributed control systems (DCS), and safety systems. This integration has security and protocol implications that must be addressed in the network design.
Traditional industrial security architecture follows the Purdue Model — a hierarchical segmentation that keeps OT networks (Level 0–3) isolated from IT networks (Level 4–5) via a DMZ. Private 5G introduces a new wireless layer that must be integrated into this model without collapsing the security boundaries.
The recommended approach: the URLLC network slice functions as a virtual Level 2/3 network segment, with the UPF acting as a secure gateway between 5G-connected OT devices and the existing OT network. The eMBB/IT slice has a completely separate data path via a different UPF, maintaining the IT/OT separation at the network core level.
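An added example (not from the original page) that turns the isolation rules stated above into an automated check: an OT slice must not share its UPF with a non-OT slice, that UPF must be on-premises, and it must carry no route to the public internet. The slice names, UPF names, placements and prefixes are constructed, and treating any route outside the RFC 1918 ranges as "public internet" is an assumption of this example.

```python
import ipaddress

# Standard Slice/Service Type (SST) values from 3GPP TS 23.501.
SST_EMBB, SST_URLLC, SST_MIOT = 1, 2, 3

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample deployment: all names, placements and prefixes are hypothetical.
SLICES = [
    {"name": "ot-control",   "sst": SST_URLLC, "ot": True,  "upf": "upf-ot"},
    {"name": "it-general",   "sst": SST_EMBB,  "ot": False, "upf": "upf-it"},
    {"name": "iiot-sensors", "sst": SST_MIOT,  "ot": True,  "upf": "upf-it"},
]
UPFS = {
    "upf-ot": {"placement": "on-premises", "routes": ["10.20.0.0/16"]},
    "upf-it": {"placement": "regional-dc", "routes": ["10.50.0.0/16", "0.0.0.0/0"]},
}

def reaches_internet(routes):
    """True if any route covers address space outside the RFC 1918 ranges."""
    return any(
        not any(ipaddress.ip_network(r).subnet_of(p) for p in RFC1918)
        for r in routes
    )

def audit(slices, upfs):
    """Return (slice_name, finding) tuples for every OT slice that breaks a rule."""
    findings = []
    for s in slices:
        if not s["ot"]:
            continue
        upf = upfs[s["upf"]]
        # Rule 1: the OT slice's UPF must not also carry a non-OT slice.
        if any(o["upf"] == s["upf"] and not o["ot"] for o in slices):
            findings.append((s["name"], "SHARED_UPF"))
        # Rule 2: the UPF serving OT systems must be on-premises.
        if upf["placement"] != "on-premises":
            findings.append((s["name"], "UPF_OFF_SITE"))
        # Rule 3: the OT UPF must never route to the public internet.
        if reaches_internet(upf["routes"]):
            findings.append((s["name"], "INTERNET_ROUTE"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(SLICES, UPFS):
        print(f"{name}: {finding}")
```

In the sample, the sensor slice is flagged three times because it was attached to the IT slice's UPF; the control slice passes.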
Protocol translation — DNP3, IEC 61850 GOOSE/MMS, Modbus TCP — must be addressed either at the edge compute layer or within the existing OT infrastructure. Private 5G transports the protocols; it does not translate them.