VLAN ESSENTIALS

Recently, just out of curiosity, I’ve asked a number of controls people about VLANs. The responses are interesting. It’s gone all the way from “never used them / never heard of anyone using them” to “critical to our networking strategy.” I was really surprised by the range of answers I received to what I thought was a simple question.

For those new to the term, VLAN is short for Virtual LAN. It’s a mechanism built into network switches and routers that confines the traffic of a group of devices to those devices, even when they sit on different physical network segments. To the devices, traffic looks very much as it would if they were all on the same physical segment. Switches and routers insert a VLAN tag into the frame header to mark messages as VLAN traffic, and they deliver those frames only to the ports where the VLAN’s devices are located.

There are myriad ways that network equipment implements a VLAN. A “static” implementation is one in which certain ports of the switch or router are assigned to the VLAN; any device plugged into one of those ports becomes part of the VLAN. “Dynamic” implementations assign membership based on some characteristic of the device itself (its MAC address, for example) rather than the port it is plugged into.

People tell me that they use VLANs to improve network performance or to segment traffic that they don’t want mixed with other traffic. For example, some networks have a VLAN where guest traffic resides. That traffic can’t (hopefully) mix with traffic from other devices, and an intruder on the guest VLAN would be restricted from seeing traffic on other VLANs, so it adds a measure of security to your network implementation. VLANs also help organize a manufacturing network: you can put all your EtherNet/IP or Profinet IO devices on a VLAN to logically group them and provide some measure of additional protection to that traffic.
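The three paragraphs above describe the tag mechanism, static versus dynamic membership, and the isolation that results. The following is an added example, not code from the original post: it parses the 802.1Q tag out of constructed Ethernet frames (the tag sits in the Ethernet header between the source MAC and the EtherType, not in the IP header) and models a small switch whose forwarding decision only ever floods a frame to ports in the same VLAN. The topology, MAC addresses and the MAC-to-VLAN table are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag follows


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vlan_id: Optional[int]  # None when the frame carries no tag
    pcp: int                # 802.1p priority bits from the tag (0 if untagged)
    ethertype: int
    payload: bytes


def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet II frame and extract the 802.1Q tag if present.

    Tag layout: 2 bytes TPID (0x8100) + 2 bytes TCI (3 bits PCP, 1 bit DEI,
    12 bits VLAN ID), inserted between the source MAC and the real EtherType.
    """
    if len(raw) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = raw[0:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    offset, vlan_id, pcp = 14, None, 0
    if ethertype == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("frame truncated inside the 802.1Q tag")
        (tci,) = struct.unpack("!H", raw[14:16])
        pcp = tci >> 13
        vlan_id = tci & 0x0FFF
        (ethertype,) = struct.unpack("!H", raw[16:18])
        offset = 18
    return Frame(dst, src, vlan_id, pcp, ethertype, raw[offset:])


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None, pcp: int = 0) -> bytes:
    """Inverse of parse_frame; used here only to construct sample frames."""
    header = dst + src
    if vlan_id is not None:
        if not 0 <= vlan_id <= 4095:
            raise ValueError("VLAN ID is a 12-bit field")
        header += struct.pack("!HH", TPID_8021Q, (pcp << 13) | vlan_id)
    return header + struct.pack("!H", ethertype) + payload


class VlanSwitch:
    """Toy VLAN-aware switch: static (port) and dynamic (MAC) membership,
    trunk ports that carry every VLAN, flood-within-VLAN forwarding, no MAC learning."""

    def __init__(self, port_vlan: Dict[int, int],
                 mac_vlan: Optional[Dict[bytes, int]] = None,
                 trunk_ports: Set[int] = frozenset()):
        self.port_vlan = dict(port_vlan)      # access port -> VLAN ID (static)
        self.mac_vlan = dict(mac_vlan or {})  # source MAC -> VLAN ID (dynamic)
        self.trunk_ports = set(trunk_ports)

    def classify(self, ingress_port: int, frame: Frame) -> int:
        """Decide which VLAN a frame belongs to from where and from whom it arrived."""
        if ingress_port in self.trunk_ports:
            if frame.vlan_id is None:
                raise ValueError("untagged frame on a trunk port")
            return frame.vlan_id
        # Dynamic rule: a known device carries its VLAN with it, whatever port it uses.
        if frame.src in self.mac_vlan:
            return self.mac_vlan[frame.src]
        # Static rule: the access port's configured VLAN decides. Any tag the end
        # device put on the frame is ignored; the switch config owns membership.
        return self.port_vlan[ingress_port]

    def forward(self, ingress_port: int, raw: bytes) -> Tuple[int, List[int]]:
        """Return (vlan, egress ports). Ports in other VLANs never receive the frame."""
        vlan = self.classify(ingress_port, parse_frame(raw))
        out = {p for p, v in self.port_vlan.items() if v == vlan} | self.trunk_ports
        out.discard(ingress_port)
        return vlan, sorted(out)


# Constructed topology: ports 1-2 controls VLAN 10, ports 3-4 guest VLAN 20,
# port 5 a trunk. One guest laptop is pinned to VLAN 20 by MAC (dynamic rule).
PLC_MAC = bytes.fromhex("020000000001")
GUEST_MAC = bytes.fromhex("020000000002")
BROADCAST = b"\xff" * 6
SWITCH = VlanSwitch(port_vlan={1: 10, 2: 10, 3: 20, 4: 20},
                    mac_vlan={GUEST_MAC: 20}, trunk_ports={5})


def demo() -> Dict[str, Tuple[int, List[int]]]:
    """Forwarding decisions for the representative cases."""
    ipv4 = 0x0800
    return {
        "plc_untagged_port1": SWITCH.forward(1, build_frame(BROADCAST, PLC_MAC, ipv4, b"io")),
        "guest_mac_port1": SWITCH.forward(1, build_frame(BROADCAST, GUEST_MAC, ipv4, b"web")),
        "tagged20_on_trunk": SWITCH.forward(5, build_frame(BROADCAST, PLC_MAC, ipv4, b"x", vlan_id=20)),
        "tagged20_on_access": SWITCH.forward(1, build_frame(BROADCAST, PLC_MAC, ipv4, b"x", vlan_id=20)),
    }


if __name__ == "__main__":
    for name, (vlan, ports) in demo().items():
        print(f"{name:20s} -> VLAN {vlan}, flooded to ports {ports}")
```

The last two cases are the ones worth staring at: a frame tagged for VLAN 20 arriving on the trunk goes only to the VLAN 20 ports, while the same frame arriving on an access port in VLAN 10 stays in VLAN 10, because on an access port the switch configuration, not the device, decides membership.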

The downside of VLANs is that they are only implemented by more expensive switches and routers. Unmanaged switches don’t support VLANs. You have to get a managed switch, and along with the managed switch comes more configurability, the need for more support, and more care in deploying it. Anybody can plug things into an unmanaged switch and set a network up. More care and thought should go into your entire network strategy if you plan to implement a VLAN using managed switches.

So, why aren’t more people using VLANs in their manufacturing systems? The answer, I believe, is that they mostly just buy more network equipment and physically create network segments instead of creating them logically using a VLAN. There is nothing wrong with that if you want to spend the extra money. It’s probably less complex for controls engineers who aren’t network experts.

A lot of the same stuff can be accomplished with NAT (Network Address Translation) tables, but I’ll have to leave that to another time.