(Revised 2013-06-21)
VLAN
A local area network (LAN) is a private network usually confined to one plant. Virtual LANs (VLANs)
allow a single physical LAN to be partitioned into several smaller logical LANs. VLANs are an effective
means of partitioning a larger LAN into manageable subsets. VLANs restrict the broadcast domain, improve
performance and security, and they are ideal for isolating industrial automation systems from IT systems
while retaining the plant's structural wiring.

The simplest VLANs to implement are Port VLANs, but in some cases the most effective VLAN scheme
is the IEEE 802.1Q VLAN tagging standard, which improves mobility by allowing a user to potentially access
any VLAN from any point on the LAN. More flexibility is gained if VLAN associations can be learned from
the contents of the Ethernet frame.
Security and traffic reduction can be provided with Port VLAN or with Tagged VLAN in accordance with
IEEE 802.1Q. VLAN is a function that divides a switch internally into virtual groups. As the switch is divided
into several VLAN groups, the broadcast domain is divided as well, thus restraining broadcast packets and
enhancing security. Broadcast and multicast frames are constrained by VLAN boundaries, so only stations
whose ports are members of the same VLAN see those frames. Likewise, flooding of unlearned unicast frames
goes only to VLAN members.
Tag-based VLAN uses an extra tag in the MAC header to identify the VLAN membership of a frame. The
four-byte tag is inserted immediately after the source address and before the Type/Length field. The
VLAN ID (VID) associates a frame with a specific VLAN and provides the information that switches need to
process the frame across the network. A VID must be assigned for each VLAN. By assigning the same VID
to VLANs on many switches, one or more VLANs can be extended across a large network.

Notice that there is no change in Ethernet frames (external to the switch) with Port VLAN partitioning. End
stations are unaware of the VLAN structure.
Whether using Port or Tagged VLAN, clear one group by entering a zero as the VID, and clear all groups
with a “cleargroups” command.
Each port has one and only one PVID (Port VLAN Identifier). If using Tagged VLAN and incoming frames
are tagged, the PVID does not come into play at all. If untagged incoming packets are accepted by a port, the
port's PVID is used as the tag for routing inside the switch. The PVID determines the group membership of
the packet, and therefore which ports the packet can or cannot reach. If the port also transmits tagged frames
for that group, the same PVID (the one applied to untagged incoming frames) is used in the outgoing tag.

If no port belongs to more than one group, the defaults (just press Enter to accept them) will take care of the PVIDs.
Whether using Port or Tagged VLAN, if one is using shared VLAN (one or more ports with more
than one group membership), one must understand the use of PVIDs.
As a simple Port VLAN example, take:

VLAN GROUP2 includes these ports: 1 2 3 4 5
VLAN GROUP3 includes these ports: 4 5 6 7 8 9
VLAN GROUP4 includes these ports: 1 2 3 4 5 6 7 8 9

Ports 1, 2, 3 each have a PVID of 2; ports 4, 5 each have a PVID of 4; ports 6, 7, 8, 9 each have a PVID of 3.

An untagged frame coming in from a PC on port 4 gets a PVID of 4, so it belongs to the VLAN group of ports 1 2 3 4 5 6 7 8 9.
An untagged frame coming in from a control system device on port 1 gets a PVID of 2, so it belongs to the VLAN group of ports 1 2 3 4 5.
An untagged frame coming in from an office device on port 6 gets a PVID of 3, so it belongs to the VLAN group of ports 4 5 6 7 8 9.

Thus:
ports 1, 2, 3 - control system (communicate only with each other and the two PCs)
ports 4, 5 - PCs (each communicates with all ports 1 through 9)
ports 6, 7, 8, 9 - office system (communicate only with each other and the two PCs)

For example: a frame transmitted (TX) on port 7 addressed to a device on port 3 is received (RX) on no port.
(Detailed setup of this configuration is presented later.)
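The forwarding decision in this example, as an added illustration that is not code from the manual: a small Python model of a switch that classifies an ingress frame by its 802.1Q tag or, when the frame is untagged, by the ingress port's PVID, and returns the set of ports that may receive it. The group and PVID tables are the ones above; the sample frames and the rule that a frame whose VLAN the ingress port does not belong to is dropped are assumptions of this example.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

# Port-VLAN groups and PVIDs from the example above (port -> PVID).
VLAN_GROUPS = {
    2: {1, 2, 3, 4, 5},
    3: {4, 5, 6, 7, 8, 9},
    4: {1, 2, 3, 4, 5, 6, 7, 8, 9},
}
PVID = {1: 2, 2: 2, 3: 2, 4: 4, 5: 4, 6: 3, 7: 3, 8: 3, 9: 3}


def frame_vid(frame: bytes):
    """Return the VID if the frame carries an 802.1Q tag, else None.
    The 4-byte tag sits right after the 6-byte destination and 6-byte source
    addresses: TPID 0x8100, then the TCI whose low 12 bits are the VID."""
    if len(frame) < 16:
        raise ValueError("frame too short to hold both addresses and Type/Length")
    tpid, tci = struct.unpack("!HH", frame[12:16])
    return tci & 0x0FFF if tpid == TPID_8021Q else None


def classify(frame: bytes, ingress_port: int) -> int:
    """Tagged frames keep their VID; untagged frames take the ingress port's PVID."""
    vid = frame_vid(frame)
    return PVID[ingress_port] if vid is None else vid


def egress_ports(frame: bytes, ingress_port: int) -> set:
    """Ports that may receive the frame: members of its VLAN other than the ingress port.
    Assumption: a frame whose VLAN the ingress port is not a member of is dropped."""
    vid = classify(frame, ingress_port)
    members = VLAN_GROUPS.get(vid, set())
    if ingress_port not in members:
        return set()
    return members - {ingress_port}


def untagged_frame() -> bytes:
    """Constructed sample: broadcast destination, locally administered source,
    EtherType 0x0800 (IPv4) and a dummy payload (60 bytes total)."""
    return b"\xff" * 6 + bytes.fromhex("02000000aa01") + struct.pack("!H", 0x0800) + b"\x00" * 46


def tagged_frame(vid: int) -> bytes:
    """Constructed sample: the same frame with a 4-byte tag inserted after the source address."""
    base = untagged_frame()
    return base[:12] + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + base[12:]
```

Running `egress_ports(untagged_frame(), 7)` reproduces the "TX 7 to 3" case: port 3 is absent from the result because the frame is classified into group 3 by port 7's PVID.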