
2.1 What is a VLAN?

The previous chapter showed how a switch forwards frames within a single network segment. A small network operates well with a single segment. As the network grows, every device receives every broadcast from every other device. A maintenance laptop plugged into any port reaches every PLC. VLANs solve both issues by dividing a single physical switch into multiple logical segments.

Without VLANs, every device on a switch shares the same broadcast domain. Every ARP request, every DHCP discovery, and every STP BPDU reaches every device. In a network with 200 devices, each device processes every broadcast from every other device — including irrelevant broadcasts.

The aggregate impact scales with the square of the device count: each of N devices processes the broadcasts of the other N-1. Doubling the device count doubles the broadcasts each device handles and quadruples the total broadcast processing across the segment. A PLC spending CPU cycles on irrelevant ARP requests has less CPU available for the control task.

VLANs also solve a security issue. Without VLANs, a maintenance laptop plugged into any switch port reaches every PLC on the network. With VLANs, the maintenance laptop resides in a separate VLAN. The laptop reaches production devices only through a router where access control lists apply. To understand how a switch enforces the separation, examine how the switch handles VLAN membership.

When a frame arrives on an access port, the switch assigns the frame to the configured VLAN of the port. When the frame leaves an access port, the switch strips the VLAN tag. The end device never sees a tag.

When a frame arrives on a trunk port, the switch reads the VLAN tag from the 802.1Q header to determine the VLAN membership.

Key terms:

  • VLAN ID — a 12-bit number identifying the VLAN, range 1 to 4094
  • Access port — a port carrying traffic for 1 VLAN. Frames are untagged.
  • Trunk port — a port carrying traffic for multiple VLANs. Frames are tagged with 802.1Q headers.
  • PVID (Port VLAN ID) — the VLAN assigned to untagged frames arriving on a port
  • SVI (Switched Virtual Interface) — a virtual IP interface on a Layer 3 switch, 1 per VLAN, used for inter-VLAN routing
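As an added example (not code from this chapter), the following Python model applies the access and trunk rules above to constructed frames: ingress classification by PVID or by the 802.1Q tag, the 1 to 4094 VLAN ID range check, and tag stripping or insertion on egress. The port tables, VLAN numbers and frame bytes are constructed for illustration; the model tags every VLAN on a trunk, including the native one.

```python
import struct
from typing import Optional

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def parse_frame(frame: bytes) -> tuple:
    """Split a frame into (dst, src, tci, rest); tci is None when untagged.
    'rest' starts at the inner EtherType so it can be re-attached after a new tag."""
    dst, src = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        return dst, src, struct.unpack("!H", frame[14:16])[0], frame[16:]
    return dst, src, None, frame[12:]

def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert (or replace) an 802.1Q tag; the 12-bit VID is only usable in 1..4094."""
    if not 1 <= vid <= 4094:
        raise ValueError(f"VLAN ID {vid} outside 1..4094")
    dst, src, _, rest = parse_frame(frame)
    return dst + src + struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid) + rest

def ingress_vlan(port: dict, frame: bytes) -> Optional[int]:
    """VLAN the switch assigns to a frame arriving on `port`; None means dropped."""
    _, _, tci, _ = parse_frame(frame)
    # VID 0 is a priority-only tag, so the frame counts as untagged
    vid = None if tci is None or (tci & 0x0FFF) == 0 else tci & 0x0FFF
    if port["mode"] == "access":
        # Access port: untagged frames take the PVID; a tag for another VLAN is dropped
        return port["pvid"] if vid in (None, port["pvid"]) else None
    if vid is None:
        return port["pvid"]  # trunk: untagged frames fall into the native VLAN (PVID)
    return vid if vid in port["allowed"] else None

def egress_frame(port: dict, vid: int, frame: bytes) -> Optional[bytes]:
    """Frame as sent out of `port` for VLAN `vid`: untagged on access, tagged on trunk."""
    dst, src, tci, rest = parse_frame(frame)
    if port["mode"] == "access":
        return dst + src + rest if vid == port["pvid"] else None
    if vid not in port["allowed"]:
        return None  # VLAN not carried on this trunk: frames silently disappear
    pcp = 0 if tci is None else tci >> 13  # keep the priority bits the frame arrived with
    return tag_frame(dst + src + rest, vid, pcp)

# Constructed sample data: an untagged broadcast ARP request and two port configurations
ARP_UNTAGGED = bytes.fromhex("ffffffffffff" "0200000000aa" "0806") + bytes(28)
ACCESS_10 = {"mode": "access", "pvid": 10}
TRUNK = {"mode": "trunk", "pvid": 1, "allowed": {10, 20, 50}}
```

A frame tagged for a VLAN the trunk does not carry returns None from egress_frame, which is exactly the silent loss the audit script later in this section looks for.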

With the mechanism understood, the next question is how to design VLANs for an industrial network.

Safety systems (VLAN 30) require zero routing to any other VLAN. Configure the Layer 3 switch or firewall to block inter-VLAN routing to and from VLAN 30. IEC 62443 and IEC 61511 require this isolation. A well-designed VLAN layout is only useful when configured correctly on every switch — auditing verifies the configuration.

A VLAN misconfiguration on 1 switch in a ring silently breaks connectivity for devices in that VLAN on that switch. The following script connects to switches and verifies that VLAN assignments match the expected design. Run the script after every configuration change and before every production startup:

# pip install netmiko
import os
import re
import sys
from netmiko import ConnectHandler

SWITCHES = [
    {"host": "192.168.1.100", "name": "SW-Cell1-MRM"},
    {"host": "192.168.1.101", "name": "SW-Cell1-MRC1"},
]
# Expected design: port -> access VLAN (PVID) for the ports that carry end devices
EXPECTED_ACCESS = {"1/1": 10, "1/2": 10, "1/3": 20, "1/4": 50}
# Every trunk (ring or uplink port) must carry all of these VLANs
REQUIRED_TRUNK_VLANS = {10, 20, 50}

def get_vlan_config(host: str) -> dict[str, dict]:
    """Return {port: {"pvid", "mode", "tagged"}} parsed from 'show vlan port'."""
    # device_type must be a platform name netmiko supports; the credentials are read
    # from the environment so the audit script itself holds no secrets
    conn = ConnectHandler(device_type="hirschmann_ssh", host=host,
                          username=os.environ.get("SWITCH_USER", "admin"),
                          password=os.environ["SWITCH_PASSWORD"])
    output = conn.send_command("show vlan port")
    conn.disconnect()
    ports = {}
    for line in output.splitlines():
        # expected columns: port  PVID  mode  [tagged VLAN list]
        m = re.match(r"(\d+/\d+)\s+(\d+)\s+(access|trunk)\s*([\d,\s]*)", line)
        if m:
            tagged = {int(v) for v in re.findall(r"\d+", m.group(4) or "")}
            ports[m.group(1)] = {"pvid": int(m.group(2)), "mode": m.group(3), "tagged": tagged}
    return ports

failed = False
for sw in SWITCHES:
    config = get_vlan_config(sw["host"])
    issues = []
    # Every expected access port must exist, be in access mode and carry the designed PVID
    for port, expected_vlan in EXPECTED_ACCESS.items():
        cfg = config.get(port)
        if cfg is None:
            issues.append(f"port {port}: not present in switch output")
        elif cfg["mode"] != "access":
            issues.append(f"port {port}: mode={cfg['mode']} expected access")
        elif cfg["pvid"] != expected_vlan:
            issues.append(f"port {port}: PVID={cfg['pvid']} expected {expected_vlan}")
    # Every trunk must carry the full required VLAN set
    for port, cfg in config.items():
        if cfg["mode"] == "trunk":
            missing = REQUIRED_TRUNK_VLANS - cfg["tagged"]
            if missing:
                issues.append(f"port {port}: trunk missing VLANs {sorted(missing)}")
    print(f"\n{sw['name']} {'ISSUES:' if issues else 'OK'}")
    for issue in issues:
        print(f"  {issue}")
    failed = failed or bool(issues)

# Non-zero exit so a change pipeline or startup checklist fails on any mismatch
sys.exit(1 if failed else 0)

Any port with the incorrect PVID places a device in the incorrect VLAN. Any trunk missing a required VLAN silently drops traffic for that VLAN on that link.

Each VLAN is a separate broadcast domain

Broadcasts stay within the VLAN. A storm in 1 VLAN does not affect others. Separate production, SCADA, safety, and management into distinct VLANs.

Safety VLANs need zero routing

Configure the firewall or Layer 3 switch to block inter-VLAN routing to and from the safety VLAN. IEC 62443 and IEC 61511 require this isolation.

VLANs create logical segments. The next section covers 802.1Q tagging — the exact wire format carrying VLAN IDs and priority markings inside Ethernet frames. Understanding the tag structure is essential for configuring QoS for PROFINET RT and MRP.

References:

  • IEEE Std 802.1Q-2022 — Bridges and Bridged Networks
  • IEC 62443-3-3:2013 — Industrial communication networks — Network and system security, Part 3-3: System security requirements and security levels
  • Hirschmann (2023) — User Manual: VLANs in HiOS. Belden/Hirschmann