Each VLAN is its own broadcast domain
Broadcasts stay within the VLAN. A storm in one VLAN does not affect others. Separate production, SCADA, safety, and management into distinct VLANs.
The previous chapter showed how a switch forwards frames within a single network segment. That works well for a small network. As the network grows, every device receives every broadcast from every other device — and a maintenance laptop plugged into any port can reach every PLC. VLANs solve both problems by dividing a single physical switch into multiple logical segments.
Without VLANs, every device on a switch shares the same broadcast domain. Every ARP request, every DHCP discovery, and every STP BPDU reaches every device. In a network with 200 devices, each device must process every broadcast from every other device, even broadcasts that are completely irrelevant to it.
The impact scales with the square of the number of devices. Double the devices and you more than double the broadcast traffic each device must handle. A PLC spending CPU cycles processing irrelevant ARP requests is a PLC with less CPU available for its control task.
VLANs also solve a security problem. Without VLANs, a maintenance laptop plugged into any switch port can reach every PLC on the network. With VLANs, the maintenance laptop is in a separate VLAN and cannot reach production devices without going through a router where access control lists apply. To understand how a switch enforces this separation, you need to understand how it handles VLAN membership.
When a frame arrives on an access port, the switch assigns it to the port’s configured VLAN. When the frame leaves an access port, the switch strips the VLAN tag. The end device never sees a tag.
When a frame arrives on a trunk port, the switch reads the VLAN tag from the 802.1Q header to determine which VLAN it belongs to.
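The ingress and egress rules above, worked through on actual frame bytes. This is an added example, not code from the original page or from any switch vendor: it assembles an Ethernet frame with an 802.1Q tag (TPID 0x8100, then a 16-bit TCI holding the 3-bit priority and the 12-bit VLAN ID), then models what a switch does on an access port (assign the port's PVID on ingress, strip the tag on egress) and on a trunk port (read the VLAN from the tag, forward only allowed VLANs). The port dictionaries, the PROFINET EtherType 0x8892 payload and the MAC addresses are constructed for the demo; the `native` key for untagged frames on a trunk is an assumption about a common default, not something the page states.

```python
from __future__ import annotations
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag follows


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan_id: int | None = None, pcp: int = 0) -> bytes:
    """Assemble an Ethernet frame, inserting an 802.1Q tag when vlan_id is given."""
    header = dst + src
    if vlan_id is not None:
        tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)  # PCP(3) | DEI(1)=0 | VID(12)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Split a frame into its fields; vlan_id and pcp are None when it is untagged."""
    if len(frame) < 14:
        raise ValueError("frame too short")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan_id = pcp = None
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, pcp = tci & 0x0FFF, tci >> 13
        offset = 18
    return {"dst": dst, "src": src, "vlan_id": vlan_id, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[offset:]}


def ingress(port: dict, frame: bytes) -> tuple[int, bytes] | None:
    """Decide which VLAN an arriving frame belongs to; None means the frame is dropped."""
    f = parse_frame(frame)
    if port["mode"] == "access":
        # The end device behind an access port is not expected to send tags, so a
        # tagged frame is dropped rather than honoured; everything else gets the PVID.
        if f["vlan_id"] is not None:
            return None
        return port["pvid"], frame
    # Trunk: the VLAN comes from the tag. Untagged frames fall into the native VLAN
    # if one is configured (assumed default), otherwise they are dropped.
    vlan = f["vlan_id"] if f["vlan_id"] is not None else port.get("native")
    if vlan is None or vlan not in port["allowed"]:
        return None
    return vlan, frame


def egress(port: dict, vlan: int, frame: bytes) -> bytes | None:
    """Strip the tag on an access port, (re)write it on a trunk port; None if not sent."""
    f = parse_frame(frame)
    if port["mode"] == "access":
        if port["pvid"] != vlan:
            return None  # belongs to another VLAN: never leaves this port
        return build_frame(f["dst"], f["src"], f["ethertype"], f["payload"])
    if vlan not in port["allowed"]:
        return None
    return build_frame(f["dst"], f["src"], f["ethertype"], f["payload"],
                       vlan_id=vlan, pcp=f["pcp"] or 0)


def demo() -> dict:
    """Constructed scenario: a tagged frame crosses a trunk and exits two access ports."""
    plc, hmi = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    trunk = {"mode": "trunk", "allowed": {10, 20, 50}, "native": None}
    access_10 = {"mode": "access", "pvid": 10}
    access_20 = {"mode": "access", "pvid": 20}
    # Constructed PROFINET frame (EtherType 0x8892) tagged VLAN 10, priority 6
    tagged = build_frame(plc, hmi, 0x8892, b"\xde\xad", vlan_id=10, pcp=6)
    vlan, fwd = ingress(trunk, tagged)
    return {
        "vlan": vlan,
        "to_access_10": egress(access_10, vlan, fwd),   # untagged, 16 bytes
        "to_access_20": egress(access_20, vlan, fwd),   # None: wrong VLAN
        "tagged_on_access": ingress(access_10, tagged),  # None: tag on access port
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v.hex() if isinstance(v, bytes) else v)
```

The two None results are the security-relevant part: a frame never leaves an access port of a different VLAN, and a tag presented on an access port does not move the frame into that VLAN.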
Key terms:
With the mechanism understood, the next question is how to design VLANs for an industrial network.
Safety systems (VLAN 30) require no routing to any other VLAN. Configure the Layer 3 switch or firewall to block all inter-VLAN routing to and from VLAN 30. This is a requirement under IEC 62443 and IEC 61511. A well-designed VLAN layout is only useful if it is actually configured correctly on every switch — which is where auditing becomes essential.
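A way to audit the "no routing to or from VLAN 30" requirement before trusting it. This is an added example, not code from the original page or from any firewall or switch vendor: it parses a constructed, simplified first-match policy of the form `permit|deny <proto> <src> <dst>` (not any real device's syntax) and probes one representative host per VLAN in both directions against the safety subnet, treating a permit for any protocol as reachability. The VLAN-to-subnet plan, the two sample policies and the VLAN 30 safety subnet are constructed for the example; VLAN numbers follow the page.

```python
from __future__ import annotations
import ipaddress

# Constructed VLAN-to-subnet plan for the example (not a real site's addressing)
VLAN_SUBNETS = {
    10: ipaddress.ip_network("192.168.10.0/24"),  # production
    20: ipaddress.ip_network("192.168.20.0/24"),  # SCADA
    30: ipaddress.ip_network("192.168.30.0/24"),  # safety
    50: ipaddress.ip_network("192.168.50.0/24"),  # management
}
SAFETY_VLAN = 30


def _to_net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if s == "any" else s)


def parse_rules(text: str) -> list[dict]:
    """Parse a simplified first-match policy: 'permit|deny <proto> <src> <dst>' per line.
    The format is constructed for this example and is not any vendor's syntax."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        action, proto, src, dst = line.split()
        if action not in ("permit", "deny"):
            raise ValueError(f"line {n}: unknown action {action!r}")
        rules.append({"line": n, "action": action, "proto": proto,
                      "src": _to_net(src), "dst": _to_net(dst)})
    return rules


def first_match(rules: list[dict], src: str, dst: str) -> str:
    """Evaluate the policy first-match for one src/dst pair; implicit deny at the end.
    Matching is on addresses only, so a permit for any protocol counts as reachable."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r["src"] and d in r["dst"]:
            return r["action"]
    return "deny"


def safety_violations(rules: list[dict], safety_vlan: int = SAFETY_VLAN) -> list[str]:
    """Probe one representative host per VLAN, in both directions, against the safety
    VLAN. Rules scoped narrower than a whole VLAN subnet would need more probes."""
    safety_host = str(next(VLAN_SUBNETS[safety_vlan].hosts()))
    issues = []
    for vlan, subnet in VLAN_SUBNETS.items():
        if vlan == safety_vlan:
            continue
        host = str(next(subnet.hosts()))
        if first_match(rules, host, safety_host) == "permit":
            issues.append(f"VLAN {vlan} -> VLAN {safety_vlan} is routable")
        if first_match(rules, safety_host, host) == "permit":
            issues.append(f"VLAN {safety_vlan} -> VLAN {vlan} is routable")
    return issues


# Constructed policy with a common mistake: a broad management permit sits above
# everything else and silently includes the safety subnet.
WEAK_POLICY = """
permit ip 192.168.50.0/24 any
permit ip 192.168.20.0/24 192.168.10.0/24
deny ip any any
"""

# Same intent, with the safety VLAN denied in both directions ahead of every permit.
FIXED_POLICY = """
deny ip any 192.168.30.0/24
deny ip 192.168.30.0/24 any
permit ip 192.168.50.0/24 any
permit ip 192.168.20.0/24 192.168.10.0/24
deny ip any any
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        print(name, safety_violations(parse_rules(text)) or "OK")
```

Putting the two safety denies first matters because the policy is evaluated first-match: in the weak policy the management permit is reached before any deny, so management hosts can route into the safety VLAN even though nobody wrote a rule that names it.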
A VLAN misconfiguration on one switch in a ring silently breaks connectivity for all devices in that VLAN on that switch. The following script connects to all switches and verifies that VLAN assignments match the expected design. Run it after every configuration change and before every production startup:
# pip install netmiko
import os
import re

from netmiko import ConnectHandler

SWITCHES = [
    {"host": "192.168.1.100", "name": "SW-Cell1-MRM"},
    {"host": "192.168.1.101", "name": "SW-Cell1-MRC1"},
]
# Expected design: port -> access VLAN (PVID)
EXPECTED_ACCESS = {"1/1": 10, "1/2": 10, "1/3": 20, "1/4": 50}
# Every trunk (ring) port must carry these VLANs tagged
REQUIRED_TRUNK_VLANS = {10, 20, 50}


def get_vlan_config(host: str) -> dict[str, dict]:
    """Log in, run 'show vlan port' and parse it into {port: {pvid, mode, tagged}}."""
    conn = ConnectHandler(
        device_type="hirschmann_ssh",
        host=host,
        username="admin",
        # Take the password from the environment rather than hardcoding it in the script
        password=os.environ["SWITCH_PASSWORD"],
    )
    output = conn.send_command("show vlan port")
    conn.disconnect()
    ports = {}
    for line in output.splitlines():
        # Expected columns: <port> <pvid> <access|trunk> [<tagged VLAN list>]
        m = re.match(r"(\d+/\d+)\s+(\d+)\s+(access|trunk)\s*([\d,\s]*)", line)
        if m:
            tagged = set(int(v) for v in re.findall(r"\d+", m.group(4) or ""))
            ports[m.group(1)] = {"pvid": int(m.group(2)), "mode": m.group(3), "tagged": tagged}
    return ports


for sw in SWITCHES:
    config = get_vlan_config(sw["host"])
    issues = []
    for port, cfg in config.items():
        if cfg["mode"] == "access" and port in EXPECTED_ACCESS:
            if cfg["pvid"] != EXPECTED_ACCESS[port]:
                issues.append(f"port {port}: PVID={cfg['pvid']} expected {EXPECTED_ACCESS[port]}")
        if cfg["mode"] == "trunk":
            missing = REQUIRED_TRUNK_VLANS - cfg["tagged"]
            if missing:
                issues.append(f"port {port}: trunk missing VLANs {missing}")
    # An expected access port that is absent from the output, or that has been
    # switched to trunk mode, would otherwise pass unnoticed
    for port in EXPECTED_ACCESS:
        if port not in config:
            issues.append(f"port {port}: not present in 'show vlan port' output")
        elif config[port]["mode"] != "access":
            issues.append(f"port {port}: mode={config[port]['mode']} expected access")
    print(f"\n{sw['name']} {'ISSUES:' if issues else 'OK'}")
    for issue in issues:
        print(f"  {issue}")

Any port with the wrong PVID is a device that cannot reach its gateway. Any trunk missing a required VLAN means traffic for that VLAN cannot cross that link.
Safety VLANs need no routing
Configure the firewall or Layer 3 switch to block all inter-VLAN routing to and from the safety VLAN. This is a requirement under IEC 62443 and IEC 61511.
VLANs create logical segments. The next section covers 802.1Q tagging — the exact wire format that carries VLAN IDs and priority markings inside Ethernet frames. Understanding the tag structure is essential for configuring QoS for PROFINET RT and MRP.