gateway icon  PRODUCT SELECTOR:

Connect Your:

To:

RTA's Blog

VLAN Confusion

Posted on by John S Rinaldi
20
Aug

I have maintained for a long time that it is hard to do IT/OT conversion because both groups use the same technology, Ethernet, differently. While some maintain that Ethernet is Ethernet is Ethernet, when you get into the specifics of how that technology is used, the application of the technology is different.

Let’s talk about VLANs as an example. A Virtual Local Area Network (VLAN) is a way of grouping devices into a common local Ethernet as if they were connected on their own network. In the following diagram, there are two VLANs. Each VLAN maintains its own collision domain. Traffic within one collision domain never interferes with traffic on another collision domain. Both switches in this diagram manage traffic within each VLAN as if there were two separate physical networks.

VLAN diagram

In the classic paradigm used to teach about VLANs, you put the Sales team on one VLAN, HR on another and Marketing on another. It’s a little different on the factory floor. On the factory floor, we group devices that have some common automation function. Devices related to an automation tool might be on one VLAN and devices on another tool would be on a second VLAN. A PLC and all its EtherNet/IP devices might be on the same VLAN. An RTA PLC gateway, for example, would always be grouped into the VLAN with the PLC. All the devices might use the same switch, but that is irrelevant. We use VLANs to organize devices by common functionality.

IT uses VLANs differently. In a typical IT architecture, VLANs are not often used to group end devices illustrated in the Sales/HR example above. Instead, VLANs are used to organize groups of switches and routers. IT folks like to have all their switches and routers interconnected on a VLAN with their administrative tools. They have tools that download configuration, read statistics and monitor switch and router operation and they find it convenient to do that over a VLAN.

Another reason for using VLANs is security. This plays out more in the IT space than in the OT space. To join a VLAN, the switch port must be configured for that VLAN. The device itself cannot add itself to a VLAN. An administrator must designate a port as part of a VLAN. That means if you connect your laptop to an open port on Switch 1 in the figure above and start nosing around, you won’t find any devices. If that port is not configured as part of one of the VLANs, you have no access to any of the devices on a VLAN. Since the OT space is (or should be) protected at some higher level, this is not as important to control architects designing OT networks.

Ethernet is not Ethernet. There are all sorts of ways that control engineers use Ethernet that varies considerably from IT practices.

Avatar photo
John S Rinaldi

John Rinaldi is Chief Strategist, Business Development Manager and CEO of Real Time Automation (RTA). After escaping from Marquette University with a degree in Electrical Engineering, John worked in various jobs in the Automation Industry before once again fleeing back into the comfortable halls of academia. At the University of Connecticut, he once again talked his way into a degree, this time in Computer Science (MS CS). John is a recognized expert in industrial networks and the author of six books: Modbus: The Everyman’s Guide to Modbus, OPC UA – Unified Architecture: The Everyman’s Guide to OPC UA, EtherNet/IP: The Everyman’s Guide to EtherNet/IP, The Smart Product Manager’s Guide to Industrial Automation Connectivity, The Smart Product Manager’s Guide to Connectivity in the Packaging Industry, and his latest, The Everyman’s Guide to Properly Architecting Ethernet/IP Networks.

Our office is closed Monday September 2nd in observance of Labor Day. Orders placed after 2pm CST 8/30/24 will be processed on 9/3/24.