Designing a Converged Plantwide Ethernet (CPwE) architecture with a VLAN approach involves the following key steps:
- Assign the various Cell/Area zones a VLAN that corresponds to an IP subnet in which the devices in that zone all have their IP address.
- Determine how to deploy the VLANs into the network infrastructure.
- Determine how to configure the VLAN Interface, end-device ports and switch uplinks.
Once the VLANs and IP addressing scheme have been set, the next key design decision is how to deploy the VLANs into the network infrastructure. Best practice dictates that VLANs are manually configured on the switches. Industrial Automation Control System (IACS) networks tend to be designed and configured once and not updated often, if at all, during their lifetime. There are “automated” ways to manage the VLANs in a switch, for example the VLAN Trunking Protocol (VTP).
But these mechanisms carry inherent risk: an inadvertent change could significantly impact the IACS network. Therefore, best practice is to run VTP in transparent mode on the IACS network. Manual VLAN configuration requires a bit more work up front to implement the VLANs on the network infrastructure, but once complete, it lowers the risk of operational issues due to inadvertent VTP updates.
Trunks are another important concept in deploying VLANs. The inter-switch connections in a Layer-2 network deploying VLANs are referred to and configured as trunks because they carry traffic for multiple VLANs. The prevalent and most often used standard is IEEE 802.1Q, which specifies VLAN tagging to carry multiple VLANs on Ethernet links between switches.
Best practice is to use IEEE 802.1Q for inter-switch connections within the Cell/Area zone. Some switches support other trunking protocols, which are proprietary precursors to 802.1Q and are not recommended.
Using manual configuration, set the inter-switch connections to use 802.1Q, and set negotiation to “off” to enforce its use.
VLAN1 and Native VLANs
Two important considerations in designing a VLAN network are the use of VLAN 1 and the native VLAN.
The native VLAN is the VLAN to which a port returns when it is not trunking. Also, an IEEE 802.1Q trunk does not apply a VLAN tag to the native VLAN; in other words, the VLAN tag is implicit.
The Native VLAN is the assigned VLAN for the port (and used if trunking is removed), and is the VLAN used by network-specific protocols (for example, LACP, MSTP or Resilient Ethernet Protocol).
VLAN 1 is the default native VLAN on trunk ports on Cisco-based switches and therefore may be used by a number of network infrastructure protocols. For a number of performance and security reasons, the following recommendations apply to VLAN 1 and native VLANs on trunk ports:
- Both sides of an inter-switch trunk must be configured with the same native VLAN.
- Configure the native VLAN to be a dedicated and specific VLAN not already in use. For example, in an IACS Cell/Area Zone VLAN, the Native VLAN should not be routed to/from, and therefore is never enabled on the router or Layer 3 distribution switch. No IACS network traffic should flow in the Native VLAN.
- It is recommended that the size and scope of a Native VLAN be a Cell/Area zone. For example, on a Cell/Area zone, the same Native VLAN would reside on all the trunks between the switches.
- Configure the 802.1Q trunk to allow only specified VLANs. All other VLANs should be “pruned” from the trunk, including VLAN 1.
- Define IACS devices to use a specific VLAN other than the native VLAN and VLAN 1. Allow these VLANs on the trunks.
- Best practice is to not use VLAN 1 for any purpose. Some security threats assume that VLAN 1 is the default VLAN for data and/or management traffic and may target VLAN 1 in their attacks.
In the IT and enterprise network, management VLANs are common and used to access the network and IT infrastructure separate from the data VLANs. If IT is involved in managing the IACS network, they may want to establish management VLANs.
Essentially, a management VLAN is a VLAN on which only the network infrastructure has IP addresses. The concept can also be taken so far as to establish an out-of-band physical network with the network infrastructure to allow network connectivity even when the in-band network is disrupted. Given the cost of cabling and infrastructure, this is not a consideration for most manufacturers.
Management VLANs are a supported concept, especially when IT may be involved in IACS networking. If Cell/Area zone network management is to be performed by plant floor personnel, putting the switch in the IACS VLANs provides a management interface to the network infrastructure, so IACS applications can access the network infrastructure for management, monitoring and control – the same reasons a management VLAN is established.
VLANs are identified by a number between 1 and 4094. VLANs 1002 to 1005 are for backward compatibility with legacy Layer-2 network protocols and cannot be used. VLANs 1006 to 4094 are extended range VLANs. These cannot be used in conjunction with the ISL trunking protocol or VTP in client-server mode, neither of which is recommended by Cisco or Rockwell Automation for use in VLAN management.
The following is a quick summary of the recommendations for Cell/Area zone implementation:
Key Segmentation and VLAN Recommendations
- The Cell/Area zone VLANs must be defined on a distribution/core switch (Layer 3 capable), so the switch can route between VLANs.
- All CIP-bearing VLANs should have IP directed broadcast-enabled and CIP-enabled to allow connectivity to RSLinx data servers in the Manufacturing zone. This is applied to the outbound interface on the Layer-3 switch.
- For CIP integration, the industrial Ethernet switches must have a VLAN interface defined with a specific IP address on the Cell/Area zone VLANs where the switch must communicate with CIP enabled controllers. A switch can have IP addresses in multiple Cell/Area VLANs; however, only one VLAN can be CIP-enabled.
- Set the switch in VTP mode transparent (all switches) to reduce the potential for operational error.
- Consider establishing a management VLAN, especially if IT or IT tools will be involved in the Cell/Area zone network management.
- Uplinks or inter-switch connections:
  - Hard set the trunk mode to ON and the encapsulation negotiation to OFF for optimal network convergence.
  - On all trunk ports in switches in a Cell/Area zone, assign the native VLAN to an unused ID to avoid VLAN hopping. The native VLAN setting has to be the same on both sides of the trunk.
  - Set the trunk encapsulation to dot1q.
  - Manually prune all VLANs except those that are needed.
- Configure the end-host ports:
  - Use the switchport host command to configure the port for an end device (access mode).
  - The end device must be assigned an IP address, subnet mask and default gateway in the appropriate subnet.
  - Configure the interface for the appropriate VLAN.
The following are logical segmentation and VLAN recommendations:
- Segment the IACS network into Cell/Area zones, where each zone is a subset of devices that communicate consistently with each other. All devices should have an IP address in the same IP subnet and be in the same VLAN. Smaller Cell/Area zones are generally better.
- All devices communicating with each other via multicast (I/O) traffic must be in the same VLAN.
- Layer-3 switches or routers are required to route traffic between VLANs, which may impact traffic flow.
- Each VLAN should consist of a single IP subnet.
- If non-manufacturing traffic (PC and so on) must exist in the physical topology, it should be on a separate VLAN.
- Because very few VLANs are used, configure VTP mode as transparent to avoid operational error.
- Assign all end-device or host ports a VLAN and set them to switchport mode access.
- Do not explicitly use VLAN 1, because it is easily misused and can cause unexpected risks.
- All uplinks are connected as 802.1Q trunks.
- Use an unused VLAN as the native VLAN on all trunk ports.
- Prune all unused VLANs from a trunk.
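As an added example (not from the original document, nor Cisco's or Rockwell Automation's own tooling), the following Python script audits a Cisco IOS-style switch configuration against the trunk, native VLAN, VTP and access-port recommendations given in the VLAN 1/native VLAN section and in the two summary lists above. The two configurations it inspects are constructed samples; the interface names and VLAN ids are assumptions.

```python
# Constructed Cisco IOS-style configs for illustration (not real device configs). GOOD
# follows the guidance above; WEAK leaves VTP in server mode and both ports at defaults.
GOOD_CONFIG = """\
vtp mode transparent
interface GigabitEthernet1/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10
interface GigabitEthernet1/2
 switchport mode access
 switchport access vlan 10
"""
WEAK_CONFIG = """\
vtp mode server
interface GigabitEthernet1/1
 switchport mode trunk
interface GigabitEthernet1/2
 switchport mode access
"""
def parse_interfaces(config):  # map interface name -> its indented sub-commands
    ifaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = ifaces.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # any other global line ends the interface block
    return ifaces
def last_word(lines, key, default):  # e.g. the VLAN id at the end of a matching line
    return next((l.split()[-1] for l in lines if key in l), default)
def audit(config):
    """Return findings where the config deviates from the VLAN recommendations above."""
    findings = []
    if "vtp mode transparent" not in config.splitlines():
        findings.append("global: VTP is not in transparent mode")
    for name, lines in parse_interfaces(config).items():
        if "switchport mode trunk" in lines:
            if "switchport nonegotiate" not in lines:
                findings.append(f"{name}: trunk still negotiates (DTP on)")
            if last_word(lines, "native vlan", "1") == "1":  # IOS default native VLAN
                findings.append(f"{name}: native VLAN is 1")
            if not any("allowed vlan" in l for l in lines):
                findings.append(f"{name}: trunk not pruned, carries all VLANs")
        elif last_word(lines, "access vlan", "1") == "1":  # IOS default access VLAN
            findings.append(f"{name}: non-trunk port left in VLAN 1")
    return findings
```

Running audit on a saved running-config export flags every trunk that still negotiates, sits on native VLAN 1 or carries all VLANs, and every non-trunk port left in VLAN 1; the GOOD sample yields no findings.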