Best networking practice is a one-to-one relationship between VLANs and subnets.
Subnets and VLANs are two concepts that go hand-in-hand. Here are the top 10 things you should know about these critical components of Converged Plantwide Ethernet (CPwE) Design and Implementation:
- A Layer-2 network also refers to a subnet, broadcast domain and a virtual LAN (VLAN). Best practice is a 1:1:1 relationship between subnets, broadcast domains and VLANs. The Layer-2 network infrastructure devices in the Cell/Area zone are predominantly access switches.
- Layer-3 switches or routers are used in manufacturing environments. Layer-3 switches or routers forward information between different VLANs or subnets, using the information in the IP header (Layer 3) to do so. Whether they operate at Layer 2 or Layer 3, switches provide Industrial Automation Control System (IACS) networks with many of the safeguards realized by the natural separation inherent in existing IACS-optimized networks. Some switches promoted as Layer 2 switches also support limited routing capabilities, such as static routing.
- Devices and controllers configured for multicast delivery need to be located within the same Cell/Area IACS network because these packets cannot be routed, meaning that any router will drop the packet before forwarding it outside the subnet/VLAN. Devices and controllers configured for unicast delivery, Implicit I/O or Explicit messaging do not need to be within the same Cell/Area zone because that communication is routable.
- Logical segmentation is the process of outlining which endpoints need to be in the same LAN. Segmentation is a key consideration for a Cell/Area IACS network. Segmentation is important to help manage the real-time communication properties of the network while supporting the requirements defined by the network traffic flows. Security is also an important consideration in making segmentation decisions. A security policy may call for limiting access of plant floor personnel (such as a vendor or contractor) to certain areas of the plant floor (such as a functional area). Segmenting these areas into distinct subnets and VLANs greatly assists in the application of these types of security considerations.
- Network developers should strive to design smaller LANs or VLANs, while recognizing that the traffic patterns of an IACS may make this difficult if routing is required.
- Use VLANs in addition to any physical segmentation, and connect all Cell/Area LANs to Layer-3 distribution switches to maintain connectivity.
- Trunks are also an important concept when deploying VLANs. The inter-switch connections in a Layer-2 network deploying VLANs are referred to and configured as trunks because they carry traffic for multiple VLANs. The relevant standard is IEEE 802.1Q, the prevalent and most widely used standard, which specifies VLAN tagging so that multiple VLANs can share one Ethernet link between switches.
- Management VLANs are also an important consideration when establishing a VLAN concept. In the IT and enterprise network, management VLANs are commonly used to access the network and IT infrastructure, separate from the data VLANs. If IT is involved in managing the IACS network, they may want to establish management VLANs on which only the network infrastructure has IP addresses.
- Two important considerations in designing a VLAN network are the use of VLAN 1 and the native VLAN. The native VLAN is the VLAN whose frames a trunk port carries untagged, and the VLAN to which the port returns when it is not trunking. VLAN 1 is the default native VLAN on trunk ports on Cisco-based switches and therefore may be used by a number of network infrastructure protocols.
- Assign IACS devices to a specific VLAN other than the native VLAN and VLAN 1; do not use VLAN 1 for any purpose. Some security threats assume that VLAN 1 is the default VLAN for data and/or management traffic and may target VLAN 1 in their attacks.
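The 802.1Q tagging that trunks rely on is easiest to understand by building and decoding a tagged frame. The following is an added example, not code from the CPwE guide: it constructs two Ethernet frames in memory (the MAC addresses and payload are made up), inserts the 4-byte 802.1Q tag on one of them, and decodes both the way a trunk port would. The `native_vlan` parameter models the receiving trunk port's native VLAN, which is where an untagged frame lands; that is the behaviour behind the advice to keep the native VLAN away from VLAN 1 and from IACS data.

```python
"""Build and decode IEEE 802.1Q-tagged Ethernet frames (added example)."""
import struct
from typing import Optional

TPID_8021Q = 0x8100      # Tag Protocol Identifier that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, payload: bytes,
                vlan_id: Optional[int] = None, pcp: int = 0,
                ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """Return an Ethernet frame; an 802.1Q tag is inserted only when vlan_id is given."""
    if vlan_id is None:
        tag = b""
    else:
        if not 0 <= vlan_id <= 4095:
            raise ValueError("VLAN ID must fit in 12 bits")
        if not 0 <= pcp <= 7:
            raise ValueError("priority code point must fit in 3 bits")
        # Tag Control Information = PCP (3 bits) | DEI (1 bit) | VID (12 bits)
        tci = (pcp << 13) | vlan_id
        tag = struct.pack("!HH", TPID_8021Q, tci)
    return dst + src + tag + struct.pack("!H", ethertype) + payload


def decode_frame(frame: bytes, native_vlan: int) -> dict:
    """Decode the header of a frame received on a trunk whose native VLAN is native_vlan.

    A tagged frame belongs to the VLAN in its tag; an untagged frame is forwarded in
    the native VLAN, so the decoder reports that VLAN for it.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": dst.hex(":"), "src": src.hex(":")}
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, inner_type = struct.unpack("!HH", frame[14:18])
        info.update(tagged=True, pcp=tci >> 13, dei=(tci >> 12) & 1,
                    vlan=tci & 0x0FFF, ethertype=inner_type, payload=frame[18:])
    else:
        info.update(tagged=False, vlan=native_vlan, ethertype=ethertype,
                    payload=frame[14:])
    return info


def untagged_on_trunk(frames, native_vlan: int) -> list:
    """Return the decoded frames that arrived untagged and so fell into the native VLAN.

    On a trunk that should carry only tagged IACS VLANs, a non-empty result is worth
    investigating: either a device is sending untagged traffic or the native VLAN is in use.
    """
    decoded = [decode_frame(f, native_vlan) for f in frames]
    return [d for d in decoded if not d["tagged"]]


if __name__ == "__main__":
    # Constructed sample addresses and payload, not captured traffic.
    dst = bytes.fromhex("01005e000001")
    src = bytes.fromhex("0200000000aa")
    tagged = build_frame(dst, src, b"payload", vlan_id=110, pcp=5)
    plain = build_frame(dst, src, b"payload")
    print(decode_frame(tagged, native_vlan=999))
    print(untagged_on_trunk([tagged, plain], native_vlan=999))
```

Running the block shows the tagged frame decoded to VLAN 110 with priority 5, while the untagged frame is reported in VLAN 999, the native VLAN of the receiving port; with the default native VLAN of 1 it would instead land in VLAN 1.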
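Three of the points above (one subnet per VLAN, an explicit native VLAN other than VLAN 1 on trunks, and no use of VLAN 1 at all) can be checked mechanically against a switch configuration. The script below is an added example, not tooling from the CPwE guide or from any switch vendor. It assumes an IOS-style text configuration in which each `interface` block is followed by one-space-indented lines, as in the constructed `SAMPLE_CONFIG` (the hostname, VLAN numbers and addresses are made up); the sample deliberately pairs a port left at its defaults with a hardened one so that the findings show the difference.

```python
"""Audit an IOS-style switch configuration against the VLAN guidance (added example)."""
import ipaddress
from typing import Dict, List

# Constructed sample: Gi1/1 and Gi1/3 are left at defaults, Gi1/2 and Gi1/4 are hardened.
SAMPLE_CONFIG = """\
hostname IES-CELL1
!
interface Vlan1
 ip address 10.17.1.1 255.255.255.0
!
interface Vlan110
 description Cell/Area zone 1 IACS data
 ip address 10.17.110.1 255.255.255.0
!
interface Vlan130
 description constructed defect: subnet overlaps VLAN 110
 ip address 10.17.110.129 255.255.255.128
!
interface Vlan900
 description network management
 ip address 10.17.200.1 255.255.255.0
!
interface GigabitEthernet1/1
 description uplink left at defaults
 switchport mode trunk
!
interface GigabitEthernet1/2
 description uplink hardened
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 110,130,900
!
interface GigabitEthernet1/3
 description controller port left at defaults
 switchport mode access
!
interface GigabitEthernet1/4
 description controller port hardened
 switchport mode access
 switchport access vlan 110
!
end
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [indented config lines]} for every 'interface' block."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the block
    return interfaces


def _trailing_int(lines: List[str], prefix: str, default: int) -> int:
    """Value of the first line starting with prefix (e.g. 'switchport access vlan 110'), else default."""
    for line in lines:
        if line.startswith(prefix):
            return int(line.split()[-1])
    return default


def audit(config: str) -> List[str]:
    """Return human-readable findings; an empty list means the checks all passed."""
    findings: List[str] = []
    svi_subnets: Dict[int, ipaddress.IPv4Network] = {}
    for name, lines in parse_interfaces(config).items():
        if name.lower().startswith("vlan"):
            vid = int(name[4:])
            if vid == 1 and "shutdown" not in lines:
                findings.append(f"{name}: VLAN 1 SVI is active; shut it down and use a dedicated management VLAN")
            addr = [l.split() for l in lines if l.startswith("ip address ")]
            if addr and len(addr[0]) == 4:
                net = ipaddress.IPv4Network(f"{addr[0][2]}/{addr[0][3]}", strict=False)
                for other_vid, other_net in svi_subnets.items():
                    if net.overlaps(other_net):
                        findings.append(f"{name}: subnet {net} overlaps VLAN {other_vid} ({other_net}); keep subnets and VLANs 1:1")
                svi_subnets[vid] = net
        elif "switchport mode trunk" in lines:
            # Without an explicit native VLAN the trunk defaults to VLAN 1, untagged.
            if _trailing_int(lines, "switchport trunk native vlan ", 1) == 1:
                findings.append(f"{name}: trunk native VLAN is 1 (default); set an unused VLAN as native")
            if not any(l.startswith("switchport trunk allowed vlan ") for l in lines):
                findings.append(f"{name}: trunk carries all VLANs, including VLAN 1; restrict the allowed-VLAN list")
        elif "switchport mode access" in lines:
            if _trailing_int(lines, "switchport access vlan ", 1) == 1:
                findings.append(f"{name}: access port is in VLAN 1 (default); assign an IACS data VLAN")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Against the sample the audit reports five findings: the active `Vlan1` SVI, the overlap between VLAN 130 and VLAN 110, the default native VLAN and unrestricted allowed list on `GigabitEthernet1/1`, and the VLAN 1 access port `GigabitEthernet1/3`; the two hardened ports produce nothing. The parser is intentionally small, so configurations with other block styles need the `parse_interfaces` function adapted before the checks can be trusted.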
To learn more about VLANs and subnets, sign up for the Industrial IP Advantage industrial network design training here.