VLANs: A brief history
Dr. Dave Sincoskie (1954-2010) developed what is now called the VLAN in the late 1980s. His
creation was the result of experiments to increase Ethernet bandwidth. At the time, VAX-11/780
computers were being used as routers. These units carried a hefty price tag of $400,000 each so
a more affordable alternative would be necessary before the widespread use of the technology
would be practical. With Chase Cotton helping, Sincoskie proposed using the bandwidth of
existing telephone networks to expand bandwidth. Sincoskie’s research would later yield the first
voice-over-IP technology, ushering in a new field of communications.
Source: Sincoskie, W.D. and Cotton, C.J. Extended Bridge Algorithms for Large Networks, Published IEEE Network 1988.
Introduction
A VLAN is an administratively configured LAN segment that limits traffic to its own broadcast domain, allowing one switch to carry multiple broadcast domains. Instead of physically reconnecting a device to a different LAN, network administrators can accomplish this task by configuring a VLAN-compliant switch to create logical network segments. A key feature of N-Tron’s VLAN (tagged and port) implementation is the concept of overlapping members.
In this paper, we’ll discuss port and tagged VLANs.
Overlapping Port VLANs
N-Tron uses the term overlapping VLAN port to refer to an individual port that is configured with membership in multiple VLANs.
Overlapping Port VLAN with N-Tron’s 500 Series –A Option Switches
Referring to Figure 1, using a 508TX-A, consider the following example where the Office LAN uplink is on Port 1, the PLC is on Port 2, and the control devices being accessed by the PLC are on ports 3-8. In this case, the network administrator would like to set up VLAN partitions to keep the Office LAN separate from the Control LAN, but still have the capability to access the PLC from a workstation connected to the Office LAN.
This example shows how to set up the PLC as an overlapping member to both VLAN group 2 (VID2) and VLAN group 3 (VID3). To accomplish this, we will create an abstract VLAN (VID4) that has all ports as a secondary member, and only port 2 (the overlapping member) with a PVID of 4. Please note that port 2 is a secondary member of the other two groups as well.
PORTS (VLAN GROUP ASSIGNMENTS) | MEMBERSHIP | PORTS (PVID ASSIGNMENTS) | PVID
1 & 2 | VID2 | 1 | 2
2 - 8 | VID3 | 3 - 8 | 3
1 - 8 | VID4 | 2 | 4
Command Line Interface (CLI) entry to accomplish this configuration
CLI\SWITCH\VLAN> PORT [ENTER]
Port VLAN selected.
/ (Go to top of menu tree)
? (Show menus/commands)
info (Get information about VLAN)
enable (Enable Port VLAN)
tagged (Switch to Tagged VLAN)
group1 (configure Port VLAN Group 1)
group2 (configure Port VLAN Group 2)
group3 (configure Port VLAN Group 3)
group4 (configure Port VLAN Group 4)
group5 (configure Port VLAN Group 5)
group6 (configure Port VLAN Group 6)
group7 (configure Port VLAN Group 7)
group8 (configure Port VLAN Group 8)
cleargroups (clear Port VLAN Groups 2 through 8)
CLI\SWITCH\VLAN> GROUP4 [ENTER]
Configure Port VLAN Group 4.
Enter ports to Join VLAN Group 4 (Example: ‘367<enter>’)
Enter Port Numbers (or ESC to exit)> 1,2,3,4,5,6,7,8 [ENTER]
These ports were removed from group1: 1 2 3 4 5 6 7 8
Would you like all these ports to have PVID=4 ?
Enter ‘NO’ or (YES):
CLI> NO [ENTER]
Enter ports to have PVID=4
(Example: ‘367<enter>’)
Enter Port Numbers (or ESC to exit)> 2 [ENTER]
*** These ports now have null PVIDs: 1 3 4 5 6 7 8 ***
*** All ports should have valid PVIDs before configuration is complete. ***
CLI\SWITCH\VLAN> GROUP3 [ENTER]
Configure Port VLAN Group 3.
Enter ports to Join VLAN Group 3 (Example: ‘367<enter>’)
Enter Port Numbers (or ESC to exit)> 2,3,4,5,6,7,8 [ENTER]
Would you like all these ports to have PVID=3 ?
Enter ‘NO’ or (YES):
CLI> NO [ENTER]
Enter ports to have PVID=3
(Example: ‘367<enter>’)
Enter Port Numbers (or ESC to exit)> 3,4,5,6,7,8 [ENTER]
CLI\SWITCH\VLAN> GROUP2 [ENTER]
Configure Port VLAN Group 2.
Enter ports to Join VLAN Group 2 (Example: ‘367<enter>’)
Enter Port Numbers (or ESC to exit)> 1,2 [ENTER]
Would you like all these ports to have PVID=2 ?
Enter ‘NO’ or (YES):
CLI> NO [ENTER]
Enter ports to have PVID=2
(Example: ‘367<enter>’)
Enter Port Numbers (or ESC to exit)> 1 [ENTER]
Setup Information and Enabling Port VLAN
CLI\SWITCH\VLAN> INFO [ENTER]
Port VLAN is DISABLED.
When enabled:
All outgoing pkts will be untagged.
VLAN GROUP1 includes these Ports: none
VLAN GROUP2 includes these Ports: 1 2
VLAN GROUP3 includes these Ports: 2 3 4 5 6 7 8
VLAN GROUP4 includes these Ports: 1 2 3 4 5 6 7 8
VLAN GROUP5 includes these Ports: none
VLAN GROUP6 includes these Ports: none
VLAN GROUP7 includes these Ports: none
VLAN GROUP8 includes these Ports: none
There is more info. Press ‘SPACE BAR’ to continue, or escape to exit >
Incoming pkts will use these PVIDs to determine group membership:
Port 1 PVID=2
Port 2 PVID=4
Port 3 PVID=3
Port 4 PVID=3
Port 5 PVID=3
Port 6 PVID=3
Port 7 PVID=3
Port 8 PVID=3
CLI\SWITCH\VLAN> ENABLE [ENTER]
Port VLAN is Enabled.
CLI\SWITCH\VLAN>
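The check below is an added example, not N-Tron or Red Lion code: it parses the group and PVID lines of the `info` output above and verifies that the Office port and the Control ports have no path to each other while the PLC port can talk to both. The forwarding model (a frame is classified by the PVID of its ingress port and leaves only on member ports of that group) and all function names are assumptions of the example.

```python
import re

# Constructed sample: the lines of the `info` output above that the parser reads.
INFO = (
    "VLAN GROUP1 includes these Ports: none\n"
    "VLAN GROUP2 includes these Ports: 1 2\n"
    "VLAN GROUP3 includes these Ports: 2 3 4 5 6 7 8\n"
    "VLAN GROUP4 includes these Ports: 1 2 3 4 5 6 7 8\n"
    "Port 1 PVID=2\nPort 2 PVID=4\n"
    + "".join(f"Port {p} PVID=3\n" for p in range(3, 9))
)

def parse_info(text):
    """Return ({group: {ports}}, {port: pvid}) from Port VLAN `info` output."""
    groups, pvids = {}, {}
    for line in text.splitlines():
        g = re.match(r"\s*VLAN GROUP(\d+) includes these Ports:\s*(.*)", line)
        p = re.match(r"\s*Port (\d+) PVID=(\d+)", line)
        if g:
            groups[int(g.group(1))] = {int(n) for n in g.group(2).split() if n.isdigit()}
        elif p:
            pvids[int(p.group(1))] = int(p.group(2))
    return groups, pvids

def can_send(groups, pvids, src, dst):
    """Assumed model: a frame entering `src` is classified by PVID[src] and may
    leave only on ports that are members of that group."""
    return src != dst and dst in groups.get(pvids.get(src), set())

def can_talk(groups, pvids, a, b):
    """A ping needs a path in both directions."""
    return can_send(groups, pvids, a, b) and can_send(groups, pvids, b, a)

def audit(groups, pvids, office, control):
    """Flag null or non-member PVIDs and any office/control path, one-way included."""
    findings = []
    for port in sorted(set().union(*groups.values())):
        if port not in groups.get(pvids.get(port), set()):
            findings.append(f"port {port}: PVID {pvids.get(port)} is not one of its groups")
    for o in sorted(office):
        for c in sorted(control):
            if can_send(groups, pvids, o, c) or can_send(groups, pvids, c, o):
                findings.append(f"path between office port {o} and control port {c}")
    return findings

if __name__ == "__main__":
    groups, pvids = parse_info(INFO)
    print(audit(groups, pvids, {1}, set(range(3, 9))) or "segmentation holds")
    print("office <-> PLC ping:", can_talk(groups, pvids, 1, 2))
```

Running the audit on the half-finished configuration (after GROUP4 only) reports the same seven null-PVID ports that the switch warns about.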
Overlapping Port VLAN with N-Tron’s 700 Series
1. Log in to the web interface of the 700 series switch from PC1 using 192.168.1.201 (default IP)
2. Select VLAN in the left-hand parameter column:
3. Select Configuration
4. Select Modify
5. Select Add
6. Create VLAN2 as pictured and select Update.
7. Select Modify
8. Select Add
9. Create VLAN3 as pictured and select Update:
10. Select Modify
11. Select Add
12. Create VLAN4 as pictured and select Update:
13. Go to Ports – Configuration on the side menu, note the ports’ PVID:
14. Select Port 02 and change the PVID to 2, then select Update:
15. The VLAN configuration should match the example:
16. The PVID port configuration should match the example:
Testing Segmentation by Pinging:
Set two PCs to the following IP addresses:
• PC1 – 192.168.1.1 mask: 255.255.255.0
• PC2 – 192.168.1.2 mask: 255.255.255.0
(Make sure Windows Firewall is disabled.)
Physical Layer Setup and Testing:
1. Connect PC 1 into port 1 of the switch
2. Connect PC 2 into port 2 of the switch
3. Try to ping from PC1 in Port 1 to PC2 in Port 2. The ping should succeed because Port 1 is in VLAN 2 and Port 2 is an overlapping port.
4. Move PC1 to Port 3 and try pinging between PCs again. You should be able to ping between PCs in the same VLAN.
5. Now move PC2 from Port 2 to Port 1, leaving PC1 in Port 3. You should not be able to ping between these ports.
Configuring Tagged VLANs
1. Log in to the web interface of the 700 series switch from PC 1
2. Select VLAN in the left-hand parameter column:
3. Select Configuration
4. Select Modify
5. Select Add
6. Configure as pictured and select Update.
VLAN Configuration
Testing Tagged VLANs
1. Physical Layer Setup
• Connect a patch cord between the two 700 switches using port 1.
• Connect PC 1 into port 2 of 700 series.
• Connect PC 2 into port 2 of the other 700 series switch.
• Run a continuous ping from PC1 to PC2 and from PC2 to PC1.
2. Check the status of the ping between PC 1 and PC 2. The pings should now be timing out.
3. Try to ping from PC 1 in port 2 of the 700 series switch to PC 2 in port 2 of the other 700 series switch. You should be able to ping because port 1 is tagged for VLAN 2 and port 2 on both switches is also in VLAN 2. You have created a trunked, tagged link between the switches for VLAN 2.
4. Move PC 2 on the other 700 switch to port 3 and try pinging between PCs again. You should not be able to ping between PCs, as the PCs are in separate VLANs.
5. Move PC 1 onto the 700 switch in port 4. You should be able to ping between switches again.
OVERLAPPING PORT VLAN with N-Tron 9000 Series
Referring to the figure below, using a 9000 series switch, consider the following example where the Office LAN uplink is on Port A1, the PLC is on Port A2, and the Control devices being accessed by the PLC are on ports A3-A6. As in the previous case, the network administrator would like to set up VLAN partitions to keep the Office LAN separate from the Control LAN, but still have the capability to access the PLC from a workstation connected to the Office LAN.
This example shows how to set up the PLC as an overlapping member to both VLAN Group 2 (VID2) and VLAN Group 3 (VID3). To accomplish this, we will create an abstract VLAN (VID4) that has all ports that are being used as secondary members, and only port 2 (the overlapping member) with a PVID of 4. Please note that port 2 is a secondary member of the other two groups as well.
Note: The Default VLAN retains all ports that are not in Groups 2-4.
PORTS (VLAN GROUP ASSIGNMENTS) | MEMBERSHIP | PORTS (PVID ASSIGNMENTS) | PVID
A1 & A2 | VID2 | A1 | 2
A2 - A6 | VID3 | A3 - A6 | 3
A1 - A6 | VID4 | A2 | 4
Web Interface entry to accomplish this setup:
N-TRON/Admin#[54]vlan> vlan add 2 1 -name "Group 2" -untagged 1-2 -admit all [ENTER]
PVID of port 1 is set to 2.
PVID of port 2 is set to 2.
Vlan Added with Vlan id : 2
N-TRON/Admin#[55]vlan> vlan add 3 1 -name "Group 3" -untagged 2-6 -admit all [ENTER]
PVID of port 3 is set to 3.
PVID of port 4 is set to 3.
PVID of port 5 is set to 3.
PVID of port 6 is set to 3.
Vlan Added with Vlan id : 3
N-TRON/Admin#[56]vlan> vlan add 4 1 -name "Group 4" -untagged 1-6 -admit all [ENTER]
Vlan Added with Vlan id : 4
N-TRON/Admin#[57]vlan> port set pvid 2 4 [ENTER]
PVID of port 2 is set to 4.
N-TRON/Admin#[58]port/set> vlan show config [ENTER]
Vlan Configuration Information
-------------------------------------------------------------------------------
VID |Vlan Name |Untagged ports |Tagged ports |Mgmt|Admit |Mirror
-------------------------------------------------------------------------------
1E|Default VLAN| 7-26| | YES|ALL | ---
2E|Group 2 | 1-2| | YES|ALL | ---
3E|Group 3 | 2-6| | YES|ALL | ---
4E|Group 4 | 1-6| | YES|ALL | ---
-------------------------------------------------------------------------------
N-TRON/Admin#[59]vlan/show> stp set bridgeadminstatus 1 disable [ENTER]
Admin Status successfully Set
N-TRON/Admin#[60]stp/set> stp set bridgeadminstatus 2 disable [ENTER]
Admin Status successfully Set
N-TRON/Admin#[61]stp/set> stp set bridgeadminstatus 3 disable [ENTER]
Admin Status successfully Set
N-TRON/Admin#[62]stp/set> stp set bridgeadminstatus 4 disable [ENTER]
Admin Status successfully Set
N-TRON/Admin#[63]stp/set>
Note: The stp set bridgeadminstatus commands above disable RSTP for all four VLANs.
OVERLAPPING TAGGED VLANs
Tagged VLAN allows switch segmentation to span across multiple managed switches. This type of VLAN is ideal for LANs that consist of various types of communication groups such as Office LANs, Controls Systems, and IP Cameras. When used properly, it will effectively isolate two or more groups from each other in a logical manner. This means that Broadcast, Multicast, and Unicast frames in one VLAN will not interfere with another isolated VLAN group.
OVERLAPPING TAGGED VLANs with N-Tron 500 Series
Referring to the figure below, we will create an 802.1Q Tagged VLAN trunk (using Port 1 on each switch) between two 500 Series switches. This application will logically isolate the IT / Office LAN from the Controls System LAN. It will also allow you to use a single physical connection as the VLAN Trunk connecting the two switches. Note that only the two N-Tron switches need to understand tagged VLAN to achieve this, as all other traffic is untagged. You may choose to use the Port Trunking feature between the two 508TX-A switches to provide higher bandwidth and media redundancy.
Command Line Interface (CLI) entry to accomplish this configuration on the N-Tron 500-A Series.
These units offer advanced management features.
CLI\SWITCH\VLAN> group2 [ENTER]
Configure Tagged VLAN Group 2.
Enter VID or <(ESC)> to exit> 2 [ENTER]
Enter ports to Join VLAN Group 2 (Example: ‘367<enter>’)
Enter Port Numbers (or ESC to exit)> 1 2 [ENTER]
Would you like all these ports to have PVID=2 ?
Enter ‘NO’ or (YES):
CLI> yes [ENTER]
For incoming pkts with tagged VID=2, the outgoing pkts are untagged
for ports: 1 2
Would you like to change that ? Enter ‘YES’ or (NO):
CLI> yes [ENTER]
For VID=2 enter ports for outgoing untagged pkts: 2
Wait......
These ports were removed from group1:
1 2
CLI\SWITCH\VLAN> group3 [ENTER]
Configure Tagged VLAN Group 3.
Enter VID or <(ESC)> to exit> 3 [ENTER]
Enter ports to Join VLAN Group 3 (Example: ‘367<enter>’)
Enter Port Numbers (or ESC to exit)> 1 3 4 5 6 7 8 [ENTER]
Would you like all these ports to have PVID=3 ?
Enter ‘NO’ or (YES):
CLI> yes [ENTER]
For incoming pkts with tagged VID=3, the outgoing pkts are untagged
for ports: 1 3 4 5 6 7 8
Would you like to change that ? Enter ‘YES’ or (NO):
CLI> yes [ENTER]
For VID=3 enter ports for outgoing untagged pkts: 3 4 5 6 7 8
Wait......
These ports were removed from group1:
3 4 5 6 7 8
CLI\SWITCH\VLAN> info [ENTER] (to verify configuration)
Tagged VLAN is DISABLED.
When enabled:
All incoming untagged pkts are sent to PVID group.
VLAN GROUP1 has a VID of: 1, and includes these Ports: none
GROUP1 outgoing pkts are untagged for ports: none
VLAN GROUP2 has a VID of: 2, and includes these Ports: 1 2
GROUP2 outgoing pkts are untagged for ports: 2
VLAN GROUP3 has a VID of: 3, and includes these Ports: 1 3 4 5 6 7 8
GROUP3 outgoing pkts are untagged for ports: 3 4 5 6 7 8
There is more info. Press ‘SPACE BAR’ to continue, or escape to exit >
For each port, untagged incoming pkts will use these PVIDs
to determine group membership:
Port 1 PVID=3
Port 2 PVID=2
Port 3 PVID=3
Port 4 PVID=3
Port 5 PVID=3
Port 6 PVID=3
Port 7 PVID=3
Port 8 PVID=3
CLI\SWITCH\VLAN> enable [ENTER]
Tagged VLAN is Enabled.
CLI\SWITCH\VLAN>
[***CYCLE POWER OF SWITCH***]
NOTE: Repeat above steps on the second switch.
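The following model is an added example, not N-Tron or Red Lion code: it applies the tagged VLAN settings from the `info` output above to real frame bytes, showing the 802.1Q tag that crosses the port 1 trunk and which ports on the second switch receive the frame. Flooding without MAC learning, dropping frames whose ingress port is not a member of the VLAN, and all names in the code are assumptions of the example.

```python
import struct

TPID = 0x8100  # 802.1Q tag protocol identifier
# Tagged VLAN settings from the `info` output above (identical on both switches).
MEMBERS = {2: {1, 2}, 3: {1, 3, 4, 5, 6, 7, 8}}
UNTAGGED = {2: {2}, 3: {3, 4, 5, 6, 7, 8}}
PVID = {1: 3, 2: 2, 3: 3, 4: 3, 5: 3, 6: 3, 7: 3, 8: 3}
TRUNK = 1  # port 1 of each switch is cabled to port 1 of the other
# Constructed sample: untagged broadcast ARP-sized frame from a made-up MAC.
FRAME = bytes.fromhex("ffffffffffff" "020000000001" "0806") + bytes(28)

def add_tag(frame, vid, pcp=0):
    """Insert the 4-byte 802.1Q tag after the destination and source MACs."""
    return frame[:12] + struct.pack("!HH", TPID, (pcp << 13) | vid) + frame[12:]

def split_tag(frame):
    """Return (VID, frame without tag), or (None, frame) if untagged."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID:
        return None, frame
    return tci & 0x0FFF, frame[:12] + frame[16:]

def switch(port, frame):
    """Flood one frame (no MAC learning modelled): {egress port: bytes on the wire}."""
    vid, inner = split_tag(frame)
    if vid is None:
        vid = PVID[port]                      # untagged frames go to the PVID group
    if port not in MEMBERS.get(vid, set()):   # assumption: non-member ingress is dropped
        return {}
    return {p: inner if p in UNTAGGED[vid] else add_tag(inner, vid)
            for p in MEMBERS[vid] - {port}}

def deliver(port, frame):
    """Inject a frame on switch A; return (host ports reached on switch B, trunk bytes)."""
    trunk_frame = switch(port, frame).get(TRUNK)
    if trunk_frame is None:
        return {}, None
    return switch(TRUNK, trunk_frame), trunk_frame

if __name__ == "__main__":
    for src in (2, 3):
        reached, wire = deliver(src, FRAME)
        print(f"A:{src} -> B:{sorted(reached)} trunk tag bytes {wire[12:16].hex()}")
```

A frame entering port 2 of the first switch leaves the second switch only on port 2, and a frame entering port 3 leaves only on ports 3-8, which is the Office/Control separation the trunk is meant to preserve.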
Disclaimer
It is the customer's responsibility to review the advice provided herein and its applicability to the system. Red Lion makes no representation about specific knowledge of the customer's system or the specific performance of the system. Red Lion is not responsible for any damage to equipment or connected systems. The use of this document is at your own risk. Red Lion standard product warranty applies.
Red Lion Technical Support
If you have any questions or trouble, contact Red Lion Technical Support by calling 1-877-432-9908.
For more information: http://www.redlion.net/support/policies-statements/warranty-statement