This article explains the three different VLAN modes available in OneView™ and how each affects device communication on your OT network.
The term VLAN stands for Virtual Local Area Network, and every Ethernet port in an Optigo Connect system can be configured with one of three VLAN modes: Access, Trunk, or Local.
The image below shows an example of a typical network setup with VLAN Access and Trunk ports (note that the example image uses VLAN 10 for OneView™ management).
VLAN Mode Access
Typically, VLAN Access mode is used for ports connected to end devices (e.g. cameras, BAS controllers, etc).
The default VLAN mode for all ports is Access. All D-ports and C-ports configured as Access will only allow untagged (u) traffic with a specific VLAN ID (ranging from 1 to 4050 on Connect systems) to flow in and out. Only ports with the same VLAN ID can pass traffic to, or "see", each other. This applies to all of the ports in the entire Connect system, regardless of which edge switch or optical port they are connected to (note that ONS-S2-based systems require peer-to-peer mode to be enabled before traffic can pass between edge switches).
Use Case:
Let's say you have a Connect system containing HVAC devices, access control devices, and IP cameras, but you want to isolate these device groups from each other.
To do so, you could go into OneView™ and set all designated HVAC ports as VLAN mode Access with VLAN ID 100, all access control ports as VLAN mode Access with VLAN ID 200, and all IP camera ports as VLAN mode Access with VLAN ID 300.
Even though each edge switch in your Connect system might have devices of all three types connected to it, the system will operate as if each device group is physically connected to a completely separate network.
VLAN Mode Trunk
Typically, VLAN Trunk mode is used to connect switches to each other (e.g. ONS-S8 to an IT router/core-switch).
All D-ports and C-ports configured as VLAN mode Trunk will only allow tagged (t) traffic with a specific set of VLAN IDs (ranging from 1 to 4050 on Connect systems) to flow in and out, and they can only be connected to other Trunk ports with the same set of VLAN IDs. In the right situations, Trunk ports greatly reduce port count and cabling.
Use Case:
Expanding on the previous example, perhaps each group of devices will be managed with completely different equipment. For instance, the HVAC network may need to be managed from a dedicated PC, the access control network from another dedicated PC, and the IP camera network may need to be connected to an NVR and a computer running VMS software. All of these machines might be connected to a single core switch that isn't even in the same room as the ONS-S8. Without Trunk mode, that could require 4 separate Ethernet cables and use up 4 separate D-ports on the ONS-S8.
However, if you configure one of the ONS-S8's D-ports as VLAN mode Trunk with VLAN IDs 100, 200, and 300, you can just connect that port to a tagged (t) port on the core switch that is also configured with VLAN IDs 100, 200, and 300. Then, elsewhere on that same core switch, you simply configure one untagged (u) port with VLAN ID 100, another untagged port with VLAN ID 200, and then two more untagged ports with VLAN ID 300 (one for the NVR and one for the VMS PC).
Note that in an Optigo Connect system, fiber ports (S-port to OPT) interconnecting an Aggregation Switch (ONS-S2 or ONS-S8) and Edge Switches (e.g. ONS-C2401p) are automatically configured as VLAN Trunk ports. The user does not need to configure these fiber ports, because the configuration is handled by Optigo Connect/OneView™.
VLAN Mode Local
All D-ports and C-ports configured as VLAN mode Local will only allow untagged (u) traffic with no VLAN ID to flow in and out of ports that are also configured as VLAN mode Local, and only on the same edge switch. You can configure ports on other edge switches as VLAN mode Local, but they will only be able to pass traffic between themselves on that same switch, not across switches.
Use Case:
If you have a set of devices connected to ports on a single edge switch, and you would like them to communicate with each other, but be isolated from the rest of your Connect system, simply configure them all as VLAN mode Local.
IMPORTANT:
Never connect a D-port on the ONS-S8 to a C-port on an edge switch that is managed via OneView™: doing so creates a loop, which disables management of that edge switch.
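As an added illustration (not OneView™ or Optigo code), the reachability rules from the Access, Trunk and Local sections above written as a small Python model that can be used to sanity-check a planned port assignment. Switch and port labels such as EDGE-1/C1 are constructed, and the `peer_to_peer` flag stands in for the ONS-S2 setting mentioned under Access mode.

```python
from dataclasses import dataclass

# Hypothetical model of the port rules this article describes; not OneView's own code.
VALID_VLAN_IDS = range(1, 4051)  # 1..4050 on Connect systems, as stated above


@dataclass(frozen=True)
class Port:
    switch: str                     # constructed label, e.g. "ONS-S8" or "EDGE-1"
    name: str                       # constructed label, e.g. "D1" or "C3"
    mode: str                       # "Access", "Trunk" or "Local"
    vlans: frozenset = frozenset()  # one ID for Access, a set for Trunk, empty for Local


def validate(port: Port) -> None:
    """Reject port settings the article says are not possible."""
    label = f"{port.switch}/{port.name}"
    if port.mode not in ("Access", "Trunk", "Local"):
        raise ValueError(f"{label}: unknown VLAN mode {port.mode!r}")
    if port.mode == "Access" and len(port.vlans) != 1:
        raise ValueError(f"{label}: Access needs exactly one VLAN ID")
    if port.mode == "Trunk" and not port.vlans:
        raise ValueError(f"{label}: Trunk needs a set of VLAN IDs")
    if port.mode == "Local" and port.vlans:
        raise ValueError(f"{label}: Local carries untagged traffic with no VLAN ID")
    if any(v not in VALID_VLAN_IDS for v in port.vlans):
        raise ValueError(f"{label}: VLAN IDs must be in 1..4050")


def same_segment(a: Port, b: Port, peer_to_peer: bool = True) -> bool:
    """Can devices on ports a and b exchange traffic?
    Access: same VLAN ID anywhere in the system (ONS-S2 systems also need
    peer-to-peer mode for the cross-switch case). Local: same edge switch only.
    Trunk: pairs only with a Trunk port holding the identical VLAN ID set."""
    validate(a)
    validate(b)
    if a.mode != b.mode:
        return False
    if a.mode == "Local":
        return a.switch == b.switch
    if a.mode == "Access" and a.switch != b.switch and not peer_to_peer:
        return False
    return a.vlans == b.vlans


if __name__ == "__main__":
    # Constructed layout from the Access use case: HVAC=100, cameras=300, plus two Local ports.
    hvac = Port("EDGE-1", "C1", "Access", frozenset({100}))
    cam1 = Port("EDGE-1", "C3", "Access", frozenset({300}))
    cam2 = Port("EDGE-2", "C1", "Access", frozenset({300}))
    loc1, loc2 = Port("EDGE-2", "C5", "Local"), Port("EDGE-3", "C5", "Local")
    print(same_segment(hvac, cam1), same_segment(cam1, cam2), same_segment(loc1, loc2))
```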