Glossary

VLAN

A VLAN (Virtual Local Area Network) is a logical network segment created on shared physical switches to separate traffic and control communication.

A VLAN, or Virtual Local Area Network, is a logical network segment defined on a shared physical switching infrastructure. It allows network administrators to separate and control traffic as if there were multiple independent LANs, even though devices may be connected to the same physical switches and cabling.

Core concept

In a VLAN-based network, switch ports are assigned to one or more VLAN IDs. Devices connected to ports in the same VLAN can communicate at Layer 2 (Ethernet) as if they were on the same physical network segment. Devices in different VLANs can communicate only through routing or a Layer 3 device.

VLANs are commonly configured using IEEE 802.1Q tagging, where Ethernet frames carry a VLAN ID so switches can keep traffic for different VLANs logically separated on shared links.
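
How an 802.1Q tag carries the VLAN ID, shown as an added example that is not part of the original glossary entry: a Python parser that reads the 12-bit VLAN ID from a raw Ethernet frame and compares it with the VLAN IDs documented for a trunk link. The sample frames, MAC addresses, and the documented VLAN set are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an IEEE 802.1Q tag

def parse_vlan_tag(frame: bytes):
    """Return (vlan_id, priority, dei, inner_ethertype) for a tagged frame,
    or None for an untagged one. Raises ValueError on a truncated frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)  # after dst + src MAC
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("802.1Q tag truncated")
    # TCI: 3-bit priority, 1-bit drop-eligible flag, 12-bit VLAN ID
    tci, inner = struct.unpack_from("!HH", frame, 14)
    return (tci & 0x0FFF, tci >> 13, (tci >> 12) & 1, inner)

def check_frame(frame: bytes, allowed_vlans: set) -> str:
    """Classify a frame against the VLAN IDs documented for a trunk link."""
    tag = parse_vlan_tag(frame)
    if tag is None:
        return "untagged"
    vid = tag[0]
    if vid in (0, 4095):  # 0 = priority tag without a VLAN, 4095 = reserved
        return "reserved-vid"
    return "allowed" if vid in allowed_vlans else "unexpected-vlan"

# Constructed sample frames (locally administered MACs, zero-filled payload).
MACS = bytes.fromhex("0200000000aa") + bytes.fromhex("0200000000bb")

def sample_frame(vid=None, pcp=0):
    if vid is None:
        return MACS + struct.pack("!H", 0x0800) + bytes(46)
    return MACS + struct.pack("!HHH", TPID_8021Q, (pcp << 13) | vid, 0x0800) + bytes(46)

if __name__ == "__main__":
    documented = {110, 120}  # hypothetical VLAN IDs documented for the link
    for frame in (sample_frame(110, pcp=5), sample_frame(999), sample_frame()):
        print(parse_vlan_tag(frame), check_frame(frame, documented))
```

A frame classified as "unexpected-vlan" or "reserved-vid" on a link where only documented VLANs should appear is a cue to compare the switch configuration with the network documentation.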

Use in industrial and regulated environments

In industrial operations, VLANs are frequently used to:

  • Separate office IT networks from OT networks on the same physical infrastructure
  • Group control system components, such as PLCs, HMIs, and SCADA servers, into dedicated broadcast domains
  • Limit broadcast traffic and reduce congestion on control networks
  • Implement network-based access controls between systems involved in manufacturing, quality, MES, and ERP integration

In regulated environments, VLANs are often part of documented network architectures, supporting segmentation requirements and security controls. They are a technical mechanism that can help implement higher-level security or functional groupings but do not define those groupings by themselves.

Relationship to zones and segments

VLANs are sometimes used to support concepts such as security zones or network segments:

  • A security zone (for example, in IEC 62443) is a grouping based on risk, function, and required security controls.
  • A VLAN is a Layer 2 network construct based on switch configuration and VLAN IDs.

A single security zone may span multiple VLANs, and a single VLAN may contain devices from multiple zones, depending on how the network is designed. Clear mapping, routing rules, firewall policies, and documentation are important so that VLAN configurations align with intended zoning and segregation.

What a VLAN is not

  • It is not a physical network by itself; it relies on underlying switches, cabling, and routers.
  • It is not a complete security solution; additional controls such as firewalls, access control lists, and monitoring are usually required.
  • It is not the same as an IP subnet, although VLANs and subnets are often aligned one-to-one for simplicity.

Common confusion

  • VLAN vs. subnet: A VLAN is a Layer 2 construct; a subnet is a Layer 3 IP addressing construct. They are often paired but are technically independent.
  • VLAN vs. security zone: A VLAN is a network implementation tool; a zone is a conceptual grouping defined by risk and functional criteria. VLANs may help implement zones but do not define them.
  • VLAN vs. physical segment: Physical segments depend on cabling and hardware separation, while VLANs overlay logical separation on shared hardware.
