Application Guide

Volume I

AG2015-17

Implementing IEEE 802.1Q VLANs on an SEL-2730M Managed Ethernet Switch
Tom Bartman and Kevin Carson

INTRODUCTION
Virtual local-area networks (VLANs) separate Ethernet networks into multiple domains. For
example, one local-area network (LAN) can be logically separated into multiple domains, such as
an engineering domain and a production domain, using VLANs. The main reason for this
separation is broadcast control. The normal operation of a network relies on messages known as
broadcasts, which are normally sent to all ports on a device, such as an Ethernet switch. As
networks grow in size, these broadcasts begin to consume more bandwidth. By separating a
network into smaller VLANs, the broadcast traffic is only communicated to ports on the
applicable VLAN.
The IEEE 802.1Q standard defines how Ethernet switches tag and process Ethernet frames for
VLANs. This is done with a 12-bit VLAN identifier (ID) that is added to the standard Ethernet
frame. This method of tagging with a VLAN ID is how the switches are able to separate the
traffic into the different broadcast domains on one switch or a network of connected switches.
It is important to note that an information technology (IT) network is configured and applied
differently than an operational technology (OT) network. An OT network typically supports
machine-to-machine communications, whereas an IT network supports user-to-user or
user-to-machine communications. These differences and how they affect the configuration of the
Ethernet switches are discussed in the next section.
This application guide describes how to configure VLANs on the SEL-2730M 24-Port Managed
Ethernet Switch. You will create a VLAN, assign ports to the VLAN, and modify the VLAN to
learn how a change is made. You will also create a tagged port for OT network applications to
enable the passage of Generic Object-Oriented Substation Event (GOOSE) traffic.
In this application guide, you will learn the following:

The difference between IT and OT networks.

How to create two VLANs on the SEL-2730M.

How to create a tagged port for use with GOOSE traffic.

Date Code 20150507

SEL Application Guide 2015-17

SECTION 1: CONFIGURATION OF VLANS IN IT AND OT NETWORKS


In most IT network applications, VLAN tagging is a function of the Ethernet switches
themselves. The end devices are completely unaware that a VLAN tag has been applied and
removed during the transmission of the frame through the network, as shown in Figure 1.
[Diagram: Untagged Frame | SEL-2730M | Tagged Frame | SEL-2730M | Untagged Frame]

Figure 1 Untagged VLAN Application for an IT Network

An end device can be connected to an untagged port. The switch can be configured to have one or
multiple untagged VLANs. Any physical port can be assigned to only one untagged VLAN. A
serial port cannot be assigned to multiple untagged VLANs. For two devices to communicate
through the switch using the untagged VLAN, they must be plugged into Ethernet switch ports
that are both assigned to the same untagged VLAN. When an end device sends an untagged
Ethernet frame, the switch applies the VLAN ID to the incoming Ethernet frame as it enters the
switch and this tag stays with the frame in that switch or as it is forwarded to adjacent switches.
The last switch removes the tag before sending the untagged frame to the destination.
In the example in Figure 1, an Ethernet frame egresses the computer and ingresses an untagged
port in the first SEL-2730M Switch. Because the port is assigned to a VLAN, the switch applies
an IEEE 802.1Q VLAN tag before forwarding the frame across a link. At the destination, the
second SEL-2730M removes the VLAN tag and forwards the frame to the end device. The
sending and receiving devices are unaware that the frame was tagged. This system is known as an
untagged VLAN because the source and destination frames are untagged. The tagging operation
is a function that occurs within the Ethernet switches.
Some networks, however, contain end devices, such as relays, that apply VLAN tags to the
Ethernet packets before they are sent to the Ethernet switch. An example of this type of
application is sending GOOSE messages between protective relays. For this type of application, a
tagged VLAN is required.
Unlike an untagged network, where the Ethernet switches perform the tagging function, a tagged
VLAN simply passes the Ethernet frame along and neither applies nor removes the tag, as shown
in Figure 2.
[Diagram: SEL Relay | Tagged Frame | SEL-2730M | Tagged Frame | SEL-2730M | Tagged Frame | SEL Relay]

Figure 2 Tagged VLAN Application for GOOSE Messaging

In the example in Figure 2, the Ethernet frame sent by the protective relay for a GOOSE message
already has the VLAN tag applied. The Ethernet switch passes the Ethernet frame between the
ports where the relays communicating with GOOSE messages are connected. For the Ethernet
switch to pass along an Ethernet frame with that particular VLAN tag, the port that the frame is
ingressing or egressing must be configured as a tagged port for the VLAN assigned to the frame.
The use of tagged VLANs on managed switches for IEC 61850 is a good engineering practice. If
GOOSE messages are used without untagged VLANs configured on the switch, then the GOOSE
message is broadcast to all of the ports on that switch. The use of tagged VLANs allows the
GOOSE messages to be received only by the end devices that need to process these messages.
This prevents other devices from receiving and processing GOOSE messages that were not
intended for them, which eases the processing burden of these devices.
In Figure 3, two protective relays are participating in GOOSE messaging with a VLAN ID of
120. For the Ethernet switches to forward the frames across this network, the ingress and egress
ports of the Ethernet switches must be set as tagged ports and the VLAN ID for these tagged ports
must be set to 120. Ports on an Ethernet switch can be assigned to several tagged VLANs
simultaneously.
[Diagram: two SEL Relays connected through two SEL-2730M switches on Ports 1 and 2, VLAN 120]

Figure 3 Tagged VLANs for GOOSE Messaging

The following sections describe how to set up an untagged VLAN to separate an engineering
network from a production network. You will also set up a tagged VLAN for forwarding GOOSE
traffic among devices.

SECTION 2: CREATING VLANS


After completing this section, you will have an Ethernet switch configured with two VLANs set
for the following:

Engineering VLAN (14) on Ports 9, 10, 12, 13, 14, 15, and 16.

Production VLAN (15) on Ports 20, 21, 22, 23, and 24.

In addition to these two VLANs, you will create a tagged VLAN for GOOSE traffic on Ports 4
and 5.

Enabling VLAN-Aware Setting and Configuring VLANs on Specific Ports


Step 1
To configure VLANs, you must first enable the VLAN-aware setting. From the Dashboard of the
SEL-2730M web interface, select the Global Settings page and select the VLAN-aware check
box. Click Submit. This is shown in Figure 4.

Figure 4 Enable VLAN-aware

Step 2
Now that VLANs are enabled, the specific ports can be assigned to the various tagged or
untagged VLANs. Click on VLAN Settings under Switch Management, and click the plus sign
(+) beneath the VLAN table in order to add a new VLAN. This is shown in Figure 5.

Figure 5 Adding a VLAN

Step 3
Enter the desired VLAN ID and choose a name for the VLAN. For this example, assign 14 as the
VLAN ID (VID) and call it Engineering. Enter the specific ports to assign to the Engineering
VLAN (14) under the Untagged Ports heading. For this example, enter 12, 13, 14, 15, and 16.
You are configuring these ports as untagged because the source and destination frames are
untagged. The tagging operation is a function of the Ethernet switches. Figure 6 shows that Ports
12, 13, 14, 15, and 16 are assigned to the Engineering VLAN.

Figure 6 Configuring the VLAN

Step 4
Click Submit. The settings are saved to the SEL-2730M and a green banner is displayed,
notifying you that the settings were successfully updated. You can see in Figure 7 that the ports
that were assigned to the Engineering VLAN (14) were removed from the Default VLAN (1).
This is because any specific Ethernet port can only be assigned to one untagged VLAN at a time.

Figure 7 Successful VLAN Addition

The completed VLAN configuration is displayed in the Port View tab of the VLAN Settings
page, as shown in Figure 8.

Figure 8 VLAN Configuration View

Updating an Existing VLAN


Sometimes a VLAN requires updating. One such example is the need to add additional ports to a
particular VLAN. In the following example, Ports 9 and 10 are added to the Engineering VLAN
(14).
Step 1
From the VLAN Settings page, click inside the Untagged Ports box, as shown in Figure 9.

Figure 9 Updating an Existing VLAN

Step 2
Add Ports 9 and 10 as shown in Figure 10.

Figure 10 Adding Ports 9 and 10 to the Engineering VLAN

Step 3
Click Submit to save the changes to the SEL-2730M. The green banner is displayed (shown in
Figure 11), notifying you that the settings were successfully updated.

Figure 11 Successfully Updating an Existing VLAN

Step 4
Verify that Ports 9 and 10 have been added to the Engineering VLAN (14) by viewing the table in
the Port View tab, as shown in Figure 12.

Figure 12 Port View Showing Ports 9 and 10 Added to VLAN 14

Creating the Remaining VLAN


Step 1
Create the Production VLAN with a VLAN ID of 15, name it Production, and add Ports 20 to 24
to this VLAN. In the VLAN Settings page, click the plus button (+) to add a VLAN, as shown in
Figure 13. Enter the VLAN ID (VID), VLAN Name, and ports. Click the Submit button to save
the configuration changes.

Figure 13 Adding the Production VLAN

Step 2
Verify that the ports have been configured correctly by viewing the table in the Port View tab, as
shown in Figure 14. Notice that Ports 20 to 24 have been added to the Production VLAN (15),
and removed from the Default VLAN (1).

Figure 14 Port View Showing Ports 20 to 24 Added to VLAN 15

SECTION 3: CREATING TAGGED VLANS FOR GOOSE TRAFFIC


In Section 2, you added two untagged VLANs commonly used in an IT application. This is in
addition to the default untagged VLAN (Default with VLAN ID 1) on the switch. The Ethernet
switch provides VLAN tagging for an untagged VLAN, and the end devices are unaware that the
tagging is taking place inside the switch. For a GOOSE messaging application, the end devices
apply the VLAN ID tags to the Ethernet frames and the managed switch is programmed to allow
the ingress and egress of these Ethernet frames on specific ports.
In this section, you will create a tagged VLAN used in GOOSE messaging and configure Ports 4
and 5 to be tagged for VLAN 120. This will allow GOOSE traffic with a VLAN ID of 120 to
ingress and egress through these ports. In this exercise, assume two IEDs are connected to Ports 4
and 5 of the SEL-2730M.

Adding a Tagged VLAN


Step 1
From the VLAN Settings page, click the plus button (+) to add an entry.
Step 2
Enter 120 as the VLAN ID (VID), and choose a name for the VLAN. For this example, use GOOSE.
Enter Ports 4 and 5 as the tagged ports, and click the Submit button. This is shown in Figure 15.

Figure 15 Adding the GOOSE VLAN

Verifying That Tagged Ports Are Configured


Step 1
Verify that the settings were updated successfully. Figure 16 shows the green verification bar.

Figure 16 Successfully Updating the GOOSE VLAN

Step 2
Verify that the ports have been configured correctly by viewing the table in the Port View tab, as
shown in Figure 17. Ports 4 and 5 will now allow the ingress and egress of GOOSE traffic from
connected devices with a VLAN ID of 120.

Figure 17 Port View Showing Ports 4 and 5 Added to VLAN 120

Step 3
When tagged ports are used, the connected device applies the VLAN ID to the Ethernet frame.
The setting for the VLAN ID for an SEL-451-5 Protection, Automation, and Bay Control System
GOOSE message is shown in Figure 18. ACSELERATOR Architect SEL-5032 Software is used
for configuring SEL devices for GOOSE messages. It is important to note that the VLAN ID is
set in Architect as a hexadecimal number, but the VLAN ID in the SEL-2730M Switch is set as a
decimal number. In Figure 18, the VLAN ID is set to 78 hexadecimal (0x078), which is
equivalent to 120 decimal.

Figure 18 Architect VLAN ID Setting
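
An added model (not SEL code and not an SEL-2730M interface) of the configuration built in Sections 2 and 3, showing which ports a flooded frame reaches and why a decimal value typed into Architect's hexadecimal field leaves GOOSE frames undelivered. It assumes flooding within each VLAN, that a tagged frame is accepted only on a member port, and that Ports 4 and 5 remain untagged members of the Default VLAN.

```python
# Simplified model of the guide's finished configuration. Assumptions: frames are
# flooded within their VLAN (no MAC learning), and a tagged frame is accepted
# only on a port that is a member of that VLAN. Not SEL firmware behaviour.
ALL_PORTS = set(range(1, 25))  # 24-port switch

def build_table():
    """VLAN table from Sections 2 and 3; unclaimed ports stay in Default (1)."""
    table = {
        14: {"untagged": {9, 10, 12, 13, 14, 15, 16}, "tagged": set()},  # Engineering
        15: {"untagged": {20, 21, 22, 23, 24}, "tagged": set()},         # Production
        120: {"untagged": set(), "tagged": {4, 5}},                      # GOOSE
    }
    claimed = set().union(*(v["untagged"] for v in table.values()))
    table[1] = {"untagged": ALL_PORTS - claimed, "tagged": set()}
    return table

def untagged_conflicts(table):
    """Ports listed as untagged in more than one VLAN (only one is allowed)."""
    seen, bad = set(), set()
    for entry in table.values():
        bad |= seen & entry["untagged"]
        seen |= entry["untagged"]
    return bad

def architect_vid(hex_text):
    """Architect takes the VLAN ID in hexadecimal; the switch takes decimal."""
    return int(hex_text, 16)

def forward(table, in_port, frame_vid=None):
    """Return {egress_port: 'tagged' | 'untagged'}; empty if the frame is dropped."""
    if frame_vid is None:  # untagged frame: the ingress port's untagged VLAN applies
        vid = next((v for v, e in table.items() if in_port in e["untagged"]), None)
    else:                  # tagged frame: the ingress port must be a member
        entry = table.get(frame_vid, {"untagged": set(), "tagged": set()})
        vid = frame_vid if in_port in entry["untagged"] | entry["tagged"] else None
    if vid is None:
        return {}
    out = {p: "untagged" for p in table[vid]["untagged"]}
    out.update({p: "tagged" for p in table[vid]["tagged"]})
    out.pop(in_port, None)
    return out

if __name__ == "__main__":
    t = build_table()
    print(forward(t, 12))                       # Engineering device on Port 12
    print(forward(t, 4, architect_vid("078")))  # relay GOOSE, VID 0x078 = 120
    print(forward(t, 4, architect_vid("120")))  # decimal typed as hex: 0x120 = 288
```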

CONCLUSION
This application guide describes how to enable VLANs in the SEL-2730M Managed Switch,
including how to create a VLAN, assign specific ports to a VLAN, update a VLAN, and create a
tagged VLAN for GOOSE applications. Key points include the following:

VLANs are for network separation, not for security.

A VLAN provides efficiency by creating smaller broadcast domains through limiting the
size of networks.

Untagged VLANs are transparent to the endpoints and are typically used in IT networks.

Tagged VLANs are for cases where the devices apply the VLAN IDs, such as GOOSE
traffic, and are typically used in OT networks, where machine-to-machine
communications are used.

This application guide also demonstrates the capabilities of the SEL-2730M Managed Switch in
VLAN applications.

FACTORY ASSISTANCE
We appreciate your interest in SEL products and services. If you have questions or comments,
please contact us at:
Schweitzer Engineering Laboratories, Inc.
2350 NE Hopkins Court
Pullman, WA 99163-5603 USA
Telephone: +1.509.332.1890
Fax: +1.509.332.7990
www.selinc.com info@selinc.com

© 2015 by Schweitzer Engineering Laboratories, Inc. All rights reserved.
All brand or product names appearing in this document are
the trademark or registered trademark of their respective
holders. No SEL trademarks may be used without written
permission.
SEL products appearing in this document may be covered by
U.S. and Foreign patents.
