How to choose between managed and unmanaged switches

Industrial automation systems need hardened networking equipment to deliver required performance and cybersecurity, and designers also must consider whether unmanaged switches are sufficient, or if the step up to managed switches is warranted

By Bill Dehner January 29, 2021

In a world where fabulously fast and relatively reliable Ethernet — in wired and Wi-Fi formats — has become so familiar to consumers of all ages and technical abilities, it is tempting to think industrial automation systems can be connected to any available networking gear. After all, people regularly link their portable devices, entertainment electronics and even home automation components to the local network, and in turn to the cloud, with mostly good results.

The “mostly” qualifier is why industrial products must be specified for industrial solutions. While any networking failure in a general consumer setting is usually more of a nuisance than a crisis, industrial systems are constantly transacting time-sensitive data, even input/output (I/O) signals in some cases, via Ethernet. These signals often are informational and optional to some degree, but responsive I/O and interlock signaling is necessary to avoid equipment damage, wasted product and data loss — while providing required personnel safety.

Industrial-oriented network switches, powered by robust and redundant sources and connected with quality media and fittings, are readily available and can be found at a range of price points. But users must actively choose between basic unmanaged switches, which can be sufficient for some applications, or managed switches, which can offer significant operating benefits but cost more to procure and configure. This article looks at how designers can determine if they can make do with an unmanaged Ethernet switch, and when a managed switch is needed.

Industrial-grade and more

While data center Ethernet switches were available and designed to meet stringent performance requirements, any switch to be installed in a field environment needed to withstand even greater extremes of temperature, vibration and electrical noise immunity. Early attempts at industrial-grade Ethernet switches were low-volume specialty products and far more expensive than commercial counterparts.

As Ethernet became prevalent in all levels of industrial automation – from field signals, to controllers and at the supervisory level – economies of scale helped industrial switches reach more mainstream pricing levels. Improved electronics led to lower power consumption and heat generation, making it possible to remove trouble-prone fans. Designers gained a wide range of network hardware options so they could easily make connections as needed from the field to the control panel, to the server room. Soon there was little reason, beyond saving a few dollars, to use anything other than industrial-grade switches.

What was not always as obvious was when to choose a basic plug-and-play unmanaged switch, or when to take the leap toward a managed switch. The operational technology (OT) personnel charged with selecting automation networking components were not always deeply familiar with the information technology (IT) concepts, and corresponding benefits associated with managed switches.

When to go managed

For a typical piece of original equipment manufacturer (OEM) industrial equipment automated by a programmable logic controller (PLC) with I/O, a human-machine interface (HMI), and other miscellaneous smart devices, a small unmanaged industrial switch is often the best choice and can be had for prices starting under $100. These devices are easy to use, provide plenty of network speed and are available for use with copper or fiber media. For simple budget-conscious projects, they may be the best way to go.

But once the device count goes higher, or a formerly standalone piece of automated equipment will be interconnected within a plant with dozens or hundreds of other systems and intelligent devices on the local area network (LAN), greater networking concerns emerge (see Figure 1). On a home or office network, traffic overload and other network problems might simply delay email delivery or slow down playback of a video until the issue is resolved. On an industrial control network, however, traffic overload can cause improper equipment operation.

Five of the most common situations where a managed switch becomes necessary are when there are requirements for one or more of the following:

  • Enhanced traffic filtering
  • Network redundancy
  • Comprehensive security
  • Deeper troubleshooting and diagnostic information
  • Overall better network “awareness” for users and automation platforms.

The following sections explore why each of these needs is a compelling reason to specify a managed switch.

Taming the traffic

To minimize networking delays, and therefore improve the level of determinism on any network, it is important that communication data packets be transmitted from the source to the target device. When packets are transmitted where they are not needed, then destination devices expend resources to handle the packet, delaying processing of critical communications.

Modern unmanaged switches can perform a degree of packet filtering, alleviating this issue somewhat. But there are many types of packets that cannot be effectively identified and filtered by an unmanaged switch, so these devices end up forwarding unneeded packets to all connected devices.

Managed switches include several capabilities to improve traffic filtering in commercial and industrial environments:

  • Multicast filtering: Multicast packets are common with control systems and are indiscriminately forwarded by unmanaged switches. Managed switches perform Internet group management protocol (IGMP) snooping to learn when these packets are needed and selectively forward them.
  • Virtual LANs (VLANs): Managed switches offer VLANs so users can logically separate network traffic on one physical installation. This effectively groups devices so each group does not receive traffic from other groups.
  • Traffic priority: Using quality of service (QoS) features enables devices to prioritize the packets they are sending, allowing managed switches to handle each packet based on its priority.

The preceding features assume a functioning network, but additional aspects must be considered to overcome any hardware or media (cabling) failure.

Redundancy recommendations

A basic unmanaged Ethernet network only allows one point-to-point connection, or path, between any two device ports on the network. If more than one path creates a loop between devices on such a network, then packets circulate endlessly through the loop, causing a network storm, which sooner or later overwhelms the network with traffic. However, a consequence of single paths is any hardware, power or cable failure will interrupt communications.

A significant benefit of managed switches over unmanaged switches is redundancy capabilities. Two common approaches are:

  • Rapid spanning tree protocol (RSTP): This IT-based protocol allows designers to create multiple paths – and therefore rings – on a network, because the managed switch uses RSTP to determine and control which single path should be used, and which alternate path to switch to if trouble is detected. Network storms are averted, but RSTP can be too slow to respond in a useful way for automation applications.
  • Ring protocols: Ring protocols are available to connect switches in rings, which recover from network failure much faster than RSTP, and quickly enough for many critical automation applications. Ring protocols are not standardized but are instead specific to certain makes and models of switches (see Figure 2).

For the cost of upgrading to managed switches and installing some extra cable runs, industrial automation projects with more than a few switches will experience far greater network resilience by implementing a ring protocol.

Superior security

Security to protect from accidental or malicious activity is desirable in any network, and crucial for automation networks that operate physical equipment and contain valuable data. Unmanaged switches forward packets, but managed switches provide an additional level of protection in the form of:

  • Port control: Users can disable unused ports to help limit unauthorized access.
  • Management and browser security: These settings, involving passwords and industry-standard HTTPS using SSL, ensure unauthorized parties or applications cannot disrupt switch and networking settings.

Deeper diagnostics

When networking problems do occur, technicians need useful information as quickly as possible for troubleshooting. Unmanaged switches typically do not support this type of diagnostics, but managed switches can provide the necessary visibility in a few ways:

  • Port monitoring: For detailed troubleshooting, this feature allows a technician to identify a port to be investigated, so all that port data is mirrored to another available port. Users can connect their PC to the mirror port and use software like Wireshark to examine the content of packets.
  • Network statistics: Managed switches provide network statistics pages in the configuration, which are accessible to users with a web browser connection and the proper credentials. The data on these pages can help identify broken packets, for example, which may be caused by faulty field wiring.

Abundant awareness

Traffic, redundancy, security and diagnostics are important — but if the automation system and the users are not made aware of problems — then there is no way to avoid the trouble before it becomes critical. The right managed switches can provide awareness in support of smarter automatic decisions to get technicians involved as soon as possible, but only when necessary.

There are many ways to integrate network awareness into automation systems using managed switches:

  • Modbus TCP and EtherNet/IP: Managed switches oriented for industrial automation applications can provide diagnostics tags, which can be read by PLCs over Ethernet using the Modbus TCP or EtherNet/IP protocol. If network problems are indicated, PLCs can use this information to take action, such as stopping the equipment or notifying operators via the HMI. More advanced managed switches may allow full management capability using these protocols.
  • Simple network management protocol (SNMP): When managed switches incorporate SNMP, users can take advantage of many software tools able to query or receive “traps” generated by the switch, and to indicate hardware health or other network events.
  • Alarm outputs: For users who prefer to keep things simple and not use a communications protocol with a switch, some industrial managed switches provide a hardwired relay output to report power redundancy failure to a PLC digital input.
  • Spanning tree or network ring status: It is important for users to know when the spanning tree or network ring status has changed because this indicates a normal network path has experienced a failure. Managed switches can indicate this type of issue to the automation system, so users can be prompted to identify and resolve the primary problem before a secondary problem causes a network failure.
  • Media access control (MAC) table: Personal networks at home and commercial networks at retail businesses are likely to have many new users coming and going. Industrial networks, on the other hand, usually have a stable number of client stations. Therefore, technicians can monitor the table of MAC identifications maintained by a switch to detect unexpected changes.

When an automation system commands a valve to shift or a motor to run, the end device can be monitored by sensors so the action may be verified – and alarmed if it fails to happen. Using managed switches, designers can perform a similar type of closed-loop verification for network operation using feedback from the switches.

Taking these steps ensures the best possible network awareness and enables the automation system to take action and keep users informed. Critical operations deserve this level of protection.

Moving to managed

Unmanaged switches are certainly suitable and economical for connecting a few devices together with an understanding of low priority networking limitations. However, for many automation applications the cost increase of moving to managed switches over unmanaged switches is not a major impact.

For many applications designers should consider the immediate and future benefits of managed switches and specify them for situations where they would previously have used unmanaged switches (see Table 1).

A managed switch does demand more user configuration than a simple plug-and-play unmanaged switch. However, browser interfaces and configuration guides have simplified this task to a great extent, which means OT personnel can configure and manage industrial networks without needing IT involvement.

For most any type of industrial automation project, users are likely to find the somewhat higher cost premium for a managed switch will yield significant benefits for operating, securing, and maintaining an automation system.

Original content can be found at Control Engineering.


Author Bio: Bill Dehner has spent the majority of his 14-year engineering career designing and installing industrial control systems for the oil and gas, power and package handling industries. He has a BSEE with an associate degree in avionics from the USAF and is currently working for AutomationDirect as a technical marketing engineer.