VLAN Question

curlyandshemp (Lifetime Supporting Member; joined Jul 2005; Toronto; 1,903 posts)
Our company has been asked to review the Ethernet network in an out-of-town plant owned by one of our customers.

Currently the plant has about 60 Ethernet devices, all on the same subnet. These devices are a combination of PFlex VFDs, PV+s, 1756 EIP IO, ControlLogix 1756-ENBT, EIP Numatics solenoid blocks, NET-ENI modules for programming MicroLogix PLCs, CompactLogix L32Es, an RSLogix 5000 PC for support, and SCADA (RSView and Ignition).

Needless to say, the network has serious response issues and online programming is virtually impossible.

Scenario #1
We proposed a solution of splitting the overall network into two physical networks: one network would consist of HMIs, NET-ENI modules and SCADA, with Ethernet home runs back to a central switch in a new IT closet, and the other of EIP IO, VFDs, 1756-ENBTs and CompactLogix L32Es, with home runs back to a second central switch in the same IT closet. We also proposed having the main ControlLogix rack reside in the IT closet with two 1756-ENBT modules, where one ENBT would connect to one switch and the other ENBT to the other switch.

Scenario #2
An IT company has previously proposed to this customer to install a single 24-port managed switch utilizing VLAN technology and a star topology. Each area in the plant would be assigned a VLAN subnet; the existing VFDs, HMIs and EIP IO in that area would connect to a switch there, with a home run back to the central managed switch.

I am too green regarding VLANs, so if anyone can comment on the above scenarios that would be greatly appreciated.
 
More details on the process and current physical layout would be helpful. Is this a large single-process plant, or is it, say, a plant that has process lines 1, 2 and 3 and they just have everything with an RJ-45 jack connected together?

It's best to keep everything that belongs to one process together as much as possible, meaning if it's process lines 1, 2 and 3 I would make a physical network for each process line, then maybe have VLANs where drives and IO are on one VLAN and HMI, data collection and engineering/programming terminals are on another.

The basic idea is not to have too many items on a physical wire and not too many on a subnet. By putting drives and IO on their own VLAN on a managed switch you can give that traffic priority over other traffic using QoS (quality of service) settings.

HMI and data collection systems, batch, historian, etc. can be really chatty and need their own space as well.

If you have any systems using multicast, this could produce a lot of traffic that can slow things down if you're not using managed switches and have a lot of equipment.

Anything running V18 or lower is likely multicast. A firmware upgrade and a switch to unicast may help things a lot, and it's a cheap upgrade.

I like to have a managed layer 3 switch per process line and a large managed layer 3 core switch to tie it all together for traffic between processes and for programming, data collection and manipulation.
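Worked example added here (not from any post in this thread): a small Python script that sorts EtherNet/IP traffic the way the reply above says the switch should, so implicit I/O on UDP 2222 gets a high-priority mark, explicit messaging on TCP 44818 sits below it, everything else is best effort, and any device still sending implicit I/O to a multicast group is flagged for the firmware/unicast conversion. The flow records, the 239.192.1.3 multicast address and the DSCP numbers are all assumptions; the DSCP values follow the ODVA defaults as I remember them and should be checked against the QoS object on the real firmware.

```python
"""Classify constructed EtherNet/IP flow records to see what a managed switch
should prioritise and which producers are still sending implicit I/O to
multicast.  Added example, not from the thread.  Ports are the standard
EtherNet/IP ports; the DSCP values are assumed from the ODVA defaults and
the multicast address is assumed, so check both against the real devices."""
from dataclasses import dataclass
from ipaddress import ip_address

EIP_EXPLICIT_TCP = 44818   # CIP explicit messaging (HMI tag reads, online editing)
EIP_IMPLICIT_UDP = 2222    # CIP class 1 implicit I/O (drives, I/O blocks)

# Assumed DSCP marks (ODVA defaults: scheduled implicit I/O 47, explicit 27).
DSCP_IMPLICIT_IO = 47
DSCP_EXPLICIT = 27
DSCP_DEFAULT = 0


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int
    pps: int     # packets per second observed for this flow


def classify(flow):
    """Return (traffic class, DSCP) so the switch can queue I/O ahead of HMI/SCADA."""
    if flow.proto == "udp" and flow.dport == EIP_IMPLICIT_UDP:
        return "implicit_io", DSCP_IMPLICIT_IO
    if flow.proto == "tcp" and flow.dport == EIP_EXPLICIT_TCP:
        return "explicit", DSCP_EXPLICIT
    return "other", DSCP_DEFAULT


def is_multicast(flow):
    """True when the destination is a multicast group (224.0.0.0/4)."""
    return ip_address(flow.dst).is_multicast


def summarize(flows):
    """Aggregate pps per class and list I/O producers still using multicast."""
    pps_by_class = {}
    multicast_producers = set()
    for f in flows:
        cls, _ = classify(f)
        pps_by_class[cls] = pps_by_class.get(cls, 0) + f.pps
        if cls == "implicit_io" and is_multicast(f):
            multicast_producers.add(f.src)
    return pps_by_class, sorted(multicast_producers)


def flooded_pps(flows):
    """Packets per second every port receives from multicast on an unmanaged
    switch (no IGMP snooping): each multicast frame is flooded to all ports,
    whether or not the device behind the port consumes that connection."""
    return sum(f.pps for f in flows if is_multicast(f))


# Constructed sample: one drive still producing to an (assumed) EtherNet/IP
# multicast group, one I/O block already on unicast, a PV+ polling tags,
# an Ignition server polling, and an unrelated file-share flow.
SAMPLE_FLOWS = [
    Flow("192.168.1.21", "239.192.1.3",   "udp", 2222, 500),   # PFlex VFD -> multicast I/O
    Flow("192.168.1.22", "192.168.1.10",  "udp", 2222, 200),   # I/O block -> PLC, unicast
    Flow("192.168.1.50", "192.168.1.10",  "tcp", 44818, 40),   # PV+ tag reads
    Flow("192.168.1.60", "192.168.1.10",  "tcp", 44818, 20),   # Ignition tag reads
    Flow("192.168.1.60", "192.168.1.200", "tcp", 445, 5),      # SMB, not control traffic
]

if __name__ == "__main__":
    pps, producers = summarize(SAMPLE_FLOWS)
    print("pps by class:", pps)
    print("multicast I/O producers to convert to unicast:", producers)
    print("multicast load on every unmanaged port:", flooded_pps(SAMPLE_FLOWS), "pps")
```

The point of flooded_pps() is the one the reply makes about multicast and unmanaged switches: with no IGMP snooping, every one of the 60 ports sees the full 500 pps from that single multicasting drive, not just the ENBT that consumes it. A managed switch with IGMP snooping, or converting the connection to unicast after the firmware upgrade, confines it to the consumer's port.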
 
Both scenarios would work. VLANs just allow a managed switch to create multiple virtual networks within a single physical switch, much like running multiple operating systems on a single physical server by creating virtual machines. It saves on costs, and you can get really creative and controlled network solutions this way. You just need to read up on it.

I assume in scenario #2 the switch would be set up so that ports 1-12 are one VLAN (the IO network) and ports 13-24 a second VLAN (the SCADA network). So you've got the network separation you need with a single switch and a reduction in hardware costs. Keep in mind, you would still want two separate 1756-ENBT cards to isolate traffic to your controller. However, it would be possible to create a third VLAN to bridge the IO network and SCADA network so the PLC uses only a single 1756-ENBT (this gets into a layer 2/layer 3 switch discussion). If this were desired I'd upgrade to a 1756-EN2T for higher bandwidth and more CIP connections. However, I'd stick with separate cards.

Obviously consideration must be given to the switches that exist on the plant floor. If you have EtherNet/IP and SCADA going to the same switch, then home-running back to the 24-port switch, you may have problems. Would need more detail.

Scenario #2 is more politically complicated because it's a third-party IT company, so in terms of supporting the plant, who ends up with the phone calls, your company or theirs? And how do you separate responsibility if there continue to be network problems?

As EtherNet/IP becomes a staple in manufacturing, so will the merging of IT technologies such as managed switches and VLAN configurations. I highly recommend talking to your vendors about networks, VLANs and such. It will ensure you keep third parties out and you in control of meeting your customer's needs.
 
Thanks for the input, guys. I am heading back to the remote plant later this week to document for myself how this plant is laid out. So far I am working from a network layout drawing created by others, and I am questioning its accuracy, as I saw things in the plant on the initial visit that are not on the drawing.

This plant has 5 Quantum PLCs and PanelMate HMIs on MB+. The end user wishes to migrate away from Schneider and switch to Rockwell. The incumbent local sparky started the migration process a few years ago by placing a CLgx rack with a ProSoft AB-to-MB+ gateway. They now have all PanelMates replaced with PV+, and I can only assume the CLgx is acting as a gateway to the Quantums.

The sparky has also installed PFlex VFDs and CLgx EIP racks and EIP IO blocks hanging off the CLgx rack's 1756-ENBT.

It is looking like a spaghetti mess, and I need to figure out what is going on.

I have always believed that EIP IO should be physically separated from HMIs and SCADA on Ethernet. I have seen many filling machines (Tetra) over the years coming from Europe that use CompactLogix as the main controller, with all VFDs and solenoid blocks on EIP and a PV+ as the HMI. These machines have all of this connected over the same Ethernet connection, and I have watched the company's techs curse and swear as getting online has a horrible lag time.
 
I will be taking both configurations with me to Automation Fair next week and head over to the Cisco booth.
 
Any update on this?

My gut feeling would be to consider letting the IT company do what is their "bread and butter" if you're uncomfortable with it. I suspect that a network upgrade with modern managed switches and VLANs would be a reasonable upgrade.

FYI - VLANs provide logical "layer 2" traffic isolation, so you could allow sets of alike systems to communicate directly. Broadcast/unicast traffic would not pass. Communication between VLANs could be allowed/disallowed as you see fit. This works with a router or "layer 3 switch" passing traffic.
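Worked example added after the replies above (not from the thread), covering both the port-based VLAN split proposed for scenario #2 and the layer 2/layer 3 point in the last reply: devices on the same VLAN talk directly through the switch, anything crossing VLANs has to be routed by the layer 3 switch, and that routed hop is the only place you get to decide what is allowed through. The script assumes VLAN 10 on ports 1-12 for I/O and VLAN 20 on ports 13-24 for SCADA/HMI with assumed /24 subnets, and renders IOS-style configuration text; only CIP explicit messaging (TCP 44818) is permitted from the SCADA side toward the I/O side, and implicit I/O on UDP 2222 never leaves the I/O VLAN. The interface names and ACL syntax are assumptions to adapt to whatever switch actually gets installed.

```python
"""Model the scenario #2 port split and the inter-VLAN policy a layer 3 switch
would enforce between the I/O and SCADA VLANs.  Added example, not from the
thread: VLAN IDs, subnets, port ranges and interface names are assumptions;
the rendered config is IOS-style and must be adapted to the real switch."""
from ipaddress import ip_network

EIP_EXPLICIT_TCP = 44818   # CIP explicit messaging (HMI reads, RSLogix online)
EIP_IMPLICIT_UDP = 2222    # CIP class 1 implicit I/O

# Assumed plan: ports 1-12 carry the I/O VLAN, 13-24 the SCADA/HMI VLAN.
VLANS = {
    10: {"name": "IO",    "subnet": ip_network("10.10.10.0/24"), "ports": range(1, 13)},
    20: {"name": "SCADA", "subnet": ip_network("10.10.20.0/24"), "ports": range(13, 25)},
}

# Flows allowed to cross VLANs, as (src_vlan, dst_vlan, proto, dport).
# Only explicit messaging from SCADA to the I/O side; implicit I/O stays in VLAN 10.
INTER_VLAN_RULES = [
    (20, 10, "tcp", EIP_EXPLICIT_TCP),
]


def vlan_of_port(port):
    """Map a physical switch port to its VLAN ID."""
    for vid, v in VLANS.items():
        if port in v["ports"]:
            return vid
    raise ValueError(f"port {port} is not assigned to a VLAN")


def permitted(src_port, dst_port, proto, dport):
    """Same VLAN: layer 2 forwards anything.  Different VLANs: only what the
    layer 3 ACL lists gets routed; everything else is dropped at the SVI."""
    s, d = vlan_of_port(src_port), vlan_of_port(dst_port)
    if s == d:
        return True
    return (s, d, proto, dport) in INTER_VLAN_RULES


def wildcard(net):
    """IOS ACLs take a wildcard mask, which ipaddress exposes as hostmask."""
    return f"{net.network_address} {net.hostmask}"


def render_config():
    """Render VLANs, access ports, ACLs and SVIs as IOS-style config text."""
    lines = []
    for vid, v in VLANS.items():
        lines += [f"vlan {vid}", f" name {v['name']}"]
    for vid, v in VLANS.items():
        first, last = v["ports"][0], v["ports"][-1]
        lines += [f"interface range GigabitEthernet1/0/{first} - {last}",
                  " switchport mode access",
                  f" switchport access vlan {vid}"]
    # One ACL per SVI, applied inbound, so each VLAN's routed traffic is filtered
    # before it reaches the other.  TCP replies are matched with 'established'.
    acl = {vid: [f"ip access-list extended FROM-{v['name']}"] for vid, v in VLANS.items()}
    for s, d, proto, dport in INTER_VLAN_RULES:
        src, dst = VLANS[s]["subnet"], VLANS[d]["subnet"]
        acl[s].append(f" permit {proto} {wildcard(src)} {wildcard(dst)} eq {dport}")
        if proto == "tcp":
            acl[d].append(f" permit tcp {wildcard(dst)} eq {dport} {wildcard(src)} established")
    for vid in VLANS:
        acl[vid].append(" deny ip any any log")
        lines += acl[vid]
    for vid, v in VLANS.items():
        gw = v["subnet"][1]   # first usable address is the SVI / default gateway
        lines += [f"interface Vlan{vid}",
                  f" ip address {gw} {v['subnet'].netmask}",
                  f" ip access-group FROM-{v['name']} in"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_config())
    print("PV+ on port 15 reading the PLC on port 3:",
          permitted(15, 3, "tcp", EIP_EXPLICIT_TCP))
    print("PV+ on port 15 sending implicit I/O to port 3:",
          permitted(15, 3, "udp", EIP_IMPLICIT_UDP))
```

The thing to notice is where permitted() returns True without consulting any rule: two devices on the same VLAN. A VLAN boundary only gives you a filtering point if the traffic is forced through the layer 3 switch, which is why the ACLs are attached to the SVIs. The 'established' line on the I/O side ACL is what lets the PLC's replies to HMI reads get back out; if the switch only does layer 2, none of this filtering exists and separation is purely physical, as in scenario #1.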
 
