PLC Network on Office Network???

d21x

We are starting to get new machines that use Compactlogix and they use Ethernet for communications. We currently have some SLC 500's that use DH+ for communications. The DH+ network is on the office network via ControlLogix DH+ Module and Ethernet module.

Corporate has to assign IP Addresses to anything on the network and we don't want to have to assign an IP address to each Panelview, RFID reader, etc that use ethernet to communicate to the local Compactlogix.

What is the best way to put the PLC network on the Office network without having to assign IP addresses to everything? Is it possible to run two Ethernet modules on a Compactlogix, allowing one module to communicate to the network and the other module strictly for communicating between Panelviews, RFID readers, etc?

Are there any safety concerns about putting the PLC network on the Office network? Is there a possibility that if the office network goes down, that will also affect the PLC network?

Please let me know what everyone thinks. Thank you.
 
Create a separate, isolated network for your automation equipment. One that you control. Pick a nice Private Class A or B subnet (private being 'local, non-routable')...

For class A, Subnet 255.0.0.0, Private range 10.x.x.x/8
For class B, Subnet 255.255.0.0, Private range 172.16.0.0/12

Then, if you do want to exchange data with the office network, install a dedicated gateway router between the two.

I never ever ever ever advise mixing corporate IT with automation gear; it's generally just asking for troubles, especially when some network administrator starts monkeying around with switches and masks.

Also, do please invest in high quality, industrial switches (preferably managed) and components. The difference between a $50 Home/Office Supply Store Switch and a $500 real switch may seem extreme, until the first time the network goes down because of the 'inexpensive' one.
 
In addition, you could add an ENBT to the ControlLogix chassis connected to this private LAN and bridge to that network from your corporate LAN. Only use this for programming terminal, not for your SCADA system.
 
Oakley said:
In addition, you could add an ENBT to the ControlLogix chassis connected to this private LAN and bridge to that network from your corporate LAN. Only use this for programming terminal, not for your SCADA system.

Is there any reason behind not using an ENBT card as a bridge for a SCADA system? I've been using one for years to bridge 4 DH+ networks to ethernet to communicate with a SCADA system.
 
Christoff84 said:
Is there any reason behind not using an ENBT card as a bridge for a SCADA system? I've been using one for years to bridge 4 DH+ networks to ethernet to communicate with a SCADA system.

No, to me, it sounded like he was saying add a second ENBT. Configure one for the line and SCADA, and the second one as an interface to the Corporate LAN.
 
rdrast said:
No, to me, it sounded like he was saying add a second ENBT. Configure one for the line and SCADA, and the second one as an interface to the Corporate LAN.

Yes, that is what I am thinking. First ethernet module networks between the Compactlogix, Panelview, RFID reader, etc. And the second ethernet module networking between Compactlogix and the network office for SCADA.

Would that work? Or is there a better way? I definitely don't want the network office causing any problems to machines on the line.
 
rdrast said:
No, to me, it sounded like he was saying add a second ENBT. Configure one for the line and SCADA, and the second one as an interface to the Corporate LAN.

Actually, if you want your SCADA system on your corporate LAN, then put dual nics in the server/workstation to do so. Don't put your IO server on the corporate LAN. If your corporate LAN were to go down, you would still be controlling/visualizing/historizing data.
 
We're starting to do a combo of all three....

Two ENBTs and a router/bridge

One ENBT is the 'machine' ethernet...Drives, Flex I/O, etc. that are isolated to that machine.

Second ENBT is the 'process' ethernet....HMIs and other ENBTs on other racks for the entire plant.

The process ethernet is connected to the corporate ethernet via router/bridge.
 
robertmee said:
We're starting to do a combo of all three....

Two ENBTs and a router/bridge

One ENBT is the 'machine' ethernet...Drives, Flex I/O, etc. that are isolated to that machine.

Second ENBT is the 'process' ethernet....HMIs and other ENBTs on other racks for the entire plant.

The process ethernet is connected to the corporate ethernet via router/bridge.

Why connect your process ethernet to the corporate ethernet? Do you have a virtual drawbridge on your router to isolate in the case of virus attack on the corporate LAN?
 
It's locked down. We use terminal services to bridge between the two. The reason for the connection is that any engineer on the corporate network can get to any plant network for remote access, development and troubleshooting. This is a worldwide setup across multiple facilities.
 
Oakley said:
Why connect your process ethernet to the corporate ethernet? Do you have a virtual drawbridge on your router to isolate in the case of virus attack on the corporate LAN?

Agree with Oakley on this one.
Just keep what is tied to your machine control, process control isolated from the office ethernet.
In case of wanting to do data collection and such, do it locally (machine network) and ONLY give them what they may need via their network.
 
There will always be the need to pass information from plant to business in a fully automated facility whether for inventory, WIPs, formulations, QC, SAP, etc. I do not agree that you must keep them totally isolated. You must take precautions as you are absolutely correct, you don't want virus proliferation on a business network making its way to your plant control. But it is quite doable.
 
Here is a depiction of what I was referring to.


LANDrawing.jpg



Note: the ControlLogix gateway allows access to the process LAN from the corporate LAN. The SCADA system will always have connectivity to the process LAN for control, data acquisition, etc. The process LAN is also isolated from the corporate LAN - provides better throughput (no print jobs, email, internet, etc. interfering), and is isolated from network virus attacks.
 
d21x said:
Yes, that is what I am thinking. First ethernet module networks between the Compactlogix, Panelview, RFID reader, etc. And the second ethernet module networking between Compactlogix and the network office for SCADA.

This is what we did for a customer with a ControlLogix system. We used 2 ENBT modules. Works great.
 
We have a small process network here directly connected to the corporate LAN through an ENBT card, however we've been instructed that they need to be separated by a router/firewall. Is there any special port forwarding I would need to get online and program PLCs if my laptop is present on the corporate LAN but the PLC is on the process LAN?

The path would go Laptop on 10.x.x.x to router, to ENBT on 172.16.x.x to DH+ network.
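
Added example, not part of the thread and not any poster's code: the router/firewall between corporate and process LAN discussed above, modelled as a default-deny allow-list that admits only one programming laptop to one ENBT. The addresses, the /16 process subnet and the single rule are constructed; TCP 44818 is the registered EtherNet/IP explicit-messaging port, and the thread does not say whether the programming software needs anything else.

```python
import ipaddress as ip

# Constructed address plan: the thread gives only 10.x.x.x and 172.16.x.x.
CORPORATE = ip.ip_network("10.0.0.0/8")
PROCESS = ip.ip_network("172.16.0.0/16")
ENIP_TCP = 44818  # registered EtherNet/IP explicit-messaging port

# Allow-list for connections initiated across the router (stateful firewall
# assumed, so replies to an allowed connection pass). Unlisted traffic is dropped.
RULES = [
    # hypothetical programming laptop -> hypothetical ENBT address
    {"src": "10.20.30.40/32", "dst": "172.16.1.10/32", "proto": "tcp", "dport": ENIP_TCP},
]

def audit_rules(rules):
    """Return findings for rules that are wider than host-to-host across the two LANs."""
    findings = []
    for n, r in enumerate(rules):
        src, dst = ip.ip_network(r["src"]), ip.ip_network(r["dst"])
        if not dst.subnet_of(PROCESS):
            findings.append(f"rule {n}: destination {dst} is outside the process LAN")
        if not src.subnet_of(CORPORATE):
            findings.append(f"rule {n}: source {src} is outside the corporate LAN")
        if src.prefixlen < 32 or dst.prefixlen < 32:
            findings.append(f"rule {n}: use single hosts, not {src} -> {dst}")
    return findings

def allowed(src, dst, proto, dport, rules=RULES):
    """Default deny: True only if a rule matches this new connection."""
    s, d = ip.ip_address(src), ip.ip_address(dst)
    return any(
        s in ip.ip_network(r["src"]) and d in ip.ip_network(r["dst"])
        and proto == r["proto"] and dport == r["dport"]
        for r in rules
    )

# Constructed flows to exercise the policy.
FLOWS = [
    ("10.20.30.40", "172.16.1.10", "tcp", 44818),  # laptop going online via the ENBT
    ("10.20.30.41", "172.16.1.10", "tcp", 44818),  # some other office PC
    ("10.20.30.40", "172.16.1.10", "tcp", 80),     # laptop to another service on the ENBT
    ("10.20.30.40", "172.16.1.50", "tcp", 44818),  # laptop to a different process-LAN device
    ("172.16.1.10", "10.20.30.40", "tcp", 445),    # process LAN initiating toward the office
]

if __name__ == "__main__":
    print(audit_rules(RULES) or "rule set is host-to-host only")
    for f in FLOWS:
        print("ALLOW" if allowed(*f) else "DROP ", f)
```

Only the first constructed flow is admitted; the same table can be translated into whatever rule syntax the actual router or firewall uses.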
 