PLC Industrial Layer 3 Switch

[tgr9004]

Hey ya'll,

I have thoroughly enjoyed reading many, many posts on this forum. Very very helpful as you all know.

We are in the process of networking all of our Allan Bradley's PLCs (12 PLCs right now, could increase to 30+) to be able to setup a SCADA system.

What we have done so far:
1) Configure IP Addresses for all of our PLCs so none conflict with each other when we connect to managed switch.
2) Start running Cat6 cable (read: no fiber optics) to each PLC to our central location where the switch will be installed. We have decided to go with the "star" topology rather than a ring format.

What we want to do next is
3) Order a managed, (possibly layer 3) switch. 16 Ethernet ports. The more I look at the Stratix 8300 switches, the more I become discouraged and lean towards the Hirschmann and NTRON equivalents.

Obviously, we want a managed switch so to physically separate our PLC network from our business network.

IT is onboard with the project. But they, like us, have never done this before. I don't think this is that hard but we would like to do it right the first time. Any advice on criteria for choosing one switch over another?

[Lancie1]

I don't know which switch you should choose, but you should keep the devices that run your factory completely separate from any devices that are controlled by your IT department. They really do not understand the security issues of the plant operating system, and allowing them ANY access to the PLC network would be a big mistake. Put your PLC network switching in a room with one door and no windows, and place a large padlock on the door.

[James Mcquade]

i agree.

at my old workplace, it was a nightmare.
they dictated everything. they had my programming laptop so messed up it took 2 hours to boot.

my boss went to a maintenance tech and had it fixed in 5 minutes. when he found out what they had done, i had a new laptop within 2 days and it wasn't allowed to touch it without my permmission and then they hasd to tell me what they were doing.

where i am now, i'm in IT and almost everything is on the network. we can even remote in to the plc's if required.

regards,
james

[widelto]

Tgr9004:
Chapter 1 of this document has a good explanation:
http://www.cisco.com/c/en/us/td/docs...tF/EttFDIG.pdf

[Paullys50]

Quote:

Originally Posted by tgr9004

Hey ya'll,

I have thoroughly enjoyed reading many, many posts on this forum. Very very helpful as you all know.

We are in the process of networking all of our Allan Bradley's PLCs (12 PLCs right now, could increase to 30+) to be able to setup a SCADA system.

What we have done so far:
1) Configure IP Addresses for all of our PLCs so none conflict with each other when we connect to managed switch.
2) Start running Cat6 cable (read: no fiber optics) to each PLC to our central location where the switch will be installed. We have decided to go with the "star" topology rather than a ring format.

What we want to do next is
3) Order a managed, (possibly layer 3) switch. 16 Ethernet ports. The more I look at the Stratix 8300 switches, the more I become discouraged and lean towards the Hirschmann and NTRON equivalents.

Obviously, we want a managed switch so to physically separate our PLC network from our business network.

IT is onboard with the project. But they, like us, have never done this before. I don't think this is that hard but we would like to do it right the first time. Any advice on criteria for choosing one switch over another?

Why no fiber? Why no ring? Just curious.

Why do you need a Layer 3 switch? Layer 3 indicates you want to bridge networks on some level.

I think Lancie1's way of thinking, while valid years ago is quickly fading. There is quite the security risk in a "stand" alone environment too. Maintenance techs/contractors could easily infect these networks inadvertently, no firewalls and out-of-date operating systems are very vulnderable. The data that can be retrieved from these systems is extremely valuable to strategic decisions that must be made on a daily basis; for the data to be inaccessible just doesn't make sense in the manufacturing environment of today and tomorrow.

Everything will be interconnected, and automation systems will need to be continuously updated just like any other computer software. Firewalls need to be installed, and should be considered at the SCADA server and at the PLC level.

This mind-set is very problematic for traditional SCADA software since it takes a good year after an OS is released for the SCADA system to be compatible, and the risk of updates is always high. But, evolution is forcing a shift in thinking and design.

[nwboson]

When I need more than just a few ports, I've been using Commercial switches instead of the industrial switches. They've proven to be incredibly rugged and provide the high end configurability to allow them to work flexibly in many scenarios. The commercial switches tend to be ahead of the industrial switches in terms of implementing new features and standards. And the IT guys understand them so I can confer and team up with them in a way that ensures IT & Controls are working together: it helps me speak their language and vice-versa.

We run redundant wires between control cabinets and make sure the switch has 'link aggregation' features that allow any wire failure to have no effect. And these switches are ring capable, layer 3 capable, vlan capable, fiber capable, and PoE capable. Its inexpensive to run redundant cables at installation time and I like the idea that a completely severed cable will have no effect on the control network.

Our experience has been with the Cisco Linksys SGE/SW series. We have dozens installed in ugly environments and have had no failures. We've built custom cabinets for them so we can flush mount them in the field: they are only 6" thick and wall mounted so people walk by them and don't even notice they are there: this lets us mount them in air conditioned environments but do it innocuously.

I especially am fond of the link aggregation: dual wires between all switches. My opinion is that wiring and connections are the most likely failures in our systems, so having redundant connections is a feature that increases reliability. Combine that with a ring and you can have total failure of a link/switch/bundle of wires with no effect on your control system.

Just my two cents. With the thousands of switches/routers out there, I suspect you'll have at least that many different opinions.

[Stephen Luft]

Greetings,

If you are still not satisfied with your Ethernet switch / router selection, may I offer another alternative.

Westermo offers both layer 2 and layer 3 products.

http://www.eternity-sales.com/Wester...alethernet.htm

They offer a powerful custom operating system with a web interface:

http://www.eternity-sales.com/westermo/WeOS.htm

A complete management guide, providing detailed information about the WeOS capabilities is available at our web site also:

http://www.eternity-sales.com/wester...ment+Guide.pdf

If you have any questions feel free to email through the link below, pm or call.

Disclosure - ESI is a Westermo distributor

[Clayton0520]

I have used both CISCO and Hirschmann switches in industrial application and hands down I would go with the Hirschmann. They have no internal fans plus they offer true dry contacts for power monitoring unlike CISCO. They are way more user friendly to non IT people who aren't the best with a command prompt when it comes to configuring. In the end Iv had repeated CISCO switches fail and 1 Hirschmann due to water leaking in on it.

[OkiePC]

+1 for Hirschmann.

[The Plc Kid]

Quote:

Originally Posted by tgr9004

Hey ya'll,

I have thoroughly enjoyed reading many, many posts on this forum. Very very helpful as you all know.

We are in the process of networking all of our Allan Bradley's PLCs (12 PLCs right now, could increase to 30+) to be able to setup a SCADA system.

What we have done so far:
1) Configure IP Addresses for all of our PLCs so none conflict with each other when we connect to managed switch.
2) Start running Cat6 cable (read: no fiber optics) to each PLC to our central location where the switch will be installed. We have decided to go with the "star" topology rather than a ring format.

What we want to do next is
3) Order a managed, (possibly layer 3) switch. 16 Ethernet ports. The more I look at the Stratix 8300 switches, the more I become discouraged and lean towards the Hirschmann and NTRON equivalents.

Obviously, we want a managed switch so to physically separate our PLC network from our business network.

IT is onboard with the project. But they, like us, have never done this before. I don't think this is that hard but we would like to do it right the first time. Any advice on criteria for choosing one switch over another?

Here is my 2 cents. I think you should reconsider using a ring topology if this is a green field install which it sounds like it is from your OP. If you are firm on staying with star at the very least I would pull 2 cables and run redundant uplinks or setup an EtherChannel.

Do you have switches in your PLC cabinets going to I/O or Drives, HMI's? If so what are they? If you are using Stratix there I would go with a Cisco switch.

If you are using Stratix at the machine level then your core switch would benefit from being a Cisco Catalyst as that's what the Stratix IOS is under the Hood with a few hooks to make it work with Logix 5000. if you don't like command line CLI then use cisco CSM which is GUI for Catalyst switches or ASDM which is GUI for ASA switches.

You mention Stratix 8300 like you were considering it for the core switch which would not be a good choice as it was never designed to be a core switch with that many ports and subnets.

Stratix 8300 are designed for the machine level not core level.

You also mention keeping your network physically separate but if you join it to the enterprise at any point then it's no longer separate. Many people try to have air gapped networks and the truth is that most people that think they have an air gapped network are wrong. Almost every supposed air gapped network I have come across I have been able to show the customer they really did not have an air gap.

Nothing wrong with connecting to your enterprise and today it's almost a must have and it's perfectly safe and even safer that the old supposed air gap if it's done correctly with an emphasis on correctly.

I do like the fact that you have chose to run your own media from your plc's to a switch you control and not use existing corporate network switches and media. A lot of people do it that way but it's a huge mistake IMHO so you are on the right path.