Remote access of machine ethernet ?s

BinderNut

I'm just a tech and pretty rusty on my ethernet theory from college (many years ago) so bear with me. :)
In a medium-sized food processing plant. With new projects and upgrades we've been shifting more towards ethernet-based communication between devices (VFDs and servos in particular). This is replacing some Devicenet control networks and hard-wired controls.
We're just trying to set up some long-term plan for organizing our IP addresses.

How are you guys handling IP address overloading of networks?
Our current network setup is a dedicated "business" network and a dedicated "process" network.
Our process network is rapidly running out of IP addresses for equipment without going to subnets or secondary networks.

One situation in particular:
One new piece of equipment has 1 PLC, 1 HMI, and 5 servo drives on a machine-local network. We could just re-address the devices on the machine network to fit in with our process network scheme, but that would take 7 addresses in place of 1 on the machine it replaced. Not what we're looking for since there are multiple machines that will be receiving similar upgrades as we progress.
Currently, the machine networks are isolated from the process network but we would like to incorporate them for data acquisition and troubleshooting.

Ideally, we'd like to keep the machine-local network as built and jump across a gateway/switch to be able to access all devices on the machine-local network.

What is available to allow this?
I'm thinking a Spectrum Webport or similar?

Allen-Bradley Control/CompactLogix and SLC PLCs, PV+ HMIs, Kinetix servo drives, PF525 and PF755 VFDs are the main ethernet-based devices we're incorporating right now.

Any tips would be appreciated.
 
Currently we have around 160 devices on the process network.
Around 20 PLCs, a dozen PF700/20-comm-e and PF755s VFDs. The remainder are HMIs (mostly PV+).

Besides the current load, we have roughly 300 VFDs in plant on Devicenet and hard-wire control that we eventually would like to change over to Ethernet control when we finalize upgrading all of our old SLCs to Controllogix. This will definitely push us over the 254 possible IPs.

I am sure we will eventually wind up adding another process network, which is how the IS dept has handled adding IPs for business related Ethernet devices.
Personally, I would like a changeover to IPv6 but that is in the hands of our corporate IS dept.
 
The process network supports IP6?

I've been out of the AB game since 2006.

I don't know much about the different classes, but have you looked into using the mask: 255.255.0.0?
 
Personally, I would like a changeover to IPv6 but that is in the hands of our corporate IS dept.

Um....NO. Why would you do that????

Class C network: 192.168.0.0 - 192.168.255.255 65,536 addresses

192.168.1.x = Networking Gear
192.168.2.x = Machine/Process #1
192.168.3.x = Machine/Process #2
.
.
.
192.168.255.x = Machine/Process #255

If you want isolation put each of those machine/networks on its own VLAN, but you still need a layer 3 switch to hop the VLANs to get you access everywhere.

If you bridge your business and process network --> Router and FIREWALL need plenty of security in place otherwise FUBAR (note I am over simplifying this statement).
 
Forgive me if I am reading the previous posts wrong...

But I would have the PLCs on one Ethernet network structure.
Add an extra network card to each PLC that has devices working on Ethernet - drives/HMIs etc - keep their own network per machine.

Your PLCs can then talk to the SCADA/Data Logging, and you can create a bridge to the Business network, if needs be, using dual network cards/firewall etc.
Traffic is minimised, as all your drives/meters/HMIs may well be broadcasting and will only then broadcast to their own local PLC, within their own subnet.

You will have ample IP addresses on your industrial network, which will be separate from the business network, as well the device networks.
 
This is how I have seen it done too.

Um....NO. Why would you do that????

Class C network: 192.168.0.0 - 192.168.255.255 65,536 addresses

192.168.1.x = Networking Gear
192.168.2.x = Machine/Process #1
192.168.3.x = Machine/Process #2
192.168.255.x = Machine/Process #255
This is how I have seen it done everywhere I go. Each machine center has its own switch so traffic within the machine center doesn't go outside the machine center unless something outside requests it.

On top of that different OEMs have different standards. Usually the switch is at 192.168.x.1.
The PLCs are addressed at 192.168.x.10-19
HMIs are addressed at 192.168.x.20-29 etc
Drives and motion controllers get a range.
The I/O above that. The point is the x is the machine center number
and all the PLCs, HMIs etc have the same offset in the range of 1-240.

Office traffic should NEVER be on the plant floor except to request report data.

We use smart/managed switches because they are cheap now.
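
The per-machine-center offset convention described above can be checked against a device inventory. This is an added example, not part of the original post: the switch, PLC and HMI offsets are the ones quoted, while the drive and I/O ranges, the device names and the inventory are assumed for illustration.

```python
import ipaddress

# Role offsets inside each machine-center /24. Switch, PLC and HMI values are
# the ones quoted in the post; drive and I/O ranges are assumed, because the
# post gives no numbers for them.
ROLE_RANGES = {
    "switch": (1, 1),
    "plc": (10, 19),
    "hmi": (20, 29),
    "drive": (30, 99),     # assumed
    "io": (100, 240),      # assumed
}

def expected_range(machine_center, role):
    """Return (first, last) address for a role in 192.168.<center>.0/24."""
    if not 1 <= machine_center <= 255:
        raise ValueError("machine center must be 1..255")
    lo, hi = ROLE_RANGES[role]
    base = ipaddress.ip_network(f"192.168.{machine_center}.0/24").network_address
    return base + lo, base + hi

def audit(inventory):
    """Return (device, problem) pairs for entries that break the plan."""
    seen = {}
    findings = []
    for name, center, role, addr in inventory:
        ip = ipaddress.ip_address(addr)
        first, last = expected_range(center, role)
        if not first <= ip <= last:
            findings.append((name, f"{ip} outside {role} range {first}-{last}"))
        if ip in seen:
            findings.append((name, f"{ip} duplicates {seen[ip]}"))
        seen.setdefault(ip, name)
    return findings

# Constructed inventory: (name, machine center, role, address)
SAMPLE = [
    ("mc2-switch", 2, "switch", "192.168.2.1"),
    ("mc2-plc1", 2, "plc", "192.168.2.10"),
    ("mc2-hmi1", 2, "hmi", "192.168.2.20"),
    ("mc2-hmi2", 2, "hmi", "192.168.2.35"),   # wrong offset for an HMI
    ("mc3-plc1", 3, "plc", "192.168.2.10"),   # wrong center and a duplicate
]

if __name__ == "__main__":
    for name, problem in audit(SAMPLE):
        print(f"{name}: {problem}")
```

A device that answers at an address outside its role range, or at an address already assigned, is worth investigating before it is treated as a simple typo in the inventory.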




 
I don't think it's that limited. We're running a mix of 192.168.x.x and 10.121.x.x on our controls network.

It was a simple example of a class C network scheme that is "typical" for IO networks. You are also running a class A network 16,777,216 addresses.

I typically see:

Class C - IO networks
Class A/B - SCADA/Business

Wikipedia
 
Um....NO. Why would you do that????

Class C network: 192.168.0.0 - 192.168.255.255 65,536 addresses

192.168.1.x = Networking Gear
192.168.2.x = Machine/Process #1
192.168.3.x = Machine/Process #2
.
.
.
192.168.255.x = Machine/Process #255

If you want isolation put each of those machine/networks on its own VLAN, but you still need a layer 3 switch to hop the VLANs to get you access everywhere.

If you bridge your business and process network --> Router and FIREWALL need plenty of security in place otherwise FUBAR (note I am over simplifying this statement).


We use a similar configuration as Paully described. Networks that are Class B, C, etc. on the floor's switches are routed to the primary layer 3 switch. The VLANs allow for the different routing, allow more capacity, and have worked well without latency, albeit the connections from the floor to the primary and back are fiber.
 
Thanks for all the input guys!

Um....NO. Why would you do that????

Class C network: 192.168.0.0 - 192.168.255.255 65,536 addresses

192.168.1.x = Networking Gear
192.168.2.x = Machine/Process #1
192.168.3.x = Machine/Process #2
.
.
.
192.168.255.x = Machine/Process #255

If you want isolation put each of those machine/networks on its own VLAN, but you still need a layer 3 switch to hop the VLANs to get you access everywhere.

If you bridge your business and process network --> Router and FIREWALL need plenty of security in place otherwise FUBAR (note I am over simplifying this statement).

This is how I have seen it done everywhere I go. Each machine center has its own switch so traffic within the machine center doesn't go outside the machine center unless something outside requests it.

On top of that different OEMs have different standards. Usually the switch is at 192.168.x.1.
The PLCs are addressed at 192.168.x.10-19
HMIs are addressed at 192.168.x.20-29 etc
Drives and motion controllers get a range.
The I/O above that. The point is the x is the machine center number
and all the PLCs, HMIs etc have the same offset in the range of 1-240.

Office traffic should NEVER be on the plant floor except to request report data.

We use smart/managed switches because they are cheap now.





Using Paully's example, how do you handle traffic between the different subnetworks (192.168.1.x, 192.168.2.x, 192.168.3.x, etc)?

That is how our current plant-wide network is set up.
192.168.1.x is our "business" network.
192.168.2.x is another business network.
192.168.3.x is our process network.

Currently, the .3.x subnetwork is isolated from all others except for a SCADA/SQL server where we pass report data back to the .1.x biz subnetwork.
There should be no problem allowing full access between our current .3.x and an added .4.x subnetwork if the switch is configured properly, correct?


The fun part will be the sales pitch to corporate IT (not just our plant) on getting more hardware
 
On top of that different OEMs have different standards. Usually the switch is at 192.168.x.1.
The PLCs are addressed at 192.168.x.10-19
HMIs are addressed at 192.168.x.20-29 etc
Drives and motion controllers get a range.
The I/O above that. The point is the x is the machine center number
and all the PLCs, HMIs etc have the same offset in the range of 1-240.

This addresses another question that I didn't expand on in my original post.

Some of our equipment shipped with its own OEM-supplied machine network.
What options do we have to allow comms from an external connection (on our 192.168.3.x network) to the internal network on the machine without readdressing the OEM network?
 
This addresses another question that I didn't expand on in my original post.

Some of our equipment shipped with its own OEM-supplied machine network.
What options do we have to allow comms from an external connection (on our 192.168.3.x network) to the internal network on the machine without readdressing the OEM network?


The type of system your IT guys are using will determine how external connections are able to connect to your machine networks.

As an example, we use SonicWall as the firewall, which allows us to have a configuration for an SSL VPN. Thus, to allow vendors or OEMs to have connections to the plant, the routing is configured and handled with the VLANs on the layer 3 switch, ensuring that the OEM has access to only the network specified.
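
The routing rules discussed in this thread (business traffic reaching only the SCADA/SQL server, full access between the .3.x and an added .4.x process subnet, and an OEM VPN confined to one machine network) can be written down as a default-deny table and tested before anyone touches the layer 3 switch or firewall. This is an added example, not any poster's configuration: the server address, SQL port, VPN pool and OEM VLAN are assumed values.

```python
import ipaddress

# Subnets from the thread; values marked "assumed" are not on the page.
BUSINESS = ipaddress.ip_network("192.168.1.0/24")
PROCESS = ipaddress.ip_network("192.168.3.0/24")
PROCESS_2 = ipaddress.ip_network("192.168.4.0/24")      # the proposed added subnet
SCADA_SQL = ipaddress.ip_network("192.168.3.250/32")    # assumed server address
OEM_VPN = ipaddress.ip_network("10.99.0.0/28")          # assumed VPN client pool
OEM_VLAN = ipaddress.ip_network("192.168.40.0/24")      # assumed OEM machine VLAN

# (rule name, source, destination, TCP port or None for any port)
RULES = [
    ("biz-reports", BUSINESS, SCADA_SQL, 1433),          # assumed SQL port
    ("process-to-process2", PROCESS, PROCESS_2, None),
    ("process2-to-process", PROCESS_2, PROCESS, None),
    ("oem-vpn", OEM_VPN, OEM_VLAN, None),
]

def decide(src, dst, port):
    """First matching rule allows the routed flow; everything else is denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, src_net, dst_net, rule_port in RULES:
        if s in src_net and d in dst_net and rule_port in (None, port):
            return "allow", name
    return "deny", "default"

def broad_rules(protected=(PROCESS, PROCESS_2, OEM_VLAN)):
    """List rules that let an outside source reach a whole protected subnet."""
    flagged = []
    for name, src_net, dst_net, _ in RULES:
        outside = not any(src_net.subnet_of(p) for p in protected)
        for p in protected:
            if outside and p.subnet_of(dst_net):
                flagged.append((name, str(p)))
    return flagged

# Constructed flows: (source, destination, TCP port); 44818 is EtherNet/IP
FLOWS = [
    ("192.168.1.50", "192.168.3.250", 1433),   # office pulls report data
    ("192.168.1.50", "192.168.3.10", 44818),   # office straight to a PLC
    ("192.168.3.10", "192.168.4.12", 44818),   # process to the added subnet
    ("10.99.0.5", "192.168.40.10", 44818),     # OEM to its own machine
    ("10.99.0.5", "192.168.3.10", 44818),      # OEM to another network
]

if __name__ == "__main__":
    for flow in FLOWS:
        print(flow, decide(*flow))
    print("review:", broad_rules())
```

Only routed traffic is modelled here; devices inside one subnet talk through their local switch and never reach these rules. `broad_rules()` lists the OEM VPN grant because it covers an entire VLAN, which makes it the first candidate for narrowing to specific hosts or ports.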
 
