Plant Network - VLANS VS Subnets?

russg

Hi,

I created this post recently and got some great information:

http://www.plctalk.net/qanda/showthread.php?t=127080

One thing I'm trying to find out, though, is what the pros and cons are, on a fiber network, of dividing 1 VLAN into separate subnets for each area / line / cell vs. dividing it into separate VLANs per area / line / cell?

So far I think the pros for multiple VLANs are:

- Can have duplicate IP addresses in the factory - that are on separate VLANs by using a NAT switch. This is great so we can have a closed system without worrying about IP clashes, but also if we have two or more identical lines then PLC projects can match, including IPs. Question: Can we do this without separate VLANs and just using subnets + NAT?

- Security - If one VLAN is compromised it is much harder for a hacker to get onto the other VLANs. Is this true?

- Scalability - a VLAN can have many more devices connected than a subnet.

- Reliability - I'm assuming it's better to have servos, robots, etc. connected to 1 VLAN per line rather than every device on the factory floor connected to 1 VLAN across the factory? This seems one of the most important points, as we don't want the network design to create device issues. Is this important? And if all devices on the factory floor were connected to 1 VLAN with different subnets, could we get any servo / device issues? Thinking about this, if we had a device on the system that was creating excess demand due to a fault, would that not bring down the whole VLAN, stopping the whole factory? If it were split into separate VLANs it would only bring down the VLAN it was on, and the rest would be okay?

The only cons I can see for using multiple VLANs are:

- complicated, and the need for controls engineers that understand networking well, and how the setup across VLANs works.


Pros for using subnets:

- easier to understand and connect to the factory network

Cons for using subnets:

- device limit could be hit

- firewalls needed between each subnet if you want similar security to the separate-VLANs method

- if problem device on network, it could bring down the whole factory


The diagram below is the best example I've seen on how to set this up.
It is from this document:
https://literature.rockwellautomatio...d007_-en-p.pdf

Thanks

[Attached image: Plant network example 2 - NAT Switches- Duplicate IPs.PNG]
On the cons list, your maintenance technicians need to understand that cable marked as Port1 will only ever work on Port1 and not wherever they felt best to install it in.

On the hacking side, I think it depends more on how the physical connection is done to the point that the hacker would have access (hopefully the Corporate network side) rather than out on the factory floor. If that's the case, you have bigger issues than network security.

I find that particular picture funny as you have redundant links for monitoring and control, but the PLC's IO isn't deemed to be important enough for a DLR.
 
How many devices do you have on your controls network that duplicate IPs are a threat?

If starting a new network, use the Private Class A 10.X.X.X network so you have a truly massive number of device addresses available.
 
> How many devices do you have on your controls network that duplicate IPs are a threat?
>
> If starting a new network, use the Private Class A 10.X.X.X network so you have a truly massive number of device addresses available.

The biggest worry isn't duplicate IPs; that is just a nice thing to be able to reduce the risk of. The best part of this is when you have 2 production lines that are identical in every way. You wouldn't need to change the IP address of every device to connect it to the factory network to allow remote connection from an engineer's workstation.

There is no other reason why you would want to connect all these devices to the factory network.
 
The thing with VLANs is that if you need them to talk to another VLAN, such as a common one they share, then they can access other VLANs. If you want to segment by machine and keep identical configurations, then you want to use NAT at each machine.



I'm always open to hearing another way to do it though.
 
Here's my 2 cents; from what I've seen, sometimes folks segregate networks just because they want to and not because they need to. List out the reasons you want to, and that will help you decide if you need to and, if you do need to, which method to use.

Another option you didn't mention is just to maintain multiple islanded networks with different switches, etc. Industrial managed switches needed for VLANs aren't cheap.
 
> How many devices do you have on your controls network that duplicate IPs are a threat?
>
> If starting a new network, use the Private Class A 10.X.X.X network so you have a truly massive number of device addresses available.

It's not about how many devices we have now; we are wanting to plan for scaling up, which is why I'm asking about the pros and cons of each method. My current understanding is that using VLANs is better for scalability, but I'm open to opinions.
 
> The thing with VLANs is that if you need them to talk to another VLAN, such as a common one they share, then they can access other VLANs. If you want to segment by machine and keep identical configurations, then you want to use NAT at each machine.
>
> I'm always open to hearing another way to do it though.

Hi,

Yes, I understand the need to use a NAT. Is it more secure using different VLANs and methods to communicate over them than using subnets with firewalls?

Also, is it more reliable to have separate VLANs for each line / cell?
 
> Here's my 2 cents; from what I've seen, sometimes folks segregate networks just because they want to and not because they need to. List out the reasons you want to, and that will help you decide if you need to and, if you do need to, which method to use.
>
> Another option you didn't mention is just to maintain multiple islanded networks with different switches, etc. Industrial managed switches needed for VLANs aren't cheap.

Hi,
It's not about cost; we already have a fiber network with multiple switches above each area. We are looking to spend a lot on getting everything done properly, so I'm wanting to know the best and proper way of doing this.

The main thing I want is to be able to connect to every device that has network capabilities. Of course I want to do this securely, and not introduce risk to the production lines' reliability. But I want to make sure we can scale up, as we will be getting a lot of new machines in the next few years.

What are the reasons for needing to segregate networks?
 
Security and traffic are the two biggest things. Another big thing is division of responsibility.

So, say you ran your control network as a separate VLAN off an existing IT switch and something went wrong that required you to troubleshoot it. If you don't have complete control over the data path, which includes the switch, then you may have to call in a different department to help you instead of just troubleshooting end-to-end.
 
> Hi,
>
> Yes, I understand the need to use a NAT. Is it more secure using different VLANs and methods to communicate over them than using subnets with firewalls?
>
> Also, is it more reliable to have separate VLANs for each line / cell?


You are thinking about this all wrong.


You need to be asking yourself WHY you want to segregate so bad. VLANs are used to PREVENT things from talking to each other. So you could, for instance, have three areas of the plant you want to isolate from each other.


But as soon as you add a default gateway (router) in the mix, they can talk to each other, so it defeats that purpose.


Then, you need to add routing rules in the firewall to block everything and only allow specific traffic to come through.


The point I'm getting at, is that you need to figure out how the network should be divided, what can talk to what, and if you want to use duplicate addresses for multiple machines of the same type, you need a NAT device at each one. You can't accomplish it with VLANs.


VLANs aren't a reliability thing. You can't duplicate addresses with them. They are a "keep the shop computers from talking to the production equipment, unless they are PLC workstations".


You all might consider a consultant for this one. Lots of folks around that are good at automation AND networking. There just isn't a "right way" to do any old network that works. The tech is usually easy to implement, but it is a VERY nuanced thing to do right.
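As an added illustration (not from the thread or from any of its posters), here is a small Python model of the arrangement the last two replies describe: a 1:1 NAT device per identical line that maps the same machine-side 192.168.1.0/24 onto a unique plant-side range, and a default-deny inter-VLAN policy in which only explicitly listed flows pass the router/firewall, so adding a gateway does not by itself let every VLAN reach every other. The plant-side ranges, the workstation and historian addresses, and the ports (44818 for EtherNet/IP, 502 for Modbus/TCP) are assumptions made for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed example: two identical lines, both built with the same
# machine-side addressing, each behind its own 1:1 NAT device.
# (machine-side network, plant-side network) -- assumed values.
NAT_TABLE = {
    "Line1": ("192.168.1.0/24", "10.10.1.0/24"),
    "Line2": ("192.168.1.0/24", "10.10.2.0/24"),
}


def plant_address(line, machine_ip):
    """Translate a machine-side IP to the unique plant-side IP for that line."""
    inside, outside = (ip_network(n) for n in NAT_TABLE[line])
    offset = int(ip_address(machine_ip)) - int(inside.network_address)
    if not 0 <= offset < inside.num_addresses:
        raise ValueError(f"{machine_ip} is not in {inside} for {line}")
    # 1:1 NAT keeps the host part, so identical PLC projects stay identical.
    return str(ip_address(int(outside.network_address) + offset))


# Explicit allow rules: (source net, destination net, protocol, dest port).
# Anything not listed is dropped: the router joins the VLANs, the rules decide
# what actually crosses. Addresses and ports are assumptions for the example.
ALLOW_RULES = [
    # PLC workstation VLAN -> any line's plant-side range (EtherNet/IP)
    ("10.20.0.0/24", "10.10.0.0/16", "tcp", 44818),
    # any line -> one historian host only (Modbus/TCP)
    ("10.10.0.0/16", "10.30.0.10/32", "tcp", 502),
]


def is_allowed(src, dst, proto, dport):
    """Default-deny check: True only if some rule matches the flow."""
    s, d = ip_address(src), ip_address(dst)
    return any(
        s in ip_network(sn) and d in ip_network(dn) and proto == p and dport == port
        for sn, dn, p, port in ALLOW_RULES
    )


if __name__ == "__main__":
    for line in NAT_TABLE:
        print(line, "PLC 192.168.1.10 is reachable at", plant_address(line, "192.168.1.10"))
    print("workstation -> Line1 PLC:", is_allowed("10.20.0.5", "10.10.1.10", "tcp", 44818))
    print("Line1 PLC -> Line2 PLC:", is_allowed("10.10.1.10", "10.10.2.10", "tcp", 44818))
```

Note that Line1 and Line2 cannot reach each other even though both are routed, because no rule lists that pair; that is the "block everything and only allow specific traffic" step from the reply above.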
 
