Question about plant networks / VLANS

russg · Nov 10, 2020

Hi,

I'm trying to get my head around how plant networks should be set up, and I've created a few topics on this before.

One new question I have though is how do you connect everything in a certain area / cell to a remote engineers station?

So say in your factory you have 6 different productions lines / areas, and each line is a collection of different machines, would you create a network / VLAN for each area, which will allow an engineers server to connect to all of the devices on line like servos, cameras, etc? Or would you create just one machine VLAN for all areas and connect every device to that? This would obviously mean each device in the factory needs a unique IP address.

Currently on some of the machines we have a connection for remote access and MES connection to Kepserver, but that is usually on a different network to the machines network of inverters, servos, etc. What is the best way to access these remotely / from an engineers server?

Jim3846 · Nov 10, 2020

If your local machines are on a local network. I would use the NAT switch to map the local network to a real IP in your plant, so that you can connect all the machines without changing the original IP (a lot of work to avoid).

Something like the below device:
Allen Bradley
Configurable NAT Router
Catalog Number 1783-NATR
Look up this pub below
Rockwell Automation Publication 1783-UM008A-EN-P - February 2015

A lot of switch manufacturers make the same type of device.

harryting · Nov 10, 2020

As you realized already. There' so many different ways of doing it one almost run into paralysis on how to proceed. To narrow down your option, start clarify your priority. Also, learning more how different network segregation strategy will help.

Some of thing to consider:

- Having one single VLAN is the same as not having any VLAN

- One do not need VLAN to segregate traffic. Having different subnet will do that.
- If you have one Engineering station and want to talk to different subnet then you would have to either:

-- Having multiple network port on the EWS.
-- Constantly change subnet on your EWS.
-- Use subnet summation on EWS.
-- Use a router to bridge the different subnet/VLAN.

In GENERAL, one would want to keep things that doesn't NEED to talk to each other segregated. This reduce the breadth you need to troubleshoot if something goes haywire.

rdrast · Nov 11, 2020

I always install several networks per line. At the very least, I have a pure local 192.xxx.yyy.zzz/24 network for IO and drives, and a completely separate network for HMI's. If I have enough IO/Drives, I'll often split them into two local networks. I might also have one for video.
Each line has a single home run, to a central Level 3 switch that controls access to the machine HMI network (also allows access to PLC's), and the machine servers. There is one other single home run to the Plant Enterprise network, that is locked down on an IP basis, as to what PC's can get to the Machine network.

Cumbersome, but it works well, and keeps me from butting heads with IT for everything.

russg · Nov 11, 2020

Thanks for your reply:

So if I have two lines running identical products and using same machines / subnets/ IPs.

The IP range of the machines goes from 192.168.0.1 - 192.168.0.255 on both lines.

I can then connect both to the same switch? Or would I need a switch per line? and then connect them both to the main switch?

Does anyone have a diagram of how this would all be set up?

russg · Nov 11, 2020

harryting said:
As you realized already. There' so many different ways of doing it one almost run into paralysis on how to proceed. To narrow down your option, start clarify your priority. Also, learning more how different network segregation strategy will help.

Some of thing to consider:

- Having one single VLAN is the same as not having any VLAN
- One do not need VLAN to segregate traffic. Having different subnet will do that.
- If you have one Engineering station and want to talk to different subnet then you would have to either:

-- Having multiple network port on the EWS.
-- Constantly change subnet on your EWS.
-- Use subnet summation on EWS.
-- Use a router to bridge the different subnet/VLAN.

In GENERAL, one would want to keep things that doesn't NEED to talk to each other segregated. This reduce the breadth you need to troubleshoot if something goes haywire.

Hi, thanks for your reply.

the one VLAN I mentioned, would be one machine VLAN, which is seperate to the enterprise VLAN that connects all the PCs on the factory floor to their email, etc.

russg · Nov 11, 2020

rdrast said:
I always install several networks per line. At the very least, I have a pure local 192.xxx.yyy.zzz/24 network for IO and drives, and a completely separate network for HMI's. If I have enough IO/Drives, I'll often split them into two local networks. I might also have one for video.
Each line has a single home run, to a central Level 3 switch that controls access to the machine HMI network (also allows access to PLC's), and the machine servers. There is one other single home run to the Plant Enterprise network, that is locked down on an IP basis, as to what PC's can get to the Machine network.

Cumbersome, but it works well, and keeps me from butting heads with IT for everything.

Thanks for your reply.

That's interesting. do you have any diagrams showing an example of this?

russg · Nov 11, 2020

So if we look at the example I've posted. Is this possible?

rdrast · Nov 11, 2020

No, unless you are doing something fancy in high level switches. You have duplicate ip's hitting the upstream switch. That is why I use completely separate IO networks, including multiple Ethernet adapters in the PLC rack.

russg · Nov 11, 2020

Jim3846 said:
If your local machines are on a local network. I would use the NAT switch to map the local network to a real IP in your plant, so that you can connect all the machines without changing the original IP (a lot of work to avoid).

So if you look at my diagram. If the top switch was a NAT switch would it be possible to have duplicate IP addresses like shown?

russg · Nov 11, 2020

rdrast said:
No, unless you are doing something fancy in high level switches. You have duplicate ip's hitting the upstream switch. That is why I use completely separate IO networks, including multiple Ethernet adapters in the PLC rack.

That's what I'm asking really. i know you can't have two IPs on the same network, but I want to know if there is a way to do the above with switches / routers?

And is this how some factories do it?

Dravik · Nov 11, 2020

Yes, a switch w/ NAT will allow you to map the internal/private (192.x in your case) addresses/subnet to public IPs that are unique.

There's different implementations of NAT, 1 to many, 1 to 1, @ the L2 level or @ the L3 level.

rankhornjp · Nov 11, 2020

russg said:
So if you look at my diagram. If the top switch was a NAT switch would it be possible to have duplicate IP addresses like shown?

Yes, depending on the switch capabilities.

I usually recommend a NAT switch on each machine and then setup the NATing like this:

Say, your plant network is 10.0.0.*

Line 1 switch will NAT 192.168.0.* to 10.0.1.*
Line 2 switch will NAT 192.168.0.* to 10.0.2.*
So forth for however many machines you have.

Here is a Rockwell/Cisco guide that does a good job of explaining how to do setups like you have.
https://literature.rockwellautomation.com/idc/groups/literature/documents/td/enet-td007_-en-p.pdf

VAN · Nov 12, 2020

harryting said:
As you realized already. There' so many different ways of doing it one almost run into paralysis on how to proceed. To narrow down your option, start clarify your priority. Also, learning more how different network segregation strategy will help.

Some of thing to consider:

- Having one single VLAN is the same as not having any VLAN
- One do not need VLAN to segregate traffic. Having different subnet will do that.
- If you have one Engineering station and want to talk to different subnet then you would have to either:

-- Having multiple network port on the EWS.
-- Constantly change subnet on your EWS.
-- Use subnet summation on EWS.
-- Use a router to bridge the different subnet/VLAN.

In GENERAL, one would want to keep things that doesn't NEED to talk to each other segregated. This reduce the breadth you need to troubleshoot if something goes haywire.

When setting up a server for sites I would just have the server with multiple IPs on the one NIC. I don't know if this is the best solution as we had a single VLAN with multiple subnets.

I only had one major issue with the setup but that was because someone moved a ethernet cable to a random switch that caused a weird circle configuration. The network was unhappy and I ripped out a couple switches and made them a single VLAN instead of two mixed switches (multiple VLANs). I wasn't happy that day.

russg · Nov 13, 2020

rankhornjp said:
Yes, depending on the switch capabilities.

I usually recommend a NAT switch on each machine and then setup the NATing like this:

Say, your plant network is 10.0.0.*

Line 1 switch will NAT 192.168.0.* to 10.0.1.*
Line 2 switch will NAT 192.168.0.* to 10.0.2.*
So forth for however many machines you have.

Here is a Rockwell/Cisco guide that does a good job of explaining how to do setups like you have.
https://literature.rockwellautomation.com/idc/groups/literature/documents/td/enet-td007_-en-p.pdf

That's great, thank you.

I've got a couple of documents by Cisco and Rockwell about networking, but didn't have this one.

Question about plant networks / VLANS

russg

Member

Jim3846

Member

harryting

Lifetime Supporting Member

rdrast

Lifetime Supporting Member

russg

Member

russg

Member

russg

Member

russg

Member

rdrast

Lifetime Supporting Member

russg

Member

russg

Member

Dravik

Member

rankhornjp

Member

VAN

Member

russg

Member

Similar Topics