Stratix 8000 - VLAN overlap

[Paully's5.0]

On aother managed switches I have been able to assign a port to multiple VLANS, trying to figure out how this works on a Stratix 8000 (first time using one). Using the web interface it looks to give the option of assigning a port to just a single vlan. Is there something I am missing? Or do I need to use the CLI to access an option such as this?

Thanks all!

[The Plc Kid]

To do that you will need to setup vlan trunking or in cisco speak VTP vlan trunking protocol and yes this will have to be done in IOS with the CLI interface the webserver will not do it.

You don't need any of these vlans to exchange info do you? just wanted to point out that the 8000 is layer 2 and will not route between vlans. For that you need 8300 which is layer 3 or a firewall or router outside the stratix.

[Paully's5.0]

Thanks Kid, I know that a layer 3 switch would be required to route between VLANS, which is why I'm asking about an overlap. I've downloaded the Cisco Network Assistant and am poking around with it, think I'm on track.

Right now I'm on site, and have a slow day, so this is more of an experiment/educational exercise. Currently I have a single distributed control system with two physically isolated networks, one for IO, and one for SCADA. With 2 1756-EN2T cards in my main chassis for each network. Late in the game I discovered I needed to code MSG instructions to exchange PLC data between a couple of smaller skid system. These systems are simple L35 controllers with flex IO over Ethernet for IO, and a single PanelView+.

Originally I wanted to keep all IO traffic isolated, however with these systems the PV+ and IO are on the same single network. I figured it would be wise to create some VLANS to isolate this skid systems.

VLAN1 - 1756-EN2T(SCADA), SCADA Terminals/Servers
VLAN2 - 1756-EN2T(SCADA), Skid 1
VLAN3 - 1756-EN2T(SCADA), Skid 2

[Dravik]

Something I haven't tried myself, but will the EN2T cards pass VLAN tags or do they rely on the native VLAN of the trunked port?

[The Plc Kid]

Paully's 5.0

I try to isolate in segments like you have don but I try to use the layer 3 switches where I can so I can setup a port that is wired to the grace port on the cabinet and that DHCP range routes to all other segments.

The reason for this is so network tools like ping,arp,and IP scanners,etc work from my laptop to all segments without me havign to change networks or multihoming my NIC card.

[Mark Buskell]

PLC Kid,

Do you know off hand if the 8300 supports a VPN connection?
I did not see it mentioned in the feature list.

[The Plc Kid]

Mark What do you mean by support?

If you are asking if it will provide a VPN then no as it is just a switch. You normally find a VPN in a firewall applicance or a dedicated firewall appliance.

If you are asking if a VPN will work with it then yes and for that fact 8000 works with a vpn also and is quite a bit cheaper. The thing with the 8300 vs. the 8000 is it is a layer 3 switch or router. Like if my line has a filler made by abc inc with ip address of 192.168.1.1 and a case packer by kid industries with a ip address range of 10.10.90.1 and they can't be changed the 8300 will route between them to exchange message instructions, produce / consumed tags ,etc.

If you are looking for something to provide you a vpn that is based in the panel then I suggest a tofino firewall appliance as they are built for industrial protocols,din rail mount,and provide you with vpn access. If you just ned a vpn for a locaton I like to use the free pfsense firewall and open vpn as a cheap solution that will run on just about any cheap pc.

[Mark Buskell]

Thanks PLC Kid

My company is looking at using tofina firewalls. Allen-Bradley was here the other day and they are pushing the 8300 switches. What we are trying to do is segregate the industrial plc's from our IS department (No pushes, No ARP scans that may be interfering with our drives). We still need to be able to access the plc's from outside, hotel, home, etc. and this will still have to come though a VPN which we already have. We have Cisco switches, managed Hischmann switches, VLANS at each plant but as I said we are now looking at taking it to the next level.

[The Plc Kid]

IMO the best way to do that is for you to have a firewall that you maintain and then vpn into it. you manufacturing firewall should have internet access so it's WAN connection could be direct to the internet or a vlan from the IS dept.

In this vlan from the IS dept could also be your DMZ which is where you would want things that the IS dept needs access to like a data historian or something along those line to give data and reports to the corporate guys if you have or need that.

[The Plc Kid]

Also a firewall you control and vpn to will serve as layer 3 and route you to the equipment you need if you have the correct credentials.

Here I can vpn in and get to everything and I have a few guys that can only get to controllers on certain lines.

I like sonicwall firewalls for this as they are a breeze to setup. Sonicwall has a excellent vpn appliance also.

[Paully's5.0]

Quote:

Originally Posted by The Plc Kid

Paully's 5.0

I try to isolate in segments like you have don but I try to use the layer 3 switches where I can so I can setup a port that is wired to the grace port on the cabinet and that DHCP range routes to all other segments.

The reason for this is so network tools like ping,arp,and IP scanners,etc work from my laptop to all segments without me havign to change networks or multihoming my NIC card.

Thanks again Kid, you've brought up a good point about getting access to multiple network segments, think I'll consider the 8300 on the next project.