AB Stratix 5700 configuration problem

[nightline]

Gents,

I'm working on a new machine which has about 50 local EthernetIP addresses in use including PLC, 2 HMI's, 16 axis Kinetix 5700 servo rack, 9 PF527 vfd's, MAB guardlocking including pushbuttons, 3 PointIO stations, 4 Cognex Vision camera's etc.
All these addresses are in the 192.168.1.X range and connected to a 20 port Stratix 5700 full software managed switch.
The public address range is 10.10.10.X for example.
I've one default VLAN which has address 192.168.1.80.
The switch has also address 192.168.1.80 and is in IO tree of the PLC.

In the NAT table I've configured single rules for the PLC and HMI's and the switch, so these should be accessible from outside.

I also configured a gateway rule 192.168.1.1 to 10.10.10.1

The PLC is connected to switch port G1/2 and the public network is connected to switch port G1/1.

In the NAT table I can mark the VLAN 1 for both G1 ports.
If I mark one of these ports for VLAN 1, I loose all connections with the PLC, but I can reach the PLC from outside.
If I don't mark these VLAN 1, I can't reach the PLC from outside.

Can anyone point me what I have to do to get this working?

The PLC, HMI's and Switch should be accessible from the public network without loosing connection with all local addresses.

It's probably something simple or stupid, but it breaks my head!

I hope that any of you can shine a light on this.
Thanks in advance!

Jack

 

[Vlad Romanov]

This may not be the problem, but what's your PLC & what's the number of connections to it over EtherNet? I've had older PLCs (L32Es) display the same behavior as they can only take 8 EIP connections. Once you remote into it, it would lose all other comms.

Also, please post your NAT config table for both private & public sides. I'm not entirely following everything you have configured.

 

[nightline]

The PLC is a ControlLogix L82SE.
I'm not sure about the amount of connections, and I'm unable to check right now.
But during the configuration of the whole system, we did a calculation on this.

I'll try to upload the image of the NAT config.

 

[Vlad Romanov]

The PLC is a ControlLogix L82SE.
I'm not sure about the amount of connections, and I'm unable to check right now.
But during the configuration of the whole system, we did a calculation on this.

I'll try to upload the image of the NAT config.

Ah, the PLC is definitely not the problem here; the L82SE will handle those without any issue.

 

[nightline]

I've no idea how to insert an image as it asks for an URL...

So there is a tab for general (private to public) where I created the following rules:
private 192.168.1.121 > public 10.10.10.243 ( HMI-1 ) Type = Single
private 192.168.1.120 > public 10.10.10.242 ( HMI-2 ) Type = Single
private 192.168.1.80 > public 10.10.10.241 ( Switch )Type = Single
private 192.168.1.9 > Public 10.10.10.240 ( PLC ) Type = Single

On the right side of this Tab is a box where you can mark the VLAN for both th G1 ports.

There is also a tab Public to Private where I created the same rules.

 

[samski]

How many vlan to you need?
And dont your gateway rule be 10.10.10.1 TO 192.168.1.1 ?

 

[nightline]

How many vlan to you need?
And dont your gateway rule be 10.10.10.1 TO 192.168.1.1 ?

You are right on this, the gateway rule is 10.10.10.1 to 192.168.1.1

I've no idea how many VLAN's I need, the switch creates one native VLAN during the first setup.

I tried a second VLAN without IP address for all local addresses, and made the port setting for the PLC port to accessible to all VLAN's. But this didn't solve the problem.

 

[samski]

What happen if you mark both G1 port in the same vlan?

 

[Dravik]

Is your uplink port to the public range setup as an access port or a trunk port?

What VLAN is your public range on? (This needs to match the VLAN your private range sits on)

 

[nightline]

What happen if you mark both G1 port in the same vlan?

In that case, I can reach the PLC from the public side, but the PLC looses all connections with the drives and HMI's etc.

 

[nightline]

Is your uplink port to the public range setup as an access port or a trunk port?

What VLAN is your public range on? (This needs to match the VLAN your private range sits on)

In the VLAN settings I can only set one IP address.
This VLAN is configured by the switch during setup.
During this setup it got 192.168.1.80 which is also the private address of the switch.

In the NAT table the address 192.168.1.80 got rules to 10.10.10.241.

 

[nightline]

Do you think that I should create a second VLAN with the IP address 10.10.10.241 which is the public address of the switch and connect this to G1/1?

And connect VLAN 1 to all other ports?

 

[Contr_Conn]

Unless I am missing something in your description, the NAT should be applied to Gi1/1 configuration only.
Gi1/2 left as a regular port with Automation Device Smart pot macro applied.
Gi1/2 should be part of VLAN 1

Gi1/1 should be set for Switch for automation that automatically makes it as a trunk make sure you specify Native VLAN to match you upstream settings.
If your upstream switch is using a different native VLAN then this needs to be addressed on your switch by creating that VLAN.

Saying this, what is VLAN number for the rest of your "10.10..." network? it must match VLAN of your "10.10.." network.

It would help if you post you config file and network diagram showing all you VLANs.

 

[Contr_Conn]

Here is the slide from the old NAT presentation that technically does the same as what you are trying to do.

 

[Contr_Conn]

Here is a multi-VLAN architecture from the same presentation