General Networking with PLCs

[xC0MMAND0x]

Let's suppose I have a PLC and I want it to talk to 2 different Networks. 2 different networks that can't talk to eachother.

With a ControlLogix, this can be done just by having 2 ENBT cards. 1 on the "PLC / IO" network, and 1 on the "SCADA" network. That way, all of the HMI traffic and connection is separated from the PLC - PLC and IO traffic. Makes sense.

Now, say I'm working with a CompactLogix - that only has a single Ethernet connection. I connect it to a Layer 3 switch into a port that is a member of 2 VLANs - 1 for the "SCADA" network, and 1 for the "PLC / IO" network. Without VLAN Tagging, and message that is sent from the CompactLogix would get assigned the default VLAN for the port - if one is set. How in the world can I get a ComapactLogix to talk to 2 networks - that can't talk to eachother? This has to be not as complicated as I'm making it. There has to be others who have ran into this setup before.

 

[The Plc Kid]

The best way to do this is to make a VLAN for your compactlogix and other devices and then on layer 3 and then use InterVLAN routing to make the PLC VLAN talk to the other 2 VLAN's.

There is no need for the existing 2 VLAN's to talk to each other.

To control traffic in the best way it would be best to do this with a firewall and not just a layer 3 switch. This way you can set rules that only allow traffic flow on the VLAN to and from the devices you need and nothing else.

 

[The Plc Kid]

Some switches will allow you to setup routing down to the device level and some will only do InterVLAN routing on the subnet level.

All depends on what gear you are using.

 

[xC0MMAND0x]

The best way to do this is to make a VLAN for your compactlogix and other devices and then on layer 3 and then use InterVLAN routing to make the PLC VLAN talk to the other 2 VLAN's.

There is no need for the existing 2 VLAN's to talk to each other.

To control traffic in the best way it would be best to do this with a firewall and not just a layer 3 switch. This way you can set rules that only allow traffic flow on the VLAN to and from the devices you need and nothing else.

So you're essentially proposing 3 VLANs?

Vlan10 - SCADA/HMI/SERVER etc
Vlan20 - IO Traffic / VFDs / Process Ethernet Devices
Vlan30 - All CompactLogix PLCs

Connect PLCs to switch access ports on Vlan30 - so all the PLCs can talk to eachother just fine. Use InterVLAN routing to have the PLC-VLAN (Vlan30) talk to Vlan20 and Vlan10?

Is that a correct understanding of what you're saying?

The whole idea is that I don't want my SCADA/HMI traffic to impact the production network, or saturate bandwidth, or be even remotely subject to broadcast storms or other issues that could occur.

Edit - Also, couldn't VACLS be used to ensure only the traffic I want passes between VLANs - as opposed to a true "firewall"? IE using an L3 switch to accomplish what I need.

I'm still learning - I appreciate your help.

 

[The Plc Kid]

Yes 3 VLANs.

Also a VACL is only applied to Ingress traffic and traffic within the VLAN it's assigned to which could be made to work but an ACL / RACL between the VLANs would be easier to setup and manage.

As long as your not connecting to a corporate LAN or the internet at any point a switch /router with ACL will be fine but if you are connecting to a Corporate LAN / WAN or to the internet then you will want a true firewall.

 

[The Plc Kid]

What switch / router are you using? What IOS version?