Isolating Networks

Ray S (Member; Join Date: Nov 2009; Location: Ontario; Posts: 37)
Hi, I have a question about isolating a control network from the plant VLAN network. In a new project the control network would have a CompactLogix with Ethernet control to 2 PowerFlex drives and a PanelView HMI connected through a switch.
The plant network would be connected to the same switch and used for data collection and remote program access to the CompactLogix only.

Can we isolate the PowerFlex drives and PanelView Ethernet so they would not be visible or allow access from the plant network, and only access to the CompactLogix would be allowed?
 
Yes, there are many ways to do this.

A conservative and easy-to-implement approach is to select a CompactLogix that can take two Ethernet modules: one will be for the plant network, the other will be for data collection.

The other is to involve a router and/or managed switch(es) that create VLANs, separate their traffic, apply Quality of Service metrics, and possibly allow for redundancy and failover through link aggregation or a ring topology. You'll probably want someone with an IT background helping you craft a solution that complements your corporate network in that case.
 
What you would do is use a 1768-L4 series CompactLogix processor with 1768-ENBT modules. One ENBT would be set to an address on your plant network and the other would be set to a private network address (most often 192.168.1.x). All of your devices would be on the 192.168.1.x network and the access from outside would be via the other ENBT card.

Honestly though, I wouldn't be TOO concerned about your current setup. If you're communicating via a switch, the traffic between the PLC and the drives is going to stay between the PLC and the drives (switches only broadcast on the channel the packet's destination is connected to; hubs broadcast everything on every channel).

Where people run into the most trouble is when they have a processor at one end of the plant, an HMI or Remote I/O rack at the other end, and use the corporate network infrastructure to connect them. This is a very, very bad idea. EtherNet/IP is not TCP/IP, and it will wreak havoc on any network that's used this way. But if everything is confined to one switch and the only connection to the corporate network is an uplink from that switch, this generally doesn't cause a problem. The advantage of separating them completely is that you don't have a bunch of control devices taking up valuable IP addresses on the main corporate network. Your IT people might not like you very much if they have to give you 50 addresses for your stuff (half a dozen for this system, half a dozen for that; they add up fast), especially if they're not prepared to do more advanced networking setups.
 
Quote: "Can we isolate the PowerFlex drives and PanelView Ethernet so they would not be visible or allow access from the plant network, and only access to the CompactLogix would be allowed?"

Sure.

Because there are so many different ways to implement this, to determine what is the best method for you, you need to ask yourself: "why?"

It sounds like you are doing it mostly for security reasons. You don't want people mucking about on the control network. Good idea. Now you have to figure out what the most serious viable threat is. Is it just some bored front-office person, or maybe a fat-fingered programmer who thinks he is working on the development system but is really controlling the plant floor? What is the worst damage if they succeed?

The simplest solution is, as Boson and the Hand suggest, to use two Ethernet cards. Just be aware this cannot stop a knowledgeable and determined actor from getting in.

The other end of the spectrum is a full blown firewall between the enterprise network and the manufacturing network. That's a lot more work, but will stop all but the most determined foe (I don't believe any network can be totally secure).

The system I'm currently working on was designed using the former method. When we added safety-critical traffic, we went tin-foil-hat paranoid and are in the process of adding a firewall.
 
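The two designs discussed above (a CompactLogix with one Ethernet module on the plant network and one on a private 192.168.1.x network, and a firewall between the enterprise and manufacturing networks) both come down to the same policy: plant hosts may reach the controller's plant-side address for programming and data collection, and nothing on the control side is reachable from the plant. The following is an added example, not code from any of the posters or from Rockwell; the subnets, host names and addresses are made-up assumptions, and the rule list is one way of writing the policy the thread asks for. It checks that the address plan is consistent (no overlap between the two networks, every device on its intended subnet, no duplicates) and evaluates sample flows against a first-match, default-deny rule set using the standard EtherNet/IP ports (TCP 44818 for explicit messaging, UDP 2222 for implicit Class 1 I/O).

```python
"""Model of the plant/control network isolation discussed in the thread.

Constructed example: the subnets, device names, addresses and rule list are
assumptions made for illustration, not from the original posts.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# EtherNet/IP well-known ports: CIP encapsulation / explicit messaging on
# TCP 44818, implicit (Class 1) I/O on UDP 2222.
ENIP_EXPLICIT_TCP = 44818
ENIP_IMPLICIT_UDP = 2222

PLANT_NET = ipaddress.ip_network("10.20.30.0/24")     # assumed plant VLAN
CONTROL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed private control net

# Assumed address plan: the controller has one address on each network,
# everything else lives only on the control network.
DEVICES = {
    "compactlogix-plant":   ("10.20.30.50",  PLANT_NET),
    "compactlogix-control": ("192.168.1.1",  CONTROL_NET),
    "powerflex-1":          ("192.168.1.11", CONTROL_NET),
    "powerflex-2":          ("192.168.1.12", CONTROL_NET),
    "panelview":            ("192.168.1.20", CONTROL_NET),
}


def check_address_plan(devices=DEVICES, plant=PLANT_NET, control=CONTROL_NET):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    if plant.overlaps(control):
        problems.append(f"{plant} overlaps {control}")
    seen = {}
    for name, (ip, net) in devices.items():
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            problems.append(f"{name}: {ip} is not in {net}")
        if ip in seen:
            problems.append(f"{name}: {ip} duplicates {seen[ip]}")
        seen[ip] = name
    return problems


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str               # "tcp", "udp" or "any"
    dport: Optional[int]     # None matches any destination port
    action: str              # "allow" or "deny"

    def matches(self, src, dst, proto, dport):
        return (src in self.src and dst in self.dst
                and self.proto in ("any", proto)
                and self.dport in (None, dport))


PLC_PLANT_IP = ipaddress.ip_network("10.20.30.50/32")

# First-match policy, as a firewall between the plant and control networks
# would enforce it: plant hosts reach only the controller's plant-side
# address, and only for explicit messaging (programming, data collection).
# Everything else from the plant is dropped; the control network talks
# freely among its own members.
POLICY = [
    Rule(PLANT_NET, PLC_PLANT_IP, "tcp", ENIP_EXPLICIT_TCP, "allow"),
    Rule(PLANT_NET, CONTROL_NET, "any", None, "deny"),
    Rule(PLANT_NET, PLC_PLANT_IP, "any", None, "deny"),
    Rule(CONTROL_NET, CONTROL_NET, "any", None, "allow"),
]


def evaluate(src_ip, dst_ip, proto, dport, policy=POLICY):
    """First matching rule decides; no match at all means deny."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in policy:
        if rule.matches(src, dst, proto, dport):
            return rule.action
    return "deny"


if __name__ == "__main__":
    print("address plan problems:", check_address_plan())
    for flow in [("10.20.30.7", "10.20.30.50", "tcp", ENIP_EXPLICIT_TCP),
                 ("10.20.30.7", "192.168.1.11", "tcp", ENIP_EXPLICIT_TCP),
                 ("10.20.30.7", "10.20.30.50", "udp", ENIP_IMPLICIT_UDP),
                 ("192.168.1.1", "192.168.1.11", "udp", ENIP_IMPLICIT_UDP)]:
        print(flow, "->", evaluate(*flow))
```

The rule set expresses the intent; whether it is enforced depends on the design. A firewall or router ACL between the two networks can implement it directly. The dual-module controller only gives you the two addresses: the PLC does not filter traffic between its own modules, and CIP messages can be routed through the backplane from one Ethernet module to the other, which is why the "two Ethernet cards" option is described above as not stopping a determined actor.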
