asmaint2
Supporting Member
I am in process of implementing a new network to separate the manufacturing floor from the Enterprise network. See attached basic diagram.
I have a 5400 that will be my router. (there are actually two 5400s that will act as redundant routers with separate connections to the firewall when IT opens a second port for me).
There is fiber ring using REP connecting the router to multiple 5700s around the plant. These 5700s are used as IDFs with machine levels switches attached to them via copper connections. So port Fa1 of IDF1 goes to cell #1 switch Gi1
The machine level switches then have all of the automation devices attached.
IT has given me 20 subnets to use. Each will be it's own VLAN except the first one. The first subnet will be the home of the firewall and, router, and all switch management addresses. Possibly someone will tell me my machine level switches shouldn't be in this subnet, but read on.
My goal is to have different areas of the plant on their own VLANs, such as all stamping presses VLAN 225, customer specific welders on VLAN 226... and so on. There will be multiple machines that will need to share data with central PLC for process monitoring and every machine will need to share data with an Application server hosting Transaction Manager and XL Reporter software.
At the machine level I want to use NAT so I can follow an IP mapping scheme when building equipment.
I read in another thread that it was good practice to separate the management and CIP VLANS, but I haven't found any documentation to explain the steps when NATing is involved and you want to include the switch in your Studio 5000 IO tree.
I have made most of this work in testing, with the exception that I can't figure out how to add the machine level switch to an IO tree, because of due to having the management and CIP split.
Here some details of my setup;
DF1 Fa1 to Machine#1 Gi1- Smartport roles as Switch for Automation.
IDF1- IP- 10.37.224.10
IDF1 Gtwy- 10.37.224.5(router IP)
Note: Router has routing template set and routing enabled.
All Vlans are configured on the router with static IPs.
All vlans are configured on each IDF with no IP.
Only the Vlans needed are configured on the machine level switches with no IP.
Machine #1 IP- 10.37.224.100
Gtwy-10.37.224.?? Not sure if this should be the address of the router, the IDF, or Vlan1
The management Vlan is 1.
The CIP Vlan is 225. The CIP IP is then 10.37.225.1.
Machine #1, PLC IP is 192.168.1.10 with a gateway of 192.168.1.1
Machine #1 NAT translation is;
Private-192.168.1.10 to public-10.37.225.11
Gateway translation of 10.38.225.1 to 192.168.1.1
I want the switch to have a private address of 192.168.1.2 and I believe I need to have
public to private translation for this, but not sure what public IP to use.
Any advice will be greatly appreciated!
I have a 5400 that will be my router. (there are actually two 5400s that will act as redundant routers with separate connections to the firewall when IT opens a second port for me).
There is fiber ring using REP connecting the router to multiple 5700s around the plant. These 5700s are used as IDFs with machine levels switches attached to them via copper connections. So port Fa1 of IDF1 goes to cell #1 switch Gi1
The machine level switches then have all of the automation devices attached.
IT has given me 20 subnets to use. Each will be it's own VLAN except the first one. The first subnet will be the home of the firewall and, router, and all switch management addresses. Possibly someone will tell me my machine level switches shouldn't be in this subnet, but read on.
My goal is to have different areas of the plant on their own VLANs, such as all stamping presses VLAN 225, customer specific welders on VLAN 226... and so on. There will be multiple machines that will need to share data with central PLC for process monitoring and every machine will need to share data with an Application server hosting Transaction Manager and XL Reporter software.
At the machine level I want to use NAT so I can follow an IP mapping scheme when building equipment.
I read in another thread that it was good practice to separate the management and CIP VLANS, but I haven't found any documentation to explain the steps when NATing is involved and you want to include the switch in your Studio 5000 IO tree.
I have made most of this work in testing, with the exception that I can't figure out how to add the machine level switch to an IO tree, because of due to having the management and CIP split.
Here some details of my setup;
DF1 Fa1 to Machine#1 Gi1- Smartport roles as Switch for Automation.
IDF1- IP- 10.37.224.10
IDF1 Gtwy- 10.37.224.5(router IP)
Note: Router has routing template set and routing enabled.
All Vlans are configured on the router with static IPs.
All vlans are configured on each IDF with no IP.
Only the Vlans needed are configured on the machine level switches with no IP.
Machine #1 IP- 10.37.224.100
Gtwy-10.37.224.?? Not sure if this should be the address of the router, the IDF, or Vlan1
The management Vlan is 1.
The CIP Vlan is 225. The CIP IP is then 10.37.225.1.
Machine #1, PLC IP is 192.168.1.10 with a gateway of 192.168.1.1
Machine #1 NAT translation is;
Private-192.168.1.10 to public-10.37.225.11
Gateway translation of 10.38.225.1 to 192.168.1.1
I want the switch to have a private address of 192.168.1.2 and I believe I need to have
public to private translation for this, but not sure what public IP to use.
Any advice will be greatly appreciated!
