Subnets, vlans, and network design

[ahackwor]

I have found a lot of good information about industrial networks here but I am still unclear on subnets and vlans.

Let's say we have the following network:

Process 1 - subnet: 10.10.1.0/24
Process 2 - subnet: 10.10.2.0/24
Process 3 - subnet: 10.10.3.0/24
Historian and engineering workstations - subnet: 10.10.4.0/24

I want to have each process on its own subnet but the PLC in Process 1 does need to message the PLC in Process 2. The computers in subnet: 10.10.4.0/24 would need to be able to communicate to all of the devices on all 4 subnets.

Would each subnet have its own vlan?
Would I need a layer 3 switch to connect the 4 subnets?
What goes into the vlan configuration?

 

[steelblue48310]

My understanding is that with either 'discrete' networks or Vlan's, you would need a router between networks. Vlan's allow for 'virtual' physical networks in the same hardware rack. The router would then be configed what traffic was allowed from subnet to subnet.

 

[steelblue48310]

Also, a Layer 3 switch could work, since it can do quite a lot of 'routing' (depending on brand and firmware)... If there isn't "other" traffic on the 'process' subnets, there isn't much need for Vlan's. (It would all be TCP/IP anyway) Broadcasts and such would still need to go to all 4 subnets. As for the Vlan configs, it is very important to know more about the bigger picture! (No need to tell you to forward or filter certain packets if they aren't there to begin with)

 

[cbuysse]

Nothing that you've described so far would require you to use any special routers or switches. All you'll need to do is set all of the subnet masks to 255.255.248.0

You're really only setting up one subnet - one where all of the IP addresses have first octet as 10, the second octet is 10, the third octect any number between 0 and 7, and the fourth octet completely open. 248 corresponds to binary 11111000. So the 248 in the third octet of the mask means that all of the devices in this subnet have to have the same value for the highest five binary digits there - in your case they're all going to be 0. The mask will ignore the lowest three digits so you're free to make them any value you wish - thus this octect can be any number between 0 and 7.

This will give you room to add a couple of new process lines in the future without having to reprogram any of the existing equipment.

 

[Timbert]

Each subnet doesn't have to have its own VLAN but having each subnet as its own VLAN is a good way to create physical segmentation of the network. This works well if everything is in close proximity. VLANs create logical segmentation.

As an example lets assume each line in process is connected to a single switch and its own subnet. While there is an engineering station on each of the three switches.

You will need a layer 3 switch to communicate between the subnets.

When configuring a VLAN you configure which physical ports on each switch are connected to each VLAN.

In the above example switch one will handle all the .1 traffic, switch two the .2 traffic, and three the .3 traffic. On each switch one port will be configured to the engineering VLAN.

You then configure the level 3 switch to allow cross VLAN traffic. So when any of the engineering stations need to talk to a controller the traffic is routed to the correct VLAN (and subnet).

 

[ahackwor]

cbuysse,

Thanks for your comments. The network in the first post is a simplified example of my plant. We actually have hundreds of Ethernet devices in the plant.

Each process may have dozens or even a hundred devices, so we would not want the whole plant on one subnet.

 

[The Plc Kid]

A layer 3 switch or a router won't pass a broadcast (255.255.255.255 or FF:FF:FF:FF:FF:FF). If routers passed that traffic, the backbone routers on the internet would crash. You must use directed broadcasts if you need to use broadcast traffic. IP or UDP broadcast will not route. Some automation equipment and other hardware use broadcast.
You can also have issues with using multicast across vlans with some equipment. Just things to be aware of.
The key difference between a layer 3 switch and a firewall or router is a switch is very simplistic where you configure you vlans and intervlan routing but a firewall or router you can be very specific and granular about your traffic.
I like stratix 8300 if I am going to do routing in the switch as you can do a lot of good things as it is a cisco IOS using CLI. Other layer 3 smart switches are not as full featured and all they give youis what the GUI has.
As others have posed unless you have a lot of traffic it is not a must but it does make it nice to segregate by process so that when there are issues they are contained to one area and not network wide. Also makes traffic issues much easier to troubleshoot.

 

[The Plc Kid]

When configuring a VLAN you configure which physical ports on each switch are connected to each VLAN.

This is only true for router and switches that only support static vlans. Most routers and firewalls can do dynamic vlans where traffic routes and vlan assignment is based on vlan tag and device MAC address.

The same hold true for end to end vlan setups.

 

[surferb]

As Timbert pointed out, you can separate traffic at layer 3 (IP) with subnetting. However, adding VLANs (layer 2) in that sort of scheme is the "right" way to do it. Here are some reasons:

1. Broadcast domains. Broadcast/multicast traffic will be segmented. This keeps traffic down and can separate problematic devices

2. Routing. In either case you'll need a router or layer 3 switch (router) to pass IP traffic between nodes on those networks. Inter-VLAN routing allows devices to communicate between those networks. That's also the point where you can set up your rules (Access control lists, ACLs) which define who can talk to whom and over what ports.

As the PLC Kid pointed out - there are many ways of implementing VLANs. For example, you might statically assign ports, or have IP phones automatically be on a "voice" VLAN based on their hardware (MAC) addresses.

Utilize your IT department. This is their area of expertise. You'll want to do it properly on a good size network, and this probably means VLANs at a minimum. More extreme would be a separate network and less would be subnetting at layer 3 by playing with your subnet masks.

The network in the first post is a simplified example of my plant. We actually have hundreds of Ethernet devices in the plant.

Each process may have dozens or even a hundred devices, so we would not want the whole plant on one subnet.