Device in local and plants networks

Hello guys

I would like to know how Control's Engineers are managing this around the world.

As you know there are several devices that connect to the PLC via ethernet.

Usually we use a ControlLogix with 2 ethernet cards:
- one for the Plants network which is in a Vlan
- and the other is a local network, where we connect Panelviews, barcode readers, safety scanners, vision cameras, etc.

Everytime we have to check something in that local network, we gotta go runnining and connect via cable so we can connect and modify parameters or safety zones, etc

Another thing we did is we connected a laptop to the device and then we VNC it, but sometimes we cant get our hands into that extra laptop, or sometimes we need it in more than one place at a time.

Is there a way that those devices can be setup so they can be in both networks ? I would think that it could be possible with an administrative switch, or something like that.


Also, this is maybe way off, but since its connection to the plants network is only necessary when we need to work on it, can it be turned off so that it won't contribute to plants network traffic. (disabling ports or something like that).

Thanks in advance guys

You want something called a NAT. I would suggest get the Rockwell 1783-NATR to start off. This gives you this exact capability. You can use this with your local switch. If you want to upgrade your switch too, you can look into a managed switch. Rockwell has Stratix 5700 which also does NAT, if you buy the right option(Part number ending in 'N').

Regards,
-PreLC

Drilling Across the Back Plane

ControLogix PLCs with multiple Ethernet IP networks are very common. In manufacturing plants with many PLCs the Plant Network is the best & easiest way to access any one PLC however, as you stated you can not get to the IO devices (IO nodes, VFDs, etc.) on the Local IO network. With the latest ControLogix PLCs (1756-L8x) the port for the Ethernet IP Local IO is usually built into the PLC module. The Plant Network is then a 1756-ENBT or 1756-EN2T / EN3T etc. If you are accessing the ControLogix PLC via the Plant Network / 1756-ENBT / EN2T the Local IO network can be accessed by opening RSLinx, expanding the PLC IO tree, right clicking on the ConroLogix backplane and "drilling / mapping" from the 1756-ENBT / EN2T / EN3T to the Local Ethernet IP network. When you open up your project & go online, the devices on Local Ethernet IP IO network can be accessed (right click & properties). Note: I have done this many times before but I have recently retired & am on vacation right now so the actual procedure above was written down from memory but the Local Network must be "mapped" from RSLinx first. Hope this helps.

If you have multiple PLCs in the local network, you can create a tunnel using RSLINX to access those PLCs & its IO devices.... but not Barcode reader, camera.
You might be able to download an MER to the HMI(?)
1756-EN2T is expensive but not a full solution if you want to access other devices like barcode reader , camera and such...
I think the best and cheap solution is to use a Skorpion router.

BachPhi said:

If you have multiple PLCs in the local network, you can create a tunnel using RSLINX to access those PLCs & its IO devices.... but not Barcode reader, camera.
You might be able to download an MER to the HMI(?)
1756-EN2T is expensive but not a full solution if you want to access other devices like barcode reader , camera and such...
I think the best and cheap solution is to use a Skorpion router.

Click to expand...

I don't think MER transfer is possible, as jumping through backplanes is only possible for CIP communication, not simple TCP/IP.

PreLC said:

You want something called a NAT. I would suggest get the Rockwell 1783-NATR to start off. This gives you this exact capability. You can use this with your local switch. If you want to upgrade your switch too, you can look into a managed switch. Rockwell has Stratix 5700 which also does NAT, if you buy the right option(Part number ending in 'N').

Regards,
-PreLC

Click to expand...

Yes, it is NAT. We used PFSense based Firewall/Routers at the last plant I worked at and would setup our devices to have translated IP addresses for the nodes we desired to connect to remotely.

So for example, all of the vision and Cognex cameras were translated from 192.168.1.XXX to 10.1.1.XXX The PFSense is used the opposite of a standard firewall used on a PC. The firewall for PFSense opens all ports for incoming connections and blocks all ports for outgoing connections (to prevent the PLC's or devices from connecting to anything in the plant network unless explicitly assigned to). A normal PC firewall blocks all incoming connections and allows all outgoing connections. So the operation is reversed!

You simply need devices that are Layer 3 NAT capable and you can specify to IT (or do it yourself if okay) which nodes you need translated and they should give you those IPs.

Keep in mind that Ethernet/IP traffic from what I'm aware is not allowed any hops (to be routed to a different network/subnet) so all of that traffic should be local on the same subnet.

The other option is what was posted earlier to hookup a local PC to that network and then VNC directly into it.

One big mistake is to allow all of your control nodes for the whole plant in the same PLC subnet. We had over 2,000 devices and they would continuously timeout from too much traffic on one broadast domain. I would recommend setting up a VLAN for each major work area or work cell when you have that many nodes. The traffic can still be routed outside if necessary but broadcasts will not hog your whole network.

I am a huge fan of remote control because it saves you long trips and allows to save a lot of down time the faster you can log in.

PreLC said:

I don't think MER transfer is possible, as jumping through backplanes is only possible for CIP communication, not simple TCP/IP.

Click to expand...

If you want to download to HMI then what I did was one of two things...

1.) The plant PLC network was on the WAN 10.x.x.xxx and you can download directly to it or login with a VPN from outside of the network.

2.) You use a firewall/NAT appliance that has the panelview IP address translated to a WAN address. From 192.168.1.xxx to 10.x.x.xxx and the you download directly to that IP or VPN into your plant network and then download to that 10.x.x.xxx Ip address.

IT has the firewall settings and they can set what routes your VPN can access. Such as the ENTIRE plant network of all VLAN's, or just the PLC network VLAN

Maybe I'm missing something in this discussion, but I download .mer files to panelviews and access vfds thru controllogix from my office via 10.xxx.xxx.xxx ENTR cards.

We have a 10.xxx.xxx.xxx card in every chassis for plant access. IO devices are always placed on 192.168.x.xxx cards.

Using the panelview transfer utility, it can take awhile for it to browse and find the panelview (but eventually seems to find it). To speed it up, I can go into my PV development application and manually insert the panelview into the communications tree. PV transfer uses RSLinx enterprise, which allows the pass thru.

If I want to access a VFD from my controllogix IOtree, it is a little different approach. I need to open RSLinx classic, browse to the 1756-ENTR that the drive is on, right click properties (or something like that), and manually add the VFD ethernet address to the pass thru list.

Other ethernet devices do not use RSlinx, so I do not believe you can pass thru for them.

Well I bought the 1783-NATR to connect 2 keyence cameras that are in a local network.
I configure all the hardware and I can ping them from the plants wireless network, but I'm not so sure how far the translation goes by, when I tried to connect to those cameras using the keyence software and their public IPs its not recognized them.
Any configuration Im missing guys?

Bolatov said:

Well I bought the 1783-NATR to connect 2 keyence cameras that are in a local network.
I configure all the hardware and I can ping them from the plants wireless network, but I'm not so sure how far the translation goes by, when I tried to connect to those cameras using the keyence software and their public IPs its not recognized them.
Any configuration Im missing guys?

Click to expand...

Seems like this issue is very popular these days: If you can ping the public IP, but not use a particular software, that might mean that the port is blocked by the NATR.

Refer to this link for some solutions.

Also, you might want to make a separate post about this issue. Gives more targeted solutions.

Regards,
-PreLC

Just a tip. Open your laptop in the cmd window type in tracert 192.168.x.xxx (or the IP address you want). You will see all of the hops/routers the packet takes to get to the destination.

Another tip is to try the following command in the command prompt (that has telnet enabled in windows programs and features) or in putty using...

telnet 192.168.x.xxx (or your ip address) 80 (you can use the suspected port that your device should have open)

This will tell you if the port is open because it tests for a connection. Even though it is not the telnet port it should allow a connection unless the nat device/firewall is blocking that port.

Finally, you can fire up wireshark and in the search filter type in...
IP.src==192.168.x.xxx || IP.dst==192.168.x.xxx
It's an easy way to see what ports you are trying to connect to your device on.

Good luck.