Hey guys,
Automation engineer here with limited network knowledge, and I would really appreciate any guidance and knowledge the community can spare. I don’t need it done for me, just pointed in the right direction. See attached for the diagram.
network.pdf (181 KB)
Picked up a switch/router to try and get this job done. If we can get it to work, we’ve saved over 30k compared to a traditional setup, using a $500 switch.
I have 28 Allen Bradley PLCs that are getting added to a SCADA network. These PLCs have their own Ethernet/IP network, complete with robots and field devices. They are nearly identical copies of each other.
Questions:
What is the best strategy for the isolation of interfaces/ports from one another?
– So machine 1 can’t send packets to machine 2. This would be bad.
What is the best strategy for doing NAT?
– Do I need both SRC and DST nat rules?
– Do I need MAC addresses off the PLCs’ NICs?
What is the best strategy for the isolation of interfaces/ports from one another?
– So machine 1 can’t send packets to machine 2. This would be bad.
Given that PLCs/SCADA won’t be sending Gbps of traffic, the most straightforward method I’d use is setting the same horizon value on all the ports of the bridge:
Set the same value for a group of ports to prevent them from sending data to ports with the same horizon value. Split horizon is a software feature that disables hardware offloading.
What is the best strategy for doing NAT?
– Do I need both SRC and DST nat rules?
– Do I need MAC addresses off the PLCs’ NICs?
Why NAT? You’re concerned about PLCs communicating with each other, but will expose each to the internet?
Much simpler, cleaner, safer, better control, and best practice: set up a VPN server (you have several to choose from within ROS), connect via VPN to the CRS354, then go straight to the local PLC IPs.
Tip: Set the bridge arp mode to proxy-arp, this way you could assign IPs from same LAN range to VPN connections, no need for NAT nor setting routes on client VPNs.
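A worked RouterOS configuration for the two points in the reply above (the same horizon value on every PLC port, and proxy-arp on the bridge), added here as an example; it is not the poster's configuration and is not taken from the thread. It assumes the bridge is named bridge-plc, ether1 is the uplink towards the SCADA side, ether2 through ether29 are the 28 PLC ports, and the VPN server itself (whichever ROS option is chosen) is configured separately.

```routeros
# Added example, not from the original thread. Names below are assumptions:
# bridge-plc, ether1 (SCADA/uplink), ether2..ether29 (one PLC machine each).

# Bridge with proxy-arp, so VPN clients can be given addresses from the same
# LAN range as the PLCs and reach them without NAT or per-client routes.
/interface bridge
add name=bridge-plc arp=proxy-arp protocol-mode=none

# Uplink/SCADA port: no horizon, so it can talk to every PLC port.
/interface bridge port
add bridge=bridge-plc interface=ether1

# All 28 PLC ports share horizon=1: ports with the same horizon value are never
# forwarded to each other, so machine N cannot send frames to machine M, while
# each can still reach ether1. Horizon is a software feature, so traffic on
# these ports is CPU-switched rather than hardware-offloaded (fine for PLC rates).
:for i from=2 to=29 do={
    /interface bridge port add bridge=bridge-plc interface=("ether" . $i) horizon=1
}

# Checks: every PLC port should show horizon=1 and the uplink none;
# the host table should never learn a PLC MAC on a different PLC port.
/interface bridge port print where horizon=1
/interface bridge host print
```

If a VPN pool is taken from the PLC subnet, the bridge (not a separate routed interface) should hold the gateway address for that subnet so that proxy-arp can answer for the VPN clients; a quick test is to ping one PLC from a second PLC's port (should fail) and from a VPN client (should succeed).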