Best Practice for Isolating PLCs and Manufacturing Equipment


  • Best Practice for Isolating PLCs and Manufacturing Equipment

    When a new machine comes into our facility the PLCs and Variable Frequency drives typically come with their IP addresses in the 192.168.1.XX or 192.168.0.XX ranges. Our IT network is in the 10.0.192.0 - 10.0.207.255 range.

    My first thought is to let the manufacturers keep using what they are used to *(192...)* using. Then we would isolate each machine network. One thought was to use a router at each machine and have the machine network hooked up to the LAN side and our IT network to the WAN. We could use port forwarding to access the PLCs from the IT network to capture manufacturing data or for purposes of modifying the ladder logic in the PLCs.

    Is my approach acceptable? Is there a better method? I am extremely interested in what others are doing to accomplish the same thing.


  • #2
    The 10.x.x.x range and 192.168.x.x range are for "internal" networks, i.e. these IP Addresses will NEVER appear on the Internet (capital I). You will notice that the 10. gives you 1 extra "tuple" than the 192.168. range. This extra "tuple" would let your IT department provide you a whole subnet like 10.1.x.x, while all theirs could be 10.0.x.x. You could then have internal gateways that knew how to route 10.0.x.x to 10.1.x.x and vice versa, where needed (e.g. to an internal email server or internal time server or database server, etc.).

    It really is a function of what you are trying to accomplish. While it seems "arbitrary", there are some advantages to having an entire campus under 10.x.x.x vs. divided between 10.0 and 192.168. Your IT people may actually have some helpful recommendations based on the "business" side goals along with the "manufacturing" side goals.
    There are 10 kinds of people in this world, those who know binary, and those who do not.




    • #3
      You may be surprised that the reason the equipment comes in at 192.168 is because that was the default of the PLC and drive vendor. I just did an application with A-B, and every device was defaulted to a 192.168.1.x IP address, and I had to change all nine devices to a 10.10.10.xx setup. I appreciate that the P2K is defaulted to 10.10.10.10. Makes my life easier.
      If you've done the very best you can, worrying won't make it any better - Walt Disney




      • #4
        I would suggest that you leave each machine/line on its own network, and if you want to network the machine to the plant control network (if possible, put in another network card in the PLC using a different subnet), run it through a managed switch, making the machine/line its own VLAN. Then link all of the VLANs to a tier 2 network for central access for the entire network, and VPN if needed. The danger in putting all of the equipment on the same subnet is traffic and troubleshooting a problem. You press a button and nothing happens or it is delayed. But no matter how you network them, I would suggest you use managed switches, not hubs; it will make it much easier to track down a problem with the network and help manage the traffic. We have done a few plants this way, wired for the VLANs for each line and fiber for the tier 2 and 3 networks, and it works very well. Also makes putting in central data collection much easier.

        JW




        • #5
          I build custom wood CNC wood-working machines. They are all purpose specific, and compact. Each machine typically has a PLC, HMI, and at least one servo drive, all Ethernet connected. We put a router on each machine, so that each machine has its own LAN. The router setup is always the same, with the exception of a unique Hostname. We can always find our machines, no matter where they are on our plant network, and we can access the individual devices with port forwarding. After the machine is commissioned, we know we can always connect, and the IT department does not have to worry about assigning static IP addresses. It also completely isolates network traffic. If you are able to do something like this for your application, you would find it very useful.

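The router-per-machine layout with port forwarding described in posts #1 and #5, modelled as an added example that is not part of any post in this thread: it audits one router's forwarding table and shows which connections from the IT side would reach a device. The forwarding table, the port numbers, the device addresses and the function names `audit` and `translate` are assumptions made for illustration; only the IT range and the 192.168.1.x machine LAN come from the thread.

```python
import ipaddress as ip

# IT range from the first post (10.0.192.0 - 10.0.207.255) as a CIDR block.
IT_NET = list(ip.summarize_address_range(
    ip.ip_address("10.0.192.0"), ip.ip_address("10.0.207.255")))[0]
# Vendor-default machine LAN from the thread, reused behind every router.
MACHINE_LAN = ip.ip_network("192.168.1.0/24")

# Constructed forwarding table for one machine router (all values assumed).
# wan_port -> (allowed source network, device address, device port)
FORWARDS = {
    50201: ("10.0.192.16/28", "192.168.1.10", 502),    # data collector -> PLC
    50280: ("0.0.0.0/0",      "192.168.1.20", 80),     # HMI page, any source
    50244: ("10.0.192.16/28", "192.168.2.30", 44818),  # target on wrong LAN
}

def audit(forwards):
    """Return {wan_port: [findings]} for rules that weaken the isolation."""
    findings = {}
    for wan_port, (src, dst, _dport) in forwards.items():
        issues = []
        if not ip.ip_network(src).subnet_of(IT_NET):
            issues.append("source not limited to the IT range")
        if ip.ip_address(dst) not in MACHINE_LAN:
            issues.append("target outside the machine LAN")
        if issues:
            findings[wan_port] = issues
    return findings

def translate(forwards, src, wan_port):
    """Model the router's decision: (device ip, port) if forwarded, else None."""
    rule = forwards.get(wan_port)
    if rule is None:
        return None  # no forward configured: the WAN side drops the packet
    allowed, dst, dport = rule
    if ip.ip_address(src) not in ip.ip_network(allowed):
        return None  # source is not on the allow-list for this forward
    return (dst, dport)

if __name__ == "__main__":
    print("IT network:", IT_NET)
    for port, issues in audit(FORWARDS).items():
        print(port, "->", "; ".join(issues))
```

Because every machine sits behind its own router, the same 192.168.1.0/24 plan can repeat on each machine; only the router's WAN address and hostname differ.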