dunc

subnetting question?


Be gentle with me as I am not sure if I am going about this the wrong way, or explaining it particularly well, but here goes....

In simple terms, we have 2 networks on site. One is managed by IT, and the other is managed by myself within the engineering team.

All SCADA PCs are connected to both networks with separate network adapters. All the automation gear is then connected via switches to the relevant SCADA system. The switches are also linked together for the most part, creating a network which is completely transparent from any point. We call this the control network.

Due to the ever increasing size of the control network, I want to look at subdividing it down into areas, but still keep the transparency of devices across the whole network. Would I be right in thinking that I could substitute the 3rd number in the IP address with a number which would define the area? This would then give me 255 addresses available per area.
Would I also be correct in thinking that to achieve this, I would need to change the subnet mask on all machines to be 255.255.0.0 to allow everything to connect to each other, but to still maintain a "marker" to denote the area the device is in?

Hopefully I am right, but if not, please let me know the best way to achieve this without making it too complicated or onerous to maintain.
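As an added illustration of the addressing scheme in the question above (example code, not from the original post), this Python snippet uses the standard ipaddress module to show what a 255.255.0.0 mask on 10.0.x.y addresses does: the third octet stays visible as an area marker, but every host remains on one link and shares one broadcast domain, so the marker labels devices without separating them. The 10.0.x.y addresses are constructed samples.

```python
import ipaddress

# Masks to compare: the flat /16 the question proposes, and a per-area /24.
FLAT_MASK = "255.255.0.0"
AREA_MASK = "255.255.255.0"


def area_of(ip: str) -> int:
    """Third octet of the address: the 'area marker' in the proposed scheme."""
    return ipaddress.ip_address(ip).packed[2]


def same_link(ip_a: str, ip_b: str, mask: str) -> bool:
    """True if two hosts configured with this mask treat each other as on-link
    (direct ARP + delivery, no router involved)."""
    net_a = ipaddress.ip_interface(f"{ip_a}/{mask}").network
    net_b = ipaddress.ip_interface(f"{ip_b}/{mask}").network
    return net_a == net_b


def usable_hosts(ip: str, mask: str) -> int:
    """Host addresses available on the network containing ip under this mask."""
    return ipaddress.ip_interface(f"{ip}/{mask}").network.num_addresses - 2


def broadcast_of(ip: str, mask: str) -> str:
    """Broadcast address a host would use: shows how wide the L2 domain is."""
    return str(ipaddress.ip_interface(f"{ip}/{mask}").network.broadcast_address)


if __name__ == "__main__":
    plc = "10.0.3.20"   # constructed sample: area 3
    hmi = "10.0.7.50"   # constructed sample: area 7
    print("areas:", area_of(plc), area_of(hmi))
    # With the flat mask the two areas are one network; with /24 they are not.
    print("on-link under /16:", same_link(plc, hmi, FLAT_MASK))
    print("on-link under /24:", same_link(plc, hmi, AREA_MASK))
    # Under /16 the whole site is one broadcast domain and one host pool.
    print("hosts under /16:", usable_hosts(plc, FLAT_MASK))
    print("broadcast under /16:", broadcast_of(plc, FLAT_MASK))
    # Under /16, x.y.3.0 and x.y.3.255 are ordinary host addresses, not area
    # boundaries: the third octet is a naming convention the network does not
    # enforce, so a misaddressed device or a broadcast storm reaches every area.
    print("edge addresses on-link:", same_link("10.0.3.0", "10.0.3.255", FLAT_MASK))
```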


Hi! Did you ever test/solve/figure this out?

I've always wondered about the same since subnetting 'should' work the way you describe it, but I never seem to get the hang of it nor make it work exactly the way I want to. The way you describe it is way easier than any other way I can think of, but I've never gotten it to work (at least not in my small practical tests).

Anyway, here's a different approach. It's a bit more complicated, but at the same time very elegant:
By using VLAN (Virtual LAN) and a router you can basically add as many networks as you want to, and at the same time control all the traffic. You will need L3 managed switches (they handle the VLAN Tag) to achieve this, and a firewall that supports VLAN Tags. Here's what you could do:

  • Assign specific VLANs to specific ports on a managed switch (e.g. 10.0.10.0/24 = Tag10, 10.0.11.0/24 = Tag11 and so on)
  • Logical units of equipment that use the same VLAN can be set up with unmanaged (normal L2) switches
  • Use a router on your engineering side that routes between the VLANs you have, and at the same time routes traffic to the IT side

What happens is that the router sends/receives packets with the different VLAN tags to the switches via "TR-Ports" (Trunk ports), which basically means they forward all VLANs. When the switch receives a VLAN-tagged packet it checks which ports are allowed to send/receive the specific VLAN(s). If e.g. the TR-Ports have Tag10 and Tag11, but switchport 1 only allows VLAN10, then only VLAN10 will be forwarded to that switchport. The same, if port 2 only allows VLAN11, only that VLAN will be forwarded through the port. And you also set up TR-Ports between managed switches so that equipment even beyond the first switch can be logically split. I've created a very generic and simple drawing below.

I would also like to point out that you have to be very structured when it comes to what equipment is connected where as the VLANs are basically completely separated networks, so maintain good documentation and proper physical tagging of connection-points etc.

VLANs are basically the same as wiring different networks. Most organizations count two VLANs as secure as two different cabled networks since they basically cannot cross each other. The exception is of course e.g. classified lines for the military/government etc., but the general advice is that you can think of it as two physically divided networks, but they traverse the same cable.

I know this isn't exactly what you asked for since it's most likely a bit more complicated (and probably more costly equipment-wise), but to be honest this would be my preferred method. Security plays a huge role these days even in SCADA networks, and by dividing into logical VLANs/segments you are able to specifically control what data goes where. This is because you route all VLANs through the central router (and most routers today are basically firewalls) that allow you to filter/block specific traffic between your different VLANs. You can, in the same way as you block/allow internet traffic through a firewall, also do the same for your internal networks.

As said, not exactly what you asked for but it's a very elegant solution. My post was just scratching the surface a little, but feel free to post again if you have questions/are interested. I've worked a lot with this kind of setup and we use it at work. It's a great way of controlling access to the different networks (and to make sure that no user or incompetent person is accessing the engineering network).

[drawing: vlan_routing.png]
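The trunk/access port behaviour described in the reply above, as an added example that is not part of the original post: a small Python model that builds and parses 802.1Q-tagged Ethernet frames and applies a per-port VLAN allow-list the way the reply describes (trunk port carrying Tag10 and Tag11, port 1 allowing only VLAN10, port 2 only VLAN11). The frames, MAC addresses and port table are constructed samples, and the model drops untagged frames on the trunk (real switches map those to a native VLAN).

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

# Constructed port table: the trunk carries tagged VLAN 10 and 11, access ports
# carry exactly one VLAN untagged.
PORTS = {
    "trunk-to-router": {"mode": "trunk", "allowed": {10, 11}},
    "port1": {"mode": "access", "vlan": 10},
    "port2": {"mode": "access", "vlan": 11},
}


def build_frame(dst: bytes, src: bytes, vid=None, ethertype=0x0800, payload=b"", pcp=0) -> bytes:
    """Build an Ethernet frame; insert an 802.1Q tag when vid is given."""
    frame = dst + src
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)          # PCP(3) DEI(1) VID(12)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_vlan(frame: bytes):
    """Return (vid, inner_ethertype); vid is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return None, ethertype
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner


def egress_ports(frame: bytes, ingress: str) -> list:
    """Ports the switch would flood this frame to, per the VLAN allow-lists."""
    vid, _ = parse_vlan(frame)
    cfg = PORTS[ingress]
    if cfg["mode"] == "access":
        if vid is not None:
            return []                        # tagged frame on an access port: drop
        vid = cfg["vlan"]                    # untagged: classify into the port's VLAN
    elif vid is None or vid not in cfg["allowed"]:
        return []                            # untagged or disallowed VLAN on trunk: drop
    out = []
    for name, p in PORTS.items():
        if name == ingress:
            continue
        if (p["mode"] == "trunk" and vid in p["allowed"]) or \
           (p["mode"] == "access" and p["vlan"] == vid):
            out.append(name)
    return sorted(out)
```

A frame arriving on the trunk with Tag10 reaches only port1, one with Tag11 only port2, and an unknown tag is dropped, which is exactly the separation the reply relies on for keeping SCADA areas apart.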


I haven't managed to get back onto it, to be honest.

Thanks for the suggestion.

I wanted to keep things simple as IT are not interested in helping (plus they work 9-5 and that is it). I am also the only person on site other than IT that has any networking knowledge. We don't have the resource to manage anything too complicated. Like you said, adding extra items onto the network isn't always a simple case of setting the IP address and plugging it in using your above suggestion.

If in the middle of the night we had a network issue, I would like everything to be physical unmanaged switches so a like-for-like replacement is easier for an engineer. In simple terms, if the lights aren't working, they can get a new switch out of the stores, plug it in and it works.

I do plan to give it a go at some point, just need to free up some time to allow me to sit down and try it in theory and then in practice without disrupting production. I will let you know how I get on.
