15 posts in this topic

Ok guys, this is more a networking question involving a Stratix 5700 managed switch and 5 machines. The five machines all have set IP addresses from the OEM that cannot be changed. The manufacturer has them set in the program to maintain that IP, so if it sees the IP change it will change it back. With that being said, all five machines have the exact same IP configuration and I cannot change it without contacting the manufacturer and getting them to change it or sell me the program so I can change it. Both options will cost entirely too much in my opinion. With that being said, my only goal is to read tags from the PLC on each machine. Is there any way to set each port on that Stratix switch where I can communicate with each machine individually without causing them to have IP address conflicts with the other machines that have the same IP address? I hope I explained my question well enough. Thank you in advance for any help on this issue.


I fully understood your post, but I don't know how to solve your issue. What you can probably do if it's a managed switch is to create different VLANs for the different ports on your switch, and disable any VLAN forwarding between the networks affected. At this point we have them separated. However, the problem occurs once you want to poll data (probably from a central place) from all of them. You cannot set up routing since it is based on IP address. I'm honestly not sure if it's possible to solve without purchasing some extra equipment... What you can investigate is if there are any possibilities in TCP/IP to set up some sort of MAC forwarding that gets priority over IP forwarding. That way you could set up routes for MAC addresses, which are unique, and let the IP be more or less a dummy field. But again, I'm not sure this exists.

Here's one suggestion: Buy a simple and cheap router (NAT device) for each machine. Put it in front of the PLC, with the config [InternalNet = PLC, ExternalNet = Stratix]. That way, you create a form of a www inside your plant, with all the PLCs as local branches and your complete intranet as the www. This way you can determine the best "External" IP on each router (different for each of them) and you can set up the "Internal" IP as you wish on each device. It's pretty straightforward networking and you have full control of your plant network, without the interference of the PLCs. I would also gently say that this is a very cheap solution (at least they aren't that expensive anymore in Norway). You can even buy some cheap home-networking NAT device and buy a couple to have in spare if it's an industrial environment... Or you can buy industrial devices which cost more. You might have to do some forwarding in the routers External->Internal. You can trigger the forwarding on port number. Disable firewall if no special purpose.

I've attached a small drawing to explain the topology; the IP addresses are randomly chosen, you have to change them according to your setup. Could this work?

[attached drawing: net.PNG]


The drawing is exactly what I am trying to do. I'm not sure what a NAT device is, I will have to research that. And I am trying to poll them to read the tags that are in them. They are in a temperature-controlled area that rarely goes above or below 70 degrees Fahrenheit, so the residential equipment will probably be fine. I do have a managed switch they all connect to. So just to make sure I understand what you're saying: I need to get a NAT device, which I will figure out what device that does. It sounds really straightforward the way you explained it. Basically this device will take the IP of the PLC and forward it to a different IP that I can use on the PLC network to communicate and poll its tags? Networking is somewhat new to me. Other than putting everything on the same network I haven't done much with port forwarding or any type of complex communication paths. Thank you so much for your response.


Could this be what you are talking about? It says that the Stratix 5700 is capable of creating a NAT.

[attached screenshot: Screenshot_20190224-135904_Drive.jpg]


I'll do some reading on your specific switch! Maybe you're already good to go with some extra config!


I just googled it quickly: It looks like some of the Stratix 5700 models (not all of them) are capable of 1:1 NAT. I must admit I have never tried 1:1 NAT myself, but I'm pretty sure that should work as expected after doing a quick search on the web. The way 1:1 NAT works is exactly what you need. My suggestion was to use 1:n NAT, which is basically the same as any office (home or business use): You have one external "internet" IP address, which is "NAT'ed" into all the internal IP addresses "inside" the router. But 1:1 NAT is even more suited for you since you only want a direct 1-to-1 link (from switch port directly to your PLC). If I were you I would check if your switch already supports this feature; if it does, start doing some testing on a test system (non-production system), like an old laptop or another PLC or any other form of equipment where you can specify the IP address. If it doesn't support 1:1 NAT, I would certainly check with Rockwell if it's possible to purchase an add-on/option or something to enable the feature. It would be a lot easier to manage with only one device (the switch).

Are you familiar with programming the Stratix switch? Also, it might be (I haven't read everything) that you need to create different VLANs for the 5 machines, since two identical IPs on the same VLAN 'usually' cause issues. If you segment into VLANs there are no issues, but then you will need the routing 1:1 NAT function... Do you have experience with VLANs? (Sorry if this is a dumb statement to you, but VLAN is not the same as WLAN.)

Link to full manual: https://literature.rockwellautomation.com/idc/groups/literature/documents/um/1783-um007_-en-p.pdf

[attached screenshots: nat.PNG, nat-stratix5700.PNG]


Unfortunately the switch I have does not have this feature. I just checked the product ID. I will check first thing tomorrow with our local AB rep to see if this is indeed an add-on functionality that I can purchase. But I am still thinking I could probably do what you suggested and find a router that supports 1:1 NAT. I am learning a lot through this conversation and I greatly appreciate your help. Each machine does have its own LAN. We have all of the ports on the Stratix switch set up as one big VLAN, basically just using it as an unmanaged switch. But it looks like I may not be able to utilize that switch, unless there is some way to use port forwarding. But I would probably still have issues with the machines trying to communicate with one another since they all have that exact same VLAN setup.


If you have any suggestions on a particular small 1:1 NAT router, let me know. If I can configure 5 cheap ones real quick then I won't even fool with the Stratix switch.


I see. Check with AB first. If it's not possible with the equipment you already have, then we'll look at your options. By the way: Which kind of protocol are you using to the PLCs?


OPC. I am going to use the driver in Ignition to browse the tags.


We haven't set ours up yet but we will soon. As kaare_t has suggested, our plan for that problem is to use a NAT device on each machine. We're using the AB 9300-ENA. Ultimately, we want to change the IP addresses on the machines, but this is a problem for us because we are a regulated environment and it would mean a revalidation of our processes. Here are some of my thoughts as an automation guy.

I liked the NAT idea, but the IT guys have convinced me it should be a temporary solution until we can get the IP addresses changed. I thought it would be great to allow only the PLC for each machine to be translated. This would limit the possibility of cross-talk between machines. Their response was that NATs will limit our communication abilities. For example, we wouldn't be able to initiate communications from inside the NATed devices. I'm not sure we need to, but it wouldn't be possible nonetheless. They also said it would be cumbersome to manage all those IP addresses. We are going to connect over 200 PLCs and it's still growing.

I agree with kaare_t on the VLANs. Our IT guys suggest a VLAN for each department, then a VLAN inside of it for each machine. This would create a meaningful hierarchy for our network and eliminate any fear of cross-talk.

This is an interesting discussion. I'll post some results if you are interested in them. It may be a month or so.

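As an added illustration (not code from this thread, from Rockwell, or from Ignition), here is a small Python model of the two NAT flavours kaare_t describes above (1:1 versus 1:n/port-forwarding) and of the direction-of-initiation point IO_Rack raises: it shows which way each flavour lets a connection start, how the duplicate PLC address is hidden behind a unique plant-side address, and why five identical addresses on one flat VLAN collide. All addresses (10.10.20.11-15 outside, 192.168.1.10 inside, 10.10.20.5 for the Ignition server) and the port 44818 are assumptions for the example. The source allow-list on the NAT is the check a practitioner would want: the NAT box by itself is not a firewall, so only the poller should be able to reach the translated addresses.

```python
"""Constructed model of the NAT options discussed in this thread.

Five PLCs all ship with the same OEM-locked address (192.168.1.10 here, made
up). Each gets its own NAT box: the plant-side ("outside") address is unique,
the PLC-side ("inside") address is whatever the OEM fixed. Nothing here
configures a real device; it only shows which packets get through each NAT
flavour and how their headers are rewritten.
"""
from dataclasses import dataclass, replace
from typing import Dict, Iterable, Optional, Set, Tuple

# TCP port the Ignition Allen-Bradley driver uses (EtherNet/IP explicit
# messaging). Assumed for the example; change it to match your driver.
CIP_TCP_PORT = 44818


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    sport: int = 0


class OneToOneNat:
    """1:1 NAT: one inside host <-> one outside address, so a connection can
    be started from either side. The optional source allow-list is the check
    that stops the translation from being an open door into the machine."""

    def __init__(self, outside_ip: str, inside_ip: str,
                 allowed_sources: Iterable[str] = ()):
        self.outside_ip = outside_ip
        self.inside_ip = inside_ip
        self.allowed_sources = frozenset(allowed_sources)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Plant network -> PLC. Returns the rewritten packet, or None if dropped."""
        if pkt.dst != self.outside_ip:
            return None
        if self.allowed_sources and pkt.src not in self.allowed_sources:
            return None  # not the poller (e.g. not the Ignition server)
        return replace(pkt, dst=self.inside_ip)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """PLC -> plant network. The duplicate address never leaves the box."""
        if pkt.src != self.inside_ip:
            return None
        return replace(pkt, src=self.outside_ip)


class PortForwardNat(OneToOneNat):
    """1:n (home-router style) NAT: only explicitly forwarded ports are
    reachable from outside; outbound traffic from the inside host still works."""

    def __init__(self, outside_ip: str, inside_ip: str,
                 forwarded_ports: Iterable[int], allowed_sources: Iterable[str] = ()):
        super().__init__(outside_ip, inside_ip, allowed_sources)
        self.forwarded_ports = frozenset(forwarded_ports)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dport not in self.forwarded_ports:
            return None
        return super().inbound(pkt)


def build_plant(nat_cls=OneToOneNat, **nat_kwargs) -> Dict[int, OneToOneNat]:
    """Machines 1..5: outside 10.10.20.11..15, inside always 192.168.1.10 (made up)."""
    return {n: nat_cls(f"10.10.20.{10 + n}", "192.168.1.10", **nat_kwargs)
            for n in range(1, 6)}


def deliver(nats: Dict[int, OneToOneNat], pkt: Packet) -> Tuple[Optional[int], Optional[Packet]]:
    """Hand a plant-side packet to the NAT box that owns its destination.
    Returns (machine, translated packet); (machine, None) if that box drops it;
    (None, None) if no box owns the address."""
    for machine, nat in nats.items():
        if nat.outside_ip == pkt.dst:
            return machine, nat.inbound(pkt)
    return None, None


def duplicate_addresses(hosts: Iterable[Tuple[str, str]]) -> Set[str]:
    """The flat-VLAN problem: addresses claimed by more than one MAC."""
    claims: Dict[str, Set[str]] = {}
    for mac, ip in hosts:
        claims.setdefault(ip, set()).add(mac)
    return {ip for ip, macs in claims.items() if len(macs) > 1}


if __name__ == "__main__":
    ignition = "10.10.20.5"
    plant = build_plant(allowed_sources={ignition})
    print(deliver(plant, Packet(ignition, "10.10.20.13", CIP_TCP_PORT, 50000)))
    print(deliver(plant, Packet("10.10.20.99", "10.10.20.13", CIP_TCP_PORT, 50000)))
    flat = [(f"00:1d:9c:00:00:0{n}", "192.168.1.10") for n in range(1, 6)]
    print(duplicate_addresses(flat))
```

With five `OneToOneNat` boxes the Ignition server reaches machine 3 at 10.10.20.13 and the packet arrives at the PLC with its own fixed 192.168.1.10; a reply from the PLC leaves with source 10.10.20.13, so the five PLCs never see each other's duplicate address. With `PortForwardNat` only the forwarded port is reachable from the plant side, while the PLC can still open connections outward in either flavour; what the model does not give you is any reachability at all if the five PLCs share one flat VLAN, which `duplicate_addresses` flags.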

Our local Rockwell rep told us about a NAT device that they sell. I don't remember the actual catalog number, but ProposalWorks came up with the 1783-NATR. We never pursued it further since our IT network is managed by our corporate IS group in another state and they won't allow any NAT devices that they don't have exclusive control over. They also control and manage our VLANs and port configurations and we haven't been able to get them to add enough VLANs or subnets for all of our machines.


We use the 1783-NATR in a couple of applications. It is a 1:1 NAT device for up to 32 devices. The setup is simple and our IT department approves.


The problem I am having is cost. The OEM of the machine has the program locked. There are only 4 devices on each machine: 2 I/O modules, an HMI and a PLC. They are all small machines, but we have no plans of having that machine be able to initiate communications out. I just want to read maybe 10 tags out of the machine. It's not worth the 2500 dollars per machine they want for the programs. That's 10 grand and it's just not worth it for what we are trying to accomplish. Likewise, it would cost around the same to have the OEM come out and change the IP addresses. I am not sure what you mean by creating a VLAN on each machine. Currently the NAT device I found is around 260 dollars. If I could do it cheaper, that would be even better. Also, I do not have the hassles of dealing with any corporate or local IT department. They do not want anything to do with the PLC network, and all communications are done through a single machine with 2 network cards. Currently I am the only one making any changes to the PLC network, and I keep a record of all of the devices and IP and MAC addresses. I also label them locally at the device.


On 2/25/2019 at 9:40 AM, Cegge said:

"I am not sure what you mean by creating a VLAN on each machine."

For your purpose I believe you are doing the right thing with the NATs. Ours eventually will be a full-control MES consisting of a few hundred PLCs. We are debating right now on segmenting each machine to its own VLAN. One of our network consultants has expressed concern that a flat network configuration may cause issues with some machines due to the large amount of traffic. We will most certainly segment each department to its own VLAN. This will prevent any possibility of cross-talk between departments.

BTW... I'm not a network specialist. I'm learning this stuff as we go.
