MaxPowers76

Industrial Controls Network Design

5 posts in this topic

IT guy here. The manufacturer I work for is on a path of connecting its production equipment/industrial controls to the IT network to start collecting data. Today, we have a single VLAN dedicated to the industrial controls and have a variety of different PLCs and automation devices that plug into it. Some of these devices plug right into our Cisco 3850 IDFs and others are connected through Stratix 2500 lightly managed switches that then hit the 3850.

Our plant floor is fairly dynamic, so equipment/controls move between lines and come on/offline as lines are set up for different jobs. At any given time there are approx. 45 IP addresses reporting on the PLC VLAN. We are running into situations where different equipment that is connected to the network will crash at random intervals. In some cases these crashes will occur with a piece of equipment just powered on and not even running and/or in times of the week when there is very little else active on the network. Researching the alarms we get usually leads back to motion/clock delays or I/O faults that are considered a networking problem, and unplugging a device from the network has eliminated the issues; however, this has put us in a spot where we don’t know how to proceed to get things connected again with stability. From the IT side, the bandwidth utilized on the PLC segment is very minimal and the crashes that occur are isolated to an individual machine while all others stay up. Using Wireshark, I see broadcast traffic traversing the VLAN, but it is difficult for me to determine if the level of traffic is an issue or not.

To attempt to resolve the issue from the IT side, I am suggesting we add more VLANs to reduce the number of devices on each segment. We have not implemented this route yet. Since I don’t know much about the industrial controls side, I wanted to run this scenario past this forum. Outside of network changes, is there anything we should consider from the PLC configuration side that would help increase resiliency to network traffic if that is the root issue? Is there anything I should consider differently with how our IDF switches are configured? Storm control perhaps?

1 person likes this
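The original poster has a Wireshark capture of the PLC VLAN but no way to judge whether the broadcast level is a problem. The script below is an added example (not part of the original post or any vendor tool) that reads a Wireshark CSV export (File > Export Packet Dissections > As CSV, default columns) and counts broadcast frames per sending host and per one-second bucket, so a single chatty device can be separated from the normal background. The subnet broadcast address 192.168.10.255, the alert threshold of 50 broadcasts per second and the sample capture are all constructed assumptions for illustration; the threshold in particular should be set from what the controllers actually tolerate, not from uplink bandwidth.

```python
"""Summarise broadcast traffic per source from a Wireshark CSV export.

Added example for the thread above, not code from the original post.
Assumes the default Wireshark CSV columns: No., Time, Source, Destination,
Protocol, Length, Info (Time = seconds since start of capture).
"""
import csv
import io
from collections import Counter, defaultdict

# Assumed alert rate (broadcasts per second from one host); illustrative only.
BROADCAST_PPS_ALERT = 50
# Assumed directed-broadcast address of the PLC VLAN; change to match the subnet.
SUBNET_BROADCAST = "192.168.10.255"


def is_broadcast(dst: str, subnet_broadcast: str = SUBNET_BROADCAST) -> bool:
    """True for L2 broadcast (ARP shows MAC or the resolved name 'Broadcast'),
    the limited IPv4 broadcast, or the VLAN's own directed broadcast."""
    d = dst.strip().lower()
    return d in ("broadcast", "ff:ff:ff:ff:ff:ff", "255.255.255.255",
                 subnet_broadcast.lower())


def analyse(csv_text: str, subnet_broadcast: str = SUBNET_BROADCAST,
            threshold: int = BROADCAST_PPS_ALERT) -> dict:
    """Count broadcast frames per source and per one-second bucket and flag
    any source whose rate in some second exceeds the threshold."""
    per_source = Counter()
    per_second = Counter()
    per_source_second = defaultdict(Counter)
    total = 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        total += 1
        if not is_broadcast(row["Destination"], subnet_broadcast):
            continue  # unicast traffic is not what we are looking for here
        src = row["Source"]
        sec = int(float(row["Time"]))
        per_source[src] += 1
        per_second[sec] += 1
        per_source_second[src][sec] += 1
    offenders = sorted(src for src, buckets in per_source_second.items()
                       if max(buckets.values()) > threshold)
    return {
        "total_frames": total,
        "broadcast_frames": sum(per_source.values()),
        "per_source": dict(per_source),
        "peak_pps": max(per_second.values(), default=0),
        "offenders": offenders,
    }


def build_sample_csv() -> str:
    """Constructed capture (not real data): two quiet hosts sending one
    broadcast per second, some unicast CIP traffic, and one host that fires
    80 ARP broadcasts inside second 2."""
    rows = [("No.", "Time", "Source", "Destination", "Protocol", "Length", "Info")]
    n = 1
    for sec in range(5):
        for host in ("192.168.10.21", "192.168.10.22"):
            rows.append((str(n), f"{sec + 0.1:.6f}", host, "255.255.255.255",
                         "UDP", "86", "constructed broadcast"))
            n += 1
        rows.append((str(n), f"{sec + 0.2:.6f}", "192.168.10.21", "192.168.10.50",
                     "CIP", "120", "constructed unicast"))
        n += 1
    for i in range(80):
        rows.append((str(n), f"{2 + i / 100:.6f}", "192.168.10.77", "Broadcast",
                     "ARP", "60", "constructed ARP burst"))
        n += 1
    buf = io.StringIO()
    csv.writer(buf, quoting=csv.QUOTE_ALL).writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    report = analyse(build_sample_csv())
    print(f"{report['broadcast_frames']} of {report['total_frames']} frames were broadcast, "
          f"peak {report['peak_pps']} broadcasts/s")
    for src, count in sorted(report["per_source"].items(), key=lambda kv: -kv[1]):
        print(f"  {src:16} {count}")
    print("over threshold:", report["offenders"] or "none")
```

To run it on a real export, call `analyse(open("plc_vlan.csv").read(), subnet_broadcast="<your VLAN's broadcast address>")`. The per-second view matters more than the total: a modest average can hide a burst that lands on one controller's I/O connection, which is the kind of event a switch storm-control setting (rate-limiting broadcasts per port) is meant to cap.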


Not a networking guy here...

We have an account manager for Rockwell reaching out to us pretty often to consult about connecting control networks to the corporate network. I know that they have done a lot to figure it out and have good knowledge about it. If your equipment is at least mostly Rockwell equipment, I would contact your local distributor to set up a conversation with them and Rockwell about it.

There are others on here, though, who have experience with this and can probably give you more information.

1 person likes this


Thanks - I'll see if we can get in touch with a rep as a lot of our controls are AB/Rockwell.

I could be very wrong about this, but when I look at documentation from Rockwell on industrial networking I interpret their solutions as being focused on heavily deploying switches throughout the plant floor, then linking up the industrial network with the IT network with a router or layer 3 device. If I am interpreting that right, is there value in that type of design vs. using central layer 3 switches that have VLANs segregating the PLC network from other business networks?

2 people like this


Sorry, you just went over my head. I think they advise to physically isolate the controls and IT networks for security reasons (primarily).

I know our IT network is divided up into VLANs that are set up so that only certain address ranges are routable. So devices on our "machines" VLAN can reach each other regardless of which switch/port they're plugged into as long as their IP addresses are in the correct range and the port they're plugged into is on the right VLAN. We're only using those connections for remote access for programming PCs and one or two SCADA PCs. Actual machine controls (drives, I/O chassis, etc.) are on physically isolated local networks on non-routable subnets.

Our IT system is very centrally managed (from another state) and we're not allowed to have any local control of anything more than an unmanaged switch.

1 person likes this


The IT person and the plant controls person need to work together to resolve the issues and you need to see each other as peers working toward a common solution. Too often, the PLC person views the network as similar to the plant-wide electrical distribution network. Just plug in that cat5 cable and you're good to go. Too often the IT person views all packets on the network as being of equal value. So if that update of the state of the inputs gets lost, there'll be another coming along shortly.

3 people like this
