Connecting to a “managed” network

PLCrookiee

Hi legends, new to this industry but absolutely loving it.

I am looking to go online with a ControlLogix PLC, the network is supported by a “Managed” switch, I had read somewhere that when connecting to a managed network there is a possibility of taking everything offline?

Just looking for some clarification on what the meaning might’ve been behind this as taking the control system offline is definitely not the intention in this case
 
I had read somewhere that when connecting to a managed network there is a possibility of taking everything offline?
The only time I saw something like this, the switch had been configured to shut down if the MAC address connected to a certain port was not matching whatever it had been set to. Other than that, I don't think there's a risk of shutting down the network.
 
Hi PLCCrookie:
Managed switches normally have passwords so that only the administrator can modify the parameters. There are many things that could be done to bring everything or many things offline, depending on the capability of the switches. If someone messes around with the baud rate of the ports, or disables the ports, or messes around with the VLAN, a lot of things could go wrong.
For your purposes, just make sure that the IP address of your PC is dynamically assigned by the company's DHCP. Or, if the automation network's IP addresses are assigned manually, make sure that your PC's IP address is not used by any other node, and that you assign an IP address for the PC compatible with that of the ControlLogix.
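The static-address checks described in the post above, as an added example that is not part of the original thread: it validates a candidate laptop address against the PLC's subnet and against the hosts already visible in an ARP table. The addresses, the sample `arp -a` text, and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of Windows-style `arp -a` output (not from a real site).
SAMPLE_ARP = """\
Interface: 192.168.1.50 --- 0x7
  Internet Address      Physical Address      Type
  192.168.1.1           00-1d-9c-aa-bb-01     dynamic
  192.168.1.10          00-00-bc-11-22-33     dynamic
  192.168.1.20          00-1d-9c-aa-bb-02     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# One table row: IPv4 address, dash-separated MAC, entry type.
ARP_ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+(\w+)",
    re.M,
)

def hosts_seen(arp_text):
    """Return {ip: mac} for unicast ARP entries (broadcast rows are skipped)."""
    seen = {}
    for ip, mac, _type in ARP_ROW.findall(arp_text):
        if mac.lower() != "ff-ff-ff-ff-ff-ff":
            seen[ipaddress.ip_address(ip)] = mac.lower()
    return seen

def check_static_ip(candidate, plc_ip, netmask, arp_text):
    """Return a list of problems; an empty list means these checks passed."""
    net = ipaddress.ip_network(f"{plc_ip}/{netmask}", strict=False)
    cand = ipaddress.ip_address(candidate)
    problems = []
    if cand not in net:
        problems.append(f"{cand} is outside the PLC subnet {net}")
    elif cand in (net.network_address, net.broadcast_address):
        problems.append(f"{cand} is the network or broadcast address of {net}")
    if cand == ipaddress.ip_address(plc_ip):
        problems.append(f"{cand} is the PLC's own address")
    seen = hosts_seen(arp_text)
    if cand in seen:
        problems.append(f"{cand} is already in use by {seen[cand]}")
    return problems

if __name__ == "__main__":
    for ip in ("192.168.1.60", "192.168.1.20", "10.0.0.5"):
        print(ip, check_static_ip(ip, "192.168.1.10", "255.255.255.0", SAMPLE_ARP))
```

An ARP table only lists hosts the PC has recently exchanged traffic with, so an empty result does not prove the address is free; the network owner's address plan remains the authority.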
 
If it's a managed network, then in the name of all that is holy find the person who manages it and ask them about it. If you create an IP conflict you will hear about it from someone. This means someone has taken the time to think about the network and cares what gets attached to it.

I knew an otherwise competent contractor who, when confronted with a managed network in the field, would just find the IP of a device on the switch, configure his laptop with the same IP and then unplug the device and plug his in to do whatever he needed to do. He set off so many alarms in the security software and sent folks running to find out what's going on that we had to contact his company and ban him from working for us.
 
If it's a managed network, then in the name of all that is holy find the person who manages it and ask them about it. If you create an IP conflict you will hear about it from someone. This means someone has taken the time to think about the network and cares what gets attached to it.


I was about to say the same thing.

It COULD be that it's a managed switch that is more or less just at default settings, but definitely see if there's someone responsible for the network to tell you what to do before you just plug in and hope for the best.
 
If it's a managed network, then in the name of all that is holy find the person who manages it and ask them about it. If you create an IP conflict you will hear about it from someone. This means someone has taken the time to think about the network and cares what gets attached to it.

I knew an otherwise competent contractor who, when confronted with a managed network in the field, would just find the IP of a device on the switch, configure his laptop with the same IP and then unplug the device and plug his in to do whatever he needed to do. He set off so many alarms in the security software and sent folks running to find out what's going on that we had to contact his company and ban him from working for us.
TheWaterboy, what a scary story. Why did he not try to set up his computer for dynamically assigned IP settings to see if his computer got an IP address from the DHCP server?
 
TheWaterboy, what a scary story. Why did he not try to set up his computer for dynamically assigned IP settings to see if his computer got an IP address from the DHCP server?
He was one of those guys who could do anything quickly and was extremely talented and experienced. When you call this guy to do something quickly, don't have the safety guy anywhere nearby. You know, the good old days...

The extra ports are all shut off and the ones that are connected have an IDS monitoring them so a different connection "fingerprint" would tip the alarms. All the networking was set up by IT folks with only a passing familiarity with the concept of process resilience where the security pyramid is upside down. i.e. it must run and it's great if it's also secure. So having the IDS shut the port down was not an option and tight alarming was the compromise. He knew what he could and couldn't unplug but would never take the time to have us call IT ahead of time and have them just open a port for him. In my heart I can't really blame him as that request could take hours to get done. He worked really quickly and did great work but you reach a tipping point after repeated politeness then threatening. Had to do it.

Story goes some years after that he met some woman who got him into drugs of some type. Never heard much about him again.
 
In my heart I can't really blame him as that request could take hours to get done.

On the one hand, you can't do that, yeah. On the other hand, how rare is it to get a contractor who wouldn't jump at the chance to pad his billing? "Sir, it says here the operators watched you twiddle your thumbs for 3 hours" "Oh, no, I was liaising with your IT team to get network access, they must have misinterpreted"
 
On the one hand, you can't do that, yeah. On the other hand, how rare is it to get a contractor who wouldn't jump at the chance to pad his billing? "Sir, it says here the operators watched you twiddle your thumbs for 3 hours" "Oh, no, I was liaising with your IT team to get network access, they must have misinterpreted"
Exactly. One time there was a location that was all union. Went to troubleshoot a startup and saw a wire that was in the wrong terminal in their cabinet. Reached for my screwdriver and was stopped by the escort. We had to call the instrumentation crew to move that wire. Which meant an electrical LOTO (different crew) and safety officer monitor (yet another crew). Took 3 hours and thousands of dollars to coordinate all that. All for a single 24 VDC signal wire off by one number.

Reminds me of when car owner's manuals contained the procedure to lash the valves... now they tell you not to drink the battery acid.
 
When you are talking about "taking everything offline", maybe you heard of the spanning tree issue?

I had this issue a few years ago. Managed Stratix switches on each machine. Sometimes (at first it looked random) all the Ethernet connections went down. After a minute or two, everything worked fine again. First we thought someone was messing with the network (if 10 people are in the different areas at the same time, you never know :) ).
Then we found out it always happens if one of the machines in the network is powered down and up again.

I don't know exactly what it was; there was a Rockwell guy who reconfigured the Stratix switches, then it was fine.
But I remember him talking about spanning tree protocol, which sends a message to all the switches in the network during boot. And a bad configuration of that made all switches disconnect themselves from the network for a short time.
 
There was a time when Stratix switches by default didn't respect the STP election status of any other switches on the network. One Stratix added to an existing non Stratix system would trigger the port shutdowns by ignoring there was even the probability of another working system in place and assert its dominance. Oddly the Cisco model that is the basis of the Stratix never did that so it absolutely came from the AB influence. Which kinda fits their profile.
It was easily fixed in the config but by default AB and their huge ego assumed there would be nothing but Stratix on the network. They fixed the default setting in FW pretty quickly after that assumption became a problem.
 
