Machine network

bbzp

Looking for some insight on how to move forward.

Right now we have a Cisco switch managed by IT doing NAT switching for a PLC. I'm looking to gain access to all devices on the machine (HMI, barcode readers, vision systems).

The setup we have is the connection coming from the IT switch goes to the PLC, and then a secondary Ethernet connection goes from the PLC to an unmanaged switch that hooks up to the machine network.

Any ideas on the easiest way to make this accessible?

Thanks
 
Yes,

The hope would be to be able to hit any device when logged into the company network. Right now we can hit most PLCs in the plant.
 
From your description, it sounds like there are three networks:

  1. The company network on the WAN side of the NAT router
  2. The LAN side of the NAT switch, with the first Ethernet port of the PLC
  3. The machine LAN on the other side of the PLC, with the PLC's second Ethernet port

The NAT router is between 1.company-LAN and 2.NAT-LAN.

The PLC is between 2.NAT-LAN and 3.machine-LAN.

Can a PLC act as a network router or gateway?

However, you say you already "can hit most PLC in the plant," which suggests there is already another way between 1.company-LAN and 3.machine-LAN, assuming "plant" is the same as 3.machine-LAN.
 
Yes,

The company network goes to a switch at the workstation, layer 2. Then 1 port from the workstation goes to the PLC. This is where we do our NAT switch for the PLC.

Issue is we have 100+ machines all running the same IP scheme. This is the reason for the NAT switching on the PLC port. But without running all other devices to the workstation switch, I can't figure out how to hit those other devices.
 
Sorry, I lost you there; too much undefined jargon: "IP scheme," "workstation," etc. E.g. a NAT device is not a switch; it is a router and/or gateway.

Can you make a diagram, with

  • netmasks on each side of any router/gateway/NAT device,
  • where everything is,
  • what needs to talk to what?
A smartphone photo of a pen-and-paper sketch would be fine.

Generally, a NAT device is put in place so nodes on the WAN side of the NAT cannot initiate a connection to nodes on the LAN side; there are ways to tunnel around that (e.g. VPN), of course, but they are the exception, not the rule.
 
Nodes in [plant] are not going to be able to initiate direct TCP/IP connections to any node behind the second PLC port [192.168.1.0/24].

Assuming [Workstation switch] is actually the [NAT router], nodes in [plant] may initiate connections to nodes on the LAN [10.1.140.0/24] side of the [NAT router] via port forwarding on the [NAT router].

The PLC should be able to connect to anything, so it may be possible for the PLC to internally map data from [192.168.1.0/24] and allow those data to be read from [plant] by connecting to the PLC via port forwarding.
 
That was my hope, but running a 1769-L32E, it is not looking promising for the PLC to do that.
 
With so few nodes on the [10.1.140.0/24], eliminating that network, moving the PC and barcode scanner to [192.168.1.0/24] and making the NAT router be the gateway between [plant] and [192.168.1.0/24] would allow any node on [plant] to get to any node on [192.168.1.0/24], but you would be up to your ears in port forwards, using non-standard ports, to make it work.
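
A worked example of what the port-forwarding approach in the two replies above comes to across a plant: every machine keeps the same 192.168.1.0/24 inside, each machine's NAT router gets its own plant-side address, and a plant node reaches an inside device by connecting to that router's address on a forwarded port. Where two inside devices listen on the same port, the second one has to be exposed on a non-standard outside port, which is the part that piles up. This is added example code, not from the thread or from any poster; the inside addresses, the services on them, and the 10.10.1.0/24 plant subnet are assumptions made up for the example.

```python
"""Port-forward planner for a plant where every machine LAN is the same
192.168.1.0/24 behind its own NAT router (added example, not from the thread)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address

MACHINE_LAN = IPv4Network("192.168.1.0/24")  # identical on every machine, as in the thread

# Inside addresses and TCP services are constructed for this example (assumptions).
DEVICES = [
    ("plc",     "192.168.1.10", 44818),  # EtherNet/IP explicit messaging
    ("hmi",     "192.168.1.20", 5900),   # VNC to the HMI (assumed)
    ("barcode", "192.168.1.30", 2001),   # raw TCP socket on the reader (assumed)
    ("vision",  "192.168.1.40", 44818),  # camera that also listens on 44818 (assumed)
]


@dataclass(frozen=True)
class Forward:
    machine: str
    outside: IPv4Address
    outside_port: int
    inside: IPv4Address
    inside_port: int
    service: str


def plan_router(machine, outside_ip, devices=DEVICES, spare_base=20000):
    """Port forwards for one NAT router: outside_ip:port on [plant] -> device:port inside.

    The inside port is reused on the outside while it is still free on this
    router; a second device on the same port (here two EtherNet/IP nodes) gets
    the next free port at or above spare_base, which is the non-standard-port case.
    """
    outside = ip_address(outside_ip)
    used = set()
    spare = spare_base
    rules = []
    for service, inside_ip, inside_port in devices:
        inside = ip_address(inside_ip)
        if inside not in MACHINE_LAN:
            raise ValueError(f"{machine}/{service}: {inside} is not in {MACHINE_LAN}")
        if inside_port in used:
            while spare in used:
                spare += 1
            outside_port = spare
        else:
            outside_port = inside_port
        if outside_port > 65535:
            raise ValueError(f"{machine}: ran out of outside ports")
        used.add(outside_port)
        rules.append(Forward(machine, outside, outside_port, inside, inside_port, service))
    return rules


def plan_plant(machines, devices=DEVICES):
    """machines: {machine name: plant-side address of its NAT router}.

    Each router needs its own plant-side address because the inside addresses
    repeat on every machine; a duplicate is reported, not silently overlapped.
    """
    owner = {}
    plan = []
    for machine, outside_ip in machines.items():
        ip = ip_address(outside_ip)
        if ip in owner:
            raise ValueError(f"{machine} and {owner[ip]} both use plant-side {ip}")
        owner[ip] = machine
        plan.extend(plan_router(machine, outside_ip, devices))
    return plan


def lookup(plan, outside_ip, outside_port):
    """Which device a [plant] node reaches by connecting to outside_ip:outside_port."""
    ip = ip_address(outside_ip)
    return next((f for f in plan if f.outside == ip and f.outside_port == outside_port), None)


def render(plan):
    """Rules as text, one per forward, for whoever configures the routers."""
    return [f"{f.machine}: {f.outside}:{f.outside_port} -> {f.inside}:{f.inside_port} ({f.service})"
            for f in plan]


if __name__ == "__main__":
    # Constructed sample: three routers on an assumed 10.10.1.0/24 plant subnet.
    sample = {f"machine-{n:02d}": f"10.10.1.{n}" for n in range(1, 4)}
    for line in render(plan_plant(sample)):
        print(line)
    # With 100 machines and four services each this is already 400 rules.
    print(len(plan_plant({f"machine-{n:03d}": f"10.10.1.{n}" for n in range(1, 101)})), "forwards")
```

The plan only covers connections that [plant] initiates; anything the machine side has to initiate toward [plant] is still governed by the NAT device's normal behaviour, as described in the earlier reply, and every rule on the list has to be kept in step with the address and service assignments on all 100+ machines.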
 
Okay,

What if I upgraded the machine switch and did a dedicated drop from the plant, bypassing the workstation?

Or

Would it be best just to change all PLCs over to the 10.1.140 scheme?
 
Hey, I just know how the bits can move, i.e. what is possible. I don't know

  • your plant,
  • your machines,
  • if your machines could harm or kill someone
  • if you can trust persons on [plant] to access machines
So those queries are way past my pay grade.
 
So True,

Thank you for the help. I think I got my answer: there is no easy way of reaching those peripheral devices with the current setup.
 
Heh, from our Outside The Box series:

  • put everything on the PLC side of the NAT router onto [10.1.140.0/24]
  • invert the NAT router, so [plant] is its LAN, and [10.1.140.0/24] is its WAN.
Because it is likely that few connections across the NAT device will be initiated from the machine side, and almost all initiations will come from the [plant] side.

Makes the [machines] LAN accessible to everyone; assumes you trust everyone on [plant], or who can get to [plant].

Crazy? Yes.
 