brinocerous
Member
Hello, crew.
I work at a small integration shop and recently we ran network drops from the office to the shop for the convenience of our programmers. We have a small office so our business network is on a single subnet 192.168.1.0/24. The entire office and shop physical network consists of two Cisco SG350X-48P switches, which are in turn connected to a router for internet access.
Now that the shop is connected to the switches, a disagreement has arisen on how to segregate the programmers' PLC, HMI, and other automation devices from the business network, even though they share the same physical infrastructure. Obviously, these devices should not be visible to/from the internet, so assigning them to the office subnet is out of the question. As I see it, this leaves the following two options:
(1) Leave all the switch ports on the same VLAN (as they are now), and simply use a different subnet (say 192.168.100.0/24) for the automation devices. The programmers can assign their computers static IP addresses on this new subnet. If the devices are not assigned a gateway, then they should be effectively hidden from the business network hosts. The downside is that both subnets will see each other’s broadcast traffic, but if the total number of hosts remains relatively low, this shouldn’t have much of an impact (hopefully).
(2) Assign a separate VLAN and designate switch ports for automation devices and programmers’ computers. As far as I understand, this means that we would have to run separate drops to each programmer’s desk so they could simultaneously access the PLC VLAN and the business VLAN. The benefit is that the business and PLC network can’t see each other’s broadcast traffic.
I have huge holes in my networking knowledge, so I’m sure I’m missing some subtlety here. PLCtalk, please educate me, which way is best to accomplish this goal?
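Added example, not part of the original post: a sketch of what option (2) can look like on the SG350X when the switch itself routes between the two VLANs and an ACL decides who may cross. Two points it is meant to show. First, option (1) is not a security boundary: every host in the shared broadcast domain can add a 192.168.100.x address to its NIC and talk to the PLCs directly; leaving the gateway blank only hides them from routed traffic. Second, a separate VLAN does not force a second drop to each desk: the programmers stay on their business port, and the switch's ACL lets only their workstations reach the automation subnet, while the automation subnet gets no path to the office router at all. Everything below is assumed rather than taken from the post: VLAN IDs 10 and 100, the port ranges, 192.168.1.20 and .21 as programmer workstations, the switch's VLAN 10 address 192.168.1.2 being the gateway for office hosts (if the office router at 192.168.1.1 remains their gateway, it needs a static route for 192.168.100.0/24 via 192.168.1.2 instead). Command forms are IOS-style as used by the Sx350 CLI; check each one, in particular `service-acl` on VLAN interfaces, against the SG350X CLI reference before pasting.

```cisco
! ---- VLANs: 10 = business, 100 = automation (PLC/HMI) ----  [assumed IDs]
vlan database
 vlan 10,100
exit
interface vlan 10
 name BUSINESS
 ip address 192.168.1.2 255.255.255.0
exit
interface vlan 100
 name AUTOMATION
 ip address 192.168.100.1 255.255.255.0
exit
! Default route for business traffic points at the internet router (assumed 192.168.1.1).
ip route 0.0.0.0 0.0.0.0 192.168.1.1

! ---- Shop drops: PLCs/HMIs are access ports in VLAN 100 (ports assumed) ----
interface range gi1/0/25-36
 switchport mode access
 switchport access vlan 100
exit
! ---- Programmer desks keep their single existing drop, in VLAN 10 (ports assumed) ----
interface range gi1/0/1-8
 switchport mode access
 switchport access vlan 10
exit
! ---- Uplink between the two SG350X switches carries both VLANs (port assumed) ----
interface te1/0/1
 switchport mode trunk
 switchport trunk allowed vlan add 10,100
exit

! ---- ACLs are stateless: permit both directions explicitly ----
! Entering from the business VLAN: only the two programmer workstations
! may reach the automation subnet; everyone else keeps normal internet access.
ip access-list extended BUSINESS-IN
 permit ip 192.168.1.20 0.0.0.0 192.168.100.0 0.0.0.255
 permit ip 192.168.1.21 0.0.0.0 192.168.100.0 0.0.0.255
 deny   ip any 192.168.100.0 0.0.0.255
 permit ip any any
exit
! Entering from the automation VLAN: replies to the programmer workstations only.
! The final deny means PLCs cannot reach the rest of the office or the router,
! so nothing in 192.168.100.0/24 ever has a route to the internet.
ip access-list extended AUTOMATION-IN
 permit ip 192.168.100.0 0.0.0.255 192.168.1.20 0.0.0.0
 permit ip 192.168.100.0 0.0.0.255 192.168.1.21 0.0.0.0
 deny   ip any any
exit
interface vlan 10
 service-acl input BUSINESS-IN
exit
interface vlan 100
 service-acl input AUTOMATION-IN
exit
```

Two checks worth doing after applying it: from an ordinary office PC, `ping 192.168.100.1` should fail (blocked by BUSINESS-IN), and from a PLC-side host, `ping 192.168.1.1` should fail (blocked by AUTOMATION-IN) while a ping to 192.168.1.20 succeeds. If a programmer later needs the PLC subnet from a laptop on a different port, the ACL entry is the only thing that changes; no cabling does.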