AQ: Why design an Ethernet network IP scheme?

Depends on the size of the network (number of devices you plan to connect): for medium to large corporate networks go 10.x, for home and small business 192.168.x, or 172.16.x. I would think the IP plan would be looking at least 10 – 20 years out. Changing IP schemes is hard, especially on a controls LAN; you wouldn’t want to undertake this task too frequently. Also consider any routing / firewalling / DMZing that you may want to do between the controls LAN and the business network (ideally these are separated networks).

Here are some things to consider:

Number of devices or potential devices on the network
You may want to use a Class A subnet when you have or will have a large number of devices or a Class C when you have or will have a small number of devices.

Amount of traffic
A large subnet will more likely expose devices to more traffic. A smaller network may be employed to segment and/or control the amount of data that must be handled by a device.

Security
On a large network (e.g., Class A) it may be more difficult to restrict access to, or exposure of, devices.

Simplicity
A Class A network is a flatter architecture and may be simpler to manage because you don’t have to worry about routing, gateways, and/or firewalls as much. This has to be balanced with security and traffic issues though.

Others
There are other considerations too…

In my experience, connecting with the “business” side of things is not technically difficult with an appropriate firewall/router. However, I have often found that the political challenges are more difficult. I have often butted heads with IT folks who have a fortress mentality and don’t understand the constraints, limitations, restrictions, and special considerations needed for industrial control systems. Many times, the best solution is to have a well-defined line of demarcation where the IT folks take care of their side and the control guys take care of the control side. Most IT folks are OK with that as long as they can quarantine the control side to their satisfaction.

When it comes to selecting the firewall/router, you will need to take into consideration the protocols passing through it. If it’s the nominal business protocols like HTTP, FTP, RDP, SSH, etc., then any business-class device will typically work. However, if industrial protocols like CIP, EtherNet/IP, or OPC will be passing through, you will need to confirm that the firewall/router supports them specifically. When making the link, the important thing is the type of packet filtering and address translation rules that are configured in the firewall/router. The IT folks might be happier if they can set up a VLAN just for the controls.

ABBdriveX
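
An added example (not part of the original post): one way to turn the device-count, growth and segmentation considerations above into a concrete address plan, using Python's standard `ipaddress` module. The 10.20.0.0/16 controls supernet, the zone names, device counts, growth factor and the reserved range are all constructed assumptions.

```python
import ipaddress
import math

def plan_subnets(supernet, zones, growth=2.0, reserved=()):
    """Carve one subnet per zone out of `supernet`, largest zone first.

    zones:    {zone name: current device count}
    growth:   headroom multiplier for devices added over the plan's lifetime
    reserved: ranges already in use elsewhere (e.g. the business-side link)
    Raises ValueError if a zone cannot be placed.
    """
    pool = ipaddress.ip_network(supernet)
    taken = [ipaddress.ip_network(r) for r in reserved]
    plan = {}
    for name, devices in sorted(zones.items(), key=lambda z: -z[1]):
        # +2 for the network and broadcast addresses, +1 for the gateway.
        needed = math.ceil(devices * growth) + 3
        # Smallest power-of-two block that holds `needed` addresses.
        prefix = 32 - (needed - 1).bit_length()
        for candidate in pool.subnets(new_prefix=prefix):
            if not any(candidate.overlaps(t) for t in taken):
                plan[name] = candidate
                taken.append(candidate)
                break
        else:
            raise ValueError(f"no room left in {pool} for zone {name!r}")
    return plan

# Constructed sample input: a controls LAN split into four zones.
SAMPLE_SUPERNET = "10.20.0.0/16"
SAMPLE_ZONES = {"plc": 120, "drives": 60, "hmi": 30, "dmz": 6}
SAMPLE_RESERVED = ["10.20.0.0/24"]  # assumed to be used by the business-side link

if __name__ == "__main__":
    plan = plan_subnets(SAMPLE_SUPERNET, SAMPLE_ZONES, reserved=SAMPLE_RESERVED)
    for zone, net in plan.items():
        # num_addresses - 2 = usable hosts, gateway included
        print(f"{zone:8} {str(net):18} usable hosts: {net.num_addresses - 2}")
```

Each zone gets its own subnet, so the firewall/router between zones (and toward the business network) can filter per subnet instead of per device.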