I've inherited a strange production network where all the devices are in the same VLAN: 172.20.0.0/21.
So the first usable IP is 172.20.0.1 and the last 172.20.7.255.
In this VLAN there are PLCs, VMs, HMIs and thin clients connected.
They segregate the network by modifying the subnet mask on the different devices.
For example: all PLCs are in the 172.20.1.0-255 network and all have a /24 subnet mask set.
As a result, they cannot communicate with any device outside the 172.20.1.0/24 network.
They did the same with all the VMs: they have an IP address set in the 172.20.2.0/24 network.
The funny thing is, the VMs do have the correct subnet mask set: /21.
But there is no connection, because the PLCs are unable to reply since the VM is outside their scope.
So they added a second NIC on the VM and entered an IP in the 172.20.1.0/24 network so the PLCs are able to communicate.
I'm convinced this is a bad set-up. The client thinks they make use of VLANs because of the different IP ranges.
Apparently, it's not possible at the moment to change the subnet mask on the PLCs because they are owned by a third party.
What are the potential dangers of this network set-up? There is no budget at the moment to implement proper VLANs.
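To make the behaviour described above concrete, here is an added example (not part of the original post) that models each device's view of the flat 172.20.0.0/21 VLAN and audits the inventory for narrowed masks. The device names, addresses and the assumption that the PLCs have no default gateway are constructed for illustration.

```python
"""Model why a narrowed subnet mask breaks replies but gives no isolation.

Constructed inventory following the post: one flat VLAN 172.20.0.0/21,
PLCs configured with a /24 mask, VMs with the real /21 mask.
"""
from ipaddress import ip_interface
from typing import Optional

VLAN = "172.20.0.0/21"

# Constructed sample devices: name -> address/prefix as set on the device.
DEVICES = {
    "plc-1": "172.20.1.10/24",       # PLC with the narrowed /24 mask
    "vm-1": "172.20.2.20/21",        # VM with the VLAN's real /21 mask
    "vm-1-nic2": "172.20.1.200/24",  # second NIC added as the workaround
}


def delivery(src: str, dst: str, gateway: Optional[str] = None) -> str:
    """How src would deliver a packet to dst: directly (ARP on the shared
    VLAN), via its default gateway, or not at all when dst looks off-link
    and no gateway is configured (typical for a PLC)."""
    s, d = ip_interface(src), ip_interface(dst)
    if d.ip in s.network:
        return "direct"
    return "via-gateway" if gateway else "unreachable"


def conversation(a: str, b: str, gw_a: Optional[str] = None,
                 gw_b: Optional[str] = None) -> dict:
    """Both directions of a flow; asymmetry means requests arrive but
    replies are dropped, which is exactly the VM -> PLC failure."""
    return {"a->b": delivery(a, b, gw_a), "b->a": delivery(b, a, gw_b)}


def audit(devices: dict, vlan: str = VLAN) -> list:
    """Flag every device whose mask is narrower than the real VLAN prefix.
    Such a device only *looks* segregated: every host in the broadcast
    domain can still reach it by choosing an address inside its /24."""
    vlan_net = ip_interface(vlan).network
    findings = []
    for name, cfg in devices.items():
        net = ip_interface(cfg).network
        if net != vlan_net and net.subnet_of(vlan_net):
            findings.append(f"{name}: {cfg} is a narrowed mask inside "
                            f"{vlan_net}; no real isolation")
    return findings


if __name__ == "__main__":
    print(conversation(DEVICES["vm-1"], DEVICES["plc-1"]))
    print(conversation(DEVICES["vm-1-nic2"], DEVICES["plc-1"]))
    print(*audit(DEVICES), sep="\n")
```

The first call reports the VM reaching the PLC directly while the PLC's reply is unreachable; the second shows why the extra NIC "fixes" it, and the audit flags both /24 interfaces as cosmetic segregation.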