Saturday, May 30, 2020

Need help connecting IACS to the network

Hey guys,

I am a network newbie and am in real need of some help. I am more of a sysadmin that covers the network at a decently sized manufacturing facility, so please bear with me. I am just learning all the Rockwell Automation/Cisco terminology for these devices as well.

We just recently got an IACS that has a Stratix 5700 inside it. We were asked to hook it up to our network for VPN access and connection to the SCADA system, but are not sure how to do it.

Our goal right now is to isolate the internal IACS network from the already VLAN-isolated industrial network, then connect up only specific devices within the IACS (like one or two PLCs or the HMI) to the rest of the industrial network.

All of the other IACS were connected to our network by a past employee with little documentation. From what I could tell, the other IACS do not have switches as robust as the Stratix 5700; most of them are the Allen-Bradley 9300 Rades.

After reading through the Rockwell/Cisco CPwE documents we think we have a good grasp on the theory but not the actual configuration.

How would we configure the switch ports and VLANs to get this configuration:

[Network diagram image]

With:

  1. There only being 1 "Machine".
  2. With the inside network being on VLAN 1.
  3. Inside devices configured on 192.168.1.0/24 on VLAN 1.
  4. Outside devices configured on 10.10.20.0/24 and VLAN 30.
  5. No EtherChannel, one single uplink. Stratix port: gi1/1 -> 2960X port: gi1/0/40.
  6. The layer 3 switch is a Catalyst 2960X.

We know that we should be using NAT to translate the IP addresses from the inside network to the network outside of the IACS but don't know specifically how.

Would we configure the switchport on the Stratix 5700 as an access port on VLAN 30? But apparently NAT does not change the VLAN tag, so that would not work, right? No traffic from VLAN 1 would come out interface gi1/1?

Should we change the VLAN identifier on all the Stratix's device ports from VLAN 1 to VLAN 30, then just use NAT to translate (IP addresses and gateways) across the subnets 192.168.1.0/24 -> 10.10.20.0/24?

Or should we be using NAT at layer 3 with PAT and a routed interface?

Has anyone else implemented this sort of configuration with the Stratix? Any help would be greatly appreciated.

References:

https://literature.rockwellautomation.com/idc/groups/literature/documents/td/enet-td007_-en-p.pdf

https://literature.rockwellautomation.com/idc/groups/literature/documents/td/enet-td001_-en-p.pdf

Stratix 5700 Switch Configuration
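The post asks what a one-to-one NAT between the IACS inside subnet and the plant-wide outside subnet actually does to traffic, and how only a few devices (a PLC, the HMI) end up reachable. The following is an added example, not code from the post, from Rockwell or from Cisco, and it is not switch configuration: it is a small Python model of a static 1:1 translation table with the semantics the question describes (inside host exposed under an outside address, outside gateway presented under an inside alias, everything else dropped at the boundary). Addresses and device names are constructed for the example, and only hosts on the two subnets are modelled; off-subnet sources are out of scope.

```python
"""Model of one-to-one NAT between an IACS inside subnet and a plant outside
subnet. Added example (not vendor code); all addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class OneToOneNat:
    """Bidirectional inside <-> outside address table (static 1:1 NAT)."""

    def __init__(self, inside_net: str, outside_net: str) -> None:
        self.inside_net = ipaddress.ip_network(inside_net)
        self.outside_net = ipaddress.ip_network(outside_net)
        self.in_to_out = {}   # inside address  -> outside address
        self.out_to_in = {}   # outside address -> inside address
        self.exposed = set()  # inside devices deliberately made reachable

    def _add_pair(self, inside_ip: str, outside_ip: str, label: str) -> None:
        """Register one translation; reject addresses outside their subnet
        or already in use, so two devices never share a translated address."""
        i = ipaddress.ip_address(inside_ip)
        o = ipaddress.ip_address(outside_ip)
        if i not in self.inside_net or o not in self.outside_net:
            raise ValueError(f"{label}: {i}/{o} not in the configured subnets")
        if i in self.in_to_out or o in self.out_to_in:
            raise ValueError(f"{label}: address already has a translation")
        self.in_to_out[i] = o
        self.out_to_in[o] = i

    def expose_inside_host(self, inside_ip: str, outside_ip: str, label: str) -> None:
        """Make one IACS device reachable from the plant network (allowlist)."""
        self._add_pair(inside_ip, outside_ip, label)
        self.exposed.add(ipaddress.ip_address(inside_ip))

    def present_outside_host(self, outside_ip: str, inside_alias: str, label: str) -> None:
        """Let inside devices reach an outside host (e.g. the plant gateway)
        through an alias address that lives in the inside subnet."""
        self._add_pair(inside_alias, outside_ip, label)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Inside -> outside: source and destination both need a translation,
        otherwise the frame is dropped at the boundary (None)."""
        src = ipaddress.ip_address(pkt.src)
        dst = ipaddress.ip_address(pkt.dst)
        if src not in self.in_to_out or dst not in self.in_to_out:
            return None
        return Packet(str(self.in_to_out[src]), str(self.in_to_out[dst]))

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: the mirror image of outbound()."""
        src = ipaddress.ip_address(pkt.src)
        dst = ipaddress.ip_address(pkt.dst)
        if src not in self.out_to_in or dst not in self.out_to_in:
            return None
        return Packet(str(self.out_to_in[src]), str(self.out_to_in[dst]))

    def exposed_outside_addresses(self) -> list:
        """Outside addresses at which IACS devices can be reached: this is the
        list to review against what the SCADA/VPN side actually needs."""
        return sorted(str(self.in_to_out[i]) for i in self.exposed)


def build_example_nat() -> OneToOneNat:
    """Constructed example: one PLC and one HMI exposed, plant gateway aliased."""
    nat = OneToOneNat("192.168.1.0/24", "10.10.20.0/24")
    nat.expose_inside_host("192.168.1.10", "10.10.20.10", "PLC (constructed)")
    nat.expose_inside_host("192.168.1.11", "10.10.20.11", "HMI (constructed)")
    nat.present_outside_host("10.10.20.1", "192.168.1.254", "plant gateway (constructed)")
    return nat


if __name__ == "__main__":
    nat = build_example_nat()
    print("exposed:", nat.exposed_outside_addresses())
    print("PLC -> gateway:", nat.outbound(Packet("192.168.1.10", "192.168.1.254")))
    print("unmapped device -> gateway:", nat.outbound(Packet("192.168.1.50", "192.168.1.254")))
    print("gateway -> HMI:", nat.inbound(Packet("10.10.20.1", "10.10.20.11")))
```

The design choice worth noting is that the table is an allowlist: an inside device with no entry cannot be reached and cannot reach out, which is the property the post is after when it says only one or two PLCs or the HMI should be connected to the rest of the industrial network. Reviewing `exposed_outside_addresses()` against what SCADA actually polls is the check to do before any of this is turned on.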
