Control Network Newsletter


Using an IP Router to Resolve IT vs. OT Conflicts

November 2016 - You are a plant engineer knowledgeable about the operations technology (OT) that keeps your plant productive, and you have recently installed three identical machining centers (cells) using the latest in network automation technology. Within each cell, the drives, operator interface and programmable controller have been assigned the same sequential private IP address series because that is how the machine builder builds and tests his machining centers. How do you integrate these preset IP addresses so that they conform to the IP address assignment policy of your IT department? The simple addition of a Skorpion EIPR-E IP Router could be a quick and inexpensive solution.

Changing the IP addresses on individual components within a machining center just to comply with an IT department IP addressing scheme seems absurd, and it can be avoided entirely if there is a means of translating between the addresses IT requires and those already assigned. There are two approaches that can be taken - network address translation (NAT) and port forwarding. Both can be handled by the EIPR-E.

EIPR-E IP Router

Using Network Address Translation (NAT)

In our example, the three machining cells all use the same private subnet, 192.168.92.0. For each cell we add an EIPR-E, give it the LAN side address 192.168.92.100, and then sequentially address the other devices within the machining cell, giving us a total of 15 IP addresses that need translation. If the IT department can afford to give us 15 IP addresses in the required range, NAT can be used. The EIPR-E IP Router has one WAN side port and 4 LAN side ports, making it convenient to connect LAN side devices. The WAN port, which connects to the IT network, can be configured to map 15 WAN side addresses to the 15 LAN side addresses used by the equipment as shown below. In this example the IT department gave us a base address of 10.0.10.100 to begin our mapping. A simple one-to-one mapping does the trick.


Port Forwarding

If the IT department is stingy in assigning us IP addresses, port forwarding can be used instead, requiring only a single IP address assignment - the IP router's WAN side address. This time the mapping table translates WAN side ports to LAN side IP addresses and ports. For example, if it is necessary to reach the web page (port 80) on device 192.168.92.101, an entry is made to translate an arbitrary port, 8081, on the WAN side to port 80 on the LAN side. If it is also necessary to reach the web page on a second device on the LAN side, port 8082 can be assigned. If only one of the devices - a PLC - requires access to the FTP protocol (port 21), then an entry could be made to simply translate port 21 on the WAN side to the PLC IP address and port 21.


Static versus Dynamic IP Addressing

One wrinkle the IT department can add is a requirement for dynamic assignment of IP addresses instead of static addresses. Although the EIPR-E provides DHCP client capability, which means it will request an IP assignment from the IT department's router, dynamic assignments can complicate the situation. If NAT is used, it is important that the IT department does not include in its DHCP range those IP addresses that are used for translation. If port forwarding is used, dynamic addressing is not recommended because once the WAN address is changed through some reboot of the system, you could lose the WAN side assignment critical to port forwarding.

The EIPR-E saves time and reduces the potential for errors when reconfiguring the IP addresses in machines just to comply with IT department IP address assignment policy. The EIPR-E is very easy to configure and install. Priced at $299, the EIPR-E provides a simple solution at a cost-effective price point.
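The one-to-one NAT mapping, the port forwarding table and the DHCP caveat described above can be checked on paper before anything is configured. The following is an added example, not EIPR-E configuration syntax or vendor code; it assumes five translated devices per cell starting at 192.168.92.101 (the article gives only the total of 15), and the DHCP pool and the second and third forwarding targets are constructed values.

```python
import ipaddress

def nat_table(wan_base, lan_first, per_cell, cells):
    """One-to-one map: every cell reuses the same LAN addresses
    but receives its own block of WAN side addresses."""
    wan = ipaddress.IPv4Address(wan_base)
    lan = ipaddress.IPv4Address(lan_first)
    table = {}
    for cell in range(cells):
        for i in range(per_cell):
            table[str(wan + cell * per_cell + i)] = (cell + 1, str(lan + i))
    return table

def dhcp_conflicts(table, pool_start, pool_end):
    """WAN side NAT addresses that the IT DHCP server could also lease."""
    lo = ipaddress.IPv4Address(pool_start)
    hi = ipaddress.IPv4Address(pool_end)
    hits = [a for a in table if lo <= ipaddress.IPv4Address(a) <= hi]
    return sorted(hits, key=ipaddress.IPv4Address)

def duplicate_wan_ports(rules):
    """With a single WAN address, each WAN port may appear in one rule only."""
    seen, dups = set(), set()
    for wan_port, _lan_ip, _lan_port in rules:
        (dups if wan_port in seen else seen).add(wan_port)
    return sorted(dups)

# Base address and LAN subnet from the article; per-cell count is an assumption.
TABLE = nat_table("10.0.10.100", "192.168.92.101", per_cell=5, cells=3)

# First rule is from the article; the .102 and .103 targets are constructed.
RULES = [
    (8081, "192.168.92.101", 80),   # web page on first device
    (8082, "192.168.92.102", 80),   # web page on second device
    (21,   "192.168.92.103", 21),   # FTP to the PLC
]

if __name__ == "__main__":
    for wan_ip, (cell, lan_ip) in TABLE.items():
        print(f"{wan_ip:<13} -> cell {cell}  {lan_ip}")
    # Constructed DHCP pool that wrongly overlaps the last NAT block.
    print("DHCP overlap:", dhcp_conflicts(TABLE, "10.0.10.110", "10.0.10.200"))
    print("Duplicate WAN ports:", duplicate_wan_ports(RULES))
```

Any address reported as a DHCP overlap should be excluded from the IT department's pool before the router goes live.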
