YOKOGAWA DCS CS1000, 3000 networking

Thread Starter

inst

I have 3 locations (blast furnace, sinter plant, SMS) installed with Yokogawa CS1000, with 4 computers in each location. The IP addresses are 172.17.1.21, 22, 23, 24 in each location. I have to bring all these computers into a network through the existing plant Ethernet.
Please suggest something.
 
P
I think you mean that each location has the same (default) yokogawa addresses assigned IP range 172.17.1.21,22,23,24 - and that it is impossible to route traffic to these locations & addresses as they are all the same.

So don't use these ranges - assign additional addresses to the existing network cards (Win2k, XP, Vista all allow this functionality), if you don't know how just ask your IT guy (where you assign IP address to the card, select on advanced and you can add additional IP addresses).

For example:
Blast Furnace - 172.20.1.21,22,23,24
Sinter Plant - 172.20.2.21,22,23,24
SMS - 172.20.3.21,22,23,24

The details of the connection and data transfer etc will depend on exactly what you want to achieve.
You are not clear on whether you are using Vnet2/IP or a separate "Enet" for this traffic, based on the address I suspect Vnet2/IP.
Personally I would use a separate network - physically separate from Vnet2 with separate network cards.

This is for security & traffic - always separate control from other layers.

Are you planning to merge all projects?
Do you want to put them onto a common bus Vnet1 & Vnet2?
Are they close together?
How are you transferring traffic between the sites and what kind of bandwidth do you need - have you secured the network from accidental corruption - is it secure from deliberate corruption?

So many options.
 
Michael Toecker

I've had a lot of success using bi-directional Network Address Translation (NAT) and interconnection routers for this type of application. What do you mean by the existing plant Ethernet though? Is this all your DCS switches connected together, or is it some other network?

NAT is basically a concept that allows you to keep internal addresses the way they are, but provide a public address that accesses the internal address. It's used a lot by companies that are trying to interconnect networks that have the same IP addresses. More info: http://en.wikipedia.org/wiki/NAT

To do NAT, you define a public IP range (192.168.100.0/23) that maps to each individual DCS IP like so:
Furnace - 172.17.1.2x <-> 192.168.100.2X
Sinter - 172.17.1.2x <-> 192.168.100.3X
SMS - 172.17.1.2x <-> 192.168.100.4X

Then, connect the router to each of your DCS switches, and configure appropriately according to the NAT table. This keeps your DCS networks segregated from one another, while still allowing the intercommunication you want. You want segregation from one another, as control systems are not robust against network events. Ensure you use router equipment with a full and easy-to-configure NAT featureset, or hire a decent network engineer to do it for you. I'd also recommend adding Access Control Lists (ACLs) to limit traffic between the networks, it'll save you pain in the future.

Benefits:

1. Consistent approach allows you to add or remove systems quickly

2. Segregation keeps networking events in one area from impacting others

3. Allows capability to configure security (firewall rules that limit what communications go between your DCS computers)

4. Can configure bandwidth limits on the router to limit the traffic between networks and ensure that your DCS always has a certain amount of bandwidth available.

5. DCS system changes are limited to the addition of routes/gateways, rather than invasive network interface changes.

Downside:
1. Adds networking complexity you may not be prepared for, though NAT is a simple enough concept to learn.

2. Requires a router, preferably two in redundant setup.

3. Increased intercommunication comes with computer security issues.

I like the idea of assigning an additional IP Address to the interface, but would caution: This approach will increase traffic on your network, and you can't enforce any central control on this traffic (like you can on a router). Large file transfers, uninformed users, etc, could impact operation, so training is necessary.

You could also re-IP all the networks to use different IP ranges, but I'm sure that option was already considered and rejected for whatever reason.

Mike Toecker
Control System Network and Security Engineer
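
The 1:1 mapping and ACL described in the post above, modelled as an added example (not part of the original posts and not a router configuration). It assumes the last digit of each host address is preserved (172.17.1.21 at Sinter becomes 192.168.100.31); the site keys, the single ACL entry and its port are constructed for illustration.

```python
import ipaddress

PUBLIC_NET = ipaddress.ip_network("192.168.100.0/23")  # range given in the post
INTERNAL = [ipaddress.ip_address(f"172.17.1.{n}") for n in (21, 22, 23, 24)]
# Site -> tens digit of the public host number (the post's 2X / 3X / 4X scheme)
SITE_TENS = {"furnace": 2, "sinter": 3, "sms": 4}

def build_nat_table():
    """Return {(site, internal_ip): public_ip}, rejecting collisions."""
    table, seen = {}, set()
    for site, tens in SITE_TENS.items():
        for ip in INTERNAL:
            last_digit = (int(ip) & 0xFF) % 10
            public = ipaddress.ip_address(f"192.168.100.{tens * 10 + last_digit}")
            if public not in PUBLIC_NET:
                raise ValueError(f"{public} is outside {PUBLIC_NET}")
            if public in seen:
                raise ValueError(f"{public} is mapped twice")
            seen.add(public)
            table[(site, ip)] = public
    return table

NAT = build_nat_table()
REVERSE = {public: key for key, public in NAT.items()}

def to_public(site, internal):
    """Outbound: the same internal address maps differently per site."""
    return NAT[(site, ipaddress.ip_address(internal))]

def to_internal(public):
    """Inbound: public address -> (site, internal address)."""
    return REVERSE[ipaddress.ip_address(public)]

# Constructed ACL: default deny, one permitted flow (source, destination, port).
ACL = {("192.168.100.21", "192.168.100.31", 443)}

def forward(src_site, src_internal, dst_public, dst_port):
    """One packet through the router: source NAT, ACL check, destination NAT.

    Returns (source as seen by the destination, destination site,
    destination internal address), or None if the ACL drops it.
    """
    src_public = str(to_public(src_site, src_internal))
    if (src_public, dst_public, dst_port) not in ACL:
        return None
    dst_site, dst_internal = to_internal(dst_public)
    return src_public, dst_site, str(dst_internal)
```

Both ends of the permitted flow are 172.17.1.21 on their own networks, yet neither site ever sees a duplicate address, and any flow not listed in the ACL is dropped.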
 
I found a rather easy solution: changing the domain by setting the DIP switches in the controller as well as the VL-net card, but it is not that simple. Changes in the project are also needed in that case.