Installation guide

Network Infrastructure for EtherNet/IP™
Planning the Infrastructure
3-24
3.6.1 Security Issues
Firewalls are important to the security of integrated networks. Routers and switches may also be
configured to contribute to network security.
3.6.1.1 Firewalls
A firewall is a software and hardware solution that acts as a barrier to protect a network from outside
intruders when connected to a wide area network (WAN), such as an enterprise network or the Internet.
Any plant-floor information (e.g., remote diagnostics) that is accessed from outside the building must first
pass through a firewall.
3.6.1.2 Routers and Switches
Most routers today allow filtering of TCP/IP packets as they approach the internal network from a WAN
or the Internet. Operating at the network layer of the OSI Model, these routers can deny access to the
internal network for packets from specific external sites. They allow access to only certain services (such
as internal web servers) or certain computers in the internal network (such as a mail server). All attempts
to connect to other computers in the internal network will be denied. Although not bulletproof, routers do
provide an added line of defense. Many managed switches also contain the ability to disable unused
physical ports to prevent unauthorized personnel from plugging in and accessing the network.
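The filtering behaviour described above (deny specific external sites, permit only a few internal services, deny every other connection attempt) is easiest to see as a first-match rule list with an implicit deny at the end. The following Python is an added illustration and not part of the guide; the internal network 192.0.2.0/24, the external addresses, the web and mail server hosts and the rule set are all constructed assumptions using documentation address ranges.

```python
"""Default-deny border filter of the kind described in section 3.6.1.2.
Constructed example: addresses are RFC 5737 documentation ranges, not real
hosts, and the rule set is an assumption chosen to match the text."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    src: ipaddress.IPv4Network      # source network the rule matches
    dst: ipaddress.IPv4Network      # destination network inside the plant
    proto: str                      # "tcp", "udp" or "any"
    dport: Optional[int] = None     # destination port; None matches any port

    def matches(self, src_ip, dst_ip, proto, dport):
        return (ipaddress.IPv4Address(src_ip) in self.src
                and ipaddress.IPv4Address(dst_ip) in self.dst
                and self.proto in ("any", proto)
                and (self.dport is None or self.dport == dport))


# Constructed rule set (assumption): one known-hostile external site is denied
# outright, outside clients may reach the internal web server on TCP/80 and the
# mail server on TCP/25, and nothing else in 192.0.2.0/24 is reachable.
BORDER_RULES = [
    Rule("deny", ipaddress.IPv4Network("203.0.113.0/24"), ANY, "any"),
    Rule("permit", ANY, ipaddress.IPv4Network("192.0.2.10/32"), "tcp", 80),
    Rule("permit", ANY, ipaddress.IPv4Network("192.0.2.25/32"), "tcp", 25),
    # No trailing "permit any" rule: anything not matched above is denied.
]


def filter_packet(rules, src_ip, dst_ip, proto, dport=None):
    """Decide one inbound packet: first matching rule wins, and a packet that
    matches no rule is denied (the implicit deny at the end of the list)."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action
    return "deny"


def denied(rules, packets):
    """Return the (src, dst, proto, dport) tuples the filter rejects; these are
    the events a defender would forward to a log server for review."""
    return [p for p in packets if filter_packet(rules, *p) == "deny"]


if __name__ == "__main__":
    sample = [  # constructed inbound traffic from the WAN side
        ("198.51.100.7", "192.0.2.10", "tcp", 80),   # web server: permit
        ("198.51.100.7", "192.0.2.25", "tcp", 25),   # mail server: permit
        ("198.51.100.7", "192.0.2.50", "tcp", 22),   # other internal host: deny
        ("203.0.113.9", "192.0.2.10", "tcp", 80),    # denied external site
    ]
    for pkt in sample:
        print(pkt, "->", filter_packet(BORDER_RULES, *pkt))
    print("denied:", len(denied(BORDER_RULES, sample)))
```

The order of the rules matters: the site-level deny sits before the service permits so that a host on the blocked network cannot reach even the permitted servers, and the absence of a final permit rule is what makes every other connection attempt fail, as the text states.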
3.7 Traffic Management with VLANs
A virtual LAN (VLAN) is a switched network segmented by functions or applications on an
organizational basis as opposed to a physical or geographical basis. VLAN addressing mechanisms allow
stations to be assigned to logical groups that communicate across multiple LANs as though they were on
a single LAN.
Bridges and switches filter Destination Addresses and forward VLAN frames only to ports that serve the
VLAN to which the traffic belongs. One example is a device-level network with “multi-master”
capability. In this case, two industrial PCs communicate on the same network with a number of devices.
PC #1 may control devices 1, 3 and 5 while PC #2 controls devices 2, 4 and 6.
With industrial Ethernet, all eight devices can be connected together on the same Ethernet network using
several switches. A VLAN approach might place PC #1 and devices 1, 3 and 5 on VLAN 1, and PC #2
with devices 2, 4 and 6 on VLAN 2. Devices or network segments related to VLAN 1 do not receive
messages from VLAN 2, thus reducing overall network traffic.
3.7.1 How VLANs Work
A VLAN is created by “tagging” or inserting a 4-byte VLAN header into the basic Ethernet (MAC Data)
frame between the Source Address and Length/Type fields as shown in Figure 3-3.
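The two-PC example of section 3.7 and the tag insertion of section 3.7.1 can be exercised together with a small model of a VLAN-aware switch. The Python below is an added example, not code from the guide; the 4-byte tag layout it uses (a 16-bit TPID of 0x8100 followed by a 16-bit TCI carrying a 3-bit priority, a 1-bit DEI and a 12-bit VLAN ID) is the IEEE 802.1Q format, while the MAC addresses, the port-to-VLAN assignment and the treatment of untagged frames on single-VLAN ports are constructed assumptions.

```python
"""802.1Q tagging plus VLAN-aware forwarding, illustrating sections 3.7 and
3.7.1.  Constructed example: MAC addresses and port assignments are made up,
and the bridge model is a deliberate simplification."""
import struct

TPID = 0x8100                       # 802.1Q tag protocol identifier
BROADCAST = b"\xff" * 6


def mac(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Assemble an Ethernet frame; when vid is given, insert the 4-byte VLAN
    header between the Source Address and the Length/Type field."""
    header = mac(dst) + mac(src)
    if vid is not None:
        if not 1 <= vid <= 4094:
            raise ValueError("VLAN ID must be 1..4094")
        tci = ((pcp & 0x7) << 13) | (vid & 0xFFF)   # PCP(3) | DEI(1)=0 | VID(12)
        header += struct.pack("!HH", TPID, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vid or None, ethertype, payload) for a raw frame."""
    dst, src = frame[:6], frame[6:12]
    (tag_or_type,) = struct.unpack("!H", frame[12:14])
    if tag_or_type == TPID:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0xFFF, ethertype, frame[18:]
    return dst, src, None, tag_or_type, frame[14:]


class VlanSwitch:
    """Minimal VLAN-aware bridge: learns source MACs per VLAN and forwards a
    frame only to ports that serve the VLAN the frame belongs to."""

    def __init__(self, port_vlans):
        self.port_vlans = port_vlans    # port number -> set of VLAN IDs served
        self.fdb = {}                   # (vid, mac bytes) -> port learned

    def classify(self, in_port, tag_vid):
        served = self.port_vlans[in_port]
        if tag_vid is None:             # untagged: a single-VLAN port owns it
            return next(iter(served)) if len(served) == 1 else None
        return tag_vid if tag_vid in served else None

    def forward(self, in_port, frame):
        """Return the list of output ports for a frame arriving on in_port."""
        dst, src, tag_vid, _, _ = parse_frame(frame)
        vid = self.classify(in_port, tag_vid)
        if vid is None:
            return []                   # frame does not belong on this port
        self.fdb[(vid, src)] = in_port
        members = sorted(p for p, v in self.port_vlans.items()
                         if vid in v and p != in_port)
        known = self.fdb.get((vid, dst))
        if dst != BROADCAST and known in members:
            return [known]              # learned unicast: one port
        return members                  # unknown or broadcast: flood in VLAN only


# Constructed topology matching the text: PC #1 with devices 1, 3, 5 on VLAN 1
# (ports 1-4) and PC #2 with devices 2, 4, 6 on VLAN 2 (ports 5-8).
PORT_VLANS = {1: {1}, 2: {1}, 3: {1}, 4: {1}, 5: {2}, 6: {2}, 7: {2}, 8: {2}}
PC1, PC2 = "02:00:00:00:00:a1", "02:00:00:00:00:a2"
DEV = {n: f"02:00:00:00:01:{n:02x}" for n in range(1, 7)}


def demo():
    sw = VlanSwitch(PORT_VLANS)
    out = {}
    # PC #1 broadcasts from port 1: only the VLAN 1 ports 2, 3, 4 receive it.
    out["pc1_broadcast"] = sw.forward(1, build_frame("ff:ff:ff:ff:ff:ff", PC1, 0x0800, b"hi"))
    # Device 3 answers from port 3, so the switch learns it in VLAN 1.
    sw.forward(3, build_frame(PC1, DEV[3], 0x0800, b"reply"))
    # PC #1 to device 3 is now delivered to port 3 alone.
    out["pc1_to_dev3"] = sw.forward(1, build_frame(DEV[3], PC1, 0x0800, b"cmd"))
    # PC #1 to device 2 (a VLAN 2 station) floods VLAN 1 only; port 6 never sees it.
    out["pc1_to_dev2"] = sw.forward(1, build_frame(DEV[2], PC1, 0x0800, b"cmd"))
    # A frame tagged VLAN 2 arriving on a VLAN 1 port is discarded.
    out["mismatched_tag"] = sw.forward(1, build_frame(DEV[2], PC1, 0x0800, b"x", vid=2))
    return out


if __name__ == "__main__":
    for name, ports in demo().items():
        print(f"{name}: forwarded to ports {ports}")
```

Note that the VLAN ID travels with the frame only on the wire segments where it is needed: an end station on a single-VLAN port sends plain frames and the switch assigns the VLAN from the port, which is why a tagged frame that names a different VLAN than the port serves is dropped rather than honoured.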