Solved: Isolation of Private Manufacturing Subnets

Josh Thrun · ‎10-23-2013

I am looking for a simple way to isolate a private manufacturing network so it can not speak to or be advertised to the business network, This is all connected to a single 4506 switch.

Currently I have 10 VLANs setup. 8 are on the business network and the other 3 are on the manufacturing side. I do not want any of the 3 on the manufacturing side to talk to each other or the business network.

Would simply setting them as 3 layer 2 broadcast domains suffice? All devices on these network only need to talk to each other and nothing else. Also, every address is statically assigned.

Marvin Rhoads · ‎10-23-2013

Yes, just set it up so that there are no layer 3 interfaces on your switch for the "private" manufacturing subnets. I did it just that way for a customer with a SCADA system for industrial controls. For the few times someone needs access into the industrial systems from the business side, they use a dual-homed server as a jump box and RDP into it.

View solution in original post

Marvin Rhoads · ‎10-23-2013

Yes, just set it up so that there are no layer 3 interfaces on your switch for the "private" manufacturing subnets. I did it just that way for a customer with a SCADA system for industrial controls. For the few times someone needs access into the industrial systems from the business side, they use a dual-homed server as a jump box and RDP into it.

Josh Thrun · ‎10-24-2013

Great thanks. That's exactly what I ended up doing for our SCADA server as well.