Management VLAN for DeltaV Networks

Our company IT department approached me with a project to add a separate management VLAN onto our DeltaV Primary and Secondary Cisco switches (3750) for monitoring in SolarWinds.  The switches themselves definitely support management VLAN configuration, but I'm not exactly sure how to answer them.  The switches are physically isolated from the rest of the company's networks.  I was assured that while adding a management VLAN will physically bridge the switches into the corporate domain, the network and data will be unaffected.

Has anyone done this before?  Is this even supported or recommended by Emerson?  Will this open up our network to extra security risks?  Can this possibly affect the operation of controllers and workstations?

Thank you.

James Suisse

4 Replies

  • Technically it should work; you’d be dedicating a switch port to a separate VLAN for the role of management, but I’m not sure if that is a fully supported application.
     
    Emerson does support the use of SNMP (read-only) in a configuration where the SNMP application is installed on an application station, see below. You'd have to somehow link that application with your higher level management application – SolarWinds.
     
     
    From: James Suisse [mailto:bounce-suissejr@community.emerson.com]
    Sent: Thursday, May 02, 2013 10:58 PM
    To: DeltaV@community.emerson.com
    Subject: [EE365 DeltaV Track] Management VLAN for DeltaV Networks

  • In reply to AdrianOffield:

    Hi,

    I would recommend keeping the Process LAN to itself. If you open a pipe outside there is always the risk that somebody can get in through it :(

    In the picture you can see the recommended network layout.

    Here is a document you could read:

    www2.emersonprocess.com/.../DeltaV-Cyber-Security-Flyer.pdf

    Niklas Flykt 

    Klinkmann Oy

    Key Account Manager safety products

    nikfly@gmail.com

  • Technically DeltaV does not support the use of VLANs in the DeltaV network.  It does create a possible security issue, as the VLAN as described would be connected directly to the external LAN, and VLANs can be bridged and access gained to the DeltaV network.  Also, all DeltaV testing is done without VLANs, and DeltaV expects to have access to 100% of the network bandwidth.
     
    Perhaps the real question is: what does IT want to monitor? (Be sure they do not have any write access to the switch if they do insist on doing this monitoring.)  DeltaV network traffic has very low bandwidth usage, and we do monitor the network for network problems and switch to the secondary network if there are issues.  The system will also alert the user if there are network issues that impact communications.  We have hundreds of DeltaV networks running successfully without issues, without the need for added monitoring.
     
    Bob Huba
    DeltaV Product Manager (responsible for DeltaV networks)
     
     
     
    From: James Suisse [mailto:bounce-suissejr@community.emerson.com]
    Sent: Thursday, May 02, 2013 2:58 PM
    To: DeltaV@community.emerson.com
    Subject: [EE365 DeltaV Track] Management VLAN for DeltaV Networks

  • The Cisco switches will have an MGMT port on them

    This port is in a dedicated Management VRF that only has access to the management plane

    Make sure you apply access lists to the line inputs and to management services

    It should look something like this:

    ! Management interface placed in the dedicated management VRF
    interface GigabitEthernet0/0
     vrf forwarding Mgmt-vrf
     ip address x.x.x.x x.x.x.x
     negotiation auto
    !
    ! Standard ACLs listing the hosts allowed to poll SNMP (80) and open vty sessions (90)
    access-list 80 permit x.x.x.x
    access-list 90 permit x.x.x.x
    !
    ! Read-only community, restricted to the hosts in ACL 80
    snmp-server community read!it RO 80
    !
    ! SSH only on the vty lines, inbound sessions restricted with access-class (not access-list)
    line vty 0 4
     login
     transport input ssh
     access-class 90 in
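    The reply above lists four things the management plane should have before IT is given a path to it: the management interface in its own VRF, a read-only SNMP community tied to an ACL, and vty lines that require login, accept only SSH and carry an inbound access-class. The following Python script is an added example, not code from the thread or from Emerson or Cisco; it parses an IOS-style configuration dump and reports which of those four settings are missing, so the switch config can be checked before and after the change. The two configurations embedded in it are constructed samples: the first is the reply's hardened layout with the x.x.x.x placeholders filled with made-up RFC 1918 addresses, the second is the same switch with the weak defaults still in place.

```python
import re

# Constructed sample: the hardened layout from the reply, placeholder
# addresses replaced with made-up RFC 1918 values.
HARDENED = """\
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 ip address 10.99.0.5 255.255.255.0
 negotiation auto
!
access-list 80 permit 10.99.0.10
access-list 90 permit 10.99.0.10
!
snmp-server community read!it RO 80
!
line vty 0 4
 login
 transport input ssh
 access-class 90 in
"""

# Constructed sample: the same switch with weak settings (no VRF, a
# read-write community without an ACL, telnet still allowed, no access-class).
WEAK = """\
interface GigabitEthernet0/0
 ip address 10.99.0.5 255.255.255.0
!
snmp-server community public RW
!
line vty 0 4
 login
 transport input telnet ssh
"""


def parse_blocks(config):
    """Split IOS-style text into (header, [body lines]) pairs.
    Indented lines belong to the most recent unindented header;
    blank lines and '!' separator lines are ignored."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] in " \t" and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def check_management_plane(config):
    """Return a list of findings; an empty list means all checks passed."""
    blocks = parse_blocks(config)
    findings = []

    # Collect the ACL numbers that are actually defined, so a reference to a
    # missing ACL (which would leave the service unrestricted) is also flagged.
    defined_acls = set()
    for header, _ in blocks:
        m = re.match(r"access-list (\d+)\s", header)
        if m:
            defined_acls.add(m.group(1))

    for header, body in blocks:
        # 1. Any addressed interface used for management must sit in a VRF.
        if header.startswith("interface ") and any(l.startswith("ip address ") for l in body):
            if not any(l.startswith("vrf forwarding ") for l in body):
                findings.append(f"{header}: addressed interface is not in a management VRF")

        # 2. SNMP community must be RO and bound to a defined ACL.
        m = re.match(r"snmp-server community \S+ (RO|RW)(?:\s+(\d+))?\s*$", header)
        if m:
            mode, acl = m.groups()
            if mode == "RW":
                findings.append("snmp: community is read-write; monitoring needs RO only")
            if acl is None or acl not in defined_acls:
                findings.append("snmp: community is not restricted by a defined ACL")

        # 3/4. vty lines: inbound access-class, SSH-only transport, login required.
        if header.startswith("line vty"):
            acl_lines = [l for l in body if l.startswith("access-class ")]
            if not acl_lines or acl_lines[0].split()[1] not in defined_acls:
                findings.append(f"{header}: no access-class restricting inbound sessions")
            transports = [l.split()[2:] for l in body if l.startswith("transport input")]
            if not transports or any(t != ["ssh"] for t in transports):
                findings.append(f"{header}: transport input is not restricted to ssh")
            if not any(l.startswith("login") for l in body):
                findings.append(f"{header}: no login required")
    return findings


if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED), ("weak", WEAK)):
        problems = check_management_plane(cfg)
        print(f"{name}: {'OK' if not problems else str(len(problems)) + ' finding(s)'}")
        for p in problems:
            print("  -", p)
```

    Run it against a `show running-config` capture saved to a file by reading the file into a string and passing it to check_management_plane. The ACL check deliberately treats a reference to an undefined ACL as a failure, because on IOS an access-class pointing at a non-existent list does not restrict anything.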