Are these ideas about traffic flow incorrect?

I was wondering if my understanding of the network ideas below is correct or off base, so that I may better explain things to my boss.


Tweak QoS – give priority to different protocols – requires expertise


Types of VLANS – There are VLANS that aren’t allowed to talk to other VLANS, VLANS that can talk only to specific VLANS, and VLANS that can talk to all others. - this is something I may be able to learn.


Routers and internal firewalls – set up routes for traffic flow. For example, most subnets can’t talk to the PLC subnet except at a single point and only in one direction and only certain kinds of traffic (for remote access and web interfaces). These could act as an internal DMZ from manufacturing to the office.


I think the bandwidth is there but the separation of packets is not.


I think the routers and access rules will not permit the other packets from going by the PLC devices. I think I mean that instead of a PLC device seeing all packets and saying “I don’t need that – I will drop it” (taking up its processing and intake buffer), the packet will not be allowed to pass by the device.


This is my vague and possibly incorrect understanding.

2 Replies

pieterh
VIP

Tweak QoS – give priority to different protocols – requires expertize
YES:

you need a thorough understanding of protocols
of course there are general guidelines, but these may need adjustment in your network

Types of VLANS – There are VLANS that aren’t allowed to talk to other VLANS, VLANS that can talk only to specific VLANS, and VLANS that can talk to all others. - this is something I may be able to learn.
NO:

vlans are meant to isolate traffic in parts of the network; by default no VLAN has access to another VLAN.
most of the time each vlan is also using its own subnet and there is a device that forwards data between vlans (a router or firewall)

Routers and internal firewalls – setup routes for traffic flow. For example, most subnets can’t talk to the PLC subnet except at a single point and only in one direction and only certain kinds of traffic (for remote access and web interfaces). These could act as an internal DMZ from manufacturing to the office.
NOT QUITE:
a router can forward packets between networks; its configuration determines which subnets are forwarded to each other
by default all packets between routed subnets will be forwarded
in addition a router can use ACLs to NOT forward packets, not for the whole subnet but for a selection of individual IP addresses / protocols or combinations of them
a firewall can also forward packets between networks; frequently the terms "outside" and "inside" are used to determine a "security level"
inside is more trusted than outside; traffic from inside to outside and from outside to inside are treated differently
in addition firewalls can provide additional services for data inspection like url-filtering and intrusion detection/prevention
routers can offer similar functionality as a firewall, but as firewalls are designed dedicated to the job, they are considered to offer better security


I think the bandwidth is there but the separation of packets is not.
???


I think the routers and access rules will not permit the other packets from going by the PLC devices. I think I mean that instead of a PLC device seeing all packets and saying “I don’t need that – I will drop it” (taking up its processing and intake buffer), the packet will not be allowed to pass by the device.
NO:

the PLC's network interface should already ignore all packets not addressed to the PLC's IP address
only data sent to the PLC's address and broadcasts will reach the PLC's processor
YES:

the router/firewall can be used to filter data sent to the PLC, but more for security reasons than to prevent an overload on the PLC.
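As an added illustration of the "single point, one direction, only certain kinds of traffic" rule pieterh describes (not part of the thread), here is what the ACL pair looks like on a Cisco IOS layer-3 switch with SVIs. The addresses, VLAN numbers, jump host and ports are constructed assumptions: office VLAN 20 = 10.10.20.0/24, PLC VLAN 30 = 10.10.30.0/24, jump host 10.10.20.5, web on 443 and remote access on 3389.

```cisco
! Constructed example: office VLAN 20 = 10.10.20.0/24, PLC VLAN 30 = 10.10.30.0/24,
! jump host 10.10.20.5. Without an ACL the switch forwards everything between the SVIs.
!
! Office -> PLC: only the jump host may open web (443) and remote-access (3389)
! sessions to the PLC subnet. Everything else bound for the PLCs is dropped and logged,
! which also gives the SOC a record of anything else trying to reach the PLC network.
ip access-list extended OFFICE-TO-PLC
 remark Jump host -> PLC web interfaces and remote access only
 permit tcp host 10.10.20.5 10.10.30.0 0.0.0.255 eq 443
 permit tcp host 10.10.20.5 10.10.30.0 0.0.0.255 eq 3389
 remark Any other packet toward the PLC subnet is dropped (logged for detection)
 deny   ip any 10.10.30.0 0.0.0.255 log
 remark Office traffic to every other subnet is not affected by this ACL
 permit ip any any
!
! PLC -> office: the PLC subnet may only answer the sessions above (ACK/RST set),
! it can never start a session of its own toward the office.
ip access-list extended PLC-TO-OFFICE
 permit tcp 10.10.30.0 0.0.0.255 eq 443 host 10.10.20.5 established
 permit tcp 10.10.30.0 0.0.0.255 eq 3389 host 10.10.20.5 established
 deny   ip any any log
!
interface Vlan20
 description Office VLAN (SVI)
 ip address 10.10.20.1 255.255.255.0
 ip access-group OFFICE-TO-PLC in
!
interface Vlan30
 description PLC VLAN (SVI)
 ip address 10.10.30.1 255.255.255.0
 ip access-group PLC-TO-OFFICE in
```

PLC-to-PLC traffic inside VLAN 30 is switched and never crosses the SVI, so these ACLs do not touch it; `show ip access-lists OFFICE-TO-PLC` shows the per-line hit counters, including how much was denied.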

Our VLANS will pass traffic from one to another. What about promiscuous, private and community VLANs?

Doesn’t the PLC ignore the packet but still inspect it to see if it needs it filling up a buffer?

We are seeing packets from all over the network and different VLANs; I want to segment this traffic. We don't have any internal routers or firewalls.