
Large Manufacturing Campus Core Network Technology Selection

Level 1

I am engaged in a large manufacturing campus network redesign project. There are around 50 buildings on that 3,000-acre campus. There are a couple of software applications (e.g. MES and Historian) that are used by almost all manufacturing control systems in most buildings. However, to prevent unauthorized lateral movement, we don't want every control system to be able to talk with other control systems (except through those pre-defined applications). Unfortunately, a firewall is not allowed within the campus. Shall we consider an L3 core-to-distribution edge, and then an L2 distribution-to-access network architecture? May I consider manipulating the route-target filtering of VRFs to achieve this special network security goal? I understand the route-target is a BGP extended community. Can I just enable iBGP on the L3 core switches (e.g. Cat-9500/9600)? Or any other recommendations? Any comments are welcome. Thanks,
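As an added example (not from this thread or from any of the posters), this is what the route-target "hub and spoke" pattern asked about above could look like on an IOS-XE L3 core: every building VRF exports into a common spoke RT and imports only the shared-services RT, so building subnets never appear in each other's routing tables while MES/Historian subnets are reachable from all of them. The AS number, RD/RT values, VRF names, addresses and the second core's loopback are assumed; between two cores the VPNv4 routes also need a label transport, assumed here to be MPLS on the inter-core link.

```ios
! Shared-services VRF (MES, Historian): exports RT 65000:1, imports every building's RT 65000:100
vrf definition APPS
 rd 65000:1
 address-family ipv4
  route-target export 65000:1
  route-target import 65000:100
 exit-address-family
!
! Building VRFs: export into the spoke RT, import ONLY the shared-services RT (never 65000:100)
vrf definition BLDG-A
 rd 65000:11
 address-family ipv4
  route-target export 65000:100
  route-target import 65000:1
 exit-address-family
!
vrf definition BLDG-B
 rd 65000:12
 address-family ipv4
  route-target export 65000:100
  route-target import 65000:1
 exit-address-family
!
! Label transport to the second core (assumed link); without it iBGP VPNv4 routes are not usable
interface TenGigabitEthernet1/0/1
 ip address 10.255.0.1 255.255.255.252
 mpls ip
!
router bgp 65000
 bgp router-id 10.0.0.1
 neighbor 10.0.0.2 remote-as 65000
 neighbor 10.0.0.2 update-source Loopback0
 address-family vpnv4
  neighbor 10.0.0.2 activate
  neighbor 10.0.0.2 send-community extended
 exit-address-family
 address-family ipv4 vrf APPS
  redistribute connected
 exit-address-family
 address-family ipv4 vrf BLDG-A
  redistribute connected
 exit-address-family
 address-family ipv4 vrf BLDG-B
  redistribute connected
 exit-address-family
!
! Verification: "show ip route vrf BLDG-A" should list its own and APPS prefixes but no BLDG-B
! prefixes; "show ip route vrf APPS" should list every building prefix.
```

This is a routing-plane control only: it removes the path between buildings, so a default or summary route injected into a building VRF, or two control systems sharing one VLAN, would bypass it and has to be excluded by design.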

5 Replies

Leo Laohoo
Hall of Fame

@ezisaac wrote:

Unfortunately, the firewall is not allowed within the campus.

Was this decision due to cost?

No, that's the client's IT decision. The whole system shall be scanned by a remote SOC during the night. An internal FW will block scanning.

An internal firewall is recommended for this kind of scenario. If that is not possible, you have to use a proper VLAN architecture and do ACLs at each point where you need filtering, but that comes with high administrative effort and complexity. Also, you can check products like ISE with NAC features and use DACL-type features to automate some tasks.

Please rate this and mark as solution/answer, if this resolved your issue
Good luck


I recently got a little bit into SCADA/ICS security, and I think implementing any sort of layer 3 security can be very tricky, as you have to be very careful about what exactly you block, in order not to break the entire real-time calculation engine data flow of the plant/campus. That said, who is the historian/MES supplier (e.g. Maverick/Rockwell)?

Level 1

Has anybody tried the OSPF route/LSA filtering feature to filter some "unwanted" routes in an L3 campus network (an L2 campus core network is kind of too complex)? If so, I may filter the specific other-area routes out of the type-3 LSAs. I guess that may work for this scenario but want to confirm that with the community. Any comments? Thanks again,