07-21-2022 09:28 PM
I am engaged in a large manufacturing campus network redesign project. There are around 50 buildings on that 3,000-acre campus. A couple of software applications (e.g. MES and Historian) are used by almost all manufacturing control systems in most buildings. However, to prevent unauthorized lateral movement, we don't want every control system to be able to talk with other control systems (except for those pre-defined applications). Unfortunately, a firewall is not allowed within the campus. Shall we consider an L3 core-to-distribution edge, and then an L2 distribution-to-access network architecture? May I consider manipulating the route-target filtering of VRFs to achieve this special network security goal? I understand the route-target is a BGP extended community. Can I just enable iBGP on the L3 core switches (e.g. Cat-9500/9600)? Or any other recommendations? Any comments are welcome. Thanks,
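The route-target idea in the post above, worked through as an added example that is not part of the thread and not Cisco code: a hub-and-spoke VRF design in which each control-system VRF exports its own RT and imports only the shared-services RT, while the shared-services VRF (MES/Historian) imports every cell RT. The script simulates RT-based import the way a VRF does it when VRF routes are carried as VPN routes with RT extended communities (MP-BGP, as in MPLS L3VPN or EVPN) and checks the policy "every cell reaches the shared VRF and nothing else". All VRF names, RT values and prefixes are constructed for the demo. Keep in mind what the model shows and what it does not: RT import/export withholds routes, it does not inspect packets, so a default route or summary imported into a cell VRF would reopen reachability without touching this policy, and the shared-services hosts remain reachable from every cell by design.

```python
"""Route-target (RT) import/export model for a hub-and-spoke VRF design.

Added example, not code from the thread or from Cisco: it checks the policy
"every control-system VRF reaches the shared-services VRF (MES/Historian),
but no control-system VRF reaches another" by simulating how a VRF imports
only the VPN routes carrying one of its import RTs. VRF names, RT values and
prefixes are constructed for the demo.
"""
import copy

# Constructed design: one shared-services VRF (hub) and three cell VRFs (spokes).
VRFS = {
    "SHARED": {                       # MES and Historian servers live here
        "prefixes": ["10.0.0.0/24"],
        "export": {"65000:1"},
        "import": {"65000:100", "65000:101", "65000:102"},  # one RT per cell
    },
    "CELL-A": {"prefixes": ["10.1.0.0/24"], "export": {"65000:100"}, "import": {"65000:1"}},
    "CELL-B": {"prefixes": ["10.2.0.0/24"], "export": {"65000:101"}, "import": {"65000:1"}},
    "CELL-C": {"prefixes": ["10.3.0.0/24"], "export": {"65000:102"}, "import": {"65000:1"}},
}


def build_tables(vrfs):
    """Return {vrf: set of prefixes} after RT-based import.

    Each VRF always holds its own connected prefixes; a remote prefix is
    imported only if its export RT set intersects this VRF's import RT set.
    """
    advertised = [(p, v["export"], name) for name, v in vrfs.items() for p in v["prefixes"]]
    tables = {}
    for name, v in vrfs.items():
        table = set(v["prefixes"])
        for prefix, rts, origin in advertised:
            if origin != name and rts & v["import"]:
                table.add(prefix)
        tables[name] = table
    return tables


def reachability_matrix(vrfs):
    """m[src][dst] is True when src's table contains a prefix originated by dst."""
    tables = build_tables(vrfs)
    return {
        src: {dst: any(p in tables[src] for p in vrfs[dst]["prefixes"]) for dst in vrfs}
        for src in vrfs
    }


def cells_isolated(vrfs, hub="SHARED"):
    """Policy check: every spoke reaches the hub and no other spoke.

    Returns the list of (src, dst) pairs that violate the policy; an empty
    list means the design is compliant.
    """
    m = reachability_matrix(vrfs)
    violations = []
    for src in vrfs:
        if src == hub:
            continue
        for dst in vrfs:
            if dst == src:
                continue
            expected = dst == hub
            if m[src][dst] != expected:
                violations.append((src, dst))
    return violations


def leaky_design(vrfs):
    """Constructed misconfiguration: CELL-B also imports CELL-A's RT
    (the kind of copy-paste slip that silently defeats the isolation)."""
    bad = copy.deepcopy(vrfs)
    bad["CELL-B"]["import"].add("65000:100")
    return bad


if __name__ == "__main__":
    print("baseline violations:", cells_isolated(VRFS))             # []
    print("leaky violations:", cells_isolated(leaky_design(VRFS)))  # [('CELL-B', 'CELL-A')]
```

The `cells_isolated` check is the part worth keeping around: run it against the intended RT table before any change to a cell VRF, because a single extra import RT (the `leaky_design` case) re-creates exactly the cell-to-cell path the design is meant to remove, and nothing in the running configuration will flag it.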
07-21-2022 09:36 PM
@ezisaac wrote:
Unfortunately, the firewall is not allowed within the campus.
Was this decision due to cost?
07-22-2022 06:23 AM
No, that's the client's IT decision. The whole system shall be scanned by a remote SOC during the night. An internal FW will block scanning.
07-21-2022 10:29 PM
An internal firewall is recommended for this kind of scenario. If that is not possible, you have to use a proper VLAN architecture and do ACLs at each point where you need filtering, but that comes with high administrative overhead and complexity. You can also check a product like ISE with NAC features and use DACL-type features to automate some tasks.
07-22-2022 12:35 AM
Hello,
I recently got a little bit into SCADA/ICS security, and I think implementing any sort of layer 3 security can be very tricky, as you have to be very careful about what exactly you block, in order not to break the entire real-time calculation engine data flow of the plant/campus. That said, who is the historian/MES supplier (e.g. Maverick/Rockwell)?
07-22-2022 07:04 AM
Has anybody tried the OSPF route/LSA filtering feature to filter some "unwanted" routes in an L3 campus network (an L2 campus core network is kind of too complex)? If so, I may filter the specific other-area routes out of the type-3 LSAs. I guess that may work for this scenario but want to confirm that with the community. Any comments? Thanks again,
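The type-3 LSA filtering asked about above, as an added example that is not part of the thread and not Cisco code: an ABR-style filter that admits into an area only the inter-area prefixes on a permit list (implicit deny, the behaviour of a prefix-list applied with `area <n> filter-list prefix <name> in` on IOS), followed by the longest-prefix-match lookup the routers inside the area then perform. The scenario, areas, prefixes and permit list are constructed for the demo. The second check is the caveat a design review should ask about: filtering a cell's summary LSA only stops forwarding while no covering route exists, so a default route injected into the area (a stub or NSSA default, for instance) brings the filtered subnet straight back. Route filtering also does nothing for hosts on the same VLAN below the L3 boundary.

```python
"""Type-3 (summary) LSA filtering at an ABR, and why a covering route matters.

Added example, not code from the thread: an ABR-style filter admits into an
area only the inter-area prefixes that match a permit list (implicit deny),
and the receiving router then forwards by longest-prefix match. A filtered
prefix is unreachable only while no covering route (a summary or a default)
remains. Areas, prefixes and the permit list are constructed for the demo.
"""
import ipaddress


def filter_type3(summaries, permit):
    """Return the summaries that pass an exact-match permit list (implicit deny)."""
    allowed = {ipaddress.ip_network(p) for p in permit}
    return [s for s in summaries if ipaddress.ip_network(s) in allowed]


def build_rib(local_prefixes, summaries, permit, default_route=False):
    """RIB of a router inside the filtered area: connected prefixes plus the
    inter-area prefixes the ABR let through, plus an optional default route
    (what a stub or NSSA area receives instead of full inter-area routes)."""
    rib = set(local_prefixes) | set(filter_type3(summaries, permit))
    if default_route:
        rib.add("0.0.0.0/0")
    return rib


def lookup(rib, host):
    """Longest-prefix match; None means the packet would be dropped."""
    addr = ipaddress.ip_address(host)
    best = None
    for p in rib:
        net = ipaddress.ip_network(p)
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return str(best) if best is not None else None


# Constructed scenario: Cell A is area 1; the ABR learns summaries for the
# shared-services subnet and for the other cells' subnets from area 0.
CELL_A_LOCAL = ["10.1.0.0/24"]
SUMMARIES_FROM_AREA0 = ["10.0.0.0/24", "10.2.0.0/24", "10.3.0.0/24"]
PERMIT_INTO_AREA1 = ["10.0.0.0/24"]      # only MES/Historian is allowed in


def cell_sees_only_shared():
    """True when a Cell-A router can route to shared services but not to Cell B."""
    rib = build_rib(CELL_A_LOCAL, SUMMARIES_FROM_AREA0, PERMIT_INTO_AREA1)
    return lookup(rib, "10.0.0.7") == "10.0.0.0/24" and lookup(rib, "10.2.0.5") is None


def default_route_reopens_path():
    """True when adding a default route makes the filtered Cell-B subnet
    reachable again via the ABR, even though its LSA is still filtered."""
    rib = build_rib(CELL_A_LOCAL, SUMMARIES_FROM_AREA0, PERMIT_INTO_AREA1, default_route=True)
    return lookup(rib, "10.2.0.5") == "0.0.0.0/0"


if __name__ == "__main__":
    print("cell sees only shared:", cell_sees_only_shared())            # True
    print("default route reopens path:", default_route_reopens_path())  # True
```

When comparing this with the VRF/route-target approach: both withhold routes rather than filter packets, but the OSPF filter is per-ABR and per-area, so every ABR's prefix-list has to be kept consistent, and any default or summary route that reaches the area silently undoes the filter, which is the case `default_route_reopens_path` exercises.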