hide IP address from network

[RyreInc]

Hi all, not sure if this is the best spot for this post, please let me know! The solution does not need to be a Cisco product.

I'm a Controls Engineer for an industrial machinery OEM which has a machine that uses 2 IP addresses (PLC and HMI) to communicate. These come into an unmanaged switch which also connects these devices to the plant network. The customer wants to see only one IP on their network though.

Initially we thought a managed switch would do the trick, but it looks like even if communication is prevented the blocked IP will still be visible to the network. Speaking with a technical expert from one of our vendors pointed us to a Hirschmann EAGLE One, which will work, but has a lot of features we will not utilize, and is pretty expensive.

Are there any other options out there to hide an IP address from one device (the network) while allowing communication with another device? A router with IP filtering or DMZ was mentioned in another forum (Eng-Tips).

An industrial, DIN-rail mountable solution is preferred, but I'm open to all suggestions.

Thanks!

 

[VinceWhirlwind]

I don't understand your requirement - if the interface isn't needed, just shut it down.
If the interface *is* needed, then "hiding" the IP address will break whichever system uses it.

Maybe if you explain the desired traffic flows for each of the IP addresses as well as the undesired traffic flows, I might be able to get my tiny brain around what is required...

 

[RyreInc]

Vince,

The goal is to have the two machine nodes visible to each other but only one visible to the plant network. So the first machine node should have uninhibited communication with both the second machine node and the plant network, while the second node should only be able to communicate with the first machine node.

 

[imbadatthis]

if i understand this correctly ..

machine A:
A1 --> allowed to talk to all .
A2 --> Only allowed to talk to B1

Machine B:

B1 --> Only allowed to talk to A2


if these assumptions are correct then :


private vlan A2 and B1 on the same Pvlan , with A2 being in promiscuous mode.

A1 --> on your regular network as is.

http://www.cisco.com/c/en/us/tech/l...ans-promiscuous-isolated-community/index.html

if assumptions are incorrect then fix them and im sure either vince or someone or I will come up with a solution for ya. ..

maybe


We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.

 

[VinceWhirlwind]

OK, I think it's simpler than what imbadatthis is saying:

Desired outcome:
A1 <--> A2
A1 <--> other LAN hosts
A2 x--x other LAN hosts

I see two ways of doing this:
1/ get on your "core" switch or router. Create a MAC-address access list and block A2's MAC address. Your existing hardware may or may not be able to do this.
2/ Simpler: Can A1 have a secondary IP address configured? Retain A1 IP address. Delete A2 IP address. Configure new IP addresses in a different as-yet-unused subnet on both devices (so A1 has a 2nd IP address). They will then see each other via the existing unmanaged switch, but A2's IP address will not be visible or reachable from the rest of the network due to the rest of the network's subnet mask configurations.

 

[rednx]

If I'm reading this correctly,,,

Machine A talks to Machine B via two NIC's

But only NIC 1 on either machine should be seen on the network.

If Machines A & B on NIC 2 don't need to talk to any other Machines on the network, (1) install a cross over cable between them. (2) Otherwise replace the switch with a managed switch and set up a VLAN with two ports one for each machine for NIC 2, this VLAN will not be seen by the other computers.

Hope this helps

 

[VinceWhirlwind]

Where do you see 4 NICs in this story?
I see only 2 IP addresses, which are probably each on their own NIC, so 2 NICs total.