Often with CNC communication products, including CIMCO DNC-Max server, the server hosting the software resides on a single network. Some companies and government agencies have requirements that don’t allow their CNC controls to be accessible on their main networks. This is actually a smart policy: you might have read about the SIEMENS vulnerability or other high-profile hacks of networks using assorted devices, such as credit card terminals, connected to corporate networks. If you wish to better isolate our system but still need access to another network, you can accomplish this by implementing two networks with your CIMCO/DNC communications server participating on both, allowing the shop floor network to be completely isolated.
In Ethernet LANs, dual-homing is a network topology whereby a networked device is built with more than one network interface. -Wikipedia
In our example the DNC Max server resides on a machine that participates on two distinct networks. Both interfaces are active at all times, but the machine does not allow traffic to pass between them. This allows the server to be backed up and managed the way all other assets are, while isolating the CNC controls that are connected to it and preventing them from accessing or being accessed by any other computers or devices on your network. The communications components of DNC Max server will only be accessed from the private CNC network, while the client portion can be accessed on the rest of the network. This exposes only the mission-critical components of the CIMCO software: your programmers can store and send files to the DNC-Max server, while the CNC network can only send to and receive from DNC-Max and nothing else.
This is an overview of the concept of a multi-homed DNC Max installation. With some basic understanding of TCP/IP networks and the installation guide available in the CIMCO documentation, you should have most of what you need to plan the installation. If you have questions about your specific environment, you can contact us or leave them in the comments at the bottom of this article. As always, it is best to consider professional installation if any of this is foreign to you. Here is a diagram demonstrating the concept addressed in this article:
Planning your Dual Homed DNC Max Install
There are three unique steps (items 1-3) that a dual-homed DNC-Max install requires before downloading and installing CIMCO DNC Max on your soon-to-be dual-homed CNC communications server. There is also one special consideration during the installation process (item 4).
1. Determine an unused IP address subnet for the private CNC LAN.
2. Install a second network card (if not already present) and a network to all the devices on the private LAN.
3. File management considerations.
4. DNC-Max installation considerations.
5. Firewall considerations – for extra credit
Choosing an IP Address Subnet
The most critical issue when choosing this subnet is to make sure it is a private address range that is not already in use anywhere on the larger main network. In larger organizations you will probably have to request this from your IT or network group, as they will know which address ranges are in use. Without turning this into a network tutorial: network routers and firewalls can be configured to access a number of different private and public networks. If the IP address range you choose exists somewhere else on your network, it is likely to cause problems for the DNC Max Server machine accessing valid resources on the existing network. The list of private networks is defined in RFC 1918. In our example we’ll be using 10.0.1.0/24 for the private CNC network, and we’ll pretend that the main network is 192.168.122.0/24. Here is a list of all the private ranges that are allocated (source: Wikipedia):
You will assign one of these addresses to your private network adapter on the DNC Max Server; in our example we’ve chosen 10.0.1.1. Each CNC control and network device (such as Moxa Nport devices) with an Ethernet port will be assigned a unique address on that subnet. It is a good idea to store all of this information in a spreadsheet or Google Doc for later reference.
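The subnet check described above can be scripted before any address is assigned. This is an added example, not part of the original article or of CIMCO's tooling; the function names and the `$InUse` list are constructed for illustration and should be replaced with the ranges your network group reports.

```powershell
# Added example: is a candidate CNC subnet private (RFC 1918) and free of overlaps?
function ConvertTo-IPv4Range {
    param([Parameter(Mandatory)][string]$Cidr)
    $addr, $len = $Cidr -split '/'
    $bytes = [System.Net.IPAddress]::Parse($addr).GetAddressBytes()
    if ([System.BitConverter]::IsLittleEndian) { [array]::Reverse($bytes) }
    $ip    = [long][System.BitConverter]::ToUInt32($bytes, 0)
    $size  = [long][math]::Pow(2, 32 - [int]$len)
    $start = $ip - ($ip % $size)                      # clear the host bits
    [pscustomobject]@{ Cidr = $Cidr; Start = $start; End = $start + $size - 1 }
}

function Test-CncSubnet {
    param([Parameter(Mandatory)][string]$Candidate, [string[]]$InUse = @())
    $c = ConvertTo-IPv4Range $Candidate
    # The three private blocks defined by RFC 1918.
    $rfc1918 = '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16' |
        ForEach-Object { ConvertTo-IPv4Range $_ }
    $private = [bool]($rfc1918 |
        Where-Object { $c.Start -ge $_.Start -and $c.End -le $_.End })
    # Two ranges overlap when each one starts before the other ends.
    $clashes = @($InUse | ForEach-Object { ConvertTo-IPv4Range $_ } |
        Where-Object { $c.Start -le $_.End -and $_.Start -le $c.End })
    [pscustomobject]@{
        Candidate = $Candidate
        IsPrivate = $private
        Overlaps  = $clashes.Cidr
        Usable    = $private -and $clashes.Count -eq 0
    }
}

# Constructed sample data: ranges already routed somewhere on the main network.
$InUse = '192.168.122.0/24', '10.0.0.0/22', '172.16.40.0/24'

Test-CncSubnet -Candidate '10.0.1.0/24' -InUse $InUse   # falls inside 10.0.0.0/22
Test-CncSubnet -Candidate '10.0.8.0/24' -InUse $InUse   # private, no overlap
```

With this constructed list the article's example subnet is rejected because a wider range already covers it, which is the case a quick look at /24 boundaries tends to miss.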
Creating the Private Network
You will need to install a second network card on the machine acting as the DNC Max Server. Configure this network card for TCP/IP, and be sure to leave the default gateway completely blank when configuring the settings. In our example the settings would look like this for the Private network adapter:
In addition to the network card, an isolated network will need to be in place. Isolated means completely separated from the Main LAN and only connected to the Ethernet-based CNC controls, Moxa Nport or similar Ethernet-to-serial adapters, and the “new” second network card on the server. This network requires Cat5 or above network cabling and an appropriately matched switch with enough ports to connect all the devices to the private LAN. If you are unsure how to do this and don’t have the resources in-house, it’s probably a good idea to hire a company that has experience installing Ethernet cabling in an industrial environment.
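The adapter settings and the "no traffic passes between the two networks" property can be applied and then checked from an elevated PowerShell session. This is an added example, not taken from the article or the CIMCO documentation; the adapter names `CNC-Private` and `Main-LAN` and the function name are assumptions, and the address is the article's example value.

```powershell
# Added example. Adapter names are assumed; rename to match your server.
$cnc  = 'CNC-Private'   # the second (private) adapter
$main = 'Main-LAN'      # the existing adapter on the main network

# Static address on the private adapter. -DefaultGateway is deliberately
# omitted so the server has no route off the CNC subnet through this card.
New-NetIPAddress -InterfaceAlias $cnc -AddressFamily IPv4 `
    -IPAddress 10.0.1.1 -PrefixLength 24

# Dual-homed, not a router: keep IP forwarding off on both interfaces.
Set-NetIPInterface -InterfaceAlias $cnc, $main -AddressFamily IPv4 -Forwarding Disabled

function Test-DualHomedIsolation {
    param([string]$CncAlias, [string]$MainAlias)
    $problems = @()

    # A default route on the private adapter means a gateway was filled in.
    $gw = Get-NetRoute -InterfaceAlias $CncAlias -DestinationPrefix '0.0.0.0/0' `
        -ErrorAction SilentlyContinue
    foreach ($r in $gw) { $problems += "Default route via $($r.NextHop) on $CncAlias" }

    # Forwarding on either interface would let packets cross between networks.
    $ifs = Get-NetIPInterface -InterfaceAlias $CncAlias, $MainAlias -AddressFamily IPv4
    foreach ($i in $ifs) {
        if ($i.Forwarding -eq 'Enabled') {
            $problems += "IP forwarding enabled on $($i.InterfaceAlias)"
        }
    }

    # Routing and Remote Access or Internet Connection Sharing would also bridge them.
    $svc = Get-Service -Name RemoteAccess, SharedAccess -ErrorAction SilentlyContinue
    foreach ($s in $svc) {
        if ($s.Status -eq 'Running') { $problems += "Service $($s.Name) is running" }
    }

    [pscustomobject]@{ Isolated = ($problems.Count -eq 0); Problems = $problems }
}

Test-DualHomedIsolation -CncAlias $cnc -MainAlias $main
```

Re-running `Test-DualHomedIsolation` after driver updates or adapter replacement catches a gateway or forwarding setting that was silently reintroduced.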
File Management Considerations
All of the files required to run your programs on your CNC Machines will need to be accessible on the dual-homed DNC Max Server. You will want to take appropriate steps to ensure that this server is backed up sufficiently to protect those files. This is an area where a little careful planning can go a long way. If you traditionally stored the files elsewhere on the network, you may require some additional steps to relocate or mirror the files to the Dual-Homed server. This could represent an opportunity because you could make it so only known good programs are stored on the dual-homed DNC Max server and completely isolate any files that are not approved for production. If you require more control over your files than Windows permissions allow you should also consider Manufacturing Data Management or CIMCO NC-Base as alternatives to gain much more control over those digital assets.
DNC Max Server Installation Considerations
Once the prerequisite steps are all complete, you will be ready to install DNC Max server. This should be done by, or with careful guidance from, a qualified CIMCO reseller or installer. There is one setting under Server Configuration/Network Settings where the IP address of the Private LAN interface will need to be entered:
With the noted exceptions, the rest of the DNC-Max installation and configuration will be handled normally. We hope that this guide is useful to you; if you are looking to isolate your CNC network, we believe the information will be helpful. There are other ways to manage network traffic, including VLANs, static routes and firewall rules. This article is provided purely for informational purposes. Please consult a professional for assistance. If you like, we have a network of dealers and installers ready to help you with your DNC Max Server installation.
Firewall Considerations – Extra Credit
One area where you can further limit access is within Windows Firewall on the DNC Max server. For example, a typical practice might be to give DNC-Max client port access to only the main network interface, while limiting the private CNC network access to just the DNC Max server and other required ports for devices such as the Moxa N-Port device.
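One way to express that scoping in Windows Firewall is sketched below. This is an added example, not the article's or CIMCO's configuration; the function name, rule names and adapter names are assumptions, the subnets are the article's example values, and the port numbers are parameters because the article does not list them.

```powershell
# Added example: bind each allow rule to one interface and one source subnet.
function Set-DncFirewallScope {
    param(
        # Port(s) the DNC-Max client uses; take these from your installation.
        [Parameter(Mandatory)][int[]]$ClientPorts,
        # Port(s) the CNC controls and serial device servers use toward the server.
        [Parameter(Mandatory)][int[]]$CncPorts,
        [string]$MainAlias  = 'Main-LAN',          # assumed adapter name
        [string]$MainSubnet = '192.168.122.0/24',  # article's example main network
        [string]$CncAlias   = 'CNC-Private',       # assumed adapter name
        [string]$CncSubnet  = '10.0.1.0/24'        # article's example CNC network
    )
    $group = 'DNC-Max dual-homed'

    # Interface-scoped allow rules only mean something if unmatched inbound
    # traffic is dropped.
    Set-NetFirewallProfile -Profile Domain, Private, Public `
        -Enabled True -DefaultInboundAction Block

    # Client access: main network interface only.
    New-NetFirewallRule -DisplayName 'DNC-Max client (main LAN only)' -Group $group `
        -Direction Inbound -Action Allow -Protocol TCP -LocalPort $ClientPorts `
        -InterfaceAlias $MainAlias -RemoteAddress $MainSubnet

    # Machine communications: private CNC interface only.
    New-NetFirewallRule -DisplayName 'DNC-Max CNC comms (private LAN only)' -Group $group `
        -Direction Inbound -Action Allow -Protocol TCP -LocalPort $CncPorts `
        -InterfaceAlias $CncAlias -RemoteAddress $CncSubnet

    # Return what was created so it can be reviewed or removed as a group.
    Get-NetFirewallRule -Group $group
}
```

Windows Firewall allow rules are additive, so a broader rule that already exists (for example one created for the server executable on all interfaces) still applies until it is disabled or narrowed.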