
3.1 IP Addressing and Subnetting

Chapter 2 covered VLANs — how to segment a network at Layer 2. Devices in different VLANs cannot communicate without a router. For a router to forward traffic between VLANs, every device needs an IP address and every subnet needs a plan. This section covers IPv4 addressing and subnetting — the foundation of Layer 3 communication.

Early network addressing schemes assigned flat addresses with no structure. Every router had to store a route to every individual host. As networks grew, routing tables became unmanageable.

IPv4 solves this with a hierarchical address structure. The address has two parts: a network portion and a host portion. Routers only need to store routes to networks, not to individual hosts. A router serving 254 hosts in 192.168.10.0/24 stores one route entry, not 254.

The subnet mask defines the boundary between the network and host portions. This allows the same address space to be divided into subnets of different sizes, matching the actual number of devices in each segment. The notation for expressing this boundary is CIDR.

An IPv4 address is a 32-bit number written as four decimal octets: 192.168.10.50.

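| Octet | Decimal | Binary   | Role in /24 |
|-------|---------|----------|-------------|
| 1     | 192     | 11000000 | Network     |
| 2     | 168     | 10101000 | Network     |
| 3     | 10      | 00001010 | Network     |
| 4     | 50      | 00110010 | Host        |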

CIDR (Classless Inter-Domain Routing) notation appends the prefix length: 192.168.10.0/24. The /24 means the first 24 bits identify the network.

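| CIDR | Subnet Mask     | Usable Hosts | Typical Use                |
|------|-----------------|--------------|----------------------------|
| /24  | 255.255.255.0   | 254          | Standard cell network      |
| /25  | 255.255.255.128 | 126          | Split cell                 |
| /26  | 255.255.255.192 | 62           | Small segment              |
| /28  | 255.255.255.240 | 14           | Very small segment         |
| /30  | 255.255.255.252 | 2            | Point-to-point router link |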

Usable hosts = 2^(host bits) minus 2. Subtract the network address (all host bits = 0) and the broadcast address (all host bits = 1). With the addressing structure understood, the next step is to plan how to allocate addresses across an industrial network.
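The usable-host formula and the prefix table above can be turned into an allocator that divides one block into subnets of different sizes. The following is an added example, not code from the original page; the function names, segment names, and device counts are hypothetical, and it handles IPv4 only.

```python
import ipaddress


def prefix_for_hosts(hosts: int) -> int:
    """Longest prefix whose usable count, 2^(host bits) - 2, covers `hosts`."""
    if hosts < 1:
        raise ValueError("a segment needs at least one host")
    host_bits = (hosts + 1).bit_length()  # smallest h with 2^h >= hosts + 2
    return 32 - host_bits


def allocate(parent: str, needs: dict[str, int]) -> dict[str, ipaddress.IPv4Network]:
    """Carve `parent` into one subnet per segment, largest segment first."""
    block = ipaddress.ip_network(parent)  # strict: rejects a parent with host bits set
    cursor = int(block.network_address)
    last = int(block.broadcast_address)
    result = {}
    for name, hosts in sorted(needs.items(), key=lambda kv: -kv[1]):
        prefix = prefix_for_hosts(hosts)
        size = 1 << (32 - prefix)
        start = -(-cursor // size) * size  # round up to the subnet's own boundary
        if start + size - 1 > last:
            raise ValueError(f"{name}: {hosts} hosts do not fit in {parent}")
        result[name] = ipaddress.ip_network((start, prefix))
        cursor = start + size
    return result


def describe(net: ipaddress.IPv4Network) -> str:
    """One-line summary: network, mask, usable range, usable host count."""
    first, last = net.network_address + 1, net.broadcast_address - 1
    return f"{net} mask {net.netmask} hosts {first}-{last} ({net.num_addresses - 2} usable)"


# Constructed sample: segment names and device counts are hypothetical.
SAMPLE_NEEDS = {"cell-A": 100, "cell-B": 50, "io-ring": 12, "router-link": 2}

if __name__ == "__main__":
    for name, net in allocate("10.10.1.0/24", SAMPLE_NEEDS).items():
        print(f"{name:12} {describe(net)}")
```

Allocating the largest segment first keeps every subnet aligned on its own size boundary without leaving gaps between them.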

Assign static IP addresses to all OT devices. Changing an IP address in a running OT network requires production downtime. Plan the address scheme before installation.

The default management address of a factory-fresh Hirschmann switch is 192.168.1.1/24. A well-designed address plan is only useful if it is validated before deployment.

Before deploying a new cell, verify that the planned IP addresses are in the correct subnet and that no two devices share an address. The following script validates an address plan against the subnet design. Run it before any deployment:

```python
import ipaddress


def validate_plan(subnet: str, plan: dict[str, str]) -> list[str]:
    """Return the problems found in an address plan (empty list if none)."""
    network = ipaddress.ip_network(subnet, strict=False)
    issues = []
    seen: dict[str, str] = {}  # address -> first device that claimed it
    for device, addr_str in plan.items():
        try:
            addr = ipaddress.ip_address(addr_str)
        except ValueError:
            issues.append(f"{device}: '{addr_str}' is not a valid IP address")
            continue
        # Check 1: the address must belong to the planned subnet.
        if addr not in network:
            issues.append(f"{device}: {addr} is not in {subnet}")
        # Check 2: no two devices may share an address.
        if addr_str in seen:
            issues.append(f"{device} and {seen[addr_str]} share address {addr}")
        seen[addr_str] = device
    return issues


plan = {
    "gateway": "10.10.1.1",
    "SW-MRM": "10.10.1.2",
    "PLC-1": "10.10.1.11",
    "PLC-2": "10.10.1.12",
    "HMI-1": "10.10.1.51",
    "wrong-host": "10.10.2.99",  # wrong subnet
}

issues = validate_plan("10.10.1.0/24", plan)
if issues:
    print("Address plan issues:")
    for issue in issues:
        print(f" {issue}")
else:
    print("Address plan is valid.")
```

Output:

```
Address plan issues:
 wrong-host: 10.10.2.99 is not in 10.10.1.0/24
```

A duplicate address found before deployment takes 30 seconds to fix. The same duplicate found during production causes an ARP conflict that is difficult to diagnose.

Plan addresses before deployment

Changing an IP address in a running OT network requires production downtime. Design the address scheme before installation and validate it with the script above.

Use static IPs for all OT devices

PLCs, switches, and I/O modules need static addresses. DHCP is acceptable only for maintenance laptops and mobile devices.

IP addressing identifies devices. The next section covers routing — how routers decide which path to use for each packet, and why the longest prefix match algorithm is the core of every routing decision.
