
3.1 IP Addressing and Subnetting

Chapter 2 covered VLANs — how to segment a network at Layer 2. Devices in different VLANs communicate only through a router. For a router to forward traffic between VLANs, every device needs an IP address and every subnet needs a plan. This section covers IPv4 addressing and subnetting — the foundation of Layer 3 communication.

Early network addressing schemes assigned flat addresses with no structure. Every router stored a route to every individual host. As networks grew, routing tables became unmanageable.

IPv4 solves the scalability issue with a hierarchical address structure. The address has 2 parts: a network portion and a host portion. Routers store routes to networks only, not to individual hosts. A router serving 254 hosts in 192.168.10.0/24 stores 1 route entry instead of 254.

The subnet mask defines the boundary between the network and host portions. The same address space divides into subnets of different sizes, matching the device count in each segment. CIDR notation expresses the boundary.

An IPv4 address is a 32-bit number written as 4 decimal octets: 192.168.10.50.

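| Octet | Decimal | Binary   | Role in /24 |
|-------|---------|----------|-------------|
| 1     | 192     | 11000000 | Network     |
| 2     | 168     | 10101000 | Network     |
| 3     | 10      | 00001010 | Network     |
| 4     | 50      | 00110010 | Host        |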

CIDR (Classless Inter-Domain Routing) notation appends the prefix length: 192.168.10.0/24. The /24 means the first 24 bits identify the network.

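| CIDR | Subnet Mask     | Usable Hosts | Typical Use                |
|------|-----------------|--------------|----------------------------|
| /24  | 255.255.255.0   | 254          | Standard cell network      |
| /25  | 255.255.255.128 | 126          | Split cell                 |
| /26  | 255.255.255.192 | 62           | Small segment              |
| /28  | 255.255.255.240 | 14           | Very small segment         |
| /30  | 255.255.255.252 | 2            | Point-to-point router link |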

Usable hosts = 2^(host bits) minus 2. The 2 subtracted addresses are the network address (all host bits = 0) and the broadcast address (all host bits = 1). With the addressing structure understood, the next step is to plan address allocation across an industrial network.
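The sizing rule above, applied to a whole address block: the following added example (not code from the original page) picks the smallest subnet that fits each segment's device count and packs the subnets into one block without overlap. The segment names, device counts, and the function names `prefix_for_hosts` and `allocate` are assumptions made for illustration; the code handles IPv4 only.

```python
import ipaddress


def prefix_for_hosts(devices: int) -> int:
    """Longest prefix whose usable hosts (2^host_bits - 2) cover `devices`."""
    if devices < 1:
        raise ValueError("a segment needs at least one device")
    host_bits = 2  # /30 is the smallest subnet with usable addresses
    while 2 ** host_bits - 2 < devices:
        host_bits += 1
    return 32 - host_bits


def allocate(block: str, segments: dict[str, int]) -> dict[str, ipaddress.IPv4Network]:
    """Carve `block` into one non-overlapping subnet per segment."""
    parent = ipaddress.ip_network(block)
    cursor = int(parent.network_address)
    last = int(parent.broadcast_address)
    plan = {}
    # Largest segment first, so smaller subnets pack behind it without gaps.
    for name, devices in sorted(segments.items(), key=lambda kv: -kv[1]):
        prefix = prefix_for_hosts(devices)
        size = 2 ** (32 - prefix)
        start = -(-cursor // size) * size  # round up to the subnet's own boundary
        if start + size - 1 > last:
            raise ValueError(f"{block} has no room for {name} ({devices} devices)")
        plan[name] = ipaddress.ip_network((start, prefix))
        cursor = start + size
    return plan


# Constructed sample input: device counts per segment of one production cell.
SEGMENTS = {"uplink": 2, "cell-A": 50, "drives": 10, "cell-B": 20}

if __name__ == "__main__":
    for name, net in allocate("10.10.1.0/24", SEGMENTS).items():
        print(f"{name:8} {str(net):16} mask {net.netmask}  usable {net.num_addresses - 2}")
```

A segment of 50 devices does not fit a /27 (30 usable hosts), so it receives a /26 (62 usable hosts); the remaining address space stays free for later growth.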

Assign static IP addresses to every OT device. Changing an IP address in a running OT network requires production downtime. Plan the address scheme before installation.

The default management address of a factory-fresh Hirschmann switch is 192.168.1.1/24. A well-designed address plan is only useful when validated before deployment.

Before deploying a new cell, verify that the planned IP addresses are in the correct subnet and that no 2 devices share an address. The following script validates an address plan against the subnet design. Run the script before any deployment:

```python
import ipaddress


def validate_plan(subnet: str, plan: dict[str, str]) -> list[str]:
    """Return a list of problems found in the address plan for one subnet."""
    network = ipaddress.ip_network(subnet, strict=False)
    issues = []
    seen: dict[str, str] = {}  # address -> device that claimed it
    for device, addr_str in plan.items():
        try:
            addr = ipaddress.ip_address(addr_str)
        except ValueError:
            issues.append(f"{device}: '{addr_str}' is not a valid IP address")
            continue
        # The address must belong to the planned subnet.
        if addr not in network:
            issues.append(f"{device}: {addr} is not in {subnet}")
        # No 2 devices may share an address.
        if addr_str in seen:
            issues.append(f"{device} and {seen[addr_str]} share address {addr}")
        seen[addr_str] = device
    return issues


plan = {
    "gateway": "10.10.1.1",
    "SW-MRM": "10.10.1.2",
    "PLC-1": "10.10.1.11",
    "PLC-2": "10.10.1.12",
    "HMI-1": "10.10.1.51",
    "wrong-host": "10.10.2.99",  # wrong subnet
}

issues = validate_plan("10.10.1.0/24", plan)
if issues:
    print("Address plan issues:")
    for issue in issues:
        print(f" {issue}")
else:
    print("Address plan is valid.")
```

Output:

```
Address plan issues:
 wrong-host: 10.10.2.99 is not in 10.10.1.0/24
```

A duplicate address found before deployment takes 30 seconds to fix. The same duplicate found during production causes an ARP conflict that is difficult to diagnose.

Plan addresses before deployment

Changing an IP address in a running OT network requires production downtime. Design the address scheme before installation and validate the scheme with the script above.

Use static IPs for every OT device

PLCs, switches, and I/O modules need static addresses. DHCP is acceptable only for maintenance laptops and mobile devices.

IP addressing identifies devices. The next section covers routing — how routers decide which path to use for each packet, and why the longest prefix match algorithm is the core of every routing decision.
