Control Network Newsletter


Cascading IP Routers for Additional Isolation

For increased security and isolation, IP routers can be cascaded. When cascading IP routers, make sure that each LAN-side subnet address is unique. The left-most IP router can have its WAN-side IP address assigned either by a DHCP client or by static IP address assignment.

[Figure: cascading IP routers]

The illustration shows a pair of EIGR routers, but the right-most router could also be some other type of router because the EIGR supports standard Internet protocols. A common use case for this application would be an already existing router/firewall in the business system, which would correspond to the right-most router in the image. If automation devices need to be added, they can form their own subnet behind the second router. The traffic of the automation devices is restricted to its own subnet behind the second IP router and doesn't burden the existing business or IT network with extra traffic. In case access to the automation network is needed to get any relevant statistics or production data, a port forwarding rule can be used to provide access. An additional port forwarding rule on the Internet-facing router/firewall can be configured to extend the access to the automation network over the Internet. IP routers have features, such as an Allowlist, that restrict access to specific originating IP addresses to provide additional security.
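A cascade plan can be checked before it is entered into the routers. The following is an added example, not code from the newsletter or from the EIGR: it verifies that LAN-side subnets are unique, that each downstream WAN address sits in the upstream LAN, and that every port forwarding rule has a narrow allowlist. The plan format, router names, addresses and ports are constructed assumptions, and static WAN addresses are assumed.

```python
import ipaddress

# Constructed sample plan, ordered from the Internet-facing router inward.
PLAN = [
    {"name": "business-router", "wan": "203.0.113.10", "lan": "192.168.1.0/24",
     "forwards": [{"port": 8443, "to": "192.168.1.2", "allow": ["198.51.100.7"]}]},
    {"name": "automation-router", "wan": "192.168.1.2", "lan": "192.168.92.0/24",
     "forwards": [{"port": 8443, "to": "192.168.92.20", "allow": ["192.168.1.0/24"]}]},
]

def check_cascade(plan):
    """Return a list of findings; an empty list means the plan passed."""
    findings = []
    lans = [ipaddress.ip_network(r["lan"]) for r in plan]
    for i, router in enumerate(plan):
        name = router["name"]
        # Each LAN-side subnet must be unique: no overlap with any other LAN.
        for j in range(i):
            if lans[i].overlaps(lans[j]):
                findings.append(
                    f"{name}: LAN {lans[i]} overlaps {plan[j]['name']} LAN {lans[j]}")
        # A downstream router's WAN address must belong to the upstream LAN.
        if i > 0 and ipaddress.ip_address(router["wan"]) not in lans[i - 1]:
            findings.append(
                f"{name}: WAN {router['wan']} is outside upstream LAN {lans[i - 1]}")
        for fwd in router["forwards"]:
            label = f"{name}: forward on port {fwd['port']}"
            # The forward target must be a host on this router's own LAN.
            if ipaddress.ip_address(fwd["to"]) not in lans[i]:
                findings.append(f"{label} targets {fwd['to']} outside LAN {lans[i]}")
            # A forward without an allowlist is reachable from any source.
            if not fwd["allow"]:
                findings.append(f"{label} has no allowlist")
            for src in fwd["allow"]:
                if ipaddress.ip_network(src, strict=False).prefixlen == 0:
                    findings.append(f"{label} allowlist entry {src} matches every source")
    return findings

if __name__ == "__main__":
    for finding in check_cascade(PLAN) or ["plan passed all checks"]:
        print(finding)
```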

This article focuses on an automation system, but the concept can be easily applied to a BACnet system to manage a BMS network. Learn more by watching our "Cascading the EIGR IP Router for Additional Isolation" video, or by visiting our EIGR IP Routers product page.

 
