Control Engineer’s Guide to
IP ADDRESSING
As a control engineer, you see those 192.168.100.1 addresses all the time. They’re known as the “dotted decimal” address. When you buy an RTA gateway, such as an ASCII to PLC gateway, a Modbus to PROFIBUS gateway or any other one of our gateways, it needs to have an address. There are two ways a gateway can get that address, either it’s supplied by a device on your network that is a DHCP (Dynamic Host Configuration Protocol) server or it comes from you, the control engineer. It’s automatic with DHCP so the rest of this application note is going to focus on what you must know to supply that dotted decimal address.
There are four basic concepts critical to understanding IP Addressing on the plant floor: the terminology, what that Network Address actually means, what IT means by a “gateway” and what a subnet mask is. Let’s get started by understanding the terminology used in the IT world.
The Terminology
The descriptions the IT staff use can sometimes confuse those of us in industrial automation. We use clients and servers differently than the IT people do. In our world, we’re pretty much PLC-centric. The client is usually the PLC because it initiates the connection. The server is the end device on the link, the one who receives the connection from the PLC. Servers (called adapters in EtherNet/IP) are all our real-world interface devices: I/O blocks, motor drives, robots and the like. On the plant floor, we’ll always have many servers and fewer clients (PLCs). In the IT world, it’s usually the other way around and they use different terms. In their world, hosts are the computers on people’s desks. Those hosts make connections to servers both local (your local server with your engineering files on it) and remote (Amazon.com and ebay.com).
Unlike an automation system, the typical IT system has lots and lots of hosts. Every VOIP phone, laptop, desktop and mobile phone is a host. It has fewer local servers than an automation system, but an uncountable number out on the Internet.
The following figure demonstrates how IT networks compare to factory floor networks:
IT NETWORK
ETHERNET/IP NETWORK
The networks may look the same, and they are the same in many respects, but they operate differently. How IT is different than OT, a blog written by John S. Rinaldi, discusses the differences between IT and plant floor networks.
What a Network Address Means
In the early days of Ethernet, the designers didn’t know if there would be a lot of small networks with thousands of hosts or lots of large networks with a few hosts, so they designed an addressing scheme that would accommodate various numbers of hosts and networks. They divided the hosts and networks into address classes. The following table looks at the three common address classes that you might find on the factory floor:
| Class | 1st Octet | Leading Addr Bits | Num Network Bits | IP ADDRESSES | Typical Subnet Mask | Number Networks | Number of Hosts |
| A | 0-127 | 0 | 8 | 000.x.x.x to 127.xxx (00.x.x.x to 7F.x.x.x) | 255.0.0.0 (FF.00.00.00) | 128 | 16,777,214 |
| B | 128-191 | 10 | 16 | 128.000.x.x to 191.255.x.x.x (7F.FF.x.x to BF.FF.x.x) | 255.255.0.0 FF.FF.00.00 | 16,384 | 65,534 |
| C | 190-223 | 110 | 24 | 192.000.000.x to 223.255.255.x (C0.FF.FF.x to D0.FF.FF.x) | 255.255.255.0 (FF.FF.FF.00) | 16,777,216 | 254 |
Looking at this table, we immediately see that the number of networks and the number of hosts varies for each class. Class A is for very large networks with lots of hosts, Class B for a smaller number of networks with a significant number of hosts, and Class C is for a small number of hosts with a large number of networks. Class C is the only IP address class most of us will ever see on the factory floor.
Next, we see that it is the leading bits of the IP address that identify the address class. Class C is identified by the bits 110 as the first three leading bits of a Class C address. If you look at any class C address like 192.168.100.1, convert the first octet (192 in this case) to binary you can identify the network class. In this example, 192 is represented in hexadecimal as C0 and in binary as 1100 0000. The first three bits of that address are 110 so we know that is a Class C address. An easier way is to just remember that if you see an address with the leading octet between 192 and 223, you have a Class C address.
Continuing to look at the table above, you’ll note that the number of bits used to identify the network portion of the IP address changes from Class A to B to C. Class A uses 8 bits, Class B uses 16 bits and Class C uses a whopping 24 bits to identify the network. That explains why the number of networks increases, why the number of hosts decreases and why in Class C there are so many networks and so few addresses on each network.
You might wonder why, with 8 host bits in a class C address, you can only have 127 addresses instead of 128. You math geeks know that 28 is 128 not 127 and that, in fact, the number of hosts is one short in every address class. That’s because every .0 address is reserved and can’t be a host. You can’t use 192.168.100.0, for example. In fact, IT people commonly refer to a network using “.0” for the host bits. The address 192.168.100.0 refers to an entire Class C network while 192.168.0.0 refers to an entire Class B network. That becomes important in our next topic.
What’s That Gateway Address Thing
Knowing the number of network bits is very important to a device. Anytime it needs to send a message to another device, it must know if that device is in its local network (the PLC network) or on some other network (the quality app on the enterprise network, for example). The way it does that is by looking at just the network bits and ignoring the host bits.
Let’s look at an example. If a Class C device’s address network bits are 192.168.1.0 and the destination network bits are 192.168.100.0, then the device knows it must send the address to a device that knows where to find that 192.168.100.0 network. The destination for that message, the one that can start it on the way to that other network, is the address you fill in as the gateway address when you configure an Ethernet device. You must know that destination address when you configure a device.
That gateway address is usually the address of a router. Routers are the phone books for a network. They build tables of all the networks in your plant and when they get a message from a PLC or another device, they examine the destination address of that message. If the router finds that network in its tables, it sends the message to another router that is a step closer to that destination. That router does the same thing, until eventually, the message lands on a router containing that destination network. If the router can’t find a way to get your message to its network or if there are too many links through too many routers, your message will eventually be thrown away.
The gateway address you configure can also be a switch. There are switches with router capabilities, called Layer 3 switches. Layer 3 switches combine the capabilities of routers and switches. Layer 3 switches can route messages between networks connected on their ports.
Let’s review the previous example, now using a Layer 3 switch. Both devices, a device using address 192.168.1.1 and a device using address 192.168.100.1 (two different networks) are both connected to a Layer 3 switch. Now, the gateway addresses in those devices point at the Layer 3 switch instead of the router. So, when 192.168.1.1 wants to send a message to 192.168.100.1, it sends that message to the Layer 3 switch who routes that message to the port connected to the device with the 192.168.100.1 address. If it didn’t find the address on any of its ports, its gateway would be the next router or Layer 3 switch above it, and it would send the message there for routing.
The gateway address is simply the device that figures out where the network is located that has the destination device in the message.
THE MYSTERIOUS WORLD OF THE SUBNET MASK
Many control engineers find it difficult to understand the subnet mask, but rest assured, it’s not that hard. All the subnet mask does is provide an easy way for the device to determine if a device is on its own network or on some other possibly far flung network. If the device is on its own network, it can send the Ethernet frame to a switch, which will deliver it to another port on that same switch, or a port that is connected to the destination device. If it’s on a network somewhere else in the plant or on the network, it must send it to a device (a gateway) that knows how to route it to that far away device.
The components in this process were described in the last section. In this section, we are going to describe exactly how a device uses the subnet mask in a simple two-step process, to determine if a message should be sent directly to the destination or to the gateway where it can be forwarded to the destination.
The first step is to use a binary AND operation to both the sender’s IP address and the destination IP address with the subnet mask. The subnet mask “masks” off a portion of each address that is the network address. On the factory floor, you will usually have a subnet mask of 255.255.255.0 which is 24 bits of ones followed by 8 bits of zeros. So, the results of an AND operation between a source address like 192.168.100.10 and 255.255.255.0 is 192.168.100.0. The result of an AND operation between a destination address like 192.168.100.5 with 255.255.255.0 is also 192.168.100.0. That’s easy, right?
We can tell by looking at those two results (both 192.168.100.0) that they are the same, but computers don’t do it by eyeing them up. They use an XOR (exclusive OR) operation to check if they are the same. Our second step is to XOR every bit of the source network (192.168.100.0) with every bit of the destination network (192.168.100.0).
In an XOR operation, a result is a one only if exactly one of the two bits is a one. If we XOR two identical network addresses together (192.168.100.0), bit by bit, all the bit pairs are either both zeros or both ones. In either case, every result is a zero and the result of the XOR is 000.000.000.000. A result of all zeros means that the destination address is on our local network. The destination is on our local network and we can use that destination address as the destination and not the gateway address as the destination. Easy, right?
Here’s two examples for you to examine. In both examples, messages originate from address 192.168.2.1. In the first example, the destination is a local network. In the second example, the destination is a non-local network.
Example 1 – Sending a Message to a Device on the Local Network
| 1 | Source IP Address (Class C): | 192.168.2.1 (C0 A8 02 01 in hex) |
| 2 | Destination IP Address (Class C): | 192.168.2.10 (C0 A8 02 0A in hex) |
| 3 | Class C Subnet Mask: | 255.255.255.0 (FF FF FF 00 in hex) |
In these first three lines, we’ve just listed the source and destination of our message and our subnet mask.
| 4 | Source IP Address in Binary: | 1100 0000 . 1010 1000 . 0000 0010 . 0000 0001 |
| 5 | Subnet Mask in Binary: | 1111 1111 . 1111 1111 . .1111 1111 . 0000 0000 |
| 6 | AND Operation: | 1100 0000 . 1010 1000 . 0000 0010 . 0000 0000 |
| 7 | Result of Source AND Operation: | 192.168.2.0 (C0 A8 02 00 in hex) |
Our next step is to do a bit by bit AND of the source address with the subnet mask. The result of that AND, identifies the network address. The source of the message is on the 192.168.2.0 network.
| 8 | Destination IP Address in Binary: | 1100 0000 . 1010 1000 . 0000 0010 . 0000 1010 |
| 9 | Subnet Mask in Binary: | 1111 1111 . 1111 1111 . .1111 1111 . 0000 0000 |
| 10 | AND Operation: | 1100 0000 . 1010 1000 . 0000 0010 . 0000 0000 |
| 11 | Result of Source AND Operation: | 192.168.2.0 (C0 A8 02 00 in hex) |
Now we do the same bit by bit AND of the destination address with the subnet mask. The result of that AND, identifies the network address. The destination address is on the 192.168.2.0 network.
| 12 | Source Addr after Subnet Mask AND: | 1100 0000 . 1010 1000 . 0000 0010 . 0000 0000 |
| 13 | Dest Addr after Subnet Mask AND: | 1100 0000 . 1010 1000 . 0000 0010 . 0000 0000 |
| 14 | Result of XOR: | 0000 0000 . 0000 0000 . 0000 0000 . 0000 0000 |
Finally, we exclusive XOR those two results. Remember, in an XOR, two 1s or two 0s result in a zero. When we do that, the result is all 0s and we know that the two addresses are on the same network.
Example 2 – Sending a Message to a Device on a Different Network
| 1 | Source IP Address (Class C): | 192.168.2.1 (C0 A8 02 01 in hex) |
| 2 | Destination IP Address (Class C): | 10.100.3.20 (0A 64 03 14 in hex) |
| 3 | Class C Subnet Mask: | 255.255.255.0 (FF FF FF 00 in hex) |
In these first three lines, we’ve just listed the source and destination of our message and our subnet mask.
| 4 | Source IP Address in Binary: | 1100 0000 . 1010 1000 . 0000 0010 . 0000 0001 |
| 5 | Subnet Mask in Binary: | 1111 1111 . 1111 1111 . .1111 1111 . 0000 0000 |
| 6 | AND Operation: | 1100 0000 . 1010 1000 . 0000 0010 . 0000 0000 |
| 7 | Result of Source AND Operation: | 192.168.2.0 (C0 A8 02 00 in hex) |
Our next step is to do a bit by bit AND of the source address with the subnet mask. The result of that AND, identifies the network address. The source of the message is on the 192.168.2.0 network.
| 8 | Destination IP Address in Binary: | 0000 1010 . 0110 1000 . 0000 0011 . 0001 0100 |
| 9 | Subnet Mask in Binary: | 1111 1111 . 1111 1111 . .1111 1111 . 0000 0000 |
| 10 | AND Operation: | 0000 1010 . 0110 1000 . 0000 0011 . 0000 0000 |
| 11 | Result of Destination AND Operation: | 10.100.03.00 (0A 64 03 00 in hex) |
Now we do the same bit by bit AND of the destination address with the subnet mask. The result of that AND, identifies the network address. The destination address is on the 10.100.3.0 network.
| 12 | Source Addr after Subnet Mask AND: | 1100 0000 . 1010 1000 . 0000 0010 . 0000 0000 |
| 13 | Dest Addr after Subnet Mask AND: | 0000 1010 . 0110 1000 . 0000 0011 . 0000 0000 |
| 14 | Result of XOR: | 1100 1010 . 1100 0000 . 0000 0001 . 0000 0000 |
Finally, we XOR those two results. Remember, in an XOR, two 1s or two 0s result in a zero. When we do that, the result is not all 0s as it was in the previous example. We have determined that the destination is on a remote network and the message must be sent to the gateway address and not directly to the destination.
Advanced Operation of the Subnet Mask
Now, the bad news. Unfortunately, everything isn’t always as straightforward as that. Sometimes, a network may need to be slightly bigger than 254 devices and doesn’t fit the standard Class C address. Say, for example, you needed a 300-device network. Now what do you do?
The answer is to expand the host portion of the network by one more bit. The number of network bits decreases to 23 (still 8,388,608 networks) and the number of host bits increases to 9 (511 hosts). Everything works the same as before, but the subnet mask is now formed with 23 1’s, 255.255.254
(FF.FF.FE)1, instead of 24 1’s. A device identifies if a new destination is on its local network or on a remote network in exactly the same way as shown earlier.
This is so common, there is a short form of identifying networks with extra host bits. A slash with the number of network bits is added to the end of an address. A normal Class C network is identified as 192.168.2.5/24 indicating 24 network bits and 8 host bits. The example from the previous paragraph would be identified as 192.168.2.5/23 indicating 23 network bits and 9 host bits. You can form networks with many more hosts if you like but most plant floor networks don’t usually exceed even 100 end devices.
