DeLaval dairy network best practices

DeLaval dairy robots are a common use case with our clients. As is typical in the industry, DeLaval has traditionally provided a complete network segment that includes these devices and IP address assignments:

DeLaval typical setup (without adam:ONE)

  1. VMS for the robot itself (192.168.168.1 - statically assigned)
  2. The AMS/AMSSC controller (192.168.168.101 & alias to 192.168.168.102, statically assigned)
  3. DelPro server (main PC) (192.168.168.168 statically assigned)
  4. The camera(s) (192.168.168.x via DHCP)
  5. A layer 3 device, typically an EdgeRouter (192.168.168.250)
  6. Often an additional PC is used as well (192.168.168.x via DHCP)

The DNS is then assigned to be 192.168.168.1 or 192.168.168.102, depending on the version of the software. Without any network-level security access control, the above setup provides the DeLaval environment full functionality.

DeLaval optimal setup with adam:ONE

When adam:ONE is deployed, subscribers want layer 2 (MAC address) visibility at the edge of the network, in which case our managed services team will deploy VLAN168 and move layer 3 functionality to adam:ONE, while physically removing the EdgeRouter completely. The change from the typical setup is item 5:

  1. VMS for the robot itself (192.168.168.1 - statically assigned)
  2. The AMS/AMSSC controller (192.168.168.101 & alias to 192.168.168.102, statically assigned)
  3. DelPro server (main PC) (192.168.168.168 statically assigned)
  4. The camera(s) (192.168.168.x via DHCP)
  5. adam:ONE as the gateway at 192.168.168.250
  6. Often an additional PC is used as well (192.168.168.x via DHCP)

The DNS is then assigned to be 192.168.168.250 (and must be only that), no matter the software version. In order for internal DNS resolution to work while at the same time having Internet connectivity, the split DNS is achieved with a Forwarding rule like this:

vms.delaval.com 
vms_1.vms.delaval.com
amssc.vms.delaval.com
time01.delaval.com

The above domains are forwarded (their queries routed) to 192.168.168.102.

The rule on dashboard.adamnet.works looks like this:

And the rule must be enabled on the policy assigned to the Dairy devices like this:

Enabling www.google.com Connectivity Check

A recent update to the DeLaval system now requires that www.google.com be accessible from the DeLaval PC. In situations where access to Google services (mainly search) is blocked, a forwarding rule needs to be created and enabled for the Dairy policy (or whichever policy contains the DeLaval PC).

Then change the default browser search to DuckDuckGo and remove Google as an option from the list. This will prevent the user from being able to run a search query from the address bar on the browser.

Troubleshooting

  • To see how DNS is being resolved for vms.delaval.com, for example, just use the main DelPro server and navigate to http://mytools.management/log
  • If mytools.management doesn’t even launch, likely the network interface doesn’t have 192.168.168.250 specified as the only DNS server
  • If the log loads and the Answer column shows 127.0.0.1, the forwarding rule is pointing to 192.168.168.1 (and should be changed to 192.168.168.102)
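
The same checks can be scripted from the DelPro server. The following is an added example, not adam:ONE or DeLaval code: it sends an A query for each forwarded domain straight to 192.168.168.250 and applies the 127.0.0.1 rule from the list above. The function names and the "ok" / "no A record returned" outcomes are assumptions made for this example.

```python
import socket
import struct

GATEWAY = "192.168.168.250"  # adam:ONE gateway and only DNS server (from the page)
FORWARDED = ["vms.delaval.com", "vms_1.vms.delaval.com",
             "amssc.vms.delaval.com", "time01.delaval.com"]

def build_query(name, qid=0x1234):
    """Encode a recursive A/IN query for `name`."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return (struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
            + qname + b"\x00" + struct.pack(">HH", 1, 1))

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += msg[off] + 1
    return off + (2 if msg[off] else 1)

def parse_a_records(msg):
    """Return the IPv4 addresses in the answer section of a DNS response."""
    qd, an = struct.unpack(">HH", msg[4:8])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return ips

def verdict(ips):
    """Classify an answer list; "ok" only means a non-loopback A record came back."""
    if "127.0.0.1" in ips:
        return "rule points to 192.168.168.1; change it to 192.168.168.102"
    return "ok" if ips else "no A record returned"

def check(name, server=GATEWAY, timeout=2.0):
    """Query `server` directly over UDP/53 and classify the answer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return verdict(parse_a_records(s.recv(512)))

if __name__ == "__main__":
    for name in FORWARDED:
        try:
            print(name, "->", check(name))
        except OSError as exc:  # timeout or unreachable gateway
            print(name, "-> no reply from", GATEWAY, f"({exc})")
```

A timeout on every domain means the host cannot reach 192.168.168.250 on UDP/53, so check the interface's DNS setting first.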

About UPnP

Due to the nature of the UPnP security risks, this protocol is never enabled on adam:ONE managed environments.
