Thanks HB_Guy. Using a managed switch to create 2 virtual networks that are separated does appear to be the best way to go.
Also, thanks for the tutorial on how to do it. I was planning on using the port-based solution if I can figure out how to do it, something like this:
Port 1: Do-More port - can talk to all ports.
Port 2: Plant LAN port - can only talk to Port 1.
Port 3+: Expansion ports - can not talk to Port 2.
You will need a managed switch that can do VLAN routing. In this scenario, you will need 3 VLANs.
You will have to have different IP subnets on each VLAN, i.e. VLAN1 = 192.168.1.x/255.255.255.0, VLAN100 = 192.168.100.x/255.255.255.0, VLAN101 = 192.168.101.x/255.255.255.0.
Port 1 will be VLAN 1 (the management VLAN). Connect this to the production LAN. (It will need an IP address; let's use 192.168.1.254 for this example.)
Port 2 will be the PLC VLAN (VLAN 100). (It will need an IP address; let's use 192.168.100.254 for this example.)
Ports 3-XX will be the Expansion VLAN (VLAN 101). (It will need an IP address; let's use 192.168.101.254 for this example.)
The switch will then need to be configured with routing tables for all VLANs.
Then you will have the issue of routing on the rest of the network, i.e. if you are sitting at your desk in the office, you will not be able to connect to the PLC or EXPANSION VLANs because you are on the "Production" network, and your default gateway does not know about these other subnets/VLANs.
To resolve this, you will have to have a route entered into the default gateway for the "Production" network pointing to the IP address of the switch. (i.e. route 192.168.100.x can be found at 192.168.1.254. Do this for both VLANs.)
It may be simpler to have only 2 VLANs. Production/Management (VLAN1) and PLC NET (VLAN101).
In VLAN100, only the PLC would be configured with a default gateway (192.168.100.254 in the example above). All expansion bases would not have a default gateway configured and would not be able to talk to anything outside of their VLAN.
Then only 1 route needs to be added to the company router/default gateway.
(Additionally, you could forgo the route added to the company router and just have a static route set up on your workstation. This would prevent anyone else on the network from connecting to the PLC VLAN, as there is no route to it...)
Just a few thoughts. Hope they help.
If you need more help, you can email me at levon _at_ shiftcs _dot_ com
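A quick way to sanity-check the two-VLAN design described in the post above before touching the switch: the following is an added Python model (not code from this thread, the switch vendor, or any real site) that treats each node's connected subnets, static routes and default gateway as its routing table and asks whether both directions of a conversation are routable. The subnets and gateway addresses are the post's examples; the node names and host addresses are made up for the model.

```python
import ipaddress as ipa

# Constructed topology for the two-VLAN design: the managed switch routes
# between VLAN1 (192.168.1.0/24) and the PLC VLAN (192.168.100.0/24); the
# company router is the Production LAN's default gateway. Each node is
# (interfaces, default gateway or None, static routes {prefix: next hop}).
def build(route_holder):
    """route_holder names the node that carries the static route
    192.168.100.0/24 -> 192.168.1.254: the company router (post's first
    option) or a single workstation (post's alternative)."""
    nodes = {
        "switch": (["192.168.1.254/24", "192.168.100.254/24"], None, {}),
        "company_rtr": (["192.168.1.1/24"], None, {}),
        "workstation": (["192.168.1.10/24"], "192.168.1.1", {}),
        "colleague": (["192.168.1.11/24"], "192.168.1.1", {}),
        "plc": (["192.168.100.10/24"], "192.168.100.254", {}),
        "expansion": (["192.168.100.20/24"], None, {}),  # no default gateway
    }
    nodes[route_holder][2]["192.168.100.0/24"] = "192.168.1.254"
    return nodes

def owner(nodes, ip):
    """Return the node that owns interface address `ip` (to follow next hops)."""
    for name, (ifaces, _, _) in nodes.items():
        if any(ipa.ip_interface(i).ip == ip for i in ifaces):
            return name
    raise KeyError(f"no node owns {ip}")

def forwards(nodes, name, dst, ttl=8):
    """True if `name` can deliver a packet to dst: directly connected,
    via a matching static route, or via its default gateway."""
    ifaces, gw, routes = nodes[name]
    if ttl == 0:
        return False
    if any(dst in ipa.ip_interface(i).network for i in ifaces):
        return True
    for prefix, nexthop in routes.items():
        if dst in ipa.ip_network(prefix):
            return forwards(nodes, owner(nodes, ipa.ip_address(nexthop)), dst, ttl - 1)
    if gw is None:
        return False
    return forwards(nodes, owner(nodes, ipa.ip_address(gw)), dst, ttl - 1)

def can_talk(nodes, a, b):
    """A session needs both directions: a reaches b and b can route the reply."""
    ip_a = ipa.ip_interface(nodes[a][0][0]).ip
    ip_b = ipa.ip_interface(nodes[b][0][0]).ip
    return forwards(nodes, a, ip_b) and forwards(nodes, b, ip_a)

if __name__ == "__main__":
    pairs = [("workstation", "plc"), ("colleague", "plc"),
             ("workstation", "expansion"), ("plc", "expansion")]
    for holder in ("company_rtr", "workstation"):
        n = build(holder)
        print(holder, {p: can_talk(n, *p) for p in pairs})
```

The model checks routing only, not switch ACLs: a gateway-less expansion base still receives packets the switch routes into its VLAN, it just cannot answer them, so treat the missing gateway as a convenience, not a security boundary.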