Annex A — Per-Network Address Allocations and Services-Server Mappings
Referenced by MSA § 4.4. One row per Manufacturing Operations network. Schema below; example registry follows.
Schema
Each Manufacturing Operations network registers:
| Field | Required | Notes |
|---|
| Network ID | yes | Short slug, used everywhere else (e.g. paint-1, conveyance-main) |
| Department owner | yes | Human-readable department name (Paint, Conveyance, Machining, etc.) |
| Network steward | yes | Named individual responsible for this network’s config |
| Controller subnet | yes | 172.x.0.0/16 — horizontal, controller-to-controller |
| IO subnet(s) | optional | 192.168.x.0/24 — vertical, controller-to-IO. One per IO-link master or controller as needed |
| Router / gateway address | yes | Always .1 of controller subnet (per MSA § 4.4) |
| Services server address | yes | Always .2 of controller subnet (per MSA § 4.4) |
| Services hosted | yes | Subset of: DNS, DHCP, NTP, SNMP, syslog, event broker |
| Boundary firewall mgmt IP | yes | Inside controller subnet; admin from MO side only |
| IT-side downlink port | yes | Physical port on IT layer-3 switch terminating this MO network |
| Authorized external DNS records | optional | Records in this MO zone that may be resolved by IT — fill from § 6.1 |
| Authorized external event topics | optional | Event-broker topics IT may subscribe to — fill from § 6.1 |
| Production schedule feed endpoint | yes | URL or topic where IT pulls the schedule (per MSA § 2.6) |
Example registry (illustrative — automotive plant per Gary’s framing)
paint-1 — Paint Operations Department
| Field | Value |
|---|
| Department owner | Paint Operations |
| Network steward | TBD |
| Controller subnet | 172.21.0.0/16 |
| IO subnets | 192.168.21.0/24 (agitator IO-link master A), 192.168.22.0/24 (agitator IO-link master B), 192.168.23.0/24 (agitator IO-link master C) |
| Router / gateway | 172.21.0.1 |
| Services server | 172.21.0.2 |
| Services hosted | DNS, DHCP, NTP, SNMP, syslog, event broker |
| Boundary firewall mgmt | 172.21.0.3 |
| IT-side downlink port | it-l3-core/eth1/14 |
| Authorized external DNS | *.paint-1.mo.plant.local — A records only |
| Authorized external events | paint-1.batch.complete, paint-1.equipment.status |
| Production schedule feed | mqtt://172.21.0.2:1883/paint-1/schedule |
conveyance-main — Conveyance Department
| Field | Value |
|---|
| Department owner | Conveyance |
| Network steward | TBD |
| Controller subnet | 172.22.0.0/16 |
| IO subnets | 192.168.30.0/24, 192.168.31.0/24 |
| Router / gateway | 172.22.0.1 |
| Services server | 172.22.0.2 |
| Services hosted | DNS, DHCP, NTP, SNMP, syslog, event broker |
| Boundary firewall mgmt | 172.22.0.3 |
| IT-side downlink port | it-l3-core/eth1/15 |
| Authorized external DNS | *.conveyance-main.mo.plant.local — A records only |
| Authorized external events | conveyance-main.interlock.heartbeat, conveyance-main.line.stop |
| Production schedule feed | mqtt://172.22.0.2:1883/conveyance-main/schedule |
machining-1 — Machining Department
| Field | Value |
|---|
| Department owner | Machining |
| Network steward | TBD |
| Controller subnet | 172.23.0.0/16 |
| IO subnets | 192.168.40.0/24 |
| Router / gateway | 172.23.0.1 |
| Services server | 172.23.0.2 |
| Services hosted | DNS, DHCP, NTP, SNMP, syslog, event broker |
| Boundary firewall mgmt | 172.23.0.3 |
| IT-side downlink port | it-l3-core/eth1/16 |
| Authorized external DNS | *.machining-1.mo.plant.local — A records only |
| Authorized external events | machining-1.part.ready, machining-1.line.status |
| Production schedule feed | mqtt://172.23.0.2:1883/machining-1/schedule |
assembly-1 — General Assembly Department
| Field | Value |
|---|
| Department owner | Assembly |
| Network steward | TBD |
| Controller subnet | 172.24.0.0/16 |
| IO subnets | 192.168.50.0/24, 192.168.51.0/24 |
| Router / gateway | 172.24.0.1 |
| Services server | 172.24.0.2 |
| Services hosted | DNS, DHCP, NTP, SNMP, syslog, event broker |
| Boundary firewall mgmt | 172.24.0.3 |
| IT-side downlink port | it-l3-core/eth1/17 |
| Authorized external DNS | *.assembly-1.mo.plant.local — A records only |
| Authorized external events | assembly-1.final.complete, assembly-1.station.status |
| Production schedule feed | mqtt://172.24.0.2:1883/assembly-1/schedule |
powerhouse-1 — Powerhouse (Steam / Compressed Air)
| Field | Value |
|---|
| Department owner | Powerhouse |
| Network steward | TBD |
| Controller subnet | 172.25.0.0/16 |
| IO subnets | 192.168.60.0/24 |
| Router / gateway | 172.25.0.1 |
| Services server | 172.25.0.2 |
| Services hosted | DNS, DHCP, NTP, SNMP, syslog, event broker |
| Boundary firewall mgmt | 172.25.0.3 |
| IT-side downlink port | it-l3-core/eth1/18 |
| Authorized external DNS | *.powerhouse-1.mo.plant.local — A records only |
| Authorized external events | powerhouse-1.steam.pressure, powerhouse-1.air.status |
| Production schedule feed | mqtt://172.25.0.2:1883/powerhouse-1/schedule |
Rules
- Subnets are never reused across Manufacturing Operations networks. If you exhaust
172.21–172.99, escalate to joint review (§ 8.1).
192.168.x.0/24 IO subnets are local to a single controller’s downward reach. They do not appear on the controller subnet, are not announced to IT, and are not routable beyond the static-routing-capable switch.- Services-server address
.2 is reserved. If a network needs additional services hosts, they take .3, .4, etc., but the canonical DNS/DHCP/NTP/SNMP/syslog stack lives at .2.
- The boundary firewall management IP is on the controller subnet so MO can reach it from inside. It is not reachable from the IT side.
- Any change to this annex requires § 8.3 pre-commit notification to the IT counterpart.
Open items
- Standard for the MO DNS zone naming convention. Example uses
<network-id>.mo.plant.local; needs sign-off.
- Whether the production-schedule feed should be MQTT, REST pull, or syslog stream — currently shown as MQTT; depends on IT-side monitoring tooling.