Designing EtherNet/IP Machine/Skid level Networks · PDF fileSecurity features for Network access to the Control System: ... Cisco ASA 5500 Cisco Catalyst ... Remote Access Server

Copyright © 2012 Rockwell Automation, Inc. All rights reserved.

Designing EtherNet/IP Machine/Skid level Networks


Agenda

33

Selecting Infrastructure

Information Integration

3

Reference Architectures Solutions

Best Practices and Example Architectures

Where to learn more

Demonstration of Integration Techniques


Agenda

44

Selecting Infrastructure

4



Machine level Network Considerations

55

Control Requirements• I/O and motion control how much how fast

Integration to upstream or downstream equipment• Line Controller• Safety interlocking

Integration of data• SQL or other servers for data collection and monitoring• Supply chain integration

Remote Access• Troubleshooting, monitoring, program changes


Advantages Disadvantages

Managed Switches(ie. Statix 5700)

Unmanaged Switches(ie. Stratix 2000)

Embedded Switches(ie. CompactLogix controller)

• Segmentation services (VLANs)• Diagnostic information• Security services• Prioritization services (QoS)• Multicast management services• Network resiliency• Loop prevention

• Inexpensive• Simple to set up

• More expensive• Requires some level of support and

configuration to start up

• No management capabilities• No security• No diagnostic information• Difficult to troubleshoot• No resiliency support• No loop prevention

• Diagnostic information• Prioritization services (QoS)• Time Sync Services (1588 Transparent

Clock)• Network resiliency• Loop prevention

• Limited management capabilities• May require minimal configuration for Ring

Topology

Switch Considerations


Why Managed Switches for Machine Networks?

Robust/future proof the control network: Reduce risk from interference from other devices on the network Customer support & satisfaction

Security features for Network access to the Control System: Enabler for remote access Customer support/satisfaction Equipment differentiation

Diagnostic Capability: Reduce TTM Increase equipment differentiation Improve customer support/satisfaction and reduce risk)

7


Topology Flexibility with EtherNet/IP

EtherNet/IP is topology neutral for maximum flexibility

HYBRID – Obtain maximum flexibilityLINEAR - Simplify cable management STAR– Connect broad range of devices

RING – Maximum availability


Security Considerations Physical Access Security

Disable unused switch ports Lock a port to only allow specific devices to be

connected Change passwords from default settings

Access Control Lists Limit access to secure areas of the network. Limit access to secure services on the

network Block remote access to secured devices

VLANs Simplify security enforcement by creating

function groups Establish groups by function, by location, etc.


Infrastructure Performance ConsiderationsBandwidth

10ms RPI

1 at 4ms RPI

3 at 10ms RPI

4ms updates

This application will use less than 10% of bandwidth on the single Ethernet segment…


Agenda

11Copyright © 2009 Rockwell Automation, Inc. All rights reserved. 11

Information Integration

11



If Machines could talk what would they say?

12

Who would they talk to? ERP, MES, Partners, other Machines?

Who would they talk to? ERP, MES, Partners, other Machines?


Remote Access Approaches

13

Direct to ICS

Inside-Out Terminal Services

Outside-In

modems

VPN appliance

Through IT Infrastructure

Inside-Out

Conferencing technology (WebEx)

Terminal Services

Outside-In VPN Technology


Secure Remote Access Workshop W21

14

Levels 0–2Cell/Area Zones

Demilitarized Zone (DMZ)


Enterprise ZoneLevels 4 and 5

Manufacturing Zone Site Manufacturing

Operations and ControlLevel 3

Internet


EnterpriseWAN

EnterpriseData Center

Gbps Link FailoverDetection

Firewall(Active)Firewall

(Standby)

Patch ManagementTerminal ServicesApplication MirrorAV Server

CiscoASA 5500

Remote Access Server• RSLogix 5000• FactoryTalk View Studio

Catalyst6500/4500

Remote Engineeror Partner

EnterpriseConnectedEngineer

Enterprise EdgeFirewall

HTTPS

Cisco VPN Client

Remote Desktop Protocol (RDP)

Catalyst 3750StackWise

Switch Stack

EtherNet/IP

I PS ECVPN

SS LVPN

FactoryTalk Application Servers• View• Historian• AssetCentre• Transaction ManagerFactoryTalk Services Platform• Directory• Security/AuditData Servers

Secure remote access for employees and trusted partners such as machine builders and system integrators• Meeting the security requirements

of IT while enabling manufacturers to leverage shared, distributed company resources and trusted partners

• Management of assets - monitor, configure and audit

• Simplify change management, version control, regulatory compliance and software license management

• Simplify remote clienthealth management


Network Topology

15

Catalyst 3750StackWise

Switch Stack

FactoryTalk Application Servers• View• Historian• AssetCentre• Transaction ManagerFactoryTalk Services Platform• Directory• Security/AuditData Servers

Gbps Linkfor Failover Detection

Firewall(Active)

Firewall(Standby)

I/O

Levels 0–2

HMI

Cell/Area Zones




Rockwell AutomationStratix 8000

Layer 2 Access Switch

CiscoASA 5500

CiscoCatalyst Switch

Industrial Zone Site Operations and Control

Level 3

Remote AccessServer

Catalyst6500/4500

Patch ManagementTerminal ServicesApplication MirrorAV Server

ERP, Email,Wide Area Network (WAN)

Network Services• DNS, DHCP, syslog server• Network and security mgmt

Drive Controller HMI

Controller

Drive

Controller

Drive

HMI

I/O

I/O

Cell/Area #1 Cell/Area #2 Cell/Area #3

VLAN 10 VLAN 20 VLAN 30


How is your Machine/Skid connecting to the Plant Network?

16

Popular Switches with routing capability

Cisco 3750x

Cisco 6500xCisco 3560x

• Stratix 8300

10/100 and Gig ports

High density1 gig, 10 gig, and 40

gig ports

Stack-wise resiliency10/100 and gig ports


Plant Network Connectivity Options

ArmorBlock I/O

CompactLogix L36ERM chassis

EtherNet/IP

PV+ EOIPOINT I/O

EtherNet/IP

Plant Network

Kinetix 5500


ArmorBlock I/O

ControlLogix L71S Machine Solution (with a managed switch)

ControlLogix L71s chassis

EtherNet/IP

PV+ EOIPOINT I/O

EtherNet/IP

Plant Network

Machine Network 192.168.5.x IP Address

255.255.255.0 Mask0.0.0.0 Gateway

IP - 10.10.6.x

Kinetix 5500


CompactLogix 5370 Machine Solution (with embedded switches/VLAN)

ArmorBlock I/O

EtherNet/IP

POINT I/O

Plant Network


255.255.255.0 Mask192.168.5.1 Gateway

10.10.x.x Interface

PV+

192.168.1.x Interface Stratix 8300

PowerFlex 525

Kinetix 5500

CompactLogix L36ERM


CompactLogix 5370 Machine Solution (with a Subnet/VLAN on Plant network)

ArmorBlock I/O

PV+ EOIPOINT I/O

Plant Network


255.255.255.0 Mask192.168.5.1 Gateway

IP - 10.10.6.x

PowerFlex 525

Stratix 5700Kinetix 5500

Compact Logix L36ERM

IP – 192.168.5.1

Stratix 8300 or Cisco 3560


Network Address Translation

Machine 1 NAT10.104.x.x : 192.168.1.x

Machine 2 NAT10.104.x.x : 192.168.1.x

192.168.1.104 192.168.1.104

10.104.100.23

192.168.1.100

Within a Machine Between Machine and Line Network

Send message to Machine 2

CMX10.104.2.100

192.168.1.100


CompactLogix 5370 Machine Solution (with a managed switch & NAT)

ArmorBlock I/O


PV+ EOIPOINT I/O

EtherNet/IP

Plant Network

Embedded NAT

PowerFlex 525

Kinetix 5500


255.255.255.0 Mask192.168.3.1 Gateway

10.10.x.x Network


CompactLogix Machine Solution (embedded with NAT)

ArmorBlock I/O


EtherNet/IP

PV+ EOIPOINT I/O

Plant Network

NAT Device


255.255.255.0 Mask192.168.5.1 Gateway

10.10.x.x Interface

Kinetix 5500


Connectivity to Plant VLAN or NAT

26

PowerFlex 4/40 AC Drive

PV+ or PV+ Compact

Plant VLAN

10.10.10.10

CompactLogix 5370 L3PowerFlex 4/40 AC Drive

PV+ or PV+ Compact

Plant

10.10.10.10 192.168.1.2

VLANPros:• No machine level switch configuration needed if the

machine is a single VLAN• Removes “single point of failure” for NAT device• Designed to allow network services (SNMP, VPN,

DNS, DHCP)Cons:• IP addressing must be unique at the machine level

NATPros:• IP Addresses private to machine (not visible outside of

machine network)• Web diagnostics available outside machineCons:• Additional cost for NAT device or switch• Some additional complexity and management

Machine VLAN


Dual Interfaces vs. NAT

27

PowerFlex 4/40 AC Drive

PV+ or PV+ Compact

EtherNet

Plant Network

10.10.10.10

192.168.1.2 CompactLogix 5370 L3PowerFlex 4/40 AC Drive

PV+ or PV+ Compact

EtherNet

Plant Network

10.10.10.10 192.168.1.2

2nd InterfacePros:• IP Addresses private to machine• End user manages external IP address• Program does not change when Plant network

address changeCons:• Limited Security• Cable resiliency between, machine and plant• Web diagnostics not available outside machine• Only CIP will traverse the backplane

NATPros:• Same pros as Dual NIC Plus• Lower network connectivity cost• Web diagnostics available outside machine• Will limit access to Machine network (only devices in

NAT table will communicate)Cons:• NAT Table Configuration• Some network protocols will not traverse

through NAT


Agenda

282828

Best Practices and Example Architectures


CompactLogix 5370 Machine Solution (Subnet/VLAN on Plant network)

ArmorBlock I/O

PV+ EOIPOINT I/O

Plant Network


255.255.255.0 Mask192.168.5.1 Gateway

IP - 10.10.6.x

PowerFlex 525

Stratix 5700Kinetix 5500


IP – 192.168.5.1


77% Savings on Network Enabling Technology


CompactLogix 5370 Machine Solution (Multiple VLANs at the Machine level)

L36ERM

PowerFlex 525

ArmorBlock I/O

PV+ EOI

Kinetix5500

PV+ EOI

POINT I/O

Programming

Control

ControlControl

Control

Video

Stratix 5700

Segmentation within the machine also available


CompactLogix 5370 Machine Solution (Hybrid Topology, VLAN Plant switch)

ArmorBlock I/OPV+ EOIPOINT I/O

Plant Network

IP - 10.10.6.x

PowerFlex 525

Stratix 5700

Kinetix 5500


IP – 192.168.5.1



CompactLogix 5370 Machine Solution (Embedded with VLAN)

ArmorBlock I/O

EtherNet/IP

POINT I/O

Plant Network

IP - 10.10.6.xIP – 192.168.5.1

Kinetix 5500


CompactLogix 5370 Machine Solution (Managed with NAT, Hybrid Topology)

ArmorBlock I/O


EtherNet/IP

PV+ EOIPOINT I/O

EtherNet/IP

Plant Network

Embedded NAT

Kinetix 5500


CompactLogix 5370 Machine Solution (embedded with NAT)

ArmorBlock I/O


EtherNet/IP

PV+ EOIPOINT I/O

Plant Network

NAT Device

Kinetix 5500


Plant HMI Connectivity Only

35

PVP6

Machine: 192.168.1.20

Plant: 10.10.10.20

• Benefits– Clear network ownership demarcation line

• Challenges– No visibility to control network devices– Limited future-ready capability– No Bridging and Routing Capability

Kinetix 5500


Agenda

363636

Reference Architectures SolutionsWhere to learn more

Copyright © 2012 Rockwell Automation, Inc. All rights reserved. 37

EtherNet/IP Network Infrastructure BoothAdditional On-site Information

Booth 1407


Network Infrastructure WallAdditional On-site Information

Integrated Architecture – Booth 915

Convergence-ReadyOEM MachineHigh Availability Time Synchronization Integrated Safety Integrated MotionConvergence-ReadyOEM Machine


Workshops, Hands-On LabAdditional On-site Information

L19 - Applying EtherNet/IP in Real-Time Applications Rockwell Automation 8:00AM, 10:00AM, 12:30PM, 2:30PM

W14 – Plantwide Network Infrastruture Rockwell Automation, Panduit, Fluke and Cisco 10:00AM

W16 - Fundamentals of Securing EtherNet/IP Networks Rockwell Automation and Cisco 2:30PM

W21 - Scalable Secure Remote Access Solutions Rockwell Automation and Cisco 8:00AM

T04 — Designing Innovative Machines with the Rockwell Automation Midrange Architecture System Rockwell Automation — 11:00AM


Additional MaterialODVA

Website: http://www.odva.org/

Media Planning and Installation Manual http://www.odva.org/Portals/0/Library/Publications_Numbered/PUB00148R0_EtherNetI

P_Media_Planning_and_Installation_Manual.pdf Network Infrastructure for EtherNet/IP: Introduction and Considerations http://www.odva.org/Portals/0/Library/Publications_Numbered/PUB00035R0_Infrastruct

ure_Guide.pdf Device Level Ring http://www.odva.org/Portals/0/Library/CIPConf_AGM2009/2009_CIP_Networks_Conference_Tec

hnical_Track_Intro_to_DLR_PPT.pdf The CIP Advantage http://www.odva.org/default.aspx?tabid=54


Additional MaterialRockwell Automation

Networks Website: http://www.ab.com/networks/ EtherNet/IP Website: http://www.ab.com/networks/ethernet/ Media Website: http://www.ab.com/networks/media/ethernet/ Embedded Switch Technology Website: http://www.ab.com/networks/switches/embedded.html

Publications: ENET-AP005-EN-P Embedded Switch Technology Manual ENET-UM001G-EN-P EtherNet/IP Modules in Logix5000 Control Systems …. provides

connection and packet rate specs for modules 1783-UM003 Stratix 8000 and Stratix 8300 Ethernet Managed Switches User Manual ENET-WP0022 Top 10 Recommendations for plant-wide EtherNet/IP Deployments ENET-RM002A-EN-P Ethernet Design Considerations Reference Manual ENET-AT004A-EN-E Segmentation Methods within the Cell/Area Zone ENET-RM003A-EN-P Embedded Switch Technology Reference Architectures

Network and Security Services Website: http://www.rockwellautomation.com/services/networks/


Additional MaterialPanduit, Cisco, Rockwell Automation Collaboration

Plant-wide EtherNet/IP Ecosystem Partners Website

Fiber Optic Infrastructure Application Guide

ENET-TD003


Additional MaterialCisco and Rockwell Automation Alliance

Websites http://www.ab.com/networks/architectures.html

Design Guides Converged plant-wide Ethernet (CPwE)

Application Guides Fiber Optic Infrastructure Application Guide

Education Series http://www.ab.com/networks/architectures.html

Whitepapers Top 10 Recommendations for plant-wide EtherNet/IP

Deployments Securing Manufacturing Computer and Controller Assets Production Software within Manufacturing Reference

Architectures Achieving Secure Remote Access to Plant-Floor Applications

and Data


Additional MaterialCisco and Rockwell Automation Alliance

Education Series Webcasts What every IT professional should know about Plant-Floor Networking What every Plant-Floor Engineer should know about working with IT Industrial Ethernet: Introduction to Resiliency Fundamentals of Secure Remote Access

for Plant-Floor Applications and Data Securing Architectures and Applications

for Network Convergence IT-Ready EtherNet/IP Solutions Available Online

http://www.ab.com/networks/architectures.html


www.rockwellautomation.com

Follow ROKAutomation on Facebook & Twitter.Connect with us on LinkedIn.

Designing EtherNet/IP Machine Level NetworksWorkshop 15 - Automation Fair 2012

Thank you for participating!Please remember to tidy up

your area for the next session.

Documents

Designing EtherNet/IP Machine/Skid level Networks · PDF fileSecurity features for Network access to the Control System: ... Cisco ASA 5500 Cisco Catalyst ... Remote Access Server