ReynoldsOnline.com
Demystifying Industrial Ethernet Networking
Louisiana Users Group, October 2017
Upcoming Events
Users Group Seminars:
• December 13th: Best in Show II: Automation Fair Review
• January 17th: Automation & Software Topic - TBD
• February 21st: Power Topic - TBD
• March 21st: Industrial Control Topic - TBD
PUBLIC Copyright © 2017 Rockwell Automation, Inc. All Rights Reserved.
2017 Automation Fair® Event #AutoFair17
Process Solutions User Group (PSUG)
Automation Fair 2017 themes: Innovation, Safety, Services, Modernization, eTools, Components, Intelligent Motor Control, Integrated Architecture, The Connected Enterprise (Industries)
Connected Enterprise Pavilion (floor plan): Connected Information / SCIO Launch, Oil & Gas, Food & Bev, Chemical, Information Solutions Process, LACT, Compressor, CAMA IF318, Pump Jack, Well Head, Theater
Automation Fair 2017 Hardware and Software Highlights
Hardware: GuardLogix 5580, ControlLogix Compute, CompactLogix 5480, Flex 5000, ControlLogix Parallel Redundancy Protocol Module
Software: Logix Designer V30, V4 View Designer, FactoryTalk Network Assistant
Enhanced Linx™ Gateway (9355-OPDxxxxENE): serves third-party OPC Data clients over DCOM and third-party OPC UA clients* over UA TCP
Software as a Subscription: FactoryTalk AssetCentre, FactoryTalk Analytics for Devices, FactoryTalk TeamONE, Studio 5000 Application Code Manager, Studio 5000 License Portal (license-based protection)
See You in Houston!
2017 Automation Fair® Event, November 15-16
Houston, Texas, USA, George R. Brown Convention Center
Today’s Topic: Demystifying Industrial Ethernet Networking
Today’s Agenda
• Stratix Portfolio
• Managed and Lightly Managed Switches
• Methods used to configure Stratix networking devices
• Converged Plantwide Ethernet (CPwE) concepts
• Resilient Network Design
• Ethernet Media
From the User Group Archives
January 2016 topic covered how to configure a Stratix 5700 switch using Device Manager and Studio 5000 AOP
https://trcnew.com/2016/01/18/enabling-the-industrial-internet-of-things-iiot/
Stratix Introduction
The Stratix™ product line provides advanced switching, routing and security features for simple to complex network applications. The portfolio includes wireless, “On-Machine™” and rack mount options for increased flexibility in hard-to-wire and remote areas. Products are configured using common IT tools for a customized, integrated plant floor and Enterprise system.
Networks Infrastructure and Security Portfolio Overview
Addressing the needs of Automation… and Operations and IT
Portfolio: Stratix 2000™, Stratix 2500™, Stratix 5100™, Stratix 5700™, ArmorStratix™ 5700, Stratix 5400™, Stratix 5410™, Stratix 5900™, Stratix 8000™/Stratix 8300™, 1783-NATR
Copyright © 2016 Rockwell Automation, Inc. All Rights Reserved. COMPANY INTERNAL — CONFIDENTIAL
Rockwell Automation / Cisco Partnership: Best of Both Worlds
The Connected Enterprise and the convergence of IT/OT
What Rockwell Automation brings to the table within Stratix®:
• Ability to use existing OT tools to design, build, deploy and maintain Stratix network infrastructure products
• Global distribution network capable of providing full service support local to your sites
What Cisco brings to the table within Stratix:
• Ability to use existing IT tools to configure and support Stratix products
• Best in breed technology designed with the security demands of IT in mind
What the partnership delivers:
• Collaborative engagements not only as it pertains to products, but also for design and implementation guidance, training, and efforts to address the OT skills gap
The Value of Stratix: Design Phase
• Validated Reference Architectures (Converged Plantwide Ethernet – CPwE): detailed documentation and guidance to address common questions and concerns: migrating legacy networks, network segmentation considerations, DMZ implementation, implementing wireless
• Custom AOPs/AOIs: reduced coding effort, and provides automatic and consistent context as it relates to tag naming and structure within your programs
• Offline Network Performance Evaluation: lay out your network in a software environment to proactively identify potential issues before a single cable is run
The Value of Stratix: Build Phase
• Device Level Ring: Ethernet version of “daisy chain” allowing for reduced cabling and built-in resiliency
• OT Centric Distributor Support: local distribution partner who understands the customer applications and can provide local system level support and training
• OT Optimized Switch Configuration: understanding that some OEMs and plant maintenance personnel may not be familiar with networking best practices, the configuration wizard for Stratix® automatically configures the switch to be optimized for automation applications – all the way to the per port level
• Network Address Translation (NAT): allows like equipment to be configured identically (IP addressing), yet still accessible on the plant network once commissioned
The Value of Stratix: Deploy Phase
17
HMI Faceplates: Existing Stratix faceplates allow for
diagnostics and troubleshooting directly from your Rockwell Automation® HMI applications, reducing the need for PC based troubleshooting
SD Card Support: Save configurations onto an SD card for quick
and easy deployment at commissioning, or if a Stratix® switch needs replaced in the future
Switch InformationFaceplate
Port Information
Faceplate
Trend InformationFaceplate
Broken WireTest
Faceplate
PUBLIC Copyright © 2017 Rockwell Automation, Inc. All Rights Reserved. 18
Stratix and Networking Faceplates
The Value of Stratix: Maintain
• Technical Support: Stratix® switches are covered under your existing Tech Connect support agreement. This also provides support capabilities for the entire Rockwell Automation® control system as opposed to support tied only to the switch itself
• Auto Device Config/Replace: when combining Stratix and Logix controllers, it is possible to replace devices on the network in a “plug and play” fashion. The IP address and config parameters are automatically downloaded upon replacement
• DLR Overview Faceplate: reduce MTTR by providing instant feedback to maintenance via the HMI about topology and connectivity
• Testing: all of the Stratix portfolio of products undergo not only functional testing, but also system level testing within a Rockwell Automation® architecture
Managed vs. Unmanaged Switches
Network Switch Product Overview
Unmanaged / Lightly Managed:
• Stratix 2000: 5-16 ports; fiber port options; gig port option; plug & play
• Stratix 6000: 5–9 port; lightly managed; gig fiber option
• Stratix 2500: 5-port model and 8-port model; basic traffic management; diagnostics; security
Managed, Access to Distribution:
• Stratix 5700 / ArmorStratix™ 5700 (Access): Layer 2 firmware; 6–20 ports; IP30 and IP67 On-Machine™ platform; integrated DLR; integrated NAT; IEEE 1588 PTP; PoE/PoE+
• Stratix 8000/8300: Layer 2 or Layer 3 routing firmware; 6–26 ports; modular platform for maximum flexibility; IEEE 1588 PTP; PoE/PoE+
• Stratix 5400: Layer 2 or Layer 3 routing firmware; 8–20 ports; 4 gig port or all gig port versions; IEEE 1588 PTP; integrated NAT; up to 8 PoE/PoE+ ports; PRP (RedBox)
• Stratix 5410 (Distribution): 19 in. rack mount; Layer 2 or Layer 3 routing firmware; 28 ports, all gig ports plus four 10 gig ports; IEEE 1588 PTP; up to 8 separate integrated NAT ports; up to 12 PoE/PoE+ ports; PRP (RedBox); DC and AC power input options
Port speed tiers shown across the portfolio: 100M, 100M/1G, 1G/10G
Stratix 2500 Lightly Managed Switch
Lightly managed switches enable a migration path to improved operational efficiencies and reduced costs through provision of secure, contextualized data and control.
Lightly managed switches allow you to control the network:
• Connect your plants, gain critical diagnostic information within your Integrated Architecture® system
• Detect network loops using Spanning Tree Protocol (STP) and prevent them to help uncover errors before the network stops
• Prioritize critical traffic using Quality of Service (QoS) and optimize bandwidth
• Segment your network using VLANs to help minimize risk of packet storms that can bring down your network
• Improve your security posture by using network security features like port security to control connections to the network
Unmanaged switches only allow you to connect devices, but cannot provide context of the state of your connectivity.
Stratix 2500 Lightly Managed Switch Features
• Offers 5 and 8 10/100 Mbps EtherNet/IP copper port versions in a compact design
• Add-on Profile (AOP) for configuration via Studio 5000® and FactoryTalk® View faceplate
• Port security helps disable ports, or control end device connectivity based on MAC ID
• Diagnostics help minimize downtime
• SNMPv3 and Syslog uncover errors before the network stops completely
• SSH and HTTPS for secure connectivity
• VLAN provides logical segmentation
• IGMP enables multicast for data traffic control
• Topology discovery (LLDP)
• STP, RSTP and MSTP – loop prevention
• Operating temperature -20 ˚C…60 ˚C, protection class IP30
Stratix 5700 Managed Switch
3 base platforms offering 25 configurations:
• 6, 10, 18 and 20 port base units
• 2 gig port option
• SFP slots support multi & single mode fiber
• Secure Digital flash card (optional)
• Power over Ethernet (PoE)
• Dual independent power inputs
• Alarm relays (2 inputs and 1 output)
• Supports NAT, DLR, CIP Sync
• Combo ports can be either copper or SFP
Copyright © 2016 Rockwell Automation, Inc. All Rights Reserved. PUBLIC
Stratix 5700 Managed Switch Differentiators
• Includes integrated DLR connectivity enabling the switch to act as a node or a supervisor on the ring
• Offers consolidation of ring information for a single point of management for retrieving network machine-level diagnostics and DLR status (in supervisor mode)
• Provides redundant gateway capability, supporting two switches on a single ring connected together on the network for increased resiliency
• Enables DHCP IP address assignment to end devices on the DLR network for simplified device replacement
Stratix 5700 Enhanced Security Options
Protecting the Machine:
• Application/Project (CIP) based port access
• Controller-based port control (on/off)
• Unauthorized device identification (tags) per port
• Configurable port security
• Preconfigured port security set-up via Smartports
• Configure number of devices that are allowed per port
• Configurable device MAC ID authentication
Protecting the Plant:
• Encrypted administrative traffic: SSHv2, SNMPv3, and HTTPS
• 802.1x for user authentication
• Multiple layers of password protection
• Access Control Lists (ACLs) to apply security policies per port
• TACACS+ and RADIUS for centralized authentication
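The per-port and plant-level controls above end up as lines in the switch's Cisco IOS configuration, the CLI the deck lists among the IT tools. As an added example that is not Rockwell or Cisco code, the Python script below audits a constructed running-config excerpt against those items: SSHv2 only, HTTPS without plaintext HTTP, SNMPv3 with privacy, port security with a policy limit on devices per port, and an inbound ACL on every access port. The interface names, the ACL name CELL1-IN and the sample config are assumptions.

```python
"""Hardening audit for a Stratix (Cisco IOS) running-config excerpt.
Checks the slide's items: encrypted management (SSHv2, SNMPv3, HTTPS),
port security with a per-port device limit, and an ACL on each access port.
Added example, not Rockwell or Cisco code; names and config are assumptions."""
import re
from typing import Dict, List, Tuple

# Constructed sample running-config (not captured from a real switch).
SAMPLE_CONFIG = """\
ip ssh version 2
ip http server
ip http secure-server
snmp-server group OPS v3 priv
snmp-server community public RO
!
interface GigabitEthernet1/1
 switchport mode trunk
!
interface FastEthernet1/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 ip access-group CELL1-IN in
!
interface FastEthernet1/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
!
interface FastEthernet1/3
 switchport mode access
!
"""

MAX_RE = re.compile(r"switchport port-security maximum (\d+)$")


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into global lines and per-interface stanzas."""
    global_lines: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None  # '!' closes the current stanza
            continue
        m = re.match(r"^interface (\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
            continue
        if line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces


def audit_global(lines: List[str]) -> List[str]:
    """Plant-level checks: only encrypted administrative protocols."""
    findings = []
    if "ip ssh version 2" not in lines:
        findings.append("global: SSH not restricted to version 2")
    if "ip http server" in lines:
        findings.append("global: plaintext HTTP management enabled (ip http server)")
    if "ip http secure-server" not in lines:
        findings.append("global: HTTPS management not enabled")
    if any(l.startswith("snmp-server community ") for l in lines):
        findings.append("global: SNMPv1/v2c community string configured")
    if not any(re.match(r"snmp-server group \S+ v3 priv", l) for l in lines):
        findings.append("global: no SNMPv3 group with authentication and privacy")
    return findings


def audit_interface(name: str, lines: List[str], max_devices: int) -> List[str]:
    """Machine-level checks on one access port."""
    findings = []
    if "switchport mode access" not in lines or "shutdown" in lines:
        return findings  # trunks and administratively-down ports are out of scope
    if "switchport port-security" not in lines:
        findings.append(f"{name}: port security not enabled")
    else:
        maxima = [int(m.group(1)) for m in map(MAX_RE.match, lines) if m]
        limit = maxima[-1] if maxima else 1  # IOS default is one MAC per port
        if limit > max_devices:
            findings.append(f"{name}: port-security maximum {limit} exceeds policy limit {max_devices}")
    if not any(l.startswith("ip access-group ") and l.endswith(" in") for l in lines):
        findings.append(f"{name}: no inbound ACL applied")
    return findings


def audit(text: str, max_devices: int = 1) -> List[str]:
    """Run all checks; max_devices is the policy limit on devices per port."""
    global_lines, interfaces = parse_config(text)
    findings = audit_global(global_lines)
    for name, lines in interfaces.items():
        findings.extend(audit_interface(name, lines, max_devices))
    return findings
```

Call `audit(SAMPLE_CONFIG)` to list the findings for the sample, or pass in a saved `show running-config` capture and your own device-per-port limit.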
Stratix 5700 Catalog Information
Stratix 5700 Software Features
* Separate SW IOS required
Stratix 5400 Hardware
18 catalog items supporting:
• 4 gig port versions (8 to 20 ports)
• All gig versions (12 to 20 ports)
• Single HW form factor (6.12 H x 6.12 W x 5.09 D in.)
• Secure Digital (SD) flash card (included)
• Power over Ethernet (PoE)
• Up to 12 ports of gig fiber
• Dual power inputs (9.6 to 60 VDC)
• Expanded temp range (-40 to 70 °C)
• 2 alarm inputs and one output
• RJ45 or Mini-USB console port
• Minimum four combo ports for either copper or SFP
[Hardware photo callouts: SD card for backup; dual power inputs including PoE power; LED mode selector; alarm input/outputs.]
Stratix 5400 Catalog Information
Stratix 5410 Industrial Managed Switch
The Stratix 5410™ industrial distribution switch offers a 19” rack mount design with 28 ports providing a centralized point of network distribution and increased port density. In addition to its rugged design, the Stratix 5410 also enables layer 2 switching and layer 3 routing with high performance (10-Gigabit port) capabilities, which can help increase flexibility in designing robust, future-ready network architectures.
Stratix 5410 Applications
• Rugged design for applications where harsh conditions are present
• Provides a centralized point of network distribution
• Enables access switching to distribution switching with routing capabilities for configuration flexibility
• For use in a wide variety of applications such as: water/wastewater, oil & gas, pulp & paper
[Diagram: Stratix 5410 Distribution Switch serving a Cell/Area Zone (Levels 0–2, star topology; lines, machines, skids, equipment) containing an operator interface, cameras, a controller and a drive.]
Stratix 5410 Catalog Information
Stratix Configuration Tools
Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved. PUBLIC
Simplified Setup and Maintenance: Common Configuration and Support Tools
Configure, manage and diagnose your network with familiar tools.
Automation (OT) professionals:
• FactoryTalk® Services tightly integrate into the Integrated Architecture® system
• Studio 5000 AOP, predefined Logix tags
• FactoryTalk® View faceplates – Sample Code website
• Device Manager web interface
IT professionals:
• Cisco IOS software and Command Line Interface (CLI)
• IT management tools: Cisco CNA, CiscoWorks, Cisco Prime, SNMP-based tools
• Tight integration into the joint Cisco and Rockwell Automation® Converged Plantwide Ethernet (CPwE) Architecture
Simplified Setup and Maintenance: Default Configurations and Smartports
Easy switch configuration without being a network expert.
• Express Setup: automatically sets switch configuration for typical automation applications
• Smartports: pre-defined port settings for common automation and network devices like Logix controllers, desktop devices and routers; optimizes traffic through the port and network; minimizes latency
Studio 5000 AOP
Logix I/O tree: Stratix configuration / monitoring options in Studio 5000
Cisco CNA: for easy system diagnostics and configuration
New USB Console Cable
New cable: USB to Stratix CNSL - 9300-USBCBL-CNSL
• No more adapters
• One cable
• Plugs into USB port on PC
• No installation disk; drivers automatically install
Converged Plantwide Ethernet (CPwE)
Why Is This Important? Design Considerations for Robust EtherNet/IP Networking
Scalable, robust, secure and future-ready infrastructure/architecture: Application, Software, Network (Internet of Things, Internet of Everything)
Reference Architectures: Converged Plantwide Ethernet (CPwE)
Tested, validated and documented Reference Architectures:
• Tested for performance, availability, repeatability, scalability and security
• Comprised of a collection of Cisco and Rockwell Automation Validated Designs
• Built on technology and industry standards
• “Future-ready” network design
• Content relevant to both OT and IT engineers (OT – Operational Technology, Industrial Control Systems)
Deliverables:
• Tested and Validated Reference Architectures, e.g. Deploy Firewalls Within a CPwE Architecture – Dec. 31, 2016
• Industrial Network and Security Whitepapers, e.g. Deployment of Industrial Firewalls – Dec. 30, 2016
Logical Framework: Converged Plantwide Ethernet (CPwE)
[Diagram: CPwE logical framework spanning Operational Technology, Industrial IT and Information Technology.]
• Enterprise Zone (Levels 4-5): Wide Area Network (WAN); data center virtualized servers (ERP and business systems, email and web services, security services such as Active Directory (AD) and Identity Services (AAA), network services such as DNS and DHCP, Call Manager); external DMZ/firewall; Internet.
• Industrial Demilitarized Zone (IDMZ): plant firewalls (active/standby, inter-zone traffic segmentation, ACLs, IPS and IDS, VPN services, portal and Remote Desktop Services proxy); physical or virtualized servers for patch management, AV server, application mirror and Remote Desktop Gateway server.
• Industrial Zone (Levels 0–3, plant-wide network): Level 3 Site Operations (control room) with physical or virtualized servers (FactoryTalk® Application Servers and Services Platform; network and security services such as DNS, AD, DHCP and Identity Services (AAA); storage array; remote access server); core switches; distribution switch stacks; wireless LAN controller (WLC, active/standby) with lightweight access points (LWAP).
• Cell/Area Zones (Levels 0–2; lines, machines, skids, equipment): redundant star topology with Flex Links resiliency, linear/bus/star topology, and ring topology with Resilient Ethernet Protocol (REP); Rockwell Automation® Stratix 5000/8000 Layer 2 access switches; unified or autonomous wireless LAN (5 GHz and 2.4 GHz SSIDs, workgroup bridges); devices such as HMI, controllers, safety controllers, I/O, safety I/O, drives, servo drives, robots, soft starters, cameras, phones and instrumentation.
Logical Framework: Converged Plantwide Ethernet (CPwE)
[Diagram: Industrial Zone (Levels 0-3) with a Layer 3 distribution switch stack feeding three Cell/Area Zones (Levels 0-2), each with a Layer 2 access switch: Cell/Area Zone #1 redundant star topology, Cell/Area Zone #2 ring topology, Cell/Area Zone #3 bus/star topology. Devices shown include Level 2 HMI, Level 1 controller, Level 0 drive, servo drive, I/O, safety I/O, safety controller, MCC, soft starter, camera, phone and instrumentation; media & connectors are called out.]
Cisco® Catalyst® Switching and Routing
• Catalyst 3850, Layer 3 Distribution Switch
• StackWise™ allows up to 9 switches to be linked together, managed as a single switch, 480 GB throughput
Cisco® Catalyst® Switching and Routing
• Catalyst 4500-X, Layer 3 Distribution/Core Switch
• Mid to high level plant distribution and aggregation
Cisco® Catalyst® Switching and Routing
• Catalyst 6800, Layer 3 Core Switch
• Flagship network core switch, different chassis sizes. 880 GB per slot bandwidth. 11 Terabit system capacity
• Virtual Switching System (VSS) – two switches act as a single virtual switch
Campus Model: Converged Plantwide Ethernet (CPwE)
• Hierarchical, modular and scalable building blocks
• Creates small domains - clear demarcations and segmentation: fault domain (e.g. Layer 2 loops), broadcast domain, domains of trust (security)
• Easier to grow, understand and troubleshoot
Multi-tier switch model:
• Core: aggregates distribution switches; backbone of network; Industrial DMZ connectivity
• Distribution: aggregates access switches; provides Layer 3 services
• Access: aggregates industrial automation and control system (IACS) devices; provides Layer 2 services
Campus Model: PlantPAx High Availability Architecture
Campus Model: Traffic Recovery
https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Campus/campover.html
EtherNet/IP IntelliCENTER MCC: Connecting to the Plant Ethernet Network
Packaged Power Solutions: Segmented Network Approach vs. Integrated Network Approach
Industrial Network Design Methodology: Design Considerations for Robust EtherNet/IP Networking
• Logical Model: Access Layer, Distribution
• Structure, Hierarchy and Segmentation: Physical vs. Logical Segmentation, Virtual LANs
• Network Availability: Linear, Star, Ring
• Network Redundancy
Resilient Network Design
Network Availability: Ring, Linear, Star/Redundant Star
[Diagram: Cell/Area Zones in ring, linear and star/redundant star topologies. Each zone shows HMI, controllers, drives and distributed I/O behind Cisco Catalyst 2955 access switches uplinked to a Cisco Catalyst 3750 StackWise switch stack; the device-level view shows a controller, VFD drive, servo drive, HMI and I/O connected at device level and at switch level.]
Network Resiliency Protocols: Selection is Application Driven
Table columns: Resiliency Protocol | Layer 2 | Layer 3 | Mixed Vendor | Ring | Redundant Star | Network Convergence > 250 ms | Network Convergence 60 - 100 ms | Network Convergence 1 - 3 ms
Protocols listed (an X marks each column that applies; the column positions of the marks did not survive extraction):
• STP (802.1D)
• RSTP (802.1w)
• MSTP (802.1s)
• rPVST+
• REP
• EtherChannel (LACP 802.3ad)
• Flex Links
• DLR (IEC & ODVA)
• StackWise
• HSRP
• GLBP
• VRRP (IETF RFC 3768)
Device Level Ring (DLR) Overview
A DLR network is a single-fault tolerant ring network intended for the interconnection of automation devices. Advantages include:
• Simple installation
• Resilience to a single point of failure on the network
• Fast recovery time when a single fault occurs on the network
Embedded Switch Technology: Direct DLR Overview (available on select Stratix 5700™ switches)
Direct DLR connection to Stratix 5700™:
• Firmware upgrade on selective hardware versions
• Eliminates the need for an ETAP
• Removes single point of failure at ETAP
• Can be configured as a node or supervisor (active or backup)
• Supports Redundant Gateway and DHCP
• Provides consolidated (in the switch) network status and diagnostics
[Diagram. Before: the Stratix 5700™ joins the ring through an ETAP; ring members are a PowerFlex® drive, a CompactLogix™ 5370, Point I/O™ and ArmorPoint I/O™. After: the Stratix 5700™ connects directly to the ring and the ETAP is removed.]
Embedded Switch Technology: Device Level Ring (DLR) Example
Shown using DLR faceplates. Available diagnostics:
• Network supervisor node
• Ring participant node
• Connection link status (red/green)
• Supervisor takeover order
Spanning Tree Protocol (MSTP)
• MSTP is an IEEE standard
• Ring and redundant star topology
• Built into Stratix 5410 / 5400 / 5700 / 8000 / 8300 / 2500
• Provides: loop-free network; redundancy in case of failure
• Distribution is the root bridge
• Operates in a plug-and-play fashion
• Coordinate with IT before implementing
[Diagram: Catalyst 3750 switch stack as the distribution switch and root bridge, Stratix 8000 access switches in a ring; port states F - Forwarding, B - Blocking.]
EtherChannel
Link Aggregation Control Protocol (LACP) port aggregation – IEEE 802.3ad
• Redundant star topology
• Built into Stratix 5410/5400/5700/8000/8300
• Aggregates multiple physical links into one logical link
• Provides resiliency between connected switches if a connection is broken
[Diagram: Catalyst 3750 switch stack as the distribution switch, Stratix 8000 access switches each dual-homed with all uplinks forwarding (F - Forwarding).]
EtherNet/IP IntelliCENTER MCC: High Availability – Redundant Star Topology with EtherChannel
• EtherChannel redundant star topology: provides redundancy with higher bandwidth
• MCC serviceability: device-level star topology remains -- no impact
• Network and device configuration: requires Stratix 5700 with Full firmware; complex implementation, typically used for larger networks
• Network fault tolerance: high level of network performance & convergence
Flex Links
• Cisco technology
• Redundant star only
• Built into Stratix 5410/5400/5700/8000/8300
• Active/standby port scheme
• Provides alternate path in case of failures, avoiding loops
• No bandwidth aggregation
• Applied to the Stratix access switch
• Recommend using equal speed ports
• Provides fast fail over for multicast traffic
[Diagram: Catalyst 3750 switch stack as the distribution switch, Stratix 8000 access switches each with one Active (A) and one Standby (S) uplink.]
Flex Links: Redundant Star Topology
[Diagram: Stratix 5410 distribution switch with Stratix 5700 (Full Features) access switches.]
Resilient Ethernet Protocol (REP)
• A REP segment is a chain of switch ports connected to each other and configured with the same segment ID.
• Each end of a segment terminates on what is called the "edge port" of an edge switch.
• With REP, in order to prevent a loop in the network, one switch port (the alternate port) is always blocked in any given segment.
• The blocked port helps ensure that the traffic within the segment is loop-free by requiring traffic flow to exit only one of the edge ports. Therefore, when a failure occurs in the segment, REP opens the alternate port so traffic can reach the edge of the segment.
REP Single Ring
[Figure: Stratix 5410; Stratix 5700 (Lite or Full Features); Stratix 5400]

REP Dual Ring
[Figure: Stratix 5410; Stratix 5700 (Lite or Full Features)]
NEW - 1756-EN2TP Parallel Redundancy Protocol Module

1756-EN2TP Parallel Redundancy Protocol Module
The 1756-EN2TP Parallel Redundancy Protocol Module offers PRP support for a redundant network infrastructure for high availability to help minimize unplanned downtime.
1756-EN2TP Parallel Redundancy Protocol Module Features and Benefits
• Provides a redundant network infrastructure for high availability, helping minimize the risk of downtime
• IEC 62439-3 compliant
• Same packets sent out of both ports to eliminate network switchover time
• PRP is a different protocol than DLR
• Acts as I/O scanner in controller chassis or I/O adapter in remote chassis
• Supports HMI communications
• Provides same performance and capacity as 1756-EN2TR
• Offers ControlLogix® redundancy system support
Building a PRP Network: Starting with a Basic Star Topology
* For example only - number of switches and topology varies based on application

Building a PRP Network: Adding Redundant Media and ControlLogix PRP Modules
• Redundant Ethernet networks: independent LANs, independent paths
• Switches are not PRP aware
• Redundancy is in the end nodes, called "Doubly Attached Nodes (DANs)", which attach to both LANs
• The DANs in this example are all 1756-EN2TP PRP modules
• Any switch that supports 1506 byte frames can be used
• Stratix 5700 switches shown in example
[Figure: LAN A and LAN B, with DANs attached to both]
Building a PRP Network: Sending Frames on both LANs
• Source DAN sends the same frame over both LANs
• Destination DAN consumes the frame the first time it is received, then discards the duplicate when it is received
• DAN has 1 MAC, 1 IP address
• Frames have LAN ID
Building a PRP Network: Adding RedBox Devices
• RedBox: a device that attaches non-PRP devices to a redundant network
• Devices attached through a RedBox are called "Virtual Doubly Attached Nodes (VDANs)"
• The RedBox shown is a standard Stratix 5400 switch with built-in RedBox functionality
[Figure: RedBox with VDANs attached]
Building a PRP Network: Adding a Singly Attached Node
• Non-PRP devices can be connected to only one of the two LANs; however, media redundancy is lost
• Singly Attached Nodes (SANs) can communicate only with other devices on the LAN they are connected to
• SANs are not PRP-aware
[Figure: SANs attached to a single LAN]
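The frame handling on the "Sending Frames on both LANs" and "Adding a Singly Attached Node" slides, as an added Python simulation that is not code from the presentation or from the 1756-EN2TP: the sending DAN appends the 6-byte IEC 62439-3 Redundancy Control Trailer (sequence number, LAN ID, size and the 0x88FB suffix, which is why the switches must pass 1506-byte frames), and the receiving DAN delivers the first copy, discards the duplicate, and passes a SAN's untagged frame up unchanged. The MAC address and payloads are constructed, and the wrong-LAN counter is this example's own addition for spotting a LAN A / LAN B cross-connection, not a documented module feature.

```python
import struct

PRP_SUFFIX = 0x88FB              # suffix that ends every PRP-1 Redundancy Control Trailer
LAN_ID = {"A": 0xA, "B": 0xB}    # 4-bit LAN identifier carried in the trailer

def add_rct(payload: bytes, seq: int, lan: str) -> bytes:
    """Sending DAN: append the 6-byte RCT = 16-bit seq, 4-bit LAN ID, 12-bit LSDU size, suffix."""
    lsdu_size = (len(payload) + 6) & 0x0FFF          # LSDU size counts the RCT itself
    rct = struct.pack("!HHH", seq & 0xFFFF, (LAN_ID[lan] << 12) | lsdu_size, PRP_SUFFIX)
    return payload + rct

def parse_rct(frame: bytes):
    """Return (payload, seq, lan_id), or None if there is no valid RCT (e.g. a SAN frame)."""
    if len(frame) < 6:
        return None
    seq, lan_size, suffix = struct.unpack("!HHH", frame[-6:])
    # the size field guards against a non-PRP frame that happens to end in 0x88FB
    if suffix != PRP_SUFFIX or (lan_size & 0x0FFF) != (len(frame) & 0x0FFF):
        return None
    return frame[:-6], seq, lan_size >> 12

class DanReceiver:
    """Receiving DAN: deliver the first copy of (source MAC, seq), discard the duplicate."""
    def __init__(self):
        self.seen = {}          # (src_mac, seq) -> ports the copies arrived on; real LREs age these
        self.wrong_lan = 0      # RCT LAN ID disagreed with the receiving port: LAN A/B miscabling

    def receive(self, src_mac: str, frame: bytes, port: str):
        parsed = parse_rct(frame)
        if parsed is None:
            return ("deliver", frame)           # non-PRP (SAN) frame: pass up unchanged
        payload, seq, lan_id = parsed
        if lan_id != LAN_ID[port]:
            self.wrong_lan += 1                 # worth alarming on: both LANs may really be one
        ports = self.seen.setdefault((src_mac, seq), set())
        first = not ports
        ports.add(port)
        return ("deliver", payload) if first else ("discard", None)

def simulate(lan_b_up: bool = True):
    """Constructed scenario: one DAN sends three frames over LAN A and, if up, LAN B; returns decisions in arrival order."""
    src = "00:00:bc:00:00:01"                   # constructed MAC of the sending DAN
    rx, decisions = DanReceiver(), []
    for seq in range(3):
        payload = b"CIP I/O data %d" % seq
        decisions.append(rx.receive(src, add_rct(payload, seq, "A"), "A")[0])
        if lan_b_up:                            # with LAN B down only one copy arrives
            decisions.append(rx.receive(src, add_rct(payload, seq, "B"), "B")[0])
    return decisions
```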
Building a PRP Network: Adding ControlLogix Controller Redundancy
• Future capability - ControlLogix Redundancy kit that supports the 1756-EN2TP

Ethernet Media
Demystifying Ethernet Types – www.ab.com/networks/media/ethernet

                              | Cat5e                                                                   | Cat6
Speed                         | 1000 Mbps                                                               | 10 Gbps over 33-55 meters (110-165 feet) of cable
Cost                          | Varies by length and manufacturer, generally $0.20 - $0.30 per foot.   | Varies by length and manufacturer, with $0.40 - $0.60 per foot as an average; generally about 20% higher than Cat5e.
Frequency                     | Up to 100 MHz                                                           | Up to 250 MHz
Performance                   | Less crosstalk/interference than CAT5. Potentially more interference than CAT6. | Signal-to-Noise Ratio higher. Thicker sheath.
Maximum cable length          | 100 meters                                                              | 100 meters for slower network speeds (up to 1,000 Mbps). For Gigabit Ethernet, 55 meters max, with 33 meters in high crosstalk conditions.
Standard gauges in conductors | 24-26 AWG wire                                                          | 22-24 AWG wire
Product Overview: Ethernet Media – Complete Portfolio
Ethernet Cable Spools & RJ45 Cables
Unshielded Twisted Pair (UTP)
• 2-pair High Flex TPE – 10 million cycles
• 4-pair High Flex TPE – 10 million cycles
• 4-pair PVC Riser – General Purpose
• 4-pair Plenum – Air duct applications
Shielded Twisted Pair (STP)
• STP 4-pair PVC Riser – General Purpose
• STP 4-pair PUR – Halogen Free – High Flex
• STP 2-pair PUR – Halogen Free – High Flex
• STP 4-pair PVC – 600 Volts
• STP 2-pair PVC – 600 Volts
RJ45 Right and Left Angle Overmolded Connectors
RJ45 IP67 Overmolded Patchcords
• Variant 1 Overmolded Patchcords
• Male to Male Variant 1 Patchcords
• Variant 1 Field Attachable Connectors
• Male Housing with Crimp/IDC Insert
• Female Receptacle Outlet
• Female to Female RJ45 Coupler
• Protective Cap for Housing and Outlet
M12 Patchcords/Cordsets & Field Attachables
M12 Connectivity - D Code
• Straight / Right Angle – Male & Female Connectors
• Unshielded High Flex TPE Cable – 2 pair
• Shielded High Flex, Halogen Free PUR Cable – 2 pair
• Shielded 600V Cable – 2 pair
M12 to RJ45 Connectivity - Patchcords
• M12 Female Receptacle to RJ45 Patchcord
M12 Field Attachable Components
• M12 IDC Connector
• M12 to RJ45 Bulkhead Connector - IP20 to IP67
RJ45 Field Attachable Components
• RJ45 IDC Connector: CAT 6 rating, AWG 26-22
• RJ45 Crimp Connector with rugged Boot
• Crimp Tool Kit: crimper, cable stripper/cutter, conductor separator

www.rockwellautomation.com

Thank you!
Additional Material

Additional Material: CPwE Architectures - Cisco and Rockwell Automation
CPwE websites: Rockwell Automation, Cisco
Additional Material: CPwE Architectures - Cisco and Rockwell Automation Whitepapers
ENET-WP022B-EN-P - Top 10 Recommendations for Plant-wide EtherNet/IP Deployments
ENET-WP031A-EN-P - Design Considerations for Securing Industrial Automation and Control System Networks
ENET-WP033A-EN-P - Resilient Ethernet Protocol in a Converged Plantwide Ethernet (CPwE) Architecture
ENET-WP034A-EN-P - Deploying 802.11 Wireless LAN Technology within a Converged Plantwide Ethernet Architecture
ENET-WP036A-EN-P - Deploying Network Address Translation within a Converged Plantwide Ethernet Architecture
Additional Material: CPwE Architectures - Cisco and Rockwell Automation Whitepapers
ENET-WP037A-EN-P - Deploying Identity Services within a Converged Plantwide Ethernet Architecture
ENET-WP038A-EN-P - Securely Traversing IACS Data Across the Industrial Demilitarized Zone
ENET-WP039B-EN-P - A Resilient Converged Plantwide Ethernet Architecture
ENET-WP040A-EN-P - Modernizing Legacy IACS Networks to a Converged Plantwide Ethernet Architecture
Additional Material: CPwE Architectures - Cisco and Rockwell Automation Design and Implementation Guides
ENET-TD001E-EN-P - Converged Plantwide Ethernet (CPwE) Baseline Document
ENET-TD005B-EN-P - Deploying the Resilient Ethernet Protocol (REP) in a Converged Plantwide Ethernet Architecture
ENET-TD006A-EN-P - Deploying 802.11 Wireless LAN Technology within a Converged Plantwide Ethernet Architecture
ENET-TD007A-EN-P - Deploying Network Address Translation within a Converged Plantwide Ethernet Architecture
Additional Material: CPwE Architectures - Cisco and Rockwell Automation Design and Implementation Guides
ENET-TD008A-EN-P - Deploying Identity Services within a Converged Plantwide Ethernet Architecture
ENET-TD009A-EN-P - Securely Traversing IACS Data Across the Industrial Demilitarized Zone
ENET-TD010A-EN-P - Deploying A Resilient Converged Plantwide Ethernet Architecture
ENET-TD011A-EN-P - Modernizing Legacy IACS Networks to a Converged Plantwide Ethernet Architecture
ENET-TD012A-EN-P - Site-to-site VPN to a Converged Plantwide Ethernet Architecture
Additional Material: CPwE Architectures - Cisco and Rockwell Automation Application Guides
ENET-TD003A-EN-E - Fiber-optic Infrastructure Application Guide (Panduit/Cisco/Rockwell Automation)

Additional Material: Reference Documents
Ethernet Design Considerations Reference Manual (ENET-RM002C-EN-P): EtherNet/IP Overview, Ethernet Infrastructure Components, EtherNet/IP Protocol, Predict System Performance
EtherNet/IP IntelliCENTER® Reference Manual (MCC-RM001)
The OEM Guide to Networking (ENET-RM001A-EN-P): This guide is intended to help OEMs understand relevant technologies, networking capabilities and other considerations that could impact them as they develop EtherNet/IP solutions for the machines, skids or equipment they build
Additional Material: Tools
Integrated Architecture® Builder (IAB)
• Updates and additions to better reflect CPwE structure, hierarchy and best practices
• Improved Switch Wizard for distribution (e.g. Stratix 5410™) and access (e.g. Stratix 5700™)
• Easier to create a large EtherNet/IP network with many topologies
• CIP traffic is measured per segment, not just controller scanner and adapter centric
EtherNet/IP Capacity Tool
Popular Configuration Drawings (PCDs)
• Updates and additions to better reflect CPwE recent enhancements
Additional Material: Education - OT - OT/IT Convergence - Industrial IT
• Community of like-minded companies – Cisco, Panduit, and Rockwell Automation
• Four eLearning courses that teach critical network design skills based on CPwE Reference Architectures
• Scenario-based training on topics such as: logical topologies, protocols, switching, routing, wireless and physical cabling
• Sign up today for free on the Industrial IP Advantage website
Network Design eLearning modules
Module 1 Designing for the Cell/Area Zone (part 1)
Module 2 Designing for the Cell/Area Zone (part 2)
Module 3 The Industrial Zone
Module 4 IT/OT Integration
Additional Material: Training and Certification - OT - OT/IT Convergence - Industrial IT
Cisco Industrial Networking Specialist Training and Certification
• Classroom training: Managing Industrial Networks with Cisco Networking Technologies (IMINS)
• Exam: 200-401 IMINS
• CPwE Design Considerations and Best Practices
CCNA Industrial Training and Certification
• Classroom training: Managing Industrial Networks for Manufacturing with Cisco Technologies (IMINS2)
• Exam: 200-601 IMINS2
• CPwE Design Considerations and Best Practices

Additional Material: Training and Certification - OT - OT/IT Convergence - Industrial IT
Industrial Networking Specialist
Module 1 Industrial Networking Solutions and Products
Module 2 Industrial Network Documentation and Deployment Considerations
Module 3 Installing Industrial Network Switches, Routers, and Cabling
Module 4 Deploying Industrial Ethernet Devices
Module 5 Maintaining Industrial Ethernet Networks
Module 6 Troubleshooting Industrial Ethernet Networks
CCNA Industrial
Module 1 Industrial Networking Concepts and Components
Module 2 General Troubleshooting Issues
Module 3 EtherNet/IP
Module 4 Troubleshooting EtherNet/IP
Module 5 PROFINET
Module 6 Configuring PROFINET
Module 7 Troubleshooting PROFINET
Module 8 Exploring Security Concerns
Module 9 802.11 Industrial Ethernet Wireless Networking