WIXLIB

Reference Architectures:Fundamentals of IndustrialEthernet Network DesignWorkshop #07Paul Didier - Cisco SystemsIndustry Solutions Architect for ManufacturingGregory Wilcox - Rockwell AutomationNetworks Business Development ManagerReference Architectures 2009 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved.

Session Abstract W7: Reference Architectures: Fundamentals of IndustrialEthernet Network Design– This Workshop demonstrates core principles for designing industrialEthernet networks using the concepts delivered in the RockwellAutomation and Cisco Converged Plantwide Ethernet Architectures.It includes best practices and recommendations that are applicableto both IT and manufacturing networks as well as switch/routerdeployment. A prior understanding of general Ethernet concepts isrecommended. 2009 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved.

Automation FairRockwell Automation / Cisco CollaborationNetwork Infrastructure WallBooth 647 T40: Achieving Secure RemoteAccess to Plant-Wide Applications Time: 1:00 PM Room: Room 211B Gregory Wilcox and Paul Didier 2009 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved.Booth 747 T42: Applying Plant-Wide IndustrialWireless Communications Time: 3:00 PM Room: Room 211B Paul Brooks and Dan Knight

Agenda Industrial Network Convergence Network Design Methodology and Fundamentals UtilizingStandards, Reference Models and Reference Architectures Networking Best Practices – Design & icast ManagementSegmentationPrioritizationResiliency Protocols and Multi-path TopologiesSwitch Features and IP AddressingSecurity Additional Resources Questions and Answers 2009 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved.

Industrial Network ConvergenceCorporate NetworkCorporate NetworkBack-Office Mainframes andServers (ERP, MES,etc.)Control NetworkGatewayHuman MachineInterface (HMI)OfficeApplications,Internetworking,Data Servers,StorageSupervisoryControlHuman MachineInterface working,Data Servers,StorageBack-Office Mainframes andServers (ERP, MES, etc.)SupervisoryControlMotors, DrivesActuatorsControllerMotors, DrivesActuatorsSensors and otherInput/Output DevicesSensors and otherInput/Output DevicesRoboticsTraditional – 3 TierIndustrial Network ModelConverged EthernetIndustrial Network ModelConvergence of Control and Information 2009 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved.

Integrated ArchitectureEnabling ConvergenceEnterprise Business SystemsSCM ERP CRM PLM frastructureFactoryTalk Integrated Production & Performance SuitePlantManagementDesign ality &ComplianceAssetManagementPerformance& iscreteMotionProcessBatchSafetyDrivesLogix Control PlatformLegacySystemsOperationsCritical Plant AssetsMachines &ProcessesMaintenance 2009 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved.Partners

Industrial and Enterprise (IT)Network Convergence Enterprise (IT) Network Requirements–––––––Internet ProtocolsEnterprise class gearHigh availability – redundant star topologiesDeterminism, latency, jitter, etc.Voice, video, data applicationsIP Addressing - dynamicSecurity - pervasive Industrial Network Requirements– Industrial and internet protocols– Industrial gear– Resiliency – ring topologies are prominent,redundant star topologies are emerging– Determinism, latency, jitter, etc.– Motion, control and safety– IP Addressing – static– Security - emerging 2009 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved.So, what are thesimilarities anddifferences?

Common LINGO Ethernet and IPEthernet-n-IPEtherNet/IPEtherNet/IP Ethernet IP CIP 2009 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved.

How IT Ready isYour Industrial Solution? Align your industrial Ethernet configurations with your,or if partner, your end customers IT policies– Use standard Ethernet and TCP/IP protocol suite– Use managed switches for network and security services– Follow IP addressing, subnetting and default gateway settingsconventions– Consistently use Network Services Virtual LANs (VLANs), Multicast Management, Quality of Service (QoS),Resiliency, Protocols, Layer 2 and Layer 3– Security stance - port security, access control lists, networkaccess control Are you aligned with emerging Industrial Control Systemsecurity standards:– DHS External Report # INL/EXT-06-11478– NIST 800-82– ISA-99 2009 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved.

Industrial Network Design Methodology Understand application and functional requirements––––Devices to be connected – industrial, commercialData availability, integrity & confidentialityCommunication patterns, topology & resiliency requirementsTypes of traffic – information, control, safety, time synchronization,motion control, voice, video Develop a logical framework (roadmap)– Define zones– Define segmentation– Place applications and devices in the framework based onrequirements Determine security requirements,take into consideration ITrequirements Use standards, reference modelsand reference architecturesMANAGE /MONITORDESIGN/PLANAUDITIMPLEMENT 2009 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved.ASSESS

Industry Standards Technology– IEEE 802.3 - standard Ethernet, Precision Time Protocol (PTP 1588)– IETF - standard Internet Protocol (IP)– ODVA - Common Industrial Protocol (CIP)– IEC – International Electrotechnical Commission Manufacturing––––Purdue Reference Model for Control HierarchyISA-95 - Enterprise-Control System IntegrationISA-99 - Manufacturing and Control Systems SecurityNIST 800-82 – Industrial Control System Security 2009 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved.

Logical FrameworkLevel 5Level 4Enterprise NetworkRouterE-Mail, Intranet, etc.Site Business Planning and Logistics irrorEnterpriseZoneFirewallAVServerWeb FirewallLevel 3Level ngineeringWorkstationDomainControllerSite ManufacturingOperations and ineeringWorkstationBasic ControlLevel 1Level 0BatchControlDiscreteControlSensors 2009 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights essCell/AreaZone

The OSI Reference ModelLayer NameLayer No.ApplicationLayer 7Network Services to User AppPresentationLayer 6Encryption/Other processingSessionLayer 5Manage Multiple ApplicationsTransportLayer 4Reliable delivery/Error correctionTCP - UDPLayer 3Logical addressing - RoutersIPLayer 2Access Endpoints MAC address802.3 MACLayer 1Specifies voltage, pin-outs, cableTIA -568-BNetworkData ctionExamplesCIPDe-EncapsulationSimilar sounding network services exist at Layer 2 (L2) andLayer 3 (L3) – e.g. QoS, Resiliency, Security 2009 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved.

Layer 1 - Physical Design and implement a robustphysical layer Environment Classification - MICE More than cable– Patch panels– Cable management– Grounding & Bonding (noise mitigation) Physical Media––––Wired vs. WirelessCopper vs. FiberUTP vs. STPSinglemode vs. Multimode 2009 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved.ENET-WP007ODVA Guide

Layer 2 – Data LinkSwitching Uses the Data Link layer todetermine where the frame goesLAN Looks at the MAC address (MediaAccess Control) All ports are in the same broadcastdomain Managed switches provide Layer 2features, such as segmentation(VLAN tag), security, QoS,resiliency, etc.861MAC Port Address TableXXX1XXX2XXX3 2009 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved.Port 1Port 6Port 8

Layer 3 – NetworkRouting Connect different LANs Extend network distanceWAN– LAN, MAN, WAN Switch/route packets by IP Address Broadcast control Multicast control, EtherNet/IP multicastnot routable - TTL 1 Layer 3 features such as security, QoS,resiliency, etc Make sure IT understands requiredprotocols– Is there a need to route to other subnets?– Multicast traffic?– Security or segmentation? 2009 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved.LANLAN

Layer 4 – TransportUDP / TCP over IP User Datagram Protocol– Connectionless/best effort– Does not use acknowledgements– Unicast and Multicast IP– CIP – used for Class 1 (implicit) I/Oand P/C connectionsUDP Header Transmission Control Protocol– Connection-oriented, end-to-endreliable transmission– Utilizes acknowledgements (ACK) toensure reliable delivery– Unicast IP– CIP – used for Class 3 (explicit)messaging such as Operator Interface 2009 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved.TCP Header

Campus Network Reference ModelAccessDistributionCoreDistributionAccess Offers hierarchy modular topology - buildingblocksLoad Easy to grow, understand and troubleshootBalancing Creates small fault domains - cleardemarcations and isolationingTrunk Promotes load balancing and redundancyGLBP Promotes deterministic traffic patterns Incorporates balance of both Layer 2 andHSRPLayer 3 technology, leveraging theSpanningstrength of bothRoutingTree Utilizes Layer 3 routing for loadbalancing, fast convergence, scalability andcontrol 2009 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved.

Converged Plantwide EthernetArchitectures (CPwE) Logical framework Industrial and ITnetwork convergence iliencyTraffic managementPolicy enforcement Security policies– Defense in depthERP, Email,Wide Area Network(WAN)Enterprise ZoneLevels 4 and 5Demilitarized Zone (DMZ)Patch ManagementTerminal ServicesApplication MirrorAV ServerGbps Linkfor FailoverDetectionFirewall(Standby)CiscoASA 5500Firewall(Active)Manufacturing ZoneSite ManufacturingOperations and ControlLevel 3FactoryTalk Application Servers View Historian AssetCentre Transaction ManagerDemilitarized Zone (DMZ)Catalyst6500/4500CiscoCatalyst SwitchFactoryTalk ServicesPlatformRemoteAccessServer Directory Security/AuditData ServersCatalyst 3750StackWiseSwitch StackNetwork Services DNS, DHCP, syslog server Network and security mgmtLevels 0–2Cell/Area Zones Secure remote accessRockwell AutomationStratix 8000Layer 2 Access /Area #1Redundant Star TopologyFlex Links Resiliency 2009 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved.DIODriveDriveControllerCell/Area #2Ring TopologyResilient Ethernet Protocol (REP)DIOCell/Area #3Bus/Star Topology

CPwE Design Guide 2.0 vs. 1.2 Application Centric vs. Network Centric Stratix 8000 vs. 2955 Resiliency– MSTP/rPVST : Ring & Redundant Star– Flex Links: Redundant Star– EtherChannel: Redundant Star Screw-to-screw Application PerformanceMulticast ManagementQuality of ServiceSecure Remote Access 2009 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved.

Examples of Customer ExtremesEnterprise NetworkLevel 5Level 4 Level 5 E-Mail, Intranet, etc.FactoryTalkLevel 4ApplicationServerLevel 3EnterpriseZoneEnterpriseNetworkSite Business Planning and LogisticsNetworkE-Mail,Intranet, etc.FactoryTalkEngineering Site BusinessDomain Planning and Logistics NetworkDirectoryWorkstationControllerSite ManufacturingOperations and ControlEnterpriseZoneManufacturingZoneAir gap . Clipboard & SneakernetLevel onInterface Server3Site ManufacturingZoneCell/AreaOperationsand ControlBasic ControlLevel 1Level 2Level eratorInterface stationRobotsBasic ControlLevel 1Level obotsCell/AreaZoneProcessInnovation & AgilityConvergenceChallengesChallenges TrafficDuplicationmanagementof efforts, prone to errors SecurityNo remote access False sense of security 2009 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved.