designing ethernet/ip: machine/skid level

Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved.Rev 5058-CO900D

Designing EtherNet/IP Machine/Skid Level Networks

Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved.

EtherNet/IP provides a single network technology for motion, safety, discrete, drives, and process applications. In this session you will learn recommended machine level architectures with best practices, and design considerations for typical machine control system applications. A prior understanding of general Ethernet concepts, or attendance of the Fundamentals of EtherNet/IP session is recommended.

2

Session Description


Agenda

33

Selecting Infrastructure

Information Integration

3

Reference Architectures Solutions

Best Practices and Example Architectures

Where to learn more


Machine level Network Considerations

44

Control Requirements• I/O and motion control how much how fast

Integration to upstream or downstream equipment• Line Controller• Safety interlocking

Integration of data• SQL or other servers for data collection and monitoring• Supply chain integration

Remote Access• Troubleshooting, monitoring, program changes


Agenda

55

Selecting Infrastructure

5



Advantages Disadvantages

Managed Switches

Unmanaged Switches

Embedded Switches

• Segmentation services (VLANs)• Diagnostic information• Security services• Prioritization services (QoS)• Multicast management services• Network resiliency• Loop prevention

• Inexpensive• Simple to set up

• More expensive• Requires some level of support and

configuration to start up

• No management capabilities• No security• No diagnostic information• Difficult to troubleshoot• No resiliency support• No loop prevention

• Diagnostic information• Prioritization services (QoS)• Time Sync Services (1588 Transparent

Clock)• Network resiliency• Loop prevention

• Limited management capabilities• May require minimal configuration

Switch Considerations


Topology Flexibility with EtherNet/IP

EtherNet/IP is topology neutral for maximum flexibility

HYBRID – Obtain maximum flexibilityLINEAR - Simplify cable management STAR– Connect broad range of devices

RING – Maximum availability


Technology Segmentation

ControlLogix chassis

Stratix 8000 PowerFlex 755

ArmorBlock I/O

SERCOS

EtherNet/IP

DeviceNetPV+ EOI

Kinetix6000

POINT I/O

Safety System


ArmorBlock I/O

CIP Bridge Segmentation


Stratix 8000

PowerFlex 755

EtherNet/IPPV+ EOI

Kinetix6000

POINT I/O

Safety System

EtherNet/IP

Sercos


Converged Network Segmentation


PowerFlex 755

ArmorBlock I/O

EtherNet/IPPV+ EOI

Kinetix6000

PV+ EOI

POINT I/O Safety System

Stratix 8300

Remote User VLAN

Control Vlan

Control VLAN

Safety VLAN

Control VLAN

Control VLAN

Video VLAN

Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved.Cell/Area Zone #3 Cell/Area Zone #4Cell/Area Zone #1 Cell/Area Zone #2

IndustrialZone

DMZ

Enterprise Zone Enterprise Network

Mobile User

Lightweight AP (LWAP)

AP as WorkgroupBridge (WGB)

ERP, Email, Wide Area Network (WAN)

MODE

STACKSPEEDDUPLXSTATMASTRRPSSYST

Catalyst 3750 SERIES

1 2 3 4 5 6 7 8 9 10 11 12

1X

2X

11X

12X

13 14 15 16 17 18 19 20 21 22 23 24

13X

14X

23X

24X

1 2 3 4

MODE

STACKSPEEDDUPLXSTATMASTRRPSSYST

Catalyst 3750 SERIES

1 2 3 4 5 6 7 8 9 10 11 12

1X

2X

11X

12X

13 14 15 16 17 18 19 20 21 22 23 24

13X

14X

23X

24X

1 2 3 4

Converged Network Segmentation


Security Considerations

Physical Access Security Disable unused switch ports Lock a port to only allow specific devices to be

connected Change passwords from default settings

Access Control Lists and Firewall Features Limit access to secure areas of the network. Limit access to secure services on the

network Block remote access to secured devices

VLANs Simplify security enforcement by creating

function groups Control Access by function, by user, by

location, etc.

Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved. 13

Infrastructure PerformanceBandwidth

10ms RPI

1 at 4ms RPI

3 at 10ms RPI

4ms updates

Total 8,100 PPS (Less than 10% of bandwidth on a single link)


Infrastructure PerformanceJitter

10ms RPI

1 at 4ms RPI

3 at 10ms RPI

4ms updates


CIP Sync – System of Clocks

15

0000 0000 0000

HIPROM GPS

OB16IS

OB16IS

L63L63

CN

B/EC

NB

/E

EN2T

EN2T

HP-G

PSH

P-G

PS

Copy

M

SS

GMSM

S


Agenda

16Copyright © 2009 Rockwell Automation, Inc. All rights reserved. 16

Information Integration

16



Physical vs. Logical segmentation

17

• Isolated networks - two NICs for physical network segmentation

• Converged networks - logical segmentation

• Benefits– Clear network ownership demarcation line

• Challenges– Limited visibility to control network devices

for asset management– Limited future-ready capability

• Benefits– Plantwide information sharing for data

collection and asset management– Future-ready

• Challenges– Blurred network ownership demarcation line– IP address management

Control Network

Information Network

Controland

InformationNetwork


Network Address Translation

Machine 1 NAT10.104.x.x : 192.168.1.x

Machine 2 NAT10.104.x.x : 192.168.1.x

192.168.1.104 192.168.1.104

10.104.100.23

192.168.1.100

Within a Machine Between Machine and Line Network

Send message to Machine 2

CMX10.104.2.100

192.168.1.100


Connectivity to Plant Dual NIC vs. NAT

19

CompactLogix L4

PowerFlex 4/40 AC Drive

PV+ or PV+ Compact

Plant

10.10.10.10

192.168.1.2 CompactLogix 5370 L3PowerFlex 4/40 AC Drive

PV+ or PV+ Compact

Plant

10.10.10.10 192.168.1.2

Dual NICPros:• IP Addresses private to machine• IT manage external IP address• Program does not change when IT address changesCons:• 2 Communications interfaces in controller• Web diagnostics not available outside machine• Many network services will not pass through this

gateway (SNMP, DNS, DHCP, etc.)• Knowledge of route path at the application level

NATPros:• IP Addresses private to machine• 1 Communications interface in controller• Web diagnostics available outside machineCons:• Additional cost for NAT device or switch• Some additional complexity and management


Connectivity to Plant IP Routing vs. NAT

20

PowerFlex 4/40 AC Drive

PV+ or PV+ Compact

Plant VLAN

10.10.10.10

CompactLogix 5370 L3PowerFlex 4/40 AC Drive

PV+ or PV+ Compact

Plant

10.10.10.10 192.168.1.2

IP RoutingPros:• No machine level switch configuration needed if the

machine is a single VLAN• Removes “single point of failure” for NAT device• Designed to allow network services (SNMP, VPN,

DNS, DHCP)Cons:• IP addressing must be unique at the machine level

NATPros:• IP Addresses private to machine (not visible outside of

machine network)• Web diagnostics available outside machineCons:• Additional cost for NAT device or switch• Some additional complexity and management

Machine VLAN


Strengths and Weaknesses NAT vs Layer 3 routingCriterion NAT router IP-routing

For pre-commissioning at equipment manufacturer

easily possible (+) Equipment manufacturer requires a planned address list (-)

Duplication of equipment easily possible (+) IP addressing in programs may differ (-)

Avoid address collision with other users of private addresses

easily possible (+) Centralized management of the entire address space needed (-)

Additional maintenance effort for the required 1:1 NAT address mappings (private ↔ public)

required (-) not required (+)

Failure probability NAT router is a "single point of failure" (-)

Low because of redundant router/layer 3 switch (+)

Availabilty of network services (ie. DHCP, DNS, Remote access)

difficult (-) easily possible (+)

Design andInstall

Operate andMaintain


Remote Access Approaches

22

Inside-Out

• Remote Desktop

• Conference Technology

Outside-In

• VPN • Dial-Up

Modems


Secure Remote AccessFrom Cisco and Rockwell Automation

23

Levels 0–2Cell/Area Zones

Demilitarized Zone (DMZ)

Demilitarized Zone (DMZ)

Enterprise ZoneLevels 4 and 5

Manufacturing Zone Site Manufacturing

Operations and ControlLevel 3

Internet

Enterprise ZoneLevels 4 and 5

EnterpriseWAN

EnterpriseData Center

Gbps Link FailoverDetection

Firewall(Active)Firewall

(Standby)

Patch ManagementTerminal ServicesApplication MirrorAV Server

CiscoASA 5500

Remote Access Server• RSLogix 5000• FactoryTalk View Studio

Catalyst6500/4500

Remote Engineeror Partner

EnterpriseConnectedEngineer

Enterprise EdgeFirewall

HTTPS

Cisco VPN Client

Remote Desktop Protocol (RDP)

Catalyst 3750StackWise

Switch Stack

EtherNet/IP

I PS ECVPN

SS LVPN

FactoryTalk Application Servers• View• Historian• AssetCentre• Transaction ManagerFactoryTalk Services Platform• Directory• Security/AuditData Servers

Secure remote access for employees and trusted partners such as machine builders and system integrators• Meeting the security requirements

of IT while enabling manufacturers to leverage shared, distributed company resources and trusted partners

• Management of assets - monitor, configure and audit

• Simplify change management, version control, regulatory compliance and software license management

• Simplify remote clienthealth management


Agenda

242424

Best Practices and Example Architectures


Machine with motion and safety

Copyright © 2010 Rockwell Automation, Inc. All rights reserved. 25

Vision

Kinetix 6500 Servo Drives

PanelView Plus HMI

GuardLogix Controller

EtherNet/IPEthernet Switch

I/O

EtherNet/IP

PowerFlexDrives


Process Skid application

HMI / SCADA System

CompactLogix

PowerFlex40 VFD’sPoint I/O

PanelviewPlusCE

836E Pressure Transmitters

837E Temperature Transmitters

839E Flow Transmitters

873P Ultrasonic Level Sensors

840E Level Sensor

Discrete (On / Off) Sensors836 Pressure Sensor

837 Temperature Sensor

OR

Plant Network Connectivity


Machine level best practices summary

27

Best practices for machine level design:• Verify Physical Layer devices• Verify Speed and Duplex settings on

devices (should be running at 100/Full Duplex)

• Use Gigabit ports whenever possible for trunks and uplinks between switches

• Apply port security to protect open ports on the switch

• Apply password to the switches to prevent unauthorized changes

• Limit the size of broadcast domain with segmentation


Agenda

282828

Reference Architectures SolutionsWhere to learn more


Additional MaterialRockwell Automation

29

Networks Website: http://www.ab.com/networks/ EtherNet/IP Website: http://www.ab.com/networks/ethernet/ Publications:

ENET-UM001-EN-P EtherNet/IP Network Configuration ENET-AP005-EN-P Embedded Switch application guide ENET-RM002-EN-P EtherNet/IP Design Considerations

Network and Security Services Website: http://www.rockwellautomation.com/services/networks/ http://www.rockwellautomation.com/services/security/

ODVA Website http://www.odva.org


Additional MaterialCisco and Rockwell Automation Alliance

30

Website http://www.ab.com/networks/architectures.html

Design Guides CPwE DIG 2.0

Education Series Whitepapers

Securing Manufacturing Computer andController Assets

Production Software within ManufacturingReference Architectures

Achieving Secure Remote Access to Plant FloorApplications and Data


Additional MaterialCisco and Rockwell Automation Alliance

31

Education Series Webcasts

The Trend - Network Technology and Cultural Convergence

What every IT professional should know about Plant Floor Networking

What every Plant Floor Controls Engineer should know about working with IT

Industrial Ethernet: Introduction to Resiliency Fundamentals of Secure Remote Access

for Plant Floor Applications and Data Securing Architectures and Applications

for Network Convergence

Available Online

http://www.ab.com/networks/architectures.html


Questions?


Thank you for participating!Please remember to tidy up your work area for the next session.We want your feedback! Please complete the session survey!