
Designing EtherNet/IP Machine/Skid Level Networks

Rev 5058-CO900D

Copyright 2013 Rockwell Automation, Inc. All Rights Reserved.

Session Description

EtherNet/IP provides a single network technology for motion, safety, discrete, drives, and process applications. In this session you will learn recommended machine level architectures with best practices, and design considerations for typical machine control system applications. A prior understanding of general Ethernet concepts, or attendance of the Fundamentals of EtherNet/IP session, is recommended.

Agenda

- Selecting Infrastructure
- Information Integration
- Best Practices and Example Architectures
- Where to learn more

Machine level Network Considerations

- Control requirements
  - I/O and motion control: how much, how fast
- Integration to upstream or downstream equipment
  - Line controller
  - Safety interlocking
- Integration of data
  - SQL or other servers for data collection and monitoring
  - Supply chain integration
- Remote access
  - Troubleshooting, monitoring, program changes

Agenda: Selecting Infrastructure

Switch Considerations

Managed switches
  Advantages:
  - Segmentation services (VLANs)
  - Diagnostic information
  - Security services
  - Prioritization services (QoS)
  - Multicast management services
  - Network resiliency
  - Loop prevention
  Disadvantages:
  - More expensive
  - Requires some level of support and configuration to start up

Unmanaged switches
  Advantages:
  - Inexpensive
  - Simple to set up
  Disadvantages:
  - No management capabilities
  - No security
  - No diagnostic information
  - Difficult to troubleshoot
  - No resiliency support
  - No loop prevention

Embedded switches
  Advantages:
  - Diagnostic information
  - Prioritization services (QoS)
  - Time sync services (1588 Transparent Clock)
  - Network resiliency
  - Loop prevention
  Disadvantages:
  - Limited management capabilities
  - May require minimal configuration

Topology Flexibility with EtherNet/IP

- LINEAR: simplify cable management
- STAR: connect a broad range of devices
- RING: maximum availability
- HYBRID: obtain maximum flexibility

EtherNet/IP is topology neutral for maximum flexibility.

Technology Segmentation

[Figure: a ControlLogix chassis bridging separate network technologies: EtherNet/IP (Stratix 8000 switch, PV+ EOI, PowerFlex 755, POINT I/O, ArmorBlock I/O), SERCOS (Kinetix 6000), DeviceNet, and a separate Safety System.]

CIP Bridge Segmentation

[Figure: the same devices with the ControlLogix chassis acting as a CIP bridge between two EtherNet/IP segments (Stratix 8000, PV+ EOI on one side; ArmorBlock I/O, POINT I/O, Kinetix 6000, PowerFlex 755 on the other), Sercos, and the Safety System.]

Converged Network Segmentation

[Figure: one physical EtherNet/IP network on a Stratix 8300 switch, logically segmented into a Remote User VLAN, several Control VLANs (ControlLogix chassis, PV+ EOI, PowerFlex 755, Kinetix 6000, POINT I/O, ArmorBlock I/O), a Safety VLAN (Safety System), and a Video VLAN.]

Converged Network Segmentation

[Figure: plant-wide view. Enterprise Zone (Enterprise Network: ERP, Email, Wide Area Network (WAN)), separated by a DMZ from the Industrial Zone. The Industrial Zone core is two Catalyst 3750 series switch stacks feeding Cell/Area Zones #1 through #4; wireless access via a Lightweight AP (LWAP), a Mobile User, and an AP acting as Workgroup Bridge (WGB).]

Security Considerations

Physical access security
- Disable unused switch ports
- Lock a port to only allow specific devices to be connected
- Change passwords from default settings

Access control lists and firewall features
- Limit access to secure areas of the network
- Limit access to secure services on the network
- Block remote access to secured devices

VLANs
- Simplify security enforcement by creating function groups
- Control access by function, by user, by location, etc.

Infrastructure Performance: Bandwidth

[Figure: example machine network with I/O connections at 4 ms updates (1 at 4 ms RPI) and 10 ms RPI (3 at 10 ms RPI).]

Total 8,100 PPS (less than 10% of bandwidth on a single link)
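To show where a figure like "less than 10% of a link" comes from, here is an added packet-rate and link-utilization calculation (example code, not from the presentation). It assumes each CIP implicit I/O connection sends one frame per RPI in each direction, a 100 Mbps link, and a constructed payload size; the slide's 8,100 PPS total is used only as an input.

```python
# Constructed example: packet rate and link share of cyclic EtherNet/IP I/O.
# Assumption: each I/O connection produces one frame per RPI in each direction
# (producer -> consumer and consumer -> producer), so a connection at RPI r ms
# contributes 2 * 1000 / r packets per second.

def cip_io_packets_per_second(connections):
    """connections: iterable of (count, rpi_ms) groups, e.g. [(1, 4), (3, 10)]."""
    return sum(count * 2 * 1000.0 / rpi_ms for count, rpi_ms in connections)


def wire_bytes_per_frame(payload_bytes):
    """Bytes a frame occupies on the wire: payload + 18 bytes of Ethernet header
    and FCS, padded to the 64-byte minimum frame, plus 8 bytes preamble/SFD and
    12 bytes inter-frame gap (20 bytes of overhead that carry no data)."""
    frame = max(payload_bytes + 18, 64)
    return frame + 20


def link_utilization(pps, payload_bytes, link_mbps=100):
    """Fraction of a link's capacity consumed by pps frames of the given payload."""
    bits_per_second = pps * wire_bytes_per_frame(payload_bytes) * 8
    return bits_per_second / (link_mbps * 1_000_000)


def within_budget(pps, payload_bytes, link_mbps=100, budget=0.10):
    """True when the cyclic traffic stays under the budget (10% by default)."""
    return link_utilization(pps, payload_bytes, link_mbps) < budget


if __name__ == "__main__":
    print(cip_io_packets_per_second([(1, 4), (3, 10)]))   # 1100.0
    print(link_utilization(8100, 100))                    # ~0.089 on 100 Mbps
    print(within_budget(8100, 100))                       # True
```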

Infrastructure Performance: Jitter

[Figure: same example network, jitter measured on connections at 4 ms updates (1 at 4 ms RPI) and 10 ms RPI (3 at 10 ms RPI).]

CIP Sync System of Clocks

[Figure: CIP Sync clock hierarchy with a HIPROM GPS (HP-GPS) module as Grandmaster (GM), distributing time through EN2T and CNB/E communication modules to an L63 controller and an OB16IS scheduled output module.]

Agenda: Information Integration

Physical vs. Logical segmentation

Isolated networks: two NICs for physical network segmentation (separate Information Network and Control Network)
  Benefits:
  - Clear network ownership demarcation line
  Challenges:
  - Limited visibility to control network devices for asset management
  - Limited future-ready capability

Converged networks: logical segmentation (one Control and Information Network)
  Benefits:
  - Plantwide information sharing for data collection and asset management
  - Future-ready
  Challenges:
  - Blurred network ownership demarcation line
  - IP address management

Network Address Translation

[Figure: a line network (10.104.x.x) with a CMX at 10.104.2.100 sending a message to Machine 2 at its line-network address 10.104.100.23. Machine 1 and Machine 2 each use the same private addresses internally (192.168.1.100, 192.168.1.104); each machine's NAT device maps 10.104.x.x to 192.168.1.x. Within a machine, devices are addressed as 192.168.1.x; between machine and line network, by the translated 10.104.x.x addresses.]

Connectivity to Plant: Dual NIC vs. NAT

[Figure: left, a CompactLogix L4 with two Ethernet interfaces, one on the plant network (10.10.10.10) and one on the machine network (192.168.1.2) with a PV+ or PV+ Compact and PowerFlex 4/40 AC drives; right, a CompactLogix 5370 L3 with a single interface behind a NAT device that maps 10.10.10.10 to 192.168.1.2.]

Dual NIC
  Pros:
  - IP addresses private to machine
  - IT manages external IP address
  - Program does not change when IT address changes
  Cons:
  - 2 communications interfaces in controller
  - Web diagnostics not available outside machine
  - Many network services will not pass through this gateway (SNMP, DNS, DHCP, etc.)
  - Knowledge of route path at the application level

NAT
  Pros:
  - IP addresses private to machine
  - 1 communications interface in controller
  - Web diagnostics available outside machine
  Cons:
  - Additional cost for NAT device or switch
  - Some additional complexity and management

Connectivity to Plant: IP Routing vs. NAT

[Figure: left, a Plant VLAN and a Machine VLAN (PV+ or PV+ Compact, PowerFlex 4/40 AC drives) joined by a Layer 3 switch, the controller reachable as 10.10.10.10; right, a CompactLogix 5370 L3 behind a NAT device that maps 10.10.10.10 to 192.168.1.2.]

IP Routing
  Pros:
  - No machine level switch configuration needed if the machine is a single VLAN
  - Removes the single point of failure of a NAT device
  - Designed to allow network services (SNMP, VPN, DNS, DHCP)
  Cons:
  - IP addressing must be unique at the machine level

NAT
  Pros:
  - IP addresses private to machine (not visible outside of machine network)
  - Web diagnostics available outside machine
  Cons:
  - Additional cost for NAT device or switch
  - Some additional complexity and management

Strengths and Weaknesses: NAT vs. Layer 3 routing

| Criterion | NAT router | IP-routing |
|---|---|---|
| Design and Install: pre-commissioning at equipment manufacturer | easily possible (+) | equipment manufacturer requires a planned address list (-) |
| Design and Install: duplication of equipment | easily possible (+) | IP addressing in programs may differ (-) |
| Design and Install: avoid address collision with other users of private addresses | easily possible (+) | centralized management of the entire address space needed (-) |
| Operate and Maintain: additional maintenance effort for the required 1:1 NAT address mappings (private to public) | required (-) | not required (+) |
| Operate and Maintain: failure probability | NAT router is a "single point of failure" (-) | low because of redundant router/layer 3 switch (+) |
| Operate and Maintain: availability of network services (i.e. DHCP, DNS, remote access) | difficult (-) | easily possible (+) |
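The 1:1 NAT mapping that the NAT figure and the table above describe, as an added model (example code, not from the presentation or any Rockwell product): two identical machines keep the same private 192.168.1.x addresses while each exposes distinct 10.104.x.x addresses on the line network, and a line-wide check catches the address collisions the table warns about. The specific public addresses assigned to each machine are constructed assumptions.

```python
import ipaddress


class MachineNat:
    """1:1 NAT table for one machine: line-network (public) address <-> machine-private address.
    Constructed model of the concept; not a NAT device's configuration format."""

    def __init__(self, name, public_net, private_net):
        self.name = name
        self.public_net = ipaddress.ip_network(public_net)
        self.private_net = ipaddress.ip_network(private_net)
        self.public_to_private = {}

    def add(self, public_ip, private_ip):
        pub, priv = ipaddress.ip_address(public_ip), ipaddress.ip_address(private_ip)
        if pub not in self.public_net or priv not in self.private_net:
            raise ValueError(f"{self.name}: {pub}->{priv} outside configured ranges")
        # A 1:1 table must be unique in both directions.
        if pub in self.public_to_private or priv in self.public_to_private.values():
            raise ValueError(f"{self.name}: {pub} or {priv} already mapped")
        self.public_to_private[pub] = priv

    def inbound(self, dst_public):
        """Destination rewrite for a packet entering the machine from the line network."""
        return str(self.public_to_private[ipaddress.ip_address(dst_public)])

    def outbound(self, src_private):
        """Source rewrite for a packet leaving the machine; unmapped devices stay machine-local."""
        priv = ipaddress.ip_address(src_private)
        for pub, mapped in self.public_to_private.items():
            if mapped == priv:
                return str(pub)
        raise KeyError(f"{self.name}: {priv} has no public mapping")


def line_network_collisions(machines):
    """Public addresses claimed by more than one machine's NAT table (must be empty)."""
    seen, collisions = {}, set()
    for m in machines:
        for pub in m.public_to_private:
            if pub in seen:
                collisions.add(str(pub))
            seen[pub] = m.name
    return sorted(collisions)


def build_example():
    """Two duplicated machines with identical private addressing (constructed data)."""
    m1 = MachineNat("Machine 1", "10.104.0.0/16", "192.168.1.0/24")
    m2 = MachineNat("Machine 2", "10.104.0.0/16", "192.168.1.0/24")
    m1.add("10.104.100.10", "192.168.1.100")   # assumed public address for Machine 1
    m1.add("10.104.100.14", "192.168.1.104")
    m2.add("10.104.100.23", "192.168.1.100")   # public address shown in the figure
    m2.add("10.104.100.27", "192.168.1.104")
    return m1, m2
```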

Remote Access Approaches

Inside-Out
- Remote desktop
- Conference technology

Outside-In
- VPN
- Dial-up modems

Secure Remote Access

From Cisco and Rockwell Automation:
- Meeting the security requirements of IT while enabling manufacturers to leverage shared, distributed company resources and trusted partners
- Management of assets: monitor, configure and audit
- Simplify change management, version control, regulatory compliance and software license management
- Simplify remote client health management
- Secure remote access for employees and trusted partners such as machine builders and system integrators

[Figure: a Remote Engineer or Partner and an Enterprise Connected Engineer reach the plant over the Internet and Enterprise WAN (SSL VPN, IPsec VPN, HTTPS; Cisco VPN Client) through the Enterprise Edge Firewall into the Enterprise Zone, Levels 4 and 5 (Enterprise Data Center, Patch Management, Terminal Services, Application Mirror, AV Server). A Demilitarized Zone (DMZ) built on Cisco ASA 5500 firewalls (active/standby with Gbps link failover detection) hosts a Remote Access Server reached via Remote Desktop Protocol (RDP). Below it, the Manufacturing Zone, Site Manufacturing Operations and Control, Level 3 (Catalyst 6500/4500, Catalyst 3750 StackWise switch stack) hosts FactoryTalk Application Servers (View, Historian, AssetCentre, Transaction Manager), FactoryTalk Services Platform (Directory, Security/Audit), Data Servers, RSLogix 5000 and FactoryTalk View Studio, connecting over EtherNet/IP to the Cell/Area Zones, Levels 0-2.]

Agenda: Best Practices and Example Architectures

Machine with motion and safety

[Figure: a GuardLogix controller on an Ethernet switch, with a PanelView Plus HMI, vision, EtherNet/IP I/O, PowerFlex drives and Kinetix 6500 servo drives all on EtherNet/IP.]

Process Skid application

[Figure: a CompactLogix controller with plant network connectivity to the HMI / SCADA system; Point I/O, PowerFlex 40 VFDs and a PanelView Plus CE on the skid network. Discrete (on/off) sensors: 840E level sensor, 837 temperature sensor, 836 pressure sensor. Analog/network transmitters: 837E temperature transmitters, 836E pressure transmitters, 839E flow transmitters, or 873P ultrasonic level sensors.]

Machine level best practices summary

Best practices for machine level design:
- Verify physical layer devices
- Verify speed and duplex settings on devices (should be running at 100/Full Duplex)
- Use Gigabit ports whenever possible for trunks and uplinks between switches
- Apply port security to protect open ports on the switch
- Apply passwords to the switches to prevent unauthorized changes
- Limit the size of the broadcast domain with segmentation
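The physical access items from the Security Considerations slide and the port-security and password items in the summary above can be checked rather than just remembered. Here is an added configuration audit (example code, not from the presentation) that reads an IOS-style switch running-config and flags active ports without port security and a plaintext enable password; the sample config is constructed, and the exact commands are assumed to match the switch's syntax.

```python
import re

# Constructed sample running-config (not captured from any real switch).
SAMPLE_CONFIG = """\
hostname MACHINE-SW1
enable password cisco
!
interface FastEthernet1/1
 description PLC
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
!
interface FastEthernet1/2
 description HMI
!
interface FastEthernet1/3
 shutdown
!
interface GigabitEthernet1/1
 description Uplink to line switch
"""


def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented config lines."""
    ifaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif line.startswith(" ") and current is not None:
            ifaces[current].append(line.strip())
        else:
            current = None          # '!' or a global command ends the stanza
    return ifaces


def audit(config, exempt=()):
    """Findings for: plaintext enable password; active ports lacking port security.
    Ports in `exempt` (e.g. uplinks/trunks handled by other controls) are skipped."""
    findings = []
    if re.search(r"^enable password ", config, re.M):
        findings.append("global: plaintext 'enable password' set; use 'enable secret' and change the default")
    for name, lines in parse_interfaces(config).items():
        if name in exempt or "shutdown" in lines:
            continue                # disabled unused port: compliant
        if not any(l.startswith("switchport port-security") for l in lines):
            findings.append(f"{name}: active port without port security (not locked to a device)")
    return findings
```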

Agenda: Where to learn more

Additional Material: Rockwell Automation

- Networks website: http://www.ab.com/networks/
- EtherNet/IP website: http://www.ab.com/networks/ethernet/
- Publications:
  - ENET-UM001-EN-P EtherNet/IP Network Configuration
  - ENET-AP005-EN-P Embedded Switch Application Guide
  - ENET-RM002-EN-P EtherNet/IP Design Considerations
- Network and Security Services websites:
  - http://www.rockwellautomation.com/services/networks/
  - http://www.rockwellautomation.com/services/security/
- ODVA website: http://www.odva.org

Additional Material: Cisco and Rockwell Automation Alliance

- Website: http://www.ab.com/networks/architectures.html
- Design guides: CPwE DIG 2.0
- Education series
- Whitepapers:
  - Securing Manufacturing Computer and Controller Assets
  - Production Software within Manufacturing Reference Architectures
  - Achieving Secure Remote Access to Plant Floor Applications and Data

Additional Material: Cisco and Rockwell Automation Alliance

Education Series Webcasts
- The Trend: Network Technology and Cultural Convergence
- What every IT professional should know about Plant Floor Networking
- What every Plant Floor Controls Engineer should know about working with IT
- Industrial Ethernet: Introduction to Resiliency
- Fundamentals of Secure Remote Access for Plant Floor Applications and Data
- Securing Architectures and Applications for Network Convergence

Available online: http://www.ab.com/networks/architectures.html

Questions?

Thank you for participating!

Please remember to tidy up your work area for the next session.
We want your feedback! Please complete the session survey!