
L03 - Applying Advanced EtherNet/IP Features in Converged Plant-wide Ethernet Architectures

For Classroom Use Only!


Important User Information

This documentation, whether illustrative, printed, online or electronic (hereinafter Documentation) is intended for use only as a
learning aid when using Rockwell Automation approved demonstration hardware, software and firmware. The Documentation
should only be used as a learning tool by qualified professionals.

The variety of uses for the hardware, software and firmware (hereinafter Products) described in this Documentation, mandates
that those responsible for the application and use of those Products must satisfy themselves that all necessary steps have been
taken to ensure that each application and actual use meets all performance and safety requirements, including any applicable
laws, regulations, codes and standards in addition to any applicable technical documents.

In no event will Rockwell Automation, Inc., or any of its affiliate or subsidiary companies (hereinafter Rockwell Automation) be
responsible or liable for any indirect or consequential damages resulting from the use or application of the Products described
in this Documentation. Rockwell Automation does not assume responsibility or liability for damages of any kind based on the
alleged use of, or reliance on, this Documentation.

No patent liability is assumed by Rockwell Automation with respect to use of information, circuits, equipment, or
software described in the Documentation.

Except as specifically agreed in writing as part of a maintenance or support contract, equipment users are responsible for:
properly using, calibrating, operating, monitoring and maintaining all Products consistent with all Rockwell
Automation or third-party provided instructions, warnings, recommendations and documentation;
ensuring that only properly trained personnel use, operate and maintain the Products at all times;
staying informed of all Product updates and alerts and implementing all updates and fixes; and
all other factors affecting the Products that are outside of the direct control of Rockwell Automation.

Reproduction of the contents of the Documentation, in whole or in part, without written permission of Rockwell Automation
is prohibited.

Throughout this manual we use the following notes to make you aware of safety considerations:

Identifies information about practices or circumstances that can cause an explosion in a hazardous
environment, which may lead to personal injury or death, property damage, or economic loss.

Identifies information that is critical for successful application and understanding of the product.

Identifies information about practices or circumstances that can lead to personal injury or death, property
damage, or economic loss. Attentions help you:
identify a hazard
avoid a hazard
recognize the consequence

Labels may be located on or inside the drive to alert people that dangerous voltage may be present.

Labels may be located on or inside the drive to alert people that surfaces may be dangerous temperatures.
About This Lab

Welcome to the Applying Advanced EtherNet/IP Features in Converged Plant-wide Ethernet Architectures Lab. The Stratix
5700 and Stratix 8000 are Rockwell Automation managed Ethernet switches that utilize Cisco technology and offer the best of
both worlds: the best of Cisco and the best of Allen-Bradley.
The Stratix family of switches utilizes the Cisco Catalyst switch architecture and feature set, leveraging powerful configuration
tools, to provide secure integration with the enterprise network while at the same time supporting a familiar structure for IT
professionals.
Both the Stratix 5700 and 8000 Switches allow for easy setup and comprehensive diagnostics from within the Rockwell
Automation Integrated Architecture. These switches can be configured using Studio 5000 programming software. They also
automatically generate Logix tags for integrated diagnostics and include FactoryTalk View faceplates for status monitoring and
alarming. Together these features provide for an easy integration of networking devices into control and automation
architectures.
This lab covers a variety of advanced techniques, best practices, software packages, and products using EtherNet/IP. It will
demonstrate Network Address Translation (NAT) in Layer 2 as well as Layer 3 architectures, Virtual LAN (VLAN) segmentation,
and Connected Routing. A prior understanding of general Ethernet concepts, including switching and routing is recommended.
It is also recommended (but not required) to complete Applying Basic EtherNet/IP Features in Converged Plant-wide Ethernet
Architectures lab before starting this lab.

What You Will Accomplish In This Lab

As you complete the exercises in this hands-on session, you will:


Learn how to set up the advanced functions of the Stratix family of managed Ethernet switches.
Learn how to configure the Stratix 5700 and Stratix 8000 via either of the following methods:
o Device Manager outlines basic and advanced configurations along with troubleshooting tools
o Studio 5000 outlines basic and advanced configurations along with diagnostics and troubleshooting tools
available for use within a Studio 5000 program
Learn how to set up NAT in Layer 2 and 3 Architectures.
Learn how to segment a network with multiple VLANs and set up Connected Routing.
Learn how to use DHCP Persistence for automatic IP address assignment.
Lab 1 will walk you through the steps of setting up NAT for a Layer 2 architecture system using Device Manager.
Lab 2 will walk you through the steps of VLAN assignment and network segmentation, Connected Routing and NAT in a Layer 3
architecture.

About Stratix 5700

In this lab, we will introduce you to the Stratix 5700 Ethernet managed switch with Cisco technology. The Stratix 5700
Managed Ethernet Switch is equipped with up to 20 ports that can include standard 10/100Mbps copper ports,
10/100/1000Mbps copper ports (optional), and SFP (Small Form factor Pluggable) fiber optic ports (optional).

There are two power connectors on the top right of the switch. You can connect the switch to two separate 24VDC
power sources for redundancy.
Additional connectors on the bottom right provide hardwired contacts for major and minor alarms.
The Express Setup button is located on the top. Express Setup allows you to easily configure the switch for
EtherNet/IP networks.
The Console ports on the top (RJ-45 or USB connector) allow direct access to the switch via Cisco's Command Line
Interface (CLI).
The Secure Digital (SD) card slot is located in the bottom. The optional SD card allows you to simplify device
replacement by storing switch configuration and firmware.
The Stratix 5700 can be managed via the Device Manager Web interface for configuration, troubleshooting and monitoring.
Using this software, real-time information can be viewed. In addition to the Device Manager, the switch can also be managed via
the Studio 5000 environment after Express Setup on the switch is complete.

The advanced features of the Stratix 5700 switch that are covered in this lab include Virtual LAN (VLAN) and Network
Address Translation (NAT).

A complete description of the hardware and software features of the Stratix 5700 switch can be found in the
Stratix Managed Switches User Manual (Publication 1783-UM007).

About Stratix 8000

In this lab, we will also use the Stratix 8000 Ethernet managed switch with Cisco technology. The Stratix 8000 Managed
Ethernet Switch is a modular switch that can be expanded up to 26 ports with the use of expansion modules.

There are two 24VDC power connectors on the top left of the switch. Additional connections on the power connectors
provide hardwired contacts for major and minor alarms.
The Express Setup button is located below the power connections. Express Setup allows you to easily configure the
switch for EtherNet/IP networks.
The Console port on the left (RJ-45 connector) allows direct access to the switch via Cisco's Command Line Interface
(CLI).
The CompactFlash card slot is located in the bottom. The flash card stores the switch configuration and firmware and
can be used for quick hardware replacement.
The Stratix 8000 can be managed via the Device Manager Web interface for configuration, troubleshooting and monitoring.
Using this software, real-time information can be viewed. In addition to the Device Manager, the switch can also be managed via
the Studio 5000 environment after Express Setup on the switch is complete.

The advanced features of the Stratix 8000 switch that are covered in this lab include Virtual LAN (VLAN), Dynamic Host
Configuration Protocol (DHCP) and Connected Routing.

A complete description of the hardware and software features of the Stratix 8000 switch can be found in the
Stratix Managed Switches User Manual (Publication 1783-UM007).

Before You Begin

Instructor Information
The Instructor Information outlines setting up, resetting and troubleshooting the Lab. Please refer to Appendix A in the back
of the Lab Manual for additional Instructor Information.

Tools and Prerequisites


PC with Microsoft Internet Explorer V9, V10, V11 or Mozilla Firefox V25, V26 with JavaScript enabled, Studio 5000
v26, FactoryTalk View Studio 8
Stratix 5700 with IOS 15.2(3).EA1 preloaded
Stratix 8000 with IOS 15.2(3).EA1 preloaded
Stratix switch Add-On Profile (AOP) v8.01.01 for Studio 5000
Stratix 5700 AOI and FactoryTalk View Faceplate v3.0
Stratix 8000 AOI and FactoryTalk View Faceplate v6.0

Hardware

This hands-on lab uses the following hardware:


ENET 21 Demo Box

(Photo labels: Machine Controller, POINT I/O, Stratix 5700, Line Controller, Stratix 8000)

Connecting your Lab Station

Look at the lab diagram below. This system is comprised of two ControlLogix controllers, a Stratix 8000 and Stratix 5700,
Point I/O, ETAP, ArmorBlock I/O and a computer.

The top ControlLogix chassis is called Machine Controller in the lab. It has two Ethernet modules: the module in slot 1
is connected to the Stratix 5700 switch, and the module in slot 3 is connected to the Device Level Ring.

The bottom ControlLogix chassis is called Line Controller in the lab. The Ethernet module in slot 1 is connected to the
Stratix 8000 switch.

We have already made the connections for you. Note that numbers on the cables in the demo box may not match
numbers on the diagram.

Lab 1: Network Address Translation (NAT) in a Layer 2 Architecture

Introduction
Machine or process skid integration into a plant's network can be difficult for several reasons. OEMs' IP-address
assignments rarely match those of the end user's addresses, and network IP addresses are generally unknown until
the machine is being installed, adding cost and time to the commissioning of the equipment. Multiple machines with
identical IP address schemes may create duplicate address issues. In some cases, there may not be enough free IP
addresses in the plant network to accommodate all new devices.
Network Address Translation (NAT) may help to solve these problems. NAT in the Allen-Bradley Stratix 5700 switch
is a hardware implementation that provides high performance wire speed translations and allows for:
Simplified IP-address mapping from machine-level IP addresses to the end user's plant IP addresses
Commissioning of standard "cookie cutter" machines to end users without reprogramming IP addresses
Easier machine maintenance because machine configuration and controller programs remain standard
The Stratix 5700 switch with NAT technology also allows users to isolate some of the machine traffic by determining
which devices should be exposed to the larger network via NAT translation. Limiting access only to certain devices
can help optimize network performance at the local level.

NAT in a Layer 2 architecture


The simplest architecture to apply NAT is a small scale Layer 2 network with a single VLAN and no Layer 3 switch.
The network diagram below depicts a Layer 2 architecture where the inside and outside zones comprise only one
VLAN. The inside zone would be the equivalent of a machine being added into a larger outside network. A Layer 3
device with routing capability is not required since all network traffic stays within the same VLAN.

Lab 1 Scenario
We want to add several machines to our current architecture with a single VLAN and no Layer 3 switch. Each
machine will have identical equipment and network layout. In order for us to have the same IP addressing for all
additional machines we will need to implement NAT.
Each demo box has a Line controller for supervisory control and a Machine controller for machine level operation.
We want to keep existing IP addresses on the machine and maintain only one Studio 5000 program for all machines
instead of having to reconfigure every device on each machine with new IP addresses. We will have to configure
NAT in the Stratix 5700 such that devices with existing Private IP addresses will be assigned a unique Public
address. We will also have to configure NAT to translate Public IP addresses, such as the Line controller and the PC,
to unique Private IP addresses.
The NAT and IP address configuration for Lab 1 is shown in the diagram below.
For the purposes of this lab, the upper ControlLogix chassis in your demo box represents the Machine
controller and the lower chassis represents the Line controller.

Note: NAT devices may use words such as "public" or "outside" to identify a larger (i.e. plant-wide) network
with a unique IP addressing scheme, and "private" or "inside" to describe smaller (i.e. machine-level) networks
with reusable IP addresses. The Stratix 5700 switch uses public / private terminology in the Device Manager.

Configuring NAT in the Stratix 5700 using the Device Manager Interface
First we will connect our PC to the machine level Stratix 5700 switch that has an IP Address of 192.168.1.2 and
configure NAT on this switch. The IP address of the PC is currently 192.168.1.30.
Because the 5700 switch has not been configured to do NAT yet, we cannot access the machine network
192.168.1.x from the line level switch (Stratix 8000) which operates in the 10.10.10.x IP subnet.

1. Unplug the PC cable from port Fa1/2 on the Stratix 8000.

Connect the PC cable to port Fa1/1 on the Stratix 5700.

2. Double-click on the desktop shortcut for the Local Area Connection.

3. Click Details. Verify that the IP address is set to 192.168.1.30. Close the open windows.

4. Now, let's open the Device Manager Interface for the Stratix 5700 switch by clicking the Internet Explorer icon
on the taskbar.

5. Type the IP address 192.168.1.2 of the Stratix 5700 in the address bar and press Enter.

6. In the authentication box shown below, leave username blank and type rockwell (all lowercase, no
quotes) as the password.

7. You are now in the Stratix 5700 Device Manager. Go to the Configure menu and then click on NAT.

8. You will configure your NAT Instances on this page. Click the Add button.

9. The Add / Edit NAT Instance configuration window will appear. This is where the NAT translations for the
instance and other parameters are entered.

10. Type Advanced_Lab in the Name field of the NAT instance.

Next we need to select what interfaces and VLANs we are assigning to this instance.

When assigning VLANs to a NAT instance, consider the following:


NAT implementation on the Stratix 5700 does NOT change VLAN tags. This means both your private
and public subnets, while different, need to share the same VLAN to communicate.
By default, each instance is assigned to all VLANs on port Gi1/1 and no instances on port Gi1/2:
If a VLAN is assigned to a NAT instance, its traffic is being translated or dropped according to the NAT
tables and configuration parameters of the NAT instance.
If a VLAN is not assigned to a NAT instance, its traffic remains untranslated and is permitted to pass
through the uplink (trunk) port.

8. In this lab we are using VLAN 10 and interface Gi1/1. Leave VLAN 10 checked and deselect all others.

9. Click the Add Row button in the Private to Public section. We are going to enter our Private to Public
translations first in the General tab. Make sure you click Save after each pair of addresses.

10. In the Private IP Address field and in the Public IP Address field, type the addresses shown in the table
above. Use type Single for each translation. Click Save after each pair of addresses. Click Add Row to
enter a new pair. See the table below for translations.

Private to Public NAT Table

Device          Private         Public
Stratix 5700    192.168.1.2     10.10.10.2
EN2TR           192.168.1.3     10.10.10.3
EN2TR DLR       192.168.1.4     10.10.10.4

11. Now click on the Public to Private tab and enter the translations for Public devices as shown in the table.

Public to Private NAT Table

Device          Public          Private
Stratix 8000    10.10.10.1      192.168.1.1
Line EN2TR      10.10.10.20     192.168.1.20
PC              10.10.10.30     192.168.1.30

We entered translations for one IP address at a time (Single translation type). You can also select a Range
type to translate a number of consecutive IP addresses, or a Subnet type to translate the whole IP subnet.

12. Click Submit to finalize the configuration and close the Device Manager.

Verifying NAT operation

13. After NAT is configured, we now want to connect our PC at the line (supervisory) level to the Stratix 8000
and change our PC's IP Address to the line network address of 10.10.10.30.

Remove the PC cable from Stratix 5700 Fa1/1. Connect the PC cable to Stratix 8000 Fa1/2 (lower switch).

14. Double-click on the Local Area Connection shortcut on the desktop and click Properties.
Select the IPv4 item and click Properties.

15. Change the PC's address to 10.10.10.30 and the local gateway address to 10.10.10.1.

16. Click OK and Close for both open windows to apply IP address changes.

Since we configured NAT on the Stratix 5700, we can now communicate with the machine network while
being connected to the line network (Stratix 8000).

17. Verify that the NAT configuration is working by opening Device Manager for the Stratix 5700. The address
we will now have to use to access the Stratix 5700 is the translated IP address of 10.10.10.2.

18. Once again you will be prompted to enter the authentication credentials in the box shown below, leave
username blank and type rockwell (all lowercase, no quotes) as the password. (Same as before)

19. Because we can access the switch at the translated address, and from what the Device Manager Dashboard
shows, we can see that the NAT instances are being applied.

20. We can also check that the NAT instances are working by clicking the Monitor tab and then selecting NAT
Statistics.

Verifying EtherNet/IP Communication through NAT
Now with the NAT instances configured and working we are ready to download the programs to the Line
and Machine controllers.

21. Open the Logix Files folder by using the shortcut on the desktop. Open Bottom_CLX_Line_Lab1.ACD file
to download the program to the Line controller (bottom chassis). Make sure that you select the right file
(Line_Lab1).

22. Click on the Who Active button. Expand the VLAN10 Ethernet driver. Browse to the Line processor
10.10.10.20, slot 0 and click Download.

23. Click Download.

24. Click Yes to change the controller to Remote Run mode.

25. If a pop-up window did not appear and ask to go to the Run Mode, click the drop-down in the online bar and
select Run Mode.

Now we are ready to download the program to the Machine controller (top chassis).

26. Open the Logix Files folder by using the shortcut on the desktop. Open Top_CLX_Machine_Lab1.ACD file
to download the program to the Machine controller (top chassis). Make sure that you select the right file
(Machine_Lab1).

27. Click on the Who Active button. Expand the VLAN10 Ethernet driver. Browse to the Machine processor
10.10.10.3, slot 0 and click Download.

28. Click Download. Click Yes to change the controller to Remote Run mode.

29. If a pop-up window did not appear and ask to go to the Run Mode, click the drop-down in the online bar and
select Run Mode.

30. Once downloaded, the Line_Control tag data will be received via the Produced Consumed connection
between the Line and Machine Controllers.

Go to the Main routine in the Main program, rung 0. If the Produced Consumed connection is established,
the program makes the Point I/O outputs on the demo case blink on and off, demonstrating
communication through a NAT boundary.

31. Go to the Machine program I/O tree, right-click on the Local EN2TR 1756-EN2TR module in slot 1 and
click Properties.

Note that we had to use the public (outside) IP address 10.10.10.3 of the EN2TR when downloading to the
Machine controller since the PC was connected to the outside network (the Stratix 8000 switch). However,
the EN2TR module in the Machine program is configured with the actual IP address of 192.168.1.3.

32. Open the Properties window of the RemoteEN2TR 1756-EN2TR module on the Ethernet network.

The IP address of the remote (Line) module is configured as 192.168.1.20 in the Machine program. The
actual address of the module is 10.10.10.20 since it is located on the Public (Outside) network.

33. Click on the RSLinx Classic shortcut on the desktop and open the RSWho window. Expand the
VLAN10 Ethernet driver. Remember that we are browsing from the PC on the Public network 10.10.10.0:

The RSLinx Classic application shows both the actual (untranslated) and translated addresses for
the EN2TR modules in the Machine chassis because we added them to the NAT table.
We do NOT see other devices on the Machine network, for example the POINT I/O adapter, in
RSLinx since we did not configure translations for it.
We only see the real IP addresses of the Stratix 8000 switch (10.10.10.1) and the Line controller
module (10.10.10.20) since the PC is on the same network with these devices.

34. Start the FactoryTalk View SE Client application by clicking on the desktop shortcut. It may take
about a minute to load. The HMI application shows the overall network status. Make sure all connections
are green.

You have successfully completed Lab 1.
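
The following is an added example, not part of the lab manual or any Rockwell Automation code: a Python model of the Advanced_Lab NAT instance built from the two tables entered in Lab 1. It shows how source and destination addresses are rewritten in each direction, why a device with no translation row (the POINT I/O adapter) stays hidden from the public side, and how to audit a table for duplicate or out-of-subnet entries. Assumptions: /24 subnets, untranslated traffic treated as dropped, a constructed address for the POINT I/O adapter, and a count field that generalizes the lab's Single rows to the Range and Subnet types.

```python
import ipaddress
from dataclasses import dataclass

ip = ipaddress.ip_address


@dataclass(frozen=True)
class Rule:
    """One NAT row. count=1 is the lab's Single type; count>1 models a Range
    (a Subnet is a range that covers a whole prefix)."""
    device: str
    private: str
    public: str
    count: int = 1

    def pairs(self):
        """Yield every (private, public) address pair this row covers."""
        for i in range(self.count):
            yield str(ip(self.private) + i), str(ip(self.public) + i)


@dataclass
class NatInstance:
    private_to_public: list  # machine devices exposed on the public side
    public_to_private: list  # public devices given an alias on the private side

    @staticmethod
    def _table(rules, by_public=False):
        pairs = [pair for rule in rules for pair in rule.pairs()]
        return {pub: priv for priv, pub in pairs} if by_public else dict(pairs)

    def outbound(self, src, dst):
        """Private side -> uplink. Returns (src, dst) as seen on the public
        side, or None when either address has no translation (assumed drop)."""
        new_src = self._table(self.private_to_public).get(src)
        new_dst = self._table(self.public_to_private).get(dst)
        return (new_src, new_dst) if new_src and new_dst else None

    def inbound(self, src, dst):
        """Uplink -> private side; the reverse lookups of outbound()."""
        new_src = self._table(self.public_to_private, by_public=True).get(src)
        new_dst = self._table(self.private_to_public, by_public=True).get(dst)
        return (new_src, new_dst) if new_src and new_dst else None

    def audit(self, private_net="192.168.1.0/24", public_net="10.10.10.0/24"):
        """Return table problems: addresses outside their subnet or used twice.
        The /24 prefix lengths are an assumption; the page shows only x.x.x.N."""
        nets = (ipaddress.ip_network(private_net), ipaddress.ip_network(public_net))
        seen, problems = ({}, {}), []
        for rule in self.private_to_public + self.public_to_private:
            for pair in rule.pairs():
                for addr, net, used in zip(pair, nets, seen):
                    if ip(addr) not in net:
                        problems.append(f"{rule.device}: {addr} is outside {net}")
                    if addr in used:
                        problems.append(f"{addr} used by {used[addr]} and {rule.device}")
                    used[addr] = rule.device
        return problems


# The two tables exactly as entered for the Advanced_Lab instance in Lab 1.
LAB1 = NatInstance(
    private_to_public=[
        Rule("Stratix 5700", "192.168.1.2", "10.10.10.2"),
        Rule("EN2TR", "192.168.1.3", "10.10.10.3"),
        Rule("EN2TR DLR", "192.168.1.4", "10.10.10.4"),
    ],
    public_to_private=[
        Rule("Stratix 8000", "192.168.1.1", "10.10.10.1"),
        Rule("Line EN2TR", "192.168.1.20", "10.10.10.20"),
        Rule("PC", "192.168.1.30", "10.10.10.30"),
    ],
)
POINT_IO = "192.168.1.10"  # constructed: the page does not give this address

if __name__ == "__main__":
    # Machine EN2TR addressing the Line EN2TR by its private alias.
    print(LAB1.outbound("192.168.1.3", "192.168.1.20"))
    # PC on the line network opening Device Manager at the translated address.
    print(LAB1.inbound("10.10.10.30", "10.10.10.2"))
    # POINT I/O has no row, so nothing it sends crosses the NAT boundary.
    print(LAB1.outbound(POINT_IO, "192.168.1.30"))
    # An empty list means no duplicate or out-of-subnet entries.
    print(LAB1.audit())
```

Running audit() before submitting a table in Device Manager catches the duplicate-address problem that NAT is meant to avoid when several identical machines are added.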

Lab 2: VLAN Segmentation, Connected Routing and Network Address Translation (NAT) for a Layer
3 Architecture.

Introduction
In the previous lab, we reviewed NAT in a Layer 2 architecture without VLAN segmentation and routing. Such
architecture may be appropriate for a very small network, but quickly becomes insufficient as the network grows.
Using NAT in a single VLAN architecture provides some level of segmentation by isolating untranslated devices
behind the NAT boundary. However, this method does not provide full segmentation since broadcast traffic would still
propagate across the network.
Larger production systems require a hierarchical network design that includes Layer 3 distribution switches to provide
VLAN segmentation and routing. Adding NAT into such a network allows us to integrate multiple machines or skids
with identical IP addresses while providing VLAN segmentation for each machine.

NAT in a Layer 3 Architecture


The diagram below demonstrates multiple machines or skids being integrated into a larger network using Stratix
5700 NAT, with each machine using a separate VLAN in a Layer 3 architecture. Utilizing a NAT device in each
machine allows them to use identical IP addresses and to be connected to the network without having to modify
programs or device settings. VLAN segmentation limits the broadcast domain and helps to prevent network problems
in one machine from affecting the rest of the network.
In this architecture, each Stratix 5700 does NAT for the VLAN associated with the machine. The Layer 3 switch in the
Public network is a default gateway for each VLAN and routes the traffic between VLANs.

Lab 2 Scenario
We want to add several machines to our current network. Each machine will have identical equipment and network
layout. In order for us to have the same IP addressing for all the additional machines we will still need to implement
NAT.
This time, we do not want a Layer 2 architecture that creates one big flat network with a single VLAN. We
will add network segmentation by using multiple VLANs and inter-VLAN routing in our new design. The desired
architecture is shown in the diagram below.
For the purposes of this lab, the upper ControlLogix chassis in your demo box represents the Machine
controller and the lower chassis represents the Line controller.

In order for this architecture to work, we will need to configure Connected Routing in the Stratix 8000 which enables
devices on any VLAN to communicate with each other if they use the switch as their default gateway.
First, we will create VLANs and assign them to the appropriate ports on the Stratix 8000 switch.
Then we will enable Connected Routing to be able to communicate between VLANs.
Finally, we will re-configure the previous NAT configuration in the Stratix 5700 switch for the new Layer 3
architecture.
The Line Controller will be configured on VLAN 20 and the PC will be configured on VLAN 30. The Machine devices'
private IP addresses will be translated to the configured VLAN 10 addresses.
Instead of using a Public-to-Private translation for every device in the Public network, we will create a gateway
translation for the IP address of the Stratix 8000 switch in VLAN 10.

Ports that connect the switches are configured in the VLAN trunk mode. This means that Ethernet frames will
be tagged with a corresponding VLAN number when going out of these ports. Trunking allows switches to
send data from multiple VLANs over the same link while still maintaining segmentation between VLANs.

The new configuration will allow communication (produce/consume tags) between the two controllers (Line and
Machine) that will trigger the I/O lights to turn ON.

Configuring VLANs and Connected Routing

1. Launch Internet Explorer by clicking the Internet Explorer icon on the taskbar.


2. Type the IP address 10.10.10.1 of the Stratix 8000 in the address bar and press enter.

3. In the authentication box shown below, leave username blank and type rockwell (all lowercase, no
quotes) as the password.

4. You are now in the Stratix 8000 Device Manager. In the Stratix 8000, we will create multiple VLANs to
segment our network and we will also configure Connected Routing.

5. Expand the Configure tab and select VLAN Management.

6. In VLAN Management, you will see that VLAN 10 and VLAN 20 are already created. We used VLAN 10 for
the previous lab and VLAN 20 was created in advance. We will be creating VLAN 30 for the PC and HMI
application.
To create the VLAN 30, click the Add button.

7. To create a VLAN, you must give it a name and unique ID number. You can always modify the name of the
VLAN but not its number.
Enter a VLAN ID of 30 and a Name of VLAN30, set IP Assignment Mode to Static with an IP address of
10.10.30.1 and click OK to create the new VLAN.

Since we are configuring a VLAN on the Layer 3 switch, we need to assign an IP address to the Switch
Virtual Interface (SVI). This IP address will be the default gateway address for devices on that VLAN.

8. After creating the VLAN, we need to assign a port to our new VLAN. Before assigning the port, we will verify
that the port has the appropriate configuration (port role).
Expand the Configure tab and select Smartports.

9. Select port Fa1/6 and verify that it is set to Virtual Desktop for Automation. If not, select the role from the
list and click Save.

Virtual Desktop for Automation smartport optimizes port parameters for a PC connection and allows two
MAC addresses (one for a physical NIC, one for a VM). For information about smartports, see Stratix
Managed Switches User Manual (Publication 1783-UM007).

10. Now, go to the Configure tab and select Port Settings.

11. Port Fa1/6 is currently configured for the default VLAN 1. Select port Fa1/6 and click Edit.

12. Verify that the Administrative Mode is set to Access and change the Access VLAN to VLAN30-30. Click
OK to save configuration.

Before changing our PC IP address and moving it to the VLAN30 network, we will need to set up
Connected Routing.
13. To enable connected routing, the Switch Database Management (SDM) template should be set as Lanbase
Routing. The SDM templates optimize how switch memory is allocated for specific features.
Go to the Admin Menu and select SDM-Template.

14. Verify that the SDM template is set to Lanbase Routing.


To save time, the SDM template has already been configured for you. Do NOT CHANGE the template.
The process of changing the template causes the switch to automatically restart.

15. From the Configure menu, choose Routing.

16. To enable connected routing, check Enable Routing and click Submit. Leave the gateway address field
blank.

17. Click Yes at the pop-up window. The gateway address specifies the next-hop router for the default route out
of the Layer 3 switch. Since our Stratix 8000 switch is not connected to a larger network, we do not need to
provide a gateway address.

By enabling Connected Routing on the switch, we allow communication between devices on all VLANs.
These devices should use the switch as their default gateway. To restrict inter-VLAN communication for
certain devices, you can configure access control lists (ACLs) in the CLI.
Stratix 5700 with Full software option also supports Connected Routing.

Verifying Connected Routing operation

With routing enabled, we can now move our PC to VLAN 30 and the Line controller to VLAN 20.
18. Change the IP address of the PC to 10.10.30.30 and the gateway to 10.10.30.1. Make sure that the third
octet is set to 30.

19. Click OK and close open windows to apply IP address changes.

20. Plug the PC cable into the Stratix 8000 port Fa1/6, which we configured for VLAN30 in the previous steps.

21. Verify that the Connected Routing is working by first accessing Device Manager for the Stratix 8000 using
the 10.10.10.1 address.

22. Next try to ping the Line controller. Open the Command Prompt by clicking on the desktop shortcut
and type ping 10.10.10.20.

At this point, the Line controller is still on VLAN 10 with an IP address of 10.10.10.20. We will move the Line
controller to VLAN 20 in the next step.

VLAN 20 was already preconfigured for this lab. Port Fa1/4 is configured for VLAN 20. The Line
Controller's 1756-EN2TR module is set to DHCP mode (bottom chassis, slot 1).
The Stratix 8000 switch is configured with the DHCP Persistence feature that will assign an IP address in
the corresponding VLAN based on the port where a device is plugged in.
23. In the Stratix 8000 Device Manager, select DHCP from the Configure menu and click on the DHCP Persistence tab. As
you can see, the DHCP server on the switch is configured to assign the 10.10.20.20 address on the Fa1/4 interface.

24. From the Configure menu, select Port Settings. Here we see that port Fa1/4 is in the VLAN 20.

25. Remove the Line Controller's cable from the Stratix 8000 port Fa1/3 and plug it into Fa1/4.

Line Controller
(bottom chassis)

26. In order for DHCP to assign the new address of 10.10.20.20 to the Line controller, the 1756-EN2TR will
have to be power cycled after changing the connected port.
Open the power supply door of the bottom chassis and flip the switch off and on to power cycle the chassis
(alternatively, you can pull out and reset the EN2TR module in the chassis). Watching the display on the
EN2TR, you will see that it receives the new IP address of 10.10.20.20.
27. To verify the result, ping the new IP address 10.10.20.20.
We now are able to communicate between the PC in VLAN 30 and the Line Controller in VLAN 20.

Configuring NAT for the Layer 3 Architecture

We have not yet configured the NAT instance for the Layer 3 architecture we just created. At this point, we are still
using the NAT instance from the previous lab for a single VLAN network.
We will need to edit the current NAT instance in the Stratix 5700 by removing the Public to Private translations and
by adding a gateway translation.

To configure NAT, you create one or more unique NAT instances. In a typical implementation, only one
instance is required. A NAT instance contains entries that define each address translation, as well as other
configuration parameters.

The translations you define depend on whether traffic is routed through a Layer 3 switch / router or not.
If traffic is routed through a Layer 3 switch or router (Layer 3 architecture), you define the following:
- A private-to-public translation for each device on the private subnet that needs to communicate on the
  public subnet.
- A gateway translation for the Layer 3 switch or router.

In a Layer 3 architecture, you do not need to provide translations for all devices on the public subnet that
belong to other VLANs. Private devices can reach public devices by using the translated gateway address
(i.e. the address of the Layer 3 switch / router).

You also do not need to configure NAT for every device on the private subnet. For example, you can choose
to omit some devices from NAT to increase security, decrease traffic, or conserve public address space.

28. Go to the Device Manager interface for the Stratix 5700. Launch Internet Explorer by clicking the Internet
Explorer icon on the taskbar.
29. Type the translated IP address 10.10.10.2 of the Stratix 5700 in the address bar and press enter.

30. In the authentication box shown below, leave username blank and type rockwell (all lowercase, no
quotes) as the password.

31. Go to the Configure menu, and select NAT.

32. Select Advanced_Lab NAT instance, and click Edit.

33. Select the Public to Private tab. We need to delete all Public-to-Private translations used for the Layer 2
architecture lab. Select all three translations, and click Delete.
Make sure that the correct tab is selected!

You will be asked if you are sure you would like to delete the selected items. Click OK.

DO NOT CLICK SUBMIT AT THIS POINT YET!!!


34. In the General tab, we will leave all the Private-to-Public translations as configured earlier. We need to enter
a Gateway Translation so devices in the machine can reach the default gateway (the Stratix 8000 switch).
Go to the Gateway Translation section and click Add Row.

35. Enter the Gateway Translation of 10.10.10.1 for the Public and 192.168.1.1 for the Private. Click Save.

36. Click Submit to save changes in NAT configuration.


37. Now we will verify if the new NAT configuration with gateway translation is working properly.
Open the command prompt and ping the Machine controller at 10.10.10.3.
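
The checks below are an added example, not part of the original lab or of any Rockwell Automation tool: they audit a NAT instance like the one edited in steps 33-36 for the mistakes that break a Layer 3 setup (reversed or mistyped addresses, a missing gateway translation, leftover Public-to-Private entries). The addresses come from this lab; the /24 masks and all function names are assumptions.

```python
import ipaddress

# Addresses are the ones used in this lab; the /24 masks are an assumption.
PRIVATE_NET, PUBLIC_NET = "192.168.1.0/24", "10.10.10.0/24"
PRIVATE_TO_PUBLIC = [("192.168.1.2", "10.10.10.2"),   # Stratix 5700
                     ("192.168.1.3", "10.10.10.3")]   # Machine controller EN2TR
GATEWAY = ("192.168.1.1", "10.10.10.1")               # (private, public)


def audit_nat_instance(private_to_public, gateway=None, public_to_private=(),
                       layer3=True, private_net=PRIVATE_NET, public_net=PUBLIC_NET):
    """Return a list of findings for one NAT instance; an empty list means clean."""
    priv = ipaddress.ip_network(private_net)
    pub = ipaddress.ip_network(public_net)
    findings = []

    def check_pair(kind, private, public):
        a, b = ipaddress.ip_address(private), ipaddress.ip_address(public)
        if a in pub and b in priv:
            findings.append(f"{kind} {private}->{public}: private and public reversed")
            return
        if a not in priv:
            findings.append(f"{kind} {private}->{public}: {private} not in {priv}")
        if b not in pub:
            findings.append(f"{kind} {private}->{public}: {public} not in {pub}")

    for private, public in private_to_public:
        check_pair("private-to-public", private, public)
    if gateway:
        check_pair("gateway", *gateway)

    # A public address may stand for only one device.
    publics = [p for _, p in private_to_public] + ([gateway[1]] if gateway else [])
    for addr in sorted({p for p in publics if publics.count(p) > 1}):
        findings.append(f"public address {addr} used by more than one translation")

    if layer3 and not gateway:
        findings.append("Layer 3 architecture but no gateway translation")
    if layer3 and public_to_private:
        findings.append(f"{len(public_to_private)} public-to-private translation(s) "
                        "left over from the Layer 2 configuration")
    return findings


def public_view(private_to_public, private_hosts):
    """Map each private host to its public address, or None if it has no translation."""
    table = dict(private_to_public)
    return {host: table.get(host) for host in private_hosts}


if __name__ == "__main__":
    print(audit_nat_instance(PRIVATE_TO_PUBLIC, GATEWAY) or "no findings")
    print(public_view(PRIVATE_TO_PUBLIC, ["192.168.1.3", "192.168.1.5"]))
```

A private host that maps to None in `public_view` has no address on the public subnet, which is the effect of omitting a device from NAT.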

Verifying EtherNet/IP communication through NAT

We are now ready to download new programs for the Line Controller and then the Machine Controller.
These programs will use the IP address 10.10.20.20 of the Line Controller in VLAN 20.

38. Open the Logix Files folder by using the shortcut on the desktop. Open the Bottom_CLX_Line_Lab2.ACD file
to download the program to the Line controller (bottom chassis). Make sure that you select the right file
(Line_Lab2).

39. Click the Who Active button. Expand the VLAN20_Lab2 Ethernet driver and browse to 10.10.20.20 slot 0.
Click Download.

40. Click Download.

41. Click Yes to change the controller to Remote Run mode.

Next we will download the Machine controller program.

42. In the Logix Files folder, open the Top_CLX_Machine_Lab2.ACD file to download the program to the Machine
controller (top chassis). Make sure that you select the right file (Machine_Lab2).

43. Click the Who Active button. Expand the VLAN10 Ethernet driver and browse to 10.10.10.3 slot 0. Click
Download.

44. Click Download. Click Yes to change the controller to Remote Run mode.

Once both programs are downloaded, the Point I/O outputs in the demo case will be solid green, proving
and illustrating the communication between the Line and Machine Controllers.

45. Right-click on the RemoteEN2TR module in the Machine program and select Properties.

As you see, the Machine program uses the real (untranslated) address 10.10.20.20 of the Line Controller.
Since we configured the gateway translation, we can use public IP addresses to communicate to the
devices in other VLANs.

46. Go to the FactoryTalk View SE client application, click on Lab 2 Display button, and verify that all lines are
showing green.

You have successfully completed the Lab.

Lab Summary

In this lab, you have worked through exercises that demonstrated the power and flexibility of the Stratix 5700 and the Stratix
8000 Ethernet Managed Switches, and reviewed Network Address Translation, VLANs, Connected Routing and DHCP
Persistence features of Stratix switches. You have completed the following tasks:

Stratix 5700 Layer 2 Ethernet Managed Switch

- Configured a NAT instance in a Layer 2 architecture by specifying Private-to-Public and Public-to-Private
  translations.
- Configured a NAT instance in a Layer 3 architecture by specifying a Gateway translation.

Stratix 8000 Ethernet Managed Switch

- Configured a VLAN, an SVI for the VLAN and assigned a port to a VLAN.
- Enabled Connected Routing between VLANs.
- Reviewed the DHCP Persistence feature.

Instructors Use Only
Lab Configuration and Setup Guide

Lab Information

Lab Name: Applying Advanced EtherNet/IP Features in Converged Plant-wide Ethernet Architectures
Lab Description: This hands-on lab will demonstrate Network Address Translation (NAT) in Layer 2 and Layer 3
architectures, VLAN segmentation, and Connected Routing. A prior understanding of general
Ethernet concepts, including switching and routing is recommended.
Lab Creator: Eduard Polyakov, Sr. Commercial Engineer
Date Created: 9/1/2014
Updates:
- 3/31/2015: minor cleanup, updated screenshots
- 9/14/2015: added DLR on 5700 switch, updated screenshots and diagrams
- 12/8/2015: added startup script to configure switches automatically, minor revisions

Hardware Configuration
| Qty | Demo Cat.# / Description | Slot | IP Address | Firmware |
|---|---|---|---|---|
| 1 | ENET21 Demo Box | | | |
| | Top CLX Chassis | | | |
| | 1756-L75 | Slot 0 | | 26.013 |
| | 1756-EN2TR | Slot 1 | 192.168.1.3 | 5.008 |
| | 1756-IB16ISOE | Slot 2 | | 2.009 |
| | 1756-EN2TR | Slot 3 | 192.168.1.4 | 5.008 |
| | Bottom CLX Chassis | | | |
| | 1756-L75 | Slot 0 | | 26.013 |
| | 1756-EN2TR | Slot 1 | 10.10.x.20 (DHCP) | 5.008 |
| | 1756-IB16ISOE | Slot 2 | | 2.009 |
| | 1756-SFM | Slot 3 | | N/A |
| | Stratix 5700 Ethernet Switch | N/A | 192.168.1.2 | IOS 15.2(3)EA1 |
| | Stratix 8000 Ethernet Switch | N/A | 10.10.10.1 (VLAN 10) | IOS 15.2(3)EA1 |
| | 1783-ETAP | | 192.168.1.6 | 2.002 |
| | 1734-AENTR | Slot 0 | 192.168.1.5 | 3.012 |
| | 1734-IB8 | Slot 1 | | 3.022 |
| | 1734-OB8E | Slot 2 | | 3.022 |
| | 1734-OE2V | Slot 3 | | 3.005 |
| | 1732E-IB16M12SOEDR | | 192.168.1.7 | 1.007 |

Computer/Host Settings
IP Address: Configured as outlined in the various lab sections
Operating System: Windows 7 with Internet Explorer V9, V10, V11 or Mozilla V26, V27 installed

Application Versions
| Vendor | Software | Version | Service Pack |
|---|---|---|---|
| RA | Studio 5000 Logix Designer | 26.01 | |
| RA | RSLinx | 3.73 | |
| RA | FTViewSE | 8.00 | |
| Cisco | Cisco Network Assistant | 6.2 | |

Note: Please be aware that IP addresses of some of the devices change during the lab. The Stratix 8000 switch
has several VLAN interfaces, each with its own IP address.

This hands-on lab uses the ENET21 Demo Box. This system comprises 2 ControlLogix controllers, 2 different types of
Stratix Ethernet Switches, 1 Point I/O module, 1 Armor Block module, 3 different styles of Ethernet modules, and 1 Computer.

Note: The same demo box is used for this Advanced EtherNet/IP lab and the Basic EtherNet/IP
lab. The switch configuration and cabling for some of the devices is different between the labs.
Please make sure that correct reset steps are followed since the box may be configured for a
different lab.

Lab Resetting and Startup Procedures

This section describes how to reset the hardware and verify configuration when setting up the lab and between the sessions.
Please read through all steps once before hooking up and starting the lab.
1. Connect all Ethernet devices to the corresponding Ethernet ports on the Stratix 8000 and 5700 switches as seen
below. Note that the Line Controller (connected to the Stratix 8000) is in the bottom chassis of the demo box.
The Machine Controller (connected to the Stratix 5700 and DLR) is in the top chassis.

a. Make sure that Line EN2TR Slot 1 Port 1 (Bottom CLX) is connected to the Stratix 8000 Fa1/3. This is
necessary for the correct IP address assignment in Lab 1.
b. Note that during the lab users will move some cables to different switch ports. Please make sure that
connections are restored between the sessions according to the diagram.
2. Restart the Advanced EtherNet/IP lab image on the PC. The IP address of the VM is set to 192.168.1.30.

When the lab image is restarted, a script runs to restore the switch configurations. Please follow
the steps below to make sure that it executes correctly.

3. You should see the message on the screen. Connect the PC Ethernet cable to the Stratix 8000 port Fa1/1. This is
a temporary connection to restore the Stratix 8000 switch configuration. Click OK to continue.

4. The script verifies connectivity to the switch and that the TFTP server is running, then copies the correct configuration
to the Stratix 8000 switch. DO NOT close or click on any open windows.
5. Wait until you see the next message on the screen. Connect the PC Ethernet cable to the Stratix 5700 port Fa1/1.
This is a temporary connection to restore the Stratix 5700 switch configuration. Click OK to continue.

6. The script verifies connectivity to the switch and that the TFTP server is running, then copies the correct configuration
to the Stratix 5700 switch. DO NOT close or click on any open windows.
7. Move the PC Ethernet cable back to the Stratix 8000 port Fa1/2. This completes the cabling for the lab
according to the diagram.
The IP address can remain as 192.168.1.30. Lab 1 uses this address in the beginning.
8. Power cycle the bottom ControlLogix chassis to reset the EN2TR module and get the new IP address via DHCP.
9. Verify IP address assignment for the EN2TR modules.
a. Machine EN2TR slot 1 (Top CLX) - 192.168.1.3
b. Machine EN2TR slot 3 (Top CLX) - 192.168.1.4
c. Line EN2TR slot 1 (Bottom CLX) - 10.10.10.20
10. During the initial setup before the event, make sure that DLR Supervisor mode is disabled on EN2TR modules
192.168.1.3 and 192.168.1.20 and enabled on the EN2TR module 192.168.1.4.
11. Review the list of known issues and troubleshooting steps on the next page before conducting the lab.

It is recommended to run through the lab on all stations before the event starts.

Lab Troubleshooting

Some of the issues that may happen during the lab and during the reset are listed here.

Possible Issues During the Lab


Problem: Cannot communicate to devices and switches when supposed to during the lab (i.e. cannot ping,
connect to a switch via the webpage or go online with the controller)
Troubleshooting Steps: Verify the following to resolve the issue:
1. Correct IP address and the port for the PC according to the place in the lab. There are several steps
   where IP addresses and ports should change.
2. NAT configuration on the Stratix 5700 switch. Common mistakes are reversing private and public IP
   addresses, mistyping IP addresses, not configuring Public to Private tab, not configuring Gateway
   addresses in the Lab 2.
3. Correct VLAN assignment on the Stratix 8000 switch (Lab 2).
4. SDM template should be Lanbase Routing (Lab 2).
5. Routing should be enabled (Lab 2).

Problem: Unsupported device message on the Dashboard in Device Manager
Troubleshooting Steps: Clear IE cache, restart the browser

Problem: FactoryTalk Security logon prompt when opening Studio 5000
Troubleshooting Steps: Try the following steps:
1. Open FactoryTalk Directory Configuration Wizard (Start > Rockwell Software > FactoryTalk Tools).
2. Select both Network and Local directories as options.
3. Configure directories using username labuser and password rockwell as the local Windows administrator.

Problem: 1756-IB16ISOE module (slot 2) may blink red, connection fault in I/O tree
Troubleshooting Steps: Reset the module in the chassis (note that this module is NOT used during the lab)

Possible Issues When Preparing or Resetting the Lab


Problem: Cannot log in to the switch using rockwell password.
Troubleshooting Steps: Try to enter username admin and password rockwell. The issue may be that the switch
has been updated with the new firmware and the Express Setup procedure applied. The latest firmware requires
a username for the Express Setup. After the correct lab configuration is restored, only password is required.

Problem: Cannot restore configurations using the script. Restore process fails.
Troubleshooting Steps: Verify the following:
1. Check if the PC cable is plugged in the correct port on the correct switch. Port Fa1/1 on both switches
   must be used to reset switch configurations.
2. Verify that the TFTP server is running on the PC (it is used to upload configurations to switches).
3. Check that Windows firewall is disabled and Symantec or other antivirus software is not running on the
   PC. The Symantec software on the computers with a standard RA image requires connection to the
   corporate network to allow TFTP connections. There should be no issues with the event PCs.

Problem: Cannot restore configurations using Cisco CNA (message says "The embedded TFTP server cannot start").
Troubleshooting Steps: Shut down the TFTP server that is running on the image.

Problem: Cannot connect to the switch via the script, CNA or webpage using the normal steps. Cannot ping
the IP address of the switch from the PC.
Troubleshooting Steps: Try the following steps to resolve the issue:
1. Make sure that direct connection is made to the switch through the correct port (see reset steps above).
2. Verify the IP address of the PC (see reset steps above).
3. Reset the demo box.
4. Reboot the PC (physical machine, not VM).
5. Verify that the correct physical NIC on the PC is used (typically event computers have two NICs, one
   for the demo box connection, and another for classroom connection).
6. If the switch configuration has been altered (wrong IP address, wrong VLAN on the port etc.), the
   switch needs to be reset to the factory default configuration and the correct IP address should be
   assigned. This can be done using the Express Setup button. Please refer to the Stratix switch manual.
7. Serial console connection and CLI can also be used to correct the configuration (requires knowledge of
   IOS commands).
8. After the switch has been reset to the factory default configuration and correct IP address has been
   assigned, use the startup script to restore the lab configuration.

Problem: Duplicate IP Address error in one of the EN2TR modules
Troubleshooting Steps: Try the following steps to resolve the issue:
1. Check the IP address of the physical NIC of the PC (not the VM). Make sure that it has NOT been assigned
   in the 192.168.1.1 to 192.168.1.7 range, or .20, .30. If the PC's NIC is set to DHCP and keeps getting
   the overlapping address, do the following in the command prompt:
       ipconfig /release
       net stop dhcp
       net start dhcp
       ipconfig /renew
2. Verify settings for other devices.
3. Reset the EN2TR module.
4. Power cycle the demo box.
5. Restart the VM image.
