Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved. Rev 5058-CO900D
Designing EtherNet/IP Machine/Skid Level Networks
Session Description
EtherNet/IP provides a single network technology for motion, safety, discrete, drives, and process applications. In this session you will learn recommended machine level architectures with best practices, and design considerations for typical machine control system applications. A prior understanding of general Ethernet concepts, or attendance of the Fundamentals of EtherNet/IP session, is recommended.
Agenda
• Selecting Infrastructure
• Information Integration
• Reference Architectures Solutions
• Best Practices and Example Architectures
• Where to learn more
Machine Level Network Considerations
Control requirements
• I/O and motion control: how much, how fast
Integration to upstream or downstream equipment
• Line controller
• Safety interlocking
Integration of data
• SQL or other servers for data collection and monitoring
• Supply chain integration
Remote access
• Troubleshooting, monitoring, program changes
Selecting Infrastructure
Switch Considerations

Managed switches
Advantages:
• Segmentation services (VLANs)
• Diagnostic information
• Security services
• Prioritization services (QoS)
• Multicast management services
• Network resiliency
• Loop prevention
Disadvantages:
• More expensive
• Requires some level of support and configuration to start up

Unmanaged switches
Advantages:
• Inexpensive
• Simple to set up
Disadvantages:
• No management capabilities
• No security
• No diagnostic information
• Difficult to troubleshoot
• No resiliency support
• No loop prevention

Embedded switches
Advantages:
• Diagnostic information
• Prioritization services (QoS)
• Time sync services (1588 transparent clock)
• Network resiliency
• Loop prevention
Disadvantages:
• Limited management capabilities
• May require minimal configuration
Topology Flexibility with EtherNet/IP
EtherNet/IP is topology neutral for maximum flexibility:
• STAR – Connect a broad range of devices
• LINEAR – Simplify cable management
• RING – Maximum availability
• HYBRID – Obtain maximum flexibility
Technology Segmentation
[Figure: one network per technology. Labels: ControlLogix chassis, Stratix 8000, PowerFlex 755, ArmorBlock I/O, Kinetix 6000, POINT I/O, PV+ EOI, Safety System; networks shown: EtherNet/IP, SERCOS, DeviceNet]
CIP Bridge Segmentation
[Figure: EtherNet/IP segments joined through CIP bridging in the ControlLogix chassis. Labels: ControlLogix chassis, Stratix 8000, PowerFlex 755, ArmorBlock I/O, Kinetix 6000, POINT I/O, PV+ EOI, Safety System; networks shown: EtherNet/IP (two segments), Sercos]
Converged Network Segmentation
[Figure: a single converged network on a Stratix 8300 with logical segmentation by VLAN. Labels: ControlLogix chassis, PowerFlex 755, ArmorBlock I/O, Kinetix 6000, POINT I/O, PV+ EOI (two), Safety System; VLANs shown: Control VLAN (several), Safety VLAN, Video VLAN, Remote User VLAN]
Converged Network Segmentation (plant-wide)
[Figure: plant-wide logical model. Labels: Cell/Area Zone #1 to #4, Industrial Zone, DMZ, Enterprise Zone / Enterprise Network (ERP, Email, Wide Area Network (WAN)); Mobile User, Lightweight AP (LWAP), AP as Workgroup Bridge (WGB); Catalyst 3750 series switch stack]
Security Considerations
Physical access security
• Disable unused switch ports
• Lock a port to only allow specific devices to be connected
• Change passwords from default settings
Access control lists and firewall features
• Limit access to secure areas of the network
• Limit access to secure services on the network
• Block remote access to secured devices
VLANs
• Simplify security enforcement by creating function groups
• Control access by function, by user, by location, etc.
Infrastructure Performance: Bandwidth
[Figure: example machine network – I/O at 10 ms RPI, 1 connection at 4 ms RPI, 3 at 10 ms RPI, 4 ms updates]
Total 8,100 PPS (less than 10% of bandwidth on a single link)
Infrastructure Performance: Jitter
[Figure: the same example machine network – I/O at 10 ms RPI, 1 connection at 4 ms RPI, 3 at 10 ms RPI, 4 ms updates]
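The packet-rate figure on the bandwidth slide comes from adding up the cyclic I/O connections on the machine. The script below is an added worked example (not from the deck) that does that sum for a constructed machine and checks it against the slide's "less than 10% of a single link" rule of thumb. It assumes that each cyclic I/O connection sends one packet per RPI in each direction, and uses an assumed 128-byte average on-wire frame and a 100 Mb/s link; the device counts are constructed, so it does not reproduce the slide's 8,100 PPS.

```python
"""Estimate EtherNet/IP I/O packet rate and link utilisation, as a worked
version of the "Infrastructure Performance" slides.  Example code added for
this page; the connection counts below are constructed, not the slide's.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    name: str
    count: int       # number of identical cyclic I/O connections
    rpi_ms: float    # requested packet interval (RPI) in milliseconds


def packets_per_second(conn: Connection) -> float:
    """Packet rate generated by `count` connections at `rpi_ms`.

    Simplifying assumption (not from the slide): each cyclic I/O connection
    sends one packet per RPI in each direction (originator->target and
    target->originator), so one connection at RPI r ms costs 2 * 1000 / r
    packets per second.
    """
    if conn.rpi_ms <= 0:
        raise ValueError("RPI must be positive")
    return conn.count * 2 * 1000.0 / conn.rpi_ms


def total_pps(conns) -> float:
    """Aggregate packet rate a shared link (e.g. the controller's uplink)
    must carry when every connection traverses it."""
    return sum(packets_per_second(c) for c in conns)


def link_utilisation(pps: float, frame_bytes: int = 128, link_mbps: int = 100) -> float:
    """Fraction of link capacity consumed.  frame_bytes is an assumed average
    on-wire size (I/O data plus Ethernet/IP/UDP headers, preamble and
    inter-frame gap); 128 is a constructed planning value."""
    return pps * frame_bytes * 8 / (link_mbps * 1_000_000)


def headroom_ok(pps: float, frame_bytes: int = 128, link_mbps: int = 100,
                limit: float = 0.10) -> bool:
    """The slide's rule of thumb: keep cyclic I/O under 10% of one link."""
    return link_utilisation(pps, frame_bytes, link_mbps) < limit


# Constructed example machine (device counts are not the slide's).
SAMPLE_MACHINE = [
    Connection("remote I/O adapters", count=12, rpi_ms=10.0),
    Connection("safety I/O", count=3, rpi_ms=10.0),
    Connection("drives", count=4, rpi_ms=4.0),
]

if __name__ == "__main__":
    pps = total_pps(SAMPLE_MACHINE)
    for c in SAMPLE_MACHINE:
        print(f"{c.name:22s} {packets_per_second(c):8.0f} pps")
    print(f"total {pps:.0f} pps, {link_utilisation(pps):.1%} of a 100 Mb/s link, "
          f"headroom {'OK' if headroom_ok(pps) else 'EXCEEDED'}")
```

Because the rate is a sum of 2 × 1000 / RPI terms, a single fast connection costs as much as many slow ones (one drive at 4 ms equals 2.5 I/O adapters at 10 ms), which is why the slides single out the 4 ms connections. The budget check is per link: the uplink that all connections cross is the one to test, not the individual device ports.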
CIP Sync – System of Clocks
[Figure: CIP Sync clock hierarchy. Labels recoverable from the diagram: HIPROM GPS time reference, GM (grandmaster), and two ControlLogix systems each with EN2T, L63, CNB/E and OB16IS modules]
Information Integration
Physical vs. Logical Segmentation
Isolated networks (separate Control Network and Information Network) – two NICs for physical network segmentation
• Benefits: clear network ownership demarcation line
• Challenges: limited visibility to control network devices for asset management; limited future-ready capability
Converged networks (one Control and Information Network) – logical segmentation
• Benefits: plantwide information sharing for data collection and asset management; future-ready
• Challenges: blurred network ownership demarcation line; IP address management
Network Address Translation
[Figure: two identical machines, each behind its own NAT (Machine 1 NAT and Machine 2 NAT: 10.104.x.x : 192.168.1.x). Within a machine, devices use the private 192.168.1.x addresses (192.168.1.100, 192.168.1.104 in both machines); between machine and line network, the translated 10.104.x.x addresses are used (e.g. 10.104.100.23). "Send message to Machine 2": the message is addressed to 10.104.2.100 on the line network, which Machine 2's NAT maps to 192.168.1.100 inside the machine]
Connectivity to Plant: Dual NIC vs. NAT
[Figure: left, CompactLogix L4 controller with two Ethernet ports, plant side 10.10.10.10 and machine side 192.168.1.2, with PowerFlex 4/40 AC drive and PV+ or PV+ Compact; right, CompactLogix 5370 L3 behind a NAT device, plant 10.10.10.10 and machine 192.168.1.2, with the same devices]

Dual NIC
Pros:
• IP addresses private to machine
• IT manages the external IP address
• Program does not change when the IT address changes
Cons:
• 2 communications interfaces in controller
• Web diagnostics not available outside machine
• Many network services will not pass through this gateway (SNMP, DNS, DHCP, etc.)
• Knowledge of route path at the application level

NAT
Pros:
• IP addresses private to machine
• 1 communications interface in controller
• Web diagnostics available outside machine
Cons:
• Additional cost for NAT device or switch
• Some additional complexity and management
Connectivity to Plant: IP Routing vs. NAT
[Figure: left, a routed design with a Plant VLAN (10.10.10.10) and a Machine VLAN, PowerFlex 4/40 AC drive and PV+ or PV+ Compact; right, CompactLogix 5370 L3 behind a NAT device, plant 10.10.10.10 and machine 192.168.1.2, with the same devices]

IP Routing
Pros:
• No machine level switch configuration needed if the machine is a single VLAN
• Removes the "single point of failure" of a NAT device
• Designed to allow network services (SNMP, VPN, DNS, DHCP)
Cons:
• IP addressing must be unique at the machine level

NAT
Pros:
• IP addresses private to machine (not visible outside of machine network)
• Web diagnostics available outside machine
Cons:
• Additional cost for NAT device or switch
• Some additional complexity and management
Strengths and Weaknesses: NAT vs. Layer 3 Routing

Design and install
• For pre-commissioning at equipment manufacturer: NAT router – easily possible (+); IP routing – equipment manufacturer requires a planned address list (-)
• Duplication of equipment: NAT router – easily possible (+); IP routing – IP addressing in programs may differ (-)
• Avoid address collision with other users of private addresses: NAT router – easily possible (+); IP routing – centralized management of the entire address space needed (-)

Operate and maintain
• Additional maintenance effort for the required 1:1 NAT address mappings (private ↔ public): NAT router – required (-); IP routing – not required (+)
• Failure probability: NAT router – the NAT router is a "single point of failure" (-); IP routing – low because of redundant router/layer 3 switch (+)
• Availability of network services (i.e. DHCP, DNS, remote access): NAT router – difficult (-); IP routing – easily possible (+)
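The NAT slide and the comparison above turn on one property: with 1:1 NAT every duplicated machine keeps the same private 192.168.1.x program addresses and only the line-side 10.104.x.x addresses differ, whereas with IP routing every address must be unique plant-wide. The following added example (not Rockwell's code) models a per-machine 1:1 NAT table, traces the slide's "Send message to Machine 2" case, and shows which addresses would collide if the same two machines were simply routed. The translation rule (192.168.1.H maps to 10.104.<machine>.H) and the host numbers are constructed to match the slide's labels.

```python
"""Model the per-machine 1:1 NAT on the "Network Address Translation" slide
and the plant-wide address uniqueness the IP-routing alternative needs.
Example code added for this page (not Rockwell's); the translation rule and
host addresses are constructed, patterned on the slide's 192.168.1.x
(inside the machine) / 10.104.x.x (line network) scheme.
"""
import ipaddress


class OneToOneNat:
    """Static 1:1 NAT table for one machine: inside (private) <-> outside (line)."""

    def __init__(self, machine_name, mappings=()):
        self.name = machine_name
        self._in_to_out = {}
        self._out_to_in = {}
        for inside, outside in mappings:
            self.add(inside, outside)

    def add(self, inside, outside):
        inside = ipaddress.IPv4Address(inside)
        outside = ipaddress.IPv4Address(outside)
        # A 1:1 table is a bijection: refuse to overwrite either side silently.
        if inside in self._in_to_out or outside in self._out_to_in:
            raise ValueError(f"{self.name}: {inside} or {outside} already mapped")
        self._in_to_out[inside] = outside
        self._out_to_in[outside] = inside

    def outbound(self, inside_addr):
        """Line-side address for an inside device (source rewrite on the way
        out).  None means the device has no mapping and stays invisible to
        the line network, which is the 'private to machine' property."""
        return self._in_to_out.get(ipaddress.IPv4Address(inside_addr))

    def inbound(self, outside_dst):
        """Inside address for a line-side destination (rewrite on the way in)."""
        return self._out_to_in.get(ipaddress.IPv4Address(outside_dst))


def build_machine_nat(machine_no, host_ids, line_prefix="10.104"):
    """Constructed rule: inside 192.168.1.H maps to <line_prefix>.<machine_no>.H,
    so duplicated machines keep identical programs and internal addresses."""
    return OneToOneNat(
        f"Machine {machine_no}",
        [(f"192.168.1.{h}", f"{line_prefix}.{machine_no}.{h}") for h in host_ids],
    )


def send_between_machines(src_nat, src_inside, dst_nat, dst_inside):
    """Trace the slide's 'Send message to Machine 2' case: the sender must
    address the destination's line-side address; each NAT rewrites its side."""
    line_src = src_nat.outbound(src_inside)   # Machine 1 rewrites the source
    line_dst = dst_nat.outbound(dst_inside)   # the address Machine 1 must send to
    if line_src is None or line_dst is None:
        raise LookupError("endpoint has no 1:1 mapping, unreachable across the line")
    return {
        "on_line": (str(line_src), str(line_dst)),       # as seen on the line network
        "delivered_to": str(dst_nat.inbound(line_dst)),  # after Machine 2's rewrite
    }


def routed_design_conflicts(machines):
    """IP-routing alternative: no translation, so every machine address must
    be unique plant-wide.  Returns the addresses that would collide."""
    owner, conflicts = {}, set()
    for name, addrs in machines.items():
        for a in map(ipaddress.IPv4Address, addrs):
            if owner.setdefault(a, name) != name:
                conflicts.add(str(a))
    return sorted(conflicts)


if __name__ == "__main__":
    m1 = build_machine_nat(1, [100, 104])
    m2 = build_machine_nat(2, [100, 104])
    print(send_between_machines(m1, "192.168.1.100", m2, "192.168.1.100"))
    print(routed_design_conflicts({m1.name: ["192.168.1.100", "192.168.1.104"],
                                   m2.name: ["192.168.1.100", "192.168.1.104"]}))
```

The `add` check is the "additional maintenance effort" row of the table made concrete: every device that must be reachable from the line needs its own entry, and a mistaken duplicate would silently redirect traffic if it were not rejected. Devices without an entry are unreachable from outside, which is the security upside the NAT column claims.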
Remote Access Approaches
Inside-out
• Remote Desktop
• Conference technology
Outside-in
• VPN
• Dial-up modems
Secure Remote Access (from Cisco and Rockwell Automation)
[Figure: secure remote access architecture. Enterprise Zone (Levels 4 and 5): Enterprise WAN, Enterprise Data Center, Enterprise Edge Firewall. Internet: Remote Engineer or Partner and Enterprise-Connected Engineer using the Cisco VPN Client over HTTPS (SSL VPN / IPsec VPN). Demilitarized Zone (DMZ): Cisco ASA 5500 firewalls (active and standby, Gbps link failover detection), Patch Management, Terminal Services, Application Mirror, AV Server, and a Remote Access Server hosting RSLogix 5000 and FactoryTalk View Studio, reached by Remote Desktop Protocol (RDP). Manufacturing Zone – Site Manufacturing Operations and Control (Level 3): Catalyst 6500/4500, Catalyst 3750 StackWise switch stack, FactoryTalk Application Servers (View, Historian, AssetCentre, Transaction Manager), FactoryTalk Services Platform (Directory, Security/Audit), Data Servers. Cell/Area Zones (Levels 0–2) on EtherNet/IP]

Secure remote access for employees and trusted partners such as machine builders and system integrators:
• Meeting the security requirements of IT while enabling manufacturers to leverage shared, distributed company resources and trusted partners
• Management of assets: monitor, configure and audit
• Simplify change management, version control, regulatory compliance and software license management
• Simplify remote client health management
Best Practices and Example Architectures
Machine with Motion and Safety
[Figure: example machine – GuardLogix controller, Kinetix 6500 servo drives, PowerFlex drives, PanelView Plus HMI, vision and I/O, all on EtherNet/IP through an Ethernet switch]
Process Skid Application
[Figure: process skid – CompactLogix controller with PowerFlex 40 VFDs, POINT I/O and PanelView Plus CE, connected to an HMI/SCADA system OR to plant network connectivity. Instrumentation: 836E pressure transmitters, 837E temperature transmitters, 839E flow transmitters, 873P ultrasonic level sensors, 840E level sensor, and discrete (on/off) sensors such as the 836 pressure sensor and 837 temperature sensor]
Machine Level Best Practices Summary
Best practices for machine level design:
• Verify physical layer devices
• Verify speed and duplex settings on devices (should be running at 100/full duplex)
• Use gigabit ports whenever possible for trunks and uplinks between switches
• Apply port security to protect open ports on the switch
• Apply a password to the switches to prevent unauthorized changes
• Limit the size of the broadcast domain with segmentation
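Most of the items in this summary, and the physical-access items on the Security Considerations slide (disable unused ports, lock ports to specific devices, change default passwords), can be checked mechanically against a switch's running configuration. The script below is an added example, not part of the deck or any Rockwell tool: it parses a constructed IOS-style configuration excerpt and reports which interfaces miss the checklist. The naming convention for unused ports ("Spare", "Unused" or no description), the choice to flag ports that do not pin 100/full (a deployed audit would also read the negotiated state from the switch), and the sample config itself are all assumptions.

```python
"""Audit a switch running-config against the machine-level checklist on the
"Security Considerations" and "Machine level best practices summary" slides:
unused ports shut down, access ports locked to a device with port security,
speed/duplex pinned at 100/full, uplinks on gigabit ports restricted to the
needed VLANs, and a non-default enable secret.  Example code added for this
page; the config below is a constructed IOS-style excerpt, not a Stratix
configuration from the deck.
"""
import re

# Constructed sample: one good port, one spare left open, one port without
# port security, one gigabit trunk done right and one trunk on a 100 Mb port.
SAMPLE_CONFIG = """\
hostname SKID-SW1
enable secret 5 $1$placeholder$hash
!
interface FastEthernet1/1
 description PLC
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security mac-address sticky
 speed 100
 duplex full
!
interface FastEthernet1/2
 description Spare
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet1/3
 description HMI
 switchport mode access
 switchport access vlan 10
 speed 100
 duplex full
!
interface GigabitEthernet1/1
 description Uplink to line switch
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
interface FastEthernet1/4
 description Second uplink
 switchport mode trunk
!
"""

UNUSED_DESCRIPTIONS = {"", "spare", "unused"}   # constructed naming convention


def parse_interfaces(config):
    """Return {interface name: [indented config lines]} for each stanza."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1].strip()
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None          # '!' or a global line ends the stanza
    return interfaces


def audit(config):
    """Return (where, finding) pairs; an empty list means the checklist passes."""
    findings = []
    if not re.search(r"^enable secret ", config, re.MULTILINE):
        findings.append(("global", "no enable secret set (default/empty privileged password)"))
    for name, lines in parse_interfaces(config).items():
        desc = next((l[len("description "):] for l in lines if l.startswith("description ")), "")
        if "shutdown" in lines:
            continue                                    # disabled port exposes nothing
        if "switchport mode trunk" in lines:            # uplink / trunk checks
            if not name.startswith("GigabitEthernet"):
                findings.append((name, "trunk/uplink on a non-gigabit port"))
            if not any(l.startswith("switchport trunk allowed vlan") for l in lines):
                findings.append((name, "trunk allows every VLAN"))
            continue
        if desc.strip().lower() in UNUSED_DESCRIPTIONS:
            findings.append((name, "unused port not shut down"))
            continue
        if "switchport port-security" not in lines:
            findings.append((name, "no port security (any device can connect)"))
        elif not any(l.startswith("switchport port-security mac-address") for l in lines):
            findings.append((name, "port security without a static/sticky MAC lock"))
        if "speed 100" not in lines or "duplex full" not in lines:
            findings.append((name, "speed/duplex not pinned at 100/full"))
    return findings


if __name__ == "__main__":
    for where, what in audit(SAMPLE_CONFIG):
        print(f"{where:20s} {what}")
```

Running it on the sample reports the spare port that was never shut down, the HMI port that accepts any device, and the second uplink that is both on a 100 Mb port and carrying every VLAN; the PLC port and the gigabit trunk pass. The same structure extends naturally to the ACL and VLAN items on the Security Considerations slide once the expected VLAN-to-function mapping for the machine is known.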
Where to Learn More
Additional Material: Rockwell Automation
• Networks website: http://www.ab.com/networks/
• EtherNet/IP website: http://www.ab.com/networks/ethernet/
• Publications: ENET-UM001-EN-P EtherNet/IP Network Configuration; ENET-AP005-EN-P Embedded Switch Application Guide; ENET-RM002-EN-P EtherNet/IP Design Considerations
• Network and Security Services websites: http://www.rockwellautomation.com/services/networks/ and http://www.rockwellautomation.com/services/security/
• ODVA website: http://www.odva.org
Additional Material: Cisco and Rockwell Automation Alliance
• Website: http://www.ab.com/networks/architectures.html
• Design guides: CPwE DIG 2.0
• Education series whitepapers:
  – Securing Manufacturing Computer and Controller Assets
  – Production Software within Manufacturing Reference Architectures
  – Achieving Secure Remote Access to Plant Floor Applications and Data
Additional Material: Cisco and Rockwell Automation Alliance
• Education series webcasts:
  – The Trend – Network Technology and Cultural Convergence
  – What Every IT Professional Should Know about Plant Floor Networking
  – What Every Plant Floor Controls Engineer Should Know about Working with IT
  – Industrial Ethernet: Introduction to Resiliency
  – Fundamentals of Secure Remote Access for Plant Floor Applications and Data
  – Securing Architectures and Applications for Network Convergence
• Available online: http://www.ab.com/networks/architectures.html
Questions?
Thank you for participating! Please remember to tidy up your work area for the next session. We want your feedback! Please complete the session survey!