Ethernet to the Factory
May 2010
Presentation_ID
© 2010 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
Agenda
- Industrial Automation Business Trends
- Manufacturing
- Ethernet to the Factory
- Case Studies and Examples
- Summary
- Q&A
Industrial Automation Trends
Manufacturing Operations: Business Pressures and Priorities
[Two bar charts comparing Best in Class with All Others on a 0-70% scale: "Top Business Priorities for Manufacturing Operations?" and "Top Strategic Actions to Achieve Business Objectives?"]
Categories shown across the two charts:
- Reduce Costs
- Reduce Production Variability
- Ensure Quality
- Optimize Asset Utilization
- Competitive Advantage
- Improve Collaboration
- Profitability Targets
- Synchronize Plant and Corporate Objectives
- Globalization
- Visibility for Decision Making
Source: Manufacturing Performance Management, Aberdeen Group, May 2009
Manufacturing 2.0
M1.0 (Industrial Revolution): Speed, Scale, Silo
M2.0 (Information Revolution): Integration, Collaboration, Agility
Manufacturing 2.0: Plant Operations Transformation
Traditional Plant ("Solid State"): restricted and isolated, static environment
Plant of the Future ("Liquid State"): dynamic, integrated, mobile, real-time, connected environment
Capabilities of the plant of the future:
- Integrated business and plant data
- Multi-site real-time asset tracking, monitoring, and notification
- Collaborative tools and processes
- IT and control system flexibility
- Mobile and remote workers
- Sensor-enabled manufacturing
- Enhanced security and personnel tracking
Source: AMR, Industry Week, Cisco Analysis
Evolution of Manufacturing Systems
From (separate, disparate networks):
- Inconsistent architecture
- Islands of information
- Silo'd organizations and goals
- Poor resource alignment
To (converged plant networks and systems):
- Resilient and adaptive
- Enterprise-wide visibility
- Collaborative teams
- Optimized resources
Manufacturing Convergence: Impact from Shop Floor to Top Floor
Ethernet and IP enable the convergence of manufacturing and IT: real-time information access and control.
Visibility and continuous improvement:
- Integration of plant-floor production information to the enterprise level
- Detailed real-time reporting and measurement
- Access to information at multiple levels
- Continuous monitoring of effectiveness and productivity
Tracking and information:
- Regulatory compliance
- Quality assurance
- Real-time order and resource status
- Track and trace
Asset and resource optimization:
- Reduce costs
- Maximize equipment utilization
- Demand-driven, flexible manufacturing
Source: Rockwell Automation and Cisco
Industrial Network Convergence
[Diagram comparing the traditional layout with a converged Ethernet layout]
Traditional:
- Corporate network: office applications, internetworking, data servers, storage; back-office mainframes and servers (ERP, MES, etc.)
- Gateway between the corporate network and the control network
- Control network: supervisory control, human machine interface (HMI), controller, robotics, motors, drives, actuators, sensors and other input/output devices
Converged Ethernet: a single network carrying office applications, internetworking, data servers, storage, back-office mainframes and servers (ERP, MES, etc.), supervisory control, HMI, controllers, robotics, motors, drives, actuators, sensors and other input/output devices
Manufacturing Convergence
Manufacturing and IT Convergence: Creating Challenges and Opportunities
- Technology convergence: wide Ethernet deployment
- Network convergence
- Organizational convergence
- Cultural convergence
- Business model innovation
- Business agility
- Competitive advantage
- Increasing business pressures
Source: Cisco and Rockwell Automation
Benefits of Industrial Ethernet in Factory Networks
Increased visibility:
- Connectivity to devices and controllers
- Manufacturing-enterprise integration
Uptime and performance:
- Security and reliability
- Network resiliency
Increased efficiency:
- Standard architecture for integration and support
- Scalable network platform for multiple applications
Improved event response:
- Remote access
- Improved diagnostics and support
Greatest Benefits from Plant to Business Convergence?
[Bar chart on a 0-60% scale with two series, Significant Impact and Great Impact]
- Enhanced Management Visibility Across Plants
- Plant Performance
- Operational Efficiency
- Security
- Improved System Recovery and Troubleshooting
- Team Performance
Source: Come Together: IT-Controls Engineering Convergence Furthers Manufacturers' Success, © 2007 Rockwell Automation
Challenges with Manufacturing Convergence
Organizational issues:
- Misaligned objectives
- Support requirements
- Different models and language
Industrial applications:
- Industrial protocols and traffic patterns
- Hardened products
- Determinism, latency, etc.
- Motion control
Security:
- Increased risk with COTS technology
- Patching issues
- Implications of issues
- Impact on performance and ease of use
MFG and IT skill alignment:
- Ease of use
- Multiple management tools
- Understanding of industrial applications
Cisco and Rockwell Automation Partnership
- Common technology view: support the use of open, unmodified standards, with intelligent networking features in automation networks, through ODVA, ISA and others
- Collaborating on reference architectures: tested and validated design and implementation guidance and best practices for a converged network architecture
- People and process optimization: develop process guidelines to help with convergence; facilitate training and dialogue between IT and Manufacturing
- Product collaboration: developed an Industrial Ethernet switch incorporating the best of Cisco and the best of Rockwell Automation
Ethernet to the Factory
Ethernet to the Factory Solution
- Validated with Rockwell Automation Integrated Architecture as part of the Converged Plantwide Ethernet solution
- Designed for industrial applications
- Real-time predictability
- Enables secure visibility and access
- Common model for IT and manufacturing
Key features:
- Industrial Ethernet switching
- Security services
- Scalable network platform
Converged Plantwide Ethernet
System-level validated reference architectures for Industrial Automation and Control Systems (IACS)
- Built on standards
- Plant-specific design and implementation guidance
- Extensive system-level validation testing
- Enables secure remote access
- Future-enabled innovation platform
- United IT and industrial expertise
Elements shown in the diagram: Ethernet-to-the-Factory; Industrial Ethernet switches; Integrated Architecture framework; network architecture; security architecture; CIP integration via native EtherNet/IP support; enhanced ease of use; FactoryTalk platform; Logix control platform; industrial infrastructure
Logical Architecture: Built on Industry Standards
Enterprise Zone
- Level 5: Enterprise Network
- Level 4: Site Business Planning and Logistics Network
DMZ
- Demilitarized Zone: Shared Access
Manufacturing Zone
- Level 3: Site Manufacturing Operations and Control
Cell/Area Zone
- Level 2: Area Control
- Level 1: Basic Control
- Level 0: Process
Typical Applications and Systems
- MES (Manufacturing Execution System): measures and controls production facilities; tracks and measures key operational criteria such as product, equipment, labor, inventory, defects, etc.; a key interface to the enterprise-level applications
- Historian: collects historical data from the factory-floor applications and reports or displays them in various report formats (Level 3)
- SCADA (Supervisory Control and Data Acquisition): large-scale distributed measurement and control systems, usually covering a geographical area
- PAC (a.k.a. PLC): Programmable Automation Controller or Programmable Logic Controller; controls a subset (cell/area) of manufacturing, e.g. a line or function, as well as the relevant devices in that cell/area
- HMI (Human Machine Interface): displays operational status to manufacturing personnel and may allow them to perform basic functions (e.g. start/stop a process)
- I/O (Input/Output device): a device that measures or controls key functions or aspects of the manufacturing process (Level 0)
Converged Plantwide Ethernet Architecture
[Architecture diagram]
Enterprise Network (Levels 4-5)
Demilitarized Zone (DMZ): Cisco ASA 5500 firewalls (active and standby, Gbps link for failover detection); Patch Management, Terminal Services, Application Mirror, AV Server; Cisco Catalyst 6500/4500
Manufacturing Zone, multi-service networks (Level 3): site operations and control; distribution and core network and security; FactoryTalk application servers; Cisco Catalyst 3750 StackWise switch stack; Cisco Catalyst switch
- Access control, threat protection
- Management, network services, routing
- EtherNet/IP (industrial protocols)
- Application and data share
- Enterprise/IT integration, collaboration, wireless, application optimization
Cell/Area Zone (Levels 0-2): Rockwell Automation Stratix 8000 Layer 2 access switches; controllers, HMIs, drives, distributed I/O
- Cell/Area #1: redundant star topology
- Cell/Area #2: ring topology
- Cell/Area #3: linear topology
- Layer 2 access, real-time control, fast convergence, traffic segmentation and management, ease of use
Enabling Plant to Business Convergence: Requirements for a High Performance Industrial Network
Industrial design:
- System-level, validated design
- Key industrial features
- Predictable performance
- Resiliency
Efficiency:
- Ease-of-use tools
- Common tools and features
- Remote access support
Security:
- Integrated network security
- Defense-in-depth
- Meet IT and MFG requirements
- Protect manufacturing assets
IT integration:
- Support IT tools and features; meet the needs of MFG
- Scalable network platform
- Integration with business systems
Cisco IE 3000 Series: Industry Leading Industrial Switching
- Rugged: extended shock, vibration, humidity and thermal environments
- Easy-to-use: Device Manager, Smart Ports, CIP support, IE SwapDrive, DHCP persistence
- Designed for industrial applications: efficient deployment, management and replacement
- Secure: Layer 2-4 ACLs, port security, user-based authentication (802.1X/NAC), secure CIP
- IT and industrial integration: IEEE 1588 PTP, ODVA CIP, VLAN, 802.xx, QoS, IGMP, Profinet, REP convergence
Integrated security for IT and industrial applications; leading Cisco switching capabilities and key features for industrial applications
Rockwell Automation Stratix 8000: Managed Switches with Cisco Technology
Best of Cisco:
- Cisco IOS
- Catalyst switch architecture and feature set
- CLI and Device Manager
- Secure integration with the enterprise network
Best of Rockwell Automation:
- Common Industrial Protocol (CIP) interface to Rockwell Automation Integrated Architecture
- RSLogix 5000 for configuration via Add-on Profile (AOP)
- Predefined logic tags for diagnostics
- FactoryTalk View faceplates
Best for the plant floor:
- Compact flash for "zero-config" replacement
- Industrial environmental ratings
- Default configurations for industrial automation
- Easy to maintain
A unique product in the market, integrating the enterprise and manufacturing environments
Rockwell Automation Stratix 8000: Full Integration with Rockwell Management Applications
Status, configuration, alarms, trending, help
Integration with both IT and manufacturing applications
Switching Portfolio for End-to-End Manufacturing Architecture
- Built on the Cisco Campus network framework and best practices
- Cisco IOS based platforms and consistent features
- Integration with Cisco and IT network management applications
- Resiliency and availability features: REP, Flexlinks, HSRP, StackWise, ISSU
- Integrated Catalyst network security
- Optimized delivery of application traffic: QoS, IGMP, PTP (IEEE 1588)
- Scalable network framework: integrate video, communication, wireless, and support new manufacturing applications
EttF Standards: Built on Industry Standards
Technology:
- IEEE 802.3: standard Ethernet; Precision Time Protocol (PTP, IEEE 1588)
- IETF: standard Internet Protocol (IP)
Manufacturing:
- Purdue Reference Model for Control Hierarchy
- ISA-95: Enterprise-Control System Integration
- ISA-99: Manufacturing and Control Systems Security
- NIST 800-82: Industrial Control System Security
- ODVA: Common Industrial Protocol (CIP)
- Profinet
Cell/Area Design
Cell/Area Zone Overview (Levels 0-2)
[Diagram: Catalyst 3750 StackWise Layer 3 distribution switches connected to IE Layer 2 access switches by interswitch uplinks (VLAN trunk, Layer 2 resiliency); Level 2 HMIs, Level 1 controllers and Level 0 devices (drives, VFDs, distributed I/O) attached by Layer 2 access links with a single VLAN assigned to each port; media and connectors]
The Cell/Area Zone is a Layer 2 network for a functional area of a production facility.
Key network considerations include:
- Environmental constraints
- Range of device intelligence
- Time-sensitive applications
Networking Best Practices: Cell/Area Zone
Best practices for reducing latency and jitter, and for increasing data availability, integrity and security:
- IP multicast control: IGMP management
- Segmentation: virtual LANs (VLANs)
- Prioritization: Quality of Service (QoS)
- Apply resiliency protocols and multi-path topologies
- Use fiber-media uplinks for fast convergence
- Defense-in-depth security
Cisco Catalyst 3750 Series
Innovative stacking sets new standards for resiliency and management
Enterprise-class services:
- Wire-speed switching and routing
Cisco StackWise Technology:
- Fault-tolerant, bi-directional 32-Gbps stack interconnection
- Automated configuration and management
- Single network instance (IP, SNMP, CLI, Spanning-Tree Protocol, VLAN)
- Master/secondary architecture with master failover
- Cross-stack EtherChannel, cross-stack QoS
Next generation in desktop switching:
- Optimized for Gigabit Ethernet
- IPv6-capable in hardware
Cell/Area Traffic Flows
Cell/area traffic is predominantly (>80%) local, cyclical I/O (a.k.a. implicit) traffic:
- Producer-generated UDP multicast messages
- Consumer-generated UDP unicast messages
- Packets are small (100-200 bytes) but communicated very frequently (every 0.5 to tens of ms)
- Typically un-routable (TTL=1, set by the application)
The rest is informational, control and administration (or explicit) traffic, flowing intra- and inter-cell/area:
- CIP-based, non-critical administrative or data traffic
- Diagnostic information via HTTP
- Status and fault warnings via SNMP or SMTP
- Packets are larger (~500 bytes) but infrequent (100s of ms)
[Diagram elements: DMZ; engineering laptop (RSLogix); Manufacturing Zone with network management and a mail gateway on a Cisco Catalyst 3750 StackWise switch stack; Cell/Area Zones with Cisco IE3000 switches serving HMIs, a controller and a drive]
Resiliency for Industrial Applications: Supporting Multiple Topologies
Ring convergence:
- Resilient Ethernet Protocol (REP)
- Achieves ~50 ms convergence in large, complex networks
Redundant star convergence:
- Multiple protocol options
- Convergence times of <100 ms for Flexlinks and EtherChannel
- Tested with Rockwell applications and multicast traffic
Fast convergence avoids application reset and improves uptime; critical for industrial applications.
[Diagram: CZ-3750 with a FlexLink before (FlexLink up), during the disruption (FlexLink down, FlexLink standby takes over) and after (FlexLink up)]
Reliability, Availability and Network Segmentation: Cell/Area Zone Topology Options
[Diagram of three Cell/Area Zone topologies, each with Catalyst 3750 StackWise distribution switches and Cisco Catalyst 2955 access switches serving HMIs, controllers, drives and distributed I/O]
- Redundant Star: Flex Links, EtherChannel
- Star/Bus Linear
- Ring: Resilient Ethernet Protocol (REP)
Comparison of Redundant Star, Ring and Linear (each rated Best, OK or Worst per criterion):
- Cabling requirements
- Ease of configuration
- Implementation costs
- Bandwidth
- Redundancy and convergence
- Disruption during network upgrade
- Readiness for network convergence
- Overall network TCO and performance
Testing Results: Topology
Ring topologies converge slower than redundant star
[Chart: Redundant Star vs. Ring (fiber uplinks), three paired test series]
- Compared tests from a variety of topologies and resiliency protocols: 8 access switches, MSTP enabled, multimode fiber
- Redundant star convergence was faster and more consistent
- Results expected, as topology change propagation drives higher, less consistent network convergence
- REP is expected to significantly lower the convergence time, especially in ring topologies
Testing Results: Copper vs. Fiber Media
Fiber media for uplinks significantly improves network convergence
- Compared tests with the same topologies with fiber vs. copper uplinks: multimode LC fiber cables; Cat 5e and Cat 6 copper cables
- All fiber topologies converged faster than copper topologies, approx. 500 ms faster
- Ethernet standards allow a higher range of link-down notification times for copper-based links
Testing Results: FlexLinks and EtherChannel
Redundant star, fiber uplink topologies with EtherChannel and Flexlinks support "time-critical" plant applications
[Charts: EtherChannel topology and Flexlinks topology convergence against the time-critical convergence target]
- Measured convergence consistently under the 100 ms target
- Multicast and unicast test streams measured
- Application timeouts occurred rarely: 1.5% of physical disconnects
Network Resiliency Protocols: Selection Is Application Driven
[Table marking each resiliency protocol against topology and application columns; only the row and column labels are legible]
Columns: Mixed Vendor, Ring, Redundant Star, Layer 2, Layer 3, Process and Information, Time Critical, Motion, Net Conv (network convergence)
Protocols:
- STP (802.1D)
- RSTP (802.1w)
- MSTP (802.1s)
- PVST+
- REP
- EtherChannel (LACP 802.3ad)
- Flex Links
- DLR (IEC & ODVA)
- StackWise
- HSRP
- GLBP
- VRRP (IETF RFC 3768)
Network convergence annotations on the table: 70-100 ms, > 1 ms, >250 ms
Spanning Tree Protocol (STP)
- Most common standard protocol for network resiliency (IEEE 802.1D)
- Supports redundant star and ring topology
- Provides an alternate path in case of failures, avoiding loops
- Unmanaged switches don't support STP
- Versions: STP, RSTP, MSTP and RPVST+; there are differences
- Coordinate with IT before implementing
[Diagram: Catalyst 3750 switch stack as distribution switches, Stratix 8000 access switches, links marked F (forwarding) or B (blocking), failed links marked X]
Layer 2 Hardening: Spanning Tree Should Behave the Way You Expect
- Place the root where you want it: the distribution switch (root primary/secondary macro)
- The root bridge should stay where you put it: RootGuard
- Only end-station traffic should be seen on an edge port: BPDU Guard or RootGuard, PortFast, port security
[Diagram: STP root on the distribution switches; RootGuard and LoopGuard on distribution ports; LoopGuard, UplinkFast and UDLD on access-switch uplinks; BPDU Guard, PortFast and port security on edge ports]
Standard setup applies the above
EtherChannel
- Link Aggregation Control Protocol (LACP) port aggregation, IEEE 802.3ad
- Redundant star topology
- A way of combining several physical links between switches into one logical connection to aggregate bandwidth (2 to 8 ports)
- Provides resiliency between connected switches if a connection is broken
[Diagram: Catalyst 3750 switch stack as distribution switches with EtherChannel links to Stratix 8000 access switches]
Resilient Ethernet Protocol: Summary
- REP is a segment concept; a segment is a chain of bridges
- If all the links are available, REP blocks; if there is a failure, REP unblocks
- Redundant networks can be built with REP segments
- Supports flexible topologies, both closed and open rings, but requires manual configuration
- Ring recovery time is less than 70 ms for fiber implementations
- Cisco innovation, included with Stratix 8000
Reliability, Availability and Network Segmentation: Cell/Area Zone Topology Options
[Same topology diagram as before: Redundant Star (Flex Links, EtherChannel), Star/Bus Linear, and Ring (REP), each with Catalyst 3750 StackWise distribution switches, Cisco Catalyst 2955 access switches, HMIs, controllers, drives and distributed I/O]
- Use fiber over copper for uplinks
- Spanning Tree (MSTP/rPVST+) recovery for CIP explicit messaging such as HMI
- Flex Links or EtherChannel for redundant star for CIP implicit I/O applications
- REP for ring CIP implicit I/O applications
VLANs in an Industrial Ethernet System
- Assign VLANs to devices when traffic patterns are known
- Limit the flow of produced data to the required devices (e.g. one VLAN per cell or zone)
- Use an L3 switch such as the IE 3000 to exchange data between VLANs (i.e. the PLC interlock layer)
[Diagram: backbone network with Layer 3 switches; zone VLANs 101, 102 and 103; cell VLANs 104 and 105]
Learn your traffic patterns: Safemap.Sourceforge.Net
VLAN Considerations for the Cell/Area Zone
- Design small Cell/Area zones; segment traffic types into VLANs and IP subnets to better manage the traffic
- Requires a Layer 3 switch or router to communicate between VLANs
- Use Layer 2 VLAN trunking between switches; when trunking, use 802.1Q and VTP in transparent mode
- Set the native VLAN to something other than 1
- Use the switchport host command to assign the VLAN to an end device
- Do not use VLAN 1 for EtherNet/IP control and information traffic; using VLAN 1 for data is viewed as a security risk
- Enable IP directed broadcast on Cell/Area VLANs with EtherNet/IP traffic for easy configuration and maintenance from IACS applications
- Prune unused VLANs for security
- Create a network management VLAN; don't use VLAN 1
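The VLAN rules above and the Layer 2 hardening slide (RootGuard, BPDU Guard, PortFast, port security) can be checked mechanically. As an added example, not from the deck or from Cisco, a Python lint that parses an IOS-style configuration and reports each deviation, run on a constructed weak configuration and its hardened counterpart; the interface names, VLAN numbers and addresses are assumptions.

```python
"""Lint a Cisco IOS switch config against the Cell/Area zone VLAN and Layer 2
hardening guidance on these slides: VTP transparent, native VLAN other than 1,
no end devices or management on VLAN 1, switchport host (access + PortFast)
with BPDU Guard and port security on edge ports, pruned trunks, and LoopGuard
or UDLD on uplinks. Both configurations below are constructed for the example."""
import re


def parse_ios(config: str):
    """Split an IOS config into global lines and {interface: [lines]}: a column-0
    line starts a section, indented lines belong to it, '!' ends it."""
    global_lines, interfaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
        elif not line.startswith(" "):
            if line.startswith("interface "):
                current = line.split(" ", 1)[1]
                interfaces[current] = []
            else:
                current = None
                global_lines.append(line)
        elif current is not None:
            interfaces[current].append(line.strip())
    return global_lines, interfaces


def vlan_number(lines, prefix, default=1):
    """VLAN number after `prefix`, or the IOS default (VLAN 1) when absent."""
    for line in lines:
        match = re.fullmatch(prefix + r" (\d+)", line)
        if match:
            return int(match.group(1))
    return default


def lint(config: str):
    """Return (scope, finding) tuples; an empty list means the config complies."""
    findings = []
    global_lines, interfaces = parse_ios(config)
    if "vtp mode transparent" not in global_lines:
        findings.append(("global", "VTP is not in transparent mode"))
    for name, lines in interfaces.items():
        def has(cmd):
            return any(ln == cmd or ln.startswith(cmd + " ") for ln in lines)
        if name.lower() == "vlan1":
            if has("ip address"):
                findings.append((name, "management address on VLAN 1"))
        elif not name.lower().startswith(("fastethernet", "gigabitethernet")):
            continue
        elif has("switchport mode trunk"):   # uplink checks
            if vlan_number(lines, "switchport trunk native vlan") == 1:
                findings.append((name, "trunk native VLAN is 1"))
            if not has("switchport trunk allowed vlan"):
                findings.append((name, "trunk carries every VLAN; prune unused VLANs"))
            if not (has("spanning-tree guard loop") or has("udld port")):
                findings.append((name, "uplink has neither LoopGuard nor UDLD"))
        else:                                # edge port checks
            if vlan_number(lines, "switchport access vlan") == 1:
                findings.append((name, "end device placed on VLAN 1"))
            if not (has("switchport host") or
                    (has("switchport mode access") and has("spanning-tree portfast"))):
                findings.append((name, "edge port lacks switchport host (access + PortFast)"))
            if not has("spanning-tree bpduguard enable"):
                findings.append((name, "edge port lacks BPDU Guard"))
            if not has("switchport port-security"):
                findings.append((name, "edge port lacks port security"))
    return findings


# Constructed: a switch left close to IOS defaults.
WEAK_CONFIG = """\
vtp mode server
!
interface FastEthernet1/1
 switchport mode access
!
interface GigabitEthernet1/1
 switchport mode trunk
!
interface Vlan1
 ip address 10.17.1.2 255.255.255.0
"""

# Constructed: the same ports configured per the slides' guidance.
HARDENED_CONFIG = """\
vtp mode transparent
!
interface FastEthernet1/1
 switchport access vlan 101
 switchport host
 spanning-tree bpduguard enable
 switchport port-security
!
interface GigabitEthernet1/1
 switchport trunk native vlan 999
 switchport trunk allowed vlan 101,999
 switchport mode trunk
 spanning-tree guard loop
"""
```

Running `lint(WEAK_CONFIG)` yields nine findings (one global, four on the edge port, three on the uplink, one for the VLAN 1 management address); `lint(HARDENED_CONFIG)` yields none.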
Not All Traffic Is Created Equal: Prioritization Is Required
Control networks must prioritize control traffic over other traffic types to ensure deterministic data flows with low latency and low jitter.

Traffic type         Bandwidth         Random drop sensitivity  Latency sensitivity  Jitter sensitivity
Control (e.g., CIP)  Low to Moderate   High                     High                 High
Video                Moderate to High  Low                      High                 High
Data (Best Effort)   Moderate to High  High                     Low                  Low
Voice                Low to Moderate   Low                      High                 High
Quality of Service Operations
- Classification and marking
- Queuing and (selective) dropping
- Post-queuing operations
Cell/Area Zone QoS Priorities: Output Queue Traffic Prioritization
[Two queue diagrams mapping traffic classes to Priority Queue 1 and Output Queues 2-4: typical enterprise QoS and Cell/Area Zone QoS]
Typical enterprise QoS classes: Voice, Call Signaling, Video, Critical Data, Bulk Data, Best Effort, Scavenger
Cell/Area Zone QoS classes: CIP Motion, PTP Event, Network Control, PTP Management, Safety I/O and I/O, CIP Explicit Messaging, Voice, Call Signaling, Best Effort, Scavenger
Note: due to the queue characteristics of the IE3000, the queue order of priority is different than in the general enterprise.
Cultural Convergence: Common Tools
- Device Manager
- FactoryTalk View, faceplates
- Command Line Interface
- Cisco Network Assistant
- RSLogix 5000, Add-on Profile
IP Addressing Management
Static
- Description: all devices hard coded with an IP address
- Advantages: simple to commission and replace; supported by every device
- Disadvantages: in large environments, can be burdensome to maintain; limited range of IP addresses and subnet
Static via BOOTP
- Description: configuration server assigns devices IP addresses; precursor to DHCP
- Disadvantages: not all devices support it; requires a technician to configure the IP address/MAC address when a device is replaced; adds complexity and a point of failure
DHCP
- Description: server assigns IP addresses from a pool (NOT RECOMMENDED for Cell/Area devices)
- Advantages: efficient use of IP address range; can reduce administration work load
- Disadvantages: more complex to implement and adds a point of failure; devices get different IP addresses when they reboot
(Option label not legible on the slide)
- Description: server assigns consistent IP addresses from a pool (NOT RECOMMENDED)
- Advantages: efficient use of IP address range; can reduce administration work load
- Disadvantages: more complex to implement and adds a point of failure; mixed environments may not work
DHCP Option 82
- Description: DHCP port-based allocation; automatically assigns an IP address per physical switch port
- Advantages: efficient use of IP address range; eases commissioning and maintenance in large environments
- Disadvantages: Cisco/Rockwell Automation only; requires some maintenance and upkeep, on a per-switch basis
Manufacturing and Demilitarized Zones
Industrial Security
Source of industrial security incidents (Source: BCIT, 2009):
- 49% Via corporate WAN and business network
- 17% Internet directly
- 10% Trusted third-party connection (includes infected laptops and is growing)
- 7% VPN connection
- 7% Dial-up modem
- 7% Telco network
- 3% Wireless system
Average cost of manufacturing downtime = $210,000 per hour (Source: Infonetics, 2005)
Ethernet to the Factory: Built on Cisco Self-Defending Network
- Firewall and VPN: traffic access control, encryption
- Intrusion prevention: detection, precision response
- Content security: email spam, web filtering
- Endpoint security: host IPS, AV solutions
- Centralized policy management and monitoring
Security Architecture
Protecting Critical Manufacturing Assets
- Deploy the zone concept for enterprise, DMZ and manufacturing areas
- Network infrastructure security: port security (MAC filtering, etc.)
- End-point security
- Identity access control with ACLs and firewalls
- Security management for all security devices and services
- Threat control and containment: IPS
Security services must not compromise manufacturing operation or impact control traffic.
DMZ Deployment: Components and Traffic Flow
[Diagram only]
DMZ and Secure Remote Access: Guiding Principles
- IACS protocols stay home
- Control the application: remote access server; application-level security (FT Security)
- No direct traffic
- No common protocols
- Only one path in and out of the manufacturing zone: the firewalls
- Use IT-approved access and authentication: VPN for secure remote access (SSL VPN, IPsec VPN); enterprise access and authentication servers (e.g. Active Directory, RADIUS, etc.)
[Diagram: Internet, Enterprise WAN and Enterprise Data Center in the Enterprise Zone (Levels 4 and 5); Demilitarized Zone (DMZ); Manufacturing Zone with Site Manufacturing Operations and Control (Level 3); Cell/Area Zones (Levels 0-2)]
Adaptive Security Appliance Overview: 5500 Series
Firewall with application-layer security:
- Multi-layer packet and traffic analysis
- Advanced application and protocol inspection services
- Network application controls
IPS and Anti-X defenses:
- Real-time protection from application and OS level attacks
- Network-based worm and virus mitigation
- Spyware, adware, malware detection and control
- On-box event correlation and proactive response
Access control and authentication:
- Flexible user and network based access control services
- Stateful packet inspection
- Integration with popular authentication sources including Microsoft Active Directory, LDAP, Kerberos, and RSA SecurID
SSL and IPsec connectivity:
- Threat-protected SSL and IPsec VPN services
- Zero-touch, automatically updateable IPsec remote access
- Flexible clientless and full tunneling client SSL VPN services
- QoS/routing-enabled site-to-site VPN
Intelligent networking services:
- Low latency
- Diverse topologies
- Multicast support
- Services virtualization
- Network segmentation and partitioning
- Routing, resiliency, load-balancing
Secure Remote Access: Components
- IPsec VPN
- Internet edge and plant firewall (ASA 5500)
- Web portal
- IPS/IDS
- Terminal server
- Manufacturing applications (RSLogix 5000, RSView, etc.)
- FT Security for application security
- Combine with collaboration solutions for remote support
[Diagram: Internet, Enterprise WAN, SSL VPN and Enterprise Data Center in the Enterprise Zone (Levels 4 and 5); Demilitarized Zone (DMZ); Remote Access Server with RSLogix 5000 in the Manufacturing Zone, Site Manufacturing Operations and Control (Level 3); Cell/Area Zones (Levels 0-2)]
Secure Remote Access
- A remote engineer or partner establishes a VPN (IPsec VPN with the Cisco VPN Client, or SSL VPN) to the corporate network; access is restricted to the IP address of the plant DMZ firewall
- The firewall proxies a client session (Remote Desktop Protocol, RDP) to the remote access server
- Access to applications on the remote access server (RSLogix 5000, FactoryTalk View Studio) is restricted to specified plant floor IACS resources through IACS application security
- The portal on the plant firewall (HTTPS) enables access to IACS data, files and applications
- The intrusion protection system (IPS) on the plant firewall detects and protects against attacks from the remote host
[Diagram: remote engineer or partner on the Internet entering through the Enterprise Edge Firewall; an enterprise-connected engineer on the Enterprise WAN; Enterprise Zone (Levels 4 and 5) with the Enterprise Data Center; DMZ with Cisco ASA 5500 firewalls (active and standby, Gbps link for failover detection), Catalyst 6500/4500, Patch Management, Terminal Services, Application Mirror and AV Server; Manufacturing Zone, Site Manufacturing Operations and Control (Level 3) with a Catalyst 3750 StackWise switch stack, FactoryTalk Application Servers (View, Historian, AssetCentre, Transaction Manager), FactoryTalk Services Platform (Directory, Security/Audit), Data Servers and the Remote Access Server; EtherNet/IP to the Cell/Area Zones]
Secure Remote Access
Applied Technology

Defense in Depth: security technologies applied between Remote Engineers and Partners and Plant Floor IACS Applications and Data
• IPsec Encryption and SSL VPN
• Authentication, Authorization and Accounting
• Access Control Lists (ACLs)
• Secure Browsing (HTTPS)
• Intrusion Protection and Detection
• Remote Terminal Session
• Application Security
• VLANs
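The session flow on the previous slide and the defense-in-depth layers on this one, as an added example that is not part of the deck and is not Cisco's or Rockwell's own tooling: a small Python policy model that walks a remote session hop by hop through each layer (AAA at the VPN gateway, firewall ACLs that confine VPN users to the plant DMZ firewall, the HTTPS portal, the RDP hop to the remote access server, and application security on the IACS resource) and audits the rule set for any permit that skips the DMZ. The host names, user names, zone placements and the rule list are constructed for the example; the zones themselves are the ones named on the slides.

```python
from dataclasses import dataclass

# Zones of the Converged Plantwide Ethernet model named on the slides.
INTERNET = "Internet"
ENTERPRISE = "Enterprise Zone (Levels 4 and 5)"
DMZ = "Demilitarized Zone (DMZ)"
MANUFACTURING = "Manufacturing Zone (Level 3)"
CELL_AREA = "Cell/Area Zone (Levels 0-2)"

# Constructed inventory: host names and their zone placement are assumptions
# made for this example, not taken from the deck.
HOSTS = {
    "remote-laptop": INTERNET,      # remote engineer or partner with the VPN client
    "edge-fw": ENTERPRISE,          # enterprise edge firewall terminating the IPsec VPN
    "vpn-pool": ENTERPRISE,         # address pool handed to VPN clients
    "plant-fw-portal": DMZ,         # SSL VPN portal on the plant ASA
    "ras": MANUFACTURING,           # remote access server running RSLogix 5000
    "plc-line1": CELL_AREA,
    "plc-line2": CELL_AREA,
}


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str


# Permit rules (constructed) that mirror the slide's flow; anything not listed is denied.
ACL = [
    Rule("remote-laptop", "edge-fw", "ipsec"),      # 1. VPN into the corporate network
    Rule("vpn-pool", "plant-fw-portal", "https"),   # 2. VPN users may reach only the plant DMZ firewall
    Rule("plant-fw-portal", "ras", "rdp"),          # 3. the firewall proxies an RDP session to the RAS
    Rule("ras", "plc-line1", "enip"),               # 4. RSLogix 5000 on the RAS speaks EtherNet/IP
    Rule("ras", "plc-line2", "enip"),
]

# Users who passed AAA at the VPN gateway, and the IACS resources that
# application security (FactoryTalk Security on the slide) grants each of them.
AUTHENTICATED = {"eng.alice", "partner.bob"}
APP_AUTHZ = {"eng.alice": {"plc-line1"}, "partner.bob": {"plc-line2"}}

OUTSIDE = {INTERNET, ENTERPRISE}
INSIDE = {MANUFACTURING, CELL_AREA}

# The hop sequence of a compliant session (constructed).
FULL_PATH = [
    ("remote-laptop", "edge-fw", "ipsec"),
    ("vpn-pool", "plant-fw-portal", "https"),
    ("plant-fw-portal", "ras", "rdp"),
    ("ras", "plc-line1", "enip"),
]


def acl_permits(src, dst, proto):
    """Default-deny lookup: a flow is allowed only if an explicit permit rule matches."""
    return Rule(src, dst, proto) in ACL


def dmz_bypasses(acl):
    """Audit a rule list for flows that enter the manufacturing or cell/area
    zones straight from the Internet or enterprise zone, skipping the DMZ."""
    return [r for r in acl
            if HOSTS.get(r.src) in OUTSIDE and HOSTS.get(r.dst) in INSIDE]


def evaluate_session(user, hops, target):
    """Walk a remote session hop by hop through the defence layers.

    hops:   [(src, dst, proto), ...] in the order the session traverses them
    target: the IACS resource the user is asking for
    Returns (allowed, reason); the reason names the layer that decided."""
    if user not in AUTHENTICATED:
        return False, "AAA: user not authenticated"
    for src, dst, proto in hops:
        if not acl_permits(src, dst, proto):
            return False, f"ACL: {src}->{dst}/{proto} denied"
    if not hops or hops[-1][1] != target:
        return False, "ACL: session does not end at the requested resource"
    if target not in APP_AUTHZ.get(user, set()):
        return False, f"application security: {user} not authorised for {target}"
    return True, "permitted through all layers"


if __name__ == "__main__":
    print(evaluate_session("eng.alice", FULL_PATH, "plc-line1"))
    print(evaluate_session("partner.bob", FULL_PATH, "plc-line1"))
    # A rule letting VPN clients talk EtherNet/IP to a controller directly
    # is exactly what the audit should flag.
    print(dmz_bypasses(ACL + [Rule("vpn-pool", "plc-line1", "enip")]))
```

The two checks are deliberately separate: `evaluate_session` answers "is this particular session allowed, and which layer said no", while `dmz_bypasses` is the configuration review a plant and IT team would run together on the real ACLs, looking for any permit that lets enterprise or Internet sources into Levels 0–3 without terminating on the DMZ first. The model only covers the layers the slide names; IPS inspection and VLAN segmentation within the manufacturing zone are not represented.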
Summary
Advanced Technology Solutions: Building on the EttF Platform
Lean Manufacturing
Machine Uptime Management
Supply Chain Management
• Integrated communications (phone, radio, etc.), presence, and applications
• Plantwide wireless access—for guests and manufacturing personnel
• Wi-Fi asset tracking using location-based mobility services
Combining Remote Access with Collaboration for Remote Expert Support
Source: Cisco IBSG Automotive 2009

Solutions Require Partnerships
Roadmap to Operations Excellence
Ethernet to the Factory
Secure Wireless Plant
Location-Based Services
Industrial Wireless Video Surveillance
Plant VoWLAN

• Achieve real-time visibility and integration with business systems
• Efficiently expand plant-monitoring capabilities
• Locate and track valuable assets and resources
• Boost efficiency and security of manufacturing assets
• Communicate in real-time, regardless of location
• Protect and secure production assets
• Integrate data, voice, video, and sensor networks
• Optimize the movement of material and people
• Deploy rapidly and cost-effectively in harsh locations
• Improve efficiency and mobility of communications
Where to Find More Information
Website
• Operations Excellence (Internal)
• Operations Excellence (External)
Design guides
• Rockwell Automation and Cisco – Converged Plantwide Ethernet - DIG 2.0
• ODVA—Network Infrastructure for EtherNet/IP: Introduction and Considerations
• ODVA—EtherNet/IP Media Planning and Installation Manual
Education series
Whitepapers
• Securing Manufacturing Computer and Controller Assets
• Production Software within Manufacturing Reference Architectures
• Achieving Secure Remote Access to Plant Floor Applications and Data
Cisco Manufacturing Solutions
• Not just products…business solutions
• Unrivaled partnerships…tailored for manufacturing
• Roadmaps for solutions to address manufacturing needs
• Scalable architectures provide platform for growth