L03 - Applying Advanced EtherNet/IP™ Features in Converged Plant-wide Ethernet Systems

Networks Infrastructure and Security Portfolio Overview Addressing the needs of Automation… Stratix 5900™ ArmorStratix™ 5700 Stratix 8000™/Stratix 8300™ Stratix 5100™ Stratix 5410™ …and Operations and IT Stratix 5700™ Stratix 2000™ Stratix 5400™ 1783-NATR Advanced switching, routing and security features Plant-floor and Enterprise integration Common tools for Controls and IT “On-Machine™” connectivity Wireless connectivity Improved Maintainability Customization based on your plant’s needs

Stratix Managed Switch Positioning 19" rack mount design with Layer 2 or Layer 3 routing and 10 Gigabit support Stratix 5400™ Supports Layer 2 and Layer 3 routing capabilities with an all Gigabit (GE) platform Stratix 8000™/Stratix 8300™ Supports Layer 2 and Layer 3 routing with expansion modules for maximum flexibility Stratix 5700™/ArmorStratix™ 5700 Support Layer 2 switching with NAT, PoE and integrated DLR

Simplified Setup and Maintenance Common Configuration and Support Tools Configure, Manage and Diagnose your network with familiar tools Automation (OT) Professionals FactoryTalk® Services tightly integrate into the Integrated Architecture® system Studio 5000AOP, Predefined Logix tags FactoryTalk® View Faceplates – Sample Code website Device Manager web Interface IT Professionals Cisco IOS software and Command Line Interface (CLI) IT management tools: Cisco CNA, CiscoWorks, Cisco Prime, SNMP-based tools Tight integration into joint Cisco and Rockwell Automation® Converged Plantwide Ethernet (CPwE) Architecture

Stratix 5700 Managed Switches Stratix 5700™ Advanced Features Power over Ethernet (PoE and PoE+) delivers power over a single Ethernet cable Network Address Translation (NAT) reduces commissioning time Integrated Device Level Ring (DLR) connectivity helps optimize the network architecture and provide consolidated network diagnostics Optimized Integration Embedded Cisco technology provides integration with enterprise network FactoryTalk® View Faceplates for status monitoring and alarming Predefined Logix tags help diagnostics retrieval Studio 5000® add-on profiles for configuration and monitoring Simplified Setup & Maintenance SD card for easy device replacement Default configurations Common Smartports DHCP per port IP addressing Diagnostics and tools Enhanced Security Options Application/project based port access for machine protection Encrypted administrative traffic and advanced security features such as centralized authentication for plant protection Let’s go into depth on each of these four key values – in the next several slides.

ArmorStratix 5700 Managed Switches ArmorStratix™ 5700 Access Switching Using virtual LAN (VLAN) with trunking from plant cell to cell Quality of Service (QoS) Power over Ethernet (PoE) delivers 48 V DC or 54V DC of power over the same copper cable as Ethernet Network Address Translation (NAT) reduces commissioning time Efficient Design Built-in SD card for simplified device replacement Gigabit ports (X-coded) for high performance Optimized Integration with Single Network Embedded Cisco technology provides integration with enterprise network FactoryTalk® View Faceplates for status monitoring and alarming Studio 5000® add-on profiles for configuration and monitoring “On-Machine™” Technology IP67-rated for dust and washdown protection Rugged M12 (D-coded) Ethernet connectors for extreme environments

Stratix 8000/Stratix 8300 Modular Managed Switches Access Switching Stratix 8000™ / Stratix 8300™, Layer 2 switch using virtual LAN (VLAN) with trunking from plant cell to cell Quality of Service (QoS) Provides storm control with alarming Distribution Routing Stratix 8300, Layer 3 routing providing connection from the plant to enterprise Optimized Integration Embedded Cisco technology provides integration with enterprise network FactoryTalk® View Faceplates for status monitoring and alarming Studio 5000® add-on profiles for configuration and monitoring Enhanced Scalability with Expansion Modules Multiple configuration options for increased distance, speed and transmission wavelength PoE, SFP and additional port options available for up to 26 ports

Stratix 5400 Managed Switches Advanced Networking Features Power over Ethernet (PoE) for simplified end device wiring Network Address Translation (NAT) reduces commissioning time Enhanced security options Stratix 5400™ Enhanced Switching and Routing All gig port options for high performance resilient network requirements Layer 3 routing capability for segmented network and plant to enterprise integration Optimized Integration Embedded Cisco technology provides integration with enterprise network FactoryTalk® View faceplates for status monitoring and alarming Predefined Logix 5000® tags for monitoring and alarming Studio 5000® Add-on Profiles (AOPs) for configuration and monitoring Simplified Setup and Maintenance Common configuration and support tools Default automation configurations Optimized “Smartport “ configurations DHCP per port device IP addressing SD card for easy device replacement

Stratix 5410 Distribution Switches Advanced Networking Features High performance capabilities with Four 10 Gigabit (GE) uplink ports and 24 Gigabit downlink ports Power over Ethernet (PoE/PoE+) support for up to 12 ports Network Address Translation (NAT) support for up to 8 ports simultaneously Enhanced security options Optimized Integration Embedded Cisco technology provides integration with enterprise network FactoryTalk® View faceplates for status monitoring and alarming Predefined Logix 5000® tags for monitoring and alarming Studio 5000® Add-on Profiles (AOPs) for configuration and monitoring Design Flexibility 19" rack mount for increased port density Front, rear and wall mounting options for ease of access Rugged design to help withstand harsh environmental conditions Support for up to two integrated power supplies with AC and DC voltage ranges Fiber support for applications where longer distance connectivity is required

Stratix 5100 Wireless Access Point and Workgroup Bridge Wireless Technology Configure as a Wireless Access Point or Work Group Bridge Connect hard-to-reach and remote areas Mobile access to equipment and key business systems Minimizes hardware and wiring Innovative Design Four external dual-band dipole antennas Supports 3x4 multiple input/ multiple-output (MIMO) feature with three spatial streams Power over Ethernet (PoE) helps minimize power connections Optimized Integration Embedded Cisco technology provides integration with enterprise network Studio 5000® add-on profiles for configuration and monitoring

Network Segmentation VLANs and Connected Routing Segmentation through smaller building blocks enables scalable, robust and future-ready network infrastructure Minimization of network sprawl Smaller fault domains Smaller broadcast domains Smaller domains of trust (security) Segmentation techniques Multiple Ethernet modules Virtual Local Area Networks (VLANs) Network Address Translation (NAT) VLANs with NAT Network segmentation through smaller Layer 2 domains must be used as building blocks in order to minimize network sprawl, and to provide scalable, robust and future-ready networks. These networks will have smaller fault domains, smaller broadcast domains and smaller domains of trust. Avoiding large layer 2 networks helps simplify network management. To create smaller Layer 2 domains, you must leverage – Structure: users should create smaller Layer 2 Cell/Area Zone logical network segments of IACS devices organized by function or geographic area. Segmentation: To reduce network latency and jitter, the CPwE model recommends segmenting and prioritizing network traffic. Segmented networks (Layer 2 – VLANs and Layer 3 – Subnet, Services Router) reduce the impact of broadcast and multicast traffic. VLANs segment network traffic and help restrict broadcast and multicast traffic as well as simplify security policy management. As a best practice, use the layer 3 distribution switches to route information between Cell/Area Zone VLANs and plant-wide operations in the Industrial Zone.

Network Address Translation (NAT) What is NAT? NAT is a service that allows the translation of a packet from one IP address to another IP address: NAT One to Many (1:n) – allows multiple devices to share one “public” IP address, most common for Internet connections NAT One to One (1:1) – allows the assignment of a unique “public” IP address to an existing “private” IP address NAT in Layer 2 switches (Stratix 5700/5400/5410 only): Hardware-based translations with NO impact on performance Supports multiple VLANs through NAT boundary NAT in Layer 3 devices Software-based translations with CPU loading NAT device acts as the default gateway (router) for the devices on the inside network Outside Subnet (ex. 10.0.0.x) Inside (Private) Subnet (ex. 192.168.1.x) NAT-enabled device NAT allows a single device, commonly a router, to act as an agent between the Internet (public network) and the private network. For example, this means that only a single, unique IP address is required to represent an entire group of computers. NAT is a service that allows the translation of a packet from one IP address to another. It can take a number of different forms and work in several different ways, but mapping and lookup tables are the basic tools behind NAT. The focus of this lab is NAT one to one (which is currently supported on some Rockwell Automation devices) which allows the assignment of a unique “public” IP address to an existing “private” IP address (belonging to an end device). The end device can thus communicate on both the “public” and “private” networks by using an “alias” of the IP address physically programmed on the end device.

Layer 2 vs. Layer 3 NAT Layer 3 Layer 2* Typically a software implementation NAT device acts as the default gateway (router) for the devices on the inside network NAT device will intercept traffic, perform translation, and route traffic Translations are handled by the NAT CPU Performance of translation is directly tied to the loading of the NAT CPU Hardware-based implementation NAT device does not act as a router and uses two translations tables – inside to outside and outside to inside Performance is at wire speed throughout switch loading Supports multiple VLANs through NAT boundary enhancing segmentation flexibility (Communication between VLANs requires a separate layer 3 device) There are distinctions between Layer 2 and Layer 3 NAT implementations: At layer 3, NAT is typically a software implementation where the NAT device acts as the default gateway (router) for the devices on the inside network. This NAT device will intercept traffic, perform the Network Address Translation and route traffic. Performance is typically lower at Layer 3 than Layer 2 as translations are handled by the NAT CPU. At layer 2, however, NAT is a hardware-based implementation where the NAT device does not act as a router and uses two translation tables: an inside to outside and outside to inside table. Performance in this case at wire speed. Layer 2 NAT devices support multiple VLANs through the NAT boundary thus enhancing segmentation flexibility. Layer 2 NAT is available on only the Stratix 5700 switch. *Layer 2 NAT is available only in the Stratix 5700™ and 5400™ switches

NAT Capable Devices Stratix 5700™ Stratix™ 5400TM Stratix™ 5900TM 9300-ENA 1783-NATR Catalog Number Integrated - 1783-BMS10 GGN or 1783-BMS20GGN Integrated – 4 GE port Layer 2, All GE port Layer 2, All GE port Layer 3 1783-SRKIT Port count 10 or 20-port versions (select versions) 8, 12 16 and 20-port versions (all versions) 1 Gb, 4 FE 2, plus configuration port 2 Configuration Web Interface Integrated Architecture® Studio 5000® Interface Command Line Interface Stratix™ Configurator SW Electronic Data Sheet (EDS) Add-on Profile (AOP) Performance Best – HW Wire-speed Translations Better – SW implementation Better – SW implementation Nested NAT 2 levels Port Speed 2 - 1 Gb ports 4 – 1 Gb ports 1 - 1 Gb port 1–100 Mb port Supported Topologies Star Ring Redundant Star Ring or Dual Ring Translations supported 128 with subnets No fixed limit 128 32 * 128 individual NAT Entries per NAT table. An entry can be an entire subnet.

Device Manager will be used to complete all configurations Lab Agenda This lab will demonstrate Network Address Translation (NAT), VLAN segmentation, and Connected Routing Lab 1 will show how to set up NAT for a single VLAN Architecture Lab 2 will demonstrate: VLAN assignment and network segmentation Connected Routing NAT in a multi-VLAN (Layer 3) Architecture Device Manager will be used to complete all configurations

Lab 1 – Single VLAN (Layer 2) Architecture A common situation that machine builders find themselves in, is one where there is already a single, flat network on the manufacturing floor. The addition of a new machine or line would add numerous devices to a limited network space. Many of these on-machine devices do not need to communicate with devices outside of the machine. This is where layer 2 NAT can be leveraged to integrate one or more machines to an existing network, without having to assign unique addresses to each machine IP enabled component. The network diagram depicts a layer 2 network, in that the inside and outside zones comprise only one VLAN. The inside zone would be the equivalent of a machine being added into a larger outside network. A layer 3 device with routing capability is not required since all network traffic in this network stays within the same VLAN. We want to add several machines to our current architecture. Each machine will have identical equipment and network architecture. In order for us to have the same IP addressing for all the additional machines we will need to implement layer 2 NAT. Each Station has a Line controller for supervisory control and a Machine controller for machine level operation. We want to maintain only one Studio 5000 program for all future machines instead of having to reconfigure every device on each machine with new IP addresses to connect to the plant network. We will have to configure NAT in the Stratix 5700 such that devices with existing “Private” IP addresses will be assigned a unique “Public” address. We will also have to configure Public devices with unique Private IP address. This allows communication to and from the devices on the private (inside) side and public (outside) side as shown on this slide. We will configure NAT to allow communication (produce/consume) between the two controllers (Line and Machine) that will trigger the I/O lights to flash through a sequence. For the purposes of this lab, the upper ControlLogix chassis in your demo box represents the Machine controller and the lower chassis represents the Line controller.

Lab 2 – Multi-VLAN (Layer 3) Architecture VLAN Segmentation Connected Routing NAT Now consider a scenario where we want to add several identical machines to our current process. Each machine will have identical equipment and network architecture. In order for us to have the same IP addressing for all additional machines we will still need to utilize NAT but not NAT in a layer 2 architecture. Knowing we will have a large network, we don’t want to create one big flat network. So we will add various levels of network segmentation by adding multiple VLANs and routing to our new architecture. We will utilize all the equipment in our demo box to create our new architecture. In this Layer 3 architecture, the Line Controller will be configured on VLAN20 and the PC will be configured to VLAN30. The Machine device’s private IP addresses will be translated to the configured VLAN10 addresses. In order for this architecture to work, we will need to configure routing in the Stratix 8000. We will configure Connected Routing which enables all devices on any VLAN that use the switch to communicate with each other if they use the switch as their default gateway. The Line controller will be used for the supervisory control and a Machine controller for machine level operation. In this lab, we will re-configure the previous NAT configuration in the Stratix 5700 switch that will enable devices with existing “Private” IP addresses to be assigned a unique “Public” addressing allowing communication to and from the devices on the private (inside) side and public (outside) side as show in the above architecture. Instead of using a Public to Private translation, a default gateway needs to be assigned to the instance. The new configuration will allow communication (produce/consume) between the two controllers (Line and Machine) that will trigger the I/O lights to turn ON.