Network Segmentation


Presentation Transcript


  1. Network Segmentation KTAC – Dan Pelton, Tony Bishop, Tom Herbstreith

  2. Agenda 1. Plant Layout Review 2. Control Network Specifications 3. Control Network Strategies 4. Demo 9300-ENA (NAT)

  3. Company – Kendall Brewing Company Kendall Brewing Company

  4. Raw Material Area

  5. Brewing Area

  6. Filling Area

  7. Packaging Area

  8. Shipping Area

  9. Office Area

  10. Sampling Area

  11. Plant Layout

  12. Control Network Specifications
      1. Each control panel has a switch
      2. Equipment shall be accessible from the plant network
      3. Equipment shall be interlocked
      4. Network traffic shall be controlled
      5. Security / limited access

  13. Plant Network Layout per I.T. (diagram: Filling, Brewing, Shipping, Raw Material, Packaging and Finished Goods areas served by IDFs that uplink to the MDF in the Office / Data Center). Plant VLANs: PCs = 101 – 10.10.172.XX; Phones = 102 – 10.10.178.XX; Video = 103 – 10.10.188.XX

  14. Network Options?
      1. Physical controls network with one convergence point
      2. VLANs using the existing plant backbone
      3. Network Address Translation (NAT)
      4. CIP Bridges

  15. Rockwell / Cisco Model

  16. Rockwell / Cisco Model

  17. Physical Controls Network (diagram: a separate Controls MDF and controls IDFs reach the Control Panel in each area, in parallel with the Plant MDF and plant IDFs serving Brewing, Filling, Shipping, Raw Material, Packaging, Finished Goods and the Office / Data Center). Plant VLANs unchanged: PCs = 101 – 10.10.172.XX; Phones = 102 – 10.10.178.XX; Video = 103 – 10.10.188.XX

  18. Physical Controls Network (diagram by level): Level 4 & 5; DMZ; Level 3; Level 2 – Brewing Area, Filling Area, Packaging Area; Level 0 & 1 – System 1 and System 2, each with I/O, PLC, HMI and VFD drive

  19. VLANs (diagram: the Control Panel in each area hangs off the plant IDFs, which uplink to the MDF in the Office / Data Center; areas Filling, Brewing, Shipping, Raw Material, Packaging, Finished Goods). Plant VLANs: PCs = 101 – 10.10.172.XX; Phones = 102 – 10.10.178.XX; Video = 103 – 10.10.188.XX

  20. VLANs. Plant VLANs: PCs = 101 – 10.10.172.XX; Phones = 102 – 10.10.178.XX; Video = 103 – 10.10.188.XX. Control VLANs: Brewing Area = 201 – 192.168.1.XX; Filling Area = 202 – 192.168.5.XX; Packaging Area = 203 – 192.168.15.XX. (Diagram by level: WAN / Internet above Level 4 & 5 Plant MDF; Level 3 Plant IDFs carrying VLANs 101, 102, 103, 201, 202 and 203 on shared trunks; Stratix 5900 – Security between Level 3 and Level 2; Level 2 – Brewing Area, Filling Area, Packaging Area; Level 0 & 1 – System 1 and System 2, each with I/O, PLC, HMI and VFD drive.)

  21. Network Address Translation (NAT) (diagram: a NAT device sits between each area Control Panel and the plant IDF; areas Filling, Brewing, Shipping, Raw Material, Packaging, Finished Goods; MDF in the Office / Data Center)

  22. What is NAT? Short for Network Address Translation: an Internet standard that lets a local-area network (LAN) use one set of IP addresses for internal traffic and a second set of addresses for external traffic.

  23. What is the 9300-ENA? ‘ENA’ means Ethernet Network Appliance. The ENA is a three-port network device that translates IP addresses between two networks; its uplink and local ports carry the traffic being translated. Network address translation is called ‘NAT’.

  24. Ethernet Interfaces (ports)
      • The two main Ethernet ports are called ‘uplink’ and ‘local’. Customer traffic flows through these two ports.
      • Other names for these two ports are: outside or public (uplink); inside or private (local).
      • The ‘Config’ port is intended as a secure port when remote (network) configuration is not desired.

  25. Basic Example (screenshot taken from the ENA web server)

  26. Machine to Machine Example. Messages can go from any source (uplink or local network) to any destination as long as the addresses are in the translation table(s).

  27. Functionality Supported
      • Supported: RSLogix 5000, HTTP, RSLinx, FTView, unicast I/O and produced tags, unicast EtherNet/IP Safety (with the exception of 1791ES devices), web browsing, ping, etc.
      • Limit of 2 levels of NAT (2 ENAs in a linear topology)
      • IP addresses in the NAT table are translated. All others are blocked.
      • Not supported: multicast. CIP Sync* (aka PTP, IEEE 1588) and CIP Motion always use multicast. Multicast is an option for Safety EtherNet/IP and standard EtherNet/IP.
      * In addition to not supporting multicast, the ENA was not designed to support any CIP Sync feature, including ENA latency offset (input-to-output latency).
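To make the table rules on slides 22 to 27 concrete, the following Python model of a 1:1 NAT appliance is added here as an example; it is not part of the presentation and not Rockwell product code. It encodes three rules from the slides: addresses in the table are translated, everything else is blocked, and multicast is never forwarded. The per-direction behaviour (source rewritten on local to uplink, destination rewritten on uplink to local), the address plan (skid-side 192.168.1.x reused on identical skids, plant-side 10.10.172.x "assigned by plant I.T.", an area-level 172.16.1.x tier for the two-level case) and all device roles are assumptions of the model, not a description of the ENA's internals.

```python
"""Model of a 1:1 NAT appliance in the style of the 9300-ENA slides.

Added example, not from the original presentation and not Rockwell code.
Rules modelled: table entries are translated, unlisted addresses are
blocked, multicast is never forwarded. All addresses are assumed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address as IPv4
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class Packet:
    src: IPv4
    dst: IPv4


class OneToOneNat:
    """Two forwarding ports: 'local' (inside/private) and 'uplink' (outside/public).

    table maps each local address to the uplink address that represents it.
    """

    def __init__(self, table: Dict[str, str]) -> None:
        self.local_to_uplink = {IPv4(k): IPv4(v) for k, v in table.items()}
        self.uplink_to_local = {v: k for k, v in self.local_to_uplink.items()}
        if len(self.uplink_to_local) != len(self.local_to_uplink):
            raise ValueError("1:1 NAT needs a distinct uplink address per entry")

    def from_local(self, pkt: Packet) -> Optional[Packet]:
        """Frame enters on the local port: rewrite the source to its public
        address. A source with no table entry is dropped (None)."""
        if pkt.dst.is_multicast:
            return None  # multicast (CIP Sync, CIP Motion, multicast I/O) is never forwarded
        public = self.local_to_uplink.get(pkt.src)
        if public is None:
            return None  # not in the table: blocked
        return Packet(public, pkt.dst)

    def from_uplink(self, pkt: Packet) -> Optional[Packet]:
        """Frame enters on the uplink port: the destination must be a public
        address in the table and is rewritten to the private address."""
        if pkt.dst.is_multicast:
            return None
        private = self.uplink_to_local.get(pkt.dst)
        if private is None:
            return None  # plant-side traffic to an unlisted address: blocked
        return Packet(pkt.src, private)


def outbound_through(chain: Iterable[OneToOneNat], pkt: Packet) -> Optional[Packet]:
    """Carry a packet out through nested appliances, innermost first.
    The first appliance that blocks it ends the walk (slides allow two levels)."""
    for nat in chain:
        pkt = nat.from_local(pkt)
        if pkt is None:
            return None
    return pkt


def brewery_scenario() -> Dict[str, Optional[Packet]]:
    """Constructed traffic for two identical filling skids that were both
    commissioned with PLC 192.168.1.10 and HMI 192.168.1.20 (assumed)."""
    skid1 = OneToOneNat({"192.168.1.10": "10.10.172.21", "192.168.1.20": "10.10.172.22"})
    skid2 = OneToOneNat({"192.168.1.10": "10.10.172.31", "192.168.1.20": "10.10.172.32"})
    ws = IPv4("10.10.172.50")  # engineering workstation on the plant PC VLAN (assumed)
    plc = IPv4("192.168.1.10")
    out: Dict[str, Optional[Packet]] = {}

    # RSLogix 5000 on the workstation goes online with the skid 1 PLC and gets a reply
    out["ws_to_skid1_plc"] = skid1.from_uplink(Packet(ws, IPv4("10.10.172.21")))
    out["skid1_plc_reply"] = skid1.from_local(Packet(plc, ws))

    # Machine to machine: skid 1 PLC produces a tag consumed by skid 2's PLC.
    # Skid 2 must be configured with skid 1's public address, not 192.168.1.10.
    hop1 = skid1.from_local(Packet(plc, IPv4("10.10.172.31")))
    out["m2m_to_skid2"] = skid2.from_uplink(hop1) if hop1 else None

    # Not in the table: a laptop plugged into the skid switch, and a plant-side
    # scan of an unused public address. Both are dropped.
    out["laptop_blocked"] = skid1.from_local(Packet(IPv4("192.168.1.99"), ws))
    out["scan_blocked"] = skid1.from_uplink(Packet(ws, IPv4("10.10.172.23")))

    # Multicast I/O from a listed PLC is still dropped
    out["multicast_blocked"] = skid1.from_local(Packet(plc, IPv4("239.192.1.1")))

    # Two levels of NAT: a skid appliance behind an area appliance (172.16.1.x assumed)
    skid3 = OneToOneNat({"192.168.1.10": "172.16.1.10"})
    area = OneToOneNat({"172.16.1.10": "10.10.172.41"})
    out["two_level"] = outbound_through([skid3, area], Packet(plc, ws))
    return out
```

Two points the model makes visible. First, the table is an address allow-list, not a protocol filter: once 10.10.172.21 is listed, every protocol the slides name as supported reaches that PLC, so the Stratix 5900 shown on slide 20 (or another filtering device) still has a job. Second, in the machine-to-machine case the consuming PLC sees the producer's public address, so produced/consumed tag configuration on skid 2 must reference 10.10.172.21 and never the duplicated 192.168.1.10.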

  28. Network Address Translation (NAT) (diagram by level): Level 4 & 5 Plant MDF (“Plant I.T. will assign available IP addresses”); Level 3 Plant IDFs; Stratix 5900 – Security (note: the Stratix 5900 and 5700 support NAT); Level 2 – a 9300-ENA performing NAT in front of each Brewing Area system; Level 0 & 1 – System 1 and System 2, each with I/O, PLC, HMI and VFD drive

  29. CIP Bridge (diagram: same plant layout as slide 13, with the Control Panel in each area reached through a ControlLogix chassis; areas Filling, Brewing, Shipping, Raw Material, Packaging, Finished Goods; MDF in the Office / Data Center). A second ENxT module is required in each 1756 chassis. Plant VLANs: PCs = 101 – 10.10.172.XX; Phones = 102 – 10.10.178.XX; Video = 103 – 10.10.188.XX

  30. CIP Bridge (diagram by level): Level 4 & 5 Plant MDF (“Plant I.T. will assign available IP addresses”); Level 3 Plant IDFs (for secure access use a 1756-EN2TSC); Level 2; Level 0 & 1 – Brewing Area System 1 with I/O, PLC, HMI and VFD drive

  31. Segmentation Methods - Review

  32. Thank you!
