Escolar Documentos
Profissional Documentos
Cultura Documentos
Page 2-16
Robust and Secure Network Infrastructure
Enterprise Zone for IT networks
DMZ as a buffer zone to securely share data
and services
Manufacturing zone where critical production oor
systems exist
Cell/Area zone where devices and controllers reside
2009 PANDUIT / Physical Infrastructure Reference Architecture Guide 1.0
Section 2.4: Rockwell Automation & Cisco Systems
Page 2-17
Developed against tested and validated architectures
Hierarchical approach to segment key network
functions
Multiple topologies
Security built-in
High-availability options
Cisco Validated Design I
Network infrastructure services
Standard Ethernet, Standard IP, and EtherNet/IP
(Standard)
Expandable for future functions
2009 PANDUIT / Physical Infrastructure Reference Architecture Guide 1.0
Section 2.4: Rockwell Automation & Cisco Systems
Page 2-18
Industrial Ethernet Reference Architecture Best Practices
Manufacturing Zone best practices
Replicate critical services in the manufacturing zone,
consider the following:
- Domain Services e.g. LDAP or Active Directory
- Naming services e.g. DNS & WINS
- IP Address services e.g. DHCP
- Time services e.g. NTP or PTP
Availability: apply redundant network routers/switches
and links to maintain overall network availability
Scalability: small sites use combined core and
distribution switches; larger or growing sites should
separate to avoid oversubscription on uplinks.
Deploy Security and Network Management
Routing: Use link-state routing protocols or EIGRP for
Layer 3 load balancing and convergence
- Use EIGRP to simplify conguration
- If standard protocols are required, use OSPF
or IS-IS
No overlapping IP addresses with enterprise network. No
redundant IP addresses (Network Address Translation is
maintenance overhead).
Cell/Area Zone Design best practices
Design small Cell/Area zones in a VLAN to better
manage and shape the trafc devices that need to talk
to each other in one VLAN.
Use Managed Switches
Connect in Full-duplex mode to avoid collisions
Use Gigabit Ethernet ports for trunks/uplinks for lower
latency & jitter
Use IGMP Snooping/Querier functions to control CIP
multicast trafc volume
Use resilient network topologies, Ring or preferably
Redundant Star. Use RSTP to manage loops, recover
from connectivity loss for network convergence.
Apply port security to limit use of open ports.
Enable Layer 2 security features to protect
Cell/Area zone.
Security best practices
Implement network-wide security that is fully embedded into
the network infrastructure, to protect against and prevent
who has network access and what they can do.
Rockwell Automation Network & Security Services
e.g. consulting and audits
Device Hardening
Threat defense
- Defending the edge
- Protecting the interior
- Guarding the endpoints
Manufacturing and Enterprise Zone barrier with
Demilitarized zone (DMZ)
DMZ best practices
Only path to the Manufacturing zone
No Trafc traverses the DMZ.
- No common protocols in each logical rewall
Set-up functional sub-zones in the DMZ to segment
access to data and services (e.g. Partner zone)
Be prepared to turn-off access via the rewall
No Control Trafc into the DMZ
(or at a minimum not out of the DMZ)
Limit outbound connections from the DMZ
2009 PANDUIT / Physical Infrastructure Reference Architecture Guide 1.0
Section 2.4: Rockwell Automation & Cisco Systems