Building Converged Plantwide Ethernet (CPwE) Architectures
PUBLIC | TechEd | #ROKLive | Copyright ©2019 Rockwell Automation, Inc. 3
Abstract
Presented by Cisco Systems and Rockwell Automation, learn the importance of using reference architectures to build scalable, reliable, safe, secure, and future-ready network architectures. This discussion provides an overview of the CPwE architectures, why they're important, what's new, and how these architectures combined with products, services and solutions support successful deployment of The Connected Enterprise. A prior understanding of general Ethernet concepts, or attendance of the Fundamentals of EtherNet/IP IIoT Network Technology session is recommended.
Other CPwE Related Sessions
Converged Plantwide Ethernet (CPwE) Architectures
• NT01 - Fundamentals of EtherNet/IP IIoT Network Technology
• NT02 - Fundamentals of CIP (EtherNet/IP) Packet Delivery Process
• NT03 - Building Converged Plantwide Ethernet Architectures
• NT04 - Design Considerations for Reliable EtherNet/IP Networking
• NT05 - Deploy Resilient Network Architectures for The Connected Enterprise
• NT06 - Applying EtherNet/IP Network Features for High-Performance Machine-level Architectures
• NT07 - The Next Phase of the IT/OT Integration - Extending IT Security to the Cell/Area Zone of the Plant Architecture
• NT08 - Selecting the Right Stratix® Switch for your Application
• NT09 - Stratix Traffic Visibility Capabilities
• NT10 - Basic Stratix® Switch and EtherNet/IP Features in Converged Plantwide Ethernet (CPwE) Architectures
• NT11 - Advanced Stratix® Switch and EtherNet/IP Features in Converged Plantwide Ethernet (CPwE) Architectures
• NT12 - Improve Visibility and Diagnostics of your network with FactoryTalk® Network Manager™ (FTNM) Software
• SS17 - Introduction to Network Security Lab
• SS18 - Deploy Secure Network Architectures for The Connected Enterprise
Key Takeaways
• Ecosystem Collaborations
• Cisco / Rockwell Automation
• Twelve plus years of collaboration to help enable OT-IT convergence - trusted domain experts in OT and IT
• Ground-breaking networking and security solutions
• Content relevant to both OT and IT personnel
• Panduit / Rockwell Automation
• Seven plus years of collaboration to enable OT-IT convergence
• Physical Layer Solutions for the Connected Enterprise
• Mining Smart Industry Architecture (SIA), testing and validation
• Cisco / Panduit / Rockwell Automation
• Standards – for example, Single Pair Ethernet
• Workforce development - people and process optimization
• Converged Plantwide Ethernet (CPwE)
• Cisco, Panduit, and Rockwell Automation ecosystem
• A holistic blueprint for digital transformation
• Proven reference architectures - collection of architected, tested & validated designs
• Design and Implementation Considerations
• Prepare industrial operations for the future:
• Helping to enable business agility, optimize production yield and minimize risk
• Helps customers to reduce their costs by:
• Simplifying design, enabling quicker deployment, and reducing risk in deploying newer technologies
• Enables OT-IT Collaboration and Convergence:
• Reliable and Secure Industrial IoT Architectures
• Industrial IT (bridging OT-IT)
Agenda
• Cisco - Rockwell Automation Strategic Alliance
• Challenges Associated with Converged Architectures that CPwE Helps to Address
• Introduction to Converged Plantwide Ethernet (CPwE) Reference Architectures
• Key Tenets of CPwE Architectures
• Additional Material
• Training Resources
Cisco - Rockwell Automation Strategic Alliance
Market pressures are putting productivity and profitability at risk for industrial operations
• Security Risks and Threats: 28% of manufacturing organizations reporting a loss of revenue due to security incidents in the last year
• Rapid Globalization: $25 Trillion Global GDP growth from 2000 to 2016, facilitated by rapid globalization
• Industrial IoT: By 2020, the number of vertical-specific Industrial IoT business devices: 3.2 Billion
• Aging Infrastructure: 87% of manufacturing executives report that aging infrastructure impacts their operations
Modernization through digital transformation is needed…
Modernization is complex and must address numerous pain points
• Limited Security: Traditional security approaches are not robust enough to mitigate newer security threats
• Siloed Networks: Aging infrastructure results in proprietary networks and solutions that increase network complexity
• Data Management: The scale and volume of data being generated is difficult to capture and manage
• Solution Complexity: A plethora of market available products and solutions is confusing
• Skills Gap: Workers are not prepared to manage modern networks
Industrial IoT Architectures for The Connected Enterprise
[Figure labels: Supply Chain, Headquarters, Distribution Center, Smart Grid, Customers]
Industrial IoT Architectures for The Connected Enterprise
[Figure labels: Supply Chain, Headquarters, Distribution Center, Smart Grid, Customers; Smart Devices, Equipment, Plants/Operations; Connected Architectures; Industrial Standards; IETF; Convergence; Removable Media]
Cybersecurity Threats
• Threat Actors: Hacktivist, Internal/Insiders, Hackers, Nation States, Cyber Criminals
• Threat Types: Malware, DDoS, Spyware, Spear Phishing, Ransomware
• Increasing Risk: Powerful, yet simple to use tools are readily available
A scalable, reliable, safe, secure and future-ready Connected Enterprise requires an ecosystem of partners.
Together, Cisco and Rockwell Automation can help
Leading digital transformation for The Connected Enterprise with industrial ready, world-class control, power and information systems and IT networking and security technologies
• Trusted domain experts with a strategic alliance
• Committed to future industry success
• Dedicated to developing ground-breaking solutions
• Global leader in industrial control, power and information solutions
• Worldwide leader in IT networking and security
Introducing Converged Plantwide Ethernet (CPwE), a holistic blueprint for digital transformation
[Figure: The CPwE Converged Network Architectures. Labels: Industrial Operations, Enterprise, Cloud; Business Systems, Production Systems; Hybrid-Cloud; Site A, Site B; Unified Wireless; Industrial Data Center; Industrial Security/Safety; Network/Security Standards; Smart IIoT Devices; OEM Convergence Ready; EtherNet/IP / OPC UA; Identity/Mobility Services; Data Servers, Dashboards, Office Applications; Internetworking; Smart Devices; Data Storage, Datacenter, Edge; Secure and Reliable Data Sharing; User Access and Control]
• Simplify network and security design by connecting industrial operations and business systems
• An open solution that adheres to regulatory standards creates flexibility and scalability
• A converged infrastructure built on a common architecture framework makes the network data-ready
• Collection of tested and validated network and security architectures
[Figure: CPwE reference architecture diagram. Recoverable labels follow.]
Zones and levels:
• Enterprise Zone - Levels 4-5
• Industrial Demilitarized Zone (IDMZ) - Level 3.5
• Industrial Zone - Levels 0-3 (Plant-wide Network)
• Level 3 - Site Operations (Control Room)
• Cell/Area Zone - Levels 0-2 (Lines, Machines, Skids, Equipment; Instrumentation)
Topology and resiliency labels:
• Redundant LANs - Parallel Redundancy Protocol
• Enhanced Interior Gateway Routing Protocol – EtherChannel
• Hot Standby Router Protocol – Active/Standby
• Linear/Bus/Star Topology
• Redundant Star Topology - EtherChannel Resiliency
• Ring Topology - Device Level Ring (DLR) Protocol
• Redundant Star Topology - Flex Links Resiliency
• Unified Wireless LAN
Infrastructure and device labels: LAN A, LAN B, Remote Access Server, Core Switches, Distribution Switch Stack, Access Switches, Wireless LAN Controller (WLC) Active/Standby, LWAP, WGB, SSID 2.4 GHz, SSID 5 GHz, Enterprise, Identity Services, External DMZ/Firewall, IFW, IES - RedBox (Active/Standby), RedBox, Internet, Cloud, Wide Area Network (WAN), NetFlow, Thin Client, Safety Controller, Safety I/O, Robot, Servo Drive, Controller, Soft Starter, Drive, HMI, I/O
Physical or Virtualized Servers
• FactoryTalk® Application Servers and Services Platform
• FactoryTalk® Network Manager™
• Network & Security Services – DNS, AD, DHCP, Identity Services (AAA)
• NetFlow Collector - Stealthwatch
• Storage Array
Physical or Virtualized Servers
• Patch Management
• AV Server, TLS Proxy
• Application Mirror, Reverse Proxy
• Remote Desktop Gateway Server
Plant Firewalls
• Active/Standby
• Inter-zone traffic segmentation
• ACLs, IPS and IDS
• VPN Services
• Portal and Remote Desktop Services proxy
Data Center - Virtualized Servers
• ERP - Business Systems
• Email, Web Services
• Security Services - Active Directory (AD), Identity Services (AAA), TLS Proxy
• Network Services – DNS, DHCP
• Call Manager
Challenges Associated with Converged Architectures that CPwE Helps to Address
Industrial IoT (IIoT) – IACS Convergence
Challenges Associated with Converged Architectures that CPwE Helps to Address
• Flat, Open and Non-Resilient Industrial Automation and Control System (IACS) Network and Security Infrastructure: Lacks Natural Boundaries and Segmentation – Creates Larger LANs
• Structured and Hardened IACS Network and Security Infrastructure: Smaller Connected LANs - Creating Boundaries and Segmentation
OT-IT Collaboration / Convergence / Integration
Challenges Associated with Converged Architectures that CPwE Helps to Address
[Figure overlay labels: Industrial IoT, Operational Technology, Industrial IT, Internet of Things, Information Technology]
Technology / Cultural Convergence – Similarities / Differences
Challenges Associated with Converged Architectures that CPwE Helps to Address
Criteria: Environment
Industrial OT Network:
• Plant-floor
• Control Room
• Control Panel, Industrial Distribution Frame (IDF)
Enterprise IT Network:
• Carpeted Space, Data Center
• Data Communication or Wiring Closet, Intermediate Distribution Frame (IDF)

Criteria: Switches
Industrial OT Network:
• Managed and unmanaged
• Layer 2 is predominant
• DIN rail or panel mount is predominant
Enterprise IT Network:
• Managed
• Layer 2 and Layer 3
• Rack mount

Criteria: Wireless
Industrial OT Network:
• Autonomous (locally managed) – point solutions
• Mobile equipment (emerging) and personnel (prevalent)
Enterprise IT Network:
• Unified (centrally managed) solutions
• Mobile personnel – corporate provided or BYOD
• Guest access

Criteria: Computing
Industrial OT Network:
• Industrial Hardened Panel Mount Computers and Monitors
• Desktop, Notebook
• 19” Rack Server
• Virtualization - becoming prevalent
• Hardening – sporadic patching and whitelisting
Enterprise IT Network:
• Desktop, Notebook
• Tablets
• 19” Rack Server and Blade Server
• Unified Computing Systems (UCS)
• Virtualization – widespread
• Hardening - patching and whitelisting
Criteria: Network Technology
Industrial OT Network:
• Standard IEEE 802.3 Ethernet and proprietary (non-standard) versions
• Standard IETF Internet Protocol (IPv4) and proprietary (non-standard) alternatives
• Sporadic use of standard Layer 2 and Layer 3 network and security services
Enterprise IT Network:
• Standard IEEE 802.3 Ethernet
• Standard IETF Internet Protocol (IPv4 and IPv6)
• Pervasive use of standard Layer 2 and Layer 3 network and security services

Criteria: Network Availability
Industrial OT Network:
• Switch-Level and Device-Level topologies
• Ring topology is predominant for both, Redundant Star for switch topologies is emerging
• Standard IEEE, IEC and vendor specific Layer 2 resiliency protocols
Enterprise IT Network:
• Switch-Level topologies
• Redundant Star topology is predominant
• Standard IEEE, IETF, and vendor specific Layer 2 and Layer 3 resiliency protocols

Criteria: Service Level Agreement (SLA)
Industrial OT Network:
• Mean time to recovery (MTTR) - Minutes, Hours
Enterprise IT Network:
• Mean time to recovery (MTTR) - Hours, Days

Criteria: IP Addressing
Industrial OT Network:
• Mostly Static
Enterprise IT Network:
• Mostly Dynamic
Criteria: Traffic Type
Industrial OT Network:
• Primarily local – traffic between local assets
• Information, control, safety, motion, time synchronization, energy management
• Smaller Ethernet frames for control traffic
• Industrial application layer protocols: CIP, Profinet, IEC 61850, Modbus TCP, etc.
Enterprise IT Network:
• Primarily non-local – traffic to remote assets
• Voice, Video, Data
• Larger IP packets and Ethernet frames
• Standard application layer protocols: HTTP, SNMP, DNS, RTP, SSH, etc.

Criteria: Performance
Industrial OT Network:
• Low Latency, Low Jitter (1 ms, 100s ns)
• Data Prioritization – QoS – Layer 2 and 3
Enterprise IT Network:
• Low Latency, Low Jitter (100s ms, 10s ms)
• Data Prioritization – QoS – Layer 3

Criteria: Security
Industrial OT Network:
• Open by default, must secure by design, architecture and configuration
• Industrial security standards – for example, IEC, NIST
• Inconsistent deployment of security policies
• No line-of-sight to the Enterprise or to the Internet
Enterprise IT Network:
• Pervasive
• Enterprise security best practices
• Strong security policies
• Line-of-sight across the Enterprise and to the Internet
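Criteria: Focus
• Industrial OT Network: 24/7 operations, high OEE
• Enterprise IT Network: Protecting intellectual property and company assets

Criteria: Precedence of Priorities
• Industrial OT Network: Availability, Integrity, Confidentiality
• Enterprise IT Network: Confidentiality, Integrity, Availability

Criteria: Types of Data Traffic
• Industrial OT Network: Converged network of data, control, information, safety and motion
• Enterprise IT Network: Converged network of data, voice and video

Criteria: Access Control
• Industrial OT Network: Strict physical access; Simple network device access
• Enterprise IT Network: Strict network authentication and access policies

Criteria: Implications of a Device Failure
• Industrial OT Network: Production is down ($$’s/hour … or worse)
• Enterprise IT Network: Work-around or wait

Criteria: Threat Protection
• Industrial OT Network: Isolate threat but keep operating
• Enterprise IT Network: Shut down access to detected threat

Criteria: Upgrades
• Industrial OT Network: Scheduled during downtime
• Enterprise IT Network: Automatically pushed during uptime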
Lessons Learned From Customers
Challenges Associated with Converged Architectures that CPwE Helps to Address
• Corporate Culture Change Takes Time
• People, Process, and Technology changes are required for Industrial IoT and Industrial IT transformation
• Behavior changes will be necessary to achieve success
• Create an OT-IT convergence plan early
• Define business outcomes early in the process with KPIs to measure success
• Communicate and celebrate successes between locations
• Early engagement of all plant disciplines:
• Operations, Engineering, Safety, Maintenance, and IT
• The Network is Foundational
• Good technology will be trumped by bad processes; good technology will be trumped by bad data
• Data governance framework and teams must be in place before beginning
• Define out-of-scope processes and applications
• Develop a mitigation plan early
• Provide enough runway and scheduling for knowledge transfer
• A robust archiving framework and strategy is needed
Case Studies - CPwE – Proven Reference Architectures
Challenges Associated with Converged Architectures that CPwE Helps to Address

Jack Daniels
Business Challenges
• Control operating costs
• Reduce unplanned multiple-line outages to increase OEE
• Troubleshoot and maintain network infrastructure with ease to reduce MTTR
• Enable scalable, agile and a future-ready production
Products/Solutions Deployed
• CPwE Architectures – Network and Security Best Practices
• Stratix® 5700 Industrial Ethernet Switches
• Cisco Catalyst 3850 Distribution Switches
• FactoryTalk® Production and Performance Suite
Business Outcomes
• Revamped industrial network architecture with no interruption to the production floor
• Better asset optimization through scalable and more standardized, reliable, secure and future-ready to reduce MTTR and increase OEE
• Better business agility through secure OT and IT connectivity across the enterprise

Daimler Trucks NA
Business Challenges
• Deliver customized vehicles for consumers, better and faster
• Control costs by boosting manufacturing efficiency
• Improve agility and scalability to support innovation and future production needs
Products/Solutions Deployed
• CPwE Architectures – Network and Security Best Practices
• Stratix® 5700 Industrial Ethernet Switches
• Cisco Catalyst 3850 and 4500 Distribution Switches
• Cisco Aironet 3700 access points, Cisco 5508 wireless controller
• FactoryTalk® Production and Performance Suite
Business Outcomes
• Pervasive wireless connectivity can be used by employees and machines to stay connected everywhere across the plant
• Shared network helps keep managers more informed so they can predict and respond to production or supply chain issues faster
• Robust, standards-based security helps meet compliance needs
Customer Feedback: (OT-IT) Value Statements: What We Do Together
Challenges Associated with Converged Architectures that CPwE Helps to Address
• Valued resource
• Global Consumer Packaged Goods (CPG)
• To help us with our own OT-IT convergence – Industrial IT
• Proven architectures – cost reduction, risk reduction
• We’ve come to expect the testing and validation results
• Global Pharmaceutical
• Reduces our risk in deploying newer technologies
• We adapt the CPwE blueprint into our global plant and global OEM standards
• Unique in the industry
• System Integrator
• No other company, organization or consortia provides the level of testing, validation and documentation that CPwE provides
• Reduces the investment in our own test lab
• Our go-to collateral to educate our staff on Industrial IoT and Industrial IT
• We use CPwE to help us justify network and security projects
• Pharmaceutical
• Network and security architectural framework
• Best practices, design and implementation guidance
Customer Feedback: (OT-IT) Value Statements: What We Do Together
Challenges Associated with Converged Architectures that CPwE Helps to Address
Entertainment - we have adopted 12 of the 15 CPwE tested and validated architectures into our global network design and specifications for our sites and OEMs
• CPwE Model/Framework
• Industrial Network Security Framework
• CPwE WLAN – Unified Architecture
• Mobile Maintenance Personnel
• CPwE NAT
• Cloning of OEM Applications
• CPwE Identity and Mobility Services
• Identity Services PAN and PSN within Site Network – Wired and Wireless
• CPwE IDMZ
• ASA Firewall Policies between OT and IT Networks
• CPwE IFW – Industrial Firewall Policies
• CPwE Resiliency
• Stratix® 5700 switch with Redundant Star (EtherChannel), Catalyst 3850, Catalyst 4500-X with VSS
• We value the OT-IT collaboration between Rockwell Automation and Cisco
• Cost reductions
• Reduced investment and staffing into our own test labs
• Quicker startup times due to simplified designs
• Reduced risk due to documented configurations and test results
• We standardized on Stratix® switches due to CPwE
Prepare industrial operations for the future with CPwE to…
Challenges Associated with Converged Architectures that CPwE Helps to Address
• Optimize production yield: Increase connectivity and interoperability to securely connect disparate data sources, leverage data effectively, and derive insights across the enterprise
• Minimize risk: Protect physical and network assets, sensitive intellectual property, system data, and workers with a comprehensive security and safety architecture
• Enable business agility: Drive greater manufacturer efficiencies by connecting operational and business systems for end-to-end visibility and control of industrial operations
Together, Cisco and Rockwell Automation are leading the digital transformation towards a Connected Enterprise with a secure and reliable, converged network architecture that enables industrial operations to boost production yield, minimize asset risk, and enable business agility.
Introduction to Converged Plantwide Ethernet (CPwE) Reference Architectures
Industrial Network Design Methodology
Introduction to Converged Plantwide Ethernet (CPwE) Reference Architectures
• Understand application and functional requirements
• Devices to be connected – industrial and non-industrial
• Data requirements for availability, integrity and confidentiality
• Communication patterns, topology and resiliency requirements
• Types of traffic – information, control, safety, time synchronization, drive control, voice, video
• Develop a logical framework (zoning)
• Define zones and segmentation (smaller connected LANs), place applications and devices in the logical framework based on requirements
• Migrate from flat, open and non-resilient networks to structured and hardened networks
• Develop a physical framework to align with the logical framework
• Deploy a holistic and diverse defense-in-depth security model
• Reduce risk, simplify design, and speed deployment:
• Use information technology (IT) and operational technology (OT) standards
• Use reference models and reference architectures
[Figure labels: MANAGE / MONITOR, IMPLEMENT, AUDIT, DESIGN/PLAN, ASSESS; Avoiding Network Sprawl!!; Convergence-Ready OEM Solutions]
Reference Architectures
Introduction to Converged Plantwide Ethernet (CPwE) Reference Architectures
• What are reference architectures?
• Baseline architectures, considerations and best practices for design and implementation
• Reference Architectures:
• Marketectures – high-level marketing architectures and illustrations
• White papers and knowledgebase articles based on proof of concept (PoC) testing
• Accelerator Toolkits:
• Examples - Drives and Motion, Water/Wastewater
• System Configuration Drawings
• Examples – Stratix® switches, MCC, Wi-Fi, ControlLogix® controllers
• Converged Plantwide Ethernet (CPwE) Architectures:
• Cisco / Rockwell Automation Strategic Alliance
• Tested and Validated Architectures
• Test labs – Cisco, Panduit, and Rockwell Automation
• White papers, design guides, application guides
Technology, Network, Cultural and Organizational Convergence
Introduction to Converged Plantwide Ethernet (CPwE) Architectures
• Joint Product Collaboration: Combining the best of Rockwell Automation and Cisco - Stratix® 2500/Stratix 5000/Stratix 8000 families of industrial Ethernet switches, Stratix® 5950 Security Appliance, and FactoryTalk® Network Manager™ software.
• Converged Plantwide Ethernet (CPwE) Architectures: Collection of tested and validated architectures developed by subject matter authorities at Cisco and Rockwell Automation. The content of CPwE is relevant to both operational technology (OT) and information technology (IT) disciplines. CPwE consists of documented architectures, best practices, design guidance and configuration settings to help manufacturers with development and deployment of a scalable, reliable, safe, secure and future-ready plant-wide industrial network infrastructure.
• Standard and Common Technology View: A single scalable architecture, using open and standard Ethernet, IP and Wi-Fi networking technologies, enabling the Industrial Internet of Things (IIoT) to help achieve the flexibility, visibility and efficiency required in a competitive manufacturing environment.
• Workforce Development - People and Process Optimization: Education, training, certifications and services to help facilitate OT and IT technology, network and cultural convergence.
Note: not all inclusive, work in progress, subject to change without prior notice.
Converged Plantwide Ethernet (CPwE)
Introduction to Converged Plantwide Ethernet (CPwE) Reference Architectures
• Tested, validated and documented reference architectures
• Comprised of a collection of Cisco and Rockwell Automation validated architectures, following the Cisco Validated Design (CVD) program
• Developed from application and technology use cases
• Industry neutral, one-to-many approach, customers adapt to meet their application needs
• Tested for performance, availability, repeatability, scalability, and security by subject matter authorities at Cisco and Rockwell Automation CPwE test labs
• Built on technology and industry standards (IEC, IEEE, IETF)
• “Future-ready” network and security design
• Content relevant to both OT and IT Engineers
• Deliverables
• White Papers, Design & Implementation Guides - architectures, design considerations, best practices, documented test results with configuration settings
• Proven architectures:
• Helps customers to reduce their costs by simplifying their designs, accelerating their deployments, and reducing their risk in deploying new technology
Collection of Architected, Tested & Validated Designs
Introduction to Converged Plantwide Ethernet (CPwE) Reference Architectures
CPwE Test Labs
• Rockwell Automation – Mayfield Heights, OH
• Cisco – Raleigh, NC (RTP)
• Panduit – Tinley Park, IL
[Figure: timeline of CPwE design guides. Legend: Existing, Recently Published, Work in Progress]
• CPwE Baseline: Sept. 2010 / 2011, Update 2019
• CPwE WLAN: Nov. 2014
• CPwE NAT: May 2015
• CPwE Identity & Mobility: June 2015, Feb. 2018
• CPwE IDMZ: July 2015, May 2017, Update 2019
• CPwE Resiliency: Dec. 2015, Feb. 2018, Update 2019
• CPwE Migration: Jan. 2016, Update 2020
• CPwE VPN: March 2016
• CPwE Industrial Firewall: Dec. 2016, Update 2020
• CPwE OEM: Oct. 2017
• CPwE DLR: April 2018, April 2019, Dec. 2019
• CPwE Cloud: April 2018, Update 2019
• CPwE IDC: May 2018, Update 2020
• CPwE Network Security: Dec. 2018, Update 2020
• CPwE Time Sync: May 2019, Update 2020
• CPwE PRP: Summer 2019
• CPwE CIP Security: Fall 2019
Note: not all inclusive, work in progress, subject to change without prior notice.
CPwE Industrial Security Framework
Introduction to Converged Plantwide Ethernet (CPwE) Architectures
[Figure: CPwE industrial security framework diagram. Recoverable labels follow.]
Zones and levels:
• Enterprise Zone: Levels 4-5
• Industrial Demilitarized Zone (IDMZ)
• Industrial Zone: Levels 0-3
• Level 3 – Site Operations
• Level 2 – Area Supervisory Control
• Level 1 - Controller
• Level 0 - Process
Physical or Virtualized Servers
• Patch Management
• AV Server, TLS Proxy
• Application Mirror, Reverse Proxy
• Remote Desktop Gateway Server
Personas
• Control System Engineers (OT)
• Control System Engineers in Collaboration with IT Network Engineers (Industrial IT)
• Security Architects (IT) in Collaboration with Control Systems Engineers
Frameworks and standards
• Defense-in-Depth - Architectural Best Practices for Holistic and Diverse Threat Detection and Protection
• IEC 62443 - Zones & Conduits; Availability, Integrity, Confidentiality
• NIST 800-82 - Cybersecurity Framework; Identify, Protect, Detect, Respond, Recover
• DHS/INL/ICS-CERT - Recommended Practices
Other diagram labels: MCC, Soft Starter, I/O, Controller, Drive, FactoryTalk® Client, LWAP, WGB, SSID 2.4 GHz, SSID 5 GHz, Wireless LAN Controller (WLC) Active/Standby, Core Switches, Distribution Switch Stack, Enterprise Identity Services, External DMZ/Firewall, IFW, Internet, Cloud, OpenDNS
OT-IT Collaboration / Convergence / Integration
Introduction to Converged Plantwide Ethernet (CPwE) Architectures
[Figure: OT Platform (FactoryTalk® Network Manager™) labelled VISIBILITY and IT Platform (ISE) labelled INTENT, with pxGrid and CONTEXT labels between them. Also labelled: Industrial Ethernet Switching, Next Generation Firewall, Stealthwatch, SXP (IP to SGT Mappings). Industrial assets shown: Controller, HMI, Drive, I/O, using CIP and other protocols.]
Network Security Use Cases
• Dynamic Security Group Segmentation
• On-Demand Remote Access
• Context based Anomaly Detection
OT Intent-Based Security
Visibility into OT IIoT Devices, Context & Intent from OT users, Enforcement by IT
Collection of Architected, Tested & Validated Designs
Introduction to Converged Plantwide Ethernet (CPwE) Reference Architectures
Topic | Design Guide | Whitepaper
Design Considerations for Securing IACS Networks | N/A | ENET-WP031A-EN-P
Converged Plantwide Ethernet – Baseline Document | ENET-TD001E-EN-P | N/A
Deploying 802.11 Wireless LAN Technology within a Converged Plantwide Ethernet Architecture | ENET-TD006A-EN-P | ENET-WP034A-EN-P
Deploying Identity and Mobility Services within a Converged Plantwide Ethernet Architecture | ENET-TD008B-EN-P | ENET-WP037C-EN-P
Securely Traversing IACS Data Across the Industrial Demilitarized Zone (IDMZ) | ENET-TD009B-EN-P | ENET-WP038B-EN-P
Deploying Network Address Translation within a Converged Plantwide Ethernet Architecture | ENET-TD007A-EN-P | ENET-WP036A-EN-P
Migrating Legacy IACS Networks to a Converged Plantwide Ethernet Architecture | ENET-TD011A-EN-P | ENET-WP040A-EN-P
Deploying A Resilient Converged Plantwide Ethernet Architecture | ENET-TD010B-EN-P | ENET-WP039D-EN-P
Deploying Industrial Firewalls within a Converged Plantwide Ethernet Architecture | ENET-TD002A-EN-P | ENET-WP011B-EN-P
Deploying Device Level Ring within a Converged Plantwide Ethernet Architecture | ENET-TD015C-EN-P | ENET-WP016D-EN-P
OEM Networking within a Converged Plantwide Ethernet Architecture | ENET-TD018A-EN-P | ENET-WP018A-EN-P
Cloud Connectivity to a Converged Plantwide Ethernet Architecture | ENET-TD017A-EN-P | ENET-WP019B-EN-P
Deploying Industrial Data Center within a Converged Plantwide Ethernet Architecture | ENET-TD014A-EN-P | ENET-WP013A-EN-P
Deploying Scalable Time Distribution within a Converged Plantwide Ethernet Architecture | ENET-TD016A-EN-P | ENET-WP017B-EN-P
Deploying Network Security within a Converged Plantwide Ethernet Architecture | ENET-TD019A-EN-P | ENET-WP023B-EN-P
Deploying Parallel Redundancy Protocol within a Converged Plantwide Ethernet Architecture | ENET-TD021A-EN-P | ENET-WP041A-EN-P
• Switching/Routing
• Stratix® 5700, 5400 and 5410
• FactoryTalk® Network Manager™ software
• Integrated Architecture® System
• FactoryTalk® Suite
• Logix Controllers, Kinetix® Servo Drives
• Intelligent Motor Control
• PowerFlex® Variable Frequency Drives
• Motor Control Centers
• Security
• Stratix® 5950 switch, FactoryTalk® AssetCentre software, FactoryTalk® Security, CIP Security
• Connected Services
• Switching/Routing
• Catalyst 3850, 4500-X, 6800, 9300, 9500
• Unified WLAN
• Wireless LAN Controller (WLC)
• Lightweight Access Point (LWAP)
• Unified Computing System (UCS)
• Security
• NGFW - Firepower Firewall and Firepower Management Center
• Identity Services Engine (PAN, PSN, MnT)
• Stealthwatch – Network Traffic Flow Analysis
• Umbrella - OpenDNS
• Advanced Services
Overview - Technologies/Products/Solutions Offerings
Introduction to Converged Plantwide Ethernet (CPwE) Reference Architectures
Note: not all inclusive, work in progress,
subject to change without prior notice.
Panduit Physical Layer Solutions for the CPwE Logical Framework
Introduction to Converged Plantwide Ethernet (CPwE) Architectures
[Figure: CPwE logical framework annotated with Panduit physical layer solutions. Zones shown: Enterprise Zone (Levels 4-5) with Wide Area Network (WAN), Internet, cloud, external DMZ/firewall and enterprise identity services; Industrial Demilitarized Zone (IDMZ); Industrial Zone (Levels 0–3, plant-wide network) with core switches, distribution switch stacks, access switches, active/standby Wireless LAN Controller (WLC), identity services, remote access server and Level 3 - Site Operations (Control Room); three Cell/Area Zones (Levels 0–2; lines, machines, skids, equipment): redundant star topology with Flex Links resiliency and unified wireless LAN, linear/bus/star topology with autonomous wireless LAN, and ring topology with Device Level Ring (DLR) protocol and unified wireless LAN. Devices shown: controllers, safety controller, I/O, safety I/O, drives, servo drive, HMI, thin clients, robot, instrumentation, phone, camera, industrial firewalls (IFW), AP, LWAP and WGB (2.4 GHz and 5 GHz SSIDs). Physical layer callouts: Industrial Data Center (IDC), Main Distribution Frame (MDF), Industrial Distribution Frame (IDF), Physical Network Zone System (PNZS), Control Panel (CP), Cable Distribution Solutions.]
Physical or Virtualized Servers
• FactoryTalk® Application Servers and Services Platform
• Network & Security Services – DNS, AD, DHCP, Identity Services (AAA)
• Storage Array
Physical or Virtualized Servers
• Patch Management
• AV Server, TLS Proxy
• Application Mirror, Reverse Proxy
• Remote Desktop Gateway Server
Plant Firewalls
• Active/Standby
• Inter-zone traffic segmentation
• ACLs, IPS and IDS
• VPN Services
• Portal and Remote Desktop Services proxy
Data Center - Virtualized Servers
• ERP - Business Systems
• Email, Web Services
• Security Services - Active Directory (AD), Identity Services (AAA), TLS Proxy
• Network Services – DNS, DHCP
• Call Manager
Key Tenets of CPwE Architectures
• Converged Plantwide Ethernet (CPwE) is a collection of tested and validated architectures that are developed by subject matter authorities at Cisco and Rockwell Automation and that follow the Cisco Validated Design (CVD) and Cisco Reference Design (CRD) program.
• The content of CPwE, which is relevant to both Operational Technology (OT) and Information Technology (IT) disciplines, consists of documented architectures, best practices, guidance and configuration settings to help industrial operations with design and deployment of a scalable, reliable, safe, secure and future-ready plant-wide industrial network infrastructure.
• CPwE also helps industrial operations achieve the benefits of cost reductions using proven designs that can help lead to quicker deployment and reduced risk in deploying new technology.
Collection of Architected, Tested & Validated Designs
Key Tenets of CPwE Architectures
• CPwE follows the CVD and CRD Program
• Provide the foundation for systems design based on common use cases or current engineering system priorities. They incorporate a broad set of technologies, features, and applications to address customer needs. Each CPwE CVD has been comprehensively tested, validated and documented by Cisco and Rockwell Automation subject matter authorities to enable faster, more reliable, and fully predictable deployment. CPwE CRD involves proof of concept (PoC) testing.
• CPwE CVDs and CRDs are organized by solution areas with customer collateral published using various types of documents:
• Design & Implementation Guides (DIGs)
• White Papers
• Application Guides
Collection of Architected, Tested & Validated Designs
Key Tenets of CPwE Architectures
Collection of Architected, Tested & Validated Designs
Key Tenets of CPwE Architectures
Key Tenets of CPwE:
• Smart IIoT Devices
• Zoning (Segmentation)
• Managed Infrastructure
• Resiliency
• Time-critical Data
• Wireless - Mobility
• Holistic and Diverse Defense-in-Depth Security
• Convergence-ready
[Figure: CPwE logical architecture. Enterprise Zone (Levels 4-5) with Wide Area Network (WAN), Internet, cloud, external DMZ/firewall and enterprise identity services; Industrial Demilitarized Zone (IDMZ, Level 3.5); Industrial Zone (Levels 0-3, plant-wide network) with core switches, distribution switch stacks, access switches, active/standby Wireless LAN Controller (WLC), identity services, remote access server and Level 3 - Site Operations (Control Room). Cell/Area Zones (Levels 0-2): (1) Redundant LANs (LAN A, LAN B) - Parallel Redundancy Protocol, with active/standby IES - RedBox, Enhanced Interior Gateway Routing Protocol – EtherChannel, Hot Standby Router Protocol – Active/Standby (skids, equipment); (2) Linear/Bus/Star Topology and Redundant Star Topology - EtherChannel Resiliency, Unified Wireless LAN (lines, machines); (3) Ring Topology - Device Level Ring (DLR) Protocol and Redundant Star Topology - Flex Links Resiliency, Unified Wireless LAN (lines, machines, skids, equipment). Devices shown: controllers, safety controller, I/O, safety I/O, drives, servo drive, soft starter, HMI, thin clients, robot, instrumentation, industrial firewalls (IFW), RedBox, LWAP and WGB (2.4 GHz and 5 GHz SSIDs). NetFlow labels appear on the switching infrastructure throughout.]
Physical or Virtualized Servers
• FactoryTalk® Application Servers and Services Platform
• FactoryTalk® Network Manager™
• Network & Security Services – DNS, AD, DHCP, Identity Services (AAA)
• NetFlow Collector - Stealthwatch
• Storage Array
Physical or Virtualized Servers
• Patch Management
• AV Server, TLS Proxy
• Application Mirror, Reverse Proxy
• Remote Desktop Gateway Server
Plant Firewalls
• Active/Standby
• Inter-zone traffic segmentation
• ACLs, IPS and IDS
• VPN Services
• Portal and Remote Desktop Services proxy
Data Center - Virtualized Servers
• ERP - Business Systems
• Email, Web Services
• Security Services - Active Directory (AD), Identity Services (AAA), TLS Proxy
• Network Services – DNS, DHCP
• Call Manager
IACS Application Requirements
Key Tenets of CPwE Architectures
Source: ARC Advisory Group
What is real-time? What is resilient? What is secure?
Function | Information Integration, Slower Process Automation | Time-critical Discrete Automation | Multi-axis Motion Control
Communication Technology | .Net, DCOM, TCP/IP | Industrial Protocols - CIP | Hardware and Software solutions, for example, CIP Motion, PTP
Period | 10 ms to 1 second or longer | 1 ms to 100 ms | 100 µs to 10 ms
Applications | Pumps, compressors, mixers; monitoring of temperature, pressure, flow | Material handling, filling, labeling, palletizing, packaging; welding, stamping, cutting, metal forming, soldering, sorting | Synchronization of multiple axes: printing presses, wire drawing, web making, picking and placing
Industries | Oil & Gas, chemicals, energy, water | Auto, food and beverage, semiconductor, metals, pharmaceutical | Subset of Discrete automation
Slide callouts: Process Automation, Discrete Automation, Loss Critical
• Only you can define what this means for your application.
• Application dependent.
• One size does not fit all!
• Drivers for stance … determining overall tolerance to risk and developing risk management policies:
– Business practices
– Corporate / local standards
– Application requirements
– Applicable industry standards, for example, NERC CIP
– Government regulations and compliance
• Security/safety policies and procedures for 1) access control and 2) network and security ownership:
– Alignment with industrial functional safety standards such as IEC 61508, IEC 62061 (SIL), ISO 13849 (PL)
– Alignment with industrial security standards such as IEC-62443 (formerly ISA99), NIST 800-82 and ICS-CERT
– Alignment with IEEE and IETF network and security standards
Policy Development: Balanced Stance: Cost vs. Risk vs. Convenience
Key Tenets of CPwE Architectures
“one-size-fits-all”
Early, open and two-way
OT-IT dialogue is critical!
Stance on … Availability, Safety and Security
OT Standards: Operational Levels: Zones - Functional / Security
Key Tenets of CPwE Architectures - Zoning
[Figure: CPwE logical model of operational levels and security zones, with firewalls on both sides of the Industrial DMZ and traffic labels Web, E-Mail and CIP]
Enterprise Security Zone (Levels 4-5)
• Level 5 - Enterprise Network
• Level 4 - Site Business Planning and Logistics Network: E-Mail, Intranet, etc.
Industrial DMZ (Level 3.5)
• Remote Desktop Gateway Services, Patch Management, AV Server, Application Mirror, Web Services Operations, Reverse Proxy
Industrial Security Zone(s) (Levels 0-3)
• Level 3 - Site Operations: FactoryTalk® Application Server, FactoryTalk® Directory, Engineering Workstation, Remote Access Server
Cell/Area Zone(s) (Levels 0-2)
• Level 2 - Area Supervisory Control: FactoryTalk® Client, Operator Interface, Engineering Workstation
• Level 1 - Basic Control: Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control
• Level 0 - Process: Sensors, Drives, Actuators, Robots
• Levels – ISA 95, Purdue Reference Model
• Zones – IEC 62443, NIST 800-82, DHS/INL/ICS-CERT Recommended Practices
CPwE
Logical Model
• International Electrotechnical Commission
– IEC-62443 (Formerly ISA-99), Industrial Automation and Control Systems (IACS) Security
– Zones and Conduits
– Defense-in-Depth
– Zoning, IDMZ
• National Institute of Standards and Technology
– NIST 800-82, Industrial Control System (ICS) Security
– Cybersecurity Framework: Identify, Protect, Detect, Respond, Recover
– Defense-in-Depth
– Zoning, IDMZ
• Department of Homeland Security
– The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)
– National Cybersecurity & Communication Integration Center (NCCIC)
– Recommended Practices, Secure Network Architecture
– Defense-in-Depth
– Zoning, IDMZ
• Department of Homeland Security
– Idaho National Lab
– DHS INL/EXT-06-11478
– Control Systems Cyber Security: Defense-in-Depth Strategies
– Defense-in-Depth
– Zoning, IDMZ
Zoning – Segmentation – Physical / Logical / Virtual
Key Tenets of CPwE Architectures - Zoning
Established Industrial Security Standards
Key Tenets of CPwE Architectures - Zoning
IEC 62443
- Series of Standards
- Availability, Integrity, Confidentiality
- Security Zones & Secure Conduits
- Multiple Levels of Foundational Requirements
- Multiple System Security Levels (SL 1 – SL 4)
Holistic and Diverse Defense-in-Depth Plant-wide Security for Threat Detection and Protection
Plant-wide Zoning
• Functional Areas / Security Groups
• Smaller Connected LANs
• Smaller Broadcast and Fault Domains
• Smaller Domains of Trust (Security Groups)
• IACS application micro-segmentation
• Alignment with Security Standards
• IEC 62443-3-2, Security Zones and Secure Conduits Model
• DHS/INL/ICS-CERT Recommendations
• Industrial IoT Technology Mix
• Building Block Approach for Scalability
Plant-wide Zoning: OT Standards: Functional Areas / Security Groups
Key Tenets of CPwE Architectures - Zoning
OT-IT Standards - OSI 7-Layer Reference Model
Key Tenets of CPwE Architectures - Zoning
Open Systems Interconnection
Layer No. | Layer Name | Function | Examples
Layer 7 | Application | Network Services to User App | CIP - IEC 61158
Layer 6 | Presentation | Encryption/Other processing |
Layer 5 | Session | Manage Multiple Applications |
Layer 4 | Transport | Reliable End-to-End Delivery Error Correction | IETF TCP/UDP
Layer 3 | Network | Logical Addressing, Packet Delivery, Routing | IETF IP; Routers
Layer 2 | Data Link | Framing of Data, Error Checking | IEEE 802.3/802.1/802.11; Switches
Layer 1 | Physical | Signal type to transmit bits, pin-outs, cable type | IEEE : TIA-1005; Cabling/RF
Other labels on the slide: IES, Industrial Internet of Things (IIoT)
• Hierarchical, modular and scalable building blocks
– Smaller Connected LANs - clear demarcations and segmentation
– Fault domain (for example, Layer 2 loops), broadcast domain, domains of trust (security)
– Easier to grow, understand and troubleshoot
• Multi-tier switch model
• Core – Layer 3
– Aggregates distribution switches
– Backbone of network
– Industrial DMZ connectivity
• Distribution / Aggregation – Layer 3
– Aggregates access switches
– Provides Layer 3 services
• Access – Layer 2
– Aggregates industrial automation and control system (IACS) devices
– Provides Layer 2 services
IT Standards: Network Switch Hierarchy: Campus Network Model
Key Tenets of CPwE Architectures - Zoning
Access
Distribution
Core
Zoning - CPwE Logical Framework – Modular Building Blocks
Key Tenets of CPwE Architectures - Zoning
[Figure: Industrial Zone (Levels 0-3) assembled from modular building blocks: a Layer 3 building block (Layer 3 distribution switch) and Layer 2 building blocks (Layer 2 access switches) for three Cell/Area Zones (Levels 0-2): Cell/Area Zone #1 Redundant Star Topology, Cell/Area Zone #2 Ring Topology, Cell/Area Zone #3 Bus/Star Topology. Device labels: Level 2 HMI, Level 1 Controller, Level 0 Drive and I/O, plus phone, camera, safety controller, safety I/O, instrumentation, servo drive, MCC, soft starter, media & connectors.]
Zoning - CPwE Logical Framework – Modular Building Blocks
Key Tenets of CPwE Architectures - Zoning
[Figure: CPwE logical architecture diagram showing the Enterprise Zone (Levels 4-5), Industrial Demilitarized Zone (IDMZ, Level 3.5), Industrial Zone (Levels 0-3, plant-wide network) and Cell/Area Zones (Levels 0-2) using Parallel Redundancy Protocol (LAN A, LAN B, IES - RedBox), Device Level Ring (DLR), EtherChannel and Flex Links resiliency and unified wireless LAN, with plant firewalls, identity services, core, distribution and access switches, and NetFlow labels with a NetFlow Collector - Stealthwatch.]
Segmentation (Zoning) - Functional Areas / Security Groups
Key Tenets of CPwE Architectures - Zoning
[Figure: two physical segmentation options, each drawn as isolated networks with a Plant-wide Network and a Control Network (Levels 0-2): "Physical - Air Gap" and "Physical - Multiple NIC". Each option is captioned "Challenges?".]
Segmentation (Zoning) - Functional Areas / Security Groups
Key Tenets of CPwE Architectures - Zoning
[Figure: two logical segmentation options on a plant-wide network: "Logical - VLANs with Static ACLs" (Enforcement: ACLs) and "Logical - VLANs with Dynamic ACLs" (Enforcement: DACLs). Each shows Cell/Area Zone 10 (Levels 0-2, VLAN 10) and Cell/Area Zone 20 (Levels 0-2, VLAN 20) with devices PAC_10, I/O_10, PAC_20 and Drive_20 connected through IES switches, plus an EWS. Authentication, Authorization and Accounting (AAA) is also labelled. Each option is captioned "Challenges?".]
Segmentation (Zoning) - Functional Areas / Security Groups
Key Tenets of CPwE Architectures - Zoning
Virtual: Software-Defined Security Group Segmentation
Role-based Enforcement (Enforcement: SGACLs)
Sample SGACL Policy Table
 | SGT 100 | SGT 30 | SGT 10 | SGT 20
SGT 100 | - | N | Y | Y
SGT 30 | N | - | Y | Y
SGT 10 | Y | Y | Y | N
SGT 20 | Y | Y | N | Y
[Figure: Industrial Zone (Levels 0-3, plant-wide network) below the Enterprise WAN and IDMZ. Cell/Area Zone 10 (Levels 0-2, Security Group 10, VLAN 10) and Cell/Area Zone 20 (Levels 0-2, Security Group 20, VLAN 20) with devices PAC_10, I/O_10, PAC_20 and Drive_20 connected through IES switches and labelled SGT 10, SGT 10, SGT 20, SGT 20. SGT 30 and SGT 100 labels appear alongside the EWS, FactoryTalk® Application(s) at Level 3 Site Operations, OT User and IT User. Also labelled: FTNM, ISE, pxGrid, Context, NetFlow, Stealthwatch.]
SGT – Scalable Group Tag
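The sample SGACL policy table above can be used as an audit baseline: resolve each endpoint to its SGT through an IP-to-SGT mapping (the kind of binding the deck refers to as SXP) and check observed flow records against the matrix. This is an added example, not code from the presentation; the IP ranges, flow records and function names are constructed, and treating a "-" cell or an untagged endpoint as a finding is an assumption.

```python
"""Audit flow records against the deck's sample SGACL policy table."""
import ipaddress

# Sample SGACL policy table as printed on the slide. The table is symmetric,
# so reading rows as source and columns as destination does not change results.
SGACL_TABLE = """\
dst:  100  30  10  20
100     -   N   Y   Y
30      N   -   Y   Y
10      Y   Y   Y   N
20      Y   Y   N   Y
"""


def parse_sgacl(text):
    """Return {(src_sgt, dst_sgt): 'Y' | 'N' | '-'} from the text matrix."""
    rows = [line.split() for line in text.strip().splitlines()]
    dsts = [int(tok) for tok in rows[0][1:]]
    policy = {}
    for row in rows[1:]:
        src, cells = int(row[0]), row[1:]
        if len(cells) != len(dsts):
            raise ValueError(f"SGT {src}: {len(cells)} cells, expected {len(dsts)}")
        for dst, cell in zip(dsts, cells):
            if cell not in {"Y", "N", "-"}:
                raise ValueError(f"SGT {src}->{dst}: unexpected cell {cell!r}")
            policy[(src, dst)] = cell
    return policy


POLICY = parse_sgacl(SGACL_TABLE)

# Constructed IP-to-SGT bindings (assumption: addresses are not from the deck).
_BINDINGS = [
    (ipaddress.ip_network(net), sgt)
    for net, sgt in [
        ("10.10.10.0/24", 10),    # Cell/Area Zone 10, VLAN 10
        ("10.10.20.0/24", 20),    # Cell/Area Zone 20, VLAN 20
        ("10.10.30.5/32", 30),    # single host tagged SGT 30
        ("10.10.100.0/28", 100),  # small range tagged SGT 100
    ]
]


def sgt_for(ip):
    """Longest-prefix match of an IP against the bindings; None if untagged."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, sgt) for net, sgt in _BINDINGS if addr in net]
    return max(matches)[1] if matches else None


def verdict(src_ip, dst_ip, policy=POLICY):
    """Classify one flow as permit, deny, no-policy or unknown-sgt."""
    src, dst = sgt_for(src_ip), sgt_for(dst_ip)
    if src is None or dst is None:
        return "unknown-sgt"  # endpoint without a tag: cannot be evaluated
    cell = policy.get((src, dst), "-")
    return {"Y": "permit", "N": "deny", "-": "no-policy"}[cell]


def audit(flows, policy=POLICY):
    """Return every flow the matrix does not explicitly permit."""
    findings = []
    for src_ip, dst_ip, dport in flows:
        v = verdict(src_ip, dst_ip, policy)
        if v != "permit":
            findings.append((v, sgt_for(src_ip), sgt_for(dst_ip), src_ip, dst_ip, dport))
    return findings


def asymmetric_pairs(policy):
    """SGT pairs whose two directions disagree, a common policy-entry mistake."""
    return sorted((a, b) for (a, b), cell in policy.items()
                  if a < b and policy.get((b, a)) != cell)


# Constructed flow records: (source IP, destination IP, destination port).
FLOWS = [
    ("10.10.10.11", "10.10.10.12", 44818),   # SGT 10 -> 10
    ("10.10.10.11", "10.10.20.21", 44818),   # SGT 10 -> 20
    ("10.10.30.5", "10.10.20.21", 44818),    # SGT 30 -> 20
    ("10.10.100.7", "10.10.30.5", 443),      # SGT 100 -> 30
    ("192.168.50.9", "10.10.10.11", 44818),  # untagged source
    ("10.10.100.7", "10.10.100.8", 443),     # SGT 100 -> 100, "-" on the slide
]

if __name__ == "__main__":
    for finding in audit(FLOWS):
        print(finding)
```

A "deny" finding on an observed flow means either the record was exported before the enforcement point or the SGACL is not enforced where expected; both are worth checking against the switch that exported the record.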
Convergence-Ready Network Solutions
Key Tenets of CPwE Architectures
Partner Solution(s) for
example, Process
Skid
Plant-wide Industrial
Automation & Control System
Partner Solution(s)
e.g. Machine
Plant-wide Industrial
Automation & Control System
Design and deployment considerations that a partner (for example, OEM, SI, Contractor) has to take
into account to achieve seamless integration of their solution (for example, equipment, skid, machine)
into their customers’ plant-wide/site-wide network infrastructure.
Early, open and two-way
OT-IT dialogue is critical!
“one-size-fits-all”
The OEM Guide to Networking ENET-RM001_-EN-P
CPwE: Enabling Industrial IoT and Industrial IT (Bridging OT-IT)
Scalable, Reliable, Safe, Secure and Future-Ready Industrial IoT Architectures
[Figure: CPwE logical architecture diagram framed by the labels Industrial IoT, Operational Technology, Industrial IT, Internet of Things and Information Technology. It shows the Enterprise Zone (Levels 4-5), Industrial Demilitarized Zone (IDMZ, Level 3.5), Industrial Zone (Levels 0-3, plant-wide network) and Cell/Area Zones (Levels 0-2) using Parallel Redundancy Protocol (LAN A, LAN B, IES - RedBox), Device Level Ring (DLR), EtherChannel and Flex Links resiliency and unified wireless LAN, with plant firewalls, identity services, core, distribution and access switches, and NetFlow labels with a NetFlow Collector - Stealthwatch.]
• Business outcomes drive modernization projects
– Agility to quickly adapt to new market trends (future-ready)
– Cost reduction through lower MTTR and higher OEE (reliability, safety and security)
– Risk reduction – reliable and secure plant-wide architectures based on proven reference architectures
• Assessment, design and planning are key steps to modernizing aging network infrastructure
– Know where you are starting from
– Have a vision, based on business drivers, for scalable, reliable, safe, secure, and future-ready Industrial IoT architectures
• Standard and open managed network and security services enable modernization
– Zoning through Segmentation
– Virtual Local Area Networks (VLANs)
– Switch Hierarchy – Layer 2/Layer 3
– Network Address Translation (NAT)
– Connected Routing
• Stratix® managed infrastructure devices – best of OT-IT, Rockwell Automation and Cisco, to enable Industrial IoT architectures
• Converged Plantwide Ethernet (CPwE) tested and validated reference architectures
• Leverage NSS as a trusted partner, which has knowledge and expertise with IIoT applications and OT-IT Cybersecurity
Key Takeaways
Additional Material
Additional Material
Network Architecture Icon Key
Layer 2 Access Link (EtherNet/IP Device Connectivity)
Layer 2 Interswitch Link/802.1Q Trunk
Layer 3 Link
Layer 2 Access Switch, Catalyst 2960
Multi-Layer Switch - Layer 2 and Layer 3, Stratix® 8300, Stratix® 5700, Stratix® 5400, Stratix® 5410 Switches
Layer 3 Router
Autonomous Wireless Access Point (AP)
Layer 2 IES with NAT, Stratix® 5700, Stratix® 5400 Switches
Layer 2 IES with NAT and Connected Routing, Stratix® 5700, Stratix® 5400 Switches
NAT
NAT - CR
Layer 3 Distribution Switch Stack, Catalyst 3750-X, Catalyst 3850, Catalyst 9300
Layer 3 Core Switch, Catalyst 4500, 4500-X, 6500, 6800, 9500
Layer 3 Core Switch with Virtual Switching System (VSS), Catalyst 4500-X, 6500, 6800, 9500
Firewall, Adaptive Security Appliance (ASA) 55xx
Wireless workgroup bridge (WGB)
Unified Wireless Lightweight Access Point (LWAP), Catalyst 3602E LWAP
Unified Wireless LAN Controller (WLC), Cisco 5508 WLC
Unified Computing System (UCS), UCS-C series
Identity Services Engine (ISE) for Authentication, ISE - PAN/PSN/MnT
Layer 2 Access, Industrial Ethernet Switch (IES), Stratix® 2500, Stratix® 5700, Stratix® 5400, Stratix® 8000, Stratix® 5800 Switches
IES
IFW
Layer 3 Router with Zone-based Firewall
Industrial Firewall, Stratix® 5950 Switch
Additional Material
CPwE Architectures - Collection of Architected, Tested & Validated Designs
• CPwE websites
• Graphic
• White Papers and Design Guides
• Overview Documents
• Alliance Profile
• Top 10 Recommendations for Plant-wide EtherNet/IP Deployments
• Design Considerations for Securing Industrial Automation and Control System Networks
Additional Material
Rockwell Automation® Industrial Network Architectures Website
http://www.rockwellautomation.com/global/products-technologies/network-technology/architectures.page
• Ethernet Design Considerations Reference Manual
– ENET-RM002C-EN-P
– EtherNet/IP Overview, Ethernet Infrastructure Components, EtherNet/IP Protocol, Predict System Performance
• EtherNet/IP IntelliCENTER® System Reference Manual (MCC-RM001)
• The OEM Guide to Networking
– ENET-RM001A-EN-P
– This guide is intended to help OEMs understand relevant technologies, networking capabilities and other considerations that could impact them as they develop EtherNet/IP solutions for the machines, skids or equipment they build
• Segmentation Methods Within the Cell/Area Zone ENET-AT004B-EN-E
Additional Material
Rockwell Automation® Reference Documents
Additional Material
Rockwell Automation® Tools
▪ Integrated Architecture® Builder (IAB)
  ▪ Updates and additions to better reflect CPwE structure, hierarchy and best practices
  ▪ Improved Switch Wizard for distribution (for example, Stratix® 5410 switches) and access (for example, Stratix® 5700 switches)
  ▪ Implemented VLANs in the EtherNet/IP network editor
  ▪ Parallel Redundancy Protocol (PRP) Support
  ▪ CIP traffic is measured per segment, not just controller scanner and adapter centric
▪ EtherNet/IP Capacity Tool
▪ System Configuration Drawings
  ▪ Updates and additions to better reflect CPwE recent enhancements
Additional Material
Rockwell Automation Industrial Security Website
Additional Material
ODVA, Inc.
▪ Website:
  ▪ http://www.odva.org/
▪ EtherNet/IP
  ▪ https://www.odva.org/Technology-Standards/EtherNet-IP/Overview
▪ Securing EtherNet/IP™ Networks
▪ EtherNet/IP Network Infrastructure Guide
  ▪ https://www.odva.org/Portals/0/Library/Publications_Numbered/PUB00035R0_Infrastructure_Guide.pdf
▪ Common Industrial Protocol (CIP™)
  ▪ https://www.odva.org/Technology-Standards/Common-Industrial-Protocol-CIP/Overview
▪ The Family of CIP Networks
  ▪ https://www.odva.org/Portals/0/Library/Publications_Numbered/PUB00123R1_Common-Industrial_Protocol_and_Family_of_CIP_Networks.pdf
▪ CIP Security
  ▪ https://www.odva.org/Technology-Standards/Common-Industrial-Protocol-CIP/CIP-Security
Training Resources
Training Resources
Training and Certification – Industrial IoT / Industrial IT (Bridging OT-IT)
▪ Cisco Industrial Networking Specialist Training and Certification
  – Classroom training
    • Managing Industrial Networks with Cisco Networking Technologies (IMINS)
  – Exam: 200-401 IMINS
  – CPwE Design Considerations and Best Practices
▪ CCNA Industrial Training and Certification
  – Classroom training
    • Managing Industrial Networks for Manufacturing with Cisco Technologies (IMINS2)
  – Exam: 200-601 IMINS2
  – CPwE Design Considerations and Best Practices
Training Resources
Training and Certification – Industrial IoT / Industrial IT (Bridging OT-IT)
Industrial Networking Specialist
Module 1 Industrial Networking Solutions and Products
Module 2 Industrial Network Documentation and Deployment Considerations
Module 3 Installing Industrial Network Switches, Routers, and Cabling
Module 4 Deploying Industrial Ethernet Devices
Module 5 Maintaining Industrial Ethernet Networks
Module 6 Troubleshooting Industrial Ethernet Networks
CCNA Industrial
Module 1 Industrial Networking Concepts and Components
Module 2 General Troubleshooting Issues
Module 3 EtherNet/IP
Module 4 Troubleshooting EtherNet/IP
Module 5 PROFINET
Module 6 Configuring PROFINET
Module 7 Troubleshooting PROFINET
Module 8 Exploring Security Concerns
Module 9 802.11 Industrial Ethernet Wireless Networking
Training Resources
Cisco Training & Certifications
Cisco Certification Track
Share your feedback
▪ Please complete the session survey on the mobile app
1. Download the Events ROK mobile app
2. Select TechEd and log in. Use your email and last name that you used to register for the event.
3. Click on Schedule on the main menu
  • Select the session you are attending
  • Click on the survey tab
  • Complete the survey and submit
www.rockwellautomation.com
Thank you

Gen AI in Business - Global Trends Report 2024.pdf
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdf
 

RA TechED 2019 - NT03 - Building Converged Plantwide Ethernet Architectures

  • 3. Abstract
      Presented by Cisco Systems and Rockwell Automation, learn the importance of using reference architectures to build scalable, reliable, safe, secure, and future-ready network architectures. This discussion provides an overview of the CPwE architectures, why they're important, what's new, and how these architectures combined with products, services and solutions support successful deployment of The Connected Enterprise. A prior understanding of general Ethernet concepts, or attendance of the Fundamentals of EtherNet/IP IIoT Network Technology session is recommended.
  • 4. Other CPwE Related Sessions
      Converged Plantwide Ethernet (CPwE) Architectures
      • NT01 - Fundamentals of EtherNet/IP IIoT Network Technology
      • NT02 - Fundamentals of CIP (EtherNet/IP) Packet Delivery Process
      • NT03 - Building Converged Plantwide Ethernet Architectures
      • NT04 - Design Considerations for Reliable EtherNet/IP Networking
      • NT05 - Deploy Resilient Network Architectures for The Connected Enterprise
      • NT06 - Applying EtherNet/IP Network Features for High-Performance Machine-level Architectures
      • NT07 - The Next Phase of the IT/OT Integration - Extending IT Security to the Cell/Area Zone of the Plant Architecture
      • NT08 - Selecting the Right Stratix® Switch for your Application
      • NT09 - Stratix Traffic Visibility Capabilities
      • NT10 - Basic Stratix® Switch and EtherNet/IP Features in Converged Plantwide Ethernet (CPwE) Architectures
      • NT11 - Advanced Stratix® Switch and EtherNet/IP Features in Converged Plantwide Ethernet (CPwE) Architectures
      • NT12 - Improve Visibility and Diagnostics of your network with FactoryTalk® Network Manager™ (FTNM) Software
      • SS17 - Introduction to Network Security Lab
      • SS18 - Deploy Secure Network Architectures for The Connected Enterprise
  • 5. Key Takeaways
      • Ecosystem Collaborations
          • Cisco / Rockwell Automation
              • Twelve plus years of collaboration to help enable OT-IT convergence - trusted domain experts in OT and IT
              • Ground-breaking networking and security solutions
              • Content relevant to both OT and IT personnel
          • Panduit / Rockwell Automation
              • Seven plus years of collaboration to enable OT-IT convergence
              • Physical Layer Solutions for the Connected Enterprise
              • Mining Smart Industry Architecture (SIA), testing and validation
          • Cisco / Panduit / Rockwell Automation
              • Standards – for example, Single Pair Ethernet
              • Workforce development - people and process optimization
      • Converged Plantwide Ethernet (CPwE)
          • Cisco, Panduit, and Rockwell Automation ecosystem
          • A holistic blueprint for digital transformation
          • Proven reference architectures - collection of architected, tested & validated designs
          • Design and Implementation Considerations
          • Prepare industrial operations for the future:
              • Helping to enable business agility, optimize production yield and minimize risk
          • Helps customers to reduce their costs by:
              • Simplifying design, enabling quicker deployment, and reducing risk in deploying newer technologies
          • Enables OT-IT Collaboration and Convergence:
              • Reliable and Secure Industrial IoT Architectures
              • Industrial IT (bridging OT-IT)
  • 6. Agenda
      • Cisco - Rockwell Automation Strategic Alliance
      • Challenges Associated with Converged Architectures that CPwE Helps to Address
      • Introduction to Converged Plantwide Ethernet (CPwE) Reference Architectures
      • Key Tenets of CPwE Architectures
      • Additional Material
      • Training Resources
  • 7. Cisco - Rockwell Automation Strategic Alliance
  • 8. Market pressures are putting productivity and profitability at risk for industrial operations
      • Security Risks and Threats: 28% of manufacturing organizations reporting a loss of revenue due to security incidents in the last year
      • Rapid Globalization: $25 Trillion Global GDP growth from 2000 to 2016, facilitated by rapid globalization
      • Industrial IoT: By 2020, the number of vertical-specific Industrial IoT business devices 3.2 Billion
      • Aging Infrastructure: 87% of manufacturing executives report that aging infrastructure impacts their operations
      Modernization through digital transformation is needed…
  • 9. Modernization is complex and must address numerous pain points
      • Limited Security: Traditional security approaches are not robust enough to mitigate newer security threats
      • Siloed Networks: Aging infrastructure results in proprietary networks and solutions that increase network complexity
      • Data Management: The scale and volume of data being generated is difficult to capture and manage
      • Solution Complexity: A plethora of market available products and solutions is confusing
      • Skills Gap: Workers are not prepared to manage modern networks
  • 10. Industrial IoT Architectures for The Connected Enterprise
      [Figure labels: Supply Chain, Headquarters, Distribution Center, Smart Grid, Customers]
  • 11. Industrial IoT Architectures for The Connected Enterprise
      [Figure labels: Supply Chain, Headquarters, Distribution Center, Smart Grid, Customers; SMART DEVICES, EQUIPMENT, PLANTS/OPERATIONS; Connected Architectures; Convergence; Industrial Standards; IETF; Removable Media]
      Cybersecurity Threats (Increasing Risk)
      • Threat Actors: Hacktivist, Internal/Insiders, Hackers, Nation States, Cyber Criminals
      • Threat Types: Malware, DDoS, Spyware, Spear Phishing, Ransomware
      • Powerful, yet simple to use tools are readily available
  • 12. Industrial IoT Architectures for The Connected Enterprise
      [Figure labels: Supply Chain, Headquarters, Distribution Center, Smart Grid, Customers; SMART DEVICES, EQUIPMENT, PLANTS/OPERATIONS; Connected Architectures; Convergence; Industrial Standards; IETF; Removable Media]
      Cybersecurity Threats (Increasing Risk)
      • Threat Actors: Hacktivist, Internal/Insiders, Hackers, Nation States, Cyber Criminals
      • Threat Types: Malware, DDoS, Spyware, Spear Phishing, Ransomware
      • Powerful, yet simple to use tools are readily available
      A scalable, reliable, safe, secure and future-ready Connected Enterprise requires an ecosystem of partners.
  • 13. Industrial IoT Architectures for The Connected Enterprise
      [Figure labels: Supply Chain, Headquarters, Distribution Center, Smart Grid, Customers; SMART DEVICES, EQUIPMENT, PLANTS/OPERATIONS; Connected Architectures; Convergence; Industrial Standards; IETF; Removable Media]
      Cybersecurity Threats (Increasing Risk)
      • Threat Actors: Hacktivist, Internal/Insiders, Hackers, Nation States, Cyber Criminals
      • Threat Types: Malware, DDoS, Spyware, Spear Phishing, Ransomware
      • Powerful, yet simple to use tools are readily available
  • 14. Together, Cisco and Rockwell Automation can help
      Leading digital transformation for The Connected Enterprise with industrial ready, world-class control, power and information systems and IT networking and security technologies
      • Trusted domain experts with a strategic alliance
      • Committed to future industry success
      • Dedicated to developing ground-breaking solutions
      • Global leader in industrial control, power and information solutions
      • Worldwide leader in IT networking and security
  • 15. Introducing Converged Plantwide Ethernet (CPwE), a holistic blueprint for digital transformation
      • Simplify network and security design by connecting industrial operations and business systems
      • An open solution that adheres to regulatory standards creates flexibility and scalability
      • A converged infrastructure built on a common architecture framework makes the network data-ready
      • Collection of tested and validated network and security architectures
      [Figure: The CPwE Converged Network Architectures. Labels: Business Systems, Productions Systems, Hybrid-Cloud, Site A, Site B, Unified Wireless, Industrial Data Center, Industrial Security/Safety, Network/Security Standards, Smart IIoT Devices, OEM Convergence Ready, EtherNet/IP / OPC UA, Identity/Mobility Services, Data Servers, Dashboards, Office Applications, Internetworking, Smart Devices, Cloud, Data Storage, Datacenter, Edge, Industrial Operations, Enterprise, Secure and Reliable Data Sharing, User Access and Control]
  • 16. Introducing Converged Plantwide Ethernet (CPwE), a holistic blueprint for digital transformation
      • Simplify network and security design by connecting industrial operations and business systems
      • An open solution that adheres to regulatory standards creates flexibility and scalability
      • A converged infrastructure built on a common architecture framework makes the network data-ready
      • Collection of tested and validated network and security architectures
      [Figure: CPwE architecture diagram. Recoverable labels:]
      • Zones: Enterprise Zone Levels 4-5; Industrial Demilitarized Zone (IDMZ) Level 3.5; Industrial Zone Levels 0-3 (Plant-wide Network); Level 3 - Site Operations (Control Room); Cell/Area Zone Levels 0–2
      • Cell/Area Zone - Levels 0-2: Redundant LANs - Parallel Redundancy Protocol
      • Cell/Area Zone - Levels 0-2: Linear/Bus/Star Topology; Redundant Star Topology - EtherChannel Resiliency; Unified Wireless LAN (Lines, Machines)
      • Cell/Area Zone - Levels 0-2: Ring Topology - Device Level Ring (DLR) Protocol; Redundant Star Topology - Flex Links Resiliency; Unified Wireless LAN (Lines, Machines, Skids, Equipment)
      • Other protocol labels: Enhanced Interior Gateway Routing Protocol – EtherChannel; Hot Standby Router Protocol – Active/Standby; (Skids, Equipment)
      • Infrastructure labels: LAN A, LAN B, Core Switches, Distribution Switch Stack, Access Switches, IFW, IES - RedBox (Active, Standby), RedBox, Wireless LAN Controller (WLC) (Active, Standby), LWAP, WGB, SSID 5 GHz, SSID 2.4 GHz, Remote Access Server, Enterprise Identity Services, Identity Services, External DMZ/Firewall, Internet, Cloud, Wide Area Network (WAN), NetFlow
      • Device labels: Thin Client, Safety Controller, Safety I/O, Robot, Servo Drive, Controller, Soft Starter, Drive, HMI, I/O, Instrumentation
      • Physical or Virtualized Servers: FactoryTalk® Application Servers and Services Platform; FactoryTalk® Network Manager™; Network & Security Services – DNS, AD, DHCP, Identity Services (AAA); NetFlow Collector - Stealthwatch; Storage Array
      • Physical or Virtualized Servers: Patch Management; AV Server, TLS Proxy; Application Mirror, Reverse Proxy; Remote Desktop Gateway Server
      • Plant Firewalls: Active/Standby; Inter-zone traffic segmentation; ACLs, IPS and IDS; VPN Services; Portal and Remote Desktop Services proxy
      • Data Center - Virtualized Servers: ERP - Business Systems; Email, Web Services; Security Services - Active Directory (AD), Identity Services (AAA), TLS Proxy; Network Services – DNS, DHCP; Call Manager
  • 17. Challenges Associated with Converged Architectures that CPwE Helps to Address
  • 18. Industrial IoT (IIoT) – IACS Convergence
      Challenges Associated with Converged Architectures that CPwE Helps to Address
      • Flat, Open and Non-Resilient Industrial Automation and Control System (IACS) Network and Security Infrastructure: Lacks Natural Boundaries and Segmentation – Creates Larger LANs
  • 19. Industrial IoT (IIoT) – IACS Convergence
      Challenges Associated with Converged Architectures that CPwE Helps to Address
      • Flat, Open and Non-Resilient IACS Network and Security Infrastructure: Lacks Natural Boundaries and Segmentation – Creates Larger LANs
      • Structured and Hardened IACS Network and Security Infrastructure: Smaller Connected LANs - Creating Boundaries and Segmentation
  • 20. OT-IT Collaboration / Convergence / Integration
      Challenges Associated with Converged Architectures that CPwE Helps to Address
      [Figure: the CPwE architecture diagram shown on slide 16, with the additional labels: Industrial IoT, Operational Technology, Industrial IT, Internet of Things, Information Technology]
  • 21. Technology / Cultural Convergence – Similarities / Differences
      Challenges Associated with Converged Architectures that CPwE Helps to Address
      Criteria | Industrial OT Network | Enterprise IT Network
      Environment | Plant-floor; Control Room; Control Panel, Industrial Distribution Frame (IDF) | Carpeted Space, Data Center; Data Communication or Wiring Closet, Intermediate Distribution Frame (IDF)
      Switches | Managed and unmanaged; Layer 2 is predominant; DIN rail or panel mount is predominant | Managed; Layer 2 and Layer 3; Rack mount
      Wireless | Autonomous (locally managed) – point solutions; Mobile equipment (emerging) and personnel (prevalent) | Unified (centrally managed) solutions; Mobile personnel – corporate provided or BYOD; Guest access
      Computing | Industrial Hardened Panel Mount Computers and Monitors; Desktop, Notebook; 19” Rack Server; Virtualization - becoming prevalent; Hardening – sporadic patching and whitelisting | Desktop, Notebook; Tablets; 19” Rack Server and Blade Server; Unified Computing Systems (UCS); Virtualization – widespread; Hardening - patching and whitelisting
  • 22. Technology / Cultural Convergence – Similarities / Differences
      Challenges Associated with Converged Architectures that CPwE Helps to Address
      Criteria | Industrial OT Network | Enterprise IT Network
      Network Technology | Standard IEEE 802.3 Ethernet and proprietary (non-standard) versions; Standard IETF Internet Protocol (IPv4) and proprietary (non-standard) alternatives; Sporadic use of standard Layer 2 and Layer 3 network and security services | Standard IEEE 802.3 Ethernet; Standard IETF Internet Protocol (IPv4 and IPv6); Pervasive use of standard Layer 2 and Layer 3 network and security services
      Network Availability | Switch-Level and Device-Level topologies; Ring topology is predominant for both, Redundant Star for switch topologies is emerging; Standard IEEE, IEC and vendor specific Layer 2 resiliency protocols | Switch-Level topologies; Redundant Star topology is predominant; Standard IEEE, IETF, and vendor specific Layer 2 and Layer 3 resiliency protocols
      Service Level Agreement (SLA) | Mean time to recovery (MTTR) - Minutes, Hours | Mean time to recovery (MTTR) - Hours, Days
      IP Addressing | Mostly Static | Mostly Dynamic
  • 23. Technology / Cultural Convergence – Similarities / Differences
      Challenges Associated with Converged Architectures that CPwE Helps to Address
      Criteria | Industrial OT Network | Enterprise IT Network
      Traffic Type | Primarily local – traffic between local assets; Information, control, safety, motion, time synchronization, energy management; Smaller Ethernet frames for control traffic; Industrial application layer protocols: CIP, Profinet, IEC 61850, Modbus TCP, etc. | Primarily non-local – traffic to remote assets; Voice, Video, Data; Larger IP packets and Ethernet frames; Standard application layer protocols: HTTP, SNMP, DNS, RTP, SSH, etc.
      Performance | Low Latency, Low Jitter (1 ms, 100s ns); Data Prioritization – QoS – Layer 2 and 3 | Low Latency, Low Jitter (100s ms, 10s ms); Data Prioritization – QoS – Layer 3
      Security | Open by default, must secure by design, architecture and configuration; Industrial security standards – for example, IEC, NIST; Inconsistent deployment of security policies; No line-of-sight to the Enterprise or to the Internet | Pervasive; Enterprise security best practices; Strong security policies; Line-of-sight across the Enterprise and to the Internet
  • 24. Technology / Cultural Convergence – Similarities / Differences
      Challenges Associated with Converged Architectures that CPwE Helps to Address
      Criteria | Industrial OT Network | Enterprise IT Network
      Focus | 24/7 operations, high OEE | Protecting intellectual property and company assets
      Precedence of Priorities | Availability, Integrity, Confidentiality | Confidentiality, Integrity, Availability
      Types of Data Traffic | Converged network of data, control, information, safety and motion | Converged network of data, voice and video
      Access Control | Strict physical access; Simple network device access | Strict network authentication and access policies
      Implications of a Device Failure | Production is down ($$’s/hour … or worse) | Work-around or wait
      Threat Protection | Isolate threat but keep operating | Shut down access to detected threat
      Upgrades | Scheduled during downtime | Automatically pushed during uptime
  • 25. Lessons Learned From Customers
      Challenges Associated with Converged Architectures that CPwE Helps to Address
      • Corporate Culture Change Takes Time
          • People, Process, and Technology changes are required for Industrial IoT and Industrial IT transformation
          • Behavior changes will be necessary to achieve success
          • Create an OT-IT convergence plan early
          • Define business outcomes early in the process with KPIs to measure success
          • Communicate and celebrate successes between locations
          • Early engagement of all plant disciplines:
              • Operations, Engineering, Safety, Maintenance, and IT
      • The Network is Foundational
          • Good technology will be trumped by bad processes; good technology will be trumped by bad data
          • Data governance framework and teams must be in place before beginning
          • Define out-of-scope processes and applications
          • Develop a mitigation plan early
          • Provide enough runway and scheduling for knowledge transfer
          • A robust archiving framework and strategy is needed
  • 26. Case Studies - CPwE – Proven Reference Architectures
      Challenges Associated with Converged Architectures that CPwE Helps to Address
      Jack Daniels
      • Business Challenges
          • Control operating costs
          • Reduce unplanned multiple-line outages to increase OEE
          • Troubleshoot and maintain network infrastructure with ease to reduce MTTR
          • Enable scalable, agile and a future-ready production
      • Products/Solutions Deployed
          • CPwE Architectures – Network and Security Best Practices
          • Stratix® 5700 Industrial Ethernet Switches
          • Cisco Catalyst 3850 Distribution Switches
          • FactoryTalk® Production and Performance Suite
      • Business Outcomes
          • Revamped industrial network architecture with no interruption to the production floor
          • Better asset optimization through scalable and more standardized, reliable, secure and future-ready to reduce MTTR and increase OEE
          • Better business agility through secure OT and IT connectivity across the enterprise
      Daimler Trucks NA
      • Business Challenges
          • Deliver customized vehicles for consumers, better and faster
          • Control costs by boosting manufacturing efficiency
          • Improve agility and scalability to support innovation and future production needs
      • Products/Solutions Deployed
          • CPwE Architectures – Network and Security Best Practices
          • Stratix® 5700 Industrial Ethernet Switches
          • Cisco Catalyst 3850 and 4500 Distribution Switches
          • Cisco Aironet 3700 access points, Cisco 5508 wireless controller
          • FactoryTalk® Production and Performance Suite
      • Business Outcomes
          • Pervasive wireless connectivity can be used by employees and machines to stay connected everywhere across the plant
          • Shared network helps keep managers more informed so they can predict and respond to production or supply chain issues faster
          • Robust, standards-based security helps meet compliance needs
  • 27. Customer Feedback: (OT-IT) Value Statements: What We Do Together
      Challenges Associated with Converged Architectures that CPwE Helps to Address
      • Valued resource
      • Global Consumer Packaged Goods (CPG)
          • To help us with our own OT-IT convergence – Industrial IT
          • Proven architectures – cost reduction, risk reduction
          • We’ve come to expect the testing and validation results
      • Global Pharmaceutical
          • Reduces our risk in deploying newer technologies
          • We adapt the CPwE blueprint into our global plant and global OEM standards
      • Unique in the industry
      • System Integrator
          • No other company, organization or consortia provides the level of testing, validation and documentation that CPwE provides
          • Reduces the investment in our own test lab
          • Our go-to collateral to educate our staff on Industrial IoT and Industrial IT
          • We use CPwE to help us justify network and security projects
      • Pharmaceutical
          • Network and security architectural framework
          • Best practices, design and implementation guidance
  • 28. Customer Feedback: (OT-IT) Value Statements: What We Do Together
      Challenges Associated with Converged Architectures that CPwE Helps to Address
      Entertainment - we have adopted 12 of the 15 CPwE tested and validated architectures into our global network design and specifications for our sites and OEMs
      • CPwE Model/Framework
          • Industrial Network Security Framework
      • CPwE WLAN – Unified Architecture
          • Mobile Maintenance Personnel
      • CPwE NAT
          • Cloning of OEM Applications
      • CPwE Identity and Mobility Services
          • Identity Services PAN and PSN within Site Network – Wired and Wireless
      • CPwE IDMZ
          • ASA Firewall Policies between OT and IT Networks
      • CPwE IFW – Industrial Firewall Policies
      • CPwE Resiliency
          • Stratix® 5700 switch with Redundant Star (EtherChannel), Catalyst 3850, Catalyst 4500-X with VSS
      • We value the OT-IT collaboration between Rockwell Automation and Cisco
      • Cost reductions
          • Reduced investment and staffing into our own test labs
          • Quicker startup times due to simplified designs
          • Reduced risk due to documented configurations and test results
      • We standardized on Stratix® switches due to CPwE
  • 29. Prepare industrial operations for the future with CPwE to…
      Challenges Associated with Converged Architectures that CPwE Helps to Address
      • Optimize production yield: Increase connectivity and interoperability to securely connect disparate data sources, leverage data effectively, and derive insights across the enterprise
      • Minimize risk: Protect physical and network assets, sensitive intellectual property, system data, and workers with a comprehensive security and safety architecture
      • Enable business agility: Drive greater manufacturer efficiencies by connecting operational and business systems for end-to-end visibility and control of industrial operations
      Together, Cisco and Rockwell Automation are leading the digital transformation towards a Connected Enterprise with a secure and reliable, converged network architecture that enables industrial operations to boost production yield, minimize asset risk, and enable business agility.
  • 30. Introduction to Converged Plantwide Ethernet (CPwE) Reference Architectures
  • 31. Introduction to Converged Plantwide Ethernet (CPwE) Reference Architectures: Industrial Network Design Methodology
      - Understand application and functional requirements
          - Devices to be connected – industrial and non-industrial
          - Data requirements for availability, integrity and confidentiality
          - Communication patterns, topology and resiliency requirements
          - Types of traffic – information, control, safety, time synchronization, drive control, voice, video
      - Develop a logical framework (zoning)
          - Define zones and segmentation (smaller connected LANs), place applications and devices in the logical framework based on requirements
      - Migrate from flat, open and non-resilient networks to structured and hardened networks
      - Develop a physical framework to align with the logical framework
      - Deploy a holistic and diverse defense-in-depth security model
      - Reduce risk, simplify design, and speed deployment:
          - Use information technology (IT) and operational technology (OT) standards
          - Use reference models and reference architectures
      [Figure: lifecycle diagram with stages MANAGE / MONITOR, IMPLEMENT, AUDIT, DESIGN/PLAN, ASSESS; callouts: "Avoiding Network Sprawl!!" and "Convergence-Ready OEM Solutions"]
  • 32. Introduction to Converged Plantwide Ethernet (CPwE) Reference Architectures: Reference Architectures
      - What are reference architectures?
          - Baseline architectures, considerations and best practices for design and implementation
      - Reference Architectures:
          - Marketectures – high-level marketing architectures and illustrations
          - White papers and knowledgebase articles based on proof of concept (PoC) testing
      - Accelerator Toolkits:
          - Examples - Drives and Motion, Water/Wastewater
      - System Configuration Drawings
          - Examples – Stratix® switches, MCC, Wi-Fi, ControlLogix® controllers
      - Converged Plantwide Ethernet (CPwE) Architectures:
          - Cisco / Rockwell Automation Strategic Alliance
          - Tested and Validated Architectures
          - Test labs – Cisco, Panduit, and Rockwell Automation
          - White papers, design guides, application guides
  • 33. Introduction to Converged Plantwide Ethernet (CPwE) Architectures: Technology, Network, Cultural and Organizational Convergence
      - Joint Product Collaboration: Combining the best of Rockwell Automation and Cisco - Stratix® 2500/Stratix 5000/Stratix 8000 families of industrial Ethernet switches, Stratix® 5950 Security Appliance, and FactoryTalk® Network Manager™ software.
      - Converged Plantwide Ethernet (CPwE) Architectures: Collection of tested and validated architectures developed by subject matter authorities at Cisco and Rockwell Automation. The content of CPwE is relevant to both operational technology (OT) and information technology (IT) disciplines. CPwE consists of documented architectures, best practices, design guidance and configuration settings to help manufacturers with development and deployment of a scalable, reliable, safe, secure and future-ready plant-wide industrial network infrastructure.
      - Standard and Common Technology View: A single scalable architecture, using open and standard Ethernet, IP and Wi-Fi networking technologies, enabling the Industrial Internet of Things (IIoT) to help achieve the flexibility, visibility and efficiency required in a competitive manufacturing environment.
      - Workforce Development - People and Process Optimization: Education, training, certifications and services to help facilitate OT and IT technology, network and cultural convergence.
      Note: not all inclusive, work in progress, subject to change without prior notice.
  • 34. Introduction to Converged Plantwide Ethernet (CPwE) Reference Architectures: Converged Plantwide Ethernet (CPwE)
      - Tested, validated and documented reference architectures
          - Comprised of a collection of Cisco and Rockwell Automation validated architectures, following the Cisco Validated Design (CVD) program
          - Developed from application and technology use cases
          - Industry neutral, one-to-many approach, customers adapt to meet their application needs
          - Tested for performance, availability, repeatability, scalability, and security by subject matter authorities at Cisco and Rockwell Automation CPwE test labs
          - Built on technology and industry standards (IEC, IEEE, IETF)
          - “Future-ready” network and security design
      - Content relevant to both OT and IT Engineers
      - Deliverables
          - White Papers, Design & Implementation Guides - architectures design considerations, best practices, documented test results with configuration settings
      - Proven architectures:
          - Helps customers to reduce their costs by simplifying their designs, accelerating their deployments, and reducing their risk in deploying new technology
  • 35. Introduction to Converged Plantwide Ethernet (CPwE) Reference Architectures: Collection of Architected, Tested & Validated Designs
      CPwE Test Labs
      - Rockwell Automation – Mayfield Heights, OH
      - Cisco – Raleigh, NC (RTP)
      - Panduit – Tinley Park, IL
      Publication timeline (legend: Existing, Recently Published, Work in Progress)
      - CPwE Baseline: Sept. 2010 / 2011, Update 2019
      - CPwE WLAN: Nov. 2014
      - CPwE NAT: May 2015
      - CPwE Identity & Mobility: June 2015, Feb. 2018
      - CPwE IDMZ: July 2015, May 2017, Update 2019
      - CPwE Resiliency: Dec. 2015, Feb. 2018, Update 2019
      - CPwE Migration: Jan. 2016, Update 2020
      - CPwE VPN: March 2016
      - CPwE Industrial Firewall: Dec. 2016, Update 2020
      - CPwE OEM: Oct. 2017
      - CPwE DLR: April 2018, April 2019, Dec. 2019
      - CPwE Cloud: April 2018, Update 2019
      - CPwE IDC: May 2018, Update 2020
      - CPwE Network Security: Dec. 2018, Update 2020
      - CPwE Time Sync: May 2019, Update 2020
      - CPwE PRP: Summer 2019
      - CPwE CIP Security: Fall 2019
      Note: not all inclusive, work in progress, subject to change without prior notice.
  • 36. Introduction to Converged Plantwide Ethernet (CPwE) Architectures: CPwE Industrial Security Framework
      [Figure: CPwE industrial security framework diagram. Zones: Enterprise Zone (Levels 4-5), Industrial Demilitarized Zone (IDMZ), Industrial Zone (Levels 0-3) with Level 3 – Site Operations, Level 2 – Area Supervisory Control, Level 1 - Controller, Level 0 - Process. Other labels: Internet, Cloud, OpenDNS, External DMZ/Firewall, Enterprise Identity Services, Core Switches, Distribution Switch Stack, Active/Standby Wireless LAN Controller (WLC), LWAP, WGB, IFW, FactoryTalk® Client, Controller, Drive, I/O, Soft Starter, MCC.]
      IDMZ callout: Physical or Virtualized Servers
      - Patch Management
      - AV Server, TLS Proxy
      - Application Mirror, Reverse Proxy
      - Remote Desktop Gateway Server
      Personas
      - Control System Engineers (OT)
      - Control System Engineers in Collaboration with IT Network Engineers (Industrial IT)
      - Security Architects (IT) in Collaboration with Control Systems Engineers
      Standards and practices
      - Defense-in-Depth - Architectural Best Practices for Holistic and Diverse Threat Detection and Protection
      - IEC 62443 - Zones & Conduits - Availability, Integrity, Confidentiality
      - NIST 800-82 - Cybersecurity Framework - Identify, Protect, Detect, Respond, Recover
      - DHS/INL/ICS-CERT - Recommended Practices
  • 37. Introduction to Converged Plantwide Ethernet (CPwE) Architectures: OT-IT Collaboration / Convergence / Integration
      OT Intent-Based Security: Visibility into OT IIoT Devices, Context & Intent from OT users, Enforcement by IT
      [Figure: OT-IT integration diagram. OT Platform: FactoryTalk® Network Manager™. IT Platform: ISE, pxGrid. Flow labels: VISIBILITY, CONTEXT, INTENT, SXP (IP to SGT Mappings). Enforcement components: Industrial Ethernet Switching, Next Generation Firewall, Stealthwatch. Industrial Assets: Controller, HMI, Drive, I/O, reached over CIP and Other Protocols.]
      Network Security Use Cases
      - Dynamic Security Group Segmentation
      - On-Demand Remote Access
      - Context based Anomaly Detection
  • 38. Introduction to Converged Plantwide Ethernet (CPwE) Reference Architectures: Collection of Architected, Tested & Validated Designs
      Topic: Design Guide; Whitepaper
      - Design Considerations for Securing IACS Networks: N/A; ENET-WP031A-EN-P
      - Converged Plantwide Ethernet – Baseline Document: ENET-TD001E-EN-P; N/A
      - Deploying 802.11 Wireless LAN Technology within a Converged Plantwide Ethernet Architecture: ENET-TD006A-EN-P; ENET-WP034A-EN-P
      - Deploying Identity and Mobility Services within a Converged Plantwide Ethernet Architecture: ENET-TD008B-EN-P; ENET-WP037C-EN-P
      - Securely Traversing IACS Data Across the Industrial Demilitarized Zone (IDMZ): ENET-TD009B-EN-P; ENET-WP038B-EN-P
      - Deploying Network Address Translation within a Converged Plantwide Ethernet Architecture: ENET-TD007A-EN-P; ENET-WP036A-EN-P
      - Migrating Legacy IACS Networks to a Converged Plantwide Ethernet Architecture: ENET-TD011A-EN-P; ENET-WP040A-EN-P
      - Deploying A Resilient Converged Plantwide Ethernet Architecture: ENET-TD010B-EN-P; ENET-WP039D-EN-P
      - Deploying Industrial Firewalls within a Converged Plantwide Ethernet Architecture: ENET-TD002A-EN-P; ENET-WP011B-EN-P
      - Deploying Device Level Ring within a Converged Plantwide Ethernet Architecture: ENET-TD015C-EN-P; ENET-WP016D-EN-P
      - OEM Networking within a Converged Plantwide Ethernet Architecture: ENET-TD018A-EN-P; ENET-WP018A-EN-P
      - Cloud Connectivity to a Converged Plantwide Ethernet Architecture: ENET-TD017A-EN-P; ENET-WP019B-EN-P
      - Deploying Industrial Data Center within a Converged Plantwide Ethernet Architecture: ENET-TD014A-EN-P; ENET-WP013A-EN-P
      - Deploying Scalable Time Distribution within a Converged Plantwide Ethernet Architecture: ENET-TD016A-EN-P; ENET-WP017B-EN-P
      - Deploying Network Security within a Converged Plantwide Ethernet Architecture: ENET-TD019A-EN-P; ENET-WP023B-EN-P
      - Deploying Parallel Redundancy Protocol within a Converged Plantwide Ethernet Architecture: ENET-TD021A-EN-P; ENET-WP041A-EN-P
  • 39. Introduction to Converged Plantwide Ethernet (CPwE) Reference Architectures: Overview - Technologies/Products/Solutions Offerings
      - Switching/Routing
          - Stratix® 5700, 5400 and 5410
          - FactoryTalk® Network Manager™ software
      - Integrated Architecture® System
          - FactoryTalk® Suite
          - Logix Controllers, Kinetix® Servo Drives
      - Intelligent Motor Control
          - PowerFlex® Variable Frequency Drives
          - Motor Control Centers
      - Security
          - Stratix® 5950 switch, FactoryTalk® AssetCentre software, FactoryTalk® Security, CIP Security
      - Connected Services
      - Switching/Routing
          - Catalyst 3850, 4500-X, 6800, 9300, 9500
      - Unified WLAN
          - Wireless LAN Controller (WLC)
          - Lightweight Access Point (LWAP)
      - Unified Computing System (UCS)
      - Security
          - NGFW - Firepower Firewall and Firepower Management Center
          - Identity Services Engine (PAN, PSN, MnT)
          - Stealthwatch – Network Traffic Flow Analysis
          - Umbrella - OpenDNS
      - Advanced Services
      Note: not all inclusive, work in progress, subject to change without prior notice.
  • 40. Introduction to Converged Plantwide Ethernet (CPwE) Architectures: Panduit Physical Layer Solutions for the CPwE Logical Framework
      [Figure: CPwE logical framework (Enterprise Zone Levels 4-5, Industrial Demilitarized Zone (IDMZ), Industrial Zone Levels 0–3 with Level 3 - Site Operations (Control Room) and Cell/Area Zones Levels 0–2) overlaid with physical layer elements: Industrial Data Center (IDC), Main Distribution Frame (MDF), Industrial Distribution Frame (IDF), Physical Network Zone System (PNZS), Control Panel (CP), Cable Distribution Solutions.]
      Diagram callouts
      - Enterprise Zone, Wide Area Network (WAN), Data Center - Virtualized Servers: ERP - Business Systems; Email, Web Services; Security Services - Active Directory (AD), Identity Services (AAA), TLS Proxy; Network Services – DNS, DHCP; Call Manager
      - Plant Firewalls: Active/Standby; Inter-zone traffic segmentation; ACLs, IPS and IDS; VPN Services; Portal and Remote Desktop Services proxy
      - IDMZ, Physical or Virtualized Servers: Patch Management; AV Server, TLS Proxy; Application Mirror, Reverse Proxy; Remote Desktop Gateway Server
      - Level 3, Physical or Virtualized Servers: FactoryTalk® Application Servers and Services Platform; Network & Security Services – DNS, AD, DHCP, Identity Services (AAA); Storage Array; Remote Access Server
      - Cell/Area Zone - Levels 0–2: Redundant Star Topology - Flex Links Resiliency, Unified Wireless LAN (Lines, Machines, Skids, Equipment)
      - Cell/Area Zone - Levels 0–2: Linear/Bus/Star Topology, Autonomous Wireless LAN (Lines, Machines, Skids, Equipment)
      - Cell/Area Zone - Levels 0–2: Ring Topology - Device Level Ring (DLR) Protocol, Unified Wireless LAN (Lines, Machines, Skids, Equipment)
  • 41. Key Tenets of CPwE Architectures
  • 42. Key Tenets of CPwE Architectures: Collection of Architected, Tested & Validated Designs
      - Converged Plantwide Ethernet (CPwE) is a collection of tested and validated architectures that are developed by subject matter authorities at Cisco and Rockwell Automation and that follow the Cisco Validated Design (CVD) and Cisco Reference Design (CRD) program.
      - The content of CPwE, which is relevant to both Operational Technology (OT) and Informational Technology (IT) disciplines, consists of documented architectures, best practices, guidance and configuration settings to help industrial operations with design and deployment of a scalable, reliable, safe, secure and future-ready plant-wide industrial network infrastructure.
      - CPwE also helps industrial operations achieve the benefits of cost reductions using proven designs that can help lead to quicker deployment and reduced risk in deploying new technology.
  • 43. Key Tenets of CPwE Architectures: Collection of Architected, Tested & Validated Designs
      - CPwE follows the CVD and CRD Program
          - Provide the foundation for systems design based on common use cases or current engineering system priorities. They incorporate a broad set of technologies, features, and applications to address customer needs. Each CPwE CVD has been comprehensively tested, validated and documented by Cisco and Rockwell Automation subject matter authorities to enable faster, more reliable, and fully predictable deployment. CPwE CRD involves proof of concept (PoC) testing.
      - CPwE CVDs and CRDs are organized by solution areas with customer collateral published using various types of documents:
          - Design & Implementation Guides (DIGs)
          - White Papers
          - Application Guides
  • 44. Key Tenets of CPwE Architectures: Collection of Architected, Tested & Validated Designs
      Key Tenets of CPwE:
      - Smart IIoT Devices
      - Zoning (Segmentation)
      - Managed Infrastructure
      - Resiliency
      - Time-critical Data
      - Wireless - Mobility
      - Holistic and Diverse Defense-in-Depth Security
      - Convergence-ready
      [Figure: CPwE logical framework diagram. Zones: Enterprise Zone Levels 4-5, Industrial Demilitarized Zone (IDMZ) Level 3.5, Industrial Zone Levels 0-3 (Plant-wide Network) with Level 3 - Site Operations (Control Room) and Cell/Area Zones Levels 0-2. Other labels: Internet, Cloud, External DMZ/Firewall, Enterprise Identity Services, Identity Services, Core Switches, Distribution Switch Stack, Access Switches, IFW, IES - RedBox (Active/Standby), LAN A, LAN B, NetFlow, Active/Standby Wireless LAN Controller (WLC), LWAP, WGB, Controller, Safety Controller, Safety I/O, Drive, Servo Drive, Soft Starter, HMI, Thin Client, Robot, I/O, Instrumentation.]
      Diagram callouts
      - Enterprise Zone, Wide Area Network (WAN), Data Center - Virtualized Servers: ERP - Business Systems; Email, Web Services; Security Services - Active Directory (AD), Identity Services (AAA), TLS Proxy; Network Services – DNS, DHCP; Call Manager
      - Plant Firewalls: Active/Standby; Inter-zone traffic segmentation; ACLs, IPS and IDS; VPN Services; Portal and Remote Desktop Services proxy
      - IDMZ, Physical or Virtualized Servers: Patch Management; AV Server, TLS Proxy; Application Mirror, Reverse Proxy; Remote Desktop Gateway Server
      - Level 3, Physical or Virtualized Servers: FactoryTalk® Application Servers and Services Platform; FactoryTalk® Network Manager™; Network & Security Services – DNS, AD, DHCP, Identity Services (AAA); NetFlow Collector - Stealthwatch; Storage Array; Remote Access Server
      - Cell/Area Zone - Levels 0-2: Redundant LANs - Parallel Redundancy Protocol; Enhanced Interior Gateway Routing Protocol – EtherChannel; Hot Standby Router Protocol – Active/Standby (Skids, Equipment)
      - Cell/Area Zone - Levels 0-2: Linear/Bus/Star Topology; Redundant Star Topology - EtherChannel Resiliency; Unified Wireless LAN (Lines, Machines)
      - Cell/Area Zone - Levels 0-2: Ring Topology - Device Level Ring (DLR) Protocol; Redundant Star Topology - Flex Links Resiliency; Unified Wireless LAN (Lines, Machines, Skids, Equipment)
  • 45. Key Tenets of CPwE Architectures: IACS Application Requirements
      What is real-time? What is resilient? What is secure?
      - Only you can define what this means for your application.
      - Application dependent.
      - One size does not fit all!
      Requirements by application class (Source: ARC Advisory Group)
      - Process Automation
          - Function: Information Integration, Slower Process Automation
          - Communication Technology: .Net, DCOM, TCP/IP
          - Period: 10 ms to 1 second or longer
          - Applications: Pumps, compressors, mixers; monitoring of temperature, pressure, flow
          - Industries: Oil & Gas, chemicals, energy, water
      - Discrete Automation (Loss Critical)
          - Function: Time-critical Discrete Automation
          - Communication Technology: Industrial Protocols - CIP
          - Period: 1 ms to 100 ms
          - Applications: Material handling, filling, labeling, palletizing, packaging; welding, stamping, cutting, metal forming, soldering, sorting
          - Industries: Auto, food and beverage, semiconductor, metals, pharmaceutical
      - Multi-axis Motion Control (Loss Critical)
          - Communication Technology: Hardware and Software solutions, for example, CIP Motion, PTP
          - Period: 100 µs to 10 ms
          - Applications: Synchronization of multiple axes: printing presses, wire drawing, web making, picking and placing
          - Industries: Subset of Discrete automation
  • 46. Key Tenets of CPwE Architectures: Policy Development: Balanced Stance: Cost vs. Risk vs. Convenience
      Stance on … Availability, Safety and Security
      - Drivers for stance … determining overall tolerance to risk and developing risk management policies:
          - Business practices
          - Corporate / local standards
          - Application requirements
          - Applicable industry standards – for example, NERC CIP
          - Government regulations and compliance
      - Security/safety policies and procedures for 1) access control and 2) network and security ownership:
          - Alignment with industrial functional safety standards such as IEC 61508, IEC 62061 (SIL), ISO 13849 (PL)
          - Alignment with industrial security standards such as IEC-62443 (formerly ISA99), NIST 800-82 and ICS-CERT
          - Alignment with IEEE and IETF network and security standards
      Callouts: “one-size-fits-all”; Early, open and two-way OT-IT dialogue is critical!
  • 47. Key Tenets of CPwE Architectures - Zoning: OT Standards: Operational Levels: Zones - Functional / Security
      CPwE Logical Model
      - Levels – ISA 95, Purdue Reference Model
      - Zones – IEC 62443, NIST 800-82, DHS/INL/ICS-CERT Recommended Practices
      Enterprise Security Zone, Levels 4-5
      - Level 5: Enterprise Network
      - Level 4: Site Business Planning and Logistics Network; E-Mail, Intranet, etc.
      Firewall
      Industrial DMZ, Level 3.5
      - Remote Desktop Gateway Services, Patch Management, AV Server, Application Mirror, Web Services Operations, Reverse Proxy
      Firewall
      Industrial Security Zone(s), Levels 0-3
      - Level 3: Site Operations; FactoryTalk® Application Server, FactoryTalk® Directory, Engineering Workstation, Remote Access Server
      Cell/Area Zones(s), Levels 0-2
      - Level 2: Area Supervisory Control; FactoryTalk® Client, Operator Interface, FactoryTalk® Client, Engineering Workstation, Operator Interface
      - Level 1: Basic Control; Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control
      - Level 0: Process; Sensors, Drives, Actuators, Robots
      Traffic labels in the diagram: Web, E-Mail, CIP
  • 48. Key Tenets of CPwE Architectures - Zoning: Zoning – Segmentation – Physical / Logical / Virtual
      - International Electrotechnical Commission
          - IEC-62443 (Formerly ISA-99), Industrial Automation and Control Systems (IACS) Security
          - Zones and Conduits
          - Defense-in-Depth
          - Zoning, IDMZ
      - National Institute of Standards and Technology
          - NIST 800-82, Industrial Control System (ICS) Security
          - Cybersecurity Framework: Identify, Protect, Detect, Respond, Recover
          - Defense-in-Depth
          - Zoning, IDMZ
      - Department of Homeland Security
          - The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)
          - National Cybersecurity & Communication Integration Center (NCCIC)
          - Recommended Practices, Secure Network Architecture
          - Defense-in-Depth
          - Zoning, IDMZ
      - Department of Homeland Security
          - Idaho National Lab
          - DHS INL/EXT-06-11478
          - Control Systems Cyber Security: Defense-in-Depth Strategies
          - Defense-in-Depth
          - Zoning, IDMZ
  • 49. Key Tenets of CPwE Architectures - Zoning: Established Industrial Security Standards
      Holistic and Diverse Defense-in-Depth Plant-wide Security for Threat Detection and Protection
      IEC 62443
      - Series of Standards
      - Availability, Integrity, Confidentiality
      - Security Zones & Secure Conduits
      - Multiple Levels of Foundational Requirements
      - Multiple System Security Levels (SL 1 – SL 4)
  • 50. Key Tenets of CPwE Architectures - Zoning: Plant-wide Zoning: OT Standards: Functional Areas / Security Groups
      Plant-wide Zoning
      - Functional Areas / Security Groups
      - Smaller Connected LANs
          - Smaller Broadcast and Fault Domains
          - Smaller Domains of Trust (Security Groups)
          - IACS application micro-segmentation
      - Alignment with Security Standards
          - IEC 62443-3-2, Security Zones and Secure Conduits Model
          - DHS/INL/ICS-CERT Recommendations
      - Industrial IoT Technology Mix
      - Building Block Approach for Scalability
  • 51. Key Tenets of CPwE Architectures - Zoning: OT-IT Standards - OSI 7-Layer Reference Model
      Open Systems Interconnection; Industrial Internet of Things (IIoT)
      Layer No., Layer Name: Function; Examples
      - Layer 7, Application: Network Services to User App; CIP - IEC 61158
      - Layer 6, Presentation: Encryption/Other processing
      - Layer 5, Session: Manage Multiple Applications
      - Layer 4, Transport: Reliable End-to-End Delivery, Error Correction; IETF TCP/UDP
      - Layer 3, Network: Logical Addressing, Packet Delivery, Routing; IETF IP; Routers
      - Layer 2, Data Link: Framing of Data, Error Checking; IEEE 802.3/802.1/802.11; Switches
      - Layer 1, Physical: Signal type to transmit bits, pin-outs, cable type; IEEE : TIA-1005; Cabling/RF
      Device label in the diagram: IES
  • 52. Key Tenets of CPwE Architectures - Zoning: IT Standards: Network Switch Hierarchy: Campus Network Model
      - Hierarchal, modular and scalable building blocks
          - Smaller Connected LANs - clear demarcations and segmentation
          - Fault domain (for example, Layer 2 loops), broadcast domain, domains of trust (security)
          - Easier to grow, understand and troubleshoot
      - Multi-tier switch model
          - Core – Layer 3
              - Aggregates distribution switches
              - Backbone of network
              - Industrial DMZ connectivity
          - Distribution / Aggregation – Layer 3
              - Aggregates access switches
              - Provides Layer 3 services
          - Access – Layer 2
              - Aggregates industrial automation and control system (IACS) devices
              - Provides Layer 2 services
      [Figure: three-tier switch hierarchy labelled Access, Distribution, Core]
  • 53. Key Tenets of CPwE Architectures - Zoning: Zoning - CPwE Logical Framework – Modular Building Blocks
      [Figure: Industrial Zone Levels 0-3 built from modular blocks. A Layer 3 Distribution Switch (Layer 3 Building Block) aggregates three Layer 2 Building Blocks, each with a Layer 2 Access Switch: Cell/Area Zone #1 Redundant Star Topology, Cell/Area Zone #2 Ring Topology, Cell/Area Zone #3 Bus/Star Topology, each Levels 0-2. Device labels: Level 2 HMI, Level 1 Controller, Level 0 Drive, I/O, Safety Controller, Safety I/O, Servo Drive, Soft Starter, MCC, Instrumentation, Phone, Camera, Media & Connectors.]
  • 54. Key Tenets of CPwE Architectures - Zoning: Zoning - CPwE Logical Framework – Modular Building Blocks
      [Figure: CPwE logical framework diagram with the same zone, device and callout labels as slide 44: Enterprise Zone Levels 4-5, Industrial Demilitarized Zone (IDMZ) Level 3.5, Industrial Zone Levels 0-3 (Plant-wide Network), Level 3 - Site Operations (Control Room), and three Cell/Area Zones Levels 0-2 (PRP redundant LANs A and B, linear/bus/star and redundant star, DLR ring).]
  • 55. Key Tenets of CPwE Architectures - Zoning: Segmentation (Zoning) - Functional Areas / Security Groups
      - Physical: Air Gap. Challenges?
      - Physical: Multiple NIC. Challenges?
      [Figure: two panels, each showing Isolated Networks, a Plant-wide Network and a Control Network (Levels 0-2)]
  • 56. Key Tenets of CPwE Architectures - Zoning: Segmentation (Zoning) - Functional Areas / Security Groups
      - Logical: VLANs with Static ACLs. Challenges?
      - Logical: VLANs with Dynamic ACLs. Challenges? Uses Authentication, Authorization and Accounting (AAA).
      [Figure: two panels, each showing a Plant-wide Network with Cell/Area Zone 10 (Levels 0-2, VLAN 10: PAC_10, I/O_10) and Cell/Area Zone 20 (Levels 0-2, VLAN 20: PAC_20, Drive_20), IES switches and an EWS. Left panel: Enforcement by ACLs. Right panel: Enforcement by DACLs.]
  • 57. Key Tenets of CPwE Architectures - Zoning: Segmentation (Zoning) - Functional Areas / Security Groups
      - Virtual: Software-Defined Security Group Segmentation
      - Role-based Enforcement
      - SGT – Scalable Group Tag
      Sample SGACL Policy Table
                 SGT 100   SGT 30   SGT 10   SGT 20
        SGT 100     -        N        Y        Y
        SGT 30      N        -        Y        Y
        SGT 10      Y        Y        Y        N
        SGT 20      Y        Y        N        Y
      [Figure: Enterprise, WAN, IDMZ and Industrial Zone Levels 0-3 (Plant-wide Network). Level 3 Site Operations hosts FactoryTalk® Application(s), FTNM, ISE (pxGrid, Context) and Stealthwatch (NetFlow). Cell/Area Zone 10 (Levels 0-2, Security Group 10, VLAN 10: PAC_10, I/O_10, tagged SGT 10) and Cell/Area Zone 20 (Levels 0-2, Security Group 20, VLAN 20: PAC_20, Drive_20, tagged SGT 20). Other labels: EWS, IES, OT User, IT User, SGT 30, SGT 100, Enforcement SGACLs.]
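The sample SGACL policy table on slide 57, worked through as an added example (not part of the original deck and not Cisco or Rockwell Automation code): the sketch parses the table as printed and classifies flow records against it. The IP-to-SGT bindings, the addresses, the flow records and the reading of "-" as "no entry" are constructed assumptions; the slide does not say which axis is the source, so the code also checks that the table is symmetric.

```python
import ipaddress

# Sample SGACL policy table as printed on slide 57 (Y, N and "-" copied as-is).
SLIDE_TABLE = """
          SGT 100  SGT 30  SGT 10  SGT 20
SGT 100   -        N       Y       Y
SGT 30    N        -       Y       Y
SGT 10    Y        Y       Y       N
SGT 20    Y        Y       N       Y
"""

# Constructed IP-to-SGT bindings (assumption: the deck names the tags only).
# The /32 entry tags one host inside the zone 10 subnet with a different group.
BINDINGS = [
    (ipaddress.ip_network("10.10.10.0/24"), 10),
    (ipaddress.ip_network("10.10.20.0/24"), 20),
    (ipaddress.ip_network("10.10.30.0/24"), 30),
    (ipaddress.ip_network("10.10.100.0/24"), 100),
    (ipaddress.ip_network("10.10.10.200/32"), 30),
]

# Constructed flow records (source, destination), e.g. taken from a flow export.
FLOWS = [
    ("10.10.10.5", "10.10.10.9"),
    ("10.10.10.5", "10.10.20.7"),
    ("10.10.100.4", "10.10.30.2"),
    ("10.10.10.200", "10.10.20.7"),
    ("10.10.100.4", "10.10.100.8"),
    ("192.0.2.44", "10.10.10.5"),
]

VERDICTS = {"Y": "permit", "N": "deny", "-": "no-entry"}


def parse_matrix(text):
    """Return {(row_sgt, col_sgt): cell} from the table text."""
    rows = [line.split() for line in text.strip().splitlines()]
    cols = [int(tok) for tok in rows[0][1::2]]  # "SGT 100 SGT 30 ..." -> numbers
    matrix = {}
    for row in rows[1:]:
        src, cells = int(row[1]), row[2:]
        if len(cells) != len(cols) or any(c not in VERDICTS for c in cells):
            raise ValueError(f"malformed policy row: {row}")
        for dst, cell in zip(cols, cells):
            matrix[(src, dst)] = cell
    return matrix


def asymmetric_pairs(matrix):
    """Pairs whose verdict depends on direction; empty means axis order is moot."""
    return sorted((a, b) for (a, b), cell in matrix.items()
                  if a < b and matrix[(b, a)] != cell)


def sgt_for(ip, bindings):
    """Longest-prefix match of an address to a tag; None if unbound."""
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, sgt) for net, sgt in bindings if addr in net]
    return max(hits)[1] if hits else None


def classify(flows, matrix, bindings):
    """Return (src, dst, src_sgt, dst_sgt, verdict) for every flow."""
    results = []
    for src, dst in flows:
        s, d = sgt_for(src, bindings), sgt_for(dst, bindings)
        if s is None or d is None:
            verdict = "unmapped"  # no tag: the table says nothing about it
        else:
            verdict = VERDICTS[matrix.get((s, d), "-")]
        results.append((src, dst, s, d, verdict))
    return results


def exceptions(results):
    """Flows the table does not explicitly permit, for analyst review."""
    return [r for r in results if r[4] != "permit"]


if __name__ == "__main__":
    policy = parse_matrix(SLIDE_TABLE)
    print("direction-dependent pairs:", asymmetric_pairs(policy))
    for record in classify(FLOWS, policy, BINDINGS):
        print(record)
```

The host at 10.10.10.200 sits in the zone 10 subnet but carries SGT 30, so its flow to zone 20 is permitted while its subnet neighbour's is denied: the verdict follows the group tag, not the VLAN or address range.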
  • 58. Key Tenets of CPwE Architectures: Convergence-Ready Network Solutions
      Design and deployment considerations that a partner (for example, OEM, SI, Contractor) has to take into account to achieve seamless integration of their solution (for example, equipment, skid, machine) into their customers’ plant-wide/site-wide network infrastructure.
      [Figure: two panels. Partner Solution(s), for example, Process Skid, connected to a Plant-wide Industrial Automation & Control System; Partner Solution(s), e.g. Machine, connected to a Plant-wide Industrial Automation & Control System.]
      Callouts: “one-size-fits-all”; Early, open and two-way OT-IT dialogue is critical!
      Reference: The OEM Guide to Networking, ENET-RM001_-EN-P
  • 59. CPwE: Enabling Industrial IoT and Industrial IT (Bridging OT-IT): Scalable, Reliable, Safe, Secure and Future-Ready Industrial IoT Architectures
      Labels: Industrial IoT, Operational Technology, Industrial IT, Internet of Things, Information Technology
      [Figure: CPwE logical framework diagram with the same zone, device and callout labels as slide 44]
  • 60. Key Takeaways
      • Business outcomes drive modernization projects
      • Agility to quickly adapt to new market trends (future-ready)
      • Cost reduction through lower MTTR and higher OEE (reliability, safety and security)
      • Risk reduction – reliable and secure plant-wide architectures based on proven reference architectures
      • Assessment, design and planning are key steps to modernizing aging network infrastructure
      • Know where you are starting from
      • Have a vision, based on business drivers, for scalable, reliable, safe, secure, and future-ready Industrial IoT architectures
      • Standard and open managed network and security services enable modernization
      • Zoning through Segmentation
      • Virtual Local Area Networks (VLANs)
      • Switch Hierarchy – Layer 2/Layer 3
      • Network Address Translation (NAT)
      • Connected Routing
      • Stratix® managed infrastructure devices – best of OT-IT, Rockwell Automation and Cisco, to enable Industrial IoT architectures
      • Converged Plantwide Ethernet (CPwE) tested and validated reference architectures
      • Leverage NSS as a trusted partner, which has knowledge and expertise with IIoT applications and OT-IT Cybersecurity
  • 62. Additional Material: Network Architecture Icon Key
      • Layer 2 Access Link (EtherNet/IP Device Connectivity)
      • Layer 2 Interswitch Link/802.1Q Trunk
      • Layer 3 Link
      • Layer 2 Access Switch, Catalyst 2960
      • Multi-Layer Switch - Layer 2 and Layer 3, Stratix® 8300, Stratix® 5700, Stratix® 5400, Stratix® 5410 Switches
      • Layer 3 Router
      • Autonomous Wireless Access Point (AP)
      • Layer 2 IES with NAT, Stratix® 5700, Stratix® 5400 Switches
      • Layer 2 IES with NAT and Connected Routing, Stratix® 5700, Stratix® 5400 Switches
      • Layer 3 Distribution Switch Stack, Catalyst 3750-X, Catalyst 3850, Catalyst 9300
      • Layer 3 Core Switch, Catalyst 4500, 4500-X, 6500, 6800, 9500
      • Layer 3 Core Switch with Virtual Switching System (VSS), Catalyst 4500-X, 6500, 6800, 9500
      • Firewall, Adaptive Security Appliance (ASA) 55xx
      • Wireless workgroup bridge (WGB)
      • Unified Wireless Lightweight Access Point (LWAP), Catalyst 3602E LWAP
      • Unified Wireless LAN Controller (WLC), Cisco 5508 WLC
      • Unified Computing System (UCS), UCS-C series
      • Identity Services Engine (ISE) for Authentication, ISE - PAN/PSN/MnT
      • Layer 2 Access, Industrial Ethernet Switch (IES), Stratix® 2500, Stratix® 5700, Stratix® 5400, Stratix® 8000, Stratix® 5800 Switches
      • Layer 3 Router with Zone-based Firewall
      • Industrial Firewall, Stratix® 5950 Switch
      [Icon text labels: NAT, NAT - CR, IES, IFW]
  • 63. Additional Material: CPwE Architectures - Collection of Architected, Tested & Validated Designs
      • CPwE websites
      • Graphic
      • White Papers and Design Guides
      • Overview Documents
      • Alliance Profile
      • Top 10 Recommendations for Plant-wide EtherNet/IP Deployments
      • Design Considerations for Securing Industrial Automation and Control System Networks
  • 64. Additional Material: CPwE Architectures - Collection of Architected, Tested & Validated Designs (columns: Topic; Design Guide; White Paper)
      • Design Considerations for Securing IACS Networks; Design Guide: N/A; White Paper: ENET-WP031A-EN-P
      • Converged Plantwide Ethernet – Baseline Document; Design Guide: ENET-TD001E-EN-P; White Paper: N/A
      • Deploying 802.11 Wireless LAN Technology within a Converged Plantwide Ethernet Architecture; Design Guide: ENET-TD006A-EN-P; White Paper: ENET-WP034A-EN-P
      • Deploying Identity and Mobility Services within a Converged Plantwide Ethernet Architecture; Design Guide: ENET-TD008B-EN-P; White Paper: ENET-WP037C-EN-P
      • Securely Traversing IACS Data Across the Industrial Demilitarized Zone (IDMZ); Design Guide: ENET-TD009B-EN-P; White Paper: ENET-WP038B-EN-P
      • Deploying Network Address Translation within a Converged Plantwide Ethernet Architecture; Design Guide: ENET-TD007A-EN-P; White Paper: ENET-WP036A-EN-P
      • Migrating Legacy IACS Networks to a Converged Plantwide Ethernet Architecture; Design Guide: ENET-TD011A-EN-P; White Paper: ENET-WP040A-EN-P
      • Deploying A Resilient Converged Plantwide Ethernet Architecture; Design Guide: ENET-TD010B-EN-P; White Paper: ENET-WP039D-EN-P
      • Deploying Industrial Firewalls within a Converged Plantwide Ethernet Architecture; Design Guide: ENET-TD002A-EN-P; White Paper: ENET-WP011B-EN-P
      • Deploying Device Level Ring within a Converged Plantwide Ethernet Architecture; Design Guide: ENET-TD015C-EN-P; White Paper: ENET-WP016D-EN-P
      • OEM Networking within a Converged Plantwide Ethernet Architecture; Design Guide: ENET-TD018A-EN-P; White Paper: ENET-WP018A-EN-P
      • Cloud Connectivity to a Converged Plantwide Ethernet Architecture; Design Guide: ENET-TD017A-EN-P; White Paper: ENET-WP019B-EN-P
      • Deploying Industrial Data Center within a Converged Plantwide Ethernet Architecture; Design Guide: ENET-TD014A-EN-P; White Paper: ENET-WP013A-EN-P
      • Deploying Scalable Time Distribution within a Converged Plantwide Ethernet Architecture; Design Guide: ENET-TD016A-EN-P; White Paper: ENET-WP017B-EN-P
      • Deploying Network Security within a Converged Plantwide Ethernet Architecture; Design Guide: ENET-TD019A-EN-P; White Paper: ENET-WP023B-EN-P
      • Deploying Parallel Redundancy Protocol within a Converged Plantwide Ethernet Architecture; Design Guide: ENET-TD021A-EN-P; White Paper: ENET-WP041A-EN-P
  • 65. Additional Material: Rockwell Automation® Industrial Network Architectures Website http://www.rockwellautomation.com/global/products-technologies/network-technology/architectures.page
  • 66. Additional Material: Rockwell Automation® Reference Documents
      • Ethernet Design Considerations Reference Manual, ENET-RM002C-EN-P: EtherNet/IP Overview, Ethernet Infrastructure Components, EtherNet/IP Protocol, Predict System Performance
      • EtherNet/IP IntelliCENTER® System Reference Manual (MCC-RM001)
      • The OEM Guide to Networking, ENET-RM001A-EN-P: This guide is intended to help OEMs understand relevant technologies, networking capabilities and other considerations that could impact them as they develop EtherNet/IP solutions for the machines, skids or equipment they build
      • Segmentation Methods Within the Cell/Area Zone, ENET-AT004B-EN-E
  • 67. Additional Material: Rockwell Automation® Tools
      • Integrated Architecture® Builder (IAB)
      • Updates and additions to better reflect CPwE structure, hierarchy and best practices
      • Improved Switch Wizard for distribution (for example, Stratix® 5410 switches) and access (for example, Stratix® 5700 switches)
      • Implemented VLANs in the EtherNet/IP network editor
      • Parallel Redundancy Protocol (PRP) Support
      • CIP traffic is measured per segment, not just controller scanner and adapter centric
      • EtherNet/IP Capacity Tool
      • System Configuration Drawings
      • Updates and additions to better reflect CPwE recent enhancements
  • 68. Additional Material: Rockwell Automation Industrial Security Website
  • 69. Additional Material: ODVA, Inc.
      • Website: http://www.odva.org/
      • EtherNet/IP: https://www.odva.org/Technology-Standards/EtherNet-IP/Overview
      • Securing EtherNet/IP™ Networks
      • EtherNet/IP Network Infrastructure Guide: https://www.odva.org/Portals/0/Library/Publications_Numbered/PUB00035R0_Infrastructure_Guide.pdf
      • Common Industrial Protocol (CIP™): https://www.odva.org/Technology-Standards/Common-Industrial-Protocol-CIP/Overview
      • The Family of CIP Networks: https://www.odva.org/Portals/0/Library/Publications_Numbered/PUB00123R1_Common-Industrial_Protocol_and_Family_of_CIP_Networks.pdf
      • CIP Security: https://www.odva.org/Technology-Standards/Common-Industrial-Protocol-CIP/CIP-Security
  • 71. Training Resources: Training and Certification – Industrial IoT / Industrial IT (Bridging OT-IT)
      • Cisco Industrial Networking Specialist Training and Certification
          – Classroom training: Managing Industrial Networks with Cisco Networking Technologies (IMINS)
          – Exam: 200-401 IMINS
          – CPwE Design Considerations and Best Practices
      • CCNA Industrial Training and Certification
          – Classroom training: Managing Industrial Networks for Manufacturing with Cisco Technologies (IMINS2)
          – Exam: 200-601 IMINS2
          – CPwE Design Considerations and Best Practices
  • 72. Training Resources: Training and Certification – Industrial IoT / Industrial IT (Bridging OT-IT)
      • Industrial Networking Specialist
          – Module 1: Industrial Networking Solutions and Products
          – Module 2: Industrial Network Documentation and Deployment Considerations
          – Module 3: Installing Industrial Network Switches, Routers, and Cabling
          – Module 4: Deploying Industrial Ethernet Devices
          – Module 5: Maintaining Industrial Ethernet Networks
          – Module 6: Troubleshooting Industrial Ethernet Networks
      • CCNA Industrial
          – Module 1: Industrial Networking Concepts and Components
          – Module 2: General Troubleshooting Issues
          – Module 3: EtherNet/IP
          – Module 4: Troubleshooting EtherNet/IP
          – Module 5: PROFINET
          – Module 6: Configuring PROFINET
          – Module 7: Troubleshooting PROFINET
          – Module 8: Exploring Security Concerns
          – Module 9: 802.11 Industrial Ethernet Wireless Networking
  • 73. Training Resources: Cisco Training & Certifications, Cisco Certification Track
  • 74. Share your feedback: Please complete the session survey on the mobile app
      1. Download the Events ROK mobile app
      2. Select TechEd and login. Use your email and last name that you used to register for the event.
      3. Click on Schedule on the main menu
          • Select the session you are attending
          • Click on the survey tab
          • Complete the survey and submit
  • 75. www.rockwellautomation.com Thank you