Cisco Digital Manufacturing Solution for a Well-Known Enterprise (.pptx)
Digital Manufacturing Solutions
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Agenda
- Connected Factory Challenges
- Connected Factory Networks
- Industrial Protocols
- Connected Factory Wireless
- Connected Factory Security
- Connected Machines

Connected Factory Challenges: What Pains Manufacturers Today
- Cost and inefficiency of dedicated networks for individual plant-floor applications
- Inability to increase plant productivity, production velocity, quality and uptime (OEE)
- Customer and market pressure to accelerate product and service introductions
- High unplanned downtime (wasting, on average, at least 5% of production)
- Securing factories from cyber threats
- High cabling and re-cabling costs (60% of deployment costs)

Converged Plant Network Benefits
1. Automate production processes: high speed; lower latency and jitter; QoS
2. Increase manufacturing flexibility: production flexibility; change production recipes at the click of a button; enable new product innovation
3. Reduce plant downtime with manageability: greater visibility and manageability; quick HMI response; granular control over shut-downs; resiliency and faster recovery
4. Enable next-generation visual factories: integrated video on the same floor; digital media for quicker decisions
5. Speed new product introduction: faster new-line set-up; collaboration between plant and R&D to speed NPI
6. Platform to enable new services: mobility; visualization; machine monitoring; remote access; physical security

Connected Factory Networks

The Connected Factory Architecture
Business outcomes: production flexibility, lower operations TCO, manufacturing intelligence, advanced process control, workforce productivity.
[Architecture diagram. Enterprise Zone (Levels 4 and 5): Internet, Wide Area Network (WAN), Remote Access Server, Catalyst 6800/4500 switch stack, enterprise WLC, physical or virtualized servers (ERP, Email, Active Directory (AD), AAA RADIUS, Call Manager). Industrial Demilitarized Zone (IDMZ): plant firewalls ASA 5500 active/standby with a link for failover detection; inter-zone traffic segmentation, ACLs, IPS and IDS, VPN services, portal and Remote Desktop Services proxy; physical or virtualized servers (patch management, AV server, application mirror, Remote Desktop Gateway server). Industrial Zone (Levels 0-3), Site Operations (Level 3): Catalyst 2960, 3850, 4500-X, UCS, primary and secondary 5500 Wireless LAN Controllers (WLC), ISE Policy Service Node, physical or virtualized servers (site ops servers and services platform, network services e.g. DNS, AD, DHCP, AAA, Call Manager, storage array). Cell/Area Zones (Levels 0-2): Industrial Ethernet Layer 2 access switches (IE1000, IE4010, IE5000, ISA3000) in redundant star (StackWise resiliency), ring and linear/bus/star topologies; unified wireless LAN (LWAP, 5 GHz SSID, WGB) and autonomous wireless LAN (AP, 2.4 GHz SSID); end devices: controllers, safety controllers, safety I/O, HMI, MCC, soft starter, servo drive, robot, camera, phone.]

Connected Factory Networks
- Resilient network supports continuous manufacturing operation
- Cisco Validated Design for IACS applications
- Fast ring convergence allows non-disruptive I/O communication
- EtherChannel/FlexLink for redundant paths
[Diagram: Industrial Zone Levels 0-3 with Catalyst 3850, 4500-X, IE5000, ISA3000, IE4010 and IE1000.]
Industrial Protocols

Industrial Automation Protocols
- Used for data communication between automation and control devices
- Major industrial automation protocols include: CIP EtherNet/IP, PROFINET, Modbus TCP
- Major network redundancy protocols include: REP (Resilient Ethernet Protocol), MRP (Media Redundancy Protocol), DLR (Device Level Ring)

PROFINET Introduction
- Industrial Ethernet standard published by PI (PROFIBUS & PROFINET International)
- Protects legacy assets (compatible with PROFIBUS), improves efficiency, increases uptime
- An object-oriented application serving the device network to collect information and push configuration and diagnostics, including monitoring switch alarms
- PROFINET uses a GSD file (General Station Description) to describe the properties and functions of field devices
- Used in discrete and process applications, motion control, vertical integration, safety, and power/energy saving

PROFINET Applications
- PROFINET NRT (Non Real-Time): standard TCP(UDP)/IP; PROFINET CBA; configuration, diagnostics, management; non-time-critical status information
- PROFINET RT (Real Time): primarily PROFINET IO, some PROFINET CBA; control traffic, time-critical alarms and messaging
- PROFINET IRT (Isochronous Real-Time): all device clock/bus cycles synchronized; scheduled Ethernet
[Diagram: PROFINET protocol stack with layers labelled PROFINET; HTTP(S), SNMP, Socket; RT; TCP/UDP; IP; Ethernet. Devices shown: PC/HMI, Remote IO, PLC, Drive.]

Failure Recovery: Resilient Ethernet Protocol (REP)
- A REP segment is a chain of switch ports configured with the same REP segment ID
- A redundant-path ring switch-level topology can be built with REP segments; the ring is a single-fault-tolerant network
- REP is suitable for IACS applications that can tolerate up to a 100 ms network convergence (recovery) time
- Cisco innovation, included with Cisco Catalyst 3750-X, 3850-X, 4500E, IE 2000, 3000, 4000 and 5000, and Stratix 5700, 8000, 5400 and 5410
[Diagram: REP segments; Segment 1 carries VLAN 10, Segment 2 carries VLAN 20.]
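The REP slide states the property that matters for plant design: a ring built from a segment of ring ports, with one alternate port blocked, survives exactly one link failure. The following model is an added example, not Cisco code or a REP implementation; it keeps one blocked alternate link, unblocks it when any ring link fails, and shows that a second concurrent failure partitions the ring while the blocked port is what prevents a forwarding loop in normal operation. Switch names and link order are constructed.

```python
"""Model of a single-fault-tolerant switch ring with one blocked alternate port.

Added example (not Cisco or REP code). Switch names and ring order are
constructed; the logic models only the behaviour the slide describes.
"""
from collections import deque


class Ring:
    def __init__(self, switches, blocked_link):
        # switches: ring order; link i joins switches[i] and switches[(i + 1) % n]
        self.switches = list(switches)
        n = len(self.switches)
        self.links = [frozenset((self.switches[i], self.switches[(i + 1) % n]))
                      for i in range(n)]
        # the alternate port: kept blocked while the ring is intact
        self.blocked = frozenset(blocked_link)
        if self.blocked not in self.links:
            raise ValueError("blocked link is not part of the ring")
        self.failed = set()
        self.converge()

    def converge(self):
        """Segment-wide decision: unblock the alternate port while any link is
        down; block it again once the ring is whole, so no loop forms."""
        self.blocked_active = not self.failed

    def forwarding_links(self):
        return [l for l in self.links
                if l not in self.failed
                and not (self.blocked_active and l == self.blocked)]

    def fail_link(self, a, b):
        self.failed.add(frozenset((a, b)))
        self.converge()

    def restore_link(self, a, b):
        self.failed.discard(frozenset((a, b)))
        self.converge()

    def has_loop(self):
        # n switches joined by n forwarding links form a loop (broadcast storm)
        return len(self.forwarding_links()) >= len(self.switches)

    def reachable_from(self, src):
        adj = {s: set() for s in self.switches}
        for l in self.forwarding_links():
            a, b = tuple(l)
            adj[a].add(b)
            adj[b].add(a)
        seen, queue = {src}, deque([src])
        while queue:
            cur = queue.popleft()
            for nxt in adj[cur]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return seen

    def fully_connected(self):
        return self.reachable_from(self.switches[0]) == set(self.switches)


def simulate():
    """Walk a five-switch ring through normal operation, one failure, two
    concurrent failures and full restoration; returns (connected, loop) per step."""
    ring = Ring(["dist", "ie1", "ie2", "ie3", "ie4"], blocked_link=("ie4", "dist"))
    results = {"normal": (ring.fully_connected(), ring.has_loop())}
    ring.fail_link("ie1", "ie2")      # first failure: alternate port opens, all reachable
    results["one_failure"] = (ring.fully_connected(), ring.has_loop())
    ring.fail_link("ie3", "ie4")      # second failure: ring is single-fault tolerant only
    results["two_failures"] = (ring.fully_connected(), ring.has_loop())
    ring.restore_link("ie1", "ie2")
    ring.restore_link("ie3", "ie4")   # ring whole again: alternate port blocked again
    results["restored"] = (ring.fully_connected(), ring.has_loop())
    return results


if __name__ == "__main__":
    for step, (connected, loop) in simulate().items():
        print(f"{step:13s} connected={connected} loop={loop}")
```

The model says nothing about the 100 ms figure; it only makes the topology claim concrete: with the alternate port blocked the healthy ring is a loop-free chain, one failure is absorbed by unblocking it, and a second failure leaves two islands, which is why each cell/area ring should be sized and monitored as a one-failure domain.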
Media Redundancy Protocol (MRP)
- MRM (Media Redundancy Manager): controls the ring and sends test frames; provides the logical break in the ring; closes the ring if a failure is detected; one per ring
- MRC (Media Redundancy Client): forwards test and supervision frames; closes the ring; many per ring
[Diagram: MRM in normal operation and MRM with a link failure.]

PROFINET Solution Use Cases

IE Switch Interoperability
[Diagram: MRP ring with different vendors: Cisco IE 3000, IE4000 and IE2000 switches, a Siemens switch and a Hirschmann switch, with an HMI attached.]

Protect Investment, Support Hybrid Environment
[Diagram: PLC, drive and HMI attached across IE2000 switches running REP and MRP alongside a DLR ring.]
- Industrial switches (table, partially recovered): IE2000, IE4000; RA Stratix 5700, 5400, 5410; all IE switches and Cisco Catalysts
- Convergence time (table, partially recovered): 50-200 ms; 4 ms

Connected Factory Wireless

Design Considerations
Unified WLAN:
- Larger number of APs (>10)
- Plant-wide coverage for a variety of applications and clients
- Existing Unified WLAN in the Enterprise Zone
- Applications require fast wireless roaming
- Managed jointly by IT and control engineers; greater level of expertise/cost
- Additional services: RF analysis, Wireless Intrusion Prevention, RTLS
Autonomous WLAN:
- Small number of APs (<10)
- Standalone applications (skids/machines), mostly WGB clients
- Ad-hoc WLAN installation
- Applications with no roaming or non-operational roaming
- Managed mostly by control engineers; lower level of expertise/cost
- Lower initial cost

Connected Factory Security

Defense in Depth: Holistic Cyber Security
- Industrial DMZ
- Identity Services
- NAT
- Industrial Firewall

Network Address Translation (NAT)
- Common security practice to hide operation IP addresses
- Network segmentation to reduce cyber-attack risk
- Ease of use with IP address reuse
- Use cases (end user and OEM): each skid/machine aggregated by one NAT switch, single VLAN; each skid/machine aggregated by multiple NAT switches, multiple VLANs; multiple skids/machines aggregated by one NAT switch, multiple VLANs

Identity Services
- Identity Services Engine (ISE): Policy Administration Node (PAN), Policy Service Node (PSN), Monitoring Node (MnT)
- Authentication vs. authorization
- Use cases: wired convenience port; wireless guest/employee access; remote-access VPN

Shop Floor User Admission Control
[Diagram: Enterprise Zone (Levels 4-5) with Internet, external DMZ/firewall, enterprise WAN, core switches, enterprise WLC, ISE PAN/PSN and ISE MnT; IDMZ with firewalls (active/standby); Industrial Zone Levels 0-3 (plant-wide network) with Level 3 Site Operations (core switches, distribution switch, WLC active/standby, ISE PSN) and Cell/Area Zones Levels 0-2 (lines, machines, skids, equipment) with LWAP, WGB, controllers, FactoryTalk client, I/O and drive.]

Industrial Demilitarized Zone (IDMZ)
- Architectural framework
- Resiliency: firewall active/standby configuration; ASA with Sourcefire
- Industrial security policies: Industrial Zone, IDMZ
- Use cases, traversing the IDMZ: network services (Active Directory, Identity Services Engine, WLC CAPWAP); FactoryTalk applications (PI to PI, reverse proxy, web proxy, RDP); secure remote access (ASA/RDP, RDG/RDP)
- Benefits: protect the shop-floor network; separation of enterprise and operations; control remote access; tracking of inbound/outbound data flow

Cisco Industrial Firewall
- ISA3000-4C-K9: copper SKU with 4x 10/100/1000Base-T and a management port
- ISA3000-2C2F-K9: fiber SKU with 2x 1GbE SFP and 2x 10/100/1000Base-T and a management port
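The NAT slide and the IDMZ slide describe two boundary controls that work together: identical skids reuse one inside address plan and are exposed to the plant network only through a per-skid 1:1 NAT range, and the IDMZ rule that nothing crosses directly between the Enterprise Zone and the Industrial Zone, so remote access or AD traffic must terminate on an IDMZ broker (Remote Desktop Gateway, reverse proxy, replicated directory) and be re-originated. The block below is an added example, not Cisco code or the L2 NAT feature of the IE switches; the address ranges, skid and broker names, ports and sample flows are all constructed to illustrate the two policies and the checks a defender would run against them.

```python
"""Per-skid 1:1 NAT plus an IDMZ traversal rule, modelled together.

Added example (not Cisco code). Addresses, skid names, IDMZ broker names,
ports and sample flows are constructed for illustration.
"""
import ipaddress


class SkidNat:
    """One NAT instance per skid: same inside plan on every skid, unique
    plant-side range, host bits preserved (1:1 translation)."""

    def __init__(self, skid, inside_net, outside_net):
        self.skid = skid
        self.inside = ipaddress.ip_network(inside_net)
        self.outside = ipaddress.ip_network(outside_net)
        if self.inside.prefixlen != self.outside.prefixlen:
            raise ValueError("1:1 NAT needs equal-size inside and outside ranges")

    def to_plant(self, inside_ip):
        """Inside -> plant address; None means no table entry, i.e. dropped."""
        ip = ipaddress.ip_address(inside_ip)
        if ip not in self.inside:
            return None
        return str(self.outside.network_address + (int(ip) - int(self.inside.network_address)))

    def to_skid(self, plant_ip):
        ip = ipaddress.ip_address(plant_ip)
        if ip not in self.outside:
            return None
        return str(self.inside.network_address + (int(ip) - int(self.outside.network_address)))


def outside_ranges_overlap(nats):
    """Deployment check: two skids must never share plant-side addresses."""
    nets = [n.outside for n in nats]
    return any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


# IDMZ policy. Brokers are the only IDMZ hosts that terminate and re-originate flows.
ZONES = ("enterprise", "idmz", "industrial")
IDMZ_BROKERS = {"rdg": 3389, "reverse-proxy": 443, "ad-replica": 389}  # constructed


def idmz_decision(src_zone, src_host, dst_zone, dst_host, dst_port):
    """Default-deny evaluation of one flow. Returns (verdict, reason)."""
    if src_zone not in ZONES or dst_zone not in ZONES:
        return ("deny", "unknown zone")
    if src_zone == dst_zone:
        return ("permit", "intra-zone")
    if {src_zone, dst_zone} == {"enterprise", "industrial"}:
        return ("deny", "no direct enterprise<->industrial traffic")
    if dst_zone == "idmz":
        if IDMZ_BROKERS.get(dst_host) == dst_port:
            return ("permit", "terminates on IDMZ broker " + dst_host)
        return ("deny", "IDMZ destination is not a published broker/port")
    # src_zone is the IDMZ: only a broker may re-originate toward either zone
    if src_host in IDMZ_BROKERS:
        return ("permit", "re-originated by IDMZ broker " + src_host)
    return ("deny", "non-broker IDMZ host may not re-originate")


def demo():
    skid_a = SkidNat("skid-a", "192.168.1.0/24", "10.20.1.0/24")
    skid_b = SkidNat("skid-b", "192.168.1.0/24", "10.20.2.0/24")  # same inside plan
    plant_a = skid_a.to_plant("192.168.1.10")
    plant_b = skid_b.to_plant("192.168.1.10")
    return {
        "plant_a": plant_a,                                   # 10.20.1.10
        "plant_b": plant_b,                                   # 10.20.2.10, no clash
        "untranslated": skid_a.to_plant("172.16.0.5"),        # not in table -> None
        "overlap": outside_ranges_overlap([skid_a, skid_b]),  # False
        # remote engineer opening RDP straight to a controller: denied
        "direct_rdp": idmz_decision("enterprise", "laptop", "industrial", plant_a, 3389)[0],
        # same engineer to the Remote Desktop Gateway in the IDMZ: permitted
        "rdg_hop": idmz_decision("enterprise", "laptop", "idmz", "rdg", 3389)[0],
        # RDG re-originates RDP toward the NAT'd plant address: permitted
        "rdg_to_plant": idmz_decision("idmz", "rdg", "industrial", plant_a, 3389)[0],
        # plant host reaching for an enterprise file share directly: denied
        "plant_to_ent": idmz_decision("industrial", plant_b, "enterprise", "fileserver", 445)[0],
        # LDAP to the directory replica in the IDMZ: permitted
        "ad_replica": idmz_decision("industrial", plant_b, "idmz", "ad-replica", 389)[0],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:13s} {value}")
```

Two things the slides state only as bullets become visible here: the plant side only ever sees the 10.20.x.x addresses, never a skid's 192.168.1.x plan, and the IDMZ rule is a default-deny that permits traffic only when one end is a published broker, so a "permit any enterprise to industrial" rule would be rejected by construction rather than by review.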
Industrial Firewall Protecting the Industrial Zone
[Diagram: Industrial Zone Levels 0-3. Core switches and distribution switch; industrial Ethernet switches (IES) serving machines, skids and equipment (HMI, soft starter, drive, controller); ISA3000 industrial firewalls in transparent mode in front of the machine, skid and equipment cells and in monitor mode at the distribution layer; managed by FireSIGHT and Cisco Security Manager.]

Connected Machines

Why Machines Need to be Connected?
Machine visibility
- Customer challenges: no machine green-light activity; no operator accountability
- Business outcomes: OEE improvement; reduced downtime
Converged platform
- Customer challenges: unmanaged switches; operational silos with dedicated switch/compute/security hardware; legacy systems and Windows patching
- Business outcomes: integrate with the IT service model; security from within (embedded Linux)
Machine analytics
- Customer challenges: unexpected downtime; high defect rate; manual maintenance schedule
- Business outcomes: real-time anomaly detection and reduced defects; predictive maintenance
Secure access
- Customer challenges: unauthorized access to devices; complex remote access and troubleshooting
- Business outcomes: platform utility, not a standalone separate solution; security from outside (IP/hacking/sabotage)
Platform: IE 4000

From Machine Data to Actionable Information
[Diagram: Cell/Area Zone Levels 0-2: CNC and robot, each with an MTC agent running in IOx on IE4000/IR8x9; data collection and application adapter feed Memex Merlin OEE software on UCS (IDC compute); DPL-2.]

Connected Machines Solution
[Architecture diagram. Enterprise Zone (Levels 4 and 5): enterprise network, Internet, external DMZ/firewall. IDMZ: plant firewalls active/standby with inter-zone traffic segmentation, ACLs, IPS and IDS, VPN services, portal and Remote Desktop Services proxy. Industrial Zone Levels 0-3 (plant-wide network), Level 3 Site Operations (control room): core switches, distribution switch 5K, Memex Merlin OEE, OEE dashboard, controller. Cell/Area Zones Levels 0-2 (lines, machines, skids, equipment) in redundant star (Flex Links resiliency), Resilient Ethernet Protocol (REP) ring and linear/bus/star topologies, with unified and autonomous wireless LAN (AP and LWAP on 5 GHz SSIDs, WGB, camera, phone); IES and IE4K switches with MTC adapters and CSA, ISA 3000 with port security and a monitor-only ISA 3000, IR8x9 IE MTC adapter; DPL-1, DPL-3.]

Additional Resources
- Solution collateral: Design Zone
- Available today: Cisco Design Zone Solutions http:/
- Connected Factory http:/