
CONFIDENTIAL DOCUMENT

Network Configuration

Prepared for

Aera Energy San Ardo Facility

Aera Energy San Ardo Facility Ethernet Network Configuration


1.1 Disclaimer
All information contained herein is provided without any warranty, expressed or implied, as to the accuracy or relevance of such information to the Aera Energy environment. This information is to be considered as preliminary and informative, and is subject to review and revision at any time by Aera Energy or Rockwell Automation. This document further includes information that may be proprietary, confidential, or otherwise sensitive from both Aera Energy and Rockwell Automation. Prior to any dissemination outside of Aera Energy or Rockwell Automation of any part or whole of this document, both companies must agree in writing. The information contained herein may be considered volatile and preliminary, subject to revision, addition, or removal.

Page 2 of 6

Location/Network:

San Ardo Facility

10/22/2013

CONFIDENTIAL DOCUMENT Aera Energy and Rockwell Automation use only


Proprietary or confidential to Rockwell Automation, Inc. Any disclosure, reproduction, use or re-distribution of this information by or to an unintended recipient is prohibited. Copyright 2013 Rockwell Automation, Inc. All Rights Reserved.



2 BACKGROUND AND OVERVIEW
2.1 Executive Summary
Aera Energy has elected to implement the network design developed by Processes Unlimited. The Network Configuration document details the recommended switch configuration settings for the chosen design.

2.2 Objective
The primary objective is to design an Industrial Automation and Control Systems (IACS) Ethernet Network for the Aera Energy San Ardo Facility. Industrial Ethernet standards, guidelines and best practices were used to develop configuration recommendations for the Processes Unlimited network design.

2.3 Ethernet Network


The configuration recommendations are based on the design and bill of materials selected by Aera Energy.

- Industrial Process Control System (IPCS) Network
  o Ring topology connecting servers and control room to the rest of the facility.
- Electrical Room Device Level Networks
  o Each electrical room uses a Device Level Ring (DLR) network for communication.
  o DLR networks are isolated from each other and the IPCS network.

2.4 Bill of Material and Physical Topology


Aera Energy has chosen to use the design proposed by Processes Unlimited without any modifications. The Bill of Materials and Physical Topology have been reviewed and will remain as submitted.



3 VLAN Configuration
A VLAN is a logical broadcast domain that can span multiple physical LAN segments. You can design a VLAN structure that groups stations logically by function, line, and other plant floor characteristics without regard to the physical location of the devices. You can assign each end-device switch port to only one VLAN, thereby adding a layer of security. Ports in a VLAN share broadcasts; ports in different VLANs do not, although broadcasts can be directionally routed (needed for a data server such as RSLinx Classic). Containing broadcasts in a VLAN improves the overall performance of the network.

A VLAN is a switched network segmented on a functional, application, or organizational basis as opposed to a physical or geographical basis. Switches filter destination MAC addresses and forward VLAN frames only to ports that serve the VLAN to which the traffic belongs. A VLAN consists of several end systems, either hosts or network equipment (such as switches and routers), all of which are members of a single logical broadcast domain. A VLAN no longer has physical proximity constraints for the broadcast domain.

Cisco and Rockwell Automation recommend not using VLAN 1 for any purpose. Some security threats assume that VLAN 1 is the default VLAN for data and/or management traffic and may target VLAN 1 in their attacks. The IPCS network has the potential for outside contact, so VLAN 1 should not be used in the IPCS network.

VLAN names can be created and edited for new VLANs. VLAN ID numbers are assigned by the Stratix switch and cannot be changed.

All of the devices in the IPCS network can reside in the same VLAN. The same VLAN ID should be used to identify the IPCS VLAN on all of the switches in the IPCS network.
  o Create a new VLAN on the switches used in the IPCS network.
  o Assign each port used in the IPCS network to the new VLAN.

The Device Level Ring networks used in the Electrical Rooms are isolated from each other and the IPCS network; there is no access to these networks from outside. Using the default VLAN in these networks does not pose as severe a threat as using the default VLAN on the IPCS network. To comply with Cisco and Rockwell Automation recommendations, a second VLAN should be created on the switches used in the DLR networks.

Refer to the accompanying Switch Configuration Spreadsheets for details on VLAN port assignments.
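One way to verify the two IPCS rules above (no port left in VLAN 1, one VLAN ID on every IPCS switch) is to audit exported switch configurations. This is an added example, not part of the original document; it assumes IOS-style `switchport` syntax, and the switch names, port names and VLAN numbers are constructed.

```python
import re

# Constructed running-config excerpts (IOS-style syntax assumed); switch names,
# port names and VLAN IDs are illustrative, not values from the spreadsheets.
SAMPLE_CONFIGS = {
    "IPCS-SW1": """
interface FastEthernet1/1
 switchport mode access
 switchport access vlan 10
interface FastEthernet1/2
 switchport mode access
interface GigabitEthernet1/1
 switchport mode trunk
""",
    "IPCS-SW2": """
interface FastEthernet1/1
 switchport mode access
 switchport access vlan 20
""",
}

def access_vlans(config):
    """Map each non-trunk port to its access VLAN. A port with no explicit
    'switchport access vlan' line remains in the default VLAN 1."""
    ports, cur = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            cur = ports.setdefault(m.group(1), {"trunk": False, "vlan": 1})
        elif cur is not None and (m := re.match(r"\s+switchport access vlan (\d+)", line)):
            cur["vlan"] = int(m.group(1))
        elif cur is not None and re.match(r"\s+switchport mode trunk", line):
            cur["trunk"] = True
    return {p: v["vlan"] for p, v in ports.items() if not v["trunk"]}

def audit(configs):
    """Flag access ports still in VLAN 1 and inconsistent IPCS VLAN IDs."""
    findings, vlans_seen = [], set()
    for switch, cfg in sorted(configs.items()):
        for port, vlan in access_vlans(cfg).items():
            if vlan == 1:
                findings.append(f"{switch} {port}: access port left in VLAN 1")
            else:
                vlans_seen.add(vlan)
    if len(vlans_seen) > 1:
        findings.append(f"IPCS VLAN ID differs across switches: {sorted(vlans_seen)}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIGS)))
```

The port that carries no `switchport access vlan` line is the case most easily missed in a manual review, since nothing in the configuration mentions VLAN 1.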



4 Network Switch Configuration
Switches may be configured through the Device Manager web interface, Cisco Network Assistant software or the Command Line interface. Express Setup can be used for the initial switch configuration.

The following features must be enabled on all switches:

- RSTP
- IGMP
- Auto Negotiate Speed/Duplex

(These features are enabled by default after the initial switch setup.)

Individual port connections are detailed in the accompanying Switch Configuration Spreadsheets.



5 IP Addressing
Aera Energy specified Class A addressing for the IPCS network and Class C addressing for the Electrical Room DLR networks. No specific address ranges were identified by Aera, so IP addresses representative of the class requirements in each area were used. The following concepts were used to develop the IP addresses:

- IPCS: 10.xxx.VLAN ID.xxx
- DLRs: 192.xxx.ER#.xxx

- The first octet is representative of a value within the class specified for the area.
- The second octet is arbitrary.
- The third octet was chosen to provide a functional area reference within the IP address.
- The fourth octet is arbitrary.

A detailed breakdown of the addressing scheme is provided in the accompanying Switch Configuration Spreadsheets.

All networks use a subnet mask of: 255.255.255.0

The Default Gateway of the IPCS network is the IP address of the Cisco 3750 Layer 3 switch. Communications will not be routed from the Device Level Ring networks in the electrical rooms, so the Default Gateway should be left blank. Leaving the Default Gateway blank will keep devices from searching for a router that does not exist.
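The addressing rules above can be checked mechanically against a device list. The following is an added example, not part of the original document; the device names, addresses, VLAN ID, electrical room numbers and the Layer 3 switch address are all constructed for illustration.

```python
import ipaddress

MASK = "255.255.255.0"  # the mask the document specifies for every network

# Constructed rows; names, addresses, VLAN ID 10 and room numbers are illustrative.
# "ref" is the VLAN ID for IPCS rows and the electrical room number for DLR rows.
PLAN = [
    {"name": "HMI-1", "area": "IPCS", "ref": 10, "ip": "10.20.10.15", "mask": MASK, "gw": "10.20.10.1"},
    {"name": "SRV-1", "area": "IPCS", "ref": 10, "ip": "10.20.11.20", "mask": MASK, "gw": "10.20.10.1"},
    {"name": "ER3-VFD", "area": "DLR", "ref": 3, "ip": "192.168.3.21", "mask": MASK, "gw": ""},
    {"name": "ER4-PLC", "area": "DLR", "ref": 4, "ip": "192.168.4.10", "mask": MASK, "gw": "192.168.4.1"},
]

def check_row(row, l3_switch_ip):
    """Return the deviations from the addressing scheme for one device."""
    problems = []
    iface = ipaddress.ip_interface(f'{row["ip"]}/{row["mask"]}')
    octets = list(iface.ip.packed)
    first = 10 if row["area"] == "IPCS" else 192
    if octets[0] != first:
        problems.append(f"first octet should be {first}")
    if octets[2] != row["ref"]:
        problems.append("third octet does not match VLAN ID / ER#")
    if row["mask"] != MASK:
        problems.append("subnet mask is not 255.255.255.0")
    if row["area"] == "DLR":
        # DLR rings are not routed, so any gateway value is a deviation.
        if row["gw"]:
            problems.append("DLR device has a default gateway set")
    elif row["gw"] != l3_switch_ip:
        problems.append("gateway is not the Layer 3 switch")
    elif ipaddress.ip_address(row["gw"]) not in iface.network:
        problems.append("gateway is outside the device's /24")
    return problems

def check_plan(plan, l3_switch_ip):
    """Map device name to its list of deviations; compliant devices are omitted."""
    report = {}
    for row in plan:
        problems = check_row(row, l3_switch_ip)
        if problems:
            report[row["name"]] = problems
    return report

if __name__ == "__main__":
    for name, problems in check_plan(PLAN, "10.20.10.1").items():
        print(name, "->", "; ".join(problems))
```

A gateway on a DLR device is worth flagging because the document relies on those rings having no routed path to the IPCS network.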

