Bootp & dhcp

Done correctly, IMHO, DHCP services should be run from the main switch in the machine. If it's down, your line won't run anyway.

I think DHCP reservations are being confused with persistence. Reservations require the MAC ID and persistence does not.

I set up my devices as static but also make a DHCP persistence entry with the same address. This way, if Bubba needs to replace a drive at 3 am, he does not need to call an engineer in to program it. Logix will see the new drive and give it the correct IP, and then flash firmware to the correct level and download the program.

That's confusing. It implies that your PLCs ("Logix") give the drives their IP addresses? If that is the case, then that is a world away from DHCP or BOOTP... Please explain.

The switch will give the new device the correct IP address for that port based on the persistence table, and once Logix sees that the drive does not have the correct firmware and program, Firmware Supervisor will flash it and Logix will download the configuration to the device.

This can be used with a switch using DHCP persistence or Dynamic IP address assignment per port.

The Logix processor will give the device its configuration once the switch or other DHCP device gives the correct IP address to the device.
 
I notice DHCP "Persistence" exists in the Stratix 5700 Managed Ethernet Switch on the "DHCP Address Assignment" tab.
This seems to make me a little leery, because whatever gets plugged into that port gets that assigned IP address. HOPEFULLY, no one moves around the Ethernet cables.
In my static setup I use the port number as the address already (Port 2 is 192.168.1.2, Port 3 is 192.168.1.3....and so on), but I am not running a "DHCP assigned Address" on the port. I worry too much about someone moving the cables.
 
DHCP with Cisco/Rockwell Devices

Geospark said:
...DHCP is used for assigning either static, or leased dynamic IP addresses...

...NB: Static is the preferred IP addressing schema for deterministic automation control networks. Dynamically assigning IP addressing on such a network could lead to many problems, complications, and potentially dangerous situations.

A bit of a discussion has sprung up here as a result of my "NB:..." statement above, so I'll clear up what I meant specifically.

When I stated that...

"...Dynamically assigning IP addressing on such a network could lead to many problems, complications, and potentially dangerous situations"

...I did not mean that DHCP Servers should not be used, at all, to assign IP addresses, but that DHCP Servers should not be used to Dynamically assign IP addresses i.e. lease IP addresses that may expire, potentially resulting in a different leased IP address upon renewal.

From my top statement, DHCP Servers can be used to assign Static IP addresses, which is the preferred addressing schema to use in industrial automation control systems. I just didn't elaborate on the recommended methods to do so (persistence/per port), as I was only giving a brief explanation to the OP and I didn't want to overload them with too much information too soon.

Static IP addressing does not necessarily mean that a device always uses a Static IP address stored in its internal memory. Static just means the IP address itself is statically allocated to that device, or to a port on a switch. "Where" the Static IP address is allocated from can vary, depending on the setup. It could be stored in the device's memory, or in an embedded switch, or persistent to a port on a local managed switch (Rockwell calls this "DHCP per port"), or come from a pre-assigned MAC/IP address table on a remote server, known as "Automatic Allocation".

Static IP addressing does not necessarily imply no DHCP method should be used. What The Plc Kid is suggesting, DHCP Persistence, is very common in newer CPwE systems.

Let's see what some of the "experts" in this area have to say...

Cisco/Rockwell - Industrial Automation and Control System (IACS): Converged Plantwide Ethernet (CPwE) System Design said:
Cisco and Rockwell Automation recommend that IACS network developers use a static IP addressing schema for the Manufacturing zone, especially for allocating IP addresses to IACS devices in the Cell/Area zone. Cisco and Rockwell Automation now recommend DHCP Persistence as a valid option along with static addressing for deploying IP addresses for IACS devices...

...Static IP addressing is the traditional, default means to allocate IP addresses for both IACS devices (for example, drives and I/O) and network infrastructure devices (for example, Industrial Ethernet (IE) switches). Static IP addressing requires an implementer to manually configure an IP address on an IACS device as it is provisioned onto the IACS network. Static IP addressing is referenced directly (rather than a logical reference) by the IACS applications for communication and control purposes. Therefore, the IP addressing assigned must be consistent and defined for proper IACS application operation.

As IACS networks grow in size, so does the task of maintaining static IP addresses on IACS devices. During maintenance operations, where downtime cost and mean time to recovery (MTTR) is a significant issue, manual configuration of a static IP address for each replaced IACS device can take valuable time.

DHCP Persistence enables IACS implementers to reserve and pre-assign an IP address to a specific IE switch port.

This enables an IACS device connected to that IE switch port, configured for dynamic IP allocation, to always receive a consistent IP address regardless of its MAC address. This capability helps to reduce the amount of time required to provision or replace IACS devices, such as drives and I/O. This also helps to reduce the required level of skilled resources to provision or replace an IACS device.

However, they also state that...

Cisco/Rockwell said:
Although Cisco and Rockwell Automation now recommend DHCP Persistence as a valid option for IACS devices, Cisco and Rockwell Automation still recommend that network developers use a static IP addressing schema for IACS network infrastructure devices.

In other words, DHCP Persistence is a "valid option", but not their first preference.

If you read Rockwell's EtherNet/IP Network Configuration (ENET-UM001K-EN-P), which applies to all of the following Catalog Numbers...

1756-ENBT, 1756-EN2F, 1756-EN2T, 1756-EN2TR, 1756-EN2TXT, 1756-EN3TR, 1756-EN2TSC, 1756-EN2TRXT, 1768-ENBT, 1769-L23E-QB1B, 1769-L23E-QBFC1B, 1769-L32E, 1769-L35E, 1783-ETAP, 1783-ETAP1F, 1783-ETAP2F, 1794-AENT, 20-COMM-E, 22-COMM-E, 1734-AENT, 1734-AENTR

...it states the following...

EtherNet/IP Network Configuration (ENET-UM001K-EN-P) said:
Configure an EtherNet/IP Communication Module to Operate on the Network

Use DHCP Software

Dynamic Host Configuration Protocol (DHCP) software automatically assigns IP addresses to client stations logging onto a TCP/IP network. DHCP is based on BOOTP and maintains some backward compatibility. The main difference is that BOOTP allows for manual configuration (static), while DHCP allows for both static and dynamic allocation of network addresses and configurations to newly attached modules.

Be cautious when using DHCP software to configure a module. A BOOTP client, such as the EtherNet/IP communication modules, can start from a DHCP server only if the DHCP server is specifically written to also handle BOOTP queries. This is specific to the DHCP software package used. Consult your system administrator to see if a DHCP package supports BOOTP commands and manual IP allocation.

IMPORTANT If you do not click Disable BOOTP/DHCP, on a power cycle, the host controller clears the current IP configuration and begins sending BOOTP requests again.

ATTENTION: The EtherNet/IP communication module must be assigned a fixed network address. The IP address of this module must not be dynamically provided. Failure to observe this precaution may result in unintended machine motion or loss of process control.

As some read all this, a little confusion might be arising?

They say it's "not ok" to dynamically assign IP addresses?

...but it's "ok" to assign IP addresses Dynamically using DHCP Persistence?

The author is referring to the historical meaning of Dynamically assigning leased IP addresses, which should be avoided, but is not specifically saying not to use DHCP Persistence. Most likely that text is a few years old, and has not been updated as the publication was superseded.

Dynamically just means, "actively", or "on-the-fly", or simply "as needed". So using DHCP you can Dynamically assign leased IP addresses, or Dynamically assign Static addresses.

Persistence is a "valid" method of Dynamically assigning Static IP addresses, to devices connected to a port, as and when needed.

G.
 
DHCP Persistence - Cisco/Rockwell

There are two "typical use cases" for implementing DHCP Persistence:

Replacement of a failed IACS device

Or...

Setting up a new "out-of-the-box" IACS device.


Using DHCP Persistence to Replace a Failed IACS Device

Consider the example of a municipal water distribution system that has multiple pumping stations located over a large geographic area. Often, these networks are tied together into a central location for monitoring purposes. Because of this centralization, it is convenient to have only a few network administrators who must maintain addressing for the entire system.

If an IACS device on a pumping station fails, maintenance staff on site could replace the IACS device. However, special training in all IACS products may be required to properly set IP addressing. If dynamic allocation is enabled on this IACS device, the maintenance staff would simply connect the new IACS device to the DHCP Persistence server (the IE switch to which the IACS device is connected), which allocates the correct IP address, enabling the maintenance staff to complete the IACS device configuration.

Using DHCP Persistence to Provision a New IACS Device

To reduce the amount of time necessary to configure a new system, Cisco and Rockwell Automation have enabled specific technology to allow a more efficient out-of-the-box experience when deploying IP-enabled devices in an IACS application. Manually configuring network addresses on IACS devices can add extra time and complexity to system setup. To configure DHCP, the following tasks must be performed:

Creating a DHCP pool

Assigning the pool to a VLAN

Assigning an IP address on the VLAN

Configuring Reserved Only, DHCP Snooping, and DHCP Persistence

In a typical IACS application, in which the IACS network infrastructure supports DHCP Persistence, these steps can be skipped. All IACS devices that have DHCP/BOOTP enabled out-of-the-box require only that power be applied, and the switch be connected via the appropriate switch port so that the switch can communicate. This saves the user valuable configuration time. Other applications can be configured to download the firmware, operating system, or program, and configure the IACS device.

DHCP Snooping is a feature applied to ensure the security of an existing DHCP infrastructure. DHCP Snooping prevents unauthorized DHCP servers from assigning addresses to clients. When DHCP Snooping is enabled on an IE switch, the switch uses a series of Layer 2 techniques to do the following:

Track the physical location of hosts

Ensure that hosts use only the IP addresses assigned to them

Ensure that only responses from authorized DHCP servers are communicated to the end device

This feature is available on Stratix 8000 and 8300 switches, as well as the 5700 you mentioned, NetNathan, along with many other Cisco Catalyst switches used in IACS. This feature helps ensure a deterministic nature similar to static IP addressing by ensuring only the appropriate server (in this case the switch to which the end device is connected) assigns the IP address.

Note: Because DHCP Persistence allows only a single device to be connected per port, do not use DHCP Persistence with two-port Ethernet modules, such as the 1756-EN2TR, 1756-EN3TR, or 1734-AENTR modules. If you attempt to use DHCP Persistence with these modules, only one of the modules is assigned an IP address. The remaining modules are not assigned IP addresses.

See also...

60143 - What are the limitations of using the DHCP by port functionality in a Stratix 8000 switch?
Access Level: TechConnect

G.
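To make the per-port behaviour described in the CPwE text concrete, here is a small model of a DHCP Persistence server, written for this thread rather than taken from Rockwell or Cisco firmware. It assumes the switch reserves one IP per port, serves only reserved ports, frees a port's binding on link-down, and serves only the first MAC seen on a port (the two-port module limitation from the note above); port names, MACs and addresses are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class PortPersistenceServer:
    """Switch-resident DHCP server with one reserved IP per switch port.
    Constructed model for illustration, not Stratix firmware logic."""
    reservations: Dict[str, str]                           # port -> reserved IP
    bindings: Dict[str, str] = field(default_factory=dict)  # port -> MAC holding it
    log: List[str] = field(default_factory=list)

    def discover(self, port: str, mac: str) -> Optional[str]:
        """Handle a BOOTP/DHCP DISCOVER seen on `port` from `mac`.
        Returns the offered IP, or None when nothing is offered."""
        ip = self.reservations.get(port)
        if ip is None:
            # Reserved-only: a port with no persistence entry never gets an
            # offer, so an unexpected device cannot pick up a free lease.
            self.log.append(f"{port}: no reservation, {mac} ignored")
            return None
        holder = self.bindings.get(port)
        if holder is not None and holder != mac:
            # One device per port: a second MAC arriving through the same
            # port (e.g. daisy-chained behind a two-port module) is not served.
            self.log.append(f"{port}: {ip} held by {holder}, {mac} refused")
            return None
        # Any MAC on a reserved port receives that port's address.
        self.bindings[port] = mac
        return ip

    def link_down(self, port: str) -> None:
        """Device unplugged or failed: free the port for its replacement
        (assumption of this model: the binding is released on link-down)."""
        self.bindings.pop(port, None)


def replacement_scenario() -> Tuple[Optional[str], Optional[str]]:
    """Failed drive on Gi1/3 swapped out: new MAC, same address."""
    srv = PortPersistenceServer({"Gi1/2": "192.168.1.2", "Gi1/3": "192.168.1.3"})
    before = srv.discover("Gi1/3", "00:00:bc:11:22:33")   # original drive
    srv.link_down("Gi1/3")                                 # drive fails, removed
    after = srv.discover("Gi1/3", "00:00:bc:aa:bb:cc")     # replacement drive
    return before, after


def two_port_module_scenario() -> Tuple[Optional[str], Optional[str]]:
    """Two devices chained behind one port: only the first is served."""
    srv = PortPersistenceServer({"Gi1/2": "192.168.1.2"})
    first = srv.discover("Gi1/2", "00:00:bc:00:00:01")
    second = srv.discover("Gi1/2", "00:00:bc:00:00:02")
    return first, second


def unreserved_port_scenario() -> Optional[str]:
    """A device patched into a port with no persistence entry gets nothing."""
    srv = PortPersistenceServer({"Gi1/2": "192.168.1.2"})
    return srv.discover("Gi1/7", "00:00:bc:00:00:07")
```

The replacement scenario is also the point NetNathan raised: the port, not the MAC, decides the address, so the same model shows why a moved patch cord carries the address with it.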
 
Defense-in-Depth

NetNathan said:
I notice DHCP "Persistence" exists in the Stratix 5700 Managed Ethernet Switch on the "DHCP Address Assignment" tab.
This seems to make me a little leery, because whatever gets plugged into that port gets that assigned IP address. HOPEFULLY, no one moves around the Ethernet cables.
In my static setup I use the port number as the address already (Port 2 is 192.168.1.2, Port 3 is 192.168.1.3....and so on), but I am not running a "DHCP assigned Address" on the port. I worry too much about someone moving the cables.

Defense-in-Depth

In the CPwE, security is embedded throughout the IACS network by following a Defense-in-Depth approach, to ensure the availability, integrity and confidentiality of data, IACS applications, IACS endpoints, the IACS network and the plant and its personnel. For enhanced visibility and control, a rich set of security technologies and capabilities are deployed in multiple layers, but under a common strategy.

The recommended IACS network security framework using Defense-in-Depth includes the following:

Manufacturing Security Policy - This security policy roadmap identifies vulnerability mitigation. A multi-discipline team of operations, engineering, IT and safety should develop this manufacturing security policy.

Demilitarized Zone (DMZ) - This buffer zone provides a barrier between the Manufacturing and Enterprise zones, while allowing users to securely share data and services. All network traffic from either side of the DMZ terminates in the DMZ. No traffic traverses the DMZ, which means that traffic does not directly travel between the Enterprise and Manufacturing zones.

Defending the manufacturing edge - Users should deploy stateful packet inspection (SPI) firewalls (barriers) with intrusion detection/prevention systems (IDS/IPS) around and within the IACS network.

Protecting the Interior - Users should implement access control lists (ACLs) and port security on network infrastructure devices such as switches and routers.

Endpoint Hardening - This restricts access, prevents "walk up, plug in" access and uses change management to track access and changes.

Domains of Trust - Users should segment the network into smaller areas based on function or access requirements.

Physical Security - This restricts physical access to manufacturing assets and network infrastructure devices.

Security, Management, Analysis and Response System - This monitors, identifies, isolates, and counters network security threats.

Remote Access Policy - For employee and partner remote access, implement policies, procedures and infrastructure.


I know, you're thinking yeah, yeah, yeah, in the ideal world!

But if you're in charge of an IACS on-site where you work, you should be in the habit of at least physically securing who has access to the network server room, patch-panels and switch cabinets. On-site here, only a couple of us have access to all these enclosures and the server room, so no one can be playing "switch-board operator" when something isn't working. If you're talking about a fear of clients swapping around or unplugging their own patch-cords, then it's their management's duty to secure the equipment, but integrators should be advising them to do so.

Another method that helps if someone gets mixed up is labeling. Label tags on the patch-cords denoting the assigned switch/port number.

But you don't want people whose workstations look like this getting in there!...

G.

[Image: IT-Wiring-Nightmare.jpg]
 
To add to the detailed post G. provided, I recommend using static addressing set in the memory of the end device in addition to having DHCP persistence set up on your local switch.

This way, if a device needs to be replaced by someone without IT-level skills, it can be, without issue.

If anyone wants details, there are ways you can report when the MAC ID has changed, so you will know when Bubba on 3rd shift replaced a drive even if you were on vacation, and on the next shutdown you can set the end device to static.

This way you have the best of both worlds.

NetNathan, if you have people changing cables on you, that is a whole separate issue which should be addressed quickly IMHO.

There are devices made to block ports on switches, devices made to lock cables in place so that they cannot be moved, and devices that only let specific cables plug into a specific port.

I use all of these as well as limited access to switch cabinets on each line. Any information needed from the switch status can be obtained from Logix or from the HMI, so there is no need for Bubba to be in the switch cabinet. Depending on how you set things up you can also have switch redundancy. We use that at my site also.
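One way to get the "report when the MAC ID has changed" check described in the post above, as an added example written for this thread and not a Rockwell or Cisco tool: compare a per-port binding snapshot against the commissioning baseline and the persistence table. The `interface mac ip` text format, the port names, MACs and addresses are all constructed for the example; a real deployment would export the switch's binding table into this shape.

```python
from typing import Dict, List, Tuple

# Commissioning baseline (constructed): the MAC on each port when the end
# devices were last set to static.
BASELINE = """
Gi1/2 00:00:bc:11:22:02 192.168.1.2
Gi1/3 00:00:bc:11:22:03 192.168.1.3
Gi1/4 00:00:bc:11:22:04 192.168.1.4
"""

# Snapshot after the weekend (constructed): the drive on Gi1/3 was swapped on
# 3rd shift, Gi1/4 has nothing bound, and an unknown device sits on Gi1/5.
CURRENT = """
Gi1/2 00:00:bc:11:22:02 192.168.1.2
Gi1/3 00:00:BC:AA:BB:CC 192.168.1.3
Gi1/5 00:00:bc:dd:ee:ff 192.168.1.5
"""

# Persistence table as configured on the switch (constructed).
RESERVATIONS = {"Gi1/2": "192.168.1.2", "Gi1/3": "192.168.1.3", "Gi1/4": "192.168.1.4"}


def parse_bindings(text: str) -> Dict[str, Tuple[str, str]]:
    """Map interface -> (mac, ip). MACs are normalised to lower case so a
    differently cased export does not raise a false 'changed' alert."""
    bindings: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                    # blank or malformed line
        port, mac, ip = parts
        bindings[port] = (mac.lower(), ip)
    return bindings


def diff_bindings(baseline: Dict[str, Tuple[str, str]],
                  current: Dict[str, Tuple[str, str]],
                  reservations: Dict[str, str]) -> List[str]:
    """Return sorted alert strings; an empty list means nothing changed."""
    alerts: List[str] = []
    for port, (mac, ip) in current.items():
        expected_ip = reservations.get(port)
        if expected_ip is None:
            alerts.append(f"{port}: binding {mac}->{ip} on a port with no persistence entry")
            continue
        if ip != expected_ip:
            alerts.append(f"{port}: got {ip}, persistence table says {expected_ip}")
        base = baseline.get(port)
        if base is not None and base[0] != mac:
            # The replacement case: same port and IP, different hardware.
            alerts.append(f"{port}: MAC changed {base[0]} -> {mac} "
                          "(device replaced; set static at next shutdown)")
    for port in sorted(baseline.keys() - current.keys()):
        alerts.append(f"{port}: no current binding (device down or unplugged)")
    return sorted(alerts)


def run_check() -> List[str]:
    return diff_bindings(parse_bindings(BASELINE), parse_bindings(CURRENT), RESERVATIONS)
```

Run on each shift change or from a scheduled job, a non-empty result is the cue to visit the cabinet and put the replacement device back onto a stored static address.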
 
G. we have many server rooms on this site but we had 3 that look as bad or worse than the picture you posted when I started here several years ago.

Those were some of my many 100% rip out and replace jobs here.
 