Network Segmentation Methodology Application Guide
Contents
Segmentation Methodologies within the Converged Plantwide Ethernet Cell/Area Zone
Introduction
CIP Bridge
NAT
VLANs
CIP Bridge
NAT
VLANs
Conclusions
Introduction
The purpose of this application guide is to highlight the design considerations of various
network segmentation methodologies to enable:
•	 Plant/site engineers to segment their industrial automation and control system (IACS)
   plant-wide/site-wide network infrastructure to help manage IACS traffic flow and
   segment policies – e.g. data prioritization and security
•	 OEMs (machine builders/process skid builders) to develop convergence-ready solutions
   to help simplify integration into their customer’s plant-wide/site-wide network
   infrastructure
The first half of this document reviews segmentation methodology for the ControlLogix®
programmable automation controller (PAC). The second portion of the document reviews
segmentation methodology for the CompactLogix™ 5370 PAC.
This application guide is an extension of the design recommendations cited in the
Cisco® and Rockwell Automation Converged Plantwide Ethernet (CPwE) Design and
Implementation Guide (DIG), Rockwell Automation publication ENET-TD001E-EN-P.
Relevant chapters:
•	 Chapter 3, “CPwE Solution Design-Cell/Area Zone”
•	 Chapter 5, “Implementing and Configuring the Cell/Area Zone”
•	 Chapter 8, “CIP Motion”
•	 Chapter 9, “CIP Sync Sequence of Events”
As noted within the CPwE DIG, the Cell/Area Zone is where the industrial automation and
control system (IACS) end-devices are logically grouped, then connected into the Cell/Area
IACS network. This could be a specific machine/process skid, geographic area, or
operational function. Figures 1a and 1b show a representative example of Cell/Area Zones
divided by operational functions, such as processing, filling, and material handling. Careful
planning is required to achieve the optimal design, deployment and performance from
both the Cell/Area IACS network and IACS device perspective. This extension of the CPwE
reference architectures focuses on EtherNet/IP™, which is driven by the ODVA™ Common
Industrial Protocol (CIP™).
Traditionally, it was typical to have a 3-Tier networking model with different network
technologies performing different control disciplines – e.g. motion, safety. These different
communication standards provided natural network technology segmentation. Today, a
continuing trend in industrial networking is the convergence of technology, specifically
industrial automation technology with information technology. This convergence enables
engineers to connect multiple control and information application disciplines, including
data collection, configuration, diagnostics, discrete, process, batch, safety, time
synchronization, drive, motion, energy management, voice and video, through a
plant-wide/site-wide EtherNet/IP network using a single industrial network technology
over a common network infrastructure.
This network technology convergence requires an industrial network design methodology
utilizing network structure and hierarchy to help maintain real-time network performance.
A key objective is to create smaller Layer 2 networks to create scalable and future-ready
network infrastructures, minimize broadcast and fault domains, create smaller domains
of trust, and reduce overall network sprawl (undisciplined network growth). Examples of
structure and hierarchy would be:
•	 CPwE logical model – geographical and functional organization of industrial
   automation and control system (IACS) devices
•	 Campus network model - multitier switch model with Layer 2 and Layer 3 switching
•	 CPwE logical framework
•	 Segmentation methodologies
   -	 Multiple network interface cards (NICs) – e.g. CIP Bridge
   -	 Network Address Translation (NAT) appliance
   -	 Virtual Local Area Networks (VLANs)
   -	 VLANs with NAT
   -	 Unified Threat Management (UTM) Security Appliance
NAT
1.	Network Address Translation can be implemented with one of three available devices
    from Rockwell Automation:
   a.	Stand-alone NAT Appliance (9300-ENA)
   b.	Switch based NAT (Stratix 5700)
   c.	Unified Threat Management Security Appliance (Stratix 5900)
2.	NAT can be combined with VLANs to provide repeatable IP subnets, providing easy
    application replication for machine and process skid builders
VLANs
1.	It is recommended to segment networks by configuring one VLAN and one IP subnet
    per Cell/Area Zone for similar traffic types
2.	In some cases it may be advantageous to divide individual Cell/Area Zones into smaller
    VLANs (Layer 2) to separate traffic types (i.e. voice/video within the Cell/Area Zone)
3.	Networks utilizing multiple Virtual LANs (VLANs) require a Layer 3 capable switch to
    route traffic between the VLANs
4.	Always utilize Inter-VLAN routing vs. VLAN trunking between Cell/Area Zones to
    maintain smaller Layer 2 networks
5.	The native VLAN should be a dedicated VLAN (other than VLAN 1) that does not carry
    any user traffic
For additional information on VLANs, refer to publications:
•	 ENET-TD001, Converged Plantwide Ethernet (CPwE) Design and Implementation Guide
•	 ENET-RM002, Ethernet Design Considerations
When segmenting an IACS Network there are a few initial design considerations to
make, demonstrated in example topologies below. First, will you segment your network
physically by using multiple ENxT(R) cards within a single ControlLogix chassis? Or will
you utilize logical segmentation using VLANs? Second, how will you segment your traffic
within the Cell/Area Zone; control (I/O) and information (HMI) from the same ENxT(R) card,
or segment among multiple cards?
This application guide will present multiple examples of topologies for each segmentation
methodology. As noted earlier, it is up to the customer to understand their application
requirements when choosing the appropriate segmentation methodology and making
the final design and deployment decisions.
Advantages:
•	 Segmented network ownership demarcation lines between industrial automation and
   IT
•	 Minimized network traffic loading by segmenting the multiple Cell/Area Zones from
   each other using VLANs
•	 Minimized network traffic loading by preventing unwanted network traffic (i.e.
   streaming video, VoIP, rogue PCs, etc.) from entering the Cell/Area Zone via VLAN
   configuration
•	 Visibility into IACS network devices for asset management
•	 Provides future-ready information enabled capabilities
•	 Scalable network architecture
•	 Structured approach reducing network “sprawl”
Disadvantages:
•	 Extended network skillset is required to configure switches, routers, network topologies
   and protocols
Advantages:
•	 Segmented network ownership demarcation lines between industrial automation
   and IT.
•	 Minimized network traffic loading by segmenting the multiple Cell/Area Zones
   from each other
•	 Minimized network traffic loading by preventing unwanted network traffic
   (i.e. streaming video, VoIP, rogue PCs, etc.) from entering the Cell/Area Zone via
   the ControlLogix backplane
•	 Minimal impact on ENxT(R)s CPU Utilization with traffic segmented amongst
   multiple cards
Disadvantages:
•	 Limited visibility to other IACS network devices for asset management
•	 Limited scalability due to limited number of ENxT(R)s
•	 Limited future-ready information enabled capabilities
Figure 4a: Segregating I/O traffic from Information Traffic in the CPwE Cell/Area Zone #2 using two ENxT(R)s
Advantages:
•	 Minimal impact on ENxT(R)s CPU Utilization with traffic segmented among
   multiple cards
•	 Visibility to all IACS network devices for asset management
•	 Provides future-ready information enabled capabilities
Disadvantages:
•	 Blurred network ownership demarcation line
•	 Unwanted traffic (i.e. streaming video, VoIP, rogue PCs, etc.) could pass into control
   network (Levels 0-1) – this can be minimized with managed switch technologies,
   including VLANs
•	 Unwanted control traffic (i.e. multicast and broadcast traffic) could pass into information
   network – this can be minimized with managed switch technologies, including VLANs
Advantages:
•	 Segmented network ownership demarcation lines between industrial automation
   and IT
•	 Minimized network traffic loading by segmenting the multiple Cell/Area Zones from
   each other
•	 Minimized network traffic loading by preventing unwanted network traffic (i.e.
   streaming video, VoIP, rogue PCs, etc.) from entering the Cell/Area Zone via the
   VLAN configuration
•	 Minimized impact to information network by preventing unwanted control traffic (i.e.
   multicast and broadcast traffic) from exiting the Cell/Area Zone via VLAN configuration
•	 Minimal impact on ENxT’s CPU utilization due to segmentation of I/O and information
   traffic between two different ENxTs
•	 Visibility to other IACS network devices for asset management
•	 Provides future-ready information enabled capabilities
Disadvantages:
•	 Requires more advanced configuration abilities
Advantages:
•	 Embedded switch enabled IACS devices enable simple connectivity of devices to form a
   linear device-level topology
•	 Visibility to other control network devices for asset management
•	 Provides future-ready information enabled capabilities
Disadvantages:
•	 Blurred network ownership demarcation line
•	 May impact the ENxT(R)’s CPU Utilization due to I/O and information traffic being routed
   through one ENxT(R)
•	 Unwanted information traffic (i.e. streaming video, VoIP, rogue PCs, etc.) could pass into
   the control network – this could be minimized with managed switch technologies,
   including VLANs
•	 Unwanted control traffic (broadcast and multicast), could pass into the information
   network–this could be minimized with managed switch technologies, including VLANs
•	 A single fault within the linear device-level topology would interrupt communications
   to downstream IACS devices 
Figure 5b: Segmenting the CPwE Cell/Area Zone #3 Using One ENxT(R) and VLANs
Advantages:
•	 Embedded switch technology IACS devices enable easy connectivity of devices
   to form a linear device-level topology
•	 Unwanted information traffic (i.e. streaming video, VoIP, rogue PCs, etc.) can be
   restricted from the control network
•	 Visibility to other control network devices for asset management
•	 Unwanted control traffic (broadcast and multicast) can be restricted from the
   information network
•	 Provides future-ready information enabled capabilities
Disadvantages:
•	 May impact the ENxT(R)’s CPU Utilization due to I/O and information traffic being
   forwarded through one ENxT(R)
•	 A single fault within the linear device-level topology would stop communications
   to downstream nodes
•	 Requires more advanced configuration abilities
Figure 6a: Separating the network traffic within the CPwE Cell/Area Zone #4 using two ENxT(R)s
Advantages:
•	 Minimal impact on ENxT(R)’s CPU Utilization due to I/O and information traffic
   segmented between two different ENxT(R)s
•	 Separate Ethernet cards used for segmentation of traffic
•	 Converged network minimizes utilization of each ENxT(R) card
•	 Embedded switch technology IACS devices allow easy connectivity of devices to form
   either a linear or ring device-level topology
•	 Device Level Ring (DLR) resiliency protocol provides a single fault tolerant network
   within the device-level ring redundant path topology
•	 Visibility to other control network devices for asset management
•	 Provides future-ready information enabled capabilities
Disadvantages:
•	 Blurred network ownership demarcation line
•	 Unwanted information traffic (i.e. streaming video, VoIP, rogue PCs, etc.) could pass
   into control network–this can be minimized with managed switch technologies,
   including VLANs
•	 Unwanted control traffic (broadcast and multicast) could pass into information network
Figure 6b: Separating the network traffic within the CPwE Cell/Area Zone #4 using two ENxT(R)s and VLANs from outside the CPwE
Cell/Area Zone
Advantages:
•	 Minimal impact on ENxT(R)’s CPU Utilization due to I/O and information traffic
   segmentation between two different ENxT(R)s
•	 Separate Ethernet cards used for segmentation of types of traffic
•	 Converged network that minimizes utilization of each ENxT(R) card
•	 Unwanted information traffic (i.e. streaming video, VoIP, rogue PCs, etc.) can be
   restricted from the control network
•	 Visibility to other control network devices for asset management
•	 Unwanted control traffic (broadcast and multicast) can be restricted from the
   information network
•	 Clear network ownership demarcation line (i.e. responsibility for certain section of
   the network) accomplished with VLANs
•	 Embedded switch technology IACS devices allow easy connectivity of devices to
   form either a linear or ring device-level topology
•	 Device Level Ring (DLR) resiliency protocol provides a single fault tolerant network
   within the device-level ring redundant path topology
•	 Provides visibility to other control network devices for asset management
•	 Provides future-ready information enabled capabilities
Disadvantages:
•	 Requires more advanced configuration abilities
•	 Requires the use of multiple ENxT(R) cards to separate types of traffic
Figure 7: Repeating IP subnets between CPwE Cell/Area Zones. Translating IP Addresses using network address translation appliances
•	 IP Schema – separate from plant/site, all nodes within the machine/process skid must
   have a unique IP address, IP addresses can be reused across process skids
•	 In this example a device is placed between each Cell/Area Zone to provide Network
   Address Translation (NAT)
•	 From Level 3, the site operations are able to access all devices
•	 Between each individual Cell/Area Zone, IP addresses can be re-used
•	 Each NAT appliance must be programmed to translate from the 192.168.1.0/24 IP
   subnet to the plant-wide IP subnet
•	 Although the NAT appliance does break up the Layer 2 network, it does not provide
   true logical segmentation between Cell/Area Zones – VLANs must be implemented
   to achieve this
Figure 8: Repeating IP subnets between CPwE Cell/Area Zones. Translating IP addresses using Stratix 5700 series switches.
VLANs implemented to logically segment CPwE Cell/Area Zones.
•	 IP Schema – separate from plant/site, all nodes within the process skid must have a
   unique IP address, IP addresses can be re-used across machines/process skids
•	 In this example a device is placed between each Cell/Area Zone to provide Network
   Address Translation
•	 From the Level 3, the site operations are able to access all devices
•	 Between each individual Cell/Area Zone, IP addresses can be re-used
•	 Each NAT appliance must be programmed to translate from the 192.168.1.0/24 subnet
   to the plant-wide/site-wide subnet
•	 Cell/Area Zones are segmented from each other by logically implementing VLANs
Figure 9: Repeating IP subnets between CPwE Cell/Area Zones. Translating IP Addresses using Stratix 5900 Unified Threat Management
Security Appliance.
•	 IP Schema – separate from plant/site, all nodes within the machine/process skid must
   have a unique IP address, IP addresses can be reused across machines/process skids
•	 In this example a UTM Appliance is placed between each Cell/Area Zone to provide
   Network Address Translation
•	 From the Level 3, the site operations are able to access all devices
•	 Between each individual Cell/Area Zone, IP addresses can be re-used
•	 Each UTM security appliance must be programmed to translate from the 192.168.1.0/24
   IP subnet to the plant-wide/site-wide IP subnet
NAT
1.	Network Address Translation can be implemented with one of three Rockwell
    Automation available devices:
   a.	NAT Appliances (9300-ENA)
   b.	Switch based NAT (Stratix 5700)
   c.	Unified Threat Management Security Appliances (Stratix 5900)
2.	NAT can be combined with VLANs to not only provide repeatable IP subnets, which
    enables repeatable machine or process skid applications, but also Layer 2 segmentation.
VLANs
1.	It is recommended to segment networks by configuring one VLAN and one IP subnet
    per Cell/Area Zone for similar traffic types
2.	In some cases it may be advantageous to divide individual Cell/Area Zones into smaller
    VLANs (Layer 2) to separate traffic types (i.e. voice/video within the Cell/Area Zone)
3.	Networks utilizing multiple Virtual LANs (VLANs) require a Layer 3 capable switch to
    route traffic between the VLANs
4.	Always utilize Inter-VLAN routing vs. VLAN trunking between Cell/Area Zones to
    maintain smaller Layer 2 networks
5.	The native VLAN should be a dedicated VLAN (other than VLAN 1) that does not carry
    any user traffic
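The five VLAN recommendations above (stated here for CompactLogix 5370 and earlier for ControlLogix) can be applied as an automated check of a proposed Cell/Area Zone plan. The following Python script is an added example, not part of this guide or of any Rockwell Automation or Cisco tool; the zone names, VLAN ids, subnets and trunk list are constructed sample data, and each zone's subnet is its plant-wide side (inside subnets repeated behind NAT are not considered here).

```python
"""Check a Cell/Area Zone VLAN plan against the guide's VLAN recommendations.
Added example, not from the application guide; all sample data is constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Zone:
    name: str
    vlan: int     # the one VLAN assigned to this Cell/Area Zone
    subnet: str   # the one plant-wide IP subnet assigned to it, e.g. "10.20.11.0/24"


@dataclass
class Trunk:
    """An 802.1Q trunk between two switches with its allowed VLANs and native VLAN."""
    a: str
    b: str
    allowed: frozenset
    native: int


@dataclass
class Plan:
    zones: list
    trunks: list
    has_layer3_switch: bool  # a Layer 3 capable switch is available for inter-VLAN routing


def check_plan(plan):
    """Return a list of findings; an empty list means the plan follows the recommendations."""
    findings = []
    zone_vlans = {}  # vlan id -> names of zones using it
    zone_nets = {}   # ip_network -> names of zones using it
    for z in plan.zones:
        zone_vlans.setdefault(z.vlan, []).append(z.name)
        zone_nets.setdefault(ipaddress.ip_network(z.subnet), []).append(z.name)

    # Recommendation 1: one VLAN and one IP subnet per Cell/Area Zone.
    for vlan, names in zone_vlans.items():
        if len(names) > 1:
            findings.append(f"VLAN {vlan} is shared by zones {names}")
    for net, names in zone_nets.items():
        if len(names) > 1:
            findings.append(f"subnet {net} is shared by zones {names}")
    nets = list(zone_nets)
    for i, n1 in enumerate(nets):
        for n2 in nets[i + 1:]:
            if n1.overlaps(n2):
                findings.append(f"subnets {n1} and {n2} overlap")

    # Recommendation 3: more than one VLAN requires a Layer 3 capable switch.
    if len(zone_vlans) > 1 and not plan.has_layer3_switch:
        findings.append("multiple VLANs but no Layer 3 capable switch for inter-VLAN routing")

    for t in plan.trunks:
        link = f"trunk {t.a}-{t.b}"
        # Recommendation 4: route between zones rather than trunking. A trunk that
        # carries several zone VLANs stretches one Layer 2 domain across zones.
        carried = sorted(v for v in t.allowed if v in zone_vlans)
        if len(carried) > 1:
            findings.append(f"{link} carries zone VLANs {carried}; route between zones instead")
        # Recommendation 5: the native VLAN is dedicated (not VLAN 1) and carries
        # no user traffic, so it must not be one of the zone VLANs.
        if t.native == 1:
            findings.append(f"{link} uses VLAN 1 as native VLAN")
        elif t.native in zone_vlans:
            findings.append(f"{link} uses zone VLAN {t.native} as native VLAN")
    # Recommendation 2 (optional voice/video sub-VLANs inside a zone) is a design
    # choice rather than a rule and is not checked.
    return findings


# Constructed sample: three zones, one VLAN and subnet each, uplinked over
# per-zone trunks to a Layer 3 distribution switch with dedicated native VLAN 999.
GOOD_PLAN = Plan(
    zones=[Zone("Processing", 11, "10.20.11.0/24"),
           Zone("Filling", 12, "10.20.12.0/24"),
           Zone("Material handling", 13, "10.20.13.0/24")],
    trunks=[Trunk("dist-sw", "zone1-sw", frozenset({11, 999}), 999),
            Trunk("dist-sw", "zone2-sw", frozenset({12, 999}), 999),
            Trunk("dist-sw", "zone3-sw", frozenset({13, 999}), 999)],
    has_layer3_switch=True,
)

# Constructed counter-example: two zones share VLAN 11 and a subnet, a third zone's
# /16 overlaps it, one trunk carries both zone VLANs with VLAN 1 as native, and
# there is no Layer 3 switch. Expect six findings.
BAD_PLAN = Plan(
    zones=[Zone("Processing", 11, "10.20.11.0/24"),
           Zone("Filling", 11, "10.20.11.0/24"),
           Zone("Material handling", 13, "10.20.0.0/16")],
    trunks=[Trunk("dist-sw", "zone-sw", frozenset({1, 11, 13}), 1)],
    has_layer3_switch=False,
)

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, check_plan(plan) or ["no findings"])
```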
Figure 10: PACs with multiple NICs vs. 2 port embedded switch technology
Note that the ControlLogix and CompactLogix L4x platforms can support multiple
network interface cards (NICs) to segment network traffic. However, the CompactLogix
5370 platform is not capable of this method of network segmentation. The two ports of
the CompactLogix 5370 PAC are part of an embedded switch, not a dual NIC.
Figure 11: No network segmentation (not recommended) - common Layer 2 domain with each device requiring a unique IP address
In this system there are three Cell/Area Zones, each with different hardware and potentially
from three unique OEMs who would like to protect their Intellectual Property (IP). Let’s
examine different techniques to accomplish the following:
1.	Protect intellectual property of machine/process skid builders
2.	Provide small Layer 2 domains of trust and broadcast domains
3.	Provide logical Layer 2 building blocks to ensure a future-ready network
4.	Enable Network Address Translation on a plant-wide/site-wide network to provide IP
    subnet repeatability at the Cell/Area Zone level, providing faster commissioning time
    for machine/process skid builders
Figure 12: Repeating IP subnets between CPwE Cell/Area Zones. ControlLogix with multiple NICs providing logical segmentation for both Layer
2 domains and IP subnetting
In this example, a ControlLogix platform has been added to provide physical segmentation
(CIP Bridge) between the plant-wide/site-wide network and the Cell/Area Zones
•	 The plant/site network is on a separate IP subnet than the Cell/Area Zones
•	 The Cell/Area Zones are able to re-use IP subnets, as they are physically segmented
   from each other via the ControlLogix backplane
•	 CIP traffic can still traverse the ControlLogix backplane, so other methods should be
   applied by OEMs to protect their intellectual property
•	 This is not a converged architecture, nor a scalable future-ready network – each time a
   new Cell/Area Zone is added, reconfiguration of the Line/Area controller will need to
   take place
Figure 13: Repeating IP subnets between CPwE Cell/Area Zones. Translating IP addresses using network address translation appliances
In this example, all nodes within the Cell/Area Zones must have a unique IP address. IP
addresses can be reused across Cell/Area Zones, allowing OEMs to repeat IP subnets while
still allowing for a converged network.
•	 In this example a NAT appliance is placed between each Cell/Area Zone to provide
   Network Address Translation (e.g. 9300-ENA)
•	 From the Level 3, the site operations are able to access all devices
•	 Between each individual Cell/Area Zone, IP addresses can be re-used
•	 Each NAT appliance must be programmed to translate from the 192.168.1.0/24 IP
   subnet to the plant-wide/site-wide IP subnet. If the entire Cell/Area Zone needs to
   communicate with the plant-wide/site-wide network, then all devices must have their
   addresses manually translated
•	 This architecture complicates the plant-wide/site-wide side of the architecture to
   provide simplicity to the Cell/Area Zones and OEMs
Figure 14: Repeating IP subnets between CPwE Cell/Area Zones. Translating IP addresses using Stratix 5900 Unified Threat Management
Security Appliance.
•	 IP Schema – separate from plant/site, all nodes within the machine/process skid must
   have a unique IP address, IP addresses can be reused across machines/process skids
•	 In this example a UTM security appliance is placed between each Cell/Area Zone to
   provide Network Address Translation
•	 From the Level 3, the site operations are able to access all devices
•	 Between each individual Cell/Area Zone, IP Addresses can be re-used
•	 Each UTM security appliance must be programmed to translate from the 192.168.1.0/24
   IP subnet to the plant-wide/site-wide IP subnet
•	 This architecture complicates the plant-wide/site-wide side of the architecture to
   provide simplicity to the Cell/Area Zones and machine/process skid builders
Figure 15: Non repeating IP subnets (with each device requiring a unique IP address) between CPwE Cell/Area Zones. Stratix 5700 series
switches - VLANs implemented to logically segment CPwE Cell/Area Zones.
In this example, all nodes within the Industrial Zones must have a unique IP address. IP
addresses cannot be reused across machines/process skids or anywhere else within the
Industrial Zone.
•	 Each Cell/Area Zone is segmented via a unique VLAN and IP subnet
•	 Note that CPwE VLAN best practices dictates that each Cell/Area Zone must have a
   unique IP subnet
•	 If Cell/Area Zones need to communicate between each other, they must communicate
   through a Layer 3 switch that can provide inter-VLAN routing
•	 This architecture provides small layer 2 domains of trust, fault domains and broadcast
   domains
•	 This architecture can help limit access between Cell/Area Zones to help provide
   restrictive access to machine/process skid builders’ intellectual property
•	 Machine/process skid builders must adhere to addressing schema of plant-wide/
   site-wide network, potentially adding complication and time to commissioning
Figure 16: Repeating IP subnets between CPwE Cell/Area Zones. Translating IP addresses using Stratix 5700 series switches.
VLANs implemented to logically segment CPwE Cell/Area Zones.
In this example all nodes within the Cell/Area Zones must have a unique IP address. IP
addresses can be reused across Cells/Areas. The Cell/Area Zones repeat IP subnets and are
segmented from each other by utilizing VLANs.
•	 Each Cell/Area Zone is segmented via a unique VLAN
•	 If Cell/Area Zones need to communicate between each other, they must communicate
   through a Layer 3 switch that can provide inter-VLAN routing
•	 This architecture provides small layer 2 domains of trust, fault domains and broadcast
   domains
•	 This architecture can help limit access between Cell/Area Zones to help provide
   restrictive access to machine/process skid builders’ intellectual property
•	 This architecture utilizes Network Address Translation provided by the Stratix 5700
   switches
•	 From Level 3, the site operations are able to access all devices
•	 Between each individual Cell/Area Zone, IP Addresses can be re-used
•	 Each NAT appliance must be programmed to translate from the 192.168.1.0/24 IP
   subnet to the plant-wide/site-wide IP subnet. If the entire Cell/Area Zone needs to
   communicate with the plant-wide/site-wide network, then all devices must have their
   addresses manually translated
•	 This architecture complicates the plant-wide/site-wide side of the architecture to
   provide simplicity to the Cell/Area Zones and machine/process skid builders
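The repeating-subnet NAT architectures of Figures 7, 13, 14 and 16 all rest on a static 1:1 translation table in each NAT device, with one entry per device that must be reachable from Level 3 and plant-wide addresses that must not collide across zones. The following Python model is an added example, not code from this guide or from the 9300-ENA, Stratix 5700 or Stratix 5900 products; the zone names, plant-wide subnets 10.20.x.0/24 and device addresses are constructed sample data.

```python
"""Static 1:1 NAT tables that let every Cell/Area Zone reuse 192.168.1.0/24.
Added example, not from the application guide or any NAT product; sample data is constructed."""
import ipaddress

INSIDE_SUBNET = ipaddress.ip_network("192.168.1.0/24")  # repeated in every zone


class ZoneNat:
    """One NAT device: translates 192.168.1.0/24 inside the zone to a unique
    plant-wide/site-wide subnet outside it, one static entry per device."""

    def __init__(self, name, plant_subnet, inside_hosts=()):
        self.name = name
        self.plant_subnet = ipaddress.ip_network(plant_subnet)
        self.out_map = {}  # inside address -> plant-wide address
        self.in_map = {}   # plant-wide address -> inside address
        for host in inside_hosts:
            self.add_device(host)

    def add_device(self, inside_ip):
        """Add a device, keeping its host number in the plant-wide subnet.
        Every device that must be reachable from Level 3 needs such an entry."""
        inside = ipaddress.ip_address(inside_ip)
        if inside not in INSIDE_SUBNET:
            raise ValueError(f"{inside} is not in {INSIDE_SUBNET}")
        host_number = int(inside) - int(INSIDE_SUBNET.network_address)
        plant = self.plant_subnet.network_address + host_number
        if plant not in self.plant_subnet:
            raise ValueError(f"{plant} falls outside {self.plant_subnet}")
        self.out_map[inside] = plant
        self.in_map[plant] = inside
        return plant

    def outbound(self, src, dst):
        """Packet leaving the zone: rewrite the inside source to its plant-wide
        address. Returns None (drop) for a device with no translation entry."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src not in self.out_map:
            return None
        return (self.out_map[src], dst)

    def inbound(self, src, dst):
        """Packet from Level 3: rewrite the plant-wide destination to the inside
        address. Returns None (drop) when no static entry exists."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if dst not in self.in_map:
            return None
        return (src, self.in_map[dst])


def plant_side_collisions(zones):
    """Plant-wide addresses handed out by all NAT devices must be unique: the
    inside addresses may repeat across zones, the translated ones may not."""
    owner = {}
    collisions = []
    for z in zones:
        for plant in z.in_map:
            if plant in owner:
                collisions.append((str(plant), owner[plant], z.name))
            else:
                owner[plant] = z.name
    return collisions


def build_sample_zones():
    """Three identical process skids (constructed): the same inside addresses for
    the PAC, an I/O adapter and an HMI, each skid behind its own plant-wide /24."""
    devices = ["192.168.1.1", "192.168.1.10", "192.168.1.11"]
    return [ZoneNat("Zone 1", "10.20.11.0/24", devices),
            ZoneNat("Zone 2", "10.20.12.0/24", devices),
            ZoneNat("Zone 3", "10.20.13.0/24", devices)]


if __name__ == "__main__":
    zones = build_sample_zones()
    for z in zones:
        for inside, plant in z.out_map.items():
            print(f"{z.name}: {inside} <-> {plant}")
    print("collisions:", plant_side_collisions(zones))
```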
Conclusions
A continuing trend in industrial networking is the convergence of technology, specifically
industrial automation technology with information technology. This network technology
convergence enables a plant-wide/site-wide EtherNet/IP network, utilizing a single
industrial network technology over a common network infrastructure for multiple control
and information disciplines. This network technology convergence requires an industrial
network design methodology utilizing network structure and hierarchy to help maintain
real-time network performance. A key objective is to create smaller Layer 2 networks to
create scalable and future-ready network infrastructures, minimize broadcast and fault
domains, create smaller domains of trust and reduce overall network sprawl (undisciplined
network growth).
The purpose of this application guide was to highlight the design considerations of various
network segmentation methodologies for ControlLogix and CompactLogix 5370 to enable:
•	 Plant/site engineers to segment their industrial automation and control system
   (IACS) plant-wide/site-wide network infrastructure to help manage IACS traffic flow
   and segment policies – e.g. data prioritization and security
•	 OEMs (machine builders/process skid builders) to develop convergence-ready
   solutions to help simplify integration into their customer’s plant-wide/site-wide
   network infrastructure
The choice of methodology to segment IACS traffic is dependent on multiple factors.
Examples could be:
•	 Plant-wide/site-wide IACS application requirements
•	 OEM convergence-ready IACS applications – e.g. machine builders and process skid
   builders
•	 Company policies and procedures
•	 Applicable industry and regulatory standards
•	 Company organizational and support structure – e.g. lines of responsibilities for control
   system engineers and IT network engineers
The customer should understand these factors as well as the design considerations
presented in this application guide when making design and deployment decisions during
the process of choosing the appropriate segmentation methodology. Table 1 provides a
general summary of design considerations for the various segmentation methodologies
covered in this application guide.
Depending on a company’s organizational structure, IACS networks might be owned by a
plant-wide/site-wide control system engineer, an IT network engineer or combination of
the two. Regardless, a collaboration of industrial automation and information technology
domains is essential for successful design and deployment of IACS network architectures.
Table 1: General summary of design considerations for the various segmentation methodologies
Allen-Bradley, LISTEN. THINK. SOLVE. and Rockwell Software are trademarks of Rockwell Automation, Inc. CIP, EtherNet/IP, CIP Motion, CIP Safety and CIP Sync are property of ODVA.
Trademarks not belonging to Rockwell Automation are property of their respective companies.
Publication ENET-AT004B-EN-E – June 2013 Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved. Printed in USA.