Data Flow from Control Network

Data flow from the control network is an IP-based data flow initiated on the control network.

Description

In order to control access to the communication servers in an embedded product, the access control management restricts the IP-based data flow from the control network to an authorized source IP address or subnet.

Architecture Example

The purpose of the following figure is to show the role and impact of the access control settings. The access control manages the Ethernet data flow from devices communicating on the operation and control networks (located in the grayed-out area).

(*) Some services require access to the device network (for example: firmware update, at-source time stamping). In such cases, an optional router/VPN helps secure the access control.

Setting the Authorized Addresses in the Architecture Example

Access control goals:

  • Any equipment connected to the operation network (IP address = 192.200.x.x) can access the CPU Web server.

  • Any equipment connected to the control network (IP address = 192.200.100.x) can communicate with the CPU with Modbus TCP and can access the CPU Web server.

To restrict the data flow in the previous architecture example, the authorized addresses and services are set as follows in the Control Expert access control table:

Source                                       | IP address    | Subnet | Subnet mask   | FTP | TFTP | HTTP / HTTPS | Port502 | EIP | SNMP
---------------------------------------------|---------------|--------|---------------|-----|------|--------------|---------|-----|-----
Network manager                              | 192.200.50.2  | No     |               |     |      |              |         |     | +
Operation network                            | 192.200.0.0   | Yes    | 255.255.0.0   |     |      | +            |         |     |
Automation Device Maintenance / Unity Loader | 192.200.100.2 | No     |               | +   |      |              |         |     |
Control network                              | 192.200.100.0 | Yes    | 255.255.255.0 |     |      |              | +       |     |

Legend:

  +        Selected

  (empty)  Not selected or no content

Settings Description

An authorized address is set for each device that is authorized to communicate with the CPU using Modbus TCP or EtherNet/IP.

Explanation of the service settings for each IP address in the previous example:

192.200.50.2 (SNMP):

Set to authorize the access from the network manager using SNMP.

192.200.0.0 (HTTP/HTTPS):

The operation network subnet is set to authorize all Web browsers connected to the operation network to access the CPU Web server.

192.200.100.2 (FTP):

Set to authorize the access from Automation Device Maintenance / Unity Loader with FTP.

192.200.100.0 (Port502):

The control network subnet is set to authorize all equipment connected to the control network (OFS, Control Expert, Automation Device Maintenance, Unity Loader) to access the CPU via Modbus on Port502.

NOTE: The access list analysis goes through the access control list entries one by one, in the order they are entered. As soon as a successful match (IP address + allowed service) is found, the remaining entries are ignored.

In the Control Expert security screen, enter the rules that are specific to a device before the rule for the subnet that contains it. For example, to give a specific SNMP right to device 192.200.50.2, enter that rule before the global subnet rule 192.200.0.0/255.255.0.0, which allows HTTP access to all devices of the subnet.
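The following Python model is an added example, not part of this documentation and not Schneider Electric code. It encodes the four entries of the table above in the order they are entered and evaluates requests with the first-match rule from the NOTE (first entry whose address range contains the source IP and whose selected services include the requested service wins). The entry names, the `match`/`is_allowed` helpers and the sample requests are assumptions made for the illustration; the device's real matching engine is not reproduced, only the behaviour the page describes.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Service columns of the Control Expert access control table (from the page).
SERVICES = ("FTP", "TFTP", "HTTP/HTTPS", "Port502", "EIP", "SNMP")


@dataclass(frozen=True)
class AclEntry:
    source: str                  # free-text label of the table row
    ip: str                      # "IP address" column
    subnet: bool                 # "Subnet" column (Yes/No)
    subnet_mask: Optional[str]   # "Subnet mask" column, only when subnet is True
    services: frozenset          # columns marked "+"

    def network(self) -> ipaddress.IPv4Network:
        """A host entry covers exactly one address; a subnet entry covers the range."""
        if self.subnet:
            return ipaddress.IPv4Network(f"{self.ip}/{self.subnet_mask}", strict=False)
        return ipaddress.IPv4Network(f"{self.ip}/32")


# The table from the page, in the order the rules are entered (order matters).
ACL = [
    AclEntry("Network manager", "192.200.50.2", False, None, frozenset({"SNMP"})),
    AclEntry("Operation network", "192.200.0.0", True, "255.255.0.0", frozenset({"HTTP/HTTPS"})),
    AclEntry("Automation Device Maintenance / Unity Loader", "192.200.100.2", False, None,
             frozenset({"FTP"})),
    AclEntry("Control network", "192.200.100.0", True, "255.255.255.0", frozenset({"Port502"})),
]


def match(acl, src_ip: str, service: str) -> Optional[Tuple[int, AclEntry]]:
    """First-match evaluation as described in the NOTE.

    Walks the entries in order and returns (index, entry) for the first entry whose
    address range contains src_ip AND whose selected services include the requested
    service; later entries are never consulted. Returns None when nothing matches,
    which the page treats as the flow not being authorized.
    """
    if service not in SERVICES:
        raise ValueError(f"unknown service column: {service!r}")
    addr = ipaddress.IPv4Address(src_ip)
    for index, entry in enumerate(acl):
        if addr in entry.network() and service in entry.services:
            return index, entry
    return None


def is_allowed(acl, src_ip: str, service: str) -> bool:
    return match(acl, src_ip, service) is not None


def evaluate(acl, requests):
    """Evaluate a list of (src_ip, service) pairs; returns {(ip, service): source-or-None}."""
    results = {}
    for src_ip, service in requests:
        hit = match(acl, src_ip, service)
        results[(src_ip, service)] = hit[1].source if hit else None
    return results


if __name__ == "__main__":
    # Constructed sample requests that exercise the access control goals of the page:
    # any 192.200.x.x host reaches the Web server, control-network hosts also get Port502.
    sample = [
        ("192.200.50.2", "SNMP"),        # network manager, specific host rule
        ("192.200.50.2", "HTTP/HTTPS"),  # same host, falls through to the subnet rule
        ("192.200.50.2", "FTP"),         # not granted anywhere -> denied
        ("192.200.100.2", "FTP"),        # Automation Device Maintenance / Unity Loader
        ("192.200.100.77", "Port502"),   # any control-network host, Modbus TCP
        ("192.200.100.77", "HTTP/HTTPS"),# control network is inside 192.200.0.0/16
        ("192.200.3.9", "Port502"),      # operation network host, no Modbus right
        ("10.1.2.3", "HTTP/HTTPS"),      # outside every authorized range
    ]
    for (ip, svc), source in evaluate(ACL, sample).items():
        print(f"{ip:>15} {svc:<10} -> {'ALLOW via ' + source if source else 'DENY'}")
```

Because a control-network host (192.200.100.x) lies inside the operation subnet 192.200.0.0/255.255.0.0, its HTTP request is authorized by the operation network entry while its Modbus request is authorized by the control network entry, which is exactly the second access control goal listed above.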