
GEH-6840F

NetworkST 3.1 / 4.0 for Mark* VIe Controls


Application Guide
June 2018

For public disclosure


These instructions do not purport to cover all details or variations in equipment, nor to provide for every possible
contingency to be met during installation, operation, and maintenance. The information is supplied for informational
purposes only, and GE makes no warranty as to the accuracy of the information included herein. Changes, modifications,
and/or improvements to equipment and specifications are made periodically and these changes may or may not be reflected
herein. It is understood that GE may make changes, modifications, or improvements to the equipment referenced herein or to
the document itself at any time. This document is intended for trained personnel familiar with the GE products referenced
herein.
GE may have patents or pending patent applications covering subject matter in this document. The furnishing of this
document does not provide any license whatsoever to any of these patents.
Public – This document is approved for public disclosure.
GE provides the following document and the information included therein as is and without warranty of any kind,
expressed or implied, including but not limited to any implied statutory warranty of merchantability or fitness for
particular purpose.
For further assistance or technical information, contact the nearest GE Sales or Service Office, or an authorized GE Sales
Representative.

Revised: June 2018


Issued: April 2015

© 2015 - 2018 General Electric Company.


___________________________________
* Indicates a trademark of General Electric Company and/or its subsidiaries.
All other trademarks are the property of their respective owners.

We would appreciate your feedback about our documentation.


Please send comments or suggestions to controls.doc@ge.com


Document Updates

Revision F
  Location: NetworkST 4.0 Architecture, High Availability for External Communication
  Description: Added this section to provide content about Unified Threat Manager (UTM) firewall devices in a High Availability (HA) system

Revision E
  Location: Cisco 4331 Router Pair with Copper Trunk Ports
  Description: Added this section to provide an illustration of the Cisco 4331 router and a table containing Trunk ports
  Location: Throughout the document
  Description: Added 4331 as a supported Redundant Cisco router

Revision D
  Location: Stacked Edge Switch Replacement
  Description: Added step to edit the existing 2960S configuration

Revision C
  Location: Mark VIe TMR Configuration Connections
  Description: Corrected the figure arrows to point to Mark VIe TMR controller connections to ENET1 ports

Revision B
  Location: Throughout the document
  Description: FortinetTM Fortigate© 300C UTM has been rendered obsolete. Added content for the replacement switch Fortinet Fortigate 300D UTM (ordering part number 117T6409PX01AAAA)
  Location: Throughout the document
  Description: Cisco® Catalyst© network switch 3750X module has been replaced with 3850; added content for the 3850 switch

Acronyms and Abbreviations


ACL  Access Control List
BOP  Balance of Plant
CMS  Configuration Management System
DCS  Distributed Control System
DMZ  De-militarized Zone
EAP  Electronic Access Perimeter
EGD  Ethernet Global Data
EMI  Electromagnetic Interference
EWS  Engineering Workstation
GbE  Gigabit Ethernet
GSM  GE Standard Messaging
GTS  Global Time Source
HMI  Human-machine Interface
ICS  Integrated Control System
IP  Internet Protocol
LAN  Local Area Network
MDH  Monitoring Data Highway
MTBF  Mean Time Between Failure
NIC  Network Interface Card
NTP  Network Time Protocol
OSM  On-site Monitor
OPC  A standard for data exchange
OPC DA  Communication Protocol for point/variable data
PDH  Plant Data Highway
PVC  Polyvinyl chloride
RAID  Redundant Array of Independent Disks
RFI  Radio Frequency Interference
RSG  Remote Services Gateway
SDB  System Database
SDI  System Data Interface
SFP  Small Form-factor Pluggable
SOE  Sequence of Events
TCP  Transmission Control Protocol
UDH  Unit Data Highway
UDP  User Datagram Protocol
UPD  USB Protection Device
UPS  Uninterruptible Power Supply
USB  Universal Serial Bus
UTC  Coordinated Universal Time
UTM  Unified Threat Manager
UTP  Unshielded Twisted Pair
VLAN  Virtual Local Area Network
XDH  External Data Highway

Related Documents
GEH-6721_Vol_I Mark VIe and Mark VIeS Control Systems System Guide, Volume I
GEH-6721_Vol_II Mark VIe and Mark VIeS Control Systems System Guide, Volume II
GEH-6703 ToolboxST* User Guide for Mark Controls Platform
GEI-100620 WorkstationST Alarm Viewer
GEI-100621 WorkstationST OPC® DA Server
GEI-100623 WorkstationST Service
GEI-100624 WorkstationST OPC AE Server
GEI-100626 WorkstationST Alarm Server
GEI-100627 WorkstationST Recorder
GEI-100628 WorkstationST Historian
GEI-100629 WorkstationST HMI Configuration
GEI-100693 WorkstationST Network Monitor
GEI-100696 WorkstationST Modbus®
GEI-100697 WorkstationST/CIMPLICITY Advanced Viewer Integration
GEI-100795 Trender Instruction Guide
GEI-100828 WorkstationST OPC UA Server
GEZ-S2035 Product Life-cycle Announcement NetworkST 4.0 Fortinet Fortigate 300C Firewall Obsolescence

Contents
1 Overview ............................................................................................................................................. 7
2 Network Requirements ................................................................................................................. 11
2.1 System Management .............................................................................................................................. 11
2.2 Time Synchronization............................................................................................................................. 11
2.3 Ethernet Network Equipment ................................................................................................................... 12
2.4 Network Switches.................................................................................................................................. 13
2.4.1 Switch Redundancy ......................................................................................................................... 14
2.4.2 Switch SFPs................................................................................................................................... 16
2.4.3 Network Design Considerations ......................................................................................................... 16
3 NetworkST 3.1 Architectures....................................................................................................... 17
3.1 Hub and Spoke Network ......................................................................................................................... 17
3.2 Device Connections to Network ............................................................................................................... 18
3.2.1 HMI Workstation Connections........................................................................................................... 18
3.2.2 Mark VIe TMR Configuration Connections ......................................................................................... 19
3.2.3 LS2100e Connections ...................................................................................................................... 19
3.3 System Structure for Hub and Spoke Networks............................................................................................ 20
3.4 Small System Design Notes ..................................................................................................................... 21
3.5 Small System Example ........................................................................................................................... 22
3.6 Small Extended System Design Notes........................................................................................................ 23
3.7 Small Extended System Example.............................................................................................................. 24
3.8 Large System Design Notes ..................................................................................................................... 25
3.9 Large System Example ........................................................................................................................... 27
3.10 Large Extended System Design Notes........................................................................................................ 28
4 NetworkST 4.0 Architecture......................................................................................................... 29
4.1 Design Descriptions ............................................................................................................................... 29
4.2 MDH................................................................................................................................................... 33
4.3 DMZ ................................................................................................................................................... 33
4.4 MDH and DMZ GE Standard Operation Capabilities Differences ................................................................... 33
4.5 UTM and DMZ ..................................................................................................................................... 34
4.5.1 Fortinet 300D UTM......................................................................................................................... 34
4.5.2 Fortinet 300C UTM......................................................................................................................... 34
4.6 XDH and XDH Switch ........................................................................................................................... 35
4.6.1 Cisco 2960 XDH Switch – Copper Access Ports ................................................................................... 35
4.7 Redundant Routers – Cisco 2901 or 4331 ................................................................................................... 36
4.7.1 Cisco 4331 Router Pair with Copper Ports ........................................................................................... 36
4.7.2 Cisco 2901 Router Pair With Copper Ports........................................................................................... 36
4.8 NetworkST 4.0 Device Connection Diagram............................................................................................... 37
4.9 Management VLAN (MGH) .................................................................................................................... 38
4.9.1 The Switch Management Interface ..................................................................................................... 38
4.9.2 Management Interface Locations........................................................................................................ 38
4.9.3 Network Monitor Functional IP Address.............................................................................................. 40
4.9.4 Switch Setup Using a Management VLAN........................................................................................... 41
4.9.5 Summary....................................................................................................................................... 41
4.10 High Availability for External Communication ............................................................................................ 42

4.10.1 HA UTM Firewall – FortiGate 300D .................................................................................................. 44
4.10.2 HA XDH Switches – Cisco 2960X ..................................................................................................... 45
4.10.3 HA External Switches – Cisco 3850 ................................................................................................... 46
5 Project Engineering Considerations ......................................................................................... 61
5.1 Cabling Guidelines for Copper and Fiber-optic ............................................................................................ 61
5.2 Fiber-optic Cable Network Design ............................................................................................................ 62
5.2.1 Standards ...................................................................................................................................... 62
5.2.2 Cables........................................................................................................................................... 62
5.3 Legacy Device Compatibility ................................................................................................................... 64
5.3.1 Retrofit Cases................................................................................................................................. 64
5.4 System Upgrades ................................................................................................................................... 65
5.4.1 Small System Upgrades.................................................................................................................... 65
5.4.2 Small Extended System Upgrades ..................................................................................................... 65
5.4.3 Large System Upgrades.................................................................................................................... 65
5.4.4 Large Extended System Upgrades ...................................................................................................... 65
5.5 Legacy System Compatibility/Upgrade Paths .............................................................................................. 66
5.5.1 Mark V Control-ARCNET® .............................................................................................................. 66
5.5.2 Retrofit Cases................................................................................................................................. 66
5.5.3 Setup ............................................................................................................................................ 66
5.6 System Limitations ................................................................................................................................ 66
5.7 Cisco 3750X Switch Replacement with Cisco 3850 Switch............................................................................ 67
5.7.1 Stacked Root Bridge Switch Replacement............................................................................................ 67
5.8 Cisco 2960S Switch Replacement with Cisco 2960X Switch .......................................................................... 69
5.8.1 Stacked Edge Switch Replacement ..................................................................................................... 69
5.8.2 Stacked Root Bridge Switch Replacement............................................................................................ 71
6 Security ............................................................................................................................................. 73
6.1 Switch Configuration.............................................................................................................................. 73
6.2 Logging ............................................................................................................................................... 73
6.3 Passwords ............................................................................................................................................ 73
6.4 RSA Keys ............................................................................................................................................ 73
Appendix A: Common Procedures .................................................................................................. 75
Connect a Terminal to a Switch ................................................................................................................ 75
Log On to a Switch ................................................................................................................................ 76
Enable Command (EXEC) Mode .............................................................................................................. 77
Enable Configuration Mode ..................................................................................................................... 77
Determine the Management Interface, IP Address, and Network Mask ............................................................. 77
Determine the Relative Switch Number Within a Stack ................................................................................. 78
Determine USB Device Availability and Designation................................................................................... 78
Power-up in Pre-boot Command Mode ...................................................................................................... 79
Appendix B: Validate Communication to Devices ....................................................................... 81
Appendix C: Backup Existing Switch Configuration .................................................................. 83
Appendix D: Load a switch Configuration from a USB Port...................................................... 85
Appendix E: Set Switch IP Address and Hostname..................................................................... 87
Appendix F: Part Number Translation Matrix................................................................................ 89
Glossary of Terms ................................................................................................................................ 91

1 Overview
This document provides information to application engineers and procurement personnel for the NetworkST 3.1/4.0 Mark
VIe/Mark VIeS-based systems. It describes the concepts of the redundant Ethernet-based control network used in the
NetworkST 3.1 topology. It also describes the concepts of the NetworkST 4.0 topology that can be layered on top of
NetworkST 3.1 to provide additional security features.
The components are brought together in the following system designs:

• Small
• Small extended
• Large
• Large extended
The system designs are meant to provide comprehensive, overall system design guidance. They are the basic guidelines for
selecting the components, computers, network switches, their interconnections, and controller connections for building the
System Topology Diagram. System definitions and guidelines for fulfilling the system design are provided.

Figure: Small System. The diagram shows the Engineering Workstations and Historian (WorkstationST EGD/OPC Server, WorkstationST Alarm Server, WorkstationST Alarm Viewer, CIMPLICITY Edit/View, ToolboxST Application, EGD Configuration Server, SDB Configuration Server, System Configuration Files, Control System Toolbox), the Root Bridge Switches, the Edge Switches, the HMI, an LS2100e with an 8-port switch, and TMR EX2100e, TMR Mark VIeS, and TMR Mark VIe controllers. Highways shown: Plant Data Highway (PDH), Unit Data Highway (UDH), Monitoring Data Highway (MDH). Cable legend: Stacking Cable, Fiber-optic Cable, Trunk Cat 5e Cable.

This document creates a starting point for the project to provide system architecture, component identification, project
drawings, computer locations, network media callout, switch number and switch location configuration file. This document is
designed to be the link between system specification activities (pre-order) and site system selection. Typical control systems
include:

• Gas turbines
• Steam turbines
• Turbo compressors
• Combined cycle systems
• Other distributed control systems (DCSs)
This document does not provide:

• Analysis of network architectures


• Protocol specifications
• Switch configuration details
• Compliance standards
• Computer specifications
• Outline drawings
• Printer, monitor, and peripheral specifications
• Typically supplied software specifics (ControlST* and eTCSS)
• CIMPLICITY* screen standards and instructions
• On-site Monitor (OSM)/Universal OSM/Gen-X OSM – On-site monitoring system

Note Refer to site-specific details for additional information.

The NetworkST 3.1 topology design provides reliable communications between control system devices: controllers, HMIs,
Historian, OSM, Remote Services Gateway (RSG), relays, vibration and predictive monitoring equipment, and the asset
monitoring system. The system supports the TCP/IP and UDP/IP protocols.
NetworkST 4.0 topology design extends the NetworkST 3.1 topology by adding routing capability and a firewall that can be
used to separate functions to multiple VLANs and a DMZ. This capability can be used to enhance security by separating
devices into different VLANs based on their function.
Switches communicate over trunk lines that carry Virtual Local Area Networks (VLANs), which define the segmentation of
specific functions on the network:

• Unit Data Highway (UDH) for controller data distribution


• Plant Data Highway (PDH) for supervisory oversight and support functions
• Monitoring Data Highway (MDH) for remote access equipment with connections to off-site monitoring services provided
by GE.
• Management Highway (MGH) for switch and router management interfaces.

Note The network switches are preconfigured with ports for UDH, PDH, MDH, and Trunk lines.

The controllers referenced in this document do not use the above networks to communicate with their associated I/O. Network
traffic between a controller and I/O is done on IONet using unmanaged switches.

Note Customers should not connect additional equipment to the PDH. Additional equipment that needs to be added to the
system should be connected to the DMZ provided by the NetworkST 4.0 solution. If communication between these devices
and the PDH is required, network engineering will be required to define router and firewall rules to enable the
communication.

Note Interconnection of customer networks to the UDH integration network is NOT permitted.

The NetworkST 3.1 topology design improves network redundancy by providing rapid spanning tree capabilities. This allows
redundant network paths but does not allow data to loop, where packets are endlessly forwarded, creating a data storm that
blocks other traffic on the network segment.
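The Overview states three segmentation rules that a project engineer has to verify on every topology diagram: customer equipment is never connected to the UDH, customer equipment goes into the DMZ rather than onto the PDH, and any traffic that crosses between highways (DMZ to PDH, for example) needs a router/firewall rule defined by network engineering. The following Python script is an added example, not GE code, that applies those rules to a constructed device inventory. The device names, the `owner` field, and the flow and rule formats are assumptions made for the example.

```python
"""Segmentation policy check for the NetworkST highways described in the Overview.
Added example, not GE code. Rules encoded: customer equipment is never on the UDH,
customer equipment belongs in the DMZ rather than on the PDH, and any flow between
two devices that share no highway must be covered by an explicit router/firewall rule.
Device names, the owner field and the flow/rule formats are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

HIGHWAYS = {"UDH", "PDH", "MDH", "MGH", "DMZ"}
Finding = Tuple[str, str, str]  # (severity, subject, message)


@dataclass(frozen=True)
class Device:
    name: str
    owner: str              # "GE" for system-supplied, "customer" for added equipment
    vlans: FrozenSet[str]   # highways the device has an interface on (an HMI is dual-homed)


def check_segmentation(devices: List[Device],
                       flows: List[Tuple[str, str]],
                       firewall_rules: Set[Tuple[str, str]]) -> List[Finding]:
    """Return findings for the inventory; an empty list means the design is compliant."""
    findings: List[Finding] = []
    by_name: Dict[str, Device] = {d.name: d for d in devices}

    for d in devices:
        unknown = d.vlans - HIGHWAYS
        if unknown:
            findings.append(("ERROR", d.name, f"unknown highway(s) {sorted(unknown)}"))
        if d.owner == "customer":
            if "UDH" in d.vlans:
                findings.append(("ERROR", d.name, "customer equipment must not connect to the UDH"))
            if "PDH" in d.vlans:
                findings.append(("WARN", d.name, "customer equipment belongs in the DMZ, not on the PDH"))

    for src, dst in flows:
        s, t = by_name[src], by_name[dst]
        if s.vlans & t.vlans:
            continue  # same highway: switched traffic, no router or firewall involved
        touches_udh = "UDH" in s.vlans or "UDH" in t.vlans
        if touches_udh and "customer" in (s.owner, t.owner):
            findings.append(("ERROR", f"{src}->{dst}",
                             "interconnection of customer networks to the UDH is not permitted"))
        elif (src, dst) not in firewall_rules:
            findings.append(("ERROR", f"{src}->{dst}",
                             "cross-highway flow has no router/firewall rule defined"))
    return findings


def sample_inventory():
    """Constructed inventory: GE control devices, one customer historian in the DMZ
    and one customer PLC wrongly patched into the UDH."""
    devices = [
        Device("mark-vie-1", "GE", frozenset({"UDH"})),
        Device("hmi-1", "GE", frozenset({"UDH", "PDH"})),
        Device("historian", "GE", frozenset({"PDH"})),
        Device("rsg", "GE", frozenset({"MDH"})),
        Device("cust-historian", "customer", frozenset({"DMZ"})),
        Device("cust-plc", "customer", frozenset({"UDH"})),
    ]
    flows = [
        ("hmi-1", "historian"),           # PDH to PDH, switched, fine
        ("cust-historian", "historian"),  # DMZ to PDH, covered by the rule below
        ("cust-historian", "rsg"),        # DMZ to MDH, no rule: reported
        ("cust-plc", "mark-vie-1"),       # the device itself is already reported
    ]
    rules = {("cust-historian", "historian")}
    return devices, flows, rules


if __name__ == "__main__":
    for finding in check_segmentation(*sample_inventory()):
        print(*finding)
```

Running the sample reports two findings: the customer PLC on the UDH and the DMZ-to-MDH flow that has no rule. Adding the missing rule to `firewall_rules` clears the second finding; the first can only be cleared by moving the device into the DMZ.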

2 Network Requirements
2.1 System Management
Upon installation and startup of the system, change management should be implemented along with proper training of
participating personnel. Business network communications should not be mixed with the communications on this network.
However, the cables and fibers needed to accomplish this alternate communication can exist within the same conduits, cable
trays, chases, and fiber-optic bundles.
Monitoring of the network can be accomplished by any of several methods:

• WorkstationST Network Monitor


• Network switch web displays (Advanced)
• Network switch event logs (Advanced)

Note For further details, refer to the WorkstationST Network Monitor Instruction Guide (GEI-100693).

2.2 Time Synchronization


The time synchronization option synchronizes all turbine controls, generator controls, and operator interfaces (or HMIs) on
the UDH to a Global Time Source (GTS). The preferred time format is Coordinated Universal Time (UTC). SOE data
requires accurate time tags for event analysis. If the time master becomes inoperative, then each of the time slaves picks the
backup time master. This means that all nodes on the UDH lock onto the identical reference for their own time, even if the
primary and secondary time masters have different time bases for their reference. If multiple time masters exist, each time
slave selects the current time master based on whether or not the time master is tracking the GTS, which time master has the
best quality signal, and which master is listed first in the configuration file.

Note For more information, refer to the ControlST How-to Guides (GEH-6808), the section How to Configure Time
Synchronization in the ToolboxST Application.

The system can support two NTP time sources. The primary time source can be an NTP server with IRIG-B or GPS inputs if
high-resolution time is needed. An EWS or HMI can be the primary time source if low-resolution time is sufficient. One of
these should also be configured as the backup time source for the system.
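The selection rule above (prefer a master that is tracking the GTS, then the best signal quality, then the master listed first in the configuration file) is what lets every slave on the UDH converge on the same reference after a failover. The following Python model is an added example, not GE or WorkstationST code; it applies that ordering to a constructed list of candidate masters and replays a sequence of master failures. The `quality` scale, the device names, and the three-candidate list are assumptions made to exercise all three criteria.

```python
"""Time-master selection on the UDH, modelled from the rule in the Time
Synchronization section. Added example, not GE or WorkstationST code.
Ordering: tracking the GTS beats not tracking it, then higher signal quality,
then the master listed first in the configuration file. Every slave applies
the same ordering, so all nodes lock onto the identical reference.
The quality scale and device names are constructed for this example."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class TimeMaster:
    name: str
    config_index: int   # 0 = listed first in the configuration file
    tracking_gts: bool  # locked to the Global Time Source (GPS / IRIG-B input)
    quality: int        # signal quality, higher is better (constructed scale)
    operative: bool = True


def select_time_master(masters: List[TimeMaster]) -> Optional[TimeMaster]:
    """Pick the current master exactly as every slave would; None if none is operative."""
    candidates = [m for m in masters if m.operative]
    if not candidates:
        return None
    # Ascending sort key: False (tracking GTS) sorts before True, then best quality,
    # then earliest position in the configuration file.
    return min(candidates, key=lambda m: (not m.tracking_gts, -m.quality, m.config_index))


def failover_sequence(masters: List[TimeMaster], failures: List[str]) -> List[Optional[str]]:
    """Mark each named master inoperative in turn and record which master the slaves
    lock onto afterwards, showing that all nodes fall back to the same backup."""
    chosen: List[Optional[str]] = []
    for failed in failures:
        for m in masters:
            if m.name == failed:
                m.operative = False
        selected = select_time_master(masters)
        chosen.append(selected.name if selected else None)
    return chosen


def make_sample_masters() -> List[TimeMaster]:
    """Constructed configuration: an NTP server with a GPS/IRIG-B input as primary,
    and an EWS and an HMI as low-resolution backups (same quality, different order)."""
    return [
        TimeMaster("ntp-gps", config_index=0, tracking_gts=True, quality=10),
        TimeMaster("ews-1", config_index=1, tracking_gts=False, quality=5),
        TimeMaster("hmi-1", config_index=2, tracking_gts=False, quality=5),
    ]


if __name__ == "__main__":
    masters = make_sample_masters()
    print("active master:", select_time_master(masters).name)
    print("after failures:", failover_sequence(masters, ["ntp-gps", "ews-1"]))
```

Note that `failover_sequence` mutates the list it is given, so build a fresh list with `make_sample_masters()` for each scenario you replay.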

2.3 Ethernet Network Equipment
The NetworkST 3.1 design uses Gigabit Ethernet (10/100/1000) switches configured in a hub and spoke topology. Functional
redundancy is achieved by deploying switches in pairs. These switch pairs may be either unstacked pairs of switches that are
tied together by a trunk connection or a pair of stacked switches. If a link fails, the switches automatically calculate a new
path to the device(s).

Note Switch pairs are used to provide redundant links to devices on the network.

The Ethernet interfaces with RJ-45 connectors can be configured as 10BASE-T and 100BASE-TX. On some switches the
RJ-45 Ethernet interfaces can be configured as 1000BASE-T ports. (Review the individual part definition for more details.)
The supported Ethernet cabling depends on the interface configuration: 10BASE-T ports support 2-pair Category 3, 4, and 5
unshielded twisted-pair (UTP) cable, 100BASE-TX ports support 2-pair Category 5 UTP cable, and 1000BASE-T ports support
4-pair Category 5 UTP cable. Fiber-optic cables plug into the appropriate ports on the front panel using small form-factor
pluggable (SFP) transceivers. The data rate through the fiber-optic ports is 100 or 1000 Mbps, depending on the specific switch
configuration and choice of SFP. Switches are configured by GE; pre-configured switches should be purchased from GE.
Fiber-optic cable provides the best signal quality, completely free of electromagnetic interference (EMI) and radio frequency
interference (RFI). Large point-to-point distances are possible, and since the cable does not carry electrical charges, ground
potential problems are eliminated. Fiber-optic cable is to be used anytime the cable run leaves a building to go to another
building. It is also to be used between separate ground grids.
The NetworkST 3.1 design provides single switches for controls retrofit applications.

2.4 Network Switches
Approved network switches include:

Cisco® Catalyst© 2960-X


• 24 port switch
• Copper and fiber-optic ports
• New unit and retrofit applications
• Redundant network
• Switches used in stacked or unstacked pairs for edge switches
• Switches used in stacked pairs for root switches

Cisco Catalyst 3850


• 12 or 24 port switch
• Fiber ports only
• New unit and retrofit applications
• Redundant network
• Switches used in stacked pairs

Cisco Catalyst 3750X


• 12 or 24 port switch
• Fiber ports only
• New unit and retrofit applications
• Redundant network
• Switches used in stacked pairs

Cisco Industrial Ethernet 2000


• 8 or 16 port switch
• Copper and fiber-optic ports
• New unit and retrofit applications
• Non-stacked switch
• Deploy in pairs to provide redundancy

2.4.1 Switch Redundancy
The NetworkST 3.1 architecture has been developed with a goal of providing redundancy at each of the networking
components. The architecture defines that redundant switches should be used for both root and edge switches in the network.
The redundant switches can be used with redundant control equipment to reduce the likelihood that a single device failure in
the network would cause a system outage.

2.4.1.1 Cisco Stacking Capability


For the 3850, 3750X, and 2960X units, Cisco provides stacking functionality that allows two or more switches to be
connected together and operate as one switch with the port capacity of the combined switches. Stacked switches are
connected through special stacking ports or plug sockets with two or more cables.
Switch stacking capability offers the following benefits:

• Built-in failover and recovery in the event of a switch failure.


• A switch that has not been configured can be used to replace a failed switch in the stack. The new switch will
automatically upload the running configuration from the surviving switch in the stack.

2.4.1.2 Root Switch Redundancy


The root switch in the system acts as the Rapid Spanning Tree Protocol (RSTP) focal point for the network. There is a single
root switch in the network. All other switches in the network are known as edge switches.
Root switches in the system are provided as stacked pairs. The network has been tested to validate that in each of the failure
scenarios on the root switch, the network will recover communication in less than one second (provided that the network is
configured to the defined architecture).
Stacking the root bridge allows for a single redundant root switch that can be used to connect each of the edge switches in a
large network.

2.4.1.3 Edge Switch Redundancy


The edge switches are the switches in the network that are not root switches. These switches provide the connection
points for the majority of the equipment in the system. For edge switches there are two options for providing redundancy:
unstacked or stacked.
Unstacked Edge Switches
The Cisco Catalyst 2960X can be deployed in an unstacked edge switch configuration. The Cisco IE2000 does not provide a
stacking option. In order to provide redundancy without the Cisco stacking option, the switches should be deployed in switch
pairs.
The network has been validated to use unstacked networking switches. In this configuration, two separate switches are
deployed at each edge location. The switches in the switch pair should be connected by a trunk connection. Each switch in the
pair should have a connection to the root bridge switch.

   



  
   

Figure: Unstacked 2960X Edge Switch Connections (front-panel view of two Catalyst 2960-X Series switches showing the copper access ports 1-24, the SFP ports 25-28, and the MGMT and CONSOLE ports)

Figure: IE2000 Edge Switch Connections

The unstacked edge switch configuration has been tested to validate that in the presence of various failure scenarios (failed
trunk connection, single edge switch failure, single root bridge failure) the unaffected switch in the pair will provide
redundant communication in less than one second.
In cases where redundant control equipment is connected to the switch pair, the failover time can be much faster than one
second. It is recommended that the application developer understand the communication timing requirements for their system
and validate that the designed network meets those requirements.
Stacked Edge Switches
The Cisco Catalyst 2960X can be deployed in a stacked edge switch configuration.
While the stacking capability does provide benefits, the failover timing that can occur when one of the stack members fails
may be unacceptable for some applications. Testing of the 2960X as an edge switch has shown that when one switch fails
there is a potential for up to a three-second delay before the other switch takes over forwarding traffic. This can cause
communication from the equipment connected to the non-failed switch to become unavailable for up to three seconds.
Depending on the application, this failover timing may or may not be acceptable. The application developer must understand
the communication requirements for the system and decide if the three-second failover time is acceptable.
If the three-second failover timing is unacceptable, the edge switches can be deployed in unstacked pairs.


   
   
   

SY ST STAT S PEED RP S SYST STAT SPEE D RPS


LAN BASE 1G UPLINK Catalyst 2960-X Series LAN BASE 1G UPLINK Catalyst 2960-X Series
MAST STACK CONSOLE MAST STACK CONSOLE

1 11 13 23 1 11 13 23

2 12 14 24 2 12 14 24

MG MT CONS OLE 25 26 SFP 27 28 MGMT CO NSOLE 25 26 SFP 27 28




Stacked 2960X Edge Switch Connections

2.4.2 Switch SFPs
The switches use small form-factor pluggable (SFP) transceivers: compact, hot-pluggable modules that interface a network
switch to fiber-optic or copper networking cable. The switches used in the NetworkST 3.1 design use SFPs with LC connectors
to connect to single-mode fiber-optic cable.

(Figure: SFP transceiver and LC connector)

2.4.3 Network Design Considerations


All switches ordered as GE part numbers have port ranges identified and labeled according to the VLAN they participate in.
Switch specifications should be reviewed during building design to determine heat load and the acceptable operating
temperature range. The Cisco 3850, 3750X, and 2960X switches are not ruggedized and can have a shortened mean time
between failures (MTBF) if operated outside their specified temperature ranges. The Cisco IE2000 has an industrial
temperature specification, which should be considered when designing the application.

3 NetworkST 3.1 Architectures
3.1 Hub and Spoke Network
A hub and spoke network is made up of Edge Switches and a Root Bridge switch (refer to following example).

(Figure: Small System. Elements shown: Engineering Workstations and Historian hosting WorkstationST EGD/OPC Server, WorkstationST Alarm Server, WorkstationST Alarm Viewer, CIMPLICITY Edit/View, ToolboxST Application, EGD Configuration Server, SDB Configuration Server, System Configuration Files and Control System Toolbox; HMI; Root Bridge Switches; Edge Switches; TMR EX2100e, TMR Mark VIeS, TMR Mark VIe and LS2100e with its 8 Port Switch. Networks: Plant Data Highway (PDH), Unit Data Highway (UDH), Monitoring Data Highway (MDH). Legend: Stacking Cable, Fiber-optic Cable, Trunk, Cat 5e Cable.)
Small System

The Root Bridge (switch) is a special bridge at the top of the network spanning tree (an inverted tree). The branches (Ethernet
connections) fan out from the root switch, connecting to the other switches in the Local Area Network (LAN). The most
important element of the spanning tree is root bridge placement. It should be the most centralized switch on the network,
because all data flow across the network is determined from the perspective of this switch.
In the NetworkST 3.1 design, certain switches use special configuration files that cause them to act as the Root Bridge. This
switch should be centrally located, typically in the Control Room.
The other switches in the network are configured as Edge Switches. Each Edge Switch should connect back to its
corresponding Root Bridge switch. Each of the edge switch pair configurations (unstacked IE2000, unstacked 2960X, or
stacked 2960X) described in section 2.4.1.3 can be used in the described network architectures. The architecture drawings
show stacked 2960S edge switches.
There should be only one Root Bridge switch stack in the system. There are Cisco 2960X Root Bridge parts for small
systems. Cisco 3850 or 3750X switches serve as the Root Bridge in large systems (more than 4 units).
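The unstacked pair of section 2.4.1.3 and the root bridge placement described here are implemented with a small set of spanning-tree settings. The Cisco IOS fragments below are an added example written for this guide; they are not the GE-supplied switch configuration files. The hostnames, VLAN IDs (10 for the UDH, 20 for the PDH, 30 for the MDH), port numbers and bridge priorities are assumptions chosen for the illustration.

```cisco
! ===== Root bridge (control room 2960X stack). Added example, not a GE configuration file =====
hostname ROOT-BRIDGE
spanning-tree mode rapid-pvst
! Lowest priority wins the root election: pin the root to this stack for every highway VLAN
spanning-tree vlan 10,20,30 priority 4096
!
! Downlinks to the edge switch pairs. Root guard blocks a port the moment a superior BPDU
! arrives on it, so a mis-configured or rogue edge switch cannot take over the tree and
! pull all traffic through itself.
interface range GigabitEthernet1/0/25 - 28
 description TRUNK to edge switch pair
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 switchport nonegotiate
 spanning-tree guard root
!
! ===== Edge switch A of an unstacked pair (B is identical apart from hostname and descriptions) =====
hostname EDGE-1A
spanning-tree mode rapid-pvst
! Highest allowed priority: an edge switch must never win a root election
spanning-tree vlan 10,20,30 priority 61440
!
vlan 10
 name UDH
vlan 20
 name PDH
vlan 30
 name MDH
!
! Uplink to the root bridge (the root port under normal conditions)
interface GigabitEthernet1/0/25
 description TRUNK to ROOT-BRIDGE
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 switchport nonegotiate
!
! Trunk to the partner switch of the pair. RSTP keeps it in the alternate role; when this
! switch's uplink or the partner switch fails it moves to forwarding without the 802.1D
! listening/learning delay, which is what makes sub-second failover possible.
interface GigabitEthernet1/0/26
 description TRUNK to EDGE-1B
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 switchport nonegotiate
!
! Device ports. PortFast makes them RSTP edge ports (forward immediately, no topology
! change on a link flap); BPDU guard err-disables the port if anything behind it sends a
! BPDU, which stops an unauthorised switch plugged into a controller or HMI port.
interface range GigabitEthernet1/0/1 - 12
 description UDH device ports (controllers)
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface range GigabitEthernet1/0/13 - 24
 description PDH device ports (HMI, EWS)
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
 spanning-tree bpduguard enable
```

Root guard on the root bridge downlinks and BPDU guard on every device port are the two settings that keep the tree where the design put it: the first prevents an edge switch, or anything plugged into one, from announcing itself as a better root; the second shuts a device port the moment a bridge appears behind it. Verify the result with show spanning-tree on each edge switch: the uplink should be the root port, the trunk to the partner should be an alternate port on one side of the pair, and no device port should appear as anything but an edge port.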

3.2 Device Connections to Network


3.2.1 HMI Workstation Connections
The following diagram shows the HMI connections for a Cisco 2960X unstacked pair.

(Figure: Cisco 2960X unstacked pair. HMI connections labeled PDH Primary, UDH Primary, UDH Backup and PDH Backup; each switch of the pair has a trunk connection to the Root Bridge.)

3.2.2 Mark VIe TMR Configuration Connections
The following diagram illustrates the Mark VIe TMR controller connections for the Cisco 2960X unstacked pair.

(Figure: Cisco 2960X unstacked pair with the Mark VIe TMR controller connections; each switch has a trunk connection to the Root Bridge and the two switches are joined by a trunk.)

3.2.3 LS2100e Connections


The following diagram shows the LS2100e controller connections for the Cisco 2960S stacked pair.

(Figure: LS2100e connected through its 8 Port Switch to the stacked pair.)

3.3 System Structure for Hub and Spoke Networks
The number of controllers in the system and other design considerations determine the appropriate network configuration:

• Number of controllers
− Large numbers of controllers in dispersed locations increase network design complexity
• Communications requirements
− Redundant communications are required for new units
− Redundant communications are available for retrofit jobs
− Simplex communications are found in the controls retrofit market
• Power requirements
− Switches need reliable power
− Reliable power can be provided by a site uninterruptible power supply (UPS)
− Two power sources (one for each switch) are preferred
− Consider a total power blackout in the PEECC and its maintenance impact
• Distances between controllers
− Use a single switch pair for controllers clustered together
− Consider additional switch pairs connected by a fiber-optic trunk to the root switch for controllers that are widely
separated
− Use fiber-optic cable when copper distances are exceeded
• Outdoor cable runs
− Must be fiber-optic cable
− NetworkST 3.1 is standardized on single-mode fiber optic (10 km maximum)
− Use diverse cable routes
• Control room considerations
− Incorporate switches adequate for the number of computers in the design
• Number of controller sets supported
− Limited to the number of fiber-optic ports plus the number of copper trunk ports on the switches used in the design

Number of Mark VIe/Mark VIeS Controller Sets    Suggested Network Configuration
1                                               Small
2                                               Small
3–4                                             Small Extended
5–11                                            Large
9–20                                            Large Extended

3.4 Small System Design Notes
The small system design provides dual redundancy, enabling online repair in the event of a switch, cable, or connector failure.
This system is intended for a system with two Mark VIe/Mark VIeS controller sets and supports one or two controller rings,
including:

• Dual redundant connections between the computer and the switch pairs
• Switch pairs to allow for redundant connections to HMIs and control equipment
• Switches that use SFPs to allow different types of media to be used between switches
• IEEE 802.1w Rapid Spanning Tree Protocol (RSTP) to manage packet forwarding and prevent forwarding loops over the
redundant paths around the field switch ring
An Engineering Workstation (EWS) must be included in this system design. The EWS configures the HMI, Mark VIe, Mark
VIeS, EX2100e, and LS2100e, and stores the system configuration files. The EWS also serves as an HMI.
Additional HMIs can be included based on system requirements. Install HMIs where users need access to both operator
functions and system configuration tools. This system supports an optional Historian. The network supports up to two OSMs
at each controller and control room network switch pair.

Note For further details, refer to the Human-machine Interface (HMI) Product Line User Guide (GEH-6751).

The root switch in this configuration is a stacked pair of 2960X switches. The edge switches in this architecture can be
unstacked IE2000 switch pairs, unstacked 2960X switch pairs, or stacked 2960X switches.
The NetworkST 3.1 design provides non-stacked switches for controls retrofit applications. Devices connect over 100BASE-TX
to RJ-45 ports with unshielded twisted pair (UTP) cabling. Fiber-optic cables plug into the appropriate ports on the front panel
using SFP transceivers.

Small System

System                      Required   Comments
Engineering Workstation     X          Full-time
Human-machine Interface     O          Use where both operator and configuration capability are needed
Historian                   O          Typical location: control room

X = required, O = optional

3.5 Small System Example
(Figure: Small System. Elements shown: Engineering Workstations and Historian hosting WorkstationST EGD/OPC Server, WorkstationST Alarm Server, WorkstationST Alarm Viewer, CIMPLICITY Edit/View, ToolboxST Application, EGD Configuration Server, SDB Configuration Server, System Configuration Files and Control System Toolbox; HMI; Root Bridge Switches; Edge Switches; TMR EX2100e, TMR Mark VIeS, TMR Mark VIe and LS2100e with its 8 Port Switch. Networks: Plant Data Highway (PDH), Unit Data Highway (UDH), Monitoring Data Highway (MDH). Legend: Stacking Cable, Fiber-optic Cable, Trunk, Cat 5e Cable.)
Small System

3.6 Small Extended System Design Notes
The small extended system has all the technologies of the small system, but supports more turbines and more locations. It
provides dual redundancy, enabling online repair in the event of a switch, cable, or connector failure. This system is intended
for a system with four Mark VIe/Mark VIeS controller sets and includes:

• Dual redundant connections between the computer and the switch pairs
• Switch pairs to allow for redundant connections to HMIs and control equipment
• Switches that use SFPs to allow different types of media to be used between switches
• IEEE 802.1w Rapid Spanning Tree Protocol (RSTP) to manage packet forwarding and prevent forwarding loops over the
redundant paths around the field switch ring
An Engineering Workstation (EWS) must be included in this system design. The EWS configures the HMI, Mark VIe, Mark
VIeS, EX2100e, and LS2100e, and stores the system configuration files. The EWS also serves as an HMI.
Additional HMIs can be included based on system requirements. Install HMIs where users need access to both operator
functions and system configuration tools. This system supports an optional Historian. The network supports up to two OSMs
at each controller and control room network switch pair.

Note For further details, refer to the Human-machine Interface (HMI) Product Line User Guide (GEH-6751).

The root switch in this configuration is a four-member stack of 2960X switches. The edge switches in this architecture can be
unstacked IE2000 switch pairs, unstacked 2960X switch pairs, or stacked 2960X switches.
The NetworkST 3.1 design provides single switches for controls retrofit applications. Fiber-optic cables plug into the
appropriate ports on the front panel using SFP transceivers.
Any system with a combination of 10 or more HMIs and EWSs must be supported by a System Configuration Server and
a pair of redundant Alarm Servers. The System Configuration Server holds the master configuration files, operator screens,
CMS Server, EGD Configuration Server, SDB Server, and backup NTP source. The HMIs and EWSs are configured to use
the CMS to access the master configuration files stored on the System Configuration Server. The HMIs and EWSs are also
configured to collect alarm data from the Alarm Servers.

Small Extended System


System                        Required   Comments
Engineering Workstation       X          Full-time
Human-machine Interface       O          Use where both operator and configuration capability are needed
Historian                     O          Typical location: control room
System Configuration Server   O          Use if > 10 (HMIs + EWSs)
Alarm Server Pair             O          Use if > 10 (HMIs + EWSs)
Application Gateway           O          Special communication

X = required, O = optional

3.7 Small Extended System Example
(Figure: Small Extended System - Up to 4 Units. Elements shown: HMI (Optional) hosting WorkstationST EGD/OPC Server, WorkstationST Alarm Server, WorkstationST Alarm Viewer, CIMPLICITY Edit/View and ToolboxST Trender (stand-alone); Engineering Workstation hosting WorkstationST EGD/OPC Server, WorkstationST Alarm Server, WorkstationST Alarm Viewer, CIMPLICITY Edit/View, ToolboxST Application, Control System Toolbox, EGD Configuration Server, SDB Configuration Server and System Configuration Files; the combination of HMIs and Engineering Workstations cannot exceed 8; Core Switch (24 ports); HMI; Edge Switches; four Turbine Control groups, each with LS2100e, TMR EX2100e, TMR Mark VIe (two groups also TMR Mark VIeS) and an 8 Port Switch. Networks: Plant Data Highway (PDH), Unit Data Highway, Monitoring Data Highway (MDH), Trunk. Legend: Stacking Cable, Fiber Cable, Cat 5e Cable.)
Small Extended System - Up to 4 Units

3.8 Large System Design Notes
The large system design allows a system to expand to a much larger size to cover a large plant. The main difference is the use
of a stacked pair of Cisco Catalyst 3850-12 or 3750-12 switches as the root switches. The topology characteristics allow up to
eight turbine units and up to 12 locations to be connected.
This system allows unit controllers to be clustered into rings and connected to a central location in a multi-loop topology. This
system includes:

• A pair of redundant UDH and PDH connections from the HMI to the switches
• Dual redundant connections between the computer and the switch pairs
• Switch pairs to allow for redundant connections to HMIs and control equipment
• Switches that use SFPs to allow several different types of media to be used to interconnect the switches
• IEEE 802.1w Rapid Spanning Tree Protocol (RSTP) to manage forwarding and prevent forwarding loops over the redundant
paths around the field switch ring
The control room network switch can support a combination of up to eight EWSs, HMIs, and Historians. A second set of
eight ports for EWSs, HMIs, and Historians can be added either by adding a second switch pair to the control room
network switches, or by creating a second control room ring. Other HMIs are used to supplement the core set previously
described. Apply HMIs where users need access to both operator functions and system configuration tools, with at least one
HMI installed in the central control room.
An EWS must be included in this system design. The EWS configures the system, HMI, Mark VIe, Mark VIeS, EX2100e,
and LS2100e, and hosts the system configuration files, EGD Configuration Server, and SDB Server.
The root switch in this configuration is a stacked pair of 3850 or 3750X switches. The edge switches in this architecture can
be unstacked IE2000 switch pairs, unstacked 2960X switch pairs, or stacked 2960X switches.
Any system with a combination of 10 or more HMIs and EWSs must be supported by a System Configuration Server and
a pair of redundant Alarm Servers. The System Configuration Server holds the master configuration files, operator screens,
CMS Server, EGD Configuration Server, SDB Server, and backup NTP source. The HMIs and EWSs are configured to use
the CMS to access the master configuration files stored on the System Configuration Server. The HMIs and EWSs are also
configured to collect alarm data from the Alarm Servers.

Note For further details, refer to the Human-machine Interface (HMI) Product Line User Guide (GEH-6751).

This system supports optional Historians. The network also supports up to two OSMs at each controller and control room
network switch pair.

Large System
System                        Required   Comments
Engineering Workstation       X          Full-time
Human-machine Interface       O          Use where both operator and configuration capability are needed
Historian                     O          Typical location: control room
System Configuration Server   O          Use if > 10 (HMIs + EWSs)
Alarm Server Pair             O          Use if > 10 (HMIs + EWSs)
Application Gateway           O          Special communication

X = required, O = optional

3.9 Large System Example
(Figure: Large System - Up to 11 Units. Elements shown: HMI (Optional) hosting WorkstationST EGD/OPC Server, WorkstationST Alarm Server, WorkstationST Alarm Viewer, CIMPLICITY Edit/View and ToolboxST Trender (stand-alone); Engineering Workstation hosting WorkstationST EGD/OPC Server, WorkstationST Alarm Server, WorkstationST Alarm Viewer, CIMPLICITY Edit/View, ToolboxST, Control System Toolbox, EGD Configuration Server, SDB Configuration Server and System Configuration Files; the combination of HMIs and Engineering Workstations cannot exceed 8; System Configuration Server; Historian; Field Switch (24 ports, Layer 2 stackable switch, 2 combo SFP slots); Core Switch (12 fiber-only ports, Layer 3 stackable switch) supporting up to 8 turbine or BOP controller sets in total; HMI; Edge Switches; three Turbine Control groups, each with LS2100e, TMR EX2100e, TMR Mark VIe (one group also TMR Mark VIeS) and an 8 Port Switch. Networks: Plant Data Highway (PDH), Unit Data Highway, Monitoring Data Highway (MDH), Trunk. Legend: Stacking Cable, Fiber Cable, Cat 5e Cable.)
Large System - Up to 11 Units

3.10 Large Extended System Design Notes
Custom engineering is required to support this system design. The large extended system design joins two large
networks with fiber-optic cable using two sets of stacked pairs of the core fiber-optic switches. The topology characteristics
allow up to 16 Mark VIe/Mark VIeS controller sets, or up to 20 controller locations, to be connected. Expansion beyond this
capability is possible with custom engineering review. This design includes:

• A pair of redundant UDH and PDH connections from the HMI to the switches
• Switch pairs to allow for redundant connections to HMIs and control equipment
• Switches that use SFPs to allow several different types of media to be used to interconnect the switches
• IEEE 802.1w Rapid Spanning Tree Protocol (RSTP) to manage forwarding and prevent forwarding loops over the redundant
paths around the field switch ring
The rules for HMIs used in the large system apply to the extended capability system. The extended capability system is for a
larger plant and is essentially built with multiple blocks, where each block is equivalent to the large system design. There are
generally large numbers of HMIs and multiple EWSs, supported by a pair of Alarm Servers and a System Configuration
Server.
One or more EWSs are used to configure the control system. System configuration files are stored on the System
Configuration Server. Install HMIs where users need access to both operator functions and system configuration tools. Use
the Application Gateway for special purpose communications to external systems. Apply a pair of Alarm Servers to minimize
alarm traffic to the Mark VIe/Mark VIeS controllers. This system supports optional Historians. The network supports up to
two OSMs at each controller and control room network switch pair.

Note For further details, refer to the Human-machine Interface (HMI) Product Line User Guide (GEH-6751).

The root switch in this configuration is a stacked pair of 3750X or 3850 switches. The edge switches in this architecture can
be unstacked IE2000 switch pairs, unstacked 2960X switch pairs, or stacked 2960X switches.

Large Extended System

System                        Required   Comments
Engineering Workstation       X          Full-time
Human-machine Interface       O          Optional
Historian                     O          Typical location: control room
System Configuration Server   O          Use if > 10 (HMIs + EWSs)
Alarm Server Pair             O          Use if > 10 (HMIs + EWSs)
Application Gateway           O          Special communication

X = required, O = optional

4 NetworkST 4.0 Architecture
This chapter describes the NetworkST 4.0 architecture, which builds upon the existing NetworkST 3.1 system.

4.1 Design Descriptions


NetworkST 4.0 uses the concept of segmentation or zoning in accordance with ISA 99. Network segmentation of the GE ICS
Cyber Systems from other systems of differing trust levels is achieved by establishing a controlled Electronic Access
Perimeter (EAP) between the different trust zones. The figure GE ICS Architecture Based on ISA 99 Zoning Model illustrates
the external interfaces of the firewall instances. Communications that traverse the EAP are documented together with their
justification and are limited only to those that are specified and authorized. This includes but is not limited to communications
needed for normal operations, emergency operations, maintenance and support.
The UTM/Firewall provides an Electronic Access Point to the GE Industrial Control System (ICS). The UTM/Firewall GE
standard configuration allows limited access to forward OSM application data to the M&D center reducing the likelihood of
exposure to malicious exploits. The Electronic Security Perimeter is established by the customer and conforms to the site’s
topology and security requirements.

(Figure: GE ICS Architecture Based on ISA 99 Zoning Model. Zones and boundaries shown: Enterprise Zone; Remote Access Zone (VPN); CSN; Electronic Access Points (EAP) at the UTM/Firewall; Electronic Security Perimeters (ESP); MGH; Router pair; Catalyst 2960-X and Catalyst 3750-X switches; MDH; Layer 2 Switch; CSMS Zone with OSM, RSG and RVC; Process Information Zone with DC2, DC1, AP1, DCS, Maintenance Workstation, Backup, Historian, Identity Mgmt Domain Controller (Active Directory, Radius) and Security Change Mgmt; PDH; Control Zone with AP2, AP3, Certificate Authority, SIEM and HMI (Hardened); UDH.)
GE ICS Architecture Based on ISA 99 Zoning Model

The NetworkST 4.0 design provides redundant routers and a firewall that layer on top of the NetworkST 3.1 system (refer to
the figure NetworkST 4.0 Layer Over NetworkST 3.1), which provides the control and supervisory communications
infrastructure for the control system. The routers provide the ability to route communication between various networks, and
the firewall allows for connecting to networks outside of the ICS networks. Together they provide for network segmentation
with controlled access from one network to another. They also control access to and from external networks such as
customer’s business, balance of plant, remote access services, and other third-party systems.
NetworkST 4.0 is designed to work with SecurityST 2.0 or higher. SecurityST 2.0 enhances the capability of NetworkST 4.0
by providing Event logging (Splunk) and Access Control (RADIUS server on Domain Controllers DC1/DC2). GE monitoring
devices (RSG/OSM) can be connected either inside (on the MDH) or outside the firewall (in the DMZ).

(Figure: NetworkST 4.0 Layer Over NetworkST 3.1. Switch models shown: Catalyst 2960-S Series, Catalyst 3750-X Series stack, and Catalyst 2960-X Series pairs.)
NetworkST 4.0 Layer Over NetworkST 3.1

The GE ICS local networks are the UDH, PDH, MDH, MGH and XDH as illustrated in the figure NetworkST 4.0
Connections. The UDH is the network that carries the GE controller-to-controller, and controller-to-HMI traffic. The access to
this network is limited to prevent unnecessary exposure to potential malware. The PDH is the plant-level supervisory
network. PDH connects the HMI server with the security servers, other HMI servers, remote viewers, printers, historian
applications, and external interfaces. The MDH is the plant-level Monitoring Data Highway for devices that only need to
perform monitoring operations. The MGH is the switch management network. This network contains the management
interfaces of the switches and routers (excluding the XDH networking components). The XDH is the External Data Highway
network section between the UTM/Firewall and the Routers.
The network devices supplied in NetworkST 4.0 include:

• Redundant pair of Cisco routers (2901 or 4331)
• Single Fortinet UTM/Firewall (300C or 300D) device
• Single Cisco 2960X XDH switch

NetworkST 4.0 Connections

4.2 MDH
The Monitoring Data Highway (MDH) network, as illustrated in the previous figure, is for devices that must monitor the plant
operation but also communicate with devices outside the plant. The GE On-site Monitor (OSM) and Remote Services Gateway
(RSG) computers are often placed on the MDH network. Devices located in the MDH communicate with site equipment
through the routers and can communicate with devices located outside the plant through the UTM. The traffic allowed
in and out of the MDH is controlled by access control list (ACL) rules in the routers. If equipment is added to the MDH that
requires message traffic beyond the GE base standard configuration, the routers' list of approved traffic must be updated.
Devices in the MDH are allowed to join the HMI domain and can be protected by the site's security applications such as
antivirus, patching, and backups.
Standard routing rules allow WorkstationST devices located in the MDH running ToolboxST software to perform the
following operations:

• Consume EGD data from controllers in the UDH (data on EGD is called published data)
• Consume controller Live Data and Capture Buffer data into the Data Recorder for Trip Log evaluation
• Receive controller alarms that can be displayed in the Alarm Viewer (Alarm Protocol)
• Upload controller configuration
• Display controller unpublished data (SDI data for variables not on EGD)

4.3 DMZ
The De-militarized Zone (DMZ) is the physical or logical sub-network that exposes the GE ICS external-facing services to
potentially untrusted networks and services. The figure NetworkST 4.0 Connections illustrates the location of the DMZ
network. By design, devices located in the DMZ (RSG/OSM) have very limited access to site equipment. The access is
provided by the UTM/Firewall. The GE UTM/Firewall standard configuration allows limited application data communication
to the M&D center, reducing the likelihood of exposure to malicious exploits. Devices in the DMZ are not allowed to join the
HMI domain. The GE standard UTM/Firewall rules only allow WorkstationST devices located in the DMZ and running
ToolboxST software to consume EGD data from controllers in the UDH (published data).

4.4 MDH and DMZ GE Standard Operation Capabilities Differences
The following table shows the standard differences in operation capabilities for devices located in the MDH and the DMZ:

MDH Versus DMZ Capability Differences


Capability                                                                 MDH   DMZ
Consume EGD data from controllers                                          Yes   Yes
Consume Alarm, Event, SOE information from controllers                     Yes   No
Consume unpublished data                                                   Yes   No
Consume Trip Log information (create trip log)                             Yes   No
Upload controller configuration                                            Yes   No
Join the HMI Domain and use applications (antivirus, patching, backup)     Yes   No
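The router-side enforcement behind sections 4.2 to 4.4 is an access control list per interface and direction: one permit per justified flow, and a logged deny for everything else. The Cisco IOS fragment below is an added example for this guide, not the GE standard router configuration. Assumptions: the addresses and object-group names; that EGD published data is delivered by the producer to the consumer's UDP port 18246; that the domain controllers DC1/DC2 on the PDH also provide DNS; and Cisco 4331 interface naming. The GE service ports that ToolboxST uses for alarms, live data, SDI and configuration upload are not given in this guide and are left as remarks to be filled from the GE standard configuration.

```cisco
! Added example; not the GE standard NetworkST 4.0 router configuration.
! Assumed addressing: UDH 10.10.0.0/24 (controllers .20-.29), PDH 10.20.0.0/24 (DC1 .11, DC2 .12),
! MDH 10.30.0.0/24 (OSM/RSG host .10, partner router .3), XDH 10.41.0.0/24 (partner router .3),
! DMZ 10.40.0.0/24 behind the UTM (DMZ OSM .10). Assumed: EGD published data is delivered
! by the producer to the consumer's UDP port 18246; DC1/DC2 also provide DNS.
object-group network UDH-CONTROLLERS
 range 10.10.0.20 10.10.0.29
object-group network PDH-DOMAIN-CONTROLLERS
 host 10.20.0.11
 host 10.20.0.12
object-group network MDH-WORKSTATIONST
 host 10.30.0.10
object-group network DMZ-WORKSTATIONST
 host 10.40.0.10
!
! ---- Traffic entering the router FROM the MDH ----
ip access-list extended MDH-IN
 remark One permit per documented, justified flow; everything else is dropped and logged
 remark HSRP v2 hellos from the partner router (section 4.7) must not be filtered out
 permit udp host 10.30.0.3 host 224.0.0.102 eq 1985
 remark Domain membership (allowed from the MDH, not from the DMZ): DNS, Kerberos, LDAP, SMB, RPC
 permit udp object-group MDH-WORKSTATIONST object-group PDH-DOMAIN-CONTROLLERS eq 53
 permit tcp object-group MDH-WORKSTATIONST object-group PDH-DOMAIN-CONTROLLERS eq 53
 permit udp object-group MDH-WORKSTATIONST object-group PDH-DOMAIN-CONTROLLERS eq 88
 permit tcp object-group MDH-WORKSTATIONST object-group PDH-DOMAIN-CONTROLLERS eq 88
 permit tcp object-group MDH-WORKSTATIONST object-group PDH-DOMAIN-CONTROLLERS eq 389
 permit tcp object-group MDH-WORKSTATIONST object-group PDH-DOMAIN-CONTROLLERS eq 445
 permit tcp object-group MDH-WORKSTATIONST object-group PDH-DOMAIN-CONTROLLERS eq 135
 permit tcp object-group MDH-WORKSTATIONST object-group PDH-DOMAIN-CONTROLLERS range 49152 65535
 remark ToolboxST to UDH controllers (alarms, live data, SDI, configuration upload):
 remark   one permit per GE service, ports taken from the GE standard router configuration
 remark Nothing from the MDH reaches the MGH switch-management addresses
 deny   ip any any log
!
! ---- Traffic leaving the router TOWARD the MDH ----
ip access-list extended MDH-OUT
 remark EGD is producer-push: controllers send published data to the consumer's port
 permit udp object-group UDH-CONTROLLERS object-group MDH-WORKSTATIONST eq 18246
 remark Replies to the domain sessions opened above (TCP by ACK/RST flag, UDP by source port)
 permit tcp object-group PDH-DOMAIN-CONTROLLERS object-group MDH-WORKSTATIONST established
 permit udp object-group PDH-DOMAIN-CONTROLLERS eq 53 object-group MDH-WORKSTATIONST
 permit udp object-group PDH-DOMAIN-CONTROLLERS eq 88 object-group MDH-WORKSTATIONST
 deny   ip any any log
!
! ---- XDH side: a DMZ host gets EGD consumption and nothing else (table in section 4.4) ----
ip access-list extended XDH-IN
 permit udp host 10.41.0.3 host 224.0.0.102 eq 1985
 remark The DMZ host originates nothing toward the ICS; enterprise flows that the UTM
 remark admits need a matching permit here as well as on the UTM
 deny   ip any any log
ip access-list extended XDH-OUT
 permit udp object-group UDH-CONTROLLERS object-group DMZ-WORKSTATIONST eq 18246
 deny   ip any any log
!
! Cisco 4331 interface names assumed: Gi0/0/0 MDH, Gi0/0/1 trunk to the root bridge, Gi0/0/2 XDH
interface GigabitEthernet0/0/0
 description MDH
 ip access-group MDH-IN in
 ip access-group MDH-OUT out
!
interface GigabitEthernet0/0/2
 description XDH (to the UTM through the XDH switch)
 ip access-group XDH-IN in
 ip access-group XDH-OUT out
```

Apply the same lists to both routers of the redundant pair, and treat every new permit as a change to the EAP documentation of section 4.1: the remark above a permit is where its justification belongs. show ip access-lists gives hit counts per entry, and the logged denies are what tells you that a device newly added to the MDH needs entries of its own rather than a broader rule.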

4.5 UTM and DMZ
The Unified Threat Manager (UTM) firewall establishes one or more Electronic Access Points (EAP) into the GE Industrial
Control System (ICS), providing controlled access to help protect the critical infrastructure networks, which may be a
requirement for compliance with NERC CIP v5. The firewall can be used to create external networks, including the DMZ
(de-militarized zone), where devices with limited access can reside. Access to those networks is controlled by the firewall
to allow only necessary, trusted communication. The GE standard Fortinet UTM/Firewall (300C or 300D) configuration
establishes the EAP that allows specified GE DMZ traffic through the firewall. Up to six networks can be configured on the
UTM for connections to customer enterprise networks or a DMZ. If additional equipment is added to the DMZ that requires
message traffic beyond the GE base standard configuration, both the UTM and the routers need updates to their lists of
approved traffic.
The UTM/Firewall provides an EAP to support GE Services located in the established DMZ that need to deploy monitoring
equipment requiring a network connection back to GE. Examples are CEMS, PEMS, EDAS, RSG, OSM, Bentley* vibration
monitoring, and Performance Testing. The UTM/Firewall also provides an EAP for a customer enterprise network. Examples
are DCS system communications for monitoring and control, enterprise Historian data collection, and Asset Management data
collection. The standard UTM/Firewall configuration can be used as guidance for configuring additional Electronic Access
Points.

4.5.1 Fortinet 300D UTM

Fortinet 300D Port Assignment

Port    Assignment
1       XDH Switch
2       GE DMZ
3       GE WAN
4       Enterprise
5–8     Available

4.5.2 Fortinet 300C UTM

Fortinet 300C Port Assignment

Port    Assignment
1–2     Reserved
3       XDH Switch
4       GE DMZ
5       GE WAN
6       Enterprise
7–10    Available

4.6 XDH and XDH Switch
The routers and the UTM are connected through a network switch in the External Data Highway (XDH). The XDH switch is
configured to pass only necessary communication between the UTM and the routers, which helps prevent unauthorized and
unwanted traffic.

XDH NetworkST Connections


The XDH switch provides network connectivity between the UTM/Firewall and the redundant pair of routers. The switch
configuration allows only the use of the first three ports (Ports G1/0/1, G1/0/2 and G1/0/3), all other ports in the XDH switch
are disabled. The XDH switch configuration is standard and does not require customization on a requisition basis.
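The lock-down described above (three ports in use, everything else disabled) looks like the following on a 2960-series switch. This is an added example, not the GE standard XDH switch configuration; the guide states only that ports G1/0/1 to G1/0/3 are used, so the mapping of those ports to the UTM and the two routers, the VLAN numbers and the hostname are assumptions.

```cisco
! Added example; not the GE standard XDH switch configuration.
hostname XDH-SW
! No neighbour discovery or VLAN propagation on a segment that borders the firewall
no cdp run
vtp mode transparent
!
vlan 40
 name XDH
vlan 999
 name PARKING-UNUSED
!
! The only three live ports (assumed assignment): the UTM and the XDH interface of each router.
! Access ports only, DTP off, RSTP edge, and BPDU guard so a switch cannot be chained in behind them.
interface GigabitEthernet1/0/1
 description UTM/Firewall
 switchport mode access
 switchport access vlan 40
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface range GigabitEthernet1/0/2 - 3
 description Router A (G1/0/2) and Router B (G1/0/3) XDH interfaces
 switchport mode access
 switchport access vlan 40
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Ports 4-24 and SFP slots 25-28: administratively down AND parked in a VLAN used nowhere
! else, so an accidental "no shutdown" still gives a plugged-in device no reachable network.
interface range GigabitEthernet1/0/4 - 28
 description UNUSED - do not enable
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 spanning-tree bpduguard enable
 shutdown
!
! There are no trunk ports on this switch, so nothing can tag frames into the UDH, PDH or MDH through it.
```

Check the result with show interfaces status (exactly three connected ports in VLAN 40, everything else disabled) and show spanning-tree (no port in a trunk role). The MGH management network deliberately excludes the XDH components (section 4.1), so plan management access to this switch separately.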

4.6.1 Cisco 2960 XDH Switch – Copper Access Ports


[Figure: Cisco Catalyst 2960-S Series front panel with copper ports 1–24, uplink ports 25–28, console and management ports and status LEDs. Only ports G1/0/1 to G1/0/3 are used in the XDH.]

Cisco 2960S XDH Switch Port Assignment

4.7 Redundant Routers – Cisco 2901 or 4331
The NetworkST 4.0 Cisco routers (2901 or 4331) forward authorized traffic between the MDH network and the GE ICS
network. The routers also filter and forward XDH traffic from devices in networks outside the UTM (such as the ADH, ENT or
DMZ) to the GE network root bridge. The configured routing rules allow network traffic based on factors such as source,
destination, and protocol. The required routing rules are site specific and depend on, among other factors, network topology,
device communication, and site security requirements.

Note The customizing of the GE network design to meet customer’s and third-party communication needs, and the
implementation and deployment of routing rules to achieve secure communication channels should be performed by
networking professionals.

The router and UTM/Firewall running configurations provided as part of the standard NetworkST 4.0 product have all
required policy routing rules for GE RSG and OSM communication from the MDH and the DMZ to the GE ICS network.
These configurations can be used as guidance to identify the required policy routing and firewall rule areas and implement the
necessary changes.
The Cisco routers use the Hot Standby Router Protocol (HSRP) for redundancy. Only one router forwards traffic at a given
time; the other is in standby mode. Upon failure or disconnection of the active router, the standby router takes over the
routing tasks.

4.7.1 Cisco 4331 Router Pair with Copper Ports

Cisco 4331 Router Port Assignment

4.7.2 Cisco 2901 Router Pair With Copper Ports

Cisco 2901 Router Port Assignment

4.8 NetworkST 4.0 Device Connection Diagram

4.9 Management VLAN (MGH)
One of the defense-in-depth concepts for providing cyber-security in a system is that you cannot attack that which you cannot
reach. This leads to architectures using segmented networks with routers between them that only allow trusted traffic through.
One device type that is a prime target is the network switch. If the switch functions can be compromised then the attacker can
snoop on network traffic and potentially reach areas of the network that they are not supposed to be able to reach. For that
reason, reducing the visibility of the switch's management interface provides a substantial benefit in network security.
This section introduces the concept of the Management VLAN and outlines the changes that this type of network hardening
causes in network equipment monitoring and management. The Management VLAN requires the routers supplied by
NetworkST 4.0.

4.9.1 The Switch Management Interface


Each network switch defines a management interface. The management interface is the network (VLAN) and IP address that
the switch will listen on for requests from clients. In our systems there are two main types of requests that the switch will
honor:

• SSH (Secure Shell) connections are used to manage and maintain the switch. This includes retrieving the configuration
for backup purposes, or altering the existing configuration in the switch. It is also used for advanced diagnostics.
• SNMP (Simple Network Management Protocol) requests are used by the WorkstationST Network Monitor program to
report on network health. (Control System Health uses this same interface.)
In addition, the switches also use the management interface for requests from the switch:

• Logging messages are created and sent to the system Syslog server.
• Network time requests may be issued to the site time server.
• RADIUS requests are made to the Domain Controllers to authenticate users.

4.9.2 Management Interface Locations


There are multiple options for which VLAN is used to monitor and maintain the switches, and each option has different
ramifications for the devices and subsystems that use the management interface.

4.9.2.1 Management Interface on the Plant Data Highway (PDH)


The switches can be configured to place their management interface on the Plant Data Highway (PDH). This was the original
scheme used by the NetworkST 3.1 architecture. Placing the management interface on the PDH means that each switch is
assigned an address on the PDH, and its management interface can be reached directly from any device that is also on the
PDH. No routing or filtering is done; the switch responds to any client that makes a valid request.
This scheme is simple to implement and easy to maintain.

• SSH clients on the PDH connect to the switch using its PDH address.
• SNMP clients on the PDH make requests to the switch using its PDH address.
• The switch sends its logging messages to the Syslog server on the PDH.
• The switch can request time from the time server on the PDH.
• RADIUS requests are made directly to the Domain Controllers on the PDH.
The main disadvantage of this scheme is that any computer on the PDH has access to the switch management interfaces and
therefore presents a potential risk for impacting the switch operation.

4.9.2.2 Management Interface on the Management VLAN (MGH)
The switches can be configured to place their management interface on the Management VLAN (MGH). This is a separate
VLAN that typically does not have any physical ports allocated to it on the switches. Instead, a router provides an access
control list that specifies which PDH devices are allowed to communicate with the switch management interface on the
MGH. Placing the management interface on the MGH means that each switch is assigned an address on the MGH, and its
management interface can only be reached from devices on the PDH by passing through the access control lists on the router.
In addition to moving the management interface to the MGH, each switch is given its own independent access control list for
its inbound services (SSH, SNMP) to prevent access from rogue equipment that may reach the MGH. These two levels of
request filtering greatly improve the security of the networking equipment.
The access lists in the routers and the interface access lists in the switches combine to limit the devices on the PDH that may
interact with the switch management interface. The following types of inbound access to the switches are allowed:

• SSH clients will be allowed from the AP1 server in SecurityST systems (AP1 at 172.16.201.103) and from the primary
Engineering Workstation (EWS1_SVR at 172.16.201.22).
• SNMP clients will be allowed to make requests from the special Network Monitor functional IP address (NetMon1 at
172.16.201.60). (Refer to the section Network Monitor Functional IP Address.)
All other access to the management interface will be blocked.
Outbound functions, such as the switch logging to the Syslog server, will be allowed by the routers, but only to the expected
address (such as Syslog only to AP2 at 172.16.201.104). This prevents devices on the Management VLAN from being able to
attack entities on the PDH.

4.9.3 Network Monitor Functional IP Address
The WorkstationST Network Monitor function requires ICMP Echo and SNMP access to the management interface of
each switch in order to report on switch health, port status, and traffic counts. This case is a little different in that the
Network Monitor is not a separate device; it is a function running in any one of the WorkstationST based devices, which
already have their assigned IP addresses.
The goal is to allow the WorkstationST Network Monitor function to be able to be run in any WorkstationST computer
without having to:

• Reconfigure the routers with the address of the computer running the Network Monitor.
• Reconfigure every switch with the address of the computer running the Network Monitor.
To accomplish this, the access control lists in the routers and the switches are configured with a Functional IP Address. This
is an IP address assigned to the computer designated to run a particular function, but it is not the primary IP address of that
computer. Instead, the functional IP address is a second IP address added to the computer in addition to its primary address.
Using a second, functional IP address lets the function be landed on any WorkstationST class computer without changing the
primary address of that computer or any of the access control lists in the routers or the switches.
To accomplish this, the following steps are taken on the computer that is designated to run the Network Monitor function:

• A second IP address is added to the PDH network adapter of the selected HMI (NetMon1 at 172.16.201.60).
• The Network Monitor software is configured to use the IP address of the Network Monitor function (NetMon1 at
172.16.201.60).

Note Use of a secondary IP address for the Network Monitor function was first introduced in ControlST V06.00.

With the above in place, the Network Monitor function issues all ICMP Echo and SNMP requests using the secondary
(NetMon1) IP address as the source address. The access control lists in the routers and the switches are configured to accept
messages from that source address, so the requests reach their intended destination, and the replies return to the source
address, which routes them back to the computer running the Network Monitor function.
By using a Network Monitor Functional IP address the Network Monitor can access the management network:

• Without having to change the main IP address on the computer running the Network Monitor function. This prevents
having to make any changes to the network drawings or the WorkstationST configurations associated with changing the
IP address of a computer.
• Without having to change the access control lists in the router and every switch.
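The two filtering layers described in section 4.9.2.2, and the reason the Network Monitor needs the NetMon1 functional address described in section 4.9.3, can be checked against a small model. The following Python is an added example and is not GE's router or switch configuration. It encodes the flows the guide names (SSH from AP1 172.16.201.103 and EWS1_SVR 172.16.201.22, SNMP and ICMP Echo from NetMon1 172.16.201.60, syslog outbound only to AP2 172.16.201.104), evaluates a flow against the router ACL and then against the switch's own access list, and renders equivalent Cisco IOS extended ACL lines. The PDH and MGH subnets (172.16.201.0/24 and 172.16.210.0/24), the ACL names, the switch and HMI addresses and the IOS rendering are assumptions made for illustration; return traffic is assumed to be handled by the router's established/reflexive handling and is not modelled.

```python
"""Model of the two-layer access control on the NetworkST 4.0 Management VLAN.

Added example, not GE's configuration. AP1, EWS1_SVR, NetMon1 and AP2 are the
addresses the guide names; the subnets, ACL names and IOS rendering are
assumptions made for this illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Addresses the guide names on the Plant Data Highway (PDH).
AP1 = ip_address("172.16.201.103")       # SecurityST application server: SSH client
EWS1_SVR = ip_address("172.16.201.22")   # primary Engineering Workstation: SSH client
NETMON1 = ip_address("172.16.201.60")    # Network Monitor functional IP: SNMP/ICMP client
AP2 = ip_address("172.16.201.104")       # Syslog server: the only permitted outbound target

# Assumed for this example (the guide does not give them).
PDH = ip_network("172.16.201.0/24")
MGH = ip_network("172.16.210.0/24")
ACL_IN, ACL_OUT = "PDH-TO-MGH", "MGH-TO-PDH"


@dataclass(frozen=True)
class Flow:
    """One initiating packet. Return traffic is assumed to be handled by the
    router's established/reflexive handling and is not modelled."""
    src: IPv4Address
    dst: IPv4Address
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # None for icmp


Rule = Tuple[IPv4Address, str, Optional[int]]
# Inbound: (PDH client, protocol, destination port) permitted towards any MGH address.
INBOUND_RULES: Tuple[Rule, ...] = (
    (AP1, "tcp", 22), (EWS1_SVR, "tcp", 22),   # SSH management
    (NETMON1, "udp", 161),                      # SNMP polling
    (NETMON1, "icmp", None),                    # ICMP Echo reachability
)
# Outbound: (PDH server, protocol, port) a switch may initiate to from the MGH.
OUTBOUND_RULES: Tuple[Rule, ...] = ((AP2, "udp", 514),)   # syslog only


def router_permits(flow: Flow) -> bool:
    """Layer 1: the router ACLs between the PDH and the MGH (implicit deny)."""
    if flow.src in MGH and flow.dst in MGH:
        return True        # same VLAN: the router is not in the path, only layer 2 applies
    if flow.src in PDH and flow.dst in MGH:
        return (flow.src, flow.proto, flow.dport) in INBOUND_RULES
    if flow.src in MGH and flow.dst in PDH:
        return (flow.dst, flow.proto, flow.dport) in OUTBOUND_RULES
    return False


def switch_permits(flow: Flow) -> bool:
    """Layer 2: the switch's own access lists on its SSH and SNMP services,
    there to stop rogue equipment that reaches the MGH. Other traffic is left
    to the router."""
    if flow.dst not in MGH:
        return True
    if flow.proto == "tcp" and flow.dport == 22:
        return flow.src in (AP1, EWS1_SVR)
    if flow.proto == "udp" and flow.dport == 161:
        return flow.src == NETMON1
    return True


def permitted(flow: Flow) -> bool:
    """A request reaches the management interface only if both layers allow it."""
    return router_permits(flow) and switch_permits(flow)


def _wild(net: IPv4Network) -> str:
    return f"{net.network_address} {net.hostmask}"     # IOS wildcard-mask notation


def render_router_acls() -> List[str]:
    """Cisco IOS extended ACLs equivalent to the rule tables (assumed syntax)."""
    lines = [f"ip access-list extended {ACL_IN}"]
    for host, proto, port in INBOUND_RULES:
        svc = " echo" if proto == "icmp" else f" eq {port}"
        lines.append(f" permit {proto} host {host} {_wild(MGH)}{svc}")
    lines.append(" deny ip any any log")
    lines.append(f"ip access-list extended {ACL_OUT}")
    for host, proto, port in OUTBOUND_RULES:
        lines.append(f" permit {proto} {_wild(MGH)} host {host} eq {port}")
    lines.append(" deny ip any any log")
    return lines


if __name__ == "__main__":
    print("\n".join(render_router_acls()))
    switch = ip_address("172.16.210.11")   # assumed MGH address of one switch
    hmi = ip_address("172.16.201.30")      # assumed primary address of the HMI running Network Monitor
    rogue = ip_address("172.16.210.200")   # assumed rogue device plugged into the MGH
    for f in (Flow(hmi, switch, "udp", 161), Flow(NETMON1, switch, "udp", 161),
              Flow(AP1, switch, "tcp", 22), Flow(AP1, switch, "udp", 161),
              Flow(rogue, switch, "tcp", 22),
              Flow(switch, AP2, "udp", 514), Flow(switch, AP1, "tcp", 22)):
        print(f"{f.src} -> {f.dst} {f.proto}/{f.dport}: {'permit' if permitted(f) else 'deny'}")
```

Running the block prints the rendered ACLs and then shows that SNMP polled from the HMI's primary address is dropped at the router while the same HMI sourcing from NetMon1 gets through, which is what the functional IP address buys: the host running the monitor can change, the access lists do not. The rogue-device case shows why the switch's own access list is kept in addition to the router ACL: traffic that never leaves the MGH never crosses the router.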

4.9.4 Switch Setup Using a Management VLAN
The use of a Management VLAN complicates the procedures used for initial switch configuration loading, but the impact is
small. Several schemes are available for the initial loading:

• A PDH management address can temporarily be assigned to the switch and its configuration can be loaded as it was prior
to the Management VLANs implementation. Once the configuration is loaded the switch will revert to the Management
VLAN which will be present on all its trunk ports and no additional change needs to be made.
• An unused switch port on any switch can be assigned to the Management VLAN and a technician computer can be
plugged into that port and given a Management VLAN address. This technician computer (often a laptop) can then be
used for network transfer of the configuration to the switch.
• [Preferred solution] A non-network-based method can be used to transfer the switch configuration to the switch, such as a
USB drive. This prevents any networking or VLAN changes from being required on the switch, it can go directly from
out-of-the-box configuration to the final configuration with no temporary reassignments required. The Cisco Catalyst
3850, 3750X, and 2960X switches and routers in the NetworkST product line can transfer configurations via a USB drive
formatted with the FAT32 file system.

4.9.5 Summary
Placing the management interface for network equipment on its own VLAN and then controlling access to it through access
lists in both the routers and the switches themselves offers a much higher degree of isolation, and therefore security, than
placing the management interface on the Plant Data Highway with no access list support. By using a Functional IP Address
for the WorkstationST Network Monitor function, site-specific configurations can be addressed without modifying the access
lists in the routers and the switches. Systems with management interfaces on a separate VLAN are now quite common, and
this architecture is less likely to trigger questions and concerns during site security audits.

4.10 High Availability for External Communication
The NetworkST 4.0 Unified Threat Manager (UTM) firewall devices, as well as the routers, control data communication
between devices outside of the Electronic Security Perimeter (ESP) and the GE Industrial Control System (ICS), such as the
PDH or UDH networks. The UTM devices provide an Electronic Access Point (EAP) into the ICS, as illustrated in the
following figure.

UTM Firewall External Network Device One-line Diagram

The NetworkST 4.0 High Availability (HA) system topology includes two Cisco 2960X XDH switches, two FortiGate 300D
UTM firewall devices, and two Cisco 3850 External (EXT) switches. The following figure illustrates the relationship between
a host on an external network (Example PC) and an Application Server (AP1) on the PDH network inside the GE ICS.
The highlighted devices complete the HA system.

HA UTM System Network Diagram

The following figure is a more detailed diagram of the HA external communication topology showing the redundant
external switches. The external switches (EXT-1 and EXT-2) are 12- or 24-port Cisco 3850 switches that can be either stacked
or non-stacked and inter-connected by a trunk. The HA UTM devices (UTM-1 and UTM-2) are shown with port 1 connected to
the ICS network through the XDH switches, port 4 connected to the external switches, and ports 7 and 8 inter-connected
between the two UTMs for the HA heartbeat. The XDH switches connect the UTM devices with the NetworkST 4.0 redundant
routers. The redundant routers (HSRP1 and HSRP2) complete the connectivity to the GE ICS network root switches.

Typical NetworkST HA Connection Diagram

4.10.1 HA UTM Firewall – FortiGate 300D
The NetworkST 4.0 HA UTM cluster consists of two FortiGate 300D firewall devices. The cluster units use the FortiGate
Clustering Protocol (FGCP) to share communication and synchronization information, also known as the FGCP heartbeat or
HA heartbeat, over the configured heartbeat interfaces. With both UTM devices sharing state and configuration information, if
one unit fails, the other unit automatically takes over the functionality of the failed unit with virtually no interruption.
The UTM cluster units are configured to operate in Active-Passive mode. One unit takes the primary (master) role and the
other unit assumes the backup (slave) role. The UTM configuration is done on a requisition basis. Three interfaces are
common to most UTM devices: port 1 (router), port 7 (HA Link 1), and port 8 (HA Link 2). The remaining interfaces are
configured during the requisition or commissioning phase based on site-specific and customer requirements. A network
engineer is needed for the design and customization of the NetworkST 4.0 routers and UTM devices.

Fortinet 300D UTM (Front Panel View)

The following table is an example of port assignment showing the three common interfaces on ports 1, 7 and 8.

Example of Inter-connection in UTM-1


Port Assignment Description
1 Router To XDH-01 switch port 1
2 GE DMZ
3 GE WAN
4 Enterprise
5 Available
6 Available
7 HA Link 1 To UTM-2 port 7
8 HA Link 2 To UTM-2 port 8

Part Numbers and Descriptions


The following table provides HA UTM Firewall device part numbers and descriptions. For a description of the FortiCare
services, refer to the following document located on the Fortinet website at:
https://www.fortinet.com/content/dam/fortinet/assets/brochures/FortiCare-Services.pdf

Note Parts were created to allow for ordering individual units (replacement parts).

Note For a UTM HA system with a 3-year FortiCare agreement, order one 117T6409PX02A and one 117T6409PX03A. If a
1-year FortiCare agreement is preferred, order one 117T6409PX02B and one 117T6409PX03B.

HA UTM Individual Part Numbers


Part Number Description
117T6409PX02A HA UTM-1 (Unified Threat Manager) for NetworkST 4.0 (3-year FortiCare agreement)
117T6409PX02B HA UTM-1 (Unified Threat Manager) for NetworkST 4.0 (1-year FortiCare agreement)
117T6409PX03A HA UTM-2 (Unified Threat Manager Unit 2) for NetworkST 4.0 (3-year FortiCare agreement)
117T6409PX03B HA UTM-2 (Unified Threat Manager Unit 2) for NetworkST 4.0 (1-year FortiCare agreement)

4.10.2 HA XDH Switches – Cisco 2960X
Two Cisco 2960X switches provide connectivity between the redundant UTM devices UTM-1 and UTM-2 and the redundant
routers HSRP1 and HSRP2. The two XDH switches are inter-connected through trunk on port 24 for HA functionality.

HA XDH Switches (Front Panel View)

Part Numbers and Descriptions


The part number for 2960X XDH switches for NetworkST 4.0 HA UTM systems is 117T6409P027B.
The following table provides the Cisco part number and description.

Cisco Part Number


Quantity Part Number Description
2 WS-C2960X-24TS-L Catalyst 2960X 24 GigE, 4 x SFP LAN base

4.10.3 HA External Switches – Cisco 3850
The NetworkST 4.0 External switches for HA UTM systems provide segregation, redundancy, and connectivity. The
NetworkST 4.0 solution provides single or stacked switches with 12 or 24–ports per switch, depending on customer needs.
Each external switch is segregated into four VLAN regions to accommodate up to four customer external networks requiring
communication links to the GE ICS networks.

Caution: All unused ports should be administratively disabled before placing the switches in service.
The following sections provide further details about the available HA External switches:

• Non-stacked 12-port External Switch Solution with Single Mode SFP
• Non-stacked 12-port External Switch Solution with Multi Mode SFP
• Stacked 12-port External Switch Solution with Single Mode SFP
• Stacked 12-port External Switch Solution with Multi Mode SFP
• Non-stacked 24-port External Switch Solution with Single Mode SFP
• Non-stacked 24-port External Switch Solution with Multi Mode SFP
• Stacked 24-port External Switch Solution with Single Mode SFP
• Stacked 24-port External Switch Solution with Multi Mode SFP

4.10.3.1 Non-stacked 12-port External Switch Solution with Single Mode SFP
Two C3850 12–port External switches with Single Mode SFP and one Copper Trunk for external switch inter-connection are
required. Two 117T6409P051X1 items are needed to complete the External switch pair.

Part Numbers and Descriptions


The part number for a Non-stacked 12-port External switch with Single Mode SFP for NetworkST 4.0 HA UTM systems is
117T6409P051X1.
The following table provides the Cisco part numbers and descriptions.

Cisco Part Numbers


Quantity Part Number Description
1 WS-C3850-12S-S Catalyst 3850 12–port GE SFP IP base
1 CAB-SPWR-30CM Catalyst 3850 stack power cable 30 CM
1 PWR-C1-350WAC Catalyst 350 W AC power supply
5 GLC-T or GLC-TE Cisco 1000BASE-T SFP transceiver module for Copper
4 GLC-LH-SM= or GLC-LH-SMD GE SFP, LC connector LX/LH transceiver

Non-stacked 12-port External Switch Solution with Single Mode SFP Network Segregation Configuration

Port Designation per Switch


External SW-1
Port # VLAN 50 VLAN 51 VLAN 52 VLAN 53 Trunk Comments
1 ✔ Spare
2 ✔ High-speed internet connection
3 ✔ UTM-1 port 3
4 ✔ UTM-1 port 4
5 ✔ UTM-1 port 5
6 ✔ UTM-1 port 6
7 ✔ Lockbox connection
8 ✔ Open for connection
9 ✔ Open for connection
10 ✔ Open for connection
11 ✔ Open for connection
12 ✔ Trunk connection to EXT-2
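The caution in section 4.10.3 (unused ports administratively disabled) together with the port designation table above can be turned into a generated, checkable switch configuration. The following Python is an added example and is not GE's shipped External switch configuration. It renders a Catalyst 3850 style interface stanza for each port of EXT-1, shuts down every port that has no device attached, restricts the EXT-2 trunk to VLANs 50 to 53, and audits a configuration (generated or hand-written) for enabled ports left on the default VLAN 1, trunks that allow more than the four external VLANs, and enabled ports with no explicit switchport mode. The VLAN assigned to each port is an assumption (the guide's table marks each port with one VLAN or Trunk, but the column does not survive here), as are the unused native VLAN 999 and the exact IOS command syntax.

```python
"""Port configuration generator and audit for a NetworkST 4.0 External (EXT) switch.

Added example, not GE's switch configuration. The per-port VLAN assignment, the
native VLAN and the IOS syntax are assumptions made for this illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

EXTERNAL_VLANS = (50, 51, 52, 53)   # the four customer network regions
NATIVE_VLAN = 999                    # assumed: an unused native VLAN for the EXT-1/EXT-2 trunk


@dataclass(frozen=True)
class Port:
    number: int
    role: str             # "access" or "trunk"
    vlan: Optional[int]   # access VLAN, None for the trunk
    in_use: bool          # False: no device attached, the port is shut down
    comment: str


# Assumed EXT-1 layout for the non-stacked 12-port switch: UTM-1 ports 3..6 are mapped
# to VLAN 50..53 here; the guide's table does not say which VLAN each port carries.
EXT1_PORTS = (
    Port(1, "access", 50, False, "Spare"),
    Port(2, "access", 50, True, "High-speed internet connection"),
    Port(3, "access", 50, True, "UTM-1 port 3"),
    Port(4, "access", 51, True, "UTM-1 port 4"),
    Port(5, "access", 52, True, "UTM-1 port 5"),
    Port(6, "access", 53, True, "UTM-1 port 6"),
    Port(7, "access", 51, True, "Lockbox connection"),
) + tuple(Port(n, "access", 52, False, "Open for connection") for n in range(8, 12)) + (
    Port(12, "trunk", None, True, "Trunk connection to EXT-2"),
)


def render_port(p: Port) -> List[str]:
    """Catalyst 3850 style interface stanza for one port."""
    lines = [f"interface GigabitEthernet1/0/{p.number}", f" description {p.comment}"]
    if p.role == "trunk":
        allowed = ",".join(str(v) for v in EXTERNAL_VLANS)
        lines += [" switchport mode trunk", f" switchport trunk allowed vlan {allowed}",
                  f" switchport trunk native vlan {NATIVE_VLAN}", " switchport nonegotiate"]
    else:
        lines += [" switchport mode access", f" switchport access vlan {p.vlan}",
                  " switchport nonegotiate", " spanning-tree portfast",
                  " spanning-tree bpduguard enable"]
    lines.append(" no shutdown" if p.in_use else " shutdown")   # the caution: unused ports disabled
    return lines


def render_switch(ports=EXT1_PORTS) -> List[str]:
    return [line for p in ports for line in render_port(p)]


def _vlan_set(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '50-53' or '50,51,52,53'."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def audit(config: List[str]) -> List[str]:
    """Findings for a rendered or hand-written config: enabled ports with no
    switchport mode, enabled access ports left on VLAN 1, and trunks that carry
    VLANs outside the four external VLANs. Shut-down ports are not reported."""
    stanzas, current, findings = {}, None, []
    for line in config:
        if line.startswith("interface "):
            current = line.split()[1]
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
    for name, body in stanzas.items():
        if "shutdown" in body:                 # exact match; "no shutdown" does not count
            continue
        mode = next((b.split()[2] for b in body if b.startswith("switchport mode ")), None)
        if mode is None:
            findings.append(f"{name}: enabled with no switchport mode")
        elif mode == "access" and not any(b.startswith("switchport access vlan ") for b in body):
            findings.append(f"{name}: enabled access port left on VLAN 1")
        elif mode == "trunk":
            spec = next((b.split()[-1] for b in body if b.startswith("switchport trunk allowed vlan ")), None)
            if spec is None or not _vlan_set(spec) <= set(EXTERNAL_VLANS):
                findings.append(f"{name}: trunk allows VLANs outside {EXTERNAL_VLANS}")
    return findings


if __name__ == "__main__":
    cfg = render_switch()
    print("\n".join(cfg))
    print("audit findings:", audit(cfg) or "none")
```

The generated configuration passes its own audit; feeding the audit a hand-written stanza that enables a port without an access VLAN, or a trunk without an allowed-VLAN list, produces a finding per port. The same check is worth running on the configuration pulled back from a commissioned switch, since a port opened "temporarily" for a vendor laptop is exactly the kind of change that does not make it back into the drawings.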

4.10.3.2 Non-stacked 12-port External Switch Solution with Multi Mode SFP
Two C3850 12–port External switches with Multi Mode SFP and one Copper Trunk for external switch inter-connection are
required. Two 117T6409P051X2 items are needed to complete the External switch pair.

Part Numbers and Descriptions


The part number for a 12-port External switch with Multi Mode SFP for NetworkST 4.0 HA UTM systems is
117T6409P051X2.
The following table provides the Cisco part numbers and descriptions.

Cisco Part Numbers


Quantity Part Number Description
1 WS-C3850-12S-S Catalyst 3850 12–port GE SFP IP base
1 CAB-SPWR-30CM Catalyst 3850 stack power cable 30 CM
1 PWR-C1-350WAC Catalyst 350 W AC power supply
5 GLC-T or GLC-TE Cisco 1000BASE-T SFP transceiver module for Copper
4 GLC-LH-SM= or GLC-LH-SMD GE SFP, LC connector LX/LH transceiver

Non-stacked 12-port External Switch Solution with Multi Mode SFP Network Segregation Configuration

Port Designation per Switch


External SW-1
Port # VLAN 50 VLAN 51 VLAN 52 VLAN 53 Trunk Comments
1 ✔ Spare
2 ✔ High-speed internet connection
3 ✔ UTM-1 port 3
4 ✔ UTM-1 port 4
5 ✔ UTM-1 port 5
6 ✔ UTM-1 port 6
7 ✔ Lockbox connection
8 ✔ Open for connection
9 ✔ Open for connection
10 ✔ Open for connection
11 ✔ Open for connection
12 ✔ Trunk connection for EXT-2

4.10.3.3 Stacked 12-port External Switch Solution with Single Mode SFP
Two stacked C3850 12–port External switches with Single Mode SFP are required. One 117T6409P051Y1 item is needed to
complete the External switch pair.

Part Numbers and Descriptions


The part number for a Stacked 12-port External switch with Single Mode SFP for NetworkST 4.0 HA UTM systems is
117T6409P051Y1.
The following table provides the Cisco part numbers and descriptions.

Cisco Part Numbers


Quantity Part Number Description
2 WS-C3850-12S-S Catalyst 3850 12–port GE SFP IP base
2 CAB-SPWR-30CM Catalyst 3850 stack power cable 30 CM
2 STACK-T1-50CM Cisco StackWise-480 50CM stacking cable
2 PWR-C1-350WAC Catalyst 350 W AC power supply
8 GLC-T or GLC-TE Cisco 1000BASE-T SFP transceiver module for Copper
8 GLC-LH-SM= or GLC-LH-SMD GE SFP, LC connector LX/LH transceiver

Stacked 12-port External Switch Solution with Single Mode SFP Network Segregation Configuration

Port Designation per Switch
External SW (Stacked)
Port # VLAN 50 VLAN 51 VLAN 52 VLAN 53 Trunk Comments
1 ✔ Spare
2 ✔ High-speed internet connection
3 ✔ UTM-X port 3
4 ✔ UTM-X port 4
5 ✔ UTM-X port 5
6 ✔ UTM-X port 6
7 ✔ Lockbox connection
8 ✔ Open for connection
9 ✔ Open for connection
10 ✔ Open for connection
11 ✔ Open for connection
12 ✔ Open for connection
Stacking cable should be connected between the two switches.

4.10.3.4 Stacked 12-port External Switch Solution with Multi Mode SFP
Two stacked C3850 12–port External switches with Multi Mode SFP are required. One 117T6409P051Y2 item is needed to
complete the External switch pair.

Part Numbers and Descriptions


The part number for a Stacked C3850 12–port External switch with Multi Mode SFP for NetworkST 4.0 HA UTM systems is
117T6409P051Y2.
The following table provides the Cisco part numbers and descriptions.

Cisco Part Numbers


Quantity Part Number Description
2 WS-C3850-12S-S Catalyst 3850 12–port GE SFP IP base
2 CAB-SPWR-30CM Catalyst 3850 stack power cable 30 CM
2 STACK-T1-50CM Cisco StackWise-480 50CM stacking cable
2 PWR-C1-350WAC Catalyst 350 W AC power supply
8 GLC-T or GLC-TE Cisco 1000BASE-T SFP transceiver module for Copper
8 GLC-LH-SM= or GLC-LH-SMD GE SFP, LC connector LX/LH transceiver

Stacked C3850 12–port External Switch with Multi Mode SFP Network Segregation Configuration

Port Designation per Switch
External SW (Stacked)
Port # VLAN 50 VLAN 51 VLAN 52 VLAN 53 Trunk Comments
1 ✔ Spare
2 ✔ High-speed internet connection
3 ✔ UTM-X port 3
4 ✔ UTM-X port 4
5 ✔ UTM-X port 5
6 ✔ UTM-X port 6
7 ✔ Lockbox connection
8 ✔ Open for connection
9 ✔ Open for connection
10 ✔ Open for connection
11 ✔ Open for connection
12 ✔ Open for connection
Stacking cable should be connected between the two switches.

4.10.3.5 Non-stacked 24-port External Switch Solution with Single Mode SFP
Two C3850 24–port External switches with Single Mode SFP and one Copper Trunk for external switch inter-connection are
required. Two 117T6409P052X1 items are needed to complete the External switch pair.

Part Numbers and Descriptions


The part number for a non-stacked C3850 24–port External switch with Single Mode SFP for NetworkST 4.0 HA UTM
systems is 117T6409P052X1.
The following table provides the Cisco part numbers and descriptions.

Cisco Part Numbers


Quantity Part Number Description
1 WS-C3850-24S-S Catalyst 3850 24 Port GE SFP IP base
1 CAB-SPWR-30CM Catalyst 3850 stack power cable 30 CM
1 PWR-C1-350WAC Catalyst 350 W AC power supply
5 GLC-T or GLC-TE Cisco 1000BASE-T SFP transceiver module for Copper
4 GLC-LH-SM= or GLC-LH-SMD GE SFP, LC connector LX/LH transceiver

Non-stacked C3850 24–port External Switch with Single Mode SFP Network Segregation Configuration

Port Designation per Switch
External SW-1
Port # VLAN 50 VLAN 51 VLAN 52 VLAN 53 Trunk Comments
1 ✔ Spare
2 ✔ High-speed internet connection
3 ✔ UTM-X port 3
4 ✔ UTM-X port 4
5 ✔ UTM-X port 5
6 ✔ UTM-X port 6
7 ✔ Lockbox connection
8 ✔ Open for connection
9 ✔ Open for connection
10 ✔ Open for connection
11 ✔ Open for connection
12 ✔ Open for connection
13 ✔ Open for connection
14 ✔ Open for connection
15 ✔ Open for connection
16 ✔ Open for connection
17 ✔ Open for connection
18 ✔ Open for connection
19 ✔ Open for connection
20 ✔ Open for connection
21 ✔ Open for connection
22 ✔ Open for connection
23 ✔ Open for connection
24 ✔ Trunk connection to EXT-2

4.10.3.6 Non-stacked 24-port External Switch Solution with Multi Mode SFP
Two C3850 24–port External switches with Multi Mode SFP and one Copper Trunk for external switch inter-connection are
required. Two 117T6409P052X2 items are needed to complete the External switch pair.

Part Numbers and Descriptions


The part number for a non-stacked C3850 24–port External switch with Multi Mode SFP for NetworkST 4.0 HA UTM
systems is 117T6409P052X2.
The following table provides the Cisco part numbers and descriptions.

Cisco Part Numbers


Quantity Part Number Description
1 WS-C3850-24S-S Catalyst 3850 24 Port GE SFP IP base
1 CAB-SPWR-30CM Catalyst 3850 stack power cable 30 CM
1 PWR-C1-350WAC Catalyst 350 W AC power supply
5 GLC-T or GLC-TE Cisco 1000BASE-T SFP transceiver module for Copper
4 GLC-GE-100FX SFP, LC connector LX/LH transceiver

Non-stacked C3850 24–port External Switch with Multi Mode SFP Network Segregation Configuration

Port Designation per Switch
External SW-1
Port # VLAN 50 VLAN 51 VLAN 52 VLAN 53 Trunk Comments
1 ✔ Spare
2 ✔ High-speed internet connection
3 ✔ UTM-X port 3
4 ✔ UTM-X port 4
5 ✔ UTM-X port 5
6 ✔ UTM-X port 6
7 ✔ Lockbox connection
8 ✔ Open for connection
9 ✔ Open for connection
10 ✔ Open for connection
11 ✔ Open for connection
12 ✔ Open for connection
13 ✔ Open for connection
14 ✔ Open for connection
15 ✔ Open for connection
16 ✔ Open for connection
17 ✔ Open for connection
18 ✔ Open for connection
19 ✔ Open for connection
20 ✔ Open for connection
21 ✔ Open for connection
22 ✔ Open for connection
23 ✔ Open for connection
24 ✔ Trunk connection to EXT-2

4.10.3.7 Stacked 24-port External Switch Solution with Single Mode SFP
Two stacked C3850 24–port External switches with Single Mode SFP are required. One 117T6409P052Y1 item is needed to
complete the External switch pair.

Part Numbers and Descriptions


The part number for a stacked C3850 24–port External switch with Single Mode SFP for NetworkST 4.0 HA UTM systems is
117T6409P052Y1.
The following table provides the Cisco part numbers and descriptions.

Cisco Part Numbers


Quantity Part Number Description
2 WS-C3850-24S-S Catalyst 3850 24–port GE SFP IP base
2 CAB-SPWR-30CM Catalyst 3850 stack power cable 30 CM
2 STACK-T1-50CM Cisco StackWise-480 50CM stacking cable
2 PWR-C1-350WAC Catalyst 350 W AC power supply
8 GLC-T or GLC-TE Cisco 1000BASE-T SFP transceiver module for Copper
8 GLC-LH-SM= or GLC-LH-SMD GE SFP, LC connector LX/LH transceiver

Stacked C3850 24–port External Switch with Single Mode SFP Network Segregation Configuration

Port Designation per Switch
External SW (Stacked)
Port # VLAN 50 VLAN 51 VLAN 52 VLAN 53 Trunk Comments
1 ✔ Spare
2 ✔ High-speed internet connection
3 ✔ UTM-X port 3
4 ✔ UTM-X port 4
5 ✔ UTM-X port 5
6 ✔ UTM-X port 6
7 ✔ Lockbox connection
8 ✔ Open for connection
9 ✔ Open for connection
10 ✔ Open for connection
11 ✔ Open for connection
12 ✔ Open for connection
13 ✔ Open for connection
14 ✔ Open for connection
15 ✔ Open for connection
16 ✔ Open for connection
17 ✔ Open for connection
18 ✔ Open for connection
19 ✔ Open for connection
20 ✔ Open for connection
21 ✔ Open for connection
22 ✔ Open for connection
23 ✔ Open for connection
24 ✔ Open for connection
Stacking cable should be connected between the two switches.

4.10.3.8 Stacked 24-port External Switch Solution with Multi Mode SFP
Two stacked C3850 24–port External switches with Multi Mode SFP are required. One 117T6409P052Y2 item is needed to
complete the External switch pair.

Part Numbers and Descriptions


The part number for a stacked C3850 24–port External switch with Multi Mode SFP for NetworkST 4.0 HA UTM systems is
117T6409P052Y2.
The following table provides the Cisco part numbers and descriptions.

Cisco Part Numbers


Quantity Part Number Description
2 WS-C3850-24S-S Catalyst 3850 24–port GE SFP IP base
2 CAB-SPWR-30CM Catalyst 3850 stack power cable 30 CM
2 STACK-T1-50CM Cisco StackWise-480 50CM stacking cable
2 PWR-C1-350WAC Catalyst 350 W AC power supply
8 GLC-T or GLC-TE Cisco 1000BASE-T SFP transceiver module for Copper
8 GLC-GE-100FX SFP, LC connector LX/LH transceiver

Stacked C3850 24–port External Switch with Multi Mode SFP Network Segregation Configuration

Port Designation per Switch
External SW (Stacked)
Port # VLAN 50 VLAN 51 VLAN 52 VLAN 53 Trunk Comments
1 ✔ Spare
2 ✔ High-speed internet connection
3 ✔ UTM-X port 3
4 ✔ UTM-X port 4
5 ✔ UTM-X port 5
6 ✔ UTM-X port 6
7 ✔ Lockbox connection
8 ✔ Open for connection
9 ✔ Open for connection
10 ✔ Open for connection
11 ✔ Open for connection
12 ✔ Open for connection
13 ✔ Open for connection
14 ✔ Open for connection
15 ✔ Open for connection
16 ✔ Open for connection
17 ✔ Open for connection
18 ✔ Open for connection
19 ✔ Open for connection
20 ✔ Open for connection
21 ✔ Open for connection
22 ✔ Open for connection
23 ✔ Open for connection
24 ✔ Open for connection
Stacking cable should be connected between the two switches.

5 Project Engineering Considerations
5.1 Cabling Guidelines for Copper and Fiber-optic
A summary of cabling design guidelines with respect to copper and fiber-optic technologies follows:

• Electrical connections within a building for distances less than 90 m (295 ft) can be provided by copper CAT 5e or CAT 6
cables.
• The maximum limit for 100Base-T and 1000Base-T Ethernet is defined as 100 m (328 ft), with 10 m (32.8 ft) allocated
for potential patch cable connections at the switch and the network device. (Splitting cable conductors at patch panels can
slightly reduce the signal strength and distance allowed for copper Ethernet connections).
• Copper GbE connections cannot exceed 15 m (49 ft).
• Fiber-optic connections are required between buildings. Fiber-optic cables provide electrical isolation between differing
ground potentials that occur between buildings. This is normally most important with lightning strikes within a distance
of a few miles of a plant, where the resulting electrical potential wave reaches different buildings at different times. When
the electrical ground wave reaches one building before the next, large electrical potential spikes are generated across
inter-building links. A large spike can destroy the network switch or its port, and smaller spikes can disrupt data
transmission.
• PVC conduit is recommended underground for fiber-optic connections because the bends can be formed with a much
larger radius than with metal conduit. Gradual bends can be implemented to bring the conduits above ground to meet
pull boxes as required to minimize pull stress.

5.2 Fiber-optic Cable Network Design
When designing a fiber-optic network, note the following system considerations:

• Redundancy should be considered for continuing central control room (CCR) access to the turbine controls. Redundant
HMIs, fiber-optic links, Ethernet switches, and power supplies are recommended.
• The optical power budget for the link should be considered. The total budget refers to the brightness of the light source
divided by the sensitivity of the receiver. These power ratios are expressed in dB to simplify calculations. The difference
between the dB power of the source and the dB power of the receiver represents the total power budget. This must be
compared to the link losses made up of the connector and cable losses.
• Installation of the fiber-optic cable can decrease its performance compared to factory-new cable. Installers might not
make the connectors as well as experts can, resulting in more loss than planned. The LED light source can get dimmer
over time, the connections can get dirty, the cable loss increases with aging, and the receiver can become less sensitive.
There must be a margin between the available power budget and the link loss budget of a minimum of three (3) dB.
Having a six (6) dB margin is more comfortable, helping assure a fiber-optic link that will last the life of the plant.
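The budget and margin calculation described above, worked through as an added example (not code from GEH-6840F). The transmitter, receiver, attenuation and connector figures are constructed sample values, not vendor specifications:

```python
"""Optical power budget and margin check for a fiber-optic link.

Added example (not from GEH-6840F). All transmitter, receiver and loss
figures below are constructed sample values, not vendor specifications.
"""
from dataclasses import dataclass, field
from typing import List

MIN_MARGIN_DB = 3.0          # minimum margin stated in the guide
COMFORTABLE_MARGIN_DB = 6.0  # margin the guide calls comfortable for the life of the plant


@dataclass
class FiberLink:
    source_dbm: float                 # transmitter launch power, dBm
    receiver_sens_dbm: float          # receiver sensitivity, dBm (more negative = more sensitive)
    length_km: float                  # installed cable length, km
    atten_db_per_km: float            # cable attenuation at the operating wavelength, dB/km
    connector_losses_db: List[float] = field(default_factory=list)  # one entry per mated connector pair
    splice_losses_db: List[float] = field(default_factory=list)     # one entry per splice
    aging_allowance_db: float = 0.0   # allowance for LED dimming, dirty connectors, cable aging

    def power_budget_db(self) -> float:
        """Source power minus receiver sensitivity: the total budget in dB."""
        return self.source_dbm - self.receiver_sens_dbm

    def fixed_losses_db(self) -> float:
        """Losses that do not scale with cable length."""
        return sum(self.connector_losses_db) + sum(self.splice_losses_db) + self.aging_allowance_db

    def link_loss_db(self) -> float:
        """Cable loss plus connector, splice and aging losses."""
        return self.length_km * self.atten_db_per_km + self.fixed_losses_db()

    def margin_db(self) -> float:
        """What is left of the budget after the link loss; must stay above MIN_MARGIN_DB."""
        return self.power_budget_db() - self.link_loss_db()


def assess(link: FiberLink) -> str:
    """'fail' below the 3 dB minimum, 'marginal' between 3 and 6 dB, 'ok' at 6 dB or more."""
    margin = link.margin_db()
    if margin < MIN_MARGIN_DB:
        return "fail"
    if margin < COMFORTABLE_MARGIN_DB:
        return "marginal"
    return "ok"


def max_length_km(link: FiberLink, required_margin_db: float) -> float:
    """Longest cable run that still leaves required_margin_db, given the link's fixed losses."""
    usable = link.power_budget_db() - link.fixed_losses_db() - required_margin_db
    return max(0.0, usable / link.atten_db_per_km)


# Constructed sample: a 3 km single-mode run through two patch panels (four mated
# connector pairs), two splices and a 1 dB allowance for aging.
SAMPLE_LINK = FiberLink(
    source_dbm=-9.5,
    receiver_sens_dbm=-19.0,
    length_km=3.0,
    atten_db_per_km=0.4,
    connector_losses_db=[0.5, 0.5, 0.5, 0.5],
    splice_losses_db=[0.1, 0.1],
    aging_allowance_db=1.0,
)

if __name__ == "__main__":
    print(f"budget {SAMPLE_LINK.power_budget_db():.1f} dB, "
          f"loss {SAMPLE_LINK.link_loss_db():.1f} dB, "
          f"margin {SAMPLE_LINK.margin_db():.1f} dB -> {assess(SAMPLE_LINK)}")
    print(f"max run for a 6 dB margin: {max_length_km(SAMPLE_LINK, COMFORTABLE_MARGIN_DB):.2f} km")
```

The sample link lands between the 3 dB minimum and the 6 dB comfortable margin, and max_length_km shows how far the same hardware could be pushed for each target margin.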

5.2.1 Standards
1000BaseLX – Single-mode fiber-optic (SMF)
5 km over 9-µm single-mode fiber-optic

1000BaseSX – Multi-mode fiber-optic (MMF)
550 m (1804 ft) - 50/125-µm fiber-optic (exceeding 550 m (1804 ft) will probably function but can reduce signal quality and
link reliability).

5.2.2 Cables
Fiber-optic cable is an effective substitute for copper cable, especially when longer distances are required, or electrical
disturbances are a serious problem. The main advantages of fiber-optic transmission in the power plant environment are:

• Fiber-optic segments can be longer than copper because the signal attenuation per foot is less. Fiber-optics is a good
choice for high-bandwidth transmission over longer distances.
• In high-lightning areas, copper cable can pick up currents, which can damage the communications electronics. Since the
glass fiber does not conduct electricity, it provides immunity to lightning and reduces lightning-caused outages.
• Grounding problems are avoided with optical cable. The ground potential can rise when there is a ground fault on
transmission lines caused by currents coming back to the generator neutral point.
• Optical cable can be routed through a switchyard or other electrically noisy area and not pick up any interference. This
can shorten the required runs and simplify the installation.
• Fiber-optic cable with proper jacket materials can be run direct buried, in trays, or in conduit.
• High quality optical fiber cable is light, tough, and easily pulled. With careful installation, it can last the life of the plant.
• The total cost of installation and maintenance of a fiber-optic segment can be less than a copper segment.
• Fiber-optic cables can be run in the same conduit or path as the power cables.
Fiber-optic network connections should always be used when:

• The distance between components exceeds the communications specifications limits of copper transmission.
• The grounding conditions require isolation.
• Outside runs are required.

Note Refer to the Fiber-optic Cable and Patch Panel Selection (GHT-200001).

The NetworkST 3.1 topology design is standardized on SMF cable for the following reasons:

• To minimize variation of equipment, therefore simplifying the network switches' Bill of Material (BOM).
• Simplification of network design due to elimination of the 550 m (1804 ft) limit for Gigabit Ethernet with multi-mode
fiber-optic cable.
• SMF cable is the standard for network applications using Gigabit Ethernet.
Two connectors are required for duplex operation of each fiber-optic link. Each link consists of two fibers, one outgoing and
the other incoming, to form a duplex channel. The outgoing fiber is driven by a light emitting diode, and the incoming fiber
illuminates a photo-transistor, which generates the incoming electrical signal.
The fiber is protected with buffering, which is the equivalent of insulation on metallic wires. Mechanical stress is harmful to
fibers, so a strong sheath is used, sometimes with pretensioned Kevlar® fibers to carry the stress of pulling and vertical runs.
Connectors for a power plant need to be fastened to a robust cable with its own buffering.

5.3 Legacy Device Compatibility
The following table provides a summary of GE Mark Controls legacy device compatibility information with references.

Legacy Device | Reference Documents | NetworkST 3.1 Compatibility Notes
GEDS Standard Message (GSM) Gateway | Mark V Turbine Control Application Guide (GEH-6195) | Mark V Control required that acts as bridge between Stage Link and Ethernet.
Mark VI Control | Mark VI Control System Guide - Vol I-II (GEH-6421) | Early forms of Mark VI controllers used coaxial Ethernet cabling. Use Mark VI Control System Guide Vol II to determine supported cable connections.
EX2100 Excitation Control | EX2100 Excitation Control User's Guide (GEH-6632) | ACLE or ACLA board provides Ethernet interface, limited to 10Base-T.
LS2100 Static Starter Control | LS2100 Static Starter Control User Guide (GEH-6679) | Early forms of UCVx controller used coaxial Ethernet cabling.

5.3.1 Retrofit Cases


Connection of new equipment to previous generation field networks should be done in accordance with diagrams and
specifications prepared on a job specific basis. Care should be taken when ordering new switches such that their IP addresses
do not overlap with existing switch IP addresses. The IP address of each device on the network should be contained in the
host file of every computer on the network.

5.4 System Upgrades
This section describes how to upgrade from one system to the next. All equipment is reusable. Refer to the system network
diagrams in this document as you read through this section.

5.4.1 Small System Upgrades


System upgrades are limited by the number of switch ports available.
To upgrade from a small system to a small extended system, add an additional set of root switches and sets of edge switches
(up to the maximum allowed) as necessary to support the expanded system design.

5.4.2 Small Extended System Upgrades


To upgrade from a small extended system to a large system, add a pair of core fiber-optic stacked switches between the
control room switches and the switches for the edge switches. Connect the edge switches and the control room switches to the
fiber-optic stacked switches.

5.4.3 Large System Upgrades


This requires custom engineering. The large system supports one control room switch set and up to 11 edge switch sets. To
upgrade from a large system to a large extended system, create as many large system designs as needed. Connect the
fiber-optic stacked switch pairs in their own edge switches with fiber-optic cable.

5.4.4 Large Extended System Upgrades


The large extended system can support two control room switch sets and up to 20 sets of edge switches. Extension beyond
these limits requires custom engineering.

5.5 Legacy System Compatibility/Upgrade Paths
5.5.1 Mark V Control-ARCNET®
The technology referenced in this document does not contain any changes to ARCNET Stagelink used for Mark V units.
When Mark V unit controls are migrated to Mark Ve or Mark VIe control, the network technology presented in this manual
should be applied to the network design as part of the retrofit process.

5.5.2 Retrofit Cases


Connection of new equipment to previous generation field networks should be done in accordance with diagrams and
specifications prepared on a job specific basis. Care should be taken when ordering new switches such that their IP addresses
do not overlap with existing switch IP addresses. The IP address of each device on the network should be contained in the
host file of every computer on the network.
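The overlap check that sections 5.3.1 and 5.5.2 call for, as an added example (not code from GEH-6840F): it reads the site hosts file the guide says every computer should carry, reports candidate switch addresses that collide with an existing entry, and finds the first unused address in the management subnet. The hosts file content and the 192.168.32.0/24 subnet are constructed sample values.

```python
"""Check candidate switch management addresses against the site hosts file.

Added example, not part of GEH-6840F. The hosts file below and the
192.168.32.0/24 management subnet are constructed sample values.
"""
import ipaddress
from typing import Dict, List, Optional

IPv4 = ipaddress.IPv4Address

# Constructed sample of the hosts file the guide describes: one entry per
# device on the network, in standard "address hostname [alias ...]" form.
SAMPLE_HOSTS = """\
# site hosts file (constructed sample)
127.0.0.1       localhost
192.168.32.1    root-sw1      # existing root bridge stack
192.168.32.2    edge-sw1
192.168.32.3    edge-sw2
192.168.32.20   hmi1
192.168.32.21   hmi2 historian
"""


def parse_hosts(text: str) -> Dict[IPv4, List[str]]:
    """Return {address: [hostnames]} from hosts-file text; comments and blank lines are ignored."""
    table: Dict[IPv4, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = IPv4(fields[0])
        except ipaddress.AddressValueError:
            continue                           # IPv6 entries and malformed lines are skipped
        table.setdefault(addr, []).extend(fields[1:])
    return table


def overlaps(hosts: Dict[IPv4, List[str]], candidate: str) -> Optional[List[str]]:
    """Hostnames already using `candidate`, or None when the address is free."""
    return hosts.get(IPv4(candidate))


def first_unused(hosts: Dict[IPv4, List[str]], subnet: str, reserve_low: int = 1) -> Optional[str]:
    """First host address in `subnet` absent from the hosts table.

    reserve_low skips that many addresses at the bottom of the range (gateway and the like).
    """
    net = ipaddress.IPv4Network(subnet)
    for index, addr in enumerate(net.hosts()):
        if index < reserve_low or addr in hosts:
            continue
        return str(addr)
    return None


def check_new_switches(hosts: Dict[IPv4, List[str]], candidates: List[str]) -> Dict[str, List[str]]:
    """Map each candidate address that collides with an existing entry to the names already using it."""
    conflicts: Dict[str, List[str]] = {}
    for cand in candidates:
        names = overlaps(hosts, cand)
        if names is not None:
            conflicts[cand] = names
    return conflicts


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    print("conflicts:", check_new_switches(table, ["192.168.32.3", "192.168.32.4"]))
    print("first free:", first_unused(table, "192.168.32.0/24"))
```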

5.5.3 Setup
Network switches are set up according to the Site Network Topology drawing. The core fiber-optic switches for the new
simplified network topology are connected to the legacy network root bridge or control room fiber-optic switch by
multi-mode fiber-optic cables.

5.6 System Limitations


Component | Limitations
System | Controllers can support up to a maximum of 10 supervisory computers with individual alarm communication connections to the controller. The OSM and Historian require individual alarm communication connections to the controller. These should not be included in the 10 connection limit calculation.
Operating System | Windows® XP and Windows 7 support a maximum of 10 simultaneous network connections. This is a Microsoft limitation and additional network connections will be refused.
CimView Application | On any computer, a recommended maximum of 16 CIMPLICITY HMI screens (windows) should be active at any point in time, including those in cache (eight active screens + eight in cache). Exceeding this limit could result in poor computer performance.
WorkstationST application | A single supervisory computer running the WorkstationST application can monitor up to 100 devices. The WorkstationST OPC DA Server is limited to 500 k points maximum.
GE Controller | Alarm transitions per second on a single controller - 400 per frame (burst). Alarms configured - 4096 (These can be all Boolean, all analog, or any combination.). 10 commands per second total from any command source: Modbus, GSM, OPC, HMI (EGD commands). Communications connections (exclusive of EGD) - maximum of 100.

5.7 Cisco 3750X Switch Replacement with Cisco 3850 Switch
The Cisco 3750X stacked network switch has been marked for end of life. As such, a new switch, the Cisco 3850 stacked
network switch has been qualified as a replacement. The 3850 can be used to replace 3750X switches in an existing
installation. It has been validated that a 3850 stack operates correctly in an existing network comprised of 2960S stacks and
2960X stacks and IE2000 switches. A 3850 switch stack can be used as a replacement for a 3750X switch stack.
There is one caveat when using the 3850 as a replacement for the 3750X. In the existing configuration, the switches operate in
a configuration of two or more switches that are stacked to form a single functional switch. A 3850 switch cannot be
stacked with a 3750X switch. When replacing a failed 3750X switch in a stack, it is necessary to replace all switches in
the stack.

5.7.1 Stacked Root Bridge Switch Replacement


This procedure defines the process of replacing a Cisco 3750X stacked switch (Root) with a Cisco 3850 stacked switch
(Root). When performing this procedure on a running system, careful planning and procedure execution must be performed to
reduce the risk of causing an outage to the system.

Warning Replacing a root bridge switch in a running system is a high-risk procedure and should only be performed under
circumstances in which the replacement cannot be delayed until a system outage. The root bridge is the focal point of the
network and significant network disturbances leading to an unplanned outage may occur. It is recommended that this
procedure only be undertaken by experienced network professionals.

This procedure is dependent on redundant communication links on all of the devices that are connected to the network. Any
devices that do not have redundant communication links could lose communication during this replacement procedure. The
system owner needs to understand which devices do not provide redundant communication links and understand the impacts
of communication loss on their system.
The system owner needs to confirm that there are no lurking communication faults in the system prior to performing this
procedure. When replacing a 3750X stacked switch when one of the switches in the stack has failed, confirm that
communication can be established with the devices connected to the switch that is still functioning.

Attention The steps in the following procedure must be performed in the exact order given.

➢ To replace a 3750X root bridge switch stack

Note The 3750X switch configuration is not compatible with the 3850. Any changes that may have been made to the
existing 3750X will need to be made on the new 3850. If network customizations were made, update the 3850 configuration
to include the modifications prior to adding it to the network.

1. Identify an unused switch IP address on the network (on the switch management network).
2. Apply power to the new 3850 and allow it to boot.
3. Using Appendix E: Set Switch IP Address and Hostname, log onto the new 3850 and set the IP address of the new 3850
switch to the unused IP address that was identified in step 3. Set the Hostname to NewSwitch.
4. One at a time, move the trunk links from the failed switch in the 3750X stack to the same switch and port position in the
new 3850 stack. Be sure to leave the trunk links to the functional 3750X switch connected.
5. At this point half of the connections should be to the existing 3750X switch and half of the connections should be to
the new 3850 switch.
6. At a minimum, verify the link presence light on the replacement switch device ports is lit. The light is typically green, but
may be amber to indicate the port is configured at a slower speed. The light should be the same color as the
corresponding port on the functional 3750X stack. For additional assurance, verify communication to equipment
connected to the new switch following the procedure in Appendix B: Validate Communication to Devices.
7. One at a time, move the trunk links from the remaining switch in the 3750X stack to the same switch and port position in
the new 3850 stack.
8. At a minimum, verify the link presence light on the replacement switch device ports is lit. The light is typically green, but
may be amber to indicate the port is configured at a slower speed. The light should be the same color as the
corresponding port of the other members of the 3850 stack. For additional assurance, verify communication to equipment
connected to the new switch following the procedure in Appendix B: Validate Communication to Devices.
9. The 3750X switch stack should now be powered down and removed. Any functional switches in the stack can be retained
to act as spares to address future failures.
10. Using the procedure in Appendix E: Set Switch IP Address and Hostname on the new 3850 stacked switch, set the
management interface IP address and Hostname to match the values of the replaced switch.

5.8 Cisco 2960S Switch Replacement with Cisco 2960X Switch
The Cisco 2960S stacked network switch has been marked for end of life. As such, a new switch, the Cisco 2960X stacked
network switch has been qualified as a replacement.
It has been validated that the 2960X can be used to replace 2960S switches in an existing installation. It has been validated
that a 2960X stack operates correctly in an existing network comprised of 2960S stacks and 3750X root switches. A 2960X
switch stack can be used as a replacement for a 2960S switch stack.
There is one caveat when using the 2960X as a replacement for the 2960S. In the existing configuration, the switches operate
in a configuration of two or more switches that are stacked to form a single functional switch. A 2960X switch cannot be
stacked with a 2960S switch. When replacing a failed 2960S switch in a stack, it is necessary to replace all switches in
the stack.

5.8.1 Stacked Edge Switch Replacement


This procedure defines the process of replacing a Cisco 2960S stacked switch (Edge) with a Cisco 2960X stacked switch
(Edge). When performing this procedure on a running system, careful planning and procedure execution must be performed to
reduce the risk of causing an outage to the system.
This procedure is for 2960S switches that are not acting as the root bridge switch. For 2960S switches that are operating as the
root bridge switch, follow the procedure in the next section "Replace Cisco 2960S Stack Switch Root Bridge…"
The system owner needs to understand the equipment that is connected to the stacked switch that is to be replaced and
understand the potential impacts of communication loss from the equipment.
This procedure is dependent on redundant communication links on all of the devices that are connected to the 2960S stacked
network switch that is being replaced. Any devices that do not have redundant communication links will lose communication
during this replacement procedure. The system owner needs to understand which devices do not provide redundant
communication links and understand the impacts of communication loss on their system.
The system owner needs to confirm that there are no lurking communication faults in the system prior to performing this
procedure. When replacing a 2960S stacked switch when one of the switches in the stack has failed, confirm that
communication can be established with the devices connected to the switch that is still functioning.
The steps in the following procedure must be performed in the exact order given.

➢ To replace an edge switch stack


1. Back up the existing 2960S switch configuration using the procedure in Appendix C: Backup Existing Switch
Configurations.
2. Edit the existing 2960S configuration as follows to replace 's' with 'x':
switch 1 provision ws-c2960x-24ts-l
switch 2 provision ws-c2960x-24ts-l
switch 3 provision ws-c2960x-24ts-l
switch 4 provision ws-c2960x-24ts-l
3. Load the backed up 2960S switch configuration into the 2960X stack using the procedure in Appendix D: Load Switch
Configuration from USB Port.
4. Identify an unused switch IP address on the network (on the switch management network).
5. Using Appendix E: Set Switch IP Address and Hostname, log onto the new 2960X and set the IP address of the new
2960X switch to the unused IP address that was identified in step 3. Set the Hostname to NewSwitch.
6. One at a time, move the trunk links from the failed switch in the 2960S stack to the same switch and port position in the
new 2960X stack. Be sure to leave the trunk links to the functional 2960S switch connected.

7. One at a time, move the equipment links from the failed switch in the 2960S stack to the same switch and port position in
the new 2960X stack. Be sure to leave the equipment links to the functional 2960S switch connected.
8. At this point half of the connections should be to the existing 2960S switch and half of the connections
should be to the new 2960X switch.
9. At a minimum, verify the link presence light on the replacement switch device ports is lit. The light is typically green, but
may be amber to indicate the port is configured at a slower speed. The light should be the same color as the
corresponding port on the functional 2960S stack. For additional assurance, verify communication to equipment
connected to the new switch following the procedure in Appendix B: Validate Communication to Devices.
10. One at a time, move the equipment links from the remaining switch in the 2960S stack to the same switch and port
position in the new 2960X stack.
11. One at a time, move the trunk links from the remaining switch in the 2960S stack to the same switch and port position in
the new 2960X stack.
12. At a minimum, verify the link presence light on the replacement switch device ports is lit. The light is typically green, but
may be amber to indicate the port is configured at a slower speed. The light should be the same color as the
corresponding port of the other members of the 2960X stack. For additional assurance, verify communication to
equipment connected to the new switch following the procedure in Appendix B: Validate Communication to Devices.
13. The 2960S switch stack should now be powered down and removed. Any functional switches in the stack can be retained
to act as spares to address future failures.
14. Using the procedure in Appendix E: Set Switch IP Address and Hostname on the new 2960X stacked switch, set the
management interface IP address and Hostname to match the values of the replaced switch.

5.8.2 Stacked Root Bridge Switch Replacement
Replacing an entire 2960S stacked root bridge switch with a 2960X stacked root bridge switch is not recommended on
operating equipment. If it is necessary to replace a 2960S root bridge with a 2960X root bridge it is recommended that it be
scheduled when the equipment is out of service to eliminate the risk of a communication failure causing an unplanned outage.
During an equipment outage, the 2960S root bridge stacked switch can be replaced with a new 2960X root bridge stacked
switch as a drop-in replacement. As was mentioned above, it is not possible to mix 2960X switches and 2960S switches in the
same stacked pair. The entire stacked switch pair must be replaced.
If it is not possible to wait for a system outage to repair the equipment, it is recommended that the system owner replace a
2960S edge stacked switch in the system with a 2960X edge stacked switch. The system owner can then replace the failed
switch in the root bridge using one of the 2960S edge switches that were removed from the system. When the 2960S switch is
attached in place of the failed 2960S switch, it will read the configuration from the running switch and configure itself to
match the running switch. Prior to connecting the replacement 2960S it is recommended to remove the former configuration
of the switch using the following procedure:

➢ To remove a switch configuration


1. Isolate the switch to act as a single switch (remove all stacking cables).
2. Attach to the console connection of the switch.
3. Power-up the switch in the pre-boot command mode (Refer to Appendix A: Common Procedures).
a. Hold down the Mode button when powering up until the Syst light is on solid (about 45 seconds).
4. Issue the following commands:
a. flash_init
b. dir flash: (Optional, shows the files that will be deleted)
c. delete flash:config.text
d. delete flash:vlan.dat
5. Power down the switch.
The switch can now be used as a replacement for the failed 2960S switch in a 2960S root bridge switch stack.

6 Security
6.1 Switch Configuration
Network access to the switch is limited to the SSH protocol. Telnet and Web access are turned off by default. Local access
may be obtained through the console, but only after successful authentication, or after the requests for authentication to
SecurityST have timed out. The authentication mechanism is RADIUS, which is integrated with Windows Active Directory in
SecurityST. If SecurityST does not exist in the control system, console access is enabled after a predefined time-out.

6.2 Logging
Login/out data is available via the syslog protocol and can be accessed using the SecurityST SIEM console.
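A small consumer for the login data described above, added here as an example (not code from GEH-6840F or SecurityST): it parses the Cisco IOS %SEC_LOGIN success and failure messages out of forwarded syslog lines, counts failed logins per source address, and flags a success that follows a run of failures from the same source. The syslog lines are constructed samples; the switch names and addresses in them are not from the guide.

```python
"""Summarize switch login events received over syslog (section 6.2).

Added example; not part of GEH-6840F or SecurityST. The syslog lines
below are constructed samples in the Cisco IOS %SEC_LOGIN message format.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, NamedTuple, Tuple

# Constructed sample: a normal login on root-sw1, three failed attempts on
# edge-sw1 from one source followed by a success from that same source, one
# typo'd password from an operator, and an unrelated config-change message.
SAMPLE_SYSLOG = """\
Jun  4 10:15:02 root-sw1 45: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netadmin] [Source: 192.168.32.20] [localport: 22] at 10:15:02 UTC Mon Jun 4 2018
Jun  4 10:16:11 edge-sw1 301: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.168.32.99] [localport: 22] [Reason: Login Authentication Failed] at 10:16:11 UTC Mon Jun 4 2018
Jun  4 10:16:19 edge-sw1 302: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.168.32.99] [localport: 22] [Reason: Login Authentication Failed] at 10:16:19 UTC Mon Jun 4 2018
Jun  4 10:16:27 edge-sw1 303: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 192.168.32.99] [localport: 22] [Reason: Login Authentication Failed] at 10:16:27 UTC Mon Jun 4 2018
Jun  4 10:16:40 edge-sw1 304: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 192.168.32.99] [localport: 22] at 10:16:40 UTC Mon Jun 4 2018
Jun  4 10:20:05 root-sw1 46: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: netadmin] [Source: 192.168.32.20] [localport: 22] [Reason: Login Authentication Failed] at 10:20:05 UTC Mon Jun 4 2018
Jun  4 10:21:00 root-sw1 47: %SYS-5-CONFIG_I: Configured from console by netadmin on vty0 (192.168.32.20)
"""


class LoginEvent(NamedTuple):
    switch: str
    event: str      # "LOGIN_SUCCESS" or "LOGIN_FAILED"
    user: str
    source: str     # address the SSH/console session came from


# syslog header (timestamp, reporting switch, sequence number) followed by the IOS message
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+(?P<switch>\S+)\s+\d+:\s+"
    r"%SEC_LOGIN-\d-(?P<event>LOGIN_SUCCESS|LOGIN_FAILED):.*?"
    r"\[user: (?P<user>[^\]]*)\]\s+\[Source: (?P<source>[^\]]+)\]"
)


def parse_events(lines: Iterable[str]) -> List[LoginEvent]:
    """Keep only login success/failure messages; other syslog traffic is ignored."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append(LoginEvent(m["switch"], m["event"], m["user"], m["source"]))
    return events


def failures_by_source(events: Iterable[LoginEvent]) -> Counter:
    """Failed login count per source address, across all switches."""
    return Counter(e.source for e in events if e.event == "LOGIN_FAILED")


def suspicious_sources(events: Iterable[LoginEvent], threshold: int = 3) -> List[Tuple[str, int]]:
    """Sources with at least `threshold` failed logins, most failures first."""
    return [(src, n) for src, n in failures_by_source(events).most_common() if n >= threshold]


def success_after_failures(events: Iterable[LoginEvent], min_failures: int = 2) -> List[Tuple[str, str]]:
    """(source, user) for each success preceded by >= min_failures consecutive failures from that source."""
    pending: Dict[str, int] = defaultdict(int)
    hits: List[Tuple[str, str]] = []
    for e in events:
        if e.event == "LOGIN_FAILED":
            pending[e.source] += 1
            continue
        if pending[e.source] >= min_failures:
            hits.append((e.source, e.user))
        pending[e.source] = 0      # a success ends the run, flagged or not
    return hits


if __name__ == "__main__":
    evts = parse_events(SAMPLE_SYSLOG.splitlines())
    print("suspicious sources:", suspicious_sources(evts))
    print("success after failures:", success_after_failures(evts))
```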

6.3 Passwords
Passwords associated with privileged access to the switches will be changed by the customer at time of commissioning.

6.4 RSA Keys


Communication to a switch using an SSH client requires shared keys to be generated on each switch device. The keys are
generated at the time of commissioning using the following command:
crypto key generate rsa general-keys modulus 2048

Appendix A: Common Procedures
This section defines some common procedures used in switch management.

Connect a Terminal to a Switch


Switches accept console connections for the purpose of managing or diagnosing switch configuration and operation. There
are three common methods for connecting to the switch console: two use physical connections and one uses the switch's
management interface over the network. The latter is not available until after the switch has been configured.

➢ To connect a terminal to a switch using a RS-232 port


1. Obtain a computer (typically a laptop) with an RS-232 port or a USB to RS-232 adapter and a terminal emulation
program (such as PuTTY or TeraTerm).
2. Use a Cisco cable (typically DB-9 to RJ-45) to connect to the RJ-45 port marked Console on the switch.
3. Set the terminal emulator program to use the proper COM port at 9600 Baud, 8 Data Bits, 1 Stop Bit, no Parity, and no
Flow Control.

➢ To connect a terminal to a switch using a USB port


1. Obtain a computer (typically a laptop) with an open USB port, the Cisco USB port driver (the Cisco USB port driver
emulates a COM port), and a terminal emulation program (such as PuTTY or TeraTerm).
2. Use a Cisco cable (USB to RJ-45 or USB to micro-USB) to connect to either the RJ-45 port or the micro USB port
marked Console on the switch.
3. Set the terminal emulator program to use the proper COM port at 9600 Baud, 8 Data Bits, 1 Stop Bit, no Parity, and no
Flow Control.

➢ To connect via the Ethernet Management Interface (Configured switches only)
1. Obtain a computer connected to a network that can access the management interface network for the switch with an SSH
client program (such as PuTTY or the Tectia™ SSH Client).
2. Request that the SSH client connect to the switch management IP address.

Note To prevent providing your switch credentials during a man-in-the-middle attack, use the capabilities of the SSH client
to verify the public keys on the switch prior to providing your credentials. Do not provide network credentials to switches that
you do not recognize or trust.

Log On to a Switch
Logging onto a switch establishes the user's identity, which determines the privilege level of the user.
If a switch is connected to a SecurityST* system then the username and password used should be a domain account that is a
member of the Network Administrators group.
If the switch is not connected to a SecurityST system then the switch local username and password should be used.

➢ To log on to a switch
1. Connect a console terminal to the switch, or use an SSH client to connect to the management interface on the switch.
2. Select <ENTER> on the terminal session.
3. When prompted, enter the Username and Password for access to the switch.

Note The GE configurations include using RADIUS servers to validate the user's identity and establish their privilege level.
If no RADIUS servers are present the local switch account(s) will be enabled. It will take up to a minute for the switch to give
up trying to contact the RADIUS servers and use the local account(s).

Enable Command (EXEC) Mode
After logging into a switch it will typically be in a non-privileged mode. To issue commands or view the configuration you
must enable command (EXEC) mode on the switch.

➢ To enable command (EXEC) mode


1. Enter the command: enable
2. When prompted, enter the EXEC mode password

Enable Configuration Mode


Configuration mode is a mode that is entered from EXEC mode, where the switch configuration can be edited or altered.
When in normal EXEC mode the prompt will be: <hostname>#
To enter configuration mode: config term (or the simplified: config t)
When in configuration mode the prompt will be: <hostname>(config)#
Entering configuration sub-modes (such as VLANs, interfaces, or subsystems) will alter the prompt to include the subsystem
as well, making the prompt: <hostname>(config-mode)#
To leave the current level to the next higher level: <hostname>(config)# exit
To leave configuration mode (from any depth): <hostname>(config)# end

Determine the Management Interface, IP Address, and Network Mask
Each switch will listen on (typically one) VLAN network for management connections at a particular IP address. Sometimes
you may have a switch where you need to find out what VLAN and IP address the switch is using. The easiest way to do this
is to check the special management VLAN (VLAN 32), and if it is not found then check the PDH VLAN (VLAN 201).

➢ To determine the management interface, IP address, and network mask


1. Connect to the console port, log in, and enable commands
2. Check for the management VLAN using the command: show running-config interface vlan 32.
3. If the above command returns the switch IP address and network mask, then use those values for the VLAN, IP address,
and network mask.
4. If the above did not return the management interface information, check the PDH by using the command: show
running-config interface vlan 201.
5. If the above command returns the switch IP address and network mask, then use those values for the VLAN, IP address,
and network mask.
6. If the above did not return the management interface information, then the switch has not been configured with a
management interface on either VLAN and may need an initial configuration load.

Determine the Relative Switch Number Within a Stack
There are a few commands that require knowing the relative switch number within a stack; these typically have to do with
the naming of the physical ports or USB ports. In some procedures it is required to know the switch number (1..n) of a switch
within the stack.

➢ To determine the relative switch number within a stack

1. Press the Mode button on any switch in the stack until the Stack light is lit.
2. The number of port lights that are on indicates the number of switches in the stack. The port light that is
slow-blinking indicates the number of that switch. (The port 1 light blinks on switch 1, the port 2 light blinks
on switch 2, and so forth.)
3. The display eventually reverts to normal. If needed, use the Mode button to re-select the Stack mode
again.
If a console session is already open, the command show switch lists every stack member with its switch number, role
(master or member) and state, which avoids reading the LEDs.

Determine USB Device Availability and Designation


Different switches have different capabilities when it comes to USB ports. On switches with multiple ports the ports are
typically numbered from top-to-bottom (low numbers on top, higher numbers at bottom) and left-to-right (low numbers on
left, higher numbers to the right).
Within a stack, the numbering of the USB ports follows the relative switch number in the stack. (Refer to the previous
procedure for determining the relative switch number within a stack.)
The standard name for a USB flash device is: "usbflash<n><s>:"

• <n> is the port number on the switch (0..n)


• <s> is the switch number within the stack (1..n)
• Leaving the <s> off defaults to switch number 1, so "usbflash0:" is the same as "usbflash01:", and "usbflash1:" is the
same as "usbflash11:"

➢ To view a list of the available flash devices


1. Log on to the switch and enable command mode
2. Issue the following command: show file system
3. The available flash devices will be shown, look for "usbflash<n>:” and "usbflash<n><s>:” lines, which indicate USB
devices that are attached and available.

Power-up in Pre-boot Command Mode
Booting a switch into pre-boot command mode allows a console terminal to issue commands before the switch has
booted into the operating system and loaded a configuration. This mode can be used to alter configurations prior to
the actual boot process. Typically this is done to access the flash file system and remove configurations, returning the switch
to a factory-clean configuration in preparation for it to receive the actual desired configuration. Because this mode bypasses
the configured passwords (it is the same path used for password recovery), physical access to the switch console and Mode
button must be controlled.

➢ To power-up in pre-boot command mode


1. Remove power from the switch.
2. Press and hold the Mode button on the switch while applying power.
3. Keep the Mode button depressed until the Syst light stays on solid. (This is typically about 45 seconds.)
4. Release the button, the console should report that it is ready to accept commands and offers the list of commands needed
to enable the flash file system and continue to boot the switch.

Appendix B: Validate Communication to
Devices
To verify that communication is possible through a switch it is necessary to trigger a communication path that must go
through the switch under test. This is difficult when using equipment that supports network teaming (such as an HMI or
Historian) but is rather easy for equipment that does not.
Mark VI and Mark VIe controllers are ideal for testing switch communication paths since they provide redundancy by having
separate controllers on separate switches. For example: The <R> controller may be fed through one stacked switch while the
<S> and <T> controllers are fed through a different switch in the stack. In this case a ping or ToolboxST connection to the
<R> controller would test one switch in the stack while a ping or ToolboxST connection to the <S> or <T> controller would
test the other switch.

➢ To verify devices that support network teaming connected directly to the switch being tested
1. From the switch, verify the port light is showing as being connected.
2. In the teamed device (HMI, Historian, Engineering Workstation…) open the Control Panel (View by: Small icons) -
Network and Sharing Center - Change Adapter Settings and verify that the UDH and PDH ports show as being
connected.

➢ To verify devices that do not support network teaming

1. Go to any computer (HMI, Historian, Engineering Workstation…) that is not connected to the switch under test.
2. Open a command prompt and use ping to test connections to the controllers attached to the switch under test.
3. Open the ToolboxST application from an HMI or EWS and establish a connection to the controllers attached to the switch
under test. A successful ping only shows that the switch forwards traffic; the ToolboxST connection confirms the
application path as well.
To verify third-party devices connected to the switch under test, use ping or some other application-level connection to verify
that the switch is forwarding traffic to the device.
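The script below is an added example (not part of GEH-6840F or of any GE tool) that automates the non-teamed test above: each stack member is probed through the controllers cabled to it, and a member passes only if every controller behind it answers. The controller-to-switch mapping and the addresses are constructed for the example, the ping command is the operating system's own (Linux or Windows argument syntax), and, as the appendix requires, it must run on a machine that is not connected to the stack under test. The probe function is injectable so the report logic can be checked without a network.

```python
"""Exercise each member of a switch stack through the controllers behind it.

Added example for Appendix B; not part of GEH-6840F or any GE tool. The
mapping below is constructed: <R> is assumed to be behind stack member 1,
<S> and <T> behind member 2. A ping only proves forwarding; the ToolboxST
connection in the appendix still confirms the application path.
"""
import platform
import subprocess

# Constructed example mapping (which controller is cabled to which member).
CONTROLLERS_BY_SWITCH = {
    1: {"R": "172.16.20.11"},
    2: {"S": "172.16.20.12", "T": "172.16.20.13"},
}


def icmp_probe(ip, timeout_s=2):
    """True if a single ICMP echo request to ip is answered within timeout_s."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000), ip]
    else:                                  # Linux iputils syntax (-W in seconds)
        cmd = ["ping", "-c", "1", "-W", str(timeout_s), ip]
    try:
        done = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout_s + 3)
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False
    return done.returncode == 0


def validate_stack(mapping, probe=icmp_probe):
    """Probe every controller per stack member; a member passes only if all answer.

    'probe' is injectable so the report logic can be exercised without a network."""
    report = {}
    for switch, controllers in mapping.items():
        reachable, unreachable = [], []
        for name, ip in controllers.items():
            (reachable if probe(ip) else unreachable).append(f"<{name}> {ip}")
        report[switch] = {"reachable": reachable, "unreachable": unreachable,
                          "ok": not unreachable}
    return report


def failed_switches(report):
    """Stack members with at least one unreachable controller, lowest number first."""
    return sorted(sw for sw, r in report.items() if not r["ok"])


if __name__ == "__main__":
    result = validate_stack(CONTROLLERS_BY_SWITCH)
    for sw, r in sorted(result.items()):
        print(f"switch {sw}: {'OK' if r['ok'] else 'FAIL'} "
              f"reachable={r['reachable']} unreachable={r['unreachable']}")
```

Run it from an HMI or EWS that is not attached to the stack under test; a member listed by failed_switches is the one whose forwarding path needs investigation, and a member with no controllers behind it cannot be tested this way at all.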

Appendix C: Backup Existing Switch
Configuration
➢ To back up an existing switch configuration
1. Insert a USB flash drive into the USB port on the front of a functional Cisco 2960-S switch.
2. Attach to the console port of the switch, log on, and enable commands.
3. Determine the designation of the USB drive (in this example we will use "usbflash0:").
4. Verify the USB flash drive by entering the following command at the switch prompt:
a. dir usbflash0:
b. The command returns the content of the USB flash drive, if any.
5. Enter the following command to copy the running configuration into the startup configuration:
a. copy running-config startup-config
6. Copy the content of the startup-config to a new file on the USB flash drive. Example:
a. copy startup-config usbflash0:/sw25_startup_config.txt
b. Accept the destination filename at the prompt and wait for the copy to complete.

Note The backup contains the switch credentials (the enable secret hash, local usernames, SNMP community strings and
any type 7 passwords), so treat the USB drive as sensitive and erase it once the configuration has been transferred. The
RSA key pair is not part of the startup-config and is therefore not backed up; it is regenerated after the configuration is
loaded (refer to Appendix D).

Appendix D: Load a switch
Configuration from a USB Port
➢ To load a switch configuration from a USB Port
1. Place the USB flash drive containing the configuration file in the switch USB port. If the destination is a stack, then the
USB port on any switch can be used.
2. Attach to the console port of a switch, log on, and enable commands.
a. If the switch has had its configuration erased, the switch will pause and ask whether you wish to enter the configuration
wizard. Answer no and you will be returned to a switch prompt; enter the enable command (there will be no
password) and continue. Until the configuration is loaded the switch has no enable secret and no access control, so
keep it off the production network and work only through the console.
b. If the switch already has a GE configuration loaded, log on as usual, remembering that with no trunk ports connected it will
not be able to contact the security servers, so the local switch username and password must be used.
3. Determine the designation of the USB drive (in this example we will use "usbflash0:").
4. At the privileged EXEC prompt (hostname#) copy the appropriate configuration file from the USB drive to nvram:
startup-config. At the prompt execute:
a. copy usbflash0:/sw25_startup_config.txt nvram:startup-config
b. Destination filename [startup-config]? <enter>
5. When the copy is completed and the prompt is displayed, remove the USB drive from the USB port in the switch.

Note If this step is skipped, the switch will hang reading from the USB port during the next step. If that happens,
remove the USB drive and power cycle the switch.

6. Enter the following command:


a. reload
b. The switch stack will reboot and load the new configuration from the nvram:startup-config file.
7. After the switch reboots, log on to the switch and verify that the prompt is the hostname of the desired switch - this
verifies that the configuration was loaded correctly.

8. Generate the switch RSA key pair. The key pair is stored separately from the startup-config, so it is not restored by the
copy in step 4, and without it the SSH server will not accept connections. The key name is built from the hostname and
the ip domain-name in the loaded configuration (HMI.local in the example), so this step must follow the reload in step 6.
Enter the following commands:
a. <hostname>#config t
b. <hostname>(config)# crypto key generate rsa general-keys modulus 2048
c. Example output:
The name for the keys will be: <hostname>.HMI.local
% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 54 seconds)
d. <hostname>(config)# exit
9. Verify that the key exists and that SSH is enabled, then exit the connection:
a. <hostname># show crypto key mypubkey rsa
b. <hostname># show ip ssh (the output should report that SSH is enabled)
c. <hostname># exit

Appendix E: Set Switch IP Address and
Hostname
The following sets the switch's IP address and subnet mask on a given management interface. If you are unsure of the
management VLAN or subnet mask to use, look at an existing (valid) configuration in another switch (or the switch
that this switch is replacing) using the procedure provided in Appendix A: Common Procedures. The management
VLAN and subnet mask should be the same on each switch; the IP address must be unique on each switch.

➢ To set the switch IP address and hostname


1. Attach to the console, log on, and enter command mode.
2. Enter Config Mode by typing:
a. config t
3. Set the hostname of the switch by typing the commands:
a. hostname <required switch hostname>
4. Set the management VLAN, IP address, and subnet mask by typing the commands where <required ip address> and
<required subnet mask> are the appropriate values for the system:
a. interface vlan <management VLAN number>
b. ip address <required ip address> <required subnet mask>
c. end
5. Save the running configuration:
a. copy running-config startup-config
6. Exit enable mode by typing:
a. exit
Example: This configures SW5-1 for a management interface on the PDH at address 172.16.201.240
config t
hostname SW5-1
interface vlan 201
ip address 172.16.201.240 255.255.240.0
end
copy running-config startup-config
exit
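The following script is an added example (not part of GEH-6840F or of any GE tool) that applies the rules of Appendix A and this appendix to configuration backups of the kind produced in Appendix C: for each saved startup-config it locates the management interface in the same order as the manual procedure (VLAN 32, then VLAN 201), checks that the address is a usable host address, that no two switches share an IP, and that the VLAN and mask agree across the set, and it flags credential-bearing lines so the USB media is handled accordingly. The VLAN numbers follow the guide; the sample configurations, hostnames and addresses are constructed for the example.

```python
"""Check saved Cisco IOS configuration backups for the management interface.

Added example for Appendix A (which VLAN/IP a switch manages on) and
Appendix E (same VLAN and mask everywhere, unique IP per switch); it is not
part of GEH-6840F or of any GE tool. Input is the plain-text configuration
written by 'copy startup-config usbflash0:/<file>.txt' (Appendix C). The
VLAN numbers follow the guide; the sample configurations, hostnames and
addresses at the bottom are constructed for this example.
"""
import ipaddress
import re

MGMT_VLAN = 32    # dedicated management VLAN, checked first (per the guide)
PDH_VLAN = 201    # Plant Data Highway VLAN, checked second

_HOST_RE = re.compile(r"^hostname\s+(\S+)\s*$")
_IFACE_RE = re.compile(r"^interface\s+Vlan(\d+)\s*$", re.IGNORECASE)
_IP_RE = re.compile(r"^\s+ip address\s+(\S+)\s+(\S+)\s*$")
# Credential-bearing lines: their presence means the backup media is sensitive.
_SECRET_RE = re.compile(
    r"^\s*(enable (secret|password)|username\s+\S+.*\b(password|secret)\b"
    r"|snmp-server community|tacacs-server key|radius-server key|key-string)",
    re.IGNORECASE,
)


def parse_config(text):
    """Return hostname, the IP/mask of every 'interface VlanN', and secret lines."""
    hostname, vlans, secrets, current = None, {}, [], None
    for line in text.splitlines():
        m = _HOST_RE.match(line)
        if m:
            hostname = m.group(1)
            continue
        m = _IFACE_RE.match(line)
        if m:
            current = int(m.group(1))       # entering an SVI block
            continue
        if line and not line[0].isspace():
            current = None                  # any other top-level line ends it
        if current is not None:
            m = _IP_RE.match(line)
            if m:
                vlans[current] = (m.group(1), m.group(2))
        if _SECRET_RE.match(line):
            secrets.append(line.strip())
    return {"hostname": hostname, "vlans": vlans, "secrets": secrets}


def management_interface(cfg):
    """Same order as the manual procedure: VLAN 32, then VLAN 201, else None."""
    for vlan in (MGMT_VLAN, PDH_VLAN):
        if vlan in cfg["vlans"]:
            ip, mask = cfg["vlans"][vlan]
            return vlan, ip, mask
    return None


def check_fleet(configs):
    """Cross-check several backups: valid host address, unique IP, one VLAN/mask."""
    findings, seen_ip, vlan_mask = [], {}, {}
    for name, text in configs.items():
        cfg = parse_config(text)
        mgmt = management_interface(cfg)
        if mgmt is None:
            findings.append(f"{name}: no management interface on VLAN {MGMT_VLAN} "
                            f"or {PDH_VLAN}; switch needs an initial configuration load")
            continue
        vlan, ip, mask = mgmt
        try:
            net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            if ipaddress.ip_address(ip) in (net.network_address, net.broadcast_address):
                findings.append(f"{name}: {ip} is the network or broadcast address of {net}")
        except ValueError as exc:
            findings.append(f"{name}: invalid address or mask: {exc}")
            continue
        if ip in seen_ip:
            findings.append(f"{name}: management IP {ip} duplicates {seen_ip[ip]}")
        seen_ip.setdefault(ip, name)
        vlan_mask[name] = (vlan, mask)
        if cfg["secrets"]:
            findings.append(f"{name}: backup holds {len(cfg['secrets'])} credential "
                            "line(s); protect and wipe the USB media after use")
    if len(set(vlan_mask.values())) > 1:
        findings.append(f"management VLAN or mask differs across switches: {vlan_mask}")
    return findings


# Constructed sample backups (not from any real site).
SW5_1 = """!
hostname SW5-1
!
enable secret 5 $1$abcd$examplehashvalue
!
interface Vlan201
 ip address 172.16.201.240 255.255.240.0
!
snmp-server community public RO
end
"""
SW5_3 = "hostname SW5-3\ninterface Vlan201\n ip address 172.16.201.240 255.255.240.0\nend\n"
ERASED = "hostname Switch\nend\n"

if __name__ == "__main__":
    for finding in check_fleet({"SW5-1": SW5_1, "SW5-3": SW5_3, "erased": ERASED}):
        print(finding)
```

Point it at the directory of backups taken before a stack replacement; the duplicate-IP and differing-mask findings are the two mistakes this appendix warns about, and the credential finding is the reminder that a startup-config on a USB stick is as sensitive as the switch login itself.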

Appendix F: Part Number Translation
Matrix
When ordering a replacement Cisco 2960X stacked switch for a Cisco 2960S it is necessary to order an equivalent part for the
type of switch that will be replaced. The following matrix provides a translation between the 2960S part numbers and the
2960X part numbers:

Previous Part Number   New Part Number   General Description                                                                 Notes
323A4747CSP13A         117T6409P023A     2960X Root Bridge Switch Stacked Pair, w/Single Mode Fiber SFPs                     See note
323A4747CSP13B         117T6409P023B     2960X Root Bridge Switch 4-Stack, w/Single Mode Fiber SFPs                          See note
323A4747CSP14A         117T6409P024A     2960X Root Bridge Switch Stacked Pair, w/Multimode Fiber SFPs                       See note
323A4747CSP14B         117T6409P024B     2960X Root Bridge Switch 4-Stack, w/Multimode Fiber SFPs                            See note
323A4747CSP15A         117T6409P025A     2960X Edge Switch Stacked Pair, w/Single Mode Fiber SFPs                            See note
323A4747CSP15B         117T6409P025C     2960X Edge Switch Stacked Pair, w/Single Mode Fiber SFPs (4 trunk SFPs included)   See note
323A4747CSP16A         117T6409P025B     2960X Edge Switch Stacked Pair, w/Multimode Fiber SFPs                              See note
323A4747CSP17A         117T6409P027A     2960X XDH Switch Copper Trunk Ports                                                 Equivalent replacement parts.

Note 2960X is replacing 2960S. When ordering replacement parts, an entire 2960S stack needs to be replaced. It is not
possible to mix 2960X and 2960S in a stack.

Glossary of Terms
The following terms apply to a GE-installed network at a customer site. These terms can have broader definitions that are not
addressed here.
Broadcast Storm A transient condition within a network characterized by a repetitive forwarding of Ethernet packets in
such a way that cannot automatically be resolved through RSTP mechanisms. This condition causes an effective bandwidth
decrease experienced by equipment connected to the network such as controllers, HMIs, and so forth.
Edge Switch A switch in the system that translates messages from copper connections to and from the fiber-optic backbone
channels and connects to both types of media.
Engineering Work Station (EWS) An HMI computer that contains software necessary for an engineer to change system
configuration, change operating logic of the plant/process and many other functions that normally would not be available to
an operator. The EWS does retain all functions that an Operator can do at their station.
Human-machine Interface (HMI) This term is used to describe any computer on the network even if it does not interact
with the operator. Servers, Alarm Servers and Engineering Work Stations can all be referred to as HMIs.
Multi-mode Fiber (MMF) A type of fiber where the optical refraction index across the cross section of the cable is uniform
and homogenous. This results in the light beam traveling through the fiber in a bouncing and reflecting way, which induces
losses in the signal. This type of fiber does not require as much precision as single-mode fiber in making terminations and is
cheaper per mile. This type of network media is characterized by having a shorter communication distance than single-mode
fiber, is easier to terminate because it doesn’t require special polishing of the ends to eliminate optical distortion, and it is
more flexible and has smaller bend radii. Preassembled harnesses are more readily available for connecting switches within a
control room or building.
Plant Data Highway (PDH) The plant level supervisory network. PDH connects the HMI server with remote viewers,
printers, historians, and external interfaces. Usually there is no direct connection to the Mark VIe controllers, which
communicates over the UDH. Use of Ethernet with the TCP/IP protocol over PDH provides an open system for third-party
interfaces.
Rapid Spanning Tree Protocol (RSTP) A protocol that detects redundant paths to each attached device and blocks all
but one so that a single active path remains. This eliminates the risk of broadcast storms, in which multiple paths would allow
broadcast traffic to repeat and recirculate, using up network capacity required by other devices.
Ring Topology A fiber-optic network connection scheme whereby edge switches are connected to core switches using fiber,
in a ring such that each edge switch has two paths available back to the core switch present on each ring. A ring can be
assigned per area in a plant, or an entire plant can be present on one ring. The edge switches use RSTP to determine which
path is still available in the event of a failure of one component somewhere in the system.
Segmentation This architectural planning process divides the network into compartments so that LAN faults, such as
jabbering Ethernet devices, cannot impact normal operation of other compartmentalized network segments. Segmentation
restricts the forwarding of broadcast data, such as the EGD data distribution protocol, and limits network traffic by
forwarding data only to the devices within the segment. This makes the network more scalable so
that more controllers and devices can be added without increasing the data forwarded to each device.
Single-mode Fiber (SMF) A type of fiber with a very small core (about 9 µm) that carries only one propagation mode, so
the light travels straight down the core with fewer losses than in multi-mode fiber. The lower losses allow greater
transmission distances, as much as 31 km in some cases. This fiber requires high precision when making terminations and
connections, contributing to higher costs, and the cable itself costs more because the core geometry must be tightly
controlled during manufacturing. This type of network media is characterized by a longer communication distance than
multi-mode fiber, is more difficult (costly) to terminate because it requires special polishing of the ends to eliminate optical
distortion, and it is less flexible and has larger bend radii. Preassembled harnesses are not typically used because the length
of a SMF segment depends on the conduit run underground and/or through the building structure.

Small Form Pluggable (SFP) Transceiver A compact transceiver used for both telecommunication and data
communications applications. It interfaces a network device (a network switch, router, fiber media converter or similar
device) to a fiber-optic or unshielded twisted pair networking cable. It is a popular industry format supported by many
network component vendors. SFP transceivers are designed to support SONET, gigabit Ethernet, Fibre Channel, and other
communications standards.
Simple Network Management Protocol (SNMP) A protocol that allows remote monitoring and configuration management
of network devices such as edge switches, routers and the backbone (core) switch. SNMP versions 1 and 2c authenticate
with plaintext community strings; SNMPv3 adds per-user authentication and encryption.
Unit Data Highway (UDH) This is the portion of the network, now a VLAN, that carries controller to controller data, or
controller to HMI data. The UDH is an Ethernet-based network, which provides direct or broadcast peer-to-peer
communication between controllers, as well as between controllers and one or more operator or maintenance interfaces. It
uses EGD, a message-based protocol for sharing information with multiple nodes based on the UDP/IP standard.
Virtual Local Area Network (VLAN) services Where multiple Local Area Networks share the same hardware and
connections but do not allow any packets to travel between the virtual networks unless they are routed by a Layer 3 device.
