I/O Device Requirements and Restrictions

I/O devices in a high availability system that is
CIP Security
-enabled have the following requirements and restrictions.

Cannot Use CIP Security to Protect Communication to I/O Devices

In a high availability system, you cannot use
CIP Security
to protect communication to I/O devices directly.
CIP Security
does not support Datagram Transport Layer Security (DTLS) communication to I/O devices in a high availability system.
You can use alternative methods to protect communication to I/O devices. The following sections describe these methods.

I/O Devices on a Converged Network

If your system operates with a converged I/O network, you must include a firewall to create a trust zone around the redundancy chassis pair and the I/O devices that they operate.
IMPORTANT:
You must configure the firewall to restrict access to all unsecured Ethernet devices in the chassis and all I/O devices that are connected to them.
Converged I/O Network
Firewall between manufacturing level and I/O devices on a converged network
Item
Description
A
Manufacturing zone
B
Firewall
C
Converged I/O network

I/O Devices on a Non-converged Network

If your system operates with a non-converged I/O network, you are not required to include a firewall between the application’s manufacturing level and I/O devices. When you use a non-converged network, there is increased security for the communication between the controller and the I/O devices.
Non-converged I/O Network
No firewall between manufacturing level and I/O devices on a non-converged
            network
Item
Description
A
Manufacturing zone
B
Non-converged I/O network
Provide Feedback
Have questions or feedback about this documentation? Please submit your feedback here.
Normal