AK-1000-0022 DeltaV Smart Switch and Safety Switch Software Release Information

Knowledge Base Articles

DeltaV Smart Switch and Safety Switch Software Release Information

Article ID: AK-1000-0022


Publish Date: 13 Dec 2018
Article Status: Approved
Article Type: General Product Technical Information
Required Action: As Needed

Recent Article Revision History:

Revision/Publish | Description of Revision
13 Dec 2018 | Modified section 1.3.1 to correct the link for KBA NK-1800-0298.
(See end of article for a complete revision history listing.)

Affected Products:
Product Line | Category | Device | Version
DeltaV | Network | SS6041F01C1 | DeltaV Safety Switch LSN20-6TX2TX
DeltaV | Network | SS6041F01C2 | DeltaV Safety Switch LSN20-6TX2TX-ES
DeltaV | Network | SS6041F05C1 | DeltaV Safety Switch LSN20-6TX2MM
DeltaV | Network | SS6041F05C2 | DeltaV Safety Switch LSN20-6TX2MM-ES
DeltaV | Network | SS6041F06C1 | DeltaV Safety Switch LSN20-6TX2SM
DeltaV | Network | SS6041F06C2 | DeltaV Safety Switch LSN20-6TX2SM-ES
DeltaV | Network | SS6048 | DeltaV Safety Network Switch SRM100
DeltaV | Network | VE6041 | Smart Switch FP20 - DIN rail 8-port switch. All RJ45 or with fiber uplink
DeltaV | Network | VE6042 | Smart Switch MD20 - DIN rail 8, 16 or 24-ports switch. All 100MB ports
DeltaV | Network | VE6043 | Smart Switch MD30 - DIN rail 10, 16 or 26-ports switch. Combination of 2 Gigabit and 100MB ports
DeltaV | Network | VE6046 | Smart Switch RM100 - 24 ports 10/100BASE-TX RJ45, plus 2 Gigabit wired uplinks
DeltaV | Network | VE6047 | Smart Switch RM100 - 8 ports 10/100BASE-TX RJ45, plus 2 Gigabit wired uplinks
DeltaV | Network | VE6048 | Smart Switch RM100 - 8 ports 10/100BASE-TX RJ45, plus 2 Gigabit wired uplinks. Has 2 expansion bays
DeltaV | Network | VE6053 | Smart Switch RM104 - 24 ports; 20 x (10/100/1000BASE-TX, RJ45) & 4 Gigabit Combo ports (RJ45 or SFP)
DeltaV | Network | VE6054 | Smart Switch RM1040 – 16 ports; 16 Gigabit Combo ports (RJ45 or SFP)

Knowledge Base Article AK-1000-0022 is being re-released for DeltaV smart switch software version 09.0.15.
This Knowledge Base Article is divided into two sections:
1 Emerson DeltaV Smart Switches
1.1 Emerson 100 Mega-Bit Smart Switches
1.2 Emerson Giga-Bit Smart Switches (RM104 and RM1040)
1.3 Functional Changes/Corrections/Enhancements in DeltaV Smart Switches
1.4 Previous Emerson Smart Switch Firmware
2 Emerson DeltaV Safety Switches

1 Emerson DeltaV Smart Switches


DeltaV Smart Switches are installed on the DeltaV control networks and have a different network configuration from the
DeltaV Safety Switches, which are installed on the Local Safety Network. The network architecture and network traffic
patterns between the DeltaV Control Network and the DeltaV Local Safety Network are sufficiently different that separate
configurations are required for each type of network. Hence, the DeltaV Emerson Smart Switches and the DeltaV Safety
Switches are not interchangeable.
The supplied checksums within this KBA were created with Sigcheck. Refer to the download link at the end of this
document for Sigcheck.
The following example shows the setup for checking the file nsRM100.bin.
1. With Sigcheck downloaded and placed in a folder (for example, a folder named Checksum Tools\Sigcheck), perform
the following:
   a. Copy the downloaded smart switch .ZIP file into the folder location where Sigcheck was copied. Extract the files.
   b. Open an MS-DOS command window.
   c. Change the folder to the location where Sigcheck was copied.
   d. Use the -h (for hash) option and enter:
      c:\Checksum tools\Sigcheck>Sigcheck -h "name of the file to be verified"
      For example: c:\Checksum tools\Sigcheck>Sigcheck -h nsRM100.bin

The SHA256 checksum results are shown as follows:
Sigcheck v2.55 - File version and signature viewer
Copyright (C) 2004-2017 Mark Russinovich
Sysinternals - www.sysinternals.com

c:\Checksum tools\Sigcheck\nsRM100.bin:
Verified: Unsigned
File date: 11:48 AM 10/3/2017
Publisher: n/a
Company: n/a
Description: n/a
Product: n/a
Prod version: n/a
File version: n/a
MachineType: n/a
MD5: 75BE7D24D574A5FFB60ED6823C593D09
SHA1: B2760AAE4CA43A565665D62D2407A19E4DD0FAA3
PESHA1: B2760AAE4CA43A565665D62D2407A19E4DD0FAA3
PE256: FA8B6C769E4634EBA494188A0A15D129B7964AE6C15925BDCC358F3C6D705581
SHA256: FA8B6C769E4634EBA494188A0A15D129B7964AE6C15925BDCC358F3C6D705581
IMP: n/a

In this example the result for the SHA256 checksum of nsRM100.bin will be:
“fa8b6c769e4634eba494188a0a15d129b7964ae6c15925bdcc358f3c6d705581”
Perform this step and compare the result to the respective table in this KBA.

Note: The DeltaV Smart Switch files are not digitally signed. For downloaded files that are signed, Sigcheck
has the ability to verify the file's digital signature. An example of a signed file is a DeltaV v13.3.1 workstation
bundle download.

2. Use Windows directory and select Details under the View tab to determine file size. Compare the value to the File
Size Table included with this KBA (AK-1000-0022).
The Windows directory result will look similar to the following example result which includes file size.
Name | Date modified | Type | Size
DESTINATION CONTROL STATEMENT.txt | 8/24/2015 10:45 AM | Text Document | 1 KB
nsFPxx.bin | 7/26/2018 7:59 AM | BIN File | 4,885 KB
nsMDxx.bin | 7/26/2018 7:59 AM | BIN File | 5,046 KB
nsRM100.bin | 7/26/2018 7:59 AM | BIN File | 4,884 KB
Readme.txt | 7/30/2018 7:16 AM | Text Document | 1 KB
Once the checksums and file size of the downloaded files have been verified against the tables, proceed to the actual
upgrade procedure.

1.1 Emerson 100 Mega-Bit Smart Switches
This section covers the three original 100 mega-bit smart switches (FP20, MD20/30, and the RM100).
Software version 09.0.15 build 2018-09-24 contains functional corrections to increase reliability. See section 1.3.1 for
additional details. It is recommended that all DeltaV Smart Switches in the field be upgraded to this latest version to take
advantage of the latest network enhancements.

Copyright (c) 2018 Emerson
All rights reserved

RM100 Release 09.0.15
(Build date 2018-09-24 04:25)

System Name: RM100-085504
Mgmt-IP : 10.4.129.12
Base-MAC : 00:22:E5:04:B1:2C
System Time: 2018-01-01 01:00:07

User:
Included in this release are upgrade file versions for the FP20, MD20/30, and RM100 DeltaV Smart Switches.
Perform the following to download the upgrade file versions:
3. Obtain this release from the following link:
https://gsuds.emerson.com/pickup/PSG/09_0_15_100MB_Smart_Switch_firmware.zip: (Size: 14815 KB)
Checksum: 39D17554AC5A3717C84B16479C6CE1844BDADEA71142BA950AB30FD98C69B100
4. Perform checksum verification on each of the downloaded files. Refer to the following tables for the expected
checksums for each file.

09.0.15 100MB Smart Switch Checksum Table (build date 09/24/2018 04:25)
File Name | SHA256 Checksum
09_0_15_100MB_Smart_Switch_firmware.zip | 39D17554AC5A3717C84B16479C6CE1844BDADEA71142BA950AB30FD98C69B100
nsFPxx.bin | 5F9F0BA7212A32F469720DD042020D5BC6A221AF72AC3A268E7E3684BD1A6BFB
nsMDxx.bin | 565F7128B374AA6F9950D1EF7EADBD92752DDB600CAD314D67FA8A492E6B42A5
nsRM100.bin | AB744BFBC7D96D511CD983383813ACC5E318B3AB504A4A97EF050E3029A48911

09.0.15 100MB Smart Switch File Size Table (build date 09/24/2018 04:25)
File Name | File Size
09_0_15_100MB_Smart_Switch_firmware.zip | 14,815 KB
nsFPxx.bin | 4,886 KB
nsMDxx.bin | 5,047 KB
nsRM100.bin | 4,886 KB
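
The Sigcheck and file-size checks described in section 1 can be scripted when several images have to be verified before an upgrade. The following Python script is an added example, not Emerson tooling or part of the original KBA; it carries the 09.0.15 100MB table values from this section, and the function names and the rounding of bytes up to whole KB (as the Windows Details view is assumed to display sizes) are assumptions of the example.

```python
import hashlib
import math
import os
import sys

# Expected values copied from the 09.0.15 100MB Smart Switch tables in this KBA.
# file name -> (SHA256 checksum, file size in KB)
KBA_09_0_15_100MB = {
    "nsFPxx.bin": ("5F9F0BA7212A32F469720DD042020D5BC6A221AF72AC3A268E7E3684BD1A6BFB", 4886),
    "nsMDxx.bin": ("565F7128B374AA6F9950D1EF7EADBD92752DDB600CAD314D67FA8A492E6B42A5", 5047),
    "nsRM100.bin": ("AB744BFBC7D96D511CD983383813ACC5E318B3AB504A4A97EF050E3029A48911", 4886),
}


def sha256_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large image is never read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def size_in_kb(size_bytes):
    """Assumption of this example: the KB column is bytes / 1024, rounded up."""
    return math.ceil(size_bytes / 1024)


def verify_firmware(directory, manifest):
    """Return {file name: [problems]}; an empty list means hash and size both match."""
    report = {}
    for name, (expected_hash, expected_kb) in manifest.items():
        path = os.path.join(directory, name)
        problems = []
        if not os.path.isfile(path):
            problems.append("missing")
        else:
            actual_hash = sha256_file(path)
            # Sigcheck prints upper case while the KBA text quotes lower case,
            # so the comparison ignores case.
            if actual_hash.lower() != expected_hash.strip().lower():
                problems.append("sha256 mismatch: " + actual_hash.upper())
            actual_kb = size_in_kb(os.path.getsize(path))
            if actual_kb != expected_kb:
                problems.append("size mismatch: %d KB" % actual_kb)
        report[name] = problems
    # Firmware images in the folder that the table does not list should not be flashed either.
    for name in sorted(os.listdir(directory)):
        if name.lower().endswith(".bin") and name not in manifest:
            report[name] = ["not listed in table"]
    return report


def ready_to_flash(report):
    """True only when every checked file came back without a problem."""
    return all(not problems for problems in report.values())


if __name__ == "__main__":
    folder = sys.argv[1] if len(sys.argv) > 1 else "."
    result = verify_firmware(folder, KBA_09_0_15_100MB)
    for file_name, issues in result.items():
        print(file_name, "OK" if not issues else "; ".join(issues))
    sys.exit(0 if ready_to_flash(result) else 1)
```

Run it with the folder holding the extracted .bin files as the only argument; a non-zero exit code means at least one file should not be used for the upgrade.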

1.2 Emerson Giga-Bit Smart Switches (RM104 and RM1040)


Software version 09.0.15 build 2018-09-24 contains functional corrections to increase reliability. See section 1.3.1 for
additional details. It is recommended that all DeltaV Smart Switches in the field be upgraded to this latest version to take
advantage of the latest network robustness enhancements.
See NK-1500-0424: All Gigabit DeltaV Smart Switch for additional information about the DeltaV Giga-Bit Smart Switches.
The example login screen is from an RM1040. The RM1040 is a new release to the DeltaV Smart Switch product line.

Copyright (c) 2018 Emerson
All rights reserved

RM1040 Release 09.0.15
(Build date 2018-09-24 03:40)

System Name: RM1040_PRI_$X
Mgmt-IP : 10.4.129.16
Base-MAC : 00:22:E5:17:09:40
System Time: 2018-01-01 00:01:01

User:
Included in this release are upgrade file versions for the RM104 and RM1040 DeltaV Smart Switches.
Perform the following to download the upgrade file versions:
5. Obtain this release from the following link:
https://gsuds.emerson.com/pickup/PSG/09_0_15_G-Bit_Smart_Switch_firmware.zip: (Size: 11506 KB)
Checksum: 758E080FAD7CEF344A0469A2FF2EBF046C070AB7E42BD3610D235116F60ECCD4
6. Perform checksum verification on each of the downloaded files. Refer to the following tables for the expected
checksums for each file.

09.0.15 G-Bit Smart Switch Checksum Table (build date 09/24/2018 03:40)
File Name | SHA256 Checksum
09_0_15_G-Bit_Smart_Switch_firmware.zip | 758E080FAD7CEF344A0469A2FF2EBF046C070AB7E42BD3610D235116F60ECCD4
nsRM104.bin | B9A3F563C6B405A2BAC9435A76CC808973021E169419AABC98D0FEF09F256554
nsRM1040.bin | 077CB547F9DC0462FF747CD818B2E14A7467B1F439B49D8F274994012459E459

09.0.15 G-Bit Smart Switch File Size Table (build date 09/24/2018 03:40)
File Name | File Size
09_0_15_G-Bit_Smart_Switch_firmware.zip | 11,506 KB
nsRM104.bin | 6,073 KB
nsRM1040.bin | 6,281 KB

For the installation instructions of this DeltaV Smart Switch release version, refer to AK-1000-0014: DeltaV Smart Switch
and DeltaV Safety Switch Flash Upgrade Procedure.

1.3 Functional Changes/Corrections/Enhancements in DeltaV Smart Switches

Note: KBA NK-1800-0428: General Information on Smart Switch Secure Shell (SSH) contains information on
the DeltaV Smart Switch Secure Shell (SSH), its setup, and other useful information. This KBA also describes
how the end user may use PuTTYgen to create keys, and SolarWinds as a TFTP server to transfer a
user-generated key to the smart switch. The KBA also describes how to use the TFTP server and
DeltaV v13.3.1 NDCC to update the DeltaV Smart Switch firmware.

1.3.1 Functional Changes/Corrections/Enhancements in Release 09.0.15


• Correction for incorrect handling of excessive ARP spoofing events, which could cause the switches to get into
a deadlock state (TFS # 403164, see also KBA NK-1800-0298: DeltaV Nodes May Lose Communication While
Locking or Unlocking both Primary and Secondary Smart Switch).
• Improved the prompt regarding the HiDiscovery protocol within the DeltaV wizard command. There are now three
options for HiDiscovery on switches (enabled read-write, enabled read-only, and disabled). The latter case is only
applied after the user acknowledges a warning message that explains the impact to options in NDCC (TFS #
394428). The user has a choice between e (enabled), d (disabled), or r (read-only). Whichever state the
smart switch is currently in, the prompt will list the other two modes that are available. With HiDiscovery
disabled, the end user will be unable to flash the LEDs or update the smart switch firmware using a
TFTP server from the NDCC.

(Emerson RM100) >deltav wizard
DeltaV: Enter DeltaV IP address for the Switch [Currently 10.4.129.1]:
Previous DeltaV IP address not changed!

DeltaV: Enter Name for the Switch [max. 63 chars]:

DeltaV: Enter Location for the Switch [max. 255 chars]:

HiDiscovery is currently enabled

DeltaV: Do you want to disable it or set it to read-only? (d/r). Otherwise press Return:d

HiDiscovery protocol is required for DeltaV v10 and higher, are you sure you want to disable it? (y/n)

--------------------------------------------------------------------------------------------------

(Emerson RM100) >deltav wizard
DeltaV: Enter DeltaV IP address for the Switch [Currently 10.4.129.1]:
Previous DeltaV IP address not changed!

DeltaV: Enter Name for the Switch [max. 63 chars]:

DeltaV: Enter Location for the Switch [max. 255 chars]:

HiDiscovery is currently enabled

DeltaV: Do you want to disable it or set it to read-only? (d/r). Otherwise press Return:r

--------------------------------------------------------------------------------------------------

(Emerson RM100) >deltav wizard
DeltaV: Enter DeltaV IP address for the Switch [Currently 10.4.129.1]:
Previous DeltaV IP address not changed!

DeltaV: Enter Name for the Switch [max. 63 chars]:

DeltaV: Enter Location for the Switch [max. 255 chars]:

HiDiscovery is currently in read-only mode

DeltaV: Do you want to enable or disable it? (e/d) Otherwise press Return:e

• Allow users to run the DeltaV wizard even if the switches were previously configured with IP addresses outside the
DeltaV ACN IP address ranges – e.g. L2.5 network (TFS # 234843 / 384065)
• Allow users to enter any IP address for Syslog server, SNMP traps, and Network time server using the DeltaV
wizard command through the CLI (TFS # 234843 / 384065)
• Allow standard network interface configuration (IP address, subnet, default gateway) via the CLI (i.e. network
parms …) (TFS # 234843 / 384065)

1.4 Previous Emerson Smart Switch Firmware

Note: For Emerson Smart Switch firmware changes/enhancements prior to firmware version 09.0.12, see
KBA NK-1800-0430: Functional Changes and Enhancements for DeltaV Smart Switch Firmware 08.0.13 and
Earlier.

1.4.1 Functional Changes/Enhancements in Release 09.0.12
The following list documents all the additional functional changes introduced in version 09.0.12.
1. Clarification of an event log entry to make the reported result more understandable. The entry that previously read
“Control Line Failure” has been changed to “Potential loop detected and prevented”. The entry is a
Spanning Tree logged event, and the new description more accurately reports what the event is.
(Emerson RM100) >show sysinfo
Device Status.................................. Control Line Failure
Last Alarm 1................................... Control Line Failure
Alarm 2........................................ None
System Description............................. Emerson Network Switch RM100
2. Login Banner – 256 Characters Max, CLI only
The following are the command lines required to enter a login banner.
(Emerson RM100) >set pre-login-banner text "User entered login banner text here"
(Emerson RM100) >set pre-login-banner operation (this command enables the login banner once the text has been set)
(Emerson RM100) >deltav save (saves the previous configuration commands)

3. Configure DeltaV Passwords, CLI only


This allows the user to change the password on smart switches installed on non-DeltaV control networks where earlier
under the DeltaV wizard, the user was prevented from doing so because the IP address was not a control network IP
address. This command works on any smart switch regardless of which network the smart switch is installed on.
(Emerson RM100) >deltav passwords
Just follow through on the various prompts and entries and when complete, perform a deltav save command.
4. Secure Shell (SSH) Support, Enable/Disable SSH, Telnet, HTTP (new DeltaV “Access” menu in CLI)
(Emerson RM100) >deltav access
Enabling SSH provides the ability to log into the switch without using a clear-text exchange. SSH is encrypted,
whereas Telnet and HTTP are not. When SSH is enabled, factory default public and private keys are created on the switch
and used for authentication. If the user wishes to create their own keys, see item 5.
Once the connection is started, the switch presents the fingerprint and the key exchange happens automatically as part of
the SSH handshake.
(Emerson RM100) >deltav access
DeltaV: Enable Telnet Access (currently enabled)? (y/n)n
DeltaV: Enable SSHv2 Access (currently disabled)? (y/n)y
DeltaV: Enable HTTP Access (currently enabled)? (y/n)n
DeltaV: Do you want to save the configuration? (y/n)y
Saving Configuration

5. Download self-generated key files (copy command using TFTP). Used with SSH.
Prior to enabling SSH on the smart switch, use a third-party software package to create a set of user keys (example
software application: PuTTY).
Set up a TFTP server and copy these user keys to the smart switch. Then enable SSH on the smart switch through the
CLI or telnet.
The user-generated private and public keys are loaded in the switch. The user does not have to keep either of the keys, but
it would be wise to keep the fingerprint, as this is what is presented to the user the first time they connect to the switch to
authenticate the server (in this case the switch).
The fingerprint is what will be loaded in each machine’s Windows registry; that action is done when the user accepts to
trust the SSH server (in this case the switch) upon a first connection attempt.
Whether SSH is enabled on the smart switch with the default public/private keys or with a user-created set of
keys transferred to the switch, the switch operation will be the same: the switch presents the fingerprint to the
client and, if accepted, passes the public key to the client. The public key at the client is used to encrypt, and the
private key at the switch will decrypt.
6. ARP Inspection (matches original MAC address to original IP address) – alert (trap) only
ARP Inspection is turned on by default. No configuration is required.
The current configuration may be verified or modified with:
(Emerson RM100) >deltav lockdown arp-inspection
Other CLI ARP Inspection commands are:
(Emerson RM100) >show port-locking arp-inspection
(Emerson RM100) >show port-locking arp-inspection database
A Syslog server must be set up to send the trap to.


The FP20, MD20, MD30, and RM100 smart switches are layer 2 switches.
The RM104 and RM1040 are layer 3 switches. Layer 3 switches have more enhanced capability to inspect ARP traffic for
ARP spoofing.
The layer 2 switches can learn, and pass to the switch CPU, ARP broadcast requests and ARP requests/responses sent to
the switch's own MAC address. Layer 2 switches cannot detect and send to the CPU any ARP unicast replies, as
these unicast messages are forwarded by the hardware.
The layer 3 switches perform all the same functions as layer 2 switches but can also inspect unicast ARP replies.
The information passed to the smart switch CPU is stored in an ARP Inspection database.
With the smart switch unlocked (learning mode), as ARPs are seen, the ARP Inspection database inside the CPU is
continuously updated. Once the smart switch is locked, the ARP Inspection database is set to a static condition and no
further changes are added.
As ARP requests/replies are seen at the switch, they are compared to the ARP Inspection database held by the switch
CPU for discrepancies.
The following ARP conditions are checked:
a. ARP Header Verification (example Syslog entry below)
Source MAC Address Verification failed on Interface 1/4 for ARP-Request, DA:FF:FF:FF:FF:FF:FF
SA:0A:02:FF:1C:27:5A SHA:02:04:06:08:AA;AA;AA THA:00:00:00:AA;AA:AA SPA:10.1.2.3 TPA:10.1.2.4

where:
DA is destination address
SA is source address
SHA is source hardware address
THA is target hardware address
SPA is source protocol address
TPA is target protocol address

b. In Learning mode (switch unlocked), a changed MAC address on a switch port and a changed interface (port
number) for a MAC address. Example Syslog entries below.
Changed ARP entry in learning state (ARP-Request) on Interface 1/4, IP-Address(SPA):10.1.2.3
Original MAC Address: 02:00:33:44:55:66 New MAC Address (SHA): 00:44:AA:AA:AA:AA

Changed Interface (1/2) in learning state (ARP-Request) on Interface 1/4, IP-Address(SPA):10.1.2.3
Original MAC Address: 02:00:33:44:55:66 New MAC Address (SHA): 00:44:AA:AA:AA:AA

c. In Inspection mode (switch locked), a new MAC address on an interface, changed ARP entry for an interface, and
a changed interface for a MAC address. Example Syslog entries below.
New ARP entry in locked state (ARP-Request) on Interface 1/4, New)IP-Address(SPA):10.1.2.3,
MAC Address(SHA):02:00:33:44:55:66

Changed ARP entry in locked state (ARP-Request) on Interface 1/4, New)IP-Address(SPA):10.1.2.3,
MAC Address(SHA):02:00:33:44:55:66

Changed Interface (1/2) in locked state (ARP-Request) on Interface 1/4, IP-Address(SPA):10.1.2.3
Original MAC Address: 02:00:33:44:55:66 New MAC Address (SHA): 00:44:AA:AA:AA:AA

7. Exclude port lock-down ports for use in virtualization systems (for standby ports to switch over to available unlocked
ports). This could also be used for third party switches connected to smart switches where the third party switch does
not have storm control. See Figure 2 and the support text for further explanation.
(Emerson RM100) >deltav lockdown
Switch is currently unlocked.
Currently all Switch ports will be locked in future lock-cycles.
Enter new list of ports which should be excluded from lockdown for future lock-cycles.
NOTE! - You must reenter ALL ports you want excluded from lockdown every time you want
to add more excluded ports! Or the original excluded ports will be locked!
If no port is specified, all Switch ports (except probe Port) will be locked in
the future:1/1,1/3,1/5,1/7
The following ports will be excluded from lockdown in future lock-cycles: 1/1,1/3,1/5,1/7
Do you want to save the current configuration? (y/n): y
Saving Configuration

8. Uplink ports (switch to switch ports only) ignored by port lock down (but will ‘report’ a violation – not stop a criminal).
User must set up a Syslog Server to send the trap to.
9. If the switch port is not manually excluded from the port lock-down scheme (as mentioned in item 7 above), nor
identified as an uplink (as mentioned in item 8), then it will be locked with whatever number of MAC addresses are on it.
The lock is no longer dependent on the number or type of MAC addresses. For example, ports with cascaded
CIOCs will be locked.

Note: To support the improved uplink lockdown handling, the static MAC address limit is increased from 256
to 1024 addresses per port.
In version 08.0.13 the capability to configure a probe port was introduced. This port was subject to lockdown.
With version 09.0.12, any configured probe port is automatically excluded (lockdown disabled).
(Emerson RM100) > deltav monitor
If the probe port is changed or deleted, the previous probe port is set back to lockdown enabled, meaning
this port will be locked when the switch is locked.
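
The ARP Inspection Syslog entries listed under item 6 can be triaged automatically on the Syslog server that receives the traps. The following Python parser is an added example, not part of the switch firmware or of the original KBA; it assumes each event arrives as a single line in the formats quoted under item 6, and the sample lines, host name, field names and the high/review priority rule are constructed for illustration.

```python
import re
from collections import Counter

MAC = r"[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}"
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Database discrepancies (conditions b and c in the text).
CHANGE_RE = re.compile(
    r"(?P<kind>New ARP entry|Changed ARP entry|Changed Interface)"
    r"(?: \((?P<prev_iface>\d+/\d+)\))?"
    r" in (?P<state>learning|locked) state \((?P<arp>ARP-[A-Za-z]+)\)"
    r" on Interface (?P<iface>\d+/\d+)"
)
# ARP header verification (condition a); only the check quoted on the page is matched.
HEADER_RE = re.compile(
    r"(?P<kind>Source MAC Address Verification failed)"
    r" on Interface (?P<iface>\d+/\d+) for (?P<arp>ARP-[A-Za-z]+)"
)
SPA_RE = re.compile(r"SPA\)?:\s*(" + IPV4 + ")")           # "SPA:" or "IP-Address(SPA):"
SHA_RE = re.compile(r"\bSHA\)?:\s*(" + MAC + ")")          # "SHA:" or "... (SHA):"
ORIG_RE = re.compile(r"Original MAC Address:\s*(" + MAC + ")")
ETH_SRC_RE = re.compile(r"\bSA:(" + MAC + ")")             # Ethernet source address


def _first(regex, text):
    """First captured value, upper-cased so MAC addresses compare equal regardless of case."""
    match = regex.search(text)
    return match.group(1).upper() if match else None


def parse_event(line):
    """Return a dict for an ARP Inspection message, or None for any other line."""
    match = CHANGE_RE.search(line)
    if match:
        event = match.groupdict()
    else:
        match = HEADER_RE.search(line)
        if not match:
            return None
        event = dict(match.groupdict(), state=None, prev_iface=None)
    event.update(
        ip=_first(SPA_RE, line),
        sender_mac=_first(SHA_RE, line),
        original_mac=_first(ORIG_RE, line),
        eth_src=_first(ETH_SRC_RE, line),
    )
    # Triage rule of this example: once the switch is locked the database is static,
    # so any discrepancy is unexpected; a failed header check matters in any state.
    event["priority"] = "high" if event["state"] in ("locked", None) else "review"
    return event


def triage(lines):
    """Parse every line; return (high-priority events, event count per interface)."""
    events = [event for event in map(parse_event, lines) if event]
    per_iface = Counter(event["iface"] for event in events)
    return [event for event in events if event["priority"] == "high"], per_iface


# Constructed sample input modelled on the message formats quoted under item 6.
# Host name, timestamps and addresses are made up.
SAMPLE_LOG = [
    "Jan  1 01:00:07 RM100-LAB Changed ARP entry in learning state (ARP-Request) on Interface 1/4, "
    "IP-Address(SPA):192.0.2.10 Original MAC Address: 02:00:00:00:00:0A "
    "New MAC Address (SHA): 02:00:00:00:00:0b",
    "Jan  1 01:01:30 RM100-LAB New ARP entry in locked state (ARP-Request) on Interface 1/4, "
    "New)IP-Address(SPA):192.0.2.20, MAC Address(SHA):02:00:00:00:00:14",
    "Jan  1 01:01:45 RM100-LAB Changed Interface (1/2) in locked state (ARP-Request) on Interface 1/4, "
    "IP-Address(SPA):192.0.2.10 Original MAC Address: 02:00:00:00:00:0A "
    "New MAC Address (SHA): 02:00:00:00:00:0C",
    "Jan  1 01:02:10 RM100-LAB Source MAC Address Verification failed on Interface 1/7 for ARP-Request, "
    "DA:FF:FF:FF:FF:FF:FF SA:02:00:00:00:00:1E SHA:02:00:00:00:00:1F THA:00:00:00:00:00:00 "
    "SPA:192.0.2.30 TPA:192.0.2.31",
    "Jan  1 01:03:00 RM100-LAB some unrelated message about Interface 1/3",
]

if __name__ == "__main__":
    high, per_iface = triage(SAMPLE_LOG)
    for event in high:
        print(event["priority"], event["kind"], "on", event["iface"],
              "SPA", event["ip"], "SHA", event["sender_mac"])
    print("events per interface:", dict(per_iface))
```

A sustained count on one interface in the per-interface tally is worth following up on the switch with the show port-locking arp-inspection database command listed under item 6.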

The following are additional details concerning items 7, 8, and 9.


All earlier versions of smart switch firmware treated every port on which multiple MAC addresses (greater than two) were
detected as an uplink port, regardless of whether the connection was to a switch. Uplink ports were not locked. For example,
consider a CIOC cascade (refer to Figure 1) where there are 8 MAC addresses on RM100 Smart Switch #1 port 24. Prior to
smart switch firmware 09.0.12 this port would be treated as an uplink port and not locked.
Beginning with smart switch version 9.0.12, a new mechanism dependent on the storm control feature is used to
detect uplink ports.
Beginning with version 09.0.12, port 24 on RM100 Smart Switch #1 in Figure 1 will not be treated as an uplink port, and
when RM100 Smart Switch #1 is locked, port 24 will also be locked with the 8 MAC addresses from 4 pairs of redundant
CIOCs. Ports connected to third-party switches without storm control, or to non-updated smart switches running firmware
versions earlier than 04.2.14 (no storm control), will also not be considered uplink ports. When a smart
switch at version 09.0.12 is locked, such ports to non-storm-control switches will be locked with whatever learned MAC
addresses were present at the time the 09.0.12 smart switch was locked.
Only ports connected to network switches with network storm control enabled will be detected as uplink ports.
Refer to the following KBA for a list of Cisco switches that have storm control enabled:
NK-1500-0157: Additional DeltaV Compatible Cisco Switch Models Available

Note: For system-wide compatibility reasons, all switches on a system should be at the same level of
support regarding network storm control.

Refer to Figure-1 for the following examples to further understand the new port locking features:

Scenario 1: RM1040 (09.0.12) Smart Switch Uplink to Cisco 2960 (no storm control)
As an example, on port 15 of the RM1040 for the connection to the Cisco 2960 switch (no storm control on the Cisco),
when the RM1040 attempts to determine if the other network device is a switch, without storm control on the Cisco 2960,
it will not be detected as such and the RM1040 will not detect port 15 as an uplink port.
When the RM1040 is locked, port 15 will be locked with the 4 MAC addresses for the two DeltaV App Stations and two
DeltaV Op Stations connected to the Cisco 2960. Prior to Emerson Smart Switch version 09.0.12, such connections and
ports would not have been locked. Beginning with version 09.0.12, smart switch ports will be locked, if the Cisco switch
does not have storm control enabled.

Note: On earlier-version DeltaV systems that also used Cisco switches, the Cisco models
used did not have storm control enabled.
The example Cisco 2960 switch shown in Figure 1 has reached end of life. Emerson acknowledges that
customers may still be using these devices and thus may have combinations of Emerson Smart Switches
and Cisco. It is important to understand the operation of these older Cisco models and the interaction with
Emerson Smart Switches.
The current supported Cisco switch models do have storm control enabled. See KBA NK-1500-0157:
Additional DeltaV Compatible Cisco Switch Models Available for further details.

While the RM1040 is locked, if the user connects an additional DeltaV App Station to the Cisco 2960 switch in this
example without storm control, this will result in a port locking violation at the RM1040 Smart Switch on port 15.
Port violations are reported as they have always been (no change). This applies to switches with multiple MAC addresses
that do not have storm control and are not detected in the uplink port negotiation. The new alert within uplink ports will not
show up in NDCC or DeltaV, but using the CLI a trap can be sent to a Syslog Server.
The Cisco switch in this case is not detected as a switch and therefore port 15 at the RM1040 is locked. All initially
available MAC addresses will still be allowed to communicate, but if new MAC addresses show up, they will not be
allowed through the link.
The newly added App Station at the Cisco 2960 is the only device not able to communicate (for example to controller #1
on the RM100 Smart Switch #1).
To prevent such issues from occurring, use the wizard through the CLI of the RM1040 to set port 15 to be excluded and
remain unlocked. Or use a Cisco switch model from KBA NK-1500-0157 that comes with storm control enabled.
To exclude lockdown ports, use the RM1040’s CLI and enter:
(Emerson RM1040) >deltav lockdown
Some informational text will be displayed followed by a field where excluded ports may be added.
For example, 1/15 in this scenario:
Switch responds with:
The following ports will be excluded from lockdown in future lock-cycles: 1/15

Scenario 2: RM1040 (09.0.12) Smart Switch Uplink to an RM100 Smart Switch #1 (09.0.12)
On port 1 at the RM1040 Smart Switch, it can detect RM100 Smart Switch #1 and thus identifies this port as an uplink
port. When the RM1040 is locked, port 1 will be left as unlocked.
With the RM100 Smart Switch #1 locked, if the RM1040 is unlocked to add an additional App Station, then at the RM100
Smart Switch #1 the user will get an alert (trap) that can be sent to a configured SysLog Server because of the additional
detected MAC address on port 1 of the RM100 Smart Switch #1 coming from the RM1040.
The App Station will be allowed to be connected and communicate once the RM1040 is unlocked as the uplink port alert
is used for detection rather than protection in this firmware version.
To prevent this alert, also unlock the RM100 Smart Switch #1, add the App Station at the RM1040, wait for a period
of time for both switches to learn the new MAC address, then lock both switches when finished.
At the RM100 Smart Switch #1, port 1/1 is identified as an uplink port so this port will also not be locked when the
RM100 Smart Switch #1 switch is locked. Again, adding devices to the RM1040 will result in an alert but the
communication is allowed to pass through for the new MAC address.

Scenario 3: RM100 Smart Switch #1 (09.0.12) connection to cascaded CIOCs


The RM100 Smart Switch #1 detects multiple MAC addresses on port 24 from the four cascaded CIOCs. The RM100
Smart Switch #1 will attempt to determine if this is an uplink port but will not be successful. When the RM100 Smart
Switch #1 is locked, port 24 will be locked with the 8 MAC addresses of the CIOCs (4 redundant pairs of CIOCs).
If the RM100 Smart Switch #1 is unlocked to add another DeltaV controller (or any other device, or to replace a controller
where the replacement has a different MAC address) and the RM1040 remains locked, there will be an alert at the RM1040
for the new MAC address coming from the RM100 Smart Switch #1. The alert will be a port violation available through the
CLI, NDCC and DeltaV. It can also be sent to a Syslog Server.
The same applies if one of the CIOCs is replaced. The replacement CIOC will have a different MAC address, so the RM100
Smart Switch #1 must first be unlocked, and with the RM1040 still locked, there will be an alert at the RM1040 for the new
MAC address.

Scenario 4: RM100 Smart Switch #1 (09.0.12) Uplink to an RM100 Smart Switch #2 (older non-updated switch
without storm control)
Figure-1 also shows an older non-updated RM100 smart switch (RM100 #2) without storm control enabled. From the
perspective of RM100 Smart Switch #1 (port 2), when it is locked, the two MAC addresses for the DeltaV controller and
the Op Station attached to RM100 #2 will be locked on RM100 Smart Switch #1 port 2.
For compatibility purposes, it is important to keep all smart switches on the network at the same firmware version.

Figure -1

Below is a graphic rendition for a virtualized installation using VRTX clusters. This is functional item #7 previously listed.

Figure -2
The six VMs are active and running in the VRTX #1 cluster. Three of them are running in the same blade (blade #1), so three MAC addresses, one for each of these virtual machines, will be seen on port 7 of the example RM1040 Smart Switch #1. Since the RM1040 Smart Switch can't identify these ports as uplinks to the virtual switch in the VRTX, locking the RM1040 Smart Switch #1 from the virtual App Station running in VRTX #1 locks port 7 of the RM1040 Smart Switch #1 with the three active VM MAC addresses. If a fourth VM is added to blade #1 while the RM1040 is locked, the additional VM will fail to communicate when active.

Because the virtual machines in VRTX #2 are standby, no communication is seen at the RM1040 Smart Switch #2 and no MAC addresses are detected at ports 10, 12, 14 and 16 of the RM1040. When RM1040 Smart Switch #2 is locked, these ports will be disabled if no other action is performed.

It will be necessary to telnet to the RM1040 Smart Switch #2 and use the CLI Lockdown option to exclude these ports from being locked out. This step is performed before the smart switch is locked from the NDCC. That way, when a switchover makes a VM at VRTX #2 active, these VMs will be able to communicate. These steps should be part of the VRTX commissioning and the DeltaV Virtualization setup.

In the previous example, the normal VRTX installation will have multiple VMs running on each blade, which results in multiple MAC addresses seen at the smart switch for each of the ports where the various blades are connected.

Every RM1040 smart switch port associated with a connection to any of the VRTX blades should be excluded from the lockdown. This prevents issues as additional virtual machines are created on the blades of the VRTX cluster and additional MAC addresses become present at the RM1040 smart switch. It also covers the cases where a standby VM is made active and where there are switchovers between pairs of VMs.
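The lockdown behaviour described above can be checked with a small model. This is an added example, not Emerson code and not the switch firmware's logic: the function names and MAC addresses are constructed for illustration, and only the port numbers come from the text.

```python
# Simplified model of the lockdown behaviour described in the text.
# It is not the switch firmware's logic; MAC addresses are constructed samples.

def lock_switch(seen, excluded=frozenset()):
    """Apply a lockdown. `seen` maps port -> set of MACs visible at lock time."""
    ports = {}
    for port, macs in seen.items():
        if port in excluded:
            ports[port] = ("open", frozenset())         # left out of the lockdown
        elif macs:
            ports[port] = ("locked", frozenset(macs))   # pinned to the MACs seen
        else:
            ports[port] = ("disabled", frozenset())     # no MAC seen: port shut
    return ports

def can_communicate(ports, port, mac):
    """True if a frame from `mac` would be accepted on `port` after the lock."""
    state, allowed = ports[port]
    return state == "open" or (state == "locked" and mac in allowed)

def unexcluded_blade_ports(blade_ports, excluded):
    """Pre-lock check: blade-facing ports still missing from the exclusion list."""
    return sorted(set(blade_ports) - set(excluded))

# Constructed sample MACs for the VMs on blade #1 and one standby VM.
VM1, VM2, VM3, VM4 = (f"02:00:00:00:01:{n:02X}" for n in range(1, 5))
STANDBY_VM = "02:00:00:00:02:01"
STANDBY_PORTS = [10, 12, 14, 16]   # RM1040 #2 ports named in the text

def run_scenarios():
    # RM1040 #1: port 7 carries three active VMs when the switch is locked.
    sw1 = lock_switch({7: {VM1, VM2, VM3}})
    # RM1040 #2: standby VMs are silent, so nothing is seen at lock time.
    silent = {p: set() for p in STANDBY_PORTS}
    sw2_default = lock_switch(silent)
    sw2_excluded = lock_switch(silent, excluded=frozenset(STANDBY_PORTS))
    return {
        "existing_vm_on_port7": can_communicate(sw1, 7, VM1),
        "fourth_vm_on_port7": can_communicate(sw1, 7, VM4),
        "switchover_without_exclusion": can_communicate(sw2_default, 10, STANDBY_VM),
        "switchover_with_exclusion": can_communicate(sw2_excluded, 10, STANDBY_VM),
        "ports_still_to_exclude": unexcluded_blade_ports(STANDBY_PORTS, [10, 12]),
    }

if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The last entry shows the commissioning check: with only ports 10 and 12 excluded, ports 14 and 16 would still be disabled by the lock.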

2 Emerson DeltaV Safety Switches
Emerson DeltaV Safety Switches are used on the Local Safety Network in conjunction with the DeltaV SIS with Electronic
Marshalling. DeltaV SIS with Electronic Marshalling is based on the CHARMs Smart Logic Solver (CSLS).
The DeltaV Safety Switches were originally introduced with firmware version 04.2.12.
The DeltaV Safety switches are not assigned IP addresses. There are no supported devices located on the Local Safety
Network that could be used to manage a DeltaV Safety Switch.
The HiDiscovery protocol, used by the DeltaV Smart Switch Command Center (SSCC) for the DeltaV Smart Switches, has been disabled on the DeltaV Safety Switches. So have the ingress and egress limits employed on the DeltaV Smart Switches.
Due to the difference in configuration, DeltaV Smart Switches and DeltaV Safety Switches are not interchangeable.
Below are examples of the DeltaV Safety Switches. There is a 19-inch rack mount SRM100 Safety Switch. This switch has two expansion slots, where additional 8-port switch modules may be installed.
There are different options on expansion modules (all expansion modules are 100 MB) that include:
• Eight RJ45 Twisted Pair ports
• Eight Fiber Optic ports – the fiber may be ordered as either multi-mode fiber or single mode fiber
• Eight Small Form Factor (SFP) ports – these ports will then be populated with SFP transceivers

There is also an eight port 24 volt DIN Rail mounted LSN20 Safety Switch. It comes with either 8 twisted pair ports or 6
twisted pair ports and two fiber optic ports. All ports are 100 MB. The fiber may be ordered as either multi-mode or single
mode fiber.
The following graphic shows the relationship between the DeltaV Control Networks and the DeltaV Local Safety Networks
and where they each apply.

Shown below is a sample screenshot from an SRM100 DeltaV Safety Switch that is updated, showing “09.0.15” with a
build date of “2018-09-24”.

Note: While this firmware release has the same security and correction improvements discussed in section 1 concerning firmware version 09.0.15 on the DeltaV Smart Switches, due to the unmanaged nature of the DeltaV Safety Switches (no IP address) the changes listed in section 1 do not apply to the safety switches. The purpose of the DeltaV Safety Switch 09.0.15 firmware release is primarily to maintain consistency with the DeltaV Smart Switches. The DeltaV Safety Switches also do not support the configuration of a monitor session.

Copyright (c) 2018 Emerson


All rights reserved
SRM100 Release 09.0.15
(Build date 2018-09-24 12:00)

System Name: SRM100-0DC114


Mgmt-IP : 0.0.0.0
Base-MAC : 00:22:E5:0D:C1:14
System Time: 2018-01-01 01:00:06

User:

DeltaV Safety Switches are updated using a process similar to that for the DeltaV Smart Switches.
Refer to AK-1000-0014: DeltaV Smart Switch and DeltaV Safety Switch Flash Upgrade Procedure for instructions.

Included in this release are upgrade file versions for the LSN20 and SRM100 Emerson Safety Switches.
• This release may be obtained from the following link:
https://gsuds.emerson.com/pickup/PSG/09_0_15_Safety_Switch_firmware.zip: (Size: 0 KB)
Checksum: E2C52AFAD2AE5E2C43113EEA514C7D81E9445A0DEE91E60A1C6D2260728AECC6
• Perform checksum verification on each of the downloaded files. Refer to the following tables for the expected checksums for each file.
Below are the DeltaV Safety Switch 09.0.15 checksums and file sizes. Refer to Section 1.0 Emerson DeltaV Smart
Switches for the procedure on verifying the checksums.

09.0.15 Safety Switch Checksum Table (build date 09/24/2018 12:00)

File Name                            SHA256 Checksum
09_0_15_Safety_Switch_firmware.zip   E2C52AFAD2AE5E2C43113EEA514C7D81E9445A0DEE91E60A1C6D2260728AECC6
nsLSNxx.bin                          FA63DD5738EB5FE939802969181EC01FDD36B75FECB8338FDC327C058964A2B3
nsSRM100.bin                         F45D249DF6F4974851FE7463D4C660848490381A907B5830AB415DEFE3DFEB7E

09.0.15 Safety Switch File Size Table (build date 09/24/2018 12:00)

File Name                            File Size
09_0_15_Safety_Switch_firmware.zip   9,758 KB
nsLSNxx.bin                          4,881 KB
nsSRM100.bin                         4,880 KB
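The checksum comparison can also be scripted so that a missing or altered file blocks the upgrade. This is an added example, not part of the Emerson article: it uses Python's hashlib rather than the Section 1.0 procedure, its function names are illustrative, and it assumes the zip and the two .bin files sit in one directory.

```python
import hashlib
import pathlib
import sys

# SHA256 values copied from the 09.0.15 Safety Switch Checksum Table.
EXPECTED = {
    "09_0_15_Safety_Switch_firmware.zip":
        "E2C52AFAD2AE5E2C43113EEA514C7D81E9445A0DEE91E60A1C6D2260728AECC6",
    "nsLSNxx.bin":
        "FA63DD5738EB5FE939802969181EC01FDD36B75FECB8338FDC327C058964A2B3",
    "nsSRM100.bin":
        "F45D249DF6F4974851FE7463D4C660848490381A907B5830AB415DEFE3DFEB7E",
}

def sha256_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so large images are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest().upper()

def verify(directory, expected=EXPECTED):
    """Return {file name: "OK" | "MISMATCH" | "MISSING"} for every expected file."""
    results = {}
    for name, want in expected.items():
        path = pathlib.Path(directory) / name
        if not path.is_file():
            results[name] = "MISSING"       # an absent file counts as a failure
        elif sha256_of(path) == want.strip().upper():
            results[name] = "OK"            # comparison ignores hex letter case
        else:
            results[name] = "MISMATCH"
    return results

def safe_to_flash(results):
    """Only true when every listed file is present and matches its checksum."""
    return bool(results) and all(status == "OK" for status in results.values())

if __name__ == "__main__":
    # Assumption: the zip and the two .bin files are in the directory given.
    outcome = verify(sys.argv[1] if len(sys.argv) > 1 else ".")
    for name, status in outcome.items():
        print(f"{status:8} {name}")
    sys.exit(0 if safe_to_flash(outcome) else 1)
```

The script exits non-zero on any MISSING or MISMATCH result, so it can gate a scripted upgrade step.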

Contact Information
Services are delivered through our global services network. To contact your Emerson local service provider, click Contact
Us. To contact the Global Service Center, click Technical Support.

Download the Sigcheck tool: Click This Link

To get information on how to use the Sigcheck tool: Click This Link


Complete Article Revision History:


Revision/Publish   Description of Revision
13 Dec 2018   Modified section 1.3.1 to correct the link for KBA NK-1800-0298.
07 Nov 2018   Corrected the checksum result details for bin files of 100MB and G-Bit Smart Switch Firmware 09.0.15. No change in installer files.
02 Nov 2018   Added download links for Smart Switch Firmware 09.0.15. Removed functional changes for firmware 08.0.13 and earlier. Added reference to Smart Switch Secure Shell (SSH)
11 Jul 2018   Added link to KBA NK-1800-0298 in the Note in Sections 1.1 and 1.2.
29 Jun 2018   Removed download link for the latest firmware 09.0.12. Added download link for 8.0.13. Added Note in Section 1.2. Updated Note in Section 1.3.2.6.
20 Dec 2017   Updated the KBA with the latest software version release 09.0.12 for DeltaV Smart Switches
14 Feb 2017   Added Emerson TFS312873 for resolved issues under build 08.0.13.
26 Oct 2016   Added Switch firmware release 08.0.13 and added section 1.1 and 1.2 differentiating the 100MB switches from Giga-Bit switches
16 Oct 2015   Updated KBA with the latest software version release 04.2.15 build 2015-05-04
07 Sep 2015   Added checksum code.
15 Sep 2014   Added the DeltaV Safety Switch in the Affected Products
04 Aug 2014   Added software version 04.2.14 build 03/07/2014
17 Dec 2012   Re-release of firmware 4.2.11
24 Oct 2012   Added information regarding firmware revision 4.2.11
31 Jul 2012   Added software version 04.2.11 build 10/14/2011
24 Mar 2010   Original release of article

©Emerson Automation Solutions 2009-2019. All rights reserved. For Emerson Automation Solutions trademarks and service marks, click this link to
see trademarks. All other marks are properties of their respective owners. The contents of this publication are presented for informational purposes
only, and while diligent effort has been made to ensure their accuracy, they are not to be construed as warrantees or guarantees, express or implied,
regarding the products or services described herein or their use or applicability. All sales are governed by our terms and conditions, which are
available on request. We reserve the right to modify or improve the design or specification of such products at any time without notice.
