
Whitepaper

Network solutions for tunnel automation

Understanding and connecting mission critical applications

Learn more about

• Comprehending industrial network technologies
• Cybersecurity through compliance (IEC 62443)
• Product and solutions overview
Whitepaper | Network solutions for tunnel automation

Summary

Abstract

This white paper concentrates on guidelines for connecting tunnel applications by discussing each pertinent network layer to meet the industrial requirements.

Purpose of this paper

The intention of this paper is to create a descriptive overview of all the required network technologies, protocols and mandatory components to create a secure, rapid and redundant network for tunnels.

Background

Whether we're talking about a tunnel that serves its respective purpose for a public highway or an underground connection for pedestrians and bikers to get to the other side of the river, a tunnel is an excavation that serves multiple beneficial purposes. You might assume that such construction has a simplistic architecture. Yet lots of preparation and calculations are required to even begin on tunnels. When entering a tunnel, you might only notice a handful of applications such as lighting and ventilation. However, a tunnel contains a complex combination of many different applications. Therefore, communication with all applications becomes an absolute necessity in order to create reliability, resiliency and sustainability. Utilizing the right network related equipment plays a crucial role in order to control and monitor all applications. Equipment such as PLCs, switches, cabling… are required to work under specific tunnel conditions to provide uninterrupted communication.

Content

Industrial controllers
Technical description
Layer 1 (L1)
Layer 2 (L2)
Layer 3 (L3)
Use case (Train Tunnel Project)
Products and solutions

PHOENIX CONTACT 2
1 Industrial controllers

[Figure: tunnel applications and their supply: fans (400V), variable message signs, signal lights, public address system, emergency exit signs with signal contacts (230V), sensors for flow velocity, visibility, CO2 detection and fire detection, and traffic detection. Legend: power supply; uninterruptible power supply; data / measurement and control signals.]

The majority of applications inside a tunnel are of industrial nature. Some examples of these applications are (emergency) lighting, pump stations, ventilation, gas detection, radar vehicle detection, …

Most industrial systems work using a central controller or PLC. This controller is the beating heart of the industrial application. It is able to retrieve data from sensors in the field, process this data and control devices based on these inputs.

The controller can use a network connection in order to communicate with a SCADA solution or to be remotely controlled. The connection to the sensors and devices in the field can be divided in 2 groups: Serial and Ethernet connections.

The first group uses a serial bus like RS232 or RS485 in order to talk to the end devices. This means the controller is connected directly with all its devices. This proven technology has been used for many years as the main communication technology.

The second group describes devices which have a network connection. This means all communication between the controller and these devices can be sent over the tunnel network. The main difficulty is that industrial communication protocols can require specific functionalities or hardware to be present in order to guarantee the real-time requirements or redundancies of the applications. Some examples are Profinet, EtherNet/IP, OPC UA, Modbus/TCP, …

At this moment, there is an ongoing shift from serial devices towards Ethernet connected devices. Due to the growing number of these network connected devices and their specific requirements, the importance of a good design of tunnel networks will continue to grow in the future.

2 Technical description

In order to comprehend all network functionalities, certain terms and topics must be discussed to clarify their purpose.

The OSI Model

Switches are used to create networks, linking network devices together and forwarding data from one location to another based on gathered information from the packets being transmitted. Information is organized to conform to the OSI (Open Systems Interconnection) seven-layer model, which is adhered to by networking vendors to ensure interoperability between products.

When taking a closer look at this model, it can be divided in 2 major parts. Layer 1 – 3 describe the basics of networks. Let's call these layers the "lower layers". Each of these layers is responsible for the basic functionalities of networks nowadays. We can link each of these layers to physical components. Layer 4 – 7 describe protocols which are built upon these lower layers. The end applications are responsible for these protocols. These applications are end-to-end and thus aren't aware of all network components which are located between each end node.

In this white paper, we focus on how to build a secure tunnel network and which components and technologies should be taken in consideration. This implies that we solely focus on the lower layers of the OSI model.

The OSI model

Upper layers (Application)

7 Application layer
• Defines interface to user processes
• Provides standardized network services

6 Presentation layer
• Specifies architecture independent data transfer format
• Encodes and decodes data

5 Session layer
• Manages user sessions and dialogues
• Controls establishment and termination of logical links between users

4 Transport layer
• Ensures delivery of files and messages

Lower layers

3 Network layer (Routers)
• Routes data to different LANs and WANs based on network address

2 Datalink layer (Switches)
• Transmits packets from node to node based on station address

1 Physical layer (Cabling)
• Defines physical means of sending data over network devices

3 Layer 1 (L1)

The physical layer is the lowermost layer of the OSI model. This layer is concerned with the hardware and its entire operation that is limited to sending and receiving bits (1s and 0s).

Network cabling

There are two cable types commonly used for Ethernet cabling: twisted pair and fiber-optic cabling. In general, the twisted-pair cabling is the most frequently used type of cabling. However, this type of cabling has some technical limitations. Fiber optic cabling can be used as an alternative. The usage of this type of cabling is increasing, especially in high performance networks.

Twisted-Pair cabling

A twisted-pair cable has four pairs of wires. These wires are twisted around each other to reduce crosstalk and outside interference. It comes in two versions, UTP (Unshielded Twisted-Pair) and STP (Shielded Twisted-Pair). The difference between them is that an STP cable has an extra layer of insulation that protects data from outside interferences. The main disadvantage of twisted-pair Ethernet is the distance limitation of 100 meters.

Shielded vs Unshielded

High quality shielded cable includes a drain wire to provide grounding that cancels the effects of EMI (electromagnetic interference). It is essential to use shielded jacks and couplers throughout STP cabling. When choosing between these two types in tunnels, it is always recommended to go for the shielded cabling since this type prevents interference and supports higher transmission rates across longer distances.

Cable category | CAT5e | CAT6A
Speed | 10/100 Mbps, 1 Gbps | 10/100 Mbps, 1/10 Gbps
Max. bandwidth | 100 MHz | 500 MHz
Cabling type | Adjusted STP or UTP (Shielded/Unshielded), both categories
Connector | RJ-45 | RJ-45

Fiber-Optic cabling

As opposed to twisted pair cabling, fiber optic cabling (also known as optical fiber) uses light instead of electricity to transmit signals. Naturally, light is the fastest method of transmitting information, but fiber-optic cabling has the additional benefit of being impervious to electrical interference. Since light meets very little resistance or low attenuation, you can run fiber-optic cables over very long distances without having to boost or clean the signal. Fiber optic also affects speed in a positive way; you can send signals at more than 10GB per second and even at that transmission rate, the signal is much cleaner than traditional electrical cabling. Fiber optics are generally used for connecting network segments, making short runs for high bandwidth connections e.g. cameras and connecting tunnels over long distances. Fiber optics isn't typically used for complete network wiring.


• Impervious to electromagnetic interference
• Infinite galvanic isolation against potential equalizing currents and in high voltage distribution
• Light cannot catch on fire (not a fire hazard)
• Less prone to damage in comparison to copper wires

OM (Optical Multimode fiber) & OS (Optical Single mode fiber)

Fiber optic cables are broadly categorized in two types – Single mode fiber and multimode fiber cables. The main difference between them is in the core diameter. OM multimode fibers have a much larger core size. The large core gives OM cables a higher light-gathering capacity compared to OS cables. OS cables require more expensive laser sources.

OS cables are typically used for long distance (up to 80km), higher bandwidth applications.

OM cables are typically used for short distance (up to 2km), data and audio/video applications in LANs.

There is no possibility to mix single mode and multimode fiber. Due to their size difference in the core and different light mode transmission, it is not recommended to combine them since it will result in a large amount of optical loss.

Optical Connector

An optical connector is a flexible key piece that is placed on each end of a fiber optic cable. A large variety of fiber connectors are available such as LC, SC, ST, FC, … Among them, the LC fiber optic connector is one of the most common types. The LC connector is a small form factor (SFF) connector, which is designed to join LC fibers where a connection or disconnection is required. LC connectors have single mode and multimode tolerances. Some advantages of the LC fiber connector include:

• System cost reduction. The LC connector is half the size of the traditional SC connector. Therefore, it can double fiber density in shelves and outlets.
• Polarized feature helps maintain the transmitting/receiving direction and assures high repeatability
• Anti-snag latch, which improves durability and reduces rearrangement work caused by the cross connection
• Time-saving for installation, because there is no need to install the field mountable connectors.

Optical Transceiver

The SFP (Small Form-factor Pluggable) transceiver is a widely used compact and pluggable module. This transceiver mainly acts as an interface between a networking device and its fiber optic cable. SFP uses an LC fiber optic connector for its interface. This module has a robust design and performs conversions between optical signals. They are flexible due to a wide range of detachable interfaces to multimode/single-mode fiber optics.

Patch panels

A patch panel or patch bay is a panel that houses cable connections. It contains Ethernet ports that are used to connect and manage incoming and outgoing LAN cables. The patch panel ports are configured to accommodate Ethernet cables in an enterprise network. It serves as a sort of static switchboard. Patch panels are recommended to have surge protection. This protects devices and applications against sudden high voltages. With the use of patch panels, troubleshooting will become easier, avoiding a time-consuming cabling issue. Its primary benefit is creating a structure in your large local network. This becomes necessary once a network expands. A patch panel has no other function except for acting as a connector.

Copper-based patch panels

Copper patch panels have the insulation displacement connector style on one side and 8-pin modular ports on the other. Wires coming into the panel are therefore terminated to the insulation displacement connector. On the opposite side, the 8-pin modular connector plugs into the port which corresponds to the terminated wires. With the copper patch panel, each pair of wires has an independent port.

Fiber optic patch panels

Fiber patch panels require two ports for a pair of wires. One port is responsible for the transmitting end while the other looks after the receiving end. A fiber optical cable needs to be split at one end in order to gain access to the individual fibers.

Power over Ethernet (PoE)

Power over Ethernet is a technology that enables electrical power to pass over Ethernet cabling at distances up to 100m. It is designed to provide end devices with sufficient power (depending on the PoE standard) to operate with no need for a local power source. This technology complements standard Ethernet communication without having an effect on the data transmission throughout a network.

A PoE system consists of a minimum of four pieces of equipment:

1. Power Sourcing Equipment (PSE)
A PSE is a device which supplies power to the rest of the system. It will draw power from its own conventional power source and provide power to the rest of the PoE system.

2. Powered Device (PD)
A PD is a device which receives power from the PSE device. It does not require its own conventional power source.

3. Ethernet cable
The Ethernet cable is the power and data transmission medium of a PoE system. It is used to provide the link between two devices enabling bi-directional communication and uni-directional supply of power.

4. Power Supply
There must be a power source from which the PSE draws power. Typically, a PoE system is powered by a nominal power source.

[Figure: power sourcing equipment feeding powered devices. Legend: fiber optic (FO), Ethernet, Power over Ethernet, power supply, fieldbus.]


Power feeding techniques

There are two different methods in which power can be fed into a PoE system: Alternative A (also known as Endspan or Mode A) and Alternative B (also known as Midspan or Mode B). Each alternative utilizes a different cable power technique to "inject" the power at the PSE end of the system. Alternative A uses a technique that supplies power via pairs of wires which are also used for data transmission (also called phantom feeding) and Alternative B uses a technique that supplies power via both unused wire pairs (also called spare pair feeding). The technique used depends entirely on the PSE utilized in the system; please note that all IEEE 802.3af/at/bt compliant PDs will support either of these methods. Phantom feeding provides power to the PD via the same Ethernet cable conductors as data. Spare pair feeding provides power to the PD via the spare wire pairs in an Ethernet cable.
[Figure A: switch/hub with power sourcing equipment (PSE) and powered end station with powered device (PD), connected over data pairs 1/2 and 3/6.]

[Figure B: the same arrangement, showing pins 4, 5, 7 and 8 in addition to data pairs 1/2 and 3/6.]


PoE Standards

IEEE Standard | IEEE 802.3af | IEEE 802.3at (PoE+) | IEEE 802.3bt (PoE++)
Power budget | Up to 15W | Up to 30W | Up to 60/90W
Voltage | 44 – 57 V DC | 50 – 57 V DC | 50 – 57 V DC

Typical applications: VoIP phones, wireless access points, PTZ cameras, industrial lighting

Why PoE?

The ability to transmit data and power over Ethernet cabling at significant distances creates many opportunities for network tunnel infrastructure:

Efficient network design
With a PoE system, there is no longer a requirement for power supplies to be positioned in close proximity to the PD. With the restrictions of power supply removed, the optimal placement of end devices can be considered.

Low cost installation
The amount of materials/equipment required for installations can be greatly reduced. End devices no longer need power supplies, extensive power cabling or power outlets. Reducing the usual necessary equipment also reduces the installation time and complexity and ultimately, eliminates potential points of failures in a tunnel.

Flexibility
The reduction of equipment required allows for the flexible deployment of networks; end devices can easily be relocated and temporary installations require much less time to implement.

Safety
Since PoE voltages are typically less than 60V DC, no licensed electrician is necessary.

Central power management
In a PoE system you can distribute power and data in many different ways. One possibility is to distribute power and data from a centered location. In tunnels, ring topologies are typically adopted, which results in the use of managed switches to provide efficient traffic management. Managed switches that support PoE can be used to remotely manage the power supplied to end devices, resetting the power if an end device is not responding, or time scheduling the power so that energy can be saved when the functionality of the end device is not required.

Power sourcing equipment

PoE Injector

PoE injectors are typically used when PoE is the only upgrade being made to the network, such as when adding IP phones or wireless access points to an existing non-PoE network. This avoids replacing switches that do not offer PoE but are still within their productive life cycles. Midspans may be located anywhere, if they are installed in a standards-compliant facility, such as a telecommunication room or enclosure, and are not installed as a part of a permanent link. The Injector also gives the opportunity to increase the voltage (i.e. from 24V DC to an acceptable PoE DC voltage range).


PoE Splitter

Splitters are generally used to divide the data and power from an existing PoE cable so power can be redirected into the end device using more conventional means, such as a DC power cable. This also allows 48V DC to be reduced to 24 V DC. They act as an intermediary device between a compliant PSE and a non-compliant PD.

PoE Switch

A PoE switch is a network component that has built in PoE injection. When connected with other network devices, the switch will detect whether they are PoE-compatible and automatically enable power. Managed PoE switches provide advanced network features and remote management capabilities. They are extremely useful when combined with PoE because the PoE power budget can be managed from a central location, typically via a website based graphical user interface (GUI). The switches use the original PoE standard (IEEE 802.3at), which provides up to 15 W (per port) to each powered device. There are more supported standards (IEEE 802.3af & bt), which can provide 30 W per port.

In conclusion, a PoE switch is an all-in-one box with no additional appliance with ports that needs to be used to manage both network and power.

4 Layer 2 (L2)

Layer 2 is responsible for physical addressing, error detection, and preparing data for the media. Since Layer 2 has a low cost and requires only switching, no routing components are necessary. This is an excellent way to assure a low latency. Bypassing virtual local area network (VLAN) security protocols and spoofing the media access control (MAC) addresses that identify network interfaces are typical vulnerabilities of this layer, and successful exploits can go on to compromise the security of the network layer (Layer 3). Filtering MAC addresses and ensuring that all wireless applications have authentication and encryption built in are common security strategies for this layer.

Switch

A fundamental layer 2 component for transporting data on a physical layer and performing error checking on each transmitted and received frame. Switching at Layer 2 of the OSI model involves forwarding or filtering packets based on the MAC destination address. Switches allow different nodes of a network to communicate directly with one another in a smooth and efficient manner.

When deciding what kind of switches are the most efficient for tunnels, you have to take some critical features into consideration:

• Switches are required to be managed to offer full management capabilities and security features
• Ethernet port number should completely depend on the amount of tunnel applications
• Fiber optic port number should be considered to cover long distances between cabinets in a tunnel

LAN (Local Area Network)

In a tunnel, each end-device that requires a form of data communication is connected to a programmable controller. These controllers are situated throughout a tunnel and are interconnected to L2 switches for communication possibilities. These switches are connected to each other to create a specific ring or mesh shaped topology. Thus, all these devices are indirectly connected to share information and resources. This is what makes a local area network.

Network redundancy

For a very good reason, an airplane crossing the ocean must have more than one engine. In the same way, if a tunnel network failure creates a safety risk or other possible major loss, backup systems are necessary to reduce the risk. Many current intelligent traffic systems require a 24-hour service and to provide it is not as easy as it sounds. Since each system or transmission medium has its life cycle and rate of failure, a typical network redundancy is required. Its purpose in a tunnel is to react to failures in a desired way to recover. Network outages can be quite inconvenient, but they can result in expensive costs to tunnels that rely heavily on IT staff to run their day-to-day tasks. Tunnels need connectivity for their ongoing operations. Some networks, such as those used by emergency services, could be life critical.


[Figure: switches connected in a fiber optic ring, plus a redundant ring.]

MRP and RSTP comparison

Redundancy | MRP | RSTP
Topology | Ring | Ring, Mesh
Fail over time vs number of switches | Nearly independent | N * number of switches
Configuration complexity | Simple (Master & Slave) | Medium (root bridge, priority)
Number of switches in a ring | Max. 50 | Max. 40
Deterministic configuration | Yes (ca. 200ms) | Not guaranteed
Applications | PROFINET (Industrial/process automation) | Office-adjusted automation


Media Redundancy Protocol (MRP)

MRP is a network redundancy protocol originally developed for high availability industrial networks. This protocol is specified for ring topologies with a number of switches not exceeding 50. MRP guarantees defined network reconfiguration time (< 200ms) in case of a network failure. The MRP protocol requires the creation of a network ring with switches inside a tunnel. One of the switches takes on the role of Media Redundancy Manager (MRM) – it acts as the 'main switch' that controls its network ring. This switch creates a data traffic root and blocks one port to prevent data collisions. The MRM controls network ring integrity by continuously sending data packets in both ring directions, irrespective of the blocked port(s). The rest of the switches in the ring are considered slave switches that transmit further data packets. If the MRM doesn't receive previously sent packets from the other side of the ring, this is considered a network failure. However, to provide better reconfiguration times, even lower than 200ms, MRP nodes do not only transmit data packets sent by the MRM but also send extra information regarding the status of their ring ports.

Rapid Spanning Tree Protocol (RSTP)

RSTP, an enhanced version of STP, operates in a range of topologies, supporting a higher number of switches and ameliorated switchover times. This type of redundancy reduces network topologies built with bridges and containing ring structures due to redundant links to a tree shaped structure. If there is a path interruption because of an inoperable network component, RSTP reactivates the previously deactivated path. RSTP determines a bridge that represents the RSTP tree structure's base. This bridge is called the root bridge. Since RSTP was not primarily developed for ring topologies, its design does exhibit a few disadvantages in comparison to MRP. For network devices that support both MRP and RSTP, and have no installation requirements that prescribe specific protocols, MRP is preferable to RSTP. It should also be noted that RSTP contains built-in overload protection to prevent individual network segments from being overloaded by large numbers of event-driven BPDUs (Bridge Protocol Data Units). In a worst-case scenario, this overload protection has the effect of greatly increasing the reconfiguration time caused by lost BPDUs, up to the order of seconds. RSTP does not guarantee deterministic reconfiguration (failure behavior). Reaction times depend completely on the failure location and individual configuration in the network. This can occur quite frequently in meshed networks, particularly in the case of complex topologies with a high number of switches and media connections. One great benefit of RSTP is its support for all kinds of meshed topologies. The resulting flexibility is a clear advantage over the stringent restrictions that are imposed by ring protocols such as MRP and ring installations.
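The MRP ring behaviour described above (the MRM blocks one ring port, keeps sending test packets around the ring, and treats their loss as a ring failure), as an added example that is not part of the whitepaper or of any vendor implementation. It is a simplified model: the class and method names, the six-switch ring, the 20 ms test interval and the three-missed-frames threshold are assumptions chosen for illustration.

```python
from collections import deque


class MrpRing:
    """Simplified model of an MRP ring; switch 0 acts as the MRM."""

    TEST_INTERVAL_MS = 20   # assumed test-frame interval, not from the paper
    MAX_MISSED_TESTS = 3    # assumed number of lost test frames tolerated

    def __init__(self, n):
        if n < 3:
            raise ValueError("a ring needs at least three switches")
        self.n = n
        self.links = {frozenset((i, (i + 1) % n)) for i in range(n)}
        self.broken = set()   # physically failed links
        self.held = set()     # repaired links still blocked for data
        self.mrm_link = frozenset((n - 1, 0))  # link behind the MRM's blocked port
        self.ring_port_blocked = True
        self.missed = 0

    def break_link(self, a, b):
        self.broken.add(frozenset((a, b)))

    def repair_link(self, a, b):
        # Simplification: a repaired link carries test frames at once but no
        # data until the MRM has closed the ring again, so no loop can form.
        link = frozenset((a, b))
        if link in self.broken:
            self.broken.remove(link)
            self.held.add(link)

    def test_frame_returns(self):
        # Test frames pass blocked ports; only a physical break stops them.
        return not self.broken

    def tick(self):
        """One test interval at the MRM; returns True while its port is blocked."""
        if self.test_frame_returns():
            self.missed = 0
            self.ring_port_blocked = True   # ring closed: block to prevent a loop
            self.held.clear()
        else:
            self.missed += 1
            if self.missed >= self.MAX_MISSED_TESTS:
                self.ring_port_blocked = False  # ring open: use the spare path
        return self.ring_port_blocked

    def data_links(self):
        active = self.links - self.broken - self.held
        if self.ring_port_blocked:
            active.discard(self.mrm_link)
        return active

    def reachable_from(self, start=0):
        """Switches that data traffic from `start` can reach (breadth-first)."""
        seen, queue = {start}, deque([start])
        links = self.data_links()
        while queue:
            node = queue.popleft()
            for link in links:
                if node in link:
                    (other,) = link - {node}
                    if other not in seen:
                        seen.add(other)
                        queue.append(other)
        return seen

    def has_loop(self):
        # A ring of n switches loops exactly when all n links forward data.
        return len(self.data_links()) == self.n

    def detection_time_ms(self):
        return self.TEST_INTERVAL_MS * self.MAX_MISSED_TESTS


def failover_demo(n=6):
    """Return (state, reachable switches, loop?) for each stage of a link failure."""
    ring = MrpRing(n)
    steps = [("ring closed", len(ring.reachable_from()), ring.has_loop())]
    ring.break_link(2, 3)
    steps.append(("link 2-3 down", len(ring.reachable_from()), ring.has_loop()))
    for _ in range(MrpRing.MAX_MISSED_TESTS):
        ring.tick()
    steps.append(("MRM port unblocked", len(ring.reachable_from()), ring.has_loop()))
    ring.repair_link(2, 3)
    ring.tick()
    steps.append(("ring closed again", len(ring.reachable_from()), ring.has_loop()))
    return steps


if __name__ == "__main__":
    for step in failover_demo():
        print(step)
```

With these assumed parameters the MRM notices the break after 60 ms, which leaves the rest of the 200 ms budget named above for the switches to relearn addresses.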

5 Layer 3 (L3)

The final media layer supervises the routing, control and logical addressing of data and traffic on the network. A considerable threat to application security on this layer is IP address or packet spoofing, where data packets originating from malicious sources are cloaked so that they appear to come from legitimate addresses within a network. Route and anti-spoofing filters in conjunction with strongly configured firewalls can provide optimal security on this layer.

Router / L3 Switch

While switches allow different devices on a network to communicate, routers allow communication between different networks. Forwarding and filtering of packets is based on specific protocol information and communication is contained within specific IP subnets. Some of the reasons for utilizing Layer 3 routing are network segmentation, broadcast firewall security, intelligent wide area route connectivity as well as overall relief from bandwidth congestion.

The first feature you would expect to see on a switch that makes it no longer strictly L2 is static routing. The next stand out feature on a L3 switch is dynamic routing. The ability to support Dynamic Routing Protocols is one of the true identifiers of a Layer 3 switch. Dynamic Routing Protocols are used to link large networks together and share routing tables between them. They can also allow for dynamic routing of multicast traffic on the network.
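The filters this paper names for Layer 2 (MAC filtering, VLAN separation) and Layer 3 (anti-spoofing), combined into one per-port ingress check; this is an added example, not code from the whitepaper or from any switch firmware. The VLAN numbers 11, 22 and 33 follow the paper's segmentation figure; port names, MAC addresses, subnets and the function names are assumptions, and the frames are constructed test data.

```python
import ipaddress
import struct
from dataclasses import dataclass

ETHERTYPE_VLAN = 0x8100   # IEEE 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


@dataclass(frozen=True)
class PortPolicy:
    vlan: int                       # access VLAN assigned to the port
    subnet: ipaddress.IPv4Network   # only valid source range for the segment
    allowed_macs: frozenset         # MAC allow-list for the port


# Constructed policy: VLAN ids from the paper's figure, everything else assumed.
POLICY = {
    "port1": PortPolicy(11, ipaddress.ip_network("10.0.11.0/24"),
                        frozenset({"02:00:00:00:11:01"})),   # ventilation
    "port2": PortPolicy(22, ipaddress.ip_network("10.0.22.0/24"),
                        frozenset({"02:00:00:00:22:01"})),   # cameras
    "port3": PortPolicy(33, ipaddress.ip_network("10.0.33.0/24"),
                        frozenset({"02:00:00:00:33:01"})),   # traffic displays
}


def build_frame(src_mac, src_ip, dst_ip="10.0.0.1", vlan_tag=None):
    """Build a constructed Ethernet/IPv4 test frame (IP checksum left at zero)."""
    eth = bytes.fromhex("020000000001") + bytes.fromhex(src_mac.replace(":", ""))
    if vlan_tag is not None:
        eth += struct.pack("!HH", ETHERTYPE_VLAN, vlan_tag & 0x0FFF)
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip


def check_frame(port, frame):
    """Return (verdict, reason) for a frame received on an access port."""
    policy = POLICY.get(port)
    if policy is None:
        return ("drop", "port has no policy")
    if len(frame) < 14:
        return ("drop", "truncated Ethernet header")
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    # Layer 2: the switch assigns the VLAN; end devices must send untagged frames.
    if ethertype == ETHERTYPE_VLAN:
        return ("drop", "tagged frame on access port")
    # Layer 2: MAC filtering against the port's allow-list.
    if src_mac not in policy.allowed_macs:
        return ("drop", "source MAC not on allow-list")
    if ethertype != ETHERTYPE_IPV4:
        return ("forward", f"VLAN {policy.vlan}, non-IPv4")
    header = frame[14:34]
    if len(header) < 20 or header[0] >> 4 != 4:
        return ("drop", "malformed IPv4 header")
    # Layer 3: anti-spoofing, the source must belong to the segment's subnet.
    src_ip = ipaddress.IPv4Address(header[12:16])
    if src_ip not in policy.subnet:
        return ("drop", "source IP outside segment subnet")
    return ("forward", f"VLAN {policy.vlan}")


if __name__ == "__main__":
    fan = "02:00:00:00:11:01"
    samples = {
        "expected ventilation traffic": build_frame(fan, "10.0.11.20"),
        "camera-range source on port1": build_frame(fan, "10.0.22.5"),
        "unknown device on port1": build_frame("02:00:00:00:99:99", "10.0.11.21"),
        "tagged frame on port1": build_frame(fan, "10.0.11.20", vlan_tag=22),
    }
    for label, frame in samples.items():
        print(label, "->", check_frame("port1", frame))
```

A MAC allow-list identifies a device but does not authenticate it, which is why the source-subnet check runs as a second, independent condition.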

[Figure: tunnel control center connected to the tunnel network over a WAN. Legend: fiber optic (FO), Ethernet, Power over Ethernet, fieldbus.]


WAN (Wide Area Network)

WAN is a typical network connection between multiple networking devices over a large geographical area. The connection extends over a large geographical distance like between different cities or even countries. A WAN network can be a collection of different tunnels that established a connection to a main tunnel control center (TCC). The WAN network is too complex to be managed by private administrators. Therefore, WANs usually have a public ownership, where tunnel network devices in this network can be connected either by cables or through a wireless connection. Therefore, a Layer 3 switch or a router will be required to a tunnel in order to create communication from the TCC and vice versa. With the implementation of routing features from a router, we can establish a remote connection from the TCC to the desired tunnel. The paths from the tunnel to a desired tunnel control center must be discussed during the design phase.

Virtual Router Redundancy Protocol (VRRP)

Router or gateway high availability is a necessity in tunnels where loss of connectivity is directly connected to loss of crucial communication.

[Figure: VRRP redundancy example: government / public network above, Layer 3 at automation level, Subnetwork 1 and Subnetwork 2 below. Legend: fiber optic (FO), Ethernet, Power over Ethernet, fieldbus.]


When a router is defined as a static default gateway and no other dynamic routing protocol is being utilized, the gateway becomes a critical point in the network. If that router fails, that critical link would be broken and all required network devices in a tunnel, for example, would not be providing or receiving any data in different subnetworks. Therefore, it should be taken into consideration to set up another router or routers as backup(s) that can serve as the static default gateway.

It is possible to tell switches in a tunnel to use a different gateway by adding extra interfaces and routes on the switches (which adds to the complexity of the network and also slows down network communication at the switch level). Another alternative is to possess a virtual gateway or router that functions independently of any physical device. The virtual router acts as a standalone network gateway for all network devices in a tunnel's LAN network. VRRP eliminates the single point of failure inherent in the static default routed environment. VRRP specifies a form of an 'election' protocol that dynamically assigns responsibility for a virtual router to one of the network devices in a tunnel. The physical router controlling the IP address associated with a virtual router is called the Master, and forwards packets sent to those IP addresses. When the master becomes unavailable, a Backup physical router takes the place of the master. Utilizing VRRP guarantees network availability, stability and continuity.
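The Master/Backup election described above, as an added example that is not part of the whitepaper. It follows the priority and timer rules of VRRP version 2 (RFC 3768); the router names, addresses, priorities and function names are assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass

ADVERT_INTERVAL_S = 1.0   # RFC 3768 default advertisement interval


@dataclass
class VrrpRouter:
    name: str
    ip: str            # primary address on the tunnel LAN (constructed)
    priority: int      # 1-254 for Backups; a higher value is preferred
    alive: bool = True

    def master_down_interval(self):
        """Seconds without advertisements before this Backup takes over."""
        skew = (256 - self.priority) / 256   # higher priority, shorter wait
        return 3 * ADVERT_INTERVAL_S + skew


def elect_master(routers):
    """Highest priority wins; equal priorities fall back to the higher address."""
    alive = [r for r in routers if r.alive]
    if not alive:
        return None
    return max(alive, key=lambda r: (r.priority, int(ipaddress.ip_address(r.ip))))


def fail_master(routers):
    """Fail the current Master; return (new Master, seconds until takeover)."""
    old = elect_master(routers)
    if old is None:
        return (None, None)
    old.alive = False
    new = elect_master(routers)
    if new is None:
        return (None, None)
    # The best Backup has the shortest timer, so it is the first to take over.
    return (new, new.master_down_interval())


def demo():
    group = [
        VrrpRouter("R1", "10.0.11.2", 200),
        VrrpRouter("R2", "10.0.11.3", 150),
        VrrpRouter("R3", "10.0.11.4", 100),
    ]
    first = elect_master(group).name
    new, delay = fail_master(group)
    group[0].alive = True   # R1 returns and, with preemption, is Master again
    return (first, new.name, delay, elect_master(group).name)


if __name__ == "__main__":
    print(demo())
```

End devices keep the virtual router's address as their default gateway throughout, so the takeover needs no change on the devices in the tunnel.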

5 Network segmentation (VLANs)

Splitting a network into smaller (virtual) networks, each being a network segment, brings advantages such as boosting performance and improving security. When unauthorized users gain access to your network, segmentation can provide the efficient limitation to prevent further movement across a network. Segmentation also reduces packet-sniffing attempts, which are used by outside agitators to capture network traffic at the Ethernet frame level in order to retrieve sensitive data. Segmentation is best visualized as a port that can accept a variety of devices. The port remains nonfunctional until a device is introduced. Once a specific device is connected, the information on it, such as a MAC address or other identifier, gets recognized.

[Figure: Network segmentation (VLANs) example. VLAN 11 – Ventilation, VLAN 22 – Cameras, VLAN 33 – Traffic displays. Devices shown: Router, Switch. Legend: LWL / FO, Ethernet, Power over Ethernet, Fieldbus.]

Virtual Private Networks (VPN)

A Virtual Private Network (VPN) provides a simple, controllable and secure way of connecting to the Internet. A VPN creates a secure, encrypted connection just like a tunnel between the user and the network server. In a VPN, all network traffic is passed through a protected VPN tunnel, and outsiders are unable to track a user continuously. In this way, both the data and privacy are protected while being connected to the Internet. Encryption through VPN is not foolproof; however, it is still the most efficient method of keeping users’ identities unknown to hackers or malicious software. A highly skilled hacker can always breach security through the internet connections; however, a VPN can protect against mass data collection and casual access to personal data for commercial benefit or targeted attack. A VPN is very useful for users connecting on public internet networks, because it can hide the IP address of users, thereby preventing continuous tracking of devices. A VPN can also be used for protecting internet traffic. In general, a VPN is very effective at encrypting all internet traffic and can ensure that all data is kept hidden.

[Figure: VPN tunnel. Overview of a VPN connection between Tunnel control center and tunnel]

Cyber security in a tunnel

IEC 62443 Standards – a cornerstone of industrial cyber security

When thinking of cyber threats, we immediately think of identity theft and other cyber-attacks affecting sensitive information technology (IT). However, cyber threats to operational technology (OT) systems can affect critical infrastructure and might result in serious consequences. Systems that control the operations of chemical plants, water/utilities, power, … all face cyber threats, especially if systems are connected to the internet. Cyber security is an essential part of critical infrastructure. Due to the ever-increasing connectivity of Industrial Control Systems (ICS), the attack surface becomes larger.

ISA/IEC 62443 is a series of published international standards, developed by the ISA99 committee and adopted by the International Electrotechnical Commission (IEC), that focuses on operational technology (OT) and covers all aspects of security (processes, people, technology). It addresses the different roles and responsibilities of the asset owner, operator, maintainer, integrator and product supplier. The process of the standard results in a collection of documentation, procedures and technologies. The objective of the standard is to reduce the risk, including prevention or mitigation of cyber-attacks.

By complying with the IEC 62443 series of standards, you protect your tunnel operational systems against vulnerabilities. The compliance report gives insight into the current maturity of the tunnel controls that you wish to be assessed against. Because the framework consists of different modules, you can determine which one is more applicable. Since the process is a life cycle, it does not end at the monitor and maintaining phase. The cycle is repeated with the goal of improving cybersecurity maturity and getting as close to the defined target security levels as possible.

[Figure: ISO 27000 (information security management systems, IT requirements) and IEC 62443 (industrial network and system security, OT) set against the network levels Office IT-Network, Factory Backbone-Network, Production-Network (DMZ), ICS (Industrial Control Systems) and Machine-Network. Caption as printed: Overview of a VPN connection between Tunnel control center and tunnel]

Parts of the IEC 62443 series

General
• ISA-62443-1-1: Concepts and models
• ISA-TR62443-1-2: Master glossary of terms and abbreviations
• ISA-62443-1-3: System security conformance metrics
• ISA-TR62443-1-4: IACS security life-cycle and use-cases

Policies and procedures
• ISA-62443-2-1: Security program requirements for IACS asset owners
• ISA-62443-2-2: IACS security program ratings
• ISA-TR62443-2-3: Patch management in the IACS environment
• ISA-62443-2-4: Security program requirements for IACS service providers
• ISA-TR62443-2-5: Implementation guidance for IACS asset owners

System
• ISA-TR62443-3-1: Security technologies for IACS
• ISA-62443-3-2: Security risk assessment and system design
• ISA-62443-3-3: System security requirements and security levels

Component
• ISA-62443-4-1: Secure product development lifecycle requirements
• ISA-62443-4-2: Technical security requirements for IACS components

Cyber security goals:

• Recognize all risks from devices – list all risks and educate all necessary parties about such risks.
• Leverage standards to ensure life cycle security – ensure compliance with relevant industry standards.
• Support industrial cybersecurity initiatives – comprehend and support industry security efforts.
• Address deployment and update risks – verify all systems are properly installed, patched and maintained.
• Instruct key personnel in security – for example, ensure all engineers understand and embrace security as a design priority.
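For the VLAN plan in this chapter's segmentation figure (VLAN 11 ventilation, VLAN 22 cameras, VLAN 33 traffic displays), the following added example, which is not part of the whitepaper, parses 802.1Q tags from frames captured on a trunk link and reports devices that appear outside their assigned segment. The MAC addresses, the device inventory and the sample frames are constructed assumptions.

```python
"""Check captured Ethernet frames against a VLAN assignment plan.

Constructed example: VLAN IDs follow the whitepaper's figure; the MAC
addresses, inventory and frames are made up. Frames are assumed to come
from a tagged trunk port, so every planned device should carry a tag.
"""
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

VLAN_NAMES = {11: "Ventilation", 22: "Cameras", 33: "Traffic displays"}

# Assumed inventory: source MAC address -> VLAN the device belongs to.
INVENTORY = {
    "02:00:00:00:11:01": 11,
    "02:00:00:00:22:01": 22,
    "02:00:00:00:33:01": 33,
}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame):
    """Return addresses, VLAN ID (None if untagged), priority and EtherType."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid = pcp = None
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid = tci & 0x0FFF   # low 12 bits: VLAN identifier
        pcp = tci >> 13      # top 3 bits: priority code point
    return {"dst": mac_str(dst), "src": mac_str(src),
            "vid": vid, "pcp": pcp, "ethertype": ethertype}


def check_frame(frame, inventory=INVENTORY):
    """Return a finding string, or None if the frame matches the plan."""
    info = parse_frame(frame)
    expected = inventory.get(info["src"])
    if expected is None:
        return f"{info['src']}: device not in inventory (seen on VLAN {info['vid']})"
    if info["vid"] is None:
        return f"{info['src']}: untagged frame on trunk, expected VLAN {expected}"
    if info["vid"] != expected:
        seen = VLAN_NAMES.get(info["vid"], "unassigned")
        return (f"{info['src']}: seen on VLAN {info['vid']} ({seen}), "
                f"expected VLAN {expected} ({VLAN_NAMES[expected]})")
    return None


def audit(frames, inventory=INVENTORY):
    """Check every frame and return the list of findings."""
    return [f for f in (check_frame(fr, inventory) for fr in frames) if f]


def make_frame(src, vid=None, ethertype=0x0800, payload=b"\x00" * 46):
    """Build a constructed sample frame (broadcast destination)."""
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return (bytes.fromhex("ffffffffffff") + bytes.fromhex(src.replace(":", ""))
            + tag + struct.pack("!H", ethertype) + payload)


SAMPLE_FRAMES = [
    make_frame("02:00:00:00:11:01", 11),   # ventilation controller, correct
    make_frame("02:00:00:00:22:01", 11),   # camera on the ventilation VLAN
    make_frame("02:00:00:00:99:99", 33),   # device missing from the inventory
    make_frame("02:00:00:00:33:01"),       # traffic display without a tag
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FRAMES):
        print(finding)
```
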

6 Network management system

Tunnel applications are of critical importance. The trend is towards larger, more complex networks supporting more applications and more users. As these tunnel applications grow in scale, two facts become painfully evident:

• Each tunnel network and its associated resources become indispensable to tunnel control centers
• More things can go wrong, disabling the network or a portion of the network or degrading performance to an unacceptable level

A large tunnel network cannot be put together and managed by human effort alone. The complexity of such infrastructure dictates the use of automated network management systems (NMS). The increasing decentralization of network services is exemplified by the increasing importance of workstations. Client/Server computing makes coherent and coordinated network management increasingly difficult. In such complex information systems, significant network assets are dispersed far from network management personnel.

For any tunnel network environment, what is needed is an NMS that includes a comprehensive set of data gathering and control tools that is integrated with the network hardware. An NMS is designed to view an entire tunnel network infrastructure as a unified architecture, with addresses and labels assigned to each point/node and the specific attributes of each element and link known to the NMS. The active elements of the tunnel network provide regular feedback of status information to the tunnel control center. Each network component in a tunnel contains a collection of software devoted to the network management task:

• Collect statistics on communications and network-related activities
• Respond to commands from the tunnel control center, including commands to:
-- Transmit collected data to the tunnel control center
-- Change a parameter (e.g. a timer used in a transport protocol)
-- Provide status information
-- …
• Send messages to the tunnel control center when local conditions undergo a significant change.

[Figure: Overview of a VPN connection between Tunnel control center and tunnel]

Simple Network Management Protocol (SNMP) was developed for use as a network management tool for networks operating TCP/IP. The model of network management that is used for SNMP includes the following elements:

• Management station / Manager (interface between human network manager and NMS)
• Agent (Hosts, bridges, routers…)
• Management information base (Collection of objects from a manageable node)
• Network management protocol (SNMP)

Many of the functional deficiencies of SNMP were addressed in SNMPv1/v2. To correct the security deficiencies, SNMPv3 was issued as a set of proposed standards. SNMPv3 provides three important services that are crucial to any critical infrastructure (authentication, privacy and access control).
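To see which of these services a device actually uses on the wire, the following added example, which is not part of the whitepaper, reads the version and, for SNMPv3, the msgFlags field from captured SNMP messages and reports anything weaker than authentication with privacy. The sample messages, including the community string "public", are constructed inline.

```python
"""Classify captured SNMP messages by version and SNMPv3 security level.

Constructed example: the sample messages are built inline for
illustration and are not captures from a real tunnel network.
"""


def read_tlv(buf, pos=0):
    """Read one BER element; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length


def read_int(buf, pos):
    tag, value, pos = read_tlv(buf, pos)
    if tag != 0x02 or not value:
        raise ValueError("expected INTEGER")
    return int.from_bytes(value, "big", signed=True), pos


def classify(message):
    """Return version, security level and a finding (None when acceptable)."""
    tag, body, _ = read_tlv(message)
    if tag != 0x30:
        raise ValueError("not an SNMP message (no outer SEQUENCE)")
    version, pos = read_int(body, 0)
    if version in (0, 1):
        tag, _community, _ = read_tlv(body, pos)
        if tag != 0x04:
            raise ValueError("expected community OCTET STRING")
        return {"version": "v1" if version == 0 else "v2c", "level": "community",
                "finding": "community string sent in cleartext, no encryption"}
    if version != 3:
        raise ValueError(f"unknown SNMP version field {version}")
    tag, header, _ = read_tlv(body, pos)          # msgGlobalData
    if tag != 0x30:
        raise ValueError("expected msgGlobalData SEQUENCE")
    _msg_id, hpos = read_int(header, 0)
    _max_size, hpos = read_int(header, hpos)
    tag, flags, _ = read_tlv(header, hpos)        # msgFlags, one octet
    if tag != 0x04 or len(flags) != 1:
        raise ValueError("expected one-octet msgFlags")
    auth, priv = bool(flags[0] & 0x01), bool(flags[0] & 0x02)
    if priv and not auth:
        raise ValueError("invalid msgFlags: privacy without authentication")
    level = "authPriv" if priv else "authNoPriv" if auth else "noAuthNoPriv"
    finding = {"authPriv": None,
               "authNoPriv": "authenticated but not encrypted",
               "noAuthNoPriv": "SNMPv3 without authentication or privacy"}[level]
    return {"version": "v3", "level": level, "finding": finding}


def tlv(tag, payload):
    """Encode a short-form TLV for the constructed samples (< 128 bytes)."""
    return bytes([tag, len(payload)]) + payload


def sample_v2c():
    """Constructed SNMPv2c GetRequest with community 'public'."""
    pdu = tlv(0xA0, tlv(0x02, b"\x01") + tlv(0x02, b"\x00")
              + tlv(0x02, b"\x00") + tlv(0x30, b""))
    return tlv(0x30, tlv(0x02, b"\x01") + tlv(0x04, b"public") + pdu)


def sample_v3(flags):
    """Constructed SNMPv3 message header with the given msgFlags octet."""
    header = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x02, b"\x05\xdc")
                 + tlv(0x04, bytes([flags])) + tlv(0x02, b"\x03"))
    return tlv(0x30, tlv(0x02, b"\x03") + header + tlv(0x04, b"") + tlv(0x04, b""))


if __name__ == "__main__":
    for msg in (sample_v2c(), sample_v3(0x00), sample_v3(0x05), sample_v3(0x07)):
        print(classify(msg))
```
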

7 Network performance monitoring (NPM)

The increasing demand of a proper network performance should also be acknowledged and is more important than ever before. When delivering services and applications for tunnels, network downtime, bandwidth issues and bottlenecks can quickly escalate into a serious issue. Pro-active network performance management solutions that detect and diagnose performance issues are the best way to ensure a solid network infrastructure for tunnels. The performance of a network can never be fully modeled, so measuring network performance before, during and after updates are made and monitoring performance on an ongoing basis are the only valid methods to fully ensure the quality of a network. While measuring and monitoring network performance parameters are essential, the interpretation and actions stemming from these metrics are just as critical to understand.

When looking for a tailor-made solution for monitoring the performance of a network infrastructure, please feel free to contact the authors of this white paper.

[Figure: Network performance monitoring]

Synopsis

If we can summarize our discussed topics, a tunnel network with its components should have the following design:

In a tunnel, there are two layer 3 switches. It is recommended to utilize two of these L3 switches to ensure VRRP redundancy. Both switches are connected to each fiber optic ring at different nodes. This is done to prevent single point of failure. The amount of fiber optic rings is a matter of size and preference. All connections coming and going to the layer 3 switches are realized by fiber optic cables with SFP modules and LC connectors. All layer 2 switches in a ring are connected to each other through the same type of cabling, connector and transceiver. The ring topology is a common technique to ensure redundancy. All connections to end-applications are done with CAT6A Fast Ethernet cables. The same type of cabling is applied to PoE applications but is required to have a PoE module such as a PoE switch or injector. When multiple tunnels are involved, they will all have to be connected to the tunnel control network which reports to tunnel control centers for managing and monitoring purposes.

[Figure: Tunnel network design. Labels: Tunnel #1, Tunnel #n, Tunnel control center, Redundant tunnel control center, Redundant tunnel control network, Server Room, L3 Switch, L2 Switch, Fiber-optic ring #1, Fiber-optic ring #n, PoE Injector, PoE Camera, Programmable controller, Lighting, Ventilation, Application #n. Legend: Fiber-optic, Ethernet, Power over Ethernet, Fieldbus.]

8 Use case (Train Tunnel Project)

The Train Tunnel Project is a key example of why a good network design is essential for secure and reliable communication in a tunnel infrastructure. A number of tunnel techniques were connected to the network:

[Figure: Train Tunnel Project network. Labels: Firecentral, Technical room 1, Technical room 2, Server room, L2 Switch, L3 Switch, Primary BRS and Backup BRS (PN Master), Primary DEG+TL and Backup DEG+TL (PN Master), Railway tunnel, MSP-1, MSP-50, MSP-51, MSP-100, MSP-x, TL, Sensors, Lighting, Emergency exit, every 20 m. Legend: LWL / FO, Ethernet, Power over Ethernet, Fieldbus. Caption as printed: Network performance monitoring]

• TMS: Tunnel Management System
• BRS: Automated Fire Scenario’s
• DEG: Dynamic Evacuation Guidance
• Development of static evacuation signs with built in acoustic alarming and integration of SwareFlex emergency lighting
• Emergency doors
• Train localisation
• RWA: Smoke- and heat extraction
• HVAC: Heat, Ventilation and Airconditioning
• Integration of sump pits - smoke curtains – elevators – excavators - platform lighting
• Main tunnel lighting and tunnel entrance lighting
• T-switches - failsafe off-switching of the catenary (ProfiSafe)
• Integration of L20 measurements and slumber luminance

For the Train Tunnel Project, a backbone communication using PROFINET was chosen. The network was designed with:

• 1 Backbone ring:
-- >20 switches
-- >8 Remote field controllers
-- >2 redundant SQL Servers

• 12 Subrings:
-- ~100 switches
-- >100 Programmable controllers
-- 13km or >2500 DEG-profiles

Key to the design was redundancy and a secure communication, which also translates into ring networks and redundant layers and even servers. Designing a network for a tunnel infrastructure needs to take care of all communication needs, considering safety, security and bandwidth requirements, over a fail-safe, redundant design.

9 Products and solutions

Phoenix Contact has a whole portfolio of suitable components that are applicable for tunnel solutions. Every tunnel might have an entrance and exit but not all tunnels require the same provided network technology and components.

Cabling and connectors

Complex automation processes call for high volumes of data at ever-increasing transmission speeds. Benefit now from high-performance connectors and cables for on-site assembly. SFP modules enable you to flexibly use the ports of your ethernet switches whether you require single-mode or multimode transmission, Fast Ethernet or Gigabit.

Copper-based data cabling

Transmission speeds and data volumes are constantly increasing. With category CAT6A components you can use data transmission speeds of up to 10 Gbps even in infrastructure and industry applications.

Length | CAT5 patch cables, Order No. | CAT6A patch cables, Order No.
0.3 m | 1423032 | 1413158
0.5 m | 1403926 | 1413159
1 m | 1403927 | 1413160
2 m | 1403929 | 1413161
3 m | 1403930 | 1413162
5 m | 1403933 | 1413163
10 m | 1403934 | 1413164
15 m | 1410797 | 1413165
20 m | 1423033 | 1413166

*Cables can also be sold up to 100m without connectors

Fiber-optic-based data cabling

High transmission speed, low attenuation, resistant to electromagnetic interference: Fiber optic cables are among the modern transmission media for industrial systems and infrastructure applications.

Fiber optic cables round off the fiber optic range, providing you with a complete transmission system.

Depending on the required range, Phoenix Contact offers specially developed cable variants for different application and ambient conditions:

Pre-assembled fiber optic cables with LC duplex connectors.

We offer patch cables in lengths of one, two and five meters (Single mode & Multimode) fiberglass options.

Length | LC Duplex (OM2*/Multimode), Order No. | LC Duplex (OS2*/Single mode), Order No.
1 m | 2989158 | 2989187
2 m | 2989255 | 2989284
5 m | 2901799 | 2901826

*Fiber optical cables such as OM2, OM4 and OS1 are also available.

LC Duplex Coupler module
Fiber class | Order No.
Multimode | 2700312
Single mode | 2700313

Property | Multimode | Single mode
Order No. | 1411563 | -
Fiber category | OM3 | OS2
Sheath color | Aqua | Yellow
Distances | Up to 550 m | Up to 10 km

Overview of Fiber optic SFP modules

Product | Port | Transmission speed | Wavelength | Order no.
FL SFP FX | LC MM (multimode) | 100 Mbps | 1310 nm | 2891081
FL SFP FX SM | LC SM (single mode) | 100 Mbps | 1310 nm | 2891082
FL SFP SX2 | LC MM (multimode) | 1 Gbps | 1310 nm | 2702397
FL SFP LX | LC SM (single mode) | 1 Gbps | 1310 nm | 2891767
FL SFP RS | LC SM (single mode) | 1 Gbps | 1500 nm | 2989912

10 Copper-based patch panels

The patch panels serve as interface modules between the field and control cabinet cabling. The new DIN rail devices now also feature Push-in, IDC or screw connection, in addition to the traditional RJ45 connection. This can save you a great deal of time during installation. These are available as versions with integrated surge protection and shield current monitoring.

Cabling & connectors

Multiple connection technologies and covered wiring space

Greater flexibility and time savings during installation: you can choose between IDC, Push-in, screw, and RJ45 connections.

Covered cable wiring space: a hinged cover covers the wiring space on the field cable side with connection terminal blocks and shield contacting. This ensures a uniform installation pattern. In addition to this visual extra, the sensitive connection wires are protected from external influences.

The range is complemented with Power over Ethernet injectors, which can supply remote Ethernet devices with data and power via the same cable.

Tool-free shield connection

The cable shielding can be connected to the device quickly and easily without tools – with strain relief assured at the same time. Simply lay the cables in the shaft provided and close the shroud – and you're done. Your advantage: quick installation thanks to tool-free connection with no loose parts.

Surge protection and shield current monitoring on the field cable side

The patch panels are available as versions with the new surge protection and shield current monitoring functions. The integrated surge protection protects the devices and the application against sudden high voltages in the data cables. The cable shield current monitoring can be used for diagnostics in applications with Power over Ethernet. An LED indicates if there are differences in potential or other shield currents caused by the effects of EMC.

Overview of the patch panels

Product | PP-RJ-RJ-F | PP-RJ-IDC-F
Description | Ethernet patch panel, 8-pos., 10/100/1000 Mbps. With surge protection and shield current diagnostics | Ethernet patch panel, 8 pos., 10/100/1000 Mbps. With surge protection and shield current diagnostics
Shielding | Right on the DIN rail | Right on the DIN rail
Cable shield protection | Using an RJ45 socket | Toolless using shield contact spring
Surge protection | Yes, integrated | Yes, integrated
Order no. | 2703020 | 2703023

11 Fiber-optical splice boxes

Main features

• Robust metal housing
• Capacity from 12 up to 24 fibers
• For Multimode and Singlemode
• Available connectors: LC, SC, ST, E2000®
• Pre-assembled versions available
• Flexible mounting positions on DIN rail
• Cable gland for top or bottom installation

[Figure: Splice box]

Our splice boxes ensure continuously reliable data transmission in real time. With their compact, uniform design, the splice boxes ensure ample interior space for secure connection of fiber optics.

Product | FOC-FDX20-PP-LCD6-MM | FOC-FDX20-PP-LCQ6-MM | FOC-SB-FR19:1U-LCD12-OM4 BK | FOC-SB-FR19:1U-LCD24-OM4 BK
Mounting type | DIN rail | DIN rail | 19” mounting | 19” mounting
Material | 6x LC duplex | 12x LC duplex | 12x LC duplex | 24x LC duplex
Additional information | Without pigtails | Without pigtails | Pigtails pre-assembled (OM4) | Pigtails pre-assembled (OM4)
Order no. | 1019710 | 1019705 | 1418817 | 1418818

12 Injectors

Power over Ethernet injectors supply your devices in the field with data and power via just one cable. The various IDC, Push-in or screw connection technologies significantly simplify the installation of the field cable.

Different performance standards and electrical isolation

[Figure: Electrical isolation of the internal power supply unit]

The wide range of available performance classes allows you to meet your individual requirements. The PoE injectors are available in the standards IEEE 802.3 at and af up to 30 watts. Furthermore, we already offer devices that will comply with the upcoming standard of up to 60 watts in accordance with IEEE 802.3 bt.

Electrical isolation of the internal power supply unit concept: the supply voltage and Power over Ethernet port are electrically is

Versatile connection technologies and covered wiring space

Greater flexibility and time savings during installation: you can choose between IDC, Push-in, screw, and RJ45 connections.

Covered cable wiring space: a hinged cover covers the wiring space on the field cable side with connection terminal blocks and shield contacting. This ensures a uniform installation pattern. In addition to this visual extra, the sensitive connection wires are protected from external influences.

Overview of the Injectors

Property | INJ 1000 | INJ 1010
Temperature range | 0°C… +60°C | 0°C… +60°C
Power budget | 15/30W | 60W
PoE Standard | Prepared for IEEE802.3 af/at (PoE+) | Prepared for IEEE802.3 bt (PoE++)
Connection method | RJ45/RJ45 | RJ45/RJ45
Order no. | 2703005 | 2703007

13 PoE Splitter

The FL PD 1001 PoE splitter enables you to easily connect end devices without a PoE interface, such as WLAN or Bluetooth access points, controllers, and I/O stations, to a PoE interface. The splitter separates the data and the power locally, enabling even non-PoE-capable devices to be installed in remote stations easily and inexpensively.

Compact and robust design

Thanks to its metal housing and extended temperature range, the FL PD 1001T GT Power over Ethernet splitter is suitable for use in harsh environments and remote stations. Its narrow design and port outlets facing both upwards and downwards mean that it is easy to install, even in flat control boxes.

[Figure: PoE Splitter]

Powerful and flexible in use

Thanks to the support of Gigabit and Fast Ethernet, the PoE splitter can be used for any transmission speed. Furthermore, the switch supports both PoE (IEEE 802.3af) and PoE+ (IEEE 802.3at). A supply of 24 V DC, and, depending on feed-in, a power of up to 25 W is available at the output. This enables a multitude of usage scenarios for the widest range of Ethernet devices. Furthermore, diagnostics is available for the output voltage and power via LEDs.

The PoE splitter can be used for all automation protocols, because it does not interfere with data transmission.

Overview of the PoE Splitter

PoE splitter | PD 1000
Transmission speed | 10/100/1000 Mbps
Power supply | Via PoE/PoE+ (48 V DC)
Temperature range | -40°C … +70°C
Degree of protection | IP20
Output voltage | 24 V DC
Order no. | 2891042

14 Managed Switches
Thanks to easy startup and a variety of versions with functions graded according to the application, the 2300 & 2500 Managed Switches enable the cost-effective management for your tunnel network. In addition to an extended range of functions, the switches also feature communication via fiber glass.

Flexible use

The universal 2300 and 2500 switches have 6 to 16 RJ-45 ports and come with SFP fiberglass interfaces. With these switch series, you can also benefit from Gigabit communication. Thanks to the extended temperature range (-40°C … +70°C) and redundant power supply, they can also be used under harsh ambient conditions.

[Figure: Managed Switches 2000]

Optimum integration into PROFINET and EtherNet/IP™ networks

Thanks to the integrated PROFINET device, the 2300 Managed Switches support PROFINET conformance class B and can be fully configured and diagnosed via PC Worx and the TIA portal. The switches can be used in the MRP ring as both manager and client. With LLDP the switches also support automatic recognition of the network topology.

For EtherNet/IP™ networks, the switches support functions for multicast filtering (IGMP snooping, IGMP querier, multicast source detection).

[Figure: The FL SWITCH 2300 devices support the MRP redundancy mechanism. Diagram labels: Switch, I/O device, Controller, Bus coupler.]

Redundancy mechanisms are essential for failsafe networks. The 2300 Managed Switches support various redundancy mechanisms such as RSTP, Large Tree Support, Fast Ring Detection and Media Redundancy Protocol (MRP). The switches thus ensure that downtimes are minimized through media redundancy, irrespective of the manufacturer. Furthermore, these functions prevent network errors caused by inadvertently created loops and enable a ring structure in PROFINET environments.

In addition, errors in the network can be quickly localized and remedied, thanks to the numerous diagnostic functions. Also, important device information can be accessed during remote maintenance.

In the event of a device failure, DHCP server functions for assigning IP addresses allow the defective device to be replaced quickly and easily.

Overview of the FL Switches 2300/2500 series

Feature | FL SWITCH 2300/2500
Transmission speed | 10/100/1000 Mbps
Alarm contact | Yes
Temperature range | -40°C ... +70°C
Supply voltage | 12 ... 57 V DC (redundant)

Filter functions
Quality of Service | Yes
VLAN | Yes
Multicast/IGMP snooping | Yes

Redundancy
Rapid Spanning Tree (RSTP) | Yes
MRP manager/client | Yes / Yes
Fast Ring Detection (FRD) | Yes
Large Tree Support | Yes
Extended ring redundancy 15 ms | No

Management functions
Port configuration, statistics, and utilization | Yes
Link Layer Discovery Protocol (LLDP) | Yes
Address Conflict Detection (ACD) | Yes
DHCP server | Pool/port-based, option 82
Command Line Interface (CLI) | Yes

Automation protocols
PROFINET conformance class | B
PROFINET device | Yes
EtherNet/IP™, extended multicast filtering | Yes

Approvals | Maritime approvals, ATEX, IECEx

A wide range of configuration options for the flexible commissioning of your network

When configuring the Managed Switches, the choice is yours... These switches can be configured conveniently with a memory card via the SD card slot on the rear of the device. Therefore, in the event of a device failure, the replacement device does not need to be newly configured, but simply equipped with the memory card. If you prefer to configure via web interface, the switches feature a user-friendly web-based management system.

The switches support SNMP for configuration via management software, such as the FL NETWORK MANAGER, or directly via the controller. CLI commands or the smart mode button directly on the device are suitable for configuring the devices directly, without using a web interface or software.

Redundancy mechanisms are essential for tunnel networks. These managed switches support various redundancy mechanisms such as RSTP, Large Tree Support, Fast Ring Detection and Media Redundancy Protocol (MRP). Furthermore, these functions prevent network errors in a tunnel caused by inadvertently created loops and enable a ring structure in PROFINET environments. In addition, errors in the network can be quickly localized and remedied, thanks to the numerous diagnostic functions.

These managed switches assure convenient configuration with a memory card via the SD card slot on the rear of the device. Therefore, in the event of a device failure, the replacement device does not need to be newly configured, but simply equipped with the memory card. If you prefer to configure via web interface, the switches feature a user-friendly web-based management system.

15 FL Switch 4000 Series (Power Over Ethernet)

The 4000 series of (PoE) Managed Switches offer you optimum performance and availability for demanding infrastructure applications. These switches enable you to connect up to 16 network devices. Both data and power can be supplied to up to eight devices via the Ethernet cable. Comprehensive configuration options and special PoE functions make the switches a powerful and flexible solution for your tunnel.

[Figure: Overview managed PoE Switches]

Up to 60 W of power per port

The 4000 series managed PoE switches supply end devices with up to 60 W per port. They are also suitable for use in applications with end devices that comply with the pre-standard IEEE 802.3bt (PoE++), such as high-power cameras.

PoE configuration options

The 4000 series Managed PoE Switches enable you to make user-defined PoE settings. The PoE function can be activated or deactivated for each port separately, for example. In addition, a PoE prioritization feature is available and you can set maximum power budgets. This ensures that in the event of any problems with the power supply of the switch, your most important devices continue to be supplied with PoE.

PoE watchdog function

With the PoE watchdog function, you can monitor your PoE end devices to ensure that they are functioning correctly. Here, the switch sends a ping to the powered device (PD) at regular intervals. After a configurable number of unanswered pings, a power cycle is performed. The PD is restarted. With this approach, end devices that stop functioning due to a malfunction during operation can be returned to the correct state, without the intervention of a service technician. As an alternative, the PoE Switch can also shut the PD down completely.

PoE scheduler function

With the PoE scheduler, you can plan the days and times during which the switch makes Power over Ethernet available to your end devices. This is useful when end devices are only needed at certain times of the day. You thus reduce the consumption of electricity and the data load on your network during the remaining periods.

Overview of 4000 series Managed PoE Switches

FL SWITCH 4000T- 8POE-2SFP

Ports and Transmission speed 8 x RJ45 (PoE) 10/100 Mbps, 2x SFP 1000 Mbps
Alarm contact Yes
Temperature range -40°C ... +75°C
Degree of protection IP30
Supply voltage 52 … 55 V DC, redundant

Power over Ethernet


PoE standards IEEE 802.3at/af/bt (PoE, PoE+, PoE++)
Power over Ethernet power budget 60 W per port, Max. 180 W
PoE functions PoE configuration, PoE scheduling, PoE watchdog
Filter functions
Quality of Service Yes
VLAN Yes
Multicast/IGMP snooping Yes
Redundancy
Rapid Spanning Tree (RSTP) Yes
MRP manager/client No / No
Fast Ring Detection (FRD) No
Large Tree Support No
Management functions
Port configuration, statistics, and utilization Yes
Link Layer Discovery Protocol (LLDP) Yes
Address Conflict Detection (ACD) No
DHCP server No
Command Line Interface (CLI) No
Automation protocols
PROFINET conformance class A
PROFINET IO device No
EtherNet/IP™, extended multicast filtering No
Approvals CE, UL
Order no. 1026923

PHOENIX CONTACT 56
16 Smart Camera Box
The Smart Camera Box is an all-in-one solution that provides connectivity through Power over Ethernet. This solution supports the latest PoE standard, 802.3bt (90 W per port) and has a total PoE budget of 160 W, making it compatible with all current powered devices. The Smart Camera Box lowers the total cost of ownership due to its robust, manageable and reliable design. The small size and light weight of the solution make it easy to install, and it can easily be mounted on a pole and/or wall.

Dissecting the box

[Figure: Smart Camera Box, exploded view. Labelled parts: heatsink, PoE switch, IP67 housing, power supply, splice cassette, surge protection, wall/pole mount, IP67 cable entry.]

Features

• Integrated fiber optic splice box
• Direct connection of pre-assembled patch cables
• Integrated heat sink (-40° C … +70° C)
• Integrated, replaceable surge protection
• Sabotage alarm (integrated door opening sensor)
• Mechanical security (metal door latch)
• Integrated DIN rail for additional equipment, e.g. relay, 4G router, WLAN access point

Product portfolio

Variants

| Type | SCX 4POE 2LX | SCX 2POE 2LX | SCX 4POE 2T | SCX 2POE 2T |
|---|---|---|---|---|
| Uplink ports | 2x SFP slots | 2x SFP slots | 2x RJ-45 | 2x RJ-45 |
| Camera ports | 4x RJ-45 (PoE) | 2x RJ-45 (PoE) | 4x RJ-45 (PoE) | 2x RJ-45 (PoE) |
| Order No. | 1102626 | 1108543 | 1108542 | 1108544 |
17 FL Switch 4800E Series

The 4800E (for 19" cabinets) are particularly suitable for use in energy systems. They satisfy the stringent requirements of the standards IEC 61850-3 and IEEE 1613. These versions ensure reliable operation around the clock under extreme environmental conditions. This is possible thanks to their particularly high immunity to electromagnetic and electrostatic interference, extended temperature range, and extreme shock and vibration resistance.

An overview of the FL Switch 4800E features

FL SWITCH 4800E

Transmission speed: 10/100/1000 Mbps
Alarm contact: Yes
Temperature range: -40°C … +70°C
Protection class: IP20
Supply voltage: 24 ... 48 V DC

Filter functions
Quality of Service: Yes
VLAN: Yes
Multicast/IGMP snooping: Yes

Redundancy
Rapid Spanning Tree (RSTP): Yes
MRP manager/client: No / No
Fast Ring Detection (FRD): No
Large Tree Support: No
Extended ring redundancy 15 ms: Yes

Management functions
Port configuration, statistics, and utilization: Yes
Link Layer Discovery Protocol (LLDP): Yes
Address Conflict Detection (ACD): No
DHCP server: No
Command Line Interface (CLI): No

Automation protocols
PROFINET conformance class: A
PROFINET IO device: No
EtherNet/IP™, extended multicast filtering: No

Approvals: ATEX*, IECEx*, IEC 61850-3*
Other: Requires replaceable, redundant power supply (4800E-P1 / 4800E-P5)
18 Layer 3 switches

You can use the industrial switch with routing functionalities and Layer 3 switches from Phoenix Contact to integrate machines, production systems or entire subnetworks into your higher-level company network.

FL NAT 2304 Switch

Cost-effective integration in higher-level networks – With virtual addressing (NAT)

If identical machines are operated in parallel in a network, each machine must be configured individually. This is the only way to integrate them into the higher-level communication network. Various NAT mechanisms enable you to operate entire production cells with the same IP address space, without having to configure the machines individually.

Very flexible

The FL NAT 2304 offers a high degree of flexibility, as each of its 8 ports can be freely assigned as LAN or WAN ports. This means that you can use the FL NAT 2304 as a simple NAT switch with one WAN port and seven LAN ports. There is no need for an additional switch in the system.

Alternatively, you can use the NAT switch to connect a machine to multiple higher-level networks, such as production and diagnostics networks. You can choose from various NAT mechanisms: 1:1 NAT, virtual NAT, IP masquerading, and port forwarding.

Redundancy in the LAN and WAN

In order to ensure a high degree of reliability both within the system and when connecting to higher-level networks, the FL NAT 2304 switch supports redundancy mechanisms on the LAN and WAN side.

For redundant connection to higher-level WAN interfaces, you can integrate the FL NAT 2304 into an RSTP ring with two WAN ports.

On the LAN side, you can use both RSTP and MRP as the master or client to redundantly connect parts of a machine to the NAT switch.
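The 1:1 NAT mechanism named above, shown as an added example (not Phoenix Contact code or the switch's configuration syntax): each identical cell keeps the same internal address space and is mapped to its own outer range, and the plan is checked for size mismatches and overlapping outer ranges before rollout. The addresses, cell names and function names are constructed for illustration.

```python
import ipaddress


def translate(inner_ip: str, inner_net: str, outer_net: str) -> str:
    """1:1 NAT: keep the host part, swap the network prefix."""
    inner = ipaddress.ip_network(inner_net)
    outer = ipaddress.ip_network(outer_net)
    if inner.prefixlen != outer.prefixlen:
        raise ValueError("1:1 NAT needs inner and outer networks of equal size")
    ip = ipaddress.ip_address(inner_ip)
    if ip not in inner:
        raise ValueError(f"{ip} is not inside {inner}")
    offset = int(ip) - int(inner.network_address)
    return str(outer.network_address + offset)


def check_plan(plan: dict) -> list:
    """plan maps cell name -> (inner_net, outer_net). Returns a list of problems."""
    nets = {name: (ipaddress.ip_network(i), ipaddress.ip_network(o))
            for name, (i, o) in plan.items()}
    problems = []
    for name, (inner, outer) in nets.items():
        if inner.prefixlen != outer.prefixlen:
            problems.append(f"{name}: inner {inner} and outer {outer} differ in size")
    names = sorted(nets)
    for a_idx, a in enumerate(names):
        for b in names[a_idx + 1:]:
            # Two cells sharing outer addresses would be indistinguishable upstream.
            if nets[a][1].overlaps(nets[b][1]):
                problems.append(f"{a}/{b}: outer ranges overlap")
    return problems


# Constructed plan: three identical cells, all using 192.168.1.0/24 internally.
PLAN = {
    "cell_a": ("192.168.1.0/24", "10.20.1.0/24"),
    "cell_b": ("192.168.1.0/24", "10.20.2.0/24"),
    "cell_c": ("192.168.1.0/24", "10.20.2.128/25"),  # deliberate planning error
}

if __name__ == "__main__":
    print(translate("192.168.1.10", *PLAN["cell_a"]))
    print(translate("192.168.1.10", *PLAN["cell_b"]))
    for problem in check_plan(PLAN):
        print(problem)
```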

NAT switches support PROFINET functions

On the LAN side, the FL NAT 2304 offers full PROFINET integration:

• Integration in PROFINET control environments, e.g., TIA or PC Worx
• MRP support for increased availability
• LLDP for topology detection
• Hardware-based PROFINET prioritization
• Extended diagnostics for PROFINET

[Figure: network diagram with RSTP on the WAN side and RSTP/MRP on the LAN side. Caption: The FL SWITCH 2300 devices support the MRP redundancy mechanism]

Overview of the FL NAT 2304

FL NAT 2304-2GC-2SFP

Order no.: 2702981
Ports: 4 x RJ45, 2 x combo ports (SFP/RJ45), 2x SFP
Transmission speed: 10/100/1000 Mbps
Alarm contact: Yes
Temperature range: -40°C ... +70°C
Protection class: IP20
Supply voltage: 12 ... 57 V DC (redundant)
NAT functions: 1:1 NAT, virtual NAT, IP masquerading, port forwarding (source/destination)
Routing: Static routing

Filter functions
Quality of Service: Yes
VLAN: Yes
Multicast/IGMP snooping: Yes

Redundancy
Rapid Spanning Tree (RSTP): Yes
MRP manager/client: Yes/yes
Fast Ring Detection (FRD): Yes
Large Tree Support: Yes
Extended ring redundancy of 15 ms: No

Management functions
Port configuration, statistics, and utilization: Yes
Link Layer Discovery Protocol (LLDP): Yes
Address Conflict Detection (ACD): Yes
DHCP server: Pool-based/port-based, option 82
Command Line Interface (CLI): Yes

Automation protocols
PROFINET conformance class: B
PROFINET device: Yes
EtherNet/IP™, extended multicast filtering: Yes

Approvals: Maritime approvals, ATEX, IECEx

Basic Features

Management: Http(s), SNMP (v1/v2/v3), RMON, 802.1ab (LLDP)
VLAN + QoS: 802.1p (CoS), 8 queues per port, 802.1Q (Tagged frames), GVRP
Security: MAC address filtering, 802.1X (LAN Access Control)
L2 Redundancy: 802.1D (STP), 802.1W (RSTP), 802.1S (MSTP)
L3: Static Routing, RIPv2, OSPFv2, VRRP (Router redundancy)
Other features: 802.3AD (Link aggregation), Jumbo frame, IGMP snooping, DHCP Option 82, Alarm contact
19 FL SWITCH EP7400 Series

The FL SWITCH EP 7400 series of advanced modular managed network switches provides an adaptable platform to meet the electric power industry’s increasing requirements for scalable network performance, uptime, and security.

The modular 19" rack-mount switch is hardened for areas heavily affected by EMI, such as switchgear, transformer stations and local substations. The switch works reliably under extreme environmental conditions (-40°C to +75°C / 85°C) and complies with the IEC 61850-3 Ed 2, and IEEE 1613 specifications. The expandable “all gigabit capable” architecture combines cost-effective answers for near-term needs with upgrade paths for port quantity/bandwidth and functions.

A powerful Layer 2 and Layer 3 feature set with hardware-based IEEE 1588 V2 PTP synchronization based on the IEC 61850-9-3 Utility Power Profile provides extensive options to meet changing performance and security needs. The 28-port switch has 4 module slots. 3 slots accept 10/100/1000Mbps port modules (up to 8 ports) for device connections, and a 4th slot supports a 4-port SFP module with 1 or 10 Gigabit uplinks for device connections. SFP module options provide further single-point TX/fiber connection customization, while allowing for electrically isolated and secure communication lines between the control house and equipment throughout the station. Power is provided by redundant modular power supplies. The modules are designed for power source flexibility (AC/DC) and allow hot-swappable replacement for uninterrupted 24/7 operation.

Front

Color LCD Display: Diagnostic and Port Status Management

Modular Power Supplies
• 24 V DC (10-36 V DC)
• 48 V DC (36-72 V DC)
• 120/240 V AC/DC (88-300 V DC, 85-264 V AC)

• SD2 Memory: Store System Log Files (up to 32G)
• USB 3.0/RS232: Transfer System Log Files, Backup/Restore Configs, FW Updates
• Mgmnt Port/SD1: Factory Service
• LED Display: Power Supply (1&2) and Alarm

Power and Alarm Contact Connections

Downlink Connections
• Up to 3 slots for port modules
• Up to 8 ports per module (8x RJ-45 10/100/1000 Mbps) (8x SFP 10/100/1000 Mbps)

Uplink Connections
• 1 Slot
• 4x SFP (1 G / 10 Gbps)

Managed switch functions

Increase network performance

As the demand for intelligent power distribution and control increases, more devices are connected at a growing number of sites. The ability to define and prioritize peer-to-peer messages such as GOOSE messages, which travel horizontally through a substation’s station bus but extend into the lower process bus, is critical to the operation of breakers and relays. This will be increasingly needed as more utilities utilize sequence of events fault identification and finer control using sampled values (SV). Whether it is needed for a remote local municipality installation or multisite regional control through a region, the FL SWITCH EP 7400 managed switch series has hardware and firmware functions that can manage the growing bandwidth and data traffic flows.

Maximize system uptime

Power automation networks are required to run 24/7. Period. The FL SWITCH EP 7400 switch contains hardware designed for extreme environments using IEC 61850-3 and IEEE 1613 standards and is backed by Phoenix Contact’s experience with selling and supporting over 2 million industrial Ethernet switches deployed in over 40 countries. Modular power supplies with hot-swap capabilities help overcome unusual situations. Optional DIN rail-mount (with rack-mount option) PRP redundancy modules provide zero packet loss recovery to communication disruption events.

Scalable security options

Strong security is required in critical infrastructure applications. State-of-the-art managed switch security functions provide the tools to limit local access, remote access, and network access to switch management. The switch is based on a scalable platform approach that will provide a growing array of security options in the future. Features such as VLANs allow utilities to segment various critical zones within the electronic security perimeter that connect systems, such as IEDs, RTUs, and PLCs within the substation infrastructure. With the increasing deployment of protocols such as IEC 61850, this segmentation prevents unauthorized access or interference by non-critical substation processes on networks that are processing and transmitting time-sensitive and critical communications for measurement and control. Additionally, the use of user authentication and Syslog support allows for monitoring and auditing to detect changes to network hardware and status by users, further ensuring a secure and reliable network.

[Figure: tunnel network architecture. Zones shown: tunnel core zone, local tunnel distribution zone, local tunnel access zone, local tunnel control zone. Labelled elements: critical infrastructure network, Tunnel Control Center, modular router/firewall, two modular managed Layer 3 switches with VRRP, local tunnel control room, redundancy protocol, fiber optic backbone 1 and backbone 2, PLCs. Legend: copper-based Ethernet, fiber optic.]
20 FL Switch GHS Series

The Gigabit Modular Switch is a high-performance managed switch, which covers the port requirements of industrial applications in a modular and flexible way. It also supports all popular Gigabit and Fast Ethernet transmission standards, IT standard protocols, and the PROFINET and EtherNet/IP™ automation protocols.

For use in the production backbone, the FL SWITCH GHS 12G/8 is the first switch that has 12 integrated Gigabit ports and also supports the accommodation of interface modules for up to 16 additional 100 Mbps ports.

[Figure: Modular Gigabit Switch GHS]

With the integrated Layer 3 license, the switch can be configured as a router. The GHS switch can provide routing in up to 28 different subnetworks. With VRRP, it can also be operated as a redundant router.

Overview of the Layer 3 switches

| | FL Switch GHS 4G/12 | FL Switch EP7400 | FL Switch IN6908-16SFP-4SFP+ |
|---|---|---|---|
| Modular | Yes | Yes | No |
| Port count | 4-port 1000BASE SFP Combo; 4-port 10/100BASE-TX; max. 16 port 10/100 BASE-TX | 4 x hot-swappable port modules; max. 3 down-links and 1 up-link module (up to 28 ports) | 8-port 10/100/1000BASE-TX; 16-port 1000BASE SFP; 4-port 1G/10G SFP+ |
| Power supply | 24 V redundant | 24 V DC (10-36 V DC); 48 V DC (36-72 V DC); 120/240 V AC/DC (88 – 300 V DC, 85 – 264 V AC); 2 x hot-swappable power supplies | TR: 48 V DC redundant (terminal block); WR: 100 – 240 V AC redundant (terminal block/AC inlet) |
| Mounting | DIN-rail | Rack mountable | Rack mountable |
| Profinet support | Profinet CC B (MRP), PROFIenergy supported | No | No |
| Redundancy functions | RSTP, LTS, MRP (Manager/Client), VRRP | STP, RSTP, MSTP, VRRP | STP, RSTP, MSTP, VRRP |
| Routing functions | Unicast Routing: IPv4 (Static, RIPv2, OSPF), VRRP v2/v3; Unicast: OSPF; Proxy ARP: DHCP Relay; Multicast Routing: IGMP (v1/v2/v3); IPv4 Multicast: PIM-SM | Unicast Routing: IPv4 (Static, RIPv2, OSPF), VRRP v2/v3; Unicast: OSPF; Proxy ARP: DHCP Relay; Multicast Routing: IGMP (v1/v2/v3); IPv4 Multicast: PIM-SM | Unicast Routing: IPv4 (Static, RIP v1/v2, OSPF), VRRP v2/v3; IPv4 Multicast: PIM-SM; IPv6 Unicast Routing: RIPng, OSPFv3; IPv6 Multicast Routing: PIM-DM, PIM-SM; IPv6 Routing Redundancy: VRRP v3 |

Approvals/certificates: IEC 61850-3
21 FL Network Manager

Managed Switches, WLAN components, and security appliances from Phoenix Contact can be started up easily using the new FL Network Manager software. You can also monitor these network components and keep your firmware up to date. With multi-device configuration, you save a lot of time when setting up and using your Ethernet network.

• Update firmware on multiple devices quickly and easily
• IP address planning for the convenient rollout of IP addresses via DCP, BOOTP, and DHCP
• Overview of all network components, thanks to the network scan, even for unknown IP addresses
• Integrated TFTP, DHCP/BOOTP server
• Easily configure multiple infrastructure components using multi-device configuration
• Secure communication with network components via SNMPv3
• Configure any SNMP-capable device, thanks to SNMP scripting

FL Network Manager Basic, Order no. 2702889

Contact

Need a more detailed look into the possibilities? Don't hesitate to reach out!

As certified security providers, we enable you to detect potential threats and vulnerabilities within the control systems environment at an early stage with the necessary preventive measures. Let us assist you with validating key components, building secure architectures in line with the Defense in Depth approach, and implementing security in accordance with IEC 62443. You need to take responsibility for all the security aspects of your tunnel infrastructure.

John Paul Morgan
Product Specialist Industrial Networks & Security at Phoenix Contact Belgium
jpmorgan@phoenixcontact.be

Peter-Jan Deltour
Product Specialist Industrial Networks & Security at Phoenix Contact Belgium
pdeltour@phoenixcontact.be

Our range of services at a glance

• Evaluation and planning: Inspecting and analyzing your individual threats and risks
• Implementation: On-site assistance and increasing performance and availability
• Maintenance and support: Eliminating anomalies and identifying security gaps
• Seminars: Providing awareness instructions and practical tailored training sessions

https://phoe.co/TunnelTechnology