Operational Telecom Network for the Connected Pipeline System Design
Operational Telecom Network for the Connected Pipeline System Implementation Guide
Last Updated: June 30, 2016

Building Architectures to Solve Business Problems

About Cisco Validated Design (CVD) Program

The CVD program consists of systems and solutions designed, tested, and documented to facilitate faster, more reliable, and more predictable customer deployments. For more information visit http://www.cisco.com/go/designzone.

ALL DESIGNS, SPECIFICATIONS, STATEMENTS, INFORMATION, AND RECOMMENDATIONS (COLLECTIVELY, "DESIGNS") IN THIS MANUAL ARE PRESENTED "AS IS," WITH ALL FAULTS. CISCO AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THE DESIGNS, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

THE DESIGNS ARE SUBJECT TO CHANGE WITHOUT NOTICE. USERS ARE SOLELY RESPONSIBLE FOR THEIR APPLICATION OF THE DESIGNS. THE DESIGNS DO NOT CONSTITUTE THE TECHNICAL OR OTHER PROFESSIONAL ADVICE OF CISCO, ITS SUPPLIERS OR PARTNERS. USERS SHOULD CONSULT THEIR OWN TECHNICAL ADVISORS BEFORE IMPLEMENTING THE DESIGNS. RESULTS MAY VARY DEPENDING ON FACTORS NOT TESTED BY CISCO.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries.
To view a list of Cisco trademarks, go to this URL: http://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

Operational Telecom Network for the Connected Pipeline System Implementation Guide
© 2016 Cisco Systems, Inc. All rights reserved.

CONTENTS

Document Objective and Scope  v
Contributors  vi

CHAPTER 1  Implementation Overview  1-1
  Solution Architecture  1-3
  Connected Pipeline Network Overview  1-4
    Availability  1-5
    Security  1-6
    Multiservice Support  1-7
    Integrated Management  1-8
    Control Center  1-8

CHAPTER 2  System Testbed  2-1

CHAPTER 3  System Components and Software Matrix  3-1
  Test Components from Cisco  3-1
  Test Components from Schneider  3-2

CHAPTER 4  Connected Pipeline Network Implementation  4-1
  Operational Telecom Network Implementation  4-1
  Pipeline Station Implementation  4-2
    Station Availability  4-3
      Controller/RTU Connectivity & Availability  4-3
      Dedicated Switch and VLAN  4-4
      Layer 2 Redundancy with REP  4-5
      Platform Redundancy for Cisco ASR 903 and Cisco ASA 5525-X  4-6
    Station Security  4-9
      Security for SCADA Traffic - Pipeline and Control Center  4-9
      Shutdown Unused Ports  4-9
      Trunk Ports  4-9
      Port Security  4-9
    Infrastructure Management  4-10
  Pipeline Telecom Network Implementation  4-11
    Pipeline Telecom Availability  4-11
      EoMPLS Pseudowire  4-16
      Resilient Ethernet Protocol (REP)  4-17
    Pipeline Telecom Security  4-19
  MPLS WAN  4-21
    MPLS WAN Availability  4-22
      MPLS Core Router Platform Redundancy  4-23
      Remote Loop-Free Alternate Fast Reroute  4-24
    MPLS WAN Segmentation  4-25
  Network Management and Time Synchronization  4-27
    Network Management  4-27
      Cisco Adaptive Security Device Manager  4-27
      SNMP and Logging Server  4-28
      Out of Band Management  4-28
    Time Synchronization  4-29

CHAPTER 5  Operational Telecom Network: Validation  5-1
  Functionality Testing  5-1
  High Availability Testing  5-1
  Security Testing  5-2

CHAPTER 6  Operational Telecom Network: Verification  6-1
  Functional Verification - Communication between Edge Router in Terminal Station 1 and Control Center  6-1
  ASA/Firewall Failover  6-2

APPENDIX A  Related Documentation  A-1
  Network Infrastructure  A-1
  Security  A-2
  Network Time Protocol  A-2

APPENDIX B  Acronyms and Initialisms  B-1

Preface

This Cisco Operational Telecom Network for the Connected Pipeline System Cisco Validated Design (CVD) documents the best practice design and implementation of safe, highly available, and secure Oil and Gas pipeline infrastructure and applications. It also:

• Describes implementation of the communication network for the Connected Pipeline System and guidance for supporting Supervisory Control and Data Acquisition (SCADA) communication from the Pipeline Network to the Control Center.
• Documents best practices from real world implementations, detailing the designs and architectures that are mapped back to the customer use cases.
• Addresses real-life customer deployment scenarios by providing a solution that supports implementation of a scalable, secure, and redundant operational network supporting both industrial and multiservice applications.
• Details support for implementing redundancy and security for SCADA communication in the Connected Pipeline System.
• Specifies topology for high availability, security services, and network management services implementations.
• Documents suggested equipment and technologies, system level configurations, and recommendations.
• Describes caveats and considerations that pipeline operators should understand as they implement best practices.

Document Objective and Scope

In this initial release, Cisco has partnered with Schneider Electric to provide architecture, design, and technologies for the Control Centers, Operational Telecoms Network, and the pipeline stations. Cisco provides infrastructure expertise with its unified compute and networking security platforms while Schneider Electric provides the Pipeline Management System (PMS) leadership with its OASyS Dynamic Network of Applications (DNA) SCADA system hardware and software.

This document focuses on the pipeline communications network and security architectures to support pipeline operators. It is recommended that the reader become familiar with the following joint Cisco/Schneider Electric white papers:

• Integrated Enterprise SCADA System Architectures for Safe and Efficient Pipeline Operations at the following URL:
  – http://www.cisco.com/c/dam/en/us/solutions/collateral/industry-solutions/dlfe-683318406.pdf
• Converged Telecommunication Architectures for Effective Integrated Pipeline Operations at the following URL:
  – http://www.cisco.com/c/dam/en/us/solutions/collateral/industry-solutions/dlfe-683318407.pdf

As with any architecture and design program, functional requirements, use cases, and architectures evolve. Therefore, this CVD will evolve and will be updated in future phases.

Contributors

• Kiran Ramaswamy, Senior Software Engineer, IoE Vertical Solutions Group, Cisco Systems, Inc.
• Brandon O'Gorman, Software Engineer, IoE Vertical Solutions Group, Cisco Systems, Inc.
CHAPTER 1

Implementation Overview

This chapter includes the following major topics:

• Solution Architecture, page 1-3
• Connected Pipeline Network Overview, page 1-4

Cisco has designed an Operational Telecom Network architecture to satisfy communication requirements between the Pipeline Network and the Control Center in the Oil and Gas industry. This is in partnership with Schneider Electric and uses their Programmable Logic Controllers (PLCs) in various pipeline stations such as terminal, pump, and block valve stations. These PLCs provide real-time measurements of the pipeline segment such as temperature and pressure. These measurements have to be reliably communicated to the Control Center, which may be located along the pipeline or situated remotely. Schneider's Enterprise Pipeline Management (ePLM) solution helps operators in Control Centers receive real-time data from the pipeline segment. A Pipeline Management System combines operational SCADA with oil and gas industry-specific real-time applications, host-based leak detection, and historical flow measurement.

A well-designed pipeline network architecture provides a secure and reliable communication infrastructure. Such an infrastructure uses hardware and software that allows functions to be mobile, scalable, flexible, and robust. The communication infrastructure must provide real-time sharing and collection of pipeline data to the Control Center in a safe and efficient manner.

Figure 1-1 provides a brief overview of different stations located along the length of a pipeline segment. Some of these stations include:

• Terminal Stations—Usually mark the start or end of the pipeline segment for a product. Such