阅读说明：本技术 用于控制平面网络中的冗余连接的控制设备和方法 (Control device and method for redundant connections in a control plane network ) 是由 J-J.阿德拉尼亚 K.巴比尔 A.布鲁克 A.埃罗吉劳 F.加西亚马丁 Y.比谢 于 2020-01-23 设计创作，主要内容包括：本发明涉及一种控制设备,该控制设备具有集成交换机,并且被配置为逻辑上启用和禁用集成交换机的以太网端口。还公开了一种由至少两个现场设备、主控制设备和主交换机、辅控制设备和辅交换机组成的设备网络,该至少两个现场设备、主控制设备和主交换机、辅控制设备和辅交换机以菊花链环路拓扑连接。并且其中,辅控制设备被配置为逻辑上启用和禁用辅交换机的以太网端口。还公开了由这种设备网络组成的平面网络。还公开了一种用于控制平面网络中的冗余连接的方法,该方法包括：检测主控制设备的故障,发起故障转移,启用辅交换机的以太网端口,以及禁用主交换机的以太网端口。(The present invention relates to a control device having an integrated switch and configured to logically enable and disable an ethernet port of the integrated switch. Also disclosed is a device network comprised of at least two field devices, a primary control device and switch, a secondary control device and a secondary switch, the at least two field devices, the primary control device and switch, the secondary control device and switch being connected in a daisy chain loop topology. And wherein the secondary control device is configured to logically enable and disable the ethernet port of the secondary switch. A planar network consisting of such a network of devices is also disclosed. Also disclosed is a method for redundant connectivity in a control plane network, the method comprising: detecting a failure of the primary control device, initiating a failover, enabling an Ethernet port of the secondary switch, and disabling an Ethernet port of the primary switch.)

1. A network of devices, comprising:

at least two field devices (323, 324);

a master control device (321) and a master switch (326);

a secondary control device (322) and a secondary switch (327);

wherein the primary control device (321) and primary switch (326), secondary control device (322) and secondary switch (327), and at least two field devices (323, 324) are connected in a daisy chain loop topology; and is

Wherein the secondary control device (322) is configured to logically enable and disable the Ethernet port (327a) of the secondary switch (327).

2. The device network of claim 1, wherein the master control device (321) is configured to logically enable and disable the ethernet port (326a) of the master switch (326).

3. The device network of claim 1 or 2, wherein the primary switch and the secondary switch are each connected to a switch of a control room network (310).

4. The device network of any preceding claim, wherein the secondary and/or primary control devices (322, 321) are configured to logically enable and disable Ethernet ports (327a, 326a) via a port-based network access control protocol.

5. The device network of any preceding claim, wherein the secondary and/or primary control devices (322, 321) are configured to logically enable and disable Ethernet ports (327a, 326a) via a proprietary protocol for remotely configuring network equipment.

6. The device network of claim 5, wherein the proprietary protocol for remotely configuring network equipment includes Ethernet frames for transmitting commands and/or configuration settings.

7. Device network according to any of the preceding claims, wherein the secondary switch (327) is integrated in the secondary control device (322); and/or

Wherein the master switch (326) is integrated in the master control device (321).

8. The device network of any preceding claim, wherein the primary and secondary switches (326, 327) are integrated in the secondary or primary control device (322, 321).

9. The device network of claim 7 or 8, wherein the secondary and/or primary control device (322, 321) is configured to write an IC register of an integrated switch, the IC register comprising configuration settings of the switch.

10. A planar network, comprising:

the device network (320) of any of the preceding claims; and

a control room network (310) comprising a host computer system (311) and a control room switch (312) having at least two ethernet ports;

wherein the Ethernet port (326a) of the primary switch (326) and the Ethernet port (327a) of the secondary switch (327) are connected to the at least two Ethernet ports of the control room switch (312), respectively.

11. A method for controlling redundant connections in a planar network according to claim 10, the method comprising:

detecting (401) a failure of the main control device (321);

initiating (402) a failover;

enabling (403) an Ethernet port (327a) of the secondary switch (327); and

disabling (404) an Ethernet port (326a) of the primary switch (326).

12. A control device, comprising:

an integrated switch (326a, 327 a); and is

Wherein the control device is configured to logically enable and disable the Ethernet port (327a) of the integrated switch (326, 327).

13. The control device of claim 12, further comprising the control device configured to:

operating as a secondary control device (322) in a standby mode of a primary control device (321);

detecting (401) a failure of the main control device (321);

initiating (402) a failover;

enabling (403) an Ethernet port (327a) of the integrated switch (327);

disabling (404) an Ethernet port (327a) of the integrated switch (327).

14. The control device of claim 13, further comprising the control device configured to:

the ethernet port (326a) of the primary switch (326) is disabled.

15. The control device of claim 14, further comprising the control device configured to:

disabling the Ethernet port (326a) of the primary switch (326); and is

Wherein the control device is configured to logically enable and disable Ethernet ports of the master switch (326a) via a port-based network access control protocol; and/or

Wherein the control device is configured to logically enable and disable an Ethernet port (36a) of the master switch via a proprietary protocol for remotely configuring network equipment.

Technical Field

The present invention relates to a method for controlling redundant connections in a planar network and a system architecture implementing such control.

Background

Such Automation systems are also typically connected to enterprise Information Technology (IT) networks, i.e., control room networks, which use common IT protocols over TCP/IP and Ethernet IEEE802.3 to exchange data and signals with, for example, ERP systems or other data management systems.

Referring to FIG. 1, a first example of a configuration 100 is shown in which a control room network 110 is connected with an industrial device network 120. the control room network 110 includes a main computer system 111 and a layer 2 switch 112. the device network includes two field devices 123, 124, a primary P L C121, an secondary P L C122, and a layer 2 switch 125. P L C121, 122 and field devices 123, 124 are connected in a daisy chain loop topology (daisy chain loop topology). In the figure, indicated by square ports and cable links, the secondary P L C122 is provided for redundancy reasons in the event of failure of the primary P L C121 and is intended to facilitate high availability of the control system.

The device network 120 uses one of the known industrial protocols, such as Modbus, while the control network 110 uses the common IT protocol over IEEE802.3 Ethernet for the connection between the switch 112 of the control network 110 and the switch 125 of the device network, the Ethernet protocol is used the switch 125 then provides communication within the device network 120. since both P L C are part of the same daisy chain, the switch 125 provides loop detection to prevent so-called broadcast storms in which communication messages are continuously forwarded, as shown by the black X in the ports of the field devices 123.

Generally, switches operate at layer 2 of the OSI model and are equipped with multiple ports for providing connections between various devices within the local area network L AN various protocols may be used to transport messages over IEEE802.3 (commonly referred to as Ethernet).

The configuration of fig. 1 using switch-only interconnections is commonly referred to as a flat network architecture, which has the benefit of providing transparency and easy control management. There is no hierarchy and no means for routing traffic. A disadvantage of the configuration 100 of fig. 1 is that there is only one connection between the networks and no further connections for redundancy can be added without adding complexity to address the routing requirements.

Referring to FIG. 2, a second example of a configuration 200 is shown in which a control network 210 is connected with a device network 220. likewise, the control network 210 includes a main computer system 211 and a switch 212. the device network includes two field devices 223, 224, a primary P L C221 and a secondary P L C222. P L C221, 222 and field devices 223, 224 are connected in a daisy chain loop topology.

There are no switches in the device network and the primary P L C221 and secondary P L C222 are independently connected to the control room switch 212, increasing the level of redundancy and reducing the number of devices required in this configuration, it is now desirable to provide loop detection in the switch 212 to prevent broadcast storms.

Disclosure of Invention

It is an object of the present invention to provide redundant connections between a device network and a control network in a planar network architecture.

According to the present invention, this object is achieved by providing a device network comprising at least two field devices, a primary control device and a primary switch, a secondary control device and a secondary switch, the at least two field devices, the primary control device and the primary switch, the secondary control device and the secondary switch being connected in a daisy-chain loop topology. And wherein the secondary control device is configured to logically enable and disable the ethernet port of the secondary switch.

According to one aspect, there is provided a flat network comprised of the disclosed device network and a control room network including a host computer system and a control room switch having at least two ethernet ports. And wherein the ethernet port of the primary switch and the ethernet port of the secondary switch are connected to at least two ethernet ports of the control room switch, respectively.

According to another aspect, a control device with an integrated switch is provided and wherein the control device is configured to logically enable and disable ethernet ports of the integrated switch.

According to yet another aspect, there is provided a method for redundant connection in a control plane network, the method comprising: detecting a failure of the primary control device, initiating a failover, enabling an Ethernet port of the secondary switch, and disabling an Ethernet port of the primary switch.

Further objects, aspects, effects and details of certain embodiments of the invention are described in the following detailed description of exemplary embodiments with reference to the drawings.

Drawings

Embodiments of the present disclosure will now be described, by way of example only, with reference to the accompanying drawings, in which:

fig. 1 schematically shows a prior art example of a planar network configuration;

fig. 2 schematically illustrates another prior art example of a planar network configuration;

fig. 3 shows an example of a flat network configuration according to the present invention; and

fig. 4 shows an example of a method according to the invention.

Detailed Description

Referring to FIG. 3, there is shown an example of an IT-OT configuration 300 in accordance with the present invention, the IT-OT configuration 300 includes a control network 310 and a device network 320, the control network 310 includes a main computer system 311 and a layer 2 switch 312, the device network includes two field devices 323, 324, a main P L C321 and a main switch 326, and an auxiliary P L C322 and an auxiliary switch 327. in this example, the switches are shown as stand-alone devices, in other examples they may be integrated within the main P L C321 and the auxiliary P L C322, respectively, the main P L C321 and the switch 326, the auxiliary P L C322 and the switch 327, and the field devices 323, 324 are connected in a daisy chain loop topology, P L C is connected by a dedicated connection 328, such as a redundant point-to-point fiber based connection, a backplane bus, a proprietary Ethernet link, or a field bus, in addition to the connections used to control the network.

In the event that primary P L C321 fails, a failover process will be initiated to cause secondary P L C322 to take over execution of the application.detection of the failure may include monitoring operation using, for example, a heartbeat signal or other known means.furthermore, during normal operation, active data of primary P L C321 is typically exchanged with secondary P L C322 to ensure that secondary P L C322 can immediately take over execution of the application at failover.in the example of FIG. 3, the high availability system is considered hot standby redundancy because P2C is already running and provided with current valid data and the redundancy may be implemented in the case of a primary P L C321, and to facilitate high availability of the control system (e.g., primary-standby) and/or secondary P L C321, respectively — backup data may be provided at first, or primary-standby data may be provided at a backup stage).

The control network 310 and the device network 320 are connected via two separate connections, namely the links between the layer 2 switch 312 and the switches 326, 327: a primary link between switch 312 and primary switch 326 and a secondary link between switch 312 and secondary switch 327. This increases the level of redundancy and reduces the amount of complex, intelligent, expensive equipment required.

The device network 320 uses one of the known industrial protocols, such as Modbus, while the control network 310 uses the common IT protocol over IEEE802.3 Ethernet. Since only switches 326, 327 operating at data link layer 2 according to the OSI model are used, rather than the more intelligent gateways operating at network layer 3 according to the OSI model, and due to the daisy-chain loop topology, there is a risk of broadcast storms.

Thus, the secondary P L C322 is arranged to logically enable and disable the port 327a of the secondary switch 327, the port 327a being connected to the switch 312 of the control network 310. preferably, the secondary P L C322 is also arranged to logically enable and disable the port 326a of the primary switch 326. the port 326a is primarily adapted for configurations having switches external to P L C.

Note that both the primary and secondary links between the switches 326, 327 and the layer 2 switch 312 may be joined, with logical connections enabled for only one of the switches 326, 327.

Thus, referring concurrently to FIG. 4, in the event that a failure is detected 401 to the primary P L C321, a failover process is initiated 402 and the Ethernet port of the secondary switch is enabled 403 and the Ethernet port of the primary switch is disabled 404.

More generally, if the fault is of a software or logical nature, such as due to erroneous calculations or user commands, the faulty P L C may enter a user-defined fallback (failback) or safe state.

It will be appreciated that once the failover process is complete and the standby secondary P L C takes over functions and tasks, the secondary P L C will operate as the primary P L C and once the failure of the original primary P L C is repaired, the original primary P L C may begin to operate as the secondary P L C.

To monitor this situation, the primary P L C321 and secondary P L C322 may use, for example, simple Network Management protocol SNMP (simple Network Management protocol) to monitor the switches 326, 327 and their links to the switch 312. thus, a failure in the primary connection, whether it be a switch or a link, may be detected by the primary P L C, and the primary P L C may decide to initiate a failover process.

In general, a hub or switch may learn of the network it is operating on by storing each source MAC address mentioned in incoming frames received on a particular port; thereby creating a MAC database that associates ports and MAC addresses. If the destination MAC address is not already known in the database, the incoming frame will be flooded to all other ports of the switch except the one that received the incoming frame. Since only one device will typically respond and mention its source MAC address, a new association of port and MAC address can be stored. In the presence of a physical loop, incoming frames will be sent via one or more ports, but will also be incoming again due to the loop. When a frame is repeatedly sent again, the frame will repeatedly loop around the loop, reducing capacity until the switch eventually begins to drop the frame and become unreliable.

As with the example of fig. 2, a spanning tree protocol or a loop detection protocol may be applied. However, this again carries similar risks of network segment isolation and network security. Furthermore, such spanning tree protocols may run too slowly in large, more complex infrastructures.

Thus, configuring at least secondary P L C or both primary P L C and secondary P L C as being capable of logically enabling and disabling ports of the respective switches allows for the prevention of broadcast storms.

The disclosed IT-OT plane network configuration and method adds redundancy to the single failure occurrence, meaning that only one of the links between the IT, control network 310 and the OT, device network 320 fails. The occurrence of a double failure, meaning that two links fail at the same time, can of course be addressed, although less likely, by enlarging the number of links between the IT and OT networks.

Depending on the settings, i.e., the configuration and equipment used, secondary P L C322 may use several different ways to configure switch port 327a, as described below.

1. Using port-based network access control protocols, such as IEEE802.1X

For example, for IEEE802.1X, this requires a supplicant (i.e., switch 312) that wants to connect an authenticator (secondary switch 327 in FIG. 3) acting as a guard with an authentication server (secondary P L C322 in FIG. 3) that verifies the supplicant's credentials, in the example of FIG. 3. if a failover process is initiated, port 327a of secondary switch 327 to which switch 312 is linked will be enabled by the credentials that verify switch 312.

2. Remote configuration of switches using proprietary protocols

Some network device manufacturers provide proprietary protocols for remotely configuring network equipment. For example, such proprietary protocols may use ethernet frames to transport new settings. In this case, the equipment is equipped with dedicated hardware for processing the remote commands included in the transmitted ethernet frames; in response to the remote command, the settings of the network device are adapted.

3. Using P L C with integrated switch

Thus, upon failover, the secondary P L C may change the logical setting of the secondary switch port by enabling it in the registry.

In the example described above in connection with FIG. 3, the programmable logic controller P L C acts as a control device in other examples, other suitable control devices may be deployed, such as a Programmable Automation Controller (PAC) or an embedded controller.

Although in the example described above in connection with fig. 3, the control devices 321, 322 may be functionally identical, it will be appreciated that different types of control devices may be deployed within the same device network. For example, a secondary control device includes an integrated switch with a primary control device, the secondary control device configured to enable and disable ports of the primary switch using ethernet frames or port-based network access control. Thus, a planar network architecture with redundant connections between the device network and the control room network is preserved regardless of the specific type of control devices and switches.

As described above, the main switch and the sub switch may be integrated in the main control device and the sub control device, respectively. In other embodiments, the primary switch and the secondary switch may be integrated into a single control device, either the primary or secondary control device. When such a control device is used in a device network, the control device may be configured to enable and disable the ports of the primary and secondary switches.

Although the present invention has been described above with reference to specific embodiments, it is not intended to be limited to the specific form set forth herein. Rather, the invention is limited only by the accompanying claims and, other embodiments than the specific above are equally possible within the scope of these appended claims.

Moreover, although example embodiments have been described above in some example combinations of components and/or functions, it should be appreciated that alternative embodiments may be provided by different combinations of components and/or functions without departing from the scope of the disclosure. Furthermore, it is specifically contemplated that a particular feature described either individually or as part of an embodiment can be combined with other individually described features or parts of other embodiments.