The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This chapter provides details about configuring Protocol Translation on the Cisco 1000 Series Connected Grid Routers (hereafter referred to as the CGR 1000) for operation within a Supervisory Control and Data Acquisition (SCADA) system.
This chapter includes the following sections:
•Configuring Protocol Translation
SCADA refers to a control and management system employed in industries such as water management, electric power, and manufacturing. A SCADA system collects data from various types of equipment within the system and forwards that information back to a Control Center for analysis. Generally, individuals located at the Control Center monitor the activity on the SCADA system and intervene when necessary.
The Remote Terminal Unit (RTU) acts as the primary control system within a SCADA system. RTUs are configured to control specific functions within the SCADA system, which can be modified as necessary through a user interface.
In the network, the Control Center always serves as the master in the network when communicating with the CGR 1000. The CGR 1000 serves as a proxy master station for the Control Center when it communicates with the RTU.
The CGR 1000 provides IEC 60870 T101 to IEC 60870 T104 protocol translation to serve as a SCADA gateway to do the following:
•Receive data from RTUs (T101) and relay configuration commands from the Control Center (T104) to RTUs.
•Receive configuration commands from the Control Center and relay RTU data to the Control Center
•Terminate incoming T104 requests from the Control Center, when an RTU is offline.
The following terms are relevant when you configure the T101 and T104 protocol stacks on the
CGR 1000:
•Channel-A channel is configured on each CGR 1000 serial port interface to provide a connection to a single RTU for each IP connection to a remote Control Center. Each connection transports a single T101 (RTU) or T104 (Control Center) protocol stack.
•Link Address-Refers to the device or station address.
•Link Mode (Balanced and Unbalanced)-Refers to the modes of data transfer.
–An Unbalanced setting refers to a data transfer initiated from the master.
–A Balanced setting can refer to either a master or slave initiated data transfer.
•Sector-Refers to a single RTU within a remote site.
•Sessions-Represents a single connection to a remote site.
In Figure 1-1, the CGR 1120 (installed within a secondary substation of the Utility Network) employs Protocol Translation to provide secure, end-to-end connectivity between Control Centers and RTUs within a SCADA System.
The CGR 1120 connects to the RTU (slave) through a RS232 connection. The CGR 1120 securely forwards SCADA data from the RTU to the Control Center in the SCADA system through an IPSec tunnel. You can terminate the IPSec tunnel on either a Cisco 2010 Connected Grid Router (CGR 2010) or a head-end router (such as the Cisco ASR 1000). However, only the CGR 2010 inspects the SCADA traffic before it forwards the traffic to the proper Control Center.
Figure 1-1 Cisco Connected Grid Routers Providing Connectivity and Security within a SCADA System
RTUs must be configured and operating in the network.
For each RTU that connects to the CGR 1000, you will need the following information:
•Channel information
–Channel name
–Connection type: serial
–Link transmission procedure setting: unbalanced or balanced
–Address field of the link (number expressed in octets)
•Session information
–Session name
–Size of common address of Application Service Data Unit (ASDU) (number expressed in octets)
–Cause of transmission (COT) size (number expressed in octets)
–Information object address (IOA) size (number expressed in octets)
•Sector information
–Sector name
–ASDU address, (number expressed in octets)
Each channel supports only one session.
Each sessions supports only one sector.
|
|
---|---|
Role for T101 |
Master |
Role for T104 |
Slave |
This section includes the following topics:
•Enabling the CGR 1000 Serial Port and T101 Encapsulation
•Enabling Protocol Translation
•Configuring T101 and T104 Protocol Stacks
Before you can enable and configure Protocol Translation on the CGR 1000, you must first enable the serial port on the CGR 1000 and enable T101 encapsulation on that port.
Determine availability of serial port on the Cisco CG-OS router.
This example shows how to enable serial port 1/1 and how to enable encapsulation on that port to support T101 communication.
router# configure terminal
router(config)# interface serial 1/1
router (config-if)# no shutdown
router (config-if)# encapsulation t101
To enable the CGR 1000 to act as a SCADA Gateway, you must enable the Protocol Translation feature on the router.
Enable the serial port on the router and T101 encapsulation on that serial port.
See Enabling the CGR 1000 Serial Port and T101 Encapsulation.
|
|
|
---|---|---|
Step 1 |
configure terminal |
Enters global configuration mode. |
Step 2 |
feature scada-gw |
Enables the Protocol Translation feature on the CGR 1000. |
This example shows how to enable the Protocol Translation feature on the CGR 1000 to allow it to operate as a SCADA gateway for RTUs and Control Centers.
router# configure terminal
router(config)# feature scada-gw
router(config)#
After enabling Protocol Translation feature on the CGR 1000, you must configure the T101 and T104 protocol stacks, which allow end-to-end communication between Control Centers (T104) and RTUs (T101) within a SCADA system.
•Configuring the T101 Protocol Stack
•Configuring the T104 Protocol Stack
•Starting the Protocol Translation Engine
Ensure that you have gathered all the required configuration information. See Prerequisites.
Enable Protocol Translation. See Enabling Protocol Translation.
Configure the channel, session, and sector parameters for the T101 protocol stack.
|
|
|
---|---|---|
Step 1 |
configure terminal |
Enters global configuration mode. |
Step 2 |
scada-gw protocol t101 |
Enters the configuration mode for the T101 protocol. |
Step 3 |
channel channel_name |
Enters the channel configuration mode for the T101 protocol. channel_name-Indentifies the channel on which the serial port of the CGR 2010 communicates to the RTU. Note When the entered channel name does not already exist, the router creates a new channel. Entering the no form of this command deletes an existing channel. However, all sessions must be deleted before you can delete a channel. |
Step 4 |
role master |
Assigns the master role to the T101 protocol channel (default). |
Step 5 |
link-mode {balanced | unbalanced} |
Configures the link-mode as either balanced or unbalanced. unbalanced-Refers to a data transfer initiated from the master. balanced-Refers to either a master or slave data transfer. |
Step 6 |
link-addr-size {none | one | two} |
Defines the link address size in octets. |
Step 7 |
bind-to-interface serial slot/port |
Defines the CGR 2010 serial interface on which the system sends its T101 protocol traffic. slot-Value of 1. port-Value of 1 or 2. |
Step 8 |
exit |
Ends configuration of the channel and exits the channel configuration mode. Saves all settings. |
Step 9 |
session session_name |
Enters the session configuration mode and assigns a name to the session. |
Step 10 |
attach-to-channel channel_name |
Attaches the session to the channel. Enter the same channel name that you entered in . channel_name-Indentifies the channel. |
Step 11 |
common-addr-size {one | two | three} |
Defines the common address size in octets. |
Step 12 |
cot size {one | two | three} |
Defines the cause of transmission such as spontaneous or cyclic data schemes in octets. |
Step 13 |
info-obj-addr-size {one | two | three} |
Defines the information object element address size in octets. |
Step 14 |
link-addr-size {one | two | three} |
Defines the link address size in octets. |
Step 15 |
link-addr link_address |
Refers to the link address of the RTU. Note The link address entered here must match the value set on the RTU to which the serial port connects. link_address-Value of 1 or 2. |
Step 16 |
exit |
Exits the session configuration mode. |
Step 17 |
sector sector_name |
Enters the sector configuration mode and assigns a name to the sector for the RTU. sector_name-Indentifies the sector. |
Step 18 |
attach-to-session session_name |
Attaches the RTU sector to the session. Enter the same session name that you entered in Step 9. session_name-Indentifies the session. |
Step 19 |
asdu-addr asdu_address |
Refers to the ASDU structure address of the RTU. |
Step 20 |
exit |
Exits the sector configuration mode. |
Step 21 |
exit |
Exits the protocol configuration mode. |
This example shows how to configure the parameters for the T101 protocol stack for RTU_10.
router# configure terminal
router(config)# scada-gw protocol t101
router(config-t101)# channel rtu_channel
router(config-t101-channel)# role master
router(config-t101-channel)# link-mode unbalanced
router(config-t101-channel)# link-addr-size one
router(config-t101-channel)# bind-to-interface serial 1/1
router(config-t101-channel)# exit
router(config-t101)# session rtu_session
router(config-t101-session)# attach-to-channel rtu_channel
router(config-t101-session)# common-addr-size two
router(config-t101-session)# cot-size one
router(config-t101-session)# info-obj-addr-size two
router(config-t101-session)# link-addr 3
router(config-t101-session)# exit
router(config-t101)# sector rtu_sector
router(config-t101-sector)# attach-to-session rtu_session
router(config-t101-sector)# asdu-addr 3
router(config-t101-sector)# exit
router(config-t101)# exit
router(config)#
Ensure that you have gathered all the required configuration information. See Prerequisites.
Enable Protocol Translation. See Enabling Protocol Translation.
Follow these steps below for each Control Center that you want to connect to over a T104 protocol.
|
|
|
---|---|---|
Step 1 |
configure terminal |
Enters configuration mode. |
Step 2 |
scada-gw protocol t104 |
Enters the configuration mode for the T104 protocol. |
Step 3 |
channel channel_name |
Enters the channel configuration mode for the T104 protocol. channel_name-Indentifies the channel on which the router communicates with the Control Center. Note When the entered channel name does not already exist, the router creates a new channel. Entering the no form of this command deletes an existing channel. However, all sessions must be deleted before you can delete a channel. |
Step 4 |
k-value value |
Sets the maximum number of outstanding Application Protocol Data Units (APDUs) for the channel. Note An APDU incorporates the ASDU and a control header. value-Range of values from 1 to 32767. Default value is 12 APDUs. |
Step 5 |
w-value value |
Sets the maximum number of APDUs for the channel. value-Range of values from 1 to 32767. Default value is 8 APDUs. |
Step 6 |
t0-timeout value |
Defines the t0-timeout value for connection establishment of the T104 channel. |
Step 7 |
t1-timeout value |
Defines the t1-timeout value for send or test APDUs on the T104 channel. |
Step 8 |
t2-timeout value |
Defines the t2-timeout value for acknowledgements when the router receives no data message. Note The t2 value must always be set to a lower value than the t1 value on the T104 channel. |
Step 9 |
t3-timeout value |
Defines the t3-timeout value for sending s-frames in case of a long idle state on the T104 channel. Note The t3 value must always be set to a higher value than the t1 value on the T104 channel. |
Step 10 |
tcp-connection primary local-port port_number |
In a configuration where there are redundant Control Centers, sets the value for the primary Control Center as defined on the primary Control Center. |
Step 11 |
tcp-connection secondary local-port port_number |
In a configuration where there are redundant Control Centers, sets the value for the secondary Control Center as defined on the primary Control Center. |
Step 12 |
exit |
Exits the channel configuration mode. |
Step 13 |
session session_name |
Enters the session configuration mode and assigns a name to the session. session_name-Use the same name that you assigned to the channel in Step 3. |
Step 14 |
attach-to-channel channel_name |
Defines the name of the channel that transports the session traffic. |
Step 15 |
cot size {one | two | three} |
Defines the cause of transmission (cot), such as spontaneous or cyclic data schemes in octets. |
Step 16 |
exit |
Exits the session configuration mode. |
Step 17 |
sector sector_name |
Enters the sector configuration mode and assigns a name to the sector for the Control Center. |
Step 18 |
attach-to-session session_name |
Attaches the Control Center sector to the channel. session_name-Use the same name that you assigned to the channel in Step 3. |
Step 19 |
asdu-addr asdu_address |
Refers to the ASDU structure address. Value entered here must match the ASDU value on the RTU. asdu_address-asdu_address-Value of 1 or 2. |
Step 20 |
map-to-sector sector_name |
Maps the Control Center (T104) sector to the RTU (T101) sector. |
Step 21 |
Return to Step 1. |
Repeat all steps in this section for each Control Center active in the network. |
This example shows how to configure the parameters for the T104 protocol stack on Control Center 1 and Control Center 2, both of which are configured as masters, and how to map the T104 sector to the T101 sector.
To configure Control Center 1 (cc_master1), enter the following commands.
router# configure terminal
router(config)# scada-gw protocol t104
router(config-t104)# channel cc_master1
router(config-t104-channel)# k-value 12
router(config-t104-channel)# w-value 8
router(config-t104-channel)# t0-timeout 30
router(config-t104-channel)# t1-timeout 15
router(config-t104-channel)# t2-timeout 10
router(config-t104-channel)# t3-timeout 30
router(config-t104-channel)# tcp-connection primary local-port 2050
router(config-t104-channel)# tcp-connection secondary local-port 2051
router(config-t104-channel)# exit
router(config-t104)# session cc_master1
router(config-t104-session)# attach-to-channel cc_master1
router(config-t104-session)# cot-size two
router(config-t104-session)# exit
router(config-t104)# sector cc_master1-sector
router(config-t104-sector)# attach-to-session cc_master1
router(config-t104-sector)# asdu-adr 3
router(config-t104-sector)# map-to-sector rtu_sector
router(config-t104)# exit
router(config)#
To configure Control Center 2 (cc_master2), enter the following commands.
router(config)# scada-gw protocol t104
router(config-t104)# channel cc_master2
router(config-t104-channel)# k-value 12
router(config-t104-channel)# w-value 8
router(config-t104-channel)# t0-timeout 30
router(config-t104-channel)# t1-timeout 15
router(config-t104-channel)# t2-timeout 10
router(config-t104-channel)# t3-timeout 30
router(config-t104-channel)# tcp-connection primary local-port 2060
router(config-t104-channel)# tcp-connection secondary local-port 2061
router(config-t104-channel)# exit
router(config-t104)# session cc_master2
router(config-t104-session)# attach-to-channel cc_master2
router(config-t104-session)# cot-size two
router(config-t104-session)# exit
router(config-t104)# sector cc_master2-sector
router(config-t104-sector)# attach-to-session cc_master2
router(config-t104-sector)# asdu-adr 3
router(config-t104-sector)# map-to-sector rtu_sector
router(config-t104-sector)# exit
router(config-t104)# exit
router(config)#
After configuring the T101 and T104 protocols on the CGR 1000, you can start the Protocol Translation Engine.
|
|
|
---|---|---|
Step 1 |
configure terminal |
Enters global configuration mode. |
Step 2 |
scada-gw enable |
Starts the Protocol Translation Engine on the CGR 1000. |
router# configure terminal
router(config)# scada-gw enable
|
|
---|---|
show running-config |
Shows the configuration of the router including those features that are active and their settings. |
The following example shows how to configure the serial port interface for T101 connection, configure T101 and T104 protocol stacks, and starts the Protocol Translation Engine on the CGR 1000.
router# configure terminal
router(config)# interface serial 1/1
router (config-if)# no shutdown
router (config-if)# encapsulation 101
router (config-if)# exit
router(config)# scada-gw protocol t101
router(config-t101)# channel rtu_channel
router(config-t101-channel)# role master
router(config-t101-channel)# link-mode unbalanced
router(config-t101-channel)# link-addr-size one
router(config-t101-channel)# bind-to-interface serial 1/1
router(config-t101-channel)# exit
router(config-t101)# session rtu_session
router(config-t101-session)# attach-to-channel rtu_channel
router(config-t101-session)# common-addr-size two
router(config-t101-session)# cot-size one
router(config-t101-session)# info-obj-addr-size two
router(config-t101-session)# link-addr 3
router(config-t101-session)# exit
router(config-t101)# sector rtu_sector
router(config-t101-sector)# attach-to-session rtu_session
router(config-t101-sector)# asdu-addr 3
router(config-t101-sector)# exit
router(config-t101)# exit
router(config)# scada-gw protocol t104
router(config-t104)# channel cc_master1
router(config-t104-channel)# k-value 12
router(config-t104-channel)# w-value 8
router(config-t104-channel)# t0-timeout 30
router(config-t104-channel)# t1-timeout 15
router(config-t104-channel)# t2-timeout 10
router(config-t104-channel)# t3-timeout 30
router(config-t104-channel)# tcp-connection primary local-port 2050
router(config-t104-channel)# tcp-connection secondary local-port 2051
router(config-t104-channel)# exit
router(config-t104)# session cc_master1
router(config-t104-session)# attach-to-channel cc_master1
router(config-t104-session)# cot-size two
router(config-t104-session)# exit
router(config-t104)# sector cc_master1-sector
router(config-t104-sector)# attach-to-session cc_master1
router(config-t104-sector)# asdu-adr 3
router(config-t104-sector)# map-to-sector rtu_sector
router(config-t104)# exit
router(config)# scada-gw protocol t104
router(config-t104)# channel cc_master2
router(config-t104-channel)# k-value 12
router(config-t104-channel)# w-value 8
router(config-t104-channel)# t0-timeout 30
router(config-t104-channel)# t1-timeout 15
router(config-t104-channel)# t2-timeout 10
router(config-t104-channel)# t3-timeout 30
router(config-t104-channel)# tcp-connection primary local-port 2060
router(config-t104-channel)# tcp-connection secondary local-port 2061
router(config-t104-channel)# exit
router(config-t104)# session cc_master2
router(config-t104-session)# attach-to-channel cc_master2
router(config-t104-session)# cot-size two
router(config-t104-session)# exit
router(config-t104)# sector cc_master2-sector
router(config-t104-sector)# attach-to-session cc_master2
router(config-t104-sector)# asdu-adr 3
router(config-t104-sector)# map-to-sector rtu_sector
router(config-t104-sector)# exit
router(config-t104)# exit
router(config)# scada-gw enable
|
|
|
---|---|---|
Protocol translation |
Cisco CG-OS Release CG2(1) |
Initial support of the feature on the CGR 1000 Series Routers. |