Cisco Connected Grid 2010 Router Software Configuration Guide
First Published: November 2013
Release: Cisco IOS Release 15.3(2)T
OL-30756-03
This document provides details about configuring Protocol Translation on the Cisco 2010 Connected Grid Router (hereafter referred to as CGR 2010 or router) for operation within a Supervisory Control and Data Acquisition (SCADA) system.
This chapter includes the following sections:
•Configuring Protocol Translation
Information About SCADA
SCADA refers to a control and management system employed in industries such as water management, electric power, and manufacturing. A SCADA system collects data from various types of equipment within the system and forwards that information back to a Control Center for analysis. Generally, individuals located at the Control Center monitor the activity on the SCADA system and intervene when necessary.
The Remote Terminal Unit (RTU) acts as the primary control system within a SCADA system. RTUs are configured to control specific functions within the SCADA system, which can be modified as necessary through a user interface.
Role of the CGR 2010
The Control Center always serves as the master in the network when communicating with the CGR 2010. The CGR 2010 serves as a proxy master station for the Control Center when it communicates with the RTU.
The CGR 2010 provides IEC 60870 T101 to IEC 60870 T104 protocol translation to serve as a SCADA gateway to do the following:
•Receive data from RTUs (T101) and relay configuration commands from the Control Center (T104) to RTUs.
•Receive configuration commands from the Control Center and relay RTU data to the Control Center.
•Terminate incoming T104 requests from the Control Center, when an RTU is offline.
Key Terms
The following terms are relevant when you configure the T101 and T104 protocol stacks on the CGR 2010:
•Channel-A channel is configured on each CGR 2010 serial port interface to provide a connection to a single RTU for each IP connection to a remote Control Center. Each connection transports a single T101 (RTU) or T104 (Control Center) protocol stack.
•Link Address-Refers to the device or station address.
•Link Mode (Balanced and Unbalanced)-Refers to the modes of data transfer.
–An Unbalanced setting refers to a data transfer initiated from the master.
–A Balanced setting can refer to either a master or slave initiated data transfer.
•Sector-Refers to a single RTU within a remote site.
•Sessions-Represents a single connection to a remote site.
Protocol Translation Application
In Figure 1, the CGR 1120 (installed within a secondary substation of the Utility Network) employs Protocol Translation to provide secure, end-to-end connectivity between Control Centers and RTUs within a SCADA System. You can also employ a CGR 1240 in this configuration.
The CGR 1120 connects to the RTU (slave) through an RS232 connection. The CGR 1120 securely forwards SCADA data from the RTU to the Control Center in the SCADA system through an IPSec tunnel. You can terminate the IPSec tunnel on either a Cisco 2010 Connected Grid Router (CGR 2010) or a head-end router (such as the Cisco ASR 1000). However, only the CGR 2010 inspects the SCADA traffic before it forwards the traffic to the proper Control Center.
Figure 1 Cisco Connected Grid Routers Providing Connectivity and Security within a SCADA System
Prerequisites
RTUs must be configured and operating in the network.
For each RTU that connects to the CGR 2010, you will need the following information:
•Channel information
–Channel name
–Connection type: serial
–Link transmission procedure setting: unbalanced or balanced
–Address field of the link (number expressed in octets)
•Session information
–Session name
–Size of common address of Application Service Data Unit (ASDU) (number expressed in octets)
–Cause of transmission (COT) size (number expressed in octets)
–Information object address (IOA) size (number expressed in octets)
•Sector information
–Sector name
–ASDU address, (number expressed in octets)
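To show why the octet sizes gathered above must match what the RTU actually sends, the following added example (not from Cisco's guide and not the router's implementation) parses a constructed T101 ASDU with the sizes used in this chapter's T101 example, then again with a wrong COT size. It assumes the IEC 60870-5-101 field order (type, VSQ, COT, common address, IOA) with little-endian addresses, a single information object and a one- or two-octet COT; `Asdu`, `parse_asdu` and `reencode` are hypothetical names.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed T101 ASDU (not captured traffic): type 1, one object, COT 3,
# common address 3, IOA 100, one element octet. Encoded with the sizes from the
# page's T101 example: cot-size one, common-addr-size two, info-obj-addr-size two.
SAMPLE_ASDU = bytes.fromhex("01 01 03 03 00 64 00 01")


@dataclass
class Asdu:
    type_id: int
    vsq: int                   # SQ bit plus number of objects
    cot: int                   # first COT octet: cause in bits 0-5, P/N and T above
    originator: Optional[int]  # second COT octet, only when the COT size is 2
    common_addr: int
    ioa: int
    element: bytes


def parse_asdu(data, cot_size, ca_size, ioa_size):
    """Parse a single-object ASDU using the configured field sizes in octets."""
    if cot_size not in (1, 2):
        raise ValueError("this example covers a one- or two-octet COT")
    header = 2 + cot_size + ca_size + ioa_size
    if len(data) < header:
        raise ValueError(f"need {header} header octets, got {len(data)}")
    if data[1] & 0x7F != 1:
        raise ValueError("this example handles one information object only")
    originator = data[3] if cot_size == 2 else None
    pos = 2 + cot_size
    common_addr = int.from_bytes(data[pos:pos + ca_size], "little")
    pos += ca_size
    ioa = int.from_bytes(data[pos:pos + ioa_size], "little")
    return Asdu(data[0], data[1], data[2], originator, common_addr, ioa,
                data[pos + ioa_size:])


def reencode(a, cot_size, ca_size, ioa_size):
    """Re-emit the ASDU with other field sizes (for example 2/2/3 octets)."""
    if cot_size not in (1, 2):
        raise ValueError("this example covers a one- or two-octet COT")
    cot = bytes([a.cot, a.originator or 0])[:cot_size]
    return (bytes([a.type_id, a.vsq]) + cot
            + a.common_addr.to_bytes(ca_size, "little")
            + a.ioa.to_bytes(ioa_size, "little") + a.element)


if __name__ == "__main__":
    good = parse_asdu(SAMPLE_ASDU, cot_size=1, ca_size=2, ioa_size=2)
    print("sizes match RTU:", good)
    # Declaring COT as two octets shifts every later field by one octet.
    bad = parse_asdu(SAMPLE_ASDU, cot_size=2, ca_size=2, ioa_size=2)
    print("cot-size wrong: ", bad)
    print("as 2/2/3 octets:", reencode(good, 2, 2, 3).hex(" "))
```

With the wrong COT size the same octets decode to common address 25600 and IOA 256 instead of 3 and 100, so a size mismatch surfaces as data for the wrong station or point rather than as an obvious error.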
Guidelines and Limitations
Each channel supports only one session.
Each session supports only one sector.
Default Settings
Configuring Protocol Translation
This section includes the following topics:
•Enabling the CGR 2010 Serial Port and SCADA Encapsulation
•Configuring T101 and T104 Protocol Stacks
•Starting and Stopping the Protocol Translation Engine
Note Before making any configuration changes to a CGR 2010 operating with Protocol Translation, please review the section on Starting and Stopping the Protocol Translation Engine.
Enabling the CGR 2010 Serial Port and SCADA Encapsulation
Before you can enable and configure Protocol Translation on the CGR 2010, you must first enable the serial port on the CGR 2010 and enable SCADA encapsulation on that port.
BEFORE YOU BEGIN
Determine availability of serial port on the CGR 2010.
DETAILED STEPS
EXAMPLE
This example shows how to enable serial port 0/0/1 and how to enable encapsulation on that interface to support SCADA protocols.
router# configure terminal
router(config)# interface serial 0/0/1
router (config-if)# no shutdown
router (config-if)# physical-layer async
router (config-if)# encapsulation scada
Configuring T101 and T104 Protocol Stacks
You can configure T101 and T104 protocol stacks, which allow end-to-end communication between Control Centers (T104) and RTUs (T101) within a SCADA system.
•Configuring the T101 Protocol Stack
•Configuring the T104 Protocol Stack
•Starting and Stopping the Protocol Translation Engine
BEFORE YOU BEGIN
Ensure that you have gathered all the required configuration information. (See Prerequisites)
Enable the serial port and SCADA encapsulation. (See Enabling the CGR 2010 Serial Port and SCADA Encapsulation)
Configuring the T101 Protocol Stack
Configure the channel, session, and sector parameters for the T101 protocol stack.
DETAILED STEPS
Command Purpose
Step 1
configure terminal
Enters global configuration mode.
Step 2
scada-gw protocol t101
Enters the configuration mode for the T101 protocol.
Step 3
channel channel_name
Enters the channel configuration mode for the T101 protocol.
channel_name-Identifies the channel on which the serial port of the CGR 2010 communicates to the RTU.
Note When the entered channel name does not already exist, the router creates a new channel.
Entering the no form of this command deletes an existing channel. However, all sessions must be deleted before you can delete a channel.
Step 4
role master
Assigns the master role to the T101 protocol channel (default).
Step 5
link-mode {balanced | unbalanced}
Configures the link-mode as either balanced or unbalanced.
unbalanced-Refers to a data transfer initiated from the master.
balanced-Refers to either a master or slave data transfer.
Step 6
link-addr-size {none | one | two}
Defines the link address size in octets.
Step 7
bind-to-interface serial slot/port
Defines the CGR 2010 serial interface on which the system sends its T101 protocol traffic.
slot-Value of 1.
port-Value of 1 or 2.
Step 8
exit
Ends configuration of the channel and exits the channel configuration mode. Saves all settings.
Step 9
session session_name
Enters the session configuration mode and assigns a name to the session.
Step 10
attach-to-channel channel_name
Attaches the session to the channel.
Enter the same channel name that you entered in .
channel_name-Identifies the channel.
Step 11
common-addr-size {one | two | three}
Defines the common address size in octets.
Step 12
cot-size {one | two | three}
Defines the size in octets of the cause of transmission (COT), such as spontaneous or cyclic data schemes.
Step 13
info-obj-addr-size {one | two | three}
Defines the information object element address size in octets.
Step 14
link-addr-size {one | two | three}
Defines the link address size in octets.
Step 15
link-addr link_address
Refers to the link address of the RTU.
Note The link address entered here must match the value set on the RTU to which the serial port connects.
link_address-Value of 1 or 2.
Step 16
exit
Exits the session configuration mode.
Step 17
sector sector_name
Enters the sector configuration mode and assigns a name to the sector for the RTU.
sector_name-Identifies the sector.
Step 18
attach-to-session session_name
Attaches the RTU sector to the session.
Enter the same session name that you entered in Step 9.
session_name-Identifies the session.
Step 19
asdu-addr asdu_address
Refers to the ASDU structure address of the RTU.
Step 20
exit
Exits the sector configuration mode.
Step 21
exit
Exits the protocol configuration mode.
EXAMPLE
This example shows how to configure the parameters for the T101 protocol stack for RTU_10.
router# configure terminal
router(config)# scada-gw protocol t101
router(config-t101)# channel rtu_channel
router(config-t101-channel)# role master
router(config-t101-channel)# link-mode unbalanced
router(config-t101-channel)# link-addr-size one
router(config-t101-channel)# bind-to-interface serial 1/1
router(config-t101-channel)# exit
router(config-t101)# session rtu_session
router(config-t101-session)# attach-to-channel rtu_channel
router(config-t101-session)# common-addr-size two
router(config-t101-session)# cot-size one
router(config-t101-session)# info-obj-addr-size two
router(config-t101-session)# link-addr 3
router(config-t101-session)# exit
router(config-t101)# sector rtu_sector
router(config-t101-sector)# attach-to-session rtu_session
router(config-t101-sector)# asdu-addr 3
router(config-t101-sector)# exit
router(config-t101)# exit
router(config)#
Configuring the T104 Protocol Stack
Follow the steps below for each Control Center that you want to connect to over a T104 protocol.
BEFORE YOU BEGIN
Ensure that you have gathered all the required configuration information. (See Prerequisites)
Enable the serial port and SCADA encapsulation. (See Enabling the CGR 2010 Serial Port and SCADA Encapsulation)
DETAILED STEPS
Command Purpose
Step 1
configure terminal
Enters configuration mode.
Step 2
scada-gw protocol t104
Enters the configuration mode for the T104 protocol.
Step 3
channel channel_name
Enters the channel configuration mode for the T104 protocol.
channel_name-Identifies the channel on which the router communicates with the Control Center.
Note When the entered channel name does not already exist, the router creates a new channel.
Entering the no form of this command deletes an existing channel. However, all sessions must be deleted before you can delete a channel.
Step 4
k-value value
Sets the maximum number of outstanding Application Protocol Data Units (APDUs) for the channel.
Note An APDU incorporates the ASDU and a control header.
value-Range of values from 1 to 32767. Default value is 12 APDUs.
Step 5
w-value value
Sets the maximum number of APDUs for the channel.
value-Range of values from 1 to 32767. Default value is 8 APDUs.
Step 6
t0-timeout value
Defines the t0-timeout value for connection establishment of the T104 channel.
Step 7
t1-timeout value
Defines the t1-timeout value for send or test APDUs on the T104 channel.
Step 8
t2-timeout value
Defines the t2-timeout value for acknowledgements when the router receives no data message.
Note The t2 value must always be set to a lower value than the t1 value on the T104 channel.
Step 9
t3-timeout value
Defines the t3-timeout value for sending s-frames in case of a long idle state on the T104 channel.
Note The t3 value must always be set to a higher value than the t1 value on the T104 channel.
Step 10
tcp-connection {0|1} local-port {port_number | default} remote-ip {A.B.C.D | A.B.C.D/LEN | any} [vrf WORD]
In a configuration where there are redundant Control Centers, sets the connection value for the secondary Control Center as defined on the primary Control Center.
port-number-value between 2000 and 65535.
default-value of 2404.
A.B.C.D-single host.
A.B.C.D/nn-subnet A.B.C.D/LEN.
any-any remote hosts 0.0.0.0/0.
WORD-VRF name.
Step 11
exit
Exits the channel configuration mode.
Step 12
session session_name
Enters the session configuration mode and assigns a name to the session.
session_name-Use the same name that you assigned to the channel in Step 3.
Step 13
attach-to-channel channel_name
Defines the name of the channel that transports the session traffic.
Step 14
cot-size {one | two | three}
Defines the size in octets of the cause of transmission (COT), such as spontaneous or cyclic data schemes.
Step 15
exit
Exits the session configuration mode.
Step 16
sector sector_name
Enters the sector configuration mode and assigns a name to the sector for the Control Center.
Step 17
attach-to-session session_name
Attaches the Control Center sector to the channel.
session_name-Use the same name that you assigned to the channel in Step 3.
Step 18
asdu-addr asdu_address
Refers to the ASDU structure address. Value entered here must match the ASDU value on the RTU.
asdu_address-Value of 1 or 2.
Step 19
map-to-sector sector_name
Maps the Control Center (T104) sector to the RTU (T101) sector.
Step 20
Return to Step 1.
Repeat all steps in this section for each Control Center active in the network.
EXAMPLE
This example shows how to configure the parameters for the T104 protocol stack on Control Center 1 and Control Center 2, both of which are configured as masters, and how to map the T104 sector to the T101 sector.
To configure Control Center 1 (cc_master1), enter the following commands.
router# configure terminal
router(config)# scada-gw protocol t104
router(config-t104)# channel cc_master1
router(config-t104-channel)# k-value 12
router(config-t104-channel)# w-value 8
router(config-t104-channel)# t0-timeout 30
router(config-t104-channel)# t1-timeout 15
router(config-t104-channel)# t2-timeout 10
router(config-t104-channel)# t3-timeout 30
router(config-t104-channel)# tcp-connection 0 local-port 2050 remote-ip 209.165.200.225
router(config-t104-channel)# tcp-connection 1 local-port 2051 remote-ip 209.165.201.25
router(config-t104-channel)# exit
router(config-t104)# session cc_master1
router(config-t104-session)# attach-to-channel cc_master1
router(config-t104-session)# cot-size two
router(config-t104-session)# exit
router(config-t104)# sector cc_master1-sector
router(config-t104-sector)# attach-to-session cc_master1
router(config-t104-sector)# asdu-addr 3
router(config-t104-sector)# map-to-sector rtu_sector
router(config-t104-sector)# exit
router(config-t104)# exit
router(config)#
To configure Control Center 2 (cc_master2), enter the following commands.
router(config)# scada-gw protocol t104
router(config-t104)# channel cc_master2
router(config-t104-channel)# k-value 12
router(config-t104-channel)# w-value 8
router(config-t104-channel)# t0-timeout 30
router(config-t104-channel)# t1-timeout 15
router(config-t104-channel)# t2-timeout 10
router(config-t104-channel)# t3-timeout 30
router(config-t104-channel)# tcp-connection 0 local-port 2060 remote-ip 209.165.201.237
router(config-t104-channel)# tcp-connection 1 local-port 2061 remote-ip 209.165.200.27
router(config-t104-channel)# exit
router(config-t104)# session cc_master2
router(config-t104-session)# attach-to-channel cc_master2
router(config-t104-session)# cot-size two
router(config-t104-session)# exit
router(config-t104)# sector cc_master2-sector
router(config-t104-sector)# attach-to-session cc_master2
router(config-t104-sector)# asdu-addr 3
router(config-t104-sector)# map-to-sector rtu_sector
router(config-t104-sector)# exit
router(config-t104)# exit
router(config)#
Starting and Stopping the Protocol Translation Engine
You must start the Protocol Translation Engine to use Protocol Translation on the CGR 2010.
Starting-After enabling SCADA encapsulation on the CGR 2010 serial port and configuring the T101 and T104 protocols on the CGR 2010, you can start the Protocol Translation Engine.
Stopping-Before you can make any configuration changes to Protocol Translation on the CGR 2010 with an active Protocol Translation Engine, you must stop the engine.
BEFORE YOU BEGIN
Before starting the Protocol Translation Engine on the router for the first time, make sure you complete the following items:
"Enabling the CGR 2010 Serial Port and SCADA Encapsulation" section
"Configuring T101 and T104 Protocol Stacks" section
DETAILED STEPS
EXAMPLE
To start the protocol translation engine on the router, enter the following commands:
router# configure terminal
router(config)# scada-gw enable
To stop the protocol translation engine on the router, enter the following commands:
router# configure terminal
router(config)# no scada-gw enable
Verifying Configuration
Configuration Example
The following example shows how to configure the serial port interface for a T101 connection, configure the T101 and T104 protocol stacks, and start the Protocol Translation Engine on the CGR 2010.
router# configure terminal
router(config)# interface serial 0/0/1
router (config-if)# no shutdown
router (config-if)# physical-layer async
router (config-if)# encapsulation scada
router (config-if)# exit
router(config)# scada-gw protocol t101
router(config-t101)# channel rtu_channel
router(config-t101-channel)# role master
router(config-t101-channel)# link-mode unbalanced
router(config-t101-channel)# link-addr-size one
router(config-t101-channel)# bind-to-interface serial 1/1
router(config-t101-channel)# exit
router(config-t101)# session rtu_session
router(config-t101-session)# attach-to-channel rtu_channel
router(config-t101-session)# common-addr-size two
router(config-t101-session)# cot-size one
router(config-t101-session)# info-obj-addr-size two
router(config-t101-session)# link-addr 3
router(config-t101-session)# exit
router(config-t101)# sector rtu_sector
router(config-t101-sector)# attach-to-session rtu_session
router(config-t101-sector)# asdu-addr 3
router(config-t101-sector)# exit
router(config-t101)# exit
router(config)# scada-gw protocol t104
router(config-t104)# channel cc_master1
router(config-t104-channel)# k-value 12
router(config-t104-channel)# w-value 8
router(config-t104-channel)# t0-timeout 30
router(config-t104-channel)# t1-timeout 15
router(config-t104-channel)# t2-timeout 10
router(config-t104-channel)# t3-timeout 30
router(config-t104-channel)# tcp-connection 0 local-port 2050 remote-ip 209.165.200.225
router(config-t104-channel)# tcp-connection 1 local-port 2051 remote-ip 209.165.201.25
router(config-t104-channel)# exit
router(config-t104)# session cc_master1
router(config-t104-session)# attach-to-channel cc_master1
router(config-t104-session)# cot-size two
router(config-t104-session)# exit
router(config-t104)# sector cc_master1-sector
router(config-t104-sector)# attach-to-session cc_master1
router(config-t104-sector)# asdu-addr 3
router(config-t104-sector)# map-to-sector rtu_sector
router(config-t104-sector)# exit
router(config-t104)# exit
router(config)# scada-gw protocol t104
router(config-t104)# channel cc_master2
router(config-t104-channel)# k-value 12
router(config-t104-channel)# w-value 8
router(config-t104-channel)# t0-timeout 30
router(config-t104-channel)# t1-timeout 15
router(config-t104-channel)# t2-timeout 10
router(config-t104-channel)# t3-timeout 30
router(config-t104-channel)# tcp-connection 0 local-port 2060 remote-ip 209.165.201.237
router(config-t104-channel)# tcp-connection 1 local-port 2061 remote-ip 209.165.200.27
router(config-t104-channel)# exit
router(config-t104)# session cc_master2
router(config-t104-session)# attach-to-channel cc_master2
router(config-t104-session)# cot-size two
router(config-t104-session)# exit
router(config-t104)# sector cc_master2-sector
router(config-t104-sector)# attach-to-session cc_master2
router(config-t104-sector)# asdu-addr 3
router(config-t104-sector)# map-to-sector rtu_sector
router(config-t104-sector)# exit
router(config-t104)# exit
router(config)# scada-gw enable
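A pre-deployment check for the T104 channel settings in a configuration like the one above, added here as an example (it is not part of Cisco's guide or tooling). It applies the rules this chapter states: t2 lower than t1, t3 higher than t1, local-port between 2000 and 65535 or `default`, and it flags `tcp-connection` lines that accept any remote host or name no `remote-ip`. The function names `parse_channels` and `lint_t104` are hypothetical, and the input is assumed to be plain command text, with or without CLI prompts.

```python
import ipaddress

# Constructed sample (not from a real device); cc_master2 is deliberately wrong.
SAMPLE = """\
scada-gw protocol t104
 channel cc_master1
  t1-timeout 15
  t2-timeout 10
  t3-timeout 30
  tcp-connection 0 local-port 2050 remote-ip 209.165.200.225
 channel cc_master2
  t1-timeout 15
  t2-timeout 20
  t3-timeout 10
  tcp-connection 0 local-port 2404 remote-ip any
  tcp-connection 1 local-port 1999 remote-ip 209.165.200.0/24
"""


def parse_channels(text):
    """Collect T104 channel settings; a CLI prompt before '#' is ignored."""
    channels, proto, cur = {}, None, None
    for raw in text.splitlines():
        w = raw.rpartition("#")[2].split()
        if len(w) == 3 and w[:2] == ["scada-gw", "protocol"]:
            proto, cur = w[2], None
        elif proto == "t104" and len(w) == 2 and w[0] == "channel":
            cur = channels.setdefault(w[1], {"opts": {}, "tcp": []})
        elif w and w[0] in ("exit", "session", "sector"):
            cur = None  # left channel configuration mode
        elif cur is not None and len(w) >= 4 and w[0] == "tcp-connection":
            remote = w[5] if len(w) > 5 and w[4] == "remote-ip" else None
            cur["tcp"].append((w[1], w[3], remote))
        elif cur is not None and len(w) == 2 and w[1].isdigit():
            cur["opts"][w[0]] = int(w[1])
    return channels


def lint_t104(text):
    """Return (channel, finding) pairs for the limits stated in this chapter."""
    out = []
    for name, ch in parse_channels(text).items():
        o = ch["opts"]
        t1, t2, t3 = (o.get(f"t{i}-timeout") for i in (1, 2, 3))
        if None not in (t1, t2) and t2 >= t1:
            out.append((name, f"t2 {t2} is not lower than t1 {t1}"))
        if None not in (t1, t3) and t3 <= t1:
            out.append((name, f"t3 {t3} is not higher than t1 {t1}"))
        for idx, port, remote in ch["tcp"]:
            if port != "default" and not (port.isdigit() and 2000 <= int(port) <= 65535):
                out.append((name, f"tcp-connection {idx}: local-port {port} outside 2000-65535"))
            if remote is None:
                out.append((name, f"tcp-connection {idx}: no remote-ip given"))
            elif remote == "any" or ipaddress.ip_network(remote, strict=False).prefixlen == 0:
                out.append((name, f"tcp-connection {idx}: accepts any remote host"))
    return out


if __name__ == "__main__":
    print(*lint_t104(SAMPLE), sep="\n")
```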
Feature History
Feature Name Release Feature Information
Protocol translation
Cisco IOS Release 15.3(2)T
Initial support of the feature on the CGR 2010 Series Routers.