Setting Up Cisco Router and Tofino Firewall for MODBUS TCP/IP Communication: Allen Bradley PLC to Honeywell EPKS DCS

In industrial automation, secure and reliable network communication between Programmable Logic Controllers (PLCs) and Distributed Control Systems (DCS) is critical. This guide details the steps for configuring a Cisco router and a Tofino firewall to permit MODBUS TCP/IP communication between an Allen Bradley PLC (subnet 198.162.0.0) and a Honeywell EPKS DCS (subnet 10.0.1.0), both with a subnet mask of 255.255.255.0. For the detailed setup and configuration, please see my post "Successfully Reading Process Data via Modbus TCP/IP from Allen-Bradley CompactLogix to Honeywell DCS with Different IP/Subnet".
Prerequisites
Before beginning the setup, ensure the following are available:
- Cisco router with suitable interface cards (e.g., Cisco ISR 4000 series)
- Tofino Industrial Firewall (e.g., Tofino Xenon)
- Ethernet cables and connectors
- Console cable for Cisco Router
- Access credentials for all equipment
- IP address details clearly documented
Step-by-Step Configuration Guide
Step 1: Cisco Router Initial Setup

Step 2: Cisco Router Security Measures

Step 3: Configure MODBUS TCP/IP Specific Rules
MODBUS TCP/IP uses TCP port 502 by default. Ensure the router's ACLs (Access Control Lists) permit this traffic and nothing else:
```
! Extended ACL: allow only MODBUS TCP (port 502) from the PLC subnet to the DCS host
ip access-list extended MODBUS_TRAFFIC
 permit tcp 198.162.0.0 0.0.0.255 host 10.0.1.10 eq 502
 exit
! Apply the ACL inbound on the interface (assumed here to be the one facing the PLC network);
! everything not explicitly permitted is dropped by the ACL's implicit deny
interface GigabitEthernet0/0
 ip access-group MODBUS_TRAFFIC in
```
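Before committing an ACL to a production router it helps to check exactly which packets it will match. The script below is an added example (it is not from this post's author and not Cisco code) that models how IOS evaluates an extended ACL: top-to-bottom, first match wins, wildcard masks where a 1 bit means "ignore this bit", and an implicit deny at the end. The sample packets are constructed. Note that the entry as written permits TCP connections initiated from the PLC subnet toward the DCS host; confirm in your design which device opens the connection to port 502 (the Modbus client), because that direction is what an inbound ACL must permit.

```python
import ipaddress

# The MODBUS_TRAFFIC ACL from the page, expressed as data. Cisco extended ACLs
# use wildcard masks: a 1 bit means "ignore this bit", a 0 bit means "must match".
# "host 10.0.1.10" is shorthand for "10.0.1.10 0.0.0.0" (every bit must match).
# Fields: action, protocol, source, source wildcard, destination, destination wildcard, destination port
ACL_MODBUS_TRAFFIC = [
    ("permit", "tcp", "198.162.0.0", "0.0.0.255", "10.0.1.10", "0.0.0.0", 502),
]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Return True if addr matches base under a Cisco wildcard mask."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # the 0 bits of the wildcard are the bits that must match
    return (a & care) == (b & care)


def evaluate_acl(acl, proto: str, src: str, dst: str, dport: int) -> str:
    """Walk the ACL top to bottom as IOS does; the first matching entry wins."""
    for action, p, src_base, src_wc, dst_base, dst_wc, port in acl:
        if p != "ip" and p != proto:            # an "ip" entry matches any protocol
            continue
        if not wildcard_match(src, src_base, src_wc):
            continue
        if not wildcard_match(dst, dst_base, dst_wc):
            continue
        if port is not None and port != dport:  # the "eq 502" clause
            continue
        return action
    return "deny"  # every Cisco ACL ends with an implicit deny


if __name__ == "__main__":
    # Constructed sample packets: only the first one should be permitted.
    samples = [
        ("tcp", "198.162.0.77", "10.0.1.10", 502),  # PLC subnet -> DCS host, Modbus
        ("tcp", "198.162.0.77", "10.0.1.11", 502),  # a different DCS host
        ("tcp", "198.162.1.77", "10.0.1.10", 502),  # outside the /24 (third octet differs)
        ("udp", "198.162.0.77", "10.0.1.10", 502),  # wrong protocol
        ("tcp", "198.162.0.77", "10.0.1.10", 80),   # wrong port
    ]
    for pkt in samples:
        print(pkt, "->", evaluate_acl(ACL_MODBUS_TRAFFIC, *pkt))
```

Running the script shows that a single typo in the wildcard mask or the host address silently turns a permit into a deny (or vice versa), which is why the Troubleshooting section below starts with reviewing the ACL entries.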
Step 4: Setting Up the Tofino Firewall
Tofino Firewall Initial Setup
- Connect via a web browser to the Tofino's default management IP address (e.g., 192.168.1.1).
- Log in to the Tofino firewall management interface.
Configure Firewall Zones
- Define two zones:
  - PLC Zone: 198.162.0.0 (mask 255.255.255.0)
  - DCS Zone: 10.0.1.0 (mask 255.255.255.0)
- Assign the relevant Tofino network ports (interfaces) to each zone.
Set Firewall Rules for MODBUS TCP/IP
Under the firewall rule configuration, set:
| Source Zone | Destination Zone | Protocol | Port | Action |
|---|---|---|---|---|
| PLC Zone | DCS Zone | TCP | 502 | Allow |
| Any | Any | Any | Any | Deny |
Intrusion Detection and Deep Packet Inspection (Optional but Recommended)
- Enable MODBUS DPI (Deep Packet Inspection) to inspect and validate MODBUS commands for enhanced security.
Step 5: Verify and Test Connectivity
- Perform a ping test from a host on the Allen Bradley PLC network (198.162.0.0) to the Honeywell DCS network (10.0.1.0):
```
ping 10.0.1.10
```
- Verify MODBUS communication using diagnostic software such as Modscan, or by capturing and decoding the port 502 traffic with Wireshark.
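The MODBUS DPI option in Step 4 and the Wireshark check in Step 5 both come down to the same thing: reading the Modbus TCP frame on the wire. The Python below is an added example written for this page (it is not from the post's author, Tofino, Honeywell or Rockwell) that parses the MBAP header, applies a read-only function-code policy of the kind a DPI rule enforces, and decodes a Read Holding Registers request and response so you can compare what Wireshark shows against what the DCS expects. All frames are constructed samples, not captures from real equipment; the read-only policy and unit id 1 are assumptions for the example.

```python
import struct

# Function codes a read-only DPI policy would allow: a DCS polling process data
# only needs reads. Write codes change PLC state and are blocked by this policy.
READ_FUNCTION_CODES = {1, 2, 3, 4}
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}


def parse_mbap(frame: bytes) -> dict:
    """Parse the 7-byte MBAP header and function code of a Modbus TCP frame.
    Raises ValueError for anything that is not well-formed Modbus TCP."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid}, expected 0 for Modbus")
    # The length field counts the unit id plus the PDU; it must match the bytes present.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match {len(frame) - 6} bytes present")
    return {"transaction_id": tid, "unit_id": uid,
            "function_code": frame[7], "pdu": frame[7:]}


def dpi_verdict(frame: bytes, allowed=READ_FUNCTION_CODES) -> tuple:
    """Return ('allow' | 'deny', reason) for a request frame under a read-only policy."""
    try:
        hdr = parse_mbap(frame)
    except ValueError as exc:
        return ("deny", f"malformed frame: {exc}")
    fc = hdr["function_code"]
    name = FUNCTION_NAMES.get(fc, f"function {fc}")
    if fc in allowed:
        return ("allow", name)
    return ("deny", f"{name} not in read-only policy")


def decode_read_holding_request(frame: bytes) -> tuple:
    """Return (starting address, quantity) from a Read Holding Registers request."""
    hdr = parse_mbap(frame)
    if hdr["function_code"] != 3 or len(hdr["pdu"]) != 5:
        raise ValueError("not a Read Holding Registers request")
    return struct.unpack(">HH", hdr["pdu"][1:5])


def decode_read_holding_response(frame: bytes) -> list:
    """Return the 16-bit register values carried in a Read Holding Registers response."""
    hdr = parse_mbap(frame)
    pdu = hdr["pdu"]
    if hdr["function_code"] != 3 or len(pdu) < 2:
        raise ValueError("not a Read Holding Registers response")
    byte_count = pdu[1]
    if byte_count % 2 or len(pdu) != 2 + byte_count:
        raise ValueError("byte count does not match payload")
    return list(struct.unpack(f">{byte_count // 2}H", pdu[2:]))


# Constructed sample frames (not captured from real equipment), unit id 1 assumed.
REQ_READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 000A")     # read 10 registers from address 0
RESP_READ_HOLDING = bytes.fromhex("0001 0000 0007 01 03 04 002A 0100")  # 2 registers: 42 and 256
REQ_WRITE_SINGLE = bytes.fromhex("0002 0000 0006 01 06 0010 00FF")      # write 0x00FF to register 16
REQ_BAD_LENGTH = bytes.fromhex("0003 0000 0010 01 03 0000 000A")        # length says 16, only 6 bytes follow

if __name__ == "__main__":
    for label, frame in [("read request", REQ_READ_HOLDING),
                         ("write request", REQ_WRITE_SINGLE),
                         ("bad length", REQ_BAD_LENGTH)]:
        print(label, "->", dpi_verdict(frame))
    print("request asks for (address, quantity):", decode_read_holding_request(REQ_READ_HOLDING))
    print("response carries registers:", decode_read_holding_response(RESP_READ_HOLDING))
```

The length check in parse_mbap is the part worth copying into any monitoring script: a frame whose MBAP length disagrees with what is on the wire is either a capture artifact or a malformed request, and either way it should show up in the logs rather than be silently accepted.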
Troubleshooting Tips
- Check Connectivity: Confirm cable connections, interface status, and router/firewall logs.
- ACL Verification: Review ACL rules, ensuring correct IP addresses and ports.
- Firewall Logs: Inspect Tofino logs to identify blocked packets.
Security Best Practices
- Regularly update firmware on routers and firewall devices.
- Regularly backup device configurations.
- Implement logging and alerting for unusual activity detection.
Conclusion
Configuring a Cisco router and Tofino firewall for MODBUS TCP/IP between Allen Bradley PLCs and Honeywell EPKS DCS is straightforward with proper planning and adherence to industrial cybersecurity standards. Proper setup ensures secure, reliable, and efficient communication crucial for operational excellence.
