These best practices/design considerations apply to Tofino Configurator 03.0.01
1. How many Tofino SAs for the application?
+ If not possible, not feasible or over budget: add switches in between (managed Hirschmann), minding the following topics:
2. Keep a maximum of 20 Tofino Xenons per project file (or per productive area).
3. Keep a maximum of 3-5 PLC CPUs (depending on data rate) behind every Tofino SA.
4. Keep <200 firewall rules for every Tofino SA. This avoids download or configuration session timeouts. If you have a huge rule set, bigger than 200 rules, you may need to verify whether the location of your Tofino SA is the best one to secure the process.
5. Same for any other network participant: Servers, HMIs, Remote I/O modules, VFDs, etc.
6. If traffic is NOT passing and the rules seem to be OK:
+ Check the direction of your rules.
7. If you have a flat Layer 2 network: use a Tofino Xenon SA.
8. If you have different network segments (Layer 3 required): use an EAGLE One or EAGLE 20/30 with DPI. HiSecOS version 3.0 on the EAGLE 20/30 platform now supports DPI for:
9. VLANs: ensure the TC and SAs are members of the same VLAN (same VLAN tag).
10. Configure several at the same time? You can do Multi-Config by connecting in parallel.
11. The TC programming PC/station (IP + MAC + connected interface + project file) gets married to the SAs once you make the first “apply” or download the first settings.
12. USB support for v2.0, FAT32.
13. Direction of Enforcer Rules should be set in the direction of the REQUEST packets. The REPLY is implied and will be validated by the Enforcer.
14. EtherNet/IP CIP Enforcer is only for Class 3 Explicit messaging. It also supports PLC.
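
The direction check from items 6 and 13, as an added example that is not part of the original list or of any Hirschmann/Tofino tooling: it reads `tcpdump -n` text output taken on the protected segment, finds who sends the bare TCP SYN for each flow, and compares that with the source/destination of each rule. It assumes the connection initiator is the side sending the REQUEST (true for Modbus/TCP on port 502 and EtherNet/IP explicit messaging on port 44818); the capture lines, addresses, rule names and the hand-transcribed rule layout are all constructed for illustration.

```python
import re

# Constructed sample capture in `tcpdump -n` text format (addresses are made up).
CAPTURE = """\
12:00:01.000101 IP 10.0.0.10.49152 > 10.0.0.21.502: Flags [S], seq 100, win 64240, length 0
12:00:01.000350 IP 10.0.0.21.502 > 10.0.0.10.49152: Flags [S.], seq 900, ack 101, win 65160, length 0
12:00:01.000420 IP 10.0.0.10.49152 > 10.0.0.21.502: Flags [.], ack 901, win 502, length 0
12:00:02.500000 IP 10.0.0.11.50211 > 10.0.0.22.44818: Flags [S], seq 300, win 64240, length 0
12:00:03.500000 IP 10.0.0.11.50211 > 10.0.0.22.44818: Flags [S], seq 300, win 64240, length 0
"""

# Hypothetical layout: rules copied by hand from the configurator as
# (rule name, source IP, destination IP, destination TCP port).
RULES = [
    ("HMI -> PLC1 Modbus/TCP", "10.0.0.10", "10.0.0.21", 502),
    ("PLC2 -> EWS EtherNet/IP", "10.0.0.22", "10.0.0.11", 44818),
    ("Historian -> PLC3 Modbus/TCP", "10.0.0.12", "10.0.0.23", 502),
]

# "[S]" is a SYN without ACK (the request side); "[S.]" is the SYN-ACK reply
# and deliberately does not match.
SYN_ONLY = re.compile(
    r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): Flags \[S\]"
)

def request_initiators(capture_text):
    """Return {(client_ip, server_ip, server_port)} for every bare SYN seen."""
    flows = set()
    for line in capture_text.splitlines():
        match = SYN_ONLY.search(line)
        if match:
            client, _src_port, server, dst_port = match.groups()
            flows.add((client, server, int(dst_port)))
    return flows

def check_rule_direction(rules, capture_text):
    """Classify each rule as ok, reversed, or not exercised by the capture."""
    seen = request_initiators(capture_text)
    verdicts = {}
    for name, src, dst, port in rules:
        if (src, dst, port) in seen:
            verdicts[name] = "ok"
        elif (dst, src, port) in seen:
            verdicts[name] = "reversed"  # the request comes from the rule's destination
        else:
            verdicts[name] = "no request observed"
    return verdicts

if __name__ == "__main__":
    for name, verdict in check_rule_direction(RULES, CAPTURE).items():
        print(f"{verdict:20} {name}")
```

In the constructed capture the second flow shows a repeated SYN with no SYN-ACK, which is what a request blocked by a reversed rule looks like on the wire.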