Skip to main content

EtherNet/IP and CIP: How Industrial Controllers Actually Communicate [2026 Guide]

· 12 min read

If you've spent time on a plant floor wiring up Allen-Bradley PLCs, you've used EtherNet/IP — whether you realized you were speaking CIP or not. But most engineers treat the protocol like a black box: plug in the cable, configure the scanner, pray the I/O updates arrive on time.

This guide breaks open how EtherNet/IP actually works at the protocol level — the CIP object model, the difference between implicit and explicit messaging, how tag-based addressing resolves data paths, and the real-world timing constraints that catch teams off guard during commissioning.

The CIP Foundation: Objects All the Way Down

EtherNet/IP is just one transport layer for the Common Industrial Protocol (CIP). The same CIP stack runs over DeviceNet (CAN bus) and ControlNet (token-passing). What makes EtherNet/IP special is that it rides standard TCP/IP and UDP/IP — meaning your plant network equipment, your switches, and your diagnostic tools all speak the same language.

At its core, CIP models every device as a collection of objects. Each object has:

  • A Class ID (what kind of object — Identity, Connection Manager, Assembly, etc.)
  • An Instance ID (which specific one — circuit 1, circuit 2, etc.)
  • Attributes (the data fields — serial number, firmware version, current value)
  • Services (what you can do — Get_Attribute, Set_Attribute, Reset, etc.)

For example, every CIP device has an Identity Object (Class 0x01, Instance 1) with attributes like vendor ID, device type, product code, serial number, and firmware revision. This is how a scanner discovers what's sitting at a given IP address — it issues an explicit message to read the Identity Object and determines the device type, serial number, and capabilities before any I/O exchange begins.

Why Objects Matter for Real Deployments

Understanding the object model isn't academic — it directly impacts your commissioning workflow:

  • Assembly Objects (Class 0x04) define the I/O data layout. When you configure a scanner connection, you're pointing it at specific Assembly Instance IDs that map to the device's input and output data structures.
  • Connection Manager (Class 0x06) handles the setup and teardown of I/O connections. Every implicit messaging session starts with an explicit Forward_Open request through the Connection Manager.
  • Message Router (Class 0x02) routes incoming explicit messages to the appropriate object. If you're doing tag-based reads, the path goes through the Message Router to the tag name resolution logic.

This layered architecture means you can query any CIP-compliant device for its capabilities, register layout, and diagnostic state — all through the same standard service model.

Implicit vs. Explicit Messaging: Know the Difference

This is where most misunderstandings begin. EtherNet/IP uses two fundamentally different messaging modes, and confusing them is a recipe for dropped I/O or sluggish data acquisition.

Explicit Messaging (TCP, Request/Response)

Explicit messages are connected or unconnected request/response transactions carried over TCP (port 44818). Think of them as the "command channel." You use explicit messaging to:

  • Read or write individual tags by name
  • Query device identity and diagnostics
  • Configure parameters (setpoints, alarm thresholds)
  • Set up implicit messaging connections (Forward_Open)

The data format is fully described in the message itself — the request specifies the exact service, class, instance, and attribute. The response contains status codes and the requested data.

Timing characteristics: Explicit messages are reliable (TCP guarantees delivery) but not deterministic. Round-trip times typically range from 2–20ms on a clean network but can spike under load. You should never use explicit messaging for time-critical I/O data.

Explicit Message Path Example:
  Service: Get_Attribute_Single (0x0E)
  Class:   0x01 (Identity)
  Instance: 0x01
  Attribute: 0x07 (Product Name)
  
  Response: "Micro850" (string), Status: 0x00 (Success)

Implicit Messaging (UDP, Cyclic I/O)

Implicit messages are the real-time I/O data stream. After a Forward_Open establishes the connection, the adapter sends its input data at a configured Requested Packet Interval (RPI) — typically 10ms to 1000ms — using UDP multicast or unicast.

The key property: the data format is not described in every message. Both ends agreed on the Assembly Object layout during connection setup. Each UDP packet contains just the raw data bytes plus a 32-bit sequence counter. This keeps packets small and parsing instant.

Timing characteristics: Because it's UDP, there's no retransmission. If a packet drops, the scanner either uses the last known values (if within the connection timeout) or faults the connection. The connection timeout multiplier (typically 4x the RPI) determines how long the scanner waits before declaring the connection lost.

AspectExplicitImplicit
TransportTCP (port 44818)UDP (port 2222)
Use caseConfiguration, diagnosticsCyclic I/O data
Data descriptionSelf-describingPre-negotiated layout
TimingNon-deterministicDeterministic (RPI-based)
Failure modeRetry/timeoutConnection fault after multiplier

The Real-World Gotcha: Forward_Open Failures

The most common commissioning headache is a failed Forward_Open. The scanner sends a Forward_Open to the Connection Manager (Class 0x06) to establish an implicit connection, specifying:

  • O→T and T→O Connection Points (Assembly Instance IDs)
  • RPI (how often data should be sent)
  • Transport type (unicast vs. multicast, point-to-point vs. multipoint)
  • Connection size (expected payload bytes)

If any of these don't match what the adapter supports — wrong Assembly ID, unsupported RPI, size mismatch — the Forward_Open fails with an extended status code. The most common culprits:

  1. Assembly Instance mismatch — The device datasheet says Instance 100 for input data but your configuration tool defaulted to Instance 1.
  2. Connection size disagreement — You configured 32 bytes but the Assembly only produces 28.
  3. RPI too fast — You asked for 2ms but the device firmware only supports 10ms minimum.
  4. Connection limit exceeded — Many small adapters support only 1–4 simultaneous implicit connections.

Tag-Based Addressing: Reading Data by Name

One of EtherNet/IP's most powerful features — particularly with Allen-Bradley Micro800 and Logix-family controllers — is tag-based addressing. Instead of referencing raw memory addresses (like Modbus register 40001), you reference data by a human-readable name.

When a client reads a tag, the request includes:

  • The protocol identifier (e.g., ab-eip for Allen-Bradley EtherNet/IP)
  • The gateway IP address of the PLC
  • The CPU type (Micro800, ControlLogix, CompactLogix, etc.)
  • The tag name (e.g., Tank_Temperature, Blender_Status)
  • The element count and element size for array access

For example, to read a 16-bit integer tag from a Micro800 controller, you'd construct a path like:

protocol=ab-eip
gateway=192.168.1.100
cpu=micro800
elem_count=1
elem_size=2
name=Tank_Temperature

The CIP stack resolves this tag name to an internal memory location, reads the requested number of elements, and returns the raw bytes.

Array Access and Element Indexing

Tags can represent arrays. To read elements starting at a specific index, you append the index in brackets:

name=Process_Temperatures[5]
elem_count=10
elem_size=4

This reads 10 32-bit float values starting at index 5 of the Process_Temperatures array. The element size determines how bytes map to values:

Element SizeByte WidthTypical Types
1 byte8-bitBOOL, SINT, USINT
2 bytes16-bitINT, UINT
4 bytes32-bitDINT, REAL (float), UDINT

Getting the element size wrong is a silent killer — you'll read data but interpret it as the wrong type. A 32-bit float read as two 16-bit integers gives you garbage values that look plausible enough to confuse operators for hours.

Data Type Handling: The 2ms You Didn't Budget For

Reading tag values seems simple until you deal with the full spectrum of industrial data types. A production edge gateway typically handles:

  • BOOL — Single-bit values, often packed into status words
  • INT8/UINT8 — Byte-level data (sensor states, mode selectors)
  • INT16/UINT16 — The workhorse for analog values (temperature × 10, pressure × 100)
  • INT32/UINT32 — Counters, timers, accumulated values
  • FLOAT32 — IEEE 754 floating-point for engineering units

Each type has different byte-offset arithmetic when reading arrays. A common mistake: treating a 32-bit tag array with 2-byte offsets. Index 0 starts at byte 0, but index 1 starts at byte 4 (not byte 2). Getting this wrong means every value after the first is shifted — and the data looks "almost right" but never quite matches the HMI.

Bit Extraction from Status Words

Industrial controllers frequently pack multiple boolean status flags into a single 16-bit or 32-bit register. For example, a chiller compressor might report its status as a UINT16 word where:

  • Bit 0: Compressor Running
  • Bit 1: High Pressure Alarm
  • Bit 2: Low Pressure Alarm
  • Bit 3: Flow Fault
  • Bits 4–7: Operating Mode (4 bits)
  • Bits 8–15: Reserved

To extract individual bits, you apply a shift-and-mask operation:

value = (raw_register >> bit_position) & mask

For a single bit: mask = 1. For a 4-bit field: mask = 0x0F. This is standard practice, but the tricky part is knowing which bits map to which states — and that information lives in the PLC program, not in any CIP object. Without the PLC programmer's documentation, you're reverse-engineering status words by toggling things on the machine and watching bits change.

Connection Architecture: Scanner vs. Adapter

EtherNet/IP uses a scanner/adapter model (not client/server, though the mapping is close):

  • Scanner — The device that initiates connections and consumes I/O data. Typically the PLC or edge gateway.
  • Adapter — The device that responds to connections and produces I/O data. Typically I/O modules, drives, sensors.

A scanner can maintain connections to dozens of adapters simultaneously. Each connection has independent RPIs, timeout multipliers, and Assembly mappings. This means your edge data collection system needs to manage multiple concurrent connection states, handle partial failures (one adapter goes offline while others stay healthy), and track link state changes per device.

Monitoring connection health is critical for IIoT data quality. An edge gateway should track:

  1. Connection establishment — Did the Forward_Open succeed? Log the response.
  2. Continuous heartbeat — Is data arriving within the expected RPI window?
  3. Connection loss — When the timeout multiplier expires, mark the device offline and report the link state change immediately (don't wait for the next batch).
  4. Reconnection — After a connection drops, retry with backoff. Most production systems retry every 5–15 seconds with a maximum of 3 consecutive attempts before entering a longer backoff period.

Link state transitions should be treated as high-priority events — delivered immediately rather than batched with regular telemetry data. An operator needs to know within seconds that a critical device went offline, not find out when the next 60-second batch arrives.

Performance Considerations

Polling Interval Selection

The right polling interval depends on what you're monitoring:

Data TypeRecommended IntervalRationale
Alarm/status words1 secondSafety-critical, must detect quickly
Analog process values10–60 secondsThermal/mechanical processes change slowly
Counters/accumulators30–60 secondsRolling totals, no urgency
Firmware/config versions60+ secondsRarely changes, compare-on-change sufficient

Network Bandwidth Math

A single EtherNet/IP implicit connection with a 10ms RPI and 32 bytes of I/O data generates:

32 bytes × 100 packets/sec = 3,200 bytes/sec = ~25.6 Kbps

Scale that to 50 devices and you're at 1.28 Mbps — well within Gigabit Ethernet capacity. But factor in explicit messaging overhead, ARP traffic, IGMP for multicast, and competing IT traffic on a converged network, and you need headroom. Plan for 30% utilization maximum on your industrial VLAN.

Compare-on-Change: Reducing Upstream Data Volume

Not every data point needs to be transmitted on every poll cycle. If a tank temperature hasn't changed since the last read, there's no value in re-transmitting it. A compare-on-change strategy stores the last known value for each tag and only delivers upstream when:

  1. The value has changed from the previous read
  2. The tag hasn't been read at all yet (first read always delivers)
  3. A forced/manual read was triggered
  4. The read status changed (e.g., went from success to error)

This can reduce upstream data volume by 60–80% for slowly-changing analog values while ensuring fast-moving status bits (alarms, mode changes) still propagate instantly.

The tricky part: implementing this correctly for every data type. Comparing two FLOAT32 values requires awareness of IEEE 754 representation — bitwise comparison works for equality, but you might want a deadband threshold for analog values to avoid transmitting noise.

Where machineCDN Fits

machineCDN's edge infrastructure handles the complexity described above — multi-protocol PLC communication including EtherNet/IP tag-based reads, intelligent batching, change detection, and reliable delivery over MQTT to cloud analytics. If you're building an IIoT data pipeline and want to skip the months of protocol integration work, it's worth evaluating.

Key Takeaways

  1. CIP is the real protocol — EtherNet/IP is just the transport. Understanding the object model unlocks diagnostics, configuration, and troubleshooting across all CIP-based networks.
  2. Implicit messaging is for I/O, explicit is for everything else — Never poll real-time I/O data via explicit messages. Set up proper implicit connections with appropriate RPIs.
  3. Tag-based addressing is powerful but type-sensitive — Element size must match the tag's data type exactly, or you'll read garbage that looks plausible.
  4. Connection management is the hardest part — Forward_Open failures, timeout tuning, link state tracking, and reconnection logic consume more engineering time than the data processing itself.
  5. Compare-on-change saves bandwidth — But implement it per data type with proper first-read and error-state handling.

EtherNet/IP is a mature, well-documented protocol — but the gap between "it works in the lab" and "it runs reliably in production with 200 devices" is where most teams struggle. Build your connection management right from the start, and the rest follows.