LUTRON Athena Lighting Control System User Guide

June 7, 2024
Lutron

Athena
Commercial Lighting Control System
IT Implementation Guide
Revision C
16 June 2021

Lutron Security Statement

Lutron takes Cybersecurity very seriously. We vigorously monitor the threat landscape and take a proactive approach to security and privacy, continuously working to update and enhance our systems and processes.
At Lutron, we call our approach to cyber security “Secure Lifecycle,” and we would like to present the following steps we take to protect your security and privacy:

  • Security by Design. When building a new system, Lutron utilizes a dedicated security team to ensure best practices are implemented. Security is built in. It is not an afterthought or add-on.
  • Third-Party Validation. Security is complicated. Lutron has a dedicated team of internal experts, but we also leverage external experts to double- and triple-check our work, and to make security recommendations.
  • Continuous Monitoring and Improvements. Security is a constantly moving target. Lutron uses a dedicated security team to continuously monitor the market for potential threats and, when needed, send out security patches to update installed systems.
  • Ongoing Support. Lutron has the resources you need to answer questions about security when they arise.

We incorporate a variety of security features into our product designs. These features include recommendations from the National Institute of Standards and Technology (NIST) among others, and they are aimed at meeting our Secure Lifecycle protections. While we do not publish a comprehensive list of our security features, the following list is a small example of some of the techniques employed in our system design for Lutron Athena processors and associated services (such as mobile applications and cloud resources):

  1. Secure and authenticated remote access with unique keys for every system’s processor
  2. A secure hardware element (“chip”) on every processor to guard the keys used for secure communication and authentication
  3. We are enforcing industry-standard encrypted communication and techniques for our integration protocols
  4. Secure commissioning – all communication between the system programming software tool/app and the processors is encrypted and authenticated. Programming a system requires permission to access that system
  5. Security updates pushed out automatically to the processors for urgent security patches
  6. Use of industry-standard techniques for integrations, such as OAuth 2.0
  7. Signed processor firmware to ensure a firmware update is authentically from Lutron

If you have additional questions, feel free to reach out via our 24/7 Technical Support line at 1.844.LUTRON1 or email support@lutron.com.

Glossary and Abbreviations

Athena Edge Processor – This is the basic Athena controller supporting an embedded Linux operating system and will be the main Athena component connected to any network. Each Athena processor has two RJ45 female connectors – one for the Athena LAN/VLAN connection and the other for serviceability. The two ports in the processor are connected via an unmanaged switch.
Athena Hub – Metal enclosure containing the Athena Edge processors. Wall-mounted vertically, predominantly located in electrical closets. The QP5 enclosure houses up to two Athena processors and may also house a Lutron-provided 8-port unmanaged layer 2 network switch with PoE (Power over Ethernet) for connectivity. PoE is provided to power devices such as Clear Connect Gateways – Type X and Athena touchscreens.
Athena Touchscreen – This is a wall-mounted digital control that manages Athena-connected lights and shades through the wired Athena Edge processor. This device is required to be on the same network as the Athena Edge processor, but may be on a different subnet if desired. It is Ethernet connected and utilizes Power over Ethernet for power and communication. These touchscreens are powered by PoE switches included in the Athena hub or may be powered by customer-provided Ethernet PoE switches.
Clear Connect Gateway – Type X (Q-RF) – This is an optional controller that supports communication between the Athena system and 2.4 GHz Clear Connect – Type X devices such as Ketra wireless fixtures and lamps. This controller is required to be on the same network as the Edge processor. This controller is Ethernet connected and utilizes PoE for power. These gateways are powered by PoE switches included in the Athena hub or may be powered by customer-provided Ethernet switches.
Field Service Engineer (FSE) – A Lutron Services Company representative who is tasked with programming and commissioning a system.

Networking Overview

System Startup and Commissioning

For new system startup, electricians will typically interconnect the various Athena hubs and gateways to create a standalone network that is used by Field Service Engineers (FSE) to start up and commission an Athena system without the need for a building network. These interconnections utilize unmanaged PoE Ethernet switches, such as those contained in QP5 hubs. In typical applications Lutron processors and hubs are placed on their own LAN/VLAN. FSEs can work with IT to configure DHCP-provided custom IP addresses on each processor. Information on IP address requirements can be obtained from the FSE. In certain instances, some system features require the processors to have Internet access.
For customers who do not wish to have unmanaged Ethernet switches on their network, customer-provided managed Ethernet switches may be used. Each processor and gateway shall have a single connection from the processor to the Ethernet switch. For Q-RF gateways and Athena touchscreens in a system, an Ethernet switch supporting IEEE 802.3af or 802.3at is required to power them.

In a QP5 hub there may be two processors enclosed. While the Athena Edge Processor has two Ethernet ports, the second port may not be used for daisy chaining to other processors. Edge processors with a single Ethernet port may also be present depending on the specification of your system. The Ethernet port should be used to connect the processor to the network, and every processor must have a dedicated Ethernet cable home run back to the switch.
When the customer-provided network becomes available for use with the lighting system, a transition from the network used for commissioning to the customer network can be scheduled and carried out; see “Commissioning Internet Connection” below for details. Because of this anticipated network transition, IP addresses set via DHCP are recommended. Refer to the firewall and routing table in this document for information on ports required for communication between the Athena processors and Cloud connectivity.

Network Architecture Overview

The typical Athena system network architecture contains Athena Edge processors, optional Clear Connect Gateways – Type X (Q-RF), Athena touchscreens, and client devices (e.g., PC, laptop, tablet, mobile device, etc.).
The Athena network architecture does NOT include the lighting actuators, sensors, and load controllers. This includes keypads, wired and wireless daylight sensors, wired and wireless occupancy sensors, load controllers, dimmers, switches, lighting panels, fluorescent lamp ballasts, or LED drivers. These devices communicate on a Lutron proprietary wired or wireless communication network.

RF Considerations

While Lutron’s Radio Powr Savr RF occupancy sensors, daylight sensors and Pico controls operate on a frequency outside of Wi-Fi, Clear Connect Gateway – Type X and Ketra fixtures and lamps operate in the 2.4 GHz band. 2.4 GHz Wi-Fi networks deployed on standard channels (1-6-11), or that operate in the 5 GHz band, will not interfere with communication between Clear Connect gateways – Type X and other Clear Connect – Type X devices. There are five Clear Connect – Type X channels that are preferred for Athena system deployment because they avoid or minimize interference from standard Wi-Fi channels; these will be used by default unless other requirements are communicated to the FSE.

  • Channel 25 (2475 MHz)
  • Channel 11 (2405 MHz)
  • Channel 24 (2470 MHz)
  • Channel 20 (2450 MHz)
  • Channel 26 (2480 MHz)

Clear Connect gateways – Type X should be kept at least 5 ft (1.5 m) away from 2.4 GHz Wi-Fi access points, routers, hotspots, or other devices communicating via 2.4 GHz Wi-Fi. Other Clear Connect – Type X devices should be kept at least 3 ft (1.0 m) away from 2.4 GHz Wi-Fi access points, routers, hotspots, or other devices communicating via 2.4 GHz Wi-Fi. myLutron users can access Lutron App Note #745 (P/N 048745) at www.lutron.com for further details.

Physical Medium

IEEE 802.3 Ethernet – Is the physical medium standard for the network between Athena processors.
CAT5e – The minimum network wire specification of the Athena LAN/VLAN.

IP Addressing

IPv4/IPv6 – The Athena system supports communications and IP addressing over IPv4/IPv6. Either static IP or DHCP can be used. DHCP is the enabled default setting. Link Local IP addresses are not permitted to be used as static IP addresses. If a DHCP server is not present on the network, the processors will self-assign link-local IP addresses.

Class D addressing

Multicast communication is required and provides communication in order to share events between Athena processors. This communication is based on UDP multicast groups.

  • Each group of Athena processors that need to share events will need a unique and common class D address. The class D multicast address can be field set by the FSE and specified by the customer.
  • Any source multicast is used because any Athena processor may be enacting the event.
  • Multicast communication in the Athena system is primarily event based (e.g., system trigger or change in state for monitoring). Polling is not a basis of communications in an Athena system.

Note: Multicast communication is always required for communication among the processors within an Athena system.
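
The addressing rules above (no link-local static IPs, link-local self-assignment when no DHCP server is present, one unique and common class D address per event-sharing group) can be checked against a commissioning plan before cutover. This is an added example, not code from Lutron's guide; the processor names, group labels and addresses are constructed.

```python
import ipaddress
from collections import defaultdict


def check_plan(processors):
    """Check (name, ip, mode, event_group, multicast) rows against the addressing rules.

    mode is "static" or "dhcp"; event_group is a site label (an assumption of this
    example) for processors that need to share events.
    """
    findings = []
    by_group = defaultdict(set)
    for name, ip, mode, group, mcast in processors:
        if ipaddress.ip_address(ip).is_link_local:
            if mode == "static":
                findings.append((name, "link-local address configured as static IP"))
            else:
                # A self-assigned address means the processor found no DHCP server.
                findings.append((name, "no DHCP lease, fell back to link-local"))
        maddr = ipaddress.ip_address(mcast)
        if not (maddr.version == 4 and maddr.is_multicast):
            findings.append((name, "event address is not class D"))
        by_group[group].add(mcast)

    # "Common": one address inside a group. "Unique": no address reused across groups.
    owners = defaultdict(set)
    for group, addrs in by_group.items():
        if len(addrs) > 1:
            findings.append((group, "processors in one group use different addresses"))
        for addr in addrs:
            owners[addr].add(group)
    for addr, groups in owners.items():
        if len(groups) > 1:
            findings.append((addr, "multicast address shared by several groups"))
    return findings


# Constructed commissioning plan (all names and addresses are illustrative).
PLAN = [
    ("P1", "10.20.30.11", "dhcp", "floor1", "239.0.38.1"),
    ("P2", "10.20.30.12", "dhcp", "floor1", "239.0.38.1"),
    ("P3", "169.254.17.4", "dhcp", "floor2", "239.0.38.2"),
    ("P4", "169.254.1.9", "static", "floor2", "239.0.38.3"),
    ("P5", "fe80::1c2d", "static", "floor3", "239.0.38.1"),
    ("P6", "10.20.30.16", "static", "floor4", "192.0.2.9"),
]

if __name__ == "__main__":
    for subject, problem in check_plan(PLAN):
        print(f"{subject}: {problem}")
```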

Latency Requirements for Managed Networks

Note that for managed networks, the maximum latency between any two Athena processors should be less than 10 ms.

Communication Speed and Bandwidth

100 BaseT full duplex – Is the maximum link speed supported by the Athena processor communications.
1.88 Mbps – Worst case bandwidth in a fully loaded system. Most systems include only 1 to 4 processors.

Other Protocols Supported

IGMP – Athena supports IGMP versions 1, 2, and 3 for multicast communication between the Athena processors. Any possible flooding of multicast traffic can be constrained to a set of interested ports by using IGMP snooping.
mDNS – Multicast DNS is used by the Athena design software or Athena touchscreen and the Lutron mobile app to discover the processor and gateway devices. The processors and gateways will respond to any mDNS discovery requests sent by any compatible device. These responses are used to discover the IP address, version and other information required to allow the design software and mobile app to operate with the lighting system. For proper system operation, mDNS must be routed through the entire subnet, both wired and wireless networks.
SSH/SCP – Secure Shell is used by both the Athena design software and Lutron mobile app. The Athena design software utilizes this protocol for database transfer and diagnostic log download from the processors and gateways. The mobile app utilizes this protocol for diagnostic log download only. Connections using this protocol can only be made by an authorized/paired device using the mobile app, or computer with the design software and current system configuration database.
TLS – Transport Layer Security is used specifically for external integration with the Athena system. This is used by the Lutron mobile app to allow control of lights. In addition, this is used by AV integration systems to make a connection to the processor/gateway device to allow control. Access to this is either certificate-based with approved vendors, or with custom username/passphrase logins. Custom logins may be configured by the FSE during system commissioning. Lutron’s Athena system supports TLS 1.2.
Telnet – A Lutron QSE-CI-NWK-E can be added to the system for Telnet AV integration. This device provides an RS232 or Telnet connection for system integration. For Telnet integration, the QSE-CI-NWK-E is not required to be connected to the same Network/VLAN as the Athena processors. For limitations, see the QSE-CI-NWK-E specification submittal (P/N 369373) at www.lutron.com.

System Internet Connectivity

The Lutron Athena system is enhanced when coupled with Internet connectivity. This connectivity provides the following enhancements:

  1. Lutron App connectivity to the system for control and monitoring
  2. Automatic firmware updates of the Athena processors
  3. Remote factory service options provided by Lutron

A permanent network connection provided by the customer is recommended for Athena systems to provide the processor with Internet connectivity.
If there is no Internet connection provided to the Athena system, the following is true:

  1. Local physical controls of the system will continue to operate as expected, and existing timeclock events will continue as scheduled
  2. The Athena processor will not receive firmware updates
  3. There will be no control or reprogramming of the system via the Lutron App

Commissioning Internet Connection

During the startup of an Athena system, an LTE modem may be provided by Lutron to facilitate ease of commissioning by Lutron Field Service Engineers (FSE). This device may be installed by the electrical contractor as part of the system. The modem will not be used to connect any non-Lutron components to the Internet. This LTE modem will be removed or deactivated by the Lutron FSE within 30 days of the end of jobsite startup.
If the customer network is already up and running when a Lutron FSE is scheduled for startup, the temporary LTE modem will not be used.

Internet/Cloud Services and Mobile App Connectivity

  • DNS Resolution
    – The processor will use the IT-specified DNS server to resolve IP addresses to access Internet connected services. The DNS server’s IP address can be set either manually by the Lutron FSE or via DHCP.

  • Internet connectivity test
    – The processor will ping public DNS servers to verify Internet connectivity:
      o 8.8.4.4, 8.8.8.8, 208.67.220.220, 208.67.222.222, 209.244.0.3, 209.244.0.4
    – The processor will also attempt to make an HTTP connection to www.google.com.

  • Time Sync
    – The processor will reach out to the below list of Internet time servers. NTP is used to allow accurate execution of automatic timeclock and other scheduled events. In the event that a time server is not available, the clock on the processor is set during system programming and is retained during power outages. When Internet connectivity is available, the processors will reach out to time.iot.lutron.io, which may resolve to one or more of the following NTP servers:
      o 0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org, 3.pool.ntp.org, 0.north-america.pool.ntp.org

  • Automatic Firmware Updates
    – The processor will attempt automatic firmware upgrades by establishing an HTTPS connection to firmwareupdates.lutron.com, which may resolve to one or more s3.amazonaws.com addresses.
    – This feature is enabled by default.

  • Cloud App Connectivity
    – The optional Lutron mobile app is an app that is available on iOS and Android mobile device platforms. This app is typically used by facility managers to allow control of lighting loads including Ketra color selection and window shade position. The app will also allow creation and editing of timeclock events, as well as scene editing. In the mobile app, Floors and Rooms are presented to users in a tree format, allowing access to control all of the lighting and shade zones in each area. Use of the mobile app also requires that a myLutron cloud-based account be created which is then paired to the lighting processors. If more than one user is to utilize the mobile app, the single myLutron cloud account which was created will need to be logged into the app on each device. Note: If the password on the shared cloud account is changed, devices which were already logged in with an old password will retain access to the system.
    – Initial setup of the app requires the mobile device to be on the same subnet as the Athena processors so that discovery and secure authentication can be performed. Following initial setup of the mobile app, the mobile device will no longer be required to be on the same network as the Athena processors as long as the processors have an Internet connection.
    – If the mobile app is on the same subnet as the processors, direct communication is used. If the subnet is different, mobile app to processor communication routes through Lutron’s cloud services.
    – Device-login.lutron.com and iot.amazonaws.com are used for cloud connectivity.
    – All cloud connectivity functions utilize outbound connections only. Both the processor hardware and the mobile app originate connections to the cloud servers to exchange messages. No inbound connections are made from the cloud server to the processor.

Firewall/Routing Requirements

Required for System Startup and Programming
These ports are used for system startup and database transfer to processors and gateways. After the system has been started up, these ports may be closed if desired. If changes to the system need to be made, these ports will need to be re-opened to allow upload of programming changes to the system.

Source | Destination | Port | Protocol | Description
Athena Commissioning Device¹ | 224.0.0.251 | 5353 | UDP IPv4 Multicast | mDNS is utilized for processor discovery and initial configuration
All Athena Edge Wired Processors and Clear Connect – Type X Wireless Gateways | 224.0.0.251 | 5353 | UDP IPv4 Multicast | This is the mDNS discovery response sent from the processor/gateway back to the Athena configuration software
Athena Commissioning Device¹ | All Athena Edge Processors and Type X Gateways | 8083, 8081 | TCP IPv4/IPv6 | These ports are used to configure processors
Athena Commissioning Device¹ | All Athena Edge Processors and Type X Gateways | 22 | TCP IPv4 | Used for database transfer, support file generation and diagnostics
Athena Commissioning Device¹ | Sqltofb.lutron.com, Firmwareupdates.lutron.com | 443 | TCP IPv4/IPv6 | Allows Lutron software to obtain the latest processor firmware
Athena Commissioning Device¹ | All Athena Edge Processors and Clear Connect – Type X Wireless Gateways | 51023 | TCP IPv4/IPv6 | Unicast communication between design software and processors
Athena Commissioning Device¹ | Athena Touchscreens | 8080 | TCP IPv4 | Touchscreen diagnostics

Required for System Runtime
These ports are required for system runtime, and must remain open for system functionality.

Source | Destination | Port | Protocol | Description
All Athena Edge Processors and Clear Connect – Type X Wireless Gateways | Multicast Address of the Athena system (239.0.38.1 – 239.0.38.m)² | 2056-3055 | UDP IPv4 Multicast | Used to share events and status of lights between Athena processors and gateways
All Athena Edge Processors and Clear Connect – Type X Wireless Gateways | All Athena Edge Processors and Clear Connect – Type X Wireless Gateways | 443 | TCP IPv4/IPv6 | Used to share events and status of lights between Athena processors and gateways
Athena Touchscreen | 224.0.0.251 | 5353 | UDP IPv4 Multicast | mDNS is utilized for Athena Edge processor discovery by the Athena touchscreen
Athena Touchscreen | All Athena Edge Processors | 8083, 8081 | TCP IPv4 | These ports are used to communicate between the Athena Edge processors and Athena touchscreens

  1. The Athena Commissioning Device is the IP address of the computer used to commission the Athena system. This is typically a laptop operated by the Lutron FSE during system startup.
  2. Multicast addresses used by the system will be configured by the FSE during system startup.

Optional Features and Functions
These are optional feature ports used for integration and are outbound from the Lutron processor only.

Source | Destination | Port | Protocol | Description
AV Integration System IP | IP Address of QSE-CI-NWK | 23 | TCP IPv4 | For integration systems which utilize Telnet, an NWK is the only means for Telnet integration to Athena
AV Integration System IP | IP Address of the Athena Edge Processor | 8081 | TCP IPv4/IPv6 | For third-party external integration with a processor via TLS

Mobile App, Internet and Cloud Connectivity Features
These ports are used for various cloud, app, and Internet connectivity functions. All are optional, but may result in limited or no use of the Lutron mobile app for system monitoring or adjustment if not permitted.

Source | Destination | Port | Protocol | Description
Mobile Device on Local Processor Network | 224.0.0.251 | 5353 | UDP IPv4 Multicast | mDNS is utilized for processor discovery during setup and system pairing
Mobile Device on Local Processor Network | All Athena Edge Processors and Type-X Gateways | | TCP IPv4/IPv6 | Lutron mobile app authentication and configuration and local connection on same network
Mobile Device on Local Processor Network | All Athena Edge Processors and Type-X Gateways | 22 | TCP IPv4 | SSH is used for support file generation and diagnostics
All Athena Edge Processors and Type X Gateways | *.iot.amazonaws.com | 8883 | TCP IPv4/IPv6 | Lutron Cloud connectivity for mobile app runtime on network other than processor network. The destination address can be dynamic based on region. For example, it could look like: a32jcyk7azp7b5-ats.iot.us-east-1.amazonaws.com
All Athena Edge Processors and Type X Gateways | firmwareupdates.lutron.com | 443 | TCP IPv4/IPv6 | Used for automatic firmware upgrades, may resolve to one or more s3.amazonaws.com addresses
All Athena Edge Processors and Type X Gateways | Device-login.lutron.com | 443 | TCP IPv4/IPv6 | Device Registration and secure processor remote access
All Athena Edge Processors and Type X Gateways | 8.8.4.4, 208.67.220.220, 209.244.0.3, 209.244.0.4, 8.8.8.8, 208.67.222.222 | ICMP | ICMP | Processor Internet connectivity check
All Athena Edge Processors and Type X Gateways | google.com | 80 | TCP IPv4/IPv6 | Processor Internet connectivity check
All Athena Edge Processors and Type X Gateways | Customer Specified DNS Server | 53 | UDP IPv4/IPv6 | DNS resolution is required for cloud connectivity and NTP time sync
All Athena Edge Processors and Type X Gateways | 0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org, 3.pool.ntp.org, 0.north-america.pool.ntp.org, time.iot.lutron.io | 123 | UDP IPv4 | NTP is used for automatic time sync which allows time based events to trigger accurately
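
An added example, not part of Lutron's guide: a small flow-log audit that encodes a subset of the startup, runtime and cloud rows from the tables above and labels observed connections, so that anything outside the documented flows stands out. The subnets, DNS server address and flow records are constructed, and the optional AV integration on port 8081 is assumed to be unused at this site.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed site values (assumptions): replace with the real VLAN plan.
NETS = {
    "processor": ipaddress.ip_network("10.20.30.0/24"),
    "touchscreen": ipaddress.ip_network("10.20.31.0/24"),
    "commissioning": ipaddress.ip_network("10.20.99.10/32"),
}
DNS_SERVER = "10.0.0.53"  # customer-specified DNS server (constructed)
EVENT_GROUPS = ipaddress.ip_network("239.0.38.0/24")  # guide: 239.0.38.1 - 239.0.38.m
CLOUD_443 = {"firmwareupdates.lutron.com", "device-login.lutron.com"}
NTP_HOSTS = {"time.iot.lutron.io", "0.pool.ntp.org", "1.pool.ntp.org",
             "2.pool.ntp.org", "3.pool.ntp.org", "0.north-america.pool.ntp.org"}

def role_of(addr):
    """Return the role whose subnet contains addr; None for hostnames or unknown IPs."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    return next((role for role, net in NETS.items() if ip in net), None)

def is_event_group(dst):
    """True when dst is an IP inside the runtime multicast range."""
    try:
        return ipaddress.ip_address(dst) in EVENT_GROUPS
    except ValueError:
        return False

def to_processor(dst):
    return role_of(dst) == "processor"

# (source role, destination test, protocol, ports, phase), one entry per table row used.
# The IoT pattern is widened to cover the regional form of the guide's example hostname.
RULES = [
    ("processor", is_event_group, "udp", range(2056, 3056), "runtime"),
    ("processor", to_processor, "tcp", (443,), "runtime"),
    ("touchscreen", lambda d: d == "224.0.0.251", "udp", (5353,), "runtime"),
    ("touchscreen", to_processor, "tcp", (8083, 8081), "runtime"),
    ("processor", lambda d: fnmatchcase(d, "*.iot.*.amazonaws.com"), "tcp", (8883,), "cloud"),
    ("processor", lambda d: d in CLOUD_443, "tcp", (443,), "cloud"),
    ("processor", lambda d: d == DNS_SERVER, "udp", (53,), "cloud"),
    ("processor", lambda d: d in NTP_HOSTS, "udp", (123,), "cloud"),
    ("commissioning", to_processor, "tcp", (22, 8081, 8083, 51023), "startup"),
]

def classify(flow, startup_window_open=False):
    """Label one (src, dst, proto, port) record against the guide's tables."""
    src, dst, proto, port = flow
    src_role, dst = role_of(src), dst.lower()
    for role, dst_ok, rule_proto, ports, phase in RULES:
        if src_role == role and proto == rule_proto and port in ports and dst_ok(dst):
            # Startup ports may be closed after commissioning; report late use.
            if phase == "startup" and not startup_window_open:
                return "startup-port-after-commissioning"
            return phase
    # The guide states cloud traffic is outbound only, so unknown sources stand out.
    if to_processor(dst) and src_role is None:
        return "unexpected-inbound"
    return "unexpected"

# Constructed flow records: dst is an IP or the hostname logged by a DNS-aware firewall.
FLOWS = [
    ("10.20.30.11", "239.0.38.1", "udp", 2056),
    ("10.20.30.11", "10.20.30.12", "tcp", 443),
    ("10.20.31.5", "10.20.30.11", "tcp", 8083),
    ("10.20.30.11", "a32jcyk7azp7b5-ats.iot.us-east-1.amazonaws.com", "tcp", 8883),
    ("10.20.99.10", "10.20.30.11", "tcp", 22),
    ("203.0.113.7", "10.20.30.11", "tcp", 8081),
    ("10.20.30.12", "198.51.100.20", "tcp", 23),
]
```

Calling `classify(record)` on each entry of `FLOWS` labels the first four as documented runtime or cloud traffic and flags the last three: SSH from the commissioning laptop after startup, an inbound connection from an unknown source, and outbound Telnet from a processor.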

Configuration Examples

The following diagrams depict some of the various configurations of an Athena system.

System Deployment Utilizing Built-in Unmanaged Ethernet Switches
This diagram shows Ethernet interconnections between Lutron panels using built-in unmanaged Ethernet switches, which may be included in QP5 processors. The interconnected panels are then connected to the building’s IT network, allowing the Athena Edge processors, Clear Connect gateways – Type X and Athena touchscreens to communicate to the Internet and the Lutron mobile app. Each wired processor may contain two RJ-45 Ethernet jacks, which should not be used for daisy-chaining (the second port is used for FSE diagnostics). Each processor shall have a single connection to an Ethernet switch.

[Diagram: system deployment utilizing built-in unmanaged Ethernet switches]

System Deployment Utilizing Customer-Provided PoE Ethernet Switches

[Diagram: system deployment utilizing customer-provided PoE Ethernet switches]

Customer Assistance
If you have questions concerning the installation or operation of this product, call the Lutron Customer Assistance.
Please provide the exact model number when calling. Model number can be found on the product packaging.
Example: SZ-CI-PRG.

U.S.A., Canada, and the Caribbean: 1.844.LUTRON1
Other countries call: +1.610.282.3800
Fax: +1.610.282.1243
Visit us on the web at www.lutron.com
Lutron, Clear Connect, Pico, Radio Powr Savr and Athena are trademarks or registered trademarks of Lutron Electronics Co., Inc. in the US and/or other countries.
Ketra is a trademark or registered trademark of Lutron Ketra, LLC, in the US and/or other countries.
All other product names, logos, and brands are property of their respective owners.

Lutron Electronics Co., Inc.
7200 Suter Road
Coopersburg, PA 18036 USA
© 2020-2021 Lutron Electronics Co., Inc.
P/N 040453 Rev C 06/2021
