LUTRON 040453 Athena Commercial Lighting Control System IT Implementation Installation Guide

June 3, 2024
Lutron


Lutron Security Statement

Lutron takes Cybersecurity very seriously. We vigorously monitor the threat landscape and take a proactive approach to security and privacy, continuously working to update and enhance our systems and processes.
At Lutron, we call our approach to cyber security “Secure Lifecycle,” and we would like to present the following steps we take to protect your security and privacy:

  • Security by Design. When building a new system, Lutron utilizes a dedicated security team to ensure best practices are implemented. Security is built in. It is not an afterthought or add-on.
  • Third-Party Validation. Security is complicated. Lutron has a dedicated team of internal experts, but we also leverage external experts to double- and triple-check our work, and to make security recommendations.
  • Continuous Monitoring and Improvements. Security is a constantly moving target. Lutron uses a dedicated security team to continuously monitor the market for potential threats and, when needed, send out security patches to update installed systems.
  • Ongoing Support. Lutron has the resources you need to answer questions about security when they arise.

We incorporate a variety of security features into our product designs. These features include recommendations from the National Institute of Standards and Technology (NIST) among others, and they are aimed at meeting our Secure Lifecycle protections. While we do not publish a comprehensive list of our security features, the following list is a small example of some of the techniques employed in our system design for Lutron Athena processors and associated services (such as mobile applications and cloud resources):

  1. Secure and authenticated remote access with unique keys for every system’s processor
  2. A secure hardware element (“chip”) on every processor to guard the keys used for secure communication and authentication
  3. We are enforcing industry-standard encrypted communication and techniques for our integration protocols
  4. Secure commissioning – all communication between the system programming software tool/app and the processors is encrypted and authenticated. Programming a system requires permission to access that system
  5. Security updates pushed out automatically to the processors for urgent security patches
  6. Use of industry-standard techniques for integrations, such as OAuth 2.0
  7. Signed processor firmware to ensure a firmware update is authentically from Lutron

If you have additional questions, feel free to reach out via our 24/7 Technical Support line at 1 844 LUTRON1 or email support@lutron.com.

Glossary and Abbreviations

Athena DIN Rail System Panel – Pre-assembled and tested lighting control power panels that are configurable to control multiple load types. Panels are available in different sizes and panel types. System panels come with DPMs (DIN Power Modules) and a control equipment compartment that an Athena Edge processor and power supply, and other low-voltage equipment can be installed into.
Athena Edge Processor – This is the basic Athena controller supporting an embedded Linux operating system and will be the main Athena component connected to any network. Each Athena processor has two RJ45 female connectors – one for the Athena LAN/VLAN connection and the other for serviceability. The two ports in the processor are connected via an unmanaged switch.
Athena Hub – Metal enclosure containing the Athena Edge processors. Wall-mounted vertically, predominantly located in electrical closets. The QP5 enclosure houses up to two Athena processors and may also house a Lutron-provided 8-port unmanaged layer 2 network switch with PoE (Power over Ethernet) for connectivity. PoE is provided to power devices such as Clear Connect Gateways – Type X and Athena touchscreens.
Athena Touchscreen – This is a wall-mounted digital control that manages Athena-connected lights and shades through the wired Athena Edge processor. This device is required to be on the same network as the Athena Edge processor, but may be on a different subnet, if desired. It is Ethernet-connected and utilizes Power over Ethernet for power and communication. These touchscreens are powered by PoE switches included in the Athena hub or may be powered by customer-provided Ethernet PoE switches.
Clear Connect Gateway – Type X (Q-RF) – This is an optional controller that supports communication between the Athena system and 2.4 GHz Clear Connect – Type X devices such as Ketra wireless fixtures and lamps. This controller is required to be on the same network as the Edge processor. This controller is Ethernet-connected and utilizes PoE for power. These gateways are powered by PoE switches included in the Athena hub or may be powered by customer-provided Ethernet switches.
Field Service Engineer (FSE) – A Lutron Services Company representative who is tasked with programming and commissioning a system.

Networking Overview

System Startup and Commissioning
For new system startup, electricians will need to interconnect the various Athena hubs and gateways to create a standalone network prior to startup and commissioning of the Athena system by the Field Service Engineer (FSE). These interconnections utilize unmanaged PoE Ethernet switches, such as those contained in QP5 hubs. In typical applications Lutron processors and hubs are placed on their own LAN/VLAN. FSEs can work with IT to configure DHCP-provided IP addresses on each processor. The network must be capable of supporting IPv6 traffic, although IPv6 addresses do not need to be allocated via DHCP. Information on IP address requirements can be obtained from the FSE. Some system features require the processors to have Internet access, such as mobile app control.
For customers who do not wish to have unmanaged Ethernet switches on their network, customer-provided managed Ethernet switches may be used. Each processor and gateway shall have a single connection from the processor to the Ethernet switch. For Q-RF gateways and Athena touchscreens in a system, an Ethernet switch supporting IEEE 802.3af or 802.3at is required to power them. In a QP5 hub there may be two processors enclosed. While the Athena Edge Processor has two Ethernet ports, the second port may not be used for daisy chaining to other processors. Edge processors with a single Ethernet port may also be present depending on the specification of your system. The Ethernet port should be used to connect the processor to the network, and every processor must have a dedicated Ethernet cable home run back to the switch.
When the customer-provided network becomes available for use with the lighting system, a transition from the network used for commissioning to the customer network can be scheduled and carried out; see “Commissioning Internet Connection” below for details. Because of this anticipated network transition, IP addresses set via DHCP are recommended. Refer to the firewall and routing table in this document for information on ports required for communication between the Athena processors and Cloud connectivity.

Network Architecture Overview
The typical Athena system network architecture contains Athena Edge processors, optional Clear Connect Gateways – Type X (Q-RF), Athena touchscreens, and client devices (e.g., PC, laptop, tablet, mobile device, etc.).
The Athena network architecture does NOT include the lighting actuators, sensors, and load controllers. This includes keypads, wired and wireless daylight sensors, wired and wireless occupancy sensors, load controllers, dimmers, switches, lighting panels, fluorescent lamp ballasts, or LED drivers. These devices communicate on a Lutron proprietary wired or wireless communication network.

RF Considerations
While Lutron’s Radio Powr Savr RF occupancy sensors, daylight sensors and Pico controls operate on a frequency outside of Wi-Fi, Clear Connect Gateway – Type X and Ketra fixtures and lamps operate in the 2.4 GHz band. 2.4 GHz Wi-Fi networks deployed on standard channels (1-6-11), or that operate in the 5 GHz band, will not interfere with communication between Clear Connect gateways – Type X and other Clear Connect – Type X devices. There are five Clear Connect – Type X channels that are preferred for Athena system deployment because they avoid or minimize interference from standard Wi-Fi channels; these will be used by default unless other requirements are communicated to the FSE:

  • Channel 25 (2475 MHz)
  • Channel 11 (2405 MHz)
  • Channel 24 (2470 MHz)
  • Channel 20 (2450 MHz)
  • Channel 26 (2480 MHz)

Clear Connect gateways – Type X should be kept at least 5 ft (1.5 m) away from 2.4 GHz Wi-Fi access points, routers, hotspots, or other devices communicating via 2.4 GHz Wi-Fi. Other Clear Connect – Type X devices should be kept at least 3 ft (1.0 m) away from 2.4 GHz Wi-Fi access points, routers, hotspots, or other devices communicating via 2.4 GHz Wi-Fi. myLutron users can access Lutron App Note #745 (P/N 048745) at www.lutron.com for further details.

Physical Medium
IEEE 802.3 Ethernet – Is the physical medium standard for the network between Athena processors.
CAT5e – The minimum network wire specification of the Athena LAN/VLAN.

IP Addressing
IPv4/IPv6 – The Athena system requires communications and IP addressing over IPv4 and IPv6. Either static IP or DHCP can be used. DHCP for IPv4 addresses is the enabled default setting, but hard-coded IP addresses may be used if desired. Link-local IP addresses are not permitted to be used as static IP addresses. If a DHCP server is not present on the network, the processors will self-assign link-local IP addresses.

Class D addressing
Multicast addressing is used for two primary functions in an Athena system: device discovery via mDNS, and inter-processor communication utilizing multicast groups. Multicast traffic for mDNS discovery is always required. Multicast traffic for inter-processor communication may not be needed for newly-installed systems, but may have been utilized in previously-installed systems; check with the FSE for details. For systems that utilize multicast for inter-processor communications, this communication is required, and has the following properties:

  • Each group of Athena processors that need to share events will need a unique and common class D address. The class D multicast address can be field set by the FSE and specified by the customer.
  • Any source multicast is used because any Athena processor may be enacting the event.
  • Multicast communication in the Athena system is primarily event based (e.g., system trigger or change in state for monitoring). Polling is not a basis of communications in an Athena system.

Latency Requirements for Managed Networks
Note that for managed networks, the maximum latency between any two Athena processors should be less than 10 ms.

Communication Speed and Bandwidth
100 BaseT full duplex – Is the maximum link speed supported by the Athena processor communications.
2 Mbps – Worst case bandwidth in a fully loaded system. Most systems include only 1 to 4 processors.

Other Protocols Supported
IGMP – Athena supports IGMP versions 1, 2, and 3 for multicast communication between the Athena processors. Any possible flooding of multicast traffic can be constrained to a set of interested ports by using IGMP snooping.
mDNS – Multicast DNS is used by the Athena design software or Athena touchscreen and the Lutron mobile app to discover the processor and gateway devices. The processors and gateways will respond to any mDNS discovery requests sent by any compatible device. These responses are used to discover the IP address, version and other information required to allow the design software and mobile app to operate with the lighting system. For proper system operation, mDNS must be routed through the entire subnet, both wired and wireless networks.
SSH/SCP – Secure Shell is used by both the Athena design software and Lutron mobile app. The Athena design software utilizes this protocol for database transfer and diagnostic log download from the processors and gateways. The mobile app utilizes this protocol for diagnostic log download only. Connections using this protocol can only be made by an authorized/paired device using the mobile app, or computer with the design software and current system configuration database.
TLS – Transport Layer Security is used specifically for external integration with the Athena system. This is used by the Lutron mobile app to allow control of lights. In addition, this is used by AV integration systems to make a connection to the processor/gateway device to allow control. Access to this is either certificate-based with approved vendors, or with custom username/passphrase logins. Custom logins may be configured by the FSE during system commissioning. Lutron’s Athena system supports TLS 1.2.
Telnet – A Lutron QSE-CI-NWK-E can be added to the system for Telnet AV integration. This device provides an RS232 or Telnet connection for system integration. For Telnet integration, the QSE-CI-NWK-E is not required to be connected to the same Network/VLAN as the Athena processors. For limitations, see the QSE-CI-NWK-E specification submittal (P/N 369373) at www.lutron.com.

System Internet Connectivity
The Lutron Athena system is enhanced when coupled with Internet connectivity. This connectivity provides the following enhancements:

  1. Lutron App connectivity to the system for control and monitoring
  2. Automatic firmware updates of the Athena processors
  3. Remote factory service options provided by Lutron

A permanent network connection provided by the customer is recommended for Athena systems to provide the processor with Internet connectivity.
If there is no Internet connection provided to the Athena system, the following is true:

  1. Local physical controls of the system will continue to operate as expected, and existing timeclock events will continue as scheduled
  2. The Athena processor will not receive firmware updates
  3. There will be no control or reprogramming of the system via the Lutron App
  4. Certain cloud based features such as DALI emergency testing dashboard will NOT be available

Commissioning Internet Connection
During the startup of an Athena system, an LTE modem may be provided by Lutron to facilitate ease of commissioning by Lutron Field Service Engineers (FSE). This device may be installed by the electrical contractor as part of the system. The modem will not be used to connect any non-Lutron components to the Internet. This LTE modem will be removed or deactivated by the Lutron FSE within 30 days of the end of jobsite startup.
If the customer network is already up and running when a Lutron FSE is scheduled for startup, the temporary LTE modem will not be used.

Internet/Cloud Services and Mobile App Connectivity

  • DNS Resolution
    – The processor will use the IT-specified DNS server to resolve IP addresses to access Internet connected services. The DNS server’s IP address can be set either manually by the Lutron FSE or via DHCP.

  • Internet connectivity test
    – The processor will ping public DNS servers to verify Internet connectivity:
    o 8.8.4.4, 8.8.8.8, 208.67.220.220, 208.67.222.222, 209.244.0.3, 209.244.0.4
    – The processor will also attempt to make an HTTP connection to www.google.com

  • Time Sync
    – The processor will reach out to the below list of Internet time servers. NTP is used to allow accurate execution of automatic timeclock and other scheduled events. In the event that a time server is not available, the clock on the processor is set during system programming and is retained during power outages. When Internet connectivity is available, the processors will reach out to time.iot.lutron.io, which may resolve to one or more of the following NTP servers:
    o 0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org, 3.pool.ntp.org, 0.north-america.pool.ntp.org

  • Automatic Firmware Updates
    – The processor will attempt automatic firmware upgrades by establishing an HTTPS connection to firmwareupdates.lutron.com, which may resolve to one or more s3.amazonaws.com addresses
    – This feature is enabled by default

  • Cloud Connectivity
    – The optional Lutron mobile app is available on iOS mobile devices. This app is typically used by facility managers to allow control of lighting loads including Ketra color selection and window shade position. The app will also allow creation and editing of timeclock events, as well as scene editing. In the mobile app, Floors and Rooms are presented to users in a tree format, allowing access to control all of the lighting and shade zones in each area.
    – Use of the mobile app requires that a myLutron cloud-based account be created, which is then paired to the Athena processors. If more than one user will need to access the system via the app, each user will need to create a myLutron cloud-based account, and the original account holder will need to share access with the new users. Shared access can be set for a limited time or indefinitely, or revoked at any time.
    – Initial setup of the app requires the mobile device to be on the same subnet as the Athena processors so that discovery and secure authentication can be performed. Following initial setup of the mobile app, the mobile device will no longer be required to be on the same network.
    – The mobile app requires a connection to Lutron’s cloud services to control the system. The app-to-processor communication connects to Lutron’s cloud services as defined in the “Mobile App, Internet, and Cloud Connectivity Features” section in this document.
    – Device-login.lutron.com & iot.amazonaws.com are used for cloud connectivity.
    – All cloud connectivity functions utilize outbound connections only. Both the processor hardware and the mobile app originate connections to the cloud servers to exchange messages. No inbound connections are made from the cloud server to the processor.

Firewall/Routing Requirements

Required for System Startup and Programming
These ports are used for system startup and database transfer to processors and gateways. After the system has been started up these ports may be closed if desired. If changes to the system are needed, these ports will need to be re-opened to allow upload of programming changes to the system.

Source | Destination | Port | Protocol | Description
Athena Commissioning Device¹ | 224.0.0.251 | 5353 | UDP IPv4 Multicast | mDNS is utilized for processor discovery and initial configuration
All Athena Edge Wired Processors and Clear Connect-Type X Wireless Gateways | 224.0.0.251 | 5353 | UDP IPv4 Multicast | This is the mDNS discovery response sent from the processor/gateway back to the Athena configuration software
Athena Commissioning Device¹ | All Athena Edge Processors and Type X Gateways | 8083, 8081 | TCP IPv4/IPv6 | These ports are used to configure processors
Athena Commissioning Device¹ | All Athena Edge Processors and Type X Gateways | 22 | TCP IPv4 | Used for database transfer, support file generation and diagnostics
Athena Commissioning Device¹ | Sqltofb.lutron.com, Firmwareupdates.lutron.com | 443 | TCP IPv4/IPv6 | Allows Lutron software to obtain the latest processor firmware
Athena Commissioning Device¹ | All Athena Edge Processors and Clear Connect – Type X Wireless Gateways | 51023 | TCP IPv4/IPv6 | Unicast communication between design software and processors
Athena Commissioning Device¹ | Athena Touchscreens | 8080 | TCP IPv4 | Touchscreen diagnostics

Required for System Runtime
These ports are required for system runtime, and must remain open for system functionality.

Source | Destination | Port | Protocol | Description
All Athena Edge Processors and Clear Connect – Type X Wireless Gateways | Multicast Address of the Athena system (239.0.38.1 – 239.0.38.xx)² | 2056-3055 | UDP IPv4 Multicast | Used to share events and status of lights between Athena processors and gateways. Only needed if system is configured for inter-processor communication via multicast.
All Athena Edge Processors and Clear Connect – Type X Wireless Gateways | All Athena Edge Processors and Clear Connect – Type X Wireless Gateways | 443 | TCP IPv4/IPv6 | Used to share events and status of lights between Athena processors and gateways.
Athena Touchscreen | 224.0.0.251 | 5353 | UDP IPv4 Multicast | mDNS is utilized for Athena Edge processor discovery by the Athena touchscreen
Athena Touchscreen | All Athena Edge Processors | 8083, 8081 | TCP IPv4 | These ports are used to communicate between the Athena Edge processors and Athena touchscreens

  1. The Athena Commissioning Device is the IP address of the computer used to commission the Athena system. This is typically a laptop operated by the Lutron FSE during system startup.
  2. Multicast addresses used by the system will be configured by the FSE during system startup.

Optional Features and Functions
These are optional feature ports used for integration and are outbound from the Lutron processor only.

Source | Destination | Port | Protocol | Description
AV Integration System IP | IP Address of QSE-CI-NWK | 23 | TCP IPv4 | For integration systems which utilize Telnet, an NWK is the only means for Telnet integration to Athena
AV Integration System IP | IP Address of the Athena Edge Processor | 8081 | TCP IPv4/IPv6 | For third-party external integration with a processor via TLS

Mobile App, Internet and Cloud Connectivity Features
These ports are used for various cloud, app, and Internet connectivity functions.

Source | Destination | Port | Protocol | Description
Mobile Device on Local Processor Network | 224.0.0.251 | 5353 | UDP IPv4 Multicast | mDNS is utilized for processor discovery during setup and system pairing
Mobile Device on Local Processor Network | All Athena Edge Processors and Type-X Gateways | 8083, 8081 | TCP IPv4/IPv6 | Lutron mobile app authentication and configuration
Mobile Device on Local Processor Network | All Athena Edge Processors and Type-X Gateways | 22 | TCP IPv4 | SSH is used for support file generation and diagnostics
All Athena Edge Processors and Type X Gateways | .iot..amazonaws.com | 8883 | TCP IPv4/IPv6 | Lutron Cloud connectivity for mobile app runtime on network other than processor network. The destination address can be dynamic based on region. For example, it could look like: a32jcyk7azp7b5-ats.iot.us-east-1.amazonaws.com
All Athena Edge Processors and Type X Gateways | firmwareupdates.lutron.com | 443 | TCP IPv4/IPv6 | Used for automatic firmware upgrades, may resolve to one or more s3.amazonaws.com addresses
All Athena Edge Processors and Type X Gateways | Device-login.lutron.com | 443 | TCP IPv4/IPv6 | Device Registration and secure processor remote access
All Athena Edge Processors and Type X Gateways | 8.8.4.4, 208.67.220.220, 209.244.0.3, 209.244.0.4, 8.8.8.8, 208.67.222.222 | ICMP | ICMP | Processor Internet connectivity check
All Athena Edge Processors and Type X Gateways | google.com | 80 | TCP IPv4/IPv6 | Processor Internet connectivity check
All Athena Edge Processors and Type X Gateways | Customer Specified DNS Server | 53 | UDP IPv4/IPv6 | DNS resolution is required for cloud connectivity and NTP time sync
All Athena Edge Processors and Type X Gateways | 0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org, 3.pool.ntp.org, 0.north-america.pool.ntp.org, time.iot.lutron.io | 123 | UDP IPv4 | NTP is used for automatic time sync which allows time based events to trigger accurately
All Athena Edge Processors and Type X Gateways | .iot.lutron.io | 443 | TCP IPv4/IPv6 | Connectivity for Cloud based functionality
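
The runtime and cloud tables above, expressed as an allow-list that labels flow records seen on the lighting VLAN; this is an added example, not Lutron code. The subnets, DNS server address, flow-record shape and the two wildcard host patterns are assumptions of the example.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed site plan (assumptions, not values from the guide)
PROCESSORS = ipaddress.ip_network("10.20.30.0/28")     # Edge processors, Type X gateways
TOUCHSCREENS = ipaddress.ip_network("10.20.30.16/28")  # Athena touchscreens
DNS_SERVER = "10.20.0.53"                              # customer-specified DNS server

# Values from the guide's firewall tables
MDNS = ipaddress.ip_address("224.0.0.251")
EVENT_GROUPS = ipaddress.ip_network("239.0.38.0/24")   # 239.0.38.1 - 239.0.38.xx
PING_TARGETS = {"8.8.4.4", "8.8.8.8", "208.67.220.220",
                "208.67.222.222", "209.244.0.3", "209.244.0.4"}
NTP_HOSTS = {"0.pool.ntp.org", "1.pool.ntp.org", "2.pool.ntp.org", "3.pool.ntp.org",
             "0.north-america.pool.ntp.org", "time.iot.lutron.io"}
# (host pattern, protocol, port). The two wildcard patterns are this example's
# reading of the table entries ".iot..amazonaws.com" and ".iot.lutron.io".
CLOUD_RULES = [
    ("*.iot.*.amazonaws.com", "tcp", 8883), ("*.iot.lutron.io", "tcp", 443),
    ("firmwareupdates.lutron.com", "tcp", 443), ("device-login.lutron.com", "tcp", 443),
    ("google.com", "tcp", 80), ("www.google.com", "tcp", 80),
]
# Ports toward processors that the guide ties to commissioning, app pairing or
# optional AV integration: reported for review, not treated as runtime traffic.
MANAGEMENT_PORTS = {22, 8081, 8083, 51023}


def classify(src, dst, proto, port=0, host=""):
    """Label one flow 'runtime', 'cloud', 'commissioning' or 'undocumented'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    host = host.lower().rstrip(".")
    if d == MDNS and (proto, port) == ("udp", 5353):
        return "runtime"                      # mDNS discovery is always required
    if s in PROCESSORS:
        if d in PROCESSORS and (proto, port) == ("tcp", 443):
            return "runtime"                  # inter-processor events and status
        if d in EVENT_GROUPS and proto == "udp" and 2056 <= port <= 3055:
            return "runtime"                  # multicast event sharing, if configured
        if proto == "icmp" and dst in PING_TARGETS:
            return "cloud"                    # Internet connectivity check
        if dst == DNS_SERVER and (proto, port) == ("udp", 53):
            return "cloud"
        if host in NTP_HOSTS and (proto, port) == ("udp", 123):
            return "cloud"
        if any(fnmatchcase(host, pat) and (proto, port) == (p, n)
               for pat, p, n in CLOUD_RULES):
            return "cloud"
        return "undocumented"                 # processor egress the tables do not list
    if s in TOUCHSCREENS and d in PROCESSORS and proto == "tcp" and port in (8081, 8083):
        return "runtime"
    if d in PROCESSORS and proto == "tcp" and port in MANAGEMENT_PORTS:
        return "commissioning"
    return "undocumented"


def audit(flows):
    """Return (label, flow) pairs for every flow that is not runtime or cloud traffic."""
    labelled = [(classify(*f), f) for f in flows]
    return [(label, f) for label, f in labelled if label not in ("runtime", "cloud")]


# Constructed flow records: (src, dst, proto, port, resolved host name). The host
# name is what a DNS-aware firewall or resolver log would supply (assumed shape).
SAMPLE_FLOWS = [
    ("10.20.30.2", "10.20.30.3", "tcp", 443),
    ("10.20.30.2", "239.0.38.1", "udp", 2056),
    ("10.20.30.2", "198.51.100.7", "tcp", 8883,
     "a32jcyk7azp7b5-ats.iot.us-east-1.amazonaws.com"),
    ("10.20.30.2", "8.8.8.8", "icmp"),
    ("10.20.30.17", "10.20.30.2", "tcp", 8083),
    ("10.9.9.50", "10.20.30.2", "tcp", 22),       # laptop reaching SSH on a processor
    ("10.20.30.2", "203.0.113.9", "tcp", 23),     # processor egress on Telnet
    ("203.0.113.80", "10.20.30.2", "tcp", 8883),  # inbound connection from outside
    ("10.20.30.2", "8.8.8.8", "udp", 53),         # DNS to a resolver IT did not specify
]

if __name__ == "__main__":
    for label, flow in audit(SAMPLE_FLOWS):
        print(f"{label:14}", *flow)
```

Flows labelled `commissioning` match ports the guide says may be closed after startup, so seeing them outside a maintenance window is worth a look.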

Configuration Examples

The following diagrams depict some of the various configurations of an Athena system.

System Deployment Utilizing Built-in Unmanaged Ethernet Switches
This diagram shows the system Ethernet link interconnections between Lutron panels using built-in unmanaged Ethernet switches, which may be included in QP5 processors. The interconnected panels are then connected to the building’s IT network, allowing the Athena Edge processors, Clear Connect gateways – Type X and Athena touchscreens to communicate to the Internet and the Lutron mobile app. Each wired processor may contain two RJ-45 Ethernet jacks, which should not be used for daisy chaining (the second port is used for FSE diagnostics). Each processor shall have a single connection to an Ethernet switch.

[Figure 1]

Note: Connecting all Athena processors, Clear Connect Gateways – Type X, touchscreens, and LTE modems via the system Ethernet link is required for startup and operation of the system.

System Deployment Utilizing Customer-Provided PoE Ethernet Switches
This diagram shows the use of customer-provided Ethernet switches to connect processors to the building network infrastructure for the system Ethernet link. In this example the Clear Connect gateways – Type X and Athena touchscreens are provided power from the customer-provided PoE switch. Each processor may contain two RJ-45 Ethernet jacks, which should not be used for daisy chaining (the second port is used for FSE diagnostics). Each processor shall have a single connection to an Ethernet switch.

[Figure 2]

Note: Connecting all Athena processors, Clear Connect Gateways – Type X, touchscreens, and LTE modems via the System Ethernet Link is required for startup and operation of the system.

Customer Assistance
If you have questions concerning the installation or operation of this product, call the Lutron Customer Assistance.
Please provide the exact model number when calling. Model number can be found on the product packaging.
Example: SZ-CI-PRG

U.S.A., Canada, and the Caribbean: 1 844 LUTRON1
Other countries call: +1 610 282 3800
Fax: +1 610 282 1243
Visit us on the web at www.lutron.com
The Lutron logo, Lutron, Clear Connect, Pico, Radio Powr Savr and Athena are trademarks or registered trademarks of Lutron Electronics Co., Inc. in the US and/or other countries. Ketra is a trademark or registered trademark of Lutron Ketra, LLC, in the US and/or other countries.
All other product names, logos, and brands are property of their respective owners.

© 2020-2022 Lutron Electronics Co., Inc.
P/N 040453 Rev E 05/2022
Lutron Electronics Co., Inc.
7200 Suter Road
Coopersburg, PA 18036 USA
