manualshive.com logo in svg

Siemens SCALANCE, Расширенные настройки

Поделиться
Скачать
Siemens SCALANCE Скачать руководство пользователя страница 30

3 Detailed checklist 
 

Checklist 
Article ID: 109745536,    V2.0,    05/2022 

 

 

30 

 

©

 S

iem

e

n

s A

2

0

2

2

 A

ll r

igh

ts 

re

se

rv

e

d

 

3.14.10 

Brute Force Prevention 

Menu path 

You can find this information in MSPS devices under "Security > Brute Force 
Prevention" 

Recommendation 

"Brute Force Prevention" ("BFP") lets you limit the number of incorrect login 
attempts made within a certain time frame. 

Define a maximum number of invalid login attempts for a user whom the device 
accepts. Further login attempts for this user will be blocked for a certain period. 

3.14.11 

Turn off firewall with SCALANCE S/M 

Menu path 

You can find this information for MSPS devices under "Security > Firewall > 
General". 

Note 

With SCALANCE S/M devices, you can completely disable the firewall in the 
settings. 

Disabling the firewall has a side effect that is easy to miss. 
As one may expect, all communication between the interfaces is no longer 
subjected to filtering. 

In addition, all rules that limit access to the module services become inactive. This 
means that all settings made under "Predefined" become void. All services of the 
device are reachable at all interfaces. 

Especially with SCALANCE M devices with a direct WAN interface, disabling the 
firewall is strongly discouraged. 

Recommendation 

Do not disable the firewall. If you wish to disable the firewall for testing purposes, 
create pertinent rules under "IP rules". 

Modify the "TCP Idle Timeout". At 24 hours, the time preset is very long. A timeout 
on the order of UDP/ICMP typically works just as well. 

Содержание SCALANCE

Страница 1: ...Checklist for setting up SCALANCE devices SCALANCE https support industry siemens com cs ww en view 109745536 Siemens Industry Online Support ...

Страница 2: ...s arising from a breach of material contractual obligations shall however be limited to the foreseeable damage typical of the type of agreement unless liability arises from intent or gross negligence or is based on loss of life bodily injury or damage to health The foregoing provisions do not imply any change in the burden of proof to your detriment You shall indemnify Siemens against existing or ...

Страница 3: ...DCP Discovery 15 3 10 Quality of service traffic shaping 16 3 11 Redundancy 17 3 11 1 Ring redundancy 17 3 11 2 Spanning tree 19 3 11 3 Passive listening 20 3 12 Wireless LAN 21 3 12 1 WLAN encryption 21 3 12 2 WLAN layer 2 tunnel 21 3 12 3 WLAN iPCF 22 3 13 Configuration 22 3 13 1 Storage information with MSPS devices 22 3 13 2 Configuration backup 23 3 13 3 C PLUG Key PLUG 24 3 13 4 Scheduled re...

Страница 4: ...able of contents Checklist Article ID 109745536 V2 0 05 2022 4 Siemens AG 2022 All rights reserved 4 1 Service and support 31 4 2 Industry Mall 32 4 3 Links and literature 32 4 4 Change documentation 32 ...

Страница 5: ...nused protocols Only allow write protected access Change the default password Set up encryption Motivation The checklist in this overview document will support you when preparing SCALANCE devices It guides you through the various functions of SCALANCE devices and gives you some general recommendations for parameter assignment This checklist will help you prepare SCALANCE devices for operation with...

Страница 6: ... command line interface CLI There are essentially two variants of the configuration software platform for SCALANCE devices The functions and the configuration of these functions are typically identical or very similar With these variations in mind the SCALANCE devices are classified as follows X 200 and X 300 X 400 Devices based on Modular Switching Platform SCALANCE MSPS The following devices are...

Страница 7: ... client Disable PROFINET interface if not using PROFINET Enable time synchronization With SCALANCE X disable preset ring ports Disable spanning tree if it is not needed Disable the option SINEMA Configuration Interface If PROFINET data traffic is running over the device and no custom VLAN configuration is being used then enable VLAN 0 aware mode X 300 or 802 1D Transparent Bridge Enable WLAN encry...

Страница 8: ...evices Information Versions With X 200 and X 300 Agent System Version Numbers Recommendation Use the Latest firmware version If the SCALANCE device does not have the latest firmware perform an update The current versions can be found in Siemens Industry Online Support see 1 in chapter 4 3 3 2 Set up time synchronization Menu path You can find this information in the following paths With MSPS Syste...

Страница 9: ...SNMPv3 variant Tick the SNMPv1 v2 Read Only checkbox to prevent changes to the device configuration via unsecure SNMP Set requests Change the Community Strings for SNMPv1 v2c Note With SNMPv1 v2 data are transmitted over the wire in cleartext With SNMPv3 the client can neither write nor read without a valid logon Data are transmitted in encrypted form Recommendations for MSPS devices Use SSH Serve...

Страница 10: ...able the SINEMA Configuration Interface option if the device is not managed with TIA or SINEC NMS This turns off the configuration interface for these tools After commissioning set the DCP server to Read Only 3 4 Use secure FTP Menu path You can find this information System Load Save for MSPS devices Note on X 200 and X 300 devices The switches only support TFTP Recommendations for MSPS devices Do...

Страница 11: ...unt if it is not used Note With the X 200 and X 300 you are neither able to rename or delete the admin and user accounts Note on MSPS devices The user account cannot change the configuration If the password is not changed the settings are visible to all With MSPS devices you will be automatically prompted on the first logon to change the admin password Optionally you can also change the name of th...

Страница 12: ...r 3 9 This setting does not depend on the PROFINET status Remarks A restart is required for the changes to become effective Without a restart an improperly configured PROFINET controller could push parts of the configuration even without valid login credentials The port and ring settings are also part of the PROFINET configuration Note on PROFINET update time and watchdog time Check which update t...

Страница 13: ...owser when you open the WBM over HTTPS You can load your own certificates into the devices via HTTPSCert SSHPrivateKeyECDSA SSHPrivateKeyRSA as an alternative If the container is password protected enter the passwords under Passwords before loading In combination with a certificate authority CA it is possible to check in the browser whether it is connecting with the correct device or the correct I...

Страница 14: ... PROFINET name to be modified and a reset can also be triggered This can happen even if the login credentials are not known Read only access means the device no longer responds to DCP Set Requests With this setting it is not possible to assign parameters using engineering tools not even if the device remains visible Note If you run the SCALANCE device as a PROFINET device and enable DCP read acces...

Страница 15: ...n networks that interface with multiple parties DCP disabled restricted forwarding of DCP telegrams This constellation can result in addresses or names of third parties being assumed to be unassigned even when they are already in use Duplicate addresses may occur and cause network problems 3 9 3 DCP Discovery Menu path You can find this information in MSPS devices under System DCP Discovery Note D...

Страница 16: ... untagged setting causes the VLAN tag to be lost once the first switch has forwarded it The COS priority information is thereby removed as well COS and PROFINET If the PROFINET data traffic passes the VLAN capable device and advanced VLAN isolation is not necessary then use the settings below These settings will cause the VLAN tag to be retained With an X 300 enable VLAN 0 Aware mode in the Switch...

Страница 17: ...guaranteed maximum times are 200 ms for MRP and 300 ms for HRP The higher level application must be able to handle these brief interruptions during the switchover For devices that communicate via the ring the response watchdog time in PROFINET must be larger than the failover time To achieve a higher response watchdog time increase the update time or the number of retries If the application does n...

Страница 18: ...s connected the device becomes an HRP client If an MRP manager is connected the device becomes an MRP client If no ring manager is connected the device becomes an MRP manager ARD will never cause the device to become an HRP manager Menu path You can find this information in the following paths With MSPS Layer 2 Ring Redundancy With X 200 and X 300 X200 X300 Ring Redundancy Recommendation If the de...

Страница 19: ...ar which is currently active Therefore all devices must be contacted in order to find the current manager and ascertain the state Note You can find application examples on redundancy in Siemens Industry Online Support see 4 in chapter 4 3 3 11 2 Spanning tree Menu path You can find this information in the following paths With MSPS Layer 2 Spanning Tree With X 300 Switch Configuration and Switch ST...

Страница 20: ... Passive Listening is disabled by default on most SCALANCE X devices If there is no constellation in the network that relies on a coupling from STP to an HRP ring or MRP ring for example then disable Passive Listening Note Passive Listening causes the SCALANCE device to forward BPDUs An incoming topology change causes it to delete its MAC address table The SCALANCE device deletes the MAC address t...

Страница 21: ... secure protocols over the wireless link as well 3 12 2 WLAN layer 2 tunnel Menu path You can find this information in IWLAN devices in the following menu Interfaces WLAN Client Recommendation Set the MAC mode to Layer 2 Tunnel if the client and the access point are SCALANCE W devices Note As of firmware V6 0 Layer 2 Tunnel is the default setting once you enable the iPCF function Note The Layer 2 ...

Страница 22: ...y in parallel Immediately after modification in volatile RAM With a 60 second delay after the modification permanently in the flash storage and C PLUG where applicable The goal is to minimize write access to the flash while the user is making changes After each change in the WBM the following message will appear in the upper half of the screen Changes will be saved automatically in xy seconds Pres...

Страница 23: ... devices there is a distinction between Config and ConfigPack Both contain the settings from the WBM The ConfigPack also receives information about the users passwords and certificates The Config represents the pure settings from the WBM Use the ConfigPack for a full backup of the device Password protect the Config and the ConfigPack if necessary You have the option of saving the configuration on ...

Страница 24: ...ways saved automatically both internally and on the C PLUG Versions PLUG variants in currently in circulation are Item number Description Use 6GK1900 0AB00 C PLUG 32MB X200 X300 MSPS 6GK1900 0AB10 C PLUG 256MB MSPS The 32MB C PLUG currently functions in all SCALANCE devices The 256MB version is recommended for current MSPS devices The reason for this is the option for saving the firmware on the PL...

Страница 25: ...lash Changes are only stored in volatile RAM As long as you do not use Write Startup Config to save the configuration before the specified time runs out the device will restart and discard all changes that were made after Trial Mode was activated Recommendation Use Trial Mode if you wish to test a configuration Trial Mode does apply new settings but it does not save them to the configuration file ...

Страница 26: ... Negotiation Note If you use a fixed speed or mode setting instead of Auto Negotiation apply the fixed setting on both devices If you mix Auto Negotiation and fixed settings the Auto Negotiation participant will revert to half duplex Half duplex results in worse network performance compared to full duplex 3 14 2 System information Menu path You can find this information in the following paths With...

Страница 27: ...cation with the Syslog server 3 14 4 Limit key functions Menu path You can find this information in the following paths With MSPS System Configuration of SELECT SET Button With X 200 and X 300 System Select Set Button Recommendation In this menu you can disable the Reset function of the physical reset key on the module housing If available you can also disable the switchover of the ring functions ...

Страница 28: ...t first and switch off the specific port before the higher level switch disconnects the entire cell 3 14 7 Port mirroring Menu path You can find this information in the following paths With MSPS Layer 2 Mirroring With X 300 Switch Port Mirroring Recommendation If using port mirroring with VLAN capable switches make sure that the monitoring port is not a member in any VLAN no U M or T in the VLAN t...

Страница 29: ...the faster failover time 3 14 9 Default gateway Menu path You can find this information in the following paths With MSPS Layer 3 Static Routes With X 200 and X 300 Agent Recommendation Even if the devices currently do not need a default gateway future expansions may necessitate one for example if more subnets are added or if you set up remote maintenance Always set a default gateway in the devices...

Страница 30: ...wall General Note With SCALANCE S M devices you can completely disable the firewall in the settings Disabling the firewall has a side effect that is easy to miss As one may expect all communication between the interfaces is no longer subjected to filtering In addition all rules that limit access to the module services become inactive This means that all settings made under Predefined become void A...

Страница 31: ...ts Please send queries to Technical Support via Web form support industry siemens com cs my src SITRAIN Digital Industry Academy We support you with our globally available training courses for industry with practical experience innovative learning methods and a concept that s tailored to the customer s specific needs For more information on our offered trainings and courses as well as their locati...

Страница 32: ...ry siemens com 4 3 Links and literature Table 4 1 No Topic 1 Siemens Industry Online Support https support industry siemens com 2 Link to this entry page of this application example https support industry siemens com cs ww en view 109745536 3 Library for SNTP Server Functionality in SIMATIC S7 CPUs https support industry siemens com cs ww en view 82203451 4 Application examples on redundancy Appli...

Отзывы:

Нет отзывов

Бренды по названию

Популярные бренды

Загрузить еще бренды