manualshive.com logo in svg

Siemens SCALANCE, Расширенные настройки


Поделиться
Скачать
background image

1 Introduction 
 

Checklist 
Article ID: 109745536,    V2.0,    05/2022 

 

 

 

©

 S

iem

e

n

s A

2

0

2

2

 A

ll r

igh

ts 

re

se

rv

e

d

 

Introduction 

1.1 

Overview 

Background 

SCALANCE devices have a wide range of functions and specifications. These 
devices are often integrated into IT infrastructure with default settings unchanged 
or unused features left active. 
There is a risk that unauthorized users could access the modules and cause 
damage. 

To prevent unauthorized access over the network and thereby improve the 
operational security of SCALANCE devices, please note the following security-
related settings: 

 

Disable unused protocols 

 

Only allow write-protected access 

 

Change the default password 

 

Set up encryption 

Motivation 

The checklist in this overview document will support you when preparing 
SCALANCE devices. 

It guides you through the various functions of SCALANCE devices and gives you 
some general recommendations for parameter assignment. 

This checklist will help you prepare SCALANCE devices for operation without 
omitting any important settings.  

Document contents 

Topics covered in the checklist include: 

 

Latest firmware  

 

Time synchronization  

 

Unencrypted protocols  

 

Secure FTP  

 

Passwords  

 

PROFINET 

 

HTTPS certificates and SSH keys 

 

Dynamic Configuration Protocol (DCP)  

 

Quality of service 

– Traffic-shaping 

 

Redundancy  

 

Wireless LAN  

 

Configuration backup 

 

Scheduled restart and Trial Mode 

 

Additional settings 

 

Содержание SCALANCE

Страница 1: ...Checklist for setting up SCALANCE devices SCALANCE https support industry siemens com cs ww en view 109745536 Siemens Industry Online Support ...

Страница 2: ...s arising from a breach of material contractual obligations shall however be limited to the foreseeable damage typical of the type of agreement unless liability arises from intent or gross negligence or is based on loss of life bodily injury or damage to health The foregoing provisions do not imply any change in the burden of proof to your detriment You shall indemnify Siemens against existing or ...

Страница 3: ...DCP Discovery 15 3 10 Quality of service traffic shaping 16 3 11 Redundancy 17 3 11 1 Ring redundancy 17 3 11 2 Spanning tree 19 3 11 3 Passive listening 20 3 12 Wireless LAN 21 3 12 1 WLAN encryption 21 3 12 2 WLAN layer 2 tunnel 21 3 12 3 WLAN iPCF 22 3 13 Configuration 22 3 13 1 Storage information with MSPS devices 22 3 13 2 Configuration backup 23 3 13 3 C PLUG Key PLUG 24 3 13 4 Scheduled re...

Страница 4: ...able of contents Checklist Article ID 109745536 V2 0 05 2022 4 Siemens AG 2022 All rights reserved 4 1 Service and support 31 4 2 Industry Mall 32 4 3 Links and literature 32 4 4 Change documentation 32 ...

Страница 5: ...nused protocols Only allow write protected access Change the default password Set up encryption Motivation The checklist in this overview document will support you when preparing SCALANCE devices It guides you through the various functions of SCALANCE devices and gives you some general recommendations for parameter assignment This checklist will help you prepare SCALANCE devices for operation with...

Страница 6: ... command line interface CLI There are essentially two variants of the configuration software platform for SCALANCE devices The functions and the configuration of these functions are typically identical or very similar With these variations in mind the SCALANCE devices are classified as follows X 200 and X 300 X 400 Devices based on Modular Switching Platform SCALANCE MSPS The following devices are...

Страница 7: ... client Disable PROFINET interface if not using PROFINET Enable time synchronization With SCALANCE X disable preset ring ports Disable spanning tree if it is not needed Disable the option SINEMA Configuration Interface If PROFINET data traffic is running over the device and no custom VLAN configuration is being used then enable VLAN 0 aware mode X 300 or 802 1D Transparent Bridge Enable WLAN encry...

Страница 8: ...evices Information Versions With X 200 and X 300 Agent System Version Numbers Recommendation Use the Latest firmware version If the SCALANCE device does not have the latest firmware perform an update The current versions can be found in Siemens Industry Online Support see 1 in chapter 4 3 3 2 Set up time synchronization Menu path You can find this information in the following paths With MSPS Syste...

Страница 9: ...SNMPv3 variant Tick the SNMPv1 v2 Read Only checkbox to prevent changes to the device configuration via unsecure SNMP Set requests Change the Community Strings for SNMPv1 v2c Note With SNMPv1 v2 data are transmitted over the wire in cleartext With SNMPv3 the client can neither write nor read without a valid logon Data are transmitted in encrypted form Recommendations for MSPS devices Use SSH Serve...

Страница 10: ...able the SINEMA Configuration Interface option if the device is not managed with TIA or SINEC NMS This turns off the configuration interface for these tools After commissioning set the DCP server to Read Only 3 4 Use secure FTP Menu path You can find this information System Load Save for MSPS devices Note on X 200 and X 300 devices The switches only support TFTP Recommendations for MSPS devices Do...

Страница 11: ...unt if it is not used Note With the X 200 and X 300 you are neither able to rename or delete the admin and user accounts Note on MSPS devices The user account cannot change the configuration If the password is not changed the settings are visible to all With MSPS devices you will be automatically prompted on the first logon to change the admin password Optionally you can also change the name of th...

Страница 12: ...r 3 9 This setting does not depend on the PROFINET status Remarks A restart is required for the changes to become effective Without a restart an improperly configured PROFINET controller could push parts of the configuration even without valid login credentials The port and ring settings are also part of the PROFINET configuration Note on PROFINET update time and watchdog time Check which update t...

Страница 13: ...owser when you open the WBM over HTTPS You can load your own certificates into the devices via HTTPSCert SSHPrivateKeyECDSA SSHPrivateKeyRSA as an alternative If the container is password protected enter the passwords under Passwords before loading In combination with a certificate authority CA it is possible to check in the browser whether it is connecting with the correct device or the correct I...

Страница 14: ... PROFINET name to be modified and a reset can also be triggered This can happen even if the login credentials are not known Read only access means the device no longer responds to DCP Set Requests With this setting it is not possible to assign parameters using engineering tools not even if the device remains visible Note If you run the SCALANCE device as a PROFINET device and enable DCP read acces...

Страница 15: ...n networks that interface with multiple parties DCP disabled restricted forwarding of DCP telegrams This constellation can result in addresses or names of third parties being assumed to be unassigned even when they are already in use Duplicate addresses may occur and cause network problems 3 9 3 DCP Discovery Menu path You can find this information in MSPS devices under System DCP Discovery Note D...

Страница 16: ... untagged setting causes the VLAN tag to be lost once the first switch has forwarded it The COS priority information is thereby removed as well COS and PROFINET If the PROFINET data traffic passes the VLAN capable device and advanced VLAN isolation is not necessary then use the settings below These settings will cause the VLAN tag to be retained With an X 300 enable VLAN 0 Aware mode in the Switch...

Страница 17: ...guaranteed maximum times are 200 ms for MRP and 300 ms for HRP The higher level application must be able to handle these brief interruptions during the switchover For devices that communicate via the ring the response watchdog time in PROFINET must be larger than the failover time To achieve a higher response watchdog time increase the update time or the number of retries If the application does n...

Страница 18: ...s connected the device becomes an HRP client If an MRP manager is connected the device becomes an MRP client If no ring manager is connected the device becomes an MRP manager ARD will never cause the device to become an HRP manager Menu path You can find this information in the following paths With MSPS Layer 2 Ring Redundancy With X 200 and X 300 X200 X300 Ring Redundancy Recommendation If the de...

Страница 19: ...ar which is currently active Therefore all devices must be contacted in order to find the current manager and ascertain the state Note You can find application examples on redundancy in Siemens Industry Online Support see 4 in chapter 4 3 3 11 2 Spanning tree Menu path You can find this information in the following paths With MSPS Layer 2 Spanning Tree With X 300 Switch Configuration and Switch ST...

Страница 20: ... Passive Listening is disabled by default on most SCALANCE X devices If there is no constellation in the network that relies on a coupling from STP to an HRP ring or MRP ring for example then disable Passive Listening Note Passive Listening causes the SCALANCE device to forward BPDUs An incoming topology change causes it to delete its MAC address table The SCALANCE device deletes the MAC address t...

Страница 21: ... secure protocols over the wireless link as well 3 12 2 WLAN layer 2 tunnel Menu path You can find this information in IWLAN devices in the following menu Interfaces WLAN Client Recommendation Set the MAC mode to Layer 2 Tunnel if the client and the access point are SCALANCE W devices Note As of firmware V6 0 Layer 2 Tunnel is the default setting once you enable the iPCF function Note The Layer 2 ...

Страница 22: ...y in parallel Immediately after modification in volatile RAM With a 60 second delay after the modification permanently in the flash storage and C PLUG where applicable The goal is to minimize write access to the flash while the user is making changes After each change in the WBM the following message will appear in the upper half of the screen Changes will be saved automatically in xy seconds Pres...

Страница 23: ... devices there is a distinction between Config and ConfigPack Both contain the settings from the WBM The ConfigPack also receives information about the users passwords and certificates The Config represents the pure settings from the WBM Use the ConfigPack for a full backup of the device Password protect the Config and the ConfigPack if necessary You have the option of saving the configuration on ...

Страница 24: ...ways saved automatically both internally and on the C PLUG Versions PLUG variants in currently in circulation are Item number Description Use 6GK1900 0AB00 C PLUG 32MB X200 X300 MSPS 6GK1900 0AB10 C PLUG 256MB MSPS The 32MB C PLUG currently functions in all SCALANCE devices The 256MB version is recommended for current MSPS devices The reason for this is the option for saving the firmware on the PL...

Страница 25: ...lash Changes are only stored in volatile RAM As long as you do not use Write Startup Config to save the configuration before the specified time runs out the device will restart and discard all changes that were made after Trial Mode was activated Recommendation Use Trial Mode if you wish to test a configuration Trial Mode does apply new settings but it does not save them to the configuration file ...

Страница 26: ... Negotiation Note If you use a fixed speed or mode setting instead of Auto Negotiation apply the fixed setting on both devices If you mix Auto Negotiation and fixed settings the Auto Negotiation participant will revert to half duplex Half duplex results in worse network performance compared to full duplex 3 14 2 System information Menu path You can find this information in the following paths With...

Страница 27: ...cation with the Syslog server 3 14 4 Limit key functions Menu path You can find this information in the following paths With MSPS System Configuration of SELECT SET Button With X 200 and X 300 System Select Set Button Recommendation In this menu you can disable the Reset function of the physical reset key on the module housing If available you can also disable the switchover of the ring functions ...

Страница 28: ...t first and switch off the specific port before the higher level switch disconnects the entire cell 3 14 7 Port mirroring Menu path You can find this information in the following paths With MSPS Layer 2 Mirroring With X 300 Switch Port Mirroring Recommendation If using port mirroring with VLAN capable switches make sure that the monitoring port is not a member in any VLAN no U M or T in the VLAN t...

Страница 29: ...the faster failover time 3 14 9 Default gateway Menu path You can find this information in the following paths With MSPS Layer 3 Static Routes With X 200 and X 300 Agent Recommendation Even if the devices currently do not need a default gateway future expansions may necessitate one for example if more subnets are added or if you set up remote maintenance Always set a default gateway in the devices...

Страница 30: ...wall General Note With SCALANCE S M devices you can completely disable the firewall in the settings Disabling the firewall has a side effect that is easy to miss As one may expect all communication between the interfaces is no longer subjected to filtering In addition all rules that limit access to the module services become inactive This means that all settings made under Predefined become void A...

Страница 31: ...ts Please send queries to Technical Support via Web form support industry siemens com cs my src SITRAIN Digital Industry Academy We support you with our globally available training courses for industry with practical experience innovative learning methods and a concept that s tailored to the customer s specific needs For more information on our offered trainings and courses as well as their locati...

Страница 32: ...ry siemens com 4 3 Links and literature Table 4 1 No Topic 1 Siemens Industry Online Support https support industry siemens com 2 Link to this entry page of this application example https support industry siemens com cs ww en view 109745536 3 Library for SNTP Server Functionality in SIMATIC S7 CPUs https support industry siemens com cs ww en view 82203451 4 Application examples on redundancy Appli...

Отзывы:

Нет отзывов

Похожие инструкции для SCALANCE

Falcon 8230 Installation Instructions Manual preview
8230
Бренд: Falcon Страницы: 12
Velocitek SC-1 Reference Manual preview
SC-1
Бренд: Velocitek Страницы: 81
ABS ABS-Lock X-Flat Instruction Manual preview
ABS-Lock X-Flat
Бренд: ABS Страницы: 8
ABS ABS-Lock X-DURCH Instruction Manual preview
ABS-Lock X-DURCH
Бренд: ABS Страницы: 8
ABS ABS-Lock DH05 Installation Manual preview
ABS-Lock DH05
Бренд: ABS Страницы: 8
Danfoss iSave 21 User Manual preview
iSave 21
Бренд: Danfoss Страницы: 106
Hantek Tablet1000 Series User Manual preview
Tablet1000 Series
Бренд: Hantek Страницы: 98
IFM AC1401 Device Manual preview
AC1401
Бренд: IFM Страницы: 175
IFM VSE150 Installation Instructions preview
VSE150
Бренд: IFM Страницы: 5
Jaga OXRE.015 Service Manual preview
OXRE.015
Бренд: Jaga Страницы: 32
Taylor C712 Operator Training preview
C712
Бренд: Taylor Страницы: 41
BANDELIN Sonorex Super RK 31 Service Instructions Manual preview
Sonorex Super RK 31
Бренд: BANDELIN Страницы: 21
Balluff BTL7-A/E501-M Series User Manual preview
BTL7-A/E501-M Series
Бренд: Balluff Страницы: 194
B.Pro SAW 1 Operating Instructions Manual preview
SAW 1
Бренд: B.Pro Страницы: 48
ABB Tina 1A Product Manual preview
Tina 1A
Бренд: ABB Страницы: 16
ABB ACS280 Quick Installation And Start-Up Manual preview
ACS280
Бренд: ABB Страницы: 2
Kellfri 26-GAATV360 Manual preview
26-GAATV360
Бренд: Kellfri Страницы: 44
SHOWTEC Spectral M950 Q4 Tour Manual preview
Spectral M950 Q4 Tour
Бренд: SHOWTEC Страницы: 24

Бренды по названию

Популярные бренды

Загрузить еще бренды