Siemens SIMATIC NET CP 443-1 Advanced Скачать руководство пользователя

Страница: 64 / 126

Configuration and operation

6.1 Security recommendations

CP 443-1 Advanced (GX30)

Manual, 03/2019, C79000-G8976-C256-05

Security functions of the product

Use the options for security settings in the configuration of the product. These includes

among others:

●

Protection levels
Configure access to the CPU under "Protection".

●

Security function of the communication
–

Enable the security functions of the CP and set up the firewall.
If you connect to public networks, you should use the firewall. Think about the services

you want to allow access to the station via public networks. By using the

"Transmission speed" of the firewall, you can restrict the possibility of flooding and

DoS attacks.
The FETCH/WRITE functionality allows you to access any data of your PLC. The

FETCH/WRITE functionality should not be used in conjunction with public networks.

–

Use the secure protocol variants HTTPS, FTPS, NTP (secure) and SNMPv3.

–

Leave access to the Web server of the CPU (CPU configuration) and to the Web

server of the CP disabled.

●

Logging function
Enable the function in the security configuration and check the logged events regularly for

unauthorized access.

●

Protection of the passwords of program blocks
Protect the passwords that are stored for the blocks in data blocks from being viewed.

The procedure is described below.

Know-how protection of blocks (STEP 7 V5)
You can prevent the contents of data blocks (e.g. passwords) from being read out by

protecting the block with the "KNOW_HOW_PROTECT" option. Follow the steps outlined

below in STEP 7:
1.

Select the DB in the block folder.

Open the block in the editor.

Close the block in the editor.

Generate a source from the block in the editor.

Select the source of the DB in the sources folder.

Open the source.

Insert an empty line in the header of the source and write "KNOW_HOW_PROTECT" in

this line.

Compile the source.
Result: The block is protected. You can recognize this by the padlock symbol of the DB in

the block folder.

Содержание SIMATIC NET CP 443-1 Advanced

Страница 1: ...________________ ___________________ SIMATIC NET S7 400 Industrial Ethernet CP 443 1 Advanced GX30 Manual Manual Part B 03 2019 C79000 G8976 C256 05 Preface Properties and services 1 Performance data 2 Requirements for use 3 LEDs 4 Installation and commissioning 5 Configuration and operation 6 Diagnostics and upkeep 7 Technical specifications 8 Approvals 9 Documentation references A ...

Страница 2: ...e operated only by personnel qualified for the specific task in accordance with the relevant documentation in particular its warning notices and safety instructions Qualified personnel are those who based on their training and experience are capable of identifying risks and avoiding potential hazards when working with these products systems Proper use of Siemens products Note the following WARNING...

Страница 3: ... at rear 3 Firmware version 4 LEDs 5 Gigabit interface 1 x 8 pin RJ 45 jack Security function The padlock symbol identifies the interface to the external non secure sub net 6 PROFINET interface 4 x 8 pin RJ 45 jack Security function Interface to the internal protected subnet 7 Label with MAC addresses Figure 1 CP 443 1 Advanced ...

Страница 4: ...he full product name CP 443 1 Advanced STEP 7 The name STEP 7 is used for the configuration tool instead of the names STEP 7 V5 5 and STEP 7 Professional New in this release New ATEX IECEx approval Revision of the system environment Editorial revision Note Make sure that you read the information relating to compatibility of the CP and enhanced functions in the section Enhanced functions Page 14 Re...

Страница 5: ... documentation in the Manual Collection article number A5E00069051 The SIMATIC NET Manual Collection DVD contains the manuals of all SIMATIC NET products current at the time it was created It is updated at regular intervals Version History Current Downloads for the SIMATIC NET S7 CPs The Version History Current Downloads for SIMATIC NET S7 CPs document provides information on all CPs available up ...

Страница 6: ...tect plants systems machines and networks against cyber threats it is necessary to implement and continuously maintain a holistic state of the art industrial security concept Siemens products and solutions constitute one element of such a concept Customers are responsible for preventing unauthorized access to their plants systems machines and networks Such systems machines and components should on...

Страница 7: ...ssary You will find the SIMATIC NET glossary on the Internet at the following address Link https support industry siemens com cs ww en view 50305045 Training Service Support You will find information on training service and support in the multilanguage document DC_support_99 pdf on the Internet pages of Siemens Industry Online Support Link https support industry siemens com cs ww en view 38652101 ...

Страница 8: ...Preface CP 443 1 Advanced GX30 8 Manual 03 2019 C79000 G8976 C256 05 ...

Страница 9: ...c data for PROFINET IO 28 2 6 Characteristic data for PROFINET CBA 29 2 6 1 Typical values and limit values 29 2 6 2 Cycle times 32 2 6 3 Reaction times 33 2 7 Characteristics of e mail mode 35 2 8 Characteristic data for FTP FTPS mode 36 2 9 Characteristic data of TCP connections for HTTP HTTPS 37 2 10 Characteristic data for the use of Java applets 37 2 11 Memory organization in the CP 4431 Adva...

Страница 10: ...as an IP router 73 6 6 Port configuration with redundant partners 73 6 7 PROFINET IO mode 74 6 7 1 How PROFINET IO devices start up in a large configuration 74 6 7 2 Reduce the communication allocation reserved for PROFINET IO when operating alongside other services 74 6 7 3 Prioritized startup in PROFINET IO 74 6 7 4 IRT communication Types of synchronization 75 6 7 5 Operating PROFINET IO device...

Страница 11: ... 3 The CP as Web server 96 7 4 Replacing older modules Module replacement upgrading 97 7 5 Replacing older modules CPs with configurable data management 100 7 6 Replacing a module without a programming device 101 7 7 Loading new firmware 103 7 8 Memory reset reset to factory defaults 104 8 Technical specifications 109 9 Approvals 111 A Documentation references 117 A 1 On configuring commissioning ...

Страница 12: ... 121 A 5 2 18 121 A 6 For application and configuration of PROFINET IO 122 A 6 1 19 122 A 6 2 20 122 A 7 On project engineering of PROFINET CBA 122 A 7 1 21 122 A 7 2 22 122 A 7 3 23 122 A 7 4 24 123 A 8 On setting up and operating an Industrial Ethernet network 123 A 8 1 25 123 Index 125 ...

Страница 13: ...imple diagnostics and is equipped with a combined RXD TXD LINK dual LED For special situations each port can also be set to a fixed mode manually using STEP 7 for example 10 or 100 Mbps half duplex full duplex Gigabit interface with security access The CP also has an Ethernet interface complying with the gigabit standard IEEE 802 3ab This is independent of the PROFINET interface and supports autoc...

Страница 14: ...LS see Characteristics of e mail mode Page 35 Use of the CP as a purely diagnostics CP via the gigabit interface without networking the PROFINET interface see Diagnostics options Page 95 Configuration of passive TCP connections between a CP and a redundant partner with the identical number of the local port see Port configuration with redundant partners Page 73 Expansion of the protection concept ...

Страница 15: ...ault tolerant systems H systems is also possible on the gigabit interface Expansions on the interface to the user program New program block AG_CNTEX for connection and system diagnostics with PING functionality Expanded program block FTP_CMD for FTP services allows the establishment of secure SSL connections Functional improvements The overall communication speed of the CP during simultaneous oper...

Страница 16: ...e optimizes data traffic as the result of topology planning Note IRT with the option high flexibility is now only supported when a CP GX20 is replaced Note IRT communication or MRP If you are using IRT communication no media redundancy is supported Shared device As a PROFINET IO controller individual submodules of an IO device can be assigned to the CP Read the information in 19 Page 122 regarding...

Страница 17: ...stablishment is always initiated by a SIMATIC S5 or a device from another range PC LOCK UNLOCK with FETCH WRITE services CPU dependent see section Requirements for use Page 41 Open TCP IP communication Open TCP IP communication provides a program interface for the transfer of connection oriented and connectionless services The establishment and termination of connections is initiated here only via...

Страница 18: ...rtual Private Network over IPsec tunnels the CP protects individual devices or even entire automation cells from unauthorized access The CP allows this protection flexibly without repercussions protocol independent as of Layer 2 according to IEEE 802 3 The secure protocols HTTPS FTPS NTP secure and SNMPv3 can also be activated Communication in the internal network PROFINET interface If security is...

Страница 19: ...zed in the entire S7 station If security is enabled the CP supports the NTP secure protocol for secure time of day synchronization and transfer of the time of day Addressable with the factoryset MAC address To assign the IP address to a new CP direct from the factory it can be accessed using the preset MAC address on the interface being used Online address assignment is made in STEP 7 SNMP agent T...

Страница 20: ...are updates The Web pages contain the following information Module and status information Information on security functions Special information on S7 connections Diagnostics buffer extract request With the aid of a Web browser the CP supports the option of obtaining an extract of the diagnostics buffer containing the most recent diagnostics events of the CPUs and CPs located in the same S7 station...

Страница 21: ...nterface CP during startup The CP remains in STOP mode CP in RUN mode There is an LED indication BUS2F LED and an entry in the diagnostics buffer the CP remains in RUN mode Characteristics of the gigabit interface CP during startup The CP changes to RUN the BUS1F LED is lit and the CP cannot be reached via the gigabit interface CP in RUN mode There is an LED indication BUS1F LED and an entry in th...

Страница 22: ...Properties and services 1 4 Further services and characteristics of the CP CP 443 1 Advanced GX30 22 Manual 03 2019 C79000 G8976 C256 05 ...

Страница 23: ...described in 17 Page 121 You will find a complete overview of the permitted configuration limits on the Internet at the following address Link https support industry siemens com cs ww en view 58217657 2 1 General characteristic data Characteristic Explanation values Total number of connections on Industrial Ethernet 128 The value applies to the total number of connections of the following types S7...

Страница 24: ...128 max of those max 62 H connections LAN interface data field length generated by CP per protocol data unit sending receiving 480 bytes PDU 480 bytes PDU Number of PG connections Number of OP connections 2 max 30 max Note Effects of connections in the SPEED SEND RECV mode Note the effects of connections on the SEND RECEIVE interface that are used in the SPEED SEND RECEIVE mode The maximum configu...

Страница 25: ...es of a receiving CP are not permanently exceeded by the sender approximately 150200 messages per second 2 TCP connections for FTP Of the available TCP connections a maximum of 20 TCP connections can be configured used with the Use FTP protocol option see sec tion 5 7 Page 36 Number of SEND RECV connections in SPEED SEND RECV mode The number depends on the CPU type being used Per CPU 412 414 maxim...

Страница 26: ...other words the loss of messages is not detected or displayed by the send blocks AG_SEND or AG_LSEND No receipt of UDP broadcast To avoid overload due to high broadcast load the CP does not allow reception of UDP broadcasts As an alternative use the multicast function over a UDP connection This allows you to register the CP as a node in a multicast group UDP frame buffering Length of the frame buf...

Страница 27: ...ated by the CP At an assignment of 1 CP per CPU the maximum number of SEND RECEIVE calls that can be used at one time is limited as follows SEND calls short AG_SEND CPU 416 417 max 64 calls per CPU CPU 412 414 max 24 calls per CPU SEND calls long AG_LSEND CPU 416 417 max 32 calls per CPU CPU 412 414 max 12 calls per CPU RECEIVE calls short AG_RECV CPU 416 417 max 64 calls per CPU CPU 412 414 max 2...

Страница 28: ...munication provides a program interface for the transfer of connection oriented and connectionless services The establishment and termination of connections is initiated here only via the dynamic program interface The CP supports communication via ISO on TCP connections for this interface Table 2 3 Open TCP IP communication Characteristic Explanation values Number of dynamically generated connecti...

Страница 29: ...s when downloading the configuration data Note Note the following for PROFINET IO If you use modules with 32 bytes of input output data this can lead to I O access errors access errors are entered in the diagnostics buffer of the CPU These I O access errors occur during operation only in the consistent user data mode and with a low OB1 cycle time 2 6 Characteristic data for PROFINET CBA Note PROFI...

Страница 30: ...tures acyclic interconnections maximum 2048 bytes 8192 bytes 1452 bytes Data length for arrays and structures cyclic interconnections maximum 250 bytes 250 bytes 250 bytes Data length for arrays and structures local interconnections maximum 2400 bytes 1452 bytes Remote interconnections with acyclic transmission Scanning frequency Scanning inter val min Selectable values 100 200 500 and 1000 ms fas...

Страница 31: ...es of the type Char can be interconnected 1000 bytes 2000 bytes 1452 bytes Data length of all outgoing intercon nections 1000 bytes 2000 bytes HMI variables over PROFINET acyclic Number of stations that can register for HMI variables PN OPC iMap Stations are 2 PN OPC and 1 SIMATIC iMap 3 HMI variable update 500 ms minimum Number of HMI variables 200 maximum Data length of all HMI variables 1600 by...

Страница 32: ... sum of several input properties for example in the case of a byte array 8191 bytes 1 byte Lifestate The value is not checked by iMap Note Data length and data type in PROFINET CBA You will find information about the data length and data type in PROFINET CBA communication in the online help of SIMATIC iMap and in the manuals for PROFINET CBA See section On project engineering of PROFINET CBA Page ...

Страница 33: ...ion It can be seen that in contrast to operation over a CPU network attachment the OB1 cycle remains practically uninfluenced by the CBA communication if PROFINET CBA is operated over a CP 4431 Advanced Legend 1 OB1 cycle with 32 PROFINET CBA partners and network attachment on the CPU 317 2 PN DP 2 OB1 cycle with 5 PROFINET CBA partners and network attachment on the CPU 317 2 PN DP 3 OB1 cycle wit...

Страница 34: ...commissioning and if necessary change the configuration Measurements in a sample configuration Measurements were made to help you to estimate the influence of the configured transfer frequency and the configuration interface DB with cyclic PROFINET CBA interconnections These measured results relate to a certain sample device configuration Two S7400 stations each with a CP 4431 Advanced were used h...

Страница 35: ...rded lines 1 50 ms 2 20 ms 3 10 ms Figure 2 3 Reaction times of the interface DB Evaluation From the diagram you can see that the transfer frequencies configured at 10 ms or 20 ms in the sample configured are not achieved On the other hand at a configured transfer frequency of 50 ms a corresponding reaction time of 50 ms with 2400 bytes is kept to Note The values of the utilization parameters disp...

Страница 36: ...refer to the section Importing certificates for SMTP with STARTTLS or FTPS Page 82 2 8 Characteristic data for FTP FTPS mode TCP connections for FTP FTPS FTP actions are transferred from the CP over TCP connections Depending on the mode the following characteristic data applies FTP in client mode You can configure a maximum of 20 FTP connections Up to 2 TCP connections are occupied per configured ...

Страница 37: ...ctions for HTTP HTTPS For HTTP access up to 32 TCP connections are available When necessary these TCP connections are used by one or more Web browsers to display data or files of the CP 2 10 Characteristic data for the use of Java applets To transfer larger amounts of data efficiently from the S7BeansAPI using Java applets and the Java bean S7Variable you can make use of arrays Maximum array size ...

Страница 38: ...s data to be stored and retained if there is a power down Since the number of times it is possible to write to this area is restricted you should avoid repetitive write operations to this area when such operations are necessary write to RAM Note The flash area of the file system allows a limited number of write cycles approximately 100 000 You should therefore avoid writing data cyclically If you ...

Страница 39: ...le to make the file name casesensitive in the Options tab of the CP properties dia log File size The file size is limited to a maximum of 8 MB Memory area for the file system Flash area nonvolatile memory 30 MB RAM area volatile memory 30 MB 2 12 Characteristic data of the integrated 4port switch Learning addresses deleting addresses aging time The switch integrated in the CP reads the source addr...

Страница 40: ...Performance data 2 12 Characteristic data of the integrated 4port switch CP 443 1 Advanced GX30 40 Manual 03 2019 C79000 G8976 C256 05 ...

Страница 41: ...ers in the S7400 station A total of 10 CPs can be operated as controllers for the distributed I O PROFINET IO controllers or DP masters of those however only up to 4 as PROFINET IO controllers Note the following regarding multiprocessor mode When operating the CP as a PROFINET IO controller only the process image of the assigned CPU can be distributed via the CP 3 2 System environment General requ...

Страница 42: ...ith CPUs with firmware versions up to and including V5 1 no PROFINET IO operation is possible Table of compatible CPUs The CP is supported by the S7400 CPUs with the article numbers and firmware versions as shown in the following table The table also contains the following information The number of CPs that can be operated with one CPU The number of CPU resources for SEND RECEIVE calls CPUs that s...

Страница 43: ...PN DP 414 3EM06 0AB0 as of V6 0 2 2 14 24 24 CPU 414 3 PN DP 414 3EM07 0AB0 V7 0 2 14 24 24 CPU 414F 3 PN DP 414 3FM06 0AB0 as of V6 0 2 2 14 24 24 CPU 414F 3 PN DP 414 3FM07 0AB0 V7 0 2 14 24 24 CPU 416 2 416 2XK04 0AB0 V4 1 2 14 64 64 CPU 416 2 416 2XN05 0AB0 V5 1 as of V5 2 2 2 14 14 64 64 64 64 CPU 416 2 416 2XP07 0AB0 V7 0 2 14 64 64 CPU 416 2F 416 2FP07 0AB0 V7 0 2 14 64 64 CPU 416 3 416 3XL...

Страница 44: ...8 0AB0 as of V8 0 x 2 14 64 64 CPU 410 SMART 3 410 5HN08 0AB0 as of V8 1 x 2 14 64 64 CPU 410E 3 410 5HM08 0AB0 V8 2 2 14 64 64 Legend The feature is supported the specified mode is possible The feature is not supported the specified mode is not possible 1 The calculation of the maximum number of SEND RECEIVE calls that can be used simultaneously per CP is described in the section Characteristic d...

Страница 45: ...ed in this document can be used STEP 7 Professional STEP 7 Professional V13 The following are not supported PROFINET CBA Innovations of firmware version V3 2 You will find the HSP on the Internet pages of Siemens Industry Online Support at the following address Link https support industry siemens com cs ww en view 23183356 You will find the program block library on the Internet pages of Siemens In...

Страница 46: ...VPN tunnels with PCs SOFTNET Security Client for VPN tunnels with PCs The operation of VPN tunnels between a SOFTNET Security Client and the CP 443 1 GX30 has been released as of the following version of the SOFTNET Security Client SOFTNET Security Client V4 0 Hotfix 1 3 5 Programming Program blocks For some communications services there are preprogrammed program blocks FCs FBs available as the in...

Страница 47: ...ks AG_SEND FC5 and AG_RECV FC6 or alternatively the program blocks AG_LSEND FC50 and AG_ LRECV FC60 Transfer of blocks of data 240 bytes to 8192 bytes You require the program blocks AG_LSEND FC50 and AG_LRECV FC60 Accelerated transfer of blocks of data 1452 bytes You require the program blocks AG_SSEND FC53 and AG_SRECV FC63 The length depends on the protocol Note Multicomputing mode Note that in ...

Страница 48: ...Requirements for use 3 5 Programming CP 443 1 Advanced GX30 48 Manual 03 2019 C79000 G8976 C256 05 ...

Страница 49: ...ing meaning INTF Internal error EXTF External error BUS1F Gigabit interface bus fault BUS2F PROFINET interface bus fault TXD Frame traffic sending over Ethernet not relevant for PROFINET IO data RXD Frame traffic receiving over Ethernet not relevant for PROFINET IO data MAINT Maintenance necessary diagnostics buffer RUN RUN mode STOP STOP mode X1P1 Link status activity of the port of the gigabit i...

Страница 50: ...ve wrong C PLUG type or not inserted The following applies in this status The CPU or intelligent modules in the rack remain accessible using PG functions over MPI or the ISO protocol SNMP functionality and access over HTTP or FTP are not possi ble No link on any port or Double IP address detected during CP operation RUN with external error one or more IO devices are not obtainable only BUS2F RUN w...

Страница 51: ...er in Web diagnostics The firmware download was aborted STOP LED and RUN LED flash alter nately Firmware activation after loading us ing the Firmware Loader is active does not apply to loading via the update center in Web diagnostics Module fault system error The behavior applies to BUS1F and BUS2F if there is no restriction listed in the CP mode column See also the section Unused PROFINET interfa...

Страница 52: ...r PROFINET IO Note All received sent frames are signaled for each specific port including those simply forwarded by the switch Continuous data transfer at the port over Ethernet on PROFINET ports for example PROFINET IO Table 4 2 Legend Symbol Meaning ON OFF Flashing any Module identification with flashing LED PROFINET interface With the help of Web diagnostics or the online functions of STEP 7 yo...

Страница 53: ... equipment according to the standard IEC 61010 2 201or UL 508 CSA C22 2 No 142 To fulfill requirements for safe operation with regard to mechanical stability flame retardation stability and protection against contact the following alternative types of installation are specified Installation in a suitable cabinet Installation in a suitable enclosure Installation in a suitably equipped enclosed cont...

Страница 54: ...ional Electrical Code r ANSI NFPA 70 WARNING EXPLOSION HAZARD DO NOT CONNECT OR DISCONNECT EQUIPMENT WHEN A FLAMMABLE OR COMBUSTIBLE ATMOSPHERE IS PRESENT WARNING EXPLOSION HAZARD SUBSTITUTION OF COMPONENTS MAY IMPAIR SUITABILITY FOR CLASS I DIVISION 2 OR ZONE 2 WARNING When used in hazardous environments corresponding to Class I Division 2 or Class I Zone 2 the device must be installed in a cabin...

Страница 55: ...operating temperature of at least 80 C WARNING Take measures to prevent transient voltage surges of more than 40 of the rated voltage This is the case if you only operate devices with SELV safety extra low voltage 5 1 3 Notices on use in hazardous areas according to UL HazLoc WARNING EXPLOSION HAZARD DO NOT DISCONNECT WHILE CIRCUIT IS LIVE UNLESS AREA IS KNOWN TO BE NON HAZARDOUS This equipment is...

Страница 56: ... remove the CP when the power is on If you remove the CP when the power supply is on the CPU changes to STOP and indicates I O error After inserting the module with power applied it is essential to turn the power supply off and on again Note If the CP is operated without PROFINET IO it is possible to insert and remove the CP when the power is on without affecting the CPU 2 Plugging in the CP Fit i...

Страница 57: ...d the interfaces have been networked Note Autocrossing mechanism effects on the attachments For small local area networks or for attaching several Ethernet devices a 4port switch has been integrated in the CP 4431 Advanced With the autocrossing mechanism integrated in the switch it is possible to use a standard cable to connect the laptop or PG PC A crossover cable is not necessary Please note the...

Страница 58: ...e and gigabit interface physically to separate networks If the two interfaces are not separated problems can occur when establishing an S7 connection using the ISO protocol under the following conditions Connections to the same partner address were configured via different interfaces When an S7 connection configured at one end needs to be established 5 3 Commissioning The steps for commissioning t...

Страница 59: ...LINE access point 2 Use the diagnostics functions during commissioning and to analyze problems You will find an overview of the options in the section Diagnostics options Page 95 3 Optional when using with PROFINET CBA Download the PROFINET CBA component using SIMATIC iMap If the S7 station in which the CP is operated is used as a PROFINET CBA component the interconnections are downloaded using SI...

Страница 60: ...38 This configuration plug simplifies replacement of modules By simply exchanging the plug all the data can be transferred to the replacement module Under article number 6GK1 900 0AB00 the C PLUG is also available with a size of 256 MB Note Startup The CP will not start up without a CPLUG Area of application The C PLUG is an exchangeable medium for storage of the configuration data of the basic de...

Страница 61: ... by a compatible device type This allows fast and simple replacement of the basic device If a device is replaced the C PLUG is taken from the failed component and inserted in the replacement As soon as it starts up the replacement automatically has the same device configuration as the failed device Using a CPLUG with old configuration data Use only C PLUGs that are formatted for the CP 443 1 Advan...

Страница 62: ...el is configured for the CPU See section Effects of protection levels Page 67 for information on this Diagnostics displays on the device General malfunctions of the C PLUG are signaled by the diagnostics mechanisms of the CP LED display If you insert a C PLUG containing the configuration of an incompatible device type this is also indicated by the LED display See section LEDs Page 49 ...

Страница 63: ...tures on the Siemens Internet pages Here you can find information on Industrial Security Link http www siemens com industrialsecurity Here you will find information on security in industrial communication Link http w3 siemens com mcms industrial communication de ie industrial ethernet security Seiten industrial security aspx You will find a publication on the topic of network security 6ZB5530 1AP0...

Страница 64: ... FTPS NTP secure and SNMPv3 Leave access to the Web server of the CPU CPU configuration and to the Web server of the CP disabled Logging function Enable the function in the security configuration and check the logged events regularly for unauthorized access Protection of the passwords of program blocks Protect the passwords that are stored for the blocks in data blocks from being viewed The proced...

Страница 65: ...a certification authority including key revocation and management to sign certificates Make sure that user defined private keys are protected and inaccessible to unauthorized persons It is recommended that you use password protected certificates in the PKCS 12 format Verify certificates and fingerprints on the server and client to prevent man in the middle attacks It is recommended that you use ce...

Страница 66: ...otocol Default port status Open The port is open at the start of the configuration Closed The port is closed at the start of the configuration Configurable port The port can be configured The port cannot be configured Authentication Specifies whether the communication partner is authenticated Encryption Specifies whether the transfer is encrypted Ports of communication partners and routers Make su...

Страница 67: ...ctions ISO transport ISOonTCP TCP UDP connections are terminated Downloading interconnections for PROFINET CBA communication is not possible The following the functions are disabled Time of day synchronization PROFINET CBA PROFINET IO The following functions remain enabled The configuration and diagnostics of the CP system connections for configuration diagnostics and PG channel routing are retain...

Страница 68: ...the user program IP_CONFIG you cannot assign an IP address to the CP with the Primary Setup Tool PST Formatting the C PLUG It is not possible to format the C PLUG of the CP Remove the protection level of the CPU to take this action Resetting memory reset It is not possible to reset or to reset the memory of the CP Remove the protection level of the CPU to take this action Downloading configuration...

Страница 69: ... direct possible communications path to communications partner X Because it is not connected the gigabit interface is actually not available and communication cannot be established Separating the PROFINET and the gigabit interface It is advisable to separate the PROFINET interface and gigabit interface physically If the two interfaces are not separated problems can occur when establishing an S7 co...

Страница 70: ...al configuration If you have set a port to manual configuration and select the Disable autonegotiation option the autocrossing mechanism is also disabled for this port The port then behaves like the interface of a switch In this case the following applies Connecting an end device To connect an end device that does not have the autocrossing mechanism for example CP 4431 with article number 6GK7 443...

Страница 71: ...dual network settings only over MPI If you modify the LAN settings in the properties dialog of the CP in the Options tab using the Transmission medium Duplex drop down list these changes will be adopted by the CP and activated when the configuration data is downloaded to the target system STEP 7 In some situations the device may then no longer be obtainable over Ethernet We therefore recommend tha...

Страница 72: ...n level is configured for the CPU See section Effects of protection levels Page 67 for information on this 6 5 2 3 Restart after detection of a duplicate IP address in the network To save you timeconsuming troubleshooting in the network the CP detects double addressing in the network Behavior during operation CP in RUN If the CP detects double addressing on the network new node with an IP address ...

Страница 73: ...vice versa The CP controls access permission according to the configuration An extensive network with further IP subnets can be connected to one of the Ethernet interfaces To allow this an external router can be configured on this interface that handles the forwarding for nodes that are not reachable directly Enter the IP address of this router for the relevant interface in Default router in the S...

Страница 74: ... PROFINET IO when operating alongside other services If cyclic data exchange over PROFINET IO is operating at the same time on the same Ethernet subnet set the communications allocation for PROFINET IO in the properties dialog of the PROFINET IO system to a value 100 Reason At the default setting 100 the communication time is reserved primarily for PROFINET IO data exchange Reducing the communicat...

Страница 75: ...stem In STEP 7 select the properties of the PROFINET interfaces for the relevant IO devices Prioritized startup requires fixed port settings You will find further information on this in the system descriptions of PROFINET IO 19 Page 122 20 Page 122 Note Changing the configuration behavior on startup After changing the configuration of an IO device to prioritized startup the time required for the f...

Страница 76: ...t firmware versions on the Internet at the following address Link https support industry siemens com cs ww en view 22810435 6 7 6 Shared device using the router address Shared devices allow more than one PROFINET IO controller to access different submodules of the same PROFINET IO device CP as PROFINET IO controller with shared device The information below applies if all the following requirements...

Страница 77: ...a redundancy The CP itself can be redundancy manager For more detailed information on configuration refer to the online help of the Media redundancy parameter group and in Part A of the manual 2 Page 118 Note If you are using IRT communication no media redundancy is supported 6 9 Interface in the user program 6 9 1 Call interface for open communications services SEND RECV Change call parameters on...

Страница 78: ...controlled IP configuration in 12 Page 120 6 9 3 IP access protection with programmed communications connections In principle it is possible to set up communications connections using program block IP_CONFIG FB55 by programming and at the same time by configuring IP access protection When configuring specified connections active endpoints in STEP 7 the IP addresses of the partners are entered auto...

Страница 79: ... provides a UDT for the connection parameter assignment and four program blocks FBs UDT 65 TCON_PAR with the data structure for connection parameter assignment FB65 TCON for connection establishment FB66 TDISCON for connection termination FB63 TSEND for sending data FB64 TRCV for receiving data TCP IP communication is connectionoriented Data can be transmitted only when a connection has been estab...

Страница 80: ... high communications load Reason When using the CP described here the points below will help you to avoid overload situations on your CPU In particular when you replace an older CP with the CP described here and are then confronted with overload problems you should check your application for the pitfalls outlined below Known problems The program blocks for sending and receiving AG_SEND AG_RECV FC5...

Страница 81: ...cally in OB1 If necessary reduce the time taken for communication processing on the CPU by changing the parameter Scan cycle load from communication in the properties of the CPU 6 10 Security 6 10 1 Using VPN effects on communication Communication via VPN tunnel Communication via a VPN tunnel reduces speed compared with communication outside a VPN tunnel In mixed operation with S7 communication an...

Страница 82: ...sses not entered in the list becomes effective 6 10 4 Importing certificates for SMTP with STARTTLS or FTPS Certificate for authentication To import a certificate you need to enable the security functions of the CP in STEP 7 You import the certificate using the certificate manager in STEP 7 Follow the steps outlined below 1 Open the certificate manager STEP 7 V5 SCT Options Certificate manager STE...

Страница 83: ... extended NTP configuration you can create and manage additional NTP servers including those of the type NTP secure Note No automatic changeover to daylight saving is defined in the NTP protocol As a result you may need to implement this changeover using a program application If an NTP frame is detected by the CP as not exact the time of day frame is not forwarded on the K bus This can occur with ...

Страница 84: ... delivers the content of certain MIB objects according to the MIB II standard LLDP MIB Automation System MIB and MRP Monitoring MIB The CP continues to support data queries via SNMPv3 security enabled Supported MIBs The CP supports the following groups of MIB objects of the standard MIB II according to RFC1213 System Interfaces IP ICMP TCP UDP SNMP Address Translation AT The other groups of the MI...

Страница 85: ...ifTable provide the status information of the interfaces The ifIndex object identifier is assigned to the CP interfaces as follows Table 6 1 ifIndex ifIndex Type of interface 1 Gigabit interface 2 5 1 4 Port 1 4 PROFINET interface 6 5 Internal CP interface If the gigabit interface is not configured the value 1 is assigned to the first port of the PROFINET interface the next values then move accord...

Страница 86: ...h a packet size of more than 1000 bytes are evaluated as an attack and filtered by the CP This response is intentional and improves the robustness of the CP in an industrial environment A ping simply serves to check reachability There is therefore no need to support extremely long ICMP packets 6 14 Use in the H system H connections not via VPN The CP does not support operation of H connections fau...

Страница 87: ...nections between the PROFINET CBA components with SIMATIC iMap Note Requirements Configuration for PROFINET CBA is only possible with STEP 7 V5 5 For details see section Project engineering Page 45 Operation under PROFINET CBA is supported only via the PROFINET interface The following information on configuration therefore relates only to the configuration of the PROFINET interface Note PROFINET C...

Страница 88: ...ion with STEP 7 During configuration remember the following requirements for subsequent use with PROFINET CBA Configure the modules for the S7400 station in STEP 7 HW Config You can assign the option Use this module for PROFINET CBA communication to one and one only CP 4431 Advanced in an S7400 in the PROFINET tab In multicomputing the PROFINET CBA function is handled by the CPU that you assigned ...

Страница 89: ...one in the plant view of SIMATIC iMap Representation in SIMATIC iMap Network view in SIMATIC iMap The following graphic shows the network view of SIMATIC iMAP and illustrates how a CP 4431 Advanced in an S7400 station establishes a connection between DP slaves on PROFIBUS DP and the S7400 station on Industrial Ethernet over an IE PB Link 1 S7400 stations with CP 443 1 Advanced Figure 6 1 Network v...

Страница 90: ...only be changed in STEP 7 S7400 station as standard component Addresses and properties can only be changed in SIMATIC iMap Downloading configuration data When using PROFINET CBA downloading configuration data depends on the component type of the S7400 station as follows Case A S7400 station as singleton component To download with STEP 7 follow the steps below 1 Download the user program and config...

Страница 91: ...ding interconnections from SIMATIC iMap for example power down on the target station it is not always possible to download the interconnections again when the power returns If this error occurs SIMATIC iMap reports the station as being unreachable Remedy Put the CP 4431 Advanced through a STOP RUN cycle using the PG command This returns the target station to an operable status and allows the inter...

Страница 92: ...Map Communication with conventional devices on the other hand requires that the connections are configured in STEP 7 Recommended procedure For communication between a PROFINET CBA device and a conventional device use S7 or ISO transport TCP or ISOonTCP connections Configure the S7 and TCP connections in STEP 7 as follows for S7 communication PROFINET CBA device single ended passive partner unspeci...

Страница 93: ...ble user programs in STEP 7 to handle communication with the conventional devices 3 Then generate the PROFINET CBA component in STEP 7 and enter this in the SIMATIC iMap library 4 Interconnect the PROFINET CBA component in SIMATIC iMap 5 Download the user program and configuration data to the S7400 station with STEP 7 6 Downloading the interconnection information of the process inputs and process ...

Страница 94: ...Configuration and operation 6 15 Using the CP for PROFINET CBA CP 443 1 Advanced GX30 94 Manual 03 2019 C79000 G8976 C256 05 ...

Страница 95: ...ne Diagnostics shortcut menu 3 In the Security parameter group click the Connect online button In this way you perform the security diagnostics via port 443 7 2 Diagnostics options Overview of the Diagnostics options The following diagnostics options are available LEDs of the module For information on the LED displays refer to the section LEDs Page 49 Web diagnostics For information on Web diagnos...

Страница 96: ...ta If you only want to use the CP as an intermediary for diagnostics data of the station as of firmware version 3 2 you can network only the gigabit interface and for example establish a VPN tunnel to a PC via this interface The PROFINET interface does not need to be networked 7 3 The CP as Web server The CP provides you with the functionality of a web server for access by means of a web browser N...

Страница 97: ...t Web diagnostics can be found in the general Part A of this manual 2 Page 118 Enabling the Web server function To use the Web server functionality of the CP enable the relevant option in STEP 7 in the module properties Web parameter group The Web server function is enabled as default For detailed information on the Web server and Web diagnostics refer to the general Part A of this manual 2 Page 1...

Страница 98: ...o be supported You can also upgrade modules listed in Module replacement This is necessary when new characteristics that were not available in the previously used module are required Note The modules CP 443 1 EX30 and CP 443 1 Advanced GX30 cannot be used as spares to replace each other see below You can however upgrade the EX30 with a GX30 if you change the configuration Replacing a device The CP...

Страница 99: ...r GX20 EX40 or EX41 this does not however affect the operation of the new CP GX30 If you do not however want to keep this identifier you will either have to use the C PLUG supplied with the new module or reformat the C PLUG of the old module You will then however have to provide the CP with its original IP address node initialization Step 2 Adapting the configuration upgrading an EX40 1 In the STE...

Страница 100: ...nt without PG in other words with data management on the CP Variant A Adapting the STEP 7 project preferred solution If you adopt the configuration data unchanged and therefore leave the data management on the CP do not use the option of data storage protected from power down with the new CP For this reason we recommend that whenever possible you adapt the existing configuration to the new CP type...

Страница 101: ...ing and diagnostics possible using the existing IP address The IT functionality available on the new CP corresponds to the range of functions of the predecessor module If you want to use the new IT functions of the GX30 you will need to change the configuration with the necessary STEP 7 version 7 6 Replacing a module without a programming device General procedure The configuration data of the CP i...

Страница 102: ...dule replacement Special feature of IP address assignment from a DHCP server When configuring in the Properties dialog you can specify the IP configuration of the CP One option here is that the CP obtains the IP address from a DHCP server Note Recommendation Configuring a client ID When replacing modules remember that the factoryset MAC address of the new module is different from the previous modu...

Страница 103: ...orts the storage of several firmware versions Using the firmware load function in the update center you can activate the required firmware version Requirement The Firmware download via Web option is selected in the configuration and the user rights have been set Note the descriptions of firmware downloads in the manual Part A 2 Page 118 Note Security functions enabled If the Security functions are...

Страница 104: ...s interrupted Disturbances or collisions on the network can lead to packets being lost In such cases this can lead to an interruption of the firmware download The firmware loader then signals a timeout or negative response from the module being loaded En entry is made in the diagnostics buffer The CP restarts with the firmware that existed before the aborted download Repeat the download using the ...

Страница 105: ...r information on this How to use the functions You can start the memory reset functions in STEP 7 The CP must be in STOP When you reset memory using special diagnostics the CP is automatically changed to STOP Memory reset In STEP 7 V5 5 with the menu command PLC Clear Reset In STEP 7 special diagnostics with the Operating Mode Clear Reset Module menu command In STEP 7 Professional with STEP 7 spec...

Страница 106: ...ou can also initiate this loading by cycling power OFF ON This has the following overall effect Figure 7 1 Memory following a memory reset Reset to factory defaults effects After resetting to factory defaults the CP always retains the factory set MAC address as supplied The IP address and the configuration data in the CP RAM are deleted The configuration data is retained on the CPU The data in the...

Страница 107: ...information is therefore deleted in this procedure Security configuration data when running a memory reset in STEP 7 V5 5 The behavior of the configuration data for the security functions when memory is reset depends on the STEP 7 version used for the reset STEP 7 V5 5 SP2 Memory reset with STEP 7 special diagnostics The security configuration is deleted during the memory reset Memory reset with t...

Страница 108: ...Diagnostics and upkeep 7 8 Memory reset reset to factory defaults CP 443 1 Advanced GX30 108 Manual 03 2019 C79000 G8976 C256 05 ...

Страница 109: ... switch 5 minutes Special features of the X2P1R and X2P2R ports Integration in ring topology MRP possible Permitted cable lengths Ethernet Alternative combinations per length range 0 55 m Max 55 m IE TP Torsion Cable with IE FC RJ45 Plug 180 Max 45 m IE TP Torsion Cable with IE FC RJ45 10 m TP Cord via IE FC RJ45 Outlet 0 85 m Max 85 m IE FC TP Marine Trailing Flexible FRNC Festoon Food Cable with...

Страница 110: ...pacity 30 MB Number of write cycles Max approx 100 000 Product functions For details refer to the catalog IK PICabling technology You will find the product functions in the section Properties and services Page 13 Can be ordered separately as an accessory C PLUG 256 6GK1900 0AB01 Total capacity 256 MB Freely available capacity 126 MB Number of write cycles Max approx 200 000 For further data refer ...

Страница 111: ...ollers which are published in the official documentation of the European Union 94 9 EC ATEX explosion protection directive up to 19 04 2016 Directive of the European Parliament and the Council of March 23 1994 on the approximation of the laws of the Member States concerning equipment and protective systems intended for use in potentially explosive atmospheres 2014 34 EU ATEX explosion protection d...

Страница 112: ...type Certificates certificate type EC Declaration of Conformity IECEx The product meets the requirements of explosion protection according to IECEx IECEx classification nA IECEx classification Ex nA IIC T4 Gc Certificate no DEK 14 0034 X The products meet the requirements of the following standards IEC 60079 0 Hazardous areas Part 0 Equipment General requirements IEC 60079 15 Hazardous areas Part ...

Страница 113: ...N 60079 15 Hazardous areas Part 15 Equipment protection by type of protection n ec ATEX classification II 3 G Ex ec nC IIC T4 Gc Certificate no DEKRA 18ATEX0027 X The products meet the requirements of the following standards EN 60079 0 Hazardous areas Part 0 Equipment General requirements EN 60079 7 Hazardous areas Part 7 Equipment protection through increased safety e The current versions of the ...

Страница 114: ...Laboratories Inc UL 508 Listed Industrial Control Equipment Canadian Standards Association CSA C22 2 No 142 Process Control Equipment Report UL file E85972 NRAG NRAG7 cULus Hazardous Classified Locations Underwriters Laboratories Inc cULus IND CONT EQ FOR HAZ LOC Applied standards ANSI ISA 12 12 01 CSA C22 2 No 213 M1987 APPROVED for Use in Cl 1 Div 2 GP A B C D T4 Cl 1 Zone 2 GP IIC T4 Ta Refer t...

Страница 115: ...Customs union of Russia Belarus and Kazakhstan Declaration of the conformity according to the technical regulations of the customs union TR CU MSIP 요구사항 For Korea only Certification Number MSIP REM S49 S7400CP A급 기기 업무용 방송통신기자재 이 기기는 업무용 A급 전자파 적합기기로서 판매자 또는 사용자는 이 점을 주의하시기 바라며 가정 외의 지역에서 사용하는것을 목적으로 합니다 Current approvals SIMATIC NET products are regularly submitted to the relevant authorities and...

Страница 116: ...Approvals CP 443 1 Advanced GX30 116 Manual 03 2019 C79000 G8976 C256 05 ...

Страница 117: ...e product information in the Siemens Industry Mall at the following address Link https mall industry siemens com Manuals on the Internet You will find SIMATIC NET manuals on the Internet pages of Siemens Industry Online Support Link https support industry siemens com cs ww en ps 15247 Go to the required product in the product tree and make the following settings Entry type Manuals Manuals on the d...

Страница 118: ...rent Downloads for the SIMATIC NET S7 CPs History document Siemens AG See also Link https support industry siemens com cs ww en view 9836605 A 1 4 4 SIMATIC S7 F FH Systems Configuring and Programming programming manual and user s guide Siemens AG Link https support industry siemens com cs ww en view 101509838 A 1 5 5 S7Beans Applets for IT CPs Programming Tips Siemens AG Link https support indust...

Страница 119: ...r configuration with STEP 7 NCM S7 A 3 1 8 SIMATIC NET Commissioning PC Stations Manual and Quick Start Configuration Manual Siemens AG Link https support industry siemens com cs ww en ps 15362 man A 3 2 9 SIMATIC Configuring Hardware and Connections with STEP 7 Siemens AG Part of the documentation package STEP 7 Basic Knowledge Part of the online documentation in STEP 7 Link https support industr...

Страница 120: ... the online documentation in STEP 7 A 4 On programming blocks OPC A 4 1 12 SIMATIC NET Program blocks for SIMATIC NET S7 CPs Programming Manual Siemens AG Link https support industry siemens com cs ww en view 30564821 A 4 2 13 SIMATIC NET Version history of the SIMATIC NET program blocks for S7 CPs Reference manual Siemens AG Link https support industry siemens com cs ww en view 9836605 A 4 3 14 S...

Страница 121: ...munication with PG PC Volume 1 Basics System Manual Volume 2 Interfaces programming manual Siemens AG Link https support industry siemens com cs ww en ps 15362 man A 5 Industrial Ethernet security A 5 1 17 SIMATIC NET Industrial Ethernet Security Security basics and applications Configuration manual Siemens AG Link https support industry siemens com cs ww en ps 15326 man A 5 2 18 You will find fur...

Страница 122: ...US DP to PROFINET IO Programming manual Siemens AG Link https support industry siemens com cs ww en view 19289930 A 7 On project engineering of PROFINET CBA A 7 1 21 SIMATIC Component Based Automation configuring systems with SIMATIC iMap manual Siemens AG Link https support industry siemens com cs ww en view 18404678 A 7 2 22 SIMATIC Component Based Automation configuring systems with SIMATIC iMa...

Страница 123: ...p on the Internet under the following entry ID Link https support industry siemens com cs ww en ps 14366 A 8 On setting up and operating an Industrial Ethernet network A 8 1 25 SIMATIC NET Industrial Ethernet PROFINET System manual Siemens AG Industrial Ethernet Link https support industry siemens com cs ww en view 60053848 Passive network components Link https support industry siemens com cs ww e...

Страница 124: ...Documentation references A 8 On setting up and operating an Industrial Ethernet network CP 443 1 Advanced GX30 124 Manual 03 2019 C79000 G8976 C256 05 ...

Страница 125: ... 17 Fault tolerant system 21 G Glossary 7 H H system 21 K KNOW_HOW_PROTECT 64 M Manual Collection 5 P Port 443 95 R Redundancy 73 Router address 76 S Safety notices 53 Security diagnostics 95 Service Support 7 Shared device Using router address 76 SIMATIC NET glossary 7 SIMATIC NET Manual Collection 5 SIMATIC Safety 17 STEP 7 4 T Training 7 V Version history 5 ...

Страница 126: ...Index CP 443 1 Advanced GX30 126 Manual 03 2019 C79000 G8976 C256 05 ...

Результаты поиска

Содержание SIMATIC NET CP 443-1 Advanced

Отзывы:

Похожие инструкции для SIMATIC NET CP 443-1 Advanced

Бренды по названию

Популярные бренды

Siemens SIMATIC NET CP 443-1 Advanced, Руководство пользователя

Результаты поиска

Содержание SIMATIC NET CP 443-1 Advanced

Отзывы:

Похожие инструкции для SIMATIC NET CP 443-1 Advanced

Бренды по названию

Популярные бренды