Checklist for Setting Up SCALANCE Devices
SCALANCE X, W, S, M
https://support.industry.siemens.com/cs/ww/en/view/109745536
Siemens Industry Online Support
Checklist Entry ID: 109745536, V1.0, 03/2017 2
Siemens AG 2017 All rights reserved
Warranty and Liability
Note The Application Examples are not binding and do not claim to be complete regarding the circuits shown, equipping and any eventuality. The Application Examples do not represent customer-specific solutions. They are only intended to provide support for typical applications. You are responsible for ensuring that the described products are used correctly. These Application Examples do not relieve you of the responsibility to use safe practices in application, installation, operation and maintenance. When using these Application Examples, you recognize that we cannot be made liable for any damage/claims beyond the liability clause described. We reserve the right to make changes to these Application Examples at any time without prior notice. If there are any deviations between the recommendations provided in these Application Examples and other Siemens publications – e.g. Catalogs – the contents of the other documents have priority.
We do not accept any liability for the information contained in this document. Any claims against us – based on whatever legal reason – resulting from the use of the examples, information, programs, engineering and performance data etc., described in this Application Example shall be excluded. Such an exclusion shall not apply in the case of mandatory liability, e.g. under the German Product Liability Act (“Produkthaftungsgesetz”), in case of intent, gross negligence, or injury of life, body or health, guarantee for the quality of a product, fraudulent concealment of a deficiency or breach of a condition which goes to the root of the contract (“wesentliche Vertragspflichten”). The damages for a breach of a substantial contractual obligation are, however, limited to the foreseeable damage, typical for the type of contract, except in the event of intent or gross negligence or injury to life, body or health. The above provisions do not imply a change of the burden of proof to your detriment. Any form of duplication or distribution of these Application Examples or excerpts hereof is prohibited without the expressed consent of the Siemens AG.
Security information
Siemens provides products and solutions with industrial security functions that support the secure operation of plants, systems, machines and networks. In order to protect plants, systems, machines and networks against cyber threats, it is necessary to implement – and continuously maintain – a holistic, state-of-the-art industrial security concept. Siemens’ products and solutions only form one element of such a concept. Customer is responsible to prevent unauthorized access to its plants, systems, machines and networks. Systems, machines and components should only be connected to the enterprise network or the internet if and to the extent necessary and with appropriate security measures (e.g. use of firewalls and network segmentation) in place. Additionally, Siemens’ guidance on appropriate security measures should be taken into account. For more information about industrial security, please visit http://www.siemens.com/industrialsecurity.
Siemens’ products and solutions undergo continuous development to make them more secure. Siemens strongly recommends applying product updates as soon as they are available and always using the latest product versions. Use of product versions that are no longer supported, and failure to apply the latest updates, may increase the customer’s exposure to cyber threats. To stay informed about product updates, subscribe to the Siemens Industrial Security RSS Feed under http://www.siemens.com/industrialsecurity.
Table of Contents
Warranty and Liability ..... 2
1 Introduction ..... 4
1.1 Overview ..... 4
1.2 The SCALANCE devices ..... 5
2 Shortened Checklist ..... 6
3 Detailed Checklist ..... 7
3.1 Using the latest firmware ..... 7
3.2 Setting up time synchronization ..... 7
3.3 Disabling unencrypted protocols ..... 8
3.4 Changing default passwords ..... 9
3.5 PROFINET ..... 10
3.6 Discovery and Basic Configuration Protocol (DCP) ..... 11
3.6.1 DCP access ..... 11
3.6.2 DCP forwarding ..... 12
3.7 Quality of service – traffic prioritization ..... 13
3.8 Redundancy ..... 15
3.8.1 Ring redundancy ..... 15
3.8.2 Spanning tree ..... 18
3.8.3 Passive listening ..... 18
3.9 Wireless LAN ..... 19
3.9.1 WLAN encryption ..... 19
3.9.2 WLAN layer 2 tunnel ..... 19
3.9.3 WLAN iPCF ..... 20
3.10 Configuration backup ..... 20
3.11 Additional settings ..... 21
3.11.1 Port settings ..... 21
3.11.2 System information ..... 21
3.11.3 Syslog ..... 22
3.11.4 Restricting button functions ..... 22
3.11.5 Rate control ..... 22
3.11.6 Loop detection ..... 23
3.11.7 Port mirroring ..... 23
3.11.8 VRRP ..... 24
3.11.9 Default gateway ..... 25
4 Appendix ..... 26
4.1 Service and Support ..... 26
4.2 Links and Literature ..... 27
4.3 Change documentation ..... 27
1 Introduction
1.1 Overview
Reason
SCALANCE devices offer a variety of functions and properties. Very often, these devices are integrated into the IT infrastructure with default settings or with active functions that are not used. Thus, unauthorized users might access the modules and cause damage.
Observe the following security-relevant settings to prevent unauthorized access via the network and thus operate the SCALANCE device securely:
Disable unused protocols
Limit access to read access only
Change default passwords
Set up encryption
Motivation
This overview document provides a checklist to support you in preparing the SCALANCE device.
The checklist guides you through the functions of the SCALANCE devices and provides general recommendations for configuration.
Using this checklist, you can optimally prepare the SCALANCE device for use without skipping important settings.
Content of the document
The checklist includes the following topics:
Using the latest firmware
Disabling unencrypted protocols
Changing default passwords
Setting up time synchronization
PROFINET
Discovery and Basic Configuration Protocol – DCP
Quality of service – traffic prioritization
Redundancy
Wireless LAN
Configuration backup
Additional settings
Note: This overview document provides only pointers for configuration and does not include comprehensive configuration instructions. It is highly recommended to refer to the corresponding manual for detailed information and restrictions of individual features.
1.2 The SCALANCE devices
All SCALANCE devices are configured via Web-Based Management (WBM) or CLI. For SCALANCE devices, there are basically two variants of software platforms for configuration. Normally, the functions and their configuration are identical or very similar.
Based on the variants mentioned above, the SCALANCE devices are divided as follows:
X-200 and X-300
Devices based on Modular Switching Platform SCALANCE (MSPS)
The following devices are based on MSPS:
SCALANCE XB-200
SCALANCE XC-200
SCALANCE XP-200
SCALANCE XM-400
SCALANCE X-500
SCALANCE S615
SCALANCE W-700 (802.11n types)
SCALANCE M800 (except for M875 and M873)
2 Shortened Checklist
Check the steps listed below for each SCALANCE device:
Use the latest firmware
Disable "HTTP" and use "HTTPS" instead
Change default passwords of the “admin” and “user” users
Disable "Telnet" and use "ssh" instead for the CLI. If the CLI is not used, disable both "Telnet" and "ssh".
Restrict DCP access to “Read-Only”
Restrict SNMPv1/v2 access at least to "Read-Only"; preferably use SNMPv3
Disable the PROFINET interface, if no PROFINET is used
Enable time synchronization
For SCALANCE X: Disable preset ring ports
Disable “Spanning tree”, if it is not used
Disable the "SINEMA Configuration Interface" option
If PROFINET data traffic runs via the device and no own VLAN configuration is used, enable "VLAN 0 aware mode" (X-300) or "802.1D Transparent Bridge".
Enable WLAN encryption and use WPA2
Set the default gateway for all devices. If no gateway is used, set the gateway address to an unused IP address in the local network anyway.
Create a backup of the configuration via WBM and/or C-PLUG
Note: Not all features described above are available for all SCALANCE devices. The available features depend on the SCALANCE type and on the firmware version used.
3 Detailed Checklist
3.1 Using the latest firmware
Menu path
The information can be found under the following paths:
For MSPS devices: “Information > Versions”
For X-200 and X-300: "Agent > System > Version Numbers"
Recommendation
Use the latest firmware version. If the SCALANCE device is not run with the latest firmware, update the firmware version. The latest firmware versions are available in the Siemens Industry Online Support (see \1\ chapter 4.2). For some parts of the download, registration is required.
3.2 Setting up time synchronization
Menu path
The information can be found under the following paths:
For MSPS: "System > System time"
For X-200 and X-300: "Agent > Time config"
Recommendation
For troubleshooting or log analysis, continuously synchronize the time on all components. Without a valid time, the logs only contain the operating time since the last restart.
All current SCALANCE devices support the following synchronization options:
NTP
SNTP (S stands for "simple")
Polling and lists
SIMATIC time
Use the secure NTP variant, if it is available.
With regard to the SIMATIC time, the SCALANCE devices only support the client function. For the master function, you can use e. g. a CP343-1 or CP443-1.
Remark
If no NTP server is available in the network, you will find an application example in the Siemens Industry Online Support (see \3\ in chapter 4.2). This application example provides a minimum SNTP server on the CPUs S7-300/400/1200/1500. You can use this SNTP server to apply the CPU time uniformly to all components.
3.3 Disabling unencrypted protocols
Menu path
The information can be found under the following paths:
For MSPS: "System > Configuration"
For X-200 and X-300: "Agent"
Recommendations
1. Disable HTTP by enabling "https only".
2. Disable the "Telnet Server" and use the "SSH Server" only instead. If you are not using the CLI, disable both Telnet and SSH.
3. Set SNMPv1/v2 access to at least "Read-Only" to ensure that the device configuration cannot be changed via insecure "SNMP Set" requests. Change the community strings for SNMPv1/v2. Attention: with SNMPv1/v2, the data are transferred as plain text over the line.
4. Preferably disable SNMPv1/v2 completely and use the secure SNMPv3 instead.
5. Disable the "SINEMA Configuration Interface" option. With this setting, loading via TIA Portal is not possible.
Note: With SNMPv3, the client can neither read nor write without a valid logon. The data are transferred encrypted.
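Why items 3 and 4 matter, as an added example that is not part of the Siemens checklist: a small decoder for the outer BER structure of an SNMP message, usable by a network monitor to flag SNMPv1/v2c traffic (whose community string and any SetRequest are readable on the wire) as opposed to SNMPv3. The sample packets are constructed by hand; the decoder reports only the length of a community string, never the string itself.

```python
# Added example, not from the Siemens checklist: decode the outer BER structure
# of an SNMP message so a monitor can flag SNMPv1/v2c traffic (community string
# and SetRequests readable on the wire) as opposed to SNMPv3. The sample packets
# below are constructed by hand for this example.

VERSION_NAMES = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest",
             0xA7: "InformRequest", 0xA8: "SNMPv2-Trap"}


def _read_tlv(data: bytes, pos: int):
    """Read one BER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def classify_snmp(packet: bytes) -> dict:
    """Return SNMP version, PDU type and whether a cleartext community is present."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message: outer SEQUENCE missing")
    tag, ver, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    version = int.from_bytes(ver, "big")
    info = {"version": VERSION_NAMES.get(version, f"unknown({version})"),
            "cleartext_community": False, "community_length": 0, "pdu": None}
    if version in (0, 1):                 # v1 and v2c: community OCTET STRING, then the PDU
        tag, community, pos = _read_tlv(body, pos)
        if tag == 0x04:
            info["cleartext_community"] = True
            info["community_length"] = len(community)   # length only; never log the secret
            tag, _, _ = _read_tlv(body, pos)
            info["pdu"] = PDU_NAMES.get(tag)
    return info


def audit(packets) -> list:
    """Map captured packets to the findings behind checklist items 3 and 4 of chapter 3.3."""
    findings = []
    for packet in packets:
        info = classify_snmp(packet)
        if not info["cleartext_community"]:
            continue                       # SNMPv3: authenticated, optionally encrypted
        if info["pdu"] == "SetRequest":
            findings.append(f'{info["version"]} SetRequest seen: SNMP access is not restricted to Read-Only')
        else:
            findings.append(f'{info["version"]} in use: community string readable on the wire')
    return findings


# Constructed SNMPv1 GetRequest for sysName.0 with community "public"
SNMPV1_GET = bytes.fromhex(
    "3026"                      # SEQUENCE, 38 bytes
    "020100"                    # version 0 = SNMPv1
    "04067075626c6963"          # community "public"
    "a019"                      # GetRequest-PDU, 25 bytes
    "020101" "020100" "020100"  # request-id 1, error-status 0, error-index 0
    "300e" "300c"               # VarBindList, VarBind
    "06082b06010201010500"      # OID 1.3.6.1.2.1.1.5.0 (sysName.0)
    "0500"                      # NULL value
)
SNMPV2C_GET = SNMPV1_GET[:4] + b"\x01" + SNMPV1_GET[5:]      # same message, version 1 = v2c
SNMPV1_SET = SNMPV1_GET.replace(b"\xa0\x19", b"\xa3\x19")     # PDU tag changed to SetRequest
# Constructed start of an SNMPv3 message (version and msgGlobalData only)
SNMPV3_HDR = bytes.fromhex(
    "3012" "020103"                                # SEQUENCE, version 3
    "300d" "020101" "02020200" "040100" "020103"   # msgID, msgMaxSize 512, msgFlags, USM
)
```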
3.4 Changing default passwords
Menu path
The information can be found under the following paths:
For MSPS: "Security > Users"
For X-200 and X-300: "System > Passwords"
Default setting
The preset accounts are "admin" and "user". The corresponding passwords are "admin" and "user".
Recommendation
Change the passwords of both accounts and use secure passwords.
Remark
The "user" account cannot change the configuration. If the password remains unchanged, the settings are visible to anybody.
If your SCALANCE device is provided with a more recent MSPS firmware version, you will be prompted automatically to change the (admin) password when logging in for the first time.
For the latest versions, create a password that meets at least the following conditions:
One upper-case letter
One lower-case letter
One digit
One special character
Length of eight characters
Weaker passwords will not be accepted. For most MSPS devices, the "user" account may be deleted completely.
For X-200 and X-300, you can neither rename nor delete the "admin" or "user" accounts.
3.5 PROFINET
Menu path
This information is available for MSPS at "System > PROFINET / PN".
Recommendation
1. If the device is not assigned to any PROFINET controller, disable the PROFINET interface completely ("Off"). With this setting, the SCALANCE device will not accept any configuration changes made by a controller. Disabling the PN interface does not change how the SCALANCE device responds to DCP requests.
2. Set the DCP access at least to "Read-Only" (see chapter 3.6). This setting is independent of the PROFINET status.
3. SCALANCE X-200 and X-300 offer no option to disable PROFINET entirely. For this reason, do not assign any PROFINET name and restrict DCP to "Read-Only" (see chapter 3.6). Without a valid name, a standard-compliant PROFINET controller can neither exchange data with the device nor assign a new name.
Remarks
A restart is required to ensure that the change becomes effective. Without a restart, an incorrectly configured controller might take over parts of the configuration, even without valid logon data. The port and ring settings, for example, are part of the PROFINET configuration.
Note on PROFINET update time and monitoring time
Please check which update time and monitoring time the corresponding application really requires and configure reasonable times accordingly.
Choose values as large as possible for update time and repetitions.
In the default setting, STEP 7 assigns very short update times (1 or 2 ms) and three repetitions. This default setting results in a monitoring time of 3 ms or 6 ms. With a longer monitoring time, the PROFINET communication is less susceptible to failures in the network. If, for example, the CPU cycle time is already between 50 and 100 ms, an update time of 1 ms will be of little benefit.
3.6 Discovery and Basic Configuration Protocol (DCP)
3.6.1 DCP access
Description
To assign basic parameters such as IP settings or PROFINET names to the devices, the Discovery and Basic Configuration Protocol ("DCP") is used. DCP additionally offers the option to reset the device to the factory settings.
Typically, DCP is used by PROFINET controllers or engineering software (e. g. PST, STEP 7, PRONETA) to find devices and to configure them. DCP cannot be routed and is therefore restricted to the local layer 2 network.
Menu path
The information can be found under the following paths:
For MSPS: "System > Configuration"
For X-200 and X-300: "Agent"
Recommendation
Restrict the DCP access to "Read-Only".
"Read/Write" can be used for changing IP parameters and/or the PROFINET name or for triggering a reset. This can be done even if the logon data are not known.
With "Read-Only", the device no longer responds to "DCP Set Requests". Thus, no new parameters can be assigned via engineering tools, even though the device remains visible.
Remark
If you operate the SCALANCE device as a PROFINET device despite the "Read-Only" option being enabled, the following settings must match the controller:
IP address
Subnet mask
Gateway IP address
PROFINET name
However, the controller cannot assign any parameters, because the device does not respond to "DCP Set Requests".
If all parameters have already been entered correctly in the PROFINET device, DCP assignment is not required. PROFINET communication can be started immediately.
With the setting "DCP Disabled", the device does not provide any feedback and will become invisible with regard to DCP. With this setting, the SCALANCE device cannot be operated as a PROFINET device.
3.6.2 DCP forwarding
Menu path
The information can be found under the following paths:
For MSPS: "Layer 2 > DCP Forwarding"
For X-200 and X-300: "Switch > DCP (Configuration)"
Recommendation
Normally, PROFINET devices without an extended configuration interface do not provide the option to set the DCP settings to "Read-Only".
If possible, prevent DCP telegrams from being forwarded to the ports.
Note: First, check where DCP is required in the network. If you disable the forwarding of DCP telegrams, the correct functioning of the controller or of the PGs might be affected. DCP forwarding should remain disabled at least for ports that are switched and located at the boundaries of an unknown network.
For standard PROFINET devices such as e. g. ET 200SP, the respective function can be found in the port options of STEP 7 under "End of detection of accessible devices".
Remark
Particularly in networks to which several parties are connected, you should use "DCP Disabled" and restricted forwarding with caution.
"DCP Disabled" and/or restricted forwarding might cause addresses or names already used by third parties to appear unassigned. Duplicate addresses might cause network problems.
3.7 Quality of service – traffic prioritization
Information
You can implement the prioritization of processing in two different ways:
Based on the VLAN tag "COS" (Ethernet)
Based on the VLAN tag "DSCP" (IP).
If both occur simultaneously in one telegram, the SCALANCE device must decide which one has a higher priority.
Current PROFINET devices send time-critical data using the following VLAN tag:
VLAN-ID: 0
Priority Code 6.
Pure PROFINET data traffic has no IP header and, as a consequence, no DSCP information.
Switches such as SCALANCE X-100 or X-200 that are not VLAN-capable forward data by means of the "COS" priority in the VLAN tag.
VLAN-capable switches such as e. g. XB/XC/XP-200, X-300, XM-400 and X-500 forward the data traffic according to their settings in the configuration. In the default settings, all ports are "untagged members" of the "default VLAN 1". With this setting (untagged), the VLAN tag will be lost after it has been forwarded by the first switch. Thus, the "COS" priority information will be removed as well.
COS and PROFINET
If the PROFINET data traffic passes the (VLAN-capable) device and an extended VLAN separation is not required, use the following settings. With these settings, the VLAN tag will be maintained.
For X-300, go to the "Switch" menu item and enable "VLAN 0 Aware mode".
For MSPS, go to the "Layer 2 > VLAN" menu item and set the Bridged Mode to "802.1D Transparent Bridge". For XM-400 and X-500, tick the "Transparent" option for VLAN 1.
Prioritization
If the device supports several trust options, make sure that the "COS" priority is preferred to "DSCP".
For MSPS devices, the "trust options" can be found under the menu item "Layer 2 > QoS > QoS Trust".
1. Set all ports with PROFINET traffic shares to "Trust COS".
2. If the network contains time-critical IP data traffic, e. g. VoIP or video streaming, select the "DSCP (over) COS" option.
3. If you are using PROFINET, prioritize with "COS".
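The tag handling described in this chapter, as an added example that is not part of the Siemens document: the Python below decodes the 802.1Q tag and, for IP frames, the DSCP field of constructed frames, then simulates an untagged egress port dropping the PROFINET VLAN-0/priority-6 tag, a transparent port keeping it, and the "Trust COS" versus "DSCP over COS" choice. The DSCP-to-priority mapping (DSCP >> 3) and the frames are my assumptions, not the documented SCALANCE mapping.

```python
# Added example, not from the Siemens checklist: decode the 802.1Q tag (COS/PCP,
# VLAN id) and the IPv4 DSCP of an Ethernet frame, simulate the egress of an
# "untagged member" port versus a transparent / VLAN-0-aware port, and apply the
# "Trust COS" / "DSCP over COS" trust setting. Frames are constructed; the
# DSCP -> priority mapping (DSCP >> 3) is an assumption for this example.
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_PROFINET_RT = 0x8892


def parse_frame(frame: bytes) -> dict:
    """Return VLAN id, COS (PCP), EtherType and DSCP (None if there is no IP header)."""
    info = {"vid": None, "pcp": None, "ethertype": None, "dscp": None}
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset = 14
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        info["pcp"] = tci >> 13            # 3-bit Priority Code Point ("COS")
        info["vid"] = tci & 0x0FFF         # 12-bit VLAN id; 0 = priority-tagged only
        offset = 18
    info["ethertype"] = ethertype
    if ethertype == ETHERTYPE_IPV4:
        info["dscp"] = frame[offset + 1] >> 2   # upper 6 bits of the IPv4 TOS byte
    return info


def egress(frame: bytes, port_mode: str) -> bytes:
    """Simulate one port: 'untagged' strips the 802.1Q tag, 'transparent' keeps it."""
    if port_mode == "untagged" and parse_frame(frame)["pcp"] is not None:
        return frame[:12] + frame[16:]     # drop TPID + TCI; the COS information is gone
    return frame                           # transparent bridge / VLAN 0 aware: unchanged


def queue_priority(frame: bytes, trust: str) -> int:
    """Priority (0-7) the receiving switch assigns under the given QoS trust setting."""
    info = parse_frame(frame)
    cos = info["pcp"] if info["pcp"] is not None else 0   # untagged -> best effort
    if trust == "DSCP over COS" and info["dscp"] is not None:
        return info["dscp"] >> 3           # assumed mapping; non-IP frames fall back to COS
    return cos                             # "Trust COS"


def _tagged(dst: bytes, src: bytes, pcp: int, vid: int, ethertype: int, payload: bytes) -> bytes:
    tci = (pcp << 13) | vid
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


# Constructed frames (locally administered MAC addresses)
_DST = bytes.fromhex("0200000000aa")
_SRC = bytes.fromhex("0200000000bb")
# PROFINET RT: VLAN id 0, priority 6, no IP header (as described in the checklist)
PROFINET_FRAME = _tagged(_DST, _SRC, 6, 0, ETHERTYPE_PROFINET_RT, bytes(40))
# VoIP-like IPv4 frame: VLAN 10, COS 3, DSCP 46 (EF); header fields beyond TOS zeroed
_IPV4_HDR = bytes([0x45, 46 << 2]) + bytes(18)
VOIP_FRAME = _tagged(_DST, _SRC, 3, 10, ETHERTYPE_IPV4, _IPV4_HDR + bytes(20))


def profinet_priority_after(port_mode: str, trust: str) -> int:
    """Priority the PROFINET frame still carries after crossing one switch port."""
    return queue_priority(egress(PROFINET_FRAME, port_mode), trust)
```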
3.8 Redundancy
3.8.1 Ring redundancy
Ring protocols
Many SCALANCE modules support the following two ring protocols:
MRP – Media Redundancy Protocol
HRP – High-Speed Redundancy Protocol
Among others, MRP is standardized for PROFINET. Thus, compatible devices can be included directly into the ring. HRP is a proprietary method which is (almost) exclusively limited to SCALANCE X.
Both methods require a switchover time when the connection is interrupted. The guaranteed maximum times are 200 ms for MRP and 300 ms for HRP. The higher-level application must be able to cope with these short-term interruptions during the switchover.
With PROFINET, the watchdog time for devices communicating via the ring must be longer than the switchover time. To achieve a longer watchdog time, increase the update time or the number of repetitions.
If the application does not allow any interruption, you have to use a redundancy method without switchover time. Bumpless redundancy methods include, for example, the following protocols:
HSR – High-availability Seamless Redundancy
PRP – Parallel Redundancy Protocol
MRPD – Media Redundancy for Planned Duplication
HSR and PRP are only available for the SCALANCE X204 RNA.
MRPD is normally used for SIMOTION, SINAMICS and IRT-PROFINET devices.
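The watchdog rule above and the update/monitoring-time note in chapter 3.5, as an added example that is not part of the Siemens document: the helper computes the PROFINET monitoring time from update time and repetitions, compares it with the guaranteed switchover times given here (MRP 200 ms, HRP 300 ms) and derives the smallest repetition count that satisfies the rule. The sample values and the "update time far below the CPU cycle" threshold are my assumptions.

```python
# Added example, not from the Siemens checklist: PROFINET monitoring (watchdog)
# time = update time x repetitions. The STEP 7 default quoted on the page is
# 1 or 2 ms with 3 repetitions (3 or 6 ms); the guaranteed ring switchover times
# are 200 ms (MRP) and 300 ms (HRP). Sample values are constructed; the
# "ten times below the CPU cycle" threshold in review() is an assumption.

RING_SWITCHOVER_MS = {"MRP": 200, "HRP": 300}


def watchdog_ms(update_ms: float, repetitions: int) -> float:
    """Monitoring time after which the controller declares the device failed."""
    if update_ms <= 0 or repetitions < 1:
        raise ValueError("update time must be > 0 ms and repetitions >= 1")
    return update_ms * repetitions


def survives_switchover(update_ms: float, repetitions: int, ring_protocol: str) -> bool:
    """True if the watchdog strictly outlasts the ring's guaranteed switchover time."""
    return watchdog_ms(update_ms, repetitions) > RING_SWITCHOVER_MS[ring_protocol]


def min_repetitions(update_ms: float, ring_protocol: str) -> int:
    """Smallest repetition count whose watchdog exceeds the switchover time."""
    limit = RING_SWITCHOVER_MS[ring_protocol]
    return int(limit // update_ms) + 1


def review(update_ms: float, repetitions: int, ring_protocol: str, cpu_cycle_ms: float = None) -> list:
    """Checklist findings for one device's PROFINET timing (wording is constructed)."""
    findings = []
    wd = watchdog_ms(update_ms, repetitions)
    limit = RING_SWITCHOVER_MS[ring_protocol]
    if not survives_switchover(update_ms, repetitions, ring_protocol):
        findings.append(
            f"watchdog {wd:g} ms does not exceed the {ring_protocol} switchover time of {limit} ms: "
            f"raise repetitions to at least {min_repetitions(update_ms, ring_protocol)} "
            f"or increase the update time")
    # Assumed threshold: an update time more than ten times shorter than the CPU cycle
    # brings little benefit (the page's example: 1 ms update time vs. 50-100 ms cycle).
    if cpu_cycle_ms is not None and update_ms * 10 < cpu_cycle_ms:
        findings.append(
            f"update time {update_ms:g} ms is far below the CPU cycle of {cpu_cycle_ms:g} ms: "
            f"choose a larger update time")
    return findings
```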
Note on abbreviations
Initially, HRP was also abbreviated as HSR.
As the new bumpless method uses the same abbreviation, HSR has been renamed as HRP. In previous firmware versions and manuals of X-200 or X-300, HSR is still used. In this case, the abbreviation stands for the “High-Speed Redundancy Protocol" with a switchover time of 300 ms. HSR is only available for the SCALANCE X204 RNA.
Factory settings
In the delivery state, the ring ports are enabled by default for almost all SCALANCE X components. The exact port numbers are indicated in the corresponding manuals of the different hardware types. Normally, P1/P2, optical or Gbit ports are used.
"Automatic Redundancy Detection" (ARD) is preset as the method used. A device with ARD being enabled works as follows:
If an HRP manager is connected, the device will become an HRP client.
If an MRP manager is connected, the device will become an MRP client.
If no ring manager is connected, the device will become an MRP manager.
With ARD, the device will never become an HRP manager.
Menu path
The information can be found under the following paths:
For MSPS: "Layer 2 > Ring Redundancy"
For X-200 and X-300: "X200 / X300 > Ring (Redundancy)"
Recommendation
If the device is not operated in a ring, make sure that ring redundancy is deactivated.
Remark
In the default setting ARD, a SCALANCE X device without a connected ring manager becomes an MRP manager itself. In this role, it sends test frames at both ring ports to monitor the ring status. The test frames are MAC multicasts. Most devices will interpret these frames as unknown multicast and therefore flood them to all other ports. Depending on the setup, this might cause failures, e. g. for other ring managers, or if devices receive too many multicasts in total.
For optical ports, the "Link Check" feature can be enabled to detect partial interruptions of the connection (if available in the device).
Note: Configure the ring before it is closed physically. Otherwise, a loop might interrupt communication.
All devices in a ring must support the ring protocol used and be configured correspondingly. Other devices, e. g. unmanaged switches, must not be integrated into the ring. Fast switchover with approx. 300 ms will not work with such devices, even if the setup first seems to be functional.
Monitoring with MRP
If you want to monitor the status of the ring, e. g. via SNMP or in the S7-CPU program, define a fixed MRP manager. Set all other ring nodes to MRP client. When there are several MRP managers, it is not clear which one is currently active. As a consequence, all devices have to be addressed in order to find the current manager and to determine the status.
Note: Application examples for redundancy are available in the Siemens Industry Online Support (see \4\ chapter 4.2).
3.8.2 Spanning tree
Menu path
The information can be found under the following paths:
For MSPS: "Layer 2 > Spanning Tree"
For X-300: "Switch"
Recommendation
1. In the default settings, "Spanning Tree" is enabled for some SCALANCE X devices. Disable "Spanning Tree", if it is not used.
2. If you are using Spanning Tree, preferably use RSTP (rapid) due to the shorter reconfiguration time. Select a reasonable position for the root bridge and the path cost to keep the reconfiguration time short.
Remark
SCALANCE X-200 and X-200 IRT do not support Spanning Tree.
Note: An application example for RSTP is available in the Siemens Industry Online Support (see \4\ chapter 4.2).
3.8.3 Passive listening
Menu path
The information can be found under the following paths:
For MSPS: "Layer 2 > Configuration"
For X-200 and X-300: "Switch"
Recommendation
In the default settings, "Passive Listening" is enabled for most SCALANCE X devices.
Disable "Passive Listening", unless there is a configuration in the network that depends on it, e. g. a coupling of STP to an HRP ring or MRP ring.
Remark
With "Passive Listening", the switch forwards BPDUs. When a topology change arrives, it deletes its MAC address table.
The switch also deletes the MAC address table if STP is not enabled on the device or if the device does not support STP at all.
3.9 Wireless LAN
3.9.1 WLAN encryption
Menu path
This information is available for IWLAN devices at the menu item "Security > WLAN > Basic".
Recommendation
Enable the "WPA2 with AES" encryption.
Remark
WEP should not be used due to major design errors. As of firmware version V6.0, WEP generally cannot be selected anymore. The "Preshared Key" encryption provides protection against external parties only. Other clients using the same password or knowing it could still decrypt the data traffic.
Use secure protocols for the radio link as well.
3.9.2 WLAN layer 2 tunnel
Menu path
This information is available for IWLAN devices at the menu item "Interfaces > WLAN > Client".
Recommendation
Set the MAC mode to "Layer 2 Tunnel" if the client and the access point are SCALANCE W devices.
Note: As of firmware version V6.0, "Layer 2 Tunnel" is the default setting as soon as you enable the "iPCF" function.
Remark
With the "Layer 2 Tunnel" setting, the access point will also receive the real MAC addresses of the devices which are behind the client and not only the client MAC address.
If you are using the "Layer 2 Tunnel" MAC mode, you can connect up to eight nodes or MAC addresses to the client.
Note:
This is a proprietary function of SCALANCE devices and cannot be used with access points of third-party manufacturers.
3.9.3 WLAN iPCF
Menu path
This information is available for IWLAN devices at the menu item "iFeatures > iPCF".
Recommendation
1. Use the deterministic "iPCF", if you want to transfer time-critical data, e. g. PROFINET, via the radio link.
2. Use "iPCF" together with 802.11a (note: not 802.11n) to ensure a more stable connection.
Remark
"Standard DCF" does not guarantee fixed transmission times and is therefore not deterministic.
Note:
"iPCF" is a proprietary function of SCALANCE devices and cannot be used with access points or clients of third-party manufacturers.
3.10 Configuration backup
Menu path
The information can be found under the following paths:
For MSPS: "System > Load & Save"
For X-200 and X-300: "System > Save & Load http"
Recommendation
Create a backup of the configuration settings after commissioning and at regular intervals.
Remark
For SCALANCE X-200/X-300, all settings are included in the Config file.
For MSPS, there is a distinction between Config and ConfigPack. Both include the settings from the WBM; the ConfigPack additionally includes information on users, passwords and certificates, whereas the Config includes only the WBM settings.
You can also save the configuration on a specified TFTP server. The backup can be triggered automatically, e. g. via an SNMP tag.
C-PLUG
The C-PLUG is a replaceable storage medium on which all settings of the device can be saved. In case of a replacement, you can remove the C-PLUG from the defective device and insert it into the replacement device. The replacement device will then automatically start with the same settings.
Newer MSPS devices additionally provide an option to save the firmware version on the C-PLUG as well. In this case, the replacement device will first carry out a firmware update (if required) and then apply the settings.
3.11 Additional settings
3.11.1 Port settings
Menu path
The information can be found under the following paths:
For MSPS: "System > Ports > Configuration"
For X-200 and X-300: "Switch > Ports / Port Status"
Recommendation
1. To minimize risks, disable ports that are permanently unused.
2. If the partner is an unmanaged switch, do not use any fixed settings. Use Auto Negotiation only.
Remark
If you are using a fixed setting for speed or mode instead of Auto Negotiation, make the setting on both devices.
If you mix Auto Negotiation and fixed settings, the Auto Negotiation node will fall back to half-duplex mode. Compared to full-duplex mode, half-duplex results in noticeably poorer network performance.
3.11.2 System information
Menu path
The information can be found under the following paths:
For MSPS: "System > General"
For X-200 and X-300: "System"
Recommendation
Configure plausible and meaningful values for the following:
System name
Contact
Installation location.
These values are normally queried by monitoring software or by SNMP clients.
3.11.3 Syslog
Menu path
The information can be found under the following paths:
For MSPS: "System > Syslog Client"
For X-300: "Agent > Agent Syslog"
Information
If a Syslog server is present on the network, the device can send all log entries that have occurred to the server. Thus, there is a central point where all log entries can be viewed directly.
Recommendation
The Syslog protocol transfers the data in an unencrypted way. For this reason, the Syslog data traffic should not pass any insecure networks.
3.11.4 Restricting button functions
Menu path
The information can be found under the following paths:
For MSPS: "System > Button"
For X-200 and X-300: "System > Select/Set Button"
Recommendation
In this menu, you can disable the reset function of the physical button on the module housing. If available, you can also disable the switchover of ring functions.
3.11.5 Rate control
Menu path
The information can be found under the following paths:
For MSPS: "Layer 2 > Rate control"
For X-300: "Switch > Load Limits Rates"
Recommendation
In case of connection to third-party networks, you can limit potentially disturbing traffic by means of "Multicast or Broadcast Limits". As far as possible, you should carry out a layer 3 separation by means of a router.
Remark
Please observe that a limit can also discard essential protocols, e.g. ARP. The type of limit you select and its extent have to match the setup.
3.11.6 Loop detection
Menu path
The information can be found under the following paths:
For MSPS: "Layer 2 > Loop Detection"
For X-200 and X-300: "Switch > Loop Detection"
Recommendation
Enable "Loop Detection", if you are frequently changing or extending the cabling within your network.
Loop Detection helps to detect loops that have been created unintentionally by cabling and to switch off the corresponding port, thus ensuring that the rest of the network remains functional. The detailed settings depend on the setup of the network.
Remark
As a rule of thumb, the switches in the network should use increasing RX thresholds "from bottom to top". Using this rule, the local switches will respond first and directly switch off the port before the higher-level switch will disconnect the entire cell.
3.11.7 Port mirroring
Menu path
The information can be found under the following paths:
For MSPS: "Layer 2 > Mirroring"
For X-300: "Switch > Port Mirroring"
Recommendation
If you are using port mirroring on VLAN-capable switches, make sure that the monitoring port is not a member of any VLAN (no U/M or T entry in the "VLAN" tab).
Otherwise, duplicate telegrams might occur.
Remark
When in doubt, the "Monitoring Barrier" should be enabled to make sure that the PC cannot cause any feedback within the network at the monitoring port.
With the barrier being enabled, the WBM of the device might not be accessible anymore via the monitoring port.
3.11.8 VRRP
Menu path
This information is available for XM-400 and X500 devices at the menu path "Layer 3 > VRRP / VRRPv3".
Information
By means of VRRP, routers can provide a redundant gateway IP address for other routers or terminal devices. This address will be shared by all routers having the same VRID in the local network. The current master takes over the traffic at the virtual shared IP address.
Terminal devices can use the unique virtual IP address as a gateway.
Recommendation
Prefer VRRPv3 to VRRP due to the faster switchover time.
3.11.9 Default gateway
Menu path
The information can be found under the following paths:
For MSPS: "System > Agent IP" or "Layer 3 > Static Routes"
For X-200 and X-300: "Agent"
Recommendation
Even if the devices currently do not need any default gateway, it might be required for future extensions, e. g. if further subnets are added or if you want to set up remote maintenance.
In the devices, always set a default gateway to an unused IP address in the local subnet. If you need a router later on, you can assign this address to the additional router.
This is particularly important for S7 controllers, as for those devices the gateway cannot be changed subsequently without setting the CPU to STOP.
Remark
Within the layer 3 menu, the default gateway is defined via a route with the target "0.0.0.0".
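Several of the checklist items above can be verified mechanically once device settings have been exported. The following Python script is an added example, not Siemens code: it audits a constructed inventory (the record layout is an assumption, not a SCALANCE export format) against sections 3.11.1, 3.11.6, 3.11.7 and 3.11.9.

```python
"""Audit constructed device records against checklist items 3.11.1 (unused
ports disabled), 3.11.6 (loop-detection RX thresholds rising from cell to
core), 3.11.7 (mirror port in no VLAN) and 3.11.9 (default gateway inside
the local subnet).  The record layout below is an assumption made for this
example and is not a SCALANCE export format."""
import ipaddress

# Constructed sample inventory (hypothetical values, not from the checklist).
INVENTORY = [
    {"name": "sw-cell-1", "level": 0, "ip": "192.168.10.11/24",
     "gateway": "192.168.10.1",
     "ports": {"P1": {"in_use": True, "enabled": True},
               "P2": {"in_use": False, "enabled": True}},   # unused but enabled
     "loop_rx_threshold": 5, "mirror_port": "P3",
     "vlan_members": {"1": ["P1", "P2", "P3"]}},             # mirror port in VLAN 1
    {"name": "sw-core", "level": 1, "ip": "192.168.10.2/24",
     "gateway": "192.168.11.1",                              # outside local subnet
     "ports": {"P1": {"in_use": True, "enabled": True}},
     "loop_rx_threshold": 5, "mirror_port": None, "vlan_members": {}},
]


def audit(inventory):
    """Return a list of (device name, finding) tuples; empty means compliant."""
    findings = []
    for dev in inventory:
        iface = ipaddress.ip_interface(dev["ip"])
        gw = ipaddress.ip_address(dev["gateway"])
        # 3.11.9: gateway must lie in the local subnet and differ from the device's own IP
        if gw not in iface.network or gw == iface.ip:
            findings.append((dev["name"], f"default gateway {gw} not usable in {iface.network}"))
        # 3.11.1: permanently unused ports should be disabled
        for port, state in dev["ports"].items():
            if not state["in_use"] and state["enabled"]:
                findings.append((dev["name"], f"unused port {port} still enabled"))
        # 3.11.7: the monitoring (mirror) port must not be a member of any VLAN
        mp = dev["mirror_port"]
        if mp and any(mp in members for members in dev["vlan_members"].values()):
            findings.append((dev["name"], f"mirror port {mp} is a VLAN member"))
    # 3.11.6: every switch on a higher level needs a higher RX threshold than
    # every switch on the level below it, so the local switch reacts first
    levels = sorted({d["level"] for d in inventory})
    for lo, hi in zip(levels, levels[1:]):
        lo_max = max(d["loop_rx_threshold"] for d in inventory if d["level"] == lo)
        for dev in inventory:
            if dev["level"] == hi and dev["loop_rx_threshold"] <= lo_max:
                findings.append((dev["name"], f"loop RX threshold {dev['loop_rx_threshold']} "
                                              f"not above level {lo} maximum ({lo_max})"))
    return findings


if __name__ == "__main__":
    for device, finding in audit(INVENTORY):
        print(f"{device}: {finding}")
```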
4 Appendix
4.1 Service and Support
Industry Online Support
Do you have any questions or need assistance?
Siemens Industry Online Support offers round the clock access to our entire service and support know-how and portfolio.
The Industry Online Support is the central address for information about our products, solutions and services.
Product information, manuals, downloads, FAQs, application examples and videos – all information is accessible with just a few mouse clicks at: https://support.industry.siemens.com
Technical Support
The Technical Support of Siemens Industry provides you with fast and competent support regarding all technical queries with numerous tailor-made offers, ranging from basic support to individual support contracts. You can send queries to Technical Support via the web form: www.siemens.com/industry/supportrequest
Service offer
Our range of services includes, inter alia, the following:
Product trainings
Plant data services
Spare parts services
Repair services
On-site and maintenance services
Retrofitting and modernization services
Service programs and contracts
You can find detailed information on our range of services in the service catalog: https://support.industry.siemens.com/cs/sc
Industry Online Support app
You will receive optimum support wherever you are with the "Siemens Industry Online Support" app. The app is available for Apple iOS, Android and Windows Phone: https://support.industry.siemens.com/cs/ww/en/sc/2067
4.2 Links and Literature
Table 4-1
No. Topic
\1\ Siemens Industry Online Support
https://support.industry.siemens.com
\2\ Link to this entry page of this application example
https://support.industry.siemens.com/cs/ww/en/view/109745536
\3\ Library for SNTP server functionality in S7-CPUs
https://support.industry.siemens.com/cs/ww/en/view/82203451
\4\ Application examples for redundancy
\5\ Application example for RSTP
https://support.industry.siemens.com/cs/ww/en/view/109742120
4.3 Change documentation
Table 4-2
Version Date Modifications
V1.0 03/2017 First version