Checklist for Setting Up SCALANCE Devices



SCALANCE X, W, S, M

https://support.industry.siemens.com/cs/ww/en/view/109745536

Siemens Industry Online Support

Checklist Entry ID: 109745536, V1.0, 03/2017

Siemens AG 2017. All rights reserved.

Warranty and Liability

Note The Application Examples are not binding and do not claim to be complete regarding the circuits shown, equipping and any eventuality. The Application Examples do not represent customer-specific solutions. They are only intended to provide support for typical applications. You are responsible for ensuring that the described products are used correctly. These Application Examples do not relieve you of the responsibility to use safe practices in application, installation, operation and maintenance. When using these Application Examples, you recognize that we cannot be made liable for any damage/claims beyond the liability clause described. We reserve the right to make changes to these Application Examples at any time without prior notice. If there are any deviations between the recommendations provided in these Application Examples and other Siemens publications – e.g. Catalogs – the contents of the other documents have priority.

We do not accept any liability for the information contained in this document. Any claims against us – based on whatever legal reason – resulting from the use of the examples, information, programs, engineering and performance data etc., described in this Application Example shall be excluded. Such an exclusion shall not apply in the case of mandatory liability, e.g. under the German Product Liability Act (“Produkthaftungsgesetz”), in case of intent, gross negligence, or injury of life, body or health, guarantee for the quality of a product, fraudulent concealment of a deficiency or breach of a condition which goes to the root of the contract (“wesentliche Vertragspflichten”). The damages for a breach of a substantial contractual obligation are, however, limited to the foreseeable damage, typical for the type of contract, except in the event of intent or gross negligence or injury to life, body or health. The above provisions do not imply a change of the burden of proof to your detriment. Any form of duplication or distribution of these Application Examples or excerpts hereof is prohibited without the expressed consent of the Siemens AG.

Security information

Siemens provides products and solutions with industrial security functions that support the secure operation of plants, systems, machines and networks. In order to protect plants, systems, machines and networks against cyber threats, it is necessary to implement – and continuously maintain – a holistic, state-of-the-art industrial security concept. Siemens’ products and solutions only form one element of such a concept. Customer is responsible to prevent unauthorized access to its plants, systems, machines and networks. Systems, machines and components should only be connected to the enterprise network or the internet if and to the extent necessary and with appropriate security measures (e.g. use of firewalls and network segmentation) in place. Additionally, Siemens’ guidance on appropriate security measures should be taken into account. For more information about industrial security, please visit http://www.siemens.com/industrialsecurity.

Siemens’ products and solutions undergo continuous development to make them more secure. Siemens strongly recommends to apply product updates as soon as available and to always use the latest product versions. Use of product versions that are no longer supported, and failure to apply latest updates may increase customer’s exposure to cyber threats. To stay informed about product updates, subscribe to the Siemens Industrial Security RSS Feed under http://www.siemens.com/industrialsecurity.


Table of Contents

Warranty and Liability  2
1 Introduction  4
1.1 Overview  4
1.2 The SCALANCE devices  5
2 Shortened Checklist  6
3 Detailed Checklist  7
3.1 Using the latest firmware  7
3.2 Setting up time synchronization  7
3.3 Disabling unencrypted protocols  8
3.4 Changing default passwords  9
3.5 PROFINET  10
3.6 Discovery and Basic Configuration Protocol (DCP)  11
3.6.1 DCP access  11
3.6.2 DCP forwarding  12
3.7 Quality of service – traffic prioritization  13
3.8 Redundancy  15
3.8.1 Ring redundancy  15
3.8.2 Spanning tree  18
3.8.3 Passive listening  18
3.9 Wireless LAN  19
3.9.1 WLAN encryption  19
3.9.2 WLAN layer 2 tunnel  19
3.9.3 WLAN iPCF  20
3.10 Configuration backup  20
3.11 Additional settings  21
3.11.1 Port settings  21
3.11.2 System information  21
3.11.3 Syslog  22
3.11.4 Restricting button functions  22
3.11.5 Rate control  22
3.11.6 Loop detection  23
3.11.7 Port mirroring  23
3.11.8 VRRP  24
3.11.9 Default gateway  25
4 Appendix  26
4.1 Service and Support  26
4.2 Links and Literature  27
4.3 Change documentation  27


1 Introduction

1.1 Overview

Reason

SCALANCE devices offer a variety of functions and properties. Very often, these devices are integrated into the IT infrastructure with their default settings or with active functions that are not needed. Unauthorized users might therefore access the modules and cause damage.

Observe the following security-relevant settings to prevent unauthorized access via the network and thus operate the SCALANCE device securely:

Disable unused protocols

Limit access to read access only

Change default passwords

Set up encryption

Motivation

This overview document provides a checklist to support you in preparing the SCALANCE device.

The checklist guides you through the functions of the SCALANCE devices and provides general recommendations for configuration.

Using this checklist, you can optimally prepare the SCALANCE device for use without skipping important settings.

Content of the document

The checklist includes the following topics:

Using the latest firmware

Disabling unencrypted protocols

Changing default passwords

Setting up time synchronization

PROFINET

Discovery and Basic Configuration Protocol – DCP

Quality of service – traffic prioritization

Redundancy

Wireless LAN

Configuration backup

Additional settings

Note This overview document only provides some clues for configuration and does not include comprehensive configuration instructions. It is highly recommended to refer to the corresponding manual for detailed information and restrictions of individual features.


1.2 The SCALANCE devices

All SCALANCE devices are configured via Web-Based Management (WBM) or CLI. For SCALANCE devices, there are basically two variants of software platforms for configuration. Normally, the functions and their configuration are identical or very similar.

Based on the variants mentioned above, the SCALANCE devices are divided as follows:

X-200 and X-300

Devices based on Modular Switching Platform SCALANCE (MSPS)

The following devices are based on MSPS:

SCALANCE XB-200

SCALANCE XC-200

SCALANCE XP-200

SCALANCE XM-400

SCALANCE X-500

SCALANCE S615

SCALANCE W-700 (802.11n types)

SCALANCE M800 (except for M875 and M873)


2 Shortened Checklist

Check the steps listed below for each SCALANCE device:

Use the latest firmware

Disable "HTTP" and use "HTTPS" instead

Change default passwords of the “admin” and “user” users

Disable "Telnet" and use "SSH" instead for the CLI. If the CLI is not used, disable both "Telnet" and "SSH"

Restrict DCP access to “Read-Only”

Restrict SNMPv1/v2 access at least to "Read-Only"; preferably use SNMPv3

Disable the PROFINET interface, if no PROFINET is used

Enable time synchronization

For SCALANCE X: Disable preset ring ports

Disable “Spanning tree”, if it is not used

Disable the "SINEMA Configuration Interface" option

If PROFINET data traffic runs via the device and no own VLAN configuration is used, enable "VLAN 0 aware mode" (X-300) or "802.1D Transparent Bridge".

Enable WLAN encryption and use WPA2

Set the default gateway for all devices. If no gateway is used, set the gateway address to an unused IP address in the local network anyway.

Create a backup of the configuration via WBM and / or C-PLUG

Note Not all features described above are available for all SCALANCE devices. The available features depend on the SCALANCE type and on the firmware version used.


3 Detailed Checklist

3.1 Using the latest firmware

Menu path

The information can be found under the following paths:

For MSPS devices: “Information > Versions”

For X-200 and X-300: "Agent > System > Version Numbers"

Recommendation

Use the latest firmware version. If the SCALANCE device is not run with the latest firmware, update the firmware version. The latest firmware versions are available in the Siemens Industry Online Support (see \1\ chapter 4.2). For some parts of the download, registration is required.

3.2 Setting up time synchronization

Menu path

The information can be found under the following paths:

For MSPS: "System > System time"

For X-200 and X-300: "Agent > Time config"

Recommendation

For troubleshooting or log analysis, continuously synchronize the time on all components. Without a valid time, the logs only contain the operating time since the last restart.

All current SCALANCE devices support the following synchronization options:

NTP

SNTP (S stands for “simple”)

Polling and lists

SIMATIC time

Use the secure NTP variant, if it is available.

With regard to the SIMATIC time, the SCALANCE devices only support the client function. For the master function, you can use e. g. a CP343-1 or CP443-1.

Remark

If no NTP server is available in the network, you will find an application example in the Siemens Industry Online Support (see \3\ in chapter 4.2). This application example provides a minimum SNTP server on the CPUs S7-300/400/1200/1500. You can use this SNTP server to apply the CPU time uniformly to all components.


3.3 Disabling unencrypted protocols

Menu path

The information can be found under the following paths:

For MSPS: "System > Configuration"

For X-200 and X-300: "Agent"

Recommendations

1. Disable http by enabling "https only".

2. Disable the "Telnet Server" and use the "SSH Server" instead. If you are not using the CLI, disable both Telnet and SSH.

3. Set SNMPv1/v2 to at least "Read-Only" so that the device configuration cannot be changed via insecure "SNMP Set" requests, and change the community strings for SNMPv1/v2. Attention: with SNMPv1/v2, the data are transferred as plain text on the line.

4. Preferably disable SNMPv1/v2 completely and use the secure SNMPv3 instead.

5. Disable the "SINEMA Configuration Interface" option. With this setting, loading via TIA Portal is not possible.

Note: For SNMPv3, the client can neither read nor write without valid logon. The data are transferred in an encrypted way.


3.4 Changing default passwords

Menu path

The information can be found under the following paths:

For MSPS: "Security > Users"

For X-200 and X-300: "System > Passwords"

Default setting

The preset accounts are "admin" and "user". The corresponding passwords are "admin" and "user".

Recommendation

Change the passwords of both accounts and use secure passwords.

Remark

The "user" account is not able to change the configuration. If the password remains unchanged, the settings are visible to anybody.

If your SCALANCE device is provided with a more recent MSPS firmware version, you will be prompted automatically to change the (admin) password when logging in for the first time.

For the latest versions, create a password that meets at least the following conditions:

One upper-case letter

One lower-case letter

One digit

One special character

Length of eight characters

Weaker passwords will not be accepted. On most MSPS devices, the "user" account can be deleted entirely.

For X-200 and X-300, you can neither rename nor delete the "admin" or "user" accounts.
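The password rules above, as an added checker that is not Siemens code: it reports which of the listed conditions a candidate password misses and rejects the factory defaults named in this section. The function names are mine, and since the page does not say which characters the device counts as "special", the check assumes ASCII punctuation.

```python
"""Check a candidate SCALANCE password against the MSPS password rules
listed in this checklist (one upper-case letter, one lower-case letter,
one digit, one special character, length of eight characters) and reject
the factory default credentials. Added example, not Siemens code; which
characters count as "special" on the device is an assumption (ASCII
punctuation)."""
import string

# Preset accounts and their default passwords, as stated in the checklist.
FACTORY_DEFAULTS = {"admin": "admin", "user": "user"}


def unmet_rules(password: str) -> list[str]:
    """Return the names of the checklist conditions the password does not meet
    (empty list means all conditions are satisfied)."""
    rules = {
        "upper-case letter": any(c.isupper() for c in password),
        "lower-case letter": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        # Assumption: ASCII punctuation is what the device accepts as "special".
        "special character": any(c in string.punctuation for c in password),
        "length of eight characters": len(password) >= 8,
    }
    return [name for name, ok in rules.items() if not ok]


def password_acceptable(account: str, password: str) -> bool:
    """True only if the password is not the factory default for the account
    and meets every listed condition."""
    if FACTORY_DEFAULTS.get(account) == password:
        return False
    return not unmet_rules(password)


if __name__ == "__main__":
    # Constructed candidates: the factory default and a compliant replacement.
    for account, candidate in [("admin", "admin"), ("admin", "Sc4lance!")]:
        missing = unmet_rules(candidate)
        print(account, "acceptable" if password_acceptable(account, candidate)
              else "rejected", missing)
```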


3.5 PROFINET

Menu path

This information is available for MSPS at "System > PROFINET / PN".

Recommendation

1. If the device is not assigned to any PROFINET controller, you should disable the PROFINET interface completely ("Off"). With this setting, the SCALANCE device will not accept any configuration changes made by a controller. Disabling the PN interface does not change how the SCALANCE device responds to DCP requests.

2. You should set the DCP access at least to "Read-Only" (see chapter 3.6). This setting is independent of the PROFINET status.

3. SCALANCE X-200 and X-300 do not have any option to generally disable PROFINET. For this reason, do not assign any PROFINET name and restrict DCP to "Read-Only" (see chapter 3.6). Without a valid name, a standard-compliant PROFINET controller can neither exchange data with the device nor assign a new name.

Remarks

A restart is required to ensure that the change becomes effective. Without a restart, an incorrectly configured controller might take over parts of the configuration, even without valid logon data. The port and ring settings, for example, are part of the PROFINET configuration.

Note on PROFINET update time and monitoring time

Please check which update time and monitoring time the corresponding application really requires and configure reasonable times accordingly.

Choose values as large as possible for update time and repetitions.

In the default setting, STEP 7 assigns very short update times (1 or 2 ms) and three repetitions. This default setting results in a monitoring time of 3 ms or 6 ms. With a longer monitoring time, the PROFINET communication is less susceptible to failures in the network. If, for example, the CPU cycle time is already between 50 and 100 ms, an update time of 1 ms will be of little benefit.


3.6 Discovery and Basic Configuration Protocol (DCP)

3.6.1 DCP access

Description

The Discovery and Basic Configuration Protocol ("DCP") is used to assign basic parameters such as IP settings and PROFINET names to the devices. DCP also offers an option to reset the device to the factory settings.

Typically, DCP is used by PROFINET controllers or engineering software (e. g. PST, STEP 7, PRONETA) to find devices and to configure them. DCP cannot be routed and is therefore restricted to the local layer 2 network.

Menu path

The information can be found under the following paths:

For MSPS: "System > Configuration"

For X-200 and X-300: "Agent"

Recommendation

Restrict the DCP access to "Read-Only".

"Read/Write" can be used for changing IP parameters and/or the PROFINET name or for triggering a reset. This can be done even if the logon data are not known.

With “Read-Only”, the device does not respond to "DCP Set Requests” any longer. Thus, no new parameters can be assigned via engineering tools, even if the device remains visible.

Remark

If you operate the SCALANCE device as a PROFINET device although the "Read-Only" option is enabled, the following settings must match the controller's configuration:

IP address

Subnet mask

Gateway IP address

PROFINET name

The controller itself cannot assign these parameters, because the device does not respond to "DCP Set Requests".

If all parameters have already been entered correctly in the PROFINET device, DCP assignment is not required. PROFINET communication can be started immediately.

With the setting "DCP Disabled", the device does not provide any feedback and will become invisible with regard to DCP. With this setting, the SCALANCE device cannot be operated as a PROFINET device.


3.6.2 DCP forwarding

Menu path

The information can be found under the following paths:

For MSPS: "Layer 2 > DCP Forwarding"

For X-200 and X-300: "Switch > DCP (Configuration)"

Recommendation

Normally, PROFINET devices without an extended configuration interface do not provide the option to set the DCP settings to "Read-Only".

If possible, prevent DCP telegrams from being forwarded on the ports.

Note:

First, check where DCP is required in the network. If you disable the forwarding of DCP telegrams, the correct functioning of the controller or the PGs might be affected. DCP forwarding should remain disabled at least for ports that are switched and located at the boundaries of an unknown network.


For standard PROFINET devices such as e. g. ET 200SP, the respective function can be found in the port options of STEP 7 under "End of detection of accessible devices".

Remark

Particularly in networks to which several parties are connected, use "DCP Disabled" and restricted forwarding with caution.

With "DCP Disabled" and/or restricted forwarding, addresses or names already used by third parties may appear to be unassigned, because those devices no longer answer DCP queries. Duplicate addresses can cause network problems.

3.7 Quality of service – traffic prioritization

Information

You can implement the prioritization of processing in two different ways:

Based on the "COS" priority in the VLAN tag (Ethernet, layer 2)

Based on the "DSCP" field in the IP header (layer 3).

If both occur simultaneously in one telegram, the SCALANCE device must decide which one has a higher priority.

Current PROFINET devices send time-critical data using the following VLAN tag:

VLAN-ID: 0

Priority Code 6.

The mere PROFINET data traffic has no IP header and, as a consequence, no DSCP information.

Switches such as SCALANCE X-100 or X-200 that are not VLAN-capable forward data by means of the "COS" priority in the VLAN tag.

VLAN-capable switches such as e. g. XB/XC/XP-200, X-300, XM-400 and X-500 forward the data traffic according to their settings in the configuration. In the default settings, all ports are "untagged members" of the "default VLAN 1". With this setting (untagged), the VLAN tag will be lost after it has been forwarded by the first switch. Thus, the "COS" priority information will be removed as well.

COS and PROFINET

If the PROFINET data traffic passes the (VLAN-capable) device and an extended VLAN separation is not required, use the following settings. With these settings, the VLAN tag will be maintained.


For X-300, go to the "Switch" menu item and enable "VLAN 0 Aware mode”.

For MSPS, go to "Layer 2 > VLAN" menu item and set the Bridged Mode to "802.1D Transparent Bridge". For XM-400 and X-500, tick the "Transparent" option for VLAN1.

Prioritization

If the device supports several trust options, make sure that the "COS" priority is preferred to "DSCP".

For MSPS devices, the "trust options" can be found under the menu item "Layer 2 > QoS > QoS Trust".

1. Set all ports with PROFINET traffic shares to "Trust COS".

2. If the network contains time-critical IP data traffic, e. g. VoIP or video streaming, select the "DSCP (over) COS" option.

3. If you are using PROFINET, prioritize with "COS".


3.8 Redundancy

3.8.1 Ring redundancy

Ring protocols

Many SCALANCE modules support the following two ring protocols:

MRP – Media Redundancy Protocol

HRP – High-Speed Redundancy Protocol

Among others, MRP is standardized for PROFINET. Thus, compatible devices can be included directly into the ring. HRP is a proprietary method which is (almost) exclusively limited to SCALANCE X.

Both methods require a switchover time when the connection is interrupted. The guaranteed maximum times are 200 ms for MRP and 300 ms for HRP. The higher-level application must be able to cope with these short-term interruptions during the switchover.

With PROFINET, the watchdog time for devices communicating via the ring must be longer than the switchover time. To achieve a longer watchdog time, increase the update time or the number of repetitions.

If the application does not allow any interruption, you have to use a redundancy method without switchover time. Uninterrupted redundancy methods are e. g. the following protocols:

HSR – High-availability Seamless Redundancy

PRP – Parallel Redundancy Protocol

MRPD – Media Redundancy for Planned Duplication

HSR and PRP are only available for the SCALANCE X204 RNA.

MRPD is normally used for SIMOTION, SINAMICS and IRT-PROFINET devices.
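The two timing rules stated in this checklist, the PROFINET monitoring time from the note in chapter 3.5 (update time times accepted repetitions) and the ring switchover limits above (200 ms for MRP, 300 ms for HRP), carried through as an added example. This is not Siemens code or a STEP 7 API; the function names and the sample device rows are mine.

```python
"""Worked example for two timing rules in this checklist: the PROFINET
monitoring (watchdog) time equals update time x accepted repetitions
(chapter 3.5), and for devices that communicate across a redundant ring
that watchdog must be longer than the ring's guaranteed switchover time,
200 ms for MRP and 300 ms for HRP (chapter 3.8.1). Added example, not
Siemens code; function names are assumptions of this example."""

# Guaranteed maximum switchover times from the checklist, in milliseconds.
RING_SWITCHOVER_MS = {"MRP": 200, "HRP": 300}


def monitoring_time_ms(update_time_ms: float, repetitions: int) -> float:
    """Watchdog time resulting from the update time and the accepted number of
    repetitions (STEP 7 defaults of 1-2 ms and 3 repetitions give 3 or 6 ms)."""
    if update_time_ms <= 0 or repetitions < 1:
        raise ValueError("update time must be > 0 ms and repetitions >= 1")
    return update_time_ms * repetitions


def survives_ring_switchover(update_time_ms: float, repetitions: int,
                             ring_protocol: str) -> bool:
    """True if the watchdog outlasts the ring's guaranteed switchover time, so a
    single ring reconfiguration does not drop the PROFINET connection."""
    limit = RING_SWITCHOVER_MS[ring_protocol]
    return monitoring_time_ms(update_time_ms, repetitions) > limit


def minimum_repetitions(update_time_ms: float, ring_protocol: str) -> int:
    """Smallest repetition count that makes the watchdog exceed the switchover
    time at a fixed update time. Raising the update time is the other knob the
    checklist names; at 1 ms this needs 201 repetitions, which is why a longer
    update time is usually the better choice."""
    limit = RING_SWITCHOVER_MS[ring_protocol]
    reps = 1
    while update_time_ms * reps <= limit:
        reps += 1
    return reps


def audit(devices: list[dict]) -> list[str]:
    """Report devices whose watchdog is too short for their ring. Each row is a
    constructed dict with name, update_time_ms, repetitions and ring."""
    findings = []
    for d in devices:
        if survives_ring_switchover(d["update_time_ms"], d["repetitions"], d["ring"]):
            continue
        wd = monitoring_time_ms(d["update_time_ms"], d["repetitions"])
        findings.append(
            f"{d['name']}: watchdog {wd:g} ms <= {d['ring']} switchover "
            f"{RING_SWITCHOVER_MS[d['ring']]} ms; needs at least "
            f"{minimum_repetitions(d['update_time_ms'], d['ring'])} repetitions "
            f"at {d['update_time_ms']:g} ms"
        )
    return findings


if __name__ == "__main__":
    # Constructed sample: STEP 7 defaults on an MRP ring, and a tuned HRP device.
    sample = [
        {"name": "ET200SP-1", "update_time_ms": 2, "repetitions": 3, "ring": "MRP"},
        {"name": "ET200SP-2", "update_time_ms": 128, "repetitions": 3, "ring": "HRP"},
    ]
    for line in audit(sample) or ["all watchdogs exceed the ring switchover time"]:
        print(line)
```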


Note on abbreviations

Initially, HRP was also abbreviated as HSR.

As the new bumpless method uses the same abbreviation, HSR has been renamed as HRP. In previous firmware versions and manuals of X-200 or X-300, HSR is still used. In this case, the abbreviation stands for the “High-Speed Redundancy Protocol" with a switchover time of 300 ms. HSR is only available for the SCALANCE X204 RNA.

Factory settings

In the delivery state, the ring ports are enabled by default for almost all SCALANCE X components. The exact port numbers are indicated in the corresponding manuals of the different hardware types. Normally, P1/P2, optical or Gbit ports are used.

"Automatic Redundancy Detection" (ARD) is preset as the method used. A device with ARD being enabled works as follows:

If an HRP manager is connected, the device will become an HRP client.

If an MRP manager is connected, the device will become an MRP client.

If no ring manager is connected, the device will become an MRP manager.

With ARD, the device will never become an HRP manager.

Menu path

The information can be found under the following paths:

For MSPS: "Layer 2 > Ring Redundancy"

For X-200 and X-300: "X200 / X300 > Ring (Redundancy)"


Recommendation

If the device is not operated in a ring, make sure that ring redundancy is deactivated.

Remark

In the default setting ARD, a SCALANCE X device without connected ring manager will become an MRP manager itself. In this function, test frames monitoring the ring status are sent at both ring ports. The test frames are MAC multicasts. Most devices will interpret these frames as unknown multicast and therefore will flood all other ports. Depending on the setup, this might involve failures, e. g. for other ring managers, or if devices get too many multicasts in total.

For optical ports, the "Link Check" feature can be enabled to detect partial interruptions of the connection (if available in the device).

Note:

Configure the ring before it will be closed physically. Otherwise, there might be a loop that interrupts communication.

All devices in a ring must support the ring protocol used and be configured correspondingly. Other devices, e. g. unmanaged switches, must not be integrated into the ring. Fast switchover with approx. 300 ms will not work with such devices, even if the setup first seems to be functional.

Monitoring with MRP

If you want to monitor the status of the ring, e. g. via SNMP or in the S7-CPU program, define a fixed MRP manager. Set all other ring nodes to MRP client. When there are several MRP managers, it is not clear which one is currently active. As a consequence, all devices have to be addressed in order to find the current manager and to determine the status.

Note Application examples for redundancy are available in the Siemens Industry Online Support (see \4\ chapter 4.2).


3.8.2 Spanning tree

Menu path

The information can be found under the following paths:

For MSPS: "Layer 2 > Spanning Tree"

For X-300: "Switch"

Recommendation

1. In the default settings, "Spanning Tree" is enabled for some SCALANCE X devices. Disable "Spanning Tree", if it is not used.

2. If you are using Spanning Tree, preferably use RSTP (rapid) due to the shorter reconfiguration time. Select a reasonable position for the root bridge and the path cost to keep the reconfiguration time short.

Remark

SCALANCE X-200 and X-200 IRT do not support Spanning Tree.

Note An application example for RSTP is available in the Siemens Industry Online Support (see \4\ chapter 4.2).

3.8.3 Passive listening

Menu path

The information can be found under the following paths:

For MSPS: "Layer 2 > Configuration"

For X-200 and X-300: "Switch"

Recommendation

In the default settings, "Passive Listening" is enabled for most SCALANCE X devices.

Disable "Passive Listening", unless there is a constellation in the network that depends on it, e. g. a coupling of STP to an HRP ring or MRP ring.

Remark

With "Passive Listening", the switch forwards BPDUs. With an incoming topology change, it will delete its MAC address table.

The switch will also delete the MAC address table, if STP is not enabled for the device or if the device itself generally does not support STP.


3.9 Wireless LAN

3.9.1 WLAN encryption

Menu path

This information is available for IWLAN devices at the menu item "Security > WLAN > Basic".

Recommendation

Enable the "WPA2 with AES" encryption.

Remark

WEP should not be used due to major design errors. As of firmware version V6.0, WEP generally cannot be selected anymore. The "Preshared Key" encryption provides protection against external parties only. Other clients using the same password or knowing it could still decrypt the data traffic.

Use secure protocols for the radio link as well.

3.9.2 WLAN layer 2 tunnel

Menu path

This information is available for IWLAN devices at the menu item "Interfaces > WLAN > Client".

Recommendation

Set the MAC mode to "Layer 2 Tunnel", if the client and the access point are SCALANCE W devices.

Note: As of firmware version V6.0, "Layer 2 Tunnel" is the default setting as soon as you enable the "iPCF" function.

Remark

With the "Layer 2 Tunnel" setting, the access point will also receive the real MAC addresses of the devices which are behind the client and not only the client MAC address.

If you are using the "Layer 2 Tunnel" MAC mode, you can connect up to eight nodes or MAC addresses to the client.

Note:

This is a proprietary function of SCALANCE devices and cannot be used with access points of third-party manufacturers.

3.9.3 WLAN iPCF

Menu path

This information is available for IWLAN devices at the menu item "iFeatures > iPCF".

Recommendation

1. Use the deterministic "iPCF", if you want to transfer time-critical data, e. g. PROFINET, via the radio link.

2. Use "iPCF" together with 11a (Note: not 11n) to ensure a more stable connection.

Remark

"Standard DCF" does not guarantee fixed transmission times and therefore is not deterministic.

Note:

"iPCF" is a proprietary function of SCALANCE devices and cannot be used with access points or clients of third-party manufacturers.

3.10 Configuration backup

Menu path

The information can be found under the following paths:

For MSPS: "System > Load & Save"

For X-200 and X-300: "System > Save & Load http"

Recommendation

Create a backup of the configuration settings after commissioning and at regular intervals.

Remark

For SCALANCE X-200/X-300, all settings are included in the Config file.

For MSPS, there is a distinction between Config and ConfigPack. The Config contains only the settings from the WBM; the ConfigPack additionally contains the users, passwords and certificates.

You can also save the configuration on a specified TFTP server. The backup can be triggered automatically, e. g. via an SNMP tag.

C-PLUG

The C-PLUG is a replaceable storage medium on which all settings of the device can be saved. In case of a replacement, you can remove the C-PLUG from the defective device and insert it into the replacement device. The replacement device will then automatically start with the same settings.

Newer MSPS devices are additionally provided with an option ensuring that the firmware version will be saved on the C-PLUG as well. In this case, the replacement device first will carry out an update (if required) and then apply the settings.

3.11 Additional settings

3.11.1 Port settings

Menu path

The information can be found under the following paths:

For MSPS: "System > Ports > Configuration"

For X-200 and X-300: "Switch > Ports / Port Status"

Recommendation

1. To minimize risks, disable ports that are permanently unused.

2. If the partner is an unmanaged switch, do not use any fixed settings. Use Auto Negotiation only.

Remark

If you are using a fixed setting for speed or mode instead of Auto Negotiation, make the setting on both devices.

If you mix Auto Negotiation and fixed settings, the auto-negotiating node falls back to half-duplex mode. Compared to full-duplex, half-duplex operation results in poor network performance.
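
An audit of a planned port table against the two recommendations and the half-duplex fallback described above. This is an added example, not part of the Siemens checklist: the port table and the field names (e.g. partner_managed) are constructed.

```python
"""Audit a planned SCALANCE port table against the port-settings recommendations.
Added example, not from the Siemens checklist; the table and field names are
constructed ('partner_managed' = the partner is a managed switch)."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class Port:
    name: str
    enabled: bool
    partner: Optional[str]          # None = nothing permanently connected
    partner_managed: bool = True    # False = unmanaged switch or simple device
    auto_neg: bool = True           # local side uses Auto Negotiation
    duplex: str = "full"            # local fixed duplex, used when auto_neg is False
    partner_auto_neg: bool = True
    partner_duplex: str = "full"    # partner fixed duplex, used when partner_auto_neg is False

def resulting_duplex(auto_neg, duplex, peer_auto_neg, peer_duplex):
    """IEEE 802.3 parallel detection: an auto-negotiating side facing a fixed partner
    learns only the speed and falls back to half-duplex, the fixed side keeps its setting."""
    if auto_neg and peer_auto_neg:
        return ("full", "full")
    if auto_neg:
        return ("half", peer_duplex)
    if peer_auto_neg:
        return (duplex, "half")
    return (duplex, peer_duplex)

def audit_ports(ports):
    """Return (port, finding) pairs for settings the checklist advises against."""
    findings = []
    for p in ports:
        if p.partner is None:
            if p.enabled:   # recommendation 1: permanently unused ports stay disabled
                findings.append((p.name, "unused port is enabled; disable it"))
            continue
        if not p.partner_managed and not p.auto_neg:   # recommendation 2
            findings.append((p.name, "fixed setting towards unmanaged partner; use Auto Negotiation"))
        local, remote = resulting_duplex(p.auto_neg, p.duplex, p.partner_auto_neg, p.partner_duplex)
        if local != remote:   # one side half, the other full: the mismatch described above
            findings.append((p.name, f"duplex mismatch: local {local}, partner {remote}"))
    return findings

SAMPLE_PORTS = [   # constructed, not a real installation
    Port("P1", enabled=True, partner=None),
    Port("P2", enabled=True, partner="unmanaged switch", partner_managed=False, auto_neg=False),
    Port("P3", enabled=True, partner="XC208 uplink"),
    Port("P4", enabled=True, partner="PLC", partner_auto_neg=False),
]
```

Running audit_ports(SAMPLE_PORTS) flags P1 (enabled but unused), P2 (fixed setting towards an unmanaged switch, which in turn ends up half-duplex) and P4 (the auto-negotiating local side falls back to half-duplex against the fixed PLC port).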

3.11.2 System information

Menu path

The information can be found under the following paths:

For MSPS: "System > General"

For X-200 and X-300: "System"

Recommendation

Configure plausible and meaningful values for the system name, the contact and the installation location.

These values are typically queried by monitoring software or SNMP clients.

3.11.3 Syslog

Menu path

The information can be found under the following paths:

For MSPS: "System > Syslog Client"

For X-300: "Agent > Agent Syslog"

Information

If a Syslog server is present on the network, the device can send all log entries that have occurred to the server. Thus, there is a central point where all log entries can be viewed directly.

Recommendation

The Syslog protocol transfers the data in an unencrypted way. For this reason, the Syslog data traffic should not pass any insecure networks.

3.11.4 Restricting button functions

Menu path

The information can be found under the following paths:

For MSPS: "System > Button"

For X-200 and X-300: "System > Select/Set Button"

Recommendation

In this menu, you can disable the reset function of the physical button on the module housing. If available, you can also disable the switchover of ring functions.

3.11.5 Rate control

Menu path

The information can be found under the following paths:

For MSPS: "Layer 2 > Rate control"

For X-300: "Switch > Load Limits Rates"

Recommendation

In case of connection to third-party networks, you can limit potentially disturbing traffic by means of "Multicast or Broadcast Limits". As far as possible, you should carry out a layer 3 separation by means of a router.

Remark

Note that such a limit also discards frames of essential protocols, e.g. ARP. The type of limit you select and its extent must match the setup.

3.11.6 Loop detection

Menu path

The information can be found under the following paths:

For MSPS: "Layer 2 > Loop Detection"

For X-200 and X-300: "Switch > Loop Detection"

Recommendation

Enable "Loop Detection", if you are frequently changing or extending the cabling within your network.

Loop Detection helps to detect loops that have been plugged in unintentionally and to switch off the corresponding port, thus ensuring that the network remains functional. The detailed settings depend on the setup of the network.

Remark

As a rule of thumb, the switches in the network should use increasing RX thresholds "from bottom to top". Using this rule, the local switches will respond first and directly switch off the port before the higher-level switch will disconnect the entire cell.
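
The "from bottom to top" rule as a check over a switch hierarchy. This is an added example, not part of the Siemens checklist; the topology and the threshold values are constructed illustrations, not recommended settings.

```python
"""Check the Loop Detection rule of thumb: RX thresholds must increase from the
field level up to the backbone, so that the switch nearest to a loop trips first.
Added example, not from the Siemens checklist; topology and values are constructed."""

# Constructed hierarchy: switch -> (uplink switch or None, Loop Detection RX threshold)
TOPOLOGY = {
    "backbone": (None, 30),
    "cell-a":   ("backbone", 20),
    "cell-b":   ("backbone", 25),
    "field-a1": ("cell-a", 10),
    "field-a2": ("cell-a", 20),   # equal to its uplink: unclear which switch trips first
    "field-b1": ("cell-b", 40),   # higher than its uplink: the cell switch trips first
}

def uplink_path(topology, switch):
    """Switches from `switch` up to the root, inclusive."""
    path = [switch]
    while topology[path[-1]][0] is not None:
        path.append(topology[path[-1]][0])
    return path

def first_to_react(topology, switch):
    """Assuming the switches on the uplink path all see a loop below `switch`, the one
    with the lowest threshold disables its port first. On a tie the higher-level
    switch is returned, which is exactly the case the rule of thumb wants to avoid."""
    path = uplink_path(topology, switch)
    return min(reversed(path), key=lambda s: topology[s][1])

def check_thresholds(topology):
    """Switches whose threshold is not strictly below their uplink's, i.e. where a
    loop would not be cut off locally but by the higher-level switch (whole cell)."""
    return sorted(name for name, (uplink, thr) in topology.items()
                  if uplink is not None and thr >= topology[uplink][1])
```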

3.11.7 Port mirroring

Menu path

The information can be found under the following paths:

For MSPS: "Layer 2 > Mirroring"

For X-300: "Switch > Port Mirroring"

Recommendation

If you are using port mirroring on VLAN-capable switches, make sure that the monitoring port is not a member of any VLAN (no U/M or T in the "VLAN" tab). Otherwise, duplicate telegrams might occur.

Remark

When in doubt, the "Monitoring Barrier" should be enabled to make sure that the PC cannot cause any feedback within the network at the monitoring port.

With the barrier being enabled, the WBM of the device might not be accessible anymore via the monitoring port.

3.11.8 VRRP

Menu path

This information is available for XM-400 and X500 devices at the menu path "Layer 3 > VRRP / VRRPv3".

Information

By means of VRRP, routers can provide a redundant gateway IP address for other routers or terminal devices. This address will be shared by all routers having the same VRID in the local network. The current master takes over the traffic at the virtual shared IP address.

Terminal devices can use the unique virtual IP address as a gateway.

Recommendation

Prefer VRRPv3 to VRRP due to the faster switchover time.
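
The switchover argument behind this recommendation, worked through with the timer formulas of RFC 3768 (VRRP) and RFC 5798 (VRRPv3). This is an added example, not part of the Siemens checklist; the 10 cs advertisement interval is an illustrative value, not a SCALANCE default.

```python
"""Why VRRPv3 can switch over faster than VRRP: the failover timers of RFC 3768
(VRRP, seconds) and RFC 5798 (VRRPv3, centiseconds). Added example, not from the
Siemens checklist; the 10 cs interval below is illustrative, not a SCALANCE default."""

def vrrpv2_master_down_s(priority, adver_interval_s=1):
    """RFC 3768: Skew_Time = (256 - Priority) / 256 seconds and
    Master_Down_Interval = 3 * Advertisement_Interval + Skew_Time.
    Advertisement_Interval is a whole number of seconds, so 1 s is the minimum."""
    skew = (256 - priority) / 256
    return 3 * adver_interval_s + skew

def vrrpv3_master_down_cs(priority, master_adver_interval_cs=100):
    """RFC 5798: Skew_Time = ((256 - Priority) * Master_Adver_Interval) / 256 and
    Master_Down_Interval = 3 * Master_Adver_Interval + Skew_Time, all in centiseconds
    (default Master_Adver_Interval = 100 cs = 1 s)."""
    skew = ((256 - priority) * master_adver_interval_cs) / 256
    return 3 * master_adver_interval_cs + skew

def compare(priority=100):
    """Time in seconds until a backup with the given priority declares the master down."""
    return {
        "v2_default_s": vrrpv2_master_down_s(priority),           # 1 s advertisements
        "v3_default_s": vrrpv3_master_down_cs(priority) / 100,    # same 1 s interval
        "v3_fast_s": vrrpv3_master_down_cs(priority, 10) / 100,   # 100 ms advertisements
    }

def takeover_order(priorities, master_adver_interval_cs=100):
    """Backups sorted by when they would declare the master down: the skew term makes
    the highest-priority backup react first, so only one of them takes over."""
    return sorted(priorities, key=lambda p: vrrpv3_master_down_cs(p, master_adver_interval_cs))
```

With equal 1 s advertisements both versions detect a failed master after about 3.6 s (priority 100); only the centisecond granularity of VRRPv3 brings this down to roughly 0.36 s.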

3.11.9 Default gateway

Menu path

The information can be found under the following paths:

For MSPS: "System > Agent IP" or "Layer 3 > Static Routes"

For X-200 and X-300: "Agent"

Recommendation

Even if the devices currently do not need any default gateway, it might be required for future extensions, e. g. if further subnets are added or if you want to set up remote maintenance.

In the devices, always set a default gateway to an unused IP address in the local subnet. If you need a router later on, you can assign this address to the additional router.

This is particularly important for S7 controllers, as for those devices the gateway cannot be changed subsequently without setting the CPU to STOP.

Remark

Within the layer 3 menu, the default gateway is defined via a route with the target "0.0.0.0".
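
An audit of the reserved default gateway across the devices of one subnet, following the recommendation above (one unused address in the local subnet, configured identically on every device, which on MSPS is the static route with target "0.0.0.0"). This is an added example, not part of the Siemens checklist; the device inventory is constructed.

```python
"""Audit the reserved default gateway across the devices of one subnet, following the
checklist: every device points at the same, currently unused address inside the local
subnet (on MSPS a static route with target 0.0.0.0). Added example, not from Siemens;
the inventory is constructed."""
import ipaddress

SUBNET = ipaddress.ip_network("192.168.10.0/24")
# Constructed inventory: device -> (own IP address, configured default gateway)
INVENTORY = {
    "plc-1":   ("192.168.10.11", "192.168.10.254"),
    "hmi-1":   ("192.168.10.12", "192.168.10.254"),
    "xc208":   ("192.168.10.13", "192.168.10.254"),
    "drive-1": ("192.168.10.14", None),            # no gateway: on an S7 CPU a later change needs STOP
    "w774":    ("192.168.10.15", "192.168.20.1"),  # gateway outside the local subnet
}

def audit_gateways(subnet, inventory):
    """Return (device, finding) pairs; a final 'subnet' entry flags disagreement."""
    used = {ipaddress.ip_address(ip) for ip, _ in inventory.values()}
    findings = []
    for name, (ip, gw) in inventory.items():
        if gw is None:
            findings.append((name, "no default gateway configured"))
            continue
        gw_addr = ipaddress.ip_address(gw)
        if gw_addr not in subnet:
            findings.append((name, "gateway not in local subnet"))
        elif gw_addr in (subnet.network_address, subnet.broadcast_address):
            findings.append((name, "gateway is the network or broadcast address"))
        elif gw_addr in used:
            findings.append((name, "gateway address already assigned to a device"))
    gateways = sorted({gw for _, gw in inventory.values() if gw})
    if len(gateways) > 1:
        findings.append(("subnet", f"devices disagree on the gateway: {gateways}"))
    return findings

def propose_gateway(subnet, inventory):
    """Highest free host address: reserve it as the placeholder gateway on all devices
    and assign it to the router if one is added later."""
    used = {ipaddress.ip_address(ip) for ip, _ in inventory.values()}
    for host in reversed(list(subnet.hosts())):
        if host not in used:
            return str(host)
    return None
```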

4 Appendix

4.1 Service and Support

Industry Online Support

Do you have any questions or need assistance?

Siemens Industry Online Support offers round the clock access to our entire service and support know-how and portfolio.

The Industry Online Support is the central address for information about our products, solutions and services.

Product information, manuals, downloads, FAQs, application examples and videos – all information is accessible with just a few mouse clicks at: https://support.industry.siemens.com

Technical Support

The Technical Support of Siemens Industry provides you with fast and competent support regarding all technical queries with numerous tailor-made offers – ranging from basic support to individual support contracts. You can send queries to Technical Support via the web form: www.siemens.com/industry/supportrequest

Service offer

Our range of services includes, inter alia, the following:

Product trainings

Plant data services

Spare parts services

Repair services

On-site and maintenance services

Retrofitting and modernization services

Service programs and contracts

You can find detailed information on our range of services in the service catalog: https://support.industry.siemens.com/cs/sc

Industry Online Support app

You will receive optimum support wherever you are with the "Siemens Industry Online Support" app. The app is available for Apple iOS, Android and Windows Phone: https://support.industry.siemens.com/cs/ww/en/sc/2067

4.3 Change documentation

Table 4-2

Version  Date     Modifications
V1.0     03/2017  First version