Download Print this page

Siemens SCALANCE XC-200 Set Up And Configuration

Service bridge
Hide thumbs

Advertisement

Table of Contents
Service Bridge
Setup and
Configuration
SCALANCE XC-200
https://support.industry.siemens.com/cs/ww/en/view/109747975
Siemens
Industry
Online
Support

Advertisement

Table of Contents
loading

  Related Manuals for Siemens SCALANCE XC-200

  Summary of Contents for Siemens SCALANCE XC-200

  • Page 1 Service Bridge Setup and Configuration Siemens SCALANCE XC-200 Industry Online https://support.industry.siemens.com/cs/ww/en/view/109747975 Support...
  • Page 2: Legal Information

    The foregoing provisions do not imply any change in the burden of proof to your detriment. You shall indemnify Siemens against existing or future claims of third parties in this connection except where Siemens is mandatorily liable.
  • Page 3: Table Of Contents

    Table of contents Table of contents Legal information ......................2 Task and solution ....................5 The task ....................5 Solution....................6 Hardware and software components ........... 7 How the service bridge works and how to use it ........... 8 Ports ..................... 8 2.1.1 Enabling/disabling ports ...............
  • Page 4 Table of contents Networks with a Y switch (XF204-2BA DNA) ........61 SNMP configuration for using the Maintenance Station ....62 Appendix ......................63 Service and Support ................63 References ..................64 Change documentation ..............64 Service Bridge – Setup and Configuration Entry ID: 109747975, V1.4, 05/2019...
  • Page 5: Task And Solution

    1 Task and solution Task and solution The task The use of PROFINET as fieldbus opens up new possibilities for commissioning, maintenance and diagnostics in SIMATIC PCS 7 systems. The uniform Industrial Ethernet network standard forms the basis for vertical integration. For security and availability reasons, plant bus and field bus are set up separately in typical systems in the process industry.
  • Page 6: Solution

    SCALANCE SC, be provided between the plant bus and the service bridge. Figure 1-2 The basis for the Service Bridge are the switches of the SCALANCE XC-200 series from FW V4.0. This application example uses the SCALANCE XC216 as an example to describe the steps required to configure a SCALANCE XC-200 switch as a service bridge.
  • Page 7: Hardware And Software Components

    The application example was created with the following components: Hardware Table 1-1 Hardware Part number SCALANCE XC216 6GK5216-0BA00-2AC2 6GK5632-2GS00-2AC2 SCALANCE SC632-2C Software Table 1-2 Software Link PRONETA 2.5.0.27 https://support.industry.siemens.com/cs/ww/en/view/67460624 Security Configuration https://support.industry.siemens.com/cs/ww/en/view/109747539 Tool V5.0 Internet Explorer Service Bridge – Setup and Configuration Entry ID: 109747975, V1.4, 05/2019...
  • Page 8: How The Service Bridge Works And How To Use It

    2 How the service bridge works and how to use it How the service bridge works and how to use it Ports The basis for the functionality of the service bridge are the switches of the XC-200 series with a special configuration. These switches have between 8 (XC208) and 24 ports (XC224).
  • Page 9: Enabling/Disabling Ports

    2 How the service bridge works and how to use it 2.1.1 Enabling/disabling ports Access from the system bus to the individual PN networks should only be active temporarily and can be realized by activating/deactivating the ports via the Web Based Management (WBM) of the service bridge.
  • Page 10: Separate Network Adapter And Ip Addresses

    2 How the service bridge works and how to use it Note The "Link down" port status is used for deactivation, as it is retained even after a device restart. If the port status is "disabled", please note that this is set to "enabled"...
  • Page 11: A Firewall Using The Example Of A Scalance Sc

    Further information on configuring VLANs can be found in the following FAQ: "How is a Virtual Local Area Network (VLAN) configured in PCS 7?" https://support.industry.siemens.com/cs/ww/en/view/66807297 A firewall using the example of a SCALANCE SC It is recommended to use a firewall between the Service Bridge and the plant bus in order to protect the plant bus against unauthorized accesses from the field.
  • Page 12: Configuration And Commissioning Of The Service Bridge

    3 Configuration and commissioning of the Service Bridge Configuration and commissioning of the Service Bridge The following steps are necessary in order to configure a SCALANCE XC-200 switch to a Service Bridge: Figure 3-1 These steps can be carried out either in a separate network or directly on the plant bus using the switch.
  • Page 13: Preparing The Switch

    4. Release the button and wait for the "F" fault LED to go out again. 5. The device restarts automatically with factory settings. Note You can download the pre-set configuration file at the following link: https://support.industry.siemens.com/cs/ww/en/view/109747975 The download of firmware version V4.0 can be found under the following link: https://support.industry.siemens.com/cs/ww/en/view/109757688 Assigning an IP address An XC-200 switch that is reset to factory settings has no network parameters (IP address/name).
  • Page 14 Note Download and manual "PRONETA Commissioning and Diagnostics Tool for PROFINET" https://support.industry.siemens.com/cs/ww/en/view/67460624 1. Open PRONETA and click on "Settings". 2. Click on "Network Adapter Selection" (1) and select the network adapter with which the switch can be accessed (2).
  • Page 15 4. After opening the network analysis view, a scan is automatically performed. The SCALANCE XC-200 switch is then listed in the graphic and tabular view. If the switch is not found, you can perform another scan using the "Refresh"...
  • Page 16 3 Configuration and commissioning of the Service Bridge 5. Open the shortcut menu by right clicking on the switch and then click on "Set Network Parameters". Optionally, you can use the "Start Flashing LED" function in the shortcut menu to make sure that you have selected the correct switch.
  • Page 17 3 Configuration and commissioning of the Service Bridge 6. You can also assign the IP address and optionally a device name via the "Set Network Parameters" dialog. Enter the desired IP address and subnet mask. Check whether the "Apply settings permanently" check box is enabled and then click on "Set" to assign the network parameters.
  • Page 18: Checking The Firmware Version And Updating It If Required

    Download Firmware V4.1 The firmware V4.1 can be downloaded from the following link: https://support.industry.siemens.com/cs/de/en/view/109762982 The Web Based Management (WBM) of the switch is used for checking the firmware version and updating the firmware if necessary. To access the WBM, the ES must have an IP address in the same IP address range of the Service Bridge.
  • Page 19 3 Configuration and commissioning of the Service Bridge Changing the password After the first login, a prompt will ask you to change the default password of the admin user. 1. Enter the current password (1). 2. Enter a new password (2). 3.
  • Page 20 3 Configuration and commissioning of the Service Bridge Updating the firmware version If the firmware version of the switch is lower than V4.0, follow the steps below to update the firmware: 3. Navigate to the "System > Load&Save" menu (1)(2). 4.
  • Page 21: Loading The Configuration File In The Switch

    Note You can download the pre-set configuration file at the following link: https://support.industry.siemens.com/cs/ww/en/view/109747975 The configuration of the Service Bridge is loaded to the Switch via Web Based Management (WBM). The WBM can only be accessed via HTTPS after loading the configuration because HTTP access is disabled.
  • Page 22 3 Configuration and commissioning of the Service Bridge 9. Log on as Administrator. Note An automatically generated HTTPS certificate, including a key, is provided by default on the switches. To prevent the certificate warning appearing, it is possible to install it on the engineering station. It is recommended to create and use your own HTTPS certificates.
  • Page 23 3 Configuration and commissioning of the Service Bridge Loading a configuration 1. Navigate to the "System > Load&Save" menu (1)(2). 2. If you are using the pre-set configuration script file from the Online Support, click on the "Load" button (3a). If that you are using a self-generated configuration file (ConfigPack), click on the "Load"...
  • Page 24 3 Configuration and commissioning of the Service Bridge Performing a restart Before restarting the service bridge, the "Write Startup Config" must be completed. "Write Startup Config" is performed automatically 60 seconds after configuration changes, but can alternatively be performed manually. 5.
  • Page 25: Adjusting The Configuration

    3 Configuration and commissioning of the Service Bridge Adjusting the configuration 3.5.1 Unicast filter A Unicast filter is provided for the Service Bridge; it allows access to the plant bus only for selected stations, e.g. the engineering station. As this configuration is plant-specific due to the MAC address, the Unicast filter is not included in the pre- set configuration file.
  • Page 26 3 Configuration and commissioning of the Service Bridge Activating the Unicast filter The Unicast filter for the plant bus (port 1) can be activated after entering the MAC address of the ES in the filter table. From then on, all message frames from unknown participants on Port 1 will be rejected.
  • Page 27: Acl Management

    3 Configuration and commissioning of the Service Bridge 3.5.2 ACL management Access control to the Service Bridge management is configured by means of the Management ACL (Access Control List) function. A filter is provided for the Service Bridge; it only allows access from the engineering station. As this configuration is plant-specific due to the IP address, the Management ACL configuration is not included in the pre-set configuration file.
  • Page 28 3 Configuration and commissioning of the Service Bridge Activating Management ACL The Management ACL function can be activated after the ES has been entered into the Management ACL list. 1. Activate the "Management ACL" check box (1). 2. Click the "Set Values" button (2) to confirm the settings. CAUTION Activate the management ACL function only after you have entered the engineering station in the list.
  • Page 29: Snmp

    3 Configuration and commissioning of the Service Bridge 3.5.3 SNMP The Simple Network management Protocol (SNMP) allows network components, such as the Service Bridge, to be monitored and controlled. For security reasons, only SNMP version 3 is enabled in the configuration of the Service Bridge.
  • Page 30 3 Configuration and commissioning of the Service Bridge 17. Select the following entries (1) in the drop down list: – As a "Group Name", select the group to which the new user should belong. – As "Authentication Protocol", select the "SHA" entry. –...
  • Page 31: Backing Up The Configuration

    Alternatively or additionally, the C-PLUG can be used as a removable storage media for storing the configuration data of the service bridge. Further information about the C-PLUG can be found in the manual: "SIMATIC NET: SCALANCE XC-200 Industrial Ethernet switches https://support.industry.siemens.com/cs/ww/en/view/109743149 Service Bridge – Setup and Configuration Entry ID: 109747975, V1.4,...
  • Page 32: Commissioning The Service Bridge

    3 Configuration and commissioning of the Service Bridge Commissioning the Service Bridge 3.7.1 Configuring the Network adapter in the engineering station For access to the various PROFINET networks, several IP addresses are assigned to the network adapter provided in the engineering station. The following is required: ...
  • Page 33 3 Configuration and commissioning of the Service Bridge 23. Open "Properties" from the shortcut menu of the intended network adapter. 24. Double-click on "Internet Protocol Version 4 (TCP/IPv4)" to open its properties dialog. Service Bridge – Setup and Configuration Entry ID: 109747975, V1.4, 05/2019...
  • Page 34 3 Configuration and commissioning of the Service Bridge 25. In the Service Bridge address range, configure an unallocated IP address with its respective subnet mask (1). This is also needed for accessing the Web Based Management (WBM) and for enabling/disabling ports. Then click on the "Advanced…"...
  • Page 35 3 Configuration and commissioning of the Service Bridge 26. Click on the "Add..." button to open the dialog box, where you can add further IP addresses. 27. Enter an unallocated IP address with the corresponding subnet mask in the address area of the PROFINET network you want to access, according to your plant planning (1).
  • Page 36: System Time

    2. Click on "Use PC Time" (3) and confirm the settings with the "Set Values" button (4). Note For instructions on how to set the time synchronization, refer to the manual of the switch: https://support.industry.siemens.com/cs/ww/en/view/109750283 Service Bridge – Setup and Configuration Entry ID: 109747975, V1.4, 05/2019...
  • Page 37: Configuration File

    IT security. The settings for the Service Bridge, which differ from the standard configuration (factory settings) of a SCALANCE XC-200 switch, are described in the following section. These settings are already included in the pre-set configuration file and are applied automatically by loading them in the switch.
  • Page 38: Ports

    4 Configuration file Figure 4-1 4.1.2 Ports System > Ports Figure 4-2 The type, status, etc. of the ports are set in the "System > Ports" menu. The following settings are provided for the Service Bridge: (1) Port Name: The port name can be adjusted if required. (2) Port type: –...
  • Page 39: Vlan

    4 Configuration file Note The "Link down" port status is used for deactivation, as it is retained even after a device restart. If the port status is "disabled", please note that this is set to "enabled" again after a device restart using the "Loop Detection" function. Note Access from the plant bus to the individual PROFINET networks should only be active temporarily and can be done by activating/deactivating the ports via the...
  • Page 40 4 Configuration file Layer 2 > VLAN: General Figure 4-4 In the menu "Layer 2 > VLAN: General" menu, you can set which message frames may be output at which ports. The following settings are provided for the Service Bridge: (1) Base Bridge Mode: 802.1Q VLAN Bridge means that VLAN information is taken into account in the Switch.
  • Page 41: Private Vlan

    4 Configuration file 4.1.4 Private VLAN Layer 2 > Private VLAN Figure 4-5 All the Private VLAN types are configured in the "Layer 2 > Private VLAN" menu. For an explanation of the Private VLAN types, see Section 4.1.1. The following settings are provided for the Service Bridge: (1) Private VLAN Type: –...
  • Page 42: Operational Reliability And It Security

    4 Configuration file Operational reliability and IT Security The settings for increasing operational safety are based on the "Defense in Depth" philosophy. This means that individual, consecutive but independent protection measures are used so that an attacker has to invest time and effort again for each protection measure.
  • Page 43: Select/Set" Button

    4 Configuration file 4.2.2 "SELECT/SET" button The "SELECT/SET" button function is configured in the "System > Button" menu. The settings of the "SELECT / SET" button are adjusted to prevent incorrect operation or incorrect configuration by unauthorized persons. The following settings are provided for the Service Bridge: System >...
  • Page 44: Fault Monitoring

    4 Configuration file 4.2.3 Fault Monitoring The monitoring functions are configured in the "System > Fault Monitoring" menu. The following settings are provided for the Service Bridge: System > Fault Monitoring: Power supply Figure 4-8 The monitoring of the power supply is configured in the "Power Supply" tab. The power supply monitoring for connection 1 ("Line 1") is activated by default for the Service Bridge.
  • Page 45 4 Configuration file System > Fault Monitoring: Link Change Figure 4-9 Link status change monitoring is configured in the "Link Change" tab. Monitoring of Port 1 is configured as "Down" for the Service Bridge, which means that an error will be triggered if a link (connection) is no longer present at this port. A fault leads to the triggering of the signaling contact and causes the fault LED on the device to light up.
  • Page 46: Profinet

    4 Configuration file 4.2.4 PROFINET The PROFINET properties of the Service Bridge are configured in the "System > PROFINET" menu. Since the Service Bridge is only intended for access from the plant bus to the PROFINET networks, it is configured as an IE switch. Configuration/use as an IO device is not intended.
  • Page 47: Rate Control

    4 Configuration file 4.2.5 Rate control The rate limits of the individual ports are configured in the "Layer 2 > Rate Control" menu. The purpose is to limit the spread of broadcasting storms in the event of a fault. The following settings are provided for the Service Bridge: Layer 2 >...
  • Page 48: Loop Detection

    4 Configuration file 4.2.6 Loop detection The loop detection values are configured in the "Layer 2 > Loop Detection" menu. Loop detection is a function which serves to detect loops in the network and to limit their effects. The following settings are provided for the Service Bridge: Layer 2 >...
  • Page 49: Multicast Filter

    4 Configuration file 4.2.7 Multicast filter The Multicast filter is configured in the "Layer 2 > Multicast" menu. The Service Bridge is provided with a Multicast filter which prevents the forwarding of time message frames according to the SIMATIC method. Layer 2 >...
  • Page 50: Other Settings

    4 Configuration file Other settings 4.3.1 Layer 2 configuration Higher-level functions can be configured in the basic configuration of layer 2 ("Layer 2 > Configuration"). The following settings are provided for the Service Bridge: Layer 2 > Configuration Figure 4-14 (1) The redundancy function is disabled with the setting "Redundancy Type": "-", since the Service Bridge is only provided with a stub connection to the plant bus.
  • Page 51: Firewall Configuration Using The Example Of A Scalance Sc632-2C

    5 Firewall configuration using the example of a SCALANCE SC632-2C Firewall configuration using the example of a SCALANCE SC632-2C The purpose of the firewall is to protect the plant bus against unauthorized access from the field. In the section below, the SCALANCE SC632-2C is thus configured in such a way that it only allows communication if is initiated by selected sources in the plant bus (e.g.
  • Page 52: Scalance Sc632-2C Configuration

    "F" LED is constantly lit. Furthermore, at least firmware version V2.0 is required. Note The firmware can be downloaded from the following entry: https://support.industry.siemens.com/cs/de/en/view/109764481 5.2.1 Setting up access to the Web Based Management of the SCALANCE SC632-2C To configure the SCALANCE SC632-2C, the first step is to establish the connection to Web Based Management.
  • Page 53: Firewall Rule Configuration

    5 Firewall configuration using the example of a SCALANCE SC632-2C 5.2.2 Firewall rule configuration The firewall rules are configured within the WBM in the "Security" tab. In the following section packet filter rules are defined based on MAC addresses (layer 2) and IP address (layer 3). Based on the MAC addresses (layer 2), a filter rule is created that only allows message frames that have the MAC address of selected devices (e.g.
  • Page 54 5 Firewall configuration using the example of a SCALANCE SC632-2C 29. Go to the "Firewall" tab of the SCALANCE SC632-2C to start the configuration (1). 30. Switch to the IP Rules tab (2) and click the Create button (3) to create a new IP rule.
  • Page 55 5 Firewall configuration using the example of a SCALANCE SC632-2C 33. Click the "Set Values" button (5) to confirm the settings. Note Depending on the applications used (e.g. PRONETA), additional IP rules may be required for automatically assigned IP addresses. By default, PRONETA temporarily uses the highest free IP address in the subnet during the network scan.
  • Page 56 5 Firewall configuration using the example of a SCALANCE SC632-2C Definition of MA rules In the following, the MAC rules are created which only allow communication that has the MAC address of the ES as source or destination address. This means multicast, broadcast and message frames between other subscribers are rejected.
  • Page 57 5 Firewall configuration using the example of a SCALANCE SC632-2C 36. Configure the rule as follows: This rule allows message frames starting from the Engineering Station. (1) Action "Accept" Message frames corresponding to the rule are permitted. (2) "From": "vlan1 (INT)" ("Internal") To: "External"...
  • Page 58: Bridge Mode

    5 Firewall configuration using the example of a SCALANCE SC632-2C 5.2.3 Bridge Mode Bridge mode is required for Layer 2 firewall. The bridge module is configured in the "Layer 2 > Inter-VLAN Bridge" menu. The following settings are provided for the SCLANCE SC632-2C: 40.
  • Page 59: Activating The Firewall

    5 Firewall configuration using the example of a SCALANCE SC632-2C With this configuration, message frames with VLAN ID 1, i.e. coming from port 1 to port 2 with VLAN ID 2 and vice versa, can be output. 5.2.4 Activating the firewall In the last step the firewall is activated in the register "General"...
  • Page 60: Additional Information

    6 Additional information Additional information Continuous access, e.g. for SINEMA server If continuous access to the PN networks is needed (e.g. when using the SINEMA server) it is recommended not to use the Service Bridge on the plant bus. In the following plant configuration, apart from the Service Bridge for temporary access from the plant bus, a second, separate, Service Bridge is also provided for the SINEMA server.
  • Page 61: Networks With A Y Switch (Xf204-2Ba Dna)

    6 Additional information Networks with a Y switch (XF204-2BA DNA) When the Service Bridge is used in a R1 network with a Y switch, the following devices are available depending on the access point (see Figure 6-2 (1) Access in the R1 network subnet 1 Devices in this subnet and behind the Y switch are accessible.
  • Page 62: Snmp Configuration For Using The Maintenance Station

    6 Additional information In order to be able to reach all the devices in the network, connection is possible either via access points (1) and (2) or, alternatively, via access point (3). The connection variant can be selected depending on the local conditions. SNMP configuration for using the Maintenance Station SNMP version v1 or v2c is required for integration of network components in the asset management of the Maintenance Station.
  • Page 63: Appendix

    Industry Online Support Do you have any questions or need assistance? Siemens Industry Online Support offers round the clock access to our entire service and support know-how and portfolio. The Industry Online Support is the central address for information about our products, solutions and services.
  • Page 64: References

    7 Appendix References Table 7-1 Topic Siemens Industry Online Support https://support.industry.siemens.com Download page of this entry https://support.industry.siemens.com/cs/ww/en/view/109747975 Security guidelines by PROFIBUS & PROFINET International (PI): https://www.profibus.com/download/profinet-security-guideline PROFINET in Process Automation with SIMATIC PCS 7 https://support.industry.siemens.com/cs/ww/en/view/72887082 Change documentation Table 7-2 Version...