The foregoing provisions do not imply any change in the burden of proof to your detriment. You shall indemnify Siemens against existing or future claims of third parties in this connection except where Siemens is mandatorily liable.
Table of contents
Legal information (p. 2)
Task and solution (p. 5)
  The task (p. 5)
  Solution (p. 6)
  Hardware and software components (p. 7)
How the service bridge works and how to use it (p. 8)
  Ports (p. 8)
    2.1.1 Enabling/disabling ports ...
...
Networks with a Y switch (XF204-2BA DNA) (p. 61)
SNMP configuration for using the Maintenance Station (p. 62)
Appendix (p. 63)
  Service and Support (p. 63)
  References (p. 64)
  Change documentation (p. 64)
Service Bridge – Setup and Configuration Entry ID: 109747975, V1.4, 05/2019
1 Task and solution

The task

The use of PROFINET as fieldbus opens up new possibilities for commissioning, maintenance and diagnostics in SIMATIC PCS 7 systems. The uniform Industrial Ethernet network standard forms the basis for vertical integration. For security and availability reasons, the plant bus and the fieldbus are set up separately in typical systems in the process industry.
SCALANCE SC, be provided between the plant bus and the service bridge.

Figure 1-2

The Service Bridge is based on the switches of the SCALANCE XC-200 series from FW V4.0. This application example uses the SCALANCE XC216 to describe the steps required to configure a SCALANCE XC-200 switch as a service bridge.
The application example was created with the following components:

Table 1-1 Hardware
Hardware            Part number
SCALANCE XC216      6GK5216-0BA00-2AC2
SCALANCE SC632-2C   6GK5632-2GS00-2AC2

Table 1-2 Software
Software                            Link
PRONETA 126.96.36.199               https://support.industry.siemens.com/cs/ww/en/view/67460624
Security Configuration Tool V5.0    https://support.industry.siemens.com/cs/ww/en/view/109747539
Internet Explorer
2 How the service bridge works and how to use it

Ports

The functionality of the service bridge is based on the switches of the XC-200 series with a special configuration. These switches have between 8 (XC208) and 24 ports (XC224).
2.1.1 Enabling/disabling ports

Access from the system bus to the individual PN networks should only be active temporarily and can be realized by activating/deactivating the ports via the Web Based Management (WBM) of the service bridge.
Note: The "Link down" port status is used for deactivation, as it is retained even after a device restart. If the port status is "disabled", please note that this is set to "enabled"...
Further information on configuring VLANs can be found in the following FAQ: "How is a Virtual Local Area Network (VLAN) configured in PCS 7?" https://support.industry.siemens.com/cs/ww/en/view/66807297

A firewall using the example of a SCALANCE SC

It is recommended to use a firewall between the Service Bridge and the plant bus in order to protect the plant bus against unauthorized access from the field.
3 Configuration and commissioning of the Service Bridge

The following steps are necessary in order to configure a SCALANCE XC-200 switch as a Service Bridge:

Figure 3-1

These steps can be carried out either in a separate network or directly on the plant bus using the switch.
4. Release the button and wait for the "F" fault LED to go out again.
5. The device restarts automatically with factory settings.

Note: You can download the pre-set configuration file at the following link: https://support.industry.siemens.com/cs/ww/en/view/109747975
The download of firmware version V4.0 can be found under the following link: https://support.industry.siemens.com/cs/ww/en/view/109757688

Assigning an IP address

An XC-200 switch that is reset to factory settings has no network parameters (IP address/name).
Note: Download and manual "PRONETA Commissioning and Diagnostics Tool for PROFINET": https://support.industry.siemens.com/cs/ww/en/view/67460624

1. Open PRONETA and click on "Settings".
2. Click on "Network Adapter Selection" (1) and select the network adapter with which the switch can be accessed (2).
4. After opening the network analysis view, a scan is automatically performed. The SCALANCE XC-200 switch is then listed in the graphic and tabular view. If the switch is not found, you can perform another scan using the "Refresh"...
5. Open the shortcut menu by right-clicking on the switch and then click on "Set Network Parameters". Optionally, you can use the "Start Flashing LED" function in the shortcut menu to make sure that you have selected the correct switch.
6. You can also assign the IP address and optionally a device name via the "Set Network Parameters" dialog. Enter the desired IP address and subnet mask. Check whether the "Apply settings permanently" check box is enabled and then click on "Set" to assign the network parameters.
Download Firmware V4.1

The firmware V4.1 can be downloaded from the following link: https://support.industry.siemens.com/cs/de/en/view/109762982

The Web Based Management (WBM) of the switch is used for checking the firmware version and updating the firmware if necessary. To access the WBM, the ES must have an IP address in the same IP address range as the Service Bridge.
Changing the password

After the first login, a prompt will ask you to change the default password of the admin user.
1. Enter the current password (1).
2. Enter a new password (2).
3.
Updating the firmware version

If the firmware version of the switch is lower than V4.0, follow the steps below to update the firmware:
3. Navigate to the "System > Load&Save" menu (1)(2).
4.
Note: You can download the pre-set configuration file at the following link: https://support.industry.siemens.com/cs/ww/en/view/109747975

The configuration of the Service Bridge is loaded onto the switch via Web Based Management (WBM). After the configuration has been loaded, the WBM can only be accessed via HTTPS because HTTP access is disabled.
9. Log on as Administrator.

Note: An automatically generated HTTPS certificate, including a key, is provided by default on the switches. To prevent the certificate warning from appearing, it is possible to install it on the engineering station. It is recommended to create and use your own HTTPS certificates.
Loading a configuration

1. Navigate to the "System > Load&Save" menu (1)(2).
2. If you are using the pre-set configuration script file from the Online Support, click on the "Load" button (3a). If you are using a self-generated configuration file (ConfigPack), click on the "Load"...
Performing a restart

Before restarting the service bridge, the "Write Startup Config" must be completed. "Write Startup Config" is performed automatically 60 seconds after configuration changes, but can alternatively be performed manually.
5.
Adjusting the configuration

3.5.1 Unicast filter

A Unicast filter is provided for the Service Bridge; it allows access to the plant bus only for selected stations, e.g. the engineering station. As this configuration is plant-specific due to the MAC address, the Unicast filter is not included in the pre-set configuration file.
Activating the Unicast filter

The Unicast filter for the plant bus (port 1) can be activated after entering the MAC address of the ES in the filter table. From then on, all message frames from unknown participants on port 1 will be rejected.
3.5.2 ACL management

Access control to the Service Bridge management is configured by means of the Management ACL (Access Control List) function. A filter is provided for the Service Bridge; it only allows access from the engineering station. As this configuration is plant-specific due to the IP address, the Management ACL configuration is not included in the pre-set configuration file.
Activating Management ACL

The Management ACL function can be activated after the ES has been entered into the Management ACL list.
1. Activate the "Management ACL" check box (1).
2. Click the "Set Values" button (2) to confirm the settings.

CAUTION: Activate the management ACL function only after you have entered the engineering station in the list.
3.5.3 SNMP

The Simple Network Management Protocol (SNMP) allows network components, such as the Service Bridge, to be monitored and controlled. For security reasons, only SNMP version 3 is enabled in the configuration of the Service Bridge.
17. Select the following entries (1) in the drop-down list:
– As a "Group Name", select the group to which the new user should belong.
– As "Authentication Protocol", select the "SHA" entry.
–...
Alternatively or additionally, the C-PLUG can be used as a removable storage medium for storing the configuration data of the service bridge. Further information about the C-PLUG can be found in the manual "SIMATIC NET: SCALANCE XC-200 Industrial Ethernet switches": https://support.industry.siemens.com/cs/ww/en/view/109743149
Commissioning the Service Bridge

3.7.1 Configuring the network adapter in the engineering station

For access to the various PROFINET networks, several IP addresses are assigned to the network adapter provided in the engineering station. The following is required: ...
23. Open "Properties" from the shortcut menu of the intended network adapter.
24. Double-click on "Internet Protocol Version 4 (TCP/IPv4)" to open its properties dialog.
25. In the Service Bridge address range, configure an unallocated IP address with its respective subnet mask (1). This is also needed for accessing the Web Based Management (WBM) and for enabling/disabling ports. Then click on the "Advanced…"...
26. Click on the "Add..." button to open the dialog box, where you can add further IP addresses.
27. Enter an unallocated IP address with the corresponding subnet mask in the address area of the PROFINET network you want to access, according to your plant planning (1).
2. Click on "Use PC Time" (3) and confirm the settings with the "Set Values" button (4).

Note: For instructions on how to set the time synchronization, refer to the manual of the switch: https://support.industry.siemens.com/cs/ww/en/view/109750283
IT security. The settings for the Service Bridge which differ from the standard configuration (factory settings) of a SCALANCE XC-200 switch are described in the following section. These settings are already included in the pre-set configuration file and are applied automatically by loading it into the switch.
4 Configuration file

Figure 4-1

4.1.2 Ports

System > Ports

Figure 4-2

The type, status, etc. of the ports are set in the "System > Ports" menu. The following settings are provided for the Service Bridge:
(1) Port Name: The port name can be adjusted if required.
(2) Port type: –...
Note: The "Link down" port status is used for deactivation, as it is retained even after a device restart. If the port status is "disabled", please note that this is set to "enabled" again after a device restart using the "Loop Detection" function.

Note: Access from the plant bus to the individual PROFINET networks should only be active temporarily and can be done by activating/deactivating the ports via the...
Layer 2 > VLAN: General

Figure 4-4

In the "Layer 2 > VLAN: General" menu, you can set which message frames may be output at which ports. The following settings are provided for the Service Bridge:
(1) Base Bridge Mode: 802.1Q VLAN Bridge means that VLAN information is taken into account in the switch.
4.1.4 Private VLAN

Layer 2 > Private VLAN

Figure 4-5

All the Private VLAN types are configured in the "Layer 2 > Private VLAN" menu. For an explanation of the Private VLAN types, see Section 4.1.1. The following settings are provided for the Service Bridge:
(1) Private VLAN Type: –...
Operational reliability and IT Security

The settings for increasing operational safety are based on the "Defense in Depth" philosophy. This means that individual, consecutive but independent protection measures are used so that an attacker has to invest time and effort again for each protection measure.
4.2.2 "SELECT/SET" button

The "SELECT/SET" button function is configured in the "System > Button" menu. The settings of the "SELECT / SET" button are adjusted to prevent incorrect operation or incorrect configuration by unauthorized persons. The following settings are provided for the Service Bridge:

System >...
4.2.3 Fault Monitoring

The monitoring functions are configured in the "System > Fault Monitoring" menu. The following settings are provided for the Service Bridge:

System > Fault Monitoring: Power supply

Figure 4-8

The monitoring of the power supply is configured in the "Power Supply" tab. The power supply monitoring for connection 1 ("Line 1") is activated by default for the Service Bridge.
System > Fault Monitoring: Link Change

Figure 4-9

Link status change monitoring is configured in the "Link Change" tab. Monitoring of Port 1 is configured as "Down" for the Service Bridge, which means that an error will be triggered if a link (connection) is no longer present at this port. A fault leads to the triggering of the signaling contact and causes the fault LED on the device to light up.
4.2.4 PROFINET

The PROFINET properties of the Service Bridge are configured in the "System > PROFINET" menu. Since the Service Bridge is only intended for access from the plant bus to the PROFINET networks, it is configured as an IE switch. Configuration/use as an IO device is not intended.
4.2.5 Rate control

The rate limits of the individual ports are configured in the "Layer 2 > Rate Control" menu. The purpose is to limit the spread of broadcast storms in the event of a fault. The following settings are provided for the Service Bridge:

Layer 2 >...
4.2.6 Loop detection

The loop detection values are configured in the "Layer 2 > Loop Detection" menu. Loop detection is a function which serves to detect loops in the network and to limit their effects. The following settings are provided for the Service Bridge:

Layer 2 >...
4.2.7 Multicast filter

The Multicast filter is configured in the "Layer 2 > Multicast" menu. The Service Bridge is provided with a Multicast filter which prevents the forwarding of time message frames according to the SIMATIC method.

Layer 2 >...
Other settings

4.3.1 Layer 2 configuration

Higher-level functions can be configured in the basic configuration of layer 2 ("Layer 2 > Configuration"). The following settings are provided for the Service Bridge:

Layer 2 > Configuration

Figure 4-14

(1) The redundancy function is disabled with the setting "Redundancy Type": "-", since the Service Bridge is only provided with a stub connection to the plant bus.
5 Firewall configuration using the example of a SCALANCE SC632-2C

The purpose of the firewall is to protect the plant bus against unauthorized access from the field. In the section below, the SCALANCE SC632-2C is thus configured in such a way that it only allows communication if it is initiated by selected sources in the plant bus (e.g.
"F" LED is constantly lit. Furthermore, at least firmware version V2.0 is required.

Note: The firmware can be downloaded from the following entry: https://support.industry.siemens.com/cs/de/en/view/109764481

5.2.1 Setting up access to the Web Based Management of the SCALANCE SC632-2C

To configure the SCALANCE SC632-2C, the first step is to establish the connection to Web Based Management.
5.2.2 Firewall rule configuration

The firewall rules are configured within the WBM in the "Security" tab. In the following section, packet filter rules are defined based on MAC addresses (layer 2) and IP addresses (layer 3). Based on the MAC addresses (layer 2), a filter rule is created that only allows message frames that have the MAC address of selected devices (e.g.
29. Go to the "Firewall" tab of the SCALANCE SC632-2C to start the configuration (1).
30. Switch to the IP Rules tab (2) and click the Create button (3) to create a new IP rule.
33. Click the "Set Values" button (5) to confirm the settings.

Note: Depending on the applications used (e.g. PRONETA), additional IP rules may be required for automatically assigned IP addresses. By default, PRONETA temporarily uses the highest free IP address in the subnet during the network scan.
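The note above is easy to overlook, so the following Python model (added here, not code from the Siemens document) covers the IP side of the configuration: the Management ACL of section 3.5.2, the SC632-2C IP rules, and a check that the highest free host address, which PRONETA temporarily uses during a scan, is actually covered by a rule. The addresses and the subnet are constructed sample values.

```python
import ipaddress
from typing import Iterable, List, Set

# Constructed sample values for this example (not from the Siemens document).
ES_IP = "192.168.10.20"          # engineering station on the plant bus
PLANT_BUS = "192.168.10.0/24"    # plant bus subnet the SC632-2C sits on


def management_acl_allows(src_ip: str, acl: Set[str]) -> bool:
    """Management ACL of the Service Bridge (section 3.5.2): management access is
    granted only to the addresses entered in the list; everything else is rejected."""
    return ipaddress.ip_address(src_ip) in {ipaddress.ip_address(a) for a in acl}


def ip_rule_accepts(src_ip: str, allowed_sources: Iterable[str]) -> bool:
    """SC632-2C IP rules (section 5.2.2): accept only traffic initiated by the listed
    plant-bus sources. Entries may be single hosts ("a.b.c.d") or networks ("a.b.c.0/24")."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(entry, strict=False) for entry in allowed_sources)


def proneta_scan_address(subnet: str, in_use: Iterable[str]):
    """The address PRONETA temporarily takes during a network scan, as stated in the note
    above: the highest host address of the subnet that is not already in use."""
    net = ipaddress.ip_network(subnet, strict=False)
    used = {ipaddress.ip_address(a) for a in in_use}
    for host in reversed(list(net.hosts())):
        if host not in used:
            return host
    raise ValueError("no free host address in subnet")


def missing_rules_for_scan(subnet: str, in_use: Iterable[str],
                           allowed_sources: Iterable[str]) -> List[str]:
    """Return the scan address that no IP rule covers yet (empty list if it is covered)."""
    allowed = list(allowed_sources)
    addr = proneta_scan_address(subnet, in_use)
    return [] if ip_rule_accepts(str(addr), allowed) else [str(addr)]


if __name__ == "__main__":
    rules = [ES_IP]   # only the ES is allowed to initiate communication through the firewall
    print("ES allowed:", ip_rule_accepts(ES_IP, rules))
    print("additional IP rule still needed for:", missing_rules_for_scan(PLANT_BUS, [ES_IP], rules))
```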
Definition of MAC rules

In the following, the MAC rules are created which only allow communication that has the MAC address of the ES as source or destination address. This means multicast, broadcast and message frames between other subscribers are rejected.
36. Configure the rule as follows: This rule allows message frames starting from the Engineering Station.
(1) Action "Accept": Message frames corresponding to the rule are permitted.
(2) "From": "vlan1 (INT)" ("Internal") To: "External"...
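The following Python model (added here, not code from the Siemens document) puts the two MAC-based checks of this entry side by side: the Service Bridge unicast filter on port 1 from section 3.5.1 and the SC632-2C MAC rules just described. It parses raw Ethernet frames (optionally 802.1Q tagged) and applies each check; the MAC addresses are constructed placeholders, and the ES/device roles are assumptions for the example.

```python
import struct
from typing import Dict, Optional, Set

# Constructed placeholder addresses for this example (not from the Siemens document).
ES_MAC = "00:1b:1b:00:00:01"         # engineering station on the plant bus
PN_DEVICE_MAC = "00:1b:1b:00:00:02"  # a PROFINET device behind the Service Bridge
OTHER_MAC = "00:1b:1b:00:00:03"      # some other station on the plant bus
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{x:02x}" for x in raw)


def build_frame(dst: str, src: str, ethertype: int = 0x0800, vlan: Optional[int] = None) -> bytes:
    """Build a minimal Ethernet II frame, optionally 802.1Q tagged, with a dummy payload."""
    hdr = mac_bytes(dst) + mac_bytes(src)
    if vlan is not None:
        hdr += struct.pack("!HH", 0x8100, vlan & 0x0FFF)   # TPID + TCI (priority 0)
    return hdr + struct.pack("!H", ethertype) + b"\x00" * 46


def parse_frame(frame: bytes) -> Dict[str, object]:
    """Extract destination/source MAC, VLAN ID (if tagged) and EtherType from a raw frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    vlan = None
    if ethertype == 0x8100:                       # 802.1Q tag present
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = tci & 0x0FFF
    return {"dst": mac_str(dst), "src": mac_str(src), "vlan": vlan, "ethertype": ethertype}


def is_group_address(mac: str) -> bool:
    """True for multicast and broadcast destinations (I/G bit of the first octet set)."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


def unicast_filter_port1(frame: bytes, filter_table: Set[str]) -> bool:
    """Service Bridge unicast filter on port 1 (section 3.5.1): only frames whose source
    MAC is in the filter table are accepted; frames from unknown participants are rejected."""
    return parse_frame(frame)["src"] in {m.lower() for m in filter_table}


def sc_mac_rule(frame: bytes, es_mac: str = ES_MAC) -> bool:
    """SC632-2C MAC rules (section 5.2.2): accept only frames carrying the ES MAC as source
    or destination; multicast, broadcast and frames between other subscribers are rejected."""
    f = parse_frame(frame)
    if is_group_address(str(f["dst"])):
        return False
    return es_mac.lower() in (f["src"], f["dst"])


def evaluate(frame: bytes) -> Dict[str, bool]:
    """Apply both checks to a frame arriving on port 1 of the Service Bridge."""
    return {"unicast_filter": unicast_filter_port1(frame, {ES_MAC}),
            "sc_mac_rule": sc_mac_rule(frame)}


if __name__ == "__main__":
    for label, frame in [("ES -> PN device", build_frame(PN_DEVICE_MAC, ES_MAC, vlan=1)),
                         ("other -> PN device", build_frame(PN_DEVICE_MAC, OTHER_MAC)),
                         ("ES -> broadcast", build_frame(BROADCAST_MAC, ES_MAC))]:
        print(f"{label}: {evaluate(frame)}")
```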
5.2.3 Bridge Mode

Bridge mode is required for the Layer 2 firewall. The bridge mode is configured in the "Layer 2 > Inter-VLAN Bridge" menu. The following settings are provided for the SCALANCE SC632-2C:
40.
With this configuration, message frames with VLAN ID 1, i.e. coming from port 1 to port 2 with VLAN ID 2 and vice versa, can be output.

5.2.4 Activating the firewall

In the last step the firewall is activated in the register "General"...
6 Additional information

Continuous access, e.g. for SINEMA server

If continuous access to the PN networks is needed (e.g. when using the SINEMA server), it is recommended not to use the Service Bridge on the plant bus. In the following plant configuration, apart from the Service Bridge for temporary access from the plant bus, a second, separate Service Bridge is also provided for the SINEMA server.
Networks with a Y switch (XF204-2BA DNA)

When the Service Bridge is used in an R1 network with a Y switch, the following devices are available depending on the access point (see Figure 6-2):
(1) Access in the R1 network subnet 1: Devices in this subnet and behind the Y switch are accessible.
In order to be able to reach all the devices in the network, connection is possible either via access points (1) and (2) or, alternatively, via access point (3). The connection variant can be selected depending on the local conditions.

SNMP configuration for using the Maintenance Station

SNMP version v1 or v2c is required for integration of network components in the asset management of the Maintenance Station.
Industry Online Support Do you have any questions or need assistance? Siemens Industry Online Support offers round the clock access to our entire service and support know-how and portfolio. The Industry Online Support is the central address for information about our products, solutions and services.
7 Appendix

References

Table 7-1
Topic                                                               Link
Siemens Industry Online Support                                     https://support.industry.siemens.com
Download page of this entry                                         https://support.industry.siemens.com/cs/ww/en/view/109747975
Security guidelines by PROFIBUS & PROFINET International (PI)       https://www.profibus.com/download/profinet-security-guideline
PROFINET in Process Automation with SIMATIC PCS 7                   https://support.industry.siemens.com/cs/ww/en/view/72887082

Change documentation

Table 7-2
Version...