TAPKO MECip-Sec Product Description

KNX IP Secure Router


MECip
SECURE
MECip-Sec
KNX IP Secure Router
Technical & Application Description


Summary of Contents for TAPKO MECip-Sec

  • Page 1 MECip SECURE MECip-Sec KNX IP Secure Router Technical & Application Description...
  • Page 2 MECip SECURE This document is property of the company named at the last page. Without written approval, it may not be reproduced or commercialized, distributed or presented to other individuals for commercial purpose. Details and information contained within may be subject to change without notice.
  • Page 3: Table Of Contents

    MECip SECURE Content Product Description Front Panel LED Indication LED Indication of Special Functions Commissioning Secure Commissioning Important Notes 1.6.1 Installation and Commissioning 1.6.2 Mounting and Safety 1.6.3 Maintenance Safekeeping of Device Certificate Feature Summary KNXnet/IP IP Secure Tunneling IP Secure Routing IP Firmware Update KNX Secure Operational Description...
  • Page 4 SECURE ETS Database General Main Line (IP) Subline (KNX TP) IP (Secure) Tunneling Address Assignment Web Front-end Protection of the MECip-Sec Web Front-end Accessing the MECip-Sec Web Front-end 6.2.1 via Windows Explorer 6.2.2 via IP Address 6.2.3 via MAC Address...
  • Page 5: Product Description

    Security functions “Secure Commissioning”, “Secure Tunneling” and “IP Backbone Security”. MECip-Sec can also work as a KNX IP Secure Interface for connecting KNX IP devices, a PC, or an Ethernet network to KNX TP. It establishes access to bus devices for commissioning, address assignment, setting parameters, visualization, protocolling, and diagnostics.
  • Page 6: Front Panel

    MECip Product Description SECURE Front Panel Figure 1: Front View Table 1: Front Panel Elements LEDs Buttons / Connectors State IP (Main line) Ethernet Connector Bus State KNX TP (Subline) Function Button Telegram Traffic IP (Main line) Programming Button Telegram Traffic KNX TP (Subline) KNX TP Connector Group Address Routing Individual (Physical) Address Routing...
  • Page 7: Led Indication

    LED Indication: The following table gives a general description of the LED indication during normal operation. LED patterns during active special functions are described in the next chapter. Table 2: Normal LED Display Number Color Explanation / Range...
  • Page 8: Led Indication Of Special Functions

    MECip Product Description SECURE LED Indication of Special Functions During an active special function, only LEDs described here are lighting. Other LEDs are off. Table 3: LED Status Display for Manual Function Number Color Comment lights red if not State IP orange connected Bus State KNX TP...
  • Page 9: Commissioning

    Figure 2: Connection Scheme To start a secured configuration download, Secure Commissioning must first be activated in the ETS project. Without activation, MECip-Sec works as a plain device and behaves like MECip (without KNX Secure support). Please also read chapter 1.6 Important Notes...
  • Page 10: Secure Commissioning

    Before the secured download of a configuration setting and/or the Individual Address can start, the individual Device Certificate of MECip-Sec must have been added to the ETS project. To be able to add it, the ETS project must be password-protected.
  • Page 11: Important Notes

    It is recommended to attend the standardized courses of a KNX-certified training center before installing, programming, and commissioning a KNX system. There, participants gain the necessary knowledge and skills, including those required for troubleshooting, through practical exercises. Please read this chapter carefully before first use and installation: 1.6.1 Installation and Commissioning...
  • Page 12: Safekeeping Of Device Certificate

    The Device Certificate is printed on a label affixed to the side of the housing. To prevent unwanted access, the label consists of two parts. The upper part must remain on the housing to identify the device.
  • Page 13: Feature Summary

    • Activation of “IP Backbone Security” for protection of IP routing. • Configuring MECip-Sec plus devices on the main line from the subline can be switched off. (This is very useful, when there are sublines that bear a high risk of being misused.) •...
  • Page 14: Knxnet/Ip

    Secure. The KNX Secure part, that is relevant for IP, is called KNX IP Secure. IP Firmware Update: To allow remote firmware updates via IP, MECip-Sec has an integrated bootloader. This function is called IP Firmware Update and can be executed in the web front-end.
  • Page 15: Knx Secure

    KNX devices that support KNX Secure can use special protection based on telegram encryption. In addition, configuration access to the device is protected and limited to users who know its Device Certificate. The Device Certificate is a device-specific protection code that is enclosed with the device on delivery.
  • Page 16: Operational Description

    DHCP server was found, MECip-Sec starts an AutoIP procedure and autonomously assigns the IP address. For MECip-Sec having a fixed IP configuration (IP address as well as subnet mask and standard gateway), this can also be set by ETS.
  • Page 17: Ip Network

    SECURE IP Network In the IP network, MECip-Sec sends and receives telegrams in accordance with the KNXnet/IP protocol specification. According to the default setting, IP telegrams are sent as IP Multicast to the IP address 224.0.23.12. Multicast IP address 224.0.23.12 and port 3671 are the defined values for KNXnet/IP by KNX Association in conjunction with IANA.
  • Page 18: Knx Network Installation

    To use MECip-Sec in a KNX installation, one of the available Individual Addresses must be chosen. With an Individual Address of the form x.y.0, a TP Line is connected to KNX IP. To connect a TP Area to the IP Backbone, an area coupler address (x.0.0) must be set.
  • Page 19: Adding Device Certificate

    The Device Certificate can be found printed on a side label on the housing. Every KNX Secure device uses its own Device Certificate. Entering this Device Certificate in ETS is mandatory before activating or using KNX Security functions. Please also follow the advice on handling the tear-off part of the side label in chapter 1.7 Safekeeping of Device Certificate.
  • Page 20 MECip Operational Description SECURE Figure 8: Adding Device Certificate - 20 -...
  • Page 21: Programming

    4.5.1 Programming of Individual Address (and Application) The Individual Address (IA) can be assigned to MECip-Sec by setting the desired address in the properties window of ETS. After downloading it into the device, MECip-Sec can be addressed and identified by its new Individual Address.
  • Page 22: Ip Configuration

    4.5.2 IP Configuration The IP configuration of MECip-Sec can be set in the Properties window of the ETS. To activate DHCP/AutoIP, the “Obtain an IP address automatically” option must be set. For more details and information about configuring IP networks, please ask your local network administrator.
  • Page 23 Backbone's Properties window. It appears after a click on the blue Topology bar. When MECip-Sec is used as ETS Current Interface and its IP address is changed by a configuration download, ETS tries to maintain the connection to the Current Interface (having the previous IP address).
  • Page 24: Special Functions

    Reset. With the Manual Function, the device switches to a special filter setting and with the Factory Reset, MECip-Sec can be reset to its manufacturer default state. Pressing the Function Button is also necessary during the Firmware Update process. The active special function status is indicated by the LED display (see chapter 1.3 LED Indication of Special...
  • Page 25: Ip Firmware Update Request

    To start the Firmware Update download process, a short press on the Function Button is necessary while Programming Mode is active. After a click on the “request update” button in the web front-end, MECip-Sec switches to its boot mode (see chapter 6.5 Firmware Update) and ‘Status: update authorized’...
  • Page 26: Ets Database

    MECip ETS Database SECURE ETS Database General For UDP, support of slow tunneling connections can be activated. Figure 14: General Tab Parameters Table 9: General Tab Parameter Settings Settings ETS Parameter Comment [Default Parameter] Slow tunneling Enable or disable support of slow connections support tunneling connections.
  • Page 27: Main Line (Ip)

    MECip ETS Database SECURE Main Line (IP) Setting “transmit all” is intended only for testing use. Please do not use this setting for normal operation. Figure 15: Main Line (IP) Tab Parameters Table 10: Main Line (IP) Tab Parameter Settings Settings ETS Parameter Comment...
  • Page 28: Subline (Knx Tp)

    Setting “transmit all” is intended only for testing use. Please do not use this setting for normal operation. If the parameter “Send confirmation on own telegrams” is set to “yes”, MECip-Sec systematically sends an ACK on any own routed telegram. For example, since repeaters do not use filter tables, it is useful to have an ACK sent along with routed telegrams.
  • Page 29 ACK. Send confirmation on Telegrams sent out to the subline can be own telegrams confirmed by an added ACK. [no] ‘Block’ means MECip-Sec can only be allow Configuration from configured from its main line side and block subline (KNX TP)
  • Page 30: Ip (Secure) Tunneling Address Assignment

    Figure 17: Configuring of IP (Secure) Tunneling Channels To use IP Secure Tunneling, both Secure Commissioning and Secure Tunneling must be activated in the Properties window of MECip-Sec. After that, the passwords for protection of each Tunneling Channel can be entered (or changed).
  • Page 31: Web Front-End

    The web front-end can be used to read out MECip-Sec's current device settings (HTTP port, IP address, MAC address, …), to update the firmware and to set (additional) Individual Addresses for Tunneling. To identify a certain MECip-Sec in a KNX network, Programming Mode can be remotely switched on and off without having to press the on-device Programming Button.
  • Page 32: Accessing The Mecip-Sec Web Front-End

    There are three ways to access the MECip-Sec web front-end. It can be accessed via Windows explorer directly, or by a web browser. For access via web browser, either the IP address or the MAC address, together with the HTTP port, has to be known. How to use the IP address and MAC address in the browser's URL bar is described in the following.
  • Page 33: Via Ip Address

    When IP address and HTTP port are known, this information is sufficient to access the MECip-Sec web front-end by a web browser. As MECip-Sec is able to work as ETS Current Interface, its IP address is also shown under Discovered Interfaces in ETS. For MECip-Sec, the HTTP port can be set either to 80 or 8080.
  • Page 34: Via Mac Address

    When NetBIOS is installed (by default on Windows systems), the MAC address that is printed on a label on the side of the MECip-Sec housing can be used. The MAC address is also shown in the ETS listing of Discovered Interfaces and in the properties window (of the network device) in the Windows explorer.
  • Page 35: Device Info

    MECip Web Front-end SECURE Device Info After accessing the web front-end, the Device Info tab appears. General information about actual device state, current settings, device parameters (like addresses, names, etc.), and software versions are shown. Figure 23: Device Info Tab - 35 -...
  • Page 36: Knx

    Programming Mode can be activated (same as a Programming Button press). Together with the Device Info tab, this function is useful to distinguish the regarded MECip-Sec device (having a certain IP address, MAC address and serial number) from other MECip-Sec devices used in the installation network.
  • Page 37 Care must be taken when using the Set button for reassignment. Clients may lose connectivity due to reassignment. Make sure that the newly assigned addresses do not already exist in the project or in the installation. When Security is active, it is highly recommended not to press the Set button and to assign the additional Individual Addresses only by ETS projects and configuration downloads (see also chapter...
  • Page 38: Ip Firmware Update

    Under the Update tab the MECip-Sec firmware can be updated via IP i.e. the Ethernet network. The complete remote update process is described in following steps. During this process, MECip-Sec enters its boot mode. Then LEDs 1, 2, 3 and 7 light as described in Table 5: LED Status Display for Firmware Update.
  • Page 39 Step 3: After activating Programming Mode, briefly press the Function Button. Then click the “refresh” button. Figure 27: Update Authorized Step 4: When the “request update” button appears, press it to select the update file and enter boot mode.
  • Page 40: Glossary

    An ACK is a positive IACK frame. If the sender detects an ACK, then the sender's data has been received correctly, meaning the data has been successfully transmitted to the receiver. Acknowledgement frames Acknowledgment on the KNX Link Layer is also called Immediate ACK (IACK) in KNX jargon, presumably to differentiate it from other ack methods on the upper layers.
  • Page 41 MECip Glossary SECURE Group Communication Group communication objects contain the datapoints which Object are transmitted via runtime communication. One or more group addresses are assigned to one group communication object. One of these assigned group addresses is the sending group address (to send the group communication object value to the bus).
  • Page 42 MECip Glossary SECURE Security functions For using ETS Security functions, a minimum ETS version is necessary. Security functions have been available since ETS version 5.7.2 (ETS Inside 1.4.0). Short Telegrams Short telegrams or short frames are telegrams having an APDU length that is not exceeding 15 octets. Short telegrams use the standard frame format.
  • Page 43: Technical

    MECip Technical SECURE Technical State of Delivery Table 12: Factory Default Setting General Individual Address 15.15.0 Individual Addresses for (Secure) Tunneling • 15.15.241 • 15.15.242 • 15.15.243 • 15.15.244 IP configuration IP address assignment DHCP/AutoIP IP routing multicast address 224.0.23.12 IP (IP Main line to KNX TP Subline) Group telegrams (main group 0…13) filter (filter table is empty)
  • Page 44: Datasheet

    MECip Technical SECURE Datasheet Marking/Design MECip-Sec Current consumption < 20 mA IP (line): RJ45 socket for 100 Mbit and 10 Mbit BaseT, IEEE 802.3 networks Connections KNX TP line: KNX TP connector (red/black), screwless, for single-core cable Ø 0.6…0.8 mm...
  • Page 45: Drawings

    MECip Technical SECURE Drawings Dimensions shown here are specified in mm. The total device width is 2 modules at 18 mm. Figure 30: Dimension drawings - 45 -...
  • Page 46: Legal Notice

    Legal Notice SECURE Legal Notice lwIP is used in developing the MECip-Sec. lwIP is licenced under the BSD licence. Copyright (c) 2001-2004 Swedish Institute of Computer Science. All rights reserved. Providing that the following conditions are met redistribution and use in source and binary...
  • Page 47: 10 Faq

    MECip-Sec doesn't work. Either use the Commissioning Password and Authentication Code from your former project or perform a factory reset to set MECip-Sec's tool key back to its FDSK. I lost the Device Certificate and the password for the project where it was •...
  • Page 48 • In the web front-end, the Device Info tab shows the actual IP address. When ETS can connect to MECip-Sec via IP, the IP address is contained in the list of Discovered Interfaces. In Windows, with a right click on the network device the properties window can be opened.
  • Page 49 It is highly recommended to use a VPN connection or an available web or KNX IoT solution. I use MECip-Sec as the Current Interface in ETS. Can I change its IP address? •...
  • Page 50 (x = 0,1,2, ... and y = a,b,c, …) Databases R1-0y ETS version ETS5.7.3 and higher Weblink to actual ETS Database: https://www.tapko.de/mecip-sec Contact: sales@tapko.de Telephone: +49 941 30747-0 © 1999-2022 TAPKO Technologies GmbH Im Gewerbepark A15 93059 Regensburg Germany - 50 -...
