How can you protect the S7-300/400 against unauthorized access from the LAN (local area network)?
Description
If you are using an Industrial Ethernet CP that supports the "IP access list" function in the S7-300/400, you can prevent unauthorized access via the LAN (local area network).

The following modules support the "IP access list" function:

6GK7 343-1GX20-0XE0 - from V1.0 (CP343-1 IT)
6GK7 343-1GX21-0XE0 - from V1.0 (CP343-1 Advanced)
6GK7 343-1GX30-0XE0 - from V1.0 (CP343-1 Advanced)
6GK7 343-1EX21-0XE0 - from V1.0 (CP343-1)
6GK7 343-1EX30-0XE0 - from V2.0 (CP343-1)
6GK7 443-1EX10-0XE0 - from V2.3 (CP443-1)
6GK7 443-1EX11-0XE0 - from V2.3 (CP443-1)
6GK7 443-1EX20-0XE0 - from V1.0 (CP443-1)
6GK7 443-1EX40-0XE0 - from V1.0 (CP443-1 Advanced)
6GK7 443-1EX41-0XE0 - from V1.0 (CP443-1 Advanced)
6GK7 443-1GX20-0XE0 - from V2.0 (CP443-1 Advanced)

IP access list
The IP access list is configured in the Properties dialog of the Industrial Ethernet CP concerned.
In the configuration, it is possible to define a list of IP addresses that are permitted access to the module. For example, in the configuration you can enter all the IP addresses of the programming devices that are authorized to have access. This then prevents unauthorized access from PCs, for example, to the S7-300/400 via the LAN.

The CP works on the following principle
Every time a message is received via the LAN, a check is made to see whether the sender's IP address is on the IP access list. If not, the message is discarded, and the partner receives neither a positive nor a negative response. If the IP address is on the IP access list, i.e. it has access authorization, the message is forwarded and processed.

Special feature of the IP access list
If you want duplicate IP addresses to be recognized in the network, you must enter the IP address of the Industrial Ethernet CP itself in the IP access list.
Otherwise, no reply is made to the PING sent by the partner module, because the IP access list check finds that the sender does not have access authorization, and the duplicate IP address in the network is not recognized.

Configuration of the IP access list

  1. Open the HW Config of your S7-300/400.
  2. Double-click on the Industrial Ethernet CP. The Properties dialog opens.
  3. Select the "IP Access Protection" tab.
  4. Check the "Activate access protection for IP communication" function to activate the IP access list.
  5. Now enter the IP addresses or IP address bands of the devices that have access authorization.


Fig. 01

Note
The IP Access List is only effective in TCP / UDP or ISO-on-TCP communication. It does not take into account messages sent via the ISO transport protocol and MAC addresses.

Loading the configuration into the module
You have the following options for loading the configuration data.

  • Loading via the MPI interface of the CPU.
  • Loading via the LAN (ISO protocol or TCP/IP protocol).

The following points should be noted here.

  1. Loading via MPI
    There are no restrictions for loading configuration data via MPI.
     
  2. Loading via ISO protocol
    The Industrial Ethernet CP, via which the configuration data is to be loaded, must support the ISO protocol.
     
  3. Loading via the TCP/IP protocol
    If the configuration is to be loaded with the IP access list into the module via TCP/IP, the IP address of the configuration PC/PG has to be entered in the IP access list!
    The IP access list becomes effective before the procedure of loading into the module has finished. If the IP address of the PC/PG is not on the list, it then suddenly no longer has access authorization to the S7-300/400. STEP 7 then reports a faulty loading procedure and the CPU reports an inconsistent configuration.

Remedy
Enter the IP address of the configuration PC/PG into the IP access list and then load the configuration again via ISO protocol or MPI.

Note
If the IP address of the PC/PG is not to be entered in the IP access list, then the configuration usually has to be loaded via MPI or ISO protocol.
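
The following pre-download check is an added example, not part of the original entry or of STEP 7. It models the allow-list decision described under "The CP works on the following principle" and flags the two pitfalls above (the CP's own address missing, and the PC/PG missing when loading via TCP/IP). The addresses, the "start - end" band notation and the `load_path` labels are assumptions made for illustration.

```python
import ipaddress

# Constructed sample values (assumptions, not from the page).
PLANNED_LIST = ["192.168.0.10", "192.168.0.100 - 192.168.0.120"]
CP_IP = "192.168.0.2"   # address of the Industrial Ethernet CP
PG_IP = "192.168.0.50"  # address of the configuration PC/PG

def parse_entry(entry):
    """Return (low, high) for a single address or a 'start - end' band."""
    start, _, end = entry.partition("-")
    low = ipaddress.IPv4Address(start.strip())
    high = ipaddress.IPv4Address(end.strip()) if end.strip() else low
    if high < low:
        raise ValueError(f"band end is below band start: {entry!r}")
    return low, high

def is_permitted(sender_ip, access_list):
    """Model of the CP's check: True = forwarded, False = silently discarded."""
    sender = ipaddress.IPv4Address(sender_ip)
    return any(low <= sender <= high
               for low, high in (parse_entry(e) for e in access_list))

def precheck(access_list, cp_ip, pg_ip, load_path):
    """Return warnings for the two pitfalls described above.

    load_path is a hypothetical label: 'mpi', 'iso' or 'tcpip'.
    """
    if load_path not in ("mpi", "iso", "tcpip"):
        raise ValueError(f"unknown load path: {load_path!r}")
    warnings = []
    if load_path == "tcpip" and not is_permitted(pg_ip, access_list):
        warnings.append(f"PC/PG {pg_ip} is not on the list: a TCP/IP load will "
                        "fail part-way; add it or load via MPI or ISO.")
    if not is_permitted(cp_ip, access_list):
        warnings.append(f"CP address {cp_ip} is not on the list: duplicate IP "
                        "addresses will not be recognized.")
    return warnings

if __name__ == "__main__":
    for line in precheck(PLANNED_LIST, CP_IP, PG_IP, "tcpip"):
        print("WARNING:", line)
```
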

Keywords
Security, LAN, Access authorization, Module protection, Network

 Entry ID:17662057   Date:2010-01-11 