This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent
damage to property. The notices referring to your personal safety are highlighted in the manual by a safety alert
symbol, notices referring only to property damage have no safety alert symbol. These notices shown below are
graded according to the degree of danger.
indicates that death or severe personal injury will result if proper precautions are not taken.
WARNING
indicates that death or severe personal injury may result if proper precautions are not taken.
CAUTION
indicates that minor personal injury can result if proper precautions are not taken.
NOTICE
indicates that property damage can result if proper precautions are not taken.
If more than one degree of danger is present, the warning notice representing the highest degree of danger will
be used. A notice warning of injury to persons with a safety alert symbol may also include a warning relating to
property damage.
Qualified Personnel
The product/system described in this documentation may be operated only by personnel qualified for the specific
task in accordance with the relevant documentation, in particular its warning notices and safety instructions.
Qualified personnel are those who, based on their training and experience, are capable of identifying risks and
avoiding potential hazards when working with these products/systems.
Proper use of Siemens products
Note the following:
WARNING
Siemens products may only be used for the applications described in the catalog and in the relevant technical
documentation. If products and components from other manufacturers are used, these must be recommended
or approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and
maintenance are required to ensure that the products operate safely and without any problems. The permissible
ambient conditions must be complied with. The information in the relevant documentation must be observed.
Trademarks
All names identified by ® are registered trademarks of Siemens AG. The remaining trademarks in this publication
may be trademarks whose use by third parties for their own purposes could violate the rights of the owner.
Disclaimer of Liability
We have reviewed the contents of this publication to ensure consistency with the hardware and software
described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the
information in this publication is reviewed regularly and any necessary corrections are included in subsequent
editions.
Preface
Purpose of the documentation
This manual supplements the S7-1500 system manual.
With the information in this manual and the system manual, you will be able to commission
the communications processor.
● CP
In this document, the term "CP" is also used instead of the full product name.
● STEP 7
The name STEP 7 is used to mean the STEP 7 Professional configuration tool.
Make sure you read the special notices below:
A notice contains important information on the product described in the documentation,
handling the product or about parts of the documentation you should pay particular attention
to.
New in this issue
● Firmware version V2.1 with the following new functions:
– Extended security settings using IP routing via the backplane bus
See section IP routing (Page 35).
Version history
Firmware version V2.0 with the following new functions:
● Secure OUC (Open User Communication) via TCP/IP
● Secure Mail: New system data types (SDTs) for transferring e-mails
Alternative: Non secure transfer via port 25 or secure transfer via port 587
● Operation as FTP server: Access to the SIMATIC memory card of the CPU
● IP routing via the backplane bus
See also
Program blocks for OUC (Page 44)
Configuring the FTP server function (Page 49)
Replaced edition
Edition 10/2016
Current manual release on the Internet
You will find the current version of this manual on the Internet pages of Siemens Industry
Online Support:
Sources of information and other documentation
License conditions
Note
Open source software
The product contains open source software. Read the license conditions for open source
software carefully before using the product.
You will find license conditions in the following document on the supplied data medium:
● OSS_CP15431_86.pdf
Security information
Siemens provides products and solutions with industrial security functions that support the
secure operation of plants, systems, machines and networks.
In order to protect plants, systems, machines and networks against cyber threats, it is
necessary to implement – and continuously maintain – a holistic, state-of-the-art industrial
security concept. Siemens’ products and solutions only form one element of such a concept.
Customer is responsible to prevent unauthorized access to its plants, systems, machines
and networks. Systems, machines and components should only be connected to the
enterprise network or the internet if and to the extent necessary and with appropriate security
measures (e.g. use of firewalls and network segmentation) in place.
Additionally, Siemens’ guidance on appropriate security measures should be taken into
account. For more information about industrial security, please visit
Link: (http://www.siemens.com/industrialsecurity)
Siemens’ products and solutions undergo continuous development to make them more
secure. Siemens strongly recommends to apply product updates as soon as available and to
always use the latest product versions. Use of product versions that are no longer supported,
and failure to apply latest updates may increase customer’s exposure to cyber threats.
To stay informed about product updates, subscribe to the Siemens Industrial Security RSS
Feed under
Link: (http://www.siemens.com/industrialsecurity).
The firmware is signed and encrypted. This ensures that only firmware created by Siemens
can be downloaded to the device.
Explanations of many of the specialist terms used in this documentation can be found in the
SIMATIC NET glossary.
You will find the SIMATIC NET glossary on the Internet at the following address:
The product is low in pollutants, can be recycled and meets the requirements of the WEEE
directive 2012/19/EU "Waste Electrical and Electronic Equipment".
Do not dispose of the product at public disposal sites. For environmentally friendly recycling
and the disposal of your old device contact a certified disposal company for electronic scrap
or your Siemens contact.
Keep to the local regulations.
You will find information on returning the product on the Internet pages of Siemens Industry
Online Support:
Link: (https://support.industry.siemens.com/cs/ww/en/view/109479891)
• Ethernet networks
• Network configuration
• Network components
Function Manual: Interference-free installation of control systems
(https://support.industry.siemens.com/cs/ww/en/view/59193566)
• Basics
• Electromagnetic compatibility
• Lightning protection
• Housing selection
Function manual: Cycle and Response Times
(https://support.industry.siemens.com/cs/ww/e
• Basics
• Calculations
All current manuals for SIMATIC products are available for download free of charge from the
Internet:
Link: (http://www.siemens.com/automation/service&support)
The "SIMATIC NET Manual Collection" DVD contains the device manuals and descriptions
of all SIMATIC NET products current at the time it was created. It is updated at regular
intervals.
The "Version History/Current Downloads for SIMATIC NET S7 CPs (Industrial Ethernet)"
document provides information on all CPs available up to now for SIMATIC S7 (Industrial
Ethernet).
The current versions of the document can be found on the Internet:
Link: (https://support.industry.siemens.com/cs/ww/en/view/109474421)
Address label: Unique MAC address preset for the CP
The CP ships with a default MAC address:
The MAC address is printed on the housing.
If you configure a MAC address (ISO transport connections), we recommend that you use
the MAC address printed on the module for module configuration! This ensures that you
assign a unique MAC address in the subnet!
Application
The CP is intended for operation in an S7-1500 automation system. It allows the S7-1500 to
be connected to Industrial Ethernet.
With a combination of different security measures such as firewall and protocols for data
encryption, the CP protects the S7-1500 or even entire automation cells from unauthorized
access. It also protects the communication between the S7 station and communications
partners from spying and manipulation.
2.2 Communication services
The CP supports the following communication services:
● Open User Communication (OUC)
Open User Communication supports the following communications services via the CP
using programmed or configured communications connections:
– ISO transport (complying with ISO/IEC 8073)
– TCP (complying with RFC 793), ISO-on-TCP (complying with RFC 1006) and UDP
(complying with RFC 768)
With the interface via TCP connections, the CP supports the socket interface to
TCP/IP available on practically every end system.
– Multicast over UDP connection
The multicast mode is made possible by selecting a suitable IP address when
configuring connections.
– Sending e-mail via SMTP (port 25) or SMTPS (port 587) with "SMTP-Auth" for
authentication on an e-mail server.
● S7 communication
– PG communication
– Operator control and monitoring functions (HMI communication)
●
– FTP functions (File Transfer Protocol FTP/FTPS) for file management and access to
data blocks on the CPU (client and server functions).
– For e-mail see above (OUC)
●
– FETCH/WRITE services as server (corresponding to S5 protocol) via ISO transport,
ISO-on-TCP and TCP connections
The S7-1500 with the CP is always the server (passive connection establishment).
The fetch or write access (client function with active connection establishment) is
performed by a SIMATIC S5 or a third-party device / PC.
2.3 Further functions
Time-of-day synchronization over Industrial Ethernet using the NTP mode (NTP: Network Time
Protocol)
The CP sends time-of-day queries at regular intervals to an NTP server and synchronizes its
local time of day.
The time is also forwarded automatically to the CPU modules in the S7 station allowing
the time to be synchronized in the entire S7 station.
Security function: The CP supports the NTP (secure) protocol for secure time-of-day
synchronization and transfer of the time of day.
Addressable with the factory-set MAC address
To assign the IP address to a new CP (direct from the factory), it can be accessed using the
preset MAC address on the interface being used. Online address assignment is made in
STEP 7.
SNMP agent
The CP supports data queries over SNMP in version V1 (Simple Network Management
Protocol). It delivers the content of certain MIB objects according to the MIB II standard and
Automation System MIB.
If security is enabled, the CP supports SNMPv3 for transfer of network analytical information
protected from eavesdropping.
The essential features of IP configuration for the CP:
● The CP supports the use of IP addresses according to IPv4 and IPv6.
● You can configure how and with which method the CP is assigned the IP address, the
subnet mask and the address of a gateway.
● The IP configuration and the connection configuration (IPv4) can also be assigned to the
CP by the user program (for program blocks refer to the section Programming (Page 21)).
Note: Does not apply to S7 connections.
The CP supports static IP routing (IPv4) to other CM 1542-1 V2.0 / CP 1543-1 V2.0.
For details, see section IP routing (Page 35).
An IP address according to IPv6 can be used for the following communications services:
● FTP server mode
● FETCH/WRITE access (CP is server)
● FTP client mode with addressing via a program block
● E-mail transfer with addressing via a program block
Via the LAN interface of the CP, you have access to the Web server of the CPU. With the aid
of the Web server of the CPU, you can read out module data from a station.
Note the special description of the Web server; refer to the section Guide to the
documentation (Page 9)
The Web server of a SIMATIC S7-1500 station is located in the CPU. For this reason, when
there is secure access (HTTPS) to the Web server of the station using the IP address of the
CP 1543-1, the SSL certificate of the CPU is displayed.
S5/S7 addressing mode for FETCH/WRITE
The addressing mode can be configured for FETCH/WRITE access as S7 or S5 addressing
mode. The addressing mode specifies how the position of the start address is identified
during data access (S7 addressing mode applies only to data blocks / DBs).
Read the additional information in the online help of STEP 7.
2.4 Industrial Ethernet Security
All-round protection - the task of Industrial Ethernet Security
With Industrial Ethernet Security, individual devices, automation cells or network segments
of an Ethernet network can be protected. The data transfer from the external network
connected to the CP 1543-1 can be protected by a combination of different security
measures:
● Data espionage (FTPS, HTTPS)
● Data manipulation
● Unauthorized access
Secure underlying networks can be operated via additional Ethernet/PROFINET interfaces
implemented by the CPU or additional CPs.
Security functions of the CP for the S7-1500 station
As a result of using the CP, the following security functions are accessible to the S7-1500
station on the interface to the external network:
● Firewall
– IP firewall with stateful packet inspection (layer 3 and 4)
– Firewall also for Ethernet "non-IP" frames according to IEEE 802.3 (layer 2)
– Bandwidth limitation
– Global firewall rules
The firewall protective function can be applied to the operation of single devices, several
devices, or entire network segments.
● Logging
To allow monitoring, events can be stored in log files that can be read out using the
configuration tool or can be sent automatically to a syslog server.
● FTPS (explicit mode)
For encrypted transfer of files.
● NTP (secure)
For secure time-of-day synchronization and transmission.
● SMTPS
For secure transfer of e-mails via port 587
● SNMPv3
For secure transmission of network analysis information safe from eavesdropping
Observe the information in section Security recommendations (Page 31).
2.5 Configuration limits and performance data
Total number of freely usable connections on Industrial Ethernet: 118
The value applies to the total number of connections of the
Depending on the CPU type, different numbers of connection resources are available. The
number of connection resources is the decisive factor for the number of configurable
connections. This means that the values that can actually be achieved may be lower than
specified in this section describing the CP.
You will find detailed information on the topic of connection resources in the
"Communication" function manual, refer to the section
2.5.2
Characteristics for Open User Communication (OUC) and FETCH/WRITE
Open User Communication (OUC) provides access to communication over TCP, ISO-on-TCP, ISO transport and UDP connections.
The following characteristics are important (OUC + FETCH/WRITE):
Number of connections
• Number of configured and programmed connections in total (ISO
transport + ISO-on-TCP + TCP + UDP + FETCH/WRITE + e-mail):
Max. 118
Of which maximum:
– TCP connections: 1...118
– ISO-on-TCP connections: 1...118
– ISO transport connections: 1...118
– Total number of UDP connections (specified and free) that can be
configured: 1...118
– Connection for e-mail: 1
– Connections for FETCH/WRITE: 1...16
Notes:
1)
Avoid receive overload
The flow control on TCP connections cannot control permanent overload
of the recipient. You should therefore make sure that the processing capabilities of a receiving CP are not permanently exceeded by the sender
Maximum data length for program blocks
Program blocks allow the transfer of user data in the following lengths:
• ISO-on-TCP, TCP, ISO transport: 1 to 64 kB
• UDP: 1 to 1452 bytes
• E-mail
– Job header + user data: 1 to 256 bytes
– E-mail attachment: up to 64 kbytes
LAN interface max. data field length generated by CP per protocol data unit (TPDU =
transport protocol data unit)
FTP actions are transferred from the CP over TCP connections. Depending on the mode, the
following characteristic data applies:
● FTP in client mode:
You can use a maximum of 32 FTP sessions. Up to 2 TCP connections are occupied per
activated FTP session (1 control connection and 1 data connection).
● FTP in server mode:
You can operate a maximum of 16 FTP sessions at the same time. Up to 2 TCP
connections are occupied per activated FTP session (1 control connection and 1 data
connection).
For communication, use the FTP program block FTP_CMD.
The block execution time in FTP depends on the reaction times of the partner and the length
of the user data. A generally valid statement is therefore not possible.
VPN tunnel communication allows the establishment of secure IPsec tunnel communication
with one or more security modules.
The maximum number of firewall rules in advanced firewall mode is limited to 256.
The firewall rules are divided up as follows:
● Maximum 226 rules with individual addresses
● Maximum 30 rules with address ranges or network addresses
(e.g. 140.90.120.1 - 140.90.120.20 or 140.90.120.0/16)
● Maximum 128 rules with limitation of the transmission speed ("bandwidth limitation")
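The following added example (not part of the Siemens manual, and not a STEP 7 function) checks a planned rule list against the limits above before it is entered in advanced firewall mode. The tuple format for a rule and the assumption that the notation of the address field decides which budget a rule counts against are hypothetical; it also reports prefixes whose host bits are set, as in the manual's own 140.90.120.0/16, because such a rule covers the whole enclosing network.

```python
import ipaddress

# Limits for advanced firewall mode as stated in the text above.
LIMITS = {"total": 256, "individual": 226, "range": 30, "bandwidth": 128}


def parse_address(field):
    """Return (kind, first_ip, last_ip, note) for one rule address field.

    Assumption: notation decides the class, so anything written as a range
    ("a - b") or with a prefix ("a/len") counts against the range budget.
    """
    text = field.strip()
    if "-" in text:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid range {field!r}")
        return "range", lo, hi, ""
    if "/" in text:
        net = ipaddress.ip_network(text, strict=False)  # tolerate host bits
        note = ""
        if ipaddress.ip_interface(text).ip != net.network_address:
            note = f"host bits set, effective network is {net}"
        return "range", net[0], net[-1], note
    ip = ipaddress.ip_address(text)
    return "individual", ip, ip, ""


def check_ruleset(rules):
    """rules: iterable of (address_field, bandwidth_limited) tuples.

    Returns (counts, problems, notes); problems lists malformed rules and
    exceeded limits, notes lists rules that are broader than they look.
    """
    counts = dict.fromkeys(LIMITS, 0)
    problems, notes = [], []
    for idx, (field, bandwidth_limited) in enumerate(rules, start=1):
        try:
            kind, lo, hi, note = parse_address(field)
        except ValueError as exc:
            problems.append(f"rule {idx}: {exc}")
            continue
        counts["total"] += 1
        counts[kind] += 1
        counts["bandwidth"] += bool(bandwidth_limited)
        if note:
            size = int(hi) - int(lo) + 1
            notes.append(f"rule {idx}: {note} ({size} addresses)")
    for key, limit in LIMITS.items():
        if counts[key] > limit:
            problems.append(f"{key}: {counts[key]} rules exceed the limit of {limit}")
    return counts, problems, notes


# Constructed sample plan: 226 single hosts, 29 bandwidth-limited networks,
# the two notations quoted in the manual, and one malformed entry.
SAMPLE = (
    [(f"192.168.{i // 200}.{i % 200 + 1}", False) for i in range(226)]
    + [(f"10.{i}.0.0/16", True) for i in range(29)]
    + [("140.90.120.1 - 140.90.120.20", False), ("140.90.120.0/16", False)]
    + [("140.90.120.300", False)]
)

if __name__ == "__main__":
    counts, problems, notes = check_ruleset(SAMPLE)
    print(counts)
    for line in problems + notes:
        print(line)
```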
Product overview, functions
2.6 Requirements for use
2.6.1
Configuration limits
When using the CP type described here, the following limits apply:
● The number of CPs that can be operated in a rack depends on the CPU type being used.
By operating several CPs, you can increase the configuration limits listed below for the
station as a whole. The CPU does, however, have set limits for the entire configuration.
The size of the configuration made available by a CP can be increased by using more
than one CP within the framework of the system limits.
Observe the information in the documentation on the CPU; see section Guide to the
documentation (Page 9)
Note
Power supply via the CPU adequate or additional power supply modules required
You can operate a certain number of modules in the S7-1500 station without an
additional power supply. Make sure that you keep to the specified power feed to the
backplane bus for the particular CPU type. Depending on the configuration of the S7-1500
station you may need to provide additional power supply modules.
2.6.2
Project engineering
Configuration and downloading the configuration data
When the configuration data is downloaded to the CPU, the CP is supplied with the relevant
configuration. The configuration data can be downloaded to the CPU via a memory card or
any Ethernet/PROFINET interface of the S7-1500 station.
The following version of STEP 7 is required:
STEP 7 version: STEP 7 Professional V12 SP1 or higher
Functions of the CP: The full functionality of the CP 1543-1 (6GK7 543-1AX00-0XE0) can be configured.
Meaning of the LED displays of the Ethernet interface: X1 P1
The LED LINK/ACT (two color green/yellow) is assigned to the port of the Ethernet interface.
The table below shows the LED patterns.
Table 2- 4 Meaning of the "LINK/ACT" LED
LINK/ACT: Meaning
green off, yellow off: No connection to Ethernet
There is no Ethernet connection between the Ethernet interface of the CP and the communications partner.
At the current time, there is no data being received/sent via the Ethernet interface.
flashing green, yellow off: The "node flash test" is being performed.
green on, yellow off: Connection to Ethernet exists.
There is an Ethernet connection between the Ethernet interface of your CP and a communications partner.
green on, yellow flickers: At the current time, data is being received/sent via the
Ethernet interface of the Ethernet device of a communications partner on Ethernet.
2.8
Gigabit interface
Ethernet interface with gigabit specification and security access
The CP has an Ethernet interface according to the gigabit standards IEEE 802.3. The
Ethernet interface supports autocrossing, autonegotiation and autosensing.
The Ethernet interface allows a secure connection to external networks via a firewall. The
CP provides the following protective function:
● Protection of the S7-1500 station in which the CP is operated;
● Protection of the underlying company networks connected to the other interfaces of the
S7-1500 station.
You will find the pin assignment of the sub RJ-45 jack in section Installing and
commissioning the CP 1543-1 (Page 28).
3.1 Important notes on using the device
Note the following safety notices when setting up and operating the device and during all
associated work such as installation, connecting up or replacing the device.
A LAN or LAN segment with the attachments belonging to it should be within a single low-voltage
supply system and within a single building. Make sure that the LAN is in a type A
environment according to IEEE 802.3 or in a type 0 environment according to IEC TR
62101.
Never establish a direct electrical connection to TNV networks (telephone network) or
WANs (Wide Area Network).
3.1.1
Notes on use in hazardous areas
WARNING
The device may only be operated in an environment with pollution degree 1 or 2 (see IEC
60664-1).
WARNING
EXPLOSION HAZARD
Do not connect or disconnect cables to or from the device when a flammable or
combustible atmosphere is present.
WARNING
EXPLOSION HAZARD
Replacing components may impair suitability for Class 1, Division 2 or Zone 2.
When used in hazardous environments corresponding to Class I, Division 2 or Class I,
Zone 2, the device must be installed in a cabinet or a suitable enclosure.
Notes on use in hazardous areas according to ATEX / IECEx
In the ATEX and IECEx area of application only the Siemens DIN rail 6ES5 710-8MA11
may be used to mount the modules.
WARNING
Requirements for the cabinet/enclosure
To comply with EU Directive 94/9 (ATEX95), the enclosure or cabinet must meet the
requirements of at least IP54 in compliance with EN 60529.
WARNING
If the cable or conduit entry point exceeds 70 °C or the branching point of conductors
exceeds 80 °C, special precautions must be taken. If the equipment is operated in an air
ambient in excess of 50 °C, only use cables with admitted maximum operating temperature
of at least 80 °C.
WARNING
Take measures to prevent transient voltage surges of more than 40% of the rated voltage.
This is the case if you only operate devices with SELV (safety extra-low voltage).
Notes on use in hazardous areas according to UL HazLoc
WARNING
EXPLOSION HAZARD
You may only connect or disconnect cables carrying electricity when the power supply is
switched off or when the device is in an area without inflammable gas concentrations.
This equipment is suitable for use in Class I, Division 2, Groups A, B, C and D or non-hazardous locations only.
This equipment is suitable for use in Class I, Zone 2, Group IIC or non-hazardous locations
only.
3.1.4
General notices on use in hazardous areas according to FM
WARNING
EXPLOSION HAZARD
You may only connect or disconnect cables carrying electricity when the power supply is
switched off or when the device is in an area without inflammable gas concentrations.
This equipment is suitable for use in Class I, Division 2, Groups A, B, C and D or non-hazardous locations only.
This equipment is suitable for use in Class I, Zone 2, Group IIC or non-hazardous locations
only.
WARNING
EXPLOSION HAZARD
The equipment is intended to be installed within an ultimate enclosure. The inner service
temperature of the enclosure corresponds to the ambient temperature of the module. Use
installation wiring connections with admitted maximum operating temperature of at least
30 ºC higher than maximum ambient temperature.
3.2 Installing and commissioning the CP 1543-1
Read the system manual "S7-1500 Automation System"
Prior to installation, connecting up and commissioning, read the relevant sections in the
system manual "S7-1500 Automation System" (references to documentation, refer to the
section Guide to the documentation (Page 9)).
Make sure that the power supply is turned off when installing/uninstalling the devices.
Configuration
Commissioning the CP fully is only possible if the STEP 7 project data is complete.
Procedure for installation and commissioning
Step: Execution (Notes and explanations)
1. When installing and connecting up, keep to the procedures described for installing I/O
modules in the system manual "S7-1500 Automation System".
2. Connect the CP to Industrial Ethernet via the RJ45 jack.
Notes and explanations: Underside of the CP
3. Turn on the power supply.
4. Close the front covers of the module and keep them closed during operation.
5. The remaining steps in commissioning involve downloading the STEP 7 project data.
Notes and explanations: The STEP 7 project data of the CP is transferred when you
download to the station. To load the station, connect the engineering station on which the project data is located to the
Ethernet interface of the CPU.
You will find more detailed information on loading in the following sections of the STEP 7 online help:
The table below shows the pin assignment of the Ethernet interface (RJ-45 jack). The
assignment corresponds to the Ethernet standard IEEE 802.3.
Table 3- 1 Pin assignment of the Ethernet interface
You will find additional information on the topics of "Connecting up" and "Accessories (RJ-45
plug)" in the system manual:
Link: (https://support.industry.siemens.com/cs/ww/en/view/59191792)
You can change the mode of the CPU between RUN and STOP using the STEP 7
configuration software.
Depending on the operating status of the CPU, the CP behaves as described below.
When the CPU is in STOP mode, the CP remains in RUN and behaves as follows:
● For established connections (ISO transport, ISO-on-TCP, TCP, UDP connections), the
following applies depending on the configuration:
– Programmed connections are retained.
– Configured connections are terminated.
● The following functions remain enabled:
– The configuration and diagnostics of the CP (system connections for configuration,
diagnostics, and PG channel routing are retained);
Do not connect the PC directly to the Internet. If a connection from the CP to the Internet is
required, arrange for suitable protection before the CP, for example a SCALANCE S with
firewall.
Use the options for security settings in the configuration of the product. These include,
among others:
● Protection levels
Configure access to the CPU under "Protection and Security".
● Security function of the communication
– Enable the security functions of the CP and set up the firewall.
If you connect to public networks, you should use the firewall. Think about the services
you want to allow access to the station via public networks. By using the "bandwidth
restriction" of the firewall, you can restrict the possibility of flooding and DoS attacks.
The FETCH/WRITE functionality allows you to access any data of your PLC. The
FETCH/WRITE functionality should not be used in conjunction with public networks.
– Use the secure protocol variants HTTPS, FTPS, NTP (secure) and SNMPv3.
– Use the program blocks for secure OUC communication (Secure OUC).
– Leave access to the Web server of the CPU (CPU configuration) and to the Web
server of the CP disabled.
● Protection of the passwords for access to program blocks
Protect the passwords stored in data blocks for the program blocks from being viewed.
You will find information on the procedure in the STEP 7 information system under the
keyword "Know-how protection".
● Logging function
Enable the function in the security configuration and check the logged events regularly for
unauthorized access.
● Define rules for the use of devices and assignment of passwords.
● Regularly update the passwords to increase security.
● Only use passwords with a high password strength. Avoid weak passwords, for example
"password1", "123456789" or similar.
● Make sure that all passwords are protected and inaccessible to unauthorized personnel.
See also the preceding section for information on this.
● Do not use one password for different users and systems.
● Only activate protocols that you require to use the system.
● Use secure protocols when access to the device is not prevented by physical protection
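The recommendations above can be turned into a repeatable review of a station's planned communication settings. The following is an added example, not Siemens code and not a STEP 7 export format: the dictionary keys, service names and finding IDs are hypothetical, and both station descriptions are constructed, one weak and one corrected.

```python
# Plain protocol -> secure variant named in the recommendations above.
SECURE_VARIANT = {"http": "https", "ftp": "ftps", "ntp": "ntp_secure", "snmpv1": "snmpv3"}


def audit_station(cfg):
    """Return a sorted list of (finding_id, detail) for one station description."""
    services = set(cfg.get("services", ()))
    required = set(cfg.get("required_services", ()))
    public = bool(cfg.get("public_network"))
    firewall = bool(cfg.get("firewall_enabled"))
    findings = []

    # "If you connect to public networks, you should use the firewall."
    if public and not firewall:
        findings.append(("FW-OFF", "public network attached but firewall disabled"))
    # Bandwidth restriction limits the effect of flooding and DoS attacks.
    if public and firewall and not cfg.get("bandwidth_limit_kbps"):
        findings.append(("FW-NO-BW", "firewall has no bandwidth restriction"))
    # FETCH/WRITE gives access to any PLC data; keep it off public networks.
    if public and "fetch_write" in services:
        findings.append(("FETCHWRITE-PUBLIC", "FETCH/WRITE used with a public network"))
    # Prefer HTTPS, FTPS, NTP (secure) and SNMPv3 over the plain variants.
    for plain in sorted(services.intersection(SECURE_VARIANT)):
        findings.append(("PLAINTEXT", f"{plain} enabled; use {SECURE_VARIANT[plain]}"))
    # E-mail: port 25 is the non-secure transfer, port 587 the secure one.
    if "smtp" in services and cfg.get("smtp_port") == 25:
        findings.append(("SMTP-25", "e-mail sent via port 25 instead of port 587"))
    # Web server access should stay disabled.
    if cfg.get("web_server_enabled"):
        findings.append(("WEB-ON", "Web server access is enabled"))
    # Logging must be on so that unauthorized access can be reviewed.
    if not cfg.get("logging_enabled"):
        findings.append(("LOG-OFF", "logging function disabled"))
    # "Only activate protocols that you require to use the system."
    for extra in sorted(services - required):
        findings.append(("UNUSED-SERVICE", f"{extra} active but not required"))
    return sorted(findings)


# Constructed example: a station exposed to a public network with weak settings.
WEAK = {
    "public_network": True,
    "firewall_enabled": False,
    "services": {"fetch_write", "ftp", "snmpv1", "smtp"},
    "required_services": {"ftp", "smtp"},
    "smtp_port": 25,
    "web_server_enabled": True,
    "logging_enabled": False,
}

# Constructed example: the same station after applying the recommendations.
HARDENED = {
    "public_network": True,
    "firewall_enabled": True,
    "bandwidth_limit_kbps": 512,
    "services": {"ftps", "snmpv3", "smtp", "ntp_secure"},
    "required_services": {"ftps", "snmpv3", "smtp", "ntp_secure"},
    "smtp_port": 587,
    "web_server_enabled": False,
    "logging_enabled": True,
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name)
        for finding_id, detail in audit_station(cfg):
            print(f"  {finding_id}: {detail}")
```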
4.3 IP configuration
Note
Configured S7 and OUC connections cannot be operated if the IP address is assigned using DHCP
If you obtain the IP address using DHCP, any S7 and OUC connections you may have
configured will not work. Reason: The configured IP address is replaced by the address
obtained via DHCP during operation.
4.3.2
Restart after detection of a duplicate IP address in the network
To save you time-consuming troubleshooting in the network, during startup the CP detects
double addressing in the network.
Behavior when the CP starts up
If double addressing is detected when the CP starts up, the CP changes to RUN and cannot
be reached via the Ethernet interface. The ERROR LED flashes.
4.3.3
IP routing
IP routing via the backplane bus
The CP supports static IP routing (IPv4) to other CM 1542-1 / CP 1543-1. You can use IP
routing, for example, for Web server access by lower-level modules.
With IP routing, the data throughput is limited to 1 Mbps. Remember this in terms of the
number of modules involved and the expected data traffic via the backplane bus.
Configuration
You can activate the IP routing in STEP 7 via the function "IP routing between
communication modules". In the security settings, the corresponding function is called "IP
routing via the backplane bus". When you activate the function, additional IP firewall rules
are created which you can modify in the advanced firewall mode of the security settings.
IP routing runs via the configured default router. If you use several CPs in a station, only
one of the modules in the station may be configured as a router.
Note the range and application of the security functions of the CP in the section Industrial
Ethernet Security (Page 15).
For the configuration limits, see section Characteristics security (Page 19).
The security functions are configured in STEP 7.
Virtual Private Network (VPN) is a technology for secure transportation of confidential data in
public IP networks, for example the Internet. With VPN, a secure connection (= tunnel) is set
up and operated between two secure IT systems or networks via a non-secure network.
One of the main characteristics of the VPN tunnel is that it forwards all network packets
regardless of higher protocols (HTTP, FTP).
The data traffic between two network components is transported practically unrestricted
through another network. This allows entire networks to be connected together via a
neighboring network.
● VPN forms a logical subnet that is embedded in a neighboring (assigned) network. VPN
uses the usual addressing mechanisms of the assigned network, however in terms of the
data, it transports its own network packets and therefore operates independent of the rest
of this network.
● VPN allows communication of the VPN partners with the assigned network.
● VPN is based on tunnel technology, can be individually configured, is customer-specific
and is self-contained.
● Communication between the VPN partners is protected from eavesdropping or
manipulation by using passwords, public keys or a digital certificate (= authentication).
● Local area networks can be connected together securely via the Internet ("site-to-site"
connection).
● Secure access to a company network ("end-to-site" connection).
● Secure access to a server ("end-to-end" connection).
● Communication between two servers is possible without being accessible to third parties
("end-to-end" or "host-to-host" connection).
● Ensuring information security in networked automation systems.
● Securing the computer systems including the associated data communication within an
automation network or secure remote access via the Internet.
● Secure remote access from a PC/programming device to automation devices or networks
protected by security modules is possible via public networks.
With Industrial Ethernet Security, individual devices, automation cells or network segments
of an Ethernet network can be protected:
● The access to individual devices or even to entire automation cells protected by security
modules is allowed.
● Secure connections via non-secure network structures become possible.
Due to the combination of different security measures such as firewall, NAT/NAPT routers
and VPN via IPsec tunnels, security modules protect against the following:
● Data espionage
● Data manipulation
● Unwanted access
4.4 Security
Creating VPN tunnel communication between S7-1500 stations
Requirements
To create a VPN tunnel between two S7-1500 stations, the following requirements must be
met:
● Two S7-1500 stations have been configured.
● Both CPs are configured with a firmware version ≥ V1.1.
● The Ethernet interfaces of the two stations are located in the same subnet.
Note
Communication also possible via an IP router
Communication between the two S7-1500 stations is also possible via an IP router. To use
this communications path, however, you need to make further settings.
Procedure
To create a VPN tunnel, you need to work through the following steps:
1. Create a security user.
If the security user has already been created: Log on as a user.
2. Select the "Activate security features" check box.
3. Create the VPN group and assign security modules.
4. Configure properties of the VPN group.
Configure local VPN properties of the two CPs.
You will find a detailed description of the individual steps in the following paragraphs of this
section.
To create a VPN tunnel, you require appropriate configuration rights. To activate the security
functions, you need to create at least one security user.
1. In the local security settings of the CP, click the "User logon" button.
Result: A new window opens.
2. Enter the user name, password and confirmation of the password.
3. Click the "User login" button.
You have created a new security user. The security functions are now available to you.
With all further logons, log on as user.
Selecting the "Activate security features" check box
● After logging on, select the "Activate security features" check box for both CPs.
You now have the security functions available for both CPs.
Creating the VPN group and assigning security modules
Note
Current date and current time of day on the security modules
When using secure communication (for example HTTPS, VPN...), make sure that the
security modules involved have the current time of day and the current date. Otherwise the
certificates used will not be evaluated as valid and the secure communication will not work.
1. In the global security settings, select the entry "Firewall" > "VPN groups" > "Add new VPN
group".
2. Double-click on the entry "Add new VPN group", to create a VPN group.
Result: A new VPN group is displayed below the selected entry.
3. In the global security settings, double-click on the entry "VPN groups" > "Assign module
to a VPN group".
4. Assign the security modules between which VPN tunnels will be established to the VPN
group.
1. Double-click on the newly created VPN group.
Result: The properties of the VPN group are displayed under "Authentication".
2. Enter a name for the VPN group. Configure the settings of the VPN group in the
properties.
These properties define the default settings of the VPN group that you can change at any
time.
You specify the VPN properties of the required CP in the local properties of the module
("Security" > "Firewall" > "VPN")
Result
You have created a VPN tunnel. The firewalls of the CPs are activated automatically: The
"Activate firewall" check box is selected as default when you create a VPN group. You
cannot deselect the check box.
● Download the configuration to all modules that belong to the VPN group.
4.4.1.2 Successfully establishing VPN tunnel communication between the CP 1543-1 and
SCALANCE M
Creating VPN tunnel communication between the CP 1543-1 and SCALANCE M is the same
as described in Procedure for S7-1500 stations (Page 37).
VPN tunnel communication will only be established if you have selected the check box
"Perfect Forward Secrecy" in the global security settings of the created VPN group ("VPN
groups > Authentication").
If the check box is not selected, the CP 1543-1 rejects establishment of the tunnel.
4.4.1.3 VPN tunnel communication with SOFTNET Security Client
Creating VPN tunnel communication between SOFTNET Security Client and the
CP 1543-1 is the same as described in Procedure for S7-1500 stations (Page 37).
VPN tunnel communication works only if the internal node is disabled
Under certain circumstances the establishment of VPN tunnel communication between
SOFTNET Security Client and the CP 1543-1 fails.
SOFTNET Security Client also attempts to establish VPN tunnel communication to a
lower-level internal node. This communication establishment to a non-existing node prevents
the required communication establishment to the CP 1543-1.
To establish successful VPN tunnel communication to the CP 1543-1, you need to disable
the internal node.
Firewall sequence when checking incoming and outgoing frames
Each incoming or outgoing frame initially runs through the MAC firewall (layer 2). If the frame
is discarded at this level, it is not checked by the IP firewall (layer 3). This means that with
suitable MAC firewall rules, IP communication can be restricted or blocked.
4.4.2.2 Notation for the source IP address (advanced firewall mode)
If you specify an address range for the source IP address in the advanced firewall settings of
the CP 1543-1, make sure that the notation is correct:
● Separate the two IP addresses only using a hyphen.
Correct: 192.168.10.0-192.168.10.255
● Do not enter any other characters between the two IP addresses.
Incorrect: 192.168.10.0 - 192.168.10.255
If you enter the range incorrectly, the firewall rule will not be used.
4.4.2.3 HTTP and HTTPS not possible with IPv6
It is not possible to use HTTP and HTTPS communication on the Web server of the station
using the IPv6 protocol.
If the firewall is enabled in the local security settings in the entry "Firewall > Predefined IPv6
rules": The selected check boxes "Allow HTTP" and "Allow HTTPS" have no function.
4.4.2.4 Firewall settings for connections via a VPN tunnel
IP rules in advanced firewall mode
If you have configured connections between CPs, note the following setting if you operate
the CPs in advanced firewall mode.
In the parameter group "Security > Firewall > IP rules" select the setting "Allow" for tunnel
connections.
If you do not enable the option, the VPN connection is terminated and re-established.
This applies to connections between a CP 1543-1 and for example a CP 343-1 Advanced,
CP 443-1 Advanced, CP 1628 or CP 1243-1.
See also
Online diagnostics and downloading to station with the firewall activated (Page 42)
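The notation rule for source IP address ranges in advanced firewall mode (one hyphen, no
other characters between the two addresses) can be checked before the values are typed
into STEP 7, because a range entered incorrectly means the rule is not used. The following
Python check is an added example, not part of the manual or of STEP 7; the rule names, the
"Drop" action and all sample addresses other than the manual's own range are constructed,
and rejecting a range whose start is higher than its end is an assumption of this example.

```python
import ipaddress
import re

# One IPv4 address, one ASCII hyphen (U+002D), one IPv4 address, nothing else.
RANGE_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})-(\d{1,3}(?:\.\d{1,3}){3})")

# Dashes that editors and word processors substitute for "-" in pasted text.
LOOKALIKE_DASHES = "\u2010\u2011\u2012\u2013\u2014\u2212"


def check_source_range(entry):
    """Return (ok, reason) for one source IP range entry."""
    if any(ch in LOOKALIKE_DASHES for ch in entry):
        return False, "non-ASCII dash instead of a hyphen"
    if any(ch.isspace() for ch in entry):
        return False, "whitespace in the entry"
    match = RANGE_RE.fullmatch(entry)
    if match is None:
        return False, "not of the form <IPv4>-<IPv4>"
    try:
        start = ipaddress.IPv4Address(match.group(1))
        end = ipaddress.IPv4Address(match.group(2))
    except ipaddress.AddressValueError:
        return False, "invalid IPv4 address"
    if start > end:
        # Assumption of this example, not a statement from the manual.
        return False, "start address is higher than end address"
    return True, "ok"


# Constructed sample rules as they might be collected before configuration.
SAMPLE_RULES = [
    {"name": "allow-eng-subnet", "action": "Allow",
     "source": "192.168.10.0-192.168.10.255"},
    {"name": "allow-hmi-range", "action": "Allow",
     "source": "192.168.10.0 - 192.168.10.255"},
    {"name": "drop-guest-range", "action": "Drop",
     "source": "192.168.20.0\u2013192.168.20.255"},
    {"name": "allow-bad-octet", "action": "Allow",
     "source": "192.168.30.0-192.168.30.256"},
    {"name": "drop-reversed", "action": "Drop",
     "source": "192.168.40.255-192.168.40.0"},
]


def lint_rules(rules):
    """Return (name, action, reason) for every rule with a rejected range."""
    findings = []
    for rule in rules:
        ok, reason = check_source_range(rule["source"])
        if not ok:
            findings.append((rule["name"], rule["action"], reason))
    return findings


if __name__ == "__main__":
    for name, action, reason in lint_rules(SAMPLE_RULES):
        print(f"{name}: {action} rule flagged ({reason})")
```
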
Online diagnostics and downloading to station with the firewall activated
Setting the firewall for online functions
If you want to perform security diagnostics without opening port 102, follow the steps below:
1. Select the CP in STEP 7.
2. Open the "Online & diagnostics" shortcut menu (right mouse button).
3. In the parameter group "Security > Status" click the "Connect online" button.
In this way you perform the security diagnostics via port 8448.
With the security functions enabled, follow the steps outlined below:
1. In the global security settings (see project tree), select the entry "Firewall > Services >
Define services for IP rules".
2. Select the "ICMP" tab.
3. Insert a new entry of the type "Echo Reply" and another of the type "Echo Request".
4. Now select the CP in the S7 station.
5. Enable the advanced firewall mode in the local security settings of the CP in the "Security
> Firewall" parameter group.
6. Open the "IP rules" parameter group.
7. In the table, insert a new IP rule for the previously created global services as follows:
– Action: Allow; "From external -> To station" with the globally created "Echo request"
service
– Action: Allow; "From station -> to external" with the globally created "Echo reply"
service
8. For the IP rule for the Echo Request, enter the IP address of the engineering station in
"Source IP address". This ensures that only ICMP frames (ping) from your engineering
station can pass through the firewall.
Communications problems if the value for system events is set too high
If the value for filtering the system events is set too high, you may not be able to achieve the
maximum performance for the communication. The high number of output error messages
can delay or prevent the processing of the communications connections.
In "Security > Log settings > Configure system events", set the "Level:" parameter to the
value "3 (Error)" to ensure the reliable establishment of the communications connections.
4.5 Time-of-day synchronization
General rules
The CP supports the following mode for time-of-day synchronization:
● NTP mode (NTP: Network Time Protocol)
Note
Recommendation for setting the time
Synchronization with an external clock at intervals of approximately 10 seconds is
recommended. This achieves as small a deviation as possible between the internal time
and the absolute time.
Note
Special feature of time-of-day synchronization using NTP
If the option "Accept time from non-synchronized NTP servers" is not selected, the
response is as follows:
If the CP receives a time of day frame from an unsynchronized NTP server with stratum
16, the time of day is not set according to the frame. In this case, none of the NTP
servers is displayed as "NTP master" in the diagnostics; but rather only as being
"reachable".
Security
In the extended NTP configuration, you can create and manage additional NTP servers.
Note
Ensuring a valid time of day
If you use security functions, a valid time of day is extremely important. If you do not obtain
the time-of-day from the station (CPU), we therefore recommend that you use the
NTP
For more detailed information on configuration, refer to the STEP 7 online help of the
"Time-of-day synchronization" parameter group.
4.6 Program blocks for OUC
Note that in STEP 7 you cannot use different versions of a program block in a station.
Supported program blocks for OUC
TSEND_C V3.1 / TRCV_C V3.1
TCON V4.0 / TDISCON V2.1
TUSEND V4.0 / TURCV V4.0
The instructions (program blocks) listed below are required for the following communication
services via Ethernet:
● ISO transport
● TCP
● ISO-on-TCP
● UDP (Multicast)
● E-mail
For this, create suitable program blocks. The program block can be found in STEP 7 in the
"Instructions > Communication > Open user communication" window.
You will find details on the program blocks in the information system of STEP 7.
The following instructions in the specified minimum version are available for programming
Open User Communication:
● Compact blocks for connection establishment/termination and for sending and receiving
data
● Sending and receiving data via TCP or ISO-on-TCP
● Sending e-mails
Note the description of TMAIL_C as of version V4.0 in the STEP 7 information system.
Connections are established using the program block TCON. Note that a separate program
block TCON must be called for each connection.
A separate connection must be established for each communications partner even if
identical blocks of data are being sent.
After a successful transfer of the data, a connection can be terminated. A connection is also
terminated by calling "TDISCON".
If an existing connection is aborted by the communications partner or due to disturbances on
the network, the connection must also be terminated by calling TDISCON. Make sure that
you take this into account in your programming.
Connection descriptions in system data types (SDTs)
For the connection description, the blocks listed above use the parameter CONNECT (or
MAIL_ADDR_PARAM with TMAIL_C). The connection description is stored in a data block
whose structure is specified by the system data type (SDT).
Creating an SDT for the data blocks
You create the SDT required for every connection description as a data block. You generate
the SDT type in STEP 7 by entering the name (e.g. "TCON_IP_V4") in the "Data type" box
manually in the declaration table of the block instead of selecting an entry from the "Data type"
drop-down list. The corresponding SDT is then created with its parameters.
4.7 Setting up FTP communication
Using the FTP_CMD instruction, you can establish FTP connections and transfer files from
and to an FTP server.
You can use the version V2.x of FTP_CMD in a station only in conjunction with a CPU V2.x
and a CP V2.x.
As soon as the station obtains a CPU V1.x or CP V1.x, you must use FTP_CMD in the older
version V1.x (e.g. V1.4). To do this, change the version of the "SIMATIC NET CP" library to
V3.4. You can then select an older version of the block.
The table below shows the compatibility.
Table 4-1 Compatibility of the block FTP_CMD with versions of the CPU and CP
FTP_CMD    CPU     CP 1543-1
V1.5       V1.x    Any
V1.5       Any     V1.x
V2.0       V2.x    V2.x
Data transfer is possible using FTP or FTPS (secure SSL connections).
Note
FTPS: Comparing certificates
FTPS requires a comparison of the certificates between FTP server and FTP client. If the
FTP server is configured outside the STEP 7 project of the FTP client, the certificate needs
to be imported from the FTP server. Import the certificate of the FTP server as a trusted
certificate in the certificate manager.
How it works
The FTP_CMD instruction references a job block (ARG) in which the FTP command is
specified. Depending on the type of FTP command (CMD), this job block uses different data
structures for parameter assignment. Suitable data types (UDTs) are available for these
various structures.
The following diagram shows the call structure:
Job blocks
The following data structures are used for the job blocks:
● Connection establishment
Various data structures are available for the connection establishment using the following
types of access:
– FTP_CONNECT_IPV4: Connection establishment with IP addresses according to IPv4
– FTP_CONNECT_IPV6: Connection establishment with IP addresses according to IPv6
– FTP_CONNECT_NAME: Connection establishment with server name (DNS)
● Data transfer
For the data transfer, two different data structures are available:
– FTP_FILENAME: Data structure for access to a complete file
– FTP_FILENAME_PART: Data structure for read access to a data area
Data transfer in the File_DB
The data transfer is achieved using data blocks containing a header for job data and the
area for the user data. The data block is specified in the job buffer.
Requirements in the CPU configuration
Use the following settings to allow FTP access:
● For all data blocks being used as file DBs, disable the "Optimized block access" attribute.
● Only when using a CPU V1.x and a CP V1.1.x:
Enable the "Access via PUT/GET communication" option in the configuration data of the
CPU under "Protection & Security" (PUT/GET must be released).
FTP access using the FTP_CMD instruction - parameters for command types NOOP and QUIT
Supply the FTP_CMD with a reference to a job block with the following command types as
well:
CMD = 0 (NOOP)
CMD = 5 (QUIT)
The content of the job block is not evaluated when these command types execute; the type
(UDT) of the specified job block is therefore unimportant.
Note
Response if the reference to the FTP job block is missing
If this reference is not supplied, the command is not executed. The instruction remains
blocked in an apparent execution status without any feedback to the user program on the
interface.
Evaluating the "LOCKED" and "NEW" status bits from the FTP_CMD program block
● In version 1.2 of the "FTP_CMD" program block, the status bits "LOCKED" and "NEW" of
the FILE_DB_HEADER are not evaluated.
With the functions of the FTP server or when using the same file DB, the possibility of
multiple simultaneous access to the same data area cannot be excluded. This can lead to
data inconsistency.
Note
Avoiding data inconsistency
Make sure that you do not access the same file DB more than once at the same time.
● As of version 1.5 of the "FTP_CMD" program block, the status bits "LOCKED" and "NEW"
of the FILE_DB_HEADER are set correctly. The two status bits are evaluated. Version 1.5
is available as of STEP 7 Professional V12 SP1.
4.7.2 Configuring the FTP server function
CP configuration
Configure the FTP server function of the CP in the following parameter group.
● With security functions disabled: "FTP server configuration"
● With security functions enabled: "Security > FTP server configuration"
Requirements in the CPU configuration and programming
Use the following settings to allow FTP access:
● In the CPU configuration in "Protection & Security > Connection mechanisms":
Disable the option "Access via PUT/GET communication...".
● As file DBs create data blocks of the type "Array of byte".
● For all data blocks being used as file DBs, disable the "Optimized block access" attribute.
S7-1500 CP as FTP server
The functionality described here allows you to transfer data in the form of files to or from an
S7-1500 station using FTP commands. At the same time, the conventional FTP commands
for reading, writing and managing files can also be used.
Access to the following data of the S7-1500 is possible:
● RAM of the CP
Name of the directory:
/ram
● Data blocks of the CPU
Name of the directory:
/cpu1 / DBx
"DBx" is the name of the relevant data block e.g. DB10.
● SIMATIC memory card of the CPU
The function is supported as of CP firmware V2.0 and CPU firmware V2.0.
Name of the directory:
/mmc_cpu1
Access to the following folders of the SIMATIC memory card is possible:
– /DATALOGS
Directory for log files
– /RECIPES
Directory for recipe files
Note
FTP access to the SIMATIC memory card of the CPU: CPU STOP possible
Note that the cards have a limited capacity. If the memory space of the SIMATIC memory
card is completely occupied due to storage of large amounts of data, the CPU changes to
STOP.
• Use a card with adequate storage capacity.
• Avoid writing large amounts of data often to the SIMATIC memory card using FTP.
To transfer data with FTP via data blocks, create the required DBs in the CPU. Due to their
special structure, these are known as file DBs.
When it receives an FTP command, the CP acting as FTP server queries its assignment
table to find out how the data blocks used for file transfer in the CPU will be mapped to files.
You make the data block assignment in the STEP 7 configuration of the CP (FTP
configuration).
Figure 4-1 S7 CPU with CP 1543-1 as FTP server for the S7 CPU data
The fields of the table in the data block assignment in STEP 7 have the following meaning
and syntax:
Keep to the notation (lower case for "cpu" and no leading spaces at the start of the row).
Otherwise, the files will not be recognized.
The following applies to the file name of a file DB:
● The file name begins with "cpuX" (where X=1 for S7-1500).
● Length: maximum 64 characters (including "cpuX")
FTPS access only with security functions enabled
FTPS access to the S7-1500 station as an FTP server is only possible if a user with suitable
rights has been created in the STEP 7 project. This means that the security functions must
be enabled on the CP. For this, security settings are available in the global user
administration.
4.8 IP access protection with programmed communications connections
Restrictions with programmed connections and configured security functions
In principle, it is possible to set up communications connections program-controlled using the
program block TCON and at the same time by configuring the firewall.
When configuring specified connections (active endpoints) in STEP 7, the IP addresses of
the partners are not entered automatically in the firewall configuration.
The configuration of IP access protection and the aspects of activated security are described
in the online help of STEP 7.
You will find detailed information on SNMP and the Siemens Automation MIB in the manual
"Diagnostics and Configuration with SNMP" that you will find on the Internet:
Link: (https://support.industry.siemens.com/cs/ww/en/ps/15392/man)
The CP supports the following SNMP versions:
● SNMPv1
● SNMPv3 (with activated Security functions)
Traps are not supported by the CP.
The CP supports the following MIBs:
●
The CP supports the following groups of MIB objects:
– System
– Interfaces
– IP
– ICMP
– TCP
– UDP
– SNMP
●
●
Note the rights for writing to the MIB objects, see the next section (SNMPv3).
5.3 Replacing a module without a programming device
The configuration data of the CP is stored on the CPU. This makes it possible to replace this
module with a module of the same type (identical article number) without a PG.
When setting the ISO protocol, remember that the MAC address set previously during
configuration is transferred by the CPU to the new CP module.
Module replacement: Special feature of IP address assignment from a DHCP server (IPv4)
During configuration of the CP you can specify the IP configuration in the properties dialog;
one option is to obtain the IP address from a DHCP server.
Note
Recommendation: Configuring a client ID
When replacing modules, remember that the factory
different from the previous module. When the factory
sent to the DHCP server, this will return either a different or no
Ideally, you should therefore configure IP as follows:
• Always configure a client ID and configure your DHCP server accordingly. This makes
sure that after replacing the module, you always obtain the same IP address from the
DHCP server.
If, in exceptional situations, you have configured a new MAC address instead of the MAC
address set in the factory, the configured MAC address will always be transferred to the
DHCP server. In this case, the new CP also has the same IP addre
module.
Note
Issued approvals on the type plate of the device
The specified approvals - with the exception of the certificates for shipbuilding - have only
been obtained when there is a corresponding mark on the product. You can check which of
the following approvals have been granted for your product by the markings on the type
plate. The approvals for shipbuilding are an exception to this.
Certificates for shipbuilding and national approvals
The device certificates for shipbuilding and special national approvals can be found in
Siemens Industry Online Support on the Internet:
Link: (https://support.industry.siemens.com/cs/ww/en/ps/15340/cert)
EC declaration of conformity
The product meets the requirements and safety objectives of the following EC directives and
it complies with the harmonized European standards (EN) for programmable logic controllers
which are published in the official documentation of the European Union.
● 2014/34/EU (ATEX explosion protection directive)
Directive of the European Parliament and the Council of 26 February 2014 on the
approximation of the laws of the member states concerning equipment and protective
systems intended for use in potentially explosive atmospheres, official journal of the EU
L96, 29/03/2014, pages 309-356
● 2014/30/EU (EMC)
EMC directive of the European Parliament and of the Council of February 26, 2014 on the
approximation of the laws of the member states relating to electromagnetic compatibility;
official journal of the EU L96, 29/03/2014, pages 79-106
● 2011/65/EU (RoHS)
Directive of the European Parliament and of the Council of 8 June 2011 on the restriction
of the use of certain hazardous substances in electrical and electronic equipment
The EC Declaration of Conformity is available for all responsible authorities at:
Siemens Aktiengesellschaft
Division Process Industries and Drives
Process Automation
You will find the EC Declaration of Conformity on the Internet at the following address:
Link: (https://support.industry.siemens.com/cs/ww/en/ps/15340/cert)
The current versions of the standards can be seen in the EC Declaration of Conformity and
in the certificates.
The product meets the requirements of explosion protection according to IECEx.
IECEx classification: Ex nA IIC T4 Gc
The product meets the requirements of the following standards:
● EN 60079-0
Hazardous areas - Part 0: Equipment - General requirements
● EN 60079-15
Explosive atmospheres - Part 15: Equipment protection by type of protection 'n'
You can see the current versions of the standards in the IECEx certificate that you will find
on the Internet at the following address:
Link: (https://support.industry.siemens.com/cs/ww/en/ps/15340/cert)
The conditions must be met for the safe deployment of the product according to the section
Notes on use in hazardous areas according to ATEX / IECEx (Page 26).
You should also note the information in the document "Use of subassemblies/modules in a
Zone 2 Hazardous Area" that you will find on the Internet at the following address:
Link: (https://support.industry.siemens.com/cs/ww/en/view/78381013)
The product meets the requirements of the EC directive 2014/34/EC "Equipment and
Protective Devices for Use in Potentially Explosive Atmospheres".
Applied standards:
● EN 60079-0
Hazardous areas - Part 0: Equipment - General requirements
● EN 60079-15
Explosive atmospheres - Part 15: Equipment protection by type of protection 'n'
The current versions of the standards can be seen in the EC Declaration of Conformity, see
above.
ATEX approval: II 3 G Ex nA IIC T4 Gc
Test number: DEKRA 12 ATEX 0240X
The conditions must be met for the safe deployment of the product according to the section
Notes on use in hazardous areas according to ATEX / IECEx (Page 26).
You should also note the information in the document "Use of subassemblies/modules in a
Zone 2 Hazardous Area" that you will find here:
● In the SIMATIC NET Manual Collection in
"All documents" > "Use of subassemblies/modules in a Zone 2 Hazardous Area"
● On the Internet at the following address:
Link: (https://support.industry.siemens.com/cs/ww/en/view/78381013)
Until 19.04.2016 the product meets the requirements of the EC Directive 2014/30/EU
"Electromagnetic Compatibility" (EMC directive).
Applied standards:
● EN 61000-6-4
Electromagnetic compatibility (EMC) - Part 6-4: Generic standards - Emission standard
for industrial environments
● EN 61000-6-2
Electromagnetic compatibility (EMC) - Part 6-2: Generic standards - Immunity for
industrial environments
The product meets the requirements of the EC directive 2011/65/EU on the restriction of the
use of certain hazardous substances in electrical and electronic equipment.
Applied standard:
● EN 50581:2012
Applied standards:
● Underwriters Laboratories, Inc.: UL 61010-1 (Safety Requirements for Electrical
Equipment for Measurement, Control, and Laboratory Use - Part 1: General
Requirements)
● IEC/UL 61010-2-201 (Safety requirements for electrical equipment for measurement,
control and laboratory use. Particular requirements for control equipment)
● Canadian Standards Association: CSA C22.2 No. 142 (Process Control Equipment)
Report / UL file: E 85972 (NRAG, NRAG7)
Underwriters Laboratories, Inc.: cULus IND. CONT. EQ. FOR HAZ. LOC.
This class A digital device meets the requirements of the Canadian standard ICES-003.
This class A digital device complies with the Canadian standard NMB-003.
This device is registered for electromagnetic compatibility for business use (class A).
Sellers and users should take note of this; the device is intended for use outside the home.
Note that in terms of the emission of interference, this device corresponds to limit class A.
This device can be used in all areas except for residential environments.
SIMATIC NET products are regularly submitted to the relevant authorities and approval
centers for approvals relating to specific markets and applications.
If you require a list of the current approvals for individual devices, consult your Siemens
contact or check the Internet pages of Siemens Industry Online Support: