Siemens SIMATIC NET CP 443-1 Advanced Manual

SIMATIC NET
S7-400 - Industrial Ethernet CP 443-1 Advanced (GX30)
Manual
Manual Part B
03/2019
C79000-G8976-C256-05

Preface
1 Properties and services
2 Performance data
3 Requirements for use
4 LEDs
5 Installation and commissioning
6 Configuration and operation
7 Diagnostics and upkeep
8 Technical specifications
9 Approvals
A Documentation references

Siemens AG Division Process Industries and Drives Postfach 48 48 90026 NÜRNBERG GERMANY
C79000-G8976-C256-05
Copyright © Siemens AG 2012 - 2019. All rights reserved

Legal information

Warning notice system
This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent damage to property. The notices referring to your personal safety are highlighted in the manual by a safety alert symbol, notices referring only to property damage have no safety alert symbol. These notices shown below are graded according to the degree of danger.
DANGER
indicates that death or severe personal injury will result if proper precautions are not taken.
WARNING
indicates that death or severe personal injury may result if proper precautions are not taken.
CAUTION
indicates that minor personal injury can result if proper precautions are not taken.
NOTICE
indicates that property damage can result if proper precautions are not taken.
If more than one degree of danger is present, the warning notice representing the highest degree of danger will be used. A notice warning of injury to persons with a safety alert symbol may also include a warning relating to property damage.

Qualified Personnel
The product/system described in this documentation may be operated only by personnel qualified for the specific task in accordance with the relevant documentation, in particular its warning notices and safety instructions. Qualified personnel are those who, based on their training and experience, are capable of identifying risks and avoiding potential hazards when working with these products/systems.

Proper use of Siemens products
Note the following:
WARNING
Siemens products may only be used for the applications described in the catalog and in the relevant technical documentation. If products and components from other manufacturers are used, these must be recommended or approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and maintenance are required to ensure that the products operate safely and without any problems. The permissible ambient conditions must be complied with. The information in the relevant documentation must be observed.

Trademarks
All names identified by ® are registered trademarks of Siemens AG. The remaining trademarks in this publication may be trademarks whose use by third parties for their own purposes could violate the rights of the owner.

Disclaimer of Liability
We have reviewed the contents of this publication to ensure consistency with the hardware and software described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the information in this publication is reviewed regularly and any necessary corrections are included in subsequent editions.

03/2019 Subject to change

Preface

Legend:
1 X = placeholder for hardware product version
2 CPLUG (at rear)
3 Firmware version
4 LEDs
5 Gigabit interface: 1 x 8-pin RJ-45 jack
Security function: The padlock symbol identifies the interface to the external, non-secure subnet.
6 PROFINET interface: 4 x 8-pin RJ-45 jack
Security function: Interface to the internal, protected subnet
7 Label with MAC addresses
Figure 1 CP 443-1 Advanced
CP 443-1 Advanced (GX30) Manual, 03/2019, C79000-G8976-C256-05
Validity and product names
This description contains information on the following product:
CP 443-1 Advanced
Article number 6GK7 443-1GX30-0XE0
CP 443-1 Advanced (conformal coating)
CP with coated printed circuit board
Article number 6GK7 443-1GX30-0XE1
Hardware product version 1
Firmware version V3.2
Communications processor for SIMATIC S7-400 / S7-400H

Product names
● CP
In this document, the term "CP" is also used instead of the full product name CP 443-1 Advanced.
● STEP 7
The name STEP 7 is used for the configuration tool instead of the names STEP 7 V5.5 and STEP 7 Professional.

New in this release
● New ATEX/IECEx approval
● Revision of the system environment
● Editorial revision

Note
Make sure that you read the information relating to compatibility of the CP and enhanced functions in the section Enhanced functions (Page 14).

Replaced manual issue
Edition 11/2015

Structure of the documentation
The documentation for this device consists of the following parts:
Manual Part A: Configuration manual "Configuring and Commissioning S7CPs for Industrial Ethernet", see /2/ (Page 118).
Manual Part B: Manual "CP 443-1 Advanced" (this manual)
SIMATIC NET Industrial Ethernet Security - Basics and Application, configuration manual, see /17/ (Page 121)
Program blocks for SIMATIC NET S7 CPs - programming manual, see /12/ (Page 120)
Contains the detailed description of the program blocks for the following services:
– Open communications services
– Access coordination with FETCH/WRITE
– Connection and system diagnostics
– FTP services
– Programmed connections and IP configuration
– PROFINET

Current version of the manual and Information on the Internet
You will find the current version of this document and further information (e.g. FAQs) on using the CP on the Internet at the following address:
Link: (https://support.industry.siemens.com/cs/ww/en/ps/15353)
Select the appropriate entry type in the filter settings.

CP documentation in the Manual Collection (article number A5E00069051)
The "SIMATIC NET Manual Collection" DVD contains the manuals of all SIMATIC NET products current at the time it was created. It is updated at regular intervals.

Version History / Current Downloads for the SIMATIC NET S7 CPs
The "Version History/Current Downloads for SIMATIC NET S7 CPs" document provides information on all CPs available up to now for SIMATIC S7 (Industrial Ethernet, PROFIBUS, IE/PB Link).
The current version of these documents can be found on the Internet at the following address:
Link: (https://support.industry.siemens.com/cs/ww/en/view/9836605)

Address label: Unique MAC address preset for the CP
The CP is supplied with a total of 6 default MAC addresses with the following assignment:
● Gigabit interface
● PROFINET interface
● 1 MAC address for each port of the PROFINET interface
The two MAC addresses of the PROFINET interface and the gigabit interface are printed on the housing. The MAC address of the PROFINET interface is printed on the housing.
If you configure a MAC address (ISO transport connections), we recommend that you use the MAC address of the relevant interface printed on the module for module configuration!
This ensures that you assign a unique MAC address in the subnet!
If you replace a module, the MAC address of the predecessor is adopted when you load the configuration data. Configured ISO transport connections remain operable.

License conditions
Note Open source software
The product contains open source software. Read the license conditions for open source software carefully before using the product.
You will find license conditions in the following document on the supplied data medium:
OSS_CP4431_99.pdf

Firmware
The firmware is signed and encrypted. This ensures that only firmware created by Siemens can be downloaded to the device.

Security information
Siemens provides products and solutions with industrial security functions that support the secure operation of plants, systems, machines and networks.
In order to protect plants, systems, machines and networks against cyber threats, it is necessary to implement – and continuously maintain – a holistic, state-of-the-art industrial security concept. Siemens’ products and solutions constitute one element of such a concept.
Customers are responsible for preventing unauthorized access to their plants, systems, machines and networks. Such systems, machines and components should only be connected to an enterprise network or the internet if and to the extent such a connection is necessary and only when appropriate security measures (e.g. firewalls and/or network segmentation) are in place.
For additional information on industrial security measures that may be implemented, please visit Link: (https://www.siemens.com/industrialsecurity)
Siemens’ products and solutions undergo continuous development to make them more secure. Siemens strongly recommends that product updates are applied as soon as they are available and that the latest product versions are used. Use of product versions that are no longer supported, and failure to apply the latest updates may increase customers’ exposure to cyber threats.
To stay informed about product updates, subscribe to the Siemens Industrial Security RSS Feed under Link: (https://www.siemens.com/industrialsecurity)

SIMATIC NET glossary
Explanations of many of the specialist terms used in this documentation can be found in the SIMATIC NET glossary.
You will find the SIMATIC NET glossary on the Internet at the following address:
Link: (https://support.industry.siemens.com/cs/ww/en/view/50305045)

Training, Service & Support
You will find information on training, service and support in the multilanguage document "DC_support_99.pdf" on the Internet pages of Siemens Industry Online Support:
Link: (https://support.industry.siemens.com/cs/ww/en/view/38652101)

Table of contents

Preface
1 Properties and services
1.1 Properties of the CP
1.2 Enhanced functions
1.3 Communication services
1.4 Further services and characteristics of the CP
2 Performance data
2.1 General characteristic data
2.2 Characteristics of S7 communication
2.3 SEND/RECEIVE interface
2.3.1 Characteristic data
2.3.2 Number of simultaneous SEND/RECEIVE calls
2.4 Characteristics of open TCP/IP communication
2.5 Characteristic data for PROFINET IO
2.6 Characteristic data for PROFINET CBA
2.6.1 Typical values and limit values
2.6.2 Cycle times
2.6.3 Reaction times
2.7 Characteristics of e-mail mode
2.8 Characteristic data for FTP / FTPS mode
2.9 Characteristic data of TCP connections for HTTP / HTTPS
2.10 Characteristic data for the use of Java applets
2.11 Memory organization in the CP 443-1 Advanced
2.12 Characteristic data of the integrated 4-port switch
3 Requirements for use
3.1 Configuration limits
3.2 System environment
3.3 Project engineering
3.4 SOFTNET Security Client for VPN tunnels with PCs
3.5 Programming
4 LEDs
5 Installation and commissioning
5.1 Important notes on using the device
5.1.1 Notices on use in hazardous areas
5.1.2 Notices on use in hazardous areas according to ATEX / IECEx
5.1.3 Notices on use in hazardous areas according to UL HazLoc
5.2 Installing and connecting up
5.3 Commissioning
5.4 CPLUG (configuration plug)
6 Configuration and operation
6.1 Security recommendations
6.2 Controlling the mode
6.3 Effects of protection levels
6.4 Configuration in STEP 7
6.5 Interface configuration
6.5.1 Network settings
6.5.1.1 IP address assignment and communications path
6.5.1.2 Fast Ethernet with the PROFINET and gigabit interface
6.5.1.3 Transmission speed of the gigabit interface
6.5.2 IP configuration and DHCP
6.5.2.1 S7 connections and DHCP
6.5.2.2 Address assignment via DHCP - gigabit interface
6.5.2.3 Restart after detection of a duplicate IP address in the network
6.5.3 Unused PROFINET interface without BUS2F indicator
6.5.4 Using the CP as an IP router
6.6 Port configuration with redundant partners
6.7 PROFINET IO mode
6.7.1 How PROFINET IO devices start up in a large configuration
6.7.2 Reduce the communication allocation reserved for PROFINET IO when operating alongside other services.
6.7.3 Prioritized startup in PROFINET IO
6.7.4 IRT communication: Types of synchronization
6.7.5 Operating PROFINET IO devices with a current firmware version
6.7.6 Shared device - using the router address
6.8 Media redundancy
6.9 Interface in the user program
6.9.1 Call interface for open communications services SEND/RECV
6.9.2 Programmed communication connections with IP_CONFIG
6.9.3 IP access protection with programmed communications connections
6.9.4 Programmed communications connections - assigning parameters to the ports
6.9.5 Open TCP/IP communication
6.9.6 Recommendation for use with a high communications load
6.10 Security
6.10.1 Using VPN - effects on communication
6.10.2 Reloading firewall rules
6.10.3 Activating IP access protection
6.10.4 Importing certificates for SMTP with STARTTLS or FTPS
6.10.5 Security and STEP 7 special diagnostics activated - configuration activities blocked
6.11 Time-of-day synchronization
6.12 SNMP
6.13 Ping: Permitted length of ICMP packets
6.14 Use in the H system
6.15 Using the CP for PROFINET CBA
6.15.1 CBA interface in the user program
6.15.2 Preparing for configuration with STEP 7
6.15.3 PROFINET CBA configuration with SIMATIC iMap
6.15.4 Using PROFINET CBA communication and standard communication at the same time
7 Diagnostics and upkeep
7.1 Online security diagnostics via port 443
7.2 Diagnostics options
7.3 The CP as Web server
7.4 Replacing older modules: Module replacement / upgrading
7.5 Replacing older modules: CPs with configurable data management
7.6 Replacing a module without a programming device
7.7 Loading new firmware
7.8 Memory reset / reset to factory defaults
8 Technical specifications
9 Approvals
A Documentation references
A.1 On configuring, commissioning and using the CP
A.1.1 /1/
A.1.2 /2/
A.1.3 /3/
A.1.4 /4/
A.1.5 /5/
A.1.6 /6/
A.2 On installing and commissioning the CP
A.2.1 /7/
A.3 For configuration with STEP 7 / NCM S7
A.3.1 /8/
A.3.2 /9/
A.3.3 /10/
A.3.4 /11/
A.4 On programming (blocks, OPC)
A.4.1 /12/
A.4.2 /13/
A.4.3 /14/
A.4.4 /15/
A.4.5 /16/
A.5 Industrial Ethernet security
A.5.1 /17/
A.5.2 /18/
A.6 For application and configuration of PROFINET IO
A.6.1 /19/
A.6.2 /20/
A.7 On project engineering of PROFINET CBA
A.7.1 /21/
A.7.2 /22/
A.7.3 /23/
A.7.4 /24/
A.8 On setting up and operating an Industrial Ethernet network
A.8.1 /25/
Index

1 Properties and services

1.1 Properties of the CP

Application
The CP is intended for use in an S7-400 or S7-400H (fault-tolerant) automation system. It allows the S7-400 / S7-400H to be connected to Industrial Ethernet.

Security Integrated
With a combination of different security measures such as firewall, NAT/NAPT routers and VPN (Virtual Private Network) over IPsec tunnels, the CP protects individual S7-400 stations or even entire automation cells from unauthorized access.

The CP has the following interfaces:
● PROFINET interface (Ethernet interface)
A 4-port switch with IRT capability and with autocrossing, autonegotiation and autosensing is integrated in the CP. The 4-port switch allows the integration of the CP in a bus or a ring with media redundancy.
Each port of the switch is designed for simple diagnostics and is equipped with a combined RXD/TXD / LINK dual LED. For special situations, each port can also be set to a fixed mode manually using STEP 7, for example 10 or 100 Mbps half duplex / full duplex.
● Gigabit interface with security access
The CP also has an Ethernet interface complying with the gigabit standard IEEE 802.3ab. This is independent of the PROFINET interface and supports autocrossing, autonegotiation and autosensing. The gigabit interface can, for example, be used to connect to a PG/PC or to a higher-level company network.
The gigabit interface allows a secure connection to external networks via a firewall and VPN. The CP provides the following protective function:
– Protection of the S7-400 station in which the CP is operated.
– Protection of the internal company networks connected to the PROFINET interface.
Each port can be disabled individually in the configuration.

Note
The following services or characteristics are only available on the PROFINET interface:
● PROFINET
● Programmed communications connections (program block IP_CONFIG).

1.2 Enhanced functions

Compatibility with predecessor modules
The CP 443-1 Advanced (6GK7 443-1GX30-0XE0) with firmware version V3.2 supports all functions of the following predecessor modules:
● 6GK7 443-1GX30-0XE0, Firmware version V3.0 / V3.1
● 6GK7 443-1GX20-0XE0, Firmware version V2.4 / V2.3 / V2.2 / V2.1 / V2.0 / V1.0
For information on replacing modules, read the section Replacing older modules: Module replacement / upgrading (Page 97)

Functional expansions of the current firmware version V3.2
● Expansion of the block "FTP_CMD" for FTP client operation with the addition of the function "Passive FTP" (client establishes connection) in STEP 7 V5.5. You will find the description in the manual /12/ (Page 120).
● Sending e-mails with STARTTLS, see Characteristics of e-mail mode (Page 35).
● Use of the CP as a purely diagnostics CP via the gigabit interface without networking the PROFINET interface, see Diagnostics options (Page 95).
● Configuration of passive TCP connections between a CP and a redundant partner with the identical number of the local port, see Port configuration with redundant partners (Page 73).
● Expansion of the protection concept of the CP when a protection level of the CPU is activated, see Effects of protection levels (Page 67).

Expanded functions of the older firmware versions V2.1 to V3.0
The following characteristics are new and can be used during configuration with STEP 7, see section Project engineering (Page 45):

Functions
● Security functionality
● Advanced Web diagnostics; among other things with the following additional options:
– Update center for firmware download, updating of the IP access control list and language settings
– Topology representation
– Diagnostics of S7 connections
– Status of the configured security functions
– Module identification
● PROFINET IO
– IRT with the option "high performance"
– Full PROFINET IO diagnostics on the gigabit interface
– Full PROFINET IO diagnostics on all interfaces also in the expansion rack
● Use in fault-tolerant systems (H systems) is also possible on the gigabit interface.

Expansions on the interface to the user program
● New program block AG_CNTEX for connection and system diagnostics with PING functionality
● Expanded program block FTP_CMD for FTP services allows the establishment of secure SSL connections.

Functional improvements
The overall communication speed of the CP during simultaneous operation of standard communications functions and PROFINET IO controller mode was further improved.

1.3 Communication services

The CP supports the following communication services:

● PROFINET IO controller
PROFINET IO allows direct access to PROFINET IO devices over Industrial Ethernet. PROFINET IO can only be used via the ports of the PROFINET interface.
– Prioritized startup
The CP supports prioritized startup. Per PROFINET IO controller, a maximum of 32 PROFINET IO devices can be configured that support prioritized startup. Of these 32 IO devices, simultaneous startup times with values as low as 0.5 s can be achieved by up to 8 IO devices.
– IRT communication (Isochronous Real Time) with IRT option "high performance"
IRT communication with the IRT option "high-performance" is possible with PROFINET IO. The IRT option "high-performance" optimizes data traffic as the result of topology planning.
Note: IRT with the option "high flexibility" is now only supported when a CP GX20 is replaced.
Note: IRT communication or MRP
If you are using IRT communication, no media redundancy is supported.
– Shared device
As a PROFINET IO controller, individual submodules of an IO device can be assigned to the CP. Read the information in /19/ (Page 122) regarding configuration of PROFINET IO systems and shared IO devices.

● PROFINET CBA
Use of a SIMATIC S7-400 for Component based Automation on the basis of the PROFINET standard of the PNO. This standard allows:
– Component technology in automation
– Communication between intelligent devices is configured graphically instead of requiring laborious programming
– Vendor-independent, plantwide engineering
Note: PROFINET CBA versus security function
If you use PROFINET CBA, you cannot enable the CP for the "Security" functionality.

● S7 communication with the following functions:
– PG functions
– Operator monitoring and control functions
– Data exchange over S7 connections

● Open communication services with the following functions:
– SEND/RECEIVE interface over ISO transport connections
– SEND/RECEIVE interface over TCP connections, ISO-on-TCP and UDP connections
With the SEND/RECEIVE interface via TCP connections, the CP supports the socket interface to TCP/IP available on practically every end system.
UDP frame buffering on the CP can be disabled during configuration. When necessary, this allows you to achieve a shorter reaction time between the arrival of a UDP frame and its evaluation on the CPU.
– Multicast over UDP connection
The multicast mode is made possible by selecting a suitable IP address when configuring connections.
– FETCH/WRITE services (server services; corresponding to S5 protocol) via ISO transport connections, ISO-on-TCP connections and TCP connections;
Here, the SIMATIC S7-400 with the CP is always the server (passive connection establishment) while the read or write access (client function with active connection establishment) is always initiated by a SIMATIC S5 or a device from another range / PC.
– LOCK/UNLOCK with FETCH/WRITE services (CPU-dependent; see section Requirements for use (Page 41))

● Open TCP/IP communication
Open TCP/IP communication provides a program interface for the transfer of connection-oriented and connectionless services. The establishment and termination of connections is initiated here only via the "dynamic" program interface.
STEP 7 provides a UDT for the connection description as well as four FBs for data exchange.
The CP supports communication via ISO-on-TCP connections for this interface.

● SIMATIC Safety - Fail-safe communication
The CP supports fail-safe communication via S7 connections. A fail-safe connection can run from the local CPU via the CP to the relevant communications partner, for example another F-CPU or a fail-safe distributed I/O system.
You do not need to configure any special safety relevant properties for the CP.

● IT functions
HTTP
– Web server: Monitoring devices and process data (HTML process control)
FTP
– FTP functions (File Transfer Protocol) for file management and access to data blocks in the CPU (client and server functions)
E-mail
– Sending e-mail via SMTP or ESMTP. The CP supports SMTP-Auth for authentication on an e-mail server and STARTTLS.
1.4 Further services and characteristics of the CP

● Security functions
Depending on the configuration, the security functions of the CP provide protected communication beyond network boundaries and within a network.
– Protection concept beyond network boundaries - separation of the internal from the external network
On its gigabit interface, the CP provides the option of secure access from an external network connected here to the internal network (PROFINET interface).
With a combination of different security measures such as firewall, NAT/NAPT routers and VPN (Virtual Private Network) over IPsec tunnels, the CP protects individual devices or even entire automation cells from unauthorized access.
The CP allows this protection flexibly, without repercussions, protocol-independent (as of Layer 2 according to IEEE 802.3).
The secure protocols HTTPS, FTPS, NTP (secure) and SNMPv3 can also be activated.
– Communication in the internal network (PROFINET interface)
If security is enabled, you now have the option of using the secure protocols HTTPS, FTPS, NTP (secure) and SNMPv3 within the internal network.
Note: The switch function of the PROFINET interface integrated in the CP forwards frames in the internal subnet regardless of the security setting of the CP.
– SMTPS with STARTTLS
Support of SSL/TLS encryption for the secure transfer of e-mails
You need to enable the security functions in the configuration.
Note: UDP multicast
UDP multicast via a VPN channel is not supported.

● Media redundancy
Within an Ethernet network with a ring topology, the CP supports the media redundancy protocol MRP. You can assign the role of redundancy manager to the CP.

● Time-of-day synchronization over Industrial Ethernet using the following configurable modes:
– SIMATIC mode
The CP receives MMS time-of-day messages and synchronizes its local time.
You can choose whether or not the time of day is forwarded. You can also decide on the direction in which it is forwarded.
Synchronization using the SIMATIC mode is only possible on the PROFINET interface.
or
– NTP mode (NTP: Network Time Protocol)
The CP sends time-of-day queries at regular intervals to an NTP server and synchronizes its local time of day.
The time can also be forwarded automatically to the CPU modules in the S7 station allowing the time to be synchronized in the entire S7 station.
If security is enabled, the CP supports the NTP (secure) protocol for secure time-of-day synchronization and transfer of the time of day.

● Addressable with the factory-set MAC address
To assign the IP address to a new CP (direct from the factory), it can be accessed using the preset MAC address on the interface being used. Online address assignment is made in STEP 7.

● SNMP agent
The CP supports data queries over SNMP in version V1 (Simple Network Management Protocol). It delivers the content of certain MIB objects according to the MIB II standard, LLDP MIB, Automation System MIB and MRP Monitoring MIB.
If security functions are enabled, the CP supports SNMPv3 for transfer of network analysis information protected from eavesdropping.

● Module access protection
To protect the module from accidental or unauthorized access, protection can be configured at various levels.
For more information, refer to the section Effects of protection levels (Page 67).

● IP access protection (IPACL)
Using IP access protection gives you the opportunity of restricting communication over the CP of the local S7 station to partners with specific IP addresses.

● IP configuration
For the PROFINET interface and the gigabit interface, you can configure how and with which method the CP is assigned the IP address, the subnet mask and the address of a gateway.
For the PROFINET interface, the IP configuration and the connection configuration can also be assigned to the CP by the user program (program block IP_CONFIG; see /12/ (Page 120)).
Note: Does not apply to S7 connections.

● Web diagnostics
With the aid of Web diagnostics, you can read out the diagnostics data from a station connected via the CP to a PG/PC with a Web browser. From the integrated Download Center, you can download firmware updates.
The Web pages contain the following information:
– Module and status information
– Information on security functions
– Special information on S7 connections

● Diagnostics buffer extract request
With the aid of a Web browser, the CP supports the option of obtaining an extract of the diagnostics buffer containing the most recent diagnostics events of the CPUs and CPs located in the same S7 station as the CP.

● Connection diagnostics with the AG_CNTEX program block
With the AG_CNTEX program block, you can diagnose connections.
– When necessary, you can activate or deactivate connections or initiate reestablishment of a connection.
– You can check the reachability of the connection partners using the PING function.
– You can find out which connection types are set up for the SEND / RECEIVE interface.

● S5/S7 addressing mode
The addressing mode can be configured for FETCH/WRITE access as the S7 or S5 addressing mode (S7 addressing mode only for data blocks / DBs).

● Detection of double IP addressing in the network
To save you time-consuming troubleshooting in the network, the CP detects double addressing in the network.
The reaction of the CP when double addressing is detected varies as follows:
Characteristics of the PROFINET interface
– CP during startup
The CP remains in STOP mode.
– CP in RUN mode
There is an LED indication (BUS2F LED) and an entry in the diagnostics buffer; the CP remains in RUN mode.
Characteristics of the gigabit interface
– CP during startup
The CP changes to RUN, the BUS1F LED is lit and the CP cannot be reached via the gigabit interface.
– CP in RUN mode
There is an LED indication (BUS1F LED) and an entry in the diagnostics buffer; the CP remains in RUN mode.

● Support in the fault-tolerant system (H system)
S7 communication is supported in the H system with the following protocols:
– ISO transport
– ISO-on-TCP (RFC1006)
2 Performance data

Note: Measured values of transfer or reaction times
Measured values of transmission and reaction times in Ethernet, PROFIBUS and PROFINET networks for a series of configurations can be found on the Internet at the following address:
Link: (https://support.industry.siemens.com/cs/ww/en/view/25209605)

Note: Configuration limits for security functions
Configuration limits for security are described in /17/ (Page 121).
You will find a complete overview of the permitted configuration limits on the Internet at the following address:
Link: (https://support.industry.siemens.com/cs/ww/en/view/58217657)

2.1 General characteristic data

Characteristic: Total number of connections on Industrial Ethernet
Explanation / values: 128
The value applies to the total number of connections of the following types:
● S7 connections
● SEND/RECEIVE connections
● CBA
● FTP (FTP client)
Note: FTP connections occupy 2 TCP connections.
Example
You can, for example, operate the following combination of connections:
● 62 S7 connections or 62 H connections
● 30 ISO-on-TCP connections
● 10 TCP connections
● 10 UDP connections
● 8 ISO transport connections
● 4 FTP connections (for FTP client mode)
See section Characteristic data for FTP / FTPS mode (Page 36).

2.2 Characteristics of S7 communication

S7 communication provides data transfer via the ISO Transport or ISO-on-TCP protocols.

Characteristic: Total number of S7 connections on Industrial Ethernet
Explanation / values: 128 max., of those max. 62 H connections

Characteristic: LAN interface - data field length generated by CP per protocol data unit
Explanation / values:
● sending: 480 bytes / PDU
● receiving: 480 bytes / PDU

Characteristic: Number of PG connections
Explanation / values: 2 max.

Characteristic: Number of OP connections
Explanation / values: 30 max.

Note: Effects of connections in the SPEED SEND/RECV mode
Note the effects of connections on the SEND/RECEIVE interface that are used in the SPEED SEND/RECEIVE mode.
The maximum configuration limits of S7 communication are reduced by each configured connection using the SPEED SEND/RECV mode.

2.3 SEND/RECEIVE interface

2.3.1 Characteristic data

The SEND/RECEIVE interface provides access to communication over TCP, ISO-on-TCP, ISO transport, e-mail, and UDP connections.
The following characteristics are important:

Characteristic: Number of SEND/RECEIVE connections
Explanation / values:
● TCP connections: 1...64 1) 2)
● ISO-on-TCP connections: 1...64
● ISO transport connections: 1...64
● Total number of UDP connections (specified and free) that can be configured: 1 to 64 (of those up to 48 in multicast mode)
● E-mail connection: 1
● Max. number of connections in total: (ISO transport and ISO-on-TCP + TCP + UDP + e-mail) <= 64
Refer to the example in section 5.1 (Page 23)
Notes:
1) Avoiding receive overload
The flow control on TCP connections cannot control permanent overload of the recipient. You should therefore make sure that the processing capabilities of a receiving CP are not permanently exceeded by the sender (approximately 150-200 messages per second).
2) TCP connections for FTP
Of the available TCP connections, a maximum of 20 TCP connections can be configured / used with the "Use FTP protocol" option (see section 5.7 (Page 36)).

Characteristic: Number of SEND/RECV connections in SPEED SEND/RECV mode
Explanation / values: The number depends on the CPU type being used.
● Per CPU 412/414 maximum 30
● Per CPU 416/417 maximum 62

Characteristic: Maximum data length for AG_SEND and AG_RECV program blocks
Explanation / values: AG_SEND and AG_RECV were shipped with predecessors of the CP and allow the transfer of user data with a length from 1 to 240 bytes. The version of the CP described here continues to support these blocks.

Characteristic: Maximum data length for AG_LSEND and AG_LRECV program blocks
Explanation / values: AG_LSEND and AG_LRECV allow the transfer of user data with the following lengths:
1. ISO-on-TCP, TCP, ISO transport: 1 to 8192 bytes
2. UDP: 1 to 2048 bytes
3. E-mail (job header + user data): 1 to 8192 bytes

Characteristic: Maximum data length for AG_SSEND and AG_SRECV program blocks
Explanation / values: AG_SSEND and AG_SRECV allow the transfer of user data with the following lengths:
1. ISO-on-TCP, TCP, ISO transport: 1 to 1452 bytes
2. UDP: 1 to 1452 bytes

Characteristic: LAN interface max. data field length generated by CP per protocol data unit
Explanation / values:
● sending
ISO transport, ISO-on-TCP, TCP:
– 400 bytes / TPDU with AG_SEND / AG_LSEND
– 1452 bytes / TPDU with AG_SSEND
● receiving
– ISO transport: 512 bytes / TPDU
– ISO-on-TCP: 1452 bytes / TPDU
– TCP: 1452 bytes / TPDU

Characteristic: Restrictions for UDP
Explanation / values:
● Transfer is not confirmed
The transmission of UDP frames is unconfirmed, in other words the loss of messages is not detected or displayed by the send blocks (AG_SEND or AG_LSEND).
● No receipt of UDP broadcast
To avoid overload due to high broadcast load, the CP does not allow reception of UDP broadcasts.
As an alternative, use the multicast function over a UDP connection. This allows you to register the CP as a node in a multicast group.
● UDP frame buffering
Length of the frame buffer with buffering enabled: 2 KB
Note: Following a buffer overflow, newly arriving frames are discarded.

2.3.2 Number of simultaneous SEND/RECEIVE calls

The number of SEND/RECEIVE calls that can be used at the same time is limited both by the CPU and by the CP.
If the maximum number of simultaneous SEND/RECEIVE calls is exceeded, the value 8302H (no receive resources) is indicated in the STATUS of the surplus SEND functions. This can, for example, happen when too many SEND/RECEIVE calls are sent at the same time in OB1.
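The connection limits stated in sections 2.1, 2.2 and 2.3.1 can be checked against a planned connection mix before the configuration is downloaded. The following Python sketch is an added example, not part of the Siemens manual or of STEP 7; the class, field and function names are hypothetical. It assumes only what the tables state, so how FTP connections count toward the section 2.3.1 limits is not modelled.

```python
from __future__ import annotations
from dataclasses import dataclass, fields

# Limits as stated in this manual (sections 2.1, 2.2 and 2.3.1).
TOTAL_LIMIT = 128          # 2.1: total connections on Industrial Ethernet
FTP_WEIGHT = 2             # 2.1: an FTP connection occupies 2 TCP connections
S7_LIMIT = 128             # 2.2: S7 connections
H_LIMIT = 62               # 2.2: of those, H connections
PER_TYPE_LIMIT = 64        # 2.3.1: TCP, ISO-on-TCP, ISO transport, UDP each 1...64
SEND_RECV_LIMIT = 64       # 2.3.1: ISO transport + ISO-on-TCP + TCP + UDP + e-mail
UDP_MULTICAST_LIMIT = 48   # 2.3.1: UDP connections in multicast mode
EMAIL_LIMIT = 1            # 2.3.1: e-mail connection


@dataclass
class ConnectionPlan:
    """Planned connection counts (hypothetical structure for this example)."""
    s7: int = 0             # all S7 connections, H connections included
    h: int = 0              # H connections, a subset of s7
    iso_transport: int = 0
    iso_on_tcp: int = 0
    tcp: int = 0
    udp: int = 0            # specified and free UDP connections
    udp_multicast: int = 0  # subset of udp
    email: int = 0
    cba: int = 0
    ftp_client: int = 0


def send_recv_total(p: ConnectionPlan) -> int:
    """Sum that section 2.3.1 limits to 64."""
    return p.iso_transport + p.iso_on_tcp + p.tcp + p.udp + p.email


def occupied_total(p: ConnectionPlan) -> int:
    """Sum that section 2.1 limits to 128; each FTP connection counts twice."""
    return p.s7 + send_recv_total(p) + p.cba + FTP_WEIGHT * p.ftp_client


def check_plan(p: ConnectionPlan) -> list[str]:
    """Return one message per violated limit; an empty list means the plan fits."""
    problems = []
    for f in fields(p):
        if getattr(p, f.name) < 0:
            problems.append(f"{f.name} must not be negative")
    if p.s7 > S7_LIMIT:
        problems.append(f"{p.s7} S7 connections exceed {S7_LIMIT}")
    if p.h > min(p.s7, H_LIMIT):
        problems.append(f"{p.h} H connections exceed min(s7, {H_LIMIT})")
    for name in ("iso_transport", "iso_on_tcp", "tcp", "udp"):
        if getattr(p, name) > PER_TYPE_LIMIT:
            problems.append(f"{name}: {getattr(p, name)} exceeds {PER_TYPE_LIMIT}")
    if p.udp_multicast > min(p.udp, UDP_MULTICAST_LIMIT):
        problems.append(f"{p.udp_multicast} multicast UDP connections exceed "
                        f"min(udp, {UDP_MULTICAST_LIMIT})")
    if p.email > EMAIL_LIMIT:
        problems.append(f"{p.email} e-mail connections exceed {EMAIL_LIMIT}")
    if send_recv_total(p) > SEND_RECV_LIMIT:
        problems.append(f"SEND/RECEIVE total {send_recv_total(p)} exceeds "
                        f"{SEND_RECV_LIMIT}")
    if occupied_total(p) > TOTAL_LIMIT:
        problems.append(f"total {occupied_total(p)} exceeds {TOTAL_LIMIT}")
    return problems


# The combination given as the example in section 2.1 of the manual.
MANUAL_EXAMPLE = ConnectionPlan(s7=62, iso_on_tcp=30, tcp=10, udp=10,
                                iso_transport=8, ftp_client=4)

if __name__ == "__main__":
    print(occupied_total(MANUAL_EXAMPLE), check_plan(MANUAL_EXAMPLE))
```

The manual's own example combination uses the budget of 128 exactly, so a fifth FTP client connection in that plan is already reported as a violation.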
Limitation by the CPU
In productive operation, the number of SEND/RECEIVE calls that can be used at one time depends on the CPU resources being used. Note the information on the available CPU resources in section System environment (Page 41). The following CPU resources are required:
● Per SEND job short (AG_SEND) or long (AG_LSEND): 1 send resource
● Per RECEIVE job short (AG_RECV): 1 receive resource
● Per RECEIVE job long (AG_LRECV): 1 send resource, 1 receive resource
● Per SPEED SEND/RECV job (AG_SSEND, AG_SRECV): 0 resources

Limitation by the CP
A maximum of 64 SEND/RECEIVE connections can be operated by the CP. At an assignment of 1 CP per CPU, the maximum number of SEND/RECEIVE calls that can be used at one time is limited as follows:
● SEND calls short (AG_SEND):
CPU 416/417: max. 64 calls per CPU
CPU 412/414: max. 24 calls per CPU
● SEND calls long (AG_LSEND):
CPU 416/417: max. 32 calls per CPU
CPU 412/414: max. 12 calls per CPU
● RECEIVE calls short (AG_RECV):
CPU 416/417: max. 64 calls per CPU
CPU 412/414: max. 24 calls per CPU
● RECEIVE calls long (AG_LRECV): variable
The number of AG_LRECV program blocks that can be used at the same time depends on the number of SEND calls active at the same time (see tables below).

Table 2-1 Dependency of the maximum number of RECEIVE calls long (AG_LRECV FC60) used at the same time on the number of SEND calls (CPU 412/414)

Number of simultaneous SEND calls    Max. number of simultaneous FC60s per CPU 412/414
0                                    19
1                                    18
2                                    17
3, 4                                 16
5                                    15
6                                    14
7                                    13
8, 9                                 12
10                                   11
11                                   10
12                                   9
Table 2-2 Dependency of the maximum number of RECEIVE calls long (AG_LRECV FC60) used at the same time on the number of SEND calls (CPU 416/417)

Number of simultaneous SEND calls    Max. number of simultaneous FC60s per CPU 416/417/41x-H
0                                    51
1                                    50
2                                    49
3, 4                                 48
5                                    47
6                                    46
7                                    45
8, 9                                 44
10                                   43
11                                   42
12                                   41
13, 14                               40
15                                   39
16                                   38
17                                   37
18, 19                               36
20                                   35
21                                   34
22                                   33
23, 24                               32
25                                   31
26                                   30
27                                   29
28, 29                               28
30                                   27
31                                   26
32                                   25

The maximum number of SPEED SEND/RECEIVE calls that can be used simultaneously (FC53, FC63) depends only on the CPU (see above).

2.4 Characteristics of open TCP/IP communication

Open TCP/IP communication provides a program interface for the transfer of connection-oriented and connectionless services. The establishment and termination of connections is initiated here only via the "dynamic" program interface.
The CP supports communication via ISO-on-TCP connections for this interface.

Table 2-3 Open TCP/IP communication

Characteristic: Number of dynamically generated connections over Industrial Ethernet
Explanation / values: ISO-on-TCP connections: 1...64

Characteristic: Max. data length
Explanation / values: 1452 bytes

2.5 Characteristic data for PROFINET IO

PROFINET IO communication of the CP is IRT-compliant. The CP supports the following maximum configuration as a PROFINET IO controller:

Characteristic: Number of CPs that can be operated as PROFINET IO controllers within an S7-400 station
Explanation / values: 4

Characteristic: Number of possible PROFINET IO devices *)
Explanation / values: 128 *), of which
● up to 64 in IRT mode
● up to 32 in "prioritized startup" mode

Characteristic: Size of the input area over all PROFINET IO devices
Explanation / values: 4 KB max.

Characteristic: Size of the output area over all PROFINET IO devices
Explanation / values: 4 KB max.

Characteristic: Size of the IO data area per submodule of a module in an IO device
Explanation / values:
● Inputs: 240 bytes
● Outputs: 240 bytes

Characteristic: Size of the consistency area for a submodule
Explanation / values: 240 bytes

*) The number of operable PROFINET IO devices can be reduced if the devices being used require extensive configuration data due to large numbers of submodules. In this case, the memory on the CP will not be adequate and you will receive a message in the diagnostics buffer about lack of resources when downloading the configuration data.

Note: Note the following for PROFINET IO:
If you use modules with ≥ 32 bytes of input/output data, this can lead to I/O access errors; access errors are entered in the diagnostics buffer of the CPU.
These I/O access errors occur during operation only in the "consistent user data" mode and with a low OB1 cycle time.

2.6 Characteristic data for PROFINET CBA

The CP supports PROFINET CBA interconnections between PROFINET CBA components.

Note: PROFINET CBA versus security function
If you use PROFINET CBA, you cannot enable the CP for the "Security" functionality.

2.6.1 Typical values and limit values

The "typical" values specified below are values that cause the SIMATIC iMap configuration tool to generate a warning if they are exceeded. The system may nevertheless be operable.
If one of the limit values specified for the interconnections is exceeded, they cannot be downloaded to the module. When the interconnections are downloaded, the SIMATIC iMap configuration tool generates an error message to this effect. If a limit value relating to the number or size of components is exceeded, the CPU will not change to RUN!

Columns: Characteristic; Typical value; Limit value (with FB88, with FB90). The values of each row are listed in this order, separated by " / ".

PROFINET CBA
Number of remote interconnection partners: 32 / 64
Total of all attachments: 600 / 600
Data length of all incoming attachments: 3200 bytes / 8192 bytes / 1452 bytes
Data length of all outgoing attachments: 3200 bytes / 8192 bytes / 1452 bytes
Data length for arrays and structures (acyclic interconnections), maximum: 2048 bytes / 8192 bytes *) / 1452 bytes
Data length for arrays and structures (cyclic interconnections), maximum: 250 bytes / 250 bytes / 250 bytes
Data length for arrays and structures (local interconnections), maximum: - / 2400 bytes / 1452 bytes

Remote interconnections with acyclic transmission
Scanning frequency: Scanning interval, min. Selectable values: 100, 200, 500 and 1000 ms: fast value: 20%, medium value: 40%, slow value: 40% / 100 ms minimum
Number of incoming interconnections: 64 / 150 maximum
Number of outgoing interconnections: 64 / 150 maximum
Data length of all incoming interconnections: 2048 bytes / 8192 bytes / 1452 bytes
Data length of all outgoing interconnections: 2048 bytes / 8192 bytes

Remote interconnections with cyclic transmission
Transmission frequency: Transmission interval, min. Selectable values: 8, 16, 32, 64, 128, 256 and 512 ms: fast value: 20%, medium value: 40%, slow value: 40% / 8 ms minimum
Number of incoming interconnections: 125 / 250
Number of outgoing interconnections: 125 / 250