Siemens SIMATIC NET SCALANCE S615 Configuration Manual

SCALANCE S615

___________________

SIMATIC NET

Industrial Ethernet Security SCALANCE S615 Web Based Management

Configuration Manual

05/2015

C79000

Preface

Description

Technical basics

Security recommendation

Configuring with Web Based Management

Service and maintenance

-G8976-C388-02

Siemens AG Division Process Industries and Drives Postfach 48 48 90026 NÜRNBERG GERMANY

C79000-G8976-C388-01

Ⓟ

Legal information

Warning notice system

DANGER

indicates that death or severe personal injury will result if proper precautions are not taken.

WARNING

indicates that death or severe personal injury may result if proper precautions are not taken.

CAUTION

indicates that minor personal injury can result if proper precautions are not taken.

NOTICE

indicates that property damage can result if proper precautions are not taken.

Qualified Personnel

personnel qualified

Proper use of Siemens products

WARNING

Siemens products may only be used for the applications described in the catalog and in the relevant technical

ambient conditions must be complied with. The information in the relevant documentation must be observed.

Trademarks

Disclaimer of Liability

This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent damage to property. The notices referring to your personal safety are highlighted in the manual by a safety alert symbol, notices referring only to property damage have no safety alert symbol. These notices shown below are graded according to the degree of danger.

If more than one degree of danger is present, the warning notice representing the highest degree of danger will be used. A notice warning of injury to persons with a safety alert symbol may also include a warning relating to property damage.

The product/system described in this documentation may be operated only by task in accordance with the relevant documentation, in particular its warning notices and safety instructions. Qualified personnel are those who, based on their training and experience, are capable of identifying risks and avoiding potential hazards when working with these products/systems.

Note the following:

documentation. If products and components from other manufacturers are used, these must be recommended or approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and maintenance are required to ensure that the products operate safely and without any problems. The permissible

All names identified by ® are registered trademarks of Siemens AG. The remaining trademarks in this publication may be trademarks whose use by third parties for their own purposes could violate the rights of the owner.

We have reviewed the contents of this publication to ensure consistency with the hardware and software described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the information in this publication is reviewed regularly and any necessary corrections are included in subsequent editions.

for the specific

05/2015 Subject to change

Preface

Validity of the manual

Purpose of the Configuration Manual

Orientation in the documentation

This Configuration Manual covers the following product:

● SCALANCE S615

This Configuration Manual applies to the following software version:

● SCALANCE S615 firmware as of Version V04.00

This Configuration Manual is intended to provide you with the information you require to install, commission and operate the device. It provides you with the information you require to configure the devices.

Apart from the Configuration Manual you are currently reading, the following documentation is also available from on the topic of Remote Network:

● Getting Started SCALANCE S615

Based on examples, this document explains the configuration of the SCALANCE S615.

● Operating Instructions SCALANCE S615

You will find this document on the Internet pages of Siemens Industry Online Support. It contains information on installation, connecting up and approvals of the SCALANCE S615.

● Operating Instructions SINEMA RC Server

You will find this document on the Internet pages of Siemens Industry Online Support. It contains information on the installation, configuration and operation of the application SINEMA Remote Connect Server.

SCALANCE S615 Web Based Management Configuration Manual, 05/2015, C79000-G8976-C388-02

Preface

SIMATIC NET manuals

SIMATIC NET glossary

Security information

You will find SIMATIC NET manuals on the Internet pages of Siemens Industry Online Support:

● Using the search function:

Link to Siemens Industry Online Support (http://support.automation.siemens.com/WW/view/en)

Enter the entry ID of the relevant manual as the search item.

● In the navigation panel on the left-hand side in the area "Industrial Communication":

Link to the area "Industrial Communication" (http://support.automation.siemens.com/WW/view/en/10805878/130000)

Go to the required product group and make the following settings: tab "Entry list", Entry type "Manuals"

You will find the documentation for the SIMATIC NET products relevant here on the data storage medium that ships with some products:

● Product CD / product DVD

● SIMATIC NET Manual Collection

Explanations of many of the specialist terms used in this documentation can be found in the SIMATIC NET glossary.

You will find the SIMATIC NET glossary here:

● SIMATIC NET Manual Collection or product DVD

The DVD ships with certain SIMATIC NET products.

● On the Internet under the following entry ID:

50305045 (http://support.automation.siemens.com/WW/view/en/50305045)

Siemens provides products and solutions with industrial security functions that support the secure operation of plants, solutions, machines, equipment and/or networks. They are important components in a holistic industrial security concept. With this in mind, Siemens’ products and solutions undergo continuous development. Siemens recommends strongly that you regularly check for product updates.

For the secure operation of Siemens products and solutions, it is necessary to take suitable preventive action (e.g. cell protection concept) and integrate each component into a holistic, state-of-the-art industrial security concept. Third-party products that may be in use should also be considered. For more information about industrial security, visit http://www.siemens.com/industrialsecurity.

To stay informed about product updates as they occur, sign up for a product-specific newsletter. For more information, visit http://support.automation.siemens.com.

SCALANCE S615 Web Based Management

4 Configuration Manual, 05/2015, C79000-G8976-C388-02

Preface

Firmware

License conditions

Note Open source software

Read the license conditions for open source software carefully before using the product.

The firmware is signed and encrypted. This ensures that only firmware created by Siemens can be downloaded to the device.

You will find license conditions in the following documents on the supplied data medium:

● DOC_OSS-SCALANCE-M_74.pdf

● DC_LicenseSummaryScalanceS615_76.htm

SCALANCE S615 Web Based Management Configuration Manual, 05/2015, C79000-G8976-C388-02

Preface

Trademarks

The following and possibly other names not identified by the registered trademark sign ® are registered trademarks of Siemens AG:

SCALANCE

SCALANCE S615 Web Based Management

6 Configuration Manual, 05/2015, C79000-G8976-C388-02

Preface ................................................................................................................................................... 3

1 Description ............................................................................................................................................ 11

2 Technical basics ................................................................................................................................... 19

3 Security recommendation ...................................................................................................................... 33

4 Configuring with Web Based Management ............................................................................................ 37

1.1 Function .................................................................................................................................. 11

1.2 Requirements for operation .................................................................................................... 13

1.3 Configuration examples .......................................................................................................... 14

1.3.1 TeleControl with SINEMA RC ................................................................................................. 14

1.3.2 Secure access with S615 ....................................................................................................... 16

1.4 Digital input / output ................................................................................................................ 17

2.1 IPv4 address, subnet mask and address of the gateway ....................................................... 19

2.2 VLAN ....................................................................................................................................... 21

2.2.1 VLAN ....................................................................................................................................... 21

2.2.2 VLAN tagging .......................................................................................................................... 22

2.3 NAT ......................................................................................................................................... 24

2.4 SNMP ...................................................................................................................................... 26

2.5 Security functions .................................................................................................................... 28

2.5.1 Firewall .................................................................................................................................... 28

2.5.2 IPsecVPN ................................................................................................................................ 29

2.5.3 Certificates .............................................................................................................................. 32

4.1 Web Based Management ....................................................................................................... 37

4.2 Starting and logging in ............................................................................................................ 39

4.3 "Information" menu ................................................................................................................. 42

4.3.1 Start page ............................................................................................................................... 42

4.3.2 Versions .................................................................................................................................. 47

4.3.3 ARP Table ............................................................................................................................... 48

4.3.4 Log tables ............................................................................................................................... 49

4.3.4.1 Event log ................................................................................................................................. 49

4.3.4.2 Security log ............................................................................................................................. 51

4.3.4.3 Firewall log .............................................................................................................................. 53

4.3.5 Faults ...................................................................................................................................... 55

4.3.6 DHCP Server .......................................................................................................................... 56

4.3.7 LLDP ....................................................................................................................................... 57

4.3.8 Routing table ........................................................................................................................... 58

4.3.9 IPsec VPN ............................................................................................................................... 59

4.3.10 SINEMA RC ............................................................................................................................ 60

4.4 "System" menu ....................................................................................................................... 62

SCALANCE S615 Web Based Management Configuration Manual, 05/2015, C79000-G8976-C388-02

Table of contents

4.4.1 Configuration .......................................................................................................................... 62

4.4.2 General .................................................................................................................................. 65

4.4.2.1 Device .................................................................................................................................... 65

4.4.2.2 Coordinates ............................................................................................................................ 67

4.4.3 Restart .................................................................................................................................... 68

4.4.4 Load and Save ....................................................................................................................... 70

4.4.4.1 HTTP ...................................................................................................................................... 70

4.4.4.2 TFTP ...................................................................................................................................... 73

4.4.4.3 Passwords .............................................................................................................................. 75

4.4.5 Events .................................................................................................................................... 76

4.4.5.1 Configuration .......................................................................................................................... 76

4.4.5.2 Severity filter .......................................................................................................................... 78

4.4.6 SMTP client ............................................................................................................................ 80

4.4.7 SNMP ..................................................................................................................................... 82

4.4.7.1 General .................................................................................................................................. 82

4.4.7.2 Traps ...................................................................................................................................... 83

4.4.7.3 Groups ................................................................................................................................... 85

4.4.7.4 Users ...................................................................................................................................... 87

4.4.8 System Time .......................................................................................................................... 89

4.4.8.1 Manual setting ........................................................................................................................ 89

4.4.8.2 SNTP client ............................................................................................................................ 91

4.4.8.3 NTP client ............................................................................................................................... 93

4.4.8.4 SIMATIC Time Client ............................................................................................................. 95

4.4.9 Auto logout ............................................................................................................................. 97

4.4.10 Syslog Client .......................................................................................................................... 98

4.4.11 Fault monitoring ..................................................................................................................... 99

4.4.12 PLUG ................................................................................................................................... 102

4.4.12.1 Configuration ........................................................................................................................ 102

4.4.12.2 License ................................................................................................................................. 105

4.4.13 Ping ...................................................................................................................................... 107

4.4.14 DNS ...................................................................................................................................... 108

4.4.14.1 DNS client ............................................................................................................................ 108

4.4.14.2 DNS proxy ............................................................................................................................ 109

4.4.14.3

DDNS client .......................................................................................................................... 110

4.4.15 DHCP ................................................................................................................................... 111

4.4.15.1 DHCP client .......................................................................................................................... 111

4.4.15.2 DHCP server ........................................................................................................................ 113

4.4.15.3 DHCP Options...................................................................................................................... 115

4.4.15.4 Static Leases ........................................................................................................................ 116

4.4.16 SRS ...................................................................................................................................... 118

4.4.17 Proxy server ......................................................................................................................... 119

4.4.18 SINEMA RC ......................................................................................................................... 121

4.5 "Interfaces" menu ................................................................................................................. 123

4.5.1 Ethernet ................................................................................................................................ 123

4.5.1.1 Overview .............................................................................................................................. 123

4.5.1.2 Configuration ........................................................................................................................ 124

4.6 "Layer 2" menu ..................................................................................................................... 127

4.6.1 Dynamic MAC Aging ............................................................................................................ 127

4.6.2 VLAN .................................................................................................................................... 128

4.6.2.1 General ................................................................................................................................ 128

4.6.2.2 Port Based VLAN ................................................................................................................. 130

SCALANCE S615 Web Based Management

8 Configuration Manual, 05/2015, C79000-G8976-C388-02

Table of contents

5 Service and maintenance .................................................................................................................... 169

Index................................................................................................................................................... 177

4.6.3 LLDP ..................................................................................................................................... 132

4.7 "Layer 3" menu ..................................................................................................................... 134

4.7.1 Routes ................................................................................................................................... 134

4.7.2 Subnets ................................................................................................................................. 135

4.7.2.1 Overview ............................................................................................................................... 135

4.7.2.2 Configuration ......................................................................................................................... 137

4.7.3 NAT ....................................................................................................................................... 138

4.7.3.1 Masquerading ....................................................................................................................... 138

4.7.3.2 NAPT..................................................................................................................................... 139

4.7.3.3 Source NAT .......................................................................................................................... 141

4.7.3.4 NETMAP ............................................................................................................................... 143

4.8 "Security" menu .................................................................................................................... 146

4.8.1 Password .............................................................................................................................. 146

4.8.2 Certificates ............................................................................................................................ 147

4.8.2.1 Overview ............................................................................................................................... 147

4.8.2.2 Certificates ............................................................................................................................ 149

4.8.3 Firewall .................................................................................................................................. 152

4.8.3.1 General ................................................................................................................................. 152

4.8.3.2 Predefined IPv4 .................................................................................................................... 153

4.8.3.3 IP Services ............................................................................................................................ 154

4.8.3.4 ICMP Services ...................................................................................................................... 156

4.8.3.5 IP Protocols ........................................................................................................................... 157

4.8.3.6 IP Rules ................................................................................................................................ 158

4.8.4 IPsec VPN ............................................................................................................................. 159

4.8.4.1 General ................................................................................................................................. 159

4.8.4.2 Remote End .......................................................................................................................... 160

4.8.4.3 Connections .......................................................................................................................... 162

4.8.4.4 Authentication ....................................................................................................................... 164

4.8.4.5 Phase 1 ................................................................................................................................. 165

4.8.4.6 Phase 2 ................................................................................................................................. 167

5.1 Firmware update using HTTP ............................................................................................... 169

5.1.1 Firmware update using HTTP ............................................................................................... 169

5.2 Firmware update - using TFTP ............................................................................................. 171

5.3 Firmware update using WBM not possible ........................................................................... 173

5.4 Firmware update using WBM not possible ........................................................................... 175

SCALANCE S615 Web Based Management Configuration Manual, 05/2015, C79000-G8976-C388-02

Table of contents

SCALANCE S615 Web Based Management

10 Configuration Manual, 05/2015, C79000-G8976-C388-02

1.1

Function

Configuration

Security functions

Configuration of all parameters using the

● Web Based Management (WBM) via HTTP and HTTPS.

● Command Line Interface (CLI) via Telnet and SSH.

● Router with NAT function

– IP masquerading

– NAPT

– SourceNAT

– NETMAP

● Password protection

● Firewall function

– Port forwarding

– IP firewall with stateful packet inspection (layer 3 and 4)

– Global and user-defined firewall rules

● VPN functions

To establish a VPN (Virtual Private Network), the following functions are available

– IPsecVPN for up to 20 connections

● SINEMA RC client

● Proxy server

SCALANCE S615 Web Based Management Configuration Manual, 05/2015, C79000-G8976-C388-02

Description

Monitoring / diagnostics / maintenance

Other functions

1.1 Function

● LEDs

Display of operating statuses via the LED display. You will find further information on this in the Operating Instructions of the device.

● Logging

For monitoring have the events logged.

● SNMP

For monitoring and controlling network components such as routers or switches from a central station.

● Time-of-day synchronization

– NTP

– SNTP

● DHCP

– DHCP server (local network)

– DHCP client

● Virtual networks (VLAN)

To structure Industrial Ethernet networks with a fast growing number of nodes, a physical network can be divided into several virtual subnets

● Digital input/digital output

● Dynamic DNS client

● DNS client

● SMTP client

SCALANCE S615 Web Based Management

12 Configuration Manual, 05/2015, C79000-G8976-C388-02

Description

1.2

Requirements for operation

Power supply

Configuration

Default values set in the factory

ration

Subnet mask

255.255.255.0

"Restore Factory Defaults and Restart"

1.2 Requirements for operation

A power supply with a voltage between 12 VDC and 24 VDC that can provide sufficient current.

You will find further information on this in the device-specific operating instructions.

In the factory settings, the SCALANCE S615 can be reached as follows for initial configuration:

Ethernet interface for the configu-

IP address 192.168.1.1

User name admin (cannot be changed) Password admin

P1 ... P4

The password needs to be changed after the first logon or after a

You will find more information in "Web Based Management (Page 37)" and in "Starting and logging in (Page 39)".

SCALANCE S615 Web Based Management Configuration Manual, 05/2015, C79000-G8976-C388-02

Description

1.3

Configuration examples

1.3.1

TeleControl with SINEMA RC

1.3 Configuration examples

In this configuration, the remote maintenance master station is a connected to the Internet/intranet via the SINEMA Remote Connect Server. The stations communicate via SCALANCE M874 or SCALANCE S615 that establish a VPN tunnel to the SINEMA RC server. In the master station, the SINEMA RC client establishes a VPN tunnel to the SINEMA RC server.

The devices must log on to the SINEMA RC server. The VPN tunnel between the device and the SINEMA RC server is established only after successful authentication. Depending on the configured communications relations and the security settings, the SINEMA RC server connects the individual VPN tunnels.

SCALANCE S615 Web Based Management

14 Configuration Manual, 05/2015, C79000-G8976-C388-02

Description

Procedure

1.3 Configuration examples

To be able to access a plant via a remote maintenance master station, follow the steps below:

1. Establish the Ethernet connection between the S615 and the connected Admin PC.

2. Create the devices and node groups on the SINEMA RC Server.

3. Configure the connection to the SINEMA RC server on the device, refer to the section SINEMA RC (Page 121).

4. Set up the connected applications of the plant for data communication.

SCALANCE S615 Web Based Management Configuration Manual, 05/2015, C79000-G8976-C388-02

Description

1.3.2

Secure access with S615

Secure remote access and network segmentation with SCALANCE S615

1.3 Configuration examples

A secure connection for data exchange between an automation plant and remote stations will be established via the Internet and mobile wireless network. At the same time, a secure connection will be established when necessary for service purposes. This connection is, however, restricted to a specific plant section or a specific machine.

In the automation plant, a SCALANCE S615 is connected to the Internet via the ADSL+ router M812-1. The remote stations will be connected to the Internet via the LTE-CP 1243-7 or the HSPA+ router SCALANCE M874-3. SCALANCE S615 via which data can be exchanged securely.

When necessary, the service technician connects to the Internet. With the SOFTNET Security Client, he or she establishes a secure VPN connection to the S615. Various IP subnets are connected to the S615 between which the integrated firewall checks communication. This allows the communication of the service technician to be restricted to a specific IP subnet.

The devices establish a VPN connection to the

SCALANCE S615 Web Based Management

16 Configuration Manual, 05/2015, C79000-G8976-C388-02

Description

1.4

Digital input / output

Introduction

Application example

Control of the digital output

Note

You can control the digital output directly via CLI or SNMP. In WBM and CLI, you can configure the use of the digital output in "Events". Do not control the digital output direc when you use this in the WBM and CLI.

Note

If the digital input changes the status, an entry is made in the event protocol table.

1.4 Digital input / output

The devices have a digital input/output.

The connection is made using two 2-pin terminal blocks. You will find information about the pin assignment in the operating instructions of the devices.

● Digital input e.g. for establishing a VPN connection

● Digital output e.g. to signal existing VPN connections.

Using CLI and using the private MIB variable snMspsDigitalOutputLevel, you can control the digital output (DO/1L).

tly

● OID of the private MIB variable snMspsDigitalOutputLevel:

iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).siemens(4329).industria

lComProducts(20).iComPlatforms(1).simaticNet(1).snMsps(1).snMspsCommon(1).snMspsDi

gitalIO(39).snMspsDigitalIOObjects(1).snMspsDigitalOutputTable(3).snMspsDigitalOut

putEntry(1).snMspsDigitalOutputLevel(6)

● values of the MIB variable

– 1: Digital output is open (DO and 1L are interrupted).

– 2: Digital output is closed (DO and 1L are jumpered).

SCALANCE S615 Web Based Management Configuration Manual, 05/2015, C79000-G8976-C388-02

Description

Digital input

Note

If the digital output changes status, an entry is made in the event protocol table.

MIB file

1.4 Digital input / output

Using the private MIB variable snMspsDigitalInputLevel, you can read out the status of the digital input.

● OID of the private MIB variable snMspsDigitalInputLevel:

iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).siemens(4329).industria

lComProducts(20).iComPlatforms(1).simaticNet(1).snMsps(1).snMspsCommon(1).snMspsDi

gitalIO(39).snMspsDigitalIOObjects(1).snMspsDigitalInputTable(2).snMspsDigitalInpu

tEntry(1).snMspsDigitalInputLevel(6)

● values of the MIB variable

– 1: Signal 0 at the digital input (DI)

– 2: Signal 1 at the digital input (DI)

The MIB variables can be found in the file "SN-MSPS-DIGITAL-IO-MIB" that is part of the private MIB file "scalance_m_msps.mib".

SCALANCE S615 Web Based Management

18 Configuration Manual, 05/2015, C79000-G8976-C388-02

2.1

IPv4 address, subnet mask and address of the gateway

Range of values for IPv4 address

IPv4 address format - notation

Range of values for subnet mask

The IPv4 address consists of four decimal numbers with the range from 0 to 255, each number separated by a period; example: 141.80.0.16

An IPv4 address consists of 4 bytes. Each byte is represented in decimal, with a dot separating it from the previous one.

XXX.XXX.XXX.XXX

XXX stands for a number between 0 and 255

The IPv4 address consists of two parts:

● The address of the (sub) network

● The address of the node (generally also called end node, host or network node)

The subnet mask consists of four decimal numbers with the range from 0 to 255, each number separated by a period; example: 255.255.0.0

The binary representation of the 4 subnet mask decimal numbers must contain a series of consecutive 1s from the left and a series of consecutive 0s from the right.

The 1s specify the network number within the IPv4 address. The 0s specify the host address within the IPv4 address.

Example:

Correct values:

255.255.0.0 D = 1111 1111.1111 1111.0000 0000.0000 0000 B

255.255.128.0 D = 1111 1111.1111 1111.1000 0000.0000 0000 B

255.254.0.0 D = 1111 1111.1111 1110.0000 0000.0000.0000 B

Incorrect value:

255.255.1.0 D = 1111 1111.1111 1111.0000 0001.0000 0000 B

SCALANCE S615 Web Based Management Configuration Manual, 05/2015, C79000-G8976-C388-02

Technical basics

Relationship between the IPv4 address and subnet mask

First decimal number of the IPv4 address

Subnet mask

0 to 127

255.x.x.x

192 to 223

255.255.255.x

Classless Inter-Domain Routing (CIDR)

Example:

Value range for gateway address

Relationship between IPv4 address and gateway address

2.1 IPv4 address, subnet mask and address of the gateway

The first decimal number of the IPv4 address (from the left) determines the structure of the subnet mask with regard to the number of "1" values (binary) as follows (where "x" is the host address):

128 to 191 255.255.x.x

CIDR is a method that groups several IPv4 addresses into an address range by representing an IPv4 address combined with its subnet mask. To do this, a suffix is appended to the IPv4 address that specifies the number of bits of the network mask set to 1. Using the CIDR notation, routing tables can be reduced in size and the available address ranges put to better use.

IPv4 address 192.168.0.0 with subnet mask 255.255.255.0

The network part of the address covers 3 x 8 bits in binary representation; in other words 24 bits.

This results in the CIDR notation 192.168.0.0/24. The host part covers 1 x 8 bits in binary notation. This results in an address range of 2 to the power 8, in other words 256 possible addresses.

The address consists of four decimal numbers taken from the range 0 to 255, each number being separated by a period; example: 141.80.0.1

The only positions of the IPv4 address and gateway address that may differ are those in which "0" appears in the subnet mask.

Example:

You have entered the following: 255.255.255.0 for the subnet mask; 141.30.0.5 for the IPv4 address and 141.30.128.0 for the gateway address. Only the fourth decimal number of the IPv4 address and gateway address may be different. In the example, however, the 3rd position is different.

You must, therefore, change one of the following in the example:

The subnet mask to: 255.255.0.0 or

the IPv4 address to: 141.30.128.1 or

the gateway address to: 141.30.0.1

SCALANCE S615 Web Based Management

20 Configuration Manual, 05/2015, C79000-G8976-C388-02

Technical basics

2.2

VLAN

2.2.1

VLAN

Network definition regardless of the spatial location of the nodes

Options for the VLAN assignment

VLAN assignment on the device

device

the device

2.2 VLAN

VLAN (Virtual Local Area Network) divides a physical network into several logical networks that are shielded from each other. Here, devices are grouped together to form logical groups. Only nodes of the same VLAN can address each other. Since multicast and broadcast frames are only forwarded within the particular VLAN, they are also known as broadcast domains.

The particular advantage of VLANs is the reduced network load for the nodes and network segments of other VLANs.

To identify which packet belongs to which VLAN, the frame is expanded by 4 bytes, refer to VLAN tagging (Page 22). This expansion includes not only the VLAN ID but also priority information.

There are various options for the assignment to VLANs:

● Port-based VLAN

Each port of a device is assigned a VLAN ID. You configure port-based VLAN in "Layer 2 > VLAN > Port-based VLAN (Page 130)".

● Protocol-based VLAN Each port of a device is assigned a protocol group.

● Subnet-based VLAN The IP address of the device is assigned a VLAN ID.

In the factory settings, the following assignments are made on the SCALANCE S615:

P1 to P4 vlan1

P5 vlan2

You can change the assignment in "Layer 2 > VLAN > General (Page 128)".

For access from the local network (LAN) to the

For access from the external network (WAN) to

The VLANs are in different IP subnets. To allow these to communicate with each other, the route and firewall rule must be configured on the device.

SCALANCE S615 Web Based Management Configuration Manual, 05/2015, C79000-G8976-C388-02

Technical basics

2.2.2

VLAN tagging

Expansion of the Ethernet frames by four bytes

Note

The VLAN With the IE switches, the standard frame size is at least 1536 bytes. The end nodes on the networks must be checked to find out whether they can process this length / this fram sent to these nodes.

Tag protocol identifier (TPID)

2.2 VLAN

For CoS (Class of Service, frame priority) and VLAN (virtual network), the IEEE 802.1 Q standard defined the expansion of Ethernet frames by adding the VLAN tag.

tag increases the permitted total length of the frame from 1518 to 1522 bytes.

e type. If this is not the case, only frames of the standard length may be

The additional 4 bytes are located in the header of the Ethernet frame between the source address and the Ethernet type / length field:

Figure 2-1 Structure of the expanded Ethernet frame

The additional bytes contain the tag protocol identifier (TPID) and the tag control information (TCI).

The first 2 bytes form the Tag Protocol Identifier (TPID) and always have the value 0x8100. This value specifies that the data packet contains VLAN information or priority information.

SCALANCE S615 Web Based Management

22 Configuration Manual, 05/2015, C79000-G8976-C388-02

Technical basics

Tag Control Information (TCI)

CoS prioritization

CoS bits

Type of data

000

Non time-critical data traffic (less then best effort [basic setting])

010

Reserved (standard)

100

Data transfer with max. 100 ms delay

101

Guaranteed service, interactive multimedia

110

Guaranteed service, interactive voice transmission

111

Reserved

Canonical Format Identifier (CFI)

Value

Meaning

address, the least significant bit is transferred first. Standard-setting for Ethernet switches.

The format of the MAC address is not canonical.

VLAN ID

Meaning

VLAN identifier.

ty information.

4095

Reserved

2.2 VLAN

The 2 bytes of the Tag Control Information (TCI) contain the following information:

The tagged frame has 3 bits for the priority that is also known as Class of Service (CoS). The priority according to IEEE 802.1p is as follows:

001 Normal data traffic (best effort [background])

011 Reserved ( excellent effort )

The prioritization of the data packets is possible only if there is a queue in the components in which they can buffer data packets with lower priority.

The device has multiple parallel queues in which the frames with different priorities can be processed. First, the frames with the highest priority ("Strict Priority" method) are processed. This method ensures that the frames with the highest priority are sent even if there is heavy data traffic.

The CFI is required for compatibility between Ethernet and the token Ring. The values have the following meaning:

0 The format of the MAC address is canonical. In the canonical representation of the MAC

In the 12-bit data field, up to 4096 VLAN IDs can be formed. The following conventions apply:

0 The frame contains only priority information (priority tagged frames) and no valid

1 - 4094 Valid VLAN identifier, the frame is assigned to a VLAN and can also include priori-

SCALANCE S615 Web Based Management Configuration Manual, 05/2015, C79000-G8976-C388-02

Technical basics

2.3

NAT

IP masquerading

NAPT

from

Response

port

translation.

a single port

The frames are translated to the port.

a port range

a single port

The frames from the port range are translated to the same port (n:1).

port range

port translation.

With individual connection, they are normally translated to the first port

used to translate to a free port in the target range.

robin method is used to translate to a free port in the target range.

2.3 NAT

NAT (Network Address Translation) is a method of translating IP addresses in data packets. With this, two different networks (internal and external) can be connected together.

A distinction is made between source NAT in which the source IP address is translated and destination NAT in which the destination IP address is translated.

IP masquerading is a simplified source NAT. With each outgoing data packet sent via this interface, the source IP address is replaced by the IP address of the interface. The adapted data packet is sent to the destination IP address. For the destination host it appears as if the queries always came from the same sender. The internal nodes cannot be reached directly from the external network. By using NAPT, the services of the internal nodes can be made reachable via the external IP address of the device.

IP masquerading can be used if the internal IP addresses cannot or should not be forwarded externally, for example because the internal network structure should remain hidden.

You configure masquerading in "Layer 3" > "NAT" > "IP Masquerading (Page 138)".

NAPT (Network Address and Port Translation) is a form of destination NAT and is often called port forwarding. This allows the services of the internal nodes to be reached from external that are hidden by IP masquerading or source NAT.

Incoming data packets are translated that come from the external network and are intended for an external IP address of the device (destination IP address). The destination IP address is replaced by the IP address of the internal node. In addition to address translation, port translation is also possible.

The options are available for port translation:

a single port the same

a port range the same

a port range another port

range

If the ports are the same, the frames will be forwarded without port

If the port ranges are the same, the frames will be forwarded without

The frames are translated to any free port from the target range.

in the target range. If there are connections at the same time, the round robin method is

a single port a port range The frames are translated to any free port from the target range. With

individual connection, they are normally translated to the first port in the target range. If there are connections at the same time, the round

SCALANCE S615 Web Based Management

24 Configuration Manual, 05/2015, C79000-G8976-C388-02

Technical basics

Source NAT

NETMAP

2.4 SNMP

With the aid of the Simple Network Management Protocol (SNMP), you monitor and control network components from a central station, for example routers or switches. SNMP controls the communication between the monitored devices and the monitoring station.

Tasks of SNMP:

● Monitoring of network components

● Remote control and remote parameter assignment of network components

● Error detection and error notification

In versions v1 and v2c, SNMP has no security mechanisms. Each user in the network can access data and also change parameter assignments using suitable software.

For the simple control of access rights without security aspects, community strings are used.

The community string is transferred along with the query. If the community string is correct, the SNMP agent responds and sends the requested data. If the community string is not correct, the SNMP agent discards the query. Define different community strings for read and write permissions. The community strings are transferred in plain text.

Standard values of the community strings:

● public has only read permissions

● private has read and write permissions

Further simple protection mechanisms at the device level:

● Allowed Host The IP addresses of the monitoring systems are known to the monitored system.

● Read Only If you assign "Read Only" to a monitored device, monitoring stations can only read out data but cannot modify it.

SNMP data packets are not encrypted and can easily be read by others.

The central station is also known as the management station. An SNMP agent is installed on the devices to be monitored with which the management station exchanges data.

SCALANCE S615 Web Based Management

26 Configuration Manual, 05/2015, C79000-G8976-C388-02

Technical basics

SNMPv3

2.4 SNMP

The management station sends data packets of the following type:

● GET

Request for a data record from the agent

● GETNEXT

Calls up the next data record.

● GETBULK (available as of SNMPv2)

Requests multiple data records at one time, for example several rows of a table.

● SET

Contains parameter assignment data for the relevant device.

The SNMP agent sends data packets of the following type:

● RESPONSE

The agent returns the data requested by the manager.

● TRAP

If a certain event occurs, the SNMP agent itself sends traps.

SNMPv1/v2/v3 use UDP (User Datagram Protocol) and use the UDP ports 161 and 162. The data is described in a Management Information Base (MIB).

Compared with the previous versions SNMPv1 and SNMPv2. SNMPv3 introduces an extensive security concept.

SNMPv3 supports:

● Fully encrypted user authentication

● Encryption of the entire data traffic

● Access control of the MIB objects at the user/group level

SCALANCE S615 Web Based Management Configuration Manual, 05/2015, C79000-G8976-C388-02

Technical basics

2.5

Security functions

2.5.1

Firewall

Stateful inspection firewall

2.5 Security functions

The security functions of the device include a stateful inspection firewall. This is a method of packet filtering or packet checking. The IP packets are checked based on firewall rules in which the following is specified:

● The permitted protocols

● IP addresses and ports of the permitted sources

● IP addresses and ports of the permitted destinations

If an IP packet fits the specified parameters, it is allowed to pass through the firewall. The rules also specify what is done with IP packets that are not allowed to pass through the firewall.

Simple packet filter techniques require two firewall rules per connection.

● One rule for the query direction from the source to the destination.

● A second rule for the response direction from the destination to the source

With a stateful inspection firewall, on the other hand, you only need to specify one firewall rule for the query direction from the source to the destination. The second rule is added implicitly. The packet filter recognizes when, for example, computer "A" is communicating with computer "B" and only then does it allow replies. A query by computer "B" is therefore not possible without a prior request by computer "A".

You configure the firewall in "Security > Firewall (Page 152)".

SCALANCE S615 Web Based Management

28 Configuration Manual, 05/2015, C79000-G8976-C388-02

Technical basics

2.5.2

IPsecVPN

Roadwarrior mode

Standard mode

The IPsec method

ESP

2.5 Security functions

The device is capable of establishing up to 20 IPsecVPN connections to a remote network.

You configure the IPsec connections in "Security" > " IPsec VPN (Page 159)".

With IPsecVPN, the frames are transferred in tunnel mode. To allow the device to establish a VPN tunnel, the remote network must have a VPN gateway as the partner.

For the VPN connections, the device distinguishes two modes:

●

In this mode, the device can only operate as a VPN server. The device can only wait for VPN connections but cannot establish a VPN tunnel as the active partner. The address of the partner does not need to be known in this mode. This means that it is also possible to use a dynamic IP address.

●

In standard mode, the address of the VPN gateway of the partner must be known so that the VPN connection can be established. The device can either establish the connection actively as a VPN client or wait passively for connection establishment by the partner.

The device uses the IPsec method in the tunnel mode for the VPN tunnel. Here, the frames to be transferred are completely encrypted and provided with a new header before they are sent to the VPN gateway of the partner. The frames received by the partner are decrypted and forwarded to the recipient.

To provide security, the IPsec protocol suite uses various protocols:

● The IP Authentication Header (

source.

● The Encapsulation Security Payload (

) handles the authentication and identification of the

) encrypts the data.

SCALANCE S615 Web Based Management Configuration Manual, 05/2015, C79000-G8976-C388-02

Technical basics

IKE

Authentication method

Local ID and remote ID

2.5 Security functions

● The Security Association (SA) contains the specifications negotiated between the partner, e.g. about the lifetime of the key, the encryption algorithm, the period for new authentication etc.

● Internet Key Exchange ( two phases:

– Phase 1

In this phase, no security services such as encryption, authentication and integrity checks are available yet since the required keys and the IPsec SA still need to be created. Phase 1 serves to establish a secure VPN tunnel for phase 2. To achieve this, the communications partners negotiate an ISAKMP Security Association (ISAKMP SA) that defines the required security services (algorithms, authentication methods used). The subsequent messages and phase 2 are therefore secure.

– Phase 2

Phase 2 serves to negotiate the required IPsec SA. Similar to phase 1, exchanging offers achieves agreement about the authentication methods, the algorithms and the encryption method to protect the IP packets with IPsec AH and IPsec ESP.

The exchange of messages is protected by the ISAKMP SA negotiated in phase 1. Due to the ISAKMP SA negotiated in phase 1, the identity of the nodes is known and the method for the integrity check already exists.

) is a key exchange method. The key exchange takes place in

● CA certificate, device and partner certificate (digital signatures)

The use of certificates is an asymmetrical cryptographic system in which every node (device) has a pair of keys. Each node has a secret, private key and a public key of the partner. The private key allows the device to authenticate itself and to generate digital signatures.

● Pre-shared key

The use of a pre-shared key is a symmetrical cryptographic system. Each node has only one secret key for decryption and encryption of data packets. The authentication is via a common password.

The local ID and the remote ID are used by IPsec to uniquely identify the partners (VPN end point) during establishment of a VPN connection.

SCALANCE S615 Web Based Management

30 Configuration Manual, 05/2015, C79000-G8976-C388-02

+ 150 hidden pages

Siemens SIMATIC NET SCALANCE S615 Configuration Manual

Specifications and Main Features

Frequently Asked Questions

User Manual

SCALANCE S615

Legal information

Preface

Table of contents

Function

1.2 Requirements for operation

TeleControl with SINEMA RC

1.3 Configuration examples

Secure access with S615

1.4 Digital input / output

IPv4 address, subnet mask and address of the gateway

VLAN

2.2 VLAN

VLAN tagging

2.3 NAT

2.4 SNMP

Firewall

2.5 Security functions

IPsecVPN