PH Scalance-m8x-Wbm 76 Ojo
PH Scalance-m8x-Wbm 76 Ojo
PH Scalance-m8x-Wbm 76 Ojo
Security recommendation 2
Description 3
SIMATIC NET
Technical basics 4
Industrial Remote
Communication Remote Networks Configuring with Web
5
Based Management
SCALANCE M-800 Web Based
Management V7.2
Upkeep and maintenance 6
Configuration Manual
Appendix A "SMS
command" A
Appendix B "Syslog
messages" B
Appendix C "Encryption
methods used (ciphers)" C
06/2023
C79000-G8976-C330-17
Legal information
Warning notice system
This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent
damage to property. The notices referring to your personal safety are highlighted in the manual by a safety alert
symbol, notices referring only to property damage have no safety alert symbol. These notices shown below are
graded according to the degree of danger.
DANGER
indicates that death or severe personal injury will result if proper precautions are not taken.
WARNING
indicates that death or severe personal injury may result if proper precautions are not taken.
CAUTION
indicates that minor personal injury can result if proper precautions are not taken.
NOTICE
indicates that property damage can result if proper precautions are not taken.
If more than one degree of danger is present, the warning notice representing the highest degree of danger will
be used. A notice warning of injury to persons with a safety alert symbol may also include a warning relating to
property damage.
Qualified Personnel
The product/system described in this documentation may be operated only by personnel qualified for the specific
task in accordance with the relevant documentation, in particular its warning notices and safety instructions.
Qualified personnel are those who, based on their training and experience, are capable of identifying risks and
avoiding potential hazards when working with these products/systems.
Proper use of Siemens products
Note the following:
WARNING
Siemens products may only be used for the applications described in the catalog and in the relevant technical
documentation. If products and components from other manufacturers are used, these must be recommended or
approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and maintenance
are required to ensure that the products operate safely and without any problems. The permissible ambient
conditions must be complied with. The information in the relevant documentation must be observed.
Trademarks
All names identified by ® are registered trademarks of Siemens AG. The remaining trademarks in this publication
may be trademarks whose use by third parties for their own purposes could violate the rights of the owner.
Disclaimer of Liability
We have reviewed the contents of this publication to ensure consistency with the hardware and software
described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the
information in this publication is reviewed regularly and any necessary corrections are included in subsequent
editions.
1 Introduction ......................................................................................................................................... 11
1.1 Purpose of the configuration manual.................................................................................. 11
1.2 Scope of validity ................................................................................................................ 11
1.3 Supplementary documentation.......................................................................................... 11
1.4 Further documentation...................................................................................................... 12
1.5 New in this version ............................................................................................................ 13
1.6 Symbols used .................................................................................................................... 14
1.7 Designations used.............................................................................................................. 14
1.8 SIMATIC NET glossary......................................................................................................... 15
1.9 Security information .......................................................................................................... 15
1.10 Error/fault .......................................................................................................................... 16
1.11 Decommissioning .............................................................................................................. 16
1.12 Recycling and disposal ....................................................................................................... 16
1.13 Firmware ........................................................................................................................... 16
1.14 Open source license conditions .......................................................................................... 17
1.15 Trademarks........................................................................................................................ 17
2 Security recommendation ................................................................................................................... 19
2.1 Security recommendations................................................................................................. 19
2.2 Available services............................................................................................................... 23
3 Description........................................................................................................................................... 27
3.1 Function ............................................................................................................................ 27
3.2 Configuration examples ..................................................................................................... 28
3.2.1 Overview ........................................................................................................................... 28
3.2.2 SCALANCE MUM856/M81x as Internet access .................................................................... 29
3.2.3 Direct communication of stations....................................................................................... 31
3.2.4 Telecontrol via the mobile wireless network........................................................................ 32
3.2.5 Telecontrol via dedicated line ............................................................................................. 33
3.2.6 Mobile access to plants and plant sections.......................................................................... 34
3.2.7 Plant access via a remote maintenance center .................................................................... 36
3.2.8 TeleControl with SINEMA RC............................................................................................... 37
3.3 Requirements for operation................................................................................................ 38
3.3.1 For operation with MUM853 .............................................................................................. 38
3.3.2 For operation with MUM856 .............................................................................................. 40
3.3.3 For operation with M87x.................................................................................................... 41
3.3.4 For operation with M81x.................................................................................................... 43
There, you will find among other things optical performance data of the communications
partner that you require for the installation.
You will find the system manuals here:
• On the Internet pages of Siemens Industry Online Support under the following entry IDs:
– 27069465 (https://support.industry.siemens.com/cs/de/en/view/27069465)
Industrial Ethernet / PROFINET Industrial Ethernet System Manual
– 84922825 (https://support.industry.siemens.com/cs/de/en/view/84922825)
Industrial Ethernet / PROFINET - Passive network components System Manual
Note
eSIM and Secure Boot support
The eSIM and Secure Boot functions are available in SCALANCE MUM85x devices as of HW
version 2. The hardware version is displayed in WBM under "Information > I&M" or in CLI using
the "show im (Page 130)" command.
The eSIM function is not available on the 6GK5856-2EA00-3FA1 device variant.
The chapter described / the section described / the parameter described is not rele‐
vant for SCALANCE M804PB.
Abbreviations used
The information in the configuration manual often applies to more than one product variant.
In such situations, the designations of the products are shortened to avoid having to list all
the type designations.
The following table shows how the abbreviations relate to the product variants.
For additional information on industrial security measures that may be implemented, please
visit
https://www.siemens.com/industrialsecurity (https://www.siemens.com/industrialsecurity).
Siemens’ products and solutions undergo continuous development to make them more
secure. Siemens strongly recommends that product updates are applied as soon as they are
available and that the latest product versions are used. Use of product versions that are no
longer supported, and failure to apply the latest updates may increase customer’s exposure
to cyber threats.
To stay informed about product updates, subscribe to the Siemens Industrial Security RSS
Feed under
https://www.siemens.com/cert (https://www.siemens.com/cert).
1.10 Error/fault
If a fault develops, send the device to your SIEMENS representative for repair. Repairs on-site are
not permitted.
1.11 Decommissioning
Shut down the device properly to prevent unauthorized persons from accessing confidential
data in the device memory.
To do this, restore the factory settings on the device.
Also restore the factory settings on the storage medium.
1.13 Firmware
The firmware is available on the Internet pages of the Siemens Industry Online Support: (https://
support.industry.siemens.com/cs/ww/en/ps/28821/dl)
License conditions
Note
Open source software
Read the license conditions for open source software carefully before using the product.
You will find license conditions in the following documents on the supplied data medium:
• OSS_Scalance-M-800-S615_86.pdf
• OSS_SCALANCE_MuM856_86.pdf
1.15 Trademarks
The following and possibly other names not identified by the registered trademark sign ® are
registered trademarks of Siemens AG:
SCALANCE, SINEMA, KEY-PLUG, C-PLUG
Note
Note that GPS signals can be obfuscated or blocked by malicious third-party devices.
General
• Check the device regularly to ensure that these recommendations and/or other internal
security policies are complied with.
• Evaluate the security of your location and use a cell protection concept with suitable
products. For more information, refer to:
Link: (https://www.siemens.com/industrialsecurity)
• When the internal and external network are disconnected, an attacker cannot access internal
data from the outside. If possible, operate the device only within a protected network area.
• Use VPN to encrypt and authenticate communication from and to the devices.
• For data transmission via a non-secure network, use an encrypted VPN tunnel (IPsec,
OpenVPN).
• Check the user documentation of other Siemens products that are used together with the
device for additional security recommendations.
• Using remote logging, ensure that the system protocols are forwarded to a central logging
server. Make sure that the server is within the protected network and check the protocols
regularly for potential security violations or vulnerabilities.
Authentication
Note
Accessibility risk - Risk of data loss
Do not lose the passwords for the device. Access to the device can only be restored by resetting
the device to factory settings which completely removes all configuration data.
• Replace the default passwords for all user accounts, access modes and applications (if
applicable) before you use the device.
• Define rules for the assignment of passwords.
• Use passwords with a high password strength. Avoid weak passwords, (e.g. password1,
123456789, abcdefgh) or recurring characters (e.g. abcabc).
This recommendation also applies to symmetrical passwords/keys configured on the device.
• Make sure that passwords are protected and only disclosed to authorized personnel.
• Do not use the same passwords for multiple user names and systems.
• Store the passwords in a safe location (not online) to have them available if they are lost.
• Regularly change your passwords to increase security.
• A password must be changed if it is known or suspected to be known by unauthorized
persons.
• When user authentication is performed via RADIUS, make sure that all communication takes
place within the security environment or is protected by a secure channel.
• Watch out for link layer protocols that do not offer their own authentication between
endpoints, such as ARP or IPv4. An attacker could use vulnerabilities in these protocols to
attack hosts, switches and routers connected to your layer 2 network, for example, through
manipulation (poisoning) of the ARP caches of systems in the subnet and subsequent
interception of the data traffic. Appropriate security measures must be taken for non-secure
layer 2 protocols to prevent unauthorized access to the network. Physical access to the local
network can be secured or secure, higher layer protocols can be used, among other things.
Physical/remote access
• If possible, operate the devices only within a protected network area. Attackers cannot access
internal data from the outside when the internal and the external network are separate from
each other.
• Limit physical access to the device exclusively to trusted personnel.
The memory card or the PLUG (C-PLUG, KEY-PLUG, CLP) contains sensitive data such as
certificates and keys that can be read out and modified. An attacker with control of the
device's removable media could extract critical information such as certificates, keys, etc. or
reprogram the media.
• Lock unused physical ports on the device. Unused ports can be used to gain forbidden access
to the plant.
• We highly recommend that you keep the protection from brute force attacks (BFA) activated
to prevent third parties from gaining access to the device. For more information, see the
configuration manuals, section "Brute Force Prevention (Page 428)".
• If possible, use the VPN functionality to encrypt and authenticate communication for
communication via non-secure networks.
• When you establish a secure connection to a server (for example for an upgrade), make sure
that strong encryption methods and protocols are configured for the server.
• Terminate the management connections (e.g. HTTPS, SSH) properly.
• Make sure that the device has been powered down completely before you decommission it.
For more information, refer to "Decommissioning (Page 16)".
• We recommend formatting a PLUG that is not being used.
Hardware / Software
• Use VLANs whenever possible as protection against denial-of-service (DoS) attacks and
unauthorized access.
• Restrict access to the device by setting firewall rules or rules in an access control list (ACL).
• Selected services are enabled by default in the firmware. It is recommended to enable only
the services that are absolutely necessary for your installation.
For more information on available services, see "List of available services (Page 23)".
• To ensure you are using the most secure encryption methods available, use the latest web
browser version compatible with the product. Also, the latest web browser versions of
Mozilla Firefox, Google Chrome, and Microsoft Edge have 1/n-1 record splitting enabled,
which reduces the risk of attacks such as SSL/TLS Protocol Initialization Vector
Implementation Information Disclosure Vulnerability (for example, BEAST).
• Ensure that the latest firmware version is installed, including all security-related patches.
You can find the latest information on security patches for Siemens products at the Industrial
Security (https://www.siemens.com/industrialsecurity) or ProductCERT Security Advisories
(https://www.siemens.com/cert/en/cert-security-advisories.htm) website.
For updates on Siemens product security advisories, subscribe to the RSS feed on the
ProductCERT Security Advisories website or follow @ProductCert on Twitter.
• Enable only those services that are used on the device, including physical ports. Free physical
ports can potentially be used to gain access to the network behind the device.
• Use the authentication and encryption mechanisms of SNMPv3 if possible. Use strong
passwords.
• Configuration files can be downloaded from the device. Ensure that configuration files are
adequately protected.
Configuration files can be password protected during download. You enter passwords on the
WBM page "System > Load & Save > Passwords (Page 205)".
• When using SNMP (Simple Network Management Protocol):
– Configure SNMP to generate a notification when authentication errors occur.
For more information, see WBM "System > SNMP > Notifications (Page 226)".
– Ensure that the default community strings are changed to unique values.
– Use SNMPv3 whenever possible. SNMPv1 and SNMPv2c are considered non-secure and
should only be used when absolutely necessary.
– If possible, prevent write access.
Secure/non-secure protocols
• Use secure protocols if access to the device is not prevented by physical protection measures.
• Restrict the use of non-secure protocols. While some protocols are secure (e.g. HTTPS, SSH,
802.1X, etc.), others were not designed for the purpose of securing applications (e.g.
SNMPv1/v2c, RSTP, etc.).
Therefore, take appropriate security measures against non-secure protocols to prevent
unauthorized access to the device/network. Use non-secure protocols on the device using a
secure connection (e.g. SINEMA RC).
• If non-secure protocols and services are required, ensure that the device is operated in a
protected network area.
• Check whether use of the following protocols is necessary:
– Telnet
– HTTP
– Broadcast pings
– Non authenticated and unencrypted interfaces
– ICMP (redirect)
– LLDP
– DHCP Options 66/67
– SNTP
– NTP
– TFTP
– TIA Portal Cloud Connector (not available with SCALANCE MUM85x)
– VRRPv3
– DNS
– SNMPv1/V2c
• Authentication
Specifies whether an authentication of the communication partner takes place or whether
an authentication can be configured.
• Encryption
Specifies whether the transfer is encrypted or whether the encryption can be configured.
The following is a list of all available Layer 2 services through which the device can be
accessed.
The table includes the following columns:
• Layer 2 service
The Layer 2 services that the device supports.
• Default status
The default status of the service (open or closed).
• Service configurable
Indicates whether the service can be configured via WBM / CLI.
Configuration
Configuration of all parameters using the
• Web Based Management (WBM) via HTTP and HTTPS.
• Command Line Interface (CLI) via Telnet and SSH.
Security functions
• Router with NAT function
– IP masquerading
– NAPT
– SourceNAT
– NETMAP
• Password protection
• Firewall function
– Port forwarding
– IP firewall with stateful packet inspection (layer 3 and 4)
– Global and user-defined firewall rules
• VPN functions
To establish a VPN (Virtual Private Network), the following functions are available
– IPsec VPN
– OpenVPN client
• SINEMA RC client
• Proxy server
• Siemens Remote Service (SRS)
• Brute Force Prevention
Other functions
• Time-of-day synchronization
– NTP client and NTP server
– Secure NTP server
– SIMATIC Time Client
– SNTP Client
• DHCP
– DHCP server (local network)
– DHCP client
• Virtual networks (VLAN)
To structure Industrial Ethernet networks with a fast growing number of devices, a physical
network can be divided into several virtual subnets
• Digital input/digital output
• Dynamic DNS client
• DNS client, DNS proxy and DNS records
• SMTP client
• TIA Portal Cloud Connector
3.2.1 Overview
With a SCALANCE M-800, you can link IP-based networks. The link can be via cable or wireless
via public or private communications infrastructures.
S7-300
Smartphone
TIM 3V-IE SCALANCE
Advanced MUM856-1 Mobile
Station wireless
network
S7-1200
ADSL ,QWHUQHWVHUYLFHV
Internet
HJHPDLO
CP 1243-1
DNP3 SCALANCE
M812-1
Industrial Ethernet
Station VPN tunnel
You can connect a station to the Internet using the mobile wireless network or using ADSL.
This makes Internet services available such as sending and receiving e-mails.
The device can automatically send an e-mail if an alarm event occurs, for example to the
network administrator. When an e-mail event message is received, the WBM can be started
by the Web browser using the identification of the sender to read out further diagnostics
information.
The M874 can send an SMS message to a mobile phone if an alarm event occurs.
Requirement
• The M-800 is reachable via an Admin PC
Procedure
To configure Internet access, follow the steps below:
1. Establish a connection to the WAN,see section Interfaces (Page 303).
2. To allow access to the required Internet services, set up firewall rules, see section Firewall
(Page 396).
3. Setup your application for the Internet services.
7UDQVIRUPHU
VWDWLRQ
6&$/$1&( 6&$/$1&(
0 0
('*( 6+'6/
3XEOLFQHWZRUN $31
3ULYDWHQHWZRUN
:LQGIDUP :LQGIDUP
&3 &3
)L[HG )L[HG
,3DGGUHVV ,3DGGUHVV
6&$/$1&( 6&$/$1&(
0 0
$'6/ 6+'6/
2XWVWDWLRQZLWK'6/DQGPRELOHZLUHOHVVFRQQHFWLRQ 2XWVWDWLRQZLWKGHGLFDWHGOLQH
The SCALANCE M826 modules can communicate with each other either in 2-wire mode or in
4-wire mode. In 4-wire mode, 2 x 2-wire cables are aggregated to form a virtual connection
with twice the data rate.
Network A Network B
6&$/$1&( 6&$/$1&(
0 0
6+'6/ 6+'6/
Industrial Ethernet
2-wire cable
Requirements
• The M-800 is reachable via an Admin PC.
• To establish a VPN tunnel:
– M81x and M874
The network provider offers the required services, for example, a fixed IP address for
mobile wireless routers and/or an access to the Internet via a private APN.
– M826
The devices have a fixed IP address and are in routing mode.
Procedure
To configure data transfer via a VPN tunnel, follow the steps below:
1. Establish a connection to the public or private network, refer to the section Interfaces
(Page 303).
2. Connect a controller, for example using a CP 343-1 to an Ethernet interface of the M-800.
3. Establish a VPN connection between the two M800 devices, refer to the section IPsec VPN
(Page 409).
4. Set up the connected controllers for data communication.
Field PG
SCALANCE
M874-3
Smartphone
S7-300
TIM 3V-IE
Tablet Advanced
Station
Requirements
• The M-800 is reachable via an Admin PC.
• To establish a VPN tunnel:
Fixed IP address or hostname of the DSL router.
Procedure
To set up one or more VPN tunnels for data transfer, follow the steps below:
1. Establish a connection to the WAN, see section Interfaces (Page 303).
2. Connect local SINAUT applications, for example TIM 4R-IE to one of the Ethernet interfaces.
3. Establish a VPN connection, see sectionIPsec VPN (Page 409).
4. Set up the connected SINAUT applications for data communication.
S7-400 with
CP 443-1
Industrial Ethernet
SCALANCE SCALANCE
Master station M826-2 M826-2
Star-shaped SCALANCE
SCALANCE dedicated line
M826-2 M826-2
network
S7-300 with S7-300 with
TIM 3V-IE TIM 3V-IE
Station
Station
Mobile access
Mobile
Internet Industrial Ethernet
wireless Remote station 2
SCALANCE
M874-3
1 3 2
Industrial Ethernet
Remote station 1
① Image transfer
② WinCC flexible
③ Web access to CP 343-1
Requirements
• The M874 is reachable via an Admin PC.
Procedure
To be able to access a plant via a VPN tunnel when traveling, note the following points and the
relevant sections in these operating instructions:
1. Establish a connection to the mobile wireless network,refer to the section Mobile wireless
(Page 306).
2. Set up a VPN tunnel in Roadwarrior mode for the M874-x, refer to the section IPsec VPN
(Page 409).
3. Set up a VPN tunnel on the mobile access page in the SOFTNET Security Client.
Note: Points 3 and 4 can also be performed with the Security Configuration Tool.
4. Set up the connected applications of the plant for data communication.
SCALANCE SCALANCE
S612 M812-1
DMZ VPN tunnel 2
SIMATIC S7-300 with
system
CPU 315-2DP
VPN and CP 343-1
tunnel 1 Lean
Service center
SCALANCE
M874-2 PROFIBUS
Internet
Industrial Ethernet
Mobile Remote station 2
wireless
G_IK10_XX_30190
M874-3
1 3 2 UMTS
mobile phone
Industrial Ethernet
Remote station 1
Procedure
To be able to access a plant via a remote maintenance master station, follow the steps below:
1. Establish the Ethernet connection between the M874 and the connected Admin PC.
2. Establish a connection to the mobile wireless network,see section Mobile wireless
(Page 306).
3. Configure the VPN connection for the remote maintenance master station on the SCALANCE
S612 with the Security Configuration Tool.
4. Set up a VPN tunnel in standard mode, see section IPsec VPN (Page 409).
5. Set up the connected applications of the plant for data communication.
PC with
SINEMA RC server
PC with SINEMA RC Client S615 PC
H[WHUQDOSXEOLFQHWZRUN
Station 1 Station 2
LQWHUQDOQHWZRUN LQWHUQDOQHWZRUN
S7-300 S7-1200
Procedure
To be able to access a plant via a remote maintenance master station, follow the steps below:
1. Establish the Ethernet connection between the S615 and the connected Admin PC.
2. Create the devices and node groups on the SINEMA RC Server.
3. Configure the connection to the SINEMA RC server on the device, refer to the section SINEMA
RC (Page 287).
4. Set up the connected applications of the plant for data communication.
Antenna
The device supports the following frequency bands:
• 5G:
– SA: n1, n2, n3, n5, n7, n8, n12, n20, n28, n38, n40, n41, n48, n66, n71, n77, n78, n79
– NSA: n41, n77, n78, n79
• LTE:
B1/ B2/ B3/ B4/ B5/ B7/ B8/ B12/ B13/ B14/ B17/ /B18/ B19/ B20/ B25/ B26/ B28/ B29/ B30/ B32/
B34/ B38/ B39/ B40/ B41/ B42/ B43/ B46/ B48/ B66/ B71
• UMTS:
B1/ B2/ B3/ B4/ B5/ B8
Use antennas from the accessories program of the SCALANCE M-800 device. You will find
further information on this in the device-specific operating instructions.
Depending on the frequency bands used by your mobile wireless provider, antennas must be
tuned to the suitable frequencies. Check with your mobile wireless provider for the frequency
bands.
Note
You should also note the national approvals for the SCALANCE M-800 devices.
You will find the current status of the national approval on the Internet at the following address:
(https://w3.siemens.com/mcms/industrial-communication/en/support/ik-info/Documents/
Online_CountryApprovals_GSM_UMTS_products.pdf)
Note
Antennas
• A1+ A2
An antenna must always be connected to the antenna connectors in order to use 3/4/5G
connectivity.
• A3 + A4
Optional. The antenna ports are required for additional MIMO download streams.
Keep the protective caps
Keep the removed protective cap for later use.
Power supply
You will find further information on this in the device-specific operating instructions.
SIM card
A micro SIM card from the chosen mobile wireless provider.
PIN
The PIN (= Personal Identification Number) for the SIM card
5 G / LTE / UMTS activation
The SIM card must be activated for the services in the mobile wireless network by your
mobile wireless provider.
The access data must be known:
• Access point name (APN)
• User name
• Password
Configuration
In the factory settings, the SCALANCE MUM853 can be reached as follows for initial
configuration:
You will find more information in "Web Based Management (Page 97)" and in "Starting and
logging in (Page 98)".
Antenna
The device supports the following frequency bands:
• 5G:
– SA: n1, n2, n3, n5, n7, n8, n12, n20, n28, n38, n40, n41, n48, n66, n71, n77, n78, n79
– NSA: n41, n77, n78, n79
• LTE:
B1/ B2/ B3/ B4/ B5/ B7/ B8/ B12/ B13/ B14/ B17/ /B18/ B19/ B20/ B25/ B26/ B28/ B29/ B30/ B32/
B34/ B38/ B39/ B40/ B41/ B42/ B43/ B46/ B48/ B66/ B71
• UMTS:
B1/ B2/ B3/ B4/ B5/ B8
Use antennas from the accessories program of the SCALANCE M-800 device. You will find
further information on this in the device-specific operating instructions.
Depending on the frequency bands used by your mobile wireless provider, antennas must be
tuned to the suitable frequencies. Check with your mobile wireless provider for the frequency
bands.
Note
You should also note the national approvals for the SCALANCE M-800 devices.
You will find the current status of the national approval on the Internet at the following address:
Online_CountryApprovals_GSM_UMTS_products.pdf
(https://w3.siemens.com/mcms/industrial-communication/en/support/ik-info/Documents/
Online_CountryApprovals_GSM_UMTS_products.pdf)
Note
Antennas
• A1+ A2
An antenna must always be connected to the antenna connectors in order to use 3/4/5G
connectivity.
• A3 + A4
Optional. The antenna ports are required for additional MIMO download streams.
Keep the protective caps
Keep the removed protective cap for later use.
Power supply
You will find further information on this in the device-specific operating instructions.
SIM card
A micro SIM card from the chosen mobile wireless provider.
PIN
The PIN (= Personal Identification Number) for the SIM card
5 G / LTE / UMTS activation
The SIM card must be activated for the services in the mobile wireless network by your
mobile wireless provider.
The access data must be known:
• Access point name (APN)
• User name
• Password
Configuration
In the factory settings, the SCALANCE MUM856 can be reached as follows for initial
configuration:
You will find more information in "Web Based Management" and in "Starting and logging in
(Page 98)".
Antenna
The frequency range of the antenna depends on the device being used:
• SCALANCE M874-2
EGPRS / GPRS (2G): 850, 900, 1800 or 1900 MHz
• SCALANCE M874-3 / M876-3
UMTS (3G): 800, 850, 900, 1900 or 2100 MHz
• SCALANCE M876-4
LTE (4G): 800, 900, 1800, 2100 or 2600 MHz
Use antennas from the accessories program of the SCALANCE M-800 device. You will find
further information on this in the device-specific operating instructions.
Note
You should also note the national approvals for the SCALANCE M-800 devices.
You will find the current status of the national approval on the Internet at the following address:
http://www.automation.siemens.com/mcms/industrial-communication/en/support/ik-info/
Documents/Online_CountryApprovals_GSM_UMTS_products.pdf (https://w3.siemens.com/
mcms/industrial-communication/en/support/ik-info/Documents/
Online_CountryApprovals_GSM_UMTS_products.pdf)
Power supply
A power supply with a voltage between 12 VDC and 24 VDC that can provide sufficient current.
You will find further information on this in the device-specific operating instructions.
SIM card
A mini SIM card from the chosen mobile wireless provider.
PIN
The PIN (= Personal Identification Number) for the SIM card
LTE / UMTS / EGPRS / GPRS activation
The SIM card must be activated for the services in the mobile wireless network by your
mobile wireless provider.
The access data must be known:
• Access point name (APN)
• User name
• Password
Configuration
In the factory settings, the SCALANCE M87x can be reached as follows for initial configuration:
You will find more information in "Web Based Management" and in "Starting and logging in
(Page 98)".
Power supply
A power supply with a voltage between 12 VDC and 24 VDC that can provide sufficient current.
You will find further information on this in the device-specific operating instructions.
ADSL connection
An ADSL connection of the chosen DSL provider.
ADSL activation
The DSL connection must be activated by your DSL provider.
The access data must be known:
• User name
• Password
• VCI / VPI
• Encapsulation
Configuration
In the factory settings, the SCALANCE M81x can be reached as follows for initial configuration:
You will find more information in "Web Based Management" and in "Starting and logging in
(Page 98)".
Power supply
A power supply with a voltage between 12 VDC and 24 VDC that can provide sufficient current.
You will find further information on this in the device-specific operating instructions.
SHDSL connection
Company-owned copper cables
Configuration
In the factory settings, the SCALANCE M826 can be reached as follows for initial configuration:
Note
When the product ships and following "Restore Factory Defaults and Restart", DHCP is enabled.
If a DHCP server is available in the local area network, and this responds to the DHCP request of
a SCALANCE M826, the IP address, subnet mask and gateway are assigned automatically when
the device first starts up. "Restore Memory Defaults and Restart " does not delete an IP address
assigned either by DHCP or by the user.
You will find more information in "Web Based Management" and in "Starting and logging in
(Page 98)".
Note
M826 operation
The full range of functions is only supported when only SCALANCE M826 devices are used. If you
use an SHDSL modem of another manufacturer as an end node, problem free operation cannot
be guaranteed.
Power supply
A power supply with a voltage between 12 VDC and 24 VDC that can provide sufficient current.
You will find further information on this in the device-specific operating instructions.
Configuration
With the factory settings, the SCALANCE M804PB can be reached as follows for initial
configuration:
You will find more information in "Web Based Management (Page 97)" and in "Starting and
logging in (Page 98)".
Note
Validity of CCA declaration
The CCA declaration applies to PROFINET RT without the use in media redundancy structures.
Configuration information
When using the device in a PROFINET environment, follow the following configuration
instructions:
• Set the "Aging Time" to 45 seconds.
• Disable Spanning Tree and enable Passive Listening.
• Set the Base Bridge Mode (Layer 2 > VLAN > General) to "802.1Q VLAN Bridge". The M826 is
an exception. If the same subnet is transferred with SHDSL, use "802.1D Transparent Bridge"
for "Base Bridge Mode".
Note
• Use the "TIA Portal Cloud Connector" integrated in the product over a VPN solution (e.g.
SINEMA RC).
• Configure the firewall settings of the SCALANCE M800/S615 (e.g. predefined IPv4 rules
"Cloud Connector") to prevent unauthorized access of network devices to the "TIA Portal
Cloud Connector Server".
Availability of hardware
The following table shows the hardware of the devices.
We reserve the right to make technical changes.
SCALANCE
M874-2 M876-3 M812 M816 M826 M804PB MUM856-1 MUM853-1
M874-3 M876-4
Interfaces 1 x SMA an‐ 2 x SMA an‐ 1 x DSL 1 x DSL 2 x SHDSL 1 x RS 485 4 x N-connect 4 x SMA an‐
tenna con‐ tenna con‐ (MPI/DP) tenna port
nector nector
2 x RJ45 4 x RJ45 1x RJ45 4 x RJ45 4 x RJ45 2 x RJ45 1 x M12 sock‐ 4 x RJ45
(LAN) (LAN) et, X-coded
Digital in‐ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
put/
output
PLUG slot ✓ ✓ - ✓ ✓ ✓ ✓ ✓
(CLP) (CLP)
SET button ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
SCALANCE
M87x MUM85x M812 M816 M826 M804PB
Basic Wiz‐ IP settings ✓ ✓ ✓ ✓ ✓ ✓
ard Device settings ✓ ✓ ✓ ✓ ✓ ✓
SIM ✓ ✓ - - - -
Mobile network pro‐ ✓ ✓ - - - -
vider
DSL - - ✓ ✓ - -
SHDSL - - - - ✓ -
TIA Portal Cloud Con‐ ✓ ✓ ✓ ✓ ✓ ✓
nector
Time settings ✓ ✓ ✓ ✓ ✓ ✓
SINEMA RC 1) ✓ ✓ - ✓ ✓ ✓
DDNS ✓ ✓ ✓ ✓ ✓ ✓
SCALANCE
M87x MUM85x M812 M816 M826 M804PB
Informa‐ ARP Table ✓ ✓ ✓ ✓ ✓ ✓
tion IPv6 Neighbor Table ✓ ✓ ✓ ✓ ✓ ✓
Log Tables ✓ ✓ ✓ ✓ ✓ ✓
IPv4 Routing ✓ ✓ ✓ ✓ ✓ ✓
IPv6 Routing ✓ ✓ ✓ ✓ ✓ ✓
Mobile network ✓ ✓ - - - -
DSL - - ✓ ✓ - -
SHDSL ✓ ✓ ✓ ✓ ✓ -
Redundancy ✓ ✓ ✓ ✓ ✓ ✓
VRRPv3 ✓ ✓ ✓ ✓ - -
SINEMA RC 1)
✓ ✓ - ✓ ✓ ✓
System SMTP client ✓ ✓ ✓ ✓ ✓ ✓
SNMP ✓ ✓ ✓ ✓ ✓ ✓
Time setting ✓ ✓ ✓ ✓ ✓ ✓
Automatic logout ✓ ✓ ✓ ✓ ✓ ✓
Syslog client ✓ ✓ ✓ ✓ ✓ ✓
Fault Monitoring ✓ ✓ ✓ ✓ ✓ ✓
PLUG ✓ ✓ - ✓ ✓ ✓
SMS ✓ ✓ - - - -
DNS ✓ ✓ ✓ ✓ ✓ ✓
DHCPv4 ✓ ✓ ✓ ✓ ✓ ✓
cRSP/SRS ✓ ✓ ✓ ✓ ✓ ✓
Proxy Server ✓ ✓ ✓ ✓ ✓ ✓
TIA Portal Cloud Con‐ ✓ - ✓ ✓ ✓ ✓
nector
SINEMA RC1) ✓ ✓ - ✓ ✓ ✓
Connection Check ✓ ✓ ✓ ✓ ✓ ✓
Interfaces Ethernet ✓ ✓ ✓ ✓ ✓ ✓
Mobile network ✓ ✓ - - - -
DSL - - ✓ ✓ - -
SHDSL - - - - ✓ -
Layer 2 Configuration ✓ ✓ ✓ ✓ ✓ ✓
VLAN ✓ ✓ ✓ ✓ ✓ ✓
VXLAN - ✓ - - - -
Dynamic MAC aging ✓ ✓ ✓ ✓ ✓ ✓
LLDP ✓ ✓ ✓ ✓ ✓ ✓
Spanning Tree ✓ ✓ ✓ ✓ ✓ ✓
Layer 3 Static routes ✓ ✓ ✓ ✓ ✓ ✓
(IPv4) Subnets ✓ ✓ ✓ ✓ ✓ ✓
Spanning Tree ✓ ✓ ✓ ✓ ✓ ✓
NAT ✓ ✓ ✓ ✓ ✓ ✓
VRRPv3 ✓ ✓ ✓ ✓ ✓ ✓
SCALANCE
M87x MUM85x M812 M816 M826 M804PB
Layer 3 Subnets ✓ ✓ ✓ ✓ ✓ ✓
(IPv6) NAT ✓ ✓ ✓ ✓ ✓ ✓
Security Passwords ✓ ✓ ✓ ✓ ✓ ✓
Users ✓ ✓ ✓ ✓ ✓ ✓
AAA (Authentication, ✓ ✓ ✓ ✓ ✓ ✓
Authorization, Ac‐
counting)
Certificates ✓ ✓ ✓ ✓ ✓ ✓
Firewall ✓ ✓ ✓ ✓ ✓ ✓
IPsec VPN ✓ ✓ ✓ ✓ ✓ ✓
OpenVPN ✓ ✓ ✓ ✓ ✓ ✓
1)
KEY-PLUG SINEMA Remote Connect 6GK5908-0PB00 / SCALANCE CLP 2GB SINEMA RC 6GK5908-0UA00-0AA0
3.7 PLUG
3.7.1 PLUG
0
The PLUG is a removable medium and is used to transfer the configuration of the old device to
the new device when a device is replaced.
The following PLUG types are available:
• C-PLUG: The removable data storage medium only saves the configuration data of the device.
• KEY-PLUG: In addition to the configuration data, the removable data storage medium
contains a license with which specific functions can be enabled, e.g. SINEMA RC.
• CLP (Configuration License PLUG)
The SCALANCE CLP is a removable data storage medium for the storage and securing of
configuration data that can be used in all SCALANCE devices with CLP slot, e.g. SCALANCE
MUM85x. The SCALANCE CLP is used to transfer the configuration of the old device to the
new device when a device is replaced. The CLP is a successor to the previously described
PLUGs. The CLP is also referred to as PLUG in the description. The PLUG is available in the
following variants:
– PLUG Configuration
– PLUG License
Position
The PLUG slot is located on the back of the device, see the Device views section in the Operating
Instructions of the device.
Function
Devices with a PLUG slot support the following operating modes:
• Without PLUG
The device saves the configuration data in the internal memory. This mode is active when no
PLUG is inserted.
• With PLUG
In the startup phase:
– If an empty PLUG (as supplied) is inserted in the device, the device automatically backs
up the configuration data on the PLUG during startup. After that, it behaves like a PLUG
with data.
– When a PLUG with data is plugged into a device, the device automatically adopts the
configuration of the PLUG during the startup phase. The prerequisite for this is that the
configuration data was written by a compatible device type.
One exception to this can be the IP configuration if it is set using DHCP and the DHCP
server has not been reconfigured accordingly. Reconfiguration is necessary if you use
functions based on MAC addresses.
– If the PLUG contains a license, additional functions are also enabled.
Note
If the device was configured at some time with a KEY-PLUG or PLUG license, the device can
no longer be used without this PLUG. To be able to use the device again, reset the device
to the factory settings.
During operation:
– During operation, changes to the configuration are saved on the PLUG and in the internal
memory.
– The configuration data of the device is stored in a secured memory area of the PLUG. This
secured memory area can only be accessed via the authentication of the Siemens device.
– The device checks whether or not a PLUG is inserted at one second intervals. If the device
detects that the PLUG has been removed, it restarts automatically.
NOTICE
Operating risk - Danger of data loss
Only pull and plug the PLUG when the device is de-energized.
– The device signals deviations from normal operation of the PLUG (e.g., incompatible
data, incorrect operation or malfunctions) via the existing diagnostic mechanisms (e.g.,
LEDs or user interfaces). The user then has the choice of either removing the PLUG again
or selecting the option to reformat the PLUG.
The procedure for pulling and plugging the PLUG can be found in the section "Replacing the
PLUG" in the operating instructions for the device.
0
Note
Using configurations with DHCP
Create a PRESET-PLUG only from device configurations that use DHCP. Otherwise disruptions will
occur in network operation due to multiple identical IP addresses.
You assign fixed IP addresses extra following the basic installation.
In a PLUG that was configured as a PRESET-PLUG, the device configuration, user accounts,
certificates and the firmware are stored.
Note
Restore factory defaults and restart with a PRESET PLUG inserted
If you reset a device to the factory defaults, when the device restarts an inserted PRESET PLUG
is formatted and the PRESET PLUG functionality is lost. You then need to create a new PRESET
PLUG.
We recommend that you remove the PRESET PLUG before you reset the device to the factory
settings.
For more detailed information on creating and using a PRESET PLUG refer to the section
Device configuration with PRESET-PLUG (Page 431).
IPv4 IPv6
IP configuration • DHCP server • Stateless Address Autoconfiguration (SLAAC): Stateless au‐
• Manual toconfiguration using NDP (Neighbor Discovery Protocol)
– Creates a link local address for every interface that does
not require a router on the link.
– Checks the uniqueness of the address on the link that
requires no router on the link.
– Specifies whether the global addresses are obtained via
a stateless mechanism, a stateful mechanism or via
both mechanisms. (Requires a router on the link.)
• Manual
• DHCPv6 (stateful)
Available IP addresses 32-bit: 4, 29 * 109 address‐ 128-bit: 3, 4 * 1038 addresses
es
Address format Decimal: 192.168.1.1 Hexadecimal: 2a00:ad80::0123
with port: 192.168.1.1:20 with port: [2a00:ad80::0123]:20
Loopback 127.0.0.1 ::1
IP addresses of the interface 4 IP addresses Multiple IP addresses
• LLA: A link local address (formed automatically) fe80::/128
per interface
• ULA: Several unique local unicast addresses per interface
• GUA: Several global unicast addresses per interface
Header • Checksum • Checking at a higher layer
• Variable length • Fixed size
• Fragmentation in the • Fragmentation in the extension header
header
• No security
Fragmentation Host and router Only endpoint of the communication
Quality of service Type of Service (ToS) for The prioritization is specified in the header field "Traffic Class".
prioritization
Types of frame Broadcast, multicast, uni‐ Multicast, unicast, anycast
cast
IPv4 IPv6
Identification of DHCP clients/ Client ID: DUID + IAID(s) = exactly one interface of the host
server • MAC address DUID = DHCP unique identifier
• DHCP client ID Unique identifier of server and clients
• System name IAID = Identity Association Identifier
• PROFINET station name At least one per interface is generated by the client and remains
unchanged when the DHCP client restarts
• IAID and DUID
Three methods of obtaining the DUID
• DUID-LLT
• DUID-EN
• DUID-LL
Resolution of IP addresses in ARP (Address Resolution NDP (Neighbor Discovery Protocol)
hardware addresses Protocol)
Subnet mask
The subnet mask consists of four decimal numbers with the range from 0 to 255, each number
separated by a period; example: 255.255.0.0
The binary representation of the 4 subnet mask decimal numbers must contain a series of
consecutive 1s from the left and a series of consecutive 0s from the right.
The "1" values determine the network address within the IPv4 address. The "0" values
determine the device address within the IPv4 address.
Example:
Correct values
255.255.0.0 D = 1111 1111.1111 1111.0000 0000.0000 0000 B
255.255.128.0 D = 1111 1111.1111 1111.1000 0000.0000 0000 B
255.254.0.0 D = 1111 1111.1111 1110.0000 0000.0000.0000 B
Incorrect value:
255.255.1.0 D = 1111 1111.1111 1111.0000 0001.0000 0000 B
In the example for the IP address mentioned above, the subnet mask shown here has the
following meaning:
The first 2 bytes of the IP address determine the subnet - i.e. 192.168. The last two bytes
address the device, i.e. 16.2.
The following applies in general:
• The network address results from the AND combination of IPv4 address and subnet mask.
• The device address results from the AND-NOT combination of IPv4 address and subnet mask.
Result:
All devices with addresses from 129.80.1.xxx to 129.80.127.xxx are on one IP subnet, all
devices with addresses from 129.80.128.xxx to 129.80.255.xxx are on another IP subnet.
Configuration options
An initial IP address for a SCALANCE W device cannot be assigned using Web Based Management
(WBM) or the Command Line Interface (CLI) over Telnet because these configuration tools
require that an IP address already exists.
The following options are available to assign an IP address to an unconfigured device
currently without an IP address:
• DHCP (default)
• SINEC PNI
• STEP 7
• SINEC NMS
Note
When the product ships and following "Restore Memory Defaults and Restart", DHCP is
enabled.
If a DHCP server is available in the local area network, and this responds to the DHCP request
of a SCALANCE W device, the IP address, subnet mask and gateway are assigned
automatically when the device first starts up. "Restore Factory Defaults and Restart" does not
delete an IP address assigned either by DHCP or by the user.
SINEC INS can be used as in-house DHCP server and assign IP addresses to devices in the
network.
Properties of DHCP
DHCP (Dynamic Host Configuration Protocol) is a method for automatic assignment of IP
addresses. It has the following characteristics:
• DHCP can be used both when starting up a device and during ongoing operation.
• The assigned IP address remains valid only for a limited time known as the lease time. When
half the period of validity has elapsed. the DHCP client can extend the period of the assigned
IPv4 address. When the entire time has elapsed, the DHCP client needs to request a new IPv4
address.
• There is normally no fixed address assignment; in other words, when a client requests an IP
address again, it normally receives a different address from the previous address. It is possible
to configure the DHCP server so that the DHCP client always receives the same fixed address
in response to its request. The parameter with which the DHCP client is identified for the
fixed address assignment is set on the DHCP client. The address can be assigned via the MAC
address, the DHCP client ID, PROFINET device name or the device name. You configure the
parameter in "System > DHCP Client".
• The following DHCP options are supported:
– DHCP option 3: Assignment of a router address
– DHCP option 6: Assignment of a DNS server address
– DHCP option 66: Assignment of a dynamic TFTP server name
– DHCP option 67: Assignment of a dynamic boot file name
Note
DHCP uses a mechanism with which the IP address is assigned for only a short time (lease
time). If the device does not reach the DHCP server with a new request on expiry of the lease
time, the assigned IP address, the subnet mask and the gateway continue to be used.
The device therefore remains accessible under the last assigned IP address even without a
DHCP server. This is not the standard behavior of office devices but is necessary for problem-
free operation of the plant.
Introduction
The SINEC PNI is capable of assigning such an address to unconfigured devices that do not yet
have an IP address.
SINEC PNI
• To be able to assign an IP address to the device with SINEC PNI, it must be possible to reach
the device via Ethernet.
• You can find SINEC PNI on the Internet pages of Siemens Industry Online Support at the
following Link: (https://support.industry.siemens.com/cs/de/en/ps/26672/dl)
• For additional information about assigning the IP address with SINEC PNI, refer to the online
help or the "SINEC PNI network management" operating instructions.
STEP 7 as of V13
For additional information on assigning the IP address using STEP 7 as of V13, refer to the online
help "Information system", section "Addressing PROFINET devices".
Defined in RFC 4193. The IPv6 interface can be reached via this address in the LAN.
GUA
Global unicast address
The IPv6 interface can be reached through this address, for example, via the Internet.
Interface ID
The interface ID is formed with the EUI-64 method or manually.
EUI-64
Extended Unique Identifier (RFC 4291); process for forming the interface ID. In Ethernet,
the interface ID is formed from the MAC address of the interface. Divides the MAC address
into the manufacturer-specific part (OUI) and the network-specific part (NIC) and inserts FFFE
between the two parts.
Example:
MAC address = AA:BB:CC:DD:EE:FF
OUI = AA:BB:CC
NIC = DD:EE:FF
EUI-64 = OUI + FFFE + NIC = AA:BB:CC:FF:FE:DD:EE:FF
Scope
Defines the range of the IPv6 address.
Rules / simplifications:
• If one or more fields have the value 0, a shortened notation is possible.
The address fd00:0000:0000:ffff:02d1:7d01:0000:8f21 can also be shortened and written
as follows:
fd00::ffff:02d1:7d01:0000:8f21
To ensure uniqueness, this shortened form can only be used once within the entire address.
• Leading zeros within a field can be omitted.
The address fd00:0000:0000:ffff:02d1:7d01:0000:8f21 can also be shortened and written
as follows:
fd00::ffff:2d1:7d01:0000:8f21
• Decimal notation with periods
The last 2 fields or 4 bytes can be written in the normal decimal notation with periods.
Example: The IPv6 address fd00::ffff.125.1.0.1 is equivalent to fd00::ffff:7d01:1
The prefix for the link local address is always fe80:0000:0000:0000. The prefix is shortened
and noted as follows: fe80::
IPv6 prefix
Specified in: RFC 4291
The IPv6 prefix represents the subnet identifier.
Prefixes and IPv6 addresses are specified in the same way as with the CIDR notation (Classless
Inter-Domain Routing) for IPv4.
Design
IPv6 address / prefix length
Example
IPv6 address: 2001:0db8:1234::1111/48
Prefix: 2001:0db8:1234::/48
Interface ID: ::1111
4.2 VLAN
4.2.1 VLAN
The VLANs are in different IP subnets. To allow these to communicate with each other, the
corresponding route and firewall rule must be configured on the device.
You can change the assignment in "Layer 2 > VLAN > General (Page 332)".
Note
The VLAN tag increases the permitted total length of the frame from 1518 to 1522 bytes.
The end nodes on the networks must be checked to find out whether they can process this
length / this frame type. If this is not the case, only frames of the standard length may be sent
to these nodes.
The additional 4 bytes are located in the header of the Ethernet frame between the source
address and the Ethernet type / length field:
[
The additional bytes contain the tag protocol identifier (TPID) and the tag control information
(TCI).
The prioritization of the data packets is possible only if there is a queue in the components in
which they can buffer data packets with lower priority.
The device has multiple parallel queues in which the frames with different priorities can be
processed. As default, first, the frames with the highest priority are processed. This method
ensures that the frames with the highest priority are sent even if there is heavy data traffic.
Canonical Format Identifier (CFI)
The CFI is required for compatibility between Ethernet and the token Ring.
The values have the following meaning:
Value Meaning
0 The format of the MAC address is canonical. In the canonical representation of the MAC address,
the least significant bit is transferred first. Standard-setting for Ethernet switches.
1 The format of the MAC address is not canonical.
VLAN ID
In the 12-bit data field, up to 4096 VLAN IDs can be formed. The following conventions
apply:
VLAN ID Meaning
0 The frame contains only priority information (priority tagged frames) and no valid
VLAN identifier.
1- 4094 Valid VLAN identifier, the frame is assigned to a VLAN and can also include priority
information.
4095 Reserved
4.3 VXLAN
VXLAN (Virtual eXtensible LAN), like VLAN, divides a network into multiple virtual network
segments. The Ethernet frame (Layer 2) is forwarded through a VXLAN tunnel via an IP network
(Layer 3).
VNI / VNID
The VXLAN network ID (VNID / VNI) determines membership of an Ethernet frame in a
VXLAN and has 24 bits. This means that up to 16 million network segments, often also
referred to as VXLAN segments, are possible. The nodes with the same VNI are in a VXLAN
segment and can communicate with each other.
VTEP
The devices (physical or virtual) that establish the tunnel are referred to as VLAN tunnel
endpoints (VTEP). The source VTEP encapsulates the frame in different headers to send the
Ethernet frame. The destination VTEP, also called remote VTEP, decapsulates the Ethernet
frame and forwards it.
The VTEP has two interfaces.
• Physical interface
The VTEP is connected to the local network and its nodes via the physical interface. The
Ethernet frames are encapsulated and decapsulated at this interface.
Depending on the configuration, the local network is divided into multiple VLANs. To ensure
that the VTP forwards the Ethernet frame into the right VLAN, an assignment of VLAN ID to
VNI is configured. This also applies for the opposite direction. If the VTEP receives an Ethernet
frame, it uses the VNI in the VXLAN header that is assigned to this VLAN.
• Virtual interface
The VTEPs establish the VXLAN tunnel via the network virtual endpoint (NVE) interface and
forward the encapsulated Ethernet frame. A VTEP can have multiple NVE interfaces that
differ through a unique ID (NVE ID (Page 337)).
Header in which the Layer 2 Ethernet frame is encapsulated Layer2 Ethernet frame
① Outer MAC header ② Outer IP header ③ UDP header ④ VXLAN header
18 bytes IPv4: 20 bytes 8 bytes 8 bytes
IPV6: 40 bytes
Bit Bit Bit Bit
48 Remote VTEP 72 Different data of the 16 Source port 8 VXLAN flag ⑤Inner MAC header
MAC address IP header 00001000: • Destination MAC ad‐
(Page 342) VNI contained dress
• Source MAC address
⑥ Inner IP header
• Destination MAC ad‐
dress
• Source MAC address
⑦ VLAN tag (Page 340)
⑧ Payload
46 ... 1500 bytes
48 Source VTEP MAC 8 IP protocol 16 Destination 24 Reserved Frame Check Sequence
address port (VXLAN
port)
(Page 337)
16 VLAN type 16 Checksum 16 Length 24 VNI (Page 340)
16 VLAN ID 32 32: Source VTEP 16 Checksum 8 Reserved
/6 IPv4 address
4 (Page 339)
64: Source IPv6 ad‐
dress
16 Ethernet type 32 32: Remote VTEP
/6 IPv4 address
4 (Page 341) or Re‐
mote VTEP IPv4 ad‐
dress (Page 342)
64: Destination IPv6
address
4.4 SNMP
Introduction
With the aid of the Simple Network Management Protocol (SNMP), you monitor and control
network components from a central station, for example routers or switches. SNMP controls the
communication between the monitored devices and the monitoring station.
Tasks of SNMP:
• Monitoring of network components
• Remote control and remote parameter assignment of network components
• Error detection and error notification
In versions v1 and v2c, SNMP has no security mechanisms. Each user in the network can
access data and also change parameter assignments using suitable software.
For the simple control of access rights without security aspects, community strings are used.
The community string is transferred along with the query. If the community string is correct,
the SNMP agent responds and sends the requested data. If the community string is not
correct, the SNMP agent discards the query. Define different community strings for read and
write permissions. The community strings are transferred in plain text.
Standard values of the community strings:
• public
has only read permissions
• private
has read and write permissions
Note
Because the SNMP community strings are used for access protection, do not use the standard
values "public" or "private". Change these values following the initial commissioning.
SNMPv3
Compared with the previous versions SNMPv1 and SNMPv2c, SNMPv3 introduces an extensive
security concept.
SNMPv3 supports:
• Fully encrypted user authentication
• Encryption of the entire data traffic
• Access control of the MIB objects at the user/group level
With the introduction of SNMPv3 you can no longer transfer user configurations to other devices
without taking special action, e.g. by loading a configuration file or replacing the C-PLUG.
According to the standard, the SNMPv3 protocol uses a unique SNMP engine ID as an internal
identifier for an SNMP agent. This ID must be unique in the network. It is used to authenticate
access data of SNMPv3 users and to encrypt it.
Depending on whether you have enabled or disabled the “SNMPv3 User Migration” function,
the SNMP engine ID is generated differently.
Restriction when using the function
Use the "SNMPv3 User Migration" function only to transfer configured SNMPv3 users to a
substitute device when replacing a device.
Do not use the function to transfer configured SNMPv3 users to multiple devices. If you load
a configuration with created SNMPv3 users on several devices, these devices use the same
SNMP engine ID. If you use these devices in the same network, your configuration contradicts
the SNMP standard.
Compatibility with predecessor products
You can only transfer SNMPv3 users to a different device if you have created the users as
migratable users. To create a migratable user the "SNMPv3 User Migration" function must be
activated when you create the user.
4.5 ICMP
The acronym ICMP stands for Internet Control Message Protocol (RFC792) and is used to
exchange error and information messages.
• Error message
Informs the sender of the IP frame that when forwarding the frame an error or a parameter
problem occurred.
• Information message
Can contain information about the time measurement, the address mask, the reachability of
the destination or for finding the router.
0 4 8 12 16 20 24 28 31
ICMP packet type Code Checksum
Type of message Further details of the
message
Data (optional)
5RXWHU$
,QWHUIDFH ,QWHUIDFH
+RVW$ ,3 ,3
,3 YODQ YODQ
*:
6XEQHW$YODQ
6XEQHW%YODQ
5RXWHU%
,QWHUIDFH ,QWHUIDFH
,3 ,3
YODQ YODQ
+RVW&
,3
Host A wants to send an IP frame to host C. Host C is not located in the same subnet as host
A. For this reason host A sends the IP frame to its default gateway. The default gateway of
host A is interface 1 of router A. Router A cannot forward the IP frame because it does not
know the destination network. Via its routing table, however, router A knows that subnet C is
reachable via router B. Router B connects subnet A with subnet C. Router A sends a redirect
message to host A. In this, router A instructs host A in future to send IP frames to host C via
router B whose IP address is contained in the redirect message. The initial IP frame is sent by
router A directly to router B that forwards it to Host C.
Local logon
The local logging on of users by the device runs as follows:
1. The user logs on with user name and password on the device.
2. The device checks whether an entry exists for the user.
→ If an entry exists, the user is logged in with the rights of the associated role.
→ If no corresponding entry exists, the user is denied access.
If you have set the authorization mode "conventional", the authentication of users via a
RADIUS server runs as follows:
1. The user logs on with user name and password on the device.
2. The device sends an authentication request with the login data to the RADIUS server.
3. The RADIUS server runs a check and signals the result back to the device.
– The RADIUS server reports a successful authentication and returns the value
"Administrative User" to the device for the attribute "Service Type".
→ The user is logged in with administrator rights.
– The RADIUS server reports a successful authentication and returns a different or even no
value to the device for the attribute "Service Type".
→ The user is logged in with read rights.
– The RADIUS server reports a failed authentication to the device:
→ The user is denied access.
RADIUS authorization mode "Manufacturer-specific"
Requirement
For the RADIUS authorization mode "Siemens VSA" the following needs to be set on the
RADIUS server:
• Manufacturer code: 4196
• Attribute number: 1
• Attribute format: Character string (group name)
Procedure
If you have set the authorization mode "SiemensVSA", the authentication of users via a
RADIUS server runs as follows:
1. The user logs on with user name and password on the device.
2. The device sends an authentication request with the login data to the RADIUS server.
3. The RADIUS server runs a check and signals the result back to the device.
Case A: The RADIUS server reports a successful authentication and returns the group
assigned to the user to the device.
– The group is known on the device and the user is not entered in the table "External User
Accounts"
→ The user is logged in with the rights of the assigned group.
– The group is known on the device and the user is entered in the table "External User
Accounts"
→ The user is assigned the role with the higher rights and logged in with these rights.
– The group is not known on the device and the user is entered in the table "External User
Accounts"
→ The user is logged in with the rights of the role linked to the user account.
– The group is not known on the device and the user is not entered in the table "External
User Accounts"
→ The user is logged in with the rights of the role "Default".
Case B: The RADIUS server reports a successful authentication but does not return a group
to the device.
– The user is entered in the table "External User Accounts":
→ The user is logged in with the rights of the linked role "".
– The user is not entered in the table "External User Accounts":
→ The user is logged in with the rights of the role "Default".
Case C: The RADIUS server reports a failed authentication to the device:
– The user is denied access.
4.6.3 Firewall
The security functions of the device include a stateful inspection firewall. This is a method of
packet filtering or packet checking.
The IP packets are checked based on firewall rules in which the following is specified:
• The permitted protocols
• IP addresses and ports of the permitted sources
• IP addresses and ports of the permitted destinations
If an IP packet fits the specified parameters, it is allowed to pass through the firewall. The
rules also specify what is done with IP packets that are not allowed to pass through the
firewall.
Simple packet filter techniques require two firewall rules per connection.
• One rule for the query direction from the source to the destination.
• A second rule for the response direction from the destination to the source
Note
IP packets via layer 2 (within the same VLAN)
If the IP packets from the device are sent via a switch port (layer 2), these IP packets are not
checked based on firewall rules. The firewall has no effect on packets forwarded at the layer 2
level.
Communication directions
from to Meaning
vlan (1-x) vlan (1-x) Access from the V(X)LAN segment to the V(X)LAN segment.
nve x nve x Example:
vlan1 (INT) → vlan2 (EXT)
Access from the local IP subnet and the device to the external IP subnet.
ppp0/usb Access from the IP subnet to the mobile wireless interface of the device.
Device Access from the IP subnet to the device.
SINEMA RC Access from the IP subnet and the device to the SINEMA RC connection.
IPsec (all) Access from the IP subnet to the tunnel partners that can be reached via all
IPsec <Connection VPN connections (all) or via a certain VPN connection (<Connection
Name> Name>).
OpenVPN (all)
OpenVPN <Connec‐
tion Name>
Device vlan (1-x) Access from the device to the IP subnet.
nve x
ppp0/usb Access from the device to the mobile wireless interface of the device.
SINEMA RC Access from the device to the SINEMA RC connection
IPsec (all) Access from the device to the tunnel partners that can be reached via all VPN
IPsec <Connection connections (all) or via a certain VPN connection (<Connection Name>).
Name>
OpenVPN (all)
OpenVPN <Connec‐
tion Name>
from to Meaning
SINEMA RC vlan x Access from the SINEMA RC server to the V(X)LAN segment.
ppp0/usb Access from the SINEMA RC server to the mobile wireless interface of the
device.
Device Access from the SINEMA RC server to the device.
IPsec (all) Access from the SINEMA RC Server to the tunnel partners that can be
IPsec <Connection reached via all VPN connections (all) or via a certain VPN connection <Con‐
Name> nection Name>.
OpenVPN (all)
OpenVPN <Connec‐
tion Name>
IPsec (all) vlan (1-x) Access via tunnel partners to the V(X)LAN segment.
IPsec <Connection nve x
Name> ppp0/usb Access via tunnel partners to the mobile wireless interface of the device.
OpenVPN (all) Device Access via tunnel partners to the device.
OpenVPN <Connection SINEMA RC Access via tunnel partners to the SINEMA RC connection.
Name>
ppp0/usb vlan (1-x) Access from the mobile wireless interface to the V(X)LAN segment.
nve x
Device Access from the mobile wireless interface to the device.
SINEMA RC Access from the mobile wireless interface to the SINEMA RC connection.
IPsec (all) Access from the mobile wireless interface to the tunnel partners that can be
IPsec <Connection reached via all VPN connections (all) or via a certain VPN connection (<Con‐
Name> nection Name>).
OpenVPN (all)
OpenVPN <Connec‐
tion Name>
Service Access
Local access (vlan1) to the de‐ External access to the device
vice 1) M87x, M81x, MUM85x: ppp0/
usb0
S615: vlan2
Cloud Connector - -
DHCP ✓ ✓ (only with S615)
DNS ✓ --
HTTP ✓ --
HTTPS ✓ --
IPsec VPN -- ✓
Ping ✓ --
SMS relay (only with M87x / ✓ --
MUM856)
TCP event -- --
SNMP ✓ --
SSH ✓ --
System Time -- --
Telnet ✓ --
Service Access
Local access (vlan1) to the de‐ External access to the device
vice 1) M87x, M81x, MUM85x: ppp0/
usb0
S615: vlan2
VRRP -- --
VXLAN (only with MUM85x) -- --
1)
With SCALANCE M826 and M804PB, only vlan1 is available in the delivery state.
4.6.4 NAT
NAT (Network Address Translation) is a method of translating IP addresses in data packets. With
this, two different networks (internal and external) can be connected together.
A distinction is made between source NAT in which the source IP address is translated and
destination NAT in which the destination IP address is translated.
You will find information on NAT scenarios that are implemented with the device at the
following address: (https://support.industry.siemens.com/cs/gb/en/view/109744660)
IP masquerading
IP masquerading is a simplified source NAT. With each outgoing data packet sent via this
interface, the source IP address is replaced by the IP address of the interface. The adapted data
packet is sent to the destination IP address. For the destination host it appears as if the queries
always came from the same sender. The internal nodes cannot be reached directly from the
external network. By using NAPT, the services of the internal nodes can be made reachable via
the external IP address of the device.
IP masquerading can be used if the internal IP addresses cannot or should not be forwarded
externally, for example because the internal network structure should remain hidden.
You configure masquerading in "Layer 3" > "NAT" > "IP Masquerading (Page 358)".
NAPT
NAPT (Network Address and Port Translation) is a form of destination NAT and is often called port
forwarding. This allows the services of the internal nodes to be reached from external that are
hidden by IP masquerading or source NAT.
Incoming data packets are translated that come from the external network and are intended
for an external IP address of the device (destination IP address). The destination IP address
is replaced by the IP address of the internal node. In addition to address translation, port
translation is also possible.
from to Response
a single port the same port If the ports are the same, the frames will be forwarded without port
translation.
a single port a single port The frames are translated to the port.
a port range a single port The frames from the port range are translated to the same port (n:1).
a port range the same port If the port ranges are the same, the frames will be forwarded without
range port translation.
Port forwarding can be used to allow external nodes access to certain services of the internal
network e.g. FTP, HTTP.
You configure NAPT in "Layer 3" > "NAT" > "NAPT (Page 358)".
Source NAT
As with masquerading, in source NAT the source address is translated. In addition to this, the
outgoing data packets can be restricted. These include limitation to certain IP addresses or IP
address ranges and limitation to certain interfaces.
Source NAT can be used if the internal IP addresses cannot or should not be forwarded
externally, for example because a private address range such as 192.168.x.x is used.
You configure source NAT in "Layer 3" > "NAT" > "Source NAT (Page 360)".
NETMAP
With NETMAP it is possible to translate complex subnets to a different subnet. In this translation,
the subnet part of the IP address is changed and the host part remains. For translation with
NETMAP only one rule is required. NETMAP can translate both the source IP address and the
destination IP address. To perform the translation with destination NAT and source NAT,
numerous rules would be necessary. NETMAP can also be applied to VPN connections.
You configure NETMAP in "Layer 3" > "NAT" > "NETMAP (Page 362)".
NAT rule
Type Source In‐ Destina‐ Source IP Sub‐ Source IP translated Destination IP Translated destina‐
terface tion Inter‐ net subnet Subnet tion IP
face
① Source vlan1 vlan2 192.168.1.0/24 10.100.1.0/24 10.10.10.0/24 -
(internal) (external)
The rule applies to packets sent from vlan1 (internal) to vlan2 (external). With the packets that arrive at vlan1 there is a
check to establish whether the rule applies.
If the source IP address in the subnet of the sender (Source IP subnet) and the destination IP address in the subnet of the
recipient (Source IP subnet), the source IP address is replaced by the suitable IP address from the "Translated source IP
subnet". The subnet part of the source IP address is changed and the host part remains unchanged.
A packet, for example with the source IP address 192.168.1.102 is changed to 10.100.1.102. For the devices connected
to vlan2 it appears as if the packets were sent from the IP subnet 10.100.1.0/24. This allows for example overlaps of IP
subnets to be resolved. The rule is only specified for the send direction. The retranslation is performed implicitly. If the rule
does not apply, the packets are forwarded without translation.
② Desti‐ vlan2 vlan1 10.10.10.0/24 - 10.100.1.0/24 192.168.1.0/24
nation (external) (internal)
The rule applies to packets sent from vlan2 (external) to vlan1 (internal). With the packets that arrive at vlan2 there is a
check to establish whether the rule applies.
If the source IP address in the subnet of the sender (Source IP subnet) and the destination IP address in the subnet of the
recipient (Source IP subnet), the source IP address is replaced by the suitable IP address from the "Translated destination
IP subnet".
A packet, for example with the source IP address 10.10.10.102 is changed to 192.168.1.102. The devices connected to
vlan1 can communicate with the devices connected to vlan2. This assumes that the corresponding firewall rule is set.
The devices connected to vlan2 must address the devices connected to vlan1 with the virtual IP address from the subnet
10.100.1.0.
Example 2:
4.6.6 Certificates
Certificate types
The device uses different certificates to authenticate the various nodes.
File types
4.6.7 VPN
• The Security Association (SA) contains the specifications negotiated between the partners,
e.g. about the lifetime of the key, the encryption algorithm, the period for new
authentication etc.
• Internet Key Exchange (IKE) is a key exchange method. The key exchange takes place in two
phases:
– Phase 1
In this phase, no security services such as encryption, authentication and integrity checks
are available yet since the required keys and the IPsec SA still need to be created. Phase 1
serves to establish a secure VPN tunnel for phase 2. To achieve this, the communications
partners negotiate an ISAKMP Security Association (ISAKMP SA) that defines the required
security services (algorithms, authentication methods used). The subsequent messages
and phase 2 are therefore secure.
– Phase 2
Phase 2 serves to negotiate the required IPsec SA. Similar to phase 1, exchanging offers
achieves agreement about the authentication methods, the algorithms and the
encryption method to protect the IP packets with IPsec AH and IPsec ESP.
The exchange of messages is protected by the ISAKMP SA negotiated in phase 1. Due to
the ISAKMP SA negotiated in phase 1, the identity of the nodes is known and the method
for the integrity check already exists.
Authentication method
• CA certificate, device and partner certificate (digital signatures)
The use of certificates is an asymmetrical cryptographic system in which every node (device)
has a pair of keys. Each node has a secret, private key and a public key of the partner. The
private key allows the device to authenticate itself and to generate digital signatures.
• Pre-shared key
The use of a pre-shared key is a symmetrical cryptographic system. Each node has only one
secret key for decryption and encryption of data packets. The authentication is via a common
password.
Encryption methods
The following encryption methods are supported. The selection depends on the phase und the
key exchange method (IKE)
Phase 1 Phase 2
IKEv1 IKEv2 IKEv1 IKEv2
3DES x x x x
AES128 CBC x x x x
AES192 CBC x x x x
AES256 CBC x x x x
Phase 1 Phase 2
IKEv1 IKEv2 IKEv1 IKEv2
AES128 CTR - x x x
AES192 CTR - x x x
AES256 CTR - x x x
AES128 CCM 16 - x x x
AES192 CCM 16 - x x x
AES256 CCM 16 - x x x
AES128 GCM 16 - x x x
AES192 GCM 16 - x x x
AES256 GCM 16 - x x x
x: is supported
-: is not supported
Default Ciphers
During connection establishment a preset list can be transferred to the VPN connection
partners. The list contains combinations of the three algorithms (Encryption, Authentication,
Key Derivation). To establish a VPN connection, the VPN connection partner must support at
least one of these combinations. The combinations depend on the phase und the key exchange
method IKE).
4.6.7.2 OpenVPN
With OpenVPN, virtual private networks (VPN) can be established. As an OpenVPN client, the
device can establish a VPN connection to a remote network.
You configure the OpenVPN client in "Security" > " OpenVPN Client (Page 422)".
The VPN connection is established via virtual device drivers, the TAP and TUN device. During
this, virtual network interfaces are created that act like a physical interface of the device and
represent the endpoint of the VPN tunnel.
The device supports the following:
• TUN device: Routing mode
The LAN Interface and the virtual network interface are located in different IP subnets. The
virtual tunnel interface is assigned a virtual IP address from a devised subnet by the OpenVPN
server. The IP packets (layer 3) are routed between the virtual tunnel interface and the LAN
interface.
Authentication
The following options are available for authenticating the OpenVPN client at the OpenVPN
server:
• Certificates: CA certificate and device certificate
The use of certificates is an asymmetrical cryptographic system. Each node (device) has a
secret, private key and a public key of the partner. The private key allows the device to
authenticate itself and to generate digital signatures.
• User name / password
Access is restricted by a user name and a password.
• Certificates and user name / password
If both authentication methods are successful, the VPN connection is established.
Encryption methods
The device also supports the following methods:
• BF CBC
• AES128 CBC
• AES192 CBC
• AES256 CBC
• DES EDE3
9
',
9
',
Requirement
• In "System > Events > Configuration (Page 206)" for the "Digital Input" event "VPN Tunnel" is
activated.
If this setting is not activated, the event is not passed on to the VPN connection.
Options
The device supports the following options for controlling the VPN tunnel via the digital input:
• Start on DI
If the event "Digital Input" occurs, the device becomes "active". The device tries to establish
a VPN connection to a remote station (OpenVPN, IPsec, SINEMA RC). SCALANCE M804PB
starts the integrated TIA Portal Cloud Connector.
• Wait on DI
If the event "Digital Input" occurs, the device becomes "passive". The device waits until the
connection establishment is initiated by the remote station (OpenVPN, IPsec).
• Digital Input & Wake-up SMS (only with M87x / MUM856)
If the event "Digital In" occurs or the device receives a wake-up SMS message, the device
becomes "active". The device attempts to establish a VPN connection to the SINEMA RC
server.
The device supports the following options for controlling the VPN tunnel via an SMS message:
• start on SMS
When the device receives a command SMS message, the device becomes "active". The
command SMS message contains the name of the VPN connection (OpenVPN, IPsec). The
device attempts to establish a connection to the partner specified in the VPN connection.
Format of the SMS message:
Establishment of the VPN connection:
– OpenVPN: SYS OVPN UP <name of the OpenVPN connection>, see Command SMS
message (Page 437).
If you enter a "*" for <name of the OpenVPN connection>, the OpenVPN connections are
established that are set in "Operation" "start on SMS".
– IPsec VPN: SYS IPSEC UP<name of the IPsec VPN connection>, see Command SMS
message (Page 437).
If you enter a "*" for <name of the IPsec VPN connection>, the IPsec VPN connections are
established that are set in "Operation" "start on SMS".
Termination of the VPN connection:
– OpenVPN: SYS OVPN DOWN <name of the OpenVPN connection>, see Command SMS
message (Page 437).
If you enter a "*" for <name of the OpenVPN connection>, the OpenVPN connections are
terminated that are set in "Operation" "start on SMS".
– IPsec VPN: SYS IPSEC DOWN<name of the IPsec VPN connection>, see Command SMS
message (Page 437).
If you enter a "*" for <name of the IPsec VPN connection>, the IPsec VPN connections are
terminated that are set in "Operation" "start on SMS".
• wait on SMS
When the device receives a command SMS message, the device is "passive". The command
SMS message contains the name of the IPsec VPN connection. The device waits for the
partner specified in the VPN connection to initiate the connection.
Format of the SMS message:
If you enter a "*" for <name of the IPsec VPN connection>, the IPsec VPN connections are
established that are set in "Operation" "start on SMS".
– IPsec VPN: SYS IPSEC UP<name of the IPsec VPN connection>, see Command SMS
message (Page 437).
If you enter a "*" for <name of the IPsec VPN connection>, the IPsec VPN connections are
established that are set in "Operation" "start on SMS".
– IPsec VPN: SYS IPSEC DOWN<name of the IPsec VPN connection>, see Command SMS
message (Page 437).
If you enter a "*" for <name of the IPsecVPN connection>, the IPsec VPN connections are
terminated that are set in "Operation" "wait on SMS".
Notification options
If the status of the digital input or a VPN tunnel (IPsec, OpenVPN, SINEMA RC) changes, the
device provides several options for notification on the "Events (Page 206)" page.
9
'2
'2 9
Note
You can control the digital output directly via CLI or SNMP. In WBM and CLI, you can
configure the use of the digital output in "Events". Do not control the digital output
directly when you use this in the WBM and CLI.
SMS (only with x x The device sends an SMS message with a standard text.
M87x, Requirement:
MUM85x)
• In "System > SMS > Event SMS " the function is activated and the telephone num‐
ber of a recipient is configured.
x - The device sends an SMS message with a user-defined text. You configure text in
"System > SMS > Event SMS".
Requirement:
• In "System > SMS > Event SMS " the function is activated, the telephone number
of a recipient and the text are configured.
• In "System > Events > Configuration", "SMS" is activated for the "Digital Input"
event.
Read the status x - Using the private MIB variable snMspsDigitalInputLevel, you can read out the status of
of the MIB varia‐ the digital input.
ble • OID of the private MIB variable snMspsDigitalInputLevel:
iso(1).org(3).dod(6).internet(1).private(4).enterprises(1)
.siemens(4329).industrialComProducts(20).iComPlatforms(1).
simaticNet(1).snMsps(1).snMspsCommon(1).snMspsDigitalIO(39
).snMspsDigitalIOObjects(1).snMspsDigitalInputTable(2).snM
spsDigitalInputEntry(1).snMspsDigitalInputLevel(6)
• values of the MIB variable
– 1: Signal 0 at the digital input (DI)
– 2: Signal 1 at the digital input (DI)
4.7 Redundancy
4.7.1.1 RSTP
By directly linking the devices, a status change (reconfiguration of the ports) can be made
without any delays.
• Alternate port (substitute for the root port)
A substitute for the root port is configured. If the connection to the root bridge is lost, the
device can establish a connection over the alternate port without any delay due to
reconfiguration.
• Reaction to events
Rapid spanning tree reacts to events, for example an aborted connection, without delay.
There is no waiting for timers as in spanning tree.
• Counter for the maximum bridge hops
The number of bridge hops a package is allowed to make before it automatically becomes
invalid.
In principle, therefore with rapid spanning tree, alternatives for many parameters are
preconfigured and certain properties of the network structure taken into account to reduce
the reconfiguration time.
4.7.2 VRRPv3
Several VRRP routers in a network segment are put together as a logical group representing
a virtual router (VR). The group is defined using the virtual ID (VRID). Within the group, the
VRID must be the same. The VRID can no longer be used for other groups.
A virtual IP address and a virtual MAC address are assigned to the virtual router. One of the
VRRP routers within the group is specified as the master router. The master router has priority
255. The other VRRP routers are backup routers. The master router assigns the virtual IP
address and the virtual MAC address to its network interface. The master router sends VRRP
packets (advertisements) to the backup routers at specific intervals. With the VRRP packets,
the master router signals that it is still functioning. The master router also replies to the ARP
queries.
If the virtual master router fails, a backup router takes over the role of the master router.
The backup router with the highest priority becomes the master router. If the priority of the
backup routers is the same, the higher MAC address decides. The backup router becomes the
new virtual master router.
The new virtual master router adopts the virtual MAC and IP address. This means that no
routing tables or ARP tables need to be updated. The consequences of a device failure are
therefore minimized.
You configure VRRP in "Layer 3 > VRRPv3 (Page 365)".
How it works
The device has an integrated HTTP server for Web Based Management (WBM). If a device is
addressed with a Web browser, it returns HTML pages to the Admin PC depending on the user
input.
The user enters the configuration data in the HTML pages sent by the device. The device
evaluates this information and generates reply pages dynamically.
Access via HTTPS is enabled in the factory setting. With access via HTTP, the address is
automatically redirected to HTTPS.
If you wish to access the WBM via an HTTP connection, you need to select "HTTP & HTTPS" for
"HTTP Services" in "System > Configuration".
Requirements
WBM display
• The device has an IP address.
• There is a connection between the device and the Admin PC.
With the Windows ping command, you can check whether or not a connection exists.
If the device has the factory settings, refer to "Requirements for operation".
• Access via HTTPS is enabled.
• JavaScript is activated in the Web browser.
• The Web browser must not be set so that it reloads the page from the server each time the
page is accessed. The updating of the dynamic content of the page is ensured by other
mechanisms.
In Internet Explorer, you can make the appropriate setting in the "Tools > Internet options >
General" menu in the section "Browsing history" with the "Settings" button. Under "Check for
newer versions of stored pages", select the option "Automatically".
• If a firewall is used, the relevant ports must be opened.
– For access using HTTPS: TCP port 443
• The display of the WBM was tested with the following desktop Web browsers:
– Mozilla Firefox 91 ESR
– Google Chrome 93
– Microsoft Edge Chromium 93
Changing language
1. From the drop-down list at the top right, select the language version of the WBM pages.
2. Click the "Go" button to change to the selected language.
Note
Available languages
English and German are available as languages.
2. Load the text file into the device using "System > Load&Save". To do so, use the "Upload"
button in the table row "LoginWelcomeMessage" regardless of the protocol used.
3. Log out. The configured text is shown below the login data on the login page.
Logging in to WBM
You have the following options for logging in via HTTPS. You either use the login option in the
center of the browser window or the login option in the upper left area of the browser window.
The following steps apply, whichever of the above options you choose.
1. "Name" input box:
– When you log in for the first time or following a "Restore Factory Defaults and Restart",
enter the user preset in the factory "admin".
With this user account, you can change the settings of the device (read and write access
to the configuration data).
– Enter the user name of the created user account. You configure local user accounts and
roles in "Security > Users".
2. "Password" input box:
– When you log in for the first time or following a "Restore Factory Defaults and Restart",
enter the password of the default user preset in the factory "admin": "admin".
– Enter the password of the relevant user account.
After successful login, the WBM page "Information on dynamic firewall rules" opens.
The current ruleset and the remaining time are displayed. If needed, the user can extend the
access time via the "Reset Timeout" button.
Introduction
With the Basic Wizard, menus guide you through the configuration of the most important
parameters. On the Basic Wizard pages, you can only configure the parameters important for the
basic functionality. You make further settings when you have finished with the Basic Wizard.
The scope of the Basic Wizard pages depends on the device.
Requirement
• The device has an IP address and can be reached via the Ethernet interface.
• You are logged on in the WBM as a user with administrator rights.
• M87x: There is a mini SIM card in the device.
• MUM856: There is a micro SIM card in the device
• When shipped or following a "Restore Factory Defaults and Restart" the device can be reached
with the values preset in the factory. For more detailed information, refer to the section
"Requirements for operation (Page 38)".
Button Description
Goes to the next page
Goes back to the previous page
The Basic Wizard is closed without adopting the settings.
Saves the configuration and exits the Basic Wizard.
Navigation within the pages of the Basic Wizard is possible only with the "Previous" and
"Next" buttons.
5.3.2 IP
Introduction
One of the basic steps in configuration of a device is setting the IP address. The IP address
identifies a device in the network uniquely.
Description
The Basic Wizard page contains the following boxes:
• IP Address
Enter an IP address that is unique within your network.
• Subnet Mask
Enter the subnet mask of the device.
• DHCP (Only with M826)
Shows the DHCP client setting on vlan1.
When enabled, the device receives the IP address and subnet mask settings from a DHCP
server.
5.3.3 Device
Introduction
On this Basic Wizard page, you configure the general device information.
Description
The Basic Wizard page contains the following boxes
• System Name
You can enter the name of the device. If you configure this box, this configuration is adopted
and displayed in the selection area. A maximum of 255 characters are possible.
The system name is also displayed in the CLI input prompt. The number of characters in the
CLI input prompt is limited. The system name is truncated after 16 characters.
• System Location
You can enter the location where the device is installed. The location is displayed in the
selection area. A maximum of 255 characters are possible.
Note
Permitted characters
The following printable ASCII characters (0x20 to 0x7) are permitted in the input fields:
• 0123456789
• A...Z a...z
• !"#$%&'()*+,-./:;<=>?@ [\]_{|}~^`
• System Contact
You can enter a contact person responsible for managing the device. A maximum of 255
characters are possible.
5.3.4 DSL
0[
On this Basic Wizard page, you configure the DSL access and the parameters for the virtual
connection via which the packets will be transferred.
Description
The page contains the following:
• Enable DSL Interface.
Enable or disable the DSL interface.
• Enable PPPoE Passthrough
– Enabled
The device acts as a modem. The settings "User Account", "Password" and "Forced
Disconnect" cannot be edited. Only a connected device can use the DSL connection. This
device also handles the authentication (dial-in) with the provider.
– Disabled
The device acts as a router and logs in with the user name and password. All connected
devices can use the DSL connection.
• Account
Enter the user name. You will receive the user name from your DSL provider.
• Password
Enter the password. You will receive the password from your DSL provider.
• VCI (Virtual Channel Identifier)
Enter the ID for the virtual channel. You will receive setting from your DSL provider.
5.3.5 SHDSL
0
On this Basic Wizard page, you configure the role and the transfer profile for the interface.
Description
The page contains the following:
• Enable PME Aggregation Function
PME = Physical Medium Entities
When enabled, the SHDSL interfaces or the 2-wire cables are put together to form a single
connection with a higher transmission rate.
Note
If the "Enable PME Aggregation Function" is selected, each of the interfaces of a device must
have the same role.
5.3.6 SIM
0[ 080[
For access to the mobile wireless network and the mobile wireless services, the following
access parameters are necessary. You will receive the access parameters from your mobile
wireless provider.
Description
The Basic Wizard page contains the following:
• Enable Mobile Network Interface
Enable or disable the mobile wireless interface. The mobile wireless WLAN interfaces are
disabled when the device is supplied.
• PIN
Enter the PIN of the SIM card. You obtain the PIN from your mobile wireless provider.
The device also works with SIM cards without a PIN, in this case leave the box empty.
Note
If you make incorrect entries, the SIM card is blocked
Make sure that you enter the PIN correctly. If you enter the PIN incorrectly more than three
times, the SIM card will be blocked.
In "Information > Mobile", you can check the status of the SIM card. If "SIM Status" displays
"PUK required", the SIM card is blocked.
You can change the PIN or unlock the SIM card under "Interfaces > Mobile > SIM".
• PIN Confirmation
Repeat the PIN.
• Radio Mode
Select the required mobile wireless network. The following options are available:
– Auto (not with the M874-2)
All services. As first choice, the device attempts to establish a connection to the fastest
available mobile wireless system.
– GSM only
The EGPRS and GPRS services.
The device ignores the UMTS and LTE network and establishes a connection to the GSM
service that provides the highest bandwidth locally
– UMTS only (not with the M874-2)
The UMTS and HSPA service. The device ignores the EGPRS, GPRS and LTE services and
establishes a connection in the UMTS network.
– LTE only (available with M876-4 / MUM85x)
The LTE service. The device ignores the EGPRS and GPRS and UMTS services and
establishes a connection in the LTE network.
– 5 G NR + LTE (NSA) (only with MUM85x)
The services 5G New Radio (NR) and LTE non-standalone operation (NSA)
– Only 5 G NR SA (only with MUM85x)
The service 5G New Radio (NR) in standalone operation (SA)
– EVDO (only available with M876-3)
EVolution, Data-Optimized. Default for CDMA-based networks.
The following sub-standards are supported:
- EVDO Hybrid
- EVDO 1xRTT
- EVDO HDR - High Data Rate
– No data connection
There is no data connection. Suitable when the device is only used to send or receive SMS
messages.
• Authentication Method
Select the required authentication method.
– CHAP
Encrypted transfer of user name and password using the Challenge Handshake
Authentication Protocol (CHAP).
– PAP
Unencrypted transfer of user name and password using the Password Authentication
Protocol (PAP).
– Auto
User name and password are transferred automatically with one of the following two
methods. CHAP has the higher priority. If the communications partner does not support
CHAP, the user name and password are transferred using PAP.
• Allow Data Roaming
When enabled, the device automatically logs in to an available network if the specified
network is unreachable.
5.3.7 Operator
0[ 080[
The APN (Access Point Name) is the name of the access point from the mobile network to
the Internet or to a private company network. Depending on the type of network connected,
this is a public or private APN. Information about the APN is provided by the mobile network
provider.
Description
The page contains the following boxes:
• Country List
From this list, select the country in which the device will be deployed.
• Provider List
From this list select the appropriate mobile network provider. The list depends on the
selected country.
If the mobile network provider is not contained in the list of providers, select "-".
Note
"5G SA (Standalone) only" radio mode
For "5G SA only" radio mode, disable all providers that are not needed.
• PLMNID
Each mobile network provider has an identification number that is unique worldwide known
as the Public Land Mobile Network ID (PLMN ID). You will find the Net ID in the documentation
of your mobile network provider or on their Internet pages.
– If you know the PLMNID of the mobile network provider, enter this number.
– If you do not know the PLMNID, enter the data in the table under "Manual".
• APN
Enter the name of the APN. You will find the APN in the documentation of your mobile
network provider on your provider's Website or ask your mobile network provider's hotline.
• User name
Enter the user name. Some mobile network providers do not use access control with user
names and/or passwords. In this case, leave the box empty.
• Password
Enter the password. Some mobile network providers do not use access control with user
names and/or passwords. In this case, leave the box empty.
• Password Confirmation
Repeat the password.
The table contains the following columns:
• Select
Select the check box in the row to be deleted.
• PLMNID
– Identification number (Net ID)
Displays the PLMNID of the mobile phone provider.
– Manual (static APN)
If the PLMNID is not known, enter the APN of your mobile phone provider.
– Manual (dynamic APN)
Only available with M876-4
Requirement: Radio mode "LTE only"
If you do not configure any data, the APN is assigned dynamically.
• Operator Name
Enter the name of your mobile network provider.
• APN
Enter the name of the APN. You will find the APN in the documentation of your mobile
network provider on your provider's Website or ask your mobile network provider's hotline.
• User name
Enter the user name for the APN. Some mobile network providers do not use access control
with user names and/or passwords. In this case, leave the box empty.
• Password
Enter the password for the APN. Some mobile network providers do not use access control
with user names and/or passwords. In this case, leave the box empty.
• Password Confirmation
Repeat the password.
• Enabled
The entry is used
Time setting
On this Basic Wizard page, you set the date and time of the system.
Description
Manual time setting:
• Time Manually
Enable or disable manual setting of the time. If you enable the option, the "System Time"
input box can be edited.
• System Time
Enter the date and time in the format "MM/DD/YYYY HH:MM:SS".
After a restart, the time of day begins at 01/01/2000 00:00:00
• Use PC Time
Click the button to use the time setting of the PC.
5.3.9 DDNS
On this Basic Wizard page, you configure the dynamic DNS client (DDNS client). The DDNS client
synchronizes the assigned IP address with the hostname registered at the DDNS provider. This
means that the device can always be reached using the same hostname.
Description
The table has the following columns:
• Service
Shows which providers are supported.
• Enabled
When enabled, the device logs on to the DDNS server.
• Host
Enter the hostname that you have agreed with your DDNS provider for the device, e.g.
example.no-ip-com.
• Username
Enter the user name with which the device logs on to the DDNS server.
• Password
Enter the password assigned to the user.
• Confirm password
Confirm the password.
5.3.10 SINEMA RC
0
On this Basic Wizard page, you configure the access to the SINEMA RC server.
Note
This function can only be used with a KEY PLUG (Page 52).
Description
The page contains the following:
• Enable SINEMA RC
– Enabled:
A connection to the configured SINEMA RC Server is established. These boxes cannot be
edited.
– Disabled:
The boxes can be edited. Any existing connection is terminated.
"Server settings" area
• SINEMA RC Address
Enter the IPv4 address or the FQDN (Fully Qualified Domain Name) of the SINEMA RC Server.
• SINEMA RC Port
Enter the port via which the SINEMA RC Server can be reached.
"Server Verification" area
• Verification Type
– Fingerprint: The identity of the server is verified based on the fingerprint.
– CA certificate: The identity of the server is verified based on the CA certificate.
• Fingerprint
Only necessary with the setting "Fingerprint". Enter the fingerprint of the device. The
fingerprint is assigned during commissioning of the SINEMA RC Server. Based on the
fingerprint, the device checks whether the correct SINEMA RC Server is involved. You will
find further information on this in the Operating Instructions of the SINEMA RC Server.
• CA Certificate
Only necessary with the setting "CA Certificate". Select the CA certificate of the server used
to sign the server certificate. Only loaded CA certificates can be selected.
"Device Credentials" area
• Device ID
Enter the device ID. The device ID is assigned when configuring the device on the SINEMA RC
Server. You will find further information on this in the Operating Instructions of the SINEMA
RC Server.
• Device Password
Enter the password with which the device logs on to the SINEMA RC Server. The password is
assigned when configuring the device on the SINEMA RC Server. You will find further
information on this in the Operating Instructions of the SINEMA RC Server.
• Device Password Confirmation
Repeat the password.
Note
• Use the "TIA Portal Cloud Connector" integrated in the product over a VPN solution (e.g.
SINEMA RC).
• Configure the firewall settings of the SCALANCE M800/S615 (e.g. predefined IPv4 rules
"Cloud Connector") to prevent unauthorized access of network devices to the "TIA Portal
Cloud Connector Server".
Requirement
• For the incoming packets to be forwarded to the device, enable the predefined IPv4 rule
"Cloud Connector".
Description
The Basic Wizard page contains the following:
• Operation
– Enabled
Enables the integrated TIA Portal Cloud Connector.
– Disabled
Disables the integrated TIA Cloud Connector.
– Start on DI
Enabling is controlled via the digital input (DI) if the "Cloud Connector" is enabled for the
event "Digital input" under "System > Events > Configuration". If this setting is not
enabled, the event is not passed on to the TIA Portal Cloud Connector.
• Port
Communication with the TIA Portal Cloud Connector is established via this port.
• Protocol
This protocol is used to access the plant network.
– PROFINET via VLAN
You define the VLAN interface in the following table.
Only with M804PB
– PROFIBUS via MPI/DP
– PROFINET-PROFIBUS
The following table is only required for PROFINET:
• Interface
Only VLANs with a configured subnet are available.
• Active
When enabled, this VLAN is used for PROFINET.
5.3.12 Summary
Introduction
The settings are summarized on this page. The content of the page depends on the set
parameters and the device.
Check the settings before you exit the Basic Wizard with the "Set Values" button. If settings
are incorrect, go back using the "Prev" button and change the settings to the required ones.
Set Values
Click the "Set Values" button to exit the Basic Wizard. The settings are adopted.
• Favorites
When the product ships, the button is disabled on all pages .
If you click this button, the symbol changes and the currently open page or currently open
tab is marked as favorite. Once you have enabled the button once, the navigation area is
divided into two tabs. The first tab "Menu" contains all the available menus as previously. The
second tab "Favorites" contains all the pages/tabs that you selected as favorites. On the
"Favorites" tab the pages/tabs are arranged according to the structure in the "Menu" tab.
If you disable all the favorites you have created, the "Favorites" tab is removed again. To do
this, click the button on the relevant pages/tabs.
You can save, upload and delete the favorites configuration of a device on the "System >
Load&Save" page using HTTP or TFTP.
• Update on / Update off
WBM pages with overview lists can also have the additional "Update" button.
With this button, you can enable or disable updating of the content area. If updating is turned
on, the display is updated every 2 seconds. To disable the update, click "On". Instead of "On",
"Off" is displayed. As default, updating is always enabled on the WBM page.
• DDNS Status
If a dynamic DNS service is used, the host name of the device is displayed, e.g. example.no-
ip.com. The status of the update is also displayed.
– update successful
Update successful
– update failed
Update unsuccessful
– status unknown
Status unknown
• Fault Status Fault status of the device
Note
The changes take immediate effect. But it takes some time for the changes in the
configuration to be stored.
Logout
You can log out from any WBM page by clicking the "Logout" link.
Messages
If you have enabled the "Automatic Save" mode and you change a parameter the following
message appears in the display area "Changes will be saved automatically in x seconds. Click
'Write Startup Config' to save the changes immediately."
Note
Interrupting the save
Saving starts only after the timer in the message has elapsed. How long saving takes depends
on the device.
During the save, the message "Saving configuration data in progress. Please do not switch off the
device" is displayed.
• Do not switch off the device immediately after the timer has elapsed.
5.4.2 Versions
This WBM page shows the versions of the hardware and software of the device.
Description
Table 1 has the following columns:
• Hardware
– Basic Device
Shows the basic device
– CELL (only with M87x / MUM85x)
Shows the radio module being used.
– xDSL (only with M81x)
Shows the DSL module being used
• Name
Shows the name of the device.
• Revision
Shows the hardware version of the device.
• Order ID
Shows the article number of the device.
5.4.4.1 ARP-Tabelle
Logging events
The WBM page shows the system events that have occurred in the form of a table. Some of the
system events can be configured in "System > Events", for example if the connection status of a
port has changed.
The content of the table is retained even when the device is turned off. The event log file can
be loaded using HTTP, TFTP or SFTP.
Description
• Severity Filters
You can filter the entries in the table according to severity. To display all the entries, enable
or disable all parameters.
Note
A maximum of 800 entries in the table are possible for each severity. If the maximum number
of entries is reached for a severity, the oldest entries of this severity are overwritten in the
table. The table remains permanently in the memory.
– Critical
Critical
When this parameter is enabled, all entries of the category "Critical" are displayed.
– Warning
warning
When this parameter is enabled, all entries of the category "Warning" are displayed.
– Info
Informative
When this parameter is enabled, all entries of the category "Info" are displayed.
The table has the following columns:
• Restart
Counts the number of restarts since you last reset to factory settings and shows the device
restart after which the corresponding event occurred.
• System Up Time
Shows the time the device has been running since the last restart when the described event
occurred.
• System Time
Shows the date and time when the described event occurred. If no system time is set, the box
displays "Date/time not set".
• Severity
Sorts the entry into the categories above.
• Log Message
Displays a brief description of the event that has occurred.
Description
• Severity Filters
You can filter the entries in the table according to severity. To display all the entries, enable
or disable all parameters.
Note
A maximum of 800 entries in the table are possible for each severity. If the maximum number
of entries is reached for a severity, the oldest entries of this severity are overwritten in the
table. The table remains permanently in the memory.
– Critical
Critical
When this parameter is enabled, all entries of the category "Critical" are displayed.
– Warning
warning
When this parameter is enabled, all entries of the category "Warning" are displayed.
– Info
Informative
When this parameter is enabled, all entries of the category "Info" are displayed.
The table has the following columns:
• Restart
Counts the number of restarts since you last reset to factory settings and shows the device
restart after which the corresponding event occurred.
• System Up Time
Shows the time the device has been running since the last restart when the described event
occurred.
• System Time
Shows the date and time when the described event occurred. If no system time is set, the box
displays "Date/time not set".
• Severity
Sorts the entry into the categories above.
• Log Message
Displays a brief description of the event that has occurred.
Description
• Severity Filters
You can filter the entries in the table according to severity. To display all the entries, enable
or disable all parameters.
Note
A maximum of 800 entries in the table are possible for each severity. If the maximum number
of entries is reached for a severity, the oldest entries of this severity are overwritten in the
table. The table remains permanently in the memory.
– Critical
Critical
When this parameter is enabled, all entries of the category "Critical" are displayed.
– Warning
warning
When this parameter is enabled, all entries of the category "Warning" are displayed.
– Info
Informative
When this parameter is enabled, all entries of the category "Info" are displayed.
5.4.6 Faults
Error status
if an error occurs, it is shown on this page. On the device, errors are indicated by red fault LED
lighting up.
Internal errors of the device and errors that you configure on the following pages are
indicated:
• "System > Events"
• "System > Fault Monitoring"
The calculation of the time of an error always begins after the last system start. If there are
no errors present, the fault LED switches off.
Description
• No. of Signaled Faults
Indicates how often the fault LED lit up and not how many faults occurred.
The table contains the following columns:
• Fault Time
Shows the time the device has been running since the last system restart when the described
error/fault occurred.
• Fault Description
Displays a brief description of the fault/error that has occurred.
• Clear Fault State
Some faults can be acknowledged and thus removed from the fault list, e.g. a fault of the
event "Cold/Warm Start". If the "Clear Fault State" button is enabled, you can delete the error.
• Identification Method
Shows the method with which the DHCP client is identified.
– MAC address
Identification is based on the MAC address.
– DHCP Client ID
Identification is based on a freely defined DHCP client ID.
– System Name
Identification is based on the system name. If the system name is 255 characters long, the
last character is not used for identification.
– IAID and DUID
With this, the DHCP client can log on to DHCP servers that support parallel operation of
IPv4 and IPv6.
The identification is via the IAID and the DUID and identifies precisely one IP interface of
the device.
• Identification Value
Shows the value that is assigned to the identification method.
• Allocation Method
Shows whether the IPv4 address was assigned statically or dynamically. You configure the
static entries in "System > DHCP > Static Leases".
• Binding State
Shows the status of the assignment.
– Associated
The assignment is used.
– not used
The assignment is not used.
– probing
The assignment is being checked.
– unknown
The status of the assignment is unknown.
• Expire Time
Shows how long the assigned IPv4 address is still valid. When half the period of validity has
elapsed. the DHCP client can extend the period of the assigned IPv4 address. When the entire
time has elapsed, the DHCP client needs to request a new IPv4 address.
5.4.8 SNMP
This page displays the created SNMPv3 groups. You configure the SNMPv3 groups in "System >
SNMP".
Description
The table has the following columns:
• Group Name
Shows the group name.
• User Name
Shows the user that is assigned to the group.
5.4.9 LLDP
Description
The table contains the following columns:
• System Name
System name of the connected device.
• Device ID
Device ID of the connected device. The device ID corresponds to the device name assigned
via SINEC PNI (STEP 7). If no device name is assigned, the MAC address of the device is
displayed.
• Local Interface
Port at which the device received the information.
• Hold Time[s]
Hold time in seconds
An entry remains stored on the device for the time specified here. If the device does not
receive any new information from the connected device during this time, the entry is deleted.
• Capability
Shows the properties of the connected device:
– Router
– Bridge
– Telephone
– DOCSIS Cable Device
– WLAN Access Point
– Repeater
– Station
– Other
• Port ID
Port of the device with which the device is connected. If no port ID is assigned, the MAC
address of the connected device is shown.
Introduction
This page shows the routes currently being used.
Description
The table has the following columns:
• Destination Network
Shows the destination address of this route.
• Subnet Mask
Shows the subnet mask of this route.
• Gateway
Shows the gateway for this route.
• Interface
Shows the interface for this route.
• Metric
Shows the metric of the route. The higher value, the longer packets require to their
destination.
• Routing Protocol
Shows the routing protocol from which the entry in the routing table originates. The
following entries are possible:
– Connected: Connected routes
– Static: Static routes
– DHCP: Routes via DHCP
Introduction
This page shows the IPv6 routes currently being used.
Description
The table has the following columns:
• Destination Network
Shows the destination address of this route.
• Prefix Length
Shows the prefix length of this route.
• Gateway
Shows the gateway for this route.
• Interface
Shows the interface for this route.
• Metric
Shows the metric of the route. The higher value, the longer packets require to their
destination.
• Routing Protocol
Shows the routing protocol from which the entry in the routing table originates. The
following entries are possible:
– Connected: Connected routes
– Static: Static routes
– RIPng: Routes via RIPng
– OSPFv3: Routes via OSPFv3
– Other: Other routes
5.4.12 Mobile
5.4.12.1 Overview
0[ 080[
The WBM page shows an overview of the current operating status of the device.
• PIN Status
Shows the status of the PIN.
– PIN required
PIN still needs to be entered.
– No PIN required
PIN is not needed.
– PUK required
SIM card blocked. With the PUK, the SIM card can be unblocked again.
– wrong PIN
The PIN is wrong.
– PIN valid
The PIN is valid.
• IMSI
Shows the subscriber ID that is stored on the SIM card being used.
• Phone Number
Shows the phone number of the SIM card.
If the phone number does not exist or cannot be read out, "no number" is dispayed.
• Connection Status
Shows whether a wireless connection exists, and, if it does, which one:
– UMTS: IP connection via UMTS or HSPA
– GPRS: IP connection via EGPRS, GPRS or LTE
• Packet Switch Status
Shows the status of the packet switching.
• Cell ID
Shows the ID of the wireless cell in which the device is logged in.
• LAC (Location Area Code)
Shows the ID for the current location of the M87x within the mobile wireless network.
• Signal Strength
Shows the signal strength.
– Signal strength for SCALANCE M87x:
• APN
Shows the APN (= Access Point Name) of the wireless link that is being used.
• External IP Address
Shows the WAN IP address at which the device can be reached in the mobile wireless
network. The WAN IP address is assigned to the device by the service of the mobile wireless
provider.
• DNS Server(s)
Shows the DNS server or servers used by the device.
The signal recorder shows the signal strength to the wireless cell in which the device is
booked in.
• x axis
The x axis shows the course of the measurement in seconds.
• Measurement data
The measurement data shows the value of the signal strength to according to the color
scheme shown.
Displayed Samples
Select how many measured values will be shown in the graphic.
This WBM page displays the data volume consumed in the selected month. The device
calculates the data usage based on the counted data packets (upload and download) on the
WAN interface. The determined data volume can deviate from the invoice of your mobile
network provider due to block rounding.
The consumed data volume of 3 months is stored in the non-volatile FLASH memory of the
device. The values are stored at regular intervals or before the unit shuts down, but not in
the event of a power failure.
Requirement
• "Mobile data usage" is activated under "Interfaces > Mobile > General".
5.4.13 DSL
5.4.13.1 Overview
0[
An ADSL connection consists of two endpoints known as ADSL Transceiver Units (ATU). The
ADSL Transceiver Unit Remote (ATU-R) is this device and the ADSL Transceiver Unit Central
(ATU-C) is the device in the central office.
The WBM page shows the current operating status of the device and contains information on
the ATU-C.
0[
The WBM page contains an overview of the data transfer rates for the receive direction
(downstream) and the send direction (upstream).
5.4.13.3 Streams
0[
The WBM page shows parameters that influence the data transfer rate.
5.4.14 SHDSL
0
• Remote DN
Shows the Distinguished Name (DN) signaled by the remote device during connection
establishment.
• IRemote Subnet
Shows the remote subnet.
• Rekey Time
Shows when the validity of the key expires.
• Status
Shows the status of the VPN connection.
5.4.16 SINEMA RC
0
Note
This function can only be used with the PLUG SINEMA RC (Page 52).
• Fingerprint
Shows the fingerprint of the server certificate. Is only displayed when the fingerprint is used
for verification.
• Remote Address
Shows the IP address of the SINEMA RC Server.
• Connected Local Subnet(s)
Shows the IP addresses of the local subnets. Is only displayed when the option "Connected
local subnets" is enabled on the SINEMA RC Server. You will find further information on this
in the Operating Instructions of the SINEMA RC Server.
• Connected Local Host (s)
Shows the destination IP address of the hosts that can be reached.
• Tunnel Interface Address
Shows the IP address of the virtual tunnel interface.
• Connected Remote Subnet(s)
Shows the subnets of the SINEMA RC Server that are reachable for the device. Which subnets
are reachable for the device depends on the communications relations on the SINEMA RC
Server. You will find further information on this in the Operating Instructions of the SINEMA
RC Server.
• Routed Subnets
Shows the subnets of the OpenVPN server.
• Status
Shows the status of the OpenVPN connection.
5.4.18 Redundancy
5.4.18.1 Overview
MSTP-CIST configuration
The page consists of the following parts.
• The left-hand side of the page shows the configuration of the device.
• The right-hand part shows the configuration of the root bridge that can be derived from the
spanning tree frames received by a device.
Introduction
The page shows the current information about the spanning tree and the settings of the root
bridge.
• Status
Shows the current status of the interface. The values are only displayed. The parameter
depends on the configured protocol.
– Discarding
The port receives BPDU frames. Other incoming or outgoing frames are discarded.
– Listening
The port receives and sends BPDU frames. The port is involved in the spanning tree
algorithm. Other outgoing and incoming frames are discarded.
– Learning
The port actively learns the topology; in other words, the node addresses. Other outgoing
and incoming frames are discarded.
– Forwarding
Following the reconfiguration time, the port is active in the network. The port receives
and sends data frames.
• Oper. Version
Shows the compatibility mode of Spanning Tree used by the port.
• Priority
If the path calculated by the spanning tree is possible over several ports of a device, the port
with the highest priority (in other words the lowest value for this parameter) is selected. A
value between 0 and 240 can be entered for the priority in steps of 16. If you enter a value
that cannot be divided by 16, the value is automatically adapted. The default is 128.
• Path Cost
This parameter is used to calculate the path that will be selected. The path with the lowest
value is selected. If several ports of a device have the same value, the port with the lowest
port number is selected.
The calculation of the path costs is based largely on the transmission speed. The higher the
achievable transmission speed is, the lower the value of the path costs.
Typical values for path costs with rapid spanning tree:
– 10,000 Mbps = 2,000
– 1000 Mbps = 20,000
– 100 Mbps = 200,000
– 10 Mbps = 2,000,000
• Edge Type
Shows the type of the connection. The following values are possible:
– Edge Port
There is an end device at this port.
– No Edge Port
There is a spanning tree or rapid spanning tree device at this port.
• P.t.P. Type
Shows the type of point-to-point link. The following values are possible:
– P.t.P.
With half duplex, a point-to-point link is assumed.
–
Shared Media
With a full duplex connection, a point-to-point link is not assumed.
Introduction
This page shows the statistics of the VRRPv3 protocol and all configured virtual routers.
Description
The following fields are displayed:
• VRID Errors
Shows how many VRRPv3 packets containing an unsupported VRID were received.
• Version Errors
Shows how many VRRPv3 packets containing an invalid version number were received.
• Checksum Errors
Shows how many VRRPv3 packets containing an invalid checksum were received.
The table has the following columns:
• Interfaces
Interface to which the settings relate.
• VRID
Shows the ID of the virtual router. Valid values are 1 ... 255.
• Address Type
Shows the version of the IP protocol.
• Become Master
Shows how often this virtual router changed to the "Master" status.
• Advertisements Received
Shows how many VRRPv3 packets were received.
• Advertisement Interval Errors
Shows how many bad VRRPv3 packets were received whose interval does not match the
value set locally.
• IP TTL Errors
Shows how many bad VRRPv3 packets were received whose TTL (Time to live) value in the IP
header is incorrect.
• Prio 0 received
Shows how many VRRPv3 packets with priority 0 were received. VRRPv3 packets with priority
0 are sent when a master router is shut down. These packets allow a fast handover to the
relevant backup router.
• Prio 0 sent
Shows how many VRRPv3 packets with priority 0 were sent. Packets with priority 0 are sent
when a master router is shut down. These packets allow a fast handover to the relevant
backup router.
• Invalid Type
Shows how many bad VRRPv3 packets were received whose value in the "Type" field of the IP
header is invalid.
• Address List Errors
Shows how many bad VRRPv3 packets were received whose address list does not match the
locally configured list.
• Packet Length Errors
Shows how many bad VRRPv3 packets were received whose length is not correct.
5.4.20 Security
5.4.20.1 Overview
Note
The values displayed depend on the rights of the logged-in user.
This page shows the security settings and the local and external user accounts.
Description
Services
The "Services" list shows the security settings.
• Telnet Server
You configure the setting in "System > Configuration".
– Enabled: Unencrypted access to the CLI.
– Disabled: No unencrypted access to the CLI.
• SSH Server
You configure the setting in "System > Configuration".
– Enabled: Encrypted access to the CLI.
– Disabled: No encrypted access to the CLI.
• SSH fingerprint
The following SSH fingerprints are displayed:
– MD5
– SHA256
• Web Server
You configure the setting in "System > Configuration".
– HTTP/HTTPS: Access to the WBM is possible with HTTP and HTTPS.
– HTTPS: Access to the WBM is now only possible with HTTPS.
• SNMP
You can configure setting in "System > SNMP > General".
– "-" (SNMP disabled)
Access to device parameters via SNMP is not possible.
– SNMPv1/v2c/v3
Access to device parameters is possible with SNMP versions 1, 2c or 3.
– SNMPv3
Access to device parameters is possible only with SNMP version 3.
• Login Authentication
You configure the setting in "Security > AAA > General".
– Local
The authentication must be made locally on the device.
– RADIUS
The authentication must be handled via a RADIUS server.
– Local and RADIUS
The authentication is possible both with the users that exist on the device (user name and
password) and via a RADIUS server.
The user is first searched for in the local database. If the user does not exist there, a RADIUS
query is sent.
– RADIUS and fallback Local
The authentication must be handled via a RADIUS server.
A local authentication is performed only when the RADIUS server cannot be reached in
the network.
• Password Policy
Shows which password policy is currently being used.
The "Local User Accounts" and "External User Accounts" tables have the following columns:
• User Account
Shows the name of the local user.
• Role
Shows the role of the user. You can obtain more information on the function rights of the role
in "Information > Security > Roles".
Local and external user accounts
You configure local user accounts and roles in "Security > Users".
When you create a local user account an external user account is generated automatically.
Local user accounts involve users each with a password for logging in on the device.
In the table "External User Accounts" a user is linked to a role. In this example the user
"Observer" is linked to the "user" role. The user is defined on a RADIUS server. The roll is
defined locally on the device. When a RADIUS server authenticates a user, the corresponding
group however is unknown or does not exist, the device checks whether or not there is an
entry for the user in the table "External User Accounts". If an entry exists, the user is logged
in with the rights of the associated role. If the corresponding group is known on the device,
both tables are evaluated. The user is assigned the role with the higher rights.
Note
The table "External User Accounts" is only evaluated if you have set "SiemensVSA" in the RADIUS
Authorization Mode.
Note
The values displayed depend on the role of the logged-on user.
The page shows the function rights available locally on the device.
5.4.20.3 Roles
Note
The values displayed depend on the role of the logged-on user.
Description
The table contains the following columns:
• Role
Shows the name of the role.
• Function Right
Shows the function right of the role:
– 1
Users with this role can read device parameters but cannot change them.
– 15
Users with this role can both read and change device parameters.
– 0
This is a role that the device assigns internally when a user could not be authenticated.
The user is denied access to the device.
• Description
Shows a description of the role.
• Remote Access
Shows which remote access is currently being used.
5.4.20.4 Groups
Note
The values displayed depend on the role of the logged-on user.
This page shows which group is linked to which role. The group is defined on a RADIUS
server. The roll is defined locally on the device.
5.4.21 VXLAN
080[
This page shows the current content of the VXLAN NVE Peer table.
• VNI ID
Shows the VNI segment of which the remote VTEP is a member.
• Remote MAC Address
Shows the MAC address of the remote VTEP that the device learned or that was configured.
• MAC Type
Shows how the MAC address of the remote VTEP is obtained.
– Static:
The MAC and IP addresses were configured under "Layer 2 > VXLAN > Static MAC
Addresses". The static addresses are stored permanently; in other words, they are not
deleted when the aging time expires or when the device is restarted.
– Dynamic:
The VTEP of the device obtains the MAC address from the received frame.
• Arp Suppression
This function is not supported.
This page shows the system time settings for the device.
Description
The page contains the following boxes:
• Current System Time
Shows the set date and the time in the format "MM/DD/YYYY HH:MM:SS".
• Last Synchronization Time
Shows when the last time-of-day synchronization took place. If no time-of-day
synchronization was possible, the box displays "Date/time not set".
• Last Synchronization Mechanism
Shows how the last time-of-day synchronization was performed.
– Not set
The time was not set.
– Manual
Manual time setting
– NTP
Automatic time-of-day synchronization with NTP
– SNTP
Automatic time-of-day synchronization with SNTP
– SIMATIC Time Client
Automatic time-of-day synchronization using the SIMATIC time frame
– GPS
Shows whether the time is received via the GPS signal.
– Cellular
Shows whether the time is received via a mobile wireless network. Priority
• Time Zone
Shows the time zone you are using in the format "(+/- )HH:MM". The time zone relates to UTC
coordinated universal time.
• GPS Daylight Saving Time
Shows whether the daylight saving time changeover is active.
– active (offset +1 h)
The system time was changed to daylight saving time; in other words, an hour was added.
You can see the current system time at the top right in the selection area of the WBM.
The set time continues to be displayed in the "System Time" box.
– inactive (offset +0 h)
The current system time is not changed.
• Fallback Period[seconds]
Shows the wait time after which the replacement time service synchronizes the system time.
Range of values 1 ... 86400. Default value 3600.
5.5.1 Configuration
System configuration
The WBM page contains the configuration overview of the access options of the device.
Specify the services that access the device. With some services, there are further
configuration pages on which more detailed settings can be made.
The standard port can also be changed for your own services.
Note
Change standard port
Some programs can only access the service over the standard port, e.g. TIA Portal accesses
HTTPS over standard port 443. Before you change the port, check which port the program uses.
When you change the standard port, you must access the service over the changed port.
Firewall
The firewall is reinitialized after the ports are changed. This means that the changed ports are
applied in the firewall rules. Existing connections, for example, via the dynamic firewall, can be
used with restrictions during this time.
Description
The page contains the following boxes:
• Telnet Server
Enable or disable the "Telnet Server" service for unencrypted access to the CLI.
• Telnet Port
Specify the port for Telnet access to the CLI.
• SSH Server
Enable or disable the "SSH Server" service for encrypted access to the CLI.
• SSH Port
Specify the port for SSH access to the CLI.
• SSH key exchange algorithm level
Configure the level of SSH key exchange algorithm for SSH access to the CLI.
High (default)
– Curve25519-sha256
– [email protected]
– Ecdh-sha2-nistp256
– Ecdh-sha2-nistp384
– Ecdh-sha2-nistp521
– Diffie-hellman-group16-sha512
– Diffie-hellman-group18-sha512
Low
– Curve25519-sha256
– [email protected]
– Ecdh-sha2-nistp256
– Ecdh-sha2-nistp384
– Ecdh-sha2-nistp521
– Diffie-hellman-group16-sha512
– Diffie-hellman-group18-sha512
– Diffie-hellman-group14-sha256
– Diffie-hellman-group14-sha1
• HTTP Server
Enable or disable HTTP access to the WBM.
• HTTP Port
Specify the port for HTTP access to the WBM.
• HTTPS Server
Enable or disable HTTPS access to the WBM.
• HTTPS Port
Specify the port for HTTPS access to the WBM.
• HTTP Services
Specify how the WBM is accessed:
– HTTPS
Access to the WBM is only possible with HTTPS.
– HTTP/HTTPS
Access to the WBM is only possible with HTTP and HTTPS.
– Redirect HTTP to HTTPS
Access via HTTP is automatically diverted to HTTPS.
• Min. TLS version
Specify which minimum TLS version is used.
• Default Login Page
Specify the login page with which the WBM starts by default.
– Firewall
Logging into the WBM page for dynamic firewall.
– Configuration
Logging into the WBM.
• SMTP Client
Enable or disable the SMTP client. You can configure other settings in "System > SMTP Client".
• Syslog Client
Enable or disable the Syslog client. You can configure other settings in "System > Syslog
Client".
• DCP Server
Specify whether or not the device can be accessed with DCP (Discovery and Configuration
Protocol):
– "-" (disabled)
DCP is disabled. Device parameters can neither be read nor modified.
– Read/Write
With DCP, device parameters can be both read and modified.
– Read Only
With DCP, device parameters can be read but cannot be modified.
– Read/Setup
As long as the administrator's default password has not been changed, the device
parameters can be both read and changed via DCP. Once the default password has been
changed, the device parameters can no longer be changed via DCP.
• Time
Select the setting from the drop-down list. The following settings are possible:
– Manual
The system time is set manually. You can configure other settings in "System > System
Time > Manual Setting".
– SIMATIC Time
The system time is set using a SIMATIC time transmitter. You can configure other settings
in "System > System Time > SIMATIC Time Client".
– SNTP Client
The system time is set via an SNTP server. You can configure other settings in "System >
System Time > SNTP Client".
– NTP Client
The system time is set via an NTP server. You can configure other settings in "System >
System Time > NTP Client".
• SNMP
Select the protocol from the drop-down list. The following settings are possible:
– "-" (SNMP disabled)
Access to device parameters via SNMP is not possible.
– SNMPv1/v2c/v3
Access to device parameters is possible with SNMP versions 1, 2c or 3. You can configure
other settings in "System > SNMP > General".
– SNMPv3
Access to device parameters is possible only with SNMP version 3. You can configure other
settings in "System > SNMP > General".
• SNMPv1/v2 Read Only
Enable or disable write access to SNMP variables with SNMPv1/v2c.
• SNMPv1 Traps
Enable or disable the sending of SNMPv1 traps (alarm frames). You can configure other
settings in "System > SNMP > Traps".
• SINEMA Configuration Interface
If the SINEMA configuration interface is enabled, you can download configurations to the
device using STEP 7 Basic / Professional.
• DHCP Client
Enable or disable the DHCP client. You can configure other settings in "System > DHCP".
• DUID-Type
Specify which DUID type is used. The DUID types are defined in RFC 3315.
– DUID-LLT
DUID is based on the link layer address of the interface and a time stamp
– DUID-EN
DUID is assigned by the vendor (EN = enterprise number)
– DUID-LL
DUID is based on the link layer address of the interface
– Trial
Trial mode. In Trial mode, although changes are adopted, they are not saved in the
configuration file (startup configuration).
To save changes in the configuration file, use the "Write startup config" button. The display
area also shows the message "Trial Mode Active – Press the "Write Startup Config" button
to make your settings persistent" as soon as there are unsaved modifications. This
message can be seen on every WBM page until the changes made have either been saved
or the device has been restarted.
Procedure
1. To use the required function, select the corresponding check box.
2. Select the options you require from the drop-down lists.
3. Click the "Set Values" button.
5.5.2 General
5.5.2.1 Device
This WBM page contains the general device information.
Description
The WBM page contains the following boxes:
• Current System Time
Shows the current system time. The system time is either set by the user or by a time-of-day
frame: either SIMATIC time-of-day frame, NTP or SNTP.
• System Up Time
Shows the operating time of the device since the last restart.
• Device Type
Shows the type designation of the device.
• System Name
You can enter the name of the device. The entered name is displayed in the selection area.
A maximum of 255 characters are possible.
The system name is also displayed in the CLI input prompt. The number of characters in the
CLI input prompt is limited. The system name is truncated after 16 characters.
• System Contact
You can enter the name of a contact person responsible for managing the device. A
maximum of 255 characters are possible.
• System Location
You can enter the location where the device is installed. The entered installation location is
displayed in the selection area. A maximum of 255 characters are possible.
Note
Permitted characters
The following printable ASCII characters (0x20 to 0x7e) are permitted in the input
fields "System Name", "System Contact" and "Device Location":
• 0123456789
• A...Z a...z
• !"#$%&'()*+,-./:;<=>?@ [\]_{|}~^`
Procedure
1. Enter the contact person responsible for the device in the "System Contact" input box.
2. Enter the identifier for the location at which the device is installed in the "System Location"
input box.
3. Enter the name of the device in the "System Name" input box.
4. Click the "Set Values" button.
Note: Steps 1 to 3 can also be performed with the SNMP Management Tool.
5.5.2.2 Coordinates
You can enter the geographical coordinates in the format degrees, minutes, seconds
(DDD°MM'SS'') or in decimal degrees (DD.dddddd).
The format DDD°MM'SS'' has the following meaning:
The value for the geographical latitude +49° 1´31.67" means that the device is located at
49 degrees, 1 arc minute and 31.67 arc seconds northerly latitude.
The southerly latitude is shown by a preceding minus sign or the letter N (northerly latitude)
or S (southerly latitude), e.g. 49° 1´31.67" N.
The value for the geographical longitude +8° 20´58.73" means that the device is located at
8 degrees, 20 minutes and 58.73 seconds easterly longitude.
A western longitude is indicated by a preceding minus sign or the letter E (easterly longitude)
or W (westerly longitude), e.g. 8° 20´58.73" E.
The GPS coordinates are displayed in the format DD.dddddd. "DD" stands for the longitude
and "dddddd" stands for the decimal longitude.
Heights are shown in dddd m format. 33 m means that the device is located at a height of
33 m above sea level. Heights below sea level (for example the Dead Sea) are indicated by a
preceding minus sign.
Description
The page contains the following input boxes with a maximum length of 32 characters:
• Latitude
Here, enter the value for the northerly or southerly latitude of the location of the device.
• Longitude
Enter the value for easterly or westerly longitude for the location of the device.
• Height
Enter the value for the geographical height over or under zero (sea level) in meters.
080[ :
The device MUM85x has the GPS function through which the device determines its location.
The accuracy of the location determination is about 10 meters. The GPS position is updated
every 60 seconds.
Additional fields:
• Use GPS Location
Enables or disables automatic read-out of the device location.
If you enable the option, the input fields for latitude, longitude and height are not editable.
• GPS-Position
Shows the current GPS position in the decimal system in the order "Latitude, longitude,
height".
• Satellite
Shows the number of available satellites.
• Last Sync
Shows the status of the synchronization:
– Synced
Location determination was performed.
– Not Synced
Location determination was not performed.
– >= <time in minutes>
The time in minutes since the last attempt to determine the location.
Procedure
1. Enter the calculated latitude in the "Latitude" input box.
2. Enter the calculated longitude in the "Longitude" input box.
3. Enter the height above sea level in the "Height" input box.
4. Click the "Set Values" button.
5.5.3 Restart
5.5.3.1 Restart
Restart
Note the following points about restarting a device:
• You can only restart the device with administrator privileges.
• A device should only be restarted with the buttons of this menu or with the appropriate CLI
commands and not by a power cycle on the device.
• If the device is in "Trial" mode, configuration modifications must be saved manually before a
restart. Any modifications you have made only become active on the device after clicking the
"Set values" button on the relevant WBM page.
• If the device is in "Automatic Save" mode, the last changes are saved automatically before a
restart.
Description
To restart the device, the buttons on this page provide you with the following options:
• Restart
Click this button to restart the system. You must confirm the restart in a dialog box. During
a restart, the device is reinitialized, the internal firmware is reloaded, and the device runs a
self-test. The settings of the start configuration are retained, e.g. the IP address of the device.
The learned entries in the address table are deleted. You can leave the browser window open
while the device restarts. After the restart you will need to log in again.
• Restore Memory Defaults and Restart
Click this button to restore the factory configuration settings with the exception of the
protected presettings and to restart the device.
The protected presettings include the following parameters:
– IP addresses
– Subnet mask
– IP address of the default gateway
– DHCP client ID
– DHCP
– System name
– System location
– System contact
– User names and passwords
– Login text
– PROFINET Name of Station
• Restore Factory Defaults and Restart
Click this button to restore the factory defaults for the configuration. The protected defaults
are also reset. Created eSIM profiles are deleted on SCALANCE MUM85x.
An automatic restart takes place.
SCALANCE MUM85x: Do not switch off the device until it has finished restarting. If the
device is switched off while it is restarting, eSIM profiles may not be fully deleted. As a result,
no message is sent to the mobile network provider about the eSIM to be released. In this case,
you must order a new eSIM for your mobile plan.
Note
By resetting to the factory configuration settings, the device loses its configured IP address,
see section "Requirements for operation".
• M87x, MUM856, M81x, M804PB: The device can once again be reached at the IP address
192.168.1.1 that was set in the factory.
• M826: An IP address must be assigned to the device.
• Restart in
Specify the time after which the device restarts.
• Backup
The configuration backups under "System > Configuration Backup" can be selected. Before
the scheduled restart, the device applies the configurations of the selected backup and
continues working with them after the restart.
All configurations made up to this point that have not been saved in a backup are lost.
With the "-" setting, no file is selected and the device uses the current configuration after the
restart.
• Schedule restart
When you click this button, a timer starts and runs backwards with the defined time. When
the timer has expired, the device restarts.
The following message is also displayed in the display area: "The automatic restart starts in
[..] minutes. Click 'Cancel scheduled restart' to cancel the restart". This message can be seen
on every WBM page until you cancel the restart or the SCALANCE device is restarted.
Note
Unsaved configuration is lost after reboot
The scheduled restart is performed after the time has elapsed without any further message.
Unsaved configuration changes are lost.
Save the current configuration via "System > Backup of configuration" before setting the
timer for the restart.
080[
To reduce the power consumption of the device, you can use the "Sleep Mode" energy saving
mode. This mode puts the device to sleep and changes to the previous state after the
configured time has elapsed. When sleep mode is activated, all processes are aborted, even a
firmware update for example.
On this page, you specify after the time after which the device in sleep mode wakes up again.
Description
• Sleep Duration [min.]
Specify how long the device should remain in power saving mode.
Value range 1 ... 44639. Default value 0: power saving mode off
• Activate Sleep Mode
Use this button to activate the sleep timer.
Procedure
1. Enter a value of 1 ... 44639 minutes in the "Sleep Duration [min.]" text box.
2. Click on the "Activate Sleep Mode" button.
Result
The device applies the setting for the duration and immediately switches to sleep mode.
Once the time has elapsed, the device returns to the active state. The digital output is
deactivated after the restart.
5.5.4 Load&Save
5.5.4.2 HTTP
Configuration files
Note
Configuration files and Trial mode/Automatic Save
In "Automatic Save" mode, the data is saved automatically before the configuration files
(ConfigPack and Config) are transferred.
In "Trial" mode, although the changes are adopted, they are not saved in the configuration files
(ConfigPack and Config). Use the "Write Startup Config" button on the "System > Configuration"
WBM page to save changes in the configuration files.
Note
The downloadable CLI script is not intended to be uploaded again unchanged.
CLI commands for saving and loading files cannot be executed with the CLI script file (Script).
Description
For a clearer overview, the tables are divided into different areas. Each table has the following
columns:
• Type
Shows the file type.
• Description
Shows the short description of the file type.
• Load
With this button, you can load files onto the device. The button can be enabled, if this
function is supported by the file type.
• Save
With this button, you can save files from the device. The button can only be enabled if this
function is supported by the file type and the file exists on the device.
• Delete
With this button, you can delete files from the device. The button can only be enabled if this
function is supported by the file type and the file exists on the device.
Note
Following a firmware update, delete the cache of the Web browser.
Procedure
Uploading data using HTTP
1. Start the upload function by clicking one of the "Load" buttons.
Note
Files whose access is password protected
To save and load these files on the device successfully, you need to enter the password
specified for the file in "System > Load&Save > Passwords".
A dialog for uploading a file opens.
2. Go to the file you want to load and click "Open" in the dialog window.
The file is uploaded.
3. If a restart is necessary, a message to this effect will be output. Click the "OK" button and run
the restart. If you click the "Abort" button, there is no device restart. The changes only take
effect after a restart.
Whether or not a restart is necessary depends on the loaded file. Some files are executed
immediately, for example the CLI script file, and new settings are applied without a restart.
Note
Cell firmware update M87x
After a cell firmware update, the device automatically restarts
Note
Configuration data has a checksum. If you edit the files, you can no longer upload them to the
device.
Password-protected config file
If the file is password-protected, you cannot load the file via DHCP with options 66 and 67.
5.5.4.3 TFTP
Note
Configuration files and Trial mode/Automatic Save
In "Automatic Save" mode, the data is saved automatically before the configuration files
(ConfigPack and Config) are transferred.
In "Trial" mode, although the changes are adopted, they are not saved in the configuration files
(ConfigPack and Config). Use the "Write Startup Config" button on the "System > Configuration"
WBM page to save changes in the configuration files.
You can download existing CLI configurations (RunningCLI) and upload your own CLI scripts
(Script).
Note
The downloadable CLI script is not intended to be uploaded again unchanged.
CLI commands for saving and loading files cannot be executed with the CLI script file (Script).
Description
The page contains the following boxes:
• TFTP Server Address
Enter the IP address or the FQDN (Fully Qualified Domain Name) of the TFTP server with
which you exchange data.
• TFTP Server Port
Enter the port of the TFTP server via which data exchange will be handled. If necessary, you
can change the default value 69 to your own requirements.
For a clearer overview, the tables are divided into different areas. Each table has the
following columns:
• Type
Shows the file type.
• Description
Shows the short description of the file type.
• Filename
A file name is preset here for every file type.
Note
Changing the file name
You can change the file name preset in this column. After loading on the device, the changed
file name can also be used with the Command Line Interface.
• Actions
Select the action from the drop-down list. The selection depends on the selected file type, for
example, you can only save a log file.
The following actions are possible:
– Save file
With this selection, you save a file on the TFTP server.
– Load file
With this selection, you load a file from the TFTP server.
Procedure
Loading or saving data using TFTP
1. Enter the address of the TFTP server in "TFTP server address".
2. Enter the port of the TFTP server to be used in "TFTP Server Port".
3. If applicable, enter the name of a file in which you want to save the data or take the data from
in "Filename".
Note
Files whose access is password protected
To save and load these files on the device successfully, you need to enter the password
specified for the file in "System > Load&Save > Passwords".
4. Select the action you want to execute from the "Actions" drop-down list.
Note
Configuration data has a checksum. If you edit the files, you can no longer upload them to the
device.
Password-protected config file
If the file is password-protected, you cannot load the file via DHCP with options 66 and 67.
5.5.4.4 SFTP
Configuration files
Note
Configuration files and Trial mode/Automatic Save
In "Automatic Save" mode, the data is saved automatically before the configuration files
(ConfigPack and Config) are transferred.
In "Trial" mode, although the changes are adopted, they are not saved in the configuration files
(ConfigPack and Config). Use the "Write Startup Config" button on the "System > Configuration"
WBM page to save changes in the configuration files.
Note
The downloadable CLI script is not intended to be uploaded again unchanged.
CLI commands for saving and loading files cannot be executed with the CLI script file (Script).
Description
The page contains the following boxes:
• SFTP Server Address
Enter the IP address or the FQDN of the SFTP server with which you exchange data.
• SFTP Server Port
Enter the port of the SFTP server via which data exchange will be handled. If necessary, you
can change the default value 22 to your own requirements.
• SFTP User
Enter the user for access to the SFTP server. This assumes that a user with the corresponding
rights has been created on the SFTP server.
• SFTP Password
Enter the password for the user
• SFTP Password Confirmation
Confirm the password.
For a clearer overview, the tables are divided into different areas. Each table has the
following columns:
• Type
Shows the file type.
• Description
Shows the short description of the file type.
• Filename
A file name is preset here for every file type.
Note
Changing the file name
You can change the file name preset in this column. After loading on the device, the changed
file name can also be used with the Command Line Interface.
• Actions
Select the action from the drop-down list. The selection depends on the selected file type, for
example, you can only save a log file.
The following actions are possible:
– Save file
With this selection, you save a file on the SFTP server.
– Load file
With this selection, you load a file from the SFTP server.
Procedure
Loading or saving data using SFTP
1. Enter the address of the SFTP server in "SFTP Server Address".
2. Enter the port of the SFTP server to be used in "SFTP Server Port".
3. Enter the user data (user name and password) required for access to the SFTP server.
4. If applicable, enter the name of a file in which you want to save the data or take the data from
in "Filename".
Note
Files whose access is password protected
To save these files or load them into the device successfully, you need to enter the password
specified for the file in "System > Load&Save > Passwords".
5. Select the action you want to execute from the "Actions" drop-down list.
6. Click "Set Values" to start the selected action.
7. If a restart is necessary, a message to this effect will be output. Click the "OK" button to run
the restart. If you click the "Abort" button, there is no device restart. The changes only take
effect after a restart.
Note
Cell firmware update M87x
After a cell firmware update, the device automatically restarts
Note
Configuration data has a checksum. If you edit the files, you can no longer upload them to the
device.
Password-protected config file
If the file is password-protected, you cannot load the file via DHCP with options 66 and 67.
5.5.4.5 Passwords
There are files to which access is password-protected. For example, to be able to use the HTTPS
certificate, you need to specify the corresponding password on this WBM page.
Description
The table has the following columns:
• Type
Shows the file type.
• Description
Shows the short description of the file type.
• Setting
Can only be enabled if a password is configured.
When enabled, a check is made during loading to ensure that the password matches the
password set for the file.
• Password
Enter the password for the file.
• Password Confirmation
Confirm the new password.
• Status
– Valid
The "Enabled" check box is selected and the password matches the file.
– Invalid
The "Enabled" check box is selected but the password does not match the file, or no file has
been loaded yet.
– "-"
The password cannot be evaluated or is not yet being used. The "Enabled" check box is not
selected.
– Required
A password is required for loading or saving.
Procedure
1. Enter the password in "Password".
2. To confirm the password, enter the password again in "Password Confirmation".
3. Select the "Enabled" option.
4. Click the "Set Values" button.
5.5.5 Events
Description
• Log Table Alarm Threshold
Set the limit for the entries for each severity. A maximum of 2000 entries are possible for each
severity.
If the specified limit will be reached with the next entry, an alarm message is output, e.g. if
1950 is specified, the message that limit 1950 has been reached is output after entry 1949.
With Table 1, you can enable or disable all check boxes of a column of Table 2 at once.
Table 1 has the following columns:
• All Events
Shows that the settings are valid for all events of table 2.
• E-mail / Trap / Log Table / Syslog / Fault / SMS / Digital Out / VPN Tunnel / Cloud
Connector / Firewall
Enable or disable the desired type of notification for all events. If "No Change" is selected, the
entries of the corresponding column in table 2 remain unchanged.
• Copy To Table
If you click the button, the setting is adopted for all events of table 2.
• Firewall
Controls application of the user-defined rule set. The prerequisite is that a rule set is assigned
to the digital input under "Security > Firewall > Dynamic rules".
• Cloud Connector
Controls the forwarding of an event to the TIA Portal Cloud Connector communication. The
communication connection is active as long as the event is present.
Procedure
Establishing/terminating a VPN tunnel via the digital input
1. For the "Digital Input" event, enable the "VPN Tunnel" entry.
2. Configure the VPN connection
– IPsec:
In "Operation", set "wait on DI" or "start on DI". You will find more information on this
under "IPsec > Connections (Page 412)" and under "VPN connection establishment
(Page 88)".
– OpenVPN:
In "Operation" set "start on DI". You will find more information on this under "OpenVPN
> Connections (Page 423)" and under "VPN connection establishment (Page 88)".
– SINEMA RC:
In "Type of connection", set "Auto", "Digital In" or "Digital Input & Wake-up SMS" (only with
M87x/MUM85x). With the "Auto" type of connection, you need to set the type of
connection "Digital In" or "Wake-up SMS & digital input" (only with M87x/MUM85x) on the
SINEMA RC Server under "Remote connections > Devices". You will find more information
on this topic in the "SINEMA RC Server" operating instructions.
3. Click the "Set Values" button.
Description
The table has the following columns:
• Client Type
Select the client type for which you want to make settings:
– E-mail
Sending system event messages by e-mail.
– Log Table
Entry of system events in the log table.
– Syslog
Entry of system events in the Syslog file.
– SMS (only with M87x/MUM85x)
System event messages sent per SMS.
• Severity
Select the desired severity. The following settings are possible:
– Critical
System events with the severity Critical (Critical) are processed.
– Warning
System events with the severity Warning (Warnings) or higher are processed: This means
events of the categories "Warning" and "Critical".
– Info
System events with the severity Info (Information) or higher are processed: This means
events of the categories "Info", "Warning" and "Critical".
Procedure
Follow the steps below to configure the required level:
1. Select the required values from the drop-down lists of the second table column after the
client types.
2. Click the "Set Values" button.
5.5.6.1 General
Description
The page contains the following boxes:
• SMTP Client
Enable or disable the SMTP client.
• SMTP Server Address
Enter the IP address or the FQDN (Fully Qualified Domain Name) of the SMTP server.
The table contains the following columns:
• Select
Select the check box in a row to be deleted.
• Status
Specify whether this SMTP server will be used.
• SMTP Server Address
Shows the IP address or the FQDN (Fully Qualified Domain Name) of the SMTP server.
• Sender Email Address
Enter the e-mail address of the sender that is specified in the e-mail.
• User Name
If necessary, enter the user name used for authentication on the SMTP server.
• Password
If necessary, enter the password used for authentication on the SMTP server.
• Password Confirmation
Repeat the password.
• Port
Enter the port via which your SMTP server can be reached.
Factory settings:
– 25 (None)
– 465 (SSL/TLS and StartTLS)
• Security
Specify whether transfer of the e-mail from the device to the SMTP server is encrypted. This
is only possible when the SMTP server supports the selected setting.
Note
2-factor authentication (2FA)
2-factor authentication is not supported.
– SSL/TLS
– StartTLS
– None: The e-mail is transferred unencrypted.
• Test
Sends a test email to the configured receivers.
• Test Result
Shows whether the e-mail was sent successfully or not. If sending was not successful, the
message contains possible causes.
Procedure
Configuring the SMTP server
1. Enable the "SMTP Client" function.
2. Enter the IP address or the FQDN of the SMTP server for "SMTP Server Address".
3. Click the "Create" button. A new entry is generated in the table.
4. Enter the name of the sender that will be included in the e-mail for "Sender Email Address".
5. Enter the user name and password if the SMTP server prompts you to log in.
6. Under "Security", specify whether transfer to the SMTP server is encrypted.
5.5.6.2 Recipient
On this page, you specify who receives an e-mail when an event occurs.
Description
The page contains the following boxes:
• SMTP Server
Specify the SMTP server via which the e-mail is sent.
• Email address of the SMTP receiver
Enter the e-mail address to which the device sends an e-mail.
The table contains the following columns:
• Select
Select the check box in a row to be deleted.
• SMTP Server
Shows the IP address or the FQDN (Fully Qualified Domain Name) of the SMTP server to which
the entry relates.
• Send
When enabled, the device sends an email to this receiver.
• Email address of the SMTP receiver
Shows the e-mail address to which the device sends an e-mail if a fault occurs.
Procedure
Configuring an SMTP receiver
1. Select the required "SMTP server".
2. Enter the email address of the SMTP receiver.
3. Click the "Create" button. A new entry is generated in the table.
4. Activate the "Send" option for the entry.
5. Click the "Set Values" button.
5.5.7 SNMP
5.5.7.1 General
Configuration of SNMP
Note
SNMPv3 configuration during a firmware update
As of firmware version 6.4, the SNMP configuration has been distributed across multiple WBM
pages.
To delete the SNMPv3 configuration, follow these steps:
1. Delete all SNMPv3 views except for the predefined views SIMATICNETRD
and SIMATICNETWR.
2. Delete all SNMPv3 access.
3. Delete all entries in the "SNMPv3 User to Group mapping" table.
4. Delete all SNMPv3 users.
On this page, you make the basic settings for SNMP. Enable the check boxes according to the
function you want to use.
Description
The page contains the following boxes:
• SNMP
Select the SNMP protocol from the drop-down list. The following settings are possible:
– "-" (Disabled)
SNMP is disabled.
– SNMPv1/v2c/v3
SNMPv1/v2c/v3 is supported.
Note
Note that SNMP in versions 1 and 2c does not have any security mechanisms.
– SNMPv3
Only SNMPv3 is supported.
• SNMPv1/v2c Read-Only
If you enable this option, SNMPv1/v2c can only read the SNMP variables.
Note
Community String
For security reasons, do not use the standard values "public" or "private". Change the
community strings following the initial installation.
The recommended minimum length for community strings is 6 characters.
For security reasons, only limited access to objects of the SNMPCommunityMIB is possible
with the SNMPv1/v2c Read Community String. With the SNMPv1/v2c Read/Write Community
String, you have full access to the SNMPCommunityMIB.
• SNMP Engine ID
Shows the SNMP engine ID.
• SNMP Agent Listen Port
Specify the port at which the SNMP agent waits for the SNMP queries. Standard port 161 is
the default. You can optionally enter the standard port 162 or a port number in the range
1024 … 49151 or 49500 ... 65535.
Procedure
1. Select the required option from the "SNMP" drop-down list:
– "-" (disabled)
– SNMPv1/v2c/v3
– SNMPv3
2. Enable the "SNMPv1/v2c Read Only" check box if you only want read access to SNMP variables
with SNMPv1/v2c.
3. Enter the required character string in the "SNMPv1/v2c Read Community String" input box.
4. Enter the required character string in the "SNMPv1/v2c Read/Write Community String" input
box.
5. If necessary, enable the SNMPv3 User Migration.
6. Click the "Set Values" button.
Description
The page contains the following boxes:
• User Name
Enter a freely selectable user name. After you have entered the data, you can no longer
modify the name.
The table has the following columns:
• Select
Select the row you want to delete.
• User Name
Shows the created users.
• Authentication Protocol
Specify the authentication protocol for which a password will be stored.
The following settings are available:
– None
– MD5
– SHA
• Privacy Protocol
Specify the encryption protocol for which a password will be stored. This drop-down list is
only enabled when an authentication protocol has been selected.
The following settings are available:
– None
– DES
– AES
• Authentication Password
Enter the authentication password in the first input box. This password must have at least 1
character, the maximum length is 32 characters.
Note
Length of the password
As an important measure to maximize security, we recommend that the password has a
minimum length of 6 characters and that it contains special characters, uppercase/lowercase
letters, numbers.
• Privacy Password
Enter your encryption password. This password must have at least 1 character, the maximum
length is 32 characters.
Note
Length of the password
As an important measure to maximize security, we recommend that the password has a
minimum length of 6 characters and that it contains special characters, uppercase/lowercase
letters, numbers.
Procedure
Create a new user
1. Enter the name of the new user in the "User Name" input box.
2. Click the "Create" button. A new entry is generated in the table.
3. Select the authentication algorithm for "Authentication Protocol". In the relevant input
boxes, enter the authentication password and the confirmation.
4. Select the algorithm in "Privacy Protocol". In the relevant input boxes, enter the encryption
password and the confirmation.
5. Click the "Set Values" button.
Delete user
1. Enable "Select" in the row to be deleted.
Repeat this for all users you want to delete.
2. Click the "Delete" button. The entry is deleted.
Description
The page contains the following boxes:
• Group Name
Enter the group that will be assigned to the user.
• User Name
Select the user to be a member of the specified group. The drop-down list only contains users
that are not yet assigned to a group.
The table has the following columns:
• Select
Select the row you want to delete.
• Group Name
Displays the SNMPv3 group. A group name can only be changed later if no access rights have
been defined for the group yet.
• User Name
Shows the user that is a member of this group.
Note
Different access permissions for different security levels can be assigned to a group. If no access
permission is defined for a security level, no access to the device is possible for members of the
group using this security level.
Description
The page contains the following boxes:
• Group Name
Select the name of the group.
• Security Level
Select the security level (authentication, encryption) for which you want to define the access
permissions of the group:
– No Auth/no Priv
No authentication enabled/no encryption enabled.
– Auth/no Priv
Authentication enabled/no encryption enabled.
– Auth/Priv
Authentication enabled/encryption enabled.
Procedure
Creating a new group
1. Select the name of the group for which you are configuring SNMP access.
2. Select the required security level from the "Security Level" drop-down list.
3. Click the "Create" button to create a new entry.
4. In the "Read View Name" field, enter the SNMPv3 view for read access.
5. In the "Write View Name" field, enter the SNMPv3 view for write access.
6. In the "Notification View Name" field, enter the SNMPv3 view for notifications.
7. Click the "Set Values" button.
Modifying a group
Once a group name and the security level have been specified, they can no longer be
modified after the group is created. If you want to change the group name or the security
level, you will need to delete the group and create it and configure it with the new name.
Deleting a group
1. Enable "Select" in the row to be deleted.
Repeat this for all groups you want to delete.
2. Click the "Delete" button. The entries are deleted.
Note
Controlling the SNMPv1 and SNMPv2c access
The preconfigured SIMATICNETRD and SIMATICNETWR views are used internally to control the
SNMPv1 and SNMPv2c access. If you delete or change these views, this directly affects the
SNMPv1 and SNMPv2c access.
Description
The page contains the following boxes:
• View Name
Select the name of the view that you want to configure. An SNMPv3 view always needs to be
assigned to an SNMPv3 access. For this reason, you need to enter a new SNMPv3 view in the
table in the "SNMP Access" tab.
• MIB Tree
Select the Object Identifier (OID) of the MIB area that is to be used for the SNMPv3 view. The
following options are possible:
– iso
– std
– member-body
– org
– mgmt
– private
– snmpV2
The drop-down list only contains the OIDs that are usually used. If the configuration of a
specific OID that is not listed is necessary, you can configure this via the CLI with the snmp
view command. This OID is then also displayed in the WBM in the overview table.
The table has the following columns:
• Select
Select the row you want to delete.
• View Name
The name of the SNMPv3 view.
• MIB Tree
The OID of the MIB area for the SNMPv3 view.
• View Type
The available options are as follows:
– Included
The MIB OID and its lower-level nodes are part of the SNMPv3 view. Access to the
corresponding MIB objects is possible.
– Excluded
The MIB OID and its lower-level nodes are not part of the SNMPv3 view. Access to the
corresponding MIB objects is not possible.
5.5.7.6 Notifications
Description
The page contains the following boxes:
• SNMPv1 Traps
Enable or disable sending of SNMPv1 traps. This setting affects all recipients of SNMPv1 traps
and has no effects on recipients of SNMPv2c or SNMPv3 notifications.
• SNMPv1/v2c Trap Community String
Enter the community string for sending SNMPv1/v2c notifications.
• SNMPv3 Notify User
Select the user to which SNMPv3 notifications are to be sent.
• SNMPv3 Notify Security Level
Select the security level (authentication, encryption) to be used for SNMPv3 notification. The
following options are possible:
– no Auth/no Priv
No authentication enabled / no encryption enabled.
– Auth/no Priv
Authentication enabled / no encryption enabled.
– Auth/Priv
Authentication enabled / encryption enabled.
Procedure
Configuring a notification
1. Select the recipient for SNMPv3 notifications in the "SNMPv3 Notify User" drop-down list.
2. Select the security level for SNMPv3 notifications in the "SNMPv3 Notify Security Level" drop-
down list.
3. Select the recipient type in the "Notification Receiver Type" drop-down list.
4. In "Notification Receiver Address", enter the IP address, the FQDN or the host name of the
station to which the device will send traps or notifications.
5. Click the "Create" button to create a new trap entry.
There are different methods that can be used to set the system time of the device. Only one
method can be active at any one time.
If one method is activated, the previously activated method is automatically deactivated.
Description
The page contains the following boxes:
• Time Manually
Enable or disable the manual time setting. If you enable the option, the "System Time" input
box can be edited.
• System Time
Enter the date and time in the format "MM/DD/YYYY HH:MM:SS".
After a restart, the time of day begins at 01/01/2000 00:00:00
• Use PC Time
Click the button to use the time setting of the PC.
• Last Synchronization Time
Shows when the last time-of-day synchronization took place. If no time-of-day
synchronization was possible, the box displays "Date/time not set".
• Last Synchronization Mechanism
Shows how the last time synchronization was performed.
– Not set
The time was not set.
– Manual
Manual time setting
– SNTP
Automatic time-of-day synchronization with SNTP
– NTP
Automatic time-of-day synchronization with NTP
– SIMATIC
Automatic time-of-day synchronization using the SIMATIC time frame
• Daylight Saving Time
Shows whether the daylight saving time changeover is active.
– active (offset +1 h)
The system time was changed to daylight saving time; in other words, an hour was added.
You can see the current system time at the top right in the selection area of the WBM.
The set time continues to be displayed in the "System Time" box.
– inactive (offset +0 h)
The current system time is not changed.
Procedure
1. Enable the "Time Manually" option.
2. Click in the "System Time" input box.
3. In the "System Time" input box, enter the date and time in the format "MM/DD/YYYY
HH:MM:SS".
4. Click the "Set Values" button.
The date and time are adopted and "Manual" is entered in "Last Synchronization Mechanism"
box.
Settings
The page contains the following boxes:
• Select
Select the row you want to delete.
• DST No.
Shows the number of the entry.
If you create a new entry, a new line with a unique number is created.
• Name
Shows the name of the entry.
• Year
Shows the year for which the entry was created.
• Start Date
Shows the month, day and time for the start of daylight saving time.
• End Date
Shows the month, day and time for the end of daylight saving time.
• Recurring Date
With an entry of the type "Recurring", the period in which daylight saving time is active is
displayed consisting of week, day, month and time of day.
With an entry of the type "Date" a "-" is displayed.
• Status
Shows the status of the entry:
– Enabled
The entry was created correctly.
– Invalid
The entry was created new and the start and end date are identical.
• Type
Shows how the daylight saving time changeover is made:
– Date
A fixed date is entered for the daylight saving time changeover.
– Recurring
A rule was defined for the daylight saving time changeover.
Procedure
Creating an entry
1. Click the "Create" button.
A new entry is created in the table.
2. Click on the required entry in the "DST No column.
You change to the "DST Configuration" page.
3. Select the required type in the "Type" drop-down list.
Depending on the selected type, various settings are available.
4. Enter a name name in the "Name" box.
5. If you have selected the type "Date", fill in the following boxes.
– Year
– Day (for start and end date)
– Hour (for start and end date)
– Month (for start and end date)
6. If you have selected the type "Recurring", fill in the following boxes.
– Hour (for start and end date)
– Month (for start and end date)
– Week (for start and end date)
– Day (for start and end date)
7. Click the "Set Values" button.
Deleting an entry
1. Enable "Select" in the row to be deleted.
2. Click the "Delete" button. The entry is deleted.
Settings
Note
The content of this page depends on the selection in the "Type" box.
The boxes "DST No.", "Type" and "Name" are always shown.
• DST No.
Select the type of the entry.
• Type
Select how the daylight saving time changeover is made:
– Date
You can enter a fixed date for the daylight saving time changeover.
This setting is suitable for regions in which the daylight saving time changeover is not
governed by rules.
– Recurring
You can define a rule for the daylight saving time changeover.
This setting is suitable for regions in which the daylight saving time always begins or ends
on a certain weekday.
• Name
Enter a name for the entry.
The name can be a maximum of 16 characters long.
Settings with "Date" selected
You can set a fixed date for the start and end of daylight saving time.
• Year
Enter the year for the daylight saving time changeover.
• Start Date
Enter the following values for the start of daylight saving time:
– Day
Enter the day.
– Hour
Enter the hour.
– Month
Enter the month.
• End Date
Enter the following values for the end of daylight saving time:
– Day
Enter the day.
– Hour
Enter the hour.
– Month
Enter the month.
Settings with "Recurring" selected
You can create a rule for the daylight saving time changeover.
• Year
Enter the year for the daylight saving time changeover.
• Start Date
Enter the following values for the start of daylight saving time:
– Hour
Enter the hour.
– Month
Enter the month.
– Week
Enter the week.
You can select the first to fourth or the last week of the month.
– Day
Enter the weekday.
• End Date
Enter the following values for the end of daylight saving time:
– Hour
Enter the hour.
– Month
Enter the month.
– Week
Enter the week.
You can select the first to fourth or the last week of the month.
– Day
Enter the weekday.
Note
To prevent time jumps, make certain there is only one time server in the network.
Description
The page contains the following boxes:
• GPS Time
When enabled, the device receives the time with the GPS signal from navigation satellites.
The time is updated every 60 seconds.
• Cellular Time
When enabled, the device fetches the time via a mobile wireless network. The time is
updated every 60 seconds.
• Current System Time
Shows the current system time.
• Last Synchronization Time
Shows when the last time-of-day synchronization took place.
Procedure
1. Click the "GPS Time" or "Cellular Time" check box to activate fetching of the mobile time.
2. Click the "Set Values" button.
Note
To avoid time jumps, make sure that there is only one time server in the network.
Requirement
To receive the SNTP frames, enable the entry "System Time" under "Security > Firewall >
Predefined IPv4 rules".
Description
The page contains the following boxes:
• SNTP Client
When enabled, the device receives the system time from an SNTP server.
• Current System Time
Shows the current date and current normal time received by the IE switch. If you specify a
time zone, the time information is adapted accordingly.
• Last Synchronization Time
Shows when the last time-of-day synchronization took place.
• Poll Interval[s]
Enter the interval between two time queries. In this box, you enter the polling interval in
seconds. Possible values are 16 to 16284 seconds.
• SNTP Server Address
Enter the IP address, the FQDN (Fully Qualified Domain Name) or the host name of the SNTP
server.
The table has the following columns:
• Select
Select the row you want to delete.
• SMTP Server Address
Shows the IP address, the FQDN (Fully Qualified Domain Name) or the host name of the SMTP
server.
• SNTP Server Port
Enter the port of the SNTP server.
The following ports are possible:
– 123 (standard port)
– 1025 to 36564
• Primary
The check mark is set for the SNTP server that you create first. If several SNTP servers have
been created, the primary server is queried first.
Procedure
1. Click the "SNTP Client" check box to enable the automatic time setting.
2. In "Time Zone", enter the local time difference to world time (UTC).
The input format is "+/-HH:MM" because the NTP server always sends UTC time, for example
+02:00 for CEST, the Central European Summer Time. This time is recalculated and displayed
as the local time based on the specified time zone.
3. Select one of the following options from the "SNTP Mode" drop-down list:
– Poll
For this mode, you need to configure the following:
- time zone difference (step 2)
- query interval (step 4)
-time server (step 5)
- Port (step 7)
- complete the configuration with step 8.
– Listen
For this mode, you need to configure the following:
- time difference to the time sent by the server (step 2)
- time server (step 5)
- port (step 7)
- complete the configuration with step 8.
4. In "SNTP Server Address", enter the address of the SNTP server whose frames will be used to
synchronize the time of day.
5. In "SNTP Server Port", enter the port via which the SNTP server is available. The port can only
be modified if the IP address of the SNTP server is entered.
6. In "Poll Interval[s]", enter the time in seconds after which a new time query is sent to the time
server.
7. Click the "Set Values" button.
Note
To avoid time jumps, make sure that there is only one time server in the network.
Requirement
To receive the NTP frames, enable the entry "System Time" under "Security > Firewall > Pre-
defined IPv4 rules".
Description
The page contains the following boxes:
• NTP client
When enabled, the device receives the system time from an NTP server.
• Secure NTP Client only
When enabled, the device receives the system time from a secure NTP server. The setting
applies to all server entries.
To use the secure NTP client, you configure the parameters for authentication (key ID, hash
algorithm, key).
• Current System Time
Shows the current date and current normal time received by the device. If you specify a time
zone, the time information is adapted accordingly.
• Last Synchronization Time
Shows when the last time-of-day synchronization took place.
• Last Synchronization Mechanism
Shows how the last time synchronization was performed. The following methods are
possible:
– Not set
The time was not set.
– Manual
Manual time setting
– SNTP
Automatic time-of-day synchronization with SNTP
– NTP
Automatic time-of-day synchronization with NTP
– SIMATIC
Automatic time-of-day synchronization using the SIMATIC time frame
– PTP
Automatic time-of-day synchronization with PTP
• Time Zone
Enter the time zone you are using in the format "+/- HH:MM". The time zone relates to UTC
standard world time.
The time in the "Current System Time" box is adapted accordingly.
Procedure
Time-of-day synchronization with NTP server
1. Click in the "NTP Client" check box to enable the automatic time setting using NTP.
2. In "Time Zone", enter the local time difference to world time (UTC).
The input format is "+/-HH:MM" because the NTP server always sends UTC time, for example
+02:00 for CEST, the Central European Summer Time. This time is recalculated and displayed
as the local time based on the specified time zone.
3. Select the "NTP Server Index".
4. Click the "Create" button.
A new row is inserted in the table for the NTP server.
5. In "NTP Server Address", enter the address of the NTP server whose frames are used to
synchronize the time of day.
6. In "NTP Server Port", enter the port via which the NTP server is available. The port can only be
modified if the address of the NTP server is entered.
7. In the "Poll Interval" column, enter the interval in seconds after which a new time-of-day
query is sent to the time server.
8. Click the "Set Values" button.
Time-of-day synchronization via a secure NTP server
To synchronize the time of day via a secure NTP server, the following additional steps are
necessary:
1. Click the "Secure NTP Client only" check box to enable the automatic time setting using
Secure NTP.
2. Configure the authentication.
– In "Key ID" enter the ID of the authentication key.
– In "Hash Algorithm" select the required format.
– In "Key" enter the authentication key.
With these entries, the NTP client authenticates itself with the secure NTP server. These
entries must be present on the secure NTP server.
3. Click the "Set Values" button.
Note
To avoid time jumps, make sure that there is only one time server in the network.
Description
The page contains the following boxes:
• SIMATIC Time Client
Select this check box to enable the device as a SIMATIC time client.
• Current System Time
Shows the current system time.
• Last Synchronization Time
Shows when the last time-of-day synchronization took place.
• Last Synchronization Mechanism
Shows how the last time synchronization was performed. The following methods are
possible:
– Not set
The time was not set.
– Manual
Manual time setting
– SNTP
Automatic time-of-day synchronization with SNTP
– NTP
Automatic time-of-day synchronization with NTP
– SIMATIC
Automatic time-of-day synchronization using the SIMATIC time frame
Procedure
1. Click the "SIMATIC Time Client" check box to enable the SIMATIC Time Client.
2. Click the "Set Values" button.
Note
Time synchronization
Also configure the device as NTP client so that it synchronizes the connected devices to a correct
time. As NTP client, the device gets the precise time from an external time server and as NTP
server distributes it to its NTP clients.
The NTP server does not send cyclic messages with time information on its own, but only
responds to corresponding requests. Settings in the function as a client (time zone and daylight
saving time) do not influence the time information that the device sends as a server.
Requirement
• To receive the NTP frames, enable the entry "System Time" under "Security > Firewall >
Predefined IPv4 rules".
Description
The page contains the following boxes:
• NTP Server
Enable or disable the service of the NTP server.
Note
SNTP Client in Listen mode and NTP Server cannot be enabled at the same time.
• Interface
Specify the interface via which the time is transferred using NTP.
If you have been logged out automatically, you will need to log in again.
Note
No automatic logout from the CLI
If the connection is not terminated after the set time, check the "Keep alive" setting on the Telnet
client.
If the interval for "Keep alive" is shorter than the configured time, the connection is maintained
although no user data is transferred. You have set, for example, 300 seconds for the automatic
logoff and the "Keep alive" function is set to 120 seconds. In this case, a packet is sent every 120
seconds that keeps the connection uninterrupted.
• Turn off the "Keep alive" (interval time=0)
or
• Set the interval high enough so that the underlying connection is terminated when there is
inactivity.
Procedure
1. Enter a value of 60-3600 seconds in the "Web Base Management [s]" input box. If you enter
the value 0, the automatic logout is disabled.
2. Enter a value of 60-600 seconds in the "CLI (TELNET, SSH) [s]" input box. If you enter the value
0, the automatic logout is disabled.
3. Click the "Set Values" button.
5.5.10 Button
Functionality
The SELECT/SET button is used to:
• Restart
• Load new firmware
• Reset to factory settings.
You will find a detailed description of the functions in the operating instructions for the
device.
On this page, the functionality of the button can be restricted.
Description
The following functionality is possible:
• Restart / Restore Factory Defaults
When disabled, the SELECT/SET button cannot be used for a restart or to restore factory
settings.
CAUTION
Button function "Restart / Restore Factory Defaults" active during startup
If you have disabled this function in your configuration, disabling is only valid during
operation. When restarting, for example after power off, the function is active until the
configuration is loaded and the device can therefore inadvertently be reset to the factory
settings. This may cause unwanted disruption in network operation since the device then
needs to be reconfigured. An inserted PLUG is also deleted and returned to the status as
shipped.
You will find more information on how to restore the device to the factory defaults despite
disabled functions in the section "Upkeep and maintenance (Page 436)".
Description
The page contains the following boxes:
• Syslog Client
Enable or disable the Syslog client on the device.
• Syslog Server Address
Enter the IP address, the FQDN (Fully Qualified Domain Name) or the host name of the Syslog
server.
This table contains the following columns
• Select
Select the row you want to delete.
• Syslog Server Address
Shows the IP address, the FQDN (Fully Qualified Domain Name) or the host name of the
Syslog server.
• Server Port
Enter the port of the Syslog server being used.
• TLS
– Enabled
The syslog messages are sent using TLS encryption over TCP.
– Disabled
Syslog messages are sent unencrypted over UDP.
Procedure
Enabling function
1. Select the "Syslog Client" check box.
2. Click the "Set Values" button.
Creating a new entry
1. In the "Syslog Server Address" input box, enter the address of the Syslog server to which the
Syslog messages are sent.
2. Click the "Create" button. A new row is inserted in the table.
3. In the "Server Port" input box, enter the number of the server port.
4. Click the "Set Values" button.
Note
The default setting of the server port is 514.
Note
You will find the permitted operating voltage limits in the operating instructions of the device.
If a fault occurs, the error LED lights up on the device. The currently pending error is
displayed under "Information > Errors".
In addition, the corresponding error message is entered in the result log table. The content of
the event log table is displayed in "Information > Log Tables > Event Log".
Procedure
1. Click the check box in front of the line name you want to monitor to enable or disable the
monitoring function.
2. Click the "Set Values" button.
Description
Table 1 has the following columns:
• 1st column
Shows that the settings are valid for all ports.
• Setting
Select the setting from the drop-down list. You have the following setting options:
– "-" (disabled)
– Up
– Down
– No Change: The setting in table 2 remains unchanged.
• Copy to Table
If you click the button, the setting is adopted for all ports of table 2.
Table 2 has the following columns:
• Port
Shows the available ports and link aggregations. The port is made up of the module number
and the port number, for example port 0.1 is module 0, port 1.
• Setting
Select the setting from the drop-down list. You have the following options:
– Up
Error handling is triggered when the port changes to the active status.
(From "Link down" to "Link up")
– Down
Error handling is triggered when the port changes to the inactive status.
(From "Link up" to "Link down")
– "-" (disabled)
The error handling is not triggered.
Procedure
Configure error monitoring for a port
1. From the relevant drop-down list, select the options of the slots / ports whose connection
status you want to monitor.
2. Click the "Set Values" button.
Configure error monitoring for all ports
1. Select the required setting from the drop-down list of the "Setting" column.
2. Click the "Copy to table" button. The setting is adopted for all ports of table 2.
3. Click the "Set Values" button.
On this page, you configure whether or not an error message is triggered if there is a status
change of the SIM card.
Description
The table has the following columns:
• SIM card
Shows the available SIM cards.
• Setting
Select the setting from the drop-down list. You have the following options:
– "-" (disabled)
The error handling is not triggered.
– SIM missing
Troubleshooting is triggered if no SIM card is plugged in. An error causes the fault LED to
light up on the device.
5.5.13 PLUG
5.5.13.1 Configuration
0
NOTICE
Do not remove or insert a PLUG during operation!
A PLUG may only be removed or inserted when the device is turned off.
The device checks whether or not a PLUG is present at one second intervals. If it is detected that
the PLUG was removed, there is a restart. If a valid PLUG with license was inserted in the device,
the device changes to a defined error state following the restart. With SCALANCE M, the
available wireless interfaces are deactivated in this case.
If the device was configured at some time with a PLUG, the device can no longer be used
without this PLUG. To be able to use the device again, reset the device to the factory settings.
Note
Incompatibility with older firmware versions with PLUG inserted
During the installation of an older firmware version, the configuration data can be lost. In this
case, reset the device to the factory settings after the firmware has been installed.
In this situation, when a PLUG is inserted in the device, this has the status "NOT ACCEPTED"
following the restart because the PLUG still has the configuration data of the previous, more up-
to-date firmware. This allows you to return to the previous, more up-to-date firmware without
any loss of configuration data.
If the original configuration on the PLUG is no longer required, the PLUG can be deleted or
rewritten manually via "System > PLUG".
Note
The action is only executed after you click the "Set Values" button.
The action cannot be undone.
If you decide against executing the function after making your selection, click the "Refresh"
button. As a result the data of this page is read from the device again and the selection is
canceled.
Description
The table has the following rows:
• Status
Shows the status of the PLUG. The following are possible:
– ACCEPTED
There is a PLUG with a valid and suitable configuration in the device.
– NOT ACCEPTED
Invalid or incompatible configuration on the inserted PLUG.
– NOT PRESENT
No PLUG is inserted in the device.
– FACTORY
PLUG is inserted and does not contain a configuration. This status is also displayed when
the PLUG was formatted during operation.
– MISSING
There is no PLUG inserted. Functions are configured on the device for which a license is
required.
• Device Group
Shows the SIMATIC NET product line that used the PLUG previously.
• Device Type
Shows the device type within the product line that used the PLUG previously.
• Configuration Revision
The version of the configuration structure. This information relates to the configuration
options supported by the device and has nothing to do with the concrete hardware
configuration. This revision information does not therefore change if you add or remove
additional components (modules or extenders), it can, however, change if you update the
firmware.
• File System
Displays the type of file system on the PLUG.
• File System Size
Displays the maximum storage capacity of the file system on the PLUG.
• File System Usage
Displays the memory utilization of the file system of the PLUG.
• Firmware on PLUG
When the function is enabled (default), the firmware will be stored on the PLUG. This means
that automatic firmware updates/downgrades can be made with the PLUG. The "Info" box
shows whether or not the firmware is stored on the PLUG.
• Info String
Shows additional information about the device that used the PLUG previously, for example,
article number, type designation, and the versions of the hardware and software. The
displayed software version corresponds to the version in which the configuration was last
changed. With the "NOT ACCEPTED" status, further information on the cause of the problem
is displayed.
If a PLUG was configured as a PRESET PLUG this is shown here as additional information in the
first row. For more detailed information on creating and using a PRESET PLUG refer to the
section "Maintenance (Page 431)".
• Modify PLUG
Select the setting from the drop-down list. You have the following options for changing the
configuration on the PLUG:
– Write Current Configuration to the PLUG
This option is available only if the status of the PLUG is "NOT ACCEPTED" or "FACTORY".
The configuration in the internal flash memory of the device is copied to the PLUG.
– Erase PLUG to factory default
Deletes all data from the PLUG and triggers low-level formatting.
Procedure
1. You can only make settings in this box if you are logged on as "Administrator". Here, you
decide how you want to change the content of the PLUG.
2. Select the required option from the "Modify PLUG" drop-down list.
3. Click the "Set Values" button.
5.5.13.2 License
0
NOTICE
Do not remove or insert the PLUG during operation.
A PLUG may only be removed or inserted when the device is turned off.
The device checks whether or not a PLUG is present at one second intervals. If it is detected that
the PLUG was removed, there is a restart. If a valid PLUG with license was inserted in the device,
the device changes to a defined error state following the restart. With SCALANCE M, the
available wireless interfaces are deactivated in this case.
If the device was configured at some time with a PLUG, the device can no longer be used
without this PLUG. To be able to use the device again, reset the device to the factory settings.
Note
Incompatibility with older firmware versions with PLUG inserted
During the installation of an older firmware version, the configuration data can be lost. In this
case, reset the device to the factory settings after the firmware has been installed.
In this situation, when a PLUG is inserted in the device, this has the status "NOT ACCEPTED"
following the restart because the PLUG still has the configuration data of the previous, more up-
to-date firmware. This allows you to return to the previous, more up-to-date firmware without
any loss of configuration data.
If the original configuration on the PLUG is no longer required, the PLUG can be deleted or
rewritten manually via "System > PLUG".
Description
• Status
Shows the status of the PLUG. The following are possible:
– ACCEPTED
There is a PLUG with a valid and matching license in the device.
– NOT ACCEPTED
The license of the inserted PLUG is not valid.
– NOT PRESENT
No PLUG is inserted in the device.
– MISSING
There is no PLUG inserted with the "FACTORY" status. Functions are configured on the
device for which a license is required.
– WRONG
The inserted PLUG is not suitable for the device.
– UNKNOWN
Unknown content of the PLUG.
– DEFECTIVE
The content of the PLUG contains errors.
• Article number
Shows the article number of the PLUG. The PLUG is available for various functional
enhancements and for various target systems.
• Serial Number
Shows the serial number of the PLUG.
• Info String
Shows additional information about the device that used the PLUG previously, for example,
article number, type designation, and the versions of the hardware and software. The
displayed software version corresponds to the version in which the configuration was last
changed. With the "NOT ACCEPTED" status, further information on the cause of the problem
is displayed.
Note
When you save the configuration, the information about whether or not a PLUG was inserted
in the device at the time is also saved. This configuration can then only work if a PLUG with
the same order number / license is inserted.
5.5.14 Ping
Description
The page contains the following boxes:
• Destination Address
Enter the IPv4, IPv6 address or the FQDN (Fully Qualified Domain Name) of the device.
• Repeat
Enter the number of Ping requests.
• DNS Resolution
Select the IP address type in which an entered FQDN will be resolved.
– Auto
In this mode, the IP address type is selected automatically.
– IPv4
The entered FQDN will be resolved in an IPv4 address.
– IPv6
The entered FQDN will be resolved in an IPv6 address.
• Out Interface for IPv6
This selection is only required when the destination address is a multicast or a link local
address.
– "-" (factory setting)
– Select the relevant IPv6 interface.
• Ping
Click this button to start the Ping function.
• Ping Output
This box shows the output of the Ping function.
• Clear
Click this button to delete the ping output.
Note
DCP Discovery
The function is only available with the VLAN associated with the TIA interface. You can
configure the TIA interface with "Layer 3 > Subnets > Configuration".
Requirement:
To adapt network parameters, DCP requires write access to the device. If access is write-
protected, the network parameters cannot be configured.
On SCALANCE devices, you configure access under "System > Configuration".
Description
The page contains the following boxes:
• Timeout[s]
Specify the time for flashing. When the time elapses, flashing stops.
• Blink Own LEDs
Makes the LEDs of your own device flash.
• Interface
Select the required interface.
• Discover
Starts the search for devices reachable via the selected interface.
On completion of the search the reachable devices are listed in the table. The table is limited
to 100 entries.
The table has the following columns:
• Port
Shows the port via which the device can be reached.
• MAC Address
Shows the MAC address of the device.
• Device Type
Shows the product line or product group to which the device belongs.
• Device Name
Adapt the PROFINET device name if necessary.
The device name must be DNS-compliant. If the device name is not used, the box is empty.
• IP Address
If necessary, adapt the IPv4 address of the device.
The IPv4 address should be unique within your network and should match the network. The
IPv4 address 0.0.0.0 means that no IPv4 address has yet been set.
• Subnet mask
If necessary, adapt the subnet mask of the device.
• Gateway Address
Adapt the IPv4 address of the gateway if necessary.
• Status Device Name
– None: The device name is not used.
– Discovered: The set device name is used.
– Configured: The device was assigned a new device name.
• IP Status
– Discovered/IP: The device uses a static IPv4 address.
– Discovered/DHCP: The device has obtained the IPv4 address from a DHCP server.
– Configured: The device was assigned a new IPv4 address.
• Timeout[s]
Specify the time for flashing. When the time elapses, flashing stops.
• Flash
Makes the LEDs of the selected device flash.
Procedure
1. Select the TIA interface.
2. To show all devices that can be reached via the TIA interface, click the "Browse" button.
3. Adapt the desired properties.
4. Click the "Set Values" button.
The status of the modified properties changes to "Configured".
5. To ensure that the properties were applied correctly, click the "Browse" button again.
The status of the modified properties changes to "Discovered".
5.5.16 SMS
5.5.16.1 General
0[ 080[
For the device to be able to send an SMS message, you need to enter a specific SMS
center (Short Message Server Center, SMS-C) of your mobile wireless provider or your service
provider.
• If you use the standard SMS center, you do not need to configure anything on this WBM page.
The SIM card already contains the correct information.
• If you do not use the standard SMS center, you can replace the stored call number of the
standard SMS center with another number on this WBM page. This depends on your contract.
Description
The page contains the following boxes:
• Current SMS service center call number
Shows the stored call number of the SMS center.
• Override SMS service center call number
Enter the call number of the SMS center including the country dialing code. Confirm the entry
with "Set Values" to store the phone number on the SIM card. If the call number is displayed
in "Current SMS service center call number", the stored call number of the SMS center has
been overwritten and the input box emptied.
Note
When the change takes effect, the mobile wireless connection will be interrupted for a short
time. The change can take up to a minute.
Description
The page contains the following:
• Enable Event SMS
When enabled, the device sends an SMS.
In the area "Customize SMS messages for Digital Input" you specify the SMS text for the
digital input.
• Digital Input
Shows the available digital inputs.
• Rising edge
Enter the SMS text that is sent when the signal at the digital input changes from 0 (LOW) to
1 (HIGH).
• Falling edge
Enter the SMS text that is sent when the signal at the digital input changes from 1 (HIGH) to
0 (LOW).
Note
Permitted characters for user name and password
The following characters are permitted:
• 0123456789
• A...Z a...z
• . -_
Additionally allowed in the password:
• Space
• !"%&/()=?*+<>',
• Sending Option
Specify when the SMS text is sent.
– None
The function is disabled.
– Both
In both cases, an SMS text is sent.
– Rising only
Only the SMS text is sent when the signal at the digital input changes from 0 (LOW) to 1
(HIGH).
– Falling only
Only the SMS text is sent when the signal at the digital input changes from 1 (HIGH) to 0
(LOW).
• Phone Number
Enter the full telephone number of the recipient including the country dialing code If you
click the "Create" button, a new row with a unique number is created.
• The table contains the following columns:
– Select
Activate the check box in the row to be deleted.
– No.
Unique number that is assigned when the sender is created.
– Send
Specify whether the device sends an SMS message to this recipient.
– Phone Number
Shows the phone number of the recipient.
Procedure
Configuring an event SMS
To obtain an SMS message when the signal changes from 0 (LOW) to 1 (HIGH), follow the
steps below:
1. Specify the SMS text at "Rising Edge".
2. For "Sending Option", select "Rising only".
3. Click the "Set Values" button.
4. Enter the phone number of the recipient in the "Phone Number" input box.
5. Click the "Create" button. A new row with a unique number is created in the table.
6. Specify whether the device sends an SMS message to this recipient if a fault occurs.
7. Select "Enable Event SMS".
8. Click the "Set Values" button.
9. In "System > Events > Configuration" activate the type of notification "SMS" for the "Digital In"
event.
Commands can also be sent with SMS messages. On this page, you specify who can control
the device. As identification either the phone number or the sender ID is specified. The
sender ID can, for example, be an IP address or a DNS name.
With an SMS command, you can, for example, establish a VPN connection to an application
such as the SINEMA RC Server. To do this, the SINEMA RC Server sends a wake-up SMS
message containing the required commands. Additional information can be found in the
section "Command SMS (Page 437)".
To obtain a reply SMS with the status, you must also configure the phone number of the
recipient on the page.
Description
The page contains the following:
• Enable Command SMS
Enable or disable receipt of command SMS messages.
• Phone Number / Sender Identifier
Specify the sender ID or the phone number including the country code. If you click the
"Create" button, a new row with a unique number is created.
In phone numbers, you can replace as numbers as required to the right with the asterisk (*)
placeholder. The placeholder can only be positioned at the end of a number sequence.
Example:
+49177545* stands for all phone numbers that start with 0177545.
Note
Please note that when you use the placeholder "*", command text messages (SMS) from a
wide range of phone numbers will be accepted. We therefore recommend that you use a
more restrictive input, if possible.
With the SMS messaging function, applications connected to the Ethernet interface of the
device can send SMS messages. To send an SMS message, the application must establish a
TCP/IP connection to the device via the Ethernet interface. Via this TCP/IP connection, the
application transfers the text of the SMS to the device that packs the text in an SMS message
and sends it.
Note
A large number of sent SMS can overload the device. Restrict the number of SMS to 20 messages
per minute.
The device cannot be the receiver of its own SMS; this would result in an event loop.
Note
Permitted characters for user name and password
The following characters are permitted:
• 0123456789
• A...Z a...z
• . -_
Additionally allowed in the password:
• Space
• !"%&/()=?*+<>',
• User name
Enter a user name to check the permission for sending an SMS message. Maximum of 10
characters.
• Password
Enter the password belonging to the user name. Maximum of 10 characters.
• CommandCode
Command to send an SMS message from the local network. This value of 105 is fixed and
must not be modified.
• Seq-Num
The sequence number is used to assign several requests at the same time. The function is not
currently supported.
The sequence number consists of 2 numeric characters from 01 to 99.
• Phone number
Call number of the SMS recipient with a maximum of 40 characters. International numbers
(+49) are permitted.
• Message
SMS text with a maximum of 160 characters
Description
The page contains the following:
• Enable SMS Relay (Outgoing)
Enable or disable the sending of SMS messages from the local network.
• User
Enter the user name that must be included before the text is sent as an SMS message.
• Password
Enter the password that must be included before the text is sent as an SMS message.
• Password (Confirmation)
Repeat the password to confirm it.
• Server Port Number
Enter the port at which the server receives the SMS.
Applications connected to the Ethernet interface of the device can receive SMS messages. To
receive an SMS message, the application must establish a TCP/IP connection to the device via
the Ethernet interface. The device receives a command SMS message and forwards the text it
contains to the application.
Note
A large number of received SMS can overload the device. Restrict the number of SMS to 20
messages per minute.
Note
Permitted characters for user name and password
The following characters are permitted:
• 0123456789
• A...Z a...z
• . -_
Additionally allowed in the password:
• Space
• !"%&/()=?*+<>',
• User name
Enter a user name to check the receipt of the SMS message. Maximum of 10 characters.
• Password
Enter the password belonging to the user name. Maximum of 10 characters.
• CommandCode
Command to send an SMS message to the local network. This value of 105 is fixed.
• Seq-Num
The sequence number is used to assign several requests at the same time. The function is not
currently supported.
The sequence number consists of 2 numeric characters from 01 to 99.
• Phone number
Phone number of the sender of the command SMS message with a maximum of 40
characters. International numbers (+49) are permitted.
• Message
SMS text with a maximum of 160 characters
Description
The page contains the following:
• Connection Name
Enter a unique name for the relay connection.
• IP Address
Enter the IP address of the recipient. The frame is sent to this IP address.
• Port number
Enter the port to which the frame will be sent.
• Username
Enter the user name to check receipt of the message. Enter the user name in the frame.
• Password
Enter the password belonging to the user name.
• Password (Confirmation)
Repeat the password to confirm it.
The table contains the following columns:
• Select
Activate the check box in the row to be deleted.
• Connection Name
Shows the name of the relay connection.
• IP Address
Shows the IP address of the recipient.
• Port Number
Shows the port.
• Username
Shows the user name contained in the frame.
This function sends an SMS directly via the device. This allows you to test SMS-based services
such as Email2SMS.
Note
A large number of sent SMS can overload the device. Restrict the number of SMS to 20 messages
per minute.
The device cannot be the receiver of its own SMS; this would result in an event loop.
Description
The page contains the following:
• Call number of the receiver
Enter the full telephone number of the receiver including the country dialing code
• Text
Enter SMS text.
Note
Characters permitted for sending SMS messages
The following characters are permitted in the text:
• 0123456789
• A...Z a...z
• Space
• !"%&/()=?*+<>',.-
5.5.17 DNS
Description
The page contains the following boxes:
• DNS client
Enable or disable depending on whether the device should operate as a DNS client.
• Used DNS Servers
Specify which DNS server the device uses:
– learned only
The device uses only the DNS servers assigned by DHCP.
– manual only
The device uses only the manually configured DNS servers. The DNS servers must be
connected to the Internet. A maximum of two DNS servers can be configured.
– all
The device uses all available DNS servers.
• DNS Server Address
Enter the IP address of the DNS server.
The table has the following columns:
• Select
Activate the check box in the row to be deleted
• DNS Server Address
Shows the IP address of the DNS server.
• Origin
Shows whether the DNS server was configured manually or was assigned by DHCP.
Description
The page contains the following boxes:
• Enable DNS Proxy
Enable or disable the proxy of the DNS server.
• Cache Name Errors (NXDOMAIN)
Enable or disable the caching of NXDOMAIN replies. If you enable the option, the domain
names that were unknown to the DNS server remain in the cache.
Description
The table has the following columns:
• Service
Shows which providers are supported.
• Enabled
When enabled, the device logs on to the DDNS server.
• Host
Enter the host name that you have agreed with your DDNS provider for the device, e.g.
example.no-ip-com.
• User Name
Enter the user name with which the device logs on to the DDNS server.
• Password
Enter the password assigned to the user.
• Password Confirmation
Confirm the password.
Procedure
Requirement:
• User name and password that gives you the right to use the DDNS service.
• Registered hostname, e.g. example.no-ip.com
• UDP port 53 for DNS is enabled and is not used for NAT.
1. In "Host", enter the hostname that you have agreed with your DDNS provider for the device,
e.g. example.no-ip-com.
2. Enter the login data (user name, password) for the DDNS server.
3. Select "Enabled". This hostname is used for the device.
4. Click on "Set Values".
Description
The page contains the following boxes:
• Enable DNS Records
When this is enabled, the address directory is used.
The table has the following columns:
• Select
Select the check box in the row to be deleted.
• Domain
Enter the FQDN (Fully Qualified Domain Name).
• IP Address
Enter the corresponding IPv4 address.
• Comment
If needed, enter a comment.
5.5.18 DHCPv4
Description
The page contains the following boxes:
• Keep Alive
When this is enabled, the IP address is retained in the event of a connection breakdown and
is not reset to 0.0.0.0. Keep Alive is enabled by default. When Keep Alive is disabled, the IP
address is reset to 0.0.0.0 in the event of a communication breakdown.
• DHCP Client Configuration Request (Opt. 66, 67)
When enabled, the DHCP client uses the options to download the configuration file (option
67) from the TFTP server (option 66). After the restart, the device uses the data from the
configuration file.
NOTICE
Security hazard - risk of unauthorized access and/or misuse
The function can potentially be used to change the functionality of the device and thus
cause the failure of data traffic. Users with malicious intent could cause the device to load
a manipulated configuration file in order to change the configuration to their benefit.
To prevent unauthorized access and/or misuse, disable the function if you are not using it
(Off).
In a device with default setting (Setup), no configuration file is loaded from the DHCP server
even if the options 66 and 67 are still contained in the DHCP queries of the DHCP client after
the first login with the default user profile admin and the assignment of a new password.
Note
Configuration file and firmware version
The configuration file is used to store and read in configuration data within a firmware
version, e.g. 4.3. Configuration files created with a firmware version <4.2 cannot be read in
to a device with a firmware version 4.3.
– Setup
Default setting. The function depends on the status of the device.
In the delivery state and after reset to default settings, the function behaves as with the
setting On and the function is enabled for all DHCP client interfaces.
The following events trigger a status change of the device: The first login with the default
user profile admin and the associated assignment of a new password or the loading of a
configuration file. Afterwards, the device is in the secure operating state and the function
behaves as with the Off option: The option is disabled for all DHCP client interfaces.
The status changes automatically.
– On
The function is enabled. The DHCP client requests a configuration file with the next DHCP
query.
– Off
The function is disabled. The DHCP client does not request a configuration file.
• DHCP Mode
Specify the type of identifier with which the DHCP client logs on with its DHCP server.
– via MAC Address
Identification is based on the MAC address.
Note
DHCP mode "via PROFINET device name"
With firmware version 5.0, the setting "via PROFINET device name" was removed.
Procedure
Follow the steps below to configure the IP address using the DHCP client ID:
1. Select the identification method in the "DHCP Mode" drop-down list.
If you select the DHCP mode "via DHCP Client ID" an input box appears.
In the enabled input box "DHCP client ID" enter a string to identify the device. This is then
evaluated by the DHCP server.
2. Select the "DHCP Client Configuration Request (Opt. 66, 67)", if you want the DHCP client to
use options 66 and 67 to download and then enable a configuration file.
3. Enable the "DHCP" option in the table.
4. Click the "Set Values" button.
Note
If a configuration file is downloaded, this can trigger a system restart. If the currently running
configuration and the configuration in the downloaded configuration file differ, the system
restarts.
Make sure that the option "DHCP Client Configuration Request (Opt. 66, 67)" is no longer set.
Requirement
• The connected devices are configured so that they obtain the IP address from a DHCP server.
Description
The page contains the following boxes:
• DHCP Server
Enable or disable the DHCP server on the device.
Note
To avoid conflicts with IPv4 addresses, only one device may be configured as a DHCP server
in the network.
• Subnet
Enter the network address range that will be assigned to the devices. Use the CIDR notation.
• Lower IP Address
Enter the IPv4 address that specifies the start of the dynamic IPv4 address band. The IPv4
address must be within the network address range you configured for "Subnet".
• Upper IP address
Enter the IPv4 address that specifies the end of the dynamic IPv4 address band. The IPv4
address must be within the network address range you configured for "Subnet".
• Lease Time (sec)
Specify for how many seconds the assigned IPv4 address remains valid. When half the period
of validity has elapsed. the DHCP client can extend the period of the assigned IPv4 address.
When the entire time has elapsed, the DHCP client needs to request a new IPv4 address.
Description
The page contains the following boxes:
• Pool ID
Select the required address band.
• Option Code
Enter the number of the required DHCP option.
Note
DHCP options supported
The DHCP options 1, 2, 3, 4, 5, 6, 42, 66, 67 are supported.
The DHCP options 1, 3, 6, 66 and 67 are created automatically when the IPv4 address band
is created. With the exception of option 1, the options can be deleted.
The table has the following columns:
• Select
Select the check box in the row to be deleted
• Pool ID
Shows the number of the address band.
• Option Code
Shows the number of the DHCP option.
• Use Interface IP
Specify whether or not the internal IP address of the device will be used.
• Value
Enter the DHCP parameter that is transferred to the DHCP client. The content depends on the
DHCP option.
Description
The page contains the following boxes:
• Pool ID
Select the required address band.
• Client Identification Method
Select the method according to which a client is identified.
– Ethernet MAC
Identification is based on the MAC address. Enter the MAC address in "Value". A MAC
address consists of six byes separated by hyphens in hexadecimal notation, e.g. 00-ab-1d-
df-b4-1d.
– Client ID
Identification is based on a freely defined DHCP client ID. Enter the required designation
in "Value".
– DUID
Identification is based on the DUID and IAID. Enter the required designation in "Value" e.g.
00-00-01-C2-00-01-00-01-00-00-00-72-00-1B-1B-B6-32-9D.
• Value
Enter the required value. The entry depends on the selected identification method of the
client.
Note
The maximum is 128 entries.
Note
Common Remote Service Platform (cRSP) / Siemens Remote Service (SRS) is a remote
maintenance platform via which remote maintenance access is possible.
To use the platform, additional service contracts are necessary and certain constraints must be
kept to. If you are interested in cRSP / SRS, call your local Siemens contact or visit Web page
(https://support.industry.siemens.com/cs/gb/en/sc/2281).
On this page, you configure the access data for the SRS / cRSP acc. to URI syntax. The Uniform
Resource Identifier (URI) is defined in RFC 3986.
Description
The page contains the following boxes:
• Enable DDNS for cRSP / SRS
Enable or disable the use of cRSP / SRS.
• Update Interval
Enter the time interval.
• Validate Server Certificate
When enabled, the device checks the validity of the received server certificate.
The table has the following columns:
• Index
The number of the entry.
• Select
Select the check box in the row to be deleted.
• Scheme
Identifies the access method and the resource type.
https: Secure access to a Web page.
• Authority
Contains the address of the destination server
• Path
Contains the target path to the resource. The target path can correspond to a directory name
or file name.
• Query
A query can contain parameter values for an application.
– WAN_IP (keyword): Replaces WAN_IP with current external IP address of the device to the
destination server.
• Frag.
Addresses local parts of the resource, e.g. the anchor attribute of a Web page.
• Status
Shows the status of the last cRSP / SRS access of the entry.
• Enabled
When enabled, this entry is used.
Description
• Proxy Name
Enter a name for the proxy server.
The table has the following columns:
• Select
Select the check box in the row to be deleted.
• Name
Shows the name of the proxy server.
• Address
Enter the IPv4 address of the proxy server.
• Type
Specify the type of the proxy server.
– HTTP: Proxy server only for access using HTTP.
– SOCKS: Universal proxy server
• Port
Enter the port on which the proxy service runs.
• Auth. Method
Specify the authentication method.
– None
Without authentication
– Basic
Standard authentication. User name and password are sent unencrypted.
– NTLM (NT LAN Manager)
Authentication according to the NTLM standard (Windows user logon)
• User Name
Enter the user name for access to the proxy server.
• Password
Enter the password for access to the proxy server.
• Password Confirmation
Enter the password again to confirm it.
5.5.21 SINEMA RC
0
On the WBM page, you configure the access to the SINEMA RC server.
Note
This function can only be used with a KEY PLUG (Page 52).
Description
The page contains the following:
• Enable SINEMA RC
– Enabled:
A connection to the configured SINEMA RC Server is established. These boxes cannot be
edited.
– Disabled:
The boxes can be edited. Any existing connection is terminated.
"Server settings" area
• SINEMA RC Address
Enter the IPv4 address or the FQDN (Fully Qualified Domain Name) of the SINEMA RC Server.
• SINEMA RC Port
Enter the port via which the SINEMA RC Server can be reached.
– All
The device uses all connection types. The exception is "AUTO".
• Use Proxy
Specify whether a connection to the defined SINEMA RC Server is established via a proxy
server. Only the proxy servers can be selected that you configured in "System > Proxy Server".
• Autoenrollment Interval [min]
Specify the period of time in minutes after which queries are sent to the SINEMA RC server.
With this query, the device checks whether there is a newer firmware file on the SINEMA RC
server or whether the connection settings have changed. If you enter the value 0, this
function is disabled.
• Timeout [min]
Specify the period of time in minutes. If no data exchange takes place, when this time has
elapsed the VPN tunnel is automatically terminated.
Note
• Use the "TIA Portal Cloud Connector" integrated in the product via a VPN solution (e.g.
SINEMA RC).
• To prevent unauthorized access by network nodes to the "TIA Portal Cloud Connector Server",
enable the item "Cloud Connector" under "Security > Firewall > Pre-defined IPv4 Rules".
• You can only enable this function on one interface at a time.
Requirement
• For the incoming packets to be forwarded to the device, enable the predefined IPv4 rule
"Cloud Connector".
Description
The page contains the following:
• Operation
– Enabled
Enables the integrated TIA Portal Cloud Connector.
– Disabled
Disables the integrated TIA Portal Cloud Connector.
– Start on DI
Enabling is controlled via the digital input (DI) if the "Cloud Connector" is enabled for the
event "Digital input" under "System > Events > Configuration". If this setting is not
enabled, the event is not passed on to the TIA Portal Cloud Connector.
• Port
Communication with the TIA Portal Cloud Connector is established via this port.
• Protocol
This protocol is used to access the plant network.
– PROFINET via VLAN
You define the VLAN interface in the following table.
Only with M804PB
– PROFIBUS via MPI/DP
– PROFINET-PROFIBUS
The following table is only required for PROFINET:
• Interface
Only VLANs with a configured subnet are available.
• Active
When enabled, this VLAN is used for PROFINET.
• Reset Parameters
Resets the properties of the interface to the default values.
Backup
On this page, you can create backups of the configuration and save them on the device. The
backups are created in "ConfigPack" format and include users with passwords, certificates and
favorites in addition to the configuration. You can restore these backups directly from the device.
After the restore, the device restarts. The maximum number depends on the size of the backup
and the available memory space.
On the "System > Load&Save > HTTP/TFTP/SFTP" page, you can save the created backups in
ZIP format under "ConfigPackBackup" on your client PC to be able to load them from there
later. You can find more detailed information in the section "Load&Save (Page 188)".
Description
The page contains the following boxes:
• Name
Enter a name for the backup.
The table contains the following columns:
• Select
Select the row you want to delete.
• Name
Shows the name of the backup.
• Size [KB]
The first row "Available memory" shows how much memory is available for backups on the
device. When you create a backup, the available memory space is reduced accordingly.
The other rows show the size of each backup.
• Restore
Click the "Restore" button to load the relevant backup on the device.
Procedure
1. Enter the required name.
2. Click the "Create" button.
The current configuration is saved as a configuration backup.
Saving the backup may take some time. A new row is created for the backup. The size of the
backup is displayed and subtracted from the available memory space.
On this page, you activate a ping test that monitors connections. During the ping test, the device
sends ICMP echo request packets (pings) to the configured destination address at regular
intervals. If this destination address does not respond, the device tries to reach the destination
address again. If all ping attempts (retries) are unsuccessful, the ping test is considered to have
failed or the group is considered unreachable. If the group is not reachable, the device initiates
the configured action on the selected interface. If all 5 actions have been executed or after a
restart, the device starts again with the first action.
Description
• Enable Connection Check
Enable or disable the ping test for connection monitoring.
• Startup delay[s]
Define the wait time after restart of the device after which the device sends a ping to the first
destination address.
Range of values: 0 to 3600 seconds, default value 600 seconds. If you enter "0", the start
delay is disabled.
The first table contains the following columns:
• Group Identifier
Index of the group
• Name
Specify a name for the group. The entry is displayed in the "Action" table as column name.
• Source Interface
Specify the interface via which reachability of the destination addresses is monitored.
• Interval
Specify the interval at which the ping tests take place.
• TTL (Time to live)
Specify the TTL value.
• Retries
Specify how often the ping attempt is repeated.
The time interval between the ping attempts is 100 ms. With a large number of ping
attempts, this can result in a time delay.
If none of the configured addresses responds, the ping test is considered to have failed
(error). In the "Action" table, you define whether a specific action is executed.
• 1. - 3. Ping destination
Specify the destination address that is used as reference for the reachability.
The second table contains the following columns:
• Group 1 - 5
If a name if configured, it is used as column name. Assign the groups to the desired interface.
The interface is considered reachable when all assigned groups are reachable. If only one of
the groups is not reachable, the configured action is executed on the selected interface.
• Action for
Indicates the interface on which the action is executed.
• 1st action - 5th action
The following actions are possible. The selection depends on the interface on which the
action is executed.
– None (default)
– Restart
Restart the device. After the restart, the device waits until the time specified in the "Start
delay[s]" input box has expired and then sends a ping to the first destination address.
– Soft-Reset (only with M87x / MUM85x)
Restart of the mobile network engine via the software
– Hard-Reset (only with M87x / MUM85x)
Restart of the mobile network engine
– Fallback (only with M876 / MUM85x / S615 / M826)
If the main connection fails, the data traffic is handled via the fallback connection.
Provided the "Connection Fallback"function is configured.
– VPN Reset
Restart of the VPN connection
– VPN enable
Establishes a VPN connection to the VPN server.
– VPN disable
Terminates the VPN connection to the VPN server.
– Digital Output
Switches off the digital output.
The "Connection Fallback" function allows you to connect a network via 2 interfaces, e.g. the
Internet. The priority determines whether the interface is the main connection or the fallback
connection. If the main connection fails, the system switches over to the fallback connection. If
the main connection is available again, the system switches over again. To monitor the main
connection, use the "Connection Check" function.
Description
• Enable Connection Fallback
Enable or disable the fallback function.
• Priority
– 1 - Main connection
– 2 - Fallback connection
• Interface
Specify the interface for the connection.
• Status
Shows the status of the connection:
– Active: All data traffic is handled via the interface.
– Fallback: If the main connection fails, the data traffic is processed via the fallback
connection.
– Not used: The connection is not used.
– Not reachable: If the main connection fails, the status changes to "Not reachable".
Note
Permitted characters for user name and password
The following characters are permitted:
• 0123456789
• A...Z a...z
• . -_
Additionally allowed in the password:
• Space
• !"%&/()=?*+<>',
Description
The page contains the following:
• Enable
Enable or disable reception of the TCP packets. To log this, activate the "TCP Event Log" event
under "System > Event".
• User Name
Enter the user name to check receipt of the TCP packet. The user name and password are
entered in the TCP packet.
• Password
Enter the password belonging to the user name.
• Password Confirmation
Repeat the password to confirm it.
• Port number
Define the port at which the device waits for the TCP packets. Standard port 26864 is the
default.
Optionally, you can enter the default port 26864 or a port number in the 1 … 65535 range.
Note
Reserved ports
Some ports are permanently reserved. Make sure that the specified port is not already in use.
You can find the ports used in the "List of available services (Page 23)".
5.5.26 GPS
5.5.26.1 Coordinates
080[
Description
The page contains the following input boxes:
• Latitude
Here, enter the value for the northerly or southerly latitude of the location of the device in the
format "DD.dddddd". "DD" stands for the latitude and "dddddd" for decimal latitude.
The southerly latitude is displayed with a preceding minus sign.
• Longitude
Enter the value for easterly or westerly longitude for the location of the device in the format
"DD.dddddd". "DD" stands for the longitude and "dddddd" for decimal longitude.
The westerly longitude is displayed with a preceding minus sign.
• Height
Enter the value of the geographic height above sea level in meters.
For example, 158 m means that the device is located at a height of 158 m above sea level.
Heights below sea level (for example the Dead Sea) are indicated by a preceding minus sign.
Procedure
1. Enable the "Use GPS Location" option to determine the location automatically.
2. Click the "Set Values" button.
5.5.26.2 Geofencing
080[
With geofencing, you can define geographical areas within or outside of which you can
control your SCALANCE M device.
On this page, you define areas in which specific events trigger desired actions on the device
after their occurrence. You can configure up to 20 areas.
Description
The page contains the following:
• Enable Geofencing
Enables or disables geofencing.
To log this, activate the "Geofencing" event under "System > Event".
The table contains the following columns:
• Select
Select the row you want to delete.
• Name
Enter the name of the area to be delimited.
Maximum of 64 characters.
• Latitude
Enter the northerly or southerly latitude of the area to be delimited in the format
"DD.dddddd". "DD" stands for the latitude and "dddddd" for decimal latitude.
The southerly latitude is displayed with a preceding minus sign.
• Longitude
Enter the easterly or westerly longitude of the area to be delimited in the format
"DD.dddddd". "DD" stands for the longitude and "dddddd" for decimal longitude.
The westerly longitude is displayed with a preceding minus sign.
• Radius[m]
Enter the radius of the area to be delimited in meters.
Range of values: 10 ... 2147483647. Default value 20.
• Timeout[min]
Specify the period of time in minutes after which the action is triggered.
Range of values: 1 ... 2147483647. Default value 5.
• Event
Select an event that triggers the action when it occurs.
– Leave
The device leaves the area to be delimited.
– Enter
The device enters the area to be delimited.
– In
The device is in the area to be delimited.
– Out
The device is outside of the area to be delimited.
• Action
From the drop-down list, select the action to be performed when the specified event occurs.
– Event System
Triggers the event that is configured under "System > Events".
– Restart
Restarts the device.
– Restart Factory
Restores the factory settings for the device and restarts it.
– Fault enable/ Fault disable
Switches fault monitoring on/off.
– Digital Output close/ Digital Output open
Closes/opens the digital output.
– Sleep Mode
Activates sleep mode.
– Engine HW reset
Performs the hard reset with a restart of the mobile network engine.
– Engine SW reset
Performs the restart of the mobile network engine via the software.
– IPsec (all) enable/ IPsec (all) disable
Establishes/terminates a VPN connection to the IPsec server.
– OpenVPN (all) enable/ OpenVPN (all) disable
Establishes/terminates a VPN connection to the OpenVPN server.
– SINEMA RC (all) enable/ SINEMA RC (all) disable
Establishes/terminates a VPN connection to the SINEMA RC Server.
• Enabled
Activates the execution of the action under the given conditions.
5.6.1 Ethernet
The page shows the configuration for the data transfer for all ports of the device. You cannot
configure anything on this page.
Description
The table has the following columns:
• Port
Shows the configurable ports. The entry is a link. If you click on the link, the corresponding
configuration page is opened.
• Port Name
Shows the name of the port.
• Port Type (only with routing)
Shows the type of the port. The following types are possible:
– Switch Port VLAN Hybrid
– Switch Port VLAN Trunk
• Status
Shows whether the port is on or off. Data traffic is possible only over an enabled port.
• OperState
Displays the current operational status. The operational status depends on the configured
"Status" and the "Link". The available options are as follows:
– Up
You have configured the status "enabled" for the port and the port has a valid connection
to the network.
– Down
You have configured the status "disabled" or "Link down" for the port or the port has no
connection.
• Link
Shows the connection status to the network. With the connection status, the following is
possible:
– Up
The port has a valid link to the network, a link integrity signal is being received.
– Down
The link is down, for example because the connected device is turned off.
• Mode
Shows the transfer parameters of the port.
• Negotiation
Shows whether the automatic configuration is enabled or disabled.
• MAC Address
Shows the MAC address of the port.
5.6.1.1 Configuration
Configuring ports
With this page, you can configure all the ports of the device.
Description
• Port
Select the port to be configured from the drop-down list.
• Status
Specify whether the port is enabled or disabled.
– enabled
The port is enabled. Data traffic is possible only over an enabled port.
– disabled
The port is disabled but the connection remains.
Note
Turn off unused ports.
– link down
The port is disabled and the connection to the partner device is terminated.
• Port Name
Here, enter a name for the port.
• MAC Address
Shows the MAC address of the port.
• Mode Type
From this drop-down list, select the transmission speed and the transfer mode of the port.
The following settings are possible:
– 10 Mbps full duplex (FD) or half duplex (HD)
– 100 Mbps full duplex (FD) or half duplex (HD)
– Auto negotiation
If you set the mode to "Auto negotiation", these parameters are automatically negotiated
with the connected end device or network component. This must also be in the
"Autonegotiation" mode.
Note
Before the port and partner port can communicate with each other, the settings must match
at both ends.
• Mode
Shows the transmission speed and the transmission mode of the port. The display depends
on the set "Mode Type".
• Negotiation
Shows whether the automatic configuration of the connection to the partner port is enabled
or disabled.
• Port Type
Select the type of port from the drop-down list.
– Switch Port VLAN Hybrid
The port sends tagged and untagged frames. It is not automatically a member of a VLAN.
– Switch-Port VLAN Trunk
The port only sends tagged frames and is automatically a member of all VLANs.
• OperState
Displays the current operational status. The operational status depends on the configured
"Status" and the "Link". The available options are as follows:
– Up
You have configured the status "enabled" for the port and the port has a valid connection
to the network.
– Down
You have configured the status "disabled" or "Link down" for the port or the port has no
connection.
• Link
Shows the physical connection status to the network. The available options are as follows:
– Up
The port has a valid link to the network, a link integrity signal is being received.
– Down
The link is down, for example because the connected device is turned off.
5.6.2.1 General
0[ 080[
For access to the mobile network and the mobile network services, access parameters are
required that you specify on this page. You will receive the access parameters from your
mobile wireless provider.
You can use the "Mobile data usage" function to control the used data volume.
Note
Use a time server to avoid incorrect detection of the volume of data used.
Changes made to the SIM card are logged in the event log. Log messages start with "Primary-
Modem Physical-SIM: < log message>" for an exchangeable SIM card and "Primary-Modem
e-SIM: < Log message>" for an eSIM card.
Description
The page contains the following:
• Enable Mobile Network Interface
Enables or disables the mobile network interface. Before you enable the mobile network
interface, select the desired SIM card type at "Select SIM type" and enable the SIM card at
"Enable SIM".
• Fast Engine Startup (only with SCALANCE MUM85x)
Accelerates the connection to the mobile network by eliminating the engine reset after the
device starts.
Enable the option to reduce the time to establish the mobile wireless connection.
• Enable SIM
Enables the SIM card. You can only enable one SIM card in V7.2.
• PIN
Personal identification number
If the mobile network interface is enabled, the currently valid PIN of the SIM card is queried.
Enter the currently valid PIN for the selected SIM card. The device also operates with SIM cards
that do not require a PIN or for which the PIN query has been deactivated.
Note
If you make incorrect entries, the SIM card is blocked
Make sure that you enter the PIN correctly. If you enter the PIN incorrectly three times, the SIM
card will be locked.
In "Information > Mobile", you can check the status of the SIM card. If "SIM Status" displays
"PUK required", the SIM card is locked. You can release the SIM card again under "Interfaces
> Mobile > SIM".
• PIN Confirmation
Repeat the PIN.
• Radio Mode
Select the required mobile wireless network. The following options are available:
– Auto (not with SCALANCE M874-2)
All services. As first choice, the device attempts to establish a connection to the fastest
available mobile wireless system.
– GSM only
The EGPRS and GPRS services. The device ignores the UMTS and LTE network and
establishes a connection to the GSM service that provides the highest bandwidth locally
– UMTS only (not with the SCALANCE M874-2)
The UMTS and HSPA service. The device ignores the EGPRS, GPRS and LTE services and
establishes a connection in the UMTS network.
– LTE only (only with SCALANCE M876-4/MUM85x)
The LTE service. The device ignores the EGPRS and GPRS and UMTS services and
establishes a connection in the LTE network.
– 5 G NR + LTE (NSA) (only with SCALANCE MUM85x)
The services 5G New Radio (NR) and LTE non-standalone operation (NSA)
– Only 5 G NR SA (only with SCALANCE MUM85x)
The service 5G New Radio (NR) in standalone operation (SA)
– EVDO (only with SCALANCE M876-3)
EVolution, Data-Optimized. Default for CDMA-based networks.
The following sub-standards are supported:
- EVDO Hybrid
- EVDO 1xRTT
- EVDO HDR - High Data Rate
– No data connection
There is no data connection. Suitable when the device is only used to send or receive SMS
messages.
• IP Version
Specify which IP version the device supports.
• Authentication Method
Select the required authentication method.
– CHAP
Challenge Handshake Authentication Protocol
Encrypted transfer of user name and password using CHAP.
– PAP
Password Authentication Protocol
Unencrypted transfer of user name and password using PAP.
– Auto
User name and password are transferred automatically with one of the following two
methods. CHAP has the higher priority. If the communications partner does not support
CHAP, the user name and password are transferred using PAP.
• Allow Data Roaming
When enabled, the device automatically logs on to an available network. Provided the
specified network is not accessible.
Procedure
Warnings received via SMS:
1. For "Reset on the day of the month", specify the start of the invoicing period.
2. For "Warning limit", set the data volume in MB.
3. Select "Mobile data usage" and click on the "Set Values" button.
4. Set the receiver under "System > SMS > Event SMS".
– Enter the telephone number in the "Call number" text box.
– Click the "Create" button.
– Activate "Enable event SMS" and "Send" for the receiver.
– Click the "Set Values" button.
5. Set the notification type "Apply SMS settings" for the "Exceed data limit" event under "System
> Events > Configuration".
6. Click the "Set Values" button.
Result:
The recipient receives the warnings via SMS.
5.6.2.2 SIM
0[ 080[
You receive the PIN with the SIM card. On this page, you can change the PIN of the selected
SIM card or release locked SIM cards, if necessary.
Requirement
• The mobile network interface is disabled.
• The desired SIM card is selected and enabled on the "Interfaces > Mobile > General" page
under "Select SIM card type".
Description
The page contains the following:
• Status
Shows the status of the action. The following entries are possible:
– -
No action was performed.
– Action starts...
Execution of the selected action is starting.
– Action in progress... Reset mobile engine
The wireless module is automatically reset after execution of the action.
– SIM Action was successful
The selected action was successful.
– SIM Card locked
The SIM card is irreversibly locked because the incorrect PUK was entered ten times in
succession.
– SIM not locked, please use "Change PIN".
The entry under "PUK" is not required.
– SIM is locked, use "Unlock SIM".
The SIM card is locked because the incorrect PIN was entered three times in succession.
Unlock the SIM card with the action "Unlock SIM".
– Wrong PIN (remaining attempts %d)
The entry under "Old PIN" is incorrect. Shows the number of remaining attempts.
– Wrong PUK (remaining attempts %d)
The entry under "PUK" is incorrect. Shows the number of remaining attempts.
• Action
Select the required action:
– Change PIN
Changes the PIN of the selected card.
– Unlock SIM (PUK)
Unlocks the SIM card using the PUK and defines a new PIN.
– Enable PIN
Switches on PIN request.
– Disable PIN
Switches off PIN request.
Note
When you change the PIN, you need to adjust the PIN under "Interfaces > Mobile > General".
• Old PIN
Enter the currently valid PIN.
• PUK
Personal Unblocking Key
Enter the PUK. You will have received the PUK from your operator together with the SIM card.
If you enter the PUK incorrectly ten times in succession, the SIM card will be irreversibly
locked.
• New PIN
Enter the new PIN that you wish to use instead of the previous PIN.
• New PIN Confirmation
Repeat the new PIN.
• Start
Executes the selected action. Depending on the action, execution can take up to 30 seconds.
Refer to the display under "Status" to check whether the action was successful. You can
update the display either automatically or manually.
– Automatic
In the top right corner of the display area on this page, you can switch automatic updating
of the content area on or off using the "on/off" buttons. If enabled, the display is updated
every 2 seconds.
– Manual
Click the "Update" button.
The APN (Access Point Name) is the name of the access point from the mobile network to
the Internet or to a private company network. Depending on the type of network connected,
this is a public or private APN. Information about the APN is provided by the mobile network
provider.
Description
The page contains the following:
• Country List
From this list, select the country in which the device will be deployed.
• Provider List
From this list select the appropriate mobile network provider. The list depends on the
selected country.
If the mobile network provider is not contained in the list of providers, select "-".
Note
"5G SA (Standalone) only" radio mode
For "5G SA only" radio mode, disable all providers that are not needed.
• PLMNID
Each mobile network provider has an identification number that is unique worldwide known
as the Public Land Mobile Network ID (PLMN ID). You can find the Net ID in the documentation
of your mobile network provider or on their Internet pages.
– If you know the PLMNID of the mobile network provider, enter this number.
– If you do not know the PLMNID, enter the data in the table under "Manual".
• Operator Name
Enter the name of your mobile network provider.
• APN
Enter the name of the APN. You can find the APN in the documentation of your mobile
network provider on your provider's Website or ask your mobile network provider's hotline.
• User Name
Enter the user name. Some mobile network providers do not use access control with user
names and/or passwords. In this case, leave the box empty.
• Password
Enter the password. Some mobile network providers do not use access control with user
names and/or passwords. In this case, leave the box empty.
• Password Confirmation
Repeat the password.
The table contains the following columns:
• Select
Select the check box in the row to be deleted.
• PLMNID
– Identification number (Net ID)
Displays the PLMNID of the mobile phone provider.
– Manual (static APN)
If the PLMNID is not known, enter the APN of your mobile phone provider.
– Manual (dynamic APN)
Only available with M876-4
Requirement: Radio mode "LTE only"
If you do not configure any data, the APN is assigned dynamically.
• Operator Name
Enter the name of your mobile network provider.
• APN
Enter the name of the APN. You can find the APN in the documentation of your mobile
network provider on your provider's Website or ask your mobile network provider's hotline.
• User Name
Enter the user name for the APN. Some mobile network providers do not use access control
with user names and/or passwords. In this case, leave the box empty.
• Password
Enter the password for the APN. Some mobile network providers do not use access control
with user names and/or passwords. In this case, leave the box empty.
• Password Confirmation
Repeat the password.
• Enabled
The entry is used
Note
The eSIM function is available in SCALANCE MUM85x devices as of HW version 2. You can find
information on the hardware version under "Information > I&M (Page 130)".
The eSIM function is not available on the 6GK5856-2EA00-3FA1 device variant.
An eSIM is an embedded SIM that you activate using the QR code provided by the mobile
network provider in order to use its mobile plan.
On this page, you create an eSIM profile of your eSIM card on the device. This page is used
for initial setup of the eSIM.
Using a camera connected to your PC, you can scan in the QR code. By reading out the QR
code, the profile is completed with the data provided by the mobile network provider and
usage of the eSIM is activated by the mobile network provider. This means that you do not
have to manually enter the activation code. Note the requirements for this operation.
If you want to change the PIN of the eSIM card or unlock the locked eSIM, use the "Interfaces
> Mobile Network > SIM" page.
Requirements
Before you create an eSIM profile, check the following:
• The date and time are current.
You set the system time on the "System > System Time > Manual Setting" page with the "Use
PC Time" button.
• An Internet connection exists, e.g. over the Ethernet interface.
You set a default route on the "Layer 3 (IPv4) > Static Routes" page. Enter the IP address of your
WLAN router as the gateway.
• The DNS server has been configured.
You set the DNS server on the "System > DNS > DNS Client" page. Enter the IP address of the
DNS server, e.g. the IP address of your WLAN router.
• The mobile network interface is disabled.
Description
The page contains the following:
• Status
Shows the status of the eSIM.
– eSIM enabled
The eSIM card is enabled.
– eSIM disabled
The eSIM card is disabled.
– Write progress started
The eSIM profile is being searched for or installed.
– eSIM available
The eSIM profile is available.
– Write progress failed
The operation has failed.
• Name
Enter a name for the eSIM card.
• Activation Code
You receive the activation code from the mobile network provider.
By entering the activation code, data needed to activate the eSIM is transmitted by the
mobile network provider.
Hold the QR code in front of the camera connected to your PC. The scan area of the camera
is shown in the top area of the page. The activation code is automatically read out and
entered in the input field.
• Activation PIN
Activation PIN (ePIN) for activating the eSIM card
Enter the Activation PIN for the eSIM card. You receive the Activation PIN from the mobile
network provider.
• Activation PIN Conf
Repeat the Activation PIN.
Note
An Internet connection is not needed to activate, deactivate or rename an eSIM profile. An
Internet connection is only needed when installing a new eSIM profile using the Activation Code.
Only one eSIM profile can be active. If you want to activate another eSIM profile, you must first
deactivate the currently active eSIM profile.
1. Select the desired eSIM profile using the "Enabled" check box and click "Set Values".
The SIM status in the "Information > Mobile Network > Overview" menu changes to
"Available". The eSIM now behaves like a SIM card, and you have the option of assigning it a
PIN. Note that if the eSIM profile is deleted, all changes will be lost.
2. Select the "Enable Mobile Network Interface" check box on the "Interfaces > Mobile Network
> General" page.
Once the mobile network interface has been enabled, the configuration fields of the SIM are
grayed out. This prevents any change to the SIM or a change from one SIM to another during
operation.
Use this function to ensure that the connection to the mobile network is retained. On
this page you specify which WAN-IP addresses are used as reference for the connection
monitoring.
The device sends echo messages (pings) to the configured WAN IP addresses of the remote
stations at regular intervals (Ping Time Interval).
If, for example, you configure three WAN-IP addresses, the device sends a ping to the first
WAN-IP address. If this WAN-IP address is reachable, it sends a reply. When the configured
interval has elapsed, the device sends the next ping. If the first WAN-IP address cannot be
reached, the device sends a further ping after a waiting time has elapsed (10 s). In total three
pings are sent to the WAN-IP address. If the device does not receive a reply after the third
ping, the second WAN-IP address is checked. If this WAN-IP addresses is also unreachable, the
next WAN-IP address is checked.
Is none of the three WAN-IP addresses is reachable, the device restarts the mobile network
interface and logs the restart with the following message "Detected a problem with the
provider connection. Trying to reconnect to the provider. Attempt no.: x".
The x stands for the number of attempts. In total the device makes 10 attempts. After
restarting the mobile network interface, the device waits for some time and then sends a
ping to the first WAN-IP address. Following the first restart of the mobile network interface
the wait time is 2 minutes. With each further restart of the mobile network interface the wait
time is extended by one minute.
If the 10 attempts are unsuccessful, the device restarts and logs the restart with the
following message: "Detected a problem with the provider connection. Reconnect to the
provider had no effect. Device will restart now."
Note
Always configure several WAN-IP addresses. If you only configure one WAN-IP address, the
sporadic failure of the single WAN-IP address can lead to the WAN connection being constantly
re-established.
Description
The page contains the following:
• Enable Connection Ping
Enable or disable the function. Can only be enabled if at least one IP address is configured.
• Ping Time Interval [s]
Specify the interval at which the pings are sent.
• Ping Target Address
Enter the WAN-IP address that will be used for the connection monitoring.. Click "Create" to
save an entry to the table
The table contains the following columns:
• Select
Select the check box in the row to be deleted.
• Target Address
Shows the WAN-IP address.
5.6.3 DSL
0[
On this WBM page, you configure the DSL access and the parameters for the virtual
connection via which the packets will be transferred.
Description
The page contains the following:
• Enable DSL Interface
Enable or disable the DSL interface.
• Enable PPPoE Passthrough
– Enabled
The device acts as a modem. The settings "Account", "Password" and "Enable Force
Disconnect" cannot be edited. Only a connected device can use the DSL connection. This
device also handles the authentication (dial-in) with the provider.
– Disabled
The device acts as a router and logs in with the user name and password. All connected
devices can use the DSL connection.
• Account
Enter the user name. You will receive the user name from your DSL provider.
• Password
Enter the password. You will receive the password name from your DSL provider.
• Password Confirmation
Repeat the password.
• VCI (Virtual Channel Identifier)
Enter the ID for the virtual channel. You will receive setting from your DSL provider.
5.6.4 SHDSL
5.6.4.1 Overview
0
Description
The page contains the following:
• Enable PME Aggregation Function
PME = Physical Medium Entities
When enabled, the SHDSL interfaces or the 2-wire cables are put together to form a single
connection with a higher transmission rate.
Note
If the "PME Aggregation" function is enabled, the interfaces of a device must each have the
same role.
• Target SNR
Shows the signal-to-noise ratio:
– Reliability (10 dB)
Reliable transfer
– Normal (6 dB)
Normal transfer
– High-speed (0 dB)
High-speed transfer
• Port Type
Shows the operating mode of the switch port:
– Switch-Port VLAN Hybrid
The port accepts tagged and untagged frames.
– Switch-Port VLAN Trunk
The port only sends tagged frames and is automatically a member of all VLANs.
5.6.4.2 Configuration
0
On this WBM page, you specify the settings for the connection and the role of the device. You
will find additional information on the settings in ITU-T G.991.2.
Description
The page contains the following:
• Interface
Select the interface.
• Status
Specify whether or not the interface will be used.
• Port Type
Specify the operating mode for the switch port.
– Switch-Port VLAN Hybrid
The port accepts tagged and untagged frames.
– Switch-Port VLAN Trunk
The port only sends tagged frames and is automatically a member of all VLANs.
• Role
Specify the role:
– Central Office (CO)
The interface is a central office.
– Customer Premises Equipment (CPE)
The interface is an end node device.
• Predefined Profile
Specify the profile for the transfer. If you use a profile, the following parameters are set
automatically.
– Profiles with a transfer range
If during calibration of the cable the measured value is within the range, the SHDSL
connection is established.
• Extended Mode
Enable or disable the extended mode. Depending on the setting, the selection in the
following boxes changes.
• PAM
Pulse Amplitude Modulation
Specify the modulation method.
• Line probing
When enabled, the cable is calibrated according to ITU-T G.991.2.
• SNR Model
Specify the model for calculating the signal-to-noise ratio.
– Current condition
The value for noise is used that was measured when calibrating the cable.
– Worst Case
The value for noise is assumed that could occur over several cables of a cable bundle.
• Target SNR
Specify the transmission mode for the signal-to-noise ratio. The current signal-to-noise ratio
is displayed under "Information > SHDSL".
– Reliability (10 dB)
Reliable transfer
– Normal (6 dB)
Normal transfer
– High-speed (0 dB)
High-speed transfer
0
Use this function to ensure that the connection to the SHDSL network is retained. On
this page you specify which WAN-IP addresses are used as reference for the connection
monitoring.
The device sends echo messages (pings) to the configured WAN IP addresses of the remote
stations at regular intervals (Ping Time Interval).
If, for example, you configure three WAN-IP addresses, the device sends a ping to the WAN-IP
addresses. If only one of the three WAN-IP addresses is unreachable the following message is
logged: "Could not reach remote device a.b.c.d (Failure count x)".
"a.b.c.d" stands for the IP address of the device and x stands for the number of attempts. In
total the device makes 5 attempts.
If the IP address becomes reachable again, this is logged with the following message: SHDSL
connection check: Remote devices are reachable again.
If the 5 attempts are unsuccessful, the device restarts and logs the restart with the following
message: "SHDSL connection check: Maximum failure count reached, restarting device."
Description
The page contains the following:
• Enable Connection Ping
Enable or disable the function. Can only be enabled if at least one IP address is configured.
• Ping Time Interval [s]
Specify the interval at which the pings are sent.
• Ping Target Address
Enter the WAN-IP address that will be used for the connection monitoring.. Click "Create" to
create an entry in the table.
This table contains the following columns:
• Select
Select the check box in the row to be deleted.
• Target Address
Shows the WAN-IP address.
On this WBM page, enable the function "Packet Capture" on the interface (Ethernet, WLAN).
The function is for network diagnostics via a connected PC, e.g. to detect transfer errors.
You can also enable the function on several interfaces at the same time. When the function
is enabled the interface can be linked in Wireshark. For a period Wireshark record the data
traffic over the interface. Afterwards from the recording you can see the content of the
frames or filter according to certain contents.
Description
The table contains the following columns:
• Interface
The interface to which the entry relates.
• Enable
Enable or disable the "Packet Capture" function. As default, the function is disabled.
Note
Performance
Enable the function only for diagnostics purposes. The increased data traffic could influence
the performance of the device.
12.To start the recording, click "Start" in the "Capture" menu. You can obtain further information
about handling the program in Wireshark.
If you analyze several interfaces, you can use a Wireshark instance for each interface.
Configuring layer 2
On this page, you create a basic configuration for the functions of layer 2.
Description
• Passive Listening
When enabled the function ensures that the BPDUs from the RSTP network are forwarded
transparently and return again. If this was not the case, loops would form at the connection
point between RSTP and the ring.
5.7.2 VLAN
5.7.2.1 General
Note
Changing the Agent VLAN ID
If the configuration PC is connected directly to the device via Ethernet and you change the agent
VLAN ID, the device is no longer reachable via Ethernet following the change.
Description
The page contains the following boxes:
• Base Bridge Mode
Note
Changing Base bridge mode
Note the section "Changing Base bridge mode" in this chapter. This section describes how a
change affects the existing configuration.
Select the required mode from the drop-down list. The following modes are possible:
– 802.1Q VLAN Bridge
Sets the mode "VLAN-aware" for the device. In this mode, VLAN information is taken into
account.
– 802.1D Transparent Bridge
Sets the mode "VLAN-unaware" for the device. In this mode, VLAN tags are not taken into
account or changed but are forwarded transparently. In this mode, you cannot create any
VLANs. Only a management VLAN is available: VLAN 1.
• VLAN ID
Enter the VLAN ID in the "VLAN ID" input box.
Range of values: 1 ... 4094
The table has the following columns:
• Select
Select the row you want to delete.
• VLAN ID
Shows the VLAN ID. The VLAN ID (a number between 1 and 4094) can only be assigned once
when creating a new data record and can then no longer be changed. To make a change, the
entire data record must be deleted and created again.
• Name
Enter a name for the VLAN. The name only provides information and has no effect on the
configuration. The length is a maximum of 32 characters.
• Status
Shows the status type of the entry in the internal port filter table. Here, "Static" means that
the VLAN was entered statically by the user.
• List of ports
Specify the use of the port. The following options are available:
– "-"
The port is not a member of the specified VLAN.
With a new definition, all ports have the identifier "-".
– M
The port is a member of the VLAN. Frames sent in this VLAN are forwarded with the
corresponding VLAN tag.
– U (uppercase)
The port is an untagged member of the VLAN. Frames sent in this VLAN are forwarded
without the VLAN tag. Frames without a VLAN tag are sent from this port.
– u (lowercase)
The port is an untagged member of the VLAN, but the VLAN is not configured as a port
VLAN. Frames sent in this VLAN are forwarded without the VLAN tag.
– F
The port is not a member of the specified VLAN and cannot become a member of this
VLAN even if it is configured as a trunk port.
– T
This option is only displayed and cannot be selected in the WBM.
This port is a trunk port making it a member in all VLANs.
You configure this function in the CLI (Command Line Interface) using the "switchport
mode trunk" command or in the WBM under "Interfaces > Ethernet > Configuration".
Procedure
Requirement:
For Base Bridge mode "802.1Q VLAN Bridge" is set
Creating a new VLAN
1. Enter an ID in the "VLAN ID" input box.
2. Click the "Create" button. A new entry is generated in the table. As default, the boxes have "-"
entered.
3. Enter a name for the VLAN under Name.
4. Specify the use of the port in the VLAN. If, for example you select M, the port is a member of
the VLAN. The frame sent in this VLAN is forwarded with the corresponding VLAN tag.
5. Specify the mode of the device.
6. Click the "Set Values" button.
Description
Table 1 has the following columns:
• All ports
Shows that the settings are valid for all ports of table 2.
• Priority / Port VID / Acceptable Frames / Ingress Filtering
In the drop-down list, select the setting for all ports. If "No Change" is selected, the entries of
the corresponding column in table 2 remain unchanged.
• Copy to Table
If you click the button, the setting is adopted for all ports of table 2.
Table 2 has the following columns:
• Port
Shows the available ports.
• Priority
Select the required priority assigned to untagged frames.
The CoS priority (Class of Service) used in the VLAN tag. If a frame is received without a tag,
it will be assigned this priority. This priority specifies how the frame is further processed
compared with other frames.
There are a total of eight priorities with values 0 to 7, where 7 represents the highest priority
(IEEE 802.1p Port Priority).
• Port VID
Select the required VLAN ID. Only VLAN IDs defined in "VLAN > General" can be selected.
If a received frame does not have a VLAN tag, it has a tag with the VLAN ID specified here
added to it and is sent according to the rules at the port.
• Acceptable Frames
Specify which types of frames will be accepted. The following alternatives are possible:
– Tagged Frames Only
The device discards all untagged frames. Otherwise, the forwarding rules apply according
to the configuration.
– All
The device forwards all frames.
• Ingress Filtering
Specify whether the VID of received frames is evaluated.
You have the following options:
– Enabled
The VLAN ID of received frames decides whether they are forwarded: To forward a VLAN
tagged frame, the receiving port must be a member in the same VLAN. Frames from
unknown VLANs are discarded at the receiving port.
– Disabled
All frames are forwarded.
Steps in configuration
1. In the row of the port to be configured, click on the relevant cell in the table to configure it.
2. Enter the values to be set in the input boxes as follows.
3. Select the values to be set from the drop-down lists.
4. Click the "Set Values" button.
5.7.3.1 VXLAN
On this page, you define VXLANs (Virtual eXtensible LAN). VXLAN is a virtual network
technology for extending VLAN and allows the transmission of Layer 2 packets via Layer 3
networks.
The maximum size of a packet (MTU) for VXLAN is 1500 bytes. Larger packets are
fragmented.
Description
The page contains the following boxes:
• VXLAN
Enables the VXLAN function.
• UDP port
Enter the destination port of the VXLAN.
Range of values: 1000 ... 65535
UDP port 4789 is assigned by default.
• Network Virtual Endpoint Interface (NVE)
In this area, you configure the virtual interface via which the VXLAN tunnel is established.
– NVE ID
Enter a number for the NVE interface.
Range of values: 1 ... 65535
• The table contains the following columns.
– Select
Select the row you want to delete.
– NVE Interface
Shows the NVE interface. The label is automatically composed of "nve" and the entered
number.
Procedure
5.7.3.2 VTEP
On this page, you make settings relating to the VTEPs (VXLAN Tunnel End Points). The VTEPS
form the endpoints in the VXLAN over which the connection runs. In the "Static MAC" tab, you
set end devices that are to be reachable via a VTEP in the destination network.
Description
The page contains the following boxes:
• NVE Interface
Select the required NVE interface. Only the interfaces that you created in the "VXLAN" tab can
be selected.
• VTEP Source IP Address
Enter the IPv4 address of the source VTEP. The requirement is that the IPv4 address is created
on the device. You configure the IPv4 address under "Layer 3 > Subnets".
The table has the following columns:
• Select
Select the row you want to delete.
• NVE Interface
Shows the NVE interface. The ID of the NVE interface can only be assigned once when you
create a new data record and can then no longer be changed. To make a change, the entire
data record must be deleted and created again.
• VTEP Source IP Address
Shows the IPv4 address of the source VTEP.
Procedure
Creating the source IP address
1. Select the NVE interface.
2. Enter the corresponding VTEP source IP address.
3. Click the "Create" button.
Description
The page contains the following boxes:
• VLAN ID
Select the required VLAN ID. Only VLANs with a configured subnet can be selected.
• VNI
Enter the VNI that will be assigned to the VLAN ID. The VNI can be assigned to multiple VLAN
IDs.
The table has the following columns:
• Select
Select the row you want to delete.
• VLAN ID
Shows the VLAN ID.
• VNI
Shows the VNI assigned to the VLAN.
Procedure
Creating an assignment
1. Select the required VLAN ID.
2. Enter the VNI ID that will be assigned to the VLAN ID.
3. Click the "Create" button.
Description
The page contains the following boxes:
• NVE Interface
Select the required NVE interface.
• VNI ID
Enter the required VNI. Only VXLAN networks with the same VNI ID can communicate with
one another.
Range of values: 1 ... 16777215
The table has the following columns:
• Select
Select the row you want to delete.
• NVE Interface
Shows the selected NVE interface.
• VNI ID
Shows the VNI ID.
• Remote VTEP IP Address
Enter the IPv4 address of the remote VTEP.
The replicated Ethernet frame is encapsulated and sent to this remote VTEP. The prerequisite
is that the remote VTEP is a member of the VNI segment.
Procedure
1. Select the NVE interface.
2. Enter an ID in the "VNI ID" input box.
3. Click the "Create" button.
A new entry is generated in the table.
Description
The page contains the following boxes:
• NVE Interface
Select the NVE interface via which the remote VTRP can be reached. Only the interfaces that
you created in the "VXLAN" tab can be selected.
• VNI ID
Enter the VNI ID (VXLAN Network Identifier). Only VTEPs that are members of the same
VXLAN segment can communicate with one another.
• Remote MAC Address
Enter the MAC address of the end device in the destination network to be reached via the
VTEP entered in the table.
The table has the following columns:
• Select
Select the row you want to delete.
• NVE Interface
Shows the NVE interface.
• VNI
Shows the VNI. The VNI can only be assigned once when you create a new data record and
can then no longer be changed. To make a change, the entire data record must be deleted
and created again.
• Remote MAC Address
Shows the MAC address of the end device in the destination network.
• Remote VTEP IP Address
Enter the IPv4 address of the VTEP via which the end device with the entered remote MAC
address can be reached in the destination network.
Procedure
1. Select the NVE interface.
2. Enter an ID in the "VNI ID" input box.
3. Enter the remote MAC address.
4. Click the "Create" button.
A new entry is generated in the table.
5. Enter the remote VTEP IP address.
6. Click the "Set Values" button.
Steps in configuration
1. Select the "Dynamic MAC Aging" check box.
2. Enter the time in seconds in the "Aging Time[s]" input box.
3. Click the "Set Values" button.
5.7.5.1 General
This is the basic page for spanning tree. As default, Rapid Spanning Tree is enabled.
Description
The page contains the following boxes:
• Spanning Tree
Enable or disable spanning tree.
• Protocol Compatibility
The following setting is available:
– RSTP
Procedure
1. Select the "Spanning Tree" check box.
2. Click the "Set Values" button.
5.7.5.2 ST general
The page consists of the following parts.
• The left-hand side of the page shows the configuration of the device.
• The right-hand part shows the configuration of the root bridge that can be derived from the
spanning tree frames received by a device.
Description
The page contains the following boxes:
• Bridge Priority / Root Priority
Which device becomes the root bridge is decided by the bridge priority. The bridge with the
highest priority (in other words, with the lowest value for this parameter) becomes the root
bridge. If several devices in a network have the same priority, the device whose MAC address
has the lowest numeric value will become the root bridge. Both parameters, bridge priority
and MAC address together form the bridge identifier. Since the root bridge manages all path
changes, it should be located as centrally as possible due to the delay of the frames.
The value for the bridge priority is a whole multiple of 4096. Range of values: 0 - 61440
• Bridge Address / Root Address
The bridge address shows the MAC address of the device and the root address shows the MAC
address of the root bridge.
• Root port
Shows the port via which the switch communicates with the root bridge.
• Root Cost
The path costs from this device to the root bridge.
• Topology Changes / Last Topology Change
The entry for the device shows the number of reconfiguration actions due to the spanning
tree mechanism since the last startup. For the root bridge, the time since the last
reconfiguration is displayed as follows:
– Seconds: Unit "sec" after the number
– Minutes: Unit min after the number
– Hours: Unit hr after the number
• Bridge hello time [s] / Root hello time [s]
Each bridge sends configuration frames (BPDUs) regularly. The interval between two
configuration frames is the "Hello Time".
Factory setting: 2 seconds
• Bridge Forward Delay[s] / Root Forward Delay[s]
New configuration data is not used immediately by a bridge but only after the period
specified in the Forward Delay parameter. This ensures that operation is only started with the
new topology after all the bridges have the required information.
Factory setting: 15 seconds
• Bridge Max Age[s] / Root Max Age[s]
If the BPDU is older than the specified "Max Age" it is discarded.
Factory setting: 20 seconds
• Reset Counters
Click this button to reset the counters on this page.
5.7.5.3 ST port
When the page is called, the table displays the current status of the configuration of the port
parameters.
To configure them, click the relevant cells in the port table.
Description
Table 1 has the following columns:
• All ports
Shows that the settings are valid for all ports of table 2.
• Spanning Tree Status
In the drop-down list, select the setting for all ports. If "No Change" is selected, the entries of
the corresponding column in table 2 remain unchanged.
• Copy to Table
If you click the button, the setting is adopted for all ports of table 2.
Table 2 has the following columns:
• Port
Shows the available ports.
• Spanning Tree Status
Specify whether or not the port is integrated in the spanning tree.
Note
If you disable the "Spanning Tree Status" option for a port, this may cause the formation of
loops. The topology must be kept in mind.
• Priority
Enter the priority of the port. The priority is only evaluated when the path costs are the same.
The value must be divisible by 16. If the value that cannot be divided by 16, the value is
automatically adapted.
Range of values: 0 - 240.
The default is 128.
• Cost Calc.
Enter the path cost calculation. If you enter the value "0" here, the automatically calculated
value is displayed in the "Path costs" box.
• Path Cost
This parameter is used to calculate the path that will be selected. The path with the lowest
value is selected as the path. If several ports of a device have the same value for the path
costs, the port with the lowest port number is selected.
If the value in the box "Cost Calc." is "0", the automatically calculated value is shown.
Otherwise, the value of the "Cost Calc." box is displayed.
The calculation of the path costs is largely based on the transmission speed. The higher the
achievable transmission speed is, the lower the value of the path costs.
Typical values for path costs with rapid spanning tree:
– 10,000 Mbps = 2,000
– 1000 Mbps = 20,000
– 100 Mbps = 200,000
– 10 Mbps = 2,000,000
The values can, however, also be set individually.
• Status
Displays the current status of the port. The values are only displayed and cannot be
configured. The "Status" parameter depends on the configured protocol. The following values
are possible:
–
Disabled
The port only receives and is not involved in STP, MSTP and RSTP.
– Discarding
In the "Discarding" mode, BPDU frames are received. Other incoming or outgoing frames
are discarded.
– Listening
In this status, BPDUs are both received and sent. The port is involved in the spanning tree
algorithm.
–
Learning
Stage prior to the "Forwarding" status, the port is actively learning the topology (in other
words, the node addresses).
–
Forwarding
Following the reconfiguration time, the port is active in the network; it receives and
forwards data frames.
• Fwd. Trans
Specifies the number of changes from the "Discarding" status to the "Forwarding" status.
• Edge Type
Specify the type of "edge port". You have the following options:
– "-"
Edge port is disabled. The port is treated as a "no Edge Port".
– Admin
Select this option when there is always an end device on this port. Otherwise a
reconfiguration of the network will be triggered each time a connection is changed.
– Auto
Select this option if you want a connected end device to be detected automatically at this
port. When the connection is established the first time, the port is treated as a "no Edge
Port".
– Admin/Auto
Select these options if you operate a combination of both on this port. When the
connection is established the first time, the port is treated as an "Edge Port".
• Edge
Shows the status of the port.
– Enabled
5.7.6 LLDP
Applications
PROFINET uses LLDP for topology diagnostics. In the factory setting, LLDP is enabled for all
available ports; in other words, LLDP frames are sent on the ports.
The information sent is stored on every device with LLDP capability in an LLDP MIB file.
Network management systems can access these LLDP MIB files using SNMP and therefore
recreate the existing network topology. In this way, an administrator can find out which
network components are connected to each other and can localize disruptions.
On this page, you have the option of enabling or disabling sending and/or receiving per port.
Description
Table 1 has the following columns:
Table 1 is only available when the device has more than one port.
• All Ports
Shows that the settings are valid for all ports.
• Setting
Select the setting from the drop-down list. If "No Change" is selected, the entry in table 2
remains unchanged.
• Copy to Table
If you click the button, the setting is adopted for all ports of table 2.
Table 2 has the following columns:
• Port
Shows the available ports.
• Setting
Specify the LLDP functionality. The following options are available:
– Rx
This port can only receive LLDP frames.
– Tx
This port can only send LLDP frames.
– Rx & Tx
This port can receive and send LLDP frames.
– "-" (disabled)
This port can neither receive nor send LLDP frames.
Procedure
1. Select the LLDP functionality of the port from the "Setting" drop-down list.
2. Click the "Set Values" button.
Description
The page contains the following boxes:
• Destination Network
Enter the network address of the destination that can be reached via this route.
• Subnet Mask
Enter the corresponding subnet mask.
• Gateway
Enter the IPv4 address of the gateway via which this network address is reachable.
• Interface
Specify whether the network address can be reached via a certain interface or via the
gateway (auto).
• Administrative Distance
Enter the metric for the route. The metric corresponds to the quality of a connection, for
example speed, costs. If there are several equal routes, the route with the lowest metric value
is used.
If you do not enter anything, "not used" is entered automatically. The metric can be changed
later.
Range of values: 1 - 255 or -1 for "not used".
Here, 1 is the value for the best possible route. The higher value, the longer packets require
to their destination.
Procedure
1. Enter the network address of the destination in the "Destination Network" input box.
2. Enter the corresponding subnet mask in the "Subnet Mask" input box.
3. For "Interface", select the entry "auto".
4. Enter the gateway in the "Gateway" input box.
5. Enter the weighting of the route in "Administrative Distance".
6. Click the "Create" button. A new entry is generated in the table.
7. Click the "Set Values" button.
5.8.2 Subnets
5.8.2.1 Overview
The page shows the subnets for the selected interface. A subnet always relates to an interface
and is created in the "Configuration" tab.
Description
The page contains the following box:
• Interface
Select the interface on which you want to configure another subnet.
The table has the following columns:
• Select
Select the row you want to delete.
• Interface
Shows the interface.
• TIA Interface
Shows whether the interface is a TIA interface.
• Status
Shows whether or not the interface is enabled.
• Interface Name
Shows the name of the interface.
• MAC Address
Shows the MAC address.
• IP Address
Shows the IPv4 address of the subnet.
• Subnet Mask
Shows the subnet mask.
• Address Type
Shows the address type. The following values are possible:
– Primary
The first IPv4 address that was configured on the IPv4 interface.
– Secondary
All other IPv4 addresses that were configured on the IPv4 interface.
• IP Assignment Method
Shows how the IPv4 address is assigned. The following values are possible:
– Static
The IPv4 address is static. You enter the settings in "IP Address" and "Subnet Mask".
– Dynamic (DHCP)
The device obtains a dynamic IPv4 address from a DHCPv4 server.
• Address Collision Detection Status
If new IPv4 addresses become active in the network, the "Address Collision Detection"
function checks whether this can result in address collisions. The allows IPv4 addresses that
would be assigned twice to be detected.
Note
The function does not run a cyclic check.
This column shows the current status of the function. The following values are possible:
– Idle
The interface is not enabled and does not have an IPv4 address.
– Starting
This status indicates the start-up phase. In this phase, the device initially sends a query as
to whether the planned IPv4 address already exists. If the address is not yet been assigned,
the device sends the message that it is using this IP address as of now.
– Conflict
The interface is not enabled. The interface is attempting to use an IPv4 address address
that has already been assigned.
– Defending
The interface uses a unique IPv4 address. Another interface is attempting to use the same
IPv4 address.
– Active
The interface uses a unique IPv4 address. There are no collisions.
– Not supported
The function for detection of address collisions is not supported.
– Disabled
The function for detection of address collisions is disabled.
• MTU
Shows the packet size.
5.8.2.2 Configuration
On this page, you configure the subnet for the interface.
Description
The page contains the following:
• Interface (Name)
Select the interface from the drop-down list.
• Status
Enable or disable the interface.
• Interface Name
Enter the name of the interface.
• MAC Address
Displays the MAC address of the selected interface.
• DHCP
When enabled, the interface obtains the IPv4 address from a DHCP server.
• IP Address
Enter the IPv4 address of the interface. The IPv4 addresses must not be used more than once.
• Subnet Mask
Enter the subnet mask of the subnet you are creating. Subnets on different interfaces must
not overlap.
• Broadcast IP Address
If a specific IP address is to be used as the broadcast IP address of the subnet, enter this.
Otherwise the last IP address of the subnet will be used.
• Address Type
Shows the address type. The following values are possible:
– Primary
The first subnet of the interface.
– Secondary
All further subnets of the interface.
• TIA Interface
Select whether this interface should become the TIA interface. The TIA interface defines on
which VLAN the PROFINET functionalities are available. This mainly affects the device search
with or via DCP.
• MTU
MTU (Maximum Transmission Unit) specifies the maximum size of the packet. If packets are
longer than the set MTU, they are fragmented. The MTU covers the IP header and the headers
of the higher layers.
The range of values is from 90 to 1500 bytes.
5.8.3 NAT
Description
On this page, you can enable the following option:
• Announce alias IP addresses
When the option is enabled, a Gratuitous ARP is sent for each alias IP address. This announces
the IP address in the network, and the other devices can update their ARP cache. The
Gratuitous ARP is only sent at the time of configuration, that is, during device startup or when
an NAT rule (NETMAP) is being configured.
5.8.3.2 Masquerading
On this WBM page, you enable the rules for IP masquerading.
Description
The table has the following columns:
• Interface
Interface to which the setting relates. Only interfaces with a configured subnet are available.
• Enable Masquerading
When enabled, with each outgoing data packet sent via this interface, the source IP address
is replaced by the IP address of the interface.
5.8.3.3 NAPT
On this WBM page, you can configure a port translation in addition to the address translation.
The following port translations are possible:
• From a single port to the same port:
If the ports are the same, the frames will be forwarded without port translation.
• From a single port to a single port
The frames are translated to the port.
• From a port range to a single port
The frames from the port range are translated to the same port (n:1).
• From a port range to the same port range
If the port ranges are the same, the frames will be forwarded without port translation.
Description
The page contains the following boxes:
• Source Interface
Select the interface on which the queries will arrive.
• Traffic Type
Specify the protocol for which the address assignment is valid.
• Use Interface IP from Source Interface
When enabled, the IP address of the selected interface is used for "Dest IP Address".
• Destination IP
Enter the destination IP address. The frames are received at this IP address. Can only be edited
if "Use Interface IP from Source Interface" is disabled.
• Destination Port
Enter the destination port. Incoming frames with this port as the destination port are
forwarded. If the setting is intended to apply to a port range, enter the range with start port
"-" end port, for example 30 - 40.
• Translated Destination IP
Enter the IP address of the node to which this frame will be forwarded.
• Translated Destination Port
Enter the number of the port. This is the new destination port to which the incoming frame
will be forwarded. If the setting is intended to apply to a port range, enter the range with start
port "-" end port, for example 30 - 40.
The table has the following columns:
• Select
Select the check box in the row to be deleted.
• Source Interface
Shows the interface from which the packets need to come. Only these packets are considered
for port forwarding.
• Traffic Type
Shows the protocol for which the address assignment applies.
• Interface IP
Shows whether the IP address of the interface is used.
• Destination IP
Shows the destination IP address. The frames are received at this IP address.
• Destination Port
Shows the destination port. Incoming frames with this port as the destination port are
forwarded.
• Translated Destination IP
Shows the IP address of the node to which the packets will be forwarded.
• Translated Destination Port
Shows the destination port to which the packets are translated.
Note
Firewall rule with source NAT
Address translation with source NAT was only performed after the firewall; the non-translated
addresses are therefore used.
Security > Firewall > IP rules
• Source (Range): Input from "Source IP Addresses"
• Destination (Range): Input from "Destination IP Addresses"
Description
• Source Interface / Destination Interface
Specify the direction of the connection establishment. Only connections established in this
specified direction are taken into account.
The virtual interfaces of VPN connections can also be selected:
– VLANx: VLANs with configured subnet
– pppx or usb0: WAN interface
– SINEMA RC: Connection to SINEMA RC Server
– IPsec: Either all IPsec VPN connections (all) or a specific IPsec VPN connection
– OpenVPN: Either all OpenVPN connections (all) or a specific OpenVPN connection
Note
When you configure a NAT address translation to or from the direction of the VPN tunnel, only
the IP addresses involved in the NAT address translation rules can be reached via the VPN
tunnel.
• Source IP Address(es)
Specify the source IP addresses for which this source NAT rule is valid. Only the packets that
correspond to the addresses entered are taken into account.
The following entries are possible:
– IP address: Applies precisely to the specified IP address.
– IP address range: Applies to a certain IP address range: Start IP address "-" End IP address,
e.g. 192.168.100.10 - 192.168.100.20
– IP subnet: Applies to several IPv4 addresses grouped together to form an IP address range:
IP address/number of bits of the network part (CIDR notation)
• Use Interface IP from Destination Interface
When enabled, the IP address of the selected destination interface is used in "Translated
Source IP Address".
• Translated Source IP Address
Enter the IP address with which the IP address of the sender is replaced. Can only be edited
if "Use Interface IP from Destination Interface" is disabled.
• Destination IP Address(es)
Specify the destination IP addresses for which this source NAT rule is valid. Only the packets
whose destination IP address is in the range of entered addresses are taken into account.
– IP address: Applies precisely to the specified IP address.
– IP address range: Applies to a certain IP address range: Start IP address "-" End IP address,
e.g. 192.168.100.10 - 192.168.100.20
– IP subnet: Applies to several IPv4 addresses grouped together to form an IP address range:
IP address/number of bits of the network part (CIDR notation)
See also
NAT and firewall (Page 81)
5.8.3.5 NETMAP
On this WBM page, you specify the rules for NETMAP. NETMAP is static 1:1 mapping of network
addresses in which the host part is retained. For more information, refer to the section "NAT and
firewall (Page 81)".
Note
Firewall rule with source NAT
Address translation with source NAT was only performed after the firewall; the non-translated
addresses are therefore used.
Security > Firewall > IP rules
• Source (Range): Input from "Source IP Subnet"
• Destination (Range): Input from "Destination IP Subnet"
Firewall rule with destination NAT
Address translation with NAT was already performed before the firewall; the translated
addresses are therefore used in the firewall.
Security > Firewall > IP rules
• Source (Range): Input from "Source IP Subnet"
• Destination (Range): Input from "Translated Destination IP Subnet"
Description
• Type
Specify the type of address translation.
– Source: Replacement of the source IP address
– Destination: Replacement of the destination IP address
• Source Interface
Specify the source interface.
– VLANx: VLANs with configured subnet
– pppsx or usb0: WAN interface
– SINEMA RC: Connection to the SINEMA RC server
– IPsec: Either all IPsec VPN connections (all) or a specific IPsec VPN connection
– OpenVPN: Either all OpenVPN connections (all) or a specific OpenVPN connection
• Destination Interface
Specify the destination interface.
– VLANx: VLANs with configured subnet
– pppx or usb0: WAN interface
– SINEMA RC: Connection to the SINEMA RC server
– IPsec: Either all IPsec VPN connections (all) or a specific IPsec VPN connection
– OpenVPN: Either all OpenVPN connections (all) or a specific OpenVPN connection
• Source IP Subnet
Enter the subnet of the sender.
The subnet can also be a single PC or another subset of the subnet. Use the CIDR notation.
5.8.4 VRRPv3
5.8.4.1 Router
Introduction
Using the "Create" button, you can create new virtual routers. A maximum of 2 virtual routers
can be configured. You can configure other parameters on the "Configuration" tab.
Note
• You can use VRRPv3 on VLAN interfaces.
Requirement
For the incoming packets to be forwarded to the device, enable the predefined IPv4 rule "VRRP".
Description
The page contains the following:
• VRRPv3
Enable or disable routing using VRRPv3.
• VRID-Tracking
Enable or disable VRID tracking.
When enabled, all VRRP instances are monitored. If the status of a VRRP instance changes to
"Initialize", the priority of all VRRP instances is reduced to the value "1".
If the status of a VRRP instance changes, the original priority of all VRRP instances is restored.
• Interface
Select the required VLAN interface operating as virtual router.
• VRID
Enter the ID of the virtual router. This ID defines the group of routers that form a virtual router
(VR). In the group, this is the same. It can no longer be used for other groups.
Values 1...255 are valid.
Procedure
1. Select the "VRRPv3" check box.
2. Select the required interface.
3. Enter the ID of the virtual router in the "VRID" input box.
4. Click the "Create" button. A new row is inserted in the table.
5. Select the "Reply to pings on virtual interfaces" check box so that virtual IPv4 addresses reply
to pings as well.
6. Select the "VRID Tracking" check box to monitor the VRID.
7. Click the "Set Values" button. To configure the virtual router, click on the "Configuration" tab.
5.8.4.2 Configuration
Introduction
On this page, you configure the virtual router.
Description
The page contains the following:
• Interface / VRID
Select the ID of the virtual router to be configured.
• Primary Address
Select the primary IPv4 address. If the router becomes master router, the router uses this IPv4
address.
Note
If you only configure one subnet on this VLAN, no entry is necessary. The entry is then
0.0.0.0.
If you configure more than one subnet on the VLAN and you want a specific IPv4 address to
be used as the source address for VRRP packets, select the IPv4 address. Otherwise, the
numerically lowest IPv4 address will be used.
• Priority
Enter the priority of this virtual router. Valid values are 1-254.
If an IPv4 address is assigned to the VRRPv3 router that is also actually configured on the local
IPv4 interface, the value 255 is entered automatically. All other priorities can be distributed
freely among the VRRPv3 routers. The higher the priority, the earlier the VRRPv3 router
becomes "Master".
• Advertisement interval
Enter the time interval after which a master router sends another VRRPv3 packet.
Specified in centiseconds.
• Track ID
Select a track ID.
• Decrement Priority
Enter the value by which the priority of the VRRPv3 interface will be reduced.
• Current Priority
Shows the priority of the VRRPv3 interface after the monitored interface has changed to the
"down" status.
Procedure
To configure a virtual router as the master router, follow the steps below:
1. Select the ID of the virtual router you want to configure from the "Interface / VRID" drop-down
list.
2. Select the "Status" check box.
3. Select the source address from the "Primary Address" drop-down list.
4. From the "Priority" drop-down list, enter the priority of this virtual router.
5. Enter the interval in "Advertisement Interval".
6. Select a track ID.
7. Enter the value by which the priority of the VRRPv3 interface will be reduced
8. Click the "Set Values" button.
Overview
This page shows which IPv4 addresses the virtual router monitors. Each virtual router can
monitor one IPv4 address.
Description
The page contains the following:
• Interface / VRID
Select the ID of the virtual router.
• Associated IP Address
Enter the IPv4 address that the virtual router will monitor.
The table has the following columns:
• Select
Select the check box in the row to be deleted
• Associated IP Address
Shows the IPv4 addresses that the virtual router monitors.
Procedure
1. Select the ID of the virtual router.
2. Enter the IPv4 address that the virtual router will monitor.
3. Click the "Create" button. A new entry is generated in the table.
Introduction
On this page, you configure the monitoring of interfaces.
When the link of a monitored interface changes from "up" to "down", the priority of the
assigned VRRP interface is reduced. You configure the value by which the priority is reduced
on the page "Layer 3 > VRRPv3 > Configuration".
When the link of the interface changes back from "down" to "up", the original priority of the
VRRP interface is restored.
Description
The page contains the following boxes:
• Interface
From the drop-down list, select the interface to be monitored.
• Track ID
Enter a track ID.
• Track ID
Select a track ID.
• Track Interface Count
Enter how many monitored interfaces need to change to the "down" status, before the
priority is changed.
Procedure
1. Select the required interface from the "Interface" drop-down list.
2. In the "Track ID" box, enter the required ID.
3. Click the "Create" button.
4. Select an ID from the "Track-ID" drop-down list:
5. In the "Track Interface Count" enter the number of interfaces.
6. Click the "Set Values" button.
7. Link the monitoring to a VRRP interface in the "Configuration" tab.
Introduction
You configure the monitoring of IPv4 addresses on this page. The router sends a ping request to
each of the configured IPv4 addresses within the specified time period. If no response is received
within a specified time period, the VRRP priority of the corresponding interface is reduced.
Description
The page contains the following boxes:
• Track ID
Enter the track ID.
• IP Address
Enter the IPv4 address to be monitored. You can enter a maximum of five IPv4 addresses.
The table has the following columns:
• Select
Select the row you want to delete.
• Track ID
Shows the track ID.
• IP Address
Show the IPv4 address to be monitored.
• Ping Period
Shows the cycle time in seconds between two ping requests.
• Ping Timeout
Shows the time in seconds that the router waits for a ping response. The minimum duration
is three times the ping period.
Procedure
1. In the "Track ID" box, enter the required ID.
2. In the "IPv4 Address" field, enter the IPv4 address that the virtual router is to monitor.
3. Click the "Create" button. A new entry is generated in the table.
5.9.1 Subnets
Connected Subnets
On this page, you can enable IPv6 on the interface. The interface is also called an IPv6 interface.
An IPv6 interface can have several IPv6 addresses.
Description
The page contains the following:
• Interface
Select the IP interface on which IPv6 will be enabled.
• IPv6 Enable
Enable or disable IPv6 on the interface.
Note
Disabling IPv6
If IPv6 is enabled on an interface, you can only disable IPv6 by deleting interface.
• IPv6 Address
Enter the IPv6 address. The entry depends on the selected address type.
• Prefix Length
Enter the number of left-hand bits belonging to the prefix.
Procedure
Automatically form link local address
1. Select the required interface.
2. Enable IPv6.
3. Click the "Create" button. In the table an entry with the interface is created and the
automatically formed IPv6 address is displayed.
Assign link-local address
1. Select the required interface.
2. Enable IPv6.
3. In "IPv6 Address" enter the link local address, e.g. FE80::21B:1BFF:FE40:9155
4. Enter "64" in "Prefix Length".
5. For "IPv6 Address Type" select the entry "Link Local".
6. Click the "Create" button. In the table an entry with the interface is created and the IPv6
address is displayed.
5.9.2 NAT
5.9.2.1 Masquerading
On this WBM page, you enable the rules for IPv6 masquerading.
Description
The table has the following columns:
• Interface
Interface to which the setting relates. Only interfaces with a configured subnet are available.
• Enable Masquerading
When enabled, with each outgoing data packet sent via this interface, the source IP address
is replaced by the IPv6 address of the interface.
5.10.1 Users
Description
The page contains the following:
• User Account
Enter the name for the user. The name must meet the following conditions:
– It must be unique.
– It must be between 1 and 250 characters long.
– The following characters must not be included: | § ? " ; : ß
– The characters for Space and Delete also cannot be included.
Note
User name cannot be changed
After creating a user, the user name can no longer be modified.
If a user name needs to be changed, the user must be deleted and a new user created.
Note
User names: admin
You can configure the device with this user name.
When you log in for the first time or log in after a "Restore Factory Defaults and Restart", you
will be prompted to change the predefined password "admin". You can also rename the
"admin" user preset in the factory once. Afterwards, renaming "admin" is no longer possible.
• Password Policy
Shows which password policy is being used.
– High
Password length: at least 8 characters, maximum 128 characters
At least 1 uppercase letter
At least 1 special character
At least 1 number
– User-defined
The password must meet the configured requirements. You configure the requirements
under "Security > Passwords > Options".
• Password
Enter the password. The strength of the password depends on the set password policy.
It may not contain any of the following characters: | § ? " ; : ß \
• Password Confirmation
Enter the password again to confirm it.
• Role
Select a role.
You can choose between default and self-defined roles, refer to the page "Security > Users >
Roles.".
• User Account
Shows the user name.
• Role
Shows the role of the user.
• Description
Displays a description of the user account. The description text can be up to 100 characters
long.
• Remote Access
– Only
Only remote access, which means no rights other than logging into the WBM page for
user-specific firewall.
– None
No remote access. The user cannot log on to the user-specific firewall, but only to the WBM
of the device.
– Additional
The user can log on to both the WBM of the device and the user-specific firewall.
Procedure
Note
Changes in "Trial" mode
Even if the device is in "Trial" mode, changes that you carry out on this page are saved
immediately.
Creating users
1. Enter the name for the user.
2. Enter the password for the user.
3. Enter the password again to confirm it.
4. Select the role of the user.
5. Click the "Create" button.
6. Enter a description of the user.
7. Click the "Set Values" button.
Deleting users
1. Select the check box in the row to be deleted.
2. Click the "Delete" button. The entries are deleted and the page is updated.
5.10.1.2 Roles
Roles
On this page, you create roles that are valid locally on the device.
Note
The values displayed depend on the rights of the logged-in user.
Description
The page contains the following:
• Role Name
Enter the name for the role. The name must meet the following conditions:
– It must be unique.
– It must be between 1 and 64 characters long.
Note
Role name cannot be changed
After creating a role, the name of the role can no longer be changed.
If a name of a role needs to be changed, the role must be deleted and a new role created.
• Role
Shows the name of the role.
• Function Right
Select the function rights of the role:
– 1
Users with this role can read device parameters but cannot change them. Users with this
role can change their own password.
– 15
Users with this role can both read and change device parameters.
Note
Function right cannot be changed
If you have assigned a role, you can no longer change the function right of the role.
If you want to change the function right of a role, follow the steps outlined below:
1. Delete all assigned users.
2. Change the function right of the role:
3. Assign the role again.
• Description
Enter a description for the role. With predefined roles a description is displayed. The
description text can be up to 100 characters long.
• Remote Access
– None
No remote access. The user cannot log in to the dynamic firewall, but only to the WBM of
the device.
– Additional
The user can log in to both the WBM of the device and the dynamic firewall.
– Only
The user can only log into the dynamic firewall.
Procedure
Creating a role
1. Enter the name for the role.
2. Click the "Create" button.
3. Select the function rights of the role.
5.10.1.3 Groups
User groups
On this page you link a group with a role.
In this example the group "Administrators" is linked to the "admin" role: The group is
defined on a RADIUS server. The role is defined locally on the device. When a RADIUS server
authenticates a user and assigns the user to the "Administrators" group, this user is given
rights of the "admin" role.
Note
The values displayed depend on the rights of the logged-in user.
Description
The page contains the following:
• Group Name
Enter the name of the group. The name must match the group on the RADIUS server.
The name must meet the following conditions:
– It must be unique.
– It must be between 1 and 64 characters long.
– The following are not permitted: § ? " ; :
Procedure
Linking a group to a role.
1. Enter the name of a group.
2. Click the "Create" button.
3. Select a role.
4. Enter a description for the link of a group.to a role.
5. Click the "Set Values" button.
Deleting the link between a group and a role
1. Select the check box in the row to be deleted.
2. Click the "Delete" button. The entries are deleted and the page is updated.
5.10.2 Passwords
Description
The page contains the following:
• Current User
Shows the user that is currently logged in.
• Current User Password
Enter the password for the currently logged in user.
• User Account
Select the user whose password you want to change.
• Password Policy
Shows which password policy is being used when assigning new passwords.
– High
Password length: at least 8 characters, maximum 128 characters
At least 1 uppercase letter
At least 1 special character
At least 1 number
– User-defined
The password must meet the configured requirements. You configure the requirements
under "Security > Passwords > Options"
• New Password
Enter the new password for the selected user.
It may not contain any of the following characters: | § ? " ; : ß \
Note
When you log in for the first time or log in after a "Restore Factory Defaults and Restart", you
will be prompted to change the predefined password "admin". You can also rename the
"admin" user preset in the factory once. Afterwards, renaming "admin" is no longer possible.
The factory setting for the password when the devices ship is as follows:
• admin: admin
Note
Changing the password in Trial mode
Even if you change the password in Trial mode, this change is saved immediately.
• Password Confirmation
Enter the new password again to confirm it.
5.10.2.1 Options
On this page, you specify which password policy will be used when assigning new passwords.
Description
• Password Policy
Shows which password policy is currently being used.
• New Password Policy
Select the required setting from the drop-down list.
– High
Password length: at least 8 characters, maximum 128 characters
At least 1 number
At least 1 special character
At least 1 uppercase letter
– User-defined
Configure the desired password requirements under "Password Policy Details".
• Password Policy Details
When you have selected the "High" password policy, the relevant password requirements are
displayed.
When you have selected the "User-defined" password policy, you can configure the relevant
password requirements.
– Minimum Password Length
Specifies the minimum length of a password.
– Minimum Number of Numeric Characters
Specifies the minimum number of numeric characters in a password.
– Minimum Number of Special Characters
Specifies the minimum number of special characters in a password.
– Minimum Number of Uppercase Letters
Specifies the minimum number of uppercase characters in a password.
– Minimum Number of Lowercase Letters
Specifies the minimum number of lowercase characters in a password.
5.10.3 AAA
5.10.3.1 General
Description
The page contains the following boxes:
Note
To be able to use the login authentication "RADIUS", "Local and RADIUS" or "RADIUS and fallback
Local", a RADIUS server must be stored and configured for user authentication.
• Login Authentication
Specify how the login is made:
– Local
The authentication must be made locally on the device.
– RADIUS
The authentication must be handled via a RADIUS server.
– Local and RADIUS
The authentication is possible both with the users that exist on the device (user name and
password) and via a RADIUS server.
The user is first searched for in the local database. If the user does not exist there, a RADIUS
request is sent.
– RADIUS and fallback Local
The authentication must be handled via a RADIUS server.
A local authentication is performed only when the RADIUS server cannot be reached in
the network.
Description
The page contains the following boxes:
• RADIUS Authorization Mode
For the login authentication, the RADIUS authorization mode specifies how the rights are
assigned to the user with a successful authentication.
– Conventional
In this mode the user is logged in with administrator rights if the server returns the value
"Administrative User" to the device for the attribute "Service Type". In all other cases the
user is logged in with read rights.
– SiemensVSA
In this mode, the assignment of rights depends on whether and which group the server
returns for the user and whether or not there is an entry for the user in the table "External
User Accounts".
The table has the following columns:
• Select
Select the row you want to delete.
• RADIUS Server Address
Enter the IP address or the FQDN (Fully Qualified Domain Name) of the RADIUS server.
• Server Port
Here, enter the input port on the RADIUS server. As default, input port 1812 is set. The range
of values is 1 to 65535.
• Shared Secret
Enter your access ID here. The range of values is 1...128 characters
• Shared Secret Conf.
Enter your access ID again as confirmation.
• Max. Retrans.
Here, enter the maximum number of retries for an attempted request.
The initial connection attempt is repeated the number of times specified here before another
configured RADIUS server is queried or the login counts as having failed. As default 3 retries
are set, this means 4 connection attempts. The range of values is 1 to 5.
• Primary Server
Using the options in the drop-down list, specify whether or not this server is the primary
server. You can select one of the options "yes" or "no".
• Test
With this button, you can test whether or not the specified RADIUS server is available. The test
is performed once and not repeated cyclically.
• Test Result
Shows whether or not the RADIUS server is available:
– Not reachable
The IP address is not reachable.
The IP address is reachable, the RADIUS server is, however, not running.
– Reachable, key not accepted
The IP address is reachable, the RADIUS server does not, however accept the shared secret.
– Reachable, key accepted
The IP address is reachable, the RADIUS server accepts the specified shared secret.
Procedure
Entering a new server
1. Click the "Create" button. A new entry is generated in the table.
The following default values are entered in the table:
– RADIUS Server Address: 0.0.0.0
– Server Port: 1812
– Max. Retrans.: 3
– Primary server: No
2. In the relevant row, enter the following data in the input boxes:
– RADIUS Server Address
– Server Port
– Shared Secret
– Shared Secret Conf
– Max. Retrans.: 3
– Primary server: No
3. If necessary check the reachability of the RADIUS server.
4. Click the "Set Values" button.
Repeat this procedure for every server you want to enter.
Modifying servers
1. In the relevant row, enter the following data in the input boxes:
– RADIUS Server Address
– Server Port
– Shared Secret
– Shared Secret Conf
– Max. Retrans.
– Primary Server
2. If necessary check the reachability of the RADIUS server.
3. Click the "Set Values" button.
Repeat this procedure for every server whose entry you want to modify.
Deleting servers
1. Click the check box in the first column before the row you want to delete to select the entry
for deletion.
Repeat this for all entries you want to delete.
2. Click the "Delete" button. The data is deleted from the memory of the device and the page is
updated.
5.10.4 Certificates
5.10.4.1 Overview
All loaded files (certificates and keys) are shown on this WBM page. You have the following
options for loading files on the device:
• System > Load&Save > HTTP
• System > Load&Save > TFTP
• System > Load&Save > SFTP
Figure 5-1 Part 1
Figure 5-2 Part 2
Description
• Select
Select the check box in the row to be deleted. Only unused certificates can be deleted.
• Type
Shows the type of the loaded file.
– CA Cert
The CA certificate is signed by a CA (Certification Authority).
– Machine certificate
– Key File
– Remote Cert
Partner certificate
• Filename
Shows the file name.
• Status
Shows whether the certificate is valid or has already expired.
• Subject DN
Shows the name of the applicant.
• Issuer DN
Shows the name of the certificate issuer.
• Issue Date
Shows the start of the period of validity of the certificate
• Expiry Date
Shows the end of the period of validity of the certificate.
• Used
Shows which function uses the certificate.
5.10.4.2 Certificates
The format of the certificate is based on X.509, a standard of the ITU-T for creating digital
certificates. This standard describes the schematic structure of X509 certificates. You will find
further information on this on the Internet at "http://www.itu.int".
On this WBM page, the content of the following structure elements can be displayed. If the
structure element does not exist or is not completed in the selected certificate, nothing is
shown in the box on the right. Certain entries can only be edited if they are supported.
Description
• Filename
Select the required certificate.
• Type
Shows the type of the loaded file.
– CA Cert
The CA certificate is signed by a CA (Certification Authority).
– Machine certificate
– Key File
– Remote Cert
Partner certificate
• DN
Shows the name of the applicant.
• Issuer DN
Shows the name of the certificate issuer.
• Subject Alternate Name
If it exists, an alternative name of the applicant is displayed.
• Issue Date
Shows the start of the period of validity of the certificate
• Expiry Date
Shows the end of the period of validity of the certificate.
• Serial Number
Shows the serial number of the certificate.
• Used
Shows which function uses the certificate.
• Crypto Algorithm
Shows which cryptographic method is used.
• Key Usage
Shows the purpose that the key belonging to the certificate is used for, e.g. to verify digital
signatures.
• Extended Key Usage
Shows whether the purpose is additionally restricted, e.g. only to verify signatures of the CA
certificate.
• Key File
Shows the key file.
• Certificate Revocation List 1st URL
Enter the URL with which the revocation list can be called up. Can only be edited if supported
by the certificate.
• Certificate Revocation List 2nd URL
Enter an alternative URL. If the revocation list cannot be called up using the 1st URL, the
alternative URL is used. Can only be edited if supported by the certificate.
• Certificate
Shows the name of the certificate.
• Passphrase
Enter the password for the certificate. Can only be edited if the encrypted file is password
protected.
• Passphrase Confirmation
Enter the password again. Can only be edited if the encrypted file is password protected.
5.10.5 Firewall
5.10.5.1 General
On this WBM page, you enable the firewall.
Note
Please remember that if you disable the firewall, your internal network is unprotected.
Description
The page contains the following:
• Activate Firewall
When enabled, the firewall is active.
• TCP Idle Timeout [s]
Enter the required time in seconds. If no data exchange takes place, the TCP connection is
terminated automatically when this time has elapsed.
The range of values is 1 to 21474836.
Default setting: 86400 seconds
• UDP Idle Timeout [s]
Enter the required time in seconds. If no data exchange takes place, the UDP connection is
terminated automatically when this time has elapsed.
The range of values is 1 to 21474836.
Default setting: 300 seconds
• ICMP Idle Timeout [s]
Enter the required time in seconds. If no data exchange takes place, the ICMP connection is
terminated automatically when this time has elapsed.
The range of values is 1 to 21474836.
Default setting: 300 seconds
• Enable State Synchronization
• Local Interface
Interfaces with DHCP cannot be selected.
• Local IP Address
• IP Address Sync Partner
• Port Sync Partner
Description
• Interface
The list is dynamic.
– pppx or usb0 (only with M876-4, MUM856)
Allows access from the WAN interface to the device.
– VLANx
Allows access from the IP subnet to the device. VLANs with configured IP subnet are
available.
– SINEMA RC
Allows access from the SINEMA RC server to the device. Only available with KEY-PLUG
SINEMA RC.
– OpenVPN connection, IPsec VPN connection
Allows the VPN tunnel partners reachable via the VPN connection to access the device.
If you have created a VPN connection, the connection name will be displayed in the list.
– IP Version
Shows the IP version to which the firewall rules apply.
IPv4
IPv6 (only with M876-4 and MUM85x)
• Access over the firewall is permitted to the following IPv4 services:
– All
All predefined IPv4 services.
– HTTP
For access to Web Based Management.
– HTTPS
For secure access to Web Based Management.
Note
HTTP and HTTPS deactivated
If you disable HTTP and HTTPS, the WBM of the device can no longer be reached.
HTTPS disabled
When you disable HTTPS, you can only access the WBM using HTTP. This assumes that
"HTTP & HTTPS" is set in "System > Configuration > HTTP Services". If for example "Redirect
HTTP to HTTPS" is set, access via HTTP cannot be redirected to HTTPS. This means that the
WBM of the device can no longer be reached.
– DNS
DNS queries to the device. Necessary only if the "DNS-Relay" function is enabled on the
device.
– SNMP
Incoming SNMP connections. Required, for example, to access the SNMP information of
the device using a MIB browser.
– Telnet
For unencrypted access to the CLI.
Description
• Days
If "Weekly" or "Monthly" is set for the cycle, specify the days.
Enter the days separated by commas, e.g. 1,3,4
– Weekly: 1 - 7
– Monthly: 1 - 31
• Dynamic Source (Range)
– Individual IP address: Specify the IP address
– IP range: Specify the range with start address "-" end address, e.g.
IPv4:192.168.100.10 - 192.168.100.20
IPv6: fe80:: - febf::
– All IP addresses:
IPv4: " 0.0.0.0/0"
IPv6: "::"
– If the rule set is activated by a user, the placeholder DYNAMIC is replaced by the IP address
of the end device used.
• Start time
Enter the start time in the format HH:MM.
• End time
Enter the end time in the format HH:MM.
• Enable
When enabled, the rule set is time-triggered. The connection is briefly interrupted when the
time-triggered firewall rules are initiated.
5.10.5.4 IP services
On this WBM page, you define IP services. Using the IP service definitions, you can define
firewall rules for specific services. You select a name and assign the service parameters to it.
When you configure the IP rules, you simply use this name.
Description
The page contains the following:
• Service Name
Enter the name of the IP service. The name must be unique.
This table contains the following columns:
• Select
Activate the check box in the row to be deleted.
• Service Name
Shows the name of the IP service.
• Transport
Specify the protocol type.
– UDP
The rule applies only to UDP frames.
– TCP
The rule applies only to TCP frames.
• Source Port (Range)
Enter the source port. The rule applies specifically to the specified port.
– If the rule is intended to apply to a port range, enter the range with start port "-" end port,
for example 30 - 40.
– If the rule is intended to apply to all ports, enter "*".
• Destination Port (Range)
Enter the destination port. The rule applies specifically to the specified port.
– If the rule is intended to apply to a port range, enter the range with start port "-" end port,
for example 30 - 40.
– If the rule is intended to apply to all ports, enter "*".
Description
The page contains the following:
• Service Name
Enter a name for the ICMP service. The name must be unique.
The table contains the following columns:
• Select
Select the check box in the row to be deleted.
• Service Name
Shows the name of the ICMP service.
• Protocol
Shows the version of the ICMP protocol.
• Type
Specify the ICMP packet type. A few examples are shown below:
– Destination Unreachable
IP frame cannot be delivered.
– Time Exceeded
Time limit exceeded
– Echo-Request
Echo request, better known as ping.
• Code
The code describes the ICMP packet type in greater detail. The selection depends on the
selected ICMP packet type.
With "Destination Unreachable", for example "Code 1" host cannot be reached.
5.10.5.6 IP protocols
On this WBM page, you can configure user-defined protocols, e.g. IGMP for multicast groups. You
select a protocol name and assign the service parameters to it. When you configure the IP rules,
you simply use this protocol name.
Description
The page contains the following:
• Protocol Name
Enter a name for the protocol.
The page contains the following check boxes:
• Select
Select the check box in the row to be deleted.
• Protocol Name
Shows the protocol name.
• Protocol Number
Enter the protocol number, for example 2. You will find list of the protocol numbers on the
Internet pages of iana.org
Procedure
Create IGMP protocol
1. Enter IGMP in "Protocol Name".
2. Click the "Set Values" button. A new entry is generated in the table.
3. Enter "2" in "Protocol Number".
5.10.5.7 IP rules
On this WBM page, you specify your own IP rules for the firewall.
The IP rules set here have priority:
• Over the predefined IP rules and
• Over the IP rules created automatically due to a connection configuration (SINEMA RC).
Description
• IP Version
Specify the IP version to which the firewall rules apply.
• Rule set
Select the required rule set. Only the IP rules that are assigned to this rule set will then be
displayed in the table, provided that "Show all" is disabled.
• Show all
When enabled, all available IP rules are displayed. With the "Assign" setting, you assign an IP
rule to the selected rule set.
The table contains the following columns:
• Select
Activate the check box in the row to be deleted.
• Protocol
Shows the version of the IP protocol.
• Action
Select how incoming IP packets are handled:
– "Accept" - The data packets can pass through.
– "Reject" – The data packets are rejected, and the sender receives a corresponding
message.
– "Drop" – The data packets are discarded without any notification to the sender.
• From / To
Specify the communications direction of the IP rule.
– VLANx: VLANs with configured subnet
– NVEx: Virtual interface via which the VXLAN tunnel is established.
– Device: Device
– ppp0 or usb0 (only with M876-4 / MUM85x): WAN interface
– SINEMA RC: Connection to the SINEMA RC server
– IPsec: Either all IPsec VPN connections (all) or a specific IPsec VPN connection
• Source (Range)
Enter the IP address or an IP range that is allowed to receive IP packets.
– Individual IP address: Specify the IP address
– IP range: Specify the range with start address "-" end address, e.g.
IPv4:192.168.100.10 - 192.168.100.20
IPv6: fe80:: - febf::
– All IP addresses:
IPv4: " 0.0.0.0/0"
IPv6; "::"
– If the rule set is activated by a user, the placeholder DYNAMIC is replaced by the IP address
of the end device used.
Note
Digital input and DYNAMIC placeholder
If the rule set is executed by controlling the digital input, the placeholder DYNAMIC is
replaced by the setting for "Dynamic Source (Range)". You configure the setting under
"Security > Firewall > Dynamic Rules".
Destination (Range)
Enter the IP address or an IP range that is allowed to receive IP packets.
– Individual IP address: Specify the IP address
– IP range: Specify the range with start address "-" end address, e.g.
IPv4:192.168.100.10 - 192.168.100.20
IPv6: fe80:: - febf::
– All IP addresses:
IPv4: " 0.0.0.0/0"
IPv6; "::"
– If the rule set is activated by a user, the placeholder DYNAMIC is replaced by the IP address
of the end device used.
• Service
Select the service or the protocol name for which this rule is valid.
• Log
Specify whether or not there should be a log entry every time the rule comes into effect and
specify the severity of the event.
The following settings are available:
– none
The rule coming into effect is not logged.
– info / warning / critical
The rule coming into effect is logged with the selected event severity. The log file is
displayed in "Information" > "Log Tables" > "Firewall Log".
• Precedence
In ascending order starting with 0, you define the sequence in which the IP rules of the
firewall are processed.
• Assign
To assign the IP rules to the selected rule set, activate the setting for the desired IP rules and
click the "Set Values" button.
• Assigned
Shows the rule set to which this IP rule is assigned. The IP rules can also be assigned to
multiple rule sets. If the IP rule is assigned to all rule sets, "all" is displayed.
• Name
Shows who created the IP rule.
– NETMAP - automatically created firewall rule
5.10.6.1 General
On the WBM page, you configure the basic settings for VPN.
Description
The page contains the following:
• Activate IPsec VPN
Enable or disable the IPsec protocol for VPN.
• Enforce strict CRL Policy
When enabled, the validity of the certificates is checked based on the CRL (Certificate
Revocation List). The certificate revocation list lists the certificates issued by the certification
authority that have lost their validity before the set expiry date. You configure the certificate
revocation list to be used on the WBM page "Certificates (Page 393)".
• NAT Keep Alive Time Interval
Specify the time interval at which keep alive telegrams are sent. If there is a NAT device
between two VPN endpoints, when there is inactivity, the connection is deleted from its
dynamic NAT table. To prevent this, keepalives are sent.
Description
The page contains the following:
• Remote End Name
Enter the name of the remote station and click "Create" to create a new remote station.
This table contains the following columns:
• Select
Select the check box in the row to be deleted.
• Name
Shows the name of the partner.
• Remote Mode
Specify the role the remote stations will adopt.
– Roadwarrior
The reachable remote addresses are entered. The reachable remote subnets are learned
from the partner.
– Standard
The reachable remote address and the reachable remote subnets are entered
permanently.
• Remote Type
Specify the type of remote station address.
– Manual
The address of the partner is known. The device can either establish the VPN connection
actively as a VPN client or wait passively for connection establishment by the partner.
– Any
Accepts the connection from remote stations with any IP address address. The device can
only wait for VPN connections but cannot establish a VPN tunnel as the active partner.
• Remote Address
Can only be edited with the remote type "Manual".
– In standard mode, enter the WAN IP address or the DDNS hostname of the partner. The
network mask is always 32
– In Roadwarrior mode, you can specify either the address of the partner or enter an IP
range from which connections will be accepted.
• Remote Subnet
– In standard mode, enter the remote subnet of the remote station. Use the CIDR notation.
Multiple subnets can be used only with IKEv2. The enter the subnets separated by a
comma.
– In Roadwarrior mode, the remote address informs the device of its accessible subnets and
the device learns them.
• Virtual IP Mode
Specify whether or not the remote station is offered a virtual IP address.
The following options are available:
– User defined IPv4
The virtual IP address is from the band specified in "Virtual IP".
– None
No virtual IP address. The VPN tunnel is established dynamically to the internal IP address
of the remote station.
• Virtual IP
Specify the subnet (CIDR) from which the remote station is offered a virtual IP address.
Can only be edited if "user defined IPv4" is selected in "Virtual IP Mode".
Procedure
Configure VPN standard mode
1. Enter the name of the remote station in "Remote End Name".
2. Click the "Create" button. A new entry is generated in the table.
3. For "Remote Mode", select "Standard".
4. For "Remote Type", select "manual".
5. In "Remote Address", enter the WAN IP address and in "Remote Subnet" the subnet of the
remote station.
6. Click the "Set Values" button.
5.10.6.3 Connections
On the WBM page, you configure the basic settings for the VPN connection. With these settings,
the device (local endpoint) can establish a secure VPN tunnel to the partner. You specify the
security settings on the WBM page "Authentication".
Note
Several IPsec VPN connections via the same VPN endpoint
If you have created IPsec VPN connections to different remote subnets via the same VPN
endpoint, the first configured VPN connection (lowest index) is the main connection (parent).
Via the main connection all other IPsec VPN connections (children) are created and established.
If all VPN tunnels are now established and the main (parent) connection is terminated all child
connections are interrupted. After the DPD timeout has expired, all IPsec VPN connections are
reestablished via the main connection.
If only one child connection is terminated, the parent connection and the other child
connections are retained.
Note
IPsec: Restrictions for phase 2 connections
Create a maximum of 20 phase 2 connections per phase 1 (remote endpoint).
Note
If you use "NETMAP"
• only auto firewall rules are supported
• For "Operation" the setting "on demand" cannot be selected.
Description
The page contains the following boxes:
• Connection name
Enter a name for the VPN connection and click "Create" to create a new connection.
The table contains the following columns:
• Select
Select the check box in the row to be deleted.
• Name
Shows the name of the VPN connection.
• Operation
Specify who establishes the VPN connection. You will find more detailed information in
"Technical basics > VPN connection establishment (Page 88)".
– Disabled
The VPN connection is disabled.
– start
The device attempts to establish a VPN connection to the partner.
– wait
The device waits for the remote station to initiate the connection establishment.
– on demand
The VPN connection is established when necessary.
– Start on DI
If the event "Digital In" occurs the device attempts to establish a VPN connection to the
remote station.
This is on condition that the event "Digital In" is forwarded to the VPN connection. To do
this in "System > Events> Configuration" activate "VPN Tunnel" for the "Digital In" event.
– wait on DI
If the event "Digital In" occurs, the device waits for the remote station to initiate
connection establishment.
This is on condition that the event "Digital In" is forwarded to the VPN connection. To do
this in "System > Events> Configuration" activate "VPN Tunnel" for the "Digital In" event.
– Start on SMS (only with M87x / MUM 856)
If the device receives a command SMS, the device attempts to establish a VPN connection
to the remote station. This assumes that the device accepts a command SMS of the class
"System" from certain senders. You configure the senders in "System > SMS > SMS
Command".
– Wait on SMS (only with M87x / MUM 856)
When the device receives an SMS command, the device waits until the connection
establishment is initiated by the remote station. This assumes that the device accepts a
command SMS of the class "System" from certain senders. You configure the senders in
"System > SMS > SMS Command".
– start on Action
If the "VPN Reset" or "VPN enable" actions are triggered, the device attempts to establish
a VPN connection to the partner. For this purpose, you configure the corresponding action
under "System > Connection Check".
– wait on Action
If the "VPN Reset" or "VPN enable" actions are triggered, the device waits for the partner
to initiate connection establishment. For this purpose, you configure the corresponding
action under "System > Connection Check".
– start on TCP
If the incoming TCP packet contains conformant data, the device attempts to establish a
VPN connection to the partner. The prerequisite is that the "VPN" event is enabled under
"System > TCP Event".
– wait on TCP
If the incoming TCP packet contains conformant data, the device waits until the
connection establishment is initiated by the partner. The prerequisite is that the "VPN"
event is enabled under "System > TCP Event".
– start on GPS (only with MUM85x)
If the "OpenVPN (all) enable" action is triggered, the device attempts to establish a VPN
connection to the partner. For this purpose, you configure the corresponding action
under "System > GPS > Geofencing".
– start on GPS (only with MUM85x)
If the "OpenVPN (all) enable" action is triggered, the device waits for the partner to initiate
connection establishment. For this purpose, you configure the corresponding action
under "System > GPS > Geofencing".
• Interface
Specify the interface via which the VPN connection is established.
– vlan1
For access from the local network (LAN) to the device
– ppp0 or usb0 (only with M87x and MUM85x):
Access from the mobile wireless interface to the device.
• Keying Protocol
Specify whether IKEv2 or IKEv1 will be used.
• Remote End
Select the required remote station. Only partners can be configured that have been
configured on the "Remote End" WBM page.
• Local Subnet
Enter the local subnet. Use the CIDR notation. The local network can also be a single PC or
another subset of the local network.
Multiple subnets can be used only with IKEv2. The enter the subnets separated by a comma.
• Request Virtual IP
When enabled, a virtual IP address is requested from the remote station during connection
establishment.
• Timeout [min]
Specify the period of time in minutes. If no data exchange takes place, when this time has
elapsed the VPN tunnel is automatically terminated.
5.10.6.4 Authentication
On this WBM page, you specify how the VPN connection partners authenticate themselves with
each other.
Description
This table contains the following columns:
• Name
Shows the name of the VPN connection to which the settings relate.
• Authentication
Select the authentication method. For the VPN connection, it is essential that the partner
uses the same authentication method.
– Disabled
No authentication method is selected. Connection establishment is not possible.
– Remote Cert
The remote certificate is used for authentication. You specify the certificate in "Remote
Certificate"
– CA Cert
The certificate of the certification authority is used for authentication. You specify the
certificate in "CA Certificate".
– PSK
A key is used for authentication. You configure the key in "PSK".
Note
For this "PSK" authentication method, specify the "Local ID" and "Remote ID". If the entries
remain empty, IPSec uses the IP address of the interface as the ID and prevents
the VPN tunnel from being set up.
• CA Certificate
Select the certificate. Only loaded certificates can be selected.
• Local Certificate
Select the machine certificate.
You load the certificates on the device with "System > Load&Save". The loaded certificates
and key files are shown on the WBM page "Security > Certificates".
• Local ID
Enter the local ID from the partner certificate. Only when you use the partner certificate can
you leave the box empty. The box is automatically filled with the value from the partner
certificate.
• Remote Certificate
Select the remote station certificate. Only loaded remote certificates can be selected.
You load the certificates on the device with "System > Load&Save". The loaded certificates
and key files are shown on the WBM page "Security > Certificates".
• Remote ID
Enter the "Distinguished Name" or "Alternate Name" from the partner certificate. Only when
you use the partner certificate can you leave the box empty. The box is automatically filled
with the value from the partner certificate.
• PSK
Enter the key.
• PSK Confirmation
Repeat the key.
5.10.6.5 Phase 1
Description
The table contains the following columns:
• Name
Shows the name of the VPN connection to which the settings relate.
• Default Ciphers
When enabled, a preset list is transferred to the VPN connection partner during connection
establishment. The list contains a combination of the three algorithms (Encryption,
Authentication, Key Derivation). To establish a VPN connection, the VPN connection partner
must support at least one of the combinations. The selection depends on the key exchange
method. Additional information can be found in the section "IPsec VPN (Page 84)".
• Encryption
For phase 1, select the required encryption algorithm. Can only be selected if "Default
Ciphers" is disabled.
The selection depends on the key exchange method. Additional information can be found in
the section "IPsec VPN (Page 84)".
Note
The AES modes CCM and GCM contain separate mechanisms for authenticating data. If you
use a mode AES x CCM for "Encryption", this is also used for authentication. Then only the
pseudo random function will be derived from the "Authentication" parameter. So that a VPN
connection can be established, all devices need to use the same settings.
• Authentication
Specify the method for calculating the checksum. Can only be selected if "Default Ciphers" is
disabled.
The following methods are supported:
– MD5
– SHA1
– SHA512
– SHA256
– SHA384
• Key derivation
Select the required Diffie-Hellmann group (DH) from which a key will be generated. Can only
be selected if "Default Ciphers" is disabled.
The following DH groups are supported:
– DH group 1
– DH group 2
– DH group 5
– DH group 14
– DH group 15
– DH group 16
– DH group 17
– DH group 18
• Keying Tries
Enter the number of repetitions for a failed connection establishment. If you enter the value
0, the connection establishment will be attempted endlessly.
• Lifetime [min]
Enter a period in minutes to specify the lifetime of the authentication. When the time has
elapsed, the VPN endpoints involved must authenticate themselves with each other again
and generate a new key
• DPD
When enabled, DPD (Dead Peer Detection) is used. Using DPD, it is possible to find out
whether the VPN connection still exists or whether it has aborted.
Note
Sending DPD queries increases the amount of data sent and received. This can lead to
increased costs.
• Aggressive Mode
– Disabled:
Main Mode is used.
– Enabled
Aggressive Mode is used
The difference between main and aggressive mode is the "identity protection" used in main
mode. The identity is transferred encrypted in main mode but not in aggressive mode.
5.10.6.6 Phase 2
Description
The table contains the following columns:
• Name
Shows the name of the VPN connection to which the settings relate.
• Default Ciphers
When enabled, a preset list is transferred to the VPN connection partner during connection
establishment. The list includes combinations of the three algorithms (encryption,
authentication, key derivation). To establish a VPN connection, the VPN connection partner
must support at least one of the combinations. Further information can be found in the
section "IPsec VPN (Page 84)".
• Encryption
For phase 2, select the required encryption algorithm. Can only be selected if "Default
Ciphers" is disabled.
Further information can be found in the section "IPsec VPN (Page 84)".
Note
The AES modes CCM and GCM contain separate mechanisms for authenticating data. If you
use a mode AES x CCM or AES x GCM for "Encryption", this will also be used for authentication.
Then only the pseudo random function will be derived from the "Authentication" parameter.
• Authentication
Specify the method for calculating the checksum. Can only be selected if "Default Ciphers" is
disabled.
The following methods are supported:
– MD5
– SHA1
– SHA512
– SHA256
– SHA384
Note
So that a VPN connection can be established, all devices need to use the same settings or
provide compatible key procedures..
• Lifetime [min]
Enter a period in minutes to specify the lifetime of the agreed keys. When the time expires,
the key is renegotiated.
• Lifebytes
Enter the data limit in bytes that specifies the lifetime of the agreed key. When the data limit
is reached, the key is renegotiated.
• Protocol
Specify the protocol for which the VPN connection is valid e.g. UDP, TCP, ICMP. If the setting
is intended to apply to all protocols, enter "*".
• Port (Range)
Specify the port via which the VPN tunnel can communicate. The setting applies specifically
to the specified port
– If the setting is intended to apply to a port range, enter the range with start port "-" end
port, for example 30 - 40.
– If the setting is intended to apply to all ports, enter "*".
The setting is only effective for port-based protocols.
• Auto Firewall Rules
– Enabled
For the VPN connection, the firewall rules for access from "External" to "Internal" and vice
versa are created automatically. You can enable access to specific services of the device
under "Security > Firewall > Predefined IPv4". Ping is enabled by default.
– Disabled
You will need to create the firewall rules yourself.
5.10.7.1 General
On this WBM page, you enable the OpenVPN client.
Description
The page contains the following:
• Activate OpenVPN Client
Enable or disable the OpenVPN client.
5.10.7.2 Connections
On this WBM page, you configure the basic settings for the OpenVPN connection. You specify the
security settings on the WBM page "Authentication".
Description
• Connection name
Enter a unique name for the OpenVPN connection and click "Create" to create a new
connection.
The table contains the following columns:
• Select
Select the check box in the row to be deleted.
• Name
Shows the name of the OpenVPN connection.
• Operation
Specify how the VPN connection is estalished. You will find more detailed information in
"Technical basics > VPN connection establishment (Page 88)".
– start
The device attempts to establish a VPN connection to the partner.
– Start on DI
If the event "Digital In" occurs the device attempts to establish a VPN connection to the
remote station.
This is on condition that the event "Digital In" is forwarded to the VPN connection. To do
this in "System > Events> Configuration" activate "VPN Tunnel" for the "Digital In" event.
– Start on SMS (only with M87x/MUM85x)
If the device receives a command SMS, the device attempts to establish a VPN connection
to the partner. This assumes that the device accepts a command SMS of the class "System"
from certain senders. You configure the senders in "System > SMS > SMS Command".
– start on Action
If the "VPN Reset" or "VPN enable" actions are triggered, the device attempts to establish
a VPN connection to the partner. For this purpose, you configure the corresponding action
under "System > Connection Check".
– start on TCP
If the incoming TCP packet contains conformant data, the device attempts to establish a
VPN connection to the partner. The prerequisite is that the "VPN" event is enabled under
"System > TCP Event".
– start on GPS (only with MUM85x)
If the "OpenVPN (all) enable" action is triggered, the device attempts to establish a VPN
connection to the partner. For this purpose, you configure the corresponding action
under "System > GPS > Geofencing".
– Disabled
The VPN connection is disabled.
• Encryption
Select the required encryption algorithm.
– AES-128-CBC (default)
– AES-192-CBC
– AES-256-CBC
– DES-EDE3
– BF-CBC
• Authentication
Specify the method for calculating the checksum.
– SHA256 (default)
– SHA384
– SHA512
– SHA224
– SHA1
– MD5
• Use LZO
When enabled, the data is compressed with the LZO algorithm.
• Auto Firewall Rules
– Enabled
For the VPN connection, the firewall rules for access from "External" to "Internal" and vice
versa are created automatically. In addition to this, access from the device to the outside
is allowed. You can enable access to specific services of the device under "Security >
Firewall > Predefined IPv4". Ping is enabled by default.
– Disabled
You will need to create the suitable firewall rules yourself.
• Enable NAT
With this setting, you enable automatic IP masquerading for this interface. The local devices
are not directly reachable from the outside, but only via the IP address of the interface. The
local devices can, however, connect to the devices downstream from the OpenVPN server.
You will find more information on NAT in "Technical basics > NAT (Page 80)"
• Timeout [min]
Specify the period of time in minutes. If no data exchange takes place, when this time has
elapsed the VPN tunnel is automatically terminated.
5.10.7.3 Remote
On this WBM page, you configure the partner (OpenVPN end point). Per connection, you can
specify several OpenVPN partners. The device tries all configured OpenVPN partners one after
the other until a connection is successfully established.
Description
The page contains the following:
• Remote Name
Enter a name for the OpenVPN partner and click "Create" to create a new partner.
This table contains the following columns:
• Select
Select the check box in the row to be deleted.
• Name
Shows the name of the Open VPN partner.
• Connection
Select the corresponding connection. Only connections can be configured that have been
configured on the "Connections" WBM page.
• Remote Address
Enter the WAN IP address or the DNS host name of the OpenVPN partner.
• Port
Specify the port via which the OpenVPN tunnel can communicate. The setting applies
specifically to the specified port.
• Protocol
Specify the protocol for which the OpenVPN connection will be used.
• Proxy
Specify whether the OpenVPN tunnel to the defined OpenVPN partner is established via a
proxy server. Only the proxy servers can be selected that you configured in "System > Proxy
Server".
5.10.7.4 Authentication
On this WBM page, you specify how the VPN connection partners authenticate themselves with
each other.
Description
This table contains the following columns:
• Name
Shows the name of the VPN connection to which the settings relate.
• TLS Auth. Key
Select the key file used to sign the TLS packets. If the incoming TLS packets are not signed with
this key, they are discarded.
• Direction
Specify the direction. If you select 0, 1 must be set on the partner and vice versa. With this
setting, you restrict the clients that can authenticate themselves.
Select "none" if nothing is set on the OpenVPN server. With "none", this setting is disabled.
• Method
Select the authentication method. For the VPN connection, it is essential that the partner
uses the same authentication method.
– Disabled
No authentication method is selected. Connection establishment is not possible.
– Certificates
Certificates are used for the authentication.
– User Name/Password
The user name / password are used for the authentication.
– Cert/User Name/Password
For authentication, a user name and password are required in addition to the certificate.
The VPN connection is established only if both operations are successful.
• CA Certificate
Select the certificate. Only loaded certificates can be selected.
You load the certificates on the device with "System > Load&Save". The loaded certificates
and key files are shown on the WBM page "Security > Certificates".
• Machine certificate
Select the machine certificate. Only loaded certificates can be selected.
You load the certificates on the device with "System > Load&Save". The loaded certificates
and key files are shown on the WBM page "Security > Certificates".
• User Name
Specify the user name.
• Password
Enter the password.
• Password Confirmation
Repeat the password.
Brute Force Prevention (BFP) refers to the protection of the device from unauthorized access by
trying a sufficiently large number of passwords. The number of incorrect login attempts within a
specific time period is limited for this purpose.
Description
The page contains the following boxes:
• User Specific BFP is Enabled. / User Specific BFP is Disabled.
– Enabled:
With login authentication, the "Local" or "Local and RADIUS" mode is set and the
maximum number of invalid login attempts is greater than 0.
– Disabled:
With login authentication, the "RADIUS" or "RADIUS and fallback Local" mode is set or the
maximum number of invalid login attempts is 0.
You configure the login authentication under "Security > AAA > General > Login
Authentication".
• Acceptable Invalid Login Attempts Per User
The maximum number of invalid login attempts for a user accepted by the device. Further
login attempts for this user are blocked for a specific time.
The users that are not configured as local users for the device are summarized under the user
name "UnknownUser".
0: User Specific BFP is Disabled.
• IP Specific BFP is Enabled. / IP Specific BFP is Disabled.
Shows whether the IP-specific Brute Force Prevention is enabled.
• Acceptable Invalid IP Login Attempts Per IP
The maximum number of invalid login attempts for an IP address accepted by the device.
Further login attempts for this IP address are blocked for a specific time.
0: IP Specific BFP is Disabled.
• BFP Trigger Interval [min]
The time in minutes that is relevant for counting invalid login attempts.
If the maximum number of invalid login attempts is exceeded during this time, the device
blocks login for a specific period of time.
Invalid login attempts per user and per IP address are handled independently of one
another.
• BFP Automatic Reset Timer[min]
Time in minutes for which the device blocks login because the maximum number of invalid
login attempts was exceeded.
0: The timer is disabled.
The User Specific BFP table has the following columns:
• User
The users configured locally on the device. The users that are not locally configured on the
device are summarized under the user name "UnknownUser".
• Failed Logins
The number of failed login attempts.
• Last Failed [s]
Time in seconds (s) since the last failed login attempt. To display the current value, click the
"Refresh" button.
• Blocked [s]
The time in seconds (s) until the blocking will be removed. To display the current value, click
the "Refresh" button.
When a blocked user attempts to log in before the timer expires, the timer restarts.
• Delete
Ends blocking for the user and resets the displays in the "Last Failed [s]" and "Blocked [s]"
boxes.
The IP Specific BFP table has the following columns:
• IP
The IP address of the device for the login attempt.
• Failed Logins
The current number of failed login attempts.
• Last Failed [s]
Time in seconds (s) since the last failed login attempt. To display the current value, click the
"Refresh" button.
• Blocked [s]
The time in seconds (s) until the blocking will be removed. To display the current value, click
the "Refresh" button.
When a blocked IP address attempts to log in before the timer expires, the timer restarts.
• Delete
Ends blocking for the IP address and resets the displays in the "Last Failed [s]" and "Blocked [s]"
boxes.
Firmware
The firmware is signed and encrypted. This ensures that only firmware created by Siemens can
be downloaded to the device.
NOTICE
Do not remove or insert a PLUG during operation
A PLUG may only be removed or inserted when the device is turned off.
Note
Support as of V4.3
The PRESET-PLUG functionality is supported as of firmware version V4.3.
With the PRESET-PLUG, you can install the same device configuration (start configuration,
user accounts, certificates) including the corresponding firmware on multiple devices.
The PRESET PLUG is write-protected.
You configure the PRESET PLUG using the Command Line Interface (CLI).
Creating a PRESET-PLUG
You create the PRESET PLUG using the Command Line Interface (CLI). You can create a PRESET-
PLUG from any PLUG. To do this, follow the steps outlined below:
Note
Using configurations with DHCP
Create a PRESET-PLUG only from device configurations that use DHCP. Otherwise disruptions will
occur in network operation due to multiple identical IP addresses.
You assign fixed IP addresses extra following the basic installation.
Requirement
• A PLUG is inserted in the device on which you want to configure the PRESET-PLUG
functionality.
Procedure
1. Start the remote configuration using CLI and log on as a user with the "admin" role.
The CLI connection works either with Telnet (port 23) or SSH (port 22).
2. Switch to the global configuration mode with the command "configure terminal".
3. You change to the PLUG configuration mode with the "plug" command.
4. Create the PRESET-PLUG with the "presetplug" command.
The firmware version of the device and the current device configuration incl. user accounts
and certificates are stored on the PLUG and the PLUG is then write protected.
5. Turn off the power to the device.
6. Remove the PRESET-PLUG.
7. Start the device either with a new PLUG inserted or with the internal configuration.
Note
Restore factory defaults and restart with a PRESET PLUG inserted
If you reset a device to the factory defaults, when the device restarts an inserted PRESET PLUG
is formatted and the PRESET PLUG functionality is lost. You then need to create a new PRESET
PLUG. The keys stored on the KEY-PLUG for releasing functions are retained.
We recommend that you remove the PRESET PLUG before you reset the device to the factory
settings.
Requirement
• The device has an IP address.
• The user is logged in with administrator rights.
Result
When the firmware is successfully loaded a dialog is displayed. Confirm the dialog with "OK". The
device is restarted.
In "Information > Versions" there is the additional entry "Firmware_Running".
Firmware_Running shows the version of the current firmware. Firmware shows the firmware
version stored after loading the firmware.
Cause
If there is a power failure during the firmware update, it is possible that the device is no longer
accessible using WBM and CLI.
Requirement
• The PC is connected to the device via the interface.
• A TFTP client is installed on the PC and the firmware file exists.
Solution
You can then also transfer firmware to the device using TFTP.
Follow the steps below to load new firmware using TFTP:
1. Now press the SET button.
2. Hold down the button until the red fault LED (F) starts to flash after approximately 3 seconds.
Note
If you hold down the SET button for approximately 10 seconds, the device is reset to its
factory settings and can be reached with the IP address 192.168.1.1.
3. Now release the button. The bootloader waits in this state for new firmware file that you can
download by TFTP.
Note
If you want to exit the boot loader without making changes, press the SET button briefly. The
device restarts with the loaded configuration.
Result
The firmware is transferred to the device.
Note
Please note that the transfer of the firmware can take several minutes. During the transmission,
the red error LED (F) flashes.
Once the firmware has been transferred completely to the device, the device is restarted
automatically.
NOTICE
Previous settings
If you reset, all the settings you have made will be overwritten by factory defaults. The
protected defaults are also reset. Created eSIM profiles are deleted on SCALANCE MUM85x.
NOTICE
Inadvertent reset
An inadvertent reset can cause disturbances and failures in a configured network with further
consequences.
Supported commands
Examples
Wake-up SMS
SYS SRC UP 192.168.20.200
SMS message to an application in the LAN
RLY conn2 my SMS text
The text "my SMS Text" is forwarded to the application specified in the
relay connection "conn2". The text is forwarded as the following frame:
user#password#105#01;0049xxxxxxxxx;my SMS text:
Note
Additional information about the meaning of the boxes is available in RFC 5424 (https://
datatracker.ietf.org/doc/html/rfc5424).
Message text {protocol}: User {User name} has logged in from {ip address}.
Example WBM: User "Admin" has logged in from 192.168.0.1.
Explanation Valid login information that is specified during remote login.
Severity Info
Facility local0
Standard IEC 62443-3-3 Reference: SR 1.1
Message text {protocol}: User {User name} failed to log in from {ip address}.
Example WBM: User "Admin" has failed to log in from 192.168.0.1.
Explanation Incorrect user name or incorrect password (login information) specified during
remote login.
Severity Warning
Facility local0
Standard IEC 62443-3-3 Reference: SR 1.1
Message text {protocol}: User {User name} has logged out from {ip address}.
Example SSH: User "Admin" has logged out from 192.168.0.1.
Explanation User session completed - logged out.
Severity Info
Facility local0
Standard IEC 62443-3-3 Reference: SR 1.1
Message text {protocol}: Default user {user name} logged in from {ip address}.
Example SSH: Default user admin logged in from 192.168.0.1.
Explanation The default user is logged in via the IP address.
Severity Info
Facility local0
Standard IEC 62443-3-3 Reference: n/a (NERC-CIP 007-R5)
Message text {firewall action accept}(1) in:{network interface} out:{network interface} len:
{length} s-mac:{src mac} d-mac:{dest mac}
s-ip:{ip address} d-ip:{ip address}
{protocol}:{src port}->{dest port}
Example ACCEPT(1) in:vlan1 out:ppp0 len:52
s-mac:58:EF:68:B3:FA:CE d-mac:00:1B:1B:A7:5B:D8
s-ip:172.23.1.6 d-ip:158.85.11.68 tcp:53788->443
Explanation A known device requested a connection.
Severity Info or Warning (configurable)
Facility local0
Standard IEC 62443-3-3 Reference: SR 1.2
Message text {firewall action reject}(1) in:{network interface} out:{network interface} len:
{length} s-mac:{src mac} d-mac:{dest mac}
s-ip:{ip address} d-ip:{ip address}
{protocol}:{src port}->{dest port}
Example REJECT(1) in:vlan1 out:ppp0 len:52
s-mac:58:EF:68:B3:FA:CE d-mac:00:1B:1B:A7:5B:D8 s-ip:172.23.1.6 d-
ip:217.194.40.109
tcp:53773->443
Explanation An unknown device requested a connection. The request was denied.
Severity Info or Warning (configurable)
Facility local0
Standard IEC 62443-3-3 Reference: SR 1.2
Account management
Message text {protocol}: User {user name} changed password of user {action user name}.
Example Telnet: User admin changed password of user test.
Explanation User has changed the password of another user.
Severity Notice
Facility local0
Standard IEC 62443-3-3 Reference: SR1.3
Message text {protocol}: User {user name} created user-account {action user name}.
Example WBM: User admin created user-account service.
Explanation The user has created an account.
Severity Notice
Facility local0
Standard IEC 62443-3-3 Reference: SR1.3
Message text {protocol}: User {user name} deleted user-account {action user name}.
Example WBM: User admin deleted user-account service.
Explanation The administrator deleted an existing account.
Severity Notice
Facility local0
Standard IEC 62443-3-3 Reference: SR1.3
Identifier management
Message text {Protocol}: User {User name} created group {Group} and assigned to role {Role}.
Example WBM: User admin created group it-service and assigned to role service.
Explanation The administrator has created a group and assigned it to a role.
Severity Notice
Facility local0
Standard IEC 62443-3-3 Reference: SR 1.4
Message text {Protocol}: User {User name} deleted group {Group} and the role {Role} assignment.
Example WBM: User maier deleted group it-service and the role service assignment.
Explanation The administrator has deleted an existing group and the role assignment.
Severity Notice
Facility local0
Standard IEC 62443-3-3 Reference: SR 1.4
Message text {User name} account is locked for {Time minute} minutes after {Failed login count}
unsuccessful login attempts.
Example User service account is locked for 44 minutes after 10 unsuccessful login attempts.
Explanation If there are too many failed logins, the corresponding user account was locked for a
specific period of time.
Severity Warning
Facility local0
Standard IEC 62443-3-3 Reference: SR 1.11
Message text [IKE] <{connection name}|{config detail}> IKE_SA {connection name}[{config de‐
tail}] established between {ip address}[{config detail}]...{ip address}[{config detail}]
Example [IKE] <c1|3> IKE_SA c1[1] established between 192.168.55.210[lokal]..
192.168.55.211[remote]
Explanation VPN connection is established (IPsec).
Severity Info
Facility local0
Standard IEC 62443-3-3 Reference: n/a (NERC CIP 005-R1)
Message text [IKE] <{connection name}|{config detail}> deleting IKE_SA {connection name}
[{config detail}] between {ip address}[{config detail}]...{ip address}[{config detail}]
Example [IKE] <c1|3> deleting IKE_SA c2[1] between
192.168.55.211[lokal].. 192.168.55.210[remote]
Explanation VPN tunnel is closed (IPsec).
Severity Info
Facility local0
Standard IEC 62443-3-3 Reference: n/a (NERC CIP 005-R1)
Message text SINEMA RC - State of Digital Input changed to HIGH. SINEMA RC - OpenVPN con‐
nection established.
Example SINEMA RC - State of Digital Input changed to HIGH.
SINEMA RC - OpenVPN connection established.
Explanation Remote access is permitted. (SINEMA RC, Digital Input)
Severity Info
Facility local0
Standard IEC 62443-3-3 Reference: SR 1.13
Message text SINEMA RC - State of Digital Input changed to LOW. SINEMA RC - OpenVPN termi‐
nated.
Example SINEMA RC - State of Digital Input changed to LOW.
SINEMA RC - OpenVPN terminated.
Explanation Remote access denied (SINEMA RC, Digital Input)
Severity Info
Facility local0
Standard IEC 62443-3-3 Reference: SR 1.13
Message text User specific firewall user "{user name}" activated rule set "{firewall rule}" with ip
address "{ip address}". Timeout: {timeout} minutes.
Example User specific firewall user "usf" activated rule set "rs1" with ip address "172.23.1.14".
Timeout 5 minutes.
Explanation The user has logged onto the user-specific firewall. (USF Digital User Login)
Severity Info
Facility local0
Standard IEC 62443-3-3 Reference: n/a (NERC CIP 005-R2)
Message text User specific firewall digital input {trigger pin} activated rule set "{firewall rule}" with
ip "{ip address}".
Example User specific firewall digital input 1 activated rule set "cpu2" with ip "192.168.16.1".
Explanation The user has logged onto the user-specific firewall. (USF Digital Input Login)
Severity Info
Facility local0
Standard IEC 62443-3-3 Reference: n/a (NERC CIP 005-R2)4820486
Message text User specific firewall user "{user name}" ruleset "{firewall rule}" time expired.
Example User specific firewall user "usf" ruleset "rs1" time expired.
Explanation The access to the user-specific firewall was denied. The access time is expired. (USF
User Logout)
Severity Warning
Facility local0
Standard IEC 62443-3-3 Reference: SR 2.1
Message text User specific firewall user "{user name}" logged out by administrator configuration.
Example User specific firewall user "usf" logged out by administrator configuration.
Explanation The access to the user-specific firewall was denied. The device administrator deac‐
tivates the user using the "Force Deactivate" button. (USF user force log out by
admin)
Severity Warning
Facility local0
Standard IEC 62443-3-3 Reference: SR 2.1
Message text User specific firewall user "{user name}" deactivated by administrator configuration.
Example User specific firewall user "usf" deactivated by administrator configuration.
Explanation The access to the user-specific firewall was denied. The device administrator has
deactivated the user. (USF user deactivated by admin)
Severity Warning
Facility local0
Standard IEC 62443-3-3 Reference: SR 2.1
Message text User specific firewall digital input {trigger pin} deactivated rule set "{firewall rule}".
Example User specific firewall digital input 1 deactivated rule set "rs1".
Explanation The access to the user-specific firewall was denied. The corresponding set of rules
has been deactivated. (USF Digital Input Logout)
Severity Info
Facility local0
Standard IEC 62443-3-3 Reference: SR 2.1
Session lock
Message text The session of user {user name} was closed after {time} seconds of inactivity.
Example The session of user admin was closed after 60 seconds of inactivity.
Explanation The current session was locked due to inactivity.
Severity Warning
Facility local0
Standard IEC 62443-3-3 Reference: SR 2.5
Message text [JOB] <{connection name}|{config detail}> deleting CHILD_SA after {time second}
seconds of inactivity
Example [JOB] <to_Baugruppe1|21> deleting CHILD_SA after 20 seconds of inactivity
Explanation The remote session was ended after a period of inactivity (IPsec).
Severity Notice
Facility local0
Standard IEC 62443-3-3 Reference: SR 2.6
Message text OVPN_{connection name}[{config detail}]: [{config detail}] Inactivity timeout (--
ping-restart), restarting
Example OVPN_c1[26296]: [router] Inactivity timeout (--ping-restart), restarting
Explanation The remote session was ended after a period of inactivity (OpenVPN).
Severity Notice
Facility local0
Standard IEC 62443-3-3 Reference: SR 2.6
Message text {Protocol}: The maximum number of {Max sessions} concurrent login session ex‐
ceeded.
Example WBM: The maximum number of 10 concurrent login sessions exceeded.
Explanation The maximum number of parallel connections is exceeded.
Severity Warning
Facility local0
Standard IEC 62443-3-3 Reference: SR 2.7
Nonrepudiation
Communication integrity
Message text [IKE] {connection name} {config detail} received invalid DPD sequence number
{config detail} (expected {config detail}), ignored.
Example [IKE] "c1" "1" received invalid DPD sequence number 10 (expected 12), ignored.
Explanation Integrity check failed (IPsec)
Severity Warning
Facility local0
Standard IEC 62443-3-3 Reference: SR 3.1
Session integrity
Log text {protocol}: User {user name} saved file type ConfigPack
Standard IEC 62443-3-3 Reference: SR7.3
Description User has saved the ConfigPack file.
Example WBM: User admin saved file type ConfigPack..
Severity Notice
Facility local0
Log text {protocol}: User {user name} failed to save file type ConfigPack.
Standard IEC 62443-3-3 Reference: SR7.3
Description User failed to save the ConfigPack file.
Example WBM: User admin failed to save file type ConfigPack.
Severity Info
Facility local0
Severity Warning
Facility local0
Message text {protocol}: Loaded file type Firmware {version} (restart required).
Example TFTP: Loaded file type Firmware V02.00.00 (restart required).
Explanation The firmware was successfully loaded.
Severity Notice
Facility local0
Standard IEC 62443-3-3 Reference: SR7.4
Message text {protocol}: User {user name} loaded file type Firmware {version} (restart required).
Example WBM: User admin loaded file type Firmware V02.00.00 (restart required).
Explanation The user has successfully loaded the firmware.
Severity Notice
Facility local0
Standard IEC 62443-3-3 Reference: SR7.4
Message text {protocol}: User {user name} loaded file type Config (restart required).
Example WBM: User admin loaded file type Config (restart required).
Explanation The configuration is applied.
Severity Notice
Facility local0
Standard IEC 62443-3-3 Reference: SR7.4
Message text {protocol}: User {user name} loaded file type ConfigPack (restart required).
Example WBM: User admin loaded file type ConfigPack (restart required).
Explanation The configuration is applied.
Severity Notice
Facility local0
Standard IEC 62443-3-3 Reference: SR7.4
C.1 SSL
C.2 OpenVPN
C.3 SINEMA RC
C.4 cSRP
SFTP Server
C.6 SNMP
SNMP Server
SNMP Trap
C.7 RADIUS
RADIUS Client
C.8 IPsec
IPsec Server
IPsec Client
Mobile, 145
OpenVPN client, 158
Role, 170 M
Security, 167, 169
Maintenance data, 130
Security log, 136
Manufacturer, 130
SHDSL, 154
Manufacturer ID, 131
SINEMA RC, 156
Mobile
SNMP, 142
Information, 145
Software, 129
Mobile data usage, 150
Spanning Tree, 161
Start page, 123
System Time, 172
Versions, 129
N
VXLAN, 171 NAPT
Interfaces Configuring, 359
Mobile wireless, 306 NAT
IP address 1-to-1 NAT, 363
Assignment with STEP 7, 62 Configuring, 358, 377
Basic Wizard, 103 Masquerading, 80
Configuration, 356 NAPT, 80
IPsec method, 84 NAT traversal, 87
IPsec VPN NETMAP, 81
NETMAP, 81 Source NAT, 81
Source NAT, 81 NAT traversal, 87
IPv4 NTP
VRRPv3, 95 Client, 240
IPv4 routing Server, 245
Routing table, 143
IPv6
Notation, 63 O
IPv6 routing
Operator
Routing table, 144
Interfaces, 313
Order ID, 131
K
KEY-PLUG, 257 P
Packet Capture, 329
Password, 385
L Options, 387
Layer 2, 332 Ping, 259
Layer 3, 257 PLUG, 53, 254, 257
LLDP, 142, 350 point-to-point, 95
Location, 181, 299 Port
Log table Port configuration, 303
Event log, 134 Power supply
Firewall log, 138 Monitoring, 250
Security log, 136
Login, 428
Logout Q
Automatic, 246
QoS Trust, 67
SNAT
Configuring, 361
R SNMP, 70, 178, 216, 222
Groups, 221
RADIUS, 388
Overview, 142
Redundant networks, 159, 346
SNMPv1, 70
Requirement
SNMPv2c, 70
ADSL connection, 43
SNMPv3, 70
Antenna, 38, 40, 41
Trap, 226
Power supply, 38, 40, 42, 43, 44
SNMPv3
SHDSL connection, 44
Access, 222
SIM card, 39, 40, 42
Groups, 221
Reset, 184
Notifications, 226
RESET button, 248
Users, 218
Reset device, 436
Views, 224
Reset timer BFP, 428
Software version, 131
Restart, 184
Source NAT
Restore Factory Defaults, 436
Masquerading, 80
Roles, 381
Spanning tree, 344
Root Max Age, 160, 346
Spanning Tree
Routing, 352
Information, 161
ICMP, 73
Rapid Spanning Tree, 95
IPv4 routing table, 143
SSH
IPv6 routing table, 144
Server, 176
Static routes, 352
Standard mode, 84
RSTP, 345
Start page, 123
Stateful inspection firewall, 77
Subnet
S Configuration, 356
Security settings, 222 Overview, 354
SELECT/SET button, 248 Subnets
Serial number, 131 Configuration (IPv6), 374
Server certificate, 83 Connected Subnets (IPv6), 374
Service & Support, 17 Syslog
SFTP Client, 177
Load/save, 200 System
SHA algorithm, 222 Configuration, 174
SHDSL Device, 180
Interface, 107, 325 General information, 180
Overview, 154, 323 Load and Save via HTTP, 192
Signal recorder, 148 System event log
SIM Agent, 248
Basic Wizard, 109 System events, 206
Interfaces, 310 Configuration, 206
SIMATIC NET glossary, 15 Severity filter, 210, 211
SMS, 263 System manual, 13
receiving, 269 System Time, 228
Send, 271
sending, 267
SMTP T
Client, 177
TCP Event, 296
Telnet
Server, 176
TFTP W
Load/save, 196
Web Based Management, 97
Time
Requirement, 97
Time zone, 243
UTC time, 243
Time of day
GPS and mobile wireless device, 235
Manual setting, 114, 229
NTP Client, 115
SIMATIC Time Client, 243
SNTP (Simple Network Time Protocol), 236
System time, 114, 228
Time zone, 239
Time-of-day synchronization, 236
UTC time, 239
Time setting, 178
Training, 17
Trigger interval BFP, 428
U
User groups, 383
V
VLAN, 65
Port VID, 336
Priority, 336
Tag, 336
VLAN ID, 67
VLAN tag, 66
VPN connection
Status, 155
Status OpenVPN client, 158
VRRP
VRRP addresses overview (IPv4), 369
VRRPv3 Addresses Configuration (IPv4), 370
VRRPv3 Configuration (IPv4), 367
VRRPv3 routers (IPv4), 365
VRRPv3
Backup router, 95
Interface Tracking, 371
Master router, 95
Virtual router, 95
VRRPv3 router, 95
VRRPv3 Statistics, 164
VXLAN, 171