
Modbus

Introduction
• Modbus is a serial communications protocol originally published
by Modicon (now Schneider Electric) in 1979 for use with its
programmable logic controllers (PLCs).
• Simple and robust, it has since become a de facto standard
communication protocol, and it is now a commonly available
means of connecting industrial electronic devices.

Its Application
• Used to establish master-slave/client-server communication between
intelligent devices
• Openly published and royalty-free
• Modbus enables communication between many (approximately 247)
devices connected to the same network
Modbus Protocols

• Modbus ASCII
• Modbus RTU (Remote Terminal Unit)
– Modbus RTU uses RS-485 or RS-232
• Modbus TCP/IP
– Modbus TCP uses Ethernet
• Modbus ASCII and Modbus RTU are simple serial protocols that use RS-232 or
RS-485 to transmit data packets.
• Modbus TCP/IP follows the OSI Network Model and can be used in an ordinary
Ethernet network
Modbus RTU (Remote Terminal Unit) and ASCII
Communication between MODBUS devices
• MODBUS devices communicate using a master-slave technique in
which only one device (the master) can initiate transactions (called
queries).

• The other devices (slaves) respond by supplying the requested data
to the master.

• A slave is any peripheral device (I/O transducer, valve, network or
other measuring device), which processes information and sends its
output to the master.

• Masters can address individual slaves, or can initiate a broadcast
message to all slaves. Slaves return a response to all queries
addressed to them individually, but do not respond to broadcast
queries.
[Figures: Basic Modbus Network; General Message Form; Basic Modbus Transaction]
Modbus frames:
• The messages exchanged between the master and the slave are called
frames.

• There are two types of Modbus frames: Protocol Data Unit (PDU) and
Application Data Unit (ADU).

• The PDU frame: function code + data.

• The ADU frame: address + function code + data + error check.

• The function code (FC) specifies the action to perform, and the data is the
information to be used for this action.
How is data stored in Standard Modbus?

• Information is stored in the Slave device in four different tables.


• Two tables store on/off discrete values (coils) and two store numerical values
(registers).
• The coils and registers each have a read-only table and read-write table.
• Each table has 9999 values.
• Each coil or contact is 1 bit and assigned a data address between 0000 and
270E.
• Each register is 1 word = 16 bits = 2 bytes and also has data address between
0000 and 270E.
• Coil/Register Numbers can be thought of as location names since they do not
appear in the actual messages. The Data Addresses are used in the messages.
• Each table has a different offset: 1, 10001, 30001 and 40001.
Modbus Data Types
• Modbus transactions always perform a set of actions by reading or
writing to a set of four data types, used by the Modbus application layer.
Limitations
• Since Modbus is a master/slave protocol, there is no way for a field
device to "report by exception".

• The master must routinely poll each field device, and look for changes
in the data.

• Modbus is restricted to addressing 247 devices on one data link, which
limits the number of field devices that may be connected to a master
station.

• Modbus protocol provides no security against unauthorized
commands.
Modbus Recap
Query
• Modbus is restricted to addressing 247 devices on one data link, which
limits the number of field devices that may be connected to a master
station.
• The address field in the Modbus-defined frame is only 8 bits wide. This
would provide for 256 slave addresses.
• Address 0 is reserved as a "broadcast" address.
• There are eight other "reserved" addresses that are not valid for a slave.

• Source: http://stackoverflow.com/questions/22523716/modbus-slave-count-limitation
• Source: http://www.control.com/thread/1369186948
("Modbus Over Serial Line V1.02", page 8, Section 2.2 Modbus Addressing
rules, "from 248 to 255: Reserved")
Accessing The Data
• 16-bit Unsigned Registers And Single-bit Coils
• Input Registers And Holding Registers
• Input Coils And Status Coils

• 64 kb of space is allocated for registers and coils


Read Coil Status (FC=01)
• Request
• The command below requests the ON/OFF status of discrete coils #20 to #56
from the slave device with address 17.

• 11 01 0013 0025 0E84

– 11: The Slave Address (11 hex = address 17)
– 01: The Function Code 1 (Read Coil Status)
– 0013: The Data Address of the first coil to read (0013 hex = 19, + 1 offset = coil #20)
– 0025: The total number of coils requested (25 hex = 37, coils 20 to 56)
– 0E84: The CRC (cyclic redundancy check) for error checking

• Response
• 11 01 05 CD6BB20E1B 45E6

– 11: The Slave Address (11 hex = address 17)
– 01: The Function Code 1 (Read Coil Status)
– 05: The number of data bytes to follow (37 coils / 8 bits per byte = 5 bytes)
– CD: Coils 27 - 20 (1100 1101)
– 6B: Coils 35 - 28 (0110 1011)
– B2: Coils 43 - 36 (1011 0010)
– 0E: Coils 51 - 44 (0000 1110)
– 1B: 3 space holders & Coils 56 - 52 (0001 1011)
– 45E6: The CRC (cyclic redundancy check)
Read Holding Registers (FC=03)
• Request
• This command requests the content of analog output holding registers #40108
to #40110 from the slave device with address 17.

• 11 03 006B 0003 7687

– 11: The Slave Address (11 hex = address 17)
– 03: The Function Code 3 (Read Analog Output Holding Registers)
– 006B: The Data Address of the first register requested (006B hex = 107, + 40001 offset = register #40108)
– 0003: The total number of registers requested (read 3 registers, 40108 to 40110)
– 7687: The CRC (cyclic redundancy check) for error checking

• Response
• 11 03 06 AE41 5652 4340 49AD

– 11: The Slave Address (11 hex = address 17)
– 03: The Function Code 3 (Read Analog Output Holding Registers)
– 06: The number of data bytes to follow (3 registers x 2 bytes each = 6 bytes)
– AE41: The contents of register 40108
– 5652: The contents of register 40109
– 4340: The contents of register 40110
– 49AD: The CRC (cyclic redundancy check)
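
The four frames above, checked and decoded in Python. This is an added example, not part of the original slides; the function names are hypothetical, and only the two function codes shown on the page (01 and 03) are handled.

```python
import struct

def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: initial value 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def split_adu(frame: bytes):
    """Check the trailing CRC and return (address, function_code, data).

    The CRC is sent low byte first, so 0x840E appears on the wire as 0E 84.
    """
    if len(frame) < 4:
        raise ValueError("frame shorter than address + function code + CRC")
    body, (wire_crc,) = frame[:-2], struct.unpack("<H", frame[-2:])
    if crc16_modbus(body) != wire_crc:
        raise ValueError("CRC mismatch")
    return body[0], body[1], body[2:]

# Coil/register number offsets from the page for the two function codes shown.
OFFSETS = {0x01: 1, 0x03: 40001}

def parse_read_request(frame: bytes) -> dict:
    """Decode an FC01/FC03 request into slave address and item numbers."""
    slave, fc, data = split_adu(frame)
    if fc not in OFFSETS or len(data) != 4:
        raise ValueError("not an FC01/FC03 read request")
    start, count = struct.unpack(">HH", data)   # data address, quantity
    first = start + OFFSETS[fc]
    return {"slave": slave, "fc": fc, "count": count,
            "first": first, "last": first + count - 1}

def decode_response(frame: bytes, request: dict) -> dict:
    """Map a read response onto the coil/register numbers of its request."""
    slave, fc, data = split_adu(frame)
    if (slave, fc) != (request["slave"], request["fc"]):
        raise ValueError("response does not match the request")
    if not data:
        raise ValueError("missing byte count")
    byte_count, payload = data[0], data[1:]
    if fc == 0x01:
        expected = (request["count"] + 7) // 8   # 8 coils per byte, padded
    else:
        expected = request["count"] * 2          # 2 bytes per register
    if byte_count != expected or len(payload) != expected:
        raise ValueError("byte count does not match the request")
    if fc == 0x01:
        # Coils are packed least-significant bit first within each byte.
        return {request["first"] + i: bool(payload[i // 8] >> (i % 8) & 1)
                for i in range(request["count"])}
    values = struct.unpack(">%dH" % request["count"], payload)
    return {request["first"] + i: v for i, v in enumerate(values)}

# The four frames quoted on the page.
COIL_REQ = bytes.fromhex("11 01 0013 0025 0E84")
COIL_RSP = bytes.fromhex("11 01 05 CD6BB20E1B 45E6")
REG_REQ = bytes.fromhex("11 03 006B 0003 7687")
REG_RSP = bytes.fromhex("11 03 06 AE41 5652 4340 49AD")

if __name__ == "__main__":
    req = parse_read_request(COIL_REQ)
    coils = decode_response(COIL_RSP, req)
    print(req, [n for n, on in coils.items() if on])
    regs = decode_response(REG_RSP, parse_read_request(REG_REQ))
    print({n: hex(v) for n, v in regs.items()})
```

A matching CRC only shows that the frame was not corrupted in transit; it says nothing about who sent it.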
MODBUS Transmission Mode

• These transmission modes determine the way in which the MODBUS
messages are coded
• MODBUS ASCII cannot communicate with MODBUS RTU
• ASCII Mode
– Each character byte in a message is sent as 2 ASCII characters.
– Each byte is sent as a string of 7 binary characters framed with a start
bit, parity bit and a stop bit. A parity bit is added before the stop bit
which keeps the actual byte size at 10 bits.
• RTU Mode
– Each byte is sent as a string of 8 binary characters framed with a start
bit, and a stop bit, making each byte 10 bits.
– Each 8-bit message byte contains two 4-bit hexadecimal characters,
and the message is transmitted in a continuous stream.
Modbus ASCII vs Modbus RTU
• In Modbus RTU, bytes are sent consecutively with a 3-1/2 character
space between messages for a delimiter. This allows the software to know
when a new message is starting.

• Any delay between bytes will cause Modbus RTU to interpret it as the start of a
new message.

• Modbus ASCII marks the start of each message with a colon character " : " i.e.,
(hex 3A).

• The end of each message is terminated with the carriage return and line feed
characters (hex 0D and 0A). The only allowable characters for all other fields are
hexadecimal 0-9 & A-F.

• One should be aware that all nodes within one MODBUS network must be of the
same transmission mode, meaning MODBUS ASCII cannot communicate with
MODBUS RTU and vice versa.
[Figures: Modbus ASCII vs Modbus RTU; Modbus RTU Frame Format]
MODBUS PROTOCOL ON OSI MODEL
OSI Model layers: Application, Presentation, Session, Transport, Network, Data Link, Physical
• Modbus Serial: Modbus Application Layer; Serial Line Master / Slave (Data Link); RS232, RS485 (Physical)
• Modbus Plus: Modbus Application Layer; HDLC (Data Link); RS485 (Physical)
• Modbus TCP: Modbus Application Layer; Modbus Messaging on TCP/IP; TCP; IP; Ethernet Data Link; Ethernet Physical Layer


Modbus RS232 PHY

• RS232 is an Electrical Standard for Physical Drivers that put Electrical
signals on the wire
• Point to Point Connection
• Full Duplex
• Maximum Cable Length 50 FT.
• Maximum Data Rate 20kb/s

[Figure: digital electrical signals; wiring Rx to Tx, Tx to Rx, GND to GND]
Modbus RS485 PHY

• Multi-Point Connection (up to 32 devices)
• Half Duplex
• Maximum Cable Length 4,000 FT.
• Maximum Data Rate 100kbps

[Figure: digital electrical signals; RS485 multi-point connection of a Master, Slave A and Slave B]
Master / Slaves State Diagrams
• Idle: This is the initial state after power-up. A request can only be sent in
"Idle" state. After sending a request, the Master leaves the "Idle" state, and
cannot send a second request at the same time.
• Waiting for reply: When a unicast request is sent to a slave, the master goes
into "Waiting for reply" state, and a "Response Time-out" is started. It prevents
the Master from staying indefinitely in "Waiting for reply" state. The value of
the Response time-out is application dependent. If no reply is received, the
Response time-out expires, and an error is generated. Then the Master goes into
"Idle" state, enabling a retry of the request. The maximum number of retries
depends on the master set-up.
• Processing reply: When a reply is received, the Master checks the reply before
starting the data processing. In case of an error detected on the frame, a retry
is performed.
• Waiting turnaround delay: When a broadcast request is sent on the serial
bus, no response is returned from the slaves. Nevertheless a delay is respected
by the Master in order to allow any slave to process the current request before
sending a new one. This delay is called "Turnaround delay". Therefore the master
goes into "Waiting Turnaround delay" state before going back in "Idle" state and
before being able to send another request.


Modbus TCP/IP
• Modbus TCP/IP is simply the Modbus RTU protocol with a TCP interface that
runs on Ethernet.

• TCP/IP refers to the Transmission Control Protocol and Internet Protocol
– The function of TCP is to ensure that all packets of data are received
correctly
– IP makes sure that messages are correctly addressed and routed
– rules for organizing and interpreting the data

• The Modbus TCP/IP message is simply a Modbus communication encapsulated in
an Ethernet TCP/IP wrapper.

• In general, Modbus TCP/IP uses TCP/IP and Ethernet to carry the data
of the Modbus message structure between compatible devices.
Modbus TCP/IP Client/Server Model

The MODBUS messaging service provides a Client/Server communication between
devices connected on an Ethernet TCP/IP network.

This client / server model is based on four types of messages:

· MODBUS Request,
· MODBUS Confirmation,
· MODBUS Indication,
· MODBUS Response

[Figure: MODBUS Client and MODBUS Server exchanging Request, Indication, Response and Confirmation]

A MODBUS Request is the message sent on the network by the Client to
initiate a transaction.

A MODBUS Indication is sent by the server to confirm that a request was
received.

A MODBUS Response is the Response message sent by the Server.

A MODBUS Confirmation is sent by the client to acknowledge the receipt of the
response.
[Figure: Modbus RTU and Modbus TCP Frame Format]
Modbus TCP/IP Data Frame (ADU)

Modbus Application Protocol (MBAP) Header

• The transaction identifier is supplied by the client and is used to keep track of a specific request.
• The server is to send back the same identifier in its response.
• The length field identifies the length of all remaining fields, including the PDU.
• The unit identifier provides the address of the Modbus serial line slave that must be accessed
through a gateway.

The Modbus commands and user data are encapsulated into the data container
of a TCP/IP telegram without being modified in any way.
Modbus TCP/IP Data Frame

• Modbus Serial frame: Address | Function Code | Data | Checksum
• Modbus TCP/IP frame: Transaction Identifier | Protocol Identifier | Length Field | Unit ID | Function Code | Data

The Modbus error checking field (checksum) is not used, as the standard Ethernet
TCP/IP link layer checksum methods are used.

The Modbus Address field is replaced by the unit identifier in Modbus TCP/IP.
Modbus TCP/IP Data Frame: MBAP fields

Transaction Identifier - It is used for transaction pairing; the MODBUS server
copies the identification of a MODBUS Request.

This is important because, in MODBUS TCP, the server can handle many requests
at the same time. This is not possible in MODBUS Serial.

[Figure: Request from MODBUS Client to MODBUS Server; Transaction Identifier initialized by the Client]

Protocol Identifier – This field is always 0 for Modbus services and other values
are reserved for future extensions.

Length - The length field is the size of the following fields, including the Unit
Identifier, Function Code and data fields.

The Unit identifier is typically used to address the MODBUS slave.
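
The MBAP fields above in code, combined with the earlier limitation that Modbus provides no security against unauthorized commands. This is an added example, not part of the original slides: it re-wraps the page's FC03 serial request as a TCP ADU, validates the header, and flags write requests from clients outside an allowlist. The function names, the one-ADU-per-event input, the allowlist and the sample addresses are assumptions; the write function codes and field widths come from the Modbus specification, not from the page.

```python
import struct

# Standard Modbus write function codes (from the Modbus specification, not
# listed on the page): write single coil/register, write multiple.
WRITE_FUNCTION_CODES = {0x05, 0x06, 0x0F, 0x10}

def rtu_to_tcp(rtu_frame: bytes, transaction_id: int) -> bytes:
    """Re-wrap a serial ADU for TCP: the address becomes the unit id,
    the CRC is dropped and the 7-byte MBAP header is prepended."""
    unit_id, pdu = rtu_frame[0], rtu_frame[1:-2]
    length = 1 + len(pdu)            # unit id + function code + data
    return struct.pack(">HHHB", transaction_id, 0, length, unit_id) + pdu

def parse_tcp_adu(adu: bytes) -> dict:
    """Split one Modbus TCP ADU into MBAP fields and PDU, validating the
    protocol identifier and the length field."""
    if len(adu) < 8:
        raise ValueError("shorter than MBAP header + function code")
    tid, proto, length, unit_id = struct.unpack(">HHHB", adu[:7])
    if proto != 0:
        raise ValueError("protocol identifier is not 0")
    if length != len(adu) - 6:       # bytes that follow the length field
        raise ValueError("length field does not match the ADU size")
    return {"transaction_id": tid, "unit_id": unit_id,
            "function_code": adu[7], "data": adu[8:]}

def review_requests(events, allowed_writers):
    """Return findings for an iterable of (source_ip, adu) request events."""
    findings = []
    for src, adu in events:
        try:
            msg = parse_tcp_adu(adu)
        except ValueError as exc:
            findings.append((src, "malformed ADU: %s" % exc))
            continue
        fc = msg["function_code"]
        if fc in WRITE_FUNCTION_CODES and src not in allowed_writers:
            findings.append((src, "write FC 0x%02X to unit %d from unlisted client"
                             % (fc, msg["unit_id"])))
    return findings

# The page's FC03 serial request, carried over TCP with transaction id 1.
READ_ADU = rtu_to_tcp(bytes.fromhex("11 03 006B 0003 7687"), transaction_id=1)

# Constructed sample traffic; addresses are from the 192.0.2.0/24
# documentation range.
SAMPLE_EVENTS = [
    ("192.0.2.10", READ_ADU),                                         # read
    ("192.0.2.10", bytes.fromhex("0002 0000 0006 11 05 00AC FF00")),  # write, listed client
    ("192.0.2.77", bytes.fromhex("0003 0000 0006 11 06 0001 0003")),  # write, unlisted client
    ("192.0.2.77", bytes.fromhex("0004 0000 0009 11 03 006B 0003")),  # wrong length field
    ("192.0.2.77", bytes.fromhex("0005 0001 0006 11 03 006B 0003")),  # protocol id not 0
]
ALLOWED_WRITERS = {"192.0.2.10"}

if __name__ == "__main__":
    print(READ_ADU.hex(" "))
    for finding in review_requests(SAMPLE_EVENTS, ALLOWED_WRITERS):
        print(finding)
```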


Modbus TCP/IP Stack
The flow of data from a sender to a receiver using the TCP/IP stack

Each layer on the sending stack communicates with the corresponding layer
of the receiving stack through information stored in headers

As you move the data down the stack of the sender, each stack layer adds its
own header to the message
The higher layers are encapsulated by the lower layers

Conversely, this header information is removed by the corresponding layer at
the Receiver

CONSTRUCTION OF A TCP/IP-ETHERNET DATA PACKET
• Application: Application User Data (ADU)
• Transport: TCP header added to the Application User Data (ADU)
• Network: IP header added to the Application User Data (ADU)
• Data Link: Ethernet header added to the Application User Data (ADU)
• Physical
PROFINET

Industrial Networks & Operating Systems


ECCE5231
Dr. Waseem Iqbal
PROFINET- Introduction
• PROFINET is the innovative open standard for Industrial Ethernet.
PROFINET satisfies all requirements of automation technology.
PROFINET enables solutions to be developed for factory automation,
process automation, safety applications, and the entire range of drive
technology up to and including isochronous motion control
applications.
• PROFINET allows existing fieldbus systems such as PROFIBUS DP,
PROFIBUS PA, AS-Interface, INTERBUS, and DeviceNet to be
integrated without changes to existing field devices.
• PROFINET is standardized in IEC 61158 and IEC 61784

• PROFINET is 100% Ethernet-compatible as defined in IEEE Standards. With
PROFINET, the following minimum data communication requirements are
automatically established:
• 100 Mbps data communication with copper or fiber optic transmission (100 Base TX
and 100 Base FX)
• Full duplex transmission
• Switched Ethernet
• Auto-negotiation (negotiating of transmission parameters)
• Auto-crossover (sending and receiving lines are crossed in the switch)
• Wireless communication (WLAN and Bluetooth)
• PROFINET uses UDP/IP as the higher-level protocol for demand-oriented
data exchange

• The four key functions of PROFINET are:
• Performance: automation in real time
• Safety: safety-related communication with PROFIsafe
• Diagnostics: high plant availability due to fast commissioning and
efficient troubleshooting
• Investment protection: seamless integration of fieldbus systems

PROFINET Communication Channels
• There are three Communication Channels in
PROFINET: Real-Time (RT), Non-Real-Time (NRT),
and Isochronous Real-Time (IRT).
• There are two main problems using the entire
OSI stack for all communications:
1. Each layer of the stack means extra work has
to be done to pack and unpack the
PROFINET data at the source and destination
2. Using the Network Layer adds some
transmission delay between the sender and
receiver.
• Both of these issues add to delays called
“latency” (lag) and “jitter” on the network.
• Latency is a predictable delay between a transmitter and receiver. On large networks, it may be on the
order of 10 – 100 ms.
• Jitter is the variance in latency from one packet to the next.

Real Time (RT) Channel

• Latency and jitter are bad news for a “real time” industrial
automation protocol. So PROFINET designed the “Real Time”
channel to try to reduce both of those values.
• The RT channel skips the encapsulation steps in the Network,
Transport and Session layers. This means that the frames
exchanged over the RT channel have both low latency and low
jitter, but there’s a real drawback, too: there’s no IP address. And
that means that RT frames can’t be routed between LANs.
Non Real Time (NRT) Channel

• Routing restrictions can be a real problem on large networks, where
diagnostic tools need to have access to PROFINET devices to keep
tabs on the operating state of the PROFINET network. So PROFINET
also has a “Non Real Time” (NRT) communication channel.
• It uses all the layers of the OSI model, and does have IP
addresses. So, PROFINET supervisors can access devices from across
routing boundaries or even over the Internet. But the tradeoff is
higher latency and jitter for these NRT communications.
Isochronous Real-Time (IRT) Communication
• But sometimes “Real-Time” isn’t “hard” real time. Some applications, like closed-loop
motion control, require not just low cycle times, they also require deterministic behavior
from their network – data should be strictly sequenced and should never be vulnerable
to collisions or jitter. To meet these requirements, PROFINET designed a MAC-layer
extension to Ethernet that allows each switch on an IRT network to provide time slices
that turn it into a TDMA (Time Division Multiple Access) medium part of the time and a
regular CSMA-CD medium the rest of the time.
• By synchronizing the network, IRT provides some benefits over the standard RT
communications channel:
• Deterministic network behavior: frames are transmitted and received on a schedule and in order
• Fast cycle times: IRT can easily provide cycle times down to 250μs (4,000 samples per
second). With some of the PROFINET V2.3 extensions, IRT networks can operate with cycle times
as low as 31.25μs (32,000 samples per second).
• A possibility to lock the network data exchange to the real-world I/O data process, eliminating
aliasing or other sampling artifacts.

Each switch on the network requires two things to create the time slices and work in an IRT domain:
1. A shared and extremely accurate clock to determine when to enter the IRT time slice and when to
return to normal Ethernet operation.
2. Additional circuitry in the network switch to buffer and hold any stray Ethernet traffic that is received
on other ports during the IRT time slice.

The shared clock is provided by an IEEE standard, known as IEEE 1588v2 (or IEEE 1588-2008). This standard
defines the Precision Time Protocol (PTP), and PROFINET extends PTP in a wrapper protocol called the
Precision Transparent Clock Protocol (PTCP). PTCP is used to not only share a common real-time clock
across the network, but is also used to compute the delays inherent in both the network switches and the
cabling between them. IRT devices are capable of calculating those delays down to the nanosecond, and
that accuracy is what allows all of the switches in the IRT network to enter and exit the IRT time slice at
exactly the same time.
Conformance Classes

CC-C describes the basic functions for devices with hardware-supported bandwidth
reservation and synchronization (IRT communication) and is thus the basis for
isochronous applications.

CC-B extends the concept to include network diagnostics via
IT mechanisms as well as topology information.

CC-A provides basic functions for PROFINET IO
with RT communication and provides wireless
communication.

Conformance Classes
• Functionality
– CC-A: Real-Time, Cyclic IO, Parameter, Alarms
– CC-B: Real-Time, Cyclic IO, Parameter, Alarms, Network diagnostics, Topology information, System redundancy
– CC-C: Real-Time, Cyclic IO, Parameter, Alarms, Network diagnostics, Topology information, Reserved bandwidth, Synchronization
• Certification
– CC-A: Controller, Devices
– CC-B: Controller, Devices, Infrastructure
– CC-C: Controller, Devices, Infrastructure
• Cabling
– CC-A: Copper, Fiber optics, Wireless
– CC-B: Copper, Fiber optics
– CC-C: Copper, Fiber optics
• Typical Applications
– CC-A: Infrastructure, Building Automation
– CC-B: Factory Automation, Process Automation
– CC-C: Motion Control

Real Time Classes
• Real-time frames are automatically prioritized in PROFINET compared to UDP/IP
frames. This is necessary in order to prioritize the transmission of data in switches
to prevent RT frames from being delayed by UDP/IP frames.
• PROFINET IO differentiates the following classes for RT communication.
• RT_CLASS_1 = Unsynchronized RT communication within a subnet (for CC-A and CC-B).
Industrial standard switches can be used in this RT class.
• RT_CLASS_2 = Frames can be transmitted via synchronized IRT or unsynchronized RT
communication (deprecated and not used today). An Ethernet controller/switch with support of
isochronous operation is required in this RT class.
• RT_CLASS_3 = Synchronized IRT communication within a subnet (used when motion or
high speed applications are necessary, CC-C). An Ethernet controller/switch with support of
isochronous operation is required in this RT class.
• RT_CLASS_UDP = Unsynchronized RT cross-subnet communication between different
subnets over UDP/IP (with this, RT can be sent via a router; not used much up to now).
Industrial standard switches can be used in this RT class.

PROFINET Node Roles

Cyclic Data Exchange – The exchange of data between IO-Controllers and IO-Devices.
Acyclic Data Exchange – The exchange of Configuration and Diagnostic data
Alarms – Alarm data exchange from an IO-Device to an IO-Controller
Context Management – Connection processing parameters

Controllers and Supervisors sit closer to an operator and aggregate information from Devices. Supervisors only
interact with controllers or devices when directed to by a user application. On the other hand, controllers interact
with devices on a regular basis as part of their normal operation.
• Devices are stand-alone units designed to communicate real-time information to
a Controller. They don’t try to communicate with other devices directly.
Instead, they report their real-time (cyclic) data directly to a Controller and may
send some alarm or diagnostic (acyclic) data to a Supervisor.
• Controllers are aggregators for real-time (cyclic) data sent by one or more
Devices. They keep up not only with a device’s real-time data, but they collect
information about each device’s maintenance status, collect alarm messages, and
make all of that information available to an end-user. Controllers are typically
PLCs, PC software applications, or high-end HMIs.
• Supervisors are similar to Controllers, but they don’t have access to the real-time
data from any Device. Supervisors are not part of the daily operation of a
PROFINET network. Instead, end users may use a Supervisor to do things like read
diagnostic information from a Device, assign IP addresses or DCP station names,
or troubleshoot a problematic network connection.

PROFINET Supervisors and Supervisor Takeover

If a Controller has established a connection
to a Device, it can require the Device to
reject Supervisor Connections.

IO-Device
An IO-Device is composed of slots and subslots. The modules located in the slot or subslot can have one or
several channels. The channel defines the amount of input and output data to be transmitted.

What is a GSD file?
• A PROFINET General Station Description (GSD) file is a description of an IO
device provided by the device manufacturer. The contents of the GSD consist
of configuration information, parameters, modules, diagnostics and alarms,
and vendor and device identification.

• The GSD file is a standardized way of describing the device information to the
engineering tool and the IO controller (PLC/PAC/DCS) and can work across a
variety of engineering tools as a standard set of device information.

PROFINET Device Parameters
• Standard Parameters
• F-Parameters (Failsafe Parameters)
• Dynamic Parameters ( iParameters)
• iPar-Server

Topology
• PROFINET supports the following topologies for Ethernet
communication:
• Line topology, which primarily connects terminals with integrated switches in
the field.
• Star topology, which requires a central switch located preferably in the control
cabinet.
• Ring topology, in which a line is closed to form a ring in order to achieve
media redundancy.
• Tree topology, in which the topologies indicated above are combined.

Addressing

• Each PROFINET device has three addresses: Device name, IP address,
and MAC address.
• The name is a logical name assigned to the module. It normally indicates its
location or purpose in the process.
• The Internet Protocol (IP) address is assigned by the IO Controller, when the
connection to the IO Device is established.
• The MAC address is assigned by the hardware manufacturer and cannot be
changed.

Name
• Each PROFINET device has a name associated with it. The name is normally used to describe its position or
purpose in the process.
• PROFINET names are similar to DNS names in that the name is broken into components, each separated by a
period.
• Assigning names to the devices either using a tool with an “Assign name” function or from the PLC options (if
automatic PLC name assignment is supported) is a must.
• Below are the name restrictions.
• Limit of a total of 240 characters (letters "a" to "z", numbers "0" to "9", hyphens, periods).
• A name component within the device name (a character string between two periods, for example) must not be longer than 63
characters. A name cannot use more than 63 characters without using a period.
• No special characters like umlauts, parentheses, underscore, slash, space etc. The hyphen “-” is the only special character
allowed.
• The device name must not contain uppercase letters.
• The device name must not begin nor end with the "-" or "." character.
• The device name must not begin with a number.
• The device name must not have the form "n.n.n.n" (n = 0...999). Specifically, do not use an IP address in the name.
• The device name must not begin with the character string "port-xyz-" (where x,y,z = 0...9).

DCP (Discovery and basic Configuration Protocol)

• It is a Data Link Layer based protocol used by the engineering tool and controller to discover
devices, identify device information, and configure device names and IP addresses. It is restricted
to one subnet and mainly used in small and medium applications without an installed DHCP
server.
• PROFINET DCP offers the following services as its main functions
• Identify All
• Identify
• Set
• Set – Flash
• Set – Reset to Factory
• Get
• Hello
• Some of these services use a multicast message which means it goes to a group of PN devices and
some use a unicast message which goes only to a specific device.
• DCP services are integrated into PROFINET engineering tools, diagnostic tools, controllers, and
devices.

Identify All (multicast service)
• Identify/browse the PROFINET network and find all the attached PROFINET
devices and get a device list of all their information such as current device
name, IP address, subnet mask, router address, MAC address, device type,
vendor and more.
• Once you have the device list it’s easy to determine if there is a network
management issue such as a device that:
• is not connected
• has the wrong name / IP address
• has a duplicate IP address or duplicate name with another device
• has no device name set
• has an incorrect device type or vendor
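
The device-list checks above, together with the device name restrictions from the Addressing section, as an added example (not part of the original slides and not taken from any PROFINET tool). The record layout, the EXPECTED project table, the function names and all sample addresses are assumptions made for illustration.

```python
import re
from collections import defaultdict

_ALLOWED_CHARS = re.compile(r"[a-z0-9.-]+")
_IP_FORM = re.compile(r"\d{1,3}(\.\d{1,3}){3}")
_PORT_PREFIX = re.compile(r"port-\d{3}-")

def name_problems(name: str) -> list:
    """Check a device name against the restrictions listed on the page."""
    if name == "":
        return ["device name is not set"]
    problems = []
    if len(name) > 240:
        problems.append("longer than 240 characters")
    if any(len(part) > 63 for part in name.split(".")):
        problems.append("name component longer than 63 characters")
    if name != name.lower():
        problems.append("contains uppercase letters")
    if not _ALLOWED_CHARS.fullmatch(name.lower()):
        problems.append("contains characters other than a-z, 0-9, '-' and '.'")
    if name[0] in "-." or name[-1] in "-.":
        problems.append("begins or ends with '-' or '.'")
    if name[0].isdigit():
        problems.append("begins with a number")
    if _IP_FORM.fullmatch(name):
        problems.append("has the form n.n.n.n")
    if _PORT_PREFIX.match(name):
        problems.append("begins with port-xyz-")
    return problems

def audit_identify_all(devices: list, expected: dict):
    """devices: dicts with mac/name/ip (hypothetical record layout).
    expected: {device name: IP address} from the engineering project.
    Returns ({mac: [issues]}, [expected names that did not answer])."""
    issues = defaultdict(list)
    by_name, by_ip = defaultdict(list), defaultdict(list)
    for dev in devices:
        mac, name, ip = dev["mac"], dev["name"], dev["ip"]
        issues[mac].extend(name_problems(name))
        if name:
            by_name[name].append(mac)
        if ip == "0.0.0.0":          # factory state: no IP settings
            issues[mac].append("IP address is not set (0.0.0.0)")
        else:
            by_ip[ip].append(mac)
            if name in expected and expected[name] != ip:
                issues[mac].append("IP address differs from project (%s)"
                                   % expected[name])
    for label, groups in (("name", by_name), ("IP address", by_ip)):
        for value, macs in groups.items():
            if len(macs) > 1:
                for mac in macs:
                    issues[mac].append("duplicate %s %s" % (label, value))
    missing = sorted(set(expected) - set(by_name))
    return {mac: found for mac, found in issues.items() if found}, missing

# Constructed scan result; MAC and IP addresses are documentation values.
SAMPLE_SCAN = [
    {"mac": "00:00:5e:00:53:01", "name": "conveyor-1.line-a", "ip": "192.0.2.21"},
    {"mac": "00:00:5e:00:53:02", "name": "conveyor-2.line-a", "ip": "192.0.2.21"},
    {"mac": "00:00:5e:00:53:03", "name": "", "ip": "0.0.0.0"},
    {"mac": "00:00:5e:00:53:04", "name": "Pump_1", "ip": "192.0.2.24"},
    {"mac": "00:00:5e:00:53:05", "name": "port-001-drive", "ip": "192.0.2.25"},
]
EXPECTED = {
    "conveyor-1.line-a": "192.0.2.21",
    "conveyor-2.line-a": "192.0.2.22",
    "mixer-1.line-a": "192.0.2.23",
}

if __name__ == "__main__":
    found, missing = audit_identify_all(SAMPLE_SCAN, EXPECTED)
    for mac, problems in found.items():
        print(mac, problems)
    print("not connected:", missing)
```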

Identify (multicast service)
• The ‘Identify’ service is used when a device needs to be found using a
particular/known device name. This is typically used by the PROFINET controller at
startup to identify each device and check its IP address settings, name and if it has
the expected device before parameterization.
Set (unicast service)
• The ‘Set’ service is used to set the name or IP of the device. It also has some other
special functions such as resetting a device to factory settings and flash of device
LEDs.
Set / Reset to Factory (unicast service)
• A special set command that can be sent to the device after a user confirmation
which sets the device to a PROFINET factory (default) state which is empty name (“”)
and IP settings of 0.0.0.0.

Set / Signal (Flash) (unicast service)
• An optional special set command which can be used to identify a device by flashing
LEDs somewhere on the device. It makes it easier if necessary to visually identify a
device if you have multiple devices of the same type that you are working with.
Get (unicast service)
• The ‘Get’ service can be used to get information from a device, for example the
vendor ID, device ID, type of device, MAC address, device role (ex: controller /
device), and others.
Hello (multicast service)
• The ‘Hello’ service is used when Fast startup is also employed and enabled on a
device. It allows a device to notify the controller (or controllers) after a power cycle
that it is back online rather than waiting for the controller to find it which may
extend the startup time.

Link Layer Discovery Protocol (LLDP)
• A device which supports LLDP will send a message to its
neighbor stations on each switch port every few seconds to
identify itself and give network related information. This is
then stored in a data table known as the
Discovery Management Information Base (MIB).
• Discover, check, and maintain the topology of the PROFINET
network and obtain diagnostics if something changes.
• Easy device commissioning when setting up the network
• Simple device replacement in case any device fails.
• Share network line and switch delays for high speed motion
applications.

SNMP (Simple Network Management Protocol)
• SNMP (Simple Network Management Protocol) has established itself as the de
facto standard for maintenance and monitoring of network components and their
functions.
• SNMP can read-access network components, in order to read out statistical data
pertaining to the network as well as port-specific data and information for
neighborhood detection.
• In order to monitor PROFINET devices with an established management system,
implementation of SNMP is mandatory for devices of Conformance Classes B and
C.

Sources
• https://profinetuniversity.com/
• https://www.felser.ch/profinet-manual/conformance.html
