How can you protect the S7-300/400 against unauthorized access from the LAN (local area network)?

Description
If you are using an Industrial Ethernet CP that supports the "IP access list" function in the S7-300/400, you can prevent unauthorized access via the LAN (local area network).

The following modules support the "IP access list" function:

6GK7 343-1GX20-0XE0 - from V1.0 (CP343-1 IT)
6GK7 343-1GX21-0XE0 - from V1.0 (CP343-1 Advanced)
6GK7 343-1GX30-0XE0 - from V1.0 (CP343-1 Advanced)
6GK7 343-1EX21-0XE0 - from V1.0 (CP343-1)
6GK7 343-1EX30-0XE0 - from V2.0 (CP343-1)
6GK7 443-1EX10-0XE0 - from V2.3 (CP443-1)
6GK7 443-1EX11-0XE0 - from V2.3 (CP443-1)
6GK7 443-1EX20-0XE0 - from V1.0 (CP443-1)
6GK7 443-1EX40-0XE0 - from V1.0 (CP443-1 Advanced)
6GK7 443-1EX41-0XE0 - from V1.0 (CP443-1 Advanced)
6GK7 443-1GX20-0XE0 - from V2.0 (CP443-1 Advanced)

IP access list
The IP access list is configured in the Properties dialog of the Industrial Ethernet CP concerned.
In the configuration, it is possible to define a list of IP addresses that are permitted access to the module. For example, in the configuration you can enter all the IP addresses of the programming devices that are authorized to have access. This then prevents unauthorized access from PCs, for example, to the S7-300/400 via the LAN.

The CP works on the following principle
Every time a message is received via the LAN, a check is made to see whether the sender's IP address is on the IP access list. If not, the message is discarded, and the partner receives neither a positive nor a negative response. If the IP address is on the IP access list, i.e. it has access authorization, the message is forwarded and processed.

Special feature of the IP access list
If you want duplicate ("double") IP addresses to be recognized in the network, you must enter the IP address of the Industrial Ethernet CP itself in the IP access list.
Otherwise, no reply is made to the PING sent by the partner module, because the IP access list check reveals that it does not have access authorization, and the duplicate IP address in the network is not recognized.

Configuration of the IP access list

  1. Open the HW Config of your S7-300/400.
  2. Double-click on the Industrial Ethernet CP. The Properties dialog opens.
  3. Select the "IP Access Protection" tab.
  4. Check the "Activate access protection for IP communication" function to activate the IP access list.
  5. Now enter the IP addresses or IP address bands of the devices that have access authorization.


Fig. 01

Note
The IP access list is only effective for TCP, UDP or ISO-on-TCP communication. It does not take into account messages sent via the ISO transport protocol, nor MAC addresses.

Loading the configuration into the module
You have the following options for loading the configuration data.

  • Loading via the MPI interface of the CPU.
  • Loading via the LAN (ISO protocol or TCP/IP protocol).

The following points should be noted here.

  1. Loading via MPI
    There are no restrictions for loading configuration data via MPI.
     
  2. Loading via ISO protocol
    The Industrial Ethernet CP, via which the configuration data is to be loaded, must support the ISO protocol.
     
  3. Loading via the TCP/IP protocol
    If the configuration with the IP access list is to be loaded into the module via TCP/IP, the IP address of the configuration PC/PG has to be entered in the IP access list!
    The IP access list becomes effective before the loading procedure has finished. If the PC/PG is not on the list, its IP address then suddenly no longer has access authorization to the S7-300/400. STEP 7 then reports a faulty loading procedure and the CPU reports an inconsistent configuration.

Remedy
Enter the IP address of the configuration PC/PG into the IP access list and then load the configuration again via ISO protocol or MPI.

Note
If the IP address of the PC/PG is not to be entered in the IP access list, then the configuration usually has to be loaded via MPI or ISO protocol.
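
The following Python sketch is an added example, not Siemens or STEP 7 code. It models the CP's per-message check as described above and reviews a planned IP access list for the two pitfalls named on this page before it is downloaded. The "start-end" notation for address bands, the function names and all addresses are assumptions made for the example.

```python
import ipaddress

def parse_acl(entries):
    """Turn 'a.b.c.d' or 'a.b.c.d-e.f.g.h' strings into (low, high) pairs.
    The 'start-end' band notation is an assumption of this example."""
    ranges = []
    for entry in entries:
        low, _, high = entry.partition("-")
        lo = ipaddress.IPv4Address(low.strip())
        hi = ipaddress.IPv4Address(high.strip()) if high else lo
        if hi < lo:
            raise ValueError(f"band end below start: {entry!r}")
        ranges.append((lo, hi))
    return ranges

def is_permitted(acl, sender):
    """The check the page describes: a listed sender is forwarded and
    processed; any other message is discarded without a response."""
    ip = ipaddress.IPv4Address(sender)
    return any(lo <= ip <= hi for lo, hi in acl)

def review_before_download(entries, cp_ip, pg_ip, load_path):
    """Return warnings for the pitfalls described on this page.
    load_path is 'mpi', 'iso' or 'tcpip' (labels chosen for this example)."""
    acl = parse_acl(entries)
    warnings = []
    if load_path == "tcpip" and not is_permitted(acl, pg_ip):
        warnings.append(f"PG/PC {pg_ip} is not listed: the list takes effect "
                        "during a TCP/IP download and the load will fail; "
                        "list it or load via MPI or ISO")
    if not is_permitted(acl, cp_ip):
        warnings.append(f"CP address {cp_ip} is not listed: duplicate IP "
                        "addresses in the network will not be recognized")
    return warnings

# Constructed sample values (private addresses, not taken from the page).
SAMPLE_ACL = ["192.168.10.20", "192.168.10.100-192.168.10.110"]

if __name__ == "__main__":
    for w in review_before_download(SAMPLE_ACL, "192.168.10.5",
                                    "192.168.10.50", "tcpip"):
        print("WARNING:", w)
```

The review covers only what the access list itself filters; as the note above states, messages sent via the ISO transport protocol are not checked against the list.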

 


Tags:Security LAN Access authorization Module protection Network
