Page 2
Note the following: WARNING Siemens products may only be used for the applications described in the catalog and in the relevant technical documentation. If products and components from other manufacturers are used, these must be recommended or approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and maintenance are required to ensure that the products operate safely and without any problems.
● IP routing via the backplane bus
Replaced edition
Edition 10/2016
Current manual release on the Internet
You will find the current version of this manual on the Internet pages of Siemens Industry Online Support: Link: (https://support.industry.siemens.com/cs/ww/en/ps/15340/man)
Sources of information and other documentation
See section Guide to the documentation (Page 9).
Page 4
In order to protect plants, systems, machines and networks against cyber threats, it is necessary to implement – and continuously maintain – a holistic, state-of-the-art industrial security concept. Siemens’ products and solutions only form one element of such a concept. The customer is responsible for preventing unauthorized access to its plants, systems, machines and networks.
Page 5
Siemens contact. Keep to the local regulations. You will find information on returning the product on the Internet pages of Siemens Industry Online Support: Link: (https://support.industry.siemens.com/cs/ww/en/view/109479891)
4.3.2 Restart after detection of a duplicate IP address in the network ... 35
4.3.3 IP routing ... 35
Security ... 36
4.4.1 VPN ... 36
4.4.1.1 Creating VPN tunnel communication between S7-1500 stations ... 37
CP 1543-1 Operating Instructions, 05/2017, C79000-G8976-C289-07...
Page 8
Table of contents
4.4.1.2 Successfully establishing VPN tunnel communication between the CP 1543-1 and SCALANCE M ... 39
4.4.1.3 VPN tunnel communication with SOFTNET Security Client ... 39
4.4.1.4 CP as passive subscriber of VPN connections ... 40
4.4.2 Firewall ... 41
4.4.2.1 Firewall sequence when checking incoming and outgoing frames ... 41
4.4.2.2 Notation for the source IP address (advanced firewall mode) ... 41
4.4.2.3...
The documentation of the SIMATIC products has a modular structure and covers topics relating to your automation system. The complete documentation for the S7-1500 system consists of a system manual, function manuals and device manuals. The STEP 7 information system (online help) also supports you in configuring and programming your automation system.
Page 10
SIMATIC manuals
All current manuals for SIMATIC products are available for download free of charge from the Internet: Link: (http://www.siemens.com/automation/service&support)
CP documentation in the Manual Collection (article number A5E00069051)
The "SIMATIC NET Manual Collection" DVD contains the device manuals and descriptions of all SIMATIC NET products current at the time it was created.
This description contains information on the following product
CP 1543-1
article number 6GK7 543-1AX00-0XE0
hardware product version 2
firmware version V2.1
communications processor for SIMATIC S7-1500
View of the CP 1543-1
① LEDs for status and error displays
② LED displays of the Ethernet interface for connection status and activity
③...
MAC address in the subnet!
Application
The CP is intended for operation in an S7-1500 automation system. It allows the S7-1500 to be connected to Industrial Ethernet. With a combination of different security measures such as firewall and protocols for data encryption, the CP protects the S7-1500 or even entire automation cells from unauthorized access.
– FETCH/WRITE services as server (corresponding to S5 protocol) via ISO transport, ISO-on-TCP and TCP connections
The S7-1500 with the CP is always the server (passive connection establishment). The fetch or write access (client function with active connection establishment) is performed by a SIMATIC S5 or a third-party device / PC.
Page 14
Web server access using the HTTPS protocol
The Web server of a SIMATIC S7-1500 station is located in the CPU. For this reason, when there is secure access (HTTPS) to the Web server of the station using the IP address of the CP 1543-1, the SSL certificate of the CPU is displayed.
CPU or additional CPs.
Security functions of the CP for the S7-1500 station
As a result of using the CP, the following security functions are accessible to the S7-1500 station on the interface to the external network:
● Firewall
–...
Product overview, functions 2.5 Configuration limits and performance data
2.5.1 General characteristic data
Characteristic: Total number of freely usable connections on Industrial Ethernet
Explanation / values: The value applies to the total number of connections of the following types:
• S7 connections
•...
Page 17
The following characteristics are important (OUC + FETCH/WRITE):
Characteristic: Number of connections
Explanation / values: Number of configured and programmed connections in total (ISO transport + ISO-on-TCP + TCP + UDP + FETCH/WRITE + e-mail): Max.
Number of reserved connections for Web
Note
Maximum values for an S7-1500 station
Depending on the CPU you are using, there are limit values for the S7-1500 station. Note the information in the relevant documentation.
2.5.4 Characteristic data for FTP / FTPS mode
TCP connections for FTP
FTP actions are transferred from the CP over TCP connections. Depending on the mode, the following characteristic data applies:
●...
Power supply via the CPU adequate or additional power supply modules required
You can operate a certain number of modules in the S7-1500 station without an additional power supply. Make sure that you keep to the specified power feed to the backplane bus for the particular CPU type.
Product overview, functions 2.6 Requirements for use
2.6.3 Programming
Program blocks
For communications services, there are preprogrammed program blocks (instructions) available as the interface in your STEP 7 user program.
Table 2-1 Instructions for communications services
Protocol | Program block (instruction) | System data type
Establish connection and TCON_IP_v4...
Product overview, functions 2.7 LEDs
LEDs
① RUN LED
② ERROR LED
③ MAINT LED
④ LINK/ACT LED
⑤ Reserve LED
Figure 2-2 LED display of the CP 1543-1 (without front cover)
Meaning of the LED displays of the CP
The CP has the following 3 LEDs to display the current operating status and the diagnostics status: (one-color LED: green)
Page 23
The following table shows the meaning of the various combinations of colors of the RUN, ERROR and MAINT LEDs.
Table 2-3 Meaning of the LEDs "RUN", "ERROR", "MAINT"
ERROR MAINT Meaning
No supply voltage on the CP or supply voltage too low.
The Ethernet interface allows a secure connection to external networks via a firewall. The CP provides the following protective function:
● Protection of the S7-1500 station in which the CP is operated;
● Protection of the underlying company networks connected to the other interfaces of the S7-1500 station.
Installation, connecting up, commissioning, operation
Important notes on using the device
Safety notices on the use of the device
Note the following safety notices when setting up and operating the device and during all associated work such as installation, connecting up or replacing the device.
WARNING
LAN attachment
A LAN or LAN segment with the attachments belonging to it should be within a single low-...
Zone 2, the device must be installed in a cabinet or a suitable enclosure.
WARNING
DIN rail
In the ATEX and IECEx area of application only the Siemens DIN rail 6ES5 710-8MA11 may be used to mount the modules.
3.1.2...
Installation, connecting up, commissioning, operation 3.1 Important notes on using the device
3.1.3 Notes on use in hazardous areas according to UL HazLoc
WARNING
EXPLOSION HAZARD
You may only connect or disconnect cables carrying electricity when the power supply is switched off or when the device is in an area without inflammable gas concentrations.
Read the system manual "S7-1500 Automation System"
Prior to installation, connecting up and commissioning, read the relevant sections in the system manual "S7-1500 Automation System" (references to documentation, refer to the section Guide to the documentation (Page 9)). Make sure that the power supply is turned off when installing/uninstalling the devices.
You will find additional information on the topics of "Connecting up" and "Accessories (RJ-45 plug)" in the system manual: Link: (https://support.industry.siemens.com/cs/ww/en/view/59191792)
Mode of the CPU - effect on the CP
You can change the mode of the CPU between RUN and STOP using the STEP 7 configuration software.
Page 30
Installation, connecting up, commissioning, operation 3.3 Mode of the CPU - effect on the CP
Note
RUN/STOP LED of the CP
The green RUN/STOP LED of the CP continues to be lit green regardless of the STOP mode of the CPU.
● Keep the firmware up to date. Check regularly for security updates of the firmware and use them.
● Check regularly for new features on the Siemens Internet pages.
– Here you will find information on network security: Link: (http://www.siemens.com/industrialsecurity)
–...
Page 32
Configuration, programming 4.1 Security recommendations
Security functions of the product
Use the options for security settings in the configuration of the product. These include among others:
● Protection levels
Configure access to the CPU under "Protection and Security".
● Security function of the communication
–...
Page 33
Table: Meaning of the column titles and entries
The following table provides you with an overview of the open ports on this device.
● Protocol / function
Protocols that the device supports.
● Port number (protocol)
Port number assigned to the protocol.
Configuration, programming 4.2 Network settings
Protocol / function | Port number (protocol) | Default of the port | Port status | Authentication
 | 20 (TCP), 21 (TCP) | Closed | Open after configuration |
FTPS | 989 (TCP), 990 (TCP) | Closed | Open after configuration |
SNMP | 161 (UDP) | Open | Open after configuration | Yes (with SNMPv3)
SMTP...
Configuration, programming 4.3 IP configuration
4.3.1 Points to note about IP configuration
Configured S7 and OUC connections cannot be operated if the IP address is assigned using DHCP
Note
If you obtain the IP address using DHCP, any S7 and OUC connections you may have configured will not work.
Configuration, programming 4.4 Security
Note the range and application of the security functions of the CP in the section Industrial Ethernet Security (Page 15). For the configuration limits, see section Characteristics security (Page 19). The security functions are configured in STEP 7.
4.4.1 What is VPN?
Virtual Private Network (VPN) is a technology for secure transportation of confidential data in
● The Ethernet interfaces of the two stations are located in the same subnet.
Note
Communication also possible via an IP router
Communication between the two S7-1500 stations is also possible via an IP router. To use this communications path, however, you need to make further settings.
Procedure
To create a VPN tunnel, you need to work through the following steps:
1.
Page 38
3. Create the VPN group and assign security modules.
4. Configure properties of the VPN group. Configure local VPN properties of the two CPs.
You will find a detailed description of the individual steps in the following paragraphs of this section.
VPN tunnel communication with SOFTNET Security Client
Creating VPN tunnel communication between the CP SOFTNET Security Client and CP 1543-1 is the same as described in Procedure for S7-1500 stations (Page 37).
VPN tunnel communication works only if the internal node is disabled
Under certain circumstances the establishment of VPN tunnel communication between SOFTNET Security Client and the CP 1543-1 fails.
Use the procedure for disabling the node as explained below only if the described problem occurs.
Disable the node in the SOFTNET Security Client tunnel overview:
1. Remove the checkmark in the "Enable active learning" check box. The lower-level node initially disappears from the tunnel list.
4.4.2 Firewall
4.4.2.1 Firewall sequence when checking incoming and outgoing frames
Each incoming or outgoing frame initially runs through the MAC firewall (layer 2). If the frame is discarded at this level, it is not checked by the IP firewall (layer 3). This means that with suitable MAC firewall rules, IP communication can be restricted or blocked.
4.4.3 Online functions
4.4.3.1 Online diagnostics via port 8448
Security diagnostics without opening port 102
If you want to perform security diagnostics without opening port 102, follow the steps below:
1. Select the CP in STEP 7.
2.
Configuration, programming 4.5 Time-of-day synchronization
4.4.4 Filtering of the system events
Communications problems if the value for system events is set too high
If the value for filtering the system events is set too high, you may not be able to achieve the maximum performance for the communication.
Configuration, programming 4.6 Program blocks for OUC
Configuration
For more detailed information on configuration, refer to the STEP 7 online help of the "Time-of-day synchronization" parameter group.
Program blocks for OUC
Programming Open User Communication (OUC)
The instructions (program blocks) listed below are required for the following communication services via Ethernet:
●...
Page 45
● TSEND V4.0 / TRCV V4.0
Sending and receiving data via TCP or ISOonTCP
● TMAIL_C V4.0
Sending e-mails
Note the description of TMAIL_C as of version V4.0 in the STEP 7 information system.
Connection establishment and termination
Connections are established using the program block TCON.
Page 46
The following SDTs can be used.
● Configured connections:
– TCON_Configured
For transferring frames via TCP
● Programmed connections:
– TCON_IP_V4
For transferring frames via TCP or UDP
– TCON_IP_V4_SEC
For the secure transfer of frames via TCP
–...
Configuration, programming 4.7 Setting up FTP communication
4.7.1 The program block FTP_CMD (FTP client function)
Meaning
Using the FTP_CMD instruction, you can establish FTP connections and transfer files from and to an FTP server.
Note
Block versions
You can use the version V2.x of FTP_CMD in a station only in conjunction with a CPU and a CP V2.x V2.x.
Page 48
Job blocks
The following data structures are used for the job blocks:
● Connection establishment
Various data structures are available for the connection establishment using the following types of access:
– FTP_CONNECT_IPV4: Connection establishment with IP addresses according to IPv4
–...
CMD = 0 (NOOP)
CMD = 5 (QUIT)
The content of the job block is not evaluated when these command types execute; the type (UDT) of the specified job block is therefore unimportant.
Note
Response if the reference to the FTP job block is missing
If this reference is not supplied, the command is not executed.
Page 50
The functionality described here allows you to transfer data in the form of files to or from an S7-1500 station using FTP commands. At the same time, the conventional FTP commands for reading, writing and managing files can also be used.
Page 51
Reading/writing via DBs of the CPU
To transfer data with FTP via data blocks, create the required DBs in the CPU. Due to their special structure, these are known as file DBs. When it receives an FTP command, the CP acting as FTP server queries its assignment table to find out how the data blocks used for file transfer in the CPU will be mapped to files.
FTPS access only with security functions enabled
FTPS access to the S7-1500 station as an FTP server is only possible if a user with suitable rights has been created in the STEP 7 project. This means that the security functions must be enabled on the CP.
Diagnostics and upkeep
Diagnostics options
You have the following diagnostics options available for the module:
● The LEDs of the module
For information on the LED displays, refer to the section LEDs (Page 22).
● STEP 7: The "Diagnostics" tab in the Inspector window
Here, you can obtain the following information on the selected module:
–...
Page 54
Diagnostics and upkeep 5.2 Diagnostics with SNMP
You will find detailed information on SNMP and the Siemens Automation MIB in the manual "Diagnostics and Configuration with SNMP" that you will find on the Internet: Link: (https://support.industry.siemens.com/cs/ww/en/ps/15392/man)
Performance range of the CP
The CP supports the following SNMP versions:
●...
Page 55
The following groups of the standard MIB II are not supported:
– Address Translation (AT)
– EGP
– Transmission
● LLDP MIB
● Siemens Automation MIB
Note that write access is permitted only for the following MIB objects of the "System" group:
– sysContact
– sysLocation
–...
Diagnostics and upkeep 5.3 Replacing a module without a programming device
General procedure
The configuration data of the CP is stored on the CPU. This makes it possible to replace this module with a module of the same type (identical article number) without a PG.
Note
Configured MAC address is adopted
When setting the ISO protocol, remember that MAC address set previously during...
Technical specifications
Note the information in the System description of SIMATIC S7-1500 (Page 9). In addition to the information in the system description, the following technical specifications apply to the module.
Technical specifications - CP 1543-1
Product name CP 1543-1...
Page 58
0 ... 100 m
• Max. 100 m IE FC TP Standard Cable with IE FC RJ45 Plug 180
• Max. 90 m IE FC TP Standard Cable + 10 m TP Cord via
•...
The approvals for shipbuilding are an exception to this.
Certificates for shipbuilding and national approvals
The device certificates for shipbuilding and special national approvals can be found in Siemens Industry Online Support on the Internet: Link: (https://support.industry.siemens.com/cs/ww/en/ps/15340/cert)
EC declaration of conformity...
Page 60
DE-76181 Karlsruhe Germany
You will find the EC Declaration of Conformity on the Internet at the following address: Link: (https://support.industry.siemens.com/cs/ww/en/ps/15340/cert)
The current versions of the standards can be seen in the EC Declaration of Conformity and in the certificates.
IECEx
The product meets the requirements of explosion protection according to IECEx.
Page 61
● In the SIMATIC NET Manual Collection in "All documents" > "Use of subassemblies/modules in a Zone 2 Hazardous Area"
● On the Internet at the following address: Link: (https://support.industry.siemens.com/cs/ww/en/view/78381013)
Until 19.04.2016 the product meets the requirements of the EC Directive 2014/30/EU "Electromagnetic Compatibility" (EMC directive).
Page 62
Approvals
Applied standards:
● ANSI ISA 12.12.01
● CSA C22.2 No. 213-M1987
APPROVED for Use in:
● Cl. 1, Div. 2, GP. A, B, C, D T3...T6
● Cl. 1, Zone 2, GP. IIC T3...T6
Ta: Refer to the temperature class on the type plate of the CP
Report / UL file: E223122 (NRAG, NRAG7)
Note the conditions for the safe deployment of the product according to the section Notes on use in hazardous areas according to UL HazLoc (Page 27).
Page 63
SIMATIC NET products are regularly submitted to the relevant authorities and approval centers for approvals relating to specific markets and applications. If you require a list of the current approvals for individual devices, consult your Siemens contact or check the Internet pages of Siemens Industry Online Support: Link: (https://support.industry.siemens.com/cs/ww/en/ps/15340/cert)