ABB EDS500 Series, Function Manual

Page 1: ...Power Grids EDS500 series Ethernet DSL switches Part 2 Functions Manual Release 2 Power Grids EDS500 series Ethernet DSL switches Part 2 Functions Manual Release 2 ...

Page 2: ...Revision Revision Document identity 1KGT151021 V000 1 Revision Date Changes 0 08 2019 Initial version 2 1KGT151021 V000 1 ...

Page 3: ...nfiguration Enable 14 2 2 7 Event Messages and Status Messages at the Management Console 16 2 3 User Authentication 16 2 3 1 Login Mode Password 16 2 3 2 Login Mode Radius 17 2 3 3 Automatic Session Termination 17 2 4 Loading and Saving a Configuration 18 2 4 1 Show Configurations 18 2 4 2 Modifying Start Configuration 18 2 4 3 Power up Configuration Stick and Modifications during Runtime 19 2 4 4...

Page 4: ...Spanning Tree Protocol Version 52 2 19 2 Commands to Display the Spanning Tree Bridge Information 53 2 19 3 Display the Spanning Tree Root Information 53 2 19 4 Display the Spanning Tree Port Roles and States 53 2 19 5 Display detailed Spanning Tree Information 53 2 19 6 Display of Specific Settings for Multiple Spanning Tree MST 53 2 19 7 Configuration of Spanning Tree Bridge Parameters 54 2 19 8...

Page 5: ... with IEEE 802 1X 85 2 25 Access Lists 86 2 25 1 Concept 86 2 25 2 Filter for MAC Addresses 87 2 25 3 Filter for Ethertype 88 2 25 4 Filter for IP Addresses or Ranges 88 2 25 5 Filters for the IP Payload Protocol 88 2 25 6 Filter for TCP and UDP Ports 88 2 25 7 Access Control Lists as Incoming or Outgoing Packet Filter for Interfaces 88 2 25 8 Access Lists as Class Map to Qualify QoS of the Data T...

Page 6: ...pecific Cryptographic Key 108 2 35 2 Generate and Apply Cryptographic Key 109 2 36 Certificate Management 112 2 36 1 Host Key Type 112 2 36 2 Combination of Key and Certificate 112 2 36 3 Step by Step Instructions 117 3 Glossary 153 6 1KGT151021 V000 1 ...

Page 7: ...151021 Part 2 Functions Description of the functions 1KGT151018 Part 3 Command reference Description of the command line interface Table 1 Parts of the Manual EDS500 series Ethernet DSL switches 1 2 References 1 Individual Ident EDS500 series Hardware data sheets Individual hardware data sheets of all devices and auxiliary equipment 2 Individual Ident EDS500 series Operating instructions Individua...

Page 8: ...References Introduction 8 1KGT151021 V000 1 ...

Page 9: ...rminal program e g Tera Term PuTTY HyperTerminal The default value for the serial interface is 57600 Baud 8N1 8 data bits no parity 1 stop bit no flow control With the help of the terminal program you can enter commands as alpha numeric commands that are executed after pressing Enter For operating the command line interface CLI refer to Chapter 2 2 Handling of the Command Line Interface CLI If a l...

Page 10: ... to User Authentication The default value for loginmode is password The default login password is empty Parameter User name User password Loginmode password Login password Loginmode radius RADIUS user RADIUS password Table 3 Login with Telnet After successful login Telnet offers access to the command line interface CLI handling see Chapter 2 2 Handling of the Command Line Interface CLI 2 1 4 Confi...

Page 11: ...ation HTTP with redirection to HTTPS The handling of the web interface is described in detail in Chapter 2 5 Handling in the Web Interface 2 1 6 Configuration via SNMP Some of the device parameters can be set via SNMP access see Chapter 2 27 SNMP Network Management Prerequisite is the reachability of the device via the IP network refer to Chapter 2 1 2 Configuration via the IP Network and activate...

Page 12: ...evices can be configured by the command line interface CLI 2 2 1 Command Input A command is entered as an alphanumeric command and concluded with Enter After complete and correct input the command is executed Input a command switch show interface show interface Interface Summary Interface dsl1 system0 port1 port2 port3 port4 console0 Admin State up up up up up up up Link state down up up down down...

Page 13: ...mand line interface CLI of the EDS500 devices offers an online help to show the further input options of the current hierarchy level The list of input options is shown after entering the question mark or pressing the tab key Command list at the top hierarchy level switch enable exit ping show telnet switch Command list at the hierarchy level show switch show alarm arp cdp debug dot1x iec101 iec104...

Page 14: ...e command line interface CLI has a command stack for the last 5 commands With the help of the cursor up and cursor down keys the list of commands can be scrolled It shows always only one command The currently shown command can be edited Pressing the Enter key executes the command The command stack is purged at Logout or Disable refer to Chapter 2 2 6 Operation Modes View Login and Configuration En...

Page 15: ...e is in view mode enable disable Login Password Enable Password Configuration Mode View Mode Mode Figure 1 Access modes The command exit terminates view mode and operating mode configuration and closes the command line interface CLI The prompt at the command line interface CLI shows the current access mode Prompt for view mode switch The symbol indicates the login permission view mode Prompt in op...

Page 16: ...refer to Chapter 2 5 Handling in the Web Interface is protected by a two step authorization concept refer to Chapter 2 2 6 Operation Modes View Login and Configuration Enable The default value for passwords is empty It is recommended to set a new password during first login This reminder will appear as long as no password is not set The following sections describe how the device can be protected a...

Page 17: ...ured the login mode password stays active as a fall back After successful login with RADIUS e g via Telnet or SSH the user is in view mode If the web interface is used with RADIUS the user is in operation mode configuration after authentication Commands to set login mode radius set system loginmode radius ADVICE Serial connections to the command line interface CLI via serial connections are not au...

Page 18: ...that set the values to special settings The persistent configuration memory the startup config allows a device to restore a configuration after a restart The stored configuration commands are executed during start up and create the initial running config In addition to the device internal startup config an optional external hot pluggable storage in the shape of a configuration stick is available I...

Page 19: ...ng operation further configuration commands are executed then the running config is modified If the configuration stick is plugged in during operation then the stored configuration can be accessed There is no automatic transfer of the configuration The data of the configuration stick is used not before a restart of the device and then the data is copied to the startup configuration Tab 5 Modificat...

Page 20: ...he format is checked for plausibility Commands to transfer the configurations copy tftp copy running config copy config tftp 2 4 5 Default Configuration and Reset of a Device The default configuration of a device contains configuration commands that allow access to the broadest set of functions of a system On shipping all devices have the default configuration The default configuration is not iden...

Page 21: ... Method 1 Reset with Command Command to restart a device with the default configuration reload default config 2 4 5 2 Method 2 Reset during Startup of Device During start up the serial interface console0 is always in operation mode configuration interface settings 57600 Baud 8N1 even if it is configured as process interface or similar after start up During start up the key i may be pressed once to...

Page 22: ... interface After calling the URL in the browser a dialogue pops up for authentication Depending on the set mode for user authentication refer to Chapter 2 3 User Authentication enter the access data Figure 3 Dialogue for authentication when accessing the web interface Login mode User name Password password weblogin Login password or Enable password radius RADIUS user name RADIUS user password Tabl...

Page 23: ...u for the main function units All modifications initiated by the web interface effect the running configuration running config of the device Settings that have no dedicated web page can be executed with the help of the built in command parser of the web interface The function Commands is the interface to the command line interface CLI of the device Chapter 2 2 Handling of the Command Line Interfac...

Page 24: ...rt up has been concluded successfully about 30 seconds after switching on the device the display Ready switches to green At this time the specified device configuration has been loaded refer to Chapter 2 4 Loading and Saving a Configuration 2 6 1 Information about the last Start up The general output on system information includes the device uptime since the last system start system uptime and the...

Page 25: ... and easy location in the network Especially in larger networks this feature becomes important 2 7 1 Host Name The host name is the unique identification for a device in the network The host name of an EDS500 device may be up to 20 characters long and consist of any combinations of characters numbers and special characters The default value for Hostname is switch A Hostname should consist only of ...

Page 26: ...werk Station Umspannwerk Schaltschrank 4 Max Mustermann 38 1875 deg Celsius time server not set 2 8 VLAN Settings Virtual networks allow to transmit different services separated from each other over the same infrastructure Although the physical topology of a network connects all network elements setting VLANs can take care that the individual logical topologies are separated from each other This s...

Page 27: ... terminal devices On an access port incoming Ethernet frames get a VLAN tag frames that leave the port in the direction of the terminal device get stripped off the VLAN tag and the data is transmitted untagged Each access port is associated with exactly one VLAN id Those interfaces that connect the network infrastructure are configured as trunk ports Ethernet frames are transmitted with 802 1Q VLA...

Page 28: ...switch port1 port2 port3 port4 access vlan 1 4094 set switch port1 access vlan 10 set switch port1 port2 port3 port4 trunk vlan 1 4094 all set switch port3 trunk vlan all set system radius source vlan 1 4094 dependency inverse monitor monitor set system snmp trap source vlan 1 4094 dependency inverse monitor monitor clear interface channel trunk vlan clear interface dsl access vlan clear interface...

Page 29: ...0870 5 101 IEC 60870 5 104 conversion or to use the devices as IP routers it is necessary to define one or more IP addresses The devices support the IP protocol version 4 and 6 2 9 1 IP Address The default value for the IP address is 10 0 0 2 If several devices are connected to a network without individually changing the IP address it cannot be predicted which device is reached under the IP addres...

Page 30: ...ss to a specified VLAN use the command set system vlan 1 4094 The system IP address and the system gateway are deactivated and the formerly set IP address and gateway for the specified VLAN interface are activated The other way round the configuration of an individual VLAN interface can be adopted as system IP address and gateway with the command set system vlan none Commands to configure VLAN IP ...

Page 31: ...serve a whole block of IP addresses instead of only one For this a second parameter with IP address is added that marks the included end of the block When setting the block take care that it is included completely in the subnet set by the subnet mask Only the first IP address has to be considered a full fledged one All the following ones are especially for the IEC 60870 5 101 IEC 60870 5 104 conve...

Page 32: ...and less important connections may be delayed Higher values for priority are better lower probability of loss than low ones Control station DSL 1 Mbps DSL 2 Mbps Ethernet Priority 4 Priority 6 Priority 0 Priority 2 RTU RTU Figure 7 Priorities for data traffic in the network with QoS To avoid that certain services get compromised their priority is set to a higher level In this example the telecontr...

Page 33: ...gured example set switch port1 cos 0 7 and on the other hand the port has to configured in such a way that possibly existing tags are not used to determine the priority but the set CoS example set switch port1 trust none If QoS is to be used without VLANs then the IEEE 802 1p tag has to be activated explicitly for that port priority tagging Otherwise the packets are forwarded without tag Example s...

Page 34: ...ill picture H 264 approx 440 kbps 1 7 Mbps Moving picture MPEG 4 app 735 kbps 2 4 Mbps IP camera VGA 25 pictures per s MJPEG app 8 8 Mbps 12 1 Mbps IEC 60870 5 104 TCP IP Appr 64 kbps Table 12 Estimation of bandwidth requirement When limiting the rate limiting only to certain frame type then the rate limiting can be used as broadcast storm control Limit mode Effect all The rate of all frames is li...

Page 35: ... table can be displayed via the command line interface CLI ant the Web interface The alarm table can also be evaluated with SNMP refer to Chapter 2 27 3 Vendor Specific Device MIB and Chapter 2 27 4 Trap Server and Traps Alarm Stage Enabled as default value Config urable Reason Command Speed mis match Warning Yes Yes Negotiated data rate does not match set data rate set switch fo1 fo2 no warn dupl...

Page 36: ...otready SSH server not ready Alarm Yes Yes Alarm if no session is ready for a connec tion set system ssh no alarm ifnotready SFP is not inserted Information Yes No Shows that a link has been activated but no SFP is plugged in Internal switch uplink down Alarm Yes No Internal hardware error condition SHDSL encapsu lation mis match Alarm Yes No Incompatible SHDSL settings Internal switch inter conne...

Page 37: ... 802 3 compliant interfaces capable of Fast Ethernet auto negotiation auto sense and flow control designed as RJ 45 plugs 8P8C see EDS500 Manual Part 1 Ethernet interfaces Port1 Port4 They support 100Base TX and 10Base T The default value for speed is auto Nway Therefore usually no special configuration of the Ethernet connection settings is necessary Still the following settings can be configured...

Page 38: ...Fo2 WARNING Only transceivers up to laser class 1 according to EN 60825 1 are allowed to be used for the SFP interfaces The plug for the optical fibres is of the type Duplex LC IEC 61754 20 TIA604 10 A The supported transmission rate is fixed to 100 Mbps The default value for duplex is full The settings can be modified with set switch fo1 duplex half and set switch fo2 duplex half The default valu...

Page 39: ...ompact devices X3 X4 show the specification of the interfaces and give advice on the electrical installation The default value for all DSL interfaces is shutdown Using the default config refer to Chapter 2 4 5 Default Configuration and Reset of a Device grants simple connectivity and sets the interface Admin State up to this value no shutdown On shipping the interface dsl1 is set to master mode an...

Page 40: ...SL interfaces is shutdown Connection process 1 A suitably DSL counterpart is discovered 2 The connection properties are negotiated DSL Activity LED flashes for up to a minute DSL Link LED is off 3 Link established successfully DSL Link LED lit permanently DSL Activity LED flashes to indicate payload traffic 4 Link not established successfully Negotiation phase newly starts For details on LEDs see ...

Page 41: ...ction with fixed data rates on both sides Data rates of up to 5696 kbps are compliant to ITU T Standard G 991 2 or G 991 2 Annex F respectively Rates beyond this use a proprietary technique 2 15 3 2 One Side with a fixed Data Rate the other with Auto Negotiation Data rate at the local side Data rate at the remote side SHDSL Standard 192 256 512 768 1024 1280 1536 1792 2048 or 2304 kbps auto ITU T ...

Page 42: ...a perhaps only temporary interruption The error rate of DSL interfaces is monitored by the system If it reaches a threshold that is dynamically adapted to the transmission rate then the connection is terminated and re established The threshold can be set with a command Setting Description fast This setting detect a line interruption within a few milliseconds but there is the danger that the connec...

Page 43: ...sulation efm hdlc compatible hdlc enhanced hdlc native 2 15 6 Signal Quality Line Length and Data Rate 2 15 6 1 Signal Quality The signal quality describes the quality of a connection on the receive side as relative signal noise ratio in dB that is based on an absolute signal noise ratio of 30 dB at which a bit error probability of 10 7 occurs The achievable signal quality depends on the impedance...

Page 44: ...wing formula the line length can be estimated Line length l RL 2RT The resistance measured with the Ohm meter is called RL the comparison value from the table is called RT The values in the table describe the typical line resistance per kilometre at a given line diameter Diameter mm Resistance RT ohms km Diameter mm Resistance RT ohms km Alu minium wire 0 4 137 7 210 9 0 6 61 2 93 7 0 8 34 4 52 7 ...

Page 45: ...ce dsl2 can be used It shows information on the link quality and frame statistics Example of the display of DSL interfaces switch sh int dsl1 show interface dsl1 DSL interface 1 is up line protocol is up took 0 days 00 01 02 DSL mode is set to master encapsulation is hdlc enhanced Interface speed is 1024 kbps Incoming QoS tag is trusted Priority is based on 802 1p tag cos is set to 0 if no tag fou...

Page 46: ...Comments on the example of the display of DSL interfaces Commands to show information and frame statistics of DSL interfaces show interface backup group1 channel0 console0 console1 dsl1 dsl2 fastethernet0 tunnel0 show interface channel0 dsl1 dsl2 fastethernet0 tunnel0 frame counters clear interface channel0 counters 2 15 7 2 Interferences and Cable Faults The signal quality allows conclusions abou...

Page 47: ...f the left side shows a lower share in interference than the already strongly dampened transmit signal of the right side That is why the signal quality on the left receive side is worse than on the right side In this case the signal quality on the errored side is worse Disturbance Signal Source Signal Source Disturbance Cross talk 200 mV 2 km 20 of the signal level Result 8 km 20 of the signal lev...

Page 48: ... due to one sided cable fault The already dampened transmit signal on the right side is attenuated further with the already existing interferences while payload signal and interference are attenuated by the same amount and the signal to noise ratio stays almost the same The strong transmit signal on the left side is dampened strongly by the cable fault and collects more interferences in the course...

Page 49: ...But this does not contribute to increase the channel0 data rate Only reliability against failure is there ADVICE If a DSL interface that is part of a channel bundling gets connected to a counterpart that is not part of the channel bundling the alarm Link aggregation mismatch will occur In this state the function of Spanning Tree is not guaranteed and the network is in a potentially incoherent stat...

Page 50: ...e g side A fo1 with side B fo1 and side A fo2 with side B fo2 ADVICE As the switch over is triggered by the link state Link Fault Pass Through LFPT has to be activated if a media converter is used at the Ethernet ports 1 4 2 18 Layer 2 Tunnel The layer 2 tunnel protocol L2TP can be used to connect physically not directly connected network nodes on the layer 2 of the OSI layer model The data traffi...

Page 51: ...s one or more trunk VLANs tagged where all of them are not associated with the local or remote IP address Then the tunnel interface has to be activated Default configuration In default configuration L2TP is disabled Commands related to the layer 2 tunnel function set interface tunnel role set interface tunnel source ip set interface tunnel0 trunk vlan 1 4094 all set interface tunnel0 destination i...

Page 52: ...ort3 port4 tunnel0 ADVICE With deactivated spanning tree protocol loops in the network topology will lead to packet storms undefined behaviour and consequently network failure ADVICE A deactivated apnning tree protocol can not be reset with a global command Example 1 set stp no enable port1 causes that for Port 1 STP stays deactivated even after command set stp enable Example 2 set stp no enable c...

Page 53: ...g Tree Port Roles and States The result of a Spanning Tree calculation are port roles and states that are summarized in a list When using version MSTP each additional MST instance MSTI 1 4094 has individual port roles and states that can deviate from those for CIST Common and Internal Spanning Tree Commands to display the spanning tree port roles and states show stp port roles show stp msti 1 4094...

Page 54: ...anning tree timer values set stp forwarddelay 4 30 set stp holdcount 1 10 set stp maxage 6 40 set stp maxhops 6 40 To grant the interoperability to older IEEE 802 1D versions it should be considered when setting forward delay and maxage that the following applies 2 forwarddelay 1 maxage Timer value Range Default value forwarddelay 4 30 15 holdcount 1 10 6 maxage 6 40 20 maxhops 6 40 20 Table 23 Va...

Page 55: ...ning tree protocol distinguishes between ports that operate in point to point mode and those that operate in point to multipoint mode any to any shared In point to point mode STP BPDUs can only be received from exactly one other bridge For ports in shared mode longer transition periods have to be endured as first of all several potential bridges have to reach a consent This may lead to unnecessary...

Page 56: ...gration check set stp migration check all interfaces set stp migration check backup group1 channel0 dsl1 dsl2 fastethernet0 fo1 fo2 port1 port2 port3 port4 tunnel0 2 19 13 Configuration of Multiple Spanning Tree Parameters There are further parameters for operation in the version MSTP MST configuration name MST configuration revision VLAN to MSTI assignment MST configuration hash value Devices bel...

Page 57: ...nt to point mode This is particularly advisable for optical fibre rings example set stp point to point fo1 The default value for Ethernet ports optical fibres as well as copper is no point to point If for redundant paths particular ports should get priority then the port priority should be set accordingly The port cost should not be adapted or if only to a small extent as these values get summed u...

Page 58: ...e interface generates a test pattern that is sent continuously With the com mand line interface CLI it can be monitored whether the interface receives the test pattern correctly or whether the link is interrupted Loopback loopback The interface returns all received data immediately Table 25 Operating modes Commands to configure the operation mode of the serial interface set interface console0 cons...

Page 59: ...automatic logout or disable for the view mode The default value for the automatic termination in operation mode configuration after inactivity is 600 seconds The default value for the automatic termination of the view mode is 1200 seconds The view mode can only be terminated automatically if a login password has been set Setting the idle logout time to zero disables the automatic logout Commands t...

Page 60: ...cols and applications This means that modern internet technology can be used simultaneously with established legacy technology Possible applications include RTU communication Remote Terminal Units AMR Automated Meter Reading SPS applications a m m The communication technology can be updated in a migration scenario without the need to replace the hardware or configuration of the remote terminal uni...

Page 61: ... Figure 20 Step by step replacement of serial transmission devices and temporary preservation of the previous remote control configuration In addition to the use for remote control protocols there are many more application options feasible for a serial tunnel e g the access to a remote serial management interface or the transport of more or less any slow digital signals Chapter 2 21 2 Serial Proto...

Page 62: ...on the extent and type of the network Layer 2 switched vs Layer 3 routed various logical topologies can be realized Topology Description Point to Point A serial line is tunnelled through the network Point to Multipoint One participant can communicate with all other participants that in return cannot communicate with each other Typical use case for an existing partyline installation Any to Any All ...

Page 63: ...unnel The default values work for many applications without the need of an enhanced configuration via the serial interface settings refer to Chapter 2 20 2 Transmission Parameters of the Interface and the basic settings of the serial tunnel Tunnel mode IP targets Tunnel Group There are further settings for protocols that react delicately to changes in timing to minimize the effects of the transpor...

Page 64: ...with lead time Caused by jitter in the packet runtimes through the Ethernet IP network as well as different baud rates at the tunnel entrance and exit can cause that a serial telegram arrives at the tunnel exit while the previous telegram is still being sent or the DCD signal is still active e g due to a set DCD delay This causes that the DCD lead time is not applied as the DCD signal is already a...

Page 65: ...external installation a telecontrol device can be realised The IEC 60870 5 104 and 60870 5 101 station addresses and the addresses of the information objects can be chosen freely The default value for the ASDU address is 0 In addition the devices of the EDS500 series can be used for the conversion between IEC 60870 5 101 and IEC 60870 5 104 If a telecontrol network shall be migrated to Ethernet th...

Page 66: ... 5 V max 5 mA 4 1 Single message Console0 DCD output OFF 2 5 5 V ON 2 5 5 V max 5 mA 5 1 Single message Link state interfaces OFF no link ON link from 128 1 Single message Speed interfaces Value in bps 2147483648 value is invalid from 160 7 Bit pattern 32 bit Signal quality inter faces 16 0 dB value 160 8388608 value is invalid from 192 11 Measured value scaled Port state interfaces 0x Port blocke...

Page 67: ... speed Signal quality Port state dsl1 128 160 192 224 dsl2 129 161 193 225 port1 130 162 194 226 port2 131 163 195 227 port3 132 164 196 228 port4 133 165 197 229 console0 134 166 198 230 console1 135 167 199 231 Table 29 Addresses of the interface related information objects for 500NMD02 Interface Link state Link speed Signal quality Port state dsl1 128 160 192 224 port1 129 161 193 225 port2 130...

Page 68: ...e 0 16777215 set iec101 iec104 interface 1 2 object portstate address 0 16777215 2 22 2 Connection of Signals and Application as RTU For the assignment of the interface Console0 see Chapter 2 20 Serial Interfaces Input RTS and output CTS can be connected to relai contacts refer to Fig 23 Connector alarm relais to connect EDS500 with a potential free contact CTS Console0 Alarm relay RTS 3rd party F...

Page 69: ...onsole0 In normal operation data can also be sent spontaneously over the interface ADVICE The level of the interface signals DCD and CTS is in the negative voltage area in the state off The information object for input RTS of interface Console0 can be operated in the following modes Mode Description switch Switch returns ON OFF ASDU data type 1 A change triggers spontaneous message on counter On c...

Page 70: ... Read Reset 100 Read 0 Table 33 Operation with dependent and independent central offices Independent central offices are configured with so called interfaces Each interface get its own set of information objects own addresses and own time out settings The interfaces are configured with the following commands where n stands for the interface number i e the central office group that shares the objec...

Page 71: ...d IEC 60870 5 104 use different timeout times to control the establishment of a connection acknowledment and retransmission These are typically used system wide central office and all remote control units and do not have to be modified if the values are accepted that are suggested by the standard For time parameters and default values refer to Tab 34 Time monitor counter Commands for configuring t...

Page 72: ...ol data fields the acknowledging behaviour and the station and object addresses Commands to set the addresses an their lengths for IEC 60870 5 101 IEC 60870 5 104 set iec101 iec104 interface 1 2 station address local ASDU address 0 65536 set iec101 iec104 interface 1 2 length station address 1 2 set iec101 iec104 interface 1 2 length objectaddress 1 3 set iec101 iec104 interface 1 2 object structu...

Page 73: ...on 3 RS 232 1200 Baud FSK 1200 Baud RS 232 RTU RTU RTU FSK Figure 25 Step by step replacement of communications technology Commands for configuring IEC 60870 5 101 IEC 60870 5 104 protocol conversion set iec101 iec104 interface 1 2 convert to iec101 iec104 interface 1 2 set system ip start IP address end IP address set interface vlan 1 4094 ip address start ip address end ip address subnet mask se...

Page 74: ...cation layer protocol control information APCI for IEC 60870 5 104 For IEC 60870 5 101 these are part of the frame format FT 1 2 The format of the application data is almost identical for both protocols and is called service data unit of the application layer ASDU The protocol control information is fundamentally different for both protocols While IEC 60870 5 104 supports polling mode also called ...

Page 75: ... 60870 5 104 always uses two bytes The type id describes the structure of the contained information objects Typical information objects are Single point messages Single point commands one bit information Double point messages Double point commands two bis information Bit patterns Measurement data Counter values a m m The information objects are defined differently with and without time stamp The s...

Page 76: ...amination of the current state and the design of a conversion concept that defines the various degrees of freedom for conversion and protocols Type ids IEC 101 IEC 104 Command direc tion control direction Conver sion to IEC 101 type id iec104 convert asdu types Stan dard Command direc tion control direction Conver sion to IEC 101 type id iec104 convert no asdu types 0 UNDEF not used 0 0 1 M_SP_NA_...

Page 77: ...ked stimulations of the protection with time stamp CP24Time2a 18 18 19 M_EP_TC_1 Blocked triggers of the pro tection with time stamp CP24Time2a 19 19 20 M_PS_NA_1 Packed single messages with status indicator 20 20 21 M_ME_ND_1 Measured value standard ized value without quality id 21 21 22 29 TYPE_22 29 Reserved standard range 22 29 22 29 30 M_SP_TB_1 Single message with time stamp CP56Time2a 30 30...

Page 78: ...tamp CP56Time2a 40 40 41 44 TYPE_41 44 Reserved standard range 41 44 41 44 45 C_SC_NA_1 Single command 45 45 46 C_DC_NA_1 Double command 46 46 47 C_RC_NA_1 Level setting command 47 47 48 C_SE_NA_1 Target value setting com mand standardized value 48 48 49 C_SE_NB_1 Target value setting com mand scaled value 49 49 50 C_SE_NC_1 Target value setting com mand floating point with single accuracy 50 50 5...

Page 79: ...range 71 99 71 99 100 C_IC_NA_1 general station polling command 100 100 101 C_CI_NA_1 Counter query command 101 101 102 C_RD_NA_1 Polling command 102 102 103 C_CS_NA_1 Time synchronization com mand 103 103 104 C_TS_NA_1 Check command 104 104 105 C_RP_NA_1 Process reset command 105 105 106 C_CD_NA_1 Command to assess telegram runtime 106 106 107 C_TS_TA_1 Check command with time stamp CP56Time2a 10...

Page 80: ...sec tion acknowledgement 124 124 125 F_SG_NA_1 Section 125 125 126 F_DR_TA_1 Directory 126 126 127 225 TYPE_127 255 Reserved user defined range 127 255 127 255 Table 35 Type conversion in command direction Type ids IEC 101 IEC 104 Message direc tion Monitor direction Conver sion to IEC 104 type id iec104 convert asdu types Stan dard Message direc tion Monitor direction Conver sion to IEC 104 type ...

Page 81: ...11 M_ME_NB_1 Measured value scaled value 11 11 12 M_ME_TB_1 Measured value scaled value with time stamp CP24Time2a 35 12 13 M_ME_NC_1 Measured value floating point with single accuracy 13 13 14 M_ME_TC_1 Measured value floating point with single accu racy and time stamp CP24 Time2a 36 14 15 M_IT_NA_1 Counted values 15 15 16 M_IT_TA_1 Counted values with time stamp CP24Time2a 37 16 17 M_EP_TA_1 Pro...

Page 82: ...tandard ized value with time stamp CP56Time2a 34 34 35 M_ME_TE_1 Measured value scaled value with time stamp CP56Time2a 35 35 36 M_ME_TF_1 Measured value floating point with single accu racy and time stamp CP56 Time2a 36 36 37 M_IT_TB_1 Counted values with time stamp CP56Time2a 37 37 38 M_EP_TD_1 Protection event with time stamp CP56Time2a 38 38 39 M_EP_TE_1 Blocked stimulations of the protection ...

Page 83: ...e2a 59 59 60 C_RC_TA_1 Level setting command with time stamp CP56Time2a 60 60 61 C_SE_TA_1 Level setting command standardized value with time stamp CP56Time2a 61 61 62 C_SE_TB_1 Level setting command scaled value with time stamp CP56Time2a 62 62 63 C_SE_TC_1 Target value setting com mand floating point with single accuracy and time stamp CP56Time2a 63 63 64 C_BO_TA_1 Bit pattern command 32 bit wit...

Page 84: ... 112 112 113 P_AC_NA_1 Parameter for activation 113 113 114 119 TYPE_114 119 Reserved standard range 114 119 114 119 120 F_FR_NA_1 File ready 120 120 121 F_SR_NA_1 Section ready 121 121 122 F_SC_NA_1 Polling directory selection polling section polling 122 122 123 F_LS_NA_1 Last section last segment 123 123 124 F_FA_NA_1 File acknowledgement sec tion acknowledgement 124 124 125 F_SG_NA_1 Section 12...

Page 85: ...ontrol and Device Authentication with IEEE 802 1X The IEEE 802 1X standard offers the possibility to apply an access protection for physical ports in the LAN A device Supplicant connected to an EDS500 managed switches Authenticator is granted network access only after a successful authentication The Authenticator in this case the EDS500 device does not perform the actual authentication but instead...

Page 86: ...decimal digits all uppercase and sep arated by hyphens 30 B2 16 00 2F 3A Table 37 Configuration of the RADIUS server for a Supplicant with MAB Commands to related 802 1X set dot1x no enable set dot1x portcontrol fastethernet0 fo1 fo2 port1 port2 port3 port4 auth force pae auto unauth force set dot1x mab port1 port2 port3 port4 no enable set dot1x reauthentication port down no allow show dot1x ADVI...

Page 87: ... access list 1 16 deny rule permit rule 1 16 ip destination source IP address subnet mask access list mac access list 1 16 deny rule permit rule 1 16 mac destination source aa bb cc dd ee ff aabb ccdd eeff aabbccddeeff access list protocol access list 1 16 deny rule permit rule 1 16 protocol tcp udp icmp 0 255 access list tcp dst port access list 1 16 deny rule permit rule 1 16 tcp dst port 0 6553...

Page 88: ...otocol ID as a number 0 to 255 or as a keyword tcp for the Transmission Control protocol udp for the User Datagram protocol icmp for the Internet Control Message protocol The Ethernet frame implicitly has to contain an IP packet to match this criterion Commands to filter for IP follow up protocol access list 1 16 deny rule permit rule 1 16 protocol tcp udp icmp 0 255 2 25 6 Filter for TCP and UDP ...

Page 89: ...out set switch fo1 fo2 acl 1 16 in out set switch port1 port2 port3 port4 acl 1 16 in out set system acl 1 16 in out clear interface channel0 acl 1 16 in out clear interface dsl1 dsl2 acl 1 16 in out clear switch fo1 fo2 acl 1 16 in out clear switch port1 port2 port3 port4 acl 1 16 in out clear system acl in out 2 25 8 Access Lists as Class Map to Qualify QoS of the Data Traffic Access lists can b...

Page 90: ...fo1 fo2 class map clear switch port1 port2 port3 port4 class map 2 26 Syslog and Device Internal Log EDS500 devices store information messages in an internal event storage If there is synchronization with a time server NTP server the time stamp with date and time is used otherwise the current system uptime is used as time stamp The event log can be displayed as follows at the command line interfac...

Page 91: ... read only set system snmp no enable set system snmp version any v3 only show system snmp By default there are no user defined community strings In this case the fallback community strings for read and write access are active Community type Community String Read access Write access Read Community public Yes No Write Community private Yes Yes Table 38 Fallback Community Strings in SNMP agent If at ...

Page 92: ...devices have further device specific objects that are defined in a dedicated vendor proprietary MIB This is called ABB EDS500 MIB and includes definitions of product ids trap ids and object ids OIDs Product IDs Return value for the object sysObjectID 1 3 6 1 2 1 1 2 0 of the MIB 2 group system Object name OID Device name eds500nmd01 1 3 6 1 4 1 21939 1 5 1 500NMD01 eds500nmd02 1 3 6 1 4 1 21939 1 ...

Page 93: ...1 4 1 21939 8 7 System Uptime since last modification of running con fig stickIsPresent 1 3 6 1 4 1 21939 8 8 0 Information whether a config uration stick is plugged in sticknotpresent 0 stickpresent 1 stickIsReadOnly 1 3 6 1 4 1 21939 8 9 0 Information whether a pluggedin configuration stick has been set to read only readwrite 0 readonly 1 readwrite 0 executes com mand set config stick no read on...

Page 94: ... 1 21939 9 1 1 7 0 ASCII text type of the expan sion board if applicable extensionBoardVersion 1 3 6 1 4 1 21939 9 1 1 8 0 Coded version of the expan sion board if applicable powerBoardVersion 1 3 6 1 4 1 21939 9 1 1 9 Coded version of the PSU board if applicable Table 43 Objects of the group abb abbMgmt system version Object name OID Read object Write object sensorDetected 1 3 6 1 4 1 21939 9 1 2...

Page 95: ...4 1 21939 9 1 3 2 0 Device start unknown 0 coldstart 1 warmstarthardware 2 warmstartsoftware 4 watchdog 8 Table 45 Objects of the group abb abbMgmt system information Object name OID Read object Write object dsaKeyFingerprint 1 3 6 1 4 1 21939 9 1 4 1 0 Fingerprint of the DSA system crypto key dsaSessionsReady 1 3 6 1 4 1 21939 9 1 4 2 0 Number of prepared DSA ses sions Table 46 Objects of the gro...

Page 96: ...opytftptodsskey 70 owner 1 3 6 1 4 1 21939 9 1 8 5 0 Information about the origin of the TFTP transmission none 0 console 1 telnet 2 http 4 snmp 8 progBytesTransferred 1 3 6 1 4 1 21939 9 1 8 6 0 Progress in bytes when pro gramming the firmware transferResult 1 3 6 1 4 1 21939 9 1 8 7 0 ASCII text status message of the last TFTP transmission Table 47 Objects of the group abb abbMgmt system tftpCon...

Page 97: ...gured duplex duplexsetbysystem 1 3 6 1 4 1 21939 9 2 2 1 7 x Selected duplex half 0 full 1 duplexnegotiated 1 3 6 1 4 1 21939 9 2 2 1 8 x Effectively negotiated duplex half 0 full 1 duplexmode 1 3 6 1 4 1 21939 9 2 2 1 9 x Mode of duplex manual 0 auto 1 Sets the mode of the duplex adaptProgress 1 3 6 1 4 1 21939 9 2 2 1 10 x Progress of the adapt DSL speed negotiation connectProgress 1 3 6 1 4 1 2...

Page 98: ...ect Write object activeAlarmReason 1 3 6 1 4 1 21939 9 3 2 1 3 x y ASCII text Alarm message activeAlarmLevel 1 3 6 1 4 1 21939 9 3 2 1 4 x y Severity of the alarm levelNone 0 levelWarning 1 levelError 2 activeAlarmTimestamp 1 3 6 1 4 1 21939 9 3 2 1 5 x y System Uptime when the alarm occurred Table 51 Objects of the group abb abbMgmt alarm activeAlarmsTable table index ifIndex alarmId Object name ...

Page 99: ...d Manager setting for traps snmpNotificationPort 1 3 6 1 4 1 21939 9 9 1 1 8 a b c d UDP port for SNMP traps Sets the UDP port for SNMP traps Default value 162 sendSyslogSeverity 1 3 6 1 4 1 21939 9 9 1 1 9 a b c d Bits 0 2 minimum severity for Syslog messages Sets the minimum severity for Syslog messages bits 0 2 Bit 3 activates the sending of Sys log syslogPort 1 3 6 1 4 1 21939 9 9 1 1 10 a b c...

Page 100: ...nserted 12 internalSwitchUplinkDown 13 dslEncapsulationMismatch 14 internalSwitchInterconnectDown 15 ethernetRemoteFault 16 monitorUp 17 monitorDown Table 56 alarmID 2 27 4 Trap Server and Traps For the report of spontaneous events EDS500 devices support SNMP trap messages Traps can be sent in the SNMPv1 format or SNMPv2c format depending on the settings The traps are sent to the configured trap s...

Page 101: ...fAdminSta tus ifOperStatus Generic Trap ID linkUp 3 Trap OID 1 3 6 1 6 3 1 1 5 4 newRoot Reports that this device has become root in a spanning tree Generic Trap ID spe cific 6 Specific Trap ID 1 Enterprise OID 1 3 6 1 2 1 17 Trap OID 1 3 6 1 2 1 17 0 1 topologyChange Reports that for this device a change in the spanning tree topol ogy has occurred Generic Trap ID spe cific 6 Specific Trap ID 2 En...

Page 102: ...onization with the time server should fail a new attempt is started every minute The default value for all further synchronizations with the time server after the first successful synchronization is 24 hrs The interval between two synchronizations can be set by a command Commands for SNTP set system sntp server IP address clear system sntp server IP address set system sntp timezone cet set system ...

Page 103: ...ow monitor 2 30 State Dependencies EDS500 devices offer the option to bind certain settings to certain conditions e g the link state of another interface Link Fault Pass Through LFPT or to a monitor refer to Chapter 2 29 Monitor Further settings for dependencies deal with the selection of the source VLAN for system services and serial tunnelling Commands to configure state dependencies set switch ...

Page 104: ... is no routing to or from VLAN interfaces that do not have this property These can only be reached in their own VLAN Display of IP address overview show interface ip address Interface Summary Interface vlan 10 vlan 20 IP Address 10 0 0 11 8 20 0 0 10 29 IP Gateway Admin State up up Link State up down Commands to configure routing with VLAN interfaces set interface vlan 1 4094 routing set interface...

Page 105: ...dynamic routes set interface vlan 1 4094 rip metric offset 0 255 set router auto summarization advanced normal off show ip route 2 31 3 Configure Routing Protocol RIP The Routing Information Protocol RIP is a distance vector routing protocol that automatically synchronizes the routing tables of connected routers EDS500 devices support RIP in the versions 1 and 2 including split horizon and trigger...

Page 106: ... Layer 3 networks The gateways can be set up redundantly when using VRRP by grouping several physical routers to one logical router This logical router uses a virtual MAC address and a virtual IP address that is transferred in no more than three seconds from the master router to the backup router hot standby in case of an error Router IP x y z 2 VRRP IP x y z 1 Router IP x y z 3 VRRP IP x y z 1 Ro...

Page 107: ...e name port name and management addresses are exchanged This information can be displayed and controlled with the following commands and can be used to catalogue the topology and detect faulty configurations The information can also be queried via the SNMP LLDP MIB Commands for LLDP show neighbor show neighbor summary show neighbor show cdp neighbor set system lldp enable set system lldp no enable...

Page 108: ...ctly in the browser Select the firmware image on the local computer Click on the Upgrade to start the process Upload with the help of a TFTP server 1 Enter the IP address of the TFTP server the name of the firmware image Click on the Upgrade to start the process 2 Either click on Reload to start the updated firmware immediately 3 Or carry out the new start of the device at a later time 2 34 3 Upda...

Page 109: ... reduce the time for establishing a connection If there are no crypto sessions in the device then encrypted connections can only be established after at least one crypto session has been calculated This status can be monitored with an alarm with the commands set system ssh alarm if notready and set system ssh warn if notready 2 35 2 Generate and Apply Cryptographic Key The program PuTTYgen can be ...

Page 110: ...024 Clicking on button Generate and moving the mouse over the plane key generates the key A process bar gives visual feedback After some time the key is calculated and can be saved refer to Fig 32 PuTTY Key Generator generated key Do not set a password leave empty the field key passphrase ignore later subsequent related warnings The comment field Key comment also has to be empty 110 1KGT151021 V00...

Page 111: ...t Figure 33 PuTTY Key Generator key export The generated file has to be transmitted to the device for application You can do this either with the web interface and the menu item System refer to Chapter 2 5 Handling in the Web Interface by transferring the file directly in the web browser or by using a TFTP server or with the command line interface CLI and the use of a TFTP server Commands to apply...

Page 112: ...or certificates external certificates Every combination of device and external keys and certificates have their advantages Device EC key and device certificate default state Device EC key and external certificate CSR External EC key and device certificate External EC key and external certificate CSR or external generated The latter combination allows two possibilities The following chapter describ...

Page 113: ...er some companies need to use their own keys and this is supported by the EDS500 managed switches How to upload keys to the device is described in the next chapter At this point it should be mentioned that the key especially the private part must never be transmitted over an insecure connection This should also be avoided over supposedly secure connections ADVICE Private keys must be protected aga...

Page 114: ...l reasons it may be necessary to use CA signed certificates e g security guideline handling External certificates can be created in two ways Via a certificate signig request CSR or via an external program via external program only if private key exists externally In the case of the CSR method a csr file is downloaded from the device This file is signed with a CA and results in a device specific cr...

Page 115: ...e must be integrated in the browser EC key upload is a security risk Device EC key and CA signed certificate CSR Browser needs only one high level certificate Automation possible External EC key and CA signed certificate CSR Browser needs only one high level certificate Time consuming setup of the device EC key upload is a security risk External EC key and CA signed certificate external generated ...

Page 116: ... CA crt Cer ficate external upload Cer ficate signing request download EC key device EC key external Key PEM format upload d External EC key CSR and external CA signed cer ficate EC key external EC key device Cer ficate device self signed EDS500 csr signed by CA crt Cer ficate external upload Cer ficate signing request download c Device EC key CSR and external CA signed cer ficate Figure 36 Device key c ...

Page 117: ... entry point for the certificate up and download and the EC key upload This link can be found under the menu item Administration Due to the sensible information in the Crypto file up and download the following notice has to be considered 2 36 3 1 XCA Tool The XCA tool is a third party open source software Copyright C Christian Hohnstaedt It is intended for creating and managing X 509 certificates ...

Page 118: ...2 Generate CA Certificates CA certificates can be purchased from an authentication authority as well as created by yourself This chapter describes how to create a CA certificate yourself CA certificates are mandatory for the use of non self signed certificates 118 1KGT151021 V000 1 ...

Page 119: ...Functions Certificate Management Create new database 1 First a data base has to be created 2 This data base is protected by password 1KGT151021 V000 1 119 ...

Page 120: ...s and choose New Certificate 2 Set the Source like in picture Select default CA 3 To generate a CA certificate the tab Extensions has to be selected Change Type to to Certification Authority In this tab validity period for this certificate can be defined 120 1KGT151021 V000 1 ...

Page 121: ...Functions Certificate Management 4 In tab Subject a Key for this certificate has to be generated 5 In this example we generate an RSA 2048 bit key 1KGT151021 V000 1 121 ...

Page 122: ... Functions 6 After creating the key you should get the following confirmation 7 Switch back to the tab Subject and select the created key 8 After clicking on OK you should get the following confirmation 122 1KGT151021 V000 1 ...

Page 123: ... 2 36 3 3 Generate External Certificates CRT For using of external certificates the EDS500 managed switches provides CSR Certificates Signing Request function This chapter describes how to use the CSR function Download CSR file 1 First of all go to web server of the EDS500 managed switches and chose Encryption in the left Administration menu 1KGT151021 V000 1 123 ...

Page 124: ...the bottom of the page and download the Crypto certificate signing request web download Create CA signed certificate Start the XCA tool with the listed CA certificate how this can be done is described in the previous chapter 124 1KGT151021 V000 1 ...

Page 125: ...age confirms the successful import 3 Select the tab Certificate signing request Right mouse click on the imported CSR and select Sign 4 A new window will open Go to tab Source and make sure that Use this Certificate for signing is selected Choose the CA certificate from the drop down list 1KGT151021 V000 1 125 ...

Page 126: ...tions 5 Go to tab Extensions Select End Entity under Basic Constraints and enter Not before and Time range in the Group Validity Chose Time range according your company security policies Then confirm with OK 126 1KGT151021 V000 1 ...

Page 127: ... certificate will listed as a branch of the CA certificate in the certificates overview Select the certificate and click on Export of the right side 8 Choose PEM crt as Export Format and click on OK An external certificate has been created and is ready for upload to the EDS500 managed switches 1KGT151021 V000 1 127 ...

Page 128: ...managed switches and chose Encryption in the left Administration menu Click on Browse under Crypto certificate web upload select your created certificate and click on upload 2 A successful upload of a valid certificate will be confirmed by the following website 128 1KGT151021 V000 1 ...

Page 129: ...ificate or a CSR file based by the EDS500 managed switches In addition a certificate can also be created without the EDS500 managed switches by using the XCA Tool This option is described at the end of this chapter Create the EC Key 1 Start the XCA Tool and select New Key in the tab Private Keys 2 A dialog box opens Select EC as Keytype and prime256v1 X9 62 SECG curve over a 256 bit prime field as...

Page 130: ...Key has been created and is ready for upload to the EDS500 managed switches Upload EC Key 1 Go to web server of the EDS500 managed switches and chose Encryption in the left Administration menu Click on Browse under Crypto key web upload select your created key and click on upload 130 1KGT151021 V000 1 ...

Page 131: ...om the EDS500 managed switches web server and integrate it into the browser The Generatioin of the self signed certificate will be done by the EDS500 managed switches automatically after upload of the EC key Upload EC Key see Upload EC Key page 130 Browser integration of self signed certificates For Firefox integration see Integration of self signed and CA signed certificates into Mozilla Firefox ...

Page 132: ...ificate are compatible to each other Upload EC key see Upload EC Key page 130 Generate external certificate with CRT see Generate External Certificates CRT page 123 Browser integration of CA signed certificates For Firefox integration see Integration of self signed and CA signed certificates into Mozilla Firefox For Internet Explorer Edge or Chrome see Integration of self signed and CA signed cert...

Page 133: ...Functions Certificate Management 2 Go to tab Certificates and click on New Certificate 3 A message confirms the successful import 1KGT151021 V000 1 133 ...

Page 134: ...Certificate Management Functions 4 Go to tab Subject Type the internal Name the commonName and choose the EC Key in the drop down list 5 Then confirm with OK 134 1KGT151021 V000 1 ...

Page 135: ... been created and is ready for upload to the EDS500 managed switches Upload CRT file 1 Go to web server of the EDS500 managed switches and chose Encryption in the left Administration menu Click on Browse under Crypto certificate web upload select your created certificate and click on upload 2 A successful upload of a valid certificate will be confirmed by the following website 1KGT151021 V000 1 13...

Page 136: ...S Internet Explorer Edge and Google Chrome Integration of CA certificates into MS Internet Explorer Edge and Google Chrome The usage of the device EC key and the device certificate self signed is the easiest way for a HTTPS connection However the certificate of each individual device must be downloaded and integrated into the browser That can be very complex when managing a large number of devices...

Page 137: ...Functions Certificate Management 2 Select Privacy Security from the menu and click on View Certificates 3 Go to tab Servers and click on Add Exception 1KGT151021 V000 1 137 ...

Page 138: ...anagement Functions 4 Write https and the IP address of the device under Location and click on Get Certificate 5 Select Permanently store this exception and click on Confirm Security Exception 138 1KGT151021 V000 1 ...

Page 139: ... listed in the certificate manager Integration of CA certificates into Mozilla Firefox This section describes how to import a CA certificate into Firefox Import CA certificates 1 Open Firefox press ALT for opening extra menu and select Options 1KGT151021 V000 1 139 ...

Page 140: ...Certificate Management Functions 2 Select Privacy Security from the menu and click on View Certificates 3 Go to tab Authorities and click on Import 140 1KGT151021 V000 1 ...

Page 141: ...the CA certificate with p7b extension and confirm with Open 5 A dialog window opens Select there Trust this CA to identify websites and confirm with OK 6 The imported certificate should be listed in the certificate manager 1KGT151021 V000 1 141 ...

Page 142: ...scribes how to import a self signed and CA signed certificate into MS Internet Explorer Edge and Google Chrome Import self signed and CA signed certificates 1 Open the web interface of the EDS500 managed switches and select Encrytion in the Administration menu 2 Scroll to the bottom of the page and download the Crypto certificate 142 1KGT151021 V000 1 ...

Page 143: ... write certmgr msc in the Open field and click on OK 5 After the certificate manager is open click on the small triangle infront of Trust Root Certification Authorities A sub folder Certificate will opens Right click on the Certificate sub folder opens the context menu Chose All Task and Import from the context menu 6 The Certificate Import Wizard opens Click on Next 1KGT151021 V000 1 143 ...

Page 144: ...Certificate Management Functions 7 Chose X 509 Certificate cer crt select the certificate to be used and click on Open 8 Confirm with a click on Next 144 1KGT151021 V000 1 ...

Page 145: ...unctions Certificate Management 9 Make sure that the certificates are stored in Trusted Root Certification Authorities and click on Next 10 Complete the import by clicking on Finish 1KGT151021 V000 1 145 ...

Page 146: ... on OK to close the wizard 12 The new certificate should now be listed in the certificate manager Integration of CA certificates into MS Internet Explorer Edge and Google Chrome This section describes how to import a CA certificate into MS Internet Explorer Edge and Google Chrome 146 1KGT151021 V000 1 ...

Page 147: ...ield and click on OK 2 After the certificate manager is open click on the small triangle infront of Trust Root Certification Authorities A sub folder Certificate will opens Right click on the Certificate sub folder opens the context menu Chose All Task and Import from the context menu 3 The Certificate Import Wizard opens Click on Next 1KGT151021 V000 1 147 ...

Page 148: ...Certificate Management Functions 4 Chose PKCS 7 Certificates spc p7b select the CA certificate to be used and click on Open 5 Confirm with a click on Next 148 1KGT151021 V000 1 ...

Page 149: ...unctions Certificate Management 6 Make sure that the certificates are stored in Trusted Root Certification Authorities and click on Next 7 Complete the import by clicking on Finish 1KGT151021 V000 1 149 ...

Page 150: ...Certificate Management Functions 8 A Security Warning will open Click on Yes to confirm 9 The import was successful if the following message appears Click on OK to close the wizard 150 1KGT151021 V000 1 ...

Page 151: ...Functions Certificate Management 10 The new certificate should now be listed in the certificate manager 1KGT151021 V000 1 151 ...

Page 152: ...Certificate Management Functions 152 1KGT151021 V000 1 ...

Page 153: ...ol IEC International Electrotechnical Commission IEEE Institute of Electrical and Electronics Engineers ITU T International Telecommunication Union Section Telecommuni cation Standardization kbps kbits per second L2TP Layer 2 Tunneling Protocol LAN Local Area Network LED Light Emitting Diode LLDP Link Layer Discovery Protocol according to IEEE 802 1AB MAX Maximum Mbps MBit per second MIB Managemen...

Page 154: ...SFP Small Form factor Pluggable SHDSL Single Pair High Speed Digital Subscriber Line SNMP Simple Network Management Protocol SNTP Simple Network Time Protocol according to RFC 4330 SPS Programmable Logic Control Speicherprogrammierbare Steuerung SSH Secure Shell STP Spanning Tree Protocol TCP IP Transmission Control Protocol Internet Protocol TFTP Trivial File Transfer Protocol Tx Transmit Directi...

Page 155: ...1KGT151021 V000 1 155 ...

Page 156: ...nterface against any kind of security breaches unauthorized access interference intrusion leakage and or theft of data or information ABB AG is not liable for any damages and or losses related to such security breaches any unauthorized access interference intrusion leakage and or theft of data or information ABB AG shall be under no warranty whatsoever whether express or implied and assumes no res...