ABB EDS500 Series Function Manual

Ethernet & dsl switches

Hide thumbs Also See for EDS500 Series:

Manual (46 pages)

Operating instruction (7 pages)

Operating instructions manual (6 pages)

Table Of Contents

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

page of 156

/ 156
Contents
Table of Contents
Bookmarks

Table of Contents

Quick Links

Summary of Contents for ABB EDS500 Series

Page 1 Power Grids Power Grids EDS500 series - Ethernet & DSL switches EDS500 series - Ethernet & DSL switches Part 2: Functions Part 2: Functions Manual Release 2 Manual Release 2...
Page 2 Revision Revision Document identity: 1KGT151021 V000 1 Revision: Date: Changes: 08/2019 Initial version 1KGT151021 V000 1...
Page 3: Table Of Contents
Contents Contents Introduction..........................7 About the Manual EDS500 series - Ethernet & DSL switches........7 References..........................7 Functions..........................9 Configuration Methods.......................9 2.1.1 Configuration via the Serial Interface............9 2.1.2 Configuration via the IP Network..............9 2.1.3 Configuration via Telnet.................. 10 2.1.4 Configuration via SSH..................10 2.1.5...
Page 4 Contents 2.8.2 VLAN Properties....................28 Configuration of IP Addresses..................29 2.9.1 IP Address......................29 2.9.2 Configuration of the System IP Address............. 29 2.9.3 Configuration of VLAN IP Addresses............30 2.9.4 Configuration of Unnumbered Interfaces........... 30 2.9.5 Configuration of an IP Address Block for IEC 60870-5-101, IEC 60870-5-104 Conversion..................
Page 5 Contents 2.21.2 Serial Protocols and Sampling Operation........... 62 2.21.3 Topologies and Transmission settings............62 2.21.4 Enhanced Parameters of the Serial Tunnel..........63 2.21.5 Query the Status of the Serial Tunnel............65 2.22 IEC 60870-5-101 and IEC 60870-5-104................65 2.22.1 Addresses of the EDS500 Device Information Objects......65 2.22.2 Connection of Signals and Application as RTU..........68 2.22.3...
Page 6 Contents 2.35 Cryphographic Key......................108 2.35.1 Device Specific Cryptographic Key.............108 2.35.2 Generate and Apply Cryptographic Key.............109 2.36 Certificate Management....................112 2.36.1 Host Key Type....................112 2.36.2 Combination of Key and Certificate............112 2.36.3 Step-by-Step Instructions................117 Glossary..........................153 1KGT151021 V000 1...
Page 7: Introduction
Description of the functions 1KGT151018 Part 3: Command reference Description of the command line interface Table 1: Parts of the Manual EDS500 series - Ethernet & DSL switches References Individual Ident EDS500 series Individual hardware data sheets of all Hardware data...
Page 8 References Introduction 1KGT151021 V000 1...
Page 9: Functions
2.1.1 Configuration via the Serial Interface EDS500 series devices can be configured via the serial interface console0 or (if available) console1 if these are in operation mode "configuration". With a configuration cable (500CAB03, 1KGT038909) the device can be connected to the serial interface of a PC.
Page 10: Configuration Via Telnet
Configuration Methods Functions IP Setting Parameter IP Address 10.0.0.2 Subnet mask 255.0.0.0 Gateway IP address 10.0.0.1 Table 2: Default values for IP For further configuration you should first check the network connectivity e.g. with ICMP echo request (“ping”). Use the device IP address as target address. 2.1.3 Configuration via Telnet With the help of a Telnet client program the managment console can be accessed.
Page 11: Configuration Via The Web Interface
Functions Configuration Methods Parameter Loginmode password Loginmode radius User name RADIUS user User password Login password RADIUS password Table 4: Login with SSH After successful login the SSH connection offers access to the command line interface (CLI) (handling see Chapter 2.2, "Handling of the Command Line Interface (CLI)"). Establishing a connection via SSH can take a few seconds as the encryption has to be negotiated.
Page 12: Configuration Via Configuration Stick
2.1.8 Configuration via Configuration Stick If you plug in a configuration stick at the EXT plug during booting an EDS500 series device, then that configuration is used (refer to Chapter 2.4, "Loading and Saving a Configuration"). This enables e.g. a fast exchange of a faulty device when the configuration stick is plugged into the replacement device.
Page 13: Show Commands For Current Hierarchy Level
Functions Handling of the Command Line Interface (CLI) Help text after incomplete input of a command s w i t c h > p i n g < p i n g * > U s a g e : p i n g [ - a r p ] { I P a d d r e s s } s w i t c h >...
Page 14: Shortcuts To Input Commands Quicker
Handling of the Command Line Interface (CLI) Functions 2.2.4 Shortcuts to Input Commands Quicker EDS500 devices accept abbreviated input of commands as soon as they are unambiguous. Not all keywords have to be typed in the full extent. Concatenated input of commands s w i t c h >...
Page 15 Functions Handling of the Command Line Interface (CLI) scheme (refer to Chapter 2.3, "User Authentication") a login name and/or a login password have to be entered. In operation mode configuration all system parameters can be shown and all commands for system configuration can be executed.
Page 16: Event Messages And Status Messages At The Management Console
Handling of the Command Line Interface (CLI) Functions 2.2.7 Event Messages and Status Messages at the Management Console Event and status messages and processes like changes of interfaces, user login events and changes of the system states are stored in an internal memory, refer to Chapter 2.26, "Syslog and Device Internal Log".
Page 17: Login Mode Radius
Functions User Authentication A D V I C E Danger of an unreachable system due to different character encoding. When accessing the system the code page used by the accessing program has to be ISO 8859-15 (Latin-9). Due to different character encoding of diacritical characters on login, different code pages may lead to falsely interpreted and, hence, invalid passwords.
Page 18: Loading And Saving A Configuration
Loading and Saving a Configuration Functions Commands to set the automatic logout / disable < s e t i n t e r f a c e { c o n s o l e . . . } i d l e - l o g o u t { . . . } > <...
Page 19: Power-Up, Configuration Stick And Modifications During Runtime
Functions Loading and Saving a Configuration < c o p y r u n n i n g - c o n f i g s t a r t u p - c o n f i g > <...
Page 20: Transfer, Modification And Archiving Configurations
Loading and Saving a Configuration Functions 2.4.4 Transfer, Modification and Archiving Configurations Configurations cannot only be displayed on the devices but can also be copied over the network as files. Like that, configuration data can be archived (centrally). It is possible to edit configurations at a workstation and then transfer them to the devices. The web interface (refer to "Handling in the Web Interface") gives a comfortable overview.
Page 21: Handling In The Web Interface
Functions Loading and Saving a Configuration Device Settings Value Implicit default value Explicit command Web interface Enabled SNMP Enabled Read-Commu- public nity-String Write-Commu- private nity-String Table 6: Parameters of the default configuration To reset a device to the default values automatically, the following options are available: –...
Page 22 Handling in the Web Interface Functions Default configuration: The Web-Server is activated with the configuration HTTP with redirection to HTTPS. An IP connection between a PC and the device is required for configuration. Enter the IP address of the device into the URL field of the browser to access the web interface.
Page 23 Functions Handling in the Web Interface Figure 4: Web interface of a 500NMD02 Login password Enable password Password input for Password input for view mode configuration mode not configured not configured not possible Empty password not configured Configured Empty password Enable password Configured not configured...
Page 24: Cold Start And Warm Start
Cold Start and Warm Start Functions < s e t s y s t e m w e b - s e r v e r n o e n a b l e > < s e t s y s t e m w e b - s e r v e r p o r t { 1 - 6 5 5 3 6 } > <...
Page 25: Plan Device Warm Start With Command
Functions Cold Start and Warm Start 2.6.3 Plan Device warm Start with Command When modifying the configuration of a remote device it can get into a state in which it cannot be reached any more. To get an automatic reset of the device settings you can use a planned restart. A planned restart resets the device to the startup configuration if the planned restart is not cancelled or a modified configuration has been saved with the command <write>.
Page 26: Display Of The System Description
Host Name and Description Functions The names correspond to the objects in the group “system “ of the SNMP MIB-2. The maximum length is 50 characters. The default value for a description is empty. Commands to set system descriptions < s e t s y s t e m d e s c r i p t i o n { . . . } > <...
Page 27: Assigning Vlans To Interfaces
Functions VLAN Settings Trunk Figure 5: Using VLANs Default configuration: In default configuration VLANs are disabled. 2.8.1 Assigning VLANs to Interfaces The interfaces of the EDS500 devices can transmit Ethernet frames either without 802.1Q VLAN tag (untagged, Access-Port) or with VLAN tag (tagged, Trunk-Port). For this you can select a VLAN id from the range between (including) 1 and 4094.
Page 28: Vlan Properties
VLAN Settings Functions a filter function: only those Ethernet frames are transmitted where the VLAN tag has a VLAN id that is assigned to a secure trunk port. Each secure trunk port can be associated with up to 16 VLAN ids. The VLAN ids do not have to be defined in e.g.
Page 29: Configuration Of Ip Addresses
Functions Configuration of IP Addresses Different VLANs are strictly separated from each other in respect to data traffic. A MAC table contains the assignment between learnt MAC addresses and interfaces. It is possible to assign an individual MAC table to a VLAN. The property mac-table can be set to: –...
Page 30: Configuration Of Vlan Ip Addresses
Configuration of IP Addresses Functions Commands to configure system IP address and gateway < s e t s y s t e m i p { I P a d d r e s s } > < s e t s y s t e m s u b n e t m a s k { s u b n e t m a s k } > <...
Page 31: Configuration Of An Ip Address Block For Iec 60870-5-101, Iec
Functions Configuration of IP Addresses Borrow IP address VLAN 1 VLAN 1 / LAN 192.168.12.1 Borrow IP address VLAN 1 Figure 6: Unnumbered interface Command for configuration of an unnumbered VLAN interface < s e t i n t e r f a c e v l a n { 1 - 4 0 9 4 } i p - a d d r e s s u n n u m b e r e d v l a n { v l a n i d } >...
Page 32 Quality of Service Functions frames are lost but potentially huge delays may arise for all connections so that the use of flow control together with QoS is not recommended. The default value for flow-control is: off. With the use of QoS (Quality of Service) Ethernet frames get a priority. If an overload situation occurs at one place in the network then it is decided under consideration of the IEEE 802.1p tag priority which frames should be preferred and which are discarded.
Page 33: Rate Limiting
Functions Rate Limiting CoS (Class-of-Service) Queue Weighted-Fair priority Table 11: Class-of-Service and queues If any loss of data of the critical services should be avoided at high loads on the bandwidth then the scheduling has to be set to strict i.e. the priority queuing has to be modified. To set the connections for the network infrastructure (when using VLANs then these are the trunk ports) where the IEEE 802.1p priority is considered these ports have to trust the CoS tag (example: <set switch port1 trust cos>).
Page 34 Rate Limiting Functions DSL 1 Mbps Limits: 128 kbps 256 kbps 512 kbps 1024 kbps Limitation 256 kbps 2048 kbps 4096 kbps Limitation 512 kbps 8192 kbps Figure 8: Rate Limiting per port In estimating the bandwidth, already when feeding in the data stream a later overload situation can be avoided in the furthur network.
Page 35: Alarms And Alarm Configuration
Functions Alarms and Alarm Configuration 2.12 Alarms and Alarm Configuration EDS500 devices have an alarm concept to communicate certain error conditions with an alarm relay, LEDs for display or software signalisation. The individual alarms (referring to interfaces or the system) are summarised in the system-wide alarm state. The alarms have three levels of severity.
Page 36 Alarms and Alarm Configuration Functions Alarm Stage Enabled Config- Reason Command urable default value) partners has not set channel bundling. Signal qual- Warning Quality of signal too <set interface {dsl1 ity warn low. | dsl2} sqthresh- threshold old {{threshold} | reached no} [alarm | warn- ing]>...
Page 37: Ethernet Interfaces
Functions Ethernet Interfaces Certain alarms are set in such a way that they can occur during system start (or as a reaction to configuration commands). A list of possible alarms can be displayed with the command <show alarm enabled>. As soon as an alarm condition applies to one of these alarms it is activated and adopted by the system-wide state.
Page 38: Optical Interfaces
Optical Interfaces Functions The current link state of the Ethernet interface can be displayed in an overview. Detailed information about the data traffic that runs over an Ethernet interface is also available and can be requested alternatively via RMON (SNMP). Commands to configure Ethernet interfaces <...
Page 39: Dsl Interfaces
Functions DSL Interfaces < s h o w s w i t c h { f o 1 | f o 2 } > < s h o w s w i t c h { f o 1 | f o 2 } f r a m e - c o u n t e r s > A D V I C E For optical interfaces the alarm 'Ethernet remote fault' means that only one of two optical fibres has a link.
Page 40: Process Of Establishing Connection Between Dsl Interfaces
DSL Interfaces Functions To connect legacy devices of the HYTEC EDS series with actual devices via DSL you have to activate the compatibility mode on both sides, refer to Chapter 2.15.5, "Configuration of Data Encapsulation". For a better identification of a connection in a topology each DSL interface can have a description (alias).
Page 41: Configuration Of The Data Rate
Functions DSL Interfaces The identification plate shows the default value for the operation mode: master, slave or jumper. Commands to configure mode Master or Slave on DSL interfaces < s e t i n t e r f a c e { d s l 1 | d s l 2 } m o d e { j u m p e r | m a s t e r | s l a v e } > A D V I C E Devices with dedicated DSL Master LED signal the current state also optically, refer to EDS500 Manual - Part 1: Display Elements.
Page 42: Termination Of Link In Case Of An Error
DSL Interfaces Functions negotiation that is further away or cannot be reached as easily. Like that in case of an error the option to set the reachable side to a lower data rate to re-establish the line. For an estimation of the achievable data rate at a given distance refer to Chapter 2.15.6, "Signal Quality, Line Length and Data Rate"...
Page 43: Configuration Of Data Encapsulation
Functions DSL Interfaces Commands to configure the connection cut of DSL interfaces < s e t i n t e r f a c e { d s l 1 | d s l 2 } b a d l i n e - d i s c o n n e c t { f a s t | m e d i u m | s l o w } >...
Page 44 DSL Interfaces Functions The default value to trigger the pre-alarm Signal quality warn threshold reached is 1 dB The default value to trigger the alarm Signal quality alarm threshold reached is 0.5 dB For further alarms see Chapter 2.12, "Alarms and Alarm Configuration". Command to modify the alarm behaviour <...
Page 45: Link Analysis
Functions DSL Interfaces [dB] Signal quality (SHDSL.bis) 192 kbps 256 kbps 512 kbps 768 kbps 1024 kbps 1536 kbps 2048 kbps 3072 kbps 4096 kbps 5696 kbps 8192 kbps 10240 kbps 11400 kbps [km] Figure 9: Achievable signal quality in relation to distance 2.15.7 Link Analysis 2.15.7.1...
Page 46 DSL Interfaces Functions Example of the display of DSL interfaces L i n k u p t i m e i s 0 d a y s 2 3 : 4 4 : 5 7 ( 4 t r a n s i t i o n ( s ) t o u p ) S i g n a l q u a l i t y : 2 6 d B L i n e l o s s r a t i o : 0 d B Display...
Page 47 Functions DSL Interfaces Other services Other services SQ: 5 dB SQ: 5 dB Figure 11: Interference due to different service 3 If the service is only transmitted on a section of the cable then the interference is only at this line segment. Other services SQ: 7 dB SQ: 11 dB...
Page 48: Dsl Channel Bundling
DSL Channel Bundling Functions The exact reversal of the error condition exists if one-sided cable faults are present like breaches, hair cracks, shield defects with water intrusion or isolation faults. 1 In this example ordinary operation shows a signal quality of 11 dB on both sides. Interferences spread evenly in the course of the line so that both sides have a symmetrical value for signal quality.
Page 49: Redundancy With A Backup-Group
Functions Redundancy with a Backup-Group The default value activates a weighted algorithm that tries to optimize the load on both DSL channels adapted to the respective transmission rate of both DSL lines. Alternatively, a MAC based distribution algorithm can be set that selects a DSL channel in relation of source and target MAC address.
Page 50: Layer-2-Tunnel
Layer-2-Tunnel Functions Legend: 2-Wire Cu 1 FO 1 2 Ethernet Port 1 3 Ethernet Port 2 DSL 1 4 Ethernet Port 3 5 Ethernet Port 4 SHDSL-Interface Intelligent Switch Backup group 1 (Layer 2 or 3) local LAN Figure 17: Example application backup-group 1: Grouping dsl1 and fo1 Commands to configure the backup-group <...
Page 51: Spanning Tree Protocol
Functions Spanning Tree Protocol Internet Figure 18: DSL line to layer 2 ring with L2TP One device of a L2TP tunnel is configured as L2TP server, the other is configured as L2TP client and establishes a link to the server. Both devices need the local and the remote IP address.
Page 52: Activate, Deactivate, Spanning Tree Protocol Version
Spanning Tree Protocol Functions protocol secures in a transparent way that only one path is active for packet forwarding between two nodes of a layer-2 network segment. Redundant connections are identified and blocked if necessary. 2.19.1 Activate, Deactivate, Spanning Tree Protocol Version The default value for Spanning Tree protocol on all devices is: <set stp enable>...
Page 53: Commands To Display The Spanning Tree Bridge Information
Functions Spanning Tree Protocol 2.19.2 Commands to Display the Spanning Tree Bridge Information Information about the current device is summarized in the bridge information. If MSTP is used operation every MST instance (MSTI, 1-4094) has additionally its own bridge information. Commands to display the spanning tree bridge information <...
Page 54: Configuration Of Spanning Tree Bridge Parameters
Spanning Tree Protocol Functions The devices have to be connected to each other and have to execute MSTP. These parameters can be displayed with a command. Command to display the spanning tree MST settings: < s h o w s t p m s t > 2.19.7 Configuration of Spanning Tree Bridge Parameters The Root Bridge is selected by its hardware address (MAC address), and a priority that can...
Page 55: Spanning Tree Port Cost
Functions Spanning Tree Protocol < s e t s t p m s t i { 1 - 4 0 9 4 } p r i o r i t y { b a c k u p - g r o u p 1 | c h a n n e l 0 | d s l 1 | d s l 2 | f a s t e t h e r n e t 0 | f o 1 | f o 2 | p o r t 1 | p o r t 2 | p o r t 3 | p o r t 4 | t u n n e l 0 } { 0 - 2 4 0 } >...
Page 56: Configuration Of The Spanning Tree Port Edge Setting
Spanning Tree Protocol Functions 2.19.11 Configuration of the Spanning Tree Port Edge Setting A further setting for a fast port switch when the topology is modified is setting the edge property for such ports that are only connected to terminal devices. The auto-edge property takes care that an edge port is automatically detected.
Page 57: 2.19.14 Assigning Vlans To Multiple Spanning Tree Instances
Functions Spanning Tree Protocol 2.19.14 Assigning VLANs to Multiple Spanning Tree Instances VLANs have to be explicitly assigned to MSTIs with a command. The range of valid MSTIDs is 1-4094. Per device up to 4 MSTIs can be defined (with arbitrary MSTID). Initially, all VLANs are assigned to the CIST (Common and Internal Spanning Tree).
Page 58: Usage For Configuration Or As Process Interface
Serial Interfaces Functions • 8N1( 8 data bits, no parity, 1 stop bit) • no flow control 2.20.1 Usage for Configuration or as Process Interface The default value for the serial interfaces is: configuration. The setting configuration allows to access the management console with its command line interface (CLI).
Page 59: Inactivity Detection For The Command Line Interface (Cli)
Functions Serial Interfaces The current state of a serial interface can be displayed in an overview. Detailed information about the data traffic that runs over a serial interface is available and can be requested also via RMON (SNMP). Commands to configure the transmission parameters of the serial interface <...
Page 60: Serial Tunnel
Serial Tunnel Functions < s e t i n t e r f a c e c o n s o l e 0 p h y s i c a l - m o d e r s - 4 8 5 - f u l l > <...
Page 61 Functions Serial Tunnel IEC-101 Control station 1200 Baud RS-232 1200 Baud Station 1 RS-232 1200 Baud Station 2 RS-232 1200 Baud Station 3 IEC-104 IEC-101 Control station RS232 Ethernet RS-232 / Ethernet Station 1 RS-232 / RS-232 Ethernet 1200 Baud Station 2 RS-232 1200 Baud...
Page 62: Serial Protocols And Sampling Operation
Serial Tunnel Functions 2.21.2 Serial Protocols and Sampling Operation In general arbitrary serial UART format based protocols can be transported. The supported remote control protocols are (among others) IEC 60870-5-101, Modbus, RCOM, RP570/RP571 and Hibus-2. Data rates up to 115200 Baud are supported, however the tunnel ends may be configured with different baud rates.
Page 63: Enhanced Parameters Of The Serial Tunnel
Functions Serial Tunnel Tunnel groups can be defined to separate logically different data streams in the same network. Only endpoints with the same tunnel group transmit serial data streams among each other. Up to ten different tunnel groups can be set. There is forward error correction.
Page 64 Serial Tunnel Functions 4 5 6 Sample IP Packet 3 4 5 3 4 5 6 Figure 21: Interruption in the serial data stream The data transmission as a whole has to be delayed to avoid interruptions at the tunnel exit. Like this it is ensured that the following data is already available and can be issued without gap.
Page 65: Query The Status Of The Serial Tunnel
The default value for the ASDU address is 0. In addition the devices of the EDS500 series can be used for the conversion between IEC 60870-5-101 and IEC 60870-5-104. If a telecontrol network shall be migrated to Ethernet then it is typically desired to switch also the telecontrol protocol from IEC 60870-5-101 to IEC 60870-5-104.
Page 66 IEC 60870-5-101 and IEC 60870-5-104 Functions For default values for the addresses of the information objects refer to "Tab. 27: Information objects". Object / Function State / Value range Pre-set object ASDU data type address System – Warning OFF: normal state ON: Warning imminent (Single message) System –...
Page 67 Functions IEC 60870-5-101 and IEC 60870-5-104 Object / Function State / Value range Pre-set object ASDU data type address >= 32768: value is invalid Table 27: Information objects There is a basis address set as default value for each interface related information object. Incremental object addresses result in respect to the existing interfaces of each device.
Page 68: Connection Of Signals And Application As Rtu
IEC 60870-5-101 and IEC 60870-5-104 Functions Interface Link state Link speed Signal quality Port state console0 console1 Table 31: Addresses of the interface related information objects for 500NMD20 Commands to modify pre-set object addresses < s e t { i e c 1 0 1 | i e c 1 0 4 } i n t e r f a c e { 1 | 2 } o b j e c t a l a r m a d d r e s s - b a s e { 0 - 1 6 7 7 7 2 1 5 } >...
Page 69: Concept Of Interface And Polling
Functions IEC 60870-5-101 and IEC 60870-5-104 Optocoupler 3rd party Console0 Figure 24: Connector switch output Suitable optocouplers ideally have a nominal switch value of 3 V or 5 V and a switching current below 5 mA (e.g. Phoenix Contact PLC-BSC-5DC/1/ACT (Art.-No. 2980241) equipped with 5 V / 24 V Optocoupler (Art.-No.
Page 70: Configuration Of An Iec 60870-5-101 Interface
IEC 60870-5-101 and IEC 60870-5-104 Functions Every independent central office operates with its own information objects while central offices that depend on each other share information objects. The addresses (ASDU and Information objects) do not have to be the same between two independent central offices. If a configuration in an independent central office resets a counter then it will not be reset in another independent central office.
Page 71: Configuration Of An Iec 60870-5-104 Interface
Functions IEC 60870-5-101 and IEC 60870-5-104 < c l e a r i e c 1 0 1 i n t e r f a c e { 1 | 2 } a t t a c h { c o n s o l e 0 | c o n s o l e 1 } >...
Page 72: Activating And Deactivating The Iec 60870-5-101 And Iec 60870-5-104 Interfaces
IEC 60870-5-101 and IEC 60870-5-104 Functions Value for (t) Description The default value for IEC 60870-5-104 is: 20 s Table 34: Time monitor counter 2.22.7 Activating and Deactivating the IEC 60870-5-101 and IEC 60870-5-104 Interfaces In order to use IEC 60870-5-101 and IEC 60870-5-104 the corresponding interfaces have to be activated explicitly.
Page 73 Functions IEC 60870-5-101 and IEC 60870-5-104 IEC-101 Control station 1200 Baud RS-232 1200 Baud Station 1 RS-232 1200 Baud Station 2 RS-232 1200 Baud Station 3 IEC-104 Control station Ethernet Ethernet Station 1 Ethernet RS-232 1200 Baud Station 2 RS-232 1200 Baud Station 3 Figure 25: Step-by-step replacement of communications technology...
Page 74: Technological Background Of The Iec 60870-5-101,104 Conversion
IEC 60870-5-101 and IEC 60870-5-104 Functions { l o c a l A S D U a d d r e s s 0 - 6 5 5 3 6 } > < s e t i e c 1 0 4 i n t e r f a c e { 1 | 2 } r e m o t e - s t a t i o n a d d r e s s { s t a t i o n a d d r e s s } i p - a d d r e s s { I P a d d r e s s } >...
Page 75 Functions IEC 60870-5-101 and IEC 60870-5-104 For IEC 60870-5-104 a station is addressed with IP address and TCP port number. There are no protocol specific addresses. TCP sets a point-to-point connection, polling mode does not exist. To test the correct operation of the communications link as well as the readiness for operation of a station, there are test procedure for IEC 60870-5-101 (test function for the link layer, link test) and IEC 60870-5-104 (test APDU, TESTFR, test frame).
Page 76 IEC 60870-5-101 and IEC 60870-5-104 Functions • Forwarding the time information from the telecontrol unit. The information for year, month, day, weekday and hours is set to zero and the original information of minutes and milliseconds is copied from the original time stamp CP24Time2a.
Page 77 Functions IEC 60870-5-101 and IEC 60870-5-104 Type ids IEC-101 / IEC-104 Command Command direc- direc- tion / tion / control control direction direction Conver- Conver- sion to sion to IEC-101 IEC-101 type id type id iec104 iec104 convert convert asdu- no asdu- types types...
Page 78 IEC 60870-5-101 and IEC 60870-5-104 Functions Type ids IEC-101 / IEC-104 Command Command direc- direc- tion / tion / control control direction direction Conver- Conver- sion to sion to IEC-101 IEC-101 type id type id iec104 iec104 convert convert asdu- no asdu- types types...
Page 79 Functions IEC 60870-5-101 and IEC 60870-5-104 Type ids IEC-101 / IEC-104 Command Command direc- direc- tion / tion / control control direction direction Conver- Conver- sion to sion to IEC-101 IEC-101 type id type id iec104 iec104 convert convert asdu- no asdu- types types...
Page 80 IEC 60870-5-101 and IEC 60870-5-104 Functions Type ids IEC-101 / IEC-104 Command Command direc- direc- tion / tion / control control direction direction Conver- Conver- sion to sion to IEC-101 IEC-101 type id type id iec104 iec104 convert convert asdu- no asdu- types types...
Page 81 Functions IEC 60870-5-101 and IEC 60870-5-104 Type ids IEC-101 / IEC-104 Message Message direc- direc- tion / tion / Monitor Monitor direction direction Conver- Conver- sion to sion to IEC-104 IEC-104 type id type id iec104 iec101 convert convert asdu- no asdu- types types...
Page 82 IEC 60870-5-101 and IEC 60870-5-104 Functions Type ids IEC-101 / IEC-104 Message Message direc- direc- tion / tion / Monitor Monitor direction direction Conver- Conver- sion to sion to IEC-104 IEC-104 type id type id iec104 iec101 convert convert asdu- no asdu- types types...
Page 83 Functions IEC 60870-5-101 and IEC 60870-5-104 Type ids IEC-101 / IEC-104 Message Message direc- direc- tion / tion / Monitor Monitor direction direction Conver- Conver- sion to sion to IEC-104 IEC-104 type id type id iec104 iec101 convert convert asdu- no asdu- types types...
Page 84: Radius
RADIUS Functions Type ids IEC-101 / IEC-104 Message Message direc- direc- tion / tion / Monitor Monitor direction direction Conver- Conver- sion to sion to IEC-104 IEC-104 type id type id iec104 iec101 convert convert asdu- no asdu- types types (Stan- dard) C_TS_NA_1...
Page 85: Access Control And Device Authentication With Ieee 802.1X
Functions Access Control and Device Authentication with IEEE 802.1X The user authentication of the EDS500 devices (Chapter 2.3.2, "Login Mode Radius") can use RADIUS to verify the validity of a login with Telnet, SSH or serial connections web interface. Furthermore with the help of RADIUS a port authentication can be carried out according to IEEE 802.1X (Chapter 2.24, "Access Control and Device Authentication with IEEE 802.1X").
Page 86: Access Lists
Access Lists Functions The presence of a RADIUS server in the device config and the fact that this server can be reached over the network is mandatory for the function of 802.1X. The method of access control negotiation must be synchronized between Supplicant and Authentication Server (RADIUS).
Page 87: Filter For Mac Addresses
Functions Access Lists Every access list can contain up to 16 rules. Creating the first rule of an access list determines if this is a deny list or a permit list. Subsequent, deviating commands are ignored. Each rule can define several criterias that all have to match before the action of the rule is executed.
Page 88: Filter For Ethertype
Access Lists Functions 2.25.3 Filter for Ethertype To check the Ethertype field of a frame the parameter can either be set as a number (0x0800 to 0xffff), or as keyword (ip for the Internet protocol (version 4), arp for the Address Resolution Protocol).
Page 89: Access Lists As Class Map To Qualify Qos Of The Data Traffic
Functions Access Lists Depending whether it is a Deny or a Permit list the packets are blocked or forwarded that match the criteria of the Access Control List of the interface. An incoming and outgoing list can also be configured for the system. Like this the security can be enhanced and/or a firewall can be established.
Page 90: Syslog And Device Internal Log
Syslog and Device Internal Log Functions Legend: 2-Wire Cu 1 FO 1 2 Ethernet Port 1 DSL 1 3 Ethernet Port 2 4 Ethernet Port 3 5 Ethernet Port 4 Configuration SHDSL-Interface and Monitoring Intelligent Switch (Layer 2 or 3) local LAN Class Map Figure 28: Class Map overview for a 500NMD11...
Page 91: Snmp Network Management
Functions SNMP Network Management < s h o w s y s t e m s y s l o g > < d e b u g s y s t e m s y s l o g t e s t m e s s a g e [ { I P a d d r e s s } ] > 2.27 SNMP Network Management SNMP (Simple Network Management Protocol) is intended for the central monitoring and...
Page 92: Mib Support
In addition to the objects of the standard MIBs listed in Chapter 2.27.2, "MIB Support" the EDS500 devices have further, device specific objects that are defined in a dedicated vendor proprietary MIB. This is called ABB-EDS500-MIB and includes definitions of product ids, trap ids and object ids (OIDs).
Page 93 Write object reload –no (0) triggerreload (1) executes command <reload>. 1.3.6.1.4.1.21939.9.0.0 –triggerreload (1) –reloading (2) Table 42: Objects of the group abb ->abbMgmt Object name Read object Write object boardVersion Coded version of the main- board 1.3.6.1.4.1.21939.9.1.1.1.0 Table 43: Objects of the group abb->abbMgmt->system->version...
Page 94 Coded version of the expan- 1.3.6.1.4.1.21939.9.1.1.8.0 sion board if applicable powerBoardVersion Coded version of the PSU 1.3.6.1.4.1.21939.9.1.1.9 board if applicable Table 43: Objects of the group abb->abbMgmt->system->version Object name Read object Write object sensorDetected Temperature sensor detected: 1.3.6.1.4.1.21939.9.1.2.1.1.0 –notdetected (0) –detected (1)
Page 95 Number or detected external temperature sensors 1.3.6.1.4.1.21939.9.1.2.1.7.0 extTempTable Table for external tempera- ture sensors 1.3.6.1.4.1.21939.9.1.2.1.8… Table 44: Objects of the group abb->abbMgmt->system->enviroment->temperature Object name Read object Write object remoteIP Source IP of the SNMP request (use for NAT/PAT) 1.3.6.1.4.1.21939.9.1.3.1.0 lastReloadReason Device start: 1.3.6.1.4.1.21939.9.1.3.2.0...
Page 96 Progress in bytes when pro- gramming the firmware 1.3.6.1.4.1.21939.9.1.8.6.0 transferResult ASCII text: status message of the last TFTP transmission 1.3.6.1.4.1.21939.9.1.8.7.0 Table 47: Objects of the group abb->abbMgmt->system->tftpControl Object name Read object Write object dsaKeyFingerprint Fingerprint of the DSA system crypto key 1.3.6.1.4.1.21939.9.1.4.1.0...
Page 97 1.3.6.1.4.1.21939.9.2.2.1.10.x connectProgress Progress of the DSL speed negotiation 1.3.6.1.4.1.21939.9.2.2.1.11.x signalQuality Signal quality in dB 1.3.6.1.4.1.21939.9.2.2.1.12.x resetCounter Reset counter for subsystem 1.3.6.1.4.1.21939.9.2.2.1.13.x linelossRatio Line loss in dB 1.3.6.1.4.1.21939.9.2.2.1.14.x Table 49: Objects of the group abb->abbMgmt->interface->ifTable (table index - ifIndex) 1KGT151021 V000 1...
Page 98 ASCII text: name of the SFP module 1.3.6.1.4.1.21939.9.2.2.1.15.x sfpTemperature Temperature of the SFP mod- 1.3.6.1.4.1.21939.9.2.2.1.16.x Table 49: Objects of the group abb->abbMgmt->interface->ifTable (table index - ifIndex) Object name Read object Write object systemAlarmLevel System-wide alarm state: 1.3.6.1.4.1.21939.9.3.1.0 –levelNone (0) –levelWarning (1)
Page 99 Convenience object: return ignored the System Uptime (like MIB-2 1.3.6.1.4.1.21939.9.9.1.1.11.a sys- UpTime) .b.c.d Table 53: Objects of the group abb->abbMgmt->mgr->mgrTable (table index - ip) Object name Read object Write object tcpReceiveIdle TCP inactivity in 100 ms 1.3.6.1.4.1.21939.9.10.3.1.6.a .b.c.d.x.e.f.g.h.y Table 54: Objects of the group abb->abbMgmt->tcpExt->tcpTable (table index -...
Page 100: Trap Server And Traps
SNMPv1 format or SNMPv2c format, depending on the settings. The traps are sent to the configured trap server as well as to logged in network management systems (ABB-EDS500-MIB Group 'mgr', refer to Chapter 2.27.3, "Vendor Specific Device MIB" ). Up to 10 different trap target IP addresses can be defined.
Page 101 Functions SNMP Network Management The default value for Community-String is: public. Command to configure SNMP Trap servers < s e t s y s t e m s n m p t r a p - t a r g e t { I P a d d r e s s } [ { v 1 | v 2 c } ] [ { c o m m u n i t y } ] >...
Page 102: Time Synchronization With Sntp
Time Synchronization with SNTP Functions 2.28 Time Synchronization with SNTP EDS500 devices can synchronize date and time with a time server via the Simple Network Time Protocol. This time information is used in Syslog messages and the internal log (command <show log>). The SNTP time can be used in timestamps by the telecontrol protocol IEC 60870-5-104.
Page 103: State Dependencies
Functions State Dependencies Monitor: delay state (hold down) Monitor switching Monitor condition delay over entered Monitor condition lost Monitor: Monitor: normal state backup state (up) (down) Monitor condition entered Monitor Monitor: Monitor condition switching delay over lost delay state (hold up) Figure 29: State transitions of the monitor Commands for the monitor: <...
Page 104: Ip Routing
IP Routing Functions { i n v e r s e - m o n i t o r | m o n i t o r } ] > < c l e a r s y s t e m s n m p t r a p - s o u r c e v l a n [ { 1 - 4 0 9 4 } ] > <...
Page 105: Configure Routing Protocol Rip
Functions IP Routing Display of routing table R o u t i n g L i s t E n t r i e s : 3 e n t r i e s ( s t a t i c l o c a l g a t e w a y s e x c l u d e d ) D e s t .
Page 106: Virtual Router Redundancy Protocol (Vrrp)
Virtual Router Redundancy Protocol (VRRP) Functions 2.32 Virtual Router Redundancy Protocol (VRRP) The Virtual Router Redundancy Protocol (VRRP) serves the fail safeguarding of gateways by using redundant routers. Failures in routed Layer-2 networks can be countered with redundant connections and dynamic routing protocols.
Page 107: Lldp Neighbour Recognition
Functions LLDP Neighbour Recognition This VRRP IP address as well as the VRRP-ID (1 to 255) have to be identical on all grouped routers. Furthermore, an individual VRRP priority can be configured per router (1 to 255) where the router with the highest VRRP priority becomes master router. Finally, VRRP has to be activated on the specified interface.
Page 108: Update Via Web Interface
Firmware Update Functions Example for updating firmware s w i t c h > e n a b l e < e n a b l e > E n t e r P a s s w o r d : s w i t c h # c o p y t f t p f l a s h <...
Page 109: Generate And Apply Cryptographic Key
Functions Cryphographic Key A D V I C E Devices that have been shipped with a software version without SSH support (SWOPS < 1.33.0), have no individual cryptographic key but use a standard value as key. An individual key has to be applied for security reasons when cryptographic protocols are used. Such devices can be detected during boot or login or by the output of the command <show system ssh>...
Page 110 Cryphographic Key Functions Figure 31: PuTTY Key Generator - key selection The parameter of the key type has to be set SSH2-DSA (refer to "Fig. 31: PuTTY Key Generator - key selection"). The required key size is 1024. Clicking on button “Generate” and moving the mouse over the plane “key” generates the key. A process bar gives visual feedback.
Page 111 Functions Cryphographic Key Figure 32: PuTTY Key Generator - generated key Next, the key has to be exported in the OpenSSH format. Do this with the function “Conversions”. The action "Export OpenSSH key" saves the key file ("Fig. 33: PuTTY Key Generator - key export").
Page 112: Certificate Management
Certificate Management Functions 2.36 Certificate Management For secure webserver (HTTPS) functionality the EDS500 managed switches requires a compatible combination of EC key (Eliptic Curve key) and certificate. In delivery state each EDS500 managed switches has stored its EC key (device key) and its certificate (device certificate - self-signed) generated from the EC key.
Page 113 The key pre-installed in the device complies with ABB's minimum cyber security requirements. According to this, the key is unique and the private part is not read out. However, some companies need to use their own keys and this is supported by the EDS500 managed switches.
Page 114 Certificate Management Functions a) Use default key and self-signed cerﬁcate of device EDS500 EC key Cerﬁcate device device / Self-signed download Browser b) Use external EC key and self-signed funcon of device. EDS500 EC key device EC key Cerﬁcate external device / self-signed Cerﬁcate Cerﬁcate...
Page 115 Functions Certificate Management CA certificates can be created by yourself as well as purchased from an authentication authority. Combinations and their characteristics • Device EC key and self-signed certificate - Default working - Out of the box - Each certificate must be integrated in the browser •...
Page 116 Certificate Management Functions c) Device EC key, CSR and external CA-signed cerﬁcate. EDS500 EC key Cerﬁcate device device / self-signed EC key Cerﬁcate Cerﬁcate external external signing request download upload .csr .crt signed by CA d) External EC key, CSR and external CA-signed cerﬁcate. EDS500 EC key device...
Page 117: Step-By-Step Instructions
Functions Certificate Management 2.36.3 Step-by-Step Instructions OpenSSL For certification OpenSSL can be used. In this manual a step-by-step instruction for the XCA tool is given. This tool is based on OpenSSL. It has a graphical user interface and works on Microsoft Windows workstations.
Page 118 Certificate Management Functions 3 In this example version 1.3.2 is used. 2.36.3.2 Generate CA Certificates CA certificates can be purchased from an authentication authority as well as created by yourself. This chapter describes how to create a CA certificate yourself. CA certificates are mandatory for the use of non-self-signed certificates.
Page 119 Functions Certificate Management Create new database 1 First a data base has to be created. 2 This data base is protected by password. 1KGT151021 V000 1...
Page 120 Certificate Management Functions Create new certificate 1 Go to Certificates and choose New Certificate 2 Set the Source like in picture. Select [default] CA. 3 To generate a CA certificate the tab Extensions has to be selected. Change Type to to Certification Authority.
Page 121 Functions Certificate Management 4 In tab Subject a Key for this certificate has to be generated. 5 In this example we generate an RSA 2048 bit key. 1KGT151021 V000 1...
Page 122 Certificate Management Functions 6 After creating the key you should get the following confirmation. 7 Switch back to the tab Subject and select the created key. 8 After clicking on OK you should get the following confirmation. 1KGT151021 V000 1...
Page 123 Functions Certificate Management 9 You should now see the certificate in tab Certificates. Important: The currently generated certificate have to be a CA certificate. 2.36.3.3 Generate External Certificates (CRT) For using of external certificates the EDS500 managed switches provides CSR (Certificates Signing Request) function.
Page 124 Certificate Management Functions 2 Scroll to the bottom of the page and download the Crypto certificate signing request web download. Create CA-signed certificate Start the XCA tool with the listed CA certificate (how this can be done is described in the previous chapter).
Page 125 Functions Certificate Management 1 Import the CSR file: Select Import in the menu and click on Request. 2 A message confirms the successful import. 3 Select the tab Certificate signing request. Right mouse click on the imported CSR and select Sign. 4 A new window will open.
Page 126 Certificate Management Functions 5 Go to tab Extensions. Select End Entity under Basic Constraints and enter Not before and Time range in the Group Validity. Chose Time range according your company security policies. Then confirm with OK. 1KGT151021 V000 1...
Page 127 Functions Certificate Management 6 A message confirms the successful creation of the certificate. 7 The now created certificate will listed as a branch of the CA certificate in the certificates overview. Select the certificate and click on Export of the right side. 8 Choose PEM (*.crt) as Export Format and click on OK.
Page 128 Certificate Management Functions Upload CRT file 1 Go to web server of the EDS500 managed switches and chose Encryption in the left Administration menu. Click on Browse... under Crypto certificate web upload, select your created certificate and click on upload. 2 A successful upload of a valid certificate will be confirmed by the following website.
Page 129 Functions Certificate Management 2.36.3.4 Generate and Upload EC Keys This chapter describes how to create a valid EC key and upload them to the EDS500 managed switches. Based on the external key you have the possibility to create a self-signed certificate or a CSR file based by the EDS500 managed switches.
Page 130 Certificate Management Functions 3 A message confirms the successful EC Key creation. An external EC Key has been created and is ready for upload to the EDS500 managed switches. Upload EC Key 1 Go to web server of the EDS500 managed switches and chose Encryption in the left Administration menu.
Page 131 Functions Certificate Management 2 A successful upload of a valid EC key will be confirmed by the following website. 2.36.3.5 Device Certificate with External EC Key This chapter describes how to upload an external key and download the self-signed certificate from the EDS500 managed switches web server and integrate it into the browser The Generatioin of the self-signed certificate will be done by the EDS500 managed switches automatically after upload of the EC key.
Page 132 Certificate Management Functions "Integration of self-signed and CA-signed certificates into MS Internet Explorer/Edge and Google Chrome". 2.36.3.6 External Certificate (CRT) with External EC Key This chapter describes how to upload an external key and generate a CSR (Certificates Signing Request) file based on the external key. The way via the CRT file ensures that the external created EC key and the external created CA-signed certificate are compatible to each other.
Page 133 Functions Certificate Management 2 Go to tab Certificates and click on New Certificate. 3 A message confirms the successful import. 1KGT151021 V000 1...
Page 134 Certificate Management Functions 4 Go to tab Subject. Type the internal Name, the commonName and choose the EC Key in the drop down list. 5 Then confirm with OK. 1KGT151021 V000 1...
Page 135 Functions Certificate Management Go to tab Subject. Type the internal Name, the internal Name, the commonName and choose the EC Key in the drop down list. Then confirm with OK. An external certificate has been created and is ready for upload to the EDS500 managed switches.
Page 136 Certificate Management Functions 2.36.3.8 Integration of Certificates Into Browser Regardless of which combination of key and certificate is used, the certificates must be integrated into the used browser. The procedure depends on the browser and the type of certificates. The following combinations are described: •...
Page 137 Functions Certificate Management 2. Select Privacy & Security from the menu and click on View Certificates... 3. Go to tab Servers and click on Add Exception... 1KGT151021 V000 1...
Page 138 Certificate Management Functions 4. Write https:// and the IP address of the device under Location and click on Get Certificate 5. Select Permanently store this exception and click on Confirm Security Exception 1KGT151021 V000 1...
Page 139 Functions Certificate Management 6. The exception should then be listed in the certificate manager. Integration of CA certificates into Mozilla Firefox This section describes how to import a CA certificate into Firefox. Import CA certificates 1. Open Firefox, press ALT for opening extra menu and select Options. 1KGT151021 V000 1...
Page 140 Certificate Management Functions 2. Select Privacy & Security from the menu and click on View Certificates... 3. Go to tab Authorities and click on Import... 1KGT151021 V000 1...
Page 141 Functions Certificate Management 4. Select the CA certificate with .p7b extension and confirm with Open 5. A dialog window opens. Select there Trust this CA to identify websites and confirm with 6. The imported certificate should be listed in the certificate manager. 1KGT151021 V000 1...
Page 142 Certificate Management Functions Integration of self-signed and CA-signed certificates into MS Internet Explorer/Edge and Google Chrome This section describes how to import a self-signed and CA-signed certificate into MS Internet Explorer/Edge and Google Chrome. Import self-signed and CA-signed certificates 1. Open the web interface of the EDS500 managed switches and select Encrytion in the Administration menu.
Page 143 Functions Certificate Management 3. A message will appear. Click on Save File to store the certificate on the workstation. 4. Open the Microsoft Windows certificate manager by pressing Win+R and write certmgr.msc in the Open field and click on OK. 5.
Page 144 Certificate Management Functions 7. Chose X.509 Certificate (*.cer; *.crt), select the certificate to be used and click on Open. 8. Confirm with a click on Next >. 1KGT151021 V000 1...
Page 145 Functions Certificate Management 9. Make sure that the certificates are stored in Trusted Root Certification Authorities and click on Next >. 10. Complete the import by clicking on Finish. 1KGT151021 V000 1...
Page 146 Certificate Management Functions 11. The import was successful if the following message appears. Click on OK to close the wizard. 12. The new certificate should now be listed in the certificate manager. Integration of CA certificates into MS Internet Explorer/Edge and Google Chrome This section describes how to import a CA certificate into MS Internet Explorer/Edge and Google Chrome.
Page 147 Functions Certificate Management Import CA certificates 1. Open the Microsoft Windows certificate manager by pressing Win+R and write certmgr.msc in the Open field and click on OK. 2. After the certificate manager is open, click on the small triangle infront of Trust Root Certification Authorities.
Page 148 Certificate Management Functions 4. Chose PKCS #7 Certificates (*.spc; *.p7b), select the CA certificate to be used and click on Open. 5. Confirm with a click on Next >. 1KGT151021 V000 1...
Page 149 Functions Certificate Management 6. Make sure that the certificates are stored in Trusted Root Certification Authorities and click on Next >. 7. Complete the import by clicking on Finish. 1KGT151021 V000 1...
Page 150 Certificate Management Functions 8. A Security Warning will open. Click on Yes to confirm. 9. The import was successful if the following message appears. Click on OK to close the wizard. 1KGT151021 V000 1...
Page 151 Functions Certificate Management 10. The new certificate should now be listed in the certificate manager. 1KGT151021 V000 1...
Page 152 Certificate Management Functions 1KGT151021 V000 1...
Page 153: Glossary
Glossary Glossary Active Directory Access Point Name of GPRS Service Provider Network Address Resolution Protocol ASDU Application Service Data Unit Certificate Authority Command Line Interface Cyclic Redundancy Check Clear to Send Decibel Data Carrier Detect Digital Subscriber Line Elliptic Curve Global Standard for Mobile Communications HTTP Hypertext Transfer Protocol...
Page 154 Glossary Open Systems Interconnection Model Personal Computer Personal Identity Number PKCS Public-Key Cryptography Standards Programmable Logic Control Power Supply Unit RADIUS Remote Authentication Dial-In User Service Request for Comments Routing Information Protocol RSTP Rapid Spanning Tree Protocol Request to Send Remote Terminal Unit Receive Direction Small Form-factor Pluggable...
Page 155 1KGT151021 V000 1...
Page 156 Brochure has been made available, in view of any damages including costs or losses shall be excluded. In particular ABB AG shall in no event be liable for any indirect, consequential or special damages, such as – but not limited to – loss of profit, loss of production, loss of revenue, loss of data, loss of use, loss of earnings, cost of capital or cost connected with an interruption of business or operation, third party claims.

ABB EDS500 Series Function Manual

1 Introduction

3 Glossary

Quick Links

Related Manuals for ABB EDS500 Series

Summary of Contents for ABB EDS500 Series

Table of Contents