Entering access permissions in the IP access control list (IP-ACL)
Reference
Making settings for the interface properties in the "Properties > General > IP access protection" parameter group.
Rules for entering the IP addresses:
Keep to the following rules when entering IP addresses:
You can enter the IP address singly or as a range.
You can also enter comments.
The maximum number of addresses you can enter is: 32
The maximum number of address ranges you can enter is: 10
The system does not check whether addresses that have already been entered singly are also included in an address range.
The system does not check whether a range includes invalid addresses (for example, broadcast addresses can be specified here although they cannot occur as the IP address of a sender).
Comments begin with the "#" character.
Examples:
Individual IP address with comment: 141.80.0.16 #address of partner x
Range of IP addresses with comment: 141.80.0.16 - 141.80.0.25 #address range for control level
Rights
The access permissions described here can be selected in the IP access control list with their short designations.
Access permissions and short designations

Access right: Access to station
Short designation: A (Access)
Meaning / remark:
Communications partners with addresses in the specified range have access to the station (CP / CPU) belonging to the CP.
This access permission is set implicitly for IP addresses you have specified in the connection configuration.

Access right: Modifying the IP access control list
Short designation: M (Modify)
Meaning / remark:
Communications partners with addresses in the specified range have the right to access the IP access control list. These communications partners can send entries for the IP access control list to the CP using HTTP.
If you select this permission, the permission "A" is also set.
Notes on the entries sent using HTTP:
With each list transferred using HTTP, a previous list sent using HTTP becomes invalid.
The access permissions sent using HTTP can be added to entries configured in STEP 7, but the entries cannot be deleted.
A list transferred using HTTP is deleted if there is a power down on the CP (power OFF).
You will find information on the syntax of a list transferred using HTTP in the documentation of the CP.

Access right: IP routing access to another IP subnet
Short designation: R (Routing)
Meaning / remark:
Communications partners with addresses in the specified range have access to other subnets connected to the CP.
This access permission is not set automatically for IP addresses you have specified in the connection configuration. Where necessary, this access permission must be set here explicitly.
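As an added example (not code from the STEP 7 documentation or from the CP itself), the following Python script parses entries in the single-address / range / "#" comment syntax shown under "Rules for entering the IP addresses" and applies the checks the documentation says the system does not perform (a single address that is already covered by a range, the 32-address and 10-range limits, and entries that include addresses which cannot occur as a sender, such as the subnet broadcast address), and it resolves the A, M and R rights from the table above, including the rule that M implicitly sets A and that R is never implied. The representation of rights as a Python set attached to each entry, the sample list and the 141.80.0.0/24 station subnet are assumptions for illustration; the page does not show how rights are written in the list.

```python
# Added example: checker for IP-ACL entries (not the project's own code).
# Parses the '141.80.0.16 #comment' / '141.80.0.16 - 141.80.0.25 #comment'
# syntax, applies the checks the CP does NOT perform, and resolves A / M / R.
# Attaching rights to an entry as a Python set is an assumption for illustration.
import ipaddress
from dataclasses import dataclass, field

MAX_ADDRESSES = 32          # limits stated in the documentation
MAX_RANGES = 10
MULTICAST = ipaddress.IPv4Network("224.0.0.0/4")
RESERVED = ipaddress.IPv4Network("240.0.0.0/4")   # includes 255.255.255.255


@dataclass
class AclEntry:
    first: ipaddress.IPv4Address
    last: ipaddress.IPv4Address
    comment: str = ""
    rights: set = field(default_factory=set)   # subset of {"A", "M", "R"} (assumed)

    @property
    def is_range(self):
        return self.first != self.last

    def contains(self, ip):
        return self.first <= ip <= self.last

    def overlaps(self, net):
        # Interval overlap between this entry and an IPv4 network
        return self.first <= net.broadcast_address and self.last >= net.network_address


def parse_entry(line, rights=("A",)):
    """Parse one list line; returns None for a blank or comment-only line."""
    text, _, comment = line.partition("#")
    parts = [p.strip() for p in text.split("-")]
    if parts == [""]:
        return None
    if len(parts) > 2:
        raise ValueError(f"malformed entry: {line!r}")
    first = ipaddress.IPv4Address(parts[0])
    last = ipaddress.IPv4Address(parts[-1])     # same as first for a single address
    if first > last:
        raise ValueError(f"range start after end: {line!r}")
    granted = set(rights)
    if "M" in granted:
        granted.add("A")        # documentation: selecting M also sets A
    return AclEntry(first, last, comment.strip(), granted)


def validate(entries, station_subnet=None):
    """Return warnings for conditions the CP accepts without checking."""
    if station_subnet is not None:
        station_subnet = ipaddress.IPv4Network(station_subnet)
    warnings = []
    singles = [e for e in entries if not e.is_range]
    ranges = [e for e in entries if e.is_range]
    if len(singles) > MAX_ADDRESSES:
        warnings.append(f"{len(singles)} single addresses exceeds the limit of {MAX_ADDRESSES}")
    if len(ranges) > MAX_RANGES:
        warnings.append(f"{len(ranges)} ranges exceeds the limit of {MAX_RANGES}")
    for s in singles:                       # single address already inside a range
        for r in ranges:
            if r.contains(s.first):
                warnings.append(f"{s.first} is already covered by {r.first} - {r.last}")
    for e in entries:                       # addresses that cannot be a sender
        if e.overlaps(MULTICAST) or e.overlaps(RESERVED):
            warnings.append(f"{e.first} - {e.last} includes multicast/reserved or limited broadcast addresses")
        if station_subnet is not None and e.contains(station_subnet.broadcast_address):
            warnings.append(f"{e.first} - {e.last} includes the subnet broadcast address {station_subnet.broadcast_address}")
    return warnings


def has_right(entries, ip, right):
    """True if some entry covering ip grants the right ('A', 'M' or 'R').
    'R' is never implied by another right; it must be granted explicitly."""
    ip = ipaddress.IPv4Address(ip)
    return any(e.contains(ip) and right in e.rights for e in entries)


# Constructed sample list; the first two lines are the documentation's own examples
SAMPLE = [
    ("141.80.0.16 #address of partner x", ("M",)),
    ("141.80.0.16 - 141.80.0.25 #address range for control level", ("A",)),
    ("141.80.0.255 #mistake: this is the subnet broadcast address", ("A",)),
    ("# comment-only line", ("A",)),
]
ENTRIES = [e for line, rights in SAMPLE if (e := parse_entry(line, rights)) is not None]

if __name__ == "__main__":
    for w in validate(ENTRIES, "141.80.0.0/24"):
        print("WARNING:", w)
    print("141.80.0.16 may modify the ACL:", has_right(ENTRIES, "141.80.0.16", "M"))
    print("141.80.0.20 may modify the ACL:", has_right(ENTRIES, "141.80.0.20", "M"))
```

Run against the sample list, the validator reports the single address 141.80.0.16 as already covered by the range and flags the 141.80.0.255 entry as the subnet broadcast address; both are accepted silently by the CP, so a check like this before downloading the configuration is the place to catch them.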
Note
Loading configuration data via TCP/IP
When downloading via TCP/IP with access protection enabled, note that you will need to include the IP address of the programming device / PC from which the configuration is downloaded in the IP-ACL. The programming device / PC would otherwise be detected as unauthorized during the loading and the loading routine would be aborted.
Loading S7 connections later
If you want to load individual S7 connections to the S7 station later, these are not included automatically in the IP-ACL. In this case, you will need to load the entire station configuration again.
Adopting and editing a configuration by loading to the programming device / PC
If you want to edit the connection configuration and have enabled IP access protection, you will require the full connection information on the programming device / PC. This means that you will need to upload the current connection data. When you then load the data to the S7 station again, you will need to load the entire connection data and station data.
Note
Using special diagnostics, you can view the current IP-ACL on the S7 station and, if required, compare it with the configured IP-ACL.