Have a need to make data available from your S7-1200 PLC to a Modbus TCP Master (or SCADA)? Luckily, this is easy to setup. This will be short and sweet.
Siemens provides two Instruction blocks for setting up Client/Server Modbus TCP connections – you can find them under Communication on the Instructions Window – MB_SERVER and MB_CLIENT.
As an example, let’s set up a Modbus TCP server on our PLC. I’m starting a project from scratch, so I’m going to add an instance of MB_SERVER to my OB1. When you add the instruction, you’ll notice it will need its own instance DB, so go ahead and create one.
You’ll see there are only a few inputs to this block:
- DISCONNECT: the default for this input is 'FALSE.' Setting the input to 'TRUE' will cause the server to sever any active connection and refuse any connection attempts.
- CONNECT_ID: this defines a connection number on the PLC. This must be unique for each instance of MB_SERVER or MB_CLIENT.
- IP_PORT: by default, the IP_PORT will be set to 502, which is the standard port used for Modbus TCP communications. If you would like to use an alternative port, this is where you set it. Just be careful not to use any ports already used by the PLC: 20, 21, 25, 80, 102, 123, 5001, 34962, 34963, and 34964.
- MB_HOLD_REGISTER: This defined the location (start and size) for the available Holding Registers (40001 to max defined register). This pointer can be any global data block or a memory area (M). These holding registers are used for Modbus functions 3 (read Word), 6 (write Word), and 16 (write multiple Words). You can set this pointer using the ANY format (“P#bit address” “data type” “length”):
That’s really all you need. There are some status bits you can use to debug connection issues and a few static tags that can be accessed, but in most case you shouldn’t need them.
Now, ignoring the hold registers for a moment, let’s look at what this MB_SERVER instruction gives us out of the box. There’s a handy table in the help file explaining the codes and data sources automatically made available. To sum it up, function codes 1, 2, 4, 5, and 15 will immediately support direct read and write access to the process image of the CPU.
For example, function code 01 (Read Bits) allows read access to the output process image, with registers 1-8192 corresponding to Q0.0-Q1023.7. Likewise, function code 5 (Write Bits) allows write access to the same registers/bits. Function code 02 will allow read access to the input process image, mapping registers 10001-18192 to I0.0 to I1023.7. Check the help file for the other options.
Getting back to the hold registers, these are accessed with function codes 3, 6, and 16. Unless you’ve modified the start position, the hold registers will begin at 40001 and continue for the length defined in MB_HOLD_REG. To wrap things up, I’m going to create a global DB for my hold registers and include the following:
Looking at the DB above, you can see I’ve created an array of Bools that make up the first Word (this will be Register 40001). The next Word will be the data for Register 40002, in this case, an Int. Finally, I’ve added a Real, which is a DW and will use Registers 40003 and 40004.
We should now have a single rung of logic to control our Modbus TCP server.
Now, I can update information in my global DB from my code and read it from a Modbus TCP master, or the master can write data to my PLC.
That’s it. All you need to run a Modbus TCP server on your S7-1200. Have fun.
Learn more about DMC's PLC Programming services and contact us to get started on your next PLC Programming project.