Lancom Systems Server LCOS 350 User Manual

Reference Manual

LANCOM LCOS 3.50

Download from Www.Somanuals.com. All Manuals Search And Download.

̈ Contents

LANCOM Reference Manual LCOS 3.50

Contents

1 Preface

2 System design

3 Configuration and management

3.1 Configuration tools and approaches

3.2 Configuration software

3.2.1 Configuration using LANconfig

3.2.2 Configuration with WEBconfig

3.2.3 Configuration using Telnet

3.2.4 Configuration using SNMP

3.3 Remote configuration via Dial-Up Network

3.3.1 This is what you need for ISDN remote configuration 21

3.3.2 The first remote connection using Dial-Up Networking21

3.3.3 The first remote connection using a PPP client and Telnet

3.4 LANmonitor—know what's happening

3.4.1 Extended display options

3.4.2 Monitor Internet connection

3.5 Trace information—for advanced users

3.5.1 How to start a trace

3.5.2 Overview of the keys

3.5.3 Overview of the parameters

3.5.4 Combination commands

3.5.5 Examples

3.6 Working with configuration files

3.7 New firmware with LANCOM FirmSafe

3.7.1 This is how LANCOM FirmSafe works

3.7.2 How to load new software

3.8 Command line interface

3.8.1 Command line reference

3.9 Scheduled Events

4 Management

4.1 N:N mapping

Download from Www.Somanuals.com. All Manuals Search And Download.

LANCOM Reference Manual LCOS 3.50

̈ Contents

4.1.1 Application examples

4.1.2 Configuration

4.1.3

5 Diagnosis

5.1 LANmonitor—know what's happening

5.1.1 Extended display options

5.1.2 Monitor Internet connection

5.2 Trace information—for advanced users

5.2.1 How to start a trace

5.2.2 Overview of the keys

5.2.3 Overview of the parameters

5.2.4 Combination commands

5.2.5 Examples

6 Security

6.1 Protection for the configuration

6.1.1 Password protection

6.1.2 Login barring

6.1.3 Restriction of the access rights on the configuration 55

6.2 Protecting the ISDN connection

6.2.1 Identification control

6.2.2 Callback

6.3 The security checklist

7 Routing and WAN connections

7.1 General information on WAN connections

7.1.1 Bridges for standard protocols

7.1.2 What happens in the case of a request from the LAN? 64

7.2 IP routing

7.2.1 The IP routing table

7.2.2 Local routing

7.2.3 Dynamic routing with IP RIP

7.2.4 SYN/ACK speedup

7.3 The hiding place—IP masquerading (NAT, PAT)

7.3.1 Simple masquerading

7.3.2 Inverse masquerading

7.3.3 Unmasked Internet access for server in the DMZ

Download from Www.Somanuals.com. All Manuals Search And Download.

̈ Contents

LANCOM Reference Manual LCOS 3.50

7.4 N:N mapping

7.4.1 Application examples

7.4.2 Configuration

7.5 Configuration of remote stations

7.5.1 Name list

7.5.2 Layer list

7.6 Establishing connection with PPP

7.6.1 The protocol

7.6.2 Everything o.k.? Checking the line with LCP

7.6.3 Assignment of IP addresses via PPP

7.6.4 Settings in the PPP list

7.7 Extended connection for flat rates—Keep-alive

7.8 Callback functions

7.8.1 Callback for Microsoft CBCP

7.8.2 Fast callback using the LANCOM process

7.8.3 Callback with RFC 1570 (PPP LCP extensions)

7.8.4 Overview of configuration of callback function

100

7.9 Channel bundling with MLPPP

101

8 Firewall

8.1 Threat analysis

8.1.1 The dangers

104

105

106

8.1.2 The ways of the perpetrators

8.1.3 The methods

8.1.4 The victims

8.2 What is a Firewall?

107

108

8.2.1 Tasks of a Firewall

8.2.2 Different types of Firewalls

8.3 The LANCOM Firewall

114

8.3.1 How the LANCOM Firewall inspects data packets 115

8.3.2 Special protocols

119

121

125

131

134

137

141

151

8.3.3 General settings of the Firewall

8.3.4 Parameters of Firewall rules

8.3.5 Alerting functions of the Firewall

8.3.6 Strategies for Firewall settings

8.3.7 Hints for setting the Firewall

8.3.8 Configuration of Firewall rules

8.3.9 Firewall diagnosis

Download from Www.Somanuals.com. All Manuals Search And Download.

LANCOM Reference Manual LCOS 3.50

̈ Contents

8.3.10 Firewall limitations

159

8.4 Protection against break-in attempts: Intrusion Detection

8.4.1 Examples for break-in attempts

160

161

8.4.2 Configuration of the IDS

8.5 Protection against “Denial of Service” attacks

8.5.1 Examples of Denial of Service attacks

8.5.2 Configuration of DoS blocking

162

165

8.5.3 Configuration of ping blocking and Stealth mode 166

9 Quality of Service

168

9.1 Why QoS?

168

9.2 Which data packets to prefer?

9.2.1 Guaranteed minimum bandwidths

9.2.2 Limited maximum bandwidths

168

171

172

9.3 The queue concept

172

175

9.3.1 Queues in transmission direction

9.3.2 Queues for receiving direction

9.4 Reducing the packet length

176

178

182

9.5 QoS parameters for Voice over IP applications

9.6 QoS in sending or receiving direction

9.7 QoS configuration

183

185

187

189

9.7.1 Evaluating ToS and DiffServ fields

9.7.2 Defining minimum and maximum bandwidths

9.7.3 Adjusting transfer rates for interfaces

9.7.4 Sending and receiving direction

9.7.5 Reducing the packet length

10 Virtual LANs (VLANs)

192

10.1 What is a Virtual LAN?

192

10.2 This is how a VLAN works

10.2.1 Frame tagging

192

193

194

195

10.2.2 Conversion within the LAN interconnection

10.2.3 Application examples

10.3 Configuration of VLANs

10.3.1 The network table

198

199

200

10.3.2 The port table

10.3.3 Configuration with LANconfig

Download from Www.Somanuals.com. All Manuals Search And Download.

̈ Contents

LANCOM Reference Manual LCOS 3.50

10.3.4 Configuration with WEBconfig or Telnet

201

11 Wireless LAN – WLAN

203

11.1 What is a Wireless LAN?

203

11.1.1 Standardized radio transmission by IEEE

11.1.2 Operation modes of Wireless LANs and base stations

206

11.2 Developments in WLAN security

11.2.1 Some basic concepts

11.2.2 WEP

213

214

215

219

220

223

230

231

11.2.3 WEPplus

11.2.4 EAP and 802.1x

11.2.5 TKIP and WPA

11.2.6 AES and 802.11i

11.2.7 Summary

11.3 Protecting the wireless network

232

11.4 Configuration of WLAN parameters

11.4.1 WLAN security

233

234

243

244

250

254

11.4.2 General WLAN settings

11.4.3 The physical WLAN interfaces

11.4.4 The logical WLAN interfaces

11.4.5 Additional WLAN functions

11.5 Establishing outdoor wireless networks

11.5.1 Geometrical layout of the transmission path

11.5.2 Antenna power

256

258

261

264

11.5.3 Emitted power and maximum distance

11.5.4 Transmission power reduction

12 Office communications with LANCAPI

265

12.1 What are the advantages of LANCAPI?

265

12.2 The client and server principle

12.2.1 Configuring the LANCAPI server

12.2.2 Installing the LANCAPI client

12.2.3 Configuration of the LANCAPI clients

265

268

269

12.3 How to use the LANCAPI

270

12.4 The LANCOM CAPI Faxmodem

Download from Www.Somanuals.com. All Manuals Search And Download.

LANCOM Reference Manual LCOS 3.50

̈ Contents

13 Server services for the LAN

272

13.1 Automatic IP address administration with DHCP

13.1.1 The DHCP server

272

273

274

13.1.2 DHCP—'on', 'off' or 'auto'?

13.1.3 How are the addresses assigned?

13.2 DNS

277

279

280

283

284

13.2.1 What does a DNS server do?

13.2.2 DNS forwarding

13.2.3 Setting up the DNS server

13.2.4 URL blocking

13.2.5 Dynamic DNS

13.3 Call charge management

285

286

287

13.3.1 Charge-based ISDN connection limits

13.3.2 Time dependent ISDN connection limit

13.3.3 Settings in the charge module

13.4 The SYSLOG module

287

288

13.4.1 Setting up the SYSLOG module

13.4.2 Example configuration with LANconfig

14 Virtual Private Networks—VPN

291

14.1 What does VPN offer?

291

293

294

14.1.1 Private IP addresses on the Internet?

14.1.2 Secure communications via the Internet?

14.2 LANCOM VPN: an overview

14.2.1 VPN example application

14.2.2 Advantages of LANCOM VPN

14.2.3 LANCOM VPN functions

295

296

297

14.3 VPN connections in detail

298

299

14.3.1 LAN-LAN coupling

14.3.2 Dial-in connections (Remote Access Service)

14.4 What is LANCOM Dynamic VPN?

14.4.1 A look at IP addressing

300

301

14.4.2 This is how LANCOM Dynamic VPN works

14.5 Configuration of VPN connections

306

14.5.1 VPN tunnel: Connections between VPN gateways 307

14.5.2 Set up VPN connections with the Setup Wizard

14.5.3 Inspect VPN rules

14.5.4 Manually setting up VPN connections

308

309

Download from Www.Somanuals.com. All Manuals Search And Download.

̈ Contents

LANCOM Reference Manual LCOS 3.50

14.5.5 Prepare VPN network relationships

311

314

318

322

14.5.6 Configuration with LANconfig

14.5.7 Configuration with WEBconfig

14.5.8 Diagnosis of VPN connections

14.6 Specific examples of connections

14.6.1 Static/static

322

323

324

14.6.2 Dynamic/static

14.6.3 Static/dynamic (with LANCOM Dynamic VPN)

14.6.4 Dynamic/dynamic (with LANCOM Dynamic VPN) 325

14.7 How does VPN work?

326

327

328

14.7.1 IPSec—The basis for LANCOM VPN

14.7.2 Alternatives to IPSec

14.8 The standards behind IPSec

329

330

332

335

14.8.1 IPSec modules and their tasks

14.8.2 Security Associations – numbered tunnels

14.8.3 Encryption of the packets – the ESP protocol

14.8.4 Authentication – the AH protocol

14.8.5 Key management – IKE

15 Appendix: Overview of functions for LANCOM models and LCOS

versions 337

16 Index

338

Download from Www.Somanuals.com. All Manuals Search And Download.

LANCOM Reference Manual LCOS 3.50

̈ Chapter 1: Preface

1 Preface

User’s manual and reference manual

The documentation of your device consists of two parts: The user’s manual

and the reference manual.

̈ The hardware of the LANCOM devices is documented in the respective

user’s manuals. Apart from a description of the specific feature set of the

different models, you find in the user’s manual information about inter-

faces and display elements of the devices, as well as instructions for basic

configuration by means of the wizards.

̈ You are now reading the reference manual. The reference manual

describes all functions and settings of the current version of LCOS, the

operating system of all LANCOM routers and LANCOM Wireless Access

Points. The reference manual refers to a certain software version, but not

to a special hardware.

It completes the user’s manual and describes topics in detail, which are

valid for several models simultaneously. These are for example:

୴ Systems design of the LCOS operating system

୴ Configuration

୴ Management

୴ Diagnosis

୴ Security

୴ Routing and WAN functions

୴ Firewall

୴ Quality of Service (QoS)

୴ Virtual Private Networks (VPN)

୴ Virtual Local Networks (VLAN)

୴ Backup solutions

୴ LANCAPI

୴ Further server services (DHCP, DNS, charge management)

LCOS, the operating system of LANCOM devices

All LANCOM routers and LANCOM Wireless Access Points use the same oper-

ating system: LCOS. The operating system developed by LANCOM itself is not

attackable from the outside, and thus offers high security. The consistent use

of LCOS ensures a comfortable and constant operation of all LANCOM prod-

Download from Www.Somanuals.com. All Manuals Search And Download.

̈ Chapter 1: Preface

LANCOM Reference Manual LCOS 3.50

ucts. The extensive feature set is available throughout all LANCOM products

(provided respective support by hardware), and continuously receives further

enhancements by free, regular software updates.

This reference manual applies to the following definitions of software, hard-

ware and manufacturers:

̈ ’LCOS’ describes the device-independent operating system

̈ ’LANCOM’ stands as generic term for all LANCOM routers and LANCOM

Wireless Access Points

̈ ’LANCOM’ stands as shortened form for the manufacturer, LANCOM Sys-

tems GmbH from Würselen, Germany

Validity

The present reference manual applies to all

LANCOM routers and LANCOM

Wireless Access Points with firmware version 3.32 or better.

The functions and settings described in this reference manual are not sup-

ported by all models and/or all firmware versions. A table can be found in the

appendix denoting the individual functions, from which firmware version they

are supported in the respective devices (’Appendix: Overview of functions for

LANCOM models and LCOS versions’ →page 337).

Illustrations of devices, as well as screenshots always represent just examples,

which need not necessarily correspond to the actual firmware version.

Security settings

For a carefree use of your device, we recommend to carry out all security set-

tings (e.g. Firewall, encryption, access protection, charge lock), which are not

already activated at the time of purchase of your device. The LANconfig wizard

’Check Security Settings’ will support you accomplishing this. Further informa-

tion regarding this topic can be found in chapter ’Security’ →page 52.

We ask you additionally to inform you about technical developments and

actual hints to your product on our Web page www.lancom.de, and to down-

load new software versions if necessary.

This documentation was compiled …

...by several members of our staff from a variety of departments in order to

ensure you the best possible support when using your LANCOM product.

In case you encounter any errors, or just want to issue critics or enhance-

ments, please do not hesitate to send an email directly to:

Download from Www.Somanuals.com. All Manuals Search And Download.

LANCOM Reference Manual LCOS 3.50

̈ Chapter 1: Preface

[email protected]

Our online services ( www.lancom.de) are available to you around the

clock should you have any queries regarding the topics discussed in

this manual or require any further support. In addition, support from

LANCOM Systems is also available to you. Telephone numbers and

contact information for LANCOM Systems support can be found on a

separate insert, or at the LANCOM Systems website.

Notes symbols

Very important instructions. If not followed, damage may result.

Important instruction should be followed.

Additional instructions which can be helpful, but are not

required.

Special formatting in body text

Bold

Menu commands, command buttons, or text boxes

Inputs and outputs for the display mode

Placeholder for a specific value

Code

<Value>

Download from Www.Somanuals.com. All Manuals Search And Download.

̈ Chapter 2: System design

LANCOM Reference Manual LCOS 3.50

2 System design

The LANCOM operating system LCOS is a collection of different software mod-

ules, the LANCOM devices themselves have different interfaces to the WAN

and LAN. Depending on the particular application, data packets flow through

different modules on their way from one interface to another.

The following block diagram illustrates in abstract the general arrangement

of LANCOM interfaces and LCOS modules. In the course of this reference man-

ual the descriptions of the individual functions will refer to this illustration to

show important connections of the particular applications and to deduce the

resulting consequences.

The diagram can thus explain for which data streams the firewall comes into

play, or, in case of address translations (IP masquerading or N:N mapping), at

which place which addresses are valid.

VPN services

VPN / PPTP

LAN interfaces

Firewall / IDS / DoS / QoS

LAN / Switch

IP router

WAN interfaces

DSLoL

connection via LAN/Switch

WLAN-1

WLAN-2

ADSL

IP module: NetBIOS, DNS,

DHCP server, RADIUS, RIP, NTP,

SNMP, SYSLOG, SMTP

DSL

DMZ

Configuration &

management:

ISDN

WEBconfig, Telnet,

IPX router

LANCAPI

IPX over PPTP/VPN

Notes regarding the respective modules and interfaces:

̈ The IP router takes care of routing data on IP connections between the

interfaces from LAN and WAN.

̈ The firewall (with the services “Intrusion Detection”, “Denial of Service”

and “Quality of Service”) encloses the IP router like a shield. All connec-

tions via the IP router automatically flow through the firewall as well.

̈ LANCOM devices provide either a separate LAN interface or an integrated

switch with multiple LAN interfaces as interfaces to the LAN.

Download from Www.Somanuals.com. All Manuals Search And Download.

LANCOM Reference Manual LCOS 3.50

̈ Chapter 2: System design

̈ LANCOM Wireless access points resp. LANCOM routers with wireless

modules offer additionally one or, depending on the respective model,

also two wireless interfaces for the connection of Wireless LANs.

̈ A DMZ interface enables for some models a ’demilitarized zone’ (DMZ),

which is also physically separated within the LAN bridge from other LAN

interfaces.

̈ The LAN bridge provides a protocol filter that enables blocking of dedi-

cated protocols on the LAN. Additionally, single LAN interfaces can be

separated by the “isolated mode”. Due to VLAN functions, virtual LANs

may be installed in the LAN bridge, which permit the operating of several

logical networks on a physical cabling.

̈ Applications can communicate with different IP modules (NetBIOS, DNS,

DHCP server, RADIUS, RIP, NTP, SNMP, SYSLOG, SMTP) either via the IP

router, or directly via the LAN bridge.

̈ The functions “IP masquerading” and “N:N mapping” provide suitable IP

address translations between private and public IP ranges, or also

between multiple private networks.

̈ Provided according authorization, direct access to the configuration and

management services of the devices (WEBconfig, Telnet, TFTP) is provided

from the LAN and also from the WAN side. These services are protected

by filters and login barring, but do not require any processing by the fire-

wall. Nevertheless, a direct access from WAN to LAN (or vice versa) using

the internal services as a bypass for the firewall is not possible.

̈ The IPX router and the LANCAPI access on the WAN side only the ISDN

interface. Both modules are independent from the firewall, which controls

only data traffic through the IP router.

̈ The VPN services (including PPTP) enable data encryption in the Internet

and thereby enable virtual private networks over public data connections.

̈ Depending on the specific model, either xDSL/Cable, ADSL or ISDN are

available as different WAN interfaces.

̈ The DSLoL interface (DSL over LAN) is no physical WAN interface, but

more a “virtual WAN interface”. With appropriate LCOS settings, it is pos-

sible to use on some models a LAN interface as an additional xDSL/Cable

interface.

Download from Www.Somanuals.com. All Manuals Search And Download.

̈ Chapter 3: Configuration and management

LANCOM Reference Manual LCOS 3.50

3 Configuration and management

This section will show you the methods and ways you can use to access the

device and specify further settings. You will find descriptions on the following

topics:

̈ Configuration tools

̈ Monitoring and diagnosis functions of the device and software

̈ Backup and restoration of entire configurations

̈ Installation of new firmware in the device

3.1 Configuration tools and approaches

LANCOM are flexible devices that support a variety of tools (i.e. software) and

approaches (in the form of communication options) for their configuration.

First, a look at the approaches.

You can connect to an LANCOM with three different access methods (accord-

ing to the connections available).

̈ Through the connected network (LAN as well as WAN—inband)

̈ Through the configuration interface (config interface) on the rear of the

router (also known as outband)

̈ Remote configuration via ISDN access

What is the difference between these three possibilities?

On one hand, the availability: Configuration via outband is always available.

Inband configuration is not possible, however, in the event of a network fault.

Remote configuration is also dependent on an ISDN connection.

On the other hand, whether or not you will need additional hardware and

software: The inband configuration requires one of the computers already

available in the LAN or WAN, as well as only one suitable software, such as

LANconfig or WEBconfig (see following section). In addition to the configura-

tion software, the outband configuration also requires a the computers with

a serial port. The preconditions are most extensive for ISDN remote configu-

ration: In addition to an ISDN capable LANCOM, an ISDN card is needed in

the configuration PC or alternatively, access via LANCAPI to an additional

LANCOM that is ISDN capable.

Download from Www.Somanuals.com. All Manuals Search And Download.

LANCOM Reference Manual LCOS 3.50

̈ Chapter 3: Configuration and management

3.2 Configuration software

Situations in which the device is configured vary—as do the personal require-

ments and preferences of the person doing the configuration. LANCOM rout-

ers thus feature a broad selection of configuration software:

̈ LANconfig – nearly all parameters of the LANCOM can be set quickly and

with ease using this menu-based application. Outband, inband and

remote configuration are supported, even for multiple devices simultane-

ously.

̈ WEBconfig – this software is permanently installed in the router. All that

is required on the workstation used for the configuration is a web

browser. WEBconfig is thus independent of operating systems. Inband

and remote configuration are supported.

̈ SNMP – device-independent programs for the management of IP net-

works are generally based on the SNMP protocol. It is possible to access

the LANCOM inband and via remote configuration using SNMP.

̈ Terminal program, Telnet – an LANCOM can be configured with a ter-

minal program via the config interface (e.g. HyperTerminal) or within an

IP network (e.g. Telnet).

̈ TFTP – the file transfer protocol TFTP can to a limited extent also be used

within IP networks (inband and remote configuration).

Please note that all procedures access the same configuration data.

For example, if you change the settings in LANconfig, this will also

have a direct effect on the values under WEBconfig and Telnet.

3.2.1 Configuration using LANconfig

Start LANconfig by, for example, using the Windows Start menu: Start ̈

Programs ̈ LANCOM ̈ LANconfig. LANconfig will now automatically

search for devices on the local network. It will automatically launch the setup

wizard if a device which has not yet been configured is found on the local area

network LANconfig.

Find new devices

Click on the Find button or call up the command with Device / Find to initi-

ate a search for a new device manually. LANconfig will then prompt for a loca-

tion to search. You will only need to specify the local area network if using the

inband solution, and then you're off.

Download from Www.Somanuals.com. All Manuals Search And Download.

̈ Chapter 3: Configuration and management

LANCOM Reference Manual LCOS 3.50

Once LANconfig has finished its search, it displays a list of all the devices it

has found, together with their names and, perhaps a description, the IP

address and its status.

The expanded range of functions for professionals

Two different display options can be selected for configuring the devices with

LANconfig:

̈ The 'Simple configuration display' mode only shows the settings required

under normal circumstances.

̈ The 'Complete configuration display' mode shows all available configura-

tion options. Some of them should only be modified by experienced users.

Select the display mode in the View / Options menu.

Double-clicking the entry for the highlighted device and then clicking the

Configure button or the Device / Configure option reads the device's cur-

rent settings and displays the 'General' configuration selection.

The integrated Help function

The remainder of the program's operation is self-explanatory or you can use

the online help. You can click on the 'Help' button top right in any window or

right-click on an unclear term at any time to call up context-sensitive help.

Download from Www.Somanuals.com. All Manuals Search And Download.

LANCOM Reference Manual LCOS 3.50

̈ Chapter 3: Configuration and management

Management of multiple devices

LANconfig supports multi device remote management. Simply select the

desired devices, and LANconfig performs all actions for all selected devices

then, one after the other. The only requirement: The devices must be of the

same type.

In order to support an easy management, the devices can be grouped

together. Therefore, ensure to enable ’Folder Tree’ in the View menu, and

group the devices by ’drag an drop’ into the desired folders.

LANconfig shows only those parameters that are suitable for multi

device configuration when more than one device is selected, e.g. MAC

Access Control Lists for all LANCOM Wireless Access Points.

3.2.2 Configuration with WEBconfig

You can use any web browser, even text-based, for basic setup of the device.

The WEBconfig configuration application is integrated in the LANCOM. All

you need is a web browser in order to access WEBconfig.

Functions with any web browser

WEBconfig offers setup wizards similar to LANconfig and has all you need for

easy configuration of the LANCOM—contrary to LANconfig but under all

operating systems for which a web browser exists.

A LAN or WAN connection via TCP/IP must be established to use WEBconfig.

WEBconfig is accessed by any web browser via the IP address of the LANCOM,

via the name of the device (if previously assigned), or via any name if the

device has not been configured yet.

http://<IP address or device name>

Download from Www.Somanuals.com. All Manuals Search And Download.

̈ Chapter 3: Configuration and management

LANCOM Reference Manual LCOS 3.50

Secure with HTTPS

WEBconfig offers an encrypted transmission of the configuration data for

secure (remote) management via HTTPS.

https://<IP address or device name>

For maximum security, please ensure to have installed the latest ver-

sion of your Internet browser. For Windows 2000, LANCOM Systems

recommends to use the “High Encryption Pack” or at least Internet

Explorer 5.5 with Service Pack 2 or above.

3.2.3 Configuration using Telnet

Start configuration using Telnet, e.g. from the Windows command line with

the command:

C:\>telnet 10.0.0.1

Telnet will then establish a connection with the device using the IP address.

After entering the password (if you have set one to protect the configuration),

all configuration commands are available.

Change the language of the display.

The terminal can be set to English and German modes. The display language

of your LANCOM is set to English at the factory. In the remaining documen-

tation, all configuration commands will be provided in English. To change the

display language to German, use the following commands:

Configuration tool Run (when English is the selected language)

WEBconfig

Telnet

Expert configuration ̈ Setup ̈ Config-module ̈ Language

set /Setup/Config module/Language German

TFTP

Certain functions cannot be run at all, or not satisfactorily, with Telnet. These

include all functions in which entire files are transferred, for example the

uploading of firmware or the saving and restoration of configuration data. In

this case TFTP is used.

TFTP is available by default under the Windows 2000 and Windows NT oper-

ating systems. It permits the simple transfer of files with other devices across

the network.

Download from Www.Somanuals.com. All Manuals Search And Download.

LANCOM Reference Manual LCOS 3.50

̈ Chapter 3: Configuration and management

The syntax of the TFTP call is dependent on the operating system. With Win-

dows 2000 and Windows NT the syntax is:

tftp -i <IP address Host> [get|put] source [target]

With numerous TFTP clients the ASCII format is preset. Therefore, for

the transfer of binary data (e.g. firmware) the binary transfer must

usually be explicitly selected.This example for Windows 2000 and

Windows NT shows you how to achieve this by using the '-i' param-

eter.

3.2.4 Configuration using SNMP

The Simple Network Management Protocol (SNMP V.1 as specified in RFC

1157) allows monitoring and configuration of the devices on a network from

a single central instance.

There are a number of configuration and management programs that run via

SNMP. Commercial examples are Tivoli, OpenView from Hewlett-Packard,

SunNet Manager and CiscoWorks. In addition, numerous programs also exist

as freeware and shareware.

Your LANCOM can export a so-called device MIB file (Management Informa-

tion Base) for use in SNMP programs.

Configuration tool Run

WEBconfig

TFTP

Get Device SNMP MIB (in main menu)

tftp 10.0.0.1 get readmib file1

3.3 Remote configuration via Dial-Up Network

The complete section on remote configuration applies only to

LANCOM with ISDN interface.

Configuring routers at remote sites is particularly easy using the remote con-

figuration method via a Dial-Up Network from Windows. The device is acces-

sible by the administrator immediately without any settings being made after

it is switched on and connected to the WAN interface. This means that you

save a lot of time and costs when connecting other networks to your network

because you do not have to travel to the other network or instruct the staff

on-site on configuring the router.

Download from Www.Somanuals.com. All Manuals Search And Download.

̈ Chapter 3: Configuration and management

LANCOM Reference Manual LCOS 3.50

You can also reserve a special calling number for remote configuration. Then

the support technician can always access the router even if it is really no

longer accessible due to incorrect settings.

3.3.1 This is what you need for ISDN remote configuration

̈ An LANCOM with an ISDN connection

̈ A computer with a PPP client, e.g. Windows Dial-Up Network

̈ A program for inband configuration, e.g. LANconfig or Telnet

̈ A configuration PC with an ISDN card or access via LANCAPI to an

LANCOM with ISDN access.

3.3.2 The first remote connection using Dial-Up Networking

ቢ In the LANconfig program select Device / New, enable 'Dial-Up connec-

tion' as the connection type and enter the calling number of the WAN

interface to which the LANCOM is connected. If you wish, you can also

enter the time period after which an idle connection is to be disconnected

automatically.

ባ LANconfig now automatically generates a new entry in the Dial-Up Net-

work. Select a device that supports PPP (e.g. the NDIS-WAN driver

included with the LANCAPI) for the connection and press OK to confirm.

ቤ Then the LANconfig program will display a new device with the name

'Unknown' and the dial-up call number as the address in the device list.

When an entry in the device list is deleted, the related connection in

the Windows Dial-Up Network is also deleted.

ብ You can configure the device remotely just like all other devices.

LANconfig establishes a dial-up connection enabling you to select a con-

figuration.

3.3.3 The first remote connection using a PPP client and Telnet

ቢ Establish a connection to the LANCOM with your PPP client using the fol-

lowing details:

୴ User name 'ADMIN'

୴ The password selected in LANCOM

୴ An IP address for the connection, only if required

Download from Www.Somanuals.com. All Manuals Search And Download.

LANCOM Reference Manual LCOS 3.50

̈ Chapter 3: Configuration and management

ባ Open a Telnet session to the LANCOM. Use the following IP address for

this purpose:

୴ '172.17.17.18', if you have not defined an IP address for the PPP cli-

ent. The LANCOM automatically uses this address if no other address

has been defined. The PC making the call will respond to the IP

'172.17.17.17'.

୴ Raise the IP address of the PC by one, if you have defined an address.

Example: You have set the IP '10.0.200.123' for the PPP client, the

LANCOM then responds to '10.0.200.124'. Exception: If the digits

'254' are at the end of the IP address, the router responds to 'x.x.x.1'.

ቤ You can configure the LANCOM remotely just like all other devices.

The default layer for remote field installations

The PPP connection of any other remote site to the router, of course, will only

succeed if the device answers every call with the corresponding PPP settings.

This is the case using the factory default settings because the default protocol

(default layer) is set to PPP.

You may, however, want to change the default layer for LAN-to-LAN connec-

tions, for example, to a different protocol after the first configuration run.

Then the device will no longer take calls on the dial-up connection using the

PPP settings. The solution to this is to agree upon a special calling number for

configuration access:

The administrator access for ISDN remote management

If the device receives a call on this number, it will always use PPP, regardless

of any other settings made on the router. Only a specific user name which is

automatically entered by the LANconfig program during call establishment

will be accepted during the PPP negotiations:

Download from Www.Somanuals.com. All Manuals Search And Download.

̈ Chapter 3: Configuration and management

LANCOM Reference Manual LCOS 3.50

ቢ Switch to the 'Security' tab in the 'Management' configuration section.

ባ Enter a number at your location which is not being used for other pur-

poses in the 'Configuration access' area.

Alternatively, enter the following command:

set /setup/config-module/Farconfig 123456

Always provide additional protection for the settings of the device by

setting a password. Alternatively, enter the following command dur-

ing a Telnet or terminal connection:

passwd

You will then be prompted to enter and confirm a new password.

3.4 LANmonitor—know what's happening

The LANmonitor includes a monitoring tool with which you can view the most

important information on the status of your routers on your monitor at any

Download from Www.Somanuals.com. All Manuals Search And Download.

LANCOM Reference Manual LCOS 3.50

̈ Chapter 3: Configuration and management

time under Windows operating systems—of all of the LANCOM routers in the

network.

Many of the internal messages generated by the devices are converted to

plain text, thereby helping you to troubleshoot.

You can also use LANmonitor to monitor the traffic on the router's various

interfaces to collect important information on the settings you can use to opti-

mize data traffic.

In addition to the device statistics that can also be read out during a Telnet or

terminal session or using WEBconfig, a variety of other useful functions are

also available in the LANmonitor, such as the enabling of an additional charge

limit.

With LANmonitor you can only monitor those devices that you can

access via IP (local or remote). With this program you cannot access a

router via the serial interface.

3.4.1 Extended display options

Under View / Show Details you can activate and deactivate the following

display options:

̈ Error messages

̈ Diagnostic messages

̈ System information

Many important details on the status of the LANCOM are not dis-

played until the display of the system information is activated. These

include, for example, the ports and the charge management.There-

fore, we recommend that interested users activate the display of the

system information.

3.4.2 Monitor Internet connection

To demonstrate the functions of LANmonitor we will first show you the types

of information LANmonitor provides about connections being established to

your Internet provider.

ቢ To start LANmonitor, go to Start ̈ Programs ̈ LANCOM ̈

LANmonitor. Use Device ̈ New to set up a new device and in the fol-

lowing window, enter the IP address of the router that you would like to

Download from Www.Somanuals.com. All Manuals Search And Download.

̈ Chapter 3: Configuration and management

LANCOM Reference Manual LCOS 3.50

monitor. If the configuration of the device is protected by password, enter

the password too.

Alternatively, you can select the device via the LANconfig and monitor it

using Tools / Monitor Device.

ባ LANmonitor automatically creates a new entry in the device list and ini-

tially displays the status of the transfer channels. Start your Web browser

and enter any web page you like. LANmonitor now shows a connection

being established on one channel and the name of the remote site being

called. As soon as the connection is established, a plus sign against the

communication channel entry indicates that further information on this

channel is available. Click on the plus sign or double-click such entry to

open a tree structure in which you can view various information.

In this example, you can determine from the PPP protocol information the

IP address assigned to your router by the provider for the duration of the

connection and the addresses transmitted for the DNS and NBNS server.

Under the general information you can watch the transmission rates at

which data is currently being exchanged with the Internet.

ቤ To break the connection manually, click on the active channel with the

right mouse button. You may be required to enter a configuration pass-

word.

ብ If you would like a log of the LANmonitor output in file form, select

Device ̈ Properties and go to the 'Logging' tab. Enable logging and

Download from Www.Somanuals.com. All Manuals Search And Download.

LANCOM Reference Manual LCOS 3.50

̈ Chapter 3: Configuration and management

specify whether LANmonitor should create a log file daily, monthly, or on

an ongoing basis.

3.5 Trace information—for advanced users

Trace outputs may be used to monitor the internal processes in the router dur-

ing or after configuration. One such trace can be used to display the individual

steps involved in negotiating the PPP. Experienced users may interpret these

outputs to trace any errors occurring in the establishment of a connection. A

particular advantage of this is: The errors being tracked may stem from the

configuration of your own router or that of the remote site.

The trace outputs are slightly delayed behind the actual event, but are

always in the correct sequence. This will not usually hamper interpre-

tation of the displays but should be taken into consideration if making

precise analyses.

3.5.1 How to start a trace

Trace output can be started in a Telnet session, for example. The command to

call up a trace follows this syntax:

trace [code] [parameters]

The trace command, the code, the parameters and the combination com-

mands are all separated from each other by spaces. And what is the meaning

of these codes and parameters?

Download from Www.Somanuals.com. All Manuals Search And Download.

̈ Chapter 3: Configuration and management

LANCOM Reference Manual LCOS 3.50

3.5.2 Overview of the keys

This code...

... in combination with the trace causes the following:

displays a help text

switches on a trace output

switches off a trace output

switches between different trace outputs (toggle)

displays the current status of the trace

no code

3.5.3 Overview of the parameters

The available traces depend individually on the particular model and

can be listed by entering tracewith no arguments on the com-

mand line.

This parameter...

... brings up the following display for the trace:

status messages for the connection

error messages for the connection

LANCOM protocol negotiation

IPX routing

Status

Error

LANCOM

IPX-router

PPP

PPP protocol negotiation

SAP

IPX Service Advertising Protocol

IPX watchdog spoofing

IPX-watchdog

SPX-watchdog

LCR

SPX watchdog spoofing

Least-Cost Router

Script

script processing

RIP

IPX Routing Information Protocol

IP routing

IP-router

IP-RIP

IP Routing Information Protocol

Address Resolution Protocol

Internet Control Message Protocol

processes in the masquerading module

Dynamic Host Configuration Protocol

ARP

ICMP

IP masquerading

DHCP

Download from Www.Somanuals.com. All Manuals Search And Download.

LANCOM Reference Manual LCOS 3.50

̈ Chapter 3: Configuration and management

This parameter...

NetBIOS

... brings up the following display for the trace:

NetBIOS management

DNS

Domain Name Service Protocol

Packet dump

D-channel-dump

ATM

display of the first 64 bytes of a package in hexadecimal form

trace on the D channel of the connected ISDN bus

spoofing at the ATM packet level

ADSL

ADSL connections status

VPN-Status

VPN-Packet

SMTP-Client

SNTP

IPSec and IKE negotiation

IPSec and IKE packets

E-Mail processing of the integrated mail client

Simple Network Time Protocol information

3.5.4 Combination commands

This combination

command...

... brings up the following display for the trace:

All

all trace outputs

Display

Protocol

TCP-IP

IPX-SPX

Time

status and error outputs

LANCOM and PPP outputs

IP-Rt., IP-RIP, ICMP and ARP outputs

IPX-Rt., RIP, SAP, IPX-Wd., SPX-Wd., and NetBIOS outputs

displays the system time in front of the actual trace output

Source

includes a display of the protocol that has initiated the output in

front of the trace

Any appended parameters are processed from left to right. This means that it

is possible to call a parameter and then restrict it.

Download from Www.Somanuals.com. All Manuals Search And Download.

̈ Chapter 3: Configuration and management

LANCOM Reference Manual LCOS 3.50

3.5.5 Examples

This code...

... in combination with the trace causes the following:

trace

displays all protocols that can generate outputs during the config-

uration, and the status of each output (ON or OFF)

trace + all

switches on all trace outputs

trace + protocol dis-

play

switches on the output for all connection protocols together with

the status and error messages

trace + all - icmp

switches on all trace outputs with the exception of the ICMP proto-

col

trace ppp

displays the status of the PPP

trace # ipx-rt display

toggles between the trace outputs for the IPX router and the dis-

play outputs

trace - time

switches off the system time output before the actual trace output

3.6 Working with configuration files

The current configuration of an LANCOM can be saved as a file and reloaded

in the device (or in another device of the same type) if necessary.

Additionally, configuration files can be generated and edited offline for any

LANCOM device, firmware option and software version:

Backup copies of configuration

With this function you can create backup copies of the configuration of your

LANCOM. Should your LANCOM (e.g. due to a defect) lose its configuration

data, you simply reload the backup copy.

Download from Www.Somanuals.com. All Manuals Search And Download.

LANCOM Reference Manual LCOS 3.50

̈ Chapter 3: Configuration and management

Convenient series configuration

However, even when you are faced with the task of configuring several

LANCOM of the same type, you will come to appreciate the function for saving

and restoring configurations. In this case you can save a great deal of work

by first importing identical parameters as a basic configuration and then only

making individual settings to the separate devices.

Running function

Configuration tool Run

LANconfig

Edit ̈ Save Configuration to File

Edit ̈ Restore Configuration from File

Edit ̈ New Configuration File

Edit ̈ Edit Configuration File

Edit ̈ Print Configuration File

WEBconfig

TFTP

Save Configuration ̈ Load Configuration (in main menu)

tftp 10.0.0.1 get readconfig file1 tftp

10.0.0.1 put file1 writeconfig

3.7 New firmware with LANCOM FirmSafe

The software for devices from LANCOM is constantly being further developed.

We have fitted the devices with a flash ROM which makes child's play of

updating the operating software so that you can enjoy the benefits of new

features and functions. No need to change the EPROM, no need to open up

the case: simply load the new release and you're away.

3.7.1 This is how LANCOM FirmSafe works

LANCOM FirmSafe makes the installation of the new software safe: The used

firmware is not simply overwritten but saved additionally in the device as a

second firmware.

Of the two firmware versions saved in the device only one can ever be active.

When loading a new firmware version the active firmware version is not over-

written. You can decide which firmware will be activated after the upload:

̈ 'Immediate': The first option is to load the new firmware and activate it

immediately. The following situations can result:

୴ The new firmware is loaded successfully and works as desired. Then

all is well.

Download from Www.Somanuals.com. All Manuals Search And Download.

̈ Chapter 3: Configuration and management

LANCOM Reference Manual LCOS 3.50

୴ The device no longer responds after loading the new firmware. If an

error occurs during the upload, the device automatically reactivates

the previous firmware version and reboots the device.

̈ 'Login': To avoid problems with faulty uploads there is the second option

with which the firmware is uploaded and also immediately booted.

୴ In contrast to the first option, the device will wait for five minutes until

it has successfully logged on. Only if this login attempt is successful

does the new firmware remain active permanently.

୴ If the device no longer responds and it is therefore impossible to log

in, it automatically loads the previous firmware version and reboots

the device with it.

̈ 'Manual': With the third option you can define a time period during which

you want to test the new firmware yourself. The device will start with the

new firmware and wait for the preset period until the loaded firmware is

manually activated and therefore becomes permanently effective.

3.7.2 How to load new software

There are various ways of carrying out a firmware upload, all of which produce

the same result:

̈ LANconfig

̈ WEBconfig

̈ Terminal program

̈ TFTP

All settings will remain unchanged by a firmware upload. All the same you

should save the configuration first for safety's sake (with Edit ̈ Save Con-

figuration to File if using LANconfig, for example).

If the newly installed release contains parameters which are not present in the

device's current firmware, the device will add the missing values using the

default settings.

LANconfig

When using LANconfig, highlight the desired device in the selection list and

click on Edit ̈ Firmware Management ̈ Upload New Firmware, or

click directly on the Firmware Upload button. Then select the directory in

which the new version is located and mark the corresponding file.

Download from Www.Somanuals.com. All Manuals Search And Download.

LANCOM Reference Manual LCOS 3.50

̈ Chapter 3: Configuration and management

LANconfig then tells you the version number and the date of the firmware in

the description and offers to upload the file. The firmware you already have

installed will be replaced by the selected release by clicking Open.

You also have to decide whether the firmware should be permanently acti-

vated immediately after loading or set a testing period during which you will

activate the firmware yourself. To activate the firmware during the set test

period, click on Edit ̈ Firmware Management . After upload, start the

new firmware in test mode.

WEBconfig

Start WEBconfig in your web browser. On the starting page, follow the Per-

form a Firmware Upload link. In the next window you can browse the folder

system to find the firmware file and click Start Upload to start the installa-

tion.

Terminal program (e.g. Telix or Hyperterminal in Windows)

If using a terminal program, you should first select the 'set mode-firmsafe'

command on the 'Firmware' menu and select the mode in which you want the

new firmware to be loaded (immediately, login or manually). If desired, you

can also set the time period of the firmware test under 'set Timeout-firmsafe'.

Select the 'Firmware-upload' command to prepare the router to receive the

upload. Now begin the upload procedure from your terminal program:

̈ If you are using Telix, click on the Upload button, specify 'XModem' for

the transfer and select the desired file for the upload.

̈ If you are using Hyperterminal, click on Transfer ̈ Send File, select the

file, specify 'XModem' as the protocol and start the transfer with OK.

TFTP

TFTP can be used to install new firmware on LANCOM. This can be done with

the command (or target) writeflash. For example, to install new firmware in

a LANCOM with the IP address 10.0.0.1, enter the following command under

Windows 2000 or Windows NT:

tftp -i 10.0.0.1 put Lc_16xxu.282 writeflash

3.8 Command line interface

The LANCOM command line interface is always structured as follows:

Download from Www.Somanuals.com. All Manuals Search And Download.

̈ Chapter 3: Configuration and management

LANCOM Reference Manual LCOS 3.50

̈ Status

Contains all read-only statistics of the individual SW modules

̈ Setup

Contains all configurable parameters of all SW modules of the device

̈ Firmware

Contains all firmware-management relevant actions and tables

̈ Other

Contains dialling, boot, reset and upload actions

3.8.1 Command line reference

Navigating the command line can be accomplished by DOS and UNIX style

commands as follows:

Command

cd <directory>

Description

Change the current directory. Certain abbreviations exists,

e.g. ”cd ../..” can be abbreviated to ”cd ...” etc.

del <name>

rm <name>

Delete the table entry with the index <name>

dir [<directory>]

list[<directory>]

ls [<directory>]

ll [<directory>]

Display the contents of a directory

do <name> [<parameters>]

Execute the action <name> in the current directory.

Parameters can be specified

exit/quit/x

Close the console session

feature <code>

passwd

Unlock the feature with the specified feature code

change password

ping [IP address]

readconfig

Issues an ICMP echo request to the specified IP address

Displays the complete configuration of the device in

”readconfig” syntax

readmib

display SNMP Management Information Base

repeat <VALUE> <command>

repeats command every VALUE seconds until terminated

by new input

stop

stop ping

set <name> <value(s)>

Set a configuration item to the specified value. If the item

is a table entry, multiple values must be given (one for

each table column). A ”*” as a value indicates that the

column in question should be left at its previous value.

Download from Www.Somanuals.com. All Manuals Search And Download.

LANCOM Reference Manual LCOS 3.50

̈ Chapter 3: Configuration and management

Command

Description

set [<name>] ?

Show which values are allowed for a configuration item. If

<name> is empty, this is displayed for each item in the

current directory.

show <options>

Shows internal data. Run show ? for a list of available

items, e.g. boot history, firewall filter rules, vpn rules and

memory usage

sysinfo

Shows basic system information

trace […]

Configures the trace output system for several modules,

see ’How to start a trace’ →page 26

writeconfig

writeflash

Accept a new configuration in ”readconfig” syntax. All

subsequent lines are interpreted as configuration values

until two blank lines in a row are encountered

load new firmware via TFTP

̈ All commands and directory/item names may be abbreviated as long as

no ambiguity exists. For example, it is valid to shorten the ”sysinfo”

command to ”sys” or a ”cd Management” to ”c ma”. Not allowed

would be ”cd /s”, since that could mean either ”cd /Setup” or

”cd /Status”.

̈ Names with blanks in them must be enclosed in double quotes.

̈ Additionally, there is a command-specific help function available by call-

ing functions with a question mark as the argument, i.e. entering “ping

?” displays the options for the built-in PING command.

̈ A complete listing of available commands for a particular device is avail-

able by entering ’?’ from the command line.

3.9 Scheduled Events

Regular Execution of Commands

This feature is intended to allow the device to execute predefined commands

in a telnet-like environment, at times defined by the user. The functionality is

equivalent to the UNIX cron service. Subject of execution can be any

LANCOM command line command. Therefore, the full feature set of all

LANCOM devices can be controlled by this facility.

Application examples include:

̈ scheduled connections

̈ time-dependant firewall rules

Download from Www.Somanuals.com. All Manuals Search And Download.

̈ Chapter 3: Configuration and management

LANCOM Reference Manual LCOS 3.50

̈ regular firmware or configuration updates

Configuration Tool

WEBconfig

Run

Expert-Configuration ̈ Config-module ̈ Cron-table

Terminal/Telnet

setup/config-module/cron-table

The data is stored in a table with the following layout:

Entry

Index

Description

Unambiguously identifies this entry in the table

Base

The Basefield rules whether the time check is done against the device's

operation time or the real time. Rules based on real time are only executed if

the device has acquired the current time, e.g. via NTP. For real-time based

rules, all four columns have a meaning, while operation-time based rules

only take the minute/hour fields into account.

Minute

Hour

The entries Minuteto Monthform a mask that lets the user define at

which times a command will be executed. Entries in the mask field may be

DayOfWeek blank to mark that the respective component shall not be part of the com-

Day

Month

pare operation; otherwise, a field may contain a list of comma-separated

items that may either be a single number or a number range, given as mini-

mum and maximum concatenated with a hyphen.

For the DayOfWeek field, the usual cron interpretation applies:

Sunday

Monday

Tuesday

Wednesday

Thursday

Friday

Saturday

Command

The command itself may be a list of command line commands, separated by

semicolons.

For example, the entry given below would connect the device each weekday

at 6 PM with a remote site ’HEADQUARTERS’

Base

Realtime

Minute

Hour

DayOfWeek 1,2,3,4,5,

Day

Month

Command

do /o/man/con HEADQUARTERS

Download from Www.Somanuals.com. All Manuals Search And Download.

LANCOM Reference Manual LCOS 3.50

̈ Chapter 3: Configuration and management

Time-controlled rules will not necessarily be executed at precisely zero

seconds of real time, but at some indeterminate point of time in the

minute in question.

Download from Www.Somanuals.com. All Manuals Search And Download.

̈ Chapter 4: Management

LANCOM Reference Manual LCOS 3.50

4 Management

4.1 N:N mapping

Network Address Translation (NAT) can be used for several different matters:

̈ for better utilizing the IP4 addresses ever becoming scarcer

̈ for coupling of networks with same (private) address ranges

̈ for producing unique addresses for network management

In the first application the so-called N:1 NAT, also known as IP masquerading

(’The hiding place—IP masquerading (NAT, PAT)’ →page 74) is used. All

addresses (“N”) of the local network are mapped to only one (“1”) public

address. This clear assignment of data streams to the respective internal PCs

is generally made available by the ports of the TCP and UDP protocols. That’s

why this is also called NAT/PAT (Network Address Translation/Port Address

Translation).

Due to the dynamic assignment of ports, N:1 masquerading enables only

those connections, which have been initiated by the internal network. Excep-

tion: an internal IP address is staticly exposed on a certain port, e.g. to make

a LAN server accessible from the outside. This process is called “inverse mas-

querading” (’Inverse masquerading’ →page 78).

A N:N mapping is used for network couplings with identical address ranges.

This transforms unambiguously multiple addresses (“N”) of the local network

to multiple (“N”) addresses of another network. Thereby, an address conflict

can be resolved.

Rules for this address translation are defined in a static table in the LANCOM.

Thereby new addresses are assigned to single stations, parts of the network,

or the entire LAN, by which the stations can contact other networks then.

Some protocols (FTP, H.323) exchange parameters during their protocol nego-

tiation, which can have influence on the address translation for the N:N map-

ping. For a correct functioning of the address translation, the connection

information of these protocols are tracked appropriately by functions of the

firewall in a dynamic table, and are additionally considered to the entries of

the static table.

The address translation is made “outbound”, i.e. the source address is

translated for outgoing data packets and the destination address for

incoming data packets, as long as the addresses are located within

Download from Www.Somanuals.com. All Manuals Search And Download.

LANCOM Reference Manual LCOS 3.50

̈ Chapter 4: Management

the defined translation range. An “inbound” address mapping, whe-

reby the source address is translated (instead of the destination

address), needs to be realized by an appropriate “outbound” address

translation on the remote side.

4.1.1 Application examples

The following typical applications are described in this section:

̈ Coupling of private networks utilizing the same address range

̈ Central remote monitoring by service providers

Network coupling

An often appearing scenario is the coupling of two company networks which

internally use the same address range (e. g. 10.0.0.x). This is often the case,

when one company should get access to one (or more) server(s) of the other

one:

Network of firm A:

Network of firm B:

10.0.0.x

N:N mapping to 192.168.2.x

N:N mapping to 192.168.1.x

Gateway

VPN tunnel

Target: 192.168.2.1

Server_A1: 10.0.0.1

Server_A2: 10.0.0.2

Server_B1: 10.0.0.1

Server_B2: 10.0.0.2

In this example network servers of company A and B should have access over

a VPN tunnel to the respective other network. All stations of the LAN should

have access to the server of the remote network. For the time being, there is

no access possible to the other network, because both networks use the same

address range. If one station of the network of company A wants to access

server 1 of company B, the addressee (with an address from the 10.0.0.x net-

work) will be searched within the own local network, and the inquiry even

does not reach the gateway.

Download from Www.Somanuals.com. All Manuals Search And Download.

̈ Chapter 4: Management

LANCOM Reference Manual LCOS 3.50

With the help of N:N mapping, all addresses of the LAN can be translated to

a new address range for the coupling with the other network. The network of

company A e. g. will be translated to 192.168.1.x, the network of company B

to 192.168.2.x. Under these new addresses the two LANs are now reachable

for the respective other network. The station from the network of company A

is now addressing server 1 of company B under the address 192.168.2.1. The

addressee does not reside anymore within the own network, the inquiry is

now passed on to the gateway, and the routing to the other network is wor-

king as desired.

Remote monitoring and remote control of networks

Remote maintenance and control of networks become more and more impor-

tance because of the possibilities given by VPN. With the use of the nearly ubi-

quitous broadband Internet connections, the administrator of such

management scenarios is no longer dependent of the different data commu-

nication technologies or expensive leased lines.

Download from Www.Somanuals.com. All Manuals Search And Download.

LANCOM Reference Manual LCOS 3.50

̈ Chapter 4: Management

Customer B, office 1:

Gateway, e.g. Customer A, office 1:

10.1.2.1

10.1.2.x, 255.255.255.0

Customer B, headquarters:

10.1.x.x, 255.255.0.0

Gateway

Customer A, headquarters:

10.1.x.x, 255.255.0.0

VPN tunnel

Customer B, office 2:

10.1.3.x, 255.255.255.0

Customer A, office 2:

10.1.3.x, 255.255.255.0

Hot Spot, e.g.

172.16.10.11

Internet

Customer D:

172.16.10.x,

255.255.255.0

Gateway

Customer C:

Gateway, e.g.

172.16.10.x, 255.255.255.0

80.123.123.123 (public)

and 172.16.10.11 (intern)

Service provider:

172.16.10.x,

255.255.255.0

In this example, a service provider monitors the networks of different clients

out of a central control. For this purpose, the SNMP-capable devices should

send the respective traps of important events automatically to the SNMP trap

addressee (e. g. LANmonitor) of the network of the service provider. So the

LAN administrator of the service provider has an up-to-date view of the state

of the devices at any time.

The individual networks can be structured very differently: Clients A and B

integrate their branches with own networks via VPN connections to their LAN,

client C operates a network with several public WLAN base stations as hot

spots, and client D has got an additional router for ISDN dial-up accesses in

his LAN.

Download from Www.Somanuals.com. All Manuals Search And Download.

̈ Chapter 4: Management

LANCOM Reference Manual LCOS 3.50

The networks of client A and B use different address ranges in the

respective head office and the connected branches. A standard net-

work coupling via VPN is therefore possible between these networks.

In order to avoid the effort to building up its own VPN tunnel to each indivi-

dual subnetwork of the clients A and B, the service provider makes only one

VPN connection to the head office, and uses the existing VPN lines between

head office and branches for communication with the branches.

Traps from the networks report to the service provider whether e. g. a VPN

tunnel has been build up or cut, if an user has been tried to log in three times

with a wrong password, if an user has been applied for a hot spot, or if some-

where a LAN cable has been pulled out of a switch.

A complete list of all SNMP traps supported by LANCOM can be found

in the appendix of this reference manual (’SNMP traps’ →page 287).

Routing of these different networks reaches very fast its limiting factors, if two

or more clients use same address ranges. Additionally, if some clients use the

same address range as the service provider as well, further address conflicts

are added. In this example, one of the hot spots of client C has got the same

address as the gateway of the service provider.

There are two different variants to resolve these address conflicts:

Loopback:

decentralized

1:1 mapping

̈ In the decentralized variant, alternative IP addresses for communicating

with the SNMP addressee are assigned to each of the monitored devices

by means of an 1:1 mapping. This address is in technical language also

known as “loopback address”, the method accordingly as “loopback

method”.

The loopback addresses are valid only for communication with certain

remote stations on the connections belonging to them. Thus a

LANCOM is not generally accessible via this IP address.

Alternative:

central

N:N mapping

̈ Even more appealing is the solution of a central mapping: instead of con-

figuring each single gateway in the branch networks, the administrator

configures solely one central address translation in the gateway of the

head office. On this occasion, also all subnetworks located “behind” the

head office are supplied with the needed new IP addresses.

In this example, the administrator of the service provider selects 10.2.x.x as

central address translation for the network of client B, so that both networks

Download from Www.Somanuals.com. All Manuals Search And Download.

LANCOM Reference Manual LCOS 3.50

̈ Chapter 4: Management

with actual same address range looks like two different networks for the gate-

way of the service provider.

The administrator selects the address ranges 192.168.2.x and 192.168.3.x for

client C and D, so that the addresses of these networks do differ from the own

network of the service provider.

In order to enable the gateway of the provider to monitor the networks of cli-

ents C and D, the administrator sets up an address translation to 192.168.1.x

also for the own network.

4.1.2 Configuration

Setting up address translation

Configuration of N:N mapping succeeds with only few information. Since a

LAN can be coupled with several other networks via N:N, different destinati-

ons can have also different address translations for a source IP range. The NAT

table can contain 64 entries at maximum, including the following information:

̈ Index: Unambiguous index of the entry.

̈ Source address: IP address of the workstation or network that should

get an alternative IP address.

̈ Source mask: Netmask of source range.

̈ Remote station: Name of the remote station over that the remote net-

work is reachable.

̈ New network address: IP address or address range that should be used

for the translation.

For the new network address, the same netmask will be used as the source

address already uses. For assignment of source and mapping addresses the

following hints apply:

̈ Source and mapping can be assigned arbitrarily for the translation of sin-

gle addresses. Thus, for example, it is possible to assign the mapping

address 192.168.1.88 to a LAN server with the IP address 10.1.1.99.

̈ For translation of entire address ranges, the station-related part of the IP

address will be taken directly, only appended to the network-related part

of the mapping address. Therefore, in an assignment of 10.0.0.0/

255.255.255.0 to 192.168.1.0, a server of the LAN with IP address

10.1.1.99 will get assigned the mapping address 192.168.1.99.

Download from Www.Somanuals.com. All Manuals Search And Download.

̈ Chapter 4: Management

LANCOM Reference Manual LCOS 3.50

The address range for translation must be at minimum as large as the

source address range.

Please notice that the N:N mapping functions are only effective when

the firewall has been activated. (’Firewall/QoS enabled’ →page 121)!

Additional configuration hints

By setting up address translation in the NAT table, the networks and worksta-

tions become only visible under another address at first in the higher network

compound. But for a seamless routing of data between the networks some

further settings are still necessary:

̈ Entries in the routing tables for packets with new addresses to find the

way to their destination.

̈ DNS forwarding entries, in order that inquiries about certain devices in the

respective other networks can be resolved into mapped IP addresses

(’DNS forwarding’ →page 279).

̈ The firewall rules of the gateways must be adjusted such that (if neces-

sary) authorized stations resp. networks from the outside are permitted to

set up connections.

̈ VPN rules for loopback addresses in order to transmit the newly assigned

IP addresses through an according VPN tunnel.

The IP address translation takes place in the LANCOM between fire-

wall and IP router on one hand, and the VPN module on the other

hand. All rules related to the own network use therefore the “unmap-

Download from Www.Somanuals.com. All Manuals Search And Download.

LANCOM Reference Manual LCOS 3.50

̈ Chapter 4: Management

ped” original addresses. The entries of the remote network use the

“mapped” addresses of the remote side, valid on the VPN connection.

Target address

Source address

WAN interface,

e.g. ISDN

LAN

Firewall / IDS / DoS

WAN interface,

e.g. ADSL

IP router

WLAN

DMZ

WAN interface,

e.g. Ethernet

Configuration with different tools

LANconfig

With LANconfig you adjust the address translation for the configuration range

’IP router’ on register card 'N:N-Mapping':

Download from Www.Somanuals.com. All Manuals Search And Download.

̈ Chapter 4: Management

LANCOM Reference Manual LCOS 3.50

WEBconfig, Telnet

Under WEBconfig and Telnet you find the NAT table for configuration of N:N

mapping at the following positions of the menu tree:

Configuration tool Run

WEBconfig

Expert configuration / Setup / IP router / NAT table

Setup / IP router module / NAT table

Terminal/Telnet

When starting a new entry under WEBconfig, the NAT table shows up as fol-

lows:

4.1.3

Download from Www.Somanuals.com. All Manuals Search And Download.

LANCOM Reference Manual LCOS 3.50

̈ Chapter 5: Diagnosis