Lancom Systems LCOS 3.50 User Manual

Reference Manual
LANCOM LCOS 3.50
© 2004 LANCOM Systems GmbH, Wuerselen (Germany)
While the information in this manual has been compiled with great care, it may not be deemed an assurance of product characteristics. LANCOM shall be liable only to the degree specified in the terms of sale and delivery.
The reproduction and distribution of the documentation and software supplied with this product and the use of its contents is subject to written authorization from LANCOM. We reserve the right to make any alterations that arise as the result of technical development.
Windows®, Windows NT® and Microsoft® are registered trademarks of Microsoft, Corp.
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit http://www.openssl.org/
The LANCOM logo and the name LANCOM are registered trademarks of LANCOM Systems GmbH. All other names mentioned may be trademarks or registered trademarks of their respective owners.
Subject to change without notice. No liability for technical errors or omissions.
LANCOM Systems GmbH Adenauerstrasse 20 / B2
D-52146 Würselen
Germany
www.lancom.de
Wuerselen, August 2004
Contents
1 Preface 10
2 System design 13
3 Configuration and management 15
3.1 Configuration tools and approaches 15
3.2 Configuration software 16
3.2.1 Configuration using LANconfig 16
3.2.2 Configuration with WEBconfig 18
3.2.3 Configuration using Telnet 19
3.2.4 Configuration using SNMP 20
3.3 Remote configuration via Dial-Up Network 20
3.3.1 This is what you need for ISDN remote configuration 21
3.3.2 The first remote connection using Dial-Up Networking 21
3.3.3 The first remote connection using a PPP client and Telnet 21
3.4 LANmonitor—know what's happening 23
3.4.1 Extended display options 24
3.4.2 Monitor Internet connection 24
3.5 Trace information—for advanced users 26
3.5.1 How to start a trace 26
3.5.2 Overview of the keys 27
3.5.3 Overview of the parameters 27
3.5.4 Combination commands 28
3.5.5 Examples 29
3.6 Working with configuration files 29
3.7 New firmware with LANCOM FirmSafe 30
3.7.1 This is how LANCOM FirmSafe works 30
3.7.2 How to load new software 31
3.8 Command line interface 32
3.8.1 Command line reference 33
3.9 Scheduled Events 34
4 Management 37
4.1 N:N mapping 37
4.1.1 Application examples 38
4.1.2 Configuration 42
4.1.3 45
5 Diagnosis 46
5.1 LANmonitor—know what's happening 46
5.1.1 Extended display options 46
5.1.2 Monitor Internet connection 47
5.2 Trace information—for advanced users 48
5.2.1 How to start a trace 48
5.2.2 Overview of the keys 49
5.2.3 Overview of the parameters 49
5.2.4 Combination commands 50
5.2.5 Examples 51
6 Security 52
6.1 Protection for the configuration 52
6.1.1 Password protection 52
6.1.2 Login barring 54
6.1.3 Restriction of the access rights on the configuration 55
6.2 Protecting the ISDN connection 58
6.2.1 Identification control 58
6.2.2 Callback 60
6.3 The security checklist 61
7 Routing and WAN connections 64
7.1 General information on WAN connections 64
7.1.1 Bridges for standard protocols 64
7.1.2 What happens in the case of a request from the LAN? 64
7.2 IP routing 66
7.2.1 The IP routing table 66
7.2.2 Local routing 68
7.2.3 Dynamic routing with IP RIP 69
7.2.4 SYN/ACK speedup 73
7.3 The hiding place—IP masquerading (NAT, PAT) 74
7.3.1 Simple masquerading 74
7.3.2 Inverse masquerading 78
7.3.3 Unmasked Internet access for server in the DMZ 79
7.4 N:N mapping 80
7.4.1 Application examples 81
7.4.2 Configuration 85
7.5 Configuration of remote stations 89
7.5.1 Name list 89
7.5.2 Layer list 90
7.6 Establishing connection with PPP 91
7.6.1 The protocol 92
7.6.2 Everything o.k.? Checking the line with LCP 94
7.6.3 Assignment of IP addresses via PPP 94
7.6.4 Settings in the PPP list 96
7.7 Extended connection for flat rates—Keep-alive 97
7.8 Callback functions 98
7.8.1 Callback for Microsoft CBCP 98
7.8.2 Fast callback using the LANCOM process 99
7.8.3 Callback with RFC 1570 (PPP LCP extensions) 100
7.8.4 Overview of configuration of callback function 100
7.9 Channel bundling with MLPPP 101
8 Firewall 104
8.1 Threat analysis 104
8.1.1 The dangers 104
8.1.2 The ways of the perpetrators 105
8.1.3 The methods 105
8.1.4 The victims 106
8.2 What is a Firewall? 107
8.2.1 Tasks of a Firewall 107
8.2.2 Different types of Firewalls 108
8.3 The LANCOM Firewall 114
8.3.1 How the LANCOM Firewall inspects data packets 115
8.3.2 Special protocols 119
8.3.3 General settings of the Firewall 121
8.3.4 Parameters of Firewall rules 125
8.3.5 Alerting functions of the Firewall 131
8.3.6 Strategies for Firewall settings 134
8.3.7 Hints for setting the Firewall 137
8.3.8 Configuration of Firewall rules 141
8.3.9 Firewall diagnosis 151
8.3.10 Firewall limitations 159
8.4 Protection against break-in attempts: Intrusion Detection 160
8.4.1 Examples for break-in attempts 160
8.4.2 Configuration of the IDS 161
8.5 Protection against “Denial of Service” attacks 162
8.5.1 Examples of Denial of Service attacks 162
8.5.2 Configuration of DoS blocking 165
8.5.3 Configuration of ping blocking and Stealth mode 166
9 Quality of Service 168
9.1 Why QoS? 168
9.2 Which data packets to prefer? 168
9.2.1 Guaranteed minimum bandwidths 171
9.2.2 Limited maximum bandwidths 172
9.3 The queue concept 172
9.3.1 Queues in transmission direction 172
9.3.2 Queues for receiving direction 175
9.4 Reducing the packet length 176
9.5 QoS parameters for Voice over IP applications 178
9.6 QoS in sending or receiving direction 182
9.7 QoS configuration 183
9.7.1 Evaluating ToS and DiffServ fields 183
9.7.2 Defining minimum and maximum bandwidths 185
9.7.3 Adjusting transfer rates for interfaces 187
9.7.4 Sending and receiving direction 189
9.7.5 Reducing the packet length 189
10 Virtual LANs (VLANs) 192
10.1 What is a Virtual LAN? 192
10.2 This is how a VLAN works 192
10.2.1 Frame tagging 193
10.2.2 Conversion within the LAN interconnection 194
10.2.3 Application examples 195
10.3 Configuration of VLANs 198
10.3.1 The network table 198
10.3.2 The port table 199
10.3.3 Configuration with LANconfig 200
10.3.4 Configuration with WEBconfig or Telnet 201
11 Wireless LAN – WLAN 203
11.1 What is a Wireless LAN? 203
11.1.1 Standardized radio transmission by IEEE 203
11.1.2 Operation modes of Wireless LANs and base stations 206
11.2 Developments in WLAN security 213
11.2.1 Some basic concepts 214
11.2.2 WEP 215
11.2.3 WEPplus 219
11.2.4 EAP and 802.1x 220
11.2.5 TKIP and WPA 223
11.2.6 AES and 802.11i 230
11.2.7 Summary 231
11.3 Protecting the wireless network 232
11.4 Configuration of WLAN parameters 233
11.4.1 WLAN security 234
11.4.2 General WLAN settings 243
11.4.3 The physical WLAN interfaces 244
11.4.4 The logical WLAN interfaces 250
11.4.5 Additional WLAN functions 254
11.5 Establishing outdoor wireless networks 256
11.5.1 Geometrical layout of the transmission path 256
11.5.2 Antenna power 258
11.5.3 Emitted power and maximum distance 261
11.5.4 Transmission power reduction 264
12 Office communications with LANCAPI 265
12.1 What are the advantages of LANCAPI? 265
12.2 The client and server principle 265
12.2.1 Configuring the LANCAPI server 265
12.2.2 Installing the LANCAPI client 268
12.2.3 Configuration of the LANCAPI clients 269
12.3 How to use the LANCAPI 270
12.4 The LANCOM CAPI Faxmodem 270
13 Server services for the LAN 272
13.1 Automatic IP address administration with DHCP 272
13.1.1 The DHCP server 272
13.1.2 DHCP—'on', 'off' or 'auto'? 273
13.1.3 How are the addresses assigned? 274
13.2 DNS 277
13.2.1 What does a DNS server do? 277
13.2.2 DNS forwarding 279
13.2.3 Setting up the DNS server 280
13.2.4 URL blocking 283
13.2.5 Dynamic DNS 284
13.3 Call charge management 285
13.3.1 Charge-based ISDN connection limits 285
13.3.2 Time dependent ISDN connection limit 286
13.3.3 Settings in the charge module 287
13.4 The SYSLOG module 287
13.4.1 Setting up the SYSLOG module 288
13.4.2 Example configuration with LANconfig 288
14 Virtual Private Networks—VPN 291
14.1 What does VPN offer? 291
14.1.1 Private IP addresses on the Internet? 293
14.1.2 Secure communications via the Internet? 294
14.2 LANCOM VPN: an overview 295
14.2.1 VPN example application 295
14.2.2 Advantages of LANCOM VPN 296
14.2.3 LANCOM VPN functions 297
14.3 VPN connections in detail 298
14.3.1 LAN-LAN coupling 298
14.3.2 Dial-in connections (Remote Access Service) 299
14.4 What is LANCOM Dynamic VPN? 300
14.4.1 A look at IP addressing 300
14.4.2 This is how LANCOM Dynamic VPN works 301
14.5 Configuration of VPN connections 306
14.5.1 VPN tunnel: Connections between VPN gateways 307
14.5.2 Set up VPN connections with the Setup Wizard 308
14.5.3 Inspect VPN rules 309
14.5.4 Manually setting up VPN connections 309
14.5.5 Prepare VPN network relationships 311
14.5.6 Configuration with LANconfig 314
14.5.7 Configuration with WEBconfig 318
14.5.8 Diagnosis of VPN connections 322
14.6 Specific examples of connections 322
14.6.1 Static/static 323
14.6.2 Dynamic/static 323
14.6.3 Static/dynamic (with LANCOM Dynamic VPN) 324
14.6.4 Dynamic/dynamic (with LANCOM Dynamic VPN) 325
14.7 How does VPN work? 326
14.7.1 IPSec—The basis for LANCOM VPN 327
14.7.2 Alternatives to IPSec 328
14.8 The standards behind IPSec 329
14.8.1 IPSec modules and their tasks 329
14.8.2 Security Associations – numbered tunnels 329
14.8.3 Encryption of the packets – the ESP protocol 330
14.8.4 Authentication – the AH protocol 332
14.8.5 Key management – IKE 335
15 Appendix: Overview of functions for LANCOM models and LCOS versions 337
16 Index 338

1 Preface

User’s manual and reference manual
The documentation of your device consists of two parts: the user’s manual and the reference manual.
- The hardware of the LANCOM devices is documented in the respective user’s manuals. Apart from a description of the specific feature set of the different models, the user’s manual contains information about the interfaces and display elements of the devices, as well as instructions for basic configuration by means of the wizards.
- You are now reading the reference manual. The reference manual describes all functions and settings of the current version of LCOS, the operating system of all LANCOM routers and LANCOM Wireless Access Points. The reference manual refers to a certain software version, but not to specific hardware.
It complements the user’s manual and describes in detail topics that are valid for several models simultaneously. These are, for example:
- Systems design of the LCOS operating system
- Configuration
- Management
- Diagnosis
- Security
- Routing and WAN functions
- Firewall
- Quality of Service (QoS)
- Virtual Private Networks (VPN)
- Virtual Local Networks (VLAN)
- Backup solutions
- LANCAPI
- Further server services (DHCP, DNS, charge management)
LCOS, the operating system of LANCOM devices
All LANCOM routers and LANCOM Wireless Access Points use the same operating system: LCOS. The operating system developed by LANCOM itself is not attackable from the outside, and thus offers high security. The consistent use of LCOS ensures a comfortable and constant operation of all LANCOM products. The extensive feature set is available throughout all LANCOM products (provided the hardware supports it), and continuously receives further enhancements through free, regular software updates.
This reference manual uses the following terms for software, hardware and manufacturer:
- ’LCOS’ describes the device-independent operating system
- ’LANCOM’ stands as generic term for all LANCOM routers and LANCOM Wireless Access Points
- ’LANCOM’ stands as shortened form for the manufacturer, LANCOM Systems GmbH from Würselen, Germany
Validity
The present reference manual applies to all LANCOM routers and LANCOM Wireless Access Points with firmware version 3.32 or better.
The functions and settings described in this reference manual are not supported by all models and/or all firmware versions. A table in the appendix shows, for each function, the firmware version from which it is supported in the respective devices (’Appendix: Overview of functions for LANCOM models and LCOS versions’ →page 337).
Illustrations of devices, as well as screenshots, are only examples and need not correspond to the actual firmware version.
Security settings
For carefree use of your device, we recommend that you carry out all security settings (e.g. Firewall, encryption, access protection, charge lock) that are not already activated at the time of purchase of your device. The LANconfig wizard ’Check Security Settings’ will support you in accomplishing this. Further information regarding this topic can be found in chapter ’Security’ →page 52.
We additionally ask you to keep yourself informed about technical developments and current notes on your product on our Web page www.lancom.de, and to download new software versions if necessary.
This documentation was compiled …
...by several members of our staff from a variety of departments in order to ensure you the best possible support when using your LANCOM product.
In case you encounter any errors, or just want to offer criticism or suggest enhancements, please do not hesitate to send an email directly to:
info@lancom.de
Our online services (www.lancom.de) are available to you around the clock should you have any queries regarding the topics discussed in this manual or require any further support. In addition, support from LANCOM Systems is also available to you. Telephone numbers and contact information for LANCOM Systems support can be found on a separate insert, or at the LANCOM Systems website.
Notes symbols
Very important instructions. If not followed, damage may result.
Important instruction that should be followed.
Additional instructions which can be helpful, but are not required.
Special formatting in body text
Bold      Menu commands, command buttons, or text boxes
Code      Inputs and outputs for the display mode
<Value>   Placeholder for a specific value

2 System design

The LANCOM operating system LCOS is a collection of different software modules, and the LANCOM devices themselves have different interfaces to the WAN and LAN. Depending on the particular application, data packets flow through different modules on their way from one interface to another.
The following block diagram illustrates in abstract the general arrangement of LANCOM interfaces and LCOS modules. In the course of this reference manual the descriptions of the individual functions will refer to this illustration to show important connections of the particular applications and to deduce the resulting consequences.
The diagram can thus explain for which data streams the firewall comes into play, or, in case of address translations (IP masquerading or N:N mapping), at which place which addresses are valid.
[Block diagram of LANCOM interfaces and LCOS modules. Blocks shown: LAN interfaces (LAN / Switch, WLAN-1, WLAN-2 with encryption 802.11i/WPA/WEP, DMZ); LAN bridge with “isolated mode”; Virtual LANs (VLAN); Filter; WAN interfaces (ADSL, DSL, ISDN, DSLoL with connection via LAN/Switch); DHCP client / PPP; VPN services (VPN / PPTP); IP masquerading; N:N mapping; Firewall / IDS / DoS / QoS; IP router; IPX router; IPX over PPTP/VPN; LANCAPI; IP module (NetBIOS, DNS, DHCP server, RADIUS, RIP, NTP, SNMP, SYSLOG, SMTP); Configuration & management (WEBconfig, Telnet).]
Notes regarding the respective modules and interfaces:
- The IP router takes care of routing data on IP connections between the LAN and WAN interfaces.
- The firewall (with the services “Intrusion Detection”, “Denial of Service” and “Quality of Service”) encloses the IP router like a shield. All connections via the IP router automatically flow through the firewall as well.
- LANCOM devices provide either a separate LAN interface or an integrated switch with multiple LAN interfaces as interfaces to the LAN.
- LANCOM Wireless Access Points and LANCOM routers with wireless modules additionally offer one or, depending on the respective model, two wireless interfaces for the connection of Wireless LANs.
- On some models a DMZ interface enables a ’demilitarized zone’ (DMZ), which is also physically separated within the LAN bridge from other LAN interfaces.
- The LAN bridge provides a protocol filter that enables blocking of dedicated protocols on the LAN. Additionally, single LAN interfaces can be separated by the “isolated mode”. Thanks to VLAN functions, virtual LANs can be set up in the LAN bridge, which permit the operation of several logical networks on one physical cabling.
- Applications can communicate with different IP modules (NetBIOS, DNS, DHCP server, RADIUS, RIP, NTP, SNMP, SYSLOG, SMTP) either via the IP router, or directly via the LAN bridge.
- The functions “IP masquerading” and “N:N mapping” provide suitable IP address translations between private and public IP ranges, or also between multiple private networks.
- Given appropriate authorization, direct access to the configuration and management services of the devices (WEBconfig, Telnet, TFTP) is possible from the LAN and also from the WAN side. These services are protected by filters and login barring, but do not require any processing by the firewall. Nevertheless, direct access from WAN to LAN (or vice versa) using the internal services as a bypass for the firewall is not possible.
- The IPX router and the LANCAPI access only the ISDN interface on the WAN side. Both modules are independent of the firewall, which controls only data traffic through the IP router.
- The VPN services (including PPTP) enable data encryption in the Internet and thereby enable virtual private networks over public data connections.
- Depending on the specific model, either xDSL/Cable, ADSL or ISDN are available as different WAN interfaces.
- The DSLoL interface (DSL over LAN) is not a physical WAN interface, but rather a “virtual WAN interface”. With appropriate LCOS settings, it is possible on some models to use a LAN interface as an additional xDSL/Cable interface.

3 Configuration and management

This section will show you the methods and ways you can use to access the device and specify further settings. You will find descriptions of the following topics:
- Configuration tools
- Monitoring and diagnosis functions of the device and software
- Backup and restoration of entire configurations
- Installation of new firmware in the device

3.1 Configuration tools and approaches

LANCOM devices are flexible and support a variety of tools (i.e. software) and approaches (in the form of communication options) for their configuration. First, a look at the approaches.
You can connect to a LANCOM with three different access methods (according to the connections available).
- Through the connected network (LAN as well as WAN—inband)
- Through the configuration interface (config interface) on the rear of the router (also known as outband)
- Remote configuration via ISDN access
What is the difference between these three possibilities?
On one hand, the availability: Configuration via outband is always available. Inband configuration is not possible, however, in the event of a network fault. Remote configuration is also dependent on an ISDN connection.
On the other hand, whether or not you will need additional hardware and software: The inband configuration requires one of the computers already available in the LAN or WAN, as well as suitable software, such as LANconfig or WEBconfig (see following section). In addition to the configuration software, the outband configuration also requires a computer with a serial port. The preconditions are most extensive for ISDN remote configuration: In addition to an ISDN capable LANCOM, an ISDN card is needed in the configuration PC or, alternatively, access via LANCAPI to an additional LANCOM that is ISDN capable.

3.2 Configuration software

Situations in which the device is configured vary—as do the personal requirements and preferences of the person doing the configuration. LANCOM routers thus feature a broad selection of configuration software:
- LANconfig – nearly all parameters of the LANCOM can be set quickly and with ease using this menu-based application. Outband, inband and remote configuration are supported, even for multiple devices simultaneously.
- WEBconfig – this software is permanently installed in the router. All that is required on the workstation used for the configuration is a web browser. WEBconfig is thus independent of operating systems. Inband and remote configuration are supported.
- SNMP – device-independent programs for the management of IP networks are generally based on the SNMP protocol. It is possible to access the LANCOM inband and via remote configuration using SNMP.
- Terminal program, Telnet – a LANCOM can be configured with a terminal program via the config interface (e.g. HyperTerminal) or within an IP network (e.g. Telnet).
- TFTP – the file transfer protocol TFTP can to a limited extent also be used within IP networks (inband and remote configuration).
Please note that all procedures access the same configuration data. For example, if you change the settings in LANconfig, this will also have a direct effect on the values under WEBconfig and Telnet.

3.2.1 Configuration using LANconfig

Start LANconfig by, for example, using the Windows Start menu: Start / Programs / LANCOM / LANconfig. LANconfig will now automatically search for devices on the local network. It will automatically launch the setup wizard if a device which has not yet been configured is found on the local area network.
Find new devices
Click on the Find button or call up the command with Device / Find to initiate a search for a new device manually. LANconfig will then prompt for a location to search. You will only need to specify the local area network if using the inband solution, and then you're off.
Once LANconfig has finished its search, it displays a list of all the devices it has found, together with their names and, where available, a description, the IP address and its status.
The expanded range of functions for professionals
Two different display options can be selected for configuring the devices with LANconfig:
- The 'Simple configuration display' mode only shows the settings required under normal circumstances.
- The 'Complete configuration display' mode shows all available configuration options. Some of them should only be modified by experienced users.
Select the display mode in the View / Options menu.
Double-clicking the entry for the highlighted device and then clicking the Configure button or the Device / Configure option reads the device's current settings and displays the 'General' configuration selection.
The integrated Help function
The remainder of the program's operation is self-explanatory, or you can use the online help. You can click on the 'Help' button top right in any window or right-click on an unclear term at any time to call up context-sensitive help.
Management of multiple devices
LANconfig supports multi device remote management. Simply select the desired devices, and LANconfig then performs all actions for all selected devices, one after the other. The only requirement: The devices must be of the same type.
To make management easier, the devices can be grouped together. To do so, enable ’Folder Tree’ in the View menu, and group the devices by ’drag and drop’ into the desired folders.
LANconfig shows only those parameters that are suitable for multi device configuration when more than one device is selected, e.g. MAC Access Control Lists for all LANCOM Wireless Access Points.

3.2.2 Configuration with WEBconfig

You can use any web browser, even text-based, for basic setup of the device. The WEBconfig configuration application is integrated in the LANCOM. All you need is a web browser in order to access WEBconfig.
Functions with any web browser
WEBconfig offers setup wizards similar to LANconfig and has all you need for easy configuration of the LANCOM. Unlike LANconfig, however, it runs under all operating systems for which a web browser exists.
A LAN or WAN connection via TCP/IP must be established to use WEBconfig. WEBconfig is accessed by any web browser via the IP address of the LANCOM, via the name of the device (if previously assigned), or via any name if the device has not been configured yet.
http://<IP address or device name>
Secure with HTTPS
WEBconfig offers an encrypted transmission of the configuration data for secure (remote) management via HTTPS.
https://<IP address or device name>
For maximum security, please make sure you have installed the latest version of your Internet browser. For Windows 2000, LANCOM Systems recommends using the “High Encryption Pack” or at least Internet Explorer 5.5 with Service Pack 2 or above.

3.2.3 Configuration using Telnet

Start configuration using Telnet, e.g. from the Windows command line with the command:
C:\>telnet 10.0.0.1
Telnet will then establish a connection with the device using the IP address. After entering the password (if you have set one to protect the configuration), all configuration commands are available.
Change the language of the display.
The terminal can be set to English and German modes. The display language of your LANCOM is set to English at the factory. In the remaining documentation, all configuration commands will be provided in English. To change the display language to German, use the following commands:
Configuration tool   Run (when English is the selected language)
WEBconfig            Expert configuration / Setup / Config-module / Language
Telnet               set /Setup/Config module/Language German
TFTP
Certain functions cannot be run at all, or not satisfactorily, with Telnet. These include all functions in which entire files are transferred, for example the uploading of firmware or the saving and restoration of configuration data. In this case TFTP is used.
TFTP is available by default under the Windows 2000 and Windows NT operating systems. It permits the simple transfer of files with other devices across the network.
LANCOM Reference Manual LCOS 3.50 Chapter 3: Configuration and management
The syntax of the TFTP call is dependent on the operating system. With Windows 2000 and Windows NT the syntax is:
tftp -i <IP address Host> [get|put] source [target]
With numerous TFTP clients the ASCII format is preset. Therefore, for the transfer of binary data (e.g. firmware) the binary transfer must usually be explicitly selected. This example for Windows 2000 and Windows NT shows you how to achieve this by using the '-i' parameter.
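Why the '-i' switch matters, as an added example that is not part of the LANCOM manual: '-i' selects what RFC 1350 calls octet mode, while the netascii (ASCII) mode rewrites line-ending bytes at both ends of the transfer. The file name firmware.bin, the sample image and the simple two-host line-ending model are assumptions made for this illustration.

```python
import hashlib
import struct

OP_RRQ, OP_WRQ = 1, 2          # read / write request opcodes (RFC 1350)
CR, LF, NUL = 0x0D, 0x0A, 0x00


def build_request(opcode, filename, mode):
    """TFTP request packet: 2-byte opcode, filename, NUL, mode, NUL."""
    mode = mode.lower()
    if mode not in ("netascii", "octet"):
        raise ValueError(f"unsupported transfer mode: {mode}")
    return (struct.pack("!H", opcode) + filename.encode("ascii") + b"\x00"
            + mode.encode("ascii") + b"\x00")


def netascii_encode(data, local_eol=b"\n"):
    """Sender in netascii mode: local line ending -> CR LF, other CR -> CR NUL."""
    out, i = bytearray(), 0
    while i < len(data):
        if data.startswith(local_eol, i):
            out += b"\r\n"
            i += len(local_eol)
        elif data[i] == CR:
            out += b"\r\x00"
            i += 1
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


def netascii_decode(wire, local_eol=b"\n"):
    """Receiver in netascii mode: CR LF -> local line ending, CR NUL -> CR."""
    out, i = bytearray(), 0
    while i < len(wire):
        nxt = wire[i + 1] if i + 1 < len(wire) else None
        if wire[i] == CR and nxt == LF:
            out += local_eol
            i += 2
        elif wire[i] == CR and nxt == NUL:
            out.append(CR)
            i += 2
        else:
            out.append(wire[i])
            i += 1
    return bytes(out)


def simulate_transfer(image, mode, sender_eol=b"\n", receiver_eol=b"\n"):
    """Return the bytes the receiver stores for the given transfer mode."""
    if mode == "octet":
        return image                      # moved literally, byte by byte
    return netascii_decode(netascii_encode(image, sender_eol), receiver_eol)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def transfer_intact(image, received):
    """Integrity check to run before a transferred image is put to use."""
    return sha256_hex(image) == sha256_hex(received)


# Constructed stand-in for a firmware image: every byte value occurs, so it
# contains 0x0A and 0x0D just as a real binary will.
SAMPLE_IMAGE = bytes(range(256)) * 4

if __name__ == "__main__":
    # Hypothetical file name; only the mode string differs between the modes.
    print(build_request(OP_WRQ, "firmware.bin", "octet"))
    for mode, eol in (("octet", b"\r\n"), ("netascii", b"\n"),
                      ("netascii", b"\r\n")):
        got = simulate_transfer(SAMPLE_IMAGE, mode, receiver_eol=eol)
        print(mode, eol, len(got), transfer_intact(SAMPLE_IMAGE, got))
```

In netascii mode the image only survives when both ends happen to share the same line-ending convention; comparing a hash of the source file with a hash of what arrived catches the silent corruption in either direction.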

3.2.4 Configuration using SNMP

The Simple Network Management Protocol (SNMP V.1 as specified in RFC 1157) allows monitoring and configuration of the devices on a network from a single central instance.
There are a number of configuration and management programs that run via SNMP. Commercial examples are Tivoli, OpenView from Hewlett-Packard, SunNet Manager and CiscoWorks. In addition, numerous programs also exist as freeware and shareware.
Your LANCOM can export a so-called device MIB file (Management Information Base) for use in SNMP programs.
Configuration tool   Run
WEBconfig            Get Device SNMP MIB (in main menu)
TFTP                 tftp 10.0.0.1 get readmib file1

3.3 Remote configuration via Dial-Up Network

The complete section on remote configuration applies only to LANCOM with ISDN interface.
Configuring routers at remote sites is particularly easy using the remote configuration method via a Dial-Up Network from Windows. The device is accessible by the administrator immediately without any settings being made after it is switched on and connected to the WAN interface. This means that you save a lot of time and costs when connecting other networks to your network because you do not have to travel to the other network or instruct the staff on-site on configuring the router.
You can also reserve a special calling number for remote configuration. Then the support technician can always access the router even if it is really no longer accessible due to incorrect settings.

3.3.1 This is what you need for ISDN remote configuration

- A LANCOM with an ISDN connection
- A computer with a PPP client, e.g. Windows Dial-Up Network
- A program for inband configuration, e.g. LANconfig or Telnet
- A configuration PC with an ISDN card or access via LANCAPI to a LANCOM with ISDN access.

3.3.2 The first remote connection using Dial-Up Networking

1. In the LANconfig program select Device / New, enable 'Dial-Up connection' as the connection type and enter the calling number of the WAN interface to which the LANCOM is connected. If you wish, you can also enter the time period after which an idle connection is to be disconnected automatically.
2. LANconfig now automatically generates a new entry in the Dial-Up Network. Select a device that supports PPP (e.g. the NDIS-WAN driver included with the LANCAPI) for the connection and press OK to confirm.
3. Then the LANconfig program will display a new device with the name 'Unknown' and the dial-up call number as the address in the device list.
   When an entry in the device list is deleted, the related connection in the Windows Dial-Up Network is also deleted.
4. You can configure the device remotely just like all other devices. LANconfig establishes a dial-up connection enabling you to select a configuration.

3.3.3 The first remote connection using a PPP client and Telnet

Establish a connection to the LANCOM with your PPP client using the fol-
lowing details:
User name 'ADMIN'The password selected in LANCOM An IP address for the connection, only if required
21
LANCOM Reference Manual LCOS 3.50 Chapter 3: Configuration and management
Open a Telnet session to the LANCOM. Use the following IP address for
this purpose:
'172.17.17.18', if you have not defined an IP address for the PPP cli-
ent. The LANCOM automatically uses this address if no other address has been defined. The PC making the call will respond to the IP '172.17.17.17'.
Raise the IP address of the PC by one, if you have defined an address.
Example: You have set the IP '10.0.200.123' for the PPP client, the LANCOM then responds to '10.0.200.124'. Exception: If the digits '254' are at the end of the IP address, the router responds to 'x.x.x.1'.
ment
You can configure the LANCOM remotely just like all other devices.
The default layer for remote field installations
Configuration and manage-
The PPP connection of any other remote site to the router, of course, will only succeed if the device answers every call with the corresponding PPP settings. This is the case using the factory default settings because the default protocol (default layer) is set to PPP.
You may, however, want to change the default layer for LAN-to- LAN connec­tions, for example, to a different protocol after the first configuration run. Then the device will no longer take calls on the dial-up connection using the PPP settings. The solution to this is to agree upon a special calling number for configuration access:
The administrator access for ISDN remote management
If the device receives a call on this number, it will always use PPP, regardless of any other settings made on the router. Only a specific user name which is automatically entered by the LANconfig program during call establishment will be accepted during the PPP negotiations:
Switch to the 'Security' tab in the 'Management' configuration section.
Enter a number at your location which is not being used for other purposes in the 'Configuration access' area.
Alternatively, enter the following command:
set /setup/config-module/Farconfig 123456
Always provide additional protection for the settings of the device by setting a password. Alternatively, enter the following command during a Telnet or terminal connection:
passwd
You will then be prompted to enter and confirm a new password.
3.4 LANmonitor—know what's happening
The LANmonitor includes a monitoring tool with which you can view the most important information on the status of your routers on your monitor at any time under Windows operating systems—of all of the LANCOM routers in the network.
Many of the internal messages generated by the devices are converted to plain text, thereby helping you to troubleshoot.
You can also use LANmonitor to monitor the traffic on the router's various interfaces to collect important information on the settings you can use to optimize data traffic.
In addition to the device statistics that can also be read out during a Telnet or terminal session or using WEBconfig, a variety of other useful functions are also available in the LANmonitor, such as the enabling of an additional charge limit.
With LANmonitor you can only monitor those devices that you can access via IP (local or remote). With this program you cannot access a router via the serial interface.

3.4.1 Extended display options

Under View / Show Details you can activate and deactivate the following display options:
Error messages
Diagnostic messages
System information
Many important details on the status of the LANCOM are not displayed until the display of the system information is activated. These include, for example, the ports and the charge management. Therefore, we recommend that interested users activate the display of the system information.

3.4.2 Monitor Internet connection

To demonstrate the functions of LANmonitor we will first show you the types of information LANmonitor provides about connections being established to your Internet provider.
To start LANmonitor, go to Start / Programs / LANCOM / LANmonitor. Use Device / New to set up a new device and in the following window, enter the IP address of the router that you would like to monitor. If the configuration of the device is protected by password, enter the password too.
Alternatively, you can select the device via the LANconfig and monitor it using Tools / Monitor Device.
LANmonitor automatically creates a new entry in the device list and initially displays the status of the transfer channels. Start your Web browser and enter any web page you like. LANmonitor now shows a connection being established on one channel and the name of the remote site being called. As soon as the connection is established, a plus sign against the communication channel entry indicates that further information on this channel is available. Click on the plus sign or double-click such entry to open a tree structure in which you can view various information.
In this example, you can determine from the PPP protocol information the IP address assigned to your router by the provider for the duration of the connection and the addresses transmitted for the DNS and NBNS server.
Under the general information you can watch the transmission rates at which data is currently being exchanged with the Internet.
To break the connection manually, click on the active channel with the right mouse button. You may be required to enter a configuration password.
If you would like a log of the LANmonitor output in file form, select Device / Properties and go to the 'Logging' tab. Enable logging and specify whether LANmonitor should create a log file daily, monthly, or on an ongoing basis.
3.5 Trace information—for advanced users
Trace outputs may be used to monitor the internal processes in the router during or after configuration. One such trace can be used to display the individual steps involved in negotiating the PPP. Experienced users may interpret these outputs to trace any errors occurring in the establishment of a connection. A particular advantage of this is: The errors being tracked may stem from the configuration of your own router or that of the remote site.
The trace outputs are slightly delayed behind the actual event, but are always in the correct sequence. This will not usually hamper interpretation of the displays but should be taken into consideration if making precise analyses.

3.5.1 How to start a trace

Trace output can be started in a Telnet session, for example. The command to call up a trace follows this syntax:
trace [code] [parameters]
The trace command, the code, the parameters and the combination commands are all separated from each other by spaces. And what is the meaning of these codes and parameters?

3.5.2 Overview of the keys

This code... ... in combination with the trace causes the following:
? displays a help text
+ switches on a trace output
- switches off a trace output
# switches between different trace outputs (toggle)
no code displays the current status of the trace

3.5.3 Overview of the parameters

The available traces depend individually on the particular model and can be listed by entering trace with no arguments on the command line.
This parameter... ... brings up the following display for the trace:
Status status messages for the connection
Error error messages for the connection
LANCOM LANCOM protocol negotiation
IPX-router IPX routing
PPP PPP protocol negotiation
SAP IPX Service Advertising Protocol
IPX-watchdog IPX watchdog spoofing
SPX-watchdog SPX watchdog spoofing
LCR Least-Cost Router
Script script processing
RIP IPX Routing Information Protocol
IP-router IP routing
IP-RIP IP Routing Information Protocol
ARP Address Resolution Protocol
ICMP Internet Control Message Protocol
IP masquerading processes in the masquerading module
DHCP Dynamic Host Configuration Protocol
NetBIOS NetBIOS management
DNS Domain Name Service Protocol
Packet dump display of the first 64 bytes of a packet in hexadecimal form
D-channel-dump trace on the D channel of the connected ISDN bus
ATM spoofing at the ATM packet level
ADSL ADSL connections status
VPN-Status IPSec and IKE negotiation
VPN-Packet IPSec and IKE packets
SMTP-Client E-Mail processing of the integrated mail client
SNTP Simple Network Time Protocol information

3.5.4 Combination commands

This combination command... ... brings up the following display for the trace:
All all trace outputs
Display status and error outputs
Protocol LANCOM and PPP outputs
TCP-IP IP-Rt., IP-RIP, ICMP and ARP outputs
IPX-SPX IPX-Rt., RIP, SAP, IPX-Wd., SPX-Wd., and NetBIOS outputs
Time displays the system time in front of the actual trace output
Source includes a display of the protocol that has initiated the output in front of the trace
Any appended parameters are processed from left to right. This means that it is possible to call a parameter and then restrict it.

3.5.5 Examples

This code...                ... in combination with the trace causes the following:
trace                       displays all protocols that can generate outputs during the configuration, and the status of each output (ON or OFF)
trace + all                 switches on all trace outputs
trace + protocol display    switches on the output for all connection protocols together with the status and error messages
trace + all - icmp          switches on all trace outputs with the exception of the ICMP protocol
trace ppp                   displays the status of the PPP
trace # ipx-rt display      toggles between the trace outputs for the IPX router and the display outputs
trace - time                switches off the system time output before the actual trace output
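The left-to-right processing of codes and parameters described in 3.5.1 to 3.5.4 can be checked against the examples above with a small model. This is an added example, not LANCOM code: the function names are hypothetical, the output names are taken from the tables in 3.5.3 and 3.5.4, and the per-output toggle behaviour of '#' is an assumption.

```python
# Added illustration of the trace syntax described in 3.5.1-3.5.5; not LCOS code.
# Output names come from the tables in 3.5.3 and 3.5.4. "IP masquerading" and
# "Packet dump" are left out because the manual does not show how they are typed.
PARAMS = ["Status", "Error", "LANCOM", "IPX-router", "PPP", "SAP",
          "IPX-watchdog", "SPX-watchdog", "LCR", "Script", "RIP", "IP-router",
          "IP-RIP", "ARP", "ICMP", "DHCP", "NetBIOS", "DNS", "D-channel-dump",
          "ATM", "ADSL", "VPN-Status", "VPN-Packet", "SMTP-Client", "SNTP"]
BY_NAME = {p.lower(): p for p in PARAMS}
BY_NAME["ipx-rt"] = "IPX-router"   # abbreviation as typed in the manual's example
COMBOS = {                          # combination commands from 3.5.4
    "all": PARAMS,
    "display": ["Status", "Error"],
    "protocol": ["LANCOM", "PPP"],
    "tcp-ip": ["IP-router", "IP-RIP", "ICMP", "ARP"],
    "ipx-spx": ["IPX-router", "RIP", "SAP", "IPX-watchdog", "SPX-watchdog",
                "NetBIOS"],
}
CODES = {"+", "-", "#", "?"}

def expand(token):
    """Map one typed parameter to the set of outputs it names."""
    key = token.lower()
    if key in COMBOS:
        return set(COMBOS[key])
    if key in BY_NAME:
        return {BY_NAME[key]}
    raise ValueError(f"unknown trace parameter: {token}")

def apply_trace(command, enabled=()):
    """Return the outputs that are ON after one trace command line."""
    tokens = command.split()
    if not tokens or tokens[0].lower() != "trace":
        raise ValueError("not a trace command")
    state, code = set(enabled), None
    for tok in tokens[1:]:              # processed strictly left to right
        if tok in CODES:
            code = tok                  # applies to the parameters that follow
            continue
        names = expand(tok)
        if code == "+":
            state |= names
        elif code == "-":
            state -= names
        elif code == "#":
            state ^= names              # assumption: each output toggles on its own
        # no code or "?": status/help only, nothing changes
    return state

if __name__ == "__main__":
    for cmd in ("trace + all - icmp", "trace - icmp + all", "trace + protocol display"):
        print(cmd, "->", sorted(apply_trace(cmd)))
```

Because parameters are applied in order, 'trace - icmp + all' leaves ICMP switched on, whereas 'trace + all - icmp' does not.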

3.6 Working with configuration files

The current configuration of a LANCOM can be saved as a file and reloaded in the device (or in another device of the same type) if necessary.
Additionally, configuration files can be generated and edited offline for any LANCOM device, firmware option and software version:
Backup copies of configuration
With this function you can create backup copies of the configuration of your LANCOM. Should your LANCOM (e.g. due to a defect) lose its configuration data, you simply reload the backup copy.
Convenient series configuration
Even when you are faced with the task of configuring several LANCOM devices of the same type, you will come to appreciate the function for saving and restoring configurations. In this case you can save a great deal of work by first importing identical parameters as a basic configuration and then only making individual settings to the separate devices.
Running function
Configuration tool    Run
LANconfig             Edit / Save Configuration to File
                      Edit / Restore Configuration from File
                      Edit / New Configuration File
                      Edit / Edit Configuration File
                      Edit / Print Configuration File
WEBconfig             Save Configuration, Load Configuration (in main menu)
TFTP                  tftp 10.0.0.1 get readconfig file1
                      tftp 10.0.0.1 put file1 writeconfig

3.7 New firmware with LANCOM FirmSafe

The software for devices from LANCOM is constantly being further developed. We have fitted the devices with a flash ROM which makes child's play of updating the operating software so that you can enjoy the benefits of new features and functions. No need to change the EPROM, no need to open up the case: simply load the new release and you're away.

3.7.1 This is how LANCOM FirmSafe works

LANCOM FirmSafe makes the installation of the new software safe: The firmware in use is not simply overwritten but saved additionally in the device as a second firmware.
Of the two firmware versions saved in the device only one can ever be active. When loading a new firmware version the active firmware version is not overwritten. You can decide which firmware will be activated after the upload:
'Immediate': The first option is to load the new firmware and activate it immediately. The following situations can result:
The new firmware is loaded successfully and works as desired. Then all is well.