User / maintenance manual for the product LCOS 3.50 from the manufacturer Lancom Systems
Reference Manual LANCOM LCOS 3.50.
© 2004 LANCOM Systems GmbH, Wuerselen (Germany). While the information in this manual has been compiled with great care, it may not be deemed an assurance of product characteristics. LANCOM shall be liable only to the degree specified in the terms of sale and delivery.
Contents
1 Preface 10
2 System design 13
3 Configuration and management 15
3.1 Configuration tools and approaches 15
3.2 Configuration software 16
3.2.1 Configuration using LANconfig 16
3.2.
4.1.1 Application examples 38
4.1.2 Configuration 42
4.1.3 45
5 Diagnosis 46
5.1 LANmonitor—know what's happening 46
5.1.1 Extended display options 46
5.1.2 Monitor Internet connection 47
5.
7.4 N:N mapping 80
7.4.1 Application examples 81
7.4.2 Configuration 85
7.5 Configuration of remote stations 89
7.5.1 Name list 89
7.5.2 Layer list 90
7.6 Establishing connection with PPP 91
7.
8.3.10 Firewall limitations 159
8.4 Protection against break-in attempts: Intrusion Detection 160
8.4.1 Examples for break-in attempts 160
8.4.2 Configuration of the IDS 161
8.5 Protection against “Denial of Service” attacks 162
8.
10.3.4 Configuration with WEBconfig or Telnet 201
11 Wireless LAN – WLAN 203
11.1 What is a Wireless LAN? 203
11.1.1 Standardized radio transmission by IEEE 203
11.1.2 Operation modes of Wireless LANs and base stations 206
11.
13 Server services for the LAN 272
13.1 Automatic IP address administration with DHCP 272
13.1.1 The DHCP server 272
13.1.2 DHCP—'on', 'off' or 'auto'? 273
13.
14.5.5 Prepare VPN network relationships 311
14.5.6 Configuration with LANconfig 314
14.5.7 Configuration with WEBconfig 318
14.5.8 Diagnosis of VPN connections 322
14.6 Specific examples of connections 322
14.
1 Preface
User's manual and reference manual
The documentation of your device consists of two parts: the user's manual and the reference manual. The hardware of the LANCOM devices is documented in the respective user's manuals.
ucts. The extensive feature set is available throughout all LANCOM products (provided respective support by hardware), and continuously receives further enhancements by free, regular software updates.
info@lancom.de Our online services (www.lancom.de) are available to you around the clock should you have any queries regarding the topics discussed in this manual or require any further support.
2 System design
The LANCOM operating system LCOS is a collection of different software modules; the LANCOM devices themselves have different interfaces to the WAN and LAN.
LANCOM Wireless access points resp. LANCOM routers with wireless modules additionally offer one or, depending on the respective model, also two wireless interfaces for the connection of Wireless LANs.
3 Configuration and management
This section will show you the methods and ways you can use to access the device and specify further settings.
3.2 Configuration software
Situations in which the device is configured vary—as do the personal requirements and preferences of the person doing the configuration.
Once LANconfig has finished its search, it displays a list of all the devices it has found, together with their names and, perhaps, a description, the IP address and its status.
Management of multiple devices
LANconfig supports multi-device remote management. Simply select the desired devices, and LANconfig then performs all actions for all selected devices, one after the other.
Secure with HTTPS
WEBconfig offers an encrypted transmission of the configuration data for secure (remote) management via HTTPS.
The syntax of the TFTP call is dependent on the operating system. With Windows 2000 and Windows NT the syntax is: tftp -i <IP address Host> [get|put] source [target] With numerous TFTP clients the ASCII format is preset.
You can also reserve a special calling number for remote configuration. Then the support technician can always access the router even if it is really no longer accessible due to incorrect settings.
(2) Open a Telnet session to the LANCOM. Use the following IP address for this purpose: '172.17.17.18', if you have not defined an IP address for the PPP client.
(1) Switch to the 'Security' tab in the 'Management' configuration section. (2) Enter a number at your location which is not being used for other purposes in the 'Configuration access' area.
time under Windows operating systems—of all of the LANCOM routers in the network. Many of the internal messages generated by the devices are converted to plain text, thereby helping you to troubleshoot.
monitor. If the configuration of the device is protected by password, enter the password too. Alternatively, you can select the device via LANconfig and monitor it using Tools / Monitor Device.
specify whether LANmonitor should create a log file daily, monthly, or on an ongoing basis.
3.5.2 Overview of the keys
3.5.3 Overview of the parameters
The available traces depend individually on the particular model and can be listed by entering trace with no arguments on the command line.
3.5.4 Combination commands
Any appended parameters are processed from left to right. This means that it is possible to call a parameter and then restrict it.
3.5.5 Examples
3.6 Working with configuration files
The current configuration of a LANCOM can be saved as a file and reloaded into the device (or into another device of the same type) if necessary.
Convenient series configuration
However, even when you are faced with the task of configuring several LANCOM devices of the same type, you will come to appreciate the function for saving and restoring configurations.
The device no longer responds after loading the new firmware. If an error occurs during the upload, the device automatically reactivates the previous firmware version and reboots.
LANconfig then tells you the version number and the date of the firmware in the description and offers to upload the file. The firmware you already have installed will be replaced by the selected release by clicking Open.
Status
Contains all read-only statistics of the individual SW modules
Set.
All commands and directory/item names may be abbreviated as long as no ambiguity exists. For example, it is valid to shorten the "sysinfo" command to "sys" or a "cd Management" to "c ma".
regular firmware or configuration updates
The data is stored in a table with t.
Time-controlled rules will not necessarily be executed at precisely zero seconds of real time, but at some indeterminate point of time in the minute in question.
4 Management
4.1 N:N mapping
Network Address Translation (NAT) can be used for several different matters: for better.
the defined translation range. An “inbound” address mapping, whereby the source address is translated (instead of the destination address), needs to be realized by an appropriate “outbound” address translation on the remote side.
With the help of N:N mapping, all addresses of the LAN can be translated to a new address range for the coupling with the other network. The network of company A e. g. will be translated to 192.
In this example, a service provider monitors the networks of different clients out of a central control. For this purpose, the SNMP-capable devices should send the respective traps of important events automatically to the SNMP trap addressee (e.
The networks of client A and B use different address ranges in the respective head office and the connected branches. A standard network coupling via VPN is therefore possible between these networks.
with actually the same address range looks like two different networks for the gateway of the service provider. The administrator selects the address ranges 192.168.2.x and 192.
The address range for translation must be at minimum as large as the source address range. Please notice that the N:N mapping functions are only effective when the firewall has been activated.
ped” original addresses. The entries of the remote network use the “mapped” addresses of the remote side, valid on the VPN connection.
WEBconfig, Telnet
Under WEBconfig and Telnet you find the NAT table for configuration of N:N mapping at the following positions of the menu tree: When starting a new entry under WEBconfig, the NAT table shows up as follows: 4.
5 Diagnosis
5.1 LANmonitor — know what's happening
The LANmonitor includes a monitoring tool with which you can view.
5.1.2 Monitor Internet connection
To demonstrate the functions of LANmonitor we will first show you the types of information LANmonitor provides about connections being established to your Internet provider.
Under the general information you can watch the transmission rates at which data is currently being exchanged with the Internet. (3) To break the connection manually, click on the active channel with the right mouse button.
5.2.2 Overview of the keys
5.2.3 Overview of the parameters
The available traces depend individually on the particular model and can be listed by entering trace with no arguments on the command line.
5.2.4 Combination commands
Any appended parameters are processed from left to right.
5.2.5 Examples
This code... ... in combination with the trace causes the following: trace displays all protocols that can gen.
6 Security
You certainly would not like any outsider to have easy access to or to be able to modify the data on your computer. Therefore this chapter covers an important topic: safety.
Note: If a password has not been set, the Power LED flashes until the devices have been configured correctly.
Tips for proper use of passwords
We would like to give you a few tips here for using passwords: Keep a password as secret as possible.
ard Security Settings. In a terminal or Telnet session you set or change the password with the command passwd.
Protecting the SNMP access
At the same time you should also protect the SNMP read access with a password.
Lock configuration for (Lock-minutes)
6.1.3 Restriction of the access rights on the configuration
Access to the internal f.
(1) Change to the register card 'Security' in the 'Management' configuration area: (2) Enter as call number within 'configuration access' a call number of your connection, which is not used for other purposes.
rately. The configuration access can generally be permitted or forbidden, a pure read access or - if your model is equipped with VPN - also can be permitted only over VPN.
By default, this table does not contain entries. Thus the device can be accessed over TCP/IP from computers with arbitrary IP addresses.
You have a choice of the following: all: Calls are accepted from any remote station. by number: Only calls from those remote stations whose Calling Line Identification number (CLIP) is entered in the number list are accepted.
Checking the number
When a call is placed over an ISDN line, the caller's number is normally sent over the D channel before a connection is even made (CLI – Calling Line Identifier).
An especially effective callback method is the fast-callback procedure (patent pending). This speeds up the callback procedure considerably. The procedure only works if it is supported by both stations.
will be permitted to use the internal functions. The circle of authorized users can be expanded by inputting further entries. The filter entries can describe both individual computers and whole networks.
7 Routing and WAN connections
This chapter describes the most important protocols and configuration entries used for WAN connections. It also shows ways to optimize WAN connections.
A simplified example will clarify this process. Here we assume that the IP address of the computer being searched for is known in the Internet.
(4) Transmission of data packets
As soon as the connection is established, the router can send the data packet to the Internet.
7.2 IP routing
An IP router works between networks which use TCP/IP as the network protocol.
Configuration of the routing table
An IP routing table can, for example, look like this.
That way routes which are forbidden on the Internet (private address spaces, e. g. '10.0.0.0'), for example, are excluded from transmission.
How can you assist the workstation computer now? By default, the router sends the computer a response with the address of the router which knows the route to the destination network (this response is known as an ICMP redirect).
Although the entries in the static routing table are set manually, this information changes according to the connection status of the router and so do the RIP packets transmitted.
column shows which router has revealed this route. This leaves the 'Time'. The dynamic table thus shows how old the relevant route is.
packets and look on them as normal broadcast or multicast packets. Connections are continually established by the RIPs if this router holds the default route to a remote router.
'address': The network mask is derived from the first bit that is set in the IP address entered. This and all high-order bits within the network mask are set.
assume a certain order that differs from the protocol standard.
any number. It also enters this new port on the table and forwards the packet with the new information.
Which protocols can be transmitted using IP masquerading? IP masquerading for all IP protocols that are based on TCP, UDP, or ICMP and communicate exclusively through ports.
On the local side, the router supports two different networks: the Intranet and the DMZ ('de-militarized zone'). The DMZ marks a distinct, separate local network, usually for servers, that must be accessible from the Internet.
7.3.2 Inverse masquerading
This masking operates in both directions: The local network behind the IP address of the router is masked if a computer from the LAN sends a packet to the Internet (simple masquerading).
Configuration of the inverse masquerading
Stateful Inspection and inverse masquerading
If in the Masquerading module a port is exposed (i.e.
Example: You are assigned the IP network address 123.
In the first application the so-called N:1 NAT, also known as IP masquerading ('The hiding place—IP masquerading (NAT, PAT)' → page 74) is used.
Network coupling
An often appearing scenario is the coupling of two company networks which internally use the same address range (e. g. 10.
Remote monitoring and remote control of networks
Remote maintenance and control of networks become more and more important because of the possibilities given by VPN.
client C operates a network with several public WLAN base stations as hot spots, and client D has got an additional router for ISDN dial-up accesses in his LAN.
head office. On this occasion, also all subnetworks located “behind” the head office are supplied with the needed new IP addresses. In this example, the administrator of the service provider selects 10.
of the mapping address. Therefore, in an assignment of 10.0.0.0/255.255.255.0 to 192.168.1.0, a server of the LAN with IP address 10.1.
use the “mapped” addresses of the remote side, valid on the VPN connection.
Configuration with different tools
LANconfig
With LANconfig you adjust the address tra.
When starting a new entry under WEBconfig, the NAT table shows up as follows: 7.
7.5.2 Layer list
With a layer, a collection of protocol settings is defined, which should be used when connecting to specific remote stations.
7.6 Establishing connection with PPP
LANCOM routers also support the point-to-point protocol (PPP).
of routers made by different manufacturers since this protocol is supported by practically all manufacturers.
The phases of PPP negotiation
Establishment of a connection using PPP always begins with a negotiation of the parameters to be used for the connection.
to begin output of the PPP protocol frames exchanged during a terminal session. You can perform a detailed analysis once the connection has been broken if this terminal session has been logged in a log file.
telecomputer), the LANCOM assigns it an IP address for the duration of the connection, enabling communications to take place.
Windows users are able to view the assigned addresses via LANmonitor. In addition to the name of the remote station, the current IP address as well as the addresses of DNS and NBNS servers can be found there.
7.7 Extended connection for flat rates—Keep-alive
The term flat rate is used to refer to all-inclusive connection rates that are not billed according to connection times, but instead as a flat fee for fixed periods.
holding time of 0 seconds then. However, connections interrupted by the remote site are not automatically re-established with this setting.
No callback
For this setting, the callback entry must be set to 'off' when configuring via WEBconfig or in the console.
The callback party selects 'Call back the remote site (fast procedure)' in the name list and enters the calling number ('LANCOM' when configuring via WEBconfig, terminal program or Telnet).
The setting 'Name' offers the greatest security when an entry is made into the number list as well as the PPP list. The setting 'LANCOM' offers the fastest callback method between two LANCOM routers.
Two methods of channel bundling
Static channel bundling
If a connection is established with static channel bundling, the LANCOM tries to establish the second B channel immediately after setting up the first B channel.
Depending on the type of application, the B1 hold time should be increased to such a level that the connection is not dropped prematurely because of packets not being transmitted for a short time.
8 Firewall
For most companies and many private users, work without the Internet is no longer conceivable. E-mail and web are indispensable for communication and information search.
Destroy data on the workstations of the LAN. Paralyse workstations of the LAN or the connection to the Internet. We restrict ourselves in this section to the attacks on local networks (LAN) resp.
protocol, the search for open ports is also called “port scanning”. On this occasion, the attacker starts an inquiry for.
that a defenceless workstation installed in the Internet will - perhaps even accidentally - become the victim of attacks.
8.2 What is a Firewall?
The term “Firewall” is interpreted very differently.
which are used for creation of the rules and which are checked during the operation of the Firewall, one distinguishes different types of Firewalls.
Packet filters
One speaks about a packet filter-based Firewall if the router only checks the details in the header of the data packets and decides on the basis of this information whether the packet may pass or not.
it is expecting the connection. The server will as a result establish a connection from its port 20 to the desired port of the client.
packets that do not belong to one of the tracked sessions of the connection state table will be automatically discarded. Additionally, the Stateful Inspection is able to track from the connection set-up whether additional channels are negotiated for data exchange or not.
table, because the connection to the LAN has been initiated from the client.
only the one with the correct delivery note will pass. Likewise, a second courier demanding access to the employee will be rejected, too.
Application Gateways: There is never a direct connection, e.g. between a client of the local network and a server of the Internet. The LAN workstations only see the proxy, and the workstations of the Internet likewise.
8.3.1 How the LANCOM Firewall inspects data packets
The Firewall filters only those data packets out of the entire data stream running through the IP router of the LANCOM for which a special treatment has been defined.
The Firewall only checks routed data packets! The Firewall only checks data packets routed by the IP router of the LANCOM. In general, these are the data packets which are exchanged between one of the WAN interfaces and the internal networks (LAN, WLAN, DMZ).
The LANCOM Firewall uses several lists for checking data packets, which are automatically generated from.
list will be carried out. If the action intends to accept the packet, then an entry is made in the connection list, as well as for any further actions. If no explicit Firewall rule exists for a data packet, the packet will be accepted ('Allow-All').
a dynamic one, new entries can be added continuously with the appropriate Firewall actions.
However, if the server wants to send larger sets of data (e.
ICMP connections For ICMP two cases must be differentiated: the ICMP request/reply connections, as used with "ping", and the ICMP error messages, which can be received as an answer to any IP packet.
Please notice that the N:N mapping functions ('N:N mapping' → page 80) are only active when the Firewall has been swi.
Route: Fragmented packets are passed on without any further checking by the Firewall, as long as permitted by valid filter settings. Re-assemble: Fragmented packets are buffered and re-assembled to complete IP packets.
route" are also suppressed, so that the LANCOM cannot be found, neither by "ping" nor by "traceroute". Possible settings are: Off: ICMP answers are not blocked.
the needed port will be opened for a short time (20 seconds) solely for the authentication inquiry. This behaviour of the Firewall in TCP Stealth mode can be suppressed specifically with the parameter "Always mask authentication port, too".
Create VPN rule: Is this Firewall rule also used to create a VPN rule? (→ page 127) Priority When setting up the filter list of the Firewall rules, the LANCOM will automatically sort the entries.
either a rule applies to the packet for which 'observe further rules' is not activated, or the list of the Firewall rules has been completely worked through without applying a further rule to the packet.
action sets. If the same trigger is used for several action sets, the sequence of action sets can be adjusted.
The entire local network (LAN) Certain remote stations (described by the name of the name list) Certain stations of t.
Limit / Trigger The limit or trigger describes a quantified threshold value that must be exceeded on the defined connection before the filter action gets executed for a data packet.
SNMP/LANmonitor: Sends an SNMP trap that will be analyzed e.g. by LANmonitor. Each of these three message measures leads automatically to an entry in the Firewall event table.
Firewall. The specific parameters for the different alerting types, such as the relevant email account, can be set at the following places: An example: Let us assume a filter named 'BLOCKHTTP', which blocks all access to a HTTP server 192.
FROM: LANCOM_Firewall@MyCompany.com TO: Administrator@MyCompany.com SUBJECT: packet filtered Date: 9/24/2002 15:06:46 The packet below Src: 10.0.0.37:4353 {cs2} Dst: 192.168.200.
SNMP: Generic trap = enterpriseSpecific (6) SNMP: Specific trap = 26 (0x1A) SNMP: Time stamp = 1442 (0x5A2) System descriptor SNMP: OID = 1.3.6.1.2.1.1.1.0 1. SNMP: String Value = LANCOM Business 6021 2.
This contradiction shows the dilemma of the responsible administrators, who have subsequently developed different strategies to solve this problem. Allow All The Allow All strategy favours unhindered communication of the employees over security.
Some LANCOM models support this structure by a separate LAN interface used only for the DMZ. Looking at the path of data through the LANCOM, the function of the Firewall for shielding the LAN against the DMZ becomes visible.
A direct data exchange between LAN and DMZ via LAN bridge is not possible if a dedicated DMZ port is used.
If you operate a web server in your LAN, that has been permitted access to this service from the outside.
Example configuration "Basic Internet" If you want to permit a VPN dial-in to a LANCOM acting as VPN gateway, the.
For a network coupling you additionally permit the communication between the involved networks: If you operate e.g. your own web server, you selectively allow access to the server: For diagnostic purposes it is helpful to allow ICMP protocols (e.
8.3.8 Configuration of Firewall rules Firewall wizard The fastest method to configure the Firewall is provided by t.
LANconfig The filters can be installed very comfortably with LANconfig. Starting from the general register card "F.
The option 'Observe further rules ...' can be used to create complex functions ensuring e.
Stations: Here the stations – as sender or addressee of the packets – are specified for which the filter rule shall match. Services: Here the IP protocols, source and destination ports are specified for which the filter rule shall apply.
WEBconfig, Telnet Under WEBconfig or Telnet the Firewall rules are configured in the following menus and lists: There is a special syntax in LCOS for the description of the Firewall rules.
action table for Firewall actions (→ page 147). It can also contain direct descriptions in the appropriate LCOS syntax (e.
Stations and services can be described according to the following rules in the object table: Equal identifiers can generate comma-separated lists, as for example host lists/address lists (%A10.
Conditions If no further actions are specified in a "connect" or "Internet" filter, then implicitly a combination of these filters with the "reject" action is assumed.
If an action is given without any associated limit, then implicitly a packet limit is assumed that is immediately exceeded with the first packet. Packet action These packet actions can be combined arbitrarily.
Further measures If the "close port" action is executed, an entry is made in a block list, by which all packets sent to the respective computer and port get rejected.
send at the same time an email to the administrator, then the description of the object for the action reads as follows: This description permits traffic (%a) at the beginning.
last five events that were triggered either by a Firewall rule, the DoS, or the IDS system with activated 'SNMP/LANmonitor' option.
If you call up the logging table via LANmonitor, it looks like the following depiction: If you call up the logging table via WEBconfig, it looks like the following depiction: The table contains the following values: Element Element meaning Idx.
All Firewall actions are likewise displayed within the IP router trace ('How to start a trace' → page 48). Furthermore, some LANCOM models have a Firewall LED, which signals each filtered packet.
On Telnet level, the content of the filter list can be displayed with the command.
The connection list The connection table files source address, destination address, protocol, source port, destination port, etc. of a connection, as well as possible actions.
The table contains the following elements:
Element: Element meaning
Src addr.: Source address of the connection
Dst addr.: Destination address of the connection
Protocol: Used protocol (TCP/UDP etc.
Meaning of the flags of the connection list Port block list Address, protocol and port of a destination station are filed in the port block list if blocking of the destination port on the destination station was selected as a filter's packet action.
Sorting is done according to address, protocol and port. The table contains the following elements: Host block list The address of a station is filed in the host block list if blocking of the sender was selected in a filter's packet action.
8.4 Protection against break-in attempts: Intrusion Detection A Firewall has the task to examine data traffic across borders between networks, and to reject those packets which do not have a permission for transmission.
8.4.2 Configuration of the IDS LANconfig Parameters of the Intrusion Detection System are set in LANconfig in the configurati.
8.5 Protection against "Denial of Service" attacks Attacks from the Internet can be break-in attempts, as well as attacks aiming to block the accessibility and functionality of individual services.
during the attack and, moreover, the owner of the falsified address cannot receive normal data any more during the attack. If the falsified sender address is the broadcast address of the second network, all workstations in this network are blocked, too.
a new Denial of Service attack can result thereby if the memory of the victim is exhausted. Teardrop The Teardrop attack works with overlapping fragments. After the first fragment another one is sent, which overlaps completely within the first one, i.
8.5.2 Configuration of DoS blocking LANconfig Parameters against DoS attacks are set in LANconfig in the configuration tool.
The connection will be cut off. The sender address will be blocked for an adjustable period of time. The destination port of the scan will be blocked for an adjustable period of time.
WEBconfig, Telnet With WEBconfig or Telnet the suppression of responses can be configured here: Configuration tool Run WEBc.
9 Quality of Service This chapter dedicates itself to quality: Under the generic term Quality of Service (short: QoS) those LCOS functions are summarized which are concerned with the guarantee of certain service availabilities.
desired data transfer, certain data packets must be treated preferentially. For this it is necessary that at first a LANCOM recognizes which data packets should be preferred at all.
Limited maximum bandwidth What is DiffServ? DiffServ stands for "Differentiated Services" and is a quite recent model to signal the priority of data packets.
9.2.1 Guaranteed minimum bandwidths Hereby you give priority to enterprise-critical applications, e.g. Voice-over-IP (VoIP) PBX systems or certain user groups.
9.2.2 Limited maximum bandwidths Hereby you limit e.g. the entire or connection-related maximum bandwidth for server accesses. An example: You operate both a Web server and a local network on a shared Internet access.
As long as the interval for the minimum bandwidth is not exceeded (i.e. up to the end of the current second), all packets in this queue are treated without further special priority.
data packets it is still able to receive, and thus brakes the data stream already within the router. As a result, the queues will automatically fill up. The case is different if an Ethernet interface represents the connection to the WAN.
standard DSL connection, the DSL interface is thus adjusted in the LANCOM to the appropriate upstream rate (e.
Standard reception queue All packets that do not need special treatment because of an active QoS rule on the receiving side end up here. Packets of this queue are directly passed on resp.
A resulting delay has no disadvantageous effect on the TCP-secured FTP transfer.
office via VPN connection, over which the Internet traffic is not running simultaneously. 9.5 QoS parameters for Voice over IP applications An important task when configuring VoIP systems is to guarantee a sufficient voice quality.
Accordingly, a VoIP connection should be configured such that the criteria for good speech quality are met: packet loss up to 10%, delay up to 150 ms and jitter up to 10 ms.
In detail, delay is determined especially by the codec used, the resulting packet size and the available bandwidth: The time for processing is determined by the used codec.
the IPSec header must be added (RTP and IPSec headers can be larger, depending on the configuration). Since packets encrypted with DES, 3DES, or AES are only able to grow in block sizes of 64 bytes, the IPSec packet for G.
The transfer time of the packets to the interface (serialization) assumes a PMTU of 512 bytes on a 128 Kbps connection. Therefore, for slower interfaces or other codecs it may be necessary to adjust jitter buffers and/or PMTU values.
tion always the physical data transfer via the respective interface applies as the direction! 9.
DiffServ: The ToS/DiffServ field is interpreted as DiffServ field and evaluated as follows: DiffSer.
WEBconfig, Telnet For configuration with WEBconfig or Telnet, the parameters are entered at the following places into a new Firewall rule: The Firewall rule is extended by the condition "@d" and the DSCP (Differentiated Services Code Point).
The guaranteed bandwidth is defined on index card 'QoS'. The option 'Action only for default route' limits the rule to those packets which are sent or received via the default route.
A maximum bandwidth is simply defined by a limit rule, which discards by a "Drop" action all packets which exceed the defined bandwidth.
(e.g. Voice over IP), this extra overhead is quite noticeable.
9.7.4 Sending and receiving direction LANconfig The interpretation of the data transfer direction can be .
Not packets of certain protocols are reduced, but rather all packets globally on that interface.
The following example shows a setting for Voice over IP telephony: This rule defines the minimum bandwidth for sending and receiving to 32 Kbps, and forces and reduces the PMTU while sending and receiving to packets of 256 byte size.
10 Virtual LANs (VLANs) 10.1 What is a Virtual LAN? The increasing availability of inexpensive layer 2 switches enables the setup of LANs much larger than in the past.
Data traffic of certain logical units should be transmitted with a specific priority compared to other network users.
The tagging is realized by an additional field within the MAC frame. This field contains two important pieces of information for the virtual LAN: VLAN ID: A unique number describes the virtual LAN.
rules for generating and processing of the VLAN tags are assigned to the single interfaces. Coming back again to the first example: A workstation from the marketing sends a data packet to a workstation of the sales department.
Management and user traffic on a LAN Several hot spots are installed on a university campus, so that students equipped with notebooks and WLAN cards have access to the Internet and to the server of the library.
But this task is very burdensome to realize by hardware changes, or even not possible at all, because e.g. only one single central cabling exists in the office building.
10.3 Configuration of VLANs VLAN technology functions are presently only supported by LANCOM Wireless devices.
Example for a network table: 10.3.2 The port table The port table configures the individual ports of the device for use by the VLAN.
10.3.3 Configuration with LANconfig Parameters for virtual networks can be set with LANconfig u.
The definition of the used virtual networks can be accessed via the button VLAN table: The button Port table opens a drop down list where a VLAN port can be selected for editing: 10.
The VLAN configuration shows up under WEBconfig as follows:.
11 Wireless LAN – WLAN 11.1 What is a Wireless LAN? The following sections are a general description of the LCOS operating system functions in wireless networks.
IEEE 802.11a: 54 Mbps IEEE 802.11a describes the operation of Wireless LANs in the 5 GHz frequency band (5.15 GHz to 5.75 GHz), with up to 54 Mbps maximum transfer rate.
transmission. If exactly this range is used by another transmitter, interferences in transmission would be the result.
Your LANCOM base station supports - according to the model type - the standards IEEE 802.11g (downward-compatible to IEEE 802.11b), and/or IEEE 802.
Larger Wireless LANs, connection to LANs with one or more base stations (infrastructure network.
Connecting the Wireless LAN to an existing LAN Extending the coverage of a Wireless LAN Additionally, the use of a base station enables a central administration of the Wireless LAN.
In the example above, the roaming function of the mobile station enables access to the workstation in radio cell A also after changing into radio cell B.
also possible to specifically control the access of workstations in the LAN to the IP routing function of the device.
By the use of narrow beam antennas (e.g. AirLancer Extender), also larger distances can be bridged securely. An additional increase of reach can be achieved by use of further base stations, which operate in relay mode between two LAN segments.
base station. Due to the client mode, it is also possible to integrate devices like PCs or printers having only one Ethernet interface into a Wireless LAN.
In some applications, however, it may be desirable to divide the clients of the radio cell into different groups, each of which is treated in a certain way by the access point.
On the way from the original WEP of the 802.11 standard to 802.11i, a whole series of concepts have arisen that have tended to increase confusion and insecurity among the users.
case, so-called asymmetric encryption methods such as RSA can be used, that is, to decrypt the data a different key is used than the one used to encrypt it.
data packet—a double application of the XOR operation with the same values cancels out.
combination of two clear text packets. If one already knows the contents of one of the two packets, then the clear text of the other is easily determined.
usually weaker than 40 or 104 bits (the current IEEE standards, for instance, assume that a typical password has a strength of about 2.5 bits per character.
for certain values of the RC4 key, conclusions may be drawn about the first values of the pseudo-random sequence it generates—thus about the bytes with which the beginning of the packet is encrypted.
which could automatically crack an arbitrary WLAN connection within a few hours.
the possibility of installing a valid WEP key for the next session is more or less a byproduct. Figure 2 shows the basic process of a session secured by EAP.
The access point is thus a sort of middle man between client and server. It doesn't have to check the contents of these packets, it just has to check that no other data traffic to or from the client can occur.
Further advantages of this procedure include its simple implementation in the access point, with little extension to existing hardware. The disadvantage of the procedure is its complexity.
A simplified procedure for deriving the Master Secret mentioned in the last section, which can be performed without a RADIUS server. Negotiation of encryption procedure between access point and client.
a new component (green), however, besides the CRC, the unencrypted package also has a so-called Michael-MIC attached.
decryption part of TKIP checks this sequentiality and discards packets which contain an already-used IV, which prevents replay attacks. As a further detail, TKIP also mixes the MAC address of the sender into the first phase.
The key handshake breaks down into two phases: first the pairwise key handshake, then the group key handshake (Figure 4).
The client still can't be 'approved', however, because the access point must still transmit a further key—the group key, which it uses to transmit broadcast and multicast packets simultaneously to all stations.
point to show whether encryption should be used or not. This became insufficient the moment WEP was used with key lengths other than 40 bits—the user just had to take care that not only the same value but also the same length was defined.
11.2.6 AES and 802.11i In mid-2004, the long awaited 802.
Similar to TKIP, CCM uses a 48-bit Initial Vector in each packet—an IV repetition is impossible in practice. As in TKIP, the receiver notes the last IV used and discards packets with an IV which is equal to or less than the comparison value.
steps like WPA, the IEEE committee has now presented the new WLAN security standard 802.11i. The TKIP procedure used by WPA is based on the older RC4 algorithm, the foundation of WEP.
example, is not a particularly secure SSID. ('Network settings' → page 251) If you know e.
apply to all of the logical wireless networks supported by this card. These parameters include, for example, the transmitting power of the antenna and the operating mode of the WLAN card (access point or client).
stations. If the stations do not answer these packets, then the charging system recognises the station as no longer active.
Check that the setting 'filter out data from the listed stations, transfer all other' is activated. New stations that are to participate in your wireless network are added with the button 'Stations'.
Configuration with LANconfig For configuration with LANconfig you will find the protocol filter under the configuration area 'WLAN Security' on the 'Protocols' tab.
Redirect address when the 'Redirect' action is selected Example: ARP, DHCP, ICMP will be let through, Telnet and HTTP will be redirected to 192.
incorporated in the 802.11 standard for the encryption of data in wireless transmission. This method uses keys of 40 (WEP64), 104 (WEP128) or 128 bits (WEP152) in length.
Key 1/passphrase In line with the encryption method activated, you can enter a special WEP key fo.
Rules for the entry of the keys can be found in the description of the WEP group key 'Rules for entering WEP keys' → page 243.
keys: a special key for each logical WLAN interface and three common group WEP keys for each physical WLAN interface. If 802.1x/EAP is in use and the 'dynamic key generation and transmission' is activated, the group keys from 802.
Rules for entering WEP keys WEP keys can be entered as ASCII characters or in hexadecimal form. The hexadecimal form begins with the characters '0x'.
Configuration with LANconfig For the configuration with LANconfig, the country settings can be fo.
the list of physical WLAN interfaces by clicking on the button Physical WLAN settings.
Configuration with WEBconfig or Telnet Under WEBconfig or Telnet you can set the operation mod.
this mode, the WLAN card in the access point principally works with the faster standard and falls back on the slower mode should a client of this type log into the WLAN.
possible range and, in particular, the highest possible data transfer rates. Access point density The more access points there are in a given area, the more the reception areas of the antennae intersect.
Point-to-point 'Off': The access point only communicates with mobile clients Poi.
Create IBSS If the station can establish an IBSS (Independent Basic Service Set), meaning an ad hoc network, then the station can connect to other WLAN clients.
LAN' tab. Open the list of logical WLAN interfaces by clicking on the button Logical WLAN settings and select the required logical interface.
Configuration with WEBconfig or Telnet Under WEBconfig or Telnet you can set the network settin.
RTS threshold The RTS threshold prevents the occurrence of the "hidden station" phenomenon. Here, the three access points ①, ②, and ③ are positioned such that no direct wireless connection between the two outer devices is possible.
11.4.5 Additional WLAN functions Apart from the different encryption methods 802.11i/AES, WPA/TKIP or WEP and the closed network, a variety of other functions exist for securing the operation of a wireless network.
Chapter 11: Wireless LAN – WLAN LANCOM Reference Manual LC OS 3.50 255 Wireless LAN – WLAN IEEE 802.1x/EAP The international industry standard IEEE 802.1x and the E xtensible A uthentication P rotocol (EAP) enable access points to carry out reliable and secure access checks.
LANCOM Refer ence Manual LC OS 3.50 Chapter 11: Wireless L AN – WLAN 256 Wireless LAN – WLAN IPSec over WLAN Only with th e LANCOM VPN Option. Not available w ith all LANCOM devices.
Chapter 11: Wireless LAN – WLAN LANCOM Reference Manual LC OS 3.50 257 Wireless LAN – WLAN transmitter and re ceive r . The ar eas where the waves amplify or cancel themselves out are known as Fresnel zones.
LANCOM Refer ence Manual LC OS 3.50 Chapter 11: Wireless L AN – WLAN 258 Wireless LAN – WLAN T o ensure that the Fr esnel zone 1 remains unobstructed, the height of the antennae must exceed that of the highes t obstruction by this radius.
Chapter 11: Wireless LAN – WLAN LANCOM Reference Manual LC OS 3.50 259 Wireless LAN – WLAN connections, and even the air , and amplifying elem ents such as the extern al antennae. 햲 The calculation of the pow er over the path begins at the tr ansmitters's radio module.
LANCOM Refer ence Manual LC OS 3.50 Chapter 11: Wireless L AN – WLAN 260 Wireless LAN – WLAN The dat a transmissi on rate is set according to the recept ion power . A WLAN module has an input sensitivity equiv alent to a power level of , for example, - 80dBm.
Chapter 11: Wireless LAN – WLAN LANCOM Reference Manual LC OS 3.50 261 Wireless LAN – WLAN 햸 The receiving end als o has amplifying and attenuating elements.
LANCOM Refer ence Manual LC OS 3.50 Chapter 11: Wireless L AN – WLAN 262 Wireless LAN – WLAN (P2mP , connection from an access poin t to the register ed clients, e.g. notebooks). The last column in the table shows the transmission power r eduction to be set so that the upper limits of 30 dBm (802 .
Chapter 11: Wireless LAN – WLAN LANCOM Reference Manual LC OS 3.50 263 Wireless LAN – WLAN Assumed cable loss: 9 dB AirLancer Extender O- 70 (802.
LANCOM Refer ence Manual LC OS 3.50 Chapter 11: Wireless L AN – WLAN 264 Wireless LAN – WLAN 11.5.4 T ransmission power r eduction Every country has regulations concerni ng the permissible output power fr om WLAN antennae, often with d ifferences according to the WLAN standard or divided according to indoor or outdoor use.
LANCOM Reference Manual LCOS 3.50, Chapter 12: Office communications with LANCAPI
12 Office communications with LANCAPI: LANCAPI from LANCOM is a special version of the popular CAPI interface.
Which of the computers in the local network should be able to acc.
③ Activate the LANCAPI server for the outgoing and incoming calls, or allow only outgoing calls. ④ In the latter case, the LANCAPI will not respond to incoming calls—to receive faxes, for example.
⑧ Switch to the 'Availability' tab.
If necessary, the system is restarted and LANCAPI is then ready to accept all jobs from the office communications software.
It is also possible to set the interval at which the client checks whether the found or listed servers are still active.
Installation: The CAPI Faxmodem can be installed from the CD setup. Always install the CAPI Faxmodem together with the current version of LANCAPI.
LANCOM Reference Manual LCOS 3.50, Chapter 13: Server services for the LAN
13 Server services for the LAN: A LANCOM offers a number of services for the PCs in the LAN. These are central functions that can be used by workstation computers.
period of validity for the parameters assigned. The DHCP server takes the IP addresses either from a freely defined address pool or determines the addresses automatically from its own IP address (or intranet address).
13.1.3 How are the addresses assigned? IP address assignment: Before the DHCP server can assign IP addresses to the computers in the network, it first needs to know which addresses are available for assignment.
Otherwise, the network mask from the TCP/IP module is used.
it requested. The DHCP module provides two settings for influencing the period of validity: Maximum lease time in minutes: Here you can enter the maximum period of validity that the DHCP server assigns a host.
Checking of IP addresses in the LAN: The DHCP table provides a list of the IP addresses in the LAN.
part specifies the domain. Specifying the domain is optional within a local network. These names could thus be 'www.domain.com' or 'ftp.
Finally, the DNS server checks whether the request is to be forwarded to another DNS server via a WAN interface (special DNS forwarding via the DNS destination table).
Initially the router checks whether a DNS server has been entered in its own settings. If it is successful there, it obtains the desired information from this server.
② Enter the domain in which the DNS server is located. The DNS server uses this domain to determine whether the requested name is located in the LAN.
that are accessible via the router. With the following commands you add stations to the Host names table: For example, if you would like to access the mail server at your headquarters (name: mail.
The DNS server may either be specified by the remote site name (for automatic setting via PPP), or by an explicit IP address of the corresponding name server.
To block only the access of a certain computer (e.g. with IP 10.0.0.123) to COM domains, enter the following values: In the console mode the command is: set 002 *.
The current WAN IP address of a LANCOM can be retrieved at the following address: http://<address of LANCOM>/config/1/6/8/3/ Figure: Retrieving the current IP address from a LANCOM 13.
maximum of 830 charge units may be used in six days. The router will not permit the establishment of any further connections once this limit has been reached.
13.3.3 Settings in the charge module: In the charges module, the online time can be monitored and used to control call establishment. Day(s)/Period: The duration of the monitoring period in days can be specified here.
13.4.1 Setting up the SYSLOG module. 13.4.2 Example configuration with LANconfig. Create SYSLOG client: ① Start LANconfig. Under 'Management', select the 'Log & Trace' tab.
shows the alignment between the internal sources of the LANCOM and the SYSLOG facilities. The eight priority stages defined initially in the SYSLOG are reduced to five stages in the LANCOM.
⑤ After you have set all the parameters, confirm the entries with OK. The SYSLOG client is then entered with its parameters into the SYSLOG table.
LANCOM Reference Manual LCOS 3.50, Chapter 14: Virtual Private Networks—VPN
14 Virtual Private Networks—VPN. 14.1 What does VPN offer? A VPN (Virtual Private Network) can be used to set up cost-effective, public IP networks, for example via the Internet.
The central LAN has a connection to the Internet so that its users can access the Web, and send and receive e-mail. All connections to the outside world are based on dedicated lines, i.
The subsidiary also has its own connection to the Internet. The RAS PCs connect to the headquarters LAN via the Internet. The Internet is available virtually everywhere and typically has low access costs.
Routing at the IP level with VPN: IP connections must be established between routers with public IP addresses in order to link networks via the Internet.
the Internet. With the proper technology, third parties can monitor and even record data traffic. As the packets are encrypted by VPN, the actual content of the packets is inaccessible.
following example illustrates a typical application that is often used in practice.
When VPN clients are dialing in with the appropriate client software, extended functions in the IKE handshake of LANCOM VPN allow the use of different Preshared Keys (PSKs).
DES, key length 56 bit. IKE key exchange with Preshared Keys. Key ex.
In practice, LAN-LAN couplings are frequently used between company headquarters and subsidiaries, or for connections to partner companies.
software then sets up a tunnel to the VPN gateway of the LAN using this Internet connection. The VPN gateway of the LAN must support the establishment of VPN tunnels with the VPN client software of the remote PC.
of the Internet and a private one by which the computer can be reached within the local network. Static and dynamic IP addresses: Public IP addresses must be applied for and managed, which involves costs.
static – dynamic; dynamic – dynamic. Dynamic – static: If a user on computer B in LAN 2 wishes to connect to computer A in LAN 1, then gateway 2 receives a request and tries to establish a VPN tunnel to gateway 1.
Static – dynamic: If, on the other hand, computer A in LAN 1 requires a conne.
translation via dynamic DNS services, a solution often used with flatrate connections. The described connection setup requires an ISDN connection for both VPN gateways.
The LLC element is not available in 1TR6, the German national ISDN. The procedure described above thus will not work with 1TR6. As a subaddress via the D-channel.
address for the DNS name translation.
individual computers (RAS) or the connection of structured networks will be covered subsequently.
14.5.2 Set up VPN connections with the Setup Wizard: If possible, make use of the Setup Wizard within LANconfig to set up VPN connections between local networks.
14.5.3 Inspect VPN rules: VPN rules represent a combination of various pieces of information and they are not directly defined in a LANCOM device; instead, they are compiled from a variety of sources.
Definition of the tunnel endpoints. Definition of the security-related parameters (IKE and IPSec). Definition of the VPN network relationships, i.
14.5.5 Prepare VPN network relationships: The firewall integrated into LANCOM r.
When only a portion of the local intranet is to be available to the remote network, then the automatic method is unsuited, as the IP address range that is open to the VPN connection is too large.
The firewall rules for generating VPN rules are active even when the actual firewall function in the LANCOM device is not required and is switched off! Make sure that the firewall action is set to "Transfer".
14.5.6 Configuration with LANconfig: This section demonstrates how LANconfig can be used to configure a LAN-LAN coupling with additional subnets.
gateway", enter the public address of the remote station: either the fixed IP address or the name for translation by DNS. ④ When using LANCOM Dynamic VPN: Change to the "Communication" configuration area.
accessible in the remote and in the local LAN. In each case, define the router as the remote VPN gateway and switch the IP masquerading off.
As a rule, it is recommended that you keep the rules used for making network relationships separate from those firewall rules that affect the services used in communications, for example.
The only difference is that the source and the destination networks are swapped. 14.5.7 Configuration with WEBconfig: ① Under Configuration > VPN > IKE-Param.
③ Under Configuration > VPN > Connection list, generate a new entry with the name of the remote gateway set to "Name".
"VPN-GW1-REMOTE"). Enter each subnet in the form "%A10.1.0.0 %M255.255.0.0". ⑦ Under Configuration > Firewall/QoS > Rules table, define a new firewall rule named "VPN-GW1-OUT".
only difference is that the source and the destination networks are swapped.
14.6.1 Static/static: A VPN tunnel via the Internet serves as the connection between the LANCOM Headquarters and branch office. Both gateways have static IP addresses.
Headquarters has a fixed, static address. When the connection is set up, Branch office transmits its actual IP address to Headquarters.
Alternatively, this application can be solved with the help of dynamic DNS.
The entries for the ISDN connection are needed solely for the transmission of the actual dynamic IP address. The Internet access wizard configures the connection to the Internet.
14.7.1 IPSec—The basis for LANCOM VPN: The original IP protocol does not contain any provisions for security.
14.7.2 Alternatives to IPSec: IPSec is an open standard. It is not dependent on individual manufacturers and is being developed by the IETF with input from the interested public.
All of these layer-2 protocols only support end-to-end connections; they are therefore not suitable for coupling entire networks.
Security Parameter Index (SPI): ID to distinguish multiple logical connect.
In transport mode, the IP header of the original packet is left unchanged and the ESP header, encrypted data and both trailers are inserted.
The result is a nominal key length of 168 bit, with an effective key length of 112 bits.
The AH process in the sender: In the sender, the authentication data is generated in 3 steps. ① A checksum is calculated for the complete packet using a hash algorithm.
packet. The comparison with the sent ICV of the packet determines the integrity and authenticity of the packet.
Generation of the authentication data: In the second step, AH generates a new hash code using the checksum and a key, the final authentication data.
④ In two further messages, the devices exchange their public keys for Diffie-Hellman. The further communication is encrypted with Diffie-Hellman.
LANCOM Reference Manual LCOS 3.50, Chapter 15: Appendix
15 Appendix: Overview of functions for LANCOM models and LCOS versions. 1) Port Separation (Private Mode) 2) only if VPN option activated 3) not in conjunction with 802.