Manual be.IP 4isdn
Operation as a Media Gateway
Copyright © Version 10.1.27 RC 10/2017 bintec elmeg GmbH
Legal Notice
Warranty
This publication is subject to change.
bintec elmeg GmbH offers no warranty whatsoever for information contained in this manual. bintec elmeg GmbH is not liable for any direct, indirect, collateral, consequential or any
other damage connected to the delivery, supply or use of this manual.
Copyright © bintec elmeg GmbH.
All rights to the data included, in particular the right to copy and propagate, are reserved by
bintec elmeg GmbH.
Open source software in this product
Along with other components, this product contains open source software that has been
developed by third party suppliers and which is licensed under an open source software license. These open source software files are subject to copyright. For a current list of the
open source software programs and the open source software licenses, go to
www.bintec-elmeg.com.
GEMA
This product uses internal music for calls on hold for which approval from GEMA (German
Society for Musical Performance and Mechanical Reproduction Rights) is not required. This
has been confirmed by GEMA with the following approval certification. The approval certification can be viewed at the following web address: www.bintec-elmeg.com. System hold
music: elmeg Song, Hold the line.
Table of Contents
Chapter 1 Introduction
Chapter 2 Introduction
  2.1 be.IP 4isdn
    2.1.1 Setting up and connecting
    2.1.2 Connectors
    2.1.3 Connections (on the side)
    2.1.4 Mounting brackets
    2.1.5 LEDs
    2.1.6 Scope of supply
    2.1.7 General Product Features
  2.2 Reset
  2.3 Presettings
  2.4 Support-Information
Chapter 3 Mounting
  3.1 Connecting terminals
    3.1.1 Internal ISDN connection
  3.2 Reset button
  3.3 Wall mounting
  3.4 Pin Assignments
    3.4.1 Ethernet interfaces
    3.4.2 ISDN interface
    3.4.3 VDSL interface
    3.4.4 Serial interface
Chapter 4 Basic configuration
  4.1 Preparations
    4.1.1 Systemsoftware
    4.1.2 System requirements
    4.1.3 Gathering data
    4.1.4 Setting up a PC
  4.2 Configuring the system
    4.2.1 Network setting (LAN)
    4.2.2 Enter SIP provider
  4.3 Setting up an internet connection
    4.3.1 Internet connection via the internal VDSL modem
    4.3.2 Other internet connections
    4.3.3 Testing the configuration
  4.4 User access
  4.5 Software updates for be.IP 4isdn
Chapter 5 Access and configuration
  5.1 Access via LAN
    5.1.1 HTTP/HTTPS
  5.2 Configuration
    5.2.1 Configuration interface
Chapter 6 Assistants
Chapter 7 System Management
  7.1 Status
  7.2 Global Settings
    7.2.1 System
    7.2.2 Passwords
    7.2.3 Date and Time
    7.2.4 System Licences
  7.3 Interface Mode / Bridge Groups
    7.3.1 Interfaces
  7.4 Administrative Access
    7.4.1 Access
    7.4.2 SSH
    7.4.3 SNMP
  7.5 Remote Authentication
    7.5.1 RADIUS
    7.5.2 Options
  7.6 Configuration Access
    7.6.1 Access Profiles
    7.6.2 Users
  7.7 Certificates
    7.7.1 Certificate List
    7.7.2 CRLs
    7.7.3 Certificate Servers
Chapter 8 Physical Interfaces
  8.1 Ethernet Ports
    8.1.1 Port Configuration
  8.2 ISDN Ports
    8.2.1 ISDN Configuration
    8.2.2 MSN Configuration
  8.3 DSL Modem
    8.3.1 DSL Configuration
Chapter 9 LAN
  9.1 IP Configuration
    9.1.1 Interfaces
  9.2 VLAN
    9.2.1 VLANs
    9.2.2 Port Configuration
    9.2.3 Administration
Chapter 10 Wireless LAN Controller
  10.1 Wizard
    10.1.1 Wireless LAN Controller Wizard
    10.1.2 Wireless LAN Controller VLAN Configuration
  10.2 Controller Configuration
    10.2.1 General
    10.2.2 Slave AP Autoprofile
  10.3 Slave AP configuration
    10.3.1 Slave Access Points
    10.3.2 Radio Profiles
    10.3.3 Wireless Networks (VSS)
  10.4 Monitoring
    10.4.1 WLAN Controller
    10.4.2 Slave Access Points
    10.4.3 Active Clients
    10.4.4 Wireless Networks (VSS)
    10.4.5 Client Management
  10.5 Neighbor Monitoring
    10.5.1 Neighbor APs
    10.5.2 Rogue APs
    10.5.3 Rogue Clients
  10.6 Maintenance
    10.6.1 Firmware Maintenance
Chapter 11 Networking
  11.1 Routes
    11.1.1 IPv4 Route Configuration
    11.1.2 IPv6 Route Configuration
    11.1.3 IPv4 Routing Table
    11.1.4 IPv6 Routing Table
    11.1.5 Options
  11.2 IPv6 General Prefixes
    11.2.1 General Prefix Configuration
  11.3 NAT
    11.3.1 NAT Interfaces
    11.3.2 NAT Configuration
    11.3.3 NAT - Configuration example
  11.4 Load Balancing
    11.4.1 Load Balancing Groups
    11.4.2 Special Session Handling
    11.4.3 Load balancing - Configuration example
  11.5 QoS
    11.5.1 IPv4/IPv6 Filter
    11.5.2 QoS Classification
    11.5.3 QoS Interfaces/Policies
  11.6 Access Rules
    11.6.1 Access Filter
    11.6.2 Rule Chains
    11.6.3 Interface Assignment
Chapter 12 Multicast
  12.1 General
    12.1.1 General
  12.2 IGMP
    12.2.1 IGMP
    12.2.2 Options
  12.3 Forwarding
    12.3.1 Forwarding
Chapter 13 WAN
  13.1 Internet + Dialup
    13.1.1 PPPoE
    13.1.2 PPTP
    13.1.3 PPPoA
    13.1.4 IP Pools
  13.2 ATM
    13.2.1 Profiles
    13.2.2 Service Categories
    13.2.3 OAM Controlling
  13.3 Real Time Jitter Control
    13.3.1 Controlled Interfaces
Chapter 14 VPN
  14.1 IPSec
    14.1.1 IPSec Peers
    14.1.2 Phase-1 Profiles
    14.1.3 Phase-2 Profiles
    14.1.4 XAUTH Profiles
    14.1.5 IP Pools
    14.1.6 Options
  14.2 be.IP Secure Client
  14.3 LISP Light
    14.3.1 Router (ITR/ETR)
    14.3.2 Local/Remote-Sites
    14.3.3 EID Prefix Segregation (LISP Instances)
Chapter 15 Firewall
  15.1 Policies
    15.1.1 IPv4 Filter Rules
    15.1.2 IPv6 Filter Rules
    15.1.3 Options
  15.2 Interfaces
    15.2.1 IPv4 Groups
    15.2.2 IPv6 Groups
  15.3 Addresses
    15.3.1 Address List
    15.3.2 Groups
  15.4 Services
    15.4.1 Service List
    15.4.2 Groups
  15.5 Configuration
    15.5.1 SIF - Configuration example
Chapter 16 VoIP
  16.1 Settings
    16.1.1 Extensions
    16.1.2 SIP Accounts
    16.1.3 Locations
    16.1.4 ISDN Trunks
    16.1.5 Options
  16.2 Media Gateway
    16.2.1 Call Routing
    16.2.2 CLID Translation
    16.2.3 Call Translation
Chapter 17 Local Services
  17.1 DNS
    17.1.1 Global Settings
    17.1.2 DNS Servers
    17.1.3 Static Hosts
    17.1.4 Domain Forwarding
    17.1.5 Dynamic Hosts
    17.1.6 Cache
    17.1.7 Statistics
  17.2 HTTPS
    17.2.1 HTTPS Server
  17.3 DynDNS Client
    17.3.1 DynDNS Update
    17.3.2 DynDNS Provider
  17.4 DHCP Server
    17.4.1 IP Pool Configuration
    17.4.2 DHCP Configuration
    17.4.3 IP/MAC Binding
    17.4.4 DHCP Relay Settings
    17.4.5 DHCP - Configuration example
  17.5 DHCPv6 Server
    17.5.1 DHCPv6 Server
    17.5.2 DHCPv6 Global Options
    17.5.3 Stateful Clients
    17.5.4 Stateful Clients Configuration
  17.6 CAPI Server
    17.6.1 User
    17.6.2 Options
  17.7 Scheduling
    17.7.1 Trigger
    17.7.2 Actions
    17.7.3 Options
    17.7.4 Configuration example - Time-controlled Tasks (Scheduling)
  17.8 Surveillance
    17.8.1 Hosts
    17.8.2 Interfaces
    17.8.3 Ping Generator
  17.9 UPnP
    17.9.1 Interfaces
    17.9.2 General
  17.10 HotSpot Gateway
    17.10.1 HotSpot Gateway
    17.10.2 Options
  17.11 Wake-On-LAN
    17.11.1 Wake-On-LAN Filter
    17.11.2 WOL Rules
    17.11.3 Interface Assignment
  17.12 Trace Interface
    17.12.1 Trace Interface
    17.12.2 Trace VoIP/SIP
Chapter 18 Maintenance
  18.1 Log out Users
    18.1.1 Log out Users
  18.2 Diagnostics
    18.2.1 Ping Test
    18.2.2 DNS Test
    18.2.3 Traceroute Test
  18.3 Software & Configuration
    18.3.1 Options
  18.4 Reboot
    18.4.1 System Reboot
  18.5 Factory Reset
Chapter 19 External Reporting
  19.1 Syslog
    19.1.1 Syslog Servers
  19.2 IP Accounting
    19.2.1 Interfaces
    19.2.2 Options
  19.3 Alert Service
    19.3.1 Alert Recipient
    19.3.2 Alert Settings
  19.4 SNMP
    19.4.1 SNMP Trap Options
    19.4.2 SNMP Trap Hosts
  19.5 SIA
    19.5.1 SIA
Chapter 20 Monitoring
  20.1 Internal Log
    20.1.1 System Messages
  20.2 IPSec
    20.2.1 IPSec Tunnels
    20.2.2 IPSec Statistics
  20.3 ISDN/Modem
    20.3.1 Current Calls
    20.3.2 Call History
  20.4 Interfaces
    20.4.1 Statistics
    20.4.2 Network Status
  20.5 Bridges
    20.5.1 br<x>
  20.6 HotSpot Gateway
    20.6.1 HotSpot Gateway
  20.7 QoS
    20.7.1 QoS
Glossary
Index
Chapter 1 Introduction
Important
Read these notes on the application of your be.IP 4isdn carefully. Features not included in this manual are not supported!
Our Media Gateway be.IP 4isdn with its integrated business router offers easy entry into
the world of IP technology.
The device has been designed with the migration of existing ISDN PABXs to All-IP connections in mind. "Migration", in this context, means that you are enabled to continue using
your ISDN PABX with all its connected terminals like telephones and fax devices without
having to change the actual PABX configuration. Since our gateway offers four ISDN ports,
it is suitable for locations with multiple ISDN point-to-multi-point or point-to-point connections. If the four ports prove to be insufficient, you can link two be.IP 4isdn. The resulting
unit enables you to migrate an ISDN PABX with up to eight ISDN connections and 16 simultaneously used voice channels to an ALL-IP connection.
If you are in need of voice trans-coding, our Media Gateway be.IP 4isdn is a perfect
choice, as well. Due to the use of additional DSPs the number of simultaneously available
connections is significantly higher than with other devices of the be.IP series - even without
the use of ISDN.
Of course, the device also supports all of the common fax applications through CAPI at the
ISDN port. If your company runs a server-based Email system that a third party CAPI interface expands by fax, voice mail and voice messaging, a be.IP 4isdn operating in Media
Gateway mode enables you to control ISDN interfaces on virtualized server systems, too.
Third party CAPI applications connected directly to an ISDN connection often no longer
work with All IP connections. For this, be.IP 4isdn offers "Fax mode" operation and hence
the possibility to operate your existing systems directly at a SIP connection through CAPI, entirely without the use of ISDN. Our CAPI2SIP solution will migrate your CAPI applications
into the ALL IP era.
Chapter 2 Introduction
2.1 be.IP 4isdn
This chapter will show you how to set your device up, connect it and get it working in just a
few minutes.
We then explain the configuration in more detail, step by step. A detailed online
help system gives you extra support.
The PDF version of this document contains a slim version of the manual. It comprises all
information on installation as well as the description of all configuration parameters, but no
screen shots. An HTML-based version containing the screen shots is available as a ZIP file
in the download section of your device. Unpack the ZIP file into a folder of your choice and
call “start.html” in a web browser.
2.1.1 Setting up and connecting
be.IP 4isdn is operated at a purely IP-based connection. Telephony is exclusively VoIP-based, but your choice of connected devices is not restricted in any way. You can connect
SIP, analogue and ISDN phones as well as PCs.
Caution
Please read the safety instructions carefully before installing and starting up your
device.
Caution
Using an incorrect power supply unit may damage your device! You should only use
the power supply unit provided!
Set up and connect in the following sequence:
(1) Installation
When operational, be.IP 4isdn needs to be wall-mounted in an upright position or
well ventilated inside of a device rack (please read chapter Mounting on page 11
carefully).
(2) Mains connection
Connect the network connection on the device with the power supply unit provided
to a 230 V mains socket.
(3) DSL
Connect the DSL connector to the TAE plug using the grey cable.
(4) ISDN telephones
Connect an ISDN telephone at the internal ISDN connector of the be.IP 4isdn. To
do this, use the cable provided with the terminal.
(5) SIP telephones
Connect your SIP telephones to the 10/100/1000 Base-T Ethernet interfaces. In a
last step connect your PC and follow the instructions from the installation poster.
(6) PC
Connect a suitable PC to one of the Ethernet ports of be.IP 4isdn using an Ethernet
cable. Should you run into any problems with the connection between your PC and
your be.IP 4isdn, read the corresponding sections on the basic configuration of
your device.
(7) SYNC
The SYNC connector enables you to connect a second be.IP 4isdn using a SYNC
cable. This provides an additional four ISDN connections.
Note
The additional connections are available in Media Gateway mode only!
(8) VoIP
For a pure IP connection without ISDN refer to the instruction provided by your service provider.
2.1.2 Connectors
1 DSL interface Annex B/J
2 10/100/1000 Base-T Ethernet interface (LAN 1 - LAN4)
3 Ethernet WAN interface (LAN5)
4 Interface for ISDN telephones (ISDN1 - ISDN4)
5 SYNC interface
6 Socket for the power supply unit
2.1.3 Connections (on the side)
1 Function key
2 Console
2.1.4 Mounting brackets
Due to the position of the devices in a rack it is recommended to use a remote antenna. Attach the mounting brackets to the device using the supplied screws. The mounting brackets
and screws are available as an accessory (Part No. MN40285514).
Note
During operation in a rack the ambient temperature must not exceed 40 °C.
2.1.5 LEDs
The LEDs provide information on the device's activities and statuses.
The LEDs on your be.IP 4isdn are arranged as follows:
In operation mode, the LEDs display the following status information for your device:
LED status display
LED | Status | Information
Service | on | Undergoing automatic maintenance
Service | off | No automatic maintenance
DSL | on | Connection established
DSL | slow flashing | Synchronisation running
DSL | off | No synchronisation
DSL | flickering | Data transfer
TEL | on | Telephony ready at IP connector (Voice over IP)
TEL | off | Telephony not configured
ISDN1 to ISDN4 | on | ISDN telephone system connected
ISDN1 to ISDN4 | off | On standby or not functioning
Status | on | After switching on: Device is started. While operation: Fault
Status | slow flashing | The device is active
Power | on | The power supply is connected
Power | off | No power supply
The LEDs for the Ethernet sockets LAN 1-4 (LAN) and LAN5 (WAN) show the following
status information:
Ethernet-LEDs
LED | Colour | Status | Information
LAN 1 to 4 (Link/Act) | Green | on | Ethernet connection established
LAN 1 to 4 (Link/Act) | Green | flashing | Data transmission via Ethernet
LAN 1 to 4 (Link/Act) | - | off | No Ethernet connection
LAN 1 to 4 (Speed) | Green | on | 1000 Mbit/s transfer rate
LAN 1 to 4 (Speed) | Orange | on | 100 Mbit/s transfer rate
LAN 1 to 4 (Speed) | - | off | 10 Mbit/s transfer rate
LAN 5 (Link/Act) | Green | on | WAN Ethernet connection established
LAN 5 (Link/Act) | Green | flashing | Data transmission via ETH5t
LAN 5 (Link/Act) | - | off | No Ethernet connection
LAN 5 (Speed) | Green | on | 1000 Mbit/s transfer rate
LAN 5 (Speed) | Orange | on | 100 Mbit/s transfer rate
LAN 5 (Speed) | - | off | 10 Mbit/s transfer rate
LEDs back view
The LEDs are linked to those on the top of the device and show the identical behavior.
1 Status: Yellow
2 Service: Yellow
2.1.6 Scope of supply
Your device is supplied with the following parts:
Product Name | Cables/Accessories | Documentation
be.IP 4isdn | One Ethernet LAN cable (yellow) | Installation poster
be.IP 4isdn | One Ethernet WAN cable (blue) | Safety instructions
be.IP 4isdn | One VDSL cable (grey) | -
be.IP 4isdn | Power supply unit | -
be.IP 4isdn | 19" kit and screws | -
2.1.7 General Product Features
The general product features comprise the performance features and the technical
requirements for installing and operating your device.
General Product Features be.IP 4isdn
Property | Value
Dimensions and weights:
Equipment dimensions without cable (B x H x D) | 328 x 193 x 44 mm
Weight | approx. 900 g
Transport weight (incl. documentation, cables, packaging) | approx. 1,800 g
Memory | 128 MB SDRAM
LEDs | 20 (9x Function, 1 x Service, 5x2 Ethernet)
Power consumption of the device | max. 30 W 12 V DC
Voltage supply | 12 V DC, 2.5 A
Environmental requirements:
Storage temperature | -25 °C to +70 °C
Operating temperature | 0 °C to +40 °C
Relative atmospheric humidity | max. 85%
Room classification | Operate only in dry rooms
Available interfaces:
VDSL interface | Internal VDSL modem
Ethernet IEEE 802.3 LAN (4-port switch) | Permanently installed (twisted pair only), 10/100/1000 Mbps, autosensing, MDIX
DMZ interfaces | Permanently installed (twisted pair only), 10/100/1000 Mbps, autosensing, MDIX
ISDN interfaces (ISDN1 to ISDN4) | 4 internal ISDN interfaces, ISDN termination
SYNC interface | SYNC
Serial interface V.24 | Permanently installed, supports Baud rates: 1200 to 115200 Baud
Available sockets:
VDSL interface | 1 x RJ45 socket (grey)
Ethernet interfaces LAN1 to LAN4 | 4 x RJ45 socket with integrated LEDs
Ethernet interface LAN5 (WAN) | 1 x RJ45 socket with integrated LEDs
BRI interface ISDN1 to ISDN4 | 4 x RJ45 socket (black)
SYNC interface | 1 x RJ45 socket
Serial interface V.24 | 5-pole mini USB socket
Barrel connector socket for power supply
2.2 Reset
The reset is performed by using the reset button at the terminal area.
The device is rebooted by pressing the key briefly (approx. one second). Pressing the key is
equivalent to an interruption of the power supply. Saved data are preserved, but all connections are interrupted.
If you press the reset key for approx. 30 seconds, the device performs a factory reset. Connection data for incoming and for outgoing phone calls are preserved. The configuration is
deleted and all passwords are reset.
The reset has finished once the status LED flashes continuously again after approx. 30
seconds.
2.3 Presettings
Certain settings have already been pre-configured so that it only takes you a few steps to
start using your device for the first time.
Note
Consult the user's guide for your existing terminals to find out how the features can be
used and with which settings.
You can change these presettings to meet your personal requirements and connection situation.
Configuration interface
In the ex works state, you can access your device's configuration interface through one of
the LAN connections at this address:
• IP Address:
• Netmask:
In the ex works state, you should use the following access data to configure your device
using the configuration interface:
• User Name:
• Password:
Note
After you log into the device for the first time, you will be prompted to enter a secure
password. When you do this, please note the guidance that is displayed on secure
passwords! When the configuration procedure is complete, select the Save configuration button! Otherwise the new, secure password will be lost when there is a restart.
Select operating mode
be.IP 4isdn allows you to switch between the operation modes of a PABX and that of a
media gateway.
Note
After switching to the media gateway operation mode, you can find appropriate documentation of the software in the manual of the be.IP 4isdn.
Case 1: If the password has not yet been changed, you can select the operating mode
once you log in.
Case 2: If the password has been changed, the device has been configured as a telephone
system ex works. You can also change operating mode in the menu Assistants->First
Steps->Operating Mode. Note that some features will not then be available. Assembly
and the basic configuration are exactly the same.
Note
If you switch from telephone system to media gateway or from media gateway to telephone system, the device does a factory reset. This means that the device reverts to
the condition it was in when it was supplied. The configuration is deleted and all the passwords are reset.
Provider selection
After the first login to the web interface you are given the option to choose your Internet
provider.
If you want to configure a connection provided by Deutsche Telekom, follow the steps of
the Initial operation Telekom menu. Clicking Apply takes you through the individual steps
(see also the installation poster section First time use with the initial operation menu).
If you want to configure a connection offered by a different provider, you are taken to User
view of the status page of your device. If you click on one of the buttons, you are taken
to the corresponding configuration assistant.
2.4 Support-Information
If you have any questions about your new product, please contact a local, certified retailer
for prompt technical support. Resellers have been trained by us and receive privileged support.
Further information on our support and service offers can be found on our web site at
www.bintec-elmeg.com .
Chapter 3 Mounting
Warning
To avoid electric shocks, please take care when connecting telecommunications networks (TNV electric circuits). LAN ports also use RJ connectors.
Caution
To ensure that the be.IP 4isdn can operate free of faults, it must be mounted upright
on a wall or inside a well-ventilated device rack. The device should not be exposed
to direct sunlight or other sources of heat. Please also note the gaps that you need to
comply with (see Wall mounting on page 11).
3.1 Connecting terminals
3.1.1 Internal ISDN connection
Each internal ISDN connection on the be.IP 4isdn provides a
2.5 watt power supply for connecting a maximum of two unpowered ISDN terminals. In its
ex works state, the internal ISDN connection is set up as a "short passive bus" ("S0 bus").
This is the simple bus cabling in an ISDN system, with a length of up to 120 m.
3.2 Reset button
The reset button which allows you to restart the device or to reset it to the ex works state is
located at the terminal area (cf. Reset on page 8).
3.3 Wall mounting
The various assembly processes are described in this section. Please comply with these
processes.
(1) Find an installation site which is a maximum of 1.5 metres away from a 230 V mains socket and 2.5 metres from the network operator's transfer point.
(2) To prevent devices interfering with each other, do not install the device close to electronic devices such as hi-fi systems, office equipment or microwave ovens. Neither should you install it near heat sources such as radiators, or in damp rooms.
(3) Comply with the gaps as indicated at the bottom in the picture.
(4) Mark the drilling holes in the wall.
(5) Check that all the points where the be.IP 4isdn is attached to the wall can bear its weight. Ensure that there are no utility lines, cables etc located in the area where the holes are marked.
(6) Drill the holes at the points marked (if inserting into rawlplugs, use a 5 mm masonry drill). Insert the rawlplug.
(7) Screw in the top two screws in such a way that there is still a gap of about 5 mm between the screw head and the wall.
(8) Hang the be.IP 4isdn with the rear brackets from above behind the screw heads.
(9) If necessary, install the sockets for the terminals. Connect the socket installation to that of the device. The sockets are used for a permanent installation, for example in a hallway. When they are installed, the connecting cables are connected to the connectors on the device.
(10) Plug the connectors on the device into the sockets.
(11) Connect the be.IP 4isdn to the external connections. To do this, you can follow the instructions given on the installation poster provided.
(12) Plug the power supply unit into the 230 V socket.
(13) Plug the barrel connector on the power supply unit into the corresponding socket on your device.
(14) Now you are ready to use the device.
3.4 Pin Assignments
3.4.1 Ethernet interfaces
The devices feature an Ethernet interface with integrated 4 port switch (ETH1 - ETH4).
The 4-port switch is used to connect individual PCs or other switches. The connection occurs via RJ45 sockets.
The pin assignment for the Ethernet 10/100/1000 Base-T interface (RJ45 connector) is as
follows:
RJ45 socket for Ethernet connection

| Pin | Function |
|---|---|
| 1 | Pair 0 + |
| 2 | Pair 0 - |
| 3 | Pair 1 + |
| 4 | Pair 2 + |
| 5 | Pair 2 - |
| 6 | Pair 1 - |
| 7 | Pair 3 + |
| 8 | Pair 3 - |

3.4.2 ISDN interface
The connection is made via an RJ45 socket:
The pin assignment for the ISDN interface (RJ45 socket) is as follows:
RJ45 socket for ISDN connection

| Pin | Function |
|---|---|
| 1 | Not used |
| 2 | Not used |
| 3 | Transmit (+) |
| 4 | Receive (+) |
| 5 | Receive (-) |
| 6 | Transmit (-) |
| 7 | Not used |
| 8 | Not used |

3.4.3 VDSL interface
The be.IP 4isdn has an xDSL interface. The VDSL interface is connected via an RJ45
plug.
Only the two inner pins are used for the VDSL connection.
The pin assignment for the VDSL interface (RJ45 socket) is as follows:
RJ45 socket for VDSL connection

| Pin | Function |
|---|---|
| 1 | Not used |
| 2 | Not used |
| 3 | Not used |
| 4 | Line 1a |
| 5 | Line 1b |
| 6 | Not used |
| 7 | Not used |
| 8 | Not used |

3.4.4 Serial interface
Your device has a serial interface for connection to a console. This supports Baud rates
from 1200 to 115200 Bps.
The interface is designed as a 5-pole mini USB socket.
The pin assignment is as follows:
Pin assignment of the mini USB socket

| Pin | Position |
|---|---|
| 1 | Not used |
| 2 | TxD |
| 3 | RxD |
| 4 | Not used |
| 5 | GND |

Chapter 4 Basic configuration
The way to obtain the basic configuration is explained below step-by-step. A detailed online
help system gives you extra support.
4.1 Preparations
Your device is factory configured as a DHCP server so that it can provide PCs on your LAN
that have no IP configuration with all the information required for a connection. How you set
up the PC that you want to do the basic configuration on so that it automatically gets an IP
configuration is described in Setting up a PC on page 18.
Note
If you already run a DHCP server on your LAN, it is recommended that you connect
only a single PC to your be.IP 4isdn so that a separate network is created.
4.1.1 System software
Your device contains the version of the system software available at the time of production.
More recent versions may have since been released.
You can easily update it using the configuration interface in the Maintenance->Software
& Configuration menu. For a description of the procedure, see Software updates for be.IP
4isdn on page 22.
4.1.2 System requirements
To configure the device, your PC must meet the following system requirements:
• Suitable operating system (Windows, Linux, Mac OS)
• A web browser (Internet Explorer, Firefox, Chrome) in the current version
• Installed network card (Ethernet)
• Installed TCP/IP protocol
• High colour display to show the graphics correctly
4.1.3 Gathering data
The main data needed for the configuration with the configuration interface can be collected quickly.
Before you start the configuration, you should gather the data for the following purposes:
• Network settings (only if you intend to integrate your device into an existing network infrastructure)
• SIP provider
• Internet access
The following table shows examples of possible values for the necessary access data. You
can enter your personal data in the "Your values" column, so that you can refer to these
values later when needed.
Basic configuration
For a basic configuration of your device, you need information that relates to your network
environment:
Network settings

| Access data | Example value | Your values |
|---|---|---|
| IP address of your gateway | | |
| Netmask of your gateway | | |

SIP provider

| Access data | Example value | Your values |
|---|---|---|
| Description | Enter the name of your SIP provider, e.g. . | |
| Authentication ID | Enter your ID, e.g. your email address | |
| Password | Enter your password that you received from your SIP provider. | |
| Registrar | Enter the appropriate registrar, e. g. . | |
| Call number | e. g. | |

Data for internet access over xDSL

| Access data | Example value | Your values |
|---|---|---|
| Provider name | | |
| Protocol | | |
| Encapsulation | | |
| VPI (Virtual Path Identifier) | | |
| VCI (Virtual Circuit Identifier) | | |
| Connection ID (12-digit) | | |
| T-Online number (usually 12 digits) | | |
| Joint user account | | |
| Password | | |

4.1.4 Setting up a PC
To access your device via the network and to be able to do a configuration using the configuration interface, the PC used for the configuration has to satisfy some prerequisites.
• Make sure that the TCP/IP protocol is installed on the PC.
Checking the TCP/IP protocol
Proceed as follows to check whether you have the protocol installed:
(1) Click the Windows Start button and then Settings -> Control Panel -> Network Connections (Windows XP) or Control Panel -> Network and Sharing Center -> Change Adapter Settings (Windows 7).
(2) Click on LAN Connection.
(3) Click on Properties in the status window.
(4) Look for the Internet Protocol (TCP/IP) entry in the list of network components.
Installing the TCP/IP protocol
If you cannot find the Internet Protocol (TCP/IP) entry, install the TCP/IP protocol as follows:
(1) First click Properties, then Install in the status window of the LAN Connection.
(2) Select the Protocol entry.
(3) Click Add.
(4) Select Internet Protocol (TCP/IP) and click on OK.
(5) Follow the on-screen instructions and restart your PC when you have finished.
Configuring a Windows PC as a DHCP client
Assign an IP address to your PC as follows:
(1) Initially, proceed as described to display the network properties.
(2) Select Internet Protocol (TCP/IP) and click on Properties.
(3) Choose Determine IP address automatically.
(4) Also choose Determine DNS server address automatically.
(5) Close all the windows by selecting OK.
Your PC should now meet all the prerequisites for configuring your device.
Note
You can now launch the configuration interface for doing the configuration by entering
the preconfigured IP address of your device (192.168.0.251) in a supported browser
(Internet Explorer 6 or later, Mozilla Firefox 1.2 or later) and entering the pre-set login
data (User: , Password: ).
4.2 Configuring the system
4.2.1 Network setting (LAN)
If you intend to integrate your device into an existing network infrastructure, select the Assistants->First steps->Basic Settings menu for the network settings. For the LAN IP configuration, the Address Mode is set to Static by default, since your system is delivered ex
works with a fixed IP. Enter the necessary IP Address for your device in your LAN and the
associated Netmask. Leave all the other settings and click OK. Save the configuration by
clicking on the Save Configuration button above the menu navigation.
4.2.2 Enter SIP provider
As an option, you may enter SIP providers for external telephone connections. Please note
the description in the online help for the menu VoIP->Settings->SIP Provider->New.
4.3 Setting up an internet connection
You can establish an Internet connection with your device.
4.3.1 Internet connection via the internal VDSL modem
To make it easier to configure a VDSL internet connection, the configuration interface has
a wizard to guide you through the connection set-up process simply and quickly.
(1) In the user interface, go to the Assistants->Internet menu.
(2) Use New to create a new entry, and copy the Connection Type + ,-$ . .
(3) Follow the steps shown by the wizard. The wizard has its own online help, which offers all of the information you may require.
(4) Once you have exited the wizard, save the configuration by clicking on the Save configuration button above the menu navigation.
4.3.2 Other internet connections
In addition to a VDSL connection over the internal VDSL modem, you can connect your
device to the internet with other types of connection or via an external modem. The Internet wizard in the configuration interface provides support with configurations of this type.
4.3.3 Testing the configuration
Once you have finished configuring your device, you can test the connection in your LAN
and to the Internet.
Carry out the following steps to test your device:
(1) Test the connection from any device in the local network to your device. In the Windows Start menu, click Run and enter followed by a space and then the IP address of your device (e.g. ). A window appears with the message .
(2) Test the Internet access by entering www.bintec-elmeg.com in the Internet browser.
Note
Incorrectly configured terminals may lead to unwanted connections and higher
charges! Monitor your device and make sure it only sets up connections at the times
you want it to. Watch the light indicators on your device (indicators for ISDN, DSL and
the Ethernet interfaces).
4.4 User access
Those who administer and set up the system can set up a personalised configuration access for the users. This will enable the users to view their main personal settings and customise some of them.
Note
Those who administer and set up the system can access the settings and data of all
the users. Only the personal telephone book (User Phonebook), which users set up
for themselves, can be managed and viewed solely with the personal
user login data.
To log into the configuration interface with the access data you have been assigned, enter
your user name and your password in the login window.
The administrator configures the user accesses in the Numbering->User Settings->Users
menu.
Users can also find help with the available configuration options in the online help system.
4.5 Software updates for be.IP 4isdn
The range of functions in the be.IP 4isdn is continuously being extended. Updates to new software
versions can be carried out easily with the GUI.
A functional Internet connection is required for any kind of an automatic update.
Proceed as follows:
(1) Go to the Maintenance->Software & Configuration menu.
(2) Select under Action / 0 12 and under Source Location %3 12 1 / .
(3) Confirm with Go.
Alternatively, you can carry out a software update in the User view. On the Status page,
click Update under Firmware Update to start the process. Do not interrupt the Internet
connection or the power supply.
After installation of the new system software, the system must be restarted.
The device will now connect to the download server and check whether an updated version
of the system software is available. If so, your device will be updated automatically. When
installation of the new software is complete, you will be invited to restart the device.
Caution
Once you have clicked on Go the update cannot be cancelled/interrupted. If an error
occurs during the update, do not re-start the device and contact support.
Chapter 5 Access and configuration
5.1 Access via LAN
Access via one of your device's Ethernet interfaces allows you to open the configuration interface in a web browser.
5.1.1 HTTP/HTTPS
With a current web browser, you can use the HTML interface to configure your device. For
this, enter the following in your web browser's address field
• !455
or
!455
5.2 Configuration
The configuration is done using the HTML configuration interface.
5.2.1 Configuration interface
The configuration interface is a web-based graphic user surface that you can use from any
PC with an up-to-date Web browser via an HTTP or HTTPS connection.
With the configuration interface you can perform all the configuration tasks easily and conveniently. It is integrated in your device and is available in English.
The settings you make are applied with the OK or Apply button in the relevant menu, and
you do not have to restart the device.
If you finish the configuration and want to save your settings so that they are loaded as the
boot configuration when you reboot your device, save these by clicking the Save configuration button.
You can also use the configuration interface to monitor the most important function parameters of your device.
5.2.1.1 Open the configuration interface
(1) Check whether the device is connected and switched on and that all the necessary cables are correctly connected.
(2) Check the settings of the PC from which you want to configure your device.
(3) Open a web browser.
(4) Enter !455 in the address field of the web browser.
(5) You will be prompted to change the administrator password. Change the login password.
You are now in the status menu of your device's configuration interface.
5.2.1.2 Operating elements
Configuration interface window
The configuration interface window is divided into three areas:
• The header
• The navigation bar
• The main configuration window
Header
Configuration interface header bar
Opens the navigation bar.
Logout: If you want to end the configuration, click this button to log out of your device. A window is opened offering you the following options:
• Continue with the configuration,
• Save the configuration and close the window,
• Exit the configuration without saving.
Online Help: Click this button if you want help with the menu now active. The description of the sub-menu where you are now is displayed.
Language: From the dropdown menu, select the language in which the configuration interface is to be displayed. Here, you can select the language in which you want to carry out the configuration. and +! are available.
View: Select the desired view from the dropdown menu. '3++ ,** , 6 and / can be selected. The Initial operation can also be started again from here.
Save configuration button: If you click the Save configuration button, you will be asked "Do you really want to save the current configuration as a boot configuration?"
You can
• Save configuration
• Save configuration with boot backup
Navigation bar
The navigation bar contains the main configuration menus and their sub-menus.
Click the main menu you require. The corresponding sub-menu then opens.
If you go to the sub-menu you want, the entry selected will be displayed in color. After selecting the sub-menu the navigation bar will be closed.
Status page
If you open the configuration interface the status page of your device is displayed after you
log in. The most important data of your device can be seen on this at a glance.
Main configuration window
The sub-menus generally contain several pages. These are called using the buttons at the
top of the main window. If you click a button, the window is opened with the basic parameters. You can extend this by clicking the Advanced Settings tab, which displays the additional options.
Configuration elements
The various actions that you can perform when configuring your device in the configuration
interface are triggered by means of the following buttons:
Buttons
• Updates the view.
• If you do not want to save a newly configured list entry, cancel this and any settings made by pressing Cancel.
• Confirms the settings of a new entry and the parameter changes in a list.
• Immediately starts the configured action.
• Calls the sub-menu to create a new entry.
• Inserts an entry in an internal list.
Symbols
• Deletes the list entry.
• Displays the menu for changing the settings of an entry.
• Displays the details for an entry.
• Voicemail message can be intercepted.
• Messages will be saved.
• Moves an entry. A combo box opens in which you can choose the list entry that the selected entry is to be placed in front of/after.
• Creates another list entry first and opens the configuration menu.
• Sets the status of the entry to * .
• Sets the status of the entry to ,*.
• Indicates "Dormant" status for an interface or connection.
• Indicates "Up" status for an interface or connection.
• Indicates "Down" status for an interface or connection.
• Indicates "Blocked" status for an interface or connection.
• Indicates that data traffic is encrypted.
• Triggers a WLAN bandscan.
• Displays the next page in a list.
• Displays the previous page in a list.
List options
Update Interval: Here you can set the interval in which the view is to be updated. To do this, enter a period in seconds in the input field and confirm it with .
Filter: You can have the list entries filtered and displayed according to certain criteria.
You can determine the number of entries displayed per page by entering the required number in View x per page.
Use the and buttons to scroll one page forward and one page back.
You can filter according to certain keywords within the configuration parameters by selecting the filter rule you want under Filter in x <Option> y and entering the search word in the input field. launches filter operation.
Configuration elements
Some lists contain configuration elements.
You can therefore change the configuration of the corresponding list entry directly in the list.
Configuration of the update interval
Filter list
On the status page you can open the option Automatic Refresh Interval using the button .
Click Automatic Refresh Interval .
Enter the time and click .
Structure of the configuration menu
The menus contain the following basic structures:
Menu structure
Basic configuration menu/list: When you select a menu from the navigation bar, the menu of basic parameters is displayed first. In a sub-menu containing several pages, the menu containing the basic parameters is displayed on the first page.
The menu contains either a list of all the configured entries or the basic settings for the function concerned.
Sub-menu: The New button is available in each menu in which a list of all the configured entries is displayed. Click the button to display the configuration menu for creating a new list entry.
Sub-menu: Click this button to process the existing list entry. You go to the configuration menu.
Menu: Click this tab to display extended configuration options.
The following options are available for the configuration:
Configuration elements
Input fields: e.g. empty text field
Text field with hidden input
Enter the data.
Radio buttons: e.g.
Select the corresponding option.
Checkbox: e.g. activation by selecting checkbox
Dropdown menus: e.g.
Click the arrow to open the list. Select the required option using the mouse.
Internal lists: e.g.
Click . A new list entry is created. Enter the corresponding data. If list input fields remain empty, these are not saved when you confirm with OK. Delete the entries by clicking the icon.
Display of options that are not available
Options that are not available because they depend on the selection of other options are
generally hidden. If the display of these options could be helpful for a configuration decision, they are instead greyed out and cannot be selected.
Important
Please look at the messages displayed in the sub-menus. These provide information
on any incorrect configurations.
5.2.1.3 Menus
The configuration options of your device are contained in the sub-menus, which are displayed in the navigation bar in the left-hand part of the window.
Note
Please note that not all devices have the full range of functions. Use your product specification to check which software your device has.
Chapter 6 Assistants
The Assistants menu offers step-by-step instructions for the following basic configuration
tasks.
Choose the corresponding task from the navigation bar and follow the instructions and explanations on the separate pages of the Wizard.
Chapter 7 System Management
The System Management menu contains general system information and settings.
You see a system status overview. Global system parameters such as the system name,
date/time, passwords and licences are managed and the access and authentication methods are configured.
7.1 Status
If you log into the GUI, your device displays the status page in the Users view.
Here you can find links to the configuration assistants that will support you with an easy
configuration of the most important settings.
Moreover, you can carry out a Firmware Update. Click Update to start the process.
Note
Do not interrupt the Internet connection or the power supply.
After installation of the new system software, the system must be restarted.
In the Full Access and Expert views of your device, the status page displays the most
important system information.
You see an overview of the following data:
• System status
• Your device's activities: Resource utilisation, active sessions and tunnels
• Status and basic configuration of the LAN, WAN, ISDN, and ADSL interfaces
• Information on plugged add-on modules (if any)
You can customise the update interval of the status page by entering the desired period in
seconds as Automatic Refresh Interval and clicking on the Apply button.
Caution
Under Automatic Refresh Interval do not enter a value of less than seconds, otherwise the refresh interval of the screen will be too short to make further changes!
The menu System Management->Status consists of the following fields:
Fields in the System Information menu
Uptime: Displays the time that has passed since the device was rebooted.
System Date: Displays the current system date and system time.
Serial Number: Displays the device serial number.
BOSS Version: Displays the currently loaded version of the system software.
Last configuration stored: Displays day, date and time of the last saved configuration (boot configuration in flash).
Fields in the Resource Information menu
CPU Usage: Displays the CPU usage as a percentage.
Memory Usage: Displays the usage of the working memory in MByte in relation to the available total working memory in MByte. The usage is also displayed in brackets as a percentage.
ISDN Usage Internal: Shows the number of active B channels and the maximum number of available B channels for incoming connections.
Active Sessions (SIF, RTP, etc... ): Displays the total of all SIF, TDRC, and IP load balancing sessions.
Active IPSec Tunnels: Displays the number of currently active IPSec tunnels in relation to the number of configured IPSec tunnels.
DSP Channels: Shows the currently used DSP channels.
Fields in the VoIP Trunk Lines menu
No.: Displays the consecutive number of the SIP provider (your IP telephony provider).
Description: Displays the description of the SIP provider that has been entered upon creation of the provider.
Registrar: Displays the server your system connects to in order to enable IP phone calls.
Access Type: Displays if your connection is a point to multipoint or point to point (DDI) connection.
Link: Displays the current status of the connection to this SIP provider.
Fields in the Physical Interfaces menu
Interface - Connection Information - Link: The physical interfaces are listed here and their most important settings are shown (ISDN: only the first 4 ports are listed). The system also displays whether the interface is connected or active.
Fields in the WAN Interfaces menu
Description - Connection Information - Link: All the WAN interfaces are listed here and their most important settings are shown. The system also displays whether the interface is active.
7.2 Global Settings
The basic system parameters are managed in the Global Settings menu.
7.2.1 System
Your device's basic system data is entered in the System Management->Global
Settings->System menu.
The System Management->Global Settings->System menu consists of the following
fields:
Fields in the menu Basic Settings
Field
Value
System Name
Enter the system name of your device. This is also used as the
PPP host name.
A character string with a maximum of 255 characters is possible.
The device type is entered as the default value.
Location
Enter the location of your device.
Contact
Enter the relevant contact person. Here you can enter the email address of the system administrator, for example.
A character string with a maximum of 255 characters is possible.
Maximum Number of Syslog Entries
Enter the maximum number of syslog messages that are stored
internally in the device.
Possible values are to .
The default value is .
You can display the stored messages in Monitoring->Internal
Log.
Maximum Message Level of Syslog Entries
Select the priority of system messages above which a log should be created.
System messages are only recorded internally if they have a higher or identical priority to that indicated, i.e. all messages generated are recorded at syslog level Debug.
Possible values:
• Emergency: Only messages with emergency priority are recorded.
• Alert: Messages with emergency and alert priority are recorded.
• Critical: Messages with emergency, alert and critical priority are recorded.
• Error: Messages with emergency, alert, critical and error priority are recorded.
• Warning: Messages with emergency, alert, critical, error and warning priority are recorded.
• Notice: Messages with emergency, alert, critical, error, warning and notice priority are recorded.
• Information (default value): Messages with emergency, alert, critical, error, warning, notice and information priority are recorded.
• Debug: All messages are recorded.
Maximum Number of Accounting Log Entries
Enter the maximum number of login process entries that are stored internally in the device.
Possible values are to .
The default value is .
Cloud NetManager communication
Only for devices with support for being managed by the Cloud
NetManager.
Enable or disable the option Cloud NetManager communication.
The function is enabled by default.
Cloud NetManager address
Only for devices with support for being managed by the Cloud NetManager.
The address of the bintec elmeg Cloud NetManager is preconfigured. If you want to run your own management system, you need to enter the address of your server here.
Manual WLAN Controller IP Address
This function is only available on devices with a wireless LAN controller.
Enter the IP address of the WLAN controller.
The value can only be modified if the WLAN controller function is enabled.
LED mode
Only for WLAN devices
Select the LEDs' lighting behaviour.
Possible values:
• 3 (default value): The LEDs display their default behaviour.
• '+!: Only the status LED flashes once per second.
• :11: All LEDs are disabled.
Show Manufacturer Names
Here you can determine if the manufacturer part of a MAC address is to be "translated". The manufacturer part takes up to eight characters at the beginning of the MAC address. Instead of, e.g., 4 414(44*, &*%;(44* is displayed if this option is enabled.
Autosave Configuration
Here you can choose whether configuration changes are automatically saved. If you enable this option, settings are immediately saved so that they persist after a reboot of the device as
soon as you confirm them on a configuration page (usually with
the OK button).
Fields in the menu Power Settings (for devices with GPS only)
Field
Value
Power Off Timeout
Enter the time, in seconds, for how long the device is to remain
switched on after switching the motor off.
The default value is seconds.
7.2.2 Passwords
Setting the passwords is another basic system setting.
Note
All bintec elmeg devices are delivered with the same username and password. As long
as the password remains unchanged, they are not protected against unauthorised use.
Make sure you change the passwords to prevent unauthorised access to the device.
If the password is not changed, the warning "System password not changed!" appears under System Management->Status.
The System Management->Global Settings->Passwords menu consists of the following
fields:
Fields in the System Password menu.
Field
Value
System Admin Password
Enter the password for the user name .
Confirm Admin Password
Confirm the password by entering it again.
This password is also used with SNMPv3 for authentication (MD5) and encryption (DES).
Fields in the SNMP Communities menu.
Field
Value
SNMP Read Community
Enter the password for the user name .
SNMP Write Community
Enter the password for the user name .
Fields in the Global Password Options menu
Field
Value
Show passwords and
keys in clear text
Define whether the passwords are to be displayed in clear text
(plain text).
The function is enabled with !2
The function is disabled by default.
If you activate the function, all passwords and keys in all menus
are displayed and can be edited in plain text.
One exception is IPSec keys. They can only be entered in plain
text. If you press OK or call the menu again, they are displayed
as asterisks.
7.2.3 Date and Time
You need the system time for tasks such as correct timestamps for system messages, accounting or IPSec certificates.
You have the following options for determining the system time (local time):
ISDN/Manual
In devices with an ISDN interface, the system time can be updated via ISDN, i. e. the date
and time are taken from the ISDN when the first outgoing call is made. The time can also
be set manually on the device.
If the correct location of the device (country/city) is set for the Time Zone, switching from
summer time to winter time (and back) is automatic. This is independent of the exchange
time or the ntp server time. Summer time starts on the last Sunday in March by switching
from 2 a.m. to 3 a.m. The calendar-related or schedule-related switches that are scheduled
for the missing hour are then carried out. Winter time starts on the last Sunday in October
by switching from 3 a.m. to 2 a.m. The calendar-related or schedule-related switches that
are scheduled for the additional hour are then carried out.
If a value other than Universal Time Coordinated (UTC), option /)%<6, has been chosen
for the Time Zone, the switch from summer to winter time must be carried out manually
when required.
Time server
You can obtain the system time automatically, e.g. using various time servers. To ensure
that the device uses the desired current time, you should configure one or more time servers. Switching from summer time to winter time (and back) must be carried out manually if
the time is derived using this method by changing the value in the Time Zone field with an
option UTC+ or UTC-.
Note
If a method for automatically deriving the time is defined on the device, the values obtained in this way automatically have higher priority. A manually entered system time is
therefore overwritten.
The menu System Management->Global Settings->Date and Time consists of the following fields:
Fields in the menu Basic Settings
Field
Description
Time Zone
Select the time zone in which your device is installed.
You can select Universal Time Coordinated (UTC) plus or
minus the deviation in hours or a predefined location, e. g.
35&+.
Current Local Time
The current date and current system time are shown here. The
entry cannot be changed.
Fields in the menu Manual Time Settings
Field
Description
Set Date
Enter a new date.
Format:
• Day: dd
• Month: mm
• Year: yyyy
Set Time
Enter a new time.
Format:
• Hour: hh
• Minute: mm
Fields in the menu Automatic Time Settings (Time Protocol)
Field
Description
ISDN Timeserver
Only for devices with an ISDN interface.
Determine whether the system time is to be updated via ISDN.
If a time server is configured, the time is only determined over
ISDN until a successful update is received from this time server.
Updating over ISDN is deactivated for the period in which the
time is determined by means of a time server.
The function is activated by selecting 7+.
The function is disabled by default.
First Timeserver
Enter the primary time server, by using either a domain name or
an IP address.
In addition, select the protocol for the time server request.
Possible values:
• 9) (default value): This server uses the simple network
time protocol via UDP port 123.
• ) * 5 /-: This server uses the Time service
with UDP port 37.
• ) * 5 )%: This server uses the Time service
with TCP port 37.
• 9: This time server is not currently used for the time request.
Second Timeserver
Enter the secondary time server, by using either a domain name
or an IP address.
In addition, select the protocol for the time server request.
Possible values:
• 9) (default value): This server uses the simple network
time protocol via UDP port 123.
• ) * 5 /- : This server uses the Time service
with UDP port 37.
• ) * 5 )% : This server uses the Time service
with TCP port 37.
• 9: This time server is not currently used for the time request.
Third Timeserver
Enter the third time server, by using either a domain name or an
IP address.
In addition, select the protocol for the time server request.
Possible values:
• 9) (default value): This server uses the simple network
time protocol via UDP port 123.
• ) * 5 /- : This server uses the Time service
with UDP port 37.
• ) * 5 )% : This server uses the Time service
with TCP port 37.
• 9: This time server is not currently used for the time request.
Time Update Interval
Enter the time interval in minutes at which the time is automatically updated.
The default value is .
Time Update Policy
Enter the time period after which the system attempts to contact
the time server again following a failed time update.
Possible values:
• 9+ (default value): The system attempts to contact the
time server after 1, 2, 4, 8, and 16 minutes.
• ,: For ten minutes, the system attempts to contact the time server after 1, 2, 4, 8 seconds and then every 10
seconds.
• +: For an unlimited period, the system attempts to
contact the time server after 1, 2, 4, 8 seconds and then every
10 seconds.
If certificates are used to encrypt data traffic in a VPN, it is extremely important that the correct time is set on the device. To
ensure this is the case, for Time Update Policy, select the
value +.
Internal Time Server
Select whether the internal timeserver is to be used.
The function is activated by selecting 7+. Time requests
from a client will be answered with the current system time. This
is given as GMT, without offset.
The function is disabled by default. Time requests from a client
are not answered.
Fields in the menu Time Settings (GPS) (for devices with GPS only)
Field
Description
Time Update Interval
Select whether the device is to receive the system time via
GPS.
If appropriate, enter the time (in seconds) for updating the system time via GPS.
The value 0 (default value) means that the system time is updated every time the GPS is fixed.
The function is activated by selecting 7+.
The function is disabled by default.
7.2.4 System Licences
This chapter describes how to activate the functions of the software licences you have purchased.
The following licence types exist:
• Licences already available in the device's ex works state
• Free extra licences
• Extra licences at additional cost
The data sheet for your device tells you which licences are available in the device's ex
works state and which can also be obtained free of charge or at additional cost. You can
access this data sheet at www.bintec-elmeg.com .
Entering licence data
You can obtain the licence data for extra licences via the online licensing pages in the support section at www.bintec-elmeg.com . Please follow the online licensing instructions.
(Please also note the information on the licence card for licences at additional cost.) You
will then receive an e-mail containing the following data:
• Licence Key and
• Licence Serial Number.
You enter this data in the System Management->Global Settings->System
Licences->New menu.
In the System Management->Global Settings->System Licences->New menu, a list of
all registered licences is displayed (Description, Licence Type, Licence Serial Number,
Status).
Possible values for Status
Licence
Meaning
OK
Subsystem is activated.
Not OK
Subsystem is not activated.
Not supported
You have entered a licence for a subsystem your device does
not support.
In addition, above the list is shown the System Licence ID required for online licensing.
Note
To restore the standard licences for a device, click the Default Licences button
(standard licences).
7.2.4.1 Edit or New
Choose the icon to edit existing entries. Choose the New button to enter more licences.
Activating extra licences
You activate extra licences by adding the received licence information in the System Management->Global Settings->System Licences->New menu.
The menu System Management->Global Settings->System Licences->New consists of
the following fields:
Fields in the Basic Settings menu.
Field
Value
Licence Serial Number
Enter the licence serial number you received when you bought the licence.
Licence Key
Enter the licence key you received by e-mail.
Note
If Not OK is displayed as the status:
• Enter the licence data again.
• Check your hardware serial number.
If Not supported is displayed as the status, you have entered a licence for a subsystem that your device does not support. This means you cannot use the functions of this licence.
Deactivating a licence
Proceed as follows to deactivate a licence:
(1) Go to System Management->Global Settings->System Licences->New.
(2) Press the icon in the line containing the licence you want to delete.
(3) Confirm with OK.
The licence is deactivated. You can reactivate your additional licence at any time by entering the valid licence key and licence serial number.
7.3 Interface Mode / Bridge Groups
In this menu, you define the operation mode for your device's interfaces.
Routing versus bridging
Bridging connects networks of the same type. In contrast to routing, bridges operate at layer 2 of the OSI model (data link layer), are independent of higher-level protocols and transmit data packets using MAC addresses. Data transmission is transparent, which means the
information contained in the data packets is not interpreted.
With routing, different networks are connected at layer 3 (network layer) of the OSI model
and information is routed from one network to the other.
Conventions for port/interface names
If your device has a radio port, it receives the interface name WLAN. If there are several radio modules, the names of wireless ports in the user interface of your device are made up
of the following parts:
(a) WLAN
(b) Number of the physical port (1 or 2)
Example: 8$,9
The name of the Ethernet port is made up of the following parts:
(a) ETH
(b) Number of the port
Example: )>
The name of the interface connected to an Ethernet port is made up of the following parts:
(a) Abbreviation for interface type, whereby stands for internet.
(b) Number of the Ethernet port
(c) Number of the interface
Example: (first interface on the first Ethernet port)
The name of the bridge group is made up of the following parts:
(a) Abbreviation for interface type, whereby 7 stands for bridge group.
(b) Number of the bridge group
Example: 7 (first bridge group)
The name of the wireless network (VSS) is made up of the following parts:
(a) Abbreviation for interface type, whereby stands for wireless network.
(b) Number of the wireless module
(c) Number of the interface
Example: (first wireless network on the first wireless module)
The name of the bridge link is made up of the following parts:
(a) Abbreviation for interface type
(b) Number of the wireless module on which the bridge link is configured
(c) Number of the bridge link
Example: 2 (first bridge link on the first wireless module)
The name of the client link is made up of the following parts:
(a) Abbreviation for interface type
(b) Number of the wireless module on which the client link is configured
(c) Number of the client link
Example: (first client link on the first wireless module)
The name of the virtual interface connected to an Ethernet port is made up of the following
parts:
(a) Abbreviation for interface type
(b) Number of the Ethernet port
(c) Number of the interface connected to the Ethernet port
(d) Number of the virtual interface
Example: (first virtual interface based on the first interface on the first Ethernet
port)
7.3.1 Interfaces
You define separately whether each interface is to operate in routing or bridging mode.
If you want to set bridging mode, you can either use existing bridge groups or create a new
bridge group.
The default setting for all existing interfaces is routing mode. When selecting the option
92 & 3 for Mode / Bridge Group, a bridge group, i.e. 7, 7 etc. is
automatically created and the interface is run in bridging mode.
The System Management->Interface Mode / Bridge Groups->Interfaces menu consists
of the following fields:
Fields in the Interfaces menu.
Field
Description
Interface Description
Displays the name of the interface.
Mode / Bridge Group
Select whether you want to run the interface in ?3 . or whether you want to assign the interface to an existing ( 7, 7 etc.) or new bridge group ( 92 & 3).
When selecting 92 & 3, a new bridge group is automatically created after you click the OK button.
Configuration Interface
Select the interface via which the configuration is to be carried
out.
Possible values:
• +* (default value): Ex works setting. The right configuration interface must be selected from the other options.
• : No interface is defined as configuration interface.
• @1* A: Select the interface to be used for configuration. If this interface is in a bridge group, it is assigned
the group's IP address when it is taken out of the group.
7.3.1.1 Add
Choose the Add button to edit the mode of PPP interfaces.
The System Management->Interface Mode / Bridge Groups->Interfaces->Add menu
consists of the following fields:
Fields in the Interfaces menu.
Field
Description
Interface
Select the interface whose status should be changed.
Edit for devices of the WIxxxxn and RS series
For WLAN clients in bridge mode (so-called MAC Bridge) you can also edit additional settings via the icon.
You can realise bridging for devices behind access clients with the MAC Bridge function. In
wildcard mode you cannot define how Unicast non-IP frames or non-ARP frames are processed. To use the MAC bridge function, you must carry out configuration steps in several
menus.
(1) Select GUI menu Wireless LAN->WLAN->Radio Settings and click the icon to modify an entry.
(2) Select Operation Mode = ,** %+ and save the settings with OK.
(3) Select the System Management->Interface Mode / Bridge Groups->Interfaces menu. The additional interface sta1-0 is displayed.
(4) For interface sta1-0 select Mode / Bridge Group = 7 "@,A# and Configuration Interface= and save the settings with OK.
(5) Click the Save configuration button to save all of the configuration settings. You can use the MAC Bridge.
The System Management->Interface Mode / Bridge Groups->Interfaces-> menu consists of the following fields:
Fields in the Layer-2.5 Options menu.
Field
Value
Interface
Shows the interface that is being edited.
Wildcard Mode
Select the Wildcard mode you want to use on the interface.
Possible values:
• (default value): Wildcard mode is not used.
• *: With this setting, you must enter the MAC address of
a device that is connected over IP under Wildcard MAC Address. Each packet without IP and without ARP is forwarded
to this device. This occurs even when the device is no longer
connected.
• 1: If you choose this setting, the MAC address of the first
non-IP unicast frame or non-ARP unicast frame, which occurs
on any of the Ethernet interfaces, is used as the wildcard
MAC address. This wildcard MAC address can only be reset
by rebooting the device or by selecting another wildcard
mode.
• +: If you choose this setting, the internal WLAN MAC address is used to establish a connection to the access point. As
soon as a non-IP unicast frame or non-ARP unicast frame appears, it is forwarded to the MAC address from which the last
non-IP unicast frame or non-ARP unicast frame was received
on the Ethernet interface of the device. This wildcard MAC address is renewed with each non-IP unicast frame or non-ARP
unicast frame.
Wildcard MAC Address
Only for Wildcard Mode = *
Enter the MAC address of a device that is connected over IP.
Transparent MAC Address
Only for Wildcard Mode = *, 1
Choose whether or not the Wildcard MAC Address is also used as the WLAN MAC address to establish the connection to the access point.
The function is enabled with 7+.
The function is disabled by default.
7.4 Administrative Access
In this menu, you can configure the administrative access to the device.
7.4.1 Access
In the System Management->Administrative Access->Access menu, a list of all IP-capable interfaces is displayed.
For an Ethernet interface you can select the access parameters )+, >, >)), >)
), , 9. and for the ISDN interfaces -9 $.
Note
Not all of the options above will be available in every bintec elmeg device. Consult the data sheet of your device to see which connection types are supported!
For PABX systems only: You can also authorise your device for maintenance work from bintec elmeg's Customer Service department. To do this you enable either Service Login (ISDN Web-Access) or Service Call Ticket (SSH Web Access), depending on the service you require, and select the OK button. Follow the instructions given by Telekom's Customer Service!
Service Login (ISDN Web-Access) is disabled by default. If the option is activated, it is deactivated again after ca. 30 minutes.
The menu Advanced Settings consists of the following fields:
Fields in the menu Advanced Settings
Field
Description
Restore Default Settings
Only when you make changes to the administrative access configuration are relevant access rules set up and activated. You
can restore the default settings with the icon.
7.4.1.1 Add
Select the Add button to configure administrative access for additional interfaces.
The System Management->Administrative Access->Access->Add menu consists of the
following fields:
Fields in the menu Access
Field
Description
Interface
Select the interface for which administrative access is to be configured.
7.4.2 SSH
Your device offers encrypted access to the shell. You can enable or disable this access (enabled is the standard value) in the System Management->Administrative Access->SSH menu. You can also access the options for configuring the SSH login.
You need an SSH client application, e.g. PuTTY, to be able to reach the SSH Daemon.
If you wish to use SSH Login together with the PuTTY client, you may need to comply with
some special configuration requirements, for which we have prepared FAQs. You will find
these in the Service/Support section at www.bintec-elmeg.com .
To be able to reach the shell of your device via an SSH client, make sure the settings for
the SSH Daemon and SSH client are the same.
Note
If configuration of an SSH connection is not possible, restart the device to initialise the
SSH Daemon correctly.
The System Management->Administrative Access->SSH menu consists of the following
fields:
Fields in the menu SSH (Secure Shell) Parameters
Field
Value
SSH service active
Select whether the SSH Daemon is to be enabled for the interface.
The function is activated by selecting 7+.
The function is enabled by default.
SSH Port
Here you can enter the port via which the SSH connection is to
be established.
The default value is .
Maximum number of
concurrent connections
Enter the maximum number of simultaneously active SSH connections.
The default value is .
Fields in the menu Authentication and Encryption Parameters
Field
Value
Encryption Algorithms
Select the algorithms that are to be used to encrypt the SSH connection.
Possible options:
• -
• &+21!
• ,
• ,
By default - , &+21! and , are enabled.
Hashing Algorithms
Select the algorithms that are to be available for message authentication of the SSH connection.
Possible options:
• .-
• >,
• ?.-
By default .-, >, and ?.- are enabled.
Fields in the menu Key Status
Field
Value
RSA Key Status
Shows the status of the RSA key.
If an RSA key has not been generated yet, 9 is
displayed in red and a link, , is provided. If you select
the link, the generation process is triggered and the view is updated. The status is displayed in green. When
generation has been completed successfully, the status
changes from to . If an error occurs
during the generation, 9 and the link
are displayed again. You can then repeat generation.
If the /B2 status is displayed, generation of a key is not
possible, for example because there is not enough space in the
FlashROM.
The status is 9 by default.
ED25519 Key Status
Shows the status of the ED25519 key.
If an ED25519 key has not been generated yet, 9 is
displayed in red and a link, , is provided. If you select
the link, the generation process is triggered and the view is updated. The status is displayed in green. When
generation has been completed successfully, the status
changes from to . If an error occurs
during the generation, 9 and the link
are displayed again. You can then repeat generation.
If the /B2 status is displayed, generation of a key is not
possible, for example because there is not enough space in the
FlashROM.
The status is 9 by default.
DSA Key Status
Shows the status of the DSA key.
If no DSA key has yet been generated, 9 is displayed in red and a link, , is provided. If you select
the link, the generation process is triggered and the view is updated. The status is displayed in green. When
generation has been completed successfully, the status
changes from to . If an error occurs
during the generation, 9 and the link
are displayed again. You can then repeat generation.
If the /B2 status is displayed, generation of a key is not
possible, for example because there is not enough space in the
FlashROM.
The status is 9 by default.
The menu Advanced Settings consists of the following fields:
Fields in the menu Advanced Settings
Field
Value
Login Grace Time
Enter the time (in seconds) that is available for establishing the
connection. If a client cannot be successfully authenticated during this time, the connection is terminated.
The default value is seconds.
Compression
Select whether data compression should be used.
The function is activated by selecting 7+.
The function is disabled by default.
TCP Keepalives
Select whether the device is to send keepalive packets.
The function is activated by selecting 7+.
The function is enabled by default.
Logging Level
Select the syslog level for the syslog messages generated by the SSH Daemon.
Possible settings:
• 1 (default value): Fatal and simple errors of the
SSH Daemon and information messages are recorded.
• '+: Only fatal errors of the SSH Daemon are recorded.
• : Fatal and simple errors of the SSH Daemon are recorded.
• -73: All messages are recorded.
7.4.3 SNMP
SNMP (Simple Network Management Protocol) is a network protocol used to monitor and
control network elements (e.g. routers, servers, switches, printers, computers etc.) from a
central station. SNMP controls communication between the monitored devices and monitoring station. The protocol describes the structure of the data packets that can be transmitted, as well as the communication process.
The data objects queried via SNMP are structured in tables and variables and defined in
the MIB (Management Information Base). This contains all the configuration and status
variables of the device.
SNMP can be used to perform the following network management tasks:
• Surveillance of network components
• Remote controlling and configuration of network components
• Error detection and notification
You use this menu to configure the use of SNMP.
The menu System Management->Administrative Access->SNMP consists of the following fields:
Fields in the Basic Settings menu.
Field
Value
SNMP Version
Select the SNMP version your device is to use to listen for external SNMP access.
Possible values:
• : SNMP Version 1
• *: Community-Based SNMP Version 2
• : SNMP Version 3
By default, , * and are enabled.
If no option is selected, the function is deactivated.
SNMP Listen UDP Port
Shows the UDP port ( ) at which the device receives SNMP requests.
The value cannot be changed.
SNMP multicast discovery
Enable or disable the function SNMP multicast discovery.
The function is enabled with 7+.
The function is enabled by default.
Tip
If your SNMP Manager supports SNMPv3, you should, if possible, use this version as
older versions transfer all data unencrypted.
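To see what the tip means on the wire, the following added example (not code from the manual or from bintec elmeg) classifies captured SNMP datagrams by version and reports whether the payload is protected. It assumes the standard BER message layouts of SNMPv1/v2c and SNMPv3; the sample datagrams and the community string are constructed for illustration.

```python
"""Classify SNMP datagrams by version and confidentiality (added example)."""

SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}


def read_tlv(buf: bytes, pos: int):
    """Decode one BER tag-length-value and return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:pos + length], pos + length


def expect(buf: bytes, pos: int, want_tag: int, what: str):
    """Read one TLV and insist on its tag; return (value, next_pos)."""
    tag, value, nxt = read_tlv(buf, pos)
    if tag != want_tag:
        raise ValueError(f"expected {what}, got tag 0x{tag:02x}")
    return value, nxt


def inspect(datagram: bytes) -> dict:
    """Return version, visible community and protection flags of one message."""
    body, _ = expect(datagram, 0, SEQUENCE, "SNMP message")
    raw_version, pos = expect(body, 0, INTEGER, "version")
    version = VERSIONS.get(int.from_bytes(raw_version, "big"))
    if version is None:
        raise ValueError("unknown SNMP version")
    if version in ("v1", "v2c"):
        # The community string follows the version field as a plain OCTET STRING.
        community, _ = expect(body, pos, OCTET_STRING, "community")
        return {"version": version, "community": community.decode("latin-1"),
                "authenticated": False, "encrypted": False}
    # SNMPv3 header: SEQUENCE { msgID, msgMaxSize, msgFlags, msgSecurityModel }
    header, _ = expect(body, pos, SEQUENCE, "msgGlobalData")
    _, p = expect(header, 0, INTEGER, "msgID")
    _, p = expect(header, p, INTEGER, "msgMaxSize")
    flags, _ = expect(header, p, OCTET_STRING, "msgFlags")
    if len(flags) != 1:
        raise ValueError("msgFlags must be one octet")
    return {"version": "v3", "community": None,
            "authenticated": bool(flags[0] & 0x01),  # auth bit
            "encrypted": bool(flags[0] & 0x02)}      # priv bit


def cleartext_findings(datagrams):
    """List (index, reason) for every datagram that is not encrypted."""
    findings = []
    for index, datagram in enumerate(datagrams):
        try:
            info = inspect(datagram)
        except ValueError as exc:
            findings.append((index, f"unparseable: {exc}"))
            continue
        if not info["encrypted"]:
            findings.append((index, f"{info['version']} payload sent unencrypted"))
    return findings


# --- constructed sample datagrams (short-form BER lengths only) ---
def tlv(tag: int, value: bytes) -> bytes:
    if len(value) >= 0x80:
        raise ValueError("sample encoder handles short-form lengths only")
    return bytes([tag, len(value)]) + value


def sample_v2c(community: bytes) -> bytes:
    """GetRequest for sysName.0 (1.3.6.1.2.1.1.5.0) in an SNMPv2c message."""
    oid = tlv(0x06, bytes.fromhex("2b06010201010500"))
    varbinds = tlv(SEQUENCE, tlv(SEQUENCE, oid + tlv(0x05, b"")))
    pdu = tlv(0xA0, tlv(INTEGER, b"\x01") + tlv(INTEGER, b"\x00")
              + tlv(INTEGER, b"\x00") + varbinds)
    return tlv(SEQUENCE, tlv(INTEGER, b"\x01") + tlv(OCTET_STRING, community) + pdu)


def sample_v3(flags: int) -> bytes:
    """SNMPv3 message with empty security parameters and payload."""
    header = tlv(SEQUENCE, tlv(INTEGER, b"\x01") + tlv(INTEGER, b"\x05\xdc")
                 + tlv(OCTET_STRING, bytes([flags])) + tlv(INTEGER, b"\x03"))
    return tlv(SEQUENCE, tlv(INTEGER, b"\x03") + header
               + tlv(OCTET_STRING, b"") + tlv(OCTET_STRING, b""))


if __name__ == "__main__":
    capture = [sample_v2c(b"example-ro"), sample_v3(0x03), sample_v3(0x01)]
    for finding in cleartext_findings(capture):
        print(finding)
```

An SNMPv3 message with only the auth bit set is still reported, because authentication alone does not encrypt the payload.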
7.5 Remote Authentication
This menu contains the settings for user authentication.
7.5.1 RADIUS
RADIUS (Remote Authentication Dial In User Service) is a service that enables authentication and configuration information to be exchanged between your device and a RADIUS
server. The RADIUS server administrates a database with information about user authentication and configuration and for statistical recording of connection data.
RADIUS can be used for:
• Authentication
• Accounting
• Exchange of configuration data
For an incoming connection, your device sends a request with user name and password to
the RADIUS server, which then searches its database. If the user is found and can be authenticated, the RADIUS server sends corresponding confirmation to your device. This confirmation also contains parameters (called RADIUS attributes), which your device uses as
WAN connection parameters.
If the RADIUS server is used for accounting, your device sends an accounting message at
the start of the connection and a message at the end of the connection. These start and
end messages also contain statistical information about the connection (IP address, user
name, throughput, costs).
RADIUS packets
The following types of packets are sent between the RADIUS server and your device
(client):
Packet types
Field
Value
ACCESS_REQUEST
Client -> Server
If an access request is received by your device, a request is
sent to the RADIUS server if no corresponding connection partner has been found on your device.
ACCESS_ACCEPT
Server -> Client
If the RADIUS server has authenticated the information contained in the ACCESS_REQUEST, it sends an ACCESS_ACCEPT to your device together with the parameters
used for setting up the connection.
ACCESS_REJECT
Server -> Client
If the information contained in the ACCESS_REQUEST does
not correspond to the information in the user database of the
RADIUS server, it sends an ACCESS_REJECT to reject the
connection.
ACCOUNTING_START
Client -> Server
If a RADIUS server is used for accounting, your device sends
an accounting message to the RADIUS server at the start of
each connection.
ACCOUNTING_STOP
Client -> Server
If a RADIUS server is used for accounting, your device sends
an accounting message to the RADIUS server at the end of
each connection.
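The ACCESS_REQUEST / ACCESS_ACCEPT / ACCESS_REJECT exchange from the table above, as an added example in Python (not code from bintec elmeg or the device). It follows the RFC 2865 packet layout and shows that the shared RADIUS secret is what hides the user password and authenticates the server's reply. The user name, password, secret and returned address are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3    # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, FRAMED_IP_ADDRESS = 1, 2, 8     # RFC 2865 attribute types


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data: bytes) -> dict:
    """Decode the attribute list that follows the 20-byte header."""
    attrs, pos = {}, 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[pos]] = data[pos + 2:pos + data[pos + 1]]
        pos += data[pos + 1]
    return attrs


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """User-Password hiding: XOR 16-byte blocks with MD5(secret + previous block)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        hidden += prev
    return hidden


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: undo hide_password with the same shared secret."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def build_access_request(ident: int, user: str, password: str, secret: bytes) -> bytes:
    """Client (the device): ACCESS_REQUEST with a random Request Authenticator."""
    request_auth = os.urandom(16)
    attrs = attr(USER_NAME, user.encode()) + attr(
        USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def server_reply(request: bytes, secret: bytes, users: dict) -> bytes:
    """Server: check the user database, answer ACCESS_ACCEPT or ACCESS_REJECT."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    request_auth, attrs = request[4:20], parse_attrs(request[20:length])
    user = attrs[USER_NAME].decode()
    password = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
    ok = user in users and hmac.compare_digest(password, users[user].encode())
    # On success the reply carries connection parameters (here one constructed address).
    reply_attrs = attr(FRAMED_IP_ADDRESS, bytes([192, 0, 2, 10])) if ok else b""
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20 + len(reply_attrs))
    response_auth = hashlib.md5(header + request_auth + reply_attrs + secret).digest()
    return header + response_auth + reply_attrs


def verify_reply(reply: bytes, request: bytes, secret: bytes):
    """Client: accept a reply only if its Response Authenticator proves the secret."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != request[1] or length != len(reply):
        raise ValueError("reply does not match the request")
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("bad Response Authenticator (wrong secret or forged reply)")
    return code, parse_attrs(reply[20:])


# Constructed sample data, not taken from any real deployment.
SECRET = b"constructed-shared-secret"
USERS = {"branch-office": "correct horse battery"}


def exchange(user: str, password: str, client_secret: bytes = SECRET):
    """Run one request/reply round trip in memory and return (code, attributes)."""
    request = build_access_request(1, user, password, client_secret)
    return verify_reply(server_reply(request, SECRET, USERS), request, client_secret)


if __name__ == "__main__":
    print(exchange("branch-office", "correct horse battery"))   # accepted
    print(exchange("branch-office", "wrong password"))          # rejected
```

Because the password is protected only by MD5 keyed with the shared secret, the length and randomness of the RADIUS Secret decide how well the credentials are protected on the path between device and server.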
A list of all entered RADIUS servers is displayed in the System Management->Remote
Authentication->RADIUS menu.
7.5.1.1 Edit or New
Choose the icon to edit existing entries. Choose the New button to add RADIUS servers.
The System Management->Remote Authentication->RADIUS->New menu consists of
the following fields:
Fields in the Basic Parameters menu.
Field
Value
Authentication Type
Select what the RADIUS server is to be used for.
Possible values:
• ,3!* (default value only for PPP connections): The RADIUS server is used for controlling access to a
network.
• ,**3 (for PPP connections only): The RADIUS server is used for recording statistical call data.
• $ ,3!*: The RADIUS server is used for
controlling access to the SNMP shell of your device.
• * ,3!*: The RADIUS server is used for
sending configuration data for IPSec peers to your device.
• 8$,9 "
6#: The RADIUS server is used for controlling
access to a wireless network.
• C,/)>: The RADIUS server is used for authenticating IPSec
peers via XAuth.
Vendor Mode
Only for Authentication Type = ,**3
In hotspot applications, select the mode defined by the provider.
In standard applications, leave the value set to -13+.
Possible values for hotspot applications:
• '* )+*: For France Telecom hotspot applications.
• 7* > : For hotspot applications.
Server IP Address
Enter the IP address of the RADIUS server.
RADIUS Secret
Enter the shared password used for communication between
the RADIUS server and your device.
Default User Password
Some RADIUS servers require a user password for each RADIUS request. Enter the password that your device sends as the
default user password in the prompt for the dialout routes on the
RADIUS server.
Priority
If a number of RADIUS server entries were created, the server
with the highest priority is used first. If this server does not answer, the server with the next-highest priority is used.
Possible values from (highest priority) to ( (lowest priority).
The default value is .
See also Policy in the Advanced Settings.
Entry active
Select whether the RADIUS server configured in this entry is to
be used.
The function is activated by selecting 7+.
The function is enabled by default.
Group Description
Define a new RADIUS group description or assign the new RADIUS entry to a predefined group. The configured RADIUS
servers for a group are queried according to Priority and the
Policy .
Possible values:
• 92 (default value): Enter a new group description in the text
field.
• -13+ 3 : Select this entry for special applications,
such as Hotspot Server configuration.
• @3 9A: Select a predefined group from the list.
The Advanced Settings menu consists of the following fields:
Fields in the Advanced Settings menu.
Field
Value
Policy
Select how your device is to react if a negative response to a request is received.
Possible values:
• ,3! (default value): A negative response to a
request is accepted.
• 93! : A negative response to a request is
not accepted. A request is sent to the next RADIUS server until your device receives a response from a server configured
as authoritative.
UDP Port
Enter the UDP port to be used for RADIUS data.
RFC 2138 defines the default ports 1812 for authentication
(1645 in older RFCs) and 1813 for accounting (1646 in older
RFCs). You can obtain the port to be used from the documentation for your RADIUS server.
The default value is .
Server Timeout
Enter the maximum wait time between ACCESS_REQUEST
and response in milliseconds.
After timeout, the request is repeated according to Retries or
the next configured RADIUS server is requested.
Possible values are whole numbers between and .
The default value is (1 second).
Alive Check
Here you can activate a check of the accessibility of a RADIUS
server in Status -2 .
An Alive Check is carried out regularly (every 20 seconds) by
sending an ACCESS_REQUEST to the IP address of the RADIUS server. If the server is reachable, Status is set to
+ again. If the RADIUS server is only reachable over a
switched line (dialup connection), this can cause additional
costs if the server is 2 for a long time.
The function is activated by selecting 7+.
The function is enabled by default.
Retries
Enter the number of retries for cases when there is no response
to a request. If a response has still not been received after
these attempts, the Status is set to 2. In Alive Check =
7+ your device attempts to reach the server every 20
seconds. If the server responds, Status is set back to + .
Possible values are whole numbers between and .
The default value is . To prevent Status being set to 2, set
this value to .
RADIUS Dialout
Only for Authentication Type = ,3!* and
* ,3!*.
Select whether your device receives requests from RADIUS
server dialout routes. This enables temporary interfaces to be
configured automatically and your device can initiate outgoing
connections that are not configured permanently.
The function is activated by selecting 7+.
The function is disabled by default.
If the function is active, you can enter the following options:
• ?+ +: Enter the time period in seconds
between update intervals.
The default entry here is i.e. an automatic reload is not carried out.
7.5.2 Options
The setting available here causes your device to carry out authentication negotiation for incoming calls if it cannot identify the calling party number (e.g. because the remote terminal
does not signal the calling party number). If the data (password, partner PPP ID) obtained
by executing the authentication protocol is the same as the data of a listed remote terminal
or RADIUS user, your device accepts the incoming call.
The menu System Management->Remote Authentication->Options consists of the following fields:
Fields in the Global RADIUS Options menu.
Field
Description
Authentication for PPP Dialin
By default, the following authentication sequence is used for incoming calls with RADIUS: First CLID, then PPP and then PPP
with RADIUS.
Options:
• 7: Only inband RADIUS requests (PAP,CHAP, MSCHAP V1 & V2) (i.e. PPP requests without CLID) are sent to
the RADIUS server defined in Server IP Address.
• :37 "%$-# : Only outband RADIUS requests (i.e. requests for calling line identification = CLID) are sent to the
RADIUS server.
7 is enabled by default, :37 "%$-# is disabled
by default.
7.6 Configuration Access
In the Configuration Access menu you can configure user profiles.
To do so, you create access profiles and users and assign each user at least one access
profile. An access profile makes available that part of the GUI that a user requires for their
tasks. Parts of the GUI that are not required are blocked.
7.6.1 Access Profiles
The menu System Management->Configuration Access->Access Profiles displays a
list of all the access profiles that have been configured. You can delete existing entries with
the icon
.
By default, the access profiles )%%;,-.9, >:) $, %>,? , >:9 &::= ,
&C;/ ?;,%% are preconfigured for PABX systems. You can change these using
the icon
or reset them to the default settings using the icon .
7.6.1.1 Edit or New
Choose the icon to edit existing entries. Choose the New button to create additional access profiles.
To create an access profile you can use all the entries in the navigation bar of the GUI plus
Save configuration and Switch to SNMP Browser. You can create a maximum of 29 access profiles.
The menu System Management->Configuration Access->Access Profiles->New consists of the following fields:
Fields in the menu Basic Settings
Field
Description
Description
Enter a unique name for the access profile.
Level No.
The system automatically assigns a sequential number to the
access profile. This cannot be edited.
Fields in the menu Buttons
Field
Description
Save configuration
If you activate the button Save configuration the user is permitted to save configurations.
Note
Note that the passwords in the saved file can be viewed in
clear text.
Enable or disable Save configuration.
The function is enabled with 7+.
The function is disabled by default.
Switch to SNMP
Browser
If you activate the button Switch to SNMP Browser, the user
can switch to the SNMP browser view, access the parameters
and modify all the settings displayed there.
Caution
Note that the permission for Switch to SNMP Browser
means that the user can access the entire MIB, because no
individual access profile can be created in this view. The
user can save the changed MIB with the permission for
Save configuration.
With the permission for Switch to SNMP Browser you remove the configured GUI restrictions at the MIB level once
more.
Enable or disable Switch to SNMP Browser.
The function is enabled with 7+.
The function is disabled by default.
Fields in the menu Navigation Entries
Field
Description
Menus
You see all the menus from the GUI's navigation bar. Menus
that contain at least one sub-menu are flagged by and .
The icon indicates pages.
When you create a new access profile, no elements are assigned yet, i.e. all the available menus, sub-menus and pages
are flagged with the icon
.
Each element in the navigation bar can have three values. Click
the icon
in the row you want to display these three values.
Possible values:
• -0: The menu and all its lower-level menus are blocked.
• ,++2: The menu is released. Lower-level menus may need
to be specifically released.
• ,++2 ++: The menu and all its lower-level menus are released.
You can select ,++2 and ,++2 ++ in the corresponding
row to assign elements to the current access profile.
Elements that are assigned to the current access profile are
flagged with the icon
.
indicates a menu that is blocked, but which has at least one
released sub-menu.
7.6.2 Users
The menu System Management->Configuration Access->Users displays a list of all the
users that have been configured. You can delete existing entries with the icon
.
There are no preconfigured users.
You can click the button
to display the details of the configured user. You can see which
fields and menus are assigned to the user.
The icon
means that Read-only is permitted. If a row is flagged with the icon
the information is released for reading and writing. The icon
indicates blocked
entries.
7.6.2.1 Edit or New
Choose the
icon to edit existing entries. Choose the New button to enter additional
users.
The menu System Management->Configuration Access->Users->New consists of the
following fields:
Fields in the menu Basic Settings
Field
Description
User
Enter a unique name for the user.
Password
Enter a password for the user.
User must change
password
The administrator can use the option User must change password to specify that the user must select their own password
the first time they log in. To do this, the option Save configuration needs to be enabled in the menu Access Profiles. If this
option is not enabled, a warning message displays.
Enable or disable User must change password.
The function is enabled with 7+.
The function is disabled by default.
Access Level
Use Add to assign at least one access profile to the user. Selecting Read-only specifies that the user can view the parameters of the access profile, but not change them. Selecting Read-only is only possible if the option Switch to SNMP Browser in
the menu Access Profiles is not enabled.
If the option Switch to SNMP Browser is enabled, a warning
message displays because the user can switch to the SNMP
browser view, access the parameters and make any changes
they like. The option Read-only is not available in the SNMP
browser view.
If intersecting access profiles are assigned to a user, read and
write have a higher priority than Read-only. Buttons cannot be
set to the setting Read-only.
7.7 Certificates
An asymmetric cryptosystem is used to encrypt data to be transported in a network, to generate or check digital signatures and to authenticate users. A key pair consisting of a public key and a private key is used to encrypt and decrypt the data.
For encryption the sender requires the public key of the recipient. The recipient decrypts
the data using his private key. To ensure that the public key is the real key of the recipient
and is not a forgery, a so-called digital certificate is required.
This confirms the authenticity and the owner of a public key. It is similar to an official passport in that it confirms that the holder of the passport has certain characteristics, such as
gender and age, and that the signature on the passport is authentic. As there is more than
one certificate issuer, e.g. the passport office for a passport, and as such certificates can
be issued by several different issuers and in varying qualities, the trustworthiness of the issuer is extremely important. The quality of a certificate is regulated by the German Signature Act or respective EU Directives.
Certification authorities that issue so-called qualified certificates are organised in a hierarchy with the Federal Network Agency as the higher certifying authority. The structure and
content of a certificate are stipulated by the standard used. X.509 is the most important and
the most commonly used standard for digital certificates. Qualified certificates are personal
and extremely trustworthy.
Digital certificates are part of a so-called Public Key Infrastructure (PKI). PKI refers to a
system that can issue, distribute and check digital certificates.
Certificates are issued for a specific period, usually one year, i.e. they have a limited validity period.
Your device is designed to use certificates for VPN connections and for voice connections
over Voice over IP.
7.7.1 Certificate List
A list of all existing certificates is displayed in the System
Management->Certificates->Certificate List menu.
7.7.1.1 Edit
Click the
icon to display the content of the selected object (key, certificate, or request).
The certificates and keys themselves cannot be changed, but a few external attributes can
be changed, depending on the type of the selected entry.
The System Management->Certificates->Certificate List-> menu consists of the following fields:
Fields in the Edit parameters menu.
Field
Description
Description
Shows the name of the certificate, key, or request.
Certificate is CA Certificate
Mark the certificate as a certificate from a trustworthy certification authority (CA).
Certificates issued by this CA are accepted during authentication.
The function is enabled with )3.
The function is disabled by default.
Certificate Revocation
List (CRL) Checking
Only for Certificate is CA Certificate = )3
Define the extent to which certificate revocation lists (CRLs) are
to be included in the validation of certificates issued by the owner of this certificate.
Possible settings:
• -7+: CRLs are not checked.
• ,+20: CRLs are always checked.
• :+0 1 %?$ -73 (default value): A check is only carried out if a CRL
Distribution Point entry is included in the certificate. This can
be determined under "View Details" in the certificate content.
• / 1 3 *1*: The settings of the higher level certificate are used, if one exists. If it
does not, the same procedure is used as that described under
"Only if a CRL Distribution Point is present".
Force certificate to be
trusted
Define that this certificate is to be accepted as the user certificate without further checks during authentication.
The function is enabled with )3.
The function is disabled by default.
Caution
It is extremely important for VPN security that the integrity of all certificates manually
marked as trustworthy (certification authority and user certificates) is ensured. The displayed "fingerprints" can be used to check this integrity: Compare the displayed values
with the fingerprints specified by the issuer of the certificate (e.g. on the Internet). It is
sufficient to check one of the two values.
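The fingerprint comparison described in the Caution above, as an added example in Python (not part of the manual or the device software). It computes the digest over the certificate's DER bytes, which is what a fingerprint covers, and tolerates the separators and letter case that issuers use when publishing the value. The page does not name the two digests the device displays, so the mapping from hex length to MD5, SHA-1 or SHA-256 is an assumption, and the sample bytes are a constructed stand-in rather than a real certificate.

```python
import base64
import hashlib
import hmac
import re

# Digest algorithm inferred from the length of the published hex string.
# Assumption: the page does not name the two digests the device displays.
ALGO_BY_HEX_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def to_der(cert_file: bytes) -> bytes:
    """Return the DER bytes a fingerprint is computed over (PEM is unwrapped)."""
    match = PEM_BLOCK.search(cert_file)
    if match is None:
        return cert_file                      # already binary DER
    return base64.b64decode(b"".join(match.group(1).split()), validate=True)


def normalize(fingerprint: str) -> str:
    """Strip separators and case so 'AB:CD ...' and 'abcd...' compare equal."""
    hexstr = re.sub(r"[\s:.-]", "", fingerprint).lower()
    if len(hexstr) not in ALGO_BY_HEX_LENGTH or not re.fullmatch(r"[0-9a-f]+", hexstr):
        raise ValueError("not an MD5, SHA-1 or SHA-256 fingerprint")
    return hexstr


def fingerprint_matches(cert_file: bytes, published: str) -> bool:
    """Compare the file's digest with the value published by the issuer."""
    want = normalize(published)
    got = hashlib.new(ALGO_BY_HEX_LENGTH[len(want)], to_der(cert_file)).hexdigest()
    return hmac.compare_digest(got, want)


# Constructed stand-in bytes, not a real certificate: the digest logic only
# needs the exact bytes of the file.
SAMPLE_DER = bytes.fromhex("3082010a0201003011060355040313") + b"constructed-example"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    published = hashlib.sha1(SAMPLE_DER).hexdigest().upper()
    print(fingerprint_matches(SAMPLE_PEM, published))
```

Hashing the PEM text instead of the decoded DER bytes gives a different value, which is the usual reason a correct certificate appears not to match.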
7.7.1.2 Certificate Request
Registration authority certificates in SCEP
If SCEP (Simple Certificate Enrollment Protocol) is used, your device also supports separate registration authority certificates.
Registration authority certificates are used by some Certificate Authorities (CAs) to handle
certain tasks (signature and encryption) during SCEP communication with separate keys,
and to delegate the operation to separate registration authorities, if applicable.
When a certificate is downloaded automatically, i.e. if CA Certificate = -2+
is selected, all the certificates needed for the operation are loaded automatically.
If all the necessary certificates are already available in the system, these can also be selected manually.
Select the Certificate Request button to request or import more certificates.
The menu System Management->Certificates->Certificate List->Certificate Request
consists of the following fields:
Fields in the Certificate Request menu.
Field
Description
Certificate Request Description
Enter a unique description for the certificate.
Mode
Select the way in which you want to request the certificate.
Possible settings:
• .3+ (default value): Your device generates a PKCS#10
for the key. This file can then be uploaded directly in the
browser or copied in the
menu using the View details
field. This file must be provided to the CA and the received
certificate must then be imported manually to your device.
• % : The key is requested from a CA using the Simple Certificate Enrolment Protocol.
Generate Private Key
Only for Mode = .3+
Select an algorithm for key creation.
?, (default value) and -, are available.
Also select the length of the key to be created.
Possible values: , (, , , , .
Please note that a key with a length of 512 bits could be rated
as insecure, whereas a key of 4096 bits not only needs a lot of
time to create, but also occupies a major share of the resources
during IPSec processing. A value of 768 or more is, however,
recommended and the default value is 1024 bits.
SCEP URL
Only for Mode = %
Enter the URL of the SCEP server, e.g. http://scep.bintec-elmeg.com:8080/scep/scep.dll
Your CA administrator can provide you with the necessary data.
CA Certificate
Only for Mode = %
Select the CA certificate.
• In -2+ : In CA Name, enter the name of the CA
certificate of the certification authority (CA) from which you
wish to request your certificate, e.g. *22. Your CA administrator can provide you with the necessary data.
If no CA certificates are available, the device will first download the CA certificate of the relevant CA. It then continues
with the enrolment process, provided no more important parameters are missing. In this case, it returns to the Generate
Certificate Request menu.
If the CA certificate does not contain a CRL distribution point
(Certificate Revocation List, CRL), and a certificate server is
not configured on the device, the validity of certificates from
this CA is not checked.
• <name of an existing certificate>: If all the necessary certificates are already available in the system, you select these
manually.
RA Sign Certificate
Only for Mode = %
Only for CA Certificate not = -2+
Select a certificate for signing SCEP communication.
The default value is / %, %1* , i.e. the
CA certificate is used.
RA Encrypt Certificate
Only for Mode = %
Only if RA Sign Certificate not = / %, %1*
If you use one of your own certificates to sign communication
with the RA, you can select another one here to encrypt communication.
The default value is / ?, %1* , i.e.
the same certificate is used as for signing.
Password
Only for Mode = %
You may need a password from the certification authority to obtain certificates for your keys. Enter the password you received
from the certification authority here.
Fields in the Subject Name menu.
Field
Description
Custom
Select whether you want to enter the name components of the
subject name individually as specified by the CA or want to
enter a special subject name.
If 7+ is selected, a subject name can be given in Summary with attributes not offered in the list. Example:
"CN=VPNServer, DC=mydomain, DC=com, c=DE".
If the field is not selected, enter the name components in Common Name, E-mail, Organizational Unit, Organization, Locality, State/Province and Country.
The function is disabled by default.
Summary
Only for Custom = enabled.
Enter a subject name with attributes not offered in the list.
Example: "CN=VPNServer, DC=mydomain, DC=com, c=DE".
Common Name
Only for Custom = disabled.
Enter the name according to CA.
E-mail
Only for Custom = disabled.
Enter the e-mail address according to CA.
Organizational Unit
Only for Custom = disabled.
Enter the organisational unit according to CA.
Organization
Only for Custom = disabled.
Enter the organisation according to CA.
Locality
Only for Custom = disabled.
Enter the location according to CA.
State/Province
Only for Custom = disabled.
Enter the state/province according to CA.
Country
Only for Custom = disabled.
Enter the country according to CA.
The menu Advanced Settings consists of the following fields:
Fields in the Subject Alternative Names menu.
Field
Description
#1, #2, #3
For each entry, define the type of name and enter additional
subject names.
Possible values:
• 9 (default value): No additional name is entered.
• : An IP address is entered.
• -9: A DNS name is entered.
• +: An e-mail address is entered.
• /?: A uniform resource identifier is entered.
• -9: A distinguished name (DN) is entered.
• ?-: A registered identity (RID) is entered.
Fields in the Options menu
Field
Description
Autosave Mode
Select whether your device automatically stores the various
steps of the enrolment internally. This is an advantage if enrolment cannot be concluded immediately. If the status has not
been saved, the incomplete registration cannot be completed.
As soon as the enrolment is completed and the certificate has
been downloaded from the CA server, it is automatically saved
in the device configuration.
The function is enabled with 7+.
The function is enabled by default.
7.7.1.3 Import
Choose the Import button to import certificates.
The menu System Management->Certificates->Certificate List->Import consists of the
following fields:
Fields in the Import menu.
Field
Description
External Filename
Enter the file path and name of the certificate to be imported, or
use Browse... to select it from the file browser.
Local Certificate Description
Enter a unique description for the certificate.
File Encoding
Select the type of coding so that your device can decode the
certificate.
Possible values:
• ,3 (default value): Activates automatic code recognition. If
downloading the certificate in auto mode fails, try with a certain type of encoding.
• &
• &0
Password
You may need a password to obtain certificates for your keys.
Enter the password here.
7.7.2 CRLs
In the System Management->Certificates->CRLs menu, a list of all CRLs (Certificate
Revocation Lists) is displayed.
If a key is no longer to be used, e.g. because it has fallen into the wrong hands or has been
lost, the corresponding certificate is declared invalid. The certification authority revokes the
certificate and publishes it on a certificate blacklist, a so-called CRL. Certificate users should
always check against these lists to ensure that the certificate used is currently valid. This
check can be automated via a browser.
The Simple Certificate Enrollment Protocol (SCEP) supports the issue and revocation of
certificates in networks.
7.7.2.1 Import
Choose the Import button to import CRLs.
The System Management->Certificates->CRLs->Import menu consists of the following
fields:
Fields in the CRL Import menu.
Field
Description
External Filename
Enter the file path and name of the CRL to be imported, or use
Browse... to select it from the file browser.
Local Certificate Description
Enter a unique description for the CRL.
File Encoding
Select the type of encoding, so that your device can decode the
CRL.
Possible values:
• ,3 (default value): Activates automatic code recognition. If
downloading the CRL in auto mode fails, try with a certain
type of encoding.
• &
• &0
Password
Enter the password required for the import.
7.7.3 Certificate Servers
A list of certificate servers is displayed in the System Management->Certificates->Certificate Servers menu.
A certification authority (certification service provider, Certificate Authority, CA) issues your
certificates to clients applying for a certificate via a certificate server. The certificate server
also issues the private key and provides certificate revocation lists (CRL) that are accessed
by the device via LDAP or HTTP in order to verify certificates.
7.7.3.1 New
Choose the New button to set up a certificate server.
The System Management->Certificates->Certificate Servers->New menu consists of
the following fields:
Fields in the Basic Parameters menu.
Field
Description
Description
Enter a unique description for the certificate server.
LDAP URL Path
Enter the LDAP URL or the HTTP URL of the server.
Chapter 8 Physical Interfaces
In this menu, you configure the physical interfaces that you have used when connecting
your gateway. The configuration interface only shows the interfaces that are available on
your device. In the System Management->Status menu, you can see a list of all physical
interfaces and information on whether the interfaces are connected or active and whether
they have already been configured.
8.1 Ethernet Ports
An Ethernet interface is a physical interface for connection to the local network or external
networks.
The Ethernet ports ETH1 to ETH4 are assigned to a single logical Ethernet interface in ex
works state. The logical Ethernet interface is assigned and is preconfigured with the
IP Address and Netmask .
Note
To ensure your system can be reached, when splitting ports make sure that the Ethernet
interface with the preconfigured IP address and netmask is assigned to a port
that can be reached via Ethernet. If in doubt, carry out the configuration using a serial
connection via the Serial 1 interface.
ETH1 - ETH4
The interfaces can be used separately. They are logically separated from each other; each
separated port is assigned the desired logical Ethernet interface in the Ethernet Interface
Selection field of the Port Configuration menu. For each assigned Ethernet interface, another interface is displayed in the list in the LAN->IP Configuration menu, and the interface can be configured completely independently.
VLANs for Routing Interfaces
Configure VLANs to separate individual network segments from each other
(e.g. individual departments of a company) or to reserve bandwidth for individual VLANs
when managed switches are used with the QoS function.
8.1.1 Port Configuration
Port Separation
Your device makes it possible to run the switch ports as one interface or to logically separate these from each other and to configure them as independent Ethernet interfaces.
During configuration, please note the following: The splitting of the switch ports into several
Ethernet interfaces merely logically separates these from each other. The available total
bandwidth of max. 1000 Mbps full duplex for all resulting interfaces remains the same. For
example, if you split all the switch ports from each other, each of the resulting interfaces
only uses a part of the total bandwidth. If you group together several switch ports into one
interface, the full bandwidth of max. 1000 Mbps full duplex is available for all the ports together.
The menu Physical Interfaces->Ethernet Ports->Port Configuration consists of the following fields:
Fields in the Switch Configuration menu.
Field
Description
Switch Port
Shows the respective switch port. The numbering corresponds
to the numbering of the Ethernet ports on the back of the
device.
Ethernet Interface Selection
Assign a logical Ethernet interface to the switch port.
You can select from four interfaces, to . In the
basic setting, switch port 1 - 4 has the interface assigned to it.
Configured Speed / Mode
Select the mode in which the interface is to run.
Possible values:
• '3++ ,3 (default value)
• ,3 7 +0
• ,3 7 +0
• ,3 7 +0
• ,3 7 5 '3++ -3+6
• ,3 7 5 >+1 -3+6
• ,3 7 5 '3++ -3+6
• ,3 7 5 >+1 -3+6
• '6 7 5 '3++ -3+6
• '6 7 5 '3++ -3+6
• '6 7 5 >+1 -3+6
• '6 7 5 '3++ -3+6
• '6 7 5 >+1 -3+6
• 9: The interface is created but remains inactive.
Current Speed / Mode
Shows the actual mode and actual speed of the admin interface.
Possible values:
• 7 5 '3++ -3+6
• 7 5 '3++ -3+6
• 7 5 >+1 -3+6
• 7 5 '3++ -3+6
• 7 5 >+1 -3+6
• -2
Flow Control
Select whether a flow control should be conducted on the corresponding interface.
Possible values:
• -7+ (default value): No flow control is performed.
• 7+: Flow will be controlled.
• ,3: Flow will be controlled automatically.
8.2 ISDN Ports
In this menu, you configure the ISDN interfaces of your device. Here you enter data such
as the type of ISDN-BRI connection to which your gateway is connected. You can use the
ISDN interfaces of your gateway for various types of use.
You must carry out two steps to configure the ISDN interfaces:
• Enter the settings for your ISDN connection: Here you set the most important parameters
of your ISDN connection.
• MSN Configuration: Here you tell your device how to react to incoming calls from the
WAN.
8.2.1 ISDN Configuration
Note
If the ISDN protocol is not detected, it must be selected manually under Port Usage
and ISDN Configuration Type . The automatic D channel detection is then switched
off. An incorrectly set ISDN protocol prevents ISDN connections being set up.
In the Physical Interfaces->ISDN Ports->ISDN Configuration menu, a list of all ISDN
ports and their configuration are displayed.
8.2.1.1 Edit
Choose the
icon to edit the configuration of the ISDN port.
The Physical Interfaces->ISDN Ports->ISDN Configuration-> menu consists of the following fields:
Fields in the Basic Parameters menu
Field
Description
Port Name
Shows the name of the ISDN port.
Mode
Select the mode.
Possible values:
• 6+
• +
Autoconfiguration on
Bootup
Only if Mode = 6+
Select whether the ISDN switch type (D channel detection for
switched line) is to be automatically identified.
The function is enabled with Enabled.
The function is disabled by default.
Port Usage
Only if Autoconfiguration on Bootup is disabled.
Select the protocol that you want to use for the ISDN port.
Possible values:
• 9 3: The ISDN connection is not used.
• -+3 " 3 -9#
• D
ISDN Configuration
Type
Only if Autoconfiguration on Bootup is disabled and for Port
Usage = -+3 " 3 -9# or D
Select the ISDN connection type.
Possible values:
• .3+ (default value): Point-to-multipoint
connection
• : Point-to-point ISDN access.
The menu Advanced Settings consists of the following fields:
Fields in the Advanced Settings menu
Field
Description
X.31 (X.25 in D Channel)
Select whether you want to use X.31 (X.25 in the D channel)
e.g. for CAPI applications.
The function is enabled with 7+.
The function is disabled by default.
X.31 TEI Value
Only if X.31 (X.25 in D Channel) is enabled
With the ISDN autoconfiguration, the X.31-TEI is detected automatically. If the autoconfiguration has not detected TEI, you can
manually enter the value assigned by the exchange.
Possible values are to .
The default value is (for automatic detection).
X.31 TEI Service
Only for X.31 (X.25 in D Channel) enabled
Select the service for which you want to use X.31 TEI.
Possible values:
• %,
• %, -13+
• *B 2*! (default value)
%, and %, -13+ are only for the use of X.31 TEI for
CAPI applications. For %,, the TEI value set in the CAPI application is used. For %, -13+, the value of the CAPI application is ignored and the default value set here is always
used.
*B 2*! is set if you want to use X.31 TEI for the X.25
device.
8.2.2 MSN Configuration
In this menu, you can assign the available ISDN numbers to the required services (e.g.
PPP routing, ISDN login).
If you use the ISDN interface for outgoing and incoming dialup connections, your own numbers for this interface can be entered in this menu (these settings are not possible for
leased lines). Your device distributes the incoming calls to the internal services according
to the settings in this menu. Your own number is included as the calling party number for
outgoing calls.
The device supports the following services:
• PPP (Routing): The PPP (routing) service is your device's general routing service. This
enables ISDN remote terminals to establish data connections with your LAN, among other things. This enables partners outside your own local network to access hosts within
your LAN. It is also possible to establish outgoing data connections to ISDN remote terminals.
• ISDN Login: The ISDN login service enables both incoming data connections with access
to the SNMP shell of your device, and outgoing data connections to other devices. As a
result, your device can be remotely configured and administrated.
• IPSec: Devices support the DynDNS service to enable hosts without fixed IP addresses
to obtain a secure connection over the Internet. With the IPSec Callback function and using a direct ISDN call to an IPSec peer with a dynamic IP address you can signal to this
IPSec peer that you are online and waiting for the setup of an IPSec tunnel over the Internet. If the called peer currently has no connection to the Internet, the ISDN call causes
a connection to be set up. The identification of the caller from his or her ISDN number is
enough information to initiate setting up a tunnel.
• X.25 PAD: X.25 PAD is used to provide a protocol converter, which converts non-packet-oriented protocols to packet-oriented communication protocols and vice versa.
Data terminal equipment sending or receiving data on a non-data-packet-oriented basis
can thus be adapted in line with Datex-P (public data packet network based on the principle of a packet switching exchange).
When a call comes in, your device first uses the entries in this menu to check the type of
call (data or voice call) and the called party number, whereby only part of the called party
number reaches the device, which is forwarded from the local exchange or, if available, the
PBX. The call is then assigned to the corresponding service.
Note
If no entry is specified (ex works state), every incoming ISDN call is accepted by the
ISDN Login service. To avoid this, you should make the necessary entries here. As
soon as an entry exists, the incoming calls not assigned to any entry are forwarded to
the CAPI service.
A list of all MSNs is displayed in the Physical Interfaces->ISDN Ports->MSN Configuration menu.
8.2.2.1 New
Choose the New button to set up a new MSN.
The menu Physical Interfaces->ISDN Ports->MSN Configuration->New consists of the
following fields:
Fields in the Basic Parameters menu
Field
Description
ISDN Port
Select the ISDN port for which the MSN is to be configured.
Service
Select the service to which a call is to be assigned on the MSN
below.
Possible values:
• -9 $ (default value): Enables login with -9 $
• "?3#: Default setting for PPP routing. Contains
automatic detection of the PPP connections stated below except -:E&.
• *: Enables a number to be defined for IPSec callback.
• :! "#: Other services can be selected: B
(Allows 64 kbps PPP data connections), B (Allows
56 kbps PPP data connections), E " # E " #, E " #, E " #
(Allows PPP connections with V.110 and
bitrates of 9,600 bps, 14,400 bps, 19,200 bps, 38,400 bps),
E (Allows PPP connections with V.120).
MSN
Enter the number used to check the called party number. For
the call to be accepted, it is sufficient for the individual numbers
in the entry to agree, taking account of MSN Recognition.
MSN Recognition
Select the mode your device is to use for the number comparison for MSN with the called party number of the incoming call.
Possible values:
• ?! $1 (default value)
• $1 ?! "--#: Always select if your device is connected to a point-to-point connection.
Bearer Service
Select the type of incoming call (service detection).
Possible values:
• - < E* (default value): Both data and voice calls.
• -: data call
• E*: Voice call (modem, voice, analog fax)
8.3 DSL Modem
The ADSL modem is ideal for high-speed Internet access and remote access use in SMEs
or remote offices.
8.3.1 DSL Configuration
In this menu, you make the basic settings for your ADSL connection.
The menu Physical Interfaces->DSL Modem->DSL Configuration consists of the following fields:
Fields in the DSL Port Status menu.
Field
Description
DSL Chipset
Shows the key of the installed chipset.
Physical Connection
Shows the current ADSL operation mode. The value cannot be
changed.
Possible values:
• /B2: The ADSL link is not active.
• ,9 ): ANSI T1.413
• ,-$: ADSL classic, G.DMT, ITU G.992.1
• + : Splitterless ADSL, ITU G.992.2
• ,-$: G.DMT.Bis, ITU G.992.3
• ,-$ - $): ADSL2 Double Ended Line Test
• ,-$ +3: ADSL2 Plus, ITU G.992.5
• ,-$ +3 - $): ADSL2 Plus Double Ended Line Test
• ? ,-$: Reach Extended ADSL2
• ? ,-$ - $): Reach Extended ADSL2 Double Ended Line
Test.
• ,-$ )/) ,6 .
• ,-$< )/) ,6 .
• ,-$ ,6 F
• ,-$< ,6 F
Fields in the Current Line Speed menu.
Field
Description
Downstream
Displays the data rate in the receive direction (direction from
CO/DSLAM to CPE/router) in bits per second.
The value cannot be changed.
Upstream
Displays the data rate in the send direction (direction from CPE/
router to CO/DSLAM) in bits per second.
The value cannot be changed.
Fields in the DSL Parameter menu.
Field
Description
DSL Mode
Select the ADSL synchronization type.
Possible values:
• ,-$ ,3 (default value): The ADSL mode is automatically adapted for the remote terminal.
• ,-$: ADSL1 / G.DMT is used.
• ,-$: ADSL2 / G.992.3 is used.
• ,-$ +3: ADSL2 Plus / G.992.5 is used.
• ,3 ",6.#: Only for Annex A devices. The ADSL mode is automatically adapted to the other end with reference to G.992.3 Annex M.
• ,-$ +3 ",6.#: Only for Annex A devices. ADSL2
Plus / G.992.3 Annex M is used.
• ,-$ ,6 F: Only for Annex J devices. ADSL2 Plus /
G.992.3 Annex J is used.
• ,-$< ,6 F: Only for Annex J devices. ADSL2 Plus /
G.992.5 Annex J is used.
• *: The ADSL interface is not active.
Transmit Shaping
Select whether the data rate in the send direction is to be reduced. This is only needed in a few cases for special DSLAMs.
Possible values:
• -13+ "$ # (default value): The data rate in
the send direction is not reduced.
• G 7 to G G 7: The data rate in the
send direction is reduced to a maximum of 128,000 bps to
2,048,000 bps in defined steps.
• /1: The data rate is reduced to the value entered
in Maximum Upstream Bandwidth.
The default value is -13+ "$ #.
Maximum Upstream Bandwidth
Only for Transmit Shaping = /1
Enter the maximum data rate in the send direction in bits per
second.
SNR Margin
The signal-to-noise ratio (SNR) can be controlled via the slider
from 0 to 5 dB. Change the value only for DSL line problems.
The menu Advanced Settings consists of the following fields:
Fields in the Advanced Settings menu.
Field
Description
ADSL Line Profile
Select the internet service provider you require and, in doing so,
implicitly select the modem parameter set used by this provider.
-3*! )+B is entered as the default value.
If your provider is not shown in the list, use the 13+ setting.
Chapter 9 LAN
In this menu, you configure the addresses in your LAN and can structure your local network
using VLANs.
9.1 IP Configuration
In this menu, you can edit the IP configuration of the LAN and Ethernet interfaces of your
device.
9.1.1 Interfaces
The existing IP interfaces are listed in the LAN->IP Configuration->Interfaces menu. You
can edit the IP configuration of the interfaces or create virtual interfaces for special applications. Here is a list of all of the interfaces (logical Ethernet interfaces and others created in
the subsystems) configured in the System Management->Interface Mode / Bridge
Groups->Interfaces menu.
Use the icon to edit the settings of an existing interface (bridge groups, Ethernet interfaces in
routing mode).
You can use the New button to create virtual interfaces. However, this is only needed in
special applications (e.g. BRRP).
Depending on the option selected, different fields and options are available. All the configuration options are listed below.
Change the status of the interface by clicking the or the button in the Action column.
Press the button to display the details of an existing interface.
Note
For IPv4 note that:
If your device has obtained an IP address dynamically from a DHCP server operated
in your network for the basic configuration, the default IP address is deleted automatically and your device will no longer function over this address.
However, if you have set up a connection to the device over the default IP address or
have assigned an IP address with the Dime Manager in the basic configuration, you
will only be able to access your device over this IP address. The device will no longer
obtain an IP configuration dynamically over DHCP.
Example of subnets
If your device is connected to a LAN that consists of two subnets, you should enter a
second IP Address / Netmask.
The first subnet has two hosts with the IP addresses 192.168.42.1 and 192.168.42.2, for
example, and the second subnet has two hosts with the IP addresses 192.168.46.1 and
192.168.46.2. To be able to exchange data packets with the first subnet, your device uses
the IP address 192.168.42.3, for example, and 192.168.46.3 for the second subnet. The
netmasks for both subnets must also be indicated.
Here is an example for an IPv6 address:
Your device can act either as router or as device at one interface. In general, it acts as
router at the LAN interfaces, and as host at the WAN and PPP interfaces.
If your device acts as router, its own IPv6 addresses can be created as follows: a Link Prefix can be derived from a General Prefix or you can manually specify a static value. One
host address can be created through ,3 3, for additional host addresses you can
specify static values.
If your device acts as a router, it commonly distributes the configured link prefix to the hosts
through Router Advertisements. A DHCP server may distribute additional information to the
hosts, e.g., the address of a time server. A client can create its own host address either
through Stateless Address Autoconfiguration (SLAAC) or have this address assigned by a
DHCP server.
In order to make use of the router mode described above, use the following settings in the
menu LAN->IP Configuration->Interfaces->New: IPv6 Mode = ?3, Transmit
Router Advertisement = 7+, DHCP Server = 7+ and IPv6 Addresses = Add.
If your device acts as host, it has a Link Prefix assigned by another router through Router
Advertisements. The host address is then automatically derived through SLAAC. Additional
information like, e.g., the General Prefix of the provider or the address of a time server can
be received through DHCP. Use the following settings in the menu LAN->IP
Configuration->Interfaces->New: IPv6 Mode = %+, Accept Router Advertisement
= 7+ and DHCP Client = 7+.
9.1.1.1 Edit or New
Choose the icon to edit existing entries. Choose the New button to create virtual interfaces.
The LAN->IP Configuration->Interfaces->/New menu consists of the following fields:
Fields in the Basic Parameters menu.
Field
Description
Based on Ethernet Interface
This field is only displayed if you are editing a virtual routing interface.
Select the Ethernet interface for which the virtual interface is to
be configured.
Interface Mode
Only for physical interfaces in routing mode and for virtual interfaces.
Select the configuration mode of the interface.
Possible values:
• / (default value): The interface is not assigned for
a specific purpose.
• ) "E$,9#: This option only applies for routing interfaces.
You use this option to assign the interface to a VLAN. This is
done using the VLAN ID, which is displayed in this mode and
can be configured. The definition of a MAC address in MAC
Address is optional in this mode.
VLAN ID
Only for Interface Mode = ) "E$,9#
This option only applies for routing interfaces. Assign the interface to a VLAN by entering the VLAN ID of the relevant VLAN.
Possible values are (default value) to .
MAC Address
Enter the MAC address associated with the interface. For virtual
interfaces, you can use the MAC address of the physical interface under which the virtual interface was created by activating
Use built-in, but VLAN IDs must be different. You can also allocate a virtual MAC address. The first 6 characters of the MAC
are preset (but can be changed).
If Use built-in is active, the predefined MAC address of the allocated physical interface is used.
Use built-in is activated by default.
Fields in the Basic IPv4 Parameters menu.
Field
Description
Security Policy
Select the security settings to be used with the interface.
Possible values:
• )3 (default value): All IP packets are allowed through
except for those which are explicitly prohibited.
• /3: Only those packets are transmitted that can be
attributed to a connection that has been initiated from a trusted zone.
You can configure exceptions for the selected setting in the
Firewall on page 277 menu.
Address Mode
Select how an IP address is assigned to the interface.
Possible values:
• * (default value): The interface is assigned a static IP
address in IP Address / Netmask.
• ->%: An IP address is assigned to the interface dynamically
via DHCP.
IP Address / Netmask
Only for Address Mode = *
With Add, add a new address entry, enter the IP Address and
the corresponding Netmask of the virtual interface.
Fields in the Basic IPv6 Parameters menu.
Field
Description
IPv6
Select whether this interface should use Internet Protocol version 6 (IPv6) for data transmission.
The function is activated by selecting 7+ .
The function is disabled by default.
Security Policy
Only for IPv6 = 7+
Select the security settings to be used with the interface.
Possible values:
• )3 (default value): All IP packets are allowed through
except for those which are explicitly prohibited.
We recommend you use this setting if you want to use IPv6
on your LAN.
• /3: Only those packets are transmitted that can be
attributed to a connection that has been initiated from a trusted zone.
We recommend you use this setting if you want to use IPv6
outside of your LAN.
You can configure exceptions for the selected setting in the
Firewall on page 277 menu.
IPv6 Mode
Only for IPv6 = 7+
Select whether the interface is to be operated in host or in
router mode. Depending on your selection different parameters
are presented for you to configure.
Possible values:
• ?3 ") ?3 ,# (default
value): Select whether Router Advertisements are to be sent
via the interface.
Using Router Advertisements the list of prefixes is propagated
and the router propagates itself as the standard gateway.
The function is activated by selecting 7+ .
The function is enabled by default.
• >: The interface is operated in host mode.
DHCP Server
Only for IPv6 = 7+ and IPv6 Mode = ?3
") ?3 ,#
Specify if your device is to act as DHCP server, i.e., if it is to
transmit DHCP options in order to distribute information about
the DNS servers to the clients.
Enable this option if hosts are to create IPv6 addresses through
SLAAC.
The function is activated by selecting 7+ .
The function is enabled by default.
IPv6 Addresses
Only for IPv6 = 7+
You can assign IPv6 Addresses to the selected interface.
Add allows you to create one or more address entries.
A new window opens that allows you to specify an IPv6 address consisting of a Link Prefix and a host identifier.
If your device operates in host mode (IPv6 Mode = >, Accept Router Advertisement = 7+ and DHCP Client = 7+), its IPv6 addresses are determined through SLAAC.
You need not configure an IPv6 address manually, but you can
enter additional addresses if desired.
If your device is operating in router mode (IPv6 Mode = ?3
") ?3 ,#, Transmit Router
Advertisement = 7+ and DHCP Server = 7+),
you need to configure its IPv6 addresses here.
Accept Router Advertisement
Only for IPv6 = 7+ and IPv6 Mode = >
Select if Router Advertisements are to be received on the selected interface. Router Advertisements are used, e.g., to create
the prefix list.
The function is activated by selecting 7+ .
The function is enabled by default.
DHCP Client
Only for IPv6 = ,B and IPv6 Mode = >
Select if your device is to act as DHCP client, i.e., if it is to receive DHCP options in order to obtain information about the
DNS servers.
The function is activated by selecting 7+ .
The function is enabled by default.
Use Add to create more entries.
Fields in the Basic Parameters menu.
Field
Description
Advertise
Only for IPv6 Mode = ?3 ") ?3 ,#
Here you can determine if the prefix being defined in the current
window is propagated per Router Advertisement over the selected interface.
The function is activated by selecting 7+ .
The function is enabled by default.
Fields in the Link Prefix menu.
Field
Description
Setup Mode
Select in which way the Link Prefix is to be determined.
Possible values:
• ' + 16 (default value): The Link Prefix is
derived from a General Prefix.
• *: You can enter the link prefix.
General Prefix
Only for Setup Mode = ' + 16
Select the General Prefix the Link Prefix is to be derived from.
You can choose from the General Prefixes available under Network->IPv6 General Prefixes->General Prefix Configuration->New.
Auto Subnet Configuration
Only if Setup Mode = ' + 16 and if a General Prefix has been selected.
Select if the subnet is to be created automatically. Automatic
subnet creation will use ID for the first subnet, ID for the
second, etc.
Possible values for the subnet ID are: - .
The subnet ID describes the fourth of the four 16 bit fields of a
Link Prefix. Upon subnet creation the decimal ID value is converted to a hexadecimal one.
The function is activated by selecting 7+ .
The function is enabled by default.
If the function is disabled, you can define a subnet by entering a
Subnet ID.
Subnet ID
Only if Auto Subnet Configuration is not active.
Enter a Subnet ID in order to define a subnet. The subnet ID describes the fourth of the four 16 bit fields of a Link Prefix.
Possible values are - .
Upon subnet creation the decimal ID value is converted to a
hexadecimal one.
Link Prefix
Only for Setup Mode = *
You can specify the Link Prefix of an IPv6 address. This prefix
must end with 44. Its predetermined length is .
Fields in the Host Address menu.
Field
Description
Generation Mode
Determine if the Host Identifier of the IPv6 address is to be
automatically derived from the MAC address through EUI-64.
The function is activated by selecting 7+ .
The function is enabled by default.
EUI-64 triggers the following process:
• The hexadecimal 48 bit MAC address is split into 2 x 24 bit.
• ''' is inserted into the created gap in order to obtain 64 bit.
• The hexadecimal notation of the 64 bit is converted to a binary notation.
• Bit no. 7 of the first 8 bit field is set to .
Static Addresses
Independently of the automatic creation described under Generation Mode, you can manually specify the Host Identifier of
one or more IPv6 addresses with Add. Its predefined length is
. Start any entry with 44 .
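The Link Prefix and Host Address settings above, worked through in Python as an added example (not bintec elmeg code). It derives a /64 Link Prefix from a General Prefix and a decimal Subnet ID, then builds the host identifier with the modified EUI-64 procedure of RFC 4291 (FFFE inserted between the two MAC halves, universal/local bit inverted). The function names, the documentation prefix 2001:db8:1234::/48 and the MAC address are constructed for illustration.

```python
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Return the 64-bit modified EUI-64 interface identifier for a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Split the MAC into 2 x 24 bit and insert FFFE into the gap (64 bit total).
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    # Bit no. 7 of the first 8-bit field (mask 0x02) is the universal/local
    # bit; RFC 4291 inverts it, so a factory-assigned MAC yields a set bit.
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def link_prefix(general_prefix: str, subnet_id: int) -> ipaddress.IPv6Network:
    """Derive a /64 Link Prefix: the decimal subnet ID becomes the hexadecimal
    value of the fourth 16-bit field of the prefix."""
    gp = ipaddress.IPv6Network(general_prefix)
    free_bits = 64 - gp.prefixlen
    if free_bits < 0:
        raise ValueError("General Prefix must not be longer than /64")
    # The subnet ID may only use bits that the General Prefix leaves free
    # inside the fourth field (all 16 for a /48, only 8 for a /56).
    if not 0 <= subnet_id < (1 << min(free_bits, 16)):
        raise ValueError("subnet ID does not fit into the Link Prefix")
    base = int(gp.network_address)
    return ipaddress.IPv6Network((base | (subnet_id << 64), 64))


def slaac_address(general_prefix: str, subnet_id: int, mac: str) -> ipaddress.IPv6Address:
    """Combine Link Prefix and EUI-64 host identifier into one IPv6 address."""
    net = link_prefix(general_prefix, subnet_id)
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


if __name__ == "__main__":
    # Constructed sample values: documentation prefix and an invented MAC.
    prefix, mac = "2001:db8:1234::/48", "00:11:22:33:44:55"
    for sid in (1, 10, 255):
        print(sid, link_prefix(prefix, sid), slaac_address(prefix, sid, mac))
```

Because the host identifier is a direct function of the MAC address, the same interface produces the same lower 64 bits in every subnet, which is worth knowing when address lists are reviewed or correlated.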
The fields in the Advanced menu are part of the prefix information sent inside of Router Advertisements if Advertise is enabled. The menu Advanced consists of the following fields:
Fields in the Advanced IPv6 Settings menu
Field
Description
On Link Flag
Select whether the On-Link Flag (L-Flag) should be set. This allows the host to enter the prefix from the prefix list.
The function is activated by selecting )3 .
The function is enabled by default.
Autonomous Flag
Select whether the Autonomous Address Configuration Flag
(A-Flag) should be set. This allows the host to use the prefix
and the 64 bit interface ID, to derive its address.
The function is activated by selecting )3 .
The function is enabled by default.
Preferred Lifetime
Enter a time period in seconds. During this time, addresses derived from the prefix through SLAAC are preferred.
The default value is seconds.
Valid Lifetime
Enter a time period in seconds, for which the prefix is valid.
The default value is seconds.
Note
The value for the valid lifetime should be lower than the one
configured for the option Router Lifetime under Advanced
IPv6 Settings.
The menu Advanced Settings consists of the following fields:
Fields in the Advanced IPv4 Settings menu.
Field
Description
DHCP MAC Address
Only for Address Mode = ->%
If Use built-in is activated (default setting), the hardware MAC
address of the Ethernet interface is used. In the case of physical
interfaces, the current MAC address is entered by default.
If you disable Use built-in, you enter a MAC address for the
virtual interface, e.g. 4414 4714 .
Some providers use hardware-independent MAC addresses to
allocate their clients IP addresses dynamically. If your provider
has assigned you a MAC address, enter this here.
DHCP Hostname
Only for Address Mode = ->%
Enter the host name requested by the provider. The maximum
length of the entry is 45 characters.
DHCP Broadcast Flag
Only for Address Mode = ->%
Choose whether or not the BROADCAST bit is set in the DHCP
requests for your device. Some DHCP servers that assign IP
addresses by UNICAST do not respond to DHCP requests with
the set BROADCAST bit. In this case, it is necessary to send
DHCP requests in which this bit is not set. In this case, disable
this option.
The function is activated by selecting 7+.
The function is enabled by default.
Create Default Route
Only for Address Mode = ->%
Select, whether a default route is to be defined for this interface.
The function is activated by selecting 7+.
The function is enabled by default.
Proxy ARP
Select whether your device is to respond to ARP requests from
its own LAN on behalf of defined remote terminals.
The function is activated by selecting 7+.
The function is disabled by default.
TCP-MSS Clamping
Select whether your device is to apply MSS Clamping. To prevent IP packets fragmenting, the MSS (Maximum Segment
Size) is automatically decreased by the device to the value set
here.
The function is activated by selecting 7+.
The function is disabled by default. Once enabled, the default
value is entered in the input field.
Fields in the Advanced IPv6 Settings menu
Field
Description
Router Lifetime
Only for IPv6 = 7+, IPv6 Mode = ?3 ")
?3 ,# and Transmit Router Advertisement = 7+
Enter a time period in seconds. The router remains in the default router list throughout this interval.
The default value is seconds. The maximum value is
seconds. A value of means that the router is not a
default router, and will not be entered in the default router list.
Note
The value for the Router Lifetime should be higher than
the shortest valid lifetime for a link prefix configured for this
interface under Basic IPv6 Parameters.
Router Preference
Only for IPv6 = 7+, IPv6 Mode = ?3 ")
?3 ,# and Transmit Router Advertisement = 7+
Select your router's preference for choice of default router. This
is useful for cases where a node receives advertisements from
multiple routers, or for back-up scenarios.
Possible values:
• >!
• .3 (default value)
• $2
DHCP Mode
Only for IPv6 = 7+, IPv6 Mode = ?3 ")
?3 ,# and Transmit Router Advertisement = 7+
Select the information to be forwarded to the DHCP client.
Note
To achieve this, your router must not be set up as a DHCP
server.
By selecting :! -9 G (default value) no address-related information, such
as DNS, VoIP, etc., is passed through.
Enable this option if hosts inside of the network are to automatically create their IP addresses through SLAAC. In this case, the
router sends only data via DHCP that are not address-related.
By selecting . , . hosts receive IPv6 addresses as well as information that is not address-related through DHCP.
DNS Propagation
Only for IPv6 Mode = ?3 ") ?3 ,
# and Transmit Router Advertisement 7+
Select if and in which way DNS server addresses are to be
propagated in Router Advertisements. A maximum of two DNS
server addresses is propagated.
Possible values:
• :11: No DNS server address propagation
• +1: The device sends its own IP address as DNS server
address. If the device has multiple addresses, they are used
in the following order:
• Global addresses
• ULA (Unique Local Addresses)
• Link local addresses
• :!: Statically configured as well as dynamically learned
DNS server entries are propagated according to their priority.
If there are no entries, no address is propagated.
9.2 VLAN
By implementing VLAN segmentation in accordance with 802.1Q, you can configure
VLANs on your device. The wireless ports of an access point, in particular, are able to remove the VLAN tag of a frame sent to the clients and to tag received frames with a predefined VLAN ID. This functionality makes an access point nothing less than a VLAN-compliant switch with the enhancement of grouping clients into VLAN groups. In general,
VLAN segmenting can be configured with all interfaces.
VLAN for Bridging and VLAN for Routing
In the LAN->VLAN menu, VLANs (virtual LANs) are configured with interfaces that operate
in Bridging mode. Using the VLAN menu, you can make all the settings needed for this and
query their status.
Caution
For interfaces that operate in Routing mode, you only assign a VLAN ID to the interface. You define this via the parameters Interface Mode = ) "E$,9# and field
VLAN ID in menu LAN->IP Configuration->Interfaces->New.
9.2.1 VLANs
In this menu, you can display all the VLANs already configured, edit your settings and create new VLANs. By default, the . VLAN with VLAN Identifier = is available,
to which all interfaces are assigned.
9.2.1.1 Edit or New
Choose the icon to edit existing entries. Select the New button in order to create new
VLANs.
The LAN->VLAN->VLANs->New menu consists of the following fields:
Fields in the Configure VLAN menu.
Field
Description
VLAN Identifier
Enter the number that identifies the VLAN. In the menu, you
can no longer change this value.
Possible values are (default value) to .
VLAN Name
Enter a unique name for the VLAN. A character string of up to
32 characters is possible.
The predefined VLAN name is ..
VLAN Members
Select the ports that are to belong to this VLAN. You can use
the Add button to add members.
For each entry, also select whether the frames to be transmitted
from this port are to be transmitted ) (i.e. with VLAN information) or / (i.e. without VLAN information).
9.2.2 Port Configuration
In this menu, you can define and view the rules for receiving frames at the VLAN ports.
The LAN->VLANs->Port Configuration menu consists of the following fields:
Fields in the Port Configuration menu.
Field
Description
Interface
Shows the port for which you define the PVID and processing
rules.
PVID
Assign the selected port the required PVID (Port VLAN Identifier).
If a packet without a VLAN tag reaches this port, it is assigned
this PVID.
Drop untagged frames
If this option is enabled, untagged frames are discarded. If the
option is disabled, untagged frames are tagged with the PVID
defined in this menu.
Drop non-members
If this option is enabled, all tagged frames that are tagged with a
VLAN ID to which the selected port does not belong are discarded.
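The receive rules from the Port Configuration table, applied to raw Ethernet frames, as an added example (not bintec elmeg code). The names PortRules, parse_vlan_id, ingress and make_frame and the sample frames are constructed; treating a priority-tagged frame (VLAN ID 0) as untagged and accepting a non-member tag when Drop non-members is disabled are assumptions, not statements from the manual.

```python
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag


def parse_vlan_id(frame: bytes):
    """Return the VLAN ID carried in an 802.1Q tag, or None if untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF  # lower 12 bits of the tag control information


@dataclass
class PortRules:
    pvid: int                      # Port VLAN Identifier
    member_of: frozenset           # VLANs this port belongs to (VLAN Members)
    drop_untagged: bool = False    # "Drop untagged frames"
    drop_non_members: bool = False  # "Drop non-members"


def ingress(port: PortRules, frame: bytes):
    """Return ("accept", vlan_id) or ("drop", reason) for a received frame."""
    vid = parse_vlan_id(frame)
    # Assumption: a priority-tagged frame (VID 0) carries no VLAN membership
    # and is handled like an untagged one, as 802.1Q describes.
    if vid is None or vid == 0:
        if port.drop_untagged:
            return ("drop", "untagged")
        return ("accept", port.pvid)  # untagged frame is assigned the PVID
    if port.drop_non_members and vid not in port.member_of:
        return ("drop", "non-member")
    # Assumption: with the option disabled the frame keeps its own tag.
    return ("accept", vid)


def make_frame(vid=None, priority=0) -> bytes:
    """Build a constructed sample frame (invented addresses, dummy payload)."""
    header = bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455")
    tag = b""
    if vid is not None:
        tag = struct.pack("!HH", TPID_8021Q, (priority << 13) | vid)
    return header + tag + struct.pack("!H", 0x0800) + b"\x00" * 46


if __name__ == "__main__":
    strict = PortRules(pvid=10, member_of=frozenset({10, 20}),
                       drop_untagged=True, drop_non_members=True)
    relaxed = PortRules(pvid=10, member_of=frozenset({10, 20}))
    for label, frame in (("untagged", make_frame()),
                         ("tag 20", make_frame(20)),
                         ("tag 30", make_frame(30))):
        print(f"{label:9} strict={ingress(strict, frame)} relaxed={ingress(relaxed, frame)}")
```

With both options disabled, a frame tagged for a VLAN the port does not belong to is still classified by its own tag, so enabling Drop non-members is what confines a port to its configured VLANs.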
9.2.3 Administration
In this menu, you make general settings for a VLAN. The options must be configured separately for each bridge group.
The LAN->VLANs->Administration menu consists of the following fields:
Fields in the Bridge Group br<ID> VLAN Options menu
Field
Description
Enable VLAN
Enable or disable the specified bridge group for VLAN.
The function is enabled with 7+.
The function is not activated by default.
Chapter 10 Wireless LAN Controller
By using the wireless LAN controller, you can set up and manage a WLAN infrastructure
with multiple access points (APs). The WLAN controller has a Wizard which assists you in
the configuration of your access points. The system uses the CAPWAP protocol (Control
and Provisioning of Wireless Access Points Protocol) for any communication between masters and slaves.
In smaller WLAN infrastructures with up to six APs, one of the APs assumes the master
function and manages the other APs as well as itself. In larger WLAN networks a gateway,
such as a bintec R1202, assumes the master function and manages the APs.
Provided the controller has "located" all of the APs in its system, each of these shall receive a new passport and configuration in succession, i.e. they are managed via the WLAN
controller and can no longer be amended "externally".
With the WLAN controller you can
• Automatically detect individual access points (APs) and connect to a WLAN network
• Load the system software into the APs
• Load the configuration into the APs
• Monitor and manage APs
Please refer to your gateway's data sheet to find out the number of APs that you can manage with your gateway's wireless LAN controller and details of the licenses required.
10.1 Wizard
The Wizard menu offers step-by-step instructions for the set up of a WLAN infrastructure.
The Wizard guides you through the configuration.
Note
We highly recommend that you use the Wizard when initially configuring your WLAN
infrastructure.
10.1.1 Wireless LAN Controller Wizard
Here you can configure all of the various settings that you require for the actual wireless
LAN controller.
10.1.1.1 Basic Settings
The wireless LAN controller uses the following settings:
Region
Select the country in which the wireless controller is to be operated.
Please note: The range of channels that can be used varies depending on the country setting.
Interface
Select the interface to be used for the wireless controller.
DHCP Server
Select whether an external DHCP server shall assign IP addresses to the APs or if you
wish to assign fixed IP addresses yourself. Alternatively, you can use your device as a DHCP server. For this internal DHCP server, CAPWAP option 138 is active in order to allow
communication between the master and slaves.
If you use static IP addresses in your network, you must enter these on all APs manually. The IP addresses of the wireless LAN controller must be entered for each AP in the System Management->Global Settings->System menu in the Manual WLAN Controller IP Address field.
Please note: Make sure that option 138 is active when using an external DHCP server.
If you wish to use a bintec elmeg Gateway, for example, as a DHCP server, go to Local Services->DHCP Server->DHCP Configuration->New->Advanced Settings in the GUI of this device and click the Add button in the DHCP Options field. Select %,8, %++ as Option and enter the IP address of the WLAN controller in the Value field.
IP Address Range
If the IP addresses are to be assigned internally, you must enter the start and end IP address of the desired range.
Please note: If you click on Next, a warning appears which informs you that continuing will
overwrite the wireless LAN controller configuration. By clicking on OK you signal that you
agree with this and wish to continue with the configuration.
10.1.1.2 Radio Profile
Select which frequency band your WLAN controller shall use.
If the >H ? 1+ is set then the 2.4 GHz frequency band is used.
If the >H ? 1+ is set then the 5 GHz frequency band is used.
If the corresponding device contains two wireless modules, you can Use two independent
radio profiles. This assigns >H ? 1+ to module 1 and >H ?
1+ to module 2.
The function is activated by selecting 7+.
The function is disabled by default.
10.1.1.3 Wireless Network
All of the configured wireless networks (VSS) are displayed in the list. At least one wireless
network (VSS) is set up. This entry cannot be deleted.
Click on
to edit an existing entry.
You can also delete entries using the
icon.
With Add, you can create new entries. You can create up to eight wireless networks (VSS)
for a wireless module.
Note
If you wish to use the default wireless network that is set up, you must at least change
the Preshared Key parameters. Otherwise you will be prompted.
10.1.1.3.1 Change or add wireless networks
Click on
to edit an existing entry.
With Add, you can create new entries.
The following parameters are available
Network Name (SSID)
Enter the name of the wireless network (SSID).
Enter an ASCII string with a maximum of 32 characters.
Also select whether the Network Name (SSID) E7+ is to be transmitted.
IGMP Snooping
IGMP snooping reduces the data traffic and thus the network load.
The function is activated by selecting 7+.
Security Mode
Select the security mode (encryption and authentication) for the wireless network.
Please note: 8, means 802.11x.
WPA Mode
Select for Security Mode = 8,= or 8, , whether you wish to use WPA or WPA 2 or both.
Preshared Key
Enter the WPA password for Security Mode = 8,=.
Enter an ASCII string with 8 - 63 characters.
Important
Change the default Preshared Key! If the key has not been changed, your device will
not be protected against unauthorised access!
Radius Server
You can control access to a wireless network via a RADIUS server.
With Add, you can create new entries.
Enter the IP address and the password of the desired RADIUS server.
EAP Preauthentification
For Security Mode = 8, , select whether the EAP preauthentification function is to be 7+. This function tells your device that WLAN clients, which are already
connected to another access point, can first carry out 802.1x authentication as soon as
they are within range. Such WLAN clients can then simply connect over the existing network connection with your device.
VLAN
Select whether the VLAN segmentation is to be used for this wireless network.
If you wish to use VLAN segmentation, enter a value between and in the input
field in order to identify the VLAN. (VLAN ID is not possible!).
Note
Before you continue, please ensure that all access points that the WLAN controller
shall manage are correctly wired and switched on.
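The wizard's constraints on a wireless network (SSID of at most 32 ASCII characters, Preshared Key of 8 - 63 ASCII characters, default key changed) can be checked before a configuration is rolled out. The following Python audit is an added example, not bintec elmeg code; the field names, mode labels and the FACTORY_PSK placeholder are assumptions, and the findings for open, WEP and WPA-only networks reflect general practice rather than statements from this manual.

```python
from dataclasses import dataclass

# The manual does not print the factory Preshared Key. Replace this
# placeholder with the default shown on your device so that an unchanged
# key can be recognised.
FACTORY_PSK = "<factory-default-psk>"


@dataclass
class WirelessNetwork:
    """One wireless network (VSS) as entered in the wizard.

    Field names and mode labels are assumptions made for this example;
    they are not the identifiers used by the device.
    """
    ssid: str
    security_mode: str      # "none", "wep40", "wep104", "wpa-psk", "wpa-enterprise"
    wpa_mode: str = "wpa2"  # "wpa", "wpa2" or "wpa+wpa2"
    preshared_key: str = ""


def printable_ascii(text):
    """True if every character is printable 7-bit ASCII."""
    return all(0x20 <= ord(ch) <= 0x7E for ch in text)


def audit(net, factory_psk=FACTORY_PSK):
    """Return a list of finding codes for one wireless network."""
    findings = []

    # Manual: "Enter an ASCII string with a maximum of 32 characters."
    if not (1 <= len(net.ssid) <= 32 and printable_ascii(net.ssid)):
        findings.append("ssid-invalid")

    if net.security_mode == "none":
        # Neither encryption nor authentication.
        findings.append("open-network")
    elif net.security_mode in ("wep40", "wep104"):
        # WEP is long deprecated; flagged regardless of key length.
        findings.append("wep-in-use")
    elif net.security_mode in ("wpa-psk", "wpa-enterprise"):
        if net.wpa_mode in ("wpa", "wpa+wpa2"):
            # First-generation WPA is still accepted by this network.
            findings.append("legacy-wpa-enabled")
        elif net.wpa_mode != "wpa2":
            findings.append("wpa-mode-unknown")
        if net.security_mode == "wpa-psk":
            key = net.preshared_key
            # Manual: "Enter an ASCII string with 8 - 63 characters."
            if not (8 <= len(key) <= 63 and printable_ascii(key)):
                findings.append("psk-invalid")
            # Manual: "Change the default Preshared Key!"
            elif key == factory_psk:
                findings.append("psk-default")
    else:
        findings.append("security-mode-unknown")
    return findings


def audit_all(networks, factory_psk=FACTORY_PSK):
    """Audit several networks; returns {ssid: [findings]} for those with findings."""
    report = {}
    for net in networks:
        findings = audit(net, factory_psk)
        if findings:
            report[net.ssid] = findings
    return report


# Constructed sample configuration, not taken from a real device.
SAMPLE_NETWORKS = [
    WirelessNetwork("office", "wpa-psk", "wpa2", "correct horse battery staple"),
    WirelessNetwork("default", "wpa-psk", "wpa+wpa2", FACTORY_PSK),
    WirelessNetwork("guest", "none"),
    WirelessNetwork("scanner", "wep104"),
    WirelessNetwork("lab", "wpa-psk", "wpa2", "short"),
]

if __name__ == "__main__":
    for ssid, findings in audit_all(SAMPLE_NETWORKS).items():
        print(f"{ssid}: {', '.join(findings)}")
```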
10.1.1.4 Start automatic installation
You will see a list of all detected access points.
If you wish to change the settings of a detected AP, click on
in the corresponding entry.
You will see the settings for all selected access points. You can change these settings.
The following parameters are available in the Access Point Settings menu:
Location
Displays the stated locality of the AP. You can enter another locality.
Assigned Wireless Network (VSS)
Displays the wireless networks that are currently assigned.
The following parameters are available in the wireless module 1 menu:
(The parts wireless module 1 and wireless module 2 are displayed if the AP has two wireless modules.)
Operation Mode
Select the mode in which the wireless module is to be operated.
Possible values:
• : (default value): The wireless module is used as an access point in your network.
• :11: The wireless module is not active.
Active Radio Profile
Displays the wireless module profile that is currently selected. You can select another wireless module profile from the list if more than one wireless module profile has been set up.
Channel
Displays the channel that is assigned. You can select an alternative channel.
The number of channels you can select depends on the country setting. Please consult the
data sheet for your device.
Note
Configuring the network name (SSID) in Access Point mode means that wireless networks can be logically separated from each other, but they can still physically interfere
with each other if they are operating on the same or closely adjacent wireless channels. So if you are operating two or more radio networks close to each other, it is advisable to allocate the networks to different channels. Each of these should be spaced
at least four channels apart, as a network also partially occupies the adjacent channels.
In the case of manual channel selection, please make sure first that the APs actually support these channels.
Transmit Power
Displays the transmission power in dBm. You can select another transmission power.
With OK you apply the settings.
Select the access points that your WLAN controller shall manage. In the Manage column,
click on the desired entries or click on Select all in order to select all entries. Click the
Deselect all button to disable all entries and to then select individual entries if required
(e.g. for large lists).
Click on Start in order to install the WLAN and automatically assign the frequencies.
Note
If there are not enough licences available, the message "The maximum number of slave access points that can be supported has been exceeded" is displayed. Please check your licences. If this message is displayed, you should obtain additional licences if appropriate.
During the installation of the WLAN and the allocation of frequencies, the messages displayed show how far the installation has progressed. The display is continuously updated.
Provided that non-overlapping wireless channels are located for all access points, the configuration that is set in the Wizard is transferred to the access points.
When the installation is complete, you will see a list of the Managed access points.
Under Configure the Alert Service for WLAN surveillance, click Start to monitor your
managed APs. You are taken to the External Reporting->Alert Service->Alert Recipient
menu with the default setting Event = . , 11+. You can specify that you
wish to be notified by e-mail if the . , 11+ event occurs.
Under New Neighborscan, click Start to rescan adjacent APs. You will receive a warning that the wireless modules of the access points must also be disabled for a certain period of time. When you start the process with OK, a progress bar is displayed. The located AP display is updated every ten seconds.
10.1.2 Wireless LAN Controller VLAN Configuration
In order to separate WLANs (VSS) from each other, you can activate the VLAN function
and assign a VLAN ID during the configuration of a VSS. For the separation from other interfaces to work properly, you need to create a virtual interface with its own IP configuration, and, if applicable, a corresponding DHCP pool which provides IP addresses to clients
connecting to this VLAN. You can make these settings, as usual, in the menus LAN->IP Configuration and Local Services->DHCP Server, respectively, or you can use the menu offered here. All settings you make here are automatically transferred to the other menus as well.
You are shown an overview of VLANs that have already been created with their VLAN IDs
and their corresponding IP and DHCP configuration. In order to edit an entry, select the
icon in the respective line. To create a new entry, select New. A new entry can only be created for a VSS with a VLAN ID that does not yet have a VLAN configuration.
10.1.2.1 Edit or New
Select the
symbol in order to edit an existing entry. Select the New button in order to
create additional VLANs.
The menu Wireless LAN Controller->Wizard->Wireless LAN Controller VLAN Configuration->New consists of the following fields:
Fields in the menu VSS VLAN Network Configuration
Field
Description
VLAN ID
Select an existing VLAN from the pull down menu. Only those
IDs without a configuration are offered.
IP Address/Netmask
Specify the IP configuration of the new interface. Make sure that
the address has not been used before.
DHCP Server
In order to provide clients connecting to this VLAN with an IP
configuration, you can either use an external DHCP server, or
you can use the integrated one of your device.
Possible values:
• 6+ *: Select this option if you are already operating a DHCP server in your network, or if clients connecting to this VLAN have a static IP configuration. Make sure that an external DHCP server can be reached from the VLAN.
• +: Select this option if you intend to use your device as DHCP server for this VLAN.
IP Address Range
Only for DHCP Server = +
Specify the first and the last IP address which your device is to
distribute inside the VLAN. Make sure that the address range
corresponds to the IP address of the interface for this VLAN,
and that it does not overlap with other IP address pools.
The DHCP configuration automatically assumes your device to be the gateway. The lease time is 120 minutes. If you want to adjust these settings, go to the menu Local Services->DHCP Server->DHCP Configuration.
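The requirements in the table above (an interface address that has not been used before, an address range that corresponds to the interface of the VLAN, no overlap with other IP address pools) can be verified before the values are entered. The following Python check is an added example, not part of the device software; the function name, its parameters and all addresses in the comments are assumptions made for illustration.

```python
import ipaddress


def check_vlan_pool(interface, first, last, other_interfaces=(), other_pools=None):
    """Validate IP Address/Netmask and IP Address Range for one VLAN.

    interface        -- address/netmask of the new VLAN interface,
                        e.g. "192.168.20.1/24" (constructed value)
    first, last      -- first and last address the DHCP server distributes
    other_interfaces -- address/netmask strings of existing interfaces
    other_pools      -- {name: (first, last)} of existing DHCP pools
    Returns a list of problem strings; an empty list means consistent values.
    """
    iface = ipaddress.IPv4Interface(interface)
    start = ipaddress.IPv4Address(first)
    end = ipaddress.IPv4Address(last)
    net = iface.network
    problems = []

    # "Make sure that the address has not been used before."
    for other in other_interfaces:
        other_if = ipaddress.IPv4Interface(other)
        if other_if.ip == iface.ip:
            problems.append(f"interface address {iface.ip} already in use")
        elif other_if.network.overlaps(net):
            problems.append(f"network {net} overlaps {other_if.network}")

    if start > end:
        problems.append("range start is above range end")
        return problems

    # "Make sure that the address range corresponds to the IP address of
    # the interface for this VLAN."
    for addr in (start, end):
        if addr not in net:
            problems.append(f"{addr} is outside {net}")

    # The device itself is the gateway, so its address must not be leased.
    if start <= iface.ip <= end:
        problems.append(f"range contains the interface address {iface.ip}")

    # Network and broadcast addresses are not usable by clients
    # (does not apply to /31 and /32 networks).
    if net.prefixlen < 31:
        for special, label in ((net.network_address, "network"),
                               (net.broadcast_address, "broadcast")):
            if start <= special <= end:
                problems.append(f"range contains the {label} address {special}")

    # "... and that it does not overlap with other IP address pools."
    for name, (o_first, o_last) in (other_pools or {}).items():
        o_start = ipaddress.IPv4Address(o_first)
        o_end = ipaddress.IPv4Address(o_last)
        if start <= o_end and o_start <= end:
            problems.append(f"range overlaps pool {name}")

    return problems


if __name__ == "__main__":
    # Constructed values for a guest VLAN next to an existing LAN pool.
    for line in check_vlan_pool(
        "192.168.20.1/24", "192.168.20.1", "192.168.21.10",
        other_interfaces=["192.168.0.254/24"],
        other_pools={"lan": ("192.168.0.10", "192.168.0.49")},
    ):
        print(line)
```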
10.2 Controller Configuration
In this menu, you make the basic settings for the wireless LAN controller.
10.2.1 General
The Wireless LAN Controller->Controller Configuration->General menu consists of the
following fields:
Fields in the Basic Settings menu.
Field
Description
Status
Enable the Status option to make the basic settings for the wireless LAN controller.
The function is disabled by default.
Delete the complete WLAN Controller configuration
Only for Status = disabled.
You can delete a configuration using the icon.
Region
Select the country in which the wireless LAN controller is to be operated.
Possible values are all the countries configured on the device's wireless module.
The range of channels that can be used varies depending on the country setting.
The default value is 0.
Interface
Select the interface to be used for the wireless controller.
DHCP Server
Select whether an external DHCP server shall assign IP addresses to the APs or if you wish to assign fixed IP addresses
yourself. Alternatively, you can use your device as a DHCP
server. For this internal DHCP server, CAPWAP option 138 is
active in order to allow communication between the master and
slaves.
Please note: Make sure that option 138 is active when using an
external DHCP server.
If you wish to use a bintec elmeg Gateway, for example, as a DHCP server, go to Local Services->DHCP Server->DHCP Pool->New->Advanced Settings in the GUI of this device and click the Add button in the DHCP Options field. Select %,8, %++ as Option and enter the IP address of the WLAN controller in the Value field.
If you use static IP addresses in your network, you must enter these on all APs manually. The IP addresses of the wireless LAN controller must be entered for each AP in the System Management->Global Settings->System menu in the Manual WLAN Controller IP Address field.
Possible values:
• 6+ * (default value): An external DHCP server with CAPWAP option 138 enabled assigns the IP addresses to the APs, or you can give static IP addresses to the APs.
• +: Your device, on which the CAPWAP option 138 is
active, assigns the IP addresses to the APs.
IP Address Range
Only for DHCP Server = +
Enter the start and end IP address of the range. These IP addresses and your device must originate from the same network.
Slave AP location
Select whether the APs that the wireless LAN controller is to
manage are located in the LAN or the WAN.
Possible values:
• $*+ "$,9# (default value)
• ? "8,9#
The ? "8,9# setting is useful if, for example, there is a
wireless LAN controller installed at head office and its APs are
distributed to different branches. If the APs are linked via VPN,
it may be that a connection is terminated. If this happens, the
relevant AP with the setting ? "8,9# maintains its configuration until the connection is reestablished. It then boots up
and the controller and the AP then resynchronize.
Slave AP LED mode
Select the lighting scheme of the slave AP LEDs.
Possible values:
• (default value): All LEDs show their standard behavior.
• '+!: Only the status LED flashes once per second.
• :11: All LEDs are deactivated.
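When an external DHCP server is used, the APs learn the controller address from option 138, so it is worth confirming that the option is present in the server's offers and names only the intended WLAN controller. The following Python parser is an added example, not bintec elmeg code: it assumes the standard DHCP option encoding and the RFC 5417 definition of option 138 as a list of IPv4 addresses, and the sample offer and all addresses are constructed.

```python
import ipaddress

CAPWAP_AC_V4 = 138   # DHCPv4 option carrying the CAPWAP controller address(es)
PAD, END = 0, 255    # single-byte options without a length field


def encode_option_138(controllers):
    """Build option 138 from a list of controller IPv4 addresses."""
    body = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    if not body or len(body) > 255:
        raise ValueError("option 138 needs 1 to 63 addresses")
    return bytes([CAPWAP_AC_V4, len(body)]) + body


def parse_options(options):
    """Parse the DHCP options field (the bytes after the magic cookie).

    Returns {code: value}. Repeated instances of one option are
    concatenated, which is how DHCP carries split options.
    """
    parsed = {}
    i = 0
    while i < len(options):
        code = options[i]
        if code == PAD:
            i += 1
            continue
        if code == END:
            break
        if i + 1 >= len(options):
            raise ValueError(f"option {code}: length byte missing")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: value truncated")
        parsed[code] = parsed.get(code, b"") + value
        i += 2 + length
    return parsed


def capwap_controllers(options):
    """Return the controller addresses from option 138 as strings."""
    raw = parse_options(options).get(CAPWAP_AC_V4)
    if raw is None:
        return []
    if len(raw) == 0 or len(raw) % 4 != 0:
        raise ValueError("option 138: length is not a multiple of 4")
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(0, len(raw), 4)]


def check_offer(options, expected_controllers):
    """Compare option 138 of one DHCP offer with the intended controller(s).

    Returns (status, addresses) with status one of:
      "ok"                    -- option present, only expected addresses
      "missing"               -- option 138 absent, APs cannot find the controller
      "unexpected-controller" -- option names an address that is not expected
      "malformed"             -- options field or option 138 cannot be decoded
    """
    expected = {str(ipaddress.IPv4Address(e)) for e in expected_controllers}
    try:
        found = capwap_controllers(options)
    except ValueError:
        return "malformed", []
    if not found:
        return "missing", []
    if any(addr not in expected for addr in found):
        return "unexpected-controller", found
    return "ok", found


# Constructed options field of a DHCP offer: message type (53), subnet
# mask (1), router (3), lease time 7200 s (51), option 138, end marker.
SAMPLE_OFFER_OPTIONS = (
    bytes([53, 1, 2])
    + bytes([1, 4, 255, 255, 255, 0])
    + bytes([3, 4, 192, 168, 0, 254])
    + bytes([51, 4, 0, 0, 0x1C, 0x20])
    + encode_option_138(["192.168.0.254"])
    + bytes([END])
)

if __name__ == "__main__":
    print(check_offer(SAMPLE_OFFER_OPTIONS, ["192.168.0.254"]))
    print(check_offer(SAMPLE_OFFER_OPTIONS, ["10.0.0.1"]))
```

The parser does not follow option 52 (option overload), so options placed in the sname or file fields of the DHCP message are not examined.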
10.2.2 Slave AP Autoprofile
The Wireless LAN Controller offers the option of automatically including and configuring an
access point that is being integrated into the network accessible by the WLAN Controller. In
order to be able to automatically assign a configuration to a new access point you have to
configure a profile that is valid for all new access points that match certain criteria.
10.2.2.1 Edit or New
The Wireless LAN Controller->Controller Configuration->Slave AP Autoprofile->New menu consists of the following fields:
Fields in the Access Point Filter menu
Field
Description
MAC Address
Enter the MAC address of an access point that is to be configured automatically when it is integrated into the network.
By default, All is activated so that the entry matches every new
access point.
IP Address / Netmask
Enter an IP address and a netmask. You can enter host as well
as network addresses so that you can filter for individual access
points as well as for groups of access points from a specific
subnet.
Fields in the Access Point Settings menu
Field
Description
Location
Specify the location of the AP.
Description
Enter a unique description for the AP.
Fields in the Radio 1 or in the Radio 2
Field
Description
Operating Mode
Select whether the operating mode is to be determined by the radio profile in use.
The function is activated by selecting 7+.
The function is enabled by default.
Active Radio Profile
Only for Operating Mode = 7+
Select a radio profile.
Possible values:
• >H ? 1+
• >H ? 1+
Assigned Wireless Network (VSS)
Only for Operating Mode = 7+
Add a new radio profile with Add.
10.3 Slave AP configuration
In this menu, you will find all of the settings that are required to manage the slave access
points.
10.3.1 Slave Access Points
In the Wireless LAN Controller->Slave AP configuration->Slave Access Points menu a
list of all APs found with the wizard is displayed.
You will see an entry with a parameter set for each access point (Location, Name, IP Address, LAN MAC Address, Channel, Search Channel, Status, Action). Choose whether the selected Access Point is to be managed by the WLAN Controller by clicking the
button or the
button in the Action column.
You can disconnect the Access Point from the WLAN Controller and therefore remove it from your WLAN infrastructure by clicking on the
button. The Access Point then receives
the -* status, but is no longer ..
Click on the START button under Channel reallocation in order to reassign any assigned
channels, e.g. when a new access point has been added.
Possible values for Status
Status
Meaning
Discovered
The AP has registered at the wireless LAN controller. The controller has requested the required parameters from the AP.
Initialising
The WLAN controller and the APs "communicate" via CAPWAP. The configuration is transferred to the APs and enabled.
Managed
The AP is set to "Managed" status. The controller has sent a configuration to the AP and has enabled this. The AP is managed centrally from the controller and cannot be configured via the GUI.
No License Available
The AP does not have an unassigned licence for this AP.
Offline
The AP is either administratively disabled or switched off or has
its power supply cut off etc.
10.3.1.1 Edit
Choose the
icon to edit existing entries.
You can also delete entries using the icon. If you have deleted APs, these will be located again but shall not be configured.
The data for wireless module 1 and wireless module 2 are displayed in the Wireless LAN
Controller->Slave AP configuration->Slave Access Points->
menu if the corresponding device has two wireless modules. With devices featuring a single wireless module,
the data for wireless module 1 are displayed.
The menu consists of the following fields:
Fields in the Access Point Settings menu.
Field
Description
Device
Displays the type of device for the AP.
Location
Displays the locality of the AP. The locations are given numbers
if no location has been entered. You can enter another locality.
Name
Displays the name of the AP. You can change the name.
Description
Enter a unique description for the AP.
CAPWAP Encryption
Select whether communication between the master and slaves
is to be encrypted.
The function is activated by selecting 7+.
The function is enabled by default.
You can override the encryption in order to view the communication for debugging purposes.
Fields in the Wireless module 1 or in the Wireless module 2 menu.
Field
Description
Operation Mode
Displays the mode in which the wireless module is to be operated. You can change the mode.
Possible values:
• : (default value): The wireless module is used as an access
point in your network.
• :11: The wireless module is not active.
Active Radio Profile
Displays the wireless module profile that is currently selected. You can select another wireless module profile from the list if more than one wireless module profile has been set up.
Channel
Displays the channel that is assigned. You can select another
channel.
The number of channels you can select depends on the country
setting. Please consult the data sheet for your device.
Access Point mode
Configuring the network name (SSID) in Access Point mode
means that wireless networks can be logically separated from
each other, but they can still physically interfere with each other
if they are operating on the same or closely adjacent wireless
channels. So if you are operating two or more radio networks
close to each other, it is advisable to allocate the networks to
different channels. Each of these should be spaced at least four
channels apart, as a network also partially occupies the adjacent channels.
In the case of manual channel selection, please make sure first
that the APs actually support these channels.
Possible values (according to the selected wireless module profile):
• For Active Radio Profile = >H ? 1+
Possible values are to and ,3 (default value).
• For Active Radio Profile = >H ? 1+
Possible values are , , , and ,3 (default value)
Used Channel
Only for managed APs.
Displays the channel that is currently in use.
Transmit Power
Displays the transmission power. You can select another transmission power.
Possible values:
• .6 (default value): The maximum antenna power is used.
• &
• &
• &
• &
• &
• ( &
Assigned Wireless Network (VSS)
Displays the wireless networks that are currently assigned.
10.3.2 Radio Profiles
An overview of all created wireless module profiles is displayed in the Wireless LAN Controller->Slave AP configuration->Radio Profiles menu. A profile with 2.4 GHz and a profile with 5 GHz are created by default; the 2.4 GHz profile cannot be deleted.
For each wireless module profile you will see an entry with a parameter set ( Radio
Profiles, Configured Radio Modules, Operation Band, Wireless Mode).
10.3.2.1 Edit or New
Choose the
icon to edit existing entries. Select the New button in order to create new
wireless module profiles.
The Wireless LAN Controller->Slave AP configuration->Radio Profiles->
/ New
menu consists of the following fields:
Fields in the menu Radio Profile Definition
Field
Description
Description
Enter the desired description of the wireless module profile.
Operation Mode
Define the mode in which the wireless module profile is to be operated.
Possible values:
• :11 (default value): The wireless module profile is not active.
• ,** : Your device is used as an access point in
your network.
Operation Band
Select the frequency band of the wireless module profile.
Possible values:
• >H 5:3 (default value): Your device is operated at 2.4 GHz inside or outside buildings.
• >H : Your device is operated at 5 GHz inside
buildings.
• >H :3: Your device is operated at 5 GHz outside
buildings.
• >H 5:3: Your device is operated at 5 GHz inside
or outside buildings.
• >H :3: Only for so-called Broadband Fixed Wireless Access (BFWA) applications. The frequencies in the frequency range from 5755 MHz to 5875 MHz may only be used in conjunction with commercial offers for public network access and require registration with the Federal Network Agency.
Fields in the menu Performance Settings
Field
Description
Wireless Mode
Select the wireless technology that the access point is to use.
For Operation Band = >H 5:3
Possible values:
• : The device operates only in accordance with
802.11g. 802.11b clients have no access.
• 7: Your device operates only in accordance with 802.11b and forces all clients to adapt to it.
• 6 "75#: Your device adapts to the client
technology and operates according to either 802.11b or
802.11g.
• 6 + "75#: Your device adapts to the client technology and operates according to either 802.11b or
802.11g. Only a data rate of 1 and 2 mbps needs to be supported by all clients (basic rates). This mode is also needed
for Centrino clients if connection problems occur.
• 6 ! "75#: Your device adapts to the
client technology and operates according to either 802.11b or
802.11g. The following applies for mixed-short: The data rates
5.5 and 11 mbps must be supported by all clients (basic
rates).
• 755: Your device operates according to either
802.11b, 802.11g or 802.11n.
• 5: Your device operates according to either
802.11g or 802.11n.
• : Your device operates only according to 802.11n.
For Operation Band = >H , >H :3, >H 5:3 or >H :3
Possible values:
• : The device operates only in accordance with
802.11a.
• : Your device operates only according to 802.11n.
• 5: Your device operates according to either
802.11a or 802.11n.
• 5: Your device operates according to 802.11ac,
802.11a or 802.11n.
• 5: Your device operates according to either
802.11ac or 802.11n.
Bandwidth
Not for Operation Band = >H 5:3
Select how many channels are to be used.
Possible values:
• .>H (default value): One channel with 20 MHz bandwidth
is used.
• .>H: Two channels each with 20 MHz bandwidth are used. In this case, one channel acts as a control channel and the other as an expansion channel.
Number of Spatial Streams
Select how many traffic flows are to be used in parallel.
Possible values:
• : Three traffic flows are used.
• : Two traffic flows are used.
• : One traffic flow is used.
Airtime fairness
This function is not available for all devices.
The Airtime fairness function ensures that the access point's send resources are distributed intelligently to the connected clients. This prevents a powerful client (e.g. an 802.11n client) from achieving only a poor flow level because a less powerful client (e.g. an 802.11a client) is treated in the same way when resources are apportioned.
The function is enabled with 7+.
The function is disabled by default.
This function is only applied to unprioritized frames of the WMM class "Background".
Cyclic Background Scanning
Not all devices support this function.
You can enable the Cyclic Background Scanning function so
that a search is run at regular intervals for neighbouring or
rogue access points in the network. This search is run without
negatively impacting the function as an access point.
Enable or disable the function Cyclic Background Scanning.
The function is enabled with 7+.
The function is not activated by default.
The menu Advanced Settings consists of the following fields:
Fields in the menu Advanced Settings
Field
Description
Channel Plan
Select the desired channel plan.
The channel plan makes a preselection when a channel is selected. This ensures that no channels overlap, i.e. a distance of
four channels is maintained between the channels used. This is
useful if more access points are used with overlapping radio
cells.
Possible values:
• ,++: All channels can be chosen when a channel is selected.
• ,3: Depending on the region, operation band, wireless
mode and bandwidth, the channels that have a distance of 4
channels are provided.
• / 1: You can select the desired channels yourself.
User Defined Channel Plan
Only for Channel Plan = / 1
The currently selected channels are displayed here.
With Add you can add channels. If all available channels are displayed, you cannot add any more entries.
You can also delete entries using the icon.
Beacon Period
Enter the time in milliseconds between the sending of two
beacons.
This value is transmitted in Beacon and Probe Response
Frames.
Possible values are to .
The default value is .
DTIM Period
Enter the interval for the Delivery Traffic Indication Message
(DTIM).
The DTIM field is a data field in transmitted beacons that informs clients about the window to the next broadcast or multicast transmission. If clients operate in power save mode, they come alive at the right time and receive the data.
Possible values are to .
The default value is .
RTS Threshold
Here you can specify the data packet length threshold in bytes (1..2346) as of which the RTS/CTS mechanism is to be used. This makes sense if several clients that are not in each other's wireless range are run in one access point.
Short Guard Interval
Enable this function to reduce the guard interval (= time between transmission of two data symbols) from 800 ns to 400 ns.
Max. Transmission Rate
Select the transmission speed.
Possible values:
• ,3 (default value): The transmission speed is determined
automatically.
• @E+3A: According to setting for Operation Band, Bandwidth, Number of Spatial Streams and Wireless Mode various fixed values in mbps are available.
Short Retry Limit
Enter the maximum number of attempts to send a frame with
length less than or equal to the value defined in RTS
Threshold. After this many failed attempts, the packet is discarded.
Possible values are to .
The default value is (.
Long Retry Limit
Enter the maximum number of attempts to send a data packet
of length greater than the value defined in RTS Threshold.
After this many failed attempts, the packet is discarded.
Possible values are to .
The default value is .
Fragmentation Threshold
Enter the maximum size as of which the data packets are to be fragmented (i.e. split into smaller units). Low values are recommended for this field in areas with poor reception and in the event of radio interference.
Possible values are to .
The default value is .
10.3.3 Wireless Networks (VSS)
An overview of all created wireless networks is displayed in the Wireless LAN Controller->Slave AP configuration->Wireless Networks (VSS) menu. A wireless network is created by default.
For every wireless network (VSS), you see an entry with a parameter set (VSS Description, Network Name (SSID), Number of associated radio modules, Security, Status,
Action).
Under Assign unassigned VSS to all radio modules click on the Start button to assign a
newly-created VSS to all wireless modules.
10.3.3.1 Edit or New
Choose the
icon to edit existing entries. Choose the New button to configure additional
wireless networks.
The Wireless LAN Controller->Slave AP configuration->Wireless Networks
(VSS)->New menu consists of the following fields:
Fields in the menu Service Set Parameters
Field
Description
Network Name (SSID)
Enter the name of the wireless network (SSID).
Enter an ASCII string with a maximum of 32 characters.
Also select whether the Network Name (SSID) is to be transmitted.
The network name is displayed by selecting E7+.
It is visible by default.
Intra-cell Repeating
Select whether communication between the WLAN clients is to
be permitted within a radio cell.
The function is activated by selecting 7+.
The function is enabled by default.
ARP Processing
Select whether the ARP processing function should be enabled.
ARP data traffic in the network is reduced because ARP broadcasts are converted to ARP unicasts and forwarded to IP addresses that are known internally. Unicasts are quicker, and clients with an enabled power save function are not addressed.
The function is activated by selecting 7+.
The function is disabled by default.
Please note that ARP processing cannot be applied together with the MAC bridge function.
WMM
Select whether voice or video prioritisation via WMM (Wireless
Multimedia) is to be activated for the wireless network so that
optimum transmission quality is always achieved for time-critical
applications. Data prioritisation is supported in accordance with
DSCP (Differentiated Services Code Point) or IEEE802.1d.
The function is activated by selecting 7+.
The function is enabled by default.
U-APSD
Select whether the Unscheduled Automatic Power Save Delivery (U-APSD) mode is to be enabled.
The function is activated by selecting 7+.
The function is enabled by default.
IGMP Snooping
IGMP snooping reduces the data traffic and thus the network
load, as Multicast packets from the LAN are not forwarded. Only
those Multicast packets will be forwarded that are requested by
the respective clients. When enabled, IGMP snooping therefore
provides the framework in which Multicast is applied.
The function is activated by selecting 7+.
The function is disabled by default.
Fields in the menu Security Settings
Field
Description
Security Mode
Select the security mode (encryption and authentication) for the
wireless network.
Possible values:
• * (default value): Neither encryption nor authentication
• 8 : WEP 40 bits
• 8 : WEP 104 bits
• 8,=: WPA Preshared Key
• 8, : 802.11x
Transmit Key
Only for Security Mode = 8 or 8
Select one of the keys configured in WEP Key as a standard
key.
The default value is =0 .
WEP Key 1-4
Only for Security Mode = 8 , 8
Enter the WEP key.
Enter a character string with the right number of characters for
the selected WEP mode. For 8 you need a character
string with 5 characters, for 8 with 13 characters, e. g.
!++ for 8 , 2 for 8 .
WPA Mode
Only for Security Mode = 8,= and 8,
Select whether you want to use WPA (with TKIP encryption) or
WPA 2 (with AES encryption), or both.
Possible values:
• 8, 8, (default value): WPA and WPA 2 can be
used.
• 8,: Only WPA is used.
• 8, : Only WPA2 is used.
WPA Cipher
Only for Security Mode = 8,= and 8,
and for WPA Mode = 8, and 8, 8,
Select the type of encryption you want to apply to WPA.
Possible values:
• )= (default value): TKIP is used.
• , : AES is used.
• , )=: AES or TKIP is used.
WPA2 Cipher
Only for Security Mode = 8,= and 8,
and for WPA Mode = 8, and 8, 8,
Select the type of encryption you want to apply to WPA2.
Possible values:
• , (default value): AES is used.
• )=: TKIP is used.
• , )=: AES or TKIP is used.
Preshared Key
Only for Security Mode = 8,=
Enter the WPA password.
Enter an ASCII string with 8 - 63 characters.
Note: Change the default Preshared Key! If the key has not
been changed, your device will not be protected against unauthorised access!
Radius Server
Only for Security Mode = 8,
You can control access to a wireless network via a RADIUS server.
With Add, you can create new entries. Enter the IP address and
the password of the RADIUS server.
EAP Preauthentification
Only for Security Mode = 8,
Select whether the EAP preauthentification function is to be activated. This function tells your device that WLAN clients, which
are already connected to another access point, can first carry
out 802.1x authentication as soon as they are within range.
Such WLAN clients can then simply connect over the existing
network connection with your device.
The function is activated by selecting 7+.
The function is enabled by default.
Fields in the menu Client load balancing
Field
Description
Max. number of clients - hard limit
Enter the maximum number of clients that can be connected to
this wireless network (SSID).
The maximum number of clients that can register with a wireless module depends on the specifications of the respective
WLAN module. This maximum is distributed across all wireless
networks configured for this radio module. No more new wireless networks can be created and a warning message will appear if the maximum number of clients is reached.
Possible values are whole numbers between and .
The default value is .
Max. number of clients - soft limit
Not all devices support this function.
To avoid a radio module being fully utilised, you can set a "soft"
restriction on the number of connected clients. If this number is
reached, new connection queries are initially rejected. If the client cannot find another wireless network and, therefore, repeats
its query, the connection is accepted. Queries are only definitively rejected when the Max. number of clients - hard limit is
reached.
The value of the Max. number of clients - soft limit must be
the same as or less than that of the Max. number of clients - hard limit.
The default value is .
You can disable this function if you set Max. number of clients
- soft limit and Max. number of clients - hard limit to identical
values.
Client Band select
Not all devices support this function.
This function requires a dual radio setup where the same wireless network is configured on both radio modules, but in different
frequency bands.
The Client Band select option enables clients to be moved
from the frequency band originally selected to a less busy one,
providing the client supports this. To achieve a changeover, the
connection attempt of a client is initially refused so that the client repeats the attempt in a different frequency band.
Possible values:
• -7+ H 1 1 (default
value): The function is not used for this VSS. This is useful if
clients are to switch between different radio cells with as little
delay as possible, e. g. with Voice over WLAN.
• G >H 7 1: Preference is given to accepting clients in the 2.4 GHz band.
• >H 7 1: Preference is given to accepting
clients in the 5 GHz band.
Fields in the menu MAC-Filter
Field
Description
Access Control
Select whether only certain clients are to be permitted for this
wireless network.
The function is activated by selecting 7+.
The function is disabled by default.
Allowed Addresses
Use Add to make entries and enter the MAC addresses (MAC
Address) of the clients to be permitted.
Dynamic blacklisting
You can use the Dynamic blacklisting function to identify clients that want to gain possibly unauthorised access to the network and block them for a certain length of time. A client is
blocked if the number of unsuccessful login attempts within a specified time exceeds a certain number. This threshold value and
the duration of the block can be configured. A blocked client is
blocked at all the APs that are managed by the wireless LAN
controller for the VSS concerned, so it cannot log into a different
radio cell in that VSS either. If a client needs to be
blocked permanently, this can be done in the Wireless LAN
Controller->Monitoring->Rogue Clients menu.
The function is activated by selecting 7+.
The function is activated by default.
Failed attempts per Time
Enter the number of failed attempts that have to originate from a
specific MAC address during a certain time for a blacklist entry
to be created.
Default values are failed attempts during seconds.
Blacklist blocktime
Enter the time for which an entry in the dynamic blacklist remains valid.
Default value is seconds.
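The blocking rule described under Dynamic blacklisting, Failed attempts per Time and Blacklist blocktime, as an added Python example that is not bintec elmeg code. The class and method names are hypothetical, the threshold, window and block time in the sample are constructed values, and creating the entry when the count reaches the threshold is an assumption.

```python
from collections import defaultdict, deque


class DynamicBlacklist:
    """Failed-login blacklist kept per (VSS, client MAC), shared by all APs."""

    def __init__(self, max_failures, window_s, block_s):
        self.max_failures = max_failures  # "Failed attempts per Time": count
        self.window_s = window_s          # "Failed attempts per Time": seconds
        self.block_s = block_s            # "Blacklist blocktime" in seconds
        self._failures = defaultdict(deque)  # (vss, mac) -> failure timestamps
        self._blocked_until = {}             # (vss, mac) -> expiry timestamp
        self._static = set()                 # (vss, mac) blocked until lifted

    @staticmethod
    def _key(vss, mac):
        # Normalise the MAC so "AA-BB-.." and "aa:bb:.." are the same client.
        return vss, mac.replace("-", ":").lower()

    def is_blocked(self, vss, mac, now):
        key = self._key(vss, mac)
        if key in self._static:
            return True
        expiry = self._blocked_until.get(key)
        if expiry is not None and now >= expiry:
            del self._blocked_until[key]  # dynamic entries expire on their own
            expiry = None
        return expiry is not None

    def record_failure(self, vss, mac, ap, now):
        """Count one failed login reported by `ap`; return True if blocked.

        The AP is deliberately not part of the key: failures seen at different
        APs of the same VSS add up, and the block applies at all of them.
        """
        if self.is_blocked(vss, mac, now):
            return True
        key = self._key(vss, mac)
        window = self._failures[key]
        window.append(now)
        # Drop attempts that have fallen out of the sliding time window.
        while window[0] <= now - self.window_s:
            window.popleft()
        # Assumption: the entry is created when the count reaches the threshold.
        if len(window) >= self.max_failures:
            self._blocked_until[key] = now + self.block_s
            window.clear()
            return True
        return False

    def set_static(self, vss, mac, blocked=True):
        """Static blacklist: no expiry, the block has to be lifted manually."""
        key = self._key(vss, mac)
        if blocked:
            self._static.add(key)
        else:
            self._static.discard(key)


# Constructed sample events: (time in seconds, VSS, reporting AP, client MAC).
SAMPLE_FAILURES = [
    (0, "corp", "ap-1", "AA-BB-CC-00-00-01"),
    (10, "corp", "ap-2", "aa:bb:cc:00:00:01"),
    (20, "corp", "ap-1", "aa:bb:cc:00:00:01"),   # third failure within 60 s
    (0, "corp", "ap-1", "aa:bb:cc:00:00:02"),
    (50, "corp", "ap-1", "aa:bb:cc:00:00:02"),
    (100, "corp", "ap-1", "aa:bb:cc:00:00:02"),  # never three within 60 s
]


def replay(events, blacklist):
    """Feed events in time order; return the (vss, mac) pairs that got blocked."""
    hit = set()
    for now, vss, ap, mac in sorted(events):
        if blacklist.record_failure(vss, mac, ap, now):
            hit.add(DynamicBlacklist._key(vss, mac))
    return hit


if __name__ == "__main__":
    bl = DynamicBlacklist(max_failures=3, window_s=60, block_s=120)
    print(replay(SAMPLE_FAILURES, bl))
```
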
Fields in the menu VLAN
Field
Description
VLAN
Select whether the VLAN segmentation is to be used for this
wireless network.
The function is activated by selecting 7+.
The function is disabled by default.
VLAN ID
Enter the number that identifies the VLAN.
Possible values are to .
VLAN ID 1 is not possible as it is already in use.
Fields in the menu Bandwidth limitation for each WLAN client
Field
Description
Rx Shaping
Select a bandwidth limitation in the receive direction.
Possible values are
• 9 + (default value)
• G .75, G .75, .75 up to .75
in single Mbit/s steps, .75, .75, .75,
.75 and .75.
Tx Shaping
Select a bandwidth limitation in the transmit direction.
Possible values are
• 9 + (default value)
• G .75, G .75, .75 up to .75
in single Mbit/s steps, .75, .75, .75,
.75 and .75.
Fields in the menu Data-rate trimming
Field
Description
2,4 GHz band rate profile
Data Rate Trimming allows you to optimize the performance of
your wireless LAN. You can block low transfer rates and enforce
the use of higher rates. Clients slowing down other clients
through the use of low transfer rates are disconnected from the
access point.
Select the rate profile to be applied:
• ,++ ". .&5# - All clients supporting a transfer
rate of 1 MBit/s are allowed to connect to the access point.
• . .&5 " 7 *#- see above, for
clients with a minimum supported rate of 6 Mbit/s; clients using the obsolete standard 802.11b are not allowed.
• . .&5 "B 7I#- see
above, for clients with a minimum supported rate of 12 Mbit/s
• . .&5 "B 7I#- see
above, for clients with a minimum supported rate of 24 Mbit/s
5 GHz band rate profile
Possible values:
• ,++ ". .&5# - All clients supporting a transfer
rate of 6 MBit/s are allowed to connect to the access point.
• ,7 .&5 - see above, for clients with a minimum supported rate of 12 Mbit/s
• ,7 .&5 - see above, for clients with a minimum supported rate of 24 Mbit/s
Fields in the menu Low RSSI threshold management
Field
Description
RSSI threshold
The option RSSI threshold allows you to define a threshold for
the expected strength of a client signal. If the signal strength of
a client falls below this value for longer than determined by the
Grace time, the client is disconnected from the access
point. This forces the client to connect to a different access
point offering the best possible signal strength.
Specify the lower RSSI threshold in dBm. A client falling below
this value for longer than allowed by the grace time is disconnected.
The default value is dBm.
Grace time
Specify the time (in seconds) during which the signal strength of
a client may fall below the RSSI threshold without the client being disconnected.
The default value is seconds.
10.4 Monitoring
This menu is used to monitor your WLAN infrastructure.
Note
In order to ensure adequate timing between the WLAN Controller and the connected
Slave APs, the internal time server of the WLAN Controller should be enabled.
10.4.1 WLAN Controller
In the Wireless LAN Controller->Monitoring->WLAN Controller menu, an overview of
the most relevant Wireless LAN Controller parameters is displayed. The display is refreshed every 30 seconds.
Values in the Overview list
Status
Meaning
AP discovered
Displays the number of discovered access points.
AP offline
Displays the number of access points not connected to the
Wireless LAN Controller.
AP managed
Displays the number of managed access points.
WLAN Controller: VSS throughput
Displays the data traffic in receive and transmit direction in
bytes per second.
CPU usage [%]
Displays the CPU load as a percentage over time.
Memory usage [%]
Displays the memory consumption as a percentage over time.
Connected clients/VSS
Displays the number of connected clients per wireless network
(VSS) over time.
10.4.2 Slave Access Points
The menu Wireless LAN Controller->Monitoring->Slave Access Points shows an overview
of all detected access points. Each access point is displayed along with the following parameters: Location, Name, IP Address, LAN MAC Address, Channel, Tx Bytes and Rx
Bytes. Moreover, you can see if an access point is in . or -* state.
Via the
icon, you can open a summary with additional details about the Slave Access
Points.
10.4.2.1 Overview
In the Overview menu, additional information about the selected access point is displayed.
The display is refreshed every 30 seconds.
Values in the Overview list
Status
Meaning
Throughput
Displays the received and transmitted data traffic per radio module over time.
Connected clients
Displays the number of connected clients per radio module over
time.
10.4.2.2 Radio 1
In the Radio Module menu, the received and transmitted data traffic per client is displayed
over time. Each graph in the display is distinctly assigned to a client by its color and MAC
address.
Values in the Radio list
Status
Meaning
Throughput/client
Displays the received and transmitted data traffic per client over
time.
10.4.3 Active Clients
In the Wireless LAN Controller->Monitoring->Active Clients menu, current values of all
active clients are displayed.
For each client you will see an entry with the following parameter set: Location, Slave AP
Name, VSS, Client MAC, Client IP Address, Signal : Noise (dBm), Tx Bytes, Rx
Bytes, Tx Discards, Rx Discards, Status, Uptime.
Possible values for Status
Status
Meaning
None
The client is no longer in a valid status.
Logon
The client is currently logging on with the WLAN.
Associated
The client is logged on with the WLAN.
Authenticate
The client is in the process of being authenticated.
Authenticated
The client is authenticated.
Via the
icon, you can open a summary with additional details about the Active Clients.
Value in the list WLAN Client list
Status
Meaning
Throughput
Displays the data traffic - separated into received and transmitted traffic - for the selected WLAN client over time.
Signal
Displays the signal strength of the selected WLAN client over
time.
10.4.4 Wireless Networks (VSS)
In the Wireless LAN Controller->Monitoring->Wireless Networks (VSS) menu, an overview of the currently used AP is displayed. You see which wireless module is assigned to
which wireless network. For each wireless a parameter set is displayed (Location, Slave
AP Name, VSS, MAC Address (VSS), Channel, Status).
10.4.5 Client Management
The Wireless LAN Controller->Monitoring->Client Management menu displays information on the client management by the access points. You can, e.g., see the number of connected clients, the number of clients that are affected by the 2,4/5 GHz changeover and
the number of rejected clients.
You can delete the values of an entry using the
symbol.
10.5 Neighbor Monitoring
This menu is used for monitoring remote access points.
10.5.1 Neighbor APs
In the Wireless LAN Controller->Neighbor Monitoring->Neighbor APs menu, the adjacent APs found during the scan are displayed. Rogue APs, i.e. APs which are not managed by the WLAN controller but are using an SSID managed by the WLAN controller, are
highlighted in red.
Note
Check the rogue APs shown carefully, as an attacker could attempt to spy on data in
your network using a rogue AP.
Although each AP is found more than once, it is only displayed once with the strongest signal. You see the following parameters for each AP: SSID, MAC Address, Signal dBm,
Channel, Security, Last seen, Strongest signal received by, Total detections.
The entries are displayed in alphabetical order by SSID. Security shows the security settings of the AP. Under Strongest signal received by, you will see the parameters Location and Name of the APs in which the displayed AP was found. Total detections shows
how often the corresponding AP was found during the scan.
Under New Neighborscan, click Start to rescan adjacent APs. You will receive a warning that the wireless modules of the access points must also be disabled for a certain period of time. When you start the process with OK, a progress bar is displayed. The located
AP display is updated every ten seconds.
10.5.2 Rogue APs
APs which are using an SSID from your own network but are not managed by Wireless
LAN Controller are displayed in the Wireless LAN Controller->Neighbor
Monitoring->Rogue APs menu. Rogue APs which have been found for the first time are
displayed with a red background.
For each rogue AP you will see an entry with the following parameter set: SSID, MAC Address, Signal dBm, Channel, Last seen, Detected via AP, Accepted.
Note
Check the rogue APs shown carefully, as an attacker could attempt to spy on data in
your network using a rogue AP.
You can class a rogue AP as trustworthy by enabling the Accepted checkbox. If an alarm
has been configured, this is then removed and no longer sent. The red background disappears.
Under New Neighborscan, click Start to rescan adjacent APs. You will receive a warning that the wireless modules of the access points must also be disabled for a certain period of time. When you start the process with OK, a progress bar is displayed. The located
AP display is updated every ten seconds.
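The rogue AP rule from the Neighbor APs and Rogue APs menus (managed SSID, unmanaged AP, one row per AP with the strongest signal, Accepted silencing the alarm), as an added Python example that is not bintec elmeg code. Function and field names are hypothetical, the scan data is constructed, and leaving the controller's own radios out of the list is an assumption.

```python
def _mac(value):
    """Normalise a MAC/BSSID so different notations compare equal."""
    return value.replace("-", ":").lower()


def classify_neighbors(detections, managed_ssids, managed_bssids, accepted=()):
    """Collapse raw scan detections into one row per AP and flag rogue APs.

    rogue: the AP announces an SSID managed by the controller, but its
           BSSID is not one of the controller's managed radios.
    alarm: rogue and not marked Accepted.
    """
    managed_bssids = {_mac(b) for b in managed_bssids}
    accepted = {_mac(b) for b in accepted}
    rows = {}
    for det in detections:
        bssid = _mac(det["bssid"])
        if bssid in managed_bssids:
            continue  # assumption: managed radios are not listed as neighbors
        key = (det["ssid"], bssid)
        row = rows.get(key)
        if row is None:
            row = rows[key] = {
                "ssid": det["ssid"],
                "bssid": bssid,
                "signal_dbm": det["signal_dbm"],
                "channel": det["channel"],
                "strongest_by": det["seen_by"],
                "total_detections": 0,
            }
        row["total_detections"] += 1
        # Keep only the strongest sighting, and remember which AP saw it.
        if det["signal_dbm"] > row["signal_dbm"]:
            row["signal_dbm"] = det["signal_dbm"]
            row["channel"] = det["channel"]
            row["strongest_by"] = det["seen_by"]
    for row in rows.values():
        row["rogue"] = row["ssid"] in managed_ssids
        row["alarm"] = row["rogue"] and row["bssid"] not in accepted
    # The menu lists entries in alphabetical order by SSID.
    return sorted(rows.values(), key=lambda r: (r["ssid"].lower(), r["bssid"]))


# Constructed sample data (locally administered MAC addresses).
MANAGED_SSIDS = {"corp"}
MANAGED_BSSIDS = {"02:00:00:00:00:10", "02:00:00:00:00:11"}
ACCEPTED = {"02:00:00:00:0B:02"}
SAMPLE_SCAN = [
    {"ssid": "corp", "bssid": "02:00:00:00:00:10", "signal_dbm": -40,
     "channel": 1, "seen_by": "ap-2"},   # one of our own radios
    {"ssid": "corp", "bssid": "02-00-00-00-0A-01", "signal_dbm": -70,
     "channel": 6, "seen_by": "ap-1"},   # unmanaged AP using our SSID
    {"ssid": "corp", "bssid": "02:00:00:00:0a:01", "signal_dbm": -48,
     "channel": 6, "seen_by": "ap-2"},   # same AP, stronger at ap-2
    {"ssid": "corp", "bssid": "02:00:00:00:0b:02", "signal_dbm": -60,
     "channel": 11, "seen_by": "ap-1"},  # reviewed and marked Accepted
    {"ssid": "cafe-wifi", "bssid": "02:00:00:00:0c:03", "signal_dbm": -80,
     "channel": 1, "seen_by": "ap-1"},   # unrelated neighbor network
]


def rogue_alarms(scan=SAMPLE_SCAN):
    """Return the BSSIDs that still need to be checked by an administrator."""
    rows = classify_neighbors(scan, MANAGED_SSIDS, MANAGED_BSSIDS, ACCEPTED)
    return [r["bssid"] for r in rows if r["alarm"]]


if __name__ == "__main__":
    for r in classify_neighbors(SAMPLE_SCAN, MANAGED_SSIDS, MANAGED_BSSIDS, ACCEPTED):
        print(r)
```
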
10.5.3 Rogue Clients
The Wireless LAN Controller->Neighbor Monitoring->Rogue Clients menu displays the
clients which have attempted to gain unauthorised access to the network and which are
therefore on the blacklist. The blacklist is configured for each VSS in the Wireless LAN
Controller->Slave AP configuration->Wireless Networks (VSS) menu. You can also
add a new entry to the static blacklist.
Possible values for Rogue Clients
Status
Meaning
Rogue Client MAC Address
Displays the MAC address of the client on the blacklist.
Network Name (SSID)
Displays the SSID involved.
Attacked Access Point
Displays the AP concerned.
Signal dBm
Displays the signal strength of the client during the attempted
access.
Type of attack
This displays the type of potential attack, e. g. an incorrect authentication.
First seen
Displays the time of the first registered attempted access.
Last seen
Displays the time of the last registered attempted access.
Static Blacklist
You can categorise a rogue client as untrustworthy by selecting
the checkbox in the Static Blacklist column. The block on the
client does not then end automatically, rather you need to lift it
manually.
Delete
You can delete entries with the
symbol.
10.5.3.1 New
Choose the New button to configure additional blacklist entries.
The menu consists of the following fields:
Fields in the New Blacklist Entry menu
Field
Description
Rogue Client MAC Address
Enter the MAC address of the client you intend to include in the
static blacklist.
Network Name (SSID)
Pick the wireless network you want to exclude the rogue client
from.
10.6 Maintenance
This menu is used for the maintenance of your managed APs.
10.6.1 Firmware Maintenance
In the Wireless LAN Controller->Maintenance->Firmware Maintenance menu, a list of
all Managed Access Points is displayed.
For each managed AP you will see an entry with the following parameter set: Update firmware, Location, Device, IP Address, LAN MAC Address, Firmware Version , Status.
Click the Select all button to select all of the entries for a firmware update. Click the
Deselect all button to disable all entries and to then select individual entries if required
(e.g. if there is a large number of entries and only individual APs are to be given software
updates).
Possible values for Status
Status
Meaning
Image already exists.
The software image already exists; no update is required.
Error
An error has occurred.
Running
The operation is currently in progress.
Done
The update is complete.
The Wireless LAN Controller->Maintenance->Firmware Maintenance menu consists of
the following fields:
Fields in the Firmware Maintenance menu
Field
Description
Action
Select the action you wish to execute.
After each task, a window is displayed showing the other steps
that are required.
Possible values:
• / 0 12: You can also start an update
of the system software.
• *13 2! 1: You
can save a configuration which contains the AP status information.
Source Location
Select the source for the action.
Possible values:
• >)) (default value): The file is stored respectively
on a remote server specified in the URL.
• %3 12 1 / : The file is on
the official update server. (Only for Action= / 0
12)
• )') : The file is stored respectively on a TFTP
server specified in the URL.
URL
Only for Source Location = >)) or )')
Enter the URL of the update server from which the system software file is loaded or on which the configuration file is saved.
Chapter 11 Networking
11.1 Routes
Default Route
With a default route, all data is automatically forwarded to one connection if no other suitable route is available. If you set up access to the Internet, you must configure the route to
your Internet Service Provider (ISP) as a default route. If, for example, you configure a corporate network connection, only enter the route to the head office or branch office as a default route if you do not configure Internet access over your device. If, for example, you
configure both Internet access and a corporate network connection, enter a default route to
the ISP and a network route to the head office. You can enter several default routes on
your device, but only one default route can be active at any one time. If you enter several
default routes, you should therefore assign them differing values for Metric.
11.1.1 IPv4 Route Configuration
A list of all configured routes is displayed in the Network->Routes->IPv4 Route Configuration menu.
In the ex works state, a predefined entry with the parameters Destination IP Address =
, Netmask = ,Gateway = , Interface =
$,9; 9
, Route Type = 92B ?3 1* is displayed.
11.1.1.1 Edit or New
Choose the
icon to edit existing entries. Choose the New button to create additional
routes.
If the 6 option is selected for the Route Class, an extra configuration section
opens.
The Network->Routes->IPv4 Route Configuration->New menu consists of the following
fields:
Fields in the menu Basic Parameters
Field
Description
Route Type
Select the type of route.
Possible values:
• -13+ ?3 1*: Route via a specific interface which is to be used if no other suitable route is available.
• -13+ ?3 20: Route via a specific gateway which is to be used if no other suitable route is available.
• > ?3 1*: Route to an individual host
via a specific interface.
• > ?3 20: Route to an individual host via
a specific gateway.
• 92B ?3 1* (default value): Route to
a network via a specific interface.
• 92B ?3 20: Route to a network via a
specific gateway.
Only for interfaces that are operated in DHCP client mode:
Even if an interface is configured for DHCP client mode, routes
can still be configured for data traffic via that interface. The settings received from the DHCP server are then copied, along
with those configured here, to the active routing table. This enables, e. g., in the case of dynamically changing gateway addresses, particular routes to be maintained, or routes with different metrics (i. e. of differing priority) to be specified. However, if
the DHCP server sends static routes, the settings configured
here are not copied to the routing.
• -13+ ?3 )+ ->%: The information of
the gateway to be used is received via DHCP and integrated
into the route.
• > ?3 )+ ->%: The settings received
by DHCP are supplemented by routing information about a
particular host.
• 92B ?3 )+ ->%: The settings received by DHCP are supplemented by routing information
about a particular network.
Note
When the DHCP lease expires or when the device is restarted, the routes that consist of the combination of DHCP settings and those made here are initially deleted once
more from the active routing. If the DHCP is reconfigured,
they are re-generated and re-activated.
Interface
Select the interface to be used for this route.
Route Class
Select the type of Route Class.
Possible values:
• (default value): Defines a route with the default
parameters.
•
6: Select whether the route is to be defined with extended parameters. If the function is active, a route is created
with extended routing parameters such as source interface
and source IP address, as well as protocol, source and destination port, type of service (TOS) and the status of the
device interface.
Fields in the menu Route Parameters
Field
Description
Local IP Address
Only for Route Type = -13+ ?3 1*,
> ?3 1* or 92B ?3 1*
Enter the router's own IP address on the selected interface.
Destination IP Address/Netmask
Only for Route Type > ?3 1* or 9
2B ?3 1*
Enter the IP address of the destination host or destination network.
When Route Type = 92B ?3 1*
Also enter the relevant netmask in the second field.
Gateway IP Address
Only for Route Type = -13+ ?3 20, >
?3 20 or 92B ?3 20
Enter the IP address of the gateway to which your device is to
forward the IP packets.
Metric
Select the priority of the route.
The lower the value, the higher the priority of the route.
Value range from to . The default value is .
Fields in the menu Extended Route Parameters
Field
Description
Description
Enter a description for the IP route.
Source Interface
Select the interface over which the data packets are to reach
the device.
The default value is 9.
Source IP Address/
Netmask
Enter the IP address and netmask of the source host or source
network.
Layer 4 Protocol
Select a protocol.
Possible values: ,>, ,0 ,
, ? ,
%., ., $), :', ., )%, /-.
The default value is ,0.
Source Port
Only for Layer 4 Protocol = )% or /-
Enter the source port.
First select the port number range.
Possible values:
• ,0 (default value): The route is valid for all port numbers.
• +: Enables the entry of a port number.
• ?: Enables the entry of a range of port numbers.
• +: Entry of privileged port numbers: 0 ... 1023.
• : Entry of server port numbers: 5000 ... 32767.
• %+ : Entry of client port numbers: 1024 ... 4999.
• %+ : Entry of client port numbers: 32768 ... 65535.
• 9 +: Entry of unprivileged port numbers: 1024
... 65535.
Enter the appropriate values for the individual port or start port
of a range in Port and, for a range, the end port in to Port.
Destination Port
Only for Layer 4 Protocol = )% or /-
Enter the destination port.
First select the port number range.
Possible values:
• ,0 (default value): The route is valid for all port numbers.
• +: Enables the entry of a port number.
• ?: Enables the entry of a range of port numbers.
• +: Entry of privileged port numbers: 0 ... 1023.
• : Entry of server port numbers: 5000 ... 32767.
• %+ : Entry of client port numbers: 1024 ... 4999.
• %+ : Entry of client port numbers: 32768 ... 65535.
• 9 +: Entry of unprivileged port numbers: 1024
... 65535.
Enter the appropriate values for the individual port or start port
of a range in Port and, for a range, the end port in to Port.
DSCP / TOS Value
Select the Type of Service (TOS).
Possible values:
• (default value): The type of service is ignored.
• -% &0 E+3: Differentiated Services Code Point
according to RFC 3260 is used to signal the priority of IP
packets (indicated in binary format).
• -% -*+ E+3: Differentiated Services Code Point
according to RFC 3260 is used to signal the priority of IP
packets (indicated in decimal format).
• -% >6*+ E+3: Differentiated Services Code
Point according to RFC 3260 is used to signal the priority of
IP packets (indicated in hexadecimal format).
• ): &0 E+3: The TOS value is specified in binary
format, e.g. 00111111.
• ): -*+ E+3: The TOS value is specified in decimal
format, e.g. 63.
• ): >6*+ E+3: The TOS value is specified in
hexadecimal format, e.g. 3F.
Enter the relevant value for -% &0 E+3, -%
-*+ E+3, -% >6*+ E+3, ): &0
E+3, ): -*+ E+3 and ): >6*+
E+3.
Mode
Select when the interface defined in Route Parameters ->Interface is to be used.
Possible values:
• -+3 2 (default value): The route can be used if
the interface is "up". If the interface is "dormant", then dial and
wait until the interface is "up".
• ,3!: The route can always be used.
• -+3 *3: The route can be used when the
interface is "up". If the interface is "dormant", then select and
use the alternative route (rerouting) until the interface is "up".
• 9 +3: The route can be used when the interface is
"up".
• ,+20 +3: The route can be used when the interface
is "up". If the interface is "dormant", then dial and wait until the
interface is "up". In this case, an alternative interface with a
poorer metric is used for routing until the interface is "up".
11.1.2 IPv6 Route Configuration
A list of all configured IPv6 routes is displayed in the Network->Routes->IPv6 Route Configuration menu.
11.1.2.1 Edit or New
Choose the
icon to edit existing entries. Choose the New button to create additional
routes.
Routes without an
icon have been created by the router automatically and cannot be
edited.
The Network->Routes->IPv6 Route Configuration->New menu consists of the following
fields:
Fields in the Route Parameters menu
Field
Description
Description
Enter a description for the IPv6 route.
Route Active
Select whether the route is to be active or inactive.
With 7+ the status of the route will be set to active.
The function is enabled by default.
Route Type
Select the type of route.
Possible values:
• -13+ ?3 1* : Route via a specific interface which is used if no other adequate route is available.
• -13+ ?3 20 : Route via a specific gateway which is used if no other adequate route is available.
• > ?3 1*: Route to a single host via a
specific interface.
• > ?3 20: Route to a single host via a
specific gateway.
• 92B ?3 1*: Route to a network via
a specific interface.
• 92B ?3 20 (default value): Route to a
network via a specific gateway.
Destination Interface
Select the IPv6 interface to be used for this route.
You can choose from those interfaces available under LAN->IP
Configuration->Interfaces->New that are IPv6-enabled.
Source Address /
Length
Enter the source IPv6 address along with the corresponding
prefix length.
:: describes an unspecified address.
By default the prefix length is predefined.
Destination Address /
Length
Enter the destination IPv6 address along with the corresponding
prefix length.
:: describes an unspecified address.
By default the prefix length is predefined.
Gateway Address
Enter the IPv6 address for the next hop.
Metric
Select the priority of the route.
The lower the value, the higher the priority of the route.
Value range from to . The default value is .
11.1.3 IPv4 Routing Table
A list of all IPv4 routes is displayed in the Network->Routes->IPv4 Routing Table menu.
The routes do not all need to be active, but can be activated at any time by relevant data
traffic.
In the ex works state, a predefined entry with the parameters Destination IP Address =
, Netmask = ,Gateway = , Interface =
$,9; 9
, Route Type = 92B ?3 1*, Protocol = $*+ is
displayed.
Fields in the menu IPv4 Routing Table
Field
Description
Destination IP Address
Displays the IP address of the destination host or destination
network.
Netmask
Displays the netmask of the destination host or destination network.
Gateway
Displays the gateway IP address. Nothing is displayed here
when routes are received by DHCP.
Interface
Displays the interface used for this route.
Metric
Displays the route's priority.
The lower the value, the higher the priority of the route.
Route Type
Displays the route type.
Extended Route
Displays whether a route has been configured with advanced
parameters.
Protocol
Displays how the entry has been created, e.g. manually ( $*
+) or via one of the available protocols.
Delete
You can delete entries with the
symbol.
11.1.4 IPv6 Routing Table
A list of all configured IPv6 routes is displayed in the Network->Routes->IPv6 Routing Table menu.
Fields in the IPv6 Routing Table menu
Field
Description
Route
Displays the source and destination address, which is used for
this route, as well as the gateway IP address. Nothing is displayed here when routes are received by DHCP.
Interface
Displays the interface used for this route.
Metric
Displays the route's priority.
The lower the value, the higher the priority of the route.
Protocol
Displays how the entry has been created, e.g. manually ( $*
+) or via one of the available protocols.
11.1.5 Options
Back Route Verify
The term Back Route Verify describes a very simple but powerful function. If a check is activated for an interface, incoming data packets are only accepted over this interface if outgoing response packets are routed over the same interface. You can therefore prevent the
acceptance of packets with false IP addresses - even without using filters.
In the ex works state, the two entries and ! are displayed by default setting 7+ 1 *1* 1*.
The Networking->Routes->Options menu consists of the following fields:
Fields in the Back Route Verify menu.
Field
Description
Mode
Select how the interfaces to be activated for Back Route Verify
are to be specified.
Possible values:
• 7+ 1 ++ 1*: Back Route Verify is activated for all interfaces.
• 7+ 1 *1* 1* (default value): A list of all interfaces is displayed in which Back Route Verify is only enabled for specific interfaces.
• -7+ 1 ++ 1*: Back Route Verify is disabled for all interfaces.
No.
Only for Mode = 7+ 1 *1* 1*
Displays the serial number of the list entry.
Interface
Only for Mode = 7+ 1 *1* 1*
Displays the name of the interface.
Back Route Verify
Only for Mode = 7+ 1 *1* 1*
Select whether &*B ?3 E10 is to be activated for the
interface.
The function is enabled with 7+.
By default, the function is deactivated for all interfaces.
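The Back Route Verify decision described above can be modelled as a route lookup on the packet's source address. The following is an added example, not code from the manual or the device: the interface names, routes and addresses are constructed, and the lookup rule (longest prefix, then lowest metric) is an assumption about how the return route is chosen.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    destination: ipaddress.IPv4Network
    interface: str
    metric: int = 1


# Constructed routing table; names and addresses are illustrative only.
ROUTES = [
    Route(ipaddress.ip_network("192.168.0.0/24"), "lan"),
    Route(ipaddress.ip_network("10.10.0.0/16"), "vpn-branch"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "wan"),
]

# Interfaces on which the check is switched on (per-interface mode).
VERIFY_ENABLED = {"wan", "vpn-branch"}


def best_route(address, routes=ROUTES):
    """Pick the route a reply to `address` would take.

    Assumption: longest prefix wins, then the lower metric.
    """
    addr = ipaddress.ip_address(address)
    candidates = [r for r in routes if addr in r.destination]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.destination.prefixlen, r.metric))


def back_route_verify(source_ip, in_interface,
                      enabled=VERIFY_ENABLED, routes=ROUTES):
    """Return (accepted, reason) for a packet received on `in_interface`."""
    if in_interface not in enabled:
        return True, "check not enabled on this interface"
    route = best_route(source_ip, routes)
    if route is None:
        return False, "no route back to the source address"
    if route.interface != in_interface:
        return False, f"reply would leave via {route.interface}"
    return True, "reply leaves via the receiving interface"


if __name__ == "__main__":
    samples = [
        ("203.0.113.7", "wan"),         # ordinary Internet host
        ("192.168.0.50", "wan"),        # LAN source address seen on the WAN side
        ("10.10.3.4", "vpn-branch"),    # branch host over its tunnel
        ("203.0.113.7", "vpn-branch"),  # Internet address arriving over the tunnel
    ]
    for src, iface in samples:
        print(src, iface, back_route_verify(src, iface))
```

A check of this kind also drops legitimate packets on paths where replies leave through a different interface than the one the request arrived on, so asymmetric routes need to be reviewed before it is enabled.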
11.2 IPv6 General Prefixes
IPv6 General Prefixes are usually distributed by IPv6 providers. They can be statically assigned or obtained through DHCP. In most cases, they define /48 or /56 networks. You can
derive /64 subnets from these prefixes and have them distributed in your network.
General Prefixes have two key advantages:
• A single route is sufficient for all traffic between the provider and the customer.
• If your provider assigns a new General Prefix through DHCP or changes the static General Prefix assigned to you, there is little or no configuration to be done: In the case of
DHCP you obtain the new General Prefix automatically; and in the case of a statically assigned General Prefix, you need to introduce it into your system once. All subnets and
IPv6 addresses derived from the General Prefix change automatically after an update.
In order to use IPv6 you need to configure how subnets and IPv6 addresses are created and
distributed (see Configuring IPv6 addresses in Interfaces on page 90 and the menu
LAN->IP Configuration->Interfaces for the IPv6-relevant parameters).
11.2.1 General Prefix Configuration
A list of all configured IPv6 prefixes is displayed in the Networking->IPv6 General Prefixes->General Prefix Configuration menu.
11.2.1.1 Edit or New
Choose the icon to edit existing entries. Choose the New button to create additional prefixes.
Fields in the Basic Parameters menu.
Field
Description
General Prefix active
Select if the prefix is to be active or inactive.
With 7+ the status of the prefix will be set to active.
The function is enabled by default.
Name
Enter a name for the General Prefix.
A meaningful name helps when selecting the General Prefix from a prefix list.
Type
Specify how the address range is to be assigned.
Possible values:
• -0* (default value): The general prefix will be set dynamically by DHCP transmission, e.g. from a provider.
• *: The prefix is fixed, e. g. by a provider.
From Interface
Only with Type = -0*
Select the IPv6 interface from which a General Prefix is to be
obtained.
You can choose from all interfaces that are available under
LAN->IP Configuration->Interfaces->New and that fulfil the
following conditions:
• IPv6 is 7+.
• IPv6 Mode = >
• DHCP Client is 7+.
Used Prefix / Length
Only with Type = *
Enter the prefix to be used. Enter the corresponding length. This
prefix must end with ::.
The default value is .
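How /64 subnets and addresses follow a General Prefix, and why they change together when the prefix changes, can be shown with a short calculation. This is an added example, not part of the manual: the prefixes use the 2001:db8::/32 documentation range, and the subnet IDs, interface identifiers and function names are constructed.

```python
import ipaddress


def parse_general_prefix(text):
    """Validate a statically entered General Prefix such as '2001:db8:aa00::/56'."""
    address, _, length = text.partition("/")
    if not length:
        raise ValueError("prefix length is missing")
    if not address.endswith("::"):
        raise ValueError("the prefix must end with '::'")
    # strict=True rejects prefixes that have bits set beyond the stated length
    net = ipaddress.IPv6Network(f"{address}/{length}", strict=True)
    if net.prefixlen > 64:
        raise ValueError("a General Prefix longer than /64 leaves no room for subnets")
    return net


def derive_subnet(general_prefix, subnet_id):
    """Place subnet_id in the bits between the General Prefix and bit 64."""
    free_bits = 64 - general_prefix.prefixlen
    if not 0 <= subnet_id < (1 << free_bits):
        raise ValueError(f"subnet id does not fit into {free_bits} bits")
    base = int(general_prefix.network_address) | (subnet_id << 64)
    return ipaddress.IPv6Network((base, 64))


def derive_plan(general_prefix, plan):
    """Map each name in the plan to 'address/64' under the current prefix."""
    result = {}
    for name, (subnet_id, interface_id) in plan.items():
        subnet = derive_subnet(general_prefix, subnet_id)
        address = ipaddress.IPv6Address(int(subnet.network_address) | interface_id)
        result[name] = f"{address}/{subnet.prefixlen}"
    return result


# Constructed addressing plan: name -> (subnet id, interface identifier)
PLAN = {"lan": (0x01, 0x1), "voip": (0x02, 0x1), "guest": (0xFF, 0x1)}

if __name__ == "__main__":
    old = parse_general_prefix("2001:db8:aa00::/56")
    new = parse_general_prefix("2001:db8:bb00::/56")  # provider assigns a new prefix
    print(derive_plan(old, PLAN))
    print(derive_plan(new, PLAN))
```

Filter and access rules that contain full IPv6 addresses written out by hand do not follow the prefix in this way and have to be revisited after a prefix change.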
11.3 NAT
Network Address Translation (NAT) is a function on your device for defined conversion of
source and destination addresses of IP packets. If NAT is activated, IP connections are still
only allowed by default in one direction, outgoing (forward) (= protective function). Exceptions to the rule can be configured (in NAT Configuration on page 154).
For specific instructions on configuring NAT, see NAT - Configuration
example on page 160 at the end of this chapter.
11.3.1 NAT Interfaces
A list of all NAT interfaces is displayed in the Networking->NAT->NAT Interfaces menu.
For every NAT interface, the 9,) *, $7*B *, + -0 and
) !3! can be selected.
In addition, 12 displays how many port forwarding rules were configured
for this interface.
Options in the menu NAT Interfaces
Field
Description
NAT active
Select whether NAT is to be activated for the interface.
The function is disabled by default.
Loopback active
The NAT loopback function also enables network address translation for connectors whereby NAT is not activated. This is often
used in order to interpret queries from the LAN as if they were
coming from the WAN. You can use this to test the server services.
The function is disabled by default.
Silent Deny
Select whether IP packets are to be silently denied by NAT. If
this function is deactivated, the sender of the denied IP packet
is informed by means of an appropriate ICMP or TCP RST message.
The function is disabled by default.
PPTP Passthrough
Select whether the setup and operation of several simultaneous, outgoing PPTP connections from hosts in the network are
also to be permitted if NAT is activated.
The function is disabled by default.
If PPTP Passthrough is enabled, the device itself cannot be
configured as a tunnel endpoint.
Portforwardings
Shows the number of portforwarding rules configured in Networking->NAT->NAT Configuration.
11.3.2 NAT Configuration
In the Networking->NAT->NAT Configuration menu you can exclude data from NAT
simply and conveniently as well as translate addresses and ports. For outgoing data traffic
you can configure various NAT methods, i.e. you can determine how an external host establishes a connection to an internal host.
11.3.2.1 New
Choose the New button to set up NAT.
The Networking->NAT->NAT Configuration ->New menu consists of the following fields:
Fields in the menu Basic Parameters
Field
Description
Description
Enter a description for the NAT configuration.
Interface
Select the interface for which NAT is to be configured.
Possible values:
• ,0 (default value): NAT is configured for all interfaces.
• @1* A: Select one of the interfaces from the
list.
Type of traffic
Select the type of data traffic for which NAT is to be configured.
Possible values:
• * "- 9,)# (default value): The data
traffic that comes from outside.
• 3 "3* 9,)#: Outgoing data traffic.
• 6*+3 "8!3 9,)#: Data traffic excluded from
NAT.
NAT method
Only for Type of traffic = 3 "3* 9,)#
Select the NAT method for outgoing data traffic. The starting
point for choosing the NAT method is a NAT scenario in which
an "internal" source host has initiated an IP connection to an "external" destination host over the NAT interface, and in which an
internally valid source address and internally valid source port
are translated to an externally valid source address and an externally valid source port.
Possible values:
• 13++* (UDP only): Any given external host may send IP
packets via the external address and the external port to the
initiating source address and the initial source port.
• ** (UDP only): Like full-cone NAT; as external host, however, only the initial "external" destination host
is allowed.
• ** (UDP only): Like restricted-cone
NAT; however, exclusively data from the initial destination
port are allowed.
• 0* (standard value) any protocol: Outbound, an externally valid source address and an externally valid source
port are administratively set. Inbound, only response packets
within the existing connection are allowed.
In the NAT Configuration ->Specify original traffic menu, you can configure for which
data traffic NAT is to be used.
Fields in the menu Specify original traffic
Field
Description
Service
Not for Type of traffic = 3 "3* 9,)# and NAT
method = 13++*, ** or **.
Select one of the preconfigured services.
Possible values:
• /1 (default value)
• @* A
Action
Only for Type of traffic = 6*+3 "8!3 9,)#
Select which data packets are to be excluded by NAT.
Possible values:
• 6*+3 (default value): All the data packets that match the following parameters that are to be configured (protocol, source IP address/network mask, destination IP address/netmask, etc.) are excluded by NAT.
• - 6*+3: All the data packets that do not match the
following parameters that are to be configured (protocol,
source IP address/network mask, destination IP address/netmask, etc.) are excluded by NAT.
Protocol
Only for certain services.
Not for Type of traffic = 3 "3* 9,)# and NAT
method = 13++*, ** or **. In this case UDP is automatically defined.
Select a protocol. According to the selected Service, different
protocols are available.
Possible values:
• ,0 (default value)
• ,>
• %!
•
•
• • ?
• >.
• %.
• .
• • ?
• • • • C • :
• =0+
• $)
• :'
• /
• ?-
• ?E
• =
• )%
• )$
• /-
• E??
• C9-
Source IP Address/
Netmask
Only for Type of traffic = * "- 9,)# or
6*+3 "8!3 9,)#
Enter the source IP address and corresponding netmask of the
original data packets, as the case arises.
Original Destination IP Address/Netmask
Only for Type of traffic = * "- 9,)#
Enter the destination IP address and corresponding netmask of
the original data packets, as the case arises.
Original Destination
Port/Range
Only for Type of traffic = * "- 9,)#,
Service = 31 and Protocol = )%, /-, )%5
/-
Enter the destination port or the destination port range of the
original data packets. The default setting ,++ means that the
port is not specified.
Original Source IP Address/Netmask
Only for Type of traffic = 3 "3* 9,)#
Enter the source IP address and corresponding netmask of the
original data packets, as the case arises.
Original Source Port/Range
Only for Type of traffic = 3 "3* 9,)#, NAT
method = 0*, Service = 31 and Protocol = )%, /-, )%5/-
Enter the source port of the original data packets. The default
setting ,++ means that the port remains unspecified.
If you select *10 you can specify a single port; if
you select *10 you can specify a continuous range of ports which will be applied for filtering the outgoing data traffic.
Source Port/Range
Only for Type of traffic = 6*+3 "8!3 9,)#, Service = 31 and Protocol = )%, /-, )%5/-
Enter the source port or the source port range of the original
data packets. The default setting ,++ means that the port remains unspecified.
Destination IP Address/Netmask
Only for Type of traffic = 6*+3 "8!3 9,)# or
3 "3* 9,)# and NAT method = 0*
Enter the destination IP address and corresponding netmask of
the original data packets, as the case arises.
Destination Port/Range
Only for Type of traffic = 3 "3* 9,)#, NAT
method = 0*, Service = 31 and Protocol = )%, /-, )%5/- or Type of traffic = 6*+3
"8!3 9,)#, Service = 31 and Protocol =
)%, /-, )%5/-
Enter the destination port or the destination port range of the
original data packets. The default setting ,++ means that the
port remains unspecified.
In the NAT Configuration ->Replacement Values menu you can define, depending on
whether you're dealing with inbound or outbound data traffic, new addresses and ports, to
which specific addresses and ports from the NAT Configuration ->Specify original traffic
menu can be translated.
Fields in the menu Replacement Values
Field
Description
New Destination IP Address/Netmask
Only for Type of traffic = * "- 9,)#
Enter the destination IP address and corresponding netmask to
which the original destination IP address is to be translated.
New Destination Port
Only for Type of traffic = * "- 9,)#,
Service = 31 and Protocol = )%, /-, )%5/-
Leave the destination port as it appears or enter the destination
port to which the original destination port is to be translated.
Select :+ to leave the original destination port. If you
disable :+, an input field appears and you can enter a
new destination port.
:+ is active by default.
New Source IP Address/Netmask
Only for Type of traffic = 3 "3* 9,)# and
NAT method = 0*
Enter the source IP address to which the original source IP address is to be translated, with corresponding netmask, as the
case arises.
New Source Port
Only for Type of traffic = 3 "3* 9,)#, NAT
method = 0*, Service = 31, Protocol =
)%, /-, )%5/- and Original Source Port/Range =
,++ or *10
Leave the source port as it appears or enter a new source port
to which the original source port is to be translated.
:+ leaves the original source port. If you disable :+, an input field appears in which you can enter a new
source port. :+ is active by default.
If you select *10 for Original Source Port/
Range, you can choose from the following options:
• / :+ 3* 5?: The range specified
for Original Source Port/Range is not changed, all port numbers are retained.
• / 3* 5? 2!: There is an
input field for you to specify the port number with which to
start the port range that replaces the original port range. The
count of ports is retained.
11.3.3 NAT - Configuration example
Requirements
• Basic configuration of the gateway
• A working Internet access. For example, Company Connect with 8 IP addresses.
• The Ethernet interface ETH is connected to the access router to the internet (IP address
5)
• The IP address to are entered on Ethernet interface ETH.
Example scenario
Configuration target
• You configure NAT enables for accessing your gateway over HTTP.
• You also want to access your terminal server and the corporate web server over the Internet.
Overview of Configuration Steps
Enable NAT
Field
Menu
Value
NAT active
Network->NAT->NAT Interfaces
Enabled for $,9; 9
Silent Deny
Network->NAT->NAT Interfaces
Enabled for $,9; 9
Configured NAT enables
Field
Menu
Value
Description
Network->NAT->NAT
Configuration->New
e.g. /
Interface
Network->NAT->NAT
Configuration->New
$,9; 9
Type of traffic
Network->NAT->NAT
Configuration->New
*
"- 9,)#
Service
Network->NAT->NAT
Configuration->New
/1
Protocol
Network->NAT->NAT
Configuration->New
)%
Original Destination IP Address/Netmask
Network->NAT->NAT
Configuration->New
>, e.g.
Original Destination
Port/Range
Network->NAT->NAT
Configuration->New
New Destination IP Address/Netmask
Network->NAT->NAT
Configuration->New
(
New Destination Port
Network->NAT->NAT
Configuration->New
:+ disabled,
Field
Menu
Value
Description
Network->NAT->NAT
Configuration->New
e.g. 87
Interface
Network->NAT->NAT
Configuration->New
$,9; 9
Type of traffic
Network->NAT->NAT
Configuration->New
*
"- 9,)#
Service
Network->NAT->NAT
Configuration->New
!
Protocol
Network->NAT->NAT
Configuration->New
Web server
Original Destination IP Address/Netmask
Network->NAT->NAT
Configuration->New
New Destination Port
Network->NAT->NAT
Configuration->New
>, e.g.
>, e.g.
:+
Terminal Server
Field
Menu
Value
Description
Network->NAT->NAT
Configuration->New
e.g. )+
Interface
Network->NAT->NAT
Configuration->New
$,9; 9
Type of traffic
Network->NAT->NAT
Configuration->New
*
"- 9,)#
Service
Network->NAT->NAT
Configuration->New
/1
Protocol
Network->NAT->NAT
Configuration->New
)%
Original Destination IP Address/Netmask
Network->NAT->NAT
Configuration->New
Original Destination
Port/Range
Network->NAT->NAT
Configuration->New
New Destination IP Address/Netmask
Network->NAT->NAT
Configuration->New
New Destination Port
Network->NAT->NAT
Configuration->New
>, e.g.
:+
11.4 Load Balancing
The increasing amount of data traffic over the Internet means it is necessary to send data
over different interfaces to increase the total bandwidth available. IP load balancing enables the distribution of data traffic within a certain group of interfaces to be controlled.
For specific instructions on configuring load balancing, see Load balancing - Configuration example on page 169.
11.4.1 Load Balancing Groups
If interfaces are combined to form groups, the data traffic within a group is divided according to the following principles:
• In contrast to Multilink PPP-based solutions, load balancing also functions with accounts
with different providers.
• Session-based load balancing is achieved.
• Related (dependent) sessions are always routed over the same interface.
• A decision on distribution is only made for outgoing sessions.
A list of all configured load balancing groups is displayed in the Networking->Load Balancing->Load Balancing Groups menu. You can click the icon next to any list entry to go to an overview of the basic parameters that affect this group.
Note
Note that the interfaces that are combined into a load balancing group must have
routes with the same metric. If necessary, go to the Networking->Routes menu and
check the entries there.
11.4.1.1 New
Choose the New button to create additional groups.
The menu Networking->Load Balancing->Load Balancing Groups->New consists of the
following fields:
Fields in the Basic Parameters menu.
Field
Description
Group Description
Enter the desired description of the interface group.
Distribution Policy
Select the way the data traffic is to be distributed to the interfaces configured for the group.
Possible values:
• ?3?7 (default value): A newly added
session is assigned to one of the group interfaces according
to the percentage assignment of sessions to the interfaces.
The number of sessions is decisive.
• $ &2!: A newly added session is
assigned to one of the group interfaces according to the share
of the total data rate handled by the interfaces. The current
data rate based on the data traffic is decisive in both the send
and receive direction.
Consider
Only for Distribution Policy = $ &2!
Choose the direction in which the current data rate is to be considered.
Options:
• -2+: Only the data rate in the receive direction is considered.
• /+: Only the data rate in the send direction is considered.
By default, the -2+ and /+ options are disabled.
Distribution Mode
Select the state the interfaces in the group may have if they are
to be included in load balancing.
Possible values:
• ,+20 (default value): Also includes idle interfaces.
• :+0 3 * 1*: Only interfaces in the up
state are included.
In the Interface area, you add interfaces that match the current group context and configure these. You can also delete interfaces.
Use Add to create more entries.
Fields in the Basic Parameters menu.
Field
Description
Group Description
Shows the description of the interface group.
Distribution Policy
Displays the type of data traffic selected.
Fields in the Interface Selection for Distribution menu.
Field
Description
Interface
Select the interfaces that are to belong to the group from the
available interfaces.
Distribution Ratio
Enter the percentage of the data traffic to be assigned to an interface.
The meaning differs according to the Distribution Ratio employed:
• For ?3?7, it is based on the number of distributed sessions.
• For $ &2!, the data rate is the decisive factor.
The menu Advanced Settings consists of the following fields:
Fields in the Advanced Settings menu.
Field
Description
Route Selector
The Route Selector parameter is an additional criterion to help
define a load balancing group more precisely. Here, routing information is added to the "interface" entry within a load balancing group. The route selector is required in certain scenarios to
enable the IP sessions managed by the router to be balanced
uniquely for each load balancing group. The following rules apply when using the parameter:
• If an interface is only assigned to one load balancing group, it
is not necessary to configure the route selector.
• If an interface is assigned to multiple load balancing groups,
configuration of the route selector is essential.
• The route selector must be configured identically for all interface entries within a load balancing group.
Select the Destination IP Address of the desired route.
You can choose between all routes and all extended routes.
Tracking IP Address
You can use the Tracking IP Address parameter to have a
particular route monitored.
The load balancing status of the interface and the status of the
routes connected to the interface can be influenced using this
parameter. This means that routes can be enabled or disabled
irrespective of the interface's operation status. The connection
is monitored using the gateway's host surveillance function
here. Host surveillance entries must be configured in order to
use this function. These can be configured in the Local Services->Surveillance->Hosts menu. Here, it is important that
only the host surveillance entries with the action Monitor are
taken into account in the context of load balancing. Links
between the load balancing function and the host surveillance
function are made through the configuration of the Tracking IP
Address in the Load Balancing->Load Balancing
Groups->Advanced Settings menu. The interface's load balancing status now varies according to the status of the assigned
host surveillance entry.
Select the IP address for the route to be monitored.
You can choose from the IP addresses you have entered in the
Local Services->Surveillance->Hosts->New menu under
Monitored IP Address and which are monitored with the aid of
the Action to be executed field (Action = .).
11.4.2 Special Session Handling
Special Session Handling enables you to route part of the data traffic to your device via a
particular interface. This data traffic is excluded from the Load Balancing function.
You can use the Special Session Handling function with online banking, for example, to
ensure that the HTTPS data traffic is sent to a particular link. Since a check is run in online
banking to see whether all the data traffic comes from the same source, data transmission
using Load Balancing might be terminated at times without Special Session Handling.
The Networking->Load Balancing->Special Session Handling menu displays a list of
entries. If you have not configured any entries, the list is empty.
Every entry contains parameters which describe the properties of a data packet in more or
less detail. The first data packet which the properties configured here match specifies the
route for particular subsequent data packets.
Which data packets are subsequently routed via this route is configured in the Networking->Load Balancing->Special Session Handling->New->Advanced Settings menu.
If in the Networking->Load Balancing->Special Session Handling->New menu, for example, you select the parameter Service = ! "$# (and leave the default value for
all the other parameters), the first HTTPS packet specifies the Destination Address and
the Destination Port (i. e. Port 443 with HTTPS) for data packets sent subsequently.
If, under Frozen Parameters, for the two parameters Destination Address and Destination Port you leave the default setting 7+, the HTTPS packets with the same source
IP address as the first HTTPS packet are routed via port 443 to the same Destination Address via the same interface as the first HTTPS packet.
11.4.2.1 Edit or New
Choose the icon to edit existing entries. Select the New button to create new entries.
The Networking->Load Balancing->Special Session Handling->New menu consists of
the following fields:
Fields in the Basic Parameters menu.
Field
Description
Admin Status
Select whether the Special Session Handling should be activated.
The function is activated by selecting 7+.
The function is enabled by default.
Description
Enter a name for the entry.
Service
Select one of the preconfigured services, if required. The extensive range of services configured ex works includes the following:
• *0
• +J
• 3!
• *!
• *+;
• 0
• !*
• *
The default value is / 1.
Protocol
Select a protocol, if required. The ,0 option (default value)
matches any protocol.
Destination IP Address/Netmask
Enter, if required, the destination IP address and netmask of the
data packets.
Possible values:
• ,0 (default value)
• >: Enter the IP address of the host.
• 92B: Enter the network address and the related netmask.
Destination Port/Range
Enter, if required, a destination port number or a range of destination port numbers.
Possible values:
• ,++ (default value): The destination port is not specified.
• *10 : Enter a destination port.
• *10 : Enter a destination port range.
Source Interface
If required, select your device's source interface.
Source IP Address/
Netmask
Enter, if required, the source IP address and netmask of the
data packets.
Possible values:
• ,0 (default value)
• >: Enter the IP address of the host.
• 92B: Enter the network address and the related netmask.
Source Port/Range
Enter, if required, a source port number or a range of source
port numbers.
Possible values:
• ,++ (default value): The destination port is not specified.
• *10 : Enter a destination port.
• *10 : Enter a destination port range.
Special Handling Timer
Enter the time period during which the specified data packets
are to be routed via the route that has been defined.
The default value is seconds.
The menu Advanced Settings consists of the following fields:
Fields in the Advanced Settings menu.
Field
Description
Frozen Parameters
Specify whether, when data packets are subsequently sent, the
two parameters Destination Address and Destination Port
must have the same value as the first data packet, i. e. whether
the subsequent data packets must be routed via the same Destination Port to the same Destination Address.
The two parameters Destination Address and Destination
Port are enabled by default.
If you leave the default setting 7+ for one or both parameters, the value of the parameter concerned in data packets sent subsequently must be the
same as in the first data packet.
You can disable one or both parameters if you wish.
The Source IP Address parameter must always have the same
value in data packets sent subsequently as it did in the first data
packet. So it cannot be disabled.
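The interaction between Special Session Handling, the Frozen Parameters and the Special Handling Timer can be followed in a small model. This is an added example, not code from the manual or the device: interface names, addresses and the 60-second timer are constructed, plain sessions are distributed in simple rotation, and the timer is assumed to run from the first matching packet.

```python
import itertools
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    """One Special Session Handling entry (here: HTTPS, i.e. TCP port 443)."""
    proto: str = "tcp"
    dst_port: Optional[int] = 443
    freeze_dst_addr: bool = True   # Frozen Parameters: Destination Address
    freeze_dst_port: bool = True   # Frozen Parameters: Destination Port
    timer: int = 60                # constructed value, in seconds

    def matches(self, pkt):
        return pkt.proto == self.proto and self.dst_port in (None, pkt.dst_port)


@dataclass(frozen=True)
class Pin:
    """Route fixed by the first packet that matched a rule."""
    first: Packet
    rule: Rule
    interface: str
    expires: float

    def covers(self, pkt):
        if pkt.src_ip != self.first.src_ip:   # source address is always frozen
            return False
        if self.rule.freeze_dst_addr and pkt.dst_ip != self.first.dst_ip:
            return False
        if self.rule.freeze_dst_port and pkt.dst_port != self.first.dst_port:
            return False
        return True


class Balancer:
    def __init__(self, interfaces, rules):
        self._next = itertools.cycle(interfaces)  # stand-in for the group policy
        self.rules = list(rules)
        self.pins = []

    def route(self, pkt, now):
        """Return the interface for the first packet of a session seen at time `now`."""
        self.pins = [p for p in self.pins if p.expires > now]
        for pin in self.pins:
            if pin.covers(pkt):
                return pin.interface          # excluded from load balancing
        interface = next(self._next)          # normal load balancing decision
        for rule in self.rules:
            if rule.matches(pkt):
                self.pins.append(Pin(pkt, rule, interface, now + rule.timer))
                break
        return interface


if __name__ == "__main__":
    lb = Balancer(["wan-a", "wan-b"], [Rule()])
    bank = Packet("192.168.0.10", "203.0.113.20", 443)
    other = Packet("192.168.0.10", "203.0.113.21", 443)
    for t, pkt in [(0, bank), (1, bank), (2, other), (3, bank), (61, bank)]:
        print(t, pkt.dst_ip, lb.route(pkt, t))
```

With both parameters frozen, a second HTTPS destination gets its own pin; with Destination Address unfrozen, every HTTPS session from the same source follows the first one until the timer runs out.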
11.4.3 Load balancing - Configuration example
Requirements
• Gateway with the ADSL modem integrated
• An external ADSL modem
• Two independent ADSL Internet connections
Example scenario
Configuration target
• The data traffic is distributed half and half to the two ADSL lines based on IP sessions.
• We shall then take the example of encrypted HTTP connections (HTTPS) to describe
how to effectively avoid any loss of connection that might occur when distributing to different Internet accesses.
Note
When creating the ADSL connections, besides the public IP address, the bintec R3002
also obtains the IP addresses of the DNS servers for resolving the name of the configured Internet provider. Particularly when using different Internet providers, the use of
the DNS servers needs to be connection-specific.
The configuration of the DNS servers is automatically created when you create the
ADSL connections and can be seen in the menu Local Services->DNS->DNS Server.
Overview of Configuration Steps
Set up first Internet connection
Field
Menu
Value
Connection Type
Assistants->Internet Access->Internet + ,-$ .
Connections->New
Description
Assistants->Internet Access->Internet e.g. ,-$
Connections->New->Next
Type
Assistants->Internet Access->Internet /1 Connections->New->Next
!
" #
Login Name
Assistants->Internet Access->Internet e.g.
Connections->New->Next
1;K
Password
Assistants->Internet Access->Internet e.g. Connections->New->Next
Note
The message you get when you create the second ADSL connection may be ignored.
The IP load distribution avoids routing conflicts due to multiple standard routes!
Set up the second Internet connection
Field
Menu
Value
Connection Type
Assistants->Internet Access->Internet
6+ 6-$ .
Connections->New
Description
Assistants->Internet Access->Internet e.g. ,-$
Connections->New->Next
Physical Ethernet
Port
Assistants->Internet Access->Internet e.g. )>
Connections->New->Next
Type
Assistants->Internet Access->Internet /1
Connections->New->Next
Login Name
Assistants->Internet Access->Internet e.g.
Connections->New->Next
L
K+
Password
Assistants->Internet Access->Internet e.g. Connections->New->Next
Create a load balancing group
Field
Menu
Value
Group Description
Network->Load Balancing->Load Balancing Groups->New
e.g. ,**
Distribution Policy
Network->Load Balancing->Load Balancing Groups->New
?3?7
Distribution Mode
Network->Load Balancing->Load Balancing Groups->New
,+20
Interface
Network->Load Balancing->Load Balancing Groups->New->Add
8,9;,-$
Distribution Ratio
Network->Load Balancing->Load Balancing Groups->New->Add
Interface
Network->Load Balancing->Load Balancing Groups->New->Add
8,9;,-$
Distribution Ratio
Network->Load Balancing->Load Balancing Groups->New->Add
Special Session Handling
Field
Menu
Value
Description
Network->Load Balancing->Special
Session Handling->New
e.g. >))
Service
Network->Load Balancing->Special
Session Handling->New
! "$#
Special Handling
Timer
Network->Load Balancing->Special
Session Handling->New
seconds
11.5 QoS
QoS (Quality of Service) makes it possible to distribute the available bandwidths effectively
and intelligently. Certain applications can be given preference and bandwidth reserved for
them. This is an advantage, especially for time-critical applications such as VoIP.
The QoS configuration consists of three parts:
• Creating IP filters
• Classifying data
• Prioritising data
11.5.1 IPv4/IPv6 Filter
In the Networking->IPv4/IPv6 Filter->QoS Filter menu IP filters are configured.
The list also displays any configured entries from Networking->Access Rules->Rule
Chains.
11.5.1.1 New
Choose the New button to define more IP filters.
The Networking->IPv4/IPv6 Filter->QoS Filter->New menu consists of the following
fields:
Fields in the Basic Parameters menu.
Field
Description
Description
Enter the name of the filter.
Service
Select one of the preconfigured services. The extensive range
of services configured ex works includes the following:
• *0
• +J
• 3!
• *!
• *+;
• 0
• !*
• *
The default value is / 1.
Protocol
Select a protocol.
The ,0 option (default value) matches any protocol.
Type
Only for Protocol = %.
Select the type.
Possible values: ,0, *! +0, - 3*!
7+, 3* J3*!, ?*, *!, ) 6*,
), ) +0.
See RFC 792.
The default value is ,0.
Connection State
With Protocol = )%, you can define a filter that takes the
status of the TCP connections into account.
Possible values:
• 7+!: All TCP packets that would not open any new TCP connection on routing over the gateway match the filter.
• ,0 (default value): All TCP packets match the filter.
Destination IPv4 Address/Netmask
Enter the destination IPv4 address of the data packets and the
corresponding netmask.
Possible values:
• Any (default value): The destination IP address/netmask are
not specified.
• Host: Enter the destination IP address of the host.
• Network: Enter the destination network address and the corresponding netmask.
Destination IPv6 Address/Length
Enter the destination IPv6 address of the data packets and the
prefix length.
Possible values:
• Any (default value): The destination IP address/length are
not specified.
• Host: Enter the destination IP address of the host.
• Network: Enter the destination network address and the prefix length.
Destination Port/Range
Only for Protocol = TCP, UDP or TCP/UDP
Enter a destination port number or a range of destination port
numbers.
Possible values:
• -All- (default value): The destination port is not specified.
• Specify port: Enter a destination port.
• Specify port range: Enter a destination port range.
Source IPv4 Address/Netmask
Enter the source IPv4 address of the data packets and the corresponding netmask.
Possible values:
• Any (default value): The source IP address/netmask are not
specified.
• Host: Enter the source IP address of the host.
• Network: Enter the source network address and the corresponding netmask.
Source IPv6 Address/Length
Enter the source IPv6 address of the data packets and the prefix length.
Possible values:
• Any (default value): The source IP address/length are not
specified.
• Host: Enter the source IP address of the host.
• Network: Enter the source network address and the prefix
length.
Source Port/Range
Only for Protocol = TCP, UDP or TCP/UDP
Enter a source port number or a range of source port numbers.
Possible values:
• -All- (default value): The source port is not specified.
• Specify port: Enter a source port.
• Specify port range: Enter a source port range.
DSCP/TOS Filter (Layer 3)
Select the Type of Service (TOS).
Possible values:
• (default value): The type of service is ignored.
• DSCP Binary Value: Differentiated Services Code Point
according to RFC 3260 is used to signal the priority of IP
packets (indicated in binary format, 6 bit).
• DSCP Decimal Value: Differentiated Services Code Point
according to RFC 3260 is used to signal the priority of IP
packets (indicated in decimal format).
• DSCP Hexadecimal Value: Differentiated Services Code
Point according to RFC 3260 is used to signal the priority of
IP packets (indicated in hexadecimal format).
• TOS Binary Value: The TOS value is specified in binary
format, e.g. 00111111.
• TOS Decimal Value: The TOS value is specified in decimal
format, e.g. 63.
• TOS Hexadecimal Value: The TOS value is specified in
hexadecimal format, e.g. 3F.
COS Filter
(802.1p/Layer 2)
Enter the service class of the IP packets (Class of Service,
CoS).
Value range to (.
The default value is .
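The DSCP and TOS filter formats described above read the same header byte in different ways, so a value entered in the wrong mode silently never matches. The following added example (not code from the manual or the device) checks a constructed IPv4 header against both kinds of filter. It assumes that a TOS filter compares the whole 8-bit field and a DSCP filter compares only the upper six bits; the function names are hypothetical.

```python
"""Added example: matching the IPv4 TOS byte against a DSCP or TOS filter value."""

BASES = {"binary": 2, "decimal": 10, "hexadecimal": 16}


def parse_value(text, fmt):
    """Parse a filter value entered in binary, decimal or hexadecimal format."""
    return int(text, BASES[fmt])


def tos_byte(ipv4_header):
    """Return the second byte of an IPv4 header (the TOS / DS field)."""
    if len(ipv4_header) < 20 or ipv4_header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return ipv4_header[1]


def filter_matches(ipv4_header, kind, text, fmt):
    """Return True if the header matches a 'dscp' or 'tos' filter value.

    Assumption: 'tos' compares all 8 bits, 'dscp' compares the upper 6 bits
    (the lower 2 bits carry ECN and are ignored).
    """
    value = parse_value(text, fmt)
    tos = tos_byte(ipv4_header)
    if kind == "dscp":
        if not 0 <= value <= 0x3F:
            raise ValueError("DSCP is a 6-bit value (0-63)")
        return tos >> 2 == value
    if kind == "tos":
        if not 0 <= value <= 0xFF:
            raise ValueError("TOS is an 8-bit value (0-255)")
        return tos == value
    raise ValueError("kind must be 'dscp' or 'tos'")


def sample_header(tos):
    """Constructed 20-byte IPv4/UDP header, 192.0.2.10 -> 198.51.100.20, checksum 0."""
    return bytes([0x45, tos, 0x00, 0x1C, 0, 0, 0x40, 0x00, 64, 17, 0, 0,
                  192, 0, 2, 10, 198, 51, 100, 20])


if __name__ == "__main__":
    voip = sample_header(0xB8)       # DSCP 46, ECN bits 00
    voip_ecn = sample_header(0xB9)   # same DSCP, one ECN bit set
    for label, hdr in (("voip", voip), ("voip+ecn", voip_ecn)):
        print(label,
              "dscp=46:", filter_matches(hdr, "dscp", "46", "decimal"),
              "tos=B8:", filter_matches(hdr, "tos", "B8", "hexadecimal"),
              "tos=46:", filter_matches(hdr, "tos", "46", "decimal"))
```

A DSCP filter keeps matching when ECN bits are set, while a whole-byte TOS filter for the same traffic does not, which is worth checking when VoIP packets appear to bypass a priority class.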
11.5.2 QoS Classification
The data traffic is classified in the Networking->QoS->QoS Classification menu, i.e. the
data traffic is assigned to various classes by means of class IDs. To do this, create class plans
for classifying IP packets based on pre-defined IP filters. Each class plan is associated with
at least one interface via its first filter.
11.5.2.1 New
Choose the New button to create additional data classes.
The Networking->QoS->QoS Classification->New menu consists of the following fields:
Fields in the Basic Parameters menu.
Field
Description
Class map
Choose the class plan you want to create or edit.
Possible values:
• New (default value): You can create a new class plan with
this setting.
• <Name of class plan>: Shows a class plan that has
already been created, which you can select and edit. You can
add new filters.
Description
Only for Class map = New
Enter the name of the class plan.
Filter
Select an IP filter.
If the class plan is new, select the filter to be set at the first point
of the class plan.
If the class plan already exists, select the filter to be attached to
the class plan.
To select a filter, at least one filter must be configured in the
Networking->QoS->QoS Filter menu.
Direction
Select the direction of the data packets to be classified.
Possible values:
• Incoming: Incoming data packets are assigned to the class
(Class ID) that is then to be defined.
• Outgoing (default value): Outgoing data packets are assigned to the class (Class ID) that is then to be defined.
• Both: Incoming and outgoing data packets are assigned to
the class (Class ID) that is then to be defined.
High Priority Class
Enable or disable the high priority class. If the high priority class
is active, the data packets are associated with the class with the
highest priority and priority 0 is set automatically.
The function is enabled with Enabled.
The function is disabled by default.
Class ID
Only for High Priority Class not active.
Choose a number which assigns the data packets to a class.
Note
The class ID is a label to assign data packets to specific
classes. (The class ID does not define the priority.)
Possible values are whole numbers between and .
Set DSCP/Traffic Class Filter (Layer 3)
Here you can set or change the DSCP/TOS value of the IP data
packets, based on the class (Class ID) that has been defined.
Possible values:
• (default value): The DSCP/TOS value of the IP
data packets remains unchanged.
• DSCP Binary Value: Differentiated Services Code Point
according to RFC 3260 is used to signal the priority of IP
packets (indicated in binary format).
• DSCP Decimal Value: Differentiated Services Code Point
according to RFC 3260 is used to signal the priority of IP
packets (indicated in decimal format).
• DSCP Hexadecimal Value: Differentiated Services Code
Point according to RFC 3260 is used to signal the priority of
IP packets (indicated in hexadecimal format).
• TOS Binary Value: The TOS value is specified in binary
format, e.g. 00111111.
• TOS Decimal Value: The TOS value is specified in decimal
format, e.g. 63.
• TOS Hexadecimal Value: The TOS value is specified in
hexadecimal format, e.g. 3F.
Set COS value (802.1p/Layer 2)
Here you can set or change the service class (Layer 2 priority) in the header of the Ethernet packets filtered by the selected filter.
Possible values are whole numbers between and (.
The default value is .
Interfaces
Only for Class map = New
When creating a new class plan, select the interfaces to which
you want to link the class plan. A class plan can be assigned to
multiple interfaces.
11.5.3 QoS Interfaces/Policies
In the Networking->QoS->QoS Interfaces/Policies menu, you set prioritisation of data.
Note
Data can only be prioritized in the outgoing direction.
Packets in the high-priority class always take priority over data with class IDs 1 - 254.
It is possible to assign or guarantee each queue and thus each data class a certain part of
the total bandwidth of the interface. In addition, you can optimise the transmission of voice
data (real time data).
Depending on the respective interface, a queue is created automatically for each class, but
only for data traffic classified as outgoing and for data traffic classified in both directions. A
priority is assigned to these automatic queues. The value of the priority is equal to the
value of the class ID. You can change the default priority of a queue. If you add new
queues, you can also use classes in other class plans via the class ID.
11.5.3.1 New
Choose the New button to create additional prioritisations.
The Networking->QoS->QoS Interfaces/Policies->New menu consists of the following
fields:
Fields in the Basic Parameters menu.
Field
Description
Interface
Select the interface for which QoS is to be configured.
Prioritisation Algorithm
Select the algorithm according to which the queues are to be
processed. This activates and deactivates QoS on the selected
interface.
Possible values:
• Priority Queueing: QoS is activated on the interface. The
available bandwidth is distributed strictly according to the
queue priority.
• Weighted Round Robin: QoS is activated on the interface.
The available bandwidth is distributed according to the
weighting (weight) of the queue. Exception: High-priority packets are always handled with priority.
• Weighted Fair Queueing: QoS is activated on the interface. The available bandwidth is distributed as “fairly” as possible among the (automatically detected) traffic flows in a
queue. Exception: High-priority packets are always handled
with priority.
• Disabled (default value): QoS is deactivated on the interface. The existing configuration is not deleted, but can be activated again if required.
Traffic shaping
Activate or deactivate data rate limiting in the send direction.
The function is enabled with Enabled.
The function is disabled by default.
Maximum Upload Speed
Only for Traffic shaping = enabled.
Enter a maximum data rate for the selected interface in the
send direction in kbit per second.
Possible values are to .
The default value is , i.e. no limits are set, the selected interface can occupy its maximum bandwidth.
Protocol Header Size
below Layer 3
Only for Traffic shaping = enabled.
Choose the interface type to include the size of the respective
overheads of a datagram when calculating the bandwidth.
Possible values:
• / 1 : Value in byte.
Possible values are to .
• /1 "*+ > :11M
# (default
value)
Can only be selected for Ethernet interfaces
•
!
•
! E$,9
• !
• ! E$,9
Can only be selected for IPSec interfaces:
• * !
• * ! E$,9
• * • * Encryption Method
!
E$,9
Only if an IPSec Peers is selected as Interface, Traffic shaping is ,* and Protocol Header Size below Layer 3 is
not /1 "*+ > :11M
#.
Select the encryption method used for the IPSec connection.
The encryption algorithm determines the length of the block
cipher which is taken into account during bandwidth calculation.
Possible values:
• DES, 3DES, Blowfish, Cast - (cipher block size = 64 Bit)
• AES128, AES192, AES256, Twofish - (cipher block size =
128 Bit)
Real Time Jitter Control
Only for Traffic shaping = enabled
Real Time Jitter Control optimises latency when forwarding real
time datagrams. The function ensures that large data packets
are fragmented according to the available upload bandwidth.
Real Time Jitter Control is useful for small upload bandwidths (<
800 kbps).
Activate or deactivate Real Time Jitter Control.
The function is enabled with Enabled.
The function is disabled by default.
Control Mode
Only for Real Time Jitter Control = enabled.
Select the mode for optimising voice transmission.
Possible values:
• All RTP Streams: All RTP streams are optimised. The
function activates the RTP stream detection mechanism for
the automatic detection of RTP streams. In this mode, the
Real Time Jitter Control is activated as soon as an RTP
stream has been detected.
• Inactive: Voice data transmission is not optimised.
• Controlled RTP Streams only: This mode is used if
either the VoIP Application Layer Gateway (ALG) or the VoIP
Media Gateway (MGW) is active. Real Time Jitter Control is
activated by the control instances ALG or MGW.
• Always: Real Time Jitter Control is always active, even if no
real time data is routed.
Queues/Policies
Configure the desired QoS queues.
For each class created from the class plan, which is associated
with the selected interface, a queue is generated automatically
and displayed here (only for data traffic classified as outgoing
and for data traffic classified as moving in both directions).
Add new entries with Add. The Edit Queue/Policy menu
opens.
By creating a QoS policy a DEFAULT entry with the lowest priority 255 is automatically created.
The menu Edit Queue/Policy consists of the following fields:
Fields in the Edit Queue/Policy menu.
Field
Description
Description
Enter the name of the queue/policy.
Outbound Interface
Shows the interface for which the QoS queues are being configured.
Prioritisation queue
Select the queue priority type.
Possible values:
• Class Based (default value): Queue for data classified as
“normal”.
• High Priority: Queue for data classified as “high priority”.
• Default: Queue for data that has not been classified or data
of a class for which no queue has been configured.
Class ID
Only for Prioritisation queue = Class Based
Select the QoS packet class to which this queue is to apply.
To do this, at least one class ID must be given in the Networking->QoS->QoS Classification menu.
Priority
Only for Prioritisation queue = Class Based
Choose the priority of the queue. Possible values are (high
priority) to (low priority).
The default value is .
Weight
Only for Prioritisation Algorithm = Weighted Round Robin or Weighted Fair Queueing
Choose the priority of the queue. Possible values are to .
The default value is .
RTT Mode (Realtime Traffic Mode)
Activate or deactivate the real time transmission of the data.
The function is enabled with Enabled.
The function is disabled by default.
RTT mode should be activated for QoS classes in which real
time data has priority. This mode improves latency when forwarding real time datagrams.
It is possible to configure multiple queues when RTT mode is
enabled. Queues with enabled RTT mode must always have a
higher priority than queues with disabled RTT mode.
Traffic Shaping
Activate or deactivate data rate (=Traffic Shaping) limiting in the
send direction.
The data rate limit applies to the selected queue. (This is not the
limit that can be defined on the interface.)
The function is enabled with Enabled.
The function is disabled by default.
Maximum Upload
Speed
Only for Traffic Shaping = enabled.
Enter a maximum data rate for the queue in kbits.
Possible values are to .
The default value is .
Overbooking allowed
Only for Traffic Shaping = enabled.
Enable or disable the function. The function controls the bandwidth limit.
If Overbooking allowed is activated, the bandwidth limit set for
this queue can be exceeded, as long as free bandwidth exists
on the interface.
If Overbooking allowed is deactivated, the queue can never
occupy bandwidth beyond the bandwidth limit that has been set.
The function is enabled with Enabled.
The function is disabled by default.
Burst size
Only for Traffic Shaping = enabled.
Enter the maximum number of bytes that may still be transmitted temporarily when the data rate permitted for this queue has
been reached.
Possible values are to .
The default value is .
The menu Advanced Settings consists of the following fields:
Fields in the Advanced Settings menu.
Field
Description
Dropping Algorithm
Choose the procedure for rejecting packets in the QoS queue, if
the maximum size of the queue is exceeded.
Possible values:
• Tail Drop (default value): The newest packet received is
dropped.
• Head Drop: The oldest packet in the queue is dropped.
• Random Drop: A randomly selected packet is dropped from
the queue.
Congestion Avoidance (RED)
Enable or disable preventative deletion of data packets.
Packets which have a data size of between Min. queue size
and Max. queue size are preventively dropped to prevent
queue overflow (RED=Random Early Detection). This procedure ensures a smaller long-term queue size for TCP-based data
traffic, so that traffic bursts can also usually be transmitted
without large packet losses.
The function is activated with Enabled.
The function is disabled by default.
Min. queue size
Enter the lower threshold value for the process Congestion
Avoidance (RED) in bytes.
Possible values are to .
The default value is .
Max. queue size
Enter the upper threshold value for the process Congestion
Avoidance (RED) in bytes.
Possible values are to .
The default value is .
11.6 Access Rules
Accesses to data and functions are restricted with access lists (which user gets to use
which services and files).
You define filters for IP packets in order to allow or block access from or to the various
hosts in connected networks. This enables you to prevent undesired connections being set
up via the gateway. Access lists define the type of IP traffic the gateway is to accept or
deny. The access decision is based on information contained in the IP packets, e.g.:
• source and/or destination IP address
• packet protocol
• source and/or destination port (port ranges are supported)
Access lists are an effective means if, for example, sites with LANs interconnected over a
bintec elmeg gateway wish to deny all incoming FTP requests or only allow Telnet sessions
between certain hosts.
Access filters in the gateway are based on the combination of filters and actions for filter
rules (= rules) and the linking of these rules to form rule chains. They act on the incoming
data packets to allow or deny access to the gateway for certain data.
A filter describes a certain part of the IP data traffic based on the source and/or destination
IP address, netmask, protocol and source and/or destination port.
You use the rules that you set up in the access lists to tell the gateway what to do with the
filtered data packets, i.e. whether it should allow or deny them. You can also define several
rules, which you arrange in the form of a chain to obtain a certain sequence.
There are various approaches for the definition of rules and rule chains:
Allow all packets that are not explicitly denied, i.e.:
• Deny all packets that match Filter 1.
• Deny all packets that match Filter 2.
• ...
• Allow the rest.
or
Allow all packets that are explicitly allowed, i.e.:
• Allow all packets that match Filter 1.
• Allow all packets that match Filter 2.
• ...
• Deny the rest.
or
Combination of the two possibilities described above.
A number of separate rule chains can be created. The same filter can also be used in different rule chains.
You can also assign a rule chain individually to each interface.
Caution
Make sure you don’t lock yourself out when configuring filters.
If possible, access your gateway for filter configuration over the serial console interface (not
available for all devices) or ISDN Login.
11.6.1 Access Filter
This menu is for the configuration of access filters. Each filter describes a certain part of the IP
traffic and defines, for example, the IP addresses, the protocol, the source port or the destination port.
A list of all access filters is displayed in the Networking->Access Rules->Access Filter
menu.
11.6.1.1 Edit or New
Choose the icon to edit existing entries. To configure access filters, select the New button.
The Networking->Access Rules->Access Filter->New menu consists of the following
fields:
Fields in the Basic Parameters menu.
Field
Description
Description
Enter a description for the filter.
Service
Select one of the preconfigured services. The extensive range
of services configured ex works includes the following:
• activity
• apple-qt
• auth
• charge
• clients_1
• daytime
• dhcp
• discard
The default value is User defined.
Protocol
Select a protocol.
The Any option (default value) matches any protocol.
Type
Only if Protocol = ICMP.
Possible values:
• Any
• Echo reply
• Destination unreachable
• Source quench
• Redirect
• Echo
• Time exceeded
• Timestamp
• Timestamp reply
The default value is Any.
See RFC 792.
Connection State
Only if Protocol = TCP
You can define a filter that takes the status of the TCP connections into account.
Possible values:
• Any (default value): All TCP packets match the filter.
• Established: All TCP packets that would not open any new
TCP connection on routing over the gateway match the filter.
Destination IPv4 Address/Netmask
Enter the destination IPv4 address of the data packets and the
corresponding netmask.
Possible values:
• Any (default value): The destination IP address/netmask are
not specified.
• Host: Enter the destination IP address of the host.
• Network: Enter the destination network address and the corresponding netmask.
Destination IPv6 Address/Length
Enter the destination IPv6 address of the data packets and the
prefix length.
Possible values:
• Any (default value): The destination IP address/length are
not specified.
• Host: Enter the destination IP address of the host.
• Network: Enter the destination network address and the prefix length.
Destination Port/Range
Only if Protocol = TCP, UDP
Enter a destination port number or a range of destination port
numbers that matches the filter.
Possible values:
• -All- (default value): The filter is valid for all port numbers.
• Specify port: Enables the entry of a port number.
• Specify port range: Enables the entry of a range of port
numbers.
Source IPv4 Address/Netmask
Enter the source IPv4 address of the data packets and the corresponding netmask.
Possible values:
• Any (default value): The source IP address/netmask are not
specified.
• Host: Enter the source IP address of the host.
• Network: Enter the source network address and the corresponding netmask.
Source IPv6 Address/Length
Enter the source IPv6 address of the data packets and the prefix length.
Possible values:
• Any (default value): The source IP address/length are not
specified.
• Host: Enter the source IP address of the host.
• Network: Enter the source network address and the prefix
length.
Source Port/Range
Only if Protocol = TCP, UDP
Enter a source port number or the range of source port numbers.
Possible values:
• -All- (default value): The filter is valid for all port numbers.
• Specify port: Enables the entry of a port number.
• Specify port range: Enables the entry of a range of port
numbers.
DSCP/TOS Filter (Layer 3)
Select the Type of Service (TOS).
Possible values:
• (default value): The type of service is ignored.
• DSCP Binary Value: Differentiated Services Code Point
according to RFC 3260 is used to signal the priority of IP
packets (indicated in binary format, 6 bit).
• DSCP Decimal Value: Differentiated Services Code Point
according to RFC 3260 is used to signal the priority of IP
packets (indicated in decimal format).
• DSCP Hexadecimal Value: Differentiated Services Code
Point according to RFC 3260 is used to signal the priority of
IP packets (indicated in hexadecimal format).
• TOS Binary Value: The TOS value is specified in binary
format, e.g. 00111111.
• TOS Decimal Value: The TOS value is specified in decimal
format, e.g. 63.
• TOS Hexadecimal Value: The TOS value is specified in
hexadecimal format, e.g. 3F.
COS Filter
(802.1p/Layer 2)
Enter the service class of the IP packets (Class of Service,
CoS).
Possible values are whole numbers between and (.
The default value is .
11.6.2 Rule Chains
Rules for IP filters are configured in the Rule Chains menu. These can be created separately or incorporated in rule chains.
In the Networking->Access Rules->Rule Chains menu, all created filter rules are listed.
11.6.2.1 Edit or New
Choose the icon to edit existing entries. To configure access lists, select the New button.
The Networking->Access Rules->Rule Chains->New menu consists of the following
fields:
Fields in the Basic Parameters menu.
Field
Description
Rule Chain
Select whether to create a new rule chain or to edit an existing
one.
Possible values:
• New (default value): You can create a new rule chain with this
setting.
• <Name of the rule chain>: Select an already existing
rule chain, and thus add another rule to it.
Description
Enter the name of the rule chain.
Access Filter
Select an IP filter.
If the rule chain is new, select the filter to be set at the first point
of the rule chain.
If the rule chain already exists, select the filter to be attached to
the rule chain.
Action
Define the action to be taken for a filtered data packet.
Possible values:
• Allow if filter matches (default value): Allow packet
if it matches the filter.
• Allow if filter does not match: Allow packet if it
does not match the filter.
• Deny if filter matches: Deny packet if it matches the
filter.
• Deny if filter does not match: Deny packet if it does
not match the filter.
• : Use next rule.
To set the rules of a rule chain in a different order, select the
button in the list menu for
the entry to be shifted. A dialog box opens, in which you can decide under Move whether
the entry is to be shifted below (default value) or above another rule of this rule chain.
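Because the order of rules in a chain decides the outcome, it helps to model a chain offline before assigning it to an interface. The following added example (not code from the manual or the device) evaluates the two approaches from section 11.6, "deny selected, allow the rest" and "allow selected, deny the rest", and checks whether a management flow would be locked out. It assumes first-match evaluation and a deny when no rule decides; the class and function names and all addresses are constructed for the example.

```python
"""Added example: offline model of a rule chain (filters plus actions)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class AccessFilter:
    name: str
    protocol: Optional[str] = None          # None = any protocol
    src: str = "0.0.0.0/0"                  # host (/32) or network
    dst: str = "0.0.0.0/0"
    dst_ports: Optional[Tuple[int, int]] = None   # None = all ports

    def matches(self, pkt):
        if self.protocol is not None and pkt["proto"] != self.protocol:
            return False
        if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst):
            return False
        if self.dst_ports is not None:
            low, high = self.dst_ports
            if not low <= pkt.get("dport", -1) <= high:
                return False
        return True


# action -> (verdict, filter result that triggers it); None = use next rule
ACTIONS = {
    "allow if match": ("allow", True),
    "allow if no match": ("allow", False),
    "deny if match": ("deny", True),
    "deny if no match": ("deny", False),
    "use next rule": (None, None),
}


def evaluate(chain, pkt, default="deny"):
    """Walk the chain in order; the first rule whose condition holds decides.

    Assumption: a packet that no rule decides is denied.
    """
    for flt, action in chain:
        verdict, on_match = ACTIONS[action]
        if verdict is not None and flt.matches(pkt) == on_match:
            return verdict
    return default


def locked_out(chain, management_flows):
    """Return the management flows the chain would not allow."""
    return [flow for flow in management_flows if evaluate(chain, flow) != "allow"]


# Constructed filters and packets (documentation address ranges).
ANY = AccessFilter("any")
FTP = AccessFilter("ftp", protocol="tcp", dst_ports=(21, 21))
TELNET = AccessFilter("telnet-hosts", "tcp", "192.0.2.10/32", "198.51.100.5/32", (23, 23))

DENY_LIST = [(FTP, "deny if match"), (ANY, "allow if match")]
ALLOW_LIST = [(TELNET, "allow if match"), (ANY, "deny if match")]
MISORDERED = [(ANY, "allow if match"), (FTP, "deny if match")]

ADMIN = {"proto": "tcp", "src": "192.0.2.50", "dst": "192.0.2.1", "dport": 443}
FTP_IN = {"proto": "tcp", "src": "203.0.113.7", "dst": "192.0.2.20", "dport": 21}
TELNET_OK = {"proto": "tcp", "src": "192.0.2.10", "dst": "198.51.100.5", "dport": 23}

if __name__ == "__main__":
    for name, chain in (("deny-list", DENY_LIST), ("allow-list", ALLOW_LIST),
                        ("misordered", MISORDERED)):
        print(name, "ftp:", evaluate(chain, FTP_IN),
              "admin:", evaluate(chain, ADMIN),
              "locked out:", [f["src"] for f in locked_out(chain, [ADMIN])])
```

The misordered chain shows why sequence matters: the catch-all allow decides before the FTP deny is reached. The allow-list chain shows the lock-out case from the Caution in section 11.6.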
11.6.3 Interface Assignment
In this menu, the configured rule chains are assigned to the individual interfaces and the
gateway’s behavior is defined for denying IP packets.
A list of all configured interface assignments is displayed in the Networking->Access
Rules->Interface Assignment menu.
11.6.3.1 Edit or New
Choose the icon to edit existing entries. Choose the New button to configure additional
assignments.
The Networking->Access Rules->Interface Assignment->New menu consists of the following fields:
Fields in the Basic Parameters menu.
Field
Description
Interface
Select the interface for which a configured rule chain is to be assigned.
Rule Chain
Select a rule chain.
Silent Deny
Define whether the sender is to be informed if an IP packet is
denied.
• Enabled (default value): The sender is not informed.
• Disabled: The sender receives an ICMP message.
Reporting Method
Define whether a syslog message is to be generated if a packet
is denied.
Possible values:
• None: No syslog message.
• Info (default value): A syslog message is generated with the
protocol number, source IP address and source port number.
• Dump: A syslog message is generated with the contents of the
first 64 bytes of the denied packet.
Chapter 12 Multicast
What is multicasting?
Many new communication technologies are based on communication from one sender to
several recipients. Therefore, modern telecommunication systems such as voice over IP or
video and audio streaming (e.g. IPTV or Webradio) focus on reducing data traffic, e.g. by
offering TriplePlay (voice, video, data). Multicast is a cost-effective solution for effective use
of bandwidth because the sender of the data packet, which can be received by several recipients, only needs to send the packet once. The packet is sent to a virtual address
defined as a multicast group. Interested recipients log in to these groups.
Other areas of use
One classic area in which multicast is used is for conferences (audio/video) with several recipients. The most well-known are probably the MBone Multimedia Audio Tool (VAT),
Video Conferencing Tool (VIC) and Whiteboard (WB). VAT can be used to hold audio conferences. All subscribers are displayed in a window and the speaker(s) are indicated by a
black box. Other areas of use are of particular interest to companies. Here, multicasting
makes it possible to synchronise the databases of several servers, which is valuable for
multinationals or even companies with just a few locations.
Address range for multicast
For IPv4, the IP addresses 224.0.0.0 to 239.255.255.255 (224.0.0.0/4) are reserved for
multicast in the class D network. An IP address from this range represents a multicast
group to which several recipients can log in. The multicast router then forwards the required packets to all subnets with logged in recipients.
Multicast basics
Multicast is connectionless, which means that any trouble-shooting or flow control needs to
be guaranteed at application level.
At transport level, UDP is used almost exclusively, as, in contrast to TCP, it is not based on
a point-to-point connection.
At IP level, the main difference is therefore that the destination address does not address a
dedicated host, but rather a group, i.e. during the routing of multicast packets, the decisive
factor is whether a recipient is in a logged-in subnet.
In the local network, all hosts are required to accept all multicast packets. For Ethernet or
FDDI, this is based on MAC mapping, where the group address is encoded into the destination MAC address. For routing between several networks, the routers first need to make
themselves known to all potential recipients in the subnet. This is achieved by means of
Membership Management protocols such as IGMP for IPv4 and MLD for IPv6.
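The MAC mapping mentioned above keeps only the lower 23 bits of the IPv4 group address, so 32 different groups share each Ethernet destination address and a Layer 2 match alone cannot tell them apart. The following added example (not code from the manual or the device) computes the mapping defined in RFC 1112 and lists the groups that collide with a given one; the function names are hypothetical.

```python
"""Added example: IPv4 multicast group to Ethernet MAC mapping (RFC 1112)."""
import ipaddress

MAC_PREFIX = 0x01005E000000   # 01:00:5e:00:00:00, top bit of the low 24 bits is 0
LOW23 = 0x7FFFFF              # the 23 group-address bits copied into the MAC


def multicast_mac(group):
    """Return the destination MAC used for an IPv4 multicast group."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not in 224.0.0.0/4")
    mac = MAC_PREFIX | (int(addr) & LOW23)
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -8, -8))


def groups_sharing_mac(group):
    """Return all 32 group addresses that map to the same MAC as `group`.

    The 4 leading bits (1110) are fixed and the low 23 bits are copied,
    which leaves 5 bits that the MAC address does not carry.
    """
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not in 224.0.0.0/4")
    low = int(addr) & LOW23
    return [str(ipaddress.IPv4Address(0xE0000000 | (hidden << 23) | low))
            for hidden in range(32)]


def same_frame_address(group_a, group_b):
    """True if two groups are indistinguishable by destination MAC."""
    return multicast_mac(group_a) == multicast_mac(group_b)


if __name__ == "__main__":
    for g in ("224.0.0.1", "224.128.0.1", "239.255.255.255"):
        print(g, "->", multicast_mac(g))
    print("collides with 224.0.0.1:", groups_sharing_mac("224.0.0.1")[:4], "...")
```

Excluding unwanted groups therefore has to be decided on the IP group address, not on the Ethernet destination address.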
Membership Management protocol
In IPv4, IGMP (Internet Group Management Protocol) is a protocol that hosts can use to
provide the router with multicast membership information. IP addresses of the class D address range are used for addressing. An IP address in this class represents a group. A
sender (e.g. Internet radio) sends data to this group. The addresses (IP) of the various
senders within a group are called the source (addresses). Several senders (with different
IP addresses) can therefore transmit to the same multicast group, leading to a 1-to-n relationship between groups and source addresses. This information is forwarded to the router
by means of reports. In the case of incoming multicast data traffic, a router can use this information to decide whether a host in its subnet wants to receive it. Your device supports
the current version IGMP V3, which is upwardly compatible, which means that both V3 and
V1/V2 hosts can be managed.
Your device supports the following multicast mechanisms:
• Forwarding: This relates to static forwarding, i.e. incoming data traffic for a group is
passed in all cases. This is a useful option if multicast data traffic is to be permanently
passed.
• IGMP: IGMP is used to gather information about the potential recipients in a subnet. In
the case of a hop, incoming multicast data traffic can thus be selected.
Tip
With multicast, the focus is on excluding data traffic from unwanted multicast groups.
Note that if forwarding is combined with IGMP, the packets can be forwarded to the
groups specified in the forwarding request.
12.1 General
12.1.1 General
In the Multicast->General->General menu you can disable or enable the multicast function.
The Multicast->General->General menu consists of the following fields:
Fields in the Basic Settings menu.
Field
Description
Multicast Routing
Select whether Multicast Routing should be used.
The function is enabled with Enabled.
The function is disabled by default.
12.2 IGMP
IGMP (Internet Group Management Protocol, see RFC 3376) is used to signal the information about group (membership) in a subnet. As a result, only the packets explicitly wanted
by a host enter the subnet.
Special mechanisms ensure that the requirements of the individual clients are taken into
consideration. At the moment there are three versions of IGMP (V1 - V3); most current systems use V3, and less often V2.
Two packet types play a central role in IGMP: queries and reports.
Queries are only transmitted from a router. If several IGMP routers exist in a network, the
router with the lowest IP address is the "querier". We differentiate here between a general
query (sent to 224.0.0.1), a group-specific query (sent to a group address) and the group-and-source-specific query (sent to a specific group address). Reports are only sent by
hosts to respond to queries.
12.2.1 IGMP
In this menu, you configure the interfaces on which IGMP is to be enabled.
12.2.1.1 Edit or New
Choose the icon to edit existing entries. Choose the New button to configure IGMP on
other interfaces.
The Multicast->IGMP->IGMP->New menu consists of the following fields:
Fields in the IGMP Settings menu.
Field
Description
Interface
Select the interface on which IGMP is to be enabled, i.e. queries
are sent and responses are accepted.
Query Interval
Enter the interval in seconds in which IGMP queries are to be
sent.
Possible values are to .
The default value is .
Maximum Response
Time
For the sending of queries, enter the time interval in seconds
within which hosts must respond. The hosts randomly select a
time delay from this interval before sending the response. This
spreads the load in networks with several hosts, improving performance.
Possible values are G
to G
.
The default value is G
.
Robustness
Select the multiplier for controlling the timer values. A higher
value can e.g. compensate for packet loss in a network susceptible to loss. If the value is too high, however, the time between
logging off and stopping of the data traffic can be increased
(leave latency).
Possible values are to .
The default value is .
Last Member Query Interval
Define the time after a query for which the router waits for an
answer.
If you shorten the interval, it will be more quickly detected that
the last member has left a group so that no more packets for
this group should be forwarded to this interface.
Possible values are G
to G
.
The default value is G
.
IGMP State Limit
Limit the number of reports/queries per second for the selected
interface.
Mode
Specify whether the interface defined here only works in host
mode or in both host mode and routing mode.
Possible values:
• ?3 (default value): The interface is operated in Routing
mode.
• >: The interface is only operated in host mode.
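How the four timer fields above interact, as an added example that is not part of the manual: the formulas are the derived timers from RFC 3376, section 8, and the default values in the code are the RFC defaults, assumed for illustration rather than taken from this device. It also shows the lowest-address querier election described in section 12.2.

```python
"""IGMPv3 timers derived from the four menu fields (RFC 3376, section 8)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class IgmpTimers:
    # All values in seconds. Defaults are the RFC 3376 defaults, assumed
    # here for illustration; they are not taken from the manual.
    query_interval: float = 125.0
    max_response_time: float = 10.0
    robustness: int = 2
    last_member_query_interval: float = 1.0

    def __post_init__(self):
        if self.robustness < 1:
            raise ValueError("Robustness must be at least 1")
        # RFC 3376 8.3: hosts must be able to answer before the next query.
        if self.max_response_time >= self.query_interval:
            raise ValueError("Maximum Response Time must be below Query Interval")

    def group_membership_interval(self) -> float:
        """Time until a group is dropped when reports simply stop arriving."""
        return self.robustness * self.query_interval + self.max_response_time

    def other_querier_present_interval(self) -> float:
        """Silence after which a non-querier takes over the querier role."""
        return self.robustness * self.query_interval + self.max_response_time / 2

    def leave_latency(self) -> float:
        """Worst-case delay between a leave and the end of forwarding.

        The router repeats the group-specific query Robustness times
        (Last Member Query Count defaults to Robustness), waiting
        Last Member Query Interval after each one.
        """
        return self.robustness * self.last_member_query_interval


def elect_querier(router_addresses):
    """Return the querier: the router with the numerically lowest address."""
    return str(min(ipaddress.ip_address(a) for a in router_addresses))


if __name__ == "__main__":
    for rv in (2, 5):
        t = IgmpTimers(robustness=rv)
        print(f"robustness={rv}: membership timeout "
              f"{t.group_membership_interval():.0f}s, "
              f"leave latency {t.leave_latency():.0f}s")
    # Constructed addresses; a plain string comparison would wrongly pick .10.
    print(elect_querier(["192.168.0.10", "192.168.0.9"]))
```

A host that disappears without sending a leave keeps its group forwarded for the full group membership interval, which is the figure to check when sizing Maximum Groups and the IGMP State Limit.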
IGMP Proxy
IGMP Proxy enables you to simulate several locally connected interfaces as a subnet to an
adjacent router. Queries coming in to the IGMP Proxy interface are forwarded to the local
subnets. Local reports are forwarded on the IGMP Proxy interface.
The menu Advanced Settings consists of the following fields:
Fields in the Advanced Settings menu.
Field
Description
IGMP Proxy
Select whether your device is to forward the hosts' IGMP messages in the subnet via its defined Proxy Interface.
Proxy Interface
Only for IGMP Proxy = enabled
Select the interface on your device via which queries are to be
received and collected.
Fallback Proxy Interface 1
Only for IGMP Proxy = enabled
Select the fallback interface 1 on your device via which queries
are to be received and collected. This interface will be used if
the proxy function cannot be carried out on the Proxy Interface.
Fallback Proxy Interface 2
Only for IGMP Proxy = enabled
Select the fallback interface 2 on your device via which queries
are to be received and collected. This interface will be used if
the proxy function cannot be carried out on the Fallback Proxy
Interface 1.
12.2.2 Options
In this menu, you can enable and disable IGMP on your system. You can also define
whether IGMP is to be used in compatibility mode or only IGMP V3 hosts are to be accepted.
The Multicast->IGMP->Options menu consists of the following fields:
Fields in the Basic Settings menu.
Field
Description
IGMP Status
Select the IGMP status.
Possible values:
• ,3 (default value): Multicast is activated automatically for
hosts if the hosts open applications that use multicast.
• /: Multicast is always on.
• -2: Multicast is always off.
Mode
Only for IGMP Status = / or ,3
Select Multicast Mode.
Possible values:
• %7+0 . (default value): The router uses IGMP version 3. If it notices a lower version in the network, it
uses the lowest version it could detect.
• E +0: Only IGMP version 3 is used.
Maximum Groups
Enter the maximum number of groups to be permitted, both internally and in reports.
The default value is .
Maximum Sources
Enter the maximum number of sources that are specified in version 3 reports and the maximum number of internally managed
sources per group.
The default value is .
IGMP State Limit
Enter the maximum permitted total number of incoming queries
and messages per second.
The default value is , i.e. the number of IGMP status messages is not limited.
12.3 Forwarding
12.3.1 Forwarding
In this menu, you specify which multicast groups are always passed between the interfaces
of your device.
12.3.1.1 New
Choose the New button to create forwarding rules for new multicast groups.
The Multicast->Forwarding->Forwarding->New menu consists of the following fields:
Fields in the Basic Parameters menu.
Field
Description
All Multicast Groups
Select whether all multicast groups, i.e. the complete multicast
address range 224.0.0.0/4, are to be forwarded from the defined
Source Interface to the defined Destination Interface. To do
this, check 7+
Disable the option if you only want to forward one defined multicast group to a particular interface.
The option is deactivated by default.
Multicast Group Address
Only for All Multicast Groups = not active.
Enter here the address of the multicast group you want to forward from a defined Source Interface to a defined Destination
Interface.
Source Interface
Select the interface on your device to which the selected multicast group is sent.
Destination Interface
Select the interface on your device to which the selected multicast group is to be forwarded.
Chapter 13 WAN
This menu offers various options for configuring accesses or connections from your LAN to
the WAN. You can also optimise voice transmission here for telephone calls over the Internet.
13.1 Internet + Dialup
In this menu, you can set up Internet access or dialup connections.
In addition, you can create address pools for the dynamic assignment of IP addresses.
To enable your device to set up connections to networks or hosts outside your LAN, you
must configure the partners you want to connect to on your device. This applies to outgoing
connections (your device dials its WAN partner) and incoming connections (a remote partner dials the number of your device).
If you want to set up Internet access, you must set up a connection to your Internet Service
Provider (ISP). For broadband Internet access, your device provides the PPP-over-Ethernet (PPPoE), PPP-over-PPTP and PPP-over-ATM (PPPoA) protocols.
Note
Note your provider's instructions.
Dialin connections over ISDN are used to establish a connection to networks or hosts outside your LANs.
All the entered connections are displayed in a list, which contains the Description, the
User Name, the Authentication and the current Status.
The Status field can have the following values:
Possible values for Status
Field
Description
connected
not connected (dialup connection); connection setup possible
not connected (e.g. because of an error during setup of an outgoing connection, a renewed attempt is only possible after a
specified number of seconds)
administratively set to down (deactivated); connection setup not
possible
13.1.1 PPPoE
A list of all PPPoE interfaces is displayed in the WAN->Internet + Dialup->PPPoE menu.
PPP over Ethernet (PPPoE) is the use of the Point-to-Point Protocol (PPP) network protocol over an Ethernet connection. Today, PPPoE is used for ADSL connections in Germany. In Austria, the Point To Point Tunnelling Protocol (PPTP) was originally used for ADSL access. However, PPPoE is now offered here too by some providers.
13.1.1.1 New
Choose the New button to set up new PPPoE interfaces.
The menu WAN->Internet + Dialup->PPPoE->New consists of the following fields:
Fields in the Basic Parameters menu.
Field
Description
Description
Enter a name to uniquely identify the PPPoE partner. The first
character in this field must not be a number. No special characters or umlauts may be used.
PPPoE Mode
Select whether you want to use a standard Internet connection
over PPPoE ( ) or your Internet access is to be set
up over several interfaces ( .3++B). If you choose .3+
+B, you can connect several DSL connections from a provider over PPP as a static bundle in order to obtain more bandwidth. Each of these DSL connections should use a separate
Ethernet connection for this. At the moment, many providers are
still in the process of preparing the PPPoE Multilink function.
For PPPoE Multilink, we recommend using your device's Ethernet switch in Split-Port mode and to use a separate Ethernet interface e.g. , for each PPPoE connection.
If you also want to use an external modem for PPPoE Multilink,
you must run your device's Ethernet switch in Split-Port mode.
PPPoE Ethernet Interface
Only for PPPoE Mode =
Select the Ethernet interface specified for a standard PPPoE
connection.
If you want to use an external DSL modem, select the Ethernet
port to which the modem is connected.
When using the internal DSL modem, select here the EthoA interface configured in WAN->ATM->Profiles->New.
Select ,3* in order to enable the automatic VDSL/ADSL mode. In this mode, the interface for the Internet connection
is selected automatically. Note that there has to be an interface
entry in the ATM menu. This is not required for a VDSL connection.
PPPoE Interfaces for Multilink
Only for PPPoE Mode = .3++B
Select the interfaces you want to use for your Internet connection. Click the Add button to create new entries.
User Name
Enter the user name.
Password
Enter the password.
VLAN
Certain Internet service providers require a VLAN-ID. Activate
this function to be able to enter a value under VLAN ID.
VLAN ID
Only if VLAN is enabled.
Enter the VLAN-ID that you received from your provider.
Always on
Select whether the interface should always be activated.
The function is enabled with 7+.
The function is disabled by default.
Only activate this option if you have Internet access with a flatrate charge.
Connection Idle Timeout
Only if Always on is disabled.
Enter the idle time in seconds for static short hold. The static
short hold setting determines how many seconds should pass
between sending the last traffic data packet and clearing the
connection.
Possible values are to (seconds). deactivates the
short hold.
The default value is .
Example: for FTP transmission, for LAN-to-LAN transmission, for Internet connections.
Fields in the IPv4 Settings menu.
Field
Description
Security Policy
Select the security settings to be used with the interface.
Possible values:
• )3 : All IP packets are allowed through except for
those which are explicitly prohibited.
• /3 (default value): Only those packets are transmitted that can be attributed to a connection that has been initiated from a trusted zone.
You can configure exceptions for the selected setting in the
Firewall on page 277 menu.
IP Address Mode
Select whether your device is to be assigned a static IP address
or whether it should be assigned this dynamically.
Possible values:
• , (default value): Your device is dynamically assigned an IP address.
• *: You enter a static IP address.
Default Route
Select whether the route to this connection partner is to be
defined as the default route.
The function is enabled with 7+.
The function is enabled by default.
Create NAT Policy
Specify whether Network Address Translation (NAT) is to be activated.
The function is enabled with 7+.
The function is enabled by default.
Local IP Address
Only if IP Address Mode = *
Enter the static IP address of the connection partner.
Route Entries
Only if IP Address Mode = *
Define other routing entries for this connection partner.
Add new entries with Add.
• ? ,: IP address of the destination host or
network.
• 9B: Netmask for Remote IP Address. If no entry is
made, your device uses a default netmask.
• .*: The lower the value, the higher the priority of the
route (range of values ... ). The default value is .
Fields in the IPv6 Settings menu
Field
Description
IPv6
Select whether the selected PPPoE interface should use Internet Protocol version 6 (IPv6) for data transmission.
The function is activated by selecting 7+ .
The function is disabled by default.
Security Policy
Select the security settings to be used with the interface.
Possible values:
• /3 (default value): Only those packets are transmitted that can be attributed to a connection that has been initiated from a trusted zone.
We recommend you use this setting if you want to use IPv6
outside of your LAN.
• )3: All IP packets are allowed through except for those
which are explicitly prohibited.
We recommend you use this setting if you want to use IPv6
on your LAN.
You can configure exceptions for the selected setting in the
Firewall on page 277 menu.
IPv6 Mode
Only for IPv6 = 7+
The selected PPPoE interface is operated in host mode.
Accept Router Advertisement
Only for IPv6 = 7+ and IPv6 Mode = >
Select if Router Advertisements are to be received on the selected interface. Router Advertisements are used, e.g., to create
the prefix list.
The function is activated by selecting 7+ .
The function is enabled by default.
DHCP Client
Only for IPv6 = 7+ and IPv6 Mode = >
Determine if your device is to act as DHCP client.
The function is activated by selecting 7+ .
The function is enabled by default.
IPv6 Addresses
Only for IPv6 = 7+
You can assign IPv6 Addresses to the selected interface.
Add allows you to create one or more address entries.
A new window opens that allows you to specify an IPv6 address consisting of a Link Prefix and a host identifier.
If your device operates in host mode (IPv6 Mode = >, Accept Router Advertisement = 7+ and DHCP Client = 7+), its IPv6 addresses are determined through SLAAC.
You need not configure an IPv6 address manually, but you can
enter additional addresses if desired.
If your device is operating in router mode (IPv6 Mode = ?3
") ?3 ,#, Transmit Router
Advertisement = 7+ and DHCP Server = 7+),
you need to configure its IPv6 addresses here.
Use Add to create more entries.
Fields in the Link Prefix menu.
Field
Description
Setup Mode
Select in which way the Link Prefix is to be determined.
Possible values:
• ' + 16 (default value): The Link Prefix is
derived from a General Prefix.
• *: You can enter the link prefix.
General Prefix
Only for Setup Mode = ' + 16
Select the General Prefix the Link Prefix is to be derived from.
You can choose from the General Prefixes available under Network->IPv6 General Prefixes->General Prefix Configuration >New.
Auto Subnet Configuration
Only if Setup Mode = ' + 16 and if a General Prefix has been selected.
Select if the subnet is to be created automatically. Automatic
subnet creation will use ID for the first subnet, ID for the
second, etc.
Possible values for the subnet ID are: - .
The subnet ID describes the fourth of the four 16 bit fields of a
Link Prefix. Upon subnet creation the decimal ID value is converted to a hexadecimal one.
The function is activated by selecting 7+ .
The function is enabled by default.
If the function is disabled, you can define a subnet by entering a
Subnet ID.
Subnet ID
Only if Auto Subnet Configuration is not active.
Enter a Subnet ID in order to define a subnet. The subnet ID describes the fourth of the four 16 bit fields of a Link Prefix.
Possible values are - .
Upon subnet creation the decimal ID value is converted to a
hexadecimal one.
Link Prefix
Only for Setup Mode = *
You can specify the Link Prefix of an IPv6 address. This prefix
must end with 44. Its predetermined length is .
Fields in the Host Address menu.
Field
Description
Generation Mode
Determine if the Host Identifier of the IPv6 address is to be
automatically derived from the MAC address through EUI-64.
The function is activated by selecting 7+ .
The function is enabled by default.
EUI-64 triggers the following process:
• The hexadecimal 48 bit MAC address is split into 2 x 24 bit.
• ''' is inserted into the created gap in order to obtain 64 bit.
• The hexadecimal notation of the 64 bit is converted to a binary notation.
• Bit no. 7 of the first 8 bit field is set to .
Static Addresses
Independently of the automatic creation described under Generation Mode, you can manually specify the Host Identifier of
one or more IPv6 addresses with Add. Its predefined length is
. Start any entry with 44 .
The menu Advanced Settings consists of the following fields:
Fields in the Advanced Settings menu.
Field
Description
Block after connection failure for
Enter the wait time in seconds before the device should try again after an attempt to set up a connection has failed. The default value is .
Maximum Number of
Dialup Retries
Enter the number of unsuccessful attempts to set up a connection before the interface is blocked.
Possible values are to .
The default value is .
Authentication
Select the authentication protocol for this connection partner.
Select the authentication specified by your provider.
Possible values:
• , (default value): Only run PAP (PPP Password Authentication Protocol); the password is transferred unencrypted.
• %>,: Only run CHAP (PPP Challenge Handshake Authentication Protocol as per RFC 1994); password is transferred encrypted.
• ,5%>,: Primarily run CHAP, otherwise PAP.
• .%>,: Only run MS-CHAP version 1 (PPP Microsoft
Challenge Handshake Authentication Protocol).
• ,5%>,5.%>,: Primarily run CHAP, on denial then the
authentication protocol required by the connection partner.
(MSCHAP version 1 or 2 possible.)
• .%>,: Run MS-CHAP version 2 only.
• 9: Some providers use no authentication. In this case, select this option.
DNS Negotiation
Select whether your device receives IP addresses for Primary
DNS Server and Secondary DNS Server from the connection
partner or sends these to the connection partner.
The function is enabled with 7+.
The function is enabled by default.
Prioritize TCP ACK
Packets
Select whether the TCP download is to be optimised in the
event of intensive TCP upload. This function can be specially
applied for asymmetrical bandwidths (ADSL).
The function is enabled with 7+.
The function is disabled by default.
LCP Alive Check
Select whether the availability of the remote terminal is to be
checked by sending LCP echo requests or replies. This makes
it possible to switch to a backup connection more quickly in the
event of line faults.
The function is enabled with 7+.
The function is enabled by default.
Fields in the IPv4 Advanced Settings menu
Field
Description
MTU
Enter the maximum packet size (Maximum Transfer Unit, MTU)
in bytes that is allowed for the connection.
With default value ,3*, the value is specified by link
control at connection setup.
If you disable ,3*, you can enter a value.
Possible values are to .
The default value is .
13.1.2 PPTP
A list of all PPTP interfaces is displayed in the WAN->Internet + Dialup->PPTP menu.
In this menu, you configure an Internet connection that uses the Point-to-Point Tunnelling Protocol
(PPTP) to set up a connection. This is required in Austria, for example.
13.1.2.1 New
Choose the New button to set up new PPTP interfaces.
The menu WAN->Internet + Dialup->PPTP->New consists of the following fields:
Fields in the Basic Parameters menu.
Field
Description
Description
Enter a name for uniquely identifying the internet connection.
The first character in this field must not be a number. No special
characters or umlauts may be used.
PPTP Ethernet Interface
Select the IP interface over which packets are to be transported
to the remote PPTP terminal.
If you want to use an external DSL modem, select the Ethernet
port to which the modem is connected.
When using the internal DSL modem, select here the EthoA interface configured in Physical
Interfaces->ATM->Profiles->New, e.g. !
.
User Name
Enter the user name.
Password
Enter the password.
Always on
Select whether the interface should always be activated.
The function is enabled with 7+.
The function is disabled by default.
Only activate this option if you have Internet access with a flatrate charge.
Connection Idle
Timeout
Only if Always on is disabled.
Enter the idle interval in seconds. This determines how many
seconds should pass between sending the last traffic data packet and clearing the connection.
Possible values are to (seconds). deactivates the
timeout.
The default value is .
Example: for FTP transmission, for LAN-to-LAN transmission, for Internet connections.
Fields in the IPv4 Settings menu.
Field
Description
Security Policy
Select the security settings to be used with the interface.
Possible values:
• )3 : All IP packets are allowed through except for
those which are explicitly prohibited.
• /3 (default value): Only those packets are transmitted that can be attributed to a connection that has been initiated from a trusted zone.
You can configure exceptions for the selected setting in the
Firewall on page 277 menu.
IP Address Mode
Select whether your device is to be assigned a static IP address
or whether it should be assigned this dynamically.
Possible values:
• , (default value): Your device is automatically assigned a temporarily valid IP address from the provider.
• * : You enter a static IP address.
Default Route
Select whether the route to this connection partner is to be
defined as the default route.
The function is enabled with 7+.
The function is enabled by default.
Create NAT Policy
Specify whether Network Address Translation (NAT) is to be activated.
The function is enabled with 7+.
The function is enabled by default.
Local IP Address
Only for IP Address Mode = *
Assign an IP address from your LAN to the PPTP interface, which
is to be used as your device's internal source address.
Route Entries
Only if IP Address Mode = *
Define other routing entries for this PPTP partner.
Add new entries with Add.
• ? ,: IP address of the destination host or
network.
• 9B: Netmask for Remote IP Address. If no entry is
made, your device uses a default netmask.
• .*: The lower the value, the higher the priority of the
route (range of values ... ). The default value is .
The menu Advanced Settings consists of the following fields:
Fields in the Advanced Settings menu.
Field
Description
Block after connection failure for
Enter the wait time in seconds before the device should try again after an attempt to set up a connection has failed. The default value is .
Maximum Number of
Dialup Retries
Enter the number of unsuccessful attempts to set up a connection before the interface is blocked.
Possible values are to .
The default value is .
Authentication
Select the authentication protocol for this Internet connection.
Select the authentication specified by your provider.
Possible values:
• , (default value): Only run PAP (PPP Password Authentication Protocol); the password is transferred unencrypted.
• %>,: Only run CHAP (PPP Challenge Handshake Authentication Protocol as per RFC 1994); password is transferred encrypted.
• ,5%>,: Primarily run CHAP, otherwise PAP.
• .%>,: Only run MS-CHAP version 1 (PPP Microsoft
Challenge Handshake Authentication Protocol).
• ,5%>,5.%>,: Primarily run CHAP, on denial then the
authentication protocol required by the connection partner.
(MSCHAP version 1 or 2 possible.)
• .%>,: Run MS-CHAP version 2 only.
• 9: Some providers use no authentication. In this case, select this option.
DNS Negotiation
Select whether your device receives IP addresses for Primary
DNS Server and Secondary DNS Server from the connection
partner or sends these to the connection partner.
The function is enabled with 7+.
The function is enabled by default.
Prioritize TCP ACK
Packets
Select whether the TCP download is to be optimised in the
event of intensive TCP upload. This function can be specially
applied for asymmetrical bandwidths (ADSL).
The function is enabled with 7+.
The function is disabled by default.
PPTP Address Mode
Displays the address mode. The value cannot be changed.
Possible values:
• *: The Local PPTP IP Address will be assigned to the
selected Ethernet port.
Local PPTP IP Address
Assign the PPTP interface an IP address that is used as the
source address.
The default value is .
Remote PPTP IP Address
Enter the IP address of the PPTP partner.
LCP Alive Check
Select whether the availability of the remote terminal is to be
checked by sending LCP echo requests or replies. This makes
it possible to switch to a backup connection more quickly in the
event of line faults.
The default value is .
The function is enabled with 7+.
The function is enabled by default.
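What the PAP and CHAP choices of the Authentication field (PPPoE, PPTP and PPPoA menus alike) put on the wire, as an added example that is not part of the manual: PAP per RFC 1334 carries the password itself, while CHAP per RFC 1994 carries an MD5 digest over the identifier, the shared secret and the challenge. User name, secret, peer name and challenge are constructed sample values.

```python
"""PAP (RFC 1334) and CHAP (RFC 1994) packets as they appear inside PPP."""
import hashlib
import hmac
import os
import struct

PAP_AUTHENTICATE_REQUEST = 1
CHAP_CHALLENGE = 1
CHAP_RESPONSE = 2


def _packet(code, identifier, body):
    # Common header: code, identifier, total length (header included).
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def _split(packet, expected_code):
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != expected_code or length != len(packet):
        raise ValueError("unexpected or truncated packet")
    return identifier, packet[4:]


def pap_request(identifier, user, password):
    """PAP Authenticate-Request: both fields are length-prefixed plaintext."""
    body = bytes([len(user)]) + user + bytes([len(password)]) + password
    return _packet(PAP_AUTHENTICATE_REQUEST, identifier, body)


def read_pap_request(packet):
    """What any observer of the link can read from a PAP request."""
    _, body = _split(packet, PAP_AUTHENTICATE_REQUEST)
    user_len = body[0]
    user = body[1:1 + user_len]
    pw_len = body[1 + user_len]
    return user, body[2 + user_len:2 + user_len + pw_len]


def chap_challenge(identifier, name, challenge=None):
    """CHAP Challenge from the authenticator; random unless one is supplied."""
    challenge = os.urandom(16) if challenge is None else challenge
    body = bytes([len(challenge)]) + challenge + name
    return _packet(CHAP_CHALLENGE, identifier, body)


def _chap_digest(identifier, secret, challenge):
    # RFC 1994: MD5 over the identifier octet, then the secret, then the challenge.
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_response(challenge_packet, name, secret):
    """Peer side: answer a challenge without sending the secret itself."""
    identifier, body = _split(challenge_packet, CHAP_CHALLENGE)
    challenge = body[1:1 + body[0]]
    digest = _chap_digest(identifier, secret, challenge)
    return _packet(CHAP_RESPONSE, identifier, bytes([len(digest)]) + digest + name)


def chap_verify(challenge_packet, response_packet, secret):
    """Authenticator side: recompute the digest from its own copy of the secret."""
    identifier, body = _split(challenge_packet, CHAP_CHALLENGE)
    challenge = body[1:1 + body[0]]
    resp_id, resp_body = _split(response_packet, CHAP_RESPONSE)
    value = resp_body[1:1 + resp_body[0]]
    expected = _chap_digest(identifier, secret, challenge)
    return resp_id == identifier and hmac.compare_digest(expected, value)


if __name__ == "__main__":
    user, secret = b"user@provider.example", b"constructed-sample-secret"
    print("PAP on the wire:", read_pap_request(pap_request(1, user, secret)))
    ch = chap_challenge(2, b"bras")
    rsp = chap_response(ch, user, secret)
    print("CHAP response contains secret:", secret in rsp)
    print("CHAP verifies:", chap_verify(ch, rsp, secret))
```

CHAP still requires both ends to hold the secret in recoverable form, and a short password remains guessable from a recorded exchange, so use a long random password whichever protocol the provider specifies.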
13.1.3 PPPoA
A list of all PPPoA interfaces is displayed in the WAN->Internet + Dialup->PPPoA menu.
In this menu, you configure an xDSL connection used to set up PPPoA connections. With
PPPoA, the connection is configured so that the PPP data flow is transported directly over
an ATM network (RFC 2364). This is required by some providers. Note your provider's specifications.
When using the internal DSL modem, a PPPoA interface must be configured with Client
Type = : - for this connection in WAN->ATM->Profiles->New.
13.1.3.1 New
Choose the New button to set up new PPPoA interfaces.
The menu WAN->Internet + Dialup->PPPoA->New consists of the following fields:
Fields in the Basic Parameters menu.
Field
Description
Description
Enter a name for uniquely identifying the connection partner.
The first character in this field must not be a number. No special
characters or umlauts may be used.
ATM PVC
Select an ATM profile created in the ATM->Profiles menu, indicated by the global identifiers VPI and VCI specified by the
provider.
User Name
Enter the user name.
Password
Enter the password for the PPPoA connection.
Always on
Select whether the interface should always be activated.
The function is enabled with 7+.
The function is disabled by default.
Only activate this option if you have Internet access with a flatrate charge.
Connection Idle Timeout
Only if Always on is disabled.
Enter the idle time in seconds for static short hold. The static
short hold setting determines how many seconds should pass
between sending the last traffic data packet and clearing the
connection.
Possible values are to (seconds). deactivates the
short hold.
The default value is .
Example: for FTP transmission, for LAN-to-LAN transmission, for Internet connections.
Fields in the IPv4 Settings menu.
Field
Description
Security Policy
Select the security settings to be used with the interface.
Possible values:
• )3 : All IP packets are allowed through except for
those which are explicitly prohibited.
• /3 (default value): Only those packets are transmitted that can be attributed to a connection that has been initiated from a trusted zone.
You can configure exceptions for the selected setting in the
Firewall on page 277 menu.
IP Address Mode
Choose whether your device has a static IP address or is assigned one dynamically.
Possible values:
• , (default value): Your device is dynamically assigned an IP address.
• *: You enter a static IP address.
Default Route
Select whether the route to this connection partner is to be
defined as the default route.
The function is enabled with 7+.
The function is enabled by default.
Create NAT Policy
Specify whether Network Address Translation (NAT) is to be activated.
The function is enabled with 7+.
The function is enabled by default.
Local IP Address
Only for IP Address Mode = *
Enter the static IP address you received from your provider.
Route Entries
Only if IP Address Mode = *
Define other routing entries for this connection partner.
Add new entries with Add.
• ? ,: IP address of the destination host or
network.
• 9B: Netmask for Remote IP Address. If no entry is
made, your device uses a default netmask.
• .*: The lower the value, the higher the priority of the
route (range of values ... ). The default value is .
Fields in the IPv6 Settings menu
Field
Description
IPv6
Select whether the selected ATM profile should use Internet
Protocol version 6 (IPv6) for data transmission.
The function is activated by selecting 7+ .
The function is disabled by default.
Security Policy
Select the security settings to be used with the ATM profile.
Possible values:
• /3 (default value): Only those packets are transmitted that can be attributed to a connection that has been initiated from a trusted zone.
We recommend you use this setting if you want to use IPv6
outside of your LAN.
• )3: All IP packets are allowed through except for those
which are explicitly prohibited.
We recommend you use this setting if you want to use IPv6
on your LAN.
You can configure exceptions for the selected setting in the
Firewall on page 277 menu.
IPv6 Mode
Only for IPv6 = 7+
The selected PPPoE interface is operated in host mode.
Accept Router Advertisement
Only for IPv6 = 7+ and IPv6 Mode = >
Determine if Router Advertisements are to be received over this
ATM profile. Router Advertisements are used to create the default router list as well as the prefix list.
The function is activated by selecting 7+ .
The function is enabled by default.
DHCP Client
Only for IPv6 = 7+ and IPv6 Mode = >
Determine if your device is to act as DHCP client.
The function is activated by selecting 7+ .
The function is enabled by default.
IPv6 Addresses
Only for IPv6 = 7+
You can assign IPv6 Addresses to the selected interface.
Add allows you to create one or more address entries.
A new window opens that allows you to specify an IPv6 address consisting of a Link Prefix and a host identifier.
If your device operates in host mode (IPv6 Mode = >, Accept Router Advertisement = 7+ and DHCP Client = 7+), its IPv6 addresses are determined through SLAAC.
You need not configure an IPv6 address manually, but you can
enter additional addresses if desired.
If your device is operating in router mode (IPv6 Mode = ?3
") ?3 ,#, Transmit Router
Advertisement = 7+ and DHCP Server = 7+),
you need to configure its IPv6 addresses here.
Use Add to create more entries.
Fields in the Link Prefix menu.
Field
Description
Setup Mode
Select in which way the Link Prefix is to be determined.
Possible values:
• ' + 16 (default value): The Link Prefix is
derived from a General Prefix.
• *: You can enter the link prefix.
General Prefix
Only for Setup Mode = ' + 16
Select the General Prefix the Link Prefix is to be derived from.
You can choose from the General Prefixes available under Network->IPv6 General Prefixes->General Prefix Configuration >New.
Auto Subnet Configuration
Only if Setup Mode = ' + 16 and if a General Prefix has been selected.
Select if the subnet is to be created automatically. Automatic
subnet creation will use ID for the first subnet, ID for the
second, etc.
Possible values for the subnet ID are: - .
The subnet ID describes the fourth of the four 16 bit fields of a
Link Prefix. Upon subnet creation the decimal ID value is converted to a hexadecimal one.
The function is activated by selecting 7+ .
The function is enabled by default.
If the function is disabled, you can define a subnet by entering a
Subnet ID.
Subnet ID
Only if Auto Subnet Configuration is not active.
Enter a Subnet ID in order to define a subnet. The subnet ID describes the fourth of the four 16 bit fields of a Link Prefix.
Possible values are - .
Upon subnet creation the decimal ID value is converted to a
hexadecimal one.
Link Prefix
Only for Setup Mode = *
You can specify the Link Prefix of an IPv6 address. This prefix
must end with 44. Its predetermined length is .
Fields in the Host Address menu.
Field
Description
Generation Mode
Determine if the Host Identifier of the IPv6 address is to be
automatically derived from the MAC address through EUI-64.
The function is activated by selecting 7+ .
The function is enabled by default.
EUI-64 triggers the following process:
• The hexadecimal 48 bit MAC address is split into 2 x 24 bit.
• ''' is inserted into the created gap in order to obtain 64 bit.
• The hexadecimal notation of the 64 bit is converted to a binary notation.
• Bit no. 7 of the first 8 bit field is set to .
Static Addresses
Independently of the automatic creation described under Generation Mode, you can manually specify the Host Identifier of
one or more IPv6 addresses with Add. Its predefined length is
. Start any entry with 44 .
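The Link Prefix and EUI-64 steps described above, worked through as an added example (not code from the manual or from the device firmware). It assumes the modified EUI-64 rule of RFC 4291, which inverts the universal/local bit, and uses constructed sample values (documentation prefix 2001:db8::/32 and a documentation MAC address); all function names are hypothetical. The last function shows why this setting matters for privacy: an address built this way carries the hardware address and can be recognised as such in an inventory.

```python
import ipaddress
from typing import Optional


def link_prefix(general_prefix: str, subnet_id: int) -> ipaddress.IPv6Network:
    """Derive a /64 Link Prefix from a General Prefix and a decimal subnet ID.

    The subnet ID fills the fourth 16-bit field, so decimal 10 appears as
    hexadecimal "a" in the resulting prefix.
    """
    gp = ipaddress.IPv6Network(general_prefix, strict=True)
    if gp.prefixlen > 64:
        raise ValueError("general prefix must be /64 or shorter")
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet ID must fit into one 16-bit field")
    # Bits of the fourth field that already belong to the General Prefix
    # must not be overwritten by the subnet ID.
    if subnet_id >> (64 - gp.prefixlen):
        raise ValueError("subnet ID collides with the general prefix")
    value = int(gp.network_address) | (subnet_id << 64)
    return ipaddress.IPv6Network((value, 64))


def eui64_interface_id(mac: str) -> int:
    """Build the 64-bit Host Identifier from a 48-bit MAC address."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Split into 2 x 24 bit and insert FFFE into the gap.
    eui = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])
    # Bit no. 7 of the first 8-bit field (universal/local bit) is inverted,
    # which sets it to 1 for a factory-assigned MAC address (assumption:
    # RFC 4291 behaviour).
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def host_address(prefix: ipaddress.IPv6Network, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 Link Prefix with the EUI-64 Host Identifier."""
    if prefix.prefixlen != 64:
        raise ValueError("EUI-64 needs a /64 link prefix")
    return ipaddress.IPv6Address(int(prefix.network_address) | eui64_interface_id(mac))


def embedded_mac(address: str) -> Optional[str]:
    """Return the MAC address embedded in an EUI-64 based address, else None."""
    iid = (int(ipaddress.IPv6Address(address)) & ((1 << 64) - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None  # not generated through EUI-64 (e.g. a static host part)
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02  # undo the universal/local bit inversion
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real device.
    prefix = link_prefix("2001:db8:1234::/48", 10)
    addr = host_address(prefix, "00:00:5e:00:53:2a")
    print(prefix, addr, embedded_mac(str(addr)))
```

Entries created under Static Addresses do not carry the FFFE marker and therefore do not expose the MAC address in this way.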
The menu Advanced Settings consists of the following fields:
Fields in the Advanced Settings menu.
Field
Description
Block after connection failure for
Enter the wait time in seconds before the device should try
again after an attempt to set up a connection has failed. The default value is .
Maximum Number of
Dialup Retries
Enter the number of unsuccessful attempts to set up a connection before the interface is blocked.
Possible values are to .
The default value is .
Authentication
Select the authentication protocol for this Internet connection.
Select the authentication specified by your provider.
Possible values:
• PAP (default value): Only run PAP (PPP Password Authentication Protocol); the password is transferred unencrypted.
• CHAP: Only run CHAP (PPP Challenge Handshake Authentication Protocol as per RFC 1994); password is transferred encrypted.
• PAP/CHAP: Primarily run CHAP, otherwise PAP.
• MS-CHAPv1: Only run MS-CHAP version 1 (PPP Microsoft
Challenge Handshake Authentication Protocol).
• PAP/CHAP/MS-CHAP: Primarily run CHAP, on denial then the
authentication protocol required by the connection partner.
(MSCHAP version 1 or 2 possible.)
• MS-CHAPv2: Run MS-CHAP version 2 only.
• None: Some providers use no authentication. In this case, select this option.
DNS Negotiation
Select whether your device receives IP addresses for Primary
DNS Server and Secondary DNS Server from the connection
partner or sends these to the connection partner.
The function is enabled with Enabled.
The function is enabled by default.
Prioritize TCP ACK Packets
Select whether the TCP download is to be optimised in the
event of intensive TCP upload. This function can be specially
applied for asymmetrical bandwidths (ADSL).
The function is enabled with Enabled.
The function is disabled by default.
LCP Alive Check
Select whether the availability of the remote terminal is to be
checked by sending LCP echo requests or replies. This is recommended for leased lines, PPTP and L2TP connections.
The function is enabled with Enabled.
The function is enabled by default.
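What the PAP and CHAP choices in the Authentication field put on the wire, as an added example (not code from the manual or from the device). Packet layouts follow RFC 1334 (PAP) and RFC 1994 (CHAP); the user name, secret and challenge bytes are constructed sample values and the function names are hypothetical. With CHAP the secret itself is not sent: the peer returns an MD5 digest over identifier, secret and challenge, which the authenticator recomputes.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

PAP_AUTHENTICATE_REQUEST = 1  # RFC 1334 packet code
CHAP_CHALLENGE = 1            # RFC 1994 packet codes
CHAP_RESPONSE = 2


def _packet(code: int, identifier: int, body: bytes) -> bytes:
    """Code (1 byte), Identifier (1 byte), Length (2 bytes), then the body."""
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def _split(packet: bytes) -> Tuple[int, int, bytes, bytes]:
    """Return (code, identifier, value, name) of a CHAP challenge or response."""
    if len(packet) < 5:
        raise ValueError("packet too short")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    size = packet[4]
    value = packet[5:5 + size]
    if len(value) != size:
        raise ValueError("truncated value field")
    return code, identifier, value, packet[5 + size:]


def pap_request(identifier: int, peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request: the password is an ordinary cleartext field."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return _packet(PAP_AUTHENTICATE_REQUEST, identifier, body)


def chap_challenge(identifier: int, name: bytes,
                   challenge: Optional[bytes] = None) -> bytes:
    """CHAP Challenge sent by the authenticator; random unless one is given."""
    challenge = os.urandom(16) if challenge is None else challenge
    return _packet(CHAP_CHALLENGE, identifier, bytes([len(challenge)]) + challenge + name)


def chap_digest(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Response value as per RFC 1994: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_response(challenge_pkt: bytes, name: bytes, secret: bytes) -> bytes:
    """CHAP Response built by the peer for a received Challenge."""
    code, identifier, challenge, _ = _split(challenge_pkt)
    if code != CHAP_CHALLENGE:
        raise ValueError("not a CHAP challenge")
    value = chap_digest(identifier, secret, challenge)
    return _packet(CHAP_RESPONSE, identifier, bytes([len(value)]) + value + name)


def chap_verify(challenge_pkt: bytes, response_pkt: bytes, secret: bytes) -> bool:
    """Authenticator side: recompute the digest and compare in constant time."""
    c_code, c_id, challenge, _ = _split(challenge_pkt)
    r_code, r_id, value, _ = _split(response_pkt)
    if c_code != CHAP_CHALLENGE or r_code != CHAP_RESPONSE or c_id != r_id:
        return False
    return hmac.compare_digest(value, chap_digest(c_id, secret, challenge))


if __name__ == "__main__":
    secret = b"constructed-secret"          # constructed sample value
    user = b"user@provider.example"         # constructed sample value
    pap = pap_request(1, user, secret)
    challenge = chap_challenge(1, b"access-server")
    response = chap_response(challenge, user, secret)
    print("secret visible in PAP request: ", secret in pap)
    print("secret visible in CHAP response:", secret in response)
    print("CHAP response accepted:         ", chap_verify(challenge, response, secret))
```

Where the provider offers a choice, this is the reason to prefer a CHAP-only setting over PAP or a combined setting that can fall back to PAP.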
13.1.4 IP Pools
The IP Pools menu displays a list of all IP pools.
Your device can operate as a dynamic IP address server for PPP connections. You can
use this function by providing one or more pools of IP addresses. These IP addresses can
be assigned to dialling-in connection partners for the duration of the connection.
Any host routes entered always have priority over IP addresses from the address pools.
This means that, if an incoming call has been authenticated, your device first checks
whether a host route is entered in the routing table for this caller. If not, your device can allocate an IP address from an address pool (if available). If address pools have more than
one IP address, you cannot specify which connection partner receives which address. The
addresses are initially assigned in order. If a new dial-in takes place within an interval of
one hour, an attempt is made to allocate the same IP address that was assigned to this
partner the previous time.
13.1.4.1 Edit or New
Choose the New button to set up new IP address pools. Choose the icon to edit existing entries.
Fields in the menu Basic Parameters
Field
Description
IP Pool Name
Enter any description to uniquely identify the IP pool.
IP Address Range
Enter the first (first field) and last (second field) IP address of
the IP address pool.
DNS Server
Primary: Enter the IP address of the DNS server that is to be
used, preferably, by clients who draw an address from this pool.
Secondary: Optionally, enter the IP address of an alternative
DNS server.
13.2 ATM
ATM (Asynchronous Transfer Mode) is a data transmission procedure that was originally
designed for broadband ISDN.
ATM is currently used in high-speed networks. You will need ATM, for example, if you want
high-speed access to the Internet via the integrated ADSL or SHDSL modem.
In an ATM network, different applications such as speech, video and data, can be transmitted side-by-side in the asynchronous time multiplex procedure. Each transmitter is provided
with time sections for transmitting data. With asynchronous transmission, unused time sections of a transmitter are used by another transmitter.
With ATM, the packet switching procedure is connection-based. A virtual connection is used
for data transmission that is negotiated between the transmitter and recipient or is configured
on both sides. This determines the route that the data should take, for example. Multiple
virtual connections can be set up over a single physical interface.
The data is transmitted in so-called cells or slots of constant size. Each cell consists of 48
bytes of usage data and 5 bytes of control information. The control information contains,
amongst other things, the ATM address which is similar to the Internet address. The ATM
address is made up of the Virtual Path Identifier (VPI) and the Virtual Channel Identifier
(VCI); this identifies the virtual connection.
Various types of traffic flows are transported over ATM. To take account of the various demands of these traffic flows on the networks, e.g. in terms of cell loss and delay time, suitable values can be defined using the service categories. Uncompressed video data, for example, requires different parameters to time-uncritical data.
In ATM networks Quality of Service (QoS) is available, i.e. the size of various network parameters, such as bit rate, delay and jitter can be guaranteed.
OAM (Operation, Administration and Maintenance) is used to monitor the data transmission
in ATM. OAM includes configuration management, error management and performance
measurement.
13.2.1 Profiles
A list of all ATM profiles is displayed in the WAN->ATM->Profiles menu.
If the connection for your Internet access is set up using the internal modem, the ATM connection parameters must be set for this. An ATM profile combines a set of parameters for a
specific provider.
Note
The ATM encapsulations are described in RFCs 1483 and 2684. You will find the
RFCs on the relevant pages of the IETF (www.ietf.org/rfc.html ).
13.2.1.1 New
Choose the New button to set up new ATM profiles.
The menu WAN->ATM->Profiles->New consists of the following fields:
Fields in the ATM Profiles Parameter menu.
Field
Description
Provider
Select one of the preconfigured ATM profiles for your provider
from the list or manually define the profile using User-defined.
Description
Only for Provider = User-defined
Enter the desired description for the connection.
ATM Interface
Only if several ATM interfaces are available, e.g. if several interfaces are separately configured in devices with SHDSL.
Select the ATM interface that you wish to use for the connection.
Type
Only for Provider = User-defined
Select the protocol for the ATM connection.
Possible values:
• Ethernet over ATM (default value): Ethernet over ATM
(EthoA) is used for the ATM connection (Permanent Virtual
Circuit, PVC).
• Routed Protocols over ATM: Routed Protocols over
ATM (RPoA) is used for the ATM connection (Permanent Virtual Circuit, PVC).
• PPP over ATM: PPP over ATM (PPPoA) is used for the ATM
connection (Permanent Virtual Circuit, PVC).
Virtual Path Identifier
(VPI)
Only for Provider = User-defined
Enter the VPI value of the ATM connection. The VPI is the identification number of the virtual path to be used. Note your provider's instructions.
Possible values are to .
The default value is .
Virtual Channel Identifier (VCI)
Only for Provider = User-defined
Enter the VCI value of the ATM connection. The VCI is the identification number of the virtual channel. A virtual channel is the
logical connection for the transport of ATM cells between two or
more points. Note your provider's instructions.
Possible values are to .
The default value is 32.
Encapsulation
Only for Provider = User-defined
Select the encapsulation to be used. Note your provider's instructions.
Possible values (in accordance with RFC 2684):
• LLC Bridged no FCS (default value for Ethernet over
ATM): Is only displayed for Type = Ethernet over ATM.
Bridged Ethernet with LLC/SNAP encapsulation without
Frame Check Sequence (checksums).
• LLC Bridged FCS: Is only displayed for Type = Ethernet over ATM.
Bridged Ethernet with LLC/SNAP encapsulation with Frame
Check Sequence (checksums).
• Non ISO (default value for Routed Protocols over ATM): Is
only displayed for Type = Routed Protocols over ATM.
Encapsulation with LLC/SNAP header, suitable for IP routing.
• LLC: Is only displayed for Type = PPP over ATM.
Encapsulation with LLC header.
• VC Multiplexing (default value for PPP over ATM):
Bridged Ethernet without additional encapsulation (Null Encapsulation) with Frame Check Sequence (checksums).
Fields in menu Ethernet over ATM Settings (appears only for Type = Ethernet over
ATM)
Field
Description
Default Ethernet for
PPPoE Interfaces
Only for Type = Ethernet over ATM
Select whether this Ethernet-over-ATM interface is to be used
for all PPPoE connections.
The function is enabled with Enabled.
The function is disabled by default.
Address Mode
Only for Type = Ethernet over ATM
Select how an IP address is to be assigned to the interface.
Possible values:
• Static (default value): The interface is assigned a static IP
address in IP Address / Netmask.
• DHCP: An IP address is assigned to the interface dynamically
via DHCP.
IP Address/Netmask
Only for Address Mode = Static
Enter the IP addresses (IP Address) and the corresponding
netmasks (Netmask) of the ATM interfaces. Add new entries
with Add.
MAC Address
Enter a MAC address for the internal router interface of ATM
connection, e.g. 4
414
4714
. An entry is only required in special cases.
For Internet connections, it is sufficient to select the option Use
built-in (default setting). An address is used which is derived
from the MAC address of the .
DHCP MAC Address
Only for Address Mode = DHCP
Enter the MAC address of the internal router interface of ATM
connection, e.g. 4414
4714
.
If your provider has assigned you a MAC address for DHCP,
enter this here.
You can also select the Use built-in option (default setting). An
address is used which is derived from the MAC address of the
.
DHCP Hostname
Only for Address Mode = DHCP
If necessary, enter the host name registered with the provider to
be used by your device for DHCP requests.
The maximum length of the entry is 45 characters.
Fields in menu Routed Protocols over ATM Settings (appears only for Type =
Routed Protocols over ATM)
Field
Description
IP Address/Netmask
Enter the IP addresses (IP Address) and the corresponding
netmasks (Netmask) of the ATM interface. Add new entries
with Add.
Prioritize TCP ACK
Packets
Select whether the TCP download is to be optimised in the
event of intensive TCP upload. This function can be specially
applied for asymmetrical bandwidths (ADSL).
The function is enabled with Enabled.
The function is disabled by default.
Field in menu PPP over ATM Settings (appears only for Type = PPP over ATM)
Field
Description
Client Type
Select whether the PPPoA connection is to be set up permanently or on demand.
Possible values:
• On Demand (default value): The PPPoA is only set up on
demand, e.g. for Internet access.
You'll find additional information on PPP over ATM under
PPPoA on page 214.
13.2.2 Service Categories
The WAN->ATM->Service Categories menu displays a list of already configured
ATM connections (PVC, Permanent Virtual Circuit) to which specific data traffic parameters
were assigned.
Your device supports QoS (Quality of Service) for ATM interfaces.
Caution
ATM QoS should only be used if your provider specifies a list of data traffic parameters
(traffic contract).
The configuration of ATM QoS requires extensive knowledge of ATM technology and
the way the bintec elmeg devices function. An incorrect configuration can
cause considerable disruption during operation. If applicable, save the original configuration on your PC.
13.2.2.1 New
Choose the New button to create additional categories.
The menu WAN->ATM->Service Categories->New consists of the following fields:
Fields in the Basic Parameters menu.
Field
Description
Virtual Channel Connection (VCC)
Select the already configured ATM connection (displayed by the
combination of VPI and VCI) for which the service category is to
be defined.
ATM Service Category
Select how the data traffic of the ATM connection is to be controlled.
A priority is implicitly assigned when you select the ATM service
category: from CBR (highest priority) through VBR.1/VBR.3 to
VBR (lowest priority).
Possible settings:
• Unspecified Bit Rate (UBR) (default value): No specific data rate is guaranteed for the connection. The Peak Cell
Rate (PCR) specifies the limit above which data is discarded.
This category is suitable for non-critical applications.
• Constant Bit Rate (CBR): The connection is assigned a guaranteed data rate determined by the
Peak Cell Rate (PCR). This category is suitable for critical
(real-time) applications that require a guaranteed data rate.
• Variable Bit Rate V.1 (VBR.1): A guaranteed data
rate is assigned to the connection - Sustained Cell Rate
(SCR). This may be exceeded by the volume configured in
Maximum Burst Size (MBS). Any additional ATM traffic is
discarded. The Peak Cell Rate (PCR) constitutes the maximum possible data rate. This category is suitable for non-critical
applications with burst data traffic.
• Variable Bit Rate V.3 (VBR.3): A guaranteed data
rate is assigned to the connection - Sustained Cell Rate
(SCR). This may be exceeded by the volume configured in
Maximum Burst Size (MBS). Additional ATM traffic is
marked and handled with low priority based on the utilisation
of the destination network, i.e. is discarded if necessary. The
Peak Cell Rate (PCR) constitutes the maximum possible data
rate. This category is suitable for critical applications with
burst data traffic.
Peak Cell Rate (PCR)
Enter a value for the maximum data rate in bits per second.
Possible values: to .
The default value is .
Sustained Cell Rate
(SCR)
Only for ATM Service Category = Variable Bit Rate V.1 (VBR.1)
or Variable Bit Rate V.3 (VBR.3)
Enter a value for the minimum available, guaranteed data rate
in bits per second.
Possible values: to .
The default value is .
Maximum Burst Size
(MBS)
Only for ATM Service Category = Variable Bit Rate V.1 (VBR.1)
or Variable Bit Rate V.3 (VBR.3)
Enter a value for the maximum number of bits per second by
which the PCR can be exceeded briefly.
Possible values: to .
The default value is .
13.2.3 OAM Controlling
OAM is a service for monitoring ATM connections. A total of five hierarchies (flow level F1
to F5) are defined for OAM information flow. The most important information flows for an
ATM connection are F4 and F5. The F4 information flow concerns the virtual path (VP) and
the F5 information flow the virtual channel (VC). The VP is defined by the VPI value, the
VC by VPI and VCI.
Note
Generally, monitoring is not carried out by the terminal but is initiated by the ISP. Your
device then only needs to react correctly to the signals received. This is ensured
without a specific OAM configuration for both flow level 4 and flow level 5.
Two mechanisms are available for monitoring the ATM connection: Loopback Tests and
OAM Continuity Check (OAM CC). These can be configured independently of each other.
Caution
The configuration of OAM requires extensive knowledge of ATM technology and the
way the bintec elmeg devices function. An incorrect configuration can
cause considerable disruption during operation. If applicable, save the original configuration on your PC.
In the WAN->ATM->OAM Controlling menu, a list of all monitored OAM flow levels is displayed.
13.2.3.1 New
Choose the New button to set up monitoring for other flow levels.
The menu WAN->ATM->OAM Controlling->New consists of the following fields:
Fields in the OAM Flow Configuration menu.
Field
Description
OAM Flow Level
Select the OAM flow level to be monitored.
Possible values:
• F5: (virtual channel level) The OAM settings are used for the
virtual channel (default value).
• F4: (virtual path level) The OAM settings are used on the virtual path.
Virtual Channel Connection (VCC)
Only for OAM Flow Level = F5
Select the already configured ATM connection to be monitored
(displayed by the combination of VPI and VCI).
Virtual Path Connection (VPC)
Only for OAM Flow Level = F4
Select the already configured virtual path connection to be monitored (displayed by the VPI).
Fields in the Loopback menu.
Field
Description
Loopback End-to-End
Select whether you activate the loopback test for the connection
between the endpoints of the VCC or VPC.
The function is enabled with Enabled.
The function is disabled by default.
End-to-End Send Interval
Only if Loopback End-to-End is enabled.
Enter the time in seconds after which a loopback cell is to be
sent.
Possible values are to .
The default value is 5.
End-to-End Pending
Requests
Only if Loopback End-to-End is enabled.
Enter the number of directly consecutive loopback cells that
may fail to materialise before the connection is regarded as interrupted ("down"). Possible values are to .
The default value is .
Loopback Segment
Select whether you want to activate the loopback test for the
segment connection (segment = connection of the local endpoint to the next connection point) of the VCC or VPC.
The function is enabled with Enabled.
The function is disabled by default.
Segment Send Interval
Only if Loopback Segment is enabled.
Enter the time in seconds after which a loopback cell is sent.
Possible values are to .
The default value is .
Segment Pending Requests
Only if Loopback Segment is enabled.
Enter the number of directly consecutive loopback cells that
may fail to materialise before the connection is regarded as interrupted ("down").
Possible values are to .
The default value is .
Fields in the CC Activation menu.
Field
Description
Continuity Check (CC)
End-to-End
Select whether you activate the OAM-CC test for the connection
between the endpoints of the VCC or VPC.
Possible values:
• (default value): OAM CC requests are responded
to after CC negotiation (CC activation negotiation).
• Active: OAM CC requests are sent after CC negotiation (CC
activation negotiation).
• Both: OAM CC requests are sent and answered after CC negotiation (CC activation negotiation).
• No negotiation: Depending on the setting in the Direction
field, OAM CC requests are either sent and/or responded to.
There is no CC negotiation.
• : The function is disabled.
Also select whether the test cells of the OAM CC are to be sent
or received.
Possible values:
• Both (default value): CC data is both received and generated.
• Sink: CC data is received.
• Source: CC data is generated.
Continuity Check (CC)
Segment
Select whether you want to activate the OAM-CC test for the
segment connection (segment = connection of the local endpoint to the next connection point) of the VCC or VPC.
Possible values:
• (default value): OAM CC requests are responded
to after CC negotiation (CC activation negotiation).
• Active: OAM CC requests are sent after CC negotiation (CC
activation negotiation).
• Both: OAM CC requests are sent and answered after CC negotiation (CC activation negotiation).
• No negotiation: Depending on the setting in the Direction
field, OAM CC requests are either sent and/or responded to.
There is no CC negotiation.
• None: The function is disabled.
Also select whether the test cells of the OAM CC are to be sent
or received.
Possible settings:
• Both (default value): CC data is both received and generated.
• Sink: CC data is received.
• Source: CC data is generated.
13.3 Real Time Jitter Control
When telephoning over the Internet, voice data packets normally have the highest priority.
Nevertheless, if the upstream bandwidth is low, noticeable delays in voice transmission can
occur when other packets are routed at the same time.
The real time jitter control function solves this problem. So that the "line" is not blocked for
too long for the voice data packets, the size of the other packets can be reduced, if required, during a telephone call.
13.3.1 Controlled Interfaces
In the WAN->Real Time Jitter Control->Controlled Interfaces menu, a list of functions is displayed for which the Real Time Jitter Control function is configured.
13.3.1.1 New
Click the New button to optimise voice transmission for other interfaces.
The menu WAN->Real Time Jitter Control->Controlled Interfaces->New consists of the
following fields:
Fields in the Basic Settings menu.
Field
Description
Interface
Define for which interfaces voice transmission is to be optimised.
Control Mode
Select the mode for the optimisation.
Possible values:
• Controlled RTP Streams only (default value): By
means of the data routed via the media gateway, the system
detects voice data traffic and optimises the voice transmission.
• All RTP Streams: All RTP streams are optimised.
• Inactive: Voice data transmission is not optimised.
• Always: Voice data transmission is always optimised.
Maximum Upload Speed
Enter the maximum available upstream bandwidth in kbps for
the selected interface.
Chapter 14 VPN
A connection that uses the Internet as a "transport medium" but is not publicly accessible is
referred to as a VPN (Virtual Private Network). Only authorised users have access to such
a VPN, which is also referred to as a VPN tunnel. Normally the data transported
over a VPN is encrypted.
A VPN allows field staff or staff working from home offices to access data on the company's
network. Subsidiaries can also connect to head office over VPN.
The connection partner is authenticated with a password, using preshared keys or certificates.
With IPSec the data is encrypted using AES or 3DES, for example.
14.1 IPSec
IPSec enables secure connections to be set up between two locations (VPN). This enables
sensitive business data to be transferred via an insecure medium such as the Internet.
The devices used function here as the endpoints of the VPN tunnel. IPSec involves a number of Internet Engineering Task Force (IETF) standards, which specify mechanisms for the
protection and authentication of IP packets. IPSec offers mechanisms for encrypting and
decrypting the data transferred in the IP packets. The IPSec implementation can also be
smoothly integrated in a Public Key Infrastructure (PKI, see Certificates on page 69). IPSec
implementation achieves this firstly by using the Authentication Header (AH) protocol and
Encapsulating Security Payload (ESP) protocol and secondly through the use of cryptographic key administration mechanisms like the Internet Key Exchange (IKE) protocol.
Additional IPv4 Traffic Filter
bintec elmeg gateways support two different methods of setting up IPSec connections:
• a method based on policies and
• a method based on routing.
The policy-based method uses data traffic filters to negotiate the IPSec phase 2 SAs. This
allows for a very "fine-grained" filter to be applied to the IP packet, even at the level of the
protocol and the port.
The routing-based method offers various advantages over the policy-based method, e.g.,
NAT/PAT within a tunnel, IPSec in combination with routing protocols and the creation of
VPN backup scenarios. With the routing-based method, the configured or dynamically
learned routes are used to negotiate the IPSec phase 2 SAs. Although this method does
simplify many configurations, problems may also be caused by competing routes or the
"coarser" filtering of data traffic.
The Additional IPv4 Traffic Filter parameter fixes this problem. You can apply a "finer" filter, i.e. you can enter the source IP address or the source port. If an Additional IPv4 Traffic
Filter is configured, this is used to negotiate the IPSec phase 2 SAs; the route now only
determines which data traffic is to be routed.
If an IP packet does not match the defined Additional IPv4 Traffic Filter, it is rejected.
If an IP packet meets the requirements in an Additional IPv4 Traffic Filter, IPSec phase 2
negotiation begins and data traffic is transferred over the tunnel.
Note
The parameter Additional IPv4 Traffic Filter is exclusively relevant for the initiator of
the IPSec connection; it is only used for outgoing traffic.
Note
Please note that the phase 2 policies must be configured identically on both of the
IPSec tunnel endpoints.
14.1.1 IPSec Peers
An endpoint of a communication is defined as peer in a computer network. Each peer offers its services and uses the services of other peers.
A list of all configured IPSec peers, sorted by priority, is displayed in the
VPN->IPSec->IPSec Peers menu.
Peer Monitoring
The menu for monitoring a peer is called by selecting the button for the peer in the peer
list. See Values in the IPSec Tunnels list on page 415.
14.1.1.1 New
Choose the New button to set up more IPSec peers.
The menu VPN->IPSec->IPSec Peers->New consists of the following fields:
Fields in the menu Peer Parameters
Field
Description
Administrative Status
Select the status to which you wish to set the peer after saving
the peer configuration.
Possible values:
• Up (default value): The peer is available for setting up a tunnel
immediately after saving the configuration.
• Down: The peer is initially not available after the configuration
has been saved.
Description
Enter a description of the peer that identifies it.
The maximum length of the entry is 255 characters.
Peer Address
Select the IP Version. You can choose if IPv4 or IPv6 is to be
preferred or if only one IP version is to be permitted.
Note
This selection is only relevant if an IP address is entered as
host name.
Possible values:
• 1
• 1
• :+0
• :+0
Enter the public IP address of the peer or a resolvable host
name.
This entry can be omitted in certain configurations, but in that
case your device cannot initiate an IPSec connection.
Peer ID
Select the ID type and enter the peer ID.
This entry is not necessary in certain configurations.
The maximum length of the entry is 255 characters.
Possible ID types:
• Fully Qualified Domain Name (FQDN): Any string
• E-mail Address
• IPV4 Address
• ASN.1-DN (Distinguished Name)
• Key ID: Any string
On the peer device, this ID corresponds to the Local ID Value.
Internet Key Exchange
Select the version of the Internet Key Exchange protocol to be used.
Possible values:
• IKEv1 (default value): Internet Key Exchange Protocol Version 1
• IKEv2: Internet Key Exchange Protocol Version 2
Authentication Method
Only for Internet Key Exchange = = Select the authentication method.
Possible values:
• Preshared Keys (default value): If you do not use certificates for the authentication, you can select Preshared Keys.
These are configured during peer configuration in the IPSec
Peers. The preshared key is the shared password.
• RSA Signature: Phase 1 key calculations are authenticated
using the RSA algorithm.
Local ID Type
Only for Internet Key Exchange = = Select the local ID type.
Possible ID types:
• Fully Qualified Domain Name (FQDN)
• E-mail Address
• IPV4 Address
• ASN.1-DN (Distinguished Name)
• Key ID: Any string
Local ID
Only for Internet Key Exchange = = Enter the ID of your device.
For Authentication Method = DSA Signature or RSA Signature the option Use Subject Name from certificate is displayed.
When you enable the option Use Subject Name from certificate, the first alternative subject name indicated in the certificate
is used, or, if none is specified, the subject name of the certificate is used.
Note: If you use certificates for authentication and your certificate contains alternative subject names (see Certificates on
page 69), you must make sure your device selects the first alternative subject name by default. Make sure you and your peer
both use the same name, i.e. that your local ID and the peer ID
your partner configures for you are identical.
Preshared Key
Enter the password agreed with the peer.
The maximum length of the entry is 50 characters. All characters are possible except for 0x at the start of the entry.
IP Version of the
tunneled Networks
Select if IPv4, IPv6 or both versions are allowed for the VPN
tunnel.
Possible values:
•
•
•
Fields in the menu IPv4 Interface Routes
Field
Description
Security Policy
Select the security settings to be used with the interface.
Possible values:
• Trusted: All IP packets are allowed through except for
those which are explicitly prohibited.
• Untrusted (default value): Only those packets are transmitted that can be attributed to a connection that has been initiated from a trusted zone.
You can configure exceptions for the selected setting in the
Firewall on page 277 menu.
IP Address Assignment
Select the configuration mode of the interface.
Possible values:
• Static (default value): Enter a static IP address.
• IKE Config Mode Client: Select this option if your gateway receives an IP address from the server as IPSec client.
• IKE Config Mode Server: Select this option if your gateway assigns an IP address as server for connecting clients.
This is taken from the selected IP Assignment Pool.
Config Mode
Only where IP Address Assignment = IKE Config Mode Server
or IKE Config Mode Client
Possible values:
• Pull (default value): The client requests the IP address and
the gateway answers the request.
• Push: The gateway suggests an IP address to the client and
the client must either accept or reject this.
This value must be identical for both sides of the tunnel.
IP Assignment Pool
Only if IP Address Assignment = IKE Config Mode Server
Select an IP pool configured in the VPN->IPSec->IP
Pools menu. If an IP pool has not been configured here yet, the
message Not yet defined appears in this field.
Default Route
Only for IP Address Assignment = Static or IKE Config Mode Client
Select whether the route to this IPSec peer is to be defined as
the default route.
The function is enabled with Enabled.
The function is disabled by default.
Local IP Address
Only for IP Address Assignment = Static or IKE Config Mode Server
Enter the WAN IP address of your IPSec tunnel. This can be the
same IP address as the address configured on your router as
the LAN IP address.
Metric
Only for IP Address Assignment = Static or IKE Config Mode Client and Default Route = Enabled
Select the priority of the route.
The lower the value, the higher the priority of the route.
Value range from to . The default value is .
Route Entries
Only for IP Address Assignment = Static or IKE Config Mode Client
Define routing entries for this connection partner.
• Remote IP Address: IP address of the destination host or
LAN.
• Netmask: Netmask for Remote IP Address.
• Metric: The lower the value, the higher the priority of the
route (possible values ). The default value is .
Fields in the menu Additional IPv4 Traffic Filter
Field
Description
Additional IPv4 Traffic
Filter
Only for Internet Key Exchange = = Use Add to create a new filter.
Fields in the IPv6 Interface Routes menu
Field
Description
Security Policy
Select the security settings to be used with the interface.
Possible values:
• Untrusted: IP packets are only allowed through if the connection has been initiated from "inside".
We recommend you use this setting if you want to use IPv6
outside of your LAN.
• Trusted (default value): All IP packets are allowed through
except for those which are explicitly prohibited.
We recommend you use this setting if you want to use IPv6
on your LAN.
You can configure exceptions for the selected setting in the
Firewall on page 277 menu.
Local IPv6 Network
Select a network. You can choose from the Link Prefixes available under LAN->IP Configuration->Interfaces->New.
Enter the Local IPv6 address and the corresponding prefix
length. The default prefix length is /64. This prefix must end with
::.
Remote IPv6 Network
Add a new prefix. Enter the address of the other tunnel endpoint. The default prefix Length is and the default Priority is
. The lower the value entered for Priority, the higher the priority of the route.
Additional data traffic filters
bintec elmeg Gateways support two different methods for establishing IPSec connections:
• a method based on policies and
• a method based on routing.
The policy-based method uses data traffic filters to negotiate the IPSec phase 2 SAs. This
enables the filtering of the IP packets to be very "fine grained" down to protocol and port
level.
The routing-based method offers various advantages over the policy-based method, e.g.,
NAT/PAT within a tunnel, IPSec in combination with routing protocols and the creation of
VPN backup scenarios. With the routing-based method, the configured or dynamically
learned routes are used to negotiate the IPSec phase 2 SAs. While it is true that this method simplifies many configurations, at the same time there can be problems due to competing routes or the "coarser" filtering of the data traffic.
The Additional IPv4 Traffic Filter parameter fixes this problem. You can filter more
"finely", i. e. you can, e. g., specify the source IP address or the source port. If there is an
Additional IPv4 Traffic Filter configured, it is used to negotiate the IPSec phase 2 SAs;
the route only determines which data traffic is to be routed.
If an IP packet does not match the defined Additional IPv4 Traffic Filter it is discarded.
If an IP packet meets the requirements in an Additional IPv4 Traffic Filter , IPSec phase 2
negotiation begins and data traffic is transferred over the tunnel.
Note
The parameter Additional IPv4 Traffic Filter is only relevant to the initiator of the
IPSec connection; it only applies to outgoing data traffic.
Note
Please note that the phase 2 policies must be configured identically on both of the
IPSec tunnel endpoints.
Add new entries with Add.
Fields in the menu Basic Parameters
Field
Description
Description
Enter a description for the filter.
Protocol
Select a protocol. The ,0 option (default value) matches all
protocols.
Source IP Address/
Netmask
Enter, if required, the source IP address and netmask of the
data packets.
Possible values:
• ,0
• >: Enter the IP address of the host.
• 92B (default value): Enter the network address and the
related netmask.
Source Port
Only for Protocol = )% or /-
Enter the source port of the data packets. The default setting
,++ (= -1) means that the port remains unspecified.
Destination IP Address/Netmask
Enter the destination IP address and corresponding netmask of
the data packets.
Destination Port
Only for Protocol = )% or /-
Enter the destination port of the data packets. The default setting ,++ (= -1) means that the port remains unspecified.
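The matching rules above can be modelled in a few lines of Python. This is an added example, not bintec elmeg code: the class and function names are hypothetical, the sample filters are constructed, and it assumes that the two protocols for which ports can be entered are TCP and UDP.

```python
# Added illustration, not bintec elmeg code: a model of how the initiator
# evaluates Additional IPv4 Traffic Filters for outgoing packets.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY_PORT = -1                      # manual: -1 means the port remains unspecified
PORT_PROTOCOLS = ("tcp", "udp")    # assumption: the protocols that carry ports


@dataclass(frozen=True)
class Packet:
    protocol: str                  # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class TrafficFilter:
    description: str
    protocol: Optional[str] = None         # None models the "any protocol" default
    source: str = "0.0.0.0/0"              # host address or network/netmask
    source_port: int = ANY_PORT
    destination: str = "0.0.0.0/0"
    destination_port: int = ANY_PORT

    def matches(self, pkt: Packet) -> bool:
        if self.protocol is not None and self.protocol != pkt.protocol:
            return False
        if ip_address(pkt.src) not in ip_network(self.source, strict=False):
            return False
        if ip_address(pkt.dst) not in ip_network(self.destination, strict=False):
            return False
        # Ports are only part of the filter when its protocol is TCP or UDP.
        if self.protocol in PORT_PROTOCOLS:
            if self.source_port not in (ANY_PORT, pkt.sport):
                return False
            if self.destination_port not in (ANY_PORT, pkt.dport):
                return False
        return True


def outgoing_decision(filters: List[TrafficFilter],
                      pkt: Packet) -> Tuple[str, Optional[str]]:
    """Return (action, filter description) for one outgoing packet.

    No filter configured: the routes alone drive phase 2 (routing-based method).
    Filter configured: a match starts phase 2 negotiation, anything else is
    discarded, as described in the text above.
    """
    if not filters:
        return ("route-based", None)
    for flt in filters:
        if flt.matches(pkt):
            return ("negotiate", flt.description)
    return ("discard", None)


# Constructed sample configuration: only SMTP from the branch LAN to one relay.
SAMPLE_FILTERS = [
    TrafficFilter("SMTP to HQ relay", "tcp",
                  "192.168.1.0/255.255.255.0", ANY_PORT, "10.0.0.25", 25),
]

if __name__ == "__main__":
    for p in (Packet("tcp", "192.168.1.10", "10.0.0.25", 40000, 25),
              Packet("tcp", "192.168.1.10", "10.0.0.25", 40000, 80),
              Packet("icmp", "192.168.1.10", "10.0.0.25")):
        print(p, outgoing_decision(SAMPLE_FILTERS, p))
```

The discard branch is the one to watch when a filter is added to an existing routing-based peer: traffic that previously used the tunnel and is not covered by any filter stops flowing.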
The menu Advanced Settings consists of the following fields:
Fields in the menu Advanced IPSec Options
Field
Description
Phase-1 Profile
Select a profile for Phase 1. Besides user-defined profiles, predefined profiles are available.
Possible values:
• 9 "3 13+ 1+#: Uses the profile marked
as standard in VPN->IPSec->Phase-1 Profiles
• .3++: Uses a special profile which contains the
proposals for Phase 1 3DES/MD5, AES/MD5 and Blowfish/
MD5 regardless of the proposal selection in menu
VPN->IPSec->Phase-1 Profiles.
• @1+A: Uses a profile configured in menu
VPN->IPSec->Phase-1 Profiles for Phase 1.
Phase-2 Profile
Select a profile for Phase 2. Besides user-defined profiles, predefined profiles are available.
Possible values:
• 9 "3 13+ 1+#: Uses the profile marked
as standard in VPN->IPSec->Phase-2 Profiles
• .3++: Uses a special profile which contains the
proposals for Phase 2 3DES/MD5, AES-128/MD5 and Blowfish/MD5 regardless of the proposal selection in menu
VPN->IPSec->Phase-2 Profiles.
• @1+A: Uses a profile configured in menu
VPN->IPSec->Phase-2 Profiles for Phase 2.
XAUTH Profile
Select a profile created in VPN->IPSec->XAUTH Profiles if you
wish to use XAuth to authenticate this IPSec peer.
If XAuth is used together with IKE Config Mode, the transactions for XAuth are carried out before the transactions for IKE
Config Mode.
Number of Admitted
Connections
Choose how many users can connect using this peer profile.
Possible values:
• : / (default value): Only one peer can be connected
with the data defined in this profile.
• .3++ /: Several peers can be connected with the
data defined in this profile. The peer entry is duplicated for
each connection request with the data defined in this profile.
The dynamic peer configuration on the gateway must not specify a peer ID or a peer IP address. Clients connecting to the
gateway, however, must have a peer ID specified in the client
peer configuration, since the ID is still used to differentiate the
tunnels created via the dynamic peer.
The resulting gateway peer would match all incoming tunnel
requests. It is, therefore, essential to put it at the end of the
IPSec peer list on the gateway. Otherwise all peers that follow
the dynamic peer in the peer list would be inactive.
Start Mode
Select how the peer is to be switched to the active state.
Possible values:
• : - (default value): The peer is switched to the active
state by a trigger.
• ,+20 3: The peer is always active.
Backup Peer
If a peer has been configured for the Start Mode ,+20 3,
you can select another, already configured peer as a backup
option. If the current peer becomes inactive, e.g. because of an
outage of the central VPN dial-in node, the backup peer can initiate a connection to a backup VPN dial-in node. If the primary
dial-in node becomes available again, the connection is seamlessly switched back.
This solution requires that the routing for the peers has to be
configured in a way that a connection to the remote site is actually possible via either of them. Moreover, the routing metric for
the backup peer should be lesser than for the primary peer. This
ensures that the tunnel is switched back to the primary peer as
soon as its connection is available again.
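The ordering requirement stated under Number of Admitted Connections can be checked mechanically. The following Python model is an added example, not bintec elmeg code; it assumes that an incoming tunnel request is assigned to the first entry in the peer list that matches it, and all names and sample peers are constructed.

```python
# Added illustration, not bintec elmeg code: why a dynamic peer without peer ID
# and peer IP address has to be the last entry in the IPSec peer list.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Peer:
    name: str
    peer_id: Optional[str] = None        # None: no peer ID configured
    peer_address: Optional[str] = None   # None: no peer IP address configured
    multi_user: bool = False             # several connections admitted

    @property
    def is_catch_all(self) -> bool:
        return self.peer_id is None and self.peer_address is None


def select_peer(peers: List[Peer], remote_id: str,
                remote_address: str) -> Optional[Peer]:
    """Assumed first-match lookup of the peer entry for an incoming request."""
    for peer in peers:
        if peer.peer_id is not None and peer.peer_id != remote_id:
            continue
        if peer.peer_address is not None and peer.peer_address != remote_address:
            continue
        return peer
    return None


def shadowed_peers(peers: List[Peer]) -> List[str]:
    """Names of peers listed after a catch-all entry; they can never be selected."""
    shadowed, behind_catch_all = [], False
    for peer in peers:
        if behind_catch_all:
            shadowed.append(peer.name)
        elif peer.is_catch_all:
            behind_catch_all = True
    return shadowed


def config_findings(peers: List[Peer]) -> List[str]:
    """Review findings for an ordered peer list."""
    findings = []
    for peer in peers:
        if peer.multi_user and not peer.is_catch_all:
            findings.append(f"{peer.name}: dynamic peer must not specify "
                            "a peer ID or a peer IP address")
    for name in shadowed_peers(peers):
        findings.append(f"{name}: inactive, listed after a dynamic peer")
    return findings


def dynamic_peers_last(peers: List[Peer]) -> List[Peer]:
    """Stable reorder that moves catch-all entries to the end of the list."""
    return ([p for p in peers if not p.is_catch_all]
            + [p for p in peers if p.is_catch_all])


# Constructed sample list with the dynamic peer in the wrong position.
SAMPLE_PEERS = [
    Peer("branch-1", peer_id="branch1@example.test"),
    Peer("roadwarriors", multi_user=True),
    Peer("branch-2", peer_id="branch2@example.test"),
]

if __name__ == "__main__":
    print(config_findings(SAMPLE_PEERS))
    print(config_findings(dynamic_peers_last(SAMPLE_PEERS)))
```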
Fields in the menu Advanced IP Options
Field
Description
Public Interface
Specify the public (or WAN) interface that this peer is to use to
connect to its VPN partner. If you select %! 70 ?3
, the decision as to via which interface the data traffic is
routed is made based on the current routing table. If you select
an interface, the interface is used taking into consideration the
setting under Public Interface Mode.
Public Interface Mode
Only when an interface is selected for Public Interface.
Specify how strictly the setting is handled.
Possible values:
• '*: Only the selected interface is used, independently
from the priorities in the current routing table.
• 1: The priorities in the current routing table will be
used. Only if several equivalent routes are available, the route
via the selected interface will be applied.
Public Source IPv4 Address
If you are operating more than one Internet connection in parallel, here you can specify the public IP address that is to be used
as the source address for the peer's data traffic. Select whether
the Public Source IPv4 Address is to be enabled.
The function is enabled with 7+.
In the input field, enter the public IP address that is to be used
as the sender address.
The function is disabled by default.
Public Source IPv6 Address
If you are operating more than one Internet connection in parallel, here you can specify the public IP address that is to be used
as the source address for the peer's data traffic. Select whether
the Public Source IPv6 Address is to be enabled.
The function is enabled with 7+.
In the input field, enter the public IP address that is to be used
as the sender address.
The function is disabled by default.
IPv4 Back Route Verify
Select whether a check on the back route should be activated
for the interface to the connection partner.
The function is enabled with 7+.
The function is disabled by default.
MobIKE
Only for peers with IKEv2.
In cases of changing public IP addresses, MobIKE enables only
these addresses to be updated in the SAs without the SAs
themselves having to be renegotiated.
The function is enabled by default.
Note that MobIKE requires a current IPSec client, e. g. the current Windows 7 or Windows 8 client or the latest version of the
bintec elmeg IPSec client.
IPv4 Proxy ARP
Select whether your device is to respond to ARP requests from
its own LAN on behalf of the specific connection partner.
Possible values:
• * (default value): Deactivates Proxy ARP for this
IPSec peer.
• / -: Your device only responds to an ARP request if the status of the connection to the IPSec peer is
/ (active) or - (dormant). In the case of -,
your device only responds to the ARP request; the connection
is not set up until someone actually wants to use the route.
• / +0: Your device responds to an ARP request only if the
status of the connection to the IPSec peer is / (active), i.e.
a connection already exists to the IPSec peer.
IPSec Callback
bintec elmeg devices support the DynDNS service to enable hosts without fixed IP addresses to obtain a secure connection over the Internet. This service enables a peer to be
identified using a host name that can be resolved by DNS. You do not need to configure
the IP address of the peer.
The DynDNS service does not signal whether a peer is actually online and cannot cause a
peer to set up an Internet connection to enable an IPSec tunnel over the Internet. This possibility is created with IPSec callback: Using a direct ISDN call to a peer, you can signal
that you are online and waiting for the peer to set up an IPSec tunnel over the Internet. If
the called peer currently has no connection to the Internet, the ISDN call causes a connection to be set up. This ISDN call costs nothing (depending on country), as it does not have
to be accepted by your device. The identification of the caller from his or her ISDN number
is enough information to initiate setting up a tunnel.
To set up this service, you must first configure a call number for IPSec callback on the
passive side in the Physical Interfaces->ISDN Ports->MSN Configuration->New menu.
The value * is available for this purpose in the field Service. This entry ensures that
incoming calls for this number are routed to the IPSec service.
If callback is active, the peer is caused to initiate setting up an IPSec tunnel by an ISDN
call as soon as this tunnel is required. If callback is set to passive, setting up a tunnel to the
peer is always initiated if an ISDN call is received on the relevant number ( MSN in menu
Physical Interfaces->ISDN Ports->MSN Configuration->New for Service *). This
ensures that both peers are reachable and that the connection can be set up over the Internet. The only case in which callback is not executed is if SAs (Security Associations)
already exist, i.e. the tunnel to the peer already exists.
Note
If a tunnel is to be set up to a peer, the interface over which the tunnel is to be implemented is activated first by the IPSec Daemon. If IPSec with DynDNS is configured on
the local device, its own IP address is propagated first and then the ISDN call is sent
to the remote device. This ensures that the remote device can actually reach the local
device if it initiates the tunnel setup.
Transfer of IP Address over ISDN
Transferring the IP address of a device over ISDN (in the D channel and/or B channel)
opens up new possibilities for the configuration of IPSec VPNs. This enables restrictions
that occur in IPSec configuration with dynamic IP addresses to be avoided.
Note
To use the IP address transfer over ISDN function, you must obtain a free-of-charge
extra licence.
You can obtain the licence data for extra licences via the online licensing pages in the
support section at www.bintec-elmeg.com . Please follow the online licensing instructions.
Before System Software Release 7.1.4, IPSec ISDN callback only supported tunnel setup if
the current IP address of the initiator could be determined by indirect means (e.g. via
DynDNS). However, DynDNS has serious disadvantages, such as the latency until the IP
address is actually updated in the database. This can mean that the IP address propagated
via DynDNS is not correct. This problem is avoided by transferring the IP address over
ISDN. This type of transfer of dynamic IP addresses also enables the more secure ID Protect mode (main mode) to be used for tunnel setup.
Method of operation: Various modes are available for transferring your own IP address to
the peer: The address can be transferred free of charge in the D channel, or in the B channel; in the
latter case the call must be accepted by the remote station and therefore incurs costs. If a peer
whose IP address has been assigned dynamically wants to arrange for another peer to set
up an IPSec tunnel, it can transfer its own IP address as per the settings described in
Fields in the menu IPv4 IPSec Callback on page 250. Not all transfer modes are supported
by all telephone companies. If you are not sure, automatic selection by the device can be
used to ensure that all the available possibilities can be used.
Note
The callback configuration should be the same on the two devices so that your device
is able to identify the IP address information from the called peer.
The following roles are possible:
• One side takes on the active role, the other the passive role.
• Both sides can take on both roles (both).
The IP address transfer and the start of IKE phase 1 negotiation take place in the following
steps:
(1) Peer A (the callback initiator) sets up a connection to the Internet in order to be assigned a dynamic IP address and be reachable for peer B over the Internet.
(2) Your device creates a token with a limited validity and saves it together with the current IP address in the MIB entry belonging to peer B.
(3) Your device sends the initial ISDN call to peer B, which transfers the IP address of peer A and the token as per the callback configuration.
(4) Peer B extracts the IP address of peer A and the token from the ISDN call and assigns them to peer A based on the calling party number configured (the ISDN number used by peer A to send the initial call to peer B).
(5) The IPSec Daemon at peer B's device can use the transferred IP address to initiate phase 1 negotiation with peer A. Here the token is returned to peer A in part of the payload in IKE negotiation.
(6) Peer A is now able to compare the token returned by peer B with the entries in the MIB and so identify the peer without knowing its IP address.
As peer A and peer B can now mutually identify each other, negotiations can also be conducted in the ID Protect mode using preshared keys.
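The six steps can be followed in a small Python model of both sides. This is an added example, not the device's implementation: the token length, the 60 second validity, the single use of a token, exact matching of the calling party number and all class and field names are assumptions, and the numbers and addresses are constructed.

```python
# Added illustration, not bintec elmeg code: the callback token exchange of
# steps (1) to (6), with peer A as callback initiator and peer B as called side.
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

TOKEN_VALIDITY_S = 60   # assumption; the manual only says "limited validity"


@dataclass
class PendingCallback:
    token: bytes
    own_ip: str
    expires_at: float


class CallbackInitiator:
    """Peer A: keeps one pending entry per configured peer (the "MIB entry")."""

    def __init__(self, isdn_number: str,
                 clock: Callable[[], float] = time.monotonic):
        self.isdn_number = isdn_number
        self.clock = clock
        self.pending: Dict[str, PendingCallback] = {}

    def start_callback(self, peer_name: str, current_ip: str) -> dict:
        """Steps (2) and (3): create and store the token, build the ISDN call."""
        token = secrets.token_bytes(8)
        self.pending[peer_name] = PendingCallback(
            token, current_ip, self.clock() + TOKEN_VALIDITY_S)
        return {"calling_party": self.isdn_number,
                "ip": current_ip, "token": token}

    def identify_peer(self, returned_token: bytes) -> Optional[str]:
        """Step (6): map the token from the IKE payload back to a peer entry."""
        now = self.clock()
        match = None
        for name, entry in self.pending.items():
            # Constant-time comparison; expired entries never match.
            same = hmac.compare_digest(entry.token, returned_token)
            if same and now <= entry.expires_at:
                match = name
        if match is not None:
            del self.pending[match]   # assumed single use: a replay finds nothing
        return match


class CallbackResponder:
    """Peer B: only configured calling party numbers trigger a tunnel setup."""

    def __init__(self, incoming_numbers: Dict[str, str]):
        self.peers_by_number = incoming_numbers   # ISDN number -> peer name

    def on_isdn_call(self, call: dict) -> Optional[dict]:
        """Steps (4) and (5): assign IP and token to the peer, start phase 1."""
        peer = self.peers_by_number.get(call["calling_party"])
        if peer is None:
            return None
        return {"peer": peer, "dst_ip": call["ip"], "token": call["token"]}


def run_exchange() -> Optional[str]:
    """Constructed end-to-end run; returns the peer that A identifies."""
    peer_a = CallbackInitiator("0911555001")
    peer_b = CallbackResponder({"0911555001": "peer-a"})
    call = peer_a.start_callback("peer-b", "198.51.100.7")   # steps (1) to (3)
    ike_init = peer_b.on_isdn_call(call)                     # steps (4) and (5)
    return peer_a.identify_peer(ike_init["token"])           # step (6)


if __name__ == "__main__":
    print(run_exchange())
```

Because peer B is selected purely by the calling party number, the Incoming Phone Number setting is what limits who can trigger a tunnel setup; the token only lets peer A recognise the answer to its own call.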
Note
In some countries (e.g. Switzerland), the call in the D channel can also incur costs. An
incorrect configuration at the called side can mean that the called side opens the B
channel and the calling side incurs costs.
The following options are only available on devices with an ISDN connection:
Fields in the menu IPv4 IPSec Callback
Field
Description
Mode
Select the Callback Mode.
Possible values:
• * (default value): IPSec callback is deactivated. The
local device neither reacts to incoming ISDN calls nor initiates
ISDN calls to the remote device.
• : The local device only reacts to incoming ISDN calls
and, if necessary, initiates setting up an IPSec tunnel to the
peer. No ISDN calls are sent to the remote device to cause
this to set up an IPSec tunnel.
• ,*: The local device sends an ISDN call to the remote
device to cause this to set up an IPSec tunnel. The device
does not react to incoming ISDN calls.
• &!: Your device can react to incoming ISDN calls and send
ISDN calls to the remote device. The setting up of an IPSec
tunnel is executed (after an incoming ISDN call) and initiated
(by an outgoing ISDN call).
Incoming Phone Number
Only for Mode = or &!
Enter the ISDN number from which the remote device calls the
local device (calling party number). Wildcards may also be
used.
Outgoing Phone Number
Only for Mode = ,* or &!
Enter the ISDN number with which the local device calls the remote device (called party number). Wildcards may also be
used.
Transfer own IP address over ISDN/GSM
Select whether the IP address of your own device is to be transferred over ISDN for IPSec callback.
The function is enabled with 7+.
The function is disabled by default.
Transfer Mode
Only for Transfer own IP address over ISDN/GSM = enabled
Select the mode in which your device is to attempt to transfer its
IP address to the peer.
Possible values:
• ,3* 7 : Your device automatically determines the most favourable mode. It first tries all D channel
modes before switching to the B channel. (Costs are incurred
for using the B channel.)
• ,3* +0 - %!+ .: Your device automatically determines the most favourable D channel mode.
The use of the B channel is excluded.
• / *1* - %!+ .: Your device tries to
transfer the IP address in the mode set in the Mode field.
• )0 *1* - %!+ .G 1++ 7*B &
%!+: Your device tries to transfer the IP address in the
mode set in the Mode field. If this does not succeed, the IP
address is transferred in the B channel. (This incurs costs.)
• / +0 & %!+ .: Your device transfers the IP
address in the B channel. This incurs costs.
D Channel Mode
Only for Transfer Mode = / *1* - %!+
. or )0 *1* - %!+ .G 1++ 7*B
& %!+
Select the D channel mode in which your device tries to transfer
the IP address.
Possible values:
• $$% (default value): The IP address is transferred in the "LLC
information elements" of the D channel.
• /&,--?: The IP address is transferred in the subaddress "information elements" of the D channel.
• $$% /&,--?: The IP address is transferred in both the
"LLC" and "subaddress information elements".
14.1.2 Phase-1 Profiles
A list of all configured tunnel profiles is displayed in the VPN->IPSec->Phase-1 Profiles
menu.
In the Default column, you can mark the profile to be used as the default profile.
14.1.2.1 New
Choose the Create new IKEv1 Profile or Create new IKEv2 Profile button to create additional profiles.
The menu VPN->IPSec->Phase-1 Profiles->Create new IKEv1 Profile consists of the following fields:
Fields in the Phase-1 (IKE) Parameters / Phase-1 (IKEv2) Parameters menu.
Field
Description
Description
Enter a description that uniquely defines the type of rule.
Proposals
In this field, you can select any combination of encryption and
message hash algorithms for IKE phase 1 on your device. The
combination of six encryption algorithms and four message
hash algorithms gives 24 possible values in this field. At least
one proposal must exist. Therefore the first line of the table cannot be deactivated.
Encryption algorithms (Encryption):
• - : 3DES is an extension of the DES algorithm with an effective key length of 112 bits, which is rated as secure. It is
the slowest algorithm currently supported.
• )21!: Twofish was a final candidate for the AES
(Advanced Encryption Standard). It is rated as just as secure
as Rijndael (AES), but is slower.
• &+21!: Blowfish is a very secure and fast algorithm.
Twofish can be regarded as the successor to Blowfish.
• %,): CAST is also a very secure algorithm, marginally
slower than Blowfish, but faster than 3DES.
• - : DES is an older encryption algorithm, which is rated as
weak due to its small effective length of 56 bits.
• , (default value): Rijndael has been nominated as AES
due to its fast key setup, low memory requirements, high level
of security against attacks and general speed. The partner's
AES key length is used here. If this has also selected the
parameter , , a key length of 128 bits is used.
• , : Rijndael has been nominated as AES due to its
fast key setup, low memory requirements, high level of security against attacks and general speed. Here, it is used with a
key length of 128 bits.
• , : Rijndael has been nominated as AES due to its
fast key setup, low memory requirements, high level of security against attacks and general speed. Here, it is used with a
key length of 192 bits.
• , : Rijndael has been nominated as AES due to its
fast key setup, low memory requirements, high level of security against attacks and general speed. Here, it is used with a
key length of 256 bits.
Hash algorithms (Authentication):
• .-: MD5 (Message Digest #5) is an older hash algorithm. It
is used with a 96 bit digest length for IPSec.
• >, (default value): SHA1 (Secure Hash Algorithm #1) is a
hash algorithm developed by NSA (United States National Security Association). It is rated as secure, but is slower than
MD5. It is used with a 96 bit digest length for IPSec.
• ?.- : RipeMD 160 is a 160 bit hash algorithm. It is
used as a secure replacement for MD5 and RipeMD.
• ): Tiger 192 is a relatively new and very fast algorithm.
• >,: SHA2 (Secure Hash Algorithm #2) is a hash algorithm which has been designed to supersede SHA 1. It can
be used with hash lengths of 256, 384 or 512 bits.
• >,: SHA-2 with 384 bit hash length.
• >,: SHA-2 with 512 bit hash length.
Depending on the hardware of your device some options may
not be available.
Please note that the quality of the algorithms is subject to relative aspects and may change due to mathematical or cryptographic developments.
DH Group
The Diffie-Hellman group defines the parameter set used as the
basis for the key calculation during phase 1. "MODP" as supported by bintec elmeg devices stands for "modular exponentiation".
The following groups with their corresponding bit values are
available:
• "( &#
• "
&#
• " &#
• "
&#
• "
( &#
• "
&#
Depending on the hardware of your device some options may
not be available.
Lifetime
Create a lifetime for phase 1 keys.
The following options are available for defining the Lifetime:
• Input in Seconds: Enter the lifetime for phase 1 keys in
seconds. The value can be a whole number from 0 to
2147483647. The default value is , which means the
key must be renewed once four hours have elapsed.
• Input in kBytes: Enter the lifetime for phase 1 keys as amount
of data processed in kBytes. The value can be a whole number from 0 to 2147483647. The default value is , which
means that the number of transmitted kBytes is irrelevant.
Authentication Method
Only for Phase-1 (IKE) Parameters
Select the authentication method.
Possible values:
• ! =0 (default value): If you do not use certificates for the authentication, you can select Preshared Keys.
These are configured during peer configuration in the
VPN->IPSec->IPSec Peers. The preshared key is the shared
password.
• -, 3: Phase 1 key calculations are authenticated
using the DSA algorithm.
• ?, 3: Phase 1 key calculations are authenticated
using the RSA algorithm.
• ?, *0: In RSA encryption the ID payload is also
encrypted for additional security.
Local Certificate
Only for Phase-1 (IKE) Parameters
Only for Authentication Method = -, 3, ?,
3 or ?, *0
This field enables you to select one of your own certificates for
authentication. It shows the index number of this certificate and
the name under which it is saved. This field is only shown for
authentication settings based on certificates and indicates that a
certificate is essential.
Mode
Only for Phase-1 (IKE) Parameters
Select the phase 1 mode.
Possible values:
• , (default value): The Aggressive Mode is necessary if one of the peers does not have a static IP address
and preshared keys are used for authentication. It requires
only three messages to configure a secure channel.
• . . "- *#: This mode (also designated
Main Mode) requires six messages for a Diffie-Hellman key
calculation and thus for configuring a secure channel, over
which the IPSec SAs can be negotiated. A condition is that
both peers have static IP addresses if preshared keys are
used for authentication.
Also define whether the selected mode is used exclusively
(Strict), or the peer can also propose another mode.
Local ID Type
Only for Phase-1 (IKE) Parameters
Select the local ID type.
Possible values:
• '3++0 D3+1 - 9 "'D-9#
• + ,
• E ,
• ,9-9 "-3! 9#
• =0
Local ID Value
Only for Phase-1 (IKE) Parameters
Enter the ID of your device.
For Authentication Method = -, 3, ?, 3 or ?, *0 the Use Subject Name from certificate option is displayed.
When you enable the Use Subject Name from certificate option, the first alternative subject name indicated in the certificate
is used, or, if none is specified, the subject name of the certificate is used.
Note: If you use certificates for authentication and your certificate contains alternative subject names (see Certificates on
page 69), you must make sure your device selects the first alternative subject name by default. Make sure you and your peer
both use the same name, i.e. that your local ID and the peer ID
your partner configures for you are identical.
Alive Check
During communication between two IPSec peers, one of the peers may become unavailable, e.g. due to routing problems or a reboot. However, this can only be detected when
the end of the lifetime of the security connection is reached. Up until this point the data
packets are lost. There are various methods of performing an alive check to prevent this
happening. In the Alive Check field you can specify whether a method should be used to
check the availability of a peer.
Two methods are available: Heartbeats and Dead Peer Detection.
The menu Advanced Settings consists of the following fields:
Fields in the Advanced Settings menu.
Field
Description
Alive Check
Only for Phase-1 (IKE) Parameters
Select the method to be used to check the functionality of the
IPSec connection.
In addition to the default method Dead Peer Detection (DPD),
the (proprietary) Heartbeat method is implemented. This sends
and receives signals every 5 seconds, depending on the configuration. If these signals are not received after 20 seconds, the
SA is discarded as invalid.
Possible values:
• ,3* (default value): Your device detects and uses
the mode supported by the remote terminal.
• *: Your device sends and expects no heartbeat. Set
this option if you use devices from other manufacturers.
• >7 " 6* +0#: Your device expects a
heartbeat from the peer but does not send one itself.
• >7 " +0#: Your device expects no heartbeat from the peer, but sends one itself.
• >7 " N 6*#: Your device expects a
heartbeat from the peer and sends one itself.
• - -*: Use DPD (dead peer detection) in
accordance with RFC 3706. DPD uses a request-reply protocol to check the availability of the remote terminal and can
be configured independently on both sides. This option only
checks the availability of the peer if data is to be sent to it.
• - -* "+#: Use DPD (dead peer detection) in accordance with RFC 3706. DPD uses a request-reply protocol to check the availability of the remote terminal
and can be configured independently on both sides. This option is used to carry out a check at certain intervals depending
on forthcoming data transfers.
Only for Phase-1 (IKEv2) Parameters
Enable or disable alive check.
The function is enabled by default.
Block Time
Define how long a peer is blocked for tunnel setups after a
phase 1 tunnel setup has failed. This only affects locally initiated
setup attempts.
Possible values are to (seconds); means the
value in the default profile is used and means that the peer is
never blocked.
The default value is . If a peer has been configured in "always up" mode, there is an implicit minimum block time of 15
seconds which is applied independently from the configured
value.
NAT Traversal
NAT Traversal (NAT-T) also enables IPSec tunnels to be
opened via one or more devices on which network address
translation (NAT) is activated.
Without NAT-T, incompatibilities may arise between IPSec and
NAT (see RFC 3715, section 2). These primarily prevent the
setup of an IPSec tunnel from a host within a LAN and behind
a NAT device to another host or device. NAT-T enables these
kinds of tunnels without conflicts with the NAT device: activated
NAT is automatically detected by the IPSec Daemon and NAT-T
is used.
Only for = 1+
Possible values:
• 7+ (default value): NAT Traversal is enabled.
• -7+: NAT Traversal is disabled.
• '*: The device always behaves as it would if NAT were in
use.
Only for = 1+
The function is enabled with 7+.
The function is enabled by default.
CA Certificates
Only for Phase-1 (IKE) Parameters
Only for Authentication Method = -, 3, ?,
3 or ?, *0
If you enable the Trust the following CA certificates option,
you can select up to three CA certificates that are accepted for
this profile.
This option can only be configured if certificates are loaded.
14.1.3 Phase-2 Profiles
You can define profiles for phase 2 of the tunnel setup just as for phase 1.
In the VPN->IPSec->Phase-2 Profiles menu, a list of all configured IPSec phase 2 profiles
is displayed.
In the Default column, you can mark the profile to be used as the default profile.
14.1.3.1 New
Choose the New button to create additional profiles.
The menu VPN->IPSec->Phase-2 Profiles->New consists of the following fields:
Fields in the Phase-2 (IPSEC) Parameters menu.
Field
Description
Description
Enter a description that uniquely identifies the profile.
The maximum length of the entry is 255 characters.
Proposals
In this field, you can select any combination of encryption and
message hash algorithms for IKE phase 2 on your device. The
combination of six encryption algorithms and two message hash
algorithms gives 12 possible values in this field.
Encryption algorithms (Encryption):
• - : 3DES is an extension of the DES algorithm with an effective key length of 112 bits, which is rated as secure. It is
the slowest algorithm currently supported.
• ,$$ : All options can be used.
• , (default value): Rijndael has been nominated as AES
due to its fast key setup, low memory requirements, high level
of security against attacks and general speed. The partner's
AES key length is used here. If this has also selected the
parameter , , a key length of 128 bits is used.
• , : Rijndael has been nominated as AES due to its
fast key setup, low memory requirements, high level of security against attacks and general speed. Here, it is used with a
key length of 128 bits.
• , : Rijndael has been nominated as AES due to its
fast key setup, low memory requirements, high level of security against attacks and general speed. Here, it is used with a
key length of 192 bits.
• , : Rijndael has been nominated as AES due to its
fast key setup, low memory requirements, high level of security against attacks and general speed. Here, it is used with a
key length of 256 bits.
• )21!: Twofish was a final candidate for the AES
(Advanced Encryption Standard). It is rated as just as secure
as Rijndael (AES), but is slower.
• &+21!: Blowfish is a very secure and fast algorithm.
Twofish can be regarded as the successor to Blowfish.
• %,): CAST is also a very secure algorithm, marginally
slower than Blowfish, but faster than 3DES.
• - : DES is an older encryption algorithm, which is rated as
weak due to its small effective length of 56 bits.
Hash algorithms (Authentication):
• .-: MD5 (Message Digest #5) is an older hash algorithm. It
is used with a 96 bit digest length for IPSec.
• ,$$ : All options can be used.
• >, (default value): SHA1 (Secure Hash Algorithm #1) is a
hash algorithm developed by NSA (United States National Security Agency). It is rated as secure, but is slower than
MD5. It is used with a 96 bit digest length for IPSec.
• >,: SHA2 (Secure Hash Algorithm #2) is a hash algorithm which has been designed to supersede SHA1. It can
be used with hash lengths of 256, 384 or 512 bits.
• >,: SHA-2 with 384 bit hash length.
• >,: SHA-2 with 512 bit hash length.
Note that RipeMD 160 and Tiger 192 are not available for message hashing in phase 2.
Depending on the hardware of your device some options may
not be available.
Use PFS Group
As PFS (Perfect Forward Secrecy) requires another Diffie-Hellman key calculation to create new encryption material, you
must select the exponentiation features. If you enable PFS (
7+), the options are the same as for the configuration of
DH Group in the VPN->IPSec->Phase-1 Profiles menu. PFS is
used to protect the keys of a renewed phase 2 SA, even if the
keys of the phase 1 SA have become known.
The following groups with their corresponding bit values are
available:
• "( &#
• "
&#
• " &#
• "
&#
• "
( &#
• "
&#
Depending on the hardware of your device some options may
not be available.
Lifetime
Define the lifetime after which the phase 2 SAs need to be renewed.
The new SAs are negotiated shortly before expiry of the current
SAs. As per RFC 2407, the default value is eight hours, which
means the key must be renewed once eight hours have
elapsed.
The following options are available for defining the Lifetime:
• Input in Seconds: Enter the lifetime for phase 2 key in
seconds. The value can be a whole number from to
((. The default value is (
.
• Input in kBytes: Enter the lifetime for phase 2 keys as amount
of data processed in kBytes. The value can be a whole number from to ((. The default value is .
Rekey after : Specify the percentage in the course of the lifetime
at which the phase 2 keys are to be regenerated.
The percentage entered is applied to both the lifetime in
seconds and the lifetime in kBytes.
The default value is %.
The menu Advanced Settings consists of the following fields:
Fields in the Advanced Settings menu.
Field
Description
IP Compression
Select whether compression is to be activated before data encryption. If data is compressed effectively, this can result in
higher performance and a lower volume of data to be transferred. In the case of fast lines or data that cannot be compressed, you are advised against using this option as the performance can be significantly affected by the increased effort
during compression.
The function is enabled with 7+.
The function is disabled by default.
Alive Check
Select whether and how IPSec heartbeats are used.
A bintec elmeg IPSec heartbeat is implemented to determine
whether or not a Security Association (SA) is still valid. This
function sends and receives signals every 5 seconds, depending on the configuration. If these signals are not received after
20 seconds, the SA is discarded as invalid.
Possible values:
• ,3* (default value): Automatic detection of whether
the remote terminal is a bintec elmeg device. If it is, >
7 " N 6*# (for a remote terminal with bintec
elmeg) or * (for a remote terminal without bintec elmeg) is set.
• *: Your device sends and expects no heartbeat. Set
this option if you use devices from other manufacturers.
• >7 " 6* +0#: Your device expects a
heartbeat from the peer but does not send one itself.
• >7 " +0#: Your device expects no heartbeat from the peer, but sends one itself.
• >7 " N 6*#: Your device expects a
heartbeat from the peer and sends one itself.
Propagate PMTU
Select whether the PMTU (Path Maximum Transfer Unit) is to
be propagated during phase 2.
The function is enabled with 7+.
The function is enabled by default.
14.1.4 XAUTH Profiles
In the XAUTH Profiles menu a list of all XAUTH profiles is displayed.
Extended Authentication for IPSec (XAuth) is an additional authentication method for IPSec
tunnel users.
The gateway can take on two different roles when using XAuth as it can act as a server or
as a client:
• As a server the gateway requires a proof of authorisation.
• As a client the gateway provides proof of authorisation.
In server mode multiple users can obtain authentication via XAuth, e.g. users of Apple
iPhones. Authorisation is verified either on the basis of a list or via a Radius Server. If using
a one time password (OTP), the password check can be carried out by a token server (e.g.
SecOVID from Kobil), which is installed behind the Radius Server. If a company's
headquarters is connected to several branches via IPSec, several peers can be configured.
A specific user can then use the IPSec tunnel over various peers depending on the assignment of various profiles. This is useful, for example, if an employee works alternately in different branches, if each peer represents a branch and if the employee wishes to have onsite access to the tunnel.
XAuth is carried out once IPSec IKE (Phase 1) has been completed successfully and before IKE (Phase 2) begins.
If XAuth is used together with IKE Config Mode, the transactions for XAuth are carried out
before the transactions for IKE Config Mode.
14.1.4.1 New
Choose the New button to create additional profiles.
The VPN->IPSec->XAUTH Profiles ->New menu consists of the following fields:
Fields in the Basic Parameters menu.
Field
Description
Description
Enter a description for this XAuth profile.
Role
Select the role of the gateway for XAuth authentication.
Possible values:
• (default value): The gateway requires a proof of authorisation.
• %+: The gateway provides proof of authorisation.
Mode
Only for Role = Select how authentication is carried out.
Possible values:
• ?,-/ (default value): Authentication is carried out via a
Radius server. It is configured in the System
Management->Remote Authentication->RADIUS menu and
selected in the RADIUS Server Group ID field.
• $*+: Authentication is carried out via a local list.
Name
Only for Role = %+
Enter the authentication name of the client.
Password
Only for Role = %+
Enter the authentication password.
RADIUS Server Group ID
Only for Role =
Select the desired RADIUS group configured in System Management->Remote Authentication->RADIUS.
Users
Only for Role = and Mode = $*+
If your gateway is configured as an XAuth server, the clients
can be authenticated via a locally configured user list. Define
the members of the user group of this XAUTH profile here by
entering the authentication name of the client (Name) and the
authentication password (Password). Add new members with
Add.
14.1.5 IP Pools
In the IP Pools menu a list of all IP pools for your configured IPSec connections is displayed.
If for an IPSec peer you have set IP Address Assignment = %1 . ,
you must define the IP pools here from which the IP addresses are assigned.
14.1.5.1 Edit or New
Choose the New button to set up new IP address pools. Choose the icon to edit existing entries.
Fields in the menu Basic Parameters
Field
Description
IP Pool Name
Enter any description to uniquely identify the IP pool.
IP Address Range
Enter the first (first field) and last (second field) IP address of
the IP address pool.
DNS Server
Primary: Enter the IP address of the DNS server that is to be
used, preferably, by clients who draw an address from this pool.
Secondary: Optionally, enter the IP address of an alternative
DNS server.
14.1.6 Options
The menu VPN->IPSec->Options consists of the following fields:
Fields in the Global Options menu.
Field
Description
Enable IPSec
Select whether you want to activate IPSec.
The function is enabled with 7+.
The function is active as soon as an IPSec Peer is configured.
Delete complete IPSec configuration
If you click the icon, the complete IPSec configuration of your device is deleted.
This cancels all settings made during the IPSec configuration.
Once the configuration is deleted, you can start with a completely new IPSec configuration.
You can only delete the configuration if Enable IPSec = not activated.
IPSec Debug Level
Select the priority of the syslog messages of the IPSec subsystem to be recorded internally.
Possible values:
• *0 (highest priority)
• ,+
• %*+
•
• 8
• 9*
• 1
• -73 (default value, lowest priority)
Syslog messages are only recorded internally if they have a
higher or identical priority to that indicated, i.e. all messages
generated are recorded at syslog level "debug".
The Advanced Settings menu is for adapting certain functions and features to the special
requirements of your environment, i.e. mostly interoperability flags are set. The default values are globally valid and enable your system to work correctly with other bintec elmeg
devices, so that you only need to change these values if the remote terminal is a third-party
product or you know special settings are necessary. These may be needed, for example, if
the remote end operates with older IPSec implementations.
The menu Advanced Settings consists of the following fields:
Fields in the Advanced Settings menu.
Field
Description
IPSec over TCP
Determine whether IPSec over TCP is to be used.
IPSec over TCP is based on NCP pathfinder technology. This
technology ensures that data traffic (IKE, ESP, AH) between
peers is integrated into a pseudo HTTPS session.
The function is enabled with 7+.
The function is disabled by default.
Send Initial Contact Message
Select whether IKE Initial Contact messages are to be sent during IKE (phase 1) if no SAs with a peer exist.
The function is enabled with 7+.
The function is enabled by default.
Sync SAs with ISP interface state
Select whether all SAs are to be deleted whose data traffic was
routed via an interface on which the status has changed from
/ to -2, - or &+*B.
The function is enabled with 7+.
The function is disabled by default.
Use Zero Cookies
Select whether zeroed ISAKMP Cookies are to be sent.
These are equivalent to the SPI (Security Parameter Index) in
IKE proposals; as they are redundant, they are normally set to
the value of the negotiation currently in progress. Alternatively,
your device can use zeroes for all values of the cookie. In this
case, select 7+.
Zero Cookie Size
Only for Use Zero Cookies = enabled.
Enter the length in bytes of the zeroed SPI used in IKE proposals.
The default value is .
Dynamic RADIUS Authentication
Select whether RADIUS authentication is to be activated via
IPSec.
The function is enabled with 7+.
The function is disabled by default.
Fields in the PKI Handling Options menu.
Field
Description
Ignore Certificate Request Payloads
Select whether certificate requests received from the remote
end during IKE (phase 1) are to be ignored.
The function is enabled with 7+.
The function is disabled by default.
Send Certificate Request Payloads
Select whether certificate requests are to be sent during IKE
(phase 1).
The function is enabled with 7+.
The function is enabled by default.
Send Certificate Chains
Select whether complete certificate chains are to be sent during
IKE (phase 1).
The function is enabled with 7+.
The function is enabled by default.
Deactivate this function if you do not wish to send the peer the
certificates of all levels (from your level to the CA level).
Send CRLs
Select whether CRLs are to be sent during IKE (phase 1).
The function is enabled with 7+.
The function is disabled by default.
Send Key Hash Payloads
Select whether key hash payloads are to be sent during IKE
(phase 1).
In the default setting, the public key hash of the remote end is
sent together with the other authentication data. Only applies for
RSA encryption. Activate this function with 7+ to suppress this behaviour.
14.2 be.IP Secure Client
Here you can download the current Secure IPsec Client software for free.
14.3 LISP Light
The Locator/ID Separation Protocol (LISP) provides a new way of addressing nodes for a
more efficient structuring of the internet.
A large number of reasons warrant the introduction of LISP, the main one being the
quickly increasing number of mobile devices accessing the internet as well as local networks. Having to change the complete IP address for every change of location is inefficient
and lets routing tables grow out of proportion quickly and unnecessarily.
LISP employs the concept of separating the notion of identity and location of a device inside the network: A Routing Locator (RLOC) specifies the location of a device, and an Endpoint Identifier (EID) specifies its identity. A mapping system connects both parameters.
When using traditional IP-addressing, identity and location are linked to each other by the
IP address. If a device receives a new IP address via DHCP - as is the rule especially in
mobile computing -, the new IP address is completely unrelated to the previous one, i.e.,
not only the location has changed, but the complete combination of location+identity has
been replaced. As a result, all routes to the previous address and to the device have to be
replaced, as well.
From the perspective of LISP addressing, the internet can be seen as structured as follows:
The internet is broken into a public realm, the Internet Core, and into private, LISP-enabled
networks, LISP sites, which are connected to the Internet Core. The interfaces between
both are operated by LISP routers working as Ingress or Egress Tunnel routers (ITR or
ETR, respectively). Ingress Tunnel Routers provide entrance to the Internet Core and
Egress Tunnel Routers provide entrance to the local network (i.e. an exit from the Internet
Core). Both services can be offered by the same device, however.
The parameters Routing Locator (RLOC) and Endpoint Identifier (EID) are - practically - a
pair of "common" IPv4 or IPv6 addresses. (IPv6 is currently not supported by LISP Light.)
The Routing Locator (RLOC) determines the routing via a public, globally routable IP address to a LISP Site, i.e. to a location within the Internet where an Egress Router provides
access to a LISP-enabled network. The Endpoint Identifier (EID) is used to address a specific device inside of the LISP Site with a private address. This private address has to be
unique across all interconnected LISP Sites, but does not have to be globally unique.
If an IP packet has to be routed from one LISP Site to another one, e.g. from a Local to a
Remote Site, the corresponding RLOC-EID pair has to be known. Map Server and Map Resolver provide this information. A Map Server learns RLOC-EID entries from Egress Tunnel
Routers and stores them inside of a database. A Map Resolver receives map requests
from Ingress Tunnel Routers and queries the RLOC-EID entries in the database.
When routing an IP packet, the Ingress Tunnel Router adds additional information to the
packet that already contains the EID (the private sender and destination address) inside
the so-called "inner" header: The IP packet receives an additional header, the so-called
"outer" header, which contains the RLOC consisting of the public sender and destination
address. When the IP packet has arrived at the destination LISP Site by means of
the RLOC, the Egress Tunnel Router unwraps it. Using the EID information the packet is
then transmitted to the final recipient.
LISP Light means that only a subset of the LISP specification from RFC 6830 has been
implemented in order to provide the core routing functions.
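The inner/outer header wrapping described above, as an added Python example that is not bintec elmeg code. The LISP header layout and UDP port 4341 follow RFC 6830; all addresses, the nonce and the payload are constructed, and treating a packet without the instance flag as instance 0 and rejecting a foreign instance ID at the ETR are assumptions that go beyond the text.

```python
import socket
import struct

LISP_DATA_PORT = 4341          # UDP destination port for LISP data (RFC 6830)
FLAG_N, FLAG_I = 0x80, 0x08    # nonce present / instance ID present
UDP = 17
IP_FMT = "!BBHHHBBH4s4s"       # 20-byte IPv4 header without options


def checksum(header):
    """Internet checksum of an even-length header; 0 when verifying a valid one."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src, dst, proto, payload_len):
    fields = [0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = checksum(struct.pack(IP_FMT, *fields))
    return struct.pack(IP_FMT, *fields)


def encapsulate(inner, rloc_src, rloc_dst, instance_id, nonce, sport=61000):
    """ITR side: prepend LISP, UDP and outer IPv4 headers to an inner IP packet."""
    lisp = struct.pack("!II",
                       ((FLAG_N | FLAG_I) << 24) | (nonce & 0xFFFFFF),
                       (instance_id & 0xFFFFFF) << 8)
    udp = struct.pack("!HHHH", sport, LISP_DATA_PORT,
                      8 + len(lisp) + len(inner), 0)
    outer = ipv4_header(rloc_src, rloc_dst, UDP,
                        len(udp) + len(lisp) + len(inner))
    return outer + udp + lisp + inner


def decapsulate(packet, local_instance):
    """ETR side: validate the outer headers, then return RLOCs, instance and EIDs."""
    if len(packet) < 20:
        raise ValueError("truncated outer header")
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < 20 or packet[9] != UDP:
        raise ValueError("outer packet is not IPv4/UDP")
    if len(packet) < ihl + 8 + 8 + 20:
        raise ValueError("truncated LISP packet")
    if checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer header checksum")
    if struct.unpack_from("!H", packet, ihl + 2)[0] != LISP_DATA_PORT:
        raise ValueError("not a LISP data packet")
    word1, word2 = struct.unpack_from("!II", packet, ihl + 8)
    # Assumption: a packet without the I flag belongs to the default instance 0.
    instance = word2 >> 8 if (word1 >> 24) & FLAG_I else 0
    if instance != local_instance:
        raise ValueError("instance ID %d is not served here" % instance)
    inner = packet[ihl + 16:]
    if inner[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    return {"rloc_src": socket.inet_ntoa(packet[12:16]),
            "rloc_dst": socket.inet_ntoa(packet[16:20]),
            "instance_id": instance,
            "eid_src": socket.inet_ntoa(inner[12:16]),
            "eid_dst": socket.inet_ntoa(inner[16:20]),
            "inner": inner}


def sample_inner():
    """Constructed inner packet between two private EIDs (protocol 253 = experimental)."""
    payload = b"constructed payload"
    return ipv4_header("10.1.0.5", "10.2.0.9", 253, len(payload)) + payload


if __name__ == "__main__":
    wire = encapsulate(sample_inner(), "198.51.100.1", "203.0.113.7",
                       instance_id=7, nonce=0xABCDEF)
    info = decapsulate(wire, local_instance=7)
    print({k: v for k, v in info.items() if k != "inner"})
```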
14.3.1 Router (ITR/ETR)
The menu VPN->LISP Light->Router (ITR/ETR) displays a list of all Egress Tunnel
Routers (ETR, top card) and of all Ingress Tunnel Routers (ITR, bottom card). Your device
operates as an Egress Tunnel Router as well as an Ingress Tunnel Router.
14.3.1.1 Add Egress Tunnel Router
Here you carry out the configuration of the Egress Tunnel Router role. For a standard LISP
configuration you have to configure at least one Map Server.
The device propagates its own IP address to the Map Server(s) in order to signal that it can
receive data packets and via which RLOC it can be accessed as ETR.
An Egress Tunnel Router (ETR) propagates EID-RLOC entries for "its" LISP Sites and receives LISP data, unwraps them and sends them to the devices specified in the EID.
The menu VPN->LISP Light->Router (ITR/ETR)->Add Egress Tunnel Router consists of
the following fields:
Fields in the menu Map Server
Field
Description
Map Server IP Address
Specify the IP address of the Map Server that is to receive the
Map Request messages.
Key type (HMAC Algorithm)
Messages sent to the Map Server can be signed. Here you can
select the signing algorithm.
Possible values:
• >.,%>,
• >.,%>,
• 9
9 deactivates message signing.
Authentication key
The Authentication key must also be known to the Map Server
in order for it to verify message authenticity.
The menu Advanced Settings consists of the following fields:
Fields in the menu Advanced Settings
Map-Register time
period (in sec.)
Configure the time to pass between two register messages sent
to the Map Server in seconds.
The default value is .
HMAC truncation
The message signature can be written to the data packet either
complete (HMAC truncation 9) or truncated (HMAC
truncation 7+).
HMAC truncation 9 is the default setting.
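How the Key type, Authentication key and HMAC truncation settings fit together when a Map-Register is signed by the ETR and checked by the Map Server, as an added Python example that is not bintec elmeg code. The header layout and Key ID numbers follow RFC 6830; the key, nonce and record bytes are constructed, and accepting only the full or the RFC-truncated MAC length is an assumption about the Map Server's policy.

```python
import hashlib
import hmac
import struct

# Key ID -> (hash name, truncated MAC length in bytes), per RFC 6830:
# 1 = HMAC-SHA-1-96, 2 = HMAC-SHA-256-128. Key ID 0 means "not signed".
KEY_IDS = {1: ("sha1", 12), 2: ("sha256", 16)}
HEADER = struct.Struct("!IQHH")   # type/flags/record count, nonce, key ID, MAC length
MAP_REGISTER = 3                  # LISP control message type

KEY = b"constructed-shared-key"             # constructed sample key
RECORDS = b"constructed EID-record bytes"   # opaque stand-in for the EID records


def allowed_lengths(key_id):
    """Truncated and full MAC length for a key ID."""
    name, short = KEY_IDS[key_id]
    return short, hashlib.new(name).digest_size


def sign_map_register(key, key_id, nonce, records, truncate=False, count=1):
    """ETR side: the MAC covers the whole message with the MAC field zeroed."""
    short, full = allowed_lengths(key_id)
    auth_len = short if truncate else full
    header = HEADER.pack((MAP_REGISTER << 28) | count, nonce, key_id, auth_len)
    zeroed = header + bytes(auth_len) + records
    mac = hmac.new(key, zeroed, KEY_IDS[key_id][0]).digest()[:auth_len]
    return header + mac + records


def verify_map_register(key, message):
    """Map Server side: return (accepted, reason)."""
    if len(message) < HEADER.size:
        return False, "message too short"
    word, _nonce, key_id, auth_len = HEADER.unpack_from(message)
    if word >> 28 != MAP_REGISTER:
        return False, "not a Map-Register"
    if key_id not in KEY_IDS:
        return False, "unsigned or unknown key ID"
    # Refuse arbitrary lengths: a 1-byte MAC could be guessed in 256 tries.
    if auth_len not in allowed_lengths(key_id):
        return False, "unexpected MAC length"
    end = HEADER.size + auth_len
    if len(message) < end:
        return False, "message too short"
    received = message[HEADER.size:end]
    zeroed = message[:HEADER.size] + bytes(auth_len) + message[end:]
    expected = hmac.new(key, zeroed, KEY_IDS[key_id][0]).digest()[:auth_len]
    if not hmac.compare_digest(received, expected):   # constant-time comparison
        return False, "bad MAC"
    return True, "ok"


if __name__ == "__main__":
    for key_id in KEY_IDS:
        for truncate in (False, True):
            msg = sign_map_register(KEY, key_id, 7, RECORDS, truncate)
            print(key_id, truncate, len(msg), verify_map_register(KEY, msg))
```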
14.3.1.2 Add Ingress Tunnel Router
Here you carry out the configuration of the Ingress Tunnel Router role. For a standard LISP
configuration you must configure at least one Map Resolver.
An Ingress Tunnel Router (ITR) discovers EID-RLOC pairs and stores them in its mapping
cache. For discovery it sends map requests to a Map Resolver.
An Ingress Tunnel Router wraps the data packets into the inner and outer header and
sends them to the adequate LISP site using the address contained in the RLOC.
The menu VPN->LISP Light->Router (ITR/ETR)->Add Ingress Tunnel Router consists of
the following fields:
Fields in the menu Map Resolvers
Field
Description
Map Resolver IP Address
Specify the IP address of the Map Resolver that is to answer
Map Requests of the ITR.
In order to maintain reliability, more than one Map Resolver can
be specified.
The menu Advanced Settings consists of the following fields:
Fields in the menu Advanced Settings
Field
Description
Map-Request minimum time period (in sec.)
Specify the minimum time (in seconds) that is to pass between
two requests for the same EID to the same Map Resolver. This
setting is to avoid Map Resolver overload.
The default value is one second.
Max. Number of pending Map-Requests
Specify how many consecutive Map Requests may remain unanswered before switching to the next Map Resolver.
This setting determines data loss tolerance.
The default value is .
Max. Delay before
switching to the next
Map-Resolver
Specify the time (in seconds) that may pass without an answer
to a Map Request before switching to the next Map Resolver.
This setting determines network latency tolerance.
The default value is .
14.3.2 Local/Remote-Sites
LISP-enabled networks are called LISP Sites. A Local Site is the sum of all IP addresses
(EIDs) that belong to the local network and can be reached without a tunnel. Remote Sites
are address spaces that can only be reached through a tunnel.
The menu VPN->LISP Light->Local/Remote-Sites displays a list of all established LISP
Sites, separated into Local Sites (top card) and Remote Sites (bottom card).
14.3.2.1 Add Local Site
Here you can configure Local Sites.
The menu VPN->LISP Light->Local/Remote-Sites->Add Local Sites consists of the following fields:
Fields in the menu Local Site
Field
Description
Instance ID
You can select a LISP Instance if you have created one in the
menu VPN->LISP Light->EID Prefix Segregation (LISP Instances)->Add Instance. If you keep the default setting 9
1, a default instance is used.
EID prefix (IP address) / Length
Specify the IP prefix of the Endpoint Identifier (EID). Use a LAN
address from your network.
Route Locator (RLOC)
IP address
In order for the remote tunnel router to know at which IP address your device can be reached, a globally routable IP address (RLOC of the ETR role) is automatically determined and
displayed.
The menu Advanced Settings consists of the following fields:
Fields in the menu Advanced Settings
Field
Description
Interface binding
Selecting an interface is optional. If the same EID is used for
multiple interfaces, one of the interfaces can be assigned here.
Database Record TTL
(in min.)
Designates the cache entry life time (in minutes) reported to the
Map Server.
The default value is minutes.
Exclude EID prefix
from tree
If you intend to use a continuous address range, keep the default setting 3.
You can remove a sub range from an already created address
range. For this, create individual entries with the setting.
14.3.2.2 Add Remote Site
Here you can configure Remote Sites.
The menu VPN->LISP Light->Local/Remote-Sites->Add Remote Site consists of the following fields:
Fields in the menu Remote Site
Field
Description
ID
You can select a LISP Instance if you have created one in the
menu VPN->LISP Light->EID Prefix Segregation (LISP Instances)->Add Instance. If you keep the default setting 9
1, a default instance is used.
EID prefix (IP address) / Length
Specify the address range that can be reached through a tunnel.
14.3.3 EID Prefix Segregation (LISP Instances)
The menu VPN->LISP Light->EID Prefix Segregation (LISP Instances) displays a list of
all configured LISP Instances.
Note
If you intend to operate only a single network, you do not need to create any instances.
In this case a default instance is used.
If you intend to operate multiple separated networks (optionally with overlapping address ranges), you need to create an instance for each network.
14.3.3.1 Add Instance
Here you can configure LISP Instances.
The menu VPN->LISP Light->EID Prefix Segregation (LISP Instances)->Add Instance
consists of the following fields:
Fields in the menu LISP Instance
Field
Description
Description
Choose a name for the instance in order to distinguish it from
other instances more easily.
Instance ID
For the first instance you configure you can keep the default
value . For all further instances specify a unique integer value.
For each instance a virtual interface is created.
The menu Advanced Settings consists of the following fields:
Fields in the menu Advanced Settings
Field
Description
Proxy-ETR-RLOC
If required, specify the IP address of a Proxy-ETR to which all IP packets are tunneled for which the Map Resolver answers with
"forward-native".
LISP interface MTU
Specify the maximum packet size (Maximum Transfer Unit,
MTU) in bytes that can be used for the connection between the
virtual LISP interfaces.
The default value is .
Maximum number of
cached EID/RLOC
entries per ins
Specify the maximum number of EID/RLOC entries in the
cache.
Maximum number of
RLOC addresses per
cached EID
Specify the maximum number of RLOC entries in the cache.
Default TTL of cached
EID/RLOC entry (in
minutes)
Normally, the server provides a value for the TTL (time to live).
Here you can specify a value for the case that the server does
not provide one (Default TTL Mode = '++7*B) or the server-provided value is to be ignored (Default TTL Mode = '6).
Default TTL Mode
Here you can select the default TTL mode.
The default value is .
Possible values:
• '++7*B (default value): The server does not provide a
TTL value. The value specified for Default TTL of cached
EID/RLOC entry (in minutes) is used.
• '6: The value provided by the server is ignored. The value
specified for Default TTL of cached EID/RLOC entry (in
minutes) is used.
Chapter 15 Firewall
The Stateful Inspection Firewall (SIF) provided for bintec elmeg gateways is a powerful security feature.
The SIF with dynamic packet filtering has a decisive advantage over static packet filtering:
The decision whether or not to send a packet is made not solely on the basis of source
and destination addresses or ports, but also using dynamic packet filtering based on the
state of the connection to a partner.
This means packets that belong to an already active connection can also be forwarded.
The SIF also accepts packets that belong to an "affiliated connection". The negotiation of
an FTP connection takes place over port 21, for example, but the actual data exchange can
take place over a completely different port.
SIF and other security features
The Stateful Inspection Firewall fits into the existing security architecture of bintec elmeg.
The configuration work for the SIF is comparatively straightforward with systems like Network Address Translation (NAT) and IP Access Lists (IPAL).
As SIF, NAT and IPAL are active in the system simultaneously, attention must be given to
possible interaction: If any packet is rejected by one of the security instances, this is done
immediately. It is irrelevant whether another instance would accept it or not. Your need
for security features should therefore be accurately analysed.
The essential difference between SIF and NAT/IPAL is that the rules for the SIF are generally applied globally, i.e. not restricted to one interface.
In principle, the same filter criteria are applied to the data traffic as those used in NAT and
IPAL:
• Source and destination address of the packet (with an associated netmask)
• Service (preconfigured, e.g. Echo, FTP, HTTP)
• Protocol
• Port number(s)
To illustrate the differences in packet filtering, a list of the individual security instances and
their method of operation is given below.
NAT
One of the basic functions of NAT is the translation of the local IP addresses of your LAN
into the global IP addresses you are assigned by your ISP and vice versa. All connections
initiated externally are first blocked, i.e. every packet your device cannot assign to an existing connection is rejected. This means that a connection can only be set up from inside to
outside. Without explicit permission, NAT rejects every access from the WAN to the LAN.
IP Access Lists
Here, packets are allowed or rejected exclusively on the basis of the criteria listed above,
i.e. the state of the connection is not considered (except for Services = )%).
SIF
The SIF sorts out all packets that are not explicitly or implicitly allowed. The result can be a
"deny", in which case no error message is sent to the sender of the rejected packet, or a
"reject", where the sender is informed of the packet rejection.
The incoming packets are processed as follows:
• The SIF first checks if an incoming packet can be assigned to an existing connection. If
so, it is forwarded. If the packet cannot be assigned to an existing connection, a check is
made to see if a suitable connection is expected (e.g. as affiliated connection of an existing connection). If so, the packet is also accepted.
• If the packet cannot be assigned to any existing or expected connection, the SIF filter
rules are applied: If a deny rule matches the packet, the packet is discarded without
sending an error message to the sender of the packet; if a reject rule matches, the packet
is discarded and an ICMP Host Unreachable message sent to the sender of the packet.
The packet is only forwarded if an accept rule matches.
• All packets without matching rules are rejected without sending an error message to the
sender when all the existing rules have been checked (=default behaviour).
For specific instructions on configuring the Stateful Inspection Firewall (SIF), see Configuration on page 291
at the end of the chapter.
15.1 Policies
15.1.1 IPv4 Filter Rules
The default behaviour with Action = ,** consists of two implicit filter rules: If an incoming packet can be assigned to an existing connection and if a suitable connection is expected (e.g. such as an affiliated connection of an existing connection), the packet is allowed.
The sequence of filter rules in the list is relevant: The filter rules are applied to each packet
in succession until a rule matches. If overlapping occurs, i.e. more than one filter rule
matches a packet, only the first rule is executed. This means that if the first rule denies a
packet, whereas a later rule allows it, the packet is rejected. A deny rule also has no effect
if a relevant packet has previously been allowed by another filter rule.
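The packet processing order from the SIF introduction and the first-match rule order described above, modelled in Python as an added example that is not bintec elmeg code. The rule fields, rule names and addresses are constructed, and the shadowed() check, which lists rules that can never match because an earlier rule covers them, goes beyond the text.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = None  # wildcard for protocol or destination port


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    name: str
    src: str        # CIDR; "0.0.0.0/0" matches any source
    dst: str        # CIDR; "0.0.0.0/0" matches any destination
    proto: object   # "tcp", "udp" or ANY
    dport: object   # port number or ANY
    action: str     # "accept", "deny" or "reject"

    def matches(self, p):
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in (ANY, p.proto)
                and self.dport in (ANY, p.dport))

    def covers(self, other):
        """True if every packet that matches `other` also matches this rule."""
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and self.proto in (ANY, other.proto)
                and self.dport in (ANY, other.dport))


class Sif:
    def __init__(self, rules):
        self.rules = list(rules)
        self.connections = set()   # established flows, stored in both directions
        self.expected = set()      # (dst, proto, dport) of affiliated connections

    def _track(self, p):
        self.connections.add((p.src, p.sport, p.dst, p.dport, p.proto))
        self.connections.add((p.dst, p.dport, p.src, p.sport, p.proto))

    def expect(self, dst, proto, dport):
        """Register an affiliated connection, e.g. an announced FTP data port."""
        self.expected.add((dst, proto, dport))

    def decide(self, p):
        """Return (verdict, reason) in the order the text gives."""
        if (p.src, p.sport, p.dst, p.dport, p.proto) in self.connections:
            return "forward", "existing connection"
        if (p.dst, p.proto, p.dport) in self.expected:
            self.expected.discard((p.dst, p.proto, p.dport))
            self._track(p)
            return "forward", "expected (affiliated) connection"
        for rule in self.rules:            # the first matching rule decides
            if rule.matches(p):
                if rule.action == "accept":
                    self._track(p)
                    return "forward", rule.name
                # reject informs the sender via ICMP, deny drops silently
                return ("drop+icmp" if rule.action == "reject" else "drop"), rule.name
        return "drop", "default (no rule matched)"

    def shadowed(self):
        """(rule, covering earlier rule) pairs for rules that can never match."""
        pairs = []
        for i, later in enumerate(self.rules):
            for earlier in self.rules[:i]:
                if earlier.covers(later):
                    pairs.append((later.name, earlier.name))
                    break
        return pairs


# Constructed rule list; the second rule is placed too late to ever match.
RULES = [
    Rule("deny-guest", "192.168.2.0/24", "0.0.0.0/0", ANY, ANY, "deny"),
    Rule("allow-guest-web", "192.168.2.0/24", "0.0.0.0/0", "tcp", 443, "accept"),
    Rule("allow-lan-ftp", "192.168.1.0/24", "0.0.0.0/0", "tcp", 21, "accept"),
    Rule("reject-lan-smtp", "192.168.1.0/24", "0.0.0.0/0", "tcp", 25, "reject"),
]

if __name__ == "__main__":
    fw = Sif(RULES)
    print(fw.decide(Packet("192.168.2.20", 40001, "203.0.113.5", 443)))
    print(fw.shadowed())
```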
The security concept is based on the assumption that an infrastructure consists of trusted
and untrusted zones. The security policies )3 and /3 describe this assumption. They define the filter rules Trusted Interfaces and Untrusted Interfaces which
are created by default and cannot be deleted.
If you use the Security Policy )3, all data packets are accepted. You can create
additional filter rules that discard specific packets. In the same way, you can allow specific
packets when using the /3 policy.
A list of all configured filter rules is displayed in the Firewall->Policies->IPv4 Filter Rules
menu.
Using the button in the line Trusted Interfaces, you can determine which interfaces are
Trusted. A new window opens with an interface list. You can mark individual interfaces as
trusted.
You can use the button to insert another policy above the list entry. The configuration
menu for creating a new policy opens.
You can use the button to move the list entry. A dialog box opens, in which you can select the position to which the policy is to be moved.
15.1.1.1 New
Note
Information on the selection of Trusted Interfaces can be found here: IPv4 Filter
Rules on page 279.
Choose the New button to create additional parameters.
The menu Firewall->Policies->IPv4 Filter Rules->New consists of the following fields:
Fields in the Basic Parameters menu.
Field
Description
Source
Select one of the preconfigured aliases for the source of the
packet.
In the list, all WAN/LAN interfaces, interface groups (see Firewall->Interfaces->Groups), addresses (see Firewall->Addresses->Address List) and address groups (see
Firewall->Addresses->Groups) are available.
The value ,0 means that neither the source interface nor the
source address is checked.
Destination
Select one of the preconfigured aliases for the destination of the
packet.
In the list, all WAN/LAN interfaces, interface groups (see Firewall->Interfaces->Groups), addresses (see Firewall->Addresses->Address List) and address groups (see
Firewall->Addresses->Groups) are available.
The value ,0 means that neither the destination interface nor
the destination address is checked.
Service
Select one of the preconfigured services to which the packet to
be filtered must be assigned.
The extensive range of services configured ex works includes
the following:
• 1
• +
• • • !
• • • 9
Additional services are created in Firewall->Services->Service
List.
In addition, the service groups configured in
Firewall->Services->Groups can be selected.
Action
Select the action to be applied to a filtered packet.
Possible values:
• ,** (default value): The packets are forwarded on the
basis of the entries.
• -0: The packets are rejected.
• ?O*: The packets are rejected. An error message is issued to the sender of the packet.
15.1.2 IPv6 Filter Rules
The default behaviour with Action = ,** consists of two implicit filter rules: If an incoming packet can be assigned to an existing connection and if a suitable connection is expected (e.g. an affiliated connection of an existing connection), the packet is allowed.
The sequence of filter rules in the list is relevant: The filter rules are applied to each packet
in succession until a rule matches. If overlapping occurs, i.e. more than one filter rule
matches a packet, only the first rule is executed. This means that if the first rule denies a
packet, whereas a later rule allows it, the packet is rejected. A deny rule also has no effect
if a relevant packet has previously been allowed by another filter rule.
The security concept is based on the assumption that an infrastructure consists of trusted
and untrusted zones. The security policies )3 and /3 describe this assumption. They define the filter rules Trusted Interfaces and Untrusted Interfaces which
are created by default and cannot be deleted.
If you use the Security Policy )3, all data packets are accepted. You can create
additional filter rules that discard specific packets. In the same way, you can allow specific
packets when using the /3 policy.
A list of all configured filter rules is displayed in the Firewall->Policies->IPv6 Filter Rules
menu.
Using the button in the line Trusted Interfaces, you can determine which interfaces are Trusted. A new window opens with an interface list. You can mark individual interfaces as trusted.
You can use the button to insert another policy above the list entry. The configuration menu for creating a new policy opens.
You can use the button to move the list entry. A dialog box opens, in which you can select the position to which the policy is to be moved.
15.1.2.1 New
Choose the New button to create additional parameters.
The menu Firewall->Policies->IPv6 Filter Rules->New consists of the following fields:
Fields in the Basic Parameters menu
Field
Description
Source
Select one of the preconfigured aliases for the source of the
packet.
In the list, all WAN/LAN interfaces, interface groups (see Firewall->Interfaces->IPv6 Groups), addresses (see Firewall->Addresses->Address List) and address groups (see
Firewall->Addresses->Groups) are available for selection for
IPv6.
Destination
Select one of the preconfigured aliases for the destination of the
packet.
In the list, all WAN/LAN interfaces, interface groups (see Firewall->Interfaces->IPv6 Groups), addresses (see Firewall->Addresses->Address List) and address groups (see
Firewall->Addresses->Groups) are available for selection for
IPv6.
Service
Select one of the preconfigured services to which the packet to
be filtered must be assigned.
The extensive range of services configured ex works includes
the following:
• 1
• +
• • • !
Additional services are created in Firewall->Services->Service
List.
In addition, the service groups configured in
Firewall->Services->Groups can be selected.
Action
Select the action to be applied to a filtered packet.
Possible values:
• ,** (default value): The packets are forwarded on the
basis of the entries.
• -0 : The packets are rejected.
• ?O* : The packets are rejected. An error message is issued to the sender of the packet.
15.1.3 Options
In this menu, you can disable or enable the IPv4 firewall and can log its activities. In addition, you can define after how many seconds of inactivity a session shall be ended.
Note
The IPv6 firewall is always active and cannot be disabled.
The menu Firewall->Policies->Options consists of the following fields:
Fields in the Global Firewall Options menu
Field
Description
IPv4 Firewall Status
Enable or disable the IPv4 firewall function.
The function is enabled with 7+
The function is enabled by default.
Logged Actions
Select the firewall syslog level.
The messages are output together with messages from other
subsystems.
Possible values:
• ,++ (default value): All firewall activities are displayed.
• -0: Only reject and deny events are shown, see "Action".
• ,**: Only accept events are shown.
• 9: Syslog messages are not generated.
IPv4 Full Filtering
With TCP sessions, the SIF first verifies if a session has been
established completely and correctly. The filtering itself is carried out in a second step. The default setting IPv4 Full Filtering
has been designed to meet this "standard" case.
If, in a two-way communication, one traffic direction is sent through the router but the counter direction takes a different route, the data traffic of this connection will be blocked because the session is interpreted as "incomplete" by the SIF. This will happen even if there is a rule that allows the same kind of data traffic in a complete session.
In order to allow the data traffic of "incomplete" sessions you
have to disable IPv4 Full Filtering .
STUN Handler
Enable this option if you intend to allow network devices (esp. SIP clients) to use STUN in order to identify the network address translation mode and the public IP address. The firewall creates temporary rules that allow RTP data traffic for SIP phone calls.
Port STUN server
Only for STUN Handler= Enabled
Enter the number of the port to be used for the connection to the STUN server.
The default value is 3478. A 5 digit sequence is possible.
Fields in the Session Timer menu.
Field
Description
UDP Inactivity
Enter the inactivity time after which a UDP session is to be regarded as expired (in seconds).
Possible values are to .
The default value is .
TCP Inactivity
Enter the inactivity time after which a TCP session is to be regarded as expired (in seconds).
Possible values are to .
The default value is .
PPTP Inactivity
Enter the inactivity time after which a PPTP session is to be regarded as expired (in seconds).
Possible values are to .
The default value is .
Other Inactivity
Enter the inactivity time after which a session of another type is
to be regarded as expired (in seconds).
Possible values are to .
The default value is .
Fields in the Factory Reset Firewall
Field
Description
Factory Reset Firewall
Click Reset to reset the firewall to factory defaults.
15.2 Interfaces
15.2.1 IPv4 Groups
A list of all configured IPv4 interface routes is displayed in the Firewall->Interfaces->IPv4
Groups menu.
You can group together the interfaces of your device. This makes it easier to configure firewall rules.
15.2.1.1 New
Choose the New button to set up new IPv4 interface groups.
The menu Firewall->Interfaces->IPv4 Groups->New consists of the following fields:
Fields in the Basic Parameters menu.
Field
Description
Description
Enter the desired description of the IPv4 interface group.
Members
Select the members of the group from the available interfaces.
To do this, activate the field in the Selection column.
15.2.2 IPv6 Groups
A list of all configured IPv6 interface routes is displayed in the Firewall->Interfaces->IPv6 Groups menu.
You can group together the IPv6 interfaces of your device. This makes it easier to configure firewall rules.
15.2.2.1 New
Choose the New button to set up new IPv6 interface groups.
The menu Firewall->Interfaces->IPv6 Groups->New consists of the following fields:
Fields in the Basic Parameters menu.
Field
Description
Description
Enter the desired description of the IPv6 interface group.
Members
Select the members of the group from the available interfaces.
To do this, activate the field in the Selection column.
15.3 Addresses
15.3.1 Address List
A list of all configured addresses is displayed in the Firewall->Addresses->Address List
menu.
15.3.1.1 New
Choose the New button to create additional addresses.
The menu Firewall->Addresses->Address List->New consists of the following fields:
Fields in the Basic Parameters menu.
Field
Description
Description
Enter the desired description of the address.
IPv4
Allows configuration of IPv4 address lists.
The function is enabled with 7+ .
The function is enabled by default.
Address Type
Only for IPv4 = 7+
Select the type of address you want to specify.
Possible values:
• , 5 37 (default value): Enter an IP address
with subnet mask.
• , ?: Enter an IP address range with a start and
end address.
Address / Subnet
Only for IPv4 = 7+
and Address Type = , 5 37
Enter the IP address of the host or a network address and the
related netmask.
The default value is .
IPv6
Allows configuration of IPv6 address lists.
The function is enabled with 7+ .
The function is disabled by default.
Address / Prefix
Only for IPv6 = 7+
Enter IPv6 address and the related prefix.
15.3.2 Groups
A list of all configured address groups is displayed in the Firewall->Addresses->Groups
menu.
You can group together addresses. This makes it easier to configure firewall rules.
15.3.2.1 New
Choose the New button to set up additional address groups.
The menu Firewall->Addresses->Groups->New consists of the following fields:
Fields in the Basic Parameters menu.
Field
Description
Description
Enter the desired description of the address group.
IP Version
Select the IP version used.
Possible values:
• • is selected by default.
Selection
Select the members of the group from the available Addresses.
To do this, activate the fields in the Selection column.
15.4 Services
15.4.1 Service List
In the Firewall->Services->Service List menu, a list of all available services is displayed.
Choose the icon to edit existing entries. You can delete existing entries with the icon.
Note
Service is also removed from NAT service list! Recreation possible only by factory reset.
15.4.1.1 New
Choose the New button to set up additional services.
The menu Firewall->Services->Service List->New consists of the following fields:
Fields in the Basic Parameters menu.
Field
Description
Description
Enter an alias for the service you want to configure.
Protocol
Select the protocol on which the service is to be based. The
most important protocols are available for selection.
Destination Port Range
Only for Protocol = )%, /-5)% or /-
In the first field, enter the destination port via which the service
is to run.
If a port number range is specified, in the second field enter the
last port of the port range. By default the field does not contain
an entry. If a value is displayed, this means that the previously
specified port number is verified. If a port range is to be
checked, enter the upper limit here.
Possible values are to .
Source Port Range
Only for Protocol = )%, /-5)% or /-
In the first field, enter the source port to be checked, if applicable.
If a port number range is specified, in the second field enter the
last port of the port range. By default the field does not contain
an entry. If a value is displayed, this means that the previously
specified port number is verified. If a port range is to be
checked, enter the upper limit here.
Possible values are to .
Type
Only for Protocol = %.
The Type field shows the class of ICMP messages, the Code
field specifies the type of message in greater detail.
Possible values:
• ,0 (default value)
• *! ?+0
• - 3*!7+
• 3* D3*!
• ?*
•
*!
• )
6*
• 7+
• )
• ) ?+0
• 1 ?J3
• 1 ?+0
• , .B ?J3
• , .B ?+0
Code
Selection options for the ICMP codes are only available for
Type = - 3*!7+
Possible values:
• ,0 (default value)
• 9 /*!7+
• > /*!7+
• *+ /*!7+
• /*!7+
• ' 9
• %3* 2! - 92B ,
+0 !7
• %3* 2! - > ,
+0 !7
15.4.2 Groups
A list of all configured service groups is displayed in the Firewall->Services->Groups
menu.
You can group together services. This makes it easier to configure firewall rules.
15.4.2.1 New
Choose the New button to set up additional service groups.
The menu Firewall->Services->Groups->New consists of the following fields:
Fields in the Basic Parameters menu.
Field
Description
Description
Enter the desired description of the service group.
Members
Select the members of the group from the available service aliases. To do this, activate the fields in the Selection column.
15.5 Configuration
15.5.1 SIF - Configuration example
Requirements
• Internet connection
• Your LAN must be connected to one of ports 1, 2, 3 or 4 on the gateway.
Example scenario
Configuration target
• Only certain Internet services are to be available for the staff of a company (HTTP, HTTPS, FTP, DNS).
• The gateway should operate as a DNS proxy, which means that the clients use the gateway as a DNS server.
• Only the system administrator and the director should be able to establish an HTTP and a Telnet connection to the gateway.
• The director must be able to use all services in the Internet.
• All other data traffic will be blocked.
Important
An incorrect configuration of the firewall can significantly disrupt the functionality of the
gateway or drop the connections.
The usual principle for firewalls also applies: Everything that is not explicitly allowed is
prohibited.
This means accurate planning of the filter rules and filter rule chain is necessary to ensure correct operation.
Overview of Configuration Steps
Aliases for IP addresses and network address
Field | Menu | Value
Description | Firewall->Addresses->Address List->New | e.g. ,
Address Type | Firewall->Addresses->Address List->New | , 5 37
Address / Subnet | Firewall->Addresses->Address List->New | e.g. with
Description | Firewall->Addresses->Address List->New | e.g. -*
Address Type | Firewall->Addresses->Address List->New | , 5 37
Address / Subnet | Firewall->Addresses->Address List->New | e.g. with
Description | Firewall->Addresses->Address List->New | e.g. 7
Address Type | Firewall->Addresses->Address List->New | , 5 37
Address / Subnet | Firewall->Addresses->Address List->New | e.g. with
Description | Firewall->Addresses->Address List->New | e.g. 92B +
Address Type | Firewall->Addresses->Address List->New | , 5 37
Address / Subnet | Firewall->Addresses->Address List->New | e.g. with
Address groups
Field | Menu | Value
Description | Firewall->Addresses->Groups->New | e.g. 7
IP Version | Firewall->Addresses->Groups->New |
Selection | Firewall->Addresses->Groups->New | e.g. , and -*
Service Sets
Field | Menu | Value
Description | Firewall->Services->Groups->New | e.g.
Members | Firewall->Services->Groups->New | e.g. !, ! "$# and 1
Description | Firewall->Services->Groups->New | e.g. ,
Members | Firewall->Services->Groups->New | e.g. ! and +
Filter rules 1: Manage Gateway (System administrator)
Field | Menu | Value
Source Location | Firewall->Policies->IPv4 Filter Rules->New | 7
Destination | Firewall->Policies->IPv4 Filter Rules->New | 7
Service | Firewall->Policies->IPv4 Filter Rules->New | ,
Action | Firewall->Policies->IPv4 Filter Rules->New | ,**
Filter rules 2: Use gateway as DNS proxy
Field | Menu | Value
Source Location | Firewall->Policies->IPv4 Filter Rules->New | $:%,$
Destination | Firewall->Policies->IPv4 Filter Rules->New | ,9P
Service | Firewall->Policies->IPv4 Filter Rules->New |
Action | Firewall->Policies->IPv4 Filter Rules->New | ,**
Source Location | Firewall->Policies->IPv4 Filter Rules->New | 9H2B;
Destination | Firewall->Policies->IPv4 Filter Rules->New | 7
Service | Firewall->Policies->IPv4 Filter Rules->New |
Action | Firewall->Policies->IPv4 Filter Rules->New | ,**
Filter rules 3: Deny access from outside to the Gateway
Field | Menu | Value
Source Location | Firewall->Policies->IPv4 Filter Rules->New | ,9P
Destination | Firewall->Policies->IPv4 Filter Rules->New | 7
Service | Firewall->Policies->IPv4 Filter Rules->New | 0
Action | Firewall->Policies->IPv4 Filter Rules->New | -0
Filter rules 4: Allow access to all services on the Internet (Director)
Field | Menu | Value
Source Location | Firewall->Policies->IPv4 Filter Rules->New | -*
Destination | Firewall->Policies->IPv4 Filter Rules->New | ,9P
Service | Firewall->Policies->IPv4 Filter Rules->New | 0
Action | Firewall->Policies->IPv4 Filter Rules->New | ,**
Filter rules 5: Allow access to the Internet (Staff)
Field | Menu | Value
Source Location | Firewall->Policies->IPv4 Filter Rules->New | 92B;+
Destination | Firewall->Policies->IPv4 Filter Rules->New | ,9P
Service | Firewall->Policies->IPv4 Filter Rules->New |
Action | Firewall->Policies->IPv4 Filter Rules->New | ,**
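The first-match behaviour described for the filter rule list, applied to the rule chain of this configuration example. This is an added example, not part of the manual or of the device firmware. The addresses, alias names and the shadowed() audit helper are constructed for illustration, and the model ignores connection state and the default Trusted/Untrusted interface rules.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


def nets(*cidrs):
    """Build an address alias (or address group) from CIDR strings."""
    return tuple(ipaddress.ip_network(c) for c in cidrs)


# Constructed addressing plan: assumed values, not taken from the manual.
GATEWAY = nets("192.168.0.254/32")
ADMINS = nets("192.168.0.2/32", "192.168.0.3/32")  # administrator + director
DIRECTOR = nets("192.168.0.3/32")
LAN = nets("192.168.0.0/24")
ANY = nets("0.0.0.0/0")

# A service is (protocol, destination port); services=None means "any service".
HTTP, HTTPS, FTP = ("tcp", 80), ("tcp", 443), ("tcp", 21)
TELNET, DNS, SMTP = ("tcp", 23), ("udp", 53), ("tcp", 25)
ADMINISTRATION = frozenset({HTTP, TELNET})   # service group
INTERNET = frozenset({HTTP, HTTPS, FTP})     # service group


@dataclass(frozen=True)
class Rule:
    name: str
    sources: tuple
    destinations: tuple
    services: Optional[frozenset]
    action: str  # "allow" or "deny"

    def matches(self, src, dst, service):
        return (any(src in n for n in self.sources)
                and any(dst in n for n in self.destinations)
                and (self.services is None or service in self.services))


# Rule chain in the order of the configuration steps (filter rules 1 to 5).
CHAIN = [
    Rule("manage-gateway", ADMINS, GATEWAY, ADMINISTRATION, "allow"),
    Rule("dns-to-gateway", LAN, GATEWAY, frozenset({DNS}), "allow"),
    Rule("dns-from-gateway", GATEWAY, ANY, frozenset({DNS}), "allow"),
    Rule("deny-to-gateway", ANY, GATEWAY, None, "deny"),
    Rule("director-internet", DIRECTOR, ANY, None, "allow"),
    Rule("staff-internet", LAN, ANY, INTERNET, "allow"),
]
# Same rules, but the deny rule has been moved to the top of the list.
MISORDERED = [CHAIN[3]] + CHAIN[:3] + CHAIN[4:]


def evaluate(chain, src, dst, service):
    """Return (action, rule name) of the first matching rule."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in chain:
        if rule.matches(src, dst, service):
            return rule.action, rule.name
    # Everything that is not explicitly allowed is prohibited.
    return "deny", "implicit-default"


def covers(earlier, later):
    """True if every packet matching `later` already matches `earlier`."""
    def within(inner, outer):
        return all(any(i.subnet_of(o) for o in outer) for i in inner)
    services_ok = earlier.services is None or (
        later.services is not None and later.services <= earlier.services)
    return (within(later.sources, earlier.sources)
            and within(later.destinations, earlier.destinations)
            and services_ok)


def shadowed(chain):
    """List (rule, earlier rule) pairs where the rule can never be reached.

    Conservative: only detects a rule fully covered by one single earlier rule.
    """
    found = []
    for i, later in enumerate(chain):
        for earlier in chain[:i]:
            if covers(earlier, later):
                found.append((later.name, earlier.name))
                break
    return found


if __name__ == "__main__":
    for label, chain in (("as configured", CHAIN), ("deny first", MISORDERED)):
        print(label)
        print("  admin HTTP -> gateway:",
              evaluate(chain, "192.168.0.2", "192.168.0.254", HTTP))
        print("  staff SMTP -> Internet:",
              evaluate(chain, "192.168.0.50", "203.0.113.10", SMTP))
        print("  unreachable rules:", shadowed(chain))
```

Running shadowed() over a planned chain before entering it in the GUI flags allow rules that a broader earlier deny rule has made ineffective.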
Chapter 16 VoIP
Voice over IP (VoIP) uses the IP protocol for voice and video transmission.
The main difference compared with conventional telephony is that the voice information is
not transmitted over a switched connection in a telephone network, but divided into data
packets by the Internet protocol and these packets are then passed to the destination over
undefined paths in a network. This technology uses the existing network infrastructure for
voice transmission and shares this with other communication services.
The Session Initiation Protocol (SIP) is used to set up, tear down and control a communication session.
16.1 Settings
16.1.1 Extensions
Here you can configure the numbers of the terminal devices (=Extensions) connected to
the media gateway, i.e. the numbers of the SIP terminals and the numbers of the ISDN terminals, depending on the available interfaces.
A list of all existing subscribers is displayed in the VoIP->Settings->Extensions menu.
16.1.1.1 Edit or New
Choose the icon to edit existing entries. Select the New button to create new extensions.
The VoIP->Settings->Extensions->New menu consists of the following fields:
Fields in the Basic Parameters menu.
Field
Description
Description
Enter the name of the extension.
Extension / User Name
ISDN terminals: Enter the subscriber number of the extension.
SIP terminals: Enter the user name.
A maximum of 40 characters can be entered.
Interface Type
Select the interface type to be used.
The selection depends on the interfaces available.
Possible values:
• : A SIP terminal device is used for the call.
• -9: An ISDN terminal device is used for the call. Can only
be selected if ISDN interfaces configured with Euro ISDN
point-to-multipoint (NT mode) are available.
• ,+3: An analogue terminal device is used for the call.
Can only be selected if analogue interfaces are available.
Select ISDN interface
Only for Interface Type = -9
Select an ISDN interface. The ISDN interfaces you can select depend on the device used.
Select analogue interface
Only for Interface Type = ,+3
Select an analogue interface.
Possible values:
• fxs5-1
• fxs5-2
• fxs5-3 (default value)
• fxs5-4
Registration
Only for Interface Type =
Specify whether the registration mechanism is to be used by SIP REGISTER. Normally, every SIP client (user) sends its current position to a REGISTRAR server by means of a REGISTER message. This information about the user and his current address is held by the REGISTRAR server and queried by other proxies to find the user.
The function is enabled with 7+.
The function is enabled by default.
Apart from this standard procedure, the relevant data can also be sent to a particular IP address that is already known to the correspondent. Registration and authentication are not then needed and the Registration function is disabled. An example of this method is Microsoft Exchange SIP.
Expire Time
Only if Registration is enabled.
Enter the time in seconds after which the current registration becomes invalid and a new registration request is therefore sent.
For clients, the external port is recognised automatically and
should not be changed.
Possible values are to .
The default value is .
SIP Endpoint IP Address
Only if Registration is disabled.
For configurations with no registration (e.g. connection to a Microsoft Exchange Communication Server) the connection can be set up as a static host. This requires you to specify the static IP address of the terminal.
Authentication ID
Only for Interface Type =
Enter a name that is to be used for authentication.
A maximum of 20 characters can be entered.
The name given here must also be entered on the SIP telephone.
If you do not enter a name, the name in the Extension / User Name field is used.
Password
Only for Interface Type =
Enter a password here.
A maximum of 20 characters can be entered.
The password given here must also be entered on the SIP telephone.
Protocol
Select the protocol to be used for data transmission.
Possible values: /- (default value), )% or )$.
If a protocol has been automatically recognised, it should not be
changed.
Port
Enter the number of the UDP, TCP or TLS port to be used for the connection to the server or proxy.
Possible values are to .
The default value is .
The menu Advanced Settings consists of the following fields:
Fields in the Codec Settings menu.
Field
Description
Codec Proposal Sequence
Choose the order in which the codecs are offered for use by the
media gateway. If the first codec cannot be used, the second is
tried and so on.
Possible values:
• -13+ (default value): the codec in the first position in the
menu will be used if possible.
• D3+0: The codecs are sorted by quality. If possible, the
codec with the best quality is used.
• $2: The codecs are sorted by required bandwidth. If
possible, the codec with the lowest bandwidth requirement is
used.
• >!: The codecs are sorted by required bandwidth. If
possible, the codec with the highest bandwidth requirement is
used.
Sort Order
Select the codecs to be proposed for the connection. The codecs chosen here are proposed in a certain order, depending
on the setting in the Codec Proposal Sequence field.
Possible values:
• ( 3$2: ISDN codec according to US law
• ( $2: ISDN codec according to EU law
• (: Compressed from 31 to 8 kbps; good voice quality
• (: Compressed from 63 to 40 kbps
• (: Compressed from 55 to 32 kbps
• (: Compressed from 47 to 24 kbps
• (: Compressed from 39 to 16 kbps
• -).' :37: DTMF Outband. First the system attempts to
use RFC 2833. If the remote terminal does not use this standard, SIP Info is used.
• ) '6: Allows the transmission of fax messages over
data networks.
• ?): SRTP is an encrypted variant of the Real-Time Transport Protocol (RTP).
• - "?'% #: Enable the transport of 64 kbit/s channel
data in RTP packets.
By default ( 3$2, ( $2 and ( are enabled.
The codecs actually used are the intersection of the codecs defined here and those signalled by the provider. For outgoing calls, any remaining codecs that would require more than the available bandwidth are dropped from the list.
Fields in the Voice Quality Settings menu.
Field
Description
Echo Cancellation
Select whether echo cancellation should be used.
Echo cancellation is a technique to suppress echo feedback in
voice communication on full duplex lines.
The function is enabled with 7+.
The function is enabled by default.
Comfort Noise Generation (CNG)
Specify whether Comfort Noise Generation should be used.
For digital voice transmission, this function introduces a low
level of background noise to avoid the impression that, during
pauses at the other end, the connection is lost.
The function is enabled with 7+.
The function is enabled by default.
Packet Size
Specify how many milliseconds of voice an RTP data packet
should contain.
Possible values are to .
The default value is .
16.1.2 SIP Accounts
If you want your device to connect to other SIP servers (e.g. servers of Internet SIP Service providers), you can configure the necessary entries here. In this case, the media gateway acts as a SIP client.
Furthermore, you can configure the entries for SIP trunking scenarios here. In this case,
the media gateway acts as a SIP server for other SIP servers. An example for this is the
connection of a SIP PBX (e.g. Asterisk) to the media gateway.
This means that not only all SIP provider accounts are configured here but also direct dialin PBXs connected with the media gateway.
Note
In no case should you use this menu to configure SIP extensions, i.e. for SIP clients or PSTN clients such as SIP telephones, terminal adapters or ISDN telephones.
SIP extensions can be configured in the VoIP->Extensions menu.
The VoIP->Settings->SIP Accounts menu displays a list of all existing SIP accounts (SIP
Client Mode and SIP Server Mode).
16.1.2.1 Edit or New
Select the New button to create new SIP accounts. Choose the icon to edit existing entries. In this menu SIP accounts are configured in SIP client mode as well as in SIP server mode.
The VoIP->Settings->SIP Accounts->New menu consists of the following fields:
Fields in the Basic Parameters menu.
Field
Description
Description
Enter the name of the SIP account.
Administrative Status
Select whether the SIP account should be enabled or disabled.
The function is enabled with 7+.
The function is enabled by default.
Trunk Mode
Select whether and in which trunk mode the SIP account should
be operated.
Trunk mode (DDI, Direct Dial In) allows an incoming call to be
assigned correctly to a terminal (DDI). For an outgoing call, the
caller can be indicated to the called party.
The setting that you can use depends on the provider.
Possible values:
• :11 (default value): Trunk mode is not used. The SIP account has only one number.
• %+: The media gateway is operated as DDI client. It is
assigned a DDI.
• : The media gateway is operated as a DDI server so
that DDI clients can connect.
• 20: The media gateway is operated as DDI client, but
used as a trunk. This setting is used to connect a softwarebased IP PBX from Swyx.
Registrar
Only for Trunk Mode = :11, %+ and 20
Enter the IP address or domain name (FQDN) of the SIP registrar. The maximum number of characters is 40.
Entries with spaces are not allowed.
SIP Endpoint IP Address
Only for Trunk Mode = and Registration type = 9
Enter the IP address or domain name (FQDN) of the SIP proxy
server.
Outbound Proxy
Only for Trunk Mode = :11, %+ or 20
Enter the name or IP address of the SIP outbound proxy server.
A maximum of 32 characters can be entered.
Here you must make an entry only if, for all SIP sessions, the
communication is not to be direct but via a further proxy.
In SIP client mode: Enter a name or IP address only if this is explicitly specified by the provider.
Realm
Enter a new domain name or a new IP address for the SIP
proxy server.
If you do not make an entry, the entry in the Registrar field is
used.
In SIP client mode: Enter a name or IP address only if this is explicitly specified by the provider.
Protocol
Select the protocol to be used for data transport.
Possible values: /- (default value) or )%
Enter the Port via which the data is to be transported.
The default value is .
In SIP client mode: The ports can be provider-specific.
User Name
In SIP client mode: Enter the username for authentication if your
VoIP provider has assigned one for you.
In SIP server mode: You must define the user name.
A maximum of 40 characters can be entered.
Authentication ID
Enter a name that is to be used for authentication with the outbound proxy.
If you do not enter a name, the name in the User Name field is
used.
In SIP client mode: Enter a name only if this is explicitly specified by the provider.
Password
In SIP client mode: The VoIP provider gives you a PIN or password for authentication. You must enter this value here.
In SIP server mode: Define a PIN or a password.
A maximum of 40 characters can be entered.
Location
Set the location of the VoIP subscriber.
Possible values:
• 9 1 "? 1 9
2B :+0# (default value): The VoIP subscriber is only
registered if located within the private network.
• $,9: The VoIP subscriber is only registered if located in the
LAN.
Registration type
Specify how registration and authentication at a provider are to
be handled, or if they can be omitted completely. In the latter case,
the relevant data are sent to a particular IP address that is
already known to the correspondent. Registration and authentication are not then needed and the Registration function is disabled. An example of this method is Microsoft Exchange SIP.
If a registration is required, it can be carried out in either of two
ways:
• +: With this option, a single MSN is registered with the
SIP provider.
• &3+B "&9%#: With this option, a SIP Trunk (DDI) is registered with the SIP provider, i.e. several numbers are registered under a single address.
• 9 : There is no registration.
Expire Time
Only if Registration type = + or &3+B "&9%#
Enter the time in seconds after which the current registration becomes invalid and a new registration request is therefore sent.
Possible values are to .
The default value is .
In answer to a REGISTER request, a server can set another Expire Time which overwrites the setting here.
Called Address
Determines from which parameter of the called address the number is extracted.
Possible values:
• (default value): Extracts the number from the first
part of the address. If this fails, the number is extracted from
the second part of the address.
• ?J3 /?: In some applications (especially in DDI connections) the target address of a SIP call needs to be extracted from the Request URI. By activating this option the address is preferably read from this field of the invite.
Check Source IP
As a response to a DNS SRV request, your SIP provider transmits the addresses of valid registration servers. If you activate this option, each SIP invite has its source IP checked against these valid addresses. If it does not originate from one of them, the invite is ignored. The option is not active by default.
TLS certificate check
Only for DDI / SIP trunk connections. If a connection is encrypted using TLS (Transport Layer Security), a validity check on the server certificate of the remote station is performed. The option is not active by default.
Fields in the Trunk Settings menu.
Field
Description
SIP Header Field: FROM Display
Not for Trunk Mode = :11
The sender ID is placed in the "Display" field of the SIP header.
Possible values:
• 9 (default value): The sender ID is not sent.
• /: The user-configured user name is displayed.
• %++ ,: The user-configured number the called
party is displayed.
• &++ 937: The actual phone number from which the call is initiated (e.g. for billing purposes) is displayed.
SIP Header Field: FROM User
Not for Trunk Mode = :11
The sender ID is sent in the "User" field of the SIP header.
Possible values:
• /(default value): The user-configured user name is
displayed.
• %++ ,: The user-configured number the called
party is displayed.
• &++ 937: The actual phone number from which the
call is initiated (e.g. for billing purposes) is displayed.
SIP Header Field: PPreferred
Not for Trunk Mode = :11
The so-called "p-preferred-identity" field is added to the SIP
header and contains the sender ID.
Possible values:
• 9 (default value): The sender ID is not sent.
• /: The user-configured user name is displayed.
• %++ ,: The user-configured number the called
party is displayed.
• &++ 937: The actual phone number from which the
call is initiated (e.g. for billing purposes) is displayed.
SIP Header Field: PAsserted
Not for Trunk Mode = :11
The so-called "p-asserted-identity" field is added to the SIP
header and contains the sender ID.
Possible values:
• 9 (default value): The sender ID is not sent.
• /: The user-configured user name is displayed.
• %++ ,: The user-configured number the called
party is displayed.
• &++ 937: The actual phone number from which the
call is initiated (e.g. for billing purposes) is displayed.
Subscribe Number
Only for Trunk Mode = %+ or
You can set a number that is added as a prefix for outgoing
calls to the sender's number and is removed from the destination number for incoming calls. This corresponds to the trunk
(exchange) number of an exchange.
Billing Number
Enter the phone number from which the call is established.
The menu Advanced Settings consists of the following fields:
Fields in the Codec Settings menu.
Field
Description
Codec Proposal Sequence
Choose the order in which the codecs are offered for use by the
media gateway. If the first codec cannot be used, the second is
tried and so on.
Possible values:
• -13+ (default value): the codec in the first position in the
menu will be used if possible.
• D3+0: The codecs are sorted by quality. If possible, the
codec with the best quality is used.
• $2 &2!: The codecs are sorted by required bandwidth. If possible, the codec with the lowest bandwidth requirement is used.
• >! &2!: The codecs are sorted by required bandwidth. If possible, the codec with the highest bandwidth requirement is used.
Sort Order
Select the codecs to be proposed for the connection. The codecs chosen here are proposed in a certain order, depending
on the setting in the Codec Proposal Sequence field.
Possible values:
• ( 3$2: ISDN codec according to US law
• ( $2: ISDN codec according to EU law
• (: Compressed from 31 to 8 kbps; good voice quality
• (: Compressed from 63 to 40 kbps
• (: Compressed from 55 to 32 kbps
• (: Compressed from 47 to 24 kbps
• (: Compressed from 39 to 16 kbps
• -).' :37: DTMF Outband. First the system attempts to
use RFC 2833. If the remote terminal does not use this standard, SIP Info is used.
• ) '6: Allows the transmission of fax messages over
data networks.
• ?): SRTP is an encrypted variant of the Real-Time Transport Protocol (RTP).
• - "?'% #: Enable the transport of 64 kbit/s channel
data in RTP packets.
By default ( 3$2, ( $2 and ( are enabled.
The codecs actually used are the intersection of the codecs
defined here and those signalled by the provider. For outgoing
calls, any remaining codecs that would require more than the
available bandwidth are dropped from the list.
Fields in the Voice Quality Settings menu.
Field
Description
Echo Cancellation
Select whether echo cancellation should be used.
Echo cancellation is a technique to suppress echo feedback in
voice communication on full duplex lines.
The function is enabled with 7+.
The function is enabled by default.
Comfort Noise Generation (CNG)
Specify whether Comfort Noise Generation should be used.
For digital voice transmission, this function introduces a low
level of background noise to avoid the impression that, during
pauses at the other end, the connection is lost.
The function is enabled with 7+.
The function is enabled by default.
Packet Size
Specify how many milliseconds of voice an RTP data packet
should contain.
Possible values are to .
The default value is .
16.1.3 Locations
In the VoIP->Settings->Locations menu you configure the locations of the VoIP subscribers who have been configured on your system, and define the bandwidth management
for the VoIP traffic.
Individual locations can be set up for using the bandwidth management. A location is identified from its fixed IP address or DynDNS address or from the interface to which the device
is connected. The available VoIP bandwidth (up- and downstream) can be set up for each
location.
Only for compact systems: A predefined entry with the parameters Description = $,9,
Parent Location = 9, Type = 1*, Interfaces = $,9; 9
is displayed.
Fields in the Registration behavior for VoIP subscribers without assigned location menu.
Field
Description
Default Behavior
Specify how the system is to proceed when registering VoIP
subscribers for whom no location has been defined.
Possible values:
• ? 1 92B :+0 (default
value): The VoIP subscriber is only registered if located within
the private network.
• 9 ++2: The VoIP subscriber is never registered.
• /* ?: The VoIP subscriber is always registered.
16.1.3.1 Edit or New
Choose the icon to edit existing entries. Select the New button to create new entries.
The menu VoIP->Settings->Locations->New consists of the following fields:
Fields in the Basic Settings menu.
Field
Description
Description
Enter the description of the entry.
Parent Location
You can cascade the SIP locations as you wish. Define here
which of the defined SIP locations constitutes the high-level node for the SIP location to be configured here.
Type
Select whether the location is to be defined through IP addresses/DNS names or interfaces.
Possible values:
• , (default value): The SIP location is defined via
IP addresses or DNS names.
• 1*: The SIP location is defined via the available interfaces.
Addresses
Only for Type = ,
Enter the IP addresses of the devices at the SIP locations.
Click Add to configure new addresses.
Enter the IP address or DNS name that you want under IP Address/DNS Name.
Also enter the required Netmask.
Interfaces
Only for Type = 1*
Indicate the interfaces to which the devices of a SIP location are
connected.
Click Add to select a new interface.
Under Interface, select the interface you want.
Upstream Bandwidth Limitation
Determine whether the upstream bandwidth is to be restricted.
The bandwidth is reduced with 7+.
The function is disabled by default.
Maximum Upstream Bandwidth
Enter the maximum data rate in the send direction in kBits per
second.
Downstream Bandwidth Limitation
Determine whether the downstream bandwidth is to be restricted.
The bandwidth is reduced with 7+.
The function is disabled by default.
Maximum Downstream Bandwidth
Enter the maximum data rate in the receive direction in kBits per
second.
The menu Advanced Settings consists of the following fields:
Fields in the Advanced Settings menu.
Field
Description
DSCP Settings for rtp Traffic
Select the Type of Service (TOS) for RTP data.
Possible values:
• -% &0 E+3 (default value): Differentiated Services Code Point according to RFC 3260 is used to signal the
priority of IP packets (indicated in binary format, 6 bit). The
preconfigured value is .
• -% -*+ E+3: Differentiated Services Code Point
according to RFC 3260 is used to signal the priority of IP
packets (indicated in decimal format).
• -% >6*+ E+3: Differentiated Services Code
Point according to RFC 3260 is used to signal the priority of
IP packets (indicated in hexadecimal format).
• ): &0 E+3: The TOS value is specified in binary
format, e.g. 00111111.
• ): -*+ E+3: The TOS value is specified in decimal
format, e.g. 63.
• ): >6*+ E+3: The TOS value is specified in
hexadecimal format, e.g. 3F.
16.1.4 ISDN Trunks
Your device must have at least two ISDN connections in point-to-point mode (BRI or PRI),
which are configured as TE (party line) or NT for a configuration in the ISDN Trunks menu.
In this menu, the ISDN party lines (bundles) are defined.
16.1.4.1 Edit or New
Choose the icon to edit existing entries. Select the New button to create a new party
line.
The VoIP->Settings->ISDN Trunks menu consists of the following fields:
Fields in the Basic Parameters menu.
Field
Description
Description
Enter the name of the party line.
The maximum number of characters is 40.
ISDN Mode
Select the mode in which the party line is to be operated.
Possible values:
• 6 (default value): Point-to-Point TE connection
(telecom party line)
• )3B: Point-to-Point NT connection (for connection of a
PABX).
Members
Select the desired ISDN interfaces to be included with this party
line.
You can choose among the ISDN connections in point-to-point
mode (BRI or PRI), which are configured as TE (party line) or
NT.
16.1.5 Options
In the VoIP->Settings->Options menu you can perform global settings for the Media Gateway.
The VoIP->Settings->Options menu consists of the following fields:
Fields in the Basic Parameters menu.
Field
Description
Media Gateway Status
Select whether the media gateway function should be enabled.
The function is enabled with 7+.
The function is disabled by default.
Session Border Controller Mode
Specify how the media gateway should behave in conjunction
with a session border controller.
Possible values:
• ,3 (default value): for all extensions that exactly agree
with an existing SIP account, the call routing is handled by the
session border controller, i.e. all SIP messages configured for
the corresponding SIP account are forwarded to the session
border controller. For all other extensions, the call routing is
handled by the media gateway in accordance with the entries
configured under Call Routing. Note that the call routing is
handled by the media gateway if the provider is not available
(backup).
• :11: Call routing is handled exclusively by the media gateway
in accordance with the entries configured under Call Routing
and the local extensions. For calls that are to be routed via a
particular provider (SIP account), you must configure a corresponding call routing entry. Internal calls (from internal extension to internal extension) that are only to be routed internally do not require an additional call routing entry.
• @ )3BA: Select a SIP trunk account configured under
VoIP->Settings->SIP Accounts. In this case, the call routing
for all extensions is handled by the session border controller,
all SIP messages are forwarded to the session border controller. Note that the call routing is handled by the media gateway
if the provider is not available (backup).
Please note: Entries in Call Routing have priority ahead of the
session border controller configuration!
Call Routing for local Extensions
Determine if routing entries are to be preferred over extensions.
7+ activates this function.
The function is enabled by default.
Media Stream Termination
Choose how RTP sessions are controlled by the system.
If the function is enabled, RTP sessions are terminated on the
media gateway, i.e. all RTP streams are controlled by the media
gateway and routed via the media gateway. The participating
terminal devices (e.g. SIP telephones) are not connected directly with one another. Note that, for VoIP to VoIP connections,
there is no code translation for different VoIP terminal codecs.
The codecs of media gateway and VoIP terminals must therefore agree.
If the function is disabled, RTP sessions are not terminated on
the media gateway, i.e. all RTP streams are routed by the media gateway without termination. The RTP data packets can be
routed in complex networks and thus also via other gateways.
The function is enabled with 7+.
The function is enabled by default.
Default Drop Extension
You can specify an extension to which incoming calls are forwarded if they cannot be assigned to an extension or connected
PABX.
Dial Latency
Enter the maximum delay time before the system assumes the
call number entered is complete and starts the SIP dialling process (sends the SIP INVITE message). This timeout is reset
each time that a button is pressed.
Possible values are to .
The default value is .
If you terminate the number entered with #, dialling is immediate.
Fields in the Advanced Settings menu.
Field
Description
ISDN Call Signalling
If you have connected a PABX to one of the internal ISDN connections, you can specify how to treat subscriber numbers of a
DDI here. For some PABXs the type of number has to be identified, and the International Prefix / Country Code and/or the
National Prefix / Area Code have to be removed from the subscriber number in order to correctly identify the subscriber. You
can do this by selecting *1*4 +G + 377 37.
Possible values:
• 4 +20 3B2 37: The type of
number is not detected.
• *1*4 +G + 37
*7 37: The type of number is detected. If required, the International Prefix / Country Code and/or the
National Prefix / Area Code are removed from the subscriber number.
Speed Dialing
Define short sequences of numbers that can be dialled instead
of the entire number.
Click Add to configure new speeddial numbers.
Enter the desired speeddial number for the user, e.g.
under Shortcut.
Under Replacement enter the subscriber number to be dialled
in place of the speed dial number, e.g. (.
In the example above, if a user types in Q, the device dials
(.
If the user wishes to call extension , he types in Q.
The device dials (.
A period at the end of the number indicates a complete number.
This is dialled immediately the period is recognised.
If you want to use a speeddial number from this list, you must dial * followed by the speeddial number.
16.2 Media Gateway
A media gateway serves as a translation instance between different telecommunications
networks, e.g. between the plain old phone network and the next generation networks (IP
networks).
With the bintec elmeg Media Gateway, a company equipped with an automatic
PBX on a wired telephone network can be connected to a SIP Trunking Service Provider
on the Internet in order to use IP telephony.
The bintec elmeg Media Gateway supports the binding of several SIP Provider
Accounts. With this gateway, you can set up extensions, create an extension number plan,
configure exchange functions and optimise voice data transmission for low bandwidth
of the upload connection.
Note
Your device must be equipped with a DSP module to be able to use the media gateway functions.
Please consult the data sheet of your device to find out whether the DSP module is an
integral component of your device or if you can mount a DSP module. Information on
mounting the DSP module is provided in the installation instructions included with the
module.
16.2.1 Call Routing
Here you can define the conditions for the routing of calls. Define a list with rules or rule
chains that are used to manipulate the indicated destination numbers.
A list of all existing entries is displayed in the VoIP->Media Gateway->Call Routing menu.
16.2.1.1 Edit or New
Choose the icon to edit existing entries. Select the New button to create new entries.
The VoIP->Media Gateway->Call Routing-> ->New menu consists of the following fields:
Fields in the Basic Parameters menu.
Field
Description
Description
Enter the name of the entry.
Administrative Status
Select whether the entry should be activated.
The function is enabled with 7+.
The function is enabled by default.
Type
Specify how calls are to be routed.
Possible values:
• ,** ?3+: For calls forwarded by the media gateway to
a PBX or an ISDN TE connector or a SIP DDI client. For this,
the following can be used: PRI interfaces in NT mode, BRI interfaces in NT mode, SIP accounts in trunk mode (server
mode).
• -0: For calls that are not to be routed (to be blocked).
Calling Line
You can restrict the application of the entry to the line on which
the call comes in.
The selection depends on the interfaces available and on the
SIP accounts that have been created.
Possible values:
• @1* 6A: restricts the routing entry to the
selected PRI interface.
• [email protected]* 6A: restricts the routing entry to the
selected BRI interface.
• @ ,**3A: restricts the routing entry to the selected
SIP account.
• ,0: No restriction of the entry.
Calling Address
You can restrict the application of the entry to a particular caller.
To do this, you must specify the subscriber number exactly (no
wildcards).
Called Address
Enter the called address to which the rule is to be applied.
To do this, enter an address numerically (e.g. a subscriber number) or alphanumerically (e.g. for a trunk) that is to be compared
with a dialled address.
The following wildcards can be used:
• * means that at the end of a character string any number of
characters may follow,
• ? is a placeholder for an arbitrary character.
If the configured address agrees with the signalled address, the
entry is used.
In the Routing Rules menu you can define rules to determine how the subscriber number
is manipulated before it is used for dialling.
Use Add to create more entries.
Fields in the Routing Rules menu (For Type = Accept Rule only)
Field
Description
Priority
Enter a whole number starting with 1 in ascending order to
define the order of filter rules.
The rules are worked through in the order given in the list.
If a line or SIP account is not available, the next rule is automatically used.
Administrative Status
Select whether the rule should be activated.
The rule is enabled with 7+.
The rule is active by default.
Line
Choose the ISDN line (PRI, BRI) or SIP account used for the
outgoing call.
Called Address Translation
Enter how the subscriber number is manipulated before it is
used for dialling.
Notation: <a:b>; i.e. a is replaced by b. Every rule must be
ended with a semicolon. A number of rules can be chained together using semicolons as separators, e.g. <a:b>;<c:d>;<e:f>.
After confirmation of entry, the rule chain is automatically sorted
by the "best match" method.
Numerical and alphanumerical values are permissible.
? is a placeholder for an arbitrary character.
Example 16.1. Example of a rule
• Rule: <:+49911>;
• number dialled: 96731234
• manipulated number: +4991196731234
16.2.2 CLID Translation
Here you define the processing of the calling party number for incoming calls.
You can, for example, add a prefix to a received call number in order to route corresponding outgoing calls via a particular SIP account.
In the VoIP->Media Gateway->CLID Translation menu, a list of all existing entries
used to edit the received number is shown.
16.2.2.1 Edit or New
Choose the icon to edit existing entries. Select the New button to create entries for
CLID translation.
The VoIP->Media Gateway->CLID Translation-> ->New menu consists of the following fields:
Fields in the Basic Parameters menu.
Field
Description
Description
Enter the name of the entry.
Calling Line
Select the ISDN line or SIP account from which the call comes.
The selection depends on the interfaces available and on the
SIP accounts that have been created.
Possible values:
• @1* 6A: Restricts the entry to the selected
PRI interface.
• [email protected]* 6A: Restricts the entry to the selected
BRI interface.
• @ ,**3A: Restricts the entry to the selected SIP account.
• ,0: No restriction of the entry.
Called Line
Here you have the option of entering the destination line of the
call.
Possible values:
• @1* 6A: Restricts the entry to the selected
PRI interface.
• [email protected]* 6A: Restricts the entry to the selected
BRI interface.
• @ ,**3A: Restricts the entry to the selected SIP account.
• ,0: No restriction of the entry.
Enter either Called Line or Called Address.
If a value other than ,0 is selected, Called Address should
not be used. If Called Line = ,0 and Called Address is not
used, all calls for Called Line are processed.
Called Address
Here you have the option of entering the destination address of
the call.
Enter either Called Line or Called Address. If Called Address
is used, then Called Line = ,0 can be set.
Calling Address Translation
Enter the transformation rule applied to the call numbers.
Notation: <a:b>; i.e. a is replaced by b. Every rule must be
ended with a semicolon. A number of rules can be chained together using semicolons as separators, e.g. <a:b>;<c:d>;<e:f>;.
After confirmation of entry, the rule chain is automatically sorted
by the "best match" method.
? is a placeholder for an arbitrary digit.
Example 16.2. Example of a rule
• Rule: <:+49911>;
• number dialled: 96731234
• manipulated number: +4991196731234
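The `<a:b>;` rule-chain notation used by Called Address Translation (16.2.1) and Calling Address Translation (16.2.2), together with the Called Address wildcards, as an added Python example that is not bintec elmeg code. It assumes that a is matched as a prefix of the number and that "best match" means the longest, most specific pattern is tried first; the manual defines neither, and all function names are hypothetical.

```python
import re

# One rule: <a:b>; (a may be empty, the terminating semicolon is mandatory).
_RULE = re.compile(r"<([^<>:;]*):([^<>:;]*)>;")


def parse_rule_chain(chain):
    """Split '<a:b>;<c:d>;' into [(a, b), (c, d)], rejecting malformed input."""
    chain = chain.strip()
    rules, pos = [], 0
    while pos < len(chain):
        m = _RULE.match(chain, pos)
        if not m:
            raise ValueError(f"malformed rule at offset {pos}: {chain[pos:]!r}")
        rules.append((m.group(1), m.group(2)))
        pos = m.end()
    if not rules:
        raise ValueError("empty rule chain")
    return rules


def sort_best_match(rules):
    """Assumed meaning of 'best match': longest pattern first,
    and among equal lengths the one with fewer '?' placeholders."""
    return sorted(rules, key=lambda r: (-len(r[0]), r[0].count("?")))


def _prefix_matches(pattern, number):
    # '?' stands for one arbitrary character; everything else is literal.
    if len(pattern) > len(number):
        return False
    return all(p == "?" or p == c for p, c in zip(pattern, number))


def translate(number, chain):
    """Apply the best-matching rule of the chain to a number.
    Assumption: a is anchored at the start of the number, so an empty a
    (as in the manual's example) simply prepends b."""
    for pattern, replacement in sort_best_match(parse_rule_chain(chain)):
        if _prefix_matches(pattern, number):
            return replacement + number[len(pattern):]
    return number  # no rule applies, number is left unchanged


def called_address_matches(pattern, dialled):
    """Called Address comparison: a trailing '*' allows any number of
    further characters, '?' is a placeholder for one character."""
    if pattern.endswith("*"):
        return _prefix_matches(pattern[:-1], dialled)
    return len(pattern) == len(dialled) and _prefix_matches(pattern, dialled)


if __name__ == "__main__":
    # The manual's own example (Example 16.1 / 16.2).
    print(translate("96731234", "<:+49911>;"))
    # Constructed chain: international, national and local numbers.
    chain = "<:+49911>;<0:+49>;<00:+>;"
    for dialled in ("0033123", "096731234", "96731234"):
        print(dialled, "->", translate(dialled, chain))
    print(called_address_matches("0911*", "09119673200"))
```

Running a planned chain through `translate` before entering it shows which numbers a catch-all rule such as `<:+49911>;` would also rewrite.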
16.2.3 Call Translation
You can create a list for the translation of subscriber numbers, i.e. this list associates internal and external numbers.
Note
Which number (called party number or calling party number) is translated depends on
the direction (incoming or outgoing) of the call in question. For incoming calls it is the
called party number, for outgoing calls the calling party number that is translated.
For example, the internal number 340 can be shown externally as 09119673900 or a call
from outside for the number 09119673200 can be routed internally to the number 340.
In the VoIP->Media Gateway->Call Translation menu, a list of existing transformations is
displayed.
16.2.3.1 Edit or New
Choose the icon to edit existing entries. Select the New button to create entries for call
translation.
The VoIP->Media Gateway->Call Translation-> ->New menu consists of the following fields:
Fields in the Basic Parameters menu.
Field
Description
Description
Enter the name of the call translation.
Direction
Select the direction for the entry.
Possible values:
• &! (default value): For incoming and outgoing calls
(bidirectional).
• *: For incoming calls.
• :3: For outgoing calls.
Associated Line
Select the ISDN line or SIP account via which the calls are to be
routed.
Possible values:
• @1* 6A: Restricts the call to the selected
PRI interface.
• [email protected]* 6A: Restricts the call to the selected
BRI interface.
• @ ,**3A: restricts the call to the selected SIP account.
Local Address
Enter the internal number (e.g. extension or PABX number). For
incoming calls, the signalled Called Party Number (corresponds
in the menu to the External Address) is translated to Local
Address. For outgoing calls, the signalled Calling Party Number
(corresponds in the menu to the Local Address field) is translated to External Address.
Numerical and alphanumerical characters are permissible.
R is a placeholder for an arbitrary digit.
Local Address and External Address must contain the
same number of wildcards.
External Address
Enter the external number (e.g. ISDN MSN or SIP account subscriber number). For incoming calls, the signalled Called Party
Number (corresponds in the menu to the External Address) is
translated to Local Address. For outgoing calls, the signalled
Calling Party Number (corresponds in the menu to the Local
Address field) is translated to External Address.
The External Address is not shown if the field Associated
Line = @ ,**3A is set. In this case, the User Name of
the selected SIP Account is used as External Address.
Chapter 17 Local Services
This menu offers services for the following application areas:
• Name resolution (DNS)
• Configuration via web browser (HTTPS)
• Locating of dynamic IP addresses using a DynDNS provider
• Configuration of gateway as a DHCP server (assignment of IP addresses)
• Assignment of incoming and outgoing data and voice calls to authorised users (CAPI
server)
• Automation of tasks according to schedule (scheduling)
• Alive checks for hosts or interfaces, ping tests
• Realtime video/audio conferences (Messenger services, universal plug & play)
• Provision of public Internet accesses (hotspot).
• Start network devices that are switched off via an integrated network card
(Wake-On-LAN)
• Data traffic of a specific interface (Trace Interface)
17.1 DNS
Each device in a TCP/IP network is usually located by its IP address. Because host names
are often used in networks to reach different devices, it is necessary for the associated IP
address to be known. This task can be performed by a DNS server, which resolves the
host names into IP addresses. Alternatively, name resolution can also take place over the
HOSTS file, which is available on all PCs.
Your device offers the following options for name resolution:
• DNS Proxy, for forwarding DNS requests sent to your device to a suitable DNS server.
This also includes specific forwarding of defined domains (Forwarded Domains).
• DNS cache, for saving the positive and negative results of DNS requests.
• Static entries (static hosts), to manually define or prevent assignments of IP addresses to
names.
• DNS monitoring (statistics), to provide an overview of DNS requests on your device.
Name server
Under Local Services->DNS->DNS Servers->New you enter the IP addresses of name
servers that are queried if your device cannot answer requests itself or by forwarding
entries. Global name servers and name servers that are attached to an interface can both
be entered.
Your device can also receive the global name servers dynamically via PPP or DHCP and
transfer them dynamically if necessary.
Strategy for name resolution on your device
A DNS request is handled by your device as follows:
(1) If possible, the request is answered directly from the static or dynamic cache with IP
address or negative response.
(2) Otherwise, if a suitable forwarding entry exists, the relevant DNS server is asked, depending on the configuration of the Internet or dialin connections, if necessary by setting up a WAN connection at extra cost. If the DNS server can resolve the name, the
information is forwarded and a dynamic entry created in the cache.
(3) Otherwise, if name servers have been entered, taking into account the priority configured and if the relevant interface status is "up", the primary DNS server is queried
and then the secondary DNS server. If one of the DNS servers can resolve the name,
the information is forwarded and a dynamic entry created in the cache.
(4) Otherwise, if a suitable Internet or dialin connection is selected as the standard interface, the relevant DNS server is asked, depending on the configuration of the Internet
or dialin connections, if necessary by setting up a WAN connection at extra cost. If
one of the DNS servers can resolve the name, the information is forwarded and a dynamic entry created in the cache.
(5) Otherwise, if overwriting the addresses of the global name servers is allowed in the
WAN->Internet + Dialup menu (Interface Mode = -0*), a connection is set up
– if necessary at extra cost – to the first Internet or dialin connection configured to enable DNS server addresses to be requested from DNS servers ( DNS Negotiation =
7+), if this has not been already attempted. When the name servers have been
negotiated successfully, these name servers are then available for more queries.
(6) Otherwise the initial request is answered with a server error.
If one of the DNS servers answers with , the initial request is immediately answered accordingly and a corresponding negative entry is made in the DNS
cache of your device.
17.1.1 Global Settings
The menu Local Services->DNS->Global Settings consists of the following fields:
Fields in the Basic Parameters menu
Field
Description
Domain Name
Enter the standard domain name of your device.
WINS Server
Enter the IP address of the first and, if necessary, alternative
global Windows Internet Name Server (=WINS) or NetBIOS
Name Server (=NBNS).
Primary
Secondary
The menu Advanced Settings consists of the following fields:
Fields in the Advanced Settings menu
Field
Description
Positive Cache
Select whether the positive dynamic cache is to be activated,
i.e. successfully resolved names and IP addresses are to be
stored in the cache.
The function is activated by selecting 7+.
The function is enabled by default.
Negative Cache
Select whether the negative dynamic cache is to be activated,
i.e. whether queried names for which a DNS server has sent a
negative response are stored as negative entries in the cache.
The function is activated by selecting 7+.
The function is enabled by default.
Cache Size
Enter the maximum total number of static and dynamic entries.
Once this value is reached, the dynamic entry not requested for
the longest period of time is deleted when a new entry is added.
If Cache Size is reduced by the user, dynamic entries are deleted
if necessary. Static entries are not deleted. Cache Size
cannot be set to lower than the current number of static entries.
Possible values: .. .
The default value is .
Maximum TTL for Positive Cache Entries
Enter the value to which the TTL is to be set for a positive dynamic DNS entry in the cache if its TTL is or its TTL exceeds
the value for Maximum TTL for Positive Cache Entries.
The default value is .
Maximum TTL for Negative Cache Entries
Enter the value to which the TTL is to be set in the case of a
negative dynamic entry in the cache.
The default value is .
Fallback interface to get DNS server
Select the interface to which a connection is set up for name
server negotiation if other name resolution attempts were not
successful.
The default value is ,3*, i.e. a one-time connection is
set up to the first suitable connection partner configured in the
system.
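The cache behaviour described under Cache Size and the two Maximum TTL fields, modelled as an added Python example that is not the device's implementation. Class and method names, the sizes and the TTL limits are constructed; only the "TTL exceeds the maximum" condition is modelled, because the other condition is missing from the text above.

```python
from collections import OrderedDict


class DnsCache:
    """Static entries are never evicted; dynamic entries are evicted in
    order of 'not requested for the longest period of time'."""

    def __init__(self, size, max_pos_ttl, max_neg_ttl):
        self.size = size                # static + dynamic entries together
        self.max_pos_ttl = max_pos_ttl  # cap for positive dynamic entries
        self.max_neg_ttl = max_neg_ttl  # TTL given to negative entries
        self.static = {}                # name -> ip
        self.dynamic = OrderedDict()    # name -> (ip or None, expiry)

    def _evict_to(self, limit):
        # Drop least recently requested dynamic entries until we fit.
        while len(self.static) + len(self.dynamic) > limit and self.dynamic:
            self.dynamic.popitem(last=False)

    def add_static(self, name, ip):
        if name not in self.static and len(self.static) >= self.size:
            raise ValueError("cache size exhausted by static entries")
        self.dynamic.pop(name, None)
        self.static[name] = ip
        self._evict_to(self.size)

    def store(self, name, ip, ttl, now):
        """Cache an upstream answer; ip=None is a negative response."""
        if name in self.static:
            return False                # static assignment takes precedence
        if ip is None:
            ttl = self.max_neg_ttl
        elif ttl > self.max_pos_ttl:
            ttl = self.max_pos_ttl      # upstream TTL is clamped
        self.dynamic.pop(name, None)
        self._evict_to(self.size - 1)   # make room for the new entry
        if len(self.static) + len(self.dynamic) >= self.size:
            return False                # only static entries left
        self.dynamic[name] = (ip, now + ttl)
        return True

    def lookup(self, name, now):
        if name in self.static:
            return ("static", self.static[name])
        entry = self.dynamic.get(name)
        if entry is None:
            return ("miss", None)
        ip, expiry = entry
        if now >= expiry:
            del self.dynamic[name]
            return ("miss", None)
        self.dynamic.move_to_end(name)  # mark as most recently requested
        return ("negative", None) if ip is None else ("positive", ip)

    def resize(self, new_size):
        if new_size < len(self.static):
            raise ValueError("Cache Size below number of static entries")
        self.size = new_size
        self._evict_to(new_size)


if __name__ == "__main__":
    # Constructed sample data (documentation address ranges).
    cache = DnsCache(size=3, max_pos_ttl=100, max_neg_ttl=20)
    cache.add_static("printer.lan", "192.0.2.10")
    cache.store("a.example", "198.51.100.1", ttl=3600, now=0)
    cache.store("b.example", None, ttl=0, now=0)
    print(cache.lookup("a.example", now=10))
    cache.store("c.example", "198.51.100.3", ttl=50, now=10)
    print(cache.lookup("b.example", now=11))   # evicted, not expired
    print(cache.lookup("a.example", now=100))  # clamped TTL has run out
```

The clamp also bounds how long an incorrect upstream answer can stay in the cache, whatever TTL the answering server supplied.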
Fields in the IP address to use for DNS/WINS server assignment menu
Field
Description
As DHCP Server
Select which name server addresses are sent to the DHCP client if your device is used as DHCP server.
Possible values:
• 9: No name server address is sent.
• :2 , (default value): The address of your
device is transferred as the name server address.
• -9 : The addresses of the global name servers
entered on your device are sent.
As IPCP Server
Select which name server addresses are to be transmitted by
your device in the event of dynamic server name negotiation if
your device is used as the IPCP server for PPP connections.
Possible values:
• 9: No name server address is sent.
• :2 ,: The address of your device is transferred
as the name server address.
• -9 (default value): The addresses of the global
name servers entered on your device are sent.
17.1.2 DNS Servers
A list of all configured DNS servers is displayed in the Local Services->DNS->DNS Servers menu.
17.1.2.1 Edit or New
Choose the icon to edit existing entries. Select the New button to set up additional DNS
servers.
Here you can configure both global DNS servers and DNS servers that are to be assigned
to a particular interface.
Configuring a DNS server for a particular interface can be useful, for example, if accounts
with different providers have been set up via different interfaces and load balancing is being used.
The Local Services->DNS->DNS Servers->New menu consists of the following fields:
Fields in the Basic Parameters menu.
Field
Description
Admin Status
Select whether the DNS server should be enabled.
The function is activated by selecting 7+.
The function is enabled by default.
Description
Enter a description for the DNS server.
Priority
Assign a priority to the DNS server.
You can assign more than one pair of DNS servers (Primary DNS Server and Secondary DNS Server) to an interface (for example, to an Ethernet port or a PPPoE WAN partner). The pair with the highest priority is used if the interface is "up".
Possible values from (highest priority) to (lowest priority).
The default value is .
Interface Mode
Select whether the IP addresses of name servers for resolving the names of Internet addresses are to be obtained automatically or whether up to two fixed DNS server addresses are to be entered, depending on the priority.
Possible values:
• *
• -0* (default value)
Interface
Select the interface to which the DNS server pair is to be assigned.
For Interface Mode = -0*
A global DNS server is created with the setting 9.
For Interface Mode = *
A DNS server is configured for all interfaces with the ,0
setting.
IP Version
Select the IP version used.
Possible values:
• • is selected by default.
Primary IPv4 DNS Server
Only if Interface Mode = *
Enter the IPv4 address of the first name server for Internet address name resolution.
Secondary IPv4 DNS Server
Only if Interface Mode = *
Optionally, enter the IPv4 address of an alternative name server.
Primary IPv6 DNS Server
Only if Interface Mode = *
Enter the IPv6 address of the first name server for Internet address name resolution.
Secondary IPv6 DNS Server
Only if Interface Mode = *
Optionally, enter the IPv6 address of an alternative name server.
17.1.3 Static Hosts
A list of all configured static hosts is displayed in the Local Services->DNS->Static Hosts
menu.
17.1.3.1 New
Choose the New button to set up new static hosts.
The menu Local Services->DNS->Static Hosts->New consists of the following fields:
Fields in the Basic Parameters menu.
Field
Description
DNS Hostname
Enter the host name to which the IP Address defined in this
menu is to be assigned if a positive response is received to a
DNS request. If a negative response is received to a DNS request, no address is specified.
The entry can also start with the wildcard *, e.g.
*.bintec-elmeg.com.
If a name is entered without a dot, it is completed with "<Name.> " after confirmation with OK.
Entries with spaces are not allowed.
Response
In this entry, select the type of response to DNS requests.
Possible values:
• 9: A DNS request for DNS Hostname gets a negative response.
• (default value): A DNS request for DNS Hostname is answered with the related IP Address.
• 9: A DNS request is ignored; no answer is given.
IPv4 Address
Only if Response =
Enter the IPv4 address assigned to DNS Hostname.
IPv6 Address
Only if Response =
Enter the IPv6 address assigned to DNS Hostname.
17.1.4 Domain Forwarding
In the Local Services->DNS->Domain Forwarding menu, a list of all configured forwardings for defined domains is displayed.
17.1.4.1 New
Choose the New button to set up additional forwardings.
The menu Local Services->DNS->Domain Forwarding->New consists of the following
fields:
Fields in the Forwarding Parameters menu.
Field
Description
Forward
Select whether requests for a host or domain are to be forwarded.
Possible values:
• > (default value)
• -
Host
Only for Forward = >
Enter the name of the host for which requests are to be forwarded.
If you enter a name without a ".", the entry is supplemented with
the name supplied by the value specified in Local
Services->DNS->Global Settings for Domain Name as soon
as you confirm with OK.
Domain
Only for Forward = -
Enter the name of the domain for which requests are to be forwarded.
The entry can start with the wildcard "*", e.g.
"*.bintec-elmeg.com".
If you enter a name without a leading wildcard "*", a leading wildcard "*" is added as soon as you confirm with OK.
Forward to
Select if matching DNS requests are to be forwarded to the
DNS server of an Interface or to a manually specified DNS
Server.
Possible values:
• 1* (default value): Requests are forwarded to the
DNS server assigned to either an automatically selected or to
a user-selected interface.
• -9 : Requests are forwarded to the specified DNS
Server.
Interface
Only for Forward to = 1*
Select the interface whose assigned DNS server is to receive the DNS requests.
Primary DNS Server (IPv4/IPv6)
Only for Forward to = -9
Enter the IPv4/IPv6 address of the primary DNS server.
Secondary DNS Server (IPv4/IPv6)
Only for Forward to = -9
Enter the IPv4/IPv6 address of the secondary DNS server.
17.1.5 Dynamic Hosts
In the menu Local Services->DNS->Dynamic Hosts, you can find relevant information on
dynamic DNS entries.
17.1.6 Cache
In the Local Services->DNS->Cache menu, a list of all available cache entries is displayed.
You can select individual entries using the checkbox in the corresponding line, or select
them all using the Select all button.
A dynamic entry can be converted to a static entry by marking the entry and confirming with Make static. The corresponding entry disappears from the list and is displayed in the list in the Static Hosts menu. The TTL is transferred.
17.1.7 Statistics
In the Local Services->DNS->Statistics menu, the following statistical values are displayed:
Fields in the DNS Statistics menu.
Field
Description
Received DNS Packets
Shows the number of received DNS packets addressed directly to your device, including the response packets for forwarded requests.
Invalid DNS Packets
Shows the number of invalid DNS packets received and addressed directly to your device.
DNS Requests
Shows the number of valid DNS requests received and addressed directly to your device.
Cache Hits
Shows the number of requests that were answered with static or
dynamic entries from the cache.
Forwarded Requests
Shows the number of requests forwarded to other name servers.
Cache Hitrate (%)
Indicates the number of Cache Hits per DNS request as a percentage.
Successfully Answered Queries
Shows the number of successfully answered requests (positive
and negative).
Server Failures
Shows the number of requests that were not answered by any
name server (either positively or negatively).
17.2 HTTPS
You can operate the user interface of your device from any PC with an up-to-date Web
browser via an HTTPS connection.
HTTPS (HyperText Transfer Protocol Secure) is the procedure used to establish an encrypted and authenticated connection by SSL between the browser used for configuration and the device.
17.2.1 HTTPS Server
In the Local Services->HTTPS->HTTPS Server menu, configure the parameters of the secured configuration connection via HTTPS.
The Local Services->HTTPS->HTTPS Server menu consists of the following fields:
Fields in the HTTPS Parameters menu.
Field
Description
HTTPS TCP Port
Enter the port via which the HTTPS connection is to be established.
Possible values are to .
The default value is .
Local Certificate
Select a certificate that you want to use for the HTTPS connection.
Possible values:
• + (default value): Select this option if you want to
use the certificate built into the device.
• @%1* A: Select a certificate entered under System Management->Certificates->Certificate List.
17.3 DynDNS Client
The use of dynamic IP addresses has the disadvantage that a host in the network can no
longer be found once its IP address has changed. DynDNS ensures that your device can
still be reached after a change to the IP address.
The following configuration steps are necessary:
• Registration of a host name at a DynDNS provider
• Configuration of your device
Registration
The registration of a host name means that you define an individual user name for the DynDNS service, e.g. 0;*+. The service providers offer various domain names for this, so that a unique host name results for your device, e.g. 0;*+*. The DynDNS provider relieves you of the task of answering all DNS requests concerning the host 0;*+* with the dynamic IP address of your device.
To ensure that the provider always knows the current IP address of your device, your
device contacts the provider when setting up a new connection and propagates its present
IP address.
17.3.1 DynDNS Update
In the Local Services->DynDNS Client->DynDNS Update menu, a list of all configured DynDNS registrations for updating is displayed.
17.3.1.1 New
Choose the New button to set up further DynDNS registrations to be updated.
The menu Local Services->DynDNS Client->DynDNS Update->New consists of the following fields:
Fields in the Basic Parameters menu.
Field
Description
Host Name
Enter the complete host name as registered with the DynDNS
provider.
Interface
Select the WAN interface whose IP address is to be propagated
over the DynDNS service (e.g. the interface of the Internet Service Provider).
User Name
Enter the user name as registered with the DynDNS provider.
Password
Enter the password as registered with the DynDNS provider.
Provider
Select the DynDNS provider with which the above data is registered.
A choice of DynDNS providers is already available in the unconfigured state and their protocols are supported.
Other DynDNS providers can be configured in the Local Services->DynDNS Client->DynDNS Provider menu.
The default value is -0-9.
Enable update
Select whether the DynDNS entry configured here is to be activated.
The function is activated by selecting 7+.
The function is disabled by default.
The menu Advanced Settings consists of the following fields:
Fields in the Advanced Settings menu.
Field
Description
Mail Exchanger (MX)
Enter the full host name of a mail server to which e-mails are to
be forwarded if the host currently configured is not to receive
mail.
Ask your provider about this forwarding service and make sure
e-mails can be received from the host entered as MX.
Wildcard
Select whether forwarding of all subdomains of the Host Name
is to be enabled for the current IP address of the Interface
(advanced name resolution).
The function is activated by selecting 7+.
The function is disabled by default.
17.3.2 DynDNS Provider
A list of all configured DynDNS providers is displayed in the Local Services->DynDNS Client->DynDNS Provider menu.
17.3.2.1 New
Choose the New button to set up new DynDNS providers.
The menu Local Services->DynDNS Client->DynDNS Provider->New consists of the following fields:
Fields in the Basic Parameters menu.
Field
Description
Provider Name
Enter a name for this entry.
Server
Enter the host name or IP address of the server on which the
provider’s DynDNS service runs.
Update Path
Enter the path on the provider’s server that contains the script
for managing the IP address of your device.
Ask your provider for the path to be used.
Port
Enter the port at which your device is to reach your provider’s
server.
Ask your provider for the relevant port.
The default value is .
Protocol
Select one of the protocols implemented.
Possible values:
• -0-9 (default value)
• * -0-9
• :-
• >9
• -P9
• 3->).$
• 3-)%
• %3 -0-9
• - 6
Update Interval
Enter the minimum time (in seconds) that your device must wait
before it is allowed to propagate its current IP address to the
DynDNS provider again.
The default value is seconds.
17.4 DHCP Server
You can configure your device as a DHCP (Dynamic Host Configuration Protocol) server.
Your device and each PC in your LAN requires its own IP address. One option for allocating IP addresses in your LAN is the Dynamic Host Configuration Protocol (DHCP). If you
configure your device as a DHCP server, the device automatically assigns IP addresses to
requesting PCs in the LAN from a predefined IP address pool.
If a client requires an IP address for the first time, it sends a DHCP request (with its MAC address) to the available DHCP server as a network broadcast. The client then receives its IP address from bintec elmeg (as part of a brief exchange).
You therefore do not need to allocate fixed IP addresses to PCs, which reduces the
amount of configuration work in your network. To do this, you set up a pool of IP addresses, from which your device assigns IP addresses to hosts in the LAN for a defined
period of time. A DHCP server also transfers the addresses of the domain name server
entered statically or by PPP negotiation (DNS), NetBIOS name server (WINS) and default
gateway.
For specific instructions on how to use your device as a DHCP server, DHCP client or DHCP relay agent, see the end of the chapter, DHCP - Configuration example.
17.4.1 IP Pool Configuration
The Local Services->DHCP Server->IP Pool Configuration menu displays a list of all the
configured IP pools. This list is global and also displays pools configured in other menus.
17.4.1.1 Edit or New
Choose the New button to set up new IP address pools. Choose the icon to edit existing entries.
Fields in the menu Basic Parameters
Field
Description
IP Pool Name
Enter any description to uniquely identify the IP pool.
IP Address Range
Enter the first (first field) and last (second field) IP address of
the IP address pool.
DNS Server
Primary: Enter the IP address of the DNS server that is to be used, preferably, by clients who draw an address from this pool.
Secondary: Optionally, enter the IP address of an alternative
DNS server.
17.4.2 DHCP Configuration
To activate your device as a DHCP server, you must first define IP address pools from
which the IP addresses are distributed to the requesting clients.
A list of all configured DHCP pools is displayed in the Local Services->DHCP
Server->DHCP Configuration menu.
In the list, for each entry, you have the possibility under Status of enabling or disabling the
configured DHCP pools.
Note
In the ex works state the DHCP pool is preconfigured with the IP addresses
192.168.0.10 to 192.168.0.49 and is used if there is no other DHCP server available in
the network.
17.4.2.1 Edit or New
Choose the New button to set up new DHCP pools. Choose the icon to edit existing entries.
The Local Services->DHCP Server->DHCP Configuration->New menu consists of the
following fields:
Fields in the menu Basic Parameters
Field
Description
Interface
Select the interface over which the addresses defined in IP
Pool Name are to be assigned to DHCP clients.
When a DHCP request is received over this Interface, one of
the addresses from the address pool is assigned.
IP Pool Name
Select an IP pool name configured in the Local Services->DHCP Server->IP Pool Configuration menu.
Pool Usage
Select if the DHCP pool is to be used for requests from clients
in a network directly connected to an Ethernet interface, or if it is
to be used for DHCP requests from a remote network that are
sent to your device via a DHCP relay station.
In the second case, it is possible to use an IP address pool for
the remote network.
Possible values:
• $*+ (default value): The DHCP pool is only used for DHCP
requests from a network directly connected to an Ethernet interface.
• ?+0: The DHCP pool is only used for DHCP requests forwarded from remote networks.
• $*+5?+0: The DHCP pool can be used for both kinds of
requests.
Description
Enter any description to uniquely identify the DHCP pool.
The menu Advanced Settings consists of the following fields:
Fields in the menu Advanced Settings
Field
Description
Gateway
Select which IP address is to be transferred to the DHCP client
as gateway.
Possible values:
• / 3 20 (default value): Here, the IP address defined for the Interface is transferred.
• 9 20: No IP address is sent.
• *10: Enter the corresponding IP address.
Lease Time
Enter the length of time (in minutes) for which an address from
the pool is to be assigned to a host.
After the Lease Time expires, the address can be reassigned
by the server.
The default value is .
DHCP Options
Specify which additional data is forwarded to the DHCP client.
Possible values for Option:
• ) (default value): Enter the IP address of the
time server to be sent to the client.
• -9 : Enter the IP address of the DNS server to be
sent to the client.
• -9 - 9: Enter the DNS domain to be sent to the
client.
• 8959&9 : Enter the IP address of the WINS/
NBNS server to be sent to the client.
• 8959&) 9 )0: Select the type of the WINS/NBT
node to be sent to the client.
• )') : Enter the IP address of the TFTP server to be
sent to the client.
• %,8, %++: Enter the IP address of the CAPWAP
controller to be sent to the client.
• /?$ " #: This option enables you to
send a client any URL.
Use this option to send querying IP1x0 telephones the URL of
the provisioning server if the telephones are to be provisioned
automatically. The URL then needs to take the form !
[email protected] 1 ! A5;.
Multiple entries are possible. Add additional entries with the
Add button.
Vendor Specific Information (DHCP Option 43)
The options for a Vendor String or a vendor-specific group of DHCP options (Vendor Group) enable you to transmit any manufacturer-specific information or configuration parameters to DHCP clients. You can also define entire groups of DHCP options to be transmitted.
Note
For some products settings have already been predefined in this section. These are
required for the seamless integration of telephones or LTE access routers and should
not be changed or deleted.
Choose the icon to edit an existing entry or one of the Add buttons to add an entry. In the popup menu, you configure manufacturer-specific settings in the DHCP server for specific telephones, for example.
Fields in the Basic Parameters menu for vendor strings
Field
Description
Select vendor
Here you can select the manufacturer for which specific values are to be transmitted by the DHCP server.
Possible values:
• :! (default value)
• 7*
APN
Only for Select vendor = 7*
Enter the Access Point Name (APN) of the SIM card.
PIN
Only for Select vendor = 7*
Enter the PIN of the SIM card.
Vendor Description
Only for Select vendor = :!
Type in the name of the manufacturer for which you want to transfer specific DHCP server settings.
Vendor ID
Only for Select vendor = :!
To identify the device, enter the manufacturer ID.
Vendor Option String
Only for Select vendor = :!
Enter the manufacturer-specific configuration parameters.
Fields in the Basic Parameters menu for vendor groups
Field
Description
Select vendor
Here you can select the manufacturer for which specific values are to be transmitted by the DHCP server.
Possible values:
• (default value)
• :!
Provisioning Server
Only for Select vendor =
Enter which manufacturer value shall be transmitted.
For the setting Select vendor = , the default value + is displayed.
You can complete the IP address of the desired server.
Vendor Description
Only for Select vendor = :!
Type in the name of the manufacturer for which you want to transfer specific DHCP server settings.
Vendor ID
Only for Select vendor = :!
To identify the device, enter the manufacturer ID.
Custom DHCP Options
Only for Select vendor = :!
You can add custom DHCP options.
Use Add to add more entries.
17.4.3 IP/MAC Binding
The Local Services->DHCP Server->IP/MAC Binding menu displays a list of all clients
that received an IP address from your device via DHCP.
You can allocate an IP address from a defined IP address pool to specific MAC addresses. You can do this by selecting the Static Binding option in the list to convert a list entry into a fixed binding, or by manually creating a fixed IP/MAC binding in the New sub-menu.
Note
You can only create new static IP/MAC bindings if IP address ranges were configured in Local Services->DHCP Server->DHCP Pool, and a valid IP Pool is assigned in the Local Services->DHCP Server->IP Pool Configuration menu.
17.4.3.1 New
Choose the New button to set up new IP/MAC bindings.
The menu Local Services->DHCP Server->IP/MAC Binding->New consists of the following fields:
Fields in the Basic Parameters menu.
Field
Description
Description
Enter the name of the host whose MAC Address is to be bound to the IP Address.
A character string of up to 256 characters is possible.
IP Address
Enter the IP address to be assigned to the MAC address specified in MAC Address.
MAC Address
Enter the MAC address to which the IP address specified in IP
Address is to be assigned.
17.4.4 DHCP Relay Settings
If your device does not distribute any IP addresses to the clients in the local network by DHCP, it can still forward the DHCP requests on behalf of the local network to a remote DHCP server. The DHCP server then assigns your device an IP address from its pool, and your device in turn sends this to the client in the local network.
The menu Local Services->DHCP Server->DHCP Relay Settings consists of the following fields:
Fields in the Basic Parameters menu.
Field
Description
Primary DHCP Server
Enter the IP address of a server to which BootP or DHCP requests are to be forwarded.
The default value is .
Secondary DHCP Server
Enter the IP address of an alternative BootP or DHCP server.
The default value is .
17.4.5 DHCP - Configuration example
Requirements
• An optional DHCP server
Example scenarios
Example scenario as DHCP Server
Example scenario as DHCP Client
Example scenario as DHCP Relay Server
Configuration target
You can use your device as a DHCP server, DHCP client or DHCP relay agent.
Overview of Configuration Steps
DHCP Server
Field
Menu
Value
IP Pool Name
Local Services->DHCP Server->IP Pool Configuration->New
e.g. +
IP Address Range
Local Services->DHCP Server->IP Pool Configuration->New
e.g. and
Interface
Local Services->DHCP Server->DHCP Configuration->New
e.g.
IP Pool Name
Local Services->DHCP Server->DHCP Configuration->New
+
Pool Usage
Local Services->DHCP Server->DHCP Configuration->New
$*+
Gateway
Local Services->DHCP Server->DHCP Configuration->New->Advanced Settings
/ ?3 20
Lease Time
Local Services->DHCP Server->DHCP Configuration->New->Advanced Settings
e.g.
IP address to use for DNS/WINS server assignment
Local Services->DNS->Global Settings->Advanced Settings
e.g. :2
DHCP Client
Field
Menu
Value
Address Mode
LAN->IP Configuration->Interfaces-> <en1-4>->
->%
DHCP MAC Address (optional)
LAN->IP Configuration->Interfaces-> <en1-4> -> ->Advanced Settings
MAC address for a specific DHCP server
DHCP Relay Server
Field
Menu
Value
Primary DHCP Server
Local Services->DHCP Server->DHCP Relay Settings
e.g.
Secondary DHCP Server (optional)
Local Services->DHCP Server->DHCP Relay Settings
if one exists
17.5 DHCPv6 Server
You can operate your device as a DHCPv6 server. The DHCPv6 server can either assign
IP addresses as well as DHCPv6 options or DHCPv6 options only without any addresses.
These parameters are collected in a so called "Option Set". An option set can be linked to
an interface (see Local Services->DHCPv6 Server->DHCPv6 Server->New), or it can be
configured globally (see Local Services->DHCPv6 Server->DHCPv6 Global
Options->New). DHCP options can, e.g., contain information about DNS or time servers.
Note
An IPv6 address pool is created by assigning an IPv6 Link Prefix (a subnet with a length of /64) to a DHCPv6 option set. The definition of a separate set of IP addresses such as fc00:1:2:3::1..fc00:1:2:3::100 is, in contrast with IPv4, not specified for IPv6.
The following requirements must be met for the configuration of an IPv6 address pool:
(a) IPv6 has to be activated for the respective interface.
(b) An IPv6 Link Prefix (subnet) with a length of /64 has to be configured for the respective
interface. An IPv6 link prefix can be defined in either of two ways:
• The IPv6 Link Prefix is derived from a General IPv6 Prefix (a prefix with a length of,
e.g., /56 or /48). In this case, the General IPv6 Prefix has to be configured in the
menu Networking->IPv6 General Prefixes->General Prefix Configuration .
• The IPv6 Link Prefix with a length of /64 is manually configured for the respective interface and is not derived from a General IPv6 Prefix.
(c) The DHCP Server option has to be enabled for the interface.
Moreover, the following settings are recommended:
• The options Preferred Lifetime and Valid Lifetime should be set to values higher than
the value configured for the option Router Lifetime.
With a Router Lifetime of 600 seconds a Preferred Lifetime of, e.g., 900 seconds and a
Valid Lifetime of 1800 seconds are reasonable settings.
• The option DHCP Mode should be enabled.
In order to make the settings mentioned above, go to the menu LAN->IP Configuration->Interfaces. Choose the intended interface with the icon. Activate IPv6 and set the IPv6 Mode to ?3 ") ?3 ,#. In the field IPv6 Addresses, click Add and configure the Link Prefix. Confirm your configuration with Accept. The configuration of the recommended settings is then carried out in the following menus:
• Router Lifetime: LAN->IP Configuration->Interfaces->New->Advanced Settings->Advanced IPv6 Settings
• Preferred Lifetime and Valid Lifetime: LAN->IP Configuration->Interfaces->New->Basic IPv6 Parameters->Add->Advanced
17.5.1 DHCPv6 Server
Here you can create interface-related address pools and define DHCP options inside a DHCP Option Set.
17.5.1.1 Edit or New
Use the New button in order to create an Option Set. Use the icon in order to edit an existing entry.
The menu consists of the following fields:
Fields in the menu Basic Parameters
Field
Description
Name
Enter a name for the Option Set.
Interface
Select the IPv6 interface the Option Set is assigned to.
You can choose from interfaces with the following configuration:
• IPv6 is enabled.
• The option DHCP Server is enabled.
In the ex works state, IPv6 is disabled for all interfaces. If the intended interface is not offered for selection, configure it according to the requirements detailed in the introduction of this section. Configuration is done on the menu LAN->IP Configuration->Interfaces.
Address assignment
An IPv6 address pool is defined by assigning an IPv6 Link Prefix (subnet with a length of /64) to a DHCPv6 Option Set. The IPv6 address pool always comprises the complete 64 Bit address space of the selected IPv6 Link Prefix.
Address assignment is random.
Use Add to assign one or more IPv6 Link Prefixes to the IPv6
Option Set.
Note
Note that only IPv6 Link Prefixes that are assigned to the selected interface are available for selection.
Fields in the menu Server Options
Field
Description
DNS domains search list
Use Add to create a list of domain names which is queried by
the client during name resolution (DHCPv6 Option 24 "Domain
Search List"). Domain names will be transmitted to the clients in
the order defined by the list.
The menu Advanced Settings consists of the following fields:
Fields in the menu Advanced Server Options
Field
Description
DNS Server
Here you can configure the DNS servers that are propagated by DHCPv6 (DHCPv6 Option 23 "DNS Recursive Name Server").
By default, the global DNS servers of the system are propagated. (Global DNS servers are configured by the field DNS Propagation in the menu LAN->IP Configuration->Interfaces-> ->Advanced Settings if IPv6 = 7+ .)
You can also manually specify DNS servers and have them propagated to the clients. To do this, disable the option Use RA or Global Fallback DNS Server and create the desired DNS server entries using Add.
SNTP Server
Here you can configure the time servers to be propagated by
DHCPv6 (DHCPv6 Option 31 "Simple Network Time Protocol
Server"). Use Add to create the desired time server entries.
17.5.2 DHCPv6 Global Options
In this menu, you can configure those DHCPv6 options which are globally valid for the DHCPv6 server. An option that has been configured here will be propagated if no more specific definition is available (e.g., no interface- or vendor-ID-specific definition).
The menu consists of the following fields:
Fields in the menu Basic Parameters
Field
Description
DNS domains search list
Use Add to create a list of domain names which is queried by the client during name resolution (DHCPv6 Option 24 "Domain Search List"). Domain names will be transmitted to the clients in the order defined by the list. The domain name (e.g. dev.bintec.de.) must end with a dot (.).
The menu Advanced Settings consists of the following fields:
Fields in the menu Server preference
Field
Description
Server preference
The DHCPv6 advertisements sent by the DHCPv6 server to the
clients may contain the DHCPv6 option 7 "Preference".
Possible values are .
In a network with multiple DHCPv6 servers this option controls
which server takes the highest priority. If a client receives DHCPv6 advertisements with different priorities from different servers, it will usually accept the parameters from the highest priority server. The client can, however, also accept DHCPv6 advertisements with a lower priority if the set of parameters in the advertisement provides more of the options requested by the client.
A value of means "not specified" (lowest priority), denotes the highest priority.
Fields in the menu Advanced Server Fallback Options
Field
Description
DNS Server
Here you can configure the DNS servers that are propagated by DHCPv6 (DHCPv6 Option 23 "DNS Recursive Name Server").
By default, the global DNS servers of the system are propagated. (Global DNS servers are configured by the field DNS Propagation in the menu LAN->IP Configuration->Interfaces-> ->Advanced Settings if IPv6 = 7+ .)
You can also manually specify DNS servers and have them propagated to the clients. To do this, disable the option Use RA or Global Fallback DNS Server and create the desired DNS server entries using Add.
SNTP Server
Here you can configure the time servers to be propagated by DHCPv6 (DHCPv6 Option 31 "Simple Network Time Protocol Server"). Use Add to create the desired time server entries.
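The following Python decoder is an added example, not part of the manual or of the device firmware. It reads the four DHCPv6 options named in this section (7, 23, 24 and 31) from the option area of a captured advertisement and reports DNS servers that are not on an expected list, which is how you would verify what a DHCPv6 server on the LAN actually hands out. The wire layout follows the DHCPv6 RFCs; the function names, the sample bytes and the addresses are assumptions constructed for the example.

```python
import ipaddress
import struct

# DHCPv6 option codes named in the manual text above.
OPT_PREFERENCE = 7     # "Preference"
OPT_DNS_SERVERS = 23   # "DNS Recursive Name Server"
OPT_DOMAIN_LIST = 24   # "Domain Search List"
OPT_SNTP_SERVERS = 31  # "Simple Network Time Protocol Server"


def encode_domain(name):
    """Encode one search domain as uncompressed RFC 1035 labels."""
    if not name.endswith("."):
        raise ValueError("domain name must end with a dot: %r" % name)
    out = b""
    for label in name[:-1].split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_option(code, body):
    """Prefix an option body with its 16-bit code and 16-bit length."""
    return struct.pack("!HH", code, len(body)) + body


def decode_domains(data):
    """Decode an option 24 body into a list of dot-terminated names."""
    names, labels, i = [], [], 0
    while i < len(data):
        n = data[i]
        i += 1
        if n == 0:                       # root label ends one name
            names.append(".".join(labels) + ".")
            labels = []
            continue
        if n > 63 or i + n > len(data):  # compression pointers are not valid here
            raise ValueError("malformed domain search list")
        labels.append(data[i:i + n].decode("ascii"))
        i += n
    if labels:
        raise ValueError("unterminated domain name")
    return names


def decode_addresses(data):
    """Decode an option 23 or 31 body: a packed list of 16-byte IPv6 addresses."""
    if len(data) % 16:
        raise ValueError("address list is not a multiple of 16 bytes")
    return [str(ipaddress.IPv6Address(data[i:i + 16]))
            for i in range(0, len(data), 16)]


def parse_options(buf):
    """Walk the option TLVs and decode options 7, 23, 24 and 31."""
    result, i = {"other": []}, 0
    while i < len(buf):
        if i + 4 > len(buf):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", buf, i)
        i += 4
        if i + length > len(buf):
            raise ValueError("option %d overruns the buffer" % code)
        body, i = buf[i:i + length], i + length
        if code == OPT_PREFERENCE:
            if length != 1:
                raise ValueError("preference option must be one byte")
            result["preference"] = body[0]
        elif code == OPT_DNS_SERVERS:
            result["dns_servers"] = decode_addresses(body)
        elif code == OPT_DOMAIN_LIST:
            result["domains"] = decode_domains(body)
        elif code == OPT_SNTP_SERVERS:
            result["sntp_servers"] = decode_addresses(body)
        else:
            result["other"].append(code)  # not decoded, only recorded
    return result


def unexpected_dns(parsed, allowed):
    """Return advertised DNS servers that are not on the expected list."""
    ok = {ipaddress.IPv6Address(a) for a in allowed}
    return [s for s in parsed.get("dns_servers", [])
            if ipaddress.IPv6Address(s) not in ok]


# Constructed sample: the option area of an advertisement, built with the
# helpers above. Addresses use the manual's fc00:1:2:3::/64 example prefix.
SAMPLE = (
    build_option(OPT_PREFERENCE, b"\xff")
    + build_option(OPT_DNS_SERVERS, ipaddress.IPv6Address("fc00:1:2:3::53").packed)
    + build_option(OPT_DOMAIN_LIST, encode_domain("dev.bintec.de."))
    + build_option(OPT_SNTP_SERVERS, ipaddress.IPv6Address("fc00:1:2:3::7b").packed)
)

if __name__ == "__main__":
    parsed = parse_options(SAMPLE)
    print(parsed)
    print("unexpected DNS:", unexpected_dns(parsed, ["fc00:1:2:3::1"]))
```
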
17.5.3 Stateful Clients
Here you see an entry for each Stateful Client that has contacted the server and has been
assigned an IPv6 address.
17.5.4 Stateful Clients Configuration
During a stateful configuration of IPv6 clients not only the DHCP options, but also the IPv6
prefix is transmitted to the client.
17.5.4.1 Edit or New
Use New to create entries for Stateful Clients. Normally, you do not have to create any entries. Use the icon in order to edit existing entries. You should check each automatically created entry once to verify the settings and adjust them if required.
The menu consists of the following fields.
Fields in the menu Basic Parameters
Field
Description
DUID
Clients use the DUID field (DHCP Unique Identifier) in order to
identify themselves and request an IP address from the DHCPv6 server.
If you create an entry using New you can specify the DUID as a
16 - 20 digit HEX number. You can enter them using a "-"
(minus) as separator (Windows style), or you can enter them in
a single block (Linux style).
Accept Client FQDN
If Accept Client FQDN is enabled, the client is entered into the
cache of the Domain Name Server with the parameter FQDN
(Fully Qualified Domain Name).
Administrative FQDNs
With Add, you can specify an FQDN (Fully Qualified Domain
Name) - even for automatically created entries.
Static Interface Identifier
The field Static Interface Identifier is the host portion of the IPv6 address, i.e., the last 64 bits of the IP address. The value entered must start with ::.
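The two DUID notations and the Static Interface Identifier rule described above can be validated before an entry is created. The following Python code is an added example, not bintec elmeg code: the function names, the sample DUID and the 2001:db8:1:2::/64 documentation prefix are assumptions, the length bounds are the ones stated in the text, and combining prefix and identifier by addition is the usual IPv6 convention rather than documented device behaviour.

```python
import ipaddress
import re

# Length bounds as stated in the manual text ("16 - 20 digit HEX number").
DUID_MIN_HEX_DIGITS = 16
DUID_MAX_HEX_DIGITS = 20


def normalize_duid(text, min_digits=DUID_MIN_HEX_DIGITS,
                   max_digits=DUID_MAX_HEX_DIGITS):
    """Return the DUID as lowercase hex without separators.

    Accepts "-"-separated octets (Windows style) or one contiguous
    block (Linux style). Raises ValueError for anything else.
    """
    value = text.strip().lower()
    if "-" in value:
        octets = value.split("-")
        # Each group must be exactly one octet; "0-3" or "0003-0001" is rejected.
        if not all(re.fullmatch(r"[0-9a-f]{2}", octet) for octet in octets):
            raise ValueError("separated DUID must consist of two-digit hex octets")
        value = "".join(octets)
    elif not re.fullmatch(r"[0-9a-f]+", value):
        raise ValueError("DUID must contain hex digits only")
    if len(value) % 2:
        raise ValueError("DUID must have an even number of hex digits")
    if not min_digits <= len(value) <= max_digits:
        raise ValueError(
            f"DUID has {len(value)} hex digits, expected {min_digits}-{max_digits}")
    return value


def is_valid_duid(text):
    """Boolean wrapper around normalize_duid for use in input checks."""
    try:
        normalize_duid(text)
    except ValueError:
        return False
    return True


def client_address(prefix, interface_identifier):
    """Combine a /64 prefix with a static interface identifier.

    The identifier must be written with a leading "::" and must fit
    into the lower 64 bits of the address.
    """
    if not interface_identifier.startswith("::"):
        raise ValueError("interface identifier must start with '::'")
    network = ipaddress.IPv6Network(prefix, strict=True)
    if network.prefixlen != 64:
        raise ValueError("expected a /64 prefix")
    host = int(ipaddress.IPv6Address(interface_identifier))
    if host >> 64:
        raise ValueError("interface identifier exceeds 64 bits")
    return str(network.network_address + host)


if __name__ == "__main__":
    # Constructed sample values, not taken from a real device.
    print(normalize_duid("00-03-00-01-AA-BB-CC-DD-EE-FF"))
    print(client_address("2001:db8:1:2::/64", "::a1b2:c3d4:e5f6:1"))
```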
17.6 CAPI Server
You can use the CAPI Server function to assign user names and passwords to users of the
CAPI applications on your device. This makes sure that only authorised users can receive
incoming calls and make outgoing calls via CAPI.
The CAPI service allows connection of incoming and outgoing data and voice calls to communications applications on hosts in the LAN that access the Remote CAPI interface of
your device. This enables, for example, hosts connected to your device to receive and
send faxes.
Note
All incoming calls to the CAPI are offered to all registered and "eavesdropping" CAPI
applications in the LAN.
In the ex works state, a user with the user name 13+ and no password is
entered for the CAPI subsystem.
Once you've created your intended users with password, you should delete the 13+ user without password.
17.6.1 User
A list of all configured CAPI users is displayed in the Local Services->CAPI Server->User
menu.
17.6.1.1 New
Choose the New button to set up new CAPI users.
The menu Local Services->CAPI Server->User->New consists of the following fields:
Fields in the Basic Parameters menu.
Field
Description
User Name
Enter the user name for which access to the CAPI service is to be allowed or denied.
Password
Enter the password which the user User Name shall use for
identification to gain access to the CAPI service.
Access
Select whether access to the CAPI service is to be permitted or
denied for the user.
The function is activated by selecting 7+.
The function is enabled by default.
17.6.2 Options
The menu Local Services->CAPI Server->Options consists of the following fields:
Fields in the Basic Parameters menu.
Field
Description
Enable server
Select whether your device is to be enabled as a CAPI server.
The function is activated by selecting 7+.
The function is enabled by default.
Faxheader
Select whether the fax header should be printed at the top of
outgoing faxes.
The function is activated by selecting 7+.
The function is disabled by default.
CAPI Server TCP Port
The field can only be edited if Enable server is enabled.
Enter the TCP port number for remote CAPI connections.
The default value is .
17.7 Scheduling
Your device has an event scheduler which enables certain standard actions (activation or
deactivation of interfaces, for example) to be carried out. In addition, every existing MIB
variable can be configured with any value.
You configure the desired Actions and define the triggers controlling the date and other
conditions of the Actions. A trigger may be a single event or a sequence of events collected in an Event List. For a single event, create an Event List containing only one element.
It is possible to trigger operations on a time-controlled basis. In addition, the status or accessibility of interfaces, their data traffic, or the validity of licences can trigger the configured operations. Here again, it is possible to configure every MIB variable with any value as initiator.
Activate the Schedule Interval option under Options to put the event scheduler into operation. The system uses this time interval to check if at least one event has occurred. This triggers the configured action.
For specific instructions on configuring time-controlled tasks (scheduling), see Configuration example - Time-controlled Tasks (Scheduling) on page 372 at the end of the chapter.
Caution
The configuration of actions that are not available as defaults requires extensive knowledge of the method of operation of bintec elmeg gateways. An incorrect configuration
can cause considerable disruption during operation. If applicable, save the original
configuration on your PC.
Note
To run the event scheduler, the date configured on your device must be 1.1.2000 or
later.
17.7.1 Trigger
All configured event lists are displayed in the Local Services->Scheduling->Trigger
menu. Each event list contains at least one event intended to trigger a configured action.
17.7.1.1 New
Choose the New button to create additional event lists.
The menu Local Services->Scheduling->Trigger->New consists of the following fields:
Fields in the Basic Parameters menu
Field
Description
Event List
You can create a new event list with 92 (default value). You
give this list a name with Description. You use the remaining
parameters to create the first event in the list.
If you want to add to an existing event list, select the event list
you want and add at least one more event to it.
You can use event lists to create complex conditions for initiating an action. The events are processed in the same order in
which they are created in the list.
Description
Only for Event List 92
Enter your chosen designation for the Event List.
Event Type
Select the type of initiator.
Possible values:
• ) (default value): The operations configured and assigned
in Actions are initiated at specific points in time.
• .&59.: The operations configured and assigned in Actions are initiated when the defined MIB variable assumes
the assigned values.
• 1* 3: Operations configured and assigned in
Actions are initiated, when the defined interfaces take on a
specified status.
• 1* )11*: Operations configured and assigned
in Actions are initiated when the data traffic on the specified
interfaces falls below or exceeds the defined value.
• ): Operations configured and assigned in Actions
are initiated when the specified IP address is / is not accessible.
• %1* $1: Operations configured and assigned in Actions are initiated when the defined period of validity is reached.
• '3* &3: The option '3* &3 determines that pushing the function button on the device can serve
as a trigger for any configured action. Pushing the button for
approx. one second (but less than three seconds) sets the
button status to ,*, pushing it for more than three
seconds sets it to *. Actions depending on the state
of the button are then carried out after the next cyclical query
determined by the Schedule Interval. In this way, e.g., a
WLAN interface can be activated when the button is pushed
for a second. Pushing the button for more than three seconds
deactivates the interface again.
Monitored Variable
Only for Event Type .&59.
Select the MIB variable whose defined value is to be configured
as initiator. First, select the System in which the MIB variable is
saved, then the MIB Table and finally the MIB Variable itself.
Only the MIB tables and MIB variables present in the respective
area are displayed.
Compare Condition
Only for Event Type .&59.
Select whether the MIB variable (default value),
J3+, $, 9 J3+ must have the value given in %
E+3 or must lie within ? to initiate the operation.
Compare Value
Only for Event Type .&59.
Enter the value of the MIB variable.
Index Variables
Only for Event Type .&59.
If required, select MIB variables to uniquely identify a specific
data set in a MIB Table, e.g. %16. The combination
of Index Variable (normally an index variable labelled by a *)
and Index Value creates the unique identification of a specific
table entry.
Create additional Index Variables with Add.
Monitored Interface
Only for Event Type 1* 3 and 1* )11*
Select the interface whose defined status or data traffic shall initiate an event.
Interface Status
Only for Event Type 1* 3
Select the status that the interface must have in order to initiate
the intended operation.
Possible values:
• / (default value): The function is enabled.
• -2: The interface is disabled.
Traffic Direction
Only for Event Type 1* )11*
Select the direction of the data traffic whose values should be
monitored as initiating an operation.
Possible values:
• ?C (default value): Incoming data traffic is monitored.
• )C: Outgoing data traffic is monitored.
Interface Traffic Condition
Only for Event Type 1* )11*
Select whether the value for data traffic must be (default value) or $ the value specified in )1
)11* in order to initiate the operation.
Transferred Traffic
Only for Event Type 1* )11*
Enter the desired value in kBytes for the data traffic to serve as
comparison.
The default value is .
Destination IP Address
Only for Event Type )
Enter the IP address whose accessibility is to be checked.
Source IP Address
Only for Event Type )
Enter an IP address to be used as sender address for the ping
test.
Possible values:
• ,3* (default value): The IP address of the interface
over which the ping is sent is automatically entered as sender
address.
• *1*: Enter the desired IP address in the input field.
Status
Only for Event Type )
Select whether Destination IP Address ?*!7+ must be
(default value) or /*!7+ in order to initiate the operation.
Interval
Only for Event Type )
Enter the time in Seconds after which a ping must be resent.
The default value is seconds.
Trials
Only for Event Type )
Enter the number of ping tests to be performed until Destination IP Address as /*!7+ applies.
The default value is .
Monitored Certificate
Only for Event Type %1* $1
Select the certificate whose validity should be checked.
Remaining Validity
Only for Event Type %1* $1
Indicate the remaining validity of the certificate in percentage.
Function Button Status
Only for Event Type '3* &3.
When creating the trigger the dropdown selection Function
Button Status allows you to choose which status of the function button activates or deactivates the trigger. If you set the
status to :, the trigger becomes active if the status of the function button is ,*, and inactive, if the state of the function
button is *. If you set it to :11, the trigger becomes
active if the state of the function button is *, and inactive if the state of the function button is ,*. The current state is checked cyclically at the configured schedule interval.
Fields in the Select time interval menu
Field
Description
Time Condition
Only for Event Type = )
First select the type of time entry in Condition Type.
Possible values:
• 8B0 : Select a weekday in Condition Settings.
• (default value): In Condition Settings, select a particular period.
• -0 1 .!: Select a specific day of the month in Condition Settings.
Possible values for Condition Settings in Condition Type =
8B0:
.0 (default value) ... 30.
Possible values for Condition Settings in Condition Type =
:
• -+0 : The initiator becomes active daily (default value).
• .0 '0 : The initiator becomes active daily from
Monday to Friday.
• .0 30 : The initiator becomes active daily
from Monday to Saturday.
• 30 30 : The initiator becomes active on Saturdays and Sundays.
Possible values for Condition Settings in Condition Type =
-0 1 .!:
... .
Start Time
Enter the time from which the initiator is to be activated. Activation is carried out at the next scheduling interval. The default value of this interval is 55 seconds.
Stop Time
Enter the time from which the initiator is to be deactivated. Deactivation is carried out at the next scheduling interval. If you do not enter a Stop Time or set a Stop Time = Start Time, the initiator is activated, and deactivated after 10 seconds.
17.7.2 Actions
The Local Services->Scheduling->Actions menu displays a list of all operations to be initiated by events or event chains configured in Local Services->Scheduling->Trigger.
17.7.2.1 New
Choose the New button to configure additional operations.
The menu Local Services->Scheduling->Actions->New consists of the following fields:
Fields in the menu Basic Parameters
Field
Description
Description
Enter your chosen designation for the action.
Command Type
Select the desired action.
Possible values:
• ?7 (default value): Your device is rebooted.
• .&59.: The desired value is entered for a MIB variable.
• 1* 3: The status of an interface is modified.
• 8+ 3: Only for devices with a wireless LAN. The
status of a WLAN-SSID is modified.
• 12 /: A software update is initiated.
• %13 .: A configuration file is loaded
onto your device or backed up by your device.
• ): Accessibility of an IP address is checked.
• %1* .: A certificate is to be renewed,
deleted or entered.
• >H 8$,9 &*: Only for devices with a wireless
LAN. A scan of the 5 GHz frequency band is performed.
• >H 8$,9 &*: Only for devices with a wireless LAN. A scan of the 5.8 GHz frequency range is performed.
• 8$%4 92 9!7 *: Only for devices with a WLAN
controller. A Neighbor Scan is initiated by the WLAN network
controlled by the WLAN controller.
• 8$%4 E : Only for devices with a WLAN controller.
The status of a wireless network is modified.
• 8$,94 : .: The operating mode of a WLAN
radio module is modified.
Event List
Select the event list you want which has been created in Local Services->Scheduling->Trigger.
Event List Condition
For the selected chains of events, select how many of the configured events must occur for the operation to be initiated.
Possible values:
• ,++ (default value): The operation is initiated if all events occur.
• :: The operation is initiated if a single event occurs.
• 9: The operation is triggered if no event occurs.
• : : The operation is triggered if one of the events does
not occur.
Reboot device after
Only if Command Type = ?7
Enter the timespan in seconds that must elapse after occurrence of the event until the device is restarted.
The default value is seconds.
MIB/SNMP Variable to add/edit
Only if Command Type = .&59.
Select the MIB table in which the MIB variable whose value
shall be changed is saved. First, select the System, then the
MIB Table. Only the MIB tables present in the respective area
are displayed.
Command Mode
Only if Command Type = .&59.
Select how the MIB entry is to be manipulated.
Possible settings:
• %! 6 0 (default value): An existing entry
shall be modified.
• % 2 .& 0: A new entry shall be created.
Index Variables
Only if Command Type = .&59.
Where required, select MIB variables to uniquely identify a specific data set in MIB Table, e.g. %16. The unique
identification of a particular table entry is derived from the combination of Index Variable (usually an index variable which is
flagged with *) and Index Value.
Use Index Variables to create more entries with Add.
Trigger Status
Only if Command Type = .&59.
Select what status the event must have in order to modify the
MIB variable as defined.
Possible values:
• ,* (default value): The value of the MIB variable is modified if the initiator is active.
• *: The value of the MIB variable is modified if the initiator is inactive.
• &!: The value of the MIB variable is differentially modified if
the initiator status changes.
MIB Variables
Only if Command Type = .&59.
Select the MIB variable whose value is to be configured as dependent upon initiator status.
If the initiator is active (Trigger Status ,*), the MIB variable is set to the value entered in Active Value.
If the initiator is inactive (Trigger Status *), the MIB variable is set to the value entered in Inactive Value.
If the MIB variable is to be modified depending on whether the initiator is active or inactive (Trigger Status &!), it is set to the value entered in Active Value when the initiator is active and to the value in Inactive Value when the initiator is inactive.
Use Add to create more entries.
Interface
Only if Command Type = 1* 3
Select the interface whose status should be changed.
Set interface status
Only if Command Type = 1* 3
Select the status to be set for the interface.
Possible values:
• / (default value)
• -2
• ?
Local WLAN SSID
Only if Command Type = 8+ 3
Select the desired wireless network whose status shall be
changed.
Set status
Only if Command Type = 8+ 3 or 8$%4 E
Select the status for the wireless network.
Possible values:
• ,* (default value)
• -*
Source Location
Only if Command Type = 12 /
Select the source for the software update.
Possible values:
• %3 12 1 / (default
value): The latest software will be downloaded from the update server.
• >)) : The latest software will be downloaded from
an HTTP server that you define in /?$.
• >)) : The latest software will be downloaded from
an HTTPS server that you define in /?$.
• )') : The latest software will be downloaded from
a TFTP server that you define in /?$.
Server URL
Where Command Type = 12 / if Source Location not %3 12 1 /
Enter the URL of the server from which the desired software
version is to be retrieved.
Where Command Type = %13
. with Action = *13 or 6
*13
Enter the URL of the server from which a configuration file is to
be retrieved, or on which the configuration file is to be backed
up.
File Name
For Command Type = 12 /
Enter the file name of the software version.
Where Command Type = %1* . with
Action = *1*
Enter the file name of the certificate file.
Action
For Command Type = %13 .
Select which operation is to be performed on a configuration
file.
Possible values:
• *13 (default value)
• 6 *13
• ? *13
• -+ *13
• %0 *13
For Command Type = %1* .
Select which operation you wish to perform on a certificate file.
Possible values:
• *1* (default value)
• -+ *1*
• %
Protocol
Only for Command Type = %1* . and
%13 . if Action = *1
3
Select the protocol for the data transfer.
Possible values:
• >)) (default value)
• >))
• )')
CSV File Format
Only where Command Type = %13 .
and Action = *13 or 6 *1
3
Select whether the file is to be sent in the CSV format.
The CSV format can easily be read and modified. In addition,
you can view the corresponding file clearly using Microsoft Excel for example.
The function is enabled by default.
Remote File Name
Only if Command Type = %13 .
For Action = *13
Enter the name of the file under which it is saved on the server
from which it is to be retrieved.
For Action = 6 *13
Enter the file name under which it should be saved on the server.
Local File Name
366
Only where Command Type = %13
. and Action = *13, ?
*13 or %0 *13
be.IP 4isdn
17 Local Services
bintec elmeg GmbH
Field
Description
At import, renaming or copying enter a name for the configuration file under which to save it locally on the device.
File Name in Flash
Where Command Type = %13
. and Action = 6 *13
Select the file to be exported.
Where Command Type = %13
. and Action = ? *13
Select the file to be renamed.
Where Command Type = %13
. and Action = -+ *13
Select the file to be deleted.
Where Command Type = %13
. and Action = %0 *13
Select the file to be copied.
Configuration contains certificates/keys
Only where Command Type = %13
. and Action = *13 or 6
*13
Select whether the certificates and keys contained in the configuration are to be imported or exported.
The function is disabled by default.
Encrypt configuration
Only where Command Type = %13
. and Action = *13 or 6
*13
Define whether the data of the selected Action are to be encrypted.
The function is disabled by default.
Reboot after execution
Only if Command Type = %13 .
Select whether your device should restart after the intended Action.
The function is disabled by default.
Version Check
Only where Command Type = %13
. and Action = *13
Select whether, when importing a configuration file, to check on
the server for the presence of a more current version of the
already loaded configuration. If not, the file import is interrupted.
The function is disabled by default.
Destination IP Address
Only if Command Type = )
Enter the IP address whose accessibility is to be checked.
Source IP Address
Only if Command Type = )
Enter an IP address to be used as sender address for the ping
test.
Possible values:
• ,3* (default value): The IP address of the interface
over which the ping is sent is automatically entered as sender
address.
• *1*: Enter the desired IP address in the input field.
Interval
Only if Command Type = )
Enter the time in Seconds after which a ping must be resent.
The default value is second.
Count
Only if Command Type = )
Enter the number of ping tests to be performed until Destination IP Address is considered unreachable.
The default value is .
Server Address
Only where Command Type = %1*
. and Action = *1*
Enter the URL of the server from which a certificate file is to be
retrieved.
Local Certificate Description
Where Command Type = %1* . and
Action = *1*
Enter a description for the certificate under which to save it on
the device.
Where Command Type = %1* . and
Action = -+ *1*
Select the certificate to be deleted.
Password for protected Certificate
Only where Command Type = %1*
. and Action = *1*
Select whether to use a secure certificate requiring a password
and enter it into the entry field.
The function is disabled by default.
Overwrite similar certificate
Only where Command Type = %1*
. and Action = *1*
Select whether to overwrite a certificate already present on
your device with the new one.
The function is disabled by default.
Write certificate in configuration
Only where Command Type = %1*
. and Action = *1*
Select whether to integrate the certificate in a configuration file;
and if so, select the desired configuration file.
The function is disabled by default.
Certificate Request Description
Only where Command Type = %1*
. and Action = %
Enter a description under which the SCEP certificate on your
device is to be saved.
URL SCEP Server URL
Only where Command Type = %1*
. and Action = %
Enter the URL of the SCEP server, e.g. !
455*7*+*4
5*5*++
Your CA administrator can provide you with the necessary data.
Subject Name
Only where Command Type = %1*
. and Action = %
Enter a subject name with attributes.
Example: S%9ME9G -%M0G -%M*G
*M- S
CA Name
Only where Command Type = %1*
. and Action = %
Enter the name of the CA certificate of the certification authority
(CA) from which you wish to request your certificate, e.g.
*22. Your CA administrator can provide you with the
necessary data.
Password
Only where Command Type = %1*
. and Action = %
To obtain certificates, you may need a password from the certification authority. Enter the password you received from the certification authority here.
Key Size
Only where Command Type = %1*
. and Action = %
Select the length of the key to be created. Possible values are
(default value), and .
Autosave Mode
Only where Command Type = %1*
. and Action = %
Select whether your device automatically stores the various
steps of the enrolment internally. This is an advantage if enrolment cannot be concluded immediately. If the status has not
been saved, the incomplete registration cannot be completed.
As soon as the enrolment is completed and the certificate has
been downloaded from the CA server, it is automatically saved
in the device configuration.
The function is enabled by default.
Use CRL
Only where Command Type = %1*
. and Action = %
Define the extent to which certificate revocation lists (CRLs) are
to be included in the validation of certificates issued by the owner of this certificate.
Possible values:
• ,3 (default value): If there is an entry for a CDP (CRL distribution point), it should be evaluated in addition to
the CRLs globally configured in the device.
• P: CRLs are always checked.
• 9: No checking of CRLs.
Select radio
Only where Command Type = >H 8$,9 &*, >H 8$,9 &* or
8$,94 : .
Select the WLAN module on which to perform the frequency
band scan.
WLC SSID
Only where Command Type = 8$%4 E
Select the wireless network administered over the WLAN controller whose status should be changed.
Operation Mode (Active)
Only where Command Type = 8$,94 : .
Select the required operating mode for the selected radio module if it currently has the status ,*. You may select from
any of the operating modes that your device supports. So the
choice may vary from device to device.
Operation Mode (Inactive)
Only where Command Type = 8$,94 : .
Select the required operating mode for the selected radio module if it currently has the status -2. You may select from any
of the operating modes that your device supports. So the choice
may vary from device to device.
17.7.3 Options
You configure the schedule interval in the Local Services->Scheduling->Options menu.
The Local Services->Scheduling->Options menu consists of the following fields:
Fields in the Scheduling Options menu
Field
Description
Schedule Interval
Select whether the schedule interval is to be enabled.
Enter the interval in seconds after which the system checks
whether events have occurred.
Possible values are to .
The value is recommended (5 minute accuracy).
17.7.4 Configuration example - Time-controlled Tasks (Scheduling)
Requirements
• Basic configuration of the gateway.
Example scenario
Example scenario Time-controlled Tasks
Configuration target
• You want to reboot your gateway automatically overnight.
• The WLAN interface is to be suspended at the weekend.
• In addition, the configuration is to be backed up automatically once a month on a TFTP
server.
Overview of Configuration Steps
Daily reboot
Field | Menu | Value
Event List | Local Services -> Scheduling -> Trigger -> New | 92
Description | Local Services -> Scheduling -> Trigger -> New | e.g. ) ?7
Event Type | Local Services -> Scheduling -> Trigger -> New | )
Time Condition | Local Services -> Scheduling -> Trigger -> New | Condition Type = , Condition Settings = -+0
Start Time | Local Services -> Scheduling -> Trigger -> New | Hour Minute
Description | Local Services -> Scheduling -> Actions -> New | e.g. ?7 ! *
Command Type | Local Services -> Scheduling -> Actions -> New | ?7
Event List | Local Services -> Scheduling -> Actions -> New | ) ?7
Event List Condition | Local Services -> Scheduling -> Actions -> New | ,++
Reboot device after | Local Services -> Scheduling -> Actions -> New | e.g. Seconds
Schedule Interval | Local Services -> Scheduling -> Options | 7+, sec
Suspending the WLAN interface
Field | Menu | Value
Event List | Local Services -> Scheduling -> Trigger -> New | 92
Description | Local Services -> Scheduling -> Trigger -> New | e.g. ) 2*! 11 8$,9 1*
Event Type | Local Services -> Scheduling -> Trigger -> New | )
Time Condition | Local Services -> Scheduling -> Trigger -> New | Condition Type = , Condition Settings = 30 30
Start Time | Local Services -> Scheduling -> Trigger -> New | Hour Minute
Stop Time | Local Services -> Scheduling -> Trigger -> New | Hour Minute
Description | Local Services -> Scheduling -> Actions -> New | e.g. 2*! 11 8$,9 1*
Command Type | Local Services -> Scheduling -> Actions -> New | 1* 3
Event List | Local Services -> Scheduling -> Actions -> New | ) 2*! 11 8$,9 1*
Event List Condition | Local Services -> Scheduling -> Actions -> New | ,++
Interface | Local Services -> Scheduling -> Actions -> New | e.g.
Set interface status | Local Services -> Scheduling -> Actions -> New | -2
Schedule Interval | Local Services -> Scheduling -> Options | 7+, sec
Monthly configuration backup
Field | Menu | Value
Event List | Local Services -> Scheduling -> Trigger -> New | 92
Description | Local Services -> Scheduling -> Trigger -> New | e.g. ) *1 3 7*B3
Event Type | Local Services -> Scheduling -> Trigger -> New | )
Time Condition | Local Services -> Scheduling -> Trigger -> New | Condition Type = -0 1 .!, Condition Settings =
Start Time | Local Services -> Scheduling -> Trigger -> New | Hour Minute
Description | Local Services -> Scheduling -> Actions -> New | Configuration backup
Command Type | Local Services -> Scheduling -> Actions -> New | Configuration Management
Event List | Local Services -> Scheduling -> Actions -> New | Trigger configuration backup
Event List Condition | Local Services -> Scheduling -> Actions -> New | All
Action | Local Services -> Scheduling -> Actions -> New | Export configuration
Server URL | Local Services -> Scheduling -> Actions -> New | e.g. 1455
CSV File Format | Local Services -> Scheduling -> Actions -> New | 7+
Remote File Name | Local Services -> Scheduling -> Actions -> New | e.g. !+0 7*B3*1
File Name in Flash | Local Services -> Scheduling -> Actions -> New | 7
Configuration contains certificates/keys | Local Services -> Scheduling -> Actions -> New | 7+
Schedule Interval | Local Services -> Scheduling -> Options | 7+, sec
17.8 Surveillance
In this menu, you can configure an automatic availability check for hosts or interfaces and
automatic ping tests.
You can monitor temperature with devices from the bintec WI series.
Note
This function cannot be configured on your device for connections that are authenticated via a RADIUS server.
17.8.1 Hosts
A list of all monitored hosts is displayed in the Local Services->Surveillance->Hosts
menu.
17.8.1.1 Edit or New
Choose the icon to edit existing entries. Choose the New button to create additional monitoring tasks.
The menu Local Services->Surveillance->Hosts->New consists of the following fields:
Fields in the Host Parameters menu
Field
Description
Group ID
If the availability of a group of hosts or the default gateway is to
be monitored by your device, select an ID for the group or the
default gateway.
The group IDs are automatically created from to . If an
entry has not yet been created, a new group is created using
the 92 - option. If entries have been created, you can select one from the list of created groups.
Each host to be monitored must be assigned to a group.
The operation configured in Interface is only executed if no
group member can be reached.
Fields in the Trigger menu.
Field
Description
Monitored IP Address
Enter the IP address of the host to be monitored.
Possible values:
• -13+ 20 (default value): The default gateway is
monitored.
• *1*: Enter the IP address of the host to be monitored
manually in the adjacent input field.
Source IP Address
Select how the IP address is to be determined that your device
uses as the source address of the packet sent to the host to be
monitored.
Possible values:
• ,3* (default value): The IP address is determined
automatically.
• *1*: Enter the IP address in the adjacent input field.
Interval
Enter the time interval (in seconds) to be used for checking the
availability of hosts.
Possible values are to .
The default value is .
Within a group, the smallest Interval of the group members is
used.
Successful Trials
Specify how many pings need to be answered for the host to be
regarded as accessible.
You can use this setting to specify, for example, when a host is
deemed to be accessible once more, and used again, instead of
a backup device.
Possible values are to .
The default value is .
Unsuccessful Trials
Specify how many pings need to be unanswered for the host to
be regarded as inaccessible.
You can use this setting to specify, for example, when a host is
deemed to be inaccessible, and that a backup device should be
used.
Possible values are to .
The default value is .
Action to be performed
Select which Action should be run. For most actions, you select
an Interface to which the Action relates.
All physical and virtual interfaces can be selected.
For each interface, select whether it is to be enabled ( 7+),
disabled ( -7+ default value), reset ( ?), or the connection re-established ( ?+).
With Action = . you can monitor the IP address that is
specified under Monitored IP Address. This information can be
used for other functions, such as the Tracking IP Address .
17.8.2 Interfaces
A list of all monitored interfaces is displayed in the Local Services->Surveillance->Interfaces
menu.
17.8.2.1 Edit or New
Choose the
icon to edit existing entries. Choose the New button to set up monitoring for
other interfaces.
The menu Local Services->Surveillance->Interfaces->New consists of the following
fields:
Fields in the Basic Parameters menu.
Field
Description
Monitored Interface
Select the interface on your device that is to be monitored.
Trigger
Select the state or state transition of Monitored Interface that
is to trigger a particular Interface Action.
Possible values:
• 1* 3 (default value)
• 1* 2
Interface Action
Select the action that is to follow the state or state transition
defined in Trigger.
The action is applied to the Interface(s) selected in Interface.
Possible values:
• 7+ (default value): Activation of interface(s)
• -7+: Deactivation of interface(s)
Interface
Select the interface(s) for which the action defined in Interface Action
is to be performed.
You can choose all physical and virtual interfaces as well as options ,++ 1* and ,++ * 1*.
17.8.3 Ping Generator
In the Local Services->Surveillance->Ping Generator menu, a list of all configured, automatically generated pings is displayed.
17.8.3.1 Edit or New
Choose the
icon to edit existing entries. Choose the New button to create additional
pings.
The menu Local Services->Surveillance->Ping Generator->New consists of the following fields:
Fields in the Basic Parameters menu.
Field
Description
Destination IP Address
Enter the IP address to which the ping is automatically sent.
Source IP Address
Enter the source IP address of the outgoing ICMP echo request
packets.
Possible values:
• ,3*: The IP address is determined automatically.
• *1* (default value): Enter the IP address in the adjacent input field e.g. to test a particular extended route.
Interval
Enter the interval in seconds during which the ping is sent to the
address specified in Remote IP Address.
Possible values are to .
The default value is .
Trials
Enter the number of ping tests to be performed until Destination IP Address as /*!7+ applies.
The default value is .
17.9 UPnP
Universal Plug and Play (UPnP) makes it possible to use current messenger services (e.g.
real time video/audio conferencing) as peer-to-peer communication where one of the peers
lies behind a NAT-enabled gateway.
UPnP enables (mostly) Windows-based operating systems to take control of other devices
with UPnP functionality on the local network. These include gateways, access points and
print servers. No special device drivers are needed as known common protocols are used,
such as TCP/IP, HTTP and XML.
Your gateway makes it possible to use the subsystem of the Internet Gateway Device
(IGD) from the UPnP function range.
In a network behind a NAT-enabled gateway, the UPnP-configured computers act as LAN
UPnP clients. To do this, the UPnP function on the PC must be enabled.
The pre-configured port used for UPnP communication between LAN UPnP clients and the
gateway is (. The LAN UPnP client acts as a so-called service control point, i.e. it recognizes and controls the UPnP devices on the network.
The ports assigned dynamically by, for example, MSN Messenger, lie in the range from
to . The ports are released internally to the gateway on demand, i.e. when an
audio/video transfer is started in Messenger. When the application is closed, the ports are
immediately closed again.
The peer-to-peer-communication is initiated via public SIP servers with only the information
from the two clients being forwarded. The clients then communicate directly with one another.
For further information about UPnP, see www.upnp.org .
17.9.1 Interfaces
In this menu, you configure the UPnP settings individually for each interface of your gateway.
You can determine whether UPnP requests from clients are accepted by each interface (for
requests from the local network) and/or whether the interface can be controlled via UPnP
requests.
The menu Local Services->UPnP->Interfaces consists of the following fields:
Fields in the Interfaces menu.
Field
Description
Interface
Shows the name of the interface for which the UPnP settings
are to be made. The entry cannot be changed.
Answer to client request
Determine whether UPnP requests from clients are to be
answered via the particular interface (from the local network).
The function is enabled with 7+.
The function is disabled by default.
Interface is UPnP controlled
Determine whether the NAT configuration of this interface is
controlled by UPnP.
The function is enabled with 7+.
The function is disabled by default.
17.9.2 General
In this menu, you make the basic UPnP settings.
The Local Services->UPnP->General menu consists of the following fields:
Fields in the General menu.
Field
Description
UPnP Status
Decide how the gateway processes UPnP requests from the
LAN.
The function is enabled with 7+. The gateway proceeds
with UPnP releases in accordance with the parameters contained in the request from the LAN UPnP client, independently
of the IP address of the requesting LAN UPnP client.
The function is disabled by default. The gateway rejects UPnP
requests, NAT releases are not made.
UPnP TCP Port
Enter the number of the port on which the gateway listens for
UPnP requests.
The possible values are to , the default value is (.
17.10 HotSpot Gateway
Important
The Hotspot Gateway must not be operated with IPv6 enabled, since IPv6 data traffic
is not registered by the Hotspot Gateway and, therefore, cannot be controlled.
The HotSpot Solution allows provision of public Internet accesses (using WLAN or wired
Ethernet). The solution is adapted to setup of smaller and larger Hotspot solutions for
cafes, hotels, companies, communal residences, campgrounds, etc.
The HotSpot Solution consists of a bintec elmeg gateway installed onsite
(with its own WLAN access point or additional connected WLAN device or wired LAN) and
of the Hotspot server, centrally located at a computing centre. The operator account is administered on the server via an administration terminal (e.g., a hotel reception PC); this includes functions such as registration entry, generating tickets, statistical analysis, etc.
Login sequence at the Hotspot server
• When a new user connects with the Hotspot, he/she is automatically assigned an IP address via DHCP.
• As soon as he attempts to access any Internet site with a browser, the user is redirected
to the home/login page.
• After the user has entered the registration data (user/password), these are sent to the
central RADIUS server (Hotspot server) as RADIUS registration.
• Following successful registration, the gateway opens Internet access.
• For each user, the gateway sends regular additional information to the RADIUS server
for recording accounting data.
• When the ticket expires, the user is automatically logged off and again redirected to the
home/login page.
Requirements
To operate a Hotspot, the customer requires:
• a bintec elmeg device as hotspot gateway with active Internet access and
configured hotspot server entries for login and accounting (see menu System Management->Remote Authentication->RADIUS->New with Group Description 13+
3 )
• bintec elmeg Hotspot hosting (article number 5510000198)
• Access data
• Documentation
• Software licensing
Please note that you must first activate the licence.
Go to www.bintec-elmeg.com then Service/Support -> Services -> Online Services.
- Enter the required data (please note the relevant explanations on the license sheet),
and follow the instructions of the online licensing.
- You then receive the Hotspot server's login data.
Note
Activation may require 2-3 business days.
Access data for gateway configuration
RADIUS Server IP
62.245.165.180
RADIUS Server Password
Set by bintec elmeg GmbH
Domain
Individually set for customers by customer/dealer
Walled Garden Network
Individually set for customers by customer/dealer
Walled Garden Server URL
Individually set for customers by customer/dealer
Terms & Conditions URL
Individually set for customers by customer/dealer
Access data for configuration of the Hotspot server
Admin URL
https://hotspot.bintec-elmeg.com/
Username
Individually set by bintec elmeg
Password
Individually set by bintec elmeg
Note
Also refer to the WLAN Hotspot Workshop that is available to download from
www.bintec-elmeg.com
17.10.1 HotSpot Gateway
In the HotSpot Gateway menu, you can configure the bintec elmeg gateway installed
onsite for the Hotspot Solution.
A list of all configured hotspot networks is displayed in the Local Services->HotSpot
Gateway->HotSpot Gateway menu.
You can use the Enabled option to enable or disable the corresponding entry.
17.10.1.1 Edit or New
You configure the hotspot networks in the Local Services->HotSpot Gateway->HotSpot
Gateway->
menu. Choose the New button to set up additional Hotspot networks.
The Local Services->HotSpot Gateway->HotSpot Gateway->
menu consists of the
following fields:
Fields in the menu Basic Parameters
Field
Description
Interface
Choose the interface to which the Hotspot LAN or WLAN is connected. When operating over LAN, enter the Ethernet interface
here (e. g. en1-0). If operating over WLAN, the WLAN interface
to which the access point is connected must be selected.
Caution
For security reasons you cannot configure your device over
an interface that is configured for the Hotspot. Therefore
take care when selecting the interface you want to use for
the Hotspot.
If you select the interface over which the current configuration session is running, the current connection will be lost.
You must then log in again over a reachable interface that
is not configured for the Hotspot to configure your device.
Domain at the HotSpot Server
Enter the domain name that you used when setting up the HotSpot server for this customer. The domain name is required so
that the Hotspot server can distinguish between the different clients (customers).
Walled Garden
Enable this function if you want to define a limited and free area
of websites (intranet).
The function is not activated by default.
Walled Network / Netmask
Only if Walled Garden is enabled.
Enter the network address of the Walled Network and the corresponding Netmask of the intranet server.
For the address range resulting from Walled Network / Netmask, clients require no authentication.
Example: Enter 192.168.0.0 / 255.255.255.0, if all IP addresses
from 192.168.0.0 to 192.168.0.255 are free. Enter 192.168.0.1 /
255.255.255.255, if only the IP address 192.168.0.1 is free.
Walled Garden URL
Only if Walled Garden is enabled.
Enter the Walled Garden URL of the intranet server. Freely accessible websites must be reachable over this address.
Terms &Conditions
Only if Walled Garden is enabled.
In the Terms &Conditions input field, enter the address of the
general terms and conditions on the intranet server, or public
server, e.g., http://www.webserver.de/agb.htm. The page must
lie within the address range of the walled garden network.
Additional freely accessible Domain Names
Only if Walled Garden is enabled.
Add further URLs or IP addresses with Add. The web pages
can be accessed via these additional freely accessible addresses.
Post Login URL
Here you can specify the URL a user is redirected to after logging in to the Hotspot Solution.
Language for login window
Here you can choose the language for the start/login page.
The following languages are supported: +!, -3*!,
+, 'T, U+, 33V and 9
+ .
The language can be changed on the start/login page at any
time.
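Every address inside Walled Network / Netmask is reachable without authentication, so it is worth checking an entry before saving it. The following added example (not part of the bintec elmeg manual or firmware) computes the exempt range for the two entries used as examples above and checks that the terms page lies inside it; the function names, the finding codes and the max_free threshold are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit


def netmask_to_prefix(netmask: str) -> int:
    """Convert a dotted netmask to a prefix length.

    ipaddress would silently read 0.0.0.255 as a host mask (/24), so the
    contiguity of the 1-bits is checked by hand.
    """
    mask = int(ipaddress.IPv4Address(netmask))
    inverted = mask ^ 0xFFFFFFFF
    if inverted & (inverted + 1):
        raise ValueError(f"{netmask} is not a contiguous netmask")
    return bin(mask).count("1")


def audit_walled_garden(network, netmask, terms_url, max_free=256):
    """Return the unauthenticated range and a list of findings.

    max_free is a hypothetical review threshold, not a device setting.
    """
    prefix = netmask_to_prefix(netmask)
    iface = ipaddress.IPv4Interface(f"{network}/{prefix}")
    net = iface.network
    findings = []

    # 192.168.0.77 / 255.255.255.0 still exempts the whole /24.
    if iface.ip != net.network_address:
        findings.append(f"HOST_BITS: effective network is {net}")

    if net.num_addresses > max_free:
        findings.append(
            f"BROAD_RANGE: {net.num_addresses} addresses need no login")

    # The terms page must lie within the walled garden network.
    host = urlsplit(terms_url).hostname
    try:
        inside = ipaddress.IPv4Address(host) in net
    except ValueError:
        findings.append(
            f"TERMS_UNRESOLVED: resolve {host!r} and check it against {net}")
    else:
        if not inside:
            findings.append(f"TERMS_OUTSIDE: {host} is not in {net}")

    return {
        "first": str(net[0]),
        "last": str(net[-1]),
        "free_addresses": net.num_addresses,
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed sample entries; the first two are the manual's examples.
    samples = [
        ("192.168.0.0", "255.255.255.0", "http://192.168.0.10/agb.htm"),
        ("192.168.0.1", "255.255.255.255", "http://192.168.0.10/agb.htm"),
        ("10.0.0.0", "255.0.0.0", "http://www.webserver.de/agb.htm"),
    ]
    for entry in samples:
        print(entry, audit_walled_garden(*entry))
```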
The menu Advanced Settings consists of the following fields:
Fields in the menu Advanced Settings
Field
Description
Ticket Type
Select the ticket type.
Possible values:
• E3*!: Only the user name must be entered. Define a default password in the input field.
• /52 (default value): User name and password must be entered.
Allowed HotSpot Client
Here you can define which type of users can log in to the Hotspot.
Possible values:
• ,++: All clients are approved.
• ->% %+: Prevents users who have not received an IP address from DHCP from logging in.
Max. Sessions per User
Enter the maximum number of sessions per user.
Login Frameset
Enable or disable the login window.
The login window on the HTML homepage consists of two
frames.
When the function is enabled, the login form displays on the lefthand side.
When the function is disabled, only the website with information,
advertising and/or links to freely accessible websites is displayed.
The function is enabled by default.
Pop-Up window for
status indication
Specify whether the device uses pop-up windows to display the
status.
The function is enabled by default.
Default Idle Timeout
Enable or disable the Default Idle Timeout. If a hotspot user
does not trigger any data traffic for a configurable length of time,
they are logged out of the hotspot.
The function is enabled by default.
The default value is seconds.
17.10.2 Options
In the Local Services->HotSpot Gateway->Options menu, general settings are performed for the hotspot.
The Local Services->HotSpot Gateway->Options menu consists of the following fields:
Fields in the Basic Parameters menu.
Field
Description
Host for multiple locations
If several locations (branches) are set up on the Hotspot server,
enter the value of the NAS identifier (RADIUS server parameter)
that has been registered for this location on the Hotspot server.
17.11 Wake-On-LAN
With the function Wake-On-LAN you can start network devices that are switched off via an
integrated network card. The network card also needs a power supply, even when the computer is switched off. You can use filters and rule chains to define the conditions that need
to be met to send the so-called magic packet, and select the interfaces that are to be monitored for the defined rule chains. Configuring the filters and rule chains is largely like configuring filters and rule chains in the menu Access Rules.
17.11.1 Wake-On-LAN Filter
The menu Local Services->Wake-On-LAN->Wake-On-LAN Filter displays a list of all the
WOL filters that have been configured.
17.11.1.1 Edit or New
Choose the icon to edit existing entries. Choose the New button to enter additional filters.
The Local Services->Wake-On-LAN->Wake-On-LAN Filter->New menu consists of the
following fields:
Fields in the menu Basic Parameters
Field
Description
Description
Enter the name of the filter.
Service
Select one of the preconfigured services. The extensive range
of services configured ex works includes the following:
• *0
• +J
• 3!
• *!
• *+;
• 0
• !*
• *
The default value is ,0.
Protocol
Select a protocol.
The option ,0 (default value) matches any protocol.
Type
Only for Protocol = %.
Select the type.
Possible values: ,0, *! +0, - 3*!
7+, 3* J3*!, ?*, *!, ) 6*,
), ) +0.
See RFC 792.
The default value is ,0.
Connection State
With Protocol = )%, you can define a filter that takes the
status of the TCP connections into account.
Possible values:
• 7+!: All TCP packets that would not open any new
TCP connection on routing over the gateway match the filter.
• ,0 (default value): All TCP packets match the filter.
Destination IPv4 Address/Netmask
Enter the destination IPv4 address of the data packets and the
corresponding netmask.
Possible values:
• ,0 (default value): The destination IP address/netmask are
not specified.
• >: Enter the destination IP address of the host.
• 92B: Enter the destination network address and the corresponding netmask.
Destination IPv6 Address/Length
Enter the destination IPv6 address of the data packets and the
prefix length.
Possible values:
• ,0 (default value): The destination IP address/length are
not specified.
• >: Enter the destination IP address of the host.
• 92B: Enter the destination network address and the prefix length.
Destination Port/Range
Only for Protocol = )%, /- or )%5/-
Enter a destination port number or a range of destination port
numbers.
Possible values:
• ,++ (default value): The destination port is not specified.
• *10 : Enter a destination port.
• *10 : Enter a destination port range.
Source IPv4 Address/Netmask
Enter the source IPv4 address of the data packets and the corresponding netmask.
Possible values:
• ,0 (default value): The source IP address/netmask are not
specified.
• >: Enter the source IP address of the host.
• 92B: Enter the source network address and the corresponding netmask.
Source IPv6 Address/Length
Enter the source IPv6 address of the data packets and the prefix length.
Possible values:
• ,0 (default value): The source IP address/length are not
specified.
• >: Enter the source IP address of the host.
• 92B: Enter the source network address and the prefix
length.
Source Port/Range
Only for Protocol = )%, /- or )%5/-
Enter a source port number or a range of source port numbers.
Possible values:
• ,++ (default value): The source port is not specified.
• *10 : Enter a source port.
• *10 : Enter a source port range.
DSCP/TOS Filter
(Layer 3)
Select the Type of Service (TOS).
Possible values:
• (default value): The type of service is ignored.
• -% &0 E+3: Differentiated Services Code Point
according to RFC 3260 is used to signal the priority of IP
packets (indicated in binary format, 6 bit).
• -% -*+ E+3: Differentiated Services Code Point
according to RFC 3260 is used to signal the priority of IP
packets (indicated in decimal format).
• -% >6*+ E+3: Differentiated Services Code
Point according to RFC 3260 is used to signal the priority of
IP packets (indicated in hexadecimal format).
• ): &0 E+3: The TOS value is specified in binary
format, e.g. 00111111.
• ): -*+ E+3: The TOS value is specified in decimal
format, e.g. 63.
• ): >6*+ E+3: The TOS value is specified in
hexadecimal format, e.g. 3F.
COS Filter
(802.1p/Layer 2)
Enter the service class of the IP packets (Class of Service,
CoS).
Value range to (.
The default value is .
17.11.2 WOL Rules
The menu Local Services->Wake-On-LAN->WOL Rules displays a list of all the WOL
rules that have been configured.
17.11.2.1 Edit or New
Choose the
icon to edit existing entries. Choose the New button to enter additional
rules.
The Local Services->Wake-On-LAN->WOL Rules->New menu consists of the following
fields:
Fields in the menu Basic Parameters
Field
Description
Wake-On-LAN Rule Chain
Select whether to create a new rule chain or to edit an existing
one.
Possible values:
• 92 (default value): You can create a new rule chain with this
setting.
• @9 1 ! 3+ *!A: Shows a rule chain that has
already been created, which you can select and edit.
Description
Only where Wake-On-LAN Rule Chain = 92
Enter the name of the rule chain.
Wake-On-LAN Filter
Select a WOL filter.
If the rule chain is new, select the filter to be set at the first point
of the rule chain.
If the rule chain already exists, select the filter to be attached to
the rule chain.
To select a filter, at least one filter must be configured in the
Local Services->Wake-On-LAN->WOL Rules menu.
Action
Define the action to be taken for a filtered data packet.
Possible values:
• B 8:$ 1 1+ *!: Run WOL if the filter
matches.
• B 1 1+ *!: Run WOL if the filter does not match.
• -0 8:$ 1 1+ *!: Do not run WOL if the filter matches.
• -0 8:$ 1 1+ *!: Do not run
WOL if the filter does not match.
• 3+ B 6 3+: This rule is ignored and the next one in the chain is examined.
Type
Select whether the Wake on LAN magic packet is to be sent as
a UDP packet or as an Ethernet frame via the interface specified in Send WOL packet over Interface .
Send WOL packet over Interface
Select the interface which is to be used to send the Wake on
LAN magic packet.
Target MAC-Address
Only where Action = B 8:$ 1 1+
*! and B 1 1+ *!
Enter the MAC address of the network device that is to be enabled using WOL.
Password
Only where Action = B 8:$ 1 1+
*! and B 1 1+ *!
If the network device that is to be enabled supports the "SecureOn" function, enter the corresponding password for this
device here. The device is only enabled if the MAC address and
password are correct.
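The magic packet sent by such a rule has a fixed layout: six 0xFF bytes, the target MAC address repeated 16 times and, with SecureOn, a 6-byte password appended unencrypted. The following added example (not part of the bintec elmeg manual or firmware) builds that payload and recognises it again in a captured UDP payload or Ethernet frame, for instance from a Trace Interface recording; the MAC addresses and the password are constructed sample values and all function names are illustrative.

```python
import re

SYNC = b"\xff" * 6        # synchronisation stream that starts every magic packet
ETHERTYPE_WOL = 0x0842    # EtherType used when sent as a raw Ethernet frame


def mac_to_bytes(mac: str) -> bytes:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455."""
    digits = re.sub(r"[:.\-]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 6-byte address: {mac!r}")
    return bytes.fromhex(digits)


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_magic_packet(target_mac: str, password: str = None) -> bytes:
    """Payload for either transport: SYNC + 16 x MAC (+ SecureOn password)."""
    payload = SYNC + mac_to_bytes(target_mac) * 16
    if password is not None:
        # SecureOn passwords are 6 bytes and written like a MAC address.
        payload += mac_to_bytes(password)
    return payload


def build_ethernet_frame(src_mac: str, payload: bytes,
                         dst_mac: str = "ff:ff:ff:ff:ff:ff") -> bytes:
    """Wrap the payload in an Ethernet II header (no FCS)."""
    header = (mac_to_bytes(dst_mac) + mac_to_bytes(src_mac)
              + ETHERTYPE_WOL.to_bytes(2, "big"))
    return header + payload


def parse_magic_packet(data: bytes):
    """Find a magic packet anywhere in data; return its fields or None.

    The sync stream may sit at any offset (after an Ethernet or UDP
    header), and a broadcast destination MAC looks like a sync stream
    too, so every candidate offset is verified against the 16 repeats.
    """
    start = data.find(SYNC)
    while start != -1:
        body = data[start + 6:start + 102]
        if len(body) == 96 and body == body[:6] * 16:
            tail = data[start + 102:]
            return {
                "offset": start,
                "target_mac": bytes_to_mac(body[:6]),
                # Anything that follows is readable by every host that
                # receives the frame.
                "password": bytes_to_mac(tail) if len(tail) == 6 else None,
                "trailing_bytes": len(tail),
            }
        start = data.find(SYNC, start + 1)
    return None


if __name__ == "__main__":
    # Constructed sample values.
    udp_payload = build_magic_packet("00:11:22:33:44:55")
    frame = build_ethernet_frame(
        "02:00:00:00:00:01",
        build_magic_packet("00-11-22-33-44-55", "aa:bb:cc:dd:ee:ff"))
    print(parse_magic_packet(udp_payload))
    print(parse_magic_packet(frame))
```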
17.11.3 Interface Assignment
In this menu, the configured rule chains are assigned to individual interfaces which are then
monitored for these rule chains.
A list of all configured interface assignments is displayed in the Local Services->Wake-On-LAN->Interface Assignment menu.
17.11.3.1 Edit or New
Choose the
icon to edit existing entries. Choose the New button to create other entries.
The Local Services->Wake-On-LAN->Interface Assignment->New menu consists of the
following fields:
Fields in the menu Basic Parameters
Field
Description
Interface
Select the interface for which a configured rule chain is to be assigned.
Rule Chain
Select a rule chain.
17.12 Trace Interface
The menu Trace Interface allows recording the data traffic of a specific interface and allows you to save the recording as a PCAP file once the process has been stopped.
17.12.1 Trace Interface
Fields in the Trace Settings menu
Field
Description
Interface Selection
Select the interface the data traffic of which is to be recorded.
Trace Mode
Here you can choose the layers on which the data traffic of the
selected interface is to be recorded. Available choices are:
• $0 • • $0 •
As soon as you start the recording with the START button, a window informs you about the
recording. During recording you can leave the menu and use the GUI as usual. Once you
stop the recording with the STOP button, information on the created file is displayed and
you can either delete or save it as a PCAP file.
17.12.2 Trace VoIP/SIP
The menu Trace VoIP/SIP allows you to capture VoIP/SIP messages at various levels and
save them to a text file on your computer. You can choose from the following capture
levels; a description of the information written to the file is provided depending on your selection:
• State information: The device writes the current state of the VoIP/SIP subsystem to a file
you can then download.
• Events: The device continuously writes VoIP/SIP information to the capture buffer as
soon as you click the Start button. Once you click the Stop button, you are presented with
the download option.
• SIP: The device continuously writes all SIP messages (only) to the capture buffer as
soon as you click the Start button. Once you click the Stop button, you are presented with
the download option.
Chapter 18 Maintenance
This menu provides you with numerous functions for maintaining your device. It firstly
provides a menu for testing availability within the network. You can manage your system
configuration files. If more recent system software is available, you can use this menu to install it. If you need other languages for the configuration interface, you can import these.
You can also trigger a system reboot in this menu.
18.1 Log out Users
It can happen that an incompletely terminated configuration session affects functions of the
configuration interface. In this case, all active configurations can be checked and - if applicable - terminated.
18.1.1 Log out Users
In this menu, you are presented with a list of all active configuration sessions.
Fields in the menu Log out Users
Field
Description
Class
Displays the class the signed-on user belongs to.
User
Displays the user name.
Remote IP Address
Displays the IP address from which the connection has been
established. This may be the address of a PC, but it may also be
the address of an intermediate router.
Expires
Displays when the connection will be automatically terminated
by the device.
Log out immediately
If you activate the check box, this user will be disconnected
from the system when you click Logout.
18.1.1.1 Logout Options
After you have confirmed your selection of connections to be terminated with Logout you
can choose if any configuration related to the connections is to be saved before the user is
actually disconnected, and in which way.
18.2 Diagnostics
In the Maintenance->Diagnostics menu, you can test the availability of individual hosts,
the resolution of domain names and certain routes.
18.2.1 Ping Test
You can use the ping test to check whether a certain host in the LAN or an internet address
can be reached.
Fields in the Ping Test menu
Field
Description
Test Ping Mode
Select the IP version to be used for the ping test.
Possible values:
•
•
Test Ping Address
Enter the IP address to be tested.
Use Interface
Only for Test Ping Mode =
For link local addresses select the interface to be used for the
ping test. -13+ can be used for global addresses.
Pressing the Go button starts the ping test. The Output field displays the ping test messages.
18.2.2 DNS Test
The DNS test is used to check whether the domain name of a particular host is correctly resolved. The Output field displays the DNS test messages. The DNS test is launched by entering the domain name to be tested in DNS Address and clicking the Go button.
18.2.3 Traceroute Test
You use the traceroute test to display the route to a particular address (IP address or domain name), if this can be reached.
Fields in the Traceroute Test menu
Field
Description
Traceroute Mode
Select the IP version to be used for the Traceroute test.
Possible values:
•
•
Traceroute Address
Enter the IP address to be tested.
Pressing the Go button starts the Traceroute test. The Output field displays the traceroute
test messages.
18.3 Software &Configuration
You can use this menu to manage the software version of your device, your configuration
files and the language of the GUI.
18.3.1 Options
Your device contains the version of the system software available at the time of production.
More recent versions may have since been released. You may therefore need to carry out
a software update.
Every new system software includes new features, better performance and any necessary
bugfixes from the previous version. You can find the current system software at
www.bintec-elmeg.com . The current documentation is also available here.
Important
If you want to update your software, make sure you consider the corresponding release notes. These describe the changes implemented in the new system software.
The result of an interrupted update (e.g. power failure during the update) could be that
your gateway no longer boots. Do not turn your device off during the update.
An update of BOOTmonitor and/or Logic is recommended in a few cases. In this case,
the release notes refer expressly to this fact. Only update BOOTmonitor or Logic if
bintec elmeg GmbH explicitly recommends this.
Flash
Your device saves its configuration in configuration files in the flash EEPROM (Electrically
Erasable Programmable Read Only Memory). The data even remains stored in the flash
when your device is switched off.
RAM
The current configuration and all changes you set on your device during operation are
stored in the working memory (RAM). The contents of the RAM are lost if the device is
switched off. So if you modify your configuration and want to keep these changes for the
next time you start your device, you must save the modified configuration in the flash
memory before switching off, using the Save configuration button above the navigation area of
the GUI. This configuration is then saved in the flash in a file with the name 7. When
you start your device, the 7 configuration file is used by default.
Actions
The files in the flash memory can be copied, moved, erased and newly created. It is also
possible to transfer configuration files between your device and a host via HTTP.
Configuration file format
The file format of the configuration file allows encryption and ensures compatibility when
restoring the configuration on the gateway in various system software versions. This is a
CSV format, which can be read and modified easily. In addition, you can view the corresponding file clearly using Microsoft Excel, for example. The administrator can store encrypted backup files for the configuration. When the configuration is sent by e-mail (e.g. for support purposes), confidential configuration data can be protected fully if required. You can
save or import files with the actions "Export configuration", "Export configuration with status
information" and "Load configuration". If you want to save a configuration file with the action
"Export configuration" or "Export configuration with status information", you can choose
whether the configuration file is saved encrypted or without encryption.
Caution
If you have saved a configuration file in an old format via the SNMP shell with the command, there is no guarantee that it can be reloaded to the device. As a result, the
old format is no longer recommended.
The Maintenance->Software &Configuration ->Options menu consists of the following
fields:
Fields in the Currently Installed Software menu.
Field
Description
BOSS
Shows the current software version loaded on your device.
System Logic
Shows the current system logic loaded on your device.
ADSL Logic
Shows the current version of the ADSL logic loaded on your
device.
Fields in the Software and Configuration Options menu.
Field
Description
Action
Select the action you wish to execute.
After each task, a window is displayed showing the other steps
that are required.
Possible values:
• 9 ,* (default value):
• 6 *13: The configuration file Current
File Name in Flash is transferred to your local host. If you
click the Go button, a dialog box is displayed, in which you
can select the storage location on your PC and enter the desired file name.
• *13: Under Filename select a configuration file you want to import. Please note: Click Go to first
load the file under the name 7 in the flash memory for the
device. You must restart the device to enable it.
Please note: The files to be imported must be in CSV format!
• %0 *13: The configuration file in the Source
File Name field is saved as Destination File Name.
• -+ *13: The configuration in the Select
file field is deleted.
• ? *13: The configuration file in the Select file field is renamed to New File Name.
• ? 7*B3 *13: Only if, under Save
configuration with the setting *13 7*B 3 3 7 *13 the current
configuration was saved as boot configuration and the previous boot configuration was also archived.
You can load back the archived boot configuration.
• -+ 12512: The file in the Select file
field is deleted.
• +3: You can import additional language versions of the GUI into your device. You can download the files
to your PC from the download area at
www.bintec-elmeg.com and from there import them to your
device.
• / 0 12: You can launch an update of
the system software, the ADSL logic and the BOOTmonitor.
• E* .+ 8 '+: (Only displayed if an
SD card is inserted, if supported by your device) In file name,
select the ;21+H file that you wish to import.
• 6 *13 2! 1:
The active configuration from the RAM is transferred to your
local host. If you click the Go button, a dialog box is displayed, in which you can select the storage location on your
PC and enter the desired file name.
• ' ..%5- %: Occasionally, the additional internal
Flash memory has to be formatted. All stored data are deleted.
Current File Name in
Flash
For Action = 6 *13
Select the configuration file to be exported.
Include certificates
and keys
For Action = 6 *13, 6 *13
2! 1
Define whether the selected Action should also be applied for
certificates and keys.
The function is activated by selecting 7+.
The function is enabled by default.
Configuration Encryption
Only for Action = *13, 6 *
13, 6 *13 2! 1. Define whether the data of the selected Action
are to be encrypted.
The function is activated by selecting 7+.
The function is disabled by default.
If the function is enabled, you can enter the Password in the
text field.
Filename
Only for Action = *13, +
3 / 0 12.
Enter the path and name of the file or select the file with
Browse... via the explorer/finder.
Source File Name
Only for Action = %0 *13
Select the source file to be copied.
Destination File Name
Only for Action = %0 *13
Enter the name of the copy.
Select file
Only for Action = ? *13, -+ *
13 or -+ 12512
Select the file or configuration to be renamed or deleted.
New File Name
Only for Action = ? *13
Enter the new name of the configuration file.
Source Location
Only for Action = / 0 12
Select the source of the update.
Possible values:
• $*+ '+ (default value): The system software file is
stored locally on your PC.
• >)) : The file is stored on a remote server specified
in the URL.
• %3 12 1 / : The file is on
the official update server.
URL
Only for Source Location = >))
Enter the URL of the update server from which the system software file is loaded.
In the Advanced Settings menu, the version of the currently installed system flash files will
be displayed.
18.4 Reboot
18.4.1 System Reboot
In this menu, you can trigger an immediate reboot of your device. Once your system has
restarted, you must call the GUI again and log in.
Pay attention to the LEDs on your device. For information on the meaning of the LEDs, see
the Technical Data chapter of the manual.
Note
Before a reboot, make sure you confirm your configuration changes by clicking the
Save configuration button, so that these are not lost when you reboot.
If you wish to restart your device, click the OK button. The device will reboot.
18.5 Factory Reset
In the menu Maintenance->Factory Reset, you can reset your device to the ex works
state without having to have physical access to it.
Chapter 19 External Reporting
In this system menu, you define what system protocol messages are saved on which computers, and whether the system administrator should receive an e-mail for certain events.
Information on IP data traffic can also be saved--depending on the individual interfaces. In
addition, SNMP traps can be sent to specific hosts in case of error.
19.1 Syslog
Events in various subsystems of your device (e.g. PPP) are logged in the form of syslog
messages (system logging messages). The number of messages visible depends on the
level set (eight steps from *0 over 1 to -73).
In addition to the data logged internally on your device, all information can and should be
transmitted to one or more external PCs for storage and processing, e.g. to the system administrator’s PC. The syslog messages saved internally on your device are lost when you
reboot.
Warning
Make sure you only pass syslog messages to a safe computer. Check the data regularly and ensure that there is always enough spare capacity available on the hard disk
of your PC.
Syslog Daemon
All Unix operating systems support the recording of syslog messages. For Windows PCs,
the Syslog Daemon included in the DIME Tools can record the data and distribute it to various
files depending on the contents (available in the download area at
www.bintec-elmeg.com ).
19.1.1 Syslog Servers
Configure your device as a syslog server so that defined system messages can be sent to
suitable hosts in the LAN.
In this menu, you define which messages are sent to which hosts and with which conditions.
A list of all configured system log servers is displayed in the External
Reporting->Syslog->Syslog Servers menu.
19.1.1.1 New
Select the New button to set up additional syslog servers.
The menu External Reporting->Syslog->Syslog Servers->New consists of the following
fields:
Fields in the Basic Parameters menu.
Field
Description
IP Address
Enter the IP address of the host to which syslog messages are
passed.
Level
Select the priority of the syslog messages that are to be sent to
the host.
Possible values:
• *0 (highest priority)
• ,+
• %*+
•
• 8
• 9*
• 1 (default value)
• -73 (lowest priority)
Syslog messages are only sent to the host if they have a higher
or identical priority to that indicated, i.e. at syslog level
-73 all messages generated are forwarded to the host.
Facility
Enter the syslog facility on the host.
This is only required if the Log Host is a Unix computer.
Possible values: +*+
(
.
The default value is +*+
.
Timestamp
Select the format of the time stamp in the syslog.
Possible values:
• 9 (default value): No system time indicated.
• ): System time without date.
• - N): System time with date.
Protocol
Select the protocol for the transfer of syslog messages. Note
that the syslog server must support the protocol.
Possible values:
• /- (default value)
• )%
Type of Messages
Select the message type.
Possible values:
• 0 N,**3 (default value)
• 0
• ,**3
19.2 IP Accounting
In modern networks, information about the type and number of data packets sent and received over the network connections is often collected for commercial reasons. This information is extremely important for Internet Service Providers that bill their customers by data
volume.
However, there are also non-commercial reasons for detailed network accounting. If, for
example, you manage a server that provides different kinds of network services, it is useful
for you to know how much data is generated by the individual services.
Your device contains the IP Accounting function, which enables you to collect a lot of useful
information about the IP network traffic (each individual IP session).
19.2.1 Interfaces
In this menu, you can configure the IP Accounting function individually for each interface.
In the External Reporting->IP Accounting->Interfaces menu, a list of all interfaces configured on your device is shown. For each entry, you can activate IP Accounting by setting
the checkmark. In the IP Accounting column, you do not need to click each entry individually. Using the options Select all or Deselect all you can enable or disable the IP accounting function for all interfaces simultaneously.
19.2.2 Options
In this menu, you configure general settings for IP Accounting.
In the External Reporting->IP Accounting->Options menu, you can define the Log
Format of the IP accounting messages. The messages can contain character strings in
any order, sequences separated by a slash, e.g. W or W or defined tags.
Possible format tags:
Format tags for IP Accounting messages
Field
Description
%d
Date of the session start in the format DD.MM.YY
%t
Time of the session start in the format HH:MM:SS
%a
Duration of the session in seconds
%c
Protocol
%i
Source IP Address
%r
Source Port
%f
Source interface index
%I
Destination IP Address
%R
Destination Port
%F
Destination interface index
%p
Packets sent
%o
Octets sent
%P
Packets received
%O
Octets received
%s
Serial number for accounting message
%%
%
By default, the following format instructions are entered in the Log Format field: 9 )4
XXXX*X4X5X1 A X4X?5X'XXXX:YXZ
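The following added example (not part of the manual or of the device software) turns a Log Format string built from the tags above into a parser for received accounting messages, then uses the %s serial number to spot messages lost in transit and %I/%o to total the octets sent per destination. The format string, the sample lines and all function names are constructed for illustration, and IPv4 addresses are assumed.

```python
import re
from collections import Counter
from datetime import datetime

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"   # assumption: IPv4 sessions only
NUM = r"\d+"

# tag -> (field name, pattern, converter), following the format-tag table
TAGS = {
    "d": ("date", r"\d{2}\.\d{2}\.\d{2}", str),   # DD.MM.YY
    "t": ("time", r"\d{2}:\d{2}:\d{2}", str),     # HH:MM:SS
    "a": ("duration_s", NUM, int),
    "c": ("protocol", r"\w+", str),
    "i": ("src_ip", IPV4, str),
    "r": ("src_port", NUM, int),
    "f": ("src_ifindex", NUM, int),
    "I": ("dst_ip", IPV4, str),
    "R": ("dst_port", NUM, int),
    "F": ("dst_ifindex", NUM, int),
    "p": ("packets_sent", NUM, int),
    "o": ("octets_sent", NUM, int),
    "P": ("packets_received", NUM, int),
    "O": ("octets_received", NUM, int),
    "s": ("serial", NUM, int),
}
CONVERTERS = {name: conv for name, _, conv in TAGS.values()}


def compile_format(fmt):
    """Translate a Log Format string into a compiled regular expression."""
    parts, seen, i = [], set(), 0
    while i < len(fmt):
        if fmt[i] != "%":
            parts.append(re.escape(fmt[i]))      # literal character
            i += 1
            continue
        if i + 1 >= len(fmt):
            raise ValueError("dangling % at end of format")
        tag = fmt[i + 1]
        if tag == "%":
            parts.append("%")                    # %% is a literal percent sign
        elif tag in TAGS and tag not in seen:
            seen.add(tag)
            name, pattern, _ = TAGS[tag]
            parts.append(f"(?P<{name}>{pattern})")
        else:
            raise ValueError(f"unknown or repeated format tag %{tag}")
        i += 2
    # Note: two numeric tags with no separator between them (e.g. "%p%o")
    # cannot be split unambiguously; keep a delimiter between tags.
    return re.compile("".join(parts))


def parse_line(regex, line):
    """Return a dict of typed fields, or None if the line does not fit."""
    m = regex.fullmatch(line.strip())
    if m is None:
        return None
    rec = {k: CONVERTERS[k](v) for k, v in m.groupdict().items()}
    if "date" in rec and "time" in rec:
        try:
            rec["start"] = datetime.strptime(
                rec["date"] + " " + rec["time"], "%d.%m.%y %H:%M:%S")
        except ValueError:
            return None                          # e.g. 99.99.99
    return rec


def load(regex, lines):
    """Split input into parsed records and rejected (malformed) lines."""
    records, rejected = [], []
    for line in lines:
        rec = parse_line(regex, line)
        if rec is None:
            rejected.append(line)
        else:
            records.append(rec)
    return records, rejected


def missing_serials(records):
    """Serial numbers absent between the lowest and highest one seen."""
    seen = {r["serial"] for r in records}
    return [n for n in range(min(seen), max(seen) + 1) if n not in seen]


def octets_by_destination(records):
    """Total octets sent per destination address, largest first."""
    totals = Counter()
    for r in records:
        totals[r["dst_ip"]] += r["octets_sent"]
    return totals.most_common()


# Constructed format and messages (documentation address ranges).
SAMPLE_FORMAT = "INET: %d %t %a %c %i:%r/%f -> %I:%R/%F %p %o %P %O [%s]"
SAMPLE_LINES = [
    "INET: 14.10.17 09:15:02 42 6 192.168.0.10:51514/1000 -> 203.0.113.7:443/10001 120 18432 98 640112 [17]",
    "INET: 14.10.17 09:16:40 3 17 192.168.0.11:40000/1000 -> 198.51.100.53:53/10001 1 74 1 130 [18]",
    "INET: 14.10.17 09:20:11 600 6 192.168.0.10:51600/1000 -> 203.0.113.7:443/10001 9000 12582912 4000 262144 [20]",
    "INET: 14.10.17 09:21 truncated",
]

if __name__ == "__main__":
    records, rejected = load(compile_format(SAMPLE_FORMAT), SAMPLE_LINES)
    print("rejected:", rejected)
    print("missing serials:", missing_serials(records))
    print("octets sent per destination:", octets_by_destination(records))
```

A gap in the serial numbers means accounting messages never reached the collector, so per-destination totals computed from that window are a lower bound.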
19.3 Alert Service
It was previously possible to send syslog messages from the router to any syslog host. Depending on the configuration, e-mail alerts are sent to the administrator as soon as relevant
syslog messages appear.
19.3.1 Alert Recipient
A list of Syslog messages is displayed in the Alert Recipient menu.
19.3.1.1 New
Select the New button to create additional alert recipients.
The menu External Reporting->Alert Service->Alert Recipient->New consists of the following fields:
Fields in the Add / Edit Alert Recipient menu.
Field
Description
Alert Service
Displays the alert service. You can select an alert service for
devices with UMTS.
Possible values:
• E-mail
• SMS
Recipient
Enter the recipient's e-mail address. The entry is limited to 40
characters.
Message Compression
Select whether the text in the alert e-mail is to be shortened.
The e-mail then contains the syslog message only once plus the
number of relevant events.
Enable or disable the field.
The function is enabled by default.
Subject
You can enter a subject.
Event
This feature is available only for devices with Wireless LAN
Controller.
Select the event to trigger an email notification.
Possible values:
• 0+ * (default value): A Syslog message includes a specific string.
• 92 9!7 , 13: A new adjacent AP has been
found.
• 92 ?3 , 13: A new Rogue AP has been found,
i.e. an AP using an SSID of its own network, yet is not a component of this network.
• 92 + , "8)# 13: A new unconfigured AP has
reported to the WLAN.
• . , 11+: A managed AP is no longer accessible.
Matching String
You must enter a "Matching String". This must occur in a syslog
message as a necessary condition for triggering an alert.
The entry is limited to 55 characters. Bear in mind that without
the use of wildcards (e.g. "*"), only those strings that correspond
exactly to the entry fulfil the condition. The "Matching String"
entered therefore usually contains wildcards. To be informed of
all syslog messages of the selected level, just enter "*".
Severity
Select the severity level which the string configured in the
Matching String field must reach to trigger an e-mail alert.
Possible values:
*0 (default value), ,+, %*+, , 8
, 9*, 1, -73
Monitored Subsystems
Select the subsystems to be monitored.
Add new subsystems with Add.
Message Timeout
Enter how long the router must wait after a relevant event before it is forced to send the alert mail.
Possible values are to . The value disables the
timeout. The default value is .
Number of Messages
Enter the number of syslog messages that must be reached before an E-mail can be sent for this case. If timeout is configured,
the mail is sent when this expires, even if the number of messages has not been reached.
Possible values are to ; the default value is .
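The following added example (not part of the manual or of the device software) models how Matching String, Severity, Number of Messages, Message Timeout and Message Compression interact, so that a rule can be checked against sample messages before it is relied on. The names AlertRule and simulate, the shell-style wildcard matching, the standard syslog level names and the use of None for a disabled timeout are assumptions; the sample events are constructed.

```python
from collections import Counter
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

# Assumed level names (standard syslog), highest priority first.
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "information", "debug"]


@dataclass
class AlertRule:
    matching_string: str          # must cover the whole message
    severity: str                 # lowest priority that still triggers
    number_of_messages: int       # send once this many are collected
    timeout_s: Optional[int]      # None = timeout disabled (assumption)
    compress: bool = True         # Message Compression


def is_relevant(rule, severity, text):
    """True if the message reaches the severity and matches the string."""
    reaches = SEVERITIES.index(severity) <= SEVERITIES.index(rule.severity)
    # Assumption: "*" behaves like a shell wildcard. Without wildcards the
    # pattern only matches a message that is identical to it.
    return reaches and fnmatchcase(text, rule.matching_string)


def render(rule, texts):
    """Mail body: each distinct message once with its count if compressed."""
    if not rule.compress:
        return list(texts)
    return [f"{text} (x{count})" for text, count in Counter(texts).items()]


def simulate(rule, events, end_time):
    """Return [(send_time, body_lines)] for events = [(t, severity, text)]."""
    mails, pending, first = [], [], None

    def flush(at):
        nonlocal pending, first
        mails.append((at, render(rule, pending)))
        pending, first = [], None

    for ts, severity, text in sorted(events):
        # Timeout counted from the first relevant message still waiting.
        if pending and rule.timeout_s is not None and ts - first >= rule.timeout_s:
            flush(first + rule.timeout_s)
        if not is_relevant(rule, severity, text):
            continue
        if not pending:
            first = ts
        pending.append(text)
        if len(pending) >= rule.number_of_messages:
            flush(ts)
    if pending and rule.timeout_s is not None and end_time - first >= rule.timeout_s:
        flush(first + rule.timeout_s)
    return mails


# Constructed sample events: (seconds, severity, message text).
FAILED = "LOGIN: login failed for user admin from 192.0.2.10"
SAMPLE_EVENTS = [
    (0, "warning", FAILED),
    (5, "warning", FAILED),
    (9, "information", "PPP: link up"),
    (12, "warning", FAILED),
    (200, "debug", "LOGIN: login failed trace"),
    (300, "error", "IPSEC: login failed for peer branch1"),
]

EXACT = AlertRule("login failed", "warning", 3, 60)       # no wildcards
WILDCARD = AlertRule("*login failed*", "warning", 3, 60)
NEVER_SENT = AlertRule("*", "debug", 100, None)           # count never reached

if __name__ == "__main__":
    for rule in (EXACT, WILDCARD, NEVER_SENT):
        print(rule.matching_string, simulate(rule, SAMPLE_EVENTS, end_time=400))
```

The first rule sends nothing because no message is exactly "login failed", and the third sends nothing because the message count is never reached and no timeout forces the mail out.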
19.3.2 Alert Settings
The menu External Reporting->Alert Service->Alert Settings consists of the following
fields:
Fields in the Basic Parameters menu.
Field
Description
Alert Service
Select whether the alert service is to be enabled for the interface.
The function is enabled with 7+.
The function is enabled by default.
Maximum E-mails per
Minute
Limit the number of outgoing mails per minute. Possible values
are to , the default value is .
Fields in the E-mail Parameters menu.
Field
Description
Sender E-mail Address
Enter the mail address to be entered in the sender field of the e-mail.
SMTP Server
Enter the address (IP address or valid DNS name) of the mail
server to be used for sending the mails.
The entry is limited to 40 characters.
SMTP Port
Encryption of e-mails (SSL / TLS).
The field SMTP Port is per default preset to and SSL Encryption is enabled.
SMTP Authentication
Authentication expected by the SMTP server.
Possible values:
• 9 (default value): The server accepts and sends e-mails
without further authentication.
• .): The server only accepts e-mails if the router logs in
with the correct user name and password.
• .) 1 :: The server requires that e-mails are
retrieved via POP3 by the sending IP with the correct POP3 user
name and password before sending an e-mail.
User Name
Only if SMTP Authentication = .) or .) 1 :
Enter the user name for the POP3 or SMTP server.
Password
Only if SMTP Authentication = .) or .) 1 :
Enter the password of this user.
POP3 Server
Only if SMTP Authentication = .) 1 :
Enter the address of the server from which the e-mails are to be
retrieved.
POP3 Timeout
Only if SMTP Authentication = .) 1 :
Enter how long the router must wait after the POP3 call before it
is forced to send the alert mail.
The default value is seconds.
Fields in the SMS Parameters menu (for devices with UMTS only)
Field
Description
SMS Device
You can receive notification of system alerts in text messages.
Select the device to be used to send the text message.
Maximum SMS per Day
Limit the maximum number of SMS sent during a single day.
Activating 9 $ allows any number of SMS to be
sent.
The default value is 10 SMS per day.
Note: Entering a value of is equivalent to activating 9 $
.
19.4 SNMP
SNMP (Simple Network Management Protocol) is a protocol from the IP protocol family for
transporting management information about network components.
Every SNMP management system contains an MIB. SNMP can be used to configure, control and administrate various network components from one system. Such an SNMP tool is
included on your device: the Configuration Manager. As SNMP is a standard protocol, you
can use any other SNMP managers, e.g. HP OpenView.
For more information on the SNMP versions, see the relevant RFCs and drafts:
• SNMP V. 1: RFC 1157
• SNMP V. 2c: RFC 1901 - 1908
• SNMP V. 3: RFC 3410 - 3418
19.4.1 SNMP Trap Options
In the event of errors, a message - known as a trap packet - is sent unrequested to monitor
the system.
In the External Reporting->SNMP->SNMP Trap Options menu, you can configure the
sending of traps.
The menu External Reporting->SNMP->SNMP Trap Options consists of the following
fields:
Fields in the Basic Parameters menu.
Field
Description
SNMP Trap Broadcasting
Select whether the transfer of SNMP traps is to be activated.
Your device then sends SNMP traps to the LAN's broadcast address.
The function is activated by selecting 7+.
The function is disabled by default.
SNMP Trap UDP Port
Only if SNMP Trap Broadcasting is enabled.
Enter the number of the UDP port to which your device is to
send SNMP traps.
Any whole number is possible.
The default value is .
SNMP Trap Community
Only if SNMP Trap Broadcasting is enabled.
Enter a new SNMP code. This must be sent by the SNMP Manager with every SNMP request so that this is accepted by your
device.
A character string of between and characters is possible.
The default value is 9. ).
19.4.2 SNMP Trap Hosts
In this menu, you specify the IP addresses to which your device is to send the SNMP traps.
In the External Reporting->SNMP->SNMP Trap Hosts menu, a list of all configured SNMP trap hosts is displayed.
19.4.2.1 New
Select the New button to create additional SNMP trap hosts.
The menu External Reporting->SNMP->SNMP Trap Hosts->New consists of the following fields:
Fields in the Basic Parameters menu.
Field
Description
IP Address
Enter the IP address of the SNMP trap host.
19.5 SIA
19.5.1 SIA
In the menu External Reporting->SIA->SIA, you can create and download a file that
provides extensive support information about the status of your device like, e.g., the current
configuration, available memory, uptime etc.
Chapter 20 Monitoring
This menu contains information that enables you to locate problems in your network and
monitor activities, e.g. at your device's WAN interface.
20.1 Internal Log
20.1.1 System Messages
In the Monitoring->Internal Log->System Messages menu, a list of all internally stored
system messages is displayed. Above the table you will find the configured values for the
Maximum Number of Syslog Entries and Maximum Message Level of Syslog Entries
fields. These values can be changed in the System Management->Global
Settings->System menu.
Values in the System Messages list
Field
Description
No.
Displays the serial number of the system message.
Date
Displays the date of the record.
Time
Displays the time of the record.
Level
Displays the hierarchy level of the message.
Subsystem
Displays which subsystem of the device generated the message.
Message
Displays the message text.
20.2 IPSec
20.2.1 IPSec Tunnels
A list of all configured IPSec tunnel providers is displayed in the
Monitoring->IPSec->IPSec Tunnels menu.
Values in the IPSec Tunnels list
Field
Description
Description
Displays the name of the IPSec tunnel.
Remote IP
Displays the IP address of the remote IPSec Peers.
Remote Networks
Displays the currently negotiated subnets of the remote terminal.
Security Algorithm
Displays the encryption algorithm of the IPSec tunnel.
Status
Displays the operating status of the IPSec tunnel.
Action
Enables you to change the status of the IPSec tunnel as displayed.
Details
Opens a detailed statistics window.
You change the status of the IPSec tunnel by clicking the button or the button in the Action column.
By clicking the button, you display detailed statistics on the IPSec connection.
Values in the IPSec Tunnels list
Field
Description
Description
Shows the description of the peer.
Local IP Address
Shows the WAN IP address of your device.
Remote IP Address
Shows the WAN IP address of the connection partner.
Local ID
Shows the ID of your device for this IPSec tunnel.
Remote ID
Shows the ID of the peer.
Negotiation Type
Shows the exchange type.
Authentication Method
Shows the authentication method.
MTU
Shows the current MTU (Maximum Transfer Unit).
Alive Check
Shows the method for checking that the peer is reachable.
NAT Detection
Displays the NAT detection method.
Local Port
Shows the local port.
Remote Port
Shows the remote port.
Packets
Shows the total number of incoming and outgoing packets.
Bytes
Shows the total number of incoming and outgoing bytes.
Errors
Shows the total number of errors.
IKE (Phase-1) SAs (x)
The parameters of the IKE (Phase 1) SAs are displayed here.
Role / Algorithm / Lifetime remaining / Status
IPSec (Phase-2) SAs (x)
Shows the parameters of the IPSec (Phase 2) SAs.
Role / Algorithm / Lifetime remaining / Status
Messages
The system messages for this IPSec tunnel are displayed here.
20.2.2 IPSec Statistics
In the Monitoring->IPSec->IPSec Statistics menu, statistical values for all IPSec connections are displayed.
The Monitoring->IPSec->IPSec Statistics menu consists of the following fields:
Fields in the Licences menu
Field
Description
IPSec Tunnels
Shows the IPSec licences currently in use (In Use) and the
maximum number of licenses usable (Maximum).
Fields in the Peers menu
Field
Description
Status
Displays the number of IPSec tunnels by their current status.
• Up: Currently active IPSec tunnels.
• Going up: IPSec tunnels currently in the tunnel setup phase.
• Blocked: IPSec tunnels that are blocked.
• Dormant: Currently inactive IPSec tunnels.
• Configured: Configured IPSec tunnels.
Fields in the SAs menu.
Field
Description
IKE (Phase-1)
Shows the number of active phase 1 SAs (Established) from
the total number of phase 1 SAs (Total).
IPSec (Phase-2)
Shows the number of active phase 2 SAs (Established) from
the total number of phase 2 SAs (Total).
Fields in the Packet Statistics menu.
Total
Shows the number of all processed incoming (In) or outgoing
(Out) packets.
Passed
Shows the number of incoming (In) or outgoing (Out) packets
forwarded in plain text.
Dropped
Shows the number of all rejected incoming (In) or outgoing
(Out) packets.
Encrypted
Shows the number of all incoming (In) or outgoing (Out) packets protected by IPSec.
Errors
Shows the number of incoming (In) or outgoing (Out) packets
for which processing led to errors.
20.3 ISDN/Modem
20.3.1 Current Calls
In the Monitoring->ISDN/Modem->Current Calls menu, a list of the existing ISDN connections (incoming and outgoing) is displayed.
Values in the Current Calls list
Field
Description
Service
Displays the service to or from which the call is connected: ,
*, C, :).
Remote Number
Displays the number that was dialled (in the case of outgoing
calls) or from which the call was made (in the case of incoming
calls).
Interface
Displays additional information for PPP connections.
Direction
Displays the send direction: *, :3.
Charge
Displays the costs of the current connection.
Duration
Displays the duration of the current connection.
Stack
Displays the related ISDN port (STACK).
Channel
Displays the number of the ISDN B channel.
Status
Displays the state of the connection: 3++, *,
+, **, *+, *, **,
**, 3, *J, *, 3J, 3J, +*.
20.3.2 Call History
In the Monitoring->ISDN/Modem->Call History menu, a list of the last 20 ISDN calls
(incoming and outgoing) completed since the last system start is displayed.
Values in the Call History list
Field
Description
Service
Displays the service to or from which the call was connected:
, *, C, :).
Remote Number
Displays the number that was dialled (in the case of outgoing
calls) or from which the call was made (in the case of incoming
calls).
Interface
Displays additional information for PPP connections.
Direction
Displays the send direction: *, :3.
Charge
Displays the costs of the connection.
Start Time
Displays the time at which the call was made or received.
Duration
Displays the duration of the connection.
20.4 Interfaces
20.4.1 Statistics
In the Monitoring->Interfaces->Statistics menu, current values and activities of all device
interfaces are displayed.
With the filter bar, you can select whether to display Transfer Totals or Transfer
Throughput. The values per second are shown on the Transfer Throughput display.
Change the status of the interface by clicking the or the button in the Action column.
Values in the Statistics list
Field
Description
No.
Shows the serial number of the interface.
Description
Displays the name of the interface.
Type
Displays the interface text.
Tx Packets
Shows the total number of packets sent.
Tx Bytes
Displays the total number of octets sent.
Tx Errors
Shows the total number of errors sent.
Rx Packets
Shows the total number of packets received.
Rx Bytes
Displays the total number of bytes received.
Rx Errors
Shows the total number of errors received.
Status
Shows the operating status of the selected interface.
Unchanged for
Shows the length of time for which the operating status of the
interface has not changed.
Action
Enables you to change the status of the interface as displayed.
Click the button to display the statistical data for the individual interfaces in detail.
Values in the Statistics list
Field
Description
Description
Displays the name of the interface.
MAC Address
Displays the interface text.
IP Address / Netmask
Shows the IP address and the netmask.
NAT
Indicates if NAT is activated for this interface.
Tx Packets
Shows the total number of packets sent.
Tx Bytes
Displays the total number of octets sent.
Rx Packets
Shows the total number of packets received.
Rx Bytes
Displays the total number of bytes received.
Fields in the TCP Connections menu
Field
Description
Status
Displays the status of an active TCP connection.
Local Address
Displays the local IP address of the interface for an active TCP
connection.
Local Port
Displays the local port of the IP address for an active TCP connection.
Remote Address
Displays the IP address to which an active TCP connection exists.
Remote Port
Displays the port to which an active TCP connection exists.
20.4.2 Network Status
The menu Monitoring->Interfaces->Network Status provides an overview of all IP interfaces currently configured on the device. You can find information on the status of an interface as well as on relevant parameters like its IPv4 and/or IPv6 IP address, the MAC address of the interface and the currently valid MTU.
20.5 Bridges
20.5.1 br<x>
In the Monitoring->Bridges-> br<x> menu, the current values of the configured bridges
are shown.
Values in the br<x> list
Field
Description
MAC Address
Shows the MAC addresses of the associated bridge.
Port
Shows the port on which the bridge is active.
20.6 HotSpot Gateway
20.6.1 HotSpot Gateway
A list of all linked hotspot users is displayed in the Monitoring->HotSpot Gateway->HotSpot Gateway menu.
Values in the HotSpot Gateway list
Field
Description
User Name
Displays the user's name.
IP Address
Shows the IP address of the user.
Physical Address
Shows the physical address of the user.
Logon
Displays the time of the notification.
Interface
Shows the interface used.
20.7 QoS
In the Monitoring->QoS menu, statistics are displayed for interfaces on which QoS has
been configured.
20.7.1 QoS
A list of all interfaces for which QoS was configured is displayed in the
Monitoring->QoS->QoS menu.
Values in the QoS list
Field
Description
Interface
Shows the interface for which QoS has been configured.
QoS Queue
Shows the QoS queue, which has been configured for this interface.
Send
Shows the number of sent packets with the corresponding packet class.
Dropped
Shows the number of rejected packets with the corresponding
packet class in case of overloading.
Queued
Shows the number of waiting packets with the corresponding
packet class in case of overloading.
Glossary
2G
See GSM.
3DES
See DES.
3G
See UMTS.
4G
See LTE.
802.11
The 802.11 norm describes wireless LAN (WLAN). There are a variety of amendments: 802.11a: Gross data transfer rates: 54 Mbit/s,
frequency band: 5 GHz, 802.11b/g: Gross data transfer rates: 11
Mbit/s, frequency band: 2.4 GHz, 802.11g: Gross data transfer
rates: 54 Mbit/s, frequency band: 2.4 GHz, 802.11n: Gross data
transfer rates: 600 Mbit/s, frequency band: 2.4 GHz (optional: 5
GHz)
A-subscriber
The A-subscriber is the caller.
a/b interface
An a/b interface is used to connect an analogue terminal. In the
case of an ISDN terminal (terminal adapter) with a/b interface, a
connected analogue terminal is enabled to use the supported ISDN
performance features.
Access client
Client mode is an operating mode of a wireless access point (AP) in
which the latter behaves like a wireless adapter vis-a-vis the higher
level AP. With an AP run in client mode, individual computers or entire sub-networks can be connected to higher level networks.
Access point
An access point (AP) is a device for wirelessly connecting clients
(computers). The AP thus serves to create a wireless network
(WLAN) and connect that WLAN to a wired Ethernet network
(bridging).
Accounting
Accounting refers to the recording of connection data, e.g. date,
time, connection duration, charging information and number of data
packets transferred.
Activity monitor
The activity monitor is used to oversee the status of physical and virtual device interfaces.
Ad-hoc network
In an ad-hoc network, individual clients connect to an independent
wireless LAN via a wireless adapter. Ad-hoc networks work independently, with no access point on a peer-to-peer basis. The ad-hoc
mode is also referred to as IBSS (Independent Basic Service Set)
mode and is useful in very small networks, e. g. when linking two
notebooks with no access point.
ADSL
Asymmetric digital subscriber line. See DSL.
AES
Advanced Encryption Standard (AES, Rijndael) is an encryption
method (see Cipher). AES uses a fixed block length of 128 bits. The
key length is 128, 192 or 256 bits. AES is a very fast and secure algorithm.
Agent
The call centre agent is a member of a call centre.
Aggressive mode
When an IPSec connection is being established, aggressive mode is
used to implement a phase 1 exchange. Aggressive mode offers no
identity protection for negotiating nodes, since they have to transmit
their identity before they can establish a secure channel. See also
Main mode.
AH
The authentication header (AH) is used with IPSec to ensure the authenticity and integrity of the packets transmitted and to authenticate
the sender.
Analogue
Analogue signals are used to transmit data. They are more susceptible to errors than digital signals.
Analogue terminals
Terminals that transmit voice and other information analogously,
e.g. telephones, fax machines, answering machines and modems.
Performance features can only be used with terminals that dial using
the MFC dialling method and that have an R or flash key.
Annex A
Annex A is a DSL variant which occurs in connection with analogue
telephone connections, e. g. in France.
Annex B
Annex B is a DSL variant which occurs in connection with ISDN, e.
g. in Germany.
Annex J
Annex J is a DSL variant purely for data transmission, with no voice
data (unbundled connection). Annex J is an extension of specification G.992. These DSL connections require no splitter and have a
greater range and faster transmission speed.
Annex L
Annex L is an extension of Annex A. The range is increased at the
expense of the data transmission rate.
Annex M
Annex M is an extension of Annex A. The upstream is increased at
the expense of the downstream.
Announcement
The announcement is a performance feature. The announcement
function enables a connection to be established to other phones
which is automatically accepted by the subscribers called. The caller
speaks and those called hear the announcement. If one of those
called lifts the receiver, a normal connection is established.
ANSI T1.413
ANSI T1.413 is an ADSL variant.
Answering machine
Analogue answering machines are configured as an analogue terminal and selected via the terminal type. The PABX voice mail system is used as the answering machine.
ARP
The Address Resolution Protocol (ARP) supplies the associated
MAC addresses to IPv4 addresses. The information required is
shared between the network nodes, stored in the device's cache,
and deleted again after the ARP lifetime has expired. For IPv6 this
functionality is provided by the Neighbor Discovery Protocol (NDP).
ARS
The PABX uses Automatic Route Selection (ARS) to determine the
ideal route to the called party, depending on the provider, service,
QoS, …
ATM
Asynchronous Transfer Mode (ATM) is a data transmission technology in which the data traffic is coded in small packets – called cells
or slots – with a fixed length and is transmitted via asynchronous
time multiplexing.
Authentication
Check on the user's identity.
Authorisation
Based on their identity (authentication), the user can access certain
services and resources.
Authorisation class
See CoS.
Automatic callback on busy (CCBS)
Callback on busy is a performance feature. If the connection of the
subscriber called is engaged, a callback can be requested. When
the called subscriber's phone call ends, the caller is phoned and
automatically connected to the called subscriber.
Automatic callback on no reply (CCBS)
Callback on no reply is a performance feature. If the called subscriber fails to take the call, a callback can be requested. When the
called subscriber ends a call, the caller is phoned and automatically
connected to the called subscriber.
Automatic outside line
Automatic outside line enables the phone number of an external
party to be dialled (without entering a code).
Automatic redialling
If the connection of the called party is engaged, an automatic redial
can be initiated. This notifies the caller as soon as the line is free.
Automatic Route Selection
Automatic route selection can be used to route calls whatever the
number (zone) dialled, via specified providers or bundles.
AUX
AUX is a signal input for external devices, e. g. analogue or GSM
modems.
B channel
See Basic Rate Interface and Primary Rate Interface.
B channel
See B channel.
B subscriber
The B subscriber is the called party.
Back Route Verify
If a Back Route Verify is activated for an interface, incoming data
packets are only accepted over this interface if outgoing response
packets are routed over the same interface.
Backbone area
The core area of a network which connects all the sub-networks
(areas) with one another is known as the backbone.
Basic Rate Interface
The Basic Rate Interface is a network connection to the ISDN. This
type of connection is often abbreviated to BRI. A basic rate interface
includes two basic channels (B channels) each with 64 kbps and
one control and signalling channel (D channel) with 16 kbps. There
are two operating modes for the Basic Rate Interface: Point-to-point
ISDN and Point-to-multipoint. The Primary Rate Interface (PRI) is
used with larger installations.
Beacon
The central access point sends beacons to create a wireless LAN in
infrastructure mode. These messages contain the network name
(SSID), a list of the supported transmission rates and the type of encryption.
Bit
A binary digit (bit) is the smallest unit of data in computing technology. Signals are represented in the logical states "0" and "1".
Black / White List
Entries in the Black List are blocked, entries in the White List are allowed through. (Example: Any telephone number beginning with
01234 is blocked in the Black List. The number 01234987 can nonetheless be approved in the White List.)
Blowfish
Blowfish is an encryption method (see Cipher). Blowfish uses a fixed
block length of 64 bits. The key length can be between 32 and 448
bits.
BootP
The Bootstrap Protocol (BootP) is used to automatically issue an IP
address.
Bps
Bits per second. A unit of measure for the transmission rate.
BRI
See Basic Rate Interface
Bridge
A bridge is a network component for connecting the same types of
network at Level 2 of the OSI model. Data packets are transmitted
using MAC addresses. The use of bridges divides up the network
and reduces the load.
Broadcast
In a broadcast, data packets are sent from one point to all the subscribers in a network, e. g. if the recipient is not yet known. Examples of this are the ARP and DHCP protocols. The communication is via broadcast addresses: MAC networks:
FF:FF:FF:FF:FF:FF, IPv4 networks: 255.255.255.255, IPv6 networks: ff00::/8
Broker
Brokering makes it possible to switch between two subscribers
without the waiting subscriber being able to hear the other conversation.
BRRP
BRRP is an implementation of the Virtual Router Redundancy Protocol (VRRP). The aim of the method is to compensate for the failure of the default gateway. Multiple routers are combined to form
one virtual router. If one of these routers falls over, the others are
able to replace it.
Bundle
The external connections of a PABX can be grouped into bundles.
Busy On Busy
If Busy on Busy is enabled, anyone who calls an engaged subscriber hears the engaged tone. Call waiting or call forwarding to a
team are not possible.
CA
Certificate Authority. See Certificate.
Cache
The device temporarily stores data used in name resolution in the
cache. See also ARP.
Call allocation
With call allocation, calls coming into the PBX are assigned to particular numbers or applications (remote access, ISDN login, ...).
Call centre
A call centre provides support, shares information and sells over the
telephone.
Call deflection
Call deflection (CD) is a performance feature. A call can be forwarded without it having been taken.
Call deflection (CD)
See Call forwarding.
Call forwarding
Call forwarding is a performance feature. When call forwarding (CF)
is used, incoming calls can be routed to another, internal or external,
phone number. The call can be forwarded in the telephone system
or the switchboard, or by the SIP provider.
Call pickup
See pickup
Call Through
Call Through refers to dialling into the system via an external connection and the system putting the call through to a different external connection. This can reduce call costs.
Call variant
The call variant specifies which terminals a call is signalled to. The
calendar can be used to control the individual call variants on a time
basis.
Call waiting
Call waiting is a performance feature. Another caller is signalled during a phone call.
Call waiting protection
When call waiting protection is enabled, other callers are not signalled on the terminal. The caller hears the engaged tone.
Callback on Busy
See Automatic callback on busy (CCBS)
Callback on no reply
See Automatic callback on no reply (CCBS)
Called party number
The number of the party being phoned.
Caller list
On system telephones, missed calls are saved in a caller list. To
achieve this, calling line identification presentation (CLIP) needs to
be enabled.
Calling party number
The number of the calling terminal.
CAPI
The Common ISDN Application Programming Interface (CAPI) is a
programming interface for ISDN. It enables application programs to
access ISDN hardware from a PC. See also TAPI.
CAPWAP
Control And Provisioning of Wireless Access Points Protocol
(CAPWAP) is used to have wireless access points (slaves) monitored by a WLAN controller (master). It uses UDP port 5246 for
monitoring and 5247 to send data.
CAST
CAST is an encryption method (see Cipher). CAST uses a fixed
block length of 64 bits. The key length can be between 40 and 128
bits. Alternative names are CAST-128 and CAST5.
Certificate
A certificate identifies a person, an institution, a device or an application. A public key certificate is a digital certificate and it creates a
connection between the identity and a public key. Certificates with
public keys are issued by a certification authority (CA). Certificates
that can no longer be trusted may be revoked using certificate revocation lists (CRLs).
CFB
Call Forwarding Busy (CFB) is a performance feature. CFB forwards
callers to a different connection if the connection of the party called
is engaged.
CFNR
Call Forwarding No Reply (CFNR) is a performance feature. CFNR
forwards callers to a different connection if the call is not taken.
Channel
A wireless channel is a frequency band used for wireless LAN.
Devices that send on adjacent channels disrupt one another.
Channel bundling
When channels are bundled, the B channels in an ISDN connection
are combined to increase data throughput.
CHAP
The Challenge Handshake Authentication Protocol (CHAP) is an authentication protocol for PPP connections. As well as the standard
CHAP, Microsoft also has the variants MS-CHAPv1 and MS-CHAPv2. You dial into a network via PPP and you authenticate
yourself with a username and password. The username and password are transmitted encrypted. See also PAP.
Cipher
A block cipher is an encryption algorithm. In this encryption method,
a data block of a fixed size (normally 64 bit) is rewritten to a block of
the same size using a so-called key. The longer the key, the more
secure the algorithm.
CLID
Calling Line Identification (CLID), also known as Caller ID, is used
for authentication. A caller is identified by means of his or her ISDN
extension number before the connection is established.
Client
A client uses the services provided by a server. Clients are usually
workstations.
CLIP
See Display caller number (CLIP / CLIR).
CLIP no Screening
See also Display caller number (CLIP / CLIR). With CLIP no Screening, as well as the normal caller number, another number is also
sent, e. g. the number of the switchboard or a service number. The
normal number can also be suppressed using CLIP, so that the
party called only sees the other number.
CLIP off Hook
See Display caller number (CLIP / CLIR).
CLIR
See Display caller number (CLIP / CLIR).
Code procedure
A sequence (code procedure) (consisting of 0 - 9, *, # and R) can be
entered on the telephone keypad in order to access the PBX's functions.
COLP
See Display called party number (COLP / COLR).
COLP no Screening
See also Display called party number (COLP / COLR). With COLP
no Screening, as well as the normal caller number, another number
is also sent, e. g. the number of the switchboard or a service number. The normal number can also be suppressed using COLP, so
that the party called only sees the other number.
COLR
See Display called party number (COLP / COLR).
Conference call
With a conference call, multiple internal subscribers can speak to
one another on the phone at the same time.
Configuration
The configuration refers to all of a device's settings. It is stored internally, in MIB tables. This data can be backed up, loaded and deleted externally. The configuration is edited using the HTTP(S) user
interface, an SNMP client or connected telephones.
CoS
The term Class of Service (CoS) means different things depending
on the area in which it is applied. In telecommunications CoS refers
to the permission class assigned to the user. The permission class
defines the user's rights, e. g. exchange access right, features that
can be used, access to applications, ... In network technology CoS
refers to the classification of certain services as per IEEE 802.1p.
CoS enables priorities to be set in a targeted way, while Quality of
Service (QoS) is used to set up explicit bandwidth guarantees or restrictions. Data packets are classified using a DSCP (Differentiated
Services Code Point) value.
CRC
Cyclic Redundancy Check (CRC) is a method of detecting errors in
the data transmission.
CRL
See Certificate.
D channel
See Basic Rate Interface and Primary Rate Interface.
Daemon
A daemon refers to a program that runs in the background and
provides certain services.
Data compression
Data compression is a method of reducing the data volume transmitted. See STAC and MPPC.
Datagram
A datagram is a self-contained data entity with user and control
data. It generally stands for the terms data frame, data packet and
data segment.
DCN
DCN stands for data communication network.
DDI
DDI stands for Direct Dial In. See Point-to-point ISDN access and
Direct dial-in (VoIP).
Dead Peer Detection
In IPSec, Dead Peer Detection is used to identify IKE peers that can
no longer be accessed.
DECT
Digital Enhanced Cordless Telecommunications (DECT) is a standard for cordless telephones and wireless PABX systems.
Default gateway
All the data traffic which is not intended for one's own network is
sent to the default gateway (default router).
Default route
See Standard route
Default route
The default route is used when no other suitable route is available.
Default router
See Default gateway.
Diffie-Hellman
Diffie-Hellman is a public key algorithm for negotiating and establishing keys. Because data is neither encrypted nor signed, the
method is only secure if the connecting partners authenticate themselves using other mechanisms such as RSA and DSA.
Denial-Of-Service Attack
In a Denial-Of-Service Attack (DoS), a network component is
flooded with queries so that it becomes totally overloaded. As a result, the system or a particular service can no longer function.
DES
The Data Encryption Standard (DES) is an encryption method (see
Cipher). DES uses a fixed block length of 64 bits. The key length is
56 bits. Triple DES or 3DES is based on using DES three times
(three different, independent keys).
DHCP
The Dynamic Host Configuration Protocol (DHCP) allows IP addresses to be assigned dynamically. A DHCP server allocates each
client in a network an IP address from a defined address pool. The
clients need to be configured accordingly.
Dial preparation
Dial preparation describes the entering of the telephone number before initiating the call, e. g. by lifting the receiver.
Dialling control
See Black / White List.
Dialup connection
When required, a dialup connection is established by dialling a
phone number, in contrast to a fixed connection (see Leased line)
which is permanently enabled.
Digital
Digital signals are used to transmit data. They are less susceptible
to errors than analogue signals.
DIME
Desktop Internetworking Management Environment (DIME) is used
to configure and monitor gateways.
Direct call
If the direct call function is set up, the user merely has to lift the telephone receiver to, after a short wait, automatically get a connection
to a particular phone number.
Direct dial exception
See Point-to-point ISDN access and Direct dial-in (VoIP).
Direct dial-in (VoIP)
Direct dial-in is a VoIP connection that is also known as point-to-point. It is used to connect a PBX. A main phone number and a
number block are issued. Each of the numbers in the number block
is called a direct dial exception. (Example: Main number 1234, number block: 1 - 99, numbers of the individual extensions: 1234-1,
1234-2, 1234-3, …)
Direct dialling range
See number block in Point-to-point ISDN access and Direct dial-in
(VoIP)
DISA
DISA - Direct Inward System Access. A call, after it has been taken
by the PBX, is automatically forwarded after a code has been
entered. In the PBX, this code is assigned to an internal telephone
number.
Display called party number (COLP / COLR)
Connected Line Identification Presentation (COLP) is used to send
the phone number of the called party (B phone number) to the
caller. Connected Line Identification Restriction (COLR) is used to
suppress the transmission of the phone number of the called party
to the caller.
Display caller number (CLIP / CLIR)
Calling Line Identification Presentation (CLIP) is used to send the
caller's phone number (A phone number) to the called party. CLIP
off Hook sends the phone number of the caller waiting. Calling Line
Identification Restriction (CLIR) is used to suppress the transmission
of the phone number of the caller to the called party.
DNS
The Domain Name System (DNS) is used to convert the domain
name (e. g. www.example.org) to an IP address (name resolution).
Do not disturb
See Station guarding.
Domain
A domain is a contiguous sub-set of the DNS (e. g. example.org).
Door intercom
A door intercom is mounted on entrances, and may be part of a
PBX.
Downstream
The gateway receives the data from a higher-level network and forwards it to its connected network.
DSA
The Digital Signature Algorithm (DSA) is used to create digital signatures and encrypt data packets. Signatures can be used to verify
changes made to the information in the data packet. DSA is used for
public-key cryptography (IPSec). See also RSA. Key generation is
quicker with DSA than with RSA, but key processing is slower.
DSCP
Data packets can be marked with a Differentiated Services Codepoint (DSCP). DSCP values classify data packets in such a way that
important packets can be routed through the network more quickly.
See also QoS.
DSL modem
See Modem.
DSP
A digital signal processor (DSP) converts analogue, ISDN and VoIP
signals to one another. So, e. g., analogue terminals can also be
used on an SIP connection.
DSS1
Digital Subscriber Signalling System No. 1 (DSS1) is a signalling
protocol for the D channel in the ISDN. It is also known as Euro
ISDN.
DTIM
A Delivery Traffic Indication Message informs the clients that multicast or broadcast data is available at the access point.
DTMF
See Multifrequency code dialling method.
DTMF Inband / Outband
See also Multifrequency code dialling method. With inband, the
DTMF signal is transmitted in the voice band (G.711). With outband,
the DTMF signal is transmitted as specified in RFC 2833.
Dynamic IP address
In contrast to a static IP address, a dynamic IP address is assigned
temporarily by DHCP. Network components such as the web server
or printer usually have static IP addresses, while clients such as notebooks or workstations usually have dynamic IP addresses.
DynDNS
A DynDNS provider can be used to link a domain name with a dynamically changing IP address.
Encapsulation
Encapsulation of data packets is a particular protocol to transmit the
data packets in a network. See also VPN.
Encryption
Refers to the encryption of data, e.g. using MPPE.
Engaged when busy
See Busy on Busy.
ESP
Encapsulating Security Payload (ESP) is a protocol for IPSec. It
uses protocol number 50 and supports data encryption and authentication.
Ethernet
Ethernet is a specification for cable data networks. Ethernet works
on the first and second layer of the OSI model.
Euro ISDN
Standard ISDN in Europe, based on the DSS1 signalling protocol.
Eurofile transfer
Eurofile transfer (EFT) is a protocol for sharing files over ISDN.
Exchange access right
The telephone system distinguishes between the following exchange access rights:
Unlimited: Any international, national or internal connection is permitted.
National long-distance calls: Only domestic connections may be established - i. e. dialling any number that begins with 0 but not with 00. Incoming external calls can be received without restrictions.
Locality: Only connections to the same area code may be established. So the number may not begin with a 0. Incoming external calls can be received without restrictions.
Incoming: Only connections to other terminals in the telephone system may be established. Incoming external calls can be received without restrictions.
Internal: Only connections within the telephone system are permitted.
Extension
In PBX systems, an extension refers to the terminal connected to
the system.
Extension number
See Point-to-point ISDN access and Direct dial-in (VoIP).
Extension number
block
See Point-to-point ISDN access and Direct dial-in (VoIP).
Extension numbers range
See Extension number block in Point-to-point ISDN access.
Fax
Fax is used to send text, graphics and documents over the phone
network. A distinction is drawn between Group 3 fax machines for
the analogue network (transmission rate: 9.6 or 14.4 kbit/s) and
Group 4 fax machines for ISDN (transmission rate: 64 kbit/s). To
connect Group 3 fax machines to ISDN, a terminal adapter or a suitable PBX is required.
Filter
A filter comprises a number of criteria (e.g. protocol, port number,
source and destination address). If these criteria match a data packet, the data packet can be subjected to a particular action (forward,
reject, ...). This creates a filter rule.
Filter rule
A rule that defines which data packets should or should not be
transmitted by the gateway.
Firmware
The firmware (system software) is programming code that is permanently embedded in the device. It provides the device's functions.
Flash key
The flash key on a telephone is the R button. The key interrupts the
line briefly to start certain functions such as inquiries.
Follow-me
Follow-me is a performance feature. This function can be used to
route incoming calls from a different extension to one's own terminal.
Fragmentation
If the overall length of the data packet is greater than the Maximum
Transmission Unit (MTU) of the network interface, the data packet
has to be broken down into multiple physical data blocks using IP
fragmentation. The reverse process is known as reassembly.
Frame
A data frame is an information unit (Protocol Data Unit) in the data
link layer in the OSI model.
Frame relay
Frame relay is a data transmission technology and upgrade of X.25
(smaller packets, less error checking). Frame relay is primarily used
for GSM networks.
FTP
The File Transfer Protocol (FTP) regulates data transmission in IP
networks. It regulates the exchange between FTP server and client.
Full-duplex
With full-duplex, data can be sent and received simultaneously over
a line.
Function keys
Function keys are special keys on system telephones which can be
assigned phone numbers or functions.
FXO
Foreign Exchange Office (FXO) refers to the connection to the analogue terminal. See also FXS.
FXS
Foreign Exchange Station (FXS) refers to the analogue connection
to the connection socket or PBX. See also FXO.
G.711
G.711 is an audio codec. Audio signals from the frequency range
between 300 Hz and 3400 Hz are passed with a sampling rate of 8
kHz. At a data transmission rate of 64 kbit/s, the codec achieves excellent voice quality (MOS value: 4.4). The A-law quantisation method is used in Europe, and the µ-law method in the USA.
G.722
G.722 is an audio codec. Audio signals from the frequency range
between 50 Hz and 7000 Hz are passed with a sampling rate of 16
kHz. At a data transmission rate of 64 kbit/s, the codec achieves
outstanding voice quality (MOS value: 4.5).
G.726
G.726 is an audio codec. Audio signals from the frequency range
between 200 Hz and 3400 Hz are passed with a sampling rate of 8
kHz. The codec achieves an acceptable voice quality. MOS value:
3.7 (16 kbit/s), 3.8 (24 kbit/s), 3.9 (32 kbit/s), 4.2 (40 kbit/s). There
are two different coding methods: I.366 and X.420
G.729
G.729 is an audio codec. Audio signals from the frequency range
between 300 Hz and 2400 Hz are passed with a sampling rate of 16
kHz. At a data transmission rate of 8 kbit/s, the codec achieves an
acceptable voice quality (MOS value: 3.9).
G.991.1
Data transmission recommendation for HDSL.
G.991.2
Data transmission recommendation for SHDSL.
G.992.1
Data transmission recommendation for ADSL. There are two country-specific versions: G.992.1 Annex A and G.992.1 Annex B. Data
transfer rates: 12 Mbit/s (downstream), 1.3 Mbit/s (upstream)
G.992.2
Data transmission recommendation for ADSL (G.LITE / ADSL-Lite).
There are two versions: G.992.2 Annex A and G.992.2 Annex B.
Data transfer rates: 12 Mbit/s (downstream), 1.3 Mbit/s (upstream)
G.992.3
Data transmission recommendation for xDSL2. There are three variants: G.992.3 Annex A/B (G.DMT to ADSL2) with data transmission
rates of 12 Mbit/s in the downstream and 1.0 Mbit/s in the upstream,
G.992.3 Annex L (RE-ADSL2) with data transmission rates of 5
Mbit/s in the downstream and 0.8 Mbit/s in the upstream and
G.992.3 Annex M (ADSL2) with data transmission rates of 12 Mbit/s
in the downstream and 2.5 Mbit/s in the upstream.
G.992.4
Data transmission recommendation for ADSL2 with Annex A/B.
Data transmission rates: 12 Mbit/s (downstream), 1.0 Mbit/s
(upstream)
G.992.5
Data transmission recommendation for xDSL2+. There are three
variants: G.992.5 Annex A/B (ADSL2+) with data transmission rates
of 25 Mbit/s in the downstream and 1.0 Mbit/s in the upstream,
G.992.5 Annex L (RE-ADSL2+) with data transmission rates of 25
Mbit/s in the downstream and 1.0 Mbit/s in the upstream and
G.992.5 Annex M (ADSL2+) with data transmission rates of 25 Mbit/s
in the downstream and 3.5 Mbit/s in the upstream.
G.993.1
Data transmission recommendation for VDSL. Data transmission
rates: 52 Mbit/s (downstream), 16 Mbit/s (upstream)
G.993.2
Data transmission recommendation for VDSL2. Data transmission
rates: 200 Mbit/s (downstream), 200 Mbit/s (upstream)
G.DMT
See G.992.1.
G.Lite
See G.992.2.
G.SHDSL
See G.991.2.
Gateway
The gateway is a network component for connecting different types
of network.
GPRS
General Packet Radio Service (GPRS) is the name for the packet-oriented service for transmitting data in GSM networks.
GRE
Generic Routing Encapsulation (GRE) is a network protocol for encapsulating other protocols so that they can be transported via the
Internet Protocol (IP) in the form of a tunnel (VPN). GRE uses protocol number 47.
GSM
The Global System for Mobile Communications (GSM), also known
as 2G, is a mobile communications standard. It achieves, along with
GPRS, a specified max. data transmission rate of 171.2 kbit/s.
Half-duplex
With half-duplex, data can only be sent and received back-to-back
over a line.
Hands-free calling
With hands-free calling, calls can be made without lifting the receiver. Other people in the room can participate in the conversation using a microphone and loudspeakers.
Hash
To ensure data integrity, the information needs to be protected from
unauthorised manipulation while it is being transmitted. To ensure
that this happens, every item of communication received has to
match the information originally sent. Therefore erratic mathematical
value functions (hash functions) are used to calculate checksums
(hash values). These are encrypted and sent as a digital signature
with the message. The recipient, in turn, checks the signature before
opening the packet. If the signature and, thus, the content of the
data packet has changed, the packet is discarded. The hash algorithms used most frequently are Message Digest Version 5 (MD5)
and Secure Hash Algorithm (SHA1).
HDSL
High Data Rate Digital Subscriber Line. See DSL.
Heartbeat
A network's subscribers use heartbeats to signal that they are ready
to receive.
Hold
A telephone call is put on hold without breaking the connection
(inquiry/brokering). A distinction is drawn between holding the connection in the PBX (holding in the system) and holding in the switchboard or by the SIP provider.
Hold for enquiry
With hold for enquiry, the phone call with the first party is held while
one conducts a second call.
Hop
Hop is the term for the connection from one network node to the
next.
Host
A host is a computer system that provides its services to the network.
Host name
The domain name of a host. See DNS.
Host route
A host route is the name for the route to a single host.
Hotspot
A hotspot is a public internet access point via WLAN or wired Ethernet.
HSDPA
High Speed Downlink Packet Access (HSDPA, 3.5G, 3G+ or UMTS
broadband) is a data transmission method in the UMTS mobile communications standard.
HTTP
The HyperText Transfer Protocol (HTTP) is a protocol for transmitting HTML pages (web pages) between server and client. By default
it uses port 80.
HTTPS
The HyperText Transfer Protocol Secure (HTTPS) is a protocol
which protects against eavesdropping when transmitting HTML
pages (web pages) between server and client. HTTPS is schematically identical to HTTP. SSL / TLS is used for additional data encryption. The standard port for HTTPS connections is 443.
Hyperchannel
With a hyperchannel, multiple subscribers have access to the transmission medium. A subscriber can only transmit their data if no other subscriber is using the medium. A hyperchannel network is
mainly used for short-range operation with top data rates.
IAE
IAE refers to the standard socket (ISDN connection unit) to which
ISDN terminals are connected.
ICMP
The Internet Control Message Protocol (ICMP) is used to exchange
information and error messages over IPv4. The version ICMPv6 exists for IPv6.
IGMP
The Internet Group Management Protocol (IGMP) is used in IPv4
networks to organise multicast groups.
IKE
The Internet Key Exchange Protocol (IKE) is used for automatic key
management with IPSec connections. The IKE process runs in two
phases. During phase 1, the IKE subscribers authenticate themselves to one another and establish a secure channel. In phase 2,
the two IPSec subscribers negotiate the SAs. There are two versions of the IKE mechanism.
Infrastructure network
In an infrastructure network the individual terminals (clients) form a
wireless LAN via a central access point. This central access point
may also be an agent in other networks.
Internal call tone
The internal call tone on a PBX is used to differentiate between internal and external calls.
Internal telephone numbers
Internal phone numbers are used for calls within the PBX.
IP
The Internet Protocol (IP) is a network protocol and it is the basis for
the Internet. It works on the network layer of the OSI model. The
TCP and UDP protocols are based on IP. There are two versions,
Internet Protocol version 4 (IPv4) and Internet Protocol version 6
(IPv6).
IP address
IP addresses are used to navigate in an IP network, to unambiguously identify the source and destination. IPv4 addresses consist of
32 bits, IPv6 addresses of 128 bits. So, with IPv4 2^32, i.e.
4.294.967.296 addresses can be represented, with IPv6 2^128 =
340.282.366.920.938.463.463.374.607.431.768.211.456 addresses.
Dotted decimal notation, e. g. 192.168.0.250, is used for IPv4.
Hexadecimal notation, e. g. 2001:db8:85a3::8a2e:370:7344, is used
for IPv6. See also netmask.
IPCP
The Internet Protocol Control Protocol (IPCP) is used, in a similar
way to DHCP, to configure a host with an IP address, gateway and
DNS server, when a PPP network connection is being used. With
the extension Robust Header Compression over PPP, the header
can be compressed for faster data transmission. Similarly, in IPv6
networks, the functionality is provided by the Internet Protocol version 6 Control Protocol (IPV6CP).
IPSec
IPSec (Internet Protocol Security) is a network protocol for encapsulating other protocols so that they can be transported via the Internet
Protocol (IP) in the form of a tunnel (VPN). The protocol number for
IPSec depends on the protocol used. The Authentication Header
(AH) uses protocol number 51, while the Encapsulating Security
Payload (ESP) uses number 50.
IPv6
See IP.
ISDN
Integrated Services Digital Network (ISDN) is a data transmission
standard that includes telephony, fax and data transmission. There
are two ISDN connection variants: Basic Rate Interface and Primary
Rate Interface.
ISDN address
The ISDN address of an ISDN device comprises an ISDN number
followed by other numbers that relate to the specific terminal.
ISDN login
The ISDN login is used to remotely configure the device via SNMP.
To do so, it needs to have a configured ISDN or wireless connection.
ISDN number
The ISDN number is the network address of the ISDN interface.
ISDN router
See Router.
ISDN-BRI
See BRI.
ISDN-Internal/External
Alternative name for the S0 bus.
ISDN-PRI
See PRI.
ISP
Internet Service Providers (ISPs) supply technical services for using
the Internet.
ITU
The International Telecommunication Union (ITU) coordinates the
setting up and operating of telecommunications networks and services.
Keepalive
Keepalive packets are used to check that the communication partner can be contacted.
Keepalive
Keepalive is a mechanism for maintaining the network connection
and for checking that the communication partner can be reached.
Specific packets are usually sent to the network for this purpose.
Keypad
The keypad protocol (network direct) is used to access and manage
performance features provided by the switchboard.
L2TP
The Layer 2 Tunneling Protocol (L2TP) is a network protocol for encapsulating other protocols so that they can be transported via the
Internet Protocol (IP) in the form of a tunnel (VPN). By default, L2TP
uses protocol number 1701. The architecture in an L2TP network
consists of an L2TP access concentrator (LAC) which may also be
permanently integrated into the client, and the L2TP network server
(LNS). The LAC establishes the connections to the LNS and manages them. The authorisation is regulated using a network access
server (NAS), which can be implemented in the LAC or LNS. The
LNS is responsible for routing and controlling the packets received
from the LAC. The user data itself is exchanged unencrypted, while
control messages for maintaining the accessibility of the tunnel endpoints are transmitted securely.
LAC
See L2TP.
LAN
A Local Area Network (LAN) refers to a network that is geographically very limited and normally spans one building or a company head
office.
Layer
A layer refers to a layer in the OSI model.
LCP
The Link Control Protocol (LCP) is used in PPP connections to automatically negotiate encapsulation, process limits for varying packet
sizes, authenticate the connection partner, determine faulty links,
identify connection faults and terminate the connection.
LDAP
The Lightweight Directory Access Protocol (LDAP) regulates the
communication between a client and the directory server. LDAP is
used for sharing and updating directories, e. g. a phone book.
Lease time
The lease time refers to the validity period of a dynamic IP address
that a client has been given by a DHCP server.
Leased line
See Leased line
Leased line
A leased line is a permanent connection of two communication partners via a telecommunications network.
Line access authorisation
See Exchange access right.
LLC
The Link Layer Control (LLC) regulates the media allocation at MAC
level.
LNS
See L2TP.
Load balancing
With load balancing, data is sent via different interfaces in order to
increase the overall bandwidth available. In contrast to Multilink,
load balancing also functions with accounts with different providers.
Loopback
In a loopback switch the sender and recipient are identical.
LTE
Long Term Evolution (LTE), also known as 4G, is a mobile communications standard with a standardised maximum data transmission
rate of 300 Mbit/s.
MAC address
The Media Access Control address (MAC address) is the hardware
address of the network adapter and is used to identify the device at
the hardware level.
Main Mode
When establishing an IPSec connection, main mode is used to implement a phase 1 exchange by setting up a secure channel. See
also Aggressive mode.
Man-in-the-Middle attack
In a Man-in-the-Middle attack, the attacker is physically or logically
between the two communication partners and so is able to view, and
even manipulate, the data traffic.
MD5
Message Digest Algorithm 5 (MD5) is a hash function that generates
a 128 bit hash value (checksum). See also Hash.
Media gateway
A media gateway converts the network type of digital voice, audio or
image information. For example, the signals from an ISDN network
can be converted to an IP network.
Metric
The metric is a measure for the properties of the route. The fastest
route has the lowest metric (costs). Put simply, this is the connection
with the smallest number of node points (routers).
MFC
See Multifrequency code dialling method.
MFV
See Multifrequency code dialling method.
MIB
The Management Information Base (MIB) describes the data that
can be queried or modified via a network management protocol (e.
g. SNMP). The MIB is a database that describes all the devices and
functions in the network.
MLD
The Multicast Listener Discovery (MLD) is used in IPv6 networks to
organise multicast groups.
Mobile subscriber
If the mobile subscriber is enabled, an external telephone, e. g. a
mobile phone can be called in parallel (parallel calling). The system's functions, e. g. callback, can also be used externally. For
these functions, the external telephone's star key is interpreted as
the R key.
Modem
A modem is an electronic device that converts digital signals to frequency signals in order to distribute data in a wired or wireless network.
MOH
See Music on hold.
MPDU
The MAC Protocol Data Unit (MPDU) refers to a data packet, including management frames and fragmented MSDUs, exchanged wirelessly.
MPPC
Microsoft Point-to-Point Compression (MPPC) is a method of data
compression.
MPPE
Microsoft Point-To-Point Encryption (MPPE) is used to encrypt data
transmitted via PPP. It was developed by Microsoft and Cisco and
specified as RFC 3078.
MS-CHAP
The Microsoft Challenge Handshake Authentication Protocol
(MS-CHAP) is a method of authentication. MS-CHAPv1 is intended
for authenticating DCN connections and is largely the same as the
standard CHAP. MS-CHAPv2 is an authentication method for PPTP
connections (VPN).
MSDU
A MAC Service Data Unit (MSDU) is a data packet that is exchanged at LLC level.
MSN
See Multiple subscriber number
MSS
The Maximum Segment Size (MSS) defines the maximum number
of bytes that can be used as user data in a TCP segment. The MSS
must be smaller than the Maximum Transmission Unit (MTU) to
avoid fragmenting the IP packets.
MSS clamping
MSS clamping reduces the Maximum Segment Size (MSS) in order
to connect networks with different Maximum Transmission Units
(MTU).
MTU
The Maximum Transmission Unit (MTU) is the largest possible data
unit that can be transmitted over a physical line.
Multicast
With a multicast, data packets are sent from one point to particular
subscribers in a network. In IPv4 this is controlled via the address
range 224.0.0.0 to 239.255.255.255 and the IGMP protocol, while in
IPv6 it is controlled by ff00::/8 addresses and ICMPv6.
Multifrequency code dialling method
The multifrequency code dialling method, also known as tone dialling, MFV, MFC and DTMF, is a signalling method for automatic
telephone routing. Key inputs are represented by overlaid, sinusoidal signals. See also Pulse dialling.
Multilink
With multilink, multiple interfaces (PPP, PPPoE, ...) are combined
into a single virtual connection in order to increase the total bandwidth available.
Multiple subscriber number
Multiple subscriber numbers are the individual phone numbers in the
ISDN point-to-multipoint connection.
Music on Hold
The term Music On Hold (MOH) refers to automated announcements or hold music on the PBX.
Music on hold
See Music on hold.
MWI
The Message Waiting Indicator (MWI) signals that a new message
is available.
NAPT
Network Address Port Translation (NAPT) is another term for PAT.
See PAT.
NAT
Network Address Translation (NAT) is used to replace the source
and destination IP addresses of a data packet with others. This enables different networks to be connected to one another. See also
PAT.
NBNS
Like DNS, NetBIOS Name Service (NBNS) is used in centralised
name resolution. See also WINS and DNS.
Netmask
With IPv4 in connection with the IP address, the netmask, also network mask and subnet mask, defines the network by dividing the IP
address into network and device parts and thus determining which
addresses need to be routed. Example of a netmask:
255.255.255.0. With IPv6 one refers to prefix length.
Network address
A network address is the address of the network as a whole. The
network mask and prefix length divide the IP address into the network address and host address (device address). Example of a network address: 192.168.0.250/24
Network direct
See Keypad.
Network route
The network route refers to the route to a particular network.
Network termination
Network termination (NT) refers to a connection or operating type. A
terminal is given access to a communication network at the NT interface (connection socket). The connector is called a TAE with an
analogue connection, an NTBA with the basic ISDN connection, and
NTPMGF with the ISDN Primary Rate Interface. In the NT operation,
the gateway is connected to the PABX's external S0 and is an external exchange connection for it. See also TE.
NT
See Network termination.
NTBA
See Network termination.
NTP
The Network Time Protocol (NTP) is used to synchronise the time of
day.
NTPMGF
See Network termination.
OAM
OAM is a service for monitoring ATM connections.
Open hold for enquiry
With open hold for enquiry, a call is put on hold and either party can
then resume it once more.
OSI model
The OSI model divides the flow of communication between the
physical medium and the user level into layers. The requirements at
each layer are met by relevant protocols.
OSPF
OSPF is a dynamic routing protocol which is usually used in larger
network installations as an alternative to RIP.
PABX
Private Automatic Branch Exchange (PABX) is another expression
for a telephone system.
PABX
PABX is another term for a telephone system.
PAP
The Password Authentication Protocol (PAP) is an authentication
method for connections via PPP. Unlike with CHAP, the username
and password are not sent encrypted.
Parallel call
See Mobile subscriber.
Park
When a call is parked, the connection is held even if the receiver of
the terminal involved is replaced or the cable connection is cut off.
PAT
Port and Address Translation (PAT) is used to replace the source
and destination IP addresses and source and destination ports of a
data packet with others. This enables different networks to be connected to one another. See also NAT.
PBX
Private Branch Exchange (PBX) is another expression for a telephone system.
PDM
See Pulse dialling
Peer
A peer is the endpoint of a communication in the network.
Phase 1/2
See IKE.
Pick-up
With pick-up, calls can be received using code procedures on an internal terminal that is not part of active call allocation.
PIM
The Protocol Independent Multicast (PIM) enables the dynamic routing of multicast packets on the Internet.
PIN
A personal identification number (PIN) can be used to authenticate
oneself on the device so that one can use the device's functions.
Ping
Ping is a diagnostic tool that can be used to check whether a particular host in an IP network can be contacted. A measurement is
taken of the time interval between sending a data packet (ICMP(v6)
echo request packet) and receiving a response packet sent back immediately. This enables the connection quality to be determined.
PKCS
The Public-Key Cryptography Standards (PKCS) are standards for
public key cryptography. The PKCS are designed for binary and ASCII data and are compatible with the X.509 standard. The public
standards are PKCS #1, #3, #5, #7, #8, #9, #10, #11, #12 and #15.
PKCS #10 describes the syntax for certification inquiries.
PKI
A public key infrastructure (PKI) is used to issue, distribute and verify digital certificates for an encryption procedure.
PMTU
The Path MTU (PMTU) describes the maximum packet size that can
be transmitted along the entire connection route without needing to
be fragmented.
Point-to-multipoint
Point-to-multipoint connection is an ISDNB connection. It is used to
connect ISDN terminals. Multiple subscriber numbers (MSNs) are
provided. See also Point-to-point ISDN access
Point-to-multipoint
See Single phone number (VoIP).
Point-to-point
See Point-to-point ISDN access and Direct dial-in (VoIP).
Point-to-point connection number:
See Point-to-point ISDN access
Point-to-point ISDN access
Point-to-point ISDN access refers to an ISDN connection that is also
called point-to-point. It is used to connect a PBX. A point-to-point
number and a number block are issued. Each of the numbers in the
number block is called a direct dial exception. (Example: Point-to-point connection number: 1234, number block: 1 - 99, numbers of
the individual extensions: 1234-1, 1234-2, 1234-3, …) See also
Point-to-multipoint connection.
Pool
An address pool is a collection of IP addresses that can be assigned
to the connected clients, e. g. by DHCP.
POP3
The Post Office Protocol Version 3 (POP3) is a transmission protocol which controls how a client accesses emails from an email
server.
Port
The port number is used to decide the service (telnet, FTP, ...) to
which an incoming data packet should be sent.
POTS
Plain Old Telephone System (POTS) refers to the analogue telephone network.
PPP
The Point-to-Point Protocol (PPP) is a standardised technology for
setting up a direct connection between the network nodes via dialup lines.
PPPoA
The Point-to-Point-over-ATM Protocol (PPPoA) enables PPP data
packets to be transported directly over an ATM network.
PPPoE
The Point-to-Point-over-Ethernet Protocol (PPPoE) enables PPP
data packets to be transported directly over an Ethernet network.
PPTP
The Point-to-Point Tunneling Protocol (PPTP) is a network protocol
for encapsulating other protocols so that they can be transported via
the Internet Protocol (IP) in the form of a tunnel (VPN). PPTP uses
protocol number 1723. The PPTP architecture is divided into two logical systems: the PPTP Access Concentrator (PAC) and the PPTP
Network Server (PNS). The PAC is usually integrated into the Windows client. It establishes the connection to the PNS and manages
it. The PNS is responsible for routing and controlling the packets received by the PNS.
Pre-shared key
A pre-shared key (PSK) is a key for an encryption procedure. The
parties shared the key's value beforehand.
Prefix
See Network address
Prefix delegation
In IPv6 networks, prefix delegation is used to assign the network address (prefix) to the router.
Prefix length
See netmask.
PRI
See Primary Rate Interface.
Primary Rate Interface
The Primary Rate Interface is a network connection to the ISDN.
This type of connection is often also called a PRI or S2M interface. A
Primary Rate Interface offers 30 user channels (B channels), each
with 64 kbits/s, in Europe and 23 in the USA, one control channel (D
channel) with 64 kbits/s and one synchronisation channel with 64
kbits/s in Europe and 8 64 kbits/s in the USA. See also Basic Rate
Interface.
Proposal
When an IPSec connection is being established, the initiator of the
connection makes proposals with relation to the authentication and
encryption methods to be used.
Protocol
Protocols regulate the flow of a data communication on different
levels of the OSI model. Protocols control addressing, coding, authentication, formatting, etc. Examples: Ethernet, IP, TCP, HTTP
Proxy
A proxy is a network component. The proxy is an agent. It routes a
query from the source with its own IP address to the destination.
Pulse dialling
Pulse dialling is a signalling method for automated telephone routing. Key inputs are represented by a defined number of dc pulses.
See also Multifrequency code dialling method (MF).
PVID
The Port VLAN Identifier (PVID) is the standard VLAN ID for the port
concerned. A packet that reaches this port without a VLAN tag is assigned this ID.
Q-SIG
Q-Interface Signalling Protocol (Q-SIG) is an ISDN-based signalling
protocol for linking PABX systems.
QoS
Quality of Service (QoS) describes the properties of the communication service. It is defined using bandwidth, delay, packet losses and
jitter. To transmit time-critical data packets for VoIP or video streaming as quickly as possible, QoS is used to sort all the data packets
into groups and forward them on in the network either more quickly
or slowly, depending on their priority.
Queue
The data packets accumulate in a queue before they are sent.
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a client-server protocol for authenticating, authorising and accounting for
users with dial-in connections. The RADIUS server authenticates
the client, e. g. by checking the username and password. See also
TACACS+.
RE-ADSL2
See G.992.5.
Real Time Jitter Control
Real Time Jitter Control is used, where necessary, to reduce the
size of data packets during a telephone conversation so that voice
packets are not blocked.
Registrar
The SIP server (registrar) needs to be used in case the subscribers
to a VoIP call are not using static IP addresses. The SIP server registers the clients' IP addresses and sends this data to the SIP
proxy, which connects the calls. The SIP proxy and SIP registrar are
usually identical.
Reject / reject function
When a phone number that has not been set up in the telephone
system is dialled, or if the connection of the party called is engaged,
or the party called does not take the call, the reject function determines how to proceed with the call. The call can be routed to a different destination or discarded.
Repeater
A repeater is a device that strengthens electric or optical signals and
thus increases the range of the network.
Reset
This returns the device to its unconfigured state.
RFC
A Request For Comments (RFC) is a document that describes the
standards and guidelines for the Internet.
Rijndael
See AES.
RIP
The Routing Information Protocol (RIP) is a routing protocol. It is restricted to small networks. See also OSPF.
RipeMD 160
RACE Integrity Primitives Evaluation Message Digest (RipeMD 160)
is a hash function that generates a 160 bit hash value (checksum).
See also Hash.
RJ45
RJ45 refers to a jack or connector with a maximum of eight wires to
the digital terminals' connection.
Roaming
With roaming, a client moves through a WLAN logging on and off at
different access points in the same network.
Room monitoring
Room monitoring is a performance feature. One can listen in to the
sounds in a room.
Router
A router is a network component for connecting different types of
network at the network layer of the OSI model. Data packets are
transmitted using IP addresses. Routing tables are used to identify
the best routes through the network. In order to keep the routing
tables up to date, the routers exchange information via routing protocols (e.g. OSPF, RIP).
Router advertisement
Router advertisements are messages that the router sends to the
network. They announce the presence of the router in the network.
Router announcements are also used to issue prefixes, organise the
autoconfiguration and specify the standard router.
Routing
Routing refers to the identifying of routes for sending messages.
RSA
The RSA algorithm (named after its inventors, Rivest, Shamir and
Adleman) is used to create digital signatures and encrypt data packets. The signature can be used to verify changes made to the information in the data packet. RSA is used for public-key cryptography (IPSec). See also DSA. Key generation is slower with RSA
than with DSA, but key processing is faster.
RTP
The Real-Time Transport Protocol (RTP) is used to transmit audio
and video data (streams) via IP-based networks.
RTS threshold
Once the number of frames in the data packet exceeds the RTS
threshold, a connection check (RTS/CTS handshake) is run before a
data packet is sent.
RTSP
The Real-Time Streaming Protocol (RTSP) controls the transmission of audio and video data (streams) via IP-based networks. While
the Real-Time Transport Protocol (RTP) is used to transmit user
data, the main function of RTSP lies in controlling the data streams.
Rule chain
A rule chain contains a combination of different filter rules. A filter
rule selects part of the data traffic based on particular features, e. g.
the source IP address, and applies an action, e. g. block, on this
part.
S0 bus
The S0 bus is an interface for the ISDN Basic Rate Interface, and
links multiple ISDN terminals to the NTBA. The bus is implemented
by a four-wire circuit. See also UP0.
S2M interface
See Primary Rate Interface.
SA
So-called security associations (SA) receive information about the
measures to secure the communication connection. One SA, at
least, is a prerequisite for establishing a secure connection. An SA
receives the subscriber's IP address, the authentication protocol
used, the encryption algorithm used, the security parameter index
(SPI), the selector and the period of validity.
SAD
All the parameters that are set while configuring IPSec are stored in
the router in the form of databases. These are the Security Policy
Database (SPD) and the Security Association Database (SAD). The
SAD receives information about every security connection. That is,
which encryption algorithms, keys, protocols, session numbers or
periods of validity are to be used. For an outgoing connection, an
SPD entry displays an SAD entry. In this way, the SPD can specify
which SA is to be used for a particular packet. With an incoming
connection, the SAD is addressed in order to specify how the packet
is to be processed.
SCEP
The Simple Certificate Enrollment Protocol (SCEP) is used to manage digital certificates.
Scheduling
Scheduling refers to the planning of tasks. Particular actions (e. g.
deactivating an interface) are triggered by events (e. g. time or
changing a MIB variable).
Serial interface
The serial interface is used to exchange data between computers
and peripheral devices. It can be used to configure the device or to
transmit data via an IP infrastructure (Serial over IP).
Server
A server offers services used by clients.
SFP
Small Form-factor Pluggable (SFP) is a plug-in connector that was
developed for extremely fast Ethernet.
SHA1
Secure Hash Algorithm version 1 (SHA1) is a hash function that
generates a 160 bit hash value (checksum). See also Hash.
SHDSL
Symmetrical High-bit-rate Digital Subscriber Line. See DSL.
Shell
The shell is an input interface (e. g. command line or graphic user
interface) between computer and user.
Short hold
The short hold is the defined amount of time after which a network
connection is automatically cleared if no more data is transmitted.
SIF
With a Stateful Inspection Firewall (SIF), the routing of a data packet
is not determined only by source and destination addresses but also
using dynamic packet filtering based on the connection status.
Simplex operation
Simplex operation is a performance feature. Simplex operations are
used to take a call automatically and switch the speaker function on.
If the called party lifts the receiver, a normal voice connection is established.
Single phone number (VoIP)
Single phone number access is a VoIP connection that is also
known as a point-to-multipoint connection. It is used to connect VoIP
terminals. Multiple subscriber numbers (MSNs) are provided. See
also Direct dial-in (VoIP)
SIP
The Session Initiation Protocol is a network protocol for setting up a
communication session between two or more subscribers. The protocol is used for IP telephony (VoIP).
SIP provider
A SIP provider does the switching between a SIP connection and
other analogue, ISDN and VoIP connections.
SMTP
The Simple Mail Transfer Protocol (SMTP) is used to exchange
emails.
SNMP
The Simple Network Management Protocol (SNMP) is used to configure, control and monitor different network components (e. g.
routers, servers, etc.) from a single, central system. The network
component settings that can be changed are stored in a database –
the Management Information Base (MIB). SNMP uses UDP. The
network component receives requests to port 161 while the managing system receives confirmation messages (TRAPs) at port 162.
SNTP
The Simple Network Time Protocol (SNTP) is used to transmit the
time and to synchronise the server and client.
Softkey
A softkey refers to a key whose function is determined by the associated screen display.
Spatial streams
Spatial streams are data streams that are sent out at the same time
on the same frequency in the wireless LAN. The transmission rate is
multiplied as a result.
SPD
All the parameters that are set while configuring IPSec are stored in
the router in the form of databases. These are the Security Policy
Database (SPD) and the Security Association Database (SAD). The
Security Policy Database lists the forms of data traffic that are to be
secured. Factors such as the source and destination address of the
data packet are used to do this.
Speaker function
With the speaker function, the people present in the room can listen
in to the telephone call.
Speed dial number
A speed dial index (000...999) is assigned to every number in the
phone book. This speed dial index can be used to dial instead of the
long phone number.
Splitter
A broadband access unit, commonly known as a splitter, is used to
split signals that come via a subscriber loop into data and telephone
lines.
SRTP
The Secure Real-Time Transport Protocol (SRTP) is the variant of
the Real-Time Transport Protocol (RTP) that is encrypted using
AES.
SSH
Secure Shell (SSH) is a network protocol that can be used to establish an encrypted connection to a device's shell.
SSID
The Service Set Identifier (SSID) defines a wireless network that is
based on IEEE 802.11. The SSID is the network name of the wireless LAN. All the access points and clients that belong to the same
network use the same SSID. The SSID string can be up to 32 characters long and is placed, unencrypted, in front of all packets. A client uses SSID ANY to contact all the accessible access points. The
user is then shown all the available WLANs and he can select the
appropriate network. If an access point is used for different networks, each wireless network is given a separate MSSID (Multi Service Set Identifier).
SSL
Secure Sockets Layer (SSL) is a protocol for data encryption. Since
version 3.1, the new term Transport Layer Security (TLS) has been
used. SSL is mainly used for HTTPS to encrypt the data transmission between web server and web browser.
STAC
STAC is used to reduce the data volume transmitted (data compression).
Static IP Address
In contrast to a dynamic IP address, the static IP address is assigned permanently by the user. Network components such as the
web server or printer usually have static IP addresses, while clients
such as notebooks or workstations usually have dynamic IP addresses.
Station guarding
When station guarding is enabled, acoustic call signalling is
switched off. This function is also known as Do not disturb.
STUN Server
Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (NATs). A STUN server enables VoIP
devices behind an active NAT to access the network.
Sub-addressing
As well as the ISDN telephone number, a sub-address can also be
sent when establishing the connection. This sub-address can transmit any additional information. It can be used, e. g., to systematically
address multiple ISDN terminals that can be reached under one
telephone number, or to open particular programs on a PC.
Subnet
A sub-network in an IP network is known as a subnet. A subnet is
defined like a normal network, via an IP address and (sub-)netmask
(IPv4) and prefix length (IPv6). Example: 192.168.1.250/24
(192.168.1.250/255.255.255.0, 256 possible IP addresses) is a subnet of 192.168.1.250/16 (192.168.1.250/255.255.0.0, 65536 possible IP addresses).
Suppress telephone number
See Display caller number (CLIP / CLIR) and Display called party
number (COLP / COLR).
Switch
A switch is a network component that connects individual network
segments to one another. On the one hand, a switch can be operated as a bridge to the data link layer in the OSI model. Unlike the
bridge, however, a switch has more than one input and output. On
the other hand, the switch can be operated as a gateway to the network layer in the OSI model. The device comparable to the switch in
the physical layer is known as the hub.
Switch contact
A telephone can be used to switch a device connected to the switch
contact, e. g. a door opener, on and off.
SWYX
SwyxWare is a software-based communication solution for VoIP.
Syslog
The syslog protocol is used to transmit status messages in an IP
network. In this way, different network components can be monitored from a single, central system. Syslog messages are sent as
unencrypted text messages over the UDP port 514.
System telephone
A system telephone has multiple function and special keys and can
use the performance features of a PBX.
T.38
T.38 or Fax over IP (FoIP) refers to fax transmission via an IP network.
TA
See Terminal adapter
TACACS+
The Terminal Access Controller Access Control System Plus
(TACACS+) is a client-server protocol for authenticating, authorising
and accounting for users. The TACACS+ server authenticates the
client by checking, e. g., the username and password. In contrast to
the UDP-based RADIUS protocol, TACACS+ uses TCP on port 49
and transmits the entire communication encrypted.
TAPI
The Telephony Applications Programming Interface (TAPI) is a programming interface for ISDN. It enables application programs to access ISDN hardware from a PC. See also CAPI.
TCP
The Transmission Control Protocol (TCP) is a connection-oriented
protocol. It works on the transport layer of the OSI model. With a
connection-oriented protocol, a logical connection is established before transmission and maintained. This enables data to be transmitted reliably. Nonetheless, control information is constantly being
sent alongside the actual data packets. This causes the data volume
sent to increase. See also UDP.
TCP-ACK packet
An ACK (acknowledgement) signal is used when transmitting data
to confirm the receipt or the processing of data or commands. TCP
uses ACK signals for communication.
TCU
See Network termination. A distinction is drawn between F-coded
connectors for telephones and N-coded connectors for fax machines, modems and answering machines.
TE
Terminal equipment (TE) refers to a connection or operating type.
The TE connector is a terminal's connector. In TE operation, the
gateway is connected to the PABX's internal S0 and thus constitutes
an ISDN terminal. See also NT.
TEI
Under ISDN protocol DSS1, the Terminal Endpoint Identifier (TEI) is
an identifier for terminals.
Telefax
See Fax.
Telnet
Telecommunication Network (Telnet) is a network protocol. It enables communication with another, remote device in the network, e.
g. PCs, routers, etc.
Terminal adapter
A terminal adapter (TA) can be used to connect terminals to an interface on which they cannot be operated directly, e. g. analogue
terminals to an ISDN connection.
TFTP
The Trivial File Transfer Protocol (TFTP) regulates the transmission
of files. Compared with FTP, there is no option to display data, issue
permissions or authenticate users.
Three-party conference
The three-party conference is a performance feature. Three subscribers can speak to one another on the phone simultaneously.
Tiger 192
Tiger 192 is a hash function that generates a 192 bit hash value
(checksum). See also Hash.
Time service
The Time protocol is used to synchronise the date and time. The
protocol uses port 37 via TCP and UDP.
Time slot
A time slot is a period of time which is permanently assigned within
a transmission frame, and is usually equivalent to one transmission
channel.
TLS
See SSL.
Tone dialling
See Multifrequency code dialling method.
TOS
Type of Service (TOS) is a field in the header of IP data packets. It
specifies the priority of the data packet. See also QoS.
Traceroute
Traceroute is used to determine which routers will be used to route
data packets to the queried destination host.
Trigger
This refers to a trigger impulse.
Triple DES
See DES.
Trunk
A trunk consists of bundled connections or transmission channels.
See also Bundle.
TTL
The Time to live (TTL) is the configured period of validity of a data
packet. With the Internet Protocol (IP), TTL specifies how many
hops a data packet may pass. The maximum value is 255 hops. The
TTL is reduced by 1 with each hop. If a data packet has not yet
reached its destination when its TTL expires, it is discarded.
Twofish
Twofish is an encryption method (see Cipher). Twofish uses a fixed
block length of 128 bits. The key length is 128, 192 or 256 bits.
U-ADSL
Universal Asymmetric Digital Subscriber Line (U-ADSL) is a DSL
variant. It was developed as ANSI T1.413 and standardised as
G.992.2. U-ADSL enables different communication technologies to
be used in parallel, e. g. ISDN and POTS, and does not require a
splitter.
UDP
The User Datagram Protocol (UDP) is a connectionless protocol. It
works on the transport layer of the OSI model. With a connectionless protocol, no control is integrated for delivering the packet. The
control must take place in the application layer. Conversely, UDP is
faster than connection-oriented protocols.
ULA
Unique Local Addresses (ULA) are IPv6 addresses that are not
routed. They can be used in private networks (e. g. a LAN). ULAs
begin with the prefix fd.
UMTS
The Universal Mobile Telecommunications System (UMTS), also
known as 3G, is a mobile communications standard with a specified
max. data transmission rate of 384 kbit/s and 21 Mbit/s in association with HSPA+.
Unicast
With Unicast, data packets are transmitted from a sender to a single
recipient.
UP0
The UP0 connection is an interface for the ISDN Basic Rate Interface, and links one ISDN terminal to the NTBA. The connection is
implemented via a two-wire circuit, and offers a greater range than
the S0 bus.
UPnP
Universal Plug and Play (UPnP) is used to control devices (audio
devices, routers, printers, etc.) from any manufacturer via an IP-based network.
Upstream
The gateway forwards the data from its own network.
URL
A Uniform Resource Locator (URL) identifies a file's storage location. Example: http://www.example.org/index.htp (Internet website)
UUS
With User to User Signalling (UUS), text messages can be exchanged with other subscribers.
V.110
V.110 describes a method of aligning bitstreams with 0.6, 1.2, 2.4,
2.8, 7.2, 9.6, 12, 14.4, 19.2 and 38.4 kbit/s with the ISDN bitstream
of 64 kbit/s.
VDSL
Very High Speed Digital Subscriber Line. See DSL.
VID
See VLAN.
VLAN
A network can be divided into one or more logical sub-networks, so-called Virtual Local Area Networks (VLANs), in that the network components no longer forward the data packets of a defined sub-network to other sub-networks. Each VLAN is assigned a unique number. This number is called a VLAN ID (VID) and is assigned to the data packets in the VLAN tag.
Voice mailbox
A voice mailbox is a user's personal answering machine in a voicemail system.
Voicemail system
A voicemail system enables voice messages to be stored, accessed
and forwarded, like an answering machine, but with more options.
VoIP
Voice over IP (VoIP), also known as IP telephony, refers to the
transmitting of voice via an IP network. The telephone is connected
and disconnected using signalling protocols, e. g. SIP.
VPN
A virtual private network (VPN) is used to transport private data
packets through a public network. The data is separated from the
publicly accessible data by being encapsulated in new protocols so
that they can be routed to the intended recipient. In this context, one
also refers to a tunnel that is established between the private networks of the two connected parties. VPN protocols are IPSec,
PPTP, L2TP and GRE.
VSS
The Virtual Service Set (VSS) refers to a prefix for wireless LAN interfaces.
Walled garden
In the context of hotspots, a walled garden refers to the area of the
website which is available to users free of charge and without logging in.
WAN
A Wide Area Network (WAN) refers to a network that is spread over
a large geographic area. Global WAN networks provide access to
the Internet.
WDS
The Wireless Distribution System (WDS) is used to establish a wireless connection between access points.
Web server
A web server provides HTML documents (web pages).
WEP
Wired Equivalent Privacy (WEP) is an encryption protocol for
WLANs. The key length is 40 or 104 bits.
WINS
The Windows Internet Name Service (WINS) is a translation of the
NetBIOS over TCP/IP network protocol by Microsoft. Like DNS,
WINS is used for centralised name resolution. See also DNS.
WLAN
Wireless Local Area Network (Wireless LAN, WLAN) refers to a local wireless network based on the 802.11 standard.
WMM
Wi-Fi Multimedia (WMM) prioritises the data packets from different
applications, thus improving the transmission of voice, music and
video data in WLAN networks. To do this, WMM provides quality-of-service features (QoS) for IEEE 802.11-based networks.
WPA
Wi-Fi Protected Access (WPA) is an encryption protocol for WLANs.
WPA uses dynamic keys that are based on the Temporal Key Integrity Protocol (TKIP).
WPA 2
Wi-Fi Protected Access (WPA) is an encryption protocol for WLANs.
WPA 2 uses AES.
WPA Enterprise
With WPA 1 / 2, WPA Enterprise enables subscribers to be authenticated using the Extensible Authentication Protocol (EAP). After
successful authentication, the server transfers a shared key to the
client and the access point for data transfer in the WLAN.
WPA-PSK
With WPA 1 / 2, WPA-PSK enables subscribers to be authenticated
using pre-shared keys. The access point and the client use the
same string for the key calculation in the WLAN. This string needs to
be configured by the users.
X.25
X.25 is a standardised series of protocols for wide area networks
(WANs) via the telephone network.
X.31
The X.31 standard describes the connecting of ISDN and X.25 systems. It is a standard for connecting card terminals.
X.500
The X.500 standard describes the setting up of a directory service. See also LDAP.
X.509
The X.509 standard describes the generating of certificates for a
public key infrastructure (PKI).
X.75
X.75 is a standardised series of protocols for ISDN networks with a
transmission rate of 64 kbit/s.
XAuth
XAUTH (Extended Authentication) is used to add further authentication mechanisms to IKE. After a successful phase 1 authentication,
the user can be separately identified again. The identifying is done
using the username and password, PAP, CHAP or hardware-based
systems.
Zone
A zone refers to a phone number or numbers that begin with the
same sequence.
Index
2,4 GHz band basic rates (Mbit/s) 132
2,4 GHz band rate profile 132
2,4 GHz band supported rates (Mbit/s)
132
5 GHz band basic rates (Mbit/s) 132
5 GHz band rate profile 132
5 GHz band supported rates (Mbit/s)
132
Accept Client FQDN 352
Accept Router Advertisement 93 ,
204 , 216
Access 353
Access Control 130
Access Filter 190
Access Level 68
Action 155 , 190 , 280 , 282 , 361 ,
392
Action to be performed 377
Active Radio Profile 117
Additional freely accessible Domain
Names 384
Additional IPv4 Traffic Filter 241 , 243
Address / Prefix 287
Address / Subnet 287
Address assignment 349
Address Mode 93 , 225
Address Range 287
Address Type 287
Addresses 309
Admin Status 167
Administrative FQDNs 352
Administrative Status 237 , 301 , 316
, 318 , 327
Advertise 96
Airtime fairness 120
Alert Service 407
Alive Check 63 , 257 , 262
All Multicast Groups 199
Allowed Addresses 130
Allowed HotSpot Client 386
Always on 201 , 209 , 214
APN 341
ARP Processing 125
Assigned Wireless Network (VSS)
117
Associated Line 321
ATM Interface 223
ATM PVC 214
ATM Service Category 227
Authentication 207 , 212 , 219
Authentication ID 296 , 301
Authentication Method 237 , 252
Authentication Type 61
Auto Subnet Configuration 96 , 206 ,
218
Autonomous Flag 98
Autosave Mode 75 , 361
Bandwidth 120
Based on Ethernet Interface 92
Beacon Period 123
Billing Number 305
Blacklist blocktime 130
Block after connection failure for 207 ,
212 , 219
Block Time 257
Burst size 182
CA Certificate 72
CA Certificates 257
CA Name 361
Called Address 301 , 316 , 319
Called Address Translation 318
Called Line 319
Calling Address 316
Calling Address Translation 319
Calling Line 316 , 319
CAPWAP Encryption 117
Certificate is CA Certificate 70
Certificate Request Description 72 ,
361
Certificate Revocation List (CRL)
Checking 70
Channel 117
Channel Plan 123
Class ID 176 , 182
Class map 176
Client Band select 129
Client Type 226
Code 289
Codec Proposal Sequence 299 , 307
Comfort Noise Generation (CNG) 300
, 308
Command Mode 361
Command Type 361
Common Name 74
Compare Condition 356
Compare Value 356
Config Mode 239
Configuration contains certificates/keys
361
Congestion Avoidance (RED) 184
Connected clients 134
Connection Idle Timeout 201 , 209 ,
214
Connection State 172 , 187 , 388
Consider 163
Continuity Check (CC) End-to-End
231
Continuity Check (CC) Segment 231
Control Mode 179 , 233
COS Filter (802.1p/Layer 2) 172 , 187
, 388
Count 361
Country 74
Create Default Route 99
Create NAT Policy 203 , 210 , 215
CSV File Format 361
Custom 74
Custom DHCP Options 341
Cyclic Background Scanning 120
D Channel Mode 250
Default Ethernet for PPPoE Interfaces
225
Default Idle Timeout 386
Default Route 203 , 210 , 215 , 239
Default User Password 61
Description 66 , 70 , 78 , 117 , 119 ,
144 , 147 , 154 , 167 , 172 , 176 ,
182 , 187 , 190 , 201 , 209 , 214 ,
223 , 237 , 243 , 252 , 259 , 264 ,
285 , 286 , 287 , 288 , 289 , 291 ,
296 , 301 , 309 , 312 , 316 , 319 ,
321 , 327 , 338 , 343 , 356 , 361 ,
388 , 392
Destination 280 , 282
Destination Address / Length 147
Destination Interface 147 , 199
Destination IP Address 356 , 361 ,
379
Destination IP Address/Netmask 143
, 155 , 167 , 243
Destination IPv4 Address/Netmask
172 , 187 , 388
Destination IPv6 Address/Length 172
, 187 , 388
Destination Port 144 , 243
Destination Port Range 289
Destination Port/Range 155 , 167 ,
172 , 187 , 388
Device 117
DH Group 252
DHCP Broadcast Flag 99
DHCP Client 93 , 204 , 216
DHCP Hostname 99 , 225
DHCP MAC Address 99 , 225
DHCP Mode 100
DHCP Options 339
DHCP Server 93 , 111
Direction 176 , 321
Distribution Mode 163
Distribution Policy 163 , 164
Distribution Ratio 164
DNS domains search list 350
DNS Hostname 329
DNS Negotiation 207 , 212 , 219
DNS Propagation 100
DNS Server 221 , 265 , 337 , 350
Domain 330
Domain at the HotSpot Server 384
Downstream Bandwidth Limitation
309
Dropping Algorithm 184
DSCP / TOS Value 144
DSCP Settings for rtp Traffic 311
DSCP/Traffic Class Filter (Layer 3)
172 , 187 , 388
DTIM Period 123
DUID 352
Dynamic blacklisting 130
E-mail 74
EAP Preauthentification 127
Echo Cancellation 300 , 308
Enable update 334
Encapsulation 223
Encrypt configuration 361
Encryption Method 179
End-to-End Pending Requests 230
End-to-End Send Interval 230
Entry active 61
Event 407
Event List 356 , 361
Event List Condition 361
Event Type 356
Expire Time 296 , 301
Extension / User Name 296
External Address 321
External Filename 76 , 77
Facility 404
Failed attempts per Time 130
File Encoding 76 , 77
File Name 361
File Name in Flash 361
Filter 176
Force certificate to be trusted 70
Forward 330
Forward to 330
Fragmentation Threshold 123
From Interface 151
Frozen Parameters 169
Function Button Status 356
Gateway 339
Gateway Address 147
Gateway IP Address 143
General Prefix 96 , 206 , 218
General Prefix active 151
Generate Private Key 72
Generation Mode 97 , 207 , 219
Grace time 133
Group Description 61 , 163 , 164
Group ID 376
High Priority Class 176
Host 330
Host Name 334
IGMP Proxy 197
IGMP Snooping 125
IGMP State Limit 196
Incoming Phone Number 250
Index Variables 356 , 361
Interface 51 , 52 , 54 , 141 , 154 , 164
, 179 , 192 , 196 , 233 , 327 , 330 ,
334 , 338 , 349 , 361 , 378 , 384 ,
393
Interface Action 378
Interface Mode 92 , 327
Interface Status 356
Interface Traffic Condition 356
Interface Type 296
Interfaces 176 , 309
Internet Key Exchange 237
Interval 356 , 361 , 377 , 379
Intra-cell Repeating 125
IP Address 225 , 226 , 343 , 404 , 412
IP Address / Netmask 93
IP Address Assignment 239
IP Address Mode 203 , 210 , 215
IP Address Range 111 , 221 , 265 ,
337
IP Address/Netmask 111
IP Assignment Pool 239
IP Compression 262
IP Pool Name 221 , 265 , 337 , 338
IP Version 288 , 327
IP Version of the tunneled Networks
237
IPv4 287
IPv4 Address 329
IPv4 Back Route Verify 246
IPv4 Proxy ARP 246
IPv6 93 , 204 , 216 , 287
IPv6 Address 329
IPv6 Addresses 93
IPv6 Mode 93 , 204 , 216
ISDN Mode 312
Key Size 361
Language for login window 384
Last Member Query Interval 196
Layer 4 Protocol 144
LCP Alive Check 207 , 212 , 219
LDAP URL Path 78
Lease Time 339
Level 404
Level No. 66
Licence Key 48
Licence Serial Number 48
Lifetime 252 , 259
Line 318
Link Prefix 96 , 206 , 218
Local Address 321
Local Certificate 252
Local Certificate Description 76 , 77 ,
361
Local File Name 361
Local ID 237
Local ID Type 237 , 252
Local ID Value 252
Local IP Address 143 , 203 , 210 ,
215 , 239
Local IPv6 Network 241
Local PPTP IP Address 212
Local WLAN SSID 361
Locality 74
Location 117 , 301
Login Frameset 386
Long Retry Limit 123
Loopback End-to-End 230
Loopback Segment 230
MAC Address 92 , 225 , 343
Mail Exchanger (MX) 335
Matching String 407
Max. number of clients - hard limit
129
Max. number of clients - soft limit 129
Max. queue size 184
Max. Transmission Rate 123
Maximum Burst Size (MBS) 227
Maximum Downstream Bandwidth
309
Maximum Number of Dialup Retries
207 , 212 , 219
Maximum Response Time 196
Maximum Upload Speed 179 , 182 ,
233
Maximum Upstream Bandwidth 309
Members 285 , 286 , 291 , 312
Menus 67
Message Compression 407
Message Timeout 407
Metric 143 , 147 , 239
MIB Variables 361
MIB/SNMP Variable to add/edit 361
Min. queue size 184
MobIKE 246
Mode 72 , 144 , 196 , 250 , 252 , 264
Monitored Certificate 356
Monitored Interface 356 , 378
Monitored IP Address 377
Monitored Subsystems 407
Monitored Variable 356
MTU 209
Multicast Group Address 199
Name 117 , 151 , 264 , 349
NAT method 154
NAT Traversal 257
Netmask 225 , 226
Network Name (SSID) 125
New Destination IP Address/Netmask
158
New Destination Port 158
New Source IP Address/Netmask 158
New Source Port 158
Number of Admitted Connections 244
Number of Messages 407
Number of Spatial Streams 120
OAM Flow Level 230
On Link Flag 98
Operation Band 119
Operation Mode 117 , 119
Organization 74
Organizational Unit 74
Original Destination IP Address/Netmask 155
Original Destination Port/Range 155
Original Source IP Address/Netmask
155
Original Source Port/Range 155
Outbound Interface 182
Outbound Proxy 301
Outgoing Phone Number 250
Overbooking allowed 182
Overwrite similar certificate 361
Packet Size 300 , 308
Parent Location 309
Password 68 , 72 , 76 , 77 , 201 , 209
, 214 , 264 , 296 , 301 , 334 , 353 ,
361 , 392
Password for protected Certificate
361
Peak Cell Rate (PCR) 227
Peer Address 237
Peer ID 237
Phase-1 Profile 244
Phase-2 Profile 244
PIN 341
Policy 63
Pool Usage 338
Pop-Up window for status indication
386
Port 296 , 336
Post Login URL 384
PPPoE Ethernet Interface 201
PPPoE Interfaces for Multilink 201
PPPoE Mode 201
PPTP Address Mode 212
PPTP Ethernet Interface 209
Preferred Lifetime 98
Preshared Key 127 , 237
Primary DNS Server DNS-Server
(IPv4/IPv6) 330
Primary IPv4 DNS Server 327
Primary IPv6 DNS Server 327
Prioritisation Algorithm 179
Prioritize TCP ACK Packets 207 , 212
, 219 , 226
Priority 61 , 182 , 318 , 327
Priority Queueing 182
Propagate PMTU 262
Proposals 252 , 259
Protocol 155 , 167 , 172 , 187 , 243 ,
289 , 296 , 301 , 336 , 361 , 388 ,
404
Protocol Header Size below Layer 3
179
Provider 223 , 334
Provider Name 336
Provisioning Server 341
Proxy ARP 99
Proxy Interface 197
Public Interface 246
Public Interface Mode 246
Public Source IPv4 Address 246
Public Source IPv6 Address 246
Query Interval 196
Queues/Policies 179
RA Encrypt Certificate 72
RA Sign Certificate 72
RADIUS Dialout 63
RADIUS Secret 61
Radius Server 127
RADIUS Server Group ID 264
Real Time Jitter Control 179
Realm 301
Reboot after execution 361
Reboot device after 361
Recipient 407
Registrar 301
Registration 296 , 301
Remaining Validity 356
Remote File Name 361
Remote IPv6 Network 241
Remote PPTP IP Address 212
Reporting Method 192
Response 329
Retries 63
Robustness 196
Role 264
Route Active 147
Route Class 141
Route Entries 203 , 210 , 215 , 239
Route Selector 165
Route Type 141 , 147
Router Lifetime 100
Router Preference 100
RSSI threshold 133
RTS Threshold 123
RTT Mode (Realtime Traffic Mode)
182
Rule Chain 190 , 192 , 393
Rx Shaping 131
Save configuration 66
SCEP URL 72
Secondary DNS Server (IPv4/IPv6)
330
Secondary IPv4 DNS Server 327
Secondary IPv6 DNS Server 327
Security Mode 127
Security Policy 93 , 93 , 203 , 204 ,
210 , 215 , 216 , 239 , 241
Segment Pending Requests 230
Segment Send Interval 230
Select analogue interface 296
Select ISDN interface 296
Select radio 361
Select vendor 341 , 341
Selection 288
Send WOL packet over Interface 392
Server 336
Server Address 361
Server IP Address 61
Server Timeout 63
Server URL 361
Service 155 , 167 , 172 , 187 , 280 ,
282 , 388
Set COS value (802.1p/Layer 2) 176
Set DSCP/Traffic Class Filter (Layer 3)
176
Set interface status 361
Set status 361
Setup Mode 96 , 206 , 218
Severity 407
Short Guard Interval 123
Short Retry Limit 123
Silent Deny 192
SIP Endpoint IP Address 296 , 301
SIP Header Field: FROM Display 305
SIP Header Field: FROM User 305
SIP Header Field: P-Asserted 305
SIP Header Field: P-Preferred 305
SNTP Server 350
Sort Order 299 , 307
Source 280 , 282
Source Address / Length 147
Source Interface 144 , 167 , 199
Source IP Address 356 , 361 , 377 ,
379
Source IP Address/Netmask 144 ,
155 , 167 , 243
Source IPv4 Address/Netmask 172 ,
187 , 388
Source IPv6 Address/Length 172 ,
187 , 388
Source Location 361
Source Port 144 , 243
Source Port Range 289
Source Port/Range 155 , 167 , 172 ,
187 , 388
Special Handling Timer 167
Start Mode 244
Start Time 360
State/Province 74
Static Addresses 97 , 207 , 219
Static Interface Identifier 352
Status 356
Stop Time 360
Subject 407
Subject Name 361
Subnet ID 96 , 206 , 218
Subscribe Number 305
Successful Trials 377
Summary 74
Sustained Cell Rate (SCR) 227
Switch to SNMP Browser 66
Target MAC-Address 392
TCP-MSS Clamping 99
Terms &Conditions 384
Throughput 134
Throughput/client 134
Ticket Type 386
Time Condition 360
Timestamp 404
Tracking IP Address 165
Traffic Direction 356
Traffic shaping 179 , 182
Transfer Mode 250
Transfer own IP address over ISDN/
GSM 250
Transferred Traffic 356
Transmit Key 127
Transmit Power 117
Transparent MAC Address 52
Trials 356 , 379
Trigger 378
Trigger Status 361
Trunk Mode 301
Tx Shaping 131
Type 151 , 172 , 187 , 223 , 289 , 309
, 316 , 388 , 392
Type of Messages 404
Type of traffic 154
U-APSD 125
UDP Port 63
Unsuccessful Trials 377
Update Interval 336
Update Path 336
Upstream Bandwidth Limitation 309
URL SCEP Server URL 361
Use CRL 361
Use PFS Group 259
Used Channel 117
Used Prefix / Length 151
User 68
User Defined Channel Plan 123
User must change password 68
User Name 201 , 209 , 214 , 301 ,
334 , 353
Users 264
Valid Lifetime 98
Vendor Description 341 , 341
Vendor ID 341 , 341
Vendor Mode 61
Vendor Option String 341
Vendor Specific Information (DHCP Option 43) 339
Version Check 361
Virtual Channel Connection (VCC)
227 , 230
Virtual Channel Identifier (VCI) 223
Virtual Path Connection (VPC) 230
Virtual Path Identifier (VPI) 223
VLAN 131 , 201
VLAN ID 92 , 111 , 131 , 201
VLAN Identifier 103
VLAN Members 103
VLAN Name 103
Wake-On-LAN Filter 392
Wake-On-LAN Rule Chain 392
Walled Garden 384
Walled Garden URL 384
Weight 182
Wildcard 335
Wildcard MAC Address 52
Wildcard Mode 52
Wireless Mode 120
WLC SSID 361
WMM 125
WPA Cipher 127
WPA Mode 127
WPA2 Cipher 127
Write certificate in configuration 361
XAUTH Profile 244
ACCESS_ACCEPT 60
ACCESS_REJECT 60
ACCESS_REQUEST 60
ACCOUNTING_START 60
ACCOUNTING_STOP 60
Action 139 , 399 , 414 , 418
ADSL Logic 399
Alert Service 409
Alive Check 415
Answer to client request 381
AP discovered 133
AP managed 133
AP offline 133
As DHCP Server 326
As IPCP Server 326
Attacked Access Point 137
Authentication for PPP Dialin 65
Authentication Method 415
Autosave Configuration 38
Back Route Verify 150
BOSS 399
Bytes 415
Cache Hitrate (%) 332
Cache Hits 332
Cache Size 325
CAPI Server TCP Port 354
Channel 417
Charge 417 , 418
Class 395
Cloud NetManager address 38
Cloud NetManager communication 38
Compression 57
Configuration Encryption 399
Configuration Interface 51
Confirm Admin Password 41
Connected clients/VSS 133
Contact 38
CPU usage [%] 133
Current File Name in Flash 399
Current Local Time 43
Date 414
Default Behavior 309
Default Drop Extension 312
Delete 137 , 148
Delete complete IPSec configuration
266
Delete the complete WLAN Controller
configuration 112
Description 414 , 415 , 418 , 419
Destination File Name 399
Destination IP Address 148
Details 414
DHCP Server 112
Dial Latency 312
Direction 417 , 418
DNS domains search list 350
DNS Requests 332
DNS Server 351
Domain Name 325
Done 139
Drop non-members 103
Drop untagged frames 103
Dropped 416 , 421
DSA Key Status 56
Duration 417 , 418
Dynamic RADIUS Authentication 267
ED25519 Key Status 56
Enable IPSec 266
Enable server 354
Enable VLAN 104
Encrypted 416
Encryption Algorithms 55
Error 139
Errors 415 , 416
Expires 395
Extended Route 148
Factory Reset Firewall 285
Fallback interface to get DNS server
325
Faxheader 354
Filename 399
First seen 137
First Timeserver 44
Forwarded Requests 332
Gateway 148
Hashing Algorithms 55
Host for multiple locations 387
HTTPS TCP Port 333
IGMP State Limit 198
IGMP Status 198
Ignore Certificate Request Payloads
268
IKE (Phase-1) 416
IKE (Phase-1) SAs 415
Image already exists. 139
Include certificates and keys 399
Interface 103 , 112 , 148 , 149 , 150 ,
381 , 417 , 418 , 420 , 421
Interface Description 51
Interface is UPnP controlled 381
Interface Selection 394
Internal Time Server 44
Invalid DNS Packets 332
IP Address 420
IP Address / Netmask 419
IP Address Range 112
IPSec (Phase-2) 416
IPSec (Phase-2) SAs 415
IPSec Debug Level 266
IPSec over TCP 267
IPSec Tunnels 416
IPv4 Firewall Status 283
IPv4 Full Filtering 283
ISDN Timeserver 44
Last seen 137
LED mode 38
Level 414
Local Address 419
Local Certificate 333
Local ID 415
Local IP Address 415
Local Port 415 , 419
Location 38
Log Format 406
Log out immediately 395
Logged Actions 283
Logging Level 57
Login Grace Time 57
Logon 420
Loopback active 153
MAC Address 419 , 420
Manual WLAN Controller IP Address
38
Maximum E-mails per Minute 409
Maximum Groups 198
Maximum Message Level of Syslog
Entries 38
Maximum Number of Accounting Log
Entries 38
Maximum number of concurrent connections 55
Maximum Number of Syslog Entries
38
Maximum Sources 198
Maximum TTL for Negative Cache
Entries 325
Maximum TTL for Positive Cache
Entries 325
Media Gateway Status 312
Media Stream Termination 312
Memory usage [%] 133
Message 414
Messages 415
Metric 148 , 149
Mode 150 , 198
Mode / Bridge Group 51
MTU 415
Multicast Routing 195
NAT 419
NAT active 153
NAT Detection 415
Negative Cache 325
Negotiation Type 415
Netmask 148
Network Name (SSID) 137
New File Name 399
No. 150 , 414 , 418
Other Inactivity 284
Packets 415
Passed 416
Password 409
Physical Address 420
POP3 Server 409
POP3 Timeout 409
Port 153 , 420
Port STUN server 283
Positive Cache 325
Power Off Timeout 41
PPTP Inactivity 284
PPTP Passthrough 153
Primary DHCP Server 343
Protocol 148 , 149
PVID 103
QoS Queue 421
Queued 421
Received DNS Packets 332
Region 112
Remote Address 419
Remote ID 415
Remote IP 414
Remote IP Address 395 , 415
Remote Networks 414
Remote Number 417 , 418
Remote Port 415 , 419
Restore Default Settings 54
Rogue Client MAC Address 137
Route 149
Route Type 148
RSA Key Status 56
Running 139
Rx Bytes 418 , 419
Rx Errors 418
Rx Packets 418 , 419
Schedule Interval 372
Second Timeserver 44
Secondary DHCP Server 343
Security Algorithm 414
Select file 399
Send 421
Send Certificate Chains 268
Send Certificate Request Payloads
268
Send CRLs 268
Send Initial Contact Message 267
Send Key Hash Payloads 268
Sender E-mail Address 409
Server Failures 332
Server preference 351
Service 417 , 418
Session Border Controller Mode 312
Set Date 43
Set Time 43
Show Manufacturer Names 38
Show passwords and keys in clear text
42
Signal 135
Signal dBm 137
Silent Deny 153
Slave AP LED mode 112
Slave AP location 112
SMS Device 410
SMTP Authentication 409
SMTP Port 409
SMTP Server 409
SNMP Listen UDP Port 58
SNMP multicast discovery 58
SNMP Read Community 42
SNMP Trap Broadcasting 411
SNMP Trap Community 411
SNMP Trap UDP Port 411
SNMP Version 58
SNMP Write Community 42
SNTP Server 351
Source File Name 399
Source Location 139 , 399
Speed Dialing 314
SSH Port 55
SSH service active 55
SSID 137
Stack 417
Start Time 418
Static Blacklist 137
Status 112 , 414 , 416 , 417 , 418 ,
419
STUN Handler 283
Subsystem 414
Successfully Answered Queries 332
Sync SAs with ISP interface state 267
System Admin Password 41
System Logic 399
System Name 38
TCP Inactivity 284
TCP Keepalives 57
Test Ping Address 396
Test Ping Mode 396
Third Timeserver 44
Throughput 135
Time 414
Time Update Interval 44 , 46
Time Update Policy 44
Time Zone 43
Total 416
Trace Mode 394
Traceroute Address 397
Traceroute Mode 397
Tx Bytes 418 , 419
Tx Errors 418
Tx Packets 418 , 419
Type 418
Type of attack 137
UDP Inactivity 284
Unchanged for 418
UPnP Status 382
UPnP TCP Port 382
URL 139 , 399
Use Interface 396
Use Zero Cookies 267
User 395
User Name 409 , 420
WINS Server 325
WLAN Controller: VSS throughput
133
Zero Cookie Size 267
Certificate Request 71
Logout Options 395
Overview 134
Access Type 37
Active IPSec Tunnels 37
Active Sessions (SIF, RTP, etc... )
BOSS Version 37
CPU Usage 37
Description 37
ISDN Usage Internal 37
Last configuration stored 37
Memory Usage 37
No. 37
Registrar 37
Serial Number 37
Status 37
System Date 37
Uptime 37
Access Filter 186
Access Profiles 65
Actions 361
Active Clients 135
Address List 286
Administration 104
Alert Recipient 407
Alert Settings 409
Cache 331
Call History 418
Call Routing 316
Call Translation 320
37
Certificate List 70
Certificate Servers 78
CLID Translation 319
Client Management 136
Controlled Interfaces 233
CRLs 77
Current Calls 417
Date and Time 42
DHCP Configuration 338
DHCP Relay Settings 343
DHCPv6 Global Options 350
DHCPv6 Server 349
DNS Servers 327
DNS Test 396
Domain Forwarding 330
Dynamic Hosts 331
DynDNS Provider 335
DynDNS Update 334
Extensions 296
Firmware Maintenance 138
General 112 , 381
General Prefix Configuration 151
Global Settings 324
Groups 285 , 287 , 290
Hosts 376
HotSpot Gateway 384
HTTP 53
HTTPS 53
HTTPS Server 333
Interface Assignment 191 , 393
Interfaces 50 , 90 , 378 , 381 , 405
IP Pool Configuration 337
IP Pools 221 , 265
IP/MAC Binding 342
IPSec Peers 236
IPSec Statistics 416
IPSec Tunnels 414
IPv4 Filter Rules 279
IPv4 Route Configuration 141
IPv4 Routing Table 148
IPv4/IPv6 Filter 172
IPv6 Route Configuration 146
IPv6 Routing Table 149
ISDN Login 53
ISDN Trunks 311
Load Balancing Groups 162
Log out Users 395
NAT Configuration 154
NAT Interfaces 153
Neighbor APs 136
Network Status 420
OAM Controlling 229
Options 64 , 150 , 198 , 266 , 283 ,
312 , 354 , 372 , 387 , 397 , 406
Passwords 41
Phase-1 Profiles 252
Phase-2 Profiles 259
Ping 53
Ping Generator 379
Ping Test 396
Port Configuration 103
PPPoA 214
PPPoE 201
PPTP 209
Profiles 223
QoS Classification 176
QoS Interfaces/Policies 178
Radio Profiles 119
RADIUS 59
Rogue APs 137
Rogue Clients 137
Rule Chains 190
Service Categories 227
Service List 288
SIP Accounts 301
Slave Access Points 116 , 134
SNMP 53 , 58
SNMP Trap Hosts 412
SNMP Trap Options 411
Special Session Handling 166
SSH 53 , 54
Stateful Clients 352
Static Hosts 329
Statistics 332 , 418
Syslog Servers 403
System 38
System Licences 46
System Messages 414
System Reboot 402
Telnet 53
Traceroute Test 396
Trigger 355
User 353
Users 68
VLANs 102
Wake-On-LAN Filter 388
Wireless Networks (VSS) 125 , 135
WLAN Controller 133
WOL Rules 391
XAUTH Profiles 263
Administrative Access 53
Internet + Dialup 200
Remote Authentication 59
Access Rules 185
Additional IPv4 Traffic Filter 235
Addresses 286
Alert Service 407
ATM 222
Bridges 420
CAPI Server 353
Certificates 69
Controller Configuration 112
DHCP Server 337
DHCPv6 Server 347
Diagnostics 396
DNS 323
DynDNS Client 333
Factory Reset 402
Forwarding 199
General 194
Global Settings 38
HotSpot Gateway 382 , 420
HTTPS 332
IGMP 195
Interface Mode / Bridge Groups 49
Interfaces 285 , 418
Internal Log 414
IP Accounting 405
IP Configuration 90
IPSec 235 , 414
IPv6 General Prefixes 151
ISDN/Modem 417
Load Balancing 162
Log out Users 395
Maintenance 138
Media Gateway 315
Monitoring 133
NAT 152
Neighbor Monitoring 136
Policies 278
QoS 172 , 421
Real Time Jitter Control 233
Reboot 402
Routes 141
Scheduling 355
Services 288
SIA 412
Slave AP configuration 116
SNMP 411
Software &Configuration 397
Surveillance 376
Syslog 403
Trace Interface 394
UPnP 380
VLAN 102
Wake-On-LAN 388
External Reporting 403
Maintenance 395
Monitoring 414
VoIP 296
Firewall 277
LAN 90
Wireless LAN Controller 105
DHCP-Client (Configuration example)
344
DHCP-Relay-Server (Configuration example) 344
DHCP-Server (Configuration
example) 344
NAT (Configuration example) 160
SIF (Configuration example) 291
#
#1#2, #3
A
75
Access via LAN 24
ADSL Line Profile 89
Assistants 35
Authentication key 271
Autoconfiguration on Bootup
82
B
Basic configuration 16
Basic settings in ex works state
Bearer Service 85
9
C
Configuration 24
Configuration Access 65
Configuration example - DHCP-Client
344
Configuration example - DHCP-Relay-Server 344
Configuration example DHCP-Server 344
Configuration example - Load
balancing 169
Configuration example - NAT 160
Configuration example - Scheduling
372
Configuration example - SIF 291
Configuration example - Time-controlled
Tasks 372
Configured Speed / Mode 80
Current Speed / Mode 80
D
Database Record TTL (in min.) 274
Default TTL in minutes of cached EID/
RLOC entry 275
Default Ttl Mode 275
Description 275
Description - Connection Information Link 38
Downstream 87
Drilling template 11
DSL Chipset 87
DSL Configuration 86
DSL Mode 88
DSL Modem 86
DSP Channels 37
Local Services
E
Map Resolver IP Address 272
Map Server IP Address 271
Map-Register time period (in sec.)
271 , 272
Map-Resolver IP Address 274
Maximum number of cached EID/RLOC
entries per ins 275
Maximum number of RLOC addresses
per cached EID 275
Maximum Upstream Bandwidth 88
Mode 82
MSN 85
MSN Recognition 85
MSN Configuration 84
Multicast 193
M
EID prefix (IP address) / Length 273
Ethernet Ports 79
Ethernet Interface Selection 80
Exclude EID prefix from tree 274
F
Flow Control 80
Function button 356
G
Gathering configuration data
323
17
H
N
HMAC truncation 271 , 272
HTTP/HTTPS 24
Netmask 17
Network setting 20
Networking 141
I
Instance-ID 273 , 275
Interface - Connection Information Link 38
Interface binding 274
Internal ISDN connection 11
IP address 17
ISDN Configuration 82
ISDN Configuration Type 82
ISDN Port 85
ISDN Ports 81
K
Key type (HMAC Algorithm)
L
LISP interface MTU 275
Load balancing (Configuration
example) 169
271
O
Open configuration interface 25
Operating elements 25
Operation Mode (Active) 361
Operation Mode (Inactive) 361
P
Physical Connection 87
Physical Interfaces 79
Pin Assignments 12
Port Configuration 80
Port Name 82
Port Usage 82
Preparations 16
Proxy-ETR-RLOC 275
R
Radio1 134
Reset 8
Reset button 11
Route Locator (RLOC) IP address
273
X.31 TEI Service 83
X.31 TEI Value 83
S
Scheduling (Configuration example)
372
Service 85
Setting up a PC 18
SNR Margin 88
Software updates 22
Status 36
Support 10
Switch Port 80
System Management 36
System requirements 16
Systemsoftware 16
T
Time-controlled Tasks (Configuration
example) 372
Transmit Shaping 88
U
Upstream 87
User access 21
V
VPN
235
W
Wall mounting 11
Walled Network / Netmask
WAN 200
WEP Key 1-4 127
Wizard for network setting
384
20
X
X.31 (X.25 in D Channel)
83