Description:

This document describes how the LANCOM Layer-2 Management protocol (LL2M) works under LCOS LX and how you can use it to configure LANCOM devices.


Requirements:


Use and operation of the LL2M protocol:

A basic pre-requisite for accessing the device configuration is an IP connection between the configuration computer and the device. No matter whether you use LANconfig, WEBconfig or SSH; it is impossible to send any configuration commands to the device without an IP connection. In the event of erroneous configuration of the TCP/IP settings or VLAN parameters, this IP connection may be impossible to establish.

The only option in this case is to access the device via the serial configuration interface (not available on all devices) or to reset the device to its factory settings.
However, both options require physical access to the device—this may not always be possible for the concealed installation of access points and can represent considerable overhead for larger-scale installations.

The LANCOM Layer-2 Management protocol (LL2M) provides access to the configuration of a device even without an IP connection. All this protocol requires is a connection on layer 2 (i.e. via Ethernet directly or via layer-2 switches) to establish a configuration session.

LL2M connections are supported on LAN or WLAN connections, but not via WAN. Connections via LL2M are encrypted and are resistant to replay attacks.

LL2M establishes a client-server structure for this purpose: The LL2M client sends requests or commands to the LL2M server, which then responds to the requests or runs the commands. The LL2M client is integrated into LCOS LX and is run from the command line.

The LL2M server is also integrated into LCOS LX. In the default configuration it is permanently activated after power-on.


Using the LL2M protocol:

1) Configuring the LL2M server by LANconfig:

LL2M is already activated in the default configuration, so usually no further adjustments are required at this point.

1.1) Open the configuration for the LANCOM device in LANconfig and switch to the menu item Management → Admin → LL2M settings.

1.2) Make sure the option Operating is set to Yes.


2) Configuring the LL2M server by WEBconfig:

LL2M is already activated in the default configuration, so usually no further adjustments are required at this point.

2.1) Open the configuration for the LANCOM device in WEBconfig and go to the menu item System configuration → LL2M configuration.

2.2) Make sure the option Operating is set to Yes.


3) Configuring the LL2M server by SSH client:

LL2M is already activated in the default configuration, so usually no further adjustments are required at this point.

The command ls /Setup/Config/LL2M displays all relevant parameters in LCOS.
  • Operating:
    Enables/disables the LL2M server. An LL2M client can contact an enabled LL2M server for the duration of the time limit following device power-on.
    • The command set /Setup/Config/LL2M/Operating No disables the LL2M server.
    • The command set /Setup/Config/LL2M/Operating Yes enables the LL2M server.

4) Commands for the LL2M client:

An encrypted tunnel is set up for every LL2M command to protect the transmitted access credentials. To use the integrated LL2M client, open an SSH connection to a LANCOM router or access point that has local access to the LL2M server via the available physical medium (LAN, WLAN). This CLI session allows the use of the following commands to contact the LL2M server.

In order for commands entered at the LL2M client to be executed on the LL2M server, you must have administrator rights on the LL2M server.

The “ll2mdetect” command:

With the command ll2mdetect the LL2M client sends a SYSINFO request by multicast (or optionally by broadcast) to all available LL2M servers, as long as no additional parameters are added to the command. The LL2M servers reached by the ll2mdetect command then return system information such as their hardware, serial number, etc. back to the LL2M client for display.

The response from the LL2M server contains the following information:

  • Device name
  • Device type
  • Serial number
  • MAC address
  • Hardware release
  • Firmware version with date

The ll2mdetect command can be restricted using the following parameters:

  • -a <MAC address>: Restricts the ll2mdetect command to those devices with the specified MAC address only.
    • The MAC address is specified in the format 00a057010203, 00-a0-57-01-02-03 or 00:a0:57:01:02:03. If no MAC address is specified, the request is sent to all LL2M-enabled devices.
    • To contact groups of MAC addresses, the wildcard * can be used to represent any number of characters and the placeholder x can represent individual characters in a MAC address, e.g. 00-a0-57-xx-xx-xx for all LANCOM MAC addresses.
  • -b: Sends the ll2mdetect command as a broadcast and not as a multicast.
  • -f <firmware version>: Restricts the ll2mdetect command to those devices with the specified firmware version only; the wildcard * can be used here as well.
    • Example of firmware version with wildcard: The command ll2mdetect -f 10.72* displays all devices with firmware version 10.72.
  • -r <hardware release>: Restricts the ll2mdetect command to those devices of the corresponding hardware release only.
    • Example: The command ll2mdetect -r A sends a SYSINFO request to all devices of hardware release A.
  • -s <serial number>: Restricts the ll2mdetect command to a device with a specific serial number.
  • -v <VLAN-ID> : With this additional parameter, the packet containing the ll2mdetect command is given the specified VLAN tag in order to pass through the network structure.
  • -i <interface>: Conducts the search only on the specified interface.

The “ll2mexec” command:

The LL2M client uses this command to send a single-line command to run on the LL2M server. Several commands can be combined in a single LL2M command by using semicolons as separators.

Depending on the command, the action is carried out on the remote device and any response from the remote device is returned to the LL2M client for display.


The command ll2mexec must be entered in the following syntax:

ll2mexec -i <interface> [-v <VLAN-ID>] <user>:<password>@<MAC address>

  • -i <interface>: Sends the ll2mexec command via the specified logical LAN interface (e.g. LAN-1). The interface must always be specified.
  • <user>: Administrator account of the remote device. As a rule, the default administrator root is used for this, but it is also possible to use a separately created administrator with all permissions.
  • <password>: The main device password of the remote device (or the password of the administrator account used).
  • -v <VLAN-ID>: Sets the VLAN to be used (only for devices with VLAN support).
  • <MAC address>: MAC address of the device to be reached via LL2M.

If the password contains special characters, such as $, ", or \ , these characters must each be preceded by an escape character in order for the password to be accepted.

  • A $, for example, needs an additional leading $ ($$).
  • A \ also needs an additional leading \ (\\).
  • A " needs a leading \ (\").

Example: The password ertgbh$1 is entered as ertgbh$$1.
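The following helper, added here as an example and not part of the LANCOM documentation or firmware, applies the rules stated above for building an ll2mexec line: it normalizes the three MAC address notations accepted by ll2mdetect/ll2mexec, evaluates an -a pattern with the * and x wildcards, and escapes $, \ and " in the password. The function names are the example's own.

```python
import re
from typing import Optional

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Accept 00a057010203, 00-a0-57-01-02-03 or 00:a0:57:01:02:03 and
    return the colon-separated lower-case form."""
    raw = mac.lower().replace("-", "").replace(":", "")
    if not _HEX12.match(raw):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


def mac_matches(pattern: str, mac: str) -> bool:
    """Match a MAC against an ll2mdetect -a pattern: '*' stands for any
    run of characters, 'x' for exactly one (e.g. 00-a0-57-xx-xx-xx)."""
    pat = pattern.lower().replace("-", "").replace(":", "")
    regex = "".join(".*" if c == "*" else "." if c == "x" else re.escape(c)
                    for c in pat)
    return re.fullmatch(regex, normalize_mac(mac).replace(":", "")) is not None


def escape_ll2m_password(password: str) -> str:
    """Escape as the article requires: $ -> $$, \\ -> \\\\, " -> \\"."""
    table = {"$": "$$", "\\": "\\\\", '"': '\\"'}
    return "".join(table.get(ch, ch) for ch in password)


def build_ll2mexec(interface: str, user: str, password: str, mac: str,
                   command: str = "", vlan: Optional[int] = None) -> str:
    """Assemble the command line in the syntax shown above.
    vlan=0 yields '-v 0', the untagged case described for hybrid tagging."""
    parts = ["ll2mexec", "-i", interface]
    if vlan is not None:
        parts += ["-v", str(vlan)]
    parts.append(f"{user}:{escape_ll2m_password(password)}@{normalize_mac(mac)}")
    if command:
        parts.append(command)
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed sample values taken from the practical example in this article.
    print(build_ll2mexec("ETH1", "root", "Test12345", "00:a0:57:2b:bf:fa",
                         "set Setup/Name MyLANCOM"))
```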

The ll2mexec command can be restricted to a certain VLAN using the following parameters.

  • -v <VLAN-ID> : Sends the ll2mexec command over the specified VLAN only. If no VLAN ID is specified, the VLAN ID of the first defined IP network is used.

In the situation that the VLAN module is enabled and the Hybrid tagging mode is operating, using LL2M to access a target in the network with the same VLAN ID as the PVID requires the use of the parameter -v 0 so that the communication is “untagged”. Otherwise access via LL2M is not possible.


5) Practical example of using the LL2M protocol:

5.1) Changing the device name:

In this example, the device name on an LCOS router or access point should be changed to MyLANCOM.

5.1.1) From the command line, connect to the router or access point on the local network that should act as an LL2M client.

5.1.2) Enter the command ll2mdetect to display information about all devices found. The MAC address of the access point whose name is to be changed is in this example 00:a0:57:2b:bf:fa.

5.1.3) Enter the following command

ll2mexec -i ETH1 root:Test12345@00:a0:57:2b:bf:fa set Setup/Name MyLANCOM

to use LL2M with administrator rights (root) to connect to the access point.

With the command set Setup/Name MyLANCOM the name of the access point is set to the value MyLANCOM.


5.2) Disabling the VLAN module on an access point:

This example assumes that a LANCOM access point, which is managed by a LANCOM WLAN controller, is no longer accessible or configurable due to a misconfiguration. The VLAN module was activated by mistake on the access point, although no VLAN is used in the network.

Using the LL2M protocol makes it possible to access the access point via the wireless LAN controller and correct the faulty parameter. Please proceed as follows:

5.2.1) Connect to the WLAN controller (LL2M client) from the command line.

5.2.2) Enter the command ll2mdetect to display information about all devices found. The MAC address of the access point in this example is 00:a0:57:2b:bf:fa.

5.2.3) Enter the following command

ll2mexec -i ETH1 root:Test12345@00:a0:57:2b:bf:fa

to use LL2M with administrator rights (root) to connect to the access point.

5.2.4) In this practical example, the mistakenly activated VLAN module in the access point should be deactivated again. To do this, enter the command cd Setup/VLAN at the command prompt. Use the ls command to view the parameters.

5.2.5) Enter the command set Operating no to disable the VLAN module in the access point. The change is immediately enabled in the access point, and the device can be accessed again.

5.2.6) This concludes the troubleshooting with the use of the LL2M protocol.

A useful help when carrying out configurations with the SSH client is the LCOS LX Menu Reference Manual.