Canopy IP, Nat, Vlan

IP, NAT & VLAN
Place your image on

top of this gray box.
If no graphic is
applicable, delete gray
box and notch-out
Canopy Technical Training Course MOTOROLA and the Stylized M Logo are registered in the US Patent & Trademark Office. All other
product or service names are the property of their respective owners. © Motorola, Inc. 2003.
Objectives
• Describe Canopy addressing

• Describe the function of each IP address on a
Canopy unit
• Explain how IP addressing is handled in Canopy,
with and without NAT enabled
• Describe the VLAN feature
1
Recap: Canopy in Place of a Wireless Switch
IP 129.188.181.93 Internet
Router
IP 124.2.198.1
AP
Ethernet
(Layer 2)
Addressing
SM SM SM IP 216.32.120.133
IP 124.2.198.30 IP 124.2.198.31 IP 124.2.198.32
IP Address Handling
• Data traffic
– without NAT: Canopy system works as a Layer 2 Bridge,
performing no IP address routing / switching
– With NAT: Canopy performs IP address translation
• Management traffic
– Operation and Maintenance of Canopy’s system
2
IP Addresses in Canopy (No NAT)
• This slide lists all IP addresses that can be

RF Pub configured in a Canopy system that does not
C.C.C.Y use NAT.
Internet /
Intranet RF Pvt
D.D.D.1
BAM RF Pub
C.C.C.Z CMM C.C.C.X CPE
A.A.A.2
RF Pvt
D.D.D.X CPE
NOC A.A.A.3
C.C.C.W
CPE
A.A.A.4
DHCP Server Hub/Switch/

Router
A.A.A.1
IP Addresses in Canopy – IP Traffic

(No NAT)
• Computers connected to the SM are accessed

directly by their IP addresses, which might
have been assigned by a DHCP server on the
network.
Internet /
Intranet
CMM CPE
A.A.A.2
CPE
A.A.A.3
CPE
A.A.A.4
Hub/Switch/
Router
3
IP Addresses in Canopy – Network
Management (No NAT)
• Canopy units can be remotely accessed for

O&M purposes via RF Public address …
RF Pub
C.C.C.Y
En
able
RF Pvt d:
Pu
D.D.D.1 blic
@
SM
RF Pub
CMM C.C.C.X
RF Pvt
D.D.D.X
NOC
C.C.C.W
Hub/Switch/
Router

Management (No NAT)
• … or via the LUID, when SMs are configured

as “Private IP.”
RF Pub
C.C.C.Y Dis
able
RF Pvt d:
Priv
D.D.D.1 ate
@
SM
Via
LU RF Pub
CMM ID C.C.C.X
RF Pvt
D.D.D.X
NOC
C.C.C.W
Hub/Switch/
Router
4
NAT (Network Address Translation)
• Network Address Translation (NAT) provides a means for using

private (non-routable over the internet) IP addresses behind a
router, switch or firewall and translating any of these addresses
wishing to access the public network to one routable (public) IP
address.
• Network Address Translation (NAT) may also function as a

firewall, preventing access to the private network from the public
network.
• Usually the NAT device performs port translation and “stateful”

inspection of incoming packets to confirm they are a response to
packets that were generated from the private network.
IP Addresses in Canopy (NAT)
RF Pub • This slide lists all IP addresses that can be

C.C.C.Y
Internet / configured in a Canopy system using NAT
Intranet RF Pvt
D.D.D.1
RF Pub
BAM C.C.C.X
C.C.C.Z CMM CPE
A.A.A.2
RF Pvt
D.D.D.X
CPE
NOC A.A.A.3
C.C.C.W
NAT Pvt CPE
NAT Pub A.A.A.1 A.A.A.4
B.B.B.X
Hub/Switch/ DMZ
DHCP Server
Router A.A.A.DMZ
B.B.B.1
5
• When NAT (Network Address Translation) is enabled, a Subscriber

Module becomes a Layer 3 switch.
• Canopy NAT configurations can vary depending on network

configuration, IP addressing and if DHCP is enabled.
• An SM with NAT enabled uses four IP addresses, all of which can

be private (non-routable over the internet), depending on network
requirements.
• Canopy with NAT enabled supports HTTP, other non-embedded

protocols, and the pass-through of Level 2 Tunneling Protocol
(L2TP) over IPSec.
IP Addresses in Canopy – IP Traffic (NAT)
• Computer connected to the SM starts a

connection using its its non-routable IP
address
• This non-routable IP address is translated by
the SM into a routable IP address (NAT)
Internet /
Intranet CMM CPE
A.A.A.2
CPE
A.A.A.3
NAT Pvt CPE

A.A.A.1 A.A.A.4
NAT Pub
B.B.B.X
Hub/Switch/ DMZ
Router A.A.A.DMZ
6
IP Addresses in Canopy – IP Traffic (NAT)
• A remote host can communicate back with the

computer via the routable IP address, which is
translated back to the original non-routable IP
address by the SM (NAT)
• This connection must have been originated by
Internet / the computer connected to the SM
Intranet
CMM CPE
A.A.A.2
CPE
A.A.A.3
NAT Pvt CPE

A.A.A.1 A.A.A.4
NAT Pub
B.B.B.X
Hub/Switch/ DMZ
Router A.A.A.DMZ
IP Addresses at Canopy – IP Traffic (NAT)
• A remote host can communicate directly with

a device connected to an SM configured with
a DMZ address.
• In this case, the connection can be originated
by the remote host.
Internet /
Intranet
CMM CPE
A.A.A.2
CPE
A.A.A.3
NAT Pvt
CPE
A.A.A.1
A.A.A.4
Hub/Switch/ DMZ
Router A.A.A.DMZ
7
• Basic NAT supports non-embedded protocols (such as HTTP) and

requires ALG’s (Application Layer Gateways) written for that device
to support embedded protocols like ICMP (Internet Control Message
Protocols), Ping and FTP (File Transfer Protocol).
• Effective with release 4.2, Canopy also supports NAT pass-through

of virtual private networks (VPNs).
• Canopy’s NAT includes ALG’s for ICMP, FTP and L2TP over IPSec.
It does not support PPTP.
• When NAT is enabled, the DHCP server and DHCP client are
enabled by default. Either or both of these features can be disabled,
depending on network needs.

Management (NAT)
• Canopy units can be remotely accessed for

O&M purposes via RF Public address …
RF Pub
C.C.C.Y
En
able
RF Pvt d:
Pu
D.D.D.1 blic
@
SM
RF Pub
CMM C.C.C.X
RF Pvt
D.D.D.X
NOC
C.C.C.W
Hub/Switch/
Router
8
Management (NAT)
• … or via the LUID, when SMs are configured

RF Pub as “Private IP.”
C.C.C.Y Dis
able
RF Pvt d:
Priv
D.D.D.1 ate
@
SM
Via
LU RF Pub
CMM ID C.C.C.X
RF Pvt
D.D.D.X
NOC
C.C.C.W
Hub/Switch/
Router

Management (NAT)
• Canopy units can be locally accessed for

O&M purposes via NAT private IP address
CMM CPE
A.A.A.2
CPE
A.A.A.3
NAT Pvt
A.A.A.1
CPE
A.A.A.4
NOC
C.C.C.W Hub/Switch/ DMZ
Router A.A.A.DMZ
9
• Canopy provides the following five states of NAT and

DHCP:
– NAT Disabled - No NAT
– NAT with DHCP Client and DHCP Server
– NAT with DHCP Client
– NAT with DHCP Server
– NAT with no DHCP
• NAT, DHCP client and the DHCP server can be

enabled or disabled as necessary.
• When making changes to these pages simply check

“Save Changes,” then go to the IP Configuration page
to see the IP addressing options available for that
combination of NAT and DHCP.
• It is not necessary to reboot the SM each time “Save

Changes” is clicked.
10
Port Filtering
• Canopy allows the operator to filter (block)

specific protocols and ports from leaving the
SM and entering the Canopy network.
– Protects the network from packet loading or probing by
network users.
– Provides a level of protection to users from each other.
• Protocol and port filtering is set per SM.

– Filtering takes place as packets leave the SM headed to the
air interface, except SNMP.
– If an SM is configured to filter SNMP, then SNMP packets are
blocked from entering the SM.
Port Filtering, With / Without NAT
• With NAT disabled, operators can:

– filter protocols and three user-specified ports
– allow all protocols except those specified
– block all protocols except those specified
• With NAT enabled, the operator can filter three

user-specified ports.
• Protocol and port filtering is set on the SM’s

Advanced Network Configuration page.
11
Protocol & Port Filtering – NAT Disabled
With NAT disabled,

operators can block
PPPoE, any
combination of the
IPv4 protocols listed,
or ARP.
Selecting “All others”
ensures that only the
protocols specifically
NOT selected here
will be allowed.
Protocol & Port Filtering – NAT Enabled
With NAT enabled,

operators can specify up to
three ports to be blocked.
For example, specifying
ports 20 and 21 for TCP and
UDP will stop users from
using FTP. Specifying ports
161 and 162 for TCP and
UDP will block a
subscriber’s access to
SNMP.
12
AP VLAN Configuration
AP VLAN Config - VLAN enabled
13
AP VLAN Membership
AP VLAN Stats
14
SM VLAN Config
SM VLAN Config - VLAN enabled
15
SM VLAN Membership
VLAN Config
VLAN enable Dynamic learning disable
Dynamic learning enable Allow only Tagged disable
Allow only Tagged disable
Untagged Ingress VID = 2
Management VID = 1
Management VID = 1
VLAN Membership = 2 (add Member)
CMM
Dynamic learning disable Dynamic learning disable

Allow only Tagged disable Allow only Tagged disable
Untagged Ingress VID = 3 Untagged Ingress VID = 3
Switch
Management VID = 1 Management VID = 1
VLAN
VLAN Membership = 3 (add Member) VLAN Membership = 3 (add Member)
16
VLAN Config (untagged)
Allow only Tagged disable Untagged Ingress VID = 2
VID = 2 untagged
CMM

Switch
VLAN
VLAN Config (VID = 2)

VID = 2 VID = 2
CMM

Switch
VLAN
17
VLAN Config (other VID)
DROP VID ? 2
CMM

Switch
VLAN
VLAN Config (management)

VID = 1
untagged
VID = 1
CMM

Switch
VLAN
18

Canopy IP, Nat, Vlan

Enviado por

Dados do documento

Descrição original:

Título original

Direitos autorais

Formatos disponíveis

Compartilhar este documento

Compartilhar ou incorporar documento

Opções de compartilhamento

Você considera este documento útil?

Este conteúdo é inapropriado?

Direitos autorais:

Formatos disponíveis

Canopy IP, Nat, Vlan

Enviado por

Direitos autorais:

Formatos disponíveis

IP, NAT & VLAN

Place your image on

• Describe Canopy addressing

IP 124.2.198.30 IP 124.2.198.31 IP 124.2.198.32

• This slide lists all IP addresses that can be

DHCP Server Hub/Switch/

IP Addresses in Canopy – IP Traffic

• Computers connected to the SM are accessed

• Canopy units can be remotely accessed for

IP Addresses in Canopy – Network

• … or via the LUID, when SMs are configured

• Network Address Translation (NAT) provides a means for using

• Network Address Translation (NAT) may also function as a

• Usually the NAT device performs port translation and “stateful”

IP Addresses in Canopy (NAT)

RF Pub • This slide lists all IP addresses that can be

• When NAT (Network Address Translation) is enabled, a Subscriber

• Canopy NAT configurations can vary depending on network

• An SM with NAT enabled uses four IP addresses, all of which can

• Canopy with NAT enabled supports HTTP, other non-embedded

IP Addresses in Canopy – IP Traffic (NAT)

• Computer connected to the SM starts a

NAT Pvt CPE

• A remote host can communicate back with the

NAT Pvt CPE

IP Addresses at Canopy – IP Traffic (NAT)

• A remote host can communicate directly with

• Basic NAT supports non-embedded protocols (such as HTTP) and

• Effective with release 4.2, Canopy also supports NAT pass-through

IP Addresses in Canopy – Network

• Canopy units can be remotely accessed for

• … or via the LUID, when SMs are configured

IP Addresses in Canopy – Network

• Canopy units can be locally accessed for

• Canopy provides the following five states of NAT and

NAT (Network Address Translation)

• NAT, DHCP client and the DHCP server can be

• When making changes to these pages simply check

• It is not necessary to reboot the SM each time “Save

• Canopy allows the operator to filter (block)

• Protocol and port filtering is set per SM.

Port Filtering, With / Without NAT

• With NAT disabled, operators can:

• With NAT enabled, the operator can filter three

• Protocol and port filtering is set on the SM’s

With NAT disabled,

Protocol & Port Filtering – NAT Enabled

With NAT enabled,

AP VLAN Config - VLAN enabled

SM VLAN Config - VLAN enabled

VLAN Membership = 2 (add Member)

Dynamic learning disable Dynamic learning disable

Dynamic learning disable Dynamic learning disable

VLAN Config (VID = 2)

Dynamic learning disable Dynamic learning disable

Dynamic learning disable Dynamic learning disable

VLAN Config (management)

Dynamic learning disable Dynamic learning disable

Você também pode gostar