Page 2 - FEDERAL COMMUNICATIONS COMMISSION
Black Box LR11xx Series Router Configurations Guide 2 FEDERAL COMMUNICATIONS COMMISSION AND CANADIAN DEPARTMENT OF COMMUNICATIONS RADIO FREQUENCY INTERFERENCE STATEMENTS This equipment generates, uses, and can radiate radio frequency energy and if not installed and used properly, that is, in strict ...
Page 5 - Contents
Contents: DHCP RELAY; DHCP Relay; Feature Overview ...
Page 11 - DHCP Relay
1 DHCP RELAY 1.1 DHCP Relay This application describes the functionality of the DHCP relay feature and includes CLI command examples. 1.1.1 Feature Overview Black Box DHCP relay feature eliminates the need for a DHCP server on every LAN, because DHCP requests can be relayed to a single remote DHCP s...
Page 15 - IGMP Configuration
2 CONFIGURING INTERNET GROUP MANAGEMENT PROTOCOL 2.1 IGMP Configuration Internet Group Management Protocol (IGMP) is enabled on hosts and routers that want to receive multicast traffic. IGMP informs locally-attached routers of their multicast group memberships. Hosts inform routers of the groups...
Page 19 - Filtering IP Traffic; IP Packet Filter Lists
3 FILTERING IP TRAFFIC 3.1 IP Packet Filter Lists Black Box systems can be configured for IP traffic filtering capabilities. IP traffic filtering allows creation of rule sets that selectively block TCP/IP packets on a specified interface. Filters are applied independently to all interfaces: Ethern...
Page 21 - IPSec Configurations
4 CONFIGURING SECURITY 4.1 IPSec Configurations This guide provides information and examples on how to configure IPSec. There are three licenses that control access to the features: Basic VPN Management (vpn_mgmt)—allows users to manage a remote Black Box router. Firewall (firewall)—allows ...
Page 22 - Securely Over an IPSec Tunnel
4.2 Example 1: Managing the Black Box LR1104A Securely Over an IPSec Tunnel The following example demonstrates how to manage a Black Box router through an IP security tunnel. Steps are presented for configuring the Black Box1 and Black Box2 rout...
Page 26 - Two Black Box Security Gateways
Black Box1/configure/crypto/> exit
Black Box1/configure> snmp
Black Box1/configure/snmp> community public rw
Black Box1/configure/snmp> exit
Step 12: Display SNMP communities
Blackbox> show snmp communities
Community = public, priv...
Page 31 - Between Two Black Box Security Gateways
Step 11: After transit traffic is passed through the tunnel, display the IKE and IPSec SA tables. Use the show crypto ike sa all and show crypto ipsec sa all commands. 4.4 Example 3: Multiple IPSec Proposals: Tunnel Mode Between Two Black Box Security Gateways The f...
Page 33 - Example 4: IPSec remote access to corporate LAN
Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2/proposal 2> encryption_algorithm aes256-cbc
Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2/proposal 2> exit
Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2> exit
B...
Page 38 - Example 5: IPSec remote access to corporate LAN
Black Box1> show firewall policy corp
Advanced: S - Self Traffic, F - Ftp-Filter, H - Http-Filter, R - Rpc-Filter, N - Nat-Ip/Nat-Pool, L - Logging, E - Policy Enabled, M - Smtp-Filter
Pri Dir Source Addr Destination Addr Sport Dport Proto Ac...
Page 45 - IPSec Specifications
5 IPSEC SPECIFICATIONS 5.1 IPSec Appendix This appendix provides information about IPSec supported protocols and modes, encryption algorithms and block sizes, and Black Box IPSec and IKE default values. IPSec Supported Protocols and Algorithms The following tables provide supported protocol and alg...
Page 49 - Forwarding IP Traffic
6 FORWARDING IP TRAFFIC 6.1 IP Multiplexing IP Multiplexing is a method for the transparent forwarding of IP packets between LAN and WAN interfaces. LAN to WAN forwarding is accomplished through a Proxy ARP process. A Black Box system maps a unique MAC address to each WAN link then responds with th...
Page 50 - Addressing in IP Multiplexing Networks
Figure 13 Proxy ARP and Packet Forwarding
1. Router 1 broadcasts an ARP request for 200.1.1.1.
2. Black Box 1 recognizes that router 200.1.1.1 is reachable via its WAN interface, based on a configured IP route.
3. Black Box 1 Proxy ARPs, responding...
Page 53 - Pros and Cons of Different IP Addressing Schemes; Routing Considerations for IP Multiplexing
6.1.8 Secondary Addressing – 29 Bit This approach utilizes a 29-bit subnet for each remote connection. Within each 29-bit subnet is the POP router secondary, the Black Box WAN addressing, and the remote router secondary. 6.1.9 Pros and Cons of Different IP Addressing Schemes The f...
Page 55 - IP Multiplexing HDLC Configurations; Connecting a Black Box Router to a Router/CSU
7 IP MULTIPLEXING HDLC CONFIGURATIONS 7.1 Connecting a Black Box Router to a Router/CSU via HDLC The following diagram details a single T1 connection between a Black Box and a remote router/CSU combination. Secondary IP addressing is used for IP multiplexing. Figure 15 IP Multiplexing Application T...
Page 57 - PPP and MLPPP; Configuring Multiple PPP and MLPPP Bundles
8 IP MULTIPLEXING PPP AND MLPPP CONFIGURATIONS 8.1 Configuring Multiple PPP and MLPPP Bundles The following figure shows a Black Box LR1104A at the main site communicating with three remote sites. Site 1 utilizes a Black Box LR1114A communicating over a 4 x T1 WAN bundle. Site 2 utilizes a Black Bo...
Page 59 - Configure the Black Box LR1104A at the Main Site
8.1.1 Configure the Black Box LR1104A at the Main Site
MainLR1104A/configure> interface ethernet 0
MainLR1104A/configure/interface/ethernet> ip addr 200.1.1.2 255.255.255.0
MainLR1104A/configure/interface/ethernet> exit
MainLR1104A/configure> module ct3 1 ...
Page 64 - Firewall Configuration Examples; DMZ; CORP
10.2 Firewall Configuration Examples 10.2.1 Basic Firewall Configuration Figure 18 illustrates the basic elements of a firewall. Refer to this illustration in the configuration example below. Figure 18 Basic Firewall Configuration A typical and ...
Page 72 - NAT Configurations; NAT Configuration Examples
10.2.2 Packet Reassembly To configure the firewall to perform IP reassembly of oversized packets that have been fragmented, enter: 10.3 NAT Configurations Network Address Translation (NAT) was defined to serve two purposes: Allowed LAN adminis...
Page 77 - Multipath Multicast
11 MULTIPATH MULTICAST CONFIGURATIONS 11.1 Multipath Multicast The multicast multipath feature allows load balancing on multicast traffic across equal cost paths. Equal cost multipath routing is useful when multiple equal cost routes to the same destination exist. These routes can be discovered an...
Page 78 - Multipath Commands
11.2 Multipath Commands The following table lists the multipath commands: When multipath is disabled, Black Box selects the nexthop address with the lowest IP address. For equal cost routes the nexthops are stored in the increasing (ascending) order ...
Page 79 - Configuring NAT; Network Address Translation
12 CONFIGURING NAT 12.1 Network Address Translation Network Address Translation (RFC 1631) is commonly known as NAT. This application discusses NAT and provides a technical explanation and configuration examples. Features: Dynamic Address/Port Translation Static Address/Port Translation Forwar...
Page 83 - NAT Configuration; NAT Configurations; NAT Configuration Examples
13 NAT CONFIGURATION EXAMPLES 13.1 NAT Configurations Network Address Translation (NAT) was defined to serve two purposes: Allowed LAN administrators to create secure, private, non-routable IP networks behind firewalls Stretched the number of available IP addresses by allowing LANs to use one ...
Page 87 - VPN; Secure Remote Access Using IPSec VPN
14 REMOTE ACCESS VPNS 14.1 Secure Remote Access Using IPSec VPN The corporate network no longer has a clearly defined perimeter inside secure buildings and locked equipment closets. Increasingly, companies have a need to provide remote access to their corporate resources for the employees on the m...
Page 88 - Configuration Examples
14.2.2 Remote Access: Mode Configuration The other method to achieve IPSec remote access in Black Box is the mode configuration method. This method makes the VPN client an extension of the LAN being accessed by the VPN client. The remote client ...
Page 90 - IPSec Remote Access Mode Configuration Group
14.5 IPSec Remote Access Mode Configuration Group Method The following example demonstrates how to configure a Black Box router to be an IPSec VPN server using the mode-configuration method. The client could be any standard mode config enabled IPSec...
Page 93 - Routing Information Protocol; Configuring RIP for Ethernet 0 and WAN 1 Interfaces; Displaying All Configured RIP Interfaces
15 NETWORKING WITH ROUTING INFORMATION PROTOCOL
15.1 Routing Information Protocol
15.1.1 Configuring RIP for Ethernet 0 and WAN 1 Interfaces
LR1114A> configure terminal
LR1114A/configure> router rip
LR1114A/configure/router rip> interface ethernet0
LR1114A/configure/router rip/interface e...
Page 95 - Static Routing Configuration
16 CONFIGURING STATIC ROUTES 16.1 Static Routing Configuration All Black Box systems support IP routing utilizing static routes. The following diagram shows a remote Black Box “A” connected over an MLPPP bundle to the main Black Box “B”. Black Box B in turn routes to the customer router. Figure 3...
Page 97 - OSPF Routing Protocol; Configuring interface bundle Dallas
17 CONFIGURING OPEN SHORTEST PATH FIRST ROUTING 17.1 OSPF Routing Protocol The following example shows a Black Box LR1114A connected to a router over a single T1 link. IP addresses 10.10.10.0, 20.20.20.0, and 30.30.30.0 are assigned to area 760. Figure 33 Configuring OSPF Between a Black Box L...
Page 98 - Configuring ospf interface parameters
17.1.4 Configuring ospf
LR1114A/configure> router routerid 10.10.10.1
LR1114A/configure> router ospf
LR1114A/configure/router/ospf> area 760
LR1114A/configure/router/ospf/area 760> exit
17.1.5 Configuring ospf interface parameters
LR1...
Page 99 - Installing Licenses
18 CONFIGURING GENERIC ROUTING ENCAPSULATION 18.1 Configuring GRE Generic Routing Encapsulation (GRE) is a standards-based (RFC 1701, RFC 2784) tunneling protocol that can encapsulate a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link between routers ...
Page 100 - GRE Configuration Examples
To install the advanced VPN and firewall license and use all the security features available in this release, enter: 18.3 GRE Configuration Examples This example explains how to configure a basic GRE tunnel as shown in Figure 36. Blackbox/confi...
Page 103 - Configuring GRE Site to Site with IPSec
Step 5: Configure the Cisco side:
18.4 Configuring GRE Site to Site with IPSec
This example extends the first example by adding encryption to the tunnel.
Step 1: Prepare the WAN link:
Step 2: Configure the tunnel:
Step 3: Configure the routes:
Step 4: Define the ...
Page 104 - Configuring GRE Site to Site with IPSec and OSPF
Step 5: Check the status of the tunnel by entering:
Blackbox> show ip interface tunnel t0
Step 6: Validate the tunnel configuration by entering:
Blackbox> show crypto ipsec policy all
Or enter:
Blackbox> show crypto ike policy all
18.5 ...
Page 105 - OSPF
19 CONFIGURING OSPF AND FRAME RELAY 19.1 OSPF - Frame Relay The following example shows OSPF running between a Black Box LR1112A and a router over a serial T1 link with back-to-back Frame Relay. Figure 37 OSPF Over a Single T1 with Frame Relay (diagram labels: Area 760, Tasman 6300 Router, 10.10.10.0/24, ...)
Page 106 - Configuring interface bundle Dallas
19.1.1 Configuring the host name
LR1112A> configure terminal
LR1112A/configure> hostname LR1112A
19.1.2 Configuring interface ethernet 0
LR1112A/configure> interface ethernet 0
LR1112A/configure/interface/ethernet0> ip address 10.10.1...
Page 107 - PIM Configuration
20 CONFIGURING PROTOCOL INDEPENDENT MULTICASTING ROUTING 20.1 PIM Configuration Protocol Independent Multicast (PIM) protocols route multicast packets to multicast groups. PIM is protocol independent because it can leverage whichever unicast routing protocol is used to populate unicast routing ...
Page 115 - Multicast Traceroute Facility
21 MTRACE CONFIGURATION 21.1 Multicast Traceroute Facility With multicast distribution trees, tracing from a source to a multicast destination is difficult, since the branch of the multicast tree on which the destination lies is unknown. The technique used by the traceroute tool to trace unicast ne...
Page 123 - Virtual LAN Tagging; Managing Traffic with VLAN Tagging
23 VIRTUAL LAN TAGGING 23.1 Managing Traffic with VLAN Tagging Figure 41 Aggregation Using VLAN Tagging The illustration above shows two customers connected to an aggregation/IP services router using a Black Box LR1104A. All packets coming into the Black Box LR1104A on the single T1 bundle are tag...
Page 129 - WAN Interface; T1 Interface Configuration
25 WAN INTERFACE CONFIGURATIONS 25.1 T1 Interface Configuration Black Box systems are available with T1 WAN interfaces. Consult the Black Box System Installation Guide for details on WAN interface types, cabling, and pinouts. This document outlines the configuration of module parameters (Layer 1) ...
Page 131 - Virtual LAN Forwarding; Managing VLAN Traffic
26 VIRTUAL LAN FORWARDING 26.1 Managing VLAN Traffic Figure 43 VLAN Forwarding: Multi-Tenant Internet Access The example above shows each multi-tenant customer represented as a separate VLAN on the Ethernet switch. The connection in the customer office can be routed or bridged, depending on whethe...