Order toll-free in the U.S. 24 hours, 7 A.M. Monday to midnight Friday: 877-877-BBOX CUSTOMER FREE technical support, 24 hours a day, 7 days a week: Call 724-746-5500 or fax 724-746-0746 SUPPORT Mail order: Black Box Corporation, 1000 Park Drive, Lawrence, PA 15055-1018 INFORMATION Web site: www.blackbox.com • E-mail: info@blackbox.com...
Black Box LR11xx Series Router Configurations Guide
FEDERAL COMMUNICATIONS COMMISSION / CANADIAN DEPARTMENT OF COMMUNICATIONS RADIO FREQUENCY INTERFERENCE STATEMENTS
This equipment generates, uses, and can radiate radio frequency energy and if not installed and used properly, that is, in strict accordance with the manufacturer’s instructions, may cause interference to radio communication.
Normas Oficiales Mexicanas (NOM) Electrical Safety Statement
SAFETY INSTRUCTIONS
All safety and operating instructions must be read before the electrical appliance is operated. The safety and operating instructions must be kept for future reference. All warnings on the electrical appliance and in its operating instructions must be observed.
The power cord must be disconnected when the equipment is not going to be used for a long period of time. Care must be taken so that liquids are not spilled onto the cover or into the ventilation openings.
Configure the Black Box LR1104A .......... 22
Example 3 .......... 22
Configure the Black Box LR1104A .......... 22
.......... 23
Configuring Security
IPSec Configurations .......... 23
Example 1: Managing the Black Box LR1104A Securely Over an IPSec Tunnel .......... 24
Example 2: Single Proposal: Tunnel Mode Between Two Black...
Configure the Black Box LR1114A System at Site 1 .......... 64
PPP and MLPPP Configuration .......... 64
Configure the Black Box LR1104A System at the Main Site .......... 64
HDLC Configuration .......... 64
Configure the Black Box LR1104A System at the Main Site .......... 64
..........
Configure interface bundle mip .......... 127
Configure ip routing .......... 127
.......... 129
Managing Redundant Connections
Trunk Group/Failover .......... 129
Configuration Details .......... 129
Configure the Black Box LR1114A for Failover Operation .......... 130
WAN Interface Configurations .......... 131
T1 Interface Configuration .......... 131
Module Configuration .......... 131
T1 .......... 131...
Configure the LR1104A LR1104A at Site 1 .......... 141
Configure the LR1104A .......... 141
Configure the LR1104A LR1114A at Site 2 .......... 142
Configure the LR1104A .......... 142...
1.1.1 Feature Overview
The Black Box DHCP relay feature eliminates the need for a DHCP server on every LAN, because DHCP requests can be relayed to a single remote DHCP server. Black Box’s implementation of DHCP relay is based on RFC 1532.
[Figure 2: BOOTP Requests. A DHCP client sends a broadcast BOOTREQUEST; the DHCP relay agent (Tasman 1400) forwards it as a unicast BOOTREQUEST to the DHCP server.]
1.1.2.2 BOOTP Replies
BOOTP replies are messages from the server to the client. Reply messages include DHCP OFFER, DHCP ACK, DHCP NAK, etc.
DHCP Relay
Blackbox> configure terminal
Blackbox/configure> interface ethernet 0
Blackbox/configure/interface/ethernet 0> dhcp server_address 20.1.1.1
1.1.4.2 Disabling DHCP Relay
Blackbox/configure/interface/ethernet 0> no dhcp server_address 20.1.1.1
1.1.4.3 Configuring the Gateway Address field when NAT is enabled
Blackbox/configure/interface/ethernet 0> dhcp gateway_address 192.168.20.1
1.1.5 Displaying DHCP Configuration
The following screen captures show the displayed results of issuing show commands relevant to DHCP relay, with and without gateway addresses configured.
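The relay behaviour the configuration above sets up (unicast the client's broadcast BOOTREQUEST to the configured server, fill the gateway address field, and pass replies back onto the client LAN) can be modelled in a few lines. The following is an added example written for this guide, not Black Box code: the header layout is the standard BOOTP/DHCP fixed header, `server_address` and `gateway_address` mirror the two interface commands above, and the `max_hops` loop guard, the sample client hardware address and the interface address 10.0.0.1 are constructed for the example. The reply check (only forward replies whose giaddr is ours) is the defensive detail worth noticing: a relay that forwards any BOOTREPLY onto its LAN would happily deliver spoofed offers.

```python
import ipaddress
import struct

# Fixed-length BOOTP/DHCP header (options omitted):
# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr
HEADER_FMT = "!BBBBIHH4s4s4s4s16s"
HEADER_LEN = struct.calcsize(HEADER_FMT)      # 44 bytes
HOPS_OFFSET, GIADDR_OFFSET = 3, 24
BOOTREQUEST, BOOTREPLY = 1, 2
DHCP_SERVER_PORT, DHCP_CLIENT_PORT = 67, 68
BROADCAST_FLAG = 0x8000


def build_bootp(op, xid, chaddr, yiaddr="0.0.0.0", giaddr="0.0.0.0",
                hops=0, flags=BROADCAST_FLAG):
    """Construct a minimal BOOTP/DHCP message (sample data for this example)."""
    zero = ipaddress.IPv4Address("0.0.0.0").packed
    return struct.pack(HEADER_FMT, op, 1, 6, hops, xid, 0, flags, zero,
                       ipaddress.IPv4Address(yiaddr).packed, zero,
                       ipaddress.IPv4Address(giaddr).packed,
                       chaddr.ljust(16, b"\x00"))


def parse_bootp(msg):
    """Decode the fields the relay needs from the fixed header."""
    f = struct.unpack(HEADER_FMT, msg[:HEADER_LEN])
    return {"op": f[0], "hops": f[3], "xid": f[4], "flags": f[6],
            "yiaddr": str(ipaddress.IPv4Address(f[8])),
            "giaddr": str(ipaddress.IPv4Address(f[10])),
            "chaddr": f[11][:f[2]]}


class DhcpRelay:
    """One relay instance per Ethernet interface (the guide allows one server per interface)."""

    def __init__(self, interface_address, server_address, gateway_address=None, max_hops=16):
        self.interface_address = interface_address
        self.server_address = server_address          # "dhcp server_address" on the interface
        # "dhcp gateway_address" overrides the giaddr written into requests when NAT hides the
        # interface's real address; defaulting to the interface address is an assumption here.
        self.gateway_address = gateway_address or interface_address
        self.max_hops = max_hops                      # hypothetical loop guard, not a guide setting

    def relay_request(self, msg):
        """Client broadcast BOOTREQUEST -> unicast to the server with giaddr filled in."""
        m = parse_bootp(msg)
        if m["op"] != BOOTREQUEST or m["hops"] >= self.max_hops:
            return None                               # not a request, or relayed too many times
        out = bytearray(msg)
        out[HOPS_OFFSET] = m["hops"] + 1
        if m["giaddr"] == "0.0.0.0":                  # first relay on the path sets giaddr
            out[GIADDR_OFFSET:GIADDR_OFFSET + 4] = \
                ipaddress.IPv4Address(self.gateway_address).packed
        return self.server_address, DHCP_SERVER_PORT, bytes(out)

    def relay_reply(self, msg):
        """Server BOOTREPLY (OFFER/ACK/NAK) -> client LAN, only if it was addressed to us."""
        m = parse_bootp(msg)
        if m["op"] != BOOTREPLY or m["giaddr"] != self.gateway_address:
            return None                               # replies meant for other relays are dropped
        dest = "255.255.255.255" if m["flags"] & BROADCAST_FLAG else m["yiaddr"]
        return dest, DHCP_CLIENT_PORT, msg


if __name__ == "__main__":
    relay = DhcpRelay("10.0.0.1", "20.1.1.1", gateway_address="192.168.20.1")
    req = build_bootp(BOOTREQUEST, 0x1234, b"\xaa\xbb\xcc\xdd\xee\xff")
    dst, port, fwd = relay.relay_request(req)
    print("request relayed to", dst, port, "giaddr =", parse_bootp(fwd)["giaddr"])
```

With `gateway_address` set, as in the NAT case above, the server sees 192.168.20.1 in giaddr and picks its scope from that address rather than from the interface address the NAT hides.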
1.1.7 DHCP Limitations
There are limitations when using DHCP relay on a Black Box system. Only one DHCP server can be specified per interface. DHCP can be enabled only on Ethernet interfaces (not on bundles). Finally, DHCP can be enabled in IP routing (static and dynamic) mode,...
Configuring Internet Group Management Protocol
2.1 IGMP Configuration
Internet Group Management Protocol (IGMP) is enabled on hosts and routers that want to receive multicast traffic. IGMP informs locally-attached routers of their multicast group memberships. Hosts inform routers of the groups of which they are members by multicasting IGMP Group Membership Reports.
2.1.1 IGMP Commands
The IGMP commands are:
ip igmp
ignore-v1-messages
ignore-v2-messages
last-member-query-count
last-member-query-interval
query-interval
query-response-interval
require-router-alert
robustness
send-router-alert
startup-query-count
startup-query-interval
group filter
version
debug ip igmp
debug ip igmp state
debug ip igmp normal...
IGMP Configuration
Blackbox/configure/ip/igmp/interface ethernet0> ip igmp ignore-v2-messages
Blackbox/configure/ip/igmp/interface ethernet0> exit
Blackbox/configure>
2.1.2.5 Example 5
The following example configures the Last Member Query Count to be 4 on ethernet 0.
Blackbox/configure/ip/igmp/interface ethernet0> last-member-query-count 4
2.1.2.6 Example 6
In the following example for interface ethernet 0, the Robustness is configured to be 4. The Last Member Query count is configured to be 5.
“permit” statement. The order in which you enter the filtering rules is important. As the Black Box system is evaluating each packet, the Black Box OS tests the packet against each rule statement sequentially. After a match is found, no more rule statements are checked.
- he wishes to permit FTP sessions from all networks to the internal FTP server (222.199.19.12), deny FTP sessions to all other addresses, and permit all other traffic to flow through the Black Box unit. 3.1.2.1 Configure the Black Box LR1104A Blackbox>...
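The sequential, first-match evaluation described above is what makes rule order a security property: a broad deny placed ahead of a narrow permit silently cancels the exception. The following added example (written for this guide, not Black Box code) evaluates the three-rule policy from the text, the FTP server address 222.199.19.12 is the guide's, and then shows the same rules with the first two swapped; `shadowed_rules` is a check a practitioner would want, reporting rules that can never fire because an earlier rule already covers every packet they match. The default action when no rule matches is a parameter here because the page does not state it.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    protocol: str                    # "tcp", "udp", "icmp", or "ip" for any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int] = None   # None means any destination port


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.protocol == "ip" or rule.protocol == pkt.protocol)
            and ipaddress.IPv4Address(pkt.src) in rule.src
            and ipaddress.IPv4Address(pkt.dst) in rule.dst
            and (rule.dst_port is None or rule.dst_port == pkt.dst_port))


def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> Tuple[str, Optional[int]]:
    """Sequential first-match evaluation: (action, 1-based rule index), or (default, None)."""
    for index, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return rule.action, index          # after a match no further rules are checked
    return default, None


def covers(earlier: Rule, later: Rule) -> bool:
    """True if every packet matching `later` would already have matched `earlier`."""
    return ((earlier.protocol == "ip" or earlier.protocol == later.protocol)
            and later.src.subnet_of(earlier.src)
            and later.dst.subnet_of(earlier.dst)
            and (earlier.dst_port is None or earlier.dst_port == later.dst_port))


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """1-based indices of rules that can never fire because an earlier rule covers them."""
    return [j for j, later in enumerate(rules, start=1)
            if any(covers(earlier, later) for earlier in rules[:j - 1])]


FTP_SERVER = ipaddress.IPv4Network("222.199.19.12/32")
FTP = 21

# The policy from the text, in the order the guide gives it.
INTENDED = [
    Rule("permit", "tcp", ANY, FTP_SERVER, FTP),   # FTP to the internal FTP server
    Rule("deny",   "tcp", ANY, ANY, FTP),          # FTP to every other address
    Rule("permit", "ip",  ANY, ANY),               # everything else flows through
]

# Same three rules with the first two swapped: the deny now covers the permit.
MISORDERED = [INTENDED[1], INTENDED[0], INTENDED[2]]

if __name__ == "__main__":
    ftp_to_server = Packet("tcp", "198.51.100.7", "222.199.19.12", FTP)   # constructed client
    print("intended  :", evaluate(INTENDED, ftp_to_server))
    print("misordered:", evaluate(MISORDERED, ftp_to_server))
    print("shadowed in misordered list:", shadowed_rules(MISORDERED))
```

Running `shadowed_rules` over a rule set before committing it catches exactly the mistake the text warns about: in the misordered list rule 2 (the permit) is reported as unreachable.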
This guide provides information and examples on how to configure IPSec. There are three licenses that control access to the features:
Basic VPN Management (vpn_mgmt): allows users to manage a remote Black Box router.
Firewall (firewall): allows users to manage the firewall features. Also includes Basic VPN Management.
Securely Over an IPSec Tunnel
The following example demonstrates how to manage a Black Box router through an IP security tunnel. Steps are presented for configuring the Black Box1 and Black Box2 routers so that any host on the LAN side of Black Box2 can manage the Black Box1 router through the IP security tunnel.
Mode Transform
------ ---- ---- ---------
Black Box 172.14.0.2 Main P1 pre-g1-3des-sha
Blackbox>
Step 7: Display IKE policies in detail
Displays the encryption algorithm, hash algorithm, authentication mode, and other details of the IKE policies.
Step 8: Configure the IPSec tunnel to the remote host
Black Box1/configure/crypto>...
Step 10.1: Configure firewall policies to allow IKE negotiation through the untrusted interface (applicable only if the firewall license is also enabled)
Black Box1/configure> firewall internet
Black Box1/configure/firewall internet> policy 1000 in service ike self
Black Box1/configure/firewall internet/policy 1000 in>...
Example 1: Managing the Black Box
Black Box1> show firewall policy internet detail
Policy with Priority 1000 is enabled, Direction is inbound
Action permit, Traffic is self
Logging is disable
Source Address is any, Dest Address is any
Source Port is any, Service Name is ike
Schedule is disabled, Ftp-Filter is disabled
Smtp-Filter is disabled, Http-Filter is disabled
Rpc-Filter is disabled, Nat is disabled...
The following example demonstrates how to form an IP security tunnel to join two private networks: 10.0.1.0/24 and 10.0.2.0/24. The security requirements are as follows:
Phase 1: 3DES with SHA1
Phase 2: IPSec ESP with AES (256-bit) and HMAC-SHA1
[Figure 9: Tunnel Mode Between Two Black Box Security Gateways - Single Proposals; gateway addresses 172.16.0.1 and 172.16.0.2, trusted...]
Peer Mode Transform
------ ---- ---- ---------
Black Box 172.14.0.2 Main P1 pre-g1-3des-sha
Blackbox>
Step 7: Configure IPSec tunnel to the remote host
Black Box1/configure/crypto> ipsec policy Black Box2 172.16.0.2
Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2> match address 10.0.1.0 24 10.0.2.0 24...
For IPSec only – when you create an outbound tunnel, an inbound tunnel is automatically created. The inbound tunnel applies the name that you provide for the outbound tunnel and adds the prefix “IN” to the name.
Black Box1/configure/firewall corp/policy 1000 in> exit
Black Box1/configure/firewall corp> exit
Step 8.5: Display firewall policies in the corp map (applicable only if the firewall license is enabled)
Black Box1> show firewall policy corp
Advanced: S - Self Traffic, F - Ftp-Filter, H - Http-Filter,...
Black Box1> show firewall policy corp detail
Policy with Priority 1000 is enabled, Direction is inbound
Action permit, Traffic is transit
Logging is disable
Source Address is 10.0.2.0/24, Dest Address is 10.0.1.0/24
Source Port is any, Dest Port is any, any...
As a result of quick mode negotiation, the two routers are expected to converge on a mutually acceptable proposal, which is the proposal “IPSec ESP with AES (256-bit) and HMAC-SHA1” in this example.
[Figure 10: Tunnel Mode Between Two Black Box Security Gateways - Multiple Proposals; gateway addresses 172.16.0.1 and 172.16.0.2...]
Blackbox> show crypto interfaces
Interface Network Name Type
--------- -------
wan1 Untrusted
ethernet0 trusted
Blackbox>
Step 4: Add route to peer LAN
Black Box1/configure> ip route 10.0.2.0 24 wan1
Step 5: Configure IKE to the peer gateway
Black Box1/configure>...
The following example demonstrates how to configure a Black Box router to be an IPSec VPN server using the user group method with extended authentication (XAUTH) for remote VPN clients. The client could be any standard IPSec VPN client.
Step 2: As in Step 2 of Example 1
Step 3: As in Step 3 of Example 1
Step 4: Configure dynamic IKE policy for a group of mobile users
Black Box1/configure> crypto
Black Box1/configure/crypto> dynamic
Black Box1/configure/crypto/dynamic>...
Example 4: IPSec remote access
Black Box1/configure/crypto/dynamic> ipsec policy sales
Black Box1/configure/crypto/dynamic/ipsec/policy sales> match address 10.0.1.0 24
Default proposal created with priority1-esp-3des-sha1-tunnel and activated.
Black Box1/configure/crypto/dynamic/ipsec/policy sales> proposal 1
Black Box1/configure/crypto/dynamic/ipsec/policy sales/proposal 1> encryption-algorithm aes256-cbc
Black Box1/configure/crypto/dynamic/ipsec/policy sales/proposal 1> exit
Black Box1/configure/crypto/dynamic/ipsec/policy sales>...
Black Box1> show crypto dynamic ipsec policy all detail
Policy sales is enabled, User group name sales
Direction is outbound, Action is Apply
Key Management is Automatic
PFS Group is disabled
Match Address:
Protocol is Any
Source ip address (ip/mask/port): (10.0.1.0/255.255.255.0/any)
Example 4: IPSec remote access
Black Box1/configure> firewall internet
Black Box1/configure/firewall internet> policy 1000 in service ike self
Black Box1/configure/firewall internet/policy 1000 in> exit
Black Box1/configure/firewall internet> exit
Step 12: Display firewall policies in the internet map (applicable only if the firewall license is enabled)
Black Box1>...
4.1 Example 5: IPSec remote access to corporate LAN using mode configuration method
The following example demonstrates how to configure a Black Box router to be an IPSec VPN server using the mode-configuration method. The client could be any standard mode-configuration-enabled IPSec VPN client.
Example 5: IPSec remote access
[Figure: mode configuration topology. VPN Client 1: local outer address dynamic, local inner assigned address 10.0.1.100/32, local ID david@tasmannetworks. (truncated on the page), domain blackbox.com. VPN Client 2: local outer address dynamic, local inner assigned address 10.0.1.101/32. Black Box 1 (Tasman #1, VPN server, mode config): 172.16.0.1, Corporate Headquarters...]
Black Box1> show crypto dynamic ike policy all
Policy Remote-id Mode Transform Address-Pool
------ --------- ---- --------- ------------
sales U david@BlackBox... Aggressive P1 pre-g1-3des-sha1 1 S 20.1.1.100 E20.1.1.150
Step 6: Display dynamic IKE policies in detail
Black Box1>...
Example 5: IPSec remote access
Black Box1> show crypto dynamic ipsec policy all detail
Policy sales is enabled, Modeconfig Group
Action is Apply
Key Management is Automatic
PFS Group is disabled
Match Address:
Protocol is Any
Source ip address (ip/mask/port): (10.0.1.0/255.255.255.0/any)
Destination ip address (ip/mask/port): (any/any/any)
Proposal of priority 1
Protocol: esp...
Black Box1> show firewall policy internet detail
Policy with Priority 1000 is enabled, Direction is inbound
Action permit, Traffic is self
Logging is disable
Source Address is any, Dest Address is any
Source Port is any, Service Name is ike...
Example 5: IPSec remote access
Black Box1> show firewall policy corp detail
Policy with Priority 1000 is enabled, Direction is inbound
Action permit, Traffic is transit
Logging is disable
Source Address is 20.1.1.100-20.1.1.150, Dest Address is 10.0.1.0/24
Source Port is any, Dest Port is any, any
Schedule is disabled, Ftp-Filter is disabled
Smtp-Filter is disabled, Http-Filter is disabled
Rpc-Filter is disabled, Nat is disabled...
Specifications
5.1 IPSec Appendix
This appendix provides information about IPSec supported protocols and modes, encryption algorithms and block sizes, and Black Box IPSec and IKE default values.
IPSec Supported Protocols and Algorithms
The following tables provide supported protocol and algorithm information.
Group 2: 1024 bits
5.1.1 Black Box IKE and IPSec Defaults
To minimize the configuration required by the user, default IKE and IPSec values have been implemented in Black Box’s encryption scheme.
5.1.1.1 IKE Defaults
The following table lists IKE defaults. When the user creates an IKE policy specifying an IKE peer, an IKE proposal with priority 1 is automatically created.
IPSec Appendix
Figure 12 IPSec Default Values (Parameter Name: Black Box Default Value)
Key management type: Automatic
Hash algorithm: SHA1
Encryption algorithm: 3DES
Protocol Mode: Tunnel
Lifetime: 3600 seconds
Direction:
Position in SPD where policy added: End
Perfect forward secrecy: ...
Specific IPMux Routes 6.1.2 Proxy ARP and Packet Forwarding In the simple network example below, router 1, router 2, and both Black Box Ethernets are on a single 29-bit IP subnet. Consider the sequence that occurs when router 1 pings router 2.
200.1.1.3/29 Router 1 broadcasts an ARP request for 200.1.1.1. Black Box 1 recognizes that router 200.1.1.1 is reachable via its WAN interface, based on a configured IP route. Black Box 1 Proxy ARPs, responding with the MAC address mapped to bundle WAN1.
Router/DSU 192.1.1.7/28
6.1.5 Split Subnet
This is similar to the single subnet scheme in that all four routers are in the same 28-bit subnet, but the Black Box products are on smaller, 30-bit subnets.
Table 7 Split Subnet Addressing
POP Router 192.1.1.1/28...
This approach relies on configuring the POP router with a secondary Ethernet address for each remote site. The remote router is also configured with a secondary address in that same subnet. The 30-bit approach uses reserved addresses for bundle addressing. The router primary and the directly connected Black Box reside in a different 30-bit subnet.
Table 9 30-Bit Secondary Addressing
POP Router 200.1.1.1/30 primary...
Table 10 Addressing Schemes: Pros and Cons (Approach / Pros / Cons)
Single Subnet / Minimizes consumption of IP address space. / POP Black Box requires two route statements per remote connection.
Split Subnet / Less routes required in Black... / Consumes 29-bit subnet per remote site.
7.1 Connecting a Black Box Router to a Router/CSU via HDLC
The following diagram details a single T1 connection between a Black Box and a remote router/CSU combination. Secondary IP addressing is used for IP multiplexing.
[Figure 15: IP Multiplexing Application; 10.1.1.2/24...]
Site 1 utilizes a Black Box LR1114A communicating over a 4 x T1 WAN bundle. Site 2 utilizes a Black Box LR1114A communicating over a 2 x T1 WAN bundle. Site 3 utilizes a router/T1 CSU combination to communicate over a single
This example focuses on the main site Black Box LR1104A; refer to other configuration examples for details on remote site configurations.
203.1.1.1/24 The main site Black Box LR1104A is configured with three WAN bundles. Each bundle has a unique name and an IP address from a unique WAN subnet associated with it. The main site router is configured with the following IP...
Configuring Multiple PPP and
8.1.1 Configure the Black Box LR1104A at the Main Site
MainLR1104A/configure> interface ethernet 0
MainLR1104A/configure/interface/ethernet> ip addr 200.1.1.2 255.255.255.0
MainLR1104A/configure/interface/ethernet> exit
MainLR1104A/configure> module ct3 1
MainLR1104A/configure/module/ct3> t1 1-4 esf b8zs line gen_det description "4 x T1 to Site 1"...
SITE 2 Site 1 uses a Black Box LR1114A system to establish a 6 Mbps MLPPP connection (four T1 lines) to the main site. In this example, MLPPP segmentation is configured lower than the default setting of 512 bytes, and the differential delay tolerance is tighter than the default 128 milliseconds.
Blackbox/configure/interface/bundle> mlppp seg_threshold LR1114A differential_delay
Blackbox/configure/interface/bundle> ip addr 192.168.1.2 255.255.255.0
Blackbox/configure/interface/bundle> exit
9.1.2 PPP and MLPPP Configuration
9.1.2.1 Configure the Black Box LR1104A System at the Main Site
Blackbox/configure> interface bundle ToSite1
Blackbox/configure/interface/bundle> link ct3 1 5-8
Blackbox/configure/interface/bundle> encap ppp
Blackbox/configure/interface/bundle>...
Just as virus protection software requires updates to protect against the latest intrusion attacks, firewalls must be updated. In this release of Black Box software, administrators are able to filter traffic on specific ports, protect against Denial of Services attacks, enable IP packet reassembly, and so forth.
A typical and basic firewall implementation is one which protects traffic to and from a network, a server farm, and the Internet. In this example, the firewall features in the Black Box router will protect the CORP network and the server farm in the DMZ from unauthorized access from the Internet.
10.2.1 Stopping DoS Attacks
The following commands show how to configure the firewall to defend against Denial of Service (DoS) attacks. Black Box provides protection against FTP bounce, ICMP error checks, IP sequence number checks, unaligned timestamps, MIME flooding, source routing checks, SYN flooding, and WIN nuke attacks.
Black Box system’s public IP address, a source port allocated from its list of available ports, and the same destination IP address and port number generated by the PC. The Black Box system also adds an entry into a table it keeps, which maps the internal address and source port number that the PC generated against the port number it allocated to this session.
NAT IP address from 60.1.1.1 to 60.1.1.2. In case of many-to-many NAT, only IP address translation takes place, i.e., if a packet travels from 10.1.1.1 to yahoo.com, Black Box-Firewall only substitutes the source address in the IP header with one of the NAT IP address and the source port will be the same as the original.
10.4.2 Static NAT (one to one)
[Figure 20: Static NAT; inside hosts 10.1.1.1, 10.1.1.2 and 10.1.1.3 behind the OPAL router, translated to 50.1.1.1-50.1.1.3 toward the Internet]
In static (one-to-one) NAT, for each IP address in the corporate network one NAT IP address is used. For example, for the three IP addresses from 10.1.1.1 to 10.1.1.3, there is a set of three NAT IP addresses from 50.1.1.1 to 50.1.1.3.
NAT allows multiple IP addresses to be mapped to one address. There are two methods to configure Port Address Translation (PAT) on the Black Box gateway. In the first method, specify the IP address to the nat-ip parameter in the policy command. In the second method, create a pool of type PAT and then attach it to the policy.
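The three translation behaviours the last few sections describe (the PAT session table that maps an inside address and port to an allocated source port, many-to-many translation that swaps only the address and keeps the original port, and static one-to-one translation where ports map across unchanged) differ mainly in what the reverse lookup for a returning packet can find. The following added example, written for this guide rather than taken from Black Box firmware, models all three in one class; the addresses 10.1.1.1-10.1.1.3, 50.1.1.1-50.1.1.3, 60.1.1.1-60.1.1.2 and 50.1.1.5 are the guide's, the remote address 203.0.113.10 and the port range are constructed. The behaviour to note is in `inbound`: under PAT and many-to-many an inbound packet with no matching table entry has nowhere to go and is dropped, while static NAT reaches the inside host even without a prior session.

```python
import itertools
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]


class Translator:
    """Outbound source translation plus the reverse table used for returning packets.

    mode "static":       one inside address <-> one NAT address, port unchanged, both directions
    mode "many-to-many": address-only translation from a pool, port unchanged (address per host)
    mode "pat":          one NAT address, a fresh source port allocated per session
    """

    def __init__(self, mode: str, pool: List[str], inside: Optional[List[str]] = None,
                 port_range: Tuple[int, int] = (1024, 65535)):
        self.mode = mode
        self.pool = list(pool)
        self.static: Dict[str, str] = dict(zip(inside or [], self.pool))
        self.static_rev = {nat: host for host, nat in self.static.items()}
        self.leases: Dict[str, str] = {}             # many-to-many: inside host -> pool address
        self.ports = itertools.count(port_range[0])  # PAT: next free source port
        self.port_max = port_range[1]
        # session key (inside ip, inside port, dst ip, dst port) -> (nat ip, nat port)
        self.sessions: Dict[Tuple[str, int, str, int], Endpoint] = {}
        # reverse key (nat ip, nat port, dst ip, dst port) -> (inside ip, inside port)
        self.reverse: Dict[Tuple[str, int, str, int], Endpoint] = {}

    def _lease_address(self, src_ip: str) -> str:
        if src_ip not in self.leases:
            free = [a for a in self.pool if a not in self.leases.values()]
            if not free:
                raise RuntimeError("NAT pool exhausted")
            self.leases[src_ip] = free[0]
        return self.leases[src_ip]

    def outbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Endpoint:
        """Translate the source of a packet leaving the corporate network; records the session."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key in self.sessions:
            return self.sessions[key]                # existing session keeps its mapping
        if self.mode == "static":
            if src_ip not in self.static:
                raise KeyError(f"no static mapping for {src_ip}")
            translated = (self.static[src_ip], src_port)
        elif self.mode == "many-to-many":
            translated = (self._lease_address(src_ip), src_port)
        elif self.mode == "pat":
            port = next(self.ports)
            if port > self.port_max:
                raise RuntimeError("PAT port range exhausted")
            translated = (self.pool[0], port)
        else:
            raise ValueError(f"unknown NAT mode {self.mode}")
        self.sessions[key] = translated
        self.reverse[(translated[0], translated[1], dst_ip, dst_port)] = (src_ip, src_port)
        return translated

    def inbound(self, nat_ip: str, nat_port: int, remote_ip: str, remote_port: int) -> Optional[Endpoint]:
        """Reverse-translate a packet arriving from the Internet; None means no entry, drop it."""
        hit = self.reverse.get((nat_ip, nat_port, remote_ip, remote_port))
        if hit is None and self.mode == "static" and nat_ip in self.static_rev:
            hit = (self.static_rev[nat_ip], nat_port)  # static: ports map 1:1 without a session
        return hit


if __name__ == "__main__":
    pat = Translator("pat", ["50.1.1.5"])
    print("PAT  :", pat.outbound("10.1.1.1", 40000, "203.0.113.10", 80))
    print("PAT  :", pat.outbound("10.1.1.2", 40000, "203.0.113.10", 80))
    print("back :", pat.inbound("50.1.1.5", 1025, "203.0.113.10", 80))
    print("stray:", pat.inbound("50.1.1.5", 9999, "203.0.113.10", 80))
```

Two inside hosts using the same source port 40000 are the case that shows why PAT needs the table: both leave as 50.1.1.5 and are told apart only by the allocated port.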
Blackbox/configure> firewall corp
Blackbox/configure/firewall corp> object
Blackbox/configure/firewall corp/object> nat-pool addresspoolPat pat 50.1.1.5
Blackbox/configure/firewall corp/object> exit
Blackbox/configure/firewall corp> policy 2 out address 10.1.1.1 10.1.1.3 any any
Blackbox/configure/firewall corp/policy 2 out> apply-object nat-pool addresspoolPat
Blackbox/configure/firewall corp/policy 2 out> exit
2...
Modulo-N, Hash Threshold, and HRW are not disruptive. RFC 2991 recommends using the HRW method to select the next hop for multicast packet forwarding. For this reason, Black Box-only scenarios apply the HRW method as the default. This is similar to the Cisco Systems IPv6 multicast multipath implementation.
<addr> - source or RP address
When multipath is disabled, Black Box selects the next-hop address with the lowest IP address. For equal-cost routes the next hops are stored in increasing (ascending) order of IP address. The show ip rpf command displays the selected path, based on the configured multipath method and the next hops of the best route to the IP address passed.
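To make the difference between the selection methods concrete, the following added example (written for this guide; it is not Black Box code and the hash function it uses is an assumption, since the page does not say which one the router implements) implements the lowest-IP choice used when multipath is disabled, Modulo-N, and Highest Random Weight as RFC 2991 defines it, and measures how many flows are moved needlessly when one equal-cost next hop disappears. The next-hop and source addresses are constructed sample data. Two details matter for correctness: the lowest-IP rule must compare addresses numerically, not as strings (10.0.0.9 sorts before 10.0.0.10), and HRW weights each (address, next hop) pair independently, which is what keeps flows on surviving hops in place.

```python
import hashlib
import ipaddress
from typing import Callable, List


def _numeric(nh: str) -> int:
    return int(ipaddress.IPv4Address(nh))


def lowest_ip(addr: str, nexthops: List[str]) -> str:
    """Multipath disabled: equal-cost next hops are kept in ascending numeric order, first wins."""
    return min(nexthops, key=_numeric)


def _h(*parts: str) -> int:
    # Illustrative hash (assumption): SHA-256 over the packed addresses, truncated to 64 bits.
    data = b"".join(ipaddress.IPv4Address(p).packed for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")


def modulo_n(addr: str, nexthops: List[str]) -> str:
    """Modulo-N: hash the source/RP address and index into the sorted next-hop list."""
    ordered = sorted(nexthops, key=_numeric)
    return ordered[_h(addr) % len(ordered)]


def hrw(addr: str, nexthops: List[str]) -> str:
    """Highest Random Weight (RFC 2991): weight every (address, next hop) pair, take the highest.
    Ties are broken toward the lower address so the choice is deterministic."""
    return max(nexthops, key=lambda nh: (_h(addr, nh), -_numeric(nh)))


Selector = Callable[[str, List[str]], str]


def needless_moves(select: Selector, addrs: List[str], before: List[str], after: List[str]) -> int:
    """Count flows whose next hop changed although the hop they were using is still available."""
    return sum(1 for a in addrs
               if select(a, before) in after and select(a, before) != select(a, after))


if __name__ == "__main__":
    hops = ["10.0.0.10", "10.0.0.9", "10.0.0.3"]          # constructed equal-cost next hops
    flows = [f"198.51.100.{i}" for i in range(1, 201)]    # constructed source addresses
    remaining = ["10.0.0.10", "10.0.0.9"]                 # 10.0.0.3 goes away
    for name, method in (("lowest-ip", lowest_ip), ("modulo-n", modulo_n), ("hrw", hrw)):
        print(f"{name:10s} needless moves: {needless_moves(method, flows, hops, remaining)}")
```

With HRW the count is always zero: a flow's next hop only changes when the hop it was using is the one removed. Modulo-N renumbers the list, so flows on the surviving hops can be reshuffled too, which is the disruption RFC 2991 warns about.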
Consider a PC on the LAN sending a packet destined for some.server.com. The source IP address and port are in the packet together with the destination IP address and port. When the packet arrives at the Black Box system it will be de-encapsulated, modified, and re-encapsulated.
Figure 22 illustrates dynamic and static NAT. The static translation between 192.168.1.6 and 100.1.1.6 automatically matches the port addresses, thus a request destined for 100.1.1.6 tcp port 25 is translated to 192.168.1.6 tcp port 25 and so on.
Network Address Translation
Figure 23 provides an example of static port mapping. TCP port 81 of the web server at private address 192.168.1.6 is mapped to the same TCP port of the public address.
[Figure 23: Mapping Ports; Internet side 100.1.1.1/29, LAN side 192.168.1.254/24, www server is running on TCP port 81...]
[Figure 24: Reverse NAT; Internet 100.1.1.1/29; Ethernet 1 199.7.3.2/24 with FTP, SMTP, HTTP server; Ethernet 0 192.168.1.254/24; www server running on TCP port 81; FTP, SMTP, HTTP server 192.168.1.6/24 on 10/100BaseT Ethernet...]
translation takes place, i.e., if a packet travels from 10.1.1.1 to yahoo.com, Black Box-Firewall only substitutes the source address in the IP header with one of the NAT IP addresses and the source port will be the same as the original.
NAT Configuration Examples
13.1.2 Static NAT (one to one)
[Figure 26: Static NAT; inside hosts 10.1.1.1, 10.1.1.2 and 10.1.1.3 behind the OPAL router, translated to 50.1.1.1-50.1.1.3 toward the Internet]
In static (one-to-one) NAT, for each IP address in the corporate network one NAT IP address is used. For example, for the three IP addresses from 10.1.1.1 to 10.1.1.3, there is a set of three NAT IP addresses from 50.1.1.1 to 50.1.1.3.
14.2.1 Remote Access: User Group One of the methods to achieve IPSec remote access in Black Box is the user group method. In this method, the administrator creates an IKE policy for a logical group of users such as a department in an organization. Each user in the group is identified with unique information that is uniquely configured in the IKE policy.
The following example demonstrates how to manage the Black Box gateway from a secure VPN management host. A typical application is a host at a remote site that wants to manage the Black Box router using SNMP, and wants to do so securely. The SNMP response that is generated in the Black Box router for a request from the management host is called self-generated traffic.
IPSec Remote Access User
[Figure 28: User Group Remote Access Configuration. VPN Client 2: local outer address dynamic, local ID admin@tasmannetworks.com. Black Box Tasman #1 VPN server 172.16.0.1, blackbox.com.]
To create the user group configuration enter:
Blackbox> configure term
Blackbox/configure> interface bundle wan
Blackbox/configure/interface/bundle wan> link t1 1-2...
14.5 IPSec Remote Access Mode Configuration Group Method The following example demonstrates how to configure a Black Box router to be an IPSec VPN server using mode-configuration method. The client could be any standard mode config enabled IPSec VPN client.
To configure the IKE policy for negotiating with VPN clients needing access to the corporate private network 10.0.1.0:
Blackbox/configure> crypto corp
Blackbox/configure/crypto> dynamic
Blackbox/configure/crypto/dynamic> ike policy IDCsales modecfg-group
Blackbox/configure/crypto/dynamic/ike/policy IDCsales> modeconfig-group
Blackbox/configure/crypto/dynamic/ike/policy IDCsales> local-address 172.16.0.1
To configure the user name (optional) for remote-id:
Blackbox/configure/crypto/dynamic/ike/policy IDCsales> remote-id email-id sampledata david@Blackbox.com
Blackbox/configure/crypto/dynamic/ike/policy IDCsales> remote-id email-id sampledata...
Networking with Routing Information Protocol
15.1 Routing Information Protocol
15.1.1 Configuring RIP for Ethernet 0 and WAN 1 Interfaces
LR1114A> configure terminal
LR1114A/configure> router rip
LR1114A/configure/router rip> interface ethernet0
LR1114A/configure/router rip/interface ethernet0> exit
LR1114A/configure/router rip> interface wan1
LR1114A/configure/router rip> exit
15.1.2 Displaying RIP Configuration
Execute show ip rip global to display RIP configuration information.
Figure 30 show ip rip global Command
>...
Figure 31 show ip rip interface all Command
> show ip rip interface all
RIP is configured for interface <ethernet0>
Mode: RIP 2
Metric: 5
Authentication: None
Split Horizon: Poison
Routers : None...
All Black Box systems support IP routing utilizing static routes. The following diagram shows a remote Black Box “A” connected over an MLPPP bundle to the main Black Box “B”. Black Box B in turn routes to the customer router.
16.1.1 Configure the Router at Site “A”
Blackbox> configure term
Blackbox/configure> interface ethernet 0
Blackbox/configure/interface/ethernet> ip addr 198.1.1.1 255.255.255.0
Blackbox/configure/interface/ethernet> exit
Blackbox/configure> interface bundle wan1
Blackbox/configure/interface/bundle> link t1 1-2
Blackbox/configure/interface/bundle> encap ppp
Blackbox/configure/interface/bundle> ip addr 10.1.1.1 255.255.255.252
Blackbox/configure/interface/bundle>...
Routing
17.1 OSPF Routing Protocol
The following example shows a Black Box LR1114A connected to a router over a single T1 link. IP addresses 10.10.10.0, 20.20.20.0, and 30.30.30.0 are assigned to area 760.
[Figure 33: Configuring OSPF Between a Black Box LR1114A System and a Router; 10.10.10.0/24...]
----------
The metric shows a value of 2. By default, Black Box assigns a cost value of 1 to all interfaces. The cost can be changed by entering it under the appropriate interface in the OSPF command tree structure. For example:
LR1114A/configure>...
18.2 Installing Licenses
There are three licenses that control access to the features:
Basic VPN Management (vpn_mgmt): allows users to manage a remote Black Box router.
Firewall (firewall): allows users to manage the firewall features. Also includes Basic VPN Management.
Blackbox/configure> system licenses ?
NAME
licenses - Configure feature upgrade licenses
SYNTAX
licenses license_type <cr>
DESCRIPTION
license_type -- Specifies the type of feature upgrade license
The parameter may have any of the following values:...
GRE Configuration Examples
[Figure 36 (Fig 2): Simple GRE configuration; networks 40.1.1.0 and 10.3.1.0, tunnel endpoints 192.168.94.220 and 192.168.55.75]
18.3.1 Configuring Site to Site Tunnel
To configure GRE in a site to site tunnel configuration:
Step 1: Configure the interface.
Blackbox> configure terminal
Blackbox/configure> interface bundle wan1
Blackbox/configure/interface/bundle wan1>...
NOTE: The peer of a local WAN interface cannot be used as a tunnel destination.
Step 4: Verify that the tunnel is up and running. (If it is not, check the fields.)
Gateway Source Address
Blackbox>...
Configuring GRE Site to Site with
Step 5: Configure the Cisco side:
cisco> config t
cisco(config)# interface Ethernet2/0
cisco(config-if)# ip address 192.168.55.75 255.255.255.0
cisco(config-if)# exit
cisco(config)# interface Tunnel 0
cisco(config-if)# ip address 103.1.1.1 255.255.255.0
cisco(config-if)# tunnel source 192.168.55.75
cisco(config-if)# tunnel destination 192.168.94.220
cisco(config-if)# exit
cisco(config)# ip route 0.0.0.0 0.0.0.0 192.168.55.254
cisco(config)# ip route 10.3.1.0 255.255.255.0 Tunnel0
18.4 Configuring GRE Site to Site with IPSec
This example extends the first example by adding encryption to the tunnel.
This example extends the previous IPSec configuration example by enabling the Open Shortest Path First (OSPF) protocol, which provides redundant paths for the tunnel.
Step 1: To enable OSPF, add to the Black Box configuration above:
Blackbox> configure terminal
Blackbox/configure> router routerid 2.2.2.2
Blackbox/configure>...
Frame Relay
19.1 OSPF - Frame Relay
The following example shows OSPF running between a Black Box LR1112A and a router over a serial T1 link with back-to-back Frame Relay.
[Figure 37: OSPF Over a Single T1 with Frame Relay; 10 x T1 MLPPP, 10.10.10.0/24...]
There are two modes of PIM protocol – Dense mode (DM) and Sparse mode (SM). Black Box supports SM only. PIM-DM floods multicast traffic throughout the network initially and then generates prune messages as required.
Configure MRT Stale Multiplier: Blackbox/configure/ip/pim> mrt-stale-mult <number>
Configure MRT SPT Multiplier: Blackbox/configure/ip/pim> mrt-spt-multiplier <number>
Configure Probe Period: Blackbox/configure/ip/pim> probe-period <time>
Configure Registration suppression timeout: Blackbox/configure/ip/pim> register-suppress-timeout <time>
Configure DR to switch immediate: Blackbox/configure/ip/pim> dr-switch-immediate
Configure RP to switch immediate: Blackbox/configure/ip/pim> rp-switch-immediate...
20.1.2 PIM Configuration Examples
This section shows examples of how the PIM commands are used. To access PIM mode, enter:
Blackbox/configure/ip> pim
Blackbox/configure/ip/pim>
The following example enters the BSR mode.
Blackbox/configure/ip/pim> cbsr
Blackbox/configure/ip/pim/cbsr>
The following command sets Ethernet1 as the BSR interface.
Configure the threshold-dr option so that data from source S addressed to group G must exceed an average of 1500 KBytes per second before a switch to the shortest-path tree (SPT) is initiated. If this router is the DR for the (S,G) pair, the same data must exceed an average of 1500 KBytes per second before the SPT switch is initiated.
To display information for all interfaces, enter:
Blackbox/configure> display ip pim interface all
To see all IP PIM interface information for Ethernet1, enter:
Blackbox/configure/ip/pim/interface ethernet1> display ip pim interface ethernet1
To display IP PIM statistics for ethernet1, enter:
Blackbox/configure/ip/pim/interface ethernet1>...
RPF. For these, mtrace relies on

Black Box Networks' implementation of the mtrace protocol is manageable through the CLI and can be executed from any command sub-tree of the Black Box CLI.
Maximum hops is set to 32 and TTL is set to 127 in all mtrace packets by default. For mtrace to work:
IGMP must be enabled in the router.
IGMP should be enabled on at least one interface.
The root class has no parent and is identified as root-out or root-in. There is no theoretical limit to the number of classes that can be created. The only limitation that can arise is due to available memory in the Black Box system.
22.1.2 Definitions
Committed Rate: Each traffic class can be assigned a CR parameter in Kbps. This is the amount of bandwidth that the class or flow is guaranteed at all times, even during congestion. The sum of the CRs for all classes in a given direction cannot exceed the access bandwidth of their parent class.
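The committed-rate rule is easy to violate once classes are nested several levels deep, so here is an added example (not code from the Black Box guide) that checks a class tree against it: every class other than root-out and root-in must have a parent, every class must chain up to one of those two roots (that is its direction), and in each direction the CRs of a parent's children must not add up to more than the parent's own CR, with the root's CR standing for the access bandwidth. The class names, the rates and the field names (cr_kbps, parent) are this example's own constructed sample data.

```python
"""Committed-rate (CR) consistency check for a traffic class tree.

Added example, not code from the Black Box guide. It applies the rule in the
definition above: per direction, the CRs of a parent's children must not exceed
the bandwidth of the parent, with root-out / root-in carrying the access
bandwidth. The class names, rates and field names are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

ROOTS = ("root-out", "root-in")


@dataclass(frozen=True)
class TrafficClass:
    name: str
    cr_kbps: int                  # committed rate; for a root, the access bandwidth
    parent: Optional[str] = None  # None is allowed only for root-out / root-in


def direction_of(name: str, by_name: Dict[str, TrafficClass]) -> Optional[str]:
    """Walk up the parent chain; return the root name, or None on a broken chain or cycle."""
    seen = set()
    while name in by_name and name not in seen:
        seen.add(name)
        cls = by_name[name]
        if cls.parent is None:
            return cls.name if cls.name in ROOTS else None
        name = cls.parent
    return None


def validate_class_tree(classes: List[TrafficClass]) -> List[str]:
    """Return a list of rule violations; an empty list means the tree is consistent."""
    problems: List[str] = []
    names = [c.name for c in classes]
    for dup in sorted(n for n in set(names) if names.count(n) > 1):
        problems.append(f"{dup}: defined more than once")
    by_name = {c.name: c for c in classes}
    children: Dict[str, List[TrafficClass]] = {}

    for cls in classes:
        if cls.parent is None:
            if cls.name not in ROOTS:
                problems.append(f"{cls.name}: only root-out/root-in may have no parent")
            continue
        if cls.parent not in by_name:
            problems.append(f"{cls.name}: unknown parent {cls.parent}")
            continue
        if direction_of(cls.name, by_name) is None:
            problems.append(f"{cls.name}: not attached to root-out or root-in")
        children.setdefault(cls.parent, []).append(cls)

    # The guarantee only holds if the parent can actually deliver what its children commit to.
    for parent_name, kids in children.items():
        parent = by_name[parent_name]
        total = sum(k.cr_kbps for k in kids)
        if total > parent.cr_kbps:
            problems.append(
                f"{parent_name}: children commit {total} Kbps but only {parent.cr_kbps} Kbps is available")
    return problems


def sample_tree(web_cr: int) -> List[TrafficClass]:
    """Constructed sample: one T1 (1536 Kbps) outbound, split into voice and data,
    with data further split into web and mail."""
    return [
        TrafficClass("root-out", 1536),
        TrafficClass("voice", 512, "root-out"),
        TrafficClass("data", 1024, "root-out"),
        TrafficClass("web", web_cr, "data"),
        TrafficClass("mail", 400, "data"),
    ]


if __name__ == "__main__":
    for cr in (600, 700):
        print(f"web CR {cr} Kbps:", validate_class_tree(sample_tree(cr)) or ["ok"])
```

With web at 600 Kbps the tree is consistent (voice + data = 1536 fills the T1 exactly, web + mail = 1000 fits inside data's 1024); raising web to 700 Kbps overcommits the data class by 76 Kbps, and the checker reports that parent rather than the child, because the parent's bandwidth is what the rule is stated against.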
The illustration above shows two customers connected to an aggregation/IP services router using a Black Box LR1104A. All packets coming into the Black Box LR1104A on the single T1 bundle are tagged with VLAN ID 5. All packets coming across the 4 T1 bundle from DC are tagged with a VLAN tag of 10.
In this example application, the POP router is configured with the following three sub-interfaces: 205.1.1.1, 205.1.1.5 and 10.1.1.5.
23.1.1 Reston configuration: Black Box LR1104A
LR1104A/configure> hostname reston
reston/configure> no ftp_server
reston/configure> no autoconf
23.1.1.1 Configure interface bundle balt1
reston/configure>...
For this configuration, a third IP address is utilized for the failover path. The Black Box LR1114A is configured for failover on E0. When E0 loses link connectivity, it fails over to E1 and continues to pass traffic. When E0 recovers, traffic is switched back.
The Black Box LR1114A is connected to a router via a bundle "WAN" (T1 PPP bundle) in IPMux mode. To manage the Black Box LR1114A from the switch during normal mode, ping, telnet, or snmp to the Ethernet 0 IP address;...
25.1.2 Bundle Configuration Configuration of an interface bundle is required for use of any of the Black Box system WAN interfaces. Multiple physical interfaces may be linked to a single interface bundle; multi-link protocols, including MLPPP and Multilink Frame Relay, make use of NxT1 interfaces to create single logical interfaces.
Configure a Fractional T1 HDLC Bundle
Blackbox/configure> interface bundle demo1
Blackbox/configure/interface/bundle> link t1 3:1-3,8-10
Blackbox/configure/interface/bundle> encap hdlc
Blackbox/configure/interface/bundle> ip addr 10.1.1.1 255.255.255.252
Blackbox/configure/interface/bundle> exit
27.1.3 T1
The following example creates a 1536 Kbps T1 bundle utilizing T1 number 4. This bundle uses IP unnumbered.
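The link specification in the fractional example above ("3:1-3,8-10") names a T1 port and a list of DS0 channels, and the bundle's bandwidth follows from how many DS0s it collects (64 Kbps each, 24 per T1, so 1536 Kbps for the full T1 in 27.1.3). Here is an added example (not code from the Black Box guide) that parses that form, computes the bundle rate, and keeps a per-port record of which bundle owns each DS0 so the same channel is not handed to two bundles. It assumes that a bare port number means all 24 DS0s of that T1; the guide's exact syntax for a full T1 is not shown on this page, so that reading is an assumption, as are the function and class names.

```python
"""Parse 'link t1 <port>:<channels>' specifications and compute bundle bandwidth.

Added example, not code from the Black Box guide. It assumes the syntax shown in
the fractional-T1 example above: <port>:<ds0-list>, where the list is comma-
separated single channels or low-high ranges. A bare <port> is taken to mean all
24 DS0s (an assumption; the guide's full-T1 form is not shown here). DS0 = 64 Kbps.
"""
import re
from typing import Dict, List, Set, Tuple

DS0_KBPS = 64
DS0_PER_T1 = 24
_SPEC = re.compile(r"^(\d+)(?::([0-9,\-]+))?$")


def parse_t1_link(spec: str) -> Tuple[int, Set[int]]:
    """'3:1-3,8-10' -> (3, {1, 2, 3, 8, 9, 10}); '4' -> (4, {1, ..., 24}).
    Rejects malformed lists and channels outside 1..24."""
    m = _SPEC.match(spec.strip())
    if not m:
        raise ValueError(f"malformed link spec {spec!r}")
    port = int(m.group(1))
    if m.group(2) is None:
        return port, set(range(1, DS0_PER_T1 + 1))
    channels: Set[int] = set()
    for part in m.group(2).split(","):
        lo, hi = part.split("-", 1) if "-" in part else (part, part)
        if not (lo.isdigit() and hi.isdigit()):
            raise ValueError(f"malformed channel range {part!r} in {spec!r}")
        start, end = int(lo), int(hi)
        if not 1 <= start <= end <= DS0_PER_T1:
            raise ValueError(f"channel range {part!r} outside 1-{DS0_PER_T1}")
        channels.update(range(start, end + 1))
    return port, channels


def is_valid_link_spec(spec: str) -> bool:
    """True if parse_t1_link() accepts the specification."""
    try:
        parse_t1_link(spec)
        return True
    except ValueError:
        return False


def bundle_rate_kbps(link_specs: List[str]) -> int:
    """Bandwidth of a bundle built from the given T1 link specs (64 Kbps per DS0)."""
    return sum(len(parse_t1_link(s)[1]) for s in link_specs) * DS0_KBPS


class Ds0Allocator:
    """Records which bundle owns each (port, DS0). assign() returns the channels that
    already belong to another bundle and records the assignment only when there are none."""

    def __init__(self) -> None:
        self.owner: Dict[Tuple[int, int], str] = {}

    def assign(self, bundle: str, spec: str) -> List[Tuple[int, int, str]]:
        port, channels = parse_t1_link(spec)
        clashes = [(port, c, self.owner[(port, c)]) for c in sorted(channels)
                   if self.owner.get((port, c), bundle) != bundle]
        if not clashes:
            for c in channels:
                self.owner[(port, c)] = bundle
        return clashes


if __name__ == "__main__":
    print("demo1 (3:1-3,8-10):", bundle_rate_kbps(["3:1-3,8-10"]), "Kbps")
    print("full T1 on port 4:", bundle_rate_kbps(["4"]), "Kbps")
    alloc = Ds0Allocator()
    alloc.assign("demo1", "3:1-3,8-10")
    print("demo2 wants 3:2-5:", alloc.assign("demo2", "3:2-5") or "no conflict")
```

The fractional bundle above resolves to six DS0s, i.e. 384 Kbps, and a second bundle asking for channels 2-5 on the same port is refused on channels 2 and 3; re-assigning a bundle's own channels is treated as a no-op rather than a conflict.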
The management VLAN feature provides in-band communication with the Black Box systems as well as the Ethernet switches while remaining separate from customer traffic. The Black Box systems will examine the destination IP address of any packets received on the management VLAN. If the destination is the Black Box, the address of the...
VLAN. When the Black Box system generates traffic onto the management VLAN, an ARP request is sent in the direction of the VLAN's default route. If no default route is configured, the ARP request is sent out every possible interface, and the interface that receives the reply is cached along with that reply. In that case whichever host answers first on any of those segments decides where the management traffic goes, so a default route for the management VLAN should be configured rather than relying on this behavior.
A customer desiring to implement DTE-to-DTE MFR can use the architecture illustrated in Figure 1. The normal ordering process can be used to obtain the frame relay T1s. From the perspective of the CPE, the Black Box LR1114As combine those different frame relay PVCs into a consolidated, larger pipe.
The above configuration does not include statements for policing and traffic shaping, so all PVCs are given the full CIR for the interface. Once the AVC is configured, the Black Box systems can be configured for transparent IP multiplexing or for static routing. These details are omitted.
CONFIGURING FRAME RELAY AND MULTILINK FRAME RELAY
28.1 Layer Two Configurations FR and MFR
Figure 45 outlines a Multilink Frame Relay (MFR) configuration with three sites. PVC 16 connects Site 1 to Site 3, while PVC 31 connects Site 2 to Site 3. The Frame Relay switching equipment is represented simply as a Frame cloud.
Figure 45 MFR Configuration [diagram; labels visible in the figure include "LR1114A SITE 1"...]
28.1.2 MFR Configuration The 4 x T1 MFR bundle between the LR1104A and the Black Box connects two Frame Relay switches, therefore it represents an NNI interface. The sample configuration defines the 4 x T1 bundle to be of Class C; that is, a minimum of 2 T1 links are required to be up in order to keep the bundle up.
An LR1114A at Site 2 serves as the Frame Relay termination point, connecting the Site 2 IP network to the LR1104A. This MFR bundle utilizes 2 T1 links for an approximate 3 Mbps bandwidth. Since it is the Frame Relay terminating point and is defined as a DTE frame relay interface, an IP address is assigned to the WAN bundle.