Black Box LR11xx Series Router Configurations CUSTOMER SUPPORT INFORMATION Order toll-free in the U.S. 24 hours, 7 A.M. Monday to midnight Friday: 877-8
Black Box LR11xx Series Router Configurations Guide 10 Configure the LR1104A LR1104A at Site 1 ... 141 Configure the LR110
Black Box LR11xx Series Router Configurations Guide 102 To install the advanced VPN and firewall license and use all the security features available in
GRE Configuration Examples 103 Figure 36 Fig 2 Simple GRE configuration 18.3.1 Configuring Site to Site Tunnel To configure GRE in a site to site tunnel c
Black Box LR11xx Series Router Configurations Guide 104 NOTE: The peer of a local WAN interface cannot be used as a tunnel destination. Step 4: Verify that
Configuring GRE Site to Site with 105 Step 5: Configure the Cisco side: 18.4 Configuring GRE Site to Site with IPSec This example extends the first exampl
Black Box LR11xx Series Router Configurations Guide 106 Step 5: Check the status of the tunnel by entering: Blackbox> show ip interface tunnel t0 Step
19 CONFIGURING OSPF AND FRAME RELAY 19.1 OSPF - Frame Relay The following example shows OSPF running between a Black Box LR1112A and a router over a seria
Black Box LR11xx Series Router Configurations Guide 108 19.1.1 Configuring the host name LR1112A> configure terminal LR1112A/configure> hostname LR11
20 CONFIGURING PROTOCOL INDEPENDENT MULTICASTING ROUTING 20.1 PIM Configuration Protocol Independent Multicast (PIM) protocols route multicast packets to m
Black Box LR11xx Series Router Configurations Guide 110 Configure MRT Stale Multiplier Blackbox/configure/ip/pim> mrt-stale-mult <number> Configu
PIM Configuration 111 The show and debug PIM commands are: Configure PIM interface assert holdtime Blackbox/configure/ip/pim/interface wan1> assert-hol
1 DHCP RELAY 1.1 DHCP Relay This application describes the functionality of the DHCP relay feature and includes CLI command examples. 1.1.1 Feature Overvie
Black Box LR11xx Series Router Configurations Guide 112 20.1.2 PIM Configuration Examples This section shows examples of how the PIM commands are used. To
PIM Configuration 113 To configure the threshold-dr option such that the data from S addressed to G must exceed an average of 1500 KBytes per second bef
Black Box LR11xx Series Router Configurations Guide 114 To display information for all interfaces, enter: Blackbox/configure> display ip pim interface
PIM Configuration 115 Blackbox/configure> display ip pim timers PIM Timers: Hello Interval: 145 Hello Hold Time: 60 Hello Priorit
21 MTRACE CONFIGURATION 21.1 Multicast Traceroute Facility With multicast distribution trees, tracing from a source to a multicast destination is difficu
Black Box LR11xx Series Router Configurations Guide 118 Maximum hops is set to 32 and TTL is set to 127 in all mtrace packets as default. For mtrace to w
22 CONFIGURING QUALITY OF SERVICE ROUTING 22.1 Configuring QoS Black Box QoS ensures bandwidth guarantees throughout the system by implementing Random Ear
Black Box LR11xx Series Router Configurations Guide 120 22.1.2 Definitions Committed Rate Each traffic class can be assigned a CR parameter in Kbps. This
Configuring QoS 121 Configuration for the example in Figure 38: 22.1.3.1 Create bundle AppTest LR1104A/configure> interface bundle AppTest LR1104A/confi
Black Box LR11xx Series Router Configurations Guide 14 Figure 2 BOOTP Requests 1.1.2.2 BOOTP Replies BOOTP replies are messages from the server to the cl
Black Box LR11xx Series Router Configurations Guide 122 Figure 39 Assigning VLAN Identifiers Configuration for Figure 39: 22.1.4.1 Create bundle VLANtest
Configuring QoS 123 22.1.5.1 Configuring bulk statistics LR1104A/configure/.../qos> bulk_stats_ftp Primary FTP server: 10.1.3.1 Secondary FTP server: 10
23 VIRTUAL LAN TAGGING 23.1 Managing Traffic with VLAN Tagging Figure 41 Aggregation Using VLAN Tagging The illustration above shows two customers connec
Black Box LR11xx Series Router Configurations Guide 126 In this example application, the POP router is configured with the following three sub-interface
Managing Traffic with VLAN Tag- 127 23.1.1.5 Configure ip routing reston/configure> ip reston/configure/ip> route 205.1.1.0 255.255.255.0 ethernet0
24 MANAGING REDUNDANT CONNECTIONS 24.1 Trunk Group/Failover Redundant connections are often required between Black Box systems and the switches to which t
Black Box LR11xx Series Router Configurations Guide 130 The Black Box LR1114A is connected to a router via a bundle “WAN” (T1 PPP bundle) in IPMux mod
25 WAN INTERFACE CONFIGURATIONS 25.1 T1 Interface Configuration Black Box systems are available with T1 WAN interfaces. Consult the Black Box System Inst
DHCP Relay 15 Blackbox> configure terminal Blackbox/configure> interface ethernet 0 Blackbox/configure/interface/ethernet 0> dhcp server_address
Black Box LR11xx Series Router Configurations Guide 132 Configure a Fractional T1 HDLC Bundle Blackbox/configure> interface bundle demo1 Blackbox/conf
26 VIRTUAL LAN FORWARDING 26.1 Managing VLAN Traffic Figure 43 VLAN Forwarding: Multi-Tenant Internet Access The example above shows each multi-tenant cu
Black Box LR11xx Series Router Configurations Guide 134 packet will be forwarded to the IP layer for local processing. If the address does not match the
Managing VLAN Traffic 135 26.1.1 POP configuration: Black Box LR1104A LR1104A/configure> hostname POP-LR1104A POP-LR1104A/configure> no ftp_server POP
Black Box LR11xx Series Router Configurations Guide 136 26.1.2.1 Configure interface bundle uplink bldg1-LR1114A/configure> interface bundle uplink bld
27 MULTILINK FRAME RELAY 27.1 Multilink Frame Relay FRF.15 and FRF.16 Multilink Frame Relay (MFR) is actually composed of two standards: FRF.15 and FRF.16
Black Box LR11xx Series Router Configurations Guide 138 each end if necessary. The frame switches are configured for DLCIs 101, 102, and 103 on the resp
28 CONFIGURING FRAME RELAY AND MULTILINK FRAME RELAY 28.1 Layer Two Configurations FR and MFR Figure 45 outlines a Multilink Frame Relay (MFR) configuratio
Black Box LR11xx Series Router Configurations Guide 140 Figure 46 MFR Configuration Detail 28.1.1 FR Configuration A LR1104A LR1104A at Site 1 provides F
Layer Two Configurations FR 141 28.1.1.2 Configure the Clear Channel Bundle on the LR1104A Blackbox/configure> int bundle toFRSwit Blackbox/configure/
Black Box LR11xx Series Router Configurations Guide 16 Figure 7 Displaying Ethernet Interface Statistics 1.1.7 DHCP Limitations There are limitations whe
Black Box LR11xx Series Router Configurations Guide 142 A LR1104A LR1114A at Site 2 serves as the Frame Relay termination point, connecting the Site 2 I
© Copyright 2004. Black Box Corporation. All rights reserved.
2 CONFIGURING INTERNET GROUP MANAGEMENT PROTOCOL 2.1 IGMP Configuration Internet Group Management Protocol (IGMP) is enabled on hosts and routers that want
Black Box LR11xx Series Router Configurations Guide 18 2.1.1 IGMP Commands The IGMP commands are: ip igmp ignore-v1-messages ignore-v2-messages last-member
IGMP Configuration 19 Blackbox/configure/ip/igmp/interface ethernet0> ip igmp ignore-v2-messages Blackbox/configure/ip/igmp/interface ethernet0> ex
3 FILTERING IP TRAFFIC 3.1 IP Packet Filter Lists Black Box systems can be configured for IP traffic filtering capabilities. IP traffic filtering allows
Black Box LR11xx Series Router Configurations Guide 2 FEDERAL COMMUNICATIONS COMMISSION AND CANADIAN DEPARTMENT OF COMMUNICATIONS RADIO FREQUENCY INTERFERE
Black Box LR11xx Series Router Configurations Guide 22 Blackbox/configure/ip> apply_filter ether0 filtera in Blackbox/configure/ip> apply_filter WA
4 CONFIGURING SECURITY 4.1 IPSec Configurations This guide provides information and examples on how to configure IPSec. There are three licenses that contr
Black Box LR11xx Series Router Configurations Guide 24 4.2 Example 1: Managing the Black Box LR1104A Securely Over an IPSec Tunnel The following example
Example 1: Managing the Black 25 Blackbox> show crypto interfaces Interface NetworkName Type --------- ------- wan1 Untrus
Black Box LR11xx Series Router Configurations Guide 26 Step 10.1: Configure firewall policies to allow IKE negotiation through untrusted interface (appl
Example 1: Managing the Black 27 Black Box1> show firewall policy internet detail Policy with Priority 1000 is enabled, Direction is inbound Action per
Black Box LR11xx Series Router Configurations Guide 28 Black Box1/configure/crypto/> exit Black Box1/configure> snmp Black Box1/configure/snmp> c
Example 2: Single Proposal: Tun- 29 Black Box1/configure/interface/bundle wan1> link t1 1 Black Box1/configure/interface/bundle wan1> encapsulation
Black Box LR11xx Series Router Configurations Guide 30 For IPSec only – when you create an outbound tunnel, an inbound tunnel is automatically created.
Example 2: Single Proposal: Tun- 31 Black Box1> show firewall policy internet detail Policy with Priority 1000 is enabled, Direction is inbound Action
3 Normas Oficiales Mexicanas (NOM) Electrical Safety Statement SAFETY INSTRUCTIONS 1. All safety and operating instructions must be
Black Box LR11xx Series Router Configurations Guide 32 Black Box1> show firewall policy corp detail Policy with Priority 1000 is enabled, Direction is
Example 3: Multiple IPSec Pro- 33 Step 11: After transit traffic is passed through the tunnel, display the IKE and IPSec SA tables. Use the show crypto i
Black Box LR11xx Series Router Configurations Guide 34 Blackbox> show crypto interfaces Interface NetworkName Type --------- ------
Example 4: IPSec remote access 35 Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2/proposal 2> encryption_algorithm aes256-cbc Black Box
Black Box LR11xx Series Router Configurations Guide 36 Step 2: As in Step 2 of Example 1 Step 3: As in Step 3 of Example 1 Step 4: Configure dynamic IKE pol
Example 4: IPSec remote access 37 Black Box1/configure/crypto/dynamic> ipsec policy sales Black Box1/configure/crypto/dynamic/ipsec/policy sales> m
Black Box LR11xx Series Router Configurations Guide 38 Black Box1> show crypto dynamic ipsec policy all detail Policy sales is enabled, User group nam
Example 4: IPSec remote access 39 Black Box1/configure> firewall internet Black Box1/configure/firewall internet> policy 1000 in service ike self Bl
Black Box LR11xx Series Router Configurations Guide 40 Black Box1> show firewall policy corp Advanced: S - Self Traffic, F - Ftp-Filter, H - Http-Filt
Example 5: IPSec remote access 41 Step 1: As in Step 1 of Example 1 Step 2: As in Step 2 of Example 1 Step 3: As in Step 3 of Example 1 Step 4: Configure dyna
Black Box LR11xx Series Router Configurations Guide 4 16. The power cord must be disconnected when the equipment is not used for a long p
Black Box LR11xx Series Router Configurations Guide 42 Black Box1> show crypto dynamic ike policy all Policy Remote-id Mode Transform
Example 5: IPSec remote access 43 Black Box1> show crypto dynamic ipsec policy all detail Policy sales is enabled, Modeconfig Group Action is Apply Key
Black Box LR11xx Series Router Configurations Guide 44 Black Box1> show firewall policy internet detail Policy with Priority 1000 is enabled, Directio
Example 5: IPSec remote access 45 Black Box1> show firewall policy corp detail Policy with Priority 1000 is enabled, Direction is inbound Action permit
5 IPSEC SPECIFICATIONS 5.1 IPSec Appendix This appendix provides information about IPSec supported protocols and modes, encryption algorithms and block si
Black Box LR11xx Series Router Configurations Guide 48 Table 4 Diffie-Hellman Groups 5.1.1 Black Box IKE and IPSec Defaults To minimize configuration re
IPSec Appendix 49 Figure 12 IPSec Default Values. Parameter Name: Black Box Default Value. Key management type: Automatic. Hash algorithm: SHA1. Encryption algori
6 FORWARDING IP TRAFFIC 6.1 IP Multiplexing IP Multiplexing is a method for the transparent forwarding of IP packets between LAN and WAN interfaces. LAN t
Contents 5 Contents DHCP RELAY ... 13 DHCP Relay ...
Black Box LR11xx Series Router Configurations Guide 52 Figure 13 Proxy ARP and Packet Forwarding 1 Router 1 broadcasts an ARP request for 200.1.1.1. 2 Bl
IP Multiplexing 53 6.1.4 Single Subnet The emphasis in the single subnet approach is that all seven devices have interfaces in a single 28-bit subnet 192
Black Box LR11xx Series Router Configurations Guide 54 6.1.6 Secondary Addressing – POP Only Secondary addressing approaches rely on configuring the POP
IP Multiplexing 55 6.1.8 Secondary Addressing – 29 Bit This approach utilizes a 29-bit subnet for each remote connection. Within each 29-bit subnet is t
7 IP MULTIPLEXING HDLC CONFIGURATIONS 7.1 Connecting a Black Box Router to a Router/CSU via HDLC The following diagram details a single T1 connection betwe
Configuration Guide 58 7.1.1 Configure the Black Box LR1104A at Site 2 Site2-LR1104A> configure term Site2-LR1104A/configure> interface ethernet 0
8 IP MULTIPLEXING PPP AND MLPPP CONFIGURATIONS 8.1 Configuring Multiple PPP and MLPPP Bundles The following figure shows a Black Box LR1104A at the main si
Black Box LR11xx Series Router Configurations Guide 60 Figure 16 IP Multiplexing Application The main site Black Box LR1104A is configured with three W
Configuring Multiple PPP and 61 8.1.1 Configure the Black Box LR1104A at the Main Site MainLR1104A/configure> interface ethernet 0 MainLR1104A/configu
Black Box LR11xx Series Router Configurations Guide 6 Box Security Gateways ... 28 Exam
9 CONFIGURING PPP, MLPPP, AND HDLC 9.1 Layer Two Configurations: PPP, MLPPP, and HDLC Black Box systems may be configured for a variety of Layer 2 protocol
Black Box LR11xx Series Router Configurations Guide 64 9.1.1 MLPPP Configuration 9.1.1.1 Configure the Black Box LR1114A System at Site 1 Blackbox> con
10 CONFIGURING FIREWALLS 10.1 Firewalls Configuring firewalls allows administrators to adapt network protection policies to meet ever-changing hacker and
Black Box LR11xx Series Router Configurations Guide 66 10.2 Firewall Configuration Examples 10.2.1 Basic Firewall Configuration Figure 18 illustrates the
Firewall Configuration Ex- 67 Step 2: Create the security zones CORP and DMZ and attach interfaces: Step 3: Verify that the interfaces are attached to th
Black Box LR11xx Series Router Configurations Guide 68 Step 5: Verify the firewall policy for Security Zone CORP: Step 6: Verify that the HTTP filter obj
Firewall Configuration Ex- 69 Step 8: Verify the firewall policy for Security Zone DMZ Step 9: Verify that the FTP filter objects for Security Zone DMZ ar
Black Box LR11xx Series Router Configurations Guide 70 Blackbox/configure> show configuration running Please wait... (up to a minute) terminal exit te
Firewall Configuration Ex- 71 qos exit qos vrrp_mode 0 aaa exit aaa crypto trusted exit ethernet interface ethernet 1 ip a
Contents 7 NAT Configuration Examples ... 74 Dynamic NAT (many to many) ...
Black Box LR11xx Series Router Configurations Guide 72 multicast exit multicast route 0.0.0.0 0.0.0.0 wan 1 exit ip policy community_list exit
Firewall Configuration Ex- 73 10.2.1 Stopping DoS Attacks The following commands show how to configure the firewall to defend against Denial of Service (
Black Box LR11xx Series Router Configurations Guide 74 10.2.2 Packet Reassembly To configure the firewall to perform IP reassembly of oversized packets t
NAT Configuration Examples 75 10.4.1 Dynamic NAT (many to many) In dynamic (many-to-many) NAT type, multiple source IP addresses in the corporate network
Black Box LR11xx Series Router Configurations Guide 76 10.4.2 Static NAT (one to one) Figure 20 Static NAT In static (one-to-one) NAT type, for each IP a
NAT Configuration Examples 77 10.4.3 Port Address Translation (Many to one) Figure 21 Mapping Multiple NAT Addresses to One Public IP Address NAT all
Black Box LR11xx Series Router Configurations Guide 78 Blackbox/configure> firewall corp Blackbox/configure/firewall corp> object Blackbox/configur
11 MULTIPATH MULTICAST CONFIGURATIONS 11.1 Multipath Multicast The multicast multipath feature allows load balancing on multicast traffic across equal cost
Black Box LR11xx Series Router Configurations Guide 80 11.2 Multipath Commands The following table lists the multipath commands: When multipath is disabled
12 CONFIGURING NAT 12.1 Network Address Translation Network Address Translation (RFC 1631) is commonly known as NAT. This application discusses NAT and pr
Black Box LR11xx Series Router Configurations Guide 8 Configuring the host name ... 99 Configuri
Black Box LR11xx Series Router Configurations Guide 82 Figure 22 illustrates dynamic and static NAT. The static translation between 192.168.1.6 and 100.
Network Address Translation 83 Figure 23 provides an example of static port mapping. TCP port 81 of the web server at private address 192.168.1.6 is map
Black Box LR11xx Series Router Configurations Guide 84 Figure 24 Reverse NAT 12.1.6 Configuration for Figure 3 Blackbox> configure terminal Blackbox/co
13 NAT CONFIGURATION EXAMPLES 13.1 NAT Configurations Network Address Translation (NAT) was defined to serve two purposes: Allowed LAN administrators to
Black Box LR11xx Series Router Configurations Guide 86 translation takes place, i.e., if a packet travels from 10.1.1.1 to yahoo.com, Black Box-Firewall
NAT Configuration Examples 87 13.1.2 Static NAT (one to one) Figure 26 Static NAT In static (one-to-one) NAT type, for each IP address in the corporate ne
Black Box LR11xx Series Router Configurations Guide 88 13.1.3 Port Address Translation (Many to one) Figure 27 Mapping Multiple NAT Addresses to One
14 REMOTE ACCESS VPNS 14.1 Secure Remote Access Using IPSec VPN The corporate network no longer has a clearly defined perimeter inside secure building an
Black Box LR11xx Series Router Configurations Guide 90 14.2.2 Remote Access: Mode Configuration The other method to achieve IPSec remote access in Black
IPSec Remote Access User 91 Figure 28 User Group Remote Access Configuration To create the user group configuration enter: Blackbox> configure term Blac
Contents 9 VIRTUAL LAN TAGGING ... 125 Managing Traffic with VLAN Tagging ...
Black Box LR11xx Series Router Configurations Guide 92 14.5 IPSec Remote Access Mode Configuration Group Method The following example demonstrates how t
IPSec Remote Access Mode Con- 93 To configure the IKE policy for negotiating with VPN clients needing access to the corporate private network 10.0.1.0. B
15 NETWORKING WITH ROUTING INFORMATION PROTOCOL 15.1 Routing Information Protocol 15.1.1 Configuring RIP for Ethernet 0 and WAN 1 Interfaces LR1114A> conf
Black Box LR11xx Series Router Configurations Guide 96 Figure 31 show ip rip interface all Command > show ip rip interface all RIP is configured for i
16 CONFIGURING STATIC ROUTES 16.1 Static Routing Configuration All Black Box systems support IP routing utilizing static routes. The following diagram sh
Black Box LR11xx Series Router Configurations Guide 98 16.1.1 Configure the Router at Site “A” Blackbox> configure term Blackbox/configure> interface
17 CONFIGURING OPEN SHORTEST PATH FIRST ROUTING 17.1 OSPF Routing Protocol The following example shows a Black Box LR1114A connected to a router over a si
Black Box LR11xx Series Router Configurations Guide 100 17.1.4 Configuring ospf LR1114A/configure> router routerid 10.10.10.1 LR1114A/configure> rout
18 CONFIGURING GENERIC ROUTING ENCAPSULATION 18.1 Configuring GRE Generic Routing Encapsulation (GRE) is a standards-based (RFC1701, RFC2784) tunneling pr