Black Box Network Router LR1102A T1 E1 User Manual

May 2004  
LR1102A-T1/E1  
LR1104A-T1/E1  
LR1112A-T1/E1  
LR1114A-T1/E1  
Black Box LR11xx Series Router Configurations  
Order toll-free in the U.S. 24 hours, 7 A.M. Monday to midnight Friday: 877-877-BBOX  
FREE technical support, 24 hours a day, 7 days a week: Call 724-746-5500 or fax 724-746-0746  
Mail order: Black Box Corporation, 1000 Park Drive, Lawrence, PA 15055-1018  
CUSTOMER  
SUPPORT  
INFORMATION  
Web site: www.blackbox.com  
E-mail: i[email protected]  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Normas Oficiales Mexicanas (NOM)  
Electrical Safety Statement  
INSTRUCCIONES DE SEGURIDAD  
1.  
2.  
3.  
Todas las instrucciones de seguridad y operación deberán ser leídas antes de que  
el aparato eléctrico sea operado.  
Las instrucciones de seguridad y operación deberán ser guardadas para referencia  
futura.  
Todas las advertencias en el aparato eléctrico y en sus instrucciones de operación  
deben ser respetadas.  
4.  
5.  
Todas las instrucciones de operación y uso deben ser seguidas.  
El aparato eléctrico no deberá ser usado cerca del agua—por ejemplo, cerca de la  
tina de baño, lavabo, sótano mojado o cerca de una alberca, etc.  
6.  
7.  
8.  
El aparato eléctrico debe ser usado únicamente con carritos o pedestales que sean  
recomendados por el fabricante.  
El aparato eléctrico debe ser montado a la pared o al techo sólo como sea  
recomendado por el fabricante.  
Servicio—El usuario no debe intentar dar servicio al equipo eléctrico más allá a lo  
descrito en las instrucciones de operación. Todo otro servicio deberá ser referido a  
personal de servicio calificado.  
9.  
El aparato eléctrico debe ser situado de tal manera que su posición no interfiera su  
uso. La colocación del aparato eléctrico sobre una cama, sofá, alfombra o superfi-  
cie similar puede bloquea la ventilación, no se debe colocar en libreros o gabi-  
netes que impidan el flujo de aire por los orificios de ventilación.  
10.  
El equipo eléctrico deber ser situado fuera del alcance de fuentes de calor como  
radiadores, registros de calor, estufas u otros aparatos (incluyendo amplificado-  
res) que producen calor.  
11.  
12.  
13.  
El aparato eléctrico deberá ser connectado a una fuente de poder sólo del tipo  
descrito en el instructivo de operación, o como se indique en el aparato.  
Precaución debe ser tomada de tal manera que la tierra fisica y la polarización del  
equipo no sea eliminada.  
Los cables de la fuente de poder deben ser guiados de tal manera que no sean pisa-  
dos ni pellizcados por objetos colocados sobre o contra ellos, poniendo particular  
atención a los contactos y receptáculos donde salen del aparato.  
14.  
15.  
El equipo eléctrico debe ser limpiado únicamente de acuerdo a las recomenda-  
ciones del fabricante.  
En caso de existir, una antena externa deberá ser localizada lejos de las lineas de  
energia.  
3
Download from Www.Somanuals.com. All Manuals Search And Download.  
Black Box LR11xx Series Router Configurations Guide  
16.  
17.  
18.  
El cable de corriente deberá ser desconectado del cuando el equipo no sea usado  
por un largo periodo de tiempo.  
Cuidado debe ser tomado de tal manera que objectos liquidos no sean derramados  
sobre la cubierta u orificios de ventilación.  
Servicio por personal calificado deberá ser provisto cuando:  
A: El cable de poder o el contacto ha sido dañado; o  
B: Objectos han caído o líquido ha sido derramado dentro del aparato; o  
C: El aparato ha sido expuesto a la lluvia; o  
D: El aparato parece no operar normalmente o muestra un cambio en su desem-  
peño; o  
E: El aparato ha sido tirado o su cubierta ha sido dañada.  
4
Download from Www.Somanuals.com. All Manuals Search And Download.  
Contents  
Contents  
Example 1: Managing the Black Box LR1104A Securely Over  
5
Download from Www.Somanuals.com. All Manuals Search And Download.  
Black Box LR11xx Series Router Configurations Guide  
Example 3: Multiple IPSec Proposals: Tunnel Mode Between  
Example 4: IPSec remote access to corporate LAN using user  
Example 5: IPSec remote access to corporate LAN using mode  
6
Download from Www.Somanuals.com. All Manuals Search And Download.  
Contents  
IPSec Remote Access User Group Method – Single Proposal,  
7
Download from Www.Somanuals.com. All Manuals Search And Download.  
Black Box LR11xx Series Router Configurations Guide  
8
Download from Www.Somanuals.com. All Manuals Search And Download.  
Contents  
9
Download from Www.Somanuals.com. All Manuals Search And Download.  
1
DHCP RELAY  
1.1DHCP Relay  
This application describes the functionality of the DHCP relay feature and includes CLI command examples.  
1.1.1 Feature Overview  
Black Box DHCP relay feature eliminates the need for a DHCP server on every LAN, because DHCP requests can be  
relayed to a single remote DHCP server. Black Box’s implementation of DHCP relay is based on RFC 1532.  
BOOTP/DHCP messages are relayed (vs. forwarded) between the server and client.  
Figure 1 DHCP Relay Overview  
LAN  
DHCP Relay Agent  
WAN  
LAN  
LAN  
DHCP Relay Agent  
LR1104A  
DHCP Server  
DHCP Relay Agent  
LR1114A  
1.1.2 Functionality  
The DHCP relay feature uses BOOTP requests and replies to negotiate packet delivery between the DHCP client and server.  
1.1.2.1 BOOTP Requests  
BOOTP requests are messages from client to server. Request messages include DHCP DISCOVER, DHCP REQUEST,  
DHCP RELEASE, etc. The relay agent modifies the packet header by adding relay information to the DHCP gateway address  
(giaddr) field. The server replies to the gateway address specified in the packet’s giaddr field.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
         
Black Box LR11xx Series Router Configurations Guide  
Figure 2 BOOTP Requests  
Unicast BOOTREQUEST  
Broadcast BOOTREQUEST  
DHCP Relay Agent  
DHCP Client  
DHCP Server  
1.1.2.2 BOOTP Replies  
BOOTP replies are messages from the server to the client. Reply messages include DHCP OFFER, DHCP ACK, DHCP  
NAK, etc. The relay agent looks up the MAC address and either sends the packet to the client or broadcasts it on the  
LAN.  
Figure 3 BOOTP Replies  
Unicast  
Unicast/Broadcast  
BOOTREPLY  
BOOTREPLY  
DHCP Relay Agent  
DHCP Client  
DHCP Server  
1.1.3 Using DHCP Relay with NAT  
When NAT is enabled, the DHCP server may discard packets because the giaddr does not match the source of the packet.  
Additionally, it may not know how to route the packet back to the client. See Figure 4. The solution is that the gateway  
address (giaddr) field needs to have IP address 192.168.20.1 (in this example). The DHCP server configuration should be  
able to give 10.1.1.x addresses for packets from 192.168.20.1. However, there may be a limitation that the DHCP server  
does not allow configuration using IP addresses from a different subnet, although this is mentioned in the RFC.  
Figure 4 A Typical Scenario  
Network Address Translation  
DHCP Client  
PRIVATE  
PUBLIC  
192.168.20.1  
10.1.1.x  
Network  
10.1.1.1  
Router  
DHCP Relay Agent  
DHCP Client  
DHCP Server  
DHCP Client  
1.1.4 Command Line Interface  
The following are examples of command strings relevant to DHCP relay:  
1.1.4.1 Enabling DHCP Relay  
14  
Download from Www.Somanuals.com. All Manuals Search And Download.  
       
DHCP Relay  
Blackbox> configure terminal  
Blackbox/configure> interface ethernet 0  
Blackbox/configure/interface/ethernet 0> dhcp server_address 20.1.1.1  
1.1.4.2 Disabling DHCP Relay  
Blackbox/configure/interface/ethernet 0> no dhcp server_address 20.1.1.1  
1.1.4.3 Configuring the Gateway Address field when NAT is enabled  
Blackbox/configure/interface/ethernet 0> dhcp gateway_address 192.168.20.1  
1.1.5 Displaying DHCP Configuration  
The following screen captures show the displayed results of issuing show commands relevant to DHCP relay, with and without  
gateway addresses configured.  
Figure 5 show dhcp_relay Command  
> show dhcp_relay  
DHCP RELAY CONFIGURATION  
---------------------------  
Ethernet 0: Disabled  
Ethernet 1: Enabled: DHCP Server 10.1.1.1  
Figure 6 show dhcp_relay Command  
> show dhcp_relay  
DHCP RELAY CONFIGURATION  
---------------------------  
Ethernet 0: Disabled  
Ethernet 1: Enabled: DHCP Server 10.1.1.1 (Gateway  
Address: 192.168.20.1)  
1.1.6 Displaying Statistics  
15  
Download from Www.Somanuals.com. All Manuals Search And Download.  
       
Black Box LR11xx Series Router Configurations Guide  
Figure 7 Displaying Ethernet Interface Statistics  
> show interface ethernet 1  
ethernet 1  
ipaddr  
netmask  
192.168.120.1  
255.255.255.0  
description -  
status  
down, operationally down  
configured auto  
speed  
mode  
-
-
actual  
speed  
mode  
100  
half_duplex  
1500  
mtu  
ethernet1 (unit number 1)  
Type: ETHERNET (802.3)  
Flags: (0x807c203) UP, MULTICAST-ROUTE  
Internet Address: 192.168.120.1  
Internet Netmask: 255.255.255.0  
Internet Broadcast: 192.168.120.255  
Maximum Transfer Unit: 1500 bytes  
Mac Address: 00:00:23:00:60:01  
port counters since last boot/clear  
Bytes Rx  
0 Bytes Tx  
0
0
0
0
0
Packets Rx  
0 Packets Tx  
0 Collisions  
0 Late Collisions  
0 Up/Down States (Phys)  
2
Runts Rx  
Babbels Rx  
Err Packets Rx  
Up/Down States (Admin)  
port counters for the last five minutes  
Bytes Rx  
0 Bytes Tx  
0
0
0
0
Packets Rx  
Runts Rx  
0 Packets Tx  
0 Collisions  
Babbels Rx  
0 Late Collisions  
1.1.7 DHCP Limitations  
There are limitations when using DHCP relay on a Black Box system. Only one DHCP server can be specified per interface. DHCP  
can be enabled only on Ethernet interfaces (not on bundles). And last, DHCP can be enabled in IP routing (static and dynamic) mode,  
but not in IP Mux mode.  
16  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
2
CONFIGURING INTERNET GROUP  
MANAGEMENT PROTOCOL  
2.1IGMP Configuration  
Internet Group Management Protocol (IGMP) is enabled on hosts and routers that want to receive multicast traffic.  
IGMP informs locally-attached routers of their multicast group memberships. Hosts inform routers of the groups of  
which they are members by multicasting IGMP Group Membership Reports. When multicast routers listen for these  
reports, they can exchange group membership information with other multicast routers. This reporting system allows  
distribution trees to be formed to deliver multicast datagrams. The original version of IGMP was defined in RFC 1112,  
Host Extensions for IP Multicasting. Extensions to IGMP, known as IGMP version 2.  
IGMPv2 improves performance and supports the following message types:  
IGMP Query: IGMP Query is sent by the router to know which groups have members on the attached network.  
IGMP Reports: IGMP reports are sent as a response to the query by hosts to announce their group membership.  
Reports can be sent “unsolicited” when the hosts come up.  
IGMP Leaves: IGMP Leaves are sent by the host when it relinquishes membership of a group.  
The latest extension to the IGMP standard is Version 3, which includes interoperability with version 2 and version 1  
hosts, also provides support for source filtering. Source filtering enables a multicast receiver host to signal to a router  
which groups it wants to receive multicast traffic from, and from which source(s) this traffic is expected. This  
membership information enables the router to forward traffic only from those sources from which receivers requested  
the traffic.  
IGMPv3 supports applications that explicitly signal sources from which they want to receive traffic. With IGMPv3,  
receivers signal membership to a multicast host group in the following two modes:  
INCLUDE mode: In this mode, the receiver announces membership to a host group and provides a list of IP  
addresses (the INCLUDE list) from which it wants to receive traffic.  
EXCLUDE mode: In this mode, the receiver announces membership to a host group and provides a list of IP  
addresses (the EXCLUDE list) from which it does not want to receive traffic. This indicates that the host wants  
to receive traffic only from other sources whose IP addresses are not listed in the EXCLUDE list. To receive  
traffic from all sources, like in the case of the Internet Standard Multicast (ISM) service model, a host expresses  
EXCLUDE mode membership with an empty EXCLUDE list.  
IGMPv3 is used by the hosts to express their desire to be a part of the source-specific multicast (SSM) which is an  
emerging standard used by routers to direct multicast traffic to the host only if its is from a specific source.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Black Box LR11xx Series Router Configurations Guide  
2.1.1 IGMP Commands  
The IGMP commands are:  
ip igmp  
ignore-v1-messages  
ignore-v2-messages  
last-member-query-count  
last-member-query-interval  
query-interval  
query-response-interval  
require-router-alert  
robustness  
send-router-alert  
startup-query-count  
startup-query-interval  
group filter  
version  
debug ip igmp  
debug ip igmp state  
debug ip igmp normal  
debug ip igmp packet query  
debug ip igmp packet report  
debug ip igmp packet leave  
show ip igmp groups  
show ip igmp interface  
clear ip igmp groups  
2.1.2 IGMP Configuration Examples  
Use the examples shown in this section to use IGMP in multicast configurations.  
2.1.2.1 Example 1  
The following example enables IGMP.  
Blackbox/configure> ip igmp  
2.1.2.2 Example 2  
With the command line still in Interface Configuration Mode, the following example disables IGMP.  
Blackbox/configure> no ip igmp  
2.1.2.3 Example 3  
In the following example, the ignore-v1-messages command is used to disable processing of IGMPv1 messages on  
interface ethernet 0.  
Blackbox/configure/ip/igmp/interface ethernet0> ignore-v1-messages  
Blackbox/configure/ip/igmp/interface ethernet0> exit 3  
Blackbox/configure>  
2.1.2.4 Example 4  
In the following example, the ignore-v2-messages command disables processing of IGMPv1 messages on  
interface ethernet 0.  
18  
Download from Www.Somanuals.com. All Manuals Search And Download.  
           
IGMP Configuration  
Blackbox/configure/ip/igmp/interface ethernet0> ip igmp ignore-v2-messages  
Blackbox/configure/ip/igmp/interface ethernet0> exit 3  
Blackbox/configure>  
2.1.2.5 Example 5  
The following example configures the Last Member Query Count to be 4 on ethernet 0.  
Blackbox/configure/ip/igmp/interface ethernet0> last-member-query-count 4  
2.1.2.6 Example 6  
In the following example for interface ethernet 0, the Robustness is configured to be 4. The Last Member Query count is  
configured to be 5.  
Blackbox/configure/ip/igmp/interface ethernet0> robustness 4  
Blackbox/configure/ip/igmp/interface ethernet0> last-member-query-count 5  
Blackbox/configure/ip/igmp/interface ethernet0> exit 3  
Blackbox/configure>  
2.1.2.7 Example 7  
The following example configures ethernet 0 with the default Last Member Query Interval of 2000 milliseconds (20 seconds).  
Blackbox/configure/ip/igmp/interface ethernet0> last-member-query-interval 2000  
2.1.2.8 Example 8  
The following example configures ethernet 0 with the default Query Interval to be 200 seconds.  
Blackbox/configure/ip/igmp/interface ethernet0> query-interval 200  
2.1.2.9 Example 9  
The following example configures the default Query Response Interval to be 10 seconds (or 100 deciseconds) for ethernet 0.  
Blackbox/configure/ip/igmp/interface ethernet0> query-response-time 100  
2.1.2.10Example 10  
The following example turns require-router-alert on for interface ethernet 0.  
Blackbox/configure/ip/igmp/interface ethernet0> require-router-alert  
2.1.2.11Example 11  
The following example configures the default Robustness to be 3 for interface ethernet 0.  
Blackbox/configure/ip/igmp/interface ethernet0> ip igmp robustness 3  
2.1.2.12Example 12  
The following example turns the send-router-alert option off for interface ethernet 1.  
Blackbox/configure/ip/igmp/interface ethernet1> no send-router-alert  
2.1.2.13Example 13  
The following example configures IGMP version 2 to run on interface ethernet 0.  
Blackbox/configure/ip/igmp/interface ethernet0> version 2  
Blackbox/configure/ip/igmp/interface ethernet0> exit 3  
Blackbox/configure>  
19  
Download from Www.Somanuals.com. All Manuals Search And Download.  
                 
Black Box LR11xx Series Router Configurations Guide  
20  
Download from Www.Somanuals.com. All Manuals Search And Download.  
3w  
FILTERING IP TRAFFIC  
3.1IP Packet Filter Lists  
Black Box systems can be configured for IP traffic filtering capabilities. IP traffic filtering allows creation of rule sets  
that selectively block TCP/IP packets on a specified interface. Filters are applied independently to all interfaces:  
Ethernet, serial, or WAN, as well as independently to interface direction: IN (packets coming in to the Black Box  
system) or OUT (packets going out of the Black Box system).  
IP packet filtering capability can be used to restrict access to the Black Box system from untrusted, external networks or  
from specific, internal networks. An example would be a filter that prohibits external users from establishing Telnet  
sessions to the Black Box system, and allows only specific internal users Telnet access to the system.  
At the end of every rule list is an implied “deny all traffic” statement. Therefore, all packets not explicitly permitted  
by filtering rules, are denied. This effectively means that once you enter a “deny” statement in your filter list, you  
are implicitly denying all packets from crossing the interface. Therefore, it is important that each filter list contain at  
least one “permit” statement.  
The order in which you enter the filtering rules is important. As the Black Box system is evaluating each packet, the  
Black Box OS tests the packet against each rule statement sequentially. After a match is found, no more rule  
statements are checked. For example, if you create a rule statement that explicitly permits all traffic, all traffic is  
passed since no further rules are checked.  
The Black Box OS permits easy re-ordering of filter commands through filter_list insert and delete commands.  
3.1.1 Example1  
Consider a Black Box connected via a bundle “WAN1” (wan IP address 200.1.1.1) to an ISP, with Ethernet 0 (IP  
address 222.199.19.3) connected to the internal network. The network administrator wants to completely block Telnet  
access to the Black Box from all external networks as well as from all internal networks except 222.199.19.0/28. All  
other TCP/IP traffic, such as FTP, Ping, and HTTP, is to flow unrestricted through the Black Box system.  
3.1.1.1 Configure the Black Box LR1104A.  
Blackbox> configure term  
Blackbox/configure> ip  
Blackbox/configure/ip> filter_list filtera (gives the list a name)  
Blackbox/configure/ip/filter_list> add deny tcp any 200.1.1.1 dport =23  
Blackbox/configure/ip/filter_list> add permit tcp 222.199.19.0/28 222.199.19.3 dport =23  
Blackbox/configure/ip/filter_list> add deny tcp any 222.199.19.3 dport =23  
Blackbox/configure/ip/filter_list> add permit ip any any  
Blackbox/configure/ip/filter_list> exit  
Download from Www.Somanuals.com. All Manuals Search And Download.  
       
Black Box LR11xx Series Router Configurations Guide  
Blackbox/configure/ip> apply_filter ether0 filtera in  
Blackbox/configure/ip> apply_filter WAN1 filtera in  
Blackbox/configure/ip> exit  
Blackbox/configure> exit  
Blackbox> save local  
3.1.2 Example 2  
Consider the same network addressing as in example 1. The network administrator has a slightly different  
requirement - he wishes to permit FTP sessions from all networks to the internal FTP server (222.199.19.12), deny  
FTP sessions to all other addresses, and permit all other traffic to flow through the Black Box unit.  
3.1.2.1 Configure the Black Box LR1104A  
Blackbox> configure terminal  
Blackbox/configure> ip  
Blackbox/configure/ip> filter_list filterb (gives the list a name)  
Blackbox/configure/ip/filter_list> add permit tcp any 222.199.19.12 dport =21  
Blackbox/configure/ip/filter_list> add deny tcp any 222.199.19.0 dport =21  
Blackbox/configure/ip/filter_list> add permit ip any any  
Blackbox/configure/ip/filter_list> exit  
Blackbox/configure/ip> apply_filter WAN1 filterb in  
Blackbox/configure/ip> exit  
Blackbox/configure> exit  
Blackbox> save local  
3.1.3 Example 3  
Example 3 focuses on a filter list where the network administrator is specifically denying all traffic from a specific  
external network (197.100.200.0/24) access through the Black Box unit.  
3.1.3.1 Configure the Black Box LR1104A  
Blackbox> configure terminal  
Blackbox/configure> ip  
Blackbox/configure/ip> filter_list filterc (gives the list a name)  
Blackbox/configure/ip/filter_list> add deny ip 197.100.200.0/24 any  
Blackbox/configure/ip/filter_list> add permit ip any any  
Blackbox/configure/ip/filter_list> exit  
Blackbox/configure/ip> apply_filter WAN1 filterc in  
Blackbox/configure/ip> exit  
Blackbox/configure> exit  
Blackbox> save local  
22  
Download from Www.Somanuals.com. All Manuals Search And Download.  
       
4
CONFIGURING SECURITY  
4.1IPSec Configurations  
This guide provides information and examples on how to configure IPSec.  
There are three licenses that control access to the features:  
Basic VPN Management (vpn_mgmt)—allows users to manage a remote Black Box router.  
Firewall (firewall)—allows users to manage the firewall features. Also includes Basic VPN Management.  
Advanced VPN and firewall (vpn_plus_firewall)—Allows users to manage remote LANs. Also includes  
Basic VPN and Firewall licenses.  
To see the licenses available in this release, enter:  
Blackbox/configure> system licenses ?  
NAME  
licenses - Configure feature upgrade licenses  
SYNTAX  
licenses license_type <cr>  
DESCRIPTION  
license_type  
-- Specifies the type of feature upgrade license  
The parameter may have any of the following values:  
enable_1_port -- Enable 1 port  
enable_2_ports-- Enable 2 ports  
enable_3_ports-- Enable 3 ports  
enable_4_ports-- Enable 4 ports  
BGP4  
-- BGP4 routing  
vpn_mgmt  
firewall  
-- Enable VPN Mgmt License  
-- Enable Firewall and VPN Mgmt License  
vpn_plus_firewall-- Enable Advance VPN and Firewall License  
To install the advanced VPN and firewall license and use all the security features available in this release, enter:  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Black Box LR11xx Series Router Configurations Guide  
Blackbox/configure> system licenses vpn_plus_firewall  
Enter Security Upgrade License key: 024f3bc296b4ea7265  
4.2 Example 1: Managing the Black Box LR1104A  
Securely Over an IPSec Tunnel  
The following example demonstrates how to manage a Black Box router through an IP security tunnel. Steps are  
presented for configuring the Black Box1 and Black Box2 routers to assist any host on the LAN side of Black  
Box-2 to manage the Black Box1 router through the IP security tunnel.  
The security requirements are as follows:  
Phase 1: 3DES with SHA1  
Phase 2: IPSec ESP with AES and HMAC-SHA1  
Figure 8 Tunnel Mode Between Two Black Box Security Gateways - Multiple Proposals  
172.16.0.1  
172.16.0.2  
TRUSTED  
TRUSTED  
IPSec ESP  
Network  
10.0.2.0/24  
BlackBox2  
UNTRUSTED  
Black Box 1  
Network  
10.0.1.0/24  
Step 1: Configure a WAN bundle of network type untrusted  
Black Box1/configure> interface bundle wan1  
message: Configuring new bundle  
Black Box1/configure/interface/bundle wan1> link t1 1  
Black Box1/configure/interface/bundle wan1> encapsulation ppp  
Black Box1/configure/interface/bundle wan1> ip address 172.16.0.1 24  
Black Box1/configure/interface/bundle wan1> crypto untrusted  
Black Box1/configure/interface/bundle wan1> exit  
Step 2: Configure the Ethernet interface with trusted network type  
Black Box1/configure> interface ethernet 0  
message: Configuring existing Ethernet interface  
Black Box1/configure interface/ethernet 0> ip address 10.0.1.1 24  
Black Box1/configure/interface/ethernet 0> crypto trusted  
Black Box1/configure/interface/ethernet 0> exit  
Step 3: Display the crypto interfaces  
24  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
Example 1: Managing the Black  
Blackbox> show crypto interfaces  
Interface  
Name  
Network  
Type  
---------  
wan1  
ethernet0  
-------  
Untrusted  
trusted  
Blackbox>  
Step 4: Add route to peer LAN  
Black Box1/configure> ip route 10.0.2.0 24 wan1  
Step 5: Configure IKE to the peer gateway  
Black Box1/configure> crypto ike policy Black Box2 172.16.0.2  
Black Box1/configure/crypto/ike/policy Black Box2 172.16.0.2> local-address 172.16.0.1  
message: Default proposal created with priority1-des-sha1-pre_shared-g1.  
message: Key String has to be configured by the user.  
Black Box1/configure/crypto/ike/policy Black Box2 172.16.0.2> key secretkey  
Black Box1/configure/crypto/ike/policy Black Box2 172.16.0.2> proposal 1  
Black Box1/configure/crypto/ike/policy Black Box2 172.16.0.2/proposal 1> encryption-algorithm  
3des-cbc  
Black Box1/configure/crypto/ike/policy Black Box2 172.16.0.2/proposal 1> exit  
Black Box1/configure/crypto/ike/policy Black Box2 172.16.0.2> exit  
Step 6: Display IKE policies  
Blackbox> show crypto ike policy all  
Policy  
------  
Peer  
----  
Mode  
----  
Transform  
---------  
Black Box 172.14.0.2  
Main  
P1 pre-g1-3des-sha  
Blackbox>  
Step 7: Display IKE policies in detail  
Displays the encryption algorithm, hash algorithm, authentication mode, and other details of the IKE policies.  
Step 8: Configure the IPSec tunnel to the remote host  
Black Box1/configure/crypto> ipsec policy Black Box2 172.16.0.2  
Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2> match address 172.16.0.1 32  
10.0.2.0 24  
message: Default proposal created with priority1-esp-3des-sha1-tunnel and activated.  
Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2> proposal 1  
Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2/proposal 1>  
encryption-algorithm aes128-cbc  
Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2/proposal 1> exit  
Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2> exit  
Step 9: Display IPSec policies  
Displays the policy just added.  
Step 10: Display IPSec policies in detail  
Shows the details of the IPSec policies.  
25  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Black Box LR11xx Series Router Configurations Guide  
Step 10.1: Configure firewall policies to allow IKE negotiation through untrusted interface (applicable only if firewall license is also  
enabled)  
Black Box1/configure> firewall internet  
Black Box1/configure/firewall internet> policy 1000 in service ike self  
Black Box1/configure/firewall internet/policy 1000 in> exit  
Black Box1/configure/firewall internet> exit  
Step 10.2: Configure firewall policies to allow desired services through untrusted interface to manage the router (applicable only if  
firewall license is also enabled)  
Black Box1/configure> firewall internet  
Black Box1/configure/firewall internet> policy 1001 in service snmp self  
Black Box1/configure/firewall internet/policy 1001 in> exit  
Black Box1/configure/firewall internet> policy 1002 in service telnet self  
Black Box1/configure/firewall internet/policy 1002 in> exit  
Black Box1/configure/firewall internet> policy 1003 in protocol icmp self  
Black Box1/configure/firewall internet/policy 1003 in> exit  
Black Box1/configure/firewall internet> exit  
Step 10.3: Display firewall policies in the internet map (applicable only if firewall license is enabled)  
Black Box1> show firewall policy internet  
Advanced: S - Self Traffic, F - Ftp-Filter, H - Http-Filter,  
R - Rpc-Filter, N - Nat-Ip/Nat-Pool, L - Logging,  
E - Policy Enabled, M - Smtp-Filter  
Pri Dir Source Addr  
--- --- -----------  
1000 in any  
1001 in any  
1002 in any  
Destination Addr  
----------------  
Sport Dport Proto Action Advanced  
----------------- ------ --------  
any  
any  
any  
any  
any  
ike  
PERMIT SE  
PERMIT SE  
PERMIT SE  
snmp  
telnet  
any  
1003 in any  
1024 out any  
any  
any  
icmp PERMIT SE  
any  
any  
PERMIT SE  
Step 10.4: Display firewall policies in the internet map in detail (applicable only if firewall license is enabled)  
26  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Example 1: Managing the Black  
Black Box1> show firewall policy internet detail  
Policy with Priority 1000 is enabled, Direction is inbound  
Action permit, Traffic is self  
Logging is disable  
Source Address is any, Dest Address is any  
Source Port is any, Service Name is ike  
Schedule is disabled, Ftp-Filter is disabled  
Smtp-Filter is disabled, Http-Filter is disabled  
Rpc-Filter is disabled, Nat is disabled  
Bytes In 0, Bytes Out 0  
Policy with Priority 1001 is enabled, Direction is inbound  
Action permit, Traffic is self  
Logging is disable  
Source Address is any, Dest Address is any  
Source Port is any, Service Name is snmp  
Schedule is disabled, Ftp-Filter is disabled  
Smtp-Filter is disabled, Http-Filter is disabled  
Rpc-Filter is disabled, Nat is disabled  
Bytes In 0, Bytes Out 0  
Policy with Priority 1002 is enabled, Direction is inbound  
Action permit, Traffic is self  
Logging is disable  
Source Address is any, Dest Address is any  
Source Port is any, Service Name is telnet  
Schedule is disabled, Ftp-Filter is disabled  
Smtp-Filter is disabled, Http-Filter is disabled  
Rpc-Filter is disabled, Nat is disabled  
Bytes In 0, Bytes Out 0  
Policy with Priority 1003 is enabled, Direction is inbound  
Action permit, Traffic is self  
Logging is disable  
Source Address is any, Dest Address is any  
Source Port is any, Dest Port is any, Protocol is icmp  
Schedule is disabled, Ftp-Filter is disabled  
Smtp-Filter is disabled, Http-Filter is disabled  
Rpc-Filter is disabled, Nat is disabled  
Bytes In 0, Bytes Out 0  
Policy with Priority 1024 is enabled, Direction is outbound  
Action permit, Traffic is self  
Logging is disable  
Source Address is any, Dest Address is any  
Source Port is any, Dest Port is any, any  
Schedule is disabled, Ftp-Filter is disabled  
Smtp-Filter is disabled, Http-Filter is disabled  
Rpc-Filter is disabled, Nat is disabled  
Bytes In 0, Bytes Out 0  
Step 11: Enable SNMP on the Black Box1 router  
27  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Black Box LR11xx Series Router Configurations Guide  
Black Box1/configure/crypto/> exit  
Black Box1/configure> snmp  
Black Box1/configure/snmp> community public rw  
Black Box1/configure/snmp> exit  
Step 12: Display SNMP communities  
Blackbox>show snmp communities  
Community = public, privileges=rw  
Blackbox>  
Step 13: Repeat steps 1 - 10 with suitable modifications on Black Box2 prior to managing Black Box1 from Black Box2’s LAN  
side  
Step 14: Test the IPSec tunnel for managing the Black Box1 router from a host on Black Box2’s LAN.  
Step 15: When the SNMP manager starts managing Black Box1 from Black Box2’s LAN, display the IKE and IPSec SA  
tables using:  
show crypto ike sa all  
show crypto ike sa all detail  
show crypto ipsec sa all  
show crypto ipsec sa all detail  
4.3 Example 2: Single Proposal: Tunnel Mode Between  
Two Black Box Security Gateways  
The following example demonstrates how to form an IP security tunnel to join two private networks: 10.0.1.0/24 and  
10.0.2.0/24. The security requirements are as follows:  
Phase 1: 3DES with SHA1  
Phase 2: IPSec ESP with AES (256-bit) and HMAC-SHA1  
Figure 9 Tunnel Mode Between Two Black Box Security Gateways - Single Proposals  
172.16.0.1  
172.16.0.2  
TRUSTED  
TRUSTED  
IPSec ESP  
Network  
10.0.2.0/24  
BlackBox 2  
UNTRUSTED  
BlackBox 1  
Network  
10.0.1.0/24  
Step 1: Configure a WAN bundle of network type untrusted  
28  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
Example 2: Single Proposal: Tun-  
Black Box1/configure/interface/bundle wan1> link t1 1  
Black Box1/configure/interface/bundle wan1> encapsulation ppp  
Black Box1/configure/interface/bundle wan1> ip address 172.16.0.1 24  
Black Box1/configure/interface/bundle wan1> crypto untrusted  
Black Box1/configure/interface/bundle wan1> exit  
Step 2: Configure the Ethernet interface with trusted network type  
Black Box1/configure> interface ethernet 0  
message: Configuring existing Ethernet interface  
Black Box1/configure interface/ethernet 0> ip address 10.0.1.1 24  
Black Box1/configure/interface/ethernet 0> crypto trusted  
Black Box1/configure/interface/ethernet 0> exit  
Step 3: Display the crypto interfaces  
Blackbox> show crypto interfaces  
Interface  
Name  
Network  
Type  
---------  
wan1  
ethernet0  
-------  
Untrusted  
trusted  
Blackbox>  
Step 4: Add route to peer LAN  
Black Box1/configure> ip route 10.0.2.0 24 wan1  
Step 5: Configure IKE to the peer gateway  
Black Box1/configure> crypto ike policy Black Box2 172.16.0.2  
Black Box1/configure/crypto/ike/policy Black Box2 172.16.0.2> local-address 172.16.0.1  
message: Default proposal created with priority1-des-sha1-pre_shared-g1.  
message: Key String has to be configured by the user.  
Black Box1/configure/crypto/ike/policy Black Box2 172.16.0.2> key secretkey  
Black Box1/configure/crypto/ike/policy Black Box2 172.16.0.2> proposal 1  
Black Box1/configure/crypto/ike/policy Black Box2 172.16.0.2/proposal 1> encryption-algorithm  
3des-cbc  
Black Box1/configure/crypto/ike/policy Black Box2 172.16.0.2> proposal 1> exit  
Black Box1/configure/crypto/ike/policy Black Box2 172.16.0.2> exit  
Black Box1/configure/crypto/exit  
Black Box1/configure>  
Step 6: Display IKE policies  
Blackbox> show crypto ike policy all  
Policy  
------  
Peer  
----  
Mode  
----  
Transform  
---------  
Black Box 172.14.0.2  
Main  
P1 pre-g1-3des-sha  
Blackbox>  
Step 7: Configure IPSec tunnel to the remote host  
Black Box1/configure/crypto> ipsec policy Black Box2 172.16.0.2  
Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2> match address 10.0.1.0 24  
10.0.2.0 24  
NOTE  
29  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Black Box LR11xx Series Router Configurations Guide  
For IPSec only – when you create an outbound tunnel, an inbound tunnel is automatically created. The inbound tunnel applies the name that  
you provide for the outbound tunnel and adds the prefix “IN” to the name.  
message: Default proposal created with priority1-esp-3des-sha1-tunnel and activated.  
Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2> proposal 1  
Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2/proposal 1>  
encryption-algorithm aes256-cbc  
Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2/proposal 1> exit  
Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2> exit  
Step 8: Display IPSec policies  
Using the show crypto ipsec policy allcommand.  
Step 8.1: Configure firewall policies to allow IKE negotiation through untrusted interface (applicable only if firewall license is also  
enabled)  
Black Box1/configure> firewall internet  
Black Box1/configure/firewall internet> policy 1000 in service ike self  
Black Box1/configure/firewall internet/policy 1000 in> exit  
Black Box1/configure/firewall internet> exit  
Step 8.2: Display firewall policies in the internet map (applicable only if firewall license is enabled)  
Black Box1> show firewall policy internet  
Advanced: S - Self Traffic, F - Ftp-Filter, H - Http-Filter,  
R - Rpc-Filter, N - Nat-Ip/Nat-Pool, L - Logging,  
E - Policy Enabled, M - Smtp-Filter  
Pri Dir Source Addr  
--- --- -----------  
1000 in any  
Destination Addr Sport Dport Proto Action Advanced  
---------------- ----------------- ------ --------  
any  
any  
ike  
PERMIT SE  
1024 out any  
any any any PERMIT SE  
Step 8.3: Display firewall policies in the internet map in detail (applicable only if firewall license is enabled)  
30  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Example 2: Single Proposal: Tun-  
Black Box1> show firewall policy internet detail  
Policy with Priority 1000 is enabled, Direction is inbound  
Action permit, Traffic is self  
Logging is disable  
Source Address is any, Dest Address is any  
Source Port is any, Service Name is ike  
Schedule is disabled, Ftp-Filter is disabled  
Smtp-Filter is disabled, Http-Filter is disabled  
Rpc-Filter is disabled, Nat is disabled  
Bytes In 0, Bytes Out 0  
Policy with Priority 1024 is enabled, Direction is outbound  
Action permit, Traffic is self  
Logging is disable  
Source Address is any, Dest Address is any  
Source Port is any, Dest Port is any, any  
Schedule is disabled, Ftp-Filter is disabled  
Smtp-Filter is disabled, Http-Filter is disabled  
Rpc-Filter is disabled, Nat is disabled  
Bytes In 0, Bytes Out 0  
Step 8.4: Configure firewall policies to allow transit traffic from remote LAN to the local LAN (applicable only if firewall license is  
also enabled)  
Black Box1/configure> firewall corp  
Black Box1/configure/firewall corp> policy 1000 in address 10.0.2.0 24 10.0.1.0 24  
Black Box1/configure/firewall corp/policy 1000 in> exit  
Black Box1/configure/firewall corp> exit  
Step 8.5: Display firewall policies in the corp map (applicable only if firewall license is enabled)  
Black Box1> show firewall policy corp  
Advanced: S - Self Traffic, F - Ftp-Filter, H - Http-Filter,  
R - Rpc-Filter, N - Nat-Ip/Nat-Pool, L - Logging,  
E - Policy Enabled, M - Smtp-Filter  
Pri Dir Source Addr  
--- --- -----------  
1000 in 10.0.2.0/24  
1022 out any  
1023 in any  
1024 out any  
Destination Addr Sport Dport Proto Action Advanced  
---------------- ----------------- ------ --------  
10.0.1.0/24  
any any any PERMIT E  
any any any PERMIT SE  
any any any PERMIT SE  
any any any PERMIT E  
any  
any  
any  
Step 8.6: Display firewall policies in the corp map in detail (applicable only if firewall license is enabled)  
31  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Black Box LR11xx Series Router Configurations Guide  
Black Box1> show firewall policy corp detail  
Policy with Priority 1000 is enabled, Direction is inbound  
Action permit, Traffic is transit  
Logging is disable  
Source Address is 10.0.2.0/24, Dest Address is 10.0.1.0/24  
Source Port is any, Dest Port is any, any  
Schedule is disabled, Ftp-Filter is disabled  
Smtp-Filter is disabled, Http-Filter is disabled  
Rpc-Filter is disabled, Nat is disabled  
Max-Connections 1024, Connection-Rate is disabled  
Policing is disabled, Bandwidth is disabled  
Bytes In 0, Bytes Out 0  
Policy with Priority 1022 is enabled, Direction is outbound  
Action permit, Traffic is self  
Logging is disable  
Source Address is any, Dest Address is any  
Source Port is any, Dest Port is any, any  
Schedule is disabled, Ftp-Filter is disabled  
Smtp-Filter is disabled, Http-Filter is disabled  
Rpc-Filter is disabled, Nat is disabled  
Bytes In 0, Bytes Out 0  
Policy with Priority 1023 is enabled, Direction is inbound  
Action permit, Traffic is self  
Logging is disable  
Source Address is any, Dest Address is any  
Source Port is any, Dest Port is any, any  
Schedule is disabled, Ftp-Filter is disabled  
Smtp-Filter is disabled, Http-Filter is disabled  
Rpc-Filter is disabled, Nat is disabled  
Bytes In 0, Bytes Out 0  
Policy with Priority 1024 is enabled, Direction is outbound  
Action permit, Traffic is transit  
Logging is disable  
Source Address is any, Dest Address is any  
Source Port is any, Dest Port is any, any  
Schedule is disabled, Ftp-Filter is disabled  
Smtp-Filter is disabled, Http-Filter is disabled  
Rpc-Filter is disabled, Nat is disabled  
Max-Connections 1024, Connection-Rate is disabled  
Policing is disabled, Bandwidth is disabled  
Bytes In 11258, Bytes Out 5813  
Step 9: Repeat steps 1 - 8 with suitable modifications on Black Box2 prior to passing traffic.  
Step 10: Test the IPSec tunnel between Black Box1 and Black Box2 by passing traffic from the 10.0.1.0 to the 10.0.2.0  
network  
32  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Example 3: Multiple IPSec Pro-  
Step 11: After transit traffic is passed through the tunnel, display the IKE and IPSec SA tables.  
Use the show crypto ike sa alland show crypto ipsec sa allcommands.  
4.4 Example 3: Multiple IPSec Proposals: Tunnel Mode  
Between Two Black Box Security Gateways  
The following example demonstrates how a security gateway can use multiple ipsec (phase2) proposals to form an IP security tunnel  
to join two private networks: 10.0.1.0/24 and 10.0.2.0/24.  
IKE Proposal offered by both Black Box1 and Black Box2:  
Phase 1: 3DES and SHA1  
IPSec Proposals offered by Black Box1:  
Phase 2: Proposal1: IPSec ESP with DES and HMAC-SHA1  
Phase 2: Proposal2: IPSec ESP with AES (256-bit) and HMAC-SHA1  
IPSec Proposal offered by Black Box2:  
Phase 2: Proposal1: IPSec ESP with AES (256-bit) and HMAC-SHA1  
In this example, the Black Box1 router offers two IPSec proposals to the peer while the Black Box2 router offers only one  
proposal. As a result of quick mode negotiation, the two routers are expected to converge on a mutually acceptable proposal,  
which is the proposal “IPSec ESP with AES (256-bit) and HMAC-SHA1” in this example.  
Figure 10 Tunnel Mode Between Two Black Box Security Gateways - Multiple Proposals  
172.16.0.1  
172.16.0.2  
TRUSTED  
TRUSTED  
IPSec ESP  
Network  
10.0.2.0/24  
BlackBox 2  
UNTRUSTED  
Network  
10.0.1.0/24  
BlackBox 1
Step 1: Configure a WAN bundle of network type untrusted  
Black Box1/configure/interface/bundle wan1> link t1 1  
Black Box1/configure/interface/bundle wan1> encapsulation ppp  
Black Box1/configure/interface/bundle wan1> ip address 172.16.0.1 24  
Black Box1/configure/interface/bundle wan1> crypto untrusted  
Black Box1/configure/interface/bundle wan1> exit  
Step 2: Configure the Ethernet interface with trusted network type  
Black Box1/configure> interface ethernet 0  
message: Configuring existing Ethernet interface  
Black Box1/configure interface/ethernet 0> ip address 10.0.1.1 24  
Black Box1/configure/interface/ethernet 0> crypto trusted  
Black Box1/configure/interface/ethernet 0> exit  
Step 3: Display the crypto interfaces  
33  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
Black Box LR11xx Series Router Configurations Guide  
Blackbox> show crypto interfaces  
Interface  
Name  
Network  
Type  
---------  
wan1  
ethernet0  
-------  
Untrusted  
trusted  
Blackbox>  
Step 4: Add route to peer LAN  
Black Box1/configure> ip route 10.0.2.0 24 wan1  
Step 5: Configure IKE to the peer gateway  
Black Box1/configure> crypto ike policy Black Box2 172.16.0.2  
Black Box1/configure/crypto/ike/policy/Black Box2 172.16.0.2> local-address 172.16.0.1  
message: Default proposal created with priority1-des-sha-pre_shared-g1.  
message: Key String has to be configured by the user.  
Black Box1/configure/crypto/ike/policy Black Box2 172.16.0.2> key secretkey  
Black Box1/configure/crypto/ike/policy Black Box2 172.16.0.2> proposal 1  
Black Box1/configure/crypto/ike/policy Black Box2 172.16.0.2/proposal 1> encryption-algorithm  
3des-cbc  
Black Box1/configure/crypto/ike/policy Black Box2 172.16.0.2/proposal 1> exit  
Black Box1/configure/crypto/ike/policy Black Box2 172.16.0.2> exit  
Black Box1/configure/crypto> exit  
Black Box1/configure>  
Step 6: Display IKE policies  
Blackbox> show crypto ike policy all  
Policy  
------  
Peer  
----  
Mode  
----  
Transform  
---------  
Black Box 172.14.0.2  
Main  
P1 pre-g1-3des-sha  
Blackbox>  
Step 7: Configure IPSec tunnel to the remote host  
Black Box1/configure>crypto ipsec policy Black Box2 172.16.0.2  
Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2> match address 10.0.1.0 24  
10.0.2.0 24  
message: Default proposal created with priority1-esp-3des-sha1-tunnel and activated.  
Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2> proposal 1  
Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2/proposal 1>  
encryption-algorithm des-cbc  
Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2/proposal 1> exit  
Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2> proposal 2  
message: Proposal added with priority2-esp-3des-sha1-tunnel.  
34  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Example 4: IPSec remote access  
Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2/proposal 2>  
encryption_algorithm aes256-cbc  
Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2/proposal 2> exit  
Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2> exit  
Black Box1/configure/crypto> exit  
Black Box1/configure>  
Step 8: Display the IPSec policies  
Use the show crypto ipsec policy all command.  
Step 9: Repeat steps 1 - 8 with suitable modifications on Black Box2 prior to passing bi-directional traffic.  
Step 10: Test the IPSec tunnel between Black Box1 and Black Box2 by passing traffic from the 10.0.1.0 network to the  
10.0.2.0 network  
Step 11: After traffic is passed through the tunnel, display the IKE and IPSec SA tables.  
Use the show crypto ike sa alland show crypto ipsec sa allcommands.  
4.5 Example 4: IPSec remote access to corporate LAN  
using user group method  
The following example demonstrates how to configure a Black Box router to be an IPSec VPN server using user group  
method with extended authentication (XAUTH) for remote VPN clients. The client could be any standard IPSec VPN client.  
In this example, the client needs to access the corporate private network 10.0.1.0/24 through the VPN tunnel. The security  
requirements are as follows:  
Phase 1: 3DES with SHA1, Xauth (Radius PAP)  
Phase 2: IPSec ESP tunnel with AES256 and HMAC-SHA1  
VPN Client 1  
Local Address: Dynamic  
Local ID:  
blackbox.com  
david@t
blackabsmoxa1 #1  
VPN Server  
172.16.0.1  
Corporate  
Headquarters  
10.0.1.0/24  
VPN Client 2  
Local Address: Dynamic  
Local ID:  
blackbox.com  
mike@t
Step 1: As in Step1 of Example 1  
35  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
Black Box LR11xx Series Router Configurations Guide  
Step 2: As in Step2 of Example 1  
Step 3: As in Step3 of Example 1  
Step 4: Configure dynamic IKE policy for a group of mobile users  
Black Box1/configure> crypto  
Black Box1/configure/crypto> dynamic  
Black Box1/configure/crypto/dynamic> ike policy sales  
Black Box1/configure/crypto/dynamic/ike/policy sales> local-address 172.16.0.1  
Black Box1/configure/crypto/dynamic/ike/policy sales> remote-id email-id [email protected]  
david  
A new user david is added to the group sales. The default proposal created with priority1-des-sha1-pre_shared-g1 and the Key  
String has to be configured by the user.  
Black Box1/configure/crypto/dynamic/ike/policy sales> remote-id email-id [email protected]  
New user mike is added to the group sales  
Black Box1/configure/crypto/dynamic/ike/policy sales> key secretkeyforsalesusers  
Black Box1/configure/crypto/dynamic/ike/policy sales> proposal 1  
Black Box1/configure/crypto/dynamic/ike/policy sales/proposal 1> encryption-algorithm  
3des-cbc  
Black Box1/configure/crypto/dynamic/ike/policy sales/proposal 1> exit  
Black Box1/configure/crypto/dynamic/ike/policy sales> client authentication radius pap  
Black Box1/configure/crypto/dynamic/ike/policy sales> exit  
Black Box1/configure/crypto/dynamic>  
Step 5: Display dynamic IKE policies  
Black Box1> show crypto dynamic ike policy all  
Policy  
------  
sales  
Remote-id  
---------  
Mode  
----  
Transform  
---------  
Address-Pool  
------------  
U david@Blackbox... Aggressive P1 pre-g1-3des-sha1  
Step 6: Display dynamic IKE policies in detail  
Black Box1> show crypto dynamic ike policy all detail  
Policy name sales, User group name sales  
Aggressive mode, Response Only, PFS is not enabled, Shared Key is *****  
Client authentication is Radius(PAP)  
Local addr: 172.16.0.1, Local ident 172.16.0.1 (ip-address)  
Remote idents are [email protected] (email-id), [email protected] (  
email-id)  
Proposal of priority 1  
Encryption algorithm: 3des  
Hash Algorithm: sha1  
Authentication Mode: pre-shared-key  
DH Group: group1  
Lifetime in seconds: 86400  
Lifetime in kilobytes: unlimited  
Step 7: Configure dynamic IPSec policy for a group of mobile users  
36  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Example 4: IPSec remote access  
Black Box1/configure/crypto/dynamic> ipsec policy sales  
Black Box1/configure/crypto/dynamic/ipsec/policy sales> match address 10.0.1.0 24  
Default proposal created with priority1-esp-3des-sha1-tunnel and activated.  
Black Box1/configure/crypto/dynamic/ipsec/policy sales> proposal 1  
Black Box1/configure/crypto/dynamic/ipsec/policy sales/proposal 1> encryption-algorithm  
aes256-cbc  
Black Box1/configure/crypto/dynamic/ipsec/policy sales/proposal 1> exit  
Black Box1/configure/crypto/dynamic/ipsec/policy sales> exit  
Black Box1/configure/crypto/dynamic>  
Step 8: Display dynamic IPSec policies  
Black Box1> show crypto dynamic ipsec policy all  
Policy  
------  
sales  
Match  
-----  
S 10.0.1.0/24/any  
D any/any/any  
S any/any/any  
D 10.0.1.0/24/any  
Proto Transform  
----- ---------  
Any P1 esp-aes-sha1-tunl  
INsales  
Any P1 esp-aes-sha1-tunl  
Step 9: Display dynamic IPSec policies in detail  
37  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Black Box LR11xx Series Router Configurations Guide  
Black Box1> show crypto dynamic ipsec policy all detail  
Policy sales is enabled, User group name sales  
Direction is outbound, Action is Apply  
Key Management is Automatic  
PFS Group is disabled  
Match Address:  
Protocol is Any  
Source ip address (ip/mask/port): (10.0.1.0/255.255.255.0/any)  
Destination ip address (ip/mask/port): (any/any/any)  
Proposal of priority 1  
Protocol: esp  
Mode: tunnel  
Encryption Algorithm: aes256(key length=256 bits)  
Hash Algorithm: sha1  
Lifetime in seconds: 3600  
Lifetime in Kilobytes: 4608000  
Policy INsales is enabled, User group name sales  
Direction is inbound, Action is Apply  
Key Management is Automatic  
PFS Group is disabled  
Match Address:  
Protocol is Any  
Source ip address (ip/mask/port): (any/any/any)  
Destination ip address (ip/mask/port): (10.0.1.0/255.255.255.0/any)  
Proposal of priority 1  
Protocol: esp  
Mode: tunnel  
Encryption Algorithm: aes256(key length=256 bits)  
Hash Algorithm: sha1  
Lifetime in seconds: 3600  
Lifetime in Kilobytes: 4608000  
Step 10: Configure radius server (applicable only if client authentication is configured in dynamic IKE policy)  
Black Box1/configure> aaa  
Black Box1/configure/aaa> radius  
Black Box1/configure/aaa/radius> primary_server 172.168.2.1  
Primary Radius server configured.  
Black Box1/configure/aaa/radius> secondary_server 192.168.2.1  
Secondary Radius server configured.  
Black Box1/configure/aaa/radius> exit  
Black Box1/configure/aaa> exit  
Step 11: Configure firewall policies to allow IKE negotiation through untrusted interface (applicable only if firewall license is also  
enabled)  
38  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Example 4: IPSec remote access  
Black Box1/configure> firewall internet  
Black Box1/configure/firewall internet> policy 1000 in service ike self  
Black Box1/configure/firewall internet/policy 1000 in> exit  
Black Box1/configure/firewall internet> exit  
Step 12: Display firewall policies in the internet map (applicable only if firewall license is enabled)  
Black Box1> show firewall policy internet  
Advanced: S - Self Traffic, F - Ftp-Filter, H - Http-Filter,  
R - Rpc-Filter, N - Nat-Ip/Nat-Pool, L - Logging,  
E - Policy Enabled, M - Smtp-Filter  
Pri Dir Source Addr  
--- --- -----------  
1000 in any  
Destination Addr Sport Dport Proto Action Advanced  
---------------- ----------------- ------ --------  
any  
any  
ike  
PERMIT SE  
1024 out any  
any any any PERMIT SE  
Step 13: Display firewall policies in the internet map in detail (applicable only if firewall license is enabled)  
Black Box1> show firewall policy internet detail  
Policy with Priority 1000 is enabled, Direction is inbound  
Action permit, Traffic is self  
Logging is disable  
Source Address is any, Dest Address is any  
Source Port is any, Service Name is ike  
Schedule is disabled, Ftp-Filter is disabled  
Smtp-Filter is disabled, Http-Filter is disabled  
Rpc-Filter is disabled, Nat is disabled  
Bytes In 0, Bytes Out 0  
Policy with Priority 1024 is enabled, Direction is outbound  
Action permit, Traffic is self  
Logging is disable  
Source Address is any, Dest Address is any  
Source Port is any, Dest Port is any, any  
Schedule is disabled, Ftp-Filter is disabled  
Smtp-Filter is disabled, Http-Filter is disabled  
Rpc-Filter is disabled, Nat is disabled  
Bytes In 0, Bytes Out 0  
Step 14: Configure firewall policies for a group of mobile users to allow access to the local LAN (applicable only if firewall license is  
enabled)  
Black Box1/configure/firewall corp>  
Black Box1/configure/firewall corp> policy 1000 in user-group sales address any any 10.0.1.0  
24  
Black Box1/configure/firewall corp/policy 1000 in  
>exit  
Black Box1/configure/firewall corp>  
Step 15: Display firewall policies in the corp map (applicable only if firewall license is enabled)  
39  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Black Box LR11xx Series Router Configurations Guide  
Black Box1> show firewall policy corp  
Advanced: S - Self Traffic, F - Ftp-Filter, H - Http-Filter,  
R - Rpc-Filter, N - Nat-Ip/Nat-Pool, L - Logging,  
E - Policy Enabled, M - Smtp-Filter  
Pri Dir Source Addr  
--- --- -----------  
1000 in any  
1022 out any  
1023 in any  
Destination Addr Sport Dport Proto Action Advanced  
---------------- ----------------- ------ --------  
10.0.1.0/24  
any any any PERMIT E  
any any any PERMIT SE  
any any any PERMIT SE  
any  
any  
1024 out any  
any  
any  
any  
any  
PERMIT E  
Step 16: Display firewall policies in the corp map in detail (applicable only if firewall license is enabled)  
4.1Example 5: IPSec remote access to corporate LAN  
using mode configuration method  
The following example demonstrates how to configure a Black Box router to be an IPSec VPN server using  
mode-configuration method. The client could be any standard mode configuration enabled IPSec VPN client.  
In this example, the client needs to access the corporate private network 10.0.1.0/24 through the VPN tunnel. The server has a  
pool of ip addresses from 20.1.1.100 through 20.1.1.150 to be allocated for mode configuration enabled VPN clients. The  
assigned IP address will be used by the VPN client as the source address in the inner IP header. The outer IP header will carry  
the dynamic IP address assigned by the Internet Service Provider as the source address. The security requirements are as  
follows:  
Phase 1: 3DES with SHA1, Mode Configuration  
Phase 2: IPSec ESP tunnel with AES256 and HMAC-SHA1  
40  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
Example 5: IPSec remote access  
VPN Client 1  
Local Outer Address:  
Dynamic  
Local Inner Assigned  
Address: 10.0.1.100/32  
Local ID:  
blackbox.com
VPN Client 2  
Local Outer Address:  
Dynamic  
Local Inner Assigned  
Address: 10.0.1.101/32  
Black Box 1  
Tasman #1  
VPN Server  
172.16.0.1  
Mode Config IP  
Pool:  
Corporate  
Headquarters  
10.0.1.0/24  
10.0.1.100-  
10.0.1.150  
Local ID:  
blackbox.com  
Step 1: As in Step1 of Example 1  
Step 2: As in Step2 of Example 1  
Step 3: As in Step3 of Example 1  
Step 4: Configure dynamic IKE policy for a group of mobile users  
Black Box1/configure> crypto  
Black Box1/configure/crypto> dynamic  
Black Box1/configure/crypto/dynamic> ike policy sales modecfg-group  
Black Box1/configure/crypto/dynamic/ike/policy sales> local-address 192.168.55.52  
Black Box1/configure/crypto/dynamic/ike/policy sales> remote-id email [email protected]  
The default proposal is created with priority1-des-sha1-pre_shared-g1, the Key String has to be configured by the user, and the  
default IPSec proposal 'sales' added with priority1-3des-sha1-tunnel.  
Black Box1/configure/crypto/dynamic/ike/policy sales> remote-id email [email protected]  
Black Box1/configure/crypto/dynamic/ike/policy sales> key secretkeyforsales  
Black Box1/configure/crypto/dynamic/ike/policy sales> proposal 1  
Black Box1/configure/crypto/dynamic/ike/policy sales/proposal 1> encryption-algorithm  
3des-cbc  
Black Box1/configure/crypto/dynamic/ike/policy sales/proposal 1> exit  
Black Box1/configure/crypto/dynamic/ike/policy sales> client configuration  
Black Box1/configure/crypto/dynamic/ike/policy sales/client/configuration> address-  
pool 1 20.1.1.100 20.1.1.150  
Black Box1/configure/crypto/dynamic/ike/policy sales/client/configuration> exit  
Black Box1/configure/crypto/dynamic/ike/policy sales> exit  
Black Box1/configure/crypto/dynamic> exit  
Step 5: Display dynamic IKE policies  
41  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Black Box LR11xx Series Router Configurations Guide  
Black Box1> show crypto dynamic ike policy all  
Policy  
------  
sales  
Remote-id  
---------  
Mode  
----  
Transform  
---------  
Address-Pool  
------------  
U david@BlackBox... Aggressive P1 pre-g1-3des-sha1 1 S 20.1.1.100  
E20.1.1.150  
Step 6: Display dynamic IKE policies in detail  
Black Box1> show crypto dynamic ike policy all detail  
Policy name sales, Modeconfig group  
Aggressive mode, Response Only, PFS is not enabled, Shared Key is *****  
Local addr: 192.168.55.52, Local ident 192.168.55.52 (ip-address)  
Remote idents are [email protected] (email-id), [email protected] (email-id)  
Address Pool:  
Pool# 1: 20.1.1.100 to 20.1.1.150  
Proposal of priority 1  
Encryption algorithm: 3des  
Hash Algorithm: sha1  
Authentication Mode: pre-shared-key  
DH Group: group1  
Lifetime in seconds: 86400  
Lifetime in kilobytes: unlimited  
Step 7: Configure dynamic IPSec policy for a group of mobile users  
Black Box1/configure/crypto>  
Black Box1/configure/crypto> dynamic  
Black Box1/configure/crypto/dynamic> ipsec policy sales modecfg-group  
Black Box1/configure/crypto/dynamic/ipsec/policy sales> match address 10.0.1.0 24  
Black Box1/configure/crypto/dynamic/ipsec/policy sales> proposal 1  
Black Box1/configure/crypto/dynamic/ipsec/policy sales/proposal 1> encryption-algorithm  
aes256-cbc  
Black Box1/configure/crypto/dynamic/ipsec/policy sales/proposal 1> exit  
Black Box1/configure/crypto/dynamic/ipsec/policy sales> exit  
Black Box1/configure/crypto/dynamic> exit  
Step 8: Display dynamic IPSec policies  
Black Box1> show crypto dynamic ipsec policy all  
Policy  
------  
sales  
Match  
-----  
S 10.0.1.0/24/any  
Proto Transform  
----- ---------  
Any P1 esp-aes-sha1-tunl  
D any/any/any  
Step 9: Display dynamic IPSec policies in detail  
42  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Example 5: IPSec remote access  
Black Box1> show crypto dynamic ipsec policy all detail  
Policy sales is enabled, Modeconfig Group  
Action is Apply  
Key Management is Automatic  
PFS Group is disabled  
Match Address:  
Protocol is Any  
Source ip address (ip/mask/port): (10.0.1.0/255.255.255.0/any)  
Destination ip address (ip/mask/port): (any/any/any)  
Proposal of priority 1  
Protocol: esp  
Mode: Tunnel  
Encryption Algorithm: aes256(key length=256 bits)  
Hash Algorithm: sha1  
Lifetime in seconds: 3600  
Lifetime in Kilobytes: 4608000  
Step 10: Configure firewall policies to allow IKE negotiation through untrusted interface (applicable only if firewall license is also  
enabled)  
Black Box1/configure> firewall internet  
Black Box1/configure/firewall internet> policy 1000 in service ike self  
Black Box1/configure/firewall internet/policy 1000 in> exit  
Black Box1/configure/firewall internet> exit  
Step 11: Display firewall policies in the internet map (applicable only if firewall license is enabled)  
Black Box1> show firewall policy internet  
Advanced: S - Self Traffic, F - Ftp-Filter, H - Http-Filter,  
R - Rpc-Filter, N - Nat-Ip/Nat-Pool, L - Logging,  
E - Policy Enabled, M - Smtp-Filter  
Pri Dir Source Addr  
--- --- -----------  
1000 in any  
Destination Addr Sport Dport Proto Action Advanced  
---------------- ----------------- ------ --------  
any  
any  
ike  
PERMIT SE  
1024 out any  
any any any PERMIT SE  
Step 12: Display firewall policies in the internet map in detail (applicable only if firewall license is enabled)  
43  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Black Box LR11xx Series Router Configurations Guide  
Black Box1> show firewall policy internet detail  
Policy with Priority 1000 is enabled, Direction is inbound  
Action permit, Traffic is self  
Logging is disable  
Source Address is any, Dest Address is any  
Source Port is any, Service Name is ike  
Schedule is disabled, Ftp-Filter is disabled  
Smtp-Filter is disabled, Http-Filter is disabled  
Rpc-Filter is disabled, Nat is disabled  
Bytes In 0, Bytes Out 0  
Policy with Priority 1024 is enabled, Direction is outbound  
Action permit, Traffic is self  
Logging is disable  
Source Address is any, Dest Address is any  
Source Port is any, Dest Port is any, any  
Schedule is disabled, Ftp-Filter is disabled  
Smtp-Filter is disabled, Http-Filter is disabled  
Rpc-Filter is disabled, Nat is disabled  
Bytes In 0, Bytes Out 0  
Step 13: Configure firewall policies for a group of mobile users to allow access to the local LAN (applicable only if firewall license is  
enabled)  
Black Box1/configure> firewall corp  
Black Box1/configure/firewall corp> policy 1000 in address 20.1.1.100 20.1.1.150  
10.0.1.0 24  
Black Box1/configure/firewall corp/policy 1000 in  
>exit  
Step 14: Display firewall policies in the corp map (applicable only if firewall license is enabled)  
Black Box1> show firewall policy corp  
Advanced: S - Self Traffic, F - Ftp-Filter, H - Http-Filter,  
R - Rpc-Filter, N - Nat-Ip/Nat-Pool, L - Logging,  
E - Policy Enabled, M - Smtp-Filter  
Pri Dir Source Addr  
--- --- -----------  
1000 in 20.1.1.100  
20.1.1.150  
Destination Addr Sport Dport Proto Action Advanced  
---------------- ----------------- ------ --------  
10.0.1.0/24  
any any any PERMIT E  
1022 out any  
1023 in any  
1024 out any  
any  
any  
any  
any any any PERMIT SE  
any any any PERMIT SE  
any any any PERMIT E  
Step 15: Display firewall policies in the corp map in detail (applicable only if firewall license is enabled)  
44  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Example 5: IPSec remote access  
Black Box1> show firewall policy corp detail  
Policy with Priority 1000 is enabled, Direction is inbound  
Action permit, Traffic is transit  
Logging is disable  
Source Address is 20.1.1.100-20.1.1.150, Dest Address is 10.0.1.0/24  
Source Port is any, Dest Port is any, any  
Schedule is disabled, Ftp-Filter is disabled  
Smtp-Filter is disabled, Http-Filter is disabled  
Rpc-Filter is disabled, Nat is disabled  
Max-Connections 1024, Connection-Rate is disabled  
Policing is disabled, Bandwidth is disabled  
Bytes In 0, Bytes Out 0  
Policy with Priority 1022 is enabled, Direction is outbound  
Action permit, Traffic is self  
Logging is disable  
Source Address is any, Dest Address is any  
Source Port is any, Dest Port is any, any  
Schedule is disabled, Ftp-Filter is disabled  
Smtp-Filter is disabled, Http-Filter is disabled  
Rpc-Filter is disabled, Nat is disabled  
Bytes In 0, Bytes Out 0  
Policy with Priority 1023 is enabled, Direction is inbound  
Action permit, Traffic is self  
Logging is disable  
Source Address is any, Dest Address is any  
Source Port is any, Dest Port is any, any  
Schedule is disabled, Ftp-Filter is disabled  
Smtp-Filter is disabled, Http-Filter is disabled  
Rpc-Filter is disabled, Nat is disabled  
Bytes In 0, Bytes Out 0  
Policy with Priority 1024 is enabled, Direction is outbound  
Action permit, Traffic is transit  
Logging is disable  
Source Address is any, Dest Address is any  
Source Port is any, Dest Port is any, any  
Schedule is disabled, Ftp-Filter is disabled  
Smtp-Filter is disabled, Http-Filter is disabled  
Rpc-Filter is disabled, Nat is disabled  
Max-Connections 1024, Connection-Rate is disabled  
Policing is disabled, Bandwidth is disabled  
Bytes In 11258, Bytes Out 5813  
45  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Black Box LR11xx Series Router Configurations Guide  
46  
Download from Www.Somanuals.com. All Manuals Search And Download.  
5
IPSEC SPECIFICATIONS  
5.1IPSec Appendix  
This appendix provides information about IPSec supported protocols and modes, encryption algorithms and block  
sizes, and Black Box IPSec and IKE default values.  
IPSec Supported Protocols and Algorithms  
The following tables provide supported protocol and algorithm information.  
Table 1 IPSec Protocols Support  
Supported Security  
Protocols  
Mode  
ESP  
Tunnel  
Transport  
AH  
Tunnel  
Transport  
Table 2 Encryption Algorithms  
Encryption Algorithms for ESP  
Block Size  
Data Encryption Standard (DES)  
56-bits  
Triple Data Encryption Standard (3DES)  
168-bits  
Advanced Encryption Standard (AES-128) 128-bits  
Advanced Encryption Standard (AES-192) 192-bits  
Advanced Encryption Standard (AES-256) 256-bits  
Null Encryption  
Table 3 Authentication Algorithms  
Authentication Algorithms for  
AH/ESP  
Hash Size  
HMAC-MD5-96  
96-bits  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Black Box LR11xx Series Router Configurations Guide  
HMAC-HSHA1-96  
96-bits  
Table 4 Diffie-Hellman Groups  
Diffie-Hellman Groups for  
Authentication  
Key Size  
Group 1  
Group 2  
768-bits  
1024-bits  
5.1.1 Black Box IKE and IPSec Defaults  
To minimize configuration required by the user, default IKE and IPSec values have been implemented in Black Box’s  
encryption scheme.  
5.1.1.1 IKE Defaults  
The following table lists IKE defaults. When the user creates an IKE policy specifying an IKE peer, an IKE  
proposal with priority 1 is automatically created. However, to make the IKE policy fully functional, the user must  
enter a pre-shared key.  
Figure 11 IKE Default Values  
Parameter Name  
Black Box Default  
Value  
Mode  
Main mode  
Disabled  
Perfect forward secrecy  
Hash algorithm  
Encryption algorithm  
Authentication method  
DH Group  
SHA1  
DES  
PreShared  
Group 1  
Lifetime  
86400 seconds  
Initiator and responder  
Response type  
5.1.1.2 IPSec Defaults  
The following table lists IPSec defaults. When the user creates an IPSec policy and provides the match address, an  
IPSec proposal with priority 1 is automatically created. When an outbound policy is specified, an inbound policy is  
automatically created.  
48  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
IPSec Appendix  
Figure 12 IPSec Default Values  
Parameter Name  
Black Box Default  
Value  
Key management type  
Hash algorithm  
Encryption algorithm  
Protocol  
Automatic  
SAH1  
3DES  
ESP  
Mode  
Tunnel  
3600 seconds  
Out  
Lifetime  
Direction  
Position in SPD where policy added End  
Perfect forward secrecy Disabled  
49  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Black Box LR11xx Series Router Configurations Guide  
50  
Download from Www.Somanuals.com. All Manuals Search And Download.  
6
FORWARDING IP TRAFFIC  
6.1IP Multiplexing  
IP Multiplexing is a method for the transparent forwarding of IP packets between LAN and WAN interfaces. LAN to WAN  
forwarding is accomplished through a Proxy ARP process. A Black Box system maps a unique MAC address to each WAN  
link then responds with this MAC address when a device on the LAN broadcasts an ARP request for a remote device. These  
MAC addresses serve as “tags” for forwarding packets received on the LAN. WAN to LAN and WAN to WAN forwarding is  
based on configured forwarding entries.  
IP Multiplexing differs from bridging and switching in that it does not flood traffic or perform address learning. IP  
Multiplexing devices differ from routers in that they do not appear as a router hop, and they cannot be specified as a  
default router/gateway on a LAN.  
6.1.1 Packet Forwarding Modes  
There are two modes for WAN to LAN and WAN to WAN packet forwarding  
IP Routes – Forwarding based on routing statements, both specific and default.  
Source Forwarding – Forwards all traffic arriving on a specified WAN bundle to a specified device on the LAN.  
The following table provides information about applications and a suggested forwarding mode for each.  
Table 5 Applications and Suggested Forwarding Modes  
Application  
Suggested Forwarding Mode  
Forwarding traffic from different WAN links to separate  
routers on the LAN  
Source Forwarding  
Forwarding all WAN traffic to a single router on the LAN  
Forwarding to both LAN and WAN router  
Default IPMux Routes  
Specific IPMux Routes  
6.1.2 Proxy ARP and Packet Forwarding  
In the simple network example below, router 1, router 2, and both Black Box Ethernets are on a single 29-bit IP subnet.  
Consider the sequence that occurs when router 1 pings router 2.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
       
Black Box LR11xx Series Router Configurations Guide  
Figure 13 Proxy ARP and Packet Forwarding  
wan  
Router 2  
e0: 200.1.1.1/29  
Router 1  
e0: 200.1.1.4/29  
Black Box 2  
e0: 200.1.1.2/29  
Black Box 1  
e0: 200.1.1.3/29  
1
2
Router 1 broadcasts an ARP request for 200.1.1.1.  
Black Box 1 recognizes that router 200.1.1.1 is reachable via its WAN interface, based on a configured IP  
route.  
3
4
5
6
7
Black Box 1 Proxy ARPs, responding with the MAC address mapped to bundle WAN1.  
Router 1 unicasts the ping echo request to that MAC address.  
Black Box 1 forwards the echo request for 200.1.1.1 through the WAN1 bundle.  
Black Box 2 receives a packet on WAN2 and forwards it to directly connected router 2.  
The echo reply from router 2 to router 1 is returned in the same manner.  
6.1.3 Addressing in IP Multiplexing Networks  
IP addressing in an IP Multiplexing design must take into account the fact that the router on the LAN must see the remote  
router as residing on the same LAN or IP network. There are a number of addressing schemes that can fulfill this  
requirement, including:  
Single subnet  
Split subnet  
Secondary addressing  
Consider the following network, consisting of three remote sites. Two remote sites utilize Black Box equipment,  
while the third is a simple router/dsu combination. Five IP addressing schemes are provided below, all refer to the  
following network.  
Figure 14 Addressing in IP Multiplexing Networks  
e0  
wan 1  
e0  
e1  
Black Box 1  
Router 1  
e0  
e0  
e0  
wan 2  
POP Router  
e0  
e1  
POP
Black Box 2  
Router 2  
e0  
s0  
wan 3  
Router/DSU  
52  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
IP Multiplexing  
6.1.4 Single Subnet  
The emphasis in the single subnet approach is that all seven devices have interfaces in a single 28-bit subnet 192.1.1.0 / 28. The  
WAN addressing utilizes reserved address space.  
Table 6 Single Subnet Addressing  
POP Router  
e0:  
192.1.1.1/28  
POP Black Box  
e0:  
192.1.1.2/28  
10.1.1.1/30  
10.1.1.5/30  
10.1.1.9/30  
wan1:  
wan2:  
wan3:  
Black Box 1  
e0:  
wan1:  
192.1.1.3/28  
10.1.1.2/30  
Router 1  
e0:  
192.1.1.4/28  
Black Box 2  
e0:  
wan1:  
192.1.1.5/28  
10.1.1.6/30  
Router 2  
e0:  
s0:  
192.1.1.6/28  
192.1.1.7/28  
Router/DSU  
6.1.5 Split Subnet  
This is similar to the single subnet scheme in that all four routers are in the same 28-bit subnet, but the Black Box products are on  
smaller, 30-bit subnets.  
Table 7 Split Subnet Addressing  
POP Router  
e0:  
192.1.1.1/28  
POP Black Box  
e0:  
192.1.1.2/30  
10.1.1.1/30  
10.1.1.5/30  
10.1.1.9/30  
wan1:  
wan2:  
wan3:  
Black Box 1  
e0:  
wan1:  
192.1.1.5/30  
10.1.1.2/30  
Router 1  
e0:  
192.1.1.6/28  
Black Box 2  
e0:  
wan1:  
192.1.1.9/30  
10.1.1.6/30  
Router 2  
e0:  
s0:  
192.1.1.10/28  
192.1.1.14/28  
Router/DSU  
53  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Black Box LR11xx Series Router Configurations Guide  
6.1.6 Secondary Addressing – POP Only  
Secondary addressing approaches rely on configuring the POP router with a secondary Ethernet address for each remote site. The  
POP-only approach uses secondary addresses at the POP while the remote router utilizes only a primary address.  
Table 8 POP Only Secondary Addressing  
POP Router  
e0:  
200.1.1.1/30 primary  
199.1.1.1/29 secondary  
199.1.1.9/29 secondary  
199.1.1.17/29 secondary  
POP Black Box  
Black Box 1  
e0:  
200.1.1.2/30  
10.1.1.1/24  
10.1.2.1/24  
10.1.3.1/24  
wan1:  
wan2:  
wan3:  
e0:  
wan1:  
199.1.1.2/29  
10.1.1.2/24  
Router 1  
e0:  
199.1.1.3/29  
Black Box 2  
e0:  
wan1:  
199.1.1.10/29  
10.1.2.2/24  
Router 2  
e0:  
s0:  
199.1.1.11/29  
199.1.1.18/29  
Router/DSU  
6.1.7 Secondary Addressing – 30 Bit  
This approach relies on configuring the POP router with a secondary Ethernet address for each remote site. The remote router is also  
configured with a secondary address in that same subnet. The 30-bit approach uses reserved addresses for bundle addressing. The  
router primary and the directly connected Black Box reside in a different 30-bit subnet.  
Table 9 30-Bit Secondary Addressing  
POP Router  
e0:  
200.1.1.1/30 primary  
199.1.1.1/30 secondary  
199.1.1.5/30 secondary  
199.1.1.9/30 secondary  
POP Black Box  
e0:  
200.1.1.1/30  
10.1.1.1/30  
10.1.1.5/30  
10.1.1.9/30  
wan1:  
wan2:  
wan3:  
Black Box 1  
Router 1  
e0:  
wan1:  
201.1.1.2/30  
10.1.1.2/30  
e0:  
201.1.1.1/30 primary  
199.1.1.2/30 secondary  
Black Box 2  
Router 2  
e0:  
wan1:  
202.1.1.2/30  
10.1.1.6/30  
e0:  
202.1.1.1/30 primary  
199.1.1.6/30 secondary  
Router/DSU  
s0:  
199.1.1.10/30  
54  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
IP Multiplexing  
6.1.8 Secondary Addressing – 29 Bit  
This approach utilizes a 29-bit subnet for each remote connection. Within each 29-bit subnet is the POP router secondary, the Black  
Box WAN addressing, and the remote router secondary.  
POP Router  
e0:  
200.1.1.1/30 primary  
199.1.1.1/29 secondary  
199.1.1.9/29 secondary  
199.1.1.17/29 secondary  
POP Black Box  
e0:  
200.1.1.2/30  
199.1.1.2/29  
199.1.1.10/29  
199.1.1.18/29  
wan1:  
wan2:  
wan3:  
Black Box 1  
Router 1  
e0:  
wan  
201.1.1.2/30  
199.1.1.3/29  
e0:  
201.1.1.1/30 primary  
199.1.1.4/29 secondary  
Black Box 2  
Router 2  
e0:  
wan1:  
202.1.1.2/30  
199.1.1.11/29  
e0:  
202.1.1.1/30 primary  
199.1.1.12/29 secondary  
Router/DSU  
s0:  
199.1.1.19/29  
6.1.9 Pros and Cons of Different IP Addressing Schemes  
The following table provides information about addressing scheme pros and cons.  
Table 10 Addressing Schemes: Pros and Cons  
Approach  
Pros  
Cons  
Single Subnet  
Minimizes consumption of IP  
address space  
POP Black Box requires two route statements  
per remote connection.  
Split Subnet  
Less routes required in Black  
Box  
Consumes 29-bit subnet per remote site.  
Secondary Addressing  
Easily Scalable  
Consumes 29-or 30-bit subnet per remote. Not  
transparent to certain routing protocols.  
6.1.10 Routing Considerations for IP Multiplexing  
RIP / RIP2 / IGRP –Turn off split horizons to enable routing updates through secondary addresses, if used.  
EIGRP – Updates are sourced only from primary addresses, although routers will listen to updates arriving on primary and  
secondary.  
OSPF – For Cisco and other routers, routing updates are sourced and detected only on primary addresses, therefore  
secondary addressing schemes are not usable.  
BGP4 – Routing updates are fully functional over primary and secondary addresses.  
55  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
Black Box LR11xx Series Router Configurations Guide  
56  
Download from Www.Somanuals.com. All Manuals Search And Download.  
7
IP MULTIPLEXING HDLC  
CONFIGURATIONS  
7.1Connecting a Black Box Router to a Router/CSU  
via HDLC  
The following diagram details a single T1 connection between a Black Box and a remote router/CSU combination.  
Secondary IP addressing is used for IP multiplexing.  
Figure 15 IP Multiplexing Application  
10.1.1.2/24  
Router/  
T1 CSU  
10.1.1.3/24  
Telco  
CT3  
T1  
LR1104A  
192.5.75.1/24  
129.1.1.2/24  
192.5.75.0/24  
Primary: 129.1.1.1/24  
Secondary: 10.1.1.1/24  
Router  
SITE 2  
SITE 1  
The two sites communicate over a single T1 channel. The Site 2 WAN bundle, named “ToSite1”, consists of a single T1  
channel coming in via a CT3 circuit. Site 1 router's default route is directed to the Site 2 router: 0.0.0.0/0 10.1.1.1  
The Site 2 router is configured with: primary ethernet address: 129.1.1.1/24, secondary ethernet addr on the WAN  
subnet: 10.1.1.1/24, and route to the Site 1 router: 192.5.75.0/24 10.1.1.3.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Configuration Guide  
7.1.1 Configure the Black Box LR1104A at Site 2  
Site2-LR1104A> configure term  
Site2-LR1104A/configure> interface ethernet 0  
Site2-LR1104A/configure/interface/ethernet> ip addr 129.1.1.2 255.255.255.0  
Site2-LR1104A/configure/interface/ethernet> exit  
Site2-LR1104A/configure> interface bundle toSite1  
Site2-LR1104A/configure/interface/bundle> link ct3 1 1  
Site2-LR1104A/configure/interface/bundle> encap hdlc  
Site2-LR1104A/configure/interface/bundle> ip addr 10.1.1.2 255.255.255.0  
Site2-LR1104A/configure/interface/bundle> ipmux source_forwarding 129.1.1.1  
Site2-LR1104A/configure/interface/bundle> exit  
58  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
8
IP MULTIPLEXING PPP AND MLPPP  
CONFIGURATIONS  
8.1Configuring Multiple PPP and MLPPP Bundles  
The following figure shows a Black Box LR1104A at the main site communicating with three remote sites. Site 1  
utilizes a Black Box LR1114A communicating over a 4 x T1 WAN bundle. Site 2 utilizes a Black Box LR1114A  
communicating over a 2 x T1 WAN bundle. Site 3 utilizes a router/T1 CSU combination to communicate over a single  
T1.  
This example focuses on the main site Black Box LR1104A - refer to other configuration examples for details on  
remote site configurations. Secondary IP addressing is used for IP multiplexing in this example.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Black Box LR11xx Series Router Configurations Guide  
Figure 16 IP Multiplexing Application  
Router  
SITE 1  
201.1.1.1/24: Primary  
10.1.1.1/24: Secondary  
201.1.1.2/24  
Bundle: To Site 1: 10.1.1.3/24: 4 x T1  
Bundle: To Site 2: 10.1.2.3/24: 2 x T1  
Bundle: To Site 3: 10.1.3.3/24: 1 x T1  
10.1.1.2/24  
0  
LR1114A  
Router  
4 x T1  
CT3  
Telco  
SITE 2  
202.1.1.1/24: Primary  
10.1.2.1/24: Secondary  
10.1.2.2/24  
200.1.1.2/24  
Primary: 200.1.1.1/24  
Secondary: 10.1.1.4/24  
Secondary: 10.1.2.4/24  
Secondary: 10.1.3.4/24  
LR1104A  
2 x T1  
T1  
LR1114A  
MAIN SITE  
Router / T1 CSU  
10.1.3.1/24  
Router  
SITE 3  
203.1.1.1/24  
The main site Black Box LR1104A is configured with three WAN bundles. Each bundle has a unique name and an  
IP address from a unique WAN subnet associated with it. The main site router is configured with the following IP  
routes: To Site 1 201.1.1.0/24 10.1.1.1, To Site 2 202.1.1.0/24 10.1.2.1, and To Site 3 203.1.1.0/24 10.1.3.1.  
60  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Configuring Multiple PPP and  
8.1.1 Configure the Black Box LR1104A at the Main Site  
MainLR1104A/configure> interface ethernet 0  
MainLR1104A/configure/interface/ethernet> ip addr 200.1.1.2 255.255.255.0  
MainLR1104A/configure/interface/ethernet> exit  
MainLR1104A/configure> module ct3 1  
MainLR1104A/configure/module/ct3> t1 1-4 esf b8zs line gen_det description "4 x T1 to Site 1"  
MainLR1104A/configure/module/ct3>exit  
MainLR1104A/configure> interface bundle toSite1  
MainLR1104A/configure/interface/bundle> link ct3 1 1-4  
MainLR1104A/configure/interface/bundle> encap ppp  
MainLR1104A/configure/interface/bundle> ip addr 10.1.1.3 255.255.255.0  
MainLR1104A/configure/interface/bundle> ipmux source_forwarding 200.1.1.1  
MainLR1104A/configure/interface/bundle> exit  
MainLR1104A/configure> module ct3 1  
MainLR1104A/configure/module/ct3> t1 5-6 esf b8zs line gen_det description "2 x T1 to Site 2"  
MainLR1104A/configure/module/ct3>exit  
MainLR1104A/configure> interface bundle toSite2  
MainLR1104A/configure/interface/bundle> link ct3 1 5-6  
MainLR1104A/configure/interface/bundle> encap ppp  
MainLR1104A/configure/interface/bundle> ip addr 10.1.2.3 255.255.255.0  
MainLR1104A/configure/interface/bundle> ipmux source_forwarding 200.1.1.1  
MainLR1104A/configure/interface/bundle> exit  
MainLR1104A/configure> module ct3 1  
MainLR1104A/configure/module/ct3> t1 7 esf b8zs line gen_det description "T1 to Site 3"  
MainLR1104A/configure/module/ct3> exit  
MainLR1104A/configure> interface bundle toSite3  
MainLR1104A/configure/interface/bundle> link ct3 1 7  
MainLR1104A/configure/interface/bundle> encap ppp  
MainLR1104A/configure/interface/bundle> ip addr 10.1.3.3 255.255.255.0  
MainLR1104A/configure/interface/bundle> ipmux source_forwarding 200.1.1.1  
MainLR1104A/configure/interface/bundle> exit  
61  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
Black Box LR11xx Series Router Configurations Guide  
62  
Download from Www.Somanuals.com. All Manuals Search And Download.  
9
CONFIGURING PPP, MLPPP, AND  
HDLC  
9.1Layer Two Configurations: PPP, MLPPP, and  
HDLC  
Black Box systems may be configured for a variety of Layer 2 protocols. This document outlines High-level Data Link  
Control (HDLC), Point to Point Protocol (PPP), and Multilink PPP (MLPPP) configurations. Other Black Box  
documents outline Frame Relay and Multilink Frame Relay configuration.  
Black Box LR1104A systems are often used at POPs to aggregate data for WAN transmission. The following figure  
details PPP and multilink PPP connections from two CPE sites to a main site.  
Figure 17 PPP/MLPPP Application  
LR1114A  
SITE 1  
4 x T1  
(MLPPP)  
LR1104A  
CT3  
WAN  
Router/DSU  
SITE 2  
Site 1 uses a Black Box LR1114A system to establish a 6 Mbps MLPPP connection (four T1 lines) to the main site. In  
this example, MLPPP segmentation is configured lower than the default setting of 512 bytes, and the differential delay  
tolerance is tighter than the default 128 milliseconds.  
Site 2 connects to the main site over a single T1 link with PPP encapsulation. The LR1104A system PPP parameters  
(i.e., the maximum transmit and receive byte sizes) are adjusted to comply with the Site 1 router configuration.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Black Box LR11xx Series Router Configurations Guide  
9.1.1 MLPPP Configuration  
9.1.1.1 Configure the Black Box LR1114A System at Site 1  
Blackbox> configure term  
Blackbox/configure> interface bundle ToMain  
Blackbox/configure/interface/bundle> link t1 1-4  
NOTE  
MLPPP is not explicitly configured via the encapsulation command. Instead, multilink PPP is automatically invoked when a bundle  
with PPP encapsulation has two or more T1 links.  
Blackbox/configure/interface/bundle> encap ppp  
Blackbox/configure/interface/bundle> mlppp seg_threshold LR1114A differential_delay  
50  
Blackbox/configure/interface/bundle> ip addr 192.168.1.2 255.255.255.0  
Blackbox/configure/interface/bundle> exit  
9.1.2 PPP and MLPPP Configuration  
9.1.2.1 Configure the Black Box LR1104A System at the Main Site  
Blackbox/configure> interface bundle ToSite1  
Blackbox/configure/interface/bundle> link ct3 1 5-8  
Blackbox/configure/interface/bundle> encap ppp  
Blackbox/configure/interface/bundle> mlppp seg_threshold LR1114A differential_delay  
50  
Blackbox/configure/interface/bundle> ip addr 192.168.1.1 255.255.255.0  
Blackbox/configure/interface/bundle> exit  
Blackbox/configure> interface bundle ToSite2  
Blackbox/configure/interface/bundle> link ct3 1 9  
Blackbox/configure/interface/bundle> encap ppp  
Blackbox/configure/interface/bundle> ppp mtu 100-250-1000 mru 100-250-1000  
Blackbox/configure/interface/bundle> ip addr 192.168.2.1 255.255.255.0  
Blackbox/configure/interface/bundle> exit  
9.1.3 HDLC Configuration  
HDLC encapsulation may be substituted for PPP between the main site and site 2  
9.1.3.1 Configure the Black Box LR1104A System at the Main Site  
Blackbox/configure> interface bundle ToSite2  
Blackbox/configure/interface/bundle> link ct3 1 9  
Blackbox/configure/interface/bundle> encap hdlc  
Blackbox/configure/interface/bundle> hdlc keepalive 20  
Blackbox/configure/interface/bundle> ip addr 192.168.2.1 255.255.255.0  
Blackbox/configure/interface/bundle> exit  
NOTE  
In the above command sequence, the HDLC keepalive time interval was changed from its default setting of 10 seconds to 20  
seconds  
64  
Download from Www.Somanuals.com. All Manuals Search And Download.  
           
10  
CONFIGURING FIREWALLS  
10.1Firewalls  
Configuring firewalls allows administrators to adapt network protection policies to meet ever-changing hacker and  
intruder threats. Just as virus protection software requires updates to protect against the latest intrusion attacks, firewalls  
must be updated. In this release of Black Box software, administrators are able to filter traffic on specific ports, protect  
against Denial of Services attacks, enable IP packet reassembly, and so forth.  
There are three licenses that control access to the features:  
Basic VPN Management (vpn_mgmt)—allows users to manage a remote Black Box router.  
Firewall (firewall)—allows users to manage the firewall features. Also includes Basic VPN Management.  
Advanced VPN and firewall (vpn_plus_firewall)—Allows users to manage remote LANs. Also includes  
Basic VPN and Firewall licenses.  
To see the licenses available in this release, enter:  
Blackbox/configure> system licenses ?  
NAME  
licenses - Configure feature upgrade licenses  
SYNTAX  
licenses license_type <cr>  
DESCRIPTION  
license_type  
-- Specifies the type of feature upgrade license  
The parameter may have any of the following values:  
enable_1_port -- Enable 1 port  
enable_2_ports-- Enable 2 ports  
enable_3_ports-- Enable 3 ports  
enable_4_ports-- Enable 4 ports  
BGP4  
-- BGP4 routing  
vpn_mgmt  
firewall  
-- Enable VPN Mgmt License  
-- Enable Firewall and VPN Mgmt License  
vpn_plus_firewall-- Enable Advance VPN and Firewall License  
To install the advanced VPN and firewall license and use all the security features available in this release, enter:  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Black Box LR11xx Series Router Configurations Guide  
Blackbox/configure> system licenses vpn_plus_firewall  
Enter Security Upgrade License key: 024f3bc296b4ea7265  
10.2 Firewall Configuration Examples  
10.2.1 Basic Firewall Configuration  
Figure 18 illustrates the basic elements of a firewall. Refer to this illustration in the configuration example below.  
Figure 18 Basic Firewall Configuration  
www.yahoo.com  
Remote  
Web server  
User  
Internet  
Forward PAT  
Reverse NAT  
10.2.1.0/24  
CORP  
DMZ  
10.3.1.0/24  
FTP Server  
A typical and basic firewall implementation is one which protects traffic to and from a network, a server farm, and  
the Internet. In this example, the firewall features in the Black Box router will protect the CORP network and the  
server farm in the DMZ from unauthorized access from the Internet.  
To create this basic three-armed firewall configuration, complete these steps:  
Step 1:Configure the Ethernet interfaces and the WAN interfaces with IP addresses:  
66  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
Firewall Configuration Ex-  
Blackbox/configure> interface ethernet 0  
Configuring existing Ethernet interface  
Blackbox/configure/interface/ethernet 0> ip address 10.2.1.1 24  
Blackbox/configure/interface/ethernet 0> exit  
Blackbox/configure> interface ethernet 1  
Configuring existing Ethernet interface  
Blackbox/configure/interface/ethernet 1> ip address 10.3.1.1 24  
Blackbox/configure/interface/ethernet 1> exit  
Blackbox/configure> interface bundle wan  
Blackbox/configure/interface/bundle wan> link t1 1  
Blackbox/configure/interface/bundle wan> encapsulation p  
Blackbox/configure/interface/bundle wan> ip address 193.168.94.220 24  
Blackbox/configure/interface/bundle wan> exit  
Step 2: Create the security zones CORP and DMZ and attach interfaces:  
Blackbox/configure> firewall corp  
Blackbox/configure/firewall corp> interface ethernet0  
Blackbox/configure/firewall corp> exit  
Blackbox/configure> firewall dmz  
Blackbox/configure/firewall dmz> interface ethernet1  
Blackbox/configure/firewall dmz> exit  
Blackbox/configure> firewall internet  
Blackbox/configure/firewall internet> interface wan  
Blackbox/configure/firewall internet> exit 2  
Step 3: Verify that the interfaces are attached to the security zones:  
Blackbox/configure> show firewall interface all  
Interface  
---------  
ethernet0  
ethernet1  
wan  
Map Name  
--------  
corp  
dmz  
internet  
Step 4: Create policies for Security Zone CORP that:  
Allow all outgoing traffic (with firewall policy priority 1024)  
Deny all incoming traffic (with firewall policy priority 1021)  
Create an object of type http-filter to block java traffic  
Modify policy 1024 to pat all outgoing traffic using public IP 193.168.94.220  
Modify policy 1024 to add a java HTTP filter.  
67  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Black Box LR11xx Series Router Configurations Guide  
Blackbox/configure>  
Blackbox/configure/firewall corp>  
Blackbox/configure/firewall corp>  
Blackbox/configure/firewall corp> policy 1024 out  
Blackbox/configure/firewall corp/policy 1024 out> exit  
Blackbox/configure/firewall corp> policy 1021 in deny  
Blackbox/configure/firewall corp/policy 1021 in> exit  
Blackbox/configure/firewall corp> object  
Blackbox/configure/firewall corp/object> http-filter javadeny deny  
*.java  
Blackbox/configure/firewall corp/object> exit  
Blackbox/configure/firewall corp> policy 1024 out nat-ip  
193.168.94.220  
Blackbox/configure/firewall corp/policy 1024 out> apply-object  
http-filter javadeny  
Blackbox/configure/firewall corp/policy 1024 out> exit  
Step 5: Verify the firewall policy for Security Zone CORP:  
Blackbox/configure> show firewall policy corp  
Advanced: S - Self Traffic, F - Ftp-Filter, H - Http-Filter,  
R - Rpc-Filter, N - Nat-Ip/Nat-Pool, L - Logging,  
E - Policy Enabled, M - Smtp-Filter  
Pri Dir Source Addr  
--- --- -----------  
1021 in any  
1022 out any  
1023 in any  
Destination Addr  
----------------  
any  
any  
any  
any  
Sport Dport Proto Action Advanced  
----------------- ------ --------  
any  
any  
any  
any  
any  
any  
any  
any  
any  
any  
any  
any  
DENY  
E
PERMIT SE  
PERMIT SE  
PERMIT HNE  
1024 out any  
Step 6: Verify that the HTTP filter object in Security Zone CORP is created as configured.  
Blackbox/configure> show firewall object http-filter corp  
Object Name  
-----------  
javadeny  
Action Log File Extensions  
------ --- ---------------  
deny no *.java  
Blackbox/configure>  
Step 7: Create policies for Security Zone DMZ that:  
Create an object of type nat-pool with private IP address of FTP server  
Create an object of type ftp-filter to deny put and mkdir commands  
Create a firewall policy to allow inbound traffic to FTP server public IP address (193.168.94.221) of priority 100  
Modify policy 100 to add NAT pool object to translate incoming traffic for FTP server from public IP to private IP.  
Modify policy 100 to add an FTP filter.  
68  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Firewall Configuration Ex-  
Blackbox/configure> firewall dmz  
Blackbox/configure/firewall dmz> object  
Blackbox/configure/firewall dmz/object> ftp-filter putdeny deny put  
mkdir  
Blackbox/configure/firewall dmz/object> nat-pool ftpsrvr static  
10.3.1.100  
Blackbox/configure/firewall dmz/object> exit  
Blackbox/configure/firewall dmz> policy 100 in address any any  
193.168.94.221 32  
Blackbox/configure/firewall dmz/policy 100 in> apply-object nat-pool  
ftpsrvr  
Blackbox/configure/firewall dmz/policy 100 in> apply-object  
ftp-filter putdeny  
Blackbox/configure/firewall dmz/policy 100 in> exit  
Blackbox/configure/firewall dmz> exit  
Step 8:Verify the firewall policy for Security Zone DMZ  
Blackbox/configure> show firewall policy dmz  
Advanced: S - Self Traffic, F - Ftp-Filter, H - Http-Filter,  
R - Rpc-Filter, N - Nat-Ip/Nat-Pool, L - Logging,  
E - Policy Enabled, M - Smtp-Filter  
Pri Dir Source Addr  
--- --- -----------  
100 in any  
1022 out any  
1023 in any  
Destination Addr  
----------------  
193.168.94.221/32 any  
any  
any  
any  
Sport Dport Proto Action Advanced  
----------------- ------ --------  
any  
any  
any  
any  
PERMIT FNE  
PERMIT SE  
PERMIT SE  
PERMIT E  
any  
any  
any  
any  
any  
any  
any  
1024 out any  
Step 9: Verify that the FTP filter objects for Security Zone DMZ are created as configured:  
Blackbox/configure> show firewall object ftp-filter dmz  
Object Name  
-----------  
putdeny  
Action Log Commands  
------ --- --------  
deny no put mkdir  
Blackbox/configure>  
Step 10: Create a default route out of the WAN  
Blackbox/configure> ip route 0.0.0.0 0 wan  
Blackbox/configure>  
Step 11:Verify the system configuration by displaying the running configuration.  
69  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Black Box LR11xx Series Router Configurations Guide  
Blackbox/configure> show configuration running  
Please wait... (up to a minute)  
terminal  
exit terminal  
qos  
exit qos  
module t1 1  
alarms  
thresholds  
exit thresholds  
exit alarms  
linemode  
exit linemode  
exit t1  
module t1 2  
alarms  
thresholds  
exit thresholds  
exit alarms  
linemode  
exit linemode  
exit t1  
module t1 3  
alarms  
thresholds  
exit thresholds  
exit alarms  
linemode  
exit linemode  
exit t1  
module t1 4  
alarms  
thresholds  
exit thresholds  
exit alarms  
linemode  
exit linemode  
exit t1  
aaa  
tacacs  
retries 2  
time_out 5  
server_port 49  
exit tacacs  
radius  
exit radius  
exit aaa  
interface ethernet 0  
ip address 10.2.1.1 255.255.255.0  
ip multicast  
mode ospfrip2  
exit multicast  
mtu 4000  
icmp  
exit icmp  
70  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Firewall Configuration Ex-  
qos  
exit qos  
vrrp_mode 0  
aaa  
exit aaa  
crypto trusted  
exit ethernet  
interface ethernet 1  
ip address 10.3.1.1 255.255.255.0  
ip multicast  
mode ospfrip2  
exit multicast  
mtu 4000  
icmp  
exit icmp  
qos  
exit qos  
vrrp_mode 0  
aaa  
exit aaa  
crypto trusted  
exit ethernet  
interface bundle wan  
link t1 1  
encapsulation ppp  
ip address 193.168.94.220 255.255.255.0  
ip multicast ospfrip2  
red  
exit red  
icmp  
exit icmp  
qos  
exit qos  
aaa  
exit aaa  
crypto untrusted  
exit bundle  
interface console  
aaa  
exit aaa  
exit console  
snmp  
system_id Black Box  
enable_trap  
exit enable_trap  
exit snmp  
hostname Black Box  
log utc  
telnet_banner  
exit telnet_banner  
event  
exit event  
system logging  
no console  
syslog  
host_ipaddr 193.168.94.35  
exit syslog  
exit logging  
ip  
load_balance per_flow  
71  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Black Box LR11xx Series Router Configurations Guide  
multicast  
exit multicast  
route 0.0.0.0 0.0.0.0 wan 1  
exit ip  
policy community_list  
exit community_list  
crypto  
exit crypto  
firewall global  
exit firewall  
firewall internet  
interface wan  
policy 1024 out self  
exit policy  
exit firewall  
firewall corp  
interface ethernet0  
object  
http-filter javadeny deny *.java  
exit object  
policy 1021 in deny  
exit policy  
policy 1022 out self  
exit policy  
policy 1023 in self  
exit policy  
policy 1024 out nat-ip 193.168.94.220  
apply-object http-filter javadeny  
exit policy  
exit firewall  
firewall dmz  
interface ethernet1  
object  
nat-pool ftpsrvr static 10.3.1.100 10.3.1.100  
ftp-filter putdeny deny put mkdir  
exit object  
policy 100 in address any any 193.168.94.221 32  
apply-object ftp-filter putdeny  
apply-object nat-pool ftpsrvr  
exit policy  
policy 1022 out self  
exit policy  
policy 1023 in self  
exit policy  
policy 1024 out  
exit policy  
exit firewall  
Blackbox/configure>  
72  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Firewall Configuration Ex-  
10.2.1 Stopping DoS Attacks  
The following commands show how to configure the firewall to defend against Denial of Service (DoS) attacks. Black Box  
provides protection against FTP bounce, ICMP error checks, IP sequence number checks, unaligned timestamps, MIME  
flooding, source routing checks, SYN flooding, and WIN nuke attacks. To configure the firewall for protection against all of  
these attacks, enter:  
Blackbox> config term  
Blackbox/configure> firewall global  
Blackbox/configure/firewall global> dos-protect  
Blackbox/configure/firewall global/dos-protect> enable-all  
Blackbox/configure/firewall global/dos-protect> exit 2  
Blackbox/configure>  
73  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
Black Box LR11xx Series Router Configurations Guide  
10.2.2 Packet Reassembly  
To configure the firewall to perform IP reassembly of oversized packets that have been fragmented, enter:  
Blackbox> config term  
Blackbox/configure> firewall global  
Blackbox/configure/firewall global> ip-reassembly  
Blackbox/configure/firewall global/ip-reassembly> fragment-count  
100  
Blackbox/configure/firewall global/ip-reassembly> fragment-size  
56  
Blackbox/configure/firewall global/ip-reassembly> packet-size  
2048  
Blackbox/configure/firewall global/ip-reassembly> timeout 20  
10.3 NAT Configurations  
Network Address Translation (NAT) was defined to serve two purposes:  
Allowed LAN administrators to create secure, private, non-routable IP networks behind firewalls  
Stretched the number of available IP addresses by allowing LANs to use one public (real) IP address as the gateway  
with a very large pool of NAT addresses behind it.  
In the most common NAT application (which is to provide secure networking behind a firewall), the device (Black Box  
system) that connects the user LAN to the Internet will have two IP addresses:  
A private IP address on the LAN side for the RFC 1918 address range  
A public address, routable over the Internet, on the WAN side  
Consider a PC on the LAN sending a packet destined for some.server.com. The source IP address and port are in the packet  
together with the destination IP address and port. When the packet arrives at the Black Box system it will be de-encapsulated,  
modified, and re-encapsulated. The re-encapsulated packet sent by the Black Box system destined for the Internet contains the  
Black Box system’s public IP address, a source port allocated from its list of available ports, and the same destination IP  
address and port number generated by the PC. The Black Box system also adds an entry into a table it keeps, which maps the  
internal address and source port number that the PC generated against the port number it allocated to this session. Therefore,  
when some.server.com sends a reply packet to the PC, the Black Box system can quickly determine how it needs to re-write  
the packet before transmitting it back on to the LAN.  
Dynamic NAT is used when packets destined for the Internet are transported from a LAN using the public source IP address  
assigned to the local router. Dynamic NAT performs this task well, but it does not permit providing services to the Internet  
from inside a LAN which requires the use of static NAT. Static NAT also requires a public address from the upstream service  
provider. Individual PCs within a LAN are assigned RFC 1918 reserved IP addresses to enable access to other PCs within the  
LAN. The Black Box system is configured with static mapping, which maps the internal RFC 1918 IP addresses for each PC  
to the appropriate public IP address. When traffic is sent to the public address listed in the static mapping, the Black Box  
system forwards the packets to the correct PC within the LAN, according to the mapping relationship established.  
10.4 NAT Configuration Examples  
74  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
NAT Configuration Examples  
10.4.1 Dynamic NAT (many to many)  
In dynamic (many-to-many) NAT type, multiple source IP addresses in the corporate network will be mapped to multiple NAT  
IP addresses (not necessarily of equal number). For a set of local IP address from 10.1.1.1 to 10.1.1.4 there will be a set of  
NAT IP address from 60.1.1.1 to 60.1.1.2. In case of many-to-many NAT, only IP address translation takes place, i.e., if a  
packet travels from 10.1.1.1 to yahoo.com, Black Box-Firewall only substitutes the source address in the IP header with one of  
the NAT IP address and the source port will be the same as the original. If traffic emanates from the same client to any other  
server, the same NAT IP address is assigned. The advantage is that the NAT IP addresses are utilized in a better and optimum  
manner dynamically.  
If a NAT IP address cannot be allocated dynamically at the connection creation time, the packet would be dropped.  
Figure 19 Dynamic NAT  
10.1.1.1  
INTERNET  
60.1.1.1-60.1.1.2  
10.1.1.2  
10.1.1.3  
10.1.1.4  
The dynamic NAT configuration shown in Figure 19 includes:  
Private network addresses:10.1.1.1—10.1.1.4  
Public (NAT) IP address range: 60.1.1.1—60.1.1.2  
To create NAT pool with type dynamic, specify the IP address and the NAT ending IP address.Then add a policy with the  
source IP address range, and attach the NAT pool to the policy.  
Blackbox/configure> firewall corp  
Blackbox/configure/firewall corp> object  
Blackbox/configure/firewall corp/object> nat-pool addresspoolDyna  
dynamic 60.1.1.1 60.1.1.2  
Blackbox/configure/firewall corp/object> exit  
Blackbox/configure/firewall corp> policy 8 out address 10.1.1.1  
10.1.1.4 any any  
Blackbox/configure/firewall corp/policy 8 out> apply-object  
nat-pool addresspoolDyna  
Blackbox/configure/firewall corp/policy 8 out> exit 2  
Blackbox/configure>  
75  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Black Box LR11xx Series Router Configurations Guide  
10.4.2 Static NAT (one to one)  
Figure 20 Static NAT  
10.1.1.1  
INTERNET  
50.1.1.1-50.1.1.3  
10.1.1.2  
10.1.1.3  
In static (one-to-one) NAT type, for each IP address in the corporate network, one NAT IP address will be used. For example,  
for the three IP addresses from 10.1.1.1 to 10.1.1.3, there is a set of three NAT IP address from 50.1.1.1 to 50.1.1.3. In case of  
one-to-one NAT, only IP address translation takes place, that is, if a packet travels from 10.1.1.1 to yahoo.com, the Black  
Box-Firewall only substitutes the source address in the IP header with the NAT IP address. The source port will be the same as  
the original.  
The static NAT configuration shown in Figure 20 includes:  
Private network address:10.1.1.1—10.1.1.3  
Public (NAT) IP address range: 50.1.1.1—50.1.1.3  
To create NAT pool with type static, specify the IP address and the ending NAT IP address. Add a policy with source IP  
address range and attach NAT pool to the policy.  
Blackbox/configure> firewall corp  
Blackbox/configure/firewall corp object  
Blackbox/configure/firewall corp/object> nat-pool addresspoolStat  
static 50.1.1.1 50.1.1.3  
Blackbox/configure/firewall corp/object> exit  
Blackbox/configure/firewall corp> policy 7 out address 10.1.1.1  
10.1.1.3 any any  
Blackbox/configure/firewall corp/policy 7 out> apply-object  
nat-pool addresspoolStat  
Blackbox/configure/firewall corp/policy 7 out> exit 2  
Blackbox/configure>  
76  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
NAT Configuration Examples  
10.4.3Port Address Translation (Many to one)  
Figure 21 Mapping Multiple NAT Addresses to One Public IP Address  
10.1.1.1  
INTERNET  
10.1.1.2  
10.1.1.3  
50.1.1.5  
NAT allows multiple IP addresses to be mapped to one address.  
There are two methods to configure Port Address Translation (PAT) on the Black Box gateway. In the first method, specify the  
IP address to the nat-ip parameter in the policycommand. In the second method, create a pool of type PAT and then  
attach it to the policy.  
In PAT, multiple hosts can share the same IP address.  
The PAT configuration shown in Figure 21 includes:  
Private network address: 10.1.1.1—10.1.1.3  
PAT address: 50.1.1.5  
Method:1 – Specifying NAT address with the policy command  
To configure this method of PAT, add the policy with the source IP address range, then specify the nat-ip address in the  
policycommand:  
Blackbox/configure> firewall corp  
Blackbox/configure/firewall corp> policy 2 out address 10.1.1.1  
10.1.1.3 any any nat-ip 50.1.1.5  
Blackbox/configure/firewall corp/policy 2 out> exit 2  
Blackbox/configure>  
Method:2 – Attaching nat pool to the policy  
To configure the second type of NAT, create a NAT pool with type patand specify the IP address. Then add the policy with  
the source IP address range. Finally, attach the NAT pool to the policy.  
77  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Black Box LR11xx Series Router Configurations Guide  
Blackbox/configure> firewall corp  
Blackbox/configure/firewall corp> object  
Blackbox/configure/firewall corp/object> nat-pool addresspoolPat  
pat 50.1.1.5  
Blackbox/configure/firewall corp/object> exit  
Blackbox/configure/firewall corp> policy 2 out address 10.1.1.1  
10.1.1.3 any any  
Blackbox/configure/firewall corp/policy 2 out> apply-object  
nat-pool addresspoolPat  
Blackbox/configure/firewall corp/policy 2 out> exit 2  
Blackbox/configure>  
78  
Download from Www.Somanuals.com. All Manuals Search And Download.  
11  
MULTIPATH MULTICAST  
CONFIGURATIONS  
11.1Multipath Multicast  
The multicast multipath feature allows load balancing on multicast traffic across equal cost paths. Equal cost multipath  
routing is useful when multiple equal cost routes to the same destination exist. These routes can be discovered and be  
used to provide load balancing among redundant paths. Commonly used methods for multipath forwarding are  
Round-Robin and Random. While these methods do provide a form of load balancing, but variable path MTUs,  
variable latencies, and debugging can limit the effectiveness of these methods.  
The following methods have been developed to deal with the load balancing limitations of the Round-Robin and Ran-  
dom methods:  
Modulo-N Hash —To select a next-hop from the list of N next-hops, the router performs a modulo-N hash over  
the packet header fields that identify a flow.”  
Hash-Threshold—The router first selects a key by performing a hash over the packet header fields that identify  
the flow. The N next-hops have been assigned unique regions in the hash functions output space. By comparing  
the hash value against region boundaries the router can determine which region the hash value belongs to and  
thus which next-hop to use.  
Highest Random Weight (HRW)—The router computes a key for each next-hop by performing a hash over the  
packet header fields that identify the flow, as well as over the address of the next-hop. The router then chooses  
the next-hop with the highest resulting key value.  
The Round-Robin and Random methods are disruptive by design (that is, if there is no change to the set of next-hops,  
the path a flow takes changes every time). Modulo-N, Hash Threshold, and HRW are not disruptive.  
RFC 2991 recommends to use HRW method to select the next-hop for multicast packet forwarding. or this reason,  
Black Box-only scenarios apply the HRW method as the default. This is similar to the Cisco Systems IPv6 multicast  
multipath implementation.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Black Box LR11xx Series Router Configurations Guide  
11.2Multipath Commands  
The following table lists the multipath commands:  
Task  
Command  
Enabling HRW method  
Enabling Cisco method  
Disabling Multipath  
Blackbox/configure/ip/multicast> multipath  
Blackbox/configure/ip/multicast> multipath cisco  
Blackbox/configure/ip/multicast> no multipath  
Blackbox/configure/ip/multicast> no multipath cisco  
Display RPF selection  
Blackbox>show ip rpf <addr>  
<addr> - source or RP address  
When multipath is disabled, Black Box selects the nexthop address with lowest ip address. For equal cost routes the  
nexthops are stored in the increasing (ascending) order of IP address. show ip rpf command displays the selected  
path, based on the configured multipath method and the nexthops of the best route to the IP address passed.  
11.2.1Multipath Examples  
The following examples illustrate how the multicast commands are used:  
The following command enables compatibility between the Black Box router and equipment running Cisco IOS.  
Blackbox/configure/ip/multicast> multipath mode cisco  
Blackbox/configure/ip/multicast>  
The following command enables HRW compatibility.  
Blackbox/configure/ip/multicast> multipath  
Blackbox/configure/ip/multicast>  
The following example shows how to see the reverse path forwarding information for the RP at 201.1.1.99:  
Blackbox> show ip rpf 201.1.1.99  
80  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
12  
CONFIGURING NAT  
12.1Network Address Translation  
Network Address Translation (RFC 1631) is commonly known as NAT. This application discusses NAT and provides a  
technical explanation and configuration examples.  
Features:  
Dynamic Address/Port Translation  
Static Address/Port Translation  
Forward and Reverse NAT  
Non-Translated Address Pass Through  
In the most common NAT application, the device (Black Box system) that connects the user LAN to the Internet will  
have two IP addresses:  
A private IP address on the LAN side for the RFC 1918 address range  
A public address, routable over the Internet, on the WAN side  
Consider a PC on the LAN sending a packet destined for some.server.com. The source IP address and port are in the  
packet together with the destination IP address and port. When the packet arrives at the Black Box system it will be  
de-encapsulated, modified, and re-encapsulated. The re-encapsulated packet sent by the Black Box system destined for  
the Internet contains the Black Box system’s public IP address, a source port allocated from its list of available ports,  
and the same destination IP address and port number generated by the PC. The Black Box system also adds an entry  
into a table it keeps, which maps the internal address and source port number that the PC generated against the port  
number it allocated to this session. Therefore, when some.server.com sends a reply packet to the PC, the Black Box  
system can quickly determine how it needs to re-write the packet before transmitting it back on to the LAN.  
12.1.1 Dynamic NAT  
Dynamic NAT is used when packets destined for the Internet are transported from a LAN using the public source IP  
address assigned to the local router. Dynamic NAT performs this task well, but it does not permit providing services to  
the Internet from inside a LAN. In these instances, static NAT is used.  
12.1.2 Static NAT  
Static NAT also requires a public address from the upstream service provider. Individual PCs within a LAN are  
assigned RFC 1918 reserved IP addresses to enable access to other PCs within the LAN. The Black Box system is  
configured with static mapping, which maps the internal RFC 1918 IP addresses for each PC to the appropriate public  
IP address. Then when traffic is sent to the public address listed in the static mapping, the Black Box system forwards  
the packets to the correct PC within the LAN, according to the mapping relationship established.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
       
Black Box LR11xx Series Router Configurations Guide  
Figure 22 illustrates dynamic and static NAT. The static translation between 192.168.1.6 and 100.1.1.6  
automatically matches the port addresses, thus a request destined for 100.1.1.6 tcp port 25 is translated to  
192.168.1.6 tcp port 25 and so on.  
Figure 22 Dynamic and Static NAT  
Internet  
100.1.1.1/29  
192.168.1.254/24  
FTP, SMTP, HTTP Server  
192.168.1.6/24  
10/100 BaseT Ethernet  
Workstation  
Workstation  
Workstation  
Workstation  
192.168.1.1/24  
192.168.1.2/24  
192.168.1.3/24  
192.168.1.5/24  
12.1.3 Configuration for Figure 1  
Blackbox> configure terminal  
Blackbox/configure> interface bundle Trenton  
Blackbox/configure/interface/bundle Trenton> nat  
Blackbox/configure/interface/bundle Trenton/nat> enable dynamic  
Blackbox/configure/interface/bundle Trenton/nat> enable static  
Blackbox/configure/interface/bundle Trenton/nat> address 192.168.1.6 100.1.1.6  
82  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Network Address Translation  
Figure 23 provides an example of static port mapping. TCP port 81 of the web server at private address 192.168.1.6 is mapped  
to the same TCP port of the public address.  
Figure 23 Mapping Ports  
Internet  
100.1.1.1/29  
192.168.1.254/24  
www server is running  
on TCP port 81  
FTP, SMTP, HTTP Server  
192.168.1.6/24  
10/100 BaseT Ethernet  
Workstation  
Workstation  
Workstation  
Workstation  
192.168.1.1/24  
192.168.1.2/24  
192.168.1.3/24  
192.168.1.5/24  
12.1.4Configuration for Figure 2  
Blackbox> configure terminal  
Blackbox/configure> interface bundle Trenton  
Blackbox/configure/interface/bundle Trenton> nat  
Blackbox/configure/interface/bundle Trenton/nat> enable dynamic  
Blackbox/configure/interface/bundle Trenton/nat> enable static  
Blackbox/configure/interface/bundle Trenton/nat> address 192.168.1.6 81 100.1.1.6 81  
12.1.5 Reverse NAT  
Reverse NAT could be used in a situation where one LAN is using private RFC 1918 IP addresses and a second LAN is using  
“real” Internet routable IP addresses. Figure 24 illustrates how reverse NAT would be applied.  
83  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
Black Box LR11xx Series Router Configurations Guide  
Figure 24 Reverse NAT  
Internet  
100.1.1.1/29  
FTP, SMTP, HTTP Server  
Ethernet 1  
199.7.3.2/24  
199.7.3.2/24  
Ethernet 0  
www server is running  
192.168.1.254/24  
on TCP port 81  
FTP, SMTP, HTTP Server  
192.168.1.6/24  
10/100 BaseT Ethernet  
Workstation  
Workstation  
Workstation  
Workstation  
192.168.1.1/24  
192.168.1.2/24  
192.168.1.3/24  
192.168.1.5/24  
12.1.6 Configuration for Figure 3  
Blackbox> configure terminal  
Blackbox/configure> interface ethernet 0  
Blackbox/configure/interface/ethernet0> nat  
Blackbox/configure/interface/ethernet0/nat> reverse  
Blackbox/configure/interface/ethernet0/nat> ip 100.1.1.1  
Blackbox/configure/interface/ethernet0/nat> enable dynamic  
Blackbox/configure/interface/ethernet0/nat> enable static  
Blackbox/configure/interface/ethernet0/nat> port tcp 100.1.1.6 25 192.168.1.6 25  
Blackbox/configure/interface/ethernet0/nat> port tcp 100.1.1.6 81 192.168.1.6 81  
Blackbox/configure/interface/ethernet0/nat> port tcp 100.1.1.6 21 192.168.1.6 21  
84  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
13  
NAT CONFIGURATION EXAMPLES  
13.1 NAT Configurations  
Network Address Translation (NAT) was defined to serve two purposes:  
Allowed LAN administrators to create secure, private, non-routable IP networks behind firewalls  
Stretched the number of available IP addresses by allowing LANs to use one public (real) IP address as the gateway  
with a very large pool of NAT addresses behind it.  
In the most common NAT application (which is to provide secure networking behind a firewall), the device (Black Box  
system) that connects the user LAN to the Internet will have two IP addresses:  
A private IP address on the LAN side for the RFC 1918 address range  
A public address, routable over the Internet, on the WAN side  
Consider a PC on the LAN sending a packet destined for some.server.com. The source IP address and port are in the  
packet together with the destination IP address and port. When the packet arrives at the Black Box system it will be  
de-encapsulated, modified, and re-encapsulated. The re-encapsulated packet sent by the Black Box system destined for  
the Internet contains the Black Box system’s public IP address, a source port allocated from its list of available ports,  
and the same destination IP address and port number generated by the PC. The Black Box system also adds an entry  
into a table it keeps, which maps the internal address and source port number that the PC generated against the port  
number it allocated to this session. Therefore, when some.server.com sends a reply packet to the PC, the Black Box  
system can quickly determine how it needs to re-write the packet before transmitting it back on to the LAN.  
Dynamic NAT is used when packets destined for the Internet are transported from a LAN using the public source IP  
address assigned to the local router. Dynamic NAT performs this task well, but it does not permit providing services to  
the Internet from inside a LAN which requires the use of static NAT. Static NAT also requires a public address from the  
upstream service provider. Individual PCs within a LAN are assigned RFC 1918 reserved IP addresses to enable access  
to other PCs within the LAN. The Black Box system is configured with static mapping, which maps the internal RFC  
1918 IP addresses for each PC to the appropriate public IP address. When traffic is sent to the public address listed in  
the static mapping, the Black Box system forwards the packets to the correct PC within the LAN, according to the  
mapping relationship established.  
13.1 NAT Configuration Examples  
13.1.1Dynamic NAT (many to many)  
In dynamic (many-to-many) NAT type, multiple source IP addresses in the corporate network will be mapped to  
multiple NAT IP addresses (not necessarily of equal number). For a set of local IP address from 10.1.1.1 to 10.1.1.4  
there will be a set of NAT IP address from 60.1.1.1 to 60.1.1.2. In case of many-to-many NAT, only IP address  
Download from Www.Somanuals.com. All Manuals Search And Download.  
       
Black Box LR11xx Series Router Configurations Guide  
translation takes place, i.e., if a packet travels from 10.1.1.1 to yahoo.com, Black Box-Firewall only substitutes the  
source address in the IP header with one of the NAT IP address and the source port will be the same as the original.  
If traffic emanates from the same client to any other server, the same NAT IP address is assigned. The advantage is  
that the NAT IP addresses are utilized in a better and optimum manner dynamically.  
If a NAT IP address cannot be allocated dynamically at the connection creation time, the packet would be dropped.  
Figure 25 Dynamic NAT  
10.1.1.1  
INTERNET  
60.1.1.1-60.1.1.2  
10.1.1.2  
10.1.1.3  
10.1.1.4  
The dynamic NAT configuration shown in Figure 25 includes:  
Private network addresses:10.1.1.1—10.1.1.4  
Public (NAT) IP address range: 60.1.1.1—60.1.1.2  
To create NAT pool with type dynamic, specify the IP address and the NAT ending IP address.Then add a policy  
with the source IP address range, and attach the NAT pool to the policy.  
Blackbox/configure> firewall corp  
Blackbox/configure/firewall corp> object  
Blackbox/configure/firewall corp/object> nat-pool addresspoolDyna dynamic  
60.1.1.1 60.1.1.2  
Blackbox/configure/firewall corp/object> exit  
Blackbox/configure/firewall corp> policy 8 out address 10.1.1.1 10.1.1.4 any any  
Blackbox/configure/firewall corp/policy 8 out> apply-object nat-pool  
addresspoolDyna  
Blackbox/configure/firewall corp/policy 8 out> exit 2  
Blackbox/configure>  
86  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
NAT Configuration Examples  
13.1.2Static NAT (one to one)  
Figure 26 Static NAT  
10.1.1.1  
INTERNET  
50.1.1.1-50.1.1.3  
10.1.1.2  
10.1.1.3  
In static (one-to-one) NAT type, for each IP address in the corporate network, one NAT IP address will be used. For example,  
for the three IP addresses from 10.1.1.1 to 10.1.1.3, there is a set of three NAT IP address from 50.1.1.1 to 50.1.1.3. In case of  
one-to-one NAT, only IP address translation takes place, that is, if a packet travels from 10.1.1.1 to yahoo.com, the Black  
Box-Firewall only substitutes the source address in the IP header with the NAT IP address. The source port will be the same as  
the original.  
The static NAT configuration shown in Figure 26 includes:  
Private network address:10.1.1.1—10.1.1.3  
Public (NAT) IP address range: 50.1.1.1—50.1.1.3  
To create NAT pool with type static, specify the IP address and the ending NAT IP address. Add a policy with source IP  
address range and attach NAT pool to the policy.  
Blackbox/configure> firewall corp  
Blackbox/configure/firewall corp object  
Blackbox/configure/firewall corp/object> nat-pool addresspoolStat static 50.1.1.1  
50.1.1.3  
Blackbox/configure/firewall corp/object> exit  
Blackbox/configure/firewall corp> policy 7 out address 10.1.1.1 10.1.1.3 any any  
Blackbox/configure/firewall corp/policy 7 out> apply-object nat-pool addresspoolStat  
Blackbox/configure/firewall corp/policy 7 out> exit 2  
Blackbox/configure>  
87  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Black Box LR11xx Series Router Configurations Guide  
13.1.3Port Address Translation (Many to one)  
Figure 27 Mapping Multiple NAT Addresses to One Public IP Address  
10.1.1.1  
INTERNET  
10.1.1.2  
10.1.1.3  
50.1.1.5  
NAT allows multiple IP addresses to be mapped to one address.  
There are two methods to configure Port Address Translation (PAT) on the Black Box gateway. In the first method, specify the  
IP address to the nat-ip parameter in the policycommand. In the second method, create a pool of type PAT and then  
attach it to the policy.  
In PAT, multiple hosts can share the same IP address.  
The PAT configuration shown in Figure 27 includes:  
Private network address: 10.1.1.1—10.1.1.3  
PAT address: 50.1.1.5  
Method:1 – Specifying NAT address with the policy command  
To configure this method of PAT, add the policy with the source IP address range, then specify the nat-ip address in the  
policycommand.  
Blackbox/configure> firewall corp  
Blackbox/configure/firewall corp> policy 2 out address 10.1.1.1 10.1.1.3 any any nat-ip  
50.1.1.5  
Blackbox/configure/firewall corp/policy 2 out> exit 2  
Blackbox/configure>  
Method:2 – Attaching nat pool to the policy  
To configure the second type of NAT, create a NAT pool with type patand specify the IP address. Then add the policy with  
the source IP address range. Finally, attach the NAT pool to the policy.  
Blackbox/configure> firewall corp  
Blackbox/configure/firewall corp> object  
Blackbox/configure/firewall corp/object> nat-pool addresspoolPat pat 50.1.1.5  
Blackbox/configure/firewall corp/object> exit  
Blackbox/configure/firewall corp> policy 2 out address 10.1.1.1 10.1.1.3 any any  
Blackbox/configure/firewall corp/policy 2 out> apply-object nat-pool addresspoolPat  
Blackbox/configure/firewall corp/policy 2 out> exit 2  
Blackbox/configure>  
88  
Download from Www.Somanuals.com. All Manuals Search And Download.  
       
14  
REMOTE ACCESS VPNS  
14.1 Secure Remote Access Using IPSec VPN  
The corporate network no longer has a clearly defined perimeter inside secure building and locked equipment closets.  
Increasingly, companies have a need to provide remote access to their corporate resources for the employees on the move.  
Traditionally, remote users could access the corporate LAN through dial-up and ISDN lines which were terminated in  
the corporate remote access servers. However, these point-to-point connection technologies do not scale well to the  
growing number of remote users and the corresponding increase in the infrastructure investments and maintenance  
costs.  
A solution to meeting the needs of increasing numbers of remote users and for controlling access costs is to provide  
remote access through the Internet using firewalls and a Virtual Private Network (VPN). Internet Protocol Security  
(IPSec) keeps the connection safe from unauthorized users.  
In a typical IPSec remote access scenario, the mobile user has connectivity to Internet and an IPSec VPN client loaded  
on their PC. The remote user connects to the Internet through their Internet service provider and then initiates a VPN  
connection to the IPSec security gateway (the VPN server) of the corporate office, which is typically an always-on  
Internet connection.  
One of the main limitations in providing remote access is the typical remote user connects with a dynamically assigned  
IP address provided by the ISP. IPSec uses the IP address of users as an index to apply the Internet Key Exchange (IKE)  
and IPSec policies to be used for negotiation with each peer. When the VPN client has a dynamic IP address, the VPN  
server cannot access the policies based on the IP address of the client. Instead, the VPN server uses the identity of the  
VPN client to access the policies.  
14.2 Access Methods  
Black Box supports two types of IPSec remote access using VPNs.  
14.2.1 Remote Access: User Group  
One of the methods to achieve IPSec remote access in Black Box is the user group method. In this method, the  
administrator creates an IKE policy for a logical group of users such as a department in an organization. Each user in  
the group is identified with unique information that is uniquely configured in the IKE policy. Also, an IPSec template is  
attached to the user group.  
Once the VPN user is authenticated using IKE, the users dynamically-assigned IP address is added to the destination  
address field in the IPSec template attached to the user group. The VPN user now has the required IPSec policy that  
allows access through the gateway to the corporate LAN.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
       
Black Box LR11xx Series Router Configurations Guide  
14.2.2 Remote Access: Mode Configuration  
The other method to achieve IPSec remote access in Black Box is the mode configuration method.  
This method makes the VPN client an extension of the LAN being accessed by the VPN client. The remote client  
appears as a network accessing some resource behind the VPN server.  
The VPN client is allocated a private IP address by the VPN server and the client uses this as the source IP address  
in the inner IP header in tunnel mode.  
In tunnel mode, at each IKE end point, the IP traffic to be protected is completely encapsulated with another IP  
packet. In this, the inner IP header remains the same as seen in the original traffic to be protected. In the outer IP  
header, the source and destination addresses are the addresses of the tunnel end points.  
Typically, for a remote user, the source address of the outer IP header is the dynamic public IP address provided by  
the ISP. When mode configuration is enabled, the source address of the inner IP header is the private address  
allocated by the VPN server to the VPN client.  
As in the case of user group method, the administrator creates an IKE policy for a logical group of users such as a  
department in an organization. The identity information used to identify each user uniquely is configured in the  
IKE policy. The IKE policy is attached to a mode configuration record. The mode configuration record contains an  
IPSec policy template to be used for creating dynamic IPSec policy. Also, the record contains one or more pools of  
private IP addresses to be used for allocating the addresses to the VPN clients. Besides the private IP address, the  
VPN server can also provide WINS and DNS server addresses.  
Upon successful IKE authentication of a VPN client, the server checks whether the IKE policy used to authenticate  
the VPN client is enabled for mode configuration. If so, the server allocates a private IP address from one of the IP  
pools in the mode configuration record to the VPN client. The destination address field in the IPSec template  
attached to the user group is filled in with the private IP address allocated to the VPN client and this is installed as  
an IPSec policy.  
14.3 Configuration Examples  
The following examples illustrate configurations for creating secure remote VPN access to:  
An individual SNMP user managing the gateway (user group method)  
The corporate LAN for multiple users (mode configuration method)  
14.4 IPSec Remote Access User Group Method –  
Single Proposal, Pre-shared Key Authentication  
The following example demonstrates how to manage the Black Box gateway from a secure VPN management host.  
An application would look like a host in a remote site is interested in managing Black Box router using SNMP. But  
the remote host is interested in doing securely. The SNMP response that is generated in Black Box router for a  
request from the management host is called self-generated traffic.  
The Black Box gateway provides a map called Self for self-generated traffic. This map is created automatically  
when the gateway comes up.  
The security requirements for the management tunnel are:  
3DES with SHA1,Pre-shared key authentication, XAuth  
IPSec ESP with AES128 and HMAC-SHA1  
90  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
IPSec Remote Access User  
Figure 28 User Group Remote Access Configuration  
VPN Client 2  
Local Outer Address:  
Dynamic  
BlackBox#1  
VPN Server  
172.16.0.1  
Local ID:  
blackbox.com  
admin@
To create the user group configuration enter:  
Blackbox>configure term  
Blackbox/configure>interface bundle wan  
Blackbox/configure/interface/bundle wan>link t1 1-2  
1
Blackbox/configure/interface/bundle wan>ip address 172.16.0.1 32  
Blackbox/configure/interface/bundle wan>crypto internet  
To configure the IKE policy for negotiating with the remote VPN client needing access (note that the IKE and IPSec policies  
for management (self) tunnel need to be defined in the “Self” map):  
Blackbox/configure>crypto Self  
Blackbox/configure/crypto>dynamic  
Blackbox/configure/crypto/dynamic>ike policy admin user-group  
Blackbox/configure/crypto/dynamic/ike/policy admin>local-address 172.16.0.1  
Blackbox/configure/crypto/dynamic/ike/policy admin>remote-id email-id sampledata Black  
Boxuser  
Blackbox/configure/crypto/dynamic/ike/policy admin>key pskforadminuser  
Blackbox/configure/crypto/dynamic/ike/policy admin>proposal 1  
Blackbox/configure/crypto/dynamic/ike/policy admin/proposal 1>encryption-algorithm  
3des-cbc  
Blackbox/configure/crypto/dynamic/ike/policy admin/proposal 1>client authentication  
radius  
To configure the IPSec policy for negotiating with VPN client needing access to the security gateway.  
Blackbox/configure/crypto/dynamic>ipsec policy admin user-group  
Blackbox/configure/crypto/dynamic/ipsec/policy admin>match address 172.16.0.1 32  
Blackbox/configure/crypto/dynamic/ipsec/policy admin> proposal 1  
Blackbox/configure/crypto/dynamic/ipsec/policy admin/proposal 1>encryption-algorithm  
aes128-cbc  
1.  
error message saying Bundle is not yet encapped.  
91  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Black Box LR11xx Series Router Configurations Guide  
14.5 IPSec Remote Access Mode Configuration Group  
Method  
The following example demonstrates how to configure a Black Box router to be an IPSec VPN server using  
mode-configuration method. The client could be any standard mode config enabled IPSec VPN client.  
In this example, the client needs to access the corporate private network 10.0.1.0/24 through the VPN tunnel. The server has a  
pool of IP addresses from 20.1.1.100 through 20.1.1.150 to be allocated for mode config enabled VPN clients. The assigned IP  
address is used by the VPN client as the source address in the inner IP header. The outer IP header will carry the dynamic IP  
address assigned by the Internet Service Provider as the source address. The security requirements are as follows:  
3DES with SHA1, Mode Config  
IPSec ESP tunnel with AES256 and HMAC-SHA1  
Figure 29 Configuration Mode Remote Access Configuration  
VPN Client 1  
Local Outer Address:  
Dynamic  
Local Inner Assigned  
Address: 10.0.1.100/32  
Local ID:  
VPN Client 2  
Local Outer Address:  
Blackbox1  
VPN Server  
Dynamic  
172.16.0.1  
Corporate  
Local Inner Assigned  
Mode Config IP  
Headquarters  
Address: 10.0.1.101/32  
Pool:  
10.0.1.100-  
10.0.1.150  
10.0.1.0/24  
Local ID:  
To configure the VPN gateway:  
Blackbox>configure term  
Blackbox/configure>interface ethernet 1  
Blackbox/configure/interface/ethernet 1>ip address 10.0.1.1 24  
Blackbox/configure/interface/ethernet 1>crypto corp  
Blackbox/configure> interface bundle wan  
Blackbox/configure/interface/bundle wan>link t1 1-2  
1
Blackbox/configure/interface/bundle wan>ip address 172.16.0.1 32  
Blackbox/configure/interface/bundle wan>crypto internet  
92  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
IPSec Remote Access Mode Con-  
To configure the IKE policy for negotiating with VPN clients needing access to the corporate private network 10.0.1.0.  
Blackbox/configure>crypto corp  
Blackbox/configure/crypto>dynamic  
Blackbox/configure/crypto/dynamic>ike policy IDCsales modecfg-group  
Blackbox/configure/crypto/dynamic/ike/policy IDCsales>modeconfig-group  
Blackbox/configure/crypto/dynamic/ike/policy IDCsales>local-address 172.16.0.1  
To configure the user name (optional) for remote-id:  
Blackbox/configure/crypto/dynamic/ike/policy IDCsales>remote-id email-id sampledata  
Blackbox/configure/crypto/dynamic/ike/policy IDCsales>remote-id email-id sampledata  
Blackbox/configure/crypto/dynamic/ike/policy IDCsales>key pskforsalesusers  
Blackbox/configure/crypto/dynamic/ike/policy IDCsales>proposal 1  
Blackbox/configure/crypto/dynamic/ike/policy IDCsales>encryption-algorithm 3des-cbc  
Blackbox/configure/crypto/dynamic/ike/policy IDCsales>exit  
Blackbox/configure/crypto/dynamic>client configuration  
# configure address pool for modecfg client  
address-pool 1 20.1.1.100 20.1.1.150  
To configure the IPSec policy for negotiating with VPN clients needing access to the corporate private network 10.0.1.0.  
Blackbox/configure/crypto/dynamic>ipsec policy IDCsales  
Blackbox/configure/crypto/dynamic/ipsec/policy IDCSales>match address 10.0.1.0 24  
Blackbox/configure/crypto/dynamic/ipsec/policy IDCSales>proposal 1  
Blackbox/configure/crypto/dynamic/ipsec/policy IDCSales/proposal 1>encryption-algorithm  
aes256-cbc  
1.  
Bundle must be encapsulated first steps TBC.  
93  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Black Box LR11xx Series Router Configurations Guide  
94  
Download from Www.Somanuals.com. All Manuals Search And Download.  
15  
NETWORKING WITH ROUTING  
INFORMATION PROTOCOL  
15.1Routing Information Protocol  
15.1.1Configuring RIP for Ethernet 0 and WAN 1 Interfaces  
LR1114A> configure terminal  
LR1114A/configure> router rip  
LR1114A/configure/router rip> interface ethernet0  
LR1114A/configure/router rip/interface ethernet0> exit  
LR1114A/configure/router rip> interface wan1  
LR1114A/configure/router rip> exit  
15.1.2Displaying RIP Configuration  
Execute show ip rip global to display RIP configuration information  
Figure 30 show ip rip global Command  
> show ip rip global  
Router RIP is enabled  
Mode: RIP 2  
Distance: 100  
Default Metric: 1  
Timers:  
Update: 30 seconds  
Holddown: 120 seconds  
Flush: 180 seconds  
15.1.3Displaying All Configured RIP Interfaces  
Execute show ip rip interface all to display information about all configured RIP interfaces.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
         
Black Box LR11xx Series Router Configurations Guide  
Figure 31 show ip rip interface all Command  
> show ip rip interface all  
RIP is configured for interface <ethernet0>  
Mode: RIP 2  
Metric: 5  
Authentication: None  
Split Horizon: Poison  
Routers : None  
Interface state: Broadcast Multicast Active  
96  
Download from Www.Somanuals.com. All Manuals Search And Download.  
16  
CONFIGURING STATIC ROUTES  
16.1 Static Routing Configuration  
All Black Box systems support IP routing utilizing static routes. The following diagram shows a remote Black Box “A”  
connected over an MLPPP bundle to the main Black Box “B”. Black Box B in turn routes to the customer router.  
Figure 32 IP Routing  
LR1114A  
Tasman 1400 "B"  
200.1.1.1/24  
Internet  
E0  
200.1.1.2/24  
E0  
10.1.1.2/30  
2 x T1 MLPPP  
Bundle "WAN1"  
WAN  
10.1.1.1/30  
198.1.1.1/24  
"A"  
LR1114A  
The customer router Ethernet 0 IP address is 200.1.1.1 255.255.255.0, and the IP route is 198.1.1.0 255.255.255.0  
200.1.1.2 2.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Black Box LR11xx Series Router Configurations Guide  
16.1.1Configure the Router at Site “A”  
Blackbox> configure term  
Blackbox/configure> interface ethernet 0  
Blackbox/configure/interface/ethernet> ip addr 198.1.1.1 255.255.255.0  
Blackbox/configure/interface/ethernet> exit  
Blackbox/configure> interface bundle wan1  
Blackbox/configure/interface/bundle> link t1 1-2  
Blackbox/configure/interface/bundle> encap ppp  
Blackbox/configure/interface/bundle> ip addr 10.1.1.1 255.255.255.252  
Blackbox/configure/interface/bundle> exit  
Blackbox/configure> ip routing  
Blackbox/configure> ip route 0.0.0.0 0.0.0.0 10.1.1.2 1  
16.1.2Configure the Router at site “B”  
Blackbox> configure term  
Blackbox/configure> interface ethernet 0  
Blackbox/configure/interface/ethernet> ip addr 200.1.1.2 255.255.255.0  
Blackbox/configure/interface/ethernet> exit  
Blackbox/configure> interface bundle wan 1  
Blackbox/configure/interface/bundle> link t1 1-2  
Blackbox/configure/interface/bundle> encapp ppp  
Blackbox/configure/interface/bundle> ip addr 10.1.1.2 255.255.255.252  
Blackbox/configure/interface/bundle> exit  
Blackbox/configure> ip routing  
Blackbox/configure> ip route 198.1.1.0 255.255.255.0 10.1.1.1 1  
Blackbox/configure> ip route 0.0.0.0 0.0.0.0 200.1.1.1 1  
Blackbox/configure> exit  
98  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
17  
CONFIGURING OPEN SHORTEST PATH  
FIRST ROUTING  
17.1 OSPF Routing Protocol  
The following example shows a Black Box LR1114A connected to a router over a single T1 link. IP addresses 10.10.10.0,  
20.20.20.0, and 30.30.30.0 are assigned to area 760.  
Figure 33 Configuring OSPF Between a Black Box LR1114A System and a Router  
10.10.10.0/24  
30.30.30.0/24  
.1  
.1  
T1 PPP  
.1  
.2  
20.20.20.0/24  
Router  
LR1114A  
Area 760  
17.1.1Configuring the host name  
Blackbox> configure terminal  
Blackbox/configure> hostname LR1114A  
17.1.2Configuring interface ethernet 0  
LR1114A/configure> interface ethernet 0  
LR1114A/configure/interface/ethernet 0> ip address 10.10.10.1 24  
LR1114A/configure/interface/ethernet 0> exit  
17.1.3Configuring interface bundle Dallas  
LR1114A/configure> interface bundle Dallas  
LR1114A/configure/interface/bundle Dallas> link t1 1  
LR1114A/configure/interface/bundle Dallas> encapsulation ppp  
LR1114A/configure/interface/bundle Dallas> ip address 20.20.20.1 24  
LR1114A/configure/interface/bundle Dallas> exit  
Download from Www.Somanuals.com. All Manuals Search And Download.  
         
Black Box LR11xx Series Router Configurations Guide  
17.1.4Configuring ospf  
LR1114A/configure> router routerid 10.10.10.1  
LR1114A/configure> router ospf  
LR1114A/configure/router/ospf> area 760  
LR1114A/configure/router/ospf/area 760> exit  
17.1.5Configuring ospf interface parameters  
LR1114A/configure/router/ospf> interface Dallas area_id 760  
LR1114A/configure/router/ospf/interface Dallas> exit  
LR1114A/configure/router/ospf> interface ethernet0 area_id 760  
LR1114A/configure/router/ospf/interface ethernet0> exit 3  
17.1.6Displaying neighbors  
Note that “display” and “show” can be used interchangeably in the CLI tree hierarchy.  
Execute show ip ospf neighbor list on the Black Box LR1114A to display the neighbor information. In this example, the  
state is in FULL adjacency with the router.  
Figure 34 show ip ospf neighbor list Command  
LR1114A> show ip ospf neighbor list  
Neighbor ID PRI State  
----------- --- -----  
Dead Time Address  
--------- -------  
Interface  
---------  
TMan1  
30.30.30.1  
1
FULL/ - 00:00:30 20.20.20.2  
17.1.7Displaying ospf routes  
Execute show ip ospf routes on the Black Box LR1114A to display the OSPF routes learned from neighbors. The  
following display shows the route 30.30.30.0/24, which was learned through OSPF from the router advertisements.  
Figure 35 show ip ospf routes Command  
LR1114A> show ip ospf routes  
OSFP ROUTE TABLE  
Codes: A - OSPF intra area IA - OSPF inter area,  
E1 - OSPF external type 1, E2 - OSPF external type 2  
Destination  
Preference  
-----------  
----------  
Gateway  
-------  
Interface Protocol Type Metric  
--------- -------- ---- ------  
The metric shows a value of 2. By default, Black Box assigns a cost value of 1 to all interfaces. The cost can be  
changed by entering it under the appropriate interface in the OSPF command tree structure. For example:  
LR1114A/configure> router ospf  
LR1114A/configure/router/ospf> interface Dallas area_id 760  
LR1114A/configure/router/ospf/interface/Dallas> cost 10  
LR1114A/configure/router/ospf/interface/Dallas> exit 3  
This would change the cost of bundle link Dallas from default (1) to 10. If the interface is already configured, then  
entering area_id 760 is optional.  
17.1.8Displaying IP routes  
Execute show ip routes to display all the active routes in the routing table.  
100  
Download from Www.Somanuals.com. All Manuals Search And Download.  
         
18  
CONFIGURING GENERIC ROUTING  
ENCAPSULATION  
18.1 Configuring GRE  
Generic Routing Encapsulation (GRE) is a standards-based (RFC1701, RFC2784) tunneling protocol that can  
encapsulate a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link between  
routers at remote points over an IP network. A tunnel is a logical interface that provides a way to encapsulate passenger  
packets inside a transport protocol. By connecting multiprotocol subnetworks in a single-protocol backbone  
environment, IP tunneling using GRE allows network expansion across a single-protocol backbone environment.  
IPSec and GRE complement each other well, while IPSec provides a secure method of transporting data across the  
internet GRE provides the capability to transport routing protocols (for example: OSPF) that use broadcast and  
multicast.  
18.2 Installing Licenses  
There are three licenses that control access to the features:  
Basic VPN Management (vpn_mgmt)—allows users to manage a remote Black Box router.  
Firewall (firewall)—allows users to manage the firewall features. Also includes Basic VPN Management.  
Advanced VPN and firewall (vpn_plus_firewall)—Allows users to manage remote LANs. Also includes  
Basic VPN and Firewall licenses. Use this license to access the GRE features in this release.  
To see the licenses available in this release, enter:  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
Black Box LR11xx Series Router Configurations Guide  
Blackbox/configure> system licenses ?  
NAME  
licenses - Configure feature upgrade licenses  
SYNTAX  
licenses license_type <cr>  
DESCRIPTION  
license_type  
-- Specifies the type of feature upgrade license  
The parameter may have any of the following values:  
enable_1_port -- Enable 1 port  
enable_2_ports-- Enable 2 ports  
enable_3_ports-- Enable 3 ports  
enable_4_ports-- Enable 4 ports  
BGP4  
-- BGP4 routing  
vpn_mgmt  
firewall  
-- Enable VPN Mgmt License  
-- Enable Firewall and VPN Mgmt License  
vpn_plus_firewall-- Enable Advance VPN and Firewall License  
To install the advanced VPN and firewall license and use all the security features available in this release, enter:  
Blackbox/configure> system licenses vpn_plus_firewall  
Enter Security Upgrade License key: 024f3bc296b4ea7265  
18.3 GRE Configuration Examples  
This example explains how to configure a basic GRE tunnel as shown in Figure 36.  
102  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
GRE Configuration Examples  
Figure 36 Fig 2 Simple GRE configuration  
40.1.1.0  
10.3.1.0  
192.168.94.220  
192.168.55.75  
18.3.1Configuring Site to Site Tunnel  
To configure GRE in a site to site tunnel configuration:  
Step 1: Configure the interface.  
Blackbox> configure terminal  
Blackbox/configure> interface bundle wan1  
Blackbox/configure/interface/bundle wan1> link t1 1  
Blackbox/configure/interface/bundle wan1> encapsulation ppp  
Blackbox/configure/interface/bundle wan1> ip address 192.168.94.220  
255.255.255.0  
Blackbox/configure/interface/bundle wan1> exit  
Step 2: Configure the tunnel.  
Blackbox/configure> interface tunnel t0  
Blackbox/configure/interface/tunnel t0> ip 103.1.1.2 24  
Blackbox/configure/interface/tunnel t0> tunnel source 192.168.94.220  
Blackbox/configure/interface/tunnel t0> tunnel destination  
192.168.55.75  
Blackbox/configure/interface/tunnel t0> exit  
Step 3: Configure the IP routes.  
Blackbox/configure> ip route 0.0.0.0 0.0.0.0 192.168.94.254  
Blackbox/configure> ip route 40.1.1.0 24 t0  
103  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Black Box LR11xx Series Router Configurations Guide  
NOTE  
The peer of a local WAN interface cannot be used as a tunnel destination.  
Step 4: Verify that the tunnel is up and running. (If it is not, check the Gateway and Source Address fields.)  
Blackbox> show ip interface t0  
t0 (unit number 5)  
Type: TUNNEL  
Flags: (0x74243) UP, RUNNING, MULTICAST-ROUTE  
Internet Address: 103.1.1.2  
Internet Netmask: 255.255.255.0  
Internet Broadcast: 103.1.1.255  
Maximum Transfer Unit: 1476 bytes  
Source Address: 192.168.94.220  
Destination Address: 192.168.55.75  
Gateway: wan1  
Protocol: GRE  
Mac Address 00:50:52:60:00:00  
For more information enter:  
Blackbox> show interface tunnel t0  
Tunnel: t0 Status: up  
Internet Address: 103.1.1.2 Internet Netmask: 255.255.255.0  
Source Address: 192.168.94.220 Destination Address: 192.168.55.75  
MTU: 1476 bytes  
Protocol: GRE  
ICMP unreachable: will be sent  
Crypto Snet: not set  
TTL: 30  
ICMP redirect: will be sent  
Protection: policy grecisco key ****  
Keepalive: disabled  
TOS: not set  
Key Value: not set  
Sequence Datagrams: disabled  
Path MTU discovery: disabled  
Checksum: disabled  
Tunnel Statistics:  
Bytes Rx  
95112  
860  
0
Bytes Tx  
Packets Tx  
Output Errs  
60016  
499  
0
Packets Rx  
Err Packets Rx  
104  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Configuring GRE Site to Site with  
Step 5: Configure the Cisco side:  
cisco > config t  
cisco(config)#interface Ethernet2/0  
cisco(config-if)#ip address 192.168.55.75255.255.255.0  
cisco(config-if)#exit  
cisco(config)#interface Tunnel 0  
cisco(config-if)#ip address 103.1.1.1 255.255.255.0  
cisco(config-if)#tunnel source 192.168.55.75  
cisco(config-if)#tunnel destination 192.168.94.220  
cisco(config-if)#exit  
cisco(config)#ip route 0.0.0.0 0.0.0.0 192.168.55.254  
cisco(config)#ip route 10.3.1.0 255.255.255.0 Tunnel0  
18.4 Configuring GRE Site to Site with IPSec  
This example extends the first example by adding encryption to the tunnel.  
Step 1:Prepare the WAN link:  
Blackbox> configure terminal  
Blackbox/ configure> interface bundle wan1  
Blackbox/ configure/interface/bundle wan1> link t1 1  
Blackbox/ configure/interface/bundle wan1> encapsulation ppp  
Blackbox/ configure/interface/bundle wan1> ip address 192.168.94.220 255.255.255.0  
Blackbox/ configure/interface/bundle wan1> crypto untrusted  
Blackbox/ configure/interface/bundle wan1> exit  
Step 2: Configure the tunnel:  
Blackbox/ configure> interface tunnel t0  
Blackbox/ configure/interface/tunnel t0> ip address 103.1.1.2 24  
Blackbox/ configure/interface/tunnel t0> tunnel source 192.168.94.220  
Blackbox/ configure/interface/tunnel t0> tunnel destination 192.168.55.75  
Blackbox/ configure/interface/tunnel t0> tunnel protection grecisco secretkeyfortest  
Blackbox/ configure/interface/tunnel t0> crypto untrusted  
Blackbox/ configure/interface/tunnel t0> exit  
Step 3: Configure the routes:  
Blackbox/ configure> ip route 0.0.0.0 0.0.0.0 192.168.94.254  
Blackbox/ configure> ip route 40.1.1.0 24 t0  
Step 4: Define the policy:  
105  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
Black Box LR11xx Series Router Configurations Guide  
Blackbox/ configure > firewall internet  
Blackbox/configure/firewall internet> policy 100 in proto gre self  
Blackbox/configure/firewall internet/policy 100 in> exit  
Blackbox/configure/firewall internet> policy 101 in service ike self  
Blackbox/configure/firewall internet/policy 101 in> exit 2  
Black Box configure> firewall corp  
Blackbox/configure/firewall corp> policy 100 in self  
Step 5: Check the status of the tunnel by entering:  
Blackbox> show ip interface tunnel t0  
Step 6:Validate the tunnel configuration by entering:  
Blackbox> show crypto ipsec policy all  
Or enter:  
Blackbox> show crypto ike policy all  
18.5 Configuring GRE Site to Site with IPSec and OSPF  
This example extends the previous IPSec configuration example by enabling Open Shortest Path First (OSPF) protocol which  
provides redundant paths for the tunnel.  
Step 1: To enable OSPF, add to the Black Box configuration above:  
Blackbox> configure terminal  
Blackbox/configure> router routerid 2.2.2.2  
Blackbox/configure> router ospf  
Blackbox/configure/router/ospf> interface t0 area 0  
Blackbox/configure/router/ospf> exit  
Step 2: Add to the Cisco configuration above  
cisco > config t  
cisco(config)#router ospf 1  
cisco(config-router)# network 103.1.1.0 0.0.0.255 area 0  
Step 3: To verify the OSPF configuration, enter:  
Blackbox> show ip ospf interface all  
NOTE  
Using the redistribute connected command adds a recursive route to the tunnel destination. This will cause the tunnel to shut down. To prevent  
this, add a 32-bit static route for the tunnel destination.  
106  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
19  
CONFIGURING OSPF AND FRAME  
RELAY  
19.1 OSPF - Frame Relay  
The following example shows OSPF running between a Black Box LR1112A and a router over a serial T1 link with  
back-to-back Frame Relay.  
Figure 37 OSPF Over a Single T1 with Frame Relay  
.1  
10 x T1 MLPPP  
10.10.10.0/24  
.1  
.1  
.2  
30.30.30.0/24  
20.20.20.0/24  
LR1104A  
Router  
Area 760  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Black Box LR11xx Series Router Configurations Guide  
19.1.1Configuring the host name  
LR1112A> configure terminal  
LR1112A/configure> hostname LR1112A  
19.1.2Configuring interface ethernet 0  
LR1112A/configure> interface ethernet 0  
LR1112A/configure/interface/ethernet0> ip address 10.10.10.1 24  
LR1112A/configure/interface/ethernet0> exit  
19.1.3Configuring interface bundle Dallas  
LR1112A/configure> interface bundle Dallas  
LR1112A/configure/interface/bundle Dallas> link t1 1  
LR1112A/configure/interface/bundle Dallas> encapsulation frelay  
LR1112A/configure/interface/bundle Dallas> fr  
LR1112A/configure/interface/bundle Dallas/fr> intf_type dce  
LR1112A/configure/interface/bundle Dallas/fr> pvc 16  
LR1112A/configure/interface/bundle Dallas/fr/pvc 16> ip address 20.20.20.1  
255.255.255.0  
LR1112A/configure/interface/bundle Dallas/fr/pvc 16> exit 3  
19.1.4Configuring OSPF  
LR1112A/configure> router routerid 10.10.10.1  
LR1112A/configure> router ospf  
LR1112A/configure/router/ospf> area 760  
LR1112A/configure/router/ospf/area 760> exit  
19.1.5Configuring interface Dallas parameters  
LR1112A/configure/router/ospf> interface Dallas dlci 16 area_id 760  
LR1112A/configure/router/ospf/interface Dallas> cost 10  
LR1112A/configure/router/ospf/interface Dallas> exit  
19.1.6Configuring interface ethernet 0 parameters  
LR1112A/configure/router/ospf> interface ethernet0 area_id 760  
LR1112A/configure/router/ospf/interface ethernet0> cost 10  
LR1112A/configure/router/ospf/interface ethernet0> exit 3  
19.1.7Displaying OSPF parameters  
Execute show ip ospf int bundle to display interface specific OPSPF parameters.  
108  
Download from Www.Somanuals.com. All Manuals Search And Download.  
             
20  
CONFIGURING PROTOCOL  
INDEPENDENT MULTICASTING  
ROUTING  
20.1 PIM Configuration  
Protocol Independent Multicast (PIM) protocols route multicast packets to multicast groups. PIM is protocol  
independent because it can leverage whichever unicast routing protocol is used to populate unicast routing table. There  
are two modes of PIM protocol – Dense mode (DM) and Sparse mode (SM). Black Box supports SM only.  
PIM-DM floods multicast traffic throughout the network initially and then generates prune messages as required.  
PIM-SM attempts to send multicast data only to networks which have active receivers. This is achieved by having a  
common Rendezvous Point (RP) known to the senders and receivers and by forming shared trees from the RP to the  
receivers.  
PIM-SM is described in RFC 2362.  
20.1.1PIM Commands  
The general PIM commands supported in this release are:  
Global parameters  
Enable PIM  
Blackbox/configure/ip> pim  
Configure PIM mode  
Blackbox/configure/ip/pim> mode [sparse | dense]  
Configure Assert Holdtime Blackbox/configure/ip/pim>assert-holdtime <time>  
Configure Hello Interval  
Configure Hello Holdtime  
Configure Hello priority  
Blackbox/configure/ip/pim>hello-interval <time>  
Blackbox/configure/ip/pim>hello-holdtime <time>  
Blackbox/configure/ip/pim>hello-priority <value>  
Blackbox/configure/ip/pim>join-prune-holdtime <time>  
Configure Join/Prune  
Holdtime  
Configure Join /Prune  
Interval  
Blackbox/configure/ip/pim>join-prune-interval <time>  
Blackbox/configure/ip/pim>mrt-period <time>  
Configure MRT Period  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
Black Box LR11xx Series Router Configurations Guide  
Configure MRT Stale  
Multiplier  
Blackbox/configure/ip/pim>mrt-stale-mult <number>  
Configure MRT SPT  
Multiplier  
Blackbox/configure/ip/pim>mrt-spt-multiplier <number>  
Configure Probe Period  
Blackbox/configure/ip/pim>probe-period <time>  
Configure Registration  
suppression timeout  
Blackbox/configure/ip/pim>register-suppress-timeout  
<time>  
Configure DR to switch  
immediate  
Blackbox/configure/ip/pim>dr-switch-immediate  
Configure RP to switch  
immediate  
Blackbox/configure/ip/pim>rp-switch-immediate  
Configure Threshold for DR Blackbox/configure/ip/pim>threshold-dr <bps>  
Configure Threshold for RP Blackbox/configure/ip/pim>threshold-rp <bps>  
Configure to calculate  
whole packet checksum  
(for cisco interop)  
Blackbox/configure/ip/pim>whole-packet-checksum  
Bootstrap Router related  
Commands  
Configure as candidate  
BSR  
Blackbox/configure/ip/pim/cbsr> address <address>  
Blackbox/configure/ip/pim/cbsr> period <time>  
Configure CBSR period  
Configure CBSR holdtime Blackbox/configure/ip/pim/cbsr>holdtime <time>  
Configure CBSR priority  
Blackbox/configure/ip/pim/cbsr>priority <value>  
RP commands  
Configure as candidate RP Blackbox/configure/ip/pim>crp  
Configure as candidate RP Blackbox/configure/ip/pim/crp> address <ipaddress>  
address  
Configure candidate RP  
group for advertisement  
Blackbox/configure/ip/pim/crp> group-add <address>  
[mask] [priority]  
Configure as candidate RP Blackbox/configure/ip/pim/crp>holdtime <time>  
holdtime  
Configure as candidate RP Blackbox/configure/ip/pim/crp>period <time>  
period  
Configure as candidate RP Blackbox/configure/ip/pim/crp>priority <value>  
priority  
Configure a static RP  
address  
Blackbox/configure/ip/pim/> rp <address> <gaddress>  
[mask]  
Inteface based  
parameters  
Configure PIM for an  
interface  
Blackbox/configure/ip/pim>interface  
<interface_name>[:dlci_no]  
Configure PIM mode for an Blackbox/configure/ip/pim/interface wan1> mode [sparse |  
interface  
dense | ssm | sparse-ssm ]  
110  
Download from Www.Somanuals.com. All Manuals Search And Download.  
PIM Configuration  
Configure PIM interface  
assert holdtime  
Blackbox/configure/ip/pim/interface wan1>assert-holdtime  
<time>  
Configure PIM interface  
hello holdtime  
Blackbox/configure/ip/pim/interface wan1>hello-holdtime  
<time>  
Configure PIM interface  
hello interval  
Blackbox/configure/ip/pim/interface wan1>hello-interval  
<time>  
Configure PIM interface  
Blackbox/configure/ip/pim/interface  
Join/Prune Delay Timeout wan1>join-prune-timeout <time>  
Configure PIM interface  
Join/Prune Interval  
Blackbox/configure/ip/pim/interface  
wan1>join-prune-interval <time>  
Configure PIM interface  
Join/Prune holdtime  
Blackbox/configure/ip/pim/interface  
wan1>join-prune-holdtime <time>  
Configure PIM interface as Blackbox/configure/ip/pim/interface wan1>boundary  
border of PIM domain  
PIM SSM  
Configure the SSM range  
Blackbox/configure/ip/pim> ssm-range <group-address>  
<group-mask  
The show and debug PIM commands are:  
Display PIM global  
configuration  
Blackbox>show ip pim global  
Display PIMC timers  
Display PIM interfaces  
Display PIM neighbors  
Blackbox>show ip pim timers  
Blackbox>show ip pim interfaces  
Blackbox>show ip pim neighbors  
Blackbox>show ip pim bsr-info  
Display PIM Bootstrap  
info  
Display PIM Candidate  
RP info  
Blackbox>show ip pim crp-info  
Display PIM statistics  
Display PIM RP set  
Display PIM Static RP  
Blackbox>show ip pim statistics  
Blackbox>show ip pim rp-set  
Blackbox>show ip pim rp  
Trace PIM packets  
Blackbox> debug ip pim packet <pkt_type> <direction>  
[interface_name ] [ dlci ]  
Trace PIM state changes Blackbox> debug ip pim state  
Trace PIM routes  
Trace PIM detail  
Trace PIM debug  
All Traces  
Blackbox> debug ip pim route  
Blackbox> debug ip pim detail  
Blackbox> debug ip pim debug  
Blackbox>debug ip pim all  
111  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Black Box LR11xx Series Router Configurations Guide  
20.1.2PIM Configuration Examples  
This section shows examples of how the PIM commands are used.  
To access PIM mode, enter:  
Blackbox/configure/ip> pim  
Blackbox/configure/ip/pim>  
The following example enters the BSR mode.  
Blackbox/configure/ip/pim> cbsr  
Blackbox/configure/ip/pim/cbsr>  
The following command sets Ethernet1 as the BSR interface.  
Blackbox/configure/ip/pim/cbsr> interface ethernet1  
The following example sets the holdtime to 33 seconds.  
Blackbox/configure/ip/pim/cbsr> holdtime 33  
Blackbox/configure/ip/pim/cbsr>  
To configure the DLCI for Ethernet0 to 100, enter:  
Blackbox/configure/ip/pim/cbsr> interface ethernet0 dlci 100  
To set the CBSR priority to 45, enter:  
Blackbox/configure/ip/pim/cbsr> priority 45  
To enter the candidate Rendezvous Point mode, enter:  
Blackbox/configure/ip/pim> crp  
Blackbox/configure/ip/pim/crp>  
To set the group IP address for CRP advertisements to 224.1.1.0, enter:  
Blackbox/configure/ip/pim/crp> group-add 224.1.1.0  
To set the flag at the DR to switch to the SPT on receiving the first packet (default on), enter:  
Blackbox/configure/ip/pim> dr-switch-immediate  
The following example configures the MRT SPT Mult value to be 25.  
Blackbox/configure/ip/pim> mrt-spt-mult 25  
The following example configures the probe period to 30 seconds.  
Blackbox/configure/ip/pim> probe-period 30  
Blackbox/configure/ip/pim>  
The following example configures the Register Suppression Timeout to be 70 seconds.  
Blackbox/configure/ip/pim> register-suppress-timeout 70  
To set the RP static IP address to 10.10.1.1, enter:  
Blackbox/configure/ip/pim> rp 10.10.1.1  
To set the flag for the RP to switch to the SPT for (S,G) upon receipt of the first Register message (default: on). To turn on this  
feature, enter:  
Blackbox/configure/ip/pim> rp-switch-immediate  
The following example configures this feature.  
Blackbox/configure/ip/pim> rp-switch-immediate  
To configure the router such that the data from S addressed to G must exceed an average of 1024 KBytes per second before an  
SPT switch is initiated, enter:  
Blackbox/configure/ip/pim> threshold-dr 1024  
112  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
PIM Configuration  
To configure the threshold-dr option such that the data from S addressed to G must exceed an average of 1500 KBytes per  
second before an SPT switch is initiated. If this router is a DR for the pair (S,G), then the same data must exceed an average of  
1500 KBytes per second before an SPT switch is initiated. The period over which the average will be calculated will be the  
mrt-period times the mrt-spt-mult, or 60 seconds.  
Blackbox/configure/ip/pim> threshold-rp 1500  
To specify that the message checksum will be calculated over the entire encapsulated packet, rather than just over the Register  
message header, enter:  
Blackbox/configure/ip/pim> whole-packet-checksum  
The following example configures a global assert-holdtime value of 600.  
Blackbox/configure/ip/pim> assert-holdtime 600  
To set the holdtime to 60 seconds, enter:  
Blackbox/configure/ip/pim> hello-holdtime 60  
To set the hello interval time to 145 seconds, enter:  
Blackbox/configure/ip/pim> hello-interval 145  
To set the priority to 15, enter:  
Blackbox/configure/ip/pim> hello-priority 15  
To set the holdtime to 30 seconds, enter:  
Blackbox/configure/ip/pim> join-prune-holdtime 30  
To send messages every five minutes, enter:  
Blackbox/configure/ip/pim> join-prune-interval 300  
To check the router table every 15 seconds, enter:  
Blackbox/configure/ip/pim> mrt-period 15  
To set the mrt-spt-mult value to be ten times that of the mrt-period value, enter:  
Blackbox/configure/ip/pim> mrt-spt-mult 10  
To set the time out (S, G) entries at 5 times the mrt-period value, enter:  
Blackbox/configure/ip/pim> mrt-stale-mult 5  
To display PIM global configuration settings, enter:  
Blackbox/configure> display ip pim global  
PIM: Enabled  
Mode: Sparse  
Timers:  
Hello Interval: 145  
Hello Hold Time: 60  
Hello Priority: 15  
Join/Prune Interval: 300  
Join/Prune Hold Time: 30  
Assert Hold Time: 200  
Probe Period: 15  
Register Suppress Timeout: 90  
MRT Interval: 15  
MRT SPT Multiplier : 10  
MRT Stale Multiplier: 5  
Thresholds:  
Threshold DR: 2400  
Threshold RP: 1500  
RP Switch Immediate: enabled  
DR Switch Immediate: enabled  
Whole packet checksum: enabled  
SSM Range: 224.20.12.1 24  
Blackbox/configure>  
113  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Black Box LR11xx Series Router Configurations Guide  
To display information for all interfaces, enter:  
Blackbox/configure> display ip pim interface all  
To see all IP PIM interface information for Ethernet1, enter:  
Blackbox/configure/ip/pim/interface ethernet1> display ip pim interface ethernet1  
To display IP PIM statistics for ethernet1, enter:  
Blackbox/configure/ip/pim/interface ethernet1> display ip pim statistics  
PIM Statistics:  
Total PIM msgs recvd 0 (0 bytes)  
Recvd msgs too short 0  
Recvd msgs bad checksum 0  
Recvd msgsg bad version 0  
Recvd register msgs 0 (0 bytes)  
Recvd registers wrong iif 0  
Recvd bad registers 0  
Sent register msgs 0 (0 bytes)  
Blackbox/configure/ip/pim/interface ethernet1>  
To display information on PIM neighbors, enter:  
Blackbox/configure> display ip pim neighbors  
Neighbor  
Interface  
Uptime  
Expires  
Hello Priority  
--------------- ------------- -------- ---------------- --------------  
Blackbox/configure>  
To display RP information, enter:  
Blackbox/configure> display ip pim rp  
Group/Mask  
RP  
------------------ ---------------  
224.0.0.0/4  
10.10.1.1  
Blackbox/configure>  
To view RP-set information, enter:  
Blackbox/configure> display ip pim rp-set  
Group/mask  
----------  
224/4  
Src/RP  
------  
10.10.1.1  
None  
Pri Uptime  
--- ------  
1 Static RP  
Expires  
-------  
Dependencies:  
Blackbox/configure>  
To view PIM counters, enter:  
Blackbox/configure> display ip pim statistics  
PIM Statistics:  
Total PIM msgs recvd 0 (0 bytes)  
Recvd msgs too short 0  
Recvd msgs bad checksum 0  
Recvd msgsg bad version 0  
Recvd register msgs 0 (0 bytes)  
Recvd registers wrong iif 0  
Recvd bad registers 0  
Sent register msgs 0 (0 bytes)  
Blackbox/configure>  
To display PIM timer information, enter:  
114  
Download from Www.Somanuals.com. All Manuals Search And Download.  
PIM Configuration  
Blackbox/configure> display ip pim timers  
PIM Timers:  
Hello Interval: 145  
Hello Hold Time: 60  
Hello Priority: 15  
Join/Prune Interval: 300  
Join/Prune Hold Time: 30  
Assert Hold Time: 200  
Probe Period: 15  
Register Suppress Timeout: 90  
MRT Interval: 15  
MRT SPT Multiplier : 10  
MRT Stale Multiplier: 5  
Blackbox/configure>  
To examine PIM BSR statistics, enter:  
Blackbox/configure/ip/pim> display ip pim bsr-info  
Candidate BSR Information  
-----------------------  
Candidate BSR Status: Disabled  
Candidate BSR Interface: NOT CONFIGURED  
Candidate BSR Priority: 45  
Candidate BSR Period: 30  
Candidate BSR Hold Time: 2048  
Candidate BSR Admin Scope: Disabled  
No BSR's  
Blackbox/configure/ip/pim>  
To reset PIM counters, enter:  
Blackbox> clear ip pim statistics  
115  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Black Box LR11xx Series Router Configurations Guide  
116  
Download from Www.Somanuals.com. All Manuals Search And Download.  
21  
MTRACE CONFIGURATION  
21.1 Multicast Traceroute Facility  
With multicast distribution trees, tracing from a source to a multicast destination is difficult, since the branch of the  
multicast tree on which the destination lies is unknown. The technique used by the traceroute tool to trace unicast  
network paths will not work for IP multicast because traceroute (ICMP) responses are specifically forbidden for  
multicast traffic. Thus, you have to flood the whole tree to find the path from one source to one destination. However,  
walking up the tree from destination to source is easy, as most existing multicast routing protocols know the previous  
hop for each source. Tracing from destination to source involves only routers on the direct path.  
To request a traceroute (which does not have to be the source or the destination), send a traceroute query packet to the  
last-hop multicast router for the given destination. The last-hop router turns the query into a request packet by adding a  
response data block containing its interface addresses and packet statistics, and then forwards the request packet using  
unicast to the router that it believes is the proper previous hop for the given source and group. Each hop adds its  
response data to the end of the request packet, then unicast forwards it to the previous hop. The first hop router (the  
router that believes that packets from the source originate on one of its directly connected networks) changes the packet  
type to indicate a response packet and sends the completed response to the response destination address. The response  
may be returned before reaching the first hop router if a fatal error condition such as “no route” is encountered along the  
path.  
Multicast traceroute uses any information available to it in the router to try to determine a previous hop to forward the  
trace towards. Multicast routing protocols vary in the type and amount of state they keep; multicast traceroute tries to  
work with all of them by using whatever is available. For example, if a DVMRP router has no active state for a  
particular source but does have a DVMRP route, it chooses the parent of the DVMRP route as the previous hop. If a  
PIM-SM router is on the (*,G) tree, it chooses the parent towards the RP as the previous hop. In these cases, no  
source/group-specific state is available, but the path may still be traced.  
Black Box supports the following PIM related feature—a “traceroute” facility for IP multicast, as defined in  
draft-ietf-idmr-traceroute-ipm-05.  
The mtrace command for multicast traffic is similar to the traceroute command used for unicast traffic. Unlike  
traceroute, however, mtrace traces traffic backwards, from the receiver to the source. mtrace uses other unicast  
routing tables for RPF. For these, mtrace relies on Black Box Networks’ implementation of the mtrace protocol is  
manageable through the CLI and can be executed from any command sub-tree of the Black Box CLI.  
21.1.1mtrace Command  
mtrace  
21.1.2 Restrictions  
In this release, configuring Maximum Hops & TTL is not permitted.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
       
Black Box LR11xx Series Router Configurations Guide  
Maximum hops is set to 32 and TTL is set to 127 in all mtrace packets as default.  
For mtrace to work:  
IGMP must be enabled in the router  
IGMP should be enabled on at least one interface.  
21.1.2 mtrace Example  
Traceroute using mtrace from 192.168.0.0 to 192.168.2.22 through group 225.254.254.254  
Blackbox> mtrace 192.168.0.0 192.168.2.22 239.254.254.254  
mtrace from 192.168.2.0 to 192.168.2.22 through group 225.254.254.254  
Querying full reverse path...  
1 192.168.2.15 PIM thresh^ 0 0 ms  
2 192.168.2.7 PIM thresh^ 0 2 ms  
3 192.168.2.5 PIM thresh^ 0 674 ms  
4 192.168.2.3 PIM thresh^ 0 673 ms  
5 192.168.2.2 PIM thresh^ 0 674 ms  
6 192.168.2.1 PIM thresh^ 0 673 ms  
Where in the line 4 192.168.2.3 PIM thresh^ 0 673 ms:  
192.168.2.3 is the intermediate router 4 hops away from the destination.  
Multicast Protocol in use on this hop and TTL Threshold.  
673 ms is the time taken to trace to be forwarded between hops.  
118  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
22  
CONFIGURING QUALITY OF SERVICE  
ROUTING  
22.1 Configuring QoS  
Black Box QoS ensures bandwidth guarantees throughout the system by implementing Random Early Detection (RED) to  
address congestion and Class Based Queuing (CBQ) to address traffic policing. This document discusses the CBQ features.  
Black Box’s bandwidth management capability allows multiple agencies or customers to share access bandwidth on a  
WAN link in a controlled fashion to effectively and efficiently utilize available bandwidth. Even during times of  
congestion, each customer is guaranteed a share of the access bandwidth and is allowed to borrow unused bandwidth  
from other customers. This bandwidth management capability allows service providers to offer their customers Internet  
access based on the amount of guaranteed bandwidth-committed rate (CR) and the amount of bandwidth-borrowed  
burst rate (BR). Similarly, an organization can share its access bandwidth among its different departments.  
22.1.1Features  
The network administrator manages bundle bandwidth across various customers by defining traffic classes. Each traffic class  
is assigned the desired committed bandwidth as well as the burst bandwidth. The sum of the CRs of all classes must be less  
than or equal to the total bundle bandwidth. CBQ can be deployed in both the WAN outbound and WAN inbound directions.  
A traffic class is characterized by the following parameters:  
Class name  
Parent class  
Committed rate (CR)  
Burst rate (BR)  
Classification type based on:  
Application level  
Application ports (TCP or UDP)  
Network level  
Source or destination IP addresses, address ranges, or subnets  
Ethernet MAC level  
VLAN identifiers  
Traffic classes are arranged in a hierarchical manner. A class has a parent class and can have one or more child classes.  
The root class has no parent and is identified as root-out or root-in. There is no theoretical limit to the number of classes  
that can be created. The only limitation that can arise is due to available memory in the Black Box system.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
Black Box LR11xx Series Router Configurations Guide  
22.1.2Definitions  
Committed Rate  
Each traffic class can be assigned a CR parameter in Kbps. This is the amount of bandwidth that the class or  
flow is guaranteed at all times, even during congestion. The sum of the CRs for all classes in a given direction  
cannot exceed the access bandwidth of their parent class. By maintaining a moving average of the bandwidth  
for each class, the class is not “strictly” policed at CR Kbps, and momentary bursts in the flow are permitted.  
The goal is that each class with sufficient demand will be able to receive roughly its allocated bandwidth over  
some interval of time.  
Burst Rate  
Every traffic class can be configured with a burst parameter, which is the bandwidth that can be offered to that  
class if unused bandwidth is available from other classes. This provides for very efficient bandwidth utilization.  
A class can also be configured to borrow whatever bandwidth is available from its parent class up to the BR  
limit set for that class. To prevent a class from borrowing, set the CR equal to the BR. Also, note that a class  
cannot borrow more than the bundle bandwidth.  
22.1.3Classification Types  
The example in Figure 1 reserves the largest CR (1536 Kbps) for two servers, 10.1.1.1 and 10.1.1.2, which are members  
of the SrcOne class. The remainder of the 10.1.1.0/24 subnet is assigned to the SrcTwo class and is configured with a CR  
of 1024 Kbps. Additionally, the SrcTwo class is further divided into application port classes. All other hosts in Figure 1,  
the default class, are configured for a CR of 512 Kbps.  
The classification type must be the same across a given level of traffic class. Note in Figure 1, that the classification type  
at the first level traffic class is the source IP address; for the second level, the classification type is the application port.  
Because bandwidth limitations are evaluated from most specific to least specific, 10.1.1.1/32 falls within the SrcOne  
class.  
Figure 38 Assigning Classification Types  
Interface Bundle AppTest  
2 x T1  
Bandwidth = 3072 Kbps  
SrcOne  
SrcTwo  
SrcDef  
Traffic Classes  
Src IP = 10.1.1.1/32  
Src IP = 10.1.1.2/32  
CR = 1536 Kbps  
Src IP = 10.1.1.0/24  
CR = 1024 Kbps  
BR = 3072 Kbps  
Src IP = default  
CR = 512 Kbps  
BR= 1024 Kbps  
BR = 3072 Kbps  
Traffic Classes  
AppHTML  
AppDef  
AppSMTP  
Port = 80  
CR = 512 Kbps  
BR = 3072 Kbps  
Port = 25  
CR = 384 Kbps  
BR = 3072 Kbps  
Port = default  
CR = 128 Kbps  
BR = 3072 Kbps  
120  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
Configuring QoS  
Configuration for the example in Figure 38:  
22.1.3.1 Create bundle AppTest  
LR1104A/configure> interface bundle AppTest  
LR1104A/configure/interface/bundle AppTest> link ct3 1 18-19  
LR1104A/configure/interface/bundle AppTest> encap ppp  
LR1104A/configure/interface/bundle AppTest> ip addr 199.1.1.1 255.255.255.252  
22.1.3.2 Create traffic classes  
LR1104A/configure/interface/bundle AppTest> qos  
LR1104A/configure/interface/bundle AppTest/qos> add_class SrcOne root-out cr 1536 br 3072  
LR1104A/configure/interface/bundle AppTest/qos> add_class SrcTwo root-out cr 1024 br 3072  
LR1104A/configure/interface/bundle AppTest/qos> add_class SrcDef root-out cr 512 br 1024  
LR1104A/configure/interface/bundle AppTest/qos> add_class AppHTML SrcTwo cr 512 br 3072  
LR1104A/configure/interface/bundle AppTest/qos> add_class AppSMTP SrcTwo cr 384 br 3072  
LR1104A/configure/interface/bundle AppTest/qos> add_class AppDef SrcTwo cr 128 br 3072  
22.1.3.3 Assign classification types  
LR1104A/configure/interface/bundle AppTest/qos> class SrcOne  
LR1104A/configure/interface/bundle AppTest/qos/class SrcOne> add_src_ip 10.1.1.1  
255.255.255.255  
LR1104A/configure/interface/bundle AppTest/qos/class SrcOne> add_src_ip 10.1.1.2  
255.255.255.255  
LR1104A/configure/interface/bundle AppTest/qos/class SrcOne> exit  
LR1104A/configure/interface/bundle AppTest/qos> class SrcTwo  
LR1104A/configure/interface/bundle AppTest/qos/class SrcTwo> add_src_ip 10.1.1.0  
255.255.255.0  
LR1104A/configure/interface/bundle AppTest/qos/class SrcTwo> exit  
LR1104A/configure/interface/bundle AppTest/qos> class SrcDef  
LR1104A/configure/interface/bundle AppTest/qos/class SrcDef> add_src_ip default  
LR1104A/configure/interface/bundle AppTest/qos/class SrcDef> exit  
LR1104A/configure/interface/bundle AppTest/qos> class AppHTML  
LR1104A/configure/interface/bundle AppTest/qos/class AppHTML> add_port 80  
LR1104A/configure/interface/bundle AppTest/qos/class AppHTML> exit  
LR1104A/configure/interface/bundle AppTest/qos> class AppSMTP  
LR1104A/configure/interface/bundle AppTest/qos/class AppSMTP> add_port 25  
LR1104A/configure/interface/bundle AppTest/qos/class AppSMTP> exit  
LR1104A/configure/interface/bundle AppTest/qos> class AppDef  
LR1104A/configure/interface/bundle AppTest/qos/class AppDef> add_port default  
LR1104A/configure/interface/bundle AppTest/qos/class AppDef> exit  
LR1104A/configure/interface/bundle AppTest/qos> enable  
LR1104A/configure/interface/bundle AppTest/qos> exit 3  
22.1.4 VLAN Identifiers  
Figure 2 illustrates the classification based on VLAN identifiers. Note that these classes are leaf classes and do not have child classes.  
121  
Download from Www.Somanuals.com. All Manuals Search And Download.  
       
Black Box LR11xx Series Router Configurations Guide  
Figure 39 Assigning VLAN Identifiers  
Interface Bundle VLANTest  
4 x T1  
Bandwidth = 6144 Kbps  
JonesInc  
SmithInc  
Default  
Traffic Classes  
VLAN ID = 24  
CR = 3072 Kbps  
BR = 6144 Kbps  
VLAN ID = 25-29  
CR = 2048 Kbps  
BR = 6144 Kbps  
VLAN ID = default  
CR = 1024 Kbps  
BR = 2048 Kbps  
Configuration for Figure 39:  
22.1.4.1 Create bundle VLANtest  
LR1104A> conf t  
LR1104A/configure> interface bundle VLANtest  
LR1104A/configure/interface/bundle VLANtest> link ct3 1 20-23  
LR1104A/configure/interface/bundle VLANtest> encap ppp  
LR1104A/configure/interface/bundle VLANtest> ip addr 200.1.1.1 255.255.255.252  
22.1.4.2 Create traffic classes and assign classifications  
LR1104A/configure/interface/bundle VLANtest> qos  
LR1104A/configure/interface/bundle VLANtest/qos> add_class JonesInc root-out cr 3072 br 6144  
LR1104A/configure/interface/bundle VLANtest/qos> add_class SmithInc root-out cr 2048 br 6144  
LR1104A/configure/interface/bundle VLANtest/qos> add_class Default root-out cr 1024 br 2048  
LR1104A/configure/interface/bundle VLANtest/qos> class JonesInc  
LR1104A/configure/interface/bundle VLANtest/qos/class JonesInc> add_vlan_id 24  
LR1104A/configure/interface/bundle VLANtest/qos/class JonesInc> exit  
LR1104A/configure/interface/bundle VLANtest/qos> class SmithInc  
LR1104A/configure/interface/bundle VLANtest/qos/class SmithInc> add_vlan_id 25-29  
LR1104A/configure/interface/bundle VLANtest/qos/class SmithInc> exit  
LR1104A/configure/interface/bundle VLANtest/qos> class Default  
LR1104A/configure/interface/bundle VLANtest/qos/class Default> add_vlan_id default  
LR1104A/configure/interface/bundle VLANtest/qos/class Default> exit  
LR1104A/configure/interface/bundle VLANtest/qos> enable  
LR1104A/configure/interface/bundle VLANtest/qos> exit 4  
22.1.5Bulk Statistics  
The Bulk statistics command enables users to collect statistics for every N hours (N <4 hours) and upload the statistics for every class  
to an FTP server. The data is sent in an ASCII format file with three sections. The first section includes the upload time, system IP  
address, sample interval in minutes, and the upload interval in minutes. The second section includes class-based statistics for all  
bundles configured and enabled with QoS. The third section includes class-based statistics. Empty lines and header lines in the file  
start with the “#” character. The bundle statistics start with the character “B,” and class statistics start with the character “C.” These  
designations allow easier parsing of the file.  
122  
Download from Www.Somanuals.com. All Manuals Search And Download.  
       
Configuring QoS  
22.1.5.1 Configuring bulk statistics  
LR1104A/configure/.../qos> bulk_stats_ftp  
Primary FTP server: 10.1.3.1  
Secondary FTP server: 10.1.18.1  
FTP user name: bjones  
FTP password: xxxxxxxx  
LR1104A/configure/.../qos> bulk_statistics sample_interval 5 upload_interval 1  
LR1104A/configure/.../qos> show qos bulkstats_config  
Figure 40 Screen Display for show qos bulkstats_config Command  
Bulk Statistics Configuration  
-----------------------------  
status  
: ENABLED  
Primary FTP server : 10.10.1.1  
Secondary FTP server : 10.2.2.1  
FTP user name  
FTP password  
Upload interval  
Sample interval  
: joeuser  
: ******  
: 1 hrs  
: 5 mins  
123  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
Black Box LR11xx Series Router Configurations Guide  
124  
Download from Www.Somanuals.com. All Manuals Search And Download.  
23  
VIRTUAL LAN TAGGING  
23.1 Managing Traffic with VLAN Tagging  
Figure 41 Aggregation Using VLAN Tagging  
Aggregation /IP  
Services Router  
Baltimore  
To Internet  
POP  
Router  
T1  
Local  
Loop  
Reston VA  
CT3  
DC  
NxT1  
LR1104A  
Tasman 6300  
LR1114A  
The illustration above shows two customers connected to an aggregation/IP services router using a Black Box  
LR1104A. All packets coming into the Black Box LR1104A on the single T1 bundle are tagged with VLAN ID 5. All  
packets coming across the 4 T1 bundle from DC are tagged with a VLAN tag of 10.  
In this example, the VLAN tags are only relevant from the Black Box LR1104A to the VLAN-enabled POP router. The  
tags are removed in the reverse direction. Black Box’s IP multiplexing technology enables both remote customers to  
operate as if they are directly connected to the POP router residing on a tagged VLAN. In this scenario, the provider can  
offer HDLC, PPP, MLPPP, frame relay, and MFR connections. (The sample configurations in this document assume  
Baltimore uses frame relay and DC uses MLPPP.) Upgrading customer service by adding T1s to a Black Box product  
can be accomplished remotely (for example, at DC) after the T1 cable has been connected. Thus, deploying a technician  
to reconfigure the unit is not necessary.  
By connecting the Black Box LR1104A using a VLAN switch, additional LR1104As and POP routers can be easily  
added. If additional LR1104As are desired, the appropriate uplink from the VLAN switch is Gigabit Ethernet.  
Redundancy for the POP routers can be provided using either the second fast Ethernet port on the LR1104A, in  
conjunction with Black Box’s failover feature, or using HSRP/VRRP between the two routers. In the latter case, a  
VLAN switch is required.  
Special configuration is not required at the CPE for this application. At the POP, traffic from each bundle or frame relay  
PVC is tagged and forwarded to a VLAN trunk port on the Ethernet interface. In the other direction, the Black Box  
LR1104A proxies for the CPE routers after learning their IP addresses via link control protocol or inverse ARP. Routing  
between customer VLANs, firewall functions, and traffic management can be provided by the POP router  
sub-interfaces so there is only one location to monitor customer traffic.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Black Box LR11xx Series Router Configurations Guide  
In this example application, the POP router is configured with the following three sub-interfaces:  
205.1.1.1  
205.1.1.5  
10.1.1.5  
23.1.1 Reston configuration: Black Box LR1104A  
LR1104A/configure> hostname reston  
reston/configure> no ftp_server  
reston/configure> no autoconf  
23.1.1.1 Configure interface bundle balt1  
reston/configure> interface bundle balt1  
reston/configure/interface/balt1> link ct3 1 1  
reston/configure/interface/balt1> encapsulation fr  
reston/configure/interface/balt1> fr  
reston/configure/interface/balt1/fr> intf_type dce  
23.1.1.2 Configure interface balt1 pvc 100  
reston/configure/interface/balt1/fr> pvc 100  
reston/configure/interface/balt1/fr/pvc 100> policing cir 1536000 bc 1536000 be  
1536000  
reston/configure/interface/balt1/fr/pvc 100> shaping cir 1536000 bcmax 1536000 bcmin  
1536000 be 1536000  
# The Baltimore router is 205.1.1.2/30.  
# The PVC uses a private address on the Reston end.  
reston/configure/interface/balt1/fr/pvc 100> ip addr 10.1.1.1 255.255.255.252  
# The POP router is 205.1.1.1/30  
reston/configure/interface/balt1/fr/pvc 100> ip source_forwarding 205.1.1.1  
reston/configure/interface/balt1/fr/pvc 100> vlan  
reston/configure/interface/balt1/fr/pvc 100/vlan> vlanid 5  
reston/configure/interface/balt1/fr/pvc 100/vlan> exit 4  
23.1.1.3 Configure interface bundle dc1  
reston/configure> interface bundle dc1  
reston/configure/interface/bundle dc1> link ct3 1 2-5  
reston/configure/interface/bundle dc1> encapsulation ppp  
reston/configure/interface/bundle dc1> ip unnumbered ethernet0  
# DC is 205.1.1.6/30.  
reston/configure/interface/bundle dc1> ip source_forwarding 205.1.1.5  
reston/configure/interface/bundle dc1> vlan  
reston/configure/interface/bundle dc1>/vlan> vlanid 10  
reston/configure/interface/bundle dc1>/vlan> exit 2  
23.1.1.4 Configure interface ethernet 0  
reston/configure> interface ethernet 0  
reston/configure/interface/ethernet0> speed 100 full_duplex  
reston/configure/interface/ethernet0> ip address 10.1.1.6 255.255.255.252  
reston/configure/interface/ethernet0> exit  
126  
Download from Www.Somanuals.com. All Manuals Search And Download.  
         
Managing Traffic with VLAN Tag-  
23.1.1.5 Configure ip routing  
reston/configure> ip  
reston/configure/ip> route 205.1.1.0 255.255.255.0 ethernet0 1  
reston/configure/ip> route 0.0.0.0 0.0.0.0 10.1.1.5 1  
reston/configure/ip> exit  
# The above route summarizes the customer access subnets.  
23.1.2 DC configuration: Black Box LR1114A  
Blackbox> configure terminal  
Blackbox/configure> hostname dc1  
dc1/configure>  
23.1.2.1 Configure interface ethernet 0  
dc1/configure> interface ethernet 0  
dc1/configure/interface/ethernet0> ip addr 205.100.1.1 255.255.255.0  
dc1/configure/interface/ethernet0> exit  
23.1.2.2 Configure interface bundle mip  
dc1/configure> interface bundle mlp  
dc1/configure/interface/bundle mlp> link t1 1-4  
dc1/configure/interface/bundle mlp> encapsulation ppp  
dc1/configure/interface/bundle mlp> ip addr 205.1.1.6 255.255.255.252  
dc1/configure/interface/bundle mlp> exit  
23.1.2.3 Configure ip routing  
dc1/configure> ip  
dc1/configure/ip> routing  
dc1/configure/ip> route 0.0.0.0 0.0.0.0 205.1.1.5 1  
dc1/configure/ip> exit  
dc1/configure>  
127  
Download from Www.Somanuals.com. All Manuals Search And Download.  
         
Black Box LR11xx Series Router Configurations Guide  
128  
Download from Www.Somanuals.com. All Manuals Search And Download.  
24  
MANAGING REDUNDANT  
CONNECTIONS  
24.1 Trunk Group/Failover  
Redundant connections are often required between Black Box systems and the switches to which they connect. The following  
diagram illustrates Ethernet redundancy between a Black Box LR1114A and a Layer 3 switch using failover on the Black Box  
and a trunk group configuration on the switch.  
Figure 42 Trunk Group/Failover Configuration  
E1: 199.1.1.1/30  
Layer 3 Switch  
E2: 199.1.1.5/30  
WAN: 200.1.1.1/30  
Trunk Group  
Layer 3 Switch  
w/Trunk Group  
E2  
E1  
E1  
E0  
E0: 199.1.1.2/30  
E1: 199.1.1.6/30  
WAN: 10.1.1.1/30  
Failover  
WAN  
WAN: 200.1.1.2/30  
Router  
LR1114A  
Router  
24.1.1Configuration Details  
Black Box Ethernet 0 and 1 are connected to ports 1 and 2 of a trunk group configured switch.  
The trunk group is configured with three IP addresses and a single MAC address. One IP address is utilized for  
WAN connectivity; the second address provides for communication between the switch and Black Box Ethernet 0.  
For this configuration, a third IP address is utilized for the failover path.  
The Black Box LR1114A is configured for failover on E0. When E0 loses link conectivity, it will failover to E1 and  
continue to pass traffic. When E0 recovers, traffic will be switched back.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
Black Box LR11xx Series Router Configurations Guide  
The Black Box LR1114A is connected to a router via a bundle “WAN” (T1 PPP bundle) in IPMux mode.  
To manage the Black Box LR1114A from the switch during normal mode, ping, telnet, or snmp to the Ethernet  
0 IP address; during failover mode, ping, telnet, or snmp to the Ethernet 1 IP address.  
24.1.1.1 Configure the Black Box LR1114A for Failover Operation  
Blackbox> configure term  
Blackbox/configure> interface ethernet 0  
Blackbox/configure/interface/ethernet> ip address 199.1.1.2 255.255.255.252  
Blackbox/configure/interface/ethernet> failover  
Blackbox/configure/interface/ethernet> exit  
Blackbox/configure> interface ethernet 1  
Blackbox/configure/interface/ethernet> ip address 199.1.1.1.6 255.255.255.252  
Blackbox/configure/interface/ethernet> exit  
Blackbox/configure> interface bundle wan  
Blackbox/configure/interface/bundle> link t1 1  
Blackbox/configure/interface/bundle> enc ppp  
Blackbox/configure/interface/bundle> ip address 10.1.1.1 255.255.255.252  
Blackbox/configure/interface/bundle> ipmux source_forwarding 199.1.1.1  
Blackbox/configure/interface/bundle> exit  
130  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
25  
WAN INTERFACE CONFIGURATIONS  
25.1 T1 Interface Configuration  
Black Box systems are available with T1 WAN interfaces. Consult the Black Box System Installation Guide for details  
on WAN interface types, cabling, and pinouts.  
This document outlines the configuration of module parameters (Layer 1) and, to a lesser degree, the configuration of  
bundle parameters (Layer 2). The bundle configuration examples demonstrate linking of physical interfaces (modules)  
to logical interfaces (bundles). Module configuration occurs within the configure module tree of the Black Box CLI,  
and bundle configuration occurs within the configure interface bundle tree.  
Black Box T1 interfaces support logical interfaces made up of fractional T1, single T1, and multi-link T1connections.  
25.1.1Module Configuration  
25.1.1.1 T1  
The following example configures the operational and descriptive parameters for T1 number 6.  
Configure T1 Parameters  
Blackbox/configure> module t1 6  
Blackbox/configure/module/t1> circuitId X1234567890  
Blackbox/configure/module/t1> contactInfo George_Anderson  
Blackbox/configure/module/t1> description T1_to_Troy  
Blackbox/configure/module/t1> framing esf  
Blackbox/configure/module/t1> linecode b8zs  
Blackbox/configure/module/t1> clock_source line  
Blackbox/configure/module/t1> exit  
25.1.2 Bundle Configuration  
Configuration of an interface bundle is required for use of any of the Black Box system WAN interfaces. Multiple physical  
interfaces may be linked to a single interface bundle; multi-link protocols, including MLPPP and Multilink Frame Relay,  
make use of NxT1 interfaces to create single logical interfaces.  
The interface bundle specifies the physical connection(s) to be linked, an encapsulation protocol (Layer 2) and, optionally,  
Layer 3 parameters.  
25.1.2.1 Fractional T1  
The following example creates a 384 Kbps fractional T1 bundle utilizing DS0s 1-3 and 8-10 of T1 number 3.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
           
Black Box LR11xx Series Router Configurations Guide  
Configure a Fractional T1 HDLC Bundle  
Blackbox/configure> interface bundle demo1  
Blackbox/configure/interface/bundle> link t1 3:1-3,8-10  
Blackbox/configure/interface/bundle> encap hdlc  
Blackbox/configure/interface/bundle> ip addr 10.1.1.1 255.255.255.252  
Blackbox/configure/interface/bundle> exit  
27.1.3 T1  
The following example creates a 1536 Kbps T1 bundle utilizing T1 number 4. This bundle uses IP unnumbered.  
Configure a T1 PPP Bundle  
Blackbox/configure> interface bundle demo2  
Blackbox/configure/interface/bundle> link t1 4  
Blackbox/configure/interface/bundle> encap ppp  
Blackbox/configure/interface/bundle> ip unnumbered ethernet0  
Blackbox/configure/interface/bundle> exit  
27.1.4 NxT1  
The following example creates a 4.5 Mbps N x T1 bundle utilizing T1s 6-8. MLPPP is not explicitly specified, a PPP  
bundle with two or more linked T1s uses the multi-link protocol by definition.  
Configure an N x T1 MLPPP Bundle  
Blackbox/configure> interface bundle demo3  
Blackbox/configure/interface/bundle> link t1 6-8  
Blackbox/configure/interface/bundle> encap ppp  
Blackbox/configure/interface/bundle> ip addr 10.1.1.5 255.255.255.252  
Blackbox/configure/interface/bundle> exit  
132  
Download from Www.Somanuals.com. All Manuals Search And Download.  
26  
VIRTUAL LAN FORWARDING  
26.1 Managing VLAN Traffic  
Figure 43 VLAN Forwarding: Multi-Tenant Internet Access  
Untagged Customer LANs  
LR1104A  
Ethernet  
Switch  
Channelized T3  
Gigabit  
Ethernet  
Telco  
Ethernet  
Switch  
Internet  
Tagged VLAN  
Trunk  
POP Router  
Tasmn 140  
LR1114A  
Multi-Tenant Building  
The example above shows each multi-tenant customer represented as a separate VLAN on the Ethernet switch. The  
connection in the customer office can be routed or bridged, depending on whether the provider will be hosting customer  
applications at the POP. The Ethernet switch passes a VLAN trunk to the Black Box LR1114A that forwards traffic,  
based on the VLAN tags, from this interface to the multilink bundle.  
At the POP, tagged traffic is forwarded to a VLAN trunk port on the Ethernet switch. Routing between customer  
VLANs is provided by the POP router using sub-interfaces on the Gigabit Ethernet VLAN trunk. The customer LAN  
subnet is extended all the way to the POP router making remote management of LAN services (e.g., DHCP, file servers.  
SMTP) possible.  
The VLAN forwarding feature has the added benefit of being able to support non-IP traffic since all traffic is forwarded  
based only on the Layer 2 VLAN tag. Although Black Box products do not communicate using non-IP Layer 3  
protocols, Black Box systems can forward these protocols.  
The management VLAN feature provides in-band communication with the Black Box systems as well as the Ethernet  
switches while remaining separate from customer traffic. The Black Box systems will examine the destination IP  
address of any packets received on the management VLAN. If the destination is the Black Box, the address of the  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Black Box LR11xx Series Router Configurations Guide  
packet will be forwarded to the IP layer for local processing. If the address does not match the address of the Black  
Box system, the packet will be forwarded to all interfaces configured for the management VLAN with the  
exception of the interface where it was received. This allows all transmission equipment to be managed in a single,  
flat VLAN.  
When the Black Box system generates traffic on to the management VLAN, an ARP request is generated in the  
direction of the VLAN’s default route. If no default is configured, the ARP request will be generated in all possible  
directions, and the interface receiving the response will be cached with the reply. The source MAC address used by  
the Black Box will be associated with the Ethernet port associated with the management VLAN.  
In a multi-tenant unit (MTU) where customer Internet access is through the Ethernet interface, some form of  
bandwidth control is necessary to prevent a high bandwidth customer from blocking others since the uplink out of  
the building will typically be less than 10 Mbps. Black Box provides QoS support to limit customer bandwidth  
using a committed rate and burst rate, ensuring that customers get consistent bandwidth performance as other  
customers are activated. Black Box’s QoS can be configured based on VLAN IDs, in increments of 64 kbps  
providing greater control than what is normally available in Ethernet switches.  
134  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Managing VLAN Traffic  
26.1.1POP configuration: Black Box LR1104A  
LR1104A/configure> hostname POP-LR1104A  
POP-LR1104A/configure> no ftp_server  
POP-LR1104A/configure> no autoconf  
26.1.1.1 Configure mlppp bundle interface  
POP-LR1104A/configure> interface bundle bldg1  
POP-LR1104A/configure/interface/bundle bldg1> link ct3 1 1-4  
POP-LR1104A/configure/interface/bundle bldg1> encapsulation ppp  
POP-LR1104A/configure/interface/bundle bldg1> ip unnumbered ethernet0  
POP-LR1104A/configure/interface/bundle bldg1> exit  
26.1.1.2 Configure interface ethernet 0  
POP-LR1104A/configure> interface ethernet 0  
POP-LR1104A/configure/interface/ethernet0> speed 100 full_duplex  
POP-LR1104A/configure/interface/ethernet0> ip address 10.1.1.2 255.255.255.0  
POP-LR1104A/configure/interface/ethernet0> exit  
26.1.1.3 Configure in-band vlan forwarding table  
POP-LR1104A/configure> vlanfwd  
POP-LR1104A/configure/vlanfwd > add vlanid 4092 ethernet0  
POP-LR1104A/configure/vlanfwd > add vlanid 4092 bldg1  
POP-LR1104A/configure/vlanfwd > add vlanid 11-18 ethernet0  
POP-LR1104A/configure/vlanfwd > add vlanid 11-18 bldg1  
POP-LR1104A/configure/vlanfwd > management  
POP-LR1104A/configure/vlanfwd/management> vlanid 4092  
POP-LR1104A/configure/vlanfwd/management> disable_ipfwd  
POP-LR1104A/configure/vlanfwd/management> default_route 10.1.1.1 ethernet0  
POP-LR1104A/configure/vlanfwd/management> exit 2  
26.1.1.4 Configure rate limiting for vlans  
POP-LR1104A/configure> interface bundle bldg1  
POP-LR1104A/configure/interface bundle bldg1> no enable_cbq  
POP-LR1104A/configure/interface bundle bldg1> add_class mgmt-vlan root-out vlan_id 4092 cr 10  
be 3072  
POP-LR1104A/configure/interface bundle bldg1> add_class custA root-out vlan_id 11 cr 128 br  
1024  
POP-LR1104A/configure/interface bundle bldg1> add_class custB root-out vlan_id 12 cr 128 br  
1024  
POP-LR1104A/configure/interface bundle bldg1> add_class custC root-out vlan_id 13 cr 128 br  
1024  
POP-LR1104A/configure/interface bundle bldg1> add_class custD root-out vlan_id 14 cr 128 br  
1024  
POP-LR1104A/configure/interface bundle bldg1> add_class custE root-out vlan_id 15 cr 128 br  
1024  
POP-LR1104A/configure/interface bundle bldg1> add_class custF root-out vlan_id 16 cr 128 br  
1024  
POP-LR1104A/configure/interface bundle bldg1> add_class custG root-out vlan_id 17 cr 128 br  
1024  
POP-LR1104A/configure/interface bundle bldg1> add_class custH root-out vlan_id 18 cr 128 br  
1024  
POP-LR1104A/configure/interface bundle bldg1> enable_cbq  
POP-LR1104A/configure/interface bundle bldg1> exit  
26.1.2Bldg1 configuration: Black Box LR1114A  
LR1114A/configure> hostname bldg1-LR1114A  
bldg1-LR1114A/configure> interface ethernet 0  
bldg1-LR1114A/configure/interface/ethernet0 > ip addr 10.1.1.3 255.255.255.0  
bldg1-LR1114A/configure> interface ethernet0> exit  
135  
Download from Www.Somanuals.com. All Manuals Search And Download.  
           
Black Box LR11xx Series Router Configurations Guide  
26.1.2.1 Configure interface bundle uplink  
bldg1-LR1114A/configure> interface bundle uplink  
bldg1-LR1114A/configure/interface/bundle uplink> link t1 1-4  
bldg1-LR1114A/configure/interface/bundle uplink> encapsulation ppp  
bldg1-LR1114A/configure/interface/bundle uplink> ip unnumbered ethernet0  
bldg1-LR1114A/configure/interface/bundle uplink> exit  
26.1.2.2 Configure inband VLAN forwarding table  
bldg1-LR1114A/configure/interface> vlanfwd  
bldg1-LR1114A/configure/interface/vlanfwd> add vlanid 4092 ethernet0  
bldg1-LR1114A/configure/interface/vlanfwd> add vlanid 4092 uplink  
bldg1-LR1114A/configure/interface/vlanfwd> add vlanid 11-18 ethernet0  
bldg1-LR1114A/configure/interface/vlanfwd> add vlanid 11-18 uplink  
bldg1-LR1114A/configure/interface/vlanfwd> management  
bldg1-LR1114A/configure/interface/vlanfwd/management> vlanid 4092  
bldg1-LR1114A/configure/interface/vlanfwd> disable_ipfwd  
bldg1-LR1114A/configure/interface/vlanfwd> default_route 10.1.1.1 uplink  
bldg1-LR1114A/configure/interface/vlanfwd> exit 2  
26.1.2.3 Configure rate limiting for VLANs  
bldg1-LR1114A/configure> interface bundle uplink  
bldg1-LR1114A/configure/interface/bundle uplink> qos  
bldg1-LR1114A/configure/interface/bundle uplink> no enable_cbq  
bldg1-LR1114A/configure/interface/bundle uplink> add_class mgmt-vlan root-out vlan_id 4092 cr  
10 br 3072  
bldg1-LR1114A/configure/interface/bundle uplink> add_class custA root-out vlan_id 11 cr 128 br  
1024  
bldg1-LR1114A/configure/interface/bundle uplink> add_class custB root-out vlan_id 12 cr 128 br  
1024  
bldg1-LR1114A/configure/interface/bundle uplink> add_class custC root-out vlan_id 13 cr 128 br  
1024  
bldg1-LR1114A/configure/interface/bundle uplink> add_class custD root-out vlan_id 14 cr 128 br  
1024  
bldg1-LR1114A/configure/interface/bundle uplink> add_class custE root-out vlan_id 15 cr 128 br  
1024  
bldg1-LR1114A/configure/interface/bundle uplink> add_class custF root-out vlan_id 16 cr 128 br  
1024  
bldg1-LR1114A/configure/interface/bundle uplink> add_class custG root-out vlan_id 17 cr 128 br  
1024  
bldg1-LR1114A/configure/interface/bundle uplink> add_class custH root-out vlan_id 18 cr 128 br  
1024  
bldg1-LR1114A/configure/interface/bundle uplink> enable_cbq  
bldg1-LR1114A/configure/interface/bundle uplink> exit  
26.1.2.4 Configure SNMP  
bldg1-LR1114A/configure> snmp  
bldg1-LR1114A/configure/snmp> community public ro  
bldg1-LR1114A/configure/snmp> system_id bldg1-LR1114A  
bldg1-LR1114A/configure/snmp> trap_host 10.2.1.1 public  
bldg1-LR1114A/configure/snmp> exit  
136  
Download from Www.Somanuals.com. All Manuals Search And Download.  
       
27  
MUTLILINK FRAME RELAY  
27.1Multilink Frame Relay FRF.15 and FRF.16  
Multilink Frame Relay (MFR) is actually composed of two standards: FRF.15 and FRF.16. The latter is more common  
and defines UNI/NNI interfaces for implementing MFR. FRF.16 is used for multiplexing dedicated T1s in the local  
loop and requires compatible equipment at the carrier POP. FRF.15, or DTE-to-DTE MFR is used for multiplexing  
frame relay T1s between end points without impacting POP equipment. As a result, FRF.15 can be implemented across  
multiple frame relay carriers to provide additional redundancy. This application discusses considerations for using this  
standard. All Black Box products support FRF.15 and FRF.16.  
27.1.1 Features  
Low cost way of providing added bandwidth to private networks  
Can be done without the knowledge of the Frame Relay provider  
Scalable bandwidth using MFR for customers based on T1 access  
Traffic can be routed or switched using Frame Relay at the end points  
A customer desiring to implement DTE-to-DTE MFR can use the architecture illustrated in Figure 1. The normal  
ordering process can be used to obtain the fame relay T1s. From the perspective of the CPE, the Black Box LR1114As  
combine those different frame relay PVCs into a consolidated, larger pipe.  
FRF.15 uses an aggregated virtual circuit (AVC) for the combined interface. The AVC is composed of constituent  
virtual circuits (CVC) that represent the frame relay T1s ordered from the carrier(s). In this example, the Black Box  
LR1114As are configured with DTE LMI; the carrier frame switches are DCE.  
Figure 44 MFR Using FRF.15  
LR1114A  
LR1114A  
Tasman 1400  
Tasman 1400  
avc frf15  
avc frf15  
DLCI 100  
DLCI 100  
ip addr 11.1.1.1/30  
ip addr 11.1.1.2/30  
T1 Bundle DLCI  
T1 Bundle DLCI  
1
2
3
cvc1  
cvc2  
cvc3  
101  
102  
103  
1
2
3
cvc1  
cvc2  
cvc3  
101  
102  
103  
Frame Relay  
Backbone  
Frame  
Switch  
Frame  
Switch  
In Black Box systems, CVCs are configured using the bundle construct normally used for a non-ethernet interface.  
After the CVCs are configured, they can be assigned to the AVC. The AVC, frf15 in this case, is assigned a DLCI of  
100 on both ends and an IP address in the 11.1.1.0/30 subnet. The AVC names and DLCI numbers can be different on  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
Black Box LR11xx Series Router Configurations Guide  
each end if necessary. The frame switches are configured for DLCIs 101, 102, and 103 on the respective T1s. In  
this example, the Black Box LR1114A configurations are almost identical. The primary difference is the IP address  
assigned to the AVC. The configuration for the left LR1114A is shown below.  
27.1.1.1 # Configure Ethernet interface  
Blackbox/configure> interface ethernet 0  
Blackbox/configure/ethernet0> ip addr 192.168.1.1 255.255.255.0  
Blackbox/configure/ethernet0> exit  
27.1.1.2 # Configure CVC1  
Blackbox/configure> interface bundle cvc1  
Blackbox/configure/interface/bundle cvc1> link t1 1  
Blackbox/configure/interface/bundle cvc1> encapsulation frelay  
Blackbox/configure/interface/bundle cvc1> fr  
Blackbox/configure/interface/bundle cvc1/fr> intf_type dte  
Blackbox/configure/interface/bundle cvc1/fr> pvc 101  
Blackbox/configure/interface/bundle cvc1/fr> exit 3  
27.1.1.3 # Congfigure CVC2  
Blackbox/configure> interface bundle cvc2  
Blackbox/configure/interface/bundle cvc2> link t1 2  
Blackbox/configure/interface/bundle cvc2> encapsulation frelay  
Blackbox/configure/interface/bundle cvc2> fr  
Blackbox/configure/interface/bundle cvc2/fr> intf_type dte  
Blackbox/configure/interface/bundle cvc2/fr> pvc 102  
Blackbox/configure/interface/bundle cvc2/fr> exit 3  
27.1.1.4 # Configure CVC3  
Blackbox/configure> interface bundle cvc3  
Blackbox/configure/interface/bundle cvc3> link t1 2  
Blackbox/configure/interface/bundle cvc3> encapsulation frelay  
Blackbox/configure/interface/bundle cvc3> fr  
Blackbox/configure/interface/bundle cvc3/fr> intf_type dte  
Blackbox/configure/interface/bundle cvc3/fr> pvc 103  
Blackbox/configure/interface/bundle cvc3/fr> exit 3  
27.1.1.5 #Configure AVC  
Blackbox/configure> interface avc frf15 100  
Blackbox/configure/interface/avc frf15 100> cvc 101 cvc1  
Blackbox/configure/interface/avc frf15 100> cvc 102 cvc2  
Blackbox/configure/interface/avc frf15 100> cvc 103 cvc 3  
Blackbox/configure/interface/avc frf15 100> ip address 11.1.1.1 255.255.255.252  
Blackbox/configure/interface/avc frf15 100> exit  
Blackbox> configure  
The above configuration does not include statements for policing and traffic shaping, so all PVCs are given the full  
CIR for the interface. Once the AVC is configured, the Black Box systems can be configured for transparent IP  
multiplexing or for static routing. These details are omitted.  
The primary advantage of FRF.15 is that no support is required on the POP side of the network. That fact makes  
this standard ideal for companies that need increased bandwidth for their frame relay based private network.  
FRF.15 is more susceptible to differential delay because the multiplexed links extend well beyond the local loop.  
Fortunately, differential delay encountered within the United States is typically small enough to have little to no  
impact on actual traffic flow.  
138  
Download from Www.Somanuals.com. All Manuals Search And Download.  
         
28  
CONFIGURING FRAME RELAY AND  
MULTILINK FRAME RELAY  
28.1 Layer Two Configurations  
FR and MFR  
Figure 45 outlines a Multilink Frame Relay (MFR) configuration with three sites. PVC 16 connects Site 1 to Site 3,  
while PVC 31 connects Site 2 to Site 3. The Frame Relay switching equipment is represented simply as a Frame cloud.  
Figure 45 MFT Configuration  
LR1114A  
SITE 1  
HSSI  
PVC 16  
Router  
PVC 16  
4 x T1  
Router  
PVC 16  
PVC 31  
Frame  
Cloud  
100 Base-T  
Router  
2 x T1  
PVC 31  
SITE 3  
SITE 2  
LR1114A  
Figure 46 provides greater detail, including the use of a LR1104A inside the cloud as a Frame Relay switching device,  
and LR1114A series units at the CPE sites 1 and 2.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
Black Box LR11xx Series Router Configurations Guide  
Figure 46 MFR Configuration Detail  
LR1114A  
SITE 1  
HSSI  
DCE  
DTE  
PVC 16  
NNI  
Router  
4 x T1  
PVC 16  
Tasman 7030  
Router  
NNI  
NNI  
DS3  
NNI  
PVC 16  
PVC 31  
DCE  
100 Base-T  
Frame  
Switch  
Router  
SITE 3  
2 x T1  
PVC 31  
DTE  
100 Base-T  
Frame  
Cloud  
SITE 2  
LR1114A  
28.1.1 FR Configuration  
A LR1104A LR1104A at Site 1 provides Frame Relay switching between a HSSI interface, connecting to the local router,  
and a 4 x T1 MFR bundle, connecting to the LR1104A. Continuity of PVC 16 is maintained through the LR1104A  
LR1104A, though this is not required.  
The HSSI connection between the router and the LR1104A is defined as type UNI. The LR1104A serves as Frame  
Relay DCE and the router as the Frame Relay DTE. Note that the Frame Relay (Layer 2) interface type is  
independent of, and not necessarily the same as, the HSSI (Layer 1) interface type.  
28.1.1.1 Configure the HSSI Bundle at Site 1  
Blackbox/configure> interface bundle toRouter  
Blackbox/configure/interface/bundle> link ussi 1  
Blackbox/configure/interface/bundle> description "hssi link to router"  
Blackbox/configure/interface/bundle> encap fr  
Blackbox/configure/interface/bundle> fr  
Blackbox/configure/interface/bundle/fr> intf_type dce  
Blackbox/configure/interface/bundle/fr> lmi ansi  
Blackbox/configure/interface/bundle/fr/lmi> exit  
Blackbox/configure/interface/bundle/fr> pvc 16  
/* pvc's default cir set to 52000000 bps */  
Blackbox/configure/interface/bundle/fr/pvc> shaping cir 6144000 bcmax 6144000 bcmin  
3072000  
Blackbox/configure/interface/bundle/fr/pvc> exit  
The BlackBox serves as a Frame Relay switch, connecting PVCs 16 and 31 through to another Frame Switch via a  
Clear Channel DS-3 interface. Note that the Bcmin setting of 3.072 Mbps is maintained across all PVC 16  
configurations, to correspond to the Class C setting of the MFR portion of the PVC.  
140  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
Layer Two Configurations FR  
28.1.1.2 Configure the Clear Channel Bundle on the LR1104A  
Blackbox/configure> int bundle toFRSwit  
Blackbox/configure/interface/bundle> link t3 1  
Blackbox/configure/interface/bundle> description "DS-3 bundle to FR Switch"  
Blackbox/configure/interface/bundle> encap fr  
Blackbox/configure/interface/bundle> fr  
Blackbox/configure/interface/bundle/fr> intf_type nni  
Blackbox/configure/interface/bundle/fr> lmi ansi  
Blackbox/configure/interface/bundle/fr/lmi> exit  
Blackbox/configure/interface/bundle/fr> pvc 16  
Blackbox/configure/interface/bundle/fr/pvc> shaping cir 6144000 bcmax 6144000 bcmin 3072000  
Blackbox/configure/interface/bundle/fr/pvc> switch 16 toBlackBox  
Blackbox/configure/interface/bundle/fr/pvc> exit  
Blackbox/configure/interface/bundle/fr> pvc 31  
Blackbox/configure/interface/bundle/fr/pvc> shaping cir 3072000 bcmax 3072000 bcmin 1536000  
Blackbox/configure/interface/bundle/fr/pvc> switch 31 toLR1114A  
28.1.2 MFR Configuration  
The 4 x T1 MFR bundle between the LR1104A and the Black Box connects two Frame Relay switches, therefore it represents an  
NNI interface. The sample configuration defines the 4 x T1 bundle to be of Class C; that is, a minimum of 2 T1 links are required to  
be up in order to keep the bundle up. Settings for Bcmin on the MFR bundle are set to correspond with the Class C configuration; that  
is, the minimum anticipated bandwidth will be 2 x T1.  
28.1.2.1 Configure the LR1104A LR1104A at Site 1  
Blackbox/configure> int bundle wan1  
Blackbox/configure/interface/bundle> link t1 5-8  
Blackbox/configure/interface/bundle> description "6 Mbps MFR"  
Blackbox/configure/interface/bundle> encap fr  
Blackbox/configure/interface/bundle> fr  
Blackbox/configure/interface/bundle/fr> intf_type nni  
Blackbox/configure/interface/bundle/fr> mfr class C 2  
/* specifies that the bundle remain up as long as two T1s are up */  
Blackbox/configure/interface/bundle/fr> lmi ansi  
Blackbox/configure/interface/bundle/fr/lmi> keepalive 8  
Blackbox/configure/interface/bundle/fr/lmi> exit  
Blackbox/configure/interface/bundle/fr> pvc 16  
/* pvc's default cir set to 6144000 bps */  
Blackbox/configure/interface/bundle/fr/pvc> shaping cir 6144000 bcmax 6144000 bcmin 3072000  
/* Bcmin consistent with minimum possible bundle bandwidth of two T1s */  
Blackbox/configure/interface/bundle/fr/pvc> switch 16 toRouter  
/* switch between wan1:16 and toRouter:16 established */  
Blackbox/configure/interface/bundle/fr> exit  
28.1.2.2 Configure the LR1104A  
Blackbox/configure> int bundle toBlackBox  
Blackbox/configure/interface/bundle> link ct3 1 1-4  
Blackbox/configure/interface/bundle> description "6Mbps MFR to LR1104A"  
Blackbox/configure/interface/bundle> encap fr  
Blackbox/configure/interface/bundle> fr  
Blackbox/configure/interface/bundle/fr> intf_type nni  
Blackbox/configure/interface/bundle/fr> mfr class C 2  
Blackbox/configure/interface/bundle/fr> lmi ansi  
Blackbox/configure/interface/bundle/fr/lmi> keepalive 10  
Blackbox/configure/interface/bundle/fr/lmi> exit  
Blackbox/configure/interface/bundle/fr> pvc 16  
Blackbox/configure/interface/bundle/fr/pvc> shaping cir 6144000 bcmax 6144000 bcmin 3072000  
Blackbox/configure/interface/bundle/fr/pvc> exit  
Blackbox/configure/interface/bundle/fr> exit 2  
141  
Download from Www.Somanuals.com. All Manuals Search And Download.  
       
Black Box LR11xx Series Router Configurations Guide  
A LR1104A LR1114A at Site 2 serves as the Frame Relay termination point, connecting the Site 2 IP network to the  
LR1104A. This MFR bundle utilizes 2 T1 links for an approximate 3 Mbps bandwidth. Since it is the Frame Relay terminating  
point and is defined as a DTE frame relay interface, an IP address is assigned to the WAN bundle.  
28.1.2.3 Configure the LR1104A LR1114A at Site 2  
LR1114A/configure> int bundle frame1  
LR1114A/configure/interface/bundle> link t1 1-2  
LR1114A/configure/interface/bundle> description "3 Mbps to the Internet"  
LR1114A/configure/interface/bundle> encap fr  
LR1114A/configure/interface/bundle> fr  
LR1114A/configure/interface/bundle/fr> intf_type dte /* this is default */  
LR1114A/configure/interface/bundle/fr> mfr class A /* this is default */  
LR1114A/configure/interface/bundle/fr> lmi ansi  
LR1114A/configure/interface/bundle/fr/lmi> keepalive 10  
LR1114A/configure/interface/bundle/fr/lmi> exit  
LR1114A/configure/interface/bundle/fr> pvc 31  
/* pvc's default cir set to 3072000 bps */  
LR1114A/configure/interface/bundle/fr/pvc> ip addr 10.0.2.1 255.255.255.252  
LR1114A/configure/interface/bundle/fr/pvc> enable  
LR1114A/configure/interface/bundle/fr/pvc> exit  
28.1.2.4 Configure the LR1104A  
Blackbox/configure> int bundle toLR1114A  
Blackbox/configure/interface/bundle> link ct3 1 5-6  
Blackbox/configure/interface/bundle> description "3Mbps MFR to LR1114A"  
Blackbox/configure/interface/bundle> encap fr  
Blackbox/configure/interface/bundle> fr  
Blackbox/configure/interface/bundle/fr> intf_type dce  
Blackbox/configure/interface/bundle/fr> lmi ansi  
Blackbox/configure/interface/bundle/fr/lmi> keepalive 10  
Blackbox/configure/interface/bundle/fr/lmi> exit  
Blackbox/configure/interface/bundle/fr> pvc 31  
Blackbox/configure/interface/bundle/fr/pvc> exit 3  
142  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
© Copyright 2004. Black Box Corporation. All rights reserved.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Download from Www.Somanuals.com. All Manuals Search And Download.  

Bel Canto Design Stereo Amplifier PRe2TM PRe2PTM User Manual
Blackberry Cell Phone 9300 Version 50 User Manual
Bosch Power Tools Router 0 601 617 061 User Manual
Bravetti Mixer EP545 User Manual
Cable Electronics MP3 Player CAT5TX RX User Manual
Califone MP3 Player 1500AV BL User Manual
Campbell Hausfeld Pressure Washer PW2570 User Manual
Canon Printer 475D User Manual
Cary Audio Design DJ Equipment Cinema 11a User Manual
Cisco Systems Automobile Parts 6500 Series User Manual