Black Box LR11xx Series Router Configurations
May 2004

LR1102A-T1/E1
LR1104A-T1/E1
LR1112A-T1/E1
LR1114A-T1/E1

CUSTOMER SUPPORT INFORMATION
Order toll-free in the U.S. 24 hours, 7 A.M. Monday to midnight Friday: 877-877-BBOX
FREE technical support, 24 hours a day, 7 days a week: Call 724-746-5500 or fax 724-746-0746
Mail order: Black Box Corporation, 1000 Park Drive, Lawrence, PA 15055-1018
Web site: www.blackbox.com • E-mail: info@blackbox.
FEDERAL COMMUNICATIONS COMMISSION AND CANADIAN DEPARTMENT OF COMMUNICATIONS RADIO FREQUENCY INTERFERENCE STATEMENTS

This equipment generates, uses, and can radiate radio frequency energy and if not installed and used properly, that is, in strict accordance with the manufacturer’s instructions, may cause interference to radio communication.
Normas Oficiales Mexicanas (NOM) Electrical Safety Statement

SAFETY INSTRUCTIONS
1. All safety and operating instructions should be read before the electrical appliance is operated.
2. The safety and operating instructions should be kept for future reference.
3. All warnings on the electrical appliance and in its operating instructions should be heeded.
4. All operating and use instructions should be followed.
5.
16. The power cord should be disconnected when the equipment is not used for a long period of time.
17. Care should be taken so that objects and liquids are not spilled onto the enclosure or into the ventilation openings.
18.
Contents

DHCP RELAY
  DHCP Relay
  Feature Overview
  Functionality
  BOOTP Requests

  Box Security Gateways
  Example 3: Multiple IPSec Proposals: Tunnel Mode Between Two Black Box Security Gateways
  Example 4: IPSec remote access to corporate LAN using user group method

  NAT Configuration Examples
  Dynamic NAT (many to many)
  Static NAT (one to one)
  Port Address Translation (Many to one)
MULTIPATH MULTICAST CONFIGURATIONS
  Multipath Multicast

  Configuring the host name
  Configuring interface ethernet 0
  Configuring interface bundle Dallas
  Configuring ospf
  Configuring ospf interface parameters

VIRTUAL LAN TAGGING
  Managing Traffic with VLAN Tagging
  Reston configuration: Black Box LR1104A
  Configure interface bundle balt1
  Configure interface balt1 pvc 100
  Configure interface bundle dc1

  Configure the LR1104A LR1104A at Site 1
  Configure the LR1104A
  Configure the LR1104A LR1114A at Site 2
  Configure the LR1104A
1 DHCP RELAY

1.1 DHCP Relay

This application describes the functionality of the DHCP relay feature and includes CLI command examples.

1.1.1 Feature Overview

The Black Box DHCP relay feature eliminates the need for a DHCP server on every LAN, because DHCP requests can be relayed to a single remote DHCP server. Black Box’s implementation of DHCP relay is based on RFC 1532. BOOTP/DHCP messages are relayed (rather than forwarded) between the server and client.
[Figure 2: BOOTP Requests. Diagram labels: DHCP Client, Broadcast BOOTREQUEST, Tasman 1400 DHCP Relay Agent, Unicast BOOTREQUEST, DHCP Server]

1.1.2.2 BOOTP Replies

BOOTP replies are messages from the server to the client. Reply messages include DHCP OFFER, DHCP ACK, DHCP NAK, etc. The relay agent looks up the MAC address and either sends the packet to the client or broadcasts it on the LAN.
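The request and reply handling described above, sketched as an added example (it is not Black Box code). It follows the relay-agent rules of the BOOTP relay RFCs; the function names, the hop limit of 4, the interface name, the MAC address and the client address are assumptions of this example, while 20.1.1.1 and 192.168.20.1 are the addresses used in this guide's dhcp commands.

```python
import ipaddress
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
BROADCAST_FLAG = 0x8000
# Fixed BOOTP header (236 bytes): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file. Options follow it.
HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
OP, HLEN, HOPS, FLAGS, GIADDR, CHADDR = 0, 2, 3, 6, 10, 11
ZERO = bytes(4)


def ip(text):
    """Dotted-quad string to 4 packed bytes."""
    return ipaddress.IPv4Address(text).packed


def build(op, mac_hex, giaddr="0.0.0.0", hops=0, flags=0, yiaddr="0.0.0.0"):
    """Build a constructed BOOTP message for the demonstration."""
    return HEADER.pack(op, 1, 6, hops, 0x1234ABCD, 0, flags, ZERO, ip(yiaddr),
                       ZERO, ip(giaddr), bytes.fromhex(mac_hex), b"", b"")


def relay_request(packet, gateway_address, server_address, max_hops=4):
    """Relay a client BOOTREQUEST: returns (destination, packet) or None."""
    if len(packet) < HEADER.size:
        return None                      # truncated message
    fields = list(HEADER.unpack_from(packet))
    if fields[OP] != BOOTREQUEST or fields[HOPS] > max_hops:
        return None                      # not a request, or relayed too often
    if fields[GIADDR] == ZERO:
        # First relay on the path: record where the request came in, so the
        # server can pick a scope and knows where to send the reply.
        fields[GIADDR] = ip(gateway_address)
    fields[HOPS] += 1
    # The message is rebuilt and unicast to the server (relayed), not
    # re-broadcast unchanged (forwarded).
    return server_address, HEADER.pack(*fields) + packet[HEADER.size:]


def relay_reply(packet, interfaces):
    """Decide delivery of a BOOTREPLY: (interface, method, client MAC) or None.

    interfaces maps an interface name to the gateway address used on it.
    """
    if len(packet) < HEADER.size:
        return None
    fields = HEADER.unpack_from(packet)
    if fields[OP] != BOOTREPLY:
        return None
    out_if = next((name for name, addr in interfaces.items()
                   if ip(addr) == fields[GIADDR]), None)
    if out_if is None:
        return None                      # giaddr is not one of our interfaces
    mac = fields[CHADDR][:fields[HLEN]].hex(":")
    method = "broadcast" if fields[FLAGS] & BROADCAST_FLAG else "unicast"
    return out_if, method, mac


if __name__ == "__main__":
    request = build(BOOTREQUEST, "0002b3010203")          # constructed client
    print(relay_request(request, "192.168.20.1", "20.1.1.1")[0])
    reply = build(BOOTREPLY, "0002b3010203", giaddr="192.168.20.1",
                  flags=BROADCAST_FLAG, yiaddr="192.168.20.50")
    print(relay_reply(reply, {"ethernet0": "192.168.20.1"}))
```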
Blackbox> configure terminal
Blackbox/configure> interface ethernet 0
Blackbox/configure/interface/ethernet 0> dhcp server_address 20.1.1.1

1.1.4.2 Disabling DHCP Relay

Blackbox/configure/interface/ethernet 0> no dhcp server_address 20.1.1.1

1.1.4.3 Configuring the Gateway Address field when NAT is enabled

Blackbox/configure/interface/ethernet 0> dhcp gateway_address 192.168.20.1

1.1.
Figure 7 Displaying Ethernet Interface Statistics

> show interface ethernet 1
ethernet 1
ipaddr netmask description status configured speed mode actual speed mode mtu
192.168.120.1 255.255.255.0 down, operationally down auto 100 half_duplex 1500
ethernet1 (unit number 1)
Type: ETHERNET (802.3)
Flags: (0x807c203) UP, MULTICAST-ROUTE
Internet Address: 192.168.120.1
Internet Netmask: 255.255.255.0
Internet Broadcast: 192.168.120.
2 CONFIGURING INTERNET GROUP MANAGEMENT PROTOCOL

2.1 IGMP Configuration

Internet Group Management Protocol (IGMP) is enabled on hosts and routers that want to receive multicast traffic. IGMP informs locally-attached routers of their multicast group memberships. Hosts inform routers of the groups of which they are members by multicasting IGMP Group Membership Reports. When multicast routers listen for these reports, they can exchange group membership information with other multicast routers.
2.1.
Blackbox/configure/ip/igmp/interface ethernet0> ip igmp ignore-v2-messages
Blackbox/configure/ip/igmp/interface ethernet0> exit 3
Blackbox/configure>

2.1.2.5 Example 5

The following example configures the Last Member Query Count to be 4 on ethernet 0.

Blackbox/configure/ip/igmp/interface ethernet0> last-member-query-count 4

2.1.2.6 Example 6

In the following example for interface ethernet 0, the Robustness is configured to be 4. The Last Member Query count is configured to be 5.
3 FILTERING IP TRAFFIC

3.1 IP Packet Filter Lists

Black Box systems can be configured for IP traffic filtering capabilities. IP traffic filtering allows creation of rule sets that selectively block TCP/IP packets on a specified interface. Filters are applied independently to all interfaces: Ethernet, serial, or WAN, as well as independently to interface direction: IN (packets coming in to the Black Box system) or OUT (packets going out of the Black Box system).
Blackbox/configure/ip> apply_filter ether0 filtera in
Blackbox/configure/ip> apply_filter WAN1 filtera in
Blackbox/configure/ip> exit
Blackbox/configure> exit
Blackbox> save local

3.1.2 Example 2

Consider the same network addressing as in example 1. The network administrator has a slightly different requirement: he wishes to permit FTP sessions from all networks to the internal FTP server (222.199.19.
4 CONFIGURING SECURITY

4.1 IPSec Configurations

This guide provides information and examples on how to configure IPSec. There are three licenses that control access to the features:

Basic VPN Management (vpn_mgmt): allows users to manage a remote Black Box router.
Firewall (firewall): allows users to manage the firewall features. Also includes Basic VPN Management.
Advanced VPN and firewall (vpn_plus_firewall): allows users to manage remote LANs. Also includes Basic VPN and Firewall licenses.
Blackbox/configure> system licenses vpn_plus_firewall
Enter Security Upgrade License key: 024f3bc296b4ea7265

4.2 Example 1: Managing the Black Box LR1104A Securely Over an IPSec Tunnel

The following example demonstrates how to manage a Black Box router through an IP security tunnel.
Blackbox> show crypto interfaces
Interface   Network
Name        Type
---------   -------
wan1        Untrusted
ethernet0   trusted
Blackbox>

Step 4: Add route to peer LAN

Black Box1/configure> ip route 10.0.2.0 24 wan1

Step 5: Configure IKE to the peer gateway

Black Box1/configure> crypto ike policy Black Box2 172.16.0.2
Black Box1/configure/crypto/ike/policy Black Box2 172.16.0.2> local-address 172.16.0.1
message: Default proposal created with priority1-des-sha1-pre_shared-g1.
Step 10.1: Configure firewall policies to allow IKE negotiation through untrusted interface (applicable only if firewall license is also enabled)

Black Box1/configure> firewall internet
Black Box1/configure/firewall internet> policy 1000 in service ike self
Black Box1/configure/firewall internet/policy 1000 in> exit
Black Box1/configure/firewall internet> exit

Step 10.
Black Box1> show firewall policy internet detail
Policy with Priority 1000 is enabled, Direction is inbound
Action permit, Traffic is self
Logging is disable
Source Address is any, Dest Address is any
Source Port is any, Service Name is ike
Schedule is disabled, Ftp-Filter is disabled
Smtp-Filter is disabled, Http-Filter is disabled
Rpc-Filter is disabled, Nat is disabled
Bytes In 0, Bytes Out 0
Policy with Priority 1001 is enabled, Direction is inbound
Action permit, Traffic
Black Box1/configure/crypto/> exit
Black Box1/configure> snmp
Black Box1/configure/snmp> community public rw
Black Box1/configure/snmp> exit

Step 12: Display SNMP communities

Blackbox>show snmp communities
Community = public, privileges=rw
Blackbox>

Step 13: Repeat steps 1 - 10 with suitable modifications on Black Box2 prior to managing Black Box1 from Black Box2’s LAN side

Step 14: Test the IPSec tunnel for managing the Black Box1 router from a host o
Black Box1/configure/interface/bundle wan1> link t1 1
Black Box1/configure/interface/bundle wan1> encapsulation ppp
Black Box1/configure/interface/bundle wan1> ip address 172.16.0.
For IPSec only: when you create an outbound tunnel, an inbound tunnel is automatically created. The inbound tunnel applies the name that you provide for the outbound tunnel and adds the prefix “IN” to the name.

message: Default proposal created with priority1-esp-3des-sha1-tunnel and activated.
Black Box1> show firewall policy internet detail
Policy with Priority 1000 is enabled, Direction is inbound
Action permit, Traffic is self
Logging is disable
Source Address is any, Dest Address is any
Source Port is any, Service Name is ike
Schedule is disabled, Ftp-Filter is disabled
Smtp-Filter is disabled, Http-Filter is disabled
Rpc-Filter is disabled, Nat is disabled
Bytes In 0, Bytes Out 0
Policy with Priority 1024 is enabled, Direction is outbound
Action permit, Traf
Black Box1> show firewall policy corp detail
Policy with Priority 1000 is enabled, Direction is inbound
Action permit, Traffic is transit
Logging is disable
Source Address is 10.0.2.0/24, Dest Address is 10.0.1.
Step 11: After transit traffic is passed through the tunnel, display the IKE and IPSec SA tables. Use the show crypto ike sa all and show crypto ipsec sa all commands.

4.4 Example 3: Multiple IPSec Proposals: Tunnel Mode Between Two Black Box Security Gateways

The following example demonstrates how a security gateway can use multiple IPSec (phase 2) proposals to form an IP security tunnel to join two private networks: 10.0.1.0/24 and 10.0.2.0/24.
Blackbox> show crypto interfaces
Interface   Network
Name        Type
---------   -------
wan1        Untrusted
ethernet0   trusted
Blackbox>

Step 4: Add route to peer LAN

Black Box1/configure> ip route 10.0.2.0 24 wan1

Step 5: Configure IKE to the peer gateway

Black Box1/configure> crypto ike policy Black Box2 172.16.0.2
Black Box1/configure/crypto/ike/policy/Black Box2 172.16.0.2> local-address 172.16.0.
Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2/proposal 2> encryption_algorithm aes256-cbc
Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2/proposal 2> exit
Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2> exit
Black Box1/configure/crypto> exit
Black Box1/configure>

Step 8: Display the IPSec policies

Use the show crypto ipsec policy all command.
Step 2: As in Step 2 of Example 1

Step 3: As in Step 3 of Example 1

Step 4: Configure dynamic IKE policy for a group of mobile users

Black Box1/configure> crypto
Black Box1/configure/crypto> dynamic
Black Box1/configure/crypto/dynamic> ike policy sales
Black Box1/configure/crypto/dynamic/ike/policy sales> local-address 172.16.0.1
Black Box1/configure/crypto/dynamic/ike/policy sales> remote-id email-id david@BlackBox.
Black Box1/configure/crypto/dynamic> ipsec policy sales
Black Box1/configure/crypto/dynamic/ipsec/policy sales> match address 10.0.1.0 24
Default proposal created with priority1-esp-3des-sha1-tunnel and activated.
Black Box1> show crypto dynamic ipsec policy all detail
Policy sales is enabled, User group name sales
Direction is outbound, Action is Apply
Key Management is Automatic
PFS Group is disabled
Match Address:
Protocol is Any
Source ip address (ip/mask/port): (10.0.1.0/255.255.255.
Black Box1/configure> firewall internet
Black Box1/configure/firewall internet> policy 1000 in service ike self
Black Box1/configure/firewall internet/policy 1000 in> exit
Black Box1/configure/firewall internet> exit

Step 12: Display firewall policies in the internet map (applicable only if firewall license is enabled)

Black Box1> show firewall policy internet
Advanced: S - Self Traffic, F - Ftp-Filter, H - Http-Filter,
          R - Rpc-Filter, N - N
Pri    Dir
---    ---
1000   in
1024   out
Black Box1> show firewall policy corp
Advanced: S - Self Traffic, F - Ftp-Filter, H - Http-Filter,
          R - Rpc-Filter, N - Nat-Ip/Nat-Pool, L - Logging,
          E - Policy Enabled, M - Smtp-Filter
Pri    Dir   Source Addr   Destination Addr
---    ---   -----------   ----------------
1000   in    any           10.0.1.
1022   out   any
1023   in    any
1024   out   any
[Figure: IPSec tunnels from two VPN clients to Black Box 1. Diagram labels: VPN Client 1 (Local Outer Address: Dynamic; Local Inner Assigned Address: 10.0.1.100/32; Local ID: blackbox.com david@tasmannetworks.com); VPN Client 2 (Local Outer Address: Dynamic; Local Inner Assigned Address: 10.0.1.101/32; Local ID: blackbox.com mike@tasmannetworks.); Black Box 1 VPN Server 172.16.0.1 (Mode Config IP Pool: 10.0.1.100-10.0.1.150); Corporate Headquarters 10.0.1.0/24]
Black Box1> show crypto dynamic ike policy all
Policy   Remote-id             Mode         Transform             Address-Pool
------   ---------             ----         ---------             ------------
sales    U david@BlackBox...   Aggressive   P1 pre-g1-3des-sha1   1 S 20.1.1.100
                                                                    E 20.1.1.150

Step 6: Display dynamic IKE policies in detail

Black Box1> show crypto dynamic ike policy all detail
Policy name sales, Modeconfig group
Aggressive mode, Response Only, PFS is not enabled, Shared Key is *****
Local addr: 192.168.55.
Black Box1> show crypto dynamic ipsec policy all detail
Policy sales is enabled, Modeconfig Group
Action is Apply
Key Management is Automatic
PFS Group is disabled
Match Address:
Protocol is Any
Source ip address (ip/mask/port): (10.0.1.0/255.255.255.
Black Box1> show firewall policy internet detail
Policy with Priority 1000 is enabled, Direction is inbound
Action permit, Traffic is self
Logging is disable
Source Address is any, Dest Address is any
Source Port is any, Service Name is ike
Schedule is disabled, Ftp-Filter is disabled
Smtp-Filter is disabled, Http-Filter is disabled
Rpc-Filter is disabled, Nat is disabled
Bytes In 0, Bytes Out 0
Policy with Priority 1024 is enabled, Direction is outbound
Black Box1> show firewall policy corp detail
Policy with Priority 1000 is enabled, Direction is inbound
Action permit, Traffic is transit
Logging is disable
Source Address is 20.1.1.100-20.1.1.150, Dest Address is 10.0.1.
5 IPSEC SPECIFICATIONS

5.1 IPSec Appendix

This appendix provides information about IPSec supported protocols and modes, encryption algorithms and block sizes, and Black Box IPSec and IKE default values.

IPSec Supported Protocols and Algorithms

The following tables provide supported protocol and algorithm information.
HMAC-SHA1-96    96-bits

Table 4 Diffie-Hellman Groups

Diffie-Hellman Groups for Authentication   Key Size
Group 1                                    768-bits
Group 2                                    1024-bits

5.1.1 Black Box IKE and IPSec Defaults

To minimize configuration required by the user, default IKE and IPSec values have been implemented in Black Box’s encryption scheme.

5.1.1.1 IKE Defaults

The following table lists IKE defaults.
Figure 12 IPSec Default Values

Parameter Name                         Black Box Default Value
Key management type                    Automatic
Hash algorithm                         SHA1
Encryption algorithm                   3DES
Protocol                               ESP
Mode                                   Tunnel
Lifetime                               3600 seconds
Direction                              Out
Position in SPD where policy added     End
Perfect forward secrecy                Disabled
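The default proposals above can be checked mechanically. The following added example (not part of the original guide or of Black Box software) parses the default proposal names that the CLI prints in the IPSec examples and reports parameters an auditor would flag today. The name layout is inferred from the two messages shown in this guide; the 2048-bit threshold, the finding texts and all function names are assumptions of this example.

```python
import re

# Diffie-Hellman group sizes as listed in the guide's Table 4.
DH_GROUP_BITS = {"g1": 768, "g2": 1024}
MIN_DH_BITS = 2048  # assumption: audit threshold chosen for this example

# Finding texts are this example's wording, not vendor text.
WEAK_ENCRYPTION = {
    "des": "56-bit key",
    "3des": "64-bit block size, legacy cipher",
}
WEAK_HASH = {"sha1": "deprecated hash function"}

# Layouts inferred from the messages in the guide:
#   priority1-des-sha1-pre_shared-g1   (IKE, phase 1)
#   priority1-esp-3des-sha1-tunnel     (IPSec, phase 2)
IKE_RE = re.compile(r"^priority(?P<priority>\d+)-(?P<enc>[a-z0-9]+)"
                    r"-(?P<hash>[a-z0-9]+)-(?P<auth>[a-z_]+)-(?P<group>g\d+)$")
IPSEC_RE = re.compile(r"^priority(?P<priority>\d+)-(?P<proto>esp)"
                      r"-(?P<enc>[a-z0-9]+)-(?P<hash>[a-z0-9]+)-(?P<mode>[a-z]+)$")
MESSAGE_RE = re.compile(r"Default proposal created with (priority[\w-]+)")

# Constructed sample: prompts and messages copied from the guide's examples.
SAMPLE_SESSION = """\
Black Box1/configure/crypto/ike/policy Black Box2 172.16.0.2> local-address 172.16.0.1
message: Default proposal created with priority1-des-sha1-pre_shared-g1.
Black Box1/configure/crypto/dynamic/ipsec/policy sales> match address 10.0.1.0 24
Default proposal created with priority1-esp-3des-sha1-tunnel and activated.
"""


def parse_proposal(name):
    """Split a proposal name into its fields; raise ValueError if unknown."""
    for kind, pattern in (("ike", IKE_RE), ("ipsec", IPSEC_RE)):
        match = pattern.match(name)
        if match:
            fields = match.groupdict()
            fields["kind"] = kind
            fields["priority"] = int(fields["priority"])
            return fields
    raise ValueError(f"unrecognised proposal name: {name!r}")


def audit_proposal(name, pfs_enabled=None):
    """Return a list of (field, value, reason) findings for one proposal."""
    p = parse_proposal(name)
    findings = []
    if p["enc"] in WEAK_ENCRYPTION:
        findings.append(("encryption", p["enc"], WEAK_ENCRYPTION[p["enc"]]))
    if p["hash"] in WEAK_HASH:
        findings.append(("hash", p["hash"], WEAK_HASH[p["hash"]]))
    if p["kind"] == "ike":
        bits = DH_GROUP_BITS.get(p["group"])
        if bits is None:
            findings.append(("dh_group", p["group"], "group size not known to this script"))
        elif bits < MIN_DH_BITS:
            findings.append(("dh_group", p["group"],
                             f"{bits}-bit group is below {MIN_DH_BITS} bits"))
    if p["kind"] == "ipsec" and pfs_enabled is False:
        # Without PFS the phase 2 keys are derived from phase 1 keying material.
        findings.append(("pfs", "disabled", "no fresh Diffie-Hellman exchange per IPSec SA"))
    return findings


def audit_session(cli_text, pfs_enabled=None):
    """Audit every default-proposal message found in captured CLI output."""
    return {name: audit_proposal(name, pfs_enabled)
            for name in MESSAGE_RE.findall(cli_text)}


if __name__ == "__main__":
    # PFS is disabled by default according to the table above.
    for name, findings in audit_session(SAMPLE_SESSION, pfs_enabled=False).items():
        print(name)
        for field, value, reason in findings:
            print(f"  {field}={value}: {reason}")
```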
6 FORWARDING IP TRAFFIC

6.1 IP Multiplexing

IP Multiplexing is a method for the transparent forwarding of IP packets between LAN and WAN interfaces. LAN to WAN forwarding is accomplished through a Proxy ARP process. A Black Box system maps a unique MAC address to each WAN link, then responds with this MAC address when a device on the LAN broadcasts an ARP request for a remote device. These MAC addresses serve as “tags” for forwarding packets received on the LAN.
[Figure 13: Proxy ARP and Packet Forwarding. Diagram labels: Router 1 (e0: 200.1.1.4/29), Black Box 1 (e0: 200.1.1.3/29), wan, Black Box 2 (e0: 200.1.1.2/29), Router 2 (e0: 200.1.1.1/29)]

1 Router 1 broadcasts an ARP request for 200.1.1.1.
2 Black Box 1 recognizes that router 200.1.1.1 is reachable via its WAN interface, based on a configured IP route.
3 Black Box 1 Proxy ARPs, responding with the MAC address mapped to bundle WAN1.
6.1.4 Single Subnet

The emphasis in the single subnet approach is that all seven devices have interfaces in a single 28-bit subnet 192.1.1.0 / 28. The WAN addressing utilizes reserved address space.

Table 6 Single Subnet Addressing

POP Router      e0:     192.1.1.1/28
POP Black Box   e0:     192.1.1.2/28
                wan1:   10.1.1.1/30
                wan2:   10.1.1.5/30
                wan3:   10.1.1.9/30
Black Box 1     e0:     192.1.1.3/28
                wan1:   10.1.1.2/30
Router 1        e0:     192.1.1.4/28
Black Box 2     e0:     192.1.1.5/28
                wan1:   10.1.1.
6.1.6 Secondary Addressing – POP Only

Secondary addressing approaches rely on configuring the POP router with a secondary Ethernet address for each remote site. The POP-only approach uses secondary addresses at the POP while the remote router utilizes only a primary address.

Table 8 POP Only Secondary Addressing

POP Router      e0:     200.1.1.1/30 primary
                        199.1.1.1/29 secondary
                        199.1.1.9/29 secondary
                        199.1.1.
6.1.8 Secondary Addressing – 29 Bit

This approach utilizes a 29-bit subnet for each remote connection. Within each 29-bit subnet is the POP router secondary, the Black Box WAN addressing, and the remote router secondary.

POP Router      e0:     200.1.1.1/30 primary
                        199.1.1.1/29 secondary
                        199.1.1.9/29 secondary
                        199.1.1.17/29 secondary
POP Black Box   e0:     200.1.1.2/30
                wan1:   199.1.1.2/29
                wan2:   199.1.1.10/29
                wan3:   199.1.1.18/29
Black Box 1     e0:     201.1.1.2/30
                wan     199.1.1.3/29
Router 1        e0:     201.1.
7 IP MULTIPLEXING HDLC CONFIGURATIONS

7.1 Connecting a Black Box Router to a Router/CSU via HDLC

The following diagram details a single T1 connection between a Black Box and a remote router/CSU combination. Secondary IP addressing is used for IP multiplexing.

[Figure 15: IP Multiplexing Application. Diagram labels: 10.1.1.2/24, Router/T1 CSU, 10.1.1.3/24, T1, 192.5.75.1/24, Telco, CT3, LR1104A, Tasman 6300, 129.1.1.2/24, 192.5.75.0/24, Primary: 129.1.1.1/24, Secondary: 10.1.1.]
7.1.1 Configure the Black Box LR1104A at Site 2

Site2-LR1104A> configure term
Site2-LR1104A/configure> interface ethernet 0
Site2-LR1104A/configure/interface/ethernet> ip addr 129.1.1.2 255.255.255.
8 IP MULTIPLEXING PPP AND MLPPP CONFIGURATIONS

8.1 Configuring Multiple PPP and MLPPP Bundles

The following figure shows a Black Box LR1104A at the main site communicating with three remote sites. Site 1 utilizes a Black Box LR1114A communicating over a 4 x T1 WAN bundle. Site 2 utilizes a Black Box LR1114A communicating over a 2 x T1 WAN bundle. Site 3 utilizes a router/T1 CSU combination to communicate over a single T1.
[Figure 16: IP Multiplexing Application. Network diagram of the main site LR1104A and Sites 1 to 3. Bundles at the main site: To Site 1: 10.1.1.3/24: 4 x T1; To Site 2: 10.1.2.3/24: 2 x T1; To Site 3: 10.1.3.3/24: 1 x T1]
8.1.1 Configure the Black Box LR1104A at the Main Site

MainLR1104A/configure> interface ethernet 0
MainLR1104A/configure/interface/ethernet> ip addr 200.1.1.2 255.255.255.
9 CONFIGURING PPP, MLPPP, AND HDLC

9.1 Layer Two Configurations: PPP, MLPPP, and HDLC

Black Box systems may be configured for a variety of Layer 2 protocols. This document outlines High-level Data Link Control (HDLC), Point to Point Protocol (PPP), and Multilink PPP (MLPPP) configurations. Other Black Box documents outline Frame Relay and Multilink Frame Relay configuration. Black Box LR1104A systems are often used at POPs to aggregate data for WAN transmission.
9.1.1 MLPPP Configuration

9.1.1.1 Configure the Black Box LR1114A System at Site 1

Blackbox> configure term
Blackbox/configure> interface bundle ToMain
Blackbox/configure/interface/bundle> link t1 1-4

NOTE: MLPPP is not explicitly configured via the encapsulation command. Instead, multilink PPP is automatically invoked when a bundle with PPP encapsulation has two or more T1 links.
10 CONFIGURING FIREWALLS

10.1 Firewalls

Configuring firewalls allows administrators to adapt network protection policies to meet ever-changing hacker and intruder threats. Just as virus protection software requires updates to protect against the latest intrusion attacks, firewalls must be updated. In this release of Black Box software, administrators are able to filter traffic on specific ports, protect against Denial of Service attacks, enable IP packet reassembly, and so forth.
Blackbox/configure> system licenses vpn_plus_firewall
Enter Security Upgrade License key: 024f3bc296b4ea7265

10.2 Firewall Configuration Examples

10.2.1 Basic Firewall Configuration

Figure 18 illustrates the basic elements of a firewall. Refer to this illustration in the configuration example below.

[Figure 18: Basic Firewall Configuration. Diagram labels: www.yahoo.com Web server, Remote User, Internet, Forward PAT, Reverse NAT, CORP 10.2.1.0/24, DMZ 10.3.1.]
Blackbox/configure> interface ethernet 0
Configuring existing Ethernet interface
Blackbox/configure/interface/ethernet 0> ip address 10.2.1.1 24
Blackbox/configure/interface/ethernet 0> exit
Blackbox/configure> interface ethernet 1
Configuring existing Ethernet interface
Blackbox/configure/interface/ethernet 1> ip address 10.3.1.
Black Box LR11xx Series Router Configurations Guide Blackbox/configure> Blackbox/configure/firewall Blackbox/configure/firewall Blackbox/configure/firewall Blackbox/configure/firewall Blackbox/configure/firewall Blackbox/configure/firewall Blackbox/configure/firewall Blackbox/configure/firewall *.java Blackbox/configure/firewall Blackbox/configure/firewall 193.168.94.
Blackbox/configure> firewall dmz
Blackbox/configure/firewall dmz> object
Blackbox/configure/firewall dmz/object> ftp-filter putdeny deny put mkdir
Blackbox/configure/firewall dmz/object> nat-pool ftpsrvr static 10.3.1.100
Blackbox/configure/firewall dmz/object> exit
Blackbox/configure/firewall dmz> policy 100 in address any any 193.168.94.
Blackbox/configure> show configuration running
Please wait...
  qos
  exit qos
  vrrp_mode 0
  aaa
  exit aaa
  crypto trusted
exit ethernet
interface ethernet 1
  ip address 10.3.1.1 255.255.255.0
  ip multicast
    mode ospfrip2
  exit multicast
  mtu 4000
  icmp
  exit icmp
  qos
  exit qos
  vrrp_mode 0
  aaa
  exit aaa
  crypto trusted
exit ethernet
interface bundle wan
  link t1 1
  encapsulation ppp
  ip address 193.168.94.220 255.255.255.
  multicast
  exit multicast
  route 0.0.0.0 0.0.0.0 wan 1
exit ip
policy community_list
exit community_list
crypto
exit crypto
firewall global
exit firewall
firewall internet
  interface wan
  policy 1024 out self
  exit policy
exit firewall
firewall corp
  interface ethernet0
  object
    http-filter javadeny deny *.java
  exit object
  policy 1021 in deny
  exit policy
  policy 1022 out self
  exit policy
  policy 1023 in self
  exit policy
  policy 1024 out nat-ip 193.168.94.
10.2.1 Stopping DoS Attacks

The following commands show how to configure the firewall to defend against Denial of Service (DoS) attacks. Black Box provides protection against FTP bounce, ICMP error checks, IP sequence number checks, unaligned timestamps, MIME flooding, source routing checks, SYN flooding, and WIN nuke attacks.
10.2.
10.4.1 Dynamic NAT (many to many)

In the dynamic (many-to-many) NAT type, multiple source IP addresses in the corporate network are mapped to multiple NAT IP addresses (not necessarily of equal number). For a set of local IP addresses from 10.1.1.1 to 10.1.1.4 there will be a set of NAT IP addresses from 60.1.1.1 to 60.1.1.2. In the case of many-to-many NAT, only IP address translation takes place, i.e., if a packet travels from 10.1.1.1 to yahoo.
10.4.2 Static NAT (one to one)

[Figure 20: Static NAT. Diagram labels: 10.1.1.1, 10.1.1.2, 10.1.1.3, OPAL, INTERNET, 50.1.1.1-50.1.1.3]

In the static (one-to-one) NAT type, one NAT IP address is used for each IP address in the corporate network. For example, for the three IP addresses from 10.1.1.1 to 10.1.1.3, there is a set of three NAT IP addresses from 50.1.1.1 to 50.1.1.3.
10.4.3 Port Address Translation (Many to one)

[Figure 21: Mapping Multiple NAT Addresses to One Public IP Address. Diagram labels: 10.1.1.1, 10.1.1.2, 10.1.1.3, OPAL, INTERNET, 50.1.1.5]

NAT allows multiple IP addresses to be mapped to one address. There are two methods to configure Port Address Translation (PAT) on the Black Box gateway. In the first method, specify the IP address to the nat-ip parameter in the policy command.
Blackbox/configure> firewall corp
Blackbox/configure/firewall corp> object
Blackbox/configure/firewall corp/object> nat-pool addresspoolPat pat 50.1.1.5
Blackbox/configure/firewall corp/object> exit
Blackbox/configure/firewall corp> policy 2 out address 10.1.1.1 10.1.1.
11 MULTIPATH MULTICAST CONFIGURATIONS

11.1 Multipath Multicast

The multicast multipath feature allows load balancing on multicast traffic across equal cost paths. Equal cost multipath routing is useful when multiple equal cost routes to the same destination exist. These routes can be discovered and be used to provide load balancing among redundant paths. Commonly used methods for multipath forwarding are Round-Robin and Random.
11.
12 CONFIGURING NAT

12.1 Network Address Translation

Network Address Translation (RFC 1631) is commonly known as NAT. This application discusses NAT and provides a technical explanation and configuration examples.
Figure 22 illustrates dynamic and static NAT. The static translation between 192.168.1.6 and 100.1.1.6 automatically matches the port addresses, thus a request destined for 100.1.1.6 tcp port 25 is translated to 192.168.1.6 tcp port 25 and so on.

[Figure 22: Dynamic and Static NAT. Diagram labels: Internet, 100.1.1.1/29, 192.168.1.254/24, FTP, SMTP, HTTP Server 192.168.1.6/24, 10/100 BaseT Ethernet, Workstation 192.168.1.1/24, Workstation 192.168.1.2/24, Workstation 192.168.]
Figure 23 provides an example of static port mapping. TCP port 81 of the web server at private address 192.168.1.6 is mapped to the same TCP port of the public address.

[Figure 23: Mapping Ports. Diagram labels: Internet, 100.1.1.1/29, 192.168.1.254/24, www server is running on TCP port 81, FTP, SMTP, HTTP Server 192.168.1.6/24, 10/100 BaseT Ethernet, Workstation 192.168.1.1/24, Workstation 192.168.1.2/24, Workstation 192.168.1.3/24, Workstation 192.168.1.5/24]

12.1.
[Figure 24: Reverse NAT. Diagram labels: Internet, 100.1.1.1/29, Ethernet 1 199.7.3.2/24, FTP, SMTP, HTTP Server 199.7.3.2/24, Ethernet 0 192.168.1.254/24, www server is running on TCP port 81, FTP, SMTP, HTTP Server 192.168.1.6/24, 10/100 BaseT Ethernet, Workstation 192.168.1.1/24, Workstation 192.168.1.2/24, Workstation 192.168.1.3/24, Workstation 192.168.1.5/24]

12.1.
13 NAT CONFIGURATION EXAMPLES

13.1 NAT Configurations

Network Address Translation (NAT) was defined to serve two purposes:

It allowed LAN administrators to create secure, private, non-routable IP networks behind firewalls.
It stretched the number of available IP addresses by allowing LANs to use one public (real) IP address as the gateway with a very large pool of NAT addresses behind it.
translation takes place, i.e., if a packet travels from 10.1.1.1 to yahoo.com, Black Box-Firewall only substitutes the source address in the IP header with one of the NAT IP addresses and the source port stays the same as the original. If traffic emanates from the same client to any other server, the same NAT IP address is assigned. The advantage is that the NAT IP addresses are utilized dynamically and more efficiently.
13.1.2 Static NAT (one to one)

Figure 26 Static NAT
Diagram labels: 10.1.1.1 OPAL INTERNET 10.1.1.2 50.1.1.1-50.1.1.3 10.1.1.3

In the static (one-to-one) NAT type, one NAT IP address is used for each IP address in the corporate network. For example, for the three IP addresses from 10.1.1.1 to 10.1.1.3, there is a set of three NAT IP addresses from 50.1.1.1 to 50.1.1.3. In case of one-to-one NAT, only IP address translation takes place, that is, if a packet travels from 10.1.1.1 to yahoo.
13.1.3 Port Address Translation (Many to one)

Figure 27 Mapping Multiple NAT Addresses to One Public IP Address
Diagram labels: 10.1.1.1 OPAL INTERNET 10.1.1.2 50.1.1.5 10.1.1.3

NAT allows multiple IP addresses to be mapped to one address. There are two methods to configure Port Address Translation (PAT) on the Black Box gateway. In the first method, specify the IP address to the nat-ip parameter in the policy command.
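Sections 13.1.2 and 13.1.3 as a small Python model, added here as an illustration and not Black Box code or CLI: a static one-to-one entry keeps the source port and also translates unsolicited inbound packets on every port, while PAT only translates inbound packets that match a port allocated by an earlier outbound flow. The class and function names, the PAT port range starting at 1024 and the remote host 203.0.113.10 are assumptions; firewall policies are not modelled.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address as IP
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: IP
    sport: int
    dst: IP
    dport: int


@dataclass
class NatGateway:
    """Translation only; firewall policies are deliberately not modelled."""
    static: Dict[IP, IP] = field(default_factory=dict)  # inside IP -> NAT IP
    pat_ip: Optional[IP] = None                         # shared address for PAT
    first_port: int = 1024                              # assumed start of PAT ports
    _out: Dict[Tuple[IP, int], int] = field(default_factory=dict)
    _in: Dict[int, Tuple[IP, int]] = field(default_factory=dict)

    def outbound(self, p: Packet) -> Packet:
        if p.src in self.static:
            # One-to-one: only the address is rewritten, the source port is kept.
            return Packet(self.static[p.src], p.sport, p.dst, p.dport)
        if self.pat_ip is None:
            return p
        key = (p.src, p.sport)
        if key not in self._out:
            # Many-to-one: each inside (address, port) gets its own NAT port.
            port = self.first_port + len(self._out)
            self._out[key], self._in[port] = port, key
        return Packet(self.pat_ip, self._out[key], p.dst, p.dport)

    def inbound(self, p: Packet) -> Optional[Packet]:
        for inside, nat in self.static.items():
            if p.dst == nat:
                # Static entries work in both directions, on every port.
                return Packet(p.src, p.sport, inside, p.dport)
        if p.dst == self.pat_ip and p.dport in self._in:
            inside, port = self._in[p.dport]
            return Packet(p.src, p.sport, inside, port)
        return None  # no mapping: the packet cannot be translated


def static_example() -> NatGateway:
    # Figure 26: 10.1.1.1-10.1.1.3 <-> 50.1.1.1-50.1.1.3
    return NatGateway(static={IP(f"10.1.1.{i}"): IP(f"50.1.1.{i}") for i in (1, 2, 3)})


def pat_example() -> NatGateway:
    # Figure 27: 10.1.1.1-10.1.1.3 share 50.1.1.5
    return NatGateway(pat_ip=IP("50.1.1.5"))


def unsolicited_exposure(gw, nat_ips, ports, remote=IP("203.0.113.10")):
    """(inside host, port) pairs reachable by a remote host nobody contacted."""
    reached = []
    for nat in nat_ips:
        for port in ports:
            hit = gw.inbound(Packet(remote, 50000, nat, port))
            if hit is not None:
                reached.append((str(hit.dst), hit.dport))
    return reached


if __name__ == "__main__":
    probes = [21, 25, 80]  # constructed probe ports
    print(unsolicited_exposure(static_example(), [IP("50.1.1.2")], probes))
    pat = pat_example()
    print(pat.outbound(Packet(IP("10.1.1.1"), 40000, IP("203.0.113.10"), 80)))
    print(unsolicited_exposure(pat, [IP("50.1.1.5")], probes))
```

For a static entry, the firewall policy is therefore the only control that limits which ports of the inside host are reachable from outside.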
14 REMOTE ACCESS VPNS

14.1 Secure Remote Access Using IPSec VPN

The corporate network no longer has a clearly defined perimeter inside secure buildings and locked equipment closets. Increasingly, companies need to provide remote access to their corporate resources for employees on the move. Traditionally, remote users could access the corporate LAN through dial-up and ISDN lines which were terminated in the corporate remote access servers.
14.2.2 Remote Access: Mode Configuration

The other method to achieve IPSec remote access in Black Box is the mode configuration method. This method makes the VPN client an extension of the LAN being accessed by the VPN client. The remote client appears as a network accessing some resource behind the VPN server.
Figure 28 User Group Remote Access Configuration
Diagram labels: IPSEC TUNNEL VPN Client 2 Local Outer Address: Dynamic Black Box #1 Tasman VPN Server 172.16.0.1 Local ID: blackbox.com admin@tasmannetworks.com

To create the user group configuration enter:

Blackbox>configure term
Blackbox/configure>interface bundle wan
Blackbox/configure/interface/bundle wan>link t1 1-2
Blackbox/configure/interface/bundle wan>ip address 172.16.0.
Blackbox/configure/interface/bundle
14.5 IPSec Remote Access Mode Configuration Group Method

The following example demonstrates how to configure a Black Box router to be an IPSec VPN server using the mode-configuration method. The client could be any standard mode-config-enabled IPSec VPN client. In this example, the client needs to access the corporate private network 10.0.1.0/24 through the VPN tunnel. The server has a pool of IP addresses from 20.1.1.100 through 20.1.1.
To configure the IKE policy for negotiating with VPN clients needing access to the corporate private network 10.0.1.0, enter:

Blackbox/configure>crypto corp
Blackbox/configure/crypto>dynamic
Blackbox/configure/crypto/dynamic>ike policy IDCsales modecfg-group
Blackbox/configure/crypto/dynamic/ike/policy IDCsales>modeconfig-group
Blackbox/configure/crypto/dynamic/ike/policy IDCsales>local-address 172.16.0.
15 NETWORKING WITH ROUTING INFORMATION PROTOCOL

15.1 Routing Information Protocol

15.1.1 Configuring RIP for Ethernet 0 and WAN 1 Interfaces

LR1114A> configure terminal
LR1114A/configure> router rip
LR1114A/configure/router rip> interface ethernet0
LR1114A/configure/router rip/interface ethernet0> exit
LR1114A/configure/router rip> interface wan1
LR1114A/configure/router rip> exit

15.1.
Figure 31 show ip rip interface all Command

> show ip rip interface all
RIP is configured for interface
Mode: RIP 2
Metric: 5
Authentication: None
Split Horizon: Poison
Routers : None
Interface state: Broadcast Multicast Active
16 CONFIGURING STATIC ROUTES

16.1 Static Routing Configuration

All Black Box systems support IP routing utilizing static routes. The following diagram shows a remote Black Box “A” connected over an MLPPP bundle to the main Black Box “B”. Black Box B in turn routes to the customer router.

Figure 32 IP Routing
Diagram labels: LR1114ATasman 1400 "B" Internet 200.1.1.1/24 E0 200.1.1.2/24 E0 10.1.1.2/30 2 x T1 MLPPP Bundle "WAN1" WAN 10.1.1.1/30 198.1.1.
16.1.1 Configure the Router at Site “A”

Blackbox> configure term
Blackbox/configure> interface ethernet 0
Blackbox/configure/interface/ethernet> ip addr 198.1.1.1 255.255.255.0
Blackbox/configure/interface/ethernet> exit
Blackbox/configure> interface bundle wan1
Blackbox/configure/interface/bundle> link t1 1-2
Blackbox/configure/interface/bundle> encap ppp
Blackbox/configure/interface/bundle> ip addr 10.1.1.1 255.255.
Blackbox/configure/interface/bundle>
17 CONFIGURING OPEN SHORTEST PATH FIRST ROUTING

17.1 OSPF Routing Protocol

The following example shows a Black Box LR1114A connected to a router over a single T1 link. IP addresses 10.10.10.0, 20.20.20.0, and 30.30.30.0 are assigned to area 760.

Figure 33 Configuring OSPF Between a Black Box LR1114A System and a Router
Diagram labels: 10.10.10.0/24 30.30.30.0/24 .1 .1 T1 PPP .1 .2 20.20.20.0/24 Router Tiara 1400 LR1114A Area 760

17.1.
17.1.4 Configuring ospf

LR1114A/configure> router routerid 10.10.10.1
LR1114A/configure> router ospf
LR1114A/configure/router/ospf> area 760
LR1114A/configure/router/ospf/area 760> exit

17.1.
18 CONFIGURING GENERIC ROUTING ENCAPSULATION

18.1 Configuring GRE

Generic Routing Encapsulation (GRE) is a standards-based (RFC1701, RFC2784) tunneling protocol that can encapsulate a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link between routers at remote points over an IP network. A tunnel is a logical interface that provides a way to encapsulate passenger packets inside a transport protocol.
Blackbox/configure> system licenses ?
NAME
licenses - Configure feature upgrade licenses
SYNTAX
licenses license_type
DESCRIPTION
license_type -- Specifies the type of feature upgrade license
The parameter may have any of the following values:
enable_1_port -- Enable 1 port
enable_2_ports-- Enable 2 ports
enable_3_ports-- Enable 3 ports
enable_4_ports-- Enable 4 ports
BGP4 -- BGP4 routing
vpn_mgmt -- Enable VPN Mgmt License
firewall -- Enable Firewal
Figure 36 Fig 2 Simple GRE configuration
Diagram labels: 40.1.1.0 10.3.1.0 192.168.94.220 192.168.55.75

18.3.1 Configuring Site to Site Tunnel

To configure GRE in a site to site tunnel configuration:

Step 1: Configure the interface.

Blackbox> configure terminal
Blackbox/configure> interface bundle wan1
Blackbox/configure/interface/bundle wan1> Blackbox/configure/interface/bundle wan1> Blackbox/configure/interface/bundle wan1> 255.255.255.
NOTE The peer of a local WAN interface cannot be used as a tunnel destination.

Step 4: Verify that the tunnel is up and running. (If it is not, check the Gateway and Source Address fields.)

Blackbox> show ip interface t0
t0 (unit number 5)
Type: TUNNEL
Flags: (0x74243) UP, RUNNING, MULTICAST-ROUTE
Internet Address: 103.1.1.2
Internet Netmask: 255.255.255.0
Internet Broadcast: 103.1.1.255
Maximum Transfer Unit: 1476 bytes
Source Address: 192.168.94.
Step 5: Configure the Cisco side:

cisco > config t
cisco(config)#interface Ethernet2/0
cisco(config-if)#ip address 192.168.55.75 255.255.255.0
cisco(config-if)#exit
cisco(config)#interface Tunnel 0
cisco(config-if)#ip address 103.1.1.1 255.255.255.0
cisco(config-if)#tunnel source 192.168.55.75
cisco(config-if)#tunnel destination 192.168.94.220
cisco(config-if)#exit
cisco(config)#ip route 0.0.0.0 0.0.0.0 192.168.55.254
cisco(config)#ip route 10.3.1.0 255.255.255.
Blackbox/configure> firewall internet
Blackbox/configure/firewall internet> policy 100 in proto gre self
Blackbox/configure/firewall internet/policy 100 in> exit
Blackbox/configure/firewall internet> policy 101 in service ike self
Blackbox/configure/firewall internet/policy 101 in> exit
2 Black Box configure> firewall corp
Blackbox/configure/firewall corp> policy 100 in self

Step 5: Check the status of the tunnel by entering:

Blackbox> show ip interfac
19 CONFIGURING OSPF AND FRAME RELAY

19.1 OSPF - Frame Relay

The following example shows OSPF running between a Black Box LR1112A and a router over a serial T1 link with back-to-back Frame Relay.

Figure 37 OSPF Over a Single T1 with Frame Relay
Diagram labels: .1 10.10.10.0/24 10 x T1 MLPPP .1 Tasman 6300 LR1104A 20.20.20.0/24 .1 .2 Router Area 760 30.30.30.
19.1.1 Configuring the host name

LR1112A> configure terminal
LR1112A/configure> hostname LR1112A

19.1.2 Configuring interface ethernet 0

LR1112A/configure> interface ethernet 0
LR1112A/configure/interface/ethernet0> ip address 10.10.10.1 24
LR1112A/configure/interface/ethernet0> exit

19.1.
20 CONFIGURING PROTOCOL INDEPENDENT MULTICASTING ROUTING

20.1 PIM Configuration

Protocol Independent Multicast (PIM) protocols route multicast packets to multicast groups. PIM is protocol independent because it can leverage whichever unicast routing protocol is used to populate the unicast routing table. There are two modes of the PIM protocol: Dense mode (DM) and Sparse mode (SM). Black Box supports SM only.
Configure MRT Stale Multiplier
Blackbox/configure/ip/pim>mrt-stale-mult

Configure MRT SPT Multiplier
Blackbox/configure/ip/pim>mrt-spt-multiplier

Configure Probe Period
Blackbox/configure/ip/pim>probe-period
Configure PIM interface assert holdtime
Blackbox/configure/ip/pim/interface wan1>assert-holdtime

Configure PIM interface hello holdtime
Blackbox/configure/ip/pim/interface wan1>hello-holdtime

Configure PIM interface hello interval
Blackbox/configure/ip/pim/interface wan1>hello-interval

Configure PIM interface Join/Prune Delay Timeout
Blackbox/configure/ip/pim/interface wan1>join-prune-timeout

Configure PIM interface Join/Prune Interval
Blackbox/configu
20.1.2 PIM Configuration Examples

This section shows examples of how the PIM commands are used. To access PIM mode, enter:

Blackbox/configure/ip> pim
Blackbox/configure/ip/pim>

The following example enters the BSR mode.

Blackbox/configure/ip/pim> cbsr
Blackbox/configure/ip/pim/cbsr>

The following command sets Ethernet1 as the BSR interface.

Blackbox/configure/ip/pim/cbsr> interface ethernet1

The following example sets the holdtime to 33 seconds.
To configure the threshold-dr option such that the data from S addressed to G must exceed an average of 1500 KBytes per second before an SPT switch is initiated. If this router is a DR for the pair (S,G), then the same data must exceed an average of 1500 KBytes per second before an SPT switch is initiated. The period over which the average will be calculated will be the mrt-period times the mrt-spt-mult, or 60 seconds.
To display information for all interfaces, enter:

Blackbox/configure> display ip pim interface all

To see all IP PIM interface information for Ethernet1, enter:

Blackbox/configure/ip/pim/interface ethernet1>

To display IP PIM statistics for ethernet1, enter:

Blackbox/configure/ip/pim/interface ethernet1>
PIM Statistics:
Total PIM msgs recvd 0 (0
Recvd msgs too short 0
Recvd msgs bad checksum 0
Recvd msgsg bad version 0
Recvd register msgs 0 (0
Recvd regi
Blackbox/configure> display ip pim timers
PIM Timers:
Hello Interval: 145
Hello Hold Time: 60
Hello Priority: 15
Join/Prune Interval: 300
Join/Prune Hold Time: 30
Assert Hold Time: 200
Probe Period: 15
Register Suppress Timeout: 90
MRT Interval: 15
MRT SPT Multiplier : 10
MRT Stale Multiplier: 5
Blackbox/configure>

To examine PIM BSR statistics, enter:

Blackbox/configure/ip/pim> display ip pim bsr-info
Candidate BSR Information
----------------------
Candidate BSR Status: Disabled
Candida
21 MTRACE CONFIGURATION

21.1 Multicast Traceroute Facility

With multicast distribution trees, tracing from a source to a multicast destination is difficult, since the branch of the multicast tree on which the destination lies is unknown. The technique used by the traceroute tool to trace unicast network paths will not work for IP multicast because traceroute (ICMP) responses are specifically forbidden for multicast traffic.
By default, maximum hops is set to 32 and TTL is set to 127 in all mtrace packets.

For mtrace to work:
- IGMP must be enabled in the router
- IGMP should be enabled on at least one interface.

21.1.2 mtrace Example

Traceroute using mtrace from 192.168.0.0 to 192.168.2.22 through group 225.254.254.254

Blackbox> mtrace 192.168.0.0 192.168.2.22 239.254.254.254
mtrace from 192.168.2.0 to 192.168.2.22 through group 225.254.254.254
Querying full reverse path...
22 CONFIGURING QUALITY OF SERVICE ROUTING

22.1 Configuring QoS

Black Box QoS ensures bandwidth guarantees throughout the system by implementing Random Early Detection (RED) to address congestion and Class Based Queuing (CBQ) to address traffic policing. This document discusses the CBQ features. Black Box’s bandwidth management capability allows multiple agencies or customers to share access bandwidth on a WAN link in a controlled fashion to effectively and efficiently utilize available bandwidth.
22.1.2 Definitions

Committed Rate

Each traffic class can be assigned a CR parameter in Kbps. This is the amount of bandwidth that the class or flow is guaranteed at all times, even during congestion. The sum of the CRs for all classes in a given direction cannot exceed the access bandwidth of their parent class.
Configuration for the example in Figure 38:

22.1.3.1 Create bundle AppTest

LR1104A/configure> interface bundle AppTest
LR1104A/configure/interface/bundle AppTest> link ct3 1 18-19
LR1104A/configure/interface/bundle AppTest> encap ppp
LR1104A/configure/interface/bundle AppTest> ip addr 199.1.1.1 255.255.255.252

22.1.3.
Figure 39 Assigning VLAN Identifiers
Diagram labels: Interface Bundle VLANTest, 4 x T1, Bandwidth = 6144 Kbps. Traffic Classes:
JonesInc: VLAN ID = 24, CR = 3072 Kbps, BR = 6144 Kbps
SmithInc: VLAN ID = 25-29, CR = 2048 Kbps, BR = 6144 Kbps
Default: VLAN ID = default, CR = 1024 Kbps, BR = 2048 Kbps

Configuration for Figure 39:

22.1.4.
22.1.5.1 Configuring bulk statistics

LR1104A/configure/.../qos> bulk_stats_ftp
Primary FTP server: 10.1.3.1
Secondary FTP server: 10.1.18.1
FTP user name: bjones
FTP password: xxxxxxxx
LR1104A/configure/.../qos> bulk_statistics sample_interval 5 upload_interval 1
LR1104A/configure/...
23 VIRTUAL LAN TAGGING

23.1 Managing Traffic with VLAN Tagging

Figure 41 Aggregation Using VLAN Tagging
Diagram labels: Aggregation /IP Services Router Baltimore To Internet POP Router T1 Local Loop Reston VA CT3 DC NxT1 Tasman 6300 LR1104A Tasman 1400 LR1114A

The illustration above shows two customers connected to an aggregation/IP services router using a Black Box LR1104A. All packets coming into the Black Box LR1104A on the single T1 bundle are tagged with VLAN ID 5.
In this example application, the POP router is configured with the following three sub-interfaces:
205.1.1.1
205.1.1.5
10.1.1.5

23.1.1 Reston configuration: Black Box LR1104A

LR1104A/configure> hostname reston
reston/configure> no ftp_server
reston/configure> no autoconf

23.1.1.
23.1.1.5 Configure ip routing

reston/configure> ip
reston/configure/ip> route 205.1.1.0 255.255.255.0 ethernet0 1
reston/configure/ip> route 0.0.0.0 0.0.0.0 10.1.1.5 1
reston/configure/ip> exit
# The above route summarizes the customer access subnets.

23.1.2 DC configuration: Black Box LR1114A

Blackbox> configure terminal
Blackbox/configure> hostname dc1
dc1/configure>

23.1.2.
24 MANAGING REDUNDANT CONNECTIONS

24.1 Trunk Group/Failover

Redundant connections are often required between Black Box systems and the switches to which they connect. The following diagram illustrates Ethernet redundancy between a Black Box LR1114A and a Layer 3 switch using failover on the Black Box and a trunk group configuration on the switch.

Figure 42 Trunk Group/Failover Configuration
Diagram labels: Tasman 1400 E1: 199.1.1.1/30 E2: 199.1.1.5/30 WAN: 200.1.1.
The Black Box LR1114A is connected to a router via a bundle “WAN” (T1 PPP bundle) in IPMux mode. To manage the Black Box LR1114A from the switch during normal mode, ping, telnet, or snmp to the Ethernet 0 IP address; during failover mode, ping, telnet, or snmp to the Ethernet 1 IP address.

24.1.1.
25 WAN INTERFACE CONFIGURATIONS

25.1 T1 Interface Configuration

Black Box systems are available with T1 WAN interfaces. Consult the Black Box System Installation Guide for details on WAN interface types, cabling, and pinouts. This document outlines the configuration of module parameters (Layer 1) and, to a lesser degree, the configuration of bundle parameters (Layer 2). The bundle configuration examples demonstrate linking of physical interfaces (modules) to logical interfaces (bundles).
Configure a Fractional T1 HDLC Bundle

Blackbox/configure> interface bundle demo1
Blackbox/configure/interface/bundle> link t1 3:1-3,8-10
Blackbox/configure/interface/bundle> encap hdlc
Blackbox/configure/interface/bundle> ip addr 10.1.1.1 255.255.255.252
Blackbox/configure/interface/bundle> exit

27.1.3 T1

The following example creates a 1536 Kbps T1 bundle utilizing T1 number 4. This bundle uses IP unnumbered.
26 VIRTUAL LAN FORWARDING

26.1 Managing VLAN Traffic

Figure 43 VLAN Forwarding: Multi-Tenant Internet Access
Diagram labels: Untagged Customer LANs LR1104A Tasman 6300 Ethernet Switch Channelized T3 Gigabit Ethernet Ethernet Switch Telco Internet Tagged VLAN Trunk POP Router LR1114ATasman 1400 Multi-Tenant Building

The example above shows each multi-tenant customer represented as a separate VLAN on the Ethernet switch.
packet will be forwarded to the IP layer for local processing. If the address does not match the address of the Black Box system, the packet will be forwarded to all interfaces configured for the management VLAN with the exception of the interface where it was received. This allows all transmission equipment to be managed in a single, flat VLAN.
26.1.1 POP configuration: Black Box LR1104A

LR1104A/configure> hostname POP-LR1104A
POP-LR1104A/configure> no ftp_server
POP-LR1104A/configure> no autoconf

26.1.1.
26.1.2.1 Configure interface bundle uplink

bldg1-LR1114A/configure> interface bundle uplink
bldg1-LR1114A/configure/interface/bundle uplink> link t1 1-4
bldg1-LR1114A/configure/interface/bundle uplink> encapsulation ppp
bldg1-LR1114A/configure/interface/bundle uplink> ip unnumbered ethernet0
bldg1-LR1114A/configure/interface/bundle uplink> exit

26.1.2.
27 MULTILINK FRAME RELAY

27.1 Multilink Frame Relay FRF.15 and FRF.16

Multilink Frame Relay (MFR) is actually composed of two standards: FRF.15 and FRF.16. The latter is more common and defines UNI/NNI interfaces for implementing MFR. FRF.16 is used for multiplexing dedicated T1s in the local loop and requires compatible equipment at the carrier POP. FRF.15, or DTE-to-DTE MFR, is used for multiplexing frame relay T1s between end points without impacting POP equipment. As a result, FRF.
each end if necessary. The frame switches are configured for DLCIs 101, 102, and 103 on the respective T1s. In this example, the Black Box LR1114A configurations are almost identical. The primary difference is the IP address assigned to the AVC. The configuration for the left LR1114A is shown below.

27.1.1.1 # Configure Ethernet interface

Blackbox/configure> interface ethernet 0
Blackbox/configure/ethernet0> ip addr 192.168.1.1 255.255.255.
28 CONFIGURING FRAME RELAY AND MULTILINK FRAME RELAY

28.1 Layer Two Configurations FR and MFR

Figure 45 outlines a Multilink Frame Relay (MFR) configuration with three sites. PVC 16 connects Site 1 to Site 3, while PVC 31 connects Site 2 to Site 3. The Frame Relay switching equipment is represented simply as a Frame cloud.
Figure 46 MFR Configuration Detail
Diagram labels: SITE 1 LR1114A Tasman 1450 DTE HSSI DCE PVC 16 NNI Router 4 x T1 PVC 16 Tasman 7030 Router NNI NNI NNI PVC 16 PVC 31 DCE 100 Base-T DS3 Frame Switch Router 2 x T1 SITE 3 PVC 31 100 Base-T DTE SITE 2 Tasman 1400 LR1114A Frame Cloud

28.1.
28.1.1.
A LR1104A LR1114A at Site 2 serves as the Frame Relay termination point, connecting the Site 2 IP network to the LR1104A. This MFR bundle utilizes 2 T1 links for an approximate 3 Mbps bandwidth. Since it is the Frame Relay terminating point and is defined as a DTE frame relay interface, an IP address is assigned to the WAN bundle.

28.1.2.
© Copyright 2004. Black Box Corporation. All rights reserved.