May 2004
LR1102A-T1/E1
LR1104A-T1/E1
LR1112A-T1/E1
LR1114A-T1/E1
Black Box LR11xx Series Router Configurations
CUSTOMER SUPPORT INFORMATION
Order toll-free in the U.S. 24 hours, 7 A.M. Monday to midnight Friday: 877-877-BBOX
FREE technical support, 24 hours a day, 7 days a week: Call 724-746-5500 or fax 724-746-0746
Mail order: Black Box Corporation, 1000 Park Drive, Lawrence, PA 15055-1018
Web site: www.blackbox.com • E-mail: info@blackbox.com
Black Box LR11xx Series Router Configurations Guide
FEDERAL COMMUNICATIONS COMMISSION AND CANADIAN DEPARTMENT OF COMMUNICATIONS
RADIO FREQUENCY INTERFERENCE STATEMENTS
This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used properly, that is, in strict accordance with the manufacturer’s instructions, may cause interference to radio communication. It has been tested and found to comply with the limits for a Class A computing device in accordance with the specifications in Subpart B of Part 15 of FCC rules, which are designed to provide reasonable protection against such interference when the equipment is operated in a commercial environment. Operation of this equipment in a residential area is likely to cause interference, in which case the user at his own expense will be required to take whatever measures may be necessary to correct the interference.
Changes or modifications not expressly approved by the party responsible for compliance could void the user’s authority to operate the equipment.
This digital apparatus does not exceed the Class A limits for radio noise emission from digital apparatus set out in the Radio Interference Regulation of the Canadian Department of Communications.
This digital apparatus does not emit radio noise exceeding the Class A limits for digital apparatus prescribed in the Radio Interference Regulations published by the Department of Communications of Canada.
Normas Oficiales Mexicanas (NOM)
Electrical Safety Statement
SAFETY INSTRUCTIONS
1. All safety and operating instructions should be read before the electrical appliance is operated.
2. The safety and operating instructions should be kept for future reference.
3. All warnings on the electrical appliance and in its operating instructions should be heeded.
4. All operating and usage instructions should be followed.
5. The electrical appliance should not be used near water; for example, near a bathtub, washbasin, wet basement, or near a swimming pool, etc.
6. The electrical appliance should be used only with carts or stands recommended by the manufacturer.
7. The electrical appliance should be mounted on a wall or ceiling only as recommended by the manufacturer.
8. Servicing: the user should not attempt to service the electrical equipment beyond what is described in the operating instructions. All other servicing should be referred to qualified service personnel.
9. The electrical appliance should be placed so that its position does not interfere with its use. Placing the electrical appliance on a bed, sofa, rug, or similar surface may block ventilation; it should not be placed in a bookcase or cabinet that impedes the flow of air through the ventilation openings.
10. The electrical equipment should be placed away from heat sources such as radiators, heat registers, stoves, or other appliances (including amplifiers) that produce heat.
11. The electrical appliance should be connected to a power source only of the type described in the operating instructions or as marked on the appliance.
12. Care should be taken so that the grounding and polarization of the equipment are not defeated.
13. Power-supply cords should be routed so that they are not walked on or pinched by objects placed on or against them, paying particular attention to plugs and receptacles where they exit the appliance.
14. The electrical equipment should be cleaned only as recommended by the manufacturer.
15. If present, an external antenna should be located away from power lines.
16. The power cord should be unplugged when the equipment is not used for a long period of time.
17. Care should be taken so that liquids are not spilled onto the cover or ventilation openings.
18. Servicing by qualified personnel should be provided when:
A: The power cord or plug has been damaged; or
B: Objects have fallen or liquid has been spilled into the appliance; or
C: The appliance has been exposed to rain; or
D: The appliance does not appear to operate normally or shows a change in performance; or
E: The appliance has been dropped or its cover has been damaged.
1 DHCP Relay
1.1 DHCP Relay
This application describes the functionality of the DHCP relay feature and includes CLI command examples.
1.1.1 Feature Overview
The Black Box DHCP relay feature eliminates the need for a DHCP server on every LAN, because DHCP requests can be relayed to a single remote DHCP server. Black Box’s implementation of DHCP relay is based on RFC 1532. BOOTP/DHCP messages are relayed (rather than forwarded) between the server and client.
Figure 1 DHCP Relay Overview (figure: several LANs, each behind a Tasman 1400 DHCP relay agent (LR1114A), connected across a WAN to a Tasman 6300 (LR1104A) that hosts the DHCP server)
1.1.2 Functionality
The DHCP relay feature uses BOOTP requests and replies to negotiate packet delivery between the DHCP client and server.
1.1.2.1 BOOTP Requests
BOOTP requests are messages from client to server. Request messages include DHCP DISCOVER, DHCP REQUEST,
DHCP RELEASE, etc. The relay agent modifies the packet header by adding relay information to the DHCP gateway address
(giaddr) field. The server replies to the gateway address specified in the packet’s giaddr field.
Figure 2 BOOTP Requests (figure: the DHCP client broadcasts a BOOTREQUEST on the LAN; the Tasman 1400 DHCP relay agent unicasts it to the DHCP server)
1.1.2.2 BOOTP Replies
BOOTP replies are messages from the server to the client. Reply messages include DHCP OFFER, DHCP ACK, DHCP
NAK, etc. The relay agent looks up the MAC address and either sends the packet to the client or broadcasts it on the
LAN.
Figure 3 BOOTP Replies (figure: the DHCP server unicasts a BOOTREPLY to the Tasman 1400 DHCP relay agent, which unicasts or broadcasts it to the DHCP client)
1.1.3 Using DHCP Relay with NAT
When NAT is enabled, the DHCP server may discard packets because the giaddr does not match the source of the packet. Additionally, it may not know how to route the packet back to the client. See Figure 4. The solution is that the gateway address (giaddr) field needs to carry the IP address 192.168.20.1 (in this example). The DHCP server configuration should be able to give 10.1.1.x addresses for packets from 192.168.20.1. However, there may be a limitation that the DHCP server does not allow configuration using IP addresses from a different subnet, although this is mentioned in the RFC.
Figure 4 A Typical Scenario (figure: DHCP clients on the private 10.1.1.x network behind a Tasman 1400 DHCP relay agent at 192.168.20.1, Network Address Translation between the private and public sides, and a router on the public side leading to the DHCP server)
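The relay-agent decisions described in 1.1.2 and the giaddr check behind the NAT problem in 1.1.3, modelled as an added Python example that is not Black Box code. The BOOTP header layout is the protocol's; the relay's LAN address 192.168.120.1, the server 10.1.1.1, the client MAC and the strict server check are constructed for illustration.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

# Constructed model of the relay-agent decisions described above; not the router's code.
BOOTREQUEST, BOOTREPLY = 1, 2
BROADCAST_FLAG = 0x8000     # client asks that the reply be broadcast
MAX_HOPS = 16               # RFC 1542: a request whose hops field exceeds 16 is discarded
# op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr chaddr (44 bytes)
HDR = struct.Struct("!BBBBIHH4s4s4s4s16s")


@dataclass
class Bootp:
    op: int
    htype: int
    hlen: int
    hops: int
    xid: int
    secs: int
    flags: int
    ciaddr: IPv4Address
    yiaddr: IPv4Address
    siaddr: IPv4Address
    giaddr: IPv4Address
    chaddr: bytes       # client hardware (MAC) address, hlen bytes
    rest: bytes         # sname, file and DHCP options, carried through unchanged


def parse(pkt: bytes) -> Bootp:
    f = HDR.unpack_from(pkt)
    return Bootp(*f[:7], IPv4Address(f[7]), IPv4Address(f[8]), IPv4Address(f[9]),
                 IPv4Address(f[10]), f[11][:f[2]], pkt[HDR.size:])


def build(b: Bootp) -> bytes:
    return HDR.pack(b.op, b.htype, b.hlen, b.hops, b.xid, b.secs, b.flags,
                    b.ciaddr.packed, b.yiaddr.packed, b.siaddr.packed, b.giaddr.packed,
                    b.chaddr.ljust(16, b"\0")) + b.rest


def make_discover(xid: int, mac: bytes, broadcast: bool = False) -> bytes:
    """Constructed client DHCPDISCOVER: every address field zero, giaddr zero (not yet relayed)."""
    zero = IPv4Address(0)
    return build(Bootp(BOOTREQUEST, 1, 6, 0, xid, 0, BROADCAST_FLAG if broadcast else 0,
                       zero, zero, zero, zero, mac, b""))


def make_offer(request: bytes, yiaddr: str) -> bytes:
    """Constructed server DHCPOFFER: echoes the request's xid, flags, chaddr and giaddr."""
    b = parse(request)
    b.op, b.hops, b.yiaddr = BOOTREPLY, 0, IPv4Address(yiaddr)
    return build(b)


class RelayAgent:
    def __init__(self, lan_ip: str, server_ip: str, lan_macs):
        self.lan_ip = IPv4Address(lan_ip)         # interface address written into giaddr
        self.server_ip = IPv4Address(server_ip)   # the one DHCP server allowed per interface
        self.lan_macs = set(lan_macs)             # MACs known on the LAN (constructed table)

    def relay_request(self, pkt: bytes):
        """Client -> server: stamp giaddr on the first hop, count the hop, unicast to the server.
        Returns (destination IP, packet) or None when the packet must be dropped."""
        b = parse(pkt)
        if b.op != BOOTREQUEST or b.hops > MAX_HOPS:
            return None
        b.hops += 1
        if int(b.giaddr) == 0:
            b.giaddr = self.lan_ip     # the server replies to this address
        return str(self.server_ip), build(b)

    def relay_reply(self, pkt: bytes):
        """Server -> client: accept only replies addressed to our giaddr, then unicast or broadcast."""
        b = parse(pkt)
        if b.op != BOOTREPLY or b.giaddr != self.lan_ip:
            return None
        if int(b.ciaddr) != 0:
            return str(b.ciaddr), build(b)            # client already holds an address
        if b.flags & BROADCAST_FLAG or b.chaddr not in self.lan_macs:
            return "255.255.255.255", build(b)        # cannot deliver to the client's MAC directly
        return str(b.yiaddr), build(b)                # unicast to the offered address at that MAC


def server_accepts(src_ip: str, pkt: bytes) -> bool:
    """The strict server behaviour from the NAT section: a relayed request is accepted only when
    the packet's IP source equals giaddr, because the reply is sent back to giaddr."""
    b = parse(pkt)
    return int(b.giaddr) != 0 and IPv4Address(src_ip) == b.giaddr
```

With NAT between the relay and the server, the request arrives from the translated address, so `server_accepts` fails exactly as 1.1.3 describes.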
1.1.4 Command Line Interface
The following are examples of command strings relevant to DHCP relay:
The following screen captures show the displayed results of issuing show commands relevant to DHCP relay, with and without gateway addresses configured.
Figure 5 show dhcp_relay Command
> show dhcp_relay
DHCP RELAY CONFIGURATION
--------------------------
Ethernet 0: Disabled
Ethernet 1: Enabled: DHCP Server 10.1.1.1
Figure 7 Displaying Ethernet Interface Statistics
> show interface ethernet 1
ethernet 1
ipaddr 192.168.120.1
netmask 255.255.255.0
description status down, operationally down
configured auto
speed mode actual
speed 100
mode half_duplex
mtu 1500
ethernet1 (unit number 1)
Type: ETHERNET (802.3)
Flags: (0x807c203) UP, MULTICAST-ROUTE
Internet Address: 192.168.120.1
Internet Netmask: 255.255.255.0
Internet Broadcast: 192.168.120.255
Maximum Transfer Unit: 1500 bytes
Mac Address: 00:00:23:00:60:01
port counters since last boot/clear
Bytes Rx 0 Bytes Tx 0
Packets Rx 0 Packets Tx 0
Runts Rx 0 Collisions 0
Babbels Rx 0 Late Collisions 0
Err Packets Rx 0 Up/Down States (Phys) 0
Up/Down States (Admin) 2
port counters for the last five minutes
Bytes Rx 0 Bytes Tx 0
Packets Rx 0 Packets Tx 0
Runts Rx 0 Collisions 0
Babbels Rx 0 Late Collisions 0
1.1.7 DHCP Limitations
There are limitations when using DHCP relay on a Black Box system. Only one DHCP server can be specified per interface. DHCP relay can be enabled only on Ethernet interfaces (not on bundles). Finally, DHCP relay can be enabled in IP routing (static and dynamic) mode, but not in IP Mux mode.
2 Configuring Internet Group Management Protocol
2.1 IGMP Configuration
Internet Group Management Protocol (IGMP) is enabled on hosts and routers that want to receive multicast traffic. IGMP informs locally attached routers of their multicast group memberships. Hosts inform routers of the groups of which they are members by multicasting IGMP Group Membership Reports. When multicast routers listen for these reports, they can exchange group membership information with other multicast routers. This reporting system allows distribution trees to be formed to deliver multicast datagrams. The original version of IGMP was defined in RFC 1112, Host Extensions for IP Multicasting. Extensions to IGMP are known as IGMP version 2.
IGMPv2 improves performance and supports the following message types:
IGMP Query: IGMP Query is sent by the router to know which groups have members on the attached network.
IGMP Reports: IGMP reports are sent as a response to the query by hosts to announce their group membership.
Reports can be sent “unsolicited” when the hosts come up.
IGMP Leaves: IGMP Leaves are sent by the host when it relinquishes membership of a group.
The latest extension to the IGMP standard is version 3, which includes interoperability with version 2 and version 1 hosts and also provides support for source filtering. Source filtering enables a multicast receiver host to signal to a router which groups it wants to receive multicast traffic from, and from which source(s) this traffic is expected. This membership information enables the router to forward traffic only from those sources from which receivers requested the traffic.
IGMPv3 supports applications that explicitly signal sources from which they want to receive traffic. With IGMPv3, receivers signal membership to a multicast host group in the following two modes:
INCLUDE mode: In this mode, the receiver announces membership to a host group and provides a list of IP addresses (the INCLUDE list) from which it wants to receive traffic.
EXCLUDE mode: In this mode, the receiver announces membership to a host group and provides a list of IP addresses (the EXCLUDE list) from which it does not want to receive traffic. This indicates that the host wants to receive traffic only from other sources whose IP addresses are not listed in the EXCLUDE list. To receive traffic from all sources, as in the case of the Internet Standard Multicast (ISM) service model, a host expresses EXCLUDE mode membership with an empty EXCLUDE list.
IGMPv3 is used by hosts to express their desire to be part of source-specific multicast (SSM), an emerging standard used by routers to direct multicast traffic to the host only if it is from a specific source.
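The INCLUDE and EXCLUDE semantics above, as an added Python example that is not Black Box code: it encodes and parses IGMPv3 group records, merges the records of several hosts on one interface into the router's per-group source filter, and decides per source whether traffic is forwarded. The group 239.1.1.1 and the source addresses are constructed; the merge rule for multiple members is the one from RFC 3376, which goes beyond what the text states.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

# Constructed example: IGMPv3 group records and the router's per-group source filter.
MODE_IS_INCLUDE, MODE_IS_EXCLUDE = 1, 2       # IGMPv3 group record types (RFC 3376)
MEMBERSHIP_REPORT_V3 = 0x22                   # IGMP type of a version 3 membership report


@dataclass(frozen=True)
class GroupRecord:
    group: IPv4Address
    mode: int                # MODE_IS_INCLUDE or MODE_IS_EXCLUDE
    sources: frozenset       # the INCLUDE list or the EXCLUDE list


def encode_record(rec: GroupRecord) -> bytes:
    """type(1) aux_len(1) nsrcs(2) group(4) sources(4 each); no auxiliary data."""
    return (bytes([rec.mode, 0]) + len(rec.sources).to_bytes(2, "big") + rec.group.packed
            + b"".join(s.packed for s in sorted(rec.sources)))


def encode_report(records) -> bytes:
    """Constructed IGMPv3 membership report; the checksum stays zero since nothing is sent."""
    return (bytes([MEMBERSHIP_REPORT_V3, 0, 0, 0, 0, 0]) + len(records).to_bytes(2, "big")
            + b"".join(encode_record(r) for r in records))


def parse_report(buf: bytes):
    """Walk the group records of a version 3 report, honouring each record's source count and
    auxiliary data length, and refuse a record that would run past the end of the buffer."""
    if buf[0] != MEMBERSHIP_REPORT_V3:
        raise ValueError("not an IGMPv3 membership report")
    nrec, off, records = int.from_bytes(buf[6:8], "big"), 8, []
    for _ in range(nrec):
        rtype, aux_len = buf[off], buf[off + 1]
        nsrcs = int.from_bytes(buf[off + 2:off + 4], "big")
        end = off + 8 + 4 * nsrcs + 4 * aux_len
        if end > len(buf):
            raise ValueError("group record runs past the end of the report")
        group = IPv4Address(buf[off + 4:off + 8])
        srcs = frozenset(IPv4Address(buf[off + 8 + 4 * i:off + 12 + 4 * i]) for i in range(nsrcs))
        records.append(GroupRecord(group, rtype, srcs))
        off = end
    return records


def host_wants(rec: GroupRecord, source: IPv4Address) -> bool:
    if rec.mode == MODE_IS_INCLUDE:
        return source in rec.sources
    return source not in rec.sources      # EXCLUDE with an empty list accepts every source (ISM)


def interface_state(records, group: IPv4Address) -> GroupRecord:
    """Merge the records of all hosts on one interface for one group (RFC 3376 section 3.2):
    all INCLUDE -> INCLUDE(union of the lists); any EXCLUDE -> EXCLUDE(intersection of the
    EXCLUDE lists minus the union of the INCLUDE lists). A source is forwarded if any member wants it."""
    recs = [r for r in records if r.group == group]
    incl = [r.sources for r in recs if r.mode == MODE_IS_INCLUDE]
    excl = [r.sources for r in recs if r.mode == MODE_IS_EXCLUDE]
    if not excl:
        return GroupRecord(group, MODE_IS_INCLUDE, frozenset().union(*incl))
    return GroupRecord(group, MODE_IS_EXCLUDE,
                       frozenset.intersection(*excl) - frozenset().union(*incl))


def forward(records, group: str, source: str) -> bool:
    """Router decision: does multicast from `source` to `group` leave this interface?"""
    return host_wants(interface_state(records, IPv4Address(group)), IPv4Address(source))
```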
2.1.1 IGMP Commands
The IGMP commands are:
ip igmp
ignore-v1-messages
ignore-v2-messages
last-member-query-count
last-member-query-interval
query-interval
query-response-interval
require-router-alert
robustness
send-router-alert
startup-query-count
startup-query-interval
group filter
version
debug ip igmp
debug ip igmp state
debug ip igmp normal
debug ip igmp packet query
debug ip igmp packet report
debug ip igmp packet leave
show ip igmp groups
show ip igmp interface
clear ip igmp groups
2.1.2 IGMP Configuration Examples
Use the examples shown in this section to use IGMP in multicast configurations.
2.1.2.1 Example 1
The following example enables IGMP.
Blackbox/configure> ip igmp
2.1.2.2 Example 2
With the command line still in Interface Configuration Mode, the following example disables IGMP.
Blackbox/configure> no ip igmp
2.1.2.3 Example 3
In the following example, the ignore-v1-messages command is used to disable processing of IGMPv1 messages on interface ethernet 0.
The following example configures the default Robustness to be 3 for interface ethernet 0.
Blackbox/configure/ip/igmp/interface ethernet0> ip igmp robustness 3
2.1.2.12 Example 12
The following example turns the send-router-alert option off for interface ethernet 1.
Blackbox/configure/ip/igmp/interface ethernet1> no send-router-alert
2.1.2.13 Example 13
The following example configures IGMP version 2 to run on interface ethernet 0.
Blackbox/configure/ip/igmp/interface ethernet0> version 2
Blackbox/configure/ip/igmp/interface ethernet0> exit 3
Blackbox/configure>
3 IP Traffic Filtering
3.1 IP Packet Filter Lists
Black Box systems can be configured for IP traffic filtering capabilities. IP traffic filtering allows creation of rule sets
that selectively block TCP/IP packets on a specified interface. Filters are applied independently to all interfaces:
Ethernet, serial, or WAN, as well as independently to interface direction: IN (packets coming in to the Black Box
system) or OUT (packets going out of the Black Box system).
IP packet filtering capability can be used to restrict access to the Black Box system from untrusted, external networks or
from specific, internal networks. An example would be a filter that prohibits external users from establishing Telnet
sessions to the Black Box system, and allows only specific internal users Telnet access to the system.
At the end of every rule list is an implied “deny all traffic” statement, so all packets not explicitly permitted by filtering rules are denied. This effectively means that once you enter a “deny” statement in your filter list, you are implicitly denying all packets from crossing the interface. Therefore, it is important that each filter list contain at least one “permit” statement.
The order in which you enter the filtering rules is important. As the Black Box system is evaluating each packet, the
Black Box OS tests the packet against each rule statement sequentially. After a match is found, no more rule
statements are checked. For example, if you create a rule statement that explicitly permits all traffic, all traffic is
passed since no further rules are checked.
The Black Box OS permits easy re-ordering of filter commands through filter_list insert and delete commands.
3.1.1 Example 1
Consider a Black Box connected via a bundle “WAN1” (wan IP address 200.1.1.1) to an ISP, with Ethernet 0 (IP
address 222.199.19.3) connected to the internal network. The network administrator wants to completely block Telnet
access to the Black Box from all external networks as well as from all internal networks except 222.199.19.0/28. All
other TCP/IP traffic, such as FTP, Ping, and HTTP, is to flow unrestricted through the Black Box system.
3.1.1.1 Configure the Black Box LR1104A
Blackbox> configure term
Blackbox/configure> ip
Blackbox/configure/ip> filter_list filtera (gives the list a name)
Blackbox/configure/ip/filter_list> add deny tcp any 200.1.1.1 dport =23
Blackbox/configure/ip/filter_list> add permit tcp 222.199.19.0/28 222.199.19.3 dport =23
Blackbox/configure/ip/filter_list> add deny tcp any 222.199.19.3 dport =23
Blackbox/configure/ip/filter_list> add permit ip any any
Blackbox/configure/ip/filter_list> exit
Blackbox/configure/ip> apply_filter ether0 filtera in
Blackbox/configure/ip> apply_filter WAN1 filtera in
Blackbox/configure/ip> exit
Blackbox/configure> exit
Blackbox> save local
3.1.2 Example 2
Consider the same network addressing as in example 1. The network administrator has a slightly different requirement: he wishes to permit FTP sessions from all networks to the internal FTP server (222.199.19.12), deny FTP sessions to all other addresses, and permit all other traffic to flow through the Black Box unit.
3.1.2.1 Configure the Black Box LR1104A
Blackbox> configure terminal
Blackbox/configure> ip
Blackbox/configure/ip> filter_list filterb (gives the list a name)
Blackbox/configure/ip/filter_list> add permit tcp any 222.199.19.12 dport =21
Blackbox/configure/ip/filter_list> add deny tcp any 222.199.19.0 dport =21
Blackbox/configure/ip/filter_list> add permit ip any any
Blackbox/configure/ip/filter_list> exit
Blackbox/configure/ip> apply_filter WAN1 filterb in
Blackbox/configure/ip> exit
Blackbox/configure> exit
Blackbox> save local
3.1.3 Example 3
Example 3 focuses on a filter list where the network administrator is specifically denying all traffic from a specific external network (197.100.200.0/24) access through the Black Box unit.
3.1.3.1 Configure the Black Box LR1104A
Blackbox> configure terminal
Blackbox/configure> ip
Blackbox/configure/ip> filter_list filterc (gives the list a name)
Blackbox/configure/ip/filter_list> add deny ip 197.100.200.0/24 any
Blackbox/configure/ip/filter_list> add permit ip any any
Blackbox/configure/ip/filter_list> exit
Blackbox/configure/ip> apply_filter WAN1 filterc in
Blackbox/configure/ip> exit
Blackbox/configure> exit
Blackbox> save local
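The first-match evaluation and implied deny described in 3.1, applied to the filtera rules from Example 1, as an added Python example that is not Black Box code. The rule syntax parsed is the one shown in the examples; treating a bare address as a single host, and the sample packet addresses used for checking, are assumptions of this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed evaluator for filter_list rules in the syntax used above; not the router's code.


@dataclass
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every protocol; otherwise "tcp", "udp", "icmp", ...
    src: object            # ip_network
    dst: object            # ip_network
    dport: Optional[int]   # None when the rule carries no "dport =N" clause


def _net(tok: str):
    if tok == "any":
        return ip_network("0.0.0.0/0")
    return ip_network(tok, strict=False)    # assumption: a bare address means that one host


def parse_rule(line: str) -> Rule:
    """'add permit tcp 222.199.19.0/28 222.199.19.3 dport =23' -> Rule; 'add' is optional."""
    toks = line.split()
    if toks and toks[0] == "add":
        toks = toks[1:]
    if len(toks) < 4 or toks[0] not in ("permit", "deny"):
        raise ValueError(f"bad rule: {line!r}")
    action, proto, src, dst = toks[:4]
    dport = None
    if len(toks) > 4:
        if toks[4] != "dport":
            raise ValueError(f"unsupported clause in rule: {line!r}")
        dport = int("".join(toks[5:]).lstrip("="))   # accepts "dport =23" and "dport = 23"
    return Rule(action, proto, _net(src), _net(dst), dport)


def filter_list(lines) -> list:
    return [parse_rule(line) for line in lines]


def matches(rule: Rule, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    return (rule.proto in ("ip", proto)
            and ip_address(src) in rule.src and ip_address(dst) in rule.dst
            and (rule.dport is None or rule.dport == dport))


def evaluate(rules, proto: str, src: str, dst: str, dport: Optional[int] = None):
    """The first matching rule decides and later rules are never consulted; when nothing
    matches, the implied "deny all traffic" at the end of the list applies.
    Returns (action, index of the deciding rule, or None for the implied deny)."""
    for i, rule in enumerate(rules):
        if matches(rule, proto, src, dst, dport):
            return rule.action, i
    return "deny", None


# filtera from Example 1, applied IN on ether0 and WAN1: Telnet to the router is blocked from
# everywhere except 222.199.19.0/28, and all other traffic flows.
FILTERA = filter_list([
    "add deny tcp any 200.1.1.1 dport =23",
    "add permit tcp 222.199.19.0/28 222.199.19.3 dport =23",
    "add deny tcp any 222.199.19.3 dport =23",
    "add permit ip any any",
])
```

Moving the final "permit ip any any" to the front of the list permits the Telnet sessions the three earlier rules were meant to stop, which is the ordering hazard 3.1 warns about.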
4 Configuring Security
4.1 IPSec Configurations
This guide provides information and examples on how to configure IPSec.
There are three licenses that control access to the features:
Basic VPN Management (vpn_mgmt)—allows users to manage a remote Black Box router.
Firewall (firewall)—allows users to manage the firewall features. Also includes Basic VPN Management.
Advanced VPN and firewall (vpn_plus_firewall)—Allows users to manage remote LANs. Also includes Basic VPN and Firewall licenses.
To see the licenses available in this release, enter:
Blackbox/configure> system licenses ?
NAME
licenses - Configure feature upgrade licenses
SYNTAX
licenses license_type <cr>
DESCRIPTION
license_type -- Specifies the type of feature upgrade license
The parameter may have any of the following values:
enable_1_port -- Enable 1 port
enable_2_ports-- Enable 2 ports
enable_3_ports-- Enable 3 ports
enable_4_ports-- Enable 4 ports
BGP4 -- BGP4 routing
vpn_mgmt -- Enable VPN Mgmt License
firewall -- Enable Firewall and VPN Mgmt License
vpn_plus_firewall-- Enable Advance VPN and Firewall License
To install the advanced VPN and firewall license and use all the security features available in this release, enter:
Blackbox/configure> system licenses vpn_plus_firewall
Enter Security Upgrade License key: 024f3bc296b4ea7265
4.2 Example 1: Managing the Black Box LR1104A Securely Over an IPSec Tunnel
The following example demonstrates how to manage a Black Box router through an IP security tunnel. Steps are presented for configuring the Black Box1 and Black Box2 routers so that any host on the LAN side of Black Box2 can manage the Black Box1 router through the IP security tunnel.
The security requirements are as follows:
Phase 1: 3DES with SHA1
Phase 2: IPSec ESP with AES and HMAC-SHA1
Figure 8 Tunnel Mode Between Two Black Box Security Gateways - Multiple Proposals (figure: trusted network 10.0.1.0/24 behind Black Box 1 (Tasman1, 172.16.0.1), an IPSec ESP tunnel across the untrusted network to Black Box 2 (Tasman2, 172.16.0.2), and trusted network 10.0.2.0/24 behind it)
Step 1: Configure a WAN bundle of network type untrusted
Black Box1/configure> interface bundle wan1
message: Configuring new bundle
Black Box1/configure/interface/bundle wan1> link t1 1
Black Box1/configure/interface/bundle wan1> encapsulation ppp
Black Box1/configure/interface/bundle wan1> ip address 172.16.0.1 24
Black Box1/configure/interface/bundle wan1> crypto untrusted
Black Box1/configure/interface/bundle wan1> exit
Step 2: Configure the Ethernet interface with trusted network type
Black Box1/configure> interface ethernet 0
message: Configuring existing Ethernet interface
Black Box1/configure/interface/ethernet 0> ip address 10.0.1.1 24
Black Box1/configure/interface/ethernet 0> crypto trusted
Black Box1/configure/interface/ethernet 0> exit
Step 3: Display the crypto interfaces
Blackbox> show crypto interfaces
Interface   Network
Name        Type
---------   ---------
wan1        Untrusted
ethernet0   trusted
Blackbox>
Step 4: Add route to peer LAN
Black Box1/configure> ip route 10.0.2.0 24 wan1
Step 5: Configure IKE to the peer gateway
Black Box1/configure> crypto ike policy Black Box2 172.16.0.2
Black Box1/configure/crypto/ike/policy Black Box2 172.16.0.2> local-address 172.16.0.1
message: Default proposal created with priority1-des-sha1-pre_shared-g1.
message: Key String has to be configured by the user.
Black Box1/configure/crypto/ike/policy Black Box2 172.16.0.2> key secretkey
Black Box1/configure/crypto/ike/policy Black Box2 172.16.0.2> proposal 1
Black Box1/configure/crypto/ike/policy Black Box2 172.16.0.2/proposal 1> encryption-algorithm 3des-cbc
Black Box1/configure/crypto/ike/policy Black Box2 172.16.0.2/proposal 1> exit
Black Box1/configure/crypto/ike/policy Black Box2 172.16.0.2> exit
Step 6: Display IKE policies
Blackbox> show crypto ike policy all
Policy      Peer          Mode   Transform
------      ----          ----   ---------
Black Box   172.14.0.2    Main   P1 pre-g1-3des-sha
Blackbox>
Step 7: Display IKE policies in detail
Displays the encryption algorithm, hash algorithm, authentication mode, and other details of the IKE policies.
Step 8: Configure the IPSec tunnel to the remote host
Black Box1/configure/crypto> ipsec policy Black Box2 172.16.0.2
Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2> match address 172.16.0.1 32 10.0.2.0 24
message: Default proposal created with priority1-esp-3des-sha1-tunnel and activated.
Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2> proposal 1
Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2/proposal 1> encryption-algorithm aes128-cbc
Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2/proposal 1> exit
Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2> exit
Step 9: Display IPSec policies
Displays the policy just added.
Step 10: Display IPSec policies in detail
Shows the details of the IPSec policies.
Step 10.1: Configure firewall policies to allow IKE negotiation through untrusted interface (applicable only if firewall license is also enabled)
Black Box1/configure> firewall internet
Black Box1/configure/firewall internet> policy 1000 in service ike self
Black Box1/configure/firewall internet/policy 1000 in> exit
Black Box1/configure/firewall internet> exit
Step 10.2: Configure firewall policies to allow desired services through untrusted interface to manage the router (applicable only if firewall license is also enabled)
Black Box1/configure> firewall internet
Black Box1/configure/firewall internet> policy 1001 in service snmp self
Black Box1/configure/firewall internet/policy 1001 in> exit
Black Box1/configure/firewall internet> policy 1002 in service telnet self
Black Box1/configure/firewall internet/policy 1002 in> exit
Black Box1/configure/firewall internet> policy 1003 in protocol icmp self
Black Box1/configure/firewall internet/policy 1003 in> exit
Black Box1/configure/firewall internet> exit
Step 10.3: Display firewall policies in the internet map (applicable only if firewall license is enabled)
Black Box1> show firewall policy internet
Advanced: S - Self Traffic, F - Ftp-Filter, H - Http-Filter,
R - Rpc-Filter, N - Nat-Ip/Nat-Pool, L - Logging,
E - Policy Enabled, M - Smtp-Filter
Pri   Dir  Source Addr  Destination Addr  Sport   Dport  Proto  Action  Advanced
---   ---  -----------  ----------------  -----   -----  -----  ------  --------
1000  in   any          any               ike                   PERMIT  SE
1001  in   any          any               snmp                  PERMIT  SE
1002  in   any          any               telnet                PERMIT  SE
1003  in   any          any               any     any    icmp   PERMIT  SE
1024  out  any          any               any     any    any    PERMIT  SE
Step 10.4: Display firewall policies in the internet map in detail (applicable only if firewall license is enabled)
Black Box1> show firewall policy internet detail
Policy with Priority 1000 is enabled, Direction is inbound
Action permit, Traffic is self
Logging is disable
Source Address is any, Dest Address is any
Source Port is any, Service Name is ike
Schedule is disabled, Ftp-Filter is disabled
Smtp-Filter is disabled, Http-Filter is disabled
Rpc-Filter is disabled, Nat is disabled
Bytes In 0, Bytes Out 0
Policy with Priority 1001 is enabled, Direction is inbound
Action permit, Traffic is self
Logging is disable
Source Address is any, Dest Address is any
Source Port is any, Service Name is snmp
Schedule is disabled, Ftp-Filter is disabled
Smtp-Filter is disabled, Http-Filter is disabled
Rpc-Filter is disabled, Nat is disabled
Bytes In 0, Bytes Out 0
Policy with Priority 1002 is enabled, Direction is inbound
Action permit, Traffic is self
Logging is disable
Source Address is any, Dest Address is any
Source Port is any, Service Name is telnet
Schedule is disabled, Ftp-Filter is disabled
Smtp-Filter is disabled, Http-Filter is disabled
Rpc-Filter is disabled, Nat is disabled
Bytes In 0, Bytes Out 0
Policy with Priority 1003 is enabled, Direction is inbound
Action permit, Traffic is self
Logging is disable
Source Address is any, Dest Address is any
Source Port is any, Dest Port is any, Protocol is icmp
Schedule is disabled, Ftp-Filter is disabled
Smtp-Filter is disabled, Http-Filter is disabled
Rpc-Filter is disabled, Nat is disabled
Bytes In 0, Bytes Out 0
Policy with Priority 1024 is enabled, Direction is outbound
Action permit, Traffic is self
Logging is disable
Source Address is any, Dest Address is any
Source Port is any, Dest Port is any, any
Schedule is disabled, Ftp-Filter is disabled
Smtp-Filter is disabled, Http-Filter is disabled
Rpc-Filter is disabled, Nat is disabled
Bytes In 0, Bytes Out 0
Step 11: Enable SNMP on the Black Box1 router
Black Box1/configure/crypto/> exit
Black Box1/configure> snmp
Black Box1/configure/snmp> community public rw
Black Box1/configure/snmp> exit
Step 12: Display SNMP communities
Blackbox> show snmp communities
Community = public, privileges=rw
Blackbox>
Step 13: Repeat steps 1 - 10 with suitable modifications on Black Box2 prior to managing Black Box1 from Black Box2’s LAN side
Step 14: Test the IPSec tunnel for managing the Black Box1 router from a host on Black Box2’s LAN.
Step 15: When the SNMP manager starts managing Black Box1 from Black Box2’s LAN, display the IKE and IPSec SA
tables using:
show crypto ike sa all
show crypto ike sa all detail
show crypto ipsec sa all
show crypto ipsec sa all detail
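A check that the proposals actually configured in Steps 5 and 8 meet the stated Phase 1 and Phase 2 requirements, as an added Python example that is not Black Box code. It rebuilds each policy from the CLI transcript, including the router's "Default proposal created" messages, and flags a policy whose DES default was never overridden or whose key was never set. The transcript lines are the ones shown above (wrapped lines joined); the audit function, its field names and its messages are this example's own.

```python
import re

# Constructed audit of a crypto CLI transcript in the syntax shown in Example 1; an added
# example, not Black Box code. Proposals are rebuilt from the router's
# "message: Default proposal created with ..." lines plus the overrides typed afterwards.
PROMPT = re.compile(r"^.*?> ")                                    # "Black Box1/configure/...> "
POLICY = re.compile(r"(?:crypto )?(ike|ipsec) policy (.+) (\d+\.\d+\.\d+\.\d+)$")
DEFAULT = re.compile(r"priority(\d+)-([\w-]+)")
IKE_FIELDS = ("enc", "hash", "auth", "group")      # priority1-des-sha1-pre_shared-g1
IPSEC_FIELDS = ("proto", "enc", "hash", "mode")    # priority1-esp-3des-sha1-tunnel


def parse_transcript(lines):
    """Return {"ike": {peer: policy}, "ipsec": {peer: policy}}; each policy holds its
    pre-shared key, match address and numbered proposals as dicts of transform fields."""
    cfg = {"ike": {}, "ipsec": {}}
    policy = prop = None
    for raw in lines:
        line = PROMPT.sub("", raw.strip())
        m = POLICY.match(line)
        if m:
            kind, name, peer = m.groups()
            policy = cfg[kind].setdefault(peer, {"kind": kind, "name": name, "key": None,
                                                 "match": None, "proposals": {}})
            prop = None
        elif policy is None:
            continue                                   # lines outside any policy
        elif line.startswith("message: Default proposal"):
            num, transform = DEFAULT.search(line).groups()
            fields = IKE_FIELDS if policy["kind"] == "ike" else IPSEC_FIELDS
            policy["proposals"][int(num)] = dict(zip(fields, transform.split("-", len(fields) - 1)))
        elif line.startswith("proposal "):
            prop = policy["proposals"].setdefault(int(line.split()[1]), {})
        elif line.startswith("encryption-algorithm ") and prop is not None:
            prop["enc"] = line.split()[1].removesuffix("-cbc")   # 3des-cbc -> 3des, aes128-cbc -> aes128
        elif line.startswith("key "):
            policy["key"] = line.split(None, 1)[1]
        elif line.startswith("match address "):
            policy["match"] = line.split()[2:]                   # local, mask, remote, mask
        elif line == "exit":
            if prop is not None:
                prop = None
            else:
                policy = None
    return cfg


def audit(cfg, peer, phase1=("3des", "sha1"), phase2=("aes", "sha1")):
    """List every way the configuration for `peer` misses the stated Phase 1/Phase 2
    requirements; an empty list means the default proposals were fully overridden."""
    ike, ipsec = cfg["ike"].get(peer), cfg["ipsec"].get(peer)
    if ike is None or ipsec is None:
        return [f"no IKE or IPSec policy for peer {peer}"]
    findings = []
    if ike["key"] is None:
        findings.append("IKE pre-shared key never configured")
    for n, p in sorted(ike["proposals"].items()):
        if (p.get("enc"), p.get("hash")) != phase1:
            findings.append(f"IKE proposal {n} is {p.get('enc')}-{p.get('hash')}, wanted {phase1[0]}-{phase1[1]}")
    for n, p in sorted(ipsec["proposals"].items()):
        if p.get("proto") != "esp" or not p.get("enc", "").startswith(phase2[0]) or p.get("hash") != phase2[1]:
            findings.append(f"IPSec proposal {n} is {p.get('proto')}-{p.get('enc')}-{p.get('hash')}, "
                            f"wanted esp-{phase2[0]}*-{phase2[1]}")
    if ipsec["match"] is None:
        findings.append("IPSec policy has no match address, so nothing is protected")
    return findings


# Steps 5 and 8 of Example 1 as typed on Black Box1 (wrapped lines joined).
EXAMPLE1_STEPS_5_AND_8 = [
    "Black Box1/configure> crypto ike policy Black Box2 172.16.0.2",
    "Black Box1/configure/crypto/ike/policy Black Box2 172.16.0.2> local-address 172.16.0.1",
    "message: Default proposal created with priority1-des-sha1-pre_shared-g1.",
    "message: Key String has to be configured by the user.",
    "Black Box1/configure/crypto/ike/policy Black Box2 172.16.0.2> key secretkey",
    "Black Box1/configure/crypto/ike/policy Black Box2 172.16.0.2> proposal 1",
    "Black Box1/configure/crypto/ike/policy Black Box2 172.16.0.2/proposal 1> encryption-algorithm 3des-cbc",
    "Black Box1/configure/crypto/ike/policy Black Box2 172.16.0.2/proposal 1> exit",
    "Black Box1/configure/crypto/ike/policy Black Box2 172.16.0.2> exit",
    "Black Box1/configure/crypto> ipsec policy Black Box2 172.16.0.2",
    "Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2> match address 172.16.0.1 32 10.0.2.0 24",
    "message: Default proposal created with priority1-esp-3des-sha1-tunnel and activated.",
    "Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2> proposal 1",
    "Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2/proposal 1> encryption-algorithm aes128-cbc",
    "Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2/proposal 1> exit",
    "Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2> exit",
]
```

Running the same audit over the transcript captured on Black Box2 (Step 13) confirms both ends were brought to the same transforms before the tunnel is tested in Step 14.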
4.3 Example 2: Single Proposal: Tunnel Mode Between Two Black Box Security Gateways
The following example demonstrates how to form an IP security tunnel to join two private networks: 10.0.1.0/24 and
10.0.2.0/24. The security requirements are as follows:
Phase 1: 3DES with SHA1
Phase 2: IPSec ESP with AES (256-bit) and HMAC-SHA1
Figure 9 Tunnel Mode Between Two Black Box Security Gateways - Single Proposals (figure: trusted network 10.0.1.0/24 behind BlackBox 1 (Tasman1, 172.16.0.1), an IPSec ESP tunnel across the untrusted network to BlackBox 2 (Tasman2, 172.16.0.2), and trusted network 10.0.2.0/24 behind it)
Step 1: Configure a WAN bundle of network type untrusted
Black Box1/configure/interface/bundle wan1> link t1 1
Black Box1/configure/interface/bundle wan1> encapsulation ppp
Black Box1/configure/interface/bundle wan1> ip address 172.16.0.1 24
Black Box1/configure/interface/bundle wan1> crypto untrusted
Black Box1/configure/interface/bundle wan1> exit
Step 2: Configure the Ethernet interface with trusted network type
Black Box1/configure> interface ethernet 0
message: Configuring existing Ethernet interface
Black Box1/configure/interface/ethernet 0> ip address 10.0.1.1 24
Black Box1/configure/interface/ethernet 0> crypto trusted
Black Box1/configure/interface/ethernet 0> exit
Step 3: Display the crypto interfaces
Blackbox> show crypto interfaces
Interface   Network
Name        Type
---------   ---------
wan1        Untrusted
ethernet0   trusted
Blackbox>
Step 4: Add route to peer LAN
Black Box1/configure> ip route 10.0.2.0 24 wan1
Step 5: Configure IKE to the peer gateway
Black Box1/configure> crypto ike policy Black Box2 172.16.0.2
Black Box1/configure/crypto/ike/policy Black Box2 172.16.0.2> local-address 172.16.0.1
message: Default proposal created with priority1-des-sha1-pre_shared-g1.
message: Key String has to be configured by the user.
Black Box1/configure/crypto/ike/policy Black Box2 172.16.0.2> key secretkey
Black Box1/configure/crypto/ike/policy Black Box2 172.16.0.2> proposal 1
Black Box1/configure/crypto/ike/policy Black Box2 172.16.0.2/proposal 1> encryption-algorithm 3des-cbc
Black Box1/configure/crypto/ike/policy Black Box2 172.16.0.2/proposal 1> exit
Black Box1/configure/crypto/ike/policy Black Box2 172.16.0.2> exit
Black Box1/configure/crypto> exit
Black Box1/configure>
Step 6: Display IKE policies
Blackbox> show crypto ike policy all
Policy      Peer          Mode   Transform
------      ----          ----   ---------
Black Box   172.14.0.2    Main   P1 pre-g1-3des-sha
Blackbox>
Step 7: Configure IPSec tunnel to the remote host
Black Box1/configure/crypto> ipsec policy Black Box2 172.16.0.2
Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2> match address 10.0.1.0 24 10.0.2.0 24
NOTE: For IPSec only, when you create an outbound tunnel, an inbound tunnel is automatically created. The inbound tunnel applies the name that you provide for the outbound tunnel and adds the prefix “IN” to the name.
message: Default proposal created with priority1-esp-3des-sha1-tunnel and activated.
Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2> proposal 1
Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2/proposal 1> encryption-algorithm aes256-cbc
Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2/proposal 1> exit
Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2> exit
Step 8: Display IPSec policies
Using the show crypto ipsec policy all command.
Step 8.1: Configure firewall policies to allow IKE negotiation through untrusted interface (applicable only if firewall license is also enabled)
Black Box1/configure> firewall internet
Black Box1/configure/firewall internet> policy 1000 in service ike self
Black Box1/configure/firewall internet/policy 1000 in> exit
Black Box1/configure/firewall internet> exit
Step 8.2: Display firewall policies in the internet map (applicable only if firewall license is enabled)
Black Box1> show firewall policy internet
Advanced: S - Self Traffic, F - Ftp-Filter, H - Http-Filter,
R - Rpc-Filter, N - Nat-Ip/Nat-Pool, L - Logging,
E - Policy Enabled, M - Smtp-Filter
Pri   Dir  Source Addr  Destination Addr  Sport   Dport  Proto  Action  Advanced
---   ---  -----------  ----------------  -----   -----  -----  ------  --------
1000  in   any          any               ike                   PERMIT  SE
1024  out  any          any               any     any    any    PERMIT  SE
Step 8.3: Display firewall policies in the internet map in detail (applicable only if firewall license is enabled)
Black Box1> show firewall policy internet detail
Policy with Priority 1000 is enabled, Direction is inbound
Action permit, Traffic is self
Logging is disable
Source Address is any, Dest Address is any
Source Port is any, Service Name is ike
Schedule is disabled, Ftp-Filter is disabled
Smtp-Filter is disabled, Http-Filter is disabled
Rpc-Filter is disabled, Nat is disabled
Bytes In 0, Bytes Out 0
Policy with Priority 1024 is enabled, Direction is outbound
Action permit, Traffic is self
Logging is disable
Source Address is any, Dest Address is any
Source Port is any, Dest Port is any, any
Schedule is disabled, Ftp-Filter is disabled
Smtp-Filter is disabled, Http-Filter is disabled
Rpc-Filter is disabled, Nat is disabled
Bytes In 0, Bytes Out 0
Step 8.4: Configure firewall policies to allow transit traffic from remote LAN to the local LAN (applicable only if firewall license is also enabled)
Black Box1/configure> firewall corp
Black Box1/configure/firewall corp> policy 1000 in address 10.0.2.0 24 10.0.1.0 24
Black Box1/configure/firewall corp/policy 1000 in> exit
Black Box1/configure/firewall corp> exit
Step 8.5: Display firewall policies in the corp map (applicable only if firewall license is enabled)
Black Box1> show firewall policy corp
Advanced: S - Self Traffic, F - Ftp-Filter, H - Http-Filter,
R - Rpc-Filter, N - Nat-Ip/Nat-Pool, L - Logging,
E - Policy Enabled, M - Smtp-Filter
Pri Dir Source Addr Destination Addr Sport Dport Proto Action Advanced
--- --- ----------- ---------------- ----------------- ------ -------
1000 in 10.0.2.0/24 10.0.1.0/24 any any any PERMIT E
1022 out any any any any any PERMIT SE
1023 in any any any any any PERMIT SE
1024 out any any any any any PERMIT E
Step 8.6: Display firewall policies in the corp map in detail (applicable only if firewall license is enabled)
Black Box1> show firewall policy corp detail
Policy with Priority 1000 is enabled, Direction is inbound
Action permit, Traffic is transit
Logging is disable
Source Address is 10.0.2.0/24, Dest Address is 10.0.1.0/24
Source Port is any, Dest Port is any, any
Schedule is disabled, Ftp-Filter is disabled
Smtp-Filter is disabled, Http-Filter is disabled
Rpc-Filter is disabled, Nat is disabled
Max-Connections 1024, Connection-Rate is disabled
Policing is disabled, Bandwidth is disabled
Bytes In 0, Bytes Out 0
Policy with Priority 1022 is enabled, Direction is outbound
Action permit, Traffic is self
Logging is disable
Source Address is any, Dest Address is any
Source Port is any, Dest Port is any, any
Schedule is disabled, Ftp-Filter is disabled
Smtp-Filter is disabled, Http-Filter is disabled
Rpc-Filter is disabled, Nat is disabled
Bytes In 0, Bytes Out 0
Policy with Priority 1023 is enabled, Direction is inbound
Action permit, Traffic is self
Logging is disable
Source Address is any, Dest Address is any
Source Port is any, Dest Port is any, any
Schedule is disabled, Ftp-Filter is disabled
Smtp-Filter is disabled, Http-Filter is disabled
Rpc-Filter is disabled, Nat is disabled
Bytes In 0, Bytes Out 0
Policy with Priority 1024 is enabled, Direction is outbound
Action permit, Traffic is transit
Logging is disable
Source Address is any, Dest Address is any
Source Port is any, Dest Port is any, any
Schedule is disabled, Ftp-Filter is disabled
Smtp-Filter is disabled, Http-Filter is disabled
Rpc-Filter is disabled, Nat is disabled
Max-Connections 1024, Connection-Rate is disabled
Policing is disabled, Bandwidth is disabled
Bytes In 11258, Bytes Out 5813
Step 9: Repeat steps 1 - 8 with suitable modifications on Black Box2 prior to passing traffic.
Step 10: Test the IPSec tunnel between Black Box1 and Black Box2 by passing traffic from the 10.0.1.0 to the 10.0.2.0 network
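Before passing traffic in Step 10, it is worth confirming that the corp-map transit policy from Step 8.4 actually covers the subnets named in the IPSec match address (10.0.2.0/24 inbound to 10.0.1.0/24), and noting which transit permits carry no address restriction at all (the default 1024 outbound policy in Step 8.6). The Python script below is an added example, not part of this guide or the router firmware: it parses a constructed copy of the show firewall policy corp detail output and assumes policies are matched lowest priority number first, as the listings are ordered.

```python
import ipaddress
import re
# Constructed sample (not live output): address/action lines of the Step 8.6 listing.
SAMPLE_OUTPUT = """\
Policy with Priority 1000 is enabled, Direction is inbound
Action permit, Traffic is transit
Source Address is 10.0.2.0/24, Dest Address is 10.0.1.0/24
Policy with Priority 1022 is enabled, Direction is outbound
Action permit, Traffic is self
Source Address is any, Dest Address is any
Policy with Priority 1023 is enabled, Direction is inbound
Action permit, Traffic is self
Source Address is any, Dest Address is any
Policy with Priority 1024 is enabled, Direction is outbound
Action permit, Traffic is transit
Source Address is any, Dest Address is any
"""
HEADER = re.compile(r"Policy with Priority (\d+) is (\w+), Direction is (\w+)")
ACTION = re.compile(r"Action (\w+), Traffic is (\w+)")
ADDRS = re.compile(r"Source Address is (\S+), Dest Address is (\S+)")

def parse_policies(text):
    """One dict per policy from the detail listing; filter/NAT/QoS lines are ignored."""
    policies = []
    for line in text.splitlines():
        if m := HEADER.match(line):
            policies.append({"priority": int(m.group(1)),
                             "enabled": m.group(2) == "enabled", "direction": m.group(3)})
        elif policies and (m := ACTION.match(line)):
            policies[-1]["action"], policies[-1]["traffic"] = m.groups()
        elif policies and (m := ADDRS.match(line)):
            policies[-1]["src"], policies[-1]["dst"] = m.groups()
    return policies

def _covers(field, subnet):
    """'any' matches everything; otherwise the policy prefix must contain the subnet."""
    return field == "any" or ipaddress.ip_network(subnet).subnet_of(ipaddress.ip_network(field))

def transit_policy_for(policies, remote, local):
    """Lowest priority number of an enabled inbound transit permit admitting remote->local."""
    for p in sorted(policies, key=lambda p: p["priority"]):
        if p["enabled"] and p["direction"] == "inbound" and p["traffic"] == "transit":
            if p["action"] == "permit" and _covers(p["src"], remote) and _covers(p["dst"], local):
                return p["priority"]
    return None  # decrypted tunnel traffic would be dropped by the corp map

def unrestricted_transit(policies):
    """Enabled any/any transit permits: far broader than the IPSec selectors require."""
    return [p["priority"] for p in policies if p["enabled"] and p["traffic"] == "transit"
            and p["action"] == "permit" and p["src"] == "any" and p["dst"] == "any"]
```

Run the same check against the show firewall policy corp detail output captured from Black Box2 after Step 9, with the remote and local subnets swapped.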