User Guide

Contents

Contents ..... 5

DHCP Relay ..... 11
  1.1 DHCP Relay ..... 11
    1.1.1 Feature Overview ..... 11
    1.1.2 Functionality ..... 11
      1.1.2.1 BOOTP Requests ..... 11
      1.1.2.2 BOOTP Replies ..... 12
    1.1.3 Using DHCP Relay with NAT ..... 12
    1.1.4 Command Line Interface ..... 12
      1.1.4.1 Enabling DHCP Relay ..... 12
      1.1.4.2 Disabling DHCP Relay ..... 13
      1.1.4.3 Configuring the Gateway Address field when NAT is enabled ..... 13
    1.1.5 Displaying DHCP Configuration ..... 13
    1.1.6 Displaying Statistics ..... 13
    1.1.7 DHCP Limitations ..... 14

Configuring Internet Group Management Protocol ..... 15
  2.1 IGMP Configuration ..... 15
    2.1.1 IGMP Commands ..... 16
    2.1.2 IGMP Configuration Examples ..... 16
      2.1.2.1 Example 1 ..... 16
      2.1.2.2 Example 2 ..... 16
      2.1.2.3 Example 3 ..... 16
      2.1.2.4 Example 4 ..... 16
      2.1.2.5 Example 5 ..... 17
      2.1.2.6 Example 6 ..... 17
      2.1.2.7 Example 7 ..... 17
      2.1.2.8 Example 8 ..... 17
      2.1.2.9 Example 9 ..... 17
      2.1.2.10 Example 10 ..... 17
      2.1.2.11 Example 11 ..... 17
      2.1.2.12 Example 12 ..... 17
      2.1.2.13 Example 13 ..... 17

Filtering IP Traffic ..... 19
  3.1 IP Packet Filter Lists ..... 19
    3.1.1 Example 1 ..... 19
      3.1.1.1 Configure the Black Box LR1104A ..... 19
    3.1.2 Example 2 ..... 20
      3.1.2.1 Configure the Black Box LR1104A ..... 20
    3.1.3 Example 3 ..... 20
      3.1.3.1 Configure the Black Box LR1104A ..... 20

Configuring Security ..... 21
  4.1 IPSec Configurations ..... 21
  4.2 Example 1: Managing the Black Box LR1104A Securely Over an IPSec Tunnel ..... 22
    Step 10.1: Configure firewall policies to allow IKE negotiation through untrusted interface (appl... ..... 24
    Step 10.2: Configure firewall policies to allow desired services through untrusted interface to m... ..... 24
    Step 10.3: Display firewall policies in the internet map (applicable only if firewall license is ... ..... 24
    Step 10.4: Display firewall policies in the internet map in detail (applicable only if firewall l... ..... 24
  4.3 Example 2: Single Proposal: Tunnel Mode Between Two Black Box Security Gateways ..... 26
    Step 8.1: Configure firewall policies to allow IKE negotiation through untrusted interface (appli... ..... 28
    Step 8.2: Display firewall policies in the internet map (applicable only if firewall license is e... ..... 28
    Step 8.3: Display firewall policies in the internet map in detail (applicable only if firewall li... ..... 28
    Step 8.4: Configure firewall policies to allow transit traffic from remote LAN to the local LAN (... ..... 29
    Step 8.5: Display firewall policies in the corp map (applicable only if firewall license is enabled) ..... 29
    Step 8.6: Display firewall policies in the corp map in detail (applicable only if firewall licens... ..... 29
  4.4 Example 3: Multiple IPSec Proposals: Tunnel Mode Between Two Black Box Security Gateways ..... 31
  4.5 Example 4: IPSec remote access to corporate LAN using user group method ..... 33
    Step 1: As in Step1 of Example 1 ..... 33
    Step 2: As in Step2 of Example 1 ..... 34
    Step 3: As in Step3 of Example 1 ..... 34
    Step 4: Configure dynamic IKE policy for a group of mobile users ..... 34
    Step 5: Display dynamic IKE policies ..... 34
    Step 6: Display dynamic IKE policies in detail ..... 34
    Step 7: Configure dynamic IPSec policy for a group of mobile users ..... 34
    Step 8: Display dynamic IPSec policies ..... 35
    Step 9: Display dynamic IPSec policies in detail ..... 35
    Step 10: Configure radius server (applicable only if client authentication is configured in dynam... ..... 36
    Step 11: Configure firewall policies to allow IKE negotiation through untrusted interface (applic... ..... 36
    Step 12: Display firewall policies in the internet map (applicable only if firewall license is en... ..... 37
    Step 13: Display firewall policies in the internet map in detail (applicable only if firewall lic... ..... 37
    Step 14: Configure firewall policies for a group of mobile users to allow access to the local LAN... ..... 37
    Step 15: Display firewall policies in the corp map (applicable only if firewall license is enabled) ..... 37
    Step 16: Display firewall policies in the corp map in detail (applicable only if firewall license... ..... 38
  4.1 Example 5: IPSec remote access to corporate LAN using mode configuration method ..... 38
    Step 1: As in Step1 of Example 1 ..... 39
    Step 2: As in Step2 of Example 1 ..... 39
    Step 3: As in Step3 of Example 1 ..... 39
    Step 4: Configure dynamic IKE policy for a group of mobile users ..... 39
    Step 5: Display dynamic IKE policies ..... 39
    Step 6: Display dynamic IKE policies in detail ..... 40
    Step 7: Configure dynamic IPSec policy for a group of mobile users ..... 40
    Step 8: Display dynamic IPSec policies ..... 40
    Step 9: Display dynamic IPSec policies in detail ..... 40
    Step 10: Configure firewall policies to allow IKE negotiation through untrusted interface (applic... ..... 41
    Step 11: Display firewall policies in the internet map (applicable only if firewall license is en... ..... 41
    Step 12: Display firewall policies in the internet map in detail (applicable only if firewall lic... ..... 41
    Step 13: Configure firewall policies for a group of mobile users to allow access to the local LAN... ..... 42
    Step 14: Display firewall policies in the corp map (applicable only if firewall license is enabled) ..... 42
    Step 15: Display firewall policies in the corp map in detail (applicable only if firewall license... ..... 42

IPSec Specifications ..... 45
  5.1 IPSec Appendix ..... 45
    5.1.1 Black Box IKE and IPSec Defaults ..... 46
      5.1.1.1 IKE Defaults ..... 46
      5.1.1.2 IPSec Defaults ..... 46

Forwarding IP Traffic ..... 49
  6.1 IP Multiplexing ..... 49
    6.1.1 Packet Forwarding Modes ..... 49
    6.1.2 Proxy ARP and Packet Forwarding ..... 49
    6.1.3 Addressing in IP Multiplexing Networks ..... 50
    6.1.4 Single Subnet ..... 51
    6.1.5 Split Subnet ..... 51
    6.1.6 Secondary Addressing – POP Only ..... 52
    6.1.7 Secondary Addressing – 30 Bit ..... 52
    6.1.8 Secondary Addressing – 29 Bit ..... 53
    6.1.9 Pros and Cons of Different IP Addressing Schemes ..... 53
    6.1.10 Routing Considerations for IP Multiplexing ..... 53

IP Multiplexing HDLC Configurations ..... 55
  7.1 Connecting a Black Box Router to a Router/CSU via HDLC ..... 55
    7.1.1 Configure the Black Box LR1104A at Site 2 ..... 56

IP Multiplexing PPP and MLPPP Configurations ..... 57
  8.1 Configuring Multiple PPP and MLPPP Bundles ..... 57
    8.1.1 Configure the Black Box LR1104A at the Main Site ..... 59

Configuring PPP, MLPPP, and HDLC ..... 61
  9.1 Layer Two Configurations: PPP, MLPPP, and HDLC ..... 61
    9.1.1 MLPPP Configuration ..... 62
      9.1.1.1 Configure the Black Box LR1114A System at Site 1 ..... 62
    9.1.2 PPP and MLPPP Configuration ..... 62
      9.1.2.1 Configure the Black Box LR1104A System at the Main Site ..... 62
    9.1.3 HDLC Configuration ..... 62
      9.1.3.1 Configure the Black Box LR1104A System at the Main Site ..... 62

Configuring Firewalls ..... 63
  10.1 Firewalls ..... 63
  10.2 Firewall Configuration Examples ..... 64
    10.2.1 Basic Firewall Configuration ..... 64
      Step 1: Configure the Ethernet interfaces and the WAN interfaces with IP addresses: ..... 64
      Step 2: Create the security zones CORP and DMZ and attach interfaces: ..... 65
      Step 3: Verify that the interfaces are attached to the security zones: ..... 65
      Step 4: Create policies for Security Zone CORP that: ..... 65
      Step 5: Verify the firewall policy for Security Zone CORP: ..... 66
      Step 6: Verify that the HTTP filter object in Security Zone CORP is created as configured. ..... 66
      Step 7: Create policies for Security Zone DMZ that: ..... 66
      Step 8: Verify the firewall policy for Security Zone DMZ ..... 67
      Step 9: Verify that the FTP filter objects for Security Zone DMZ are created as configured: ..... 67
      Step 10: Create a default route out of the WAN ..... 67
      Step 11: Verify the system configuration by displaying the running configuration. ..... 67
    10.2.1 Stopping DoS Attacks ..... 71
    10.2.2 Packet Reassembly ..... 72
  10.3 NAT Configurations ..... 72
  10.4 NAT Configuration Examples ..... 72
    10.4.1 Dynamic NAT (many to many) ..... 73
    10.4.2 Static NAT (one to one) ..... 74
    10.4.3 Port Address Translation (Many to one) ..... 75
      Method:1 – Specifying NAT address with the policy command ..... 75
      Method:2 – Attaching nat pool to the policy ..... 75

Multipath Multicast Configurations ..... 77
  11.1 Multipath Multicast ..... 77
  11.2 Multipath Commands ..... 78
    11.2.1 Multipath Examples ..... 78

Configuring NAT ..... 79
  12.1 Network Address Translation ..... 79
    12.1.1 Dynamic NAT ..... 79
    12.1.2 Static NAT ..... 79
    12.1.3 Configuration for Figure 1 ..... 80
    12.1.4 Configuration for Figure 2 ..... 81
    12.1.5 Reverse NAT ..... 81
    12.1.6 Configuration for Figure 3 ..... 82

NAT Configuration Examples ..... 83
  13.1 NAT Configurations ..... 83
  13.1 NAT Configuration Examples ..... 83
    13.1.1 Dynamic NAT (many to many) ..... 83
    13.1.2 Static NAT (one to one) ..... 85
    13.1.3 Port Address Translation (Many to one) ..... 86
      Method:1 – Specifying NAT address with the policy command ..... 86
      Method:2 – Attaching nat pool to the policy ..... 86

Remote Access VPNs ..... 87
  14.1 Secure Remote Access Using IPSec VPN ..... 87
  14.2 Access Methods ..... 87
    14.2.1 Remote Access: User Group ..... 87
    14.2.2 Remote Access: Mode Configuration ..... 88
  14.3 Configuration Examples ..... 88
  14.4 IPSec Remote Access User Group Method – Single Proposal, Pre-shared Key Authentication ..... 88
  14.5 IPSec Remote Access Mode Configuration Group Method ..... 90

Networking with Routing Information Protocol ..... 93
  15.1 Routing Information Protocol ..... 93
    15.1.1 Configuring RIP for Ethernet 0 and WAN 1 Interfaces ..... 93
    15.1.2 Displaying RIP Configuration ..... 93
    15.1.3 Displaying All Configured RIP Interfaces ..... 93

Configuring Static Routes ..... 95
  16.1 Static Routing Configuration ..... 95
    16.1.1 Configure the Router at Site “A” ..... 96
    16.1.2 Configure the Router at site “B” ..... 96

Configuring Open Shortest Path First Routing ..... 97
  17.1 OSPF Routing Protocol ..... 97
    17.1.1 Configuring the host name ..... 97
    17.1.2 Configuring interface ethernet 0 ..... 97
    17.1.3 Configuring interface bundle Dallas ..... 97
    17.1.4 Configuring ospf ..... 98
    17.1.5 Configuring ospf interface parameters ..... 98
    17.1.6 Displaying neighbors ..... 98
    17.1.7 Displaying ospf routes ..... 98
    17.1.8 Displaying IP routes ..... 98

Configuring Generic Routing Encapsulation ..... 99
  18.1 Configuring GRE ..... 99
  18.2 Installing Licenses ..... 99
  18.3 GRE Configuration Examples ..... 100
    18.3.1 Configuring Site to Site Tunnel ..... 101
  18.4 Configuring GRE Site to Site with IPSec ..... 103
  18.5 Configuring GRE Site to Site with IPSec and OSPF ..... 104

Configuring OSPF and Frame Relay ..... 105
  19.1 OSPF - Frame Relay ..... 105
    19.1.1 Configuring the host name ..... 106
    19.1.2 Configuring interface ethernet 0 ..... 106
    19.1.3 Configuring interface bundle Dallas ..... 106
    19.1.4 Configuring OSPF ..... 106
    19.1.5 Configuring interface Dallas parameters ..... 106
    19.1.6 Configuring interface ethernet 0 parameters ..... 106
    19.1.7 Displaying OSPF parameters ..... 106

Configuring Protocol Independent Multicasting Routing ..... 107
  20.1 PIM Configuration ..... 107
    20.1.1 PIM Commands ..... 107
    20.1.2 PIM Configuration Examples ..... 110

mtrace Configuration ..... 115
  21.1 Multicast Traceroute Facility ..... 115
    21.1.1 mtrace Command ..... 115
    21.1.2 Restrictions ..... 115
    21.1.2 mtrace Example ..... 116

Configuring Quality of Service Routing ..... 117
  22.1 Configuring QoS ..... 117
    22.1.1 Features ..... 117
    22.1.2 Definitions ..... 118
    22.1.3 Classification Types ..... 118
      22.1.3.1 Create bundle AppTest ..... 119
      22.1.3.2 Create traffic classes ..... 119
      22.1.3.3 Assign classification types ..... 119
    22.1.4 VLAN Identifiers ..... 119
      22.1.4.1 Create bundle VLANtest ..... 120
      22.1.4.2 Create traffic classes and assign classifications ..... 120
    22.1.5 Bulk Statistics ..... 120
      22.1.5.1 Configuring bulk statistics ..... 121

Virtual LAN Tagging ..... 123
  23.1 Managing Traffic with VLAN Tagging ..... 123
    23.1.1 Reston configuration: Black Box LR1104A ..... 124
      23.1.1.1 Configure interface bundle balt1 ..... 124
      23.1.1.2 Configure interface balt1 pvc 100 ..... 124
      23.1.1.3 Configure interface bundle dc1 ..... 124
      23.1.1.4 Configure interface ethernet 0 ..... 124
      23.1.1.5 Configure ip routing ..... 125
    23.1.2 DC configuration: Black Box LR1114A ..... 125
      23.1.2.1 Configure interface ethernet 0 ..... 125
      23.1.2.2 Configure interface bundle mip ..... 125
      23.1.2.3 Configure ip routing ..... 125

Managing Redundant connections ..... 127
  24.1 Trunk Group/Failover ..... 127
    24.1.1 Configuration Details ..... 127
      24.1.1.1 Configure the Black Box LR1114A for Failover Operation ..... 128

WAN Interface Configurations ..... 129
  25.1 T1 Interface Configuration ..... 129
    25.1.1 Module Configuration ..... 129
      25.1.1.1 T1 ..... 129
    25.1.2 Bundle Configuration ..... 129
      25.1.2.1 Fractional T1 ..... 129
    27.1.3 T1 ..... 130
    27.1.4 NxT1 ..... 130

Virtual LAN Forwarding ..... 131
  26.1 Managing VLAN Traffic ..... 131
    26.1.1 POP configuration: Black Box LR1104A ..... 133
      26.1.1.1 Configure mlppp bundle interface ..... 133
      26.1.1.2 Configure interface ethernet 0 ..... 133
      26.1.1.3 Configure in-band vlan forwarding table ..... 133
      26.1.1.4 Configure rate limiting for vlans ..... 133
    26.1.2 Bldg1 configuration: Black Box LR1114A ..... 133
      26.1.2.1 Configure interface bundle uplink ..... 134
      26.1.2.2 Configure inband VLAN forwarding table ..... 134
      26.1.2.3 Configure rate limiting for VLANs ..... 134
      26.1.2.4 Configure SNMP ..... 134

Multilink Frame Relay ..... 135
  27.1 Multilink Frame Relay FRF.15 and FRF.16 ..... 135
    27.1.1 Features ..... 135
      27.1.1.1 # Configure Ethernet interface ..... 136
      27.1.1.2 # Configure CVC1 ..... 136
      27.1.1.3 # Configure CVC2 ..... 136
      27.1.1.4 # Configure CVC3 ..... 136
      27.1.1.5 # Configure AVC ..... 136

Configuring Frame Relay and Multilink Frame Relay ..... 137
  28.1 Layer Two Configurations FR and MFR ..... 137
    28.1.1 FR Configuration ..... 138
      28.1.1.1 Configure the HSSI Bundle at Site 1 ..... 138
      28.1.1.2 Configure the Clear Channel Bundle on the LR1104A ..... 139
    28.1.2 MFR Configuration ..... 139
      28.1.2.1 Configure the LR1104A LR1104A at Site 1 ..... 139
      28.1.2.2 Configure the LR1104A ..... 139
      28.1.2.3 Configure the LR1104A LR1114A at Site 2 ..... 140
      28.1.2.4 Configure the LR1104A ..... 140

Size: 1.6 MB
Pages: 142
Language: English