Juniper JUNOSE SOFTWARE 11.2.X - BROADBAND ACCESS CONFIGURATION GUIDE 7-20-2010 Configuration Manual

Software for E Series Broadband Services Routers: Broadband Access Configuration Guide

JunosE™ Software
for E Series™ Broadband
Services Routers
Broadband Access
Configuration Guide
Release
11.2.x
Published: 2010-07-20
Copyright © 2010, Juniper Networks, Inc.


Summary of Contents for Juniper JUNOSE SOFTWARE 11.2.X - BROADBAND ACCESS CONFIGURATION GUIDE 7-20-2010

  • Page 1 JunosE™ Software for E Series™ Broadband Services Routers Broadband Access Configuration Guide Release 11.2.x Published: 2010-07-20
  • Page 2 Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
  • Page 3 REGARDING LICENSE TERMS. 1. The Parties. The parties to this Agreement are (i) Juniper Networks, Inc. (if the Customer’s principal office is located in the Americas) or Juniper Networks (Cayman) Limited (if the Customer’s principal office is located outside the Americas) (such applicable entity being referred to herein as “Juniper”), and (ii) the person or organization that originally purchased from Juniper or an authorized Juniper reseller the applicable...
  • Page 4 Customer shall be liable for any such violations. The version of the Software supplied to Customer may contain encryption or other capabilities restricting Customer’s ability to export the Software without an export license.
  • Page 5 (including Juniper modifications, as appropriate) available upon request for a period of up to three years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194 N. Mathilda Ave., Sunnyvale, CA http://www.gnu.org/licenses/gpl.html...
  • Page 7 Configuring Subscriber Management ... 567
  • Page 8 Index ... 715
  • Page 9: Table Of Contents

    Authentication and Accounting Methods ... 19
  • Page 10 Cisco-AVPair (Cisco VSA 26-1) ... 68; How the Route-Download Server Downloads Routes ... 69
  • Page 11 Monitoring Mapping Between User Domains and Virtual Routers ... 115; Monitoring Tunnel Subscriber Authentication ... 117
  • Page 12 Monitoring IPv6 Local Pools for DHCP Prefix Delegation By Pool Name ... 158; Monitoring IPv6 Local Pool Statistics for DHCP Prefix Delegation ... 160
  • Page 13 Supported RADIUS IETF Attributes ... 166; Supported Juniper Networks VSAs ... 169; Subscriber AAA Accounting Messages
  • Page 14 [26-159] DHCP-Option 82 ... 225; ANCP-Related Juniper Networks VSAs ... 225; DSL Forum Vendor-Specific Attributes
  • Page 15 Juniper Networks VSAs
  • Page 16 Sessions and Tunnels Supported ... 335
  • Page 17 Creating an L2TP Host Profile ... 371
  • Page 18 Session Termination for Dynamic Speed Timeout ... 394; Advisory Speed Precedence for VLANs over Bridged Ethernet ... 394
  • Page 19 Monitoring Detailed Configuration Information about Specified Tunnels ... 434; Monitoring Configured and Operational Status of All Tunnels ... 436
  • Page 20 Deleting DHCPv6 Client Bindings ... 478; Configuring the Router to Work with the SRC Software ... 479
  • Page 21 Selecting the DHCP Server Response ... 509; Behavior for Bound Clients and Address Renewals ... 509
  • Page 22 Monitoring DHCP Option 60 Information ... 548
  • Page 23 Policies and QoS ... 589
  • Page 24 Referencing Policies in Service Definitions ... 632
  • Page 25 Gracefully Deactivating Subscriber Service Sessions ... 665; Forcing Immediate Deactivation of Subscriber Service Sessions ... 666; Using Service Session Profiles to Deactivate Service Sessions ... 666
  • Page 26 Index ... 715
  • Page 27 Configuring Subscriber Management ... 567
  • Page 28 Group for a Combined IPv4/IPv6 Service ... 683
  • Page 29 Table 32: show subscribers Output Fields ... 155
  • Page 30 Table 49: RADIUS IETF Attributes Supported by JunosE Software ... 249; Table 50: Juniper Networks (Vendor ID 4874) VSA Formats ... 256; Table 51: JunosE Software DSL Forum (Vendor ID 3561) VSA Formats
  • Page 31 DHCP Local Server Overview ... 457; Table 98: Local Pool Selection in Equal-Access Mode ... 459
  • Page 32 Table 136: show ip demux interface Output Fields ... 617
  • Page 33 Table 164: show service-management subscriber-session Output Fields ... 709; Table 165: show service-management summary Output Fields ... 711
  • Page 35: About The Documentation

    Audience: This guide is intended for experienced system and network specialists working with Juniper Networks E Series Broadband Services Routers in an Internet access environment. E Series and JunosE Text and Syntax Conventions: Table 1 on page xxxvi defines notice icons used in this documentation.
  • Page 36: Table 1: Notice Icons

    Indicates that you must press two or more keys simultaneously; example: Press Ctrl + b. Syntax Conventions in the Command Reference Guide: Plain text like this represents keywords (example: terminal length). Italic text like this represents variables (example: mask, accessListName).
  • Page 37: Obtaining Documentation

    CD-ROMs or DVD-ROMs, see the Portable Libraries page at http://www.juniper.net/techpubs/resources/index.html Copies of the Management Information Bases (MIBs) for a particular software release are available for download in the software image bundle from the Juniper Networks Web site at http://www.juniper.net/...
  • Page 38: Self-Help Online Tools And Resources

    7 days a week, 365 days a year. Self-Help Online Tools and Resources: For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features: Find CSC offerings: http://www.juniper.net/customers/support/...
  • Page 39: Managing Remote Access

    PART 1 Managing Remote Access: Configuring Remote Access on page 3; Monitoring and Troubleshooting Remote Access on page 109
  • Page 41: Configuring Remote Access

    CHAPTER 1 Configuring Remote Access. This chapter describes how to configure remote access to a Juniper Networks E Series Broadband Services Router. This chapter discusses the following topics: Remote Access Overview on page 4; Remote Access Platform Considerations on page 5...
  • Page 42: Remote Access Overview

    Provide user accounting via RADIUS. NOTE: For information about configuring RADIUS attributes, see “Configuring RADIUS Attributes” on page 163. Configuring IP Addresses for Remote Clients: A remote client can obtain an IP address from one of the following:
  • Page 43: Aaa Overview

    See the ERX Module Guide for modules supported on ERX7xx models, ERX14xx models, and the ERX310 Broadband Services Router. See the E120 and E320 Module Guide for modules supported on the Juniper Networks E120 and E320 Broadband Services Routers. B-RAS Protocol Support...
  • Page 44: Remote Access References

    (Optional) Map a user domain name to a virtual router. By default, all requests go through a default router. (Optional) Set up domain name and realm name usage. (Optional) Specify a single name for users from a domain.
  • Page 45: Configuring A B-Ras License

    IP, LAC, and bridged Ethernet interfaces: 4000, 8000, 16,000, 32,000, 48,000. NOTE: To use a B-RAS license for 16,000 or more interfaces, each of your SRP modules must have 1 gigabyte (GB) of memory. license b-ras
  • Page 46: Mapping A User Domain Name To A Virtual Router

    Use to specify the B-RAS license. The license is a unique string of up to 15 alphanumeric characters. NOTE: Acquire the license from Juniper Networks Customer Service or your Juniper Networks sales representative. You can purchase licenses that allow up to 2,000, 4,000, 8,000, 16,000, 32,000, or 48,000 simultaneous active IP, LAC, and bridged Ethernet interfaces.
  • Page 47: Mapping User Requests Without A Configured Domain Name

    To maintain flexibility, the redirection response may include idle time or session attributes that are treated as defaults unless the redirected authentication server overrides them. For example, if the RADIUS server returns the VR context along with an idle timeout
  • Page 48: Ip Hinting

    Use to map a user domain name to an IP version 6 (IPv6) loopback interface. The local interface identifies the interface information to use on the local (E Series) side of the subscriber’s interface. Example:
    host1(config)#aaa domain-map westford.com
    host1(config-domain-map)#ipv6-local-interface 2001:db8::8000
  • Page 49: Setting Up Domain Name And Realm Name Usage

    It also allows you to set whether or not the router strips the domain name from the username before it sends the username to the RADIUS server. By default, the router parses usernames as follows: realmName/personalName@domainName
  • Page 50: Using The Realm Name As The Domain Name

    If you set the parse order to domain-first, the router searches for a domain name first. For example, for username usEast/lori@abc.com, the domain name is abc.com.
  • Page 51: Specifying The Domain Name Or Realm Name Parse Direction

    The default realm name delimiter is NULL (no character). In this case, realm parsing is disabled (having no delimiter disables realm parsing). You can specify up to eight delimiters each for domain name and realm name.
  • Page 52 With realm-first, for example, if the username is usEast/lori@abc.com, the domain name is usEast. If no realm name is found, the router searches for a domain name. Example: host1(config)#aaa parse-order domain-first
  • Page 53: Domain Name And Realm Name Examples

    Table 3: Username and Domain Name Examples
    Command                                      | Resulting Username       | Resulting Domain Name
    aaa parse-order realm-first                  | userjohn@abc.com@xyz.com | usEast
    aaa parse-order domain-first                 | userjohn@abc.com         | xyz.com
    aaa parse-direction domainName right-to-left | userjohn@abc.com         | xyz.com
    aaa parse-direction domainName left-to-right | userjohn                 | abc.com@xyz.com
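The parsing rules on pages 49 through 53 (parse order, parse direction, domain and realm delimiters, stripping) as an added Python model; this is illustration code written for this page, not code from the guide or from JunosE. It assumes the realm delimiter `/` and the domain delimiter `@`, and it assumes the Table 3 rows came from the inputs `usEast/userjohn@abc.com@xyz.com` (realm-first row) and `userjohn@abc.com@xyz.com` (remaining rows), which the excerpt does not show. The domain this step yields is what later selects the virtual router and AAA profile, so a wrong delimiter or direction sends the credential to the wrong authentication server.

```python
"""Model of how JunosE splits a login name into realm, personal name and
domain (realmName/personalName@domainName) under aaa parse-order,
aaa parse-direction and the configured delimiters.

Added illustration, not code from the guide or from JunosE. Where the
excerpt does not state a rule, the choice is marked as an assumption.
"""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class ParseConfig:
    # aaa parse-order {domain-first | realm-first}; assumption: domain-first default
    order: str = "domain-first"
    # aaa parse-direction domainName {left-to-right | right-to-left}
    domain_direction: str = "right-to-left"
    # aaa parse-direction realmName; assumption: left-to-right default
    realm_direction: str = "left-to-right"
    # up to eight single-character delimiters each (page 51); "@" assumed default
    domain_delimiters: Sequence[str] = ("@",)
    # default realm delimiter is NULL, which disables realm parsing (page 51)
    realm_delimiters: Sequence[str] = ()
    # whether the domain/realm is stripped from the name sent to RADIUS (page 49)
    strip: bool = True


def _find(name: str, delimiters: Sequence[str], direction: str) -> int:
    """Index of the delimiter character to split on, or -1 if none is present."""
    if len(delimiters) > 8:
        raise ValueError("JunosE accepts at most eight delimiters")
    hits = [i for i, ch in enumerate(name) if ch in delimiters]
    if not hits:
        return -1
    return hits[-1] if direction == "right-to-left" else hits[0]


def _split_domain(name: str, cfg: ParseConfig):
    """personalName@domainName: the domain is to the right of the delimiter."""
    i = _find(name, cfg.domain_delimiters, cfg.domain_direction)
    if i < 0:
        return None
    return name[:i], name[i + 1:]


def _split_realm(name: str, cfg: ParseConfig):
    """realmName/personalName: the realm is to the left of the delimiter."""
    i = _find(name, cfg.realm_delimiters, cfg.realm_direction)
    if i < 0:
        return None
    return name[i + 1:], name[:i]


def parse_username(name: str, cfg: ParseConfig = ParseConfig()) -> Tuple[str, Optional[str]]:
    """Return (username to send to RADIUS, domain used for VR/profile selection).

    realm-first tries the realm delimiter and falls back to the domain
    delimiter if no realm is found (page 52). domain-first does the reverse;
    the fallback to realm in that order is an assumption.
    """
    if cfg.order == "realm-first":
        steps = (_split_realm, _split_domain)
    else:
        steps = (_split_domain, _split_realm)
    for step in steps:
        found = step(name, cfg)
        if found is not None:
            remainder, domain = found
            return (remainder if cfg.strip else name), domain
    return name, None


if __name__ == "__main__":
    # Reproduces Table 3 (inputs assumed, see above) plus the page 50/52 example.
    realm_first = ParseConfig(order="realm-first", realm_delimiters=("/",))
    print(parse_username("usEast/userjohn@abc.com@xyz.com", realm_first))
    print(parse_username("userjohn@abc.com@xyz.com", ParseConfig()))
    print(parse_username("userjohn@abc.com@xyz.com", ParseConfig(domain_direction="left-to-right")))
    print(parse_username("usEast/lori@abc.com", ParseConfig(realm_delimiters=("/",))))
```

Note that with the default NULL realm delimiter the string `usEast/lori@abc.com` never yields the realm `usEast`, whatever the parse order: realm parsing must be switched on by configuring a realm delimiter first.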
  • Page 54: Specifying A Single Name For Users From A Domain

    To use a single username and a single password for all users from a domain: Access Domain Map Configuration mode using the aaa domain-map command. Specify the new username and password using the override-user command. aaa domain-map
  • Page 55: Configuring Radius Authentication And Accounting Servers

    If the connection attempt fails for the secondary RADIUS server, the router submits the request to the tertiary server and so on until it either is granted access on behalf of the client or there are no more configured servers.
  • Page 56: Server Access

    Table 4 on page 19 lists the range of UDP ports the router uses for each type of RADIUS request.
  • Page 57: Authentication And Accounting Methods

    Tunnels (for example, L2TP tunnels); RADIUS relay server; IP subscriber management interfaces. NOTE: IP subscriber management interfaces are static or dynamic interfaces that are created or managed by the JunosE Software’s subscriber management feature.
  • Page 58: Supporting Exchange Of Extensible Authentication Protocol Messages

    Acct-Update message to the accounting server immediately on receipt of a response (ACK or timeout) to the Acct-Start message. This feature is disabled by default. Use the enable keyword to enable immediate updates and the disable keyword to halt them.
  • Page 59: Duplicate And Broadcast Accounting

    Add up to four virtual routers to the group. The accounting information will be sent to all virtual routers in the group.
    host1(vr-group-config)#aaa virtual-router 1 vrXyz1
    host1(vr-group-config)#aaa virtual-router 2 vrXyz2
    host1(vr-group-config)#aaa virtual-router 3 vrXyz3
    host1(vr-group-config)#exit
    host1(config)#
  • Page 60: Overriding Aaa Accounting Nas Information

    In this configuration, the username and password on the remote end are not authenticated and can be set to any value. You must assign an IP address to a RADIUS authentication or accounting server to configure it.
  • Page 61 (Optional) Enter the correct virtual router context, and specify the virtual router group to which broadcast accounting records are sent.
    host1(config)#virtual-router vrSouth25
    host1:vrSouth25(config)#aaa accounting broadcast westVrGroup38
    host1:vrSouth25(config)#exit
  • Page 62 Use to specify the accounting method used for a particular type of subscriber. Specify one of the following types of subscribers: atm1483 (this keyword is not supported); tunnel; radius-relay; ipsec; ip (IP subscriber management interfaces).
  • Page 63 Use the enable keyword to enable immediate updates. Use the disable keyword to disable immediate updates. Immediate updates are disabled by default. Example:
    host1(config)#aaa accounting immediate-update enable
    Use the no version to restore the default condition, disabling immediate updates. See aaa accounting immediate-update. aaa accounting interval
  • Page 64 When creating a virtual router group, you must add at least one virtual router to the group; otherwise, the group is not created. A virtual router group can be used in any virtual router context, not just the context in which it is created. Example:
    host1(config)#aaa accounting vr-group westVrGroup38
  • Page 65 The router checks the routing table for the addresses returned for PPP users. If the address already exists in the routing table, the user is denied access. You can disable this routing table lookup (the duplicate address check) with the aaa duplicate-address-check command.
  • Page 66 The virtual router names in the group must be unique. An error message appears if you enter a duplicate name. Example 1:
    host1(config)#aaa accounting vr-group westVrGroup38
    host1(config-vr-group)#aaa virtual-router 1 vrWestA
    host1(config-vr-group)#aaa virtual-router 2 vrWestB
    host1(config-vr-group)#aaa virtual-router 4 vrSouth1
    Example 2:
    host1(config-vr-group)#no aaa virtual-router 2
  • Page 67 Use to issue an administrative reset to the user’s connection to disconnect the user. From Privileged Exec mode, you can log out all subscribers, or log out subscribers by username, domain, virtual-router, port, or icr-partition.
  • Page 68 There is no affirmative version of this command; there is only a no version. See no radius client. radius accounting server: Use to specify the IP address of authentication and accounting servers. Example:
    host1(config)#radius authentication server 10.10.10.1
  • Page 69 Use the no version to restore inclusion of the NAS-IP-Address [4] and NAS-Identifier [32] RADIUS attributes of the virtual router that requested the accounting information. See radius override nas-info. radius rollover-on-reject
  • Page 70 Use to specify an alternate source IP address for the router to use rather than the default router ID. Example:
    host1(config)#radius update-source-addr 192.168.40.23
    Use the no version to delete the parameter so that the router uses the router ID. See radius update-source-addr. retransmit
  • Page 71 When the retry limit is reached, the client sends the request to the secondary server. When the retry limit for the secondary server is reached, the router attempts to reach the tertiary server, and so on.
  • Page 72: Snmp Traps And System Log Messages

    Use the no version to set the port number to the default value. See udp-port. SNMP Traps and System Log Messages: The router can send Simple Network Management Protocol (SNMP) traps to alert network managers when:
  • Page 73: Snmp Traps

    RADIUS [ authentication | accounting ] server serverAddress unavailable in VR virtualRouterName [; trying nextServerAddress]
    RADIUS no [ authentication | accounting ] servers responding in VR virtualRouterName
    RADIUS [ authentication | accounting ] server serverAddress available in VR virtualRouterName
  • Page 74: Configuring Snmp Traps

    Configure the host that should receive the SNMP traps.
    host1(config)#snmp-server host 10.10.132.93 version 2c 3 udp-port 162 radius
    Enable the SNMP router agent to receive and forward RADIUS traps.
    host1(config)#snmp-server enable traps radius
    Enable SNMP on the router.
    host1(config)#snmp-server
  • Page 75 Use to enable RADIUS to send SNMP traps when a RADIUS authentication server returns to service after being marked as unavailable. The associated SNMP object is rsRadiusClientTrapOnAuthServerAvailable. This command affects only the current VR context. Example
  • Page 76: Configuring Local Authentication Servers

    Assign a local user database to the virtual router: Specify the database that the virtual router will use to authenticate subscribers. Enable local authentication on the virtual router: Specify the local method as an AAA authentication method used by the virtual router.
  • Page 77: Creating Local User Databases

    However, after the user is added to the default local user database, you can use the aaa local username command with the database name default to enter Local User Configuration mode and add the additional parameters.
  • Page 78: Using The Aaa Local Username Command

    E Series router. Use the following commands in Global Configuration mode: NOTE: If you do not specify a local user database, the virtual router selects the default database by default. This applies to all virtual routers. Specify the virtual router name.
  • Page 79: Enabling Local Authentication On The Virtual Router

    Use to create a local user database. Use the database name default to specify the default local user database, or enter a name for the specific local user database. Example:
    host1(config)#aaa local database westLocal40
  • Page 80 Example:
    host1(config-local-user)#ip-address 192.168.42.6
    Use the no version to delete the IP address parameter from the user entry in the local user database. See ip address. ip address-pool
  • Page 81 The new password replaces any current password or secret. Specify one of the following encryption algorithms, followed by the password: 0 (an unencrypted password; this is the default) or 8 (a two-way encrypted password). Because type 8 is two-way, anyone who can read the configuration can recover the password; treat saved configurations that contain local user passwords as secrets. Example:
    host1(config-local-user)#password 0 myPassword
  • Page 82 8 (a two-way encrypted password). Specify one of the following encryption algorithms, followed by the secret: 0 (an unencrypted secret; this is the default) or 5 (an MD5-encrypted secret). Use the nopassword keyword to remove the password or secret.
  • Page 83: Local Authentication Example

    0 dav1sSecret99
    host1(config-local-user)#ip-address 192.168.20.106
    host1(config-local-user)#operational-virtual-router boston1
    host1(config-local-user)#exit
    host1(config)#username cksmith password 0 yourPassword1
    host1(config)#aaa local username cksmith database default
    host1(config-local-user)#ip-address-pool addressPoolA
    host1(config-local-user)#operational-virtual-router boston2
  • Page 84 ! Configuration script being generated on TUE NOV 09 2004 12:50:18 UTC ! Juniper Edge Routing Switch ERX-1400 ! Version: 6.1.0 (November 8, 2004 18:31) ! Copyright (c) 1999-2004 Juniper Networks, Inc. All rights reserved. ! Commands displayed are limited to those available at privilege level 15 ! NOTE: This script represents only a subset of the full system configuration.
  • Page 85 ! Configuration script being generated on TUE NOV 09 2004 13:09:03 UTC ! Juniper Edge Routing Switch ERX-1400 ! Version: 6.1.0 (November 8, 2004 18:31) ! Copyright (c) 1999-2004 Juniper Networks, Inc. All rights reserved. ! Commands displayed are limited to those available at privilege level 15 ! NOTE: This script represents only a subset of the full system configuration.
  • Page 86: Configuring Tunnel Subscriber Authentication

    ! Configuration script being generated on TUE NOV 09 2004 13:09:25 UTC ! Juniper Edge Routing Switch ERX-1400 ! Version: 6.1.0 (November 8, 2004 18:31) ! Copyright (c) 1999-2004 Juniper Networks, Inc. All rights reserved. ! Commands displayed are limited to those available at privilege level 15 ! NOTE: This script represents only a subset of the full system configuration.
  • Page 87: Configuring Name Server Addresses

    This section contains procedures for configuring the DNS and WINS primary and secondary name server addresses. DNS Primary and Secondary NMS Configuration: To configure the DNS primary and secondary name server addresses: Specify the IP address of the DNS primary name server.
  • Page 88 Use the no version to set the corresponding address to 0 (or ::). See aaa ipv6-dns. aaa ipv6-dns secondary: Use to specify the IPv6 address of the DNS secondary name server. Example:
    host1(config)#aaa ipv6-dns secondary 2001:db8::8002
  • Page 89: Wins Primary And Secondary Nms Configuration

    A local address server is defined in the context of a virtual router. You create a local address server when you configure the first local pool. Local address servers exist as long as the virtual router exists or until you remove them by deleting all configured pools.
  • Page 90: Local Address Pool Ranges

    Shared Local Address Pools: Typically, the local address server allocates IP addresses from a pool of addresses that is stored locally on the router. However, shared local address pools enable a local address
  • Page 91: Figure 2: Shared Local Address Pools

    Example: The following commands create the shared address pools in Figure 2 on page 53:
    host1(config)#ip local shared-pool Shared_LAS_Pool_A DHCP_Pool_1
    host1(config)#ip local shared-pool Shared_LAS_Pool_B DHCP_Pool_1
    host1(config)#ip local shared-pool Shared_LAS_Pool_C DHCP_Pool_3
  • Page 92: Snmp Thresholds

    NOTE: If a pool or range is deleted while addresses are outstanding, the AAA server logs out the clients using those addresses. Create a shared local address pool:
    host1(config)#ip local shared-pool Shared_LAS_Pool_A DHCP_Pool_1
    Delete a shared local address pool:
    host1(config)#no ip local shared-pool Shared_LAS_Pool_C
  • Page 93 The backup pool name is a character string up to 16 characters long. Example:
    host1(config)#aaa domain-map westford.com
    host1(config-domain-map)#backup-address-pool-name backup_poolB
    Use the no version to remove the backup address pool name. See backup-address-pool-name. ip address-pool
  • Page 94 192.168.56.10 192.168.56.15 Use the no version to remove the local pool (all ranges) or the specified range. See ip local pool. ip local pool snmpTrap: Use to enable SNMP pool utilization traps. Example
  • Page 95 If the pool name or prefix is not present in the RADIUS Access-Accept message, the IPv6 local address pool name configured using the ipv6-prefix-pool-name command is used to delegate prefixes to requesting DHCPv6 clients. The IPv6 local pool name is a character string up to 16 characters long.
  • Page 96: Configuring Dhcp Features

    Multiple PPP clients per ATM subinterface. Single Clients per ATM Subinterface: Figure 3 on page 58 shows a conceptual view of the configuration of a single PPP client per ATM subinterface. Figure 3: Single PPP Clients per ATM Subinterface
  • Page 97: Multiple Clients Per Atm Subinterface

    Configure an ATM interface by entering Configuration mode and performing the following tasks. For more information about configuring ATM interfaces, see the JunosE Link Layer Configuration Guide. Configure a physical interface:
    host1(config)#interface atm 0/1
    Configure the subinterface:
    host1(config-if)#interface atm 0/1.20
  • Page 98: Configuring Aaa Profiles

    An AAA profile contains a set of commands to control access for the incoming PPP subscriber. If no AAA profile is used, AAA continues as normal. The user’s name and domain name are not changed as a result of an AAA profile mapping.
  • Page 99: Allowing Or Denying Domain Names

    Determines that the AAA profile restrictToABC is valid. Searches restrictToABC for a match on the PPP subscriber’s domain name and finds no match. Searches restrictToABC for a match on the domain name default. Finds a match and denies the user access.
  • Page 100: Using Domain Name Aliases

    Searches forwardToXyz for a match on the PPP subscriber’s domain name and finds no match. Searches forwardToXyz for a match on the domain name default. Finds a match and continues as normal using the domain name xyz.com.
  • Page 101 Parses the domain name abc1.com and examines the specified AAA profile toAbc. Determines that the AAA profile toAbc is valid. Searches toAbc for a match on the PPP subscriber’s domain name and finds a match. Continues as normal using the domain name abc.com.
  • Page 102 See allow. deny: Use to specify the domain name(s) that you want to be denied access to AAA authentication. Example:
    host1(config-aaa-profile)#deny xyz.com
    Use the no version to negate the command. See deny. ppp aaa-profile
  • Page 103: Manually Setting Nas-Port-Type Attribute

    ATM and Ethernet interfaces. Doing so allows AAA profiles to determine the NAS port type for a given connection. To set the NAS-Port-Type attribute for ATM or Ethernet interfaces: Create an AAA profile.
  • Page 104 (CDMA); wireless-other; wireless-umts (wireless universal mobile telecommunications system, UMTS); xdsl (DSL of unknown type). Example:
    host1(config-aaa-profile)#nas-port-type atm wireless-80211
    Use the no version to remove the NAS-Port-Type setting for ATM interfaces. See nas-port-type atm
  • Page 105: Service-Description Attribute

    Set the Service-Description attribute:
    host1(config-aaa-profile)#service-description bos-xyzcorp
    aaa profile: Use to create and configure an AAA profile. Example:
    host1(config)#aaa profile xyzCorpPro2
    Use the no version to delete the AAA profile. See aaa profile. service-description
  • Page 106: Using Radius Route-Download Server To Distribute Routes

    NAS-1 Password = "14raddlsvr"
        User-Service-Type = Outbound-User
        cisco-avpair = "ip:route = 192.168.3.0 255.255.255.0 null0"
        cisco-avpair = "ip:route = vrf vrfboston 192.168.1.0/24 null 0 0 tag 6"
        cisco-avpair = "ip:route = vir host1 vrf vrfsunny 192.168.0.0/16 null0 0 tag 8"
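An added parser for the `ip:route` cisco-avpair strings in the users-file entry above, written for this page rather than taken from JunosE or from any RADIUS server. The grammar is inferred from the three example strings; reading the number after the next hop as an administrative distance is an assumption, and the tag range is the 1 to 4294967295 range the guide gives on page 108. The point for a practitioner: these routes are installed into the router's routing tables on the strength of a RADIUS reply, so a downloader should reject anything malformed (host bits set, an unsupported next hop, an out-of-range tag) rather than guess.

```python
"""Parser for the cisco-avpair "ip:route = ..." strings that a RADIUS
route-download server returns, plus extraction of them from a users-file entry.

Added illustration, not JunosE code. The grammar
    ip:route = [vir <virtualRouter>] [vrf <vrfName>] <prefix> (<mask> | /<len>)
               (null0 | null 0) [<distance>] [tag <n>]
is inferred from the three example strings on this page; treating the number
after the next hop as an administrative distance is an assumption. The tag
range 1-4294967295 (default 0) is the one the guide gives.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

_IP_ROUTE = re.compile(r"^\s*ip:route\s*=\s*(.*?)\s*$")
_AVPAIR_LINE = re.compile(r'cisco-avpair\s*=\s*"([^"]*)"')
TAG_MAX = 4294967295


@dataclass(frozen=True)
class DownloadedRoute:
    virtual_router: Optional[str]
    vrf: Optional[str]
    prefix: ipaddress.IPv4Network
    next_hop: str            # only "null0" (a discard route) appears on the page
    distance: int
    tag: int


def parse_ip_route(avpair: str) -> DownloadedRoute:
    """Parse one AV pair value; raise ValueError on anything malformed."""
    m = _IP_ROUTE.match(avpair)
    if not m:
        raise ValueError("not an ip:route AV pair: %r" % avpair)
    tokens = m.group(1).split()
    vr = vrf = None
    if len(tokens) >= 2 and tokens[0] == "vir":
        vr, tokens = tokens[1], tokens[2:]
    if len(tokens) >= 2 and tokens[0] == "vrf":
        vrf, tokens = tokens[1], tokens[2:]
    if not tokens:
        raise ValueError("missing destination")
    dest = tokens.pop(0)
    if "/" not in dest:                      # dotted-mask form: 192.168.3.0 255.255.255.0
        if not tokens:
            raise ValueError("missing mask")
        dest = dest + "/" + tokens.pop(0)
    prefix = ipaddress.IPv4Network(dest, strict=True)   # rejects host bits set
    if not tokens:
        raise ValueError("missing next hop")
    next_hop = tokens.pop(0)
    if next_hop == "null" and tokens and tokens[0] == "0":   # "null 0" spelling
        tokens.pop(0)
        next_hop = "null0"
    if next_hop != "null0":
        raise ValueError("unsupported next hop %r" % next_hop)
    distance = 0
    if tokens and tokens[0].isdigit():
        distance = int(tokens.pop(0))
    tag = 0
    if tokens and tokens[0] == "tag":
        if len(tokens) < 2 or not tokens[1].isdigit():
            raise ValueError("tag without a numeric value")
        tag = int(tokens[1])
        tokens = tokens[2:]
        if not 1 <= tag <= TAG_MAX:
            raise ValueError("tag %d outside 1-%d" % (tag, TAG_MAX))
    if tokens:
        raise ValueError("unexpected trailing tokens %r" % tokens)
    return DownloadedRoute(vr, vrf, prefix, next_hop, distance, tag)


def is_valid_ip_route(avpair: str) -> bool:
    """True if the AV pair parses cleanly under the grammar above."""
    try:
        parse_ip_route(avpair)
        return True
    except ValueError:
        return False


def routes_from_users_entry(entry: str) -> List[DownloadedRoute]:
    """Collect every ip:route AV pair in one RADIUS users-file entry."""
    values = _AVPAIR_LINE.findall(entry)
    return [parse_ip_route(v) for v in values if v.lstrip().startswith("ip:route")]


# Constructed sample: the users-file entry shown on page 106.
SAMPLE_ENTRY = '''NAS-1 Password = "14raddlsvr"
    User-Service-Type = Outbound-User
    cisco-avpair = "ip:route = 192.168.3.0 255.255.255.0 null0"
    cisco-avpair = "ip:route = vrf vrfboston 192.168.1.0/24 null 0 0 tag 6"
    cisco-avpair = "ip:route = vir host1 vrf vrfsunny 192.168.0.0/16 null0 0 tag 8"
'''

if __name__ == "__main__":
    for route in routes_from_users_entry(SAMPLE_ENTRY):
        print(route)
```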
  • Page 107: How The Route-Download Server Downloads Routes

    (Optional) Specify the UDP port used for RADIUS route-download server requests. host1(config-radius)#udp-port 1812 host1(config-radius)#exit host1(config)# Enable the route-download feature and optionally modify default parameters as needed. host1(config)#aaa route-download 1200 retry-interval 25 password dl1456atl synchronization 03:45:00 (Optional) Verify your route-download configuration: Copyright © 2010, Juniper Networks, Inc.
  • Page 108 You can specify a tag in the range 1–4294967295. The default tag is 0. base-user-name—The virtual router that is used for route-download requests. The default name is the router hostname. Copyright © 2010, Juniper Networks, Inc.
  • Page 109 Use to synchronize downloaded access routes and the routes that are installed in the routing tables of virtual routers. Use the following options to synchronize downloaded routes for a specific virtual router: Copyright © 2010, Juniper Networks, Inc.
  • Page 110 RADIUS route-download server. You can configure a single instance of the route downloader on the router. Example host1(config)#radius route-download server 10.10.5.10 host1(config-radius)# Copyright © 2010, Juniper Networks, Inc.
  • Page 111: Using The Aaa Logical Line Identifier To Track Subscribers

    This step is referred to as the preauthentication request because it occurs before user authentication and authorization. The preauthentication server returns the LLID to the router in the Calling-Station-Id (RADIUS attribute 31) of an Access-Accept message. Copyright © 2010, Juniper Networks, Inc.
  • Page 112: Radius Attributes In Preauthentication Request

    Type of service the user has requested or the type of service to be provided; for example, framed [61] NAS-Port-Type Type of physical port the NAS is using to authenticate the user [77] Connect-Info Actual user name; for example, jdoe@xyzcorp.east.com Copyright © 2010, Juniper Networks, Inc.
  • Page 113: Considerations For Using The Llid

    For information, see “radius rollover-on-reject” on page 32. Configuring the Router to Obtain the LLID for a Subscriber To configure the router to obtain the LLID for a subscriber: Create an AAA profile that supports subscriber preauthentication. host1(config)#aaa profile preAuthLlid
  • Page 114 To display a count of preauthentication requests and responses, use the show aaa statistics command. For information, see “Setting Baselines for Remote Access” on page 110. aaa profile Use to configure a new AAA profile. Example host1(config)#aaa profile boston123
  • Page 115 LLID for a subscriber. In response, the preauthentication server returns the LLID in the RADIUS Calling-Station-Id [31] attribute of an Access-Accept message. Example host1(config-aaa-profile)#pre-authenticate Use the no version to remove preauthentication support from the AAA profile. See pre-authenticate
  • Page 116: Troubleshooting Subscriber Preauthentication

    (ingress) policy Egress-Policy-Name Specifies the sublen string: name of the output-policy-name output (egress) policy Ingress-Statistics Indicates integer: 0 – disable, whether 1 – enable statistics are collected on input
  • Page 117: Traffic Shaping For Ppp Over Atm Interfaces

    Traffic Shaping for PPP over ATM Interfaces The router supports the configuration of traffic shaping parameters for PPP over ATM (PPPoA) via domain-based profiles and RADIUS. In connection with this feature, Table
  • Page 118: Table 7: Traffic-Shaping Vsas That Apply To Dynamic Ip Interfaces

    Example host1(config)#aaa domain-map atmTraffic host1(config-domain-map)#atm rtvbr 3897832145 3597861230 4294967295 Use the no version to remove the traffic-shaping configuration. See atm
  • Page 119: Mapping Application Terminate Reasons To Radius Terminate Codes

    NAS detected an error (other than on the port) that required ending the session NAS Request NAS ended the session for a non-error reason NAS Reboot NAS ended the session due to a non-administrative reboot
  • Page 120: Configuration Example

    (Optional) Display the current PPP terminate-cause mappings. host1(config)# run show terminate-code ppp
    Apps Terminate Reason               Description                         Radius Code
    ---------------------------------   --------------------------------    -----------
    authenticate-authenticator-timeout  authenticate authenticator timeout
    authenticate-challenge-timeout      authenticate challenge timeout
    authenticate-chap-no-resources      authenticate chap no resources
  • Page 121 --More-- radius include Use to include the Acct-Terminate-Cause attribute (RADIUS attribute 49) in RADIUS Acct-Off messages. You control inclusion of the Acct-Terminate-Cause attribute by enabling or disabling this command.
  • Page 122: Configuring Timeout

    PPP session. If there is no activity in either direction on the interfaces for more than the configured idle timeout period, the router terminates the PPP session.
  • Page 123 Example 1—Sets the idle timeout to 1200 seconds, and enables the router to monitor only ingress traffic for this idle timeout period to determine whether to disconnect the inactive PPP session. host1(config)#aaa timeout idle 1200 host1(config)#aaa timeout idle ingress-only
  • Page 124: Limiting Active Subscribers

    RADIUS server to free the address, you can set up the router to send an Acct-Stop message if a user fails AAA. aaa accounting acct-stop on-aaa-failure Use to cause the router to send an Acct-Stop message if a user fails AAA, but RADIUS grants access. Example
  • Page 125: Configuring Standard Radius Ipv6 Attributes For Ipv6 Neighbor Discovery Router Advertisements And Dhcpv6 Prefix Delegation

    In this release, you can control the RADIUS IETF attribute or VSA to be used for IPv6 Neighbor Discovery router advertisements and DHCPv6 Prefix Delegation by using aaa ipv6-nd-ra-prefix framed-ipv6-prefix and aaa dhcpv6-delegated-prefix delegated-ipv6-prefix commands, respectively, in Global Configuration mode on each virtual router.
  • Page 126: Duplicate Ipv6 Prefix Check Overview

    You can configure AAA service to detect duplicates of IPv6 Neighbor Discovery router advertisement prefixes and DHCPv6 delegated prefixes. If a non-unique IPv6 prefix is detected by AAA, the subscriber session corresponding to the duplicate prefix is terminated.
  • Page 127: Configuring Duplicate Ipv6 Prefix Check

    Nas-Port-Type, Nas-Port-Id, Nas-Port, and Calling-Station-Id attributes and send them to the RADIUS server in the Access-Request, Acct-Start, and Acct-Stop messages. The RADIUS client uses one of the following LAG interface ID formats: lag lag-name [.subinterface [:vlan]]
  • Page 128 Calling-Station-Id attribute. For example, a subscriber with the default AAA or RADIUS configuration who is connected over a LAG interface lag1, with subinterface-1, VLAN ID 10, S-VLAN ID 1, and router named
  • Page 129: Configuring The Src Client

    Configuring AAA Authentication for DHCP Local Server Standalone Mode on page 474 show subscribers Configuring the SRC Client The JunosE Software has an embedded client that interacts with the Juniper Networks SRC software, enabling the SRC software to manage the router’s policy and QoS configuration.
  • Page 130 PEP requests provisioning of an interface from the PDP. PDP determines policies and sends provisioning data to the PEP. PEP provisions the policies. PDP requests policy provisioning PDP determines new policies and sends provisioning data to the PEP. PEP provisions the policies.
  • Page 131 The proprietary PIB provides the Policy Manager and QoS Manager functionality shown in the following lists. Policy Manager Committed access rate Packet filtering Policy routing QoS classification and marking Rate limiting Traffic class QoS Manager
  • Page 132 The JunosE-IP-PIB file is updated with each JunosE release. Since the PIB is implemented by both Juniper Networks SRC and JunosE devices, distribution of the PIB file to customers is not necessary. Customers can access the proprietary PIB file, on approval from Juniper Networks, through Juniper support.
  • Page 133 IPv6 interfaces. The IPv6 support is in addition to the default IPv4 support. Example host1(config)#sscc protocol ipv6 Use the no version to disable IPv6 support on the SRC client. See sscc protocol ipv6 sscc protocol lac
  • Page 134 SRC software, which requests full synchronization, which restores correct policies and QoS provisioning. Using this option consumes more time because the command enables the router to clear the existing PIB structures in addition to performing the synchronization.
  • Page 135 If you do not specify a source interface, the TCP/COPS connection is not bound to a specific source (that is, local) interface. Example host1(config)#sscc sourceInterface atm 3/0
  • Page 136 COPS details. Therefore, this feature of retrieval of updated line rate parameters from ANCP by the SRC client is backward compatible with older versions of SRC software.
  • Page 137: Retrieval Of Dsl Line Rate Information From Access Nodes Overview

    COPS server or SRC server. A COPS server processes the following topology parameters that it receives from the SRC client in the updated COPS messages: JunosEIpInterfaceMode JunosEIpInterfaceUpstreamRate JunosEIpInterfaceDownstreamRate JunosEIpInterfaceMinimumDataRateUpstream JunosEIpInterfaceMinimumDataRateDownstream JunosEIpInterfaceAttainableDataRateUpstream JunosEIpInterfaceAttainableDataRateDownstream
  • Page 138: Dhcpv6 Local Address Pools For Allocation Of Ipv6 Prefixes Overview

    IPv6 prefixes to DHCPv6 clients. In this release, you can configure IPv6 local address pools to allocate IPv6 prefixes to clients in networks that use DHCPv6. These pools can be used to assign prefixes from a delegating router, which is an E Series router configured
  • Page 139 You can configure the IPv6 addresses of a primary and secondary DNS server in an IPv6 local pool. The DNS server addresses are returned to the client in DHCPv6 responses as part of the DNS Recursive Name Server option.
  • Page 140: Dhcpv6 Prefix Delegation Example

    /64 (usually of length, /48) from PE1. CPE1 is connected to the home network. CPE1 divides the single delegated prefix that it received from PE1 into multiple /64 prefixes and assigns one /64 prefix to each of the
  • Page 141: Prefixes

    If any of the first three attributes are returned, then the prefix contained in those attributes is used and the pool name in the Framed-IPv6-Pool attribute is ignored. For example, if both the Delegated-IPv6-Prefix or Framed-IPv6-Prefix, and Framed-IPv6-Pool attributes are returned from the RADIUS server, the DHCPv6
  • Page 142: Configuring The Dhcpv6 Local Address Pools

    In this example, the start of the range is 2002:2002::/48 and the end of the range is 2002:2002:ffff::/48. All prefixes assigned from this range have 48 as the prefix length. Alternatively, configure the prefix range by specifying the starting and ending IPv6 prefixes of the range.
  • Page 143 DNS resolution. You can specify a maximum of four DNS domains for an IPv6 local pool’s search list. host1(config-v6-local)#dns-domain-search test1.com host1(config-v6-local)#dns-domain-search test2.com You can configure one domain name per line. Enter the command on separate lines to configure additional domain names.
  • Page 144: Limitation On The Number Of Prefixes Used By Clients

    Preferred Valid Start Exclude Util Lifetime Lifetime ------------------------- ------- ---- ---------- ---------- 3003:3003::/64 1 day 1 day host1#show ipv6 local pool IPv6 Local Address Pools ------------------------ Pool Start ---------------- ------------------------- ------------------------- largePrefixRange 3003:3003::/64 3003:3003:ffff:ffff::/64
  • Page 145: Example

    ! Create a VLAN subinterface, assign a loopback address to it, and enable ! IPv6 Neighbor Discovery. Exit the Interface Configuration mode. host1(config)#interface gigabitEthernet 2/1/4.100 host1(config-if)#vlan id 100 host1(config-if)#ipv6 unnumbered loopback 1 host1(config-if)#ipv6 nd
  • Page 146 Ethernet interface 2/1/4.100, prefixes are allocated to the client from the example local pool. In this example, the local pool to use for allocation of prefixes is selected based on the IPv6 address of the interface over which the request is received.
  • Page 147: Monitoring And Troubleshooting Remote Access

    Monitoring Interim Accounting for Users on the Virtual Router on page 127 Monitoring Virtual Router Groups Configured for AAA Broadcast Accounting on page 127 Monitoring Configuration Information for AAA Local Authentication on page 128
  • Page 148: Setting Baselines For Remote Access

    You can set baseline statistics using the baseline commands. The router implements the baseline by reading and storing the statistics at the time the baseline is set and then subtracting this baseline when you retrieve baseline-relative statistics.
  • Page 149: Setting A Baseline For Aaa Statistics

    Setting a Baseline for Local Address Pool Statistics Purpose Set a baseline for local address pool statistics. Action Issue the show local pool statistics command: host1#show local pool statistics There is no no version.
  • Page 150: Setting A Baseline For Radius Statistics

    Accounting duplication set to router vrXyz25 Broadcast accounting uses group groupXyzCompany20 send acct-stop on AAA access deny is enabled send acct-stop on authentication server access deny is disabled acct-interval (for PPP Clients) 0
  • Page 151: Monitoring Aaa Accounting Default

    Action To display the default AAA accounting method: host1#show aaa accounting tunnel default radius Related Topics show aaa accounting default Monitoring Accounting Interval Purpose Display the accounting interval. Action To display the accounting interval:
  • Page 152: Monitoring Specific Virtual Router Groups

    Related Topics show aaa authentication default Monitoring Domain and Realm Name Delimiters Purpose Display the domain and realm name delimiters, parse order, and parse direction configured on the router.
  • Page 153: Monitoring Mapping Between User Domains And Virtual Routers

    Table 13: show aaa domain-map Output Fields Field Name Field Description Domain Name of the domain router-name Virtual router to which user domain name is mapped tunnel-group Name of the tunnel group assigned to the domain
  • Page 154 Maximum number of sessions allowed on a tunnel Tunnel RWS L2TP receive window size (RWS) for a tunnel on the LAC; displays either the configured value or the default behavior, which is indicated by system chooses
  • Page 155: Monitoring Tunnel Subscriber Authentication

    To display whether the routing table address lookup or duplicate address check is enabled or disabled: host1#show aaa duplicate-address-check enabled Related Topics show aaa duplicate-address-check Monitoring the AAA Model Purpose Display the AAA model.
  • Page 156: Servers

    Table 14: show aaa profile Output Fields Field Name Field Description atm nas-port-type Configuration of NAS-Port-Type attribute for ATM interfaces ethernet nas-port-type Configuration of NAS-Port-Type attribute for Ethernet interfaces profile-service-description Description configured in the Service-Description attribute
  • Page 157: Monitoring Statistics About The Radius Route-Download Server

    Total Download Attempts: 2 Successful Downloads: Downloaded Fragments: 3756 Downloaded Routes: 192000 IP Updates: Updated Routes: 96000 Cleared Route Intervals: 0 Meaning Table 15 on page 120 lists the show aaa route-download command output fields.
  • Page 158: Table 15: Show Aaa Route-Download Output Fields

    Number of downloads attempted Successful Downloads Number of successful download operations Downloaded Fragments Number of downloaded fragments Downloaded Routes Number of downloaded routes IP Updates Number of IP updates Updated Routes Number of updated routes
  • Page 159: Monitoring Routes Downloaded By The Radius Route-Download Server

    IP address prefix and mask information for downloaded routes Type Type of downloaded routes; Access-P indicates routes downloaded from the RADIUS route-download server NextHop IP address of the next hop Dst/Met Administrative distance and number of hops for the route
  • Page 160: Servers

    VRF a2 in virtual router aaa. Action To display chassis-wide information about routes that are downloaded by RADIUS route-download servers: host1#show aaa route-download routes global Number Virtual Router Present Routes --------------- --------------- ------- ------ default default
  • Page 161: Table 17: Show Aaa Route-Download Routes Global Output Fields

    Number of current downloaded routes Prefix/Length IP address prefix and mask information for downloaded routes Type Type of downloaded routes; Access-P indicates routes downloaded from the RADIUS route-download server NextHop IP address of the next hop
  • Page 162: Monitoring Authentication, Authorization, And Accounting Statistics

    Table 18 on page 124 lists the show aaa statistics command output fields. Table 18: show aaa statistics Output Fields Field Name Field Description incoming initiate requests Number of incoming AAA requests (from other E Series applications) for user connect services
  • Page 163 AAA to the accounting task incoming Broadcast Acct Number of broadcast accounting responses (starts, responses updates, stops) from the accounting task to AAA outgoing Address requests Number of address allocation/release requests from AAA to address allocation task
  • Page 164: Monitoring The Number Of Active Subscribers Per Port

    Monitoring Session Timeouts Purpose Display idle and session timeouts. Action To display idle and session timeouts: host1#show aaa timeout idle timeout 1200 seconds monitor ingress only session timeout 3600 seconds Related Topics show aaa timeout
  • Page 165: Monitoring Interim Accounting For Users On The Virtual Router

    ! Configuration script being generated on MON JAN 10 2005 15:19:19 UTC ! Juniper Edge Routing Switch ERX1440 ! Version: 9.9.9 development-4.0 (January 7, 2005 17:26) ! Copyright (c) 1999-2004 Juniper Networks, Inc. All rights reserved. ! Commands displayed are limited to those available at privilege level 15 ! NOTE: This script represents only a subset of the full system configuration.
  • Page 166: Monitoring Configuration Information For Aaa Local Authentication

    ! Configuration script being generated on TUE NOV 09 2004 12:50:18 UTC ! Juniper Edge Routing Switch ERX-1400 ! Version: 6.1.0 (November 8, 2004 18:31) ! Copyright (c) 1999-2004 Juniper Networks, Inc. All rights reserved. ! Commands displayed are limited to those available at privilege level 15 ! NOTE: This script represents only a subset of the full system configuration.
  • Page 167: Monitoring Aaa Server Attributes

    ! Juniper Edge Routing Switch ERX1440 ! Version: 11.2.0 beta-1.1 [BuildId 12073] (April 22, 2010 11:46) ! Copyright (c) 1999-2010 Juniper Networks, Inc. All rights reserved. ! Commands displayed are limited to those available at privilege level 15 ! NOTE: This script represents only a subset of the full system configuration.
  • Page 168: Table 21: Show Configuration Category Aaa Server-Attributes Include-Defaults

    Virtual router used for duplicate accounting aaa accounting broadcast Virtual router group used for broadcast accounting aaa duplicate-address-check Enabled, disabled aaa accounting acct-stop Enabled, disabled on-aaa-failure aaa accounting acct-stop Enabled, disabled on-access-deny aaa subscriber limit per-vr Enabled, disabled
  • Page 169: Monitoring The Cops Layer Over Src Connection

    Keep Alive Sent: 12 Session Information Remote Ip Address: 10.10.0.223 Remote TCP Port: 4001 Client Type: 16384 Bytes Received: 2224 Packets Received: 5 Bytes Sent: Packets Sent: REQ Sent: DEC Rcv: RPT Sent: DRQ Sent:
  • Page 170: Table 22: Show Cops Info Output Fields

    Number of packets sent on this COPS session REQ Sent Number of Request packets sent on this COPS session DEC Rcv Number of Decision packets received on this COPS session RPT Sent Number of Report packets sent on this COPS session
  • Page 171: Monitoring Statistics About The Cops Layer

    Session Information: Client Type: 24754 Bytes Received: 2539032 Packets Received: 20388 Bytes Sent: 4386648 Packets Sent: 51337 REQ Sent: 21203 DEC Rcv: 20388 RPT Sent: 20391 DRQ Sent: 9743 SSQ Rcv: OPN Sent: CAT Rcv:
  • Page 172: Table 23: Show Cops Statistics Output Fields

    Number of Report packets sent on this COPS session DRQ Sent Number of Delete Requests sent on this COPS session SSQ Rcv Number of Synch Requests received on this COPS session OPN Sent Number of Open messages sent on this COPS session
  • Page 173: Monitoring Local Address Pool Aliases

    Monitoring Local Address Pools Purpose Display information about the local address pools configured on your router. If you do not specify the name of a local address pool, the router displays all local address pools.
  • Page 174: Table 25: Show Ip Local Pool Output Fields

    Meaning Table 25 on page 136 lists the show ip local pool command output fields. Table 25: show ip local pool Output Fields Field Name Field Description Pool User-specified name of the address pool
  • Page 175: Monitoring Local Address Pool Statistics

    Shared Pool In Use Dhcp Pool ----------- ------ --------- shared_poolA dhcp_pool_25 shared_poolB dhcp_pool_25 shared_poolC dhcp_pool_17 Meaning Table 26 on page 138 lists the show ip local shared-pool command output fields.
  • Page 176: Monitoring The Routing Table

    Configuration Guide for additional information about the show ip route command. Related Topics show ip route Monitoring the B-RAS License Purpose Display the B-RAS license. Action To display the B-RAS license: host1#show license b-ras K4bZ16Lr Related Topics show license b-ras
  • Page 177: Monitoring The Radius Server Algorithm

    Monitoring the RADIUS Rollover Configuration Purpose Display the configuration of the RADIUS rollover-on-reject feature. Action To display the RADIUS rollover configuration: host1#show radius rollover-on-reject rollover-on-reject enabled Meaning RADIUS rollover-on-reject is enabled. Related Topics show radius rollover-on-reject
  • Page 178: Monitoring Radius Server Information

    RADIUS Authentication Configuration ----------------------------------- Retry Maximum Dead IP Address Port Count Timeout Sessions Time Secret Status ------------- ---- ----- ------- -------- ---- ------ ------ RADIUS Accounting Configuration -------------------------------
  • Page 179: Table 28: Show Radius Servers Output Fields

    The status of none of the servers if the server is accessed using the round-robin algorithm. Related Topics show radius servers
  • Page 180: Monitoring Radius Services Statistics

    Start Responses Interim Responses Stop Responses Reject Responses Malformed Responses Bad Authenticators Requests Pending Request Timeouts Unknown Responses Packets Dropped To display RADIUS pre-authentication statistics: host1#show radius pre-authentication statistics RADIUS Pre-Authentication Statistics ------------------------------------ Statistic 172.28.30.117
  • Page 181: Table 29: Show Radius Statistics Output Fields

    Round Trip Time Hundreds of seconds from request to response Access Requests Number of access requests sent to server Rollover Requests Number of requests coming into server as a result of the previous server timing out
  • Page 182 Interim Requests Number of interim accounting requests Stop Requests Number of accounting stop requests sent; includes Acct-Off, Acct-Stop, Acct-Link-Stop, and Acct-Tunnel-Stop requests Reject Requests Number of accounting reject requests sent; includes Acct-Link-Reject and Acct-Tunnel-Reject requests
  • Page 183: Monitoring Radius Snmp Traps

    Monitoring RADIUS Accounting for L2TP Tunnels Purpose Display the status for RADIUS accounting for L2TP tunnels. Action To display RADIUS accounting for L2TP tunnels: host1#show radius tunnel-accounting disabled Meaning RADIUS accounting is either enabled or disabled.
  • Page 184: Monitoring Radius Udp Checksums

    Purpose Display the RADIUS attribute used for DHCPv6 Prefix Delegation. Action To display the RADIUS attribute used for DHCPv6 Prefix Delegation: host1#show aaa dhcpv6-delegated-prefix DHCPv6 Delegated Prefix : Framed-IPv6-Prefix Related Topics show aaa dhcpv6-delegated-prefix
  • Page 185: Monitoring Duplicate Ipv6 Prefixes

    Delete Interfaces sent Active IP Interfaces IP Interface Transitions Synchronizes received Synchronize Complete sent Internal Errors Communication Errors Tokens Seen Active Tokens Token Transitions Token Creates Sent Token Deletes Sent Active Addresses Address Transitions
  • Page 186: Table 30: Show Sscc Info Output Fields

    ANCP and transfers the details to the COPS server with other COPS messages, enabled or disabled The connection state is Current state of the TCP/COPS connection
  • Page 187: Monitoring Src Client Connection Statistics

    Display statistics about connection between the SRC client and SAE. The command output refers to the SRC client by its former name, SSC client. Action To display statistics for the SRC client connection: host1#show sscc statistics SSC Client Statistics:
  • Page 188: Table 31: Show Sscc Statistics Output Fields

    Number of connections the SRC client has tried to open with a remote SAE Connection Open completed Number of connections successfully open to the SAE Connection Closed sent Number of connections the SRC client has closed
  • Page 189: Monitoring The Src Client Version Number

    When you issue the command in the default VR, all users are displayed. When you issue the command in a nondefault VR, only those users attached to that VR are displayed. The following list describes keywords that you can use with the show subscribers command:
  • Page 190 You can use the icr-partition keyword to display the active subscribers for a particular ICR partition configured on a chassis. You can use the summary keyword to display only summary information about active subscribers. Action To display general subscriber information: host1# show subscribers
  • Page 191 ------------------------ ------------ 4101DHCPCLIENT@CT.NET lag lag2.1:1-1 User Name Login Time Circuit Id ------------------------ ------------------- ---------------- 4101DHCPCLIENT@CT.NET 09/10/29 02:07:51 User Name Remote Id ------------------------ ---------------- 4101DHCPCLIENT@CT.NET To display detailed information for subscribers on the specified slot:
  • Page 192 -------------------- ----- ATM 3/2.1 ETHERNET 5/2.1 LAG lag1.100 Total Subscribers: 4 (chassis-wide total) Peak Subscribers: 8 (chassis-wide total) To display the number of subscribers by slot: host1#show subscribers summary slot Slot Count -------- -----
  • Page 193: Table 32: Show Subscribers Output Fields

    Number of subscribers; the sum of the Ppp and Ip fields Number of PPPoA and PPPoE users, combined Number of DHCP and IP subscriber manager users, combined Number of users tunneled to an LNS
  • Page 194: Monitoring Application Terminate Reason Mappings

    To display all terminate reasons that are mapped to a specific terminate code: This example uses the radius keyword and a RADIUS Acct-Terminate-Cause code (radius 4) to display all terminate reasons mapped to the specified terminate code.
  • Page 195: Table 33: Show Terminate-Code Output Fields

    The application generating the terminate reason; AAA, L2TP, PPP, or RADIUS client Terminate Reason The application’s terminate reason Description The terminate reason Radius Code The RADIUS Acct-Terminate-Cause code to which the application’s terminate reason is mapped
  • Page 196: Pools

    Purpose Display prefix delegation details for an IPv6 local address pool configured on a virtual router. Action To display prefix delegation information for a specific IPv6 local address pool: host1#show ipv6 local pool example
  • Page 197: Table 35: Show Ipv6 Local Pool Poolname Output Fields

    Exclude Prefix length or prefix range excluded from allocation to the requesting router Util Percentage of prefixes currently allocated to clients from a particular prefix range in the pool
  • Page 198: Monitoring Ipv6 Local Pool Statistics For Dhcp Prefix Delegation

    Releases Number of prefixes released back to the pool Release Errors Number of errors encountered during the process of release of previously assigned prefixes by the requesting router Related Topics show ipv6 local pool
  • Page 199: Managing Radius And Tacacs

    Configuring RADIUS Relay Server on page 241 RADIUS Attribute Descriptions on page 249 Application Terminate Reasons on page 271 Monitoring RADIUS on page 297 Configuring TACACS+ on page 311 Monitoring TACACS+ on page 323
  • Page 200 JunosE 11.2.x Broadband Access Configuration Guide
  • Page 201: Chapter 3 Configuring Radius Attributes

    RADIUS Overview RADIUS is a distributed client/server system that protects networks against unauthorized access. RADIUS clients running on a Juniper Networks E Series Broadband Services Router send authentication requests to a central RADIUS server. You can access the RADIUS server through either a subscriber line or the CLI.
  • Page 202: Radius Services

    Any attribute number beginning with 26, such as [26-1], identifies a vendor-specific attribute. For a complete list of RADIUS attributes supported by JunosE Software, see “RADIUS IETF Attributes” on page 249. RADIUS Platform Considerations RADIUS is supported on all E Series routers.
  • Page 203: Radius References

    See the ERX Module Guide for modules supported on ERX7xx models, ERX14xx models, and the ERX310 Broadband Services Router. See the E120 and E320 Module Guide for modules supported on the Juniper Networks E120 and E320 Broadband Services Routers. RADIUS References For more information about RADIUS, consult the following resources: RFC 2865—Remote Authentication Dial In User Service (RADIUS) (June 2000)
  • Page 204: Supported Radius Ietf Attributes

    – [12] Framed-MTU – – – – (See Note 2.) [18] Reply-Message – – – (See Note 2.) [22] Framed-Route – – – – – [24] State – – – – (See Note 2.)
  • Page 205 (See Note 1.) [67] Tunnel-Server-Endpoint – – – – (See Note 1.) [68] Acct-Tunnel-Connection – – – – – (See Note 1.) [69] Tunnel-Password – – – – – [77] Connect-Info – – – – –
  • Page 206 Delegated-IPv6-Prefix – – – – – [135] Ascend-Primary-Dns – – – – – [136] Ascend-Secondary-Dns – – – – – [188] Ascend-Num-In-Multilink – – – – – [242] Ascend-Data-Filter – – – – –
  • Page 207: Supported Juniper Networks VSAs

    Supported Juniper Networks VSAs Table 38 on page 169 lists the Juniper Networks (Vendor ID 4874) VSAs supported for Access-Request, Access-Accept, Access-Reject, CoA-Request, and Disconnect-Request messages. Table 38: AAA Access Message Juniper Networks (Vendor ID 4874) VSAs...
  • Page 208 Table 38: AAA Access Message Juniper Networks (Vendor ID 4874) VSAs Supported (continued). Columns: Attribute Number, Attribute Name, Access-Request, Access-Accept, Access-Reject, CoA-Request, Disconnect-Request. [26-25] Redirect-Vrouter-Name – – – – [26-26] Qos-Profile-Name –...
  • Page 209 Table 38: AAA Access Message Juniper Networks (Vendor ID 4874) VSAs Supported (continued). Columns: Attribute Number, Attribute Name, Access-Request, Access-Accept, Access-Reject, CoA-Request, Disconnect-Request. [26-64] Tunnel-Group – – – – [26-65] Activate-Service –...
  • Page 210 Table 38: AAA Access Message Juniper Networks (Vendor ID 4874) VSAs Supported (continued). Columns: Attribute Number, Attribute Name, Access-Request, Access-Accept, Access-Reject, CoA-Request, Disconnect-Request. [26-88] Mobile-IP-Access-Control-List – – – – [26-89] Mobile-IP-Lifetime –...
  • Page 211: Subscriber AAA Accounting Messages

    Table 38: AAA Access Message Juniper Networks (Vendor ID 4874) VSAs Supported (continued). Columns: Attribute Number, Attribute Name, Access-Request, Access-Accept, Access-Reject, CoA-Request, Disconnect-Request. [26-120] Max-Data-Rate-Dn – – – – [26-121] Min-LP-Data-Rate-Up –...
  • Page 212: Supported RADIUS IETF Attributes

    For this attribute to be included, an IPv6 interface ID must be assigned to the subscriber. For this attribute to be included, at least one IPv6 prefix must be assigned to the subscriber.
  • Page 213: Table 39: AAA Accounting Message RADIUS IETF Attributes Supported

    [42] Acct-Input-Octets – – – [43] Acct-Output-Octets – – – [44] Acct-Session-Id [45] Acct-Authentic [46] Acct-Session-Time – – – [47] Acct-Input-Packets – – – [48] Acct-Output-Packets – – – [49] Acct-Terminate-Cause – – –
  • Page 214 (See Note 1.) [83] Tunnel-Preference (LAC only) – – [87] NAS-Port-Id – – [90] Tunnel-Client-Auth-Id – – (See Note 1.) [91] Tunnel-Server-Auth-Id – – (See Note 1.) [96] Framed-Interface-Id – – (See Note 1.)
  • Page 215: Supported Juniper Networks VSAs

    – (See Note 3.) Supported Juniper Networks VSAs Table 40 on page 178 lists the Juniper Networks (Vendor ID 4874) VSAs supported for Acct-Start, Acct-Stop, Interim-Acct, Acct-On, Acct-Off, Partition-Accounting-On, and Partition-Accounting-Off messages. The following notes are referred to in Table 40 on page 178: The attribute is not included in Acct-Stop messages that are sent when a user session does not get established in one of the following situations.
  • Page 216: Table 40: AAA Accounting Message Juniper Networks (Vendor ID 4874) VSAs

    – – [26-46] Ipv6-Local-Interface – – – – [26-47] Ipv6-Primary-DNS – – – – [26-48] Ipv6-Secondary-DNS – – – – [26-51] Disconnect-Cause – – – – – – [26-53] Service-Description – – – –
  • Page 217 – – – – [26-120] Max-Data-Rate-Dn – – – – [26-121] Min-LP-Data-Rate-Up – – – – [26-122] Min-LP-Data-Rate-Dn – – – – [26-123] Max-Interlv-Delay-Up – – – – [26-124] Act-Interlv-Delay-Up – – – –
  • Page 218: Tunnel Accounting Messages

    [26-159] DHCP-Option 82 – – – – (See Note 1.) Tunnel Accounting Messages Table 41 on page 181 lists RADIUS attributes supported by the following tunnel-related accounting messages: Acct-Tunnel-Start Acct-Tunnel-Stop Acct-Tunnel-Reject Acct-Tunnel-Link-Start Acct-Tunnel-Link-Stop Acct-Tunnel-Link-Reject
  • Page 219: Table 41: AAA Accounting Tunnel Message RADIUS Attributes Supported

    Event-Timestamp [64] Tunnel-Type [65] Tunnel-Medium-Type [66] Tunnel-Client-Endpoint [67] Tunnel-Server-Endpoint [68] Acct-Tunnel-Connection [82] Tunnel-Assignment-Id (LAC only) [83] Tunnel-Preference (LAC only) – – – [86] Acct-Tunnel-Packets-Lost – – – – [90] Tunnel-Client-Auth-Id [91] Tunnel-Server-Auth-Id
  • Page 220: DSL Forum VSAs in AAA Access and Accounting Messages

    VSA is available in the information that the router receives from the digital subscriber line access multiplexer (DSLAM). NOTE: JunosE Software also supports several Juniper Networks VSAs that you can use to include DSL-related information. See “Juniper Networks VSAs” on page 255.
  • Page 221: CLI AAA Messages

    Table 43 on page 183 lists the RADIUS attributes supported for CLI AAA messages. Table 43: CLI AAA Access Message RADIUS Attributes Supported. Columns: Attribute Number, Attribute Name, Access-Request, Access-Accept, Access-Challenge, Access-Reject. User-Name – – – User-Password – – –
  • Page 222: CLI Commands Used to Modify RADIUS Attributes

    CLI Commands Used to Modify RADIUS Attributes This section discusses the RADIUS Internet Engineering Task Force (IETF) attributes and the Juniper Networks vendor-specific attributes that you can configure using CLI commands. For many attributes, you can configure the router to include the attribute in RADIUS messages.
  • Page 223: NAS-IP-Address

    Monitoring Override Settings of RADIUS IETF Attributes on page 297 [5] NAS-Port Use the following commands to manage and display information for the NAS-Port RADIUS attribute: radius include nas-port radius nas-port-format radius nas-port-format extended radius pppoe nas-port-format unique radius vlan nas-port-format stacked
  • Page 224 The format attribute set using the radius nas-port-format command does not accommodate the number of bits required by the ATM interface specifier (slot/adapter/port/vpi/vci) or the Gigabit Ethernet and 10-Gigabit Ethernet interface specifier [ slot/adapter/port ] [ .vlanSubinterface ]. Issuing this command enables you
  • Page 225 Example 2—Sets the field widths for Gigabit Ethernet and 10-Gigabit Ethernet interfaces host1(config)#radius nas-port-format extended ethernet field-widths slot 4 adapter 1 port 3 vlan 12 Use the no version to restore the default behavior of the radius nas-port-format command.
  • Page 226: Framed-IP-Address

    For RADIUS to include this attribute, an IP address must be assigned to the subscriber. See radius include Example host1(config)#radius include framed-ip-addr acct-start enable Use the no version to restore the default, enable. [9] Framed-IP-Netmask Use the following commands to manage the Framed-IP-Netmask RADIUS attribute.
  • Page 227: [13] Framed-Compression

    Use to include the Framed-Compression attribute in Acct-Start or Acct-Stop messages. You can control inclusion of the attribute by enabling or disabling this command. See radius include Example host1(config)#radius include framed-compression acct-start disable Use the no version to restore the default, enable.
  • Page 228: [25] Class

    Use the no version to restore the default, enable. [31] Calling-Station-Id Use the following commands to manage information for the Calling-Station-Id RADIUS attribute. radius calling-station-format radius calling-station-delimiter radius include calling-station-id radius override calling-station-id remote-circuit-id
  • Page 229 <system name [4]> <slot [2]> <port [1]> <VPI [3]> <VCI [5]> Format for Ethernet interfaces: <system name [4]> <slot [2]> <port [1]> <VLAN [8]> Format for serial interfaces: <system name [4]> <slot [2]> <port [1]> <0 [8]>
  • Page 230 ERX310 routers, <adapter> is always shown as 0 (zero). Slot numbers 0 through 16 are shown as ASCII characters in the 1-byte slot field according to the following translation (table columns: Slot Number, ASCII Character): – –
  • Page 231 4-byte S-VLAN ID and 4-byte VLAN ID fields are incorrect. Format for Ethernet interfaces that use fixed-format stacked: <system name [4]> <slot [2]> <port [1]> <S-VLAN [4]> <VLAN [4]> Format for Ethernet interfaces that use fixed-format-adapter-embedded stacked:
  • Page 232 Ethernet interface on system name western, slot 4, adapter 1, port 3, S-VLAN ID 8, and VLAN ID 12, the virtual router displays the format in ASCII as ‘west’ ‘04’ ‘1’ ‘03’ ‘0008’ ‘0012’. Use the no version to restore the default Calling-Station-Id format, delimited. See radius calling-station-format
  • Page 233: [32] NAS-Identifier

    Monitoring Override Settings of RADIUS IETF Attributes on page 297 Monitoring the Calling-Station-Id RADIUS Attribute on page 299 [32] NAS-Identifier Use the following commands to manage and display information for the NAS-Identifier RADIUS attribute. radius nas-identifier radius include nas-identifier radius override nas-info
  • Page 234 You can format the PPPoE remote circuit ID value to include either or both of the agent-circuit-ID (suboption 1) and agent-remote-id (suboption 2) suboptions of the DHCP relay agent information option (option 82) or the PPPoE intermediate agent tags.
  • Page 235: [41] Acct-Delay-Time

    Monitoring the Format of the Remote-Circuit-ID for RADIUS on page 299 Monitoring the Delimiter Character in the Remote-Circuit-ID for RADIUS on page 300 [41] Acct-Delay-Time Use the following commands to manage and display information for the Acct-Delay-Time RADIUS attribute.
  • Page 236: [44] Acct-Session-Id

    Use the no version to restore the default, enable. radius acct-session-id-format Use to set the Acct-Session-Id attribute format. Two formats are supported: description—Configures RADIUS client to use the generic format: erx <interface identifier>:<hex number>. For example: erx atm 12/1:0.3:0000ef1
  • Page 237: [45] Acct-Authentic

    Use to include the Acct-Terminate-Cause attribute in Acct-Off messages. You can control inclusion of the attribute by enabling or disabling this command. See radius include. Example host1(config)#radius include acct-terminate-cause acct-off disable Use the no version to restore the default, enable.
  • Page 238: [50] Acct-Multi-Session-Id

    Use the following command to manage the Acct-Input-Gigawords RADIUS attribute. radius include input-gigawords radius include input-gigawords Use to include the Acct-Input-Gigawords attribute in Acct-Stop messages. You can control inclusion of the Acct-Input-Gigawords attribute by enabling or disabling this command. See radius include
  • Page 239: [53] Output-Gigawords

    Use the no version to restore the default, enable. [61] NAS-Port-Type Use the following commands to manage and display information for the NAS-Port-Type RADIUS attribute. radius dsl-port-type radius ethernet-port-type radius include nas-port-type
  • Page 240 Use the no version to restore the default, ethernet. radius include nas-port-type Use to include the NAS-Port-Type attribute in Access-Request, Acct-Start, and Acct-Stop messages. You can control inclusion of the attribute by enabling or disabling this command. See radius include
  • Page 241: [64] Tunnel-Type

    See radius include Example host1(config)#radius include tunnel-medium-type acct-start enable Use the no version to restore the default, enable. [66] Tunnel-Client-Endpoint Use the following command to manage the Tunnel-Client-Endpoint RADIUS attribute. radius include tunnel-client-endpoint radius include tunnel-client-endpoint
  • Page 242: [67] Tunnel-Server-Endpoint

    Acct-Stop messages. You can control inclusion of the Acct-Tunnel-Connection attribute by enabling or disabling this command. See radius include Example host1(config)#radius include acct-tunnel-connection acct-stop enable Use the no version to restore the default, enable.
  • Page 243: [77] Connect-Info

    Use to include the Connect-Info attribute in Access-Request, Acct-Start, or Acct-Stop messages. You can control inclusion of the Connect-Info attribute by enabling or disabling this command. See radius include Example host1(config)#radius include connect-info access-request disable Use the no version to restore the default, enable.
  • Page 244: [82] Tunnel-Assignment-Id

    Use the no version to restore the default, enable. [87] NAS-Port-Id Use the following commands to manage and show information for the NAS-Port-Id RADIUS attribute. aaa intf-desc-format include radius include nas-port-id radius override nas-port-id remote-circuit-id
  • Page 245 Use the no version to restore the default NAS-Port-ID value, which is the physical interface of the NAS that is authenticating the user. Related Topics Monitoring Override Settings of RADIUS IETF Attributes on page 297 Monitoring the NAS-Port-ID RADIUS Attribute on page 301
  • Page 246: [90] Tunnel-Client-Auth-Id

    Use the following command to manage the Framed-Interface-Id RADIUS attribute. radius include framed-interface-id radius include framed-interface-id Use to include the Framed-Interface-Id attribute in Access-Request, Acct-Start, or Acct-Stop messages. You can control inclusion of the Framed-Interface-Id attribute by enabling or disabling this command.
  • Page 247: [97] Framed-Ipv6-Prefix

    When the Framed-Ipv6-Route attribute is not returned from the RADIUS server in the Access-Accept message, the immediate accounting, Acct-Stop, or Interim-Acct messages do not report this attribute. See radius include Example
  • Page 248: [100] Framed-Ipv6-Pool

    RADIUS server in the Delegated-Ipv6-Prefix attribute in the immediate accounting, Acct-Stop, or Interim-Acct messages. When the prefix to be delegated to clients is allocated from the IPv6 local address server and the aaa dhcpv6-delegated-prefix delegated-ipv6-prefix command is not
  • Page 249: [188] Ascend-Num-In-Multilink

    When the router functions as an LNS with a terminating PPP, then the LAC tunnel attributes are included. You can control inclusion of all tunnel server attributes by enabling or disabling this command. See radius include
  • Page 250: Juniper Networks Vendor-Specific Attributes

    Use the no version to restore the default, disable. Juniper Networks Vendor-Specific Attributes This section describes the Juniper Networks vendor-specific attributes (VSAs) that you can configure using CLI commands. The attributes are listed numerically and are followed by descriptions about the commands that you can use to manage the attribute.
  • Page 251: [26-11] Egress-Policy-Name

    Use the following command to manage the Service-Category RADIUS attribute. radius ignore atm-service-category radius ignore atm-service-category Use to cause the Service-Category attribute to be ignored in Access-Accept messages. You can control this behavior by enabling or disabling this command. See radius ignore
  • Page 252: [26-15] PCR

    Use the following command to manage the MBS RADIUS attribute. radius ignore atm-mbs radius ignore atm-mbs Use to cause the MBS attribute to be ignored in Access-Accept messages. You can control this behavior by enabling or disabling this command. See radius ignore Example
  • Page 253: [26-24] Pppoe-Description

    Use the following command to manage the Acct-Output-Gigapackets RADIUS attribute. radius include output-gigapkts radius include output-gigapkts Use to include the Acct-Output-Gigapackets attribute in Acct-Stop messages. You can control inclusion of the attribute by enabling or disabling this command. See radius include
  • Page 254: [26-44] Tunnel-Interface-Id

    If the IPv6 virtual router context is configured from the profile, it is reported in the immediate-update message for DHCPv6 prefix delegation. See radius include Example host1(config)#radius include ipv6-virtual-router acct-start enable Use the no version to restore the default, disable.
  • Page 255: [26-46] Ipv6-Local-Interface

    AAA domain map. See radius include Example host1(config)#radius include ipv6-primary-dns acct-start enable Use the no version to restore the default, disable. [26-48] Ipv6-Secondary-DNS Use the following command to manage the Ipv6-Secondary-DNS RADIUS attribute.
  • Page 256: [26-51] Disconnect-Cause

    Use to include the Service-Description attribute in Access-Request, Acct-Start, and Acct-Stop messages. You can control inclusion of the attribute by enabling or disabling this command. See radius include Example
  • Page 257: [26-55] DHCP-Options

    Use to include the DHCP-GI-Address attribute in Access-Request, Acct-Start, and Acct-Stop messages. You can control inclusion of the attribute by enabling or disabling this command. See radius include
  • Page 258: [26-62] Mlppp-Bundle-Name

    Interim-Acct messages when the attribute is enabled for Acct-Stop messages. See radius include Example host1(config)#radius include interface-description acct-start enable Use the no version to restore the default, disable.
  • Page 259: [26-81] L2C-Information

    Use to include the L2C-Down-Stream-Data attribute in Access-Request, Acct-Start, and Acct-Stop messages. You can control inclusion of the L2C-Down-Stream-Data attribute by enabling or disabling this command. Inclusion is disabled by default. Example host1(config)#radius include l2c-downstream-data access-request enable
  • Page 260: [26-129] Ipv6-Ndra-Prefix

    You can control inclusion of the Downstream-Calculated-Qos-Rate attribute by enabling or disabling this command. Inclusion is disabled by default. Example host1(config)#radius include downstream-calculated-qos-rate access-request enable Use the no version to restore the default, disable. See radius include
  • Page 261: [26-142] Upstream-Calculated-Qos-Rate

    You can control this behavior by enabling or disabling this command. Ignoring the Max-Clients-Per-Interface attribute is enabled by default. Example 1—Ignores the Max-Clients-Per-Interface attribute returned by the RADIUS server; this is the default behavior host1(config)#radius ignore pppoe-max-session enable
  • Page 262: [26-150] Icr-Partition-Id

    You can configure ICR partition accounting per virtual router. Example host1(config)#radius icr-partition-accounting enable Use the no version to restore the default, disable. All IPv6 Accounting Attributes Use the following command to manage all IPv6 accounting attributes: radius include ipv6-accounting radius include ipv6-accounting
  • Page 263: DHCP-Option 82

    Acct-Stop messages, the router includes ANCP information in Interim-Acct messages that the router sends to RADIUS. By default, the router does not include the ANCP-related information provided by the Juniper Networks VSAs in RADIUS messages.
  • Page 264: Table 44: ANCP (L2C)-Related Keywords for the radius include Command

    These Juniper Networks ANCP-related VSAs are based on definitions in GSMP extensions for layer2 control (L2C) Topology Discovery and Line Configuration—draft-wadhwa-gsmp-l2control-configuration-00.txt (July 2006 expiration). radius include l2cd-keyword Use to include ANCP-related Juniper Networks VSAs in Access-Request, Acct-Start, and Acct-Stop messages that the router sends to RADIUS.
  • Page 265: DSL Forum Vendor-Specific Attributes

    DSL Forum VSAs in RADIUS messages in order to bill subscribers for different classes of service based on the data rate of their DSL connection. NOTE: JunosE Software also supports several Juniper Networks VSAs that you can use to include DSL-related information. See “ANCP-Related Juniper Networks VSAs” on page 225 and “Juniper Networks VSAs”...
  • Page 266 VSAs in Acct-Stop messages, the router also includes the VSAs in Interim-Acct messages. You can control inclusion of the DSL Forum VSAs in the specified message type by enabling or disabling this command. Inclusion is disabled by default.
  • Page 267: Including or Excluding Attributes in RADIUS Messages

    Use the enable keyword to specify that the RADIUS client ignore the attribute from the RADIUS server or the disable keyword to use the attribute. Examples host1(config)#radius ignore atm-scr enable host1(config)#radius ignore framed-ip-netmask disable Use the no version to restore the default, enable. See radius include
  • Page 268 Related Topics To see the list of attributes that the router uses or ignores, see Monitoring Ignored RADIUS Attributes on page 303
  • Page 269: Configuring RADIUS Dynamic-Request Server

    RADIUS servers to centrally manage user sessions. The RADIUS dynamic-request server enables the router to receive the following types of messages from RADIUS servers: Disconnect messages—Immediately terminate specific user sessions. Change-of-Authorization (CoA) messages—Dynamically modify session authorization attributes, such as data filters.
  • Page 270: RADIUS Dynamic-Request Server Platform Considerations

    See the ERX Module Guide for modules supported on ERX7xx models, ERX14xx models, and the ERX310 Broadband Services Router. See the E120 and E320 Module Guide for modules supported on the E120 and E320 Broadband Services Routers.
  • Page 271: RADIUS Dynamic-Request Server References

    User Datagram Protocol (UDP). The Disconnect-Request message sent by the RADIUS server has the same format as the CoA-Request packet that is sent for a change of authorization operation. The disconnect response is either a Disconnect-ACK or a Disconnect-NAK message:
  • Page 272: Supported Error-Cause Codes (RADIUS Attribute 101)

    If the User-Name (1) attribute is also present in the request, the username and session ID are used to perform the disconnection. Authentication, authorization, and accounting (AAA) services handle the actual request.
  • Page 273: Security/Authentication

    CoA messages are used by the E Series router’s RADIUS-initiated packet mirroring feature, which is described in the Configuring RADIUS-Based Mirroring chapter in JunosE Policy Management Configuration Guide, and by Service Manager, which is described in “Configuring Service Manager” on page 623 of this guide.
  • Page 274: Change-Of-Authorization Messages

    Some other aspect of the request is invalid, such as if one or more attributes (for example, the packet mirroring Mirror Identifier value) are not formatted properly. Session context not found: The session context identified in the request does not exist on the NAS.
  • Page 275: Qualifications For Change Of Authorization

    Accounting-Request in RFC 2866. A key (secret), as specified in RFC 2865, must be configured and used in the calculation of the authenticator. The response authenticator is calculated as specified for an Accounting-Response message in RFC 2866.
  • Page 276: Configuring RADIUS-Initiated Change of Authorization

    RADIUS dynamic-request server and the RADIUS server. If no key is specified, the router drops all requests from the RADIUS server. Example host1(config-radius)#key Secret3Clientkey Use the no version to set the default, no Authenticator. See key
  • Page 277 NOTE: This command and the RADIUS dynamic-request server feature replace the radius disconnect client command, which may be removed completely in a future release. The RADIUS Disconnect Configuration mode is also deprecated. See subscriber disconnect udp-port
  • Page 278: Monitoring RADIUS Dynamic-Request Servers

    To monitor RADIUS dynamic-request servers, see: “Setting the Baseline for RADIUS Dynamic-Request Server Statistics” on page 304 “Monitoring RADIUS Dynamic-Request Server Statistics” on page 304 “Monitoring the Configuration of the RADIUS Dynamic-Request Server” on page 305
  • Page 279: Configuring RADIUS Relay Server

    Dynamic Host Configuration Protocol (DHCP) local or external server. The RADIUS relay server can also use the RADIUS server or the optional Session and Resource Control (SRC) software (formerly the SDX software), to provide the accounting support.
  • Page 280: RADIUS Relay Server Platform Considerations

    EAP-Message (79) attribute. The RADIUS relay server does not process any of the EAP attributes in the RADIUS Access-Request message; the encrypted message is simply passed through the router to the actual RADIUS server. The RADIUS server must be EAP aware.
  • Page 281: Authentication And Addressing

    The VSA indicates the RADIUS relay server’s IP address. For information about using the SRC software with the RADIUS relay server to provide accounting, see “RADIUS Relay Server and the SRC Software” on page 244.
  • Page 282: Terminating The Wireless Subscriber's Connection

    The second domain is created for the connection between the E Series router and the SRC software. If you want to continue to use the SRC software’s user session and problem-tracking features, you should not configure the SRC software to generate RADIUS accounting
  • Page 283: Configuring Radius Relay Server Support

    10.10.15.0       255.255.255.0     secret
    10.10.8.15       255.255.255.255   newsecret
    192.168.25.9     255.255.255.255   mysecret
    192.168.102.5    255.255.255.255   999Y2K
    Udp Port: 1812
    RADIUS Relay Accounting Server Configuration
    --------------------------------------------
    IP Address       IP Mask           Secret
    -------------    ---------------   -------
    10.10.1.0        255.255.255.0     NO8pxq
  • Page 284: Monitoring RADIUS Relay Server

    1850 Use the no version to return to the default, port 1812 for authentication servers or port 1813 for accounting servers. See udp-port Monitoring RADIUS Relay Server To monitor RADIUS relay server, see:
  • Page 285 “Setting the Baseline for RADIUS Dynamic-Request Server Statistics” on page 304 “Monitoring RADIUS Dynamic-Request Server Statistics” on page 304 “Monitoring the Configuration of the RADIUS Dynamic-Request Server” on page 305
  • Page 287: RADIUS Attribute Descriptions

    This chapter lists the RADIUS attributes that are supported by JunosE Software. Table 49 on page 249 describes the supported RADIUS IETF attributes. Table 50 on page 256 describes the supported Juniper Networks vendor-specific attributes (VSAs). Table 51 on page 267 describes the DSL Forum VSA formats supported by JunosE Software. Table 52 on page 268 describes RADIUS attributes that are simply passed to their destination by the router.
  • Page 288 <addr>[/<maskLen>] [<nexthop> [<cost>]] [tag <tagValue>] [distance <distValue>] [24] State An arbitrary value that the router includes in new Access-Request packets from the previous Accept-Challenge Applicable for CLI, telnet, or EAP message exchange
  • Page 289 Unique accounting identifier that makes it easy to match start and stop records in a log file See the radius acct-session-id-format and the radius include acct-session-id access-request commands in “Configuring RADIUS Attributes” on page 163.
  • Page 290 2^32 during the time this service has been provided, and can be present in Accounting-Request records only where the Acct-Status-Type is set to Stop or Interim-Update IP subscriber manager—Statistics are reported PPP—Statistics are counted according to the rules of the generic interface MIB
  • Page 291 Must be used in any Access-Request, Access-Accept, Access-Reject or Access-Challenge messages that include EAP-Message attributes [82] Tunnel-Assignment-Id Indicates to the tunnel initiator the particular tunnel to which a session is to be assigned
  • Page 292 Name used by the tunnel initiator during the authentication phase of tunnel establishment [91] Tunnel-Server-Auth-Id Name used by the tunnel terminator during the authentication phase of tunnel establishment [96] Framed-Interface-Id IPv6 interface identifier configured by the user
  • Page 293: Juniper Networks VSAs

    Juniper Networks VSAs Table 50 on page 256 lists Juniper Networks VSA formats for RADIUS. JunosE Software uses the vendor ID assigned to Juniper Networks (vendor ID 4874) by the Internet Assigned Numbers Authority (IANA).
  • Page 294: Table 50: Juniper Networks (Vendor ID 4874) VSA Formats

    Table 50: Juniper Networks (Vendor ID 4874) VSA Formats. Columns: Attribute Number, Attribute Name, Description, Length, Subtype Length, Value. [26-1] Virtual-Router: Virtual router name for the Broadband Remote Access Server (B-RAS) user’s IP interface; length: sublen; value: string: virtual-router-name.
  • Page 295 Table 50: Juniper Networks (Vendor ID 4874) VSA Formats (continued). Columns: Attribute Number, Attribute Name, Description, Length, Subtype Length, Value. [26-10] Ingress-Policy-Name: Input policy name to apply to B-RAS user’s interface; length: sublen; value: string: input-policy-name. [26-11] Egress-Policy-Name...
  • Page 296 Table 50: Juniper Networks (Vendor ID 4874) VSA Formats (continued). Columns: Attribute Number, Attribute Name, Description, Length, Subtype Length, Value. [26-22] Sa-Validate: Enable or disable source address validation on a user’s interface; length: sublen; value: integer: 0 = disable, ...
  • Page 297 Chapter 6: RADIUS Attribute Descriptions Table 50: Juniper Networks (Vendor ID 4874) VSA Formats (continued) Attribute Subtype Number Attribute Name Description Length Length Value [26-39] Tunnel-Min-Bps Minimum line speed for L2TP dial-out integer [26-40] Tunnel-Max-Bps Maximum line speed for L2TP dial-out...
  • Page 298 JunosE 11.2.x Broadband Access Configuration Guide Table 50: Juniper Networks (Vendor ID 4874) VSA Formats (continued) Attribute Subtype Number Attribute Name Description Length Length Value [26-56] DHCP-MAC-Address Client’s MAC address sublen string:mac-address [26-57] DHCP-GI-Address DHCP relay agent’s IP address integer:4-octet...
  • Page 299 Chapter 6: RADIUS Attribute Descriptions Table 50: Juniper Networks (Vendor ID 4874) VSA Formats (continued) Attribute Subtype Number Attribute Name Description Length Length Value [26-71] IGMP-Access-Name Access List to use for the group (G) filter sublen string:32-octet [26-72] IGMP-Access-Src-Name Access List to use for the source-group...
  • Page 300 JunosE 11.2.x Broadband Access Configuration Guide Table 50: Juniper Networks (Vendor ID 4874) VSA Formats (continued) Attribute Subtype Number Attribute Name Description Length Length Value [26-82] Qos-Parameters Name of the QoS parameter instance to sublen string: format is create on the user’s interface, followed by parameter name the value of the parameter.
  • Page 301 Chapter 6: RADIUS Attribute Descriptions Table 50: Juniper Networks (Vendor ID 4874) VSA Formats (continued) Attribute Subtype Number Attribute Name Description Length Length Value [26-92] L2C-Up-Stream-Data Actual upstream rate access loop sublen string: actual parameter (ASCII encoded) as defined in...
  • Page 302 JunosE 11.2.x Broadband Access Configuration Guide Table 50: Juniper Networks (Vendor ID 4874) VSA Formats (continued) Attribute Subtype Number Attribute Name Description Length Length Value [26-111] Acc-Aggr-Cir-Id-Bin Unique identification of the DSL line sublen integer: 8-octet [26-112] Acc-Aggr-Cir-Id-Asc Identification of the uplink on the access...
  • Page 303 Chapter 6: RADIUS Attribute Descriptions Table 50: Juniper Networks (Vendor ID 4874) VSA Formats (continued) Attribute Subtype Number Attribute Name Description Length Length Value [26-126] Act-Interlv-Delay-Dn Subscriber’s actual one-way downstream integer: 4-octet interleaving delay [26-127] DSL-Line-State State of the DSL line...
  • Page 304 JunosE 11.2.x Broadband Access Configuration Guide Table 50: Juniper Networks (Vendor ID 4874) VSA Formats (continued) Attribute Subtype Number Attribute Name Description Length Length Value [26-147] Backup-Address-Pool Name of the backup local address pool that sublen string: can be used to assign addresses to users...
  • Page 305: Dsl Forum Vsas

    [26-138] Minimum-Data-Rate-Downstream-Low-Power Minimum downstream data rate in low power state configured for the subscriber (integer: 4-octet) [26-139] Maximum-Interleaving-Delay-Upstream Maximum one-way upstream interleaving delay configured for the subscriber (integer: 4-octet)
  • Page 306: Pass Through Radius Attributes

    RFC 2865—Remote Authentication Dial In User Service (RADIUS) (June 2000); RFC 2866—RADIUS Accounting (June 2000); RFC 2867—RADIUS Accounting Modifications for Tunnel Protocol Support (June 2000); RFC 2868—RADIUS Attributes for Tunnel Protocol Support (June 2000); RFC 2869—RADIUS Extensions (June 2000)
  • Page 307 NOTE: IETF drafts are valid for only 6 months from the date of issuance. They must be considered as works in progress. Please refer to the IETF Web site at http://www.ietf.org for the latest drafts.
  • Page 309: Application Terminate Reasons

    Application terminate reason and the RADIUS Acct-Terminate-Cause description it maps to: deny address allocation failure maps to user error; deny address assignment failure maps to user error; deny application error maps to user error; deny authentication denied maps to user error; deny authentication failure maps to user error; deny authorization failure maps to user error
  • Page 310: L2Tp Terminate Reasons

    L2TP terminate reasons and the RADIUS Acct-Terminate-Cause attributes they are mapped to by default. Table 54: Default L2TP Mappings (L2TP Terminate Reason and the RADIUS Acct-Terminate-Cause it maps to): session access interface down maps to port error; session admin close maps to admin reset
  • Page 326: Ppp Terminate Reasons

    PPP Terminate Reasons Table 55 on page 289 lists the default PPP terminate mappings. The table indicates the supported PPP terminate reasons and the RADIUS Acct-Terminate-Cause attributes they are mapped to by default.
  • Page 327: Table 55: Default Ppp Mappings

  • Page 333: Radius Client Terminate Reasons

    RADIUS client terminate reasons and the RADIUS Acct-Terminate-Cause attributes they are mapped to by default. Table 56: Default RADIUS Client Mappings (RADIUS Client Terminate Reason and the RADIUS Acct-Terminate-Cause it maps to): no-acct-server maps to nas request; system-reboot maps to nas request; virtual-router-deletion maps to nas request
  • Page 335: Monitoring Radius

    Monitoring the Status of ICR Partition Accounting on page 309 Monitoring Override Settings of RADIUS IETF Attributes Purpose Display the current override setting for RADIUS IETF attributes. You can monitor the NAS-IP-Address [4], NAS-Port-Id [87], Calling-Station-Id [31], and NAS-Identifier [32] attributes.
  • Page 336: Monitoring The Nas-Port-Format Radius Attribute

    To display information about the NAS-Port attribute on an ATM interface on an E320 Broadband Services Router: host1#show radius nas-port-format extended atm extended atm field-width slot 5 adapter 0 port 4 vpi 4 vci 12 To display the status of NAS-Port attribute settings for PPPoE interfaces:
  • Page 337: Monitoring The Calling-Station-Id Radius Attribute

    The default format is agent-circuit-ID. If the PPPoE remote circuit ID value is configured to include any or all of the agent-circuit-id, agent-remote-id, and nas-identifier components, the display lists the components included and the order in which they appear.
  • Page 338: Monitoring The Delimiter Character In The Remote-Circuit-Id For Radius

    To display the DSL port type for NAS-Port-Type attribute for ATM users: host1#show radius dsl-port-type xdsl To display the NAS-Port-Type attribute for Ethernet interfaces: host1#show radius ethernet-port-type virtual Related Topics show radius dsl-port-type show radius ethernet-port-type
  • Page 339: Monitoring The Connect-Info Radius Attribute

  • Page 341: Monitoring Ignored Radius Attributes

    (vsa) accepted from RADIUS server attribute egress-policy-name (vsa) accepted from RADIUS server attribute ingress-policy-name (vsa) accepted from RADIUS server attribute virtual-router (vsa) accepted from RADIUS server attribute pppoe-max-session (vsa) ignored from RADIUS server Related Topics show radius attributes-ignored
  • Page 342: Setting The Baseline For Radius Dynamic-Request Server Statistics

    Table 59: show radius dynamic-request statistics Output Fields Field Name Field Description Udp Port Port on which the router listens for RADIUS server Disconnect or CoA Requests RADIUS-initiated disconnect or CoA requests received
  • Page 343: Monitoring The Configuration Of The Radius Dynamic-Request Server

    Port Disconnect Authorization Secret ------------- ---- ---------- ------------- ------ 192.168.2.3 1700 disabled disabled <NULL> 10.10.120.104 1700 disabled disabled mysecret Meaning Table 60 on page 306 lists the show radius dynamic-request servers command output fields.
  • Page 344: Setting A Baseline For Radius Relay Statistics

    RADIUS Relay Authentication Server Statistics --------------------------------------------- Statistic Total ------------------ ----- Access Requests 1000 Access Accepts 1000 Access Challenges Access Rejects Pending Requests Duplicate Requests Malformed Requests Bad Authenticators Unknown Requests
  • Page 345: Table 61: Show Radius Relay Statistics Output Fields

    RADIUS relay server and the WAP does not match Unknown Requests Packets received from nonconfigured clients Dropped Packets Packets dropped because of queue overflow Invalid Requests Number of invalid requests received
  • Page 346: Monitoring The Configuration Of The Radius Relay Server

    Mask of the RADIUS relay server Secret Secret used for exchanges between the RADIUS relay server and client Udp Port Router’s port on which the RADIUS relay server listens Related Topics show radius relay servers
  • Page 347: Monitoring The Status Of Radius Relay Udp Checksums

    Display the status of ICR partition accounting. Action To display the status of ICR partition accounting: host1#show radius icr-partition-accounting enabled Meaning ICR partition accounting status is either enabled or disabled. Related Topics show radius icr-partition-accounting
  • Page 349: Configuring Tacacs

    TACACS+ provides security by encrypting all traffic between the NAS and the process. Encryption relies on a secret key that is known to both the client and the TACACS+ process. Table 64 on page 312 describes terms that are frequently used in this chapter.
  • Page 350: Aaa Overview

    TACACS+ sets up a TCP connection to the TACACS+ host and sends a Start packet. The TACACS+ host responds with a Reply packet, which either grants or denies access, reports an error, or challenges the user.
  • Page 351: Privilege Authentication

    TACACS+ accounting is disabled. Default method list—Configuration used by consoles and lines when no named method list is assigned. You enable TACACS+ accounting by defining default accounting method lists for each service type.
  • Page 352: Table 65: Tacacs+ Accounting Information

    Name of user running the Exec session or CLI command port Packet body NAS port used by the Exec session or CLI command rem-addr Packet body User’s remote location; either an IP address or the caller service User’s primary service: Shell
  • Page 353: Tacacs+ Platform Considerations

    Please refer to the IETF Web site at http://www.ietf.org for the latest drafts. Before You Configure TACACS+ Before you begin to configure TACACS+, you must determine the following for the TACACS+ authentication and accounting servers: IP addresses TCP port numbers Secret keys
  • Page 354: Configuring Tacacs+ Support

    Apply an authentication list to the vty lines you specified on your router. host1(config-line)#login authentication tac Configuring Accounting Once TACACS+ support is enabled on the router, you can configure TACACS+ accounting. Perform the following steps:
  • Page 355 Specify stop-only to send a stop accounting notice at the end of a process and tacacs+ as the accounting protocol. Example host1(config)#aaa accounting commands 12 listX stop-only tacacs+ Use the no version to delete the accounting method list. See aaa accounting commands aaa accounting exec
  • Page 356 If the authentication method list is empty, the local enable password is used. Example host1(config)#aaa authentication enable default tacacs+ radius Use the no version to empty the list. See aaa authentication enable default aaa authentication login
  • Page 357 If you specify AAA new model and you do not create an authentication list, users will not be able to access the router through a vty line. Example host1(config)#aaa new-model Use the no version to restore simple authentication (login and password). See aaa new-model accounting
  • Page 358 Use to add or delete a host to or from the list of TACACS+ servers. You can optionally specify a nondefault port number, a host-specific key, a single connection and a timeout interval. Use the primary keyword to assign the host as the primary host.
  • Page 359 TACACS+ servers that do not have a server-specific timeout set up by tacacs-server host command. The timeout interval is between 1 and 300. The default is 5 seconds. Example
  • Page 360 host1(config)#tacacs-server timeout 15 Use the no version to reset the timeout to the default. See tacacs-server timeout
  • Page 361: Monitoring Tacacs

    To display TACACS+ statistics: host1#show statistics tacacs TACACSPLUS Statistics --------------------- Statistic 10.5.0.174 10.5.1.199 --------------- ---------- ---------- Search Order TCP Port 3049 4049 Auth Requests Auth Replies Auth Pending Auth Timeouts Author Requests 6399 Author Replies 6301
  • Page 362: Table 66: Show Statistics Tacacs Output Fields

    Number of accounting replies received from the host Acct Pending Number of expected but not received accounting replies from the host Acct Timeouts Number of accounting timeouts for the host Related Topics show statistics tacacs
  • Page 363: Monitoring Tacacs+ Information

    This IP address’s primary host; options: y = yes, n = Authentication and encryption key for this IP address Search Order The order in which requests are sent to hosts until a response is received
  • Page 365: Managing L2Tp

    Configuring an L2TP LAC on page 337 Configuring an L2TP LNS on page 367 Configuring L2TP Dial-Out on page 401 L2TP Disconnect Cause Codes on page 413 Monitoring L2TP and L2TP Dial-Out on page 417
  • Page 367: L2Tp Overview

    Layer 2 Tunneling Protocol (L2TP) is a client-server protocol that allows Point-to-Point Protocol (PPP) to be tunneled across a network. This chapter includes the following topics that provide information for configuring L2TP on the Juniper Networks E Series Broadband Services Routers.
  • Page 368: L2Tp Terminology

    L2TP network server (LNS)—a node that acts as one side of an L2TP tunnel endpoint and is a peer to the LAC. An LNS is the logical termination point of a PPP connection that is being tunneled from the remote system by the LAC.
  • Page 369: Implementing L2Tp

    The client initiates a PPP connection with the router. The router and the client exchange Link Control Protocol (LCP) packets. For details about negotiating PPP connections, see the Configuring Point-to-Point Protocol chapter in JunosE Link Layer Configuration Guide.
  • Page 370: Sequence Of Events On The Lns

    The E Series PPP processes the proxy authentication data, if it is present, and passes the data to AAA for verification. (If the data is not present, E Series PPP requests the data from the remote system.) The router passes the authentication results to the remote system.
  • Page 371: Packet Fragmentation

    For information about modules that support LNS and LAC on the ERX7xx models, ERX14xx models, and the ERX310 Broadband Services Router: See ERX Module Guide, Table 1, ERX Module Combinations for detailed module specifications.
  • Page 372: L2Tp Module Requirements

    ES2 4G LM and the ES2 require the ES2-S1 Service IOA to condition it to receive and transmit data to other line modules. The ES2-S1 Service IOA also does not have ingress or egress ports.
  • Page 373: Sessions And Tunnels Supported

    The reported license limit is 60,000. The show license l2tp-session command also still appears in the CLI. To obtain the maximum number of ingress and egress policy attachments supported for L2TP sessions, see JunosE Release Notes, Appendix A, System Maximums.
  • Page 374: L2Tp References

    For information about how to secure Layer 2 Tunneling Protocol (L2TP) tunnels with IP Security (IPSec) on your E Series router, see the Securing L2TP and IP Tunnels with IPSec chapter in JunosE IP Services Configuration Guide.
  • Page 375: Configuring An L2Tp Lac

    Managing Address Changes Received from Remote Endpoints on page 361 Configuring LAC Tunnel Selection Parameters on page 362 LAC Configuration Prerequisites Before you begin configuring the router as a LAC, perform the following steps: Create a virtual router. host1(config)#virtual-router west
  • Page 376 NOTE: The previous two operations also apply to an LNS; however, there is no default configuration that enables the LNS. When the router is established as an LAC or LNS and is creating destinations, tunnels, and sessions, you can manage them as follows:
  • Page 377: Generating Udp Checksums In Packets To L2Tp Peers

    The router uses a timeout of 600 seconds by default. This command facilitates debugging and other analysis by saving underlying memory structures after the destination, tunnel, or session is terminated.
  • Page 378: Preventing Creation Of New Destinations, Tunnels, And Sessions

    You use the l2tp drain destination command to prevent the creation of new tunnels and sessions at a specific destination. The l2tp drain destination command and the l2tp shutdown destination command both affect the administrative state of L2TP for the destination. Although each command
  • Page 379: Preventing Creation Of New Sessions For A Tunnel

    The l2tp shutdown command and the l2tp drain command both affect the administrative state of L2TP on the router. Although each command has a different effect, the no version
  • Page 380: Closing Existing And Preventing New Tunnels And Sessions For A

    If you do not include a keyword, the router applies the retry count to both established and nonestablished tunnels.
  • Page 381: Configuring Calling Number Avp Formats

    AVP to use a fixed format of up to 15 characters consisting of all ASCII fields, as follows (the maximum number of characters for each field is shown in brackets):
  • Page 382 0. Slot numbers 0 through 16 are shown as ASCII characters in the 1-byte slot field according to the following translation (table columns: Slot Number, ASCII Character):
  • Page 383 ATM interface on system name eastern, slot 14, adapter 1, port 2, VCI 3, and VPI 4, the virtual router displays the format in ASCII as ‘14’ ‘1’ ‘02’ ‘003’ ‘00004’.
  • Page 384 Ethernet interface on system name western, slot 4, adapter 1, port 3, S-VLAN ID 8, and VLAN ID 12, the virtual router displays the format in ASCII as ‘west’ ‘04’ ‘1’ ‘03’ ‘0008’ ‘0012’.
  • Page 385: Calling Number Avp 22 Configuration Tasks

    Calling Number Format and its Fallback Trigger: agent-circuit-id, when agent-circuit-id is empty; agent-circuit-id include-agent-remote-id, when both agent-circuit-id and agent-remote-id are empty; agent-remote-id, when agent-remote-id is empty; descriptive include-agent-circuit-id, when agent-circuit-id is empty; descriptive include-agent-circuit-id include-agent-remote-id, when both agent-circuit-id and agent-remote-id are empty.
  • Page 386 (up to 4 bytes) slot (1 byte) adapter (1 byte) port (1 byte) VLAN (8 bytes) Fallback format for serial interfaces: systemName (up to 4 bytes) slot (1 byte) adapter (1 byte) port (1 byte) 0 (8 bytes)
  • Page 387 (up to 4 bytes) slot (2 bytes) adapter (1 byte) port (2 bytes) VPI (3 bytes) VCI (5 bytes) Fallback format for Ethernet interfaces: systemName (up to 4 bytes) slot (2 bytes) adapter (1 byte) port (2 bytes) VLAN (8 bytes)
  • Page 388 For example, when you configure this fallback format on an E320 router for an Ethernet interface on system name western, slot 4, adapter 1, port 3, S-VLAN ID 8,
  • Page 389: Disabling The Calling Number Avp

    For information about setting up RADIUS to provide this mapping, see “Configuring Remote Access” on page 3. For a given domain map, you can choose one of two methods to map the domain to an L2TP tunnel locally on the router:
  • Page 390: Mode

    (Optional) Assign a tunnel group to the domain map. You can assign a tunnel group only when no tunnels are currently defined for the domain map from AAA Domain Map Tunnel mode. host1(config-domain-map)#tunnel group storm Specify a preference for the tunnel.
  • Page 391 This occurs only when both the destination (virtual router, IP address) and the ID are the same. Specify the L2TP tunnel type (RADIUS attribute 64, Tunnel-Type). Currently, the only supported value is L2TP.
  • Page 392 (Optional) Disable the generation of authentication challenges by the local tunnel, so that the tunnel does not send a challenge during negotiation. However, the tunnel does accept and respond to challenges it receives from the peer.
  • Page 394: Mode

    The hostname can be up to 64 characters (no spaces). host1(config-tunnel-group-tunnel)#client-name host4. NOTE: If the LNS does not accept tunnels from unknown hosts, and if no hostname is specified, the LAC uses the router name as the hostname.
  • Page 395 Tunnel password is 3&92k%b#q4 Tunnel client-name is <NULL> Tunnel nas-port-method is none Tunnel nas-port ignore disabled Tunnel nas-port-type ignore disabled tunnel assignmentId format is assignmentId aaa tunnel calling number format is descriptive
  • Page 396: Configuring The Rx Speed On The Lac

    Specify that the RX Speed AVP is always generated. If you do not specify this command, the RX Speed AVP is generated only when the RX speed differs from the TX speed. host1(config)#l2tp rx-connect-speed-when-equal Related Topics atm atm1483 advisory-rx-speed l2tp rx-connect-speed-when-equal command
  • Page 397: Managing The L2Tp Destination Lockout Process

    Figure 9 on page 360 shows how locked-out destinations transition from a locked-out state to available status when using the default lockout configuration, a configuration
  • Page 398: Verifying That A Locked-Out Destination Is Available

    (in seconds) between when an L2TP destination is found to be unavailable and when it is eligible for unlocking. When the timeout period expires, L2TP either begins the lockout test procedure (if configured to do so) or immediately returns the destination to available state.
  • Page 399: Unlocking A Destination That Is Currently Locked Out

    A remote endpoint can use the Start-Control-Connection-Reply (SCCRP) packets that it sends to the E Series LAC to change the address that the LAC uses to communicate with the endpoint. By default, the LAC accepts the change and uses the new address to
  • Page 400: Configuring Lac Tunnel Selection Parameters

    Up to 31 destinations for a single preference level. For information about setting up destinations and preference levels for a domain, see “Mapping a User Domain Name to an L2TP Tunnel Overview” on page 351.
  • Page 401: Configuring The Failover Between Preference Levels Method

    B, as well as destination A, and attempts to connect to destination C, the only destination available with preference 2. The router has had an opportunity to connect to every destination available for the domain.
  • Page 402: Configuring The Failover Within A Preference Level Method

    This process is consistent, regardless of which fail-over scheme is currently running on the router. A tunnel without a configured maximum sessions value has no upper limit on the number of sessions it can support.
  • Page 403: Configuring The Weighted Load Balancing Method

    The router uses a round-robin tunnel selection method by default. To configure the router to base tunnel selection within a preference level on the maximum sessions per tunnel: host1(config)#l2tp weighted-load-balancing
  • Page 405: Configuring An L2Tp Lns

    Configuring the Transmit Connect Speed Calculation Method on page 391 PPP Accounting Statistics on page 398 LNS Configuration Prerequisites Before you begin configuring the router as an LNS, perform the following steps: Create a virtual router.
  • Page 406: Configuring An Lns

    See virtual-router for additional information about the tunnel-server command and shared tunnel-server ports. To configure an LNS, perform the following steps:
  • Page 407 For example, the MLPPP interface is created if the LAC does not send the initial received or last received LCP configuration request. If full LCP proxy data is available, this command is ignored. host1:boston(config-l2tp-dest-profile-host)#default-upper-type mlppp
  • Page 408: Creating An L2Tp Destination Profile

    You use the l2tp destination profile command to create the destination profile that defines the location of the LAC, and to access L2TP Destination Profile Configuration mode. If no virtual router is specified with the command, the current virtual router context is used.
  • Page 409: Creating An L2Tp Host Profile

    Use the no version to remove the L2TP host profile. NOTE: If you modify any attributes of a host profile, all tunnels and sessions using that profile will be dropped. Related Topics Creating an L2TP Destination Profile on page 370 l2tp destination profile
  • Page 410: Configuring The Maximum Number Of Lns Sessions

    [ /rx-speed ] The TX speed is always included in the attribute when the speed is not zero; however, inclusion of the RX speed depends on the keyword you use with the command.
  • Page 411: Overriding Lns Out-Of-Resource Result Codes 4 And 5

    Displaying the Current Override Setting You can view the current override setting for the LNS result codes in the L2TP destination profile. To display the current override setting: ERX(config)#show l2tp destination profile boston L2TP destination profile boston
  • Page 412: Selecting Service Modules For Lns Sessions Using Mlppp

    L2TP session. This can happen even when other service modules installed in the router have available space. For more information about endpoint discriminators, see the Configuring Multilink PPP chapter in JunosE Link Layer Configuration Guide.
  • Page 413: Assigning Bundled Group Identifiers

    SM when a PPP client incorrectly specifies different endpoint discriminators for links in the same bundle. To configure the router to ignore the value of all endpoint discriminators: host1:boston(config-l2tp-dest-profile-host)#bundled-group-id-overrides-mlppp-ed
  • Page 414: Enabling Tunnel Switching

    This command supports tunnel initiation: incoming calls on the LAC; outgoing calls on the LNS. The command does not support tunnel respondent: outgoing calls on the LAC; incoming calls on the LNS. To test a tunnel configuration:
  • Page 415: Managing L2Tp Destinations, Tunnels, And Sessions

    LAC does send the AVP to an E Series LNS, the LNS discards the AVP. 1. Generating the Disconnect Cause AVP Globally on page 378 2. Generating the Disconnect Cause AVP with a Host Profile on page 378
  • Page 416: Generating The Disconnect Cause Avp Globally

    At the LAC, this accounting reports remotely generated disconnect cause information received from the LNS. At the LNS, the accounting reports locally generated disconnect cause information. To enable disconnect cause accounting: host1(config)#radius include l2tp-ppp-disconnect-cause acct-stop enable
  • Page 417: Displaying Disconnect Cause Statistics

    The only supported value is 4. To configure the default RWS setting: From Global Configuration mode, set the L2TP default RWS. The only value supported for the default RWS is 4. host1(config)#l2tp tunnel default-receive-window 4
  • Page 418: Configuring The Receive Window Size On The Lac

    From Domain Map Tunnel Configuration mode, set the tunnel RWS. The only value supported for the tunnel RWS is 4, and it must be the same for all users of the same tunnel. host1(config-domain-map-tunnel)#receive-window 4
  • Page 419: Configuring The Receive Window Size On The Lns

    (Optional) Use the show l2tp destination profile command to verify the RWS configuration. host1:fms02#show l2tp destination profile fms02 L2TP destination profile fms02 Destination address Transport ipUdp Virtual router fms02 Peer address 192.168.5.61 Host profile attributes
  • Page 420: Configuring Peer Resynchronization

    NOTE: L2TP silent failover is not supported on E3 ATM and CT1 line modules in peer-facing configurations.
  • Page 421: Configuring Peer Resynchronization For L2Tp Host Profiles And Aaa Domain

    Use the show l2tp destination profile command to display a host profile’s peer resynchronization configuration and the show aaa domain-map command to display a domain map’s configuration. To configure peer resynchronization for an L2TP host profile: host1(config)#l2tp destination profile lac-dest ip address 192.168.20.2 host1(config-l2tp-dest-profile)#remote host lac-host
  • Page 422: Configuring The Global L2Tp Peer Resynchronization Method

    To restore the global default setting, which uses the failover-protocol-fallback-to-silent-failover method: host1(config)#default l2tp failover-resync To disable peer resynchronization, use the no version of the command—this is the same as using the disable keyword: host1(config)#no l2tp failover-resync
  • Page 423: Using Radius To Configure Peer Resynchronization

    If none of these methods are used, you can apply the L2TP tunnel switch profile as an AAA default tunnel parameter. The default tunnel switch profile has lower precedence than the other methods for applying the tunnel switch profile.
  • Page 424: Configuration Guidelines

    AVP of this type when packets are switched between the inbound LNS session and the outbound LAC session. Configuration Tasks To configure and use an L2TP tunnel switch profile in an L2TP tunnel-switched network:
  • Page 425: Enabling Tunnel Switching On The Router

    You can use any of the following keywords to specify the AVPs for the router to relay: bearer-type—L2TP Bearer Type AVP 18; by default, the router regenerates this AVP at the outbound LAC session, based on the local policy in effect
  • Page 426: Applying L2Tp Tunnel Switch Profiles By Using Aaa Domain Maps

    (Optional) Use the show aaa domain-map command to verify application of the tunnel switch profile. host1(config-domain-map-tunnel)#run show aaa domain-map Domain: westford.com; router-name: default; ipv6-router-name: default Tunnel Tunnel Tunnel Tunnel Tunnel Tunnel Tunnel Tunnel Client Peer Source Type Medium Password Name
  • Page 427: Applying L2Tp Tunnel Switch Profiles By Using Aaa Tunnel Groups

    The default L2TP tunnel switch profile applies to a specific virtual router. You can apply a different default tunnel switch profile to each virtual router configured.
  • Page 428: Applying L2Tp Tunnel Switch Profiles By Using Radius

    Applying L2TP Tunnel Switch Profiles by Using AAA Tunnel Groups on page 389 Applying Default L2TP Tunnel Switch Profiles on page 389 Applying L2TP Tunnel Switch Profiles by Using RADIUS on page 390 aaa tunnel switch-profile l2tp switch-profile l2tp tunnel-switching
  • Page 429: Configuring The Transmit Connect Speed Calculation Method

    Tunnel Parameters to Configure the Transmit Connect Speed Calculation Method” on page 396. RADIUS Include the Tunnel-Tx-Speed-Method RADIUS attribute (Juniper Networks VSA 26-94) in RADIUS Access-Accept messages. For instructions, see “Using AAA Default Tunnel Parameters to Configure the Transmit Connect Speed Calculation Method”...
  • Page 430: Static Layer 2

    For those logical interfaces that do not have a QoS-configured rate, QoS reports the speed of the underlying physical port as the transmit connect speed.
  • Page 431: Actual

    RADIUS. 5 Mbps L2TP reports the transmit connect speed calculated by QoS. Actual 5 Mbps L2TP reports the lesser of the dynamic layer 2 speed (10 Mbps) or the QoS speed (5 Mbps).
  • Page 432: Example 2: L2Tp Session Over Ethernet Vlan Interface

    Advisory Speed Precedence for VLANs over Bridged Ethernet For interface columns that consist of an L2TP session over an Ethernet VLAN subinterface over a bridged Ethernet interface, the advisory transmit speed of the VLAN subinterface,
  • Page 433: Using Aaa Domain Maps To Configure The Transmit Connect Speed Calculation Method

    Using AAA Tunnel Groups to Configure the Transmit Connect Speed Calculation Method To configure the transmit connect speed calculation method for a tunneled L2TP session associated with an AAA tunnel group: Access Tunnel Group Tunnel Configuration mode. host1(config)#aaa tunnel-group boston host1(config-tunnel-group)#tunnel 3 host1(config-tunnel-group-tunnel)#
  • Page 434: Using Aaa Default Tunnel Parameters To Configure The Transmit Connect Speed Calculation Method

    To configure the transmit connect speed calculation method for all tunneled L2TP sessions associated with a particular virtual router: Create the virtual router for which you want to configure the transmit connect speed calculation method. host1(config)#virtual-router north
  • Page 435: Method

    To use RADIUS to configure the transmit connect speed calculation method for a subscriber’s access interface, you can configure RADIUS to include the Tunnel-Tx-Speed-Method RADIUS attribute (Juniper Networks VSA 26-94) in RADIUS Access-Accept messages. Table 72 on page 398 describes the Tunnel-Tx-Speed-Method RADIUS attribute. For more information about RADIUS Access-Accept messages, see “Configuring RADIUS Attributes”...
  • Page 436: Ppp Accounting Statistics

    CHAP success packets, and PAP acknowledgment packets. Accounting ends when L2TP has been notified to terminate the session. The statistics are reported in the following RADIUS attributes: Attribute Number Attribute Name Acct-Input-Octets Acct-Output-Octets Acct-Input-Packets Acct-Output-Packets
  • Page 437 L2TP session. These statistics exclude L2TP control traffic and L2TP hello messages. For information on accounting statistics for terminated PPP sessions, see the PPP Accounting Statistics section in JunosE Link Layer Configuration Guide.
  • Page 439: Configuring L2Tp Dial-Out

    Figure 10 on page 402 shows the dial-out model in which the LNS initiates L2TP sessions and provides enough information to the narrowband LAC so that it can complete the dial-out from the home site to the remote site.
  • Page 440: Terms

    The route includes a dial-out target (the virtual router context and the IP address of the remote site). When the router receives a packet destined for the target, it triggers a dial-out session to the target. The route is associated with a
  • Page 441: Dial-Out Process

    IP flow. The dial-out state machine has four levels of control: the router chassis, virtual router, targets, and sessions. This section describes the operational states of each of these levels. Chassis Table 74 on page 404 describes the operational states of the chassis.
  • Page 442: Virtual Router

    Note that sessions within a down target that are already in the process of connecting or are in the inService state are not affected by this condition. Sessions Table 77 on page 405 describes operational states of the sessions.
  • Page 443: Table 77: Session Operational States

    Receipt of a new trigger packet transitions the session to the authenticating state. If the dormant timer expires, the session is deleted. The dormant state exists to allow analysis of a dial-out session before it is deleted.
  • Page 444: Outgoing Call Setup Details

    The router expects RADIUS attributes that define a tunnel to be returned with the additions in Table 78 on page 407. If tunnel attributes are excluded from the Access-Accept message or the returned Service-Type attribute is not set to outbound, the dial-out session is denied.
  • Page 445: Outgoing Call

    Both the L2TP session and the PPP interface exist on a Service module, identical to the LNS operation for incoming calls. Once the PPP interface is created, Link Control Protocol (LCP) and IPCP are negotiated.
  • Page 446: Mutual Authentication

    Create a profile that the router uses to create the dynamic PPP and IP interfaces on the LNS. The profile specifies parameters that are common to all dial-out sessions that use the profile. The following is an example of a typical profile configuration. Create a profile. host1(config)#profile dialOut host1(config-profile)#
  • Page 447: Configuring L2Tp Dial-Out

    If the session fails to be established before the connecting timer expires, subsequent attempts to establish the dial-out session to the same destination are inhibited temporarily. The range is 30–3600 seconds. Example host1(config)#l2tp dial-out connecting-timer-value 30
  • Page 448 Use to force the dial-out session to the dormant state where it remains until the dormant timer expires or it receives a new trigger. Closes any L2TP outgoing call associated with the dial-out session. Example
  • Page 449: Monitoring L2Tp Dial-Out

    “Monitoring Chassis-wide Configuration for L2TP Dial-out” on page 437 “Monitoring Status of Dial-out Sessions” on page 442 “Monitoring Dial-out Targets within the Current VR Context” on page 443 “Monitoring Operational Status within the Current VR Context” on page 444
  • Page 451: L2Tp Disconnect Cause Codes

    Authentication failures not covered by any of the authentication-related codes (codes 13-16), such as: Authentication denial of the local LCP by the peer Local authentication failure due to no resources Local authentication failure due to no authenticator
  • Page 452 MLPPP bundling supported for MLPPP/L2TP uses the endpoint discriminator as part of the key for bundle selection. Therefore, there will never be an unexpected endpoint discriminator mismatch for an existing MLPPP bundle.
  • Page 453 LCP fails (that is, the authenticator received a PAP NAK or CHAP Failure packet). Note that there are a variety of causes for authentication failures, including bad credentials (bad name, password or secret) and resource problems.
  • Page 454 NCP because the required network-layer parameters were not available as a result of the authentication stage. Code 20 with direction 1 is never generated; the NCPs are never enabled if there is no non-null local address.
  • Page 455: Monitoring L2Tp And L2Tp Dial-Out

    Monitoring Operational Status within the Current VR Context on page 444 Monitoring the Mapping for User Domains and Virtual Routers with AAA Purpose Display the mapping between user domains and virtual routers. Action To display the mapping between user domains and virtual routers:
  • Page 456: Table 80: Show Aaa Domain-Map Output Fields

    Single password used for all users from a domain in place of the values received from the remote client Tunnel Tag Tag that identifies the tunnel
  • Page 457: Monitoring Configured Tunnel Groups With Aaa

    Related Topics show aaa domain-map Monitoring Configured Tunnel Groups with AAA Purpose Display the currently configured tunnel groups. Action To display information about currently configured tunnel groups:
  • Page 458: Table 81: Show Aaa Tunnel-Group Output Fields

    Single password used for all users from a domain in place of the values received from the remote client Tunnel Tag Tag that identifies the tunnel
  • Page 459 The information displayed is almost identical to the tunnel information displayed using the show aaa domain-map command. See Monitoring the Mapping for User Domains and Virtual Routers with AAA on page 417.
  • Page 460: Monitoring Configuration Of Tunnel Parameters With Aaa

    Format configured for L2TP Calling Number AVP 22 generated by the LAC Tunnel calling number format Fallback format configured for L2TP Calling Number fallback AVP 22 generated by the LAC Related Topics show aaa tunnel-parameters
  • Page 461: Monitoring Global Configuration Status On E Series Routers

    Data packet checksums Status of checking data integrity via UDP; enabled or disabled Receive data sequencing Whether the router processes or ignores sequence numbers in incoming data packets
  • Page 462 Status of the L2TP destination lockout test, enabled or disabled Failover resync Global L2TP peer resynchronization configuration Sub-interfaces Sub-interface information about L2TP total Number of destinations, tunnels, and sessions that the router created active Number of operational destinations, tunnels, and sessions
  • Page 463: Monitoring Detailed Configuration Information For Specified Destinations

    Data tx 68383456 68383456 Meaning Table 84 on page 425 lists the show l2tp destination command output fields. Table 84: show l2tp destination Output Fields Field Name Field Description Configuration Configured status of the destination
  • Page 464 Number of requests that did not reach an operational state for this destination auth-errors Number of requests that failed because the tunnel password was invalid for this destination Statistics Information about the traffic sent and received Related Topics show l2tp destination
  • Page 465: Monitoring Locked Out Destinations

    L2TP destination profile westford Configuration Destination address Transport ipUdp Virtual router lns Peer address 192.168.1.99 Destination profile maximum sessions is 5000 Statistics
  • Page 466: Table 86: Show L2Tp Destination Profile Output Fields

    Table 86: show l2tp destination profile Output Fields Field Name Field Description Destination profile attributes Destination profile attributes of L2TP destination Transport Method used to transfer traffic Virtual Router Method used to transfer traffic Peer address IP address of the LAC
  • Page 467: Monitoring Configured And Operational Status Of All Destinations

    Number of current sessions for the host profile Related Topics show l2tp destination profile Monitoring Configured and Operational Status of all Destinations Purpose Display summary of the configured and operational status of all L2TP destinations.
  • Page 468: Monitoring Statistics On The Cause Of A Session Disconnection

    (0) admin disconnect (1) renegotiation disabled (2) normal disconnect (3) compulsory encryption refused (4) lcp failed to converge (5) lcp peer silent (6) lcp magic number error (7) lcp keepalive failure (8)
  • Page 469: Monitoring Detailed Configuration Information About Specified Sessions

    Local session id is 25959, peer session id is 2 Statistics packets octets discards errors Data rx Data tx Session operational configuration User name is 't1.s1@local' Tunneling PPP interface atm 0/0.1 Call type is lacIncoming Call serial number is 0
  • Page 470: Monitoring Configured And Operational Summary Status

    Display a summary of the configured and operational status of all L2TP sessions. Action To display a summary of the configured and operational status of all L2TP sessions: host1#show l2tp session summary Administrative status enabled disabled
  • Page 471: Monitoring Configured Switch Profiles On Router

    Field Description L2TP tunnel switch profile Name of the L2TP tunnel switch profile AVP actionType action is Indicates the tunnel switching behavior or action type (for example, relay) configured for the specified L2TP AVP type
  • Page 472: Monitoring Detailed Configuration Information About Specified Tunnels

    Peer protocol version is 1.1 Peer firmware revision is 0x1120 Peer bearer capabilities are digital and analog Peer framing capabilities are sync and async Meaning Table 92 on page 435 lists the show l2tp tunnel command output fields.
  • Page 473: Table 92: Show L2Tp Tunnel Output Fields

    State Status of the enabled tunnel: idle connecting established disconnecting Local and peer tunnel id Names the router used to identify the tunnel locally and remotely
  • Page 474: Monitoring Configured And Operational Status Of All Tunnels

    Display a summary of the configured and operational status of all L2TP tunnels. Action To display a summary of the configured and operational status of all L2TP tunnels: host1#show l2tp tunnel summary Administrative status enabled drain disabled
  • Page 475: Monitoring Chassis-Wide Configuration For L2Tp Dial-Out

    To display detailed chassis-wide configuration information: host1#show l2tp dial-out detail Dial-out Chassis Configuration and Operational Status Chassis operational status : inService Dormant timeout 30 seconds Connecting timeout 30 seconds Dial-out Chassis Statistics Current sessions:
  • Page 476 To display summary information for chassis-wide configuration: host1#show l2tp dial-out summary Virtual routers in init pending state : Virtual routers in init failed state Virtual routers in down state Virtual routers in inService state
  • Page 477: Table 94: Show L2Tp Dial-Out Output Fields

    Targets currently in the inhibited state Maximum targets inhibited Highest value of targets recorded in the inhibited state since the last router restart Authentication grant for nonexistent sessions Number of authentication requests granted to nonexistent session
  • Page 478 Sessions on the VR that are in the postInhibited state Sessions in failed state Sessions on the VR that are in the failed state Dial-out target statistics Statistics at the route target level Targets active Current active targets Targets created All targets created
  • Page 479 Authentication grants Authentication requests granted Authentication Denies Authentication requests denied Dial-outs requested Outgoing calls requested for sessions Dial-outs rejected Outgoing call requests that were rejected Dial-outs established Successful outgoing calls before the connecting timer expired
  • Page 480: Monitoring Status Of Dial-Out Sessions

    NOTE: The level of a user’s permission determines the use of the allVirtualRouters option. For example, if you have permission to view only the current virtual router, then that is all that is displayed when you enter a command.
  • Page 481: Monitoring Dial-Out Targets Within The Current Vr Context

    To display detailed configuration, state, and statistics: host1:dialout#show l2tp dial-out target detail To display information about the operational or administrative state: host1:dialout#show l2tp dial-out target state inService To display dial-out information across all virtual routers:
  • Page 482: Monitoring Operational Status Within The Current Vr Context

    Dial-out Virtual Router Configuration and Operational Status Virtual router host1: Virtual router operational status: inService Maximum trigger buffers per session: 0 To display aggregate counts for dial-out state machines in each of the possible operational and administrative states:
  • Page 483: Table 97: Show L2Tp Dial-Out Virtual-Router Output Fields

    Maximum trigger buffers per session Maximum number of trigger packets held in buffer while the dial-out session is being established Related Topics For detailed information about operational states, see Dial-Out Operational States on page 403 show l2tp dial-out virtual-router
  • Page 485: Managing Dhcp

    DHCP Local Server Overview on page 457 Configuring DHCP Local Server on page 465 Configuring DHCP Relay on page 483 Configuring the DHCP External Server Application on page 511 Monitoring and Troubleshooting DHCP on page 525
  • Page 487: Dhcp Overview

    DHCP clients can be reliably and dynamically configured with parameters appropriate to the current network architecture. You can configure the E Series router to support the following DHCP features: DHCP access model DHCP proxy client DHCP relay DHCP relay proxy
  • Page 488: Session And Resource Control Software

    Session and Resource Control Software The Session and Resource Control (SRC) software, formerly the Service Deployment System (SDX) software, is a component of Juniper Networks management products. The SRC software provides a Web-based interface that allows subscribers to access services, such as the Internet, an intranet, or an extranet.
  • Page 489: Dhcp References

    DHCP proxy client support enables the router to obtain an IP address from a DHCP server for a remote PPP client. Each virtual router (acting as a DHCP proxy client) can query up to five DHCP servers.
  • Page 490 You can specify a maximum of five DHCP servers. host1(config)#ip dhcp-server 10.6.128.10 Direct the router to request IP addresses for remote users from the DHCP server(s). host1(config)#ip address-pool dhcp Related Topics ip address-pool ip dhcp-server
  • Page 491: Logging Dhcp Packet Information

    The following commands enable you to view information about current DHCP client bindings: To display information and track lease times and status for specified DHCP client bindings, with results arranged in ascending order by binding ID, use the show dhcp binding command.
  • Page 492 (address and subnetwork mask) of the DHCP client local—DHCP local server bindings that meet the deletion criteria
  • Page 493 To specify nonprintable byte codes in the circuit ID string or remote ID string, you can use the string \xab, where ab is a hex code of the byte. This dhcp delete-binding command uses the string \xe3 to represent byte E3 in the circuit ID string. This
  • Page 494 command deletes DHCP client bindings on virtual router vr3 with the specified circuit ID string. Related Topics dhcp delete-binding show dhcp binding show dhcp count show dhcp host
  • Page 495: Dhcp Local Server Overview

    For information about configuring the DHCPv6 local server, see “Configuring the DHCPv6 Local Server” on page 477. In equal-access mode, the DHCP local server works with the Juniper Networks SRC software to provide an advanced subscriber configuration and management service.
  • Page 496: Equal-Access Mode Overview

    DHCP pools in the order presented in Table 98 on page 459. When the router finds a match, it selects a pool based on the match and does not examine other parameters.
  • Page 497: The Connection Process

    The router maintains a host route that maps the IP address to the router’s interface associated with the subscriber’s computer. The subscriber’s computer retains the IP address until the subscriber turns off the computer.
  • Page 498: Standalone Mode Overview

    DHCP pools in the order presented in Table 99 on page 461. When the router finds a match, it selects a pool based on the match and does not examine other parameters.
  • Page 499: Authentication

    DHCP local server receives the domain name from the AAA server. If the client’s domain name does not match the name of the DHCP local pool, the router attempts to match the client’s domain name to the domain name field within the pool.
  • Page 500: Server Management Table

    Configure an unnumbered IP address associated with the loopback interface on the ATM or Ethernet interface. For information about defining IP addresses, see the Configuring IP chapter in JunosE IP, IPv6, and IGP Configuration Guide.
  • Page 501: Dhcp Local Server Configuration Tasks

    474 for a sample configuration. For non-PPP equal access, configure the router to work with the SRC software. See “Configuring the Router to Work with the SRC Software” on page 479 for a sample configuration.
  • Page 503: Configuring Dhcp Local Server

    If you do not use SRC for managing subscribers, use standalone mode. SRC contributes to the address pool selection and so when you use standalone mode, SRC is not used for address allocation.
  • Page 504: Limiting The Number Of Ip Addresses Supplied By Dhcp Local Server

    You can specify the maximum number of IP addresses that the DHCP local server can supply to each VPI/VCI, VLAN, Ethernet subnetwork, or POS access interface type, or to a particular interface or subinterface.
  • Page 505: Excluding Ip Addresses From Address Pools

    DHCP local server to support the creation of dynamic subscriber interfaces built over dynamic VLANs that are based on the agent-circuit-id option (suboption 1) of the option 82 field in DHCP messages. Use this command within a specific virtual router context.
  • Page 506: Address

    Clients with identical IDs or addresses, and how they are distinguished: on different subinterfaces in the same subnet, by unique subinterface; on the same subinterface in different subnets, by unique subnet; on different subinterfaces in different subnets, by unique subinterface and unique subnet.
  • Page 507: Logging Out Dhcp Local Server Subscribers

    The function provided by this command has been replaced by the dhcp delete-binding command. You can use the clear ip dhcp-local binding command to force the removal of a connected user's IP address lease and associated route configuration. Using this command enables you to:
  • Page 508: Using Snmp Traps To Monitor Dhcp Local Server Events

    MAC address detection dhcpLocalGeneral—DHCP local server infrastructure-related events and number of client threshold events NOTE: The dhcpLocalGeneral category replaces the dhcpLocalServerGeneral category. dhcpLocalHighAvailability—DHCP high availability events
  • Page 509: Configuring Dhcp Local Address Pools

    Basic Configuration of DHCP Local Address Pools on page 471 Linking Local Address Pools on page 473 Setting Grace Periods for Address Leases on page 474 Basic Configuration of DHCP Local Address Pools To configure the DHCP local address pool:
  • Page 510 Specify the IP address of a primary server and, optionally, the address of a secondary server. (Optional) Specify NetBIOS node type. host1(config-dhcp-local)#netbios-node-type b-node Specify one of the following types of NetBIOS nodes. By default, the node type is unspecified. b-node—Broadcast p-node—Peer-to-peer
  • Page 511: Linking Local Address Pools

    The linked pool serves as a backup pool. If no addresses are available in a pool, the DHCP local server attempts to allocate an address from the linked pool. The address pools that are linked are viewed as a group.
  • Page 512: Setting Grace Periods For Address Leases

    By default, clients are not authenticated in standalone mode. Typically, an incoming DHCP client does not provide a username—therefore, the DHCP local server constructs a username based on the user’s attachment parameters and
  • Page 513 Specify the domain for a username that is locally configured for a DHCP standalone mode client. The locally configured username is presented to AAA in an authentication request.
  • Page 514 : included MAC Address : excluded Option 82 : excluded Related Topics ip dhcp-local auth domain command ip dhcp-local auth include command ip dhcp-local auth password command ip dhcp-local auth user-prefix service dhcp-local authenticate
  • Page 515: Configuring The Dhcpv6 Local Server

    You can specify a maximum of four DNS servers. host1(config-if)#ipv6 dhcpv6-local dns-server 2001:db8:18:: Set the default lifetime for which a prefix delegated by this DHCPv6 local server is valid. This default is overridden by an interface-specific lifetime.
  • Page 516: Deleting Dhcpv6 Client Bindings

    You can remove all DHCPv6 client bindings, all DHCPv6 client bindings of a particular type, or a specified DHCPv6 client binding that meets the deletion criteria you specify.
  • Page 517: Configuring The Router To Work With The Src Software

    Configuration Example Figure 12 on page 480 shows the scenario for this example. Subscribers obtain access to ISP Boston via a router. Subscribers log in through the SRC software, and a RADIUS server provides authentication.
  • Page 518: Figure 12: Non-Ppp Equal-Access Configuration Example

    Configure the parameters to enable the router to forward authentication requests to the RADIUS server.
    host1(config)#radius authentication server 10.10.1.2
    host1(config)#udp-port 1645
    host1(config)#key radius
    Specify the authentication method.
    host1(config)#aaa authentication ppp default radius
    host1(config)#aaa authentication ppp default none
  • Page 519 10.10.2.0 255.255.255.0
    host1(config-dhcp-local)#domain-name ispBoston
    host1(config-dhcp-local)#default-router 10.10.2.1
    host1(config-dhcp-local)#lease 0 0 10
    host1(config-dhcp-local)#ip dhcp-local limit atm 5
    Configure the SRC client.
    host1(config)#sscc enable
    host1(config)#sscc retryTimer 200
    host1(config)#sscc primary address 10.10.1.2 port 3288
  • Page 521: Chapter 20 Configuring Dhcp Relay

    82) to add information to the DHCP packets sent to DHCP servers—the additional information, in the form of suboptions to the option 82 value, helps you to manage the IP address and service level assignments granted to your subscribers. For example, you
  • Page 522: Enabling Dhcp Relay

    You can use the unknown keyword with the dhcp relay discard access-routes command to remove the routing information for these interfaces. To remove access routes: host1(config)#set dhcp relay discard-access-routes
  • Page 523: Treating All Packets As Originating At Trusted Sources

    Spoofed giaddrs are a concern when the DHCP relay is used if the giaddr value in received DHCP packets is different from the local IP address on which the DHCP relay is accessed. In this situation, DHCP relay always honors the giaddr. To configure DHCP relay to override
  • Page 524: Packets

    “Behavior for Bound Clients and Address Renewals” on page 509. To display whether support for broadcast flag replies is currently on or off on the router, use the show dhcp relay command. For information, see “Monitoring and Troubleshooting DHCP” on page 525.
  • Page 525: Interaction With Layer 2 Unicast Transmission Method

    2 proxy use layer 2 unicast and layer 3 broadcast transmission to send DHCP reply packets to clients.
  • Page 526: Preventing Dhcp Relay From Installing Host Routes By Default

    IP and saves it in NVS. Configuration Example—Preventing Installation of Host Routes This example describes a sample procedure for configuring multiple subscribers over a particular static subscriber interface (ip53001 in this example)—you might use commands
  • Page 527: Including Relay Agent Option Values In The Pppoe Remote Circuit Id

    By default, the router formats the captured PPPoE remote circuit ID to include only the agent-circuit-id suboption (suboption 1) of the DHCP relay agent information option (option 82). You can use the radius remote-circuit-id-format command to configure the following nondefault formats for the PPPoE remote circuit ID value:
  • Page 528: Interfaces

    “Behavior for Bound Clients and Address Renewals” on page 509. To display whether the layer 2 unicast method is currently on or off on the router, use the show dhcp relay command. For information, see “Monitoring and Troubleshooting DHCP” on page 525.
  • Page 529: Servers

    You use the set dhcp vendor-option command to configure vendor-option (option 60) strings to control DHCP client traffic. Create DHCP vendor-option servers by configuring
  • Page 530 Client packets that have option 60 configured but have no string specified (a string of 0 length) are treated as nonmatching strings and handled accordingly. To configure an exact match: host1(config)#set dhcp vendor-option equals myword relay 192.168.7.7
  • Page 531: Configuration Example-Using Dhcp Relay Option 60 To Specify Traffic

    - the DHCP application is configured but has not been enabled with the vendor-option command drop - the DHCP application responsible for the action has not been configured yet therefore all packets for this application will be dropped Total 3 entries. Vendor-option Action
  • Page 532: Relaying Dhcp Packets That Originate From A Cable Modem

    The hostname and vrname keywords are a toggle; that is, specifying either hostname or virtual router name turns off the other selection. To configure the relay agent option 82 information: host1(config)#set dhcp relay options hostname
  • Page 533: Packets

    See the JunosE Policy Management Configuration Guide for information about layer 2 policies. The Agent Circuit ID suboption (suboption 1) and the Agent Remote ID suboption (suboption 2) are typically determined by the client network access device and depend
  • Page 534: Table 102: Effect Of Commands On Option 82 Suboption Settings

    No change Enable No change set dhcp relay agent sub-option vendor-specific suboption-type No change No change Enable specified suboption type no set dhcp relay agent sub-option circuit-id Disable No change No change
  • Page 535: Option 82

    4 high-order bits are 0. The data field length of a stacked VLAN is 4 bytes, with the SVLAN ID occupying the 12 low-order bits of the 2 high-order
  • Page 536 L2 Circuit ID val: 00 7b b2 6e L2 Circuit ID len: 4 bytes L2 Circuit ID type: 1 JUNOSE data len: 9 bytes JUNOSE IANA: 13 0a subopt 9 len: 14 bytes subopt code: 9
  • Page 537: Suboption Support

    4/1.2:0.101 Ethernet interface [<hostname>|<vrname>:]<interface type> <slot>/<port> Examples: fastEthernet 1/2 relayVr:fastEthernet 1/2 bostonHost:fastEthernet 1/2 Ethernet interface with VLAN [<hostname>|<vrname>:]<interface type> <slot>/<port>[.<sub-if>]:<vlan id> Examples: fastEthernet 1/2.3:4 relayVr:fastEthernet 1/2:4 bostonHost:fastEthernet 1/2.3:4 Ethernet interface with Stacked VLAN
  • Page 538: Configuration Example-Using Dhcp Relay Option 82 To Pass Ieee 802.1P Values To Dhcp Servers

    DHCP packet or message IEEE 802.1p value to the user packet class field. See the JunosE Policy Management Configuration Guide for information about layer 2 policies. Configuration Example—Using DHCP Relay Option 82 to Pass
  • Page 539: Figure 13: Passing 802.1P Values To The Dhcp Server

    The following example describes a sample procedure that creates an environment that passes 802.1p values to the DHCP server, which then assigns an IP address that enables the desired service to the DHCP client.
  • Page 540 0 Classifier control list: dot1p1, precedence 100 user-packet-class 1 Classifier control list: dot1p2, precedence 100 user-packet-class 2 Classifier control list: dot1p3, precedence 100 user-packet-class 3 Classifier control list: dot1p4, precedence 100 user-packet-class 4
  • Page 541 Preserve Option From Trusted Clients: off
    Circuit-ID Sub-option (1): on
      select - hostname
      select - exclude-subinterface-id
    Remote-ID Sub-option (2): on
    Vendor-Specific Sub-option (9): on
      select - layer2-circuit-id
      select - user-packet-class
    DHCP Server Addresses
    ---------------------
  • Page 542: Using The Set Dhcp Relay Agent Command To Enable Option 82 Suboption Support

    Agent Remote ID suboption. ATM interface [<hostname>|<vrname>:]<interface type> <slot>/<port>[.<sub-if>]:<vpi>.<vci> Examples: atm 4/1.2:0.101 relayVr:atm 4/1:0.101 bostonHost:atm 4/1.2:0.101 Ethernet interface [<hostname>|<vrname>:]<interface type> <slot>/<port> Examples: fastEthernet 1/2 relayVr:fastEthernet 1/2 bostonHost:fastEthernet 1/2 Ethernet interface with VLAN [<hostname>|<vrname>:]<interface type> <slot>/<port>[.<sub-if>]:<vlan id> Examples:
  • Page 543 The remote-id-only keyword disables support for the Agent Circuit ID suboption. If you do not explicitly specify the circuit-id-only or remote-id-only keyword, both suboptions are used. Related Topics radius remote-circuit-id-format set dhcp relay
  • Page 544: Rate Of Dhcp Client Packets Processed By Dhcp Relay Overview

    When the uplink line module cannot handle heavy loads, packets are discarded before they reach the IC. You can set the maximum rate of client packets based on the uplink load capacity.
  • Page 545: Configuring The Rate Of Client Packets Processed By Dhcp Relay

    Use the First Offer from a DHCP Server You can configure the DHCP relay proxy to use the first offer it receives from any configured DHCP server and send that offer to the DHCP client. By default, DHCP relay proxy sends
  • Page 546: Set A Timeout For Dhcp Client Renewal Messages

    A major benefit of the relay proxy configuration is that the E Series router is kept informed of the status of a DHCP client’s address. When addresses are released by clients, the router removes the installed host route for that client. In the DHCP relay configuration,
  • Page 547: Selecting The Dhcp Server Response

    “Configuring Layer 2 Unicast Transmission Method for Reply Packets to DHCP Clients” on page 490. Related Topics Managing Host Routes on page 508 set dhcp relay proxy set dhcp relay proxy send-first-offer set dhcp relay proxy timeout
  • Page 549: Configuring The Dhcp External Server Application

    You can configure the E Series router to provide support for an external DHCP server. This enables the router, which is not running DHCP relay or DHCP proxy server, to monitor DHCP packets and to keep information for subscribers based on their IP address and
  • Page 550: Figure 14: Dhcp External Server

    The E Series router views the subscriber as active once the subscriber sends a packet. The router then performs the following actions: Processes the subscriber’s IP address by using a route map Extracts the dynamic subscriber interface profile (optional)
  • Page 551: Overview

    By default, the DHCP external server preserves the client’s existing dynamic subscriber interface in this situation. To configure the DHCP external server to delete and re-create the client’s dynamic subscriber interface
  • Page 552: Overview

    MAC address and the giaddr to uniquely identify the clients connected to the router. This setting for DHCP external server is also referred to as duplicate MAC mode.
  • Page 553: Configuration Guidelines For Using Duplicate Mac Mode

    MAC address and giaddr to uniquely identify DHCP clients, otherwise known as duplicate MAC mode: You can issue the dhcp-external duplicate-mac-address command at any time to enable duplicate MAC mode. However, you cannot issue the no dhcp-external
  • Page 554: Dhcp External Server Configuration Requirements

    Monitoring DHCP Traffic Between Remote Clients and DHCP Servers You can configure the router to monitor DHCP packets between remote clients and specified DHCP servers. You can specify up to four DHCP servers.
  • Page 555: Synchronizing The Dhcp External Application And The Router

    IP address as the next hop. This operation results in the subscriber-destined traffic being incorrectly sent to the Ethernet DSLAM, which cannot process the traffic. To avoid dropping the traffic in this situation, use the ip set dhcp-external disregard-giaddr-next-hop command to configure the DHCP external server application
  • Page 556: Configuring The Dhcp External Server To Support The Creation Of Dynamic Subscriber Interfaces

    (suboption 1) that is contained in the DHCP option 82 field. For information about configuring agent-circuit-id–based dynamic VLAN subinterfaces, see the Configuring Dynamic Interfaces Using Bulk Configuration chapter in JunosE Link Layer Configuration Guide. Related Topics ip dhcp-external auto-configure
  • Page 557: Configuring Dhcp External Server To Control Preservation Of Dynamic Subscriber

    DHCP external server, see DHCP External Server in the Known Behavior section of the JunosE Release Notes. Related Topics Preservation of Dynamic Subscriber Interfaces with DHCP External Server Overview on page 513 ip dhcp-external recreate-subscriber-interface
  • Page 558: Configuring Dynamic Subscriber Interfaces For Interoperation With Dhcp Relay And Dhcp Relay Proxy

    DHCP client that generated the renewal request: Enable the packet detection feature on the static primary IP interface in the context of the VR in which the static primary interface resides.
  • Page 559: Deleting Clients From A Virtual Router's Dhcp Binding Table

    To delete clients from a virtual router’s DHCP binding table, issue the dhcp-external delete-binding command in Privileged Exec configuration mode:
    To delete all clients:
    host1#dhcp-external delete-binding all
    To delete a specific client:
    host1#dhcp-external delete-binding binding-id 3972819365
    Related Topics dhcp delete-binding dhcp-external delete-binding
  • Page 560: Configuring Dhcp External Server To Uniquely Identify Clients With Duplicate

    DHCP external server application on the router, and is not issued on a per-VR basis. Related Topics DHCP External Server Identification of Clients with Duplicate MAC Addresses Overview on page 514 dhcp-external duplicate-mac-address
  • Page 561: Configuring Dhcp External Server To Re-Authenticate Auto-Detected Dynamic Subscriber Interfaces

    Issue the ip re-authenticate-auto-detect ip-subscriber command from Interface Configuration or Profile Configuration mode: host1:vr1(config)#ip re-authenticate-auto-detect ip-subscriber Related Topics Preservation of Dynamic Subscriber Interfaces with DHCP External Server Overview on page 513 ip dhcp-external recreate-subscriber-interface
  • Page 563: Monitoring And Troubleshooting Dhcp

    Monitoring DHCP Server and DHCP Relay Agent Statistics on page 556 Monitoring DHCP Server and Proxy Client Information on page 557 Monitoring DHCPv6 Local Server Binding Information on page 558 Monitoring DHCPv6 Local Server DNS Search Lists on page 559
  • Page 564: Setting Baselines For Dhcp Statistics

    There is no no version. Setting a Baseline for DHCP External Server Statistics To set a baseline for DHCP external server statistics, issue the baseline ip dhcp-external command: host1#baseline ip dhcp-external
  • Page 565: Setting A Baseline For Dhcp Local Server Statistics

    Table 103: show ip dhcp-local excluded Output Fields Field Name Field Description Pool Name of the pool that contains the excluded address Low Address Excluded address or first address in a range of addresses
  • Page 566: Monitoring Dhcp Bindings

    Action To display information about all DHCP local server bindings: host1:vr1#show dhcp binding local BindingId HwAddress Type IpSubnet IpAddress State
  • Page 567 Type IpSubnet IpAddress State
    ---------- -------------- ------- -------- --------- -----
    3070230529 7000.0000.9365 relay-p 0.0.0.0 71.1.0.2 bound
    3070230531 7000.0002.9365 relay-p 0.0.0.0 71.1.0.4 bound
    3070230535 7000.0006.9365 relay-p 0.0.0.0 71.1.0.8 bound
    3070230537 7000.0008.9365 relay-p 0.0.0.0 71.1.0.10 bound
  • Page 568: Table 104: Show Dhcp Binding Output Fields

    For DHCP local server bindings, the subnet of the IP address assigned to the client; 0.0.0.0 for DHCP external server and DHCP relay proxy bindings IpAddress IP address assigned to client State State of the DHCP client binding
  • Page 569: Monitoring Dhcp Binding Count Information

    -------- ------- external 0.0.0.0 relay-p 0.0.0.0 To display count information for DHCP client bindings and interfaces with the specified interface string: host1:vr2#show dhcp count interface ip71.*4 Assigned Bound Type IpSubnet Interfaces Clients Clients Clients
  • Page 570: Table 105: Show Dhcp Count Output Fields

    Binding type; external (DHCP external server), local (DHCP local server), or relay-p (DHCP relay proxy) IpSubnet For DHCP local server bindings, the subnet of the IP address assigned to the client; 0.0.0.0 for DHCP external server and DHCP relay proxy bindings
  • Page 571: Monitoring Dhcp Binding Host Information

    71.1.0.14 bound 3053453353 7000.0016.9365 external 0.0.0.0 71.1.0.24 bound This show dhcp host command uses the * (asterisk) regular expression metacharacter in the interface string to display information for DHCP client bindings on virtual router
  • Page 572: Table 106: Show Dhcp Host Output Fields

    Meaning Table 106 on page 534 lists the show dhcp host command output fields. Table 106: show dhcp host Output Fields Field Name Field Description BindingId Client binding ID HwAddress MAC address of client
  • Page 573: Monitoring Dhcp Bindings

    NOTE: This command is deprecated and might be removed completely in a future release. The function provided by this command has been replaced by the show dhcp binding command. Action To display the DHCP IP address to MAC address bindings:
  • Page 574: Monitoring Dhcp Bindings (Displaying Dhcp Bindings Based On Binding Id)

    Dhcp External Binding Ids
    -------------------------
    Binding Id Hardware Giaddr IpAddress
    ---------- -------------- -------- ---------
    3053453316 7000.0001.9365 91.3.0.1 91.3.0.2
    Meaning Table 108 on page 537 lists the show ip dhcp-external binding-id command output fie
  • Page 575: Monitoring Dhcp Bindings (Local Server Binding Information)

    (600) fastEthernet 5/0.2 expired Meaning Table 109 on page 537 lists the show ip dhcp-local binding command output fields. Table 109: show ip dhcp-local binding Output Fields Field Name Field Description Address IP address
  • Page 576: Monitoring Dhcp External Server Configuration Information

    Table 110: show ip dhcp-external configuration Output Fields Field Name Field Description Dhcp External Enabled or disabled Auto-Configure Enabled or disabled Server-Sync Enabled or disabled Disregard-Giaddr-Next-hop Enabled or disabled Detect-Agent-Circuit-Id Enabled or disabled
  • Page 577: Monitoring Dhcp External Server Statistics

    Number of DHCP request packets ack (request) Number of DHCP acknowledgment packets in response to DHCP requests renew Number of DHCP renew packets ack (renew) Number of DHCP acknowledgment packets in response to DHCP renewals
  • Page 578: Monitoring Dhcp External Server Duplicate Mac Address Setting

    Display the DHCP local pool configurations. Action To display information about the local address pool:
    host1#show ip dhcp-local pool
    *****************************************
    Pool Name - ispBoston
    Pool Id - 6
    Domain Name - ispBoston
    Network - 10.10.0.0
  • Page 579: Table 113: Show Ip Dhcp-Local Pool Output Fields

    Pool Id ID of the pool Domain Name Domain name assigned to the pool Network Addresses that the DHCP local server can provide from the pool Mask Subnet mask that goes with the network address
  • Page 580 Total Addresses Available Number of addresses in the group Total Addresses In Use Number of addresses currently being used Trap Enabled Status of utilization trap, yes or no Pools Names of pools in the group
  • Page 581: Monitoring Dhcp Local Server Authentication Information

    Client’s circuit ID; excluded or included MAC Address Client’s MAC address; excluded or included Option 82 Status of client’s option 82 field; excluded or included auth requests Number of authorization requests received by this DHCP local server
  • Page 582: Monitoring Dhcp Local Server Configuration

    To display information about a specific DHCP local server lease:
    host1#show ip dhcp-local leases 192.168.0.3
    Dhcp Local Leases
    -----------------
    Address Hardware Lease Initiated/Renewed
    ------------ ----------------- -------- ----------------------------
    192.168.0.3 10-06-10-00-10-33 THU SEP 08 2005 08:02:11 UTC
  • Page 583: Table 116: Show Ip Dhcp-Local Leases Output Fields

    Infinite, or the number of seconds remaining in the lease, if any; remaining time of grace period for clients in the grace period Initial Lease Start Day, date, and time the lease was initiated Related Topics show ip dhcp-local leases
  • Page 584: Monitoring Dhcp Local Server Statistics

    DHCP Local Server SubInterface Statistics Interface Item Count ------------------- -------------- ------------- ATM4/0.32 Receive Statistics discover request(accept) request(renew) request(rebind) request(other) decline release inform total in packet in error in discard unknown client packet Transmit Statistics offer ack(accept)
  • Page 585: Table 117: Show Ip Dhcp-Local Statistics Output Fields

    Number of nonrequest packets that have no entry in the local server database received Transmit Statistics Statistics for packets that have been transmitted offer Number of DHCP offer messages sent ack(accept) Number of DHCP acknowledgments sent in response to accepted requests
  • Page 586: Monitoring Dhcp Option 60 Information

    - all DHCP client packets not matching a configured vendor-string implied - the DHCP application is configured but has not been enabled with the vendor-option command drop - the DHCP application responsible for the action has not been
  • Page 587: Monitoring Dhcp Packet Capture Settings

    Monitoring DHCP Packet Capture Settings Purpose Display the configuration for per-interface DHCP packet logging. Action To display configuration information about the DHCP packet capture feature:
    host1#show ip dhcp-capture
    Dhcp Capture Configuration
    --------------------------
  • Page 588: Monitoring Dhcp Relay Configuration Information

    Preserve Option From Trusted Clients: off
    Circuit-ID Sub-option (1): on
      select - hostname
      select - exclude-subinterface-id
    Remote-ID Sub-option (2): on
    Vendor-Specific Sub-option (9): on
      select - layer2-circuit-id
      select - user-packet-class
    DHCP Server Addresses
    ---------------------
    30.3.7.1
  • Page 589: Monitoring Dhcp Relay Proxy Statistics

    On or off; when on includes a list of selected suboptions DHCP Server Addresses IP addresses of configured DHCP servers Related Topics show dhcp relay Monitoring DHCP Relay Proxy Statistics Purpose Display statistics for the DHCP relay proxy.
  • Page 590: Table 121: Show Dhcp Relay Proxy Statistics Output Fields

    Active Clients Number of clients being maintained by the relay proxy Clients to Restore Number of host routes installed without an active client (waiting for renewal) Client Packets Total number of packets received from clients
  • Page 591: Monitoring Dhcp Relay Statistics

    Relay Agent Option already present dropped packets with Relay Agent Option already present dropped giaddr spoof packets DHCP server statistics (standard mode only): dropped duplicate request packets packets transmitted to servers
  • Page 592: Table 122: Show Dhcp Relay Statistics Output Fields

    (for example, offer, ack) was unknown, possibly due to corruption Packet Pacing Algorithm (standard & proxy modes) Speed up pacer Number of times the DHCP relay increased the rate of client packets processed
  • Page 593 DHCP servers dropped unknown xid reply packets Number of DHCP relay replies received from DHCP servers that were discarded because their server address and XID do not match an outstanding DHCP server request
  • Page 594: Monitoring Dhcp Server And Dhcp Relay Agent Statistics

    Number of leases granted by the server Offers received Number of offers sent by the server Requests sent Number of requests sent to the server Acks received Number of acknowledgments received from the server
  • Page 595: Monitoring Dhcp Server And Proxy Client Information

    Disabled; means that the server is not accepting any new requests for addresses and has no outstanding addresses Address IP address of a DHCP server
  • Page 596: Monitoring Dhcpv6 Local Server Binding Information

    DHCP unique ID of subscriber’s computer Lease Time for which the IPv6 address is available in seconds, or infinite Intf Router’s interface that is associated with the subscriber’s computer Related Topics show ipv6 dhcpv6-local binding
  • Page 597: Monitoring Dhcpv6 Local Server Dns Search Lists

    DNS server IPv6 address of the DNS server Related Topics show ipv6 dhcpv6-local dns-servers Monitoring DHCPv6 Local Server Prefix Lifetime Purpose Display the DHCPv6 default prefix lifetime. Action To display the DHCPv6 default prefix lifetime:
  • Page 598: Monitoring Dhcpv6 Local Server Statistics

    Number of bytes of memory used by DHCPv6 local server bindings Number of leased IPv6 prefixes currently assigned solicit rx Number of DHCPv6 solicit messages received request(accept) rx Number of DHCPv6 request messages received
  • Page 599: Monitoring Duplicate Mac Addresses Use By Dhcp Local Server Clients

    Interface Count Time ATM 3/0.1 Sat Sept 17, 2005 06:00:51 UTC ATM 3/0.2 Sun Sept 18, 2005 09:00:00 UTC Meaning Table 130 on page 562 lists the show ip dhcp-local duplicate-clients command output fields.
  • Page 600: Monitoring The Maximum Number Of Available Leases

    Denied Denied --------- ----- ----- ------ ------ fastEthernet0/0 atm 3/1 atm 4/2 5000 atm 5/1 5000 pos 2/1 1000 Meaning Table 131 on page 563 lists the show ip dhcp-local limits command output fields.
  • Page 601: Server

    Dhcp Reserved Addresses
    -----------------------
    Pool Address Hardware
    ---------- ------------ -----------------------------------------------
    cablemodem 10.44.44.100 12-34-12-34-12-34-00-00-00-00-00-00-00-00-00-00
    cablemodem 10.44.44.101 22-33-22-33-22-33-00-00-00-00-00-00-00-00-00-00
    Meaning Table 132 on page 564 lists the show ip dhcp-local reserved command output fields.
  • Page 602: Monitoring Status Of Dhcp Applications

    Table 133 on page 564 lists the show dhcp summary command output fields. Table 133: show dhcp summary Output Fields Field Name Field Description configured Applications that are currently configured active or inactive Current status of the application Related Topics show dhcp summary
  • Page 603: Managing The Subscriber Environment

    PART 5 Managing the Subscriber Environment Configuring Subscriber Management on page 567 Monitoring Subscriber Management on page 581 Configuring Subscriber Interfaces on page 585 Monitoring Subscriber Interfaces on page 617
  • Page 605: Configuring Subscriber Management

    Multiple subscribers using the same primary interface User authentication and accounting Differentiated services for individual subscribers A subscriber management environment can include the following components: Local Dynamic Host Configuration Protocol (DHCP) server External DHCP server
  • Page 606: Subscriber Management Platform Considerations

    Dynamic IP Subscriber Interfaces You can set up your subscriber management environment to create dynamic IP subscriber interfaces in two situations—when a DHCP event occurs or when a packet is detected.
  • Page 607: Subscriber Management Procedure

    Figure 15: DHCP External Server In Figure 15 on page 569, the subscriber requests an address from the DHCP server. The E Series router DHCP external server application monitors all DHCP communications
  • Page 608: Configuring Subscriber Management With An External Dhcp Server

    Figure 15 on page 569, use the following procedure on E Series routers: Enable the DHCP external server application. host1(config)#service dhcp-external Specify each DHCP server for which to monitor traffic. You can specify a maximum of four DHCP servers.
  • Page 609: Subscriber Management Commands

    Use to clear all dynamically created demultiplexer table entries associated with the route-map processing of the set ip source-prefix command. deny—Drop addresses that appear in the source address range primary—Associate the source prefix with the primary IP interface Example host1(config-if)#clear ip demux
  • Page 610 Use the no version to disable inclusion of the suboption in the username. See include dhcp-option 82 include hostname Use to include the router hostname in the username that is dynamically created by JunosE subscriber management. Example host1(config-service-profile)#include hostname
  • Page 611 Use the exclude-primary keyword to specify that the primary interface cannot be used for subscribers. The primary interface is not assigned to a subscriber by default. You can issue this command from Interface Configuration mode, Subinterface Configuration mode, or Profile Configuration mode. Example
  • Page 612 IP polls the dynamic interface at the configured interval to determine whether the interface was active during the interval. Inactive interfaces are deleted only when the period of inactivity is equal to or greater than the configured value.
  • Page 613 Service profiles contain user and password information, and are used in route maps for subscriber management and to authenticate subscribers with RADIUS. You can specify a service profile name with up to 32 ASCII characters.
  • Page 614 Example host1(config-if)#ip use-framed-routes ip-subscriber Use the no version to disable the use of framed routes when creating dynamic subscriber interfaces associated with this primary IP interface. See ip use-framed-routes ip-subscriber password
  • Page 615 Use to specify the username for an IP service profile. The username is used as the dynamically created username by JunosE subscriber management. You can specify a username with up to 32 ASCII characters.
  • Page 616: Subscriber Management Configuration Examples

    An IP policy that restricts access. host1(config)#ip policy-list restrictAccess host1(config-policy-list)#classifier-group * host1(config-policy-list-classifier-group)#filter host1(config-policy-list-classifier-group)#exit host1(config-policy-list)#exit host1(config)# An interface profile that references the restrictAccess policy. host1(config)#profile atlInterfaceProfile host1(config-profile)#ip policy input restrictAccess host1(config-profile)#ip policy output restrictAccess
  • Page 617: Username With Atm Circuit Identifier And No Circuit Type

    This example shows the steps to configure a service profile for a username that includes a VLAN circuit identifier and the circuit type. host1(config)#ip service-profile atlServiceProfile host1(config-service-profile)#user-prefix xyzcorp.atl host1(config-service-profile)#domain eastcoast host1(config-service-profile)#include hostname host1(config-service-profile)#include circuit-identifier vlan prepend-circuit-type host1(config-service-profile)#exit The example generates the following username:
  • Page 618: Username With Mac Address

    IP subscribers that have statically configured IP addresses. host1(config)#ip service-profile atlServiceProfile host1(config-service-profile)#user-prefix xyzcorp.atl host1(config-service-profile)#domain eastcoast host1(config-service-profile)#include hostname host1(config-service-profile)#include circuit-identifier vlan host1(config-service-profile)#include mac-address host1(config-service-profile)#include dhcp-option 82 agent-circuit-id host1(config-service-profile)#exit host1(config)# The example generates the following username, which includes the MAC address:
  • Page 619: Monitoring Subscriber Management

    Table 134: show ip service-profile Output Fields Field Name Field Description ip service-profile Name of profile user-name Username used to retrieve information from RADIUS for subscriber interfaces user-prefix User prefix used to retrieve information from RADIUS for subscriber interfaces
  • Page 620: Monitoring Active Ip Subscribers Created By Subscriber Management

    Ip Address Router Interface ---------- -------------- ----------- ------- ------------- 2835349506 user1@isp1.com 192.168.0.1 default ip192.168.0.1 Profile Login Time Mac Address Handle ---------- ------------------------ -------------- -------- 2835349506 WED AUG 23 20:46:24 2006 3000.0001.9365 13631489 Interface Service
  • Page 621: Table 135: Show Ip-Subscriber Output Fields

    AAA Option 82 DHCP relay agent information (option 82) circuit identifier that describes the physical interface location associated with the subscriber Related Topics show ip-subscriber
  • Page 623: Configuring Subscriber Interfaces

    10-Gigabit Ethernet (with and without VLANs) IP over ATM Generic Routing Encapsulation (GRE) tunnels Dynamic subscriber interfaces Bridged Ethernet over ATM (with and without VLANs) Fast Ethernet (with and without VLANs) Gigabit Ethernet (with and without VLANs)
  • Page 624: Dynamic Interfaces And Dynamic Subscriber Interfaces

    DSIs when there are no PPPoE, PPPoA, or PPPoEoA sessions to provide separation between layers and when subscriber management is required. For example, on an Ethernet VLAN, multiple subscribers can enter the network from a Wi-Fi hotspot, as shown in Figure 17 on page 587:
  • Page 625: Relationship To Shared Ip Interfaces

    A subscriber interface operates only with a primary IP interface—a normal IP interface on a supported layer 2 interface, such as Ethernet. You create a primary interface by assigning an IP address to the Ethernet interface. Although you can configure a subscriber
  • Page 626: Ethernet Interfaces And Vlans

    VLANs. Using subscriber interfaces, the router can demultiplex or separate the traffic associated with different subscribers. You can configure subscriber interfaces with VLANs. If you do so, the E Series router demultiplexes packets by using first the VLAN and then the subscriber interface.
  • Page 627: Moving Interfaces

    Internet Protocol (VoIP) service on network 10.11.0.0/16, or a local gaming service on network 10.12.0.0/16. Rate limits and policies on the subscriber interface customize the service level for the associated service.
  • Page 628: Differentiating Traffic For Vpns

    (one on virtual router B and one on virtual router A), the E Series router can separate the traffic from subnets A and B. Because the E Series router is forwarding traffic in this application, the shared IP interface should demultiplex the traffic by using a source address.
  • Page 629: Subscriber Interfaces Platform Considerations

    See E120 and E320 Module Guide, Table 1, Modules and IOAs for detailed module specifications. See E120 and E320 Module Guide, Appendix A, IOA Protocol Support for information about the modules that support subscriber interfaces.
  • Page 630: Interface Specifiers

    DHCP Servers The DHCP event that triggers dynamic creation of subscriber interfaces occurs when either a local DHCP server or external DHCP server assigns an IP address to a subscriber
  • Page 631: Dhcp Local Server And Address Allocation

    IP address and immediately allocates the subscriber an IP address from one of the local address pools. In equal-access mode, the DHCP local server works with Juniper Networks Session and Resource Control (SRC) software and the authorization, accounting, and address assignment utility to provide an advanced subscriber configuration and management service.
  • Page 632: Packet Detection

    You can configure the period of time by issuing the ip inactivity-timer command. To configure dynamic creation of subscriber interfaces on GRE tunnel interfaces, see “Configuring Dynamic Subscriber Interfaces” on page 603.
  • Page 633: Designating Traffic For The Primary Ip Interface

    IP interface, an entry for the MAC source address is installed in the MAC validation table when MAC address validation is enabled (either loose or strict) on the static primary IP interface. For each packet received on this interface,
  • Page 634: Configuration Of Mac Address Validation State Inheritance

    Verification of MAC Address Validation State Inheritance To verify inheritance of the MAC address validation state on a dynamic subscriber interface, you can use the show ip mac-validate interface command and the show arp command.
  • Page 635: Configuring Static Subscriber Interfaces

    In this application, a local VoIP service is on network 10.11.0.0/16, and a local gaming service is on network 10.12.0.0/16.
  • Page 636: Figure 22: Subscriber Interfaces Using A Destination Address To Demultiplex

    Configure the primary interface to use a destination address to demultiplex traffic. (By default, a source address is used to demultiplex traffic.) host1(config-if)#ip demux-type da-prefix Exit Interface Configuration mode. host1(config-if)#exit Configure subscriber interface IP1. Create the shared IP interface.
  • Page 637: Using A Source Address To Demultiplex Traffic

    10.12.0.0 255.255.0.0 Using a Source Address to Demultiplex Traffic Figure 23 on page 600 shows how you can use static subscriber interfaces to differentiate traffic for VPN access, based on the traffic’s source address.
  • Page 638: Figure 23: Subscriber Interfaces Using A Source Address To Demultiplex

    Create a primary IP interface. host1(config-if)#ip address 10.1.1.1 255.255.255.0 Exit Interface Configuration mode. host1(config-if)#exit Configure subscriber interface IP1. Create the shared IP interface. host1(config)#virtual-router vra Proceed with new virtual-router creation? [confirm] yes host1:vra(config)#interface ip ip1
  • Page 639 Use the specified name to refer to the shared IP interface; you cannot use the layer 2 interface to refer to the shared IP interface, because the shared interface can be moved. Example host1(config)#interface ip si0
  • Page 640 The shared interface is operationally up when the layer 2 interface is operationally up and IP is properly configured. You can create operational shared IP interfaces in the absence of a primary IP interface. Example host1(config-if)#ip share-interface atm 5/3.101
  • Page 641: Configuring Dynamic Subscriber Interfaces

    Use the no version to remove the association between the interface and the specified IP source address and mask. See ip source-prefix Configuring Dynamic Subscriber Interfaces You can configure dynamic subscriber interfaces in the following configurations:
  • Page 642: Configuring Dynamic Subscriber Interfaces Over Ethernet

    Figure 24: IP over Ethernet Dynamic Subscriber Interface Configuration Configuring Dynamic Subscriber Interfaces over VLANs To configure a dynamic subscriber interface in an IP over VLAN over Ethernet configuration by using DHCP events, perform the following steps:
  • Page 643: Figure 25: Ip Over Vlan Over Ethernet Dynamic Subscriber Interface

    (Optional) Specify the source address of traffic that is destined for the primary IP interface. host1(config-if)#ip source-prefix 192.168.2.10 255.255.255.0 Figure 25 on page 605 shows the interface stack built for this configuration. Figure 25: IP over VLAN over Ethernet Dynamic Subscriber Interface Configuration
  • Page 644: Configuring Dynamic Subscriber Interfaces Over Bridged Ethernet

    (Optional) Specify the source address of traffic that is destined for the primary IP interface. host1(config-subif)#ip source-prefix 192.168.2.20 255.255.255.0 Figure 26 on page 607 shows the interface stack built for this configuration.
  • Page 645: Configuring Dynamic Subscriber Interfaces Over Gre Tunnels

    100 (Optional) Specify the source address of traffic that is destined for the primary IP interface. host1(config-subif)#ip source-prefix 192.168.2.1 255.255.255.0 Figure 27 on page 608 shows the interface stack built for this configuration.
  • Page 646: Dynamic Subscriber Interface Configuration Example

    10.20.0.0 255.255.192.0 Specify the router to forward traffic from the IP addresses to destinations on other subnets. host1(config-dhcp-local)#default-router 10.20.32.1 Exit DHCP Local Pool Configuration mode. host1(config-dhcp-local)#exit Configure a loopback interface. host1(config)#interface loopback 0
  • Page 647 Use to specify the IP address of the router for the subscriber’s computer to use for traffic destined for locations beyond the local subnet. Specify the IP address of a primary server, and optionally, specify the IP address of a secondary server. Example
  • Page 648 Use the no version to remove the ATM interface or subinterface. See interface atm interface fastEthernet Use to select a Fast Ethernet (FE) interface on a line module or an SRP module. Example host1(config)#interface fastEthernet 1/0
  • Page 649 1.1.0.0/16 subnet is forwarded to the SRP module by the line module. Although the SRP module responds only to traffic destined to the 1.1.1.1 subnet and discards traffic to all other host IP addresses within that subnet (1.1.1.1/16), if no
  • Page 650 The primary interface is not assigned to a subscriber by default. You can issue this command from Interface Configuration mode, Subinterface Configuration mode, or Profile Configuration mode. Example host1(config-if)#ip auto-configure ip-subscriber include-primary
  • Page 651 A timer value of 0 specifies that dynamically created subscriber interfaces are never deleted by the inactivity timer. Example host1(config-if)#ip inactivity-timer 100 Use the no version to restore the default, in which the inactivity timer feature is disabled. See ip inactivity-timer ip source-prefix
  • Page 652 Use the no version to disable the use of framed routes when creating dynamic subscriber interfaces associated with this primary IP interface. See ip use-framed-routes ip-subscriber network Use to specify the IP addresses that the DHCP local server can provide from an address pool. Example host1(config-dhcp-local)#network 10.10.1.0 255.255.255.0
  • Page 653 Specify a VLAN ID number that is in the range 0–4095 and is unique within the Ethernet interface. Issue the vlan id command before you configure any upper-layer interfaces, such as Example host1(config-if)#vlan id 400 There is no no version. See vlan id
  • Page 655: Monitoring Subscriber Interfaces

    Table 136 on page 617 lists the show ip demux interface command output fields. Table 136: show ip demux interface Output Fields Field Name Field Description Prefix/Length Source or destination addresses that the subscriber interface demultiplexes SA/DA Demultiplexing method for subscriber interface
  • Page 656: Monitoring Active Ip Subscribers Created By Subscriber Management

    WED AUG 23 20:46:24 2006 3000.0001.9365 13631489 Interface Service Profile Profile Option 82 ---------- --------- --------- ---------------- 2835349506 myProfile profile22 FastEthernet 3/1 Meaning Table 137 on page 619 lists the show ip-subscriber command output fields.
  • Page 657: Table 137: Show Ip-Subscriber Output Fields

    IP service profile name used by subscriber management to authorize and configure the subscriber interface with AAA Option 82 DHCP relay agent information (option 82) circuit identifier that describes the physical interface location associated with the subscriber Related Topics show ip-subscriber
  • Page 659: Managing Subscriber Services

    PART 6 Managing Subscriber Services Configuring Service Manager on page 623 Monitoring Service Manager on page 687
  • Page 661: Configuring Service Manager

    Service Manager supports two client types—RADIUS and CLI. Service Manager starts when it receives a request from a RADIUS or CLI client. For RADIUS clients, RADIUS Access-Accept messages and Change-of-Authorization-Request (CoA-Request)
  • Page 662: Service Manager Terms And Acronyms

    A macro file that defines a named parameterized description of a service; used to create a service instance and the resulting subscriber service session; can include a combination of parameters such as policy lists, rate-limit profiles, QoS profiles, and interface profiles
  • Page 663: Service Manager Platform Considerations

    For information about creating IPv4 interface profiles, see the Configuring IP chapter in JunosE IP, IPv6, and IGP Configuration Guide. Service Manager Configuration Tasks To use the Service Manager application to create subscriber service sessions, you perform the following tasks: Create and manage service definitions
  • Page 664 Create and apply optional service session profiles Enable statistics collection Activate the service session Deactivate service sessions Figure 28 on page 627 shows the sequence of operations you use to create and monitor subscriber service sessions.
  • Page 665: Service Definitions

    Interface profiles—Specify a set of characteristics that can be dynamically assigned to IP interfaces. A service definition must use at least one interface profile. Policy lists—Specify policy actions for traffic traversing an interface.
  • Page 666: Creating Service Definitions

    Optional Collects output statistics from policy manager Can be a list of clacls activate-profile Required Specifies the interface profile used on activation of the service Deletion of the profile is Service Manager’s responsibility
  • Page 667 Collects output statistics associated with the external group from policy manager Both the external parent group and the corresponding hierarchical policy parameter must be specified Can be multiple pairs of external parent groups and hierarchical policy parameters
  • Page 668: Managing Your Service Definitions

    NVS card. Install—You must install the service definition before you can use it to create a service session. During installation, Service Manager precompiles the definition and extracts
  • Page 669 NVS, and install the updated file. All subsequent service sessions use the new service definition file. However, currently active service sessions continue to use the original definition file until the sessions are deactivated, then reactivated. Example 1—Installing
  • Page 670: Referencing Policies In Service Definitions

    Specifying QoS Profiles in a Service Definition You can configure one QoS profile per subscriber interface. We recommend that you specify the QoS profile in the first set of services applied to the subscriber's interface.
  • Page 671: Configuring A Qos Profile For Service Manager

    Specifying QoS Profiles in a Service Definition After you configure a QoS profile for Service Manager, you can reference it in a service definition. For example: profile <# eastcoast ; '\n' #> qos-profile <# video; '\n' #>
  • Page 672: Specifying Qos Parameter Instances In A Service Definition

    Use the add keyword in Profile Configuration mode to add a value to an existing parameter instance. Use the initial-value keyword to create a new instance with the specified value. Examples host1(config)#profile video host1(config-profile)#qos-parameter max-subscriber-bandwidth initial-value 15000
  • Page 673: Specifying Qos Parameter Instances In A Service Definition

    If it finds a parameter instance, it adds bandwidth2 (3,000,000) to the current value. If Service Manager does not find a parameter instance, it creates one with an initial value of 1,000,000 and adds 3,000,000. The final parameter instance value is 4,000,000.
  • Page 674: Modifying Qos Configurations With Service Manager

    By the second deactivation, the parameter has a negative value (-4000000). NOTE: We recommend that you do not configure negative values for Service Manager.
  • Page 675: Modifying Qos Configurations In A Single Service Manager Event

    Each row represents new QoS profiles and parameter instances; columns represent existing QoS profiles and parameter instances. Table 142: Configuration Within a Single Service Manager Event Profile RADIUS Service Manager Profile – – RADIUS – Service Manager
  • Page 676: Modifying Qos Configurations Using Other Sources

    SNMP, the SRC software, and the CLI, but not those created by Service Manager. Conversely, QoS profiles and parameter instances configured through RADIUS can be overwritten by any source (SNMP, the SRC software, CLI, and Service Manager).
  • Page 677: Removing Qos Configurations Referenced By Service Manager

    QoS profile and parameter instances, Service Manager automatically removes the following QoS configurations in the following order: QoS profiles Scheduler profiles Queue profiles Drop profiles Statistics profiles Service Manager does not automatically remove the following QoS configurations: Parameter definitions Traffic classes
  • Page 678: Qos For Service Manager Considerations

    10 subscriber sessions when the Service Manager license is not enabled. If you disable the Service Manager license and more than 10 subscriber sessions exist, you cannot enable any new sessions—however, all existing active subscriber sessions continue to function.
  • Page 679: Managing And Activating Service Sessions

    10 subscriber sessions. The license is a unique string of up to 15 alphanumeric characters. NOTE: Obtain the license from Juniper Networks Customer Service or your Juniper Networks sales representative.
  • Page 680: Using Radius To Activate Subscriber Service Sessions

    Access-Accept message to start Service Manager and activate the service when the subscriber logs in. For the RADIUS CoA method, the service provider uses a CoA-Request message to activate and deactivate the service for the subscriber who is already logged in.
  • Page 681: Service Manager Radius Attributes

    Table 144 on page 644 lists the Service Manager-related attributes and indicates which are tagged VSAs. See “Using Tags with RADIUS Attributes” on page 646 for a discussion about using tagged VSAs to group attributes for a service.
  • Page 682: Table 144: Service Manager Radius Attributes

    Acct-Start statistics are associated Acct-Stop Interim-Acct [26-140] Service-Interim-Acct- Access-Accept Number of seconds between Interval accounting updates for a service; a CoA-Request tagged VSA [31] Calling-Station-ID Access-Accept Uniquely identifies the subscriber session
  • Page 683: Table 145: Sample Radius Access-Accept Packet

    (service-statistics value of 2). Also, accounting for the service is updated every 600 seconds (10 minutes). Table 145: Sample RADIUS Access-Accept Packet RADIUS Attribute Value username none client1@isp1.com class none (binary data) service-activation tiered(1280000, 5120000) service-timeout 18000 service-statistics service-interim-acct-interval
  • Page 684: Using Tags With Radius Attributes

    Table 146: Using Tags RADIUS Attribute Value username none client1@isp1.com class none (binary data) service-activation tiered(1280000, 5120000) service-timeout 18000 service-statistics service-interim-acct-interval service-activation voice(100000) service-timeout 1440 service-interim-acct-interval 1200
  • Page 685: Using Radius To Deactivate Service Sessions

    Instead, Service Manager checks the volume in 10-second intervals and deactivates a service session at the end of the 10-second period in which the output byte count reaches the volume threshold. For example, if a threshold is
  • Page 686: Using The Deactivate-Service Attribute

    The Service Manager mutex service feature enables you to activate and deactivate multiple services with a single CoA-Request message. A CoA-Request message can have more than one service activation request—the multiple service requests might be from
  • Page 687: Configuring A Mutex Service

    10000 traffic-class best-effort profile <# name; '\n' #> ip policy secondary-input <# name #> statistics enabled merge ip policy output <# oname #> statistics enabled merge qos-profile triplePlayIP qos-parameter maxSubscBW <# outputBW; '\n' #>
  • Page 688: Combined And Independent Ipv4 And Ipv6 Services In A Dual Stack Overview

    IPv6 services. In this release, the Service Manager application on the E Series router supports authentication, service selection, and service activation and deactivation to subscribers for both IPv4 and IPv6 protocols in a dual stack configuration.
  • Page 689 To configure a service macro to be used for IPv4 and IPv6 interfaces in a dual stack, specify the following object in the macro definition file. The profile identifier returned from the activate-profile object is applied to both IPv4 and IPv6 interfaces. <# env.setResult("service-interface-type", ipv4-ipv6 ) #>
  • Page 690: Activation And Deactivation Of Ipv4 And Ipv6 Services In A Dual Stack

    The combined service session is active if either of the two conditions is satisfied: Both the IPv4 and IPv6 interfaces are up Either the IPv4 or IPv6 interface is up
  • Page 691: Performance Impact On The Router And Compatibility With Previous Releases For An Ipv4 And Ipv6 Dual Stack

    For detailed information about Service Manager statistics, see “Configuring Service Manager Statistics” on page 667.
  • Page 692: Configuring Service Interim Accounting

    You can use the aaa service accounting interval command to specify the default service interim accounting interval. Service Manager uses this interval value for service accounting when the Service-Interim-Acct-Interval attribute is not configured.
  • Page 693: Table 148: Determining The Service Interim Accounting Interval

    Acct-Start message for a subscriber session without any active services does not include the Service-Session attribute. Table 149: Sample Acct-Start Message for a Service Session RADIUS Attribute Sample Value acct-status-type username client1@isp1.com event-timestamp 1112191723 acct-delay-time nas-identifier ERX-01-00-06 acct-session-id erx FastEthernet 12/0:0001048580:002478
  • Page 694 100.20.0.1 framed-ip-netmask 0.0.0.0 ingress-policy-name (vsa) forwardAll egress-policy-name (vsa) forwardAll calling-station-id #ERX-01-00-06#E12#0 acct-input-gigawords acct-input-octets 4032 acct-output-gigawords acct-output-octets 2163 acct-input-gigapackets (vsa) acct-input-packets acct-output-gigapackets (vsa) acct-output-packets nas-port-type nas-port 3221225472 nas-port-id FastEthernet 12/0 acct-authentic acct-session-time acct-service-session tiered(1280000, 5120000)
  • Page 695 The default interval is applied on a virtual router basis—this setting is used for all users who attach to the corresponding virtual router. Specify the user accounting interval, in the range 10–1440 minutes. The default setting is 0, which disables the feature. Example host1(config)#aaa user accounting interval 20
  • Page 696: Overview

    RADIUS to activate the service for your subscribers. Preprovisioning Service Manager services—preprovisioning improves performance and efficiency by freeing Service Manager from having to repeatedly create and remove a
  • Page 697: Using The Cli To Activate Subscriber Service Sessions

    Use to activate a service for an existing subscriber by identifying the owner used to create the subscriber session and specifying the service session to use. The subscriber session must exist before you use this command.
  • Page 698 Use the no version to deactivate service sessions based on owner information. See “Using the CLI to Deactivate Subscriber Service Sessions” on page 665 for more information about deactivating subscriber service sessions. See service-management owner-session service-management subscriber-session service-session
  • Page 699: Preprovisioning Services

    Typically, when you use a service definition to activate a subscriber’s service session, Service Manager uses resources to build that service. However, if you later use the same service definition to activate a service session for a second subscriber, Service
  • Page 700: Using Service Session Profiles

    NOTE: The volume and time attributes use values captured by the Service Manager statistics feature to determine when the threshold is exceeded. Service Manager collects time statistics by default—you must configure and enable volume statistics collection. See “Configuring Service Manager Statistics” on page 667.
  • Page 701 Use the volume-time keyword to collect statistics about both the volume of traffic and the duration of the service session. Example host1(config)#service-management service-session-profile vodISP1 host1(config-service-session-profile)#statistics volume-time Use the no version to disable statistics collection.
  • Page 702 See “Configuring Service Manager Statistics” on page 667. The range is 0–16777251MB. Example host1(config)#service-management service-session-profile vodISP1 host1(config-service-session-profile)#volume 1000000 Use the no version to delete the volume attribute from the service session profile. See volume
  • Page 703: Using The Cli To Deactivate Subscriber Service Sessions

    This is the no version of the service-management owner-session command. See service-management owner-session no service-management subscriber-session service-session Use to gracefully deactivate service sessions for a subscriber. Use the subscriber’s username and interface, not the subscriber session ID, for graceful deactivation.
  • Page 704: Forcing Immediate Deactivation Of Subscriber Service Sessions

    Then, you attach the service session profile when you activate the service session. When the specified threshold is reached, the service session is terminated. Copyright © 2010, Juniper Networks, Inc.
  • Page 705: Configuring Service Manager Statistics

    The format of the environment command is: <# env.setResult("string", "classifier-list-name") #>
  • Page 706 Each time statistics are reported for this service, Service Manager uses the total of the statistics for clacl1, clacl2, and clacl3. <# env.setResult("output-stat-clacl", "clacl1 clacl2 clacl3") #>
  • Page 707: Enabling Statistics Collection with RADIUS

    The captured statistics are now used when you use the Service Manager show service-management commands. For example:
    host1# show service-management subscriber-session client1@isp1.com interface atm 4/0.1 service-session
    User Name: client1@isp1.com, Interface: atm 4/0.1
    Service : tiered(1000000,2000000)
    Non-volatile : False
    Owner : CLI
  • Page 708: External Parent Group Statistics Collection Setup

    You can specify multiple pairs of external parent groups and hierarchical policies in the command. The policy-parameter-name variable is the name of the hierarchical
  • Page 709: Service Manager Performance Considerations

    Capture volume statistics when needed—Repeatedly capturing volume statistics can waste resources. Service Definition Examples This section provides examples of service definition macro files. Commented text explains the parameterized values in the examples. Each example is followed by examples of
  • Page 710: Tiered Service Example

    The following example shows a sample service definition macro file that creates a video-on-demand service—the service provides bandwidth that meets the needs of video streams. The definition creates the bandwidth towards the subscriber and parameterizes the source of the video feed.
  • Page 711: Voice-over-IP Service Definition Example

    <# name #> <# protType #> any <#upDA #> 0.0.0.0 eq <# upDPort; '\n' #> policy-list <# name; '\n' #> classifier-group <# name #> precedence 2000 traffic-class voice forward classifier-list <# oname #> <# protType #> any <#downDA #> 0.0.0.0 eq <# downDPort; '\n' #>
  • Page 712: Guided Entrance Service Example

    Or, a limited service for young children that restricts access to safe, closely monitored, age-appropriate Web sites. Figure 32 on page 675 shows the sequence of actions that take place during a guided entrance service.
  • Page 713: Guided Entrance Service Definition Example

    <# genericName := "SM-X-" $ serviceTag $ uid #> <# genericInputName := "SM-I-" $ serviceTag $ uid #> <# genericOutputName := "SM-O-" $ serviceTag $ uid #> <# claclName := genericName #> <# profileName := genericName #>
  • Page 714: Using CoA Messages with Guided Entrance Services

    If you configure a guided entrance service, you must also ensure that the router’s RADIUS dynamic-request server is enabled and supports CoA messages. See “Configuring RADIUS Dynamic-Request Server” on page 231, for information about the RADIUS dynamic-request server and CoA messages.
  • Page 715: Configuring the HTTP Local Server to Support Guided Entrance

    IPv6 packets. However, the HTTP local server can listen for both IPv4 and IPv6 exception packets on the same port, simultaneously. To configure the HTTP local server to support guided entrance for IPv4:
  • Page 716 (Optional) Specify a standard IP access list that defines which subscribers can connect to the HTTP local server. host1:west40(config)#ip http access-class chicagoList (Optional) Specify the port on which the HTTP local server receives connection attempts. host1:west40(config)#ipv6 http port 8080
  • Page 717 Use to allow only subscribers on the specified standard IP access list to connect to the HTTP local server. Example host1(config)#ip http access-class chicagoList Use the no version to remove the association between the access list and the HTTP local server. See ip http access-class ip http max-connection-time
  • Page 718 Otherwise, the URL redirect operation will fail. Example host1(config-if)#ip http redirectUrl http://ispsite.redirect.com Use the no version to restore the default, which disables the HTTP redirect feature. See ip http redirectUrl ip http same-host-limit
  • Page 719 However, you must first disable the HTTP local server and then modify the port. Specify a port number in the range 1–65535. Example host1(config)#ipv6 http port 8080 Use the no version to restore the default port number, 80. See ipv6 http port. ipv6 http redirectUrl
  • Page 720: Combined IPv4 and IPv6 Service in a Dual Stack Example

    IPv4 and IPv6 subscribers are allocated a total of 64 Kbps. The common rate limit cannot drop voice-over-IP packets, but must limit the total flow (for IPv4 and IPv6 interfaces) to 64 Kbps.
  • Page 721: Figure 33: Input Traffic Flow with Rate-Limit Profile on an External Parent Group

    #>-vb-in one-rate hier committed-rate <# inBw #><# '\n' #> committed-action transmit unconditional conformed-action transmit unconditional parent-group vb-v4v6-<# uid #>-in rate-limit-profile rlpv4v6-<# genericName #>-vb-in parent-group vb-v4v6-<# uid #>-out rate-limit-profile rlpv4v6-<# genericName #>-vb-out
  • Page 722 (yellow) packets and a token bucket for committed (green) packets. The following are the attributes configured in the rate-limit profile applied to ingress and egress interfaces: The committed rate for the rate-limit profile is entered as a specified value.
  • Page 723 The service definition macro is configured to collect input and output statistics associated with external parent groups in a hierarchical policy for IPv4 and IPv6 subscribers as follows: <# env.setResult("secondary-input-stat-epg", "vb-v4v6-"$ uid $"-in v4v6-"$ uid $"") #> <# env.setResult("output-stat-epg", "vb-v4v6-"$ uid $"-out v4v6-"$ uid $"") #>
  • Page 724 10.0.0.1—Host IP address for IPv4 subscribers, denoted as VBG1 in the macro 2001::1—Host IP address for IPv6 subscribers, denoted as VB6G1 in the macro vlan—Interface on which the service is configured, denoted as NODE in the macro
  • Page 725: Monitoring Service Manager

    To set a baseline: Include the baseline ip http command at the User Exec or Privilege Exec level: host1#baseline ip http There is no no version.
  • Page 726: Monitoring the Connections to the HTTP Local Server

    Purpose Display information about the configuration of the HTTP local server. Action To display information about the HTTP local server:
    host1#show ip http server
    Admin status: enabled
    Access class: not defined
    Listening port: 80
  • Page 727: Monitoring Statistics for Connections to the HTTP Local Server

    Http connections terminated: 2
    Http connections aged out: 1
    Urls successfully served: 0
    Malformed http requests: 0
    Urls not found: 0
    Meaning Table 154 on page 690 lists the show ip http statistics command output fields.
  • Page 728: Monitoring Profiles for the HTTP Local Server

    To display information about the redirect URL used by the HTTP local server:
    host1#show profile name guidedProfile2
    Profile : guidedProfile2
    Auto Detect : Disabled
    Auto Configure : Disabled
    IP FlowStats : Disabled
    Ip http redirect Url : myredirect.html
    Ipv6 http redirect Url: myredirect.html
  • Page 729: Monitoring the Default Interval for Interim Accounting of Services

    Display the status of the Service Manager license. Action To display the status of the Service Manager license: host1#show license service-management service management license is set Meaning Table 157 on page 692 lists the show license service-management command output fields.
  • Page 730: Monitoring Profiles for Service Manager

    Name of output policy and whether statistics are enabled or disabled qos-parameter Name and value of the QoS parameter assigned to the profile qos-profile Name of the QoS profile assigned to the profile Related Topics show profile
  • Page 731: Monitoring IPv4 and IPv6 Interfaces for Service Manager

    ND RA interval is 200 seconds, lifetime is 1800 seconds
    ND RA managed flag is disabled, other config flag is disabled
    ND RA advertising prefixes configured on interface
    In Received Packets 0, Bytes 0
    Unicast Packets 0, Bytes 0
  • Page 732: Table 159: Show IP Interface Output Fields

    Http Redirect Url: http://www.juniper.net Meaning Table 159 on page 694 lists the show ip interface command output fields. Table 159: show ip interface Output Fields Field Name Field Description interface Interface type and specifier.
  • Page 733 Number of packets unsuccessfully fragmented IP Statistics Sent generated Number of packets generated no routes Number of packets that could not be routed discards Number of packets that could not be routed and were discarded
  • Page 734 Source quench packets sent redirect Send packets redirect timestamp req Requests for a timestamp timestamp rpy Replies to timestamp requests addr mask req Address mask requests addr mask rpy Address mask replies
  • Page 735 Packets discarded on a receive IP interface because of internal fabric congestion Out Forwarded Packets, Bytes Total number of packets and bytes forwarded out of the IP interface Unicast Packets, Bytes Unicast packets and bytes forwarded out of the IP interface
  • Page 736: Table 160: Show IPv6 Interface Output Fields

    Link local address Local IPv6 address of this interface Network Protocols Network protocols configured on this interface IPv6 Statistics Rcvd local destination Frames with this router as destination hdr errors Number of packets containing header errors
  • Page 737 Received packet redirects echo requests Echo request (ping) packets echo replies Echo replies received rtr solicits Number of received router solicitations rtr advertisements Number of received router advertisements neighbor solicits Number of received neighbor solicitations
  • Page 738 Operational MTU Value of the MTU Administrative MTU Value of the MTU if it has been administratively overridden using the configuration
  • Page 739 Unicast packets and bytes received on the IP interface; link-local received multicast packets (non-multicast-routed frames) are counted as unicast packets. Multicast Packets, Bytes Multicast packets and bytes received on the IP interface which are then multicast-routed are counted as multicast packets.
  • Page 740 Packets discarded on the egress interface because of a configuration problem rather than a problem with the packet itself IPv6 policy Type (input, output, local-input) and name of policy rate-limit-profile Name of profile classifier-group entry Entry index
  • Page 741: Monitoring Service Definitions

    Reference Count: 0
    To display summary information for all service definitions:
    host1#show service-management service-definition brief
    Service Definitions
    -------------------
    Filename     Service                    Installed  Reference Count
    ----------   -------------------------  ---------  ---------------
    video.mac    video(inputbw, outputbw)   True
    tiered.mac   tiered(inputbw, outputbw)  True
  • Page 742: Monitoring Service Session Profiles

    Service Session Profiles
    ------------------------
    Name     Volume  Time  Statistics
    -------  ------  ----  -----------
    tiered1  20000   1000  Volume-Time
    tiered2  20000   1000  Time
    video1   15000   1000  Volume-Time
    video4                 Disabled
    To display information for a particular service session profile:
  • Page 743: Monitoring Active Owner Sessions with Service Manager

    AAA 4194332 Active False
    CLIENT8@ISP.COM ip 192.168.0.9 AAA 4194333 Active False
    To display information for a particular owner:
    host1# show service-management owner-session aaa 4194326
    User Name: CLIENT1@ISP.COM, Interface: ip 192.168.0.1
    Owner/Id: AAA/4194326
    Non-volatile: False
  • Page 744: Table 163: Show Service-Management Owner-Session Output Fields

    RADIUS-based service sessions are not stored in NVS Service Sessions Number of service sessions currently active for this subscriber Operation Last operation that Service Manager performed Service Name of the service, with parameter values in parentheses
  • Page 745 Input Packets Current value of input packets that the statistics configuration is measuring Output Packets Current value of output packets that the statistics configuration is measuring Related Topics show service-management owner-session
  • Page 746: Monitoring Active Subscriber Sessions with Service Manager

    Poll Expire : 0
    Activate Time : THU MAR 02 01:21:26 2006
    Time : 0
    Time Expire : 0
    Volume MBytes: 2
    Volume Expire MBytes : 1
    Input Bytes : 594
    Output Bytes : 1196
  • Page 747: Table 164: Show Service-Management Subscriber-Session Output Fields

    Number of service sessions currently active for this subscriber Operation Last operation that Service Manager performed Service Name of the service, with parameter values in parentheses Activate Indicates whether the last operation was activate (True) or deactivate (False)
  • Page 748: Monitoring the Number of Active Subscriber and Service Sessions with Service Manager

    Related Topics show service-management subscriber-session Monitoring the Number of Active Subscriber and Service Sessions with Service Manager Purpose Display the total number of active subscriber and service sessions configured on your router.
  • Page 749: Table 165: Show Service-Management Summary Output Fields

    Table 165: show service-management summary Output Fields Field Name Field Description Total Subscriber Sessions Number of active subscriber sessions on the router Total Service Sessions Number of active service sessions on the router Related Topics show service-management summary
  • Page 751 PART 7 Index Index on page 715
  • Page 753: Index

    See also show aaa commands aaa authentication default........27, 39 AAA default tunnel parameters aaa authentication enable default....311, 316 L2TP transmit connect speed........396 aaa authentication login...........318 aaa delimiter..............11 aaa dhcpv6-delegated-prefix delegated-ipv6-prefix..........87 aaa dns primary.............49
  • Page 754 Prefix Delegation............57 mapping to domain name..........55 with Framed-IPv6-Prefix attribute ranges.................52 for Prefix Delegation..........87 address-pool-name command........55 with IPv6-NdRa-Prefix attribute agent circuit ID (suboption 1)..........495 for IPv6 Neighbor Discovery......87 agent remote ID (suboption 2)........495
  • Page 755 DHCP (Dynamic Host Configuration Protocol) description................5 proxy client and server..........4 TACACS+................311 IP hinting................9 authorization change command........238 limiting active subscribers..........86 local address server............4 manually setting NAS-Port-Type......65 mapping address pool to domain......55 mapping backup address pool to domain...55
  • Page 756 RADIUS Bearer Type AVP attributes..............184 relaying in L2TP tunnel-switched client-name command..........355, 358 network.............385, 387 BOOTP (bootstrap protocol)..........483 bootstrap protocol. See BOOTP
  • Page 757 Deactivate-Service (RADIUS attribute ip dhcp-external 26-66).............644, 648, 677 re-authenticate-subscriber-interface.....523 deadtime command..............29 ip dhcp-external default domain name..............8 recreate-subscriber-interface....513, 519 default-router command..........609 ip inactivity-timer............609 default-upper-type mlppp command......370 set ip interface-profile..........576 Delegated-Ipv6-Prefix (RADIUS attribute 123)..210
  • Page 758 IP address....460 netbios-node-type............474 logging information............470 network................474 modes................457 reserve................474 monitoring.............537, 561 server-address..............474 overview................457 snmpTrap................474 RADIUS accounting support for......457 use-release-grace-period.........474 RADIUS accounting support for standalone warning................474 mode................89
  • Page 759 DNS (Domain Name System) dhcpv6 delete-binding command.........479 assigning IP addresses..........118 DHCPv6 local address pools See IPv6 local address overview................49 pools DNS addresses DHCPv6 local server order of preference IPv6..................477 in allocation to clients........103
  • Page 760 115, 124, 417 interoperate with DHCP relay and DHCP relay mapping user requests without domain proxy ................520 name................8, 9 configuring DHCP external server to none..................9 preserve..............513, 519 specifying single name for users.......16
  • Page 761 DHCPv6 prefixes include dhcp-option 82..........571 delegated to clients...........106 include hostname............571 Extensible Authentication Protocol. See EAP
  • Page 762 594, 609 ip http same-host-limit..........677 ip auto-detect ip-subscriber........571 ip http server..............677 ip demux-type.............600 IP interfaces ip destination-prefix......574, 600, 602 creating................600 ip dhcp-local pool............609 IP interfaces that support PPP clients ip inactivity-timer............574 configuring................58 ip local alias..............56
  • Page 763 IPv6 services viewing..............158 in a dual stack guidelines for configuration........101 activating...............652 limitation on combined and independent number of allocated prefixes......106 configuration...........650
  • Page 764 L2TP access concentrator. See LAC references..............408 l2tp commands..............377 route.................402 disconnect-cause............377 session................402 failover-resync .............385 target................402 l2tp checksum..............339 trigger................402 l2tp destination lockout-test........361 l2tp destination lockout-timeout......361
  • Page 765 AAA domain maps....388 before configuring..........337, 367 applying through AAA tunnel groups....389 configuring..............368 applying through RADIUS........390 configuring receive window size (RWS).....379 AVP relay, configuring........385, 387 installing multiple service modules......374 configuration guidelines...........385 modules supported.............376 configuring..............387 out-of-resource result codes........373
  • Page 766 LNS.........373 MBS (RADIUS attribute 26-17)........214 Output-Gigawords (RADIUS attribute 53)....201 media access control addresses. See MAC override-user command..........16, 17 addresses medium ipv4 command..........355, 358 merging policies packet detection dynamic subscriber naming conventions...........632 interfaces................594
  • Page 767 DNS addresses for Prefix Delegation..........104 to IPv6 clients............103 primary authentication/accounting RADIUS in determining local address pool server................23, 69 for allocation of IPv6 prefixes......103 primary IP interface.............587 privilege authentication, TACACS+.........311 profile commands profile................632
  • Page 768 PPP over ATM radius include dhcp-gi-address......202 interfaces..............78 radius include dhcp-mac-address.......202 VSAs (vendor-specific attributes) radius include dhcp-options........202 for dynamic IP interfaces........78 radius include formats..............256 downstream-calculated-qos-rate.....221 radius include dsl-forum-attributes.....228
  • Page 769 DHCPv6 Prefix Delegation......87 radius include for IPv6 Neighbor Discovery......87 upstream-calculated-qos-rate......221 verifying radius include framed-ip-netmask......196 for DHCPv6 Prefix Delegation......146 radius nas-identifier............195 for IPv6 Neighbor Discovery......146 radius nas-port-format........184, 250
  • Page 770 IPv6 prefixes........100 combined, deactivating........652 assigning prefixes to combined, overview..........650 using IPv6 local address pools......104 in a dual stack, activating........652 receipt of IPv6 prefixes in a dual stack, overview.........650 from delegating routers........100 independent, activating........652 retransmit command............33
  • Page 771 666 layer2-unicast-replies........490, 506 service-management install........630 set dhcp relay options..........506 service-management owner-session....658 set dhcp relay override..........506 service-management set dhcp relay service-session-profile.........662 preserve-trusted-client-option......506 service-management subscriber-session set dhcp relay proxy...........509 service-session............658 set dhcp relay trust-all..........506
  • Page 773 See also show sscc commands show radius route-download statistics....140 standalone DHCP local server........460
  • Page 774 PPP over ATM........79 configuration............604 translate command...............65 monitoring...............617 transmit connect speed, L2TP. See L2TP transmit overview connect speed dynamic..............592 tunnel static...............588 defined..............329, 331 static.................597 selection, L2TP.............362 subscribers switching.................376 accounting messages..........173 authorization and authentication messages..............165
  • Page 775 L2TP..........352, 356 walled garden. See guided entrance UDP (User Datagram Protocol) Web access to E Series router.........449 checksums............22, 32, 146 Windows Internet Name Service. See WINS udp-port command...........34, 240, 246
  • Page 776 WINS, assigning IP addresses........49, 118
