Juniper JUNOSE 11.2.X IP SERVICES Manuals
Manuals and User Guides for Juniper JUNOSE 11.2.X IP SERVICES. We have 1 Juniper JUNOSE 11.2.X IP SERVICES manual available for free PDF download: Configuration Manual
Juniper JUNOSE 11.2.X IP SERVICES Configuration Manual (356 pages)
for E Series Broadband Services Routers - IP Services Configuration
Brand: Juniper | Category: Software | Size: 5.23 MB
Table of Contents
Table of Contents
7
List of Figures
19
About the Documentation
23
Audience
23
E Series and JunosE Documentation and Release Notes
23
E Series and JunosE Text and Syntax Conventions
23
Table 1: Notice Icons
24
Table 2: Text and Syntax Conventions
24
About the Documentation
25
Documentation Feedback
25
Obtaining Documentation
25
Requesting Technical Support
25
Opening a Case with JTAC
26
Self-Help Online Tools and Resources
26
Chapters
27
Configuring Routing Policy
29
Overview
29
Platform Considerations
30
References
30
Route Maps
30
Route Map Configuration Example
31
Multiple Values in a Match Entry
32
Figure 1: Applying Route Maps to Routes
32
Chapter 1 Configuring Routing Policy
33
Negating Match Clauses
33
Matching a Community List Exactly
34
Removing Community Lists from a Route Map
34
Matching a Policy List
35
Redistributing Access Routes
35
Setting Multicast Bandwidths
35
Match Policy Lists
45
Access Lists
46
Filtering Prefixes
46
Configuration Example 1
47
Configuration Example 2
47
Configuration Example 3
48
Figure 2: Filtering with Access Lists
48
Figure 3: Filtering with AS-Path Access Lists
49
Figure 4: Route Map Filtering
50
Using Access Lists for PIM Join Filters
55
Clearing Access List Counters
56
Creating Table Maps
56
Table 3: Match and Set Policy Values
56
Prefix Lists
58
Using the Null Interface
58
Configuration Example 1
50
Using Access Lists in a Route Map
50
Filtering AS Paths
48
Configuration Example 1
49
Using a Prefix List
59
Prefix Trees
61
Using a Prefix Tree
61
Community Lists
63
Table 4: Action Based on Well-Known Community Membership
63
Figure 5: Community Lists
64
Table 5: Supported Regular Expression Metacharacters
69
Regular Expression Examples
70
Using Metacharacters as Literal Tokens
70
Table 6: Sample Regular Expressions
71
Managing the Routing Table
73
Troubleshooting Routing Policy
73
Monitoring Routing Policy
74
Configuring NAT
87
Overview
87
Module Requirements
88
Platform Considerations
88
References
88
Basic NAT
89
Configuring NAT
89
NAPT
89
NAT Configurations
89
Traditional NAT
89
Bidirectional NAT
90
Network and Address Terms
90
Twice NAT
90
Extended Community Lists
66
AS-Path Lists
68
Using Regular Expressions
68
Community Lists
69
Community Numbers
69
Metacharacters
69
Chapter 2 Configuring NAT
91
Inside Global Addresses
91
Inside Local Addresses
91
Inside Source Translation
91
Outside Global Addresses
91
Outside Local Addresses
91
Outside Source Translation
91
Understanding Address Translation
91
Address Assignment Methods
92
Dynamic Translations
92
Inside-To-Outside Translation
92
Order of Operations
92
Static Translations
92
Outside-To-Inside Translation
93
PPTP and GRE Tunneling through NAT
93
Before You Begin
94
Configuring a NAT License
94
Packet Discard Rules
94
Defining Static Address Translations
95
Limiting Translation Entries
95
Specifying Inside and Outside Interfaces
95
Creating Static Inside Source Translations
96
Creating Static Outside Source Translations
96
Creating Access List Rules
97
Defining Dynamic Translations
97
Defining Address Pools
98
Defining Dynamic Translation Rules
99
Creating Dynamic Inside Source Translation Rules
100
Creating Dynamic Outside Source Translation Rules
100
Defining Translation Timeouts
101
Clearing Dynamic Translations
102
NAPT Example
102
NAT Configuration Examples
102
Figure 6: NAPT Example
103
Figure 7: Bidirectional NAT Example
104
Figure 8: Twice NAT Example
106
Cross-VRF Example
107
Figure 9: Cross-VRF Example
107
Clients on an Inside Network
109
Clients on an Outside Network
109
Figure 10: PPTP Tunnels on an Inside Network
109
Tunnel Configuration through NAT Examples
109
Displaying the NAT License Key
110
Figure 11: PPTP Tunnels on an Outside Network
110
GRE Flows through NAT
110
Monitoring NAT
110
Displaying Translation Statistics
111
Displaying Translation Entries
112
Displaying Address Pool Information
114
Displaying Inside and Outside Rule Settings
115
Twice NAT Example
105
Bidirectional NAT Example
104
Chapter 3 Configuring J-Flow Statistics
117
Interface Sampling
117
Overview
117
Aggregation Caches
118
Flow Collection
118
Main Flow Cache Contents
118
Configuring J-Flow Statistics
119
Cache Flow Export
119
Aging Flows
119
Operation with NAT
119
Operation with High Availability
120
Platform Considerations
120
Before You Configure J-Flow Statistics
120
Configuring Flow-Based Statistics Collection
120
Enabling Flow-Based Statistics
121
Enabling Flow-Based Statistics on an Interface
121
Defining a Sampling Interval
121
Setting Cache Size
123
Defining Aging Timers
123
Specifying the Activity Timer
123
Specifying the Inactivity Timer
123
Specifying Flow Export
124
Configuring Aggregation Flow Caches
124
Monitoring J-Flow Statistics
127
Clearing J-Flow Statistics
127
J-Flow Show Commands
127
Chapter 4 Configuring BFD
133
How BFD Works
134
Negotiation of the BFD Liveness Detection Interval
134
Configuring BFD
135
BFD Platform Considerations
136
BFD References
136
Configuring a BFD License
136
BFD Version Support
137
Table 7: Determining BFD Versions
137
Configuring BFD
138
Managing BFD Adaptive Timer Intervals
138
Clearing BFD Sessions
139
Monitoring BFD
140
System Event Logs
140
Viewing BFD Information
141
Configuring IPsec
145
IPsec Terms and Acronyms
145
Overview
145
Configuring BFD
133
Bidirectional Forwarding Detection Overview
133
Table 8: IPsec Terms and Abbreviations
145
Chapter 5 Configuring IPsec
147
Platform Considerations
147
References
147
IPsec Concepts
148
Secure IP Interfaces
148
Figure 12: IPsec Tunneling Stack
149
IPsec Protocol Stack
149
RFC 2401 Compliance
149
Figure 13: IPsec Tunneling Packet Encapsulation
150
Security Parameters
150
Table 9: Security Parameters Used on Secure IP Interfaces
150
Figure 14: IPsec Security Parameters in Relation to the Secure IP Interface
151
Manual Versus Signaled Interfaces
151
Operational Virtual Router
152
Table 10: Security Parameters Per IPsec Policy Type
152
Transport Virtual Router
152
Perfect Forward Secrecy
153
Lifetime
154
Inbound and Outbound SAs
155
Transform Sets
155
Table 11: Supported Transforms
156
Table 12: Supported Security Transform Combinations
157
Table 13: Initiator Proposals and Policy Rules
161
Authentication Mode
162
Encryption
162
Hash Function
162
Priority
162
Diffie-Hellman Group
163
Generating Private and Public Key Pairs
163
IKE SA Negotiation
163
Lifetime
163
Configuration Tasks
164
Configuring an IPsec License
164
Configuring IPsec Parameters
165
Creating an IPsec Tunnel
168
Configuring DPD and IPsec Tunnel Failover
173
Defining an IKE Policy
174
Refreshing SAs
177
Configuration Examples
178
Configuration Notes
178
Enabling Notification of Invalid Cookies
178
Figure 15: Customer A's Corporate Frame Relay Network
179
Figure 16: ISP-X Uses ERX Routers to Connect Corporate Offices over the
179
Figure 17: Connecting Customers Who Use Similar Address Schemes
182
AH Processing
158
ESP Processing
158
IP Security Policies
158
Other Security Features
158
DPD and IPsec Tunnel Failover
159
IPsec Maximums Supported
159
Tunnel Failover
159
IKE Overview
160
Main Mode and Aggressive Mode
160
Aggressive Mode Negotiations
161
IKE Policies
161
Monitoring IPsec
186
Show Commands
186
System Event Logs
186
Chapter 6 Configuring Dynamic IPsec Subscribers
195
Dynamic Connection Setup
195
Overview
195
Dynamic Connection Teardown
196
Dynamic IPsec Subscriber Recognition
196
Licensing Requirements
196
Configuring Dynamic IPsec Subscribers
197
Inherited Subscriber Functionality
197
Using IPsec Tunnel Profiles
197
Platform Considerations
198
Relocating Tunnel Interfaces
198
User Authentication
198
Configuring Digital Certificates
199
Creating an IPsec Tunnel Profile
199
References
199
Configuring IPsec Tunnel Profiles
200
Limiting Interface Instantiations on each Profile
200
Setting the IKE Local Identity
200
Specifying IKE Settings
200
Appending a Domain Suffix to a Username
201
Setting the IKE Peer Identity
201
Overriding IPsec Local and Peer Identities for SA Negotiations
202
Specifying an IP Profile for IP Interface Instantiations
202
Defining the Server IP Address
203
Specifying Local Networks
203
Defining IPsec Security Association Lifetime Parameters
204
Defining User Reauthentication Protocol Values
204
Specifying IPsec Security Association PFS and DH Group Parameters
205
Specifying IPsec Security Association Transforms
205
Defining IKE Policy Rules for IPsec Tunnels
206
Defining the Tunnel MTU
206
Specifying a Virtual Router for an IKE Policy Rule
206
Defining Aggressive Mode for an IKE Policy Rule
207
Monitoring IPsec Tunnel Profiles
207
Show Commands
208
System Event Logs
208
Chapter 7 Configuring ANCP
211
Access Topology Discovery
212
Line Configuration
212
Transactional Multicast
212
Configuring ANCP
211
Overview
211
Configuring ANCP
213
Learning the Partition ID from an Access Node
213
OAM
213
Platform Considerations
213
Retrieval of DSL Line Rate Parameters
213
Accessing L2C Configuration Mode for ANCP
214
Configuring ANCP
214
Creating a Listening TCP Socket for ANCP
214
References
214
Configuring ANCP Interfaces
215
Defining the ANCP Session Timeout
215
Learning the Access Node Partition ID
215
Accessing L2C Neighbor Configuration Mode for ANCP
216
Configuring ANCP Neighbors
216
Defining an ANCP Neighbor
217
Limiting Discovery Table Entries
217
Clearing ANCP Neighbors
218
Configuring ANCP for QoS Adaptive Mode
218
Configuring Topology Discovery
218
Triggering ANCP Line Configuration
219
Adjusting the Data Rate Reported by ANCP for DSL Lines
220
Configuring Transactional Multicast for IGMP
220
ANCP IGMP Configuration Example
221
Creating an IGMP Session for ANCP
221
Figure 18: Using ANCP with an Access Node
221
Table 14: Digital Certificate Terms and Acronyms
231
Platform Considerations
232
References
232
Complete Configuration Example
222
Monitoring ANCP
223
Triggering ANCP OAM
223
Configuring Digital Certificates
231
Digital Certificate Terms and Acronyms
231
Overview
231
Chapter 8 Configuring Digital Certificates
233
IKE Authentication with Digital Certificates
233
Signature Authentication
233
Generating Public/Private Key Pairs
234
Obtaining a Root CA Certificate
234
Obtaining a Public Key Certificate
235
Offline Certificate Enrollment
235
Online Certificate Enrollment
235
Authenticating the Peer
236
Verifying CRLs
236
Certificate Chains
237
File Extensions
237
Table 15: Outcome of IKE Phase 1 Negotiations
237
Table 16: File Extensions (Offline Configuration)
237
Configuration Tasks
238
IKE Authentication Using Public Keys Without Digital Certificates
238
Public Key Format
238
Configuring Digital Certificates Using the Offline Method
239
Configuring Digital Certificates Using the Online Method
245
Configuring Peer Public Keys Without Digital Certificates
250
Monitoring Digital Certificates and Public Keys
254
Chapter 9 Configuring IP Tunnels
263
DVMRP Tunnels
264
ERX7xx Models, ERX14xx Models, and the ERX310 Router
264
Module Requirements
264
Platform Considerations
264
E120 Router and E320 Router
265
Redundancy and Tunnel Distribution
265
References
265
Configuration Tasks
266
Configuration Example
268
Configuring IP Tunnels to Forward IP Frames
269
Preventing Recursive Tunnels
269
Creating Multicast VPNs Using GRE Tunnels
270
Figure 20: Transport and Tunnel Networks Using Different Routing Protocols
270
Monitoring IP Tunnels
270
Configuring Dynamic IP Tunnels
277
Dynamic IP Tunnel Overview
277
Data MDT for Multicast VPNs and Dynamic IP Tunnels
278
Mobile IP and Dynamic IP Tunnels
278
Configuring IP Tunnels
263
Overview
263
GRE Tunnels
263
Figure 19: IP Tunneling
263
Chapter 10 Configuring Dynamic IP Tunnels
279
Combining Dynamic and Static IP Tunnels in the same Chassis
279
Changing and Removing Existing Dynamic IP Tunnels
279
Platform Considerations
279
Module Requirements
280
ERX7xx Models, ERX14xx Models, and the ERX310 Router
280
E120 Router and E320 Router
280
Redundancy and Tunnel Distribution
281
References
281
Configuring a Destination Profile for Dynamic IP Tunnels
281
Modifying the Default Destination Profile
281
Modifying the Configuration of the Default Destination Profile
282
Configuring a Destination Profile for GRE Tunnels
282
Creating a Destination Profile for DVMRP Tunnels
282
Monitoring Dynamic IP Tunnels
285
Chapter 11 IP Reassembly for Tunnels
295
Overview
295
ERX7xx Models, ERX14xx Models, and the ERX310 Router
296
Figure 21: Tunneling through an IP Network that Fragments Packets
296
Module Requirements
296
Platform Considerations
296
Configuring IP Reassembly
297
E120 Router and E320 Router
297
Displaying Statistics
298
Monitoring IP Reassembly
298
Setting Statistics Baselines
298
Overview
301
Securing L2TP and IP Tunnels with IPsec
301
Tunnel Creation
301
Chapter 12 Securing L2TP and IP Tunnels with IPsec
301
IPsec Secured-Tunnel Maximums
302
Platform Considerations
302
Module Requirements
302
References
302
Securing L2TP and IP Tunnels with IPsec
303
L2TP/IPsec Tunnels
303
Figure 22: L2TP with IPsec Application
304
Figure 24: L2TP Control Frame Encapsulated by IPsec
305
Figure 25: L2TP Data Frame Encapsulated by IPsec
305
Group Preshared Key
306
LNS Change of Port
306
NAT Passthrough Mode
306
NAT Traversal
306
Figure 26: L2TP Control Frame with NAT-T UDP Encapsulation
307
How NAT-T Works
307
UDP Encapsulation
307
Figure 27: L2TP Data Frame with NAT-T UDP Encapsulation
308
NAT Keepalive Messages
308
UDP Statistics
308
Configuring and Monitoring NAT-T
309
Single-Shot Tunnels
309
Table 17: Configuration and Monitoring Tasks for NAT-T
309
Configuration Tasks for Client PC
310
Configuration Tasks for E Series Routers
310
Table 18: Differences in Handling Timeout Periods for L2TP/IPsec Tunnels
310
Enabling IPsec Support for L2TP
311
Configuring NAT-T
312
Configuring Single-Shot Tunnels
313
Configuration Tasks
314
GRE/IPsec and DVMRP/IPsec Tunnels
314
Setting up the Secure GRE or DVMRP Connection
314
Configuring IPsec Transport Profiles
315
Enabling IPsec Support for GRE and DVMRP Tunnels
315
Monitoring DVMRP/IPsec, GRE/IPsec, and L2TP/IPsec Tunnels
320
Show Commands
320
System Event Logs
320
Configuring the Mobile IP Home Agent
329
Mobile IP Overview
329
Home Address Assignment
330
Mobile IP Agent Discovery
330
Mobile IP Registration
330
Figure 23: L2TP/IPsec Connection
304
L2TP with IPsec Control and Data Frames
304
Setting up the Secure L2TP Connection
304
Client Software Supported
305
Compatibility and Requirements
305
Interaction between IPsec and PPP
305
Interactions with NAT
305
Chapter 13 Configuring the Mobile IP Home Agent
331
Authentication
331
AAA
331
Subscriber Management
332
Mobile IP Routing and Forwarding
332
Mobile IP Platform Considerations
333
Mobile IP References
333
Before You Configure the Mobile IP Home Agent
333
Configuring the Mobile IP Home Agent
334
Monitoring the Mobile IP Home Agent
339
Index
345
Index
347
Related Products
Juniper JUNOSE 11.2.X MULTICAST ROUTING
Juniper JUNOSE 11.2.X BGP AND MPLS
Juniper JUNOSE 11.2
Juniper JUNOSE 11.1.X BGP AND MPLS
Juniper JUNOSE 11.1.X IP SERVICES
Juniper JUNOSE 11.0.X IP SERVICES
Juniper JUNOSE 11.1.X MULTICAST ROUTING
Juniper JUNOSe 11.1
Juniper JUNOSE 11.0
Juniper JUNOSe 11.0.1