Summary of Contents for Juniper JUNOSE 11.1.X - BROADBAND ACCESS CONFIGURATION GUIDE 6-4-2010
Page 1
JUNOSe Software for E Series Broadband Services Routers Broadband Access Configuration Guide Release 11.1.x Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 408-745-2000 www.juniper.net Published: 2010-04-06...
Page 2
Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
Page 3
AND (B) YOU MAY CONTACT JUNIPER NETWORKS REGARDING LICENSE TERMS. 1. The Parties. The parties to this Agreement are (i) Juniper Networks, Inc. (if the Customer’s principal office is located in the Americas) or Juniper Networks (Cayman) Limited (if the Customer’s principal office is located outside the Americas) (such applicable entity being referred to herein as “Juniper”), and (ii) the person or organization that originally purchased from Juniper or an authorized Juniper reseller the applicable license(s) for use of the Software (“Customer”)
Page 4
(“GPL”) or the GNU Library General Public License (“LGPL”)), Juniper will make such source code portions (including Juniper modifications, as appropriate) available upon request for a period of up to three years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194 http://www.gnu.org/licenses/gpl.html...
Page 5
agreements relating to the Software, whether oral or written (including any inconsistent terms contained in a purchase order), except that the terms of a separate written agreement executed by an authorized Juniper representative and Customer shall govern to the extent such terms are inconsistent or conflict with terms contained herein.
Page 7
Abbreviated Table of Contents About the Documentation xxxvii Part 1 Managing Remote Access Chapter 1 Configuring Remote Access Chapter 2 Monitoring and Troubleshooting Remote Access Part 2 Managing RADIUS and TACACS+ Chapter 3 Configuring RADIUS Attributes Chapter 4 Configuring RADIUS Dynamic-Request Server Chapter 5 Configuring RADIUS Relay Server Chapter 6...
Page 8
Part 5 Managing the Subscriber Environment Chapter 23 Configuring Subscriber Management Chapter 24 Monitoring Subscriber Management Chapter 25 Configuring Subscriber Interfaces Chapter 26 Monitoring Subscriber Interfaces Part 6 Managing Subscriber Services Chapter 27 Configuring Service Manager Chapter 28 Monitoring Service Manager Part 7...
Table of Contents About the Documentation xxxvii E Series and JUNOSe Documentation and Release Notes ......xxxvii Audience ....................xxxvii E Series and JUNOSe Text and Syntax Conventions .........xxxvii Obtaining Documentation ................xxxix Documentation Feedback .................xxxix Requesting Technical Support ..............xxxix Self-Help Online Tools and Resources ............xl Opening a Case with JTAC ...............xl Part 1 Managing Remote Access...
Page 10
Configuring RADIUS Authentication and Accounting Servers ......18 Server Access ..................18 Server Request Processing Limit .............19 Authentication and Accounting Methods ..........19 Supporting Exchange of Extensible Authentication Protocol Messages ..................20 Immediate Accounting Updates ..............21 Duplicate and Broadcast Accounting ............21 Configuring AAA Duplicate Accounting ..........22 Configuring AAA Broadcast Accounting ..........22 Overriding AAA Accounting NAS Information ........22...
Page 11
Using RADIUS Route-Download Server to Distribute Routes ......71 Format of Downloaded Routes ...............71 Framed-Route (RADIUS attribute 22) ..........72 Cisco-AVPair (Cisco VSA 26-1) ............72 How the Route-Download Server Downloads Routes ......72 Configuring the Route-Download Server to Download Routes ....72 Using the AAA Logical Line Identifier to Track Subscribers ......76 How the Router Obtains and Uses the LLID ..........76 RADIUS Attributes in Preauthentication Request ........77...
Page 12
Monitoring Domain and Realm Name Delimiters ........119 Monitoring Mapping Between User Domains and Virtual Routers ....119 Monitoring Tunnel Subscriber Authentication ..........121 Monitoring Routing Table Address Lookup ..........122 Monitoring the AAA Model ................122 Monitoring IP Addresses of Primary and Secondary DNS and WINS Name Servers ....................122 Monitoring AAA Profile Configuration ............123 Monitoring Statistics about the RADIUS Route-Download Server ....124...
Page 15
Configuring RADIUS Relay Server Support ..........255 Monitoring RADIUS Relay Server ..............257 Chapter 6 RADIUS Attribute Descriptions RADIUS IETF Attributes ................259 Juniper Networks VSAs ................265 DSL Forum VSAs ..................276 Pass Through RADIUS Attributes ..............277 RADIUS Attributes References ..............278 Chapter 7 Application Terminate Reasons AAA Terminate Reasons ................279...
Page 16
Chapter 8 Monitoring RADIUS Monitoring Override Settings of RADIUS IETF Attributes ......303 Monitoring the NAS-Port-Format RADIUS Attribute ........304 Monitoring the Calling-Station-Id RADIUS Attribute ........305 Monitoring the NAS-Identifier RADIUS Attribute ..........305 Monitoring the Format of the Remote-Circuit-ID for RADIUS .......306 Monitoring the Delimiter Character in the Remote-Circuit-ID for RADIUS ..306 Monitoring the Acct-Session-Id RADIUS Attribute ........306 Monitoring the DSL-Port-Type RADIUS Attribute .........307...
Page 17
Part 3 Managing L2TP Chapter 11 L2TP Overview L2TP Overview ....................335 L2TP Terminology ..................336 Implementing L2TP ..................337 Sequence of Events on the LAC ............337 Sequence of Events on the LNS .............338 Packet Fragmentation .................339 L2TP Platform Considerations ..............340 L2TP Module Requirements ................340 ERX7xx Models, ERX14xx Models, and the ERX310 Router ....340 E120 Router and E320 Router ..............341...
Page 18
Managing the L2TP Destination Lockout Process .........366 Modifying the Lockout Procedure ............366 Verifying That a Locked-Out Destination Is Available ......368 Configuring a Lockout Timeout .............368 Unlocking a Destination that is Currently Locked Out ......368 Starting an Immediate Lockout Test .............369 Managing Address Changes Received from Remote Endpoints ....369 Configuring LAC Tunnel Selection Parameters ..........370...
Page 19
Configuration Tasks ................396 Enabling Tunnel Switching on the Router ........396 Configuring L2TP Tunnel Switch Profiles ........396 Applying L2TP Tunnel Switch Profiles by Using AAA Domain Maps ..................397 Applying L2TP Tunnel Switch Profiles by Using AAA Tunnel Groups ..................398 Applying Default L2TP Tunnel Switch Profiles ........399 Applying L2TP Tunnel Switch Profiles by Using RADIUS ....399 Configuring the Transmit Connect Speed Calculation Method .....400...
Page 20
Before You Configure L2TP Dial-Out ............419 Configuring L2TP Dial-Out ................419 Monitoring L2TP Dial-Out ................421 Chapter 15 L2TP Disconnect Cause Codes L2TP Disconnect Cause Codes ..............423 Chapter 16 Monitoring L2TP and L2TP Dial-Out Monitoring the Mapping for User Domains and Virtual Routers with AAA ..428 Monitoring Configured Tunnel Groups with AAA .........430 Monitoring Configuration of Tunnel Parameters with AAA ......432 Monitoring Global Configuration Status on E Series Routers ......433...
Page 21
Chapter 18 DHCP Local Server Overview Embedded DHCP Local Server Overview ............469 DHCP Local Server and Client Configuration .........469 Equal-Access Mode Overview ..............470 Local Pool Selection and Address Allocation .........470 The Connection Process ................471 Standalone Mode Overview .................472 Local Pool Selection and Address Allocation .........472 Server Management Table ..............474 DHCP Local Server Prerequisites ..............474...
Page 22
Using the Broadcast Flag Setting to Control Transmission of DHCP Reply Packets ...................498 Interaction with Layer 2 Unicast Transmission Method ....499 Preventing DHCP Relay from Installing Host Routes by Default ....500 Configuration Example Preventing Installation of Host Routes ..500 Including Relay Agent Option Values in the PPPoE Remote Circuit ID ....................501 Using the Giaddr to Identify the Primary Interface for Dynamic Subscriber...
Page 23
Configuring Interoperation with Ethernet DSLAMs ........529 Configuring the DHCP External Server to Support the Creation of Dynamic Subscriber Interfaces ................530 Configuring DHCP External Server to Control Preservation of Dynamic Subscriber Interfaces ................532 Configuring Dynamic Subscriber Interfaces for Interoperation with DHCP Relay and DHCP Relay Proxy ..............533 Deleting Clients from a Virtual Router’s DHCP Binding Table ......534 Configuring DHCP External Server to Uniquely Identify Clients with Duplicate...
Page 24
Monitoring Duplicate MAC Addresses Use By DHCP Local Server Clients ..577 Monitoring the Maximum Number of Available Leases .......578 Monitoring Static IP Address and MAC Address Pairs Supplied by DHCP Local Server ....................579 Monitoring Status of DHCP Applications ............580 Part 5 Managing the Subscriber Environment Chapter 23...
Page 25
Dynamic Creation of Subscriber Interfaces ..........610 DHCP Servers ..................611 DHCP Local Server and Address Allocation ........611 DHCP External Server and Address Allocation ........611 DHCP Relay Configuration .............612 Supported Configurations ...............612 Packet Detection ...................612 Designating Traffic for the Primary IP Interface ........613 Using Framed Routes ................613 Inheritance of MAC Address Validation State for Dynamic Subscriber Interfaces ..................613...
Page 26
Referencing QoS Configurations in Service Definitions ........651 Specifying QoS Profiles in a Service Definition ........651 Configuring a QoS Profile for Service Manager .......651 Specifying QoS Profiles in a Service Definition .......652 Specifying QoS Parameter Instances in a Service Definition ....652 Creating a Parameter Instance in a Profile ........652 Specifying QoS Parameter Instances in a Service Definition ...653 Modifying QoS Configurations with Service Manager ......654...
Page 27
Configuring Service Manager Statistics ............686 Setting Up the Service Definition File for Statistics Collection ....686 Enabling Statistics Collection with RADIUS ...........687 Enabling Statistics Collection with the CLI ..........688 External Parent Group Statistics Collection Setup ........689 Service Manager Performance Considerations ..........690 Service Definition Examples ................690 Tiered Service Example ................690 Video-on-Demand Service Definition Example ........691...
List of Figures Part 1 Managing Remote Access Chapter 1 Configuring Remote Access Figure 1: Local Address Pool Hierarchy ............54 Figure 2: Shared Local Address Pools ............55 Figure 3: Single PPP Clients per ATM Subinterface ........61 Figure 4: Multiple PPP Clients per ATM Subinterface ........62 Part 2 Managing RADIUS and TACACS+ Chapter 4...
Page 30
Figure 15: DHCP External Server ..............585 Chapter 25 Configuring Subscriber Interfaces Figure 16: Example of a Dynamic Interface Stack ........604 Figure 17: Example of a Dynamic Subscriber Interface .......605 Figure 18: Subscriber Interfaces over Ethernet ..........606 Figure 19: Subscriber Interfaces in a Cable Modem Network .......608 Figure 20: Associating Subnets with a VPN Using Subscriber Interfaces ..609 Figure 21: IP over Ethernet Dynamic Subscriber Interface Configuration ..612...
Page 31
List of Tables About the Documentation xxxvii Table 1: Notice Icons ................xxxviii Table 2: Text and Syntax Conventions ............xxxviii Part 1 Managing Remote Access Chapter 1 Configuring Remote Access Table 3: Username and Domain Name Examples .........16 Table 4: Local UDP Port Ranges by RADIUS Request Type ......19 Table 5: RADIUS IETF Attributes in Preauthentication Request .....78 Table 6: VSAs That Apply to Dynamic IP Interfaces ........82 Table 7: Traffic-Shaping VSAs That Apply to Dynamic IP Interfaces ....83...
Page 33
Table 67: show tacacs Output Fields ............331 Part 3 Managing L2TP Chapter 11 L2TP Overview Table 68: L2TP Terms .................336 Chapter 13 Configuring an L2TP LNS Table 69: L2TP-Resynch-Method RADIUS Attribute ........394 Table 70: Transmit Connect Speeds for L2TP over ATM 1483 Example ..403 Table 71: Transmit Connect Speeds for L2TP over Ethernet Example ..403 Table 72: Tunnel--Tx-Speed-Method RADIUS Attribute ........408 Chapter 14...
Page 34
Table 101: Router Configuration and Transmission of DHCP Reply Packets ....................499 Table 102: Effect of Commands on Option 82 Suboption Settings ....509 Chapter 22 Monitoring and Troubleshooting DHCP Table 103: show ip dhcp-local excluded Output Fields ........542 Table 104: show dhcp binding Output Fields ..........545 Table 105: show dhcp count Output Fields ..........547 Table 106: show dhcp host Output Fields ............549...
Page 35
Table 140: Sample Modifications Using the Add and Initial-Value Keywords ....................655 Table 141: Sample Modifications Using Parameter Instances ......655 Table 142: Configuration Within a Single Service Manager Event ....656 Table 143: Modifying QoS Configurations with Other Sources .....657 Table 144: Service Manager RADIUS Attributes ...........663 Table 145: Sample RADIUS Access-Accept Packet ........664 Table 146: Using Tags .................665...
If the information in the latest release notes differs from the information in the documentation, follow the JUNOSe Release Notes. To obtain the most current version of all Juniper Networks® technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/...
Table 1: Notice Icons
Icon (Meaning): Description
Informational note: Indicates important features or instructions.
Caution: Indicates a situation that might result in loss of data or hardware damage.
Warning: Alerts you to the risk of personal injury or death.
Laser warning: Alerts you to the risk of personal injury from a laser.
CD-ROMs or DVD-ROMs, see the Offline Documentation page at http://www.juniper.net/techpubs/resources/cdrom.html Copies of the Management Information Bases (MIBs) for a particular software release are available for download in the software image bundle from the Juniper Networks Web site at http://www.juniper.net/...
7 days a week, 365 days a year. Self-Help Online Tools and Resources For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features: Find CSC offerings: http://www.juniper.net/customers/support/...
Chapter 1 Configuring Remote Access This chapter describes how to configure remote access to a Juniper Networks E Series Broadband Services Router. This chapter discusses the following topics: Remote Access Overview on page 4 Remote Access Platform Considerations on page 5...
Configuring the SRC Client on page 94 Retrieval of DSL Line Rate Information from Access Nodes Overview on page 102 DHCPv6 Local Address Pools for Allocation of IPv6 Prefixes Overview on page 103 Configuring the DHCPv6 Local Address Pools on page 107 Using DHCPv6 Local Address Pools for Prefix Delegation over non-PPP Links Example on page 110 Remote Access Overview...
RADIUS server Local address server DHCP proxy client and server DHCP relay agent (Bridged IP only) DHCP local server DHCP external server For information about configuring DHCP support on the E Series router, see “DHCP Overview”...
Bridged Ethernet Layer 2 Tunneling Protocol (L2TP), both L2TP access concentrator (LAC) and L2TP network server (LNS) Remote Access References For more information about the topics covered in this chapter, see the following documents: RFC 2748 The COPS (Common Open Policy Service) Protocol (January 2000) RFC 2865 Remote Authentication Dial In User Service (RADIUS) (June 2000) RFC 3084 COPS Usage for Policy Provisioning (COPS-PR) (March 2001)
Configure an authentication server on the router. (Optional) Configure UDP checksums. (Optional) Configure an accounting server on the router. (Optional) Configure Domain Name System (DNS) and Windows Internet Name Service (WINS) name server addresses. (Optional) Configure a local address pool for remote clients. (Optional) Configure one or more DHCP servers.
Use to specify the B-RAS license. The license is a unique string of up to 15 alphanumeric characters. NOTE: Acquire the license from Juniper Networks Customer Service or your Juniper Networks sales representative. You can purchase licenses that allow up to 2,000, 4,000, 8,000, 16,000, 32,000, or 48,000 simultaneous active IP, LAC, and bridged Ethernet interfaces.
Mapping User Requests Without a Configured Domain Name You can map a domain name called none to a specific virtual router so that the router can map user names that do not contain a domain name. If a user request is submitted without a domain name, the router looks for a mapping between the domain name none and a virtual router.
To maintain flexibility, the redirection response may include idle time or session attributes that are considered as default unless the redirected authentication server overrides them. For example, if the RADIUS server returns the VR context along with an idle timeout attribute with the value set to 20 minutes, the router uses this idle timeout value unless the RADIUS server configured in the VR context returns a different value.
Page 51
Use to map a user domain name to an IP version 6 (IPv6) loopback interface. The local interface identifies the interface information to use on the local (E Series) side of the subscriber’s interface. Example host1(config)#aaa domain-map westford.com host1(config-domain-map)#ipv6-local-interface 2001:db8::8000 Use the no version to delete the entry.
Setting Up Domain Name and Realm Name Usage To provide flexibility in how the router handles different types of usernames, the software lets you specify the part of a username to use as the domain name, how the domain name is designated, and how the router parses names.
host1(config)#aaa delimiter domainName @! Using Either the Domain or the Realm as the Domain Name If the username contains both a realm name and a domain name delimiter, you can use either the domain name or the realm name as the domain name. As previously mentioned, the router treats usernames with multiple delimiters as though the realm name is to the left of the realm delimiter and the domain name is to the right of the domain delimiter.
Stripping the Domain Name The router provides a feature that strips the domain name from the username before it sends the name to the RADIUS server in an Access-Request message. You can enable or disable this feature using the strip-domain command. By default, the domain name is the text after the last @ character.
Use the no version to return to the default: right-to-left parsing for domain names and left-to-right parsing for realm names. See aaa parse-direction aaa parse-order Use to specify which part of a username the router uses as the domain name. If a user’s name contains both a realm name and a domain name, you can configure the router to use either name as the domain name.
username: usEast/userjohn@abc.com@xyz.com The router is configured with the following commands: host1(config)#aaa delimiter domainName @! host1(config)#aaa delimiter realmName / Table 3 on page 16 shows the username and domain name that result from the parsing action of the various commands. Table 3: Username and Domain Name Examples Resulting Domain Command...
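The delimiter, parse-direction, parse-order and strip-domain rules described above, worked through in code on the page's own example username. This is an added model written for this page, not Juniper code; the `AaaParseConfig` fields, the treatment of a username that carries only one of the two names, and the exact portion that strip-domain removes are this example's assumptions.

```python
"""Model of JUNOSe AAA username parsing: domain/realm delimiters, parse
direction, parse order, strip-domain and the 'none' domain map.
Added example for this page, not Juniper code."""
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class AaaParseConfig:
    # Assumed representation of the CLI settings quoted on the page.
    domain_delims: str = "@"                  # aaa delimiter domainName <chars>
    realm_delims: str = "/"                   # aaa delimiter realmName <chars>
    domain_direction: str = "right-to-left"   # default direction for domain names
    realm_direction: str = "left-to-right"    # default direction for realm names
    parse_order: str = "domain-first"         # "domain-first" or "realm-first"
    strip_domain: bool = False                # strip-domain command
    domain_map: dict = field(default_factory=dict)  # aaa domain-map name -> VR


def _find_delim(text: str, delims: str, direction: str) -> Optional[int]:
    """Index of the delimiter the parse direction selects: the last occurrence
    of any configured delimiter for right-to-left, the first for left-to-right."""
    positions = [i for i, ch in enumerate(text) if ch in delims]
    if not positions:
        return None
    return positions[-1] if direction == "right-to-left" else positions[0]


def parse_username(username: str, cfg: AaaParseConfig) -> dict:
    """Split a subscriber username into realm, user and domain, pick the name
    used as the domain name, map it to a virtual router, and build the
    username that would be sent to RADIUS."""
    # Domain name: text to the right of the chosen domain delimiter.
    d_idx = _find_delim(username, cfg.domain_delims, cfg.domain_direction)
    if d_idx is None:
        domain, left = None, username
    else:
        domain, left = username[d_idx + 1:], username[:d_idx]

    # Realm name: text to the left of the chosen realm delimiter in the rest.
    # 'left' is a prefix of username, so r_idx also indexes the full string.
    r_idx = _find_delim(left, cfg.realm_delims, cfg.realm_direction)
    if r_idx is None:
        realm, user = None, left
    else:
        realm, user = left[:r_idx], left[r_idx + 1:]

    # aaa parse-order decides which name is used as the domain name when both
    # are present. Assumption: with only one present, that one is used.
    if cfg.parse_order == "realm-first" and realm is not None:
        domain_name, source = realm, "realm"
    elif domain is not None:
        domain_name, source = domain, "domain"
    else:
        domain_name, source = realm, "realm" if realm is not None else None

    # strip-domain removes the part used as the domain name (and its
    # delimiter) from the name sent in the Access-Request (assumption on the
    # realm case, which the page does not spell out).
    radius_username = username
    if cfg.strip_domain and domain_name is not None:
        radius_username = username[:d_idx] if source == "domain" else username[r_idx + 1:]

    # A request without any domain name is looked up under the domain 'none'.
    map_key = domain_name if domain_name is not None else "none"
    return {
        "realm": realm,
        "user": user,
        "domain": domain,
        "domain_name": domain_name,
        "virtual_router": cfg.domain_map.get(map_key),
        "radius_username": radius_username,
    }


# Constructed sample configuration mirroring the page's example commands.
SAMPLE_CFG = AaaParseConfig(
    domain_delims="@!",
    realm_delims="/",
    domain_map={"xyz.com": "vrXyz", "usEast": "vrEast", "none": "default"},
)
PAGE_USERNAME = "usEast/userjohn@abc.com@xyz.com"

if __name__ == "__main__":
    for label, cfg in (
        ("default", SAMPLE_CFG),
        ("left-to-right domain", AaaParseConfig(domain_delims="@!", domain_direction="left-to-right")),
        ("realm-first", AaaParseConfig(domain_delims="@!", parse_order="realm-first")),
    ):
        print(label, parse_username(PAGE_USERNAME, cfg))
```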
Page 57
For example, if the domain name is xyz.com and you specify the password xyz_domain, the router associates the username xyz.com and the password xyz_domain with all users from xyz.com. Substitute one new username for each username and one new password for each existing password.
Configuring RADIUS Authentication and Accounting Servers The number of RADIUS servers you can configure depends on available memory. The order in which you configure servers determines the order in which the router contacts those servers on behalf of clients. Initially, a RADIUS client sends a request to a RADIUS authentication or accounting server.
Server Request Processing Limit You can configure RADIUS authentication servers and accounting servers to use different UDP ports on the router. This enables the same IP address to be used for both an authentication server and an accounting server. However, you cannot use the same IP address for multiple authentication servers or for multiple accounting servers.
If you specify the radius keyword followed by the none keyword when configuring authentication, AAA initially attempts to use RADIUS authentication. If no RADIUS servers are available, AAA uses no authentication. The JUNOSe software currently supports radius and none as accounting methods and radius, none, and local as authentication methods.
Framed-MTU (attribute 12) Used if AAA passes an MTU value to the internal RADIUS client State (attribute 24) Used in Challenge-Response messages from the external server and returned to the external server on the subsequent Access-Request Session-Timeout (attribute 27) Used in Challenge-Response messages from the external server EAP-Message (attribute 79) Used to fragment EAP strings into 253-byte...
Broadcast accounting Sends the accounting information to a group of virtual routers. An accounting virtual router group can contain up to four virtual routers and the E Series router supports a maximum of 100 virtual router groups. The accounting information continues to be sent to the duplicate accounting virtual router, if one is configured.
host1:vrXyz1(config)#virtual-router vrXyz2 host1:vrXyz2(config)#radius override nas-info host1:vrXyz3(config)#exit host1(config)# UDP Checksums Each virtual router on which you configure B-RAS is enabled to perform UDP checksums by default. You can disable and reenable UDP checksums. Collecting Accounting Statistics You can use the aaa accounting statistics command to specify how the AAA server collects statistics on the sessions it manages.
Page 64
Specify an authentication or accounting server secret. host1(config-radius)#key gismo (Optional) Specify the number of retries the router makes to an authentication or accounting server before it attempts to contact another server. host1(config-radius)#retransmit 2 (Optional) Specify the number of seconds between retries. host1(config-radius)#timeout 5 (Optional) Specify the maximum number of outstanding requests.
Page 65
(Optional) Specify the default authentication and accounting methods for the subscribers. host1(config)#aaa authentication ppp default radius none (Optional) Disable UDP checksums on virtual routers you configure for B-RAS. host1(config)#virtual-router boston host1:boston(config)#radius udp-checksum disable aaa accounting broadcast Use to enable AAA broadcast accounting on a virtual router.
Page 66
radius RADIUS accounting for the specified subscribers. none No accounting is done for the specified subscribers. radius none Multiple types of accounting; used in the order specified. For example, radius none specifies that RADIUS accounting is initially used; however, if RADIUS servers are not available, no accounting is done.
Page 67
Use to specify the default interval between updates for user and service interim accounting. NOTE: This command is deprecated and might be removed completely in a future release. Use the aaa user accounting interval command to specify the default interval for user accounting.
Page 68
Use the no version to delete the accounting virtual router group. See aaa accounting vr-group aaa authentication default Use to specify the authentication method used for a particular type of subscriber. Specify one of the following types of subscribers: atm1483 tunnel radius-relay...
Page 69
host1(config)#aaa duplicate-address-check enable There is no no version. See aaa duplicate-address-check aaa user accounting interval Use to specify the default interval between user accounting updates. The router uses the default interval when no value is specified in the RADIUS Acct-Interim-Interval attribute (RADIUS attribute 85).
Page 70
Use the no version of the command with the indexInteger parameter to delete a specific virtual router from a group. If all virtual routers in a group are deleted, the group is also deleted; a group must contain at least one virtual router. See aaa virtual-router deadtime Use to configure the amount of time (0–1440 minutes) that a server is marked...
Page 71
Use to issue an administrative reset to the user’s connection to disconnect the user. From Privileged Exec mode, you can log out all subscribers, or log out subscribers by username, domain, virtual-router, port, or icr-partition. This command applies to PPP users, as well as to non-PPP DHCP users.
Page 72
radius accounting server Use to specify the IP address of authentication and accounting servers. Example host1(config)#radius authentication server 10.10.10.1 host1(config-radius)#exit host1(config)#radius authentication server 10.10.10.2 host1(config-radius)#exit host1(config)#radius authentication server 10.10.10.3 host1(config-radius)#exit host1(config)#radius accounting server 10.10.10.20 host1(config-radius)#exit host1(config)#radius accounting server 10.10.10.30 Use the no version to delete the instance of the RADIUS server.
Page 73
Use the no version to restore inclusion of the NAS-IP-Address [4] and NAS-Identifier [32] RADIUS attributes of the virtual router that requested the accounting information. See radius override nas-info radius rollover-on-reject Use to specify whether the router rolls over to the next RADIUS server when the router receives an Access-Reject message for the user it is authenticating.
Page 74
host1(config)#radius update-source-addr 192.168.40.23 Use the no version to delete the parameter so that the router uses the router ID. See radius update-source-addr retransmit Use to set the maximum number of times (0–100) that the router retransmits a RADIUS packet to an authentication or accounting server.
Page 75
Use to set the number of seconds (1–1000) before the router retransmits a RADIUS packet to an authentication or accounting server. If the interval is reached and there is no response from the primary RADIUS authentication or accounting server, the router attempts another retry.
Use the no version to set the port number to the default value. See udp-port SNMP Traps and System Log Messages The router can send Simple Network Management Protocol (SNMP) traps to alert network managers when: A RADIUS server fails to respond to a request.
System Log Messages You do not need to configure system log messages. The router automatically sends them when individual servers do not respond to RADIUS requests and when all servers on a VR fail to respond to requests. The following are the formats of the warning level system log messages: RADIUS [ authentication | accounting ] server serverAddress unavailable in VR virtualRouterName [;...
Page 78
host1(config)#snmp-server community admin view everything rw host1(config)#snmp-server community private view user rw host1(config)#snmp-server community public view everything ro Specify the interface whose IP address is the source address for SNMP traps. host1(config)#snmp-server trap-source fastEthernet 0/0 Configure the host that should receive the SNMP traps.
Page 79
Use to enable or disable SNMP traps when a RADIUS authentication server fails to respond to a RADIUS Access-Request message. The associated SNMP object is rsRadiusClientTrapOnAuthServerUnavailable. Example host1(config)#radius trap auth-server-not-responding enable Use the no version to return to the default setting, disabled. See radius trap auth-server-not-responding radius trap auth-server-responding Use to enable RADIUS to send SNMP traps when a RADIUS authentication server...
Configuring Local Authentication Servers The AAA local authentication server enables the E Series router to provide local PAP and CHAP user authentication for subscribers. The router also provides limited authorization, using the IP address, IP address pool, and operational virtual router parameters.
Username Name associated with the subscriber. Passwords and secrets Single words that can be encrypted or unencrypted. Passwords use two-way encryption, and secrets use one-way encryption. Both passwords and secrets can be used with PAP authentication; however, only passwords can be used with CHAP authentication.
(Optional) Specify the type of encryption algorithm and the password or secret that the subscriber must use to connect to the router. A subscriber can be assigned either a password or a secret, but not both. For example: host1(config-local-user)#password 8 iTtakes2% (Optional) Specify the IP address to assign to the subscriber.
Configuration Commands
Use the following commands to configure the local authentication server.
aaa authentication default
Use to specify that the local authentication method is used to authenticate PPP subscribers on the default virtual router or on the selected virtual router.
NOTE: You can specify multiple authentication methods;...
aaa local username
Use to configure a user entry in the specified local user database and to enter Local User Configuration mode. The username must be unique within a particular database; however, the same username can be used in different databases.
Use to specify the virtual router parameter for a user entry in the local user database. The subscriber is assigned to the operational virtual router only if the default virtual router performs the authentication. If authentication is performed by a non-default virtual router, then the subscriber is assigned to the same virtual router that performs authentication, regardless of this parameter setting.
Use to add a secret to a user entry in the local user database. The secret is used to authenticate a subscriber, and is encrypted by means of the Message Digest 5 (MD5) encryption algorithm.
NOTE: CHAP authentication requires that passwords and secrets be stored in clear text or use two-way encryption.
host1(config-local-user)#username cksmith secret 5 Q3&t9REwk45jxSM#fj$z
Use the no version to delete the username entry from the default local user database.
See user-name
Local Authentication Example
This example creates a sample local authentication environment. The steps in this example:
Create a named local user database (westfordLocal40).
! Configuration script being generated on TUE NOV 09 2004 12:50:18 UTC
! Juniper Edge Routing Switch ERX-1400
! Version: 6.1.0 (November 8, 2004 18:31)
! Copyright (c) 1999-2004 Juniper Networks, Inc. All rights reserved.
! Commands displayed are limited to those available at privilege level 15
! NOTE: This script represents only a subset of the full system configuration.
! Configuration script being generated on TUE NOV 09 2004 13:09:03 UTC
! Juniper Edge Routing Switch ERX-1400
! Version: 6.1.0 (November 8, 2004 18:31)
! Copyright (c) 1999-2004 Juniper Networks, Inc. All rights reserved.
! Commands displayed are limited to those available at privilege level 15
! NOTE: This script represents only a subset of the full system configuration.
! Configuration script being generated on TUE NOV 09 2004 13:09:25 UTC
! Juniper Edge Routing Switch ERX-1400
! Version: 6.1.0 (November 8, 2004 18:31)
! Copyright (c) 1999-2004 Juniper Networks, Inc. All rights reserved.
! Commands displayed are limited to those available at privilege level 15
! NOTE: This script represents only a subset of the full system configuration.
The tunnel-subscriber authentication command has no effect on subscribers in a domain with no tunnel configuration. When a AAA domain map has no tunnel configuration, subscribers in the domain are authenticated by the authentication server. If the server grants access, then the subscribers get their tunnel settings only from the authentication server.
DNS Primary and Secondary NMS Configuration
To configure the DNS primary and secondary name server addresses:
Specify the IP address of the DNS primary name server.
host1(config)#aaa dns primary 10.10.10.5
or, for IPv6,
host1(config)#aaa ipv6-dns primary 2001:db8::8001
Specify the IP address of the DNS secondary name server.
Use the no version to set the corresponding address to 0 (or ::).
See aaa ipv6-dns
aaa ipv6-dns secondary
Use to specify the IPv6 address of the DNS secondary name server.
Example
host1(config)#aaa ipv6-dns secondary 2001:db8::8002
Use the no version to set the corresponding address to 0 (or ::).
Configuring Local Address Servers
The local address server allocates IP addresses from a pool of addresses stored locally on the router. You can optionally configure shared local address pools to obtain addresses from a DHCP local address pool that is in the same virtual router. Addresses are provided automatically to client sessions requiring an IP address from a virtual router that is configured to use a local address pool.
Local Address Pool Aliases
An alias is an alternate name for an existing local address pool. It comprises an alias name and a pool name. When the AAA server requests an IP address from a specific local address pool, the local address server first verifies whether an alias exists for the requested pool.
The DHCP attributes do not apply to shared local address pools; for example, the lease time for shared local address pools is infinite. When you delete the referenced DHCP address pool, DHCP notifies the local address server and logs out all subscribers that are using addresses from the deleted pool.
host1(config-domain-map)#backup-address-pool-name backup_poolB
(Optional) Map the domain name to the IPv6 local address pool, which is used for prefix delegation. If the authentication server returns the prefix pool name in the Framed-Ipv6-Pool attribute of the RADIUS-Accept-Request message, this value overrides the IPv6 local pool configured using the ipv6-prefix-pool-name command.
Use to specify the name of the backup local address pool from which the router allocates addresses for the domain that you are configuring, if the primary local address pool is fully allocated. The backup local address pool takes effect only if you configured a valid primary local address pool.
You can modify an existing alias with a different local address pool name. When a local address pool is deleted, all aliases with the matching pool name are also deleted.
Example
host1(config)#ip local alias groupB pool-name addrpool_10
Use the no version to remove the alias name.
Example
host1(config)#ip local shared-pool sharedPool11 dhcpPool6
Use the no version to delete a specific local shared address pool.
See ip local shared-pool
ipv6-prefix-pool-name
Use to specify the name of the IPv6 local address pool from which the delegating router allocates prefixes to the requesting routers for the domain that you are configuring.
DHCP relay proxy
DHCP local server
DHCP external server
For more information about DHCP, see “DHCP Overview Information” on page 461.
Creating an IP Interface
You can configure IP interfaces that support the following configurations:
A single PPP client per ATM or Frame Relay subinterface
Multiple PPP clients per ATM subinterface
Single Clients per ATM Subinterface...
Configure PAP or CHAP authentication.
host1(config-if)#ppp authentication chap
Assign a profile to the PPP interface.
host1(config-subif)#profile foo
Multiple Clients per ATM Subinterface
Figure 4 on page 62 shows how PPPoE supports multiplexing of multiple PPP sessions per ATM subinterface.
host1(config-if)#encapsulation ppp
Configure PAP or CHAP authentication.
host1(config-if)#ppp authentication chap
Apply the profile to the PPP interface.
host1(config-subif)#profile foo2
Configure the subinterface for a second PPP client.
host1(config-if)#interface atm 0/1.20.2
Configure PPP encapsulation.
host1(config-if)#encapsulation ppp
Configure PAP or CHAP authentication.
NOTE: There are two domain names with special meaning. The domain name none indicates that there is no domain name present in the subscriber’s name. For more information about none, see the section “Mapping User Requests Without a Valid Domain Name”...
Searches restrictToABC for a match on the domain name default.
Finds a match and denies the user access.
Using Domain Name Aliases
You can translate an original domain name to a new domain name via the translate command.
Searches forwardToXyz for a match on the domain name default.
Finds a match and continues as normal using the domain name xyz.com.
NOTE: If there is no matching entry in the AAA profile for the user’s domain name or for the domain name default, then AAA continues processing as if there were no AAA profile.
Searches toAbc for a match on the PPP subscriber’s domain name and finds a match.
Continues as normal using the domain name abc.com.
NOTE: If there is no matching entry in the AAA profile for the user’s domain name or for the domain name default, then AAA continues processing as if there were no AAA profile.
Use the no version to negate the command.
See deny
ppp aaa-profile
Use to assign an AAA profile to static and dynamic, multilink and nonmultilink PPP interfaces. The PPP application associates the AAA profile with the interface and passes the AAA profile to AAA for authentication.
Manually Setting NAS-Port-Type Attribute
You can manually configure the NAS-Port-Type RADIUS attribute (attribute 61) in AAA profiles for ATM and Ethernet interfaces. Doing so allows AAA profiles to determine the NAS port type for a given connection. To set the NAS-Port-Type attribute for ATM or Ethernet interfaces:
Create an AAA profile.
wireless-other
wireless-umts Wireless universal mobile telecommunications system (UMTS)
xdsl DSL of unknown type
Example
host1(config-aaa-profile)#nas-port-type atm wireless-80211
Use the no version to remove the NAS-Port-Type setting for ATM interfaces.
See nas-port-type atm
nas-port-type ethernet
Use to specify the RADIUS NAS-Port-Type attribute (61) for Ethernet interfaces.
host1(config-aaa-profile)#service-description bos-xyzcorp
aaa profile
Use to create and configure a AAA profile.
Example
host1(config)#aaa profile xyzCorpPro2
Use the no version to delete the AAA profile.
See aaa profile
service-description
Use to specify a description that is associated with the AAA profile. The description can be transmitted to RADIUS in the Service-Description attribute (26-53). The service description can be a maximum of 64 characters.
The route-download server accepts downloaded routes in either the Framed-Route attribute (RADIUS attribute 22) or the Cisco-AVpair attribute (Cisco VSA 26-1).
Downloaded Route Format Examples
Framed-Route (RADIUS attribute 22)
NAS-1 Password = "14raddlsvr"
User-Service-Type = Outbound-User
Framed-Route = "192.168.3.0 255.255.255.0 null0"...
to start the download process each day, how often to download routes, and how long to wait after a download error before retrying the process. To configure a RADIUS route-download server:
Specify the IP address and the key of the RADIUS server from which you want to download routes.
download interval
The amount of time the route-download server waits between route download operations. The newly created server downloads routes as soon as the IP protocol is active on the virtual router that performs the route download operation, and then repeats the download operation every 720 minutes by default.
Example
host1#aaa route-download now force adjust-scheduler
There is no no version.
See aaa route-download now
aaa route-download suspend
Use to temporarily suspend the RADIUS route-download server operation.
Example
host1#aaa route-download suspend
Use the no version to restore the route download operation.
See aaa route-download suspend
clear ip routes download
Use to synchronize downloaded access routes and the routes that are installed...
host1#clear ip routes download all
There is no no version.
See clear ip routes download
radius route-download server
Use to configure a RADIUS route-download server and enter RADIUS Configuration mode. Specify the IP address of the RADIUS server from which you want to download access routes.
Create an AAA profile that supports preauthentication (by using the pre-authenticate command in AAA Profile Configuration mode).
Specify the IP address of a RADIUS preauthentication server (by using the radius pre-authentication server command in Global Configuration mode) and of an authentication server (by using the radius authentication server command in Global Configuration mode).
Table 5: RADIUS IETF Attributes in Preauthentication Request
Attribute Number, Attribute Name, Description
User-Name: Name of the user associated with the LLID, in the format NAS-Port:<NAS-IP-Address>:<Nas-Port-Id>. For example, nas-port:172.28.30.117:atm 4/1.104:2.104
User-Password: Password of the user to be authenticated; always set to “juniper”...
The router ignores any RADIUS attributes other than the Calling-Station-Id that are returned in the preauthentication Access-Accept message. If a preauthentication request fails due to misconfiguration of the preauthentication server, timeout of the preauthentication server, or rejection of the preauthentication request by the preauthentication server, the authentication process continues normally and the preauthentication request is ignored.
host1(config-subif)#run show radius pre-authentication servers
RADIUS Pre-Authentication Configuration
---------------------------------------
                   Retry         Maximum  Dead
IP Address    Port Count Timeout Sessions Time Secret
------------- ---- ----- ------- -------- ---- ------
10.10.10.1    1812                             radius
You can also display configuration information for preauthentication servers by using the show radius servers command.
ppp aaa-profile
Use to assign an AAA profile to static and dynamic, multilink and nonmultilink PPP interfaces. For more information about how to use this command, see “ppp aaa-profile” on page 68.
Example
host1(config-if)#ppp aaa-profile preAuth
Use the no version to remove the AAA profile assignment.
For more information, see “Configuring SNMP Traps” on page 37.
Using VSAs for Dynamic IP Interfaces
Table 6 on page 82 describes the VSAs that apply to dynamic IP interfaces and are supported on a per-user basis from RADIUS. For details, see JUNOSe Link Layer Configuration Guide.
When a dynamic interface is created according to a profile, the router checks with RADIUS to determine whether an input or output policy or a QoS profile must be applied to the interface. The VSA, if present, provides the name, enabling policy or QoS profile lookup.
To configure traffic-shaping parameters for PPPoA via domain maps, use the atm command in Domain Map Configuration mode.
Use to configure traffic-shaping parameters for PPPoA. Use one of the following keywords to select the traffic category to configure:
ubr Unspecified bit rate
ubrpcr Unspecified bit rate with peak cell rate
nrtvbr Non-real time variable bit rate...
Table 8: Supported RADIUS Acct-Terminate-Cause Codes (continued)
Code, Name, Description
Lost Carrier: DCD was dropped on the port
Lost Service: Service can no longer be provided; for example, the user’s connection to a host was interrupted
Idle Timeout: Idle timer expired
Session Timeout...
Configuration Example
This example describes a sample configuration procedure that creates custom mappings for PPP terminate reasons.
Configure the router to include the Acct-Terminate-Cause attribute in RADIUS Acct-Off messages.
host1(config)#radius include acct-terminate-cause acct-off enable
(Optional) Display the current PPP terminate-cause mappings.
host1(config)#run show terminate-code ppp
                                                                                          Radius
Apps Terminate Reason                        Description                                  Code
-------------------------------------------- -------------------------------------------- ------
authenticate-authenticator-timeout           authenticate authenticator timeout
authenticate-challenge-timeout               authenticate challenge timeout
authenticate-chap-no-resources               authenticate chap no resources
authenticate-chap-peer-authenticator-timeout authenticate chap peer authenticator timeout
authenticate-deny-by-peer...
application’s terminate reason. See Table 8 on page 84 for a list of supported RADIUS codes.
Example
host1(config)#terminate-code ppp authenticate-challenge-timeout radius 4
Use the no version to restore the default mappings, which are listed in “AAA Terminate Reasons”...
The range in seconds for a session timeout is a minimum of 1 minute (60 seconds) through a maximum of 366 days (31622400 seconds). These values can also be set by RADIUS, where the range is not enforceable. PPP and L2TP round the timeout values from RADIUS as follows:
If the session timeout is less than the minimum (60 seconds), that value is used.
Use to limit the number of active subscribers permitted on a virtual router. Because profiles are applied to subscribers after the PPP authentication phase, subscribers that have their VR context specified by profiles are not denied access. Instead, when IP notifies AAA of the subscriber's VR context, AAA checks limits.
protocol process first starts on the server router, the server sends router advertisement packets every few seconds. Then, the server sends these packets less frequently. The server responds to route solicitation packets it receives from a client. The response is sent unicast, unless a router advertisement packet is due to be sent out momentarily.
See aaa ipv6-nd-ra-prefix framed-ipv6-prefix.
aaa dhcpv6-delegated-prefix delegated-ipv6-prefix
Use to set the Delegated-IPv6-Prefix RADIUS attribute to be used for DHCPv6 Prefix Delegation. If you used the aaa ipv6-nd-ra-prefix framed-ipv6-prefix command to set the Framed-IPv6-Prefix RADIUS attribute to be used for IPv6 Neighbor Discovery router advertisements, you must also issue the aaa dhcpv6-delegated-prefix delegated-ipv6-prefix command after you issue the aaa ipv6-nd-ra-prefix framed-ipv6-prefix command to enable the use of the Delegated-IPv6-Prefix...
The RADIUS application sends the LAG interface ID to the RADIUS server only when the subscribers in DHCP standalone authenticate mode are initialized. When other subscribers such as PPP subscribers and DHCP equal-access mode subscribers initialize over a LAG interface, the RADIUS application sends only the name of the first Ethernet interface in the LAG bundle, and not the LAG interface ID.
487 show subscribers
Configuring the SRC Client
The JUNOSe software has an embedded client that interacts with the Juniper Networks SRC software, enabling the SRC software to manage the router’s policy and QoS configuration. The connection between the router and the SRC software uses the Common Open Policy Service (COPS) protocol and is fully compliant with the COPS usage for policy provisioning (COPS-PR) specification.
The JUNOSe Software COPS-PR implementation uses the outsourcing model that is described in RFC 3084. In this model, the PEP delegates responsibility to the PDP to make provisioning decisions on the PEP’s behalf.
NOTE: When you upgrade from an earlier JUNOSe release, the software removes the instance of SSCC that was configured with XDR.
QoS classification and marking
Rate limiting
Traffic class
QoS Manager
Queues
Schedulers
Traffic classes
The JUNOSE-IP-PIB file is updated with each JUNOSe release. Since the PIB is implemented by both Juniper Networks SRC and JUNOSe devices, distribution of the
PIB file to customers is not necessary. Customers can access the proprietary PIB file, on approval from Juniper Networks, through Juniper support.
You can configure SRC clients on a per-virtual-router basis. To configure the SRC client:
Enable the SRC client.
host1(config)#sscc update-policy-request enable
(Optional) Restart a COPS connection to, and resynchronize with, a PDP.
host1#sscc restart
sscc address
Use to configure the SRC client with the IP addresses of the SAEs and the ports on which the SAEs listen for activity.
Such messages contain the necessary details about the newly created and removed LAC interfaces that enable the SRC software or the COPS server to determine the policy and QoS management for these interfaces.
Observe the following guidelines when you configure the policy and QoS settings support for L2TP LAC interfaces:
Access Node Control Protocol (ANCP), also known as Layer 2 Control (L2C) rate report, which contains the QoS adjustment factor to be applied to the...
sscc retryTimer
Use to specify the delay period (in the range 5–300 seconds) during which the SRC client waits for a response from the SAE. If only a primary SAE is configured, the client resends the request to the primary SAE.
Use to specify on which router the TCP/COPS connection is to be established. The router can be the same as or different from the router the SRC client session is created in and associated with. If you do not specify the transport router for an SRC client session, the transport router defaults to the router associated with the session.
host1(config)#sscc update-policy-request enable
Use the no version to restore the default behavior, which prevents updated line rate parameters from being sent to the COPS server.
See sscc update-policy-request enable
Retrieval of DSL Line Rate Information from Access Nodes Overview
You can retrieve updated DSL line rate information from the Access Node Control Protocol (ANCP) and report this information to the SRC software with corresponding COPS messages.
junoseIpInterfaceMaximumInterleavingDelayUpstream
junoseIpInterfaceActualInterleavingDelayUpstream
junoseIpInterfaceMaximumInterleavingDelayDownstream
junoseIpInterfaceActualInterleavingDelayDownstream
junoseIpInterfaceDSLlinestate
A COPS server that runs an SRC software release earlier than Release 3.0.0 does not support and process the preceding topology parameters that are appended to the COPS messages. Such COPS servers analyze the information, other than the parameters that describe updated DSL line rate details, that they receive in the COPS messages for policy management.
customer edge device or requesting router is located. In such cases, the delegating router requires only the identity of the requesting router to choose a prefix for delegation. An IPv6 local pool is configured on the delegating router, which contains information about the prefixes, their validity periods, and other parameters to control their assignment to the requesting routers.
You cannot delete a pool or a prefix range from which prefixes have been allocated to requesting routers or DHCPv6 clients. However, you can forcibly delete such a pool or prefix range by using the force keyword in the ipv6 local pool poolName and prefix commands.
Order of Preference in Determining the Local Address Pool for Allocating Prefixes
You can configure multiple local address pools on a virtual router. When multiple pools are configured, the pool that is used to allocate the prefix to the requesting router is selected using the following order of preference:
If a pool name is returned by the RADIUS server in the Framed-IPv6-Pool attribute, that pool is used to delegate the prefix to the client.
If you configured a list of IPv6 DNS servers and a string of domain names in the IPv6 local address pool, the order of preference in returning the DNS server address or domain name to the requesting client in the DHCPv6 response is as follows:
Information returned from the RADIUS server for DNS servers only
Information from the pool
Locally configured DNS attributes...
have 56 as the prefix length. When you specify the prefix range in this way, you must ensure that the starting and ending prefixes are of the same length.
Specify the time period when the requesting router can use the prefix. You can configure a preferred lifetime or a valid lifetime for the requesting router to use when you configure the prefix range.
host1(config-v6-local)#exclude-prefix 5005:5005:2::/48 5005:5005:a::/48
In this example, all prefixes between the starting prefix of the range, 5005:5005:2::/48, and the ending prefix of the range, 5005:5005:a::/48, are excluded from allocation to clients.
Map the domain name to the IPv6 local address pool, which is used for prefix delegation.
Pool             Total   In Use
---------------- ------- -------
largePrefixRange 1048576
Using DHCPv6 Local Address Pools for Prefix Delegation over non-PPP Links Example
When a customer premises equipment (CPE) or requesting router and the provider edge (PE) router are connected using a PPP link, one of the following pool names is used to determine the IPV6 local address pool to be used for DHCPv6 Prefix Delegation to the CPE:
The pool name returned by the RADIUS server in the Framed-IPv6-Pool attribute...
host1(config-if)#ipv6 nd
host1(config-if)#exit
When the PE router receives a request for DHCPv6 Prefix Delegation over the gigabit Ethernet interface 2/1/4.100, prefixes are allocated to the client from the example local pool. In this example, the local pool to use for allocation of prefixes is selected based on the IPv6 address of the interface over which the request is received.
Chapter 2
Monitoring and Troubleshooting Remote Access
Use the commands in this chapter to set baselines for and to monitor remote access.
Setting Baselines for Remote Access on page 114
How to Monitor PPP Interfaces on page 116
Monitoring AAA Accounting Configuration on page 116
Monitoring AAA Accounting Default on page 117
Monitoring Accounting Interval on page 118
Monitoring Specific Virtual Router Groups on page 118...
Monitoring Configuration Information for AAA Local Authentication on page 133
Monitoring AAA Server Attributes on page 134
Monitoring the COPS Layer Over SRC Connection on page 136
Monitoring Statistics About the COPS Layer on page 138
Monitoring Local Address Pool Aliases on page 140
Monitoring Local Address Pools on page 140
Monitoring Local Address Pool Statistics on page 142...
Chapter 2: Monitoring and Troubleshooting Remote Access
Issue the delta keyword with the show aaa statistics command to show baselined statistics.
1. Setting a Baseline for AAA Statistics on page 115
2. Setting a Baseline for AAA Route Downloads on page 115
3.
There is no no version.
Setting a Baseline for RADIUS Statistics
Purpose
Set a baseline for RADIUS statistics.
Action
Issue the show radius statistics command:
host1#show radius statistics
There is no no version.
Setting the Baseline for SRC Statistics
Purpose
Set a baseline for SRC statistics.
Action
To display the AAA accounting configuration, issue the show aaa accounting command:
host1:vrXyz7#show aaa accounting
Accounting duplication set to router vrXyz25
Broadcast accounting uses group groupXyzCompany20
send acct-stop on AAA access deny is enabled
send acct-stop on authentication server access deny is disabled
acct-interval (for PPP Clients) 0
service-acct-interval 0
send immediate-update is enabled...
Monitoring the Default AAA Authentication Method List
Purpose
Display the default AAA authentication method list for a subscriber type. You can view the method list used for ATM 1483 subscribers, IPSec subscribers, IP subscriber management interfaces, PPP subscribers, RADIUS relay subscribers, and tunnel subscribers.
Table 13: show aaa domain-map Output Fields (continued)
Field Name, Field Description
Tunnel Source: Source address of the tunnel
Tunnel Type: L2TP
Tunnel Medium: Type of medium for the tunnel; only IPv4 is supported
Tunnel Password: Password for the tunnel
Tunnel Id...
Meaning
The IP addresses of DNS and WINS name servers are displayed.
Related Topics
show aaa name-servers
Monitoring AAA Profile Configuration
Purpose
Display the configuration of all AAA profiles or of a specific profile.
Action
To display the configuration of all AAA profiles or of a specific profile:...
Related Topics
show aaa profile
Monitoring Statistics about the RADIUS Route-Download Server
Purpose
Display statistics about the RADIUS route-download server configuration. Use the optional statistics keyword to display information about the RADIUS route download server operation. Use the optional delta keyword to show baselined statistics.
Table 15: show aaa route-download Output Fields (continued)
Field Name, Field Description
Default Cost: Default cost of downloaded routes
Default Tag: Default tag for downloaded routes
Base User Name: Virtual router used for route-download requests; either <HOSTNAME>...
Related Topics
show aaa route-download
Monitoring Routes Downloaded by the RADIUS Route-Download Server
Purpose
Display information about the routes that are downloaded by the RADIUS route-download server. Use the optional detail keyword to display more detailed information about the downloaded routes.
Related Topics
show aaa route-download routes
Monitoring Chassis-Wide Routes Downloaded by RADIUS Route-Download Servers
Purpose
Display chassis-wide information about routes that are downloaded by RADIUS route-download servers. Use the optional detail keyword to display more detailed information about the downloaded routes.
Table 17: show aaa route-download routes global Output Fields (continued)
Field Name, Field Description
Dst/Met: Administrative distance and number of hops for the route
Tag assigned to downloaded routes
Intf: Interface type and specifier
Related Topics
show aaa route-download routes global
Monitoring Authentication, Authorization, and Accounting Statistics...
JUNOSe 11.1.x Broadband Access Configuration Guide Table 18: show aaa statistics Output Fields Field Name Field Description incoming initiate requests Number of incoming AAA requests (from other E Series applications) for user connect services incoming disconnect requests Number of incoming AAA requests (from other E Series applications) for user disconnect services outgoing grant (tunnel) responses Number of outgoing tunnel grant responses to AAA...
Chapter 2: Monitoring and Troubleshooting Remote Access Table 18: show aaa statistics Output Fields (continued) Field Name Field Description incoming Address responses Number of address allocation/release responses from the address allocation task to AAA show aaa statistics Related Topics Monitoring the Number of Active Subscribers Per Port Display the maximum number of active subscribers configured per port.
! Configuration script being generated on MON JAN 10 2005 15:19:19 UTC ! Juniper Edge Routing Switch ERX-1440 ! Version: 9.9.9 development-4.0 (January 7, 2005 17:26) ! Copyright (c) 1999-2004 Juniper Networks, Inc. All rights reserved. ! Commands displayed are limited to those available at privilege level 15 ! NOTE: This script represents only a subset of the full system configuration.
! Configuration script being generated on TUE NOV 09 2004 12:50:18 UTC ! Juniper Edge Routing Switch ERX-1400 ! Version: 6.1.0 (November 8, 2004 18:31) ! Copyright (c) 1999-2004 Juniper Networks, Inc. All rights reserved. ! Commands displayed are limited to those available at privilege level 15 ! NOTE: This script represents only a subset of the full system configuration.
! Configuration script being generated on MON JAN 10 2005 15:12:02 UTC ! Juniper Edge Routing Switch ERX-1440 ! Version: 9.9.9 development-4.0 (January 7, 2005 17:26) ! Copyright (c) 1999-2004 Juniper Networks, Inc. All rights reserved. ! Commands displayed are limited to those available at privilege level 15 ! NOTE: This script represents only a subset of the full system configuration.
Chapter 2: Monitoring and Troubleshooting Remote Access CAT Rcv: CC Sent: CC Rcv: SSC Sent: Meaning: Table 22 on page 137 lists the show cops info command output fields. Table 22: show cops info Output Fields Field Name Field Description Session Created Number of COPS sessions created Sessions Deleted...
JUNOSe 11.1.x Broadband Access Configuration Guide Table 22: show cops info Output Fields (continued) Field Name Field Description CAT Rcv Number of Client Accepts packets received on this COPS session CC Sent Number of Client Closes packets sent on this COPS session CC Rcv Number of Client Closes packets received on this...
Chapter 2: Monitoring and Troubleshooting Remote Access Meaning: Table 23 on page 139 lists the show cops statistics command output fields. Table 23: show cops statistics Output Fields Field Name Field Description Session Created Number of COPS sessions created Sessions Deleted Number of COPS sessions deleted Current Sessions Number of current COPS sessions...
JUNOSe 11.1.x Broadband Access Configuration Guide Table 23: show cops statistics Output Fields (continued) Field Name Field Description SSC Sent Number of Sync Complete packets sent on this COPS session Related Topics: show cops statistics Monitoring Local Address Pool Aliases Purpose: Display information about aliases for the local address pools configured on your router.
Chapter 2: Monitoring and Troubleshooting Remote Access Action: To display information about local address pools: host1#show ip local pool High Abated Pool Thresh Thresh Trap Group ----- ------ ------ ---- ----- poolA Aliases ------- alias1 Begin Free -------- --------- ---- 10.1.1.1 10.1.1.10 10.1.2.1...
JUNOSe 11.1.x Broadband Access Configuration Guide Table 25: show ip local pool Output Fields (continued) Field Name Field Description High Thresh High utilization threshold value Abated Thresh Abated utilization threshold value Trap Enable SNMP pool utilization traps: Y (yes) or N (no) Aliases Aliases for the local address pool Begin...
Chapter 2: Monitoring and Troubleshooting Remote Access shared_poolA dhcp_pool_25 shared_poolB dhcp_pool_25 shared_poolC dhcp_pool_17 Meaning: Table 26 on page 143 lists the show ip local shared-pool command output fields. Table 26: show ip local shared-pool Output Fields Field Name Field Description Shared Pool Name of the shared local address pool In Use...
JUNOSe 11.1.x Broadband Access Configuration Guide Related Topics: show ip route Monitoring the B-RAS License Purpose: Display the B-RAS license. Action: To display the B-RAS license: host1#show license b-ras K4bZ16Lr Related Topics: show license b-ras Monitoring the RADIUS Server Algorithm Purpose: Display information about the currently configured RADIUS server algorithm.
Chapter 2: Monitoring and Troubleshooting Remote Access Table 27: show radius override Output Fields (continued) Field Name Field Description nas-info Either the NAS-IP-Address [4] and NAS-Identifier [32] attributes of the virtual router generating the accounting information are used, or they are overridden with the respective attributes of the authentication virtual router.
Chapter 2: Monitoring and Troubleshooting Remote Access Table 28: show radius servers Output Fields (continued) Field Name Field Description Udp Port Number of the UDP port of the RADIUS server Retry Count Maximum number of times that the router retransmits a RADIUS packet to the RADIUS server Timeout Interval (in seconds) before the router retransmits a...
JUNOSe 11.1.x Broadband Access Configuration Guide Table 29: show radius statistics Output Fields (continued) Field Name Field Description Malformed Responses Number of responses with attributes having an invalid length or unexpected attributes (such as two attributes when the response is required to have at most one) Bad Authenticators Number of responses in which the authenticator is...
Chapter 2: Monitoring and Troubleshooting Remote Access Table 29: show radius statistics Output Fields (continued) Field Name Field Description Reject Responses Number of accounting reject responses received; includes Acct-Link-Reject and Acct-Tunnel-Reject responses show radius statistics Related Topics Monitoring RADIUS SNMP Traps Display the configuration of RADIUS SNMP traps.
JUNOSe 11.1.x Broadband Access Configuration Guide Related Topics: show radius tunnel-accounting Monitoring RADIUS UDP Checksums Purpose: Display information about UDP checksums. Action: To display the status of RADIUS UDP checksums: host1#show radius udp-checksum enabled Meaning: RADIUS checksums status is either enabled or disabled. Related Topics: show radius udp-checksum...
Chapter 2: Monitoring and Troubleshooting Remote Access Related Topics: show aaa ipv6-nd-ra-prefix Monitoring the RADIUS Attribute Used for DHCPv6 Prefix Delegation Purpose: Display the RADIUS attribute used for DHCPv6 Prefix Delegation. Action: To display the RADIUS attribute used for DHCPv6 Prefix Delegation: host1#show aaa dhcpv6-delegated-prefix DHCPv6 Delegated Prefix : Framed-IPv6-Prefix...
JUNOSe 11.1.x Broadband Access Configuration Guide Tokens Seen Active Tokens Token Transitions Token Creates Sent Token Deletes Sent Active Addresses Address Transitions Create Addresses Sent Delete Addresses Sent Authentication Successes Authentication Failures Meaning: Table 30 on page 154 lists the show sscc info command output fields. Table 30: show sscc info Output Fields Field Name...
Chapter 2: Monitoring and Troubleshooting Remote Access Table 30: show sscc info Output Fields (continued) Field Name Field Description SSC Client Statistics Statistics about the connection between the SRC client and SAE Policy Commands received Number of policy commands received on the SRC client connection Policy Commands(List) Number of Policy Commands with subtype List Policy Commands(Acct) Number of Policy Commands with...
JUNOSe 11.1.x Broadband Access Configuration Guide Action: To display statistics for the SRC client connection: host1#show sscc statistics SSC Client Statistics: Policy Commands received Policy Commands(List) Policy Commands(Acct) Bad Policy Cmds received Error Policy Cmds received 0 Policy Reports sent Connection attempts Connection Open requests Connection Open completed...
Chapter 2: Monitoring and Troubleshooting Remote Access Table 31: show sscc statistics Output Fields (continued) Field Name Field Description Connection Closed sent Number of connections the SRC client has closed Connection Closed remotely Number of connections that were closed by the remote SAE Create Interfaces sent Number of create interface indications sent to the...
JUNOSe 11.1.x Broadband Access Configuration Guide all users are displayed. When you issue the command in a nondefault VR, only those users attached to that VR are displayed. The following list describes keywords that you can use with the show subscribers command: You can use the domain, interface, port, slot, username, or virtual-router keywords on all routers to filter the results.
Chapter 2: Monitoring and Troubleshooting Remote Access Action: To display general subscriber information: host1# show subscribers Subscriber List ---------------- Virtual User Name Type Addr|Endpt Router ----------------------- ----- -------------------- ------------ fred 10.10.65.86/radius default bert 192.168.10.3/user default User Name Interface ----------------------- -------------------------------- fred atm 2/1.42:100.104 bert...
JUNOSe 11.1.x Broadband Access Configuration Guide 4101DHCPCLIENT@CT.NET 09/10/29 02:07:51 User Name Remote Id ------------------------ ---------------- 4101DHCPCLIENT@CT.NET To display detailed information for subscribers on the specified slot: host1# show subscribers slot 5 Subscriber List --------------- Virtual User Name Type Addr|Endpt Router ------------------------ ----- --------------------...
JUNOSe 11.1.x Broadband Access Configuration Guide Table 32: show subscribers Output Fields (continued) Field Name Field Description Peak Subscribers Maximum value of the Total Subscriber field during the time the router has been active, chassis-wide Subscribers Number of subscribers; the sum of the Ppp and Ip fields Number of PPPoA and PPPoE users, combined Number of DHCP and IP subscriber manager users,...
Chapter 2: Monitoring and Troubleshooting Remote Access authenticate-chap-no-resources authenticate chap no resources authenticate-chap-peer-authenticator-timeout authenticate chap peer authenticator timeout authenticate-deny-by-peer authenticate deny by peer authenticate-inactivity-timeout authenticate inactivity timeout authenticate-max-requests authenticate max requests --More-- To display all terminate reasons that are mapped to a specific terminate code: This example uses the radius keyword and a RADIUS Acct-Terminate-Cause code (radius 4) to display all terminate reasons mapped to the specified terminate code.
JUNOSe 11.1.x Broadband Access Configuration Guide Meaning: Table 33 on page 164 lists the show terminate-code command output fields. Table 33: show terminate-code Output Fields Field Name Field Description Apps The application generating the terminate reason; AAA, L2TP, PPP, or RADIUS client Terminate Reason The application’s terminate reason Description...
Chapter 2: Monitoring and Troubleshooting Remote Access Table 34: show ipv6 local pool Output Fields (continued) Field Name Field Description Ending prefix of the range of prefixes configured in a particular pool Total Number of prefixes available for allocation to clients from a particular pool In Use Number of prefixes in a pool that are currently...
JUNOSe 11.1.x Broadband Access Configuration Guide Table 35: show ipv6 local pool poolName Output Fields (continued) Field Name Field Description Utilization Percentage of IPv6 prefixes currently allocated to clients from the local address pool Start Starting prefix of the range of prefixes configured in a particular pool Ending prefix of the range of prefixes configured in a particular pool...
Chapter 2: Monitoring and Troubleshooting Remote Access Allocation Errors Releases Release Errors Meaning: Table 36 on page 167 lists the show ipv6 local pool statistics command output fields. Table 36: show ipv6 local pool statistics Output Fields Field Name Field Description Allocations Number of prefixes allocated to DHCPv6 clients from the local address pool...
JUNOSe 11.1.x Broadband Access Configuration Guide Monitoring IPv6 Local Pool Statistics for DHCP Prefix Delegation...
Part 2 Managing RADIUS and TACACS+ Configuring RADIUS Attributes on page 171 Configuring RADIUS Dynamic-Request Server on page 241 Configuring RADIUS Relay Server on page 251 RADIUS Attribute Descriptions on page 259 Application Terminate Reasons on page 279 Monitoring RADIUS on page 303 Configuring TACACS+ on page 317 Monitoring TACACS+ on page 329 Managing RADIUS and TACACS+...
RADIUS Overview RADIUS is a distributed client/server system that protects networks against unauthorized access. RADIUS clients running on a Juniper Networks E Series Broadband Services Router send authentication requests to a central RADIUS server. You can access the RADIUS server through either a subscriber line or the CLI.
JUNOSe 11.1.x Broadband Access Configuration Guide The E Series RADIUS client uses the IP address in the router ID unless you explicitly set an IP address by using the radius update-source-addr command. See “Configuring RADIUS Authentication and Accounting Servers” on page 18. To explicitly set the source address, perform the following tasks: Configure the RADIUS update-source address.
Chapter 3: Configuring RADIUS Attributes See the ERX Module Guide for modules supported on ERX7xx models, ERX14xx models, and the ERX310 Broadband Services Router. See the E120 and E320 Module Guide for modules supported on the Juniper Networks E120 and E320 Broadband Services Routers. RADIUS References For more information about RADIUS, consult the following resources: RFC 2865 Remote Authentication Dial In User Service (RADIUS) (June 2000)
JUNOSe 11.1.x Broadband Access Configuration Guide Supported RADIUS IETF Attributes Table 37 on page 174 lists the Access-Request, Access-Accept, Access-Reject, Access-Challenge, CoA, and Disconnect-Request attributes supported by JUNOSe software. The following notes are referenced in Table 37 on page 174: Attribute is used by Access-Request messages when terminating a PPP connection at the LNS or the initiating LAC.
Chapter 3: Configuring RADIUS Attributes Subscriber AAA Accounting Messages Accounting messages identify service provisions and use on a per-user or per-tunnel basis. These messages keep track of when a particular service is initiated and terminated for a specific user. JUNOSe software supports the Acct-On message on startup or configuration of the first accounting server.
JUNOSe 11.1.x Broadband Access Configuration Guide For this attribute to be included, an IPv6 interface ID must be assigned to the subscriber. For this attribute to be included, at least one IPv6 prefix must be assigned to the subscriber. Table 39: AAA Accounting Message RADIUS IETF Attributes Supported Attribute Number Attribute Name...
– (See Note 3.) Supported Juniper Networks VSAs Table 40 on page 185 lists the Juniper Networks (Vendor ID 4874) VSAs supported for Acct-Start, Acct-Stop, Interim-Acct, Acct-On, Acct-Off, Partition-Accounting-On, and Partition-Accounting-Off messages. The following notes are referred to in Table 40 on page 185: The attribute is not included in Acct-Stop messages that are sent when a user session does not get established in one of the following situations.
Chapter 3: Configuring RADIUS Attributes value as the Accounting-On message, but also contains the ICR-Partition-Id VSA, which specifies the ICR partition to which this message corresponds. Partition-Accounting-Off Sent to the RADIUS server when the partition changes from the master state to the backup state. However, in the event of a complete chassis failure, the Partition-Accounting-Off message is not sent.
JUNOSe 11.1.x Broadband Access Configuration Guide Table 40: AAA Accounting Message Juniper Networks (Vendor ID 4874) VSAs Supported (continued) Attribute Number Attribute Name Acct-Start Acct-Stop Interim-Acct Acct-On Acct-Off Partition-Accounting-On Partition-Accounting-Off [26-63] Interface-Description – – – – [26-92] L2C-Up-Stream-Data –...
NOTE: JUNOSe Software also supports several Juniper Networks VSAs that you can use to include DSL-related information. See “Juniper Networks VSAs” on page 265 . Table 42 on page 189 lists the DSL Forum VSAs supported by JUNOSe Software in Access-Request, Acct-Start, Acct-Stop, (if Acct-Stop is specified) Interim-Acct, and CoA-Request messages.
JUNOSe 11.1.x Broadband Access Configuration Guide Table 42: DSL Forum (Vendor ID 3561) VSAs Supported in AAA Access and Accounting Messages (continued) Attribute Number Attribute Name Access-Request Acct-Start Acct-Stop Interim-Acct CoA-Request [26-142] Actual-Interleaving-Delay-Downstream – [26-144] Access-Loop-Encapsulation – [26-254] IWF-Session – CLI AAA Messages There are four types of AAA messages used by CLI users to gain administrative access to the router.
CLI Commands Used to Modify RADIUS Attributes This section discusses the RADIUS Internet Engineering Task Force (IETF) attributes and the Juniper Networks vendor-specific attributes that you can configure using CLI commands. For many attributes, you can configure the router to include the attribute in RADIUS messages.
JUNOSe 11.1.x Broadband Access Configuration Guide Use the no version to restore the default address. radius override nas-info Use in the correct virtual router context to override standard use of NAS-IP-Address and NAS-Identifier attributes for AAA broadcast accounting; specifies that the attributes for the authentication virtual router be included in accounting packets instead of the attributes for the virtual router that generates the accounting information.
Chapter 3: Configuring RADIUS Attributes Use to include the NAS-Port attribute in Access-Request, Acct-Start, and Acct-Stop messages. You control inclusion of the attribute by enabling or disabling this command. Example host1(config)#radius include nas-port acct-start enable Use the no version to restore the default, enable. See radius include radius nas-port-format Use to set the NAS-Port format attribute for ATM and Ethernet only to either...
JUNOSe 11.1.x Broadband Access Configuration Guide Slot 5 bits Adapter 0 bits Port 3 bits VPI 8 bits VCI 16 bits The default number of bits for each field in the interface specifier for Gigabit Ethernet and 10-Gigabit Ethernet interfaces are: Slot 5 bits Adapter 0 bits Port 3 bits...
Chapter 3: Configuring RADIUS Attributes Use the no version to return to the default, in which the value is determined by the interface. radius vlan nas-port-format stacked Use to include the S-VLAN ID, in addition to the VLAN ID, in the NAS-Port attribute for subscribers on Ethernet interfaces.
JUNOSe 11.1.x Broadband Access Configuration Guide radius include framed-ip-netmask Use to include the Framed-Ip-Netmask attribute in Acct-Start or Acct-Stop messages. You can control inclusion of the attribute by enabling or disabling this command. See radius include Example host1(config)#radius include framed-ip-netmask acct-start enable Use the no version to restore the default, enable.
Chapter 3: Configuring RADIUS Attributes [25] Class Use the following command to manage the Class RADIUS attribute. radius include class radius include class Use to include the Class attribute in Acct-Start or Acct-Stop messages. You can control inclusion of the attribute by enabling or disabling this command. See radius include Example host1(config)#radius include class acct-start disable...
JUNOSe 11.1.x Broadband Access Configuration Guide NOTE: For subscribers connected over the LAG interface in DHCP standalone authenticate mode, The radius override calling-station-id remote-circuit-id command enables RADIUS to use the PPPoE remote circuit ID for the Calling-Station-Id attribute. By default, RADIUS uses a delimited format for the interface description. The radius calling-station-format command does not affect the value of the Calling-Station-Id attribute.
Chapter 3: Configuring RADIUS Attributes Where the final 8-byte field is always 0 (zero). In the case of PPP terminated at the LNS, the Calling-Station-Id attribute is based on the received L2TP calling number AVP. To specify that the RADIUS client use a fixed format of up to 15 characters consisting of all ASCII fields with a 1-byte slot field, 1-byte adapter field, and 1-byte port field, use the fixed-format-adapter-embedded keyword.
JUNOSe 11.1.x Broadband Access Configuration Guide To specify that the RADIUS client use a fixed format of up to 17 characters consisting of all ASCII fields with a 2-byte slot field, 1-byte adapter field, and 2-byte port field, use the fixed-format-adapter-new-field keyword. The maximum number of characters for each field is shown in square brackets ([ ]).
Chapter 3: Configuring RADIUS Attributes Format for Ethernet interfaces that use fixed-format-adapter-new-field stacked: <system name [4]> <slot [2]> <adapter [1]> <port [2]> <S-VLAN [4]> <VLAN [4]> By default, these formats do not include the S-VLAN ID unless you specify the optional stacked keyword. If you include the stacked keyword, the S-VLAN ID is displayed in decimal format in the range 0–4095.
JUNOSe 11.1.x Broadband Access Configuration Guide Use the no version to restore the default Calling-Station-Id format, delimited. See radius calling-station-format radius calling-station-delimiter Use to specify the Calling-Station-Id attribute’s delimiter for DSL PPP users. The delimiter is one special character you select to set off items in the Calling-Station-Id’s definition (for example, # or %).
Chapter 3: Configuring RADIUS Attributes [32] NAS-Identifier Use the following commands to manage and display information for the NAS-Identifier RADIUS attribute. radius nas-identifier radius include nas-identifier radius override nas-info radius remote-circuit-id-format radius remote-circuit-id-delimiter radius nas-identifier Use to set a value for the NAS-Identifier attribute. This value is used in the NAS-Identifier attribute for authentication and accounting requests.
JUNOSe 11.1.x Broadband Access Configuration Guide Use the no version to restore the standard use of the NAS-IP-Address and NAS-Identifier attributes. radius remote-circuit-id-format Use to configure the format of the PPPoE remote circuit ID value captured from a DSLAM. You can format the PPPoE remote circuit ID value to include either or both of the agent-circuit-id (suboption 1) and agent-remote-id (suboption 2) suboptions of the DHCP relay agent information option (option 82) or the PPPoE intermediate agent tags.
Chapter 3: Configuring RADIUS Attributes Monitoring Override Settings of RADIUS IETF Attributes on page 303 Related Topics Monitoring the NAS-Identifier RADIUS Attribute on page 305 Monitoring the Format of the Remote-Circuit-ID for RADIUS on page 306 Monitoring the Delimiter Character in the Remote-Circuit-ID for RADIUS on page 306 [41] Acct-Delay-Time Use the following commands to manage and display information for the...
JUNOSe 11.1.x Broadband Access Configuration Guide Use to include the Acct-Session-Id attribute in Access-Request, Acct-On, or Acct-Off messages. You can control inclusion of the Acct-Session-Id attribute by enabling or disabling this command. See radius include Example host1(config)#radius include acct-session-id access-request disable Use the no version to restore the default, enable.
Chapter 3: Configuring RADIUS Attributes Example host1(config)#radius include acct-authentic acct-on enable Use the no version to restore the default, enable. [49] Acct-Terminate-Cause Use the following command to manage the Acct-Terminate-Cause RADIUS attribute. radius include acct-terminate-cause radius include acct-terminate-cause Use to include the Acct-Terminate-Cause attribute in Acct-Off messages. You can control inclusion of the attribute by enabling or disabling this command.
JUNOSe 11.1.x Broadband Access Configuration Guide radius include acct-link-count radius include acct-link-count Use to include the Acct-Link-Count attribute in Acct-Start and Acct-Stop messages. You can control inclusion of the Acct-Link-Count attribute by enabling or disabling this command. See radius include Example host1(config)#radius include acct-link-count acct-stop disable Use the no version to restore the default, enable.
Chapter 3: Configuring RADIUS Attributes host1(config)#radius include output-gigawords acct-stop enable Use the no version to restore the default, enable. [55] Event-Timestamp Use the following command to manage the Event-Timestamp RADIUS attribute. radius include event-timestamp radius include event-timestamp Use to include the Event-Timestamp attribute in Acct-Start, Acct-Stop, Acct-On, or Acct-Off messages.
JUNOSe 11.1.x Broadband Access Configuration Guide adsl-cap Asymmetric DSL, carrierless amplitude phase (CAP) modulation adsl-dmt Asymmetric DSL, discrete multitone (DMT) idsl ISDN DSL sdsl Symmetric DSL virtual Virtual xdsl DSL of unknown type Example host1(config)#radius dsl-port-type xdsl Use the no version to restore the default, xdsl. See radius dsl-port-type radius ethernet-port-type Use to set the NAS-Port-Type attribute for Ethernet interfaces to ethernet or...
Chapter 3: Configuring RADIUS Attributes radius include tunnel-type radius include tunnel-type Use to include the Tunnel-Type attribute in Access-Request, Acct-Start, and Acct-Stop messages. You can control inclusion of the Tunnel-Type attribute by enabling or disabling this command. See radius include Example host1(config)#radius include tunnel-type access-request enable Use the no version to restore the default, enable.
JUNOSe 11.1.x Broadband Access Configuration Guide Example host1(config)#radius include tunnel-client-endpoint acct-start enable Use the no version to restore the default, enable. [67] Tunnel-Server-Endpoint Use the following command to manage the Tunnel-Server-Endpoint RADIUS attribute. radius include tunnel-server-endpoint radius include tunnel-server-endpoint Use to include the Tunnel-Server-Endpoint attribute in Access-Request, Acct-Start, and Acct-Stop messages.
Chapter 3: Configuring RADIUS Attributes radius connect-info-format l2tp-connect-speed radius include connect-info radius connect-info-format Use on the LNS to enable the generation of the RADIUS Connect-Info attribute and to specify the attribute’s format. The attribute is based on the L2TP connect-speed AVPs for received (RX) speed (AVP 38) and transmit (TX) speed (AVP 24).
JUNOSe 11.1.x Broadband Access Configuration Guide Monitoring the Connect-Info RADIUS Attribute on page 307 Related Topics [82] Tunnel-Assignment-Id Use the following command to manage the Tunnel-Assignment-Id RADIUS attribute. radius include tunnel-assignment-id radius include tunnel-assignment-id Use to include the Tunnel-Assignment-Id attribute in Acct-Start or Acct-Stop messages.
Chapter 3: Configuring RADIUS Attributes radius override nas-port-id remote-circuit-id NOTE: For subscribers connected over the LAG interface in DHCP standalone authenticate mode, RADIUS uses the LAG interface ID for the NAS-Port-Id attribute. For more information about subscribers connected over the LAG interface in DHCP standalone authenticate mode, see “Propagation of LAG Subscriber Information to AAA and RADIUS”...
JUNOSe 11.1.x Broadband Access Configuration Guide Use the no version to restore the default NAS-Port-ID value, which is the physical interface of the NAS that is authenticating the user. Monitoring Override Settings of RADIUS IETF Attributes on page 303 Related Topics Monitoring the NAS-Port-ID RADIUS Attribute on page 307 [90] Tunnel-Client-Auth-Id Use the following command to manage the Tunnel-Client-Auth-Id RADIUS attribute.
Chapter 3: Configuring RADIUS Attributes [96] Framed-Interface-Id Use the following command to manage the Framed-Interface-Id RADIUS attribute. radius include framed-interface-id radius include framed-interface-id Use to include the Framed-Interface-Id attribute in Access-Request, Acct-Start, or Acct-Stop messages. You can control inclusion of the Framed-Interface-Id attribute by enabling or disabling this command.
JUNOSe 11.1.x Broadband Access Configuration Guide radius include framed-ipv6-route radius include framed-ipv6-route Use to include the Framed-Ipv6-Route attribute in Acct-Start or Acct-Stop messages. You can control inclusion of the Framed-Ipv6-Route attribute by enabling or disabling this command. For this attribute, the value received from the RADIUS server in the Access-Accept message is used in the accounting messages.
Chapter 3: Configuring RADIUS Attributes radius include delegated-ipv6-prefix radius include delegated-ipv6-prefix Use to include the Delegated-Ipv6-Prefix attribute in Acct-Start or Acct-Stop messages. You can control inclusion of the Delegated-Ipv6-Prefix attribute by enabling or disabling this command. For this attribute, the value received from the RADIUS server in the Access-Accept message is used in the accounting messages.
Use the no version to restore the default, disable. Juniper Networks Vendor-Specific Attributes This section describes the Juniper Networks vendor-specific attributes (VSAs) that you can configure using CLI commands. The attributes are listed numerically and are followed by descriptions about the commands that you can use to manage the attribute.
Chapter 3: Configuring RADIUS Attributes Example host1(config)#radius ignore virtual-router enable Use the no version to restore the default, disable. [26-10] Ingress-Policy-Name Use the following commands to manage the Ingress-Policy-Name RADIUS attribute. radius include ingress-policy-name radius ignore ingress-policy-name radius include ingress-policy-name Use to include the Ingress-Policy-Name attribute in Acct-Start or Acct-Stop messages.
JUNOSe 11.1.x Broadband Access Configuration Guide Use to include the Egress-Policy-Name attribute in Acct-Start or Acct-Stop messages. You can control inclusion of the attribute by enabling or disabling this command. See radius include Example host1(config)#radius include egress-policy-name acct-start enable Use the no version to restore the default, enable. radius ignore egress-policy-name Use to cause the Egress-Policy-Name attribute to be ignored in Access-Accept messages.
radius ignore atm-pcr
Use to cause the PCR attribute to be ignored in Access-Accept messages. You can control this behavior by enabling or disabling this command.
See radius ignore
Example
host1(config)#radius ignore atm-pcr enable
Use the no version to restore the default, disable.

[26-24] Pppoe-Description
Use the following command to manage the Pppoe-Description RADIUS attribute.
radius include pppoe-description

radius include pppoe-description
Use to include the Pppoe-Description attribute in Access-Request, Acct-Start, or Acct-Stop messages. You can control inclusion of the Pppoe-Description attribute by enabling or disabling this command.

Example
host1(config)#radius include output-gigapkts acct-stop disable
Use the no version to restore the default, enable.

[26-44] Tunnel-Interface-Id
Use the following command to manage the Tunnel-Interface-Id RADIUS attribute.
radius include tunnel-interface-id

radius include tunnel-interface-id
Use to include the Tunnel-Interface-Id attribute in Access-Request, Acct-Start, or Acct-Stop messages.

Example
host1(config)#radius include ipv6-virtual-router acct-start enable
Use the no version to restore the default, disable.

[26-46] Ipv6-Local-Interface
Use the following command to manage the Ipv6-Local-Interface RADIUS attribute.
radius include ipv6-local-interface

radius include ipv6-local-interface
Use to include the Ipv6-Local-Interface attribute in Acct-Start or Acct-Stop messages.

Example
host1(config)#radius include ipv6-primary-dns acct-start enable
Use the no version to restore the default, disable.

[26-48] Ipv6-Secondary-DNS
Use the following command to manage the Ipv6-Secondary-DNS RADIUS attribute.
radius include ipv6-secondary-dns

radius include ipv6-secondary-dns
Use to include the Ipv6-Secondary-DNS attribute in Acct-Start or Acct-Stop messages.
[26-53] Service-Description
Use the following command to manage the Service-Description RADIUS attribute.
radius include profile-service-description

radius include profile-service-description
Use to include the Service-Description attribute in Access-Request, Acct-Start, and Acct-Stop messages. You can control inclusion of the attribute by enabling or disabling this command.
See radius include
Example
host1(config)#radius include profile-service-description acct-stop enable...

See radius include
Example
host1(config)#radius include dhcp-mac-address acct-stop enable
Use the no version to restore the default, disable.

[26-57] DHCP-GI-Address
Use the following command to manage the DHCP-GI-Address RADIUS attribute.
radius include dhcp-gi-address

radius include dhcp-gi-address
Use to include the DHCP-GI-Address attribute in Access-Request, Acct-Start, and Acct-Stop messages.

[26-63] Interface-Desc
Use the following command to manage the Interface-Desc RADIUS attribute.
radius include interface-description

radius include interface-description
Use to include the Interface-Desc attribute, with the subscriber's access interface description, in Access-Request, Acct-Start, Interim-Acct, or Acct-Stop messages. You can control inclusion of the Interface-Desc attribute by enabling or disabling this command.

Use to include the L2C-Up-Stream-Data attribute in Access-Request, Acct-Start, and Acct-Stop messages. You can control inclusion of the L2C-Up-Stream-Data attribute by enabling or disabling this command. Inclusion is disabled by default.
See radius include
Example
host1(config)#radius include l2c-upstream-data access-request enable
Use the no version to restore the default, disable.

Example
host1(config)#radius include ipv6-nd-ra-prefix acct-start enable
Use the no version to restore the default, disable.

[26-141] Downstream-Calculated-Qos-Rate
The Downstream-Calculated-Qos-Rate RADIUS attribute enables RADIUS to receive calculated QoS rates from ANCP. Use the following command to manage the Downstream-Calculated-Qos-Rate RADIUS attribute.

Use to include the Upstream-Calculated-Qos-Rate attribute in Access-Request, Acct-Start, and Acct-Stop messages. You can control inclusion of the Upstream-Calculated-Qos-Rate attribute by enabling or disabling this command. Inclusion is disabled by default.
Example
host1(config)#radius include upstream-calculated-qos-rate access-request enable
Use the no version to restore the default, disable.

[26-150] ICR-Partition-Id
Use the following commands to manage the ICR-Partition-Id RADIUS attribute.
radius include icr-partition-id
radius icr-partition-accounting

radius include icr-partition-id
Use to include the ICR-Partition-Id attribute in Access-Request, Acct-Start, or Acct-Stop messages. You can control inclusion of the attribute by enabling or disabling this command.
Example
host1(config)#radius include icr-partition-id acct-start enable
Use the no version to restore the default, disable.
Acct-Stop messages, the router includes ANCP information in Interim-Acct messages that the router sends to RADIUS. By default, the router does not include the ANCP-related information provided by the Juniper Networks VSAs in RADIUS messages. These Juniper Networks ANCP-related VSAs are based on definitions in GSMP extensions for layer2 control (L2C) Topology Discovery and Line Configuration draft-wadhwa-gsmp-l2control-configuration-00.txt (July 2006...
Table 44 on page 236 lists the ANCP (L2C)-related keywords that you can use in the radius include command and the associated Juniper Networks VSAs. The table also indicates the mappings between ANCP parameters and the VSAs. Table 44: ANCP (L2C)-Related Keywords for radius include Command...
DSL Forum VSAs in RADIUS messages in order to bill subscribers for different classes of service based on the data rate of their DSL connection. NOTE: JUNOSe software also supports several Juniper Networks VSAs that you can use to include DSL-related information. See “ANCP-Related Juniper Networks VSAs”...
[26-2] Agent-Remote-Id
[26-129] Actual-Data-Rate-Upstream
[26-130] Actual-Data-Rate-Downstream
[26-131] Minimum-Data-Rate-Upstream
[26-132] Minimum-Data-Rate-Downstream
[26-133] Attainable-Data-Rate-Upstream
[26-134] Attainable-Data-Rate-Downstream
[26-135] Maximum-Data-Rate-Upstream
[26-137] Minimum-Data-Rate-Upstream-Low-Power
[26-138] Minimum-Data-Rate-Downstream-Low-Power
[26-139] Maximum-Interleaving-Delay-Upstream
[26-140] Actual-Interleaving-Delay-Upstream
[26-141] Maximum-Interleaving-Delay-Downstream
[26-142] Actual-Interleaving-Delay-Downstream
[26-144] Access-Loop-Encapsulation
[26-254] IWF-Session
For information about enabling the QoS downstream rate application to obtain downstream rates from the Actual-Data-Rate-Downstream [26-130] DSL Forum VSA, see the Configuring the Downstream Rate Using QoS Parameters chapter in the JUNOSe Quality of Service Configuration Guide.
Use to enable or disable the inclusion of RADIUS attributes in Acct-On, Acct-Off, Access-Request, Acct-Start, and Acct-Stop messages.
Examples
host1(config)#radius include ingress-policy-name acct-start enable
host1(config)#radius include tunnel-type access-request disable
Use the no version to restore the default, disable.
See radius include
To see a list of the attributes that you can include or exclude, see Monitoring
Related Topics...

CLI Commands Used to Modify RADIUS Attributes...
Chapter 4 Configuring RADIUS Dynamic-Request Server
This chapter describes the RADIUS dynamic-request server feature on E Series routers. The following topics describe this feature:
RADIUS Dynamic-Request Server Overview on page 241
RADIUS Dynamic-Request Server Platform Considerations on page 242
RADIUS Dynamic-Request Server References on page 242
How RADIUS Dynamic-Request Server Works on page 243
RADIUS-Initiated Disconnect on page 243
Message Exchange on page 243...

For example, you might use the RADIUS dynamic-request server to terminate specific user sessions. Without the RADIUS dynamic-request server, the only way to disconnect a RADIUS user is from the E Series router. This disconnect method is cumbersome when a network has many systems.

RFC 5176 Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS) (January 2008)

How RADIUS Dynamic-Request Server Works
In a typical client-server RADIUS environment, the E Series router functions as the client and the RADIUS server functions as the server. However, when using the RADIUS dynamic-request server feature, the roles are reversed.
Supported Error-Cause Codes (RADIUS Attribute 101)
When a disconnect request fails, the RADIUS dynamic-request server includes an Error-Cause attribute (RADIUS attribute 101) in the Disconnect-NAK message that it sends back to the RADIUS server. If the detected error does not map to one of the supported Error-Cause values, the router sends the Disconnect-NAK without an Error-Cause attribute.

Security/Authentication
The RADIUS server (the disconnect client) must calculate the authenticator as specified for an Accounting-Request message in RFC 2866. The router's RADIUS dynamic-request server verifies the request using the authenticator calculation specified for an Accounting-Request message in RFC 2866. A key (secret), as specified in RFC 2865, must be configured and used in the calculation of the authenticator.

CoA-ACK (44)
CoA-NAK (45)

Message Exchange
The RADIUS server and the router's RADIUS dynamic-request server exchange messages using UDP. The CoA-Request message sent by the RADIUS server has the same format as the Disconnect-Request packet that is sent for a disconnect operation. The response is either a CoA-ACK or a CoA-NAK message: if AAA successfully changes the authorization, the response is a RADIUS-formatted packet with a CoA-ACK message, and the data filter is applied to the session.

Qualifications for Change of Authorization
To complete the change of authorization for a user, the CoA-Request must contain one of the following RADIUS attributes or pairs of attributes. AAA services handle the actual request.
User-Name [attribute 1] with Virtual-Router [attribute 26-1] to identify the user per virtual router context
Framed-IP-Address [attribute 8] with Virtual-Router [attribute 26-1] to identify...
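The authenticator check, the Disconnect-ACK/Disconnect-NAK with Error-Cause (attribute 101), and the session identification rules described above, worked through as an added example that is not code from this guide or from JUNOSe: a minimal Disconnect-Request exchange in Python with the RADIUS server (disconnect client) on one side and the router's dynamic-request server on the other. Both sides compute the RFC 2866 style authenticator, MD5 over the packet header, 16 zero octets (or the Request Authenticator, for the reply), the attributes and the shared secret. A request whose authenticator does not verify is discarded without any reply, which is what RFC 5176 requires and what the Bad Authenticators counter in the dynamic-request statistics records. The session table, the Acct-Session-Id values, the user names and the secret (reused from the key example in this chapter) are constructed for the example, and the UDP transport is left out; the rule that a User-Name without the Virtual-Router VSA is a missing attribute (Error-Cause 402) is this example's reading of the pairing requirement above, not a statement about JUNOSe behavior.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42            # RFC 5176 packet codes
USER_NAME, VENDOR_SPECIFIC, ACCT_SESSION_ID, ERROR_CAUSE = 1, 26, 44, 101  # IETF attribute types
JUNIPER_VENDOR_ID, VSA_VIRTUAL_ROUTER = 4874, 1                            # Virtual-Router is VSA [26-1]
ERR_MISSING_ATTRIBUTE, ERR_SESSION_NOT_FOUND = 402, 503                    # RFC 5176 Error-Cause values


def avp(attr_type, value):
    """Type / Length / Value encoding of one IETF attribute (value at most 253 octets)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, 2 + len(value)]) + value


def juniper_vsa(subtype, value):
    """Vendor-Specific (26): Vendor-Id 4874, then vendor type, vendor length and value."""
    return avp(VENDOR_SPECIFIC, struct.pack("!IBB", JUNIPER_VENDOR_ID, subtype, 2 + len(value)) + value)


def authenticator(code, ident, attrs, seed, secret):
    """RFC 2866 construction: MD5(Code, Identifier, Length, seed, attributes, secret). The seed is
    16 zero octets for a request and the Request Authenticator for the matching response."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + seed + attrs + secret).digest()


def packet(code, ident, attrs, seed, secret):
    """Header (Code, Identifier, Length), 16-octet authenticator, attributes."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + authenticator(code, ident, attrs, seed, secret) + attrs


def parse_attrs(blob):
    """Split the attribute area into (type, value) pairs; None if any length is inconsistent."""
    pairs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            return None
        pairs.append((blob[i], blob[i + 2:i + blob[i + 1]]))
        i += blob[i + 1]
    return pairs


def handle_disconnect(request, secret, sessions):
    """Router (dynamic-request server) side. `sessions` maps (virtual_router, user_name) to an
    Acct-Session-Id and stands in for the AAA session table (constructed for this example).
    Returns the reply packet, or None when the request must be silently discarded."""
    if len(request) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], request[20:]
    # Verify the authenticator before trusting any attribute; a mismatch is discarded, not NAKed.
    expected = authenticator(code, ident, attrs, bytes(16), secret)
    if code != DISCONNECT_REQUEST or length != len(request) or not hmac.compare_digest(expected, req_auth):
        return None
    pairs = parse_attrs(attrs)
    if pairs is None:
        return None
    user = vrouter = session_id = None
    for attr_type, value in pairs:
        if attr_type == USER_NAME:
            user = value.decode("utf-8", "replace")
        elif attr_type == ACCT_SESSION_ID:
            session_id = value
        elif attr_type == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor == JUNIPER_VENDOR_ID and vtype == VSA_VIRTUAL_ROUTER and vlen == len(value) - 4:
                vrouter = value[6:].decode("utf-8", "replace")
    # Locate the session by Acct-Session-Id, or by User-Name together with Virtual-Router.
    key, cause = None, ERR_MISSING_ATTRIBUTE
    if session_id is not None:
        key, cause = next((k for k, sid in sessions.items() if sid == session_id), None), ERR_SESSION_NOT_FOUND
    elif user is not None and vrouter is not None:
        key, cause = ((vrouter, user) if (vrouter, user) in sessions else None), ERR_SESSION_NOT_FOUND
    if key is None:
        return packet(DISCONNECT_NAK, ident, avp(ERROR_CAUSE, struct.pack("!I", cause)), req_auth, secret)
    del sessions[key]                      # tear the subscriber session down
    return packet(DISCONNECT_ACK, ident, b"", req_auth, secret)


def disconnect_exchange(attrs, sessions, secret, nas_secret=None, tamper=False):
    """RADIUS-server (disconnect client) side: send the request, check the reply's authenticator.
    Returns ("ack" | "nak" | "dropped" | "bad-reply", Error-Cause value or None)."""
    ident = 0x2A
    request = packet(DISCONNECT_REQUEST, ident, attrs, bytes(16), secret)
    if tamper:                             # flip one bit of the last attribute after signing
        request = request[:-1] + bytes([request[-1] ^ 0x01])
    reply = handle_disconnect(request, secret if nas_secret is None else nas_secret, sessions)
    if reply is None:
        return "dropped", None
    code, rid, length = struct.unpack("!BBH", reply[:4])
    expected = authenticator(code, rid, reply[20:], request[4:20], secret)
    if rid != ident or length != len(reply) or not hmac.compare_digest(expected, reply[4:20]):
        return "bad-reply", None
    causes = [struct.unpack("!I", v)[0] for t, v in (parse_attrs(reply[20:]) or []) if t == ERROR_CAUSE]
    return {DISCONNECT_ACK: "ack", DISCONNECT_NAK: "nak"}.get(code, "bad-reply"), (causes[0] if causes else None)
```

Call disconnect_exchange with the attributes the RADIUS server would send and a session table. A tampered request or a secret that differs between the two sides yields "dropped" with no packet on the wire, an unknown subscriber yields a Disconnect-NAK carrying Error-Cause 503 (Session Context Not Found), and a User-Name sent without the Virtual-Router VSA yields Error-Cause 402 (Missing Attribute). A CoA-Request (43) is built the same way; only the code and what AAA does on success differ.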
Define the key (secret) used in the RADIUS Authenticator field during exchanges between the RADIUS dynamic-request server and the RADIUS server.
host1(config-radius)#key Secret21Clientkey
(Optional) Specify the UDP port on which the router listens for messages from the RADIUS server.

Use the no version to remove the RADIUS disconnect client.
NOTE: The function of this command has been replaced by a combination of the RADIUS dynamic-request server feature and the subscriber disconnect command. This command might be removed completely in a future release.
See radius disconnect client

radius dynamic-request server
Use to configure a RADIUS dynamic-request server and enter RADIUS...

Monitoring RADIUS Dynamic-Request Servers
To monitor RADIUS dynamic-request servers, see:
“Setting the Baseline for RADIUS Dynamic-Request Server Statistics” on page 310
“Monitoring RADIUS Dynamic-Request Server Statistics” on page 311
“Monitoring the Configuration of the RADIUS Dynamic-Request Server” on page 312
Chapter 5 Configuring RADIUS Relay Server
This chapter describes the E Series router's RADIUS relay server feature. The RADIUS relay server provides authentication, authorization, accounting, and addressing services to wireless subscribers in public areas, such as airports and coffee shops. This chapter has the following sections:
RADIUS Relay Server Overview on page 251
RADIUS Relay Server Platform Considerations on page 252...

Figure 6: RADIUS Relay Server

RADIUS Relay Server Platform Considerations
RADIUS relay is supported on all E Series routers. For information about the modules supported on E Series routers: see the ERX Module Guide for modules supported on ERX7xx models, ERX14xx models, and the ERX310 Broadband Services Router.

You can also use an optional RADIUS proxy server to provide additional enhancements to the 802.1X-based environment. For example, the RADIUS proxy server enables subscribers to be multiplexed to multiple Internet service providers (ISPs) that are customers of the same carrier.

For information about using the SRC software with the RADIUS relay server to provide accounting, see “RADIUS Relay Server and the SRC Software” on page 254. Table 48 on page 254 shows the RADIUS attributes that must be included in accounting requests.

...the subscriber is authenticated. The second domain is created for the connection between the E Series router and the SRC software. If you want to continue to use the SRC software's user session and problem-tracking features, you should not configure the SRC software to generate RADIUS accounting records.

...
10.10.15.0       255.255.255.0     secret
10.10.8.15       255.255.255.255   newsecret
192.168.25.9     255.255.255.255   mysecret
192.168.102.5    255.255.255.255   999Y2K
Udp Port: 1812

RADIUS Relay Accounting Server Configuration
IP Address       IP Mask           Secret
10.10.1.0        255.255.255.0     NO8pxq
192.168.102.5    255.255.255.255   12BE$56
Udp Port: 1813

Use to enter the IP address and mask of the network that will use the RADIUS...

host1(config-radius-relay)#udp-port 1850
Use the no version to return to the default, port 1812 for authentication servers or port 1813 for accounting servers.
See udp-port

Monitoring RADIUS Relay Server
To monitor RADIUS relay server, see:
“Setting the Baseline for RADIUS Dynamic-Request Server Statistics”...
This chapter lists the RADIUS attributes that are supported by JUNOSe software. Table 49 on page 259 describes the supported RADIUS IETF attributes. Table 50 on page 265 describes the supported Juniper Networks vendor-specific attributes (VSAs). Table 51 on page 276 describes the DSL Forum VSA formats supported by JUNOSe software.
...Applicable for CLI, telnet, or EAP message exchange
[25] Class: An arbitrary value that the NAS includes in all accounting packets for the user if supplied by the RADIUS server
[26] Vendor-Specific: Juniper Networks Enterprise number 0x0000130A
RADIUS IETF Attributes...

Chapter 6: RADIUS Attribute Descriptions
Table 49: RADIUS IETF Attributes Supported by JUNOSe Software (continued)
[27] Session-Timeout: Maximum number of consecutive seconds of service to be provided to the user before termination of the session
[28] Idle-Timeout: Maximum number of consecutive seconds of idle connection provided to the user...

[46] Acct-Session-Time: Indicates how long in seconds the user has received service
[47] Acct-Input-Packets: Indicates how many packets have been received from the port during the time this service has been provided to a framed user. IP subscriber manager: statistics are reported. PPP: statistics are counted according to the rules of the generic interface...

[53] Acct-Output-Gigawords: Indicates how many times the Acct-Output-Octets counter has wrapped around 2^32 in the course of delivering this service; can be present in Accounting-Request records only where the Acct-Status-Type is set to Stop or Interim-Update. IP subscriber manager: statistics are reported...

[83] Tunnel-Preference: If more than one set of tunneling attributes is returned by the RADIUS server to the tunnel initiator, this attribute is included in each set to indicate the relative preference assigned to each tunnel.
Juniper Networks VSAs
Table 50 on page 265 lists Juniper Networks VSA formats for RADIUS. JUNOSe software uses the vendor ID assigned to Juniper Networks (vendor ID 4874) by the Internet Assigned Numbers Authority (IANA).

Table 50: Juniper Networks (Vendor ID 4874) VSA Formats (continued)
Columns: Attribute Number, Attribute Name, Description, Length, Subtype Length, Value
[26-2] Local-Address-Pool: Name of an assigned address pool that should be used to assign an... (length: sublen; value: string)
[26-14] Service-Category: ATM service category to apply to the B-RAS user's interface (integer: 1 = UBR, 2 = UBR PCR, ...)

[26-24] Pppoe-Description: The string pppoe <mac addr> sent to the RADIUS server, supplied by PPPoE (length: sublen; value: string pppoe <mac addr>)...

[26-44] Tunnel-Interface-Id: Tunnel interface selector that AAA caches as part of the tunnel-session profile and the user's profile (length: sublen; value: string, tunnel selector)...

[26-60] Med-Ip-Address: IP address of the analyzer device to which mirrored packets are forwarded (length: sublen; value: salt-encrypted IP)...

[26-78] IGMP-Version: IGMP protocol version (IGMP Version 1 = 1; IGMP Version 2 = 2; IGMP Version 3 = 3) (value: 1-octet integer)

[26-89] Mobile-IP-Lifetime: Registration lifetime for Mobile IP registration (4-octet integer)
[26-90] L2TP-Resynch-Method: L2TP peer resynchronization method (integer: 0 = disabled; ...)

[26-97] IGMP-Immediate-Leave: IGMP Immediate Leave (4-octet integer: 0 = disabled, 1 = enabled)
[26-98] MLD-Query-Interval: MLD Query Interval...

[26-122] Min-LP-Data-Rate-Dn: Minimum downstream data rate in low power state configured for the subscriber (4-octet integer)...

[26-143] Max-Clients-Per-Interface: Maximum number of PPPoE client sessions supported per interface. For DHCP clients, this value is the maximum number of PPPoE sessions per logical interface. (4-octet integer)

[26-154] Ipv6-Acct-Output-Packets: Number of IPv6 packets sent to the port in the course of delivering this service to a framed user (4-octet integer)
[26-155]...
Table 51: JUNOSe Software DSL Forum (Vendor ID 3561) VSA Formats (continued)
[26-133] Attainable-Data-Rate-Upstream: Upstream data rate that the subscriber can attain (4-octet integer)
[26-134] Attainable-Data-Rate-Downstream: Downstream data rate that the subscriber can attain (4-octet integer)...
Table 52: RADIUS Attribute Passed Through by JUNOSe Software
[79] EAP-Message: Used by RADIUS relay servers; passed through to the RADIUS server

RADIUS Attributes References
For more information about RADIUS attributes, see the following RFCs:
RFC 2661 Layer Two Tunneling Protocol “...
Chapter 7 Application Terminate Reasons This chapter lists the default mappings for application terminate reasons to RADIUS Acct-Terminate-Cause attributes. Table 53 on page 279 lists the default mappings for AAA, Table 54 on page 280 lists default mappings for L2TP, Table 55 on page 295 lists the default mappings for PPP, and Table 56 on page 301 lists default mappings for RADIUS client.
Table 54: Default L2TP Mappings (continued)
L2TP Terminate Reason: RADIUS Acct-Terminate-Cause Code Description
session rx icrq avp bad value assigned session id: nas request
session rx icrq avp bad value bearer type: nas request
session rx icrq avp bad value cisco nas port: nas request
session rx icrq avp duplicate value assigned session id: nas request...

session rx ocrp avp duplicate value assigned session id: nas request
session rx ocrp avp malformed bad length: nas request
session rx ocrp avp malformed truncated: nas request
session rx ocrp avp missing mandatory assigned session id: nas request...

tunnel failover protocol recovery control channel failed: service unavailable
tunnel failover protocol recovery tunnel failed: service unavailable
tunnel failover protocol recovery tunnel finished: user request
tunnel failover protocol recovery tunnel primary down: user request...

tunnel rx sccrp avp bad value challenge response: service unavailable
tunnel rx sccrp avp bad value failover capability: service unavailable
tunnel rx sccrp avp bad value framing capabilities: service unavailable
tunnel rx sccrp avp bad value protocol version: service unavailable...

tunnel rx sccrq avp bad value challenge: service unavailable
tunnel rx sccrq avp bad value failover capability: service unavailable
tunnel rx sccrq avp bad value framing capabilities: service unavailable
tunnel rx sccrq avp bad value protocol version: service unavailable...

tunnel rx stopccn avp malformed truncated: service unavailable
tunnel rx stopccn avp missing mandatory assigned tunnel: service unavailable
tunnel rx stopccn avp missing mandatory result code: service unavailable
tunnel rx stopccn avp missing random vector: service unavailable...

tunnel rx unexpected packet: service unavailable
tunnel rx unexpected packet for session: service unavailable
tunnel rx unknown packet message type indecipherable: service unavailable
tunnel rx unknown packet message type unrecognized: service unavailable
tunnel rx recovery scccn authenticate failed challenge...

tunnel rx recovery sccrp avp duplicate value assigned tunnel id: service unavailable
tunnel rx recovery sccrp avp malformed bad length: service unavailable
tunnel rx recovery sccrp avp malformed truncated: service unavailable
tunnel rx recovery sccrp avp mismatched host name...

tunnel rx recovery sccrq avp bad value receive window size: service unavailable
tunnel rx recovery sccrq avp bad value tunnel recovery: service unavailable
tunnel rx recovery sccrq avp duplicate value assigned tunnel: service unavailable
tunnel rx recovery sccrq avp duplicate value tie breaker...

tunnel rx recovery stopccn avp duplicate value assigned tunnel id: service unavailable
tunnel rx recovery stopccn avp malformed bad length: service unavailable
tunnel rx recovery stopccn avp malformed truncated: service unavailable
tunnel rx recovery stopccn avp missing mandatory assigned...
PPP Terminate Reasons
Table 55 on page 295 lists the default PPP terminate mappings. The table indicates the supported PPP terminate reasons and the RADIUS Acct-Terminate-Cause attributes they are mapped to by default.

Table 55: Default PPP Mappings
PPP Terminate Reason: RADIUS Acct-Terminate-Cause Code...

bundle fail local mrru mismatch: nas request
bundle fail local mru mismatch: nas request
bundle fail peer mrru mismatch: nas request
bundle fail reassembly location: nas request
bundle fail reassembly mismatch...

ip no peer secondary dns address: nas request
ip no peer secondary nbns address: nas request
ip no service: nas request
ip peer renegotiate rx conf ack: nas request
ip peer renegotiate rx conf nak: nas request...

ipv6 peer terminate term req: nas request
ipv6 service disable: nas request
ipv6 stale stacking: nas request
lcp authenticate terminate hold: nas request
lcp configured mrru too small: nas request...

lcp no peer magicnumber: nas request
lcp no peer mrru: nas request
lcp no peer mru: nas request
lcp no peer pfc: nas request
lcp peer terminate code rej: user request...

mpls peer terminate term ack: nas request
mpls peer terminate term req: nas request
mpls service disable: nas request
mpls stale stacking: nas request
network interface admin disable: admin reset...
Chapter 8 Monitoring RADIUS
This chapter describes how to monitor the RADIUS attributes, RADIUS dynamic-request server, and RADIUS relay. RADIUS topics are described in the following sections:
Monitoring Override Settings of RADIUS IETF Attributes on page 303
Monitoring the NAS-Port-Format RADIUS Attribute on page 304
Monitoring the Calling-Station-Id RADIUS Attribute on page 305
Monitoring the NAS-Identifier RADIUS Attribute on page 305
Monitoring the Format of the Remote-Circuit-ID for RADIUS on page 306...

To display the current setting for all configured RADIUS attributes:
Action
host1#show radius override
nas-ip-addr: nas-ip-addr
nas-port-id: nas-port-id
calling-station-id: calling-station-id
nas-info: from current virtual router
host1#show radius override
nas-ip-addr: nas-ip-addr
nas-info: from authentication virtual router
Table 57 on page 304 lists the show radius override command output fields.

To display information about the NAS-Port attribute on an ATM interface on an E320 Broadband Services Router:
host1#show radius nas-port-format extended atm
extended atm field-width slot 5 adapter 0 port 4 vpi 4 vci 12
To display the status of NAS-Port attribute settings for PPPoE interfaces:
host1#show radius pppoe nas-port-format
unique
To display the status of the S-VLAN ID setting for the NAS-Port attribute for VLAN...

host1#show radius nas-identifier
Related Topics: show radius nas-identifier

Monitoring the Format of the Remote-Circuit-ID for RADIUS
Purpose: Display the format configured for the PPPoE remote circuit ID value captured from a DSLAM. The default format is agent-circuit-ID. If the PPPoE remote circuit ID value is configured to include any or all of the agent-circuit-id, agent-remote-id, and nas-identifier components, the display lists the components included and the order in which they appear.

To display the format used for the Acct-Session-Id attribute:
Action
host1#show radius acct-session-id-format
decimal
Related Topics: show radius acct-session-id-format

Monitoring the DSL-Port-Type RADIUS Attribute
Purpose: Display the DSL port type for the NAS-Port-Type attribute for ATM and Ethernet users.
To display the DSL port type for the NAS-Port-Type attribute for ATM users:
Action...

host1#show aaa intf-desc-format
exclude sub-interface include adapter
Related Topics: show aaa intf-desc-format

Monitoring Included RADIUS Attributes
Purpose: Display the RADIUS attributes that are included in and excluded from Acct-On, Acct-Off, Access-Request, Acct-Start, and Acct-Stop messages.
To display the list of included RADIUS attributes:
Action
host1#show radius attributes-included...

Table 58: show radius attributes-included Output Fields (continued)
Account On: Include status of the attribute in Acct-On messages: enabled, disabled, not configurable (n/c)
Account Off: Include status of the attribute in Acct-Off messages: enabled, disabled, n/c
Access Request: Include status of the attribute in Access Request...
host1#baseline radius dynamic-request
There is no no version.
Related Topics: Monitoring RADIUS Dynamic-Request Server Statistics on page 311; baseline radius dynamic-request

Monitoring RADIUS Dynamic-Request Server Statistics
Purpose: Display RADIUS dynamic-request server statistics.
To display RADIUS dynamic-request statistics:
Action
host1#show radius dynamic-request statistics
RADIUS Request Statistics...

Table 59: show radius dynamic-request statistics Output Fields (continued)
Disconnect or CoA No Session ID: RADIUS-initiated disconnect or CoA messages rejected because the request did not include a session ID attribute
Disconnect or CoA Bad Authenticators: RADIUS-initiated disconnect or CoA messages...

Table 60: show radius dynamic-request servers Output Fields (continued)
Udp Port: Port on which the router listens for the RADIUS server
Disconnect: Status of the RADIUS-initiated disconnect feature
Change of Authorization: Status of the change of authorization feature
Secret: Secret used to connect to the RADIUS server
Related Topics: show radius servers...

Table 61: show radius relay statistics Output Fields (continued)
Accounting Requests: Number of accounting requests received, broken down by type of request
Accounting Responses: Number of accounting responses, broken down by type of request
Related Topics: Setting a Baseline for RADIUS Relay Statistics on page 313; show radius relay statistics...

Related Topics: show radius relay servers

Monitoring the Status of RADIUS Relay UDP Checksums
Purpose: Display the status of RADIUS relay UDP checksums.
To display the status of UDP checksums:
Action
host1(config)#show radius relay udp-checksum
udp-checksums enabled
Meaning: Table 63 on page 316 lists the show radius relay udp-checksum command output...
Chapter 9 Configuring TACACS+ This chapter explains how to enable and configure TACACS+ in your E Series router. It has the following sections: TACACS+ Overview on page 317 TACACS+ Platform Considerations on page 321 TACACS+ References on page 321 Before You Configure TACACS+ on page 322 Configuring TACACS+ Support on page 322 TACACS+ Overview With the increased use of remote access, the need for managing more network access...
JUNOSe 11.1.x Broadband Access Configuration Guide Table 64: TACACS-Related Terms Term Description Network access server. A device that provides connections to a single user, to a network or subnetwork, and to interconnected networks. In reference to TACACS+, the NAS is the E Series router. TACACS+ process A program or software running on a security server that provides AAA services using the TACACS+ protocol.
Chapter 9: Configuring TACACS+ TACACS+ sets up a TCP connection to the TACACS+ host and sends a Start packet. The TACACS+ host responds with a Reply packet, which either grants or denies access, reports an error, or challenges the user. TACACS+ might challenge the user to provide username, password, passcode, or other information.
JUNOSe 11.1.x Broadband Access Configuration Guide Method list A specified configuration that defines how the NAS performs the AAA accounting service. A service type can be configured with multiple method lists with different names, and a method list name can be used for different service types.
Chapter 9: Configuring TACACS+ Table 65: TACACS+ Accounting Information (continued) Field/Attribute Location Description user Packet body Name of user running the Exec session or CLI command port Packet body NAS port used by the Exec session or CLI command rem-addr Packet body User’s remote location;...
JUNOSe 11.1.x Broadband Access Configuration Guide Before You Configure TACACS+ Before you begin to configure TACACS+, you must determine the following for the TACACS+ authentication and accounting servers: IP addresses TCP port numbers Secret keys Configuring TACACS+ Support To use TACACS+, you must enable AAA. To configure your router to support TACACS+, perform the following tasks.
Chapter 9: Configuring TACACS+ host1(config)#aaa authentication login tac tacacs+ radius enable Specify the privilege level by defining a methods list that uses TACACS+ for authentication. host1(config)#aaa authentication enable default tacacs+ radius enable Configure vty lines. host1(config)#line vty 0 4 Apply an authentication list to the vty lines you specified on your router. host1(config-line)#login authentication tac Configuring Accounting Once TACACS+ support is enabled on the router, you can configure TACACS+...
JUNOSe 11.1.x Broadband Access Configuration Guide Use to enable TACACS+ accounting and capture accounting information for a specific JUNOSe privilege level on the router and to create accounting method lists. Specify the JUNOSe privilege level (0 through 15) for which to capture accounting information.
Chapter 9: Configuring TACACS+ Use to allow privilege determination to be authenticated through the TACACS+ server. This command specifies a list of authentication methods that are used to determine whether a user is granted access to the privilege command level. The authentication methods that you can use in a list include these options: radius, line, tacacs+, none, and enable.
JUNOSe 11.1.x Broadband Access Configuration Guide Use the no version to remove the authentication list from your configuration. See aaa authentication login aaa new-model Use to specify AAA new model as the authentication method for the vty lines on your router. If you specify AAA new model and you do not create an authentication list, users will not be able to access the router through a vty line.
Chapter 9: Configuring TACACS+ example, no line vty 6 causes the router to remove lines 6 through 19. You cannot remove lines 0 through 4. See line login authentication Use to apply an authentication list to the vty lines you specified on your router. Example host1(config-line)#login authentication my_auth_list Use the no version to specify that the router should use the default authentication...
JUNOSe 11.1.x Broadband Access Configuration Guide host1(config)#tacacs-server key &# 889khj Use the no version to reset a key value shared by all TACACS+ servers. See tacacs-server key tacacs-server source-address Use to set or reset an alternative source address to be used for TACACS+ server communications.
Chapter 10 Monitoring TACACS+ This chapter describes how to monitor the current TACACS+ configurations. TACACS+ topics are described in the following sections: Setting Baseline TACACS+ Statistics on page 329 Monitoring TACACS+ Statistics on page 329 Monitoring TACACS+ Information on page 331 Setting Baseline TACACS+ Statistics You can set a baseline for TACACS+ statistics.
Chapter 10: Monitoring TACACS+ show statistics tacacs Related Topics Monitoring TACACS+ Information Display TACACS+ information. Purpose To display TACACS+ information. Action host1#show tacacs Key = hippo Timeout = <NOTSET>, built-in timeout of 5 will be used Source-address = <NOTSET> TACACS+ Configuration, (*) denotes inherited -------------------------------------------- Search IP Address...
JUNOSe 11.1.x Broadband Access Configuration Guide Table 67: show tacacs Output Fields (continued) Field Name Field Description Search Order The order in which requests are sent to hosts until a response is received show tacacs Related Topics Monitoring TACACS+ Information...
Part 3 Managing L2TP L2TP Overview on page 335 Configuring an L2TP LAC on page 343 Configuring an L2TP LNS on page 375 Configuring L2TP Dial-Out on page 411 L2TP Disconnect Cause Codes on page 423 Monitoring L2TP and L2TP Dial-Out on page 427 Managing L2TP...
Layer 2 Tunneling Protocol (L2TP) is a client-server protocol that allows Point-to-Point Protocol (PPP) to be tunneled across a network. This chapter includes the following topics that provide information for configuring L2TP on the Juniper Networks E Series Broadband Services Routers.
JUNOSe 11.1.x Broadband Access Configuration Guide Figure 7: Using the E Series Router as an LAC Figure 8: Using the E Series Router as an LNS NOTE: The E Series router does not support terminating both ends of a tunnel or session in the same router.
Chapter 11: L2TP Overview Table 68: L2TP Terms (continued) Term Description L2TP network server (LNS) A node that acts as one side of an L2TP tunnel endpoint and is a peer to the LAC. An LNS is the logical termination point of a PPP connection that is being tunneled from the remote system by the LAC.
JUNOSe 11.1.x Broadband Access Configuration Guide The client initiates a PPP connection with the router. The router and the client exchange Link Control Protocol (LCP) packets. For details about negotiating PPP connections, see the Configuring Point-to-Point Protocol chapter in JUNOSe Link Layer Configuration Guide. By using either a local database related to the domain name or RADIUS authentication, the router determines either to terminate or to tunnel the PPP connection.
Chapter 11: L2TP Overview The E Series PPP processes the proxy authentication data, if it is present, and passes the data to AAA for verification. (If the data is not present, E Series PPP requests the data from the remote system.) The router passes the authentication results to the remote system.
JUNOSe 11.1.x Broadband Access Configuration Guide L2TP Platform Considerations For information about modules that support LNS and LAC on the ERX7xx models, ERX14xx models, and the ERX310 Broadband Services Router: See ERX Module Guide, Table 1, ERX Module Combinations for detailed module specifications.
Chapter 11: L2TP Overview E120 Router and E320 Router To use an LNS on an E120 router or an E320 router, you must install an ES2 4G line module (LM) with an ES2-S1 Service I/O adapter (IOA), or an IOA that supports the use of shared tunnel-server ports.
JUNOSe 11.1.x Broadband Access Configuration Guide NOTE: In previous releases, the JUNOSe software required that you use the license l2tp-session command to configure a license to enable support for the maximum allowable L2TP sessions on ERX1440 routers, E120 routers, and E320 routers. The license l2tp-session command still appears in the CLI, but it has no effect on the actual enforced limit.
Chapter 12 Configuring an L2TP LAC An L2TP access concentrator (LAC) receives packets from a remote client and forwards them to an L2TP network server (LNS), on a remote network. You can configure your E Series router to function as an LAC. This chapter includes the following topics that provide information for configuring an L2TP LAC on the E Series router: LAC Configuration Prerequisites on page 343...
JUNOSe 11.1.x Broadband Access Configuration Guide Assign a router ID IP address, such as that for a loopback interface, to the virtual router. This address must be reachable by the L2TP peer. host1:west(config)#ip router-id 10.10.45.3 CAUTION: You must explicitly assign a router ID to a virtual router rather than using a dynamically assigned router ID.
Chapter 12: Configuring an L2TP LAC When the router is established as an LAC or LNS and is creating destinations, tunnels, and sessions, you can manage them as follows: Prevent the creation of new sessions, tunnels, and destinations. Close and reopen all or selected destinations, tunnels, and sessions. Configure drain timeout operations, which control the amount of time a disconnected LAC tunnel waits before restarting after receiving a restart request.
JUNOSe 11.1.x Broadband Access Configuration Guide (1 hour), for which the router attempts to maintain dynamic destinations, tunnels, and sessions after they have been destroyed. The router uses a timeout of 600 seconds by default. This command facilitates debugging and other analysis by saving underlying memory structures after the destination, tunnel, or session is terminated.
Chapter 12: Configuring an L2TP LAC host1(config)#l2tp drain Preventing Creation of New Tunnels and Sessions at a Destination You use the l2tp drain destination command to prevent the creation of new tunnels and sessions at a specific destination. The l2tp drain destination command and the l2tp shutdown destination command both affect the administrative state of L2TP for the destination.
JUNOSe 11.1.x Broadband Access Configuration Guide Shutting Down Destinations, Tunnels, and Sessions You can configure how the router shuts down L2TP destinations, tunnels, and sessions. You can specify the following shut down methods, which also prevent the creation of new tunnels: 1.
Chapter 12: Configuring an L2TP LAC The l2tp shutdown tunnel command and the l2tp drain tunnel command both affect the administrative state of L2TP for the tunnel. Although each command has a different effect, the no version of each command is equivalent. Each command’s no version leaves L2TP in the enabled state.
JUNOSe 11.1.x Broadband Access Configuration Guide You use the aaa tunnel calling-number-format command to configure the router to generate AVP 22 in any of the following formats. Agent-circuit-id is suboption 1 of the tags supplied by the PPPoE intermediate agent from the DSLAM. Agent-remote-id is suboption 2.
Chapter 12: Configuring an L2TP LAC Format for ATM interfaces: systemName (up to 4 bytes), slot (1 byte), adapter (1 byte), port (1 byte), VPI (3 bytes), VCI (5 bytes). Format for Ethernet interfaces: systemName (up to 4 bytes), slot (1 byte), adapter (1 byte), port (1 byte), VLAN (8 bytes). Format for serial interfaces: systemName (up to 4 bytes), slot (1 byte), adapter (1 byte)
JUNOSe 11.1.x Broadband Access Configuration Guide adapter 1, port 2, VCI 3, and VPI 4, the virtual router displays the format in ASCII as ‘E’ ‘1’ ‘2’ ‘003’ ‘00004’. fixed-adapter-new-field If you set up the router to generate the L2TP Calling Number AVP in fixed-adapter-embedded-new-field format, the router formats the AVP to use a fixed format of up to 17 characters consisting of all ASCII fields with a 2-byte slot field, 1-byte adapter field, and 2-byte port field:...
Chapter 12: Configuring an L2TP LAC NOTE: The use of the stacked keyword is not supported for VLAN subinterfaces based on agent-circuit-identifier information, otherwise known as ACI VLANs. When you issue the aaa tunnel calling-number-format fixed stacked, aaa tunnel calling-number-format fixed-adapter-embedded stacked, or aaa tunnel calling-number-format fixed-adapter-new-field stacked command for an ACI VLAN, the values that appear in the 4-byte S-VLAN ID and 4-byte VLAN ID fields are incorrect.
JUNOSe 11.1.x Broadband Access Configuration Guide Set the format of the RADIUS Calling-Station-Id to fixed-format, and specify the optional stacked keyword to include the S-VLAN ID. host1(config)#radius calling-station-format fixed-format stacked If you use a RADIUS server to authenticate the L2TP tunnel parameters, you must configure the format for both the L2TP Calling Number AVP 22 (by using the aaa tunnel calling-number-format command) and the RADIUS Calling-Station-ID [31] attribute (by using the radius calling-station-format command).
Chapter 12: Configuring an L2TP LAC fixed format, the router formats the AVP to use a fixed format of up to 15 characters consisting of all ASCII fields, as follows (the maximum number of characters for each field is shown in brackets): Fallback format for ATM interfaces: <system name [4]>...
JUNOSe 11.1.x Broadband Access Configuration Guide [Table: Slot Number to ASCII Character mapping; the slot number and character columns were not extracted.] For example, slot 16 is shown as the ASCII character uppercase G. Example The following command configures the fallback AVP 22 in fixed-adapter-embedded format: host1(config)#aaa tunnel calling-number-format-fallback fixed-adapter-embedded For example, when you configure this fallback format on an E320 router for...
Chapter 12: Configuring an L2TP LAC For example, when you configure this fallback format on an E320 router for an ATM interface on system name eastern, slot 14, adapter 1, port 2, VCI 3, and VPI 4, the virtual router displays the format in ASCII as ‘14’...
JUNOSe 11.1.x Broadband Access Configuration Guide To prevent the LAC from sending the Calling Number AVP: host1(config)#l2tp disable calling-number-avp For more information about setting up the router to generate Calling Number AVP 22 in a format that includes either or both of the agent-circuit-id and agent-remote-id suboptions of the tags supplied by the PPPoE intermediate agent, see Configuring PPPoE Remote Circuit ID Capture in the JUNOSe Link Layer Configuration Guide .
Chapter 12: Configuring an L2TP LAC After configuring a tunnel group and the attributes for its tunnels, you can assign the tunnel group to the domain map from Domain Map mode. The tunnel group reference in the domain map is used instead of tunnel definitions configured from Domain Map Tunnel configuration mode.
JUNOSe 11.1.x Broadband Access Configuration Guide host1(config-domain-map-tunnel)#preference 5 (Optional) Specify an authentication password for the tunnel. host1(config-domain-map-tunnel)#password temporary NOTE: If you specify a password for the LAC, the router requires that the peer (the LNS) authenticate itself to the router. In this case, if the peer fails to authenticate itself, the tunnel terminates.
Chapter 12: Configuring an L2TP LAC Specify a medium type for the tunnel. (L2TP supports only IP version 4 [IPv4].) host1(config-domain-map-tunnel)#medium ipv4 (Optional) Specify a default tunnel client name. host1(config-domain-map-tunnel)#exit host1(config-domain-map)#exit host1(config)#aaa tunnel client-name boxford If the tunnel client name is not included in the tunnel attributes that are returned from the domain map or authentication server, the router uses the default name.
JUNOSe 11.1.x Broadband Access Configuration Guide (Optional) Disable the generation of authentication challenges by the local tunnel, so that the tunnel does not send a challenge during negotiation. However, the tunnel does accept and respond to challenges it receives from the peer. host1(config)#l2tp disable challenge Verify the L2TP tunnel configuration.
Chapter 12: Configuring an L2TP LAC server-name source-address tunnel tunnel group type Mapping User Domain Names to L2TP Tunnels from Tunnel Group Tunnel Mode To map a domain to an L2TP tunnel locally on the router from Tunnel Group Tunnel Configuration mode, perform the following steps: Specify an AAA tunnel group and change the mode to Tunnel Group Tunnel Configuration mode.
JUNOSe 11.1.x Broadband Access Configuration Guide The LAC sends the hostname to the LNS when communicating to the LNS about the tunnel. The hostname can be up to 64 characters (no spaces). host1(config-tunnel-group-tunnel)#client-name host4. NOTE: If the LNS does not accept tunnels from unknown hosts, and if no hostname is specified, the LAC uses the router name as the hostname.
JUNOSe 11.1.x Broadband Access Configuration Guide Specify that the RX Speed AVP is always generated. If you do not specify this command, the RX Speed AVP is generated only when the RX speed differs from the TX speed. host1(config)#l2tp rx-connect-speed-when-equal atm atm1483 advisory-rx-speed Related Topics l2tp rx-connect-speed-when-equal command...
Chapter 12: Configuring an L2TP LAC NOTE: Always configure the lockout timeout to be shorter than the destruct timeout. The destruct timeout (as described in “Specifying a Destruct Timeout for L2TP Tunnels and Sessions” on page 345) overrides the lockout timeout: when the destruct timeout expires, all information about the locked-out destination is deleted, including the time remaining on the destination’s lockout timeout and the requirement to run a lockout test prior to returning the destination to service.
JUNOSe 11.1.x Broadband Access Configuration Guide Verifying That a Locked-Out Destination Is Available You can use the l2tp destination lockout-test command to configure L2TP to test locked-out destinations; this verifies that a previously locked-out destination is available before the router changes the destination’s status. To verify the availability of locked out destinations: host1(config)#l2tp destination lockout-test Configuring a Lockout Timeout...
Chapter 12: Configuring an L2TP LAC Starting an Immediate Lockout Test You use the l2tp unlock-test destination command to force L2TP to immediately start the lockout test for the specified destination; any remaining lockout time for the destination is ignored. You must be at privilege level 10 or higher to use this command.
JUNOSe 11.1.x Broadband Access Configuration Guide The router accepts a change in receive address only once, during the tunnel establishment phase, and only on an SCCRP packet. Subsequent changes result in the router dropping packets. Any changes do not affect established tunnels. Use the show l2tp command to display the SCCRP address change configuration.
Chapter 12: Configuring an L2TP LAC the process. The router makes up to eight attempts to connect to a destination for a domain, one attempt for each preference level. If all destinations at a preference level are marked as unreachable, the router chooses the destination that failed first and tries to make a connection.
JUNOSe 11.1.x Broadband Access Configuration Guide A and B at preference 0 C and D at preference 1 When the router attempts to connect to the domain, suppose it randomly selects tunnel B from preference 0. If it fails to connect to tunnel B, the router excludes tunnel B for five minutes and attempts to connect to tunnel A.
Chapter 12: Configuring an L2TP LAC host1(config)#l2tp weighted-load-balancing Configuring the Weighted Load Balancing Method...
Chapter 13 Configuring an L2TP LNS An L2TP network server (LNS) is a node that acts as one side of an L2TP tunnel endpoint and is a peer to the LAC. An LNS is the logical termination point of a PPP connection that is being tunneled from the remote system by the LAC.
JUNOSe 11.1.x Broadband Access Configuration Guide Assign a router ID IP address, such as that for a loopback interface, to the virtual router. This address must be reachable by the L2TP peer. host1:west(config)#ip router-id 10.10.45.3 CAUTION: You must explicitly assign a router ID to a virtual router rather than using a dynamically assigned router ID.
Chapter 13: Configuring an L2TP LNS To configure an LNS, perform the following steps: Create a destination profile that defines the location of the LAC, and access L2TP Destination Profile Configuration mode. See “Creating an L2TP Destination Profile” on page 378 . host1:boston(config)#l2tp destination profile boston4 ip address 192.168.76.20 host1:boston(config-l2tp-dest-profile)# Define the L2TP host profile and enter L2TP Destination Profile Host Configuration...
JUNOSe 11.1.x Broadband Access Configuration Guide NOTE: When acting as the LNS, the E Series router supports dialed number identification service (DNIS). With DNIS, if users have a called number associated with them, the router searches the domain map for the called number. If it finds a match, the router uses the matching domain map entry information to authenticate the user.
Chapter 13: Configuring an L2TP LNS If the destination address is 0.0.0.0, then any LAC that can be reached via the specified virtual router is allowed to access the LNS. If the destination address is nonzero, then it must be a host-specific IP address. To create a destination profile: host1:boston(config)#l2tp destination profile boston ip address 10.10.76.12 host1:boston(config-l2tp-dest-profile)#...
JUNOSe 11.1.x Broadband Access Configuration Guide Creating an L2TP Destination Profile on page 378 Related Topics l2tp destination profile Configuring the Maximum Number of LNS Sessions You can use the max-sessions command in both L2TP Destination Profile Configuration mode and L2TP Destination Profile Host Configuration mode to configure the number of sessions allowed by the L2TP network server (LNS).
Chapter 13: Configuring an L2TP LNS of the Connect-Info attribute is as follows, where the TX speed and RX speed are equal to the respective L2TP AVPs: tx-speed [ /rx-speed ] The TX speed is always included in the attribute when the speed is not zero; however, inclusion of the RX speed depends on the keyword you use with the command.
JUNOSe 11.1.x Broadband Access Configuration Guide To override result codes 4 and 5: host1:boston(config-l2tp-dest-profile-host)#session-out-of-resource-result-code-override Displaying the Current Override Setting You can view the current override setting for the LNS result codes in the L2TP destination profile. To display the current override setting: ERX(config)#show l2tp destination profile boston L2TP destination profile boston Configuration...
Chapter 13: Configuring an L2TP LNS For example, an ERX1440 Broadband Services Router has service modules installed in slots 4, 9, and 12. Using the load-balancing mechanism, the router determines that the SM in slot 4 can accommodate the first bundled session for MLPPP bundle A, and places it there.
JUNOSe 11.1.x Broadband Access Configuration Guide Overriding All Endpoint Discriminators NOTE: We strongly recommend that you use this feature only with the support of JTAC. You can also configure the router to ignore the value of all endpoint discriminators when it selects a SM and to use only the bundled group identifier that you assigned by issuing the bundled-group-overrides-mlppp-ed command.
Chapter 13: Configuring an L2TP LNS l2tp tunnel-switching Related Topics Creating Persistent Tunnels The E Series router supports persistent tunnels. A persistent tunnel is one that is configured to remain available. Persistent tunnels have only local significance; that is, they apply only to the end of the tunnel where they are set. If the other end of the tunnel chooses to terminate the tunnel, the tunnel is removed.
JUNOSe 11.1.x Broadband Access Configuration Guide Configure drain timeout operations, which control the amount of time a disconnected LAC tunnel waits before restarting after receiving a restart request. Configure how many times the router retries a transmission if the initial attempt is unsuccessful.
Chapter 13: Configuring an L2TP LNS NOTE: Sessions for which the AVP generation is enabled by the host-profile-specific disconnect-cause command continue to generate the AVP. Generating the Disconnect Cause AVP with a Host Profile You use the disconnect-cause command in L2TP Destination Profile Host Configuration mode to specify that the E Series LNS generate PPP Disconnect Cause Code AVPs.
JUNOSe 11.1.x Broadband Access Configuration Guide Configuring the Receive Window Size You can configure the L2TP receive window size (RWS) for an L2TP tunnel. L2TP uses the RWS to implement a sliding window mechanism for the transmission of control messages. When you configure the RWS, you specify the number of packets that the L2TP peer can transmit without receiving an acknowledgment from the router.
Chapter 13: Configuring an L2TP LNS Receive data sequencing is not ignored Tunnel switching is disabled Retransmission retries for established tunnels is 5 Retransmission retries for not-established tunnels is 5 Tunnel idle timeout is 60 seconds Failover within a preference level is disabled Weighted load balancing is disabled Tunnel authentication challenge is enabled Calling number avp is enabled...
Chapter 13: Configuring an L2TP LNS Configuring Peer Resynchronization The JUNOSe software enables you to configure the peer resynchronization method you want the router to use. Peer resynchronization enables L2TP to recover from a router warm start and to allow an L2TP failed endpoint to resynchronize with its peer non-failed endpoint.
JUNOSe 11.1.x Broadband Access Configuration Guide You can use the CLI or RADIUS to configure the resynchronization method for your router. 1. Configuring Peer Resynchronization for L2TP Host Profiles and AAA Domain Map Tunnels on page 392 2. Configuring the Global L2TP Peer Resynchronization Method on page 393 3.
Chapter 13: Configuring an L2TP LNS host1(config)#l2tp destination profile lac-dest ip address 192.168.20.2 host1(config-l2tp-dest-profile)#remote host lac-host host1(config-l2tp-dest-host-profile-host)#failover-resync silent-failover To configure peer resynchronization for an AAA domain map tunnel: host1(config)#aaa domain-map lac-tunnel host1(config-domain-map)#tunnel 10 host1(config-domain-map-tunnel)#failover-resync silent-failover Configuring the Global L2TP Peer Resynchronization Method You can configure the peer resynchronization method globally, or for L2TP host profiles or domain map tunnels; a host profile or domain map tunnel configuration takes precedence over the global peer resynchronization configuration.
JUNOSe 11.1.x Broadband Access Configuration Guide host1(config)#default l2tp failover-resync To disable peer resynchronization, use the no version of the command; this is the same as using the disable keyword: host1(config)#no l2tp failover-resync Using RADIUS to Configure Peer Resynchronization The JUNOSe software supports the use of RADIUS to configure the L2TP peer resynchronization method used by your L2TP tunnels.
Chapter 13: Configuring an L2TP LNS AAA tunnel groups RADIUS Access-Accept messages If none of these methods are used, you can apply the L2TP tunnel switch profile as an AAA default tunnel parameter. The default tunnel switch profile has lower precedence than the other methods for applying the tunnel switch profile.
JUNOSe 11.1.x Broadband Access Configuration Guide When you configure any of these AVP types for relay in an L2TP tunnel-switched network, the router preserves the value of an incoming AVP of this type when packets are switched between the inbound LNS session and the outbound LAC session. Configuration Tasks To configure and use an L2TP tunnel switch profile in an L2TP tunnel-switched network:...
Chapter 13: Configuring an L2TP LNS host1(config)#l2tp switch-profile concord host1(config-l2tp-tunnel-switch-profile)# Configure the L2TP tunnel switching behavior for the interfaces to which this profile is assigned. Use the avp command with the relay keyword to cause the router to preserve the value of an incoming AVP of this type when packets are switched between an inbound LNS session and an outbound LAC session.
JUNOSe 11.1.x Broadband Access Configuration Guide For more information about how to map a domain to an L2TP tunnel from Domain Map Tunnel Configuration mode, see “Mapping a User Domain Name to an L2TP Tunnel Overview” on page 358 . From Domain Map Tunnel Configuration mode, issue the switch-profile command to apply the specified L2TP switch profile to the sessions associated with this domain map.
JUNOSe 11.1.x Broadband Access Configuration Guide session, you can configure RADIUS to include the Tunnel-Switch-Profile RADIUS attribute (VSA 26-91) in RADIUS Access-Accept messages. For more information about RADIUS Access-Accept messages, see “Configuring RADIUS Attributes” on page 171. For more information about the Tunnel-Switch-Profile attribute, see “RADIUS IETF Attributes”...
“Using AAA Default Tunnel Parameters to Configure the Transmit Connect Speed Calculation Method” on page 406. RADIUS Include the Tunnel-Tx-Speed-Method RADIUS attribute (Juniper Networks VSA 26-94) in RADIUS Access-Accept messages. For instructions, see “Using AAA Default Tunnel Parameters to Configure the Transmit Connect Speed Calculation Method”...
JUNOSe 11.1.x Broadband Access Configuration Guide If there is no explicit static configuration for the layer 2 interface, L2TP reports the speed of the underlying physical port as the transmit connect speed. Dynamic Layer 2 The dynamic layer 2 method calculates the transmit connect speed of the subscriber’s access interface based on the dynamically configured settings for the underlying layer 2 interface.
Chapter 13: Configuring an L2TP LNS A transmit connect speed of 10 Mbps is provided dynamically from a RADIUS authentication server when the subscriber logs in. The transmit connect speed calculated by QoS is 5 Mbps. Based on these characteristics, Table 70 on page 403 lists the transmit connect speed value reported in L2TP Transmit (TX) Speed AVP 24 for each calculation method, and the reason why L2TP reports this value.
JUNOSe 11.1.x Broadband Access Configuration Guide Table 71: Transmit Connect Speeds for L2TP over Ethernet Example (continued) Transmit Connect Calculation Speed Reported in Method AVP 24 Reason Dynamic layer 2 100 Mbps L2TP reports the static layer 2 value because the dynamic layer 2 setting does not apply to a VLAN subinterface.
For more information about how to map a domain to an L2TP tunnel from Domain Map Tunnel Configuration mode, see “Mapping a User Domain Name to an L2TP Tunnel Overview” on page 358. From Domain Map Tunnel Configuration mode, configure the calculation method for the transmit connect speed of the subscriber’s access interface.
To use RADIUS to configure the transmit connect speed calculation method for a subscriber’s access interface, you can configure RADIUS to include the Tunnel-Tx-Speed-Method RADIUS attribute (Juniper Networks VSA 26-94) in RADIUS Access-Accept messages. Table 72 on page 408 describes the Tunnel-Tx-Speed-Method RADIUS attribute. For more information about RADIUS Access-Accept messages, see “Configuring RADIUS...
Table 72: Tunnel-Tx-Speed-Method RADIUS Attribute. Attribute Number: [26-94]. Attribute Name: Tunnel-Tx-Speed-Method. Description: The method that the router uses to calculate the transmit connect speed of the subscriber’s access interface. Value: integer: 1 = static-layer2; TX speed based on static layer 2 settings...
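The following is an added example, not code from this guide or from a RADIUS server: it builds the two Juniper Networks VSAs discussed in this chapter, Tunnel-Switch-Profile (26-91, a string) and Tunnel-Tx-Speed-Method (26-94, an integer), in RFC 2865 attribute format, and parses them back out of a constructed Access-Accept attribute list. The vendor ID 4874 (the ERX/JUNOSe RADIUS dictionary value) is an assumption, since the guide names only the 26-nn numbers; only value 1 = static-layer2 is given for 26-94 on this page, so other codes are returned as plain integers.

```python
"""Juniper VSAs 26-91 and 26-94 in RFC 2865 format. Added example, not JUNOSe code."""
import struct
from typing import Dict, List, Optional, Tuple

ATTR_VENDOR_SPECIFIC = 26
JUNIPER_ERX_VENDOR_ID = 4874        # assumption: ERX/JUNOSe dictionary vendor ID
VSA_TUNNEL_SWITCH_PROFILE = 91      # string: name of an L2TP switch profile
VSA_TUNNEL_TX_SPEED_METHOD = 94     # integer: 1 = static-layer2 (other values elided on the page)
TX_SPEED_METHOD_NAMES = {1: "static-layer2"}


def encode_vsa(vendor_id: int, vendor_type: int, data: bytes) -> bytes:
    """Type 26 attribute: length, 4-byte vendor ID, then a vendor TLV."""
    vendor_tlv = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    length = 6 + len(vendor_tlv)
    if length > 255:
        raise ValueError("RADIUS attribute length is a single byte")
    return struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, length, vendor_id) + vendor_tlv


def tunnel_switch_profile(name: str) -> bytes:
    return encode_vsa(JUNIPER_ERX_VENDOR_ID, VSA_TUNNEL_SWITCH_PROFILE, name.encode("ascii"))


def tunnel_tx_speed_method(value: int) -> bytes:
    return encode_vsa(JUNIPER_ERX_VENDOR_ID, VSA_TUNNEL_TX_SPEED_METHOD, struct.pack("!I", value))


def parse_attributes(blob: bytes) -> List[Tuple[int, bytes]]:
    """Walk the attribute list; every length is checked before it is used."""
    attrs = []
    off = 0
    while off < len(blob):
        if off + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[off], blob[off + 1]
        if alen < 2 or off + alen > len(blob):
            raise ValueError(f"bad attribute length {alen} for type {atype}")
        attrs.append((atype, blob[off + 2:off + alen]))
        off += alen
    return attrs


def juniper_vsas(blob: bytes) -> Dict[int, bytes]:
    """Collect vendor TLVs from every type 26 attribute carrying our vendor ID."""
    found: Dict[int, bytes] = {}
    for atype, value in parse_attributes(blob):
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != JUNIPER_ERX_VENDOR_ID:
            continue  # some other vendor's attribute; not ours to interpret
        inner = value[4:]
        off = 0
        while off < len(inner):
            if off + 2 > len(inner):
                raise ValueError("truncated vendor TLV header")
            vtype, vlen = inner[off], inner[off + 1]
            if vlen < 2 or off + vlen > len(inner):
                raise ValueError(f"bad vendor TLV length {vlen} for subtype {vtype}")
            found[vtype] = inner[off + 2:off + vlen]
            off += vlen
    return found


def tunnel_parameters(access_accept_attrs: bytes) -> Dict[str, Optional[object]]:
    """Return the switch profile name and speed method named by an Access-Accept."""
    vsas = juniper_vsas(access_accept_attrs)
    result: Dict[str, Optional[object]] = {"switch_profile": None, "tx_speed_method": None}
    profile = vsas.get(VSA_TUNNEL_SWITCH_PROFILE)
    if profile is not None:
        result["switch_profile"] = profile.decode("ascii")
    method = vsas.get(VSA_TUNNEL_TX_SPEED_METHOD)
    if method is not None:
        if len(method) != 4:
            raise ValueError("Tunnel-Tx-Speed-Method must be a 4-byte integer")
        code = struct.unpack("!I", method)[0]
        result["tx_speed_method"] = TX_SPEED_METHOD_NAMES.get(code, code)
    return result


if __name__ == "__main__":
    # Constructed Access-Accept attribute list: Framed-Protocol = PPP, then the two VSAs.
    accept = bytes([7, 6, 0, 0, 0, 1]) + tunnel_switch_profile("switch-bos") + tunnel_tx_speed_method(1)
    print(accept.hex())
    print(tunnel_parameters(accept))
```

The parser skips attributes it does not own and rejects any length byte that would run past the end of the packet, which is what the RADIUS client on the router must do before acting on a profile name or method code it received over the network.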
(Table continued) Attribute Name: Acct-Input-Packets; Acct-Output-Packets. Termination of a tunneled session can result from PPP termination, L2TP shutdown, subscriber logout, or lower layer down events. When the session is terminated through PPP, the software counts both the PPP terminate-request and the PPP terminate-acknowledgement packets.
Chapter 14 Configuring L2TP Dial-Out This chapter describes the Layer 2 Tunneling Protocol (L2TP) dial-out feature on your E Series router. This chapter includes the following sections: L2TP Dial-Out Overview on page 411 L2TP Dial-Out Platform Considerations on page 418 L2TP Dial-Out References on page 418 Before You Configure L2TP Dial-Out on page 419 Configuring L2TP Dial-Out on page 419...
Figure 10: Network Model for Dial-Out. NOTE: The dial-out feature exists in the LNS only. It does not exist in the LAC. Terms: Table 73 on page 412 describes key terms used in L2TP dial-out. Table 73: L2TP Dial-Out Terms (Term, Description)...
the router to start a dial-out operation. The route includes a dial-out target (the virtual router context and the IP address of the remote site). When the router receives a packet destined for the target, it triggers a dial-out session to the target. The route is associated with a profile that holds parameters for the interface stack that the router builds as a result of the dial-out.
Table 74: Chassis Operational States. inService: Dial-out service is operational at the chassis level. initializationFailed: Dial-out service could not obtain enough system resources for basic operation. All configuration commands fail, and the dial-out service does not function.
Sessions: Table 77 on page 415 describes operational states of the sessions. Table 77: Session Operational States. authenticating: New sessions start in the authenticating state. In this state, the dial-out state machine has received a valid trigger and is waiting for authentication, authorization, and accounting (AAA) to complete the initial authentication.
Table 77: Session Operational States (continued). dormant: A session enters the dormant state after completion of a postInhibited state. The dormant timer is initialized to the chassis-wide dormant timer value, minus the time the session spent in the postInhibited state. Receipt of a new trigger packet transitions the session to the authenticating state.
the E Series RADIUS client. The RADIUS authentication request is consistent with other requests, except that the Service-Type attribute is set to outbound (value of 5). Access-Accept Message: The router expects RADIUS attributes that define a tunnel to be returned with the additions in Table 78 on page 417.
After an outgoing call is successfully signaled, the router dynamically creates a PPP interface. The profile in the dial-out route definition specifies any PPP configuration options. Both the L2TP session and the PPP interface exist on a Service module, identical to the LNS operation for incoming calls.
Before You Configure L2TP Dial-Out: Create a profile that the router uses to create the dynamic PPP and IP interfaces on the LNS. The profile specifies parameters that are common to all dial-out sessions that use the profile. The following is an example of a typical profile configuration. Create a profile.
Reset a dial-out session by forcing it to the dormant state.
host1#l2tp dial-out session reset 10.10.0.0
l2tp dial-out connecting-timer-value: Use to set the maximum time allowed for attempts to establish L2TP dial-out sessions. If the session fails to be established before the connecting timer expires, subsequent attempts to establish the dial-out session to the same destination are inhibited temporarily.
l2tp dial-out session delete: Use to delete a dial-out session. Closes any L2TP outgoing call associated with the dial-out session. Example:
host1#l2tp dial-out session delete 10.10.0.0
There is no no version of this command. See l2tp dial-out session delete.
l2tp dial-out session reset: Use to force the dial-out session to the dormant state, where it remains until the dormant timer expires or it receives a new trigger.
“Monitoring Chassis-wide Configuration for L2TP Dial-out” on page 448; “Monitoring Status of Dial-out Sessions” on page 453; “Monitoring Dial-out Targets within the Current VR Context” on page 454; “Monitoring Operational Status within the Current VR Context” on page 456. Monitoring L2TP Dial-Out...
Chapter 15 L2TP Disconnect Cause Codes L2TP Disconnect Cause Codes on page 423 L2TP Disconnect Cause Codes Table 79 on page 423 describes the Point-to-Point Protocol (PPP) disconnect cause codes that are displayed by the show l2tp received-disconnect-cause-summary command, sorted by code number. For additional information, see RFC 3145. Table 79: PPP Disconnect Cause Codes Code Name...
Table 79: PPP Disconnect Cause Codes (continued). admin disconnect: The disconnection was a result of direct administrative action, including: the administrator shut down the network or link interface; the administrator logged out the subscriber. renegotiation: Code 2 is not used;...
Table 79: PPP Disconnect Cause Codes (continued). lcp mlppp mrru not valid: The link attempted to join an existing MLPPP bundle whose peer maximum received reconstructed unit (MRRU) did not match the peer MRRU negotiated by the link.
Table 79: PPP Disconnect Cause Codes (continued). ncp no negotiation completed: Code 17 is generated only if an NCP configuration error has prevented NCP negotiation from converging. This occurs when the two peers do not agree on acceptable NCP parameters within the time allowed for upper-layer negotiation.
Chapter 16 Monitoring L2TP and L2TP Dial-Out When you have configured L2TP and L2TP dial-out on your E Series router, you can monitor the active tunnels and sessions. NOTE: All of the commands in this chapter apply to both the LAC and the LNS. L2TP and L2TP dial-out topics are described in the following sections: Monitoring the Mapping for User Domains and Virtual Routers with AAA on page 428...
Monitoring the Mapping for User Domains and Virtual Routers with AAA. Purpose: Display the mapping between user domains and virtual routers. Action: To display the mapping between user domains and virtual routers:
host1#show aaa domain-map
Domain: lac-tunnel;...
Table 80: show aaa domain-map Output Fields (continued). override-username: Single username used for all users from a domain in place of the values received from the remote client. override-password: Single password used for all users from a domain in place of the values received from the remote client. Tunnel Tag...
Related Topics: show aaa domain-map. Monitoring Configured Tunnel Groups with AAA. Purpose: Display the currently configured tunnel groups. Action: To display information about currently configured tunnel groups:
host1#show aaa tunnel-group
Tunnel Group: boston...
Table 81: show aaa tunnel-group Output Fields (continued). strip-domain: Strip domain is enabled. override-username: Single username used for all users from a domain in place of the values received from the remote client. override-password: Single password used for all users from a domain in place of the values received from the remote client...
Related Topics: show aaa tunnel-group. The information displayed is almost identical to the tunnel information displayed using the show aaa domain-map command. See Monitoring the Mapping for User Domains and Virtual Routers with AAA on page 428. Monitoring Configuration of Tunnel Parameters with AAA. Purpose: Display configuration of tunnel parameters used for tunnel definitions.
Table 82: show aaa tunnel-parameters Output Fields (continued). Tunnel calling number format fallback: Fallback format configured for L2TP Calling Number AVP 22 generated by the LAC. Related Topics: show aaa tunnel-parameters. Monitoring Global Configuration Status on E Series Routers. Purpose: Display the global configuration and status for L2TP on E Series routers, including...
Table 83: show l2tp Output Fields. Configuration: Configuration and status for L2TP on E Series routers, including switched sessions. L2TP administrative state: Status of L2TP on the router; enabled or disabled. Dynamic interface destruct timeout: Number of seconds that the router maintains dynamic...
Table 83: show l2tp Output Fields (continued). Failover resync: Global L2TP peer resynchronization configuration. Sub-interfaces: Sub-interface information about L2TP. total: Number of destinations, tunnels, and sessions that the router created. active: Number of operational destinations, tunnels, and sessions...
Data rx 68383456 68383456
Data tx 68383456 68383456
Meaning: Table 84 on page 436 lists the show l2tp destination command output fields. Table 84: show l2tp destination Output Fields. Configuration: Configured status of the destination. Administrative state: Administrative status of the destination:...
Related Topics: show l2tp destination. Monitoring Locked Out Destinations. Purpose: Display information about the L2TP destinations that are currently locked out. Action: To display information about the L2TP destinations that are currently locked out:
host1#show l2tp destination lockout
L2TP destination 36 is waiting for lockout timeout (45 seconds remaining)
If a nondefault L2TP RWS is configured for a particular host profile, to display the RWS setting as an attribute of that host profile:
host1#show l2tp destination profile westford
L2TP destination profile westford
Configuration
Destination address
Transport ipUdp
Virtual router lns...
Table 86: show l2tp destination profile Output Fields. Destination profile attributes: Destination profile attributes of the L2TP destination. Transport: Method used to transfer traffic. Virtual Router: Virtual router in which the destination profile is configured. Peer address: IP address of the LAC. Destination profile maximum...
Related Topics: show l2tp destination profile. Monitoring Configured and Operational Status of all Destinations. Purpose: Display a summary of the configured and operational status of all L2TP destinations. Action: To display a summary of the configured and operational status of all L2TP destinations:
host1#show l2tp destination summary...
Related Topics: show l2tp destination summary. Monitoring Statistics on the Cause of a Session Disconnection. Purpose: Display statistics for all information the LAC receives from an LNS about the cause of an L2TP session disconnection. Action: To display statistics for all information the LAC receives from an LNS about the cause of an L2TP session disconnection.
Related Topics: show l2tp received-disconnect-cause-summary. Monitoring Detailed Configuration Information about Specified Sessions. Purpose: Display detailed configuration information about specified sessions. Action: To display detailed configuration information about specified sessions. To display an L2TP session:
host1#show l2tp session
L2TP session 1/1/1 is Up
1 L2TP session found
To display L2TP session details:...
Table 89: show l2tp session Output Fields (continued). SNMP traps: Whether or not the router sends traps to Simple Network Management Protocol (SNMP) for operational state changes. Session status: Session status of the destination. Effective administrative state: Most restrictive of the following administrative states:...
Table 90: show l2tp session summary Output Fields. Administrative status: Administrative status of the session: enabled (no restrictions on the creation of sessions); disabled (router disabled these sessions). Operational status: Operational status of the session: up (session is available); down (session is unavailable)...
Table 91: show l2tp switch-profile Output Fields (continued). AVP actionType action is: Indicates the tunnel switching behavior or action type (for example, relay) configured for the specified L2TP AVP type. Related Topics: show l2tp switch-profile. Monitoring Detailed Configuration Information about Specified Tunnels...
Transmit ZLB = 12
Transmit queue depth = 0
Retransmissions = 8
Tunnel operational configuration
Peer host name is 'Juniper-POS'
Peer vendor name is 'XYZ, Inc.'
Peer protocol version is 1.1
Peer firmware revision is 0x1120
Peer bearer capabilities are digital and analog
Peer framing capabilities are sync and async
Table 92 on page 446 lists the show l2tp tunnel command output fields.
Table 92: show l2tp tunnel Output Fields (continued). State: Status of the enabled tunnel: idle, connecting, established, disconnecting. Local and peer tunnel id: Names the router used to identify the tunnel locally and remotely. Sub-interfaces: Sub-interface information for the enabled tunnel:...
Related Topics: show l2tp tunnel. Monitoring Configured and Operational Status of All Tunnels. Purpose: Display a summary of the configured and operational status of all L2TP tunnels. Action: To display a summary of the configured and operational status of all L2TP tunnels:
host1#show l2tp tunnel summary
Administrative status...
This command displays aspects of the dial-out state machine and details about the dial-out routes themselves. This section presents sample output. The actual output on your router may differ significantly. Action: To display chassis-wide configuration, operational state, and statistics for L2TP dial-out:
host1#show l2tp dial-out...
Sessions reset: / Triggers received: / Triggers enqueued: / Triggers discarded: / Triggers forwarded: / Triggers max enqueued: / Authentication requests: / No resources for authentication: / Authentication grants: / Authentication Denies: / Dial-outs requested: / Dial-outs rejected: / Dial-outs established: / Dial-outs timed out: / Dial-outs torn down: (counter values omitted from the page summary). To display summary information for chassis-wide configuration:
host1#show l2tp dial-out summary
Virtual routers in init pending state :...
Table 94: show l2tp dial-out Output Fields (continued). Current sessions in the process of connecting: Sessions currently in the connecting state. Maximum sessions connecting at one time: Highest number of sessions recorded on the chassis at the same time since the last router restart. Current sessions pending...
Table 94: show l2tp dial-out Output Fields (continued). Sessions in inhibited state: Sessions on the VR that are in the inhibited state. Sessions in post-inhibited state: Sessions on the VR that are in the postInhibited state. Sessions in failed state: Sessions on the VR that are in the failed state. Dial-out target statistics...
Table 94: show l2tp dial-out Output Fields (continued). Dial-outs rejected: Outgoing call requests that were rejected. Dial-outs established: Successful outgoing calls before the connecting timer expired. Dial-outs timed out: Number of times the connecting timer expired. Dial-outs torn down: Successful outgoing calls that were terminated...
host1#show l2tp dial-out session detail
To display information about the operational or administrative state:
host1#show l2tp dial-out session state connecting
To display dial-out information across all virtual routers:
host1#show l2tp dial-out session allVirtualRouters
NOTE: The level of a user’s permission determines the use of the allVirtualRouters option.
To display detailed information about a particular target, specify the target IP address and mask:
host1:dialout#show l2tp dial-out target 10.1.1.0/24
Target 10.1.1.0/24
Operational status: up
Active sessions: 10
Total triggers: 127
Failed sessions: 2
Connected sessions: 8
To display aggregate counts for targets in each of the possible operational and administrative states:...
Related Topics: For detailed information about operational states, see Dial-Out Operational States on page 413; show l2tp dial-out target. Monitoring Operational Status within the Current VR Context. Purpose: Display dial-out state machine operational status and statistics within the current VR context.
Table 97: show l2tp dial-out virtual-router Output Fields. Virtual router: Name of VR. Virtual router operational status: Operational status of the VR. Maximum trigger buffers per session: Maximum number of trigger packets held in buffer while the dial-out session is being established. For detailed information about operational states, see Dial-Out Operational States...
Part 4 Managing DHCP DHCP Overview on page 461 DHCP Local Server Overview on page 469 Configuring DHCP Local Server on page 477 Configuring DHCP Relay on page 495 Configuring the DHCP External Server Application on page 523 Monitoring and Troubleshooting DHCP on page 539 Managing DHCP...
Chapter 17 DHCP Overview The Dynamic Host Configuration Protocol (DHCP) provides a mechanism through which computers using Transmission Control Protocol/IP (TCP/IP) can obtain protocol configuration parameters automatically from a DHCP server on the network. The following sections provide overview information for the E Series router DHCP support: DHCP Overview Information on page 461 DHCP Platform Considerations on page 462...
Session and Resource Control Software: The Session and Resource Control (SRC) software, formerly the Service Deployment System (SDX) software, is a component of Juniper Networks management products. The SRC software provides a Web-based interface that allows subscribers to access services, such as the Internet, an intranet, or an extranet.
Configuring DHCP Proxy Clients: DHCP proxy client support enables the router to obtain an IP address from a DHCP server for a remote PPP client. Each virtual router (acting as a DHCP proxy client) can query up to five DHCP servers.
Direct the router to request IP addresses for remote users from the DHCP server(s).
host1(config)#ip address-pool dhcp
Related Topics: ip address-pool; ip dhcp-server. Logging DHCP Packet Information: The JUNOSe software enables you to collect and log DHCP packet information for all JUNOSe DHCP access models on a per-interface basis.
Related Topics: ip dhcp-capture. Viewing and Deleting DHCP Client Bindings: The JUNOSe software provides commands that enable you to manage your router’s DHCP external server, DHCP local server, and DHCP relay proxy client bindings. A client binding associates an IP address with a DHCP client, and describes both the client (for example, hardware address and state) and the IP address (for example, subnet and lease time).
all-relay-proxy: All DHCP relay proxy client bindings. binding-id: DHCP binding ID for a specific client. circuit-id: Agent-circuit-id suboption (suboption 1) string of the DHCP relay agent information option (option 82); the circuit ID string supports matching of both regular expression metacharacters and nonprintable ASCII characters in binary sequences. external: DHCP external server bindings that meet the deletion criteria...
To delete DHCP client bindings without a lower-layer interface:
host1:vr1#dhcp delete-binding no-interface
To delete DHCP client bindings with the specified interface string:
host1:vr2#dhcp delete-binding interface ip71.*4
This dhcp delete-binding command uses the * (asterisk) regular expression metacharacter in the interface string to delete DHCP client bindings on virtual router vr2 with an IP address beginning with 71 and ending with 4.
For information about configuring the DHCPv6 local server, see “Configuring the DHCPv6 Local Server” on page 489. In equal-access mode, the DHCP local server works with the Juniper Networks SRC software to provide an advanced subscriber configuration and management service.
Wireless LANs (PWLANs). In PWLANs, a user scans for available broadband networks, then is redirected to a web-based authentication mechanism to request service. DHCP provides address assignment information for users. Authentication, authorization, and accounting are separate processes, and are up to the Internet service provider (ISP) to define.
Chapter 18: DHCP Local Server Overview Table 98: Local Pool Selection in Equal-Access Mode Field How the DHCP Local Server Uses the Field Framed IP address The client’s entry can be configured with a framed IP address, which the DHCP local server can get from the SRC software (formerly the SDX software).
NOTE: If a DHCP client attempts to renew its address and the DHCP server receives the request on a different interface than the interface that the client originally used, the DHCP server sends a NAK message to the client, forcing the client to begin the DHCP connection process again.
Table 99: Local Pool Selection in Standalone Mode Without AAA Authentication. Giaddr: A giaddr, which indicates a client’s subnetwork, can be presented to the DHCP local server in the client DHCP REQUEST message.
Table 100: Local Pool Selection in Standalone Mode with AAA Authentication (continued). Giaddr: A DHCP local pool is configured with a network address. A gateway IP address (giaddr), which indicates a client’s subnetwork, can be presented to the DHCP local server in the client’s DHCP request message.
For information about defining IP addresses, see the Configuring IP chapter in JUNOSe IP, IPv6, and IGP Configuration Guide. DHCP Local Server Configuration Tasks: This section covers the configuration tasks for equal-access and standalone modes. Perform the appropriate procedure: For both equal-access and standalone modes, configure the DHCP local server.
Chapter 19 Configuring DHCP Local Server This chapter provides information for configuring the DHCP local server on the E Series Broadband Services Routers. This chapter contains the following sections: Configuring the DHCP Local Server on page 477 Configuring DHCP Local Address Pools on page 484 Configuring AAA Authentication for DHCP Local Server Standalone Mode on page 487 Configuring the DHCPv6 Local Server on page 489...
If you do not specify a mode, equal-access mode is activated, by default. When you activate equal-access mode, common open policy service usage for policy provisioning (COPS-PR) and SRC client are automatically started on the virtual router. To configure the DHCP local server: Enable the DHCP local server for either equal-access or standalone mode.
Limiting the Number of IP Addresses Supplied by DHCP Local Server: You can specify the maximum number of IP addresses that the DHCP local server can supply to each VPI/VCI, VLAN, Ethernet subnetwork, or POS access interface type, or to a particular interface or subinterface.
Configuring DHCP Local Server to Support Creation of Dynamic Subscriber Interfaces: You can use the ip dhcp-local auto-configure agent-circuit-identifier command to configure the DHCP local server to support the creation of dynamic subscriber interfaces built over dynamic VLANs that are based on the agent-circuit-id option (suboption 1) of the option 82 field in DHCP messages.
client. The determination is based on whether the DHCP clients exist on the same or on different subnets and subinterfaces. Location of DHCP Clients with Identical IDs or Addresses / How DHCP Local Server Differentiates Clients: On different subinterfaces in the ... / By unique subinterface...
Clearing an IP DHCP Local Server Binding. NOTE: This command is deprecated and might be removed completely in a future release. The function provided by this command has been replaced by the dhcp delete-binding command. You can use the clear ip dhcp-local binding command to force the removal of a connected user's IP address lease and associated route configuration.
Using DHCP Local Server Event Logs: To troubleshoot and monitor your DHCP local server, use the following system event logs: dhcpLocalClients (DHCP local server client events and duplicate MAC address detection); dhcpLocalGeneral (DHCP local server infrastructure-related events and number of client threshold events). NOTE: The dhcpLocalGeneral category replaces the dhcpLocalServerGeneral category.
Related Topics: logout subscribers command; service dhcp-local; ipv6 local pool. Configuring DHCP Local Address Pools: Tasks to configure DHCP local address pools include: Basic Configuration of DHCP Local Address Pools on page 484; Linking Local Address Pools on page 486; Setting Grace Periods for Address Leases on page 486. Basic Configuration of DHCP Local Address Pools: To configure the DHCP local address pool:...
Specify the number of days, and optionally, the number of hours, minutes, and seconds. Use the keyword infinite to specify a lease that does not expire. The default lease time is 30 minutes. (Optional) Link the DHCP local address pool being configured to another local address pool.
host1(config-dhcp-local)#snmpTrap
host1(config-dhcp-local)#warning 50 40
(Optional) Configure a grace period for address leases allocated from the current DHCP local address pool. Specify the number of days and, optionally, the number of hours, minutes, and seconds in the grace period.
host1(config-dhcp-local)#grace-period 0 12
This command applies only to address leases that expire.
NOTE: Configuring a new grace period that is shorter than the address pool's current grace period immediately terminates any existing address leases that are in the grace period state and that have already exceeded the length of the new grace period. An address continues to be counted against the address pool resources while in a grace period.
NOTE: The nondomain portion of a constructed username must contain at least one character. Otherwise, the DHCP local server rejects the DHCP client without performing the AAA authentication request. When using authentication, AAA accepts the DHCP client as a subscriber; this enables you to use show commands to monitor configuration information and statistics about the client.
circuit-identifier: Specifies the circuit identifier of the interface on which the DHCP client’s request was received. circuit-type: Specifies the circuit type of the interface on which the DHCP client’s request was received. mac-address: Specifies the DHCP client’s MAC address. option82: Specifies the DHCP client’s option 82 value.
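The following is an added example, not JUNOSe code, covering two points from this part of the guide: giaddr-based local pool selection (Tables 99 and 100, where the giaddr in a relayed request identifies the client's subnetwork and is matched against the network address configured on each pool) and the username the local server constructs from the mac-address, circuit-identifier and option82 fields listed above, including the rule that an empty nondomain portion rejects the client before any AAA request. It parses a constructed, relayed DHCPREQUEST (RFC 2131 header, RFC 3046 option 82) with length checks on every option. The pool table, the order in which fields are joined, the "." delimiter and the "@" before the domain are assumptions; circuit-type is not modelled because it depends on the receiving interface.

```python
"""giaddr pool selection and option 82 username construction. Added example, not JUNOSe code."""
import ipaddress
import struct
from typing import Dict, List, Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MESSAGE_TYPE = 53
OPT_RELAY_AGENT_INFO = 82
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2


def parse_tlvs(data: bytes, pad_end: bool) -> Dict[int, bytes]:
    """Length-checked TLV walk. DHCP options use pad (0) and end (255); option 82 suboptions do not."""
    out: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        code = data[i]
        if pad_end and code == 0:
            i += 1
            continue
        if pad_end and code == 255:
            break
        if i + 1 >= len(data):
            raise ValueError(f"truncated header for code {code}")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"code {code} runs past the end of the packet")
        out[code] = out.get(code, b"") + value  # repeated options concatenate (RFC 3396)
        i += 2 + length
    return out


def parse_dhcp(pkt: bytes) -> Dict[str, object]:
    """Return the fields a relay or local server needs: giaddr, client MAC, message type, option 82."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    op, htype, hlen, hops = struct.unpack_from("!BBBB", pkt, 0)
    if hlen > 16:
        raise ValueError("hlen exceeds the 16-byte chaddr field")
    opts = parse_tlvs(pkt[240:], pad_end=True)
    raw82 = opts.get(OPT_RELAY_AGENT_INFO, b"")
    return {
        "op": op, "hops": hops,
        "giaddr": ipaddress.IPv4Address(pkt[24:28]),
        "mac": pkt[28:28 + hlen].hex(":"),
        "msg_type": opts.get(OPT_MESSAGE_TYPE, b"")[:1],
        "option82_raw": raw82,
        "option82": parse_tlvs(raw82, pad_end=False) if raw82 else {},
    }


def is_well_formed(pkt: bytes) -> bool:
    try:
        parse_dhcp(pkt)
        return True
    except ValueError:
        return False


def select_pool(pools: Dict[str, ipaddress.IPv4Network],
                giaddr: ipaddress.IPv4Address) -> Optional[str]:
    """giaddr names the client's subnet; 0.0.0.0 means the request was not relayed."""
    if giaddr == ipaddress.IPv4Address("0.0.0.0"):
        return None
    for name, network in pools.items():
        if giaddr in network:
            return name
    return None


def build_username(client: Dict[str, object], include: List[str],
                   domain: Optional[str] = None, delimiter: str = ".") -> Optional[str]:
    """Join the requested fields (assumed order and delimiter); None if the nondomain part is empty."""
    parts = []
    for field in include:
        if field == "mac-address":
            parts.append(client["mac"])
        elif field == "circuit-identifier":
            parts.append(client["option82"].get(SUBOPT_CIRCUIT_ID, b"").decode("latin-1"))
        elif field == "option82":
            parts.append(client["option82_raw"].hex())
        else:
            raise ValueError(f"unsupported username field {field!r}")
    user = delimiter.join(p for p in parts if p)
    if not user:
        return None  # the local server rejects the client without an AAA request
    return f"{user}@{domain}" if domain else user


def build_request(mac: str, giaddr: str, circuit_id: bytes, remote_id: bytes) -> bytes:
    """Construct a relayed DHCPREQUEST for testing (sample data, not a capture)."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 1, 0x3903F326, 0, 0)          # op, htype, hlen, hops, xid, secs, flags
    hdr += bytes(12) + ipaddress.IPv4Address(giaddr).packed               # ciaddr, yiaddr, siaddr, giaddr
    hdr += bytes.fromhex(mac.replace(":", "")) + bytes(10) + bytes(192)   # chaddr, sname, file
    sub = bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
    sub += bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id
    opts = bytes([OPT_MESSAGE_TYPE, 1, 3]) + bytes([OPT_RELAY_AGENT_INFO, len(sub)]) + sub + b"\xff"
    return hdr + MAGIC_COOKIE + opts


if __name__ == "__main__":
    pools = {"boston": ipaddress.ip_network("10.10.1.0/24"), "newyork": ipaddress.ip_network("10.10.2.0/24")}
    client = parse_dhcp(build_request("00:11:22:33:44:55", "10.10.2.1", b"dslam1 atm 1/0/3", b"ap-7"))
    print(select_pool(pools, client["giaddr"]))
    print(build_username(client, ["mac-address", "circuit-identifier"], "boston.isp"))
```

The circuit-id is opaque relay-agent data and is decoded byte-for-byte (latin-1) rather than as text, which matches the guide's note that circuit ID strings can carry nonprintable bytes; anything that lands in a RADIUS User-Name this way should be treated as untrusted input on the AAA side.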
NOTE: You must add a vendor-specific attribute to RADIUS to enable E Series routers to retrieve IPv6 Domain Name System (DNS) addresses. Use the following steps to configure the DHCPv6 local server: Enable the DHCPv6 local server.
host1(config)#service dhcpv6-local
Specify the IPv6 prefix and lifetime that are to be delegated to the DHCPv6 client.
Related Topics: ipv6 dhcpv6-local delegated-prefix; ipv6 dhcpv6-local dns-domain-search; ipv6 dhcpv6-local dns-server; ipv6 dhcpv6-local prefix-lifetime. Deleting DHCPv6 Client Bindings: The JUNOSe Software enables you to manage your router’s DHCPv6 local server client bindings. The client binding associates an IPv6 prefix with a unique DHCP ID (DUID) of the subscriber client.
host1:vr2#dhcpv6 delete-binding server4pool
The router does not notify the DHCPv6 client when you use the dhcpv6 delete-binding command. To verify that the DHCPv6 client bindings have been deleted, use the show ipv6 dhcpv6-local binding command. Related Topics: dhcpv6 delete-binding; show ipv6 dhcpv6-local binding...
Figure 12: Non-PPP Equal-Access Configuration Example. The following steps describe how to configure this scenario. Configure interfaces on the router.
host1(config)#interface loopback 0
host1(config-if)#ip address 10.10.1.1 255.255.255.255
host1(config-if)#ip address 10.10.2.1 255.255.255.255 secondary
host1(config-if)#exit
host1(config)#interface fastEthernet 2/0
host1(config-if)#ip unnumbered loopback 0
Configure the parameters to enable the router to forward authentication requests to the RADIUS server.
host1(config)#aaa authentication ppp default none
Enable the DHCP local server.
host1(config)#service dhcp-local
Specify the IP addresses that are in use, so that the DHCP local server cannot assign these addresses.
host1(config)#ip dhcp-local excluded-address 10.10.1.1
host1(config)#ip dhcp-local excluded-address 10.10.1.2
Configure the DHCP local server to provide IP addresses to subscribers of ISP Boston.
Chapter 20 Configuring DHCP Relay
The Dynamic Host Configuration Protocol (DHCP) provides a mechanism through which computers using Transmission Control Protocol/IP (TCP/IP) can obtain protocol configuration parameters automatically from a DHCP server on the network. The following sections describe how to configure your E Series router to provide DHCP support:
Configuring DHCP Relay and BOOTP Relay on page 495
Configuring DHCP Relay Proxy on page 518...
Enabling DHCP Relay
You use the set dhcp relay command to create and enable DHCP relay in the current virtual router. Include the IP address variable to enable DHCP relay and BOOTP relay and to specify an IP address for the DHCP server.
Chapter 20: Configuring DHCP Relay NOTE: When this feature is configured, the client bypasses the DHCP relay component and communicates directly with the DHCP server to request address renewal or to release the address. The DHCP relay component has no role in determining when or whether to remove the installed host route.
detect spoofed giaddrs. Also, DHCP relay does not detect spoofed relay agent option values. Spoofed giaddrs are a concern when the DHCP relay is used if the giaddr value in received DHCP packets is different from the local IP address on which the DHCP relay is accessed.
To display whether support for broadcast flag replies is currently on or off on the router, use the show dhcp relay command. For information, see "Monitoring and Troubleshooting DHCP" on page 539. To troubleshoot applications that use this feature, you can use the dhcpCapture system event log category.
Table 101: Router Configuration and Transmission of DHCP Reply Packets (continued)
Broadcast Flag Replies | Layer 2 Unicast Replies | Router Behavior if Broadcast Flag Set | Router Behavior if Broadcast Flag Not Set
Disabled (off) | Disabled (off) | DHCP relay and DHCP relay proxy broadcast... | DHCP relay and DHCP relay...
commands similar to the following to create demultiplexer table entries and a subnet route that points to the static subscriber interface. In the example, the host routes are associated with the primary IP interface on Gigabit Ethernet 1/0.
option (option 82). You can use the radius remote-circuit-id-format command to configure the following nondefault formats for the PPPoE remote circuit ID value:
Include either or both of the agent-circuit-id (suboption 1) and agent-remote-id (suboption 2) suboptions of the DHCP relay agent information option, with or without the NAS-Identifier [32] RADIUS attribute.
To display whether the layer 2 unicast method is currently on or off on the router, use the show dhcp relay command. For information, see "Monitoring and Troubleshooting DHCP" on page 539. The dhcpRelayGeneral logging event category uses the debug severity level to log DHCP reply packets that are transmitted to clients using a layer 2 unicast address and a layer 3 broadcast address.
match any strings you have configured; for example, you might specify that all clients with non-matching strings be dropped. You use the set dhcp vendor-option command to configure vendor-option (option 60) strings to control DHCP client traffic. Create DHCP vendor-option servers by configuring DHCP relay to match DHCP option 60 strings and to specify what action to use for the traffic.
- the configured vendor-string is an exact match
default - all DHCP client packets not matching a configured vendor-string
implied - the DHCP application is configured but has not been enabled with the vendor-option command
drop - the DHCP application responsible for the action has not been configured yet; therefore all packets for this application...
Ethernet interfaces. Use this keyword to remove the subinterface ID from the Interface-Id field. The hostname and vrname keywords are a toggle; that is, specifying either hostname or virtual router name turns off the other selection.
To configure the relay agent option 82 information:
host1(config)#set dhcp relay options hostname
Preventing Option 82 Information from Being Stripped from Trusted Client Packets...
Layer 2 Circuit ID (type 1)  The hexadecimal representation of the layer 2 identifier in the Agent Circuit ID (suboption 1) value (for example, the ATM VPI/VCI or Ethernet SVLAN/VLAN ID). You can configure this suboption type without the Agent Circuit ID.
Table 102: Effect of Commands on Option 82 Suboption Settings
Command | Agent Circuit ID | Agent Remote ID | Vendor-Specific
set dhcp relay agent sub-option circuit-id | Enable | No change | No change
set dhcp relay agent sub-option remote-id | No change | Enable | No change...
length field specifies the total length of all TLV tuples. The JUNOSe software enterprise number is 4874 (0x130a). The format of the Layer 2 Circuit ID type field (type 1) is hexadecimal. The data field length of a normal non-stacked VLAN is 2 bytes, with the VLAN ID occupying the 12 low-order bits of the value;...
L2 Circuit ID type: 1
JUNOSe data len: 9 bytes
JUNOSe IANA: 13 0a
subopt 9 len: 14 bytes
subopt code: 9
Using the set dhcp relay agent sub-option Command to Enable Option 82 Suboption Support
NOTE: We recommend that you use the set dhcp relay agent sub-option command for new option 82 suboption configurations.
suboption contains a string with the username and domain name in the format: username@domainname. The Vendor-Specific suboption contains a value that includes a JUNOSe data field. You can configure the data field to support one or both of the following values:
layer2-circuit-id (type 1)  The hexadecimal representation of the layer 2 identifier in the Agent Circuit ID (suboption 1) value (for example, the ATM VPI/VCI or Ethernet SVLAN/VLAN ID).
Figure 13: Passing 802.1p Values to the DHCP Server
DHCP client: sends DHCP packet with assigned 802.1p (user priority).
DHCP relay: ingress VLAN policy maps 802.1p to UPC; relay agent copies UPC into the option 82 vendor-specific suboption.
DHCP server: uses UPC in option 82 to determine the IP address...
host1(config)# run show policy-list dot1pToUpc
Policy Table
------ -----
VLAN Policy dot1pToUpc
Administrative state: enable
Reference count:
Classifier control list: dot1p0, precedence 100
user-packet-class 0
Classifier control list: dot1p1, precedence 100
user-packet-class 1
Classifier control list: dot1p2, precedence 100
user-packet-class 2
Classifier control list: dot1p3, precedence 100
user-packet-class 3...
Restore Client Timeout: 72
Inhibit Access Route Creation: off
Assign Giaddr to Source IP: off
Layer 2 Unicast Replies: off
Giaddr Selects Interface: off
Relay Agent Information Option (82):
Override Giaddr: off
Override Option: on
Trust All Clients: on
Preserve Option From Trusted Clients: off
Circuit-ID Sub-option (1): on...
lag bundleA.1:2
relayVr:lag bundleA:2
bostonHost:lag bundleA.1:2
LAG interface with Stacked VLAN
[<hostname>|<vrname>:]<interface type> <bundle name>[.<sub-if>]:<svlan id>-<vlan id>
Examples:
lag bundleA.1:2-3
relayVr:lag bundleA:2-3
bostonHost:lag bundleA.1:2-3
The remote-id-only keyword specifies the Agent Remote ID suboption, which contains a value only when (1) the interface is a dynamic ATM interface and (2) the subscriber command is used to configure a username and domain name for the interface.
NOTE: The E Series router configured as a DHCP relay proxy must be the first hop from the DHCP client. If it is not the first hop, the router defaults to the DHCP relay configuration.
Enabling DHCP Relay Proxy
Enable DHCP relay proxy and specify an IP address for the DHCP server.
Removing routes when DHCP clients release their DHCP-assigned addresses or when the addresses expire
When a DHCP client sends a request to an external DHCP server, the relay proxy receives the request and forwards it to the external DHCP server. The relay proxy then sends the DHCP server's response back to the client.
client regardless of the current configuration of the set dhcp relay layer2-unicast-replies command or the set dhcp relay broadcast-flag-replies command. These commands control the transmission method used for DHCP reply packets. This behavior applies only to DHCP relay proxy; it does not apply to DHCP relay because DHCP relay does not maintain a list of active clients or receive address renewal requests from clients.
Chapter 21 Configuring the DHCP External Server Application
The following sections describe how to configure the DHCP external server application on the E Series router:
DHCP External Server Overview on page 523
Preservation of Dynamic Subscriber Interfaces with DHCP External Server Overview on page 525
DHCP External Server Identification of Clients with Duplicate MAC Addresses Overview on page 526...
The services provided by integrating the E Series router's DHCP external server application with SRC software are similar to those provided when the DHCP local server is integrated with SRC software. The router's DHCP external application is used together with other features of the router to provide subscriber management.
Chapter 21: Configuring the DHCP External Server Application
If the SRC software is configured, the router also performs the following actions:
Alerts the SRC software that the dynamic subscriber interface exists
Alerts the SRC software that the subscriber's address exists and provides DHCP options
The SRC software then provides its enhanced services to the subscriber.
ip dhcp-external recreate-subscriber-interface command from Global Configuration mode. When a bound DHCP client restarts the discovery process on a different primary IP interface than the interface on which it initiated the original discovery process, the DHCP external server application always deletes and re-creates the existing dynamic subscriber interfaces for that client.
By default, DHCP external server uses only the MAC address to uniquely identify DHCP clients. The default setting for DHCP external server is also referred to as unique MAC mode. To enable duplicate MAC mode for the DHCP external server application, you must issue the dhcp-external duplicate-mac-address command from Global Configuration mode.
mode, if DHCP external server is configured for duplicate MAC mode and is currently managing any DHCP clients. Do not enable duplicate MAC mode for the DHCP external server application when it is configured in the same VR with either of the following:
An instance of the DHCP relay application that is currently managing host routes
Any instance of the DHCP relay proxy application...
Related Topics
service dhcp-external
Monitoring DHCP Traffic Between Remote Clients and DHCP Servers
You can configure the router to monitor DHCP packets between remote clients and specified DHCP servers. You can specify up to four DHCP servers.
To monitor DHCP packets between remote clients and a DHCP server:
Issue the ip dhcp-external server-address command and specify the IP address of the DHCP server:...
The dropped traffic situation can occur because of the way some DSLAMs create the giaddr that is sent to the DHCP external server application. Some Ethernet DSLAMs use a DHCP relay implementation that inserts giaddr values and relay agent options in DHCP packets that are received from end users.
Issue the ip dhcp-external auto-configure command with the agent-circuit-identifier keyword from Global Configuration mode:
host1(config)#ip dhcp-external auto-configure agent-circuit-identifier
The use of the option 82 field enables you to stack an IP interface that is associated with a particular subscriber over a dynamically created VLAN;...
Related Topics
ip dhcp-external auto-configure
Configuring DHCP External Server to Control Preservation of Dynamic Subscriber Interfaces
You can configure the DHCP external server application to delete and re-create the dynamic subscriber interface after a bound client restarts the discovery process on its primary IP interface.
Related Topics
Preservation of Dynamic Subscriber Interfaces with DHCP External Server Overview on page 525
ip dhcp-external recreate-subscriber-interface
Configuring Dynamic Subscriber Interfaces for Interoperation with DHCP Relay and DHCP Relay Proxy
When you configure the DHCP relay application or the DHCP relay proxy application in the same virtual router (VR) as the DHCP external server application, we recommend that you define interface profiles to create the dynamic subscriber interfaces when the primary IP interface is static.
Use the exclude-primary keyword in the ip auto-configure ip-subscriber command to specify that the primary interface cannot be assigned to a subscriber. If you have issued the ip dhcp-external server-sync command to resynchronize the DHCP external server application with the router and to support creation of subscriber state information based on lease renewals, you must do either of the following to ensure that the unicast acknowledgment (ACK) response to the renewal request has a route back to the DHCP client that generated the renewal...
To delete all clients:
host1#dhcp-external delete-binding all
To delete a specific client:
host1#dhcp-external delete-binding binding-id 3972819365
Related Topics
dhcp delete-binding
dhcp-external delete-binding
Deleting Clients from a Virtual Router's DHCP Binding Table...
Configuring DHCP External Server to Uniquely Identify Clients with Duplicate MAC Addresses
You can configure the DHCP external server application to use a combination of the MAC address and giaddr to uniquely identify DHCP clients attached to the router. This behavior is also referred to as duplicate MAC mode.
Configuring DHCP External Server to Re-Authenticate Auto-Detected Dynamic Subscriber Interfaces
You can use the ip re-authenticate-auto-detect ip-subscriber command to re-authenticate the auto-detected subscribers or Dynamic Subscriber Interfaces (DSIs) created on static and dynamic primary IP interfaces, using the DHCP options when the DHCP external application manages the DSIs following a cold boot.
Chapter 22 Monitoring and Troubleshooting DHCP
This chapter describes the commands you can use to monitor and troubleshoot DHCP support on E Series routers.
Setting Baselines for DHCP Statistics on page 540
Monitoring Addresses Excluded from DHCP Local Server Use on page 541
Monitoring DHCP Bindings on page 542
Monitoring DHCP Binding Information on page 543
Monitoring DHCP Binding Count Information on page 546...
Monitoring DHCPv6 Local Server DNS Servers on page 575
Monitoring DHCPv6 Local Server Prefix Lifetime on page 575
Monitoring DHCPv6 Local Server Statistics on page 576
Monitoring Duplicate MAC Addresses Use By DHCP Local Server Clients on page 577
Monitoring the Maximum Number of Available Leases on page 578
Monitoring Static IP Address and MAC Address Pairs Supplied by DHCP Local...
Chapter 22: Monitoring and Troubleshooting DHCP
Setting a Baseline for DHCP External Server Statistics
To set a baseline for DHCP external server statistics:
Issue the baseline ip dhcp-external command:
host1#baseline ip dhcp-external
There is no no version of this command.
Setting a Baseline for DHCP Local Server Statistics
To set a baseline for DHCP local server statistics:
Issue the baseline ip dhcp-local command:
host1#baseline ip dhcp-local...
home.com 10.10.3.1
cable4 10.10.4.1
cable5 10.10.5.1
Meaning
Table 103 on page 542 lists the show ip dhcp-local excluded command output fields.
Table 103: show ip dhcp-local excluded Output Fields
Field Name | Field Description
Pool | Name of the pool that contains the excluded address
Low Address | Excluded address or first address in a range of addresses...
Monitoring DHCP Binding Information
Purpose
Display information for specified DHCP client bindings, with results arranged in ascending order by binding ID.
NOTE: The show dhcp binding command replaces the show ip dhcp-external binding, show ip dhcp-external binding-id, and show ip dhcp-local binding commands, which are deprecated and might be removed completely in a future release.
To display binding information for DHCP clients with a specified interface string:
host1:vr2#show dhcp binding interface ip71.*4
BindingId HwAddress Type IpSubnet IpAddress State
---------- -------------- -------- -------- --------- -----
3053453315 7000.0002.9365 external 0.0.0.0 71.1.0.4 bound
3053453325 7000.000c.9365...
host1:vr1#show dhcp binding relay proxy no-interface
To display binding information for DHCP clients that match the specified remote ID string:
host1:vr1#show dhcp binding remote-id "remote id.*even"
Filtering the display of DHCP client bindings by the circuit ID string or remote ID string is not supported for the DHCP external server application.
Table 104: show dhcp binding Output Fields (continued)
Field Name | Field Description
Agent Remote Id | Suboption 2 of the DHCP relay agent information option
Vendor Specific | Suboption 9 of the DHCP relay agent information option
Related Topics
show dhcp binding
To compare the output of the show dhcp binding command and the show dhcp...
command displays information for the DHCP client bindings on virtual router vr3 with the specified circuit ID string, with results arranged in ascending order by binding
To display count information for DHCP local server client bindings and interfaces with a specified subnet address:
host1:vr1#show dhcp count local 0.0.0.0
To display count information for DHCP client bindings and interfaces with a specified...
Related Topics
show dhcp count
Monitoring DHCP Binding Host Information
Purpose
Display information for specified DHCP client bindings, with results arranged in ascending order by IP address. The show dhcp host command displays information only for DHCP client bindings with assigned IP addresses.
Table 106: show dhcp host Output Fields (continued)
Field Name | Field Description
IpSubnet | For DHCP local server bindings, the subnet of the IP address assigned to the client; 0.0.0.0 for DHCP external server and DHCP relay proxy bindings
IpAddress | IP address assigned to client...
Meaning
Table 108 on page 552 lists the show ip dhcp-external binding-id command output fields.
Table 108: show ip dhcp-external binding-id Output Fields
Field Name | Field Description
Binding Id | DHCP client binding ID option value associated with the user
Hardware | MAC address of the subscriber's computer
Giaddr | ...
Meaning
Table 109 on page 553 lists the show ip dhcp-local binding command output fields.
Table 109: show ip dhcp-local binding Output Fields
Field Name | Field Description
Address | IP address
Hardware | MAC address of subscriber's computer
Lease | Infinite, or the number of seconds in which the IP address is available;...
Table 110: show ip dhcp-external configuration Output Fields (continued)
Field Name | Field Description
Auto-Configure | Enabled or disabled
Server-Sync | Enabled or disabled
Disregard-Giaddr-Next-hop | Enabled or disabled
Detect-Agent-Circuit-Id | Enabled or disabled
Recreate-Subscriber-Interface | Enabled or disabled
Duplicate-MAC-Address | Enabled or disabled
Servers | DHCP servers whose traffic is monitored by the E Series router...
Table 111: show ip dhcp-external statistics Output Fields (continued)
Field Name | Field Description
bindings | Number of IP addresses currently assigned
request | Number of DHCP request packets
ack (request) | Number of DHCP acknowledgment packets in response to DHCP requests
renew | Number of DHCP renew packets...
Related Topics
show dhcp-external
Monitoring DHCP Local Address Pools
Purpose
Display the DHCP local pool configurations.
Action
To display information about the local address pool:
host1#show ip dhcp-local pool
*****************************************
Pool Name - ispBoston
Pool Id - 6
Domain Name - ispBoston
Network - 10.10.0.0...
Table 113: show ip dhcp-local pool Output Fields
Field Name | Field Description
Pool Name | Name of the DHCP local pool
Pool Id | ID of the pool
Domain Name | Domain name assigned to the pool
Network | Addresses that the DHCP local server can provide from the pool
Mask | ...
Table 113: show ip dhcp-local pool Output Fields (continued)
Field Name | Field Description
Total Addresses In Use | Number of addresses currently being used
Trap Enabled | Status of utilization trap, yes or no
Pools | Names of pools in the group
Related Topics
show ip dhcp-local pool
Monitoring DHCP Local Server Authentication Information...
Table 114: show ip dhcp-local auth Output Fields (continued)
Field Name | Field Description
Password | Password used to authenticate client
Virtual Router | Client's virtual router; excluded or included
Circuit Type | Client's circuit type; excluded or included
Circuit ID | Client's circuit ID;...
Table 115: show ip dhcp-local Output Fields (continued)
Field Name | Field Description
Unique Client IDs | Status of duplicate client ID and duplicate hardware address detection, enabled or disabled
Related Topics
show ip dhcp-local
Monitoring DHCP Local Server Leases
Display lease information for a specific IP address or for all DHCP local server leases.
Meaning
Table 116 on page 561 lists the show ip dhcp-local leases command output fields.
Table 116: show ip dhcp-local leases Output Fields
Field Name | Field Description
Address | IP address
Hardware | MAC address of the subscriber's computer
Lease | Infinite, or the number of seconds in which the IP address is available;...
unknown client packet
--Transmit Statistics--
offer
ack(accept)
ack(renew)
ack(rebind)
nak(renew)
nak(rebind)
total out packet
out error
out discard
To display DHCP local server statistics for a specific interface:
host1#show ip dhcp-local statistics interface atm 4/0.32
DHCP Local Server SubInterface Statistics
Interface Item...
Table 117: show ip dhcp-local statistics Output Fields (continued)
Field Name | Field Description
request(accept) | Number of DHCP requests accepted
request(renew) | Number of DHCP requests for renewal received
request(rebind) | Number of DHCP requests for rebinding received
request(other) | Number of DHCP unknown requests received
decline | ...
Related Topics
show ip dhcp-local statistics
Monitoring DHCP Option 60 Information
Purpose
Display configuration and action information for the DHCP vendor-option (option 60) feature. Use the command without additional keywords to display information for all vendor option configurations.
Table 118: show dhcp vendor-option Output Fields
Field Name | Field Description
Vendor-option | Option 60 string; an asterisk (*) indicates that the string exactly matches a configured option 60 string, default indicates the action to take when the string does not match a configured option 60 string
Action | Action to take for the indicated string match;...
Related Topics
show ip dhcp-capture
Monitoring DHCP Relay Configuration Information
Purpose
Display DHCP relay configuration information and the IP addresses of the configured DHCP servers.
Action
To display information about the DHCP relay configuration and the IP address of the DHCP servers:
Table 120: show dhcp relay Output Fields (continued)
Field Name | Field Description
Layer 2 Unicast Replies | On or off
Giaddr Selects Interface | On or off
Broadcast Flag Replies | On or off
Override Giaddr | On or off
Override Option | On or off
Trust All Clients | ...
Related Topics
show dhcp relay proxy statistics
Monitoring DHCP Relay Statistics
Purpose
Display DHCP packet error and relay agent option statistics that are reported for both DHCP relay and DHCP relay proxy, and also DHCP server statistics related only to DHCP relay.
Dropped unknown xids replies
Dropped stale requests
Meaning
Table 122 on page 570 lists the show dhcp relay statistics command output fields.
Table 122: show dhcp relay statistics Output Fields
Field Name | Field Description
Packet error statistics (standard &...
Table 122: show dhcp relay statistics Output Fields (continued)
Field Name | Field Description
dropped giaddr spoof packets | Number of received DHCP relay requests that were discarded because the gateway IP address field already contained this relay agent's IP address
DHCP server statistics (standard mode only)
dropped duplicate request packets | ...
Naks received
addresses declined
addresses released
Informs sent
unknown messages
bad messages
Meaning
Table 123 on page 572 lists the show dhcp server statistics command output fields.
Table 123: show dhcp server statistics Output Fields
Field Name | Field Description
DHCP Server Address | ...
E E 10.6.128.10
E E 10.6.128.11
Meaning
Table 124 on page 573 lists the show dhcp server command output fields.
Table 124: show dhcp server Output Fields
Field Name | Field Description
Read-only value that displays the operational status of the server
Read/write value that displays the administrative status of the server; Enabled;...
Meaning
Table 125 on page 574 lists the show ipv6 dhcpv6-local binding command output fields.
Table 125: show ipv6 dhcpv6-local binding Output Fields
Field Name | Field Description
Prefix | IPv6 address
Client DUID | DHCP unique ID of subscriber's computer
Lease | Time for which the IPv6 address is available in seconds, or infinite
Intf | ...
Related Topics
show ipv6 dhcpv6-local dns-domain-searchlist
Monitoring DHCPv6 Local Server DNS Servers
Purpose
Display a list of DNS servers configured on the DHCPv6 local server.
Action
To display the list of DNS servers:
host1#show ipv6 dhcpv6-local dns-servers
DNS server 1: 2001:db8:18::
DNS server 2: 2001:db8:19::
DNS server 3: 2001:db8:20::...
Related Topics
show ipv6 dhcpv6-local prefix-lifetime
Monitoring DHCPv6 Local Server Statistics
Purpose
Display statistics for the DHCPv6 local server.
Action
To display DHCPv6 local server statistics:
host1#show ipv6 dhcpv6-local statistics
DHCPv6 Local Server Statistics
---------------------------
Item Count...
Table 129: show ipv6 dhcpv6-local statistics Output Fields (continued)
Field Name | Field Description
rebind rx | Number of DHCPv6 rebind messages received
reconfigure tx | Number of DHCPv6 reconfigure messages transmitted
advertise tx | Number of DHCPv6 advertise messages transmitted
successful reply tx | Number of reply messages transmitted with success reply code
failed reply tx | ...
Related Topics
show ip dhcp-local duplicate-clients
Monitoring the Maximum Number of Available Leases
Purpose
Display the maximum number of leases available for each VPI/VCI, VLAN, Ethernet subnetwork, or POS access interface type, or for a specific interface or subinterface.
Action
To display the maximum number of leases available for each interface type:
host1(config)#show ip dhcp-local limits...
Table 131: show ip dhcp-local limits Output Fields (continued)
Field Name | Field Description
Ethernet Limit | Number of leases available for each Ethernet subnet
Limit | Number of leases available to the specified interface or subinterface; indicates the configured value for the interface type unless a specific lease value is configured for the particular interface...
Table 132: show ip dhcp-local reserved Output Fields (continued)
Field Name | Field Description
Hardware | Address for which the IP address is reserved
Related Topics
show ip dhcp-local reserved
Monitoring Status of DHCP Applications
Purpose
Display which DHCP applications are configured and whether they are active or inactive; displays the status of DHCP relay, DHCP relay proxy, DHCP local server, and DHCP external server.
Part 5 Managing the Subscriber Environment Configuring Subscriber Management on page 583 Monitoring Subscriber Management on page 599 Configuring Subscriber Interfaces on page 603 Monitoring Subscriber Interfaces on page 635 Managing the Subscriber Environment...
Chapter 23: Configuring Subscriber Management
This chapter describes how to set up subscriber management on the E Series router. Subscriber management integrates a variety of router features and enables you to manage your constantly changing subscriber environment without affecting the performance you provide to your customers.
RADIUS server
Session and Resource Control (SRC) software
You employ the components you need in a variety of configurations, depending on your specific requirements.
Subscriber Management Platform Considerations
Subscriber management is supported on all E Series routers. For information about the modules supported on E Series routers: See the ERX Module Guide for modules supported on ERX7xx models, ERX14xx models, and the ERX310 Broadband Services Router.
In the first case, the interface is created when an external DHCP server or the DHCP local server responds to a subscriber request. In the second case, the subscriber interface is created when the router receives a packet (the packet detect feature) with a source IP address that is not in the demultiplexer table.
In Figure 15 on page 585, the subscriber requests an address from the DHCP server. The E Series router DHCP external server application monitors all DHCP communications between the subscriber and the DHCP server. After the subscriber receives an IP address, the subscriber can access the Internet and use the value-added services provided by the SRC software.
Specify each DHCP server for which to monitor traffic. You can specify a maximum of four DHCP servers.
host1(config)#ip dhcp-external server-address 10.10.10.1
Configure a default policy for subscribers, using a previously configured classifier group.
host1(config)#ip policy-list filterAll
host1(config-policy-list)#classifier-group filterGroupA
host1(config-policy-list-classifier-group)#filter
host1(config-policy-list-classifier-group)#exit...
deny: Drop addresses that appear in the source address range
primary: Associate the source prefix with the primary IP interface
Example
host1(config-if)#clear ip demux
There is no no version.
See clear ip demux
domain
Use to specify a domain for an IP service profile.
Use the no version to disable inclusion of the suboption in the username.
See include dhcp-option 82
include hostname
Use to include the router hostname in the username that is dynamically created by JUNOSe subscriber management.
Example
host1(config-service-profile)#include hostname
Use the no version to disable inclusion of the router hostname in the username.
Use to configure an IP interface to support creation of dynamic subscriber interfaces. The specified IP interface is considered the primary interface. The router creates the required dynamic subscriber interfaces when the IP address is assigned to the associated subscriber.
host1(config-if)#ip destination-prefix 10.0.0.0 255.0.0.0
Use the no version to remove the association between the interface and the specified IP destination address and mask.
See ip destination-prefix
ip inactivity-timer
Use to configure the inactivity timer value for an IP interface. A dynamically created subscriber interface is deleted if it is inactive for a period longer than the inactivity timer value.
Use to configure an interface to perform route-map processing, and to specify the route map that is applied to the IP interface subscriber. If no route map is specified, then all packets trigger the creation of a dynamic subscriber interface. You can issue this command from Interface Configuration mode or Profile Configuration mode.
Example
host1(config-if)#ip source-prefix 10.0.0.0 255.0.0.0
Use the no version to remove the association between the interface and the specified IP source address and mask.
See ip source-prefix
ip use-framed-routes ip-subscriber
Use to configure a static primary IP interface to use framed routes as source IP addresses when creating dynamic subscriber interfaces.
Use to specify the name of a subscriber’s service profile that is used in the route map. You can specify a service profile name with up to 32 ASCII characters.
Example
host1(config-route-map)#set ip service-profile yourServiceProfile
Use the no version to remove the service profile from the route map.
Use to assign an IP service profile to a VLAN subinterface. Service profiles contain user and password information, and are used in route maps for subscriber management and to authenticate subscribers with RADIUS. You can specify a service profile name with up to 32 ASCII characters.
Example
host1(config-profile)#vlan service-profile vlanClass1Service
host1(config-profile)#...
host1(config)#ip service-profile atlServiceProfile
host1(config-service-profile)#user-prefix xyzcorp.atl
host1(config-service-profile)#domain eastcoast
host1(config-service-profile)#include hostname
host1(config-service-profile)#include circuit-identifier atm
host1(config-service-profile)#exit
host1(config)#
The example generates the following username: The circuit identifier indicates a user at slot 2, port 3, with a virtual path identifier (VPI) of 32 and a virtual channel identifier (VCI) of 100.
host1(config-service-profile)#domain eastcoast
host1(config-service-profile)#include hostname
host1(config-service-profile)#include circuit-identifier vlan
host1(config-service-profile)#include mac-address
host1(config-service-profile)#include dhcp-option 82 agent-circuit-id
host1(config-service-profile)#exit
host1(config)#
The example generates the following username, which includes the MAC address:
Subscriber Management Configuration Examples...
Chapter 24: Monitoring Subscriber Management
This chapter describes how to monitor subscriber management on the E Series router. The following sections describe commands you can use to display status information and statistics for the subscriber management environment:
Monitoring IP Service Profiles on page 599
Monitoring Active IP Subscribers Created by Subscriber Management on page 600
Monitoring IP Service Profiles
Display information for all IP service profiles or for a specific profile.
Table 134: show ip service-profile Output Fields (continued)
user-prefix: User prefix used to retrieve information from RADIUS for subscriber interfaces
domain: Domain used to retrieve information from RADIUS for subscriber interfaces
include ip-address: IP address is included in the service profile
include virtual-router-name...
Chapter 25: Configuring Subscriber Interfaces
This chapter describes how to configure static and dynamic subscriber interfaces for remote access to the E Series router. This chapter contains the following sections:
Subscriber Interfaces Overview on page 603
Subscriber Interfaces Platform Considerations on page 609
Subscriber Interfaces References on page 610
Dynamic Creation of Subscriber Interfaces on page 610
Configuring Static Subscriber Interfaces on page 615...
10-Gigabit Ethernet (with and without VLANs)
GRE tunnels
For information about platform support for subscriber interfaces, see “Subscriber Interfaces Platform Considerations” on page 609.
Dynamic Interfaces and Dynamic Subscriber Interfaces
Dynamic interfaces are created automatically and transparently in response to external events.
For example, on an Ethernet VLAN, multiple subscribers can enter the network from a Wi-Fi hotspot, as shown in Figure 17 on page 605:
Figure 17: Example of a Dynamic Subscriber Interface (figure labels: To other locations; subscriber xyz; Service selection; L2 transport...)
Relationship to Primary IP Interfaces
A subscriber interface operates only with a primary IP interface, that is, a normal IP interface on a supported layer 2 interface, such as Ethernet. You create a primary interface by assigning an IP address to the Ethernet interface. Although you can configure a subscriber interface directly on an Ethernet interface, the subscriber interface does not operate until you assign an IP address to the Ethernet interface.
without VLANs. Using subscriber interfaces, the router can demultiplex or separate the traffic associated with different subscribers. You can configure subscriber interfaces with VLANs. If you do so, the E Series router demultiplexes packets by using first the VLAN and then the subscriber interface.
Moving Interfaces
A shared IP interface that has associated subscriber demultiplexing attributes retains these attributes when it moves.
Directing Traffic Toward Special Local Content
Figure 19 on page 608 shows an example of a cable modem network. Multiple cable modem termination systems (CMTSs) connect to multiple shared media access LANs. Many subscribers connect to each LAN. In this example, the service provider uses subscriber interfaces to direct traffic toward special local content on the network: a voice over Internet Protocol (VoIP) service on network 10.11.0.0/16, or a local gaming service on network 10.12.0.0/16.
Differentiating Traffic for VPNs
Similarly, service providers can use subscriber interfaces to differentiate traffic for VPNs. Figure 20 on page 609 shows an example of this application. Customers on subnet A need to connect to VPN A, and customers on subnet B need to connect to VPN B.
See ERX Module Guide, Table 1, ERX Module Combinations for detailed module specifications. See ERX Module Guide, Appendix A, Module Protocol Support for information about the modules that support subscriber interfaces. For information about modules that support subscriber interfaces on the E120 and E320 Broadband Services Routers: See E120 and E320 Module Guide, Table 1, Modules and IOAs for detailed module specifications.
IP address and immediately allocates the subscriber an IP address from one of the local address pools. In equal-access mode, the DHCP local server works with Juniper Networks Session and Resource Control (SRC) software and the authorization, accounting, and address assignment utility to provide an advanced subscriber configuration and management service.
server is integrated with SRC software. For more information, see SRC-PE Getting Started Guide, Chapter 1, SRC Product Overview.
DHCP Relay Configuration
When you are configuring dynamic subscriber interface support, and you configure DHCP relay in the same virtual router as the dynamic subscriber interfaces, you must use the set dhcp relay inhibit-access-route-creation command to ensure that DHCP relay does not install access internal routes.
not in the demultiplexer table. In this case, the primary IP interface must be in autoconfiguration mode. Packet detection is the only method of dynamically creating subscriber interfaces on GRE tunnel interfaces; you cannot use DHCP local server or DHCP external server. Issuing the ip auto-configure ip-subscriber command configures the primary IP address to enable dynamic configuration of subscriber interfaces.
IP-based Ethernet interfaces, and is very useful in subscriber management applications. When MAC address validation is enabled on an interface, the router checks the entry in the MAC validation table that corresponds to the IP source address of an incoming packet.
created from this primary IP interface after you change the MAC address validation state inherit the new MAC validation state. When you configure a dynamic subscriber interface with one or more framed routes (subnets), we recommend that you use the ip mac-validate loose command to configure MAC address validation for the static primary IP interface.
Using a Destination Address to Demultiplex Traffic
The example in Figure 22 on page 616 shows how you can use static subscriber interfaces to direct traffic toward special local content on the network, based on the traffic’s destination address.
Configure the primary interface to use a destination address to demultiplex traffic. (By default, a source address is used to demultiplex traffic.)
host1(config-if)#ip demux-type da-prefix
d. Exit Interface Configuration mode.
host1(config-if)#exit
Configure subscriber interface IP1.
a.
Figure 23: Subscriber Interfaces Using a Source Address to Demultiplex Traffic (figure label: E Series router)
To configure the static subscriber interfaces shown in Figure 23 on page 618, perform the following steps:
Configure a primary IP interface on a supported layer 2 interface.
a.
b. Associate the shared IP interface with the layer 2 interface by using one of the following methods:
Static: host1:vra(config-if)#ip share-interface fastEthernet 4/1
Dynamic: host1:vra(config-if)#ip share-nexthop 10.1.1.2
To fully configure the shared interface, assign an address or make it unnumbered.
Use to create an IP interface to share a layer 2 interface. Use the specified name to refer to the shared IP interface; you cannot use the layer 2 interface to refer to the shared IP interface, because the shared interface can be moved.
The shared interface is operationally up when the layer 2 interface is operationally up and IP is properly configured. You can create operational shared IP interfaces in the absence of a primary IP interface.
Example
host1(config-if)#ip share-interface atm 5/3.101
Use the no version to remove the association between the layer 2 interface and the shared IP interface.
Use the no version to remove the association between the interface and the specified IP source address and mask.
See ip source-prefix
Configuring Dynamic Subscriber Interfaces
You can configure dynamic subscriber interfaces in the following configurations:
IP over Ethernet
IP over VLAN over Ethernet
IP over bridged Ethernet over ATM...
Figure 24: IP over Ethernet Dynamic Subscriber Interface Configuration
Configuring Dynamic Subscriber Interfaces over VLANs
To configure a dynamic subscriber interface in an IP over VLAN over Ethernet configuration by using DHCP events, perform the following steps:
Configure the DHCP server.
Figure 25: IP over VLAN over Ethernet Dynamic Subscriber Interface Configuration
Configuring Dynamic Subscriber Interfaces over Bridged Ethernet
To configure a dynamic subscriber interface in an IP over bridged Ethernet over ATM configuration by using DHCP events, perform the following steps:
Configure the DHCP server.
(Optional) Specify the source address of traffic that is destined for the primary IP interface.
host1(config-subif)#ip source-prefix 192.168.2.20 255.255.255.0
Figure 26 on page 625 shows the interface stack built for this configuration.
Figure 26: IP over Bridged Ethernet over ATM Dynamic Subscriber Interface Configuration
Configuring Dynamic Subscriber Interfaces over GRE Tunnels
To configure a dynamic subscriber interface in a GRE tunnel configuration by using packet detection, perform the following steps:...
(Optional) Specify the IP inactivity timer.
host1(config-subif)#ip inactivity-timer 100
(Optional) Specify the source address of traffic that is destined for the primary IP interface.
host1(config-subif)#ip source-prefix 192.168.2.1 255.255.255.0
Figure 27 on page 626 shows the interface stack built for this configuration.
Figure 27: GRE Tunnel Dynamic Subscriber Interface Configuration
Dynamic Subscriber Interface Configuration Example
The procedure in this section shows how to configure dynamic subscriber interfaces...
Specify the enduring IP addresses that the DHCP local server can assign from the local address pool.
host1(config-dhcp-local)#network 10.20.0.0 255.255.192.0
Specify the router to forward traffic from the IP addresses to destinations on other subnets.
host1(config-dhcp-local)#default-router 10.20.32.1
Exit DHCP Local Pool Configuration mode.
atm pvc
Use to configure a PVC on an ATM interface. Specify the VCD, the VPI, the VCI, and the encapsulation type. (For more information about these parameters, see the Creating a Basic Configuration section in JUNOSe Link Layer Configuration Guide.)
Example
host1(config-subif)#atm pvc 10 100 22 aal5snap...
interface atm
Use to configure an ATM interface or subinterface type in the slot/port.subinterface format:
slot: Specifies router chassis slot
port: Specifies I/O module port
subinterface: Specifies subinterface number
Example
host1(config-if)#interface atm 9/1.1
Use the no version to remove the ATM interface or subinterface.
See interface atm
interface fastEthernet
Use to select a Fast Ethernet (FE) interface on a line module or an SRP module.
Example
host1(config)#interface tenGigabitEthernet 4/0/1
Use the no version to remove IP from an interface. You must issue the no version from the highest level down; you cannot remove an interface or subinterface if the one above it still exists.
See interface tenGigabitEthernet
interface loopback
Use to access and configure a loopback interface.
Use the no version to remove the IP address or to disable IP processing.
See ip address
ip auto-configure ip-subscriber
Use to configure an IP interface to support creation of dynamic subscriber interfaces. The specified IP interface is considered the primary interface. The router creates the required dynamic subscriber interfaces when the IP address is assigned to the associated subscriber.
Use the no version to prevent the DHCP local server from supplying IP addresses from the specified pool.
See ip dhcp-local pool
ip inactivity-timer
Use to configure the inactivity timer value. A dynamically created subscriber interface is deleted if it is inactive for a period longer than the inactivity timer value.
Use the no version to disable IP processing on the interface.
See ip unnumbered
ip use-framed-routes ip-subscriber
Use to configure a static primary IP interface to use framed routes as source IP addresses when creating dynamic subscriber interfaces. The router uses the Framed-Route RADIUS attribute [22] sent in Access-Accept messages to apply framed routes to subscriber interfaces associated with the primary interface.
Use the no version to restore the default in which DHCP relay builds dynamic subscriber interfaces on the IP interface that is used for DHCP server-destined messages.
See set dhcp relay giaddr-selects-interface
vlan id
Use to configure a VLAN ID for a VLAN subinterface. Specify a VLAN ID number that is in the range 0–4095 and is unique within the Ethernet interface.
Chapter 26: Monitoring Subscriber Interfaces
This chapter describes how to monitor static and dynamic subscriber interfaces for remote access to the E Series router. This chapter contains the following sections:
Monitoring Subscriber Interfaces Overview on page 635
Monitoring Subscriber Interfaces on page 635
Monitoring Active IP Subscribers Created by Subscriber Management on page 636
Monitoring Subscriber Interfaces Overview
The state of the subscriber interface is determined by the state of the Ethernet interface...
Table 136: show ip demux interface Output Fields (continued)
SA/DA: Demultiplexing method for subscriber interface (Source address or Destination address)
Subscriber-Intf: Name of shared interface on which subscriber interface is configured
VR/VRF: Name of virtual router (VR) or VPN routing and forwarding (VRF) instance on which the subscriber interface is configured...
---------- --------- --------- ----------------
2835349506 myProfile profile22 FastEthernet 3/1
Meaning: Table 137 on page 637 lists the show ip-subscriber command output fields.
Table 137: show ip-subscriber Output Fields
ID: ID of the subscriber
User Name: Username used to retrieve information from RADIUS for the subscriber interface...
Monitoring Active IP Subscribers Created by Subscriber Management...
Part 6: Managing Subscriber Services
Configuring Service Manager on page 641
Monitoring Service Manager on page 707
Managing Subscriber Services...
Chapter 27: Configuring Service Manager
This chapter describes how to use the Service Manager application to define, activate, and monitor networking services for your subscribers. This chapter discusses the following topics:
Service Manager Overview on page 641
Service Manager Platform Considerations on page 643
Service Manager References on page 643
Service Manager Configuration Tasks on page 643
Service Definitions on page 645...
messages can create and delete Service Manager subscriber sessions and activate and deactivate service sessions. For CLI clients, CLI commands create and delete the subscriber sessions and activate and deactivate service sessions. A subscriber’s service is based on a service definition; service definitions can include profiles, policies, and quality of service (QoS) settings that define the scope of a service granted to the subscriber.
Table 138: Service Manager Terms and Acronyms (continued)
Service instance: An instance that is created when you specify parameter values for a service definition to create a service session
Service session: A session that is created when a service instance is activated for a subscriber;...
Use the macro language to define service definitions
Download service definition macro files to the router’s nonvolatile storage (NVS)
Install service definitions on the router
Uninstall service definitions
Configure the Service Manager license
Configure RADIUS accounting
Use RADIUS login and RADIUS CoA to manage subscriber service sessions
Specify the subscriber
Specify optional attributes...
Figure 28: Service Manager Configuration Flowchart
Service Definitions
A service definition is a high-level, platform-independent template that defines a service that you want to let your subscribers use. You use the JUNOSe software’s embedded macro language on your computer to create the macro file that defines the service.
Interface profiles: Specify a set of characteristics that can be dynamically assigned to IP interfaces. A service definition must use at least one interface profile.
Policy lists: Specify policy actions for traffic traversing an interface.
Classifier lists: Specify the criteria by which the router defines a packet flow.
Table 139: JUNOSe Objects Tracked by Service Manager (continued)
output-stat-clacl (Optional): Collects output statistics from policy manager; can be a list of clacls
activate-profile (Required): Specifies the interface profile used on activation of the service; deletion of the profile is Service Manager’s responsibility
deactivate-profile...
output-stat-epg (Optional): Collects output statistics associated with the external group from policy manager; both the external parent group and the corresponding hierarchical policy parameter must be specified; can be multiple pairs of external parent groups and hierarchical policy parameters...
Managing Your Service Definitions
After you have created the macro file for your service definition, you can perform the following operations with the service definition macro file:
Copy: You must copy the service definition from the local computer that you used to create the macro file to the router’s NVS card.
During installation, Service Manager precompiles the service definition and extracts the definition file’s timestamp. After you install the service definition, you can use the definition to create service sessions for subscribers. To update an existing service definition, you make changes to the original macro file on your computer, copy the updated file to NVS, and install the updated file.
Referencing QoS Configurations in Service Definitions
You can use QoS profiles and QoS parameters to define a service for a subscriber. For example, you can configure the shaping rate for traffic in a video service by using a QoS parameter instance.
qos-profile
Use to add a QoS profile command for use with Service Manager. When the service is activated, the QoS profile is created and attached to the subscriber interface.
Example
host1(config)#profile iptv
host1(config-profile)#qos-profile video
Use the no version to remove the QoS profile from the profile.
Configure the QoS parameter definition described in JUNOSe Quality of Service Configuration Guide, QoS Parameter Overview. You must configure at least one controlled-interface type and one subscriber-interface type. The range specified in the parameter definition controls the available value of the parameter instance.
Specifying the Add and Initial-Value Keywords
You can use the add keyword to add value to an existing parameter instance. For example:
<# qosserviceone(bandwidth1, bandwidth2) #>
profile <# profileName ; '\n' #>
qos-parameter <# qosParameterName3 ; ' add ' ; bandwidth2 ; '\n' #>
<# endtmpl #>...
Table 140 on page 655 lists the results of a series of activations and deactivations of parameters using the add and initial-value keywords.
Table 140: Sample Modifications Using the Add and Initial-Value Keywords
Action | QoS Parameter Instance | Result
Activate | qos-parameter video-bw add 5000000 | ...
Table 141: Sample Modifications Using Parameter Instances (continued)
Action | QoS Parameter Instance | Result
Deactivate | qos-parameter video-bw add 5000000 initial-value 0 | 5000000 is subtracted from parameter instance video-bw for a total of -4000000
Deactivate | qos-parameter video-bw 2000000 | Parameter instance video-bw is removed
Modifying QoS Configurations in a Single Service Manager Event...
Table 143: Modifying QoS Configurations with Other Sources
Columns: QoS Profile Attachment | QoS Parameter Instances
Rows: Service Manager; RADIUS; SNMP (–); SRC software (–)
The following sections describe the precedence of each source when modifying configurations.
Service Manager: QoS profile attachments and parameter instances created through Service Manager have precedence over all other sources.
Conversely, QoS profiles and parameter instances configured through the CLI, SNMP, or the SRC software can be overwritten by any source.
Removing QoS Configurations Referenced by Service Manager
When Service Manager no longer references a QoS configuration, it must be removed from the service definition.
RADIUS or Service Manager
We recommend that you choose either RADIUS or Service Manager to create a single parameter instance. If you use both RADIUS and Service Manager, parameter instances activated using Service Manager take precedence.
Interoperability with Other Service Components
Service Manager removes QoS profiles and parameter instances if other components in the service definition (for example, policies) cause an error.
10 subscriber sessions. The license is a unique string of up to 15 alphanumeric characters.
NOTE: Obtain the license from Juniper Networks Customer Service or your Juniper Networks sales representative.
Example
host1(config)#license service-management 123456789
Use the no version to disable the license.
the subscriber’s RADIUS record. RADIUS then uses vendor-specific attributes (VSAs) in the Access-Accept packet to activate the service session for the subscriber. This method is useful when your subscribers are not currently logged
RADIUS CoA method: Supports dynamic service selection for subscribers. For example, the subscriber might have logged in without a service, or might have used the RADIUS login method to activate a service at login.
Create the RADIUS record for the subscriber and service:
For RADIUS login: Create the RADIUS record for the subscriber and include the Activate-Service VSA in the record. Specify values for the parameters defined in the service template name of the definition macro file.
For RADIUS CoA: Format the CoA message to create the RADIUS record for the subscriber.
Table 144: Service Manager RADIUS Attributes
Attribute Number | Attribute Name | RADIUS Message Type | VSA | Description
... | User-Name (used with Virtual-Router, Juniper Networks VSA 26-1) | Access-Accept | ... | Uniquely identifies the subscriber session
... | Framed-IP-Address (used with Virtual-Router, Juniper... | Access-Accept | ... | Uniquely identifies the subscriber session
NOTE: Service Manager statistics collection is a three-part procedure. You must configure statistics information in the service definition macro file, enable statistics collection in the RADIUS record, and also enable statistics collection for the policy referenced in the service macro using the statistics enabled keyword in the command used for policy attachment in the profile.
Service-Timeout
Service-Volume
Service-Interim-Acct-Interval
Table 146 on page 665 describes an Access-Accept packet that activates the two services, tiered and voice, for subscriber client1@isp1.com. Each service has its own unique tag, enabling you to assign attributes for one service, but not the other. For example, the two services have different timeout settings and different interim accounting intervals, and statistics are enabled only for the tiered service.
NOTE: The Service-Timeout and Service-Volume attributes use values captured by the Service Manager statistics feature to determine when a threshold is exceeded. Therefore, you must configure and enable statistics collection to use these attributes. See “Configuring Service Manager Statistics”...
attribute is used by RADIUS CoA messages, such as in a guided entrance service. See “Guided Entrance Service Example” on page 693 for more information.
Using Mutex Groups to Activate and Deactivate Subscriber Services
Service Manager supports two methods that use RADIUS CoA-Request messages to activate and deactivate subscriber services and that can also dynamically change a service that is currently provided to a subscriber.
services. Active services that are members of different mutex groups are unaffected.
Configuring a Mutex Service
To configure and enable a mutex service, you complete the following steps:
Create the new service definition and configure the service as a member of a mutex group.
Use a RADIUS CoA-Request message and the new service definition to create the mutex service. The new service is considered a mutex service because it belongs to a mutex group. Service Manager activates the new service and deactivates any existing active service that is a member of the same mutex group as the new service.
You can use the service-interface-type object in the service definition macro file to specify whether a service must be defined for IPv4 or IPv6. Configuring the service-interface-type object is not mandatory if a service is required only for IPv4 or L2TP subscribers.
called iponeV6 to be used for IPv6 traffic. Both the services defined for IPv4 and IPv6 must be configured for the subscriber on the RADIUS server. When the subscriber is authenticated using RADIUS authentication, two services, one each for IPv4 and IPv6, are created.
JUNOSe 11.1.x Broadband Access Configuration Guide number of services configured. You can view the number of service sessions currently active for a subscriber by viewing the Service Sessions field from the output of the show service-management command. If you configured a combined IP4 and IPv6 service, the memory usage is the same as that required for one subscriber service session.
Chapter 27: Configuring Service Manager Table 147 on page 673 lists the RADIUS accounting attributes used by the Service Manager application. Table 147: Service Manager RADIUS Accounting Attributes Attribute RADIUS Message Number Attribute Name Type VSA Description [26-83] Service-Session For service Name of the service (including sessions only: parameter values) with which the...
JUNOSe 11.1.x Broadband Access Configuration Guide When the Service-Interim-Acct-Interval attribute is configured for a service, Service Manager uses the guidelines shown in Table 148 on page 674 to determine the correct interim accounting interval to use for the service. Table 148: Determining the Service Interim Accounting Interval Service-Interim-Acct- Interval Value Service Manager Action...
Table 149: Sample Acct-Start Message for a Service Session (continued)
RADIUS Attribute: Sample Value
  ingress-policy-name (vsa): forwardAll
  egress-policy-name (vsa): forwardAll
  calling-station-id: #ERX-01-00-06#E12#0
  acct-input-gigawords:
  acct-input-octets: 4032
  acct-output-gigawords:
  acct-output-octets: 2163
  acct-input-gigapackets (vsa):
  acct-input-packets:
  acct-output-gigapackets (vsa):
  acct-output-packets:
  nas-port-type:
  nas-port: 3221225472
  nas-port-id: ...
NOTE: To enable interim service accounting, the service accounting interval must be set to a non-zero value and the service statistics type must not be set to none.
Example
host1(config)#aaa service accounting interval 60
Use the no version to reset the accounting interval to 0, which turns off interim service accounting when no value is specified in the Service-Interim-Acct-Interval attribute (Juniper VSA 26-140).
in a dual stack. You can also obtain external parent group statistics for IPv4 and IPv6 services configured independently in a dual stack. You can retrieve either external parent group statistics or classifier statistics from policy manager.
Subscriber name and interface method: Activates the service session based on the subscriber name and the interface that the subscriber is using for this subscriber session.
host1(config)#service-management subscriber-session client1@isp1.com interface atm 4/0.1 service-session “tiered(1280000, 5120000)”
Owner name and ID method: Activates the service session based on the owner that created the subscriber session and the ID that was generated by the owner.
session for the same subscriber, only the newest subscriber session, with its services, is used.
Example 1: Activate a service session for an existing subscriber
host1(config)#service-management owner-session aaa 573498 service-session “video(4500000, 192.168.10.3)”
Example 2: Activate multiple service sessions for an existing subscriber
host1(config)#service-management owner-session aaa 573498 service-session “video(4500000, 192.168.10.3)”...
For example, you might assign the same video service to two subscribers, but use different service session profiles to set different time limits for each subscriber’s service. One subscriber uses the video service for 5 hours (18000 seconds) while the other subscriber’s video service is for 10 hours (36000 seconds).
Use to create a new service session profile or to specify the name of an existing profile you want to modify, and to enter Service Session Profile Configuration mode. In Service Session Profile Configuration mode, you specify the attributes used in the service session profile, such as the maximum volume limit for the session and the maximum time the session can be used.
host1(config)#service-management service-session-profile vodISP1
host1(config-service-session-profile)#time 6000
Use the no version to delete the time attribute from the service session profile.
See time
volume
Use to specify the maximum volume of traffic that can use the service. The router immediately terminates the subscriber’s service session when the specified traffic volume is exceeded.
Gracefully Deactivating Subscriber Service Sessions
Use the following commands to gracefully deactivate a subscriber’s services. You can deactivate a specific service for a subscriber, or you can delete a subscriber session, which deactivates all of the subscriber’s service sessions. We recommend you use this command to deactivate subscriber service sessions.
We recommend this method if you encounter difficulty using the graceful deactivation method. Always use the graceful method first.
no service-management subscriber-session force
Use to force the immediate termination of a subscriber session and to deactivate all services for the specified subscriber session.
host1(config)#service-management subscriber-session client1@isp1.com interface atm 4/0.1 service-session “video(4500000, 192.168.10.3)” service-session-profile vodISP1
Configuring Service Manager Statistics
The Service Manager application provides a flexible and efficient process for identifying and capturing statistics related to subscriber service sessions. Configuring Service Manager to collect statistics is a three-part process.
Table 150: RADIUS-Enabled Statistics (continued)
  RADIUS Attribute: service-statistics; Value: When you enable statistics for a RADIUS-activated service, RADIUS accounting reports can use the statistics.
Enabling Statistics Collection with the CLI
You use service session profiles to enable statistics when you activate a service session with the CLI.
Input Packets : 1
Output Packets : 2
External Parent Group Statistics Collection Setup
Policies for interface groups include external parent groups that are implicitly instantiated during policy attachment based on each unique interface group encountered.
<# env.setResult("input-stat-epg", "vc-v4v6-in v4v6" ) #>
<# env.setResult("output-stat-epg", "vc-v4v6-out v4v6" ) #>
The <# env.setResult("secondary-input-stat-epg", "vc-v4v6-in v4v6") #> command specifies that Service Manager track statistics associated with the external parent group named vc-v4v6-in and the corresponding hierarchical policy named v4v6, and that this external parent group is associated with the policy that is attached at the input stage.
Figure 32: Guided Entrance
Service Manager requires additional configuration considerations for the guided entrance service. The <# redirectUrlName := "http://" $ serverIp $ ":" $ serverPort #> command in the service definition specifies the HTTP local service to which the subscriber is redirected after login.
If you configure a guided entrance service, you must also ensure that the router’s RADIUS dynamic-request server is enabled and supports CoA messages. See “Configuring RADIUS Dynamic-Request Server” on page 241 for information about the RADIUS dynamic-request server and CoA messages.
NOTE: Currently, the HTTP local server does not support two different ports for IPv4 and IPv6 packets. However, the HTTP local server can listen for both IPv4 and IPv6 exception packets on the same port, simultaneously.
To configure the HTTP local server to support guided entrance for IPv4:
Access the virtual router context.
(Optional) Specify a standard IP access list that defines which subscribers can connect to the HTTP local server.
host1:west40(config)#ip http access-class chicagoList
(Optional) Specify the port on which the HTTP local server receives connection attempts.
Use to allow only subscribers on the specified standard IP access list to connect to the HTTP local server.
Example
host1(config)#ip http access-class chicagoList
Use the no version to remove the association between the access list and the HTTP local server.
NOTE: The HTTP local server must be configured and enabled in the virtual router for the interface on which you use the ip http redirectUrl command. Otherwise, the URL redirect operation will fail.
Example
host1(config-if)#ip http redirectUrl http://ispsite.redirect.com
Use the no version to restore the default, which disables the HTTP redirect feature.
Use to specify the port on which the HTTP local server receives connection attempts for IPv6 exception packets.
NOTE: You can modify the port on which the HTTP local server receives connection attempts. However, you must first disable the HTTP local server and then modify the port.
Use the no version to disable the HTTP local server. See ipv6 http server.
Combined IPv4 and IPv6 Service in a Dual Stack Example
When you configure a combined IPv4 and IPv6 service in a dual stack, the policies defined in the interface profile are attached to the appropriate interfaces based on the type of the interface.
are applied to the secondary input stage. The IPv4 and IPv6 policies for voice-over-IP traffic leaving the IPv4 and IPv6 interfaces respectively are applied to the output stage. Statistics collection is enabled for the policies referenced in the service macro using the statistics enabled keyword in the command used for policy attachment in the profile.
combined_service(64000, 64000, 10.0.0.1, 2001::1, vlan)
where
  64000: Bandwidth for outbound traffic, denoted as outBw in the macro
  64000: Bandwidth for inbound traffic, denoted as inBw in the macro
  10.0.0.1: Host IP address for IPv4 subscribers, denoted as VBG1 in the macro
  2001::1: Host IP address for IPv6 subscribers, denoted as VB6G1 in the macro
  vlan: Interface on which the service is configured, denoted as NODE in the macro
Service Definition Examples...
Chapter 28: Monitoring Service Manager
This chapter describes how to monitor the Service Manager application. This chapter discusses the following topics:
  Setting a Baseline for HTTP Local Server Statistics on page 707
  Monitoring the Connections to the HTTP Local Server on page 708
  Monitoring the Configuration of the HTTP Local Server on page 708
  Monitoring Statistics for Connections to the HTTP Local Server on page 709
  Monitoring Profiles for the HTTP Local Server on page 710...
Monitoring Statistics for Connections to the HTTP Local Server on page 709
Related Topics: baseline ip http
Monitoring the Connections to the HTTP Local Server
Purpose: Display information about the connections to the HTTP local server.
Action: To display information about the HTTP local server:...
host1#show ip http server
Admin status: enabled
Access class: not defined
Listening port: 80
Same host limit: 3
Protocol: IPv6
Meaning: Table 153 on page 709 lists the show ip http server command output fields.
Table 153: show ip http server Output Fields (columns: Field Name, Field Description)...
Malformed http requests: 0
Urls not found: 0
Meaning: Table 154 on page 710 lists the show ip http statistics command output fields.
Table 154: show ip http statistics Output Fields
  Server enable count: Total number of enabled HTTP local servers
  Server disable count: ...
Auto Detect : Disabled
Auto Configure : Disabled
IP FlowStats : Disabled
Ip http redirect Url : myredirect.html
Ipv6 http redirect Url: myredirect.html
Meaning: Table 155 on page 711 lists the show profile command output fields.
Table 155: show profile Output Fields (columns: Field Name...
show aaa service accounting interval
Related Topics
Monitoring the Status of the Service Manager License
Purpose: Display the status of the Service Manager license.
Action: To display the status of the Service Manager license:
host1#show license service-management
service management license is set
Table 157 on page 712 lists the show license service-management command output...
Meaning: Table 158 on page 713 lists the show profile command output fields.
Table 158: show profile Output Fields
  Input Policy: Name of input policy and whether statistics are enabled or disabled
  Output Policy: Name of output policy and whether statistics are enabled or disabled...
Forwarded packets 0, bytes 0
Dropped committed packets 0, bytes 0
Dropped conformed packets 0, bytes 0
Dropped exceeded packets 0, bytes 0
Http Redirect Url: http://www.juniper.net
To display information about a specific IPv6 interface:
host1#show ipv6 interface FastEthernet 9/0.6
FastEthernet9/0.6 line protocol VlanSub is up, ipv6 is up
Description: IPv6 interface in Virtual Router Hop6...
Table 159: show ip interface Output Fields (continued)
  reasm req: Number of requests for reassembly
  reasm fails: Number of reassembly failures
  frag ok: Number of packets fragmented successfully
  frag req: Number of frames requiring fragmentation
  frag fails: Number of packets unsuccessfully fragmented...
Table 159: show ip interface Output Fields (continued)
  timestamp req: Requests for a timestamp
  timestamp rpy: Replies to timestamp requests
  addr mask req: Address mask requests
  addr mask rpy: Address mask replies
  ARP spoof checking: Status of the check for spoofed ARP packets received on an IP interface.
Table 159: show ip interface Output Fields (continued)
  Out Forwarded Packets, Bytes: Total number of packets and bytes forwarded out of the IP interface
  Unicast Packets, Bytes: Unicast packets and bytes forwarded out of the IP interface
  Multicast Routed Packets, Bytes: Multicast packets and bytes forwarded out of the IP...
Table 160: show ipv6 interface Output Fields (continued)
  local destination: Frames with this router as destination
  hdr errors: Number of packets containing header errors
  addr errors: Number of packets containing addressing errors
  unkn proto: Number of packets received containing unknown protocols...
Table 160: show ipv6 interface Output Fields (continued)
  Group membership (queries, responses, reductions): Number of queries, responses, and reduction requests received from within a group to which the interface is assigned
  ICMPv6 Statistics
  Sent total: Total number of received packets...
Table 160: show ipv6 interface Output Fields (continued)
  ND reachable time: Amount of time (in milliseconds) that the neighbor is expected to remain reachable
  ND duplicate address detection attempts: Number of times that the router attempts to determine a duplicate address
  ND neighbor solicitation...
Table 160: show ipv6 interface Output Fields (continued)
  In Error Packets: Packets discarded on a receive IP interface because of IP header errors
  In Discarded Packets: Packets discarded on the ingress interface because of a configuration problem rather than a problem with the packet itself
  Out Forwarded Packets, Bytes...
Table 160: show ipv6 interface Output Fields (continued)
  Dropped exceeded packets, bytes: Total number of exceeded packets and bytes dropped by this interface
Related Topics: show ip interface, show ipv6 interface
Monitoring Service Definitions
Display information about the service definitions configured on your router.
Table 161: show service-management service-definition Output Fields (continued)
  Installed: Status of definition: True (installed), False (not installed)
  Reference Count: Number of times the service definition has been used to instantiate a unique service instance (which identifies the policy, QoS, and profile objects for a service).
Table 162: show service-management service-session-profile Output Fields
  Name: Name of the service session profile
  Volume: Volume threshold, in MB, for the service session
  Time: Time threshold, in seconds, for the service session
  Statistics: Type of statistics that are captured: Disabled (none)
-----------------------  ------------
tiered(2000000,3000000)  False
To display information for a particular owner with service session information:
host1# show service-management owner-session aaa 4194326 service-session
User Name: client1@isp.COM, Interface: ip192.168.0.1
Service : tiered(2000000,3000000)
Non-volatile : False
Owner : AAA 4194326
State : Config ApplySuccess
Activate : True
Statistics Type : time-based and volume-based...
Table 163: show service-management owner-session Output Fields (continued)
  Statistics Type: Type of statistics collected; none, time, or volume-time
  Statistics Complete: Whether statistics have been successfully collected; True or False
  Poll Interval: Interval, in seconds, that interim statistics reports are sent
  Poll Expire: ...
host1# show service-management subscriber-session brief
Subscriber Sessions
-------------------
Service Name      Interface       Owner/Id     State   Non-volatile  Sessions
----------------  --------------  -----------  ------  ------------  --------
CLIENT1@ISP.COM   ip192.168.0.3   AAA 4194326  Active  False
CLIENT2@ISP.COM   ip192.168.0.7   AAA 4194327  Active  False
CLIENT3@ISP.COM   ip192.168.0.4   AAA 4194328  Active...
host1#show service-management subscriber-session 20
User Name: CLIENT50@ISP.COM, Interface: ip192.168.100.33
Id: 20
Owner/Id: CLI
Non-volatile: True
State: Active
ServiceSessions:
Name                 mutex  Owner  State                Operation
-------------------  -----  -----  -------------------  ---------
internet(5000,8000)                Config ApplySuccess  Activate
Name                 Non-volatile
-------------------  ------------
internet(5000,8000)  True...
Table 164: show service-management subscriber-session Output Fields (continued)
  Poll Interval: Interval, in seconds, that interim statistics reports are sent
  Poll Expire: Number of seconds until the next statistics report is sent
  Activate Time: Day, date, and time when the service session was...
Total Service Sessions : 10
Meaning: Table 165 on page 731 lists the show service-management summary command output fields.
Table 165: show service-management summary Output Fields
  Total Subscriber Sessions: Number of active subscriber sessions on the router
  Total Service Sessions: Number of active service sessions on the router
show service-management summary...
Monitoring the Number of Active Subscriber and Service Sessions with Service Manager...