Summary of Contents for Juniper JUNOSE SOFTWARE 11.0.X - BROADBAND ACCESS CONFIGURATION GUIDE 4-1-2010
Page 1
JUNOSe Software for E Series Broadband Services Routers
Broadband Access Configuration Guide
Release 11.0.x
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, California 94089
408-745-2000
www.juniper.net
Published: 2010-01-04...
Page 2
Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
Page 3
AND (B) YOU MAY CONTACT JUNIPER NETWORKS REGARDING LICENSE TERMS. 1. The Parties. The parties to this Agreement are (i) Juniper Networks, Inc. (if the Customer’s principal office is located in the Americas) or Juniper Networks (Cayman) Limited (if the Customer’s principal office is located outside the Americas) (such applicable entity being referred to herein as “Juniper”), and (ii) the person or organization that originally purchased from Juniper or an authorized Juniper reseller the applicable license(s) for use of the Software (“Customer”)
Page 4
(“GPL”) or the GNU Library General Public License (“LGPL”)), Juniper will make such source code portions (including Juniper modifications, as appropriate) available upon request for a period of up to three years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194 http://www.gnu.org/licenses/gpl.html...
Page 5
agreements relating to the Software, whether oral or written (including any inconsistent terms contained in a purchase order), except that the terms of a separate written agreement executed by an authorized Juniper representative and Customer shall govern to the extent such terms are inconsistent or conflict with terms contained herein.
Page 7
Abbreviated Table of Contents
About the Documentation .... xxxvii
Part 1 Managing Remote Access
Chapter 1 Configuring Remote Access
Chapter 2 Monitoring and Troubleshooting Remote Access
Part 2 Managing RADIUS and TACACS+
Chapter 3 Configuring RADIUS Attributes
Chapter 4 Configuring RADIUS Dynamic-Request Server
Chapter 5 Configuring RADIUS Relay Server
Chapter 6...
Page 8
JUNOSe 11.0.x Broadband Access Configuration Guide
Part 5 Managing the Subscriber Environment
Chapter 23 Configuring Subscriber Management
Chapter 24 Monitoring Subscriber Management
Chapter 25 Configuring Subscriber Interfaces
Chapter 26 Monitoring Subscriber Interfaces
Part 6 Managing Subscriber Services
Chapter 27 Configuring Service Manager
Chapter 28 Monitoring Service Manager
Part 7...
Table of Contents
About the Documentation .... xxxvii
E Series and JUNOSe Documentation and Release Notes .... xxxvii
Audience .... xxxvii
E Series and JUNOSe Text and Syntax Conventions .... xxxvii
Obtaining Documentation .... xxxix
Documentation Feedback .... xxxix
Requesting Technical Support .... xxxix
Self-Help Online Tools and Resources .... xl
Opening a Case with JTAC .... xl
Part 1 Managing Remote Access...
Page 10
Configuring RADIUS Authentication and Accounting Servers .... 18
Server Access .... 18
Server Request Processing Limit .... 19
Authentication and Accounting Methods .... 19
Supporting Exchange of Extensible Authentication Protocol Messages .... 20
Immediate Accounting Updates .... 21
Duplicate and Broadcast Accounting .... 21
Configuring AAA Duplicate Accounting .... 22
Configuring AAA Broadcast Accounting .... 22
Overriding AAA Accounting NAS Information .... 22...
Page 11
Using RADIUS Route-Download Server to Distribute Routes .... 71
Format of Downloaded Routes .... 71
Framed-Route (RADIUS attribute 22) .... 72
Cisco-AVPair (Cisco VSA 26-1) .... 72
How the Route-Download Server Downloads Routes .... 72
Configuring the Route-Download Server to Download Routes .... 72
Using the AAA Logical Line Identifier to Track Subscribers .... 76
How the Router Obtains and Uses the LLID .... 76
RADIUS Attributes in Preauthentication Request .... 77...
Page 12
Monitoring Mapping Between User Domains and Virtual Routers .... 115
Monitoring Tunnel Subscriber Authentication .... 117
Monitoring Routing Table Address Lookup .... 118
Monitoring the AAA Model .... 118
Monitoring IP Addresses of Primary and Secondary DNS and WINS Name Servers .... 118
Monitoring AAA Profile Configuration .... 119
Monitoring Statistics about the RADIUS Route-Download Server .... 120...
Page 15
Configuring RADIUS Relay Server Support .... 249
Monitoring RADIUS Relay Server .... 251
Chapter 6 RADIUS Attribute Descriptions
RADIUS IETF Attributes .... 253
Juniper Networks VSAs .... 259
DSL Forum VSAs .... 270
Pass Through RADIUS Attributes .... 271
RADIUS Attributes References .... 272
Chapter 7 Application Terminate Reasons
AAA Terminate Reasons .... 273...
Page 16
Chapter 8 Monitoring RADIUS
Monitoring Override Settings of RADIUS IETF Attributes .... 297
Monitoring the NAS-Port-Format RADIUS Attribute .... 298
Monitoring the Calling-Station-Id RADIUS Attribute .... 299
Monitoring the NAS-Identifier RADIUS Attribute .... 299
Monitoring the Format of the Remote-Circuit-ID for RADIUS .... 300
Monitoring the Delimiter Character in the Remote-Circuit-ID for RADIUS .... 300
Monitoring the Acct-Session-Id RADIUS Attribute .... 300
Monitoring the DSL-Port-Type RADIUS Attribute .... 301...
Page 17
Part 3 Managing L2TP
Chapter 11 L2TP Overview
L2TP Overview .... 329
L2TP Terminology .... 330
Implementing L2TP .... 331
Sequence of Events on the LAC .... 331
Sequence of Events on the LNS .... 332
Packet Fragmentation .... 333
L2TP Platform Considerations .... 334
L2TP Module Requirements .... 334
ERX7xx Models, ERX14xx Models, and the ERX310 Router .... 334
E120 Router and E320 Router .... 335...
Page 18
Managing the L2TP Destination Lockout Process .... 360
Modifying the Lockout Procedure .... 360
Verifying That a Locked-Out Destination Is Available .... 362
Configuring a Lockout Timeout .... 362
Unlocking a Destination that is Currently Locked Out .... 362
Starting an Immediate Lockout Test .... 363
Managing Address Changes Received from Remote Endpoints .... 363
Configuring LAC Tunnel Selection Parameters .... 364...
Page 19
Configuration Tasks .... 390
Enabling Tunnel Switching on the Router .... 390
Configuring L2TP Tunnel Switch Profiles .... 390
Applying L2TP Tunnel Switch Profiles by Using AAA Domain Maps .... 391
Applying L2TP Tunnel Switch Profiles by Using AAA Tunnel Groups .... 392
Applying Default L2TP Tunnel Switch Profiles .... 393
Applying L2TP Tunnel Switch Profiles by Using RADIUS .... 393
Configuring the Transmit Connect Speed Calculation Method .... 394...
Page 20
Before You Configure L2TP Dial-Out .... 413
Configuring L2TP Dial-Out .... 413
Monitoring L2TP Dial-Out .... 415
Chapter 15 L2TP Disconnect Cause Codes
L2TP Disconnect Cause Codes .... 417
Chapter 16 Monitoring L2TP and L2TP Dial-Out
Monitoring the Mapping for User Domains and Virtual Routers with AAA .... 422
Monitoring Configured Tunnel Groups with AAA .... 424
Monitoring Configuration of Tunnel Parameters with AAA .... 426
Monitoring Global Configuration Status on E Series Routers .... 427...
Page 21
Chapter 18 DHCP Local Server Overview
Embedded DHCP Local Server Overview .... 463
DHCP Local Server and Client Configuration .... 463
Equal-Access Mode Overview .... 464
Local Pool Selection and Address Allocation .... 464
The Connection Process .... 465
Standalone Mode Overview .... 466
Local Pool Selection and Address Allocation .... 466
Server Management Table .... 468
DHCP Local Server Prerequisites .... 468...
Page 22
Using the Broadcast Flag Setting to Control Transmission of DHCP Reply Packets .... 492
Interaction with Layer 2 Unicast Transmission Method .... 493
Preventing DHCP Relay from Installing Host Routes by Default .... 494
Configuration Example Preventing Installation of Host Routes .... 494
Including Relay Agent Option Values in the PPPoE Remote Circuit ID .... 495
Using the Giaddr to Identify the Primary Interface for Dynamic Subscriber...
Page 23
Configuring Interoperation with Ethernet DSLAMs .... 523
Configuring the DHCP External Server to Support the Creation of Dynamic Subscriber Interfaces .... 524
Configuring DHCP External Server to Control Preservation of Dynamic Subscriber Interfaces .... 526
Configuring Dynamic Subscriber Interfaces for Interoperation with DHCP Relay and DHCP Relay Proxy .... 527
Deleting Clients from a Virtual Router’s DHCP Binding Table .... 528
Configuring DHCP External Server to Uniquely Identify Clients with Duplicate...
Page 24
Monitoring Duplicate MAC Addresses Use By DHCP Local Server Clients .... 571
Monitoring the Maximum Number of Available Leases .... 572
Monitoring Static IP Address and MAC Address Pairs Supplied by DHCP Local Server .... 573
Monitoring Status of DHCP Applications .... 574
Part 5 Managing the Subscriber Environment
Chapter 23...
Page 25
Dynamic Creation of Subscriber Interfaces .... 604
DHCP Servers .... 605
DHCP Local Server and Address Allocation .... 605
DHCP External Server and Address Allocation .... 605
DHCP Relay Configuration .... 606
Supported Configurations .... 606
Packet Detection .... 606
Designating Traffic for the Primary IP Interface .... 607
Using Framed Routes .... 607
Inheritance of MAC Address Validation State for Dynamic Subscriber Interfaces .... 607...
Page 26
Referencing QoS Configurations in Service Definitions .... 645
Specifying QoS Profiles in a Service Definition .... 645
Configuring a QoS Profile for Service Manager .... 645
Specifying QoS Profiles in a Service Definition .... 646
Specifying QoS Parameter Instances in a Service Definition .... 646
Creating a Parameter Instance in a Profile .... 646
Specifying QoS Parameter Instances in a Service Definition .... 647
Modifying QoS Configurations with Service Manager .... 648...
Page 27
Configuring Service Manager Statistics .... 680
Setting Up the Service Definition File for Statistics Collection .... 680
Enabling Statistics Collection with RADIUS .... 681
Enabling Statistics Collection with the CLI .... 682
External Parent Group Statistics Collection Setup .... 683
Service Manager Performance Considerations .... 684
Service Definition Examples .... 684
Tiered Service Example .... 684
Video-on-Demand Service Definition Example .... 685...
List of Figures
Part 1 Managing Remote Access
Chapter 1 Configuring Remote Access
Figure 1: Local Address Pool Hierarchy .... 54
Figure 2: Shared Local Address Pools .... 55
Figure 3: Single PPP Clients per ATM Subinterface .... 61
Figure 4: Multiple PPP Clients per ATM Subinterface .... 62
Part 2 Managing RADIUS and TACACS+
Chapter 4...
Page 30
Figure 15: DHCP External Server .... 579
Chapter 25 Configuring Subscriber Interfaces
Figure 16: Example of a Dynamic Interface Stack .... 598
Figure 17: Example of a Dynamic Subscriber Interface .... 599
Figure 18: Subscriber Interfaces over Ethernet .... 600
Figure 19: Subscriber Interfaces in a Cable Modem Network .... 602
Figure 20: Associating Subnets with a VPN Using Subscriber Interfaces .... 603
Figure 21: IP over Ethernet Dynamic Subscriber Interface Configuration .... 606...
Page 31
List of Tables
About the Documentation .... xxxvii
Table 1: Notice Icons .... xxxviii
Table 2: Text and Syntax Conventions .... xxxviii
Part 1 Managing Remote Access
Chapter 1 Configuring Remote Access
Table 3: Username and Domain Name Examples .... 16
Table 4: Local UDP Port Ranges by RADIUS Request Type .... 19
Table 5: RADIUS IETF Attributes in Preauthentication Request .... 78
Table 6: VSAs That Apply to Dynamic IP Interfaces .... 82
Table 7: Traffic-Shaping VSAs That Apply to Dynamic IP Interfaces .... 83...
Page 33
Table 67: show tacacs Output Fields .... 325
Part 3 Managing L2TP
Chapter 11 L2TP Overview
Table 68: L2TP Terms .... 330
Chapter 13 Configuring an L2TP LNS
Table 69: L2TP-Resynch-Method RADIUS Attribute .... 388
Table 70: Transmit Connect Speeds for L2TP over ATM 1483 Example .... 397
Table 71: Transmit Connect Speeds for L2TP over Ethernet Example .... 397
Table 72: Tunnel-Tx-Speed-Method RADIUS Attribute .... 402
Chapter 14...
Page 34
Table 101: Router Configuration and Transmission of DHCP Reply Packets .... 493
Table 102: Effect of Commands on Option 82 Suboption Settings .... 503
Chapter 22 Monitoring and Troubleshooting DHCP
Table 103: show ip dhcp-local excluded Output Fields .... 536
Table 104: show dhcp binding Output Fields .... 539
Table 105: show dhcp count Output Fields .... 541
Table 106: show dhcp host Output Fields .... 543...
Page 35
Table 140: Sample Modifications Using the Add and Initial-Value Keywords .... 649
Table 141: Sample Modifications Using Parameter Instances .... 649
Table 142: Configuration Within a Single Service Manager Event .... 650
Table 143: Modifying QoS Configurations with Other Sources .... 651
Table 144: Service Manager RADIUS Attributes .... 657
Table 145: Sample RADIUS Access-Accept Packet .... 658
Table 146: Using Tags .... 659...
If the information in the latest release notes differs from the information in the documentation, follow the JUNOSe Release Notes. To obtain the most current version of all Juniper Networks® technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/...
Table 1: Notice Icons (icon images omitted)
Meaning: Description
Informational note: Indicates important features or instructions.
Caution: Indicates a situation that might result in loss of data or hardware damage.
Warning: Alerts you to the risk of personal injury or death.
Laser warning: Alerts you to the risk of personal injury from a laser.
{ permit | deny } { in | out } { clusterId | ipAddress }
Obtaining Documentation
To obtain the most current version of all Juniper Networks technical documentation, see the product documentation page on the Juniper Networks Web site at http://www.juniper.net/...
7 days a week, 365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:
Find CSC offerings: http://www.juniper.net/customers/support/...
Chapter 1 Configuring Remote Access
This chapter describes how to configure remote access to a Juniper Networks E Series Broadband Services Router. This chapter discusses the following topics:
Remote Access Overview on page 4
Remote Access Platform Considerations on page 5...
Configuring the SRC Client on page 94
DHCPv6 Local Address Pools for Allocation of IPv6 Prefixes Overview on page 101
Configuring the DHCPv6 Local Address Pools on page 104
Using DHCPv6 Local Address Pools for Prefix Delegation over non-PPP Links Example on page 107
Remote Access Overview
Broadband Remote Access Server (B-RAS) is an application running on your router...
DHCP proxy client and server
DHCP relay agent (Bridged IP only)
DHCP local server
DHCP external server
For information about configuring DHCP support on the E Series router, see “DHCP Overview” on page 455. For information about how to configure a RADIUS server, see your RADIUS server documentation.
Bridged Ethernet
Layer 2 Tunneling Protocol (L2TP), both L2TP access concentrator (LAC) and L2TP network server (LNS)
Remote Access References
For more information about the topics covered in this chapter, see the following documents:
RFC 2748 The COPS (Common Open Policy Service) Protocol (January 2000)
RFC 2865 Remote Authentication Dial In User Service (RADIUS) (June 2000)
RFC 3084 COPS Usage for Policy Provisioning (COPS-PR) (March 2001)
Configure an authentication server on the router.
(Optional) Configure UDP checksums.
(Optional) Configure an accounting server on the router.
(Optional) Configure Domain Name System (DNS) and Windows Internet Name Service (WINS) name server addresses.
(Optional) Configure a local address pool for remote clients.
(Optional) Configure one or more DHCP servers.
Use to specify the B-RAS license. The license is a unique string of up to 15 alphanumeric characters. NOTE: Acquire the license from Juniper Networks Customer Service or your Juniper Networks sales representative. You can purchase licenses that allow up to 2,000, 4,000, 8,000, 16,000, 32,000, or 48,000 simultaneous active IP, LAC, and bridged Ethernet interfaces.
Mapping User Requests Without a Configured Domain Name
You can map a domain name called none to a specific virtual router so that the router can map user names that do not contain a domain name. If a user request is submitted without a domain name, the router looks for a mapping between the domain name none and a virtual router.
To maintain flexibility, the redirection response may include idle time or session attributes that are considered as default unless the redirected authentication server overrides them. For example, if the RADIUS server returns the VR context along with an idle timeout attribute with the value set to 20 minutes, the router uses this idle timeout value unless the RADIUS server configured in the VR context returns a different value.
Page 51
Use to map a user domain name to an IP version 6 (IPv6) loopback interface. The local interface identifies the interface information to use on the local (E Series) side of the subscriber’s interface.
Example
host1(config)#aaa domain-map westford.com
host1(config-domain-map)#ipv6-local-interface 2001:db8::8000
Use the no version to delete the entry.
Setting Up Domain Name and Realm Name Usage
To provide flexibility in how the router handles different types of usernames, the software lets you specify the part of a username to use as the domain name, how the domain name is designated, and how the router parses names.
host1(config)#aaa delimiter domainName @!
Using Either the Domain or the Realm as the Domain Name
If the username contains both a realm name and a domain name delimiter, you can use either the domain name or the realm name as the domain name. As previously mentioned, the router treats usernames with multiple delimiters as though the realm name is to the left of the realm delimiter and the domain name is to the right of the domain delimiter.
Stripping the Domain Name
The router provides a feature that strips the domain name from the username before it sends the name to the RADIUS server in an Access-Request message. You can enable or disable this feature using the strip-domain command. By default, the domain name is the text after the last @ character.
Use the no version to return to the default: right-to-left parsing for domain names and left-to-right parsing for realm names.
See aaa parse-direction
aaa parse-order
Use to specify which part of a username the router uses as the domain name. If a user’s name contains both a realm name and a domain name, you can configure the router to use either name as the domain name.
username: usEast/userjohn@abc.com@xyz.com
The router is configured with the following commands:
host1(config)#aaa delimiter domainName @!
host1(config)#aaa delimiter realmName /
Table 3 on page 16 shows the username and domain name that result from the parsing action of the various commands.
Table 3: Username and Domain Name Examples
Resulting Domain Command...
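The parsing rules described in this section (domain to the right of the domain delimiter, realm to the left of the realm delimiter, a parse direction per name type, a parse order that picks which of the two acts as the domain, and strip-domain) as an added Python model. This is example code, not Juniper code from this guide; the keyword values domain-first and realm-first and the exact form of the username after strip-domain are assumptions, since the page documents the behaviour but not those details. The point it makes visible is that the subscriber chooses the username, so the delimiter and parse settings decide which virtual router a request is steered to, and a name with no domain falls through to whatever the domain called none is mapped to.

```python
"""Model of JUNOSe username parsing (added example, not Juniper code).

Assumptions: parse_order keywords "domain-first"/"realm-first", and strip_domain
removing exactly the text that was selected as the domain.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ParsedName:
    username: str               # name that would go into the RADIUS User-Name
    domain: str                 # name used for the aaa domain-map lookup ("none" if absent)
    realm: Optional[str]        # text to the left of the realm delimiter
    raw_domain: Optional[str]   # text to the right of the domain delimiter


def _split(name: str, delimiters: str, direction: str):
    """Split around the delimiter selected by the parse direction.

    right-to-left picks the right-most delimiter (default for domains),
    left-to-right picks the left-most one (default for realms).
    """
    positions = [i for i, ch in enumerate(name) if ch in delimiters]
    if not positions:
        return name, None
    idx = max(positions) if direction == "right-to-left" else min(positions)
    return name[:idx], name[idx + 1:]


def parse_username(name: str, domain_delimiters: str = "@", realm_delimiters: str = "",
                   domain_direction: str = "right-to-left",
                   realm_direction: str = "left-to-right",
                   parse_order: str = "domain-first",
                   strip_domain: bool = False) -> ParsedName:
    # Domain: to the right of the domain delimiter (text after the last "@" by default).
    user_part, raw_domain = _split(name, domain_delimiters, domain_direction)
    # Realm: to the left of the realm delimiter, looked for in what is left.
    realm = None
    if realm_delimiters:
        left, right = _split(user_part, realm_delimiters, realm_direction)
        if right is not None:
            realm, user_part = left, right
    # parse-order decides which of the two names is treated as "the domain name".
    if parse_order == "domain-first":
        domain = raw_domain or realm
    else:  # "realm-first"
        domain = realm or raw_domain
    if domain is None:
        domain = "none"   # mapped through the domain called "none", if one is configured
    # strip-domain: assumed to remove exactly the text selected as the domain.
    if strip_domain and domain != "none":
        if domain == raw_domain:
            sent = name[: len(name) - len(domain) - 1]   # drop "<delim>domain" at the end
        else:
            sent = name[len(domain) + 1:]                # drop "realm<delim>" at the start
    else:
        sent = name
    return ParsedName(sent, domain, realm, raw_domain)


def select_virtual_router(parsed: ParsedName, domain_map: dict) -> Optional[str]:
    """aaa domain-map lookup; returns None when no mapping exists for the domain."""
    return domain_map.get(parsed.domain)
```

With the chapter's sample name usEast/userjohn@abc.com@xyz.com and delimiters "@!" and "/", the default right-to-left domain parse yields the domain xyz.com and the realm usEast; switching the domain direction to left-to-right yields abc.com@xyz.com, and realm-first makes usEast the domain. A name that parses to an unmapped domain returns no virtual router, which is the safe outcome.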
Page 57
For example, if the domain name is xyz.com and you specify the password xyz_domain, the router associates the username xyz.com and the password xyz_domain with all users from xyz.com. Substitute one new username for each username and one new password for each existing password.
Configuring RADIUS Authentication and Accounting Servers
The number of RADIUS servers you can configure depends on available memory. The order in which you configure servers determines the order in which the router contacts those servers on behalf of clients. Initially, a RADIUS client sends a request to a RADIUS authentication or accounting server.
Server Request Processing Limit
You can configure RADIUS authentication servers and accounting servers to use different UDP ports on the router. This enables the same IP address to be used for both an authentication server and an accounting server. However, you cannot use the same IP address for multiple authentication servers or for multiple accounting servers.
if you specify the radius keyword followed by the none keyword when configuring authentication, AAA initially attempts to use RADIUS authentication. If no RADIUS servers are available, AAA uses no authentication. The JUNOSe software currently supports radius and none as accounting methods and radius, none, and local as authentication methods.
Framed-MTU (attribute 12): Used if AAA passes an MTU value to the internal RADIUS client
State (attribute 24): Used in Challenge-Response messages from the external server and returned to the external server on the subsequent Access-Request
Session-Timeout (attribute 27): Used in Challenge-Response messages from the external server
EAP-Message (attribute 79): Used to fragment EAP strings into 253-byte...
Broadcast accounting: Sends the accounting information to a group of virtual routers. An accounting virtual router group can contain up to four virtual routers and the E Series router supports a maximum of 100 virtual router groups. The accounting information continues to be sent to the duplicate accounting virtual router, if one is configured.
host1:vrXyz1(config)#virtual-router vrXyz2
host1:vrXyz2(config)#radius override nas-info
host1:vrXyz2(config)#exit
host1(config)#
UDP Checksums
Each virtual router on which you configure B-RAS is enabled to perform UDP checksums by default. You can disable and reenable UDP checksums.
Collecting Accounting Statistics
You can use the aaa accounting statistics command to specify how the AAA server collects statistics on the sessions it manages.
Page 64
Specify an authentication or accounting server secret. The secret keys the MD5 computations that hide User-Password and authenticate server replies, so use a long random value rather than a short word like the placeholder shown here.
host1(config-radius)#key gismo
(Optional) Specify the number of retries the router makes to an authentication or accounting server before it attempts to contact another server.
host1(config-radius)#retransmit 2
(Optional) Specify the number of seconds between retries.
host1(config-radius)#timeout 5
(Optional) Specify the maximum number of outstanding requests.
Page 65
(Optional) Specify the default authentication and accounting methods for the subscribers. With none as the second method, a subscriber is admitted without any authentication whenever no RADIUS server responds; use it only where that fail-open behaviour is intended.
host1(config)#aaa authentication ppp default radius none
(Optional) Disable UDP checksums on virtual routers you configure for B-RAS.
host1(config)#virtual-router boston
host1:boston(config)#radius udp-checksum disable
aaa accounting broadcast
Use to enable AAA broadcast accounting on a virtual router.
Page 66
radius: RADIUS accounting for the specified subscribers.
none: No accounting is done for the specified subscribers.
radius none: Multiple types of accounting; used in the order specified. For example, radius none specifies that RADIUS accounting is initially used; however, if RADIUS servers are not available, no accounting is done.
Page 67
Use to specify the default interval between updates for user and service interim accounting.
NOTE: This command is deprecated and might be removed completely in a future release. Use the aaa user accounting interval command to specify the default interval for user accounting.
Page 68
Use the no version to delete the accounting virtual router group.
See aaa accounting vr-group
aaa authentication default
Use to specify the authentication method used for a particular type of subscriber. Specify one of the following types of subscribers:
atm1483
tunnel
radius-relay...
Page 69
host1(config)#aaa duplicate-address-check enable
There is no no version.
See aaa duplicate-address-check
aaa user accounting interval
Use to specify the default interval between user accounting updates. The router uses the default interval when no value is specified in the RADIUS Acct-Interim-Interval attribute (RADIUS attribute 85).
Page 70
Use the no version of the command with the indexInteger parameter to delete a specific virtual router from a group. If all virtual routers in a group are deleted, the group is also deleted; a group must contain at least one virtual router.
See aaa virtual-router
deadtime
Use to configure the amount of time (0–1440 minutes) that a server is marked...
Page 71
Use to issue an administrative reset to the user’s connection to disconnect the user. From Privileged Exec mode, you can log out all subscribers, or log out subscribers by username, domain, virtual-router, port, or icr-partition. This command applies to PPP users, as well as to non-PPP DHCP users.
Page 72
radius accounting server
Use to specify the IP address of authentication and accounting servers.
Example
host1(config)#radius authentication server 10.10.10.1
host1(config-radius)#exit
host1(config)#radius authentication server 10.10.10.2
host1(config-radius)#exit
host1(config)#radius authentication server 10.10.10.3
host1(config-radius)#exit
host1(config)#radius accounting server 10.10.10.20
host1(config-radius)#exit
host1(config)#radius accounting server 10.10.10.30
Use the no version to delete the instance of the RADIUS server.
Page 73
Use the no version to restore inclusion of the NAS-IP-Address [4] and NAS-Identifier [32] RADIUS attributes of the virtual router that requested the accounting information.
See radius override nas-info
radius rollover-on-reject
Use to specify whether the router rolls over to the next RADIUS server when the router receives an Access-Reject message for the user it is authenticating.
Page 74
host1(config)#radius update-source-addr 192.168.40.23
Use the no version to delete the parameter so that the router uses the router ID.
See radius update-source-addr
retransmit
Use to set the maximum number of times (0–100) that the router retransmits a RADIUS packet to an authentication or accounting server.
Page 75
Use to set the number of seconds (1–1000) before the router retransmits a RADIUS packet to an authentication or accounting server. If the interval is reached and there is no response from the primary RADIUS authentication or accounting server, the router attempts another retry.
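How retransmit, timeout, deadtime, rollover-on-reject and the method list (radius, local, none) combine, as an added Python simulation. This is example code, not Juniper code; it models the knobs this chapter documents, not the router's implementation, and the exact sequence in which JUNOSe walks the server list after a timeout is an assumption. It makes the cost of each setting concrete (seconds a subscriber waits while servers are tried) and shows the fail-open consequence of aaa authentication ppp default radius none: once every server is dead, the subscriber is admitted with no check at all.

```python
"""Simulation of RADIUS server selection and method-list fallback (added example, not Juniper code)."""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class RadiusServer:
    address: str
    retransmit: int = 3     # extra attempts after the first (JUNOSe retransmit, 0-100)
    timeout: int = 3        # seconds waited per attempt (JUNOSe timeout, 1-1000)
    dead_until: float = 0   # while now < dead_until the server is skipped (deadtime)


@dataclass
class AaaConfig:
    servers: list
    methods: tuple = ("radius",)       # e.g. ("radius", "none") or ("radius", "local")
    deadtime: int = 0                  # minutes a silent server stays marked dead (0-1440)
    rollover_on_reject: bool = False   # radius rollover-on-reject
    local_users: dict = field(default_factory=dict)   # for the "local" method


@dataclass
class Decision:
    result: Optional[str]   # "accept" | "reject" | None (no server answered)
    method: str             # method that produced the result
    server: Optional[str]
    waited: int             # seconds spent on unanswered attempts


# reply(address, user, password) -> "accept" | "reject" | None (no response)
Reply = Callable[[str, str, str], Optional[str]]


def radius_round(cfg: AaaConfig, user: str, password: str, now: float, reply: Reply) -> Decision:
    """Contact servers in configured order; a silent server is marked dead for deadtime."""
    waited = 0
    for srv in cfg.servers:
        if now < srv.dead_until:
            continue                          # dead: not a single packet is sent
        answer = None
        for _ in range(1 + srv.retransmit):
            answer = reply(srv.address, user, password)
            if answer is not None:
                break
            waited += srv.timeout
        if answer is None:
            srv.dead_until = now + cfg.deadtime * 60
            continue
        if answer == "reject" and cfg.rollover_on_reject:
            continue                          # try the next server despite the reject
        return Decision(answer, "radius", srv.address, waited)
    return Decision(None, "radius", None, waited)


def authenticate(cfg: AaaConfig, user: str, password: str, now: float, reply: Reply) -> Decision:
    """Walk the method list; a later method is used only when RADIUS gave no answer."""
    waited = 0
    for method in cfg.methods:
        if method == "radius":
            d = radius_round(cfg, user, password, now, reply)
            waited += d.waited
            if d.result is not None:
                return Decision(d.result, "radius", d.server, waited)
        elif method == "local":
            ok = cfg.local_users.get(user) == password
            return Decision("accept" if ok else "reject", "local", None, waited)
        elif method == "none":
            return Decision("accept", "none", None, waited)   # fail-open: nobody checked
    return Decision("reject", "exhausted", None, waited)


def fake_servers(state: dict) -> Reply:
    """Constructed stand-in for the network: address -> "down" or {user: password}."""
    def reply(address: str, user: str, password: str) -> Optional[str]:
        entry = state[address]
        if entry == "down":
            return None
        return "accept" if entry.get(user) == password else "reject"
    return reply
```

With two servers each set to retransmit 2 and timeout 5, a subscriber whose servers are all unreachable waits 30 seconds and is then admitted by the none method; a second subscriber arriving inside the deadtime window is admitted immediately, because no packet is sent to a dead server. The same outage with a method list of just radius ends in a reject.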
Use the no version to set the port number to the default value.
See udp-port
SNMP Traps and System Log Messages
The router can send Simple Network Management Protocol (SNMP) traps to alert network managers when:
A RADIUS server fails to respond to a request.
System Log Messages
You do not need to configure system log messages. The router automatically sends them when individual servers do not respond to RADIUS requests and when all servers on a VR fail to respond to requests. The following are the formats of the warning level system log messages:
RADIUS [ authentication | accounting ] server serverAddress unavailable in VR virtualRouterName [;...
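Detection logic for the message format above, as an added Python example that is not Juniper code: it parses the documented prefix of the warning and reports any virtual router whose configured authentication or accounting servers have all been logged as unavailable, the condition under which the method-list fallback (for example none) takes over. The sample log lines are constructed, and whatever follows the VR name in the real message (truncated on this page) is matched loosely and ignored.

```python
"""Parse RADIUS server-unavailable syslog warnings and flag fully silent VRs (added example, not Juniper code)."""
import re
from collections import defaultdict

# Documented prefix; an optional ";..." tail after the VR name is accepted and ignored.
UNAVAILABLE = re.compile(
    r"RADIUS (?P<kind>authentication|accounting) server (?P<server>\S+) "
    r"unavailable in VR (?P<vr>\S+?)(?:;.*)?$"
)


def parse_unavailable(line: str):
    """Return {'kind', 'server', 'vr'} for a matching line, else None."""
    m = UNAVAILABLE.search(line)
    return m.groupdict() if m else None


def silent_virtual_routers(lines, configured):
    """configured maps (vr, kind) -> set of server addresses configured for that VR.

    Returns the sorted (vr, kind) pairs whose configured servers have all been
    reported unavailable; those VRs are running on whatever fallback method follows radius.
    """
    seen = defaultdict(set)
    for line in lines:
        ev = parse_unavailable(line)
        if ev:
            seen[(ev["vr"], ev["kind"])].add(ev["server"])
    return sorted(key for key, servers in configured.items() if servers and servers <= seen[key])


# Constructed sample lines following the documented format (the "WARNING:" prefix is assumed).
SAMPLE_LOG = [
    "WARNING: RADIUS authentication server 10.10.10.1 unavailable in VR boston",
    "WARNING: RADIUS authentication server 10.10.10.2 unavailable in VR boston",
    "WARNING: RADIUS accounting server 10.10.10.20 unavailable in VR boston",
    "WARNING: RADIUS authentication server 10.10.10.1 unavailable in VR default; ...",
]
```

Feed it the servers configured per virtual router; with the sample lines, only boston's authentication servers are all silent, so that is the VR to page on.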
Page 78
host1(config)#snmp-server community admin view everything rw
host1(config)#snmp-server community private view user rw
host1(config)#snmp-server community public view everything ro
The community strings here are documentation placeholders: public and private are well-known defaults, rw on the everything view is full write access to the router, and SNMPv1/v2c carries the string in clear text, so use unique strings and restrict which sources may use them.
Specify the interface whose IP address is the source address for SNMP traps.
host1(config)#snmp-server trap-source fastEthernet 0/0
Configure the host that should receive the SNMP traps.
Page 79
Use to enable or disable SNMP traps when a RADIUS authentication server fails to respond to a RADIUS Access-Request message. The associated SNMP object is rsRadiusClientTrapOnAuthServerUnavailable.
Example
host1(config)#radius trap auth-server-not-responding enable
Use the no version to return to the default setting, disabled.
See radius trap auth-server-not-responding
radius trap auth-server-responding
Use to enable RADIUS to send SNMP traps when a RADIUS authentication server...
Configuring Local Authentication Servers
The AAA local authentication server enables the E Series router to provide local PAP and CHAP user authentication for subscribers. The router also provides limited authorization, using the IP address, IP address pool, and operational virtual router parameters.
Username: Name associated with the subscriber.
Passwords and secrets: Single words that can be encrypted or unencrypted. Passwords use two-way encryption, and secrets use one-way encryption. Both passwords and secrets can be used with PAP authentication; however, only passwords can be used with CHAP authentication, because CHAP requires the router to recompute an MD5 response from the cleartext password, and a one-way secret cannot be reversed to obtain it.
(Optional) Specify the type of encryption algorithm and the password or secret that the subscriber must use to connect to the router. A subscriber can be assigned either a password or a secret, but not both. For example:
host1(config-local-user)#password 8 iTtakes2%
(Optional) Specify the IP address to assign to the subscriber.
Configuration Commands
Use the following commands to configure the local authentication server.
aaa authentication default
Use to specify that the local authentication method is used to authenticate PPP subscribers on the default virtual router or on the selected virtual router.
NOTE: You can specify multiple authentication methods;...
aaa local username
Use to configure a user entry in the specified local user database and to enter Local User Configuration mode. The username must be unique within a particular database; however, the same username can be used in different databases.
Use to specify the virtual router parameter for a user entry in the local user database. The subscriber is assigned to the operational virtual router only if the default virtual router performs the authentication. If authentication is performed by a non-default virtual router, then the subscriber is assigned to the same virtual router that performs authentication, regardless of this parameter setting.
Use to add a secret to a user entry in the local user database. The secret is used to authenticate a subscriber, and is encrypted by means of the Message Digest 5 (MD5) encryption algorithm.
NOTE: CHAP authentication requires that passwords and secrets be stored in clear text or use two-way encryption.
host1(config-local-user)#username cksmith secret 5 Q3&t9REwk45jxSM#fj$z
Use the no version to delete the username entry from the default local user database.
See user-name
Local Authentication Example
This example creates a sample local authentication environment. The steps in this example: Create a named local user database (westfordLocal40).
! Configuration script being generated on TUE NOV 09 2004 12:50:18 UTC ! Juniper Edge Routing Switch ERX-1400 ! Version: 6.1.0 (November 8, 2004 18:31) ! Copyright (c) 1999-2004 Juniper Networks, Inc. All rights reserved. ! Commands displayed are limited to those available at privilege level 15 ! NOTE: This script represents only a subset of the full system configuration.
The tunnel-subscriber authentication command has no effect on subscribers in a domain with no tunnel configuration. When a AAA domain map has no tunnel configuration, subscribers in the domain are authenticated by the authentication server. If the server grants access, then the subscribers get their tunnel settings only from the authentication server.
DNS Primary and Secondary NMS Configuration
To configure the DNS primary and secondary name server addresses:
Specify the IP address of the DNS primary name server.
host1(config)#aaa dns primary 10.10.10.5
or, for IPv6,
host1(config)#aaa ipv6-dns primary 2001:db8::8001
Specify the IP address of the DNS secondary name server.
Use the no version to set the corresponding address to 0 (or ::).
See aaa ipv6-dns
aaa ipv6-dns secondary
Use to specify the IPv6 address of the DNS secondary name server.
Example
host1(config)#aaa ipv6-dns secondary 2001:db8::8002
Use the no version to set the corresponding address to 0 (or ::).
Configuring Local Address Servers
The local address server allocates IP addresses from a pool of addresses stored locally on the router. You can optionally configure shared local address pools to obtain addresses from a DHCP local address pool that is in the same virtual router. Addresses are provided automatically to client sessions requiring an IP address from a virtual router that is configured to use a local address pool.
Local Address Pool Aliases
An alias is an alternate name for an existing local address pool. It comprises an alias name and a pool name. When the AAA server requests an IP address from a specific local address pool, the local address server first verifies whether an alias exists for the requested pool.
The DHCP attributes do not apply to shared local address pools; for example, the lease time for shared local address pools is infinite. When you delete the referenced DHCP address pool, DHCP notifies the local address server and logs out all subscribers that are using addresses from the deleted pool.
host1(config-domain-map)#backup-address-pool-name backup_poolB
(Optional) Map the domain name to the IPv6 local address pool, which is used for prefix delegation. If the authentication server returns the prefix pool name in the Framed-Ipv6-Pool attribute of the RADIUS-Accept-Request message, this value overrides the IPv6 local pool configured using the ipv6-prefix-pool-name command.
Use to specify the name of the backup local address pool from which the router allocates addresses for the domain that you are configuring, if the primary local address pool is fully allocated. The backup local address pool takes effect only if you configured a valid primary local address pool.
You can modify an existing alias with a different local address pool name. When a local address pool is deleted, all aliases with the matching pool name are also deleted.
Example
host1(config)#ip local alias groupB pool-name addrpool_10
Use the no version to remove the alias name.
Example
host1(config)#ip local shared-pool sharedPool11 dhcpPool6
Use the no version to delete a specific local shared address pool.
See ip local shared-pool
ipv6-prefix-pool-name
Use to specify the name of the IPv6 local address pool from which the delegating router allocates prefixes to the requesting routers for the domain that you are configuring.
DHCP relay proxy
DHCP local server
DHCP external server
For more information about DHCP, see “DHCP Overview Information” on page 455.
Creating an IP Interface
You can configure IP interfaces that support the following configurations:
A single PPP client per ATM or Frame Relay subinterface
Multiple PPP clients per ATM subinterface
Single Clients per ATM Subinterface...
Configure PAP or CHAP authentication.
host1(config-if)#ppp authentication chap
Assign a profile to the PPP interface.
host1(config-subif)#profile foo
Multiple Clients per ATM Subinterface
Figure 4 on page 62 shows how PPPoE supports multiplexing of multiple PPP sessions per ATM subinterface.
host1(config-if)#encapsulation ppp
Configure PAP or CHAP authentication.
host1(config-if)#ppp authentication chap
Apply the profile to the PPP interface.
host1(config-subif)#profile foo2
Configure the subinterface for a second PPP client.
host1(config-if)#interface atm 0/1.20.2
Configure PPP encapsulation.
host1(config-if)#encapsulation ppp
Configure PAP or CHAP authentication.
NOTE: There are two domain names with special meaning. The domain name none indicates that there is no domain name present in the subscriber’s name. For more information about none, see the section “Mapping User Requests Without a Valid Domain Name”...
Searches restrictToABC for a match on the domain name default. Finds a match and denies the user access.
Using Domain Name Aliases
You can translate an original domain name to a new domain name via the translate command.
Searches forwardToXyz for a match on the domain name default. Finds a match and continues as normal using the domain name xyz.com.
NOTE: If there is no matching entry in the AAA profile for the user’s domain name or for the domain name default, then AAA continues processing as if there were no AAA profile.
Searches toAbc for a match on the PPP subscriber’s domain name and finds a match. Continues as normal using the domain name abc.com.
NOTE: If there is no matching entry in the AAA profile for the user’s domain name or for the domain name default, then AAA continues processing as if there were no AAA profile.
Use the no version to negate the command.
See deny
ppp aaa-profile
Use to assign an AAA profile to static and dynamic, multilink and nonmultilink PPP interfaces. The PPP application associates the AAA profile with the interface and passes the AAA profile to AAA for authentication.
Manually Setting NAS-Port-Type Attribute
You can manually configure the NAS-Port-Type RADIUS attribute (attribute 61) in AAA profiles for ATM and Ethernet interfaces. Doing so allows AAA profiles to determine the NAS port type for a given connection. To set the NAS-Port-Type attribute for ATM or Ethernet interfaces: Create an AAA profile.
wireless-other
wireless-umts  Wireless universal mobile telecommunications system (UMTS)
xdsl  DSL of unknown type
Example
host1(config-aaa-profile)#nas-port-type atm wireless-80211
Use the no version to remove the NAS-Port-Type setting for ATM interfaces.
See nas-port-type atm
nas-port-type ethernet
Use to specify the RADIUS NAS-Port-Type attribute (61) for Ethernet interfaces.
host1(config-aaa-profile)#service-description bos-xyzcorp
aaa profile
Use to create and configure a AAA profile.
Example
host1(config)#aaa profile xyzCorpPro2
Use the no version to delete the AAA profile.
See aaa profile
service-description
Use to specify a description that is associated with the AAA profile. The description can be transmitted to RADIUS in the Service-Description attribute (26-53). The service description can be a maximum of 64 characters.
The route-download server accepts downloaded routes in either the Framed-Route attribute (RADIUS attribute 22) or the Cisco-AVpair attribute (Cisco VSA 26-1).
Downloaded Route Format Examples
Framed-Route (RADIUS attribute 22)
NAS-1 Password = "14raddlsvr"
User-Service-Type = Outbound-User
Framed-Route = "192.168.3.0 255.255.255.0 null0"...
to start the download process each day, how often to download routes, and how long to wait after a download error before retrying the process. To configure a RADIUS route-download server: Specify the IP address and the key of the RADIUS server from which you want to download routes.
download interval: The amount of time the route-download server waits between route download operations. The newly created server downloads routes as soon as the IP protocol is active on the virtual router that performs the route download operation, and then repeats the download operation every 720 minutes by default.
Example
host1#aaa route-download now force adjust-scheduler
There is no no version.
See aaa route-download now
aaa route-download suspend
Use to temporarily suspend the RADIUS route-download server operation.
Example
host1#aaa route-download suspend
Use the no version to restore the route download operation.
See aaa route-download suspend
clear ip routes download
Use to synchronize downloaded access routes and the routes that are installed...
host1#clear ip routes download all
There is no no version.
See clear ip routes download
radius route-download server
Use to configure a RADIUS route-download server and enter RADIUS Configuration mode. Specify the IP address of the RADIUS server from which you want to download access routes.
Create an AAA profile that supports preauthentication (by using the pre-authenticate command in AAA Profile Configuration mode). Specify the IP address of a RADIUS preauthentication server (by using the radius pre-authentication server command in Global Configuration mode) and of an authentication server (by using the radius authentication server command in Global Configuration mode).
Table 5: RADIUS IETF Attributes in Preauthentication Request
Attribute Number / Attribute Name / Description
User-Name: Name of the user associated with the LLID, in the format NAS-Port:<NAS-IP-Address>:<Nas-Port-Id>; for example, nas-port:172.28.30.117:atm 4/1.104:2.104
User-Password: Password of the user to be authenticated; always set to “juniper”...
The router ignores any RADIUS attributes other than the Calling-Station-Id that are returned in the preauthentication Access-Accept message. If a preauthentication request fails due to misconfiguration of the preauthentication server, timeout of the preauthentication server, or rejection of the preauthentication request by the preauthentication server, the authentication process continues normally and the preauthentication request is ignored.
host1(config-subif)#run show radius pre-authentication servers
RADIUS Pre-Authentication Configuration
---------------------------------------
IP Address   Port   Retry Count   Timeout   Maximum Sessions   Dead Time   Secret
10.10.10.1   1812   radius
You can also display configuration information for preauthentication servers by using the show radius servers command.
ppp aaa-profile
Use to assign an AAA profile to static and dynamic, multilink and nonmultilink PPP interfaces. For more information about how to use this command, see “ppp aaa-profile” on page 68.
Example
host1(config-if)#ppp aaa-profile preAuth
Use the no version to remove the AAA profile assignment.
For more information, see “Configuring SNMP Traps” on page 37.
Using VSAs for Dynamic IP Interfaces
Table 6 on page 82 describes the VSAs that apply to dynamic IP interfaces and are supported on a per-user basis from RADIUS. For details, see JUNOSe Link Layer Configuration Guide.
When a dynamic interface is created according to a profile, the router checks with RADIUS to determine whether an input or output policy or a QoS profile must be applied to the interface. The VSA, if present, provides the name, enabling policy or QoS profile lookup.
To configure traffic-shaping parameters for PPPoA via domain maps, use the atm command in Domain Map Configuration mode.
Use to configure traffic-shaping parameters for PPPoA. Use one of the following keywords to select the traffic category to configure:
ubr  Unspecified bit rate
ubrpcr  Unspecified bit rate with peak cell rate
nrtvbr  Non-real-time variable bit rate...
Table 8: Supported RADIUS Acct-Terminate-Cause Codes (continued)
Code / Name / Description
Lost Carrier: DCD was dropped on the port
Lost Service: Service can no longer be provided; for example, the user’s connection to a host was interrupted
Idle Timeout: Idle timer expired
Session Timeout...
Configuration Example
This example describes a sample configuration procedure that creates custom mappings for PPP terminate reasons.
Configure the router to include the Acct-Terminate-Cause attribute in RADIUS Acct-Off messages.
host1(config)#radius include acct-terminate-cause acct-off enable
(Optional) Display the current PPP terminate-cause mappings.
host1(config)#run show terminate-code ppp
Terminate Reason                              Description                                  Radius Code   Apps Code
---------------------------------------------  -------------------------------------------  -----------   ---------
authenticate-authenticator-timeout            authenticate authenticator timeout
authenticate-challenge-timeout                authenticate challenge timeout
authenticate-chap-no-resources                authenticate chap no resources
authenticate-chap-peer-authenticator-timeout  authenticate chap peer authenticator timeout
authenticate-deny-by-peer...
application’s terminate reason. See Table 8 on page 84 for a list of supported RADIUS codes.
Example
host1(config)#terminate-code ppp authenticate-challenge-timeout radius 4
Use the no version to restore the default mapping; the default mappings are listed in “AAA Terminate Reasons”...
The range in seconds for a session timeout is a minimum of 1 minute (60 seconds) through a maximum of 366 days (31622400 seconds). These values can also be set by RADIUS, where the range is not enforceable. PPP and L2TP will round the timeout values from RADIUS as follows: If the session timeout is less than the minimum (60 seconds), that value is used.
Use to limit the number of active subscribers permitted on a virtual router. Because profiles are applied to subscribers after the PPP authentication phase, subscribers that have their VR context specified by profiles are not denied access. Instead, when IP notifies AAA of the subscriber’s VR context, AAA checks the limits.
protocol process first starts on the server router, the server sends router advertisement packets every few seconds. Then, the server sends these packets less frequently. The server responds to router solicitation packets it receives from a client. The response is sent unicast, unless a router advertisement packet is due to be sent out momentarily.
See aaa ipv6-nd-ra-prefix framed-ipv6-prefix.
aaa dhcpv6-delegated-prefix delegated-ipv6-prefix
Use to set the Delegated-IPv6-Prefix RADIUS attribute to be used for DHCPv6 Prefix Delegation. If you used the aaa ipv6-nd-ra-prefix framed-ipv6-prefix command to set the Framed-IPv6-Prefix RADIUS attribute to be used for IPv6 Neighbor Discovery router advertisements, you must also issue the aaa dhcpv6-delegated-prefix delegated-ipv6-prefix command after you issue the aaa ipv6-nd-ra-prefix framed-ipv6-prefix command to enable the use of the Delegated-IPv6-Prefix...
The RADIUS application sends the LAG interface ID to the RADIUS server only when the subscribers in DHCP standalone authenticate mode are initialized. When other subscribers such as PPP subscribers and DHCP equal-access mode subscribers initialize over a LAG interface, the RADIUS application sends only the name of the first Ethernet interface in the LAG bundle, and not the LAG interface ID.
Configuring the SRC Client
The JUNOSe software has an embedded client that interacts with the Juniper Networks SRC software, enabling the SRC software to manage the router’s policy and QoS configuration. The connection between the router and the SRC software uses the Common Open Policy Service (COPS) protocol and is fully compliant with the COPS usage for policy provisioning (COPS-PR) specification.
The JUNOSe Software COPS-PR implementation uses the outsourcing model that is described in RFC 3084. In this model, the PEP delegates responsibility to the PDP to make provisioning decisions on the PEP’s behalf.
NOTE: When you upgrade from an earlier JUNOSe release, the software removes the instance of SSCC that was configured with XDR.
QoS classification and marking
Rate limiting
Traffic class
QoS Manager
Queues
Schedulers
Traffic classes
The JUNOSE-IP-PIB file is updated with each JUNOSe release. Since the PIB is implemented by both Juniper Networks SRC and JUNOSe devices, distribution of the PIB file to customers is not necessary. Customers can access the proprietary PIB file, on approval from Juniper Networks, through Juniper support. You can configure SRC clients on a per-virtual-router basis. To configure the SRC client: Enable the SRC client.
Use to configure the SRC client with the IP addresses of the SAEs and the ports on which the SAEs listen for activity. You can specify primary, secondary, and tertiary SAEs, and the port numbers on which each listens for activity.
The Access Node Control Protocol (ANCP), also known as Layer 2 Control (L2C), rate report, which contains a QoS adjustment factor to be applied to the upstream data rate and downstream data rate reported by ANCP for a DSL type, is not supported for L2TP LAC interfaces.
Use to specify the delay period (in the range 5–300 seconds) during which the SRC client waits for a response from the SAE. If only a primary SAE is configured, the client resends the request to the primary SAE.
Use to specify on which router the TCP/COPS connection is to be established. The router can be the same as or different from the router the SRC client session is created in and associated with. If you do not specify the transport router for an SRC client session, the transport router defaults to the router associated with the session.
Keep the following points in mind when you configure IPv6 local address pools to assign prefixes to requesting routers: You must enable the IPv6 local address pool feature to be able to configure IPv6 local address pools.
a prefix from the subsequent prefix ranges. These ranges could have the same prefix length as the first one or a higher length.
NOTE: Although you can configure an IPv6 local pool with the assigned prefix length as /128, which implies a full IPv6 address, this assignment is not useful for the DHCPv6 prefix delegation feature because it assigns a prefix with a length of only /64 or less.
If the interface address matches with any of the prefix ranges configured in the IPv6 local address pool on the router, that pool is used to delegate the prefix to the client.
Order of Preference in Allocating Prefixes and Assigning DNS Addresses to Requesting Routers
Prefix delegation can be configured at the interface level and at the router level.
prefixes to requesting routers. If you configured an interface for prefix delegation, the prefix assigned to that interface takes precedence over the prefix or range of prefixes configured at the router level in an IPv6 local pool. To configure an IPv6 local address pool to be used for DHCPv6 prefix delegation: Enable the IPv6 local address pool to assign prefixes to the requesting router.
Specify the number of days and, optionally, the number of hours, minutes, and seconds. You cannot specify a lifetime of zero (that is, you cannot set the days, hours, minutes, and seconds fields all to zero).
host1(config-v6-local)#prefix 5005:5005::/32 48 preferred 1 2 3 4
In this example, the preferred lifetime is set to 1 day, 2 hours, 3 minutes, and 4 seconds.
host1(config)#aaa domain-map westford.com
host1(config-domain-map)#ipv6-prefix-pool-name local_addr_pool
For more information about mapping domain names to the IPv6 local address pool, see ipv6-prefix-pool-name.
Limitation on the Number of Prefixes Used by Clients
If you configure a very large prefix range in an IPv6 local address pool, the number of prefixes that can be used from that range by DHCPv6 clients is limited to 1048576.
used to determine the IPv6 local address pool to be used for DHCPv6 Prefix Delegation to the CPE: The pool name returned by the RADIUS server in the Framed-IPv6-Pool attribute; the pool name configured in the AAA domain map. However, for a CPE that is connected to the PE router using a non-PPP link, such as Ethernet, VLAN, or S-VLAN, the method for authentication of clients for DHCPv6 Prefix Delegation is not available in JUNOSe Release 10.1.x.
Chapter 2 Monitoring and Troubleshooting Remote Access
Use the commands in this chapter to set baselines for and to monitor remote access.
Setting Baselines for Remote Access on page 110
How to Monitor PPP Interfaces on page 112
Monitoring AAA Accounting Configuration on page 112
Monitoring AAA Accounting Default on page 113
Monitoring Accounting Interval on page 114
Monitoring Specific Virtual Router Groups on page 114...
Monitoring Configuration Information for AAA Local Authentication on page 129
Monitoring AAA Server Attributes on page 130
Monitoring the COPS Layer Over SRC Connection on page 132
Monitoring Statistics About the COPS Layer on page 134
Monitoring Local Address Pool Aliases on page 136
Monitoring Local Address Pools on page 136
Monitoring Local Address Pool Statistics on page 138...
Chapter 2: Monitoring and Troubleshooting Remote Access
Issue the delta keyword with the show aaa statistics command to show baselined statistics.
1. Setting a Baseline for AAA Statistics on page 111
2. Setting a Baseline for AAA Route Downloads on page 111
3.
There is no no version.
Setting a Baseline for RADIUS Statistics
Purpose
Set a baseline for RADIUS statistics.
Action
Issue the show radius statistics command:
host1#show radius statistics
There is no no version.
Setting the Baseline for SRC Statistics
Set a baseline for SRC statistics.
Action
To display the show aaa accounting command:
host1:vrXyz7#show aaa accounting
Accounting duplication set to router vrXyz25
Broadcast accounting uses group groupXyzCompany20
send acct-stop on AAA access deny is enabled
send acct-stop on authentication server access deny is disabled
acct-interval (for PPP Clients) 0
service-acct-interval 0
send immediate-update is enabled...
Monitoring the Default AAA Authentication Method List
Purpose
Display the default AAA authentication method list for a subscriber type. You can view the method list used for ATM 1483 subscribers, IPSec subscribers, IP subscriber management interfaces, PPP subscribers, RADIUS relay subscribers, and tunnel subscribers.
Table 13: show aaa domain-map Output Fields (continued)
Field Name / Field Description
Tunnel Source: Source address of the tunnel
Tunnel Type: L2TP
Tunnel Medium: Type of medium for the tunnel; only IPv4 is supported
Tunnel Password: Password for the tunnel
Tunnel Id...
Meaning
The IP addresses of DNS and WINS name servers are displayed.
Related Topics
show aaa name-servers
Monitoring AAA Profile Configuration
Purpose
Display the configuration of all AAA profiles or of a specific profile.
Action
To display the configuration of all AAA profiles or of a specific profile:...
Related Topics
show aaa profile
Monitoring Statistics about the RADIUS Route-Download Server
Purpose
Display statistics about the RADIUS route-download server configuration. Use the optional statistics keyword to display information about the RADIUS route download server operation. Use the optional delta keyword to show baselined statistics.
Table 15: show aaa route-download Output Fields (continued)
Field Name / Field Description
Default Cost: Default cost of downloaded routes
Default Tag: Default tag for downloaded routes
Base User Name: Virtual router used for route-download requests; either <HOSTNAME>...
Related Topics
show aaa route-download
Monitoring Routes Downloaded by the RADIUS Route-Download Server
Purpose
Display information about the routes that are downloaded by the RADIUS route-download server. Use the optional detail keyword to display more detailed information about the downloaded routes.
Related Topics
show aaa route-download routes
Monitoring Chassis-Wide Routes Downloaded by RADIUS Route-Download Servers
Purpose
Display chassis-wide information about routes that are downloaded by RADIUS route-download servers. Use the optional detail keyword to display more detailed information about the downloaded routes.
Table 17: show aaa route-download routes global Output Fields (continued)
Field Name / Field Description
Dst/Met: Administrative distance and number of hops for the route
Tag: Tag assigned to downloaded routes
Intf: Interface type and specifier
Related Topics
show aaa route-download routes global
Monitoring Authentication, Authorization, and Accounting Statistics...
Table 18: show aaa statistics Output Fields
Field Name / Field Description
incoming initiate requests: Number of incoming AAA requests (from other E Series applications) for user connect services
incoming disconnect requests: Number of incoming AAA requests (from other E Series applications) for user disconnect services
outgoing grant (tunnel) responses: Number of outgoing tunnel grant responses to AAA...
Table 18: show aaa statistics Output Fields (continued)
Field Name / Field Description
incoming Address responses: Number of address allocation/release responses from the address allocation task to AAA
Related Topics
show aaa statistics
Monitoring the Number of Active Subscribers Per Port
Display the maximum number of active subscribers configured per port.
CAT Rcv: CC Sent: CC Rcv: SSC Sent: Table 22 on page 133 lists the show cops info command output fields. Meaning Table 22: show cops info Output Fields Field Name Field Description Session Created Number of COPS sessions created Sessions Deleted...
Table 22: show cops info Output Fields (continued) Field Name Field Description CAT Rcv Number of Client Accepts packets received on this COPS session CC Sent Number of Client Closes packets sent on this COPS session CC Rcv Number of Client Closes packets received on this...
Table 23 on page 135 lists the show cops statistics command output fields. Meaning Table 23: show cops statistics Output Fields Field Name Field Description Session Created Number of COPS sessions created Sessions Deleted Number of COPS sessions deleted Current Sessions Number of current COPS sessions...
Table 23: show cops statistics Output Fields (continued) Field Name Field Description SSC Sent Number of Sync Complete packets sent on this COPS session show cops statistics Related Topics Monitoring Local Address Pool Aliases Purpose Display information about aliases for the local address pools configured on your router.
To display information about local address pools: Action host1#show ip local pool High Abated Pool Thresh Thresh Trap Group ----- ------ ------ ---- ----- poolA Aliases ------- alias1 Begin Free -------- --------- ---- 10.1.1.1 10.1.1.10 10.1.2.1...
Table 25: show ip local pool Output Fields (continued) Field Name Field Description High Thresh High utilization threshold value Abated Thresh Abated utilization threshold value Trap Enable SNMP pool utilization traps: Y (yes) or N (no) Aliases Aliases for the local address pool Begin...
shared_poolA dhcp_pool_25 shared_poolB dhcp_pool_25 shared_poolC dhcp_pool_17 Table 26 on page 139 lists the show ip local shared-pool command output fields. Meaning Table 26: show ip local shared-pool Output Fields Field Name Field Description Shared Pool Name of the shared local address pool In Use...
show ip route Related Topics Monitoring the B-RAS License Purpose Display the B-RAS license. Action To display the B-RAS license: host1#show license b-ras K4bZ16Lr show license b-ras Related Topics Monitoring the RADIUS Server Algorithm Display information about the currently configured RADIUS server algorithm.
Table 27: show radius override Output Fields (continued) Field Name Field Description nas-info Either the NAS-IP-Address [4] and NAS-Identifier [32] attributes of the virtual router generating the accounting information are used, or they are overridden with the respective attributes of the authentication virtual router.
Table 28: show radius servers Output Fields (continued) Field Name Field Description Status Status of the configured RADIUS server: dead - The status displayed if the server does not respond within the configured number of retransmit counts, and if Dead Time is configured to a non-zero value.
Access Accepts 1612 Access Rejects Access Challenges Malformed Responses Bad Authenticators Requests Pending Request Timeouts Unknown Responses Packets Dropped Table 29 on page 145 lists the show radius statistics command output fields. Meaning NOTE: All descriptions apply to the primary, secondary, and tertiary RADIUS authentication and accounting servers.
Table 29: show radius statistics Output Fields (continued) Field Name Field Description Packets Dropped Number of packets dropped either because they are too short or because the E Series router receives a response for which there is no corresponding request. For example, if the router sends a request and the request times out, the router removes the request from the list and sends a new request.
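The Bad Authenticators and Unknown Responses counters in show radius statistics correspond to two checks the RADIUS client performs on every reply before it trusts it: the Identifier must match an outstanding request, and the Response Authenticator must equal MD5(Code + ID + Length + RequestAuth + Attributes + Secret) as defined in RFC 2865. The following Python is an added example, not JUNOSe code and not taken from this guide. It builds an Access-Request with RFC 2865 User-Password hiding, builds server replies, and classifies each reply the way a client must before accepting an Access-Accept. The shared secret, user name, addresses and NAS-Port value are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes (from the RFC, not from the JUNOSe CLI)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def encode_attrs(attrs) -> bytes:
    """Type-Length-Value encoding; Length counts the two header octets."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_access_request(ident: int, secret: bytes, username: bytes, password: bytes,
                         nas_ip: str, nas_port: int, request_auth: bytes = None):
    """Build an Access-Request the way a NAS does; returns (packet, request_auth)."""
    request_auth = request_auth or os.urandom(16)
    attrs = encode_attrs([
        (1, username),                                        # User-Name
        (2, hide_password(password, secret, request_auth)),   # User-Password
        (4, bytes(int(o) for o in nas_ip.split("."))),        # NAS-IP-Address
        (5, struct.pack("!I", nas_port)),                     # NAS-Port
    ])
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
    return pkt, request_auth


def response_authenticator(code: int, ident: int, request_auth: bytes,
                           attrs: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code: int, ident: int, request_auth: bytes, secret: bytes, attrs=()) -> bytes:
    """Build the server's reply to the request that carried request_auth."""
    body = encode_attrs(list(attrs))
    auth = response_authenticator(code, ident, request_auth, body, secret)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body


def classify_response(packet: bytes, pending: dict, secret: bytes) -> str:
    """Client-side check that decides which statistics counter a reply lands in.
    pending maps an outstanding Identifier to its Request Authenticator."""
    if len(packet) < 20:
        return "malformed"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return "malformed"
    if ident not in pending:
        return "unknown"               # reply to a request already timed out and dropped
    expected = response_authenticator(code, ident, pending[ident], packet[20:length], secret)
    if not hmac.compare_digest(packet[4:20], expected):
        return "bad-authenticator"     # wrong shared secret, or a spoofed reply
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "other")


def demo() -> tuple:
    """Constructed exchange: a genuine Accept, a forged Accept, and a stale reply."""
    secret = b"constructed-shared-secret"
    req, auth = build_access_request(7, secret, b"fred", b"pw", "192.168.1.228", 0x61000003)
    pending = {7: auth}
    framed_ip = [(8, bytes([10, 10, 65, 86]))]                  # Framed-IP-Address
    genuine = build_response(ACCESS_ACCEPT, 7, auth, secret, framed_ip)
    forged = build_response(ACCESS_ACCEPT, 7, auth, b"attacker-guess", framed_ip)
    stale = build_response(ACCESS_ACCEPT, 9, auth, secret)        # ID 9 is not pending
    return (classify_response(genuine, pending, secret),
            classify_response(forged, pending, secret),
            classify_response(stale, pending, secret),
            len(req))


if __name__ == "__main__":
    print(demo())
```

A reply that fails the authenticator check must be discarded even when its code is Access-Accept; without that check, anyone able to spoof UDP toward the router's update-source address could authorize a subscriber. The check depends entirely on the shared secret, so a short or reused secret makes a rising Bad Authenticators counter ambiguous between misconfiguration and an active forgery attempt.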
To display RADIUS SNMP traps configuration information: Action host1#show radius trap trap for auth-server-not-responding enabled trap for no-auth-server-responding disabled trap for auth-server-responding enabled trap for acct-server-not-responding enabled trap for no-acct-server-responding disabled trap for acct-server-responding disabled A list of the configured RADIUS-related SNMP traps is displayed.
To display the RADIUS update-source address: Action host1#show radius update-source-address 192.168.1.228 show radius update-source-addr Related Topics Monitoring the RADIUS Attribute Used for IPv6 Neighbor Discovery Router Advertisements Purpose Display the RADIUS attribute used for IPv6 Neighbor Discovery router advertisements. Action To display the RADIUS attribute used for IPv6 Neighbor Discovery router...
Local Source: FastEthernet 0/0, Local Source Address: 10.13.5.61 The configured transport router is: default The configured retry timer is (seconds): 90 The connection state is: NoConnection SSC Client Statistics: Policy Commands received Policy Commands(List) Policy Commands(Acct) Bad Policy Cmds received Error Policy Cmds received 0...
Table 30: show sscc info Output Fields (continued) Field Name Field Description SSC Client Statistics Statistics about the connection between the SRC client and SAE Policy Commands received Number of policy commands received on the SRC client connection Policy Commands(List) Number of Policy Commands with subtype List Policy Commands(Acct) Number of Policy Commands with...
To display statistics for the SRC client connection: Action host1#show sscc statistics SSC Client Statistics: Policy Commands received Policy Commands(List) Policy Commands(Acct) Bad Policy Cmds received Error Policy Cmds received 0 Policy Reports sent Connection attempts Connection Open requests Connection Open completed...
Table 31: show sscc statistics Output Fields (continued) Field Name Field Description Connection Closed sent Number of connections the SRC client has closed Connection Closed remotely Number of connections that were closed by the remote SAE Create Interfaces sent Number of create interface indications sent to the...
all users are displayed. When you issue the command in a nondefault VR, only those users attached to that VR are displayed. The following list describes keywords that you can use with the show subscribers command: You can use the domain, interface, port, slot, username, or virtual-router keywords on all routers to filter the results.
To display general subscriber information: Action host1# show subscribers Subscriber List ---------------- Virtual User Name Type Addr|Endpt Router ----------------------- ----- -------------------- ------------ fred 10.10.65.86/radius default bert 192.168.10.3/user default User Name Interface ----------------------- -------------------------------- fred atm 2/1.42:100.104 bert FastEthernet 5/2.4...
4101DHCPCLIENT@CT.NET 09/10/29 02:07:51 User Name Remote Id ------------------------ ---------------- 4101DHCPCLIENT@CT.NET To display detailed information for subscribers on the specified slot: host1# show subscribers slot 5 Subscriber List --------------- Virtual User Name Type Addr|Endpt Router ------------------------ -----...
Table 32: show subscribers Output Fields (continued) Field Name Field Description Peak Subscribers Maximum value of the Total Subscribers field during the time the router has been active, chassis-wide Subscribers Number of subscribers; the sum of the Ppp and Ip fields Ppp Number of PPPoA and PPPoE users, combined Ip Number of DHCP and IP subscriber manager users,...
authenticate-chap-no-resources authenticate chap no resources authenticate-chap-peer-authenticator-timeout authenticate chap peer authenticator timeout authenticate-deny-by-peer authenticate deny by peer authenticate-inactivity-timeout authenticate inactivity timeout authenticate-max-requests authenticate max requests --More-- To display all terminate reasons that are mapped to a specific terminate code: This example uses the radius keyword and a RADIUS Acct-Terminate-Cause code (radius 4) to display all terminate reasons mapped to the specified terminate code.
Table 33 on page 159 lists the show terminate-code command output fields. Meaning Table 33: show terminate-code Output Fields Field Name Field Description Apps The application generating the terminate reason; AAA, L2TP, PPP, or RADIUS client Terminate Reason The application’s terminate reason Description...
Table 34: show ipv6 local pool Output Fields (continued) Field Name Field Description End Ending prefix of the range of prefixes configured in a particular pool Total Number of prefixes available for allocation to clients from a particular pool In Use Number of prefixes in a pool that are currently used by DHCPv6 clients...
Table 35: show ipv6 local pool poolName Output Fields (continued) Field Name Field Description Utilization Percentage of IPv6 prefixes currently allocated to clients from the local address pool Start Starting prefix of the range of prefixes configured in a particular pool End Ending prefix of the range of prefixes configured in a particular pool...
Allocation Errors Releases Release Errors Table 36 on page 162 lists the show ipv6 local pool statistics command output fields. Meaning Table 36: show ipv6 local pool statistics Output Fields Field Name Field Description Allocations Number of prefixes allocated to DHCPv6 clients from the local address pool...
Part 2 Managing RADIUS and TACACS+ Configuring RADIUS Attributes on page 165 Configuring RADIUS Dynamic-Request Server on page 235 Configuring RADIUS Relay Server on page 245 RADIUS Attribute Descriptions on page 253 Application Terminate Reasons on page 273 Monitoring RADIUS on page 297 Configuring TACACS+ on page 311 Monitoring TACACS+ on page 323 Managing RADIUS and TACACS+...
RADIUS Overview RADIUS is a distributed client/server protocol that protects networks against unauthorized access. RADIUS clients running on a Juniper Networks E Series Broadband Services Router send authentication requests to a central RADIUS server. You can access the RADIUS server through either a subscriber line or the CLI.
The E Series RADIUS client uses the IP address in the router ID unless you explicitly set an IP address by using the radius update-source-addr command. See “Configuring RADIUS Authentication and Accounting Servers” on page 18. To explicitly set the source address, perform the following tasks: Configure the RADIUS update-source address.
Chapter 3: Configuring RADIUS Attributes See the ERX Module Guide for modules supported on ERX7xx models, ERX14xx models, and the ERX310 Broadband Services Router. See the E120 and E320 Module Guide for modules supported on the Juniper Networks E120 and E320 Broadband Services Routers. RADIUS References For more information about RADIUS, consult the following resources: RFC 2865 Remote Authentication Dial In User Service (RADIUS) (June 2000)
Supported RADIUS IETF Attributes Table 37 on page 168 lists the Access-Request, Access-Accept, Access-Reject, Access-Challenge, CoA, and Disconnect-Request attributes supported by JUNOSe software. The following notes are referenced in Table 37 on page 168: Attribute is used by Access-Request messages when terminating a PPP connection at the LNS or the initiating LAC.
Subscriber AAA Accounting Messages Accounting messages identify service provisions and use on a per-user or per-tunnel basis. These messages keep track of when a particular service is initiated and terminated for a specific user. JUNOSe software supports the Acct-On message on startup or configuration of the first accounting server.
For this attribute to be included, an IPv6 interface ID must be assigned to the subscriber. For this attribute to be included, at least one IPv6 prefix must be assigned to the subscriber. Table 39: AAA Accounting Message RADIUS IETF Attributes Supported Attribute Number Attribute Name...
– (See Note 3.) Supported Juniper Networks VSAs Table 40 on page 179 lists the Juniper Networks (Vendor ID 4874) VSAs supported for Acct-Start, Acct-Stop, Interim-Acct, Acct-On, Acct-Off, Partition-Accounting-On, and Partition-Accounting-Off messages. The following notes are referred to in Table 40 on page 179: The attribute is not included in Acct-Stop messages that are sent when a user session does not get established in one of the following situations.
value as the Accounting-On message, but also contains the ICR-Partition-Id VSA, which specifies the ICR partition to which this message corresponds. Partition-Accounting-Off Sent to the RADIUS server when the partition changes from the master state to the backup state. However, in the event of a complete chassis failure, the Partition-Accounting-Off message is not sent.
Table 40: AAA Accounting Message Juniper Networks (Vendor ID 4874) VSAs Supported (continued) Attribute Number Attribute Name Acct-Start Acct-Stop Interim-Acct Acct-On Acct-Off Partition-Accounting-On Partition-Accounting-Off [26-63] Interface-Description – – – – [26-92] L2C-Up-Stream-Data –...
NOTE: JUNOSe software also supports several Juniper Networks VSAs that you can use to include DSL-related information. See “Juniper Networks VSAs” on page 259 . Table 42 on page 183 lists the DSL Forum VSAs supported by JUNOSe software in Access-Request, Acct-Start, Acct-Stop, and (if Acct-Stop is specified) Interim-Acct messages.
– [26-25] Redirect-Vrouter-Name – – – CLI Commands Used to Modify RADIUS Attributes This section discusses the RADIUS Internet Engineering Task Force (IETF) attributes and the Juniper Networks vendor-specific attributes that you can configure using CLI commands. CLI AAA Messages...
For many attributes, you can configure the router to include the attribute in RADIUS messages. For more information, see “Including or Excluding Attributes in RADIUS Messages” on page 232. You can also configure the router to ignore many attributes that it receives in Access-Accept messages.
Use the no version to restore standard use of the NAS-IP-Address and NAS-Identifier attributes. See radius override nas-info Related Topics Monitoring Override Settings of RADIUS IETF Attributes on page 297 [5] NAS-Port Use the following commands to manage and display information for the NAS-Port RADIUS attribute: radius include nas-port radius nas-port-format...
Use to set the NAS-Port format attribute for ATM and Ethernet only to either 0ssssppp or ssss0ppp. The format is a 4-octet integer. The remaining bits are not changed (8 bits VPI and 16 bits VCI; or 12 bits S-VLAN and 12 bits VLAN). The s indicates a bit used to represent the slot;...
Port 3 bits VLAN 12 bits S-VLAN 12 bits To set valid S-VLAN widths on Gigabit Ethernet and 10-Gigabit Ethernet interfaces, you must include S-VLAN IDs in the NAS-Port attribute by issuing the radius vlan nas-port-format stacked command. The total number of bits for all fields cannot exceed 32.
Example host1(config)#radius vlan nas-port-format stacked Use the no version to return to the default, in which the S-VLAN ID is not included. Related Topics Monitoring the NAS-Port-Format RADIUS Attribute on page 298 [8] Framed-IP-Address Use the following command to manage the Framed-IP-Address RADIUS attribute. radius include framed-ip-addr radius include framed-ip-addr Use to include the Framed-IP-Address attribute in Acct-Start and Acct-Stop...
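The NAS-Port layouts described above pack the subscriber's physical and logical circuit into one 32-bit integer: a high octet carrying the slot and port (0ssssppp or ssss0ppp), followed by either an 8-bit VPI and 16-bit VCI for ATM or a 12-bit S-VLAN and 12-bit VLAN for Ethernet. The following Python is an added example, not JUNOSe code and not taken from this guide, that packs and unpacks that integer so that a RADIUS server or log parser can recover slot, port and circuit from the attribute. The exact bit positions, and the choice to leave the S-VLAN field zero when the stacked keyword is not configured, are this example's reading of the documented layouts and are assumptions, not statements from the guide.

```python
from dataclasses import dataclass

# Bit positions inside the high octet of NAS-Port (assumption drawn from the
# documented layouts):
#   "0ssssppp": bit 31 zero, slot in bits 30-27, port in bits 26-24
#   "ssss0ppp": slot in bits 31-28, bit 27 zero, port in bits 26-24
SLOT_PORT_LAYOUTS = {"0ssssppp": (27, 24), "ssss0ppp": (28, 24)}
ZERO_BIT = {"0ssssppp": 31, "ssss0ppp": 27}


@dataclass(frozen=True)
class AtmCircuit:
    slot: int
    port: int
    vpi: int   # 8 bits, bits 23-16
    vci: int   # 16 bits, bits 15-0


@dataclass(frozen=True)
class EthCircuit:
    slot: int
    port: int
    vlan: int        # 12 bits, bits 11-0
    svlan: int = 0   # 12 bits, bits 23-12; only carried with nas-port-format stacked


def _check(name: str, value: int, bits: int) -> None:
    if not 0 <= value < (1 << bits):
        raise ValueError(f"{name}={value} does not fit in {bits} bits")


def pack_nas_port(circuit, layout: str = "0ssssppp", stacked: bool = False) -> int:
    """Encode a subscriber circuit as the 32-bit NAS-Port [5] integer."""
    slot_shift, port_shift = SLOT_PORT_LAYOUTS[layout]
    _check("slot", circuit.slot, 4)
    _check("port", circuit.port, 3)
    value = (circuit.slot << slot_shift) | (circuit.port << port_shift)
    if isinstance(circuit, AtmCircuit):
        _check("vpi", circuit.vpi, 8)
        _check("vci", circuit.vci, 16)
        value |= (circuit.vpi << 16) | circuit.vci
    else:
        _check("vlan", circuit.vlan, 12)
        _check("svlan", circuit.svlan, 12)
        # Without the stacked keyword the S-VLAN ID is not included; this example
        # sends the 12-bit field as zero in that case (assumption).
        value |= ((circuit.svlan if stacked else 0) << 12) | circuit.vlan
    assert value < (1 << 32)
    return value


def unpack_nas_port(value: int, kind: str, layout: str = "0ssssppp"):
    """Decode a NAS-Port integer; kind is 'atm' or 'ethernet'.

    Rejects values whose reserved zero bit is set, which is the usual symptom of
    decoding with the wrong layout (slot bits would otherwise be misread)."""
    if value >> ZERO_BIT[layout] & 1:
        raise ValueError(f"bit {ZERO_BIT[layout]} set; value does not match layout {layout}")
    slot_shift, port_shift = SLOT_PORT_LAYOUTS[layout]
    slot = (value >> slot_shift) & 0xF
    port = (value >> port_shift) & 0x7
    if kind == "atm":
        return AtmCircuit(slot, port, (value >> 16) & 0xFF, value & 0xFFFF)
    return EthCircuit(slot, port, value & 0xFFF, (value >> 12) & 0xFFF)


if __name__ == "__main__":
    # Constructed circuits: ATM slot 12 port 1 VPI 0 VCI 3; Ethernet slot 5 port 2,
    # S-VLAN 100, VLAN 4
    for layout in SLOT_PORT_LAYOUTS:
        print(layout, hex(pack_nas_port(AtmCircuit(12, 1, 0, 3), layout)))
    print(hex(pack_nas_port(EthCircuit(5, 2, 4, 100), stacked=True)))
    print(unpack_nas_port(0x2A064004, "ethernet"))
```

The two layouts differ only in where the reserved zero bit sits, so a server that assumes one while the router is configured for the other silently attributes sessions to the wrong slot. Check the configured format (show radius nas-port-format) on both ends before correlating NAS-Port values with physical ports.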
radius ignore framed-ip-netmask Use to cause the Framed-IP-Netmask attribute to be ignored in Access-Accept messages. You can control this behavior by enabling or disabling this command. If the subnet mask is specified by the Framed-IP-Netmask attribute in the RADIUS user profile, the router passes the mask and IP address to the CPE during IPCP negotiations.
Example host1(config)#radius include class acct-start disable Use the no version to restore the default, enable. [30] Called-Station-Id Use the following command to manage the Called-Station-Id RADIUS attribute. radius include called-station-id radius include called-station-id Use to include the Called-Station-Id attribute in Access-Request, Acct-Start, or Acct-Stop messages.
radius calling-station-format Use to specify the format of the Calling-Station-Id [31] attribute on a virtual router. For each field in angle brackets (<>) in the Calling-Station-Id formats, the virtual router supplies the actual value for your configuration, unless otherwise specified. To specify that the RADIUS client use the delimited format when the PPP user is terminated at the non-LNS E Series router, use the delimited keyword.
<VLAN [8]> Format for serial interfaces: <system name [4]> <slot [1]> <adapter [1]> <port [1]> <0 [8]> Where the final 8-byte field is always 0 (zero). For E120 and E320 routers, <adapter> is the number of the bay in which the I/O adapter (IOA) resides, either 0 (representing the right IOA bay on the E120 router or the upper IOA bay on the E320 router) or 1 (representing the left IOA bay on the E120 router or the lower IOA bay on the E320 router).
Format for ATM interfaces: <system name [4]> <slot [2]> <adapter [1]> <port [2]> <VPI [3]> <VCI [5]> Format for Ethernet interfaces: <system name [4]> <slot [2]> <adapter [1]> <port [2]> <VLAN [8]> Format for serial interfaces: <system name [4]>...
You do not specify the optional stacked keyword. You specify the optional stacked keyword but the Ethernet interface does not have an S-VLAN ID. Attribute 31, Calling-Station-Id, is used with Attribute 30, Called-Station-Id, in a standard way when the router is the LNS and the LAC is a dial-up LAC (not an E Series router).
Example host1(config)#radius calling-station-delimiter & Use the no version to remove the delimiter. radius include calling-station-id Use to include the Calling-Station-Id attribute in Access-Request, Acct-Start, or Acct-Stop messages. You can control inclusion of the attribute by enabling or disabling this command. See radius include Example host1(config)#radius include calling-station-id acct-start disable...
Use to set a value for the NAS-Identifier attribute. This value is used in the NAS-Identifier attribute for authentication and accounting requests. Example host1(config)#radius nas-identifier fox Use the no version to delete the NAS-Identifier. See radius nas-identifier radius include nas-identifier Use to include the NAS-Identifier attribute in Access-Request, Acct-Start, Acct-Stop, Acct-On, and Acct-Off messages.
You can use this command to configure the following nondefault formats for the PPPoE remote circuit ID value: Include either or both of the agent-circuit-id and agent-remote-id suboptions, with or without the NAS-Identifier [32] RADIUS attribute Append the agent-circuit-id suboption value to an interface specifier that is consistent with the recommended format in the DSL Forum Technical Report (TR)-101 Migration to Ethernet-Based DSL Aggregation (April 2006).
radius include acct-delay-time radius include acct-delay-time Use to include the Acct-Delay-Time attribute in Acct-On or Acct-Off messages. You can control inclusion of the attribute by enabling or disabling this command. See radius include Example host1(config)#radius include acct-delay-time acct-on enable Use the no version to restore the default, enable.
Use to set the Acct-Session-Id attribute format. Two formats are supported: description Configures the RADIUS client to use the generic format: erx <interface identifier>:<hex number>. For example: erx atm 12/1:0.3:0000ef1 NOTE: For subscribers connected over the LAG interface in DHCP standalone authenticate mode, the LAG interface ID is used as the interface identifier.
You can control inclusion of the attribute by enabling or disabling this command. See radius include. Example host1(config)#radius include acct-terminate-cause acct-off disable Use the no version to restore the default, enable. [50] Acct-Multi-Session-Id Use the following command to manage the Acct-Multi-Session-Id RADIUS attribute. radius include acct-multi-session-id radius include acct-multi-session-id Use to include the Acct-Multi-Session-Id attribute in Access-Request, Acct-Start,...
[52] Acct-Input-Gigawords Use the following command to manage the Acct-Input-Gigawords RADIUS attribute. radius include input-gigawords radius include input-gigawords Use to include the Acct-Input-Gigawords attribute in Acct-Stop messages. You can control inclusion of the Acct-Input-Gigawords attribute by enabling or disabling this command.
You can control inclusion of the Event-Timestamp attribute by enabling or disabling this command. See radius include Example host1(config)#radius include event-timestamp acct-on enable Use the no version to restore the default, enable. [61] NAS-Port-Type Use the following commands to manage and display information for the NAS-Port-Type RADIUS attribute.
Use the no version to restore the default, xdsl. See radius dsl-port-type radius ethernet-port-type Use to set the NAS-Port-Type attribute for Ethernet interfaces to ethernet or virtual. See radius ethernet-port-type Example host1(config)#radius ethernet-port-type virtual Use the no version to restore the default, ethernet.
Use the no version to restore the default, enable. [65] Tunnel-Medium-Type Use the following command to manage the Tunnel-Medium-Type RADIUS attribute. radius include tunnel-medium-type radius include tunnel-medium-type Use to include the Tunnel-Medium-Type attribute in Access-Request, Acct-Start, and Acct-Stop messages.
Use to include the Tunnel-Server-Endpoint attribute in Access-Request, Acct-Start, and Acct-Stop messages. You can control inclusion of the Tunnel-Server-Endpoint attribute by enabling or disabling this command. See radius include Example host1(config)#radius include tunnel-server-endpoint acct-stop disable Use the no version to restore the default, enable.
tx-speed [ /rx-speed ] The TX speed is always included in the attribute when the speed is not zero; however, inclusion of the RX speed depends on the keyword you use with the command. Use the l2tp-connect-speed keyword to specify that the RX speed is only included when it is not zero and differs from the TX speed.
You can control inclusion of the Tunnel-Assignment-Id attribute by enabling or disabling this command. See radius include Example host1(config)#radius include tunnel-assignment-id acct-stop enable Use the no version to restore the default, enable. [83] Tunnel-Preference Use the following command to manage the Tunnel-Preference RADIUS attribute.
Use to specify whether the router includes the subinterface number or adapter in the interface description it passes to RADIUS for inclusion in the NAS-Port-Id attribute. By default, the subinterface and adapter are sent (the commands are enabled).
radius include tunnel-client-auth-id radius include tunnel-client-auth-id Use to include the Tunnel-Client-Auth-Id attribute in Access-Request, Acct-Start, or Acct-Stop messages. You can control inclusion of the Tunnel-Client-Auth-Id attribute by enabling or disabling this command. See radius include Example host1(config)#radius include tunnel-client-auth-id access-request disable Use the no version to restore the default, enable.
For RADIUS to include this attribute, an IPv6 interface ID must be assigned to the subscriber. See radius include Example host1(config)#radius include framed-interface-id acct-start enable Use the no version to restore the default, disable. [97] Framed-Ipv6-Prefix Use the following command to manage the Framed-Ipv6-Prefix RADIUS attribute.
When the Framed-Ipv6-Route attribute is not returned from the RADIUS server in the Access-Accept message, the immediate accounting, Acct-Stop, or Interim-Acct messages do not report this attribute. See radius include Example host1(config)#radius include framed-ipv6-route acct-start enable Use the no version to restore the default, disable.
When prefix delegation occurs, an immediate-update (if enabled) message, which contains the delegated prefix information, is sent to the RADIUS server. When the prefix to be delegated to clients is obtained from the IPv6 local address server rather than the RADIUS server and the aaa dhcpv6-delegated-prefix delegated-ipv6-prefix command is configured, the delegated prefix is sent to the RADIUS server in the Delegated-Ipv6-Prefix attribute in the immediate...
Use the no version to restore the default, disable. Juniper Networks Vendor-Specific Attributes This section describes the Juniper Networks vendor-specific attributes (VSAs) that you can configure using CLI commands. The attributes are listed numerically and are followed by descriptions about the commands that you can use to manage the attribute.
Chapter 3: Configuring RADIUS Attributes radius include ingress-policy-name Use to include the Ingress-Policy-Name attribute in Acct-Start or Acct-Stop messages. You can control inclusion of the attribute by enabling or disabling this command. See radius include Example host1(config)#radius include ingress-policy-name acct-start enable Use the no version to restore the default.
JUNOSe 11.0.x Broadband Access Configuration Guide Use to cause the Egress-Policy-Name attribute to be ignored in Access-Accept messages. You can control this behavior by enabling or disabling this command. See radius ignore Example host1(config)#radius ignore egress-policy-name enable Use the no version to restore the default, disable. [26-14] Service-Category Use the following command to manage the Service-Category RADIUS attribute.
Chapter 3: Configuring RADIUS Attributes [26-16] SCR Use the following command to manage the SCR RADIUS attribute. radius ignore atm-scr radius ignore atm-scr Use to cause the SCR attribute to be ignored in Access-Accept messages. You can control this behavior by enabling or disabling this command. See radius ignore Example host1(config)#radius ignore atm-scr enable...
JUNOSe 11.0.x Broadband Access Configuration Guide Example host1(config)#radius include pppoe-description acct-start enable Use the no version to restore the default, enable. [26-35] Acct-Input-Gigapackets Use the following command to manage the Acct-Input-Gigapackets RADIUS attribute. radius include input-gigapkts radius include input-gigapkts Use to include Acct-Input-Gigapackets in Acct-Stop messages. You can control inclusion of the attribute by enabling or disabling this command.
Chapter 3: Configuring RADIUS Attributes Use to include the Tunnel-Interface-Id attribute in Access-Request, Acct-Start, or Acct-Stop messages. You can control inclusion of the attribute by enabling or disabling this command. See radius include Example host1(config)#radius include tunnel-interface-id enable Use the no version to restore the default, disable. [26-45] Ipv6-Virtual-Router Use the following command to manage the IPv6-Virtual-Router RADIUS attribute.
JUNOSe 11.0.x Broadband Access Configuration Guide Use to include the Ipv6-Local-Interface attribute in Acct-Start, or Acct-Stop messages. You can control inclusion of the attribute by enabling or disabling this command. For this attribute, the value received from the RADIUS server in the Access-Accept message is used in the accounting messages.
Chapter 3: Configuring RADIUS Attributes Use to include the Ipv6-Secondary-DNS attribute in Acct-Start, or Acct-Stop messages. You can control inclusion of the attribute by enabling or disabling this command. For this attribute, the value received from the RADIUS server in the Access-Accept message is used in the accounting messages.
JUNOSe 11.0.x Broadband Access Configuration Guide Example host1(config)#radius include profile-service-description acct-stop enable Use the no version to restore the default, disable. [26-55] DHCP-Options Use the following command to manage the DHCP-Options RADIUS attribute. radius include dhcp-options radius include dhcp-options Use to include the DHCP-Options attribute in Access-Request, Acct-Start, and Acct-Stop messages.
Chapter 3: Configuring RADIUS Attributes radius include dhcp-gi-address radius include dhcp-gi-address Use to include the DHCP-GI-Address attribute in Access-Request, Acct-Start, and Acct-Stop messages. You can control inclusion of the attribute by enabling or disabling this command. See radius include Example host1(config)#radius include dhcp-gi-address acct-stop enable Use the no version to restore the default, disable.
JUNOSe 11.0.x Broadband Access Configuration Guide Use to include the Interface-Desc attribute, with the subscriber’s access interface description, in Access-Request, Acct-Start, Interim-Acct, or Acct-Stop messages. You can control inclusion of the Interface-Desc attribute by enabling or disabling this command. Inclusion is disabled by default. There is no explicit command to include the Interface-Desc attribute in Interim-Acct messages;...
Chapter 3: Configuring RADIUS Attributes Example host1(config)#radius include l2c-upstream-data access-request enable Use the no version to restore the default, disable. [26-93] L2C-Down-Stream-Data Use the following command to manage the L2C-Down-Stream-Data RADIUS attribute. radius include l2c-downstream-data radius include l2c-downstream-data Use to include the L2C-Down-Stream-Data attribute in Access-Request, Acct-Start, and Acct-Stop messages.
[26-141] Downstream-Calculated-Qos-Rate The Downstream-Calculated-Qos-Rate RADIUS attribute enables RADIUS to receive calculated QoS rates from ANCP. Use the following commands to manage the Downstream-Calculated-Qos-Rate RADIUS attribute: radius include downstream-calculated-qos-rate access-request, radius include downstream-calculated-qos-rate acct-start, and radius include downstream-calculated-qos-rate acct-stop. radius include downstream-calculated-qos-rate Use to include the Downstream-Calculated-Qos-Rate attribute in Access-Request,...
Chapter 3: Configuring RADIUS Attributes Use the no version to restore the default, disable. See radius include [26-143] Max-Clients-Per-Interface The Max-Clients-Per-Interface RADIUS attribute is the maximum number of PPPoE client sessions supported per interface. For DHCP clients, this value is the maximum number of PPPoE sessions per logical interface.
JUNOSe 11.0.x Broadband Access Configuration Guide Use to include the ICR-Partition-Id attribute in Access-Request, Acct-Start, or Acct-Stop messages. You can control inclusion of the attribute by enabling or disabling this command. Example host1(config)#radius include icr-partition-id acct-start enable Use the no version to restore the default, disable. radius icr-partition-accounting Use to enable or disable sending of the ICR Partition-Accounting-On or Partition-Accounting-Off messages to the RADIUS servers...
Acct-Stop messages, the router includes ANCP information in Interim-Acct messages that the router sends to RADIUS. By default, the router does not include the ANCP-related information provided by the Juniper Networks VSAs in RADIUS messages. These Juniper Networks ANCP-related VSAs are based on definitions in GSMP extensions for layer2 control (L2C) Topology Discovery and Line Configuration draft-wadhwa-gsmp-l2control-configuration-00.txt (July 2006...
Table 44: ANCP (L2C)-Related Keywords for radius include Command (continued)

Command Keyword          Juniper Networks VSA Number   Juniper Networks VSA Name   ANCP Type   ANCP Subtype
l2cd-min-data-rate-up    [26-115]                      Min-Data-Rate-Up
l2cd-min-data-rate-dn    [26-116]                      Min-Data-Rate-Dn
l2cd-att-data-rate-up    [26-117]                      Att-Data-Rate-Up
l2cd-att-data-rate-dn    ...
DSL Forum VSAs in RADIUS messages in order to bill subscribers for different classes of service based on the data rate of their DSL connection. NOTE: JUNOSe software also supports several Juniper Networks VSAs that you can use to include DSL-related information. See “ANCP-Related Juniper Networks VSAs”...
JUNOSe 11.0.x Broadband Access Configuration Guide For information about enabling the QoS downstream rate application to obtain downstream rates from the Actual-Data-Rate-Downstream [26-130] DSL Forum VSA, see the Configuring the Downstream Rate Using QoS Parameters chapter in JUNOSe Quality of Service Configuration Guide. For a more detailed description of the DSL Forum VSAs, see “DSL Forum VSAs”...
Chapter 3: Configuring RADIUS Attributes To see a list of the attributes that you can include or exclude, see Monitoring Related Topics Included RADIUS Attributes on page 302 Ignoring Attributes When Receiving Access-Accept Messages You can configure the router to ignore or use many attributes that it receives in Access-Accept messages.
JUNOSe 11.0.x Broadband Access Configuration Guide CLI Commands Used to Modify RADIUS Attributes...
Chapter 4 Configuring RADIUS Dynamic-Request Server This chapter describes the RADIUS dynamic-request server feature on E Series routers. The following topics describe this feature: RADIUS Dynamic-Request Server Overview on page 235 RADIUS Dynamic-Request Server Platform Considerations on page 236 RADIUS Dynamic-Request Server References on page 236 How RADIUS Dynamic-Request Server Works on page 237 RADIUS-Initiated Disconnect on page 237 Message Exchange on page 237...
JUNOSe 11.0.x Broadband Access Configuration Guide For example, you might use the RADIUS dynamic-request server to terminate specific user sessions. Without the RADIUS dynamic-request server, the only way to disconnect a RADIUS user is from the E Series router. This disconnect method is cumbersome when a network has many systems.
Chapter 4: Configuring RADIUS Dynamic-Request Server RFC 5176 Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS) (January 2008) How RADIUS Dynamic-Request Server Works In a typical client-server RADIUS environment, the E Series router functions as the client and the RADIUS server functions as the server. However, when using the RADIUS dynamic-request server feature, the roles are reversed.
JUNOSe 11.0.x Broadband Access Configuration Guide Supported Error-Cause Codes (RADIUS Attribute 101) When a disconnect request fails, the RADIUS dynamic-request server includes an error-cause attribute (RADIUS attribute 101) in the Disconnect-NAK message that it sends back to the RADIUS server. If the detected error does not map to one of the supported error-cause attributes, the router sends the Disconnect-NAK without an error-cause attribute.
Chapter 4: Configuring RADIUS Dynamic-Request Server Security/Authentication The RADIUS server (the disconnect client) must calculate the authenticator as specified for an Accounting-Request message in RFC 2866. The router’s RADIUS dynamic-request server verifies the request using authenticator calculation as specified for an Accounting-Request message in RFC 2866. A key (secret), as specified in RFC 2865, must be configured and used in the calculation of the authenticator.
JUNOSe 11.0.x Broadband Access Configuration Guide CoA-ACK (44) CoA-NAK (45) Message Exchange The RADIUS server and the router’s RADIUS dynamic-request server exchange messages using UDP. The CoA-Request message sent by the RADIUS server has the same format as the Disconnect-Request packet that is sent for a disconnect operation. The response is either a CoA-ACK or a CoA-NAK message: If AAA successfully changes the authorization, the response is a RADIUS-formatted packet with a CoA-ACK message, and the data filter is applied to the session.
Chapter 4: Configuring RADIUS Dynamic-Request Server Qualifications for Change of Authorization To complete the change of authorization for a user, the CoA-Request must contain one of the following RADIUS attributes or pairs of attributes. AAA services handle the actual request. User-Name [attribute 1] with Virtual-Router [attribute 26–1] to identify the user per virtual router context Framed-IP-Address [attribute 8] with Virtual-Router [attribute 26–1] to identify...
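The authenticator check described under Security/Authentication, and the User-Name plus Virtual-Router [26-1] identification listed above, as an added example that is not part of this guide or of JUNOSe. It builds a Disconnect-Request the way a RADIUS server (the disconnect client) would, verifies it the way the router's dynamic-request server must (packet length, then the RFC 2866-style request authenticator computed with the shared secret), and answers with a Disconnect-ACK or a Disconnect-NAK carrying Error-Cause (attribute 101). The shared secret, subscriber name, virtual router name and session table are constructed sample values; the Error-Cause numbers are the RFC 5176 values.

```python
"""RFC 5176 Disconnect-Request handling on the NAS side (added example, not JUNOSe code)."""
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42   # RFC 5176 codes
USER_NAME, VENDOR_SPECIFIC, ERROR_CAUSE = 1, 26, 101              # IETF attribute numbers
JUNIPER_VENDOR_ID = 4874          # IANA enterprise number (0x130A), see Table 50
VIRTUAL_ROUTER = 1                # Juniper VSA [26-1]
MISSING_ATTRIBUTE, INVALID_REQUEST, SESSION_CONTEXT_NOT_FOUND = 402, 404, 503
HEADER = struct.Struct("!BBH")    # Code, Identifier, Length; 16-byte Authenticator follows


def avp(attr_type, value):
    """One IETF attribute: Type, Length (header included), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def juniper_vsa(subtype, value):
    """Vendor-Specific [26-subtype] for vendor 4874: Vendor-Id then one vendor attribute."""
    vendor_attr = struct.pack("!BB", subtype, 2 + len(value)) + value
    return avp(VENDOR_SPECIFIC, struct.pack("!I", JUNIPER_VENDOR_ID) + vendor_attr)


def parse_attrs(blob):
    """Decode a TLV list, refusing lengths that run past the buffer."""
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, blob[i + 2:i + length]))
        i += length
    return attrs


def request_authenticator(code, ident, attrs, secret):
    """MD5(Code + ID + Length + 16 zero octets + Attributes + Secret), as for Accounting-Request."""
    return hashlib.md5(HEADER.pack(code, ident, 20 + len(attrs)) + bytes(16) + attrs + secret).digest()


def response_authenticator(code, ident, attrs, req_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret) binds the reply to the request."""
    return hashlib.md5(HEADER.pack(code, ident, 20 + len(attrs)) + req_auth + attrs + secret).digest()


def build_request(code, ident, attrs, secret):
    return HEADER.pack(code, ident, 20 + len(attrs)) + request_authenticator(code, ident, attrs, secret) + attrs


def build_response(code, ident, attrs, req_auth, secret):
    return HEADER.pack(code, ident, 20 + len(attrs)) + response_authenticator(code, ident, attrs, req_auth, secret) + attrs


def verify_request(packet, secret):
    """Dynamic-request server check: sane length, then constant-time authenticator comparison."""
    if len(packet) < 20 or HEADER.unpack(packet[:4])[2] != len(packet):
        return False
    code, ident, _ = HEADER.unpack(packet[:4])
    return hmac.compare_digest(request_authenticator(code, ident, packet[20:], secret), packet[4:20])


def verify_response(response, req_auth, secret):
    """Disconnect client check: the ACK/NAK must match our request authenticator and the secret."""
    if len(response) < 20 or HEADER.unpack(response[:4])[2] != len(response):
        return False
    code, ident, _ = HEADER.unpack(response[:4])
    return hmac.compare_digest(response_authenticator(code, ident, response[20:], req_auth, secret), response[4:20])


def session_key(attrs):
    """Identify the subscriber per virtual router: (User-Name, Virtual-Router) or None if either is missing."""
    user = vrouter = None
    for attr_type, value in attrs:
        if attr_type == USER_NAME:
            user = value.decode()
        elif attr_type == VENDOR_SPECIFIC and value[:4] == struct.pack("!I", JUNIPER_VENDOR_ID):
            for subtype, sub_value in parse_attrs(value[4:]):
                if subtype == VIRTUAL_ROUTER:
                    vrouter = sub_value.decode()
    return (user, vrouter) if user and vrouter else None


def nak(ident, req_auth, secret, cause):
    return build_response(DISCONNECT_NAK, ident, avp(ERROR_CAUSE, struct.pack("!I", cause)), req_auth, secret)


def handle_disconnect(packet, secret, active_sessions):
    """Returns None when the authenticator fails (packet dropped), else the ACK or NAK to send."""
    if not verify_request(packet, secret):
        return None
    ident, req_auth = packet[1], packet[4:20]
    try:
        key = session_key(parse_attrs(packet[20:]))
    except ValueError:
        return nak(ident, req_auth, secret, INVALID_REQUEST)
    if key is None:
        return nak(ident, req_auth, secret, MISSING_ATTRIBUTE)
    if key not in active_sessions:
        return nak(ident, req_auth, secret, SESSION_CONTEXT_NOT_FOUND)
    active_sessions.discard(key)   # tear down the subscriber session, then acknowledge
    return build_response(DISCONNECT_ACK, ident, b"", req_auth, secret)
```

A request with the wrong secret is discarded without any reply, which is what the Disconnect or CoA Bad Authenticators counter in show radius dynamic-request statistics records. Note that this construction is a keyed MD5 over the packet, not an HMAC, and RFC 5176 itself points to IPsec for protecting the path; restricting which server addresses the dynamic-request server accepts is the other control you have. JUNOSe listens on UDP 1700 by default; the port IANA registered for RFC 5176 is 3799.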
JUNOSe 11.0.x Broadband Access Configuration Guide (Optional) Specify the UDP port on which the router listens for messages from the RADIUS server. The default is 1700. host1(config-radius)#udp-port 1770 RADIUS Dynamic-Request Server Commands This section describes commands used to configure RADIUS dynamic-request servers. authorization change Use to enable the RADIUS dynamic-request server to receive CoA messages, such as packet mirroring attributes and Service Manager attributes, from the...
Chapter 4: Configuring RADIUS Dynamic-Request Server NOTE: The function of this command has been replaced by a combination of the RADIUS dynamic-request server feature and the subscriber disconnect command. This command might be removed completely in a future release. See radius disconnect client radius dynamic-request server Use to configure a RADIUS dynamic-request server and enter RADIUS Configuration mode.
JUNOSe 11.0.x Broadband Access Configuration Guide Monitoring RADIUS Dynamic-Request Servers To monitor RADIUS dynamic-request servers, see: “Setting the Baseline for RADIUS Dynamic-Request Server Statistics” on page 304 “Monitoring RADIUS Dynamic-Request Server Statistics” on page 305 “Monitoring the Configuration of the RADIUS Dynamic-Request Server” on page 306 Monitoring RADIUS Dynamic-Request Servers...
Chapter 5 Configuring RADIUS Relay Server This chapter describes the E Series router’s RADIUS relay server feature. The RADIUS relay server provides authentication, authorization, accounting, and addressing services to wireless subscribers in public areas, such as airports and coffee shops. This chapter has the following sections: RADIUS Relay Server Overview on page 245 RADIUS Relay Server Platform Considerations on page 246...
JUNOSe 11.0.x Broadband Access Configuration Guide Figure 6: RADIUS Relay Server E Series router RADIUS Relay Server Platform Considerations RADIUS relay is supported on all E Series routers. For information about the modules supported on E Series routers: See the ERX Module Guide for modules supported on ERX7xx models, ERX14xx models, and the ERX310 Broadband Services Router.
Chapter 5: Configuring RADIUS Relay Server You can also use an optional RADIUS proxy server to provide additional enhancements to the 802.1x-based environment. For example, the RADIUS proxy server enables subscribers to be multiplexed to multiple Internet service providers (ISPs) that are customers of the same carrier.
JUNOSe 11.0.x Broadband Access Configuration Guide For information about using the SRC software with the RADIUS relay server to provide accounting, see “RADIUS Relay Server and the SRC Software” on page 248. Table 48 on page 248 shows the RADIUS attributes that must be included in accounting requests.
Chapter 5: Configuring RADIUS Relay Server the subscriber is authenticated. The second domain is created for the connection between the E Series router and the SRC software. If you want to continue to use the SRC software’s user session and problem-tracking features, you should not configure the SRC software to generate RADIUS accounting records.
10.10.15.0       255.255.255.0     secret
10.10.8.15       255.255.255.255   newsecret
192.168.25.9     255.255.255.255   mysecret
192.168.102.5    255.255.255.255   999Y2K
Udp Port: 1812

RADIUS Relay Accounting Server Configuration
--------------------------------------------
IP Address       IP Mask           Secret
-------------    ---------------   -------
10.10.1.0        255.255.255.0     NO8pxq
192.168.102.5    255.255.255.255   12BE$56
Udp Port: 1813

Use to enter the IP address and mask of the network that will use the RADIUS...
Chapter 5: Configuring RADIUS Relay Server host1(config-radius-relay)#udp-port 1850 Use the no version to return to the default, port 1812 for authentication servers or port 1813 for accounting servers. See udp-port Monitoring RADIUS Relay Server To monitor RADIUS relay server, see: “Setting the Baseline for RADIUS Dynamic-Request Server Statistics”...
This chapter lists the RADIUS attributes that are supported by JUNOSe software. Table 49 on page 253 describes the supported RADIUS IETF attributes. Table 50 on page 259 describes the supported Juniper Networks vendor-specific attributes (VSAs). Table 51 on page 270 describes the DSL Forum VSA formats supported by JUNOSe software.
Applicable for CLI, telnet, or EAP message exchange
[25] Class: An arbitrary value that the NAS includes in all accounting packets for the user if supplied by the RADIUS server
[26] Vendor-Specific: Juniper Networks enterprise number 0x0000130A (decimal 4874)
RADIUS IETF Attributes...
Chapter 6: RADIUS Attribute Descriptions
Table 49: RADIUS IETF Attributes Supported by JUNOSe Software (continued)
[27] Session-Timeout: Maximum number of consecutive seconds of service to be provided to the user before termination of the session
[28] Idle-Timeout: Maximum number of consecutive seconds of idle connection provided to the user...
Table 49: RADIUS IETF Attributes Supported by JUNOSe Software (continued)
[46] Acct-Session-Time: Indicates how long in seconds the user has received service
[47] Acct-Input-Packets: Indicates how many packets have been received from the port during the time this service has been provided to a framed user. IP subscriber manager: statistics are reported. PPP: statistics are counted according to the rules of the generic interface...
Table 49: RADIUS IETF Attributes Supported by JUNOSe Software (continued)
[53] Acct-Output-Gigawords: Indicates how many times the Acct-Output-Octets counter has wrapped around 2^32 in the course of delivering this service; can be present in Accounting-Request records only where the Acct-Status-Type is set to Stop or Interim-Update. IP subscriber manager: statistics are reported...
Table 49: RADIUS IETF Attributes Supported by JUNOSe Software (continued)
[83] Tunnel-Preference: If more than one set of tunneling attributes is returned by the RADIUS server to the tunnel initiator, this attribute is included in each set to indicate the relative preference assigned to each tunnel.
Juniper Networks VSAs Table 50 on page 259 lists Juniper Networks VSA formats for RADIUS. JUNOSe software uses the vendor ID assigned to Juniper Networks (vendor ID 4874) by the Internet Assigned Numbers Authority (IANA).
Table 50: Juniper Networks (Vendor ID 4874) VSA Formats (continued)
[26-2] Local-Address-Pool: Name of an assigned address pool that should be used to assign an... Value: string (subtype length sublen)
Table 50: Juniper Networks (Vendor ID 4874) VSA Formats (continued)
[26-14] Service-Category: ATM service category to apply to the B-RAS user's interface. Value: integer, 1 = UBR, 2 = UBR PCR,...
Table 50: Juniper Networks (Vendor ID 4874) VSA Formats (continued)
[26-24] Pppoe-Description: The string pppoe <mac addr> sent to the RADIUS server, supplied by PPPoE. Value: string pppoe <mac addr> (subtype length sublen)...
Table 50: Juniper Networks (Vendor ID 4874) VSA Formats (continued)
[26-44] Tunnel-Interface-Id: Tunnel interface selector that AAA caches as part of the tunnel-session profile and the user's profile. Value: string, tunnel selector (subtype length sublen).
Table 50: Juniper Networks (Vendor ID 4874) VSA Formats (continued)
[26-60] Med-Ip-Address: IP address of the analyzer device to which mirrored packets are forwarded... Value: salt-encrypted IP address (subtype length sublen)
Table 50: Juniper Networks (Vendor ID 4874) VSA Formats (continued)
[26-78] IGMP-Version: IGMP protocol version (1 = IGMP Version 1; 2 = IGMP Version 2; 3 = IGMP Version 3). Value: integer, 1 octet
Table 50: Juniper Networks (Vendor ID 4874) VSA Formats (continued)
[26-89] Mobile-IP-Lifetime: Registration lifetime for Mobile IP registration. Value: integer, 4 octets
[26-90] L2TP-Resynch-Method: L2TP peer resynchronization method. Value: integer, 0 = disabled;...
Table 50: Juniper Networks (Vendor ID 4874) VSA Formats (continued)
[26-97] IGMP-Immediate-Leave: IGMP Immediate Leave. Value: integer, 4 octets, 0 = disabled, 1 = enabled
[26-98] MLD-Query-Interval: MLD Query Interval...
Table 50: Juniper Networks (Vendor ID 4874) VSA Formats (continued)
[26-122] Min-LP-Data-Rate-Dn: Minimum downstream data rate in low power state configured for the subscriber. Value: integer, 4 octets...
Table 50: Juniper Networks (Vendor ID 4874) VSA Formats (continued)
[26-143] Max-Clients-Per-Interface: Maximum number of PPPoE client sessions supported per interface. For DHCP clients, this value is the maximum number of PPPoE sessions per logical interface. Value: integer, 4 octets
Table 50: Juniper Networks (Vendor ID 4874) VSA Formats (continued)
[26-154] Ipv6-Acct-Output-Packets: Number of times that IPv6 packets have been sent to the port in the course of delivering this service to a framed user. Value: integer, 4 octets
[26-155]...
Table 51: JUNOSe Software DSL Forum (Vendor ID 3561) VSA Formats (continued)
[26-133] Attainable-Data-Rate-Upstream: Upstream data rate that the subscriber can attain. Value: integer, 4 octets
[26-134] Attainable-Data-Rate-Downstream: Downstream data rate that the subscriber can attain. Value: integer, 4 octets...
Table 52: RADIUS Attribute Passed Through by JUNOSe Software
[79] EAP-Message: Used by RADIUS relay servers; passed through to the RADIUS server
RADIUS Attributes References For more information about RADIUS attributes, see the following RFCs: RFC 2661 Layer Two Tunneling Protocol “...
Chapter 7 Application Terminate Reasons This chapter lists the default mappings for application terminate reasons to RADIUS Acct-Terminate-Cause attributes. Table 53 on page 273 lists the default mappings for AAA, Table 54 on page 274 lists default mappings for L2TP, Table 55 on page 289 lists the default mappings for PPP, and Table 56 on page 295 lists default mappings for RADIUS client.
Chapter 7: Application Terminate Reasons
Table 54: Default L2TP Mappings (continued)
L2TP Terminate Reason -> RADIUS Acct-Terminate-Cause Code Description
session rx icrq avp bad value assigned session id -> nas request
session rx icrq avp bad value bearer type -> nas request
session rx icrq avp bad value cisco nas port -> nas request
session rx icrq avp duplicate value assigned session id -> nas request...
Table 54: Default L2TP Mappings (continued)
session rx ocrp avp duplicate value assigned session id -> nas request
session rx ocrp avp malformed bad length -> nas request
session rx ocrp avp malformed truncated -> nas request
session rx ocrp avp missing mandatory assigned session id -> nas request...
Table 54: Default L2TP Mappings (continued)
tunnel failover protocol recovery control channel failed -> service unavailable
tunnel failover protocol recovery tunnel failed -> service unavailable
tunnel failover protocol recovery tunnel finished -> user request
tunnel failover protocol recovery tunnel primary down -> user request...
Table 54: Default L2TP Mappings (continued)
tunnel rx sccrp avp bad value challenge response -> service unavailable
tunnel rx sccrp avp bad value failover capability -> service unavailable
tunnel rx sccrp avp bad value framing capabilities -> service unavailable
tunnel rx sccrp avp bad value protocol version -> service unavailable...
Table 54: Default L2TP Mappings (continued)
tunnel rx sccrq avp bad value challenge -> service unavailable
tunnel rx sccrq avp bad value failover capability -> service unavailable
tunnel rx sccrq avp bad value framing capabilities -> service unavailable
tunnel rx sccrq avp bad value protocol version -> service unavailable...
Table 54: Default L2TP Mappings (continued)
tunnel rx stopccn avp malformed truncated -> service unavailable
tunnel rx stopccn avp missing mandatory assigned tunnel -> service unavailable
tunnel rx stopccn avp missing mandatory result code -> service unavailable
tunnel rx stopccn avp missing random vector -> service unavailable...
Table 54: Default L2TP Mappings (continued)
tunnel rx unexpected packet -> service unavailable
tunnel rx unexpected packet for session -> service unavailable
tunnel rx unknown packet message type indecipherable -> service unavailable
tunnel rx unknown packet message type unrecognized -> service unavailable
tunnel rx recovery scccn authenticate failed challenge...
Table 54: Default L2TP Mappings (continued)
tunnel rx recovery sccrp avp duplicate value assigned tunnel id -> service unavailable
tunnel rx recovery sccrp avp malformed bad length -> service unavailable
tunnel rx recovery sccrp avp malformed truncated -> service unavailable
tunnel rx recovery sccrp avp mismatched host name...
Table 54: Default L2TP Mappings (continued)
tunnel rx recovery sccrq avp bad value receive window size -> service unavailable
tunnel rx recovery sccrq avp bad value tunnel recovery -> service unavailable
tunnel rx recovery sccrq avp duplicate value assigned tunnel -> service unavailable
tunnel rx recovery sccrq avp duplicate value tie breaker...
Table 54: Default L2TP Mappings (continued)
tunnel rx recovery stopccn avp duplicate value assigned tunnel id -> service unavailable
tunnel rx recovery stopccn avp malformed bad length -> service unavailable
tunnel rx recovery stopccn avp malformed truncated -> service unavailable
tunnel rx recovery stopccn avp missing mandatory assigned...
Chapter 7: Application Terminate Reasons PPP Terminate Reasons Table 55 on page 289 lists the default PPP terminate mappings. The table indicates the supported PPP terminate reasons and the RADIUS Acct-Terminate-Cause attributes they are mapped to by default. Table 55: Default PPP Mappings PPP Terminate Reason RADIUS Acct-Terminate-Cause Code...
Table 55: Default PPP Mappings (continued)
PPP Terminate Reason -> RADIUS Acct-Terminate-Cause Code Description
bundle fail local mrru mismatch -> nas request
bundle fail local mru mismatch -> nas request
bundle fail peer mrru mismatch -> nas request
bundle fail reassembly location -> nas request
bundle fail reassembly mismatch...
Table 55: Default PPP Mappings (continued)
ip no peer secondary dns address -> nas request
ip no peer secondary nbns address -> nas request
ip no service -> nas request
ip peer renegotiate rx conf ack -> nas request
ip peer renegotiate rx conf nak -> nas request...
Table 55: Default PPP Mappings (continued)
ipv6 peer terminate term req -> nas request
ipv6 service disable -> nas request
ipv6 stale stacking -> nas request
lcp authenticate terminate hold -> nas request
lcp configured mrru too small -> nas request...
Table 55: Default PPP Mappings (continued)
lcp no peer magicnumber -> nas request
lcp no peer mrru -> nas request
lcp no peer mru -> nas request
lcp no peer pfc -> nas request
lcp peer terminate code rej -> user request...
Table 55: Default PPP Mappings (continued)
mpls peer terminate term ack -> nas request
mpls peer terminate term req -> nas request
mpls service disable -> nas request
mpls stale stacking -> nas request
network interface admin disable -> admin reset...
Chapter 8 Monitoring RADIUS This chapter describes how to monitor the RADIUS attributes, RADIUS dynamic-request server, and RADIUS relay. RADIUS topics are described in the following sections: Monitoring Override Settings of RADIUS IETF Attributes on page 297 Monitoring the NAS-Port-Format RADIUS Attribute on page 298 Monitoring the Calling-Station-Id RADIUS Attribute on page 299 Monitoring the NAS-Identifier RADIUS Attribute on page 299 Monitoring the Format of the Remote-Circuit-ID for RADIUS on page 300...
To display the current setting for all configured RADIUS attributes:
Action
host1#show radius override
nas-ip-addr: nas-ip-addr
nas-port-id: nas-port-id
calling-station-id: calling-station-id
nas-info: from current virtual router
host1#show radius override
nas-ip-addr: nas-ip-addr
nas-info: from authentication virtual router
Table 57 on page 298 lists the show radius override command output fields.
Chapter 8: Monitoring RADIUS
To display information about the NAS-Port attribute on an ATM interface on an E320 Broadband Services Router:
host1#show radius nas-port-format
extended atm
extended atm field-width slot 5 adapter 0 port 4 vpi 4 vci 12
To display the status of NAS-Port attribute settings for PPPoE interfaces:
host1#show radius pppoe nas-port-format
unique
To display the status of the S-VLAN ID setting for the NAS-Port attribute for VLAN...
host1#show radius nas-identifier
Related Topics: show radius nas-identifier
Monitoring the Format of the Remote-Circuit-ID for RADIUS
Purpose: Display the format configured for the PPPoE remote circuit ID value captured from a DSLAM. The default format is agent-circuit-ID. If the PPPoE remote circuit ID value is configured to include any or all of the agent-circuit-id, agent-remote-id, and nas-identifier components, the display lists the components included and the order in which they appear.
To display the format used for the Acct-Session-Id attribute:
Action
host1#show radius acct-session-id-format
decimal
Related Topics: show radius acct-session-id-format
Monitoring the DSL-Port-Type RADIUS Attribute
Purpose: Display the DSL port type for the NAS-Port-Type attribute for ATM and Ethernet users.
Action: To display the DSL port type for the NAS-Port-Type attribute for ATM users:...
host1#show aaa intf-desc-format
exclude sub-interface include adapter
Related Topics: show aaa intf-desc-format
Monitoring Included RADIUS Attributes
Purpose: Display the RADIUS attributes that are included in and excluded from Acct-On, Acct-Off, Access-Request, Acct-Start, and Acct-Stop messages.
Action: To display the list of included RADIUS attributes:
host1#show radius attributes-included...
JUNOSe 11.0.x Broadband Access Configuration Guide Table 58: show radius attributes-included Output Fields (continued) Field Name Field Description Account Off Include status of the attribute in Acct-Off messages: enabled, disabled, n/c Access Request Include status of the attribute in Access Request messages: enabled, disabled, n/c Account Start Include status of the attribute in Acct-Start messages:...
There is no no version.
Related Topics: Monitoring RADIUS Dynamic-Request Server Statistics on page 305; baseline radius dynamic-request
Monitoring RADIUS Dynamic-Request Server Statistics
Purpose: Display RADIUS dynamic-request server statistics.
Action: To display RADIUS dynamic-request statistics:
host1#show radius dynamic-request statistics
RADIUS Request Statistics
-------------------------
Statistic...
Table 59: show radius dynamic-request statistics Output Fields (continued)
Disconnect or CoA Bad Authenticators: RADIUS-initiated disconnect or CoA messages rejected because the calculated authenticator in the authenticator field of the request did not match
Disconnect or CoA Packets Dropped: RADIUS-initiated disconnect or CoA packets dropped...
Table 60: show radius dynamic-request servers Output Fields (continued)
Change of Authorization: Status of the change of authorization feature
Secret: Secret used to connect to the RADIUS server
Related Topics: show radius servers
Setting a Baseline for RADIUS Relay Statistics You can set a baseline for RADIUS relay statistics.
Table 61: show radius relay statistics Output Fields (continued)
Accounting Responses: Number of accounting responses, broken down by type of request
Related Topics: Setting a Baseline for RADIUS Relay Statistics on page 307; show radius relay statistics
Monitoring the Configuration of the RADIUS Relay Server Display information about the RADIUS relay server configuration.
Related Topics: show radius relay servers
Monitoring the Status of RADIUS Relay UDP Checksums
Purpose: Display the status of RADIUS relay UDP checksums.
Action: To display the status of UDP checksums:
host1(config)#show radius relay udp-checksum
udp-checksums enabled
Meaning: Table 63 on page 310 lists the show radius relay udp-checksum command output...
Chapter 9 Configuring TACACS+ This chapter explains how to enable and configure TACACS+ in your E Series router. It has the following sections: TACACS+ Overview on page 311 TACACS+ Platform Considerations on page 315 TACACS+ References on page 315 Before You Configure TACACS+ on page 316 Configuring TACACS+ Support on page 316 TACACS+ Overview With the increased use of remote access, the need for managing more network access...
JUNOSe 11.0.x Broadband Access Configuration Guide Table 64: TACACS-Related Terms Term Description Network access server. A device that provides connections to a single user, to a network or subnetwork, and to interconnected networks. In reference to TACACS+, the NAS is the E Series router. TACACS+ process A program or software running on a security server that provides AAA services using the TACACS+ protocol.
Chapter 9: Configuring TACACS+ TACACS+ sets up a TCP connection to the TACACS+ host and sends a Start packet. The TACACS+ host responds with a Reply packet, which either grants or denies access, reports an error, or challenges the user. TACACS+ might challenge the user to provide username, password, passcode, or other information.
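The Start/Reply exchange described above, as an added example that is not part of this guide or of JUNOSe: it frames a TACACS+ authentication START the way the NAS would send it, obfuscates the body with the RFC 8907 MD5 pseudo-pad derived from the shared key, and parses the server's REPLY (here a GETPASS challenge asking for the password). The shared key, session ID, user name, port and remote address are constructed sample values; no TCP socket is opened, both sides run in one process.

```python
"""TACACS+ (RFC 8907) authentication START/REPLY framing (added example, not JUNOSe code)."""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0            # major version 0xC, minor version 0 (ASCII login)
TAC_PLUS_AUTHEN = 1                # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # body sent in the clear; lab use only
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, body length

AUTHEN_LOGIN, PRIV_LVL_USER, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN = 1, 1, 1, 1
STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER", 5: "GETPASS", 6: "RESTART", 7: "ERROR"}


def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream: MD5(session_id, key, version, seq_no), then chained with the previous block."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(seed + block).digest()
        pad += block
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR with the pseudo-pad; the same call hides and reveals a body."""
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, key, version, seq_no, len(body))))


def pack_packet(ptype, seq_no, session_id, body, key):
    """Header plus (obfuscated) body. An empty key sets the unencrypted flag and sends plaintext."""
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    payload = obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no) if key else body
    return HEADER.pack(TAC_PLUS_VERSION, ptype, seq_no, flags, session_id, len(body)) + payload


def unpack_packet(packet, key):
    """Validate the header and length, reveal the body. Returns (type, seq_no, session_id, body)."""
    if len(packet) < HEADER.size:
        raise ValueError("short header")
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:]
    if version >> 4 != 0xC or len(body) != length:
        raise ValueError("bad version or length")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return ptype, seq_no, session_id, body


def authen_start(user, port, rem_addr, key, session_id):
    """Authentication START (always seq_no 1): the NAS asks the server to log in `user`."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    body = bytes([AUTHEN_LOGIN, PRIV_LVL_USER, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN,
                  len(u), len(p), len(r), 0]) + u + p + r
    return pack_packet(TAC_PLUS_AUTHEN, 1, session_id, body, key)


def parse_start(body):
    """Decode a START body; a wrong key yields lengths that do not add up and is rejected here."""
    if len(body) < 8:
        raise ValueError("short START body")
    action, priv, atype, svc, ul, pl, rl, dl = body[:8]
    if len(body) != 8 + ul + pl + rl + dl:
        raise ValueError("START field lengths disagree with body length")
    user, port = body[8:8 + ul].decode(), body[8 + ul:8 + ul + pl].decode()
    rem_addr = body[8 + ul + pl:8 + ul + pl + rl].decode()
    return {"action": action, "priv_lvl": priv, "authen_type": atype, "service": svc,
            "user": user, "port": port, "rem_addr": rem_addr}


def authen_reply(status, server_msg, key, session_id, seq_no):
    """Authentication REPLY from the server: status, flags, server_msg_len, data_len, server_msg."""
    msg = server_msg.encode()
    body = struct.pack("!BBHH", status, 0, len(msg), 0) + msg
    return pack_packet(TAC_PLUS_AUTHEN, seq_no, session_id, body, key)


def parse_reply(body):
    status, _flags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    if len(body) != 6 + msg_len + data_len:
        raise ValueError("REPLY field lengths disagree with body length")
    return STATUS.get(status, "UNKNOWN"), body[6:6 + msg_len].decode()


def login_exchange(key, session_id=0x1234ABCD):
    """Constructed round trip: NAS sends START, server challenges with GETPASS on seq_no 2."""
    start = authen_start("alice", "vty0", "10.0.0.5", key, session_id)   # constructed sample values
    ptype, seq, sid, body = unpack_packet(start, key)                     # server side
    if ptype != TAC_PLUS_AUTHEN or seq != 1:
        raise ValueError("unexpected first packet")
    fields = parse_start(body)
    reply = authen_reply(5, "Password: ", key, sid, seq + 1)
    _, seq2, _, rbody = unpack_packet(reply, key)                         # back on the NAS
    status, msg = parse_reply(rbody)
    return fields["user"], seq2, status, msg
```

The body protection is an MD5 keystream XOR keyed only by the shared secret, which RFC 8907 calls obfuscation rather than encryption; treat the TCP path to the TACACS+ host as one that needs its own transport protection, and never run with the unencrypted flag outside a lab.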
Method list: A specified configuration that defines how the NAS performs the AAA accounting service. A service type can be configured with multiple method lists with different names, and a method list name can be used for different service types.
Table 65: TACACS+ Accounting Information (continued)
user (packet body): Name of the user running the Exec session or CLI command
port (packet body): NAS port used by the Exec session or CLI command
rem-addr (packet body): User’s remote location;...
Before You Configure TACACS+ Before you begin to configure TACACS+, you must determine the following for the TACACS+ authentication and accounting servers: IP addresses, TCP port numbers, and secret keys. Configuring TACACS+ Support To use TACACS+, you must enable AAA. To configure your router to support TACACS+, perform the following tasks.
host1(config)#aaa authentication login tac tacacs+ radius enable
Specify the privilege level by defining a method list that uses TACACS+ for authentication.
host1(config)#aaa authentication enable default tacacs+ radius enable
Configure vty lines.
host1(config)#line vty 0 4
Apply an authentication list to the vty lines you specified on your router.
host1(config-line)#login authentication tac
Configuring Accounting Once TACACS+ support is enabled on the router, you can configure TACACS+...
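How the method list `tacacs+ radius enable` above is walked, as an added example (not JUNOSe code). It models the standard AAA method-list rule: the router moves on to the next method only when the current one cannot answer (server unreachable), never after an explicit reject, so `enable` at the end is a fallback for a dead server, not a second chance after a wrong password, and `none` anywhere in the list admits everyone once the servers before it are down. The guide does not spell out that rule here, so treat it as an assumption about the router; the servers are simulated by callables and every user, password and secret is constructed.

```python
"""How an AAA method list is walked. Added example (not JUNOSe code): models the
standard rule that the next method is consulted only when the current one cannot
answer (server unreachable), never after an explicit reject. Server behaviour is
simulated with callables; users, passwords and secrets are constructed."""
from typing import Callable, Dict, List, Optional, Tuple

ACCEPT, REJECT, UNREACHABLE = "accept", "reject", "unreachable"
ServerFn = Callable[[str, str], str]  # (user, password) -> ACCEPT | REJECT | UNREACHABLE


def evaluate_method_list(methods: List[str], servers: Dict[str, ServerFn],
                         local: Dict[str, str], user: str, password: str) -> Tuple[str, Optional[str]]:
    """Return (decision, method that decided). `local` holds the 'enable' secret and the
    'line' password, the only methods that need no server."""
    for method in methods:
        if method == "none":                      # no authentication: anyone gets in
            return ACCEPT, method
        if method in ("enable", "line"):          # local secret comparison
            secret = local.get(method)
            return (ACCEPT if secret is not None and password == secret else REJECT), method
        result = servers[method](user, password)  # tacacs+ or radius
        if result != UNREACHABLE:                 # a PASS or FAIL answer is final
            return result, method
    return REJECT, None                           # nothing could answer: fail closed


def vty_login(method_lists: Dict[str, List[str]], applied: str, servers: Dict[str, ServerFn],
              local: Dict[str, str], user: str, password: str) -> Tuple[str, Optional[str]]:
    """Login on a vty line under aaa new-model: with no list to apply, nobody gets in."""
    methods = method_lists.get(applied)
    if methods is None:
        return REJECT, None
    return evaluate_method_list(methods, servers, local, user, password)


def simulate_server(reachable: bool, valid: Dict[str, str]) -> ServerFn:
    """Constructed stand-in for a TACACS+ or RADIUS server with a fixed user table."""
    def answer(user: str, password: str) -> str:
        if not reachable:
            return UNREACHABLE
        return ACCEPT if valid.get(user) == password else REJECT
    return answer


if __name__ == "__main__":
    lists = {"tac": ["tacacs+", "radius", "enable"], "weak": ["tacacs+", "none"]}
    local = {"enable": "en4ble"}
    servers = {"tacacs+": simulate_server(False, {}),                   # TACACS+ host down
               "radius": simulate_server(True, {"alice": "s3cret"})}
    print(vty_login(lists, "tac", servers, local, "alice", "s3cret"))   # ('accept', 'radius')
    print(vty_login(lists, "weak", servers, local, "mallory", "x"))     # ('accept', 'none')
```

The last print is the case to watch for in a config review: a list ending in `none` is wide open whenever the server in front of it is unreachable, which an attacker on the management path can often arrange.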
Use to enable TACACS+ accounting and capture accounting information for a specific JUNOSe privilege level on the router and to create accounting method lists. Specify the JUNOSe privilege level (0 through 15) for which to capture accounting information.
Use to allow privilege determination to be authenticated through the TACACS+ server. This command specifies a list of authentication methods that are used to determine whether a user is granted access to the privilege command level. The authentication methods that you can use in a list include these options: radius, line, tacacs+, none, and enable.
Use the no version to remove the authentication list from your configuration. See aaa authentication login. aaa new-model: Use to specify AAA new model as the authentication method for the vty lines on your router. If you specify AAA new model and you do not create an authentication list, users will not be able to access the router through a vty line.
example, no line vty 6 causes the router to remove lines 6 through 19. You cannot remove lines 0 through 4. See line. login authentication: Use to apply an authentication list to the vty lines you specified on your router. Example host1(config-line)#login authentication my_auth_list Use the no version to specify that the router should use the default authentication...
host1(config)#tacacs-server key &# 889khj Use the no version to reset a key value shared by all TACACS+ servers. See tacacs-server key. tacacs-server source-address: Use to set or reset an alternative source address to be used for TACACS+ server communications.
Chapter 10 Monitoring TACACS+ This chapter describes how to monitor the current TACACS+ configurations. TACACS+ topics are described in the following sections: Setting Baseline TACACS+ Statistics on page 323 Monitoring TACACS+ Statistics on page 323 Monitoring TACACS+ Information on page 325 Setting Baseline TACACS+ Statistics You can set a baseline for TACACS+ statistics.
show statistics tacacs Related Topics Monitoring TACACS+ Information Display TACACS+ information. Purpose To display TACACS+ information. Action
host1#show tacacs
Key = hippo
Timeout = <NOTSET>, built-in timeout of 5 will be used
Source-address = <NOTSET>
TACACS+ Configuration, (*) denotes inherited
--------------------------------------------
Search IP Address...
Note that the output prints the shared key in the clear, so treat captured show tacacs output as sensitive.
Table 67: show tacacs Output Fields (continued) Search Order: The order in which requests are sent to hosts until a response is received. show tacacs Related Topics Monitoring TACACS+ Information...
Part 3 Managing L2TP L2TP Overview on page 329 Configuring an L2TP LAC on page 337 Configuring an L2TP LNS on page 369 Configuring L2TP Dial-Out on page 405 L2TP Disconnect Cause Codes on page 417 Monitoring L2TP and L2TP Dial-Out on page 421 Managing L2TP...
Layer 2 Tunneling Protocol (L2TP) is a client-server protocol that allows Point-to-Point Protocol (PPP) to be tunneled across a network. This chapter includes the following topics that provide information for configuring L2TP on the Juniper Networks E Series Broadband Services Routers.
Figure 7: Using the E Series Router as an LAC. Figure 8: Using the E Series Router as an LNS. NOTE: The E Series router does not support terminating both ends of a tunnel or session in the same router.
Chapter 11: L2TP Overview Table 68: L2TP Terms (continued) L2TP network server (LNS): A node that acts as one side of an L2TP tunnel endpoint and is a peer to the LAC. An LNS is the logical termination point of a PPP connection that is being tunneled from the remote system by the LAC.
The client initiates a PPP connection with the router. The router and the client exchange Link Control Protocol (LCP) packets. For details about negotiating PPP connections, see the Configuring Point-to-Point Protocol chapter in JUNOSe Link Layer Configuration Guide. By using either a local database related to the domain name or RADIUS authentication, the router determines either to terminate or to tunnel the PPP connection.
The E Series PPP processes the proxy authentication data, if it is present, and passes the data to AAA for verification. (If the data is not present, E Series PPP requests the data from the remote system.) The router passes the authentication results to the remote system.
L2TP Platform Considerations For information about modules that support LNS and LAC on the ERX7xx models, ERX14xx models, and the ERX310 Broadband Services Router: See ERX Module Guide, Table 1, ERX Module Combinations for detailed module specifications.
E120 Router and E320 Router To use an LNS on an E120 router or an E320 router, you must install an ES2 4G line module (LM) with an ES2-S1 Service I/O adapter (IOA), or an IOA that supports the use of shared tunnel-server ports.
NOTE: In previous releases, the JUNOSe software required that you use the license l2tp-session command to configure a license to enable support for the maximum allowable L2TP sessions on ERX1440 routers, E120 routers, and E320 routers. The license l2tp-session command still appears in the CLI, but it has no effect on the actual enforced limit.
Chapter 12 Configuring an L2TP LAC An L2TP access concentrator (LAC) receives packets from a remote client and forwards them to an L2TP network server (LNS), on a remote network. You can configure your E Series router to function as an LAC. This chapter includes the following topics that provide information for configuring an L2TP LAC on the E Series router: LAC Configuration Prerequisites on page 337...
Assign a router ID IP address, such as that for a loopback interface, to the virtual router. This address must be reachable by the L2TP peer. host1:west(config)#ip router-id 10.10.45.3 CAUTION: You must explicitly assign a router ID to a virtual router rather than using a dynamically assigned router ID.
When the router is established as an LAC or LNS and is creating destinations, tunnels, and sessions, you can manage them as follows: Prevent the creation of new sessions, tunnels, and destinations. Close and reopen all or selected destinations, tunnels, and sessions. Configure drain timeout operations, which control the amount of time a disconnected LAC tunnel waits before restarting after receiving a restart request.
(1 hour), for which the router attempts to maintain dynamic destinations, tunnels, and sessions after they have been destroyed. The router uses a timeout of 600 seconds by default. This command facilitates debugging and other analysis by saving underlying memory structures after the destination, tunnel, or session is terminated.
host1(config)#l2tp drain Preventing Creation of New Tunnels and Sessions at a Destination You use the l2tp drain destination command to prevent the creation of new tunnels and sessions at a specific destination. The l2tp drain destination command and the l2tp shutdown destination command both affect the administrative state of L2TP for the destination.
Shutting Down Destinations, Tunnels, and Sessions You can configure how the router shuts down L2TP destinations, tunnels, and sessions. You can specify the following shut down methods, which also prevent the creation of new tunnels: 1.
The l2tp shutdown tunnel command and the l2tp drain tunnel command both affect the administrative state of L2TP for the tunnel. Although each command has a different effect, the no version of each command is equivalent. Each command’s no version leaves L2TP in the enabled state.
You use the aaa tunnel calling-number-format command to configure the router to generate AVP 22 in any of the following formats. Agent-circuit-id is suboption 1 of the tags supplied by the PPPoE intermediate agent from the DSLAM. Agent-remote-id is suboption 2.
Format for ATM interfaces: systemName (up to 4 bytes), slot (1 byte), adapter (1 byte), port (1 byte), VPI (3 bytes), VCI (5 bytes)
Format for Ethernet interfaces: systemName (up to 4 bytes), slot (1 byte), adapter (1 byte), port (1 byte), VLAN (8 bytes)
Format for serial interfaces: systemName (up to 4 bytes), slot (1 byte), adapter (1 byte)
adapter 1, port 2, VCI 3, and VPI 4, the virtual router displays the format in ASCII as ‘E’ ‘1’ ‘2’ ‘003’ ‘00004’. fixed-adapter-new-field If you set up the router to generate the L2TP Calling Number AVP in fixed-adapter-new-field format, the router formats the AVP to use a fixed format of up to 17 characters consisting of all ASCII fields with a 2-byte slot field, 1-byte adapter field, and 2-byte port field:...
NOTE: The use of the stacked keyword is not supported for VLAN subinterfaces based on agent-circuit-identifier information, otherwise known as ACI VLANs. When you issue the aaa tunnel calling-number-format fixed stacked, aaa tunnel calling-number-format fixed-adapter-embedded stacked, or aaa tunnel calling-number-format fixed-adapter-new-field stacked command for an ACI VLAN, the values that appear in the 4-byte S-VLAN ID and 4-byte VLAN ID fields are incorrect.
Set the format of the RADIUS Calling-Station-Id to fixed-format, and specify the optional stacked keyword to include the S-VLAN ID. host1(config)#radius calling-station-format fixed-format stacked If you use a RADIUS server to authenticate the L2TP tunnel parameters, you must configure the format for both the L2TP Calling Number AVP 22 (by using the aaa tunnel calling-number-format command) and the RADIUS Calling-Station-ID [31] attribute (by using the radius calling-station-format command).
fixed format, the router formats the AVP to use a fixed format of up to 15 characters consisting of all ASCII fields, as follows (the maximum number of characters for each field is shown in brackets): Fallback format for ATM interfaces: <system name [4]>...
Table: slot number to ASCII character mapping (one character per slot). For example, slot 16 is shown as the ASCII character uppercase G. Example The following command configures the fallback AVP 22 in fixed-adapter-embedded format: host1(config)#aaa tunnel calling-number-format-fallback fixed-adapter-embedded
For example, when you configure this fallback format on an E320 router for an ATM interface on system name eastern, slot 14, adapter 1, port 2, VCI 3, and VPI 4, the virtual router displays the format in ASCII as ‘14’...
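The fixed Calling Number formats described in this section, as an added example that is not code from the guide or from JUNOSe. It builds the AVP 22 string for ATM, Ethernet (plain and stacked) and serial interfaces with the guide's field widths, covers both the one-byte-slot fixed layout and the fixed-adapter-new-field layout (2-byte slot, 2-byte port), and parses the ATM layout back, which is handy when the AVP turns up in LNS logs or RADIUS Calling-Station-Id values. Three details are assumptions rather than statements in the guide: numeric fields are zero-padded (the guide's ‘003’ ‘00004’ suggests so), the system name is cut to its first four characters, and slots 0 through 9 map to digits while 10 and up map to uppercase letters (the guide shows only slot 16 as G). The system name eastern and the slot, adapter, port, VPI, VCI and VLAN numbers are constructed.

```python
"""Calling Number AVP 22 in the fixed formats described in this section. Added example,
not JUNOSe code. Field widths follow the guide: systemName up to 4, slot 1 (ASCII),
adapter 1, port 1, VPI 3, VCI 5 for ATM; VLAN 8 (or S-VLAN 4 + VLAN 4 when stacked)
for Ethernet; nothing after port for serial. fixed-adapter-new-field widens slot to 2
and port to 2 characters. Assumptions: numeric fields are zero-padded, the system name
is cut to 4 characters, slots 0-9 are digits and 10+ are uppercase letters."""
from typing import Optional


def slot_char(slot: int) -> str:
    """One-byte ASCII slot number: 0-9 as digits, 10 and up as 'A', 'B', ... (16 -> 'G')."""
    if 0 <= slot <= 9:
        return str(slot)
    if 10 <= slot <= 35:
        return chr(ord("A") + slot - 10)
    raise ValueError(f"slot {slot} does not fit in one ASCII character")


def _field(name: str, value: int, width: int) -> str:
    """Zero-pad `value` to `width` digits, refusing values that would overflow the field."""
    if value < 0 or value >= 10 ** width:
        raise ValueError(f"{name}={value} does not fit in {width} characters")
    return f"{value:0{width}d}"


def calling_number(system_name: str, slot: int, adapter: int, port: int, *,
                   vpi: Optional[int] = None, vci: Optional[int] = None,
                   vlan: Optional[int] = None, svlan: Optional[int] = None,
                   new_field: bool = False) -> str:
    """Build the AVP 22 string: ATM when vpi/vci are given, Ethernet when vlan is given
    (stacked when svlan is also given), serial otherwise."""
    text = system_name[:4]                      # assumption: first 4 characters only
    if new_field:                               # fixed-adapter-new-field: 2-byte slot and port
        text += _field("slot", slot, 2) + _field("adapter", adapter, 1) + _field("port", port, 2)
    else:                                       # fixed: one ASCII byte per field
        text += slot_char(slot) + _field("adapter", adapter, 1) + _field("port", port, 1)
    if vpi is not None or vci is not None:
        if vpi is None or vci is None:
            raise ValueError("ATM format needs both vpi and vci")
        text += _field("vpi", vpi, 3) + _field("vci", vci, 5)
    elif vlan is not None:
        if svlan is not None:
            text += _field("svlan", svlan, 4) + _field("vlan", vlan, 4)
        else:
            text += _field("vlan", vlan, 8)
    return text


def parse_atm(value: str, new_field: bool = False) -> dict:
    """Inverse of calling_number for the ATM layout. Parses from the right because the
    system name is variable-length; the slot letter is mapped back to a number."""
    vci, vpi, rest = int(value[-5:]), int(value[-8:-5]), value[:-8]
    if new_field:
        port, adapter, slot, name = int(rest[-2:]), int(rest[-3]), int(rest[-5:-3]), rest[:-5]
    else:
        port, adapter, name = int(rest[-1]), int(rest[-2]), rest[:-3]
        ch = rest[-3]
        slot = int(ch) if ch.isdigit() else ord(ch) - ord("A") + 10
    return {"system_name": name, "slot": slot, "adapter": adapter,
            "port": port, "vpi": vpi, "vci": vci}


if __name__ == "__main__":
    # Constructed: system name eastern, slot 14, adapter 1, port 2, VPI 3, VCI 4
    print(calling_number("eastern", 14, 1, 2, vpi=3, vci=4))                  # eastE1200300004
    print(calling_number("eastern", 14, 1, 2, vpi=3, vci=4, new_field=True))  # east1410200300004
    print(parse_atm("eastE1200300004"))
```

Because the fields are fixed-width, a slot above 35, a VPI above 999 or a VLAN above the field width cannot be represented; the encoder raises rather than silently truncating, which is the behaviour you want before the string is used as an identifier in RADIUS authorization.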
To prevent the LAC from sending the Calling Number AVP: host1(config)#l2tp disable calling-number-avp For more information about setting up the router to generate Calling Number AVP 22 in a format that includes either or both of the agent-circuit-id and agent-remote-id suboptions of the tags supplied by the PPPoE intermediate agent, see Configuring PPPoE Remote Circuit ID Capture in the JUNOSe Link Layer Configuration Guide.
After configuring a tunnel group and the attributes for its tunnels, you can assign the tunnel group to the domain map from Domain Map mode. The tunnel group reference in the domain map is used instead of tunnel definitions configured from Domain Map Tunnel configuration mode.
host1(config-domain-map-tunnel)#preference 5 (Optional) Specify an authentication password for the tunnel. host1(config-domain-map-tunnel)#password temporary NOTE: If you specify a password for the LAC, the router requires that the peer (the LNS) authenticate itself to the router. In this case, if the peer fails to authenticate itself, the tunnel terminates.
Specify a medium type for the tunnel. (L2TP supports only IP version 4 [IPv4].) host1(config-domain-map-tunnel)#medium ipv4 (Optional) Specify a default tunnel client name. host1(config-domain-map-tunnel)#exit host1(config-domain-map)#exit host1(config)#aaa tunnel client-name boxford If the tunnel client name is not included in the tunnel attributes that are returned from the domain map or authentication server, the router uses the default name.
(Optional) Disable the generation of authentication challenges by the local tunnel, so that the tunnel does not send a challenge during negotiation. However, the tunnel does accept and respond to challenges it receives from the peer. Disabling the local challenge means this router no longer verifies the peer's tunnel secret, so leave it enabled unless the peer cannot answer challenges. host1(config)#l2tp disable challenge Verify the L2TP tunnel configuration.
server-name, source-address, tunnel, tunnel group, type. Mapping User Domain Names to L2TP Tunnels from Tunnel Group Tunnel Mode To map a domain to an L2TP tunnel locally on the router from Tunnel Group Tunnel Configuration mode, perform the following steps: Specify an AAA tunnel group and change the mode to Tunnel Group Tunnel Configuration mode.
The LAC sends the hostname to the LNS when communicating to the LNS about the tunnel. The hostname can be up to 64 characters (no spaces). host1(config-tunnel-group-tunnel)#client-name host4 NOTE: If the LNS does not accept tunnels from unknown hosts, and if no hostname is specified, the LAC uses the router name as the hostname.
Specify that the RX Speed AVP is always generated. If you do not specify this command, the RX Speed AVP is generated only when the RX speed differs from the TX speed. host1(config)#l2tp rx-connect-speed-when-equal atm atm1483 advisory-rx-speed Related Topics l2tp rx-connect-speed-when-equal command...
NOTE: Always configure the lockout timeout to be shorter than the destruct timeout. The destruct timeout (as described in “Specifying a Destruct Timeout for L2TP Tunnels and Sessions” on page 339) overrides the lockout timeout: when the destruct timeout expires, all information about the locked-out destination is deleted, including the time remaining on the destination’s lockout timeout and the requirement to run a lockout test prior to returning the destination to service.
Verifying That a Locked-Out Destination Is Available You can use the l2tp destination lockout-test command to configure L2TP to test locked-out destinations; this verifies that a previously locked-out destination is available before the router changes the destination’s status. To verify the availability of locked-out destinations: host1(config)#l2tp destination lockout-test Configuring a Lockout Timeout...
Starting an Immediate Lockout Test You use the l2tp unlock-test destination command to force L2TP to immediately start the lockout test for the specified destination; any remaining lockout time for the destination is ignored. You must be at privilege level 10 or higher to use this command.
The router accepts a change in receive address only once, during the tunnel establishment phase, and only on an SCCRP packet. Subsequent changes result in the router dropping packets. Any changes do not affect established tunnels. Use the show l2tp command to display the SCCRP address change configuration.
the process. The router makes up to eight attempts to connect to a destination for a domain, one attempt for each preference level. If all destinations at a preference level are marked as unreachable, the router chooses the destination that failed first and tries to make a connection.
A and B at preference 0; C and D at preference 1. When the router attempts to connect to the domain, suppose it randomly selects tunnel B from preference 0. If it fails to connect to tunnel B, the router excludes tunnel B for five minutes and attempts to connect to tunnel A.
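The selection walk just described, as an added example that is not code from the guide or from JUNOSe. It models the LAC's choice for a domain: a random pick within the lowest-numbered preference level, the remaining destinations at that level tried next (the guide's B-then-A sequence), a five-minute exclusion after each failure, a move to the next level once a level is exhausted, a cap of eight preference levels, and the rule that when every destination at a level is still excluded the one that failed first is retried. Tunnel names A through D, the fake clock, the deterministic picker and the "which tunnels answer" function are constructed so the walk is reproducible; real use would pass `random.Random()` and `time.monotonic`.

```python
"""Destination selection across L2TP preference levels. Added example, not JUNOSe code.
Tunnel names, the clock, the picker and the connect results are constructed."""
import random
import time
from collections import defaultdict
from typing import Callable, Dict, List, Optional, Tuple

EXCLUSION_SECONDS = 5 * 60     # a failed destination is skipped for five minutes
MAX_PREFERENCE_LEVELS = 8      # the guide: up to eight attempts, one per preference level


class Tunnel:
    def __init__(self, name: str, preference: int):
        self.name, self.preference = name, preference
        self.failed_at: Optional[float] = None   # time of the last failed attempt


class DeterministicRNG:
    """Stand-in for random.Random in tests: always picks the last candidate."""
    def choice(self, seq):
        return seq[-1]


class TickClock:
    """Fake clock for tests: advances one second per call."""
    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        self.now += 1.0
        return self.now


class DomainSelector:
    def __init__(self, tunnels: List[Tunnel], rng=None,
                 clock: Callable[[], float] = time.monotonic):
        self.levels: Dict[int, List[Tunnel]] = defaultdict(list)
        for t in tunnels:
            self.levels[t.preference].append(t)
        self.rng = rng or random.Random()
        self.clock = clock

    def _reachable(self, t: Tunnel, now: float) -> bool:
        return t.failed_at is None or now - t.failed_at >= EXCLUSION_SECONDS

    def connect(self, try_connect: Callable[[Tunnel], bool]) -> Tuple[Optional[Tunnel], List[str]]:
        """Walk preference levels in ascending order. Returns the tunnel that connected
        (None if every level was exhausted) and the names tried, in order."""
        attempts: List[str] = []
        for pref in sorted(self.levels)[:MAX_PREFERENCE_LEVELS]:
            level = self.levels[pref]
            now = self.clock()
            pool = [t for t in level if self._reachable(t, now)]
            if not pool:
                # everything here is inside its exclusion window: retry the earliest failure
                pool = [min(level, key=lambda t: t.failed_at)]
            while pool:
                t = self.rng.choice(pool)
                pool.remove(t)
                attempts.append(t.name)
                if try_connect(t):
                    t.failed_at = None
                    return t, attempts
                t.failed_at = self.clock()
        return None, attempts


if __name__ == "__main__":
    tunnels = [Tunnel("A", 0), Tunnel("B", 0), Tunnel("C", 1), Tunnel("D", 1)]
    selector = DomainSelector(tunnels)
    chosen, tried = selector.connect(lambda t: t.name in {"C", "D"})   # pretend A and B are down
    print(chosen.name if chosen else None, tried)
```

Note what the exclusion buys an operator: a peer that is down stops absorbing one attempt per subscriber login for five minutes, but once both entries at a level are excluded the router still spends one attempt on the oldest failure before moving on, so a dead preference-0 pair adds a connect timeout to every login until it recovers.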
host1(config)#l2tp weighted-load-balancing Configuring the Weighted Load Balancing Method...
Chapter 13 Configuring an L2TP LNS An L2TP network server (LNS) is a node that acts as one side of an L2TP tunnel endpoint and is a peer to the LAC. An LNS is the logical termination point of a PPP connection that is being tunneled from the remote system by the LAC.
Assign a router ID IP address, such as that for a loopback interface, to the virtual router. This address must be reachable by the L2TP peer. host1:west(config)#ip router-id 10.10.45.3 CAUTION: You must explicitly assign a router ID to a virtual router rather than using a dynamically assigned router ID.
To configure an LNS, perform the following steps: Create a destination profile that defines the location of the LAC, and access L2TP Destination Profile Configuration mode. See “Creating an L2TP Destination Profile” on page 372. host1:boston(config)#l2tp destination profile boston4 ip address 192.168.76.20 host1:boston(config-l2tp-dest-profile)# Define the L2TP host profile and enter L2TP Destination Profile Host Configuration...
NOTE: When acting as the LNS, the E Series router supports dialed number identification service (DNIS). With DNIS, if users have a called number associated with them, the router searches the domain map for the called number. If it finds a match, the router uses the matching domain map entry information to authenticate the user.
If the destination address is 0.0.0.0, then any LAC that can be reached via the specified virtual router is allowed to access the LNS. If the destination address is nonzero, then it must be a host-specific IP address. A 0.0.0.0 destination therefore relies on tunnel authentication rather than on the peer address to keep unwanted LACs out. To create a destination profile: host1:boston(config)#l2tp destination profile boston ip address 10.10.76.12 host1:boston(config-l2tp-dest-profile)#...
Creating an L2TP Destination Profile on page 372 Related Topics l2tp destination profile Configuring the Maximum Number of LNS Sessions You can use the max-sessions command in both L2TP Destination Profile Configuration mode and L2TP Destination Profile Host Configuration mode to configure the number of sessions allowed by the L2TP network server (LNS).
of the Connect-Info attribute is as follows, where the TX speed and RX speed are equal to the respective L2TP AVPs: tx-speed[/rx-speed] The TX speed is always included in the attribute when the speed is not zero; however, inclusion of the RX speed depends on the keyword you use with the command.
To override result codes 4 and 5: host1:boston(config-l2tp-dest-profile-host)#session-out-of-resource-result-code-override Displaying the Current Override Setting You can view the current override setting for the LNS result codes in the L2TP destination profile. To display the current override setting: ERX(config)#show l2tp destination profile boston L2TP destination profile boston Configuration...
For example, an ERX1440 Broadband Services Router has tunnel-service modules installed in slots 4, 9, and 12. Using the load-balancing mechanism, the router determines that the SM in slot 4 can accommodate the first bundled session for MLPPP bundle A, and places it there.
Overriding All Endpoint Discriminators NOTE: We strongly recommend that you use this feature only with the support of JTAC. You can also configure the router to ignore the value of all endpoint discriminators when it selects a SM and to use only the bundled group identifier that you assigned by issuing the bundled-group-overrides-mlppp-ed command.
Related Topics: l2tp tunnel-switching. Creating Persistent Tunnels The E Series router supports persistent tunnels. A persistent tunnel is one that is configured to remain available. Persistent tunnels have only local significance; that is, they apply only to the end of the tunnel where they are set. If the other end of the tunnel chooses to terminate the tunnel, the tunnel is removed.
Configure drain timeout operations, which control the amount of time a disconnected LAC tunnel waits before restarting after receiving a restart request. Configure how many times the router retries a transmission if the initial attempt is unsuccessful.
NOTE: Sessions for which the AVP generation is enabled by the host-profile-specific disconnect-cause command continue to generate the AVP. Generating the Disconnect Cause AVP with a Host Profile You use the disconnect-cause command in L2TP Destination Profile Host Configuration mode to specify that the E Series LNS generate PPP Disconnect Cause Code AVPs.
Configuring the Receive Window Size You can configure the L2TP receive window size (RWS) for an L2TP tunnel. L2TP uses the RWS to implement a sliding window mechanism for the transmission of control messages. When you configure the RWS, you specify the number of packets that the L2TP peer can transmit without receiving an acknowledgment from the router.
Receive data sequencing is not ignored
Tunnel switching is disabled
Retransmission retries for established tunnels is 5
Retransmission retries for not-established tunnels is 5
Tunnel idle timeout is 60 seconds
Failover within a preference level is disabled
Weighted load balancing is disabled
Tunnel authentication challenge is enabled
Calling number avp is enabled...
Configuring Peer Resynchronization The JUNOSe software enables you to configure the peer resynchronization method you want the router to use. Peer resynchronization enables L2TP to recover from a router warm start and to allow an L2TP failed endpoint to resynchronize with its peer non-failed endpoint.
You can use the CLI or RADIUS to configure the resynchronization method for your router. 1. Configuring Peer Resynchronization for L2TP Host Profiles and AAA Domain Map Tunnels on page 386 2. Configuring the Global L2TP Peer Resynchronization Method on page 387 3.
host1(config)#l2tp destination profile lac-dest ip address 192.168.20.2 host1(config-l2tp-dest-profile)#remote host lac-host host1(config-l2tp-dest-profile-host)#failover-resync silent-failover To configure peer resynchronization for an AAA domain map tunnel: host1(config)#aaa domain-map lac-tunnel host1(config-domain-map)#tunnel 10 host1(config-domain-map-tunnel)#failover-resync silent-failover Configuring the Global L2TP Peer Resynchronization Method You can configure the peer resynchronization method globally, or for L2TP host profiles or domain map tunnels; a host profile or domain map tunnel configuration takes precedence over the global peer resynchronization configuration.
host1(config)#default l2tp failover-resync To disable peer resynchronization, use the no version of the command; this is the same as using the disable keyword: host1(config)#no l2tp failover-resync Using RADIUS to Configure Peer Resynchronization The JUNOSe software supports the use of RADIUS to configure the L2TP peer resynchronization method used by your L2TP tunnels.
AAA tunnel groups; RADIUS Access-Accept messages. If none of these methods are used, you can apply the L2TP tunnel switch profile as an AAA default tunnel parameter. The default tunnel switch profile has lower precedence than the other methods for applying the tunnel switch profile.
When you configure any of these AVP types for relay in an L2TP tunnel-switched network, the router preserves the value of an incoming AVP of this type when packets are switched between the inbound LNS session and the outbound LAC session. Configuration Tasks To configure and use an L2TP tunnel switch profile in an L2TP tunnel-switched network:...
host1(config)#l2tp switch-profile concord host1(config-l2tp-tunnel-switch-profile)# Configure the L2TP tunnel switching behavior for the interfaces to which this profile is assigned. Use the avp command with the relay keyword to cause the router to preserve the value of an incoming AVP of this type when packets are switched between an inbound LNS session and an outbound LAC session.
For more information about how to map a domain to an L2TP tunnel from Domain Map Tunnel Configuration mode, see “Mapping a User Domain Name to an L2TP Tunnel Overview” on page 352. From Domain Map Tunnel Configuration mode, issue the switch-profile command to apply the specified L2TP switch profile to the sessions associated with this domain map.
session, you can configure RADIUS to include the Tunnel-Switch-Profile RADIUS attribute (VSA 26-91) in RADIUS Access-Accept messages. For more information about RADIUS Access-Accept messages, see “Configuring RADIUS Attributes” on page 165. For more information about the Tunnel-Switch-Profile attribute, see “RADIUS IETF Attributes”...
“Using AAA Default Tunnel Parameters to Configure the Transmit Connect Speed Calculation Method” on page 400. RADIUS Include the Tunnel-Tx-Speed-Method RADIUS attribute (Juniper Networks VSA 26-94) in RADIUS Access-Accept messages. For instructions, see “Using AAA Default Tunnel Parameters to Configure the Transmit Connect Speed Calculation Method”...
If there is no explicit static configuration for the layer 2 interface, L2TP reports the speed of the underlying physical port as the transmit connect speed. Dynamic Layer 2 The dynamic layer 2 method calculates the transmit connect speed of the subscriber’s access interface based on the dynamically configured settings for the underlying layer 2 interface.
A transmit connect speed of 10 Mbps is provided dynamically from a RADIUS authentication server when the subscriber logs in. The transmit connect speed calculated by QoS is 5 Mbps. Based on these characteristics, Table 70 on page 397 lists the transmit connect speed value reported in L2TP Transmit (TX) Speed AVP 24 for each calculation method, and the reason why L2TP reports this value.
Table 71: Transmit Connect Speeds for L2TP over Ethernet Example (continued) Calculation method: Dynamic layer 2. Transmit connect speed reported in AVP 24: 100 Mbps. Reason: L2TP reports the static layer 2 value because the dynamic layer 2 setting does not apply to a VLAN subinterface.
For more information about how to map a domain to an L2TP tunnel from Domain Map Tunnel Configuration mode, see “Mapping a User Domain Name to an L2TP Tunnel Overview” on page 352. From Domain Map Tunnel Configuration mode, configure the calculation method for the transmit connect speed of the subscriber’s access interface.
To use RADIUS to configure the transmit connect speed calculation method for a subscriber’s access interface, you can configure RADIUS to include the Tunnel-Tx-Speed-Method RADIUS attribute (Juniper Networks VSA 26-94) in RADIUS Access-Accept messages. Table 72 on page 402 describes the Tunnel-Tx-Speed-Method RADIUS attribute. For more information about RADIUS Access-Accept messages, see “Configuring RADIUS...
Table 72: Tunnel-Tx-Speed-Method RADIUS Attribute
Attribute number: [26-94]. Attribute name: Tunnel-Tx-Speed-Method. Description: The method that the router uses to calculate the transmit connect speed of the subscriber’s access interface. Value: integer: 1 = static-layer2; TX speed based on static layer 2 settings...
(continued) Attribute names: Acct-Input-Packets, Acct-Output-Packets. Termination of a tunneled session can result from PPP termination, L2TP shutdown, subscriber logout, or lower layer down events. When the session is terminated through PPP, the software counts both the PPP terminate-request and the PPP terminate-acknowledgement packets.
Chapter 14 Configuring L2TP Dial-Out This chapter describes the Layer 2 Tunneling Protocol (L2TP) dial-out feature on your E Series router. This chapter includes the following sections: L2TP Dial-Out Overview on page 405 L2TP Dial-Out Platform Considerations on page 412 L2TP Dial-Out References on page 412 Before You Configure L2TP Dial-Out on page 413 Configuring L2TP Dial-Out on page 413...
Figure 10: Network Model for Dial-Out NOTE: The dial-out feature exists in the LNS only. It does not exist in the LAC. Terms Table 73 on page 406 describes key terms used in L2TP dial-out. Table 73: L2TP Dial-Out Terms...
the router to start a dial-out operation. The route includes a dial-out target (the virtual router context and the IP address of the remote site). When the router receives a packet destined for the target, it triggers a dial-out session to the target. The route is associated with a profile that holds parameters for the interface stack that the router builds as a result of the dial-out.
Table 74: Chassis Operational States
inService: Dial-out service is operational at the chassis level.
initializationFailed: Dial-out service could not obtain enough system resources for basic operation. All configuration commands fail, and the dial-out service does not function.
Sessions Table 77 on page 409 describes operational states of the sessions. Table 77: Session Operational States
authenticating: New sessions start in the authenticating state. In this state, the dial-out state machine has received a valid trigger and is waiting for authentication, authorization, and accounting (AAA) to complete the initial authentication.
Table 77: Session Operational States (continued)
dormant: A session enters the dormant state after completion of a postInhibited state. The dormant timer is initialized to the chassis-wide dormant timer value, minus the time the session spent in the postInhibited state. Receipt of a new trigger packet transitions the session to the authenticating state.
the E Series RADIUS client. The RADIUS authentication request is consistent with other requests, except that the Service-Type attribute is set to outbound (value of 5). Access-Accept Message The router expects RADIUS attributes that define a tunnel to be returned with the additions in Table 78 on page 411.
After an outgoing call is successfully signaled, the router dynamically creates a PPP interface. The profile in the dial-out route definition specifies any PPP configuration options. Both the L2TP session and the PPP interface exist on a Tunnel Service module, identical to the LNS operation for incoming calls.
Before You Configure L2TP Dial-Out Create a profile that the router uses to create the dynamic PPP and IP interfaces on the LNS. The profile specifies parameters that are common to all dial-out sessions that use the profile. The following is an example of a typical profile configuration. Create a profile.
Reset a dial-out session by forcing it to the dormant state.
host1#l2tp dial-out session reset 10.10.0.0
l2tp dial-out connecting-timer-value
Use to set the maximum time allowed for attempts to establish L2TP dial-out sessions. If the session fails to be established before the connecting timer expires, subsequent attempts to establish the dial-out session to the same destination are inhibited temporarily.
l2tp dial-out session delete
Use to delete a dial-out session. Closes any L2TP outgoing call associated with the dial-out session.
Example
host1#l2tp dial-out session delete 10.10.0.0
There is no no version.
See l2tp dial-out session delete
l2tp dial-out session reset
Use to force the dial-out session to the dormant state, where it remains until the dormant timer expires or it receives a new trigger.
“Monitoring Chassis-wide Configuration for L2TP Dial-out” on page 442
“Monitoring Status of Dial-out Sessions” on page 447
“Monitoring Dial-out Targets within the Current VR Context” on page 448
“Monitoring Operational Status within the Current VR Context” on page 450
Monitoring L2TP Dial-Out...
Chapter 15: L2TP Disconnect Cause Codes
L2TP Disconnect Cause Codes on page 417
L2TP Disconnect Cause Codes
Table 79 on page 417 describes the Point-to-Point Protocol (PPP) disconnect cause codes that are displayed by the show l2tp received-disconnect-cause-summary command, sorted by code number. For additional information, see RFC 3145.
Table 79: PPP Disconnect Cause Codes (Code, Name, Description)...
Table 79: PPP Disconnect Cause Codes (continued)
admin disconnect: The disconnection was a result of direct administrative action, including: the administrator shut down the network or link interface; the administrator logged out the subscriber.
renegotiation: Code 2 is not used;...
Chapter 15: L2TP Disconnect Cause Codes
Table 79: PPP Disconnect Cause Codes (continued)
lcp mlppp mrru not valid: The link attempted to join an existing MLPPP bundle whose peer maximum received reconstructed unit (MRRU) did not match the peer MRRU negotiated by the link.
Table 79: PPP Disconnect Cause Codes (continued)
ncp no negotiation completed: Code 17 is generated only if an NCP configuration error has prevented NCP negotiation from converging. This occurs when the two peers do not agree on acceptable NCP parameters within the time allowed for upper-layer negotiation.
Chapter 16: Monitoring L2TP and L2TP Dial-Out
When you have configured L2TP and L2TP dial-out on your E Series router, you can monitor the active tunnels and sessions.
NOTE: All of the commands in this chapter apply to both the LAC and the LNS.
L2TP and L2TP dial-out topics are described in the following sections:
Monitoring the Mapping for User Domains and Virtual Routers with AAA on page 422...
Monitoring the Mapping for User Domains and Virtual Routers with AAA
Purpose
Display the mapping between user domains and virtual routers.
Action
To display the mapping between user domains and virtual routers:
host1#show aaa domain-map
Domain: lac-tunnel;...
Chapter 16: Monitoring L2TP and L2TP Dial-Out
Table 80: show aaa domain-map Output Fields (continued)
override-username: Single username used for all users from a domain in place of the values received from the remote client
override-password: Single password used for all users from a domain in place of the values received from the remote client
Tunnel Tag...
Related Topics
show aaa domain-map
Monitoring Configured Tunnel Groups with AAA
Purpose
Display the currently configured tunnel groups.
Action
To display information about currently configured tunnel groups:
host1#show aaa tunnel-group
Tunnel Group: boston...
Table 81: show aaa tunnel-group Output Fields (continued)
strip-domain: Strip domain is enabled
override-username: Single username used for all users from a domain in place of the values received from the remote client
override-password: Single password used for all users from a domain in place of the values received from the remote client...
Related Topics
show aaa tunnel-group
The information displayed is almost identical to the tunnel information displayed using the show aaa domain-map command. See Monitoring the Mapping for User Domains and Virtual Routers with AAA on page 422.
Monitoring Configuration of Tunnel Parameters with AAA
Purpose
Display the configuration of tunnel parameters used for tunnel definitions.
Table 82: show aaa tunnel-parameters Output Fields (continued)
Tunnel calling number format fallback: Fallback format configured for L2TP Calling Number AVP 22 generated by the LAC
Related Topics
show aaa tunnel-parameters
Monitoring Global Configuration Status on E Series Routers
Purpose
Display the global configuration and status for L2TP on E Series routers, including...
Table 83: show l2tp Output Fields
Configuration: Configuration and status for L2TP on E Series routers, including switched sessions
L2TP administrative state: Status of L2TP on the router; enabled or disabled
Dynamic interface destruct timeout: Number of seconds that the router maintains dynamic...
Table 83: show l2tp Output Fields (continued)
Failover resync: Global L2TP peer resynchronization configuration
Sub-interfaces: Sub-interface information about L2TP
total: Number of destinations, tunnels, and sessions that the router created
active: Number of operational destinations, tunnels, and sessions...
Data rx 68383456 68383456
Data tx 68383456 68383456
Meaning
Table 84 on page 430 lists the show l2tp destination command output fields.
Table 84: show l2tp destination Output Fields
Configuration: Configured status of the destination
Administrative state: Administrative status of the destination:...
Related Topics
show l2tp destination
Monitoring Locked Out Destinations
Purpose
Display information about the L2TP destinations that are currently locked out.
Action
To display information about the L2TP destinations that are currently locked out:
host1#show l2tp destination lockout
L2TP destination 36 is waiting for lockout timeout (45 seconds remaining)
If a nondefault L2TP RWS is configured for a particular host profile, to display the RWS setting as an attribute of that host profile:
host1#show l2tp destination profile westford
L2TP destination profile westford
Configuration
Destination address
Transport ipUdp
Virtual router lns...
Table 86: show l2tp destination profile Output Fields
Destination profile attributes: Destination profile attributes of L2TP destination
Transport: Method used to transfer traffic
Virtual Router: Method used to transfer traffic
Peer address: IP address of the LAC
Destination profile maximum...
Related Topics
show l2tp destination profile
Monitoring Configured and Operational Status of All Destinations
Purpose
Display a summary of the configured and operational status of all L2TP destinations.
Action
To display a summary of the configured and operational status of all L2TP destinations:
host1#show l2tp destination summary...
Related Topics
show l2tp destination summary
Monitoring Statistics on the Cause of a Session Disconnection
Purpose
Display statistics for all information the LAC receives from an LNS about the cause of an L2TP session disconnection.
Action
To display statistics for all information the LAC receives from an LNS about the cause of an L2TP session disconnection:
Related Topics
show l2tp received-disconnect-cause-summary
Monitoring Detailed Configuration Information about Specified Sessions
Purpose
Display detailed configuration information about specified sessions.
Action
To display detailed configuration information about specified sessions:
To display L2TP sessions:
host1#show l2tp session
L2TP session 1/1/1 is Up
1 L2TP session found
To display L2TP session details:...
Table 89: show l2tp session Output Fields (continued)
SNMP traps: Whether or not the router sends traps to Simple Network Management Protocol (SNMP) for operational state changes
Session status: Session status of the destination
Effective administrative state: Most restrictive of the following administrative states:...
Table 90: show l2tp session summary Output Fields
Administrative status: Administrative status of the session: enabled (no restrictions on the creation of sessions); disabled (router disabled these sessions)
Operational status: Operational status of the session: up (session is available); down (session is unavailable)...
Table 91: show l2tp switch-profile Output Fields (continued)
AVP actionType action is: Indicates the tunnel switching behavior or action type (for example, relay) configured for the specified L2TP AVP type
Related Topics
show l2tp switch-profile
Monitoring Detailed Configuration Information about Specified Tunnels...
Transmit ZLB = 12
Transmit queue depth = 0
Retransmissions = 8
Tunnel operational configuration
Peer host name is 'Juniper-POS'
Peer vendor name is 'XYZ, Inc.'
Peer protocol version is 1.1
Peer firmware revision is 0x1120
Peer bearer capabilities are digital and analog
Peer framing capabilities are sync and async
Table 92 on page 440 lists the show l2tp tunnel command output fields.
Table 92: show l2tp tunnel Output Fields (continued)
State: Status of the enabled tunnel: idle, connecting, established, disconnecting
Local and peer tunnel id: Names the router used to identify the tunnel locally and remotely
Sub-interfaces: Sub-interface information for the enabled tunnel:...
Related Topics
show l2tp tunnel
Monitoring Configured and Operational Status of All Tunnels
Purpose
Display a summary of the configured and operational status of all L2TP tunnels.
Action
To display a summary of the configured and operational status of all L2TP tunnels:
host1#show l2tp tunnel summary
Administrative status...
This command displays aspects of the dial-out state machine and details about the dial-out routes themselves. This section presents sample output. The actual output on your router may differ significantly.
Action
To display chassis-wide configuration, operational state, and statistics for L2TP dial-out:
host1#show l2tp dial-out...
Sessions reset:
Triggers received:
Triggers enqueued:
Triggers discarded:
Triggers forwarded:
Triggers max enqueued:
Authentication requests:
No resources for authentication:
Authentication grants:
Authentication Denies:
Dial-outs requested:
Dial-outs rejected:
Dial-outs established:
Dial-outs timed out:
Dial-outs torn down:
To display summary information for chassis-wide configuration:
host1#show l2tp dial-out summary
Virtual routers in init pending state :...
Table 94: show l2tp dial-out Output Fields (continued)
Current sessions in the process of connecting: Sessions currently in the connecting state
Maximum sessions connecting at one time: Highest number of sessions recorded on the chassis at the same time since the last router restart
Current sessions pending...
Table 94: show l2tp dial-out Output Fields (continued)
Sessions in inhibited state: Sessions on the VR that are in the inhibited state
Sessions in post-inhibited state: Sessions on the VR that are in the postInhibited state
Sessions in failed state: Sessions on the VR that are in the failed state
Dial-out target statistics...
Table 94: show l2tp dial-out Output Fields (continued)
Dial-outs rejected: Outgoing call requests that were rejected
Dial-outs established: Successful outgoing calls before the connecting timer expired
Dial-outs timed out: Number of times the connecting timer expired
Dial-outs torn down: Successful outgoing calls that were terminated...
host1#show l2tp dial-out session detail
To display information about the operational or administrative state:
host1#show l2tp dial-out session state connecting
To display dial-out information across all virtual routers:
host1#show l2tp dial-out session allVirtualRouters
NOTE: The level of a user’s permission determines the use of the allVirtualRouters option.
To display detailed information about a particular target, specify the target IP address and mask:
host1:dialout#show l2tp dial-out target 10.1.1.0/24
Target 10.1.1.0/24
Operational status: up
Active sessions: 10
Total triggers: 127
Failed sessions: 2
Connected sessions: 8
To display aggregate counts for targets in each of the possible operational and administrative states:...
For detailed information about operational states, see Dial-Out Operational States on page 407.
Related Topics
show l2tp dial-out target
Monitoring Operational Status within the Current VR Context
Purpose
Display dial-out state machine operational status and statistics within the current VR context.
Table 97: show l2tp dial-out virtual-router Output Fields
Virtual router: Name of VR
Virtual router operational status: Operational status of the VR
Maximum trigger buffers per session: Maximum number of trigger packets held in buffer while the dial-out session is being established
For detailed information about operational states, see Dial-Out Operational States...
Part 4: Managing DHCP
DHCP Overview on page 455
DHCP Local Server Overview on page 463
Configuring DHCP Local Server on page 471
Configuring DHCP Relay on page 489
Configuring the DHCP External Server Application on page 517
Monitoring and Troubleshooting DHCP on page 533
Chapter 17: DHCP Overview
The Dynamic Host Configuration Protocol (DHCP) provides a mechanism through which computers using Transmission Control Protocol/IP (TCP/IP) can obtain protocol configuration parameters automatically from a DHCP server on the network. The following sections provide overview information for the E Series router DHCP support:
DHCP Overview Information on page 455
DHCP Platform Considerations on page 456...
Session and Resource Control Software
The Session and Resource Control (SRC) software, formerly the Service Deployment System (SDX) software, is a component of Juniper Networks management products. The SRC software provides a Web-based interface that allows subscribers to access services, such as the Internet, an intranet, or an extranet.
Configuring DHCP Proxy Clients
DHCP proxy client support enables the router to obtain an IP address from a DHCP server for a remote PPP client. Each virtual router (acting as a DHCP proxy client) can query up to five DHCP servers.
Direct the router to request IP addresses for remote users from the DHCP server(s).
host1(config)#ip address-pool dhcp
Related Topics
ip address-pool
ip dhcp-server
Logging DHCP Packet Information
The JUNOSe software enables you to collect and log DHCP packet information for all JUNOSe DHCP access models on a per-interface basis.
Related Topics
ip dhcp-capture
Viewing and Deleting DHCP Client Bindings
The JUNOSe software provides commands that enable you to manage your router’s DHCP external server, DHCP local server, and DHCP relay proxy client bindings. A client binding associates an IP address with a DHCP client, and describes both the client (for example, hardware address and state) and the IP address (for example, subnet and lease time).
all-relay-proxy: All DHCP relay proxy client bindings
binding-id: DHCP binding ID for a specific client
circuit-id: Agent-circuit-id suboption (suboption 1) string of the DHCP relay agent information option (option 82); the circuit ID string supports matching of both regular expression metacharacters and nonprintable ASCII characters in binary sequences
external: DHCP external server bindings that meet the deletion criteria...
To delete DHCP client bindings without a lower-layer interface:
host1:vr1#dhcp delete-binding no-interface
To delete DHCP client bindings with the specified interface string:
host1:vr2#dhcp delete-binding interface ip71.*4
This dhcp delete-binding command uses the * (asterisk) regular expression metacharacter in the interface string to delete DHCP client bindings on virtual router vr2 with an IP address beginning with 71 and ending with 4.
For information about configuring the DHCPv6 local server, see “Configuring the DHCPv6 Local Server” on page 483.
In equal-access mode, the DHCP local server works with the Juniper Networks SRC software to provide an advanced subscriber configuration and management service.
...Wireless LANs (PWLANs). In PWLANs, a user scans for available broadband networks, then is redirected to a web-based authentication mechanism to request service. DHCP provides address assignment information for users. Authentication, authorization, and accounting are separate processes, and are up to the Internet service provider (ISP) to define.
Chapter 18: DHCP Local Server Overview
Table 98: Local Pool Selection in Equal-Access Mode
Framed IP address: The client’s entry can be configured with a framed IP address, which the DHCP local server can get from the SRC software (formerly the SDX software).
NOTE: If a DHCP client attempts to renew its address and the DHCP server receives the request on a different interface than the interface that the client originally used, the DHCP server sends a NAK message to the client, forcing the client to begin the DHCP connection process again.
Table 99: Local Pool Selection in Standalone Mode Without AAA Authentication
Giaddr: A giaddr, which indicates a client’s subnetwork, can be presented to the DHCP local server in the client DHCP REQUEST message.
Table 100: Local Pool Selection in Standalone Mode with AAA Authentication (continued)
Giaddr: A DHCP local pool is configured with a network address. A gateway IP address (giaddr), which indicates a client’s subnetwork, can be presented to the DHCP local server in the client’s DHCP request message.
For information about defining IP addresses, see the Configuring IP chapter in JUNOSe IP, IPv6, and IGP Configuration Guide.
DHCP Local Server Configuration Tasks
This section covers the configuration tasks for equal-access and standalone modes. Perform the appropriate procedure:
For both equal-access and standalone modes, configure the DHCP local server.
Chapter 19: Configuring DHCP Local Server
This chapter provides information for configuring the DHCP local server on the E Series Broadband Services Routers. This chapter contains the following sections:
Configuring the DHCP Local Server on page 471
Configuring DHCP Local Address Pools on page 478
Configuring AAA Authentication for DHCP Local Server Standalone Mode on page 481
Configuring the DHCPv6 Local Server on page 483...
If you do not specify a mode, equal-access mode is activated by default. When you activate equal-access mode, Common Open Policy Service usage for policy provisioning (COPS-PR) and the SRC client are automatically started on the virtual router.
To configure the DHCP local server:
Enable the DHCP local server for either equal-access or standalone mode.
Chapter 19: Configuring DHCP Local Server
Limiting the Number of IP Addresses Supplied by DHCP Local Server
You can specify the maximum number of IP addresses that the DHCP local server can supply to each VPI/VCI, VLAN, Ethernet subnetwork, or POS access interface type, or to a particular interface or subinterface.
Configuring DHCP Local Server to Support Creation of Dynamic Subscriber Interfaces
You can use the ip dhcp-local auto-configure agent-circuit-identifier command to configure the DHCP local server to support the creation of dynamic subscriber interfaces built over dynamic VLANs that are based on the agent-circuit-id option (suboption 1) of the option 82 field in DHCP messages.
...client. The determination is based on whether the DHCP clients exist on the same or on different subnets and subinterfaces.
Location of DHCP Clients with Identical IDs or Addresses / How DHCP Local Server Differentiates Clients
On different subinterfaces in the ... / By unique subinterface...
Clearing an IP DHCP Local Server Binding
NOTE: This command is deprecated and might be removed completely in a future release. The function provided by this command has been replaced by the dhcp delete-binding command.
You can use the clear ip dhcp-local binding command to force the removal of a connected user's IP address lease and associated route configuration.
Using DHCP Local Server Event Logs
To troubleshoot and monitor your DHCP local server, use the following system event logs:
dhcpLocalClients: DHCP local server client events and duplicate MAC address detection
dhcpLocalGeneral: DHCP local server infrastructure-related events and number-of-clients threshold events
NOTE: The dhcpLocalGeneral category replaces the dhcpLocalServerGeneral category.
logout subscribers command
service dhcp-local
ipv6 local pool
Configuring DHCP Local Address Pools
Tasks to configure DHCP local address pools include:
Basic Configuration of DHCP Local Address Pools on page 478
Linking Local Address Pools on page 480
Setting Grace Periods for Address Leases on page 480
Basic Configuration of DHCP Local Address Pools
To configure the DHCP local address pool:...
Specify the number of days and, optionally, the number of hours, minutes, and seconds. Use the keyword infinite to specify a lease that does not expire. The default lease time is 30 minutes.
(Optional) Link the DHCP local address pool being configured to another local address pool.
host1(config-dhcp-local)#snmpTrap
host1(config-dhcp-local)#warning 50 40
(Optional) Configure a grace period for address leases allocated from the current DHCP local address pool. Specify the number of days and, optionally, the number of hours, minutes, and seconds in the grace period.
host1(config-dhcp-local)#grace-period 0 12
This command applies only to address leases that expire.
NOTE: Configuring a new grace period that is shorter than the address pool’s current grace period immediately terminates any existing address leases that are in the grace period state and that have already exceeded the length of the new grace period. An address continues to be counted against the address pool resources while in a grace period.
NOTE: The nondomain portion of a constructed username must contain at least one character. Otherwise, the DHCP local server rejects the DHCP client without performing the AAA authentication request.
When using authentication, AAA accepts the DHCP client as a subscriber; this enables you to use show commands to monitor configuration information and statistics about the client.
circuit-identifier: Specifies the circuit identifier of the interface on which the DHCP client’s request was received.
circuit-type: Specifies the circuit type of the interface on which the DHCP client’s request was received.
mac-address: Specifies the DHCP client’s MAC address.
option82: Specifies the DHCP client’s option 82 value.
NOTE: You must add a vendor-specific attribute to RADIUS to enable E Series routers to retrieve IPv6 Domain Name System (DNS) addresses.
Use the following steps to configure the DHCPv6 local server:
Enable the DHCPv6 local server.
host1(config)#service dhcpv6-local
Specify the IPv6 prefix and lifetime that are to be delegated to the DHCPv6 client.
ipv6 dhcpv6-local delegated-prefix
ipv6 dhcpv6-local dns-domain-search
ipv6 dhcpv6-local dns-server
ipv6 dhcpv6-local prefix-lifetime
Deleting DHCPv6 Client Bindings
The JUNOSe software enables you to manage your router’s DHCPv6 local server client bindings. The client binding associates an IPv6 prefix with a unique DHCP ID (DUID) of the subscriber client.
Monitoring DHCPv6 Local Server Binding Information on page 567
Configuring the Router to Work with the SRC Software
E Series Broadband Services Routers have an embedded SRC client that interacts with the SRC software. For information about configuring the SRC client, see “Configuring the SRC Client”...
host1(config-if)#exit
host1(config)#interface fastEthernet 2/0
host1(config-if)#ip unnumbered loopback 0
Configure the parameters to enable the router to forward authentication requests to the RADIUS server.
host1(config)#radius authentication server 10.10.1.2
host1(config)#udp-port 1645
host1(config)#key radius
Specify the authentication method.
host1(config)#aaa authentication ppp default radius
host1(config)#aaa authentication ppp default none
Enable the DHCP local server.
Chapter 20: Configuring DHCP Relay
The Dynamic Host Configuration Protocol (DHCP) provides a mechanism through which computers using Transmission Control Protocol/IP (TCP/IP) can obtain protocol configuration parameters automatically from a DHCP server on the network. The following sections describe how to configure your E Series router to provide DHCP support:
Configuring DHCP Relay and BOOTP Relay on page 489
Configuring DHCP Relay Proxy on page 512...
Enabling DHCP Relay
You use the set dhcp relay command to create and enable DHCP relay in the current virtual router. Include the IP address variable to enable DHCP relay and BOOTP relay and to specify an IP address for the DHCP server.
NOTE: When this feature is configured, the client bypasses the DHCP relay component and communicates directly with the DHCP server to request address renewal or to release the address. The DHCP relay component has no role in determining when or whether to remove the installed host route.
...detect spoofed giaddrs. Also, DHCP relay does not detect spoofed relay agent option values. Spoofed giaddrs are a concern when the DHCP relay is used if the giaddr value in received DHCP packets is different from the local IP address on which the DHCP relay is accessed.
To display whether support for broadcast flag replies is currently on or off on the router, use the show dhcp relay command. For information, see “Monitoring and Troubleshooting DHCP” on page 533. To troubleshoot applications that use this feature, you can use the dhcpCapture system event log category.
Table 101: Router Configuration and Transmission of DHCP Reply Packets (continued)
Columns: Broadcast Flag Replies | Layer 2 Unicast Replies | Router Behavior if Broadcast Flag Set | Router Behavior if Broadcast Flag Not Set
Disabled (off) | Disabled (off) | DHCP relay and DHCP relay proxy broadcast... | DHCP relay and DHCP relay...
...commands similar to the following to create demultiplexer table entries and a subnet route that points to the static subscriber interface. In the example, the host routes are associated with the primary IP interface on Gigabit Ethernet 1/0.
...option (option 82). You can use the radius remote-circuit-id-format command to configure the following nondefault formats for the PPPoE remote circuit ID value:
Include either or both of the agent-circuit-id (suboption 1) and agent-remote-id (suboption 2) suboptions of the DHCP relay agent information option, with or without the NAS-Identifier [32] RADIUS attribute.
Page 537
To display whether the layer 2 unicast method is currently on or off on the router, use the show dhcp relay command. For information, see “Monitoring and Troubleshooting DHCP” on page 533. The dhcpRelayGeneral logging event category uses the debug severity level to log DHCP reply packets that are transmitted to clients using a layer 2 unicast address and a layer 3 broadcast address.
Page 538
match any strings you have configured; for example, you might specify that all clients with non-matching strings be dropped. You use the set dhcp vendor-option command to configure vendor-option (option 60) strings to control DHCP client traffic. Create DHCP vendor-option servers by configuring DHCP relay to match DHCP option 60 strings and to specify what action to use for the traffic.
* - the configured vendor-string is an exact match
default - all DHCP client packets not matching a configured vendor-string
implied - the DHCP application is configured but has not been enabled with the vendor-option command
drop - the DHCP application responsible for the action has not been configured yet; therefore all packets for this application...
Ethernet interfaces. Use this keyword to remove the subinterface ID from the Interface-Id field. The hostname and vrname keywords are a toggle; that is, specifying either hostname or virtual router name turns off the other selection.
To configure the relay agent option 82 information:
host1(config)#set dhcp relay options hostname
Preventing Option 82 Information from Being Stripped from Trusted Client Packets...
Page 542
Layer 2 Circuit ID (type 1): The hexadecimal representation of the layer 2 identifier in the Agent Circuit ID (suboption 1) value (for example, the ATM VPI/VCI or Ethernet SVLAN/VLAN ID). You can configure this suboption type without the Agent Circuit ID.
Table 102: Effect of Commands on Option 82 Suboption Settings
Command | Agent Circuit ID | Agent Remote ID | Vendor-Specific
set dhcp relay agent sub-option circuit-id | Enable | No change | No change
set dhcp relay agent sub-option remote-id | No change | Enable | No change...
Page 544
length field specifies the total length of all TLV tuples. The JUNOSe software enterprise number is 4874 (0x130a). The format of the Layer 2 Circuit ID type field (type 1) is hexadecimal. The data field length of a normal non-stacked VLAN is 2 bytes, with the VLAN ID occupying the 12 low-order bits of the value;...
L2 Circuit ID type: 1
JUNOSe data len: 9 bytes
JUNOSe IANA: 13 0a
subopt 9 len: 14 bytes
subopt code: 9
Using the set dhcp relay agent sub-option Command to Enable Option 82 Suboption Support
NOTE: We recommend that you use the set dhcp relay agent sub-option command for new option 82 suboption configurations.
suboption contains a string with the username and domain name in the format: username@domainname. The Vendor-Specific suboption contains a value that includes a JUNOSe data field. You can configure the data field to support one or both of the following values:
layer2-circuit-id (type 1): The hexadecimal representation of the layer 2 identifier in the Agent Circuit ID (suboption 1) value (for example, the ATM VPI/VCI or Ethernet SVLAN/VLAN ID).
Figure 13: Passing 802.1p Values to the DHCP Server (DHCP client: sends DHCP packet with assigned 802.1p user priority; DHCP relay: ingress VLAN policy maps 802.1p to UPC, and the relay agent copies UPC into the option 82 vendor-specific suboption; DHCP server: uses UPC in option 82 to determine the IP address)...
Page 549
host1(config)# run show policy-list dot1pToUpc
Policy Table
------ -----
VLAN Policy dot1pToUpc
Administrative state: enable
Reference count:
Classifier control list: dot1p0, precedence 100
user-packet-class 0
Classifier control list: dot1p1, precedence 100
user-packet-class 1
Classifier control list: dot1p2, precedence 100
user-packet-class 2
Classifier control list: dot1p3, precedence 100
user-packet-class 3...
Restore Client Timeout: 72
Inhibit Access Route Creation: off
Assign Giaddr to Source IP: off
Layer 2 Unicast Replies: off
Giaddr Selects Interface: off
Relay Agent Information Option (82):
Override Giaddr: off
Override Option: on
Trust All Clients: on
Preserve Option From Trusted Clients: off
Circuit-ID Sub-option (1): on...
lag bundleA.1:2
relayVr:lag bundleA:2
bostonHost:lag bundleA.1:2
LAG interface with Stacked VLAN: [<hostname>|<vrname>:]<interface type> <bundle name>[.<sub-if>]: <svlan id>-<vlan id>
Examples:
lag bundleA.1:2-3
relayVr:lag bundleA:2-3
bostonHost:lag bundleA.1:2-3
The remote-id-only keyword specifies the Agent Remote ID suboption, which contains a value only when (1) the interface is a dynamic ATM interface and (2) the subscriber command is used to configure a username and domain name for the interface.
NOTE: The E Series router configured as a DHCP relay proxy must be the first hop from the DHCP client. If it is not the first hop, the router defaults to the DHCP relay configuration.
Enabling DHCP Relay Proxy
Enable DHCP relay proxy and specify an IP address for the DHCP server.
Removing routes when DHCP clients release their DHCP-assigned addresses or when the addresses expire
When a DHCP client sends a request to an external DHCP server, the relay proxy receives the request and forwards it to the external DHCP server. The relay proxy then sends the DHCP server’s response back to the client.
Page 555
client regardless of the current configuration of the set dhcp relay layer2-unicast-replies command or the set dhcp relay broadcast-flag-replies command. These commands control the transmission method used for DHCP reply packets. This behavior applies only to DHCP relay proxy; it does not apply to DHCP relay because DHCP relay does not maintain a list of active clients or receive address renewal requests from clients.
Chapter 21 Configuring the DHCP External Server Application
The following sections describe how to configure the DHCP external server application on the E Series router:
DHCP External Server Overview on page 517
Preservation of Dynamic Subscriber Interfaces with DHCP External Server Overview on page 519
DHCP External Server Identification of Clients with Duplicate MAC Addresses Overview on page 520...
Page 558
The services provided by integrating the E Series router’s DHCP external server application with SRC software are similar to those provided when the DHCP local server is integrated with SRC software. The router’s DHCP external application is used together with other features of the router to provide subscriber management.
Chapter 21: Configuring the DHCP External Server Application
If the SRC software is configured, the router also performs the following actions:
Alerts the SRC software that the dynamic subscriber interface exists
Alerts the SRC software that the subscriber’s address exists and provides DHCP options
The SRC software then provides its enhanced services to the subscriber.
ip dhcp-external recreate-subscriber-interface command from Global Configuration mode. When a bound DHCP client restarts the discovery process on a different primary IP interface than the interface on which it initiated the original discovery process, the DHCP external server application always deletes and re-creates the existing dynamic subscriber interfaces for that client.
By default, DHCP external server uses only the MAC address to uniquely identify DHCP clients. The default setting for DHCP external server is also referred to as unique MAC mode. To enable duplicate MAC mode for the DHCP external server application, you must issue the dhcp-external duplicate-mac-address command from Global Configuration mode.
mode, if DHCP external server is configured for duplicate MAC mode and is currently managing any DHCP clients. Do not enable duplicate MAC mode for the DHCP external server application when it is configured in the same VR with either of the following:
An instance of the DHCP relay application that is currently managing host routes
Any instance of the DHCP relay proxy application...
Related Topics: service dhcp-external
Monitoring DHCP Traffic Between Remote Clients and DHCP Servers
You can configure the router to monitor DHCP packets between remote clients and specified DHCP servers. You can specify up to four DHCP servers.
To monitor DHCP packets between remote clients and a DHCP server:
Issue the ip dhcp-external server-address command and specify the IP address of the DHCP server:...
The dropped traffic situation can occur because of the way some DSLAMs create the giaddr that is sent to the DHCP external server application. Some Ethernet DSLAMs use a DHCP relay implementation that inserts giaddr values and relay agent options in DHCP packets that are received from end users.
Page 565
Issue the ip dhcp-external auto-configure command with the agent-circuit-identifier keyword from Global Configuration mode:
host1(config)#ip dhcp-external auto-configure agent-circuit-identifier
The use of the option 82 field enables you to stack an IP interface that is associated with a particular subscriber over a dynamically created VLAN;...
Related Topics: ip dhcp-external auto-configure
Configuring DHCP External Server to Control Preservation of Dynamic Subscriber Interfaces
You can configure the DHCP external server application to delete and re-create the dynamic subscriber interface after a bound client restarts the discovery process on its primary IP interface.
Related Topics: Preservation of Dynamic Subscriber Interfaces with DHCP External Server Overview on page 519; ip dhcp-external recreate-subscriber-interface
Configuring Dynamic Subscriber Interfaces for Interoperation with DHCP Relay and DHCP Relay Proxy
When you configure the DHCP relay application or the DHCP relay proxy application in the same virtual router (VR) as the DHCP external server application, we recommend that you define interface profiles to create the dynamic subscriber interfaces when the primary IP interface is static.
Use the exclude-primary keyword in the ip auto-configure ip-subscriber command to specify that the primary interface cannot be assigned to a subscriber. If you have issued the ip dhcp-external server-sync command to resynchronize the DHCP external server application with the router and to support creation of subscriber state information based on lease renewals, you must do either of the following to ensure that the unicast acknowledgment (ACK) response to the renewal request has a route back to the DHCP client that generated the renewal...
Page 569
To delete all clients:
host1#dhcp-external delete-binding all
To delete a specific client:
host1#dhcp-external delete-binding binding-id 3972819365
Related Topics: dhcp delete-binding; dhcp-external delete-binding
Deleting Clients from a Virtual Router’s DHCP Binding Table...
Configuring DHCP External Server to Uniquely Identify Clients with Duplicate MAC Addresses
You can configure the DHCP external server application to use a combination of the MAC address and giaddr to uniquely identify DHCP clients attached to the router. This behavior is also referred to as duplicate MAC mode.
Configuring DHCP External Server to Re-Authenticate Auto-Detected Dynamic Subscriber Interfaces
You can use the ip re-authenticate-auto-detect ip-subscriber command to re-authenticate the auto-detected subscribers or Dynamic Subscriber Interfaces (DSIs) created on static and dynamic primary IP interfaces, using the DHCP options when the DHCP external application manages the DSIs following a cold boot.
Page 572
Chapter 22 Monitoring and Troubleshooting DHCP
This chapter describes the commands you can use to monitor and troubleshoot DHCP support on E Series routers.
Setting Baselines for DHCP Statistics on page 534
Monitoring Addresses Excluded from DHCP Local Server Use on page 535
Monitoring DHCP Bindings on page 536
Monitoring DHCP Binding Information on page 537
Monitoring DHCP Binding Count Information on page 540...
Monitoring DHCPv6 Local Server DNS Servers on page 569
Monitoring DHCPv6 Local Server Prefix Lifetime on page 569
Monitoring DHCPv6 Local Server Statistics on page 570
Monitoring Duplicate MAC Addresses Use By DHCP Local Server Clients on page 571
Monitoring the Maximum Number of Available Leases on page 572
Monitoring Static IP Address and MAC Address Pairs Supplied by DHCP Local...
Chapter 22: Monitoring and Troubleshooting DHCP
Setting a Baseline for DHCP External Server Statistics
To set a baseline for DHCP external server statistics:
Issue the baseline ip dhcp-external command:
host1#baseline ip dhcp-external
There is no no version.
Setting a Baseline for DHCP Local Server Statistics
To set a baseline for DHCP local server statistics:
Issue the baseline ip dhcp-local command:
host1#baseline ip dhcp-local...
home.com 10.10.3.1
cable4 10.10.4.1
cable5 10.10.5.1
Meaning: Table 103 on page 536 lists the show ip dhcp-local excluded command output fields.
Table 103: show ip dhcp-local excluded Output Fields
Pool: Name of the pool that contains the excluded address
Low Address: Excluded address or first address in a range of addresses...
Monitoring DHCP Binding Information
Purpose: Display information for specified DHCP client bindings, with results arranged in ascending order by binding ID.
NOTE: The show dhcp binding command replaces the show ip dhcp-external binding, show ip dhcp-external binding-id, and show ip dhcp-local binding commands, which are deprecated and might be removed completely in a future release.
Page 578
To display binding information for DHCP clients with a specified interface string:
host1:vr2#show dhcp binding interface ip71.*4
BindingId HwAddress Type IpSubnet IpAddress State
---------- -------------- -------- -------- --------- -----
3053453315 7000.0002.9365 external 0.0.0.0 71.1.0.4 bound
3053453325 7000.000c.9365...
host1:vr1#show dhcp binding relay proxy no-interface
To display binding information for DHCP clients that match the specified remote ID string:
host1:vr1#show dhcp binding remote-id “remote id.*even”
Filtering the display of DHCP client bindings by the circuit ID string or remote ID string is not supported for the DHCP external server application.
Table 104: show dhcp binding Output Fields (continued)
Agent Remote Id: Suboption 2 of the DHCP relay agent information option
Vendor Specific: Suboption 9 of the DHCP relay agent information option
Related Topics: show dhcp binding
To compare the output of the show dhcp binding command and the show dhcp...
command displays information for the DHCP client bindings on virtual router vr3 with the specified circuit ID string, with results arranged in ascending order by binding
To display count information for DHCP local server client bindings and interfaces with a specified subnet address:
host1:vr1#show dhcp count local 0.0.0.0
To display count information for DHCP client bindings and interfaces with a specified...
Related Topics: show dhcp count
Monitoring DHCP Binding Host Information
Purpose: Display information for specified DHCP client bindings, with results arranged in ascending order by IP address. The show dhcp host command displays information only for DHCP client bindings with assigned IP addresses.
Table 106: show dhcp host Output Fields (continued)
IpSubnet: For DHCP local server bindings, the subnet of the IP address assigned to the client; 0.0.0.0 for DHCP external server and DHCP relay proxy bindings
IpAddress: IP address assigned to client...
Meaning: Table 108 on page 546 lists the show ip dhcp-external binding-id command output fields.
Table 108: show ip dhcp-external binding-id Output Fields
Binding Id: DHCP client binding ID option value associated with the user
Hardware: MAC address of the subscriber’s computer
Giaddr...
Meaning: Table 109 on page 547 lists the show ip dhcp-local binding command output fields.
Table 109: show ip dhcp-local binding Output Fields
Address: IP address
Hardware: MAC address of subscriber’s computer
Lease: Infinite, or the number of seconds in which the IP address is available;...
Table 110: show ip dhcp-external configuration Output Fields (continued)
Auto-Configure: Enabled or disabled
Server-Sync: Enabled or disabled
Disregard-Giaddr-Next-hop: Enabled or disabled
Detect-Agent-Circuit-Id: Enabled or disabled
Recreate-Subscriber-Interface: Enabled or disabled
Duplicate-MAC-Address: Enabled or disabled
Servers: DHCP servers whose traffic is monitored by the E Series router...
Table 111: show ip dhcp-external statistics Output Fields (continued)
bindings: Number of IP addresses currently assigned
request: Number of DHCP request packets
ack (request): Number of DHCP acknowledgment packets in response to DHCP requests
renew: Number of DHCP renew packets...
Related Topics: show dhcp-external
Monitoring DHCP Local Address Pools
Purpose: Display the DHCP local pool configurations.
Action: To display information about the local address pool:
host1#show ip dhcp-local pool
*****************************************
Pool Name - ispBoston
Pool Id - 6
Domain Name - ispBoston
Network - 10.10.0.0...
Table 113: show ip dhcp-local pool Output Fields
Pool Name: Name of the DHCP local pool
Pool Id: ID of the pool
Domain Name: Domain name assigned to the pool
Network: Addresses that the DHCP local server can provide from the pool
Mask...
Table 113: show ip dhcp-local pool Output Fields (continued)
Total Addresses In Use: Number of addresses currently being used
Trap Enabled: Status of utilization trap, yes or no
Pools: Names of pools in the group
Related Topics: show ip dhcp-local pool
Monitoring DHCP Local Server Authentication Information...
Table 114: show ip dhcp-local auth Output Fields (continued)
Password: Password used to authenticate client
Virtual Router: Client’s virtual router; excluded or included
Circuit Type: Client’s circuit type; excluded or included
Circuit ID: Client’s circuit ID;...
Table 115: show ip dhcp-local Output Fields (continued)
Unique Client IDs: Status of duplicate client ID and duplicate hardware address detection, enabled or disabled
Related Topics: show ip dhcp-local
Monitoring DHCP Local Server Leases
Display lease information for a specific IP address or for all DHCP local server leases.
Meaning: Table 116 on page 555 lists the show ip dhcp-local leases command output fields.
Table 116: show ip dhcp-local leases Output Fields
Address: IP address
Hardware: MAC address of the subscriber’s computer
Lease: Infinite, or the number of seconds in which the IP address is available;...
unknown client packet
--Transmit Statistics--
offer
ack(accept)
ack(renew)
ack(rebind)
nak(renew)
nak(rebind)
total out packet
out error
out discard
To display DHCP local server statistics for a specific interface:
host1#show ip dhcp-local statistics interface atm 4/0.32
DHCP Local Server SubInterface Statistics
Interface Item...
Page 597
Table 117: show ip dhcp-local statistics Output Fields (continued)
request(accept): Number of DHCP requests accepted
request(renew): Number of DHCP requests for renewal received
request(rebind): Number of DHCP requests for rebinding received
request(other): Number of DHCP unknown requests received
decline...
Related Topics: show ip dhcp-local statistics
Monitoring DHCP Option 60 Information
Purpose: Display configuration and action information for the DHCP vendor-option (option 60) feature. Use the command without additional keywords to display information for all vendor option configurations.
Table 118: show dhcp vendor-option Output Fields
Vendor-option: Option 60 string; an asterisk (*) indicates that the string exactly matches a configured option 60 string, default indicates the action to take when the string does not match a configured option 60 string
Action: Action to take for the indicated string match;...
Related Topics: show ip dhcp-capture
Monitoring DHCP Relay Configuration Information
Purpose: Display DHCP relay configuration information and the IP addresses of the configured DHCP servers.
Action: To display information about the DHCP relay configuration and the IP address of the DHCP servers:
Table 120: show dhcp relay Output Fields (continued)
Layer 2 Unicast Replies: On or off
Giaddr Selects Interface: On or off
Broadcast Flag Replies: On or off
Override Giaddr: On or off
Override Option: On or off
Trust All Clients...
Related Topics: show dhcp relay proxy statistics
Monitoring DHCP Relay Statistics
Purpose: Display DHCP packet error and relay agent option statistics that are reported for both DHCP relay and DHCP relay proxy, and also DHCP server statistics related only to DHCP relay.
Dropped unknown xids replies
Dropped stale requests
Meaning: Table 122 on page 564 lists the show dhcp relay statistics command output fields.
Table 122: show dhcp relay statistics Output Fields
Packet error statistics (standard &...
Table 122: show dhcp relay statistics Output Fields (continued)
dropped giaddr spoof packets: Number of received DHCP relay requests that were discarded because the gateway IP address field already contained this relay agent’s IP address
DHCP server statistics (standard mode only)
dropped duplicate request packets...
Naks received
addresses declined
addresses released
Informs sent
unknown messages
bad messages
Meaning: Table 123 on page 566 lists the show dhcp server statistics command output fields.
Table 123: show dhcp server statistics Output Fields
DHCP Server Address...
E E 10.6.128.10
E E 10.6.128.11
Meaning: Table 124 on page 567 lists the show dhcp server command output fields.
Table 124: show dhcp server Output Fields
Read-only value that displays the operational status of the server
Read/write value that displays the administrative status of the server Enabled;...
Meaning: Table 125 on page 568 lists the show ipv6 dhcpv6-local binding command output fields.
Table 125: show ipv6 dhcpv6-local binding Output Fields
Prefix: IPv6 address
Client DUID: DHCP unique ID of subscriber’s computer
Lease: Time for which the IPv6 address is available in seconds, or infinite
Intf...
Related Topics: show ipv6 dhcpv6-local dns-domain-searchlist
Monitoring DHCPv6 Local Server DNS Servers
Purpose: Display a list of DNS servers configured on the DHCPv6 local server.
Action: To display the list of DNS servers:
host1#show ipv6 dhcpv6-local dns-servers
DNS server 1: 2001:db8:18::
DNS server 2: 2001:db8:19::
DNS server 3: 2001:db8:20::...
Related Topics: show ipv6 dhcpv6-local prefix-lifetime
Monitoring DHCPv6 Local Server Statistics
Purpose: Display statistics for the DHCPv6 local server.
Action: To display DHCPv6 local server statistics:
host1#show ipv6 dhcpv6-local statistics
DHCPv6 Local Server Statist
---------------------------
Item Count...
Table 129: show ipv6 dhcpv6-local statistics Output Fields (continued)
rebind rx: Number of DHCPv6 rebind messages received
reconfigure tx: Number of DHCPv6 reconfigure messages transmitted
advertise tx: Number of DHCPv6 advertise messages transmitted
successful reply tx: Number of reply messages transmitted with success reply code
failed reply tx...
Related Topics: show ip dhcp-local duplicate-clients
Monitoring the Maximum Number of Available Leases
Purpose: Display the maximum number of leases available for each VPI/VCI, VLAN, Ethernet subnetwork, or POS access interface type, or for a specific interface or subinterface.
Action: To display the maximum number of leases available for each interface type:
host1(config)#show ip dhcp-local limits...
Table 131: show ip dhcp-local limits Output Fields (continued)
Ethernet Limit: Number of leases available for each Ethernet subnet
Limit: Number of leases available to the specified interface or subinterface; indicates the configured value for the interface type unless a specific lease value is configured for the particular interface...
Table 132: show ip dhcp-local reserved Output Fields (continued)
Hardware: Address for which the IP address is reserved
Related Topics: show ip dhcp-local reserved
Monitoring Status of DHCP Applications
Purpose: Display which DHCP applications are configured and whether they are active or inactive; displays the status of DHCP relay, DHCP relay proxy, DHCP local server, and DHCP external server.
Part 5 Managing the Subscriber Environment
Configuring Subscriber Management on page 577
Monitoring Subscriber Management on page 593
Configuring Subscriber Interfaces on page 597
Monitoring Subscriber Interfaces on page 629
Chapter 23 Configuring Subscriber Management This chapter describes how to set up subscriber management on the E Series router. Subscriber management integrates a variety of router features and enables you to manage your constantly changing subscriber environment without affecting the performance you provide to your customers.
RADIUS server
Session and Resource Control (SRC) software
You employ the components you need in a variety of configurations, depending on your specific requirements.
Subscriber Management Platform Considerations
Subscriber management is supported on all E Series routers. For information about the modules supported on E Series routers: See the ERX Module Guide for modules supported on ERX7xx models, ERX14xx models, and the ERX310 Broadband Services Router.
Chapter 23: Configuring Subscriber Management In the first case, the interface is created when an external DHCP server or the DHCP local server responds to a subscriber request. In the second case, the subscriber interface is created when the router receives a packet (the packet detect feature) with a source IP address that is not in the demultiplexer table.
In Figure 15 on page 579, the subscriber requests an address from the DHCP server. The E Series router DHCP external server application monitors all DHCP communications between the subscriber and the DHCP server. After the subscriber receives an IP address, the subscriber can access the Internet and use the value-added services provided by the SRC software.
Specify each DHCP server for which to monitor traffic. You can specify a maximum of four DHCP servers.
host1(config)#ip dhcp-external server-address 10.10.10.1
Configure a default policy for subscribers, using a previously configured classifier group.
host1(config)#ip policy-list filterAll
host1(config-policy-list)#classifier-group filterGroupA
host1(config-policy-list-classifier-group)#filter
host1(config-policy-list-classifier-group)#exit...
Page 622
deny: Drop addresses that appear in the source address range
primary: Associate the source prefix with the primary IP interface
Example host1(config-if)#clear ip demux
There is no no version.
See clear ip demux
domain
Use to specify a domain for an IP service profile.
Page 623
Use the no version to disable inclusion of the suboption in the username.
See include dhcp-option 82
include hostname
Use to include the router hostname in the username that is dynamically created by JUNOSe subscriber management.
Example host1(config-service-profile)#include hostname
Use the no version to disable inclusion of the router hostname in the username.
Page 624
Use to configure an IP interface to support creation of dynamic subscriber interfaces. The specified IP interface is considered the primary interface. The router creates the required dynamic subscriber interfaces when the IP address is assigned to the associated subscriber.
Page 625
host1(config-if)#ip destination-prefix 10.0.0.0 255.0.0.0
Use the no version to remove the association between the interface and the specified IP destination address and mask.
See ip destination-prefix
ip inactivity-timer
Use to configure the inactivity timer value for an IP interface. A dynamically created subscriber interface is deleted if it is inactive for a period longer than the inactivity timer value.
Page 626
JUNOSe 11.0.x Broadband Access Configuration Guide Use to configure an interface to perform route-map processing, and to specify the route map that is applied to the IP interface subscriber. If no route map is specified, then all packets trigger the creation of a dynamic subscriber interface. You can issue this command from Interface Configuration mode or Profile Configuration mode.
Page 627
Chapter 23: Configuring Subscriber Management Example host1(config-if)#ip source-prefix 10.0.0.0 255.0.0.0 Use the no version to remove the association between the interface and the specified IP source address and mask. See ip source-prefix ip use-framed-routes ip-subscriber Use to configure a static primary IP interface to use framed routes as source IP addresses when creating dynamic subscriber interfaces.
Page 628
JUNOSe 11.0.x Broadband Access Configuration Guide Use to specify the name of a subscriber’s service profile that is used in the route map. You can specify a service profile name with up to 32 ASCII characters. Example host1(config-route-map)#set ip service-profile yourServiceProfile Use the no version to remove the service profile from the route map.
Chapter 23: Configuring Subscriber Management Use to assign an IP service profile to a VLAN subinterface. Service profiles contain user and password information, and are used in route maps for subscriber management and to authenticate subscribers with RADIUS. You can specify a service profile name with up to 32 ASCII characters. Example host1(config-profile)#vlan service-profile vlanClass1Service host1(config-profile)#...
JUNOSe 11.0.x Broadband Access Configuration Guide host1(config)#ip service-profile atlServiceProfile host1(config-service-profile)#user-prefix xyzcorp.atl host1(config-service-profile)#domain eastcoast host1(config-service-profile)#include hostname host1(config-service-profile)#include circuit-identifier atm host1(config-service-profile)#exit host1(config)# The example generates the following username: The circuit identifier indicates a user at slot 2, port 3, with a virtual path identifier (VPI) of 32 and a virtual channel identifier (VCI) of 100.
Page 631
Chapter 23: Configuring Subscriber Management host1(config-service-profile)#domain eastcoast host1(config-service-profile)#include hostname host1(config-service-profile)#include circuit-identifier vlan host1(config-service-profile)#include mac-address host1(config-service-profile)#include dhcp-option 82 agent-circuit-id host1(config-service-profile)#exit host1(config)# The example generates the following username, which includes the MAC address: Subscriber Management Configuration Examples...
Chapter 24 Monitoring Subscriber Management This chapter describes how to monitor subscriber management on the E Series router. The following sections describe commands you can use to display status information and statistics for the subscriber management environment: Monitoring IP Service Profiles on page 593 Monitoring Active IP Subscribers Created by Subscriber Management on page 594 Monitoring IP Service Profiles Display information for all IP service profiles or for a specific profile.
JUNOSe 11.0.x Broadband Access Configuration Guide Table 134: show ip service-profile Output Fields (continued) Field Name Field Description user-prefix User prefix used to retrieve information from RADIUS for subscriber interfaces domain Domain used to retrieve information from RADIUS for subscriber interfaces include ip-address IP address is included in the service profile include virtual-router-name...
Chapter 25 Configuring Subscriber Interfaces This chapter describes how to configure static and dynamic subscriber interfaces for remote access to the E Series router. This chapter contains the following sections: Subscriber Interfaces Overview on page 597 Subscriber Interfaces Platform Considerations on page 603 Subscriber Interfaces References on page 604 Dynamic Creation of Subscriber Interfaces on page 604 Configuring Static Subscriber Interfaces on page 609...
JUNOSe 11.0.x Broadband Access Configuration Guide 10-Gigabit Ethernet (with and without VLANs) GRE tunnels For information about platform support for subscriber interfaces, see “Subscriber Interfaces Platform Considerations” on page 603. Dynamic Interfaces and Dynamic Subscriber Interfaces Dynamic interfaces are created automatically and transparently in response to external events.
Chapter 25: Configuring Subscriber Interfaces For example, on an Ethernet VLAN, multiple subscribers can enter the network from a Wi-Fi hotspot, as shown in Figure 17 on page 599: Figure 17: Example of a Dynamic Subscriber Interface To other locations subscriber xyz Service selection L2 transport...
JUNOSe 11.0.x Broadband Access Configuration Guide Relationship to Primary IP Interfaces A subscriber interface operates only with a primary IP interface, that is, a normal IP interface on a supported layer 2 interface, such as Ethernet. You create a primary interface by assigning an IP address to the Ethernet interface. Although you can configure a subscriber interface directly on an Ethernet interface, the subscriber interface does not operate until you assign an IP address to the Ethernet interface.
Chapter 25: Configuring Subscriber Interfaces without VLANs. Using subscriber interfaces, the router can demultiplex or separate the traffic associated with different subscribers. You can configure subscriber interfaces with VLANs. If you do so, the E Series router demultiplexes packets by using first the VLAN and then the subscriber interface. Moving Interfaces A shared IP interface that has associated subscriber demultiplexing attributes retains these attributes when it moves.
JUNOSe 11.0.x Broadband Access Configuration Guide Directing Traffic Toward Special Local Content Figure 19 on page 602 shows an example of a cable modem network. Multiple cable modem termination systems (CMTSs) connect to multiple shared media access LANs. Many subscribers connect to each LAN. In this example, the service provider uses subscriber interfaces to direct traffic toward special local content on the network: a voice over Internet Protocol (VoIP) service on network 10.11.0.0/16, or a local gaming service on network 10.12.0.0/16.
Chapter 25: Configuring Subscriber Interfaces Differentiating Traffic for VPNs Similarly, service providers can use subscriber interfaces to differentiate traffic for VPNs. Figure 20 on page 603 shows an example of this application. Customers on subnet A need to connect to VPN A, and customers on subnet B need to connect to VPN B.
JUNOSe 11.0.x Broadband Access Configuration Guide See ERX Module Guide, Table 1, ERX Module Combinations for detailed module specifications. See ERX Module Guide, Appendix A, Module Protocol Support for information about the modules that support subscriber interfaces. For information about modules that support subscriber interfaces on the E120 and E320 Broadband Services Routers: See E120 and E320 Module Guide, Table 1, Modules and IOAs for detailed module specifications.
IP address and immediately allocates the subscriber an IP address from one of the local address pools. In equal-access mode, the DHCP local server works with Juniper Networks Session and Resource Control (SRC) software and the authorization, accounting, and address assignment utility to provide an advanced subscriber configuration and management service.
JUNOSe 11.0.x Broadband Access Configuration Guide server is integrated with SRC software. For more information, see SRC-PE Getting Started Guide, Chapter 1, SRC Product Overview. DHCP Relay Configuration When you are configuring dynamic subscriber interface support, and you configure DHCP relay in the same virtual router as the dynamic subscriber interfaces, you must use the set dhcp relay inhibit-access-route-creation command to ensure that DHCP relay does not install access internal routes.
Chapter 25: Configuring Subscriber Interfaces not in the demultiplexer table. In this case, the primary IP interface must be in autoconfiguration mode. Packet detection is the only method of dynamically creating subscriber interfaces on GRE tunnel interfaces; you cannot use DHCP local server or DHCP external server. Issuing the ip auto-configure ip-subscriber command configures the primary IP address to enable dynamic configuration of subscriber interfaces.
JUNOSe 11.0.x Broadband Access Configuration Guide IP-based Ethernet interfaces, and is very useful in subscriber management applications. When MAC address validation is enabled on an interface, the router checks the entry in the MAC validation table that corresponds to the IP source address of an incoming packet.
Chapter 25: Configuring Subscriber Interfaces created from this primary IP interface after you change the MAC address validation state inherit the new MAC validation state. When you configure a dynamic subscriber interface with one or more framed routes (subnets), we recommend that you use the ip mac-validate loose command to configure MAC address validation for the static primary IP interface.
JUNOSe 11.0.x Broadband Access Configuration Guide Using a Destination Address to Demultiplex Traffic The example in Figure 22 on page 610 shows how you can use static subscriber interfaces to direct traffic toward special local content on the network, based on the traffic’s destination address.
Chapter 25: Configuring Subscriber Interfaces Configure the primary interface to use a destination address to demultiplex traffic. (By default, a source address is used to demultiplex traffic.) host1(config-if)#ip demux-type da-prefix d. Exit Interface Configuration mode. host1(config-if)#exit Configure subscriber interface IP1. a.
JUNOSe 11.0.x Broadband Access Configuration Guide Figure 23: Subscriber Interfaces Using a Source Address to Demultiplex Traffic E Series router To configure the static subscriber interfaces shown in Figure 23 on page 612, perform the following steps: Configure a primary IP interface on a supported layer 2 interface. a.
Page 653
Chapter 25: Configuring Subscriber Interfaces b. Associate the shared IP interface with the layer 2 interface by using one of the following methods: Static host1:vra(config-if)#ip share-interface fastEthernet 4/1 Dynamic host1:vra(config-if)#ip share-nexthop 10.1.1.2 To fully configure the shared interface, assign an address or make it unnumbered.
Page 654
JUNOSe 11.0.x Broadband Access Configuration Guide Use to create an IP interface to share a layer 2 interface. Use the specified name to refer to the shared IP interface; you cannot use the layer 2 interface to refer to the shared IP interface, because the shared interface can be moved.
Page 655
Chapter 25: Configuring Subscriber Interfaces The shared interface is operationally up when the layer 2 interface is operationally up and IP is properly configured. You can create operational shared IP interfaces in the absence of a primary IP interface. Example host1(config-if)#ip share-interface atm 5/3.101 Use the no version to remove the association between the layer 2 interface and the shared IP interface.
JUNOSe 11.0.x Broadband Access Configuration Guide Use the no version to remove the association between the interface and the specified IP source address and mask. See ip source-prefix Configuring Dynamic Subscriber Interfaces You can configure dynamic subscriber interfaces in the following configurations: IP over Ethernet IP over VLAN over Ethernet IP over bridged Ethernet over ATM...
Chapter 25: Configuring Subscriber Interfaces Figure 24: IP over Ethernet Dynamic Subscriber Interface Configuration Configuring Dynamic Subscriber Interfaces over VLANs To configure a dynamic subscriber interface in an IP over VLAN over Ethernet configuration by using DHCP events, perform the following steps: Configure the DHCP server.
JUNOSe 11.0.x Broadband Access Configuration Guide Figure 25: IP over VLAN over Ethernet Dynamic Subscriber Interface Configuration Configuring Dynamic Subscriber Interfaces over Bridged Ethernet To configure a dynamic subscriber interface in an IP over bridged Ethernet over ATM configuration by using DHCP events, perform the following steps: Configure DHCP server.
Chapter 25: Configuring Subscriber Interfaces (Optional) Specify the source address of traffic that is destined for the primary IP interface. host1(config-subif)#ip source-prefix 192.168.2.20 255.255.255.0 Figure 26 on page 619 shows the interface stack built for this configuration. Figure 26: IP over Bridged Ethernet over ATM Dynamic Subscriber Interface Configuration Configuring Dynamic Subscriber Interfaces over GRE Tunnels To configure a dynamic subscriber interface in a GRE tunnel configuration by using packet detection, perform the following steps:...
JUNOSe 11.0.x Broadband Access Configuration Guide (Optional) Specify the IP inactivity timer. host1(config-subif)#ip inactivity-timer 100 (Optional) Specify the source address of traffic that is destined for the primary IP interface. host1(config-subif)#ip source-prefix 192.168.2.1 255.255.255.0 Figure 27 on page 620 shows the interface stack built for this configuration. Figure 27: GRE Tunnel Dynamic Subscriber Interface Configuration Dynamic Subscriber Interface Configuration Example The procedure in this section shows how to configure dynamic subscriber interfaces...
Page 661
Chapter 25: Configuring Subscriber Interfaces Specify the enduring IP addresses that the DHCP local server can assign from the local address pool. host1(config-dhcp-local)#network 10.20.0.0 255.255.192.0 Specify the router to forward traffic from the IP addresses to destinations on other subnets. host1(config-dhcp-local)#default-router 10.20.32.1 Exit DHCP Local Pool Configuration mode.
Page 662
JUNOSe 11.0.x Broadband Access Configuration Guide atm pvc Use to configure a PVC on an ATM interface. Specify the VCD, the VPI, the VCI, and the encapsulation type. (For more information about these parameters, see the Creating a Basic Configuration section in JUNOSe Link Layer Configuration Guide .) Example host1(config-subif)#atm pvc 10 100 22 aal5snap...
Page 663
Chapter 25: Configuring Subscriber Interfaces interface atm Use to configure an ATM interface or subinterface type in the slot/port.subinterface format: slot Specifies router chassis slot port Specifies I/O module port subinterface Specifies subinterface number Example host1(config-if)#interface atm 9/1.1 Use the no version to remove the ATM interface or subinterface. See interface atm interface fastEthernet Use to select a Fast Ethernet (FE) interface on a line module or an SRP module.
Page 664
JUNOSe 11.0.x Broadband Access Configuration Guide Example host1(config)#interface tenGigabitEthernet 4/0/1 Use the no version to remove IP from an interface. You must issue the no version from the highest level down; you cannot remove an interface or subinterface if the one above it still exists. See interface tenGigabitEthernet interface loopback Use to access and configure a loopback interface.
Page 665
Chapter 25: Configuring Subscriber Interfaces Use the no version to remove the IP address or to disable IP processing. See ip address ip auto-configure ip-subscriber Use to configure an IP interface to support creation of dynamic subscriber interfaces. The specified IP interface is considered the primary interface. The router creates the required dynamic subscriber interfaces when the IP address is assigned to the associated subscriber.
Page 666
JUNOSe 11.0.x Broadband Access Configuration Guide Use the no version to prevent the DHCP local server from supplying IP addresses from the specified pool. See ip dhcp-local pool ip inactivity-timer Use to configure the inactivity timer value. A dynamically created subscriber interface is deleted if it is inactive for a period longer than the inactivity timer value.
Page 667
Chapter 25: Configuring Subscriber Interfaces Use the no version to disable IP processing on the interface. See ip unnumbered ip use-framed-routes ip-subscriber Use to configure a static primary IP interface to use framed routes as source IP addresses when creating dynamic subscriber interfaces. The router uses the Framed-Route RADIUS attribute [22] sent in Access-Accept messages to apply framed routes to subscriber interfaces associated with the primary interface.
Page 668
JUNOSe 11.0.x Broadband Access Configuration Guide Use the no version to restore the default in which DHCP relay builds dynamic subscriber interfaces on the IP interface that is used for DHCP server-destined messages. See set dhcp relay giaddr-selects-interface vlan id Use to configure a VLAN ID for a VLAN subinterface. Specify a VLAN ID number that is in the range 0–4095 and is unique within the Ethernet interface.
Chapter 26 Monitoring Subscriber Interfaces This chapter describes how to monitor static and dynamic subscriber interfaces for remote access to the E Series router. This chapter contains the following sections: Monitoring Subscriber Interfaces Overview on page 629 Monitoring Subscriber Interfaces on page 629 Monitoring Active IP Subscribers Created by Subscriber Management on page 630 Monitoring Subscriber Interfaces Overview The state of the subscriber interface is determined by state of the Ethernet interface...
JUNOSe 11.0.x Broadband Access Configuration Guide Table 136: show ip demux interface Output Fields (continued) Field Name Field Description SA/DA Demultiplexing method for subscriber interface Source address Destination address Subscriber-Intf Name of shared interface on which subscriber interface is configured VR/VRF Name of virtual router (VR) or VPN routing and forwarding (VRF) instance on which the subscriber interface is configured...
Chapter 26: Monitoring Subscriber Interfaces ---------- --------- --------- ---------------- 2835349506 myProfile profile22 FastEthernet 3/1 Table 137 on page 631 lists the show ip-subscriber command output fields. Meaning Table 137: show ip-subscriber Output Fields Field Name Field Description ID of the subscriber User Name Username used to retrieve information from RADIUS for the subscriber interface...
Page 672
JUNOSe 11.0.x Broadband Access Configuration Guide Monitoring Active IP Subscribers Created by Subscriber Management...
Page 673
Part 6 Managing Subscriber Services Configuring Service Manager on page 635 Monitoring Service Manager on page 701 Managing Subscriber Services...
Chapter 27 Configuring Service Manager This chapter describes how to use the Service Manager application to define, activate, and monitor networking services for your subscribers. This chapter discusses the following topics: Service Manager Overview on page 635 Service Manager Platform Considerations on page 637 Service Manager References on page 637 Service Manager Configuration Tasks on page 637 Service Definitions on page 639...
JUNOSe 11.0.x Broadband Access Configuration Guide messages can create and delete Service Manager subscriber sessions and activate and deactivate service sessions. For CLI clients, CLI commands create and delete the subscriber sessions and activate and deactivate service sessions. A subscriber’s service is based on a service definition; service definitions can include profiles, policies, and quality of service (QoS) settings that define the scope of a service granted to the subscriber.
Chapter 27: Configuring Service Manager Table 138: Service Manager Terms and Acronyms (continued) Term Definition Service instance An instance that is created when you specify parameter values for a service definition to create a service session Service session A session that is created when a service instance is activated for a subscriber;...
Page 678
JUNOSe 11.0.x Broadband Access Configuration Guide Use the macro language to define service definitions Download service definition macro files to the router’s nonvolatile storage (NVS) Install service definitions on the router Uninstall service definitions Configure the Service Manager license Configure RADIUS accounting Use RADIUS login and RADIUS CoA to manage subscriber service sessions Specify the subscriber Specify optional attributes...
Chapter 27: Configuring Service Manager Figure 28: Service Manager Configuration Flowchart Service Definitions A service definition is a high-level, platform-independent template that defines a service that you want to let your subscribers use. You use the JUNOSe software’s embedded macro language on your computer to create the macro file that defines the service.
JUNOSe 11.0.x Broadband Access Configuration Guide Interface profiles Specify a set of characteristics that can be dynamically assigned to IP interfaces. A service definition must use at least one interface profile. Policy lists Specify policy actions for traffic traversing an interface. Classifier lists Specify the criteria by which the router defines a packet flow.
Page 681
Chapter 27: Configuring Service Manager Table 139: JUNOSe Objects Tracked by Service Manager (continued) Name Requirement Description output-stat-clacl Optional Collects output statistics from policy manager Can be a list of clacls activate-profile Required Specifies the interface profile used on activation of the service Deletion of the profile is Service Manager’s responsibility deactivate-profile...
JUNOSe 11.0.x Broadband Access Configuration Guide Table 139: JUNOSe Objects Tracked by Service Manager (continued) Name Requirement Description output-stat-epg Optional Collects output statistics associated with the external group from policy manager Both the external parent group and the corresponding hierarchical policy parameter must be specified Can be multiple pairs of external parent groups and hierarchical policy parameters...
Chapter 27: Configuring Service Manager Managing Your Service Definitions After you have created the macro file for your service definition, you can perform the following operations with the service definition macro file: Copy You must copy the service definition from the local computer that you used to create the macro file to the router’s NVS card.
JUNOSe 11.0.x Broadband Access Configuration Guide During installation, Service Manager precompiles the service definition and extracts the definition file’s timestamp. After you install the service definition, you can use the definition to create service sessions for subscribers. To update an existing service definition, you make changes to the original macro file on your computer, copy the updated file to NVS, and install the updated file.
Chapter 27: Configuring Service Manager Referencing QoS Configurations in Service Definitions You can use QoS profiles and QoS parameters to define a service for a subscriber. For example, you can configure the shaping rate for traffic in a video service by using a QoS parameter instance.
JUNOSe 11.0.x Broadband Access Configuration Guide qos-profile Use to add a QoS profile command for use with Service Manager. When the service is activated, the QoS profile is created and attached to the subscriber interface. Example host1(config)#profile iptv host1(config-profile)#qos-profile video Use the no version to remove the QoS profile from the profile.
Chapter 27: Configuring Service Manager Configure the QoS parameter definition described in JUNOSe Quality of Service Configuration Guide, QoS Parameter Overview. You must configure at least one controlled-interface type and one subscriber-interface type. The range specified in the parameter definition controls the available value of the parameter instance.
JUNOSe 11.0.x Broadband Access Configuration Guide Specifying the Add and Initial-Value Keywords You can use the add keyword to add value to an existing parameter instance. For example: <# qosserviceone(bandwidth1, bandwidth2) #> profile <# profileName ; '\n' #> qos-parameter <# qosParameterName3 ; ' add ' ; bandwidth2 ; '\n' #> <# endtmpl #>...
Chapter 27: Configuring Service Manager Table 140 on page 649 lists the results of a series of activations and deactivations of parameters using the add and initial-value keywords. Table 140: Sample Modifications Using the Add and Initial-Value Keywords Action QoS Parameter Instance Result Activate qos-parameter video-bw add 5000000...
JUNOSe 11.0.x Broadband Access Configuration Guide Table 141: Sample Modifications Using Parameter Instances (continued) Action QoS Parameter Instance Result Deactivate qos-parameter video-bw add 5000000 5000000 is subtracted from parameter initial-value 0 instance video-bw for a total of -4000000 Deactivate qos-parameter video-bw 2000000 Parameter instance video-bw is removed Modifying QoS Configurations in a Single Service Manager Event...
Chapter 27: Configuring Service Manager Table 143: Modifying QoS Configurations with Other Sources QoS Profile QoS Parameter Attachment Instances Service Manager RADIUS SNMP – SRC software – The following sections describe the precedence of each source when modifying configurations. Service Manager QoS profile attachments and parameter instances created through Service Manager have precedence over all other sources.
JUNOSe 11.0.x Broadband Access Configuration Guide Conversely, QoS profiles and parameter instances configured through the CLI, SNMP, or the SRC software can be overwritten by any source. Removing QoS Configurations Referenced by Service Manager When Service Manager no longer references a QoS configuration, it must be removed from the service definition.
Chapter 27: Configuring Service Manager RADIUS or Service Manager We recommend that you choose either RADIUS or Service Manager to create a single parameter instance. If you use both RADIUS and Service Manager, parameter instances activated using Service Manager take precedence. Interoperability with Other Service Components Service Manager removes QoS profiles and parameter instances if other components in the service definition (for example, policies) cause an error.
10 subscriber sessions. The license is a unique string of up to 15 alphanumeric characters. NOTE: Obtain the license from Juniper Networks Customer Service or your Juniper Networks sales representative. Example host1(config)#license service-management 123456789 Use the no version to disable the license.
Chapter 27: Configuring Service Manager the subscriber’s RADIUS record. RADIUS then uses vendor-specific attributes (VSAs) in the Access-Accept packet to activate the service session for the subscriber. This method is useful when your subscribers are not currently logged RADIUS CoA method Supports dynamic service selection for subscribers. For example, the subscriber might have logged in without a service, or might have used the RADIUS login method to activate a service at login.
JUNOSe 11.0.x Broadband Access Configuration Guide Create the RADIUS record for the subscriber and service: For RADIUS login Create the RADIUS record for the subscriber and include the Activate-Service VSA in the record. Specify values for the parameters defined in the service template name of the definition macro file. For RADIUS CoA Format the CoA message to create the RADIUS record for the subscriber.
Chapter 27: Configuring Service Manager Table 144: Service Manager RADIUS Attributes Attribute RADIUS Message Number Attribute Name Type VSA Description User-Name (used with Access-Accept Uniquely identifies the subscriber Virtual-Router, Juniper session Networks VSA 26-1) Framed-IP-Address Access-Accept Uniquely identifies the subscriber (used with session Virtual-Router, Juniper...
JUNOSe 11.0.x Broadband Access Configuration Guide NOTE: Service Manager statistics collection is a three-part procedure. You must configure statistics information in the service definition macro file, enable statistics collection in the RADIUS record, and also enable statistics collection for the policy referenced in the service macro using the statistics enabled keyword in the command used for policy attachment in the profile.
Chapter 27: Configuring Service Manager Service-Timeout Service-Volume Service-Interim-Acct-Interval Table 146 on page 659 describes an Access-Accept packet that activates the two services, tiered and voice, for subscriber client1@isp1.com. Each service has its own unique tag, enabling you to assign attributes for one service, but not the other. For example, the two services have different timeout settings and different interim accounting intervals, and statistics are enabled only for the tiered service.
JUNOSe 11.0.x Broadband Access Configuration Guide NOTE: The Service-Timeout and Service-Volume attributes use values captured by the Service Manager statistics feature to determine when a threshold is exceeded. Therefore, you must configure and enable statistics collection to use these attributes. See “Configuring Service Manager Statistics”...
Chapter 27: Configuring Service Manager attribute is used by RADIUS CoA messages, such as in a guided entrance service. See “Guided Entrance Service Example” on page 687 for more information. Using Mutex Groups to Activate and Deactivate Subscriber Services Service Manager supports two methods that use RADIUS CoA-Request messages to activate and deactivate subscriber services and that can also dynamically change a service that is currently provided to a subscriber.
JUNOSe 11.0.x Broadband Access Configuration Guide services. Active services that are members of different mutex groups are unaffected. Configuring a Mutex Service To configure and enable a mutex service, you complete the following steps: Create the new service definition and configure the service as a member of a mutex group.
Chapter 27: Configuring Service Manager Use a RADIUS CoA-Request message and the new service definition to create the mutex service. The new service is considered a mutex service because it belongs to a mutex group. Service Manager activates the new service and deactivates any existing active service that is a member of the same mutex group as the new service.
JUNOSe 11.0.x Broadband Access Configuration Guide You can use the service-interface-type object in the service definition macro file to specify whether a service must be defined for IPv4 or IPv6. Configuring the service-interface-type object is not mandatory if a service is required only for IPv4 or L2TP subscribers.
Chapter 27: Configuring Service Manager called iponeV6 to be used for IPv6 traffic. Both the services defined for IPv4 and IPv6 must be configured for the subscriber on the RADIUS server. When the subscriber is authenticated using RADIUS authentication, two services, one each for IPv4 and IPv6, are created.
JUNOSe 11.0.x Broadband Access Configuration Guide number of services configured. You can view the number of service sessions currently active for a subscriber by viewing the Service Sessions field from the output of the show service-management command. If you configured a combined IPv4 and IPv6 service, the memory usage is the same as that required for one subscriber service session.
Chapter 27: Configuring Service Manager Table 147 on page 667 lists the RADIUS accounting attributes used by the Service Manager application. Table 147: Service Manager RADIUS Accounting Attributes Attribute RADIUS Message Number Attribute Name Type VSA Description [26-83] Service-Session For service Name of the service (including sessions only: parameter values) with which the...
JUNOSe 11.0.x Broadband Access Configuration Guide When the Service-Interim-Acct-Interval attribute is configured for a service, Service Manager uses the guidelines shown in Table 148 on page 668 to determine the correct interim accounting interval to use for the service. Table 148: Determining the Service Interim Accounting Interval Service-Interim-Acct- Interval Value Service Manager Action...
Page 709
Chapter 27: Configuring Service Manager Table 149: Sample Acct-Start Message for a Service Session (continued) RADIUS Attribute Sample Value ingress-policy-name (vsa) forwardAll egress-policy-name (vsa) forwardAll calling-station-id #ERX-01-00-06#E12#0 acct-input-gigawords acct-input-octets 4032 acct-output-gigawords acct-output-octets 2163 acct-input-gigapackets (vsa) acct-input-packets acct-output-gigapackets (vsa) acct-output-packets nas-port-type nas-port 3221225472 nas-port-id...
NOTE: To enable interim service accounting, the service accounting interval must be set to a non-zero value and the service statistics type must not be set to none.
Example
host1(config)#aaa service accounting interval 60
Use the no version to reset the accounting interval to 0, which turns off interim service accounting for services that carry no value in the Service-Interim-Acct-Interval attribute (Juniper VSA 26-140).
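The Service-Session (26-83) and Service-Interim-Acct-Interval (26-140) attributes above are Juniper vendor-specific attributes, and the Acct-Start sample in Table 149 splits each byte count across an acct-*-octets field and an acct-*-gigawords field. The Python below is an added example, not code from the JUNOSe guide or from Juniper: it encodes and decodes these two VSAs using the RFC 2865 Vendor-Specific attribute layout with every length checked before use, combines gigawords and octets into a single byte total, and applies the fallback stated in the note above (the VSA value when present, otherwise the aaa service accounting interval, where 0 means interim accounting is off). The Juniper ERX vendor ID 4874, the string type of 26-83 and the 32-bit integer type of 26-140 are assumptions; the full rules of Table 148 are not reproduced.

```python
"""RADIUS helpers for the Juniper (ERX) Service Manager VSAs.

Added example, not from the JUNOSe guide. Assumptions: Juniper ERX vendor
ID 4874; Service-Session (26-83) is a string; Service-Interim-Acct-Interval
(26-140) is a 32-bit unsigned integer of seconds; attributes follow the
RFC 2865 layout (type 26, length, vendor-id, vendor-type, vendor-length, value).
"""
import struct
from typing import List, Tuple

JUNIPER_ERX_VENDOR_ID = 4874          # assumed IANA enterprise number for ERX VSAs
VENDOR_SPECIFIC = 26
SERVICE_SESSION = 83                   # VSA 26-83
SERVICE_INTERIM_ACCT_INTERVAL = 140    # VSA 26-140


def encode_vsa(vendor_type: int, value: bytes) -> bytes:
    """Wrap a vendor attribute in a RADIUS Vendor-Specific (26) attribute."""
    vendor_len = 2 + len(value)
    if vendor_len > 255 - 6:                       # outer length must fit in one byte
        raise ValueError("VSA value too long")
    body = struct.pack("!IBB", JUNIPER_ERX_VENDOR_ID, vendor_type, vendor_len) + value
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def encode_service_session(service: str) -> bytes:
    return encode_vsa(SERVICE_SESSION, service.encode("ascii"))


def encode_interim_interval(seconds: int) -> bytes:
    if not 0 <= seconds <= 0xFFFFFFFF:
        raise ValueError("interval out of range")
    return encode_vsa(SERVICE_INTERIM_ACCT_INTERVAL, struct.pack("!I", seconds))


def decode_juniper_vsas(attrs: bytes) -> List[Tuple[int, bytes]]:
    """Walk a RADIUS attribute list; return (vendor_type, value) for Juniper VSAs.

    Every length is checked against the buffer before it is used, so a
    truncated or malformed attribute raises instead of reading past the end.
    """
    found: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("bad attribute length")
        if atype == VENDOR_SPECIFIC and alen >= 8:
            vendor_id = struct.unpack("!I", attrs[i + 2:i + 6])[0]
            if vendor_id == JUNIPER_ERX_VENDOR_ID:
                j, end = i + 6, i + alen
                while j < end:
                    if j + 2 > end:
                        raise ValueError("truncated vendor attribute header")
                    vtype, vlen = attrs[j], attrs[j + 1]
                    if vlen < 2 or j + vlen > end:
                        raise ValueError("bad vendor attribute length")
                    found.append((vtype, attrs[j + 2:j + vlen]))
                    j += vlen
        i += alen
    return found


def effective_interim_interval(attrs: bytes, cli_interval: int) -> int:
    """Interval the router would use: the VSA value when present, otherwise the
    value set with 'aaa service accounting interval'; 0 means no interim accounting."""
    for vtype, value in decode_juniper_vsas(attrs):
        if vtype == SERVICE_INTERIM_ACCT_INTERVAL and len(value) == 4:
            return struct.unpack("!I", value)[0]
    return cli_interval


def total_octets(gigawords: int, octets: int) -> int:
    """Acct-*-Gigawords counts 2**32 wraps of the matching Acct-*-Octets field."""
    return gigawords * (1 << 32) + octets


if __name__ == "__main__":
    # Constructed sample: the service name from this chapter plus a 60 s interval.
    attrs = encode_service_session("tiered(1280000, 5120000)") + encode_interim_interval(60)
    print(decode_juniper_vsas(attrs))
    print(effective_interim_interval(attrs, 0), total_octets(0, 4032), total_octets(0, 2163))
```

The decoder rejects any attribute whose declared length runs past the buffer rather than slicing what is there; when reading accounting records from a collector, that is the difference between a clean parse error and silently mis-attributing bytes to the wrong session.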
in a dual stack. You can also obtain external parent group statistics for IPv4 and IPv6 services configured independently in a dual stack. You can retrieve either external parent group statistics or classifier statistics from policy manager.
Subscriber name and interface method: Activates the service session based on the subscriber name and the interface that the subscriber is using for this subscriber session.
host1(config)#service-management subscriber-session client1@isp1.com interface atm 4/0.1 service-session “ tiered(1280000, 5120000)”
Owner name and ID method: Activates the service session based on the owner that created the subscriber session and the ID that was generated by the owner.
session for the same subscriber, only the newest subscriber session, with its services, is used.
Example 1: Activate a service session for an existing subscriber
host1(config)#service-management owner-session aaa 573498 service-session “video(4500000, 192.168.10.3)”
Example 2: Activate multiple service sessions for an existing subscriber
host1(config)#service-management owner-session aaa 573498 service-session “video(4500000, 192.168.10.3)”...
For example, you might assign the same video service to two subscribers, but use different service session profiles to set different time limits for each subscriber’s service. One subscriber uses the video service for 5 hours (18000 seconds) while the other subscriber’s video service is for 10 hours (36000 seconds).
Use to create a new service session profile or to specify the name of an existing profile you want to modify, and to enter Service Session Profile Configuration mode. In Service Session Profile Configuration mode, you specify the attributes used in the service session profile, such as the maximum volume limit for the session and the maximum time the session can be used.
host1(config)#service-management service-session-profile vodISP1
host1(config-service-session-profile)#time 6000
Use the no version to delete the time attribute from the service session profile.
See time
volume
Use to specify the maximum traffic volume, in MB, that the service session can carry; this is a volume limit, not a bandwidth (rate) limit. The router immediately terminates the subscriber’s service session when the specified traffic volume is exceeded.
Gracefully Deactivating Subscriber Service Sessions
Use the following commands to gracefully deactivate a subscriber’s services. You can deactivate a specific service for a subscriber, or you can delete a subscriber session, which deactivates all of the subscriber’s service sessions. We recommend that you use these commands to deactivate subscriber service sessions.
We recommend this method only if you encounter difficulty with the graceful deactivation method. Always use the graceful method first.
no service-management subscriber-session force
Use to force the immediate termination of a subscriber session and to deactivate all services for the specified subscriber session.
host1(config)#service-management subscriber-session client1@isp1.com interface atm 4/0.1 service-session “video(4500000, 192.168.10.3)” service-session-profile vodISP1
Configuring Service Manager Statistics
The Service Manager application provides a flexible and efficient process for identifying and capturing statistics related to subscriber service sessions. Configuring Service Manager to collect statistics is a three-part process.
Table 150: RADIUS-Enabled Statistics (continued)
RADIUS Attribute: service-statistics
Value: When you enable statistics for a RADIUS-activated service, RADIUS accounting reports can use the statistics.
Enabling Statistics Collection with the CLI
You use service session profiles to enable statistics when you activate a service session with the CLI.
Input Packets : 1
Output Packets : 2
External Parent Group Statistics Collection Setup
Policies for interface groups include external parent groups that are implicitly instantiated during policy attachment based on each unique interface group encountered.
<# env.setResult("input-stat-epg", "vc-v4v6-in v4v6" ) #>
<# env.setResult("output-stat-epg", "vc-v4v6-out v4v6" ) #>
The <# env.setResult("input-stat-epg", "vc-v4v6-in v4v6") #> command specifies that Service Manager track statistics associated with the external parent group named vc-v4v6-in and the corresponding hierarchical policy named v4v6, and that this external parent group is associated with the policy attached at the input stage. The output-stat-epg result names the external parent group for the policy attached at the output stage in the same way, and a secondary-input-stat-epg result does so for the policy attached at the secondary input stage.
Figure 32: Guided Entrance
Service Manager requires additional configuration considerations for the guided entrance service. The <# redirectUrlName := "http://" $ serverIp $ ":" $ serverPort #> command in the service definition specifies the URL of the HTTP local server to which the subscriber is redirected after login; the URL is built by concatenating the serverIp and serverPort parameters passed to the service.
If you configure a guided entrance service, you must also ensure that the router’s RADIUS dynamic-request server is enabled and supports CoA messages. See “Configuring RADIUS Dynamic-Request Server” on page 235, for information about the RADIUS dynamic-request server and CoA messages.
NOTE: Currently, the HTTP local server does not support two different ports for IPv4 and IPv6 packets. However, the HTTP local server can listen for both IPv4 and IPv6 exception packets on the same port, simultaneously.
To configure the HTTP local server to support guided entrance for IPv4:
Access the virtual router context.
(Optional) Specify a standard IP access list that defines which subscribers can connect to the HTTP local server.
host1:west40(config)#ip http access-class chicagoList
(Optional) Specify the port on which the HTTP local server receives connection attempts.
Use to allow only subscribers on the specified standard IP access list to connect to the HTTP local server. When no access class is configured, the show ip http server output reports Access class: not defined, and no access-list restriction is applied to connections to the server.
Example
host1(config)#ip http access-class chicagoList
Use the no version to remove the association between the access list and the HTTP local server.
NOTE: The HTTP local server must be configured and enabled in the virtual router for the interface on which you use the ip http redirectUrl command. Otherwise, the URL redirect operation will fail.
Example
host1(config-if)#ip http redirectUrl http://ispsite.redirect.com
Use the no version to restore the default, which disables the HTTP redirect feature.
Use to specify the port on which the HTTP local server receives connection attempts for IPv6 exception packets.
NOTE: You can modify the port on which the HTTP local server receives connection attempts. However, you must first disable the HTTP local server and then modify the port.
Use the no version to disable the HTTP local server.
See ipv6 http server.
Combined IPv4 and IPv6 Service in a Dual Stack Example
When you configure a combined IPv4 and IPv6 service in a dual stack, the policies defined in the interface profile are attached to the appropriate interfaces based on the type of the interface.
are applied to the secondary input stage. The IPv4 and IPv6 policies for voice-over-IP traffic leaving the IPv4 and IPv6 interfaces respectively are applied to the output stage. Statistics collection is enabled for the policies referenced in the service macro using the statistics enabled keyword in the command used for policy attachment in the profile.
combined_service(64000, 64000, 10.0.0.1, 2001::1, vlan)
where:
64000: Bandwidth for outbound traffic, denoted as outBw in the macro
64000: Bandwidth for inbound traffic, denoted as inBw in the macro
10.0.0.1: Host IP address for IPv4 subscribers, denoted as VBG1 in the macro
2001::1: Host IP address for IPv6 subscribers, denoted as VB6G1 in the macro
vlan: Interface on which the service is configured, denoted as NODE in the macro
Service Definition Examples...
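Every service-session string in this chapter (“tiered(1280000, 5120000)”, “video(4500000, 192.168.10.3)”, combined_service(64000, 64000, 10.0.0.1, 2001::1, vlan)) is the name of a service definition followed by positional parameters, and the guided entrance macro builds its redirect target by concatenating the serverIp and serverPort parameters. The Python below is an added example, not code from the JUNOSe guide or from Juniper: it parses such strings into typed parameters (bandwidths, IPv4/IPv6 host addresses, interface keywords) and builds the redirect URL only after checking that the address is an IP literal and the port is in range. The typing rules and the validation are the editor's assumptions; the router itself passes the values to the macro as given.

```python
"""Parse JUNOSe service-session strings and build a guided-entrance redirect URL.

Added example, not from the JUNOSe guide. Assumed typing rules: an all-digit
parameter is a bandwidth in bps, a value ipaddress accepts is a host address,
anything else (e.g. "vlan") is a keyword such as the NODE interface type.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Union

Param = Union[int, ipaddress.IPv4Address, ipaddress.IPv6Address, str]

# service name, then a parenthesised, comma-separated parameter list
_SESSION_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_-]*)\((.*)\)$")
# conservative character set for one parameter: no quotes, spaces or parentheses
_PARAM_RE = re.compile(r"^[A-Za-z0-9_.:-]+$")


@dataclass
class ServiceSession:
    name: str
    params: List[Param] = field(default_factory=list)


def _typed(raw: str) -> Param:
    if raw.isdigit():
        return int(raw)
    try:
        return ipaddress.ip_address(raw)
    except ValueError:
        return raw


def parse_service_session(text: str) -> ServiceSession:
    """Split 'name(p1, p2, ...)' into a name and typed parameters; reject odd input."""
    m = _SESSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a service-session string: {text!r}")
    name, raw_params = m.group(1), m.group(2).strip()
    params: List[Param] = []
    if raw_params:
        for piece in raw_params.split(","):
            piece = piece.strip()
            if not _PARAM_RE.match(piece):
                raise ValueError(f"bad parameter {piece!r} in {text!r}")
            params.append(_typed(piece))
    return ServiceSession(name, params)


def redirect_url(server_ip: str, server_port: Union[int, str]) -> str:
    """Same result as the macro's "http://" $ serverIp $ ":" $ serverPort, but the
    address must parse as an IP literal and the port must be 1-65535; IPv6
    literals are bracketed so the URL stays well formed."""
    addr = ipaddress.ip_address(server_ip)          # raises on anything but an IP literal
    port = int(server_port)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {server_port!r}")
    host = f"[{addr}]" if addr.version == 6 else str(addr)
    return f"http://{host}:{port}"


if __name__ == "__main__":
    for s in ("tiered(1280000, 5120000)",
              "video(4500000, 192.168.10.3)",
              "combined_service(64000, 64000, 10.0.0.1, 2001::1, vlan)"):
        print(parse_service_session(s))
    print(redirect_url("192.168.10.3", 8080))
```

Because these parameter values arrive from RADIUS or the CLI and are substituted straight into macro text, a tool that generates or audits service activations should reject a parameter that is not one of the expected types before it reaches the router rather than after the macro has already been expanded.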
Chapter 28: Monitoring Service Manager
This chapter describes how to monitor the Service Manager application. This chapter discusses the following topics:
Setting a Baseline for HTTP Local Server Statistics on page 701
Monitoring the Connections to the HTTP Local Server on page 702
Monitoring the Configuration of the HTTP Local Server on page 702
Monitoring Statistics for Connections to the HTTP Local Server on page 703
Monitoring Profiles for the HTTP Local Server on page 704...
Monitoring Statistics for Connections to the HTTP Local Server on page 703
Related Topics
baseline ip http
Monitoring the Connections to the HTTP Local Server
Purpose: Display information about the connections to the HTTP local server.
Action: To display information about the HTTP local server:...
host1#show ip http server
Admin status: enabled
Access class: not defined
Listening port: 80
Same host limit: 3
Protocol: IPv6
Meaning: Table 153 on page 703 lists the show ip http server command output fields.
Table 153: show ip http server Output Fields
Field Name: Field Description...
Malformed http requests: 0
Urls not found: 0
Meaning: Table 154 on page 704 lists the show ip http statistics command output fields.
Table 154: show ip http statistics Output Fields
Server enable count: Total number of enabled HTTP local servers
Server disable count...
Auto Detect : Disabled
Auto Configure : Disabled
IP FlowStats : Disabled
Ip http redirect Url : myredirect.html
Ipv6 http redirect Url: myredirect.html
Meaning: Table 155 on page 705 lists the show profile command output fields.
Table 155: show profile Output Fields
Field Name...
show aaa service accounting interval
Related Topics
Monitoring the Status of the Service Manager License
Purpose: Display the status of the Service Manager license.
Action: To display the status of the Service Manager license:
host1#show license service-management
service management license is set
Table 157 on page 706 lists the show license service-management command output...
Meaning: Table 158 on page 707 lists the show profile command output fields.
Table 158: show profile Output Fields
Input Policy: Name of input policy and whether statistics are enabled or disabled
Output Policy: Name of output policy and whether statistics are enabled or disabled...
Forwarded packets 0, bytes 0
Dropped committed packets 0, bytes 0
Dropped conformed packets 0, bytes 0
Dropped exceeded packets 0, bytes 0
Http Redirect Url: http://www.juniper.net
To display information about a specific IPv6 interface:
host1#show ipv6 interface FastEthernet 9/0.6
FastEthernet9/0.6 line protocol VlanSub is up, ipv6 is up
Description: IPv6 interface in Virtual Router Hop6...
Table 159: show ip interface Output Fields (continued)
reasm req: Number of requests for reassembly
reasm fails: Number of reassembly failures
frag ok: Number of packets fragmented successfully
frag req: Number of frames requiring fragmentation
frag fails: Number of packets unsuccessfully fragmented...
Table 159: show ip interface Output Fields (continued)
timestamp req: Requests for a timestamp
timestamp rpy: Replies to timestamp requests
addr mask req: Address mask requests
addr mask rpy: Address mask replies
ARP spoof checking: Status of the check for spoofed ARP packets received on an IP interface.
Table 159: show ip interface Output Fields (continued)
Out Forwarded Packets, Bytes: Total number of packets and bytes forwarded out of the IP interface
Unicast Packets, Bytes: Unicast packets and bytes forwarded out of the IP interface
Multicast Routed Packets, Bytes: Multicast packets and bytes forwarded out of the IP...
Table 160: show ipv6 interface Output Fields (continued)
local destination: Frames with this router as destination
hdr errors: Number of packets containing header errors
addr errors: Number of packets containing addressing errors
unkn proto: Number of packets received containing unknown protocols...
Table 160: show ipv6 interface Output Fields (continued)
Group membership (queries, responses, reductions): Number of queries, responses, and reduction requests received from within a group to which the interface is assigned
ICMPv6 Statistics
Sent total: Total number of ICMPv6 packets sent...
Table 160: show ipv6 interface Output Fields (continued)
ND reachable time: Amount of time (in milliseconds) that the neighbor is expected to remain reachable
ND duplicate address detection attempts: Number of times that the router attempts to determine a duplicate address
ND neighbor solicitation...
Table 160: show ipv6 interface Output Fields (continued)
In Error Packets: Packets discarded on a receive IP interface because of IP header errors
In Discarded Packets: Packets discarded on the ingress interface because of a configuration problem rather than a problem with the packet itself
Out Forwarded Packets, Bytes...
Table 160: show ipv6 interface Output Fields (continued)
Dropped exceeded packets, bytes: Total number of exceeded packets and bytes dropped by this interface
Related Topics
show ip interface
show ipv6 interface
Monitoring Service Definitions
Purpose: Display information about the service definitions configured on your router.
Table 161: show service-management service-definition Output Fields (continued)
Installed: Status of definition: True (installed), False (not installed)
Reference Count: Number of times the service definition has been used to instantiate a unique service instance (which identifies the policy, QoS, and profile objects for a service).
Table 162: show service-management service-session-profile Output Fields
Name: Name of the service session profile
Volume: Volume threshold, in MB, for the service session
Time: Time threshold, in seconds, for the service session
Statistics: Type of statistics that are captured: Disabled (none)
----------------------- ------------
tiered(2000000,3000000) False
To display information for a particular owner with service session information:
host1# show service-management owner-session aaa 4194326 service-session
User Name: client1@isp.COM, Interface: ip192.168.0.1
Service : tiered(2000000,3000000)
Non-volatile : False
Owner : AAA 4194326
State : Config ApplySuccess
Activate : True
Statistics Type : time-based and volume-based...
Table 163: show service-management owner-session Output Fields (continued)
Statistics Type: Type of statistics collected; none, time, or volume-time
Statistics Complete: Whether statistics have been successfully collected; True or False
Poll Interval: Interval, in seconds, that interim statistics reports are sent
Poll Expire...
host1# show service-management subscriber-session brief
Subscriber Sessions
-------------------
Service Name      Interface       Owner/Id      State   Non-volatile  Sessions
----------------  --------------  ------------  ------  ------------  --------
CLIENT1@ISP.COM   ip192.168.0.3   AAA 4194326   Active  False
CLIENT2@ISP.COM   ip192.168.0.7   AAA 4194327   Active  False
CLIENT3@ISP.COM   ip192.168.0.4   AAA 4194328   Active...
host1#show service-management subscriber-session 20
User Name: CLIENT50@ISP.COM, Interface: ip192.168.100.33
Id: 20
Owner/Id: CLI
Non-volatile: True
State: Active
ServiceSessions:
Name                 mutex  Owner  State                Operation
-------------------  -----  -----  -------------------  ---------
internet(5000,8000)                Config ApplySuccess  Activate
Name                 Non-volatile
-------------------  ------------
internet(5000,8000)  True...
Table 164: show service-management subscriber-session Output Fields (continued)
Poll Interval: Interval, in seconds, that interim statistics reports are sent
Poll Expire: Number of seconds until the next statistics report is sent
Activate Time: Day, date, and time when the service session was...
Total Service Sessions : 10
Meaning: Table 165 on page 725 lists the show service-management summary command output fields.
Table 165: show service-management summary Output Fields
Total Subscriber Sessions: Number of active subscriber sessions on the router
Total Service Sessions: Number of active service sessions on the router
show service-management summary...
Monitoring the Number of Active Subscriber and Service Sessions with Service Manager...