Juniper JUNOSE SOFTWARE FOR E SERIES 11.3.X - BROADBAND ACCESS CONFIGURATION GUIDE 2010-10-12 Configuration Manual
JunosE™ Software
for E Series™ Broadband
Services Routers
Broadband Access
Configuration Guide
Release
11.3.x
Published: 2010-10-12
Copyright © 2010, Juniper Networks, Inc.
Summary of Contents for Juniper JUNOSE SOFTWARE FOR E SERIES 11.3.X - BROADBAND ACCESS CONFIGURATION GUIDE 2010-10-12

  • Page 1 JunosE™ Software for E Series™ Broadband Services Routers Broadband Access Configuration Guide Release 11.3.x Published: 2010-10-12 Copyright © 2010, Juniper Networks, Inc.
  • Page 2 Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
  • Page 3 REGARDING LICENSE TERMS. 1. The Parties. The parties to this Agreement are (i) Juniper Networks, Inc. (if the Customer’s principal office is located in the Americas) or Juniper Networks (Cayman) Limited (if the Customer’s principal office is located outside the Americas) (such applicable entity being referred to herein as “Juniper”), and (ii) the person or organization that originally purchased from Juniper or an authorized Juniper reseller the applicable...
  • Page 4 Customer shall be liable for any such violations. The version of the Software supplied to Customer may contain encryption or other capabilities restricting Customer’s ability to export the Software without an export license.
  • Page 5 (including Juniper modifications, as appropriate) available upon request for a period of up to three years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194 N. Mathilda Ave., Sunnyvale, CA http://www.gnu.org/licenses/gpl.html...
  • Page 7 Configuring Subscriber Management ....... 577
  • Page 8 Index ............725
  • Page 9: Table of Contents

    Authentication and Accounting Methods ......19
  • Page 10 Cisco-AVPair (Cisco VSA 26-1) ....... . . 69 How the Route-Download Server Downloads Routes ....70
  • Page 11 Monitoring Mapping Between User Domains and Virtual Routers ... . . 117 Monitoring Tunnel Subscriber Authentication ......119
  • Page 12 Monitoring IPv6 Local Pools for DHCP Prefix Delegation By Pool Name ..162 Monitoring IPv6 Local Pool Statistics for DHCP Prefix Delegation ... . 163
  • Page 13 Supported RADIUS IETF Attributes ....... . 170 Supported Juniper Networks VSAs ....... . . 173 Subscriber AAA Accounting Messages .
  • Page 14 [26-159] DHCP-Option 82 ........230 ANCP-Related Juniper Networks VSAs ......230 DSL Forum Vendor-Specific Attributes .
  • Page 15 Juniper Networks VSAs ........
  • Page 16 E120 Router and E320 Router ........340
  • Page 17 Creating an L2TP Destination Profile ........377
  • Page 18 Example 1: L2TP Session over ATM 1483 Interface ....399 Example 2: L2TP Session over Ethernet VLAN Interface ... 400
  • Page 19 Monitoring Statistics on the Cause of a Session Disconnection ... . . 438 Monitoring Detailed Configuration Information about Specified Sessions ..439
  • Page 20 Linking Local Address Pools ........482
  • Page 21 Use the First Offer from a DHCP Server ......515 Set a Timeout for DHCP Client Renewal Messages ....516
  • Page 22 Monitoring DHCP Local Server Configuration ......552
  • Page 23 Policies and QoS ..........599
  • Page 24 Referencing Policies in Service Definitions ......642
  • Page 25 Gracefully Deactivating Subscriber Service Sessions ....675 Forcing Immediate Deactivation of Subscriber Service Sessions ..676 Using Service Session Profiles to Deactivate Service Sessions ..677
  • Page 26 Index ............725
  • Page 27 Configuring Subscriber Management ....... 577
  • Page 28 Group for a Combined IPv4/IPv6 Service ......693
  • Page 29 Table 32: show subscribers Output Fields ....... 158
  • Page 30 Table 49: RADIUS IETF Attributes Supported by JunosE Software ... 255 Table 50: Juniper Networks (Vendor ID 4874) VSA Formats ....262 Table 51: JunosE Software DSL Forum (Vendor ID 3561) VSA Formats .
  • Page 31 DHCP Local Server Overview ........465 Table 98: Local Pool Selection in Equal-Access Mode ..... 467
  • Page 32 Table 136: show ip demux interface Output Fields ......627
  • Page 33 Table 164: show service-management subscriber-session Output Fields ..719 Table 165: show service-management summary Output Fields ....721
  • Page 35: About the Documentation

    Audience This guide is intended for experienced system and network specialists working with Juniper Networks E Series Broadband Services Routers in an Internet access environment. E Series and JunosE Text and Syntax Conventions Table 1 on page xxxvi defines notice icons used in this documentation.
  • Page 36: Table 1: Notice Icons

    Indicates that you must press two or more keys simultaneously. Press Ctrl + b. Syntax Conventions in the Command Reference Guide: Plain text like this represents keywords (for example, terminal length). Italic text like this represents variables (for example, mask, accessListName).
  • Page 37: Obtaining Documentation

    CD-ROMs or DVD-ROMs, see the Portable Libraries page at http://www.juniper.net/techpubs/resources/index.html Copies of the Management Information Bases (MIBs) for a particular software release are available for download in the software image bundle from the Juniper Networks Web site at http://www.juniper.net/...
  • Page 38: Self-Help Online Tools and Resources

    7 days a week, 365 days a year. Self-Help Online Tools and Resources For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features: Find CSC offerings: http://www.juniper.net/customers/support/...
  • Page 39: Managing Remote Access

    PART 1 Managing Remote Access Configuring Remote Access on page 3 Monitoring and Troubleshooting Remote Access on page 111
  • Page 41: Configuring Remote Access

    CHAPTER 1 Configuring Remote Access This chapter describes how to configure remote access to a Juniper Networks E Series Broadband Services Router. This chapter discusses the following topics: Remote Access Overview on page 4 Remote Access Platform Considerations on page 5...
  • Page 42: Remote Access Overview

    Provide user accounting via RADIUS. NOTE: For information about configuring RADIUS attributes, see “Configuring RADIUS Attributes” on page 167. Configuring IP Addresses for Remote Clients A remote client can obtain an IP address from one of the following:
  • Page 43: AAA Overview

    See the ERX Module Guide for modules supported on ERX7xx models, ERX14xx models, and the ERX310 Broadband Services Router. See the E120 and E320 Module Guide for modules supported on the Juniper Networks E120 and E320 Broadband Services Routers. B-RAS Protocol Support...
  • Page 44: Remote Access References

    (Optional) Map a user domain name to a virtual router. By default, all requests go through a default router. (Optional) Set up domain name and realm name usage. (Optional) Specify a single name for users from a domain.
  • Page 45: Configuring a B-RAS License

    IP, LAC, and bridged Ethernet interfaces: 4000, 8000, 16,000, 32,000, 48,000. NOTE: To use a B-RAS license for 16,000 or more interfaces, each of your SRP modules must have 1 gigabyte (GB) of memory. license b-ras
  • Page 46: Mapping a User Domain Name to a Virtual Router

    Use to specify the B-RAS license. The license is a unique string of up to 15 alphanumeric characters. NOTE: Acquire the license from Juniper Networks Customer Service or your Juniper Networks sales representative. You can purchase licenses that allow up to 2,000, 4,000, 8,000, 16,000, 32,000, or 48,000 simultaneous active IP, LAC, and bridged Ethernet interfaces.
  • Page 47: Mapping User Requests Without a Configured Domain Name

    VR. Also, to prevent loopbacks, the redirection may occur only once to a non-default VR. To maintain flexibility, the redirection response may include idle time or session attributes that are considered as default unless the redirected authentication server overrides them.
  • Page 48: IP Hinting

    If you use RADIUS redirect to assign virtual routers, you can assign access, IPv4, and IPv6 to the redirection target. Example host1(config)#aaa domain-map xyz.com host1(config-domain-map)#auth-router-name accessvr Use the no version to restore the default router. See auth-router-name ip-hint
  • Page 49 Use to map a user domain name to an IPv6 virtual router in Domain Map Configuration mode. Example host1(config)#aaa domain-map westford.com host1(config-domain-map)#ipv6-router-name vroutv6 Use the no version to delete the entry. See ipv6-router-name
  • Page 50: Setting Up Domain Name and Realm Name Usage

    Use either the domain or the realm as the domain name when the username contains both a realm and domain name. Change the direction in which the router searches for the domain name or the realm name.
  • Page 51: Using the Realm Name as the Domain Name

    For example, for a username of userjohn@abc.com@xyz.com, you can identify the domain as either abc.com@xyz.com or as xyz.com, depending on the parse direction that you specify.
  • Page 52: Stripping the Domain Name

    The router performs domain parsing from right to left by default. realmName—Specifies that the realm name is parsed. The router performs realm parsing from left to right by default.
  • Page 53 To stop stripping the username, use the disable keyword. Example
  • Page 54: Domain Name and Realm Name Examples

    PPP sessions. When users request a PPP session, they specify usernames and passwords. During the negotiations for the PPP session, the router authenticates legitimate users.
  • Page 55 If you specify a password only and you have configured the domain name none with the aaa domain-map command, the router rejects any users without domain names.
  • Page 56: Configuring RADIUS Authentication and Accounting Servers

    Round-robin—The first configured server is treated as a primary for the first request, the second server configured as primary for the second request, and so on. When the
  • Page 57: Server Request Processing Limit

    RADIUS authentication for some subscribers, while disabling authentication completely for other subscribers. Similarly, you can enable RADIUS accounting for some subscribers, but no accounting for others. For example, you might use RADIUS authentication for ATM
  • Page 58: Supporting Exchange of Extensible Authentication Protocol Messages

    EAP messages. These types of servers deny access if they receive an authentication request from AAA that includes an EAP message. EAP messages do not affect the none authentication configuration, which always grants access.
  • Page 59: Immediate Accounting Updates

    For example, you might use broadcast accounting to send accounting information to a group of your private accounting servers. Or you might use duplicate accounting to send the accounting information to a customer’s accounting server.
  • Page 60: Configuring AAA Duplicate Accounting

    To override the normal AAA accounting NAS information, access the correct virtual router context, and use the radius override nas-info command. For example: host1(config)#virtual-router vrXyz1 host1:vrXyz1(config)#radius override nas-info host1:vrXyz1(config)#virtual-router vrXyz2 host1:vrXyz2(config)#radius override nas-info host1:vrXyz3(config)#exit host1(config)#
  • Page 61: UDP Checksums

    (Optional) Specify the number of retries the router makes to an authentication or accounting server before it attempts to contact another server. host1(config-radius)#retransmit 2 (Optional) Specify the number of seconds between retries.
  • Page 62 (Optional) Specify the default authentication and accounting methods for the subscribers. host1(config)#aaa authentication ppp default radius none (Optional) Disable UDP checksums on virtual routers you configure for B-RAS. host1:(config)#virtual router boston host1:boston(config)#radius udp-checksum disable aaa accounting broadcast
  • Page 63 For example, radius none specifies that RADIUS accounting is initially used; however, if RADIUS servers are not available, no accounting is done. Example host1(config)#aaa accounting ppp default radius
  • Page 64 Select an interval in the range 10–1440 minutes. The default is 0, which means that the feature is disabled. Example host1(config)#aaa accounting interval 60 Use the no version to turn off interim accounting for both users and services. See aaa accounting interval aaa accounting statistics
  • Page 65 See aaa accounting vr-group aaa authentication default Use to specify the authentication method used for a particular type of subscriber. Specify one of the following types of subscribers: atm1483 tunnel radius-relay ipsec ip (IP subscriber management interfaces)
  • Page 66 For information about setting the default interim accounting interval for services, see “Configuring Service Manager” on page 633. The default interval is applied on a virtual router basis—this setting is used for all users who attach to the corresponding virtual router.
  • Page 67 If all servers fail to answer a request, then instead of marking all servers as unavailable, all servers are marked as available. To turn off the deadtime mechanism, specify a value of 0. Example
  • Page 68 See logout subscribers max-sessions Use to configure the number of outstanding requests supported by an authentication or accounting server. If the request limit is reached, the router sends the request to the next server.
  • Page 69 10.10.10.2 host1(config-radius)exit host1(config)#radius authentication server 10.10.10.3 host1(config-radius)exit host1(config)#radius accounting server 10.10.10.20 host1(config-radius)exit host1(config)#radius accounting server 10.10.10.30 Use the no version to delete the instance of the RADIUS server. See radius accounting server radius algorithm
  • Page 70 Use the no version to set the default of disable. See radius rollover-on-reject radius tunnel-accounting Use to specify that tunnel accounting be enabled or disabled. This command turns on accounting messages: Tunnel-Start, Tunnel-Stop, Tunnel-Reject, Tunnel-Link-Start, Tunnel-Link-Stop, and Tunnel-Link-Reject, as described in RFC 2867.
  • Page 71 If there is no response from the secondary server, the router sends the request to the tertiary server, and so on. Example host1(config)#radius authentication server 10.10.8.1 host1(config-radius)#retransmit 2 Use the no version to set the value to the default, 3 retransmits. See retransmit test aaa
  • Page 72 The router used the backoff algorithm only for subscriber AAA accounting messages except for Acct-On messages. The backoff algorithm is: Example host1(config)#radius authentication server 10.10.0.1 host1(config-radius)#timeout 5
  • Page 73: SNMP Traps and System Log Messages

    The router also generates system log messages when RADIUS servers fail to respond or when they return to active service; no configuration is required for system log messages. SNMP Traps The router generates SNMP traps and system log messages as follows:
  • Page 74: System Log Messages

    (Optional) Enable SNMP traps when all of the configured RADIUS authentication servers on a VR fail to respond to Access-Request messages. host1(config)#radius trap no-auth-server-responding enable (Optional) Enable SNMP traps when a RADIUS authentication server returns to active service.
  • Page 75 RADIUS accounting request. The associated SNMP object is rsRadiusClientTrapOnAcctServerUnavailable. Example host1(config)#radius trap acct-server-not-responding enable Use the no version to return to the default setting, disable. See radius trap acct-server-not-responding radius trap acct-server-responding
  • Page 76 VR fail to respond to a RADIUS accounting request. The associated SNMP object is rsRadiusClientTrapOnNoAcctServerAvailable. Example host1(config)#radius trap no-acct-server-responding enable Use the no version to return to the default setting, disabled. See radius trap no-acct-server-responding radius trap no-auth-server-responding
  • Page 77: Configuring Local Authentication Servers

    A maximum of 100 databases can be configured. To create a local user database, use the aaa local database command and the name of the database; use the name default to create the default local user database: host1(config)#aaa local database westLocal40
  • Page 78: Adding User Entries to Local User Databases

    To add a subscriber and password or secret to the default local user database, complete the following step: host1(config)#username rockyB password rockyPassword Using the aaa local username Command To enter Local User Configuration mode and add user entries to a local user database, use the following commands:
  • Page 79: Assigning a Local User Database to a Virtual Router

    On the E Series router, RADIUS is the default AAA authentication method for PPP subscribers. Use the commands in this section to specify that the local authentication method is used. To enable local authentication on the default router, use the following command:
  • Page 80: Configuration Commands

    Use the no version to delete the specified database and all entries in the database. See aaa local database aaa local select database Use to assign the local user database that the virtual router uses for local authentication. Example host1(config)#virtual-router cleveland host1:cleveland(config)#aaa local select database westLocal40
  • Page 81 Example host1(config-local-user)#ip-address-pool svPool2 Use the no version to delete the IP address pool parameter from the user entry in the local user database. See ip address-pool
  • Page 82 0—An unencrypted password; this is the default 8—A two-way encrypted password Example host1(config-local-user)#password 0 myPassword Use the no version to delete the password or secret from the user entry in the local user database. See password secret
  • Page 83 Two-way encryption is not supported for the secret command. Therefore, use the password command if you want to enable encryption for subscribers that use CHAP authentication.
  • Page 84: Local Authentication Example

  • Page 85 ! Configuration script being generated on TUE NOV 09 2004 12:50:18 UTC ! Juniper Edge Routing Switch ERX-1400 ! Version: 6.1.0 (November 8, 2004 18:31) ! Copyright (c) 1999-2004 Juniper Networks, Inc. All rights reserved. ! Commands displayed are limited to those available at privilege level 15 ! NOTE: This script represents only a subset of the full system configuration.
  • Page 86 ! Configuration script being generated on TUE NOV 09 2004 13:09:03 UTC ! Juniper Edge Routing Switch ERX-1400 ! Version: 6.1.0 (November 8, 2004 18:31) ! Copyright (c) 1999-2004 Juniper Networks, Inc. All rights reserved. ! Commands displayed are limited to those available at privilege level 15 ! NOTE: This script represents only a subset of the full system configuration.
  • Page 87: Configuring Tunnel Subscriber Authentication

    ! Configuration script being generated on TUE NOV 09 2004 13:09:25 UTC ! Juniper Edge Routing Switch ERX-1400 ! Version: 6.1.0 (November 8, 2004 18:31) ! Copyright (c) 1999-2004 Juniper Networks, Inc. All rights reserved. ! Commands displayed are limited to those available at privilege level 15 ! NOTE: This script represents only a subset of the full system configuration.
  • Page 88: Configuring Name Server Addresses

    DNS Primary and Secondary NMS Configuration To configure the DNS primary and secondary name server addresses: Specify the IP address of the DNS primary name server. host1(config)#aaa dns primary 10.10.10.5 or, for IPv6,
  • Page 89 Use to specify the IPv6 address of the DNS secondary name server. Example host1(config)#aaa ipv6-dns secondary 2001:db8::8002 Use the no version to set the corresponding address to 0 (or ::). See aaa ipv6-dns
  • Page 90: WINS Primary and Secondary NMS Configuration

    Each local address server can have one or more local address pools. Each pool can contain a number of IP addresses that are available for allocation and used by clients, such as PPP sessions.
  • Page 91: Local Address Pool Ranges

    DHCP local server address pools within the same virtual router. The addresses are configured and managed within DHCP. Therefore, thresholds are not configured on the shared pool, but are instead managed by the referenced DHCP local server pool.
  • Page 92: SNMP Thresholds

    SNMP traps when certain conditions exist. These thresholds include high utilization threshold and abated utilization threshold. If a pool’s outstanding addresses exceed the high utilization threshold and the SNMP trap signaling is enabled, SNMP is
  • Page 93: Configuring a Local Address Server

    Shared_LAS_Pool_A DHCP_Pool_1 Delete a shared local address pool. host1(config)#no ip local shared-pool Shared_LAS_Pool_C Set SNMP variables by specifying an existing pool name and values. host1(config)#ip local pool addrpool_10 warning 90 80 address-pool-name
  • Page 94 Use to specify the addressing scheme: dhcp, local, or none. The addressing scheme none returns a special indicator to AAA that enables the remote PPP client to assign its own address. Example
  • Page 95 Use to enable SNMP pool utilization traps. Example host1(config)#ip local pool addr_test snmpTrap Use the no version to disable SNMP pool utilization traps. See ip local pool snmpTrap ip local pool warning
  • Page 96 IPv6 local address pool name configured using the ipv6-prefix-pool-name command is used to delegate prefixes to requesting DHCPv6 clients. The IPv6 local pool name is a character string up to 16 characters long. Example host1(config)#aaa domain-map sunnyvale.com host1(config-domain-map)#ipv6-prefix-pool-name local_addr_pool
  • Page 97: Configuring DHCP Features

    Figure 3: Single PPP Clients per ATM Subinterface Configure an ATM interface by entering Configuration mode and performing the following tasks. For more information about configuring ATM interfaces, see JunosE Link Layer Configuration Guide. Configure a physical interface. host1(config)#interface atm 0/1
  • Page 98: Multiple Clients per ATM Subinterface

    0/1.20 Configure a PVC by specifying the vcd (virtual circuit descriptor), the vci (virtual channel identifier), the vpi (virtual path identifier), and the encapsulation type. host1(config-if)#atm pvc 10 22 100 aal5snap Configure PPPoE encapsulation.
  • Page 99: Configuring AAA Profiles

    An AAA profile contains a set of commands to control access for the incoming PPP subscriber. If no AAA profile is used, AAA continues as normal. The user’s name and domain name are not changed as a result of an AAA profile mapping.
  • Page 100: Allowing or Denying Domain Names

    Determines that the AAA profile restrictToABC is valid. Searches restrictToABC for a match on the PPP subscriber’s domain name and finds no match. Searches restrictToABC for a match on the domain name default. Finds a match and denies the user access.
  • Page 101: Using Domain Name Aliases

    Searches forwardToXyz for a match on the PPP subscriber’s domain name and finds no match. Searches forwardToXyz for a match on the domain name default. Finds a match and continues as normal using the domain name xyz.com.
  • Page 102 Parses the domain name abc1.com and examines the specified AAA profile toAbc. Determines that the AAA profile toAbc is valid. Searches toAbc for a match on the PPP subscriber’s domain name and finds a match. Continues as normal using the domain name abc.com.
  • Page 103 See allow deny Use to specify the domain name(s) that you want to be denied access to AAA authentication. Example host1(config-aaa-profile)#deny xyz.com Use the no version to negate the command. See deny ppp aaa-profile
  • Page 104: Manually Setting NAS-Port-Type Attribute

    ATM and Ethernet interfaces. Doing so allows AAA profiles to determine the NAS port type for a given connection. To set the NAS-Port-Type attribute for ATM or Ethernet interfaces: Create an AAA profile.
  • Page 105 (CDMA) wireless-other wireless-umts—Wireless universal mobile telecommunications system (UMTS) xdsl—DSL of unknown type Example host1(config-aaa-profile)#nas-port-type atm wireless-80211 Use the no version to remove the NAS-Port-Type setting for ATM interfaces. See nas-port-type atm
  • Page 106: Service-Description Attribute

    Set the Service-Description attribute. host1(config-aaa-profile)#service-description bos-xyzcorp aaa profile Use to create and configure an AAA profile. Example host1(config)#aaa profile xyzCorpPro2 Use the no version to delete the AAA profile. See aaa profile service-description
  • Page 107: Using RADIUS Route-Download Server to Distribute Routes

    NAS-1 Password = “14raddlsvr” User-Service-Type = Outbound-User cisco-avpair = “ip:route = 192.168.3.0 255.255.255.0 null0” cisco-avpair = “ip:route = vrf vrfboston 192.168.1.0/24 null 0 0 tag 6” cisco-avpair = “ip:route = vir host1 vrf vrfsunny 192.168.0.0/16 null0 0 tag 8”
  • Page 108: How the Route-Download Server Downloads Routes

    (Optional) Specify the UDP port used for RADIUS route-download server requests. host1(config-radius)#udp-port 1812 host1(config-radius)#exit host1(config)# Enable the route-download feature and optionally modify default parameters as needed. host1(config)#aaa route-download 1200 retry-interval 25 password dl1456atl synchronization 03:45:00 (Optional) Verify your route-download configuration:
  • Page 109 You can specify a tag in the range 1–4294967295. The default tag is 0. base-user-name—The virtual router that is used for route-download requests. The default name is the router hostname.
  • Page 110 Use to synchronize downloaded access routes and the routes that are installed in the routing tables of virtual routers. Use the following options to synchronize downloaded routes for a specific virtual router:
  • Page 111 RADIUS route-download server. You can configure a single instance of the route downloader on the router. Example host1(config)#radius route-download server 10.10.5.10 host1(config-radius)#
  • Page 112: Using the AAA Logical Line Identifier to Track Subscribers

    This step is referred to as the preauthentication request because it occurs before user authentication and authorization. The preauthentication server returns the LLID to the router in the Calling-Station-Id (RADIUS attribute 31) of an Access-Accept message.
  • Page 113: RADIUS Attributes in Preauthentication Request

    Type of service the user has requested or the type of service to be provided; for example, framed. [61] NAS-Port-Type—Type of physical port the NAS is using to authenticate the user. [77] Connect-Info Actual user name; for example, jdoe@xyzcorp.east.com
  • Page 114: Considerations for Using the LLID

    For information, see “radius rollover-on-reject” on page 32. Configuring the Router to Obtain the LLID for a Subscriber To configure the router to obtain the LLID for a subscriber: Create an AAA profile that supports subscriber preauthentication. host1(config)#aaa profile preAuthLlid
  • Page 115 To display a count of preauthentication requests and responses, use the show aaa statistics command. For information, see “Setting Baselines for Remote Access” on page 112. aaa profile Use to configure a new AAA profile. Example host1(config)#aaa profile boston123
  • Page 116 LLID for a subscriber. In response, the preauthentication server returns the LLID in the RADIUS Calling-Station-Id [31] attribute of an Access-Accept message. Example host1(config-aaa-profile)#pre-authenticate Use the no version to remove preauthentication support from the AAA profile. See pre-authenticate
  • Page 117: Troubleshooting Subscriber Preauthentication

    (ingress) policy; Egress-Policy-Name: specifies the name of the output (egress) policy (string: output-policy-name); Ingress-Statistics: indicates whether statistics are collected on input (integer: 0 – disable, 1 – enable)
  • Page 118: Traffic Shaping For Ppp Over Atm Interfaces

    Traffic Shaping for PPP over ATM Interfaces The router supports the configuration of traffic shaping parameters for PPP over ATM (PPPoA) via domain-based profiles and RADIUS. In connection with this feature, Table
  • Page 119: Table 7: Traffic-Shaping Vsas That Apply To Dynamic Ip Interfaces

    Example host1(config)#aaa domain-map atmTraffic host1(config-domain-map)#atm rtvbr 3897832145 3597861230 4294967295 Use the no version to remove the traffic-shaping configuration. See atm
  • Page 120: Mapping Application Terminate Reasons To Radius Terminate Codes

    NAS detected an error (other than on the port) that required ending the session; NAS Request: NAS ended the session for a non-error reason; NAS Reboot: NAS ended the session due to a non-administrative reboot
  • Page 121: Configuration Example

    (Optional) Display the current PPP terminate-cause mappings. host1(config)# run show terminate-code ppp
    Apps Terminate Reason               Description                         Radius Code
    ----------------------------------  ----------------------------------  -----------
    authenticate-authenticator-timeout  authenticate authenticator timeout
    authenticate-challenge-timeout      authenticate challenge timeout
    authenticate-chap-no-resources      authenticate chap no resources
  • Page 122 radius include Use to include the Acct-Terminate-Cause attribute (RADIUS attribute 49) in RADIUS Acct-Off messages. You control inclusion of the Acct-Terminate-Cause attribute by enabling or disabling this command. Example
  • Page 123: Configuring Timeout

    You can optionally configure the router to monitor only ingress traffic for the configured idle timeout period to determine session inactivity and subsequent disconnection of an inactive PPP session. Monitoring only ingress traffic for the idle timeout is useful for
  • Page 124 PPP session. host1(config)#aaa timeout idle 1200 host1(config)#aaa timeout idle ingress-only Example 2—Sets the session timeout to 3600 seconds. host1(config)#aaa timeout session 3600
  • Page 125: Limiting Active Subscribers

    AAA. aaa accounting acct-stop on-aaa-failure Use to cause the router to send an Acct-Stop message if a user fails AAA, but RADIUS grants access. Example host1:vr17(config)#aaa accounting acct-stop on-aaa-failure disable
  • Page 126: Configuring Standard Radius Ipv6 Attributes For Ipv6 Neighbor Discovery Router Advertisements And Dhcpv6 Prefix Delegation

    In this release, you can control the RADIUS IETF attribute or VSA to be used for IPv6 Neighbor Discovery router advertisements and DHCPv6 Prefix Delegation by using the aaa ipv6-nd-ra-prefix framed-ipv6-prefix and aaa dhcpv6-delegated-prefix delegated-ipv6-prefix commands, respectively, in Global Configuration mode on each virtual router. aaa ipv6-nd-ra-prefix framed-ipv6-prefix
  • Page 127: Duplicate Ipv6 Prefix Check Overview

    You can configure AAA service to detect duplicates of IPv6 Neighbor Discovery router advertisement prefixes and DHCPv6 delegated prefixes. If a non-unique IPv6 prefix is detected by AAA, the subscriber session corresponding to the duplicate prefix is terminated.
  • Page 128: Configuring Duplicate Ipv6 Prefix Check

    Nas-Port-Type, Nas-Port-Id, Nas-Port, and Calling-Station-Id attributes and send them to the RADIUS server in the Access-Request, Acct-Start, and Acct-Stop messages. The RADIUS client uses one of the following LAG interface ID formats: lag lag-name [.subinterface [:vlan]]
  • Page 129 Calling-Station-Id attribute. For example, a subscriber with the default AAA or RADIUS configuration who is connected over a LAG interface lag1, with subinterface-1, VLAN ID 10, S-VLAN ID 1, and router named
  • Page 130: Configuring The Src Client

    Configuring AAA Authentication for DHCP Local Server Standalone Mode on page 483 show subscribers Configuring the SRC Client The JunosE Software has an embedded client that interacts with the Juniper Networks SRC software, enabling the SRC software to manage the router’s policy and QoS configuration.
  • Page 131 PDP determines policies and sends provisioning data to the PEP. c. PEP provisions the policies. PDP requests policy provisioning a. PDP determines new policies and sends provisioning data to the PEP. b. PEP provisions the policies.
  • Page 132 The proprietary PIB provides the Policy Manager and QoS Manager functionality shown in the following lists. Policy Manager Committed access rate Packet filtering Policy routing QoS classification and marking Rate limiting Traffic class QoS Manager
  • Page 133 The JunosE-IP-PIB file is updated with each JunosE release. Since the PIB is implemented by both Juniper Networks SRC and JunosE devices, distribution of the PIB file to customers is not necessary. Customers can access the proprietary PIB file, on approval from Juniper Networks, through Juniper support.
  • Page 134 IPv6 interfaces. The IPv6 support is in addition to the default IPv4 support. Example host1(config)#sscc protocol ipv6 Use the no version to disable IPv6 support on the SRC client. See sscc protocol ipv6 sscc protocol lac
  • Page 135 SRC software, which requests full synchronization, which restores correct policies and QoS provisioning. Using this option consumes more time because the command enables the router to clear the existing PIB structures in addition to performing the synchronization.
  • Page 136 If you do not specify a source interface, the TCP/COPS connection is not bound to a specific source (that is, local) interface. Example host1(config)#sscc sourceInterface atm 3/0
  • Page 137 COPS details. Therefore, this feature of retrieval of updated line rate parameters from ANCP by the SRC client is backward compatible with older versions of SRC software.
  • Page 138: Retrieval Of Dsl Line Rate Information From Access Nodes Overview

    COPS server or SRC server. A COPS server processes the following topology parameters that it receives from the SRC client in the updated COPS messages: JunosEIpInterfaceMode JunosEIpInterfaceUpstreamRate JunosEIpInterfaceDownstreamRate JunosEIpInterfaceMinimumDataRateUpstream JunosEIpInterfaceMinimumDataRateDownstream JunosEIpInterfaceAttainableDataRateUpstream JunosEIpInterfaceAttainableDataRateDownstream
  • Page 139: Dhcpv6 Local Address Pools For Allocation Of Ipv6 Prefixes Overview

    IPv6 prefixes to DHCPv6 clients. In this release, you can configure IPv6 local address pools to allocate IPv6 prefixes to clients in networks that use DHCPv6. These pools can be used to assign prefixes from a delegating router, which is an E Series router configured
  • Page 140 You can configure the IPv6 addresses of a primary and secondary DNS server in an IPv6 local pool. The DNS server addresses are returned to the client in DHCPv6 responses as part of the DNS Recursive Name Server option.
  • Page 141: Dhcpv6 Prefix Delegation Example

    DHCPv6 server or delegating router. After the IPv6 link is formed between CPE1 and PE1 and the IPv6 link-local address is created, CPE1 requests and obtains prefixes that are shorter than /64 (usually of length /48) from PE1.
  • Page 142: Prefixes

    If any of the first three attributes are returned, then the prefix contained in those attributes is used and the pool name in the Framed-IPv6-Pool attribute is ignored. For example, if both the Delegated-IPv6-Prefix or Framed-IPv6-Prefix, and
  • Page 143: Configuring The Dhcpv6 Local Address Pools

    In this case, the starting and ending prefixes of the range are implicitly specified. In this example, the start of the range is 2002:2002::/48 and the end of the range is 2002:2002:ffff::/48. All prefixes assigned from this range have 48 as the prefix length.
  • Page 144 DHCPv6 responses as part of the Domain Search List option. The client uses this domain name for DNS resolution. You can specify a maximum of four DNS domains for an IPv6 local pool’s search list. host1(config-v6-local)#dns-domain-search test1.com host1(config-v6-local)#dns-domain-search test2.com
  • Page 145: Limitation On The Number Of Prefixes Used By Clients

    In Use ------------------------- ------------------------- ------- ------- 3003:3003::/64 3003:3003:ffff:ffff::/64 1048576 Preferred Valid Start Exclude Util Lifetime Lifetime ------------------------- ------- ---- ---------- ---------- 3003:3003::/64 1 day 1 day host1#show ipv6 local pool IPv6 Local Address Pools
  • Page 146: Example

    ! method. Exit the Interface Configuration mode. host1(config)#interface gigabitEthernet 2/1/4 host1(config-if)#encapsulation vlan host1(config-if)#exit ! Create a VLAN subinterface, assign a loopback address to it, and enable ! IPv6 Neighbor Discovery. Exit the Interface Configuration mode.
  • Page 147 Ethernet interface 2/1/4.100, prefixes are allocated to the client from the example local pool. In this example, the local pool to use for allocation of prefixes is selected based on the IPv6 address of the interface over which the request is received.
  • Page 148 JunosE 11.3.x Broadband Access Configuration Guide
  • Page 149: Monitoring And Troubleshooting Remote Access

    Monitoring Interim Accounting for Users on the Virtual Router on page 129 Monitoring Virtual Router Groups Configured for AAA Broadcast Accounting on page 129 Monitoring Configuration Information for AAA Local Authentication on page 130
  • Page 150: Setting Baselines For Remote Access

    You can set baseline statistics using the baseline commands. The router implements the baseline by reading and storing the statistics at the time the baseline is set and then subtracting this baseline when you retrieve baseline-relative statistics.
  • Page 151: Setting A Baseline For Aaa Statistics

    Setting a Baseline for Local Address Pool Statistics Purpose Set a baseline for local address pool statistics. Action Issue the show local pool statistics command: host1#show local pool statistics There is no no version.
  • Page 152: Setting A Baseline For Radius Statistics

    To display the show aaa accounting command: host1:vrXyz7#show aaa accounting Accounting duplication set to router vrXyz25 Broadcast accounting uses group groupXyzCompany20 send acct-stop on AAA access deny is enabled send acct-stop on authentication server access deny is disabled
  • Page 153: Monitoring Aaa Accounting Default

    IP subscriber management interfaces. Action To display the default AAA accounting method: host1#show aaa accounting tunnel default radius Related show aaa accounting default Documentation Monitoring Accounting Interval Purpose Display the accounting interval.
  • Page 154: Monitoring Specific Virtual Router Groups

    For example, you can verify that the local authentication method is configured for PPP subscribers. Action To display the default AAA authentication method list for a subscriber type: host1#show aaa authentication ppp default local none Related show aaa authentication default Documentation
  • Page 155: Monitoring Domain And Realm Name Delimiters

    Tunnel Tunnel Tunnel Virtual Failover Switch Speed Router Resync Profile Method ------ ------- -------- --------- ------ <null> silent failover denver Meaning Table 13 on page 118 lists the show aaa domain-map command output fields.
  • Page 156: Table 13: Show Aaa Domain-Map Output Fields

    Tunnel Source Source address of the tunnel Tunnel Type L2TP Tunnel Medium Type of medium for the tunnel; only IPv4 is supported Tunnel Password Password for the tunnel Tunnel Id ID of the tunnel
  • Page 157: Monitoring Tunnel Subscriber Authentication

    Action To display tunnel subscriber authentication configuration: host1#show aaa domain-map Domain: tunnel.com; auth-router-name: default; ip-router-name: default ipv6-router-name: default; tunnel-subscriber authentication: enable Meaning Authentication is enabled. Related show aaa domain-map Documentation
  • Page 158: Monitoring Routing Table Address Lookup

    Display the configuration of all AAA profiles or of a specific profile. Action To display the configuration of all AAA profiles or of a specific profile: host1#show aaa profile name PreAuth1 preAuth1: atm nas-port-type: ADLSL-CAP
  • Page 159: Monitoring Statistics About The Radius Route-Download Server

    To display statistics about the RADIUS route-download server configuration: host1#show aaa route-download AAA Route Downloader: configured in virtual router default Download Interval: 720 minutes Retry Interval: 10 minutes Default Cost: Default Tag: Base User Name: <HOSTNAME>
  • Page 160: Table 15: Show Aaa Route-Download Output Fields

    Last Download Attempt Either <NEVER> or the day, date, and time of attempt Last Download Success Either <NEVER> or the day, date, and time of success
  • Page 161: Monitoring Routes Downloaded By The Radius Route-Download Server

    Prefix/Length    Type      NextHop          Dst/Met  Intf
    ---------------  --------  ---------------  -------  -----
    192.168.1.1/32   Access-P  255.255.255.255  254/2    null0
    192.168.1.5/32   Access-P  255.255.255.255  254/2    null0
    192.168.1.9/32   Access-P  255.255.255.255  254/2    null0
    192.168.1.13/32  Access-P  255.255.255.255  254/2    null0
  • Page 162: Servers

    VRF a2 in virtual router aaa. Action To display chassis-wide information about routes that are downloaded by RADIUS route-download servers: host1#show aaa route-download routes global Number Virtual Router Present Routes --------------- --------------- ------- ------ default default
  • Page 163: Table 17: Show Aaa Route-Download Routes Global Output Fields

    Number of current downloaded routes Prefix/Length IP address prefix and mask information for downloaded routes Type Type of downloaded routes; Access-P indicates routes downloaded from the RADIUS route-download server NextHop IP address of the next hop
  • Page 164: Monitoring Authentication, Authorization, And Accounting Statistics

    Duplicate Acct requests incoming Duplicate Acct responses outgoing Broadcast Acct requests incoming Broadcast Acct responses outgoing Address requests incoming Address responses Meaning Table 18 on page 127 lists the show aaa statistics command output fields.
  • Page 165: Table 18: Show Aaa Statistics Output Fields

    Broadcast Acct requests incoming: Number of broadcast accounting requests (starts, updates, stops) from AAA to the accounting task. Broadcast Acct responses: Number of broadcast accounting responses (starts, updates, stops) from the accounting task to AAA.
  • Page 166: Monitoring The Number Of Active Subscribers Per Port

    Documentation Monitoring Session Timeouts Purpose Display idle and session timeouts. Action To display idle and session timeouts: host1#show aaa timeout idle timeout 1200 seconds monitor ingress only session timeout 3600 seconds
  • Page 167: Monitoring Interim Accounting For Users On The Virtual Router

    ! Configuration script being generated on MON JAN 10 2005 15:19:19 UTC ! Juniper Edge Routing Switch ERX1440 ! Version: 9.9.9 development-4.0 (January 7, 2005 17:26) ! Copyright (c) 1999-2004 Juniper Networks, Inc. All rights reserved. ! Commands displayed are limited to those available at privilege level 15 ! NOTE: This script represents only a subset of the full system configuration.
  • Page 168: Monitoring Configuration Information For Aaa Local Authentication

    ! Configuration script being generated on TUE NOV 09 2004 12:50:18 UTC ! Juniper Edge Routing Switch ERX-1400 ! Version: 6.1.0 (November 8, 2004 18:31) ! Copyright (c) 1999-2004 Juniper Networks, Inc. All rights reserved. ! Commands displayed are limited to those available at privilege level 15 ! NOTE: This script represents only a subset of the full system configuration.
  • Page 169: Monitoring Aaa Server Attributes

    ! Juniper Edge Routing Switch ERX1440 ! Version: 11.2.0 beta-1.1 [BuildId 12073] (April 22, 2010 11:46) ! Copyright (c) 1999-2010 Juniper Networks, Inc. All rights reserved. ! Commands displayed are limited to those available at privilege level 15 ! NOTE: This script represents only a subset of the full system configuration.
  • Page 170: Table 21: Show Configuration Category Aaa Server-Attributes Include-Defaults

    Table 21: show configuration category aaa server-attributes include-defaults Output Fields Field Name Field Description virtual router Name of the virtual router aaa accounting duplication Virtual router used for duplicate accounting aaa accounting broadcast Virtual router group used for broadcast accounting
  • Page 171: Monitoring The Cops Layer Over Src Connection

    General Cops Information: Sessions Created: 1 Sessions Deleted: 0 Current Sessions: 1 Bytes Received: 680 Packets Received: 17 Bytes Sent: 692 Packets Sent: 21 Keep Alive Received: 12 Keep Alive Sent: 12
  • Page 172: Table 22: Show Cops Info Output Fields

    Type of client for the session. For this release the client type must be 16640 (SRC client). Bytes Received Number of bytes received for this COPS session Packets Received Number of packets received for this COPS session
  • Page 173: Monitoring Statistics About The Cops Layer

    To display statistics about the COPS layer: host1#show cops statistics General Cops Information: Sessions Created: 0 Sessions Deleted: 0 Current Sessions: 0 Bytes Received: 1108 Packets Received: 12 Bytes Sent: 1572 Packets Sent: 18 Keep Alive Received: 2
  • Page 174: Table 23: Show Cops Statistics Output Fields

    Number of packets received for this COPS session Bytes Sent Number of bytes sent on this COPS session Packets Sent Number of packets sent on this COPS session REQ Sent Number of Request packets sent on this COPS session
  • Page 175: Monitoring Local Address Pool Aliases

    Alias   Pool
    ------  -----
    alias1  poolA
    alias2  poolB
    alias3  poolC
    poolA   poolD
    poolB   poolD
    poolC   poolD
    Meaning Table 24 on page 138 lists the show ip local alias command output fields.
  • Page 176: Monitoring Local Address Pools

    ------ ---- ----- poolB Aliases ------- alias2 Begin Free -------- --------- ---- 10.2.1.1 10.2.1.10 10.2.2.1 10.2.2.10 High Abated Pool Thresh Thresh Trap Group ----- ------ ------ ---- ----- poolC Aliases ------- alias3 Begin Free
  • Page 177: Monitoring Local Address Pool Statistics

    Display local address pool statistics. Use the optional delta keyword to specify that baselined statistics are to be shown. Action To display local address pool statistics: host1#show ip local pool statistics Local Address Pool Statistics
  • Page 178: Monitoring Shared Local Address Pools

    P- periodic download, O- OSPF, E1- external type 1, E2- external type2, N1- NSSA external type1, N2- NSSA external type2 L- MPLS label, V- VRF, *- via indirect next-hop Prefix/Length Type Next Hop Dst/Met Interface ------------------ --------- --------------- ---------- -----------------
  • Page 179: Monitoring The B-Ras License

    Display the current RADIUS override settings. Action To display the RADIUS override settings: host1:vrXyz7#show radius override nas-ip-addr: nas-ip-addr nas-info: from authentication virtual router Meaning Table 27 on page 142 lists the show radius override command output fields.
  • Page 180: Monitoring The Radius Rollover Configuration

    172.28.30.119 1812 radius alive RADIUS Accounting Configuration ------------------------------- Retry Maximum Dead IP Address Port Count Timeout Sessions Time Secret Status ------------- ---- ----- ------- -------- ---- ------ ------ 172.28.30.117 1813 radius dead
  • Page 181: Table 28: Show Radius Servers Output Fields

    ---- ------ ------ Table 28 on page 143 lists the show radius servers command output fields. Table 28: show radius servers Output Fields Field Name Field Description IP Address IP address of RADIUS server
  • Page 182: Monitoring Radius Services Statistics

    Use the optional delta keyword to specify that baselined statistics are to be shown. Action To display RADIUS authentication and accounting statistics: host1#show radius statistics RADIUS Authentication Statistics -------------------------------- Statistic 10.10.121.128 ------------------- -------------
  • Page 183 172.28.30.117 ------------------- ------------- UDP Port 1812 Round Trip Time Access Requests 2809 Rollover Requests Retransmissions Access Accepts 2809 Access Rejects Access Challenges Malformed Responses Bad Authenticators Requests Pending Request Timeouts Unknown Responses Packets Dropped
  • Page 184: Table 29: Show Radius Statistics Output Fields

    Number of access challenges received from the server Malformed Responses Number of responses with attributes having an invalid length or unexpected attributes (such as two attributes when the response is required to have at most one)
  • Page 185 Number of accounting start responses received; includes Acct-On, Acct-Start, Acct-Link-Start, and Acct-Tunnel-Start responses Interim Responses Number of interim accounting responses Stop Responses Number of accounting stop responses received; includes Acct-Off, Acct-Stop, Acct-Link-Stop, and Acct-Tunnel-Stop responses
  • Page 186: Monitoring Radius Snmp Traps

    RADIUS accounting is either enabled or disabled. Related show radius tunnel-accounting Documentation Monitoring RADIUS UDP Checksums Purpose Display information about UDP checksums. Action To display the status of RADIUS UDP checksums: host1#show radius udp-checksum enabled
  • Page 187: Monitoring Radius Server Ip Addresses

    Display whether the ability to detect duplicates of IPv6 Neighbor Discovery router advertisement prefixes and DHCPv6 delegated prefixes is enabled. Action To check whether duplicate IPv6 prefix detection capability is enabled: host1#show aaa duplicate-prefix-check enabled
  • Page 188: Monitoring Src Client Connection Status

    Token Creates Sent Token Deletes Sent Active Addresses Address Transitions Create Addresses Sent Delete Addresses Sent Authentication Successes Authentication Failures Meaning Table 30 on page 151 lists the show sscc info command output fields.
  • Page 189: Table 30: Show Sscc Info Output Fields

    ANCP and transfers the details to the COPS server with other COPS messages, enabled or disabled The connection state is Current state of the TCP/COPS connection
  • Page 190: Monitoring Src Client Connection Statistics

    Display statistics about connection between the SRC client and SAE. The command output refers to the SRC client by its former name, SSC client. Action To display statistics for the SRC client connection: host1#show sscc statistics SSC Client Statistics:
  • Page 191: Table 31: Show Sscc Statistics Output Fields

    Number of connections the SRC client has tried to open with a remote SAE Connection Open completed Number of connections successfully open to the SAE Connection Closed sent Number of connections the SRC client has closed
  • Page 192: Monitoring The Src Client Version Number

    When you issue the command in the default VR, all users are displayed. When you issue the command in a nondefault VR, only those users attached to that VR are displayed. The following list describes keywords that you can use with the show subscribers command:
  • Page 193 You can use the icr-partition keyword to display the active subscribers for a particular ICR partition configured on a chassis. You can use the summary keyword to display only summary information about active subscribers. Action To display general subscriber information: host1# show subscribers
  • Page 194 ------------- ----- ----------- --------- 4101DHCPCLIENT@CT.NET 2.0.0.3/user default User Name Interface ------------------------ ------------ 4101DHCPCLIENT@CT.NET lag lag2.1:1-1 User Name Login Time Circuit Id ------------------------ ------------------- ---------------- 4101DHCPCLIENT@CT.NET 09/10/29 02:07:51 User Name Remote Id ------------------------ ---------------- 4101DHCPCLIENT@CT.NET
  • Page 195 Total Subscribers : 10 (chassis-wide total) Peak Subscribers : 15 (chassis-wide total) To display the number of subscribers by interface: host1#show subscribers summary interface Interface Count -------------------- ----- ATM 3/2.1 ETHERNET 5/2.1 LAG lag1.100
  • Page 196: Table 32: Show Subscribers Output Fields

    Remote Id User remote ID value specified by PPPoE Total Subscribers Number of active subscribers, chassis-wide Peak Subscribers Maximum value of the Total Subscriber field during the time the router has been active, chassis-wide
  • Page 197: Monitoring Application Terminate Reason Mappings

    Terminate Reason                              Description                                   Radius Code
    --------------------------------------------  --------------------------------------------  -----------
    authenticate-authenticator-timeout            authenticate authenticator timeout
    authenticate-challenge-timeout                authenticate challenge timeout
    authenticate-chap-no-resources                authenticate chap no resources
    authenticate-chap-peer-authenticator-timeout  authenticate chap peer authenticator timeout
  • Page 198 This example uses l2tp as the application and session-access-interface-down as the terminate reason. host1#show terminate-code l2tp session-access-interface-down Radius Terminate Reason Description Code ------------------------------------------------------------ ------ session access interface down Meaning Table 33 on page 161 lists the show terminate-code command output fields.
  • Page 199: Pools

    Starting prefix of the range of prefixes configured in a particular pool Ending prefix of the range of prefixes configured in a particular pool Total Number of prefixes available for allocation to clients from a particular pool
  • Page 200: Monitoring Ipv6 Local Pools For Dhcp Prefix Delegation By Pool Name

    Percentage of IPv6 prefixes currently allocated to clients from the local address pool Start Starting prefix of the range of prefixes configured in a particular pool Ending prefix of the range of prefixes configured in a particular pool
  • Page 201: Monitoring Ipv6 Local Pool Statistics For Dhcp Prefix Delegation

    IPv6 Local Address Pool Statistics ---------------------------------- Statistic Value ----------------- ----- Allocations Allocation Errors Releases Release Errors Meaning Table 36 on page 164 lists the show ipv6 local pool statistics command output fields.
  • Page 202: Table 36: Show Ipv6 Local Pool Statistics Output Fields

    Releases Number of prefixes released back to the pool Release Errors Number of errors encountered during the process of release of previously assigned prefixes by the requesting router Related show ipv6 local pool Documentation
  • Page 203: Managing Radius And Tacacs

    Configuring RADIUS Relay Server on page 247 RADIUS Attribute Descriptions on page 255 Application Terminate Reasons on page 277 Monitoring RADIUS on page 303 Configuring TACACS+ on page 317 Monitoring TACACS+ on page 329
  • Page 205: Chapter 3 Configuring Radius Attributes

    RADIUS Overview RADIUS is a distributed client/server system that protects networks against unauthorized access. RADIUS clients running on a Juniper Networks E Series Broadband Services Router send authentication requests to a central RADIUS server. You can access the RADIUS server through either a subscriber line or the CLI.
  • Page 206: Radius Services

    Any attribute number beginning with 26, such as [26-1], identifies a vendor-specific attribute. For a complete list of RADIUS attributes supported by JunosE Software, see “RADIUS IETF Attributes” on page 255. RADIUS Platform Considerations RADIUS is supported on all E Series routers.
  • Page 207: RADIUS References

    See the ERX Module Guide for modules supported on ERX7xx models, ERX14xx models, and the ERX310 Broadband Services Router. See the E120 and E320 Module Guide for modules supported on the Juniper Networks E120 and E320 Broadband Services Routers.
    RADIUS References
    For more information about RADIUS, consult the following resources:
    RFC 2865—Remote Authentication Dial In User Service (RADIUS) (June 2000)
  • Page 208: Supported RADIUS IETF Attributes

    – [12] Framed-MTU – – – – (See Note 2.)
    [18] Reply-Message – – – (See Note 2.)
    [22] Framed-Route – – – – –
    [24] State – – – – (See Note 2.)
  • Page 209 (See Note 1.)
    [67] Tunnel-Server-Endpoint – – – – (See Note 1.)
    [68] Acct-Tunnel-Connection – – – – – (See Note 1.)
    [69] Tunnel-Password – – – – –
    [77] Connect-Info – – – – –
  • Page 210 Delegated-IPv6-Prefix – – – – –
    [135] Ascend-Primary-Dns – – – – –
    [136] Ascend-Secondary-Dns – – – – –
    [188] Ascend-Num-In-Multilink – – – – –
    [242] Ascend-Data-Filter – – – – –
  • Page 211: Supported Juniper Networks VSAs

    Supported Juniper Networks VSAs
    Table 38 on page 173 lists the Juniper Networks (Vendor ID 4874) VSAs supported for Access-Request, Access-Accept, Access-Reject, CoA-Request, and Disconnect-Request messages.
    Table 38: AAA Access Message Juniper Networks (Vendor ID 4874) VSAs Supported...
  • Page 212 Table 38: AAA Access Message Juniper Networks (Vendor ID 4874) VSAs Supported (continued)
    Columns: Attribute Number, Attribute Name, Access-Request, Access-Accept, Access-Reject, CoA-Request, Disconnect-Request
    [26-25] Redirect-Vrouter-Name – – – –
    [26-26] Qos-Profile-Name –...
  • Page 213 Table 38: AAA Access Message Juniper Networks (Vendor ID 4874) VSAs Supported (continued)
    Columns: Attribute Number, Attribute Name, Access-Request, Access-Accept, Access-Reject, CoA-Request, Disconnect-Request
    [26-64] Tunnel-Group – – – –
    [26-65] Activate-Service –...
  • Page 214 Table 38: AAA Access Message Juniper Networks (Vendor ID 4874) VSAs Supported (continued)
    Columns: Attribute Number, Attribute Name, Access-Request, Access-Accept, Access-Reject, CoA-Request, Disconnect-Request
    [26-88] Mobile-IP-Access-Control-List – – – –
    [26-89] Mobile-IP-Lifetime –...
  • Page 215: Subscriber AAA Accounting Messages

    Table 38: AAA Access Message Juniper Networks (Vendor ID 4874) VSAs Supported (continued)
    Columns: Attribute Number, Attribute Name, Access-Request, Access-Accept, Access-Reject, CoA-Request, Disconnect-Request
    [26-120] Max-Data-Rate-Dn – – – –
    [26-121] Min-LP-Data-Rate-Up –...
  • Page 216: Supported RADIUS IETF Attributes

    For this attribute to be included, an IPv6 interface ID must be assigned to the subscriber.
    For this attribute to be included, at least one IPv6 prefix must be assigned to the subscriber.
  • Page 217: Table 39: AAA Accounting Message RADIUS IETF Attributes Supported

    NAS-Identifier
    [40] Acct-Status-Type
    [41] Acct-Delay-Time
    [42] Acct-Input-Octets – – –
    [43] Acct-Output-Octets – – –
    [44] Acct-Session-Id
    [45] Acct-Authentic
    [46] Acct-Session-Time – – –
    [47] Acct-Input-Packets – – –
    [48] Acct-Output-Packets – – –
  • Page 218 – [82] Tunnel-Assignment-Id (LAC only) – – (See Note 1.)
    [83] Tunnel-Preference (LAC only) – –
    [87] NAS-Port-Id – –
    [90] Tunnel-Client-Auth-Id – – (See Note 1.)
    [91] Tunnel-Server-Auth-Id – – (See Note 1.)
  • Page 219: Supported Juniper Networks VSAs

    – (See Note 3.)
    Supported Juniper Networks VSAs
    Table 40 on page 182 lists the Juniper Networks (Vendor ID 4874) VSAs supported for Acct-Start, Acct-Stop, Interim-Acct, Acct-On, Acct-Off, Partition-Accounting-On, and Partition-Accounting-Off messages. The following notes are referred to in Table 40 on page 182: The attribute is not included in Acct-Stop messages that are sent when a user session does not get established in one of the following situations.
  • Page 220: Table 40: AAA Accounting Message Juniper Networks (Vendor ID 4874) VSAs

    – –
    [26-45] Ipv6-Virtual-Router – – – –
    [26-46] Ipv6-Local-Interface – – – –
    [26-47] Ipv6-Primary-DNS – – – –
    [26-48] Ipv6-Secondary-DNS – – – –
    [26-51] Disconnect-Cause – – – – – –
  • Page 221 – – – –
    [26-119] Max-Data-Rate-Up – – – –
    [26-120] Max-Data-Rate-Dn – – – –
    [26-121] Min-LP-Data-Rate-Up – – – –
    [26-122] Min-LP-Data-Rate-Dn – – – –
    [26-123] Max-Interlv-Delay-Up – – – –
  • Page 222: Tunnel Accounting Messages

    (See Note 2.)
    [26-159] DHCP-Option 82 – – – – (See Note 1.)
    Tunnel Accounting Messages
    Table 41 on page 185 lists RADIUS attributes supported by the following tunnel-related accounting messages:
    Acct-Tunnel-Start
    Acct-Tunnel-Stop
    Acct-Tunnel-Reject
    Acct-Tunnel-Link-Start
  • Page 223: Table 41: AAA Accounting Tunnel Message RADIUS Attributes Supported

    Event-Timestamp
    [64] Tunnel-Type
    [65] Tunnel-Medium-Type
    [66] Tunnel-Client-Endpoint
    [67] Tunnel-Server-Endpoint
    [68] Acct-Tunnel-Connection
    [82] Tunnel-Assignment-Id (LAC only)
    [83] Tunnel-Preference (LAC only) – – –
    [86] Acct-Tunnel-Packets-Lost – – – –
    [90] Tunnel-Client-Auth-Id
    [91] Tunnel-Server-Auth-Id
  • Page 224: DSL Forum VSAs in AAA Access and Accounting Messages

    (DSLAM).
    NOTE: JunosE Software also supports several Juniper Networks VSAs that you can use to include DSL-related information. See “Juniper Networks VSAs” on page 261.
    Table 42 on page 186 lists the DSL Forum VSAs supported by JunosE Software in Access-Request, Acct-Start, Acct-Stop, Interim-Acct (if Acct-Stop is specified), and CoA-Request messages.
  • Page 225: CLI AAA Messages

    Table 43 on page 187 lists the RADIUS attributes supported for CLI AAA messages.
    Table 43: CLI AAA Access Message RADIUS Attributes Supported
    Columns: Attribute Number, Attribute Name, Access-Request, Access-Accept, Access-Challenge, Access-Reject
    User-Name – – –
  • Page 226: CLI Commands Used to Modify RADIUS Attributes

    CLI Commands Used to Modify RADIUS Attributes
    This section discusses the RADIUS Internet Engineering Task Force (IETF) attributes and the Juniper Networks vendor-specific attributes that you can configure using CLI commands. For many attributes, you can configure the router to include the attribute in RADIUS messages.
  • Page 227: RADIUS IETF Attributes

    See radius override nas-info
    Related Documentation: Monitoring Override Settings of RADIUS IETF Attributes on page 303
    [5] NAS-Port
    Use the following commands to manage and display information for the NAS-Port RADIUS attribute:
    radius include nas-port
    radius nas-port-format
  • Page 228 Example: If the PPP user is received on a VC from the card in slot 7, port 2, then the bit pattern is either 00111010 (for 0ssssppp) or 01110010 (for ssss0ppp).
    host1(config)#radius nas-port-format 0ssssppp
    Use the no version to restore the default.
    radius nas-port-format extended atm
    radius nas-port-format extended ethernet
  • Page 229 If you do not specify a value for a field, the number of bits is set to 0.
    See radius nas-port-format extended
    Example 1—Sets the field widths for ATM interfaces
    host1(config)#radius nas-port-format extended atm field-widths slot 4
  • Page 230: Framed-IP-Address

    Use to include the Framed-IP-Address attribute in Acct-Start and Acct-Stop messages. You can control inclusion of the attribute by enabling or disabling this command. For RADIUS to include this attribute, an IP address must be assigned to the subscriber.
    See radius include
  • Page 231: Framed-IP-Netmask

    Use the no version to restore the default, enable.
    [13] Framed-Compression
    Use the following command to manage the Framed-Compression RADIUS attribute.
    radius include framed-compression
    radius include framed-compression
    Use to include the Framed-Compression attribute in Acct-Start or Acct-Stop messages.
  • Page 232: [22] Framed-Route

    See radius include
    Example
    host1(config)#radius include class acct-start disable
    Use the no version to restore the default, enable.
    [30] Called-Station-Id
    Use the following command to manage the Called-Station-Id RADIUS attribute.
    radius include called-station-id
    radius include called-station-id
  • Page 233: [31] Calling-Station-Id

    E Series router, use the delimited keyword.
    Format for ATM interfaces: <delimiter> <system name> <delimiter> <interface> <delimiter> <VPI> <delimiter> <VCI> <delimiter>
    Format for Ethernet interfaces: <delimiter> <system name> <delimiter> <interface> <delimiter> <VLAN>
  • Page 234 For E120 and E320 routers, <adapter> is the number of the bay in which the I/O adapter (IOA) resides, either 0 (representing the right IOA bay on the E120 router or the upper IOA bay on the E320 router) or 1 (representing the left IOA bay on the E120
  • Page 235 <VPI [3]> <VCI [5]>
    Format for Ethernet interfaces: <system name [4]> <slot [2]> <adapter [1]> <port [2]> <VLAN [8]>
    Format for serial interfaces: <system name [4]> <slot [2]> <adapter [1]> <port [2]> <0 [8]>
  • Page 236 LNS and the LAC is a dial-up LAC (not an E Series router). When the LNS receives the Calling-Station-Id and Called-Station-Id AVPs, the router includes the values as they are, with no format changes in the RADIUS messages.
    Example 1
  • Page 237 Use the no version to remove the delimiter.
    radius include calling-station-id
    Use to include the Calling-Station-Id attribute in Access-Request, Acct-Start, or Acct-Stop messages. You can control inclusion of the attribute by enabling or disabling this command.
    See radius include
  • Page 238: [32] NAS-Identifier

    See radius nas-identifier
    radius include nas-identifier
    Use to include the NAS-Identifier attribute in Access-Request, Acct-Start, Acct-Stop, Acct-On, and Acct-Off messages. You can control inclusion of the attribute by enabling or disabling this command.
    See radius include
  • Page 239 For more information about how to use this command, see the Using the PPPoE Remote Circuit ID to Identify Subscribers and Configuring PPPoE Remote Circuit ID Capture sections in JunosE Link Layer Configuration Guide.
    See radius remote-circuit-id-format
    Examples
    host1(config)#radius remote-circuit-id-format nas-identifier agent-circuit-id agent-remote-id
    host1(config)#radius remote-circuit-id-format dsl-forum-1
  • Page 240: [41] Acct-Delay-Time

    Use the no version to restore the default, enable.
    [44] Acct-Session-Id
    Use the following commands to manage and display information for the Acct-Session-Id RADIUS attribute.
    radius include acct-session-id
    radius acct-session-id-format
  • Page 241 “Propagation of LAG Subscriber Information to AAA and RADIUS” on page 90.
    decimal—Configures the RADIUS client to use a decimal format. For example: 435264
    See radius acct-session-id-format
    Example
    host1(config)#radius acct-session-id-format decimal
    Use the no version to negate the Acct-Session-Id format.
  • Page 242: [45] Acct-Authentic

    Use to include the Acct-Multi-Session-Id attribute in Access-Request, Acct-Start, or Acct-Stop messages. You can control inclusion of the Acct-Multi-Session-Id attribute by enabling or disabling this command.
    See radius include
    Example
    host1(config)#radius include acct-multi-session-id acct-stop disable
  • Page 243: [51] Acct-Link-Count

    Use the following command to manage the Acct-Output-Gigawords RADIUS attribute.
    radius include output-gigawords
    radius include output-gigawords
    Use to include the Acct-Output-Gigawords attribute in Acct-Stop messages. You can control inclusion of the Acct-Output-Gigawords attribute by enabling or disabling this command.
    See radius include
  • Page 244: [55] Event-Timestamp

    If the interface (port) is Ethernet, then it sets the attribute to Ethernet and disregards the parameter set with this command. Options include:
  • Page 245: [64] Tunnel-Type

    Use the no version to restore the default, enable.
    Related Documentation: Monitoring the DSL-Port-Type RADIUS Attribute on page 306
    [64] Tunnel-Type
    Use the following command to manage the Tunnel-Type RADIUS attribute.
    radius include tunnel-type
    radius include tunnel-type
  • Page 246: [65] Tunnel-Medium-Type

    Acct-Stop messages. You can control inclusion of the Tunnel-Client-Endpoint attribute by enabling or disabling this command.
    See radius include
    Example
    host1(config)#radius include tunnel-client-endpoint acct-start enable
    Use the no version to restore the default, enable.
  • Page 247: [67] Tunnel-Server-Endpoint

    Use the no version to restore the default, enable.
    [77] Connect-Info
    Use the following commands to manage and display information for the Connect-Info RADIUS attribute.
    radius connect-info-format l2tp-connect-speed
    radius include connect-info
    radius connect-info-format
  • Page 248: [82] Tunnel-Assignment-Id

    Use the no version to restore the default, enable.
    Related Documentation: Monitoring the Connect-Info RADIUS Attribute on page 307
    [82] Tunnel-Assignment-Id
    Use the following command to manage the Tunnel-Assignment-Id RADIUS attribute.
  • Page 249: [83] Tunnel-Preference

    RADIUS uses the LAG interface ID for the NAS-Port-Id attribute. For more information about subscribers connected over the LAG interface in DHCP standalone authenticate mode, see “Propagation of LAG Subscriber Information to AAA and RADIUS” on page 90.
  • Page 250: [90] Tunnel-Client-Auth-Id

    Related Documentation: Monitoring Override Settings of RADIUS IETF Attributes on page 303; Monitoring the NAS-Port-ID RADIUS Attribute on page 307
    [90] Tunnel-Client-Auth-Id
    Use the following command to manage the Tunnel-Client-Auth-Id RADIUS attribute.
    radius include tunnel-client-auth-id
    radius include tunnel-client-auth-id
  • Page 251: [91] Tunnel-Server-Auth-Id

    You can control inclusion of the Framed-Interface-Id attribute by enabling or disabling this command. For RADIUS to include this attribute, an IPv6 interface ID must be assigned to the subscriber.
    See radius include
    Example
    host1(config)#radius include framed-interface-id acct-start enable
  • Page 252: [97] Framed-Ipv6-Prefix

    See radius include
    Example
    host1(config)#radius include framed-ipv6-route acct-start enable
    Use the no version to restore the default, disable.
    [100] Framed-Ipv6-Pool
    Use the following command to manage the Framed-Ipv6-Pool RADIUS attribute.
  • Page 253: [123] Delegated-IPv6-Prefix

    For static interfaces, although the prefix configured using the CLI command is used for DHCPv6 Prefix Delegation instead of the value returned by the RADIUS server, the immediate accounting, Acct-Stop, or Interim-Acct messages contain the prefix returned
  • Page 254: [188] Ascend-Num-In-Multilink

    You can control inclusion of all tunnel server attributes by enabling or disabling this command.
    See radius include
    Example
    host1(config)#radius include tunnel-server-attributes access-request enable
    Use the no version to restore the default, disable.
  • Page 255: Juniper Networks Vendor-Specific Attributes

    Juniper Networks Vendor-Specific Attributes
    This section describes the Juniper Networks vendor-specific attributes (VSAs) that you can configure using CLI commands. The attributes are listed numerically and are followed by descriptions of the commands that you can use to manage the attribute.
  • Page 256: [26-11] Egress-Policy-Name

    Use to cause the Service-Category attribute to be ignored in Access-Accept messages. You can control this behavior by enabling or disabling this command.
    See radius ignore
    Example
    host1(config)#radius ignore atm-service-category enable
  • Page 257: [26-15] Pcr

    Use to cause the MBS attribute to be ignored in Access-Accept messages. You can control this behavior by enabling or disabling this command.
    See radius ignore
    Example
    host1(config)#radius ignore atm-mbs enable
  • Page 258: [26-24] Pppoe-Description

    Use the following command to manage the Acct-Output-Gigapackets RADIUS attribute.
    radius include output-gigapkts
    radius include output-gigapkts
    Use to include the Acct-Output-Gigapackets attribute in Acct-Stop messages. You can control inclusion of the attribute by enabling or disabling this command.
    See radius include
    Example
  • Page 259: [26-44] Tunnel-Interface-Id

    If the IPv6 virtual router context is configured from the profile, it is reported in the immediate-update message for DHCPv6 prefix delegation.
    See radius include
    Example
    host1(config)#radius include ipv6-virtual-router acct-start enable
    Use the no version to restore the default, disable.
  • Page 260: [26-46] Ipv6-Local-Interface

    AAA domain map.
    See radius include
    Example
    host1(config)#radius include ipv6-primary-dns acct-start enable
    Use the no version to restore the default, disable.
    [26-48] Ipv6-Secondary-DNS
    Use the following command to manage the Ipv6-Secondary-DNS RADIUS attribute.
  • Page 261: [26-51] Disconnect-Cause

    Use to include the Service-Description attribute in Access-Request, Acct-Start, and Acct-Stop messages. You can control inclusion of the attribute by enabling or disabling this command.
    See radius include
  • Page 262: [26-55] DHCP-Options

    Use the following command to manage the DHCP-GI-Address RADIUS attribute.
    radius include dhcp-gi-address
    radius include dhcp-gi-address
    Use to include the DHCP-GI-Address attribute in Access-Request, Acct-Start, and Acct-Stop messages. You can control inclusion of the attribute by enabling or disabling this command.
  • Page 263: [26-62] Mlppp-Bundle-Name

    There is no explicit command to include the Interface-Desc attribute in Interim-Acct messages; however, the attribute is automatically included in Interim-Acct messages when the attribute is enabled for Acct-Stop messages.
    See radius include
    Example
    host1(config)#radius include interface-description acct-start enable
  • Page 264: [26-81] L2C-Information

    Use to include the L2C-Down-Stream-Data attribute in Access-Request, Acct-Start, and Acct-Stop messages. You can control inclusion of the L2C-Down-Stream-Data attribute by enabling or disabling this command. Inclusion is disabled by default.
  • Page 265: [26-129] Ipv6-Ndra-Prefix

    Use to include the Downstream-Calculated-Qos-Rate attribute in Access-Request, Acct-Start, and Acct-Stop messages. You can control inclusion of the Downstream-Calculated-Qos-Rate attribute by enabling or disabling this command. Inclusion is disabled by default.
    Example
    host1(config)#radius include downstream-calculated-qos-rate access-request enable
  • Page 266: [26-142] Upstream-Calculated-Qos-Rate

    Use to cause the Max-Clients-Per-Interface attribute to be ignored in Access-Accept messages returned by the RADIUS server. You can control this behavior by enabling or disabling this command. Ignoring the Max-Clients-Per-Interface attribute is enabled by default.
  • Page 267: [26-150] Icr-Partition-Id

    You can configure ICR partition accounting per virtual router.
    Example
    host1(config)#radius icr-partition-accounting enable
    Use the no version to restore the default, disable.
    All IPv6 Accounting Attributes
    Use the following command to manage all IPv6 accounting attributes:
  • Page 268: DHCP-Option 82

    Use the no version to restore the default, disable.
    ANCP-Related Juniper Networks VSAs
    You use the radius include command to specify information about Access Node Control Protocol (ANCP), also known as Layer 2 Control (L2C), that you want to include in the
  • Page 269: Table 44: ANCP (L2C)-Related Keywords for radius include Command

    RADIUS. By default, the router does not include the ANCP-related information provided by the Juniper Networks VSAs in RADIUS messages. These Juniper Networks ANCP-related VSAs are based on definitions in GSMP extensions for layer2 control (L2C) Topology Discovery and Line Configuration—draft-wadhwa-gsmp-l2control-configuration-00.txt (July 2006...
  • Page 270: DSL Forum Vendor-Specific Attributes

    DSL. A service provider might find it useful to enable inclusion of the DSL Forum VSAs in RADIUS messages in order to bill subscribers for different classes of service based on the data rate of their DSL connection.
  • Page 271 NOTE: JunosE Software also supports several Juniper Networks VSAs that you can use to include DSL-related information. See “ANCP-Related Juniper Networks VSAs” on page 230 and “Juniper Networks VSAs” on page 261. The router receives data containing one or more of the DSL Forum VSAs from a DSLAM connected to the router via a PPPoE interface.
  • Page 272: Including or Excluding Attributes in RADIUS Messages

    Use to specify that a RADIUS attribute be ignored or be accepted from Access-Accept messages. Use the enable keyword to specify that the RADIUS client ignore the attribute from the RADIUS server or the disable keyword to use the attribute.
    Examples
  • Page 273 Use the no version to restore the default, enable.
    See radius include
    Related Documentation: To see the list of attributes that the router uses or ignores, see Monitoring Ignored RADIUS Attributes on page 309
  • Page 275: Configuring RADIUS Dynamic-Request Server

    RADIUS servers to centrally manage user sessions. The RADIUS dynamic-request server enables the router to receive the following types of messages from RADIUS servers:
    Disconnect messages—Immediately terminate specific user sessions.
    Change-of-Authorization (CoA) messages—Dynamically modify session authorization attributes, such as data filters.
  • Page 276: RADIUS Dynamic-Request Server Platform Considerations

    RADIUS dynamic-request server is supported on all E Series routers. For information about the modules supported on E Series routers:
    See the ERX Module Guide for modules supported on ERX7xx models, ERX14xx models, and the ERX310 Broadband Services Router.
  • Page 277: RADIUS Dynamic-Request Server References

    User Datagram Protocol (UDP). The Disconnect-Request message sent by the RADIUS server has the same format as the CoA-Request packet that is sent for a change of authorization operation. The disconnect response is either a Disconnect-ACK or a Disconnect-NAK message:
  • Page 278: Supported Error-Cause Codes (RADIUS Attribute 101)

    If the User-Name (1) attribute is also present in the request, the username and session ID are used to perform the disconnection. Authentication, authorization, and accounting (AAA) services handle the actual request.
  • Page 279: Security/Authentication

    CoA messages are used by the E Series router’s RADIUS-initiated packet mirroring feature, which is described in the Configuring RADIUS-Based Mirroring chapter in JunosE Policy Management Configuration Guide, and by Service Manager, which is described in “Configuring Service Manager” on page 633 of this guide.
  • Page 280: Change-of-Authorization Messages

    Some other aspect of the request is invalid, such as if one or more attributes (for example, the packet mirroring Mirror Identifier value) are not formatted properly.
    Session context not found: The session context identified in the request does not exist on the NAS.
  • Page 281: Qualifications for Change of Authorization

    Accounting-Request in RFC 2866. A key (secret), as specified in RFC 2865, must be configured and used in the calculation of the authenticator. The response authenticator is calculated as specified for an Accounting-Response message in RFC 2866.
  • Page 282: Configuring RADIUS-Initiated Change of Authorization

    RADIUS dynamic-request server and the RADIUS server. If no key is specified, the router drops all requests from the RADIUS server.
    Example
    host1(config-radius)#key Secret3Clientkey
    Use the no version to set the default, no Authenticator.
    See key
    radius disconnect client
  • Page 283 NOTE: This command and the RADIUS dynamic-request server feature replace the radius disconnect client command, which may be removed completely in a future release. The RADIUS Disconnect Configuration mode is also deprecated.
    See subscriber disconnect udp-port
  • Page 284: Monitoring RADIUS Dynamic-Request Servers

    To monitor RADIUS dynamic-request servers, see:
    “Setting the Baseline for RADIUS Dynamic-Request Server Statistics” on page 310
    “Monitoring RADIUS Dynamic-Request Server Statistics” on page 310
    “Monitoring the Configuration of the RADIUS Dynamic-Request Server” on page 311
  • Page 285: Configuring RADIUS Relay Server

    Dynamic Host Configuration Protocol (DHCP) local or external server. The RADIUS relay server can also use the RADIUS server or the optional Session and Resource Control (SRC) software (formerly the SDX software), to provide the accounting support.
  • Page 286: RADIUS Relay Server Platform Considerations

    EAP-Message (79) attribute. The RADIUS relay server does not process any of the EAP attributes in the RADIUS Access-Request message; the encrypted message is simply passed through the router to the actual RADIUS server. The RADIUS server must be EAP aware.
  • Page 287: Authentication and Addressing

    The VSA indicates the RADIUS relay server’s IP address. For information about using the SRC software with the RADIUS relay server to provide accounting, see “RADIUS Relay Server and the SRC Software” on page 250.
  • Page 288: Terminating the Wireless Subscriber's Connection

    The second domain is created for the connection between the E Series router and the SRC software. If you want to continue to use the SRC software’s user session and problem-tracking features, you should not configure the SRC software to generate RADIUS accounting
  • Page 289: Configuring RADIUS Relay Server Support

    IP Address       IP Mask           Secret
    -------------    ---------------   ---------
    10.10.15.0       255.255.255.0     secret
    10.10.8.15       255.255.255.255   newsecret
    192.168.25.9     255.255.255.255   mysecret
    192.168.102.5    255.255.255.255   999Y2K
    Udp Port: 1812
    RADIUS Relay Accounting Server Configuration
    --------------------------------------------
    IP Address       IP Mask           Secret
  • Page 290 Use to specify the router’s UDP port on which the RADIUS relay server resides.
    Example
    host1(config-radius-relay)#udp-port 1850
    Use the no version to return to the default, port 1812 for authentication servers or port 1813 for accounting servers.
    See udp-port
  • Page 291: Monitoring RADIUS Relay Server

    To monitor RADIUS relay server, see:
    “Setting the Baseline for RADIUS Dynamic-Request Server Statistics” on page 310
    “Monitoring RADIUS Dynamic-Request Server Statistics” on page 310
    “Monitoring the Configuration of the RADIUS Dynamic-Request Server” on page 311
  • Page 293: RADIUS Attribute Descriptions

    This chapter lists the RADIUS attributes that are supported by JunosE Software. Table 49 on page 255 describes the supported RADIUS IETF attributes. Table 50 on page 262 describes the supported Juniper Networks vendor-specific attributes (VSAs). Table 51 on page 273 describes the DSL Forum VSA formats supported by JunosE Software. Table 52 on page 274 describes RADIUS attributes that are simply passed to their destination by the router.
  • Page 294 <addr>[/<maskLen>] [<nexthop> [<cost>]] [tag <tagValue>] [distance <distValue>]
    [24] State: An arbitrary value that the router includes in new Access-Request packets from the previous Access-Challenge. Applicable for CLI, telnet, or EAP message exchange
  • Page 295 Unique accounting identifier that makes it easy to match start and stop records in a log file. See the radius acct-session-id-format and the radius include acct-session-id access-request commands in “Configuring RADIUS Attributes” on page 167.
  • Page 296 2^32 during the time this service has been provided, and can be present in Accounting-Request records only where the Acct-Status-Type is set to Stop or Interim-Update
    IP subscriber manager—Statistics are reported
    PPP—Statistics are counted according to the rules of the generic interface MIB
  • Page 297 Must be used in any Access-Request, Access-Accept, Access-Reject or Access-Challenge messages that include EAP-Message attributes
    [82] Tunnel-Assignment-Id: Indicates to the tunnel initiator the particular tunnel to which a session is to be assigned
  • Page 298 Name used by the tunnel initiator during the authentication phase of tunnel establishment
    [91] Tunnel-Server-Auth-Id: Name used by the tunnel terminator during the authentication phase of tunnel establishment
    [96] Framed-Interface-Id: IPv6 interface identifier configured by the user
  • Page 299: Juniper Networks VSAs

    Juniper Networks VSAs
    Table 50 on page 262 lists Juniper Networks VSA formats for RADIUS. JunosE Software uses the vendor ID assigned to Juniper Networks (vendor ID 4874) by the Internet Assigned Numbers Authority (IANA).
  • Page 300: Table 50: Juniper Networks (Vendor Id 4874) Vsa Formats

    JunosE 11.3.x Broadband Access Configuration Guide Table 50: Juniper Networks (Vendor ID 4874) VSA Formats Attribute Subtype Number Attribute Name Description Length Length Value [26-1] Virtual-Router Virtual router name for the Broadband sublen string: Remote Access Server (B-RAS) user’s virtual-router-name IP interface.
  • Page 301 Chapter 6: RADIUS Attribute Descriptions Table 50 (continued): [26-10] Ingress-Policy-Name Input policy name to apply to B-RAS user’s sublen string: interface input-policy-name [26-11] Egress-Policy-Name...
  • Page 302 Table 50 (continued): [26-22] Sa-Validate Enable or disable source address sublen integer: 0 = disable, validation on a user’s interface...
  • Page 303 Table 50 (continued): [26-39] Tunnel-Min-Bps Minimum line speed for L2TP dial-out integer [26-40] Tunnel-Max-Bps Maximum line speed for L2TP dial-out...
  • Page 304 Table 50 (continued): [26-56] DHCP-MAC-Address Client’s MAC address sublen string:mac-address [26-57] DHCP-GI-Address DHCP relay agent’s IP address integer:4-octet...
  • Page 305 Table 50 (continued): [26-71] IGMP-Access-Name Access List to use for the group (G) filter sublen string:32-octet [26-72] IGMP-Access-Src-Name Access List to use for the source-group...
  • Page 306 Table 50 (continued): [26-82] Qos-Parameters Name of the QoS parameter instance to sublen string: format is create on the user’s interface, followed by parameter name the value of the parameter.
  • Page 307 Table 50 (continued): [26-92] L2C-Up-Stream-Data Actual upstream rate access loop sublen string: actual parameter (ASCII encoded) as defined in...
  • Page 308 Table 50 (continued): [26-111] Acc-Aggr-Cir-Id-Bin Unique identification of the DSL line sublen integer: 8-octet [26-112] Acc-Aggr-Cir-Id-Asc Identification of the uplink on the access...
  • Page 309 Table 50 (continued): [26-126] Act-Interlv-Delay-Dn Subscriber’s actual one-way downstream integer: 4-octet interleaving delay [26-127] DSL-Line-State State of the DSL line...
  • Page 310 Table 50 (continued): [26-147] Backup-Address-Pool Name of the backup local address pool that sublen string: can be used to assign addresses to users...
  • Page 311: Dsl Forum Vsas

    [26-138] Minimum-Data-Rate- Minimum downstream data rate in low integer: 4-octet Downstream-Low-Power power state configured for the subscriber [26-139] Maximum-Interleaving- Maximum one-way upstream interleaving integer: 4-octet Delay-Upstream delay configured for the subscriber
  • Page 312: Pass Through Radius Attributes

    RFC 2865—Remote Authentication Dial In User Service (RADIUS) (June 2000) RFC 2866—RADIUS Accounting (June 2000) RFC 2867—RADIUS Accounting Modifications for Tunnel Protocol Support (June 2000) RFC 2868—RADIUS Attributes for Tunnel Protocol Support (June 2000) RFC 2869—RADIUS Extensions (June 2000)
  • Page 313 NOTE: IETF drafts are valid for only 6 months from the date of issuance. They must be considered as works in progress. Please refer to the IETF Web site at http://www.ietf.org for the latest drafts.
  • Page 315: Application Terminate Reasons

    Code Description deny address allocation failure user error deny address assignment failure user error deny application error user error deny authentication denied user error deny authentication failure user error deny authorization failure user error
  • Page 316: L2Tp Terminate Reasons

    L2TP terminate reasons and the RADIUS Acct-Terminate-Cause attributes they are mapped to by default. Table 54: Default L2TP Mappings L2TP Terminate Reason RADIUS Acct-Terminate-Cause Code Description session access interface down port error session admin close admin reset
  • Page 332: Ppp Terminate Reasons

    PPP Terminate Reasons Table 55 on page 295 lists the default PPP terminate mappings. The table indicates the supported PPP terminate reasons and the RADIUS Acct-Terminate-Cause attributes they are mapped to by default.
  • Page 333: Table 55: Default Ppp Mappings

  • Page 339: Radius Client Terminate Reasons

    RADIUS client terminate reasons and the RADIUS Acct-Terminate-Cause attributes they are mapped to by default. Table 56: Default RADIUS Client Mappings RADIUS Client Terminate Reason RADIUS Acct-Terminate-Cause Code Description no-acct-server nas request system-reboot nas request virtual-router-deletion nas request
  • Page 341: Monitoring Radius

    Monitoring the Status of ICR Partition Accounting on page 315 Monitoring Override Settings of RADIUS IETF Attributes Purpose Display the current override setting for RADIUS IETF attributes. You can monitor the NAS-IP-Address [4], NAS-Port-Id [87], Calling-Station-Id [31], and NAS-Identifier [32] attributes.
  • Page 342: Monitoring The Nas-Port-Format Radius Attribute

    Display information for the NAS-Port attribute. Action To display the setting for the NAS-Port attribute: host1#show radius nas-port-format 0ssssppp To display information about the NAS-Port attribute on an ATM interface on an E320 Broadband Services Router:
  • Page 343: Monitoring The Calling-Station-Id Radius Attribute

    To display information about the NAS-Identifier value: host1#show radius nas-identifier Related Documentation: show radius nas-identifier Monitoring the Format of the Remote-Circuit-ID for RADIUS Purpose Display the format configured for the PPPoE remote circuit ID value captured from a DSLAM.
  • Page 344: Monitoring The Delimiter Character In The Remote-Circuit-Id For Radius

    Monitoring the DSL-Port-Type RADIUS Attribute Purpose Display the DSL port type for NAS-Port-Type attribute for ATM and Ethernet users. Action To display the DSL port type for NAS-Port-Type attribute for ATM users: host1#show radius dsl-port-type xdsl
  • Page 345: Monitoring The Connect-Info Radius Attribute

    Stop -------------------------- ------- ------- -------- -------- -------- acct-authentic enabled enabled acct-delay-time enabled enabled acct-link-count enabled enabled acct-multi-session-id disabled enabled enabled acct-session-id enabled enabled enabled acct-terminate-cause enabled acct-tunnel-connection enabled enabled enabled ascend-num-in-multilink disabled disabled disabled
  • Page 347: Monitoring Ignored Radius Attributes

    (vsa) accepted from RADIUS server attribute atm-mbs (vsa) accepted from RADIUS server attribute atm-pcr (vsa) accepted from RADIUS server attribute atm-scr (vsa) accepted from RADIUS server attribute egress-policy-name (vsa) accepted from RADIUS server
  • Page 348: Setting The Baseline For Radius Dynamic-Request Server Statistics

    CoA Rejects CoA No Session ID CoA Bad Authenticators CoA Packets Dropped No Secret Unknown Request Invalid Addresses Received Meaning Table 59 on page 311 lists the show radius dynamic-request statistics command output fields.
  • Page 349: Monitoring The Configuration Of The Radius Dynamic-Request Server

    To display the configuration of the RADIUS dynamic-request server: host1#show radius dynamic-request servers RADIUS Request Configuration ---------------------------- Change IP Address Port Disconnect Authorization Secret ------------- ---- ---------- ------------- ------ 192.168.2.3 1700 disabled disabled <NULL> 10.10.120.104 1700 disabled disabled mysecret
  • Page 350: Setting A Baseline For Radius Relay Statistics

    To show RADIUS relay server statistics that were baselined: host1#show radius relay statistics delta RADIUS Relay Authentication Server Statistics --------------------------------------------- Statistic Total ------------------ ----- Access Requests 1000 Access Accepts 1000 Access Challenges Access Rejects Pending Requests
  • Page 351: Table 61: Show Radius Relay Statistics Output Fields

    Bad Authenticators Authenticator in the response is incorrect for the matching request; can occur if the secret for the RADIUS relay server and the WAP does not match Unknown Requests Packets received from nonconfigured clients
  • Page 352: Monitoring The Configuration Of The Radius Relay Server

    Table 62: show radius relay servers Output Fields Field Name Field Description IP Address Address of the RADIUS relay server IP Mask Mask of the RADIUS relay server Secret Secret used for exchanges between the RADIUS relay server and client
  • Page 353: Monitoring The Status Of Radius Relay Udp Checksums

    Display the status of ICR partition accounting. Action To display the status of ICR partition accounting: host1#show radius icr-partition-accounting enabled Meaning ICR partition accounting status is either enabled or disabled. Related Documentation: show radius icr-partition-accounting
  • Page 355: Configuring Tacacs

    TACACS+ provides security by encrypting all traffic between the NAS and the process. Encryption relies on a secret key that is known to both the client and the TACACS+ process. Table 64 on page 318 describes terms that are frequently used in this chapter.
  • Page 356: Aaa Overview

    TACACS+ sets up a TCP connection to the TACACS+ host and sends a Start packet. The TACACS+ host responds with a Reply packet, which either grants or denies access, reports an error, or challenges the user.
  • Page 357: Privilege Authentication

    TACACS+ accounting is disabled. Default method list—Configuration used by consoles and lines when no named method list is assigned. You enable TACACS+ accounting by defining default accounting method lists for each service type.
  • Page 358: Table 65: Tacacs+ Accounting Information

    Name of user running the Exec session or CLI command port Packet body NAS port used by the Exec session or CLI command rem-addr Packet body User’s remote location; either an IP address or the caller service User’s primary service: Shell
  • Page 359: Tacacs+ Platform Considerations

    Web site at http://www.ietf.org for the latest drafts. Before You Configure TACACS+ Before you begin to configure TACACS+, you must determine the following for the TACACS+ authentication and accounting servers: IP addresses TCP port numbers Secret keys
  • Page 360: Configuring Tacacs+ Support

    Apply an authentication list to the vty lines you specified on your router. host1(config-line)#login authentication tac Configuring Accounting Once TACACS+ support is enabled on the router, you can configure TACACS+ accounting. Perform the following steps:
  • Page 361 Specify stop-only to send a stop accounting notice at the end of a process and tacacs+ as the accounting protocol. Example host1(config)#aaa accounting commands 12 listX stop-only tacacs+ Use the no version to delete the accounting method list. See aaa accounting commands aaa accounting exec
  • Page 362 If the authentication method list is empty, the local enable password is used. Example host1(config)#aaa authentication enable default tacacs+ radius Use the no version to empty the list. See aaa authentication enable default aaa authentication login
  • Page 363 If you specify AAA new model and you do not create an authentication list, users will not be able to access the router through a vty line. Example host1(config)#aaa new-model Use the no version to restore simple authentication (login and password). See aaa new-model accounting
  • Page 364 Use to add or delete a host to or from the list of TACACS+ servers. You can optionally specify a nondefault port number, a host-specific key, a single connection and a timeout interval. Use the primary keyword to assign the host as the primary host.
  • Page 365 TACACS+ servers that do not have a server-specific timeout set up by tacacs-server host command. The timeout interval is between 1 and 300. The default is 5 seconds. Example
  • Page 366 host1(config)#tacacs-server timeout 15 Use the no version to reset the timeout to the default. See tacacs-server timeout
  • Page 367: Monitoring Tacacs

    To display TACACS+ statistics: host1#show statistics tacacs TACACSPLUS Statistics --------------------- Statistic 10.5.0.174 10.5.1.199 --------------- ---------- ---------- Search Order TCP Port 3049 4049 Auth Requests Auth Replies Auth Pending Auth Timeouts Author Requests 6399 Author Replies 6301
  • Page 368: Table 66: Show Statistics Tacacs Output Fields

    Number of accounting replies received from the host Acct Pending Number of expected but not received accounting replies from the host Acct Timeouts Number of accounting timeouts for the host Related Documentation: show statistics tacacs
  • Page 369: Monitoring Tacacs+ Information

    This IP address’s primary host; options: y = yes, n = Authentication and encryption key for this IP address Search Order The order in which requests are sent to hosts until a response is received
  • Page 370 Related Documentation: show tacacs
  • Page 371: Managing L2Tp

    Configuring an L2TP LAC on page 343 Configuring an L2TP LNS on page 373 Configuring L2TP Dial-Out on page 409 L2TP Disconnect Cause Codes on page 421 Monitoring L2TP and L2TP Dial-Out on page 425
  • Page 373: L2Tp Overview

    Layer 2 Tunneling Protocol (L2TP) is a client-server protocol that allows Point-to-Point Protocol (PPP) to be tunneled across a network. This chapter includes the following topics that provide information for configuring L2TP on the Juniper Networks E Series Broadband Services Routers.
  • Page 374: L2Tp Terminology

    L2TP network server (LNS)—a node that acts as one side of an L2TP tunnel endpoint and is a peer to the LAC. An LNS is the logical termination point of a PPP connection that is being tunneled from the remote system by the LAC.
  • Page 375: Implementing L2Tp

    The client initiates a PPP connection with the router. The router and the client exchange Link Control Protocol (LCP) packets. For details about negotiating PPP connections, see the Configuring Point-to-Point Protocol chapter in JunosE Link Layer Configuration Guide.
  • Page 376: Sequence Of Events On The Lns

    The E Series PPP processes the proxy authentication data, if it is present, and passes the data to AAA for verification. (If the data is not present, E Series PPP requests the data from the remote system.) The router passes the authentication results to the remote system.
  • Page 377: Packet Fragmentation

    For information about modules that support LNS and LAC on the ERX7xx models, ERX14xx models, and the ERX310 Broadband Services Router: See ERX Module Guide, Table 1, ERX Module Combinations for detailed module specifications.
  • Page 378: L2Tp Module Requirements

    ES2 4G LM and the ES2 require the ES2-S1 Service IOA to condition it to receive and transmit data to other line modules. The ES2-S1 Service IOA also does not have ingress or egress ports.
  • Page 379: Sessions And Tunnels Supported

    60,000. The show license l2tp-session command also still appears in the CLI. To obtain the maximum number of ingress and egress policy attachments supported for L2TP sessions, see JunosE Release Notes, Appendix A, System Maximums.
  • Page 380: L2Tp References

    For information about how to secure Layer 2 Tunneling Protocol (L2TP) tunnels with IP Security (IPSec) on your E Series router, see the Securing L2TP and IP Tunnels with IPSec chapter in JunosE IP Services Configuration Guide.
  • Page 381: Configuring An L2Tp Lac

    Managing Address Changes Received from Remote Endpoints on page 368 Configuring LAC Tunnel Selection Parameters on page 369 LAC Configuration Prerequisites Before you begin configuring the router as a LAC, perform the following steps: Create a virtual router. host1(config)#virtual-router west
  • Page 382 NOTE: The previous two operations also apply to an LNS, however there is no default configuration that enables the LNS. When the router is established as an LAC or LNS and is creating destinations, tunnels, and sessions, you can manage them as follows:
  • Page 383: Generating Udp Checksums In Packets To L2Tp Peers

    10G ADV LM. If an ES2 10G LM or an ES2 10G ADV LM is present when L2TP checksum is enabled, the checksum is not calculated and its value is set to zero. Related Documentation: l2tp checksum
  • Page 384: Specifying A Destruct Timeout For L2Tp Tunnels And Sessions

    The l2tp drain command and the l2tp shutdown command both affect the administrative state of L2TP on the router. Although each command has a different effect, the no version of each command is equivalent. Each command’s no version leaves L2TP in the enabled state.
  • Page 385: Preventing Creation Of New Tunnels And Sessions At A Destination

    You can specify the following shut down methods, which also prevent the creation of new tunnels: Closing Existing and Preventing New Destinations, Tunnels, and Sessions on the Router on page 348 Closing Existing and Preventing New Tunnels and Sessions for a Destination on page 348
  • Page 386: On The Router

    To close all existing sessions in a specific tunnel and prevent creation of new sessions: host1(config)#l2tp shutdown tunnel 1/isp.com Closing a Specific Session You use the l2tp shutdown session command to close the specified session. To close a specific session: host1(config)#l2tp shutdown session 1/1/1
  • Page 387: Specifying The Number Of Retransmission Attempts

    <interface ID> <delimit> <UID> <delimit> <interface description> <delimit> <connect info> <delimit> <PPPoE description> <delimit> <agent-circuit-id> descriptive include-agent-circuit-id include-agent-remote-id—This format includes the following elements: <interface ID> <delimit> <UID> <delimit> <interface description> <delimit> <connect info> <delimit> <PPPoE description> <delimit> <agent-circuit-id> <delimit> <agent-remote-id>
  • Page 388 E120 router or the lower IOA bay on the E320 router). For ERX7xx models, ERX14xx models, and ERX310 Broadband Services Routers, which do not use IOAs, adapter is always shown as 0.
  • Page 389 Format for serial interfaces: systemName (up to 4 bytes) slot (2 bytes) adapter (1 byte) port (2 bytes) 0 (8 bytes) Slot numbers 0 through 16 are shown as integers in the 2-byte slot field.
  • Page 390 The S-VLAN ID field in the Calling Number AVP is set to 0 (zero) if you do not specify the optional stacked keyword, or if you specify the optional stacked keyword but the Ethernet interface does not have an S-VLAN ID.
  • Page 391: Calling Number Avp 22 Configuration Tasks

    The calling number format determines what element triggers use of the fallback format, as shown in the following table: Calling Number Format Fallback Trigger agent-circuit-id agent-circuit-id is empty
  • Page 392 AVP to use a fixed format of up to 15 characters consisting of all ASCII fields with a 1-byte slot field, 1-byte adapter field, and 1-byte port field:
  • Page 393 For example, when you configure this fallback format on an E320 router for an ATM interface on system name eastern, slot 14, adapter 1, port 2, VCI 3, and VPI 4, the virtual router displays the format in ASCII as ‘E’ ‘1’ ‘2’ ‘003’ ‘00004’.
  • Page 394 Fallback format for Ethernet interfaces that use fixed-adapter-embedded: systemName (up to 4 bytes) slot (1 byte) adapter (1 byte) port (1 byte) S-VLAN (4 bytes) VLAN (4 bytes) Fallback format for Ethernet interfaces that use fixed-adapter-new-field:
  • Page 395: Disabling The Calling Number Avp

    L2TP AVP 22 and specify that the fixed format is used when both PPPoE agent-circuit-id and agent-remote-id are unavailable, issue the following commands: host1(config)#radius calling-station-format fixed-format host1(config)#radius remote-circuit-id-delimiter # host1(config)#radius override calling-station-id remote-circuit-id host1(config)#radius remote-circuit-id-format agent-circuit-id agent-remote-id
  • Page 396: Mapping A User Domain Name To An L2Tp Tunnel Overview

    To map a domain to an L2TP tunnel locally on the router from Domain Map Tunnel mode, perform the following steps: Specify a domain name and enter Domain Map Configuration mode: host1(config)#aaa domain-map westford.com host1(config-domain-map)# Specify a virtual router; in this case, the default router is specified.
  • Page 397 Otherwise, the tunnel is terminated. The server name can be up to 64 characters (no spaces). host1(config-domain-map-tunnel)#server-name boston (Optional) Specify a source IP address for the LAC tunnel endpoint. All L2TP packets sent to the peer use this source address. host1(config-domain-map-tunnel)#source-address 192.0.3.3
  • Page 398 When enabled, the attribute is supplied by the tunnel peer. When disabled, the attribute is not supplied. Use the no version of the command to restore the default, enable. host1(config)#aaa tunnel ignore nas-port enable host1(config)#aaa tunnel ignore nas-port-type disable
  • Page 399: Mapping User Domain Names To L2Tp Tunnels From Tunnel Group Tunnel

    Tunnel calling number format is descriptive Related Documentation: Mapping User Domain Names to L2TP Tunnels from Tunnel Group Tunnel Mode on page 362; aaa domain-map; aaa tunnel assignment-id-format; aaa tunnel client-name; aaa tunnel ignore; aaa tunnel password
  • Page 400: Mode

    You can specify up to eight levels of preference, and you can assign the same preference to a maximum of 31 tunnels. When you define multiple preferences for a destination, you increase the probability of a successful connection. host1(config-tunnel-group-tunnel)#preference 5
  • Page 401 Specify a medium type for the tunnel. (L2TP supports only IP version 4 [IPv4].) host1(config-tunnel-group-tunnel)#medium ipv4 Specify the L2TP tunnel type (RADIUS attribute 64, Tunnel-Type). Currently, the only supported value is L2TP. host1(config-tunnel-group-tunnel)#type l2tp Verify the L2TP tunnel configuration.
  • Page 402: Configuring The Rx Speed On The Lac

    38. If you do not specify this command, the RX Speed AVP is generated only when the RX speed differs from the TX speed. The AVPs can be used to generate the RADIUS Connect-Info attribute [77] on the LNS.
  • Page 403: Managing The L2Tp Destination Lockout Process

    If no such tunnel currently exists, L2TP must wait until it receives a new session request that has tunnel parameters for the locked out destination. The destination remains locked out while L2TP waits for the tunnel parameters and becomes available
  • Page 404: Figure 9: Lockout States

    Use the show l2tp and show l2tp destination lockout commands to view information about the L2TP configuration and statistics.
  • Page 405: Verifying That A Locked-Out Destination Is Available

    Any remaining lockout time and the lockout test setting (if configured) are not taken into account. You must be at privilege level 10 or higher to use this command. To unlock a currently locked-out destination: host1(config)#l2tp unlock destination ip 192.168.1.98
  • Page 406: Starting An Immediate Lockout Test

    The router accepts a change in receive address only once, during the tunnel establishment phase, and only on an SCCRP packet. Subsequent changes result in the router dropping packets. Any changes do not affect established tunnels.
  • Page 407: Configuring Lac Tunnel Selection Parameters

    If all destinations at a preference level are marked as unreachable, the router chooses the destination that failed first and tries to make a connection. The key is to understand that the router chooses a single destination at each level of preference, even if all
  • Page 408: Configuring The Failover Within A Preference Level Method

    C and D at preference 1 When the router attempts to connect to the domain, suppose it randomly selects tunnel B from preference 0. If it fails to connect to tunnel B, the router excludes tunnel B for five
  • Page 409: Configuring The Maximum Sessions Per Tunnel

    The router uses a round-robin tunnel selection method by default. To configure the router to base tunnel selection within a preference level on the maximum sessions per tunnel. host1(config)#l2tp weighted-load-balancing
  • Page 411: Configuring An L2Tp Lns

    Configuring the Transmit Connect Speed Calculation Method on page 397 PPP Accounting Statistics on page 405 Stateful Line Module Switchover for LNS Sessions on page 406 LNS Configuration Prerequisites Before you begin configuring the router as an LNS, perform the following steps:
  • Page 412: Configuring An Lns

    An L2TP host profile—Defines the attributes used when communicating with an LAC NOTE: If you remove a destination profile or modify attributes of a host profile, all tunnels and sessions using the profile will be dropped.
  • Page 413 (Optional) Specify that the LNS override out-of-resource result codes 4 and 5 with code 2 for interoperation with third-party implementations that do not support codes 4 and 5. host1:boston(config-l2tp-dest-profile-host)#session-out-of-resource-result-code-override
  • Page 414 Selecting Service Modules for LNS Sessions Using MLPPP on page 380 bundled-group-id bundled-group-id-overrides-mlppp-ed default-upper-type mlppp command disable proxy lcp enable proxy authenticate l2tp destination profile local host local ip address command max-sessions radius connect-info-format remote host session-out-of-resource-result-code-override tunnel password
  • Page 415: Creating An L2Tp Destination Profile

    The remote hostname is matched against the hostname AVP in the received Start-Control-Connection-Request (SCCRQ). The remote hostname can be up to 64 characters (no spaces). Example host1:boston(config)#l2tp destination profile boston1 ip address 192.168.76.12 host1:boston(config-l2tp-dest-profile)#remote host default
  • Page 416: Configuring The Maximum Number Of Lns Sessions

    10.10.21.2
    host1(config-l2tp-destination-profile)#max-sessions 20000
    To set the maximum number of sessions allowed for the specified host, use the max-sessions command in L2TP Destination Profile Host Configuration mode:
    host1(config-l2tp-destination-profile)#remote host default
    host1(config-l2tp-destination-profile-host)#max-sessions 20000
    Related Documentation: max-sessions
  • Page 417: Configuring The Radius Connect-Info Attribute On The Lns

    5—Call failed due to lack of appropriate facilities being available (permanent condition)
    The following sections describe how to override the result codes and how to display the current code values.
    Overriding the Result Codes on page 380
    Displaying the Current Override Setting on page 380
  • Page 418: Overriding The Result Codes

    SM where it places the first bundled session for an MLPPP bundle, the router uses a load-balancing mechanism. After the router determines the appropriate SM, it places all sessions for the same bundle on the same SM. By default, the router determines
  • Page 419: Assigning Bundled Group Identifiers

    SM.
    NOTE: We recommend that you assign bundled group identifiers only when you are certain that endpoint discriminators are unavailable to identify bundle membership.
    To assign a numeric bundled group identifier:
  • Page 420: Overriding All Endpoint Discriminators

    NOTE: Each individual L2TP session involved in tunnel switching is counted toward the maximum number of sessions supported on an E Series router.
    To enable tunnel switching:
    host1(config)#l2tp tunnel-switching
    Related Documentation: l2tp tunnel-switching
  • Page 421: Creating Persistent Tunnels

    Configure how many times the router retries a transmission if the initial attempt is unsuccessful.
    Related Documentation:
    Generating UDP Checksums in Packets to L2TP Peers on page 345
    Specifying a Destruct Timeout for L2TP Tunnels and Sessions on page 346
  • Page 422: Configuring Disconnect Cause Information

    E Series LNS generate PPP Disconnect Cause Code AVPs. This command pertains only to L2TP sessions to which the L2TP destination host profile applies. The AVP is included in all L2TP CDN messages that the LNS sends to an LAC for covered sessions.
  • Page 423: Enabling Radius Accounting For Disconnect Cause

    LNS by using the l2tp tunnel default-receive-window command (in Global Configuration mode). Configure the RWS for a tunnel on the LAC by using either the receive-window command (in Domain Map Tunnel Configuration mode) or by including the
  • Page 424: Configuring The Default Receive Window Size

    Use the receive-window command to configure the L2TP RWS for a tunnel on the LAC. Use the no version of the command to revert to the systemwide RWS setting configured with the l2tp tunnel default-receive-window command.
  • Page 425: Configuring The Receive Window Size On The Lns

    Use the no version of the command to revert to the systemwide RWS setting configured with the l2tp tunnel default-receive-window command.
    To configure the RWS for a tunnel on the LNS:
    Access L2TP Destination Profile Host Configuration mode. For example:
    host1(config)#virtual-router fms02
  • Page 426: Configuring Peer Resynchronization

    You can configure L2TP to use the failover protocol method as the primary peer resynchronization method, but then fall back to the silent failover method if the peer does not support the failover protocol method.
  • Page 427: Configuring Peer Resynchronization For L2Tp Host Profiles And Aaa Domain

    L2TP failover protocol method; however, if the non-failed peer endpoint does not support the L2TP failover protocol method, the tunnel falls back to using the silent failover method.
  • Page 428: Configuring The Global L2Tp Peer Resynchronization Method

    Choose one of the following keywords to specify the peer resynchronization method. All tunnels in the chassis use the specified method unless it is overridden by an L2TP host profile configuration or an AAA domain map configuration.
  • Page 429: Using Radius To Configure Peer Resynchronization

    Attribute Number: [26-90]
    Attribute Name: L2TP-Resynch-Method
    Description: L2TP peer resynchronization method
    Value: integer; 0 = disabled, 1 = failover protocol, 2 = silent failover, 3 = failover protocol with silent failover as backup
  • Page 430: Configuring L2Tp Tunnel Switch Profiles

    In some cases, attributes configured in a tunnel switch profile take precedence over similar attributes configured globally on the router. For example, configuring L2TP Calling Number AVP 22 for relay overrides the l2tp disable calling-number-avp command issued from Global Configuration mode to
  • Page 431: Configuring L2Tp Avps For Relay

    To apply a default tunnel switch profile to a virtual router, use the aaa tunnel switch-profile command from Global Configuration mode. For details, see “Applying Default L2TP Tunnel Switch Profiles” on page 396. The following sections describe how to perform each of these tasks.
  • Page 432: Enabling Tunnel Switching On The Router

    2 L2TP tunnel switch profiles found
    host1(config-l2tp-tunnel-switch-profile)# run show l2tp switch-profile concord
    L2TP tunnel switch profile concord
    AVP bearer type action is relay
    AVP calling number action is relay
    AVP Cisco nas port info action is relay
  • Page 433: Applying L2Tp Tunnel Switch Profiles By Using Aaa Domain Maps

    Group Tunnel Configuration mode, see “Mapping a User Domain Name to an L2TP Tunnel Overview” on page 358. From Tunnel Group Tunnel Configuration mode, issue the switch-profile command to apply the specified L2TP switch profile to the sessions associated with this tunnel group.
    host1(config-tunnel-group-tunnel)#switch-profile sanjose
  • Page 434: Applying Default L2Tp Tunnel Switch Profiles

    Tunnel password is <NULL>
    Tunnel client-name is <NULL>
    Tunnel nas-port-method is none
    Tunnel switch-profile is boston
    Tunnel nas-port ignore disabled
    Tunnel nas-port-type ignore disabled
    Tunnel assignmentId format is assignmentId
    Tunnel calling number format is descriptive
  • Page 435: Applying L2Tp Tunnel Switch Profiles By Using Radius

    Global Configuration mode. The router uses the calculation method specified with this command if the tunnel attributes returned from an AAA domain map, an AAA tunnel group, or a RADIUS authentication server do not include the
  • Page 436: Transmit Connect Speed Calculation Methods

    Tunnel Parameters to Configure the Transmit Connect Speed Calculation Method” on page 403.
    RADIUS: Include the Tunnel-Tx-Speed-Method RADIUS attribute (Juniper Networks VSA 26-94) in RADIUS Access-Accept messages. For instructions, see “Using AAA Default Tunnel Parameters to Configure the Transmit Connect Speed Calculation Method”...
  • Page 437: Dynamic Layer 2

    OC3/STM1 ATM IOA. The configuration has the following characteristics:
    There is no explicit static configuration for the layer 2 (ATM 1483) interface.
    A transmit connect speed of 10 Mbps is provided dynamically from a RADIUS authentication server when the subscriber logs in.
  • Page 438: Example 2: L2Tp Session Over Ethernet Vlan Interface

    VLAN subinterface.
    Dynamic layer 2: 100 Mbps. L2TP reports the static layer 2 value because the dynamic layer 2 setting does not apply to a VLAN subinterface.
  • Page 439: Transmit Connect Speed Reporting Considerations

    Map Tunnel Configuration mode, see “Mapping a User Domain Name to an L2TP Tunnel Overview” on page 358. From Domain Map Tunnel Configuration mode, configure the calculation method for the transmit connect speed of the subscriber’s access interface.
  • Page 440: Using Aaa Tunnel Groups To Configure The Transmit Connect Speed Calculation Method

    -------- ------ ------
    <null> <null> l2tp ipv4 <null> <null> <null>
    Tunnel Tunnel Tunnel Tunnel Server Tunnel Virtual
    Name Preference Sessions Tunnel RWS Router
    ------ ------ ---------- -------- -------------- -------
    <null> 2000 system chooses <null>
  • Page 441: Using Aaa Default Tunnel Parameters To Configure The Transmit Connect Speed Calculation Method

    “Using AAA Tunnel Groups to Configure the Transmit Connect Speed Calculation Method” on page 402:
    static-layer2
    dynamic-layer2
    actual
    (Optional) Use the show aaa tunnel-parameters command to verify configuration of the transmit connect speed calculation method.
  • Page 442: Method

    To use RADIUS to configure the transmit connect speed calculation method for a subscriber’s access interface, you can configure RADIUS to include the Tunnel-Tx-Speed-Method RADIUS attribute (Juniper Networks VSA 26-94) in RADIUS Access-Accept messages. Table 72 on page 404 describes the Tunnel-Tx-Speed-Method RADIUS attribute. For more information about RADIUS Access-Accept messages, see “Configuring RADIUS Attributes”...
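    Both L2TP-Resynch-Method (Juniper VSA 26-90, whose integer values are listed under page 429 above) and Tunnel-Tx-Speed-Method (Juniper VSA 26-94) travel inside the standard RADIUS Vendor-Specific attribute (type 26). The Python below is an added example, not code from the JunosE guide or from Juniper: it builds such an attribute for an Access-Accept and parses an attribute list back, validating every length field so a malformed reply cannot be misread. It assumes Juniper's IANA enterprise number 2636 and the usual 4-byte big-endian integer encoding; the sample attribute list is constructed here, and because this page does not give the 26-94 value mapping only its vendor type is defined.

```python
"""Encode and decode Juniper Networks RADIUS vendor-specific attributes (VSAs).

Added example, not part of the JunosE guide. RADIUS attribute 26 (Vendor-Specific)
carries: type(1) length(1) vendor-id(4) vendor-type(1) vendor-length(1) value.
Juniper's IANA enterprise number is 2636 (assumed here, not stated on the page).
The L2TP-Resynch-Method values (VSA 26-90) come from the guide; integer VSAs use
the standard 4-byte big-endian RADIUS integer encoding.
"""
import struct

JUNIPER_VENDOR_ID = 2636
VSA_L2TP_RESYNCH_METHOD = 90       # Juniper VSA 26-90
VSA_TUNNEL_TX_SPEED_METHOD = 94    # Juniper VSA 26-94 (value mapping is in Table 72, not on this page)

L2TP_RESYNCH_METHOD = {
    0: "disabled",
    1: "failover protocol",
    2: "silent failover",
    3: "failover protocol with silent failover as backup",
}


def encode_juniper_int_vsa(vendor_type: int, value: int) -> bytes:
    """Return a complete RADIUS attribute (type 26) carrying one Juniper integer VSA."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("RADIUS integer values are 32-bit unsigned")
    # vendor-type, vendor-length (2 header bytes + 4 value bytes), value
    vsa_body = struct.pack("!BBI", vendor_type, 6, value)
    # type 26, length (2 header bytes + 4 vendor-id bytes + body), vendor-id
    return struct.pack("!BBI", 26, 2 + 4 + len(vsa_body), JUNIPER_VENDOR_ID) + vsa_body


def iter_attributes(packet_attrs: bytes):
    """Yield (type, value) pairs from a RADIUS attribute list, rejecting bad lengths."""
    i = 0
    while i < len(packet_attrs):
        if i + 2 > len(packet_attrs):
            raise ValueError("truncated attribute header")
        atype, alen = packet_attrs[i], packet_attrs[i + 1]
        if alen < 2 or i + alen > len(packet_attrs):
            raise ValueError("bad attribute length")
        yield atype, packet_attrs[i + 2:i + alen]
        i += alen


def decode_juniper_vsas(packet_attrs: bytes) -> dict:
    """Return {vendor_type: int_value} for every Juniper integer VSA in the list."""
    found = {}
    for atype, val in iter_attributes(packet_attrs):
        if atype != 26 or len(val) < 6:
            continue
        if struct.unpack("!I", val[:4])[0] != JUNIPER_VENDOR_ID:
            continue
        body = val[4:]
        while len(body) >= 2:              # several VSAs may share one attribute 26
            vtype, vlen = body[0], body[1]
            if vlen < 2 or vlen > len(body):
                raise ValueError("bad vendor-length")
            if vlen == 6:                  # integer-valued VSA
                found[vtype] = struct.unpack("!I", body[2:6])[0]
            body = body[vlen:]
    return found


def resynch_method_from_access_accept(packet_attrs: bytes) -> str:
    """Map the L2TP-Resynch-Method VSA in an Access-Accept to its meaning."""
    code = decode_juniper_vsas(packet_attrs).get(VSA_L2TP_RESYNCH_METHOD)
    if code is None:
        return "not set"
    return L2TP_RESYNCH_METHOD.get(code, f"unknown ({code})")


# Constructed sample attribute list: Service-Type (6) = Outbound (5), then
# L2TP-Resynch-Method = 3 (failover protocol with silent failover as backup).
SAMPLE_ATTRS = struct.pack("!BBI", 6, 6, 5) + encode_juniper_int_vsa(VSA_L2TP_RESYNCH_METHOD, 3)

if __name__ == "__main__":
    print(SAMPLE_ATTRS.hex())
    print(resynch_method_from_access_accept(SAMPLE_ATTRS))
```

    The decoder walks nested vendor-lengths as well as outer lengths; a reply whose vendor-length overruns the attribute raises instead of silently reading the next attribute's bytes as a value.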
  • Page 443: Ppp Accounting Statistics

    PPP LCP terminate-request or terminate-acknowledgement packets from the client or LNS when PPP initiates termination of the session
    If present, the two PPP header bytes (Address Field 0xFF and Control Field 0x03) as part of the L2TP payload
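    To make the two accounting items above concrete in the wire format, the following Python is an added example, not from the guide: it parses RFC 2661 L2TP data messages, detects the optional 0xFF 0x03 PPP Address/Control bytes at the start of the L2TP payload, flags LCP Terminate-Request and Terminate-Ack packets, and tallies per-session octets both with and without those two header bytes so that counters taken from different devices can be reconciled. The tunnel and session IDs and the two sample messages are constructed.

```python
"""Parse L2TP data messages (RFC 2661) and classify the PPP payload for accounting.

Added example, not from the JunosE guide. Header layout: flags/version (2),
[length (2) if L], tunnel id (2), session id (2), [Ns, Nr (2+2) if S],
[offset size (2) + pad if O], then the PPP frame. The PPP frame may begin with the
Address/Control bytes 0xFF 0x03; the protocol field follows (LCP is 0xC021, and
LCP codes 5 and 6 are Terminate-Request and Terminate-Ack). Samples are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Optional

PPP_ADDRESS, PPP_CONTROL = 0xFF, 0x03
PPP_PROTO_LCP = 0xC021
LCP_TERMINATE_REQUEST, LCP_TERMINATE_ACK = 5, 6


@dataclass
class L2tpDataMessage:
    tunnel_id: int
    session_id: int
    ns: Optional[int]
    nr: Optional[int]
    ppp_payload: bytes           # the PPP frame exactly as carried in the L2TP payload
    has_ppp_header: bool         # True when the payload starts with FF 03
    ppp_protocol: int
    lcp_code: Optional[int]      # set only for LCP packets

    @property
    def payload_octets(self) -> int:
        return len(self.ppp_payload)

    @property
    def payload_octets_without_header(self) -> int:
        return len(self.ppp_payload) - (2 if self.has_ppp_header else 0)

    @property
    def is_lcp_terminate(self) -> bool:
        return (self.ppp_protocol == PPP_PROTO_LCP
                and self.lcp_code in (LCP_TERMINATE_REQUEST, LCP_TERMINATE_ACK))


def parse_l2tp_data(msg: bytes) -> L2tpDataMessage:
    if len(msg) < 6:
        raise ValueError("short L2TP header")
    flags = struct.unpack("!H", msg[:2])[0]
    if flags & 0x8000:
        raise ValueError("control message, not data")
    if (flags & 0x000F) != 2:
        raise ValueError("unsupported L2TP version")
    l_bit, s_bit, o_bit = flags & 0x4000, flags & 0x0800, flags & 0x0200
    pos = 2
    if l_bit:
        total_len = struct.unpack("!H", msg[pos:pos + 2])[0]
        if total_len > len(msg):
            raise ValueError("length field exceeds message")
        msg = msg[:total_len]            # trailing bytes beyond Length are not payload
        pos += 2
    tunnel_id, session_id = struct.unpack("!HH", msg[pos:pos + 4])
    pos += 4
    ns = nr = None
    if s_bit:
        ns, nr = struct.unpack("!HH", msg[pos:pos + 4])
        pos += 4
    if o_bit:
        offset = struct.unpack("!H", msg[pos:pos + 2])[0]
        pos += 2 + offset
    payload = msg[pos:]
    if len(payload) < 2:
        raise ValueError("empty PPP payload")
    has_hdr = payload[0] == PPP_ADDRESS and payload[1] == PPP_CONTROL
    p = 2 if has_hdr else 0
    if len(payload) < p + 2:
        raise ValueError("truncated PPP protocol field")
    proto = struct.unpack("!H", payload[p:p + 2])[0]
    lcp_code = payload[p + 2] if proto == PPP_PROTO_LCP and len(payload) > p + 2 else None
    return L2tpDataMessage(tunnel_id, session_id, ns, nr, payload, has_hdr, proto, lcp_code)


def build_l2tp_data(tunnel_id: int, session_id: int, ppp: bytes) -> bytes:
    """Build a data message with the L bit set and no sequencing or offset."""
    body = struct.pack("!HH", tunnel_id, session_id) + ppp
    return struct.pack("!HH", 0x4002, 4 + len(body)) + body


# Constructed samples: an IPv4 packet carried with the FF 03 header present, and an
# LCP Terminate-Request (code 5, id 1, length 4) carried without it.
SAMPLE_IP_WITH_HEADER = build_l2tp_data(7, 25959, bytes([0xFF, 0x03, 0x00, 0x21, 0x45]) + b"\x00" * 19)
SAMPLE_LCP_TERM_REQ = build_l2tp_data(7, 25959, struct.pack("!HBBH", PPP_PROTO_LCP, LCP_TERMINATE_REQUEST, 1, 4))


def account(messages) -> dict:
    """Tally octets two ways and count LCP terminate packets, keyed by (tunnel, session)."""
    totals = {}
    for raw in messages:
        m = parse_l2tp_data(raw)
        t = totals.setdefault((m.tunnel_id, m.session_id),
                              {"octets": 0, "octets_no_ppp_hdr": 0, "lcp_terminates": 0})
        t["octets"] += m.payload_octets
        t["octets_no_ppp_hdr"] += m.payload_octets_without_header
        t["lcp_terminates"] += int(m.is_lcp_terminate)
    return totals
```

    The difference between the two octet columns is exactly two bytes per frame that carried the Address/Control header, which is the discrepancy to look for when an LAC and an LNS disagree on PPP accounting totals.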
  • Page 444: Stateful Line Module Switchover For Lns Sessions

    E120 and E320 routers installed with ES2 4G LMs and Service IOAs. This feature is supported only for PPP-based stacks (such as L2TP, PPP, and IP) and not for other applications such as GRE.
  • Page 445 Related Documentation:
    Stateful Line Module Switchover Overview
    Preservation of Statistics During Stateful Line Module Switchover
    Application Support for Stateful Line Module Switchover
  • Page 447: Configuring L2Tp Dial-Out

    Figure 10 on page 410 shows the dial-out model in which the LNS initiates L2TP sessions and provides enough information to the narrowband LAC so that it can complete the dial-out from the home site to the remote site.
  • Page 448: Terms

    The route includes a dial-out target (the virtual router context and the IP address of the remote site). When the router receives a packet destined for the target, it triggers a dial-out session to the target. The route is associated with a
  • Page 449: Dial-Out Process

    IP flow. The dial-out state machine has four levels of control: the router chassis, virtual router, targets, and sessions. This section describes the operational states of each of these levels.
    Chassis
    Table 74 on page 412 describes the operational states of the chassis.
  • Page 450: Virtual Router

    Note that sessions within a down target that are already in the process of connecting or are in the inService state are not affected by this condition.
    Sessions
    Table 77 on page 413 describes operational states of the sessions.
  • Page 451: Table 77: Session Operational States

    Receipt of a new trigger packet transitions the session to the authenticating state. If the dormant timer expires, the session is deleted. The dormant state exists to allow analysis of a dial-out session before it is deleted.
  • Page 452: Outgoing Call Setup Details

    The router expects RADIUS attributes that define a tunnel to be returned with the additions in Table 78 on page 415. If tunnel attributes are excluded from the Access-Accept message or the returned Service-Type attribute is not set to Outbound, the dial-out session is denied.
  • Page 453: Outgoing Call

    Both the L2TP session and the PPP interface exist on a Service module, identical to the LNS operation for incoming calls. Once the PPP interface is created, Link Control Protocol (LCP) and IPCP are negotiated.
  • Page 454: Mutual Authentication

    Create a profile that the router uses to create the dynamic PPP and IP interfaces on the LNS. The profile specifies parameters that are common to all dial-out sessions that use the profile. The following is an example of a typical profile configuration.
    Create a profile.
    host1(config)#profile dialOut
    host1(config-profile)#
  • Page 455: Configuring L2Tp Dial-Out

    If the session fails to be established before the connecting timer expires, subsequent attempts to establish the dial-out session to the same destination are inhibited temporarily. The range is 30–3600 seconds.
    Example
    host1(config)#l2tp dial-out connecting-timer-value 30
  • Page 456 Use to force the dial-out session to the dormant state where it remains until the dormant timer expires or it receives a new trigger. Closes any L2TP outgoing call associated with the dial-out session.
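    The session-level dial-out state machine described across pages 449 to 456 (trigger packet, authenticating, connecting under the connecting timer, inhibited, dormant under the dormant timer, operator reset) as an added Python model; this is illustrative code written for this page, not JunosE's implementation. Transitions the guide states are used as given: a trigger moves a dormant session to authenticating, dormant-timer expiry deletes the session, connecting-timer expiry inhibits further attempts to that destination temporarily, reset closes any outgoing call and forces the session dormant, and an Access-Accept without tunnel attributes or without Service-Type Outbound denies the session. The rest (accept starts the outgoing call and moves to connecting, LCP/IPCP completion moves to inService, the inhibit duration, a denied session landing in the failed state, post-inhibited behaving like dormant) are assumptions made for the model and marked as such in comments.

```python
"""Model of the per-session L2TP dial-out state machine.

Added illustrative example, not JunosE code. Transitions marked 'guide' follow the
JunosE guide text; those marked 'assumed' are choices made for this model.
Time is driven by an explicit simulated clock (seconds).
"""
from enum import Enum
from typing import List, Optional, Tuple


class State(Enum):
    AUTHENTICATING = "authenticating"
    CONNECTING = "connecting"
    IN_SERVICE = "inService"
    INHIBITED = "inhibited"
    POST_INHIBITED = "postInhibited"
    FAILED = "failed"
    DORMANT = "dormant"
    DELETED = "deleted"


class DialOutSession:
    def __init__(self, target: str, now: float, connecting_timer: int = 30,
                 dormant_timer: int = 300, inhibit_time: int = 60):
        if not 30 <= connecting_timer <= 3600:        # guide: range is 30-3600 seconds
            raise ValueError("connecting timer out of range")
        self.target = target
        self.connecting_timer = connecting_timer
        self.dormant_timer = dormant_timer
        self.inhibit_time = inhibit_time               # assumed: guide only says 'temporarily'
        self.call_open = False                         # an L2TP outgoing call exists
        self.deadline: Optional[float] = None
        self.log: List[Tuple[float, str]] = []
        self._enter(State.AUTHENTICATING, now)         # guide: a trigger packet creates the session

    def _enter(self, state: State, now: float, timeout: Optional[float] = None) -> None:
        self.state = state
        self.deadline = None if timeout is None else now + timeout
        self.log.append((now, state.value))

    def trigger(self, now: float) -> None:
        """Trigger packet for the target arrived (guide: dormant -> authenticating)."""
        if self.state in (State.DORMANT, State.POST_INHIBITED):   # post-inhibited: assumed
            self._enter(State.AUTHENTICATING, now)

    def radius_reply(self, now: float, tunnel_attrs_present: bool, service_type: str) -> None:
        """Access-Accept processed. Guide: no tunnel attributes or Service-Type != Outbound => denied."""
        if self.state != State.AUTHENTICATING:
            return
        if not tunnel_attrs_present or service_type != "Outbound":
            self._enter(State.FAILED, now)             # assumed: denied session shows as failed
            return
        self.call_open = True                          # assumed: accept starts the outgoing call
        self._enter(State.CONNECTING, now, self.connecting_timer)

    def ppp_up(self, now: float) -> None:
        """LCP and IPCP negotiated on the dynamic PPP interface (assumed: -> inService)."""
        if self.state == State.CONNECTING:
            self._enter(State.IN_SERVICE, now)

    def reset(self, now: float) -> None:
        """l2tp dial-out session reset (guide): close any outgoing call, go dormant."""
        if self.state == State.DELETED:
            return
        self.call_open = False
        self._enter(State.DORMANT, now, self.dormant_timer)

    def tick(self, now: float) -> None:
        """Advance the clock; fire the timer that belongs to the current state."""
        if self.deadline is None or now < self.deadline:
            return
        if self.state == State.CONNECTING:             # guide: connecting timer expired
            self.call_open = False
            self._enter(State.INHIBITED, now, self.inhibit_time)
        elif self.state == State.INHIBITED:            # assumed: inhibit period over
            self._enter(State.POST_INHIBITED, now, self.dormant_timer)
        elif self.state in (State.DORMANT, State.POST_INHIBITED):   # guide: dormant timer expired
            self._enter(State.DELETED, now)


def scenario_connect_timeout() -> List[str]:
    """First attempt times out while connecting, a later trigger succeeds, then reset and deletion."""
    s = DialOutSession("10.1.1.1", now=0)
    s.radius_reply(1, tunnel_attrs_present=True, service_type="Outbound")
    s.tick(31)      # connecting timer (30 s) expires -> inhibited, call closed
    s.tick(91)      # inhibit period over -> postInhibited
    s.trigger(100)  # new trigger -> authenticating
    s.radius_reply(101, True, "Outbound")
    s.ppp_up(105)
    s.reset(200)    # operator reset -> dormant
    s.tick(500)     # dormant timer (300 s) expires -> deleted
    return [name for _, name in s.log]


def scenario_denied() -> str:
    """Access-Accept with the wrong Service-Type is denied (guide)."""
    s = DialOutSession("10.1.1.2", now=0)
    s.radius_reply(1, tunnel_attrs_present=True, service_type="Framed")
    return s.state.value
```

    Reading the log from scenario_connect_timeout() against the show l2tp dial-out session state counters on page 484 shows which bucket a session occupies at each point of a failed and then successful attempt.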
  • Page 457: Monitoring L2Tp Dial-Out

    “Monitoring Chassis-wide Configuration for L2TP Dial-out” on page 446
    “Monitoring Status of Dial-out Sessions” on page 450
    “Monitoring Dial-out Targets within the Current VR Context” on page 452
    “Monitoring Operational Status within the Current VR Context” on page 453
  • Page 459: L2Tp Disconnect Cause Codes

    Authentication failures not covered by any of the authentication-related codes (codes 13-16), such as:
    Authentication denial of the local LCP by the peer
    Local authentication failure due to no resources
    Local authentication failure due to no authenticator
  • Page 460 Endpoint discriminator mismatch: MLPPP bundling, supported for MLPPP/L2TP, uses the endpoint discriminator as part of the key for bundle selection. Therefore, there will never be an unexpected endpoint discriminator for an existing MLPPP bundle.
  • Page 461 LCP fails (that is, the authenticator received a PAP NAK or CHAP Failure packet). Note that there are a variety of causes for authentication failures, including bad credentials (bad name, password or secret) and resource problems.
  • Page 462 NCP because the required network-layer parameters were not available as a result of the authentication stage. Code 20 with direction 1 is never generated; the NCPs are never enabled if there is no non-null local address.
  • Page 463: Monitoring L2Tp And L2Tp Dial-Out

    Monitoring Dial-out Targets within the Current VR Context on page 452
    Monitoring Operational Status within the Current VR Context on page 453
    Monitoring the Mapping for User Domains and Virtual Routers with AAA
    Purpose: Display the mapping between user domains and virtual routers.
  • Page 464: Table 80: Show Aaa Domain-Map Output Fields

    IP hint: IP hint is enabled
    strip-domain: Strip domain is enabled
    override-username: Single username used for all users from a domain in place of the values received from the remote client
  • Page 465 Name of the L2TP tunnel switch profile
    Tunnel Tx Speed Method: Method that the router uses to calculate the transmit connect speed of the subscriber’s access interface: static layer2, dynamic layer2, qos, actual, not set
    Related Documentation: show aaa domain-map
  • Page 466: Monitoring Configured Tunnel Groups With Aaa

    IPv6 interface information to use on the local (E Series) side of the subscriber’s interface
    poolname: Local address pool from which the router allocates addresses for this domain
    IP hint: IP hint is enabled
  • Page 467 Name of the L2TP tunnel switch profile
    Tunnel Tx Speed Method: Method that the router uses to calculate the transmit connect speed of the subscriber’s access interface: static layer2, dynamic layer2, qos, actual, not set
  • Page 468: Monitoring Configuration Of Tunnel Parameters With Aaa

    NAS-Port-Type [61] attribute; enabled or disabled
    Tunnel assignmentId format: Value of the tunnel assignment ID that is passed to PPP/L2TP
    Tunnel calling number format: Format configured for L2TP Calling Number AVP 22 generated by the LAC
  • Page 469: Monitoring Global Configuration Status On E Series Routers

    Table 83: show l2tp Output Fields
    Field Name: Field Description
    Configuration: Configuration and status for L2TP on E Series routers, including switched sessions
    L2TP administrative state: Status of L2TP on the router; enabled or disabled
  • Page 470 Enabled or disabled
    Destination lockout timeout: Number of seconds that L2TP destinations remain in the lockout state after they become unavailable
    Destination lockout test: Status of the L2TP destination lockout test, enabled or disabled
  • Page 471: Monitoring Detailed Configuration Information For Specified Destinations

    Local address 192.168.1.230, peer address 172.31.1.98
    Destination status
    Effective administrative state is enabled
    Sub-interfaces total active failed auth-errors
    Tunnels
    Sessions
    Statistics packets octets discards errors
    Control rx 3251
    Control tx 23939
    Data rx 68383456 68383456
    Data tx 68383456 68383456
  • Page 472: Table 84: Show L2Tp Destination Output Fields

    Number of requests that did not reach an operational state for this destination
    auth-errors: Number of requests that failed because the tunnel password was invalid for this destination
    Statistics: Information about the traffic sent and received
  • Page 473: Monitoring Locked Out Destinations

    If a nondefault L2TP RWS is configured for a particular host profile, to display the RWS setting as an attribute of that host profile:
    host1#show l2tp destination profile westford
    L2TP destination profile westford
    Configuration
    Destination address
    Transport ipUdp
  • Page 474: Configuration

    Table 86 on page 436 lists the show l2tp destination profile command output fields.
    Table 86: show l2tp destination profile Output Fields
    Field Name: Field Description
    Destination profile attributes: Destination profile attributes of L2TP destination
    Transport: Method used to transfer traffic
  • Page 475 L2TP peer resynchronization method for the host profile
    Override out-of-resource-result-code: State of result code override, enabled or disabled
    Current session count: Number of current sessions for the host profile
    Related Documentation: show l2tp destination profile
  • Page 476: Monitoring Configured And Operational Status Of All Destinations

    To display statistics for all information the LAC receives from an LNS about the cause of an L2TP session disconnection:
    host1# show l2tp received-disconnect-cause-summary
    Disconnect Cause (Code) Global Peer Local
    --------------------------------------------- ---------- ---------- ----------
    no info (0)
    admin disconnect (1)
  • Page 477: Monitoring Detailed Configuration Information About Specified Sessions

    L2TP session 1/1/1 is Up
    Configuration
    Administrative state is enabled
    SNMP traps are enabled
    Session status
    Effective administrative state is enabled
    State is established
    Local session id is 25959, peer session id is 2
  • Page 478: Table 89: Show L2Tp Session Output Fields

    Names the router uses to identify the session locally and remotely
    Statistics: Information about the traffic for this session
    Session operational configuration: Information received from the peer when the session was created
    Related Documentation: show l2tp session
  • Page 479: Monitoring Configured And Operational Summary Status

    To display information about the settings in a particular L2TP tunnel switch profile:
    host1#show l2tp switch-profile concord
    L2TP tunnel switch profile concord
    AVP bearer type action is relay
    AVP calling number action is relay
    AVP Cisco nas port info action is relay
  • Page 480: Monitoring Detailed Configuration Information About Specified Tunnels

    Control rx
    Control tx 4666
    Data rx 67900944 67900944
    Data tx 67900944 67900944
    Control channel statistics
    Receive window size = 4
    Receive ZLB = 17
    Receive out-of-sequence = 0
    Receive out-of-window = 0
  • Page 481: Table 92: Show L2Tp Tunnel Output Fields

    UDP ports for the local and remote ends of the tunnel. If the router is set up to accept address and port changes in SCCRP packets, both the transmit and receive UDP ports are listed for the peer.
    Tunnel status: Tunnel status information.
  • Page 482 Number of acknowledgments that the router has sent to the peer.
    Transmit queue depth: Number of packets that the router is waiting to send to the peer, plus the number of packets for which the peer has not yet acknowledged receipt.
  • Page 483: Monitoring Configured And Operational Status Of All Tunnels

    (such as a line module) supporting the tunnel is inaccessible
    Related Documentation: show l2tp tunnel summary
  • Page 484: Monitoring Chassis-Wide Configuration For L2Tp Dial-Out

    Sessions in authenticating state:
    Sessions in connecting state:
    Sessions in in-service state:
    Sessions in inhibited state:
    Sessions in post-inhibited state:
    Sessions in failed state:
    Dial-out target statistics
    Targets active:
    Targets created:
    Targets removed:
    Targets in down state:
  • Page 485: Table 94: Show L2Tp Dial-Out Output Fields

    Field Description
    Operational status: Current operational status of the chassis
    Connecting timer value: Configuration of the connecting timeout
    Dormant timer value: Configuration of the dormant timeout
    Dial-out Chassis Statistics: Statistics at the chassis level
  • Page 486 VRs in the initializationFailed state
    Virtual routers in down state: VRs in the down state
    Virtual routers in in-service state: VRs in the inService state
    IP Discarded trigger frames: Trigger frames that IP discarded
  • Page 487 Statistics at the session level
    Sessions active: Currently active sessions
    Sessions created: All sessions created
    Sessions removed: Sessions deleted
    Sessions reset: Sessions reset using the l2tp dial-out session reset command
    Triggers received: Triggers received for dial-out sessions
  • Page 488: Monitoring Status Of Dial-Out Sessions

    This section presents sample output. The actual output on your router may differ significantly.
    Action
    To display all sessions within the current virtual router context:
    host1#show l2tp dial-out session
    Session Status
  • Page 489: Table 95: Show L2Tp Dial-Out Session Output Fields

    IP address of the session
    Status: Current status of the session
    Operational status: Current operational status of the session
    Related Documentation: For detailed information about operational states, see Dial-Out Operational States on page 411; show l2tp dial-out session
  • Page 490: Monitoring Dial-Out Targets Within The Current Vr Context

    For example, if you have permission to view only the current virtual router, then that is all that is displayed when you enter a command.
    Meaning
    Table 96 on page 453 lists the show l2tp dial-out target command output fields.
  • Page 491: Monitoring Operational Status Within The Current Vr Context

    To display detailed configuration, state, and statistics:
    host1:dialout#show l2tp dial-out virtual-router detail
    To display information about the operational or administrative state:
    host1:dialout#show l2tp dial-out virtual-router state down
    To display dial-out information across all virtual routers:
  • Page 492: Table 97: Show L2Tp Dial-Out Virtual-Router Output Fields

    Maximum number of trigger packets held in the buffer for a session while the dial-out session is being established
    Related Documentation: For detailed information about operational states, see Dial-Out Operational States on page 411; show l2tp dial-out virtual-router
  • Page 493: Managing Dhcp

    DHCP Local Server Overview on page 465
    Configuring DHCP Local Server on page 473
    Configuring DHCP Relay on page 491
    Configuring the DHCP External Server Application on page 519
    Monitoring and Troubleshooting DHCP on page 533
  • Page 495: Dhcp Overview

    DHCP clients can be reliably and dynamically configured with parameters appropriate to the current network architecture. You can configure the E Series router to support the following DHCP features:
    DHCP access model
    DHCP proxy client
    DHCP relay
    DHCP relay proxy
  • Page 496: Session And Resource Control Software

    Session and Resource Control Software
    The Session and Resource Control (SRC) software, formerly the Service Deployment System (SDX) software, is a component of Juniper Networks management products. The SRC software provides a Web-based interface that allows subscribers to access services, such as the Internet, an intranet, or an extranet.
  • Page 497: Dhcp References

    DHCP proxy client support enables the router to obtain an IP address from a DHCP server for a remote PPP client. Each virtual router (acting as a DHCP proxy client) can query up to five DHCP servers.
  • Page 498 You can specify a maximum of five DHCP servers.
    host1(config)#ip dhcp-server 10.6.128.10
    Direct the router to request IP addresses for remote users from the DHCP server(s).
    host1(config)#ip address-pool dhcp
    Related Documentation: ip address-pool, ip dhcp-server
  • Page 499: Logging Dhcp Packet Information

    The following commands enable you to view information about current DHCP client bindings:
    To display information and track lease times and status for specified DHCP client bindings, with results arranged in ascending order by binding ID, use the show dhcp binding command.
  • Page 500 (address and subnetwork mask) of the DHCP client
    local: DHCP local server bindings that meet the deletion criteria
  • Page 501 To specify nonprintable byte codes in the circuit ID string or remote ID string, you can use the string \\xab, where ab is a hex code of the byte. This dhcp delete-binding command uses the string \\xe3 to represent byte E3 in the circuit ID string. This
  • Page 502 command deletes DHCP client bindings on virtual router vr3 with the specified circuit ID string.
    Related Documentation: dhcp delete-binding, show dhcp binding, show dhcp count, show dhcp host
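    An added Python example, not from the guide, showing where the circuit ID and remote ID strings matched by dhcp delete-binding come from and how the byte escape described under page 501 is produced: it parses a constructed DHCP options field, extracts the option 82 (relay agent information) sub-options 1 (Agent Circuit ID) and 2 (Agent Remote ID), and converts between the raw bytes and the escaped CLI form in both directions. It assumes the escape is a single backslash, the letter x and two hex digits per nonprintable byte (the page prints the backslash doubled; check the guide for the exact form your CLI expects), and the sample circuit ID and remote ID are invented.

```python
"""Parse DHCP option 82 (relay agent information) and render IDs in escaped CLI form.

Added example, not from the JunosE guide. Option 82 (RFC 3046) carries sub-options
of the form code(1) length(1) value; sub-option 1 is Agent Circuit ID and 2 is Agent
Remote ID. The escape form assumed here (backslash, 'x', two hex digits for each
byte that is not printable ASCII) follows the guide's description of \\xab.
The sample options field below is constructed, not captured.
"""
import re

OPT_RELAY_AGENT_INFO = 82
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2


def parse_dhcp_options(options: bytes) -> dict:
    """Return {code: value} for a DHCP options field (after the magic cookie).

    PAD (0) is skipped and END (255) stops parsing; truncation raises ValueError.
    """
    out, i = {}, 0
    while i < len(options):
        code = options[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        out[code] = value          # a repeated option code is not concatenated here
        i += 2 + length
    return out


def parse_option82(value: bytes) -> dict:
    """Split the option 82 value into {sub-option code: bytes}."""
    subs, i = {}, 0
    while i < len(value):
        if i + 1 >= len(value):
            raise ValueError("truncated sub-option header")
        sub, length = value[i], value[i + 1]
        data = value[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated sub-option value")
        subs[sub] = data
        i += 2 + length
    return subs


def to_cli_string(raw: bytes) -> str:
    """Printable ASCII passes through; backslash and nonprintable bytes become \\xab."""
    return "".join(chr(b) if 0x20 <= b < 0x7F and b != 0x5C else f"\\x{b:02x}" for b in raw)


_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")


def from_cli_string(text: str) -> bytes:
    """Inverse of to_cli_string: turn \\xab sequences back into bytes."""
    out, i = bytearray(), 0
    while i < len(text):
        m = _ESCAPE.match(text, i)
        if m:
            out.append(int(m.group(1), 16))
            i = m.end()
        else:
            out.append(ord(text[i]))
            i += 1
    return bytes(out)


def relay_ids_from_options(options: bytes) -> dict:
    """Return the escaped circuit-id and remote-id strings found in option 82, if any."""
    opts = parse_dhcp_options(options)
    if OPT_RELAY_AGENT_INFO not in opts:
        return {}
    subs = parse_option82(opts[OPT_RELAY_AGENT_INFO])
    return {
        name: to_cli_string(subs[code])
        for name, code in (("circuit-id", SUBOPT_CIRCUIT_ID), ("remote-id", SUBOPT_REMOTE_ID))
        if code in subs
    }


# Constructed sample: DHCP message type (option 53) = DHCPDISCOVER, then option 82
# with a circuit ID containing two nonprintable bytes and a printable remote ID, then END.
_CIRCUIT_ID = b"atm 3/0:\xe3\x01"
_REMOTE_ID = b"relay01"
_OPT82 = (bytes([SUBOPT_CIRCUIT_ID, len(_CIRCUIT_ID)]) + _CIRCUIT_ID
          + bytes([SUBOPT_REMOTE_ID, len(_REMOTE_ID)]) + _REMOTE_ID)
SAMPLE_OPTIONS = bytes([53, 1, 1]) + bytes([OPT_RELAY_AGENT_INFO, len(_OPT82)]) + _OPT82 + b"\xff"

if __name__ == "__main__":
    print(relay_ids_from_options(SAMPLE_OPTIONS))
```

    Escaping the backslash itself keeps the round trip unambiguous: a relay that puts a literal backslash in a circuit ID would otherwise produce a string that from_cli_string could misread as an escape.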
  • Page 503: Dhcp Local Server Overview

    DHCP local server. For information about configuring the DHCPv6 local server, see “Configuring the DHCPv6 Local Server” on page 485. In equal-access mode, the DHCP local server works with the Juniper Networks SRC software to provide an advanced subscriber configuration and management service.
  • Page 504: Equal-Access Mode Overview

    DHCP pools in the order presented in Table 98 on page 467. When the router finds a match, it selects a pool based on the match and does not examine other parameters.
  • Page 505: The Connection Process

    The router maintains a host route that maps the IP address to the router’s interface associated with the subscriber’s computer. The subscriber’s computer retains the IP address until the subscriber turns off the computer.
  • Page 506: Standalone Mode Overview

    DHCP pools in the order presented in Table 99 on page 469. When the router finds a match, it selects a pool based on the match and does not examine other parameters.
  • Page 507: Table 99: Local Pool Selection In Standalone Mode Without Aaa

    DHCP local server receives the domain name from the AAA server. If the client’s domain name does not match the name of the DHCP local pool, the router attempts to match the client’s domain name to the domain name field within the pool.
  • Page 508: Server Management Table

    Configure an unnumbered IP address associated with the loopback interface on the ATM or Ethernet interface. For information about defining IP addresses, see the Configuring IP chapter in JunosE IP, IPv6, and IGP Configuration Guide.
  • Page 509: Dhcp Local Server Configuration Tasks

    483 for a sample configuration. For non-PPP equal access, configure the router to work with the SRC software. See “Configuring the Router to Work with the SRC Software” on page 487 for a sample configuration.
  • Page 511: Configuring Dhcp Local Server

    If you do not use SRC for managing subscribers, use standalone mode. In equal-access mode, SRC contributes to address pool selection; in standalone mode, SRC is not used for address allocation.
  • Page 512: Limiting The Number Of Ip Addresses Supplied By Dhcp Local Server

    You can specify the maximum number of IP addresses that the DHCP local server can supply to each VPI/VCI, VLAN, Ethernet subnetwork, or POS access interface type, or to a particular interface or subinterface.
  • Page 513: Excluding Ip Addresses From Address Pools

    DHCP local server to support the creation of dynamic subscriber interfaces built over dynamic VLANs that are based on the agent-circuit-id option (suboption 1) of the option 82 field in DHCP messages.
  • Page 514: Address

    Clients with identical IDs or addresses are distinguished as follows:
    On different subinterfaces in the same subnet: by unique subinterface
    On the same subinterface in different subnets: by unique subnet
    On different subinterfaces in different subnets: by unique subinterface and unique subnet
  • Page 515: Logging Out Dhcp Local Server Subscribers

    This command applies to DHCP local server local-access and standalone clients, as well as to PPP users. You can log out all subscribers, or log out subscribers by username, domain, virtual-router, or port.
  • Page 516: Clearing An Ip Dhcp Local Server Binding

    For information about setting up SNMP, see the Configuring SNMP chapter in JunosE System Basics Configuration Guide.
    Using DHCP Local Server Event Logs
    To troubleshoot and monitor your DHCP local server, use the following system event logs:
  • Page 517 Using SNMP Traps to Monitor DHCP Local Server Events on page 478
    Related Documentation: clear ip dhcp-local binding, dhcp delete-binding, ip dhcp-local auto-configure agent-circuit-identifier, ip dhcp-local excluded-address, ip dhcp-local limit, ip dhcp-local unique-client-ids, logout subscribers, service dhcp-local, ipv6 local pool
  • Page 518: Configuring Dhcp Local Address Pools

    See “Linking Local Address Pools” on page 482 for more information about linking local address pools.
    host1(config-dhcp-local)#link ispChicago
    (Optional) Assign a NetBIOS server for subscribers. Some DHCP clients request the DHCP local server to assign a NetBIOS server.
  • Page 519 Address Leases” on page 482 for more information about grace periods. (Optional) Specify that the grace period is applied to addresses that have been explicitly released by clients. By default, the grace period is applied only to address
  • Page 520: Linking Local Address Pools

    The address is released back to the address pool if the grace period expires before the address is reapplied to the original client. Copyright © 2010, Juniper Networks, Inc.
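The pool behaviour spelled out on pages 512, 513, 519 and 520 (a per-interface-type limit, excluded addresses, and a grace period that holds an expired address for its original client), worked through in Python. This is an added example for this page, not JunosE code: the pool network, the lease length and the atm limit of 5 follow the page 527 configuration, while the 60-second grace period, the excluded default-router address and the client identifiers are assumptions.

```python
"""DHCP local server address pool model: excluded addresses, a per-interface-type
limit and the lease grace period.  Added example for this page, not JunosE code.
Pool network, lease length and the atm limit follow the page 527 configuration;
the 60-second grace period, the excluded default-router address and the client
identifiers are assumptions.
"""
import ipaddress
from collections import defaultdict, deque


class LocalPool:
    def __init__(self, network, excluded=(), lease_secs=600, grace_secs=60, limits=None):
        skip = {ipaddress.IPv4Address(a) for a in excluded}
        # Excluded addresses (page 513) are never handed out: they never enter
        # the free queue in the first place.
        self.free = deque(ip for ip in ipaddress.IPv4Network(network).hosts() if ip not in skip)
        self.lease_secs = lease_secs
        self.grace_secs = grace_secs
        self.limits = limits or {}              # interface type -> maximum leases (page 512)
        self.bindings = {}                      # address -> (client_id, iftype, expires_at)
        self.grace = {}                         # address -> (client_id, grace_ends_at)
        self.assigned = defaultdict(int)        # iftype -> leases currently held
        self.denied = defaultdict(int)          # iftype -> requests refused by the limit

    def allocate(self, client_id, iftype, now):
        """Lease an address; None when the interface limit or the pool is exhausted."""
        cap = self.limits.get(iftype)
        if cap is not None and self.assigned[iftype] >= cap:
            self.denied[iftype] += 1
            return None
        # Page 520: while the grace period runs, the address is held for its
        # original client, who therefore gets the same address back.
        for ip, (owner, _ends) in list(self.grace.items()):
            if owner == client_id:
                del self.grace[ip]
                break
        else:
            if not self.free:
                return None
            ip = self.free.popleft()
        self.bindings[ip] = (client_id, iftype, now + self.lease_secs)
        self.assigned[iftype] += 1
        return str(ip)

    def _unbind(self, ip, now, with_grace):
        client_id, iftype, _expires = self.bindings.pop(ip)
        self.assigned[iftype] -= 1
        if with_grace and self.grace_secs:
            self.grace[ip] = (client_id, now + self.grace_secs)
        else:
            self.free.append(ip)

    def release(self, ip, now, grace_on_release=False):
        """Explicit release by the client.  Page 519: by default the grace period
        applies only to expired leases; grace_on_release models the optional setting."""
        self._unbind(ipaddress.IPv4Address(ip), now, grace_on_release)

    def tick(self, now):
        """Move expired leases into the grace period, then return addresses whose
        grace period has run out to the pool (page 520)."""
        for ip, (_client, _iftype, expires) in list(self.bindings.items()):
            if expires <= now:
                self._unbind(ip, now, True)
        for ip, (_owner, ends) in list(self.grace.items()):
            if ends <= now:
                del self.grace[ip]
                self.free.append(ip)

    def is_free(self, ip):
        return ipaddress.IPv4Address(ip) in self.free


def demo():
    """Six atm clients against a limit of 5, one Ethernet client, then expiry."""
    pool = LocalPool("10.10.2.0/24", excluded=["10.10.2.1"], limits={"atm": 5})
    leased = [pool.allocate("client-%d" % i, "atm", now=0) for i in range(6)]
    first = pool.allocate("pc-on-ethernet", "ethernet", now=0)   # not under the atm limit
    pool.tick(now=600)                                           # every lease expires into grace
    same = pool.allocate("client-0", "atm", now=601)             # original client: same address
    other = pool.allocate("client-9", "atm", now=602)            # new client: next free address
    pool.tick(now=700)                                           # grace over: .3-.7 back in the pool
    return {"leased": leased, "first": first, "same": same, "other": other,
            "denied_atm": pool.denied["atm"], "free_after_grace": pool.is_free("10.10.2.3")}
```

The sixth atm request is refused and counted, which is what the Denied column of the show ip dhcp-local limits display on page 609 reports; the Ethernet request is unaffected because the limit is per interface type.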
  • Page 521: Configuring AAA Authentication for DHCP Local Server Standalone Mode
    DHCP local server for standalone mode. Doing so removes your entire DHCP local server configuration. Therefore, if you want to configure authentication, do so before you otherwise configure the DHCP local server.
  • Page 522
    (Optional) Verify your authentication configuration.
    host1(config)#show ip dhcp-local auth config
    DHCP Local Server Authentication Configuration
    User-Prefix    : ERX4-Boston
    Domain         : ISP1.com
    Password       : to4TooL8
    Virtual Router : included
    Circuit Type   : included
    Circuit ID     : included
    This display echoes the authentication password in cleartext, so treat captured CLI sessions and logs that contain it accordingly.
  • Page 523: Configuring the DHCPv6 Local Server
    Specify the number of days and, optionally, the number of hours, minutes, and seconds. You cannot specify a lifetime of zero (that is, you cannot set the days, hours, minutes, and seconds fields all to zero).
  • Page 524: Deleting DHCPv6 Client Bindings
    (filter) the client bindings you want to delete:
    all: all DHCPv6 local server client bindings
    ipv6Prefix: IPv6 prefix (address and subnetwork mask) of the DHCPv6 clients; for example, 2002:2:4:1::/64
  • Page 525: Configuring the Router to Work with the SRC Software
    Configuration Example. Figure 12 on page 488 shows the scenario for this example. Subscribers obtain access to ISP Boston via a router. Subscribers log in through the SRC software, and a RADIUS server provides authentication.
  • Page 526: Figure 12: Non-PPP Equal-Access Configuration Example
    Configure the parameters to enable the router to forward authentication requests to the RADIUS server.
    host1(config)#radius authentication server 10.10.1.2
    host1(config)#udp-port 1645
    host1(config)#key radius
    Specify the authentication method.
    host1(config)#aaa authentication ppp default radius
    host1(config)#aaa authentication ppp default none
    The none method performs no authentication: subscribers are accepted without any RADIUS exchange.
  • Page 527
    10.10.2.0 255.255.255.0
    host1(config-dhcp-local)#domain-name ispBoston
    host1(config-dhcp-local)#default-router 10.10.2.1
    host1(config-dhcp-local)#lease 0 0 10
    host1(config-dhcp-local)#ip dhcp-local limit atm 5
    Configure the SRC client.
    host1(config)#sscc enable
    host1(config)#sscc retryTimer 200
    host1(config)#sscc primary address 10.10.1.2 port 3288
  • Page 529: Chapter 20 Configuring DHCP Relay
    82) to add information to the DHCP packets sent to DHCP servers. The additional information, in the form of suboptions to the option 82 value, helps you to manage the IP address and service level assignments granted to your subscribers. For example, you
  • Page 530: Enabling DHCP Relay
    You can use the unknown keyword with the set dhcp relay discard-access-routes command to remove the routing information for these interfaces. To remove access routes:
    host1(config)#set dhcp relay discard-access-routes
  • Page 531: Treating All Packets as Originating at Trusted Sources
    Spoofed giaddrs are a concern when the DHCP relay is used if the giaddr value in received DHCP packets differs from the local IP address on which the DHCP relay is accessed. In this situation, DHCP relay always honors the giaddr. To configure DHCP relay to override
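The ingress decisions this section and the relay statistics on page 600 describe (a relay agent option arriving from an untrusted source, a giaddr that is not the relay's own address, and the trusted-source treatment), modelled in Python. This is an added example for this page, not JunosE code. The counter names follow the show dhcp relay statistics output quoted on page 600; the knobs trust_all, preserve_trusted_option and giaddr_policy are this example's own names. The page states that the relay honors a foreign giaddr by default and can be configured to override it, and it lists a "dropped giaddr spoof packets" counter; the "drop" policy below only models that counter, since the command that selects it is not in this excerpt. Interface names and addresses in demo() are constructed.

```python
"""Ingress handling of client-originated DHCP packets at a relay agent.
Added example for this page, not JunosE code.  Counter names follow the
"show dhcp relay statistics" display; the policy knobs are this example's
own names (see the lead-in above), and all addresses are constructed.
"""
from collections import Counter

OPT_RELAY_AGENT = 82
ZERO_GIADDR = "0.0.0.0"


class RelayAgent:
    def __init__(self, local_addr, trust_all=False, trusted_ifaces=(),
                 preserve_trusted_option=False, giaddr_policy="honor"):
        if giaddr_policy not in ("honor", "override", "drop"):
            raise ValueError(giaddr_policy)
        self.local_addr = local_addr               # giaddr this relay inserts
        self.trust_all = trust_all                 # treat every source as trusted
        self.trusted = set(trusted_ifaces)         # otherwise, per-interface trust
        self.preserve = preserve_trusted_option    # keep option 82 sent by a trusted client
        self.giaddr_policy = giaddr_policy
        self.stats = Counter()

    def own_option82(self, pkt):
        # Sub-option 1, Agent Circuit ID: the interface the packet arrived on.
        return {1: pkt["iface"].encode()}

    def ingress(self, pkt):
        """Return ("forward", packet_to_send) or ("drop", reason).

        pkt: {"iface": str, "giaddr": dotted str, "options": {code: value}}.
        """
        self.stats["client packets received"] += 1
        trusted = self.trust_all or pkt["iface"] in self.trusted
        out = dict(pkt, options=dict(pkt["options"]))

        # An untrusted source must not present a relay agent option of its own
        # (RFC 3046, section 2.1.1): drop it and count the event.
        if OPT_RELAY_AGENT in out["options"] and not trusted:
            self.stats["Relay Agent Option already present"] += 1
            return "drop", "relay agent option from untrusted source"

        # giaddr set by something other than this relay: the spoofing concern.
        if pkt["giaddr"] not in (ZERO_GIADDR, self.local_addr):
            if self.giaddr_policy == "drop":
                self.stats["dropped giaddr spoof packets"] += 1
                return "drop", "giaddr spoof"
            if self.giaddr_policy == "honor":
                # Page default: the giaddr is believed, so the packet is relayed
                # as if it came from another relay, with no option 82 of ours
                # added, and server replies go back to the claimed giaddr.
                self.stats["packets transmitted to servers"] += 1
                return "forward", out
            # "override": fall through and treat it as a locally received packet.

        if OPT_RELAY_AGENT not in out["options"] or not self.preserve:
            out["options"][OPT_RELAY_AGENT] = self.own_option82(pkt)
        out["giaddr"] = self.local_addr
        self.stats["packets transmitted to servers"] += 1
        return "forward", out


def demo():
    """Run the cases the page raises and return the dispositions."""
    iface = "atm 4/1.2:0.101"
    clean = {"iface": iface, "giaddr": ZERO_GIADDR, "options": {53: b"\x01"}}
    with82 = {"iface": iface, "giaddr": ZERO_GIADDR,
              "options": {53: b"\x01", OPT_RELAY_AGENT: {1: b"forged"}}}
    foreign = {"iface": iface, "giaddr": "192.0.2.99", "options": {53: b"\x01"}}

    default = RelayAgent("10.10.1.1")
    dropping = RelayAgent("10.10.1.1", giaddr_policy="drop")
    trusting = RelayAgent("10.10.1.1", trust_all=True)
    preserving = RelayAgent("10.10.1.1", trust_all=True, preserve_trusted_option=True)
    return {
        "clean": default.ingress(clean),
        "untrusted_82": default.ingress(with82),
        "foreign_honored": default.ingress(foreign),
        "foreign_dropped": dropping.ingress(foreign),
        "trusted_82_replaced": trusting.ingress(with82),
        "trusted_82_preserved": preserving.ingress(with82),
        "default_stats": dict(default.stats),
        "dropping_stats": dict(dropping.stats),
    }
```

The honor path is the one to watch: with the page default, a client that fabricates a giaddr gets its packet relayed unmodified, and the server's reply is addressed to the forged giaddr rather than to this relay. Turning on trust for all sources (trust_all) removes the first check as well, so both settings belong only on interfaces facing equipment you control.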
  • Page 532: Packets
    "Behavior for Bound Clients and Address Renewals" on page 517. To display whether support for broadcast flag replies is currently on or off on the router, use the show dhcp relay command. For information, see "Monitoring and Troubleshooting DHCP" on page 533.
  • Page 533: Interaction with Layer 2 Unicast Transmission Method
    2 proxy use layer 2 unicast and layer 3 broadcast transmission to send DHCP reply packets to clients.
  • Page 534: Preventing DHCP Relay from Installing Host Routes by Default
    IP and saves it in NVS. Configuration Example: Preventing Installation of Host Routes. This example describes a sample procedure for configuring multiple subscribers over a particular static subscriber interface (ip53001 in this example); you might use commands
  • Page 535: Including Relay Agent Option Values in the PPPoE Remote Circuit ID
    By default, the router formats the captured PPPoE remote circuit ID to include only the agent-circuit-id suboption (suboption 1) of the DHCP relay agent information option (option 82). You can use the radius remote-circuit-id-format command to configure the following nondefault formats for the PPPoE remote circuit ID value:
  • Page 536: Interfaces
    "Behavior for Bound Clients and Address Renewals" on page 517. To display whether the layer 2 unicast method is currently on or off on the router, use the show dhcp relay command. For information, see "Monitoring and Troubleshooting DHCP" on page 533.
  • Page 537: Servers
    You use the set dhcp vendor-option command to configure vendor-option (option 60) strings to control DHCP client traffic. Create DHCP vendor-option servers by configuring
  • Page 538
    Client packets that have option 60 configured but have no string specified (a string of 0 length) are treated as nonmatching strings and handled accordingly. To configure an exact match:
    host1(config)#set dhcp vendor-option equals myword relay 192.168.7.7
  • Page 539: Configuration Example: Using DHCP Relay Option 60 to Specify Traffic
    - the DHCP application responsible for the action has not been configured yet; therefore all packets for this application will be dropped
    Total 3 entries.
    Vendor-option                    Action
    -------------------------------- ----------------------------------------
  • Page 540: Relaying DHCP Packets That Originate from a Cable Modem
    The hostname and vrname keywords are a toggle; that is, specifying either hostname or virtual router name turns off the other selection. To configure the relay agent option 82 information:
    host1(config)#set dhcp relay options hostname
  • Page 541: Packets
    See the JunosE Policy Management Configuration Guide for information about layer 2 policies. The Agent Circuit ID suboption (suboption 1) and the Agent Remote ID suboption (suboption 2) are typically determined by the client network access device and depend
  • Page 542: Table 102: Effect of Commands on Option 82 Suboption Settings
    Command                                                         Circuit ID  Remote ID  Vendor-specific
    (command cut off in this excerpt)                               No change   Enable     No change
    set dhcp relay agent sub-option vendor-specific suboption-type  No change   No change  Enable specified suboption type
    no set dhcp relay agent sub-option circuit-id                   Disable     No change  No change
  • Page 543: Option 82
    VLAN is 2 bytes, with the VLAN ID occupying the 12 low-order bits of the value; the 4 high-order bits are 0. The data field length of a stacked
  • Page 544
    subopt code: 9
    subopt 9 len: 14 bytes
    JUNOSE IANA: 13 0a
    JUNOSE data len: 9 bytes
    L2 Circuit ID type: 1
    L2 Circuit ID len: 4 bytes
    L2 Circuit ID val: 00 7b b2 6e
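The option 82 layout that pages 541 to 545 describe, decoded in Python: suboption 1 carrying the interface string of page 545, suboption 2 carrying the remote ID, and suboption 9 carrying the vendor-specific data whose field dump appears on page 544 (enterprise number 0x130a, a type 1 layer 2 circuit ID, 9 bytes of data, 14 bytes in total). This is an added example for this page, not JunosE code. The sample bytes are constructed from that dump; the second vendor TLV (type 2, one byte of value) is an assumed stand-in for the user-packet-class value the page 549 display lists, and the circuit-id and remote-id strings are made up.

```python
"""Decoder for the DHCP relay agent information option (option 82) as the
page describes it.  Added example, not JunosE code.  Sample bytes are
constructed from the page 544 dump; the type 2 vendor TLV and the
circuit-id / remote-id strings are assumptions.
"""
import re
import struct

JUNOSE_ENTERPRISE = 0x130A          # "JUNOSE IANA: 13 0a" in the page 544 dump
L2_CIRCUIT_ID = 1                   # "L2 Circuit ID type: 1"

# [<hostname>|<vrname>:]<interface type> <slot>/<port>[.<sub-if>][:<vlan id> | :<vpi>.<vci>]
CIRCUIT_RE = re.compile(
    r"^(?:(?P<prefix>[^:\s]+):)?(?P<iftype>[A-Za-z]+)\s+(?P<slot>\d+)/(?P<port>\d+)"
    r"(?:\.(?P<subif>\d+))?(?::(?P<circuit>\S+))?$")


def parse_circuit_id(text):
    """Split a JunosE interface string into its fields; unknown shapes stay raw."""
    m = CIRCUIT_RE.match(text)
    if not m:
        return {"raw": text}
    f = {k: v for k, v in m.groupdict().items() if v is not None}
    for k in ("slot", "port", "subif"):
        if k in f:
            f[k] = int(f[k])
    circuit = f.pop("circuit", None)
    if circuit is not None:
        if f["iftype"].lower() == "atm":          # <vpi>.<vci>
            vpi, vci = circuit.split(".")
            f["vpi"], f["vci"] = int(vpi), int(vci)
        elif circuit.isdigit():                  # single VLAN ID
            f["vlan"] = int(circuit)
        else:                                    # stacked VLAN: format cut off on the page
            f["vlans"] = circuit
    return f


def decode_l2_circuit_id(value):
    """Page 543: a VLAN is 2 bytes, VLAN ID in the 12 low-order bits, top 4 bits zero."""
    if len(value) == 2:
        (raw,) = struct.unpack("!H", value)
        return {"vlan": raw & 0x0FFF, "reserved_bits_zero": raw >> 12 == 0}
    return {"raw": value.hex()}                  # longer encodings are cut off on the page


def tlvs(data):
    """Yield (code, value) from a code/length/value list; refuse a truncated TLV."""
    i = 0
    while i + 2 <= len(data):
        code, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV at offset %d" % i)
        yield code, value
        i += 2 + length


def parse_vendor_specific(data):
    """RFC 4243 layout: repeated (enterprise number, data length, TLVs) groups."""
    groups, pos = [], 0
    while pos + 5 <= len(data):
        enterprise, dlen = struct.unpack_from("!IB", data, pos)
        pos += 5
        body = data[pos:pos + dlen]
        if len(body) != dlen:
            raise ValueError("truncated vendor-specific data")
        pos += dlen
        g = {"enterprise": enterprise}
        for code, value in tlvs(body):
            if enterprise == JUNOSE_ENTERPRISE and code == L2_CIRCUIT_ID:
                g["l2_circuit_id"] = decode_l2_circuit_id(value)
            else:
                g["type_%d" % code] = value.hex()
        groups.append(g)
    return groups


def parse_option82(payload):
    """Decode the option 82 payload (the bytes after the option code and length)."""
    out = {}
    for code, value in tlvs(payload):
        if code == 1:
            out["circuit_id"] = parse_circuit_id(value.decode("ascii", "replace"))
        elif code == 2:
            out["remote_id"] = value.decode("ascii", "replace")
        elif code == 9:
            out["vendor_specific"] = parse_vendor_specific(value)
        else:
            out["suboption_%d" % code] = value.hex()
    return out


def sample_option82():
    """Constructed payload: made-up sub-options 1 and 2, then the page 544 sub-option 9."""
    cid = b"bostonHost:fastEthernet 1/2.3:4"
    rid = b"subscriber-0042"
    vendor = bytes.fromhex("0000130a" "09" "0104007bb26e" "020105")   # 14 bytes
    return (bytes([1, len(cid)]) + cid + bytes([2, len(rid)]) + rid
            + bytes([9, len(vendor)]) + vendor)
```

The length arithmetic is the check worth keeping: 4 bytes of enterprise number plus 1 byte of data length plus 9 bytes of data is exactly the 14-byte sub-option the dump reports, and 9 bytes of data is a 6-byte layer 2 circuit ID TLV plus one more 3-byte TLV, which is why the example carries a second TLV at all.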
  • Page 545: Using the set dhcp relay agent sub-option Command to Enable Option 82 Suboption Support
    4/1.2:0.101
    Ethernet interface: [<hostname>|<vrname>:]<interface type> <slot>/<port>
      Examples: fastEthernet 1/2, relayVr:fastEthernet 1/2, bostonHost:fastEthernet 1/2
    Ethernet interface with VLAN: [<hostname>|<vrname>:]<interface type> <slot>/<port>[.<sub-if>]:<vlan id>
      Examples: fastEthernet 1/2.3:4, relayVr:fastEthernet 1/2:4, bostonHost:fastEthernet 1/2.3:4
    Ethernet interface with Stacked VLAN
  • Page 546
    2 policy application. The layer 2 policy application can be used to map the DHCP packet or message IEEE 802.1p value to the user packet class field. See the JunosE Policy Management Configuration Guide for information about layer 2 policies.
  • Page 547: Configuration Example: Using DHCP Relay Option 82 to Pass IEEE 802.1p Values to DHCP Servers
    Configure a layer 2 policy that maps 802.1p values to user packet class values for a VLAN interface.
    host1(config)#vlan classifier-list dot1p0 user-priority 0
    host1(config)#vlan classifier-list dot1p1 user-priority 1
    host1(config)#vlan classifier-list dot1p2 user-priority 2
    host1(config)#vlan classifier-list dot1p3 user-priority 3
    host1(config)#vlan classifier-list dot1p4 user-priority 4
  • Page 548
    3
    Classifier control list: dot1p4, precedence 100 user-packet-class 4
    Classifier control list: dot1p5, precedence 100 user-packet-class 5
    Classifier control list: dot1p6, precedence 100 user-packet-class 6
    Classifier control list: dot1p7, precedence 100 user-packet-class 7
  • Page 549
    Preserve Option From Trusted Clients: off
    Circuit-ID Sub-option (1): on
      select - hostname
      select - exclude-subinterface-id
    Remote-ID Sub-option (2): on
    Vendor-Specific Sub-option (9): on
      select - layer2-circuit-id
      select - user-packet-class
    DHCP Server Addresses
    ---------------------
    192.168.32.1
    192.168.32.2
  • Page 550: Using the set dhcp relay agent Command to Enable Option 82 Suboption Support
    ATM interface: [<hostname>|<vrname>:]<interface type> <slot>/<port>[.<sub-if>]:<vpi>.<vci>
      Examples: atm 4/1.2:0.101, relayVr:atm 4/1:0.101, bostonHost:atm 4/1.2:0.101
    Ethernet interface: [<hostname>|<vrname>:]<interface type> <slot>/<port>
      Examples: fastEthernet 1/2, relayVr:fastEthernet 1/2, bostonHost:fastEthernet 1/2
    Ethernet interface with VLAN: [<hostname>|<vrname>:]<interface type> <slot>/<port>[.<sub-if>]:<vlan id>
      Examples: fastEthernet 1/2.3:4
  • Page 551
    The remote-id-only keyword disables support for the Agent Circuit ID suboption. If you do not explicitly specify the circuit-id-only or remote-id-only keyword, both suboptions are used.
    Related Documentation: radius remote-circuit-id-format, set dhcp relay, set dhcp relay agent
  • Page 552: Rate of DHCP Client Packets Processed by DHCP Relay Overview
    When the uplink line module cannot handle heavy loads, packets are discarded before they reach the IC. You can set the maximum rate of client packets based on the uplink load capacity.
  • Page 553: Configuring the Rate of Client Packets Processed by DHCP Relay
    Use the First Offer from a DHCP Server. You can configure the DHCP relay proxy to use the first offer it receives from any configured DHCP server and send that offer to the DHCP client. By default, DHCP relay proxy sends
  • Page 554: Set a Timeout for DHCP Client Renewal Messages
    A major benefit of the relay proxy configuration is that the E Series router is kept informed of the status of a DHCP client's address. When addresses are released by clients, the router removes the installed host route for that client. In the DHCP relay configuration,
  • Page 555: Selecting the DHCP Server Response
    "Configuring Layer 2 Unicast Transmission Method for Reply Packets to DHCP Clients" on page 498.
    Related Documentation: Managing Host Routes on page 516, set dhcp relay proxy, set dhcp relay proxy send-first-offer, set dhcp relay proxy timeout
  • Page 557: Configuring the DHCP External Server Application
    You can configure the E Series router to provide support for an external DHCP server. This enables the router, which is not running DHCP relay or DHCP proxy server, to monitor DHCP packets and to keep information for subscribers based on their IP address and
  • Page 558: Figure 14: DHCP External Server
    The E Series router views the subscriber as active once the subscriber sends a packet. The router then performs the following actions: processes the subscriber's IP address by using a route map; extracts the dynamic subscriber interface profile (optional)
  • Page 559: Overview
    By default, the DHCP external server preserves the client's existing dynamic subscriber interface in this situation. To configure the DHCP external server to delete and re-create the client's dynamic subscriber interface
  • Page 560: Overview
    MAC address and the giaddr to uniquely identify the clients connected to the router. This setting for DHCP external server is also referred to as duplicate MAC mode.
  • Page 561: Configuration Guidelines for Using Duplicate MAC Mode
    MAC address and giaddr to uniquely identify DHCP clients, otherwise known as duplicate MAC mode: You can issue the dhcp-external duplicate-mac-address command at any time to enable duplicate MAC mode. However, you cannot issue the no dhcp-external
  • Page 562: DHCP External Server Configuration Requirements
    Monitoring DHCP Traffic Between Remote Clients and DHCP Servers. You can configure the router to monitor DHCP packets between remote clients and specified DHCP servers. You can specify up to four DHCP servers.
  • Page 563: Synchronizing the DHCP External Application and the Router
    IP address as the next hop. This operation results in the subscriber-destined traffic being incorrectly sent to the Ethernet DSLAM, which cannot process the traffic. To avoid dropping the traffic in this situation, use the ip set dhcp-external disregard-giaddr-next-hop command to configure the DHCP external server application
  • Page 564: Configuring the DHCP External Server to Support the Creation of Dynamic Subscriber Interfaces
    (suboption 1) that is contained in the DHCP option 82 field. For information about configuring agent-circuit-id–based dynamic VLAN subinterfaces, see the Configuring Dynamic Interfaces Using Bulk Configuration chapter in the JunosE Link Layer Configuration Guide.
    Related Documentation: ip dhcp-external auto-configure
  • Page 565: Configuring DHCP External Server to Control Preservation of Dynamic Subscriber Interfaces
    DHCP external server, see DHCP External Server in the Known Behavior section of the JunosE Release Notes.
    Related Documentation: Preservation of Dynamic Subscriber Interfaces with DHCP External Server Overview on page 521
  • Page 566: Configuring Dynamic Subscriber Interfaces for Interoperation with DHCP Relay and DHCP Relay Proxy
    (ACK) response to the renewal request has a route back to the DHCP client that generated the renewal request:
  • Page 567: Deleting Clients from a Virtual Router's DHCP Binding Table
    To delete clients from a virtual router's DHCP binding table, issue the dhcp-external delete-binding command in Privileged Exec mode.
    To delete all clients:
    host1#dhcp-external delete-binding all
    To delete a specific client:
    host1#dhcp-external delete-binding binding-id 3972819365
    Related Documentation: dhcp delete-binding, dhcp-external delete-binding
  • Page 568: Configuring DHCP External Server to Uniquely Identify Clients with Duplicate MAC Addresses
    DHCP external server application on the router, and is not issued on a per-VR basis.
    Related Documentation: DHCP External Server Identification of Clients with Duplicate MAC Addresses Overview on page 522, dhcp-external duplicate-mac-address
  • Page 569: Configuring DHCP External Server to Re-Authenticate Auto-Detected Dynamic Subscriber Interfaces
    Issue the ip re-authenticate-auto-detect ip-subscriber command from Interface Configuration or Profile Configuration mode:
    host1:vr1(config)#ip re-authenticate-auto-detect ip-subscriber
    Related Documentation: Preservation of Dynamic Subscriber Interfaces with DHCP External Server Overview on page 521, ip dhcp-external recreate-subscriber-interface
  • Page 571: Monitoring And Troubleshooting Dhcp

    Monitoring DHCP Server and DHCP Relay Agent Statistics on page 565 Monitoring DHCP Server and Proxy Client Information on page 566 Monitoring DHCPv6 Local Server Binding Information on page 567 Monitoring DHCPv6 Local Server DNS Search Lists on page 567 Copyright © 2010, Juniper Networks, Inc.
  • Page 572: Setting Baselines For Dhcp Statistics

    There is no no version. Setting a Baseline for DHCP External Server Statistics To set a baseline for DHCP external server statistics. Issue the baseline ip dhcp-external command: host1#baseline ip dhcp-external Copyright © 2010, Juniper Networks, Inc.
  • Page 573: Setting A Baseline For Dhcp Local Server Statistics

    Table 103: show ip dhcp-local excluded Output Fields Field Name Field Description Pool Name of the pool that contains the excluded address Low Address Excluded address or first address in a range of addresses Copyright © 2010, Juniper Networks, Inc.
  • Page 574: Monitoring Dhcp Bindings

    NOTE: The show dhcp binding command replaces the show ip dhcp-external binding, show ip dhcp-external binding-id, and show ip dhcp-local binding commands, which are deprecated and might be removed completely in a future release. Action To display information about all DHCP local server bindings: Copyright © 2010, Juniper Networks, Inc.
  • Page 575 ID. To display binding information for DHCP clients that match the specified circuit ID string: host1:vr3#show dhcp binding circuit-id \\xe3 BindingId HwAddress Type IpSubnet IpAddress State ---------- -------------- ------- -------- --------- ----- Copyright © 2010, Juniper Networks, Inc.
  • Page 576: Table 104: Show Dhcp Binding Output Fields

    Table 104: show dhcp binding Output Fields Field Name Field Description BindingId Client binding ID HwAddress MAC address of client Type Binding type; external (DHCP external server), local (DHCP local server), or relay-p (DHCP relay proxy) Copyright © 2010, Juniper Networks, Inc.
  • Page 577: Monitoring Dhcp Binding Count Information

    Monitoring DHCP Binding Count Information Purpose Display count information for DHCP client bindings and interfaces. Action To display count information for all DHCP client bindings and interfaces: host1:vr1#show dhcp count Assigned Bound Type IpSubnet Interfaces Clients Clients Clients Copyright © 2010, Juniper Networks, Inc.
  • Page 578 DHCP external server application. DHCP external server does not store information about the agent-circuit-id suboption or agent-remote-id suboption of option 82. Meaning Table 105 on page 541 lists the show dhcp count command output fields. Copyright © 2010, Juniper Networks, Inc.
  • Page 579: Monitoring Dhcp Binding Host Information

    ID. To display binding information for DHCP clients with a specified interface string: host1:vr2#show dhcp host interface ip71.*4 BindingId HwAddress Type IpSubnet IpAddress State Copyright © 2010, Juniper Networks, Inc.
  • Page 580 Filtering the display of DHCP client bindings by the circuit ID string or remote ID string is not supported for the DHCP external server application. DHCP external server does not store information about the agent-circuit-id suboption or agent-remote-id suboption of option 82. Copyright © 2010, Juniper Networks, Inc.
  • Page 581: Monitoring Dhcp Bindings

    Monitoring DHCP Binding Information on page 536 Monitoring DHCP Bindings (Displaying IP Address-to-MAC Address Bindings) Purpose Display the mapping between the assigned IP address and the MAC address of the subscriber’s computer. Copyright © 2010, Juniper Networks, Inc.
  • Page 582: Monitoring Dhcp Bindings (Displaying Dhcp Bindings Based On Binding Id)

    Display binding information for all DHCP clients. NOTE: This command is deprecated and might be removed completely in a future release. The function provided by this command has been replaced by the show dhcp binding command. Copyright © 2010, Juniper Networks, Inc.
  • Page 583: Monitoring Dhcp Bindings (Local Server Binding Information)

    192.168.1.3 Dhcp Local Bindings ------------------- Address Hardware Lease Interface State ----------- ----------------- ----- ---------------- ------- 192.168.1.3 11-11-22-22-33-33 (600) fastEthernet 5/0 expired To display DHCP local server binding information for a specific interface: Copyright © 2010, Juniper Networks, Inc.
  • Page 584: Monitoring Dhcp External Server Configuration Information

    Server-Sync : Enabled Disregard-Giaddr-Next-Hop : Enabled Detect-Agent-Circuit-Id : Disabled Recreate-Subscriber-Interface : Enabled Duplicate-MAC-Address : Enabled Servers: ----------- 10.1.1.1 10.2.1.1 10.3.1.1 Meaning Table 110 on page 547 lists the show ip dhcp-external configuration command output fields. Copyright © 2010, Juniper Networks, Inc.
  • Page 585: Monitoring Dhcp External Server Statistics

    Table 111 on page 547 lists the show ip dhcp-external statistics command output fields. Table 111: show ip dhcp-external statistics Output Fields Field Name Field Description memUsage Memory in bytes used by DHCP server bindings Number of IP addresses currently assigned Copyright © 2010, Juniper Networks, Inc.
  • Page 586: Monitoring Dhcp External Server Duplicate Mac Address Setting

    Enabled—DHCP external server uses a combination of the MAC address and giaddr to uniquely identify DHCP clients. Disabled—(Default) DHCP external server uses only the MAC address to uniquely identify DHCP clients. Related show dhcp-external Documentation Copyright © 2010, Juniper Networks, Inc.
  • Page 587: Monitoring Dhcp Local Address Pools

    High Utilization Thresh: Abated Utilization Thresh: 75% Current Utilization: Trap Enabled: ====== Pools ====== pool8_7-1 pool8_7-2 pool8_7-3 pool8_7-4 pool8_7-5 Meaning Table 113 on page 550 lists the show ip dhcp-local pool command output fields. Copyright © 2010, Juniper Networks, Inc.
  • Page 588: Table 113: Show Ip Dhcp-Local Pool Output Fields

    Percentage of local address pool currently used Utilization trap Status of the utilization trap, which is generated when the high utilization threshold is reached; enabled or disabled Shared pool allocations Number of addresses allocated to shared pools Copyright © 2010, Juniper Networks, Inc.
  • Page 589: Monitoring Dhcp Local Server Authentication Information

    DHCP Local Server Authentication Statistics ---------------------------------------- Item Count ----------------------- ---------- auth requests auth request failures auth grants auth denies Meaning Table 114 on page 552 lists the show ip dhcp-local auth command output fields. Copyright © 2010, Juniper Networks, Inc.
  • Page 590: Monitoring Dhcp Local Server Configuration

    ***************************************** DHCP Local Server Configuration Mode: Standalone SNMP Traps Enabled - no Unique Client IDs - enabled Meaning Table 115 on page 553 lists the show ip dhcp-local command output fields. Copyright © 2010, Juniper Networks, Inc.
  • Page 591: Monitoring Dhcp Local Server Leases

    THU JUL 06 2006 10:07:22 UTC 192.168.55.5 THU JUL 06 2006 08:04:11 UTC infinite Address Initial Lease Start ------------ ---------------------------- 10.1.0.2 THU JUL 06 2006 08:01:12 UTC 10.1.0.3 THU JUL 06 2006 08:01:12 UTC Copyright © 2010, Juniper Networks, Inc.
  • Page 592: Monitoring Dhcp Local Server Statistics

    To display all DHCP local server statistics: host1#show ip dhcp-local statistics DHCP Local Server Statistics ---------------------------- Item Count ----------------------- ----- memUsage bindings --Receive Statistics-- discover request(accept) request(renew) request(rebind) request(other) decline release inform total in packet in error Copyright © 2010, Juniper Networks, Inc.
  • Page 593: Table 117: Show Ip Dhcp-Local Statistics Output Fields

    Number of bytes of memory used by the DHCP local server bindings Number of leased IP addresses currently assigned Receive Statistics Statistics for packets that have been received discover Number of DHCP discover messages received Copyright © 2010, Juniper Networks, Inc.
  • Page 594 Number of DHCP NAK messages sent in response renewal requests nak(rebind) Number of DHCP NAK messages sent in response to rebinding requests total out packet Number of packets sent by the DHCP local server Copyright © 2010, Juniper Networks, Inc.
  • Page 595: Monitoring Dhcp Option 60 Information

    - all DHCP client packets not matching a configured vendor-string implied - the DHCP application is configured but has not been enabled with the vendor-option command drop - the DHCP application responsible for the action has not been Copyright © 2010, Juniper Networks, Inc.
  • Page 596: Monitoring Dhcp Packet Capture Settings

    Table 119 on page 558 lists the show ip dhcp-capture command output fields. Table 119: show ip dhcp-capture Output Fields Field Name Field Description Router Router name Interface Interface whose DHCP packets are logged Copyright © 2010, Juniper Networks, Inc.
  • Page 597: Monitoring Dhcp Relay Configuration Information

    Table 120 on page 559 lists the show dhcp relay command output fields. Table 120: show dhcp relay Output Fields Field Name Field Description Mode DHCP relay mode; either Standard (DHCP relay mode) or Proxy (DHCP relay proxy mode) Copyright © 2010, Juniper Networks, Inc.
  • Page 598: Monitoring Dhcp Relay Proxy Statistics

    Monitoring DHCP Relay Proxy Statistics Purpose Display statistics for the DHCP relay proxy. NOTE: The show dhcp relay statistics command displays additional DHCP statistics that the router reports for both DHCP relay and DHCP relay proxy. Copyright © 2010, Juniper Networks, Inc.
  • Page 599: Table 121: Show Dhcp Relay Proxy Statistics Output Fields

    Total number of packets received from clients Server Packets Total number of packets received from servers Timed Out Number of clients removed because of lease expiration No Offers Number of clients removed because no server sent an offer Copyright © 2010, Juniper Networks, Inc.
  • Page 600: Monitoring Dhcp Relay Statistics

    Relay Agent Option already present dropped giaddr spoof packets DHCP server statistics (standard mode only): dropped duplicate request packets packets transmitted to servers packets received from servers dropped unknown xid reply packets dropped stale request packets Copyright © 2010, Juniper Networks, Inc.
  • Page 601: Table 122: Show Dhcp Relay Statistics Output Fields

    Packet Pacing Algorithm (standard & proxy modes) Speed up pacer Number of times the DHCP relay increased the rate of client packets processed Slow down pacer Number of times the DHCP relay decreased the rate of client packets processed Copyright © 2010, Juniper Networks, Inc.
  • Page 602 DHCP servers that were discarded because their server address and XID do not match an outstanding DHCP server request dropped stale request packets Number of DHCP relay requests sent to DHCP servers that were discarded because their replies timed out Copyright © 2010, Juniper Networks, Inc.
  • Page 603: Monitoring Dhcp Server And Dhcp Relay Agent Statistics

    Number of IP addresses rejected because they were already in use addresses released Number of IP addresses released back to the server Informs sent Number of inform messages sent to the server Copyright © 2010, Juniper Networks, Inc.
  • Page 604: Monitoring Dhcp Server And Proxy Client Information

    Address IP address of a DHCP server Leases Number of IP address leases granted by the server Offers Number of offers sent by the server Requests Number of requests sent to the server Copyright © 2010, Juniper Networks, Inc.
  • Page 605: Monitoring Dhcpv6 Local Server Binding Information

    Router’s interface that is associated with the subscriber’s computer Related show ipv6 dhcpv6-local binding Documentation Monitoring DHCPv6 Local Server DNS Search Lists Purpose Display the DHCPv6 local servers DNS search list. Action To display the DNS search list for DHCPv6 local servers: Copyright © 2010, Juniper Networks, Inc.
  • Page 606: Monitoring Dhcpv6 Local Server Dns Servers

    To display the DHCPv6 default prefix lifetime: host1#show ipv6 dhcpv6-local prefix-lifetime default prefix lifetime is 1 day, 12 hours, 30 minutes Meaning Table 128 on page 569 lists the show ipv6 dhcpv6-local prefix-lifetime command output fields. Copyright © 2010, Juniper Networks, Inc.
  • Page 607: Monitoring Dhcpv6 Local Server Statistics

    Number of leased IPv6 prefixes currently assigned solicit rx Number of DHCPv6 solicit messages received request(accept) rx Number of DHCPv6 request messages received request(renew) rx Number of DHCPv6 requests for renewal received decline rx Number of DHCPv6 decline messages received Copyright © 2010, Juniper Networks, Inc.
  • Page 608: Monitoring Duplicate MAC Addresses Use by DHCP Local Server Clients

    Table 130 on page 570 lists the show ip dhcp-local duplicate-clients command output fields. Table 130: show ip dhcp-local duplicate-clients Output Fields (Field Name / Field Description): Duplicate MAC address; Interface: Interfaces used by the duplicate MAC address
  • Page 609: Monitoring the Maximum Number of Available Leases

    Denied Denied --------- ----- ----- ------ ------ fastEthernet0/0 atm 3/1 atm 4/2 5000 atm 5/1 5000 pos 2/1 1000 Meaning: Table 131 on page 572 lists the show ip dhcp-local limits command output fields.
  • Page 610: Server

    Dhcp Reserved Addresses (Pool / Address / Hardware): cablemodem 10.44.44.100 12-34-12-34-12-34-00-00-00-00-00-00-00-00-00-00; cablemodem 10.44.44.101 22-33-22-33-22-33-00-00-00-00-00-00-00-00-00-00. Meaning: Table 132 on page 573 lists the show ip dhcp-local reserved command output fields.
  • Page 611: Monitoring Status of DHCP Applications

    Table 133 on page 573 lists the show dhcp summary command output fields. Table 133: show dhcp summary Output Fields (Field Name / Field Description): configured: Applications that are currently configured; active or inactive: Current status of the application. Related Documentation: show dhcp summary
  • Page 613: Managing the Subscriber Environment

    PART 5 Managing the Subscriber Environment: Configuring Subscriber Management on page 577; Monitoring Subscriber Management on page 591; Configuring Subscriber Interfaces on page 595; Monitoring Subscriber Interfaces on page 627
  • Page 615: Configuring Subscriber Management

    Multiple subscribers using the same primary interface; User authentication and accounting; Differentiated services for individual subscribers. A subscriber management environment can include the following components: Local Dynamic Host Configuration Protocol (DHCP) server; External DHCP server
  • Page 616: Subscriber Management Platform Considerations

    Dynamic IP Subscriber Interfaces You can set up your subscriber management environment to create dynamic IP subscriber interfaces in two situations—when a DHCP event occurs or when a packet is detected.
  • Page 617: Subscriber Management Procedure

    Figure 15: DHCP External Server. In Figure 15 on page 579, the subscriber requests an address from the DHCP server. The E Series router DHCP external server application monitors all DHCP communications
  • Page 618: Configuring Subscriber Management with an External DHCP Server

    Figure 15 on page 579, use the following procedure on E Series routers: Enable the DHCP external server application. host1(config)#service dhcp-external Specify each DHCP server for which to monitor traffic. You can specify a maximum of four DHCP servers.
  • Page 619: Subscriber Management Commands

    Use to clear all dynamically created demultiplexer table entries associated with the route-map processing of the set ip source-prefix command. deny—Drop addresses that appear in the source address range; primary—Associate the source prefix with the primary IP interface. Example host1(config-if)#clear ip demux
  • Page 620 Use the no version to disable inclusion of the suboption in the username. See include dhcp-option 82. include hostname: Use to include the router hostname in the username that is dynamically created by JunosE subscriber management. Example host1(config-service-profile)#include hostname
  • Page 621 Use the exclude-primary keyword to specify that the primary interface cannot be used for subscribers. The primary interface is not assigned to a subscriber by default. You can issue this command from Interface Configuration mode, Subinterface Configuration mode, or Profile Configuration mode. Example
  • Page 622 IP polls the dynamic interface at the configured interval to determine whether the interface was active during the interval. Inactive interfaces are deleted only when the period of inactivity is equal to or greater than the configured value.
  • Page 623 Service profiles contain user and password information, and are used in route maps for subscriber management and to authenticate subscribers with RADIUS. You can specify a service profile name with up to 32 ASCII characters.
  • Page 624 Example host1(config-if)#ip use-framed-routes ip-subscriber Use the no version to disable the use of framed routes when creating dynamic subscriber interfaces associated with this primary IP interface. See ip use-framed-routes ip-subscriber password
  • Page 625 Use to specify the username for an IP service profile. The username is used as the dynamically created username by JunosE subscriber management. You can specify a username with up to 32 ASCII characters.
  • Page 626: Subscriber Management Configuration Examples

    An IP policy that restricts access. host1(config)#ip policy-list restrictAccess host1(config-policy-list)#classifier-group * host1(config-policy-list-classifier-group)#filter host1(config-policy-list-classifier-group)#exit host1(config-policy-list)#exit host1(config)# An interface profile that references the restrictAccess policy. host1(config)#profile atlInterfaceProfile host1(config-profile)#ip policy input restrictAccess host1(config-profile)#ip policy output restrictAccess
  • Page 627: Username with ATM Circuit Identifier and No Circuit Type

    This example shows the steps to configure a service profile for a username that includes a VLAN circuit identifier and the circuit type. host1(config)#ip service-profile atlServiceProfile host1(config-service-profile)#user-prefix xyzcorp.atl host1(config-service-profile)#domain eastcoast host1(config-service-profile)#include hostname host1(config-service-profile)#include circuit-identifier vlan prepend-circuit-type host1(config-service-profile)#exit The example generates the following username:
  • Page 628: Username with MAC Address

    It does not work for IP subscribers that have statically configured IP addresses. host1(config)#ip service-profile atlServiceProfile host1(config-service-profile)#user-prefix xyzcorp.atl host1(config-service-profile)#domain eastcoast host1(config-service-profile)#include hostname host1(config-service-profile)#include circuit-identifier vlan host1(config-service-profile)#include mac-address host1(config-service-profile)#include dhcp-option 82 agent-circuit-id host1(config-service-profile)#exit host1(config)# The example generates the following username, which includes the MAC address:
  • Page 629: Monitoring Subscriber Management

    Table 134 on page 591 lists the show ip service-profile command output fields. Table 134: show ip service-profile Output Fields (Field Name / Field Description): ip service-profile: Name of profile; user-name: Username used to retrieve information from RADIUS for subscriber interfaces
  • Page 630: Monitoring Active IP Subscribers Created by Subscriber Management

    Login time ---------- ------------------------ 2835349506 WED AUG 23 20:46:24 2006 host1# show ip-subscriber detail Subscriber List --------------- Virtual User Name Ip Address Router Interface ---------- -------------- ----------- ------- ------------- 2835349506 user1@isp1.com 192.168.0.1 default ip192.168.0.1 Profile
  • Page 631: Table 135: show ip-subscriber Output Fields

    AAA Option 82: DHCP relay agent information (option 82) circuit identifier that describes the physical interface location associated with the subscriber. Related Documentation: show ip-subscriber
  • Page 633: Configuring Subscriber Interfaces

    10-Gigabit Ethernet (with and without VLANs); IP over ATM; Generic Routing Encapsulation (GRE) tunnels. Dynamic subscriber interfaces: Bridged Ethernet over ATM (with and without VLANs); Fast Ethernet (with and without VLANs); Gigabit Ethernet (with and without VLANs)
  • Page 634: Dynamic Interfaces and Dynamic Subscriber Interfaces

    DSIs when there are no PPPoE, PPPoA, or PPPoEoA sessions to provide separation between layers and when subscriber management is required. For example, on an Ethernet VLAN, multiple subscribers can enter the network from a Wi-Fi hotspot, as shown in Figure 17 on page 597:
  • Page 635: Relationship to Shared IP Interfaces

    A subscriber interface operates only with a primary IP interface—a normal IP interface on a supported layer 2 interface, such as Ethernet. You create a primary interface by assigning an IP address to the Ethernet interface. Although you can configure a subscriber
  • Page 636: Ethernet Interfaces and VLANs

    VLANs. Using subscriber interfaces, the router can demultiplex or separate the traffic associated with different subscribers. You can configure subscriber interfaces with VLANs. If you do so, the E Series router demultiplexes packets by using first the VLAN and then the subscriber interface.
  • Page 637: Moving Interfaces

    Internet Protocol (VoIP) service on network 10.11.0.0/16, or a local gaming service on network 10.12.0.0/16. Rate limits and policies on the subscriber interface customize the service level for the associated service.
  • Page 638: Differentiating Traffic for VPNs

    (one on virtual router B and one on virtual router A), the E Series router can separate the traffic from subnets A and B. Because the E Series router is forwarding traffic in this application, the shared IP interface should demultiplex the traffic by using a source address.
  • Page 639: Subscriber Interfaces Platform Considerations

    See E120 and E320 Module Guide, Table 1, Modules and IOAs for detailed module specifications. See E120 and E320 Module Guide, Appendix A, IOA Protocol Support for information about the modules that support subscriber interfaces.
  • Page 640: Interface Specifiers

    DHCP Servers The DHCP event that triggers dynamic creation of subscriber interfaces occurs when either a local DHCP server or external DHCP server assigns an IP address to a subscriber
  • Page 641: DHCP Local Server and Address Allocation

    IP address and immediately allocates the subscriber an IP address from one of the local address pools. In equal-access mode, the DHCP local server works with Juniper Networks Session and Resource Control (SRC) software and the authorization, accounting, and address assignment utility to provide an advanced subscriber configuration and management service.
  • Page 642: Packet Detection

    You can configure the period of time by issuing the ip inactivity-timer command. To configure dynamic creation of subscriber interfaces on GRE tunnel interfaces, see “Configuring Dynamic Subscriber Interfaces” on page 613.
  • Page 643: Designating Traffic for the Primary IP Interface

    IP interface, an entry for the MAC source address is installed in the MAC validation table when MAC address validation is enabled (either loose or strict) on the static primary IP interface. For each packet received on this interface,
  • Page 644: Configuration of MAC Address Validation State Inheritance

    Verification of MAC Address Validation State Inheritance To verify inheritance of the MAC address validation state on a dynamic subscriber interface, you can use the show ip mac-validate interface command and the show arp command.
  • Page 645: Configuring Static Subscriber Interfaces

    In this application, a local VoIP service is on network 10.11.0.0/16, and a local gaming service is on network 10.12.0.0/16.
  • Page 646: Figure 22: Subscriber Interfaces Using a Destination Address to Demultiplex

    Configure the primary interface to use a destination address to demultiplex traffic. (By default, a source address is used to demultiplex traffic.) host1(config-if)#ip demux-type da-prefix d. Exit Interface Configuration mode. host1(config-if)#exit Configure subscriber interface IP1. a. Create the shared IP interface.
  • Page 647: Using a Source Address to Demultiplex Traffic

    10.12.0.0 255.255.0.0 Using a Source Address to Demultiplex Traffic Figure 23 on page 610 shows how you can use static subscriber interfaces to differentiate traffic for VPN access, based on the traffic’s source address.
  • Page 648: Figure 23: Subscriber Interfaces Using a Source Address to Demultiplex

    Create a primary IP interface. host1(config-if)#ip address 10.1.1.1 255.255.255.0 c. Exit Interface Configuration mode. host1(config-if)#exit Configure subscriber interface IP1. a. Create the shared IP interface. host1(config)#virtual-router vra Proceed with new virtual-router creation? [confirm] yes host1:vra(config)#interface ip ip1
  • Page 649 Use the specified name to refer to the shared IP interface; you cannot use the layer 2 interface to refer to the shared IP interface, because the shared interface can be moved. Example host1(config)#interface ip si0
  • Page 650 The shared interface is operationally up when the layer 2 interface is operationally up and IP is properly configured. You can create operational shared IP interfaces in the absence of a primary IP interface. Example host1(config-if)#ip share-interface atm 5/3.101
  • Page 651: Configuring Dynamic Subscriber Interfaces

    Use the no version to remove the association between the interface and the specified IP source address and mask. See ip source-prefix. Configuring Dynamic Subscriber Interfaces You can configure dynamic subscriber interfaces in the following configurations:
  • Page 652: Configuring Dynamic Subscriber Interfaces over Ethernet

    Figure 24: IP over Ethernet Dynamic Subscriber Interface Configuration. Configuring Dynamic Subscriber Interfaces over VLANs To configure a dynamic subscriber interface in an IP over VLAN over Ethernet configuration by using DHCP events, perform the following steps:
  • Page 653: Figure 25: IP over VLAN over Ethernet Dynamic Subscriber Interface

    (Optional) Specify the source address of traffic that is destined for the primary IP interface. host1(config-if)#ip source-prefix 192.168.2.10 255.255.255.0 Figure 25 on page 615 shows the interface stack built for this configuration. Figure 25: IP over VLAN over Ethernet Dynamic Subscriber Interface Configuration
  • Page 654: Configuring Dynamic Subscriber Interfaces over Bridged Ethernet

    (Optional) Specify the source address of traffic that is destined for the primary IP interface. host1(config-subif)#ip source-prefix 192.168.2.20 255.255.255.0 Figure 26 on page 617 shows the interface stack built for this configuration.
  • Page 655: Configuring Dynamic Subscriber Interfaces over GRE Tunnels

    100 (Optional) Specify the source address of traffic that is destined for the primary IP interface. host1(config-subif)#ip source-prefix 192.168.2.1 255.255.255.0 Figure 27 on page 618 shows the interface stack built for this configuration.
  • Page 656: Dynamic Subscriber Interface Configuration Example

    10.20.0.0 255.255.192.0 Specify the router to forward traffic from the IP addresses to destinations on other subnets. host1(config-dhcp-local)#default-router 10.20.32.1 Exit DHCP Local Pool Configuration mode. host1(config-dhcp-local)#exit Configure a loopback interface. host1(config)#interface loopback 0
  • Page 657 Use to specify the IP address of the router for the subscriber’s computer to use for traffic destined for locations beyond the local subnet. Specify the IP address of a primary server, and optionally, specify the IP address of a secondary server. Example
  • Page 658 Use the no version to remove the ATM interface or subinterface. See interface atm. interface fastEthernet: Use to select a Fast Ethernet (FE) interface on a line module or an SRP module. Example host1(config)#interface fastEthernet 1/0
  • Page 659 IP address and mask as 1.1.1.1/16, the 1.1.0.0/16 route entry is entered on the line module and all traffic destined to the 1.1.0.0/16 subnet is forwarded to the SRP module by the line module. Although the
  • Page 660 Use the exclude-primary keyword to specify that the primary interface is not used for subscribers. The primary interface is not assigned to a subscriber by default. You can issue this command from Interface Configuration mode, Subinterface Configuration mode, or Profile Configuration mode. Example
  • Page 661 A timer value of 0 specifies that dynamically created subscriber interfaces are never deleted by the inactivity timer. Example host1(config-if)#ip inactivity-timer 100 Use the no version to restore the default, in which the inactivity timer feature is disabled. See ip inactivity-timer. ip source-prefix
  • Page 662 Use the no version to disable the use of framed routes when creating dynamic subscriber interfaces associated with this primary IP interface. See ip use-framed-routes ip-subscriber. network: Use to specify the IP addresses that the DHCP local server can provide from an address pool. Example host1(config-dhcp-local)#network 10.10.1.0 255.255.255.0
  • Page 663 Specify a VLAN ID number that is in the range 0–4095 and is unique within the Ethernet interface. Issue the vlan id command before you configure any upper-layer interfaces, such as Example host1(config-if)#vlan id 400 There is no no version. See vlan id
  • Page 665: Monitoring Subscriber Interfaces

    Table 136 on page 627 lists the show ip demux interface command output fields. Table 136: show ip demux interface Output Fields (Field Name / Field Description): Prefix/Length: Source or destination addresses that the subscriber interface demultiplexes; SA/DA: Demultiplexing method for subscriber interface
  • Page 666: Monitoring Active IP Subscribers Created by Subscriber Management

    WED AUG 23 20:46:24 2006 3000.0001.9365 13631489 Interface Service Profile Profile Option 82 ---------- --------- --------- ---------------- 2835349506 myProfile profile22 FastEthernet 3/1 Meaning: Table 137 on page 629 lists the show ip-subscriber command output fields.
  • Page 667: Table 137: show ip-subscriber Output Fields

    IP service profile name used by subscriber management to authorize and configure the subscriber interface with AAA; Option 82: DHCP relay agent information (option 82) circuit identifier that describes the physical interface location associated with the subscriber. Related Documentation: show ip-subscriber
  • Page 669: Managing Subscriber Services

    PART 6 Managing Subscriber Services: Configuring Service Manager on page 633; Monitoring Service Manager on page 697
  • Page 671: Configuring Service Manager

    Service Manager supports two client types—RADIUS and CLI. Service Manager starts when it receives a request from a RADIUS or CLI client. For RADIUS clients, RADIUS Access-Accept messages and Change-of-Authorization-Request (CoA-Request)
  • Page 672: Service Manager Terms and Acronyms

    A macro file that defines a named parameterized description of a service; used to create a service instance and the resulting subscriber service session; can include a combination of parameters such as policy lists, rate-limit profiles, QoS profiles, and interface profiles
  • Page 673: Service Manager Platform Considerations

    For information about creating IPv4 interface profiles, see the Configuring IP chapter in JunosE IP, IPv6, and IGP Configuration Guide. Service Manager Configuration Tasks To use the Service Manager application to create subscriber service sessions, you perform the following tasks: Create and manage service definitions
  • Page 674 Create and apply optional service session profiles; Enable statistics collection; Activate the service session; Deactivate service sessions. Figure 28 on page 637 shows the sequence of operations you use to create and monitor subscriber service sessions.
  • Page 675: Service Definitions

    Interface profiles—Specify a set of characteristics that can be dynamically assigned to IP interfaces. A service definition must use at least one interface profile. Policy lists—Specify policy actions for traffic traversing an interface.
  • Page 676: Creating Service Definitions

    Optional: Collects output statistics from policy manager; Can be a list of clacls. activate-profile: Required; Specifies the interface profile used on activation of the service; Deletion of the profile is Service Manager’s responsibility
  • Page 677 Collects output statistics associated with the external group from policy manager; Both the external parent group and the corresponding hierarchical policy parameter must be specified; Can be multiple pairs of external parent groups and hierarchical policy parameters
  • Page 678: Managing Your Service Definitions

    NVS card. Install—You must install the service definition before you can use it to create a service session. During installation, Service Manager precompiles the definition and extracts
  • Page 679 NVS, and install the updated file. All subsequent service sessions use the new service definition file. However, currently active service sessions continue to use the original definition file until the sessions are deactivated, then reactivated. Example 1—Installing
  • Page 680: Referencing Policies in Service Definitions

    Specifying QoS Profiles in a Service Definition You can configure one QoS profile per subscriber interface. We recommend that you specify the QoS profile in the first set of services applied to the subscriber's interface.
  • Page 681: Configuring a QoS Profile for Service Manager

    Specifying QoS Profiles in a Service Definition After you configure a QoS profile for Service Manager, you can reference it in a service definition. For example: profile <# eastcoast ; '\n' #> qos-profile <# video; '\n' #>
  • Page 682: Specifying QoS Parameter Instances in a Service Definition

    Use the add keyword in Profile Configuration mode to add a value to an existing parameter instance. Use the initial-value keyword to create a new instance with the specified value. Examples host1(config)#profile video host1(config-profile)#qos-parameter max-subscriber-bandwidth initial-value 15000
  • Page 683: Specifying QoS Parameter Instances in a Service Definition

    Service Manager attempts to locate the parameter instance qosParameterName4 for the subscriber's interface. If it finds a parameter instance, it adds bandwidth2 (3,000,000) to the current value. If Service Manager does not find a parameter instance, it creates
  • Page 684: Modifying QoS Configurations with Service Manager

    Table 141 on page 647 lists a series of activations and deactivations using parameter instances in profiles and explicit parameter instances. By the second deactivation, the parameter has a negative value (-4000000).
  • Page 685: Modifying QoS Configurations in a Single Service Manager Event

    Each row represents new QoS profiles and parameter instances; columns represent existing QoS profiles and parameter instances. Table 142: Configuration Within a Single Service Manager Event Profile RADIUS Service Manager Profile – – RADIUS –
  • Page 686: Modifying QoS Configurations Using Other Sources

    QoS profile attachments and parameter instances configured through RADIUS can overwrite QoS profile attachments and parameter instances configured through the SNMP, the SRC software, and the CLI, but not those created by Service Manager.
  • Page 687: Removing QoS Configurations Referenced by Service Manager

    QoS profile and parameter instances, Service Manager automatically removes the following QoS configurations in the following order: QoS profiles; Scheduler profiles; Queue profiles; Drop profiles; Statistics profiles. Service Manager does not automatically remove the following QoS configurations:
  • Page 688: QoS for Service Manager Considerations

    Configuring the Service Manager License Use the Service Manager license to enable full Service Manager application support. You can create a maximum of 10 subscriber sessions when the Service Manager license is
  • Page 689: Managing and Activating Service Sessions

    10 subscriber sessions. The license is a unique string of up to 15 alphanumeric characters. NOTE: Obtain the license from Juniper Networks Customer Service or your Juniper Networks sales representative.
  • Page 690: Using RADIUS to Manage Subscriber Service Sessions

    The RADIUS CoA method also supports the use of mutex groups to create mutex services. See “Using Mutex Groups to Activate and Deactivate Subscriber Services” on page 658. Figure 31 on page 652 compares the two RADIUS-based methods. Figure 31: Comparing RADIUS Login and RADIUS CoA Methods
  • Page 691: Using RADIUS to Activate Subscriber Service Sessions

    Service Manager to activate the appropriate service session. For the RADIUS CoA method, Service Manager uses the VSAs for service activation and deactivation, threshold configuration, statistics configuration, and interim accounting in
  • Page 692: Table 144: Service Manager RADIUS Attributes

    Name of the service (including sessions only: parameter values) with which the Acct-Start statistics are associated Acct-Stop Interim-Acct [26-140] Service-Interim-Acct- Access-Accept Number of seconds between Interval accounting updates for a service; a CoA-Request tagged VSA
  • Page 693: Table 145: Sample RADIUS Access-Accept Packet

    (service-statistics value of 2). Also, accounting for the service is updated every 600 seconds (10 minutes). Table 145: Sample RADIUS Access-Accept Packet (RADIUS Attribute / Value): username none client1@isp1.com; class none (binary data); service-activation tiered(1280000, 5120000); service-timeout 18000; service-statistics
  • Page 694: Using Tags with RADIUS Attributes

    Table 146: Using Tags (RADIUS Attribute / Value): username none client1@isp1.com; class none (binary data); service-activation tiered(1280000, 5120000); service-timeout 18000; service-statistics; service-interim-acct-interval; service-activation voice(100000); service-timeout 1440; service-interim-acct-interval 1200
  • Page 695: Using RADIUS to Deactivate Service Sessions

    See “Configuring Service Manager Statistics” on page 677. The service-volume threshold accuracy is based on a 10-second period. Service Manager does not immediately deactivate a service session when the output byte count reaches
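    The polling-based threshold behaviour described above, modelled in Python as an added example (this is not JunosE or Service Manager code). It assumes only what the page states: the output byte count is checked on a 10-second period, so a session is deactivated at the first check at or after the crossing rather than at the exact byte. The constant-rate traffic timeline, the threshold values and the function names are constructed for illustration; the point for a practitioner is that a service-volume threshold must leave headroom for up to one poll period of traffic.

```python
"""Model of a service-volume threshold that is evaluated on a fixed poll period.

Added example, not JunosE or Service Manager code. Assumption taken from the
guide: the byte count is checked every 10 seconds, so deactivation happens at
the first poll instant at which the count is at or above the threshold.
"""

POLL_PERIOD_S = 10  # accuracy period stated by the guide


def bytes_at(t_seconds, rate_bytes_per_s):
    """Constructed traffic model: constant output rate from t = 0."""
    return rate_bytes_per_s * t_seconds


def exact_crossing_time(threshold_bytes, rate_bytes_per_s):
    """Time at which the byte count would reach the threshold with continuous checking.

    Returns None when the rate is zero (the threshold is never reached).
    """
    if rate_bytes_per_s <= 0:
        return None
    return threshold_bytes / rate_bytes_per_s


def find_deactivation(threshold_bytes, rate_bytes_per_s,
                      poll_period_s=POLL_PERIOD_S, max_t=3600):
    """Simulate polled threshold checking.

    Walks the poll instants 0, P, 2P, ... and deactivates at the first instant
    where the cumulative output byte count is >= threshold_bytes.
    Returns (deactivation_time_s, bytes_seen, overshoot_bytes), or None if the
    threshold is not reached before max_t.
    """
    t = 0
    while t <= max_t:
        seen = bytes_at(t, rate_bytes_per_s)
        if seen >= threshold_bytes:
            return t, seen, seen - threshold_bytes
        t += poll_period_s
    return None


def worst_case_overshoot(rate_bytes_per_s, poll_period_s=POLL_PERIOD_S):
    """Upper bound on bytes delivered past the threshold before the next poll.

    With a constant rate the crossing can happen just after a poll, so up to one
    full poll period of traffic can pass before deactivation is triggered.
    """
    return rate_bytes_per_s * poll_period_s


if __name__ == "__main__":
    # Constructed scenario: 1 MB threshold at 150 kB/s.
    threshold, rate = 1_000_000, 150_000
    print("exact crossing at %.2f s" % exact_crossing_time(threshold, rate))
    print("polled deactivation (t, seen, overshoot):", find_deactivation(threshold, rate))
    print("worst-case overshoot for this rate:", worst_case_overshoot(rate))
```

    Running the block with the constructed 1 MB threshold at 150 kB/s shows the crossing at about 6.7 s but deactivation only at the 10 s poll, by which time 1.5 MB has left the interface; sizing the threshold below the intended cap by roughly one poll period of peak traffic keeps the enforced volume within the cap.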
  • Page 696: Using the Deactivate-Service Attribute

    In these cases, the subscriber might be without an active service. If statistics are enabled when you activate a mutex service, Service Manager sends a RADIUS Acct-Stop message for the deactivated service.
  • Page 697: Activating and Deactivating Multiple Services

    <# name #> one-rate committed-rate <# inputBW; '\n' #> policy-list <# name; '\n' #> classifier-group matchAll precedence 10000 rate-limit-profile <# name; '\n' #> traffic-class best-effort policy-list <# oname; '\n' #> classifier-group matchAll precedence 10000 traffic-class best-effort
  • Page 698: Combined and Independent IPv4 and IPv6 Services in a Dual Stack Overview

    A dual-stack implementation supports both IPv4 and IPv6 hosts to help provide a smooth transition to all parts of an enterprise network. With this flexible method of implementation, providers can carry IPv6 traffic over their existing core networks and customers can roll out IPv6 to more sites.
  • Page 699 To configure a service macro to be used for IPv6 interfaces only, specify the following object in the macro definition file. The profile identifier returned from the activate-profile object is applied to IPv6 interfaces. <# env.setResult("service-interface-type", ipv6 ) #>
  • Page 700: Activation and Deactivation of IPv4 and IPv6 Services in a Dual Stack

    After the subscriber service session is activated, the policies defined in the interface profile specified by the activate-profile object in the service macro file are applied to both IPv4 and IPv6 interfaces. The elements in the profile to be attached to the interfaces are
  • Page 701: Performance Impact On The Router And Compatibility With Previous Releases For An Ipv4 And Ipv6 Dual Stack

    Service Manager volume statistics for a service session. When you terminate a subscriber session, Service Manager first sends RADIUS Acct-Stop messages for any active services associated with the subscriber session, and then sends the Acct-Stop message for the subscriber session.
  • Page 702: Configuring Service Interim Accounting

    Configuring Service Interim Accounting Interim accounting determines how often accounting information is updated and sent to an accounting server. In addition to the user-based interim accounting supported on the router, Service Manager supports service-related interim accounting—you can
  • Page 703: Table 148: Determining The Service Interim Accounting Interval

    Table 149 on page 666 describes a sample Acct-Start message for a service session. In the table, the three fields used by Service Manager are shown in bold characters. An Acct-Start message for a subscriber session without any active services does not include the Service-Session attribute.
  • Page 704: Table 149: Sample Acct-Start Message For A Service Session

    FastEthernet 12/0:0001048580:002478 nas-ip-address 10.6.128.45 class (binary data) framed-protocol framed-compression framed-ip-address 100.20.0.1 framed-ip-netmask 0.0.0.0 ingress-policy-name (vsa) forwardAll egress-policy-name (vsa) forwardAll calling-station-id #ERX-01-00-06#E12#0 acct-input-gigawords acct-input-octets 4032 acct-output-gigawords acct-output-octets 2163 acct-input-gigapackets (vsa) acct-input-packets acct-output-gigapackets (vsa) acct-output-packets
  • Page 705 Use the no version to reset the accounting interval to 0, which turns off interim service accounting when no value is specified in the Service-Interim-Acct-Interval attribute (Juniper VSA 26-140). See aaa service accounting interval aaa user accounting interval
  • Page 706: Overview

    IPv6 services. For the combined IPv4 and IPv6 service, the statistics are a sum of the values in the external parent group and hierarchical policy parameter pair lists (defined as input-stat-epg, secondary-input-stat-epg, and output-stat-epg in the service definition macro).
  • Page 707: Using The Cli To Manage Subscriber Service Sessions

    RADIUS is used to create the subscriber session, the owner name is AAA and the owner ID is the Acct-Session-ID that was generated by RADIUS during subscriber creation. host1(config)#service-management owner-session AAA 537446 service-session “tiered(1280000, 5120000)”
  • Page 708 573498 service-session “video(4500000, 192.168.10.3)” host1(config)#service-management owner-session aaa 573498 service-session “tiered(1000000, 2000000)” host1(config)#service-management owner-session aaa 573498 service-session “voice(1000000, 10.10.10.1)” Example 3—Include a service session profile when you activate a subscriber’s service session
  • Page 709 4/0.1 service-session “tiered(1000000, 2000000)” host1(config)#service-management subscriber-session client1@isp1.com interface atm 4/0.1 service-session “voice(1000000, 10.10.10.1)” Example 3—Include a service session profile when you activate a subscriber’s service session host1(config)#service-management subscriber-session client1@isp1.com interface atm 4/0.1 service-session “video(4500000, 192.168.10.3)” service-session-profile vodISP1
  • Page 710: Preprovisioning Services

    See “Configuring Service Manager Statistics” on page 677 for additional information about capturing Service Manager statistics. You can specify the following types of statistics: time—The service’s duration volume-time—The service’s duration and traffic volume
  • Page 711 Use the no version to delete the service session profile. See service-management service-session-profile statistics Use to enable statistics collection and to specify the type of statistics to collect. Use the time keyword to collect statistics about the duration of the service session.
  • Page 712 NOTE: The volume attribute uses values captured by the Service Manager statistics feature to determine when the threshold is exceeded. Therefore, you must configure and enable statistics collection to use this attribute. See “Configuring Service Manager Statistics” on page 677. The range is 0–16777251MB.
  • Page 713: Using The Cli To Deactivate Subscriber Service Sessions

    Use the no version with the service-session keyword to deactivate the specified service session. Use the no version without the service-session keyword to delete the subscriber’s session and deactivate all of the subscriber’s service sessions. Example host1(config)#no service-management owner-session aaa 426777 service-session “video(4500000, 192.168.10.3)”
  • Page 714: Forcing Immediate Deactivation Of Subscriber Service Sessions

    AAA (RADIUS) or CLI. Example host1(config)#no service-management subscriber-session 8 force There is no affirmative version of this command; there is only a no version. See no service-management subscriber-session force
  • Page 715: Using Service Session Profiles To Deactivate Service Sessions

    “Enabling Statistics Collection with the CLI” on page 679 if you are using the CLI. Setting Up the Service Definition File for Statistics Collection Service Manager statistics are based on classifier lists—the classifier lists are referenced by policy lists that you define in your service definition macro file.
  • Page 716 This example shows how you can also configure your service definition to collect total statistics from multiple classifier lists. The following command specifies that three classifier lists are used to generate output statistics for a service created by the service
  • Page 717: Enabling Statistics Collection With Radius

    Apply the service session when you activate the subscriber service session. host1(config)#service-management subscriber-session client1@isp1.com interface atm 4/0.1 service-session “tiered(1000000, 2000000)” service-session-profile isp1_tiered3 The captured statistics are now used when you use the Service Manager show service-management commands. For example:
  • Page 718: External Parent Group Statistics Collection Setup

  • Page 719: Service Manager Performance Considerations

    Service Manager to build a popular service only once. You then reuse the original service when you activate future subscriber service sessions. See “Preprovisioning Services” on page 672 for details. Capture volume statistics when needed—Repeatedly capturing volume statistics can waste resources.
  • Page 720: Service Definition Examples

    <# env.setResult("secondary-input-stat-clacl", "matchAll") #> <# env.setResult("output-stat-clacl", "matchAll") #> <# endtmpl #> RADIUS Attribute Value Sample RADIUS username none client1@isp1.com Attributes activate-service tiered(1280000, 5120000) Sample CLI Command host1(config)#service-management subscriber-session client1@isp1.com interface atm 4/0.1 service-session “tiered(1280000, 5120000)”
  • Page 721: Video-On-Demand Service Definition Example

    !parameterizes source address and port, destination address and port, and protocol type <# mgFlow(upDA, upDPort, downDA, downDPort, protType) #> <# uid := app.servicemanager.getUniqueId #> <# name := "SM-mgFlow-" $ uid #>
  • Page 722: Guided Entrance Service Example

    For example, a subscriber who has purchased the sports package service is presented with a Web page that lists the currently available sporting events. Or, a subscriber might prepay a VoIP service for a set amount of time.
  • Page 723: Guided Entrance Service Definition Example

    Guided Entrance Service Definition Example This example shows a guided entrance service. Upon login, the subscriber is redirected to a specific uniform resource locator (URL) at which the subscriber can choose from a list of available services.
  • Page 724: Using Coa Messages With Guided Entrance Services

    Typically, a guided entrance service directs a subscriber to a Web site, where the subscriber can select from a group of available services. When the subscriber selects a new service to use, Service Manager uses a RADIUS CoA message to activate the new service—you
  • Page 725: Configuring The Http Local Server To Support Guided Entrance

    Web site when they log in. At the Web site, the subscribers can then select the service they want to use. You can configure one HTTP local server per virtual router. The HTTP local server is disabled by default.
  • Page 726 To configure the HTTP local server to support guided entrance for IPv6: Access the virtual router context. host1(config)#virtual-router west400 host1:west400(config)# Create the HTTP local server. host1:west40(config)#ipv6 http
  • Page 727 Use the no version to delete the HTTP local server. See ip http ip http access-class Use to allow only subscribers on the specified standard IP access list to connect to the HTTP local server. Example host1(config)#ip http access-class chicagoList
  • Page 728 NOTE: The HTTP local server must be configured and enabled in the virtual router for the interface on which you use the ip http redirectUrl command. Otherwise, the URL redirect operation will fail. Example host1(config-if)#ip http redirectUrl http://ispsite.redirect.com
  • Page 729 NOTE: You can modify the port on which the HTTP local server receives connection attempts. However, you must first disable the HTTP local server and then modify the port. Specify a port number in the range 1–65535. Example host1(config)#ipv6 http port 8080
  • Page 730: Combined Ipv4 And Ipv6 Service In A Dual Stack Example

    The incoming voice-over-IP classified traffic flows for IPv4 and IPv6 subscribers are allocated a total of 64 Kbps. The
  • Page 731: Figure 33: Input Traffic Flow With Rate-Limit Profile On An External Parent Group

    <# outBw #><# '\n' #> committed-action transmit unconditional conformed-action transmit unconditional rate-limit-profile rlpv4v6-<# genericName #>-vb-in one-rate hier committed-rate <# inBw #><# '\n' #> committed-action transmit unconditional conformed-action transmit unconditional parent-group vb-v4v6-<# uid #>-in rate-limit-profile rlpv4v6-<# genericName #>-vb-in
  • Page 732 (yellow) packets and a token bucket for committed (green) packets. The following are the attributes configured in the rate-limit profile applied to ingress and egress interfaces:
  • Page 733 IPv4 and IPv6 interfaces. The service definition macro is configured to collect input and output statistics associated with external parent groups in a hierarchical policy for IPv4 and IPv6 subscribers as follows:
  • Page 734 10.0.0.1—Host IP address for IPv4 subscribers, denoted as VBG1 in the macro 2001::1—Host IP address for IPv6 subscribers, denoted as VB6G1 in the macro vlan—Interface on which the service is configured, denoted as NODE in the macro
  • Page 735: Monitoring Service Manager

    To set a baseline: Include the baseline ip http command at the User Exec or Privilege Exec level: host1#baseline ip http There is no no version.
  • Page 736: Monitoring The Connections To The Http Local Server

    Purpose Display information about the configuration of the HTTP local server. Action To display information about the HTTP local server: host1#show ip http server Admin status: enabled Access class: not defined Listening port: 80
  • Page 737: Monitoring Statistics For Connections To The Http Local Server

    Http connections terminated: 2 Http connections aged out: 1 Urls successfully served: 0 Malformed http requests: 0 Urls not found: 0 Meaning Table 154 on page 700 lists the show ip http statistics command output fields.
  • Page 738: Monitoring Profiles For The Http Local Server

    To display information about the redirect URL used by the HTTP local server: host1#show profile name guidedProfile2 Profile : guidedProfile2 Auto Detect : Disabled Auto Configure : Disabled IP FlowStats : Disabled Ip http redirect Url : myredirect.html
  • Page 739: Monitoring The Default Interval For Interim Accounting Of Services

    Display the status of the Service Manager license. Action To display the status of the Service Manager license: host1#show license service-management service management license is set Meaning Table 157 on page 702 lists the show license service-management command output fields.
  • Page 740: Monitoring Profiles For Service Manager

    Output Policy Name of output policy and whether statistics are enabled or disabled qos-parameter Name and value of the QoS parameter assigned to the profile qos-profile Name of the QoS profile assigned to the profile
  • Page 741: Monitoring Ipv4 And Ipv6 Interfaces For Service Manager

    ND duplicate address detection attempts is 100 ND neighbor solicitation retransmission interval is 1000 milliseconds ND proxy is enabled ND RA source link layer is advertised ND RA interval is 200 seconds, lifetime is 1800 seconds
  • Page 742 0: traffic class best-effort, bound to ipv6 FastEthernet9/0.6 Queue length 0 bytes Forwarded packets 0, bytes 0 Dropped committed packets 0, bytes 0 Dropped conformed packets 0, bytes 0 Dropped exceeded packets 0, bytes 0 Http Redirect Url: http://www.juniper.net
  • Page 743: Table 159: Show Ip Interface Output Fields

    Number of reassembly failures frag ok Number of packets fragmented successfully frag req Number of frames requiring fragmentation frag fails Number of packets unsuccessfully fragmented IP Statistics Sent generated Number of packets generated
  • Page 744 Packets sent with parameter errors src quench Source quench packets sent redirect Send packets redirect timestamp req Requests for a timestamp timestamp rpy Replies to timestamp requests addr mask req Address mask requests
  • Page 745 In Fabric Dropped Packets Packets discarded on a receive IP interface because of internal fabric congestion Out Forwarded Packets, Bytes Total number of packets and bytes forwarded out of the IP interface
  • Page 746: Table 160: Show Ipv6 Interface Output Fields

    Url to which a subscriber’s initial web browser session is redirected Internet Address IP address of the interface Link local address Local IPv6 address of this interface Network Protocols Network protocols configured on this interface IPv6 Statistics Rcvd
  • Page 747 MTU size redirects Received packet redirects echo requests Echo request (ping) packets echo replies Echo replies received rtr solicits Number of received router solicitations
  • Page 748 Number of received neighbor solicitations neighbor advertisements Number of received neighbor advertisements Group membership (queries, Number of queries, responses, and reduction requests responses, reductions) received from within a group to which the interface is assigned
  • Page 749 Total number of packets and bytes received on the IP interface. Unicast Packets, Bytes Unicast packets and bytes received on the IP interface; link-local received multicast packets (non-multicast-routed frames) are counted as unicast packets.
  • Page 750 Out Discarded Packets Packets discarded on the egress interface because of a configuration problem rather than a problem with the packet itself IPv6 policy Type (input, output, local-input) and name of policy rate-limit-profile Name of profile
  • Page 751: Monitoring Service Definitions

    - WED DEC 14 14:41:20 2005 Installed: True Service: tiered(inputbw, outputbw) Reference Count: 0 To display summary information for all service definitions: host1#show service-management service-definition brief Service Definitions ------------------- Reference Filename Service Installed Count
  • Page 752: Monitoring Service Session Profiles

    Action To display summary information for all service session profiles: host1#show service-management service-session-profile brief Service Session Profiles ------------------------ Name Volume Time Statistics ------- ------ ---- ---------- tiered1 20000 1000 Volume-Time tiered2 20000 1000 Time
  • Page 753: Monitoring Active Owner Sessions With Service Manager

    AAA 4194326 Active False CLIENT2@ISP.COM ip192.168.0.7 AAA 4194327 Active False CLIENT3@ISP.COM ip192.168.0.4 AAA 4194328 Active False CLIENT4@ISP.COM ip192.168.0.5 AAA 4194329 Active False CLIENT5@ISP.COM ip192.168.0.6 AAA 4194330 Active False CLIENT6@ISP.COM ip192.168.0.8 AAA 4194331 Active False
  • Page 754: Table 163: Show Service-Management Owner-Session Output Fields

    Type and IP address of the subscriber’s interface Owner/Id Method used to activate the subscriber session (CLI, AAA) and ID number generated by the owner State Status of the subscriber session (active or inactive), or status of the service session
  • Page 755 Input Bytes Current value of input bytes that the statistics configuration is measuring Output Bytes Current value of output bytes that the statistics configuration is measuring
  • Page 756: Monitoring Active Subscriber Sessions With Service Manager

    ------------------ --------- tiered(2000000,3000000) AAA 4194326 ConfigApplySuccess Activate Name Non-volatile ----------------------- ------------ tiered(2000000,3000000) False To display information for that particular subscriber with the service session: host1# show service-management subscriber-session client1@isp.COM interface ip 192.168.0.1 service-session tiered
  • Page 757: Table 164: Show Service-Management Subscriber-Session Output Fields

    ID number of the subscriber session mutex Index number of the mutex group to which the service session belongs Owner/Id Method used to activate the subscriber session (CLI, AAA) and ID number generated by the owner (Acct-Session-ID for AAA)
  • Page 758 Volume left until the threshold is exceeded; this value starts as the volume threshold value and is decremented as the service statistics measure volume Input Bytes Current value of input bytes that the statistics configuration is measuring
  • Page 759: Service Manager

    Table 165: show service-management summary Output Fields Field Name Field Description Total Subscriber Sessions Number of active subscriber sessions on the router Total Service Sessions Number of active service sessions on the router Related show service-management summary Documentation
  • Page 761: Part 7 Index

    PART 7 Index Index on page 725
  • Page 763: Index

    See also show aaa commands aaa authentication default.........27, 40 AAA default tunnel parameters aaa authentication enable default....317, 322 L2TP transmit connect speed.......403 aaa authentication login...........324 aaa delimiter..............12 aaa dhcpv6-delegated-prefix delegated-ipv6-prefix..........88 aaa dns primary.............50 aaa dns secondary............50
  • Page 764 Prefix Delegation...........58 mapping to domain name.........56 with Framed-IPv6-Prefix attribute ranges.................53 for Prefix Delegation..........88 address-pool-name command........56 with IPv6-NdRa-Prefix attribute agent circuit ID (suboption 1)..........503 for IPv6 Neighbor Discovery......88 agent remote ID (suboption 2)........503
  • Page 765 DHCP (Dynamic Host Configuration Protocol) TACACS+................317 proxy client and server..........4 authorization change command........244 IP hinting................9 limiting active subscribers..........87 local address server............4 manually setting NAS-Port-Type......66 mapping address pool to domain......56 mapping backup address pool to domain...56
  • Page 766 RADIUS Bearer Type AVP attributes..............188 relaying in L2TP tunnel-switched client-name command..........362, 364 network.............392, 394 BOOTP (bootstrap protocol)...........491 bootstrap protocol. See BOOTP
  • Page 767 26-66).............654, 658, 687 recreate-subscriber-interface....521, 527 deadtime command..............29 ip inactivity-timer............619 default domain name..............8 set ip interface-profile..........586 default-router command...........619 set ip source-prefix.............586 default-upper-type mlppp command......376 show dhcp-external...........548 Delegated-Ipv6-Prefix (RADIUS attribute 123)..215 See also show dhcp commands
  • Page 768 IP address....468 netbios-node-type.............482 logging information.............478 network................482 modes................465 reserve................482 monitoring............545, 570 server-address.............482 overview................465 snmpTrap...............482 RADIUS accounting support for......465 use-release-grace-period........482 RADIUS accounting support for standalone warning................482 mode................90 DHCP proxy client standalone mode configuring..............459 address allocation........468, 483 authentication.............483
  • Page 769 DNIS (dialed number identification service)..9, 376 DHCPv6 local address pools See IPv6 local address DNS (Domain Name System) pools assigning IP addresses..........120 DHCPv6 local server overview................50 IPv6..................485 DNS addresses order of preference in allocation to clients........104
  • Page 770 117, 126, 425 interoperate with DHCP relay and DHCP relay mapping user requests without domain proxy ................528 name................8, 9 configuring DHCP external server to none..................9 preserve..............521, 527 specifying single name for users.......16
  • Page 771 B-RAS for delegation of prefixes........107 configuring................85 example for non-PPP client requests....108 idle timeout, range for............85 for DHCPv6 prefixes include commands delegated to clients..........107 include circuit-id............581 Extensible Authentication Protocol. See EAP include dhcp-option 82..........581
  • Page 772 604, 619 ip http same-host-limit..........687 ip auto-detect ip-subscriber........581 ip http server..............687 ip demux-type...............610 IP interfaces ip destination-prefix........584, 610, 612 creating................610 ip dhcp-local pool............619 IP interfaces that support PPP clients ip inactivity-timer............584 configuring................59
  • Page 773 IPv6 services viewing..............161 in a dual stack guidelines for configuration........102 activating...............662 limitation on combined and independent number of allocated prefixes......107 configuration...........660
  • Page 774 L2TP access concentrator. See LAC references...............416 l2tp commands..............384 route..................410 disconnect-cause............384 session................410 failover-resync ..............391 target................410 l2tp checksum..............345 trigger................410 l2tp destination lockout-test........368 l2tp dial-out commands............416 l2tp destination lockout-timeout......368 l2tp dial-out connecting-timer-value....417 l2tp destination profile........374, 377 l2tp dial-out dormant-timer-value......417
  • Page 775 RADIUS.........397 configuring..............374 AVP relay, configuring........392, 394 configuring receive window size (RWS).....385 configuration guidelines..........392 installing multiple service modules.....380 configuring..............394 modules supported............382 how to apply..............392 out-of-resource result codes........379 monitoring...............441 overriding out-of-resource result codes.....379 sequence of events.............337
  • Page 776 See MAC addresses packet detection dynamic subscriber medium ipv4 command..........362, 364 interfaces................604 merging policies packet fragmentation............337 naming conventions...........642 packet mirroring..............241 Message-Authenticator (RADIUS attribute 80)..21 MLPPP Bundle Name (RADIUS attribute 26-62)..................225
  • Page 777 QoS (quality of service) preferred lifetime calculation method for L2TP transmit connect for delegated prefixes speed................399 configuring.............106 on subscriber interfaces...........599 default..............106 QoS commands setting qos-parameter.............644 without expiration..........106 qos-profile..............642 Prefix Delegation See DHCPv6 Prefix Delegation
  • Page 778 257 radius include framed-ip-add acct-start...256 radius algorithm............18, 27 radius include framed-ip-addr.......188 radius calling-station-delimiter....188, 257 radius include radius calling-station-format....188, 257, 349 framed-ip-netmask........82, 188, 201 radius client...............27 radius include framed-ipv6-pool......188 radius connect-info-format........206 radius include framed-ipv6-prefix.......206
  • Page 779 RADIUS relay server radius nas-port-format extended configuring...............251 ethernet...............188 monitoring..............253 radius override calling-station-id radius remote-circuit-id-format command....513 remote-circuit-id............188 RADIUS route-download server........69 radius override nas-info......27, 188, 200 configuring................69 radius override nas-ip-addr format of routes.............69 tunnel-client-endpoint.........188 how it works..............69
  • Page 780 RX speed AVP...............364 independent, deactivating......662 independent, overview........660 overview............660, 662 S-VLAN links license sessions............650 between CPE and PE routers macros................634 pool section for Prefix Delegation....108 multiple services............659 SCR (RADIUS attribute 26-16)........219 mutex service.............634, 658
  • Page 781 Service Manager license set dhcp relay proxy send-first-offer.....517 configuring..............650 set dhcp relay proxy timeout........517 service modules set dhcp vendor-option command......499 installing multiple for LNS sessions....380 shared IP interfaces.............597
  • Page 783 See also show sscc commands show radius route-download statistics....142 standalone DHCP local server........468 show radius servers..........142, 311 show radius statistics.......142, 144, 310 show radius trap............148
  • Page 784 L2TP. See L2TP transmit overview connect speed dynamic..............602 tunnel static...............598 defined..............335, 337 static.................607 selection, L2TP.............369 subscribers switching.................382 accounting messages..........177 authorization and authentication messages..............169 E Series Broadband Services Routers....154
  • Page 785 Web access to E Series router.........457 checksums............23, 32, 148 Windows Internet Name Service. See WINS udp-port command...........35, 246, 252 WINS, assigning IP addresses........50, 120 Upstream-Calculated-QoS-Rate (RADIUS attribute 26-142).................228 user domain, mapping to L2TP tunnel......358
