Juniper JUNOSE SOFTWARE FOR E SERIES 11.3.X - SYSTEM BASICS CONFIGURATION GUIDE 2010-10-04 Configuration Manual

Software for e series broadband services routers system basics configuration guide
JunosE™ Software
for E Series™ Broadband
Services Routers
System Basics Configuration Guide
Release
11.3.x
Published: 2010-10-04
Copyright © 2010, Juniper Networks, Inc.

Summary of Contents for Juniper JUNOSE SOFTWARE FOR E SERIES 11.3.X - SYSTEM BASICS CONFIGURATION GUIDE 2010-10-04

  • Page 1 JunosE™ Software for E Series™ Broadband Services Routers System Basics Configuration Guide Release 11.3.x Published: 2010-10-04 Copyright © 2010, Juniper Networks, Inc.
  • Page 2 Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
  • Page 3 REGARDING LICENSE TERMS. 1. The Parties. The parties to this Agreement are (i) Juniper Networks, Inc. (if the Customer’s principal office is located in the Americas) or Juniper Networks (Cayman) Limited (if the Customer’s principal office is located outside the Americas) (such applicable entity being referred to herein as “Juniper”), and (ii) the person or organization that originally purchased from Juniper or an authorized Juniper reseller the applicable...
  • Page 4 Customer shall be liable for any such violations. The version of the Software supplied to Customer may contain encryption or other capabilities restricting Customer’s ability to export the Software without an export license.
  • Page 5 (including Juniper modifications, as appropriate) available upon request for a period of up to three years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194 N. Mathilda Ave., Sunnyvale, CA http://www.gnu.org/licenses/gpl.html...
  • Page 7: Table Of Contents

    Index (page 585)
  • Page 9 Configuring IP/HDLC (page 21)
  • Page 10 CLI Privilege Groups (page 49); Examples Using Privilege Group Membership (page 50)
  • Page 11 IPSec CA Identity Configuration Mode (page 90)
  • Page 12 Traffic Class Group Configuration Mode (page 113)
  • Page 13 Copying Release Files from One Router to Another (page 130); Upgrading Systems That Are Operating with Two SRP Modules (page 131)
  • Page 14 Standard SNMP MIBs (page 140); Juniper Networks E Series Enterprise MIBs (page 140); Accessing Supported SNMP MIBs
  • Page 15 Monitoring Timing (page 243)
  • Page 16 Monitoring the FTP Server (page 298)
  • Page 17 Replacing a Line Module by Erasing the Slot Configuration (page 351); Replacing a Line Module Without Erasing the Slot Configuration (page 352)
  • Page 18 Platform Considerations (page 403)
  • Page 19 Denial-of-Service Protection Groups (page 446)
  • Page 20 Configuring ATM Interfaces (page 491)
  • Page 21 Monitoring Virtual Routers (page 531)
  • Page 22 Index (page 585)
  • Page 23 Figure 28: Virtual Routers (page 526)
  • Page 25 Policy Schema (page 212)
  • Page 26 Table 46: CLI User Access Levels (page 431); Table 47: Juniper Networks–Specific CLI Access VSA Descriptions (page 432); Table 48: Juniper Networks–Specific Virtual Router Access VSA...
  • Page 27: About The Documentation

    Audience This guide is intended for experienced system and network specialists working with Juniper Networks E Series Broadband Services Routers in an Internet access environment. E Series and JunosE Text and Syntax Conventions Table 1 on page xxviii defines notice icons used in this documentation.
  • Page 28: Table 1: Notice Icons

    Indicates that you must press two or more keys simultaneously. Example: Press Ctrl + b. Syntax Conventions in the Command Reference Guide: Plain text like this represents keywords (example: terminal length). Italic text like this represents variables (examples: mask, accessListName).
  • Page 29: Obtaining Documentation

    CD-ROMs or DVD-ROMs, see the Portable Libraries page at http://www.juniper.net/techpubs/resources/index.html Copies of the Management Information Bases (MIBs) for a particular software release are available for download in the software image bundle from the Juniper Networks Web site at http://www.juniper.net/...
  • Page 30: Self-Help Online Tools And Resources

    7 days a week, 365 days a year. Self-Help Online Tools and Resources For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features: Find CSC offerings: http://www.juniper.net/customers/support/...
  • Page 31: Chapters

    Managing Modules on page 341; Passwords and Security on page 403; Writing CLI Macros on page 459; Booting the System on page 495; Configuring the System Clock on page 507; Configuring Virtual Routers on page 525
  • Page 33: Planning Your Network

    Planning Your Network This chapter describes planning steps that will make it easier to configure the physical interfaces, logical interfaces, and routing protocols for the Juniper Networks E Series Broadband Services Routers in: A new network that you are creating and implementing...
  • Page 34: Interface Specifiers

    See the ERX Module Guide for modules supported on ERX7xx models, ERX14xx models, and the Juniper Networks ERX310 Broadband Services Router. See the E120 and E320 Module Guide for modules supported on the Juniper Networks E120 and E320 Broadband Services Routers.
  • Page 35: xDSL Session Termination

    (DSLAMs). Directly connected to the subscriber premises, the DSLAMs handle the copper termination and aggregate the traffic into a higher-speed uplink. The output from the DSLAM is fed into the router through a DS3 or OC3 link.
  • Page 36: Layered Approach

    Therefore, the JunosE configuration guides use a bottom-up approach to describe the configuration process. Figure 3 on page 7 shows the relationship of layers, protocols, and interfaces to the configuration process. Software functions are layered on top of
  • Page 37: Planning Your Network

    “OCx/STMx line modules” refers to both the OCx/STMx ATM and the OCx/STMx POS line modules. Similarly, the term “GE I/O modules” refers to both the GE Multimode I/O module and the GE Single Mode I/O module.
  • Page 38: Interfaces

    Assign an interface type, such as POS or ATM. Assign the associated interface specifier to the interface, such as the slot/port or slot/adapter/port and channel/subchannel. Assign one or more subinterfaces. interface Command The interface command has the following format:

        interface interfaceType interfaceSpecifier
  • Page 39: General Configuration Tasks

    Multiple distinct virtual routers are supported within a single router, which allows service providers to configure multiple, separate, secure routers within a single chassis. These routers are identified as virtual routers (VRs). Applications for this function include the
  • Page 40: Configuring IPSec

    GE/FE line module supports Gigabit Ethernet and Fast Ethernet. GE-2 line module and GE-HDE line module support Gigabit Ethernet. OCx/STMx ATM line module supports OC3/STM1 ATM, OC12/STM4 ATM, and unchannelized T3. OCx/STMx POS line module supports OC3/STM1 POS and OC12/STM4 POS.
  • Page 41: Line Module Features

    Three different clocking options: internal timing, loop timing, and chassis timing; DS3 framing type—Both M23 framing and C-bit parity; DS1 framing type—Both D4 framing mode and ESF framing mode; DS3 loopback—For line, payload, diagnostic, and DS1 loopbacks; DS1 loopback—For line, payload, and diagnostic loopbacks
  • Page 42: Configurable HDLC Parameters

    T1s. Assign full and fractional T1 channels (DS0) to a virtual channel. Figure 5 on page 12 shows sample parameters for a channelized T3 interface configuration. Figure 5: Channelized T3 Interface Configuration Parameters
  • Page 43: Configuring T3 And E3 Interfaces

    The following sample command sequence configures a serial interface for a T3 module. See JunosE Physical Layer Configuration Guide, for details.

        host1(config)#controller t3 0/1
        host1(config-controll)#framing m23
        host1(config-controll)#cablelength 300
        host1(config-controll)#ds3-scramble
        host1(config-controll)#exit
        host1(config)#interface serial 0/1
        host1(config-if)#invert data
        host1(config-if)#mtu 1600
        host1(config-if)#mru 1600
  • Page 44: Configuring OCx/STMx and OC48 Interfaces

    I/O module used with the line module: Fractional T1/E1 over SONET/SDH virtual tributaries or T3; Unframed E1; Unchannelized DS3. Figure 8 on page 15 shows the configuration parameters for a sample T1 over DS3 interface configuration.
  • Page 45: Configuring Ethernet Interfaces

    Specify the line speed and duplex mode. Specify the MTU. The following sample command sequence configures an IP interface on a VLAN on an Ethernet interface:

        host1(config)#interface fastEthernet 2/0
        host1(config-if)#encapsulation vlan
        host1(config-if)#interface fastEthernet 2/0.1
  • Page 46: Configuring IPSec-Service Interfaces

    The router supports IP over Frame Relay PVCs on the CT3 12-F0 and OCx/STMx POS modules. The interface presented to the incoming traffic is an IP/Frame Relay router. In addition, IP/PPP/Frame Relay is supported on the T3 and E3 modules. With this interface, the service provider can:
  • Page 47: Figure 9: Frame Relay Interface Design

    LMI specifies a polling mechanism to receive incremental and full-status updates from the network. The router can represent either side of the User-to-Network Interface (UNI) and supports unidirectional LMI. Bidirectional support for the Network-to-Network Interface (NNI) is also supported.
  • Page 48: Configuring IP/ATM

    ATM interfaces, to take in traffic from other network devices that use ATM, such as DSLAMs, and to connect to service providers with ATM backbone structures. Figure 12 on page 18 shows an IP/ATM access connection. Figure 12: E Series Router IP/ATM Access Connection
  • Page 49: Figure 13: Structure of the ATM Interface Design

    (ILMI) provides local management across the UNI. Figure 14: Structure of ATM Protocol. Figure 15 on page 19 shows sample configuration parameters for a typical ATM interface configuration. Figure 15: ATM Interface Configuration Parameters
  • Page 50: Configuring IP/PPP

    PPP, providing support for IP/PPP/ATM, IP/PPP/HDLC, and IP/PPP/Frame Relay. Both SONET and DSx/Ex interfaces are supported at the physical layer. Figure 17: Structure of PPP. Figure 18 on page 21 shows sample configuration parameters for PPP on a serial interface.
  • Page 51: Configuring IP/HDLC

    HDLC layer or ATM or SONET interface. Both SONET and DSx/Ex interfaces are supported at the physical layer. The following example configures HDLC on a serial interface. See JunosE Link Layer Configuration Guide, for details.

        host1(config)#interface serial 3/1:2/1
        host1(config-if)#encapsulation hdlc
        host1(config-if)#ip address 192.32.10.2 255.255.255.0
  • Page 52: Configuring IP/Ethernet

    The E Series router supports subscriber interfaces on a particular type of layer 2 interface, Ethernet. In the absence of VLANs, Ethernet does not have a demultiplexing layer. A
  • Page 53: Configuring Routing Protocols

    There are two fundamental aspects to MPLS: Label distribution—The set of actions MPLS performs to establish and maintain a label-switched path (LSP), also known as an MPLS tunnel.
  • Page 54: Configuring VRRP

    Best-effort service provides packet transmission with no guarantee of results. The major QoS features that the E Series router provides are:
  • Page 55: Configuring Policy Management

    PPP, for transmission across a network. In an L2TP relationship, an L2TP access concentrator (LAC) forms a client-server relationship with a destination, known as an L2TP network server (LNS), on a remote network.
  • Page 56 DSL) environments or environments that use bridged Ethernet over ATM, because network operators can support one central system rather than an individual PPPoE client on each subscriber’s computer. See JunosE Broadband Access Configuration Guide.
  • Page 57: Chapter 2 Command-Line Interface

    By recognizing the command-line prompt, you can identify where you are in the CLI at any given point. When you can easily identify where you are, it is easy to get to where you want to be.
  • Page 58: Command-Line Prompts

    Command-Line Prompts Within the CLI, the command-line prompt identifies both the hostname and the command mode. The hostname is the name of your router; the command mode indicates your location within the CLI system.
  • Page 59: Command-Line Interface

    The CLI indicates the type of parameter that you must enter. When you see a range of numbers or uppercase letters, it indicates that you must specify a value. For example:

        CLI Parameter Placeholder or Range    Sample Parameter User Input
        ROUTER[:VRF]                          charlie:1234
        INTERFACE                             3/2:20/15
  • Page 60: Keywords And Parameters Together

    Abbreviated Commands on page 31; The ? Key on page 31; Backspace or Delete on page 31; Enter on page 31; Tab on page 32; Arrow Keys on page 32; The no Version on page 32
  • Page 61: Abbreviated Commands

    Backspace or Delete Use either key to delete the character immediately preceding the cursor. Enter Always use this key to execute the command you entered.
  • Page 62: Tab

    Most User Exec and Privileged Exec mode commands do not have no versions. The CLI can act on no versions of commands when you have entered sufficient information to distinguish the command syntactically; the CLI ignores all subsequent input on that line.
  • Page 63: Run And Do Commands

    Chapter 2: Command-Line Interface To be compatible with some non-Juniper Networks implementations, the no versions of commands will accept the same options as the affirmative version of the commands. The CLI ignores the optional input if it has no effect on the command behavior. If using the option changes the behavior of the no version, the individual command entry in this guide describes the difference in behavior.
  • Page 64: Show Commands

    | begin inter Please wait...log verbosity low internalNetwork log verbosity low ipEngine log verbosity low ipProfileMgr log verbosity low ipProfileMgrEngineering no log engineering log fields timestamp instance no-calling-task
  • Page 65 5 no ospf shutdown ip route-type both timers spf 3 maximum-paths 4 ospf auto-cost reference-bandwidth 100 distance ospf intra-area 110 distance ospf inter-area 112 distance ospf external 114 ! Area 0.0.0.0
  • Page 66 NameResolverLog log verbosity low atm log verbosity low atm1483 log verbosity low atmAal5 log verbosity low bgpConnections log verbosity low bgpDampening host1#
  • Page 67 2/0.1 point-to-point
  • Page 68: Redirection Of Show Command Output

    You can use redirection with output filtering. The general syntax is:

        show options [ { > | >> | &> | &>> } filename ] [ | { begin | include | exclude } filterstring ]
  • Page 69: Regular Expressions

    Numerals enclosed by underscores can be preceded or followed by any of the characters listed above. Matches characters on either side of the metacharacter; logical OR.
  • Page 70: The - -More- - Prompt

    ! Configuration script being generated on FRI AUG 04 2006 12:48:48 UTC ! Juniper Edge Routing Switch ERX-700 ! Version: 7.3.0 beta-1.6 [BuildId 5672] (July 11, 2006 11:58) ! Copyright (c) 1999-2006 Juniper Networks, Inc. All rights reserved. boot config running-configuration boot system erx_7-3-0.rel...
  • Page 71 ! Configuration script being generated on FRI AUG 04 2006 12:48:48 UTC ! Juniper Edge Routing Switch ERX-700 ! Version: 7.3.0 beta-1.6 [BuildId 5672] (July 11, 2006 11:58) ! Copyright (c) 1999-2006 Juniper Networks, Inc. All rights reserved. boot config running-configuration boot system erx_7-3-0.rel boot config running-configuration boot system 3-3.1.rel...
  • Page 72 ! Configuration script being generated on FRI AUG 04 2006 12:48:48 UTC ! Juniper Edge Routing Switch ERX-700 ! Version: 7.3.0 beta-1.6 [BuildId 5672] (July 11, 2006 11:58) ! Copyright (c) 1999-2006 Juniper Networks, Inc. All rights reserved. boot config running-configuration boot system erx_7-3-0.rel boot config running-configuration boot system 3-3.1.rel...
  • Page 73: Responding To Prompts

    To disagree with the prompt and cancel the action, you must type n and press Enter or type no and press Enter. Pressing Enter alone, or entering any other characters, is not an acceptable response, and the CLI will repeat the prompt.
  • Page 74: CLI Status Indicators

    80 characters, each of the 50 dots indicates 2 percent of the total time (2 percent x 50 characters = 100 percent). See “Managing the System” on page 239 for information about setting the terminal width. The following examples show progress indicator output for a 50-character-wide display.
  • Page 75: Levels Of Access

    The system supports a local console session and up to 30 virtual terminal (vty) sessions simultaneously. A virtual terminal session can be a Telnet session, Secure Shell Server (SSH) protocol session, or File Transfer Protocol (FTP) server session.
  • Page 76: Privileged-Level Access

    In general, command privileges fall within one of the following levels: 0—Allows you to execute the help, enable, disable, and exit commands 1—Allows you to execute commands in User Exec mode plus commands at level 0
  • Page 77: Accessing The Privileged Exec Level

    1 and 0 10—Allows you to execute all commands except support commands, which may be provided by Juniper Networks Customer Service, or the privilege command to assign privileges to commands 15—Allows you to execute support commands and assign privileges to commands For information about how to set individual command levels, see “CLI Command...
  • Page 78: Moving From Privileged Exec To User Exec Mode

    Specifying a privilege level after the disable command changes the Privileged Exec mode to the lower level that you specify; you do not return to User Exec mode.

    Example 1

        host1#disable
        host1>

    Example 2

        host1#show privilege
        Privilege level is 10
        host1#disable 5
        host1#show privilege
  • Page 79: Logging Out

    For example, privilege group 15 has member 14, privilege group 14 has member 13, and privilege group 2 has member 1.
  • Page 80: Examples Using Privilege Group Membership

    A user at privilege 15 does not have access to commands in privilege groups 11, 12, or

    Example 3

        host1(config)#privilege-group membership clear 13
        host1(config)#privilege-group membership 13 add 10

    In Example 3: Commands are executed in the following sequence: 15 contains 14, 14 contains 13, 13 contains 12, and so forth,
  • Page 81 15.

    Example 7

        host1(config)#privilege-group membership clear dailyAdmin
        host1(config)#privilege-group membership dailyAdmin add dailyTroll

    In Example 7, privilege group 10 alias dailyAdmin has one member: privilege group 6 alias dailyTroll.

    Example 8

        host1(config)#no privilege-group membership 9
  • Page 82 0 1 2 3 4 5 weekendAdmin 0 14 dailyAdmin 0 1 2 3 4 5 6 0 1 2 3 4 5 0 1 2 3 4 5 0 1 2 3 4 5 6 10
  • Page 83 NOTE: You must access the CLI at privilege level 15 to view or use this command. See privilege privilege-group alias
  • Page 84: CLI Command Exceptions

    You cannot change the privilege level of keywords that are separated from the command string by a parameter in the command sequence. In other words, once the privilege algorithm reaches a parameter, the privilege algorithm that maps the commands to the
  • Page 85: Setting Privileges For Ambiguous Commands

    If you want to set the privilege level for both traffic-class and traffic-class-group and you do not want the exact match to be made to traffic-class, issue a partial command such as traffic-c. The privilege level of all commands that begin with traffic-c is modified.
  • Page 86: Setting Privilege Levels For No Or Default Versions

    The effectiveness of a privilege level that is set with the all keyword depends on its precedence level in the CLI. A privilege level is considered to be in effect only if a privilege level that is configured at a higher precedence level does not override it.
  • Page 87: Superseding Privilege Levels With The All Keyword

    5 snmp The show configuration output displays all snmp commands at level 5, superseding the existing level 6 setting. The snmp-server community command is still present in the show configuration output, but it is ineffective.
  • Page 88: Removing The All Keyword

    Use to change the default privilege level of the console line or one or more vty lines. Example:

        host1(config-line)#privilege level 5
  • Page 89: Viewing CLI Privilege Information

    For example, if the session is enabled at level 5, issuing the show configuration command displays only output for commands at level 5 and below. show privilege group Use to view the privilege groups. Example
  • Page 90: Using Help

    The following examples show different ways you can use the ? key. When you use ? on a line by itself or when it is preceded by one or more spaces, a list of all next available choices is displayed.
  • Page 91 Configure system-level services Configure sleep Make the Command Interface pause for a specified duration slot Configure and administer slot operation snmp-server Configure SNMP parameters sscc The SSC Client telnet telnet telnet daemon configuration
  • Page 92 When you want to see a list of commands that begin with a particular set of characters, type a question mark ( ? ) immediately after the last letter. Do not use a space between the partial keyword and the ? key. For example:

        host1#sh?
        show shutdown
        host1#sh
  • Page 93: Help Command

    Command-Line Editing Keys You can use several keys to edit the command line. Table 7 on page 64 defines the keys for editing the command line. Arrow keys function only on ANSI-compatible terminals, such as VT100s.
  • Page 94: Table 7: Command-Line Editing Keys

    Set the boot option flag by using the service ctrl-x-reboot command from Global Configuration mode. Ctrl+y Recalls most recent entry from delete buffer; recalled characters overwrite or are inserted in current line depending on overwrite/insert toggle
  • Page 95: Command History Keys

    --More-- prompt appears. Table 9 on page 66 defines the pagination keys that you can use when the --More-- prompt appears. For more information, see “The - -More- - Prompt” on page 40.
  • Page 96: Accessing Command Modes

    Configuration | attributes for an ATM data PVC. | mode, use the vc-class atm command, and specify the name of the VC class. Prompt: host1(config-vc-class)# | to Global Configuration mode. Press Ctrl+z to return to Exec mode.
  • Page 97 Local Pool Configuration | pools. | From Global Configuration mode, use the ip dhcp-local pool command. Prompt: host1(config-dhcp-local)# | Use the exit command once to return to Global Configuration mode. Press Ctrl+z to return to Exec mode.
  • Page 98 function. Disable a feature or function. Configure a feature or function. | mode, use the configure command. Prompt: host1(config)# | Use the exit command, or press Ctrl+z to return to Exec mode. Use the interface command to enter Interface Configuration mode.
  • Page 99 Configuration | used in offline certificate requests and during negotiations with IKE peers. | Configuration mode, use the ipsec identity command. Prompt: host1(config-ipsec-identity)# | return to Global Configuration mode. Press Ctrl+z to return to Exec mode.
  • Page 100 tunnels | destination profile command or the dvmrp destination profile command and specify a destination profile name. Prompt: host1(config-dest-profile)# | Global Configuration mode. Press Ctrl+z to return to Exec mode.
  • Page 101 Layer 2 Control Configuration | Configure ANCP (L2C) parameters. | From Global Configuration mode, use the l2c command. Prompt: host1(config-l2c)# | Use the exit command once to return to Global Configuration mode. Press Ctrl+z to return to Exec mode.
  • Page 102 Map List Configuration | Configure map list parameters. | From Global Configuration mode, use the map-list command. Prompt: host1(config-map-list)# | Use the exit command once to return to Global Configuration mode. Press Ctrl+z to return to Exec mode.
  • Page 103 User Exec mode. Set operating parameters. Prompt: Use the exit command to log out Access Global of the CLI. Configuration mode. host1# Use the configure command to enter Global Configuration mode.
  • Page 104 Queue Profile Configuration | Configure queue profiles. | From Global Configuration mode, use the queue-profile command. Prompt: host1(config-queue)# | Use the exit command once to return to Global Configuration mode. Press Ctrl+z to return to Exec mode.
  • Page 105 Configure routing tables and source and destination information. | From Global Configuration mode, use the route-map command. Prompt: host1(config-route-map)# | Use the exit command once to return to Global Configuration mode. Press Ctrl+z to return to Exec mode.
  • Page 106 SNMP Event Manager Configuration | Configure SNMP events. | From Global Configuration mode, use the snmp-server management-event command. Prompt: host1(config-mgmtevent)# | Use the exit command once to return to Global Configuration mode. Press Ctrl+z to return to Exec menu.
  • Page 107 Configuration | definitions to a tunnel group. | mode, use the aaa tunnel-group command and specify the name of the tunnel. Prompt: host1(config-tunnel-group)# | Use the exit command once to return to Global Configuration mode. Press Ctrl+z to return to Exec mode.
  • Page 108 group for AAA broadcast accounting. | mode, use aaa accounting vr-group to enter VR Group Configuration mode. Prompt: host1(config-vr-group)# | Use the exit command twice to return to Global Configuration mode. Press Ctrl+z to return to Exec mode.
  • Page 109: Exec Modes

    Trace the path that packets traverse to their destination Privileged Exec mode provides privileged-level access and therefore should also be password protected to prevent unauthorized use. Privileged Exec commands allow you to perform such functions as: Display system information.
  • Page 110: Password Protection

    Negate a command or set its default(s) ping Send echo request to remote host pppoe Set PPPoE information profile-reassign Perform profile reassignment redundancy Perform a redundancy action reload Halt and perform a cold restart
  • Page 111: Global Configuration Mode

    NOTE: The filename must end with an .scr extension, and the file must contain a series of valid CLI commands. The file can be a local file on the router or a remote file on a host system.
  • Page 112: AAA Profile Configuration Mode

    In this mode, you can configure individual attributes for an ATM data PVC. These attributes include the service category, encapsulation method, Inverse Address Resolution Protocol (Inverse ARP), and F5 Operation, Administration, and Management (OAM) parameters.
  • Page 113: ATM VC Class Configuration Mode

    Exit from the current command mode help Describe the interactive help system inarp Configure the Inverse Address Resolution Protocol (InARP) protocol Configure logging settings macro Run a CLI macro Negate a command or set its default(s)
  • Page 114: Classifier Group Configuration Mode

    Exit from the current command mode green-mark Apply TOS mark to IP packets classified Green by the rate limit hierarchy help Describe the interactive help system Configure logging settings macro Run a CLI macro
  • Page 115: Control Plane Configuration Mode

    Set a command to its default(s) default-router The default-router to use for this pool dns-server The dns-server to use for this pool Run an exec mode command (alias command run)
  • Page 116: Domain Map Configuration Mode

    Configure the domain name stripping feature for the domain tunnel Configure tunnel tag virtual-router Configure the virtual-router for the domain name Domain Map Tunnel Configuration Mode In this mode, you can configure tunnel parameters such as the tunnel’s endpoint.
  • Page 117: DoS Protection Group Configuration Mode

    In this mode, you can configure drop profiles for QoS. Drop profiles control RED dropping behavior. From Global Configuration mode, type the drop-profile command, and press Enter. host1(config)#drop profile host1(config-drop-profile)#? average-length-exponent Select TAQL coefficient committed-threshold Specify committed queue thresholds and maximum drop probability
  • Page 118: Explicit Path Configuration Mode

    Describe the interactive help system Configure logging settings macro Run a CLI macro Negate a command or set its default(s) Run an exec mode command (alias command do) sleep Make the Command Interface pause for a specified duration
  • Page 119: Interface Configuration Mode

    30 host1(config-ipnat-pool)#? address Configure address ranges default Set a command to its default(s) Run an exec mode command (alias command run) exit Exit from the current command mode help Describe the interactive help system
  • Page 120: IP PIM Data MDT Configuration Mode

    Configure a user name user-prefix Configure a username prefix IPSec CA Identity Configuration Mode In this mode, you can specify the information that the system uses in online certificate requests and during negotiations with its peers.
  • Page 121: IPSec Identity Configuration Mode

    Configure the Diffie-Hellman group identifier hash Configure the hash algorithm within an IKE policy help Describe the interactive help system lifetime Configure the time an SA will live before expiration Configure logging settings
  • Page 122: IPSec Manual Key Configuration Mode

    In this mode, you can configure an IP Security (IPSec) transport profile, which is used for Layer 2 Tunneling Protocol (L2TP) over IPSec connections. From the Global Configuration mode, type ipsec transport profile, the profileName, virtual-router vrName, ip address ipAddress, and press Enter.
  • Page 123: IPSec Tunnel Profile Configuration Mode

    In this mode, you can specify parameters for GRE or DVMRP dynamic tunnels. From Global Configuration mode, type gre destination profile or dvmrp destination profile and the destination profile name, and press Enter. host1(config)#gre destination profile global host1(config-dest-profile)#?
  • Page 124: IPv6 Local Pool Configuration Mode

    Run an exec mode command (alias command do) sleep Make the Command Interface pause for a specified duration NOTE: You must enable the IPv6 local address pool feature to be able to configure IPv6 local address pools.
  • Page 125: L2 Transport Load-Balancing-Circuit Configuration Mode

    Enter. host1(config-l2tp-dest-profile)#remote host george host1(config-l2tp-dest-profile-host)#? default Set a command to its default(s) disable Disable L2TP parameter for remote host Run an exec mode command (alias command run)
  • Page 126: L2TP Tunnel Switch Profile Configuration Mode

    Configure l2c neighbor parameters Negate a command or set its default(s) Run an exec mode command (alias command do) session-timeout Configure the l2c time-out attribute sleep Make the Command Interface pause for a specified duration
  • Page 127: Layer 2 Control Neighbor Configuration Mode

    Once you execute the line vty command, you will have access to line numbers up to the ending line number.
  • Page 128: Local IPSec Transport Profile Configuration

    In this mode, you can configure parameters for user entries in local user databases. From the Global Configuration mode, type either aaa local username and the userName and databaseName or aaa local database and the databaseName. Then press Enter.
  • Page 129: Map Class Configuration Mode

    Exit from the current command mode help Describe the interactive help system Add IP address to the map Configure logging settings macro Run a CLI macro Negate a command or set its default(s)
  • Page 130: Parent Group Configuration Mode

    Create a set TOS byte policy next-hop Create a next-hop policy next-interface Create a next-interface policy Negate a command or set its default(s) rate-limit-profile Create a rate-limit policy Run an exec mode command (alias command do)
  • Page 131: Policy List Parent Group Configuration Mode

    AC should ignore (drop), rather than respond to (terminate, the default action), a PPPoE Active Discovery Initiation (PADI) request from a client containing the empty service name tag.
  • Page 132: Profile Configuration Mode

    Define the member interface type of the interface set Negate a command or set its default(s) qos-interface-parent Select a QoS interface super set as the parent of this interface. qos-parameter Instantiate a QoS parameter for this interface qos-profile Attach/Detach a qos-profile
  • Page 133: QoS Interface Superset Configuration Mode

    Set the valid range of a QoS parameter Run an exec mode command (alias command do) sleep Make the Command Interface pause for a specified duration subscriber-interface-type Configure interface types representing subscriber interfaces
  • Page 134: QoS Profile Configuration Mode

    Configure the minimum dynamic rate for a simple shared shaper as a percentage of the shared-shaping-rate Negate a command or set its default(s) reaction-factor Configure how the simple shared shaper reacts to changes in measured rate
  • Page 135: Queue Profile Configuration Mode

    Run an exec mode command (alias command do) sleep Make the Command Interface pause for a specified duration timeout Configure the number of seconds to wait for a RADIUS response before retransmitting udp-port Configure the RADIUS server's UDP port
  • Page 136: RADIUS Relay Configuration Mode

    Set the exceeded action exit Exit from the current command mode help Describe the interactive help system Configure logging settings macro Run a CLI macro mask-val Set mask to be applied with mark values
  • Page 137: Redundancy Configuration Mode

    Set transmit characteristics sleep Make the Command Interface pause for a specified duration split-horizon Enable Split-horizon time-to-live Configure ttl used to send to this neighbor update-source Source address to be used for transmit
  • Page 138: Route Map Configuration Mode

    Identify a network for BGP to announce Negate a command or set its defaults overload Configure BGP behaviour when reaching overload state (no more resources available) redistribute Configure the redistribution of routing information from another protocol
  • Page 139: RSVP Configuration Mode

    Specify the request payload size Run an exec mode command (alias command do) samples-of-history-kept Specify the maximum history samples sleep Make the Command Interface pause for a specified duration Specify the user defined tag
  • Page 140: Scheduler Profile Configuration Mode

    In this mode, you can configure certain SNMP triggers for events, what occurs when an event is triggered, resource limits for triggers, and some trap notification options. From Global Configuration mode, type the snmp-server management-event command and then press Enter.
  • Page 141: Statistics Profile Configuration Mode

    From Interface Configuration mode, indicate a subinterface by typing the interface command and an interfaceSpecifier in slot/port.subinterface format, and then press Enter. For example: host1(config-if)#interface atm 3/2.6 host1(config-subif)#
  • Page 142: Subscriber Policy Configuration Mode

    Describe the interactive help system Configure logging settings macro Run a CLI macro Negate a command or set its default(s) Run an exec mode command (alias command do) sleep Make the Command Interface pause for a specified duration
  • Page 143: Traffic Class Group Configuration Mode

    Set a command to its default(s) Run an exec mode command (alias command run) exit Exit from the current command mode help Describe the interactive help system identification Configure tunnel identification Configure logging settings
  • Page 144: Tunnel Profile Configuration Mode

    Run an exec mode command (alias command do) sleep Make the Command Interface pause for a specified duration VRF Configuration Mode In this mode, you can create and configure VRF parameters for BGP/MPLS VPNs.
  • Page 145: VR Group Configuration Mode

    Run a CLI macro Negate a command or set its default(s) Run an exec mode command (alias command do) sleep Make the Command Interface pause for a specified duration support Enter Support mode
  • Page 147: Installing JunosE Software

    Operating with Two SRP Modules” on page 131.) When installing new JunosE Software, you must copy the contents of the release files to a network host and transfer the release files to at least one router in the network.
  • Page 148: Identifying The Software Release File

    Identifying the Software Release File You can find the software release file in the software image bundle that you can download from the Juniper Networks website at http://www.juniper.net/customers/support. The .zip file that you download contains the software release file.
  • Page 149: Installing JunosE Software

    10. Install the software release file to the system space on the router. 11. Save the current configuration. 12. Reboot the system. Task 1: Obtain the Required Information Before you install the software, obtain the following information:
  • Page 150: Task 2: Divert Network Traffic To Another Router

    NOTE: If an IP interface is not configured, an Invalid interface message appears. If the interface already has an IP address, go to Step 5. Otherwise, proceed with Step Configure an IP address on the interface. On ERX7xx models, ERX14xx models, and the ERX310 router:
  • Page 151: Task 5: Copy The Release Files To The Network Host

    Press Ctrl+z to return to Privileged Exec mode. Task 5: Copy the Release Files to the Network Host If you downloaded the software from the Juniper Networks website as a .zip file, uncompress the files to a directory, and copy the release files to the network host.
  • Page 152: Task 7: Enable The FTP Server On The Router

    JunosE Software CD that you created from the downloaded, compressed, image bundle or from the directory in which you downloaded from the Juniper Networks website. The software release file contains a list of all the files associated with the release.
  • Page 153: Task 11: Save The Current Configuration

    WARNING: Execution of this command will cause the system to reboot. Proceed with reload? [confirm] The system reboots. The reboot might take longer than normal because line modules initialize with the old version of the software, acquire the new version from the SRP
  • Page 154: Installing Software When A Firewall Does Not Exist

    The password (if one is configured) that enables you to access Privileged Exec mode on the router The IP address of the network host The IP address of the router The IP address of the next hop to reach the destination network (for example, a gateway)
  • Page 155: Task 2: Divert Network Traffic To Another Router

    Configuring from terminal or file [terminal]? Enter configuration commands, one per line. End with CNTL/Z. host1(config)#interface fastEthernet 6/0 host1(config-if)#ip address ipAddress [ mask ] On the E120 and E320 routers: host1#configure Configuring from terminal or file [terminal]?
  • Page 156: Task 5: Configure Access To The Network Host

    Task 6: Copy the Release Files to the Network Host If you downloaded the software from the Juniper Networks website as a .zip file, uncompress the files to a directory, and copy the release files to the network host.
  • Page 157: Task 7: Copy The Software Release File To The Router

    Make sure that the router is ready to boot with the new software release. host1#show boot If the old software version is still listed, verify that you completed the previous steps correctly. Run the reload command.
  • Page 158: Installing Software In Boot Mode

    The system will be unavailable during the installation process. Task 3: Access the Boot Mode To access Boot mode from the local console: At the Privileged Exec prompt, type the reload command. Information on the reloading process appears.
  • Page 159: Task 4: Assign An IP Address

    Task 7: Copy the Release Files to the Network Host If you downloaded the software from the Juniper Networks website as a .zip file, uncompress the files to a directory, and copy the release files to the network host.
  • Page 160: Task 8: Copy The Software Release File To The Router

    The other routers are unreachable from the network host but have network connectivity to the router on which you installed the new software. The connection between routers is faster than the connection between a router and the network host to which it is connected.
  • Page 161: Upgrading Systems That Are Operating With Two SRP Modules

    If a firewall separates the router from the network host, transfer files to the user space with the FTP client on the network host, and install files on the system space (See “Installing Software When a Firewall Exists” on page 119.) For example: host1#copy /incoming/releases/erx_x-y-z.rel erx_x-y-z.rel
  • Page 162 Switch from the primary SRP module to the redundant SRP module. host1#srp switch The redundant SRP module becomes the primary. The former primary SRP module reboots and becomes the redundant. Reenable autosynchronization. host1(config)#no disable-autosync
  • Page 163: Upgrading JunosE Software

    The procedure you use depends on the number of SRP modules in the system. Upgrading a System That Contains One SRP Module If the system contains only one SRP module, you must power off the system before you upgrade the NVS card.
  • Page 164: Upgrading A System That Contains Two SRP Modules

    NOTE: The release you are installing must be Release 5.1.2 or higher-numbered 5.x.x release. Reinsert the SRP module into the chassis. Force the redundant SRP module to take over from the primary SRP module. host1#srp switch Turn on autosynchronization. host1#enable host1#configure
  • Page 165: Downgrading JunosE Software

    NVS and configuration script incompatibilities. CAUTION: We do not recommend that you attempt to downgrade JunosE Software without the assistance of a Juniper Technical Assistance Center representative. Contact the Juniper Technical Assistance Center to obtain help.
  • Page 167: Configuring SNMP

    For example, SNMP uses a common form and semantics for interface statistics, a process that supports consistent interpretation and meaningful comparison. SNMP is an application-level protocol that comprises the following three elements:
  • Page 168: Terminology

    Also known as a managed device; a hardware device, such as a PC or a router notification A message that indicates a status change (equivalent to a trap) server Also referred to as agent; a managed device, such as a router, that collects and stores management information
  • Page 169: SNMP Features Supported

    SNMP Client The SNMP client runs on a network host and communicates with one or more SNMP servers on other network devices, such as routers, to configure and monitor the operation of those network devices.
  • Page 170: SNMP Server

    For complete information about the SNMP MIBs supported by your router, see the software image bundle that is available for downloading from the Juniper Networks website. In the MIBs folder you will find information about all supported standard and Juniper Networks E Series Enterprise (proprietary) MIBs.
  • Page 171: Configuring SNMP

    IP address. If the access list number is zero, the IP address is accepted. A nonmatching community or an invalid IP address causes an SNMP authentication error. Each entry in the community table identifies:
  • Page 172: Management Features

    Table 17: Relationship Among Groups, Security Levels, and Views

    | Group Name | Security Level | Read View | Write View | Notification/Trap View |
    |---|---|---|---|---|
    | admin | authentication and privacy | everything | everything | everything |
    | mirror | authentication and privacy | mirrorAdmin | mirrorAdmin | mirrorAdmin |
    | public | none | user | nothing | nothing |
  • Page 173: Virtual Routers

    Disabling and Reenabling SNMP Proxy The ability to proxy SNMP from a virtual router (VR) is enabled by default whenever you create a virtual router agent. However, you can disable or reenable the proxy feature on
  • Page 174: Communicating With The SNMP Engine

    24 bits of the 32-bit router index (or router UID). You can obtain the contextName for a specific router through the Juniper-ROUTER-MIB from the juniRouterContextName object in the juniRouterTable, which is indexed by the 32-bit router index (juniRouterIndex).
  • Page 175: SNMP Attributes

    Privilege SNMP Operations SNMP has the five operations defined in Table 20 on page 145. Table 20: SNMP Operations SNMP Operation Definition Allows the client to retrieve an object instance from the server.
  • Page 176: SNMP PDU Types

    SNMP is supported on all E Series routers. For information about the modules supported on E Series routers: See the ERX Module Guide for modules supported on ERX7xx models, ERX14xx models, and the ERX310 router.
  • Page 177: References

    Routers in the E120 and E320 Hardware Guide. Also make sure that you have the necessary configuration information for: Communities and their assigned privileges IP addresses of SNMP clients and trap recipients SNMPv3 users
  • Page 178: SNMP Configuration Tasks

    You can also set up SNMP traps and set up the router to collect bulk statistics. See “Configuring Traps” on page 156 and “Collecting Bulk Statistics” on page 183. Enabling SNMP To enable the SNMP server, use the following command. snmp-server Use to enable SNMP server operation. Example
  • Page 179: Configuring SNMP v1/v2c Community

    The name can be up to 31 characters, and it must be enclosed in quotation marks. The maximum number of communities in each virtual router is 32. By default, an SNMP community permits only read-only access.
  • Page 180: Configuring SNMPv3 Users

    15 to view or use this command. Example host1(config-profile)#snmp-server group grp1authpriv usm priv read grp1read write grp1write notify grp1notify Use the no version to remove the dynamically created group. See snmp-server group. snmp-server view
  • Page 181: Setting Server Parameters

    Increase this value to improve the efficiency of the GetBulk operation. Example host1(config)#snmp-server packetsize 1000 Use the no version to set the SNMP packet size to the default maximum size, 1500 bytes. See snmp-server packetsize.
  • Page 182: Configuring Memory Warning

    E Series routers. proprietary—Sets the encoding scheme to the E Series router proprietary method. Example host1(config)#snmp-server interfaces description-format common
  • Page 183: Managing Interface Sublayers

    SonetVT SonetVT interface layer VlanMajor VlanMajor interface layer VlanSub VlanSub interface layer <cr> If you enter the snmp-server interfaces compress command without keywords, the following interface types are removed from the interface tables: ethernetSubinterface hdlc ipLoopback ipVirtual
  • Page 184 Compression will be applicable to ifStackTable/ifInvStackTable/juniIfStackTable interface-tables Compression will be applicable to ifTable/ifXtable/juniIfTable host1(config)#snmp-server interfaces compress atm table-type interface-tables host1(config)#snmp-server interfaces compress Ds1 table-type interface-stack-tables Router#show snmp interfaces Compressed(Removed) Interface Types : From ipNetToMediaTable:
  • Page 185: Controlling Interface Numbering

    The maxIfNumber option sets the maximum number of interfaces allowed in the interface tables. CAUTION: Reducing the value of the maxIfIndex or maxIfNumber causes the router to automatically reboot to factory default settings.
  • Page 186: Monitoring Interface Tables

    HDLC, FT1, ATM, ATM1483 Armed Interface Numbering Mode: RFC1213, maxIfIndex=65535, maxIfNumber=65535 Interface Description Setting: proprietary See show snmp interfaces. Configuring Traps This section provides information for: IP Hosts on page 157 Trap Categories on page 157
  • Page 187: IP Hosts

    Vector Multicast Routing Protocol traps dvmrpProp—E Series router proprietary DVMRP traps environment—Power, optical power, temperature, fan, and memory utilization traps fileXfer—File transfer status change traps haRedundancy—High availability and redundancy traps inventory—System inventory and status traps
  • Page 188: Trap Severity Levels

    The router provides a method of filtering traps according to severity. Table 22 on page 158 describes the supported severity levels. Table 22: Trap Severity Descriptions Severity Number Severity Name System Response Emergency System unusable Alert Immediate action needed
  • Page 189 To set up a severity filter for a specific host, use the snmp-server host command. snmp-server enable traps Use to enable and configure SNMP trap generation on a global basis. Traps are unsolicited messages sent from an SNMP server (agent) to an SNMP client (manager).
  • Page 190 SONET category in Step 3, the global severity level remains unchanged as notice. This behavior occurs because only the category-specific severity level was configured in the last operation. Example 2—Overwriting the global severity level to the last-configured setting
  • Page 191 You can enable the traps listed in “Trap Categories” on page 157. You can filter traps according to the trap severity levels described in Table 22 on page 158. Example host1(config)# snmp-server host 126.197.10.5 version 2c westford udp-port 162 snmp link trapfilters alert
  • Page 192 Use the no version to disable these traps for the interface. NOTE: This command operates in Controller Configuration mode. It is supported only by the DS3, DS1, and FT1 interface layers. See snmp trap ip link-status. traps
  • Page 193: Specifying An Egress Point For SNMP Traps

    Use to control the SNMP trap egress rate for the host that is receiving SNMP traps. Use one or more of the following keywords:
  • Page 194: Configuring Trap Notification Logs

    (Optional) Enable the snmpTrap log to severity level info. host1(config)#log severity info snmpTrap NOTE: Enabling the snmpTrap log provides the same information in the router log as appears in the snmp-server notification log. However, long trap strings may appear truncated. log severity
  • Page 195 Use to configure SNMP notification log tables. Use the adminStatus keyword to enable administrative status. Use the includeVarbinds keyword to include log names and log indexes in the trap’s variable bindings. Example host1(config)#snmp-server notificationLog log 10.10.4.4 adminStatus includeVarbinds
  • Page 196: Recovering Lost Traps

    The SNMP server event manager works in conjunction with the Event MIB (RFC 2981). The purpose of this application is to allow many management functions (for example, fault detection, configuration management, accounting management, and performance management). These functions are traditionally performed by the network management
  • Page 197: Event MIB Purpose

    For example, a trigger entry of a specific type of test in the mteTriggerTable creates a linked entry in the appropriate subtable. In turn, this subtable contains more specific information about the specific test.
  • Page 198: Objects Table

    If an event fails to set, the router sends an mteEventSetFailure trap. Sets define certain modifications to other MIB objects based on a particular event. Configuration Tasks To configure the SNMP server event manager: Access the SNMP server management event application. host1(config)#snmp-server management-event host1(config-mgmtevent)#
  • Page 199 If a failure occurs, and the trigger owner and the event owner are the same, the router sends the trap. Enable the event, and exit the event configuration level. host1(config-mgmtevent)#event sysadmin failuretrigger host1(config-mgmtevent-event)#enable host1(config-mgmtevent-event)#exit host1(config-mgmtevent)#event sysadmin fallingtrigger host1(config-mgmtevent-event)#enable host1(config-mgmtevent-event)#exit host1(config-mgmtevent)#event sysadmin risingtrigger host1(config-mgmtevent-event)#enable host1(config-mgmtevent-event)#exit
  • Page 200: Defining A Boolean Test

    To define a Boolean test: Define the Boolean-test comparison that you want this trigger to use.
  • Page 201: Defining An Existence Test

    NOTE: You do not need to bind a failure event to a trigger. If you create a failure event, if a failure occurs, and if the trigger owner and the event owner are the same, the router sends the trap.
  • Page 202: Defining A Threshold Test

    When specifying an event, make sure to use the exact owner name and event name.
  • Page 203 Use to define Boolean test values for the trigger that you are configuring, including comparison settings, a Boolean value, a startup condition, and binding an event to the Boolean-test trigger. Example 1—Specifying a comparison setting
  • Page 204 Once enabled, you cannot edit an event or trigger configuration (even when it is disabled). To change an enabled event or trigger, you must delete it and re-create it. There is no no version. See enable. event
  • Page 205 Use to set the frequency (in seconds) at which you want MIB sampling to occur. Example host1(config-mgmtevent)#frequency 100 Use the no version to restore the default frequency value (600 seconds). See frequency. notification id Use to specify a trap notification for an event. Example host1(config-mgmtevent-event)#notification id mteTriggerFailure
  • Page 206 Use the no version to remove the set operation. See set. snmp-server management-event Use to launch the SNMP server event manager mode on each virtual router on which you plan to manage events. Example host1(config)#snmp-server management-event host1(config-mgmtevent)#
  • Page 207 Use to create a trigger and access the trigger configuration mode of the SNMP server event manager. Example host1(config-mgmtevent)#trigger fred trigger1 host1(config-mgmtevent-trigger)# To leave the trigger configuration mode, use the exit command. Use the no version to remove the trigger. See trigger.
  • Page 208: Monitoring Events

    SampleInstancesLacks—Number of times this system could not take a new sample because that allocation would have exceeded the limit set by mteResourceSampleInstanceMaximum Triggers Owner—Owner value assigned to the trigger Name—Name value assigned to the trigger
  • Page 209 ObjectsOwner—Owner of this object Objects—Name of this object EventOwner—Owner of this event Event—Name of this event Existence Test—Test type for this trigger Startup—Startup condition for this trigger ObjectsOwner—Owner of this object Objects—Name of this object
  • Page 210 RisingEventOwner—Rising event owner value for this trigger RisingEvent—Rising event name value for this trigger FallingEventOwner—Falling event owner value for this trigger FallingEvent—Falling event name value for this trigger DeltaRisingEventOwner—Delta rising event owner value for this trigger
  • Page 211 ContextName—Management context (for example, router1) from which to obtain mteTriggerValueID ContextNameWildcard—Whether or not the context name is a wildcard Example host1#show snmp management-event Resource --------------------------------------------------------------------------- SampleMinimum: 1 SampleInstanceMaximum: 50 SampleInstances: 14 SampleInstancesHigh: 14 SampleInstancesLacks: 0
  • Page 212 Test: absent Startup: absent ObjectsOwner: unitTest Objects: test3 EventOwner: unitTest Event: eventTest3 ------------------------ Threshold Startup: falling Rising: 200 Falling: 100 DeltaRising: 0 DeltaFalling: 0 ObjectsOwner: Objects: RisingEventOwner: unitTest RisingEvent: eventTest2 FallingEventOwner: unitTest FallingEvent: eventTest3 Copyright © 2010, Juniper Networks, Inc.
  • Page 213: Collecting Bulk Statistics

    Service providers need reasonably accurate data about customers’ use of networks. This data is used for billing customers and must be available at a customer’s request. Accounting applications based on SNMP polling models consume significant network bandwidth because they poll large volumes of data frequently.
  • Page 214 The name of the bulk statistics file that is transferred to the host when there is a collectorSequence attribute in the remote name is as follows: fileName - z - mmddHHMM - s. sts where:
  • Page 215: Interface Strings

    Sonet Path interfaces SONET SonetPath ATM interfaces ATM AAL5 interfaces AtmAal5 ATM 1483 interfaces Atm1483 Ft1 interfaces SERIAL HDLC interfaces HDLCIntf HDLC IpLoopback interfaces Loopback IpLoopback IpVirtual interfaces IpVirtual IpVirtual Frame Relay Sub interfaces FrameRelaySub
  • Page 216 Sonet VT interfaces SONET SonetVT Vlan major interfaces VLAN-MAJ VlanMajor Vlan sub interfaces VLAN-SUB VlanSub Gtp interfaces L2fTunnel interfaces L2fTunnel L2fTunnel L2fSession interfaces L2fSession L2fSession L2fDestination interfaces L2fDestination L2fDestination IpSec Tunnel interfaces IpSecTunnel IpsecTunnel
  • Page 217: Understanding Counter Discontinuity

    To take advantage of this detection capability, the bulk statistics parsing entity should use the record to terminate expression or formula calculations for the indicated slot and to establish a new baseline. Configuring Collectors and Receivers To configure the router to collect statistics:
  • Page 218 (Optional) Configure bulk statistics traps. host1(config)#bulkstats traps nearly-full (Optional) Collect bulk statistics per virtual router. host1(config)#bulkstats virtual-router-group collector 2 routerISP3 NOTE: The bulk statistics feature supports generating files on a per interface basis. bulkstats collector
  • Page 219 5767168 bytes. Although the CLI accepts the commands, you cannot unconfigure or modify the configuration of the maximum file size until the router is rebooted. Example host1(config)#bulkstats collector 2 max-size 20480
  • Page 220 Use to set the encoding scheme of the ifDescr object that the bulk statistics application reports to the conventional industry method. This command provides compatibility with software that uses the industry encoding scheme. For more information, see “Configuring Encoding Method” on page 152. Example host1(config)#bulkstats interfaces description-format common
  • Page 221 NOTE: You cannot collect statistics on the SRP Ethernet interface. Example 1 host1(config)#bulkstats interface-type ppp 3/1 collector 2 Example 2 host1(config)#bulkstats interface-type vlan 2/3:1 collector 1 Example 3 host1(config)#bulkstats interface-type mplsMajor 2/3:1 collector 1
  • Page 222 A collector can have a maximum of 64 virtual routers associated with it. Routers are identified by their assigned name or router index. Supported only on if-stats and igmp schemas. Supported on all interface types supported by the bulk statistics application.
  • Page 223: Deleting All Bulkstats Configurations

    File Format—End of the line format in bulkstats files, carriage return and line feed (CR+LF) or LF Current Time—Current system time used to compare with the collection stop/start time Intervals—Number of times the bulk statistics collector has cycled through a collection
  • Page 224 Primary-Receiver—Index number of the primary receiver to which the system transfers data, if defined Second-Receiver—Index of the secondary receiver to which the system transfers data Last Transfer Failure—Last time that the collector attempted to retrieve statistics and was unsuccessful
  • Page 225 Receiver Information: Index—Index number of the receiver RemoteFileName—Hostname, path, and filename of the remote FTP server State
  • Page 226 Index Interval Start Time Interval Stop Time ----- ---------------------------- ------------------------- TUE AUG 15 2000 15:52:33 UTC TUE AUG 15 2000 16:02:33 UTC Not started Schema Information: Index Subtree ----- ------------------------------------------------- ifStats
  • Page 227 ----- ----------------------- Bulk SNMP Statistics Collection See show bulkstats collector description. show bulkstats collector interval Use to display information about the collector transfer interval configuration. Field descriptions Index—Index number of the bulk statistics collector
  • Page 228 Primary-Receiver—Receives the bulk statistics sent by the collector Secondary-Receiver—Serves as a backup to the primary receiver Example host1#show bulkstats collector transfer-mode Index Transfer-Mode Primary-Receiver Secondary-Receiver ----- ------------- ---------------- ------------------ auto-xfer
  • Page 229 Index—Index number of the receiver RemoteFileName—Hostname, path, and filename of the remote FTP server Index—Index number of the receiver State active—Receiver is properly configured and currently active notInSvc—Receiver has been decommissioned by a management client
  • Page 230 CollectorStarts—Number of times the bulk statistics collector has started CollectorIncompleteCfgs—Number of times the bulk statistics collector attempted to start a collector, but failed because the collector’s configuration was incomplete
  • Page 231 Transferred—Number of records for dynamic interfaces that were written to the bulk statistics (.sts) file. Dropped—Number of records for dynamic interfaces that were dropped (that is, not written to the bulk statistics [.sts] file)
  • Page 232 SNMP entity on this system when the threshold is reached file-full—Trap will be posted to the SNMP entity on this system when the trap reaches 100% State—Configuration setting: enabled, disabled
  • Page 233: Understanding Schemas

    Table 24: Data Retrieved According to Schema Schema Retrieves if-stack The interface and interface column configuration. It is a complete retrieval of the ifStackTable, which stores the configured interfaces and their stacking relationship on a router.
  • Page 234: If-Stats Schema Objects

    Configure If-stats schema for in-mcast-pkts in-octets Configure If-stats schema for in-octets in-policed-octets Configure If-stats schema for in-policed-octets in-policed-pkts Configure If-stats schema for in-policed-pkts in-spoofed-pkts Configure If-stats schema for in-spoofed-pkts in-ucast-pkts Configure If-stats schema for in-ucast-pkts
  • Page 235: Igmp Schema Objects

    IGMP Schema Objects Table 26 on page 206 describes the IGMP objects that you can configure using the bulkstats schema subtree igmp command.
  • Page 236: Policy Schema Objects

    Configure policy schema for upper red bytes upper-red-packets Configure policy schema for upper red packets upper-yellow-bytes Configure policy schema for upper yellow bytes upper-yellow-packets Configure policy schema for upper yellow packets yellow-bytes Configure policy schema for yellow bytes
  • Page 237: Qos Schema Objects

    Configure QoS schema to export the number of bytes of green traffic that were dropped on this queue green-dropped-packets Configure QoS schema to export the number of packets of green traffic that were dropped on this queue
  • Page 238 Configure QoS schema to export the number of bytes of yellow traffic that were dropped on the queue yellow-dropped-packets Configures QoS schema to export the number of yellow packets that were dropped on the queue
  • Page 239: Configuring Schemas

    See “Configuring Collectors and Receivers” on page 187 for information about configuring collectors. bulkstats schema Use to create the schema for collecting bulk statistics. Example—Creates schema with schema index 4 host1(config)#bulkstats schema 4 Use the no version to delete the specified schema.
  • Page 240 Configure bulkstats for MPLS minor Interfaces Configure bulkstats for PPP interfaces vlan Configure bulkstats for VLAN Sub-Interfaces Use the no version to delete the specified schema. See bulkstats schema subtree. bulkstats schema subtree igmp
  • Page 241 Example 1—Configures the QoS schema to export all egress queue attributes host1(config)#bulkstats schema 4 subtree qos subtreelist all
  • Page 242: Mapping Bulkstats Output To Mib Files And Cli Configurations For Bulk Statistics Schema

    RFC1213 ifDescr – A textual string containing information about the interface. This string should include the name of the manufacturer, the product name and the version of the interface hardware/software
  • Page 243 This object is a 64-bit version of ifInOctets Discontinuities in the value of this counter can occur at re-initialization of the management system, and at other times as indicated by the value of ifCounterDiscontinuityTime
  • Page 244 Discontinuities in the value of this counter can occur at re-initialization of the management system, and at other times as indicated by the value of ifCounterDiscontinuityTime
  • Page 245 0 Discontinuities in the value of this counter can occur at re-initialization of the management system, and at other times as indicated by the value of ifCounterDiscontinuityTime
  • Page 246 Discontinuities in the value of this counter can occur at re-initialization of the management system, and at other times as indicated by the value of ifCounterDiscontinuityTime
  • Page 247 IpIfStatsOutSchedDropOctets out-sched-octets Scheduler octets dropped ifOutSchedPkts juniAcctng juniIpIfStatsOutSchedDropPackets out-sched-pkts Scheduler packets dropped ifLowerInterface juniAcctng juniAcctngIfLowerInterface lower-interface The ifIndex of the lower interface
  • Page 248 This object is a 64-bit version of ifInBroadcastPkts Discontinuities in the value of this counter can occur at re-initialization of the management system, and at other times as indicated by the value of ifCounterDiscontinuityTime
  • Page 249 Multicast octets received ifHCOutMulticastOctets out-mcast-octets Multicast octets sent Table 30 on page 220 shows the mapping between the bulkstats output and the CLI and MIBs for QoS schema.
  • Page 250: Table 30: Mapping Bulkstats Output To Mib Files And Cli Configurations For Qos

    The attribute is a 32–bit integer. ParentNodeChildrenWeight rsacctng rsAcctngParentChildWeight parent-weight The total weight of the child queues for a parent node in the scheduling hierarchy. The attribute is a 32–bit integer.
  • Page 251 For egress queues, the QShapRate attribute returns the bit rate at which the traffic for the queue is shaped. The attribute is a 32–bit integer.
  • Page 252 QFwdedRate rsacctng rsAcctngForwardedRate forwarded-rate The average forward rate of the queue. It is averaged over the rate period of the statistics-profile associated with the queue. The attribute is a 64–bit integer.
  • Page 253 The attribute is a 64–bit integer. QYellowDiscardOctets rsacctng rsAcctngYellowDropBytes yellow-drop-bytes The number of yellow octets which were chosen to be discarded even though no errors had been detected to prevent their being received. The attribute is a 64–bit integer.
  • Page 254: Monitoring Schema Statistics

    Subtree List—Types of statistics the schema is configured to receive Example 1—Displays bulk statistics information for a schema that is configured to retrieve the if-stack and system information. host1#show bulkstats schema
  • Page 255: Configuring Interface Numbering Mode

    1 and ranging to ifNumber. This mode differs from the default interface numbering mode, which encodes a type field in the upper 8 bits of a 32-bit integer. The use of the upper 8 bits creates large gaps in the ifIndex numbering scheme.
  • Page 256: Using The Bulk Statistics Formatter

    Setting Remote Filenames The router supports the following special characters for remote filenames: %x—An integer in hexadecimal format (base 16) %s—A character string %u—An unsigned integer in decimal (base 10) %d—An integer in decimal (base 10)
  • Page 257: Guidelines

    Use to strip the carriage return from the end of each line in the bulkstats file. Example host1(config)#bulkstats file-format endOfLine-LF Use the no version to return to the default, CR and LF. See bulkstats file-format endOfLine-LF.
  • Page 258: Managing Virtual Routers

    0 Number of requested variables 0 Number of altered variables 1 Get-request PDUs 1 Get-next PDUs 0 Set-request PDUs 0 Unknown security models 0 Unavailable contexts 2 SNMP packets out 0 Too big errors (Maximum packet size 1500)
  • Page 259: Viewing Snmp Status

    Number of altered variables—Number of variable bindings processed successfully in SNMP set commands Get-request PDUs—Number of get-exact SNMP PDUs processed Get-next PDUs—Number of get-next SNMP PDUs processed Set-request PDUs—Number of set SNMP PDUs processed
  • Page 260 SNMP engine Unknown Engine ID Report PDUs—Number of packets received by the SNMP engine that were dropped because they referenced an snmpEngineID that was not known to the SNMP engine
  • Page 261 Use to display information about the groups you configured. Field descriptions Group Name—Name of the group Model—Security model; for example, user-based security model (USM) Level—Method for authentication and privacy none—No authentication and no privacy auth—Authentication only priv—Authentication and privacy
  • Page 262 ------- admin@default everything private@default user public@default user See show snmp community. show snmp group Use to display the list of available groups. Detailed information is available through the show snmp access command. Field descriptions
  • Page 263 Global Age Out Value—Ageout for traps in the notification log tables Global Entry Limit Value—Maximum number of notifications kept in all notification log tables Example host1#show snmp notificationLog Global Age Out Value: 1440 minutes
  • Page 264 Queue DrainRate—Maximum number of traps per second to be sent to the host. Queue Full discard method—Method used to discard traps when the queue is full: dropFirstIn—Oldest trap in the queue is dropped. dropLastIn—Most recent trap is dropped.
  • Page 265 Trap(s) out—Total number of traps sent by the virtual router Trap(s) proxied—Total number of traps proxied by the virtual router Address—IP address of the host
  • Page 266 Use to display information about users. Field descriptions User—Name of the user Auth—Authorization protocol for this user no—No authorization protocol md5—HMAC-MD5-96 authorization protocol sha—HMAC-SHA-96 authorization protocol Priv—Privacy protocol for this user no—No privacy protocol
  • Page 267 1.3.6.1.6.3.12. user excluded 1.3.6.1.6.3.13. user excluded 1.3.6.1.6.3.14. user excluded 1.3.6.1.6.3.15. user excluded 1.3.6.1.6.3.16. user excluded 1.3.6.1.6.3.18. nothing excluded 1.3.6.1. everything included 1.3.6.1. everything excluded 1.3.6.1.4.1.4874.2.2.77. mirrorAdmin included 1.3.6.1.4.1.4874.2.2.77. See show snmp view.
  • Page 268: Output Filtering

    Output Filtering You can use the output filtering feature of the show commands to include or exclude lines of output based on a text string you specify. See “Command-Line Interface” on page 27, for details.
  • Page 269: Managing The System

    Using a Loopback Interface on page 304 Using the Telnet Client on page 305 Configuring DNS on page 305 Troubleshooting the System on page 309 Managing and Monitoring Resources on page 320 Monitoring the System on page 322
  • Page 270: Overview

    When you receive the router, it has a factory default host name. To rename the router, use the hostname command. hostname Use to rename the router. The assigned name is displayed in the command-line interface (CLI) prompts. Example
  • Page 271: Managing The System

    See hostname. Configuring the Switch Fabric Bandwidth By default, the switch fabric for the Juniper Networks ERX1440, ERX310, E120, and E320 routers uses a bandwidth weighting ratio of 15:2 for multicast-to-unicast weighted round robin (WRR). In the absence of strict-priority traffic, and when both unicast and multicast...
  • Page 272 On the E120 and E320 routers, you can specify sonet for only two of the available three timing sources (primary, secondary, or tertiary). The available sources to choose are: ds1—DS1 interface ds3—DS3 interface e1—E1 interface e3—E3 interface sonet—SONET interface internal—Internal system controller (SC) oscillator line—External timing input on SRP module
  • Page 273: Monitoring Timing

    However, if the warm restart is not complete in 5 minutes, the warm start is cancelled and configuration access is restored. Example 1 host1#configure Configuring from terminal or file [terminal]? Enter configuration commands, one per line. End with CNTL/Z. host1(config)#
  • Page 274 You can access the Privileged Exec commands using one of 16 levels of command privilege. If you do not enter a privilege level and you are not accessing the router through a RADIUS authentication account, the default CLI access level is 10. For
  • Page 275 Use to exit the current command mode or the system when issued from the User Exec mode. Example host1#exit host1> There is no no version. See exit. help Use to display basic information about the interactive help system. Example
  • Page 276: Managing Vty Lines

    AAA authentication on the lines. line vty Use to open or configure vty lines. You can specify a single line or a range of lines. The range is 0–29.
  • Page 277: Monitoring Vty Lines

    For more information about configuring security for vty lines, see “Managing the System” on page 239. Monitoring vty Lines Use the show line vty command to monitor vty lines. show line vty Use to display the configuration of a vty line. Field descriptions
  • Page 278: Clearing Lines

    You can specify the line type and the relative number to clear a specific type of line. For each line on the system, the relative number is listed in the line name field of the show users command output. Example 1 host1#clear line 2
  • Page 279: Monitoring The Current Configuration

    Combination Interfaces Format Entire configuration Entire configuration Layer 2 configuration appears in appears in the default appears in the layer 3 the default router the layer 3 router output virtual router output virtual router output
  • Page 280 5/0.103.1 encapsulation ppp ppp authentication pap ip address 100.0.1.1 255.255.255.0 interface atm 5/0.104 point-to-point atm pvc 104 0 104 aal5snap 0 0 0 ip address 150.0.1.1 255.255.255.0 ipv6 address 2000:0:17::1/60
  • Page 281 … interface null 0 interface loopback 0 ip address 127.0.0.2 255.0.0.0 interface atm 5/1.100.1 ip address 102.0.1.2 255.255.255.0 interface atm 5/1.102 ip address 102.0.2.2 255.255.255.0 interface atm 5/1.103 ip address 100.0.0.2 255.255.255.0
  • Page 282 100 0 100 aal5snap 0 0 0 encapsulation pppoe pppoe sessions 1 interface atm 5/1.100.1 encapsulation ppp ppp authentication chap interface atm 5/1.102 multipoint atm pvc 1021 0 1021 aal5snap 0 0 0
  • Page 283 150.0.1.1 255.255.255.0 ipv6 address 2000:0:17::1/60 ip route 0.0.0.0 0.0.0.0 10.13.5.1 ip route 40.0.0.0 255.0.0.0 atm5/0.104 ip route 172.28.32.70 255.255.255.255 10.13.5.1 no ip source-route ipv6 ! ============================================================================ virtual-router foo … interface null 0 interface loopback 0
  • Page 284: Customizing The Configuration Output

    Use the tag-group command to configure an interface tag group. Any number of interfaces can be in a tag group. The following interface types cannot be added to tag groups: tunnel, lag, mlppp, and mlframe-relay. An interface can be in only one tag group.
  • Page 285: Table 32: Categories Of Router Settings

    ? command. You can combine the category keyword with the virtual-router keyword to display the current configuration of specific settings for a virtual router.
  • Page 286 27, for details. Example host1# show configuration ! Configuration script being generated on TUE JAN 29 200X 00:31:12 UTC! Juniper Networks Edge Routing Switch ERX-700 ! Version: x.y.z (January 18, 200X 15:01) ! Copyright (c) 1999-200X Juniper Networks, Inc. All rights reserved.
  • Page 287 4/0.2 point-to-point qos-profile myQosProfile ip description TestIP interface atm 4/0.3 point-to-point Example using category keyword: host1# show configuration category system file-system boot config running-configuration boot system m.rel no boot backup
  • Page 288: Detecting Corrupt File Configurations

    Manual mode is the default detection mode. For corruption detection of the CNF files, you must use manual mode. A critical message that indicates whether the corrupted configuration files are recoverable appears prompting you to manually recover the corrupt files.
  • Page 289 Example 2—Check running configuration in manual mode when auto mode is enabled host1(config)#service check-config running-configuration WARNING: This command will cause config monitor to switch into manual mode. Proceed with current command? [confirm]
  • Page 290: Automatically Recovering Corrupt Configuration Files

    You can use the service check-config auto-recover command to enable auto-recovery of corrupt CFG files in the running configuration. You can use the service check-config running-configuration command to view a list of corrupt files in the running configuration and the files that are recoverable.
  • Page 291 If the file system on the standby SRP is corrupt when HA is disabled and the mode of the service check-config command has been set to auto-recover, auto, or manual, the following changes occur:
  • Page 292 Auto-Recovery—Monitoring of corrupt configuration stops on both the primary and standby SRP modules and a message appears indicating whether the files are recoverable. If the SRPs are successfully recovered, monitoring of corrupt
  • Page 293 SRP and the standby SRP. Example host1(config)#service check-config running-configuration Use the no version without the running-configuration option to restore the default action, manual detection. See service check-config. service check-config running-configuration recover
  • Page 294: Configuring The System Automatically

    “show running-configuration” on page 258. If you are in Manual Commit mode and want to save the configuration changes to NVS, you must issue either the write memory command or the copy running-configuration startup-configuration command.
  • Page 295 Tools folder of the software image bundle that you can download from the Juniper Networks website, depending on whether you want to install the software on an ERX model or an E120 and E320 model, shipped with your router that enables you to view the text configuration in a configuration file that contains both binary and text configuration.
  • Page 296 Issuing this command causes an immediate save of configuration data not yet committed to NVS. If issued when high availability is initializing, the CLI notifies you of the state and requests that you try again later. Example host1(config)#service manual-commit
  • Page 297: Using The Desktop Tool For Viewing Uncompressed Text Configuration

    You must configure execute permissions for the files and executables that you install from the software image bundle that you downloaded from the Juniper Networks website or from the software CD that you created from the downloaded bundle.
  • Page 298: Requirements For Microsoft Windows Systems

    The GCC compiler is available with Linux 5.0 and Linux 5.1 platforms. If the GCC compiler is not installed on your Linux system, install the required RPMs from the Linux installation disk. Perl is also available with Linux 5.0 and Linux 5.1 installation.
  • Page 299: Usage Notes For The Perl Script

    Use the no version to revert to the default, 9600 bps. See speed. terminal speed Use to set the speed for the current console session. Example host1#terminal speed 14400 There is no no version. See terminal speed.
  • Page 300: Configuring The Display Terminal

    Set the number of bits to 7 to view only characters in the standard ASCII set. Example host1(config)#line vty 1 3 host1(config-line)#data-character-bits 7
  • Page 301: Configuring Login Conditions

    To do so: Access the line configuration mode using either the console or vty keyword. Specify the time during which the user must enter the password. For example: host1(config)#line console 0
  • Page 302: Setting Time Limits For User Input

    4192 13 Use the no version to remove the time limit. See exec-timeout. Configuring CLI Messages You can configure text banners for the CLI to display to users at different times in the connection process.
  • Page 303 You can configure MOTD or exec banners, but not login banners, for the CLI to display on a per-line basis. Use the no version to remove the banner. See banner. exec-banner
  • Page 304: Monitoring The Console Settings

    Monitoring the Console Settings You can use the following commands to monitor console settings. show line console 0 Use to view the parameters configured for all future console sessions and the current console session. Example
  • Page 305 Never—Indicates that there is no time limit Example host1#show terminal Length: 25 lines, Width: 80 columns data-character-bits: 8 bits per character Speed: 9600 bits per second dsr-detect disabled exec-timeout never exec-banner enabled motd-banner enabled login-timeout 30 seconds See show terminal.
  • Page 306: Sending Messages

    --More-- prompt. The receiving terminal displays the message, the line number of the sender, the username of the sender if the user was authenticated through RADIUS, and the time the message was sent. send
  • Page 307: Managing Memory

    Table 33: Types of System Files and Corresponding Extensions Type of File Extension Description Configuration *.cnf Snapshot of the system’s configuration Core dump *.dmp File you can create for troubleshooting if a module fails
  • Page 308 However, users cannot access the system space through FTP. To install a file from the user space to the system space, use the copy command. For detailed information about transferring files between locations, see “Transferring Files” on page 287.
  • Page 309: Managing The User Space From A Network Host

    Change file structure settings (only stream mode supported). MODE Change file transfer mode (only stream mode supported). PASV Make the server listen on a port for data connection. NOOP Do nothing. DELE Delete a file.
  • Page 310: File Commands And Ftp Servers

    Use to rename a local file. You can change the base name but not the extension of a file. Example host1#rename boston1.cnf boston2.cnf There is no no version.
  • Page 311: Table 35: File Types You Can Rename

    *.hty *.log (excluding *.log system.log) *.mac *.mac *.pub *.scr *.rel *.txt *.scr *.sts *.txt Nonsystem files Network Host None None None None Within a Firewall Standby SRP None None None None Module See rename.
  • Page 312: Deleting Files

    WARNING: The force option is ignored for this file type. Delete disk0:sample-1.dmp? [confirm] -> press n disk0:sample-1.dmp: not deleted (per user request) Delete disk0:sample-2.dmp? [confirm] -> press y disk0:sample-2.dmp: Deleted Deleted 1 file, matched 2 files host1#delete /outgoing/test.scr There is no no version.
  • Page 313: Monitoring Files

    Use to show a list of files in NVS. Specify a directory path, a local filename, a local device name, or some combination of these to view any local files or directories. You cannot use the dir command on a network device.
  • Page 314 255400 disk0:730beta19.cnf 283141 283141 disk0:730beta18.cnf 284503 284503 disk0:erx_8-0-0b0-24.cnf 327404 327404 disk0:7.3run.cnf 301635 301635 disk0:80beta_bce_backup.cnf 333228 333228 disk0:800beta5.cnf 300575 300575 disk0:820beta5.cnf 311616 311616 disk0:810beta16.cnf 297764 297764 disk0:SRP-10Ge_3_SC_08_22_2006_07_39.dmp 153268924 153268924 disk0:SRP-10Ge_3_SC_04_12_2007_09_47.dmp 182385184 182385184 disk0:reboot.hty 402368 402368
  • Page 315 1054900224 167372414 68157440 standby-disk0: 1054900224 153330775 68157440 Example 2 host1#dir *.txt Please wait..Active/standby file systems are synchronized. unshared file size size ---------------------------------- --------- --------- disk0:bng___1.txt 11092 11092 disk0:bng___2.txt 11092 11092 disk0:bng___3.txt 11092 11092
  • Page 316: Viewing Files

    Use the more command to display the contents of a macro, script, or text file. The file can reside in NVS on the primary SRP module, in NVS on the redundant (standby) SRP module, or on a remote server that you access using FTP. more
  • Page 317: Transferring Files

    However, if there is no firewall between the E Series router and the network host, you can use the copy command, the remote FTP server, or the remote TFTP server to transfer files.
  • Page 318: References

    (but not both) can be remote files. The following URL format is supported for both source and destination files: protocol://[username [:password]@]location[/directory]/filename The location can be a hostname or an IP address. The two versions of the URL format are as follows: ftp://[username[:password ]@]location[/directory]/filename tftp://location[/directory]/filename
  • Page 319: Using The Copy Command

    In the following example, the directory passed to the FTP protocol layer is dirA/dirB/dirC. ftp://username:pwd@mary/dirA/dirB/dirc/fileA Using the copy Command Table 37 on page 290 shows the types of files that you can transfer between the locations by using the copy command.
  • Page 320: Table 37: File Types You Can Transfer Using The Copy Command

    *.log *.scr *.mac *.txt *.pub *.rel ( *.rel file only, not files associated with the *.rel file) *.scr *.txt Nonsystem files Network Host *.cnf None None None Within a *.mac Firewall *.rel *.scr *.txt
  • Page 321 See Table 37 on page 290 for the types of files that you can copy. Specify a network path to copy to or from another device on the network. Specify the incoming or outgoing directory to copy to or from the user space.
  • Page 322 You can copy and paste the command showing the encrypted forms into a macro or script to use as desired. Specify the number 8 before the username and before the password to enter an encrypted value.
  • Page 323 For information about interface types and specifiers, see Interface Types and Specifiers in JunosE Command Reference Guide.
  • Page 324: Copy Command Examples

    The following command creates or replaces the local file autocfg.scr by copying the remote file autocfg.scr located in the directory ftpDir/scripts on the host
  • Page 325: Using Tftp To Transfer Files

    TFTP. Before transferring files by the remote TFTP server, you must use the host command to define the host and to specify TFTP as the file transfer protocol.
  • Page 326: Configuring The Ftp Server

    Configuring Authentication Before you enable the FTP server, configure the authentication procedure for the vty lines, as follows: Configure host access lists.
  • Page 327: Configuration Tasks

    POP subnet only through the RADIUS server. The following example shows all steps for configuring this scenario, from specifying a RADIUS server to enabling the FTP line: Configure the RADIUS server. host1(config)#radius authentication server 10.6.131.51 host1(config-radius)#key abc123 host1(config-radius)#udp-port 1645
  • Page 328: Monitoring The Ftp Server

    Statistics since last system reload—Data about the connection attempts since you last booted the system attempts—Number of attempts to connect failed hosts—Number of connection attempts that failed because of disallowed host addresses failed users—Number of connection attempts that failed because users were not authenticated
  • Page 329 ------ -------------- ----- ---------- ---------------- console 0 console 02/12/2001 19:57 vty 3 (ftp) fred 10.10.0.64 02/12/2001 20:04 vty 4 (telnet) 10.10.0.64 02/12/2001 20:04 Note: '*' indicates current user. Example 2
  • Page 330: Copying Partial Releases

    (Optional) Determine whether the currently running software is a result of a copy with excluded subsystems. The word “Partial” indicates that subsystems were excluded. host1#show version Juniper Networks, Inc. Operating System Software Copyright (c) 200X Juniper Networks, Inc. All rights reserved. System Release: x-y-z.rel Partial
  • Page 331 Use the command before you copy a release to verify which subsystems are present in the release. Example host1#show subsystems file m:/x/images/x-y-z.rel oc12p oc12a coc12 oc12s Use the command after copying a release to verify which subsystems are included and excluded. Example
  • Page 332: Configuring The Nfs Client

    Add the remote host to the host table. Configure the remote host as an NFS server for this virtual router. Specify the E Series interface that this virtual router will use to exchange NFS communications with this server. host
  • Page 333: Monitoring The Nfs Client

    NFS servers. Use “show ip nfs” on page 304 command to display information about the interface that the current virtual router uses to exchange messages with the NFS server. show ip nfs
  • Page 334: Using A Loopback Interface

    Use to access and configure the loopback interface. Provides a stable address to minimize impact of a physical interface going down. Example host1(config)#interface loopback 20 host1(config-if)#ip address 10.10.20.5 255.255.255.254 Use the no version to delete the loopback interface. See interface loopback.
  • Page 335: Using The Telnet Client

    The name resolver is the client side of DNS and receives address-to-hostname requests from its own clients when they want to contact hosts on other networks. By polling name servers, the name resolver learns name-to-address translations for the hosts its clients want to contact.
  • Page 336: References

    Access the virtual router context. Define static routes to the gateways that provide access to the name servers. Enable the virtual router to query name servers. Specify a default domain name for the hosts. Specify the name servers.
  • Page 337 Use to specify a DNS name server that the system can query for hostname-to-IP-address resolution. This command supports both IPv4 and IPv6 addressing formats. Example host1(config)#ip name-server 192.168.25.100 1:2:3:4:5:6:7:8:9:0:a:b:c:d:e:f Use the no version to delete the name server. See ip name-server.
  • Page 338: Using One Name Resolver For Multiple Virtual Routers

    Using following Domain Name Servers—Name servers you assigned Using following Local Domain Names—Default domain names you specified Example—The virtual router boston uses the name resolver on the default virtual router.
  • Page 339: Troubleshooting The System

    You can enable the system to create a core dump file if a module fails. You can choose to send the core dump file to an FTP server or save the file to NVS. Juniper Networks Customer Service can then access the core dump file and analyze it to determine what went wrong.
  • Page 340: Global Configuration Mode

    To send the core dump file to NVS memory, use the local keyword. Local core dumps—stored in NVS—are enabled by default. Example host1(config)#exception dump 192.168.56.7 CORE_DUMPS Use the no version to disable the core dump. See exception dump. exception gateway
  • Page 341 Reloading the standby SRP causes high availability to be temporarily disabled until the standby SRP reloads and resynchronizes with the active SRP. Example host1#reload There is no no version. See reload. show exception dump
  • Page 342: Managing Core Dump Files

    E320 routers has a second NVS card which is dedicated to storing core dump files. The core dump monitor eliminates the impact that core dumps may have on redundant routers by allowing you to manage core dump files in NVS. The core dump monitor allows
  • Page 343: Enabling And Disabling The Core Dump Monitor

    FTP server. If you choose not to define a username or password, the router uses the values of “anonymous” and “null,” respectively. See exception monitor.
  • Page 344: Specifying The Core Dump Monitor Interval

    Files on flash which have not been transferred—A list of core dump files in the router NVS that have not yet been transferred to the FTP host Example host1#show exception monitor Core dump monitor is enabled Next dump monitor check time: WED AUG 16 2003 15:50:38 UTC Host: 10.10.120.99
  • Page 345: Accessing The Core Dump File

    You can now transfer the core dump file to a network host for examination. For example, to transfer the file SRP_1_SC_05_24_2000_02_20.dmp from NVS of the failed SRP module to the host server1, enter the following command: host1#copy SRP_1_SC_05_24_2000_02_20.dmp host:/public/server1/SRP-5G_1_SC_05_24_2000_02_20.dmp copy
  • Page 346: Capturing And Writing Core Dumps

    Example 1—Prompts for confirmation to reboot host1#write core force Example 2—Reboots the module in slot 7 and writes a core memory file host1#write core slot 7 There is no no version. See write core.
  • Page 347: Understanding The Core Dump File

    Table 38: Chassis Slot Numbers Versus Hardware Slot Numbers. Columns: Slot Number on Chassis; Hardware Slot Number (ERX7xx Model); Hardware Slot Number (ERX14xx Model); Hardware Slot Number (E320 Model).
  • Page 348: Tracking Ip Prefix Reachability

    Object—Name of the object being tracked Type—Type of object being tracked Parameter—Parameter type being tracked Value—State of the object being tracked Example host1(config)#show track brief Object Type Parameter Value ERX-WF IP-route reachability ERX-BNG IP-route reachability
  • Page 349: Gathering Information For Customer Support

    Customer support will provide you with an encoded string of commands that this command then executes. tech-support encoded-string Use to execute an encoded command string provided by Juniper Networks customer support personnel. This command requires privilege level 15 access.
  • Page 350: Managing And Monitoring Resources

    show tech-support Use to display technical support information used by Juniper Networks customer support personnel to assist in troubleshooting the router. Example host1#show tech-support Show Technical Support --------------------------------------------------------------------------- System Name : host1 Time : THU JUL 15 2004 17:12:48 UTC...
  • Page 351: Viewing Resource Threshold Information

    Example 1 host1#show resource Resource Threshold Trap: enabled current rising type location capacity value threshold
  • Page 352: Monitoring The System

    Typically, the optional delta keyword is used with show commands to specify that baselined statistics are to be shown. This command applies the “delta” function implicitly. Example host1#baseline show-delta-counts Use the no version to have access to the total statistics. See baseline show-delta-counts. show configuration
  • Page 353 NVS and amount of space used power—States of power feeds AC power—For ERX310 router only; states of power feeds srp redundancy—Availability of a redundant SRP module
  • Page 354 80° C
  • Page 355 *** system operational: no processor processor temperature temperature temperature temperature slot (10C - 70C) status (10C - 70C) status ---- ----------- ----------- ----------- ----------- normal normal normal normal normal normal normal normal
  • Page 356 GE-4 IOA normal fabric temperature ranges below -5C is too cold above 79C is too hot low temperature warning below 10C high temperature warning above 70C processor temperature ranges below -5C is too cold
  • Page 357 -5C is too cold above 79C is too hot low temperature warning below 10C high temperature warning above 56C processor temperature ranges below -5C is too cold above 79C is too hot
  • Page 358 56C See show environment. show fabric weights Use to display multicast-to-unicast ratio for the router switch fabric. Field descriptions multicast—Ratio value of multicast bandwidth unicast—Ratio value of unicast bandwidth Example host1#show fabric weights
  • Page 359 2001 See show hosts. show memory-management protection Use to display information about memory management protection of the router. You can use this command only in the support mode and it is not user configurable.
  • Page 360 0 memProtLock count: 1 maxReversionQueueDepth: 0 context switch stack: 0xaa2646c Mmu driver summary: page size: 4096 total memory mapped: 0x80436000 (2052MB, 525366 pages) highest mapped address: 0xffffffff Page table summary: size: 8388608 (2^23) bytes
  • Page 361 5 second utilization (%)—CPU use by the process for the last 5 seconds 1 minute utilization (%)—CPU use by the process for the last minute 5 minute utilization (%)—CPU use by the process for the last 5 minutes Example host1# show processes cpu Process Statistics
  • Page 362 This can result in the sum total for the “current size” column not matching the sum of the values that appear within the column. This disparity can occur under shared memory conditions
  • Page 363 *** Memory usage summary (by application, 37 total) *** application: * router: * current size utilization headroom ---------- ------- ----------- -------- 100% 100% bridge 100% 100% 100% dhcp 644K 100% 100% dvmrp 100% ethernet 100% forwarding 100% gplaan 100% igmp 100%
  • Page 364
  • Page 365 SRP module and line modules for all E Series routers. Use the all keyword with the E120 and E320 routers to display the operational status of the IOAs. Field descriptions Model identification Copyright—Copyright details for the system software
  • Page 366 SRP is initializing type—Kind of module; an “e” at the end of an SRP module type (for example, SRP-5Ge) indicates that the module includes error checking code (ECC) admin—Status of the slot in the software
  • Page 367 * This release reflects whichever release the router is armed with at startup. Example 1—Displays the version of an ERX7xx model host1#show version Juniper Edge Routing Switch ERX-700 Copyright (c) 1999-2005 Juniper Networks, Inc. All rights reserved. System Release: erx_7-1-0.rel Partial Version: 7.1.0 [BuildId 4518]...
  • Page 368 2d19h:13m:08s Example 3—Displays the version of an E320 router using the all keyword host1# show version all Juniper Edge Routing Switch E320 Copyright (c) 1999-2006 Juniper Networks, Inc. All rights reserved. System Release: 7-3-0.rel Version: 7.3.0 [BuildId 5759] (July 27, 2006...
  • Page 369 16/1 present OC3/STM1-8 ATM IOA enabled Example 4—Displays the version of an E120 router host1# show version Juniper Edge Routing Switch E120 Copyright (c) 1999-2007 Juniper Networks, Inc. All rights reserved. System Release: 8-2-0b0-9.rel Version: 8.2.0 beta-0.9 [BuildId 7030] (April 2, 2007...
  • Page 370 1d08h:34m:30s Example 5—Displays the version of an E120 router using the all keyword host1# show version all Juniper Edge Routing Switch E120 Copyright (c) 1999-2007 Juniper Networks, Inc. All rights reserved. System Release: 8-2-0b0-9.rel Version: 8.2.0 beta-0.9 [BuildId 7030] (April 2, 2007...
  • Page 371: Managing Modules

    For example, before you remove an SRP module, you must enter the halt command to prevent damage to nonvolatile storage (NVS). This chapter describes the software issues associated with managing modules. Each section in the chapter covers a different topic; where appropriate, a section contains an
  • Page 372: Platform Considerations

    I/O module. For example, the Service Module (SM) does not have a corresponding I/O module. By configuring the performance line rate for a line module in the Juniper Networks ERX705, ERX710, and ERX1410 Broadband Services Routers, you can enable the line modules either to operate at full line rate performance or to allow line modules to operate at a rate dependent on the resources available.
  • Page 373: Managing Modules

    Similarly, the 320 Gbps switch fabric on the E320 router allocates 10 Gbps of overall bandwidth to each line module slot. For both configurations, you can install any line module in any of the slots.
  • Page 374: Table 39: Ioa Management Information

    4G LM or ES2 10G LM; GE-8, OC3/STM1, and OC12/STM4 IOAs when paired with ES2 4G LM) ES2-S3 Not applicable Not applicable GE-20 applicable (Full-height IOA) ES2-S1 Not applicable Not applicable 10GE applicable (Full-height IOA)
  • Page 375: Srp Modules And Sfms

    Interface Types and Specifiers in JunosE Command Reference Guide. SRP Modules and SFMs The router accommodates up to two SRP modules and three SFMs that act as an integrated system controller (SC) and switch fabric system. The SC is located on the
  • Page 376: Disabling And Reenabling Line Modules, Srp Modules, And Sfms

    If you specify a slot on the E120 or E320 router that contains an SRP module, you disable the SC subsystem on that slot by default. You do not, however, disable the fabric slice that resides on the slot.
  • Page 377 348 command. The default is enable. Example 1—Enables the module in slot 3 host1(config)#slot enable 3 Example 2—Enables the SRP module and the SC subsystem in slot 7 (applies only to E120 and E320 routers)
  • Page 378: Disabling And Reenabling Ioas

    5/0 There is no no version. See adapter disable. adapter enable Use to enable the IOA in the specified IOA bay. Enables you to restart the IOA that was installed in the slot.
  • Page 379: Removing An Srp Module

    Chapter 4, Installing Modules. halt Use to stop the router’s operation before you remove or power down an SRP module. The following guidelines apply when you issue the halt command in Privileged Exec mode:
  • Page 380: Replacing Line Modules On Erx Routers, The E120 Router, And The E320 Router

    When you configure a line module and an I/O module or IOAs, the router stores the configuration in NVS. In some cases, you must erase the interface configuration on the slot and reconfigure it after you have installed the new line module. However, some line
  • Page 381: Replacing A Line Module By Erasing The Slot Configuration

    For information about replacing the ES2 4G LM or an ES2 10G LM without erasing the slot configuration, see “Replacing Line Modules on ERX Routers, the E120 Router, and the E320 Router” on page 350 . To replace a line module:
  • Page 382: Replacing A Line Module Without Erasing The Slot Configuration

    LM, or vice-versa. In this case, both the line modules must be paired with any one of the following IOAs: ES2-S2 10GE PR IOA ES2-S1 10GE PR IOA ES2-S1 REDUND IOA You can replace a single line module or all of the line modules in a redundancy group using this procedure.
  • Page 383 LM. Do not remove the ES2-S1 GE-8 IOA or the ES2-S1 Redund IOA. After the new line module has booted, issue the show version command to ensure that the status of the line module is disabled (mismatch). host1#show version Juniper Edge Routing Switch E120 ..
  • Page 384 Configure the Ethernet physical interface configuration using an SNMP set request for entPhysicalAssetID and entPhysicalAlias. b. Specify the threshold values for specific interface types for the slot. host1(config)#resource if-type ip slot 1 threshold Related redundancy lockout Documentation resource if-type slot accept slot replace snmp-server
  • Page 385: Replacing Ioas On The E120 Router And The E320 Router

    Replace a 5-Gbps SRP module with a 10-Gbps SRP module or vice versa. Transfer an SRP module from an ERX7xx router to a Juniper Networks ERX1410 router or vice versa. You cannot use the slot accept command to force the router to accept the new SRP module.
  • Page 386 Issuing this command erases the interfaces associated with the specified IOA. To erase the interfaces for both IOAs installed in a slot, issue the slot erase command. Example—Erasing the IOA in the upper bay of slot 5 in an E320 router host1(config)#adapter erase 5/0
  • Page 387 7 (applies only to E120 and E320 routers) host1(config)#slot accept 7 Example 3—Accepts the configuration of the SC on the SRP module in slot 7 (applies only to E120 and E320 routers)
  • Page 388 7 Example 3—Erases the configuration of the SC on the SRP module in slot 7 (applies only to E120 and E320 routers) host1(config)#slot erase 7 srp There is no no version. See slot erase.
  • Page 389: Software Compatibility

    Line modules in an ERX1440 or an ERX310 router always operate at line rate performance. However, you can configure ERX7xx models and the Juniper Networks ERX1410 Broadband Services Router to enable the line modules either to operate at full line rate performance or to allow line modules to operate at a rate dependent on the resources available.
  • Page 390: Choosing A Combination Of Line Modules

    SRP switch can supply per slot group. Table 40 on page 361 shows the bandwidth that each line module requires for line rate performance and the switches that the line module can use on the SRP-5G+ and SRP-10G modules.
  • Page 391: Allowed Combinations For Line Rate Performance

    Table 41 on page 362, Table 42 on page 362, and Table 43 on page 362 indicate combinations of line modules that allow line rate performance.
  • Page 392: Table 41: Combinations Of Line Modules For Line Rate Performance-Srp-10G Module In An Erx7Xx Model

    NOTE: The total bandwidth of all line modules must not exceed 5 Gbps. To make optimal use of the available bandwidth, put line modules that require maximum bandwidth in slot 2, 3, or 4.
  • Page 393: Specifying The Type Of Performance

    See bandwidth oversubscription. Monitoring Bandwidth Oversubscription Use the show bandwidth oversubscription and show utilization (see “Monitoring Modules” on page 394) commands to monitor the status of bandwidth oversubscription. show bandwidth oversubscription
  • Page 394: Troubleshooting Bandwidth Oversubscription

    Each SRP module contains a flash card that stores system files. On the E120 and E320 routers, each SRP module can have an additional flash card; the second card is reserved for the storage of core dumps.
  • Page 395: Flash Features

    (.dmp) files. When a card is installed and mounted as disk1 or standby-disk1, all .dmp files are automatically stored on this card. You must use the card mounted as disk0 or standby-disk0 for all other file types.
  • Page 396 0 or standby disk 0. Flash cards installed and mounted as disk1 or standby disk1 can be safely removed by issuing the no mount command for the card and then ejecting the card. Always reboot the router using the
  • Page 397: Installing And Removing Flash Cards

    The no version prepares the flash card for safe removal. The router subsequently behaves as if the second flash card is no longer present. To access the second card, you must either eject and re-insert the card, or issue the mount command for the card.
  • Page 398: Synchronizing Flash Cards

    30 seconds after the primary module has rebooted. These conditions prevent a redundant SRP module with corrupted or missing files from becoming the primary and overwriting files or directories on the primary module. synchronize
  • Page 399: Synchronizing Flash Cards Of Different Capacities

    Disabling Autosynchronization If autosynchronization is enabled while you are copying long scripts or installing new software releases, it detects a disparity between the modules during the middle of the
  • Page 400: Validating And Recovering Redundant Srp File Integrity

    SRP module with the contents of the same file residing on the flash card of the redundant SRP module. To validate and recover redundant SRP file integrity:
  • Page 401 For best results, do not run these commands simultaneously on the same router. In addition, do not run multiple instances of the flash-disk-compare command simultaneously on the same router. flash-disk compare
  • Page 402 Proceed? [confirm] WARNING: No changes should be made to the system while this command is in progress. Please wait..At least one configuration file failed checksum test. There is no no version. See flash-disk compare.
  • Page 403: Reformatting The Primary Flash Card

    You can reformat the primary flash card. To do so: Access Boot mode. a. From Privileged Exec mode, enter the reload command. Information about the reloading process is displayed. b. When the countdown begins, press the mb key sequence (case-insensitive).
  • Page 404: Copying The Image On The Primary Srp Module

    You can copy the contents of NVS on the primary SRP module to a spare flash card. To do so: Access Boot mode. a. From Privileged Exec mode, enter the reload command. Information about the reloading process is displayed.
  • Page 405: Scanning Flash Cards

    On the E120 and E320 routers only, you can use this command to check and repair a second flash card installed as disk1. You can issue this command in Boot mode for
  • Page 406 Finally, the user scans NVS again, and finds no files with errors. :boot##flash-disk scan Proceed with Flash disk scan? [confirm] Srp PCMCIA Card Scan... Boot Block OK File Allocation Table OK Root Directory OK Checking File Space
  • Page 407: Monitoring Flash Cards

    0 of the SRP module disk1—Flash card installed in slot 1 of the SRP module; available only on SRP modules for the E120 and E320 routers Manufacturer—Name of manufacturer of the installed flash card
  • Page 408: Updating The Router With Junose Hotfix Files

    Hotfixes also enable the delivery of software updates without having to load an entire software release. Hotfixes can also deploy debugging code to collect data that facilitates troubleshooting of software issues.
  • Page 409: Hotfix Compatibility And Dependency

    Such a failure generates appropriate error and log messages. The following restrictions can apply to a hotfix:
  • Page 410: Removing Hotfixes

    However, the armed hotfix settings are retained in the event that the system reverts to its normal (nonbackup) boot settings. If that happens, these hotfixes are automatically rearmed and reactivated after a reload.
  • Page 411: Hotfixes And Standby Srp Modules

    Activation failure results in the generation of an appropriate log message. E Series routers do not support activation of a hotfix on a per-slot basis or a per-subsystem basis.
  • Page 412 Use in Boot mode to disarm all armed hotfixes for all releases. Example :boot##no boot hotfix all-releases There is no affirmative version of this command; there is only a no version. See no boot hotfix all-releases.
  • Page 413: Monitoring Hotfixes

    ID number, which is useful if the filename has been changed. This command also displays dependencies for each hotfix; that is, other hotfixes that must be activated before that hotfix can be activated. For more usage details and sample output, see “show hotfix” on page 385.
  • Page 414 You can use the show version command to display a summary of each of the hotfixes currently activated on the system, including the hotfix name and hotfix ID. host1#show version Juniper Edge Routing Switch ERX-1400 Copyright (c) 1999-2005 Juniper Networks, Inc. All rights reserved. System Release: 6-0-1p0-5.rel Version: 6.0.1 patch-0.5...
  • Page 415 hf63037.hfx (Id: 34563037) ! Copyright (c) 1999-2005 Juniper Networks, Inc. All rights reserved. ! Commands displayed are limited to those available at privilege level 15 boot config running-configuration boot system 6-0-1p0-5.rel boot hotfix hf63036.hfx boot hotfix hf63037.hfx...
  • Page 416: Example: Using And Monitoring Hotfixes

    This example presents several aspects of hotfix use. In this example, 6-0-1p0-5.rel is the currently armed and active release. Hotfix hf63035.hfx is compatible with this release and is currently activated and armed as a startup hotfix. host1# dir Active System Controller:
  • Page 417 -------------------- --------- --------- ------------------- reboot.hty 596288 596288 03/07/2005 19:35:52 system.log 6762 6762 03/07/2005 17:30:08 haIpSetup.mac 4874 4874 03/24/2004 10:02:08 6-0-1p0-5.rel 125987342 125987342 02/30/2005 18:17:32 6-1-0.rel 148489185 148489185 02/28/2005 20:19:20 hf63035.hfx 30445 30445 03/07/2005 14:04:02
  • Page 418: Managing The Ethernet Port On The Srp Module

    On ERX7xx models, ERX14xx models, and ERX310 router, the Fast Ethernet port is located on the SRP I/O module. For more information about configuring the Fast Ethernet port on an SRP I/O module, see ERX Hardware Guide, Chapter 7, Accessing ERX Routers.
  • Page 419: Monitoring Statistics

    SRP module in the higher slot or even if you have only one SRP module and it is installed in the higher slot, as shown in the following example: host1#show version Juniper Edge Routing Switch ERX-700 Copyright (c) 1999-2005 Juniper Networks, Inc. All rights reserved. System Release: erx_7-1-0.rel Partial Version: 7.1.0 [BuildId 4518]...
  • Page 420 ! Juniper Edge Routing Switch ERX-700 ! Version: 6.0.0 beta-1.8 [BuildId 2538] (September 7, 2004 12:46) ! Copyright (c) 1999-2004 Juniper Networks, Inc. All rights reserved. ! Commands displayed are limited to those available at privilege level 10 boot config running-configuration boot system erx_6-0-0b1-8.rel...
  • Page 421: Enabling Warm Restart Diagnostics On Modules

    To ensure complete diagnostic test coverage, we recommend that you disable line module redundancy using the redundancy lockout command before enabling warm restart diagnostics. Enabling Warm Restart Diagnostics Use the diag command to enable warm restart diagnostics on a module. diag
  • Page 422: Enabling Diagnostics

    There is no no version. See diag-level. Ignoring Diagnostic Test Failures You can ignore diagnostic test failures on the line module or SRP. This enables you to categorize diagnostic failures and determine the impact on functional behavior.
  • Page 423 1 2 3 4 5 8 9 10 11 13 diagnostic failure is ignored on slot: 0,6,7 line redundancy: none temperature: ok timing: primary primary: internal SC oscillator (ok) secondary: internal SC oscillator (ok) tertiary: internal SC oscillator (ok)
  • Page 424: Monitoring Modules

    E120 and E320 routers; an “e” at the end of an SRP module type (for example, SRP-5Ge) indicates that the module includes error-checking code (ECC) memory. serial number—Serial number of the module, chassis, or fan tray
  • Page 425 OC3(8)-MM I/O 4304443600 4500001501 GE-SFP I/O 4605310064 4500002001 base slot MAC address ---- -------------- 0090.1aa0.577a 0090.1a41.7c68 0090.1aa0.6216 Example 2—Displays the status of hardware on the E320 router host1#show hardware Chassis ------- serial assembly assembly Major/Minor
  • Page 426 ---- -------- ---------- ---------- -------- --------- GE-4 IOA 4304020462 4500006800 SRP IOA 4303470366 4500006500 11/0 11/1 12/0 12/1 13/0 13/1 14/0 14/1 15/0 15/1 16/0 16/1 base Major/Minor
  • Page 427 ---- ----------- LM-10 4306493492 4500009501 1024 1.108 LM-10 4306493502 4500009501 1024 1.108 SRP-120 4306483377 4501008401 4096 1.102 SFM-120 4306483377 4501008401 1.102 SRP-120 4306483378 4501008401 4096 1.102 SFM-120 4306483378 4501008401 1.102 SFM-120 4306493692 4501008501 1.102
  • Page 428 To display detailed information about the average CPU utilization percentage calculated over 5-second, 1-minute, and 5-minute intervals for each module installed in the router, use the detail keyword. Field descriptions
  • Page 429 A line module is very busy (that is, using 100 percent of its CPU capacity) and is unable to send its CPU utilization data to the SRP module. A line module is experiencing communication problems that prevent it from sending its CPU utilization data to the SRP module.
  • Page 430 Please wait... System Resource Utilization --------------------------- last heap available slot type cpu (%) exceed ---- ---------- ---- --------- ------ OC3-4A COC3/COC12 COC3-4 OC3-4A OC3-4A OC3-4A SRP-40G+ SRP-40G+ OC3-4P FE-8 FE-8 CT3-12 CT3-12
  • Page 431 LM-4 LM-4 SRP-100 SRP-100 SFM-100 SFM-100 SFM-100 LM-4 LM-4 LM-4 Note: '---' indicates empty slots or fabric Slices. '???' indicates data not available. '***' indicates board running incompatible version of software. See show utilization.
  • Page 433: Passwords And Security

    Passwords and security are supported on all E Series routers. For information about the modules supported on E Series routers: See the ERX Module Guide for modules supported on ERX7xx models, ERX14xx models, and the ERX310 Broadband Services Router.
  • Page 434: Setting Basic Password Parameters

    You or users with high privilege levels can now use the encrypted password, dq]XG`,%N"SS7d}o)_?Y, with the password command. Creating Secrets This example generates a secret for the password rocket, and creates a secret for privilege level 15.
  • Page 435: Passwords And Security

    Use to set a password, which controls access to Privileged Exec mode and some configuration modes. Enter the password in plain text (unencrypted) or cipher text (encrypted). In either case, the system stores the password as encrypted.
  • Page 436 The default is no encryption. Use of this command prevents casual observers from viewing passwords, for example, in data obtained from show config displays. The command is not intended to provide protection from serious analysis.
  • Page 437: Setting And Erasing Passwords

    Privileged Exec show commands plus commands at levels 0 and 1 All commands except support commands Support commands that Juniper Networks Technical Support may provide and all other commands To maximize security and usability, set different passwords for levels 1, 5, 10, and 15. By default, no enable passwords exist.
  • Page 438: Setting Enable Passwords

    60 Within the time limit that you specified for the erase secrets command, press the recessed software reset button on the primary SRP module (see Figure 25 on page 409).
  • Page 439: Figure 25: Location Of The Software Reset Button

    Allows you to set a new password when you have forgotten your password. Can be used with the service unattended-password-recovery command. Example host1>erase secrets 60 There is no no version. See erase secrets. service unattended-password-recovery
  • Page 440: Setting A Console Password

    6 through 29. You cannot remove lines 0 through 4. See line. login Use to enable password checking at login. The default setting is to enable a password. Example host1(config)#line vty 1 4
  • Page 441: Erasing The Console Password

    Reboot the router by pressing the recessed software reset button on the primary SRP module (Figure 25 on page 409) and then pressing the mb key sequence during the countdown. Disable authentication at the console level. :boot##disable console authentication
  • Page 442: Monitoring Passwords

    7 (password) zRFj_6>^]1OkZR@e!|S$ inherited 7 (password) zRFj_6>^]1OkZR@e!|S$ inherited 7 (password) zRFj_6>^]1OkZR@e!|S$ inherited 7 (password) zRFj_6>^]1OkZR@e!|S$ inherited 7 (password) zRFj_6>^]1OkZR@e!|S$ inherited 7 (password) zRFj_6>^]1OkZR@e!|S$ inherited 7 (password) zRFj_6>^]1OkZR@e!|S$ inherited 7 (password) zRFj_6>^]1OkZR@e!|S$ inherited See show secrets.
  • Page 443: Vty Line Authentication And Authorization

    Use the no version to remove a vty line or a range of lines from your configuration; users will not be able to run Telnet, SSH, or FTP to lines that you remove. When you remove
  • Page 444 Example 1 (unencrypted password) host1(config-line)#password 0 mypassword Example 2 (secret) host1(config-line)#password 5 bcA";+1aeJD8)/[1ZDP6 Example 3 (encrypted password) host1(config-line)#password 7 dq]XG`,%N"SS7d}o)_?Y Use the no version to remove the password. By default, no password is specified. See password.
  • Page 445: Configuring Aaa Authentication And Aaa Authorization

    To configure AAA new model authentication and authorization for inbound sessions to vty lines on your router: Specify AAA new model authentication. host1(config)#aaa new-model Create an authentication list that specifies the types of authentication methods allowed. host1(config)#aaa authentication login my_auth_list tacacs+ line enable
  • Page 446 After you have specified aaa new-model as the authentication method for vty lines, an authentication list called default is automatically assigned to the vty lines. To allow users to access the vty lines, you must create an authentication list and either:
  • Page 447 If the initial method fails, the next method in the list is used. The process continues until either there is successful communication with a listed authorization method or all methods defined are exhausted. Example host1(config)#aaa authorization exec
  • Page 448 (or use the default method list) for a particular type of authorization, you must apply the defined list to the appropriate lines for authorization to take place. Example host1(config)#line vty 6 host1(line-config)#authorization commands 15 sonny
  • Page 449 “Setting Basic Password Parameters” on page 404 to obtain the encrypted password or secret. You cannot create your own encrypted password or secret; you must use a system-generated password or secret. Example 1 (unencrypted password)
  • Page 450: Virtual Terminal Access Lists

    12 15 host1(config-line)#access-class Management in Use the no version to remove access restrictions. See access-class in. access-list Use to configure an access list. Example host1(config)#access-list Management permit ip 192.168.11.16 0.0.0.15 any
  • Page 451: Secure System Administration With Ssh

    (MAC), and compression. Each party sends two lists. One list has the algorithms supported for transmission; the other has the algorithms supported for receipt. The
  • Page 452: User Authentication

    You create a host key for the SSH server with the crypto key generate dss command. If a host key already exists, this command replaces it with a new key and terminates all ongoing SSH sessions. Any SSH clients that previously accepted the old host key reject
  • Page 453: Performance

    Reduce the effective baud rate compared with Telnet or the local CLI. Users are unlikely to notice this performance degradation because user interaction is inherently slow compared with other system operations. Increase the general load on the system CPU.
  • Page 454: Security Concerns

    You configure SSH on individual virtual routers, rather than on the global system. To configure SSH: 1. Access the context of the virtual router. 2. Configure encryption. (Optional) 3. Configure user authentication, including connection parameters. 4. Configure message authentication. (Optional) 5. Enable SSH. 6. Display SSH to verify configuration.
  • Page 455: Configuring Encryption

    (3des-cbc, twofish-cbc, and blowfish-cbc). The default list does not include the none option. Example host1(config)#ip ssh crypto server-to-client default 3des-cbc If you do not specify a direction (client-to-server or server-to-client), the command applies the algorithm to both inbound and outbound lists.
  • Page 456: Configuring User Authentication

    Specify an integer in the range 0–20. Example host1(config)#ip ssh authentication-retries 3 Use the no version to restore the default value, 20 retry attempts. See ip ssh authentication-retries. ip ssh disable-user-authentication
  • Page 457: Configuring Message Authentication

    You need to configure encryption only if you need to specifically remove or add any supported algorithm from the list. The system supports the following SSH algorithms for hash function-based message authentication:
  • Page 458: Enabling And Disabling Ssh

    Use the zeroize keyword to remove the SSH server host key and stop the SSH daemon if it is running. Issuing this command terminates any active client sessions. The next
  • Page 459: Displaying Ssh Status

    SSH since the last time the system was reset connections since daemon startup—Number of connections made since the SSH server was enabled active sessions—Number of SSH sessions currently active
  • Page 460: Terminating An Ssh Session

    To view failed connection attempts and other protocol errors logged at the error severity level, use the show log data command: host1#show log data category ssh severity error See show ip ssh. Terminating an SSH Session You can use the session identifier to terminate an SSH session.
  • Page 461: Restricting User Access

    Level 0 commands and all other commands available in User Exec mode Level 1 commands and all Privileged show commands All commands except support and privilege change commands Commands that Juniper Networks Technical Support may provide and all other commands Restricting Access to Commands with RADIUS You can use RADIUS authentication to specify a level of commands that a user is allowed.
  • Page 462: Per-User Enable Authentication

    The decision to deny or approve the user’s request is based on the list the system received through RADIUS. See Table 47 on page 432. Table 47: Juniper Networks–Specific CLI Access VSA Descriptions Subtype Description...
  • Page 463: Vsa Configuration Examples

    VSA Alt-CLI-Virtual-Router-Name specifies which VRs other than the VR specified by the VSA virtual-router are accessible to restricted users. See Table 48 on page 433. Table 48: Juniper Networks–Specific Virtual Router Access VSA Descriptions Subtype...
  • Page 464: Commands Available To Users

    Can issue the virtual-router command in Privileged Exec mode to switch to another previously configured VR to which they have access. Cannot create new VRs or access VRs other than those to which they have access.
  • Page 465: Denial Of Service (Dos) Protection

    Figure 26 on page 436 shows an example of the state of a flow with DoS protection using suspicious control flow detection (SCFD).
  • Page 466: Suspicious Control Flow Detection

    If a control flow is marked as suspicious, every packet associated with the flow is considered suspicious. When a packet is marked as suspicious, it is dropped based on drop probability before being delivered to the control processor.
  • Page 467: Suspicious Control Flow Monitoring

    This flow information is useful under severe distributed DoS attacks. Group membership is based on physical port and control protocol; all flows in that group are considered suspicious.
  • Page 468: Configurable Options

    View a trap or log generated when a control flow is considered suspicious. View a trap or log generated when a control flow is no longer suspicious. Traps and Logs The system generates a trap and a log message under the following conditions:
  • Page 469: Suspicious Control Flow Commands

    Use to turn off overflow protection for suspicious control flow detection, enabling flows to be grouped into larger entities when the line module flow table overflows. Example host1(config)#suspicious-control-flow-detection grouping-off Use the no version to turn on overflow protection. See suspicious-control-flow-detection grouping-off. suspicious-control-flow-detection off
  • Page 470 When set to zero, a suspicious flow cannot change to the nonsuspicious state via a threshold rate. Example host1(config)#suspicious-control-flow-detection protocol iposi threshold 1024 Use the no version to restore the defaults for the protocol. See suspicious-control-flow-detection protocol threshold.
  • Page 471: Monitoring Suspicious Control Flow

    Number of table overflows: 0 See show suspicious-control-flow-detection counts. show suspicious-control-flow-detection flows Use to display suspicious flows. Field descriptions Interface—Interface for the flow Protocol—Control protocol of the flow MAC address—Source MAC address of the flow
  • Page 472 Transitions—Number of times this protocol or priority has transitioned to the suspicious state Priority Information Priority—Priorities map to a specific queue and color; priority groups are Hi-Green, Hi-Yellow, Lo-Green and Lo-Yellow. State: OK—Protocol is currently not receiving an excess amount of traffic
  • Page 473 IP Multicast Control (IC) IP Multicast VRRP IP Mulitcast Cache Miss IP Multicast Cache Miss Auto Reply IP Multicast Wrong Interface IP Local DHCP (SC) IP Local Dhcp (IC) IP Local Icmp Echo IP Local Icmp Other
  • Page 474 Threshold—Threshold in packets per second Lo-Threshold—Low threshold in packets per second Backoff-Time—Backoff time in seconds Example host1(config)#show suspicious-control-flow-detection protocol Protocol Threshold Lo-Threshold Backoff-Time ------------------------------ --------- ------------ ------------ Ppp Echo Request Ppp Echo Reply Ppp Echo Reply Fastpath
  • Page 475 IP Route To SRP Ethernet IP Route No Route Exists IP Normal Path MTU IP Neighbor Discovery IP Neighbor Discovery Miss IP Search Error IP MLD IP Local PIM Assert IP Local BFD 1024 IP IKE
  • Page 476: Denial-Of-Service Protection Groups

    The drop probability is the percentage probability that a suspicious packet is dropped. Protocol skip priority rate limiter enables you to configure the system so that the specified protocol is not subject to the priority rate limiter for the priority and DoS
  • Page 477: Attaching Groups

    Table 49: Layer 2-Related Protocols CLI Name Description of Flow atmControl ATM ILMI packets atmOAM ATM OAM packets atmDynamicIf ATM dynamic interface column creation atmInverseArp ATM inverse ARP packets dhcpExternal DHCP external packets
  • Page 478 PPP echo request packets destined for the IC pppEchoReply PPP echo reply packets destined for the IC pppEchoReplyFast PPP echo request packets generating an FC-based reply pppControl other PPP control packets pppoeControl PPPoE PADx packets
  • Page 479: Table 50: Ip-Related Protocols

    IP L2TP control packets for IC ipLocalL2tpControlSC IP L2TP control packets for SC ipLocalLDP IP LDP packets ipLocalOspf IP OSPF packets ipLocalOther IP Local packets not otherwise classified ipLocalPim IP PIM packets (except typeAssert)
  • Page 480 IP Router Alert ipOsi OSI packets ipReassembly IP packets that have been reassembled on a server card ipRouteNoRoute IP packets with no route indication ipRouteToSrpEthernet Packets routed to the SRP Ethernet ipTtlExpired IP TTL expired
  • Page 481: Dos Protection Group Configuration Example

    Use to attach an ATM DoS protection group to an interface. Example host1(config-if)#atm dos-protection-group group1 Use the no version to remove the attachment of the DoS protection group from the interface.
  • Page 482 Use the no version to remove the attachment of the DoS protection group from the interface. See frame-relay dos-protection-group. hdlc dos-protection-group Use to attach an HDLC DoS protection group to an interface. Example host1(config-if)#hdlc dos-protection-group group1
  • Page 483 Use to attach a PPP DoS protection group to an interface. Example host1(config-if)#ppp dos-protection-group group1 Use the no version to remove the attachment of the DoS protection group from the interface. See ppp dos-protection-group.
  • Page 484 Use the no version to return to the default value of 0. See priority rate. protocol burst Use to set the burst size in packets-per-second for the protocol. The default value is one half the maximum rate in packets. Example host1(config-dos-protection)#protocol IpLocalDhcpIc burst 65535
  • Page 485 DoS protection groups. Example host1(config-dos-protection)#protocol IpLocalDhcpIc rate 100 Use the no version to set the value to the value specified in the associated default group. See protocol rate. protocol skip-priority-rate-limiter
  • Page 486 Use to attach a VLAN DoS protection group to an interface. Example host1(config-if)#vlan dos-protection-group Use the no version to remove the attachment of the DoS protection group from the interface. See vlan dos-protection-group.
  • Page 487: Monitoring Dos Protection Groups

    Example host1(config)#show dos-protection-group DOS Protection Groups: Default (canned-group: “ default” ) *modified* Uplink (canned-group: “ link” (canned-group: “ pppoe” *modified* VLAN (canned-group: “ mixed-access” ) See show dos-protection-group.
  • Page 489: Chapter 8 Writing Cli Macros

    Macros consist of control expressions and noncontrol expressions. Control expressions are enclosed by control brackets, which are angle-bracket and number sign pairs, like this: <# controlExpression #>. Examples of control expressions include the macro name
  • Page 490: Environment Commands

    Environment Commands Macros use environment commands to write data to the macro output, to determine a value, or to call other commands. Table 51 on page 461 describes the environment commands that are currently supported.
  • Page 491: Table 51: Environment Commands

    Starts the capture of command output env.stopCommandResults Stops the capture of command output env.getResults Returns one line of output from the capture buffer env.regexpMatch(string) Checks a string against a regular expression env.getRegexpMatch(string) Extracts a string from a larger string
  • Page 492: Capturing Output Of Commands

    <# endif #> In this example, the string interface is checked to determine whether it has the correct syntax: <# interface := env.argv(1) #> <# if env.regexpMatch(interface, "^[0-9]+/[0-9]+$") #> . . . <# endif #>
  • Page 493: Writing Cli Macros

    When the macro runs, the global variable interface is set and the interface command contains an invalid interface value. The CLI reports a syntax error and the macro onError is called. Within the onError macro, the global variable interface is retrieved.
  • Page 494: Unique Ids For Macros

    When you run the macro, the error command is blank and the error status is Status is not available: ERX-40-4a-cc#macro b.mac errorStatusTest Macro 'errorStatusTest' in file 'b.mac' starting execution (Id: 17) error: status: "Macro is not onError. Status is not available" Macro 'errorStatusTest' in file 'b.mac' ending execution (Id: 17)
  • Page 495: Variables

    Table 52 on page 465 lists the available macro operators in order of precedence by operation type. Operators within a given row are equal in precedence. Table 52: Macro Operators Operation Type Operators Extraction substr() rand() round() truncate()
  • Page 496: Table 53: Operator Actions

    Evaluates as true (returns a 1) if the element to the left of the operator is greater than or equal to the expression to the right of the operator; otherwise the result is false
  • Page 497 Postincrement Increments the variable after the expression is evaluated Postdecrement – – Decrements the variable after the expression is evaluated
  • Page 498: Assignment

    In Example 1, the result is that i equals 1 and j equals 10, because the expression is evaluated (10 – 0 = 10) before i is incremented. Example 2 <# i := 0; j := 10 #> <# j := j - ++i #>
  • Page 499: String Operations

    <# round(decimal) #>The result is decimal is now 5 The truncate operator truncates noninteger numbers to the value left of the decimal point: <# decimal:= 4.7 #> <# truncate(decimal) #>The result is decimal is now 4
  • Page 500: Arithmetic Operations

    <# i := 5; j := 0; !i || !j #>The result is 1 Relational operators have a higher precedence than logical AND and OR. The NOT operator is equal in precedence to the increment and decrement operators.
  • Page 501: Miscellaneous Operations

    If constructs provide a means to execute portions of the macro based on conditions that you specify. An if construct consists of the following components: An opening if expression A group of any number of additional expressions (Optional) Any number of elseif expressions and groups of associated expressions
  • Page 502 <# sure := env.getline("Are you sure that " $ color $ " is your favorite color? ") #> <# if substr(sure, 0, 1) = 'y' || substr(sure, 0, 1) = 'Y' #> <# if color != "black" && color != "white";
  • Page 503: While Constructs

    <# // Remember that the value of a string used as an integer is the number #> <# // of characters in the string. #> <# stars := "*" #> <# while stars < 10, stars := stars $ "*"#> !<# stars;"\n" #>
  • Page 504: Passing Parameters In Macros

    (that is, not all commands and comments). In this case, you can use <# setoutput console #> to send the information directly to the console display when it executes.
  • Page 505: Invoking Other Macros

    Use the exit keyword to halt execution of all macros. Example 1 The following sample macro demonstrates macro invocation: <# invoking_examples #> <# //---------------------------------------- #> <# name := env.getline("What is your first name? ") #>
  • Page 506: Detecting And Recording Macro Errors

    An onError macro can call other macros. If another error occurs after the onError macro is invoked, macro execution stops again and the onError macro is invoked again. This process continues either until the onError macro completes or until reaching the recursion limit of 10.
  • Page 507: Detectable Macro Errors

    In other words, if the macro ends after setting the third result (that is, 3) the log file displays the following: A is 3 If the macro finishes completely, the log file displays the following:
  • Page 508: Viewing Macro Errors

    <# badInterfaceCommandMacro #> <# env.setResult("runStatus","start" ) #> <# theLoopCount := 500 #> conf t <# while theLoopCount > 0 #> <# env.setResult("runStatus", "Loop:" $ theLoopCount ) #> interface fastEthernet <# theLoopCount; '\n' #> <# --theLoopCount #>
  • Page 509: Detecting Invalid Commands

    However, the second command in the sequence is invalid. <# badExecCommandMacro #> <# env.setResult("runStatus","start" ) #> show clock <# env.setResult("runStatus","after first show clock" ) #> <# env.setResult("runStatus","after foo" ) #> show privilege
  • Page 510: Detecting Missing Macros

    NOTICE 01/08/2006 07:21:50 macroData: Macro 'badExecCommandMacro' in file 'badExecCommandTest.mac' ending execution (Id: 101) on vty, 0 Detecting Missing Macros In this example, the following macro file (badMacroInvocation.mac) is programmed to invoke a missing or nonexistent macro (tmpl.foo). <# badMacroInvocation #>
  • Page 511: Running Macros

    This command invokes a hidden FTP client and takes place in the context of the current virtual router (VR) rather than the default VR. You must configure the FTP server so
  • Page 512 <# atmOverDs3 #> <# i:=0; while i++ < 3 #> controller t3 9/<#i;'\n'#> no shut clock source internal module framing cbitadm ds3-scramble interface atm 9/<#i;'\n'#> atm vc-per-vp 256 <# endwhile #>
  • Page 513 9/2 host1(config)#atm vc-per-vp 256 host1(config)#controller t3 9/3 host1(config)#no shut host1(config)#clock source internal module host1(config)#framing cbitadm host1(config)#ds3-scramble host1(config)#interface atm 9/3 host1(config)#atm vc-per-vp 256 host1(config)#interface atm 9/1.1 host1(config)#encap pppoe
  • Page 514: Scheduling Macros

    30 john.mac getuptime host1#schedule macro interval time-of-day 00:10 day-of-month 2 fred.mac freddie host1#configure terminal host1(config)#schedule macro joe.mac interval time-of-day 00:00 day-of-week sunday start host1(config)#exit host1#schedule macro at 20:00 February 14 john.mac getuptime
  • Page 515 <# m(left,right,third) #> <# mult := left * right #> <# multFinal := mult * third #> <# env.setResult("operation", "" $ left $ " * " $ right $ " * " $ third) #>
  • Page 516 60 b.mac getuptime host1#show schedule macro b.mac getuptime scheduled to run at 2007-02-14 11:58:06
  • Page 517: Practical Examples

    It consists of a number of related macros for configuring interfaces on CT1 and CE1 modules, as described in Table 54 on page 488.
  • Page 518: Table 54: Contents Of Ds1Mac.mac

    ! This macro will configure e1 ports as unframed. ! This macro should be called with 4 arguments. ! The argument list should be as follows: ! type; number of numPorts; slot; port; clock; framing; lineCoding <# return #>
  • Page 519 ! type; number of numPorts; slot; port; clock; framing; coding; proto; frType; frLmi; numCirs; dlci <# return #> <# endif #> <# type := env.argv(1) #> <# ifCount := env.argv(2) #> <# slot := env.argv(3) #>
  • Page 520 <# port := env.atoi(param[3]) #> <# proto := param[4] #> <# if proto = 'fr' #> <# proto := 'frame-relay ietf' #> <# endif #> <# while ifCount-- > 0 #> interface serial <# slot;'/';port;':1';'\n' #>
  • Page 521: Configuring Atm Interfaces

    <# while (authType < authNone || authType > authChapPap ); authTypeStr :=env.getline("authentication (1 = None, 2 = PAP, 3 = CHAP, 4 = PAP/CHAP; 5 = CHAP/PAP)?"); authType := env.atoi(authTypeStr); endwhile #> <# endif #>
  • Page 522
    <# i; ' '; vp; ' '; vc; ' '; vcTypeStr;'\n'#>
    <# if encapType = encapPpp #>
    encap ppp
    <# if authType = authPap#>
    ppp authentication pap
    <# elseif authType = authPapChap#>
    ppp authentication pap chap
  • Page 523
    <# elseif encapType = encapBridged #>
    encap bridged1483
    <# endif #>
    <# if loopbackStr != "" #>
    ip unnumbered loopback <# loopbackStr;"\n" #>
    <# endif #>
    <# endwhile #>
    <# endwhile #>
    <# endtmpl #>
  • Page 525: Booting The System

    Broadband Services Routers. Configuring Your System for Booting Juniper Networks delivers your E Series router already set up with a factory default configuration and a software release (.rel) file. You can, however, create a new configuration file (.cnf) and select a different software release file to use in future reboots of your router.
  • Page 526: Booting The GE-2 Line Module

    You can require the system to reboot from an existing configuration file, from an existing local script file, or with the factory default configuration. Example host1(config)#boot backup rel_1_1_0.rel newfile.cnf Use the no version of this command to remove the backup setting. See boot backup. boot config
  • Page 527: Booting The System

    If the system is in Manual Commit mode: host1(config)#boot config startup-configuration See “Saving the Current Configuration” on page 264 in “Managing the System” on page 239, for information about Automatic and Manual Commit modes.
  • Page 528 Example host1(config)#boot revert-tolerance 2 60 Use the no version to restore the default values, 3 and 1800. See boot revert-tolerance.
  • Page 529 SRP with no backup boot PROM, the following message is displayed: “Write to Backup Boot ROM failed.” In this instance, this message is correct, and you can ignore it.
  • Page 530: Rebooting Your System

    If you specify the force keyword, the procedure will fail if the system is updating the boot prom. In this case, the system will display a message that indicates that the procedure cannot currently be performed and the cause. However, if the system is in
  • Page 531 Example host1#reload at 10:10 May 5 This command reloads the software 10 minutes after 10 on May 5th. There is no no version. See reload. reload
  • Page 532: Rebooting When A Command Takes A Prolonged Time To Execute

    CLI displays no output other than “Please wait...” for a prolonged period, you can press Ctrl+x to reset the system. Use Ctrl+x only as a last resort; if at all possible, wait
  • Page 533: Configuration Caching

    Proceed with reload? [confirm] Reload operation commencing, please wait... Press the mb key sequence (case-insensitive) during the countdown that is displayed immediately after the BPOST tests are bypassed. This puts the CLI in Boot mode. :boot##
  • Page 534: Displaying Boot Information

    (MB) ---- ---------------- ---------- ---------- -------- ---- SRP-10Ge 4305358981 3500005472 2048 SRP-10Ge 4305359020 3500005472 2048 CT3-12 4305337201 3500010901 OC3/OC12/DS3-ATM 4605300290 3500103958 GE/FE 4605340294 3500104554
  • Page 535 Use to display the configuration of the system hardware and the software version. Example host1#show version Juniper Edge Routing Switch ERX-700 Copyright (c) 1999-2005 Juniper Networks, Inc. All rights reserved. System Release: erx_7-1-0.rel Partial Version: 7.1.0 [BuildId 4518] (December 21, 2005 11:23)
  • Page 536: Output Filtering

    25d03h:28m:49s online CT3-12 enabled erx_7-1-0.rel 25d03h:24m:46s online OC3-4A-APS enabled erx_7-1-0.rel 25d03h:24m:22s online enabled erx_7-1-0.rel 25d03h:24m:44s See show version. Output Filtering The output filtering feature of the show command is not available in Boot mode.
  • Page 537: Configuring The System Clock

    NTP uses a hierarchical structure of hosts, such as computers and routers, that form client-server and peer associations. An NTP client synchronizes with an NTP server, which in turn synchronizes with another time source. If two hosts provide synchronization for each other, they are peers.
  • Page 538: System Operation As An NTP Client

    By default, NTP servers respond to the interface from which an NTP request originated. You can direct responses from all NTP servers to one interface on the system, or from a specific NTP server to a specific interface.
  • Page 539: Configuring The System Clock

    The system acquires time information from servers periodically. The system evaluates which server is currently the best time source (the master) by analyzing time data in the messages and comparing the data from different servers.
  • Page 540: System Operation As An NTP Server

    This implementation of NTP meets the following specifications: RFC 1305—Network Time Protocol (version 3) Specification, Implementation and Analysis (March 1992) RFC 2030—Simple Network Time Protocol (SNTP) (Version 4) for IPv4, IPv6, and OSI (October 1996)
  • Page 541: Setting The System Clock Manually

    There is no no version. See clock set. clock summer-time date Use to set the clock to switch automatically to summer time (daylight saving time). Example host1(config)#clock summer-time PDT date 1 April 200X 2:00
  • Page 542: Before You Configure NTP

    Before you configure NTP, complete the following procedures: Configure at least one IP address on the router. Check that the system clock reads the correct time to within 15 minutes, and that the time zone and summer time settings are correct.
  • Page 543: Choosing NTP Servers

    This command associates NTP services and the NTP client with the current virtual router. Example host1:boston(config)#ntp enable Use the no version to disable NTP polling and clock correction and to remove the association between NTP services and the virtual router. See ntp enable.
  • Page 544: NTP Client Configuration

    Use the no version to set the estimated round-trip delay to the default, 3000 microseconds. See ntp broadcast-delay. ntp disable Use to disable NTP on an interface. Example host1(config-if)#ntp disable Use the no version to reenable NTP on an interface. See ntp disable. ntp server
  • Page 545: Directing Responses From NTP Servers

    You can prevent the system from receiving certain types of broadcasts and specify the servers from which the system will accept NTP broadcasts. To do so: Issue the ntp access-group command. Configure an access list. access-list
  • Page 546: NTP Server Configuration

    NTP server. Issuing the ntp master command on multiple systems in the network might lead to unreliable timestamps if those systems do not agree on the time. (Optional) Specify the stratum of this NTP server. ntp broadcast
  • Page 547: Configuration Examples

    The following examples show how to configure the system as an NTP client and an NTP server. Example 1 NTP communications are established on the virtual router boston. The system is a client of the NTP server with IP address 172.16.5.1. host1#virtual-router boston
  • Page 548: Monitoring NTP

    NTP messages. The NTP client uses this data to compare the performance of its NTP servers and to choose a master. show ntp associations Use to view the information about the NTP servers you assigned. Field descriptions
  • Page 549 0.038s 0.073s (* Master, + Selected, - Candidate, x Unusable) (p Preferred, ~ Configured) See show ntp associations. show ntp associations Use to view the information about the NTP servers you assigned. Field descriptions
  • Page 550 Precision—Length of the clock tick (interrupt interval) of the server’s clock Source—IP address of the interface to which NTP servers should send NTP responses
  • Page 551 No. of associations—Number of peer associations for the NTP server Clock Status: Offset Error—Time difference between the system and the master, in seconds Frequency Error—Error in the frequency of the system’s clock, in seconds per second
  • Page 552 BcastClient—Indication of whether or not this interface accepts broadcasts from NTP servers, On or Off BcastServer—Indication of whether or not this interface functions as a broadcast server, On or Off Name—Type of interface and its location
  • Page 553 Timezone Name : UTC Timezone Offset : 00:0 hours:minutes Access List 'Server Source' Interface ‘Client Source’ Interface : Default (transmit interface) Interface Configuration Address Enable BcastClient BcastServer Name 1.1.1.1 FastEthernet1/0 See show ntp status.
  • Page 555: Configuring Virtual Routers

    For example, a physical ATM link may have circuits that are connected to different VRs. The physical and data link layers are not aware that there are multiple router instances. See Figure 28 on page 526.
  • Page 556: Routing Protocols

    When a VRF receives an update message, it needs to know whether it should add the route to its routing table. Similarly, when a VRF sends update messages, it needs to identify the VPNs that it wants to receive the updates. See JunosE BGP and MPLS Configuration Guide.
  • Page 557: Configuring Virtual Routers

    Create a VRF to provide forwarding information to your router. In this example, the VRF created is in context with the VR created above. host1:western(config)#ip vrf eastern Proceed with new VRF creation? [confirm] host1:western(config-vrf)#virtual-router:eastern host1:western:eastern(config)#
  • Page 558 Configure a route map router Configure a routing protocol Configure rtr parameters service Configure system-level services Configure sleep Make the Command Interface pause for a specified duration slot Configure and administer slot operation snmp-server Configure SNMP parameters
  • Page 559 Virtual Router : miami Virtual Router : northern VRF : southern host1# Map a VR to a user domain name in Domain Map Configuration mode. The VR must already exist. host1(config)#aaa domain-map jacksonville host1(config-domain-map)#virtual-router western host1(config-domain-map)#
  • Page 560 VR. Issuing the command no virtual-router vrName.vrfName has no effect. Issuing a no version of this command (no virtual-router : vrfName or no virtual-router vrName : vrfName) that specifies an existing VRF displays only the error message:
  • Page 561: Monitoring Virtual Routers

    Tunnel Tunnel Peer Source Type Medium Password Hostname ------ ------ ------ ------ ------ -------- ------ -------- <null> <null> l2tp ipv4 <null> <null> <null> Tunnel Tunnel Server Tunnel Name Preference ------ ------ ---------- <null> 2000
  • Page 562 Field descriptions Free Memory—Amount of memory free on the line module, in kilobytes Virtual Router—Name of the virtual routers configured on the line module Memory (KB)—Amount of memory consumed by the VR, in kilobytes
  • Page 563 VRF : western VRF : northern VRF : southern Virtual Router : vr3 VRF : eastern VRF : western VRF : northern VRF : southern Example 2 host1#show virtual-router detail Virtual Router : default
  • Page 564 VRF Count: 4 Virtual Router vr3 VRF Count: 4 Total VR Count: 4 VRs with VRFs Count: 3 VRs without VRFs Count: 1 Total VRF Count: 12 Total Count : 16 See show virtual-router.
  • Page 567: Appendix A Abbreviations And Acronyms

    ATM end system address assured forwarding authority and format identifier authentication header alarm indication signal AIS-L alarm indication signal – line AIS-P alarm indication signal – path application-level gateway ANSI American National Standards Institute application programming interface
  • Page 568 Bidirectional Forwarding Detection (protocol) Border Gateway Protocol broadcast multiaccess BOOTP bootstrap protocol B-RAS Broadband Remote Access Server Berkeley Software Distribution certificate authority call admission control (MPLS); connection admission control (ATM) content-addressable memory
  • Page 569: Abbreviations And Acronyms

    CLEC competitive local exchange carrier command-line interface CLNP Connectionless Network Protocol CLNS Connectionless Network Service cell loss priority CMDA code division multiple access CMTS cable modem termination system change of authorization channelized optical carrier
  • Page 570 Underwriter Laboratories and Canadian Standards Association for joint product safety approval direct current Data Country Code data carrier detect data communication equipment dynamic configuration manager discard eligibility DES; 3DES Data Encryption Standard; triple DES don’t fragment (bit)
  • Page 571 Border Gateway Protocol dynamic subscriber interface digital subscriber line DSLAM digital subscriber line access multiplexer domain-specific part data set ready Digital Signature Standard Daylight Saving Time data service unit data terminal equipment data terminal ready
  • Page 572 E-LSP EXP-inferred-PSC LSP European Norm early packet discard end system electrostatic discharge extended superframe end system identifier Encapsulating Security Payload experimental (refers to bits in MPLS shim header) file allocation table
  • Page 573 FQDN fully qualified domain name field-replaceable unit finite state machine forwarding table entry File Transfer Protocol Gbps gigabits per second Gigabit Ethernet giaddr gateway IP address Generic Routing Encapsulation GRxx (refers to Bellcore standards)
  • Page 574 Internet Control Message Protocol ICRQ incoming-call request identification; identifying; identifier I-DAS integrated DHCP access server initial domain identifier initial domain part IDSL ISDN digital subscriber line International Electrotechnical Commission IEEE Institute of Electrical and Electronics Engineers
  • Page 575 Intermediate System–to–Intermediate System IPSec Service module International Organization for Standardization Internet service provider IS Voice Intelligent Service Voice application ITU-T International Telecommunication Union – Telecommunication Standardization JATE Japan Approvals Institute for Telecommunications Terminal Equipment
  • Page 576 Link Integrity Protocol logical link control L-LSP label-only-inferred-PSC LSP local management interface; link management interface L2TP network server loss of frame loss of pointer loss of signal link-state advertisement
  • Page 577 Multilink Point-to-Point Protocol motd message of the day MOTM message of the minute MP-BGP Border Gateway Protocol multiprotocol extensions (sometimes referred to as multiprotocol Border Gateway Protocol) MPLS Multiprotocol Label Switching mrinfo multicast router information
  • Page 578 NEBS Network Equipment Building System network entity title NLRI network layer reachability information Network Management Center network management system network-to-network interface nonreturn to zero NRZI nonreturn to zero inverted NSAP network service access point
  • Page 579 PADI PPPoE Active Discovery Initiation PADM PPPoE Active Discovery Message PADN PPPoE Active Discovery Network PADO PPPoE Active Discovery Offer PADR PPPoE Active Discovery Request PADS PPPoE Active Discovery Session
  • Page 580 Protocol Independent Multicast sparse mode PIM SSM Protocol Independent Multicast source-specific multicast public key infrastructure PLCP physical layer convergence procedure policy manager PNNI private network-to-network interface point of presence packet over SONET POST power-on self-test
  • Page 581 RESV reservation Request for Comments routing information base Routing Information Protocol RISC reduced instruction set computing Remote Method Invocation (Java) rendezvous point (router) reverse-path forwarding
  • Page 582 (abbreviation pronounced “scuzzy”) Synchronous Digital Hierarchy SDRAM synchronous dynamic random access memory SDSL symmetric digital subscriber line service data unit Service Deployment System (formerly SSC) severely errored framing severely errored second
  • Page 583 SONET Synchronous Optical Network security policy database shortest path first security parameter index strict-priority queues SPVC soft permanent virtual circuit Structured Query Language switch route processor source-rooted tree
  • Page 584 Transmission Control Protocol traffic engineering TFTP Trivial File Transfer Protocol terminal interface processor type-length-value type of service TPID Tag Protocol Identifier Tunnel Service line module time-to-live tributary unit tributary unit group transmit
  • Page 585 (or connection) virtual channel connection VCCI Voluntary Control Council for Interference virtual circuit descriptor virtual channel identifier volts direct current VDSL very-high-bit-rate digital subscriber line VLAN virtual local area network
  • Page 586 Wired Equivalent Privacy weighted fair queuing WINS Windows Internet Name Service (Microsoft) WLAN wireless local area network wireless local loop WRED weighted random early detection weighted round-robin
  • Page 587 Abbreviation or Acronym Term xDSL combined term used to refer to ADSL, HDSL, SDSL, and VDSL 10-gigabit small form-factor pluggable transceiver
  • Page 613: Index

    PART 3 Index Index on page 585 Copyright © 2010, Juniper Networks, Inc.
  • Page 614 JunosE 11.3.x System Basics Configuration Guide Copyright © 2010, Juniper Networks, Inc.
  • Page 615: Index

    (CLI)..............45 access lists................24 B-RAS applications for Telnet sessions............420 overview................25 access-class in command..........420 B-RAS commands access-list command..........420, 516 aaa accounting vr-group..........81 adapter commands backing up software configuration.........126 adapter accept.............356 Backspace key.................64 adapter disable............348 backup router................24 Copyright © 2010, Juniper Networks, Inc.
  • Page 616 CLI (command-line interface)........243 bridge subscriber-policy..........81 abbreviating keywords.........28, 63 broadcasts, NTP..............515 accessing................45 bulk statistics, SNMP command modes. See command modes collecting...............183, 226 context-sensitive help........60, 243 configuring editing keys...............63 collectors and receivers........183 editing on................63 schemas..............203 logging in................45 formatter.................226 Copyright © 2010, Juniper Networks, Inc.
  • Page 617 See command modes default version................32 configuration tasks, general..........9 default virtual router............525 configuration, software..........122, 126 delete command..............282 configure command...............81 Delete key..................64 configuring. See specific feature or protocol confirmations explicit command........43 Copyright © 2010, Juniper Networks, Inc.
  • Page 618 Enterprise SNMP MIB............138 ppp dos-protection-group........446 entity, SNMP................138 pppoe dos-protection-group.........446 environment, system............323 priority burst..............446 erase secrets command.........408, 409 priority over-subscription-factor......446 Esc-key combinations (CLI)..........65 priority rate..............446 Ethernet protocol burst...............446 Telnet on.................305 protocol drop-probability........446 protocol priority............446 Copyright © 2010, Juniper Networks, Inc.
  • Page 619 E120 and E320 Broadband Services Routers standards...............580 features...............364 versions, displaying..........394, 504 formatting..............370 HDLC parameters..............12 halt command to prevent corruption....364 help....................243 installing ................364 CLI system................60 managing...............364 help command............60, 63, 245 monitoring..............370 Copyright © 2010, Juniper Networks, Inc.
  • Page 620 IOAs ipsec key manual............81 disabling.................348 ipsec key pubkey-chain rsa.........81 enabling................348 IPSec Identity Configuration mode......69, 91 erasing configurations..........356 IPSec IKE Policy Configuration mode.......70, 91 replacing.................355 IPSec Manual Key Configuration mode....70, 92 Copyright © 2010, Juniper Networks, Inc.
  • Page 621 IPv6 Local Pool Configuration mode........71 line rates................10 IS-IS protocol................23 performance rate............359 issuing commands from other CLI modes....243 replacing.................350 restricted combinations..........363 slot groups............360, 363 Juniper Networks E Series enterprise SNMP software MIB..................138 compatibility............359 switch usage..............360 troubleshooting............309 keywords................29, 30 line rates..................10 partial-keyword .............60 line vty command............97, 246...
  • Page 622 IP multicast...............23 message-of-the-day (MOTD) banner......273 IP/ATM.................18 MIBs (Management Information Bases) IP/Frame Relay..............16 definition of..............138 IP/HDLC................21 Juniper Networks E Series enterprise....138 IP/PPP................20 standard SNMP.............138 L2TP..................25 modules layered approach..............6 disabling.................346 line module features............11 E Series, managing............341 MPLS...................23
  • Page 623 66, 80, 403 ntp commands..............516 enabling................405 ntp access-group............516 encryption..............404 ntp broadcast..............516 erasing console passwords........410 ntp broadcast-client...........513 See also Privileged Exec mode ntp broadcast-delay............513 passwords and secrets ntp disable..............513 deleting................408 ntp enable...............513
  • Page 624 NTP servers............507 private line aggregation............4 privilege groups...............49 RADIUS (Remote Authentication Dial-In User privilege level Service) accessing................46 authentication, restricting access......432 ambiguous commands..........49 password authentication..........421 changing command privileges.........49 per-user enable authentication......431 command exceptions..........49 defining CLI..............46
  • Page 625 Remote Neighbor Configuration mode....75, 107 resetting system while running......503 remote-neighbor command..........107 secondary NTP servers............508 rename command...............280 secure IP tunnels..............16 renaming files................280 Secure Shell Server protocol. See SSH replies, NTP................513 reset button, software............410 resetting while running scripts or macros....503
  • Page 626 34 show subsystems command...........301 show output filtering feature........531 show policy-list............436 show redirecting output..........38
  • Page 627 229 snmp-server trap-proxy..........162 multiple virtual routers........143, 228 snmp-server trap-source...........157 operations...............143 snmp-server user............150 packet mirroring............139 SNMP Event Manager Configuration mode..76, 110 packet size, setting............151
  • Page 628 SSH (Secure Shell Server)..........421 subscriber interfaces..............22 algorithm negotiation..........421 subscriber policy commands client configuration.............422 subscriber-policy............81 configuration prerequisites........422 Subscriber Policy Configuration mode....77, 112 configuring..............422 summer time, specifying.............511 connections..............421 support, technical See technical support disabling................422 enabling................422
  • Page 629 RADIUS password authentication......421 sending messages to..........276 software reset button..........410 setting length (in lines)..........269 system configuration files.........277 setting width (in characters)........269 system name..............240
  • Page 630 VR to domain map........527, 529 tunnel..................81 monitoring...............531 Tunnel Group Configuration mode......77, 113 name resolvers for multiple........308 Tunnel Group Tunnel Configuration mode....78, 113 NTP..............507, 513, 516 Tunnel Profile Configuration mode......78, 114
  • Page 631 SNMP trap............157 while constructs, macro.............473 width of terminal screen, setting........269 write memory command..........264 writing macros..............459 xDSL protocols................6 session termination............5
  • Page 632 JunosE 11.3.x System Basics Configuration Guide

This manual is also suitable for:

Junose 11.3
