Juniper NETWORK AND SECURITY MANAGER - NSM CONFIGURATION GUIDE FOR EX SERIES DEVICES REV 3 Configuration Manual

NSM Configuration Guide for EX Series Devices
Release
Published: 2010-11-15
Part Number: 530-028689-01, Revision 3
Copyright © 2010, Juniper Networks, Inc.

Summary of Contents for Juniper NETWORK AND SECURITY MANAGER - NSM CONFIGURATION GUIDE FOR EX SERIES DEVICES REV 3

  • Page 1 NSM Configuration Guide for EX Series Devices Release Published: 2010-11-15 Part Number: 530-028689-01, Revision 3 Copyright © 2010, Juniper Networks, Inc.
  • Page 2 Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
  • Page 3 REGARDING LICENSE TERMS. 1. The Parties. The parties to this Agreement are (i) Juniper Networks, Inc. (if the Customer’s principal office is located in the Americas) or Juniper Networks (Cayman) Limited (if the Customer’s principal office is located outside the Americas) (such applicable entity being referred to herein as “Juniper”), and (ii) the person or organization that originally purchased from Juniper or an authorized Juniper reseller the applicable...
  • Page 4 Customer shall be liable for any such violations. The version of the Software supplied to Customer may contain encryption or other capabilities restricting Customer’s ability to export the Software without an export license.
  • Page 5 (including Juniper modifications, as appropriate) available upon request for a period of up to three years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194 N. Mathilda Ave., Sunnyvale, CA http://www.gnu.org/licenses/gpl.html...
  • Page 7: Table Of Contents

    Configuring Port Security (NSM Procedure) ......37
  • Page 8 Configuring LLDP (NSM Procedure) ........97
  • Page 9 Index ............155
  • Page 11: About This Guide

    Requesting Technical Support on page xiv Objectives Juniper Networks Network and Security Manager (NSM) is a software application that centralizes control and management of your Juniper Networks devices. With NSM, Juniper Networks delivers integrated, policy-based security and network management for all devices.
  • Page 12 The product supports two levels of access, user and privileged. Identifies variables clusterID, ipAddress. The angle bracket (>) Indicates navigation paths through the UI Object Manager > User Objects > Local by clicking menu options and links. Objects
  • Page 13: Documentation

    VPN administrators, and network security operation center administrators. Network and Security Manager Configuring ScreenOS and IDP Devices Guide: Provides details about configuring the device features for all supported ScreenOS and IDP platforms.
  • Page 14: Requesting Technical Support

    MX-series platforms. Requesting Technical Support Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need postsales technical support, you can access our tools and resources online or open a case with JTAC.
  • Page 15: Self-Help Online Tools And Resources

    About This Guide Self-Help Online Tools and Resources For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features: Find CSC offerings: http://www.juniper.net/customers/support/ Find product documentation: http://www.juniper.net/techpubs/...
  • Page 17: Managing Ex-Series Switches With Nsm

    Configuring Routing Options on page 59 Configuring Protocols on page 87 Configuring PoE on page 115 Configuring SNMP on page 117 Configuring Virtual LANs on page 147 Configuring a Virtual Chassis on page 149
  • Page 19: Configuring User Access And Authentication

    Click the Configuration tab. In the configuration tree, select System > Radius Server. Add or modify Radius settings as specified in Table 5 on page 4. Click one: New—Adds a new RADIUS server. OK—Saves the changes. Cancel—Cancels the modifications.
  • Page 20: Configuring Tacacs+ Authentication (Nsm Procedure)

    New—Adds a new TACACS+ server. OK—Saves the changes. Cancel—Cancels the modifications. Table 6: TACACS+ Authentication Configuration Details Option Function Your Action Name Specifies the IP address of the TACACS+ server. Enter the IP address of the TACACS+ server.
  • Page 21: Configuring Authentication Order (Nsm Procedure)

    New authentication-order list. OK—Saves the changes. Cancel—Cancels the modifications. Related Documentation: Configuring RADIUS Authentication (NSM Procedure) on page 3; Configuring TACACS+ Authentication (NSM Procedure) on page 4; Configuring User Access (NSM Procedure) on page 6
  • Page 22: Configuring User Access (Nsm Procedure)

    For example, class can use. “request system reboot”. Login > Class > Permissions Permissions Configures the login access privileges Enter a new permission. to be provided on the device.
  • Page 23: Configuring User Accounts

    Configuring Template Accounts (NSM Procedure) You can create template accounts that are shared by a set of users when you are using RADIUS or TACACS+ authentication. When a user is authenticated by a template account,
  • Page 24: Creating A Remote Template Account

    Enter the user name. For example, type remote. Specifies the user identifier for a Enter the number associated with the login account. login account. Class Specifies the login class for the user. Select the login class. For example, select operator.
  • Page 25: Creating A Local Template Account

    Select the login class. For example, select superuser. Related Documentation: Configuring RADIUS Authentication (NSM Procedure) on page 3; Configuring TACACS+ Authentication (NSM Procedure) on page 4; Configuring Authentication Order (NSM Procedure) on page 5
  • Page 27: Configuring Chassis

    Click the Configuration tab. In the configuration tree, expand Chassis > Aggregated Devices. Add or modify the settings as specified in Table 11 on page 12. Click one: OK—Saves the changes. Cancel—Cancels the modifications.
  • Page 28: Configuring Chassis Alarms (Nsm Procedure)

    Click the Configuration tab. In the configuration tree, expand Chassis > Alarm. Add or modify the alarm settings as specified in Table 12 on page 13. Click one: OK—Saves the changes. Cancel—Cancels the modifications.
  • Page 29: Configuring Routing Engine Redundancy (Nsm Procedure)

    2. In the Comment box, enter the comment. hard disk errors or a loss of a 3. Select the type of failover. keepalive signal from the master Routing Engine.
  • Page 30 Related Documentation: Configuring Aggregated Devices (NSM Procedure) on page 11; Configuring a T640 Router on a Routing Matrix (NSM Procedure); Configuring a Routing Engine to Reboot or Halt on Hard Disk Errors (NSM Procedure)
  • Page 31: Configuring Class Of Service

    In the navigation tree, select Device Manager > Devices. Click the Device Tree tab, and then double-click the device for which you want to configure and apply behavior aggregate classifiers. Click the Configuration tab. In the configuration tree expand Class of Service.
  • Page 32 4. From the Loss val list, select high. 5. Click Add new entry next to Code points. 6. In the Value box, type the value of the high-priority code point for expedited forwarding traffic—for example, 101111. 7. Click OK three times.
  • Page 33: Configuring Cos Code Point Aliases (Nsm Procedure)

    A code-point alias assigns a name to a pattern of code-point bits. You can use this name instead of the bit pattern when you configure other CoS components such as classifiers, drop-profile maps, and rewrite rules. To configure code-point aliases:
  • Page 34 Configuring CoS Interfaces (NSM Procedure) on page 22 Configuring CoS Rewrite Rules (NSM Procedure) on page 28 Configuring CoS Schedulers (NSM Procedure) on page 31 Configuring CoS and Applying Scheduler Maps (NSM Procedure) on page 32
  • Page 35: Configuring Cos Drop Profile (Nsm Procedure)

    You can update multiple devices at one time. See Updating Devices section in the Network and Security Manager Administration Guide for more information. Table 16: Drop Profile Configuration Fields Option Function Your Action Drop Profile
  • Page 36 Configuring CoS Interfaces (NSM Procedure) on page 22 Configuring CoS Rewrite Rules (NSM Procedure) on page 28 Configuring CoS Schedulers (NSM Procedure) on page 31 Configuring CoS and Applying Scheduler Maps (NSM Procedure) on page 32
  • Page 37: Configuring Cos Forwarding Classes (Nsm Procedure)

    Select Queue and click Add new entry. 2. In the Queue num box, type 0. 3. In the Class name box, type the previously configured name of the best-effort class—for example, be-class. 4. Click OK.
  • Page 38: Configuring Cos Interfaces (Nsm Procedure)

    Click the Configuration tab. In the configuration tree, expand Class of Service. Select Interfaces. Add or modify the interfaces as specified in Table 18 on page 23. Click one: OK—Saves the changes. Cancel—Cancels the modifications.
  • Page 39 2. Click the New button or particular chassis in the select an interface and chassis queue. click the Edit button in Interface. 3. Select the scheduler map chassis from the list.
  • Page 40 Edit button in logical interface. Interface. 2. Expand the Interface tree and select Output Traffic Control Profile Remaining. 3. Specify a comment and a profile name. 4. Click Ok.
  • Page 41 2. Click the New button or equally to interface sets that select an interface set and include child nodes and those click the Edit button. that do not include child nodes. 3. Set the internal node.
  • Page 42 2. Click the New button or select an interface set and click the Edit button. 3. Expand interface—set tree and select Input Traffic Control Profile 4. Specify the comment and profile name. 5. Click Ok.
  • Page 43 Configuring CoS Drop Profile (NSM Procedure) on page 19 Configuring CoS Forwarding Classes (NSM Procedure) on page 21 Configuring CoS Rewrite Rules (NSM Procedure) on page 28 Configuring CoS Schedulers (NSM Procedure) on page 31
  • Page 44: Configuring Cos Rewrite Rules (Nsm Procedure)

    Configure rewrite Click Configure next to Rewrite Rules. rules for DiffServ CoS. 2. Click Add new entry next to Dscp. 3. In the Name box, type the name of the rewrite rules—for example, rewrite-dscps.
  • Page 45 7. Click Add new entry next to Loss priority. 8. From the Loss val list, select high. 9. In the Code point box, type the value of the high-priority code point for expedited forwarding traffic—for example, 101111. 10. Click OK twice.
  • Page 46 Configuring CoS Forwarding Classes (NSM Procedure) on page 21 Configuring CoS Interfaces (NSM Procedure) on page 22 Configuring CoS Schedulers (NSM Procedure) on page 31 Configuring CoS and Applying Scheduler Maps (NSM Procedure) on page 32
  • Page 47: Configuring Cos Schedulers (Nsm Procedure)

    To specify buffer size as a percentage of the total buffer, select percent and type an integer from 1 through 100. To specify buffer size as the remaining available buffer, select remainder. 5. Click OK.
  • Page 48: Configuring Cos And Applying Scheduler Maps (Nsm Procedure)

    To configure CoS and apply scheduler maps: In the navigation tree, select Device Manager > Devices. Click the Device Tree tab, and then double-click the device for which you want to configure CoS and apply scheduler maps.
  • Page 49 Select Forwarding Class and click Add new entry. class and scheduler. 2. In the Name box, type the name of the previously configured assured forwarding class—for example, af-class. 3. Select the previously configured assured forwarding scheduler—for example, af-scheduler. 4. Click
  • Page 50 Configuring CoS Forwarding Classes (NSM Procedure) on page 21 Configuring CoS Interfaces (NSM Procedure) on page 22 Configuring CoS Rewrite Rules (NSM Procedure) on page 28 Configuring CoS Schedulers (NSM Procedure) on page 31
  • Page 51: Configuring Ethernet Switching Options

    To mirror interface traffic or VLAN traffic on the switch to an interface on the switch: In the navigation tree, select Device Manager > Devices. In Device Manager, select the device for which you want to configure a port mirror analyzer. In the Configuration tree, expand Ethernet Switching Options.
  • Page 52: Configuring Redundant Trunk Links (Nsm Procedure)

    In the Configuration tree, expand Ethernet Switching Options. Select Redundant Trunk Group > Group. Click the Add icon. Add/modify settings as specified in Table 25 on page 38. Add/modify settings for the VLAN as specified in Table 23 on page 37.
  • Page 53: Configuring Port Security (Nsm Procedure)

    NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See Updating Devices for more information.
  • Page 54 2. Enter the MAC address. 3. Click MAC Limit Specifies the number of MAC addresses that can be Enter the required number. learned on a single Layer 2 access port. This option is not valid for trunk ports.
  • Page 55: Configuring Static Ip (Nsm Procedure)

    NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See Updating Devices for more information.
  • Page 56: Configuring Voip (Nsm Procedure)

    In the configuration tree, expand Ethernet Switching Options and select VoIP. Expand tree and select VoIP Interfaces. Add or modify as specified in Table 27 on page 41. Click one: OK—To save the changes. Cancel—To cancel the modifications.
  • Page 57 Specifies the forwarding class to which Click the New button or select an the interface is assigned. interface and click on Edit button in Interface 2. Enter the forwarding class in the Forwarding Class box.
  • Page 59: Configuring Firewall Filters

    You can update multiple devices at one time. See Updating Devices for more information. Table 28: Create a New Term Option Function Your Action Term Name Specifies the name of the term. Enter a name.
  • Page 60 Dot 1q a Routing filter. dot1q-tag Specifies the tag field in the Ethernet Enter the required number. header. Values can be from 1 through 4095. NOTE: This option is not applicable for a Routing filter.
  • Page 61 Specifies the length of the packet. Enter a value. NOTE: This option is applicable for a Routing filter. Action Counter Name Specifies the count of the number of Enter a value. packets that pass this filter, term, or policer.
  • Page 62: Configuring A Policer For A Firewall Filter

    NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See Updating Devices for more information.
  • Page 63 4. In the box, type 10. 5. Click OK. Enter the loss priority for packets exceeding the limits Select Then. established by the policer—for example, high. 2. In the Comment field, enter high. 3. Click OK.
  • Page 65: Configuring Policy Options

    Click the Configuration tab. In the configuration tree, expand Policy Options. Select As Path. Add or modify the parameters as specified in Table 30 on page 50. Click one:
  • Page 66: Configuring An As Path Group In A Bgp Routing Policy (Nsm Procedure)

    Select As Path Group. Add or modify the parameters as specified in Table 31 on page 51. Click one: OK—To save the changes. Cancel—To cancel the modifications. Apply — To apply the protocol settings.
  • Page 67: Configuring A Community For Use In Bgp Routing Policy Conditions

    In the configuration tree, expand Policy Options. Select Community. Add or modify the parameters as specified in Table 32 on page 52. Click one: OK—To save the changes. Cancel—To cancel the modifications. Apply — To apply the protocol settings.
  • Page 68: Configuring A Bgp Export Policy Condition (Nsm Procedure)

    In the configuration tree, expand Policy Options. Select Condition. Add or modify the parameters as specified in Table 33 on page 53. Click one: OK—To save the changes. Cancel—To cancel the modifications. Apply — To apply the protocol settings.
  • Page 69: Configuring Flap Damping To Reduce The Number Of Bgp Update Messages(Nsm Procedure)

    To configure damping for a BGP routing policy in NSM: In the navigation tree, select Device Manager > Devices. In the Devices list, double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Policy Options. Select Damping.
  • Page 70 Max Suppress Indicates the maximum time in minutes Enter the time limit or select it from that a route can be suppressed no the list. matter how unstable it has been. 2. Click OK.
  • Page 71: Configuring A Routing Policy Statement (Nsm Procedure)

    2. Select policy-statement 3. Specify the name. Comment Specifies the comment for the policy Click the New button or select a statement. policy statement and click Edit button. 2. Select policy-statement 3. Specify the comment.
  • Page 72: Configuring Prefix List (Nsm Procedure)

    This feature enables you to create a named prefix list and include it in a routing policy. To configure prefix list in NSM:
  • Page 73 Prefix List Item Specifies the prefix list item. Click the New button or select a prefix list and click Edit button. 2. Expand prefix-list tree and select Prefix List Item. 3. Specify the name and comment.
  • Page 75: Configuring Routing Options

    Configuring Maximum Prefixes (NSM Procedure) You can configure a limit for the number of routes installed in a routing table based upon the number of route prefixes in the table. To configure maximum prefixes limit in NSM:
  • Page 76 An advisory limit triggers only a warning, and additional routes are not rejected.
  • Page 77: Configuring Multicast (Nsm Procedure)

    2. Click the New button or select a point-to-multipoint (P2MP) group and click the Edit button. label-switched paths (LSPs) are used for multicast distribution. 3. Configure the PE group name, local address, and backup address.
  • Page 78 A new entry is created as soon as the number of multicast forwarding cache entries falls below the suppression value. You can also specify a timeout value for all multicast forwarding cache entries.
  • Page 79 To 3. Specify the address range of the SSM deploy SSM successfully, you need an group. end-to-end multicast-enabled network and applications that use an Internet Group Management Protocol version 3 (IGMPv3).
  • Page 80: Configuring Multipath (Nsm Procedure)

    You can update multiple devices at one time. See the Updating Devices section in the Network and Security Manager Administration Guide for more information.
  • Page 81: Configuring Options (Nsm Procedure)

    You can update multiple devices at one time. See the Updating Devices section in the Network and Security Manager Administration Guide for more information.
  • Page 82: Configuring Route Resolution (Nsm Procedure)

    You can update multiple devices at one time. See the Updating Devices section in the Network and Security Manager Administration Guide for more information.
  • Page 83: Configuring Routing Table Groups (Nsm Procedure)

    Devices Click the Configuration tab. In the configuration tree, expand Routing Options. Select Rib Groups. Add or modify the parameters as specified in Table 42 on page 68. Click one: OK—To save the changes.
  • Page 84 Enables you to apply one or more Expand the tree and select rib-group policies to routes imported into the Import Policy routing table group. 2. Set up the import policies for the routing table group.
  • Page 85: Configuring Routing Tables (Nsm Procedure)

    You can update multiple devices at one time. See the Updating Devices section in the Network and Security Manager Administration Guide for more information.
  • Page 86 Maximum Prefixes Enables you to configure a limit for the Expand the tree and select number of routes installed in a routing Maximum Prefixes table. 2. Set up the and the Maximum Prefixes Threshold
  • Page 87: Configuring Source Routing (Nsm Procedure)

    Devices section in the Network and Security Manager Administration Guide for more information. Table 44: Source Routing Fields Option Function Your Action Comment Specifies the comment for the source Enter the comment. routing configuration.
  • Page 88: Configuring Static Routes (Nsm Procedure)

    You can update multiple devices at one time. See the Updating Devices section in the Network and Security Manager Administration Guide for more information.
  • Page 89: Configuring Generated Routes (Nsm Procedure)

    Devices Click the Configuration tab. In the configuration tree, expand Routing Options. Select Generate. Add or modify the parameters as specified in Table 46 on page 74. Click one:
  • Page 90: Configuring Graceful Restart (Nsm Procedure)

    The network topology is stable. The neighbor or peer cooperates. The restarting device is not already cooperating with another restart already in progress. The grace period does not expire. To configure graceful restart in NSM:
  • Page 91: Configuring Forwarding Table (Nsm Procedure)

    This feature enables you to configure forwarding table in NSM. To configure forwarding table in NSM: In the navigation tree, select Device Manager > Devices. In the Devices list, double-click the device to select it. Click the Configuration tab.
  • Page 92 Export Enables you to apply one or more Expand the tree Forwarding Table policies to routes being exported from and select Export the routing table into the forwarding 2. Enter the export policies. table.
  • Page 93: Configuring Flow Route (Nsm Procedure)

    Devices section in the Network and Security Manager Administration Guide for more information. Table 49: Flow Route Fields Option Function Your Action Comment Specifies the comment for the flow Enter a comment. route. Route
  • Page 94 2. Expand the Traceoptions tree and that tracing results be saved in a log file. configure the file and flag You can configure the tracing flag, filter, parameters, and the tracing policy. and the tracing policy.
  • Page 95: Configuring Fate Sharing (Nsm Procedure)

    You can update multiple devices at one time. See the Updating Devices section in the Network and Security Manager Administration Guide for more information. Table 50: Fate Sharing Fields Option Function Your Action Comment Specifies the comment for the fate Enter a comment. sharing.
  • Page 96: Configuring Martian Addresses (Nsm Procedure)

    To configure a martian address in NSM: In the navigation tree, select Device Manager > Devices. In the Devices list, double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Routing Options. Select Martians.
  • Page 97 2. Select the check box to allow the disallowed address. Selecting the allow option deletes a particular martian address from the range of martian addresses. 3. Clear the check box to disallow the addresses and mark them as a martian address.
  • Page 98: Configuring Interface Routes (Nsm Procedure)

    You can update multiple devices at one time. See the Updating Devices section in the Network and Security Manager Administration Guide for more information.
  • Page 99: Configuring Instance Export (Nsm Procedure)

    Routing Options Select Instance Export and specify the export policies for routes being exported from a routing instance. Click one: OK—To save the changes. Cancel—To cancel the modifications. Apply—To apply the routing option settings.
  • Page 100: Configuring Instance Import (Nsm Procedure)

    ASs (members) making up the confederation is hidden. Because each confederation is treated as if it were a single AS, you can apply the same routing policy to all the ASs that make up the confederation. To configure a confederation in NSM:
  • Page 101: Configuring Maximum Paths (Nsm Procedure)

    To configure a maximum paths limit in NSM: In the navigation tree, select Device Manager > Devices. In the Devices list, double-click the device to select it. Click the Configuration tab.
  • Page 102 You can configure a percentage of the Limit value that when reached starts triggering the warnings. log-only—Sets the route limit as an advisory limit. An advisory limit triggers only a warning, and additional routes are not rejected.
  • Page 103: Configuring Protocols

    In demand mode, no Hello packets are exchanged after the session is established; it is assumed that the endpoints have another way to verify connectivity to each other. To configure BFD:
  • Page 104: Configuring Bgp (Nsm Procedure)

    BGP systems. This feature enables you to configure BGP peering sessions. To configure BGP in NSM: In the navigation tree, select Device Manager > Devices and select the device from the list. In the configuration tree, expand Protocols
  • Page 105 BGP 3. Set up the comment, Ttl and specify session. This type of session is called a whether the next hop has to be multihop BGP session. changed.
  • Page 106 3. Enter the comment, as number, loop and specify whether it is private. Graceful Restart Enables you to specify the graceful Expand the Protocol tree. restart parameters. 2. Select and select Graceful tab. Restart 3. Specify the graceful restart parameters.
  • Page 107: Configuring 802.1X Authentication (Nsm Procedure)

    802.1X settings. In the Configuration tree, expand Protocols > Dot1x. Select Authenticator > Interface. Click the Add icon. Add/modify member settings for the interface as specified in Table 57 on page 92.
  • Page 108 Specifies the guest VLAN to move the interface to in case Enter the VLAN name. of an authentication failure. Reauthentication Specifies enabling reauthentication on the selected Select Reauthentication. interface. Select one: none reauthentication no-reauthentication
  • Page 109: Configuring Static Mac Bypass

    In the navigation tree, select Device Manager > Devices. In Device Manager, select the device. In the configuration tree, expand Protocols. Select GVRP. Click the Add icon. Add/modify GVRP settings for the interface as specified in Table 58 on page 94.
  • Page 110: Configuring Igmp (Nsm Procedure)

    In the configuration tree, expand Protocols and select IGMP. Add/Modify the parameters as specified in Table 59 on page 95. Click one: OK—To save the changes. Cancel—To cancel the modifications. Apply — To apply the protocol settings.
  • Page 111 6. You can enable Immediate Leave Promiscuous Mode 7. You can enable accounting on the interface. 8. Select the option Interface > Static to configure the multicast group to be associated with the interface.
  • Page 112: Configuring Igmp Snooping On Ex-Series Switches (Nsm Procedure)

    NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See Updating Devices for more information.
  • Page 113: Configuring Lldp (Nsm Procedure)

    In the navigation tree, select Device Manager > Devices. In Device Manager, select the device for which you want to configure a port mirror analyzer. In the configuration tree, expand Protocols > LLDP. Add/modify LLDP settings as specified in Table 61 on page 98.
  • Page 114: Configuring Lldp-Med (Nsm Procedure)

    LLDP. An EX-series switch uses LLDP-MED to support device discovery of VoIP telephones and to create location databases for these telephone locations for emergency services. The location information configured is used during emergency calls to identify the location of the LLDP-MED device. To configure LLDP-MED:
  • Page 115: Configuring Mstp (Nsm Procedure)

    In the navigation tree, select Device Manager > Devices. In Device Manager, select the device for which you want to configure a port mirror analyzer. In the Configuration tree, expand Protocols > MSTP. Add/modify MSTP settings as specified in Table 63 on page 100.
  • Page 116 Bridge Priority Specifies the bridge priority. Enter a value. Bpdu Block on Edge Specifies whether Bpdu blocks must be processed. Select to enable the feature.
  • Page 117: Configuring Ospf (Nsm Procedure)

    Click the Configuration tab. In the configuration tree, expand Protocols and select OSPF. Add/Modify the parameters under the respective tabs as specified in Table 64 on page 102. Click one: OK—To save the changes.
  • Page 118 You can update multiple devices at one time. See Updating Devices for more information. Table 64: OSPF Configuration Fields Option Function Your Action OSPF
  • Page 119 Specify whether NSSA ABR has to be configured. To enable NSSA ABR, clear the check box. To disable NSSA ABR, select the check box. Area Enables you to set up the area details for OSPF.
  • Page 120 SPF algorithm can run in succession, and a holddown interval after the SPF algorithm runs the maximum number of times.
  • Page 121: Configuring Rip (Nsm Procedure)

    NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See Updating Devices for more information.
  • Page 122 Import 2. Specify the import policies. Receive Enables you to configure RIP receive options. Expand the tree and select Receive. 2. Specify the receive options.
  • Page 123: Configuring Rstp On Ex-Series Switches (Nsm Procedure)

    Devices for more information. Table 66: RSTP Configuration Fields Field Function Your Action Disable Specifies whether RSTP must be disabled on the port. Click to select the option. Bridge Priority Specifies the bridge priority. Enter a value.
  • Page 124: Configuring Stp (Nsm Procedure)

    Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP). Configure BPDU protection on interfaces to prevent them from receiving BPDUs that could result in STP misconfigurations, which could lead to network outages. To configure STP:
  • Page 125 Specifies the number of seconds a port waits before changing from its spanning-tree learning and listening states to the forwarding state. Select a value. Bpdu Block on Edge Specifies whether Bpdu blocks must be processed. Select to enable the feature.
  • Page 126: Configuring Vstp (Nsm Procedure)

    Select VSTP. Add/Modify the parameters under the respective tabs as specified in Table 68 on page 111. Click one: OK—To save the changes. Cancel—To cancel the modifications. Apply—To apply the protocol settings.
  • Page 127 Specifies the interface to be associated with VSTP. Expand the Protocol tree. 2. Select VSTP and expand the tree. 3. Select Interfaces. 4. Set up the priority, cost, mode, edge and specify whether the interface has to be disabled.
  • Page 128: Configuring Vrrp (Nsm Procedure)

    NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See Updating Devices for more information.
  • Page 129 Traceoptions Enables you to configure VRRP level tracing options. Expand the Protocol tree. 2. Select VRRP and expand the tree. 3. Select Traceoptions. 4. Set up the file and flag parameters.
  • Page 131: Configuring Poe

    Add/modify PoE settings for the interface as specified in Table 70 on page 115. Click one: OK—To save the changes. Cancel—To cancel the modifications. Table 70: PoE Edit Settings Option Description Your Action Name Specifies the name for the interface. Enter a name.
  • Page 132 Enable logging of PoE power consumption with the default telemetries settings. Select this option to log telemetries. Specify the following: Disable—Select to disable logging of telemetries. Interval—The time interval for logging telemetries. Duration—The duration for which telemetries should be logged.
  • Page 133: Configuring Snmp

    Click the Configuration tab. In the configuration tree, select Snmp. Add or modify basic system identification information as specified in Table 71 on page 118. Click one: OK—Saves the changes.
  • Page 134: Configuring Client Lists (Nsm Procedure)

    In the navigation tree, select Device Manager > Devices. In the Devices list, double-click the device to select it. Click the Configuration tab. In the configuration tree, expand SNMP. Select Client List. Click the Add or Edit icon.
  • Page 135 SNMP client list access to the device. If you leave the Restrict check box cleared by default, access is permitted for this particular client list. Related Documentation: Configuring SNMP Communities (NSM Procedure) on page 140
  • Page 136: Configuring Snmp Health Monitoring (Nsm Procedure)

    over which the object instance is sampled. The sample value is then compared with the rising and falling threshold values. You can enter a value from 1 through 2147483647. The default is 300.
  • Page 137: Configuring The Interfaces On Which Snmp Requests Can Be Accepted

    SNMP requests can be accepted. If you do not configure specific interfaces, SNMP requests entering the device through any interface are accepted, because by default, all device interfaces have SNMP access privileges. To configure interfaces on which SNMP requests can be accepted in NSM:
  • Page 138 interface configuration. Click the New button or select an interface and click the Edit button. 2. Enter the names of one or more logical interfaces. Related Documentation: Configuring SNMP Communities (NSM Procedure) on page 140
  • Page 139: Configuring The Snmp Local Engine Id (Nsm Procedure)

    Devices section in the Network and Security Manager Administration Guide for more information. Table 75: Configuring Engine Id Fields Option Function Your Action Comment Specifies the comment for the engine ID. Enter a comment.
  • Page 140: Configuring The Snmp Commit Delay Timer (Nsm Procedure)

    In the configuration tree, expand SNMP. Select Nonvolatile. Enter the parameters as specified in Table 76 on page 125. Click one: OK—To save the changes. Cancel—To cancel the modifications. Apply—To apply the SNMP settings.
  • Page 141: Configuring Snmp Rmon Alarms And Events (Nsm Procedure)

    In the configuration tree, expand SNMP. Select Rmon. Enter the parameters as specified in Table 77 on page 126. Click one: OK—To save the changes. Cancel—To cancel the modifications. Apply—To apply the SNMP settings.
  • Page 142 You can update multiple devices at one time. See the Updating Devices section in the Network and Security Manager Administration Guide for more information. Table 77: Configuring Rmon Fields Option Function Your Action Comment Specifies the comment for the RMON configuration. Enter the comment.
  • Page 144 65,535. The default is 0. Syslog Subtag—Specify the tag to be added to the system log message. You can specify a string of not more than 80 uppercase characters as the system log tag.
  • Page 145: Enabling Snmp Access Over Routing Instances (Nsm Procedure)

    To configure access lists for SNMP access over routing instances in NSM: In the navigation tree, select Device Manager > Devices. In the Devices list, double-click the device to select it. Click the Configuration tab. In the configuration tree, expand SNMP.
  • Page 146 Restrict—Select this check box to deny the specified SNMP client list access to the routing instance. If you leave the Restrict check box cleared by default, access is permitted for this particular list. Related Documentation: Configuring SNMP Communities (NSM Procedure) on page 140
  • Page 147: Configuring Snmpv3 (Nsm Procedure)

    You can update multiple devices at one time. See the Updating Devices section in the Network and Security Manager Administration Guide for more information. Table 79: Configuring V3 Fields Option Function Your Action Comment Specifies the comment for the SNMPv3 configuration. Enter a comment.
  • Page 148 This is done to associate the community string to a security name. allowed on those objects. Context—Specify the context in which the community string is to be used. Tag—Specify the addresses of managers that are allowed to use this community string.
  • Page 149 Logical System—On routers only, specify the logical system group for this SNMPv3 target address. Target Parameters—Specify the message processing and security parameters to be used in sending notifications to a particular management target.
  • Page 150 Security Name—The user name (if USM is used) or the SNMP community name (if SNMPv1 or SNMPv2c security models are used) when generating the notification.
  • Page 151 Configure the plain-text password used to generate the key used for encryption meeting these requirements on a device: The password must be at least eight characters long. The password can include alphabetic, numeric, and special characters, but not control characters.
  • Page 152 Specify this group’s security model: usm—SNMPv3 security model. v1—SNMPv1 message process model. v2c—SNMPv2c message process model. Related Documentation: Configuring SNMP Trap Groups (NSM Procedure) on page 144
  • Page 153: Configuring Tracing Of Snmp Activity (Nsm Procedure)

    You can update multiple devices at one time. See the Updating Devices section in the Network and Security Manager Administration Guide for more information.
  • Page 154 Match—Specify a regular expression (regex) to be matched in the trace operation output.
  • Page 155: Configuring Snmp Views (Nsm Procedure)

    In the navigation tree, select Device Manager > Devices. In the Devices list, double-click the device to select it. Click the Configuration tab. In the configuration tree, expand SNMP. Select View. Select the Enable Feature check box.
  • Page 156: Configuring Snmp Communities (Nsm Procedure)

    SNMP requests are denied. To configure SNMP communities in NSM: In the navigation tree, select Device Manager > Devices. In the Devices list, double-click the device to select it. Click the Configuration tab.
  • Page 157 You must configure a view to enable Set requests. Client List Name Specifies a client list or prefix list to be assigned to an SNMP community. Expand the Community tree and select Client List Name. 2. Select a name.
  • Page 158: Configuring Snmp Trap Options (Nsm Procedure)

    In the Devices list, double-click the device to select it. Click the Configuration tab. In the configuration tree, expand SNMP. Select Trap Options. Select the Enable Feature check box. Enter the parameters as specified in Table 83 on page 143. Click one:
  • Page 159 instances. 3. Configure the following to create and define a routing instance entry: Name—Specify the name of the routing instance. Comment—Enter a comment for the routing instance.
  • Page 160: Configuring Snmp Trap Groups (Nsm Procedure)

    Select Trap Group. Select the Enable Feature check box. Enter the parameters as specified in Table 84 on page 145. Click one: OK—To save the changes. Cancel—To cancel the modifications. Apply—To apply the SNMP settings.
  • Page 161 (do not enter hostnames). Related Documentation: Configuring Basic System Identification for SNMP (NSM Procedure) on page 117; Configuring SNMP Communities (NSM Procedure) on page 140; Configuring SNMP Views (NSM Procedure) on page 139
  • Page 163: Configuring Virtual Lans

    You can update multiple devices at one time. See Updating Devices for more information. Table 85: VLAN Edit Settings Option Description Your Action Vlan Name Specifies a unique name for the VLAN. Enter a name.
  • Page 164 2. Specify the filter to be used for incoming and outgoing packets. Interface Specifies the interface to be added to the VLAN. To add an interface, click Interface. Specify the interface to be included as part of the VLAN.
  • Page 165: Configuring A Virtual Chassis

    Interconnect the member switches using the dedicated VCPs on the rear panel of switches. See Connecting a Virtual Chassis Cable to an EX4200 Switch. NOTE: Arrange the switches in sequence, either from top to bottom or from bottom to top (0–9).
  • Page 166: Add A Member To A Virtual Chassis

    NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See Updating Devices for more information.
  • Page 167 Ethernet port for local troubleshooting, port. you can remove that port from being part of the Virtual Management Ethernet (VME). Refresh Refreshes the operational status of virtual chassis members. Click to refresh the operational status.
  • Page 169: Index

    PART 2 Index Index on page 155
  • Page 171: Index

    CoS code point aliases, 17; CoS drop profiles, 19; CoS forwarding classes, 21; CoS interfaces, 22; CoS rewrite rules, 28; CoS scheduler maps, 32; CoS schedulers, 31; customer support, xiv; contacting JTAC, xiv; IGMP snooping, 96; instance export, configuring, 83; instance import, configuring, 84; interface, configuring, 121; interface routes, configuring, 82
  • Page 172 OSPF, 101; protocols, 107; RIP, 105; STP, 108; VRRP, 112; VSTP, 110; Protocols: MSTP, 99; redundant trunk groups, 36; schedulers, 31; secure access port, 37; SNMP: client lists, 118; commit delay timer, 124 (See also nonvolatile); communities, 140; health monitoring, 120; interface, 121; local engine ID, 123; rmon, 125
  • Page 173 Static Routes, configuring, 72; STP, 108; support, technical (See technical support); technical support, contacting JTAC, xiv; traceoptions, configuring, 137; trap groups, configuring, 144; trap options, configuring, 142; configuring, 131; views, configuring, 139; virtual chassis, 149; virtual LAN, 147; VLANs, 147; VoIP, configuring, 40; VRRP, 112; VSTP, 110

This manual is also suitable for:

Network and security manager