Page 2 Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
Page 3 REGARDING LICENSE TERMS. 1. The Parties. The parties to this Agreement are (i) Juniper Networks, Inc. (if the Customer’s principal office is located in the Americas) or Juniper Networks (Cayman) Limited (if the Customer’s principal office is located outside the Americas) (such applicable entity being referred to herein as “Juniper”), and (ii) the person or organization that originally purchased from Juniper or an authorized Juniper reseller the applicable...
Page 4 Customer shall be liable for any such violations. The version of the Software supplied to Customer may contain encryption or other capabilities restricting Customer’s ability to export the Software without an export license. Copyright © 2010, Juniper Networks, Inc.
Page 5 (including Juniper modifications, as appropriate) available upon request for a period of up to three years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194 N. Mathilda Ave., Sunnyvale, CA http://www.gnu.org/licenses/gpl.html...
Page 31: About This Guide
Requesting Technical Support on page xxxiv Objectives Juniper Networks Network and Security Manager (NSM) is a software application that centralizes control and management of your Juniper Networks devices. With NSM, Juniper Networks delivers integrated, policy-based security and network management for all devices.
Page 32: Table 1: Notice Icons
The product supports two levels of access, user and privileged. Identifies variables clusterID, ipAddress. The angle bracket (>) Indicates navigation paths through the UI Object Manager > User Objects > Local by clicking menu options and links. Objects xxxii Copyright © 2010, Juniper Networks, Inc.
Page 33: Documentation
VPN administrators, and network security operation center administrators. Network and Security Provides details about configuring the device features for all Manager Configuring supported ScreenOS and IDP platforms. ScreenOS and IDP Devices Guide Copyright © 2010, Juniper Networks, Inc. xxxiii...
Page 34: Requesting Technical Support
MX-series platforms. Requesting Technical Support Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.
Page 35: Self-Help Online Tools And Resources
About This Guide Self-Help Online Tools and Resources For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features: Find CSC offerings: http://www.juniper.net/customers/support/ Search for known bugs: http://www2.juniper.net/kb/...
Page 37: Getting Started
PART 1 Getting Started Getting Started with NSM on page 3 Understanding the JUNOS CLI and NSM on page 5 Before You Begin Adding M-series and MX-series Devices on page 15 Copyright © 2010, Juniper Networks, Inc.
Page 39: Getting Started With Nsm
Introduction to Network and Security Manager Juniper Networks Network and Security Manager (NSM) gives you complete control over your network. Using NSM, you can configure all your Juniper Networks devices from one location, at one time. NSM works with networks of all sizes and complexity. You can add a single device, or create device templates to help you deploy multiple devices.
Page 40: Role-Based Administration
“Configuring Role-Based Administration” in the Network and Security Manager Administration Guide. Related Introduction to Network and Security Manager on page 3 Documentation Installing NSM on page 3 NSM and Device Management Overview on page 5 Copyright © 2010, Juniper Networks, Inc.
Page 41: Understanding The Junos Cli And Nsm
Communication Between a Device and NSM on page 13 NSM and Device Management Overview NSM is the Juniper Networks network management tool that allows distributed administration of network appliances like the M-series and MX-series routers. You can use the NSM application to centralize status monitoring, logging, and reporting, and to administer device configurations.
Page 42: Understanding The Cli And Nsm
Enter key. For more information on the CLI, see the JUNOS CLI User Guide. Network and Security Manager (NSM) is a software application that centralizes control and management of your Juniper Networks devices. NSM is a three-tier management system made up of the following:...
Page 43: Comparing The Cli To The Nsm Ui
The following sample output shows the protocols configuration of an M-series device: [edit] user@host# show protocols mpls { interface ge-1/3/3.0; interface fe-0/1/2.0; interface fe-0/1/1.0; ospf { traffic-engineering; area 0.0.0.1 { interface lo0.0 { passive; interface ge-1/3/3.0; interface fe-0/1/2.0; interface fe-0/1/1.0; Copyright © 2010, Juniper Networks, Inc.
Page 44: Figure 1: Overview Of The User Interface
Figure 1 on page 8 shows the NSM UI with the Configure navigation tree expanded and the main display area containing the services available from the Configure panel. Different services display when you select the Investigate or Administer panels. Figure 1: Overview of the User Interface Copyright © 2010, Juniper Networks, Inc.
Page 45 NSM Services Supported for M-series and MX-series Devices on page 10 How NSM Works with the CLI and Distributed Data Collection on page 11 Device Schemas on page 12 Communication Between a Device and NSM on page 13 Copyright © 2010, Juniper Networks, Inc.
Page 46: Nsm Services Supported For M-Series And Mx-Series Devices
IP addresses to be found by device discovery rules. Topology management—Provides discovery and management of the physical topology of a network of devices connected to a Juniper Networks EX-series switch. These include networking devices such as the J-series, M-series, MX-series and EX-series as well as ScreenOS and Intrusion Detection and Prevention (IDP) devices, IP phones, desktops, printers, and servers.
Page 47: How Nsm Works With The Cli And Distributed Data Collection
DM. The ADM contains configuration data for all objects in a specific domain. When you use the UI to interface with your managed devices, the ADM and DMs work together. Copyright © 2010, Juniper Networks, Inc.
Page 48: Device Schemas
The DM schema reads from a capability file, which lists the fields and attributes that a specific operating system version supports, to determine the supported features for the operating system version Copyright © 2010, Juniper Networks, Inc.
Page 49: Communication Between A Device And Nsm
NSM uses capability files to enable JUNOS software upgrades without changing the device configuration in NSM. The M-series and MX-series device families are described by schemas that are maintained on a schema repository owned by Juniper Networks. These schemas can be added dynamically to NSM. Related...
Page 51: Before You Begin Adding M-Series And Mx-Series Devices
Junos OS Release 9.3, 9.4, 9.5, 9.6, 10.0, 10.1, 10.2 (via schema update) Juniper Networks MX240 with MS-DPC Junos OS Release 9.4, 9.5, 9.6, 10.0, 10.1, 10.2 (via schema update) Juniper Networks MX240 with IDP Junos OS Release 9.4, 9.5, 9.6, 10.0, 10.1 services Copyright © 2010, Juniper Networks, Inc.
Page 52: Considering The Device Status
Telnet or SSHv2, and NETCONF protocol over SSH. The NSM process of importing a deployed device differs depending on whether your device is configured with a static or dynamic IP address. For information about importing Copyright © 2010, Juniper Networks, Inc.
Page 53: Configuring A Deployed M-Series Or Mx-Series Device For Importing To Nsm
Before you can add an M-series or MX-series device to NSM, you must have an IP address configured on the management interface (fxp0) and a user with full administrative privileges for the NSM administrator. Copyright © 2010, Juniper Networks, Inc.
Page 54: Check Network Connectivity
[edit] user@host# edit routing-options Configure a static route to the NSM server with the option so that the static retain route remains in the forwarding table when the routing protocol process shuts down normally: Copyright © 2010, Juniper Networks, Inc.
Page 55 PING 192.193.60.181 (192.193.60.181): 56 data bytes 64 bytes from 192.193.60.181: icmp_seq=0 ttl=64 time=23.050 ms 64 bytes from 192.193.60.181: icmp_seq=1 ttl=64 time=18.129 ms 64 bytes from 192.193.60.181: icmp_seq=2 ttl=64 time=0.304 ms --- 192.193.60.181 ping statistics --- Copyright © 2010, Juniper Networks, Inc.
Page 56: Establish A Telnet Or An Sshv2, And A Netconf Protocol Over Ssh Connection To The Nsm Server
[edit system services] user@host# set ssh protocol-version v2 [edit system services] user@host# set telnet [edit system services] user@host# set netconf ssh [edit system services] user@host# show ftp; ssh { protocol-version v2; telnet; netconf { Copyright © 2010, Juniper Networks, Inc.
Page 59: Integrating M-Series And Mx-Series Devices
PART 2 Integrating M-series and MX-series Devices Adding M-series and MX-series Devices Overview on page 25 Updating M-series and MX-series Devices Overview on page 31 Copyright © 2010, Juniper Networks, Inc.
Page 61: Adding M-Series And Mx-Series Devices Overview
Import deployed devices—Deployed devices are the devices you are currently using in your existing network. These devices have already been configured with a static or dynamic IP address and other basic information. For deployed devices, you can import the existing device configuration information into NSM. Copyright © 2010, Juniper Networks, Inc.
Page 62: Supported Add Device Workflows For M-Series And Mx-Series Devices
An M-series or MX-series device can be added using the following methods or workflows: Import device with static IP address Import device with dynamic IP address Model and activate device Rapid deployment (configlets) Device discovery Copyright © 2010, Juniper Networks, Inc.
Page 63: Importing Devices Overview
A physical connection to your network with access to network resources Connectivity to the NSM Device Server, which can be with a static IP address A Telnet or an SSHv2, and a NETCONF protocol over SSH connection Copyright © 2010, Juniper Networks, Inc.
Page 64: Modeling Devices Overview
NSM, and then install that device configuration on the physical device. Adding a single undeployed device to NSM is a four-stage process: Model the device in the UI. Create the device object configuration. Activate the device. Update the device configuration. Copyright © 2010, Juniper Networks, Inc.
Page 65: Only)
(such as all the devices in sales offices throughout western Europe). Use the groups to: Deploy new or updated device configurations to the entire device group. Deploy new or updated policies to the entire device group. Copyright © 2010, Juniper Networks, Inc.
Page 66: Documentation
Supported Add Device Workflows for M-series and MX-series Devices on page 26 Importing Devices Overview on page 27 Modeling Devices Overview on page 28 Adding Multiple Devices Using Automatic Discovery (JUNOS Software Devices Only) on page 29 Copyright © 2010, Juniper Networks, Inc.
Page 67: Updating M-Series And Mx-Series Devices Overview
From the Device Manager launchpad, select Update Device. The launchpad displays the Update Device(s) dialog box. All connected and managed devices appear in the device list. Modeled devices and devices awaiting import for the first time do not appear. Copyright © 2010, Juniper Networks, Inc.
Page 68: How The Update Process Works
For example, malicious traffic might have entered your network, requiring you to update the device to detect and prevent that attack. Copyright © 2010, Juniper Networks, Inc.
Page 69: Job Manager
NSM creates a job for that command and displays information about that job in the Job Manager module. Job Manager tracks the progress of the command as it travels to the device and back to the management system. Each job contains: Copyright © 2010, Juniper Networks, Inc.
Page 70: Tracking Updated Devices Using Job Manager
Job Type (Directive) List—Displays the job type (directives) and associated timestamp completion status information. All current and completed jobs appear, including device updates. However, if you have not yet performed an update using NSM, the Job List does not display an Update Configuration directive. Copyright © 2010, Juniper Networks, Inc.
Page 71: Reviewing Job Information Displayed In Job Manager
To view the job status for an individual device (including error messages and percent complete), select the device in the Percent Complete pane; the status appears in the Output pane. The job information includes: Copyright © 2010, Juniper Networks, Inc.
Page 72: Device States Displayed In Job Manager During Update
During an update, the managed device changes device state. You can view the current device state in real time in the State Description field of the Job Information dialog box. Table 6 on page 37 lists the states that a device can have. Copyright © 2010, Juniper Networks, Inc.
Page 73: Understanding Updating Errors Displayed In The Job Manager
Figure 4 on page 38 shows that on December 4 a configuration update to an MX960 failed. The super user was locked out by the root user as indicated in the text of the error Copyright © 2010, Juniper Networks, Inc.
Page 74: Figure 4: Failed Update Job Information Dialog Box
(PID). After the root user is locked out, you can try to update the configuration again. NSM should lock the configuration and continue successfully. Copyright © 2010, Juniper Networks, Inc.
Page 75 Job Manager on page 33 Tracking Updated Devices Using Job Manager on page 34 Reviewing Job Information Displayed in Job Manager on page 35 Device States Displayed in Job Manager During Update on page 36 Copyright © 2010, Juniper Networks, Inc.
Page 77: Configuring M-Series And Mx-Series Devices
Configuring Policy Options on page 243 Configuring Protocols on page 253 Configuring Routing Options on page 361 Configuring Security on page 389 Configuring Services on page 431 Configuring SNMP on page 525 Configuring System on page 531 Copyright © 2010, Juniper Networks, Inc.
Page 79: Configuring M-Series And Mx-Series Devices Overview
JUNOS VPNs Configuration Guide for policy options parameters. JUNOS Class of Service Configuration Guide for class of service parameters. JUNOS Software with Enhanced Services Security Configuration Guide for security parameters. JUNOS Services Interface Configuration Guide for service parameters. Copyright © 2010, Juniper Networks, Inc.
Page 80: M-Series And Mx-Series Device Configuration Settings Supported In Nsm
NSM. Table 7: The JUNOS Configuration Hierarchy and the NSM Configuration Tree Available in the NSM Hierarchy Level Configuration Tree edit access edit accounting-options edit applications edit bridge domains edit chassis Copyright © 2010, Juniper Networks, Inc.
Page 81: Configuring M-Series And Mx-Series Devices
Yes. edit routing-instances] edit routing-options edit schedulers edit security edit services edit snmp edit switch-options edit system edit virtual-chassis edit vlans Copyright © 2010, Juniper Networks, Inc.
Page 82: Configuring Device Features
In the device navigation tree, select a function heading to see device parameters, and then select the configuration parameter you want to configure. Make your changes to the device configuration, then choose one of the following: Click OK to save your changes and close the device configuration. Copyright © 2010, Juniper Networks, Inc.
Page 83: Example: Configuration Of Interfaces For Mpls In The Cli And Nsm
MPLS, similar to the CLI hierarchy levels. Within MPLS, Interface is highlighted, indicating that the information on the right relates to interfaces within MPLS. The information in the NSM UI example is similar to the information in the CLI example though the presentation is somewhat different. Copyright © 2010, Juniper Networks, Inc.
Page 84: Figure 6: Mpls Configuration In Nsm
M-series and MX-series devices. Related About Device Configuration on page 43 Documentation M-series and MX-series Device Configuration Settings Supported in NSM on page 44 Configuring Device Features on page 46 Copyright © 2010, Juniper Networks, Inc.
Page 85: Configuring Access
Click the Device Tree tab, and then double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Access. Select Address Assignment. Add or modify settings as specified in Table 8 on page 50. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 86: Table 8: Address Assignment Configuration Details
3. In the Name box, enter the IP addresses of the domain name client to resolve servers, listed in order of preference. hostname-to-client 4. In the Comment box, enter the comment. mappings. Copyright © 2010, Juniper Networks, Inc.
Page 87 2. Click Add new entry next to Wins Server. the client uses to resolve 3. In the Name box, enter the IP address of each NetBIOS name NetBIOS names. server. 4. In the Comment box, enter the comment. Copyright © 2010, Juniper Networks, Inc.
Page 88: Configuring Access Address Pools (Nsm Procedure)
Click the Device Tree tab, and then double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Access. Select Address Pool. Add or modify settings as specified in Table 9 on page 53. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 89: Configuring Access Group Profile (Nsm Procedure)
Configure the group profile. Click Add new entry next to Group Profile. 2. In the Name box, enter the name to be assigned to the group profile. 3. In the Comment box, enter the comment. Copyright © 2010, Juniper Networks, Inc.
Page 90: Configuring The Ldap Options (Nsm Procedure)
Click the Device Tree tab, and then double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Access. Select Ldap Options. Add or modify settings as specified in Table 11 on page 55. Click one: Copyright © 2010, Juniper Networks, Inc.
Page 91: Configuring The Ldap Server (Nsm Procedure)
Click the Device Tree tab, and then double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Access. Select Ldap Server. Add or modify settings as specified in Table 12 on page 56. Click one: Copyright © 2010, Juniper Networks, Inc.
Page 92: Configuring Access Profiles For L2Tp Or Ppp Parameters (Nsm Procedure)
Configuring the Client Filter Name (NSM Procedure) on page 61 Configuring the LDAP Options (NSM Procedure) on page 62 Configuring the LDAP Server (NSM Procedure) on page 63 Configuring the Provisioning Order (NSM Procedure) on page 64 Copyright © 2010, Juniper Networks, Inc.
Page 93: Configuring Access Profile (Nsm Procedure)
Click the Device Tree tab, and then double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Access. Select Profile. Add or modify settings as specified in Table 14 on page 58. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 94: Configuring The Accounting Order (Nsm Procedure)
Configuring the Accounting Order (NSM Procedure) Beginning with JUNOS Release 8.0, you can configure RADIUS accounting for an Layer 2 Tunneling Protocol (L2TP) profile. With RADIUS accounting enabled, Juniper Networks routers, acting as RADIUS clients, can notify the RADIUS server about user activities such as software logins, configuration changes, and interactive commands.
Page 95: Configuring The Authentication Order (Nsm Procedure)
In the NSM navigation tree, select Device Manager > Devices. Click the Device Tree tab, and then double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Access. Select Profile. Copyright © 2010, Juniper Networks, Inc.
Page 96: Configuring The L2Tp Client (Nsm Procedure)
7. In the pap password box, enter the Password Authentication Protocol (PAP) password. Configure a client group. Click Client Group next to client. 2. Click Add new entry next to Client Group. 3. In the New client-group window, enter the client group. Copyright © 2010, Juniper Networks, Inc.
Page 97: Configuring The Client Filter Name (Nsm Procedure)
Click the Device Tree tab, and then double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Access. Select Profile. Add or modify settings as specified in Table 22 on page 64. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 98: Configuring The Ldap Options (Nsm Procedure)
Range: 60 through 4294967295 Default: 600 5. In the Base Distinguished Name box, enter the suffix when assembling user distinguished name (DN) or base DN under which to search for user DN. Copyright © 2010, Juniper Networks, Inc.
Page 99: Configuring The Ldap Server (Nsm Procedure)
Click the Device Tree tab, and then double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Access. Select Profile. Add or modify settings as specified in Table 21 on page 64. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 100: Configuring The Provisioning Order (Nsm Procedure)
Click Add new entry next to Profile. order. 2. Click Provisioning Order next to profile. 3. Click Add new entry next to Provisioning Order. 4. In the New provisioning-order window, select the order in which provisioning mechanisms are used. Copyright © 2010, Juniper Networks, Inc.
Page 101: Procedure)
Click Attributes next to Radius. accounting servers used for 2. In the Comment box, enter the comment. accounting for Dynamic Host Configuration Protocol (DHCP), Layer 2 Tunneling Protocol (L2TP), and Point-to-Point Protocol (PPP) clients. Copyright © 2010, Juniper Networks, Inc.
Page 102 52, Acct-Input-Gigawords interface-description—Juniper VSA 26-53, Interface-Desc nas-identifier—RADIUS attribute 32, NAS-Identifier nas-port—RADIUS attribute 5, NAS-Port nas-port-id—RADIUS attribute 87, NAS-Port-Id. nas-port-type—RADIUS attribute 61, NAS-Port-Type output-filter—Juniper VSA 26-11, Egress-Policy-Name output-gigapackets—Juniper VSA 25-43, Acct-Output-Gigapackets output-gigawords—RADIUS attribute 53, Acct-Output-Gigawords Copyright © 2010, Juniper Networks, Inc.
Page 103 Range: 60 through 4294967295 seconds Default: 600 seconds 8. Select the vlan-nas-port-stacked-format check box to configure RADIUS attribute 5 (NAS-Port) to include the S-VLAN ID, in addition to the VLAN ID, for subscribers on Ethernet interfaces. Copyright © 2010, Juniper Networks, Inc.
Page 104: Configuring The Radius Parameters (Nsm Procedure)
2. Click Radius Options next to Profile. 3. In the Comment box, enter the comment. 4. From the Revert Interval list, select the amount of time the router waits after a server has become unreachable. Default: 600 seconds Copyright © 2010, Juniper Networks, Inc.
Page 105: Configuring The Radius For Subscriber Access Management, L2Tp, Or Ppp
9. In the Source Address box, enter a valid IPv4 address configured on one of the router interfaces. 10. From the Routing Instance list, select the routing instance name. Configuring Session Limit (NSM Procedure) To configure the timeout limit in NSM: Copyright © 2010, Juniper Networks, Inc.
Page 106: Configuring The Radius For Subscriber Access Management, L2Tp, Or Ppp
Click the Device Tree tab, and then double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Access. Select Radius Server. Add or modify settings as specified in Table 27 on page 71. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 107: Configuring The Securid Server (Nsm Procedure)
Click the Device Tree tab, and then double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Access. Select Securid Server. Add or modify settings as specified in Table 28 on page 72. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 108: Configuring The Access Profile (Nsm Procedure)
2. In the Name box, enter the name of the access profile. Related Configuring Access Profiles for L2TP or PPP Parameters (NSM Procedure) on page 56 Documentation Configuring the RADIUS Parameters (NSM Procedure) on page 68 Copyright © 2010, Juniper Networks, Inc.
Page 109: Configuring Accounting Options
Click the Configuration tab. In the configuration tree, expand Accounting Options. Select Class Usage Profile. Add or modify the settings as specified in Table 30 on page 74. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 110: Configuring A Log File (Nsm Procedure)
Click the Configuration tab. In the configuration tree, expand Accounting Options. Select File. Add or modify the settings as specified in Table 31 on page 75. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 111: Configuring The Filter Profile (Nsm Procedure)
Click the Configuration tab. In the configuration tree, expand Accounting Options. Select Filter Profile. Add or modify the settings as specified in Table 32 on page 76. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 112: Configuring The Interface Profile (Nsm Procedure)
Click the Configuration tab. In the configuration tree, expand Accounting Options. Select Interface Profile. Add or modify the settings as specified in Table 33 on page 77. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 113: Configuring The Policy Decision Statistics Profile (Nsm Procedure)
To configure the policy decision statistics profile in NSM: In the NSM navigation tree, select Device Manager > Devices. Click the Device Tree tab, and then double-click the device to select it. Copyright © 2010, Juniper Networks, Inc.
Page 114: Configuring The Mib Profile (Nsm Procedure)
In the NSM navigation tree, select Device Manager > Devices. Click the Device Tree tab, and then double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Accounting Options. Select MIB Profile. Copyright © 2010, Juniper Networks, Inc.
Page 115: Configuring The Routing Engine Profile (Nsm Procedure)
Click the Configuration tab. In the configuration tree, expand Accounting Options. Select Routing Engine Profile. Add or modify the settings as specified in Table 36 on page 80. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 116: Table 36: Routing Engine Profile Configuration Details
1 minute. cpu-load-5—Average system load over the last 5 minutes. cpu-load-15—Average system load over the last 15 minutes. Memory Usage—Memory usage in bytes. Total Cpu Usage—Amount of CPU time used. Copyright © 2010, Juniper Networks, Inc.
Page 117: Configuring Applications
Add or modify settings as specified in Table 37 on page 82. Click one: OK—Saves the changes. Cancel—Cancels the modifications. NOTE: Application and application set are configurable, only if the device is in the in-device policy mode. Copyright © 2010, Juniper Networks, Inc.
Page 118: Table 37: Applications Configuration Details
5. In the Comment box, enter the comment. 6. Click Application next to application-set. 7. Click Add new entry next to Application. 8. From the Name list, select the identifier of the application. 9. In the Comment box, enter the comment. Copyright © 2010, Juniper Networks, Inc.
Page 119: Configuring Bridge Domains
Click the Device Tree tab, and then double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Bridge Domains. Select Domain. Add or modify settings as specified in Table 38 on page 84. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 120: Configuring Layer 2 Learning And Forwarding Properties For A Bridge Domain (Nsm Procedure)
Click the Device Tree tab, and then double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Bridge Domains. Select Domain. Add or modify settings as specified in Table 39 on page 85. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 121: Table 39: Bridge Options Configuration Details
3. From the Limit list, select the maximum number of MAC bridge domain, virtual switch, addresses learned from an interface. or set of bridge domains. Range: 1 through 131,071 MAC addresses per interface Copyright © 2010, Juniper Networks, Inc.
Page 122: Configuring Forwarding Options (Nsm Procedure)
2. For overriding the default configuration settings for the extended DHCP relay agent. extended DHCP relay agent, see “Overriding the Default Configuration Settings for the Extended DHCP Relay Agent (NSM Procedure)” on page 189. Copyright © 2010, Juniper Networks, Inc.
Page 123: Configuring Logical Interfaces (Nsm Procedure)
Click the Device Tree tab, and then double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Bridge Domains. Select Domain. Add or modify settings as specified in Table 41 on page 88. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 124: Configuring Multicast Snooping Options (Nsm Procedure)
In the Devices list, double-click the device to select it. In the Configuration tab, expand Bridge Domains. Select Domain. Add or modify the settings as specified in Table 42 on page 89. Click one: OK—saves the changes Cancel—cancels the modifications Copyright © 2010, Juniper Networks, Inc.
Page 125: Table 42: Multicast Snooping Options Configuration Details
2. In the Comment box, enter the comments. multicast snooping. 3. From the Restart Duration list, select the duration for graceful restart. Range: 0 to 300 seconds Default : 180 seconds Copyright © 2010, Juniper Networks, Inc.
Page 126 10. Click Flag next to Trace Options. 11. Click Add new entry next to flag. 12. From the Name list, select a tracing operation to perform. 13. In the Comment box, enter the comments. Copyright © 2010, Juniper Networks, Inc.
Page 127: Configuring Igmp Snooping (Nsm Procedure)
Click the Device Tree tab, and then double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Bridge Domains. Select Domain. Add or modify settings as specified in Table 43 on page 92. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 128: Table 43: Igmp Snooping Configuration Details
The router loses contact with the hosts that properly remain in the multicast group until they send join requests in response to the next general multicast listener query from the router. Copyright © 2010, Juniper Networks, Inc.
Page 129 Click Proxy next to Igmp Snooping. proxy mode. 2. In the Comment box, enter the comment. 3. In the Source Address box, enter the IP address to use as the source for IGMP snooping reports in proxy mode. Copyright © 2010, Juniper Networks, Inc.
Page 130 9. Click Add new entry next to Flag. 10. From the Name list, select the flag to perform the trace operation. 11. In the Comment box, enter the comment for the flag. 12. Select the corresponding flag modifier check box. Copyright © 2010, Juniper Networks, Inc.
Page 131 The router loses contact with the hosts that properly remain in the multicast group until they send join requests in response to the next general multicast listener query from the router. Copyright © 2010, Juniper Networks, Inc.
Page 132: Configuring Vlan Id (Nsm Procedure)
Click the Device Tree tab, and then double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Bridge Domains. Select Domain. Add or modify settings as specified in Table 44 on page 97. Click one: Copyright © 2010, Juniper Networks, Inc.
Page 133: Table 44: Vlan Id Configuration Details
4. Select vlan tag to tag the VLAN interface so that it can be compared with the normalizing VLAN identifier. 5. In the Comment box, enter the comment. 6. In the Inner box, enter the VLAN identifier. 7. In the Outer box, enter the VLAN identifier. Copyright © 2010, Juniper Networks, Inc.
Page 135: Configuring Chassis
Click the Configuration tab. In the configuration tree, expand Chassis > Aggregated Devices. Add or modify the settings as specified in Table 45 on page 100. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 136: Configuring Chassis Alarms (Nsm Procedure)
Click the Configuration tab. In the configuration tree, expand Chassis > Alarm. Add or modify the alarm settings as specified in Table 46 on page 101. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 137: Configuring Container Interfaces (Nsm Procedure)
In the Comment box, enter the comment. 2. From the Device list, select the number of container devices. Range: 1 through 128 Related Configuring Aggregated Devices (NSM Procedure) on page 99 Documentation Configuring Chassis FPC (NSM Procedure) on page 102 Copyright © 2010, Juniper Networks, Inc.
Page 138: Configuring Chassis Fpc (Nsm Procedure)
2. From the Name list, select the slot number of the DPC. corresponding Packet 3. From the Power list, configure the Flexible PIC Concentrator Forwarding Engines. (FPC) to stay offline or to come online automatically. Copyright © 2010, Juniper Networks, Inc.
Page 139 11. Click Add new entry next to Channel Group. 12. From the Name list, select the channel number. 13. In the Comment box, enter the comment. 14. In the Timeslots box, enter the actual time slot number. Copyright © 2010, Juniper Networks, Inc.
Page 140 7. In the Comment box, enter the comment. 8. Click Symmetric Hash next to Inet. 9. In the Comment box, enter the comment. 10. Select the Complement check box to include the complement of the symmetric hash in the hash key. Copyright © 2010, Juniper Networks, Inc.
Page 141 Non member list to the Members list. Remove—Removes the selected port-mirroring instances from the Members list. Add All—Adds all the port-mirroring instances from the Non-members list to the Members list. Remove All—Removes all the port-mirroring instances from the Members list. Copyright © 2010, Juniper Networks, Inc.
Page 142 5. In the Comment box, enter the comment. Related Configuring Aggregated Devices (NSM Procedure) on page 99 Documentation Configuring Chassis Alarms (NSM Procedure) on page 100 Configuring a T640 Router on a Routing Matrix (NSM Procedure) on page 107 Copyright © 2010, Juniper Networks, Inc.
Page 143: Configuring A T640 Router On A Routing Matrix (Nsm Procedure)
Packet 3. From the Name list, select the slot number of the DPC. Forwarding Engines. 4. From the Power list, configure the Flexible PIC Concentrator (FPC) to stay offline or to come online automatically. Copyright © 2010, Juniper Networks, Inc.
Page 144 11. Click Add new entry next to Channel Group. 12. From the Name list, select the channel number. 13. In the Comment box, enter the comment. 14. In the Timeslots box, enter the actual time slot number. Copyright © 2010, Juniper Networks, Inc.
Page 145 7. In the Comment box, enter the comment. 8. Click Symmetric Hash next to Inet. 9. In the Comment box, enter the comment. 10. Select the Complement check box to include the complement of the symmetric hash in the hash key. Copyright © 2010, Juniper Networks, Inc.
Page 146 Non member list to the Members list. Remove—Removes the selected port-mirroring instances from the Members list. Add All—Adds all the port-mirroring instances from the Non-members list to the Members list. Remove All—Removes all the port-mirroring instances from the Members list. Copyright © 2010, Juniper Networks, Inc.
Page 147 Configuring Aggregated Devices (NSM Procedure) on page 99 Documentation Configuring Routing Engine Redundancy (NSM Procedure) on page 112 Configuring a Routing Engine to Reboot or Halt on Hard Disk Errors (NSM Procedure) on page 113 Copyright © 2010, Juniper Networks, Inc.
Page 148: Configuring Routing Engine Redundancy (Nsm Procedure)
Click Graceful Switchover next to Redundancy. two Routing Engines, 2. In the Comment box, enter the comment. configure a master Routing Engine to switch over gracefully to a backup Routing Engine without interruption to packet forwarding. Copyright © 2010, Juniper Networks, Inc.
Page 149: Configuring A Routing Engine To Reboot Or Halt On Hard Disk Errors (Nsm Procedure)
Routing Engine. Related Configuring Aggregated Devices (NSM Procedure) on page 99 Documentation Configuring a T640 Router on a Routing Matrix (NSM Procedure) on page 107 Configuring Routing Engine Redundancy (NSM Procedure) on page 112 Copyright © 2010, Juniper Networks, Inc.
Page 151: Configuring Authentication
New—Adds a new RADIUS server. OK—Saves the changes. Cancel—Cancels the modifications. Table 52: RADIUS Authentication Configuration Details Option Function Your Action Name Specifies the IP address of the RADIUS server. Enter the IP address of the RADIUS server. Copyright © 2010, Juniper Networks, Inc.
Page 152: Configuring Tacacs+ Authentication (Nsm Procedure)
New—Adds a new TACACS+ server. OK—Saves the changes. Cancel—Cancels the modifications. Table 53: TACACS+ Authentication Configuration Details Option Function Your Action Name Specifies the IP address of the TACACS+ server. Enter the IP address of the TACACS+ server. Copyright © 2010, Juniper Networks, Inc.
Page 153: Configuring Authentication Order (Nsm Procedure)
New authentication-order list. OK—Saves the changes. Cancel—Cancels the modifications. Related Configuring RADIUS Authentication (NSM Procedure) on page 115 Documentation Configuring TACACS+ Authentication (NSM Procedure) on page 116 Configuring User Access (NSM Procedure) on page 118 Copyright © 2010, Juniper Networks, Inc.
Page 154: Configuring User Access (Nsm Procedure)
For example, class can use. “request system reboot”. Login > Class > Permissions Permissions Configures the login access privileges Enter a new permission. to be provided on the device. Copyright © 2010, Juniper Networks, Inc.
Page 155: Configuring User Accounts
Configuring Template Accounts (NSM Procedure) You can create template accounts that are shared by a set of users when you are using RADIUS or TACACS+ authentication. When a user is authenticated by a template account, Copyright © 2010, Juniper Networks, Inc.
Page 156: Creating A Remote Template Account
Enter the user name. For example, type remote. Specifies the user identifier for a Enter the number associated with the login account. login account. Class Specifies the login class for the user. Select the login class. For example, select operator. Copyright © 2010, Juniper Networks, Inc.
Page 157: Creating A Local Template Account
Select the login class. For example, select superuser. Related Configuring RADIUS Authentication (NSM Procedure) on page 115 Documentation Configuring TACACS+ Authentication (NSM Procedure) on page 116 Configuring Authentication Order (NSM Procedure) on page 117 Copyright © 2010, Juniper Networks, Inc.
Page 159: Configuring Class Of Service Features
Configuring CoS Restricted Queues (NSM Procedure) on page 144 Configuring Tracing Operations (NSM Procedure) on page 145 Configuring CoS Traffic Control Profiles (NSM Procedure) on page 146 Configuring CoS Translation Table (NSM Procedure) on page 147 Copyright © 2010, Juniper Networks, Inc.
Page 160: Configuring Cos Classifiers (Nsm Procedure)
Click Add new entry next to Dscp. classifiers for DiffServ CoS. 2. In the Name box, type the name of the behavior aggregate classifier—for example, ba-classifier. 3. In the Import box, type the name of the default DSCP map. Copyright © 2010, Juniper Networks, Inc.
Page 161 4. In the Unit number box, type the logical interface unit number—for example, 5. Click Configure next to Classifiers. 6. In the Classifiers box, under Dscp, type the name of the previously configured behavior aggregate classifier—for example, ba-classifier. 7. Click OK. Copyright © 2010, Juniper Networks, Inc.
Page 162: Configuring Cos Code Point Aliases (Nsm Procedure)
NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See the Network and Security Manager Administration Guide for more information. Copyright © 2010, Juniper Networks, Inc.
Page 163: Configuring Cos Drop Profile (Nsm Procedure)
100 percent. To configure drop profiles in NSM: In the navigation tree, select Device Manager > Devices. Click the Device Tree tab, and then double-click the device for which you want to configure drop profiles. Copyright © 2010, Juniper Networks, Inc.
Page 164: Table 60: Drop Profile Configuration Fields
Edit button. 2. Expand the Drop Profile tree and select Fill Level. 3. Click the New button or select a fill level and click the Edit button. 4. Select a value from Name list. Copyright © 2010, Juniper Networks, Inc.
Page 165: Configuring Cos Forwarding Classes (Nsm Procedure)
CoS forwarding classes. Click the Configuration tab. In the configuration tree, expand Class of Service. Select Forwarding Classes. Add or modify settings as specified in Table 61 on page 130. Click one: OK—Saves the changes. Copyright © 2010, Juniper Networks, Inc.
Page 166: Table 61: Assigning Forwarding Classes To Output Queues
Configuring CoS Drop Profile (NSM Procedure) on page 127 Configuring CoS Interfaces (NSM Procedure) on page 134 Configuring CoS Rewrite Rules (NSM Procedure) Configuring CoS Schedulers (NSM Procedure) on page 141 Configuring CoS and Applying Scheduler Maps (NSM Procedure) on page 143 Copyright © 2010, Juniper Networks, Inc.
Page 167: Configuring Cos Forwarding Policy (Nsm Procedure)
2. In the Name box, enter the name of forwarding class. override the incoming 3. Click Classification Override next to Class. packet classification. 4. In the Forwarding Class box, enter the name of the forwarding class. Copyright © 2010, Juniper Networks, Inc.
Page 168: Configuring Cos Fragmentation Maps (Nsm Procedure)
Click the Device Tree tab, and then double-click the device for which you want to configure CoS Fragmentation Maps. Click the Configuration tab. In the configuration tree, expand Class of Service. Select Fragmentation Maps. Add or modify settings as specified in Table 63 on page 133. Click one: Copyright © 2010, Juniper Networks, Inc.
Page 169: Configuring Cos Host Outbound Traffic (Nsm Procedure)
Class-of-Service Host Outbound Traffic. Click the Configuration tab. In the configuration tree, expand Class of Service. Select Host Outbound Traffic. Add or modify settings as specified in Table 64 on page 134. Click one: Copyright © 2010, Juniper Networks, Inc.
Page 170: Configuring Cos Interfaces (Nsm Procedure)
NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See the Network and Security Manager Administration Guide for more information. Copyright © 2010, Juniper Networks, Inc.
Page 171: Table 65: Interfaces Configuration Fields
2. Click the New button or particular chassis in the select an interface and chassis queue. click the Edit button in Interface. 3. Select the scheduler map chassis from the list. Copyright © 2010, Juniper Networks, Inc.
Page 172 Edit button in logical interface. Interface. 2. Expand the Interface tree and select Output Traffic Control Profile Remaining. 3. Specify a comment and a profile name. 4. Click Ok. Copyright © 2010, Juniper Networks, Inc.
Page 173 2. Click the New button or equally to interface sets that select an interface set and include child nodes and those click the Edit button. that do not include child nodes. 3. Set the internal node. Copyright © 2010, Juniper Networks, Inc.
Page 174 2. Click the New button or select an interface set and click the Edit button. 3. Expand interface—set tree and select Input Traffic Control Profile 4. Specify the comment and profile name. 5. Click Ok. Copyright © 2010, Juniper Networks, Inc.
Page 175 Configuring CoS Code Point Aliases (NSM Procedure) on page 126 Configuring CoS Drop Profile (NSM Procedure) on page 127 Configuring CoS Forwarding Classes (NSM Procedure) on page 129 Configuring CoS Rewrite Rules (NSM Procedure) Configuring CoS Schedulers (NSM Procedure) on page 141 Copyright © 2010, Juniper Networks, Inc.
Page 176: Configuring Cos Routing Instances (Nsm Procedure)
10. Click Ieee 802.1 next to Classifiers. 11. In the Comment box, enter the comment. 12. From the Classifier name list, select the classifier name. 13. From the Vlan tag list, select the VLAN tag. Copyright © 2010, Juniper Networks, Inc.
Page 177: Configuring Cos Schedulers (Nsm Procedure)
NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See the Network and Security Manager Administration Guide for more information. Copyright © 2010, Juniper Networks, Inc.
Page 178: Table 67: Configuring Schedulers
Configuring CoS Forwarding Classes (NSM Procedure) on page 129 Configuring CoS Interfaces (NSM Procedure) on page 134 Configuring CoS Rewrite Rules (NSM Procedure) Configuring CoS and Applying Scheduler Maps (NSM Procedure) on page 143 Copyright © 2010, Juniper Networks, Inc.
Page 179: Configuring Cos And Applying Scheduler Maps (Nsm Procedure)
Select Forwarding Class and click Add new entry. class and scheduler. 2. In the Name box, type the name of the previously configured expedited forwarding class—for example, ef-class. 3. Select the previously configured expedited forwarding scheduler—for example, ef-scheduler. 4. Click OK. Copyright © 2010, Juniper Networks, Inc.
Page 180: Configuring Cos Restricted Queues (Nsm Procedure)
Click the Device Tree tab, and then double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Class of Service. Select Restricted Queue. Add or modify settings as specified in Table 69 on page 145. Click one: OK—Saves the changes. Copyright © 2010, Juniper Networks, Inc.
Page 181: Configuring Tracing Operations (Nsm Procedure)
Your Action Configure tracing In the Comment box, enter the comment for the traceoptions. operations. 2. Select the No Remote Trace check box to disable remote tracing globally or for a specific tracing operation. Copyright © 2010, Juniper Networks, Inc.
Page 182: Configuring Cos Traffic Control Profiles (Nsm Procedure)
Click the Configuration tab. In the configuration tree, expand Class of Service. Select Traffic Control Profiles. Add or modify settings as specified in Table 71 on page 147. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 183: Configuring Cos Translation Table (Nsm Procedure)
(DLCIs) (units) that you can configure on each PIC varies based on the number and type of BA classification tables configured on the interfaces. To configure CoS Translation Table in NSM: Copyright © 2010, Juniper Networks, Inc.
Page 184: Table 72: Translation Table Configuration Details
Non member list to the Members list. Remove—Removes the selected code points from the Members list. Add All—Adds all the code points from the Non-members list to the Members list. Remove All—Removes all the code points from the Members list. Copyright © 2010, Juniper Networks, Inc.
Page 185 Non member list to the Members list. Remove—Removes the selected code points from the Members list. Add All—Adds all the code points from the Non-members list to the Members list. Remove All—Removes all the code points from the Members list. Copyright © 2010, Juniper Networks, Inc.
Page 186 Non member list to the Members list. Remove—Removes the selected code points from the Members list. Add All—Adds all the code points from the Non-members list to the Members list. Remove All—Removes all the code points from the Members list. Copyright © 2010, Juniper Networks, Inc.
Page 187 Configuring CoS Rewrite Rules (NSM Procedure) Documentation Configuring CoS Routing Instances (NSM Procedure) on page 140 Configuring Tracing Operations (NSM Procedure) on page 145 Configuring CoS Traffic Control Profiles (NSM Procedure) on page 146 Copyright © 2010, Juniper Networks, Inc.
Page 189: Configuring Event Options
Table 73: Destination Configuration Details Option Function Your Action Name Specifies the name of the Enter the name for the destination. destination. Comment Specifies the comment for the Enter the comment for the destination. destination. Copyright © 2010, Juniper Networks, Inc.
Page 190: Configuring Event Script (Nsm Procedure)
Click the Configuration tab. In the configuration tree, expand Event Options > Event Script. Select Event Script. Add or modify settings as specified in Table 74 on page 155. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 191: Table 74: Event Script Configuration Details
Configuring Destinations for File Archiving (NSM Procedure) on page 153 Documentation Generating Internal Events (NSM Procedure) on page 156 Configuring Event Policy (NSM Procedure) on page 156 Configuring Event Policy Tracing Operations (NSM Procedure) on page 159 Copyright © 2010, Juniper Networks, Inc.
Page 192: Generating Internal Events (Nsm Procedure)
Configuring Event Policy Tracing Operations (NSM Procedure) on page 159 Configuring Event Policy (NSM Procedure) Event policies can listen for specific events, create log files, invoke JUNOS commands, and invoke event scripts. To configure an event policy in NSM: Copyright © 2010, Juniper Networks, Inc.
Page 193: Table 76: Configure Event Policy Details
3. Select the Ignore check box to define a policy that ignores actions. particular events. 4. Select the Raise Trap check box to define a policy that raises a Simple Network Management Protocol (SNMP) trap in response to an event. Copyright © 2010, Juniper Networks, Inc.
Page 194 3. From the Destination list, select the name of a destination. 4. From the User Name list, select the username. 5. From the transfer relay list, select the delay before transferring files. Copyright © 2010, Juniper Networks, Inc.
Page 195: Configuring Event Policy Tracing Operations (Nsm Procedure)
In the NSM navigation tree, select Device Manager > Devices. Click the Device Tree tab, and then double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Event Options. Select Traceoptions. Copyright © 2010, Juniper Networks, Inc.
Page 196: Table 77: Event Options Traceoptions Configuration Details
Configuring Destinations for File Archiving (NSM Procedure) on page 153 Documentation Configuring Event Script (NSM Procedure) on page 154 Generating Internal Events (NSM Procedure) on page 156 Configuring Event Policy (NSM Procedure) on page 156 Copyright © 2010, Juniper Networks, Inc.
Page 197: Configuring Firewall
Click the Configuration tab. In the configuration tree, expand Firewall > Family > Any. Add or modify settings as specified in Table 78 on page 162. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 198: Table 78: Firewall Filter Configuration Details
Select one of the following: single-rate—if the named tricolor policer is a single-rate policer. two-rate—if the named tricolor policer is a two-rate policer. Related Configuring the Firewall Filter for Bridge Family Type (NSM Procedure) on page 163 Documentation Copyright © 2010, Juniper Networks, Inc.
Page 199: Configuring The Firewall Filter For Bridge Family Type (Nsm Procedure)
6. Select Interface Specific to configure interface-specific names for firewall counters. Configure accounting for Click Accounting Profile next to filter. firewall filter. 2. In the New accounting-profile window, enter the name to be assigned to the accounting profile. Copyright © 2010, Juniper Networks, Inc.
Page 200 Related Configuring the Firewall Filter for Any Family Type (NSM Procedure) on page 161 Documentation Configuring the Firewall Filter for Ccc Family Type (NSM Procedure) on page 165 Copyright © 2010, Juniper Networks, Inc.
Page 201: Configuring The Firewall Filter For Ccc Family Type (Nsm Procedure)
Configure accounting for Click Accounting Profile next to filter. firewall filter. 2. Click Add new entry next to Accounting Profile. 3. In the New accounting-profile window, enter the name to be assigned to the accounting profile. Copyright © 2010, Juniper Networks, Inc.
Page 202 Configuring the Firewall Filter for Bridge Family Type (NSM Procedure) on page 163 Documentation Configuring the Firewall Filter for MPLS Family Type (NSM Procedure) on page 176 Configuring the Firewall Filter for VPLS Family Type (NSM Procedure) on page 179 Copyright © 2010, Juniper Networks, Inc.
Page 203: Configuring Filters For Inet Family Type (Nsm Procedure)
Configure accounting for Click Accounting Profile next to filter. firewall filters. 2. Click Add new entry next to Accounting Profile. 3. In the New accounting-profile window, enter the name to be assigned to the accounting profile. Copyright © 2010, Juniper Networks, Inc.
Page 204 23. From the Loss Priority list, set the packet loss priority (PLP) to low, medium-low, medium-high, or high. 24. In the Forwarding Class box, enter the packet forwarding class name. 25. From the Prefix Action list, select the prefix specific action. Copyright © 2010, Juniper Networks, Inc.
Page 205: Configuring Prefix-Specific Actions (Nsm Procedure)
Click the Configuration tab. In the configuration tree, expand Firewall > Family > Inet. Click Prefix Action. Add or modify settings as specified in Table 82 on page 170. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 206: Configuring Service Filters (Nsm Procedure)
Configure service filter. Click Service Filter next to Inet. 2. Click Add new entry next to Service Filter. 3. Expand service-filter. 4. In the Name box, enter the name that identifies the service filter. Copyright © 2010, Juniper Networks, Inc.
Page 207: Configuring Simple Filters (Nsm Procedure)
The next-term action is not supported. The except and protocol-except match conditions are not supported. Noncontiguous masks are not supported. Only one source-address and one destination-address prefix are allowed for each filter term. Copyright © 2010, Juniper Networks, Inc.
Page 208: Configuring Filters For Inet6 Family Type (Nsm Procedure)
You can configure filter and service filters for inet6 using the Firewall option. See the following topics: Configuring Firewall Filter for inet6 Family Type (NSM Procedure) on page 173 Configuring Service Filters for inet6 (NSM Procedure) on page 175 Copyright © 2010, Juniper Networks, Inc.
Page 209: Configuring Firewall Filter For Inet6 Family Type (Nsm Procedure)
Configure accounting for Click Accounting Profile next to filter. firewall filters. 2. Click Add new entry next to Accounting Profile. 3. In the New accounting-profile window, enter the name to be assigned to the accounting profile. Copyright © 2010, Juniper Networks, Inc.
Page 210 20. From the Loss Priority list, set the packet loss priority (PLP) to low, medium-low, medium-high, or high. 21. In the Forwarding Class box, enter the packet forwarding class name. 22. From the Prefix Action list, select the prefix specific action. Copyright © 2010, Juniper Networks, Inc.
Page 211: Configuring Service Filters For Inet6 (Nsm Procedure)
Configure service filter. Click Service Filter next to inet. 2. Click Add new entry next to Service Filter. 3. Expand service-filter. 4. In the Name box, enter the name that identifies the service filter. Copyright © 2010, Juniper Networks, Inc.
Page 212: Configuring The Firewall Filter For Mpls Family Type (Nsm Procedure)
Click the Configuration tab. In the configuration tree, expand Firewall > Family > MPLS. Add or modify settings as specified in Table 87 on page 177. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 213: Table 87: Mpls Firewall Filter Configuration Details
Configure accounting for Click Accounting Profile next to filter. firewall filters. 2. Click Add new entry next to Accounting Profile. 3. In the New accounting-profile window, enter the name to be assigned to the accounting profile. Copyright © 2010, Juniper Networks, Inc.
Page 214 Configuring the Firewall Filter for Any Family Type (NSM Procedure) on page 161 Documentation Configuring Filters for inet Family Type (NSM Procedure) on page 167 Configuring Filters for inet6 Family Type (NSM Procedure) on page 172 Copyright © 2010, Juniper Networks, Inc.
Page 215: Configuring The Firewall Filter For Vpls Family Type (Nsm Procedure)
Click the Configuration tab. In the configuration tree, expand Firewall > Family > VPLS. Add or modify settings as specified in Table 88 on page 180. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 216: Table 88: Vpls Firewall Filter Configuration Details
Configure accounting for Click Accounting Profile next to filter. firewall filters. 2. Click Add new entry next to Accounting Profile. 3. In the New accounting-profile window, enter the name to be assigned to the accounting profile. Copyright © 2010, Juniper Networks, Inc.
Page 217 Expand Three Color Policer. b. Click Single Rate next to Three Color Policer. c. Select one of the following: single-rate—If the named tricolor policer is a single-rate policer. two-rate—If the named tricolor policer is a two-rate policer. Copyright © 2010, Juniper Networks, Inc.
Page 218: Configuring A Policer For A Firewall Filter
Set the bandwidth limit or percentage for the bandwidth allowed—for example, 2k. allowed for this type of traffic—for example, use a bandwidth percent of 10. 3. Select Bandwidth Limit, select bandwidth-limit. 4. In the box, type 10. 5. Click OK. Copyright © 2010, Juniper Networks, Inc.
Page 219 Table 89: Configuring a Policer for a Firewall Filter (continued) Enter the loss priority for packets exceeding the limits Select Then. established by the policer—for example, high. 2. In the Comment field, enter high. 3. Click OK. Copyright © 2010, Juniper Networks, Inc.
Page 221: Configuring Forwarding Options
Cancel—Cancels the modifications. Table 90: Accounting Options Configuration Details Task Your Action Configure an accounting Click Add new entry next to Accounting. group. 2. In the Name box, type the name of the accounting group. Copyright © 2010, Juniper Networks, Inc.
Page 222 6. From the Engine Id list, select the identity of the accounting interface. 7. From the Engine Type list, select the type of this accounting interface. 8. In the Source Address box, enter the address used for generating packets. Copyright © 2010, Juniper Networks, Inc.
Page 223: Configuring The Extended Dhcp Agent (Nsm Procedure)
Click the Configuration tab. In the configuration tree, expand Forwarding Options > DHCP Relay. Select Authentication. Add or modify Authentication settings as specified in Table 91 on page 188. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 224: Configuring Group (Nsm Procedure)
In the NSM navigation tree, select Device Manager > Devices. Click the Device Tree tab, and then double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Forwarding Options > DHCP Relay. Select Group. Copyright © 2010, Juniper Networks, Inc.
Page 225: Overriding The Default Configuration Settings For The Extended Dhcp Relay
In the NSM navigation tree, select Device Manager > Devices. Click the Device Tree tab, and then double-click the device to select it. Click the Configuration tab. In the configuration tree, select Forwarding Options > DHCP Relay. Select Overrides. Copyright © 2010, Juniper Networks, Inc.
Page 226: Table 93: Overrides Configuration Details
From the Interface Client Limit limit. list, select the interface client limit. No Arp Disable Address Resolution Select the No Arp check box to Protocol entry for this client. drop the unwanted ARP requests. Copyright © 2010, Juniper Networks, Inc.
Page 227: Configuring Relay Option 60 Information For Forwarding Client Traffic To
DHCP relay server group. servers. Select Drop to drop DHCP client packets that contain an option 60 string that matches the ASCII or hexadecimal match string and match criteria. Copyright © 2010, Juniper Networks, Inc.
Page 228: Configuring Relay Option 82 For A Dhcp Server (Nsm Procedure)
Click the Configuration tab. In the configuration tree, expand Forwarding Options > DHCP Relay. Select Relay Option 82. Add or modify settings as specified in Table 95 on page 193. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 229: Specifying The Name Of A Group Of Dhcp Server Addresses For Use By The Extended Dhcp Relay Agent (Nsm Procedure)
Click the Configuration tab. In the configuration tree, expand Forwarding Options > DHCP Relay. Select Server Group. Add or modify settings as specified in Table 96 on page 194. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 230: Configuring Operations For Extended Dhcp Relay Agent Processes
In the Comment box, enter the comment for the traceoptions. for extended DHCP relay 2. Select the No Remote Trace check box to disable remote agent processes. tracing globally or for a specific tracing operation. Copyright © 2010, Juniper Networks, Inc.
Page 231: Specifying Address Family For Filters (Nsm Procedure)
3. In the Comment box, enter the comment. 4. From the Input list, select the name of the applied filter. 5. From the Output list, select the name of the applied filter. Copyright © 2010, Juniper Networks, Inc.
Page 232: Configuring Load Balancing Using Hash Key (Nsm Procedure)
Click the Configuration tab. In the configuration tree, expand Forwarding Options > Hash Key. Add or modify settings as specified in Table 99 on page 197. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 233: Configuring Helpers (Nsm Procedure)
Configuring Per-Flow and Per-Prefix Load Balancing (NSM Procedure) on page 205 Configuring Helpers (NSM Procedure) You can enable Trivial File Transfer Protocol (TFTP) or Domain Name System (DNS) request packet forwarding, or configure the router or interface to act as a Dynamic Host Copyright © 2010, Juniper Networks, Inc.
Page 234: Configuring A Router Or Interface To Act As A Bootstrap Protocol Relay
4. From the Minimum Wait Time list, select the minimum time allowed. Default: 3 seconds 5. From the Client Response Ttl list, select the IIP time-to-live (TTL) value in DHCP response packets sent to a DHCP client. Copyright © 2010, Juniper Networks, Inc.
Page 235 ID. 14. Click Vendor Id next to Dhcp Option82. 15. In the Comment box, enter the comment. 16. In the Use String check box, enter the raw string instead of the default remote ID. Copyright © 2010, Juniper Networks, Inc.
Page 236 10. From the Minimum Wait Time list, select the minimum time allowed. Default: 3 seconds 11. From the Client Response Ttl list, select the IIP time-to-live (TTL) value in DHCP response packets sent to a DHCP client. Copyright © 2010, Juniper Networks, Inc.
Page 237: Enabling Dns Request Packet Forwarding
DNS and TFTP request packets. To enable DNS request packet forwarding in NSM: In the NSM navigation tree, select Device Manager > Devices. Click the Device Tree tab, and then double-click the device to select it. Copyright © 2010, Juniper Networks, Inc.
Page 238: Table 101: Dns And Tftp Configuration Details
18. In the Comment box, enter the comment. 19. In the Address box, enter the address of the server. 20. Expand Server. 21. Click Logical System next to Server. 22. Select logical-system or routing-instance. Copyright © 2010, Juniper Networks, Inc.
Page 239: Configuring A Port For A Dhcp Or Bootp Relay Agent
Click the Configuration tab. In the configuration tree, expand Forwarding Options > Helpers. Select Port. Add or modify settings as specified in Table 102 on page 204. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 240: Configuring Tracing Operations For Bootp, Dns, And Tftp Packet
In the NSM navigation tree, select Device Manager > Devices. Click the Device Tree tab, and then double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Forwarding Options > Helpers > TFTP. Copyright © 2010, Juniper Networks, Inc.
Page 241: Configuring Per-Flow And Per-Prefix Load Balancing (Nsm Procedure)
Click the Device Tree tab, and then double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Forwarding Options > Load Balance. Add or modify settings as specified in Table 104 on page 206. Click one: Copyright © 2010, Juniper Networks, Inc.
Page 242: Configuring Port Mirroring (Nsm Procedure)
Click the Device Tree tab, and then double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Forwarding Options > Port Mirroring. Add or modify settings as specified in Table 105 on page 207. Click one: OK—Saves the changes. Copyright © 2010, Juniper Networks, Inc.
Page 243: Table 105: Port Mirroring Configuration Details
3. In the Name box, enter the name of the port-mirroring instance. 4. To configure the address type family to sample for port mirroring, refer Table 105 on page 207. 5. To configure input packet properties for port mirroring, refer Table 105 on page 207. Copyright © 2010, Juniper Networks, Inc.
Page 244 Related Configuring Per-Flow and Per-Prefix Load Balancing (NSM Procedure) on page 205 Documentation Configuring Load Balancing Using Hash Key (NSM Procedure) on page 196 Specifying Address Family for Filters (NSM Procedure) on page 195 Copyright © 2010, Juniper Networks, Inc.
Page 245: Configuring Interfaces
In the NSM navigation tree, select Device Manager > Devices. Click the Device Tree tab, and then double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Interfaces. Select Interface. Copyright © 2010, Juniper Networks, Inc.
Page 246: Table 106: Interface Properties Configuration Details
Management Protocol (SNMP) notifications when the state of the connection changes. no-traps—To disable the sending of Simple Network Management Protocol (SNMP) notifications when the state of the connection changes. 15. From the Accounting Profile list, select the accounting profile. Copyright © 2010, Juniper Networks, Inc.
Page 247: Damping Interface Transitions (Nsm Procedure)
Range: 0 through 4,294,967,295 milliseconds Default: 0 milliseconds 6. From the Down list, select the hold time to use when an interface transitions from up to down Range: 0 through 4,294,967,295 milliseconds Default: 0 milliseconds Copyright © 2010, Juniper Networks, Inc.
Page 248: Configuring Receive Bucket Properties On Interfaces (Nsm Procedure)
Configuring Tracing Operations of an Individual Router Interface (NSM Procedure) You can define tracing operations for individual interfaces using this option. To specify more than one tracing operation, include multiple flag statements. To configure tracing operations of an router interface in NSM: Copyright © 2010, Juniper Networks, Inc.
Page 249: Configuring Transmit Leaky Bucket Properties (Nsm Procedure)
Click the Device Tree tab, and then double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Interfaces. Select Interface. Add or modify settings as specified in Table 110 on page 214. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 250: Configuring Logical Interface Properties (Nsm Procedure)
Click the Device Tree tab, and then double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Interfaces. Select Interface. Add or modify settings as specified in Table 111 on page 215. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 251: Configuring An Ip Demux Underlying Interface (Nsm Procedure)
Click the Device Tree tab, and then double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Interfaces. Select Interface. Add or modify settings as specified in Table 112 on page 216. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 252: Configuring The Logical Demux Source Family Type On The Ip Demux Underlying Interface (Nsm Procedure)
Configuring Epd Threshold for the Logical Interface (NSM Procedure) To configure Epd threshold for the logical interface in NSM: In the NSM navigation tree, select Device Manager > Devices. Click the Device Tree tab, and then double-click the device to select it. Copyright © 2010, Juniper Networks, Inc.
Page 253: Configuring Protocol Family Information For The Logical Interface
Procedure) on page 232 Configuring Protocol Family (TCC) Information for the Logical Interface (NSM Procedure) on page 234 Configuring Protocol Family (Ccc) Information for the Logical Interface (NSM Procedure) To configure ccc family information in NSM: Copyright © 2010, Juniper Networks, Inc.
Page 254: Table 115: Ccc Family Configuration Details
Click Add new entry next to output-list. b. In the New output-list window, enter the filter names. Up to 16 filters can be included in a filter input list. Copyright © 2010, Juniper Networks, Inc.
Page 255: Configuring Protocol Family (Inet) Information For The Logical Interface
Click the Device Tree tab, and then double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Interfaces. Select Interface. Add or modify settings as specified in Table 116 on page 220. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 256: Table 116: Inet Family Configuration Details
5. In the Comment box, enter the comment. 6. Select the Input check box to configure at least one expected ingress point. 7. Select the Output check box to configure at least one expected egress point. Copyright © 2010, Juniper Networks, Inc.
Page 257 Virtual Router Redundancy Protocol (VRRP) advertisement packets. Range: 100 through 999 milliseconds inet6-advertise-interval—To configure the interval between Virtual Router Redundancy Protocol (VRRP) IPv6 advertisement packets Range: 100 to 40,950 milliseconds (ms) Copyright © 2010, Juniper Networks, Inc.
Page 258 11. From the Priority Cost list, select the VRRP routers’ priority cost for becoming the master default router. The router with the highest priority within the group becomes the master. Range: 1 through 254 Copyright © 2010, Juniper Networks, Inc.
Page 259 Click Add new entry next to input-list. b. In the New input-list window, enter the filter names. Up to 16 filters can be included in a filter input list. Copyright © 2010, Juniper Networks, Inc.
Page 260 2. Select the Input check box to configure at least one expected ingress point. traffic to be 3. Select the Output check box to configure at least one expected egress sampled. point. Copyright © 2010, Juniper Networks, Inc.
Page 261: Configuring Protocol Family (Inet6) Information For The Logical Interface (Nsm
Click the Device Tree tab, and then double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Interfaces. Select Interface. Add or modify settings as specified in Table 117 on page 226. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 262: Table 117: Inet6 Family Configuration Details
5. In the Comment box, enter the comment. 6. Select the Input check box to configure at least one expected ingress point. 7. Select the Output check box to configure at least one expected egress point. Copyright © 2010, Juniper Networks, Inc.
Page 263 Virtual Router Redundancy Protocol (VRRP) advertisement packets. Range: 100 through 999 milliseconds inet6-advertise-interval—To configure the interval between Virtual Router Redundancy Protocol (VRRP) IPv6 advertisement packets Range: 100 to 40,950 milliseconds (ms) Copyright © 2010, Juniper Networks, Inc.
Page 264 10. From the Priority Cost list, select the VRRP router’s priority cost for becoming the master default router. The router with the highest priority within the group becomes the master. Range: 1 through 254 Copyright © 2010, Juniper Networks, Inc.
Page 265 Click Add new entry next to input-list. b. In the New input-list window, enter the filter names. Up to 16 filters can be included in a filter input list. Copyright © 2010, Juniper Networks, Inc.
Page 266 In the Comment box, enter the comment. traffic to be sampled. 2. Select the Input check box to configure at least one expected ingress point. 3. Select the Output check box to configure at least one expected egress point. Copyright © 2010, Juniper Networks, Inc.
Page 267: Configuring Protocol Family (Iso) Information For The Logical Interface (Nsm
Click the Device Tree tab, and then double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Interfaces. Select Interface. Add or modify settings as specified in Table 118 on page 232. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 268: Configuring Protocol Family (Mpls) Information For The Logical Interface (Nsm
Click the Device Tree tab, and then double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Interfaces. Select Interface. Add or modify settings as specified in Table 119 on page 233. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 269: Table 119: Mpls Family Configuration Details
3. In the Input box, enter the name of one policer to evaluate when packets are received on the interface. 4. In the Output box, enter the name of one policer to evaluate when packets are transmitted on the interface. Copyright © 2010, Juniper Networks, Inc.
Page 270: Configuring Protocol Family (Tcc) Information For The Logical Interface (Nsm
When you use an ATM encapsulation on ATM1 and ATM2 IQ interfaces, you can define bandwidth utilization, which consists of either a constant rate or a peak cell rate, with sustained cell rate and burst tolerance. To configure traffic shaping profile in NSM: Copyright © 2010, Juniper Networks, Inc.
Page 271: Table 121: Traffic Shaping Configuration Details
In the Comment box, enter the comment. b. In the Peak box, enter the peak rate. c. In the Sustained box, enter the sustained rate. d. In the Burst box, enter the burst length. Copyright © 2010, Juniper Networks, Inc.
Page 272: Configuring Interface Set On The Routing Platform (Nsm Procedure)
11. From the Name list, select the outer VLAN ID. 12. In the Comment box, enter the comment. Related Configuring Interfaces on the Routing Platform (NSM Procedure) on page 209 Documentation Configuring Trace Options on the Routing Platform (NSM Procedure) on page 237 Copyright © 2010, Juniper Networks, Inc.
Page 273: Configuring Trace Options On The Routing Platform (Nsm Procedure)
Select kernel-detail to log details of configuration messages to kernel. Select config-states to log the configuration state machine changes. 3. Enter the comment for the flag. 4. Select the Disable check box to disable the tracing operation. Copyright © 2010, Juniper Networks, Inc.
Page 274 M-series and MX-series Devices Related Configuring Interfaces on the Routing Platform (NSM Procedure) on page 209 Documentation Configuring Interface set on the Routing Platform (NSM Procedure) on page 236 Copyright © 2010, Juniper Networks, Inc.
Page 275: Configuring Multicast Snooping Options
In the Devices list, double click the device to select it. In the Configuration tab, expand Multicast Snooping Options. Add or modify the settings as specified in Table 124 on page 240. Click one: OK—To save the changes. Cancel—To cancel the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 276: Table 124: Multicast Snooping Options Configuration Details
7. From the Mark list, select the time interval in seconds to mark the trace file. Range : -2147483647 seconds to 2147483647 Seconds Default : 0 8. Expand Syslog. 9. Click Level next to Syslog. 10. Select the Level of severity to be logged. Copyright © 2010, Juniper Networks, Inc.
Page 277 12. Click Add new entry next to flag. 13. From the Name list, select a tracing operation to perform. 14. In the Comment box, enter the comments. Related Configuring Interfaces on the Routing Platform (NSM Procedure) on page 209 Documentation Copyright © 2010, Juniper Networks, Inc.
Page 279: Configuring Policy Options
Devices Click the tab. Configuration In the configuration tree, expand Policy Options Select As Path Add or modify the parameters as specified in Table 125 on page 244. Click one: OK—To save the changes. Copyright © 2010, Juniper Networks, Inc.
Page 280: Configuring An As Path Group In A Bgp Routing Policy (Nsm Procedure)
Select As Path Group. Add or modify the parameters as specified in Table 126 on page 245. Click one: OK—To save the changes. Cancel—To cancel the modifications. Apply — To apply the protocol settings. Copyright © 2010, Juniper Networks, Inc.
Page 281: Configuring A Community For Use In Bgp Routing Policy Conditions
In the configuration tree, expand Policy Options. Select Community. Add or modify the parameters as specified in Table 127 on page 246. Click one: OK—To save the changes. Cancel—To cancel the modifications. Apply — To apply the protocol settings. Copyright © 2010, Juniper Networks, Inc.
Page 282: Configuring A Bgp Export Policy Condition (Nsm Procedure)
In the configuration tree, expand Policy Options. Select Condition. Add or modify the parameters as specified in Table 128 on page 247. Click one: OK—To save the changes. Cancel—To cancel the modifications. Apply — To apply the protocol settings. Copyright © 2010, Juniper Networks, Inc.
Page 283: Configuring Flap Damping To Reduce The Number Of Bgp Update Messages(Nsm Procedure)
To configure damping for a BGP routing policy in NSM: In the navigation tree, select Device Manager > Devices. In the Devices list, double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Policy Options. Select Damping. Copyright © 2010, Juniper Networks, Inc.
Page 284: Table 129: Damping Configuration Details
Max Suppress Indicates the maximum time in minutes Enter the time limit or select it from that a route can be suppressed no the list. matter how unstable it has been. 2. Click OK. Copyright © 2010, Juniper Networks, Inc.
Page 285: Configuring A Routing Policy Statement (Nsm Procedure)
2. Select policy-statement 3. Specify the name. Comment Specifies the comment for the policy Click the New button or select a statement. policy statement and click Edit button. 2. Select policy-statement 3. Specify the comment. Copyright © 2010, Juniper Networks, Inc.
Page 286: Configuring Prefix List (Nsm Procedure)
This feature enables you to create a named prefix list and include it in a routing policy. To configure prefix list in NSM: Copyright © 2010, Juniper Networks, Inc.
Page 287: Table 131: Configuring Prefix List Fields
Prefix List Item Specifies the prefix list item. Click the New button or select a prefix list and click Edit button. 2. Expand prefix-list tree and select Prefix List Item. 3. Specify the name and comment. Copyright © 2010, Juniper Networks, Inc.
Page 289: Configuring Protocols
In asynchronous mode, both endpoints periodically send Hello packets to each other. If a number of those packets are not received, the session is considered down. In demand mode, no Hello packets are Copyright © 2010, Juniper Networks, Inc.
Page 290: Configuring Bgp (Nsm Procedure)
The primary function of a BGP speaking system is to exchange network reachability information with other BGP systems. This feature enables you to configure BGP peering sessions. To configure BGP in NSM: Copyright © 2010, Juniper Networks, Inc.
Page 291: Table 133: Bgp Configuration Fields
Enables you to specify the metric value Expand the tree. Protocol to add to the routes transmitted to the 2. Select and select tab. Metric Out neighbor. 3. Set up the metric value and minimum IGP. Copyright © 2010, Juniper Networks, Inc.
Page 292 Expand the Protocol tree. different local autonomous session (AS) 2. Select and select tab. Local As number for each BGP session 3. Enter the comment, as number, loop and specify whether it is private. Copyright © 2010, Juniper Networks, Inc.
Page 293: Configuring The Ilmi Protocol (Nsm Procedure)
Your Action Define tracing options. In the Comment box, enter the comment for the traceoptions. 2. Select the No Remote Trace check box to disable remote tracing globally or for a specific tracing operation. Copyright © 2010, Juniper Networks, Inc.
Page 294: Configuring Layer 2 Address Learning And Forwarding Properties
In the NSM navigation tree, select Device Manager > Devices. Click the Device Tree tab, and then double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Protocols > L2 Learning. Copyright © 2010, Juniper Networks, Inc.
Page 295: Configuring Layer 2 Circuit (Nsm Procedure)
You can configure a virtual circuit entirely on the local router, terminating the circuit on a local interface. Possible uses for this feature include being able to enable switching between frame relay Data-Link Connection Identifier (DLCI)s. To configure local interface switching in NSM: Copyright © 2010, Juniper Networks, Inc.
Page 296: Configuring The Neighbor Interface For The Layer 2 Circuit
(transporting the Layer 2 circuit). To configure a neighbor interface in NSM: In the NSM navigation tree, select Device Manager > Devices. Click the Device Tree tab, and then double-click the device to select it. Copyright © 2010, Juniper Networks, Inc.
Page 297: Table 137: Neighbor Interface Configuration Details
PE router. 15. From the Switchover Delay list, select the time to wait before switching to the backup pseudowire after the primary pseudowire fails. Range: 0 through 180,000 milliseconds Default: 10,000 milliseconds Copyright © 2010, Juniper Networks, Inc.
Page 298 Range: 1000000 through 1048575 6. From the Outgoing Label list, select the outgoing label for the static pseudowire. Range: 299776 through 1048575 7. Select the Send Oam check box to send oam. Copyright © 2010, Juniper Networks, Inc.
Page 299: Tracing Layer 2 Circuit Creation And Changes (Nsm Procedure)
4. In the Comment box, enter the comment for the flag. 5. Select the modifier for the tracing flag. Select one the following check boxes. Send—Packets being transmitted Receive—Packets being received Detail—Detailed trace information Disable—Disable tracing Copyright © 2010, Juniper Networks, Inc.
Page 300: Configuring Layer 2 Protocol Tunneling And Bpdu Protection
4. Click Interface next to Bpdu Block. 5. Click Add new entry next to Interface. 6. In the Name box, enter the interface name. 7. In the Comment box, enter the comment. Copyright © 2010, Juniper Networks, Inc.
Page 301 12. Select the Disable check box to disable the tracing operation. Related Configuring Link Management Protocol (NSM Procedure) on page 277 Documentation Configuring Layer 2 Address Learning and Forwarding Properties (NSM Procedure) on page 258 Copyright © 2010, Juniper Networks, Inc.
Page 302: Configuring Label Distribution Protocol (Nsm Procedure)
In the Configuration tab, expand Protocols > LDP. Add or modify the settings as specified in Table 140 on page 267. Click one: OK — To save the changes Cancel — To cancel the modifications Copyright © 2010, Juniper Networks, Inc.
Page 303: Table 140: Ldp Configuration Details
Members list. 5. Click Add All to add all the Non members to the Members list. 6. Click Remove All to remove all the members from the Members list. Copyright © 2010, Juniper Networks, Inc.
Page 304 3. Click Remove after selecting a policy from the Members list to remove it from the Members list. 4. Click Add All to add all the Non-members to the Members list. 5. Click Remove All to remove all the members from the Members list. Copyright © 2010, Juniper Networks, Inc.
Page 305 Click Log Updown next to LDP. 2. In the Comment box, enter the comment. 3. Click Trap next to Log Updown. 4. In the Comment box, enter the comment. 5. Select the Disable check box to disable LDP traps. Copyright © 2010, Juniper Networks, Inc.
Page 307 13. Click Detection Time next to Bfd Liveness Detection. 14. In the Comment box, enter the comment. 15. From the Threshold list, select the time the BFD session must remain up before state change notification is sent. Range: 1 through 4294967295 Copyright © 2010, Juniper Networks, Inc.
Page 308 6. From the Minimum Interval list, select the minimum transmit and receive interval. Range: 1 through 255,000 7. From the Threshold list, select the time the BFD session must remain up before state change notification is sent. Range: 1 through 4294967295 Copyright © 2010, Juniper Networks, Inc.
Page 309 15. From the Fanout list, select the maximum number of next hops to search per node. Range: 1 through 16 16. Select Disable check box to disable tracing for a specific FEC. Range: 1 through 16 Copyright © 2010, Juniper Networks, Inc.
Page 310 9. From the Exp list, select the class of service to use when sending probes. Range: 0 through 7 10. From the Fanout list, select the maximum number of next hops to search per node. Range: 1 through 16 Copyright © 2010, Juniper Networks, Inc.
Page 311 2. In the Comment box, enter the comment. 3. From the Hello Interval list, select the hello interval in seconds. Range: 1 through 65535 4. From the Hold Time list, select the hold time interval in seconds. Range: 1 through 65535 Copyright © 2010, Juniper Networks, Inc.
Page 312 9. From the Files list, select the maximum number of trace files. Range: 2 through 1000 10. Select one of the following: world-readable—To enable unrestricted file access. no-world-readable—To restrict file access to owner. This is the default setting. Copyright © 2010, Juniper Networks, Inc.
Page 313: Configuring Link Management Protocol (Nsm Procedure)
In the Devices list, double-click the device to select it. In the Configuration tab, expand Protocols > Link Management. Add or modify the settings as specified in Table 141 on page 278. Click one: OK—To save the changes. Cancel—To cancel the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 314: Table 141: Link Management Protocol Configuration Details
5. In the Address box, enter the ID of the peer. 6. Expand Peer. 7. Click Control Channel next to Peer. 8. Click Add new entry next to Control Channel. 9. In the dialog box, enter the name of the control channel interface. Copyright © 2010, Juniper Networks, Inc.
Page 315 LMP control channels. 13. Click Te-Link next to peer. 14. Click Add new entry next to Te-Link. 15. In the dialog box, enter the name of the te-link to be associated with this peer. Copyright © 2010, Juniper Networks, Inc.
Page 316 11. Click Add new entry next to flag. 12. From the Name list, select a tracing operation to perform. 13. In the Comment box, enter the comment. Related Configuring the ILMI Protocol (NSM Procedure) on page 257 Documentation Copyright © 2010, Juniper Networks, Inc.
Page 317: Configuring Mpls Protocol (Nsm Procedure)
Click the Device Tree tab, and then double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Protocols. Select Mpls. Add or modify settings as specified in Table 142 on page 282. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 318: Table 142: Mpls Configuration Details
12. From the Revert Timer list, select the amount of time (in seconds) that an LSP must wait before traffic reverts to a primary path. Range: 0 through 65,535 seconds Default: 60 seconds Copyright © 2010, Juniper Networks, Inc.
Page 319 LSP should not record the routes in the path. 24. Select the standby check box to have the path remain up at all times to provide instant switchover if connectivity problems occur. Copyright © 2010, Juniper Networks, Inc.
Page 320: Configuring Administrative Group (Nsm Procedure)
To configure administrative groups in NSM: In the NSM navigation tree, select Device Manager > Devices. Click the Device Tree tab, and then double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Protocols. Copyright © 2010, Juniper Networks, Inc.
Page 321: Configuring Bandwidth For The Reroute Path (Nsm Procedure)
Click the Device Tree tab, and then double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Protocols. Select Mpls. Add or modify settings as specified in Table 145 on page 286. Click one: Copyright © 2010, Juniper Networks, Inc.
Page 322: Configuring Diffserv-Aware Traffic Engineering (Nsm Procedure)
Click the Device Tree tab, and then double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Protocols. Select Mpls. Add or modify settings as specified in Table 146 on page 287. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 323: Configuring Mpls On Interfaces (Nsm Procedure)
Click the Device Tree tab, and then double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Protocols. Select Mpls. Add or modify settings as specified in Table 147 on page 288. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 324: Table 147: Interface Configuration Details
IP address of the next hop to the destination. a. Enter the IP address of the next-hop router. reject—to reject the packet. discard—to discard the packet. Copyright © 2010, Juniper Networks, Inc.
Page 325: Configure A Label Switched Path (Lsp) To Use In Dynamic Mpls
Click the Configuration tab. In the configuration tree, expand Protocols. Select Label Switched Path. Add or modify settings as specified in Table 148 on page 290. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 326: Table 148: Lsp Configuration Details
Range: 2 through 255 (for an LSP); 0 through 255 (for fast reroute) Default: 255 (for an LSP); 6 (for fast reroute) 16. Select the No Cspf check box to disable constrained-path LSP computation. Copyright © 2010, Juniper Networks, Inc.
Page 327 27. Select the Adaptive check box for RSVP to use shared explicit (SE) reservation styles and assists in smooth transition during rerouting. 28. Select the Associate backup Pe Groups check box to enable an LSP to monitor the status of its destination PE router. Copyright © 2010, Juniper Networks, Inc.
Page 328: Configuring Administrative Group (Nsm Procedure)
You can configure an LSP with minimal bandwidth, and this feature can dynamically adjust the LSP’s bandwidth allocation based on current traffic patterns. To configure automatic bandwidth allocation in NSM: Copyright © 2010, Juniper Networks, Inc.
Page 329: Configuring Bandwidth For The Reroute Path (Nsm Procedure)
In the NSM navigation tree, select Device Manager > Devices. Click the Device Tree tab, and then double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Protocols > Mpls. Select Label Switched Path. Copyright © 2010, Juniper Networks, Inc.
Page 330: Configuring Fast Reroute (Nsm Procedure)
4. From the Hop Limit list, select the maximum number of hops. Range: 2 through 255 (for an LSP); 0 through 255 (for fast reroute) Default: 255 (for an LSP); 6 (for fast reroute) Copyright © 2010, Juniper Networks, Inc.
Page 331: Adding Lsp-Related Routes To The Inet.3 Routing Table (Nsm Procedure)
In the NSM navigation tree, select Device Manager > Devices. Click the Device Tree tab, and then double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Protocols > Mpls. Select Label Switched Path. Copyright © 2010, Juniper Networks, Inc.
Page 332: Configuring Mpls Lsps For Gmpls (Nsm Procedure)
Click the Configuration tab. In the configuration tree, expand Protocols > Mpls. Select Label Switched Path. Add or modify settings as specified in Table 154 on page 297. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 333: Configuring Bfd For Mpls Ipv4 Lsps (Nsm Procedure)
In the NSM navigation tree, select Device Manager > Devices. Click the Device Tree tab, and then double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Protocols > Mpls. Select Label Switched Path. Copyright © 2010, Juniper Networks, Inc.
Page 334: Table 155: Oam Configuration Details
LSP, an attempt is made to signal a new LSP path before tearing down the old LSP path. a. In the Comment box, enter the comment. b. From the Teardown Timeout list, select the time in seconds. Copyright © 2010, Juniper Networks, Inc.
Page 335: Configuring The Primary Point-To-Multipoint Lsp (Nsm Procedure)
Click the Device Tree tab, and then double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Protocols > Mpls. Select Label Switched Path. Add or modify settings as specified in Table 156 on page 300. Click one: Copyright © 2010, Juniper Networks, Inc.
Page 336: Configuring Policers For Lsps (Nsm Procedure)
3. In the Comment box, enter the comment. 4. From the Filter list, select the name of the policing filter. 5. Select the No Auto Policing check box to disable automatic policing on this LSP. Copyright © 2010, Juniper Networks, Inc.
Page 337: Configuring Primary Paths For An Lsp (Nsm Procedure)
8. From the Hop Limit list, select the maximum number of hops. Range: 2 through 255 (for an LSP); 0 through 255 (for fast reroute) 9. Select the No Cspf check box to disable constrained-path LSP computation. Copyright © 2010, Juniper Networks, Inc.
Page 338 In the NSM navigation tree, select Device Manager > Devices. Click the Device Tree tab, and then double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Protocols > Mpls. Copyright © 2010, Juniper Networks, Inc.
Page 339: Table 159: Administrative Group Configuration Details
Click the Configuration tab. In the configuration tree, expand Protocols > Mpls. Select Label Switched Path. Add or modify settings as specified in Table 160 on page 304. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 340: Table 160: Bandwidth Configuration Details
3. Click Add new entry next to Primary. 4. Click Oam next to primary. 5. In the Comment box, enter the comment. 6. From the Lsp Ping Interval list, select the duration of the LSP ping interval in seconds. Copyright © 2010, Juniper Networks, Inc.
Page 341 BFD session. Range: 1 through 255,000 milliseconds 4. From the Threshold list, select the threshold for detecting the adaptation of the transmit interval. Range: 0 through 4,294,967,295 milliseconds Copyright © 2010, Juniper Networks, Inc.
Page 342: Configuring Secondary Paths For An Lsp (Nsm Procedure)
In the NSM navigation tree, select Device Manager > Devices. Click the Device Tree tab, and then double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Protocols > Mpls. Select Label Switched Path. Copyright © 2010, Juniper Networks, Inc.
Page 343: Table 162: Secondary Paths Configuration Details
Range: 2 through 255 (for an LSP); 0 through 255 (for fast reroute) Default: 255 (for an LSP); 6 (for fast reroute) 9. Select the No Cspf check box to disable constrained-path LSP computation. Copyright © 2010, Juniper Networks, Inc.
Page 344 In the NSM navigation tree, select Device Manager > Devices. Click the Device Tree tab, and then double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Protocols > Mpls. Copyright © 2010, Juniper Networks, Inc.
Page 345: Table 163: Administrative Group Configuration Details
Click the Configuration tab. In the configuration tree, expand Protocols > Mpls. Select Label Switched Path. Add or modify settings as specified in Table 164 on page 310. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 346: Table 164: Bandwidth Configuration Details
3. Click Add new entry next to Secondary. 4. Click Oam next to secondary. 5. In the Comment box, enter the comment. 6. From the Lsp Ping Interval list, select the duration of the LSP ping interval in seconds. Copyright © 2010, Juniper Networks, Inc.
Page 348 Click the Configuration tab. In the configuration tree, expand Protocols > Mpls. Select Label Switched Path. Add or modify settings as specified in Table 166 on page 313. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 349: Table 166: Egress Router Address Configuration Details
(KB), megabytes (MB), or gigabytes (GB). 8. From the Files list, select the maximum number of trace files. Range: 2 through 1000 9. Select one of the following: world-readable—To enable unrestricted file access. no-world-readable—To restrict file access to owner. Copyright © 2010, Juniper Networks, Inc.
Page 350: Procedure)
4. Select the Trap Path Down check box to generate SNMP traps whenever an LSP path goes down. 5. Select the Trap Path Up check box to generate SNMP traps whenever an LSP path goes up. Copyright © 2010, Juniper Networks, Inc.
Page 351: Configuring Bfd For Mpls Ipv4 Lsps (Nsm Procedure)
Enable OAM for Click Oam next to Mpls. RSVP-signaled LSPs. 2. In the Comment box, enter the comment. 3. From the Lsp Ping Interval list, select the duration of the LSP ping interval in seconds. Copyright © 2010, Juniper Networks, Inc.
Page 352 BFD session. Range: 1 to 255,000 milliseconds 4. From the Threshold list, select the threshold for detecting the adaptation of the transmit interval. Range: 0 to 4,294,967,295 Copyright © 2010, Juniper Networks, Inc.
Page 353: Configuring Named Paths (Nsm Procedure)
Click the Device Tree tab, and then double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Protocols. Select Mpls. Add or modify settings as specified in Table 170 on page 318. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 354: Configuring Mtu Signaling In Rsvps (Nsm Procedure)
2. Select the Enable Feature check box to enable the option. packet fragmentation and 3. In the Comment box, enter the comment. MTU signaling. 4. Select the Allow Fragmentation check box to allow IP packets to be fragmented before they are encapsulated in MPLS. Copyright © 2010, Juniper Networks, Inc.
Page 355: Configuring Static Lsps On The Ingress Router (Nsm Procedure)
3. In the Name box, enter the name of the routing table. 4. In the Comment box, enter the comment. 5. In the Next Hop box, enter the IP address of the next hop to the destination. Copyright © 2010, Juniper Networks, Inc.
Page 356: Configuring Mpls Statistics (Nsm Procedure)
Click the Device Tree tab, and then double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Protocols. Select Mpls. Add or modify settings as specified in Table 173 on page 321. Click one: Copyright © 2010, Juniper Networks, Inc.
Page 357: Tracing Mpls Packets And Operations (Nsm Procedure)
Click the Device Tree tab, and then double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Protocols. Select Mpls. Add or modify settings as specified in Table 174 on page 322. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 358: Configuring Msdp Protocol (Nsm Procedure)
You can enable multicast source discovery protocol (MSDP) on the router using the MSDP option. To enable MSDP on the router in NSM: In the NSM navigation tree, select Device Manager > Devices. Click the Device Tree tab, and then double-click the device to select it. Copyright © 2010, Juniper Networks, Inc.
Page 359: Configuring The Msdp Active Source Limit (Nsm Procedure)
Click the Device Tree tab, and then double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Protocols. Select Msdp. Add or modify settings as specified in Table 176 on page 324. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 360: Configuring Export Policy (Nsm Procedure)
Click Remove after selecting a policy from the Members list to remove it from the Members list. Click Add All to add all the Non members to the Members list. Click Remove All to remove all the members from the Members list. Copyright © 2010, Juniper Networks, Inc.
Page 361: Configuring Msdp Peer Group
Click Remove after selecting a policy from the Members list to remove it from the Members list. Click Add All to add all the Non members to the Members list. Click Remove All to remove all the members from the Members list. Copyright © 2010, Juniper Networks, Inc.
Page 362: Configuring Msdp Peers (Nsm Procedure)
Click the Device Tree tab, and then double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Protocols. Select Msdp. Add or modify settings as specified in Table 179 on page 327. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 363: Table 179: Msdp Peer Configuration Details
Click Remove after selecting a policy from the Members list to remove it from the Members list. Click Add All to add all the Non members to the Members list. Click Remove All to remove all the members from the Members list. Copyright © 2010, Juniper Networks, Inc.
Page 364: Configuring A Routing Table Group With Msdp (Nsm Procedure)
Associate a routing table Click Rib Group next to Msdp. group with MSDP. 2. In the Comment box, enter the comment. 3. In the Ribgroup Name box, enter the name of the routing table group. Copyright © 2010, Juniper Networks, Inc.
Page 365: Configuring Per-Source Active Source Limit (Nsm Procedure)
You can configure the MSDP traceoption using the Traceoption option. To configure traceoptions in NSM: In the NSM navigation tree, select Device Manager > Devices. Click the Device Tree tab, and then double-click the device to select it. Copyright © 2010, Juniper Networks, Inc.
Page 366: Configuring Mstp (Nsm Procedure)
In the navigation tree, select Device Manager > Devices. In Device Manager, select the device for which you want to configure a port mirror analyzer. In the Configuration tree, expand Protocols > MSTP. Add/modify MSTP settings as specified in Table 183 on page 331. Copyright © 2010, Juniper Networks, Inc.
Page 367: Table 183: Mstp Configuration Fields
Bridge Priority Specifies the bridge priority. Enter a value. Bpdu Block on Edge Specifies whether Bpdu blocks must be Select to enable the feature. processed. Copyright © 2010, Juniper Networks, Inc.
Page 368: Configuring Ospf (Nsm Procedure)
Click the tab. Configuration In the configuration tree, expand Protocols and select OSPF Add/Modify the parameters under the respective tabs as specified in Table 184 on page 333. Click one: OK—To save the changes. Copyright © 2010, Juniper Networks, Inc.
Page 369: Table 184: Ospf Configuration Fields
You can update multiple devices at one time. See Updating Devices for more information. Table 184: OSPF Configuration Fields Option Function Your Action OSPF Copyright © 2010, Juniper Networks, Inc.
Page 370 Specify whether NSSA ABR has to be configured. To enable NSSA ABR, clear the check box. To disable NSSA ABR, select the check the check box. Area Enables you to set up the area details for OSPF. Copyright © 2010, Juniper Networks, Inc.
Page 372: Configuring Rip (Nsm Procedure)
NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See Updating Devices for more information. Copyright © 2010, Juniper Networks, Inc.
Page 373: Table 185: Rip Configuration Fields
Import 2. Specify the import policies. Receive Enables you to configure RIP receive Expand the tree and select options. Receive 2. Specify the receive options. Copyright © 2010, Juniper Networks, Inc.
Page 374: Configuring Ripng Protocol (Nsm Procedure)
Click the Device Tree tab, and then double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Protocols. Select Ripng. Add or modify settings as specified in Table 186 on page 339. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 375: Configuring Graceful Restart For Ripng (Nsm Procedure)
4. Select the Disable check box to disable the graceful restart. 5. From the Restart Time list, select the estimated time period for the restart to finish. Range: 1 through 600 seconds Default: 60 seconds Copyright © 2010, Juniper Networks, Inc.
Page 376: Configuring Group
7. From the Preference list, select the preference value. A lower value indicates a more preferred route. Range: 0 through 4,294,967,295 (2 – 1) Default: 100 8. From the Metric Out list, select the metric value. Range: 1 through 15 Default: 1 Copyright © 2010, Juniper Networks, Inc.
Page 377: Applying Policies To Routes Exported By Ripng (Nsm Procedure)
Click the Device Tree tab, and then double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Protocols. Select Ripng. Add or modify settings as specified in Table 189 on page 342. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 378: Applying Policies To Routes Imported By Ripng (Nsm Procedure)
Click Remove after selecting a policy from the Members list to remove it from the Members list. Click Add All to add all the Non members to the Members list. Click Remove All to remove all the members from the Members list. Copyright © 2010, Juniper Networks, Inc.
Page 379: Configuring Ripng Neighbor Properties
To configure neighbor specific parameters for RIPng in NSM: In the NSM navigation tree, select Device Manager > Devices. Click the Device Tree tab, and then double-click the device to select it. Copyright © 2010, Juniper Networks, Inc.
Page 380: Table 192: Import Policy Configuration Details
Task Your Action Enable or disable the Click Receive next to Neighbor. receiving update messages. 2. In the Comment box, enter the comment. 3. Select the None check box to disable receiving update messages. Copyright © 2010, Juniper Networks, Inc.
Page 381: Enable Or Disable Receiving Of Update Messages (Nsm Procedure)
Click the Device Tree tab, and then double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Protocols. Select Ripng. Add or modify settings as specified in Table 195 on page 346. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 382: Configuring Ripng Send Update Messages (Nsm Procedure)
Click the Device Tree tab, and then double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Protocols. Select Ripng. Add or modify settings as specified in Table 197 on page 347. Click one: OK—Saves the changes. Copyright © 2010, Juniper Networks, Inc.
Page 383: Configuring Router Advertisement (Nsm Procedure)
Click the Device Tree tab, and then double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Protocols. Select Router Advertisement. Add or modify settings as specified in Table 198 on page 348. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 384: Table 198: Router Advertisement Configuration Details
12. From the Current Hop Limit list, select the hop limit. Range: 0 through 255 Default: 6 13. From the Default Lifetime list, select the default lifetime. Range: Maximum advertisement interval value through 9000 seconds Default: Three times the maximum advertisement interval value Copyright © 2010, Juniper Networks, Inc.
Page 385: Configuring Icmp Router Discovery (Nsm Procedure)
12. In the Comment box, enter the comment for the flag. Configuring ICMP Router Discovery (NSM Procedure) To configure a router as a server for Internet Control Message Protocol (ICMP) router discovery, use the Router Discovery option. To configure router discovery in NSM: Copyright © 2010, Juniper Networks, Inc.
Page 386: Table 199: Router Discovery Configuration Details
9. From the Priority list, select the preference of the addresses for becoming the default router. Range: 0 through 0x80000000 Default: 0 (This address has the least chance of becoming the default router.) Copyright © 2010, Juniper Networks, Inc.
Page 387: Configuring Rsvp (Nsm Procedure)
Click the Device Tree tab, and then double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Protocols. Select RSVP. Add or modify settings as specified in Table 200 on page 352. Click one: Copyright © 2010, Juniper Networks, Inc.
Page 388: Table 200: Rsvp Configuration Details
6. From the Maximum Helper Recovery Time list, select the maximum length of time the router stores the state of neighboring routers when they undergo a graceful restart. Range: 1 through 3600 seconds Default: 0 (disabled) Copyright © 2010, Juniper Networks, Inc.
Page 389 10. In the Bandwidth box, enter the bandwidth in bits per second. 11. From the Update Threshold list, select the percentage change in bandwidth to trigger an Interior Gateway Protocol (IGP) update. Range: 1 through 60 seconds Default: 9 seconds Copyright © 2010, Juniper Networks, Inc.
Page 390 11. From the Reservation Priority list, select the reservation priority. Range: 0 through 7, where 0 is the highest and 7 is the lowest priority. Default: 0 (Once the session is set up, no other session can preempt it.) Copyright © 2010, Juniper Networks, Inc.
Page 391 19. Select one of the following: loose—If the LSP can traverse other routers before reaching this router. strict—If the LSP must go to the next address specified in the path statement without traversing other nodes. Copyright © 2010, Juniper Networks, Inc.
Page 392 9. From the Hello Interval list, select the length of time between hello packets. A value of 0 disables the sending of hello packets on the interface. Range: 1 through 60 seconds Default: 9 seconds Copyright © 2010, Juniper Networks, Inc.
Page 393 RSVP traffic. Range: 0 to 8 devices Related Configuring the ILMI Protocol (NSM Procedure) on page 257 Documentation Configuring Link Management Protocol (NSM Procedure) on page 277 Copyright © 2010, Juniper Networks, Inc.
Page 394: Configuring Vrrp (Nsm Procedure)
You can update multiple devices at one time. See Updating Devices for more information. Table 201: VRRP Configuration Fields Field Function Your Action VRRP Comment Specifies comment for VRRP. Expand the tree and select Protocol VRRP 2. Enter the comment. Copyright © 2010, Juniper Networks, Inc.
Page 395: Configuring Vstp (Nsm Procedure)
NOTE: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See Updating Devices for more information. Copyright © 2010, Juniper Networks, Inc.
Page 396: Table 202: Vstp Configuration Fields
Traceoptions Enables you to configure VSTP level Expand the tree. Protocol tracing options. 2. Select and expand the tree. VSTP 3. Select Traceoptions 4. Set up the file and flag parameters. Copyright © 2010, Juniper Networks, Inc.
Page 397: Configuring Routing Options
Configuring Routing Table Groups (NSM Procedure) on page 383 Configuring Source Routing (NSM Procedure) on page 384 Configuring Static Routes (NSM Procedure) on page 385 Configuring Topologies (NSM Procedure) on page 387 Configuring Traceoptions (NSM Procedure) on page 387 Copyright © 2010, Juniper Networks, Inc.
Page 398: Configuring Confederation (Nsm Procedure)
Table 203: Confederation Fields Option Function Your Action Comment Specifies the comment for the Enter a comment. confederation. Confederation As Specifies the confederation AS number. Enter a number from 1 through 65535. Copyright © 2010, Juniper Networks, Inc.
Page 399: Configuring Dynamic Tunnels (Nsm Procedure)
8. Click Destination Networks next to dynamic-tunnel. 9. Click Add new entry next to Destination Networks. 10. In the Name box, enter the prefix name. 11. In the Comment box, enter the comment. Copyright © 2010, Juniper Networks, Inc.
Page 400: Configuring Fate Sharing (Nsm Procedure)
All objects are treated as /32 host addresses. You can specify one or more objects within a group. The objects can be LAN interfaces, device IDs, or point-to-point links. To configure fate sharing in NSM: Copyright © 2010, Juniper Networks, Inc.
Page 401: Table 205: Fate Sharing Fields
Specifies the comment for the fate Expand the tree and Fate Sharing sharing group. select Group 2. Click the New button or select a group and click the Edit button. 3. Enter the comment. Copyright © 2010, Juniper Networks, Inc.
Page 402: Configuring Flow Route (Nsm Procedure)
In the configuration tree, expand Routing Options Select Flow Add or modify the parameters as specified in Table 206 on page 367. Click one: OK—To save the changes. Cancel—To cancel the modifications. Apply—To apply the routing option settings. Copyright © 2010, Juniper Networks, Inc.
Page 403: Table 206: Flow Route Fields
Enables you to specify the action to take Expand the tree and select Route if the packet matches the conditions you Then have configured in the flow route. 2. Configure the then conditions for the packet. Copyright © 2010, Juniper Networks, Inc.
Page 404: Configuring Forwarding Table (Nsm Procedure)
You can update multiple devices at one time. See the Updating Devices section in the Network and Security Manager Administration Guide for more information. Copyright © 2010, Juniper Networks, Inc.
Page 405: Configuring Generated Routes (Nsm Procedure)
. By default, when generated routes are installed in 128.96.0.0/13 the routing table, the next hop device selects from the primary contributing route. To configure generated routes in NSM: Copyright © 2010, Juniper Networks, Inc.
Page 406: Configuring Instance Export (Nsm Procedure)
IGP export policy. However, no policy controls the export process itself. You can configure the instance export policy to control the export process. The policy model supports both interinstance route export and IGP export. To configure an instance export policy in NSM: Copyright © 2010, Juniper Networks, Inc.
Page 407: Configuring Instance Import (Nsm Procedure)
Instance Import are imported to a routing instance. Click one: OK—To save the changes. Cancel—To cancel the modifications. Apply—To apply the routing option settings. Copyright © 2010, Juniper Networks, Inc.
Page 408: Configuring Interface Routes (Nsm Procedure)
You can update multiple devices at one time. See the Updating Devices section in the Network and Security Manager Administration Guide for more information. Table 209: Interface Routes Fields Option Function Your Action Comment Specifies the comment for the interface Enter a comment. route. Copyright © 2010, Juniper Networks, Inc.
Page 409: Configuring Martian Addresses (Nsm Procedure)
You can update multiple devices at one time. See the Updating Devices section in the Network and Security Manager Administration Guide for more information. Copyright © 2010, Juniper Networks, Inc.
Page 410: Configuring Maximum Paths (Nsm Procedure)
To configure a maximum paths limit in NSM: In the navigation tree, select Device Manager > Devices In the Devices list, double-click the device to select it. Click the tab. Configuration In the configuration tree, expand Routing Options Select Maximum Paths Copyright © 2010, Juniper Networks, Inc.
Page 411: Configuring Maximum Prefixes (Nsm Procedure)
Configuring Maximum Prefixes (NSM Procedure) You can configure a limit for the number of routes installed in a routing table based upon the number of route prefixes in the table. . To configure maximum prefixes limit in NSM: Copyright © 2010, Juniper Networks, Inc.
Page 413: Configuring Multicast (Nsm Procedure)
2. Click the New button or select a point-to-multipoint (P2MP) group and click the Edit button. label-switched paths (LSPs) are used for multicast distribution. 3. Configure the PE group name, local address, and backup address. Copyright © 2010, Juniper Networks, Inc.
Page 414 A new entry is created as soon as the number of multicast forwarding cache entries falls below the suppression value. You can also specify a timeout value for all multicast forwarding cache entries. Copyright © 2010, Juniper Networks, Inc.
Page 415 To 3. Specify the address range of the SSM deploy SSM successfully, you need an group. end-to-end multicast-enabled network and applications that use an Internet Group Management Protocol version 3 (IGMPv3). Copyright © 2010, Juniper Networks, Inc.
Page 416: Configuring Options (Nsm Procedure)
You can update multiple devices at one time. See the Updating Devices section in the Network and Security Manager Administration Guide for more information. Copyright © 2010, Juniper Networks, Inc.
Page 417: Configuring Routing Tables (Nsm Procedure)
You can update multiple devices at one time. See the Updating Devices section in the Network and Security Manager Administration Guide for more information. Copyright © 2010, Juniper Networks, Inc.
Page 418: Table 215: Rib Fields
Maximum Prefixes Enables you to configure a limit for the Expand the tree and select number of routes installed in a routing Maximum Prefixes table. 2. Set up the and the Maximum Prefixes Threshold Copyright © 2010, Juniper Networks, Inc.
Page 419: Configuring Routing Table Groups (Nsm Procedure)
You can update multiple devices at one time. See the Updating Devices section in the Network and Security Manager Administration Guide for more information. Copyright © 2010, Juniper Networks, Inc.
Page 420: Configuring Source Routing (Nsm Procedure)
IP packet to take on its way to its destination. To configure source routing in NSM: In the navigation tree, select Device Manager > Devices. In the Devices list, double-click the device to select it. Copyright © 2010, Juniper Networks, Inc.
Page 421: Configuring Static Routes (Nsm Procedure)
To configure static routes for a routing table group in NSM: In the navigation tree, select Device Manager > Devices In the Devices list, double-click the device to select it. Copyright © 2010, Juniper Networks, Inc.
Page 422: Table 218: Static Fields
Enables you to configure the individual Expand the tree and select Static static routes options. These options Route apply to the individual destination only 2. Enter the individual route. and override any options configured in section. Defaults Copyright © 2010, Juniper Networks, Inc.
Page 423: Configuring Topologies (Nsm Procedure)
To modify the global tracing operations for an individual protocol, configure the tracing option when configuring that protocol. To configure tracing options for routing protocols in NSM: Copyright © 2010, Juniper Networks, Inc.
Page 424: Table 220: Traceoption Fields
2. Enter the file parameters. Flag Specifies the global routing protocol Expand the tree and Traceoptions tracing options to be performed. You can select File specify more than one option. 2. Enter the flag parameters. Copyright © 2010, Juniper Networks, Inc.
Page 425: Configuring Security
Click the Configuration tab. In the configuration tree, expand Security. Select Authentication Key Chains. Add or modify settings as specified in Table 221 on page 390. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 426: Configuring Certificates (Nsm Procedure)
Comment Supplies a descriptive comment for the (Optional) Enter a comment. certificates. Path Length Specifies the maximum length of the certificate Set the maximum length of the certificate path. path. Range: 0 - 15. Copyright © 2010, Juniper Networks, Inc.
Page 427: Configuring Certification Authority (Nsm Procedure)
Specifies the file from which to read the certificate. Enter the path and the filename. Specifies the file to read the CRL. Enter the path and the CRL filename. Enrollment Url Specifies the enrollment URL. Enter the enrollment URL. Copyright © 2010, Juniper Networks, Inc.
Page 428: Configuring The Local Certificate (Nsm Procedure)
To configure firewall authentication feature: In the NSM navigation tree, select Device Manager > Devices. Click the Device Tree tab, and then double-click the device for which you want to configure the firewall authentication feature. Copyright © 2010, Juniper Networks, Inc.
Page 429: Configuring A Flow (Nsm Procedure)
To configure the flow feature: In the NSM navigation tree, select Device Manager > Devices. Click the Device Tree tab, and then double-click the device for which you want to configure the flow options. Copyright © 2010, Juniper Networks, Inc.
Page 430: Configuring A Bridge (Nsm Procedure)
Click the Configuration tab. In the configuration tree, select Security > Flow > Bridge. Configure the options as specified in Table 227 on page 395. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Apply—Applies the bridge settings. Copyright © 2010, Juniper Networks, Inc.
Page 431: Configuring The Tcp Mss Option (Nsm Procedure)
Function Your Action Comment Supplies a descriptive comment for TCP MSS. (Optional) Enter a comment. Tcp Mss > All Tcp Comment Supplies a descriptive comment for the all TCP (Optional) Enter a comment. options. Copyright © 2010, Juniper Networks, Inc.
Page 432: Configuring The Tcp Session Option (Nsm Procedure)
Click the Configuration tab. In the configuration tree, select Security > Flow > Tcp Session. Configure the options as specified in Table 229 on page 397. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 433: Configuring Traceoptions (Nsm Procedure)
Click the Configuration tab. In the configuration tree, select Security > Flow > Traceoptions. Configure the options as specified in Table 230 on page 398. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Apply—Applies the traceoptions settings. Copyright © 2010, Juniper Networks, Inc.
Page 434: Configuring File Options (Nsm Procedure)
Specifies the maximum number of the trace files. Set the maximum number of the trace files. Range: 2 - 1000. None Specifies that neither the world-readable nor the Select the option. no-world-readable option is enabled. Copyright © 2010, Juniper Networks, Inc.
Page 435: Configuring Flag Options (Nsm Procedure)
Click the Configuration tab. In the configuration tree, select Security > Flow > Traceoptions > Packet Filter. Add or modify settings as specified in Table 233 on page 400. Click one: OK—Saves the changes. Copyright © 2010, Juniper Networks, Inc.
Page 436: Configuring Forwarding Options (Nsm Procedure)
In the configuration tree, select Security > Forwarding Options > Family. Enter a comment in the Family workspace that describes the family. Configure the options as specified in Table 234 on page 401. Click one: OK—Saves the changes. Copyright © 2010, Juniper Networks, Inc.
Page 437: Configuring Ike (Nsm Procedure)
IKE options. Click the Configuration tab. In the configuration tree, select Security > Ike. Enter a comment in the IKE workspace that describes the IKE. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 438: Configuring A Gateway (Nsm Procedure)
Specifies the external interface for the IKE Enter the external interface for the IKE negotiations. negotiations. gateway > Address address Specifies the address of the gateway. Select the option and add or modify the address. Copyright © 2010, Juniper Networks, Inc.
Page 439 Comment Supplies a descriptive comment for the (Optional) Enter a comment. gateway local identity. gateway > Local Identity > Inet None Specifies that inet, hostname, Select the option. user-at-hostname, and distinguished-name are not enabled. Copyright © 2010, Juniper Networks, Inc.
Page 440: Configuring A Policy (Nsm Procedure)
Select the mode from the list. Description Specifies a text description for the IKE policy. Enter a Description. Proposal Set Specifies the type of the default IKE proposal set. Select the proposal set from the list. Copyright © 2010, Juniper Networks, Inc.
Page 441 Select the option and enter the hexadecimal text key. Policy > Proposals Proposals Specifies the members added as proposals. Select the proposals from the nonmembers list. Then click Add to move them to the members list. Copyright © 2010, Juniper Networks, Inc.
Page 442: Configuring A Respond Bad Spi (Nsm Procedure)
Click the Configuration tab. In the configuration tree, select Security > Ike > Traceoptions. Configure the options as specified in Table 238 on page 407. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Apply—Applies the traceoptions settings. Copyright © 2010, Juniper Networks, Inc.
Page 443: Configuring The File Options (Nsm Procedure)
Specifies that neither the world-readable nor the Select the option. no-world-readable option is enabled. world-readable Allows any user to read the log file. (Optional) Select the option. no-world-readable Prevents any user from reading the log file. (Optional) Select the option. Copyright © 2010, Juniper Networks, Inc.
Page 444: Configuring Flag Options (Nsm Procedure)
In the NSM navigation tree, select Device Manager > Devices. Click the Device Tree tab, and then double-click the device for which you want to configure the IPsec feature. Click the Configuration tab. In the configuration tree, select Security > Ipsec. Copyright © 2010, Juniper Networks, Inc.
Page 445: Configuring A Policy (Nsm Procedure)
Specifies the type of default IPsec proposal set. Select the proposal set from the list. policy > Perfect Forward Secrecy Comment Supplies a descriptive comment for the perfect Enter a comment. forward secrecy option. This is optional. Copyright © 2010, Juniper Networks, Inc.
Page 446: Configuring Traceoptions (Nsm Procedure)
In the NSM navigation tree, select Device Manager > Devices. Click the Device Tree tab, and then double-click the device for which you want to configure a VPN. Click the Configuration tab. In the configuration tree, select Security > Ipsec > Vpn. Copyright © 2010, Juniper Networks, Inc.
Page 447: Table 243: Vpn Configuration Details
Enables the ASCII text key. Select the option and enter the ASCII text key. hexadecimal Enables the hexadecimal text key. Select the option and enter the hexadecimal text key. vpn > Manual > manual > Encryption Copyright © 2010, Juniper Networks, Inc.
Page 448 Comment Specifies a descriptive comment for the proxy (Optional) Enter a comment. identity option. Local Specifies the local IP address. Enter the IP address. Remote Specifies the remote IP address. Enter the IP address. Copyright © 2010, Juniper Networks, Inc.
Page 449: Configuring Vpn Monitor Options (Nsm Procedure)
Your Action Comment Supplies a descriptive comment for the for the VPN Enter a comment. monitor options. Interval Specifies (in seconds) the duration of monitoring Set the interval duration. Range: 1 - 3600. interval. Copyright © 2010, Juniper Networks, Inc.
Page 450: Configuring A Pki (Nsm Procedure)
To configure the auto re-enrollment feature: In the NSM navigation tree, select Device Manager > Devices. Click the Device Tree tab, and then double-click the device for which you want to configure the auto re-enrollment feature. Copyright © 2010, Juniper Networks, Inc.
Page 451: Configuring A Ca Profile (Nsm Procedure)
CA profile. Click the Configuration tab. In the configuration tree, select Security > Pki > Ca Profile. Add or modify settings as specified in Table 246 on page 416. Click one: OK—Saves the changes. Copyright © 2010, Juniper Networks, Inc.
Page 452: Table 246: Ca Profile Configuration Details
> Revocation Check > Crl Comment Supplies a descriptive comment for the CRL. (Optional) Enter a comment. Refresh Interval Specifies the CRL refresh interval. Set the CRL refresh interval. Range: 0 through 8784. Copyright © 2010, Juniper Networks, Inc.
Page 453: Configuring Traceoptions (Nsm Procedure)
Configure the options as specified in Table 247 on page 417. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Apply—Applies the traceoptions settings. Table 247: Traceoptions Configuration Details Option Function Your Action Comment Supplies a descriptive comment for the (Optional) Enter a comment. traceoptions. Copyright © 2010, Juniper Networks, Inc.
Page 454: Configuring The File Options (Nsm Procedure)
Allows any user to read the log file. (Optional) Select the option. no-world-readable Prevents any user from reading the log file. (Optional) Select the option. Match Specifies the regular expression for the lines to be logged. Enter the match expression. Copyright © 2010, Juniper Networks, Inc.
Page 455: Configuring Flag Options (Nsm Procedure)
In the NSM navigation tree, select Device Manager > Devices. Click the Device Tree tab, and then double-click the device for which you want to configure the NAT. Click the Configuration tab. In the configuration tree, select Security > Nat. Copyright © 2010, Juniper Networks, Inc.
Page 456: Configuring A Destination (Nsm Procedure)
Supplies a descriptive comment for the destination. (Optional) Enter a comment. Destination > Pool > General Name Specifies the name of the destination pool. Enter a name. Comment Supplies a descriptive comment for the destination (Optional) Enter a comment. pool. Copyright © 2010, Juniper Networks, Inc.
Page 457: Configuring The Destination Nat (Nsm Procedure)
Click the Configuration tab. In the configuration tree, select Security > Nat > Destination Nat. Add or modify settings as specified in Table 251 on page 422. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Apply—Applies the destination NAT settings. Copyright © 2010, Juniper Networks, Inc.
Page 458: Configuring The Interface (Nsm Procedure)
Add or modify the interface settings as specified in Table 252 on page 422. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Apply—Applies the interface parameters. Table 252: Interface Configuration Details Option Function Your Action interface Copyright © 2010, Juniper Networks, Inc.
Page 459 Select the No Port Translation check box to enable this feature. Allow Incoming Allows the pool to support incoming traffic. Select the Allow Incoming check box to enable this feature. interface > Source Nat > > pool > Address Pool Copyright © 2010, Juniper Networks, Inc.
Page 460: Configuring A Proxy Address Resolution Protocol (Nsm Procedure)
Click the Device Tree tab, and then double-click the device for which you want to configure a proxy ARP. Click the Configuration tab. In the configuration tree, select Security > Nat > Proxy Arp. Copyright © 2010, Juniper Networks, Inc.
Page 461: Configuring A Source (Nsm Procedure)
Click the Device Tree tab, and then double-click the device for which you want to configure the source. Click the Configuration tab. In the configuration tree, select Security > Nat > Source. Configure the options as specified in Table 254 on page 426. Click one: OK—Saves the changes. Copyright © 2010, Juniper Networks, Inc.
Page 462: Table 254: Source Configuration Details
Enter the pool name. Comment Supplies a descriptive comment for the pool. This Enter a comment. is optional. Pool > Routing Instances Comment Supplies a descriptive comment for the routing (Optional) Enter a comment. instances. Copyright © 2010, Juniper Networks, Inc.
Page 463 Specifies the upper limit of the port range. Enter the following: Comment—A descriptive comment for the upper limit of the port range. High—Specifies the upper limit of the port range. Range: -2147483648 - 2147483647. Pool > Overflow Pool > General Copyright © 2010, Juniper Networks, Inc.
Page 464: Configuring Traceoptions (Nsm Procedure)
Select the No Remote Trace check box to enable this feature. You can now configure the following options: Configuring the File Options (NSM Procedure) on page 429 Configuring Flag Options (NSM Procedure) on page 429 Copyright © 2010, Juniper Networks, Inc.
Page 465: Configuring The File Options (Nsm Procedure)
Click the Device Tree tab, and then double-click the device for which you want to configure flag options. Click the Configuration tab. In the configuration tree, select Security > Nat > Traceoptions > Flag. Copyright © 2010, Juniper Networks, Inc.
Page 466: Table 257: Flag Configuration Details
Select the Syslog check box to enable this to the system log. feature. Related Configuring IKE (NSM Procedure) on page 401 Documentation Configuring an IPsec (NSM Procedure) on page 408 Configuring a PKI (NSM Procedure) on page 414 Copyright © 2010, Juniper Networks, Inc.
Page 467: Configuring Services
In the Devices list, double-click the device to select it. In the Configuration tab, expand Services. Select Adaptive Services. Add or modify the settings as specified in Table 258 on page 432. Click one: Copyright © 2010, Juniper Networks, Inc.
Page 468: Configuring Border Signaling Gateways (Nsm Procedure)
Configuring Gateway Properties (NSM Procedure) on page 432 Configuring Gateway Properties (NSM Procedure) Configuring Gateway (NSM Procedure) on page 433 Configuring an Admission Controller (NSM Procedure) on page 433 Configuring Session Policy Decision Function (NSM Procedure) on page 434 Copyright © 2010, Juniper Networks, Inc.
Page 469: Configuring Gateway (Nsm Procedure)
Click the Configuration tab. In the configuration tree, expand Services > Border Signaling Gateway. Select Gateway. Add or modify settings as specified in Table 260 on page 434. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 470: Configuring Session Policy Decision Function (Nsm Procedure)
4. From the Committed Burst Rate list, select the maximum number of transactions allowed to burst above the committed rate and still be accepted. Range: 0 through 3000 Configuring Session Policy Decision Function (NSM Procedure) To configure session policy decision function in NSM: Copyright © 2010, Juniper Networks, Inc.
Page 471: Table 261: Session Policy Decision Configuration Details
Multiservices PIC or DPC. 3. Click Add new entry next to Service Class. 4. In the Name box, enter the identifier for the service class. 5. In the Comment box, enter the comment. Copyright © 2010, Juniper Networks, Inc.
Page 472: Configuring Service Point (Nsm Procedure)
Click the Configuration tab. In the configuration tree, expand Services > Border Signaling Gateway. Select Gateway. Add or modify settings as specified in Table 262 on page 437. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 473: Configuring Sip Policies And Timers (Nsm Procedure)
13. Select the corresponding transport protocol. Configuring SIP Policies and Timers (NSM Procedure) See the following topics: Configuring Message Manipulation Rules (NSM Procedure) on page 438 Configuring New Call Usage Policy (NSM Procedure) on page 439 Copyright © 2010, Juniper Networks, Inc.
Page 474: Table 263: Message Manipulate Rules Configuration Details
14. In the Comment box, enter the comment. 15. In the With box, enter the regular expression that you want to modify followed by the value with which you want to replace the regular expression. Copyright © 2010, Juniper Networks, Inc.
Page 475 Click the Device Tree tab, and then double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Services > Border Signaling Gateway. Select Gateway. Add or modify settings as specified in Table 264 on page 440. Click one: OK—Saves the changes. Copyright © 2010, Juniper Networks, Inc.
Page 476: Table 264: New Call Usage Policy Configuration Details
Click Term next to new-call-usage-policy. policy term properties. 2. Click Add new entry next to Term. 3. In the Name box, enter the identifier for the term. 4. In the Comment box, enter the comment. Copyright © 2010, Juniper Networks, Inc.
Page 477 21. Click Add new entry next to Source Address. 22. In the New source-address window, enter the IP addresses that you want to match. Syntax: To specify more than one IP address, enclose the IP addresses in brackets. Copyright © 2010, Juniper Networks, Inc.
Page 478: Table 265: New Call Usage Policy Set Configuration Details
5. Click Add new entry next to New Call Usage Policy Set. 6. In the Name box, enter the identifier for the new call usage policy set. 7. In the Comment box, enter the comment. Copyright © 2010, Juniper Networks, Inc.
Page 479: Table 266: Transaction Policy Configuration Details
Click Term next to new-transaction-policy. policy term properties. 2. Click Add new entry next to Term. 3. In the Name box, enter the identifier for the term. 4. In the Comment box, enter the comment. Copyright © 2010, Juniper Networks, Inc.
Page 480 21. Click Add new entry next to Source Address. 22. In the New source-address window, enter the IP addresses that you want to match. Syntax: To specify more than one IP address, enclose the IP addresses in brackets. Copyright © 2010, Juniper Networks, Inc.
Page 481 Select the transport protocol for routing to the next hop. request-uri—To route all requests and responses on the dialog according to SIP. Configuring a New Transaction Policy Set (NSM Procedure) To configure a new transaction policy set in NSM: Copyright © 2010, Juniper Networks, Inc.
Page 482: Table 267: Transaction Policy Set Configuration Details
In the NSM navigation tree, select Device Manager > Devices. Click the Device Tree tab, and then double-click the device to select it. Click the Configuration tab. In the configuration tree, expand Services > Border Signaling Gateway. Copyright © 2010, Juniper Networks, Inc.
Page 483: Configuring Traceoptions (Nsm Procedure)
Click the Configuration tab. In the configuration tree, expand Services > Border Signaling Gateway. Select Gateway. Add or modify settings as specified in Table 269 on page 448. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 484: Table 269: Traceoption Bsg Configuration Details
7. From the Data list, select the trace level for the data subcomponent. 8. From the Handle list, select the trace level for the access API for the database. 9. From the Db list, select the trace level for the wrapper layer around the database. Copyright © 2010, Juniper Networks, Inc.
Page 485 14. From the Memory Pool list, select the trace level for the message component of SBC utilities. 15. From the Memory Pool list, select the trace level for the memory pool component of SBC utilities. Copyright © 2010, Juniper Networks, Inc.
Page 486 CONTACT replacement and removal or modification of certain headers. 12. From the Policy list, select the trace options for the signaling component that applies policies for call admission, routing decisions, security settings, and so on. Copyright © 2010, Juniper Networks, Inc.
Page 487: Configuring Class Of Service (Nsm Procedure)
In the Devices list, double-click the device to select it. In the Configuration tab, expand Services > CoS. Add or modify the settings as specified in table Table 270 on page 452. Click one: OK—To save the changes. Cancel—To cancel the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 488: Table 270: Cos Configuration Details
21. In the Comment box, enter the comment. 22. In the Dscp box, enter the DSCP mapping that is applied to the packets. 23. In the Forwarding Class box, enter the name of the target application. Copyright © 2010, Juniper Networks, Inc.
Page 489 In the Forwarding Class, enter the forwarding class to which packets are assigned d. From the Application Profile list, select the identifier for the application profile. e. Select the Syslog check box to enable system logging. Copyright © 2010, Juniper Networks, Inc.
Page 490: Configuring Intrusion Detection Service (Nsm Procedure)
Click the Device tree tab and then double-click the device to select it. In the Configuration tab, expand Services > Ids. Add or modify the settings as specified in Table 271 on page 455. Click one: OK—To save the changes. Cancel—To cancel the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 491: Table 271: Ids Configuration Details
Destination Address, Destination Address Range, Destination Prefix List, Source Address, Source Address Range, and Source Prefix List. Define the IDS term actions. Click Then next to term. 2. In the Comment box, enter the comment. 3. Expand Then. Copyright © 2010, Juniper Networks, Inc.
Page 492 Click Logging next to Then. term. 2. In the Comment box, enter the comment. 3. From the Threshold list, select the logging threshold number of events per second. 4. Select the Syslog check box to enable system logging. Copyright © 2010, Juniper Networks, Inc.
Page 493 6. Click Rule next to rule-set. 7. Click Add new entry next to Rule. 8. In the Name box, enter the rule the router uses when applying this service. 9. In the Comment box, enter the comment. Copyright © 2010, Juniper Networks, Inc.
Page 494: Tracing Services Pic Operations (Nsm Procedure)
In the Devices list, double-click the device to select it. In the Configuration tab, expand Services. Select Logging. Add or modify the settings as specified in Table 272 on page 459. Click one: OK—To save the changes. Cancel—To cancel the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 495: Configuring Network Address Translation (Nsm Procedure)
In the Devices list, double-click the device to select it. In the Configuration tab, expand Services > Nat. Add or modify the settings as specified in Table 273 on page 461. Click one: OK—To save the changes. Copyright © 2010, Juniper Networks, Inc.
Page 497: Table 273: Nat Configuration Details
8. In the dialog box, enter an alphanumeric string of up to 3 characters that the BGF uses to match with a termination hint located in the Direction field of a nonstandard termination ID. Copyright © 2010, Juniper Networks, Inc.
Page 498 19. Select the Syslog check box to enable system logging. 20. Click No Translation next to Then. 21. Select one of the following: no-translation—To specify that traffic is not to be translated. translated—To define properties for translated traffic. Copyright © 2010, Juniper Networks, Inc.
Page 499: Configuring Pgcp (Nsm Procedure)
Configuring a Rule (NSM Procedure) on page 489 Configuring Rule Set (NSM Procedure) on page 490 Configuring Session Mirroring (NSM Procedure) on page 490 Configuring Traceoptions (NSM Procedure) on page 491 Configuring Virtual Interface (NSM Procedure) on page 492 Copyright © 2010, Juniper Networks, Inc.
Page 500: Configuring Gateway (Nsm Procedure)
6. From the Service State list, select the service state of the virtual BGF. 7. From the Max Concurrent Calls list, select the Maximum number of concurrent calls on the virtual BGF. Range: 0 through 10,000 Copyright © 2010, Juniper Networks, Inc.
Page 501: Configuring Data Inactivity Detection (Nsm Procedure)
In the Devices list, double-click the device to select it. In the Configuration tab, expand Services > Pgcp. Select Gateway. Add or modify the settings as specified in Table 275 on page 466. Click one: OK—To save the changes. Cancel—To cancel the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 502: Configuring Gateway Controller (Nsm Procedure)
To configure gateway controller in NSM: In the navigation tree select Device Manager > Devices. In the Devices list, double-click the device to select it. In the Configuration tab, expand Services > Pgcp. Select Gateway. Copyright © 2010, Juniper Networks, Inc.
Page 503: Configuring Graceful Restart (Nsm Procedure)
In the Devices list, double-click the device to select it. In the Configuration tab, expand Services > Pgcp. Select Gateway. Add or modify the settings as specified in Table 277 on page 468. Click one: OK—To save the changes. Cancel—To cancel the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 504: Configuring H248 Options Properties (Nsm Procedure)
In the Devices list, double-click the device to select it. In the Configuration tab, expand Services > Pgcp. Select Gateway. Add or modify the settings as specified in Table 278 on page 469. Click one: OK—To save the changes. Cancel—To cancel the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 505: Changing Encoding Defaults (Nsm Procedure)
See the following topics: Configuring Context Indications (NSM Procedure) on page 470 Configure Control Association Indications (NSM Procedure) on page 470 Configuring Virtual Interface Indications (NSM Procedure) on page 473 Copyright © 2010, Juniper Networks, Inc.
Page 506: Table 280: Context Indication Configuration Details
To configure control associations indications in NSM: In the navigation tree select Device Manager > Devices. In the Devices list, double-click the device to select it. Copyright © 2010, Juniper Networks, Inc.
Page 507 Chapter 23: Configuring Services In the Configuration tab, expand Services. Select Pgcp. Add or modify the settings as specified in Table 281 on page 472. Click one: OK—To save the changes. Cancel—To cancel the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 508: Table 281: Control Association Configuration Details
5. From the Graceful list, select the method and reason that the virtual BGF includes in Notification ServiceChange commands that it sends to the gateway controller when the control association transitions from In-Service to Out-of-Service-Graceful. Copyright © 2010, Juniper Networks, Inc.
Page 509 In the Configuration tab, expand Services > Pgcp . Select Gateway. Add or modify the settings as specified in Table 282 on page 474. Click one: OK—To save the changes. Cancel—To cancel the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 510: Configuring H248 Properties (Nsm Procedure)
You can configure default values for H248 properties using the following options. See the following topics: Configuring Application Data Inactivity Detection (NSM Procedure) on page 475 Configuring Base Root (NSM Procedure) on page 475 Copyright © 2010, Juniper Networks, Inc.
Page 511: Configuring Application Data Inactivity Detection (Nsm Procedure)
You can configure default values for properties in the base root package using the Base Root option: To configure base root package in NSM: In the navigation tree select Device Manager > Devices. In the Devices list, double-click the device to select it. Copyright © 2010, Juniper Networks, Inc.
Page 512 M-series and MX-series Devices In the Configuration tab, expand Services > Pgcp. Select Gateway. Add or modify the settings as specified in Table 284 on page 477. Click one: OK—To save the changes. Cancel—To cancel the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 513: Table 284: Base Root Package Configuration Details
3. From the Default list, select the default interval within which property of the base root the virtual BGF waits for a response to transactions from the package. gateway controller. Range: 500 through 29,000 milliseconds. Copyright © 2010, Juniper Networks, Inc.
Page 514: Configuring Differentiated Services (Nsm Procedure)
In the Devices list, double-click the device to select it. In the Configuration tab, expand Services > Pgcp . Select Gateway. Add or modify the settings as specified in Table 286 on page 479. Click one: Copyright © 2010, Juniper Networks, Inc.
Page 515: Hanging Termination Detection (Nsm Procedure)
In the Devices list, double-click the device to select it. In the Configuration tab, expand Services > Pgcp. Select Gateway. Add or modify the settings as specified in Table 287 on page 480. Click one: OK—To save the changes. Cancel—To cancel the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 516: Configuring Inactivity Timer (Nsm Procedure)
In the Devices list, double-click the device to select it. In the Configuration tab, expand Services > Pgcp. Select Gateway. Add or modify the settings as specified in Table 288 on page 481. Click one: OK—To save the changes. Cancel—To cancel the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 517: Configuring Notification Behavior (Nsm Procedure)
In the Devices list, double-click the device to select it. In the Configuration tab, expand Services > Pgcp. Select Gateway. Add or modify the settings as specified in Table 289 on page 482. Click one: OK—To save the changes. Cancel—To cancel the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 518: Configuring Segmentation (Nsm Procedure)
In the Devices list, double-click the device to select it. In the Configuration tab, expand Services > Pgcp. Select Gateway. Add or modify the settings as specified in Table 290 on page 483. Click one: OK—To save the changes. Cancel—To cancel the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 519: Configuring Traffic Management (Nsm Procedure)
To configure traffic management in NSM: In the navigation tree select Device Manager > Devices. In the Devices list, double-click the device to select it. In the Configuration tab, expand Services > Pgcp. Select Gateway. Copyright © 2010, Juniper Networks, Inc.
Page 520: Table 291: Traffic Management Configuration Details
9. Select one of the following: percentage—if the value entered is a percentage of the RTP’s gate rate. fixed-value—if the value entered is a fixed number of bits per second. Range: 0 through 2147483647 Copyright © 2010, Juniper Networks, Inc.
Page 521: Configuring H248 Timers (Nsm Procedure)
In the Devices list, double-click the device to select it. In the Configuration tab, expand Services > Pgcp. Select Gateway. Add or modify the settings as specified in Table 292 on page 486. Click one: OK—To save the changes. Cancel—To cancel the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 522: Configuring The Monitor (Nsm Procedure)
In the Devices list, double-click the device to select it. In the Configuration tab, expand Services > Pgcp. Select Gateway. Add or modify the settings as specified in Table 293 on page 487. Click one: OK—To save the changes. Cancel—To cancel the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 523: Configuring Overload Control (Nsm Procedure)
3. In the Comment box, enter the comment. 4. From the Queue Limit Percentage list, select the percentage of the overload control work queue in use that triggers creation of an overload notification. Range: 1 through 100 Copyright © 2010, Juniper Networks, Inc.
Page 524: Configuring Session Mirroring (Nsm Procedure)
In the Devices list, double-click the device to select it. In the Configuration tab, expand Services > Pgcp. Select Media Service. Add or modify the settings as specified in Table 296 on page 489. Click one: OK—To save the changes. Copyright © 2010, Juniper Networks, Inc.
Page 525: Configuring A Rule (Nsm Procedure)
4. From the Gateway list, select the identifier of the virtual BGF. 5. Expand rule. 6. Click Media Service next to rule. 7. Click Add new entry next to Media Service. 8. In the New media-service window, enter the identifier for the media service name. Copyright © 2010, Juniper Networks, Inc.
Page 526: Configuring Rule Set (Nsm Procedure)
In the Configuration tab, expand Services > Pgcp. Select Session Mirroring. Add or modify the settings as specified in Table 299 on page 491. Click one: OK—To save the changes. Cancel—To cancel the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 527: Configuring Traceoptions (Nsm Procedure)
In the Devices list, double-click the device to select it. In the Configuration tab, expand Services > Pgcp. Select Traceoptions. Add or modify the settings as specified in Table 300 on page 492. Click one: OK—To save the changes. Cancel—To cancel the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 528: Configuring Virtual Interface (Nsm Procedure)
In the Configuration tab, expand Services > Pgcp. Select Virtual Interface. Add or modify the settings as specified in Table 301 on page 493. Click one: OK—To save the changes. Cancel—To cancel the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 529: Configuring Service Interface Pools (Nsm Procedure)
Click one: OK—Saves the changes. Cancel—Cancels the modifications. Apply—Applies the service interface pool options. Table 302: Service Interface Pools Configuration Details Option Function Your Action Name Specifies the service interface pool name. Enter a name. Copyright © 2010, Juniper Networks, Inc.
Page 530: Configuring A Service Set (Nsm Procedure)
In the Devices list, double-click the device to select it. In the Configuration tab, expand Services. Select Service Set. Add or modify the settings as specified in Table 303 on page 495. Click one: OK—Save the changes. Cancel—Cancel the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 531: Table 303: Service Set Configuration Details
Click Extension Service next to service-set. set. 2. Click Add new entry next to Extension Service. 3. In the Name box, enter the identifier for a provider-specific service. 4. In the Comment box, enter the comment. Copyright © 2010, Juniper Networks, Inc.
Page 532 NAT rule set included in this service set. 3. Click Add new entry. 4. From the Name list, select the rule or rule set name. 5. In the Comment box, enter the comment. Copyright © 2010, Juniper Networks, Inc.
Page 534: Configuring Stateful Firewall (Nsm Procedure)
In the Devices list, double-click the device to select it. In the Configuration tab, expand Services > Stateful Firewall. Add or modify the settings as specified in Table 304 on page 499. Click one: OK—To save the changes. Cancel—To cancel the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 535: Table 304: Stateful Firewall Configuration Details
Select reject to accept the traffic and return a rejection message. Define Ip option. Click Allow Ip Options next to Then. 2. Click Add new entry next to Allow Ip Options. 3. From the dropdown list, select the IP option name. Copyright © 2010, Juniper Networks, Inc.
Page 536: Configuring Captive Portal (Nsm Procedure)
Comment Supplies a descriptive comment for the captive portal. Enter a comment. This is optional. Authentication Profile Specifies the access profile name used for Select an authentication profile name Name authentication. from the list. Copyright © 2010, Juniper Networks, Inc.
Page 537: Configuring Custom Options (Nsm Procedure)
Header Message Specifies the header message. Enter a message. Banner Message Specifies the terms and conditions of usage message. Enter a message. Form Header Message Specifies the login form header message. Enter a message. Copyright © 2010, Juniper Networks, Inc.
Page 538: Configuring The Interface (Nsm Procedure)
Specifies the duration to wait after an authentication Set the quiet period. Range: 0 through 65535. failure. Server Timeout Specifies the timeout interval for the authentication Set the server timeout. Range: 1 through 60. server. Copyright © 2010, Juniper Networks, Inc.
Page 539: Configuring Traceoptions (Nsm Procedure)
Click the Configuration tab. In the configuration tree, select Services > Captive Portal > Traceoptions > File. Configure the file options as specified in Table 308 on page 504. Click one: OK — Saves the changes. Cancel — Cancels the modifications. Apply—Applies the file settings. Copyright © 2010, Juniper Networks, Inc.
Page 540: Configuring Flag Options (Nsm Procedure)
Name Specifies the trace flag name. Select a name from the list. Comment Supplies a descriptive comment for the trace flag. Enter a comment. Disable Disables the trace flag. Select the Disable check box. Copyright © 2010, Juniper Networks, Inc.
Page 541: Configuring Mobile Ip (Nsm Procedure)
Click the Configuration tab. In the configuration tree, select Services > Mobile Ip > Access Type. Enter a comment in the Access Type workspace that describes the access type. Configure the access type options as specified in Table 310 on page 506. Click one: Copyright © 2010, Juniper Networks, Inc.
Page 542: Configuring The Authenticate Mechanism (Nsm Procedure)
Your Action Comment Supplies a descriptive comment for the authenticate option. Enter a comment. This is optional. Order Specifies the order in which to use the authenticate Select an order from the list. mechanism. Copyright © 2010, Juniper Networks, Inc.
Page 543: Configuring Dynamic Home Assignment (Nsm Procedure)
Specifies the IP address of the home agent. Enter the IP address. Configuring the Home Agent (NSM Procedure) The home agent feature allows you to configure enable service, pool match order, and virtual network. Copyright © 2010, Juniper Networks, Inc.
Page 544: Configuring Enable Service (Nsm Procedure)
Table 313: Enable Service Configuration Details Option Function Your Action Name Specifies the interface name. Enter the interface name. Value: gigabit, fast ethernet or a 10-gigabit ethernet interface. Comment Specifies the comment for the interface. Enter a comment. Copyright © 2010, Juniper Networks, Inc.
Page 545: Configuring Pool Match Order (Nsm Procedure)
Enter a comment in the Virtual Network workspace that describes the virtual network. Add or modify the settings as specified in Table 315 on page 510. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Apply—Applies the virtual network options. Copyright © 2010, Juniper Networks, Inc.
Page 546: Configuring The Peer (Nsm Procedure)
Add or modify the settings as specified in Table 316 on page 510. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Table 316: Peer Configuration Details Option Function Your Action Peer > Ip Address Name Specifies the peer IP address. Enter the IP address. Copyright © 2010, Juniper Networks, Inc.
Page 547 Select the option. 2. Enter a comment and a hexadecimal value. ascii Enables ASCII text key. Select the option. 2. Enter a comment and ASCII value. Peer > Ip Address > Spi > Replay Method Copyright © 2010, Juniper Networks, Inc.
Page 548 Peer > Nai > Spi > Entity Type Comment Specifies the comment for the entity type. Enter a comment. none Specifies that neither the host or the mobility-agent Select the option. entity type is enabled. Copyright © 2010, Juniper Networks, Inc.
Page 549: Configuring Traceoptions (Nsm Procedure)
In the NSM navigation tree, select Device Manager > Devices. Click the Device Tree tab, and then double-click the device for which you want to configure traceoptions. Click the Configuration tab. In the configuration tree, select Services > Mobile IP > Traceoptions. Copyright © 2010, Juniper Networks, Inc.
Page 550: Configuring File (Nsm Procedure)
Specifies the comment for the filename. Enter a comment. Filename Specifies the filename to write the traceoptions. Enter a filename. Size Specifies the maximum size of the trace file. Enter the maximum file size. Copyright © 2010, Juniper Networks, Inc.
Page 551: Configuring Flag (Nsm Procedure)
Select a name from the drop-down list. Comment Specifies the comment for the flag. Enter a comment. Configuring RPM (NSM Procedure) Real-time Performance Monitoring (RPM) includes the Border Gateway Protocol (BGP), probe, and probe server. Copyright © 2010, Juniper Networks, Inc.
Page 552: Configuring Bgp (Nsm Procedure)
BGP feature. Click the Configuration tab. In the configuration tree, select Services > Rpm > Bgp. Configure the options as specified in Table 321 on page 517. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 553: Configuring Routing Instances (Nsm Procedure)
Click the Configuration tab. In the configuration tree, select Services > Rpm > Bgp > Routing Instances. Add or modify the settings as specified in Table 322 on page 518. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 554: Configuring Probe (Nsm Procedure)
Enter the value or select it from the list. Range: 1 through 15. Probe Interval Specifies the amount of time between the probes. Enter the value or select it from the list. Range: 1 through 255. Copyright © 2010, Juniper Networks, Inc.
Page 555 RPM test is specified. address Specifies the IP address of the remote server that Select the option and enter the address. is being probed by the RPM test. Copyright © 2010, Juniper Networks, Inc.
Page 556 Range: 0 through 60000000. Std Dev Egress Specifies maximum source-to-destination standard Enter the value or select it from the list. deviation per test. Range: 0 through 60000000. probe > test > Traps Copyright © 2010, Juniper Networks, Inc.
Page 557: Configuring Probe Server (Nsm Procedure)
Enter the name of the destination interface. probes. Probe Server > Udp Comment Specifies the comment for UDP. Enter a comment. Port Specifies the UDP port number. Set the port number. Range: 0 through 65535. Copyright © 2010, Juniper Networks, Inc.
Page 558: Configuring Unified Access Control (Nsm Procedure)
UAC includes configuring the following topics: Configuring Infranet Controller (NSM Procedure) on page 522 Configuring Traceoptions (NSM Procedure) on page 523 Configuring Infranet Controller (NSM Procedure) This section describes how to configure infranet controller for UAC. Copyright © 2010, Juniper Networks, Inc.
Page 559: Configuring Traceoptions (Nsm Procedure)
This section describes how to configure traceoptions for UAC. To configure traceoptions: In the NSM navigation tree, select Device Manager > Devices. Click the Device Tree tab, and then double-click the device for which you want to configure the traceoptions feature. Copyright © 2010, Juniper Networks, Inc.
Page 560: Table 327: Traceoptions Configuration Details
Click one: OK—Saves the changes. Cancel—Cancels the modifications. Table 327: Traceoptions Configuration Details Option Function Your Action Name Specifies the flag name. Select a name. Comment Specifies the comment for the flag. Enter a comment. Copyright © 2010, Juniper Networks, Inc.
Page 561: Configuring Snmp
Enter the system location information information. (such as a lab name and a rack name). Contact Specifies the contact information Enter the system contact information for the system. (such as a name and a phone number). Copyright © 2010, Juniper Networks, Inc.
Page 562: Configuring Snmp Communities (Nsm Procedure)
You can update multiple devices at one time. See the Updating Devices section in the Network and Security Manager Administration Guide for more information. Copyright © 2010, Juniper Networks, Inc.
Page 563: Table 329: Configuring Community Fields
To configure the default routing instance on a logical system, specify the logical system name followed by “default.” Comment—Enter a comment for the routing instance. Related Configuring Client Lists (NSM Procedure) Documentation Copyright © 2010, Juniper Networks, Inc.
Page 564: Configuring Snmp Trap Groups (Nsm Procedure)
Destination Port Specifies the SNMP trap group port Enter a trap group port number. number. Routing Instance Specifies a routing instance for trap Enter the name of the routing instance. targets. Copyright © 2010, Juniper Networks, Inc.
Page 565: Configuring Snmp Views (Nsm Procedure)
To configure SNMP views in NSM: In the navigation tree, select Device Manager > Devices. In the Devices list, double-click the device to select it. Click the Configuration tab. In the configuration tree, expand SNMP. Select View. Copyright © 2010, Juniper Networks, Inc.
Page 566: Table 331: Configuring Snmp View Fields
MIB objects represented by the specified OID. Related Configuring Basic System Identification for SNMP (NSM Procedure) on page 525 Documentation Configuring SNMP Communities (NSM Procedure) on page 526 Configuring SNMP Trap Groups (NSM Procedure) on page 528 Copyright © 2010, Juniper Networks, Inc.
Page 567: Configuring System
Configuring TACACS+ Server (NSM Procedure) on page 561 Configuring Accounting (NSM Procedure) The accounting feature directs the voice daemon to generate and collect call records, write them to a file, and store them in an archive. Copyright © 2010, Juniper Networks, Inc.
Page 568: Configuring Destination
Table 332: Destination Configuration Details Option Function Your Action System > Accounting > Destination > Radius Enable Feature Enables to configure the radius feature of the Select the Enable Feature check box to enable destination option. this feature. Copyright © 2010, Juniper Networks, Inc.
Page 569 Enter the password for the secret with the server. authentication server. Timeout Specifies the request time period of the Set the request timeout period of the authentication server. authentication server. Range: 1 - 90. Copyright © 2010, Juniper Networks, Inc.
Page 570: Configuring Events
Enter a comment for the traceoptions. Select the No Remote Trace check box to enable remote tracing. Add or modify settings as specified in Table 333 on page 535. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 571: Configuring Archival (Nsm Procedure)
Enter a comment in the Archival workspace that describes the archival feature. In the configuration tree, select System > Archival > Configuration. Enter a comment in the Configuration workspace that describes the configuration of the archival feature. Copyright © 2010, Juniper Networks, Inc.
Page 572: Configuring Arp (Nsm Procedure)
Click the Configuration tab. In the configuration tree, select System > Arp. Select Enable Feature to enable this feature. Add or modify settings as specified in Table 335 on page 537. Click one: OK—Saves the changes. Copyright © 2010, Juniper Networks, Inc.
Page 573: Configuring Auto Configuration (Nsm Procedure)
To configure the auto configuration feature: In the NSM navigation tree, select Device Manager > Devices. Click the Device Tree tab, and then double-click the device for which you want to configure the auto configuration feature. Copyright © 2010, Juniper Networks, Inc.
Page 574: Table 336: Auto Configuration Traceoptions Details
Prevents any user from reading the log file. (Optional) Select the option. Match Specifies the regular expression for the lines to be Enter the regular expression for the lines to logged. be logged. System > Auto Configuration > Traceoptions > Flag Copyright © 2010, Juniper Networks, Inc.
Page 575: Configuring A Backup Router (Nsm Procedure)
Cancel—Cancels the modifications. Apply—Applies the backup router configuration settings. Related Configuring Authentication Order (NSM Procedure) on page 117 Documentation Configuring Auto Configuration (NSM Procedure) on page 537 Configuring a Commit (NSM Procedure) on page 540 Copyright © 2010, Juniper Networks, Inc.
Page 576: Configuring A Commit (Nsm Procedure)
Click the Configuration tab. In the configuration tree, select System > Diag Port Authentication. In the Diag Port Authentication workspace, enter a plain text password value. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 577: Configuring A Domain Search (Nsm Procedure)
In the NSM navigation tree, select Device Manager > Devices. Click the Device Tree tab, and then double-click the device for which you want to configure the extensions feature. Click the Configuration tab. In the configuration tree, select System > Extensions. Copyright © 2010, Juniper Networks, Inc.
Page 578: Configuring Providers
Click the Device Tree tab, and then double-click the device for which you want to configure the resource limits. Click the Configuration tab. In the configuration tree, select System > Extensions > Resource Limits. Copyright © 2010, Juniper Networks, Inc.
Page 579: Table 338: Resource Limits Configuration Details
Specifies the maximum size of a file that can be created. Enter the file size. Open Specifies the maximum number of simultaneous open Set the number of open files. Range: 0 - files. 2147483647. Copyright © 2010, Juniper Networks, Inc.
Page 580: Configuring An Inet6 Backup Router (Nsm Procedure)
Click the Configuration tab. In the configuration tree, select System > Inet6 Backup Router. Add or modify the settings as described in Table 339 on page 545. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 581: Configuring Internet Options (Nsm Procedure)
OK—Saves the changes. Cancel—Cancels the modifications. Apply—Applies the internet options configuration settings. Table 340: Internet Options Configuration Details Option Function Your Action Comment Supplies a descriptive comment for the (Optional) Enter a comment. internet option. Copyright © 2010, Juniper Networks, Inc.
Page 582 OS to disable RFC 1323 TCP extensions. No Tcp Rfc1323 Paws Specifies that you can configure the Junos Select No Tcp Rfc1323 Paws to enable this OS to disable the RFC 1323 Protection feature. Against Wrapped Sequence (PAWS) number extension. Copyright © 2010, Juniper Networks, Inc.
Page 583 Supplies a descriptive comment for the (Optional) Enter a comment. source port. Upper Limit Specifies the upper limit of the source port Set the upper limit value. Range: 5000 - 65535. selection range. Default value is none. Copyright © 2010, Juniper Networks, Inc.
Page 584: Configuring Location (Nsm Procedure)
Enter a long distance service area of the location. Vcoord Specifies the Bellcore vertical coordinate information. Enter a Bellcore vertical coordinate value. Hcoord Specifies the Bellcore horizontal coordinate Enter a Bellcore horizontal coordinate value. information. Copyright © 2010, Juniper Networks, Inc.
Page 585: Configuring Login (Nsm Procedure)
Enter an announcement in the Login workspace that describes the system announcement message. Enter a message in the Login workspace that describes the system login message. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Copyright © 2010, Juniper Networks, Inc.
Page 586: Configuring Class
Specifies that you can execute this login script while Enter a login script. logging in. Login Tip Specifies the display login tip when logging in. Enable the Login Tip check box to enable this feature. Copyright © 2010, Juniper Networks, Inc.
Page 587: Configuring Password
OK—Saves the changes. Cancel—Cancels the modifications. Apply—Applies the password settings. Table 343: Password Configuration Details Option Function Your Action System > Login > Password Comment Supplies a descriptive comment for the password. (Optional) Enter a comment. Copyright © 2010, Juniper Networks, Inc.
Page 588: Configuring Retry Options
Set the maximum number of times a Disconnect to attempt to enter a password to log in through SSH or user is allowed to attempt to enter a Telnet. password. Range: 1 - 10. Copyright © 2010, Juniper Networks, Inc.
Page 589: Configuring User
Supplies a descriptive comment for the user. (Optional) Enter a comment. Full Name Specifies the complete name of the user. Enter the complete name. Specifies the user identifier for a login account. Set the user identifier. Range: 100 - 64000. Copyright © 2010, Juniper Networks, Inc.
Page 590: Configuring A Name Server (Nsm Procedure)
Enter a DNS name server address in the name-server workspace. Enter a comment for the DNS name server in the name-server workspace. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Apply—Applies the name server settings. Copyright © 2010, Juniper Networks, Inc.
Page 591: Configuring Pic Console Authentication (Nsm Procedure)
Click the Configuration tab. In the configuration tree, select System > Ports. Enter a comment in the Ports workspace that describes the ports. Add or modify the settings as specified in Table 346 on page 556. Click one: Copyright © 2010, Juniper Networks, Inc.
Page 592: Configuring Radius Options (Nsm Procedure)
Click the Device Tree tab. Then double-click the device for which you want to configure radius options. Click the Configuration tab. In the configuration tree, select System > Radius Options. Enter a comment in the Radius Options workspace that describes the RADIUS options. Copyright © 2010, Juniper Networks, Inc.
Page 593: Configuring Radius Server (Nsm Procedure)
Click the Configuration tab. In the configuration tree, select System > Radius Server. Add or modify settings as specified in the Table 348 on page 558. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Apply—Applies the RADIUS server settings. Copyright © 2010, Juniper Networks, Inc.
Page 594: Configuring Root Authentication (Nsm Procedure)
Click the Configuration tab. In the configuration tree, select System > Root Authentication. Enter a plaintext password in the Plain text Password Value. NOTE: You can specify only one plain text password. Copyright © 2010, Juniper Networks, Inc.
Page 595: Configuring Static Host Mapping (Nsm Procedure)
Click the plus sign (+) to add static host mapping. Add or modify settings as specified in the Table 350 on page 560. Click one: OK—Saves the changes. Cancel—Cancels the modifications. Apply—Applies the static host mapping settings. Copyright © 2010, Juniper Networks, Inc.
Page 596: Configuring Tacacs+ Options (Nsm Procedure)
OK—Saves the changes. Cancel—Cancels the modifications. Apply—Applies the TACACS+ options settings. Table 351: TACACS+ Options Configuration Details Option Function Your Action Comment Supplies a descriptive comment for the TACACS+ option. (Optional) Enter a comment. Copyright © 2010, Juniper Networks, Inc.
Page 597: Configuring Tacacs+ Server (Nsm Procedure)
Table 352: TACACS+ Server Configuration Details Option Function Your Action Name Specifies the TACACS+ authentication server address. Enter the TACACS+ authentication server address name. Comment Supplies a descriptive comment of the TACACS+ server. (Optional) Enter a comment. Copyright © 2010, Juniper Networks, Inc.
Page 598 Specifies the source address for the TACACS+ server. Enter the source address name. Related Configuring TACACS+ Options (NSM Procedure) on page 560 Documentation Configuring RADIUS Server (NSM Procedure) on page 557 Configuring Static Host Mapping (NSM Procedure) on page 559 Copyright © 2010, Juniper Networks, Inc.
Page 599: Managing M-Series And Mx-Series Devices
Managing M-series and MX-series Devices Managing M-series and MX-series Devices Overview on page 565 Viewing the M-series and MX-series Device Inventory in NSM and the CLI on page 567 Topology Manager on page 573 Copyright © 2010, Juniper Networks, Inc.
Page 601: Managing M-Series And Mx-Series Devices Overview
For more information and steps about updating the device software version, see “Upgrading the Device Software” in the Network and Security Manager Administration Guide. Related Viewing and Reconciling Device Inventory on page 567 Documentation Comparing Device Inventory in NSM and the CLI on page 568 Copyright © 2010, Juniper Networks, Inc.
Page 603: Cli
N/A—Either the device is not yet connected and managed by NSM, or the device is a ScreenOS security device or IDP sensor Changes to the device inventory are not automatically updated in the NSM database. Copyright © 2010, Juniper Networks, Inc.
Page 604: Comparing Device Inventory In Nsm And The Cli
Right-click the device whose inventory you want to view. Select View/Reconcile Inventory. The Device Inventory window opens, similar to the example shown in Figure 7 on page 568. Figure 7: The Device Inventory Window Copyright © 2010, Juniper Networks, Inc.
Page 605: Figure 8: Viewing The Hardware Inventory
OS and its version, and any other installed packages. (See Figure 9 on page 569.) Figure 9: Viewing the Software Inventory NOTE: The License tab not supported for M-series or MX-series devices. Copyright © 2010, Juniper Networks, Inc.
Page 606: Viewing Device Inventory From The Cli
M10i device. The row of output showing the midplane is in bold to illustrate that the midplane information in this example is identical to the midplane information in the NSM UI example. Copyright © 2010, Juniper Networks, Inc.
Page 607 M10i device. In this instance, the CLI output provides more information than is provided by the NSM UI. Related Managing M-series and MX-series Device Software Versions on page 565 Documentation Viewing and Reconciling Device Inventory on page 567 Copyright © 2010, Juniper Networks, Inc.
Page 609: Topology Manager
NSM user interface (UI) to discover and manage the physical topology of a network of devices connected to a Juniper Networks EX-series switch. These include networking devices such as the J-series, M-series, MX-series, and EX-series, as well as ScreenOS and IDP devices, IP phones, desktops, printers, and servers.
Page 610: About The Nsm Topology Manager Toolbar
The Topology Manager status bar at the bottom of the screen indicates the timestamp of the last completed topology discovery and whether a discovery is in progress. Copyright © 2010, Juniper Networks, Inc.
Page 611 For more information about the Topology Manager, see the Network and Security Manager Administration Guide. Related Overview of the NSM Topology Manager on page 573 Documentation Requisites for a Topology Discovery on page 573 Copyright © 2010, Juniper Networks, Inc.
Page 615: Real Time Monitoring Of M-Series And Mx-Series
Related Viewing Device Status on page 580 Documentation Viewing Device Monitor Alarm Status on page 582 Setting the Polling Interval For Device Alarm Status on page 583 Copyright © 2010, Juniper Networks, Inc.
Page 616: Viewing Device Status
A device in this state cannot connect to NSM. Update Needed—An update to this device is required. Managed—The device is currently being managed by NSM. Managed, In Sync—The physical device configuration is synced with the modeled configuration in NSM. Copyright © 2010, Juniper Networks, Inc.
Page 617 N/A—The device's alarm is not pollable or discoverable, for example, this column shows "N/A" for ScreenOS and IDP devices. Alarm is colored: Red for Major. Orange for Minor. Green for Ignore, None, Unknown, or N/A. Copyright © 2010, Juniper Networks, Inc.
Page 618: Viewing Device Monitor Alarm Status
To view the Alarm status and time: From Device Monitor, right-click the device row entry and select the View Alarm option. The device Alarm Status dialog box displays the alarm list and polling time for the device. Copyright © 2010, Juniper Networks, Inc.
Page 619: Setting The Polling Interval For Device Alarm Status
The minimum polling interval is 60 seconds. The maximum interval is 2,147,483,647 seconds. You cannot disable polling. Related About the Realtime Monitor on page 579 Documentation Viewing Device Status on page 580 Viewing Device Monitor Alarm Status on page 582 Copyright © 2010, Juniper Networks, Inc.
Page 623: Index
CoS drop profiles..............127 aggregated devices, configuring........99 CoS forwarding classes............129 alarm status CoS forwarding policy, configuring........131 setting polling intervals..........583 CoS fragmentation maps, configuring......132 viewing................582 CoS host outbound traffic, configuring......133 API....................12 CoS interfaces................134 Copyright © 2010, Juniper Networks, Inc.
Page 624 82, configuring........192 gateway, configuring............433 DHCP agent, configuring............187 generated routes discovery rules................29 configuring..............369 distributed data collection...........13 group specific properties RIPng, configuring....340 DMI See distributed data collection group, device................29 drop profiles................127 dynamic tunnels, configuring..........363 Copyright © 2010, Juniper Networks, Inc.
Page 625 IP demux, configuring..........215 properties, configuring..........209 unit properties, configuring........214 receive bucket properties, configuring....212 tracing operations, configuring........212 traffic shaping profile, configuring......234 Copyright © 2010, Juniper Networks, Inc.
Page 626 MSDP peer group, configuring.........325 rule set, configuring............490 MSDP, configuring..............322 rule, configuring............489 MSTP..................330 session mirroring, configuring......488, 490 MTU signaling, configuring..........318 Copyright © 2010, Juniper Networks, Inc.
Page 627 MSTP................330 martian addresses............373 maximum paths............374 maximum prefixes............375 RADIUS, configuring...............70 multicast................377 Realtime Monitor Options................380 using.................579 rib..................381 reroute path rib groups................383 automatic bandwidth, configuring.......293 source routing...............384 retain Static Routes..............385 option..................18 Traceoptions..............387 RSVP, configuring..............351 configuring..............381 Copyright © 2010, Juniper Networks, Inc.
Page 628 See technical support T640 router, configuring.............107 TCP See Transmission Control Protocol technical overview..............3 technical support contacting JTAC............xxxiv topologies, configuring............387 Traceoptions configuring..............387 Transmission Control Protocol...........13 trap groups configuring..............528 unreachable workflow importing device..............16 views configuring..............529 VRRP..................358 VSTP..................359 Copyright © 2010, Juniper Networks, Inc.

This manual is also suitable for:

M-series Mx-series

Juniper NETWORK AND SECURITY MANAGER 2010.4 - M-SERIES AND MX-SERIES DEVICES GUIDE REV 1 Manual

Chapter 1 Getting Started with NSM

Chapter 2 Understanding the JUNOS CLI and NSM

Chapter 3 Before You Begin Adding M-Series and MX-Series Devices

Chapter 4 Adding M-Series and MX-Series Devices Overview

Chapter 5 Updating M-Series and MX-Series Devices Overview

Chapter 6 Configuring M-Series and MX-Series Devices Overview

Chapter 7 Configuring Access

Chapter 8 Configuring Accounting Options

Chapter 9 Configuring Applications

Chapter 10 Configuring Bridge Domains

Chapter 11 Configuring Chassis

Chapter 12 Configuring Authentication

Chapter 13 Configuring Class of Service Features

Chapter 14 Configuring Event Options

Chapter 15 Configuring Firewall

Chapter 16 Configuring Forwarding Options

Quick Links

Related Manuals for Juniper NETWORK AND SECURITY MANAGER 2010.4 - M-SERIES AND MX-SERIES DEVICES GUIDE REV 1

Summary of Contents for Juniper NETWORK AND SECURITY MANAGER 2010.4 - M-SERIES AND MX-SERIES DEVICES GUIDE REV 1