Juniper JUNOSE 11.1.X IP SERVICES Manuals
Manuals and User Guides for Juniper JUNOSE 11.1.X IP SERVICES. We have 1 Juniper JUNOSE 11.1.X IP SERVICES manual available for free PDF download: Configuration Manual
Juniper JUNOSE 11.1.X IP SERVICES Configuration Manual (366 pages)
IP Services Configuration Guide
Brand: Juniper | Category: Software | Size: 3.91 MB
Table of Contents
Table of Contents
9
List of Figures
19
About the Documentation
23
Audience
23
Documentation Feedback
23
E Series and JUNOSe Documentation and Release Notes
23
E Series and JUNOSe Text and Syntax Conventions
23
Obtaining Documentation
23
Requesting Technical Support
23
Table 1: Notice Icons
24
Table 2: Text and Syntax Conventions
24
About the Documentation
25
Opening a Case with JTAC
26
Self-Help Online Tools and Resources
26
Part 1 Chapters
27
Chapters
27
Chapter 5 Configuring IPsec
27
Configuring Routing Policy
29
Overview
29
Platform Considerations
30
References
30
Route Maps
30
Chapter 1 Configuring Routing Policy
31
Route Map Configuration Example
31
Figure 1: Applying Route Maps to Routes
32
Multiple Values in a Match Entry
32
Chapter 1 Configuring Routing Policy
33
Negating Match Clauses
33
Matching a Community List Exactly
34
Removing Community Lists from a Route Map
34
Matching a Policy List
35
Redistributing Access Routes
35
Setting Multicast Bandwidths
35
Match Policy Lists
46
Access Lists
47
Filtering Prefixes
47
Configuration Example 1
47
Configuration Example 2
48
Configuration Example 3
48
Filtering AS Paths
49
Figure 2: Filtering with Access Lists
49
Configuration Example 1
50
Figure 3: Filtering with AS-Path Access Lists
50
Using Access Lists in a Route Map
51
Configuration Example 1
51
Figure 4: Route Map Filtering
51
Using Access Lists for PIM Join Filters
55
Clearing Access List Counters
57
Creating Table Maps
57
Table 3: Match and Set Policy Values
58
Prefix Lists
59
Using a Prefix List
60
Using the Null Interface
59
Prefix Trees
62
Using a Prefix Tree
63
Community Lists
64
Figure 5: Community Lists
64
Table 4: Action Based on Well-Known Community Membership
64
Extended Community Lists
68
Using Regular Expressions
70
AS-Path Lists
70
Community Lists
71
Community Numbers
71
Metacharacters
71
Table 5: Supported Regular Expression Metacharacters
71
Using Metacharacters as Literal Tokens
72
Regular Expression Examples
73
Table 6: Sample Regular Expressions
73
Managing the Routing Table
75
Monitoring Routing Policy
76
Troubleshooting Routing Policy
76
Configuring NAT
89
Overview
89
Platform Considerations
90
Module Requirements
90
References
90
NAT Configurations
91
Chapter 2 Configuring NAT
91
Traditional NAT
91
Basic NAT
91
Bidirectional NAT
92
NAPT
92
Network and Address Terms
92
Inside Local Addresses
93
Inside Global Addresses
93
Outside Local Addresses
93
Outside Global Addresses
93
Twice NAT
92
Understanding Address Translation
93
Inside Source Translation
93
Outside Source Translation
94
Address Assignment Methods
94
Static Translations
94
Dynamic Translations
95
Order of Operations
95
Inside-To-Outside Translation
95
Outside-To-Inside Translation
95
Before You Begin
96
Packet Discard Rules
96
PPTP and GRE Tunneling through NAT
96
Configuring a NAT License
97
Limiting Translation Entries
97
Specifying Inside and Outside Interfaces
97
Defining Static Address Translations
98
Creating Static Inside Source Translations
98
Creating Static Outside Source Translations
99
Defining Dynamic Translations
100
Creating Access List Rules
100
Defining Address Pools
101
Defining Dynamic Translation Rules
102
Creating Dynamic Inside Source Translation Rules
103
Creating Dynamic Outside Source Translation Rules
103
Defining Translation Timeouts
104
Clearing Dynamic Translations
105
NAT Configuration Examples
105
NAPT Example
105
Figure 6: NAPT Example
106
Bidirectional NAT Example
107
Figure 7: Bidirectional NAT Example
108
Twice NAT Example
109
Figure 8: Twice NAT Example
109
Cross-VRF Example
111
Figure 9: Cross-VRF Example
111
Tunnel Configuration through NAT Examples
112
Clients on an Inside Network
113
Clients on an Outside Network
113
Figure 10: PPTP Tunnels on an Inside Network
113
Figure 11: PPTP Tunnels on an Outside Network
113
GRE Flows through NAT
114
Monitoring NAT
114
Displaying the NAT License Key
114
Displaying Translation Statistics
115
Displaying Translation Entries
117
Displaying Address Pool Information
118
Displaying Inside and Outside Rule Settings
119
Configuring J-Flow Statistics
121
Overview
121
Interface Sampling
121
Aggregation Caches
122
Flow Collection
122
Main Flow Cache Contents
122
Cache Flow Export
123
Aging Flows
123
Operation with NAT
124
Operation with High Availability
124
Before You Configure J-Flow Statistics
124
Configuring Flow-Based Statistics Collection
124
Enabling Flow-Based Statistics
125
Enabling Flow-Based Statistics on an Interface
125
Defining a Sampling Interval
126
Setting Cache Size
127
Defining Aging Timers
127
Specifying the Activity Timer
127
Specifying the Inactivity Timer
128
Specifying Flow Export
128
Configuring Aggregation Flow Caches
129
Platform Considerations
124
Monitoring J-Flow Statistics
132
Clearing J-Flow Statistics
132
J-Flow Show Commands
132
Bidirectional Forwarding Detection Overview
139
How BFD Works
140
Negotiation of the BFD Liveness Detection Interval
140
Configuring BFD
139
Chapter 4 Configuring BFD
141
BFD Platform Considerations
142
BFD References
142
BFD Version Support
143
Configuring a BFD License
143
Table 7: Determining BFD Versions
143
Configuring BFD
144
Managing BFD Adaptive Timer Intervals
144
Clearing BFD Sessions
145
Monitoring BFD
146
System Event Logs
146
Viewing BFD Information
147
Monitoring BFD
147
Configuring IPsec
151
Overview
151
IPsec Terms and Acronyms
151
Table 8: IPsec Terms and Abbreviations
151
Platform Considerations
153
References
153
IPsec Concepts
154
Secure IP Interfaces
154
RFC 2401 Compliance
155
IPsec Protocol Stack
155
Figure 12: IPsec Tunneling Stack
155
Security Parameters
156
Figure 13: IPsec Tunneling Packet Encapsulation
156
Table 9: Security Parameters Used on Secure IP Interfaces
156
Figure 14: IPsec Security Parameters in Relation to the Secure IP
157
Manual Versus Signaled Interfaces
157
Operational Virtual Router
158
Table 10: Security Parameters Per IPsec Policy Type
158
Transport Virtual Router
158
Lifetime
160
Perfect Forward Secrecy
160
Inbound and Outbound SAs
161
Transform Sets
161
Table 11: Supported Transforms
162
Table 12: Supported Security Transform Combinations
163
Other Security Features
164
IP Security Policies
164
ESP Processing
165
AH Processing
165
IPsec Maximums Supported
165
DPD and IPsec Tunnel Failover
165
Tunnel Failover
166
IKE Overview
166
Main Mode and Aggressive Mode
167
Aggressive Mode Negotiations
167
IKE Policies
168
Priority
168
Table 13: Initiator Proposals and Policy Rules
168
Encryption
169
Hash Function
169
Authentication Mode
169
Diffie-Hellman Group
170
Lifetime
170
IKE SA Negotiation
170
Generating Private and Public Key Pairs
170
Configuration Tasks
171
Configuring an IPsec License
171
Configuring IPsec Parameters
172
Creating an IPsec Tunnel
175
Configuring DPD and IPsec Tunnel Failover
180
Defining an IKE Policy
182
Refreshing SAs
185
Enabling Notification of Invalid Cookies
185
Configuration Examples
186
Configuration Notes
186
Figure 15: Customer A's Corporate Frame Relay Network
186
Figure 16: ISP-X Uses ERX Routers to Connect Corporate Offices over the
187
Figure 17: Connecting Customers Who Use Similar Address Schemes
190
Monitoring IPsec
194
System Event Logs
194
Show Commands
195
Configuring Dynamic IPsec Subscribers
203
Overview
203
Dynamic Connection Setup
203
Dynamic Connection Teardown
204
Dynamic IPsec Subscriber Recognition
204
Licensing Requirements
204
Inherited Subscriber Functionality
205
Using IPsec Tunnel Profiles
205
Relocating Tunnel Interfaces
206
User Authentication
206
Platform Considerations
206
Creating an IPsec Tunnel Profile
207
Configuring IPsec
207
Configuring Digital Certificates
207
References
207
Configuring IPsec Tunnel Profiles
208
Limiting Interface Instantiations on each Profile
208
Specifying IKE Settings
208
Setting the IKE Local Identity
208
Setting the IKE Peer Identity
209
Appending a Domain Suffix to a Username
210
Overriding IPsec Local and Peer Identities for SA Negotiations
210
Specifying an IP Profile for IP Interface Instantiations
211
Defining the Server IP Address
211
Specifying Local Networks
212
Defining IPsec Security Association Lifetime Parameters
212
Defining User Reauthentication Protocol Values
213
Specifying IPsec Security Association Transforms
214
Specifying IPsec Security Association PFS and DH Group Parameters
214
Defining the Tunnel MTU
215
Defining IKE Policy Rules for IPsec Tunnels
215
Specifying a Virtual Router for an IKE Policy Rule
215
Defining Aggressive Mode for an IKE Policy Rule
216
Monitoring IPsec Tunnel Profiles
216
System Event Logs
216
Show Commands
217
Chapter 7 Configuring ANCP
219
Access Topology Discovery
220
Line Configuration
220
Transactional Multicast
220
OAM
221
Retrieval of DSL Line Rate Parameters
221
Learning the Partition ID from an Access Node
221
Configuring ANCP
219
Overview
219
Platform Considerations
221
Configuring ANCP
222
Creating a Listening TCP Socket for ANCP
222
Accessing L2C Configuration Mode for ANCP
222
Defining the ANCP Session Timeout
223
Learning the Access Node Partition ID
223
References
222
Configuring ANCP Interfaces
224
Configuring ANCP Neighbors
224
Accessing L2C Neighbor Configuration Mode for ANCP
225
Defining an ANCP Neighbor
225
Limiting Discovery Table Entries
226
Clearing ANCP Neighbors
226
Configuring Topology Discovery
226
Configuring ANCP for QoS Adaptive Mode
227
Adjusting the Data Rate Reported by ANCP for DSL Lines
228
Triggering ANCP Line Configuration
228
Configuring Transactional Multicast for IGMP
229
Creating an IGMP Session for ANCP
229
ANCP IGMP Configuration Example
230
Figure 18: Using ANCP with an Access Node
230
Complete Configuration Example
231
Triggering ANCP OAM
231
Monitoring ANCP
232
Configuring Digital Certificates
239
Overview
239
Digital Certificate Terms and Acronyms
239
Table 14: Digital Certificate Terms and Acronyms
239
Platform Considerations
240
References
240
IKE Authentication with Digital Certificates
241
Signature Authentication
241
Generating Public/Private Key Pairs
242
Obtaining a Root CA Certificate
242
Obtaining a Public Key Certificate
243
Offline Certificate Enrollment
243
Online Certificate Enrollment
243
Authenticating the Peer
244
Verifying CRLs
244
File Extensions
245
Certificate Chains
245
Table 15: Outcome of IKE Phase 1 Negotiations
245
Table 16: File Extensions (Offline Configuration)
245
IKE Authentication Using Public Keys Without Digital Certificates
246
Configuration Tasks
246
Public Key Format
247
Configuring Digital Certificates Using the Offline Method
247
Configuring Digital Certificates Using the Online Method
253
Configuring Peer Public Keys Without Digital Certificates
258
Monitoring Digital Certificates and Public Keys
263
Chapter 9 Configuring IP Tunnels
271
GRE Tunnels
272
DVMRP Tunnels
272
Configuring IP Tunnels
271
Figure 19: IP Tunneling
271
Overview
271
Platform Considerations
272
Module Requirements
272
ERX7xx Models, ERX14xx Models, and the ERX310 Router
272
E120 Router and E320 Router
273
Redundancy and Tunnel Distribution
273
References
273
Configuration Tasks
274
Configuration Example
276
Configuring IP Tunnels to Forward IP Frames
278
Preventing Recursive Tunnels
278
Creating Multicast VPNs Using GRE Tunnels
279
Figure 20: Transport and Tunnel Networks Using Different Routing Protocols
279
Monitoring IP Tunnels
279
Configuring Dynamic IP Tunnels
287
Dynamic IP Tunnel Overview
287
Data MDT for Multicast VPNs and Dynamic IP Tunnels
287
Mobile IP and Dynamic IP Tunnels
288
Combining Dynamic and Static IP Tunnels in the same Chassis
289
Changing and Removing Existing Dynamic IP Tunnels
289
Platform Considerations
289
Module Requirements
290
ERX7xx Models, ERX14xx Models, and the ERX310 Router
290
E120 Router and E320 Router
290
Redundancy and Tunnel Distribution
291
Configuring a Destination Profile for Dynamic IP Tunnels
291
Modifying the Default Destination Profile
291
Modifying the Configuration of the Default Destination Profile
291
Configuring a Destination Profile for GRE Tunnels
292
Creating a Destination Profile for DVMRP Tunnels
293
References
291
Monitoring Dynamic IP Tunnels
296
Chapter 11 IP Reassembly for Tunnels
305
Overview
305
Platform Considerations
306
Module Requirements
306
ERX7xx Models, ERX14xx Models, and the ERX310 Router
306
Figure 21: Tunneling through an IP Network that Fragments Packets
306
E120 Router and E320 Router
307
Configuring IP Reassembly
307
Monitoring IP Reassembly
308
Setting Statistics Baselines
308
Displaying Statistics
309
Overview
313
Tunnel Creation
313
IPsec Secured-Tunnel Maximums
314
Securing L2TP and IP Tunnels with IPsec
313
Platform Considerations
314
Module Requirements
314
References
314
L2TP/IPsec Tunnels
315
Chapter 12 Securing L2TP and IP Tunnels with IPsec
315
Figure 22: L2TP with IPsec Application
316
Figure 23: L2TP/IPsec Connection
316
Setting up the Secure L2TP Connection
316
Compatibility and Requirements
317
Client Software Supported
317
Interactions with NAT
317
Figure 24: L2TP Control Frame Encapsulated by IPsec
317
Figure 25: L2TP Data Frame Encapsulated by IPsec
317
Interaction between IPsec and PPP
318
LNS Change of Port
318
Group Preshared Key
318
L2TP with IPsec Control and Data Frames
317
NAT Passthrough Mode
318
NAT Traversal
319
How NAT-T Works
319
UDP Encapsulation
319
UDP Statistics
320
Figure 26: L2TP Control Frame with NAT-T UDP Encapsulation
320
Figure 27: L2TP Data Frame with NAT-T UDP Encapsulation
320
Figure 28: IKE Packet with NAT-T UDP Encapsulation
320
NAT Keepalive Messages
321
Configuring and Monitoring NAT-T
321
Single-Shot Tunnels
321
Table 17: Configuration and Monitoring Tasks for NAT-T
321
Configuration Tasks for Client PC
322
Table 18: Differences in Handling Timeout Periods for L2TP/IPsec Tunnels
322
Configuration Tasks for E Series Routers
323
Enabling IPsec Support for L2TP
323
Configuring NAT-T
324
Configuring Single-Shot Tunnels
325
GRE/IPsec and DVMRP/IPsec Tunnels
326
Setting up the Secure GRE or DVMRP Connection
327
Configuration Tasks
327
Enabling IPsec Support for GRE and DVMRP Tunnels
327
Figure 29: GRE/IPsec Connection
327
Configuring IPsec Transport Profiles
328
Monitoring DVMRP/IPsec, GRE/IPsec, and L2TP/IPsec Tunnels
333
System Event Logs
333
Show Commands
333
Configuring the Mobile IP Home Agent
341
Mobile IP Overview
341
Mobile IP Agent Discovery
342
Mobile IP Registration
342
Home Address Assignment
342
Authentication
342
AAA
343
Subscriber Management
344
Mobile IP Routing and Forwarding
344
Before You Configure the Mobile IP Home Agent
345
Mobile IP Platform Considerations
345
Mobile IP References
345
Configuring the Mobile IP Home Agent
346
Monitoring the Mobile IP Home Agent
351
Index
357
Index
359
Related Products
Juniper JUNOSE 11.1.X BGP AND MPLS
Juniper JUNOSE 11.1.X MULTICAST ROUTING
Juniper JUNOSe 11.1
Juniper JUNOSE 11.1.1
Juniper JUNOSe 11.1.0
Juniper JUNOSE 11.0.X IP SERVICES
Juniper JUNOSE 11.2.X MULTICAST ROUTING
Juniper JUNOSE 11.0
Juniper JUNOSE 11.2.X IP SERVICES
Juniper JUNOSE FOR E SERIES BROADBAND SERVICES ROUTERS - S 11.1.1
Juniper Categories
Network Router
Switch
Gateway
Software
Network Hardware