How it Works
Juniper
Loading...
J
L
M
Loading...
Loading...
JUNOSE 11.2.X
Configuration Manual
356 pgs4.54 Mb0
Configuration Manual
742 pgs13.11 Mb0
Configuration Manual
256 pgs2.89 Mb0

Juniper JUNOSE 11.2.X IP SERVICES, JUNOSE 11.2.X Configuration Manual

JunosE™ Software for E Series™ Broadband Services Routers
IP Services Configuration Guide
Release
11.2.x
Published: 2010-06-29
Copyright © 2010, Juniper Networks, Inc.
Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net
Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
JunosE™ Software for E Series™ Broadband Services Routers IP Services Configuration Guide
Release 11.2.x Copyright © 2010, Juniper Networks, Inc. All rights reserved. Printed in USA.
Writing: Subash Babu Asokan, Mark Barnard, Bruce Gillham, Sarah Lesway-Ball, Brian Wesley Simmons, Fran Singer, Namrata Mehta Editing: Benjamin Mann Illustration: Nathaniel Woodward Cover Design: Edmonds Design
Revision History July 2010—FRS JunosE 11.2.x
The information in this document is current as of the date listed in the revision history.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. The Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
Copyright © 2010, Juniper Networks, Inc.ii
END USER LICENSE AGREEMENT
READ THIS END USER LICENSE AGREEMENT (“AGREEMENT”) BEFORE DOWNLOADING, INSTALLING, OR USING THE SOFTWARE.
BY DOWNLOADING, INSTALLING, OR USING THE SOFTWARE OR OTHERWISE EXPRESSING YOUR AGREEMENT TO THE TERMS CONTAINED HEREIN, YOU (AS CUSTOMER OR IF YOU ARE NOT THE CUSTOMER, AS A REPRESENTATIVE/AGENT AUTHORIZED TO BIND THE CUSTOMER) CONSENT TO BE BOUND BY THISAGREEMENT. IF YOU DO NOTOR CANNOT AGREE TO THE TERMSCONTAINED HEREIN, THEN (A) DO NOT DOWNLOAD, INSTALL, OR USE THE SOFTWARE, AND (B) YOU MAY CONTACT JUNIPER NETWORKS REGARDING LICENSE TERMS.
1. The Parties. The parties to this Agreement are (i) Juniper Networks, Inc. (if the Customer’s principal office is located in the Americas) or Juniper Networks(Cayman)Limited(if the Customer’s principaloffice is locatedoutside the Americas)(such applicable entity beingreferred to herein as“Juniper”), and (ii)the person ororganizationthat originally purchased from Juniperor an authorized Juniper reseller the applicable license(s) for use of the Software (“Customer”) (collectively, the “Parties”).
2. The Software. In this Agreement, “Software” means the program modules and features of the Juniper or Juniper-supplied software, for which Customer has paid the applicable license or support fees to Juniper or an authorized Juniper reseller, or which was embedded by Juniper in equipment which Customer purchased from Juniper oran authorized Juniper reseller. “Software” also includes updates, upgrades and new releases of such software. “Embedded Software” means Software which Juniper has embedded in or loaded onto the Juniper equipment and any updates, upgrades, additions or replacements which are subsequently embedded in or loaded onto the equipment.
3. License Grant. Subject to payment of the applicablefeesand the limitations andrestrictions set forthherein, Juniper grantsto Customer a non-exclusive and non-transferable license, without right to sublicense, to use the Software, in executable form only, subject to the following use restrictions:
a. Customer shall use Embedded Software solely as embedded in, and for execution on, Juniper equipment originally purchased by Customer from Juniper or an authorized Juniper reseller.
b. Customer shall use the Software on a single hardware chassis having a single processing unit, or as many chassis or processing units for which Customer has paid the applicable license fees; provided, however, with respect to the Steel-Belted Radius or Odyssey Access Client software only, Customer shall use such Software on a single computer containing a single physical random access memory space and containing any number of processors. Use of the Steel-Belted Radius or IMS AAA software on multiple computers or virtual machines (e.g., Solaris zones) requires multiple licenses, regardless of whether such computers or virtualizations are physically contained on a single chassis.
c. Product purchase documents, paper or electronic user documentation, and/or the particular licenses purchased by Customer may specify limitstoCustomer’suse ofthe Software.Such limitsmay restrict use toa maximum number of seats, registeredendpoints, concurrent users, sessions, calls, connections, subscribers, clusters, nodes, realms, devices, links, ports or transactions, or require the purchase of separate licenses to use particular features, functionalities, services, applications, operations, or capabilities, or provide throughput, performance, configuration, bandwidth, interface, processing, temporal, or geographical limits. In addition, such limits may restrict the use of the Software to managing certain kinds of networks or require the Software to be used only in conjunction with other specific Software. Customer’s use of the Software shall be subject to all such limitations and purchase of all applicable licenses.
d. For any trial copy of the Software, Customer’s right to use the Software expires 30 days after download, installation or use of the Software. Customer may operate the Software after the 30-day trial period only if Customer pays for a license to do so. Customer may not extend or create an additional trial period by re-installing the Software after the 30-day trial period.
e. The Global Enterprise Edition of the Steel-Belted Radius software may be used by Customer only to manage access to Customer’s enterprise network. Specifically, service provider customers are expressly prohibited from using the Global Enterprise Edition of the Steel-Belted Radius software to support any commercial network access services.
The foregoing license is not transferable or assignable by Customer. No license is granted herein to any user who did not originally purchase the applicable license(s) for the Software from Juniper or an authorized Juniper reseller.
4. Use Prohibitions. Notwithstanding the foregoing, the license provided herein does not permit the Customer to, and Customer agrees not to and shall not: (a) modify, unbundle, reverse engineer, or create derivative works based on the Software; (b) make unauthorized copies of the Software (except as necessary for backup purposes); (c) rent, sell, transfer, or grant any rights in and to any copy of the Software,in anyform, to anythird party; (d)removeany proprietary notices, labels,or marks on or in any copyof the Softwareor anyproduct in which the Software is embedded; (e) distribute any copy of the Software to any third party, including as may be embedded in Juniper equipment sold in thesecondhandmarket;(f) use any‘locked’ orkey-restricted feature,function, service, application,operation,or capability without first purchasing the applicable license(s) and obtaining a valid key from Juniper, even if such feature, function, service, application, operation, or capability is enabled without a key; (g) distribute any key for the Software provided by Juniper to any third party; (h) use the
iiiCopyright © 2010, Juniper Networks, Inc.
Software in any manner that extends or is broader than the uses purchased by Customer from Juniper or an authorized Juniper reseller; (i) use Embedded Software on non-Juniper equipment; (j) use Embedded Software (or make it available for use) on Juniper equipment that the Customer did not originally purchase from Juniper or an authorized Juniper reseller; (k) disclose the results of testing or benchmarking of the Software to any third party without the prior written consent of Juniper; or (l) use the Software in any manner other than as expressly provided herein.
5. Audit. Customer shall maintain accurate records as necessary to verify compliance with this Agreement. Upon request by Juniper, Customer shall furnish such records to Juniper and certify its compliance with this Agreement.
6. Confidentiality. The Parties agree that aspects of the Software and associated documentation are the confidential property of Juniper. As such, Customer shall exercise all reasonable commercialefforts to maintain the Software and associated documentation in confidence, which at a minimum includes restrictingaccess to the Software to Customer employees and contractors havinga need touse the Software for Customer’s internal business purposes.
7. Ownership. Juniper and Juniper’s licensors, respectively, retain ownership of all right, title, and interest (including copyright) in and to the Software, associated documentation, and all copies of the Software. Nothing in this Agreement constitutes a transfer or conveyance of any right, title, or interest in the Software or associated documentation, or a sale of the Software, associated documentation, or copies of the Software.
8. Warranty, Limitation of Liability, Disclaimer of Warranty. The warranty applicable to the Software shall be as set forth in the warranty statementthataccompaniesthe Software (the “Warranty Statement”). Nothing inthis Agreement shallgive rise to anyobligation tosupport the Software. Support services may be purchased separately. Any such support shall be governed by a separate, written support services agreement. TO THE MAXIMUM EXTENT PERMITTED BY LAW, JUNIPER SHALL NOT BE LIABLE FOR ANY LOST PROFITS, LOSS OF DATA, OR COSTS ORPROCUREMENT OFSUBSTITUTE GOODSOR SERVICES,OR FORANYSPECIAL,INDIRECT, ORCONSEQUENTIALDAMAGES ARISING OUTOF THIS AGREEMENT,THE SOFTWARE,OR ANY JUNIPEROR JUNIPER-SUPPLIED SOFTWARE. IN NOEVENT SHALL JUNIPER BE LIABLE FOR DAMAGES ARISING FROM UNAUTHORIZED OR IMPROPER USE OF ANY JUNIPER OR JUNIPER-SUPPLIED SOFTWARE. EXCEPT AS EXPRESSLY PROVIDED IN THE WARRANTY STATEMENT TO THE EXTENT PERMITTED BY LAW, JUNIPER DISCLAIMS ANY AND ALL WARRANTIES IN AND TO THE SOFTWARE (WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE), INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT DOES JUNIPER WARRANT THAT THE SOFTWARE, OR ANY EQUIPMENT OR NETWORK RUNNING THE SOFTWARE, WILL OPERATE WITHOUT ERROR OR INTERRUPTION, OR WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK. In no event shall Juniper’s or its suppliers’ or licensors’ liability to Customer, whether in contract, tort (including negligence), breach of warranty, or otherwise, exceed the price paid by Customer for the Software that gave rise to the claim, or if the Software is embedded in another Juniper product, the price paid by Customer for such other product. Customer acknowledges and agrees that Juniper has set its prices and entered into this Agreement in reliance upon the disclaimers of warranty and the limitations of liability set forth herein, that the same reflect an allocation of risk between the Parties (including the risk that a contract remedy may fail of its essential purpose and cause consequential loss), and that the same form an essential basis of the bargain between the Parties.
9. Termination. Any breach of this Agreement or failure by Customer to pay any applicable fees due shall result in automatic termination of the license granted herein. Upon such termination, Customer shall destroy or return to Juniper all copies of the Software and related documentation in Customer’s possession or control.
10. Taxes. All license fees payable under this agreement are exclusive of tax. Customer shall be responsible for paying Taxes arising from the purchase of the license, or importation or use of the Software. If applicable, valid exemption documentation for each taxing jurisdiction shall be provided to Juniper prior to invoicing, and Customer shall promptly notify Juniper if their exemption is revoked or modified. All payments made by Customer shall be net of any applicable withholding tax. Customer will provide reasonable assistance to Juniper in connection with such withholding taxes by promptly: providing Juniper with valid tax receipts and other required documentation showing Customer’s payment of any withholding taxes; completing appropriate applications that would reduce the amount of withholding tax to be paid; and notifying and assisting Juniper in any audit or tax proceeding related to transactions hereunder. Customer shall comply with all applicable tax laws and regulations, and Customer will promptly pay or reimburse Juniper for all costs and damages related to any liability incurred by Juniper as a result of Customer’s non-compliance or delay with its responsibilities herein. Customer’s obligations under this Section shall survive termination or expiration of this Agreement.
11. Export. Customer agrees to comply with all applicable export laws and restrictions and regulations of any United States and any applicable foreign agency or authority, and not to export or re-export the Software or any direct product thereof in violation of any such restrictions, laws or regulations, or without all necessary approvals. Customer shall be liable for any such violations. The version of the Software supplied to Customer may contain encryption or other capabilities restricting Customer’s ability to export the Software without an export license.
Copyright © 2010, Juniper Networks, Inc.iv
12. Commercial Computer Software. The Software is “commercial computer software” and is provided with restricted rights. Use, duplication, or disclosure by the United States government is subject to restrictions set forth in this Agreement and as provided in DFARS
227.7201 through 227.7202-4, FAR 12.212, FAR 27.405(b)(2), FAR 52.227-19, or FAR 52.227-14(ALT III) as applicable.
13. Interface Information. To the extent required by applicable law, and at Customer's written request, Juniper shall provide Customer with the interface information needed to achieve interoperability between the Software and another independently created program, on payment of applicable fee, if any. Customer shall observe strict obligations ofconfidentiality with respect to such information and shall use such information in compliance with any applicable terms and conditions upon which Juniper makes such information available.
14. Third Party Software. Any licensor of Juniper whose software is embeddedin the Software and any supplier ofJuniper whose products or technology are embedded in (or services are accessed by) the Software shall be a third party beneficiary with respect to this Agreement, and such licensor or vendor shallhave theright to enforce this Agreement in its own nameas if it were Juniper. In addition, certain third party software may be provided with the Software and is subject to the accompanying license(s), if any, of its respective owner(s). To the extent portions of the Software are distributed under and subject to open source licenses obligating Juniper to make the source code for such portions publicly available (such as the GNU General Public License (“GPL”) or the GNU Library General Public License (“LGPL”)), Juniper will make such source code portions (including Juniper modifications, as appropriate) available upon request for a period of up to three years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194 N. Mathilda Ave., Sunnyvale, CA 94089, ATTN: General Counsel. You may obtain a copy of the GPL at http://www.gnu.org/licenses/gpl.html, and a copy of the LGPL
at http://www.gnu.org/licenses/lgpl.html .
15. Miscellaneous. This Agreement shall be governed by the laws of the State of California without reference to its conflicts of laws principles. The provisions of the U.N. Convention for the International Sale of Goods shall not apply to this Agreement. For any disputes arising under this Agreement, the Parties hereby consent to the personal and exclusive jurisdiction of, and venue in, the state and federal courts within Santa Clara County, California. This Agreement constitutes the entire and sole agreement between Juniper and the Customer with respect to the Software, and supersedes all prior and contemporaneous agreements relating to the Software, whether oral or written (including any inconsistent terms contained in a purchase order), except that the terms of a separate written agreement executed by an authorized Juniper representative and Customer shall govern to the extent such terms are inconsistent or conflict with terms contained herein. No modification to this Agreement nor any waiver of any rights hereunder shall be effective unless expressly assented to in writing by the party to be charged. If any portion of this Agreement is held invalid, the Parties agree that such invalidity shall not affect the validity of the remainder of this Agreement. This Agreement and associated documentation has been written in the English language, and the Parties agree that the English version will govern. (For Canada: Les parties aux présentés confirment leur volonté que cette convention de même que tous les documents y compris tout avis qui s'y rattaché, soient redigés en langue anglaise. (Translation: The parties confirm that this Agreement and all related documentation is and will be in the English language)).
vCopyright © 2010, Juniper Networks, Inc.
Copyright © 2010, Juniper Networks, Inc.vi
Abbreviated Table of Contents
About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiii
Part 1 Chapters
Chapter 1 Configuring Routing Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Chapter 2 Configuring NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Chapter 3 Configuring J-Flow Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Chapter 4 Configuring BFD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Chapter 5 Configuring IPSec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Chapter 6 Configuring Dynamic IPSec Subscribers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Chapter 7 Configuring ANCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Chapter 8 Configuring Digital Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Chapter 9 Configuring IP Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Chapter 10 Configuring Dynamic IP Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Chapter 11 IP Reassembly for Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Chapter 12 Securing L2TP and IP Tunnels with IPSec . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Chapter 13 Configuring the Mobile IP Home Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Part 2 Index
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
viiCopyright © 2010, Juniper Networks, Inc.
JunosE 11.2.x IP Services Configuration Guide
Copyright © 2010, Juniper Networks, Inc.viii
Table of Contents
About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiii
E Series and JunosE Documentation and Release Notes . . . . . . . . . . . . . . . . . . . xxiii
Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiii
E Series and JunosE Text and Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . . . xxiii
Obtaining Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxv
Documentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxv
Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxv
Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxvi
Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxvi
Part 1 Chapters
Chapter 1 Configuring Routing Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Platform Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Route Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Route Map Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Multiple Values in a Match Entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Negating Match Clauses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Matching a Community List Exactly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Removing Community Lists from a Route Map . . . . . . . . . . . . . . . . . . . . . . . . . 8
Matching a Policy List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Redistributing Access Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Setting Multicast Bandwidths . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Match Policy Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Access Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Filtering Prefixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Configuration Example 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Configuration Example 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Configuration Example 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Filtering AS Paths . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Configuration Example 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Using Access Lists in a Route Map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Configuration Example 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Using Access Lists for PIM Join Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Clearing Access List Counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Creating Table Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Using the Null Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Prefix Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Using a Prefix List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
ixCopyright © 2010, Juniper Networks, Inc.
JunosE 11.2.x IP Services Configuration Guide
Prefix Trees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Community Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Using Regular Expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Managing the Routing Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Troubleshooting Routing Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Monitoring Routing Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Chapter 2 Configuring NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Platform Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
NAT Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Network and Address Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Understanding Address Translation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Address Assignment Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Order of Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
PPTP and GRE Tunneling Through NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Packet Discard Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Configuring a NAT License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Limiting Translation Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Specifying Inside and Outside Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Defining Static Address Translations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Using a Prefix Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Extended Community Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
AS-path Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Community Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Community Numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Metacharacters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Using Metacharacters as Literal Tokens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Regular Expression Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Module Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Traditional NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Basic NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
NAPT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Bidirectional NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Twice NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Inside Local Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Inside Global Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Outside Local Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Outside Global Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Inside Source Translation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Outside Source Translation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Static Translations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Dynamic Translations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Inside-to-Outside Translation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Outside-to-Inside Translation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Creating Static Inside Source Translations . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Creating Static Outside Source Translations . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Copyright © 2010, Juniper Networks, Inc.x
Table of Contents
Defining Dynamic Translations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Creating Access List Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Defining Address Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Defining Dynamic Translation Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Creating Dynamic Inside Source Translation Rules . . . . . . . . . . . . . . . . . 74
Creating Dynamic Outside Source Translation Rules . . . . . . . . . . . . . . . . 74
Defining Translation Timeouts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Clearing Dynamic Translations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
NAT Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
NAPT Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Bidirectional NAT Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Twice NAT Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Cross-VRF Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Tunnel Configuration Through NAT Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Clients on an Inside Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Clients on an Outside Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
GRE Flows Through NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Monitoring NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Displaying the NAT License Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Displaying Translation Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Displaying Translation Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Displaying Address Pool Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Displaying Inside and Outside Rule Settings . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Chapter 3 Configuring J-Flow Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Interface Sampling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Aggregation Caches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Flow Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Main Flow Cache Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Cache Flow Export . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Aging Flows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Operation with NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Operation with High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Platform Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Before You Configure J-Flow Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Configuring Flow-Based Statistics Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Enabling Flow-Based Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Enabling Flow-Based Statistics on an Interface . . . . . . . . . . . . . . . . . . . . . . . 95
Defining a Sampling Interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Setting Cache Size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Defining Aging Timers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Specifying the Activity Timer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Specifying the Inactivity Timer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Specifying Flow Export . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Configuring Aggregation Flow Caches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Monitoring J-Flow Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Clearing J-Flow Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
J-Flow show Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
xiCopyright © 2010, Juniper Networks, Inc.
JunosE 11.2.x IP Services Configuration Guide
Chapter 4 Configuring BFD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Bidirectional Forwarding Detection Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
BFD Platform Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
BFD References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Configuring a BFD License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
BFD Version Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Configuring BFD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Managing BFD Adaptive Timer Intervals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Clearing BFD Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Monitoring BFD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Chapter 5 Configuring IPSec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Platform Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
IPSec Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
IKE Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
How BFD Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Negotiation of the BFD Liveness Detection Interval . . . . . . . . . . . . . . . . . . . 108
System Event Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Viewing BFD Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
IPSec Terms and Acronyms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Secure IP Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
RFC 2401 Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
IPSec Protocol Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Security Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Manual Versus Signaled Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Operational Virtual Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Transport Virtual Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Perfect Forward Secrecy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Lifetime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Inbound and Outbound SAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Transform Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Other Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
IP Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
ESP Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
AH Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
IPSec Maximums Supported . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
DPD and IPSec Tunnel Failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Tunnel Failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Main Mode and Aggressive Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Aggressive Mode Negotiations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
IKE Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Hash Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Authentication Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Diffie-Hellman Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Lifetime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Copyright © 2010, Juniper Networks, Inc.xii
Table of Contents
IKE SA Negotiation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Generating Private and Public Key Pairs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Configuring an IPSec License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Configuring IPSec Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Creating an IPSec Tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Configuring DPD and IPSec Tunnel Failover . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Defining an IKE Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Refreshing SAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Enabling Notification of Invalid Cookies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Configuration Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Monitoring IPSec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
System Event Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
show Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Chapter 6 Configuring Dynamic IPSec Subscribers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Dynamic Connection Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Dynamic Connection Teardown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Dynamic IPSec Subscriber Recognition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Licensing Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Inherited Subscriber Functionality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Using IPSec Tunnel Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Relocating Tunnel Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
User Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Platform Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Creating an IPSec Tunnel Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Configuring IPSec Tunnel Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Limiting Interface Instantiations on Each Profile . . . . . . . . . . . . . . . . . . . . . . 174
Specifying IKE Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Setting the IKE Local Identity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Setting the IKE Peer Identity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Appending a Domain Suffix to a Username . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Overriding IPSec Local and Peer Identities for SA Negotiations . . . . . . . . . . 176
Specifying an IP Profile for IP Interface Instantiations . . . . . . . . . . . . . . . . . . 176
Defining the Server IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Specifying Local Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Defining IPSec Security Association Lifetime Parameters . . . . . . . . . . . . . . . 178
Defining User Reauthentication Protocol Values . . . . . . . . . . . . . . . . . . . . . . 178
Specifying IPSec Security Association Transforms . . . . . . . . . . . . . . . . . . . . 179
Specifying IPSec Security Association PFS and DH Group Parameters . . . . 179
Defining the Tunnel MTU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Defining IKE Policy Rules for IPSec Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Specifying a Virtual Router for an IKE Policy Rule . . . . . . . . . . . . . . . . . . . . . 180
Defining Aggressive Mode for an IKE Policy Rule . . . . . . . . . . . . . . . . . . . . . . 181
xiiiCopyright © 2010, Juniper Networks, Inc.
JunosE 11.2.x IP Services Configuration Guide
Monitoring IPSec Tunnel Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Chapter 7 Configuring ANCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Platform Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Configuring ANCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Configuring ANCP Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Configuring ANCP Neighbors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Configuring Topology Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Configuring ANCP for QoS Adaptive Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Triggering ANCP Line Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Adjusting the Data Rate Reported by ANCP for DSL Lines . . . . . . . . . . . . . . . . . . 194
Configuring Transactional Multicast for IGMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Triggering ANCP OAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Monitoring ANCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Chapter 8 Configuring Digital Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Platform Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
IKE Authentication with Digital Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
System Event Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
show Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Access Topology Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Line Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Transactional Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
OAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Retrieval of DSL Line Rate Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Learning the Partition ID from an Access Node . . . . . . . . . . . . . . . . . . . . . . . 187
Creating a Listening TCP Socket for ANCP . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Accessing L2C Configuration Mode for ANCP . . . . . . . . . . . . . . . . . . . . . . . . 188
Defining the ANCP Session Timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Learning the Access Node Partition ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Accessing L2C Neighbor Configuration Mode for ANCP . . . . . . . . . . . . . . . . 190
Defining an ANCP Neighbor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Limiting Discovery Table Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Clearing ANCP Neighbors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Creating an IGMP Session for ANCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
ANCP IGMP Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Complete Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Digital Certificate Terms and Acronyms . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Signature Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Generating Public/Private Key Pairs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Obtaining a Root CA Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Obtaining a Public Key Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Offline Certificate Enrollment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Online Certificate Enrollment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Authenticating the Peer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Verifying CRLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Copyright © 2010, Juniper Networks, Inc.xiv
Table of Contents
File Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Certificate Chains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
IKE Authentication Using Public Keys Without Digital Certificates . . . . . . . . . . . . 212
Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
Public Key Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
Configuring Digital Certificates Using the Offline Method . . . . . . . . . . . . . . . . . . . 213
Configuring Digital Certificates Using the Online Method . . . . . . . . . . . . . . . . . . . 219
Configuring Peer Public Keys Without Digital Certificates . . . . . . . . . . . . . . . . . . 224
Monitoring Digital Certificates and Public Keys . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Chapter 9 Configuring IP Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
GRE Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
DVMRP Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Platform Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Module Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
ERX7xx Models, ERX14xx Models, and the ERX310 Router . . . . . . . . . . 238
E120 Router and E320 Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
Redundancy and Tunnel Distribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
Configuring IP Tunnels to Forward IP Frames . . . . . . . . . . . . . . . . . . . . . . . . 243
Preventing Recursive Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
Creating Multicast VPNs Using GRE Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . 244
Monitoring IP Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Chapter 10 Configuring Dynamic IP Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Dynamic IP Tunnel Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Data MDT for Multicast VPNs and Dynamic IP Tunnels . . . . . . . . . . . . . . . . 252
Mobile IP and Dynamic IP Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Combining Dynamic and Static IP Tunnels in the Same Chassis . . . . . . . . . 253
Changing and Removing Existing Dynamic IP Tunnels . . . . . . . . . . . . . . . . . 253
Platform Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Module Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
ERX7xx Models, ERX14xx Models, and the ERX310 Router . . . . . . . . . . 254
E120 Router and E320 Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Redundancy and Tunnel Distribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
Configuring a Destination Profile for Dynamic IP Tunnels . . . . . . . . . . . . . . . . . . 255
Modifying the Default Destination Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
Modifying the Configuration of the Default Destination Profile . . . . . . . 256
Configuring a Destination Profile for GRE Tunnels . . . . . . . . . . . . . . . . . . . . 256
Creating a Destination Profile for DVMRP Tunnels . . . . . . . . . . . . . . . . . . . . 256
Monitoring Dynamic IP Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
xvCopyright © 2010, Juniper Networks, Inc.
JunosE 11.2.x IP Services Configuration Guide
Chapter 11 IP Reassembly for Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Platform Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
Configuring IP Reassembly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
Monitoring IP Reassembly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
Chapter 12 Securing L2TP and IP Tunnels with IPSec . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Platform Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
L2TP/IPSec Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
GRE/IPSec and DVMRP/IPSec Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Configuring IPSec Transport Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Monitoring DVMRP/IPSec, GRE/IPSec, and L2TP/IPSec Tunnels . . . . . . . . . . . . 294
Module Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
ERX7xx Models, ERX14xx Models, and the ERX310 Router . . . . . . . . . . 270
E120 Router and E320 Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
Setting Statistics Baselines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
Displaying Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
Tunnel Creation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
IPSec Secured-Tunnel Maximums . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
Module Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
Setting Up the Secure L2TP Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
L2TP with IPSec Control and Data Frames . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Compatibility and Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Client Software Supported . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Interactions with NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Interaction Between IPSec and PPP . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
LNS Change of Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
Group Preshared Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
NAT Passthrough Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
NAT Traversal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
How NAT-T Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
UDP Encapsulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
UDP Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
NAT Keepalive Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Configuring and Monitoring NAT-T . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Single-Shot Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Configuration Tasks for Client PC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Configuration Tasks for E Series Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Enabling IPSec Support for L2TP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
Configuring NAT-T . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
Configuring Single-Shot Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Setting Up the Secure GRE or DVMRP Connection . . . . . . . . . . . . . . . . . . . . 288
Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Enabling IPSec Support for GRE and DVMRP Tunnels . . . . . . . . . . . . . . . . . 289
System Event Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
show Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Copyright © 2010, Juniper Networks, Inc.xvi
Table of Contents
Chapter 13 Configuring the Mobile IP Home Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Mobile IP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Mobile IP Agent Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Mobile IP Registration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Home Address Assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
AAA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Subscriber Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
Mobile IP Routing and Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
Mobile IP Platform Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Mobile IP References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Before You Configure the Mobile IP Home Agent . . . . . . . . . . . . . . . . . . . . . . . . . 307
Configuring the Mobile IP Home Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Monitoring the Mobile IP Home Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
Part 2 Index
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
xviiCopyright © 2010, Juniper Networks, Inc.
JunosE 11.2.x IP Services Configuration Guide
Copyright © 2010, Juniper Networks, Inc.xviii
List of Figures
Part 1 Chapters
Chapter 1 Configuring Routing Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Figure 1: Applying Route Maps to Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Figure 2: Filtering with Access Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Figure 3: Filtering with AS-Path Access Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Figure 4: Route Map Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Figure 5: Community Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Chapter 2 Configuring NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Figure 6: NAPT Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Figure 7: Bidirectional NAT Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Figure 8: Twice NAT Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Figure 9: Cross-VRF Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Figure 10: PPTP Tunnels on an Inside Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Figure 11: PPTP Tunnels on an Outside Network . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Chapter 5 Configuring IPSec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Figure 12: IPSec Tunneling Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Figure 13: IPSec Tunneling Packet Encapsulation . . . . . . . . . . . . . . . . . . . . . . . . . 124
Figure 14: IPSec Security Parameters in Relation to the Secure IP Interface . . . . 125
Figure 15: Customer A's Corporate Frame Relay Network . . . . . . . . . . . . . . . . . . . 153
Figure 16: ISP-X Uses ERX Routers to Connect Corporate Offices over the
Internet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Figure 17: Connecting Customers Who Use Similar Address Schemes . . . . . . . . 156
Chapter 7 Configuring ANCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Figure 18: Using ANCP with an Access Node . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Chapter 9 Configuring IP Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Figure 19: IP Tunneling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Figure 20: Transport and Tunnel Networks Using Different Routing Protocols . . 244
Chapter 11 IP Reassembly for Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Figure 21: Tunneling Through an IP Network That Fragments Packets . . . . . . . . 270
Chapter 12 Securing L2TP and IP Tunnels with IPSec . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Figure 22: L2TP with IPSec Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Figure 23: L2TP/IPSec Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Figure 24: L2TP Control Frame Encapsulated by IPSec . . . . . . . . . . . . . . . . . . . . 279
Figure 25: L2TP Data Frame Encapsulated by IPSec . . . . . . . . . . . . . . . . . . . . . . 279
Figure 26: L2TP Control Frame with NAT-T UDP Encapsulation . . . . . . . . . . . . . 281
Figure 27: L2TP Data Frame with NAT-T UDP Encapsulation . . . . . . . . . . . . . . . 282
xixCopyright © 2010, Juniper Networks, Inc.
JunosE 11.2.x IP Services Configuration Guide
Figure 28: IKE Packet with NAT-T UDP Encapsulation . . . . . . . . . . . . . . . . . . . . . 282
Figure 29: GRE/IPSec Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Copyright © 2010, Juniper Networks, Inc.xx
List of Tables
About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiii
Table 1: Notice Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiv
Table 2: Text and Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiv
Part 1 Chapters
Chapter 1 Configuring Routing Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Table 3: Match and Set Policy Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Table 4: Action Based on Well-Known Community Membership . . . . . . . . . . . . . . 37
Table 5: Supported Regular Expression Metacharacters . . . . . . . . . . . . . . . . . . . . 43
Table 6: Sample Regular Expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Chapter 4 Configuring BFD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Table 7: Determining BFD Versions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Chapter 5 Configuring IPSec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Table 8: IPSec Terms and Abbreviations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Table 9: Security Parameters Used on Secure IP Interfaces . . . . . . . . . . . . . . . . . 124
Table 10: Security Parameters per IPSec Policy Type . . . . . . . . . . . . . . . . . . . . . . 126
Table 11: Supported Transforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Table 12: Supported Security Transform Combinations . . . . . . . . . . . . . . . . . . . . . 131
Table 13: Initiator Proposals and Policy Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Chapter 8 Configuring Digital Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Table 14: Digital Certificate Terms and Acronyms . . . . . . . . . . . . . . . . . . . . . . . . 205
Table 15: Outcome of IKE Phase 1 Negotiations . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Table 16: File Extensions (Offline Configuration) . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Chapter 12 Securing L2TP and IP Tunnels with IPSec . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Table 17: Configuration and Monitoring Tasks for NAT-T . . . . . . . . . . . . . . . . . . . 283
Table 18: Differences in Handling Timeout Periods for L2TP/IPSec Tunnels . . . . 284
xxiCopyright © 2010, Juniper Networks, Inc.
JunosE 11.2.x IP Services Configuration Guide
Copyright © 2010, Juniper Networks, Inc.xxii
About the Documentation
E Series and JunosE Documentation and Release Notes on page xxiii
Audience on page xxiii
E Series and JunosE Text and Syntax Conventions on page xxiii
Obtaining Documentation on page xxv
Documentation Feedback on page xxv
Requesting Technical Support on page xxv
E Series and JunosE Documentation and Release Notes
For a list of related JunosE documentation, see
http://www.juniper.net/techpubs/software/index.html .
If the information in the latest release notes differs from the information in the documentation, follow the JunosE Release Notes.
To obtain the most current version of all Juniper Networks®technical documentation,
see the product documentation page on the Juniper Networks website at
http://www.juniper.net/techpubs/.
Audience
This guide is intended for experienced system and network specialists working with Juniper Networks E SeriesBroadband Services Routers in an Internet access environment.
E Series and JunosE Text and Syntax Conventions
Table 1 on page xxiv defines notice icons used in this documentation.
xxiiiCopyright © 2010, Juniper Networks, Inc.
JunosE 11.2.x IP Services Configuration Guide
Table 1: Notice Icons
Table 2 on page xxiv defines text and syntax conventions that we use throughout the E Series and JunosE documentation.
DescriptionMeaningIcon
Indicates important features or instructions.Informational note
Indicates a situation that might result in loss of data or hardware damage.Caution
Alerts you to the risk of personal injury or death.Warning
Alerts you to the risk of personal injury from a laser.Laser warning
Table 2: Text and Syntax Conventions
Representscommandsand keywordsin text.Bold text like this
Fixed-width text like this
Italic text like this
Plus sign (+) linking key names
Syntax Conventions in the Command Reference Guide
Representsinformationas displayedon your terminal’s screen.
Emphasizes words.
Identifies variables.
Identifies chapter, appendix, and book names.
keys simultaneously.
ExamplesDescriptionConvention
Issue the clock source command.
Specify the keyword exp-msg.
host1(config)#traffic class low-loss1Represents text that the user must type.Bold text like this
host1#show ip ospf 2
Routing Process OSPF 2 with Router ID 5.5.0.250 Router is an Area Border Router (ABR)
There are two levels of access: user and privileged.
clusterId, ipAddress.
Appendix A, System Specifications
Press Ctrl + b.Indicates that you must press two or more
terminal lengthRepresents keywords.Plain text like this
mask, accessListNameRepresents variables.Italic text like this
Copyright © 2010, Juniper Networks, Inc.xxiv
Table 2: Text and Syntax Conventions (continued)
About the Documentation
ExamplesDescriptionConvention
| (pipe symbol)
or variable to the left or to the right of this symbol. (The keyword or variable can be either optional or required.)
[ ]* (brackets and asterisk)
that can be entered more than once.
Represent required keywords or variables.{ } (braces)
Obtaining Documentation
To obtain the most current version of all Juniper Networks technical documentation, see the Technical Documentation page on the Juniper Networks Web site at
http://www.juniper.net/.
To download complete sets of technical documentation to create your own documentation CD-ROMs or DVD-ROMs, see the Portable Libraries page at
http://www.juniper.net/techpubs/resources/index.html
diagnostic | lineRepresents a choice to select one keyword
[ internal | external ]Represent optional keywords or variables.[ ] (brackets)
[ level1 | level2 | l1 ]*Represent optional keywords or variables
{ permit | deny } { in | out }
{ clusterId | ipAddress }
Copies of the Management Information Bases (MIBs) for a particular software release are available for download in the software image bundle from the Juniper Networks Web site athttp://www.juniper.net/.
Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation to better meet your needs. Send your comments to
techpubs-comments@juniper.net, or fill out the documentation feedback form at
https://www.juniper.net/cgi-bin/docbugreport/. If you are using e-mail, be sure to include
the following information with your comments:
Document or topic name
URL or page number
Software release version
Requesting Technical Support
Technical productsupport isavailable through theJuniper NetworksTechnical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract,
xxvCopyright © 2010, Juniper Networks, Inc.
JunosE 11.2.x IP Services Configuration Guide
or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.
JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at
http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf .
Product warranties—For product warranty information, visit
http://www.juniper.net/support/warranty/ .
JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:
Find CSC offerings: http://www.juniper.net/customers/support/
Search for known bugs: http://www2.juniper.net/kb/
Find product documentation: http://www.juniper.net/techpubs/
Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
Download the latest versions of software and review release notes:
http://www.juniper.net/customers/csc/software/
Search technical bulletins for relevant hardware and software notifications:
https://www.juniper.net/alerts/
Join and participate in the Juniper Networks Community Forum:
http://www.juniper.net/company/communities/
Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/
To verifyservice entitlement by product serialnumber, use ourSerial Number Entitlement (SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/
Opening a Case with JTAC
You can open a case with JTAC on the Web or by telephone.
Use the Case Management tool in the CSC at http://www.juniper.net/cm/ .
Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, see
http://www.juniper.net/support/requesting-support.html .
Copyright © 2010, Juniper Networks, Inc.xxvi
PART 1
Chapters
Configuring Routing Policy on page 3
Configuring NAT on page 61
Configuring J-Flow Statistics on page 91
Configuring BFD on page 107
Configuring IPSec on page 119
Configuring Dynamic IPSec Subscribers on page 169
Configuring ANCP on page 185
Configuring Digital Certificates on page 205
Configuring IP Tunnels on page 237
Configuring Dynamic IP Tunnels on page 251
IP Reassembly for Tunnels on page 269
Securing L2TP and IP Tunnels with IPSec on page 275
Configuring the Mobile IP Home Agent on page 303
1Copyright © 2010, Juniper Networks, Inc.
JunosE 11.2.x IP Services Configuration Guide
Copyright © 2010, Juniper Networks, Inc.2
CHAPTER 1
Configuring Routing Policy
This chapter provides information about configuringrouting policyfor your E Series router. It describes routingpolicy configuration in general as itmight beused withvarious routing protocols,such as Border Gateway Protocol (BGP), Intermediate Systemto Intermediate System (IS-IS), Open Shortest Path First (OSPF), and Routing Information Protocol (RIP).
This chapter contains the following sections:
Overview on page 3
Platform Considerations on page 4
References on page 4
Route Maps on page 4
Match Policy Lists on page 19
Access Lists on page 20
Using the Null Interface on page 32
Prefix Lists on page 32
Prefix Trees on page 35
Community Lists on page 37
Using Regular Expressions on page 42
Managing the Routing Table on page 47
Troubleshooting Routing Policy on page 47
Monitoring Routing Policy on page 48
Overview
Routing policy determines howthe system handles the routes it receives from and sends to neighboring routers. In many cases, routing policy consists of the following:
Filtering routes
Accepting certain routes
Accepting and modifying other routes
3Copyright © 2010, Juniper Networks, Inc.
JunosE 11.2.x IP Services Configuration Guide
Rejecting some routes
Determining the routing protocol used to distribute the routes
You can think of routing policy as a way to control the flow of routes into and out of the router.
The decision about which routes to accept from and advertise to various neighbors has an important impact on the traffic that crosses a network. Routing policy is used to enforce business agreements between two or more Internet service providers (ISPs) concerning the amount and type of traffic that is allowed to pass between them.
You can use one or more of the following mechanisms to configure routing policy:
“Route Maps” on page 4
“Match Policy Lists” on page 19
“Access Lists” on page 20
“Prefix Lists” on page 32
“Prefix Trees” on page 35
“Community Lists” on page 37
Platform Considerations
Configuring routing policies is supported on all E Series routers.
For information about the modules supported on E Series routers:
See the ERXModuleGuide for modulessupportedon ERX7xx models,ERX14xx models, and the Juniper Networks ERX310 Broadband Services Router.
See the E120 and E320 Module Guide for modules supported on the Juniper Networks E120 and E320 Broadband Services Routers.
References
For more information about the protocols discussed in this chapter, see their respective chapters in this guide and other guides within the JunosE documentation set, and to the References sections within those chapters.
Route Maps
You can useroutemaps to control and modify routing information and todefine conditions for redistributing routes between routing domains. Youcan applyroute maps to inbound, outbound, or redistribution routes. A routemap consists ofmatch clauses and set clauses.
Match clauses specify the attribute values that determine whether a route matches the route map. Aroute that has thesame attribute valuespasses the match condition. Routes that pass all the match conditions match the route map. You issue match commands to define the match conditions for a route map. You can specify the match conditions in
Copyright © 2010, Juniper Networks, Inc.4
Loading...
+ 326 hidden pages
Buy Points How it Works FAQ Contact Us Questions and Suggestions Privacy Policy Cookie Policy Terms of Use