Juniper JUNOS OS 10.3 - LN1000 MOBILE SECURE ROUTER USER GUIDE 8-26-2010, LN1000 User Manual

®

JUNOS

LN1000 Mobile Secure Router User Guide

OS

Release

10.3

Published: 2010-08-26

Copyright © 2010, Juniper Networks, Inc.

Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net

This productincludes the Envoy SNMP Engine, developed by Epilogue Technology, an Integrated Systems Company. Copyright© 1986-1997,
Epilogue Technology Corporation. All rights reserved. This program and its documentation were developed at private expense, and no part
of them is in the public domain.

This product includes memory allocation software developed by Mark Moraes, copyright © 1988, 1989, 1993, University of Toronto.

This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentation
and software included in the 4.4BSD and 4.4BSD-Lite Releases is copyrighted by the Regents of the University of California. Copyright ©
1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994. The Regents of the University of California. All rights reserved.

GateD software copyright © 1995, the Regents of the University. All rights reserved. Gate Daemon was originated and developed through
release 3.0 by Cornell University and its collaborators. Gated is based on Kirton’s EGP, UC Berkeley’s routing daemon (routed), and DCN’s
HELLO routing protocol. Development of Gated has been supported in part by the National Science Foundation. Portions of the GateD
software copyright © 1988, Regents of the University of California. All rights reserved. Portions of the GateD software copyright © 1991, D.
L. S. Associates.

This product includes software developed by Maker Communications, Inc., copyright © 1996, 1997, Maker Communications, Inc.

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United
States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other
trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify,
transfer, or otherwise revise this publication without notice.

Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are
owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312,
6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.

Junos OS LN1000 Mobile Secure Router User Guide

Release 10.3
Copyright © 2010, Juniper Networks, Inc.
All rights reserved. Printed in USA.

Revision History
July 2010—R1 Junos 10.3

The information in this document is current as of the date listed in the revision history.

YEAR 2000 NOTICE

Juniper Networks hardware and software products are Year 2000 compliant. The Junos OS has no known time-related limitations through
the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

SOFTWARE LICENSE

The terms and conditions for using this software are described in the software license contained in the acknowledgment to your purchase
order or, to the extent applicable, to any reseller agreement or end-user purchase agreement executed between you and Juniper Networks.
By using this software, you indicate that you understand and agree to be bound by those terms and conditions. Generally speaking, the
software license restricts the manner in which you are permitted to use the software and may contain prohibitions against certain uses.
The software license may state conditions under which the license is automatically terminated. You should consult the license for further
details. For complete product documentation, please see the Juniper Networks website at www.juniper.net/techpubs.

Copyright © 2010, Juniper Networks, Inc.ii

END USER LICENSE AGREEMENT

READ THIS END USER LICENSE AGREEMENT (“AGREEMENT”) BEFORE DOWNLOADING, INSTALLING, OR USING THE SOFTWARE.

BY DOWNLOADING, INSTALLING, OR USING THE SOFTWARE OR OTHERWISE EXPRESSING YOUR AGREEMENT TO THE TERMS
CONTAINED HEREIN, YOU (AS CUSTOMER OR IF YOU ARE NOT THE CUSTOMER, AS A REPRESENTATIVE/AGENT AUTHORIZED TO
BIND THE CUSTOMER) CONSENT TO BE BOUND BY THIS AGREEMENT. IF YOU DO NOT OR CANNOT AGREE TO THE TERMSCONTAINED
HEREIN, THEN (A) DO NOT DOWNLOAD, INSTALL, OR USE THE SOFTWARE, AND (B) YOU MAY CONTACT JUNIPER NETWORKS
REGARDING LICENSE TERMS.

1. The Parties. The parties to this Agreement are (i) Juniper Networks, Inc. (if the Customer’s principal office is located in the Americas) or
Juniper Networks (Cayman) Limited(if the Customer’s principaloffice is locatedoutside theAmericas) (such applicable entity beingreferred
to herein as “Juniper”), and(ii) the person ororganization thatoriginally purchased fromJuniper or an authorized Juniper reseller theapplicable
license(s) for use of the Software (“Customer”) (collectively, the “Parties”).

2. The Software. In this Agreement, “Software” means the program modules and features of the Juniper or Juniper-supplied software, for
which Customer has paid the applicable license or support fees to Juniper or an authorized Juniper reseller, or which was embedded by
Juniper in equipment which Customer purchased from Juniper or an authorized Juniper reseller. “Software” alsoincludes updates, upgrades
and new releases of such software. “Embedded Software” means Software which Juniper has embedded in or loaded onto the Juniper
equipment and any updates, upgrades, additions or replacements which are subsequently embedded in or loaded onto the equipment.

3. License Grant. Subject to payment ofthe applicablefees andthe limitationsand restrictionsset forthherein, Juniper grants to Customer
a non-exclusive and non-transferable license, without right to sublicense, to use the Software, in executable form only, subject to the
following use restrictions:

a. Customer shall use Embedded Software solely as embedded in, and for execution on, Juniper equipment originally purchased by
Customer from Juniper or an authorized Juniper reseller.

b. Customer shall use the Software on a single hardware chassis having a single processing unit, or as many chassis or processing units
for which Customer has paid the applicable license fees; provided, however, with respect to the Steel-Belted Radius or Odyssey Access
Client software only, Customer shall use such Software on a single computer containing a single physical random access memory space
and containing any number of processors. Use of the Steel-Belted Radius or IMS AAA software on multiple computers or virtual machines
(e.g., Solaris zones) requires multiple licenses, regardless of whether such computers or virtualizations are physically contained on a single
chassis.

c. Product purchase documents, paper or electronic user documentation, and/or the particular licenses purchased by Customer may
specify limitsto Customer’s useof theSoftware.Such limitsmay restrict use to amaximum numberof seats, registered endpoints, concurrent
users, sessions, calls, connections, subscribers, clusters, nodes, realms, devices, links, ports or transactions, or require the purchase of
separate licenses to use particular features, functionalities, services, applications, operations, or capabilities, or provide throughput,
performance, configuration, bandwidth, interface, processing, temporal, or geographical limits. In addition, such limits may restrict the use
of the Software to managing certain kinds of networks or require the Software to be used only in conjunction with other specific Software.
Customer’s use of the Software shall be subject to all such limitations and purchase of all applicable licenses.

d. For any trial copy of the Software, Customer’s right to use the Software expires 30 days after download, installation or use of the
Software. Customer may operate the Software after the 30-day trial period only if Customer pays for a license to do so. Customer may not
extend or create an additional trial period by re-installing the Software after the 30-day trial period.

e. The Global Enterprise Edition of the Steel-Belted Radius software may be used by Customer only to manage access to Customer’s
enterprise network. Specifically, service provider customers are expressly prohibited from using the Global Enterprise Edition of the
Steel-Belted Radius software to support any commercial network access services.

The foregoing license is not transferable or assignable by Customer. No license is granted herein to any user who did not originally purchase
the applicable license(s) for the Software from Juniper or an authorized Juniper reseller.

4. Use Prohibitions. Notwithstanding the foregoing, the license provided herein does not permit the Customer to, and Customer agrees
not to and shall not: (a) modify, unbundle, reverse engineer, or create derivative works based on the Software; (b) make unauthorized
copies of the Software (except as necessary for backup purposes); (c) rent, sell, transfer, or grant any rights in and to any copy of the
Software,in any form, to any third party; (d) remove anyproprietary notices, labels, ormarks onor in any copy of the Software or any product
in which the Software is embedded; (e) distribute any copy of the Software to any third party, including as may be embedded in Juniper
equipment sold inthe secondhandmarket; (f) use any‘locked’or key-restricted feature,function, service, application, operation,or capability
without first purchasing the applicable license(s) and obtaining a valid key from Juniper, even if such feature, function, service, application,
operation, or capability is enabled without a key; (g) distribute any key for the Software provided by Juniper to any third party; (h) use the

iiiCopyright © 2010, Juniper Networks, Inc.

Software in any manner that extends or is broader than the uses purchased by Customer from Juniper or an authorized Juniper reseller; (i)
use Embedded Software on non-Juniper equipment; (j) use Embedded Software (or make it available for use) on Juniper equipment that
the Customer did not originally purchase from Juniper or an authorized Juniper reseller; (k) disclose the results of testing or benchmarking
of the Software to any third party without the prior written consent of Juniper; or (l) use the Software in any manner other thanas expressly
provided herein.

5. Audit. Customer shall maintain accurate records as necessary to verify compliance with this Agreement. Upon request by Juniper,
Customer shall furnish such records to Juniper and certify its compliance with this Agreement.

6. Confidentiality. The Parties agree that aspects of the Software and associated documentation are the confidential property of Juniper.
As such, Customer shall exercise all reasonable commercial efforts to maintain the Softwareand associated documentation in confidence,
which at a minimum includes restricting access to the Software to Customer employees and contractors having a need to use the Software
for Customer’s internal business purposes.

7. Ownership. Juniper and Juniper’s licensors, respectively, retain ownership of all right, title, and interest (including copyright) in and to
the Software, associated documentation, and all copies of the Software. Nothing in this Agreement constitutes a transfer or conveyance
of any right, title, or interest in the Software or associated documentation, or a sale of the Software, associated documentation, or copies
of the Software.

8. Warranty, Limitation of Liability, Disclaimer of Warranty. The warranty applicable to the Software shall be as set forth in the warranty
statementthat accompanies theSoftware (the “WarrantyStatement”). Nothingin thisAgreement shall giverise toany obligationto support
the Software. Support services may be purchased separately. Any such support shall be governed by a separate, written support services
agreement. TO THE MAXIMUM EXTENT PERMITTED BY LAW, JUNIPER SHALL NOT BE LIABLE FOR ANY LOST PROFITS, LOSS OF DATA,
OR COSTSOR PROCUREMENTOF SUBSTITUTE GOODS ORSERVICES, ORFOR ANYSPECIAL, INDIRECT,OR CONSEQUENTIALDAMAGES
ARISING OUTOF THIS AGREEMENT,THE SOFTWARE, ORANY JUNIPER ORJUNIPER-SUPPLIED SOFTWARE.IN NO EVENTSHALL JUNIPER
BE LIABLE FOR DAMAGES ARISING FROM UNAUTHORIZED OR IMPROPER USE OF ANY JUNIPER OR JUNIPER-SUPPLIED SOFTWARE.
EXCEPT AS EXPRESSLY PROVIDED IN THE WARRANTY STATEMENT TO THE EXTENT PERMITTED BY LAW, JUNIPER DISCLAIMS ANY
AND ALL WARRANTIES IN AND TO THE SOFTWARE (WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE), INCLUDING ANY
IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT DOES
JUNIPER WARRANT THAT THE SOFTWARE, OR ANY EQUIPMENT OR NETWORK RUNNING THE SOFTWARE, WILL OPERATE WITHOUT
ERROR OR INTERRUPTION, OR WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK. In no event shall Juniper’s or its suppliers’
or licensors’ liability to Customer, whether in contract, tort (including negligence), breach of warranty, or otherwise, exceed the price paid
by Customer for the Software that gave rise to the claim, or if the Software is embedded in another Juniper product, the price paid by
Customer for such other product. Customer acknowledges and agrees that Juniper has set its prices and entered into this Agreement in
reliance upon the disclaimers of warranty and the limitations of liability set forth herein, that the same reflect an allocation of risk between
the Parties (including the risk that a contract remedy may fail of its essential purpose and cause consequential loss), and that the same
form an essential basis of the bargain between the Parties.

9. Termination. Any breach of this Agreement or failure by Customer to pay any applicable fees due shall result in automatic termination
of the license granted herein. Upon such termination, Customer shall destroy or return to Juniper all copies of the Software and related
documentation in Customer’s possession or control.

10. Taxes. All license fees payable under this agreement are exclusive of tax. Customer shall be responsible for paying Taxes arising from
the purchase of the license, or importation or use of the Software. If applicable, valid exemption documentation for each taxing jurisdiction
shall be provided to Juniper prior to invoicing, and Customer shall promptly notify Juniper if their exemption is revoked or modified. All
payments made by Customer shall be net of any applicable withholding tax. Customer will provide reasonable assistance to Juniper in
connection with such withholding taxes by promptly: providing Juniper with valid tax receipts and other required documentation showing
Customer’s payment of any withholding taxes; completing appropriate applications that would reduce the amount of withholding tax to
be paid; and notifying and assisting Juniper in any audit or tax proceeding related to transactions hereunder. Customer shall comply with
all applicable tax laws and regulations, and Customer will promptly pay or reimburse Juniper for all costs and damages related to any
liability incurred by Juniper as a result of Customer’s non-compliance or delay with its responsibilities herein. Customer’s obligations under
this Section shall survive termination or expiration of this Agreement.

11. Export. Customer agrees to comply with all applicable export laws and restrictions and regulations of any United States and any
applicable foreign agency or authority, and not to export or re-export the Software or any direct product thereof in violation of any such
restrictions, laws or regulations, or without all necessary approvals. Customer shall be liable for any such violations. The version of the
Software supplied to Customer may contain encryption or other capabilities restricting Customer’s ability to export the Software without
an export license.

Copyright © 2010, Juniper Networks, Inc.iv

12. Commercial Computer Software. The Software is “commercial computer software” and is provided with restricted rights. Use,
duplication, or disclosure by the United States government is subject to restrictions set forth in this Agreement and as provided in DFARS

227.7201 through 227.7202-4, FAR 12.212, FAR 27.405(b)(2), FAR 52.227-19, or FAR 52.227-14(ALT III) as applicable.

13. Interface Information. To the extent required by applicable law, and at Customer's written request, Juniper shall provide Customer
with the interface information needed to achieve interoperability between the Software and another independently created program, on
payment of applicable fee, if any. Customer shall observe strict obligations of confidentiality with respect to such information and shall use
such information in compliance with any applicable terms and conditions upon which Juniper makes such information available.

14. Third Party Software. Any licensor of Juniper whose software is embedded inthe Softwareand any supplier ofJuniper whose products
or technology are embedded in (or services are accessed by) the Software shall be a third party beneficiary with respect to this Agreement,
and such licensor or vendor shall have the right to enforce this Agreement in its own name as if it were Juniper. In addition, certain third party
software may be provided with the Software and is subject to the accompanying license(s), if any, of its respective owner(s). To the extent
portions of the Software are distributed under and subject to open source licenses obligating Juniper to make the source code for such
portions publicly available (such as the GNU General Public License (“GPL”) or the GNU Library General Public License (“LGPL”)), Juniper
will make such source code portions (including Juniper modifications, as appropriate) available upon request for a period of up to three
years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194 N. Mathilda Ave., Sunnyvale, CA
94089, ATTN: General Counsel. You may obtain a copy of the GPL at http://www.gnu.org/licenses/gpl.html, and a copy of the LGPL

at http://www.gnu.org/licenses/lgpl.html .

15. Miscellaneous. This Agreement shall be governed by the laws of the State of California without reference to its conflicts of laws
principles. The provisions of the U.N. Convention for the International Sale of Goods shall not apply to this Agreement. For any disputes
arising under this Agreement, the Parties hereby consent to the personal and exclusive jurisdiction of, and venue in, the state and federal
courts within Santa Clara County, California. This Agreement constitutes the entire and sole agreement between Juniper and the Customer
with respect to the Software, and supersedes all prior and contemporaneous agreements relating to the Software, whether oral or written
(including any inconsistent terms contained in a purchase order), except that the terms of a separate written agreement executed by an
authorized Juniper representative and Customer shall govern to the extent such terms are inconsistent or conflict with terms contained
herein. No modification to this Agreement nor any waiver of any rights hereunder shall be effective unless expressly assented to in writing
by the party to be charged. If any portion of this Agreement is held invalid, the Parties agree that such invalidity shall not affect the validity
of the remainder of this Agreement. This Agreement and associated documentation has been written in the English language, and the
Parties agree that the English version will govern. (For Canada: Les parties aux présentés confirment leur volonté que cette convention de
même que tous les documents y compris tout avis qui s'y rattaché, soient redigés en langue anglaise. (Translation: The parties confirm that
this Agreement and all related documentation is and will be in the English language)).

vCopyright © 2010, Juniper Networks, Inc.

Copyright © 2010, Juniper Networks, Inc.vi

Abbreviated Table of Contents

About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii

Part 1 LN1000 Mobile Secure Router

Chapter 1 LN1000 Mobile Secure Router Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Chapter 2 Installing the Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Chapter 3 Configuring Gigabit Ethernet Interfaces to Match Your Topology . . . . . . . . . 21

Chapter 4 Location-Based IP Address Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Chapter 5 Configuring Point-to-Point Protocol over Ethernet . . . . . . . . . . . . . . . . . . . . 29

Chapter 6 Configuring PPPoE-Based Radio-to-Router Protocols . . . . . . . . . . . . . . . . . 35

Chapter 7 Configuring the R2CP Radio-to-Router Protocol . . . . . . . . . . . . . . . . . . . . . . 45

Chapter 8 Summary of Junos Statements for the LN1000 Router . . . . . . . . . . . . . . . . . 51

Chapter 9 Junos Statement Hierarchy for the LN1000 Router . . . . . . . . . . . . . . . . . . . . 69

Part 2 Index

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

viiCopyright © 2010, Juniper Networks, Inc.

Junos OS LN1000 Mobile Secure Router User Guide

Copyright © 2010, Juniper Networks, Inc.viii

Table of Contents

About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii

LN1000 Documentation and Release Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii

Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii

Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii

Documentation Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv

Documentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv

Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi

Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi

Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi

Part 1 LN1000 Mobile Secure Router

Chapter 1 LN1000 Mobile Secure Router Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

LN1000 Mobile Secure Router Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Interface and Routing Features on the LN1000 Mobile Secure Router . . . . . . . . . . 5

Security Features on the LN1000 Mobile Secure Router . . . . . . . . . . . . . . . . . . . . . 7

Administration Features on the LN1000 Mobile Secure Router . . . . . . . . . . . . . . . . 11

Chapter 2 Installing the Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Installing Software on an LN1000 Mobile Secure Router . . . . . . . . . . . . . . . . . . . . 15

Setting Non-Volatile Memory Read-Only . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Installing Software Upgrades from the Network . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Configuring the Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Chapter 3 Configuring Gigabit Ethernet Interfaces to Match Your Topology . . . . . . . . . 21

Configuring a Gigabit Ethernet Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Swapping Small Form-Factor Pluggable (SFP) Devices . . . . . . . . . . . . . . . . . . . . 22

Chapter 4 Location-Based IP Address Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Location-Based IP Address Pools Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Configuring Location-Based IP Address Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Example: Configuring a Location-Based IP Address Pool . . . . . . . . . . . . . . . . . . . 26

Verifying and Managing Location-Based IP Address Pools . . . . . . . . . . . . . . . . . . 27

Chapter 5 Configuring Point-to-Point Protocol over Ethernet . . . . . . . . . . . . . . . . . . . . 29

PPPoE Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

PPPoE Stages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

PPPoE Discovery Stage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

PPPoE Session Stage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Optional CHAP Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Configuring the PPPoE Interfaces MTU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

ixCopyright © 2010, Juniper Networks, Inc.

Junos OS LN1000 Mobile Secure Router User Guide

Disabling the Sending of PPPoE Keepalive Messages . . . . . . . . . . . . . . . . . . . 31

Configuring PPPoE Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Setting the Appropriate Encapsulation on the PPPoE Interface . . . . . . . . . . . 31

Configuring a PPPoE Underlying Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Identifying the Access Concentrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

Configuring the PPPoE Service Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

Configuring the PPPoE Server Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

Configuring the PPPoE Source and Destination Addresses . . . . . . . . . . . . . . 32

Deriving the PPPoE Source Address from a Specified Interface . . . . . . . . . . . 33

Configuring the PPPoE IP Address by Negotiation . . . . . . . . . . . . . . . . . . . . . 33

Configuring the Protocol MTU PPPoE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Verifying a PPPoE Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Chapter 6 Configuring PPPoE-Based Radio-to-Router Protocols . . . . . . . . . . . . . . . . . 35

PPPoE-Based Radio-to-Router Protocols Overview . . . . . . . . . . . . . . . . . . . . . . . 35

Configuring PPPoE-Based Radio-to-Router Protocols . . . . . . . . . . . . . . . . . . . . . 36

Example: Configuring the PPPoE-Based Radio-to-Router Protocol . . . . . . . . . . . 37

Configuring a Gigabit Ethernet Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Verifying PPPoE Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Displaying Statistics for PPPoE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Credit Flow Control for PPPoE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Example: PPPoE Credit-Based Flow Control Configuration . . . . . . . . . . . . . . . . . . 42

Verifying Credit-Flow Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

Setting Tracing Options for PPPoE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Chapter 7 Configuring the R2CP Radio-to-Router Protocol . . . . . . . . . . . . . . . . . . . . . . 45

R2CP Radio-to-Router Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Configuring the R2CP Radio-to-Router Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Verifying R2CP Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Chapter 8 Summary of Junos Statements for the LN1000 Router . . . . . . . . . . . . . . . . . 51

address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

address-assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

apply-groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

bandwidth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

credit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

data-rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

family . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

hub-assist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

latency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

location-pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

location-pool-address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

mac-mode (Gigabit Ethernet) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

node-terminate-count . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

node-terminate-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

quality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

Copyright © 2010, Juniper Networks, Inc.x

Table of Contents

r2cp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

radio . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

radio-interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

radio-router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

resource . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

server-port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

session-terminate-count . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

session-terminate-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

traceoptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

virtual-channel-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

Chapter 9 Junos Statement Hierarchy for the LN1000 Router . . . . . . . . . . . . . . . . . . . . 69

[edit access address-assignment location-pool] Hierarchy Level . . . . . . . . . . . . 69

[edit interfaces gigether-options] Hierarchy Level . . . . . . . . . . . . . . . . . . . . . . . . . 69

[edit interfaces unit family inet location-pool-address] Hierarchy Level . . . . . . . 70

[edit interfaces unit radio-router] Hierarchy Level . . . . . . . . . . . . . . . . . . . . . . . . . 70

[edit protocols r2cp] Hierarchy Level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

Part 2 Index

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

xiCopyright © 2010, Juniper Networks, Inc.

Junos OS LN1000 Mobile Secure Router User Guide

Copyright © 2010, Juniper Networks, Inc.xii

About the Documentation

•

LN1000 Documentation and Release Notes on page xiii

•

Objectives on page xiii

•

Audience on page xiii

•

Documentation Conventions on page xiv

•

Documentation Feedback on page xv

•

Requesting Technical Support on page xvi

LN1000 Documentation and Release Notes

For a list of related LN1000 Mobile Secure Router documentation, see

http://www.juniper.net/techpubs/.

If the information in the latest release notes differs from the information in the
documentation, follow the LN1000 Mobile Secure Router Release Notes.

To obtain the most current version of all Juniper Networks technical documentation, see
the product documentation page on the Juniper Networks®website at

http://www.juniper.net/techpubs/.

Objectives

Audience

This documentation contains instructions for setting up the Juniper Networks LN1000
Mobile Secure Router. The LN1000 router is based on and includes many of the features
of the Juniper Networks SRX Series Services Gateways. This documentation provides
information about features unique to the LN1000 router.

This documentation is designed for anyone who installs, sets up, configures, monitors,
or administers an LN1000 router running Junos OS. It is intended for the following
audiences:

•

Customers with technical knowledge of and experience with networks and network
security, the Internet, and Internet routing protocols.

•

Network administrators who install, configure, and manage Internet routers.

xiiiCopyright © 2010, Juniper Networks, Inc.

Junos OS LN1000 Mobile Secure Router User Guide

Documentation Conventions

Table 1 on page xiv defines notice icons used in this guide.

Table 1: Notice Icons

DescriptionMeaningIcon

Indicates important features or instructions.Informational note

Indicates a situation that might result in loss of data or hardware damage.Caution

Alerts you to the risk of personal injury or death.Warning

Table 2 defines the text and syntax conventions used in this guide.

Table 2: Text and Syntax Conventions

Represents text that you type.Bold text like this

Fixed-width text like this

Italic text like this

Italic text like this

Represents output that appears on the
terminal screen.

•

Introduces important new terms.

•

Identifies book names.

•

Identifies RFC and Internet draft titles.

Represents variables (options for which
you substitute a value) in commands or
configuration statements.

Alerts you to the risk of personal injury from a laser.Laser warning

ExamplesDescriptionConvention

To enter configuration mode, type the

configure command:

user@host> configure

user@host> show chassis alarms
No alarms currently active

•

A policy term is a named structure
that defines match conditions and
actions.

•

Junos System Basics Configuration
Guide

•

RFC 1997, BGPCommunities Attribute

Configure the machine’s domain name:

[edit]
root@# set system domain-name

domain-name

Copyright © 2010, Juniper Networks, Inc.xiv

Table 2: Text and Syntax Conventions (continued)

Plain text like this

Represents names of configuration
statements, commands, files, and
directories; IP addresses; configuration
hierarchy levels; or labels on routing
platform components.

About the Documentation

ExamplesDescriptionConvention

•

To configure a stub area, include the

stub statement at the [edit protocols
ospf area area-id] hierarchy level.

•

The console portis labeled CONSOLE.

stub <default-metric metric>;Enclose optional keywords or variables.< > (angle brackets)

| (pipe symbol)

# (pound sign)

[ ] (square brackets)

Indention and braces ( { } )

; (semicolon)

J-Web GUI Conventions

Bold text like this

Indicates a choice betweenthe mutually
exclusivekeywords or variables on either
side of the symbol. The set of choices is
often enclosed in parentheses for clarity.

same lineas theconfiguration statement
to which it applies.

Enclose a variable for which you can
substitute one or more values.

Identify a level in the configuration
hierarchy.

Identifies a leaf statement at a
configuration hierarchy level.

Represents J-Web graphical user
interface (GUI) items you click or select.

broadcast | multicast

(string1 | string2 | string3)

rsvp { # Required for dynamic MPLS onlyIndicates a comment specified on the

community name members [
community-ids ]

[edit]
routing-options {

static {

route default {

nexthop address;
retain;

}

}

}

•

In the Logical Interfaces box, select
All Interfaces.

•

To cancel the configuration, click

Cancel.

> (bold right angle bracket)

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can
improve the documentation. You can send your comments to

techpubs-comments@juniper.net, or fill out the documentation feedback form at

https://www.juniper.net/cgi-bin/docbugreport/. If you are using e-mail, be sure to include

the following information with your comments:

•

Document or topic name

•

URL or page number

Separates levels in a hierarchy of J-Web
selections.

In the configuration editor hierarchy,
select Protocols>Ospf.

xvCopyright © 2010, Juniper Networks, Inc.

Junos OS LN1000 Mobile Secure Router User Guide

•

Software release version (if applicable)

Requesting Technical Support

Technical product support is available throughthe JuniperNetworks Technical Assistance
Center (JTAC). If you are a customer with an active J-Care or JNASC support contract,
or are covered under warranty, and need post-sales technical support, you can access
our tools and resources online or open a case with JTAC.

•

JTAC policies—For a complete understanding of our JTAC procedures and policies,
review the JTAC User Guide located at

http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf .

•

Product warranties—For product warranty information, visit

http://www.juniper.net/support/warranty/ .

•

JTAC hours of operation—The JTAC centers have resources available 24 hours a day,
7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online
self-service portal called the Customer Support Center (CSC) that provides you with the
following features:

•

Find CSC offerings: http://www.juniper.net/customers/support/

•

Search for known bugs: http://www2.juniper.net/kb/

•

Find product documentation: http://www.juniper.net/techpubs/

•

Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/

•

Download the latest versions of software and review release notes:

http://www.juniper.net/customers/csc/software/

•

Search technical bulletins for relevant hardware and software notifications:

https://www.juniper.net/alerts/

•

Join and participate in the Juniper Networks Community Forum:

http://www.juniper.net/company/communities/

•

Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verify serviceentitlement by productserial number, use our Serial NumberEntitlement
(SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

•

Use the Case Management tool in the CSC at http://www.juniper.net/cm/ .

•

Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

Copyright © 2010, Juniper Networks, Inc.xvi

About the Documentation

For international or direct-dial options in countries without toll-free numbers, see

http://www.juniper.net/support/requesting-support.html .

xviiCopyright © 2010, Juniper Networks, Inc.

Junos OS LN1000 Mobile Secure Router User Guide

Copyright © 2010, Juniper Networks, Inc.xviii

PART 1

LN1000 Mobile Secure Router

•

LN1000 Mobile Secure Router Overview on page 3

•

Installing the Software on page 15

•

Configuring Gigabit Ethernet Interfaces to Match Your Topology on page 21

•

Location-Based IP Address Pools on page 25

•

Configuring Point-to-Point Protocol over Ethernet on page 29

•

Configuring PPPoE-Based Radio-to-Router Protocols on page 35

•

Configuring the R2CP Radio-to-Router Protocol on page 45

•

Summary of Junos Statements for the LN1000 Router on page 51

•

Junos Statement Hierarchy for the LN1000 Router on page 69

1Copyright © 2010, Juniper Networks, Inc.

Junos OS LN1000 Mobile Secure Router User Guide

Copyright © 2010, Juniper Networks, Inc.2

CHAPTER 1

LN1000 Mobile Secure Router Overview

This chapter includes the following topics:

•

LN1000 Mobile Secure Router Overview on page 3

•

Interface and Routing Features on the LN1000 Mobile Secure Router on page 5

•

Security Features on the LN1000 Mobile Secure Router on page 7

•

Administration Features on the LN1000 Mobile Secure Router on page 11

LN1000 Mobile Secure Router Overview

The LN1000 Mobile Secure Router is an embedded router that operates in both wire-line
and wireless environments with communication nodes that are either mobile or stationary.
The router provides reliable and secure data, voice, and video services. The LN1000-V
processes WAN and LAN routing functions. The router offers multiple DiffServ classes
and can interleave lower priority real-time data (voice traffic) with higher priority non
real-time data. It is developed on 3U compact node slot interface (VITA) architecture
as defined in the VITA 46.0 IEEE 1101.2 specifications and runs Junos OS for routing,
forwarding, and security.

The software supports the following features:

•

IPv4 and IPv6 unicast forwarding

•

Routing, including OSPF, BGP, RIPv2, IS-IS, and static routes

•

Multicast, including IGMPv2, IGMPv3, PIM, SDP, DVMRP, MLD, and source-specific

•

Encapsulation, including Ethernet (MAC and tagged), PPP, and PPPoE

•

PPPoE interface to radios and link quality metrics imported into OSPF

•

IP address management, including status, DHCP, and DHCP Relay

•

Tunneling, including GRE, IP in IP, and IPsec

•

NAT and stateful firewall filters, and intrusion detection

In addition, the following features are supported on the LN1000 router:

3Copyright © 2010, Juniper Networks, Inc.

Junos OS LN1000 Mobile Secure Router User Guide

•

Support for non-volatile memory read-only (NVMRO). As a security feature unique to
the LN1000 Mobile Secure Router, NVMRO physically locks all non-volatile storage
against modifications. This includes the NAND system storage, the NOR boot flash,
and all Juniper Networks ID EEPROMS.

•

Support for advanced class-of-service (CoS)on Point-to-Point Protocol over Ethernet
(PPPoE) interfaces, whichincludes policingand shaping, weighted round robin (WRR)
queuing with prioritization, weighted random early detection (WRED), queuing based
on PPPoE interfaces, in addition to the supported VLAN/interface.

•

Support for up to eight ports of gigabit traffic with up to 1024 logical interfaces with
eight queues per logical interface and four priorities per queue. All eight ports interface
with the backplane. The LN1000 router supports most Layer 2 and Layer 3 protocols,
route redistribution, tunneling, multicast, routing, CoS, and security.

•

Support for location-based IP address pools for IPv4 addresses. A location pool can
specify IP addresses and subnet masks for multiple locations (relative positions of
cards within a shelf). You can configure an IP interface to obtain an IP address and
subnet mask from a selected location pool instead of specifying an explicit IP address
and subnet mask.

•

Support for PPPoE-based radio-to-router protocols. Extensions tothe PPPoEprotocol
include:

•

Messages that define how an external device provides the router with timely
information about the quality of a link connection

•

A flow control mechanism that indicates how much data the router can forward

The router uses the information provided in these PPPoE messages to dynamically
adjust theinterface speed of PPPlinks. When OSPF is notified of this change, it adjusts
the cost of the link and updates the routing tables accordingly.

•

Support for translation of Protocol Independent Multicast (PIM) join/prune messages
to Internet Group Management Protocol (IGMP) or Multicast Listener Discovery(MLD)
report/leave messages. To enable the use of IGMP or MLD to forward multicast traffic
across the PIM domains, you can configure the rendezvous point (RP) router that
resides between the edge domain and core domain to translate PIM join/prune
messages received from PIM neighbors on downstream interfaces into corresponding
IGMP or MLD report/leave messages. The router then transmits the report/leave
messages by proxying them to one or two upstream interfaces that you configure on
the RP router.

•

Support for Open Shortest Path First (OSPF) refresh and flooding reduction in stable
topologies, which facilitates OSPF scaling by reducing OSPF protocol traffic overhead
and maintains OSPF adjacencies and flood link-state advertisements (LSAs).

Junos OS on the LN1000 router supports many of the features that exist on the SRX
Series Services Gateways. For further information about these features, refer to the SRX
Series documentation located at:

http://www.juniper.net/techpubs/hardware/junos-srx/index.html

Related Topics LN1000–V Mobile Secure Router Hardware Guide•

Copyright © 2010, Juniper Networks, Inc.4

Chapter 1: LN1000 Mobile Secure Router Overview

• Junos OS Interfaces and Routing Configuration Guide for J Series Services Routers and

SRX Series Services Gateways

• Junos OS Routing Protocols and Policies for Security Devicesfor JSeries Services Routers

and SRX Series Services Gateways

• Junos OS Class of Service Configuration Guide for Security Devices for J Series Services

Routers and SRX Series Services Gateways

• Junos OS Security Configuration Guide for J Series Services Routers and SRX Series

Services Gateways

• Junos OS Administration Guide for Security Devices for J Series Services Routers and

SRX Series Services Gateways

Interface and Routing Features on the LN1000 Mobile Secure Router

This section lists interface and routing features that are supported on the LN1000 router.
For further information on these features, see the SRX Series Services Gateway
documentation at http://www.juniper.net/techpubs/hardware/junos-srx/index.html.

Class of Service (CoS)

•

Code-point aliases

•

Classifiers

•

Forwarding classes

•

Transmission queues

•

Schedulers

•

Virtual channels

•

Tunnels

•

Policing

For more information, see the Junos OS Class of Service Configuration Guide for Security
Devices for J Series Services Routers and SRX Series Services Gateways.

Interfaces

•

Ethernet interface

•

Fast Ethernet interface

•

Generic routing encapsulation (GRE) interface

•

Gigabit Ethernet interface

•

Internally generated GRE interface

•

Internally generated link services interface

•

Internally generated IP-over-IP interface

5Copyright © 2010, Juniper Networks, Inc.

Junos OS LN1000 Mobile Secure Router User Guide

•

Internally generated Protocol Independent Multicast (PIM) encapsulation interface

•

IP-over-IP encapsulation interface

•

Link services interface

•

Loopback interface

•

Passive monitoring interface

•

Point-to-Point Protocol interface

•

Point-to-Point Protocol over Ethernet (PPPoE) interface

For more information, see the Junos OS Interfaces and Routing Configuration Guide for J
Series Services Routers andSRX SeriesServices Gateways, Chapter 1, Interfaces Overview.

Multicast

•

Primary routing mode

•

Session Announcement Protocol (SAP)

•

Session Description Protocol (SDP)

•

Internet Group Management Protocol (IGMP)

•

Protocol Independent Multicast (PIM) Static RP

•

Filtering PIM Register Messages

•

PIM RPF Routing Table

For moreinformation, see Junos OS Interfaces and Routing Configuration Guide for J Series
Services Routers and SRX Series Services Gateways, Chapter 22, Multicast.

Routing Options

•

IPv4 options and broadcast Internet diagrams

•

Static routing

•

RIPv1, RIPv2

•

RIP next generation (RIPng)

•

OSPFv2

•

OSPFv3

•

IS-IS

•

BGP

•

Neighbor Discovery Protocol (NDP) and Secure Neighbor Discovery Protocol (SNDP)

•

Multiple virtual routers

•

Network Time Protocol (NTP)

•

Virtual Router Redundancy Protocol (VRRP)

Copyright © 2010, Juniper Networks, Inc.6

For more information, see the Junos OS Interfaces and Routing Configuration Guide for J
Series Services Routers and SRX Series Services Gateways.

Stateless Firewall Filters

•

Stateless firewall filters

For more information, see Junos OS Routing Protocols and Policies Configuration Guide

for Security Devices for J Series Services Routers and SRX Series Services Gateways,
Chapter 9, Stateless Firewall Filters.

Security Features on the LN1000 Mobile Secure Router

This section lists security features that are supported on the LN1000 router. For
information about the interfaces that are supported on your device, see the Junos OS
Interfaces and Routing Configuration Guide. For further information on these features, see
the documentation for the SRX Series Services Gateway at

http://www.juniper.net/techpubs/hardware/junos-srx/index.html.

Application Layer Gateways (ALGs)

Chapter 1: LN1000 Mobile Secure Router Overview

•

FTP

•

Trivial File Transfer Protocol (TFTP)

•

Domain Name System (DNS)

•

Point-to-Point Tunneling Protocol (PPTP)

•

REAL

•

Remote procedure call (RPC)

•

Remote shell (RSH)

•

Real-Time Streaming Protocol (RTSP)

•

Structured Query Language (SQL)

•

TALK

For more information, see Junos OS Security Configuration Guide for J Series Services
Routers and SRX Series Services Gateways, Chapter 9, ALGs.

Attack Detection and Prevention

•

Bad IP option

•

Block fragment traffic

•

FIN flag without ACK flag set protection

•

ICMP flood protection

•

ICMP fragment protection

•

Large size ICMP packet protection

•

Loose source route option

7Copyright © 2010, Juniper Networks, Inc.

Junos OS LN1000 Mobile Secure Router User Guide

•

IP record route option

•

IP security option

•

IP address spoof

•

IP stream option

•

IP strict source route option

•

IP address sweep

•

IP timestamp option

•

Land attack protection

•

Ping of death attack protection

•

Port scan

•

Source IP based session limit

•

SYN-ACK-ACK proxy protection

•

SYN and FIN flags set protection

•

SYN flood protection

•

SYN fragment protection

•

Teardrop attack protection

•

TCP packet without flag set protection

•

Unknown protocol protection

•

UDP flood protection

•

WinNuke attack protection

For more information, see Junos OS Security Configuration Guide for J Series Services
Routers and SRX Series Services Gateways, Chapter 35, Attack Detection and Prevention.

Firewall Authentication

•

Web authentication

•

Pass-through authentication

•

Local authentication server

•

RADIUS authentication server

•

LDAP authentication server

•

SecurID authentication server

For more information, see Junos OS Security Configuration Guide for J Series Services
Routers and SRX Series Services Gateways, Chapter 16, Firewall User Authentication.

Flow-based and Packet-based Processing

•

Flow-based processing

Copyright © 2010, Juniper Networks, Inc.8

Chapter 1: LN1000 Mobile Secure Router Overview

•

Packet-based processing

•

Stateless packet-based services option

For more information, see Junos OS Security Configuration Guide for J Series Services
Routersand SRXSeries Services Gateways,Chapter 1, Introducing Junos OS for SRX Series
Services Gateways and Chapter 3, Introducing Junos OS for J Series Services Routers.

Intrusion Detection and Prevention (IDP)

•

IDP Policy

•

Intrusion prevention system (IPS) rulebase

•

Differentiated Services code point (DSCP) marking

•

IDP signature database

•

Application identification

•

IDP logging

For more information, see Junos OS Security Configuration Guide for J Series Services
Routers and SRX Series Services Gateways, Chapter 22, IDP Policies. For information on
IDP monitoring and debugging, see the Junos OS CLI Reference for JSeries Services Routers
and SRX Series Services Gateways.

IPsec

•

Policy-based and route-based VPNs

•

Tunnel mode

•

Authentication Header (AH) protocol

•

Encapsulating Security Payload (ESP) protocol

•

IKE phase 1

•

IKE phase 2

•

Manual key management

•

Autokey management

•

Antireplay (packet replay attack prevention)

•

Dead peer detection (DPD)

For more information, see Junos OS Security Configuration Guide for J Series Services
Routers and SRX Series Services Gateways, Chapter 18, Internet Protocol Security.

Network Address Translation (NAT)

•

Destination IP address translation

•

Static NAT

•

Rule-based NAT

•

Source IP address translation

9Copyright © 2010, Juniper Networks, Inc.

Junos OS LN1000 Mobile Secure Router User Guide

•

Configuring proxy Address Resolution Protocol (ARP)

•

Persistent NAT

•

Disable source NAT port randomization

For more information, see Junos OS Security Configuration Guide for J Series Services
Routers and SRX Series Services Gateways, Chapter 42, Network Address Translation.

Public Key Infrastructure (PKI)

•

Internet Key Exchange (IKE) support

•

Entrust, Microsoft, and Verisign certificate authorities (CAs)

•

Automatic generation of self-signed certificates

•

Distinguished Encoding Rules (DER), Privacy-Enhanced Mail (PEM), Public-Key
Cryptography Standard 7 (PKCS7), and X509 certificate encoding

•

Manual installation of DER-encoded and PEM-encoded CRLs

•

Online certificate revocation list (CRL) retrieval through LDAP and HTTP

•

CRL update at user-specified interval

For more information, see Junos OS Security Configuration Guide for J Series Services
Routers and SRX Series Services Gateways, Chapter 19, Public Key Cryptography for
Certificates.

Security Policy

•

Address books

•

Policy application sets

•

Schedulers

•

Policy applications

•

Internet Control Message Protocol (ICMP) predefined policy application

•

Internet-related predefined policy applications

•

Microsoft predefined policy applications

•

Dynamic routing protocols predefined policy applications

•

Streaming video predefined policy applications

•

Sun remote procedure protocol (RPC) predefined policy applications

•

Security and tunnel predefined policy applications

•

IP-related predefined policy applications

•

Instant messaging predefined policy applications

•

Management predefined policy applications

•

Mail predefined policy applications

Copyright © 2010, Juniper Networks, Inc.10

Chapter 1: LN1000 Mobile Secure Router Overview

•

UNIX predefined policy applications

•

Miscellaneous predefined policy applications

•

Custom policy Applications

•

Policy application timeouts

For more information, see Junos OS Security Configuration Guide for J Series Services
Routers and SRX Series Services Gateways, Chapter 8, Security Policy Applications.

Zones

•

Security zone

•

Functional zone

For more information, see Junos OS Security Configuration Guide for J Series Services
Routers and SRX Series Services Gateways, Chapter 4, Security Zones and Interfaces.

Administration Features on the LN1000 Mobile Secure Router

This section lists the administration features that are supported on the LN1000 router.
For further information on these features, see the documentation for the SRX Series
Services Gateway at http://www.juniper.net/techpubs/hardware/junos-srx/index.html.

Administrator Authentication

•

RADIUS

•

TACACS+

•

Local authentication

For more information, see Junos OS Administration Guide for Security Devices for J Series
Services Routers and SRX Series Services Gateways, Chapter 3, Managing Administrator
Authentication.

Alarms

•

Chassis alarms

•

Interface alarms

•

System alarms

For more information, see Junos OS Administration Guide for Security Devices for J Series
Services Routers and SRX Series Services Gateways, Chapter 11, Configuring and Monitoring
Alarms.

DHCP

•

Dynamic Host Configuration Protocol (DHCP) server address pools

•

DHCP server static mapping

•

DHCP client

11Copyright © 2010, Juniper Networks, Inc.