Juniper NETWORK AND SECURITY MANAGER - NSM CONFIGURATION GUIDE FOR EX SERIES DEVICES REV 3, NETWORK AND SECURITY MANAGER Configuration Manual

NSM Configuration Guide for EX Series Devices

Release

Published: 2010-11-15

Part Number: 530-028689-01, Revision 3

Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net

This product includes the Envoy SNMP Engine,developed by Epilogue Technology, an IntegratedSystemsCompany.Copyright © 1986-1997, Epilogue Technology Corporation. All rights reserved. This program and its documentation were developed at private expense, and no part of them is in the public domain.

This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentation and software included in the 4.4BSD and 4.4BSD-Lite Releases is copyrighted by the Regents of the University of California. Copyright © 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994. The Regents of the University of California. All rights reserved.

GateD software copyright © 1995, the Regents of the University. All rights reserved. Gate Daemon was originated and developed through release 3.0 by Cornell University and its collaborators. Gated is based on Kirton’s EGP, UC Berkeley’s routing daemon (routed), and DCN’s HELLO routing protocol. Development of Gated has been supported in part by the National Science Foundation. Portions of the GateD software copyright © 1988, Regents of the University of California. All rights reserved. Portions of the GateD software copyright © 1991, D. L. S. Associates.

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.

Network and Security Manager Administration Guide

Revision History November 17, 2010— Revision 3

The information in this document is current as of the date listed in the revision history.

END USER LICENSE AGREEMENT

READ THIS END USER LICENSE AGREEMENT (“AGREEMENT”) BEFORE DOWNLOADING, INSTALLING, OR USING THE SOFTWARE.

BY DOWNLOADING, INSTALLING, OR USING THE SOFTWARE OR OTHERWISE EXPRESSING YOUR AGREEMENT TO THE TERMS CONTAINED HEREIN, YOU (AS CUSTOMER OR IF YOU ARE NOT THE CUSTOMER, AS A REPRESENTATIVE/AGENT AUTHORIZED TO BIND THE CUSTOMER) CONSENT TO BE BOUND BY THIS AGREEMENT. IF YOU DO NOT OR CANNOT AGREE TO THE TERMS CONTAINED HEREIN, THEN (A) DO NOT DOWNLOAD, INSTALL, OR USE THE SOFTWARE, AND (B) YOU MAY CONTACT JUNIPER NETWORKS REGARDING LICENSE TERMS.

1. The Parties. The parties to this Agreement are (i) Juniper Networks, Inc. (if the Customer’s principal office is located in the Americas) or Juniper Networks (Cayman) Limited (if the Customer’s principal office is located outside the Americas)(such applicable entity being referred to herein as “Juniper”), and (ii) the person or organization that originally purchased from Juniper or an authorized Juniper reseller the applicable license(s) for use of the Software (“Customer”) (collectively, the “Parties”).

2. The Software. In this Agreement, “Software” means the program modules and features of the Juniper or Juniper-supplied software, for which Customer has paid the applicable license or support fees to Juniper or an authorized Juniper reseller, or which was embedded by Juniper in equipment which Customer purchased from Juniper or an authorized Juniper reseller. “Software” also includes updates, upgrades and new releases of such software. “Embedded Software” means Software which Juniper has embedded in or loaded onto the Juniper equipment and any updates, upgrades, additions or replacements which are subsequently embedded in or loaded onto the equipment.

3. License Grant. Subject to payment of the applicable fees and the limitations and restrictions set forth herein, Juniper grants to Customer a non-exclusive and non-transferable license, without right to sublicense, to use the Software, in executable form only, subject to the following use restrictions:

a. Customer shall use Embedded Software solely as embedded in, and for execution on, Juniper equipment originally purchased by Customer from Juniper or an authorized Juniper reseller.

b. Customer shall use the Software on a single hardware chassis having a single processing unit, or as many chassis or processing units for which Customer has paid the applicable license fees; provided, however, with respect to the Steel-Belted Radius or Odyssey Access Client software only, Customer shall use such Software on a single computer containing a single physical random access memory space and containing any number of processors. Use of the Steel-Belted Radius or IMS AAA software on multiple computers or virtual machines (e.g., Solaris zones) requires multiple licenses, regardless of whether such computers or virtualizations are physically contained on a single chassis.

c. Product purchase documents, paper or electronic user documentation, and/or the particular licenses purchased by Customer may specify limits to Customer’s use of the Software. Such limits may restrict use to a maximum number of seats, registered endpoints, concurrent users, sessions, calls, connections, subscribers, clusters, nodes, realms, devices, links, ports or transactions, or require the purchase of separate licenses to use particular features, functionalities, services, applications, operations, or capabilities, or provide throughput, performance, configuration, bandwidth, interface, processing, temporal, or geographical limits. In addition, such limits may restrict the use of the Software to managing certain kinds of networks or require the Software to be used only in conjunction with other specific Software. Customer’s use of the Software shall be subject to all such limitations and purchase of all applicable licenses.

d. For any trial copy of the Software, Customer’s right to use the Software expires 30 days after download, installation or use of the Software. Customer may operate the Software after the 30-day trial period only if Customer pays for a license to do so. Customer may not extend or create an additional trial period by re-installing the Software after the 30-day trial period.

e. The Global Enterprise Edition of the Steel-Belted Radius software may be used by Customer only to manage access to Customer’s enterprise network. Specifically, service provider customers are expressly prohibited from using the Global Enterprise Edition of the Steel-Belted Radius software to support any commercial network access services.

The foregoing license is not transferable or assignable by Customer. No license is granted herein to any user who did not originally purchase the applicable license(s) for the Software from Juniper or an authorized Juniper reseller.

4. Use Prohibitions. Notwithstanding the foregoing, the license provided herein does not permit the Customer to, and Customer agrees not to and shall not: (a) modify, unbundle, reverse engineer, or create derivative works based on the Software; (b) make unauthorized copies of the Software (except as necessary for backup purposes); (c) rent, sell, transfer, or grant any rights in and to any copy of the Software,in any form, to any third party; (d) remove any proprietary notices, labels, or marks on or in any copy of the Software or any product in which the Software is embedded; (e) distribute any copy of the Software to any third party, including as may be embedded in Juniper equipment sold in the secondhand market; (f) use any ‘locked’ or key-restrictedfeature, function, service, application, operation, or capability without first purchasing the applicable license(s) and obtaining a valid key from Juniper, even if such feature, function, service, application, operation, or capability is enabled without a key; (g) distribute any key for the Software provided by Juniper to any third party; (h) use the

Software in any manner that extends or is broader than the uses purchased by Customer from Juniper or an authorized Juniper reseller; (i) use Embedded Software on non-Juniper equipment; (j) use Embedded Software (or make it available for use) on Juniper equipment that the Customer did not originally purchase from Juniper or an authorized Juniper reseller; (k) disclose the results of testing or benchmarking of the Software to any third party without the prior written consent of Juniper; or (l) use the Software in any manner other than as expressly provided herein.

5. Audit. Customer shall maintain accurate records as necessary to verify compliance with this Agreement. Upon request by Juniper, Customer shall furnish such records to Juniper and certify its compliance with this Agreement.

6. Confidentiality. The Parties agree that aspects of the Software and associated documentation are the confidential property of Juniper. As such, Customer shall exercise all reasonable commercial efforts to maintain the Software and associated documentation in confidence, which at a minimum includes restricting access to the Software to Customer employees and contractors having a need to use the Software for Customer’s internal business purposes.

7. Ownership. Juniper and Juniper’s licensors, respectively, retain ownership of all right, title, and interest (including copyright) in and to the Software, associated documentation, and all copies of the Software. Nothing in this Agreement constitutes a transfer or conveyance of any right, title, or interest in the Software or associated documentation, or a sale of the Software, associated documentation, or copies of the Software.

8. Warranty, Limitation of Liability, Disclaimer of Warranty. The warranty applicable to the Software shall be as set forth in the warranty statementthat accompanies the Software (the “WarrantyStatement”).Nothing in this Agreement shall give rise to any obligation to support the Software. Support services may be purchased separately. Any such support shall be governed by a separate, written support services agreement. TO THE MAXIMUM EXTENT PERMITTED BY LAW, JUNIPER SHALL NOT BE LIABLE FOR ANY LOST PROFITS, LOSS OF DATA, OR COSTSOR PROCUREMENTOF SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT,OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, THE SOFTWARE, OR ANY JUNIPER OR JUNIPER-SUPPLIED SOFTWARE. IN NO EVENT SHALL JUNIPER BE LIABLE FOR DAMAGES ARISING FROM UNAUTHORIZED OR IMPROPER USE OF ANY JUNIPER OR JUNIPER-SUPPLIED SOFTWARE. EXCEPT AS EXPRESSLY PROVIDED IN THE WARRANTY STATEMENT TO THE EXTENT PERMITTED BY LAW, JUNIPER DISCLAIMS ANY AND ALL WARRANTIES IN AND TO THE SOFTWARE (WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE), INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT DOES JUNIPER WARRANT THAT THE SOFTWARE, OR ANY EQUIPMENT OR NETWORK RUNNING THE SOFTWARE, WILL OPERATE WITHOUT ERROR OR INTERRUPTION, OR WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK. In no event shall Juniper’s or its suppliers’ or licensors’ liability to Customer, whether in contract, tort (including negligence), breach of warranty, or otherwise, exceed the price paid by Customer for the Software that gave rise to the claim, or if the Software is embedded in another Juniper product, the price paid by Customer for such other product. Customer acknowledges and agrees that Juniper has set its prices and entered into this Agreement in reliance upon the disclaimers of warranty and the limitations of liability set forth herein, that the same reflect an allocation of risk between the Parties (including the risk that a contract remedy may fail of its essential purpose and cause consequential loss), and that the same form an essential basis of the bargain between the Parties.

9. Termination. Any breach of this Agreement or failure by Customer to pay any applicable fees due shall result in automatic termination of the license granted herein. Upon such termination, Customer shall destroy or return to Juniper all copies of the Software and related documentation in Customer’s possession or control.

10. Taxes. All license fees payable under this agreement are exclusive of tax. Customer shall be responsible for paying Taxes arising from the purchase of the license, or importation or use of the Software. If applicable, valid exemption documentation for each taxing jurisdiction shall be provided to Juniper prior to invoicing, and Customer shall promptly notify Juniper if their exemption is revoked or modified. All payments made by Customer shall be net of any applicable withholding tax. Customer will provide reasonable assistance to Juniper in connection with such withholding taxes by promptly: providing Juniper with valid tax receipts and other required documentation showing Customer’s payment of any withholding taxes; completing appropriate applications that would reduce the amount of withholding tax to be paid; and notifying and assisting Juniper in any audit or tax proceeding related to transactions hereunder. Customer shall comply with all applicable tax laws and regulations, and Customer will promptly pay or reimburse Juniper for all costs and damages related to any liability incurred by Juniper as a result of Customer’s non-compliance or delay with its responsibilities herein. Customer’s obligations under this Section shall survive termination or expiration of this Agreement.

11. Export. Customer agrees to comply with all applicable export laws and restrictions and regulations of any United States and any applicable foreign agency or authority, and not to export or re-export the Software or any direct product thereof in violation of any such restrictions, laws or regulations, or without all necessary approvals. Customer shall be liable for any such violations. The version of the Software supplied to Customer may contain encryption or other capabilities restricting Customer’s ability to export the Software without an export license.

12. Commercial Computer Software. The Software is “commercial computer software” and is provided with restricted rights. Use, duplication, or disclosure by the United States government is subject to restrictions set forth in this Agreement and as provided in DFARS

227.7201 through 227.7202-4, FAR 12.212, FAR 27.405(b)(2), FAR 52.227-19, or FAR 52.227-14(ALT III) as applicable.

13. Interface Information. To the extent required by applicable law, and at Customer's written request, Juniper shall provide Customer with the interface information needed to achieve interoperability between the Software and another independently created program, on payment of applicable fee, if any. Customer shall observe strict obligations of confidentiality with respect to such information and shall use such information in compliance with any applicable terms and conditions upon which Juniper makes such information available.

14. Third Party Software. Any licensor of Juniper whose software is embedded in the Software and any supplier of Juniper whose products or technology are embedded in (or services are accessed by) the Software shall be a third party beneficiary with respect to this Agreement, and such licensor or vendor shall have the right to enforce this Agreement in its own name as if it were Juniper. In addition, certain third party software may be provided with the Software and is subject to the accompanying license(s), if any, of its respective owner(s). To the extent portions of the Software are distributed under and subject to open source licenses obligating Juniper to make the source code for such portions publicly available (such as the GNU General Public License (“GPL”) or the GNU Library General Public License (“LGPL”)), Juniper will make such source code portions (including Juniper modifications, as appropriate) available upon request for a period of up to three years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194 N. Mathilda Ave., Sunnyvale, CA 94089, ATTN: General Counsel. You may obtain a copy of the GPL at http://www.gnu.org/licenses/gpl.html, and a copy of the LGPL

at http://www.gnu.org/licenses/lgpl.html .

15. Miscellaneous. This Agreement shall be governed by the laws of the State of California without reference to its conflicts of laws principles. The provisions of the U.N. Convention for the International Sale of Goods shall not apply to this Agreement. For any disputes arising under this Agreement, the Parties hereby consent to the personal and exclusive jurisdiction of, and venue in, the state and federal courts within Santa Clara County, California. This Agreement constitutes the entire and sole agreement between Juniper and the Customer with respect to the Software, and supersedes all prior and contemporaneous agreements relating to the Software, whether oral or written (including any inconsistent terms contained in a purchase order), except that the terms of a separate written agreement executed by an authorized Juniper representative and Customer shall govern to the extent such terms are inconsistent or conflict with terms contained herein. No modification to this Agreement nor any waiver of any rights hereunder shall be effective unless expressly assented to in writing by the party to be charged. If any portion of this Agreement is held invalid, the Parties agree that such invalidity shall not affect the validity of the remainder of this Agreement. This Agreement and associated documentation has been written in the English language, and the Parties agree that the English version will govern. (For Canada: Les parties aux présentés confirment leur volonté que cette convention de même que tous les documents y compris tout avis qui s'y rattaché, soient redigés en langue anglaise. (Translation: The parties confirm that this Agreement and all related documentation is and will be in the English language)).

Table of Contents

About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi

Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi

Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi

Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi

Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii

Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv

Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv

Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv

Part 1 Managing EX-series Switches with NSM

Chapter 1 Configuring User Access and Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Configuring RADIUS Authentication (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . 3

Configuring TACACS+ Authentication (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . 4

Configuring Authentication Order (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . 5

Configuring User Access (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Configuring Login Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Configuring User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Configuring Template Accounts (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Creating a Remote Template Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Creating a Local Template Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Chapter 2 Configuring Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Configuring Aggregated Devices (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . 11

Configuring Chassis Alarms (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Configuring Routing Engine Redundancy (NSM Procedure) . . . . . . . . . . . . . . . . . . 13

Chapter 3 Configuring Class of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Configuring CoS Classifiers (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Configuring CoS Code Point Aliases (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . 17

Configuring CoS Drop Profile (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Configuring CoS Forwarding Classes (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . 21

Configuring CoS Interfaces (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Configuring CoS Rewrite Rules (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . 28

Configuring CoS Schedulers (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Configuring CoS and Applying Scheduler Maps (NSM Procedure) . . . . . . . . . . . . 32

Chapter 4 Configuring Ethernet Switching Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Configuring Port Mirroring to Analyze Traffic on EX-series Switches (NSM

Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Configuring Redundant Trunk Links (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . 36

Configuring Port Security (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

Configuring Static IP (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Configuring VoIP (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Chapter 5 Configuring Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Configuring a Firewall Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Configuring a Policer for a Firewall Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Chapter 6 Configuring Policy Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Configuring an AS Path in a BGP Routing Policy (NSM Procedure) . . . . . . . . . . . . 49

Configuring an AS Path Group in a BGP Routing Policy (NSM Procedure) . . . . . . 50

Configuring a Community for use in BGP Routing Policy Conditions(NSM

Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

Configuring a BGP Export Policy Condition (NSM Procedure) . . . . . . . . . . . . . . . . 52

Configuring Flap Damping to Reduce the Number of BGP UpdateMessages(NSM

Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

Configuring a Routing Policy Statement (NSM Procedure) . . . . . . . . . . . . . . . . . . 55

Configuring Prefix List (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

Chapter 7 Configuring Routing Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Configuring Maximum Prefixes (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . 59

Configuring Multicast (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

Configuring Multipath (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

Configuring Options (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

Configuring Route Resolution (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . 66

Configuring Routing Table Groups (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . 67

Configuring Routing Tables (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

Configuring Source Routing (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

Configuring Static Routes (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

Configuring Generated Routes (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . 73

Configuring Graceful Restart (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

Configuring Forwarding Table (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . 75

Configuring Flow Route (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

Configuring Fate Sharing (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

Configuring Martian Addresses (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . 80

Configuring Interface Routes (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

Configuring Instance Export (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

Configuring Instance Import (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . 84

Configuring Confederation (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84

Configuring Maximum Paths (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

Chapter 8 Configuring Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

Configuring the BFD Protocol (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . 87

Configuring BGP (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

Configuring 802.1X Authentication (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . 91

Configuring 802.1X Interface Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91

Configuring Static MAC Bypass . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

Configuring GVRP (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

Configuring IGMP (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

Configuring IGMP Snooping on EX-series Switches (NSM Procedure) . . . . . . . . . 96

Configuring LLDP (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

Table of Contents

Configuring LLDP-MED (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

Configuring MSTP (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

Configuring OSPF (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

Configuring RIP (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

Configuring RSTP on EX-series Switches (NSM Procedure) . . . . . . . . . . . . . . . . 107

Configuring STP (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

Configuring VSTP (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110

Configuring VRRP (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112

Chapter 9 Configuring PoE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

Configuring Power over Ethernet (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . 115

Chapter 10 Configuring SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

Configuring Basic System Identification for SNMP (NSM Procedure) . . . . . . . . . . 117

Configuring Client Lists (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118

Configuring SNMP Health Monitoring (NSM Procedure) . . . . . . . . . . . . . . . . . . . 120

Configuring the Interfaces on Which SNMP Requests Can Be Accepted (NSM

Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

Configuring the SNMP Local Engine ID (NSM Procedure) . . . . . . . . . . . . . . . . . . 123

Configuring the SNMP Commit Delay Timer (NSM Procedure) . . . . . . . . . . . . . . 124

Configuring SNMP RMON Alarms and Events (NSM Procedure) . . . . . . . . . . . . . 125

Enabling SNMP Access over Routing Instances (NSM Procedure) . . . . . . . . . . . 129

Configuring SNMPv3 (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131

Configuring Tracing of SNMP Activity (NSM Procedure) . . . . . . . . . . . . . . . . . . . . 137

Configuring SNMP Views (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

Configuring SNMP Communities (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . 140

Configuring SNMP Trap Options (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . 142

Configuring SNMP Trap Groups (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . 144

Chapter 11 Configuring Virtual LANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147

Configuring VLANs (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147

Chapter 12 Configuring a Virtual Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

Configuring a Virtual Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

Configuring a Virtual Chassis with a Preprovisioned Configuration File . . . . 149

Add a Member to a Virtual Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150

Part 2 Index

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155

About This Guide

•

Objectives on page xi

•

Audience on page xi

•

Conventions on page xi

•

Documentation on page xiii

•

Requesting Technical Support on page xiv

Objectives

Juniper Networks Network and Security Manager (NSM) is a software application that centralizescontrol and management of your Juniper Networks devices. With NSM, Juniper Networks delivers integrated, policy-based security and network management for all devices.

NSM uses the technology developed for Juniper Networks ScreenOS to enable and simplify management support for previous and future versions of ScreenOS. By integrating management of all Juniper Networks security devices, NSM enhances the overall security of the Internet gateway.

This guide explains how to configure EX-series devices. Use this guide in conjunction with the NSM Online Help, which provides step-by-step instructions for many of the processes described in this document.

Audience

This guide is intended for systemadministratorsresponsible for the security infrastructure of their organization. Specifically, this book discusses concepts of interest to firewall and VPN administrators, network/security operations center administrators; and system administrators responsible for user permissions on the network.

Conventions

The sample screens used throughout this guide are representations of the screens that appear when you install and configure the NSM software. The actual screens may differ.

NOTE: If the information in the latest NSM Release Notes differs from the information in this guide, follow the NSM Release Notes.

Table 1: Notice Icons

All examples show default file paths. If you do not accept the installation defaults, your paths will vary from the examples.

Table 1 on page xii defines notice icons used in this guide.

DescriptionMeaningIcon

Indicates important features or instructions.Informational note

Indicates a situation that might result in loss of data or hardware damage.Caution

Alerts you to the risk of personal injury or death.Warning

Alerts you to the risk of personal injury from a laser.Laser warning

Table 2 on page xii defines text conventions used in this guide.

Table 2: Text Conventions

Bold typeface like this

fixed-width font

Keynames linked with a plus (+) sign

Italics

The angle bracket (>)

•

Represents commands and keywords in text.

•

Represents keywords

•

Represents UI elements

Represents information as displayed on the terminal screen.

keys simultaneously.

•

Emphasizes words

•

Identifies variables

Indicates navigation paths through the UI by clicking menu options and links.

ExamplesDescriptionConvention

•

Issue the clock source command.

•

Specify the keyword exp-msg.

•

Click User Objects

user inputRepresents text that the user must type.Bold typeface like this

host1#

show ip ospf

Routing Process OSPF 2 with Router ID 5.5.0.250 Router is an area Border Router (ABR)

Ctrl + dIndicates that you must press two or more

•

The product supports two levels of access, user and privileged.

•

clusterID, ipAddress.

Object Manager > User Objects > Local Objects

Table 3 on page xiii defines syntax conventions used in this guide.

Table 3: Syntax Conventions

About This Guide

ExamplesDescriptionConvention

terminal lengthRepresent keywordsWords in plain text

mask, accessListNameRepresent variablesWords in italics

Words separated by the pipe ( | ) symbol

Words enclosed in brackets followed by and asterisk ( [ ]*)

Documentation

Table 4 on page xiii describes documentation for the NSM.

Table 4: Network and Security Manager Publications

Network and Security Manager Installation Guide

variable to the left or right of this symbol. The keywordor variable can be optional or required.

can be entered more than once.

Represent required keywords or variables.Words enclosed in braces ( { } )

DescriptionBook

Describes the steps to install the NSM management system on a single server or on separate servers. It also includes information on how to install and run the NSM user interface. This guide is intended for IT administrators responsible for the installation or upgrade of NSM.

diagnostic | lineRepresent a choice to select one keyword or

[ internal | external ]Represent optional keywords or variables.Words enclosed in brackets ( [ ] )

[ level1 | level2 | 11 ]*Represent optional keywords or variables that

{ permit | deny } { in | out } { clusterId | ipAddress }

Network and Security Manager Administration Guide

Network and Security Manager Configuring ScreenOS and IDP Devices Guide

Describes how to use and configure key management features in the NSM. It provides conceptual information, suggested workflows, and examples. This guide is best used in conjunction with the NSM Online Help, which provides step-by-stepinstructions for performing management tasks in the NSM UI.

This guide is intended for application administrators or those individuals responsible for owning the server and security infrastructure and configuring the product for multi-user systems. It is also intended for device configuration administrators, firewall and VPN administrators, and network security operation center administrators.

Provides details about configuring the device features for all supported ScreenOS and IDP platforms.

Table 4: Network and Security Manager Publications (continued)

DescriptionBook

Network and Security Manager Online Help

Network and Security Manager API Guide

Network and Security Manager Release Notes

Configuring Infranet Controllers Guide

Configuring Secure Access Devices Guide

Configuring EX-series Switches Guide

Configuring J-series Services Routers and SRX-series Services Gateways Guide

Provides procedures for basic tasks in the NSM user interface. It also includes a brief overview of the NSM system and a description of the GUI elements.

Provides complete syntax and description of the SOAP messaging interface to NSM.

Provides the latest information about features, changes, known problems, resolved problems, and system maximum values. If the information in the Release Notes differs from the information found in the documentation set, follow the Release Notes.

Release notes are included on the corresponding software CD and are available on the Juniper Networks Website.

Provides details about configuring the device features for all supported Infranet Controllers.

Provides details about configuring the device features for all supported Secure Access Devices.

Provides details about configuring the device features for all supported EX-series platforms .

Provides details about configuring the device features for all supported J-series Services Routers and SRX-series Services Gateways.

M-series and MX-series Devices Guide

Requesting Technical Support

Technical product support is availablethrough the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need postsales technical support, you can access our tools and resources online or open a case with JTAC.

•

JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at

http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf .

•

Product warranties—For product warranty information, visit

http://www.juniper.net/support/warranty/ .

•

JTAC Hours of Operation —The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Provides details about configuring the device features for M-series and MX-series platforms.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

•

Find CSC offerings: http://www.juniper.net/customers/support/

•

Find product documentation: http://www.juniper.net/techpubs/

•

Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/

•

Download the latest versions of software and review release notes:

http://www.juniper.net/customers/csc/software/

•

Search technical bulletins for relevant hardware and software notifications:

https://www.juniper.net/alerts/

•

Join and participate in the Juniper Networks Community Forum:

http://www.juniper.net/company/communities/

•

Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

About This Guide

To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

•

Use the Case Management tool in the CSC at http://www.juniper.net/cm/ .

•

Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, visit us at

http://www.juniper.net/support/requesting-support.html

PART 1

Managing EX-series Switches with NSM

The chapters in Part 1 of the Release 2009.1 version of the NSM Configuration Guide for EX Series Devices provide an overview of the management system and describe how to

configure features for EX Series devices.

NOTE: Because the NSM device-side configuration guides are not updated

on the same release schedule as the JUNOS releases, consult the JUNOS Software Documentation for information about configuration settings that might occur in NSM and not in the device-side configuration guides or vice versa.

Part 1 contains the following chapters:

•

Configuring User Access and Authentication on page 3

•

Configuring Chassis on page 11

•

Configuring Class of Service on page 15

•

Configuring Ethernet Switching Options on page 35

•

Configuring Firewall Filters on page 43

•

Configuring Policy Options on page 49

•

Configuring Routing Options on page 59

•

Configuring Protocols on page 87

•

Configuring PoE on page 115

•

Configuring SNMP on page 117

•

Configuring Virtual LANs on page 147

•

Configuring a Virtual Chassis on page 149

CHAPTER 1

Configuring User Access and Authentication

This section contains the following:

•

Configuring RADIUS Authentication (NSM Procedure) on page 3

•

Configuring TACACS+ Authentication (NSM Procedure) on page 4

•

Configuring Authentication Order (NSM Procedure) on page 5

•

Configuring User Access (NSM Procedure) on page 6

•

Configuring Template Accounts (NSM Procedure) on page 7

Configuring RADIUS Authentication (NSM Procedure)

To use RADIUS authentication, you must configure at least one RADIUS server. Configuring RADIUS authentication involves identifying the RADIUS server, specifying the secret (password)of the RADIUS server, and setting the source address of the device's RADIUS requests to the loopback address of the device.

To configure RADIUS authentication:

1. In the NSM navigation tree, select Device Manager > Devices.

2. Click the Device Tree tab, and then double-click the device for which you want to

configure RADIUS authentication.

3. Click the Configuration tab. In the configuration tree, select System > Radius Server.

4. Add or modify Radius settings as specified in Table 5 on page 4.

5. Click one:

•

New—Adds a new RADIUS server.

•

OK—Saves the changes.

•

Cancel—Cancels the modifications.

Table 5: RADIUS Authentication Configuration Details

Your ActionFunctionOption

Specifies the IP address of the RADIUS server.Name

Specifies the shared secret (password) of the RADIUS server. The secret is stored as an encrypted value in the configuration database.

Specifies the source address to be included in the RADIUS server requests by the device. In most cases, you can use the loopback address of the device.

Documentation

Secret

Source Address

Configuring TACACS+ Authentication (NSM Procedure) on page 4•

• Configuring Authentication Order (NSM Procedure) on page 5

• Configuring User Access (NSM Procedure) on page 6

Configuring TACACS+ Authentication (NSM Procedure)

To use TACACS+ authentication, you must configure at least one TACACS+ server. Configuring TACACS+ authentication involvesidentifying the TACACS+server, specifying the secret (password) of the TACACS+ server, and setting the source address of the device's TACACS+ requests to the loopback address of the device.

Enter the IP address of the RADIUS server.

Enter the shared secret of the RADIUS server.

Enter the loopback addressof the device.

To configure TACACS+ authentication:

1. In the NSM navigation tree, select Device Manager > Devices.

2. Click the Device Tree tab and then double-click the device for which you want to

configure TACACS+ authentication.

3. Click the Configuration tab. In the configuration tree, select System > TACACS+

Server.

4. Add or modify TACACS+ settings as specified in Table 6 on page 4.

5. Click one:

•

New—Adds a new TACACS+ server.

•

OK—Saves the changes.

•

Cancel—Cancels the modifications.

Table 6: TACACS+ Authentication Configuration Details

Your ActionFunctionOption

Specifies the IP address of the TACACS+ server.Name

Enter the IP address of the TACACS+ server.

Chapter 1: Configuring User Access and Authentication

Table 6: TACACS+ Authentication Configuration Details (continued)

Your ActionFunctionOption

Specifies the shared secret (password) of the TACACS+ server. The secret is stored as an encrypted value in the configuration database.

Specifies the source address to be included in the TACACS+ server requests by the device. In most cases, you can use the loopback address of the device.

Documentation

Secret

Source Address

Configuring RADIUS Authentication (NSM Procedure) on page 3•

• Configuring Authentication Order (NSM Procedure) on page 5

• Configuring User Access (NSM Procedure) on page 6

Configuring Authentication Order (NSM Procedure)

You can configure the device so that user authentication occurs with the local password first, then with the RADIUS server, and finally with the TACACS+ server.

To configure authentication order:

1. In the NSM navigation tree, select Device Manager > Devices.

2. Click the Device Tree tab and then double-click the device for which you want to

configure authentication order.

Enter the shared secret of the TACACS+ server.

Enter the loopback address of the device.

Documentation

3. Click the Configuration tab. In the configurationtree, select System > Authentication

Order.

4. In the Authentication Order workspace, click the New button. The New

authentication-order list appears.

5. To add RADIUS authentication to the authentication order, select radius from the

New authentication-order list.

6. To add TACACS+ authentication to the authentication order, select tacplus from the

New authentication-order list.

7. To add Password authentication to the authentication order, select password from

the New authentication-order list.

•

OK—Saves the changes.

•

Cancel—Cancels the modifications.

Configuring RADIUS Authentication (NSM Procedure) on page 3•

• Configuring TACACS+ Authentication (NSM Procedure) on page 4

• Configuring User Access (NSM Procedure) on page 6

Configuring User Access (NSM Procedure)

This section includes the following topics:

•

Configuring Login Classes on page 6

•

Configuring User Accounts on page 7

Configuring Login Classes

You can define any number of login classesand then apply one login class to an individual user account. All users who can log in to the router must be in a login class. With login classes, you define the following:

•

Access privileges users have when they are logged in to the router

•

Commands and statements that users can and cannot specify

•

How long a login session can be idle before it times out and the user is logged out

To configure login classes:

1. In the NSM navigation tree, select Device Manager > Devices.

2. Click the Device Tree tab and then double-click the device for which you want to

configure a login class.

3. Click the Configuration tab. In the configuration tree, select System > Login > Class.

4. Add or modify login class settings as specified in Table 7 on page 6.

5. Click one:

•

New—Adds a new login class.

•

OK—Saves the changes.

•

Cancel—Cancels the modifications.

Table 7: Login Class Authentication Configuration Details

Your ActionFunctionOption

Enter a name for the login class.Specifies a name for the login class.Name

Allow Commands

Specifies the operational mode commands that members of a login class can use.

Permissions

to be provided on the device.

Enter the command name enclosed in quotation marks. For example, “request system reboot”.

Enter a new permission.Configures the login access privileges

Configuring User Accounts

User accounts provide one way for users to access the device. (Users can access the router without accounts if you configured RADIUS or TACACS+servers.) For each account, define the login name for the user and, optionally, information that identifies the user. After you have created an account, a home directory is created for the user.

To configure user accounts:

1. In the NSM navigation tree, select Device Manager > Devices.

2. Click the Device Tree tab and then double-click the device for which you want to

configure login class.

3. Click the Configuration tab. In the configuration tree, select System > Login > User.

4. Add or modify login class settings as specified in Table 8 on page 7.

5. Click one:

•

Chapter 1: Configuring User Access and Authentication

New—Adds a new user account.

•

OK—Saves the changes.

•

Cancel—Cancels the modifications.

Table 8: User Authentication Configuration Details

Name

name.

Specifies the user’s password.Plain Text Password

Value

Documentation

Configuring RADIUS Authentication (NSM Procedure) on page 3•

• Configuring TACACS+ Authentication (NSM Procedure) on page 4

• Configuring Authentication Order (NSM Procedure) on page 5

Configuring Template Accounts (NSM Procedure)

Your ActionFunctionOption

Enter a unique name for the user.Identifies the user with a unique

Select the class name.Specifies the user's login class.Class

Enter the plain text password for the user.

You can create template accounts that are shared by a set of users when you are using RADIUS or TACACS+ authentication. When a user is authenticatedby a template account,

the CLI username is the login name, and the privileges, file ownership, and effective user ID are inherited from the template account.

To configure template accounts, follow these procedures:

•

Creating a Remote Template Account on page 8

•

Creating a Local Template Account on page 9

Creating a Remote Template Account

You can create a remote template that is applied to users authenticated by RADIUS or TACACS+ that do not belong to a local template account.

By default, JUNOS software with enhanced services uses the remote template account when:

•

The authenticated user does not exist locally on the Services Router.

•

The authenticated user's record in the RADIUS or TACACS+ server specifies local user, or the specified local user does not exist locally on the device.

The following procedure creates a sample user named remote that belongs to the operator login class.

To create a remote template account:

1. In the NSM navigation tree, select Device Manager > Devices.

2. Click the Device Tree tab and then double-click the device for which you want to

create a remote template account.

3. Click the Configuration tab. In the configuration tree, select System > Login > User.

4. Add or modify login class settings as specified in Table 9 on page 8.

5. Click one:

•

New—Creates a new remote template account.

•

OK—Saves the changes.

•

Cancel—Cancels the modifications.

Table 9: Remote Template Account Details

Your ActionFunctionOption

Enter the user name. For example, type remote.

Enter the number associated with the login account.

Selectthe login class. For example, select operator.

Uid

Specifies a name for the user name.Name

Specifies the user identifier for a login account.

Specifies the login class for the user.Class

Creating a Local Template Account

You can create a local template that is applied to users authenticated by RADIUS or TACACS+ that are assigned to the local template account. You use local template accounts when you need different types of templates. Each template can define a different set of permissions appropriate for the group of users who use that template.

The following procedure creates a sample user named admin that belongs to the superuser login class.

To create a local template account:

1. In the NSM navigation tree, select Device Manager > Devices.

2. Click the Device Tree tab and then double-click the device for which you want to

create a local template account.

3. Click the Configuration tab. In the configuration tree, select System > Login > User.

4. Add or modify login class settings as specified in Table 10 on page 9.

Chapter 1: Configuring User Access and Authentication

Documentation

5. Click one:

•

New—Creates a new local template account.

•

OK—Saves the changes.

•

Cancel—Cancels the modifications.

Table 10: Local Template Account Details

Your ActionFunctionOption

Specifies a name for the user name.Name

Uid

• Configuring RADIUS Authentication (NSM Procedure) on page 3

• Configuring TACACS+ Authentication (NSM Procedure) on page 4

• Configuring Authentication Order (NSM Procedure) on page 5

Specifies the user identifier for a login account.

Specifies the login class for the user.Class

Enter the user name. For example, type admin.

Enter the number associated with the login account.

Selectthe login class. For example, select superuser.

CHAPTER 2

Configuring Chassis

This section contains the following:

•

Configuring Aggregated Devices (NSM Procedure) on page 11

•

Configuring Chassis Alarms (NSM Procedure) on page 12

•

Configuring Routing Engine Redundancy (NSM Procedure) on page 13

Configuring Aggregated Devices (NSM Procedure)

The JUNOS Software supports the aggregation of physical devices into the defined virtual links, such as the link aggregation of Ethernet interfaces defined by the IEEE 802.3ad standard. You can configure the properties for Ethernet and sonet aggregated devices on the router.

To configure the aggregated devices on the router:

1. In the NSM navigation tree, select Device Manager > Devices.

2. Click the Device Tree tab, and then double-click the device to select it.

3. Click the Configuration tab. In the configuration tree, expand Chassis > Aggregated

Devices.

4. Add or modify the settings as specified in Table 11 on page 12.

5. Click one:

•

OK—Saves the changes.

•

Cancel—Cancels the modifications.

Table 11: Aggregated Devices Configuration Details

Your ActionTask

Documentation

Configure properties for Ethernet aggregated devices.

Configure properties for sonet aggregated devices.

1. Click Ethernet next to Aggregated Devices.

2. Enter the number of aggregated logical devices available to the router.

Range: 1 through 256 devices

3. Click Lacp next to Ethernet.

4. In the System Priority box, enter the priority for the aggregated Ethernet system.

5. Click Link Protection next to Lacp.

6. Select the Non Revertive check box if you want to disable the ability to switch to a better priority link (if one is available) once a link is established as active and a collection or distribution is enabled.

1. Click Sonet next to Aggregated Devices.

2. From the Device Count list, select the number of aggregated logical devices available to the router.

Range: 1 through 16 Devices

Configuring Chassis Alarms (NSM Procedure) on page 12•

• Configuring a T640 Router on a Routing Matrix (NSM Procedure)

• Configuring Routing Engine Redundancy (NSM Procedure) on page 13

• Configuring a Routing Engine to Reboot or Halt on Hard Disk Errors (NSM Procedure)

Configuring Chassis Alarms (NSM Procedure)

You can configure the chassis alarms for an interface type to trigger a red or yellow alarm or to ignore an alarm. Various conditions relatedto the chassis components trigger yellow and red alarms.

To configure chassis alarm on the router:

1. In the NSM navigation tree, select Device Manager > Devices.

2. Click the Device Tree tab, and then double-click the device to select it.

3. Click the Configuration tab. In the configuration tree, expand Chassis > Alarm.

4. Add or modify the alarm settings as specified in Table 12 on page 13.

5. Click one:

•

OK—Saves the changes.

•

Cancel—Cancels the modifications.

Table 12: Chassis Alarms Configuration Details

Your ActionTask

Chapter 2: Configuring Chassis

1. Select the interface type listed next to Alarm.

2. Select the alarm type for the chassis condition for each interface type.

Documentation

Configuring the alarm type.

Configuring Aggregated Devices (NSM Procedure) on page 11•

• Configuring Chassis FPC (NSM Procedure)

• Configuring Routing Engine Redundancy (NSM Procedure) on page 13

Configuring Routing Engine Redundancy (NSM Procedure)

You can configure redundancy properties for routers that have multiple Routing Engines or these multiple switching control boards: Switching and Forwarding Modules (SFMs), System and Switch Boards (SSBs), Forwarding Engine Boards (FEBs), or Compact Forwarding Engine Boards (CFEBs).

To configure routing engine redundancy in NSM:

1. In the NSM navigation tree, select Device Manager > Devices.

2. Click the Device Tree tab, and then double-click the device to select it.

3. Click the Configuration tab. In the configuration tree, select Chassis > Redundancy.

4. Add or modify settings as specified in Table 13 on page 13.

5. Click one:

•

OK—Saves the changes.

•

Cancel—Cancels the modifications.

Table 13: Chassis Redundancy Configuration Details

Your ActionTask

Configure redundancy options.

Instruct the backup router to take mastership if it detects hard disk errors or a loss of a keepalive signal from the master Routing Engine.

1. In the Comment box, enter the comment.

2. From the keepalive list, select the time before the backup

router takes mastership when it detects loss of the keepalive signal.

Range: 2 through 10,000

1. Click Failover next to Redundancy.

2. In the Comment box, enter the comment.

3. Select the type of failover.

Table 13: Chassis Redundancy Configuration Details (continued)

Your ActionTask

Documentation

For routing platforms with two Routing Engines, configure a master Routing

1. Click Graceful Switchover next to Redundancy.

2. In the Comment box, enter the comment.

Engine to switch over gracefully to a backup Routing Engine without interruption to packet forwarding.

Sets the function of the Routing Engine for the specified slot. By default, the Routing Engine in slot 0 is the master Routing Engine and the Routing Engine in slot 1 is the backup Routing Engine.

• Configuring Aggregated Devices (NSM Procedure) on page 11

• Configuring a T640 Router on a Routing Matrix (NSM Procedure)

• Configuring a Routing Engine to Reboot or Halt on Hard Disk Errors (NSM Procedure)

1. Click Routing Engine next to Redundancy.

2. From the Name list, select the slot number.

3. In the Comment box, enter the comment.

4. Select the function of the Routing Engine for the specified slot.

5. Select one of the following:

•

master—To configure the routing engine to be the master.

•

backup—To configure the routing engine to be the backup.

•

disabled—To disable the routing engine.

+ 144 hidden pages

Juniper NETWORK AND SECURITY MANAGER - NSM CONFIGURATION GUIDE FOR EX SERIES DEVICES REV 3, NETWORK AND SECURITY MANAGER Configuration Manual

Specifications and Main Features

Frequently Asked Questions

User Manual