Juniper Networks IP User Manual

JUNOSe Software for E Series Broadband Services Routers
IP Services Configuration Guide
Release 11.1.x
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, California 94089
USA
www.juniper.net
Published: 2010-04-04
Juniper Networks, the Juniper Networks logo, JUNOS, NetScreen, ScreenOS, and Steel-Belted Radius are registered trademarks of Juniper Networks, Inc. in the United States and other countries. JUNOSe is a trademark of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
JUNOSe Software for E Series Broadband Services Routers IP Services Configuration Guide
Release 11.1.x Copyright © 2010, Juniper Networks, Inc. All rights reserved. Printed in USA.
Writing: Subash Babu Asokan, Mark Barnard, Bruce Gillham, Sarah Lesway-Ball, Brian Wesley Simmons, Fran Singer
Editing: Benjamin Mann
Illustration: Nathaniel Woodward
Cover Design: Edmonds Design
Revision History: April 2010, FRS JUNOSe 11.1.x
The information in this document is current as of the date listed in the revision history.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. The JUNOS Software has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
READ THIS END USER LICENSE AGREEMENT (AGREEMENT) BEFORE DOWNLOADING, INSTALLING, OR USING THE SOFTWARE. BY DOWNLOADING, INSTALLING, OR USING THE SOFTWARE OR OTHERWISE EXPRESSING YOUR AGREEMENT TO THE TERMS CONTAINED HEREIN, YOU (AS CUSTOMER OR IF YOU ARE NOT THE CUSTOMER, AS A REPRESENTATIVE/AGENT AUTHORIZED TO BIND THE CUSTOMER) CONSENT TO BE BOUND BY THIS AGREEMENT. IF YOU DO NOT OR CANNOT AGREE TO THE TERMS CONTAINED HEREIN, THEN (A) DO NOT DOWNLOAD, INSTALL, OR USE THE SOFTWARE, AND (B) YOU MAY CONTACT JUNIPER NETWORKS REGARDING LICENSE TERMS.
1. The Parties. The parties to this Agreement are (i) Juniper Networks, Inc. (if the Customer's principal office is located in the Americas) or Juniper Networks (Cayman) Limited (if the Customer's principal office is located outside the Americas) (such applicable entity being referred to herein as Juniper), and (ii) the person or organization that originally purchased from Juniper or an authorized Juniper reseller the applicable license(s) for use of the Software (Customer) (collectively, the Parties).
2. The Software. In this Agreement, Software means the program modules and features of the Juniper or Juniper-supplied software, for which Customer has paid the applicable license or support fees to Juniper or an authorized Juniper reseller, or which was embedded by Juniper in equipment which Customer purchased from Juniper or an authorized Juniper reseller. Software also includes updates, upgrades and new releases of such software. Embedded Software means Software which Juniper has embedded in or loaded onto the Juniper equipment and any updates, upgrades, additions or replacements which are subsequently embedded in or loaded onto the equipment.
3. License Grant. Subject to payment of the applicable fees and the limitations and restrictions set forth herein, Juniper grants to Customer a non-exclusive and non-transferable license, without right to sublicense, to use the Software, in executable form only, subject to the following use restrictions:
a. Customer shall use Embedded Software solely as embedded in, and for execution on, Juniper equipment originally purchased by Customer from Juniper or an authorized Juniper reseller.
b. Customer shall use the Software on a single hardware chassis having a single processing unit, or as many chassis or processing units for which Customer has paid the applicable license fees; provided, however, with respect to the Steel-Belted Radius or Odyssey Access Client software only, Customer shall use such Software on a single computer containing a single physical random access memory space and containing any number of processors. Use of the Steel-Belted Radius or IMS AAA software on multiple computers or virtual machines (e.g., Solaris zones) requires multiple licenses, regardless of whether such computers or virtualizations are physically contained on a single chassis.
c. Product purchase documents, paper or electronic user documentation, and/or the particular licenses purchased by Customer may specify limits to Customer's use of the Software. Such limits may restrict use to a maximum number of seats, registered endpoints, concurrent users, sessions, calls, connections, subscribers, clusters, nodes, realms, devices, links, ports or transactions, or require the purchase of separate licenses to use particular features, functionalities, services, applications, operations, or capabilities, or provide throughput, performance, configuration, bandwidth, interface, processing, temporal, or geographical limits. In addition, such limits may restrict the use of the Software to managing certain kinds of networks or require the Software to be used only in conjunction with other specific Software. Customer's use of the Software shall be subject to all such limitations and purchase of all applicable licenses.
d. For any trial copy of the Software, Customer's right to use the Software expires 30 days after download, installation or use of the Software. Customer may operate the Software after the 30-day trial period only if Customer pays for a license to do so. Customer may not extend or create an additional trial period by re-installing the Software after the 30-day trial period.
e. The Global Enterprise Edition of the Steel-Belted Radius software may be used by Customer only to manage access to Customer's enterprise network. Specifically, service provider customers are expressly prohibited from using the Global Enterprise Edition of the Steel-Belted Radius software to support any commercial network access services.
The foregoing license is not transferable or assignable by Customer. No license is granted herein to any user who did not originally purchase the applicable license(s) for the Software from Juniper or an authorized Juniper reseller.
4. Use Prohibitions. Notwithstanding the foregoing, the license provided herein does not permit the Customer to, and Customer agrees not to and shall not: (a) modify, unbundle, reverse engineer, or create derivative works based on the Software; (b) make unauthorized copies of the Software (except as necessary for backup purposes); (c) rent, sell, transfer, or grant any rights in and to any copy of the Software, in any form, to any third party; (d) remove any proprietary notices, labels, or marks on or in any copy of the Software or any product in which the Software is embedded; (e) distribute any copy of the Software to any third party, including as may be embedded in Juniper equipment sold in the secondhand market; (f) use any locked or key-restricted feature, function, service, application, operation, or capability without first purchasing the applicable license(s) and obtaining a valid key from Juniper, even if such feature, function, service, application, operation, or capability is enabled without a key; (g) distribute any key for the Software provided by Juniper to any third party; (h) use the Software in any manner that extends or is broader than the uses purchased by Customer from Juniper or an authorized Juniper reseller; (i) use Embedded Software on non-Juniper equipment; (j) use Embedded Software (or make it available for use) on Juniper equipment that the Customer did not originally purchase from Juniper or an authorized Juniper reseller; (k) disclose the results of testing or benchmarking of the Software to any third party without the prior written consent of Juniper; or (l) use the Software in any manner other than as expressly provided herein.
5. Audit. Customer shall maintain accurate records as necessary to verify compliance with this Agreement. Upon request by Juniper, Customer shall furnish such records to Juniper and certify its compliance with this Agreement.
6. Confidentiality. The Parties agree that aspects of the Software and associated documentation are the confidential property of Juniper. As such, Customer shall exercise all reasonable commercial efforts to maintain the Software and associated documentation in confidence, which at a minimum includes restricting access to the Software to Customer employees and contractors having a need to use the Software for Customer's internal business purposes.
7. Ownership. Juniper and Juniper's licensors, respectively, retain ownership of all right, title, and interest (including copyright) in and to the Software, associated documentation, and all copies of the Software. Nothing in this Agreement constitutes a transfer or conveyance of any right, title, or interest in the Software or associated documentation, or a sale of the Software, associated documentation, or copies of the Software.
8. Warranty, Limitation of Liability, Disclaimer of Warranty. The warranty applicable to the Software shall be as set forth in the warranty statement that accompanies the Software (the Warranty Statement). Nothing in this Agreement shall give rise to any obligation to support the Software. Support services may be purchased separately. Any such support shall be governed by a separate, written support services agreement. TO THE MAXIMUM EXTENT PERMITTED BY LAW, JUNIPER SHALL NOT BE LIABLE FOR ANY LOST PROFITS, LOSS OF DATA, OR COSTS OR PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, THE SOFTWARE, OR ANY JUNIPER OR JUNIPER-SUPPLIED SOFTWARE. IN NO EVENT SHALL JUNIPER BE LIABLE FOR DAMAGES ARISING FROM UNAUTHORIZED OR IMPROPER USE OF ANY JUNIPER OR JUNIPER-SUPPLIED SOFTWARE. EXCEPT AS EXPRESSLY PROVIDED IN THE WARRANTY STATEMENT TO THE EXTENT PERMITTED BY LAW, JUNIPER DISCLAIMS ANY AND ALL WARRANTIES IN AND TO THE SOFTWARE (WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE), INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT DOES JUNIPER WARRANT THAT THE SOFTWARE, OR ANY EQUIPMENT OR NETWORK RUNNING THE SOFTWARE, WILL OPERATE WITHOUT ERROR OR INTERRUPTION, OR WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK. In no event shall Juniper's or its suppliers' or licensors' liability to Customer, whether in contract, tort (including negligence), breach of warranty, or otherwise, exceed the price paid by Customer for the Software that gave rise to the claim, or if the Software is embedded in another Juniper product, the price paid by Customer for such other product.
Customer acknowledges and agrees that Juniper has set its prices and entered into this Agreement in reliance upon the disclaimers of warranty and the limitations of liability set forth herein, that the same reflect an allocation of risk between the Parties (including the risk that a contract remedy may fail of its essential purpose and cause consequential loss), and that the same form an essential basis of the bargain between the Parties.
9. Termination. Any breach of this Agreement or failure by Customer to pay any applicable fees due shall result in automatic termination of the license granted herein. Upon such termination, Customer shall destroy or return to Juniper all copies of the Software and related documentation in Customer's possession or control.
10. Taxes. All license fees payable under this agreement are exclusive of tax. Customer shall be responsible for paying Taxes arising from the purchase of the license, or importation or use of the Software. If applicable, valid exemption documentation for each taxing jurisdiction shall be provided to Juniper prior to invoicing, and Customer shall promptly notify Juniper if their exemption is revoked or modified. All payments made by Customer shall be net of any applicable withholding tax. Customer will provide reasonable assistance to Juniper in connection with such withholding taxes by promptly: providing Juniper with valid tax receipts and other required documentation showing Customer's payment of any withholding taxes; completing appropriate applications that would reduce the amount of withholding tax to be paid; and notifying and assisting Juniper in any audit or tax proceeding related to transactions hereunder. Customer shall comply with all applicable tax laws and regulations, and Customer will promptly pay or reimburse Juniper for all costs and damages related to any liability incurred by Juniper as a result of Customer's non-compliance or delay with its responsibilities herein. Customer's obligations under this Section shall survive termination or expiration of this Agreement.
11. Export. Customer agrees to comply with all applicable export laws and restrictions and regulations of any United States and any applicable foreign agency or authority, and not to export or re-export the Software or any direct product thereof in violation of any such restrictions, laws or regulations, or without all necessary approvals. Customer shall be liable for any such violations. The version of the Software supplied to Customer may contain encryption or other capabilities restricting Customer's ability to export the Software without an export license.
12. Commercial Computer Software. The Software is commercial computer software and is provided with restricted rights. Use, duplication, or disclosure by the United States government is subject to restrictions set forth in this Agreement and as provided in DFARS 227.7201 through 227.7202-4, FAR 12.212, FAR 27.405(b)(2), FAR 52.227-19, or FAR 52.227-14(ALT III) as applicable.
13. Interface Information. To the extent required by applicable law, and at Customer's written request, Juniper shall provide Customer with the interface information needed to achieve interoperability between the Software and another independently created program, on payment of applicable fee, if any. Customer shall observe strict obligations of confidentiality with respect to such information and shall use such information in compliance with any applicable terms and conditions upon which Juniper makes such information available.
14. Third Party Software. Any licensor of Juniper whose software is embedded in the Software and any supplier of Juniper whose products or technology are embedded in (or services are accessed by) the Software shall be a third party beneficiary with respect to this Agreement, and such licensor or vendor shall have the right to enforce this Agreement in its own name as if it were Juniper. In addition, certain third party software may be provided with the Software and is subject to the accompanying license(s), if any, of its respective owner(s). To the extent portions of the Software are distributed under and subject to open source licenses obligating Juniper to make the source code for such portions publicly available (such as the GNU General Public License (GPL) or the GNU Library General Public License (LGPL)), Juniper will make such source code portions (including Juniper modifications, as appropriate) available upon request for a period of up to three years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194 N. Mathilda Ave., Sunnyvale, CA 94089, ATTN: General Counsel. You may obtain a copy of the GPL at http://www.gnu.org/licenses/gpl.html, and a copy of the LGPL at http://www.gnu.org/licenses/lgpl.html.
15. Miscellaneous. This Agreement shall be governed by the laws of the State of California without reference to its conflicts of laws principles. The provisions of the U.N. Convention for the International Sale of Goods shall not apply to this Agreement. For any disputes arising under this Agreement, the Parties hereby consent to the personal and exclusive jurisdiction of, and venue in, the state and federal courts within Santa Clara County, California. This Agreement constitutes the entire and sole agreement between Juniper and the Customer with respect to the Software, and supersedes all prior and contemporaneous
agreements relating to the Software, whether oral or written (including any inconsistent terms contained in a purchase order), except that the terms of a separate written agreement executed by an authorized Juniper representative and Customer shall govern to the extent such terms are inconsistent or conflict with terms contained herein. No modification to this Agreement nor any waiver of any rights hereunder shall be effective unless expressly assented to in writing by the party to be charged. If any portion of this Agreement is held invalid, the Parties agree that such invalidity shall not affect the validity of the remainder of this Agreement. This Agreement and associated documentation has been written in the English language, and the Parties agree that the English version will govern. (For Canada: Les parties aux présentés confirment leur volonté que cette convention de même que tous les documents y compris tout avis qui s'y rattaché, soient redigés en langue anglaise. (Translation: The parties confirm that this Agreement and all related documentation is and will be in the English language)).

Abbreviated Table of Contents

About the Documentation xxiii
Part 1 Chapters
Chapter 1 Configuring Routing Policy 3
Chapter 2 Configuring NAT 63
Chapter 3 Configuring J-Flow Statistics 95
Chapter 4 Configuring BFD 113
Chapter 5 Configuring IPSec 125
Chapter 6 Configuring Dynamic IPSec Subscribers 177
Chapter 7 Configuring ANCP 193
Chapter 8 Configuring Digital Certificates 213
Chapter 9 Configuring IP Tunnels 245
Chapter 10 Configuring Dynamic IP Tunnels 261
Chapter 11 IP Reassembly for Tunnels 279
Chapter 12 Securing L2TP and IP Tunnels with IPSec 287
Chapter 13 Configuring the Mobile IP Home Agent 315
Part 2 Index
Index 333

Table of Contents

About the Documentation xxiii
E Series and JUNOSe Documentation and Release Notes ............................xxiii
Audience ....................................................................................................xxiii
E Series and JUNOSe Text and Syntax Conventions ....................................xxiii
Obtaining Documentation ...........................................................................xxv
Documentation Feedback ............................................................................xxv
Requesting Technical Support ......................................................................xxv
Self-Help Online Tools and Resources ..................................................xxvi
Opening a Case with JTAC ....................................................................xxvi
Part 1 Chapters
Chapter 1 Configuring Routing Policy 3
Overview .........................................................................................................3
Platform Considerations ..................................................................................4
References ......................................................................................................4
Route Maps .....................................................................................................4
Route Map Configuration Example ...........................................................5
Multiple Values in a Match Entry ...............................................................6
Negating Match Clauses ............................................................................7
Matching a Community List Exactly ..........................................................8
Removing Community Lists from a Route Map .........................................8
Matching a Policy List ...............................................................................9
Redistributing Access Routes ....................................................................9
Setting Multicast Bandwidths ....................................................................9
Match Policy Lists ..........................................................................................20
Access Lists ...................................................................................................21
Filtering Prefixes .....................................................................................21
Configuration Example 1 ..................................................................21
Configuration Example 2 ..................................................................22
Configuration Example 3 ..................................................................22
Filtering AS Paths ....................................................................................23
Configuration Example 1 ..................................................................24
Using Access Lists in a Route Map ..........................................................25
Configuration Example 1 ..................................................................25
Using Access Lists for PIM Join Filters .....................................................29
Clearing Access List Counters .................................................................31
Creating Table Maps ...............................................................................31
Using the Null Interface .................................................................................33
Prefix Lists ....................................................................................................33
Using a Prefix List ...................................................................................34
Prefix Trees ...................................................................................................36
Using a Prefix Tree .................................................................................37
Community Lists ...........................................................................................38
Extended Community Lists .....................................................................42
Using Regular Expressions ............................................................................44
AS-path Lists ...........................................................................................44
Community Lists .....................................................................................45
Community Numbers .............................................................................45
Metacharacters .......................................................................................45
Using Metacharacters as Literal Tokens ..................................................46
Regular Expression Examples .................................................................47
Managing the Routing Table ..........................................................................49
Troubleshooting Routing Policy .....................................................................50
Monitoring Routing Policy .............................................................................50
Chapter 2 Configuring NAT 63
Overview .......................................................................................................63
Platform Considerations ................................................................................64
Module Requirements .............................................................................64
References ....................................................................................................64
NAT Configurations .......................................................................................65
Traditional NAT .......................................................................................65
Basic NAT .........................................................................................65
NAPT ................................................................................................66
Bidirectional NAT ....................................................................................66
Twice NAT ..............................................................................................66
Network and Address Terms .........................................................................66
Inside Local Addresses ............................................................................67
Inside Global Addresses ..........................................................................67
Outside Local Addresses .........................................................................67
Outside Global Addresses ........................................................................67
Understanding Address Translation ...............................................................67
Inside Source Translation ........................................................................67
Outside Source Translation .....................................................................68
Address Assignment Methods .......................................................................68
Static Translations ...................................................................................68
Dynamic Translations .............................................................................69
Order of Operations ......................................................................................69
Inside-to-Outside Translation ..................................................................69
Outside-to-Inside Translation ..................................................................69
PPTP and GRE Tunneling Through NAT .........................................................70
Packet Discard Rules .....................................................................................70
Before You Begin ...........................................................................................70
Configuring a NAT License ............................................................................71
Limiting Translation Entries ..........................................................................71
Specifying Inside and Outside Interfaces .......................................................71
Defining Static Address Translations .............................................................72
Creating Static Inside Source Translations ...............................................72
Creating Static Outside Source Translations ............................................73
Defining Dynamic Translations .....................................................................74
Creating Access List Rules .......................................................................74
Defining Address Pools ...........................................................................75
Defining Dynamic Translation Rules .......................................................76
Creating Dynamic Inside Source Translation Rules ...........................77
Creating Dynamic Outside Source Translation Rules ........................77
Defining Translation Timeouts ................................................................78
Clearing Dynamic Translations ......................................................................79
NAT Configuration Examples ........................................................................79
NAPT Example ........................................................................................79
Bidirectional NAT Example .....................................................................81
Twice NAT Example ................................................................................83
Cross-VRF Example ................................................................................85
Tunnel Configuration Through NAT Examples ...............................................86
Clients on an Inside Network ..................................................................87
Clients on an Outside Network ...............................................................87
GRE Flows Through NAT ...............................................................................88
Monitoring NAT .............................................................................................88
Displaying the NAT License Key .............................................................88
Displaying Translation Statistics ..............................................................89
Displaying Translation Entries ................................................................91
Displaying Address Pool Information ......................................................92
Displaying Inside and Outside Rule Settings ...........................................93
Chapter 3 Configuring J-Flow Statistics 95
Overview .......................................................................................................95
Interface Sampling ..................................................................................95
Aggregation Caches ................................................................................96
Flow Collection .......................................................................................96
Main Flow Cache Contents ...............................................................96
Cache Flow Export ...........................................................................97
Aging Flows ............................................................................................97
Operation with NAT ................................................................................98
Operation with High Availability .............................................................98
Platform Considerations ................................................................................98
Before You Configure J-Flow Statistics ...........................................................98
Configuring Flow-Based Statistics Collection ..................................................98
Enabling Flow-Based Statistics ................................................................99
Enabling Flow-Based Statistics on an Interface .......................................99
Defining a Sampling Interval .................................................................100
Setting Cache Size .................................................................................101
Defining Aging Timers ..........................................................................101
Specifying the Activity Timer ..........................................................101
Specifying the Inactivity Timer .......................................................102
Specifying Flow Export .........................................................................102
Configuring Aggregation Flow Caches ...................................................103
Monitoring J-Flow Statistics .........................................................................106
Clearing J-Flow Statistics .......................................................................106
J-Flow show Commands .......................................................................106
Chapter 4 Configuring BFD 113
Bidirectional Forwarding Detection Overview .............................................113
How BFD Works ...................................................................................114
Negotiation of the BFD Liveness Detection Interval ..............................114
BFD Platform Considerations ......................................................................116
BFD References ...........................................................................................116
Configuring a BFD License ..........................................................................117
BFD Version Support ...................................................................................117
Configuring BFD ..........................................................................................118
Managing BFD Adaptive Timer Intervals .....................................................118
Clearing BFD Sessions .................................................................................119
Monitoring BFD ...........................................................................................120
System Event Logs ................................................................................120
Viewing BFD Information .....................................................................121
Chapter 5 Configuring IPSec 125
Overview .....................................................................................................125
IPSec Terms and Acronyms ..................................................................125
Platform Considerations ..............................................................................127
References ..................................................................................................127
IPSec Concepts ............................................................................................128
Secure IP Interfaces ..............................................................................128
RFC 2401 Compliance ....................................................................129
IPSec Protocol Stack .......................................................................129
Security Parameters ..............................................................................130
Manual Versus Signaled Interfaces .................................................131
Operational Virtual Router ..............................................................132
Transport Virtual Router .................................................................132
Perfect Forward Secrecy .................................................................134
Lifetime ..........................................................................................134
Inbound and Outbound SAs ...........................................................135
Transform Sets ...............................................................................135
Other Security Features ........................................................................138
IP Security Policies .........................................................................138
ESP Processing ...............................................................................139
AH Processing ................................................................................139
IPSec Maximums Supported ...........................................................139
DPD and IPSec Tunnel Failover ............................................................139
Tunnel Failover ..............................................................................140
IKE Overview ..............................................................................................140
Main Mode and Aggressive Mode ..........................................................141
Aggressive Mode Negotiations ........................................................141
IKE Policies ...........................................................................................142
Priority ...........................................................................................142
Encryption ......................................................................................143
Hash Function ................................................................................143
Authentication Mode ......................................................................143
Diffie-Hellman Group ......................................................................144
Lifetime ..........................................................................................144
IKE SA Negotiation ................................................................................144
Generating Private and Public Key Pairs ...............................................144
Configuration Tasks .....................................................................................145
Configuring an IPSec License ................................................................145
Configuring IPSec Parameters ...............................................................146
Creating an IPSec Tunnel ......................................................................149
Configuring DPD and IPSec Tunnel Failover .........................................154
Defining an IKE Policy ..........................................................................156
Refreshing SAs ......................................................................................159
Enabling Notification of Invalid Cookies ................................................159
Configuration Examples ..............................................................................160
Configuration Notes ..............................................................................160
Monitoring IPSec .........................................................................................168
System Event Logs ................................................................................168
show Commands ..................................................................................169
Chapter 6 Configuring Dynamic IPSec Subscribers 177
Overview .....................................................................................................177
Dynamic Connection Setup ..................................................................177
Dynamic Connection Teardown ............................................................178
Dynamic IPSec Subscriber Recognition .................................................178
Licensing Requirements ........................................................................178
Inherited Subscriber Functionality ........................................................179
Using IPSec Tunnel Profiles ...................................................................179
Relocating Tunnel Interfaces .................................................................180
User Authentication ..............................................................................180
Platform Considerations ..............................................................................180
References ..................................................................................................181
Creating an IPSec Tunnel Profile .................................................................181
Configuring IPSec Tunnel Profiles ................................................................182
Limiting Interface Instantiations on Each Profile ...................................182
Specifying IKE Settings .........................................................................182
Setting the IKE Local Identity .........................................................182
Setting the IKE Peer Identity ..........................................................183
Appending a Domain Suffix to a Username ..........................................184
Overriding IPSec Local and Peer Identities for SA Negotiations .............184
Specifying an IP Profile for IP Interface Instantiations ...........................185
Defining the Server IP Address .............................................................185
Specifying Local Networks ....................................................................186
Defining IPSec Security Association Lifetime Parameters ......................186
Defining User Reauthentication Protocol Values ...................................187
Specifying IPSec Security Association Transforms ................................188
Specifying IPSec Security Association PFS and DH Group Parameters ..........188
Defining the Tunnel MTU ......................................................................189
Defining IKE Policy Rules for IPSec Tunnels ................................................189
Specifying a Virtual Router for an IKE Policy Rule .................................189
Defining Aggressive Mode for an IKE Policy Rule ..................................190
Monitoring IPSec Tunnel Profiles .................................................................190
System Event Logs ................................................................................190
show Commands ..................................................................................191
Chapter 7 Configuring ANCP 193
Overview .....................................................................................................193
Access Topology Discovery ...................................................................194
Line Configuration ................................................................................194
Transactional Multicast .........................................................................194
OAM .....................................................................................................195
Retrieval of DSL Line Rate Parameters ..................................................195
Learning the Partition ID from an Access Node .....................................195
Platform Considerations ..............................................................................195
References ..................................................................................................196
Configuring ANCP .......................................................................................196
Creating a Listening TCP Socket for ANCP ............................................196
Accessing L2C Configuration Mode for ANCP ........................................196
Defining the ANCP Session Timeout .....................................................197
Learning the Access Node Partition ID ..................................................197
Configuring ANCP Interfaces .......................................................................198
Configuring ANCP Neighbors .......................................................................198
Accessing L2C Neighbor Configuration Mode for ANCP ........................199
Defining an ANCP Neighbor ..................................................................199
Limiting Discovery Table Entries ...........................................................200
Clearing ANCP Neighbors .....................................................................200
Configuring Topology Discovery ..................................................................200
Configuring ANCP for QoS Adaptive Mode ..................................................201
Triggering ANCP Line Configuration ............................................................202
Adjusting the Data Rate Reported by ANCP for DSL Lines ...........................202
Configuring Transactional Multicast for IGMP ..............................................203
Creating an IGMP Session for ANCP ......................................................203
ANCP IGMP Configuration Example ......................................................204
Complete Configuration Example .........................................................205
Triggering ANCP OAM .................................................................................205
Monitoring ANCP ........................................................................................206
Chapter 8 Configuring Digital Certificates 213
Overview .....................................................................................................213
Digital Certificate Terms and Acronyms ................................................213
Platform Considerations ..............................................................................214
References ..................................................................................................214
IKE Authentication with Digital Certificates .................................................215
Signature Authentication .......................................................................215
Generating Public/Private Key Pairs ......................................................216
Obtaining a Root CA Certificate ............................................................216
Obtaining a Public Key Certificate .........................................................217
Offline Certificate Enrollment .........................................................217
Online Certificate Enrollment .........................................................217
Authenticating the Peer ........................................................................218
Verifying CRLs ......................................................................................218
File Extensions ......................................................................................219
Certificate Chains ..................................................................................219
IKE Authentication Using Public Keys Without Digital Certificates ...............220
Configuration Tasks ..............................................................................220
Public Key Format ................................................................................221
Configuring Digital Certificates Using the Offline Method ............................221
Configuring Digital Certificates Using the Online Method ............................227
Configuring Peer Public Keys Without Digital Certificates ............................232
Monitoring Digital Certificates and Public Keys ...........................................237
Chapter 9 Configuring IP Tunnels 245
Overview .....................................................................................................245
GRE Tunnels .........................................................................................246
DVMRP Tunnels ....................................................................................246
Platform Considerations ..............................................................................246
Module Requirements ...........................................................................246
ERX7xx Models, ERX14xx Models, and the ERX310 Router ...........246
E120 Router and E320 Router ........................................................247
Redundancy and Tunnel Distribution ....................................................247
References ..................................................................................................247
Configuration Tasks .....................................................................................248
Configuration Example .........................................................................250
Configuring IP Tunnels to Forward IP Frames .......................................252
Preventing Recursive Tunnels ...............................................................252
Creating Multicast VPNs Using GRE Tunnels .........................................253
Monitoring IP Tunnels .................................................................................253
Chapter 10 Configuring Dynamic IP Tunnels 261
Dynamic IP Tunnel Overview ......................................................................261
Data MDT for Multicast VPNs and Dynamic IP Tunnels ........................261
Mobile IP and Dynamic IP Tunnels .......................................................262
Combining Dynamic and Static IP Tunnels in the Same Chassis ...........263
Changing and Removing Existing Dynamic IP Tunnels .........................263
Platform Considerations ..............................................................................263
Module Requirements ...........................................................................264
ERX7xx Models, ERX14xx Models, and the ERX310 Router ...........264
E120 Router and E320 Router ........................................................264
Redundancy and Tunnel Distribution ....................................................265
References ..................................................................................................265
Configuring a Destination Profile for Dynamic IP Tunnels ...........................265
Modifying the Default Destination Profile .............................................265
Modifying the Configuration of the Default Destination Profile .......265
Configuring a Destination Profile for GRE Tunnels ................................266
Creating a Destination Profile for DVMRP Tunnels ................................267
Monitoring Dynamic IP Tunnels ..................................................................270
Chapter 11 IP Reassembly for Tunnels 279
Overview .....................................................................................................279
Platform Considerations ..............................................................................280
Module Requirements ...........................................................................280
ERX7xx Models, ERX14xx Models, and the ERX310 Router ...........280
E120 Router and E320 Router ........................................................281
Configuring IP Reassembly ..........................................................................281
Monitoring IP Reassembly ...........................................................................282
Setting Statistics Baselines ....................................................................282
Displaying Statistics ..............................................................................283
Chapter 12 Securing L2TP and IP Tunnels with IPSec 287
Overview .....................................................................................................287
Tunnel Creation ....................................................................................287
IPSec Secured-Tunnel Maximums .........................................................288
Platform Considerations ..............................................................................288
Module Requirements ...........................................................................288
References ..................................................................................................288
L2TP/IPSec Tunnels .....................................................................................289
Setting Up the Secure L2TP Connection ................................................290
L2TP with IPSec Control and Data Frames ............................................291
Compatibility and Requirements ..........................................................291
Client Software Supported ..............................................................291
Interactions with NAT .....................................................................291
Interaction Between IPSec and PPP ................................................292
LNS Change of Port ........................................................................292
Group Preshared Key .....................................................................292
NAT Passthrough Mode .........................................................................292
NAT Traversal .......................................................................................293
How NAT-T Works ..........................................................................293
UDP Encapsulation .........................................................................293
UDP Statistics .................................................................................294
NAT Keepalive Messages ................................................................295
Configuring and Monitoring NAT-T .................................................295
Single-Shot Tunnels ...............................................................................295
Configuration Tasks for Client PC .........................................................296
Configuration Tasks for E Series Routers ..............................................297
Enabling IPSec Support for L2TP ...........................................................297
Configuring NAT-T ................................................................................298
Configuring Single-Shot Tunnels ...........................................................299
GRE/IPSec and DVMRP/IPSec Tunnels .........................................................300
Setting Up the Secure GRE or DVMRP Connection ................................301
Configuration Tasks ..............................................................................301
Enabling IPSec Support for GRE and DVMRP Tunnels ...........................301
Configuring IPSec Transport Profiles ...........................................................302
Monitoring DVMRP/IPSec, GRE/IPSec, and L2TP/IPSec Tunnels ...................307
System Event Logs ................................................................................307
show Commands ..................................................................................307
Chapter 13 Configuring the Mobile IP Home Agent 315
Mobile IP Overview .....................................................................................315
Mobile IP Agent Discovery ....................................................................316
Mobile IP Registration ...........................................................316
Home Address Assignment ............................................................316
Authentication ................................................................................316
AAA ................................................................................................317
Subscriber Management .................................................................318
Mobile IP Routing and Forwarding ........................................................318
Mobile IP Platform Considerations ..............................................................319
Mobile IP References ...................................................................................319
Before You Configure the Mobile IP Home Agent ........................................319
Configuring the Mobile IP Home Agent .......................................................320
Monitoring the Mobile IP Home Agent ........................................................325
Part 2 Index
Index ...........................................................................................................333

List of Figures

Part 1 Chapters
Chapter 1 Configuring Routing Policy 3
Figure 1: Applying Route Maps to Routes ........................................................6
Figure 2: Filtering with Access Lists ...............................................................23
Figure 3: Filtering with AS-Path Access Lists ..................................................24
Figure 4: Route Map Filtering ........................................................................25
Figure 5: Community Lists ............................................................................40
Chapter 2 Configuring NAT 63
Figure 6: NAPT Example ...............................................................................80
Figure 7: Bidirectional NAT Example .............................................................82
Figure 8: Twice NAT Example .......................................................................83
Figure 9: Cross-VRF Example ........................................................................85
Figure 10: PPTP Tunnels on an Inside Network .............................................87
Figure 11: PPTP Tunnels on an Outside Network ..........................................87
Chapter 5 Configuring IPSec 125
Figure 12: IPSec Tunneling Stack ................................................................129
Figure 13: IPSec Tunneling Packet Encapsulation ........................................130
Figure 14: IPSec Security Parameters in Relation to the Secure IP Interface ..........131
Figure 15: Customer A's Corporate Frame Relay Network ...........................160
Figure 16: ISP-X Uses ERX Routers to Connect Corporate Offices over the Internet ..........161
Figure 17: Connecting Customers Who Use Similar Address Schemes ........164
Chapter 7 Configuring ANCP 193
Figure 18: Using ANCP with an Access Node ...............................................204
Chapter 9 Configuring IP Tunnels 245
Figure 19: IP Tunneling ...............................................................................245
Figure 20: Transport and Tunnel Networks Using Different Routing Protocols ..........253
Chapter 11 IP Reassembly for Tunnels 279
Figure 21: Tunneling Through an IP Network That Fragments Packets ........280
Chapter 12 Securing L2TP and IP Tunnels with IPSec 287
Figure 22: L2TP with IPSec Application .......................................................290
Figure 23: L2TP/IPSec Connection ...............................................................290
Figure 24: L2TP Control Frame Encapsulated by IPSec ...............................291
Figure 25: L2TP Data Frame Encapsulated by IPSec ....................................291
Figure 26: L2TP Control Frame with NAT-T UDP Encapsulation ..................294
Figure 27: L2TP Data Frame with NAT-T UDP Encapsulation ......................294
Figure 28: IKE Packet with NAT-T UDP Encapsulation .................................294
Figure 29: GRE/IPSec Connection ................................................................301

List of Tables

About the Documentation xxiii
Table 1: Notice Icons ..................................................................................xxiv
Table 2: Text and Syntax Conventions ........................................................xxiv
Part 1 Chapters
Chapter 1 Configuring Routing Policy 3
Table 3: Match and Set Policy Values ............................................................32
Table 4: Action Based on Well-Known Community Membership ...................38
Table 5: Supported Regular Expression Metacharacters ................................45
Table 6: Sample Regular Expressions ............................................................47
Chapter 4 Configuring BFD 113
Table 7: Determining BFD Versions .............................................................117
Chapter 5 Configuring IPSec 125
Table 8: IPSec Terms and Abbreviations .....................................................125
Table 9: Security Parameters Used on Secure IP Interfaces .........................130
Table 10: Security Parameters per IPSec Policy Type ..................................132
Table 11: Supported Transforms .................................................................136
Table 12: Supported Security Transform Combinations ...............................137
Table 13: Initiator Proposals and Policy Rules .............................................142
Chapter 8 Configuring Digital Certificates 213
Table 14: Digital Certificate Terms and Acronyms .......................................213
Table 15: Outcome of IKE Phase 1 Negotiations ..........................................219
Table 16: File Extensions (Offline Configuration) .........................................219
Chapter 12 Securing L2TP and IP Tunnels with IPSec 287
Table 17: Configuration and Monitoring Tasks for NAT-T ............................295
Table 18: Differences in Handling Timeout Periods for L2TP/IPSec Tunnels ..........296

About the Documentation

E Series and JUNOSe Documentation and Release Notes on page xxiii
Audience on page xxiii
E Series and JUNOSe Text and Syntax Conventions on page xxiii
Obtaining Documentation on page xxv
Documentation Feedback on page xxv
Requesting Technical Support on page xxv

E Series and JUNOSe Documentation and Release Notes

For a list of related JUNOSe documentation, see http://www.juniper.net/techpubs/software/index.html.
If the information in the latest release notes differs from the information in the documentation, follow the JUNOSe Release Notes.
To obtain the most current version of all Juniper Networks® technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/.

Audience

This guide is intended for experienced system and network specialists working with Juniper Networks E Series Broadband Services Routers in an Internet access environment.

E Series and JUNOSe Text and Syntax Conventions

Table 1 on page xxiv defines notice icons used in this documentation.

Table 1: Notice Icons
Informational note: Indicates important features or instructions.
Caution: Indicates a situation that might result in loss of data or hardware damage.
Warning: Alerts you to the risk of personal injury or death.
Laser warning: Alerts you to the risk of personal injury from a laser.

Table 2 on page xxiv defines text and syntax conventions that we use throughout the E Series and JUNOSe documentation.

Table 2: Text and Syntax Conventions
Bold text like this: Represents commands and keywords in text.
  Examples: Issue the clock source command. Specify the keyword exp-msg.
Bold text like this: Represents text that the user must type.
  Example: host1(config)#traffic class low-loss1
Fixed-width text like this: Represents information as displayed on your terminal's screen.
  Example: host1#show ip ospf 2
           Routing Process OSPF 2 with Router ID 5.5.0.250
           Router is an Area Border Router (ABR)
Italic text like this: Emphasizes words.
  Example: There are two levels of access: user and privileged.
Italic text like this: Identifies variables.
  Example: clusterId, ipAddress.
Italic text like this: Identifies chapter, appendix, and book names.
  Example: Appendix A, System Specifications
Plus sign (+) linking key names: Indicates that you must press two or more keys simultaneously.
  Example: Press Ctrl + b.

Syntax Conventions in the Command Reference Guide
Plain text like this: Represents keywords.
  Example: terminal length
Italic text like this: Represents variables.
  Examples: mask, accessListName
| (pipe symbol): Represents a choice to select one keyword or variable to the left or to the right of this symbol. (The keyword or variable can be either optional or required.)
  Example: diagnostic | line
[ ] (brackets): Represent optional keywords or variables.
  Example: [ internal | external ]
[ ]* (brackets and asterisk): Represent optional keywords or variables that can be entered more than once.
  Example: [ level1 | level2 | l1 ]*
{ } (braces): Represent required keywords or variables.
  Examples: { permit | deny } { in | out }
            { clusterId | ipAddress }

Obtaining Documentation

To obtain the most current version of all Juniper Networks technical documentation, see the Technical Documentation page on the Juniper Networks Web site at http://www.juniper.net/.
To download complete sets of technical documentation to create your own documentation CD-ROMs or DVD-ROMs, see the Offline Documentation page at http://www.juniper.net/techpubs/resources/cdrom.html.
Copies of the Management Information Bases (MIBs) for a particular software release are available for download in the software image bundle from the Juniper Networks Web site at http://www.juniper.net/.

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation to better meet your needs. Send your comments to techpubs-comments@juniper.net, or fill out the documentation feedback form at https://www.juniper.net/cgi-bin/docbugreport/. If you are using e-mail, be sure to include the following information with your comments:
Document or topic name
URL or page number
Software release version

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.
JTAC policies: For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/customers/support/downloads/7100059-EN.pdf.
Product warranties: For product warranty information, visit http://www.juniper.net/support/warranty/.
JTAC hours of operation: The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:
Find CSC offerings: http://www.juniper.net/customers/support/
Search for known bugs: http://www2.juniper.net/kb/
Find product documentation: http://www.juniper.net/techpubs/
Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/
Search technical bulletins for relevant hardware and software notifications: https://www.juniper.net/alerts/
Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/
Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/
To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.
Use the Case Management tool in the CSC at http://www.juniper.net/cm/.
Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, see http://www.juniper.net/support/requesting support.html.
Part 1
Chapters
Configuring Routing Policy on page 3
Configuring NAT on page 63
Configuring J-Flow Statistics on page 95
Configuring BFD on page 113
Configuring IPSec on page 125
Configuring Dynamic IPSec Subscribers on page 177
Configuring ANCP on page 193
Configuring Digital Certificates on page 213
Configuring IP Tunnels on page 245
Configuring Dynamic IP Tunnels on page 261
IP Reassembly for Tunnels on page 279
Securing L2TP and IP Tunnels with IPSec on page 287
Configuring the Mobile IP Home Agent on page 315
Chapter 1
Configuring Routing Policy
This chapter provides information about configuring routing policy for your E Series router. It describes routing policy configuration in general as it might be used with various routing protocols, such as Border Gateway Protocol (BGP), Intermediate System to Intermediate System (IS-IS), Open Shortest Path First (OSPF), and Routing Information Protocol (RIP).
This chapter contains the following sections:
Overview on page 3
Platform Considerations on page 4
References on page 4
Route Maps on page 4
Match Policy Lists on page 20
Access Lists on page 21
Using the Null Interface on page 33
Prefix Lists on page 33
Prefix Trees on page 36
Community Lists on page 38
Using Regular Expressions on page 44
Managing the Routing Table on page 49
Troubleshooting Routing Policy on page 50
Monitoring Routing Policy on page 50

Overview

Routing policy determines how the system handles the routes it receives from and sends to neighboring routers. In many cases, routing policy consists of the following:
Filtering routes
Accepting certain routes
Accepting and modifying other routes
Rejecting some routes
Determining the routing protocol used to distribute the routes
You can think of routing policy as a way to control the flow of routes into and out of the router.
The decision about which routes to accept from and advertise to various neighbors has an important impact on the traffic that crosses a network. Routing policy is used to enforce business agreements between two or more Internet service providers (ISPs) concerning the amount and type of traffic that is allowed to pass between them.
You can use one or more of the following mechanisms to configure routing policy:
Route Maps on page 4
Match Policy Lists on page 20
Access Lists on page 21
Prefix Lists on page 33
Prefix Trees on page 36
Community Lists on page 38

Platform Considerations

Configuring routing policies is supported on all E Series routers.
For information about the modules supported on E Series routers:
See the ERX Module Guide for modules supported on ERX7xx models, ERX14xx models, and the Juniper Networks ERX310 Broadband Services Router.
See the E120 and E320 Module Guide for modules supported on the Juniper Networks E120 and E320 Broadband Services Routers.

References

For more information about the protocols discussed in this chapter, see their respective chapters in this guide and in other guides within the JUNOSe documentation set, and the References sections within those chapters.

Route Maps

You can use route maps to control and modify routing information and to define conditions for redistributing routes between routing domains. You can apply route maps to inbound, outbound, or redistribution routes. A route map consists of match clauses and set clauses.
Match clauses specify the attribute values that determine whether a route matches the route map. A route that has the same attribute values passes the match condition. Routes that pass all the match conditions match the route map. You issue match commands to define the match conditions for a route map. You can specify the match conditions in any order. If you do not specify any match conditions in a route map, that route map matches all routes.
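The match-clause rules just described (every match condition must pass, a route map with no match conditions matches every route, and set clauses modify the routes that are accepted) can be illustrated with a small model. The following Python is an added example written for this edit; it is not JUNOSe code and not the router's implementation. The permit/deny action on each entry, first-match ordering, and the implicit rejection of a route that matches no entry are assumptions of the model rather than statements from this excerpt, and the match clauses here compare whole attribute values instead of using the access lists and prefix lists covered later in the chapter. The prefixes, next hops, and community value are constructed sample data.

```python
"""Model of route-map match/set evaluation as described in the chapter text.

Added illustration, not JUNOSe code. A route is a dict of attribute values;
a match clause is (attribute, set of acceptable values). Permit/deny
actions, first-match ordering and the implicit deny at the end of the map
are assumptions of this model.
"""
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional, Set

Route = Dict[str, Any]


@dataclass
class RouteMapEntry:
    """One entry of a route map: an action, match clauses and set clauses."""
    action: str                                        # "permit" or "deny" (assumed)
    matches: Dict[str, Set[Any]] = field(default_factory=dict)
    sets: Dict[str, Any] = field(default_factory=dict)

    def matches_route(self, route: Route) -> bool:
        # A route passes a match clause when its attribute has one of the
        # listed values; the entry matches only when every clause passes.
        # all() over an empty dict is True, so an entry with no match
        # clauses matches every route, as the text describes.
        return all(route.get(attr) in allowed
                   for attr, allowed in self.matches.items())


def apply_route_map(entries: List[RouteMapEntry], route: Route) -> Optional[Route]:
    """Return the (possibly modified) route if accepted, or None if rejected."""
    for entry in entries:
        if not entry.matches_route(route):
            continue
        if entry.action == "deny":
            return None
        accepted = dict(route)        # never mutate the caller's route
        accepted.update(entry.sets)   # set clauses overwrite attribute values
        return accepted
    return None                       # assumed implicit deny: no entry matched


def filter_routes(entries: List[RouteMapEntry], routes: List[Route]) -> List[Route]:
    """Apply the map to every inbound route and drop the rejected ones."""
    results = []
    for route in routes:
        out = apply_route_map(entries, route)
        if out is not None:
            results.append(out)
    return results


# Constructed sample inbound policy for routes learned from a neighbor:
#  1. reject announcements of private (RFC 1918) address space,
#  2. raise local preference for routes the neighbor tagged with 65000:100,
#  3. accept everything else unchanged (no match clauses, so it matches all).
INBOUND_POLICY = [
    RouteMapEntry("deny", matches={"prefix": {"10.0.0.0/8", "172.16.0.0/12",
                                              "192.168.0.0/16"}}),
    RouteMapEntry("permit", matches={"community": {"65000:100"}},
                  sets={"local_preference": 200}),
    RouteMapEntry("permit"),
]

# Constructed sample routes (documentation address ranges, not real announcements).
SAMPLE_ROUTES: List[Route] = [
    {"prefix": "10.0.0.0/8", "next_hop": "203.0.113.1", "local_preference": 100},
    {"prefix": "198.51.100.0/24", "next_hop": "203.0.113.1",
     "community": "65000:100", "local_preference": 100},
    {"prefix": "192.0.2.0/24", "next_hop": "203.0.113.1", "local_preference": 100},
]

if __name__ == "__main__":
    for accepted in filter_routes(INBOUND_POLICY, SAMPLE_ROUTES):
        print(accepted)
```

Running the block shows the first route rejected, the second accepted with its local preference raised to 200, and the third accepted unchanged; the original route dicts are never modified, which is the behaviour a reader should expect when the same route is evaluated against several policies.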