Juniper Networks, the Juniper Networks logo, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other
countries. JUNOS and JUNOSe are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service
marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or
otherwise revise this publication without notice.
Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed
to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347,
6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
The information in this document is current as of the date listed in the revision history.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. The JUNOS software has no known time-related limitations through the year
2038. However, the NTP application is known to have some difficulty in the year 2036.
SOFTWARE LICENSE
The terms and conditions for using this software are described in the software license contained in the acknowledgment to your purchase order or, to the
extent applicable, to any reseller agreement or end-user purchase agreement executed between you and Juniper Networks. By using this software, you
indicate that you understand and agree to be bound by those terms and conditions. Generally speaking, the software license restricts the manner in which
you are permitted to use the software and may contain prohibitions against certain uses. The software license may state conditions under which the license
is automatically terminated. You should consult the license for further details. For complete product documentation, please see the Juniper Networks Web
site at www.juniper.net/techpubs.
End User License Agreement
READ THIS END USER LICENSE AGREEMENT (“AGREEMENT”) BEFORE DOWNLOADING, INSTALLING, OR USING THE SOFTWARE. BY DOWNLOADING,
INSTALLING, OR USING THE SOFTWARE OR OTHERWISE EXPRESSING YOUR AGREEMENT TO THE TERMS CONTAINED HEREIN, YOU (AS CUSTOMER
OR IF YOU ARE NOT THE CUSTOMER, AS A REPRESENTATIVE/AGENT AUTHORIZED TO BIND THE CUSTOMER) CONSENT TO BE BOUND BY THIS
AGREEMENT. IF YOU DO NOT OR CANNOT AGREE TO THE TERMS CONTAINED HEREIN, THEN (A) DO NOT DOWNLOAD, INSTALL, OR USE THE SOFTWARE,
AND (B) YOU MAY CONTACT JUNIPER NETWORKS REGARDING LICENSE TERMS.
1. The Parties. The parties to this Agreement are Juniper Networks, Inc. and its subsidiaries (collectively “Juniper”), and the person or organization that
originally purchased from Juniper or an authorized Juniper reseller the applicable license(s) for use of the Software (“Customer”) (collectively, the “Parties”).
2. The Software. In this Agreement, “Software” means the program modules and features of the Juniper or Juniper-supplied software, and updates and
releases of such software, for which Customer has paid the applicable license or support fees to Juniper or an authorized Juniper reseller. “Embedded
Software” means Software which Juniper has embedded in the Juniper equipment.
3. License Grant. Subject to payment of the applicable fees and the limitations and restrictions set forth herein, Juniper grants to Customer a non-exclusive
and non-transferable license, without right to sublicense, to use the Software, in executable form only, subject to the following use restrictions:
a. Customer shall use the Embedded Software solely as embedded in, and for execution on, Juniper equipment originally purchased by Customer from
Juniper or an authorized Juniper reseller.
b. Customer shall use the Software on a single hardware chassis having a single processing unit, or as many chassis or processing units for which Customer
has paid the applicable license fees; provided, however, with respect to the Steel-Belted Radius or Odyssey Access Client software only, Customer shall use
such Software on a single computer containing a single physical random access memory space and containing any number of processors. Use of the
Steel-Belted Radius software on multiple computers requires multiple licenses, regardless of whether such computers are physically contained on a single
chassis.
c. Product purchase documents, paper or electronic user documentation, and/or the particular licenses purchased by Customer may specify limits to
Customer’s use of the Software. Such limits may restrict use to a maximum number of seats, registered endpoints, concurrent users, sessions, calls,
connections, subscribers, clusters, nodes, realms, devices, links, ports or transactions, or require the purchase of separate licenses to use particular features,
functionalities, services, applications, operations, or capabilities, or provide throughput, performance, configuration, bandwidth, interface, processing,
temporal, or geographical limits. In addition, such limits may restrict the use of the Software to managing certain kinds of networks or require the Software
to be used only in conjunction with other specific Software. Customer’s use of the Software shall be subject to all such limitations and purchase of all applicable
licenses.
d. For any trial copy of the Software, Customer’s right to use the Software expires 30 days after download, installation or use of the Software. Customer
may operate the Software after the 30-day trial period only if Customer pays for a license to do so. Customer may not extend or create an additional trial
period by re-installing the Software after the 30-day trial period.
e. The Global Enterprise Edition of the Steel-Belted Radius software may be used by Customer only to manage access to Customer’s enterprise network.
Specifically, service provider customers are expressly prohibited from using the Global Enterprise Edition of the Steel-Belted Radius software to support any
commercial network access services.
The foregoing license is not transferable or assignable by Customer. No license is granted herein to any user who did not originally purchase the applicable
license(s) for the Software from Juniper or an authorized Juniper reseller.
4. Use Prohibitions. Notwithstanding the foregoing, the license provided herein does not permit the Customer to, and Customer agrees not to and shall
not: (a) modify, unbundle, reverse engineer, or create derivative works based on the Software; (b) make unauthorized copies of the Software (except as
necessary for backup purposes); (c) rent, sell, transfer, or grant any rights in and to any copy of the Software, in any form, to any third party; (d) remove
any proprietary notices, labels, or marks on or in any copy of the Software or any product in which the Software is embedded; (e) distribute any copy of
the Software to any third party, including as may be embedded in Juniper equipment sold in the secondhand market; (f) use any ‘locked’ or key-restricted
feature, function, service, application, operation, or capability without first purchasing the applicable license(s) and obtaining a valid key from Juniper, even
if such feature, function, service, application, operation, or capability is enabled without a key; (g) distribute any key for the Software provided by Juniper
to any third party; (h) use the Software in any manner that extends or is broader than the uses purchased by Customer from Juniper or an authorized Juniper
reseller; (i) use the Embedded Software on non-Juniper equipment; (j) use the Software (or make it available for use) on Juniper equipment that the Customer
did not originally purchase from Juniper or an authorized Juniper reseller; (k) disclose the results of testing or benchmarking of the Software to any third
party without the prior written consent of Juniper; or (l) use the Software in any manner other than as expressly provided herein.
5. Audit. Customer shall maintain accurate records as necessary to verify compliance with this Agreement. Upon request by Juniper, Customer shall furnish
such records to Juniper and certify its compliance with this Agreement.
6. Confidentiality. The Parties agree that aspects of the Software and associated documentation are the confidential property of Juniper. As such, Customer
shall exercise all reasonable commercial efforts to maintain the Software and associated documentation in confidence, which at a minimum includes
restricting access to the Software to Customer employees and contractors having a need to use the Software for Customer’s internal business purposes.
7. Ownership. Juniper and Juniper's licensors, respectively, retain ownership of all right, title, and interest (including copyright) in and to the Software,
associated documentation, and all copies of the Software. Nothing in this Agreement constitutes a transfer or conveyance of any right, title, or interest in
the Software or associated documentation, or a sale of the Software, associated documentation, or copies of the Software.
8. Warranty, Limitation of Liability, Disclaimer of Warranty. The warranty applicable to the Software shall be as set forth in the warranty statement that
accompanies the Software (the “Warranty Statement”). Nothing in this Agreement shall give rise to any obligation to support the Software. Support services
may be purchased separately. Any such support shall be governed by a separate, written support services agreement. TO THE MAXIMUM EXTENT PERMITTED
BY LAW, JUNIPER SHALL NOT BE LIABLE FOR ANY LOST PROFITS, LOSS OF DATA, OR COSTS OR PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES,
OR FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, THE SOFTWARE, OR ANY JUNIPER OR
JUNIPER-SUPPLIED SOFTWARE. IN NO EVENT SHALL JUNIPER BE LIABLE FOR DAMAGES ARISING FROM UNAUTHORIZED OR IMPROPER USE OF ANY
JUNIPER OR JUNIPER-SUPPLIED SOFTWARE. EXCEPT AS EXPRESSLY PROVIDED IN THE WARRANTY STATEMENT TO THE EXTENT PERMITTED BY LAW,
JUNIPER DISCLAIMS ANY AND ALL WARRANTIES IN AND TO THE SOFTWARE (WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE), INCLUDING
ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT DOES JUNIPER
WARRANT THAT THE SOFTWARE, OR ANY EQUIPMENT OR NETWORK RUNNING THE SOFTWARE, WILL OPERATE WITHOUT ERROR OR INTERRUPTION,
OR WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK. In no event shall Juniper’s or its suppliers’ or licensors’ liability to Customer, whether
in contract, tort (including negligence), breach of warranty, or otherwise, exceed the price paid by Customer for the Software that gave rise to the claim, or
if the Software is embedded in another Juniper product, the price paid by Customer for such other product. Customer acknowledges and agrees that Juniper
has set its prices and entered into this Agreement in reliance upon the disclaimers of warranty and the limitations of liability set forth herein, that the same
reflect an allocation of risk between the Parties (including the risk that a contract remedy may fail of its essential purpose and cause consequential loss),
and that the same form an essential basis of the bargain between the Parties.
9. Termination. Any breach of this Agreement or failure by Customer to pay any applicable fees due shall result in automatic termination of the license
granted herein. Upon such termination, Customer shall destroy or return to Juniper all copies of the Software and related documentation in Customer’s
possession or control.
10. Taxes. All license fees for the Software are exclusive of taxes, withholdings, duties, or levies (collectively “Taxes”). Customer shall be responsible for
paying Taxes arising from the purchase of the license, or importation or use of the Software.
11. Export. Customer agrees to comply with all applicable export laws and restrictions and regulations of any United States and any applicable foreign
agency or authority, and not to export or re-export the Software or any direct product thereof in violation of any such restrictions, laws or regulations, or
without all necessary approvals. Customer shall be liable for any such violations. The version of the Software supplied to Customer may contain encryption
or other capabilities restricting Customer’s ability to export the Software without an export license.
12. Commercial Computer Software. The Software is “commercial computer software” and is provided with restricted rights. Use, duplication, or disclosure
by the United States government is subject to restrictions set forth in this Agreement and as provided in DFARS 227.7201 through 227.7202-4, FAR 12.212,
FAR 27.405(b)(2), FAR 52.227-19, or FAR 52.227-14(ALT III) as applicable.
13. Interface Information. To the extent required by applicable law, and at Customer's written request, Juniper shall provide Customer with the interface
information needed to achieve interoperability between the Software and another independently created program, on payment of applicable fee, if any.
Customer shall observe strict obligations of confidentiality with respect to such information and shall use such information in compliance with any applicable
terms and conditions upon which Juniper makes such information available.
14. Third Party Software. Any licensor of Juniper whose software is embedded in the Software and any supplier of Juniper whose products or technology
are embedded in (or services are accessed by) the Software shall be a third party beneficiary with respect to this Agreement, and such licensor or vendor
shall have the right to enforce this Agreement in its own name as if it were Juniper. In addition, certain third party software may be provided with the
Software and is subject to the accompanying license(s), if any, of its respective owner(s). To the extent portions of the Software are distributed under and
subject to open source licenses obligating Juniper to make the source code for such portions publicly available (such as the GNU General Public License
(“GPL”) or the GNU Library General Public License (“LGPL”)), Juniper will make such source code portions (including Juniper modifications, as appropriate)
available upon request for a period of up to three years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194
N. Mathilda Ave., Sunnyvale, CA 94089, ATTN: General Counsel. You may obtain a copy of the GPL at http://www.gnu.org/licenses/gpl.html, and a copy of
the LGPL at http://www.gnu.org/licenses/lgpl.html.
15. Miscellaneous. This Agreement shall be governed by the laws of the State of California without reference to its conflicts of laws principles. The provisions
of the U.N. Convention for the International Sale of Goods shall not apply to this Agreement. For any disputes arising under this Agreement, the Parties
hereby consent to the personal and exclusive jurisdiction of, and venue in, the state and federal courts within Santa Clara County, California. This Agreement
constitutes the entire and sole agreement between Juniper and the Customer with respect to the Software, and supersedes all prior and contemporaneous
agreements relating to the Software, whether oral or written (including any inconsistent terms contained in a purchase order), except that the terms of a
separate written agreement executed by an authorized Juniper representative and Customer shall govern to the extent such terms are inconsistent or conflict
with terms contained herein. No modification to this Agreement nor any waiver of any rights hereunder shall be effective unless expressly assented to in
writing by the party to be charged. If any portion of this Agreement is held invalid, the Parties agree that such invalidity shall not affect the validity of the
remainder of this Agreement. This Agreement and associated documentation has been written in the English language, and the Parties agree that the English
version will govern. (For Canada: Les parties aux présentés confirment leur volonté que cette convention de même que tous les documents y compris tout
avis qui s'y rattaché, soient redigés en langue anglaise. (Translation: The parties confirm that this Agreement and all related documentation is and will be
in the English language)).
Abbreviated Table of Contents

About This Guide ............................................................ xv

Part 1: Configuring a Services Router for Administration
Chapter 1: Managing User Authentication and Access ........................... 3
Chapter 2: Setting Up USB Modems for Remote Management ...................... 29
Chapter 3: Configuring SNMP for Network Management .......................... 47
Chapter 4: Configuring the Router as a DHCP Server .......................... 63
Chapter 5: Configuring Autoinstallation ..................................... 81
Chapter 6: Automating Network Operations and Troubleshooting ................ 89

Part 2: Monitoring a Services Router
Chapter 7: Monitoring the Router and Routing Operations .................... 101
Chapter 8: Monitoring Events and Managing System Log Files ................. 155
Chapter 9: Configuring and Monitoring Alarms ............................... 165

Part 3: Managing Services Router Software
Chapter 10: Performing Software Upgrades and Reboots ....................... 179

Index ...................................................................... 291
About This Guide
This preface provides the following guidelines for using the J-series™ Services Router
Administration Guide:
■ Objectives on page xv
■ Audience on page xv
■ How to Use This Guide on page xvi
■ Document Conventions on page xvii
■ Related Juniper Networks Documentation on page xviii
■ Documentation Feedback on page xxi
■ Requesting Technical Support on page xxi
Objectives
This guide contains instructions for managing users and operations, monitoring
network performance, upgrading software, and diagnosing common problems on
J-series Services Routers.
J-series Services Router operations are controlled by the JUNOS software. You direct
the JUNOS software through either a Web browser or a command-line interface (CLI).
Audience
NOTE: This guide documents Release 9.1 of the JUNOS software. For additional
information about J-series Services Routers—either corrections to or omissions from
this guide—see the J-series Services Router Release Notes at http://www.juniper.net.
This guide is designed for anyone who installs and sets up a J-series Services Router
or prepares a site for Services Router installation. The guide is intended for the
following audiences:
■ Customers with technical knowledge of and experience with networks and the Internet
■ Network administrators who install, configure, and manage Internet routers but are unfamiliar with the JUNOS software
■ Network administrators who install, configure, and manage products of Juniper Networks
J-series™ Services Router Administration Guide
Personnel operating the equipment must be trained and competent; must not conduct
themselves in a careless, willfully negligent, or hostile manner; and must abide by
the instructions provided by the documentation.
How to Use This Guide
J-series documentation explains how to install, configure, and manage J-series routers
by providing information about JUNOS implementation specifically on J-series routers.
(For comprehensive JUNOS information, see the JUNOS software manuals listed in
“Related Juniper Networks Documentation” on page xviii.) Table 1 on page xvi shows
the location of J-series information, by task type, in Juniper Networks documentation.
Table 1: Location of J-series Information

Location of Instruction
  J-series Tasks

Getting Started Guide for your router
  Installing hardware and establishing basic connectivity

J-series Services Router Basic LAN and WAN Access Configuration Guide
  Configuring interfaces and routing protocols such as RIP, OSPF, BGP, and IS-IS

J-series Services Router Advanced WAN Access Configuration Guide
  Configuring advanced features such as virtual private networks (VPNs), IP Security (IPSec), multicast, routing policies, firewall filters, and class of service (CoS)

J-series Services Router Administration Guide
  Managing users and operations, monitoring network performance, upgrading software, and diagnosing common problems

J-Web Interface User Guide
  Using the J-Web interface

JUNOS CLI User Guide
  Using the CLI

Typically, J-series documentation provides both general and specific information—for
example, a configuration overview, configuration examples, and verification methods.
Because you can configure and manage J-series routers in several ways, you can
choose from multiple sets of instructions to perform a task. To make best use of this
information:
■ If you are new to the topic—Read through the initial overview information, keep the related JUNOS guide handy for details about the JUNOS hierarchy, and follow the step-by-step instructions for your preferred interface.
■ If you are already familiar with the feature—Go directly to the instructions for the interface of your choice, and follow the instructions. You can choose a J-Web method, the JUNOS CLI, or a combination of methods based on the level of complexity or your familiarity with the interface.
For many J-series features, you can use J-Web Quick Configuration pages to configure
the router quickly and easily without configuring each statement individually. For
more extensive configuration, use the J-Web configuration editor or CLI configuration
mode commands.
To monitor, diagnose, and manage a router, use the J-Web interface or CLI operational
mode commands.
Document Conventions
Table 2 on page xvii defines the notice icons used in this guide.

Table 2: Notice Icons

Informational note
  Indicates important features or instructions.

Caution
  Indicates a situation that might result in loss of data or hardware damage.

Warning
  Alerts you to the risk of personal injury or death.

Laser warning
  Alerts you to the risk of personal injury from a laser.

Table 3 on page xvii defines the text and syntax conventions used in this guide.

Table 3: Text and Syntax Conventions

Bold text like this
  Description: Represents text that you type.
  Example: To enter configuration mode, type the configure command:
    user@host> configure

Fixed-width text like this
  Description: Represents output that appears on the terminal screen.
  Example:
    user@host> show chassis alarms
    No alarms currently active

Italic text like this
  Description:
    ■ Introduces important new terms.
    ■ Identifies book names.
    ■ Identifies RFC and Internet draft titles.
  Examples:
    ■ A policy term is a named structure that defines match conditions and actions.
    ■ JUNOS System Basics Configuration Guide
    ■ RFC 1997, BGP Communities Attribute

Italic text like this
  Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
  Example: Configure the machine’s domain name:
    [edit]
    root@# set system domain-name domain-name

Plain text like this
  Description: Represents names of configuration statements, commands, files, and directories; IP addresses; configuration hierarchy levels; or labels on routing platform components.
  Examples:
    ■ To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
    ■ The console port is labeled CONSOLE.

< > (angle brackets)
  Description: Enclose optional keywords or variables.
  Example: stub <default-metric metric>;

| (pipe symbol)
  Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
  Examples:
    broadcast | multicast
    (string1 | string2 | string3)

# (pound sign)
  Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
  Example: rsvp { # Required for dynamic MPLS only

[ ] (square brackets)
  Description: Enclose a variable for which you can substitute one or more values.
  Example: community name members [ community-ids ]

Indention and braces ( { } )
  Description: Identify a level in the configuration hierarchy.
  Example:
    [edit]
    routing-options {
        static {
            route default {
                nexthop address;
                retain;
            }
        }
    }

; (semicolon)
  Description: Identifies a leaf statement at a configuration hierarchy level.
  Example: the nexthop address; and retain; statements in the routing-options example above.

J-Web GUI Conventions

Bold text like this
  Description: Represents J-Web graphical user interface (GUI) items you click or select.
  Examples:
    ■ In the Logical Interfaces box, select All Interfaces.
    ■ To cancel the configuration, click Cancel.

> (bold right angle bracket)
  Description: Separates levels in a hierarchy of J-Web selections.
  Example: In the configuration editor hierarchy, select Protocols>Ospf.

Related Juniper Networks Documentation

J-series Services Routers are documented in multiple guides. Although the J-series
guides provide instructions for configuring and managing a Services Router with the
JUNOS CLI, they are not a comprehensive JUNOS software resource. For complete
documentation of the statements and commands described in J-series guides, see
the JUNOS software manuals listed in Table 4 on page xix.
Table 4: J-series Guides and Related JUNOS Software Publications

Each entry gives the chapter (or chapters) in a J-series guide, followed by the corresponding JUNOS software manuals.

Getting Started Guide for Your Router

  Chapters: “Services Router User Interface Overview”; “Establishing Basic Connectivity”
  JUNOS manuals: JUNOS CLI User Guide; JUNOS System Basics Configuration Guide

J-series Services Router Basic LAN and WAN Access Configuration Guide

  Chapter: “Using Services Router Configuration Tools”
  JUNOS manuals: JUNOS CLI User Guide; JUNOS System Basics Configuration Guide

  Chapters: “Interfaces Overview”; “Configuring DS1, DS3, Ethernet, and Serial Interfaces”; “Configuring Channelized T1/E1/ISDN PRI Interfaces”; “Configuring Digital Subscriber Line Interfaces”; “Configuring Point-to-Point Protocol over Ethernet”; “Configuring ISDN”
  JUNOS manuals: JUNOS Network Interfaces Configuration Guide; JUNOS Interfaces Command Reference

  Chapter: “Configuring Link Services Interfaces”
  JUNOS manuals: JUNOS Services Interfaces Configuration Guide; JUNOS System Basics and Services Command Reference

  Chapter: “Configuring VoIP”
  JUNOS manuals: JUNOS Network Interfaces Configuration Guide; JUNOS Interfaces Command Reference

  Chapters: “Configuring uPIMs as Ethernet Switches”; “Routing Overview”; “Configuring Static Routes”; “Configuring a RIP Network”; “Configuring an OSPF Network”; “Configuring the IS-IS Protocol”; “Configuring BGP Sessions”
  JUNOS manuals: JUNOS Network Interfaces Configuration Guide; JUNOS System Basics Configuration Guide; JUNOS System Basics and Services Command Reference; JUNOS Routing Protocols Configuration Guide; JUNOS Routing Protocols and Policies Command Reference

J-series Services Router Advanced WAN Access Configuration Guide

  Chapters: “Multiprotocol Label Switching Overview”; “Configuring Signaling Protocols for Traffic Engineering”
  JUNOS manuals: JUNOS MPLS Applications Configuration Guide; JUNOS Routing Protocols and Policies Command Reference

  Chapters: “Configuring Virtual Private Networks”; “Configuring CLNS VPNs”
  JUNOS manuals: JUNOS VPNs Configuration Guide

  Chapter: “Configuring IPSec for Secure Packet Exchange”
  JUNOS manuals: JUNOS System Basics Configuration Guide; JUNOS Services Interfaces Configuration Guide; JUNOS System Basics and Services Command Reference

  Chapters: “Multicast Overview”; “Configuring a Multicast Network”
  JUNOS manuals: JUNOS Multicast Protocols Configuration Guide; JUNOS Routing Protocols and Policies Command Reference

  Chapter: “Configuring Data Link Switching”
  JUNOS manuals: JUNOS Services Interfaces Configuration Guide; JUNOS System Basics and Services Command Reference

  Chapters: “Policy Framework Overview”; “Configuring Routing Policies”
  JUNOS manuals: JUNOS Policy Framework Configuration Guide; JUNOS Routing Protocols and Policies Command Reference

  Chapters: “Configuring NAT”; “Configuring Stateful Firewall Filters and NAT”; “Configuring Stateless Firewall Filters”
  JUNOS manuals: JUNOS Network Interfaces Configuration Guide; JUNOS Policy Framework Configuration Guide; JUNOS Services Interfaces Configuration Guide; Secure Configuration Guide for Common Criteria and JUNOS-FIPS; JUNOS System Basics and Services Command Reference; JUNOS Routing Protocols and Policies Command Reference

  Chapters: “Class-of-Service Overview”; “Configuring Class of Service”
  JUNOS manuals: JUNOS Class of Service Configuration Guide; JUNOS System Basics and Services Command Reference

J-series Services Router Administration Guide

  Chapters: “Managing User Authentication and Access”; “Configuring SNMP for Network Management”; “Configuring Autoinstallation”; “Monitoring the Router and Routing Operations”; “Monitoring Events and Managing System Log Files”
  JUNOS manuals: JUNOS System Basics Configuration Guide; Secure Configuration Guide for Common Criteria and JUNOS-FIPS; JUNOS System Basics and Services Command Reference; JUNOS Interfaces Command Reference; JUNOS Routing Protocols and Policies Command Reference; JUNOS System Log Messages Reference

  Chapter: “Setting Up USB Modems for Remote Management”
  JUNOS manuals: JUNOS Network Management Configuration Guide

  Chapter: “Configuring the Router as a DHCP Server”
  JUNOS manuals: JUNOS System Basics Configuration Guide

  Chapter: “Automating Network Operations and Troubleshooting”
  JUNOS manuals: JUNOS Configuration and Diagnostic Automation Guide

  Chapter: “Configuring and Monitoring Alarms”
  JUNOS manuals: JUNOS System Basics Configuration Guide

  Chapter: “Performing Software Upgrades and Reboots”
  JUNOS manuals: JUNOS Software Installation and Upgrade Guide

  Chapter: “Managing Files”
  JUNOS manuals: JUNOS System Basics Configuration Guide

  Chapter: “Using Services Router Diagnostic Tools”
  JUNOS manuals: JUNOS System Basics and Services Command Reference; JUNOS Interfaces Command Reference; JUNOS Routing Protocols and Policies Command Reference

  Chapter: “Configuring RPM Probes”
  JUNOS manuals: JUNOS System Basics and Services Command Reference

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can
improve the documentation. You can send your comments to
techpubs-comments@juniper.net, or fill out the documentation feedback form at
http://www.juniper.net/techpubs/docbug/docbugreport.html. If you are using e-mail, be sure
to include the following information with your comments:
■ Document name
■ Document part number
■ Page number
■ Software release version (not required for Network Operations Guides [NOGs])

Requesting Technical Support
Technical product support is available through the Juniper Networks Technical
Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support
contract, or are covered under warranty, and need postsales technical support, you
can access our tools and resources online or open a case with JTAC.
■ JTAC policies—For a complete understanding of our JTAC procedures and policies,
■ JTAC Hours of Operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online
self-service portal called the Customer Support Center (CSC) that provides you with
the following features:
■ Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
■ Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/
■ Search technical bulletins for relevant hardware and software notifications: https://www.juniper.net/alerts/
■ Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/
■ Open a case online in the CSC Case Manager: http://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number
Entitlement (SNE) Tool located at https://tools.juniper.net/SerialNumberEntitlementSearch/.

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.
■ Use the Case Manager tool in the CSC at http://www.juniper.net/cm/.
■ Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, visit
us at http://www.juniper.net/support/requesting-support.html.
Part 1
Configuring a Services Router for
Administration
■Managing User Authentication and Access on page 3
■Setting Up USB Modems for Remote Management on page 29
■Configuring SNMP for Network Management on page 47
■Configuring the Router as a DHCP Server on page 63
■Configuring Autoinstallation on page 81
■Automating Network Operations and Troubleshooting on page 89
Chapter 1
Managing User Authentication and Access
You can use either J-Web Quick Configuration or a configuration editor to manage
system functions, including RADIUS and TACACS+ servers, and user login accounts.
This chapter contains the following topics. For more information about system
management, see the JUNOS System Basics Configuration Guide.
If the router is operating in a Common Criteria environment, see the Secure Configuration Guide for Common Criteria and JUNOS-FIPS.
■User Authentication Terms on page 3
■User Authentication Overview on page 4
■Before You Begin on page 8
■Managing User Authentication with Quick Configuration on page 8
■Managing User Authentication with a Configuration Editor on page 12
■Recovering the Root Password on page 21
■Securing the Console Port on page 23
■Accessing Remote Devices with the CLI on page 24
■Configuring Password Retry Limits for Telnet and SSH Access on page 26
User Authentication Terms
Before performing system management tasks, become familiar with the terms defined
in Table 5 on page 3.
Table 5: System Management Terms
Term: Definition
Remote Authentication Dial-In User Service (RADIUS): Authentication method for
validating users who attempt to access one or more Services Routers by means of
Telnet. RADIUS is a multivendor IETF standard whose features are more widely
accepted than those of TACACS+ or other proprietary systems. All one-time-password
system vendors support RADIUS.
Terminal Access Controller Access Control System Plus (TACACS+): Authentication
method for validating users who attempt to access one or more Services Routers by
means of Telnet.
User Authentication Overview
This section contains the following topics:
■User Authentication on page 4
■User Accounts on page 4
■Login Classes on page 5
■Template Accounts on page 7
User Authentication
The JUNOS software supports three methods of user authentication: local password
authentication, Remote Authentication Dial-In User Service (RADIUS), and Terminal
Access Controller Access Control System Plus (TACACS+).
With local password authentication, you configure a password for each user allowed
to log into the Services Router.
RADIUS and TACACS+ are authentication methods for validating users who attempt
to access the router using Telnet. Both are distributed client/server systems—the
RADIUS and TACACS+ clients run on the router, and the server runs on a remote
network system.
You can configure the router to use RADIUS or TACACS+ authentication, or both,
to validate users who attempt to access the router. If you set up both authentication
methods, you also can configure which the router will try first.
User Accounts
User accounts provide one way for users to access the Services Router. Users can
access the router without accounts if you configured RADIUS or TACACS+ servers,
as described in “Managing User Authentication with Quick Configuration” on page
8 and “Managing User Authentication with a Configuration Editor” on page 12.
After you have created an account, the router creates a home directory for the user.
An account for the user root is always present in the configuration. For information
about configuring the password for the user root, see the Getting Started Guide for
your router. For each user account, you can define the following:
■Username—Name that identifies the user. It must be unique within the router.
Do not include spaces, colons, or commas in the username.
■User's full name—If the full name contains spaces, enclose it in quotation marks
(“”). Do not include colons or commas.
■User identifier (UID)—Numeric identifier that is associated with the user account
name. The identifier must be in the range 100 through 64000 and must be unique
within the router. If you do not assign a UID to a username, the software assigns
one when you commit the configuration, preferring the lowest available number.
■User's access privilege—You can create login classes with specific permission
bits or use one of the default classes listed in Table 6 on page 5.
■Authentication method or methods and passwords that the user can use to access
the router—You can use SSH or an MD5 password, or you can enter a plain-text
password that the JUNOS software encrypts using MD5-style encryption before
entering it in the password database. If you configure the plain-text-password
option, you are prompted to enter and confirm the password.
Login Classes
All users who log into the Services Router must be in a login class. You can define
any number of login classes. With login classes, you define the following:
■Access privileges users have when they are logged into the router. For more
information, see “Permission Bits” on page 5.
■Commands and statements that users can and cannot specify. For more
information, see “Denying or Allowing Individual Commands” on page 7.
■How long a login session can be idle before it times out and the user is logged
off.
You then apply one login class to an individual user account. The software contains
a few predefined login classes, which are listed in Table 6 on page 5. The predefined
login classes cannot be modified.
Table 6: Predefined Login Classes
Login Class: Permission Bits Set
operator: clear, network, reset, trace, view
read-only: view
super-user and superuser: all
unauthorized: None
Permission Bits
Each top-level command-line interface (CLI) command and each configuration
statement has an access privilege level associated with it. Users can execute only
those commands and configure and view only those statements for which they have
access privileges. The access privileges for each login class are defined by one or
more permission bits (see Table 7 on page 6).
Two forms for the permissions control the individual parts of the configuration:
■"Plain" form—Provides read-only capability for that permission type. An example
is interface.
■Form that ends in -control—Provides read and write capability for that permission
type. An example is interface-control.
Table 7: Permission Bits for Login Classes
Permission Bit: Access
admin: Can view user account information in configuration mode and with the show
configuration command.
admin-control: Can view user accounts and configure them (at the [edit system login]
hierarchy level).
access: Can view the access configuration in configuration mode and with the show
configuration operational mode command.
access-control: Can view and configure access information (at the [edit access]
hierarchy level).
all: Has all permissions.
clear: Can clear (delete) information learned from the network that is stored in
various network databases (using the clear commands).
configure: Can enter configuration mode (using the configure command) and commit
configurations (using the commit command).
control: Can perform all control-level operations (all operations configured with
the -control permission bits).
field: Reserved for field (debugging) support.
firewall: Can view the firewall filter configuration in configuration mode.
firewall-control: Can view and configure firewall filter information (at the
[edit firewall] hierarchy level).
floppy: Can read from and write to the removable media.
interface: Can view the interface configuration in configuration mode and with the
show configuration operational mode command.
interface-control: Can view chassis, class of service, groups, forwarding options,
and interfaces configuration information. Can configure chassis, class of service,
groups, forwarding options, and interfaces (at the [edit] hierarchy).
maintenance: Can perform system maintenance, including starting a local shell on
the router and becoming the superuser in the shell (by issuing the su root command),
and can halt and reboot the router (using the request system commands).
network: Can access the network by entering the ping, ssh, telnet, and traceroute
commands.
reset: Can restart software processes using the restart command and can configure
whether software processes are enabled or disabled (at the [edit system processes]
hierarchy level).
rollback: Can use the rollback command to return to a previously committed
configuration other than the most recently committed one.
routing: Can view general routing, routing protocol, and routing policy
configuration information in configuration and operational modes.
routing-control: Can view general routing, routing protocol, and routing policy
configuration information and configure general routing (at the [edit
routing-options] hierarchy level), routing protocols (at the [edit protocols]
hierarchy level), and routing policy (at the [edit policy-options] hierarchy level).
secret: Can view passwords and other authentication keys in the configuration.
secret-control: Can view passwords and other authentication keys in the
configuration and can modify them in configuration mode.
security: Can view security configuration in configuration mode and with the show
configuration operational mode command.
security-control: Can view and configure security information (at the [edit
security] hierarchy level).
shell: Can start a local shell on the router by entering the start shell command.
snmp: Can view SNMP configuration information in configuration and operational
modes.
snmp-control: Can view SNMP configuration information and configure SNMP (at the
[edit snmp] hierarchy level).
system: Can view system-level information in configuration and operational modes.
system-control: Can view system-level configuration information and configure it
(at the [edit system] hierarchy level).
trace: Can view trace file settings in configuration and operational modes.
trace-control: Can view trace file settings and configure trace file properties.
view: Can use various commands to display current systemwide, routing table, and
protocol-specific values and statistics.
Denying or Allowing Individual Commands
By default, all top-level CLI commands have associated access privilege levels. Users
can execute only those commands and view only those statements for which they
have access privileges. For each login class, you can explicitly deny or allow the use
of operational and configuration mode commands that are otherwise permitted or
not allowed by a permission bit.
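The permission-bit rules from "Permission Bits" and Table 7, together with the allow-commands/deny-commands overrides described above, modelled in Python as an added example (not Juniper code). The mapping from operational commands to permission bits and the precedence between deny, allow and permission bits are this model's assumptions, taken from the Table 7 descriptions.

```python
"""Model of JUNOS login-class authorization as this chapter describes it.

Added example, not Juniper code. The command-to-bit mapping and the precedence
between deny-commands, allow-commands and permission bits are assumptions of
this model, drawn from Table 7 and the surrounding text.
"""
import re

# A plain bit gives read-only access to its configuration area; the "-control"
# form of the same bit gives read and write access (Table 7).
PLAIN_BITS = {"access", "admin", "firewall", "interface", "routing", "secret",
              "security", "snmp", "system", "trace"}
CONTROL_BITS = {bit + "-control" for bit in PLAIN_BITS}
OTHER_BITS = {"all", "clear", "configure", "control", "field", "floppy",
              "maintenance", "network", "reset", "rollback", "shell", "view"}
KNOWN_BITS = PLAIN_BITS | CONTROL_BITS | OTHER_BITS

# Predefined login classes (Table 6); these cannot be modified.
PREDEFINED = {
    "operator": {"clear", "network", "reset", "trace", "view"},
    "read-only": {"view"},
    "super-user": {"all"},
    "superuser": {"all"},
    "unauthorized": set(),
}

# Operational commands and the bit that normally unlocks them (first match
# wins). Assumed mapping built from the Table 7 descriptions.
COMMAND_BITS = [
    (r"^request system ", "maintenance"),
    (r"^(ping|ssh|telnet|traceroute)\b", "network"),
    (r"^clear ", "clear"),
    (r"^restart ", "reset"),
    (r"^rollback\b", "rollback"),
    (r"^configure\b", "configure"),
    (r"^start shell\b", "shell"),
    (r"^show ", "view"),
]


class LoginClass:
    def __init__(self, name, permissions, allow_commands=None, deny_commands=None):
        unknown = set(permissions) - KNOWN_BITS
        if unknown:
            raise ValueError(f"{name}: unknown permission bits {sorted(unknown)}")
        self.name = name
        self.permissions = set(permissions)
        # allow-commands and deny-commands take regular expressions.
        self.allow = re.compile(allow_commands) if allow_commands else None
        self.deny = re.compile(deny_commands) if deny_commands else None

    def has_bit(self, bit):
        """'all' covers every bit, 'control' covers every -control bit, and a
        -control bit includes the read access of its plain form."""
        if "all" in self.permissions or bit in self.permissions:
            return True
        if bit.endswith("-control"):
            return "control" in self.permissions
        return bit in PLAIN_BITS and (
            bit + "-control" in self.permissions or "control" in self.permissions)

    def can_view(self, area):
        """Read access to a configuration area such as 'interface' or 'secret'."""
        return self.has_bit(area)

    def can_configure(self, area):
        """Write access needs the area's -control bit and 'configure', the bit
        that lets the user enter configuration mode at all."""
        return self.has_bit("configure") and self.has_bit(area + "-control")

    def can_run(self, command):
        """Explicit deny, then explicit allow, then the permission bits."""
        if self.deny and self.deny.search(command):
            return False
        if self.allow and self.allow.search(command):
            return True
        for pattern, bit in COMMAND_BITS:
            if re.match(pattern, command):
                return self.has_bit(bit)
        return False


def predefined(name):
    """Build one of the predefined classes from Table 6."""
    return LoginClass(name, PREDEFINED[name])


if __name__ == "__main__":
    # The sample class from "Defining Login Classes": operator bits plus an
    # explicit allow for a single maintenance-level command.
    ob = LoginClass("operator-and-boot", ["clear", "network", "reset", "trace", "view"],
                    allow_commands="request system reboot")
    for cmd in ("request system reboot", "request system halt", "ping 10.0.0.1",
                "configure", "start shell"):
        print(f"{ob.name}: {cmd!r} -> {'allowed' if ob.can_run(cmd) else 'denied'}")
```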
Template Accounts
You use local user template accounts when you need different types of templates.
Each template can define a different set of permissions appropriate for the group of
users who use that template. These templates are defined locally on the Services
Router and referenced by the TACACS+ and RADIUS authentication servers.
When you configure local user templates and a user logs in, the JUNOS software
issues a request to the authentication server to authenticate the user's login name.
If a user is authenticated, the server returns the local username to the router, which
then determines whether a local username is specified for that login name
(local-username for TACACS+, Juniper-Local-User for RADIUS). If so, the router selects
the appropriate local user template locally configured on the router. If a local user
template does not exist for the authenticated user, the router defaults to the remote
template.
For more information, see “Setting Up Template Accounts” on page 18.
Before You Begin
Before you perform any system management tasks, you must perform the initial
Services Router configuration described in the Getting Started Guide for your router.
Managing User Authentication with Quick Configuration
This section contains the following topics:
■Adding a RADIUS Server for Authentication on page 8
■Adding a TACACS+ Server for Authentication on page 9
■Configuring System Authentication on page 10
■Adding New Users on page 11
Adding a RADIUS Server for Authentication
You can use the Users Quick Configuration page for RADIUS servers to configure a
RADIUS server for system authentication. This Quick Configuration page allows you
to specify the IP address and secret (password) of the RADIUS server.
Figure 1 on page 8 shows the Users Quick Configuration page for RADIUS servers.
Figure 1: Users Quick Configuration Page for RADIUS Servers (graphic not reproduced)
To configure a RADIUS server with Quick Configuration:
1. In the J-Web interface, select Configuration>Quick Configuration>Users.
2. Under RADIUS servers, click Add to configure a RADIUS server.
3. Enter information into the Users Quick Configuration page for RADIUS servers,
as described in Table 8 on page 9.
4. Click one of the following buttons on the Users Quick Configuration page for
RADIUS servers:
■To apply the configuration and return to the Users Quick Configuration page,
click OK.
■To cancel your entries and return to the Users Quick Configuration page,
click Cancel.
Table 8: Users Quick Configuration for RADIUS Servers Summary
RADIUS Server
Field: RADIUS Server Address (required)
Function: Identifies the IP address of the RADIUS server.
Your action: Type the RADIUS server’s 32-bit IP address, in dotted decimal notation.
Field: RADIUS Server Secret (required)
Function: The secret (password) of the RADIUS server.
Your action: Type the secret (password) of the RADIUS server. Secrets can contain
spaces. The secret used must match that used by the RADIUS server.
Field: Verify RADIUS Server Secret (required)
Function: Verifies the secret (password) of the RADIUS server is entered correctly.
Your action: Retype the secret of the RADIUS server.
Adding a TACACS+ Server for Authentication
You can use the Users Quick Configuration page for TACACS+ servers to configure
a TACACS+ server for system authentication. This Quick Configuration page allows
you to specify the IP address and secret of the TACACS+ server.
Figure 2 on page 9 shows the Users Quick Configuration page for TACACS+ servers.
Figure 2: Users Quick Configuration Page for TACACS+ Servers (graphic not reproduced)
To configure a TACACS+ server with Quick Configuration:
1. In the J-Web interface, select Configuration>Quick Configuration>Users.
2. Under TACACS+ servers, click Add to configure a TACACS+ server.
3. Enter information into the Users Quick Configuration page for TACACS+ servers,
as described in Table 9 on page 10.
4. Click one of the following buttons on the Users Quick Configuration page for
TACACS+ servers:
■To apply the configuration and return to the Users Quick Configuration page,
click OK.
■To cancel your entries and return to the Users Quick Configuration page,
click Cancel.
Table 9: Users Quick Configuration for TACACS+ Servers Summary
TACACS+ Server
Field: TACACS+ Server Address (required)
Function: Identifies the IP address of the TACACS+ server.
Your action: Type the TACACS+ server’s 32-bit IP address, in dotted decimal notation.
Field: TACACS+ Server Secret (required)
Function: The secret (password) of the TACACS+ server.
Your action: Type the secret (password) of the TACACS+ server. Secrets can contain
spaces. The secret used must match that used by the TACACS+ server.
Field: Verify TACACS+ Server Secret (required)
Function: Verifies the secret (password) of the TACACS+ server is entered correctly.
Your action: Retype the secret of the TACACS+ server.
Configuring System Authentication
On the Users Quick Configuration page, you can configure the authentication methods
the Services Router uses to verify that a user can gain access. For each login attempt,
the router tries the authentication methods in order, starting with the first one, until
the password matches.
If you do not configure system authentication, users are verified based on their
configured local passwords.
Figure 3 on page 10 shows the Users Quick Configuration page.
Figure 3: Users Quick Configuration Page (graphic not reproduced)
To configure system authentication with Quick Configuration:
1. In the J-Web interface, select Configuration>Quick Configuration>Users.
2. Under Authentication Servers, select the check box next to each authentication
method the router must use when users log in:
■RADIUS
■TACACS+
■Local Password
3. Click one of the following buttons on the Users Quick Configuration page:
■To apply the configuration and stay in the Users Quick Configuration page,
click Apply.
■To apply the configuration and return to the Quick Configuration page, click
OK.
■To cancel your entries and return to the Quick Configuration page, click
Cancel.
Adding New Users
You can use the Users Quick Configuration page for user information to add new
users to a Services Router. For each account, you define a login name and password
for the user and specify a login class for access privileges.
Figure 4 on page 11 shows the Quick Configuration page for adding a user.
Figure 4: Add a User Quick Configuration Page (graphic not reproduced)
To add a new user with Quick Configuration:
1. In the J-Web interface, select Configuration>Quick Configuration>Users.
2. Under Users, click Add to add a new user.
3. Enter information into the Add a User Quick Configuration page, as described
in Table 10 on page 11.
4. Click one of the following buttons on the Add a User Quick Configuration page:
■To apply the configuration and return to the Users Quick Configuration page,
click OK.
■To cancel your entries and return to the Users Quick Configuration page,
click Cancel.
Table 10: Add a User Quick Configuration Page Summary
User Information
Field: Username (required)
Function: Name that identifies the user.
Your action: Type the username. It must be unique within the router. Do not
include spaces, colons, or commas in the username.
Field: Full Name
Function: The user's full name.
Your action: Type the user's full name. If the full name contains spaces, enclose
it in quotation marks. Do not include colons or commas.
Field: Login Class (required)
Function: Defines the user's access privilege.
Your action: From the list, select the user's login class:
■operator
■read-only
■super-user/superuser
■unauthorized
This list also includes any user-defined login classes. For more
information, see “Login Classes” on page 5.
Field: Login Password (required)
Function: The login password for this user.
Your action: Type the login password for this user. The login password must
meet the following criteria:
■The password must be at least 6 characters long.
■You can include most character classes in a password (alphabetic, numeric,
and special characters), except control characters.
■The password must contain at least one change of case or character class.
Field: Verify Login Password (required)
Function: Verifies the login password for this user.
Your action: Retype the login password for this user.
Managing User Authentication with a Configuration Editor
This section contains the following topics:
■Setting Up RADIUS Authentication on page 12
■Setting Up TACACS+ Authentication on page 13
■Configuring Authentication Order on page 15
■Controlling User Access on page 16
■Setting Up Template Accounts on page 18
Setting Up RADIUS Authentication
To use RADIUS authentication, you must configure at least one RADIUS server.
The procedure provided in this section identifies the RADIUS server, specifies the
secret (password) of the RADIUS server, and sets the source address of the Services
Router's RADIUS requests to the loopback address of the router. The procedure uses
the following sample values:
■The RADIUS server's IP address is 172.16.98.1.
■The RADIUS server's secret is Radiussecret1.
■The loopback address of the router is 10.0.0.1.
To configure RADIUS authentication:
1. Navigate to the top of the configuration hierarchy in either the J-Web or CLI
configuration editor.
2. Perform the configuration tasks described in Table 11 on page 13.
3. If you are finished configuring the network, commit the configuration.
To completely set up RADIUS authentication, you must create user template
accounts and specify a system authentication order.
4. Go on to one of the following procedures:
■To specify a system authentication order, see “Configuring Authentication
Order” on page 15.
■To configure a remote user template account, see “Creating a Remote
Template Account” on page 19.
■To configure local user template accounts, see “Creating a Local Template
Account” on page 20.
Table 11: Setting Up RADIUS Authentication
Task: Navigate to the System level in the configuration hierarchy.
J-Web configuration editor:
1. In the J-Web interface, select Configuration>View and Edit>Edit Configuration.
2. Next to System, click Configure or Edit.
CLI configuration editor: From the [edit] hierarchy level, enter
edit system
Task: Add a new RADIUS server.
J-Web configuration editor:
1. In the Radius server box, click Add new entry.
2. In the Address box, type the IP address of the RADIUS server: 172.16.98.1
CLI configuration editor: Set the IP address of the RADIUS server:
set radius-server address 172.16.98.1
Task: Specify the shared secret (password) of the RADIUS server. The secret is stored
as an encrypted value in the configuration database.
J-Web configuration editor: In the Secret box, type the shared secret of the RADIUS
server: Radiussecret1
CLI configuration editor: Set the shared secret of the RADIUS server:
set radius-server 172.16.98.1 secret Radiussecret1
Task: Specify the source address to be included in the RADIUS server requests by the
router. In most cases, you can use the loopback address of the router.
J-Web configuration editor: In the Source address box, type the loopback address of
the router: 10.0.0.1
CLI configuration editor: Set the router's loopback address as the source address:
set radius-server 172.16.98.1 source-address 10.0.0.1
Setting Up TACACS+ Authentication
To use TACACS+ authentication, you must configure at least one TACACS+ server.
The procedure provided in this section identifies the TACACS+ server, specifies the
secret (password) of the TACACS+ server, and sets the source address of the Services
Router's TACACS+ requests to the loopback address of the router. This procedure
uses the following sample values:
■The TACACS+ server's IP address is 172.16.98.24.
■The TACACS+ server's secret is Tacacssecret1.
■The loopback address of the router is 10.0.0.1.
To configure TACACS+ authentication:
1. Navigate to the top of the configuration hierarchy in either the J-Web or CLI
configuration editor.
2. Perform the configuration tasks described in Table 12 on page 14.
3. If you are finished configuring the network, commit the configuration.
To completely set up TACACS+ authentication, you must create user template
accounts and specify a system authentication order.
4. Go on to one of the following procedures:
■To specify a system authentication order, see “Configuring Authentication
Order” on page 15.
■To configure a remote user template account, see “Creating a Remote
Template Account” on page 19.
■To configure local user template accounts, see “Creating a Local Template
Account” on page 20.
Table 12: Setting Up TACACS+ Authentication
Task: Navigate to the System level in the configuration hierarchy.
J-Web configuration editor:
1. In the J-Web interface, select Configuration>View and Edit>Edit Configuration.
2. Next to System, click Configure or Edit.
Task: Add a new TACACS+ server.
J-Web configuration editor:
1. In the Tacplus server box, click Add new entry.
2. In the Address box, type the IP address of the TACACS+ server: 172.16.98.24
Task: Specify the shared secret (password) of the TACACS+ server. The secret is
stored as an encrypted value in the configuration database.
J-Web configuration editor: In the Secret box, type the shared secret of the TACACS+
server: Tacacssecret1
CLI configuration editor: Set the shared secret of the TACACS+ server:
set tacplus-server 172.16.98.24 secret Tacacssecret1
Task: Specify the source address to be included in the TACACS+ server requests by
the router. In most cases, you can use the loopback address of the router.
J-Web configuration editor: In the Source address box, type the loopback address of
the router: 10.0.0.1
CLI configuration editor: Set the router's loopback address as the source address:
set tacplus-server 172.16.98.24 source-address 10.0.0.1
Configuring Authentication Order
The procedure provided in this section configures the Services Router to attempt
user authentication with the local password first, then with the RADIUS server, and
finally with the TACACS+ server.
To configure authentication order:
1. Navigate to the top of the configuration hierarchy in either the J-Web or CLI
configuration editor.
2. Perform the configuration tasks described in Table 13 on page 15.
3. If you are finished configuring the network, commit the configuration.
To completely set up RADIUS or TACACS+ authentication, you must configure
at least one RADIUS or TACACS+ server and create user template accounts.
4. Go on to one of the following procedures:
■To configure a RADIUS server, see “Setting Up RADIUS
Authentication” on page 12.
■To configure a TACACS+ server, see “Setting Up TACACS+
Authentication” on page 13.
■To configure a remote user template account, see “Creating a Remote
Template Account” on page 19.
■To configure local user template accounts, see “Creating a Local Template
Account” on page 20.
Table 13: Configuring Authentication Order
Task: Navigate to the System level in the configuration hierarchy.
Task: Add RADIUS authentication to the authentication order.
CLI configuration editor: Insert the radius statement in the authentication order:
insert system authentication-order radius after password
Task: Add TACACS+ authentication to the authentication order.
CLI configuration editor: Insert the tacplus statement in the authentication order:
insert system authentication-order tacplus after radius
Controlling User Access
This section contains the following topics:
■Defining Login Classes on page 16
■Creating User Accounts on page 17
Defining Login Classes
You can define any number of login classes. You then apply one login class to an
individual user account, as described in “Creating User Accounts” on page 17 and
“Setting Up Template Accounts” on page 18.
The procedure provided in this section creates a sample login class named
operator-and-boot with the following privileges:
■The operator-and-boot login class can reboot the Services Router using the request
system reboot command.
■The operator-and-boot login class can also use commands defined in the clear,
network, reset, trace, and view permission bits. For more information, see
“Permission Bits” on page 5.
To define login classes:
1. Navigate to the top of the configuration hierarchy in either the J-Web or CLI
configuration editor.
2. Perform the configuration tasks described in Table 14 on page 16.
3. If you are finished configuring the network, commit the configuration.
4. Go on to one of the following procedures:
■To create user accounts, see “Creating User Accounts” on page 17.
■To create shared user accounts, see “Setting Up Template
Table 14: Defining Login Classes
Task: Set the name of the login class and the ability to use the request system
reboot command.
J-Web configuration editor:
1. Next to Class, click Add new entry.
2. Type the name of the login class: operator-and-boot
3. In the Allow commands box, type the request system reboot command enclosed in
quotation marks: "request system reboot"
4. Click OK.
CLI configuration editor: Set the name of the login class and the ability to use
the request system reboot command:
set class operator-and-boot allow-commands "request system reboot"
Task: Give the operator-and-boot login class operator privileges.
J-Web configuration editor:
1. Next to Permissions, click Add new entry.
2. In the Value list, select clear.
3. Click OK.
4. Next to Permissions, click Add new entry.
5. In the Value list, select network.
6. Click OK.
7. Next to Permissions, click Add new entry.
8. In the Value list, select reset.
9. Click OK.
10. Next to Permissions, click Add new entry.
11. In the Value list, select trace.
12. Click OK.
13. Next to Permissions, click Add new entry.
14. In the Value list, select view.
15. Click OK.
CLI configuration editor: Set the permission bits for the operator-and-boot login
class:
set class operator-and-boot permissions [clear network reset trace view]
Creating User Accounts
User accounts provide one way for users to access the Services Router. (Users can
access the router without accounts if you configured RADIUS or TACACS+ servers,
as described in “Setting Up RADIUS Authentication” on page 12 and “Setting Up
TACACS+ Authentication” on page 13.)
The procedure provided in this section creates a sample user named cmartin with
the following characteristics:
■The user cmartin belongs to the superuser login class.
■The user cmartin uses an encrypted password, $1$14c5.$sBopasdFFdssdfFFdsdfs0.
To create user accounts:
1. Navigate to the top of the configuration hierarchy in either the J-Web or CLI
configuration editor.
2. Perform the configuration tasks described in Table 15 on page 18.
3. If you are finished configuring the network, commit the configuration.
Table 15: Creating User Accounts
Task: Navigate to the System Login level in the configuration hierarchy.
J-Web configuration editor:
1. In the J-Web interface, select Configuration>View and Edit>Edit Configuration.
2. Next to System, click Configure or Edit.
3. Next to Login, click Configure or Edit.
CLI configuration editor: From the [edit] hierarchy level, enter
edit system login
Task: Create a user named cmartin who belongs to the superuser login class.
J-Web configuration editor:
1. Next to User, click Add new entry.
2. In the User name box, type cmartin.
3. In the Class box, type superuser.
4. Click OK.
CLI configuration editor: Set the username and the login class for the user:
set user cmartin class superuser
Task: Define the encrypted password for cmartin.
J-Web configuration editor:
1. Next to Authentication, click Configure.
2. In the Encrypted password box, type $1$14c5.$sBopasdFFdssdfFFdsdfs0
3. Click OK.
CLI configuration editor: Set the encrypted password for cmartin:
set user cmartin authentication encrypted-password $1$14c5.$sBopasdFFdssdfFFdsdfs0
Setting Up Template Accounts
You can create template accounts that are shared by a set of users when you are
using RADIUS or TACACS+ authentication. When a user is authenticated by a
template account, the CLI username is the login name, and the privileges, file
ownership, and effective user ID are inherited from the template account.
This section contains the following topics:
■Creating a Remote Template Account on page 19
■Creating a Local Template Account on page 20
18■Managing User Authentication with a Configuration Editor
Chapter 1: Managing User Authentication and Access
Creating a Remote Template Account
You can create a remote template that is applied to users authenticated by RADIUS
or TACACS+ that do not belong to a local template account.
By default, the JUNOS software uses the remote template account when:
■The authenticated user does not exist locally on the Services Router.
■The authenticated user's record in the RADIUS or TACACS+ server specifies
local user, or the specified local user does not exist locally on the router.
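The login flow from "Configuring Authentication Order" combined with the template-selection rules just listed, modelled in Python as an added example (not Juniper code). The RADIUS and TACACS+ servers are constructed stand-ins, as are all user names and passwords; the attribute names Juniper-Local-User and local-username follow the text.

```python
"""Model of the login flow this chapter describes: the router tries the methods
in system authentication-order until one accepts the password, and a user
accepted by RADIUS or TACACS+ draws its privileges from a local account, a
local template account or the remote template account.

Added example, not Juniper code. Server stand-ins, user names and passwords
are constructed; the attribute names follow the text (Juniper-Local-User for
RADIUS, local-username for TACACS+).
"""
import hashlib
import hmac


def password_hash(password, salt="14c5"):
    """Stand-in for the router's MD5-style encrypted-password field: only a
    salted digest is kept in the configuration, never the plain-text password."""
    return salt + "$" + hashlib.sha256((salt + password).encode()).hexdigest()


def password_matches(password, stored):
    salt = stored.split("$", 1)[0]
    return hmac.compare_digest(password_hash(password, salt), stored)


# Constructed [edit system login] contents. The template accounts carry no
# password: they are reached through RADIUS or TACACS+, never logged into directly.
LOCAL_USERS = {
    "cmartin": {"class": "superuser", "encrypted-password": password_hash("cm-pw")},
    "remote": {"class": "operator"},    # remote template account
    "admin": {"class": "superuser"},    # local template account
}
# Result of the two "insert system authentication-order ..." commands.
AUTH_ORDER = ("password", "radius", "tacplus")

# Constructed stand-ins for the RADIUS and TACACS+ servers: login -> record.
RADIUS_USERS = {
    "alice": {"password": "a-pw", "Juniper-Local-User": "admin"},
    "bob": {"password": "b-pw"},                                    # no local user named
    "carol": {"password": "c-pw", "Juniper-Local-User": "nosuch"},  # local user missing
}
TACPLUS_USERS = {"dave": {"password": "d-pw", "local-username": "admin"}}


def ask_server(directory, attribute, login, password):
    """Return (accepted, local_username) the way the server would answer."""
    record = directory.get(login)
    if record is None or not hmac.compare_digest(record["password"], password):
        return False, None
    return True, record.get(attribute)


REMOTE_METHODS = {
    "radius": lambda login, pw: ask_server(RADIUS_USERS, "Juniper-Local-User", login, pw),
    "tacplus": lambda login, pw: ask_server(TACPLUS_USERS, "local-username", login, pw),
}


def resolve_account(login, local_username):
    """Privileges for a server-authenticated user come from the user's own local
    account if one exists, else from the named local template if it exists,
    else from the remote template, which must itself be configured."""
    if login in LOCAL_USERS:
        return login
    if local_username in LOCAL_USERS:
        return local_username
    return "remote" if "remote" in LOCAL_USERS else None


def authenticate(login, password, order=("password",)):
    """Try each method in order; the first that accepts the password decides.
    With no authentication-order configured, only local passwords are checked."""
    for method in order:
        if method == "password":
            record = LOCAL_USERS.get(login, {})
            stored = record.get("encrypted-password")
            if stored and password_matches(password, stored):
                return {"method": "password", "username": login,
                        "account": login, "class": record["class"]}
            continue
        accepted, local_username = REMOTE_METHODS[method](login, password)
        if not accepted:
            continue
        account = resolve_account(login, local_username)
        if account is None:
            return None  # authenticated, but no account to inherit privileges from
        # The CLI username stays the login name; class and UID come from the account.
        return {"method": method, "username": login,
                "account": account, "class": LOCAL_USERS[account]["class"]}
    return None
```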
The procedure provided in this section creates a sample user named remote that
belongs to the operator login class.
To create a remote template account:
1.Navigate to the top of the configuration hierarchy in either the J-Web or CLI
configuration editor.
2.Perform the configuration tasks described in Table 16 on page 19.
3.If you are finished configuring the network, commit the configuration.
To completely set up RADIUS or TACACS+ authentication, you must configure
at least one RADIUS or TACACS+ server and specify a system authentication
order.
4.Go on to one of the following procedures:
■To configure a RADIUS server, see “Setting Up RADIUS
Authentication” on page 12.
■To configure a TACACS+ server, see “Setting Up TACACS+
Authentication” on page 13.
■To specify a system authentication order, see “Configuring Authentication
Order” on page 15.
Table 16: Creating a Remote Template Account
Task: Navigate to the System Login level in the configuration hierarchy.

Task: Create a user named remote who belongs to the operator login class.
J-Web configuration editor:
1. Next to User, click Add new entry.
2. In the User name box, type remote.
3. In the Class box, type operator.
4. Click OK.
CLI configuration editor:
Set the username and the login class for the user:
set user remote class operator
J-series™ Services Router Administration Guide
Creating a Local Template Account
You can create a local template that is applied to users authenticated by RADIUS or TACACS+ that are assigned to the local template account. You use local template accounts when you need different types of templates. Each template can define a different set of permissions appropriate for the group of users who use that template.
The procedure provided in this section creates a sample user named admin that belongs to the superuser login class.
To create a local template account:
1. Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
2. Perform the configuration tasks described in Table 17 on page 20.
3. If you are finished configuring the network, commit the configuration.
To completely set up RADIUS or TACACS+ authentication, you must configure at least one RADIUS or TACACS+ server and specify a system authentication order.
4. Go on to one of the following procedures:
■ To configure a RADIUS server, see “Setting Up RADIUS Authentication” on page 12.
■ To configure a TACACS+ server, see “Setting Up TACACS+ Authentication” on page 13.
■ To configure a system authentication order, see “Configuring Authentication Order” on page 15.
Table 17: Creating a Local Template Account
Task: Navigate to the System Login level in the configuration hierarchy.

Task: Create a user named admin who belongs to the superuser login class.
CLI configuration editor:
Set the username and the login class for the user:
set user admin class superuser
Recovering the Root Password
If you forget the root password for the router, you can use the password recovery procedure to reset the root password.
NOTE: You need console access to recover the root password.
To recover the root password:
1. Power off the router by pressing the power button on the front panel.
2. Turn off the power to the management device, such as a PC or laptop computer, that you want to use to access the CLI.
3. Plug one end of the Ethernet rollover cable supplied with the router into the RJ-45 to DB-9 serial port adapter supplied with the router (see Figure 5 on page 21 and Figure 6 on page 22).
4. Plug the RJ-45 to DB-9 serial port adapter into the serial port on the management device (see Figure 5 on page 21 and Figure 6 on page 22).
5. Connect the other end of the Ethernet rollover cable to the console port on the router (see Figure 5 on page 21 and Figure 6 on page 22).
Figure 5: Connecting to the Console Port on the J2300 Services Router
Figure 6: Connecting to the Console Port on the J4350 or J6350 Services Router
6. Turn on the power to the management device.
7. On the management device, start your asynchronous terminal emulation application (such as Microsoft Windows Hyperterminal) and select the appropriate COM port to use (for example, COM1).
8. Configure the port settings as follows:
■ Bits per second: 9600
■ Data bits: 8
■ Parity: None
■ Stop bits: 1
■ Flow control: None
9. Power on the router by pressing the power button on the front panel. Verify that the POWER LED on the front panel turns green.
The terminal emulation screen on your management device displays the router's boot sequence.
10. When the following prompt appears, press the Spacebar to access the router's bootstrap loader command prompt:
Hit [Enter] to boot immediately, or space bar for command prompt.
Booting [kernel] in 9 seconds...
11. At the following prompt, enter boot -s to start up the system in single-user mode.
ok boot -s
12. At the following prompt, enter recovery to start the root password recovery procedure.
Enter full pathname of shell or 'recovery' for root password recovery or
RETURN for /bin/sh: recovery
13. Enter configuration mode in the CLI.
14. Set the root password. For example:
user@host# set system root-authentication plain-text-password
For more information about configuring the root password, see the JUNOS System Basics Configuration Guide.
15. At the following prompt, enter the new root password. For example:
New password: juniper1
Retype new password:
16. At the second prompt, reenter the new root password.
17. If you are finished configuring the network, commit the configuration.
root@host# commit
commit complete
18. Exit configuration mode in the CLI.
19. Exit operational mode in the CLI.
20. At the prompt, enter y to reboot the router.
Reboot the system? [y/n] y
Securing the Console Port
You can use the console port on the Services Router to connect to the Routing Engine through an RJ-45 serial cable. From the console port, you can use the CLI to configure the router. By default, the console port is enabled. To secure the console port, you can configure the Services Router to do the following:
■ Log out the console session when you unplug the serial cable connected to the console port.
■ Disable root login connections to the console.
■ Disable the console port. We recommend disabling the console port to prevent unauthorized access to the Services Router, especially when the router is used as customer premises equipment (CPE).
In a Common Criteria environment, you must disable the console port. For more information, see the Secure Configuration Guide for Common Criteria and JUNOS-FIPS.
To secure the console port:
1. Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
2. Perform the configuration tasks described in Table 18 on page 24.
3. If you are finished configuring the network, commit the configuration.

To escape from the Telnet session to the Telnet command prompt, press Ctrl-]. To exit from the Telnet session and return to the CLI command prompt, enter quit.
Table 19 on page 25 describes the telnet command options. For more information, see the JUNOS System Basics and Services Command Reference.
Table 19: CLI telnet Command Options
Option
    Description
8bit
    Use an 8-bit data path.
bypass-routing
    Bypass the routing tables and open a Telnet session only to hosts on directly attached interfaces. If the host is not on a directly attached interface, an error message is returned.
host
    Open a Telnet session to the specified hostname or IP address.
inet
    Force the Telnet session to an IPv4 destination.
interface source-interface
    Open a Telnet session to a host on the specified interface. If you do not include this option, all interfaces are used.
no-resolve
    Suppress the display of symbolic names.
port port
    Specify the port number or service name on the host.
routing-instance routing-instance-name
    Use the specified routing instance for the Telnet session.
source address
    Use the specified source address for the Telnet session.
Using the ssh Command
You can use the CLI ssh command to use the secure shell (SSH) program to open a connection to a remote device:
Table 20 on page 25 describes the ssh command options. For more information, see the JUNOS System Basics and Services Command Reference.
Table 20: CLI ssh Command Options
Option
    Description
bypass-routing
    Bypass the routing tables and open an SSH connection only to hosts on directly attached interfaces. If the host is not on a directly attached interface, an error message is returned.
host
    Open an SSH connection to the specified hostname or IP address.
inet
    Force the SSH connection to an IPv4 destination.
interface source-interface
    Open an SSH connection to a host on the specified interface. If you do not include this option, all interfaces are used.
routing-instance routing-instance-name
    Use the specified routing instance for the SSH connection.
source address
    Use the specified source address for the SSH connection.
v1
    Force SSH to use version 1 for the connection.
v2
    Force SSH to use version 2 for the connection.
Configuring Password Retry Limits for Telnet and SSH Access
To prevent brute force and dictionary attacks, the Services Router takes the following actions for Telnet or SSH sessions by default:
■ Disconnects a session after a maximum of 10 consecutive password retries.
■ After the second password retry, introduces a delay in multiples of 5 seconds between subsequent password retries. For example, the Services Router introduces a delay of 5 seconds between the third and fourth password retry, a delay of 10 seconds between the fourth and fifth password retry, and so on.
■ Enforces a minimum session time of 20 seconds during which a session cannot be disconnected. Configuring the minimum session time prevents malicious users from disconnecting sessions before the password retry delay goes into effect, and attempting brute force and dictionary attacks with multiple logins.
You can configure the password retry limits for Telnet and SSH access. In this example, you configure the Services Router to take the following actions for Telnet and SSH sessions:
■ Allow a maximum of 4 consecutive password retries before disconnecting a session.
■ Introduce a delay in multiples of 5 seconds between password retries that occur after the second password retry.
■ Enforce a minimum session time of 40 seconds during which a session cannot be disconnected.
To configure password retry limits for Telnet and SSH access:
1. Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
2. Perform the configuration tasks described in Table 21 on page 27.
3. If you are finished configuring the network, commit the configuration.
Table 21: Configuring Password Retry Limits for Telnet and SSH Access
Task: Navigate to the Retry options level in the configuration hierarchy.
J-Web configuration editor:
1. In the J-Web interface, select Configuration>View and Edit>Edit Configuration.
2. Next to System, click Edit.
3. Next to Login, click Configure or Edit.
4. Next to Retry options, click Configure or Edit.
CLI configuration editor:
From the [edit] hierarchy level, enter
edit system login retry-options

Task: Configure password retry limits for Telnet and SSH access.
■ Tries—Maximum number of consecutive password retries before an SSH or Telnet session is disconnected. The default number is 10, but you can set a number between 1 and 10.
■ Backoff threshold—Threshold number of password retries after which a delay is introduced between two consecutive password retries. The default number is 2, but you can set a number between 1 and 3.
■ Backoff factor—Delay (in seconds) between consecutive password retries after the threshold number of password retries. The default delay is in multiples of 5 seconds, but you can set a delay between 5 and 10 seconds.
■ Minimum time—Minimum length of time (in seconds) during which a Telnet or SSH session cannot be disconnected. The default is 20 seconds, but you can set a time between 20 and 60 seconds.
J-Web configuration editor:
1. In the Tries before disconnect box, type 4.
2. In the Backoff threshold box, type 2.
3. In the Backoff factor box, type 5.
4. In the Minimum time box, type 40.
5. Click OK.
CLI configuration editor:
1. Enter set tries-before-disconnect 4
2. Enter set backoff-threshold 2
3. Enter set backoff-factor 5
4. Enter set minimum-time 40
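As an added illustration (not part of the Juniper guide), the following Python model reproduces the retry, backoff and minimum-time behaviour described above and emits the matching CLI set commands. The delay schedule is an interpretation of the guide's example (no delay until the attempt after the backoff threshold, then one more multiple of the backoff factor per attempt), and the range checks come from Table 21.

```python
"""Model of the JUNOS Telnet/SSH password retry limits described above.
Added example; the exact timing semantics are an interpretation of the
guide's example (5 s before the 4th attempt, 10 s before the 5th)."""
from dataclasses import dataclass
from typing import List

# Value ranges listed in Table 21.
LIMITS = {
    "tries_before_disconnect": (1, 10),
    "backoff_threshold": (1, 3),
    "backoff_factor": (5, 10),
    "minimum_time": (20, 60),
}


@dataclass(frozen=True)
class RetryOptions:
    tries_before_disconnect: int = 10  # default 10
    backoff_threshold: int = 2         # default 2
    backoff_factor: int = 5            # default 5 seconds
    minimum_time: int = 20             # default 20 seconds

    def validate(self) -> None:
        """Reject values outside the ranges the router accepts."""
        for name, (low, high) in LIMITS.items():
            value = getattr(self, name)
            if not low <= value <= high:
                raise ValueError(f"{name}={value} is outside {low}..{high}")

    def delay_before_attempt(self, n: int) -> int:
        """Seconds the router waits before accepting password attempt n (1-based).

        Assumption: attempts up to backoff_threshold + 1 are accepted
        immediately; each later attempt waits one more multiple of
        backoff_factor, matching the guide's 5 s / 10 s example.
        """
        steps = n - self.backoff_threshold - 1
        return self.backoff_factor * steps if steps > 0 else 0

    def schedule(self) -> List[int]:
        """Delay before each attempt until the session is disconnected."""
        return [self.delay_before_attempt(n)
                for n in range(1, self.tries_before_disconnect + 1)]

    def disconnect_time(self) -> int:
        """Earliest second at which the router drops a session whose every
        attempt fails: the backoff delays add up, but the session is never
        dropped before minimum_time has elapsed."""
        return max(sum(self.schedule()), self.minimum_time)

    def set_commands(self) -> List[str]:
        """CLI commands equivalent to the Table 21 procedure."""
        self.validate()
        return [
            "edit system login retry-options",
            f"set tries-before-disconnect {self.tries_before_disconnect}",
            f"set backoff-threshold {self.backoff_threshold}",
            f"set backoff-factor {self.backoff_factor}",
            f"set minimum-time {self.minimum_time}",
        ]


if __name__ == "__main__":
    # Compare the router defaults with the example configuration from the guide.
    for label, opts in (("default", RetryOptions()),
                        ("example", RetryOptions(4, 2, 5, 40))):
        print(label, opts.schedule(), "disconnect at", opts.disconnect_time(), "s")
    print("\n".join(RetryOptions(4, 2, 5, 40).set_commands()))
```

With the example values the ten-retry default would have taken 140 s to reach disconnection, whereas four retries are exhausted after only 5 s of backoff, so the 40-second minimum session time is what actually holds the session open.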
Chapter 2
Setting Up USB Modems for Remote Management
J-series Services Routers support the use of USB modems for remote management.
You can use Telnet or SSH to connect to the router from a remote location through
two modems over a telephone network. The USB modem is connected to the USB
port on the Services Router, and a second modem is connected to a remote
management device such as a PC or laptop computer.
NOTE: We recommend using a Multi-Tech MultiModem MT5634ZBA-USB-V92 USB
modem with J-series Services Routers.
You use either the J-Web configuration editor or CLI configuration editor to configure
the USB modem and its supporting dialer interfaces.
This chapter contains the following topics:
■ USB Modem Terms on page 29
■ USB Modem Overview on page 30
■ Before You Begin on page 33
■ Connecting the USB Modem to the Services Router's USB Port on page 33
■ Configuring USB Modem Interfaces with a Configuration Editor on page 33
■ Connecting to the Services Router from the User End on page 39
■ Administering USB Modems on page 40
■ Verifying the USB Modem Configuration on page 42
USB Modem Terms
Before configuring USB modems and their supporting dialer interfaces, become
familiar with the terms defined in Table 22 on page 30.
Table 22: USB Modem Terminology
Term
    Definition
caller ID
    Telephone number of the caller on the remote end of a USB modem connection, used to dial in and also to identify the caller. Multiple caller IDs can be configured on a dialer interface. During dial-in, the router matches the incoming call's caller ID against the caller IDs configured on its dialer interfaces. Each dialer interface accepts calls from only callers whose caller IDs are configured on it.
dialer interface (dl)
    Logical interface for configuring dialing properties for a USB modem connection.
dial-in
    Feature that enables J-series Services Routers to receive calls from the remote end of a USB modem connection. The remote end of the USB modem call might be a service provider, a corporate central location, or a customer premises equipment (CPE) branch office. All incoming calls can be verified against caller IDs configured on the router's dialer interface.
Microcom Networking Protocol (MNP)
    Protocol that provides error correction and data compression for asynchronous modem transmission.
USB Modem Overview
A USB modem connects to a Services Router through modem interfaces that you configure. The router applies its own modem AT commands to initialize the attached modem. Modem setup requires that you connect and configure the USB modem at the router and the modem at the user end of the network.
This section contains the following topics:
■ USB Modem Interfaces on page 30
■ How a Services Router Initializes USB Modems on page 31
■ USB Modem Connection and Configuration Overview on page 32
USB Modem Interfaces
You configure two types of interfaces for USB modem connectivity: a physical interface and a logical interface called the dialer interface:
■ The USB modem physical interface uses the naming convention umd0. The Services Router creates this interface when a USB modem is connected to the USB port.
■ The dialer interface, dln, is a logical interface for configuring dialing properties for USB modem connections.
See the interface naming conventions in the J-series Services Router Basic LAN and WAN Access Configuration Guide.
The following rules apply when you configure dialer interfaces for USB modem connections:
■ The dialer interface must be configured to use PPP encapsulation. You cannot configure Cisco High-Level Data Link Control (HDLC) or Multilink PPP (MLPPP) encapsulation on dialer interfaces.
■ The dialer interface cannot be configured as a constituent link in a multilink bundle.
■ If you are using the same dialer interface for ISDN connections and USB modem connections, the dialer interface cannot be configured simultaneously in the following modes:
    ■ As a backup interface and a dialer filter
    ■ As a backup interface and dialer watch interface
    ■ As a dialer watch interface and a dialer filter
    ■ As a backup interface for more than one primary interface
How a Services Router Initializes USB Modems
When you connect the USB modem to the USB port on the Services Router, the router
applies the modem AT commands configured in the init-command-string command
to the initialization commands on the modem. For more information about configuring
modem commands for the init-command-string command, see “Modifying USB Modem
Initialization Commands” on page 41.
If you do not configure modem AT commands for the init-command-string command,
the router applies the following default sequence of initialization commands to the
modem: AT S7=45 S0=0 V1 X4 &C1 E0 Q0 &Q8 %C0. Table 23 on page 31 describes
the commands. For more information about these commands, see the documentation
for your modem.
When the Services Router applies the modem AT commands in the init-command-string
command or the default sequence of initialization commands to the modem, it
compares them to the initialization commands already configured on the modem
and makes the following changes:
■If the commands are the same, the router overrides existing modem values that
do not match. For example, if the initialization commands on the modem include
S0=0 and the router’s init-command-string command includes S0=2, the Services
Router applies S0=2.
■If the initialization commands on the modem do not include a command in the
router’s init-command-string command, the router adds it. For example, if the
init-command-string command includes the command L2, but the modem
commands do not include it, the router adds L2 to the initialization commands
configured on the modem.
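The merge behaviour just described, as an added example in Python (not Juniper code). It assumes a simplified AT command model: S-register assignments such as S0=0 are keyed by register name, and other commands such as &C1 or L2 are keyed by their letter prefix with a trailing numeric argument; the guide gives no parsing details, so that tokenizer is an assumption.

```python
"""Added example: merge a router init-command-string into a modem's
existing initialization commands the way the guide describes (override
differing values, add missing commands). The command tokenizer below is a
simplified assumption, not Juniper's implementation."""
import re
from collections import OrderedDict
from typing import Dict

# Default sequence the router applies when no init-command-string is configured.
DEFAULT_INIT = "AT S7=45 S0=0 V1 X4 &C1 E0 Q0 &Q8 %C0"

# S-register assignment (S0=2) and basic/extended commands (V1, &C1, %C0, L2).
_REGISTER = re.compile(r"^(S\d+)=(\d+)$")
_COMMAND = re.compile(r"^([&%]?[A-Z])(\d*)$")


def parse_init_string(init: str) -> "OrderedDict[str, str]":
    """Map each command to its argument, preserving order.

    Accepts both "AT S0=2" and the space-less "ATS0=2" form used in the
    CLI example; a literal \\n (the newline escape in the configured
    string) is treated as whitespace.
    """
    text = init.replace("\\n", " ").strip().upper()
    if not text.startswith("AT"):
        raise ValueError("modem command string must start with AT")
    commands: "OrderedDict[str, str]" = OrderedDict()
    for token in text[2:].split():
        match = _REGISTER.match(token) or _COMMAND.match(token)
        if match is None:
            raise ValueError(f"unrecognised modem command {token!r}")
        commands[match.group(1)] = match.group(2)
    return commands


def render_init_string(commands: Dict[str, str]) -> str:
    """Turn the command map back into a single AT line."""
    parts = [f"{key}={arg}" if re.fullmatch(r"S\d+", key) else f"{key}{arg}"
             for key, arg in commands.items()]
    return "AT " + " ".join(parts)


def merge_init_commands(modem_commands: str, router_init_string: str) -> str:
    """Apply the router's init-command-string to the modem's current commands.

    Same command, different value -> the router's value overrides (S0=0 -> S0=2).
    Command absent on the modem -> it is appended (for example L2).
    """
    merged = parse_init_string(modem_commands)
    for key, arg in parse_init_string(router_init_string).items():
        merged[key] = arg
    return render_init_string(merged)


if __name__ == "__main__":
    # Constructed walk-through of the two cases described in the guide.
    print(merge_init_commands(DEFAULT_INIT, "ATS0=2 \\n"))
    print(merge_init_commands(DEFAULT_INIT, "AT L2"))
```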
USB Modem Connection and Configuration Overview
To use USB modems to remotely manage a Services Router, you perform the tasks
listed in Table 24 on page 32. For instructions, see the cross-references in the table.
Table 24: USB Modem Connection and Configuration Overview
Task
    Instructions
On the Services Router
Perform prerequisite tasks.
    “Before You Begin” on page 33
1. Connect a modem to the router.
    “Connecting the USB Modem to the Services Router's USB Port” on page 33
2. Configure the modem interfaces on the router.
    “Configuring USB Modem Interfaces with a Configuration Editor” on page 33
3. Verify the modem configuration on the router.
    “Verifying the USB Modem Configuration” on page 42
4. Perform administrative tasks as necessary.
    ■ “Modifying USB Modem Initialization Commands” on page 41
    ■ “Resetting USB Modems” on page 42
At the User End
1. Configure the modem at your remote location.
    “Configuring a Dial-Up Modem Connection at the User End” on page 39
2. Dial in to the router.
    “Connecting to the Services Router from the User End” on page 40
Before You Begin
Before you configure USB modems, you need to perform the following tasks:
■ Install Services Router hardware. For more information, see the Getting Started Guide for your router.
■ Establish basic connectivity. For more information, see the Getting Started Guide for your router.
■ Order a Multi-Tech MultiModem MT5634ZBA-USB-V92 USB modem from Multi-Tech Systems (http://www.multitech.com/).
■ Order a dial-up modem for the PC or laptop computer at the remote location from where you want to connect to the Services Router.
■ Order a public switched telephone network (PSTN) line from your telecommunications service provider. Contact your service provider for more information.
■ If you do not already have a basic understanding of physical and logical interfaces and Juniper Networks interface conventions, see the J-series Services Router Basic LAN and WAN Access Configuration Guide.
Connecting the USB Modem to the Services Router's USB Port
NOTE: J4350 and J6350 Services Routers have two USB ports. However, you can
connect only one USB modem to the USB ports on these routers. If you connect USB
modems to both ports, the router detects only the first modem connected.
To connect the USB modem to the USB port on the router:
1. Plug the modem into the USB port.
2. Connect the modem to your telephone network.
Configuring USB Modem Interfaces with a Configuration Editor
To configure USB modem interfaces, perform the following tasks marked (Required). Perform other tasks if needed on your network.
■ Configuring a USB Modem Interface (Required) on page 33
■ Configuring a Dialer Interface (Required) on page 35
■ Configuring Dial-In (Required) on page 36
■ Configuring CHAP on Dialer Interfaces (Optional) on page 37
Configuring a USB Modem Interface (Required)
To configure a USB modem interface for the Services Router:
1. Navigate to the top of the interfaces configuration hierarchy in either the J-Web or CLI configuration editor.
2. Perform the configuration tasks described in Table 25 on page 34.
3. Go on to “Configuring a Dialer Interface (Required)” on page 35.
Task: Navigate to the Interfaces level in the configuration hierarchy.
J-Web configuration editor:
1. In the J-Web interface, select Configuration>View and Edit>Edit Configuration.
2. Next to Interfaces, click Configure or Edit.
CLI configuration editor:
From the [edit] hierarchy level, enter
edit interfaces umd0

Task: Create the new interface umd0.
J-Web configuration editor:
1. Next to Interface, click Add new entry.
2. In the Interface name box, type the name of the new interface, umd0.
3. Click OK.

Task: Configure dialer options.
■ Name the dialer pool configured on the dialer interface you want to use for USB modem connectivity—for example, usb-modem-dialer-pool. For more information, see “Configuring a Dialer Interface (Required)” on page 35.
■ Set the dialer pool priority—for example, 25.
Dialer pool priority has a range from 1 to 255, with 1 designating lowest-priority interfaces and 255 designating the highest-priority interfaces.
J-Web configuration editor:
1. In the Encapsulation column, next to the new interface, click Edit.
2. Next to Dialer options, select Yes, and then click Configure.
3. Next to Pool, click Add new entry.
4. In the Pool identifier box, type usb-modem-dialer-pool.
5. In the Priority box, type 25.
6. Click OK until you return to the Interface page.
CLI configuration editor:
Enter
set dialer-options pool usb-modem-dialer-pool priority 25

Task: Configure the modem to automatically answer calls after a specified number of rings.
The S0=0 command in the default modem initialization sequence AT S7=45 S0=0 V1 X4 &C1 E0 Q0 &Q8 %C0 disables the modem from automatically answering calls. For more information about modem initialization commands, see “How a Services Router Initializes USB Modems” on page 31 and “Modifying USB Modem Initialization Commands” on page 41.
J-Web configuration editor:
1. Next to Modem options, click Configure.
2. In the Init command string box, type ATS0=2 to configure the modem to automatically answer after two rings.
3. Click OK.
CLI configuration editor:
Enter
set modem-options init-command-string "ATS0=2 \n"
Configuring a Dialer Interface (Required)
The dialer interface (dl) is a logical interface configured to establish USB modem
connectivity. You can configure multiple dialer interfaces for different functions on
the Services Router.
To configure a logical dialer interface for the Services Router:
1. Navigate to the top of the interfaces configuration hierarchy in either the J-Web or CLI configuration editor.
2. Perform the configuration tasks described in Table 26 on page 35.
3. Go on to “Configuring Dial-In (Required)” on page 36.
Table 26: Adding a Dialer Interface to a Services Router
Task: Navigate to the Interfaces level in the configuration hierarchy.
J-Web configuration editor:
1. In the J-Web interface, select Configuration>View and Edit>Edit Configuration.
2. Next to Interfaces, click Configure or Edit.
CLI configuration editor:
From the [edit] hierarchy level, enter
edit interfaces

Task: Create the new interface dl0 and add a description.
J-Web configuration editor:
1. Next to Interface, click Add new entry.
2. In the Interface name box, type dl0.
3. In the Description box, type USB-modem-remote-management.
4. Click OK.
CLI configuration editor:
Create and name the interface:
1. edit dl0
2. set description USB-modem-remote-management

Task: Set the encapsulation to PPP.
NOTE: You cannot configure Cisco High-Level Data Link Control (HDLC) or Multilink PPP (MLPPP) encapsulation on dialer interfaces used in USB modem connections.
J-Web configuration editor:
1. In the Encapsulation column, next to the new interface, click Edit.
2. From the Encapsulation list, select ppp.
CLI configuration editor:
Enter
set encapsulation ppp

Task: Create the logical unit 0.
NOTE: The logical unit number must be 0.
J-Web configuration editor:
1. Next to Unit, click Add new entry.
2. In the Interface unit number box, type 0.
3. Next to Dialer options, select Yes, and then click Configure.
CLI configuration editor:
Enter
set unit 0

Task: Configure the name of the dialer pool to use for USB modem connectivity—for example, usb-modem-dialer-pool.
J-Web configuration editor:
1. In the Pool box, type usb-modem-dialer-pool.
2. Click OK.
CLI configuration editor:
1. Enter edit unit 0
2. Enter set dialer-options pool usb-modem-dialer-pool

Task: Configure source and destination IP addresses for the dialer interface—for example, 172.20.10.2 and 172.20.10.1.
NOTE: If you configure multiple dialer interfaces, ensure that the same IP subnet address is not configured on different dialer interfaces. Configuring the same IP subnet address on multiple dialer interfaces can result in inconsistency in the route and packet loss. The router might route packets through another dialer interface with the IP subnet address instead of through the dialer interface to which the USB modem call is mapped.
J-Web configuration editor:
1. Select Inet under Family, and click Configure.
2. Next to Address, click Add new entry.
3. In the Source box, type 172.20.10.2.
4. In the Destination box, type 172.20.10.1.
5. Click OK.
CLI configuration editor:
Enter
set family inet address 172.20.10.2 destination 172.20.10.1
Configuring Dial-In (Required)
To enable connections to the USB modem from a remote location, you must configure
the dialer interfaces set up for USB modem use to accept incoming calls. You can
configure a dialer interface to accept all incoming calls or accept only calls from one
or more caller IDs.
If the dialer interface is configured to accept only calls from a specific caller ID, the
Services Router matches the incoming call's caller ID against the caller IDs configured
on its dialer interfaces. If an exact match is not found and the incoming call's caller
ID has more digits than the configured caller IDs, the Services Router performs a
right-to-left match of the incoming call's caller ID with the configured caller IDs and
accepts the incoming call if a match is found. For example, if the incoming call's
caller ID is 4085550115 and the caller ID configured on a dialer interface is 5550115,
the incoming call is accepted. Each dialer interface accepts calls from only callers
whose caller IDs are configured on it.
To configure a dialer interface for dial-in:
1. Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
2. Perform the configuration tasks described in Table 27 on page 37.
3. If you are finished configuring the router, commit the configuration.
4. To verify that the network interface is configured correctly, see “Verifying the USB Modem Configuration” on page 42.
Table 27: Configuring the Dialer Interface for Dial-In
Task: Navigate to the Interfaces level in the configuration hierarchy, and select a dialer interface—for example, dl0.
J-Web configuration editor:
1. In the J-Web interface, select Configuration>View and Edit>Edit Configuration.
2. Next to Interfaces, click Edit.
3. Next to dl0, click Edit.
CLI configuration editor:
From the [edit] hierarchy level, enter
edit interfaces dl0

Task: On logical interface 0, configure the incoming map options for the dialer interface.
■ accept-all—Dialer interface accepts all incoming calls.
    You can configure the accept-all option for only one of the dialer interfaces associated with a USB modem physical interface. The router uses the dialer interface with the accept-all option configured only if the incoming call's caller ID does not match the caller IDs configured on other dialer interfaces.
■ caller—Dialer interface accepts calls from a specific caller ID—for example, 4085550115. You can configure a maximum of 15 caller IDs per dialer interface.
    The same caller ID must not be configured on different dialer interfaces. However, you can configure caller IDs with more or fewer digits on different dialer interfaces. For example, you can configure the caller IDs 14085550115, 4085550115, and 5550115 on different dialer interfaces.
J-Web configuration editor:
1. In the Unit section, for logical unit number 0, click Dialer options under Nested Configuration.
2. Next to Incoming map, click Configure.
3. From the Caller type menu, select Caller.
4. Next to Caller, click Add new entry.
5. In the Caller id box, type 4085550115.
6. Click OK.
7. Repeat Steps 4 through 6 for each caller ID to be accepted on the dialer interface.
CLI configuration editor:
1. Enter edit unit 0
2. Enter edit dialer-options
3. Enter set incoming-map caller 4085550115
4. Repeat Step 3 for each caller ID to be accepted on the dialer interface.
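The dial-in matching rules from the section above and from Table 27, written out as an added Python example (not Juniper code): exact match first, then the right-to-left match when the incoming caller ID has more digits, and the accept-all interface only as a last resort, with the configuration constraints (one accept-all interface, no caller ID on two interfaces, at most 15 IDs per interface) checked up front. The tie-break when several interfaces match right-to-left is an assumption the guide does not state.

```python
"""Added example: the caller-ID matching rules the guide describes for
dial-in on dialer interfaces. Not Juniper code; the tie-break between
several right-to-left matches is an assumption noted below."""
from typing import Dict, List, Optional

MAX_CALLER_IDS = 15  # per dialer interface, from Table 27


def caller_id_matches(incoming: str, configured: str) -> bool:
    """Exact match, or a right-to-left match when the incoming caller ID
    has more digits than the configured one (4085550115 matches 5550115)."""
    if incoming == configured:
        return True
    return len(incoming) > len(configured) and incoming.endswith(configured)


def validate_dialer_config(interfaces: Dict[str, dict]) -> None:
    """Enforce the constraints from Table 27: at most one accept-all
    interface, no caller ID on two interfaces, at most 15 IDs per interface."""
    if sum(1 for cfg in interfaces.values() if cfg.get("accept_all")) > 1:
        raise ValueError("accept-all may be configured on only one dialer interface")
    seen: Dict[str, str] = {}
    for name, cfg in interfaces.items():
        callers: List[str] = cfg.get("callers", [])
        if len(callers) > MAX_CALLER_IDS:
            raise ValueError(f"{name}: more than {MAX_CALLER_IDS} caller IDs")
        for cid in callers:
            if cid in seen:
                raise ValueError(f"caller ID {cid} on both {seen[cid]} and {name}")
            seen[cid] = name


def select_dialer_interface(incoming: str, interfaces: Dict[str, dict]) -> Optional[str]:
    """Return the dialer interface that takes the call, or None to reject it.

    interfaces maps a name such as "dl0" to {"callers": [...], "accept_all": bool}.
    Order of evaluation follows the guide: exact match first, then the
    right-to-left match, and the accept-all interface only when nothing
    matched. Assumption: if several interfaces match right-to-left, the
    one with the longest configured caller ID wins.
    """
    validate_dialer_config(interfaces)
    for name, cfg in interfaces.items():
        if incoming in cfg.get("callers", []):
            return name
    best: Optional[str] = None
    best_len = 0
    for name, cfg in interfaces.items():
        for cid in cfg.get("callers", []):
            if caller_id_matches(incoming, cid) and len(cid) > best_len:
                best, best_len = name, len(cid)
    if best is not None:
        return best
    for name, cfg in interfaces.items():
        if cfg.get("accept_all"):
            return name
    return None


# Constructed configuration using the caller IDs quoted in the guide.
SAMPLE_INTERFACES = {
    "dl0": {"callers": ["14085550115"]},
    "dl1": {"callers": ["4085550115"]},
    "dl2": {"callers": ["5550115"]},
    "dl3": {"accept_all": True},
}

if __name__ == "__main__":
    for number in ("4085550115", "9195550115", "4085551234"):
        print(number, "->", select_dialer_interface(number, SAMPLE_INTERFACES))
```

Note that a caller from a different area code (9195550115 in the sample) still lands on dl2 through the right-to-left match, so a short configured caller ID is a much weaker filter than a full one.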
Configuring CHAP on Dialer Interfaces (Optional)
You can optionally configure dialer interfaces to support the PPP Challenge Handshake
Authentication Protocol (CHAP). When you enable CHAP on a dialer interface, the
Services Router can authenticate the remote locations connecting to the USB modem.
For more information about CHAP, see the J-series Services Router Basic LAN and
WAN Access Configuration Guide and the JUNOS Network Interfaces Configuration
Guide.
To configure CHAP on the dialer interface:
1. Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
2. Perform the configuration tasks described in Table 28 on page 38.
3. If you are finished configuring the router, commit the configuration.
4. To verify the CHAP configuration, see “Verifying the USB Modem
Table 28: Configuring CHAP on Dialer Interfaces

Task: Define a CHAP access profile—for example, usb-modem-access-profile with a
client (username) named usb-modem-user and the secret (password) my-secret.

  J-Web Configuration Editor
  1. In the J-Web interface, select Configuration>View and Edit>Edit Configuration.
  2. Next to Access, click Configure or Edit.
  3. Next to Profile, click Add new entry.
  4. In the Profile name box, type usb-modem-access-profile.
  5. Next to Client, click Add new entry.
  6. In the Name box, type usb-modem-user.
  7. In the Chap secret box, type my-secret.
  8. Click OK.
  9. Repeat Steps 5 through 8 for each client to be included in the CHAP profile.
  10. Click OK until you return to the Configuration page.

  CLI Configuration Editor
  1. From the [edit] hierarchy level, enter
     edit access
  2. Enter
     set profile usb-modem-access-profile client usb-modem-user chap-secret my-secret
  3. Repeat Step 2 for each client to be included in the CHAP profile.

Task: Navigate to the appropriate dialer interface level in the configuration
hierarchy—for example, dl0 unit 0.

  J-Web Configuration Editor
  1. On the Configuration page next to Interfaces, click Edit.
  2. In the Interface name column, click dl0.
  3. Under Unit, in the Interface unit number column, click 0.

  CLI Configuration Editor
  From the [edit] hierarchy level, enter
  edit interfaces dl0 unit 0

Task: Configure CHAP on the dialer interface and specify a unique profile name
containing a client list and access parameters—for example,
usb-modem-access-profile.
NOTE: Do not configure the passive option from the [edit interfaces dl0 unit 0
ppp-options chap] hierarchy level.

  J-Web Configuration Editor
  1. Next to Ppp options, click Configure.
  2. Next to Chap, click Configure.
  3. In the Access profile box, type usb-modem-access-profile.
  4. Click OK.

  CLI Configuration Editor
  Enter
  set ppp-options chap access-profile usb-modem-access-profile
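What the access profile above enables is the three-way handshake of RFC 1994: the router (authenticator) sends a random challenge, the remote PC answers with its username and MD5(identifier || secret || challenge), and the router recomputes the hash from the chap-secret stored for that client and compares the two. The secret itself never crosses the modem link, and only the side that issues the challenge authenticates its peer, which is why the passive option (handle incoming CHAP packets only, never send a challenge) must stay off on the dialer interface. The following Python model is an added example written for this page, not Juniper code: the profile dictionary mirrors the usb-modem-user/my-secret values from Table 28, and the 16-byte challenge length and the identifier counter are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed to mirror the access profile from Table 28:
#   set access profile usb-modem-access-profile client usb-modem-user chap-secret my-secret
ACCESS_PROFILE: Dict[str, bytes] = {"usb-modem-user": b"my-secret"}

CHAP_MD5 = 5  # RFC 1994 algorithm number for CHAP with MD5


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 Response Value = MD5(Identifier || Secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


@dataclass
class Authenticator:
    """Router side: the dialer interface with ppp-options chap access-profile set."""
    profile: Dict[str, bytes]
    _next_id: int = field(default=0, repr=False)

    def challenge(self) -> Tuple[int, bytes]:
        # One-octet Identifier that changes per challenge plus 16 random bytes
        # (the length is an assumption; RFC 1994 only requires unpredictability).
        self._next_id = (self._next_id + 1) & 0xFF
        return self._next_id, os.urandom(16)

    def verify(self, identifier: int, challenge: bytes, name: str, response: bytes) -> bool:
        secret = self.profile.get(name)
        if secret is None:
            return False                       # client not in the profile: Failure
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)   # constant-time compare


def peer_answer(identifier: int, challenge: bytes, name: str, secret: bytes) -> Tuple[str, bytes]:
    """Remote PC side: reply with the username and the hash, never with the secret."""
    return name, chap_response(identifier, secret, challenge)


def run_chap(auth: Authenticator, name: str, secret: bytes) -> bool:
    """One complete Challenge / Response / Success-or-Failure exchange."""
    identifier, challenge = auth.challenge()
    claimed, response = peer_answer(identifier, challenge, name, secret)
    return auth.verify(identifier, challenge, claimed, response)


def replay_is_rejected(auth: Authenticator, name: str, secret: bytes) -> bool:
    """A Response captured from one exchange does not satisfy the next challenge."""
    id1, chal1 = auth.challenge()
    _, captured = peer_answer(id1, chal1, name, secret)
    id2, chal2 = auth.challenge()
    return not auth.verify(id2, chal2, name, captured)


if __name__ == "__main__":
    router = Authenticator(dict(ACCESS_PROFILE))
    print("correct secret :", run_chap(router, "usb-modem-user", b"my-secret"))
    print("wrong secret   :", run_chap(router, "usb-modem-user", b"guess"))
    print("replay rejected:", replay_is_rejected(router, "usb-modem-user", b"my-secret"))
```

The model makes the operational consequence of the profile visible: a caller who knows only the username, or who replays a response sniffed from an earlier call, is refused, while the chap-secret configured under [edit access] is never transmitted.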
Connecting to the Services Router from the User End
NOTE: These instructions describe connecting to the Services Router from a remote
PC or laptop computer running Microsoft Windows XP. If your remote PC or laptop
computer does not run Microsoft Windows XP, see the documentation for your
operating system and enter equivalent commands.
This section contains the following topics:
■Configuring a Dial-Up Modem Connection at the User End on page 39
■Connecting to the Services Router from the User End on page 40
Configuring a Dial-Up Modem Connection at the User End
To remotely connect to the USB modem connected to the USB port on the Services
Router, you must configure a dial-up modem connection on the PC or laptop computer
at your remote location. Configure the dial-up modem connection properties to
disable IP header compression.
To configure a dial-up modem connection at the user end:
1. At your remote location, connect a modem to a management device such as a
   PC or laptop computer.
2. Connect the modem to your telephone network.
3. On the PC or laptop computer, select Start>Settings>Control Panel>Network
   Connections.
   The Network Connections page is displayed.
4. Click Create a new connection.
   The New Connection Wizard is displayed.
5. Click Next.
   The New Connection Wizard: Network Connection Type page is displayed.
6. Select Connect to the network at my workplace, and then click Next.
   The New Connection Wizard: Network Connection page is displayed.
7. Select Dial-up connection, and then click Next.
   The New Connection Wizard: Connection Name page is displayed.
8. In the Company Name box, type the dial-up connection name—for example,
   USB-modem-connect—and then click Next.
   The New Connection Wizard: Phone Number to Dial page is displayed.
9. In the Phone number box, type the telephone number of the PSTN line connected
   to the USB modem at the router end.
10. Click Next twice, and then click Finish.
The Connect USB-modem-connect page is displayed.
11. If CHAP is configured on the dialer interface used for the USB modem interface
at the router end, type the username and password configured in the CHAP
configuration in the User name and Password boxes. For information about
configuring CHAP on dialer interfaces, see “Configuring CHAP on Dialer Interfaces
(Optional)” on page 37.
12. Click Properties.
The USB-modem-connect Properties page is displayed.
13. In the Networking tab, select Internet Protocol (TCP/IP), and then click
Properties.
The Internet Protocol (TCP/IP) Properties page is displayed.
14. Click Advanced.
The Advanced TCP/IP Settings page appears.
15. Clear the Use IP header compression check box.
Connecting to the Services Router from the User End
To remotely connect to the Services Router through a USB modem connected to the
USB port on the router:
1. On the PC or laptop computer at your remote location, select
   Start>Settings>Control Panel>Network Connections.
   The Network Connections page is displayed.
2. Double-click the USB-modem-connect dial-up connection configured in
   “Configuring a Dial-Up Modem Connection at the User End” on page 39.
   The Connect USB-modem-connect page is displayed.
3. Click Dial to connect to the Services Router.
When the connection is complete, you can use Telnet or SSH to connect to the
router.
Administering USB Modems
This section contains the following topics:
■Modifying USB Modem Initialization Commands on page 41
■Resetting USB Modems on page 42
Modifying USB Modem Initialization Commands
NOTE: These instructions use Hayes-compatible modem commands to configure the
modem. If your modem is not Hayes-compatible, see the documentation for your
modem and enter equivalent modem commands.
You can use the J-Web or CLI configuration editor to override the value of an
initialization command configured on the USB modem or configure additional
commands for initializing USB modems.
NOTE: If you modify modem initialization commands when a call is in progress, the
new initialization sequence is applied on the modem only when the call ends.
In this example, you override the value of the S0=0 command in the initialization
sequence configured on the modem and add the L2 command.
To modify the initialization commands on a USB modem:
1. Navigate to the top of the interfaces configuration hierarchy in either the J-Web
   or CLI configuration editor.
2. Perform the configuration tasks described in Table 29 on page 41.
3. If you are finished configuring the router, commit the configuration.
4. To verify that the initialization commands are configured correctly, see “Verifying
   the USB Modem Configuration” on page 42.
Table 29: Modifying USB Modem Initialization Commands

Task: Navigate to the Interfaces level in the configuration hierarchy.

Task: Configure the modem AT commands to initialize the USB modem. For example:
  ■ The command S0=2 configures the modem to automatically answer calls on the
    second ring.
  ■ The command L2 configures medium speaker volume on the modem.
  You can insert spaces between commands.
  When you configure modem commands in the CLI configuration editor, you must
  follow these conventions:
  ■ Use the newline character \n to indicate the end of a command sequence.
  ■ Enclose the command string in double quotation marks.

  J-Web Configuration Editor
  1. Next to Modem options, click Configure.
  2. In the Init command string box, type AT S0=2 L2.
  3. Click OK.

  CLI Configuration Editor
  From the [edit interfaces umd0] hierarchy, enter
  set modem-options init-command-string "AT S0=2 L2 \n"

Resetting USB Modems
If the USB modem does not respond, you can reset the modem.
CAUTION: If you reset the modem when a call is in progress, the call is terminated.
To reset the USB modem:
1. Enter operational mode in the CLI.
2. To reset the USB modem, enter the following command:
   user@host> request interface modem reset umd0
Verifying the USB Modem Configuration
To verify a USB modem configuration, perform the following tasks:
■Verifying a USB Modem Interface on page 43
■Verifying Dialer Interface Configuration on page 44
Verifying a USB Modem Interface
Purpose: Verify that the USB modem interface is correctly configured and display the status
of the modem.
Action: From the CLI, enter the show interfaces extensive command.
user@host> show interfaces umd0 extensive
Physical interface: umd0, Enabled, Physical link is Up
Interface index: 64, SNMP ifIndex: 33, Generation: 1
Type: Async-Serial, Link-level type: PPP-Subordinate, MTU: 1504,
Clocking: Unspecified, Speed: MODEM
Device flags : Present Running
Interface flags: Point-To-Point SNMP-Traps Internal: 0x4000
Link flags : None
Hold-times : Up 0 ms, Down 0 ms
Last flapped : Never
Statistics last cleared: Never
Traffic statistics:
Input bytes : 21672
Output bytes : 22558
Input packets: 1782
Output packets: 1832
Input errors:
Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Giants: 0, Policed discards:
0,
Resource errors: 0
Output errors:
Carrier transitions: 63, Errors: 0, Drops: 0, MTU errors: 0, Resource errors:
0
MODEM status:
Modem type : LT V.92 1.0 MT5634ZBA-USB-V92 Data/Fax Modem
(Dual Config) Version 2.27m
Initialization command string : ATS0=2
Initialization status : Ok
Call status : Connected to 4085551515
Call duration : 13429 seconds
Call direction : Dialin
Baud rate : 33600 bps
Most recent error code : NO CARRIER
Meaning: The output shows a summary of interface information and displays the modem
status.
Verify the following information:
■The physical interface is Enabled. If the interface is shown as Disabled, do either
of the following:
■In the CLI configuration editor, delete the disable statement at the [edit
interfaces interface-name] level of the configuration hierarchy.
■In the J-Web configuration editor, clear the Disable check box on the
Interfaces>interface-name page.
■The physical link is Up. A link state of Down indicates a problem with the interface
module, interface port, or physical connection (link-layer errors).
■The Last Flapped time is an expected value. The Last Flapped time indicates the
last time the physical interface became unavailable and then available again.
Unexpected flapping indicates likely link-layer errors.
■The traffic statistics reflect expected input and output rates. Verify that the
number of inbound and outbound bytes and packets matches expected
throughput for the physical interface. To clear the statistics and see only new
changes, use the clear interfaces statistics interface-name command.
■The modem initialization command string has a nonzero value for the S0=n
modem command. A nonzero value is required to configure the modem to
automatically answer calls. For example, the command S0=2 configures the
modem to automatically answer calls on the second ring.
For more information, see “Modifying USB Modem Initialization
Commands” on page 41.
■The modem initialization status is Ok. If the initialization status is shown as Error
or Not Initialized, do the following:
1. Verify that the modem initialization commands are valid. If the modem
   initialization sequence includes invalid commands, correct them, as described
   in “Modifying USB Modem Initialization Commands” on page 41.
2. If the modem initialization commands are valid, reset the modem. For more
   information, see “Resetting USB Modems” on page 42.
Determine the following information:
■The call status
■The duration of the call
Related Topics: For a complete description of show interfaces extensive output, see the JUNOS
Interfaces Command Reference.
Verifying Dialer Interface Configuration
Purpose: Verify that the dialer interface is correctly configured.
Action: From the CLI, enter the show interfaces extensive command.
user@host> show interfaces dl0 extensive
Physical interface: dl0, Enabled, Physical link is Up
Interface index: 128, SNMP ifIndex: 24, Generation: 129
Type: 27, Link-level type: PPP, MTU: 1504, Clocking: Unspecified, Speed:
Unspecified
Device flags : Present Running
Interface flags: SNMP-Traps
Link type : Full-Duplex
Link flags : Keepalives
Physical info : Unspecified
Hold-times : Up 0 ms, Down 0 ms
Current address: Unspecified, Hardware address: Unspecified
Alternate link address: Unspecified
Last flapped : Never
Statistics last cleared: Never
Traffic statistics:
Input bytes : 13859 0 bps
Output bytes : 0 0 bps
Input packets: 317 0 pps
Output packets: 0 0 pps
Input errors:
Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Giants: 0, Policed discards:
0,
Resource errors: 0
Output errors:
Carrier transitions: 0, Errors: 0, Drops: 0, MTU errors: 0, Resource errors:
0
Meaning: The output shows a summary of dialer interface information. Verify the following
information:
■The physical interface is Enabled. If the interface is shown as Disabled, do either
of the following:
■In the CLI configuration editor, delete the disable statement at the [edit
interfaces interface-name] level of the configuration hierarchy.
■In the J-Web configuration editor, clear the Disable check box on the
Interfaces>interface-name page.
■The physical link is Up. A link state of Down indicates a problem with the interface
module, interface port, or physical connection (link-layer errors).
■The Last Flapped time is an expected value. The Last Flapped time indicates the
last time the physical interface became unavailable and then available again.
Unexpected flapping indicates possible link-layer errors.
■The traffic statistics reflect expected input and output rates. Verify that the
number of inbound and outbound bytes and packets matches expected
throughput for the physical interface. To clear the statistics and see only new
changes, use the clear interfaces statistics interface-name command.
■The dialer state is Active when a USB modem call is in progress.
■The LCP state is Opened when a USB modem call is in progress. An LCP state of
Closed or Not Configured indicates a problem with the dialer configuration that
needs to be debugged with the monitor traffic interface interface-name command.
For information about the monitor traffic command, see “Using the monitor traffic
Command” on page 246.
Related Topics: For a complete description of show interfaces dl0 extensive output, see the JUNOS
Interfaces Command Reference.
Chapter 3
Configuring SNMP for Network Management
The Simple Network Management Protocol (SNMP) enables the monitoring of network
devices from a central location.
You can use either J-Web Quick Configuration or a configuration editor to configure
SNMP.
NOTE: SNMP is not supported on Gigabit Ethernet interfaces on J-series Services
Routers.
This chapter contains the following topics. For more information about SNMP, see
the JUNOS Network Management Configuration Guide.
■SNMP Architecture on page 47
■Before You Begin on page 50
■Configuring SNMP with Quick Configuration on page 50
■Configuring SNMP with a Configuration Editor on page 54
■Verifying the SNMP Configuration on page 58
SNMP Architecture
Use SNMP to determine where and when a network failure is occurring, and to gather
statistics about network performance in order to evaluate the overall health of the
network and identify bottlenecks.
Because SNMP is a client/server protocol, SNMP nodes can be classified as either
clients (SNMP managers) or servers (SNMP agents). SNMP managers, also called
network management systems (NMSs), occupy central points in the network and
actively query and collect messages from SNMP agents in the network. SNMP agents
are individual processes running on network nodes that gather information for a
particular node and transfer the information to SNMP managers as queries are
processed. The agent also controls access to the agent’s Management Information
Base (MIB), the collection of objects that can be viewed or changed by the SNMP
manager. Because SNMP agents are individual SNMP processes running on a host,
multiple agents can be active on a single network node at any given time.
Communication between the agent and the manager occurs in one of the following
forms:
■Get, GetBulk, and GetNext requests—The manager requests information from
the agent, and the agent returns the information in a Get response message.
■Set requests—The manager changes the value of a MIB object controlled by the
agent, and the agent indicates status in a Set response message.
■Traps notification—The agent sends traps to notify the manager of significant
events that occur on the network device.
Management Information Base
Agents store information in a hierarchical database whose layout is defined by the
Structure of Management Information (SMI). The database resembles a file system:
information is stored in individual files that are hierarchically arranged, and the
individual files that store the information are known as Management Information Bases (MIBs).
Each MIB contains nodes of information that are stored in a tree structure. Information
branches down from a root node to individual leaves in the tree, and the individual
leaves comprise the information that is queried by managers for a given MIB. The
nodes of information are identified by an object ID (OID). The OID is a dotted integer
identifier (1.3.6.1.2.1.2, for instance) or a subtree name (such as interfaces) that
corresponds to an indivisible piece of information in the MIB.
MIBs are either standard or enterprise-specific. Standard MIBs are created by the
Internet Engineering Task Force (IETF) and documented in various RFCs. Depending
on the vendor, many standard MIBs are delivered with the NMS software. You can
also download the standard MIBs from the IETF Web site, http://www.ietf.org, and
compile them into your NMS, if necessary.
Enterprise-specific MIBs are developed and supported by a specific equipment
manufacturer. If your network contains devices that have enterprise-specific MIBs,
you must obtain them from the manufacturer and compile them into your network
management software.
For a list of standard and enterprise-specific supported MIBs, see the JUNOS Network
Management Configuration Guide.
To download enterprise MIBs for a Services Router, go to
SNMP Communities
You can grant access to only specific SNMP managers for particular SNMP agents by
creating SNMP communities. The community is assigned a name that is unique on
the host. All SNMP requests that are sent to the agent must be configured with the
same community name. When multiple agents are configured on a particular host,
the community name process ensures that SNMP requests are sorted to only those
agents configured to handle the requests.
Additionally, communities allow you to specify one or more addresses or address
prefixes to which you want to either allow or deny access. By specifying a list of
clients, you can control exactly which SNMP managers have access to a particular
agent.
SNMP Traps
The get and set commands that SNMP uses are useful for querying hosts within a
network. However, the commands do not provide a means by which events can
trigger a notification. For instance, if a link fails, the health of the link is unknown
until an SNMP manager next queries that agent.
SNMP traps are unsolicited notifications that are triggered by events on the host.
When you configure a trap, you specify the types of events that can trigger trap
messages, and you configure a set of targets to receive the generated messages.
SNMP traps enable an agent to notify a network management system (NMS) of
significant events. You can configure an event policy action that uses system log
messages to initiate traps for events. The traps enable an SNMP trap-based application
to be notified when an important event occurs. You can convert any system log
message that has no corresponding traps into a trap. This feature helps you to use
NMS traps rather than system log messages to monitor the network.
Spoofing SNMP Traps
You can use the request snmp spoof-trap operational mode command to mimic SNMP
trap behavior. The contents of the traps (the values and instances of the objects
carried in the trap) can be specified on the command line or they can be spoofed
automatically. This feature is useful if you want to trigger SNMP traps from routers
and ensure they are processed correctly within your existing network management
infrastructure, but find it difficult to simulate the error conditions that trigger many
of the traps on the router. For more information, see the JUNOS System Basics and
Services Command Reference.
SNMP Health Monitor
The SNMP health monitor feature uses existing SNMP remote monitoring (RMON)
alarms and traps to monitor a select set of Services Router characteristics (object
instances) like the CPU usage, memory usage, and file system usage. The health
monitor feature also monitors the CPU usage of the J-series Services Router forwarding
process (also called a daemon)—for example, the chassis process and forwarding
process microkernel. You can configure the SNMP health monitor options rising
threshold, falling threshold, and interval using the SNMP Quick Configuration page.
A threshold is a test of some SNMP variable against some value, with a report when
the threshold value is exceeded. The rising threshold is the upper threshold for a
monitored variable. When the current sampled value is greater than or equal to this
threshold, and the value at the last sampling interval is less than this threshold, the
SNMP health monitor generates an alarm. After the rising alarm, the health monitor
cannot generate another alarm until the sampled value falls below the rising threshold
and reaches the falling threshold.
The falling threshold is the lower threshold for the monitored variable. When the
current sampled value is less than or equal to this threshold, and the value at the last
sampling interval is greater than this threshold, the SNMP health monitor generates
an alarm. After the falling alarm, the health monitor cannot generate another alarm
until the sampled value rises above the falling threshold and reaches the rising
threshold.
The interval represents the period of time, in seconds, over which the object instance
is sampled and compared with the rising and falling thresholds.
At present, you do not have to configure a separate trap for the SNMP health monitor,
because it uses the already existing RMON traps. For more information about RMON
events and alarms, see the JUNOS Network Management Configuration Guide.
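The rising and falling rules above form a hysteresis state machine, and the detail that matters when you tune thresholds is the re-arming condition: a value that dips below the rising threshold but never reaches the falling threshold does not produce a second rising alarm when it climbs back, so a flapping indicator near 90 percent generates one event, not a storm. The following Python model is an added example for this page, not Juniper's implementation. It uses the page's defaults (rising 90, falling 80), enforces the rule that the falling threshold must be less than the rising threshold, and assumes the monitor starts armed for a rising alarm, so a first sample below the falling threshold is not an event.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class HealthMonitorAlarm:
    """RMON-style rising/falling alarm for one monitored object instance."""
    rising: int = 90      # Quick Configuration default
    falling: int = 80     # Quick Configuration default
    _prev: Optional[int] = field(default=None, repr=False)
    # Assumption: start as if a falling alarm had just been sent, i.e. armed for rising.
    _last_event: str = field(default="falling", repr=False)

    def __post_init__(self) -> None:
        # The page requires the falling threshold to be less than the rising threshold.
        if not (0 <= self.falling < self.rising <= 100):
            raise ValueError("falling threshold must be less than rising threshold (0..100)")

    def sample(self, value: int) -> Optional[str]:
        """Feed one sampled percentage; return "rising", "falling" or None."""
        prev = self._prev
        # Crossing tests exactly as the text states them: current on or past the
        # threshold, previous sample on the other side of it.
        crossed_up = value >= self.rising and (prev is None or prev < self.rising)
        crossed_down = value <= self.falling and prev is not None and prev > self.falling
        event = None
        if crossed_up and self._last_event != "rising":
            event = "rising"          # re-armed only after a falling alarm
        elif crossed_down and self._last_event != "falling":
            event = "falling"         # re-armed only after a rising alarm
        if event is not None:
            self._last_event = event
        self._prev = value
        return event


def run_samples(values: List[int], rising: int = 90, falling: int = 80) -> List[Optional[str]]:
    """Replay a series of samples (one per interval) and return the event per sample."""
    monitor = HealthMonitorAlarm(rising=rising, falling=falling)
    return [monitor.sample(v) for v in values]


if __name__ == "__main__":
    # Constructed sample series: Routing Engine CPU percentage, one value per interval.
    cpu = [50, 85, 92, 95, 88, 91, 79, 70, 95]
    for value, event in zip(cpu, run_samples(cpu)):
        print(f"{value:3d}% -> {event or '-'}")
```

In the constructed series the climb to 92 percent raises the rising alarm, the dip to 88 and return to 91 is silent because the value never reached the falling threshold, the drop to 79 raises the falling alarm, and only then does the next climb to 95 raise a new rising alarm. Setting the two thresholds too close together (for example 90 and 89) re-arms on every small dip and produces exactly the alarm noise the gap between them is meant to suppress.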
To display the information collected by the SNMP health monitor, use the following
CLI show snmp health-monitor commands:
■ show snmp health-monitor
■ show snmp health-monitor alarms
■ show snmp health-monitor alarms detail
■ show snmp health-monitor logs
For more information, see the JUNOS System Basics and Services Command Reference.
Before You Begin
Before you begin configuring SNMP, complete the following tasks:
■Establish basic connectivity. See the Getting Started Guide for your router.
■Configure network interfaces. See the J-series Services Router Basic LAN and WAN
Access Configuration Guide.
Configuring SNMP with Quick Configuration
J-Web Quick Configuration allows you to define system identification information,
create SNMP communities, create SNMP trap groups, and configure health monitor
options. Figure 7 on page 50 shows the Quick Configuration page for SNMP.
Figure 7: Quick Configuration Page for SNMP
Field: Enable Health Monitoring
  Function: Enables the SNMP health monitor on the router. The health monitor
  periodically (the time you specify in the Interval field) checks the following key
  indicators of router health:
  ■ Percentage of file storage used
  ■ Percentage of Routing Engine CPU used
  ■ Percentage of Routing Engine memory used
  ■ Percentage of memory used for each system process
  ■ Percentage of CPU used by the forwarding process
  ■ Percentage of memory used for temporary storage by the forwarding process
  Your Action: Select the check box to enable the health monitor and configure
  options. If you do not select the check box, the health monitor is disabled.
  NOTE: If you select only the Enable Health Monitoring check box and do not
  specify the options, then SNMP health monitoring is enabled with the default
  values for the options.

Field: Interval
  Function: Determines the sampling frequency, in seconds, over which the key
  health indicators are sampled and compared with the rising and falling thresholds.
  For example, if you configure the interval as 100 seconds, the values are checked
  every 100 seconds.
  Your Action: Enter an interval time, in seconds, between 1 and 2147483647.
  The default value is 300 seconds (5 minutes).

Field: Rising Threshold
  Function: Value at which you want SNMP to generate an event (trap and system
  log message) when the value of a sampled indicator is increasing. For example,
  if the rising threshold is 90 (the default), SNMP generates an event when the
  value of any key indicator reaches or exceeds 90 percent.
  Your Action: Enter a value between 0 and 100. The default value is 90.

Field: Falling Threshold
  Function: Value at which you want SNMP to generate an event (trap and system
  log message) when the value of a sampled indicator is decreasing. For example,
  if the falling threshold is 80 (the default), SNMP generates an event when the
  value of any key indicator falls back to 80 percent or less.
  Your Action: Enter a value between 0 and 100. The default value is 80.
  NOTE: The falling threshold value must be less than the rising threshold value.
Configuring SNMP with a Configuration Editor
To configure SNMP on a Services Router, you must perform the following tasks
marked (Required). For information about using the J-Web and CLI configuration
editors, see the J-series Services Router Basic LAN and WAN Access Configuration Guide.
■Defining System Identification Information (Required) on page 54
■Configuring SNMP Agents and Communities (Required) on page 55
■Managing SNMP Trap Groups (Required) on page 56
■Controlling Access to MIBs (Optional) on page 57
Defining System Identification Information (Required)
Basic system identification information for a Services Router can be configured with
SNMP and stored in various MIBs. This information can be accessed through SNMP
requests and either queried or reset. Table 31 on page 54 identifies types of basic
system identification and the MIB object into which each type is stored.
Table 31: System Identification Information and Corresponding MIB Objects
System Information       MIB Object
Contact                  sysContact
System location          sysLocation
System description       sysDescr
System name override     sysName
To configure basic system identification for SNMP:
1. Navigate to the top of the configuration hierarchy in either the J-Web or CLI
   configuration editor.
2. To configure basic system information using SNMP, perform the configuration
   tasks described in Table 32 on page 54.
3. If you are finished configuring the network, commit the configuration.
4. To check the configuration, see “Verifying the SNMP Configuration” on page 58.
Table 32: Configuring Basic System Identification

Task: Navigate to the SNMP level in the configuration hierarchy.

Task: Configure the system contact information (such as a name and phone number).
  J-Web Configuration Editor: In the Contact box, type the contact information as a
  free-form text string.
  CLI Configuration Editor: Set the contact information:
  set contact "contact-information"

Task: Configure the system location information (such as a lab name and a rack name).
  J-Web Configuration Editor: In the Location box, type the location information as
  a free-form text string.
  CLI Configuration Editor: Set the location information:
  set location "location-information"

Task: Configure the system description (J4300 with 4 PIMs, for example).
  J-Web Configuration Editor: In the Description box, type the description
  information as a free-form text string.
  CLI Configuration Editor: Set the description information:
  set description "description-information"

Task: Configure a system name to override the system hostname defined in the
Getting Started Guide for your router.
  J-Web Configuration Editor: In the System Name box, type the system name as a
  free-form text string.
  CLI Configuration Editor: Set the system name:
  set name name

Task: Configure the local engine ID to use the MAC address of Ethernet management
port 0 as the engine ID suffix.
  J-Web Configuration Editor
  1. Select Engine id.
  2. In the Engine id choice box, select Use mac address from the list.
  3. Click OK.
  CLI Configuration Editor: Set the engine ID to use the MAC address:
  set engine-id use-mac-address

Configuring SNMP Agents and Communities (Required)
To configure the SNMP agent, you must enable and authorize network management
system access to the Services Router by configuring one or more communities. Each
community has a community name, an authorization, which determines the kind of
access the network management system has to the router, and, when applicable, a
list of valid clients that can access the router. Because SNMPv1 and SNMPv2c carry
the community name in clear text in every request, treat it as a credential: use
read-only authorization unless a manager must set objects, and always pair a
read-write community with a clients list.
To configure SNMP communities:
1. Navigate to the top of the configuration hierarchy in either the J-Web or CLI
   configuration editor.
2. To configure SNMP communities, perform the configuration tasks described in
   Table 33 on page 56.
3. If you are finished configuring the network, commit the configuration.
4. To check the configuration, see “Verifying the SNMP Configuration” on page 58.
Table 33: Configuring SNMP Communities

Task: Navigate to the SNMP level in the configuration hierarchy.
  J-Web Configuration Editor
  1. In the J-Web interface, select Configuration>View and Edit>Edit Configuration.
  2. Next to Snmp, click Configure or Edit.
  CLI Configuration Editor
  From the [edit] hierarchy level, enter
  edit snmp

Task: Create and name a community.
  J-Web Configuration Editor
  1. Next to Community, click Add new entry.
  2. In the Community box, type the name of the community as a free-form text string.
  CLI Configuration Editor
  Create a community:
  set community community-name

Task: Grant read-write access to the community.
  J-Web Configuration Editor
  In the Authorization box, select read-write from the list.
  CLI Configuration Editor
  Set the authorization to read-write:
  set community community-name authorization read-write

Task: Allow community access to a client at a particular IP address—for example,
at IP address 10.10.10.10.
  J-Web Configuration Editor
  1. Next to Clients, click Add new entry.
  2. In the Prefix box, type the IP address, in dotted decimal notation.
  3. Click OK.
  CLI Configuration Editor
  Configure client access for the IP address 10.10.10.10:
  set community community-name clients 10.10.10.10

Task: Allow community access to a group of clients—for example, all addresses
within the 10.10.10.0/24 prefix, except those within the 10.10.10.10/29 prefix.
  J-Web Configuration Editor
  1. Next to Clients, click Add new entry.
  2. In the Prefix box, type the IP address prefix 10.10.10.0/24, and click OK.
  3. Next to Clients, click Add new entry.
  4. In the Prefix box, type the IP address prefix 10.10.10.10/29.
  5. Select the Restrict check box.
  6. Click OK.
  CLI Configuration Editor
  1. Configure client access for the IP address prefix 10.10.10.0/24:
     set community community-name clients 10.10.10.0/24
  2. Configure client access to restrict the IP addresses within 10.10.10.10/29:
     set community community-name clients 10.10.10.10/29 restrict
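What the clients list and the restrict flag enforce is easiest to see as code. The following Python model is an added example for this page, not Junos agent code: it evaluates a request against a community the way the Table 33 example implies, with the longest matching clients prefix deciding and restrict turning that match into a denial, and it also applies an SNMP view of include/exclude OID subtrees (longest matching OID prefix wins) of the kind described later under "Controlling Access to MIBs (Optional)". Two behaviours are assumptions to check against the JUNOS Network Management Configuration Guide: a community with no clients list accepts every source address, and a view makes visible only OIDs under an included subtree. The addresses and OIDs in the constructed inputs are illustrative, and ip_network(..., strict=False) is used so the page's host-form prefix 10.10.10.10/29 is treated as the 10.10.10.8/29 block it lies in.

```python
import ipaddress
from typing import Optional, Sequence, Tuple


class Community:
    """One [edit snmp community <name>] stanza: authorization, clients list, optional view."""

    def __init__(self, name: str, authorization: str = "read-only",
                 clients: Sequence[Tuple[str, bool]] = (), view: Optional["View"] = None):
        self.name = name
        self.authorization = authorization
        # Each client entry is (prefix, restrict). strict=False so the page's
        # host-form 10.10.10.10/29 is taken as the 10.10.10.8/29 block.
        self.clients = [(ipaddress.ip_network(prefix, strict=False), restrict)
                        for prefix, restrict in clients]
        self.view = view

    def client_allowed(self, source: str) -> bool:
        """Longest matching clients prefix decides; restrict on that prefix denies.
        Assumption: a community with no clients list accepts any source."""
        if not self.clients:
            return True
        addr = ipaddress.ip_address(source)
        matches = [(net.prefixlen, restrict) for net, restrict in self.clients if addr in net]
        if not matches:
            return False          # source not listed at all: denied
        _, restrict = max(matches, key=lambda m: m[0])
        return not restrict


class View:
    """[edit snmp view <name>] as a list of (oid, "include"|"exclude") subtrees."""

    def __init__(self, rules: Sequence[Tuple[str, str]]):
        self.rules = [(tuple(int(x) for x in oid.split(".")), action) for oid, action in rules]

    def permits(self, oid: str) -> bool:
        """Longest matching OID prefix wins; no match means not visible (assumption)."""
        target = tuple(int(x) for x in oid.split("."))
        best: Optional[Tuple[Tuple[int, ...], str]] = None
        for prefix, action in self.rules:
            if target[:len(prefix)] == prefix and (best is None or len(prefix) > len(best[0])):
                best = (prefix, action)
        return best is not None and best[1] == "include"


def authorize(community: Community, source: str, oid: str, write: bool = False) -> bool:
    """Agent-side decision for one request that carries this community name."""
    if not community.client_allowed(source):
        return False
    if community.view is not None and not community.view.permits(oid):
        return False
    if write and community.authorization != "read-write":
        return False
    return True


if __name__ == "__main__":
    # Constructed: the Table 33 community, read-write, 10.10.10.0/24 minus 10.10.10.10/29.
    rw = Community("ops-rw", "read-write",
                   clients=[("10.10.10.0/24", False), ("10.10.10.10/29", True)])
    for src in ("10.10.10.5", "10.10.10.12", "10.10.11.1"):
        print(src, "set sysName ->", authorize(rw, src, "1.3.6.1.2.1.1.5.0", write=True))
    # Constructed view: all of mib-2 except the pingMIB subtree (1.3.6.1.2.1.80).
    v = View([("1.3.6.1.2.1", "include"), ("1.3.6.1.2.1.80", "exclude")])
    ro = Community("ops-ro", clients=[("10.10.10.10/32", False)], view=v)
    print("sysName via view:", authorize(ro, "10.10.10.10", "1.3.6.1.2.1.1.5.0"))
    print("pingMIB via view:", authorize(ro, "10.10.10.10", "1.3.6.1.2.1.80.1.1"))
```

Run against the Table 33 configuration, the model shows that 10.10.10.5 may write, 10.10.10.12 is denied because the restricted /29 is the longer match, and 10.10.11.1 is denied because it matches nothing; the same longest-match logic applied to OIDs is what lets a view carve one MIB out of an otherwise included subtree.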
Managing SNMP Trap Groups (Required)
SNMP traps are unsolicited notifications that are generated by conditions on the
Services Router. When events trigger a trap, a notification is sent to the configured
clients for that particular trap group. To manage a trap group, you must create the
group, specify the types of traps that are included in the group, and define one or
more targets to receive the trap notifications.
To configure SNMP trap groups:
1. Navigate to the top of the configuration hierarchy in either the J-Web or CLI
   configuration editor.
2. To configure SNMP trap groups, perform the configuration tasks described in
   Table 34 on page 57.
3. If you are finished configuring the network, commit the configuration.
4. To check the configuration, see “Verifying the SNMP Configuration” on page 58.
Table 34: Configuring SNMP Trap Groups

Task: Navigate to the SNMP level in the configuration hierarchy.
  J-Web Configuration Editor
  1. In the J-Web interface, select Configuration>View and Edit>Edit Configuration.
  2. Next to Snmp, click Configure or Edit.
  CLI Configuration Editor
  From the [edit] hierarchy level, enter
  edit snmp

Task: Create a trap group.
  J-Web Configuration Editor
  1. Next to Trap group, click Add new entry.
  2. In the Group name box, type the name of the group as a free-form text string.
  CLI Configuration Editor
  Create a trap group:
  set trap-group trap-group-name

Task: Configure the trap group to send all trap notifications to a target IP
address—for example, to the IP address 192.174.6.6.
  J-Web Configuration Editor
  1. Next to Targets, click Add new entry.
  2. In the Target box, type the IP address 192.174.6.6, and click OK.
  CLI Configuration Editor
  Set the trap-group target to 192.174.6.6:
  set trap-group trap-group-name targets 192.174.6.6

Task: Configure the trap group to generate SNMP notifications on authentication
failures, environment alarms, and changes in link state for any of the interfaces.
  J-Web Configuration Editor
  1. Click Categories.
  2. Select the Authentication, Chassis, and Link check boxes.
  3. Click OK.
  CLI Configuration Editor
  Configure the trap group categories:
  set trap-group trap-group-name categories authentication chassis link

Controlling Access to MIBs (Optional)
By default, an SNMP community is granted access to all MIBs. To control the MIBs
to which a particular community has access, configure SNMP views that include the
MIBs you want to explicitly grant or deny access to.
To configure SNMP views:
1. Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
2. To configure SNMP views, perform the configuration tasks described in Table 35 on page 58.
3. If you are finished configuring the network, commit the configuration.
4. To check the configuration, see “Verifying the SNMP Configuration” on page 58.
Table 35: Configuring SNMP Views

Task: Navigate to the SNMP level in the configuration hierarchy.
J-Web Configuration Editor:
1. In the J-Web interface, select Configuration>View and Edit>Edit Configuration.
2. Next to Snmp, click Configure or Edit.
CLI Configuration Editor:
From the [edit] hierarchy level, enter
edit snmp

Task: Create a view.
J-Web Configuration Editor:
1. Next to View, click Add new entry.
2. In the Name box, type the name of the view as a free-form text string.
CLI Configuration Editor:
Create a view:
set view view-name

Task: Configure the view to include a MIB—for example, pingMIB.
J-Web Configuration Editor:
1. Next to Oid, click Add new entry.
2. In the Name box, type the OID of the pingMIB, in either dotted integer or subtree name format.
3. In the View action box, select include from the list, and click OK.
CLI Configuration Editor:
Set the pingMIB OID value and mark it for inclusion:
set view view-name oid 1.3.6.1.2.1.80 include

Task: Configure the view to exclude a MIB—for example, jnxPingMIB.
J-Web Configuration Editor:
1. Next to Oid, click Add new entry.
2. In the Name box, type the OID of the jnxPingMIB, in either dotted integer or subtree name format.
3. In the View action box, select exclude from the list, and click OK twice.
CLI Configuration Editor:
Set the jnxPingMIB OID value and mark it for exclusion:
set view view-name oid jnxPingMIB exclude

Task: Associate the view with a community.
J-Web Configuration Editor:
1. On the Snmp page, under Community, click the name of the community to which you want to apply the view.
2. In the View box, type the view name.
3. Click OK.
CLI Configuration Editor:
Set the community view:
set community community-name view view-name
Verifying the SNMP Configuration
To verify the SNMP configuration, perform the following verification task.
Verifying SNMP Agent Configuration
Purpose: Verify that SNMP is running and that requests and traps are being properly transmitted.
Action: From the CLI, enter the show snmp statistics command.
user@host> show snmp statistics
SNMP statistics:
Input:
Packets: 246213, Bad versions: 12 , Bad community names: 12,
Bad community uses: 0, ASN parse errors: 96,
Too bigs: 0, No such names: 0, Bad values: 0,
Read onlys: 0, General errors: 0,
Total request varbinds: 227084, Total set varbinds: 67,
Get requests: 44942, Get nexts: 190371, Set requests: 10712,
Get responses: 0, Traps: 0,
Silent drops: 0, Proxy drops: 0, Commit pending drops: 0,
Throttle drops: 0,
V3 Input:
Unknown security models: 0, Invalid messages: 0
Unknown pdu handlers: 0, Unavailable contexts: 0
Unknown contexts: 0, Unsupported security levels: 1
Not in time windows: 0, Unknown user names: 0
Unknown engine ids: 44, Wrong digests: 23, Decryption errors: 0
Output:
Packets: 246093, Too bigs: 0, No such names: 31561,
Bad values: 0, General errors: 2,
Get requests: 0, Get nexts: 0, Set requests: 0,
Get responses: 246025, Traps: 0
Meaning: The output shows a list of the SNMP statistics, including details about the number and types of packets transmitted. Verify the following information:
■ The number of requests and traps is increasing as expected with the SNMP client configuration.
■ Under Bad community names, the number of bad (invalid) communities is not increasing. A sharp increase in the number of invalid community names generally means that one or more community strings are configured incorrectly.
Related Topics: For a complete description of show snmp statistics output, see the JUNOS System Basics and Services Command Reference.
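As an added example (not part of the JUNOS documentation or software), the following Python parses two snapshots of show snmp statistics output and applies the two checks above, also watching the SNMPv3 authentication counters that appear in the same output. The snapshots and the alert thresholds are constructed for this example.

```python
"""Trend check for 'show snmp statistics' output.

Added example for the verification step above; it is not part of the JUNOS
documentation or software. The counters it reads are the ones named in the
sample output; the two snapshots below are constructed (the second advanced
by hand) and the alert thresholds are assumptions to tune for your network.
"""
import re
from typing import Dict, List

# 'Name: value' pairs, several per line, separated by commas.
COUNTER_RE = re.compile(r"([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(\d+)")

# Counter -> largest increase between two samples that is still acceptable.
WATCHED = {
    "Input/Bad community names": 0,      # wrong community string (typo or probing)
    "Input/Bad community uses": 0,       # right community, disallowed operation
    "V3 Input/Unknown user names": 0,    # SNMPv3 user does not exist on the router
    "V3 Input/Wrong digests": 0,         # SNMPv3 authentication failures
    "V3 Input/Decryption errors": 0,     # SNMPv3 privacy failures
    "V3 Input/Unknown engine ids": 100,  # engine-ID discovery is normal in moderation
}


def parse_snmp_statistics(text: str) -> Dict[str, int]:
    """Flatten the output into {'Section/Counter': value}.

    Lines ending in ':' ('Input:', 'V3 Input:', 'Output:') name the section, so
    'Packets' under Input and under Output stay distinct.
    """
    counters: Dict[str, int] = {}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):
            section = line[:-1]
            continue
        for name, value in COUNTER_RE.findall(line):
            counters[f"{section}/{name.strip()}"] = int(value)
    return counters


def snmp_alerts(before: Dict[str, int], after: Dict[str, int]) -> List[str]:
    """Apply the two checks from the 'Meaning' text to a pair of snapshots."""
    alerts: List[str] = []
    # 1. Requests should keep arriving from the configured clients.
    if after.get("Input/Packets", 0) <= before.get("Input/Packets", 0):
        alerts.append("no new SNMP input packets since the previous sample")
    # 2. Authentication-related counters should stay flat.
    for key, allowed in WATCHED.items():
        old, new = before.get(key, 0), after.get(key, 0)
        if new - old > allowed:
            alerts.append(f"{key} rose from {old} to {new}")
    return alerts


# Constructed sample: the first snapshot follows the output shown above; the
# second was advanced by hand to show what a bad community string looks like.
SNAPSHOT_1 = """\
SNMP statistics:
  Input:
    Packets: 246213, Bad versions: 12 , Bad community names: 12,
    Bad community uses: 0, ASN parse errors: 96,
  V3 Input:
    Unknown security models: 0, Invalid messages: 0
    Not in time windows: 0, Unknown user names: 0
    Unknown engine ids: 44, Wrong digests: 23, Decryption errors: 0
  Output:
    Packets: 246093, Too bigs: 0, No such names: 31561,
"""
SNAPSHOT_2 = (SNAPSHOT_1.replace("Packets: 246213", "Packets: 246713")
              .replace("Bad community names: 12", "Bad community names: 58")
              .replace("Unknown engine ids: 44", "Unknown engine ids: 50"))


def run_example() -> List[str]:
    """Alerts produced by comparing the two constructed snapshots."""
    return snmp_alerts(parse_snmp_statistics(SNAPSHOT_1),
                       parse_snmp_statistics(SNAPSHOT_2))


if __name__ == "__main__":
    for alert in run_example():
        print("ALERT:", alert)
```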
Verifying SNMP Health Monitor Configuration
Purpose: Verify that the SNMP health monitor thresholds are set correctly and that the health monitor is operating properly.
Action: From the CLI, enter the show snmp health-monitor command.
user@host> show snmp health-monitor
Alarm
Index Variable description Value State
32768 Health Monitor: root file system utilization
jnxHrStoragePercentUsed.1 70 active
32769 Health Monitor: /config file system utilization
jnxHrStoragePercentUsed.2 0 active
32770 Health Monitor: RE 0 CPU utilization
jnxOperatingCPU.9.1.0.0 20 active
32772 Health Monitor: RE 0 memory utilization
jnxOperatingBuffer.9.1.0.0 95 rising threshold
32774 Health Monitor: jkernel daemon memory usage
Init daemon 912 active
Chassis daemon 93356 active
Firewall daemon 2244 active
J-series™ Services Router Administration Guide
Interface daemon 3340 active
SNMP daemon 4412 active
MIB2 daemon 3920 active
VRRP daemon 2724 active
Alarm daemon 1868 active
PFE daemon 2656 active
CRAFT daemon 2064 active
Traffic sampling control daemon 3320 active
Remote operations daemon 3020 active
CoS daemon 3044 active
Inet daemon 1304 active
Syslog daemon 1344 active
Web management daemon 3264 active
USB Supervise Daemon 1100 active
PPP daemon 2076 active
DLSWD daemon 10240 active
32775 Health Monitor: jroute daemon memory usage
Routing protocol daemon 8952 active
Management daemon 14516 active
Management daemon 14556 active
Management daemon 14556 active
Command line interface 10312 active
Command line interface 10312 active
Periodic Packet Management daemon 1640 active
Bidirectional Forwarding Detection daemon 1912 active
L2 Address Learning daemon 2080 active
32776 Health Monitor: jcrypto daemon memory usage
IPSec Key Management daemon 5672 active
32778 Health Monitor: FWDD Micro-Kernel threads total CPU Utilization
jnxFwddMicroKernelCPUUsage.0 0 active
32779 Health Monitor: FWDD Real-Time threads total CPU Utilization
jnxFwddRtThreadsCPUUsage.0 15 active
32780 Health Monitor: FWDD DMA Memory utilization
jnxFwddDmaMemUsage.0 16 active
32781 Health Monitor: FWDD Heap utilization
jnxFwddHeapUsage.0 54 active
---(more)---
Meaning: The output shows a summary of SNMP health monitor alarms and corresponding log entries:
■ Alarm Index—Alarm identifier.
■ Variable description—Object instance being monitored.
■ Value—Current value of the monitored variable in the most recent sample interval.
■ State—Status of the alarm. For example:
  ■ active—Entry is fully configured and activated.
  ■ falling threshold crossed—Variable value has crossed the lower threshold limit.
  ■ rising threshold crossed—Variable value has crossed the upper threshold limit.
Verify that any rising threshold values are greater than the configured rising threshold, and that any falling threshold values are less than the configured falling threshold.
Related Topics: For a complete description of show snmp health-monitor output, see the JUNOS System Basics and Services Command Reference.
Chapter 4
Configuring the Router as a DHCP Server
A Dynamic Host Configuration Protocol (DHCP) server can automatically allocate IP
addresses and also deliver configuration settings to client hosts on a subnet. DHCP
is particularly useful for managing a pool of IP addresses among hosts. An IP address
can be leased to a host for a limited period of time, allowing the DHCP server to
share a limited number of IP addresses among a group of hosts that do not need
permanent IP addresses.
The Services Router acts as the DHCP server, providing IP addresses and settings to
hosts, such as PCs, that are connected to router interfaces. The DHCP server is
compatible with the DHCP servers of other vendors on the network.
NOTE: Currently, the DHCP server does not support IPv6 address assignment, user
class-specific configuration, DHCP failover protocol, or dynamic Domain Name
System (DNS) updates. You cannot use DHCP for virtual private network (VPN)
connections.
You can use either J-Web Quick Configuration or a configuration editor to configure
the DHCP server.
This chapter contains the following topics. For more information about DHCP, see the JUNOS System Basics Configuration Guide.
■ DHCP Terms on page 63
■ DHCP Overview on page 64
■ Before You Begin on page 66
■ Configuring the DHCP Server with Quick Configuration on page 66
■ Configuring the DHCP Server with a Configuration Editor on page 72
■ Verifying a DHCP Server Configuration on page 75

DHCP Terms
Before configuring the DHCP server on J-series Services Routers, become familiar with the terms defined in Table 36 on page 64.
Table 36: DHCP Terms
(Each term is followed by its definition.)

binding
  Collection of configuration parameters, including at least an IP address, assigned by a DHCP server to a DHCP client. A binding can be dynamic (temporary) or static (permanent). Bindings are stored in the DHCP server's binding database.

conflict
  Problem that occurs when an address within the IP address pool is being used by a host that does not have an associated binding in the DHCP server's database. Addresses with conflicts are removed from the pool and logged in a conflicts list until you clear the list.

DHCP client
  Host that uses DHCP to obtain an IP address and configuration settings.

DHCP options
  Configuration settings sent within a DHCP message from a DHCP server to a DHCP client. For a list of DHCP options, see RFC 2132, DHCP Options and BOOTP Vendor Extensions.

DHCP server
  Host that provides an IP address and configuration settings to a DHCP client. The Services Router is a DHCP server.

Dynamic Host Configuration Protocol (DHCP)
  Configuration management protocol you can use to supervise and automatically distribute IP addresses and deliver configuration settings to client hosts from a central DHCP server. An extension of BOOTP, DHCP is defined in RFC 2131, Dynamic Host Configuration Protocol (DHCP).

gateway router
  Router that passes DHCP messages between DHCP clients and DHCP servers. A gateway router is sometimes referred to as a relay agent.

IP address pool
  Collection of IP addresses maintained by the DHCP server for assignment to DHCP clients. The address pool is associated with a subnet on either a logical or physical interface.

lease
  Period of time during which an IP address is allocated, or bound, to a DHCP client. A lease can be temporary (dynamic binding) or permanent (static binding).

router solicitation address
  IP address to which a DHCP client can transmit router solicitation requests.

Windows Name Service (WINS) server
  Server running the Microsoft Windows name resolution service for network basic input/output system (NetBIOS) names. WINS is used by hosts running NetBIOS over TCP/IP (NetBT) to register NetBIOS names and to resolve NetBIOS names to IP addresses.

DHCP Overview
DHCP is based on BOOTP, a bootstrap protocol that allows a client to discover its
own IP address, the IP address of a server host, and the name of a bootstrap file.
DHCP servers can handle requests from BOOTP clients, but provide additional
capabilities beyond BOOTP, such as the automatic allocation of reusable IP addresses
and additional configuration options.
NOTE: You cannot configure the Services Router as both a DHCP server and a BOOTP
relay agent.
DHCP provides two primary functions:
■ Allocate temporary or permanent IP addresses to clients.
■ Store, manage, and provide client configuration parameters.
As a DHCP server, a Services Router can provide temporary IP addresses from an IP address pool to all clients on a specified subnet, a process known as dynamic binding. Services Routers can also perform static binding, assigning permanent IP addresses to specific clients based on their media access control (MAC) addresses. Static bindings take precedence over dynamic bindings.

DHCP Options
In addition to its primary DHCP functions, you can also configure the Services Router to send configuration settings like the following to clients through DHCP:
■ IP address of the DHCP server (Services Router).
■ List of Domain Name System (DNS) and NetBIOS servers
■ List of gateway routers
■ IP address of the boot server and the filename of the boot file to use
■ DHCP options defined in RFC 2132, DHCP Options and BOOTP Vendor Extensions
Compatibility with Autoinstallation
Services Router DHCP server functions are compatible with the autoinstallation
feature. The DHCP server automatically checks any autoinstallation settings for
conflicts and gives the autoinstallation settings priority over corresponding DHCP
settings. For example, an IP address set by autoinstallation takes precedence over
an IP address set by the DHCP server.
(To configure autoinstallation, see “Configuring Autoinstallation” on page 81.)
Conflict Detection and Resolution
A client that receives an IP address from the Services Router operating as a DHCP
server performs a series of Address Resolution Protocol (ARP) tests to verify that the
address is available and no conflicts exist. If the client detects an address conflict, it
informs the DHCP server about the conflict and can request another IP address from
the DHCP server.
The Services Router maintains a log of all client-detected conflicts and removes
addresses with conflicts from the DHCP address pool. To display the conflicts list,
you use the show system services dhcp conflict command. The addresses in the
conflicts list remain excluded until you use the clear system services dhcp conflict
command to manually clear the list.
Interface Restrictions
The Services Router supports DHCP client requests received on Fast Ethernet
interfaces only. However, DHCP requests received from a relay agent are supported
on all interface types.
DHCP is not supported on interfaces that are part of a virtual private network (VPN).
Before You Begin
Before you begin configuring the Services Router as a DHCP server, complete the
following tasks:
■ Determine the IP address pools and the lease durations to use for each subnet.
■ Obtain the MAC addresses of the clients that require permanent IP addresses. Determine the IP addresses to use for these clients.
■ List the IP addresses that are available for the servers and routers on your network—DNS, NetBIOS servers, boot servers, and gateway routers, for example.
■ Determine the DHCP options required by the subnets and clients in your network.
Configuring the DHCP Server with Quick Configuration
The DHCP Quick Configuration pages allow you to configure DHCP pools for subnets
and static bindings for DHCP clients. If DHCP pools or static bindings are already
configured, you can use the Configure Global DHCP Parameters Quick Configuration
page to add settings for these pools and static bindings. Settings that have been
previously configured for DHCP pools or static bindings are not overridden when
you use the Configure Global DHCP Parameters Quick Configuration page.
Figure 8 on page 67 through Figure 10 on page 69 show the DHCP Quick
Configuration pages.
Figure 8: DHCP Quick Configuration Main Page
Figure 9: DHCP Quick Configuration Pool Page
To configure the DHCP server with Quick Configuration:
1. In the J-Web interface, select Configuration>Quick Configuration>DHCP.
2. Access a DHCP Quick Configuration page:
  ■ To configure a DHCP pool for a subnet, click Add in the DHCP Pools box.
  ■ To configure a static binding for a DHCP client, click Add in the DHCP Static Binding box.
  ■ To globally configure settings for existing DHCP pools and static bindings, click Configure Global DHCP Parameters.
3. Enter information into the DHCP Quick Configuration pages, as described in Table 37 on page 70.
4. Click one of the following buttons on the DHCP Quick Configuration page:
  ■ To apply the configuration and return to the Quick Configuration page, click OK.
  ■ To cancel your entries and return to the Quick Configuration page, click Cancel.
5. Go on to one of the following procedures:
  ■ To display the configuration, see “Displaying a DHCP Server Configuration” on page 75.
  ■ To verify DHCP operation, see “Verifying a DHCP Server Configuration” on page 75.
Table 37: DHCP Server Quick Configuration Pages Summary
(Columns: Field, Function, Your Action.)

DHCP Pool Information

DHCP Subnet (required)
  Function: Specifies the subnet on which DHCP is configured.
  Your Action: Type an IP address prefix.

Address Range (Low) (required)
  Function: Specifies the lowest address in the IP address pool range.
  Your Action: Type an IP address that is part of the subnet specified in DHCP Subnet.

Address Range (High) (required)
  Function: Specifies the highest address in the IP address pool range.
  Your Action: Type an IP address that is part of the subnet specified in DHCP Subnet. This address must be greater than the address specified in Address Range (Low).

Exclude Addresses
  Function: Specifies addresses to exclude from the IP address pool.
  Your Action: Do either of the following:
    ■ To add an excluded address, type the address next to the Add button, and click Add.
    ■ To delete an excluded address, select the address in the Exclude Addresses box, and click Delete.

Lease Time

Maximum Lease Time (Seconds)
  Function: Specifies the maximum length of time a client can hold a lease. (Dynamic BOOTP lease lengths can exceed this maximum time.)
  Your Action: Type a number between 60 and 4,294,967,295 (seconds). You can also type infinite to specify a lease that never expires.

Default Lease Time (Seconds)
  Function: Specifies the length of time a client can hold a lease, for clients that do not request a specific lease length.
  Your Action: Type a number between 60 and 2,147,483,647 (seconds). You can also type infinite to specify a lease that never expires.

Server Information

Server Identifier
  Function: Specifies the IP address of the DHCP server reported to a client.
  Your Action: Type the IP address of the Services Router. If you do not specify a server identifier, the primary address of the interface on which the DHCP exchange occurs is used.

Domain Name
  Function: Specifies the domain name that clients must use to resolve hostnames.
  Your Action: Type the name of the domain.

Domain Search
  Function: Specifies the order—from top to bottom—in which clients must append domain names when resolving hostnames using DNS.
  Your Action: Do either of the following:
    ■ To add a domain name, type the name next to the Add button, and click Add.
    ■ To delete a domain name, select the name in the Domain Search box, and click Delete.

DNS Name Servers
  Function: Defines a list of DNS servers the client can use, in order of preference—from top to bottom.
  Your Action: Do either of the following:
    ■ To add a DNS server, type an IP address next to the Add button, and click Add.
    ■ To remove a DNS server, select the IP address in the DNS Name Servers box, and click Delete.

Gateway Routers
  Function: Defines a list of relay agents on the subnet, in order of preference—from top to bottom.
  Your Action: Do either of the following:
    ■ To add a relay agent, type an IP address next to the Add button, and click Add.
    ■ To remove a relay agent, select the IP address in the Gateway Routers box, and click Delete.

WINS Servers
  Function: Defines a list of NetBIOS name servers, in order of preference—from top to bottom.
  Your Action: Do either of the following:
    ■ To add a NetBIOS name server, type an IP address next to the Add button, and click Add.
    ■ To remove a NetBIOS name server, select the IP address in the WINS Servers box, and click Delete.

Boot Options

Boot File
  Function: Specifies the path and filename of the initial boot file to be used by the client.
  Your Action: Type a path and filename.

Boot Server
  Function: Specifies the TFTP server that provides the initial boot file to the client.
  Your Action: Type the IP address or hostname of the TFTP server.

DHCP Static Binding Information

DHCP MAC Address (required)
  Function: Specifies the MAC address of the client to be permanently assigned a static IP address.
  Your Action: Type the hexadecimal MAC address of the client.

Fixed IP Addresses (required)
  Function: Defines a list of IP addresses permanently assigned to the client. A static binding must have at least one fixed address assigned to it, but multiple addresses are also allowed.
  Your Action: Do either of the following:
    ■ To add an IP address, type it next to the Add button, and click Add.
    ■ To remove an IP address, select it in the Fixed IP Addresses box, and click Delete.

Host Name
  Function: Specifies the name of the client used in DHCP messages exchanged between the server and the client. The name must be unique to the client within the subnet on which the client resides.
  Your Action: Type a client hostname.

Client Identifier
  Function: Specifies the name of the client used by the DHCP server to index its database of address bindings. The name must be unique to the client within the subnet on which the client resides.
  Your Action: Type a client identifier in string form.

Hexadecimal Client Identifier
  Function: Specifies the name of the client, in hexadecimal, used by the DHCP server to index its database of address bindings. The name must be unique to the client within the subnet on which the client resides.
  Your Action: Type a client identifier in hexadecimal form.
Configuring the DHCP Server with a Configuration Editor
A typical DHCP server configuration provides the following configuration settings for
a particular subnet on a Services Router interface:
■ An IP address pool, with one address excluded from the pool.
■ Default and maximum lease times.
■ Domain search suffixes. These suffixes specify the domain search list used by a client when resolving hostnames with DNS. See RFC 3397, Dynamic Host Configuration Protocol (DHCP) Domain Search Option, for more information.
■ A DNS name server.
■ A DHCP option—Router solicitation address option (option 32). The IP address excluded from the IP address pool is reserved for this option.
In addition, the DHCP server might assign a static address to at least one client on
the subnet. Table 38 on page 72 provides the settings and values for the sample
DHCP server configuration used in this section.
Table 38: Sample DHCP Server Configuration Settings
(Columns: Settings, Sample Value or Values.)

DHCP Subnet Configuration
Address pool subnet address: 192.168.2.0/24
High address in the pool range: 192.168.2.254
Low address in the pool range: 192.168.2.2
Address pool default lease time, in seconds: 1,209,600 (14 days)
Address pool maximum lease time, in seconds: 2,419,200 (28 days)
Domain search suffixes: mycompany.net, mylab.net
Address to exclude from the pool: 192.168.2.33
DNS server address: 192.168.10.2
Identifier code for router solicitation address option: 32
Type choice for router solicitation address option: Ip address
IP address for router solicitation address option: 192.168.2.33

DHCP MAC Address Configuration
Static binding MAC address: 01:03:05:07:09:0B
Fixed address: 192.168.2.50
To configure the Services Router as a DHCP server for a subnet and a single client:
1. Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
2. Perform the configuration tasks described in Table 39 on page 74.
3. If you are finished configuring the router, commit the configuration.
4. To verify DHCP server configuration and operation, see “Verifying a DHCP Server Configuration” on page 75.
Table 39 (continued)

J-Web Configuration Editor:
1. Next to Name server, click Add new entry.
2. In the Address box, type 192.168.10.2.
3. Click OK.
CLI Configuration Editor:
Set the DNS server IP address:
set pool 192.168.2.0/24 name-server 192.168.10.2

J-Web Configuration Editor:
1. Next to Option, click Add new entry.
2. In the Option identifier code box, type 32.
3. From the Option type choice list, select Ip address.
4. In the Ip address box, type 192.168.2.33.
5. Click OK twice.
CLI Configuration Editor:
Set the router solicitation IP address:
set pool 192.168.2.0/24 option 32 ip-address 192.168.2.33

Task: Assign a static IP address of 192.168.2.50 to MAC address 01:03:05:07:09:0B.
J-Web Configuration Editor:
1. Next to Static binding, click Add new entry.
2. In the Mac address box, type 01:03:05:07:09:0B.
3. Next to Fixed address, click Add new entry.
4. In the Address box, type 192.168.2.50.
5. Click OK until you return to the Configuration page.
CLI Configuration Editor:
Associate a fixed IP address with the MAC address of the client:
set static-binding 01:03:05:07:09:0B fixed-address 192.168.2.50
Verifying a DHCP Server Configuration
To verify a DHCP server configuration, perform the following tasks:
■ Displaying a DHCP Server Configuration on page 75
■ Verifying the DHCP Binding Database on page 76
■ Verifying DHCP Server Operation on page 77
■ Displaying DHCP Statistics on page 79
Displaying a DHCP Server Configuration
Purpose: Verify the configuration of a DHCP server.
Action: From the J-Web interface, select Configuration>View and Edit>View Configuration Text. Alternatively, from configuration mode in the CLI, enter the show system services dhcp command from the top level.
You can also view the IP address pool from the CLI in operational mode by entering the show system services dhcp pool command.
[edit]
user@host# show system services dhcp
pool 192.168.2.0/24 {
address-range low 192.168.2.2 high 192.168.2.254;
exclude-address {
Meaning: Verify that the output shows the intended configuration of the DHCP server.
Related Topics: For more information about the format of a configuration file, see the J-series Services Router Basic LAN and WAN Access Configuration Guide.
Verifying the DHCP Binding Database
Purpose: Verify that the DHCP binding database reflects your DHCP server configuration.
Action: From operational mode in the CLI, to display all active bindings in the database, enter the show system services dhcp binding command. To display all bindings in the database, including their current binding state, enter the show system services dhcp binding detail command. To display more information about a client, including its DHCP options, enter the show system services dhcp binding ip-address detail command, replacing ip-address with the IP address of the client.
The DHCP binding database resulting from the configuration defined in “Configuring the DHCP Server with a Configuration Editor” on page 72 is displayed in the following sample output.
To clear the DHCP binding database, enter the clear system services dhcp binding command. To remove a specific entry from the DHCP binding database, enter the clear system services dhcp binding ip-address command, replacing ip-address with the IP address of the client.
You can also use the J-Web interface to view information in the DHCP binding database. For more information, see “Monitoring DHCP” on page 143.
user@host> show system services dhcp binding
user@host> show system services dhcp binding 192.168.2.2 detail
IP address 192.168.2.2
Hardware address 02:04:06:08:0A:0C
Pool 192.168.2.0/24
Request received on fe-0/0/0
Lease information:
Type DHCP
Obtained at 2005-01-24 8:48:59 PDT
Expires at 2005-02-07 8:48:59 PDT
State active
Meaning:
■ For each dynamic binding, verify that the IP address is within the range of the configured IP address pool. Under Lease Expires, verify that the difference between the date and time when the lease expires and the current date and time is less than the maximum configured lease time.
■ For each static binding, verify that the IP address corresponds to the MAC address displayed under Hardware Address (as defined in the static-binding statement in the configuration). Under Lease Expires, verify that the lease expiration is never.
■ In the output displayed by the show system services dhcp binding ip-address detail command, verify that the options under DHCP options are correct for the subnet.
■ Verify that the show system services dhcp conflict command does not display any conflicts.
Related Topics: For complete descriptions of show system services dhcp binding and show system services dhcp conflict commands and output, see the JUNOS System Basics and Services Command Reference.
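The binding checks listed above, as an added Python example that is not part of the JUNOS documentation or software: it reads records in the format of the show system services dhcp binding ip-address detail output shown earlier and compares them with the Table 38 sample configuration. The records are constructed (the third one deliberately wrong), and "Expires at never" for the static binding is an assumed rendering of the "lease expiration is never" wording.

```python
"""Audit DHCP binding records against the intended pool and static bindings.

Added example, not part of the JUNOS documentation or software. Pool values
are the Table 38 sample; the records are constructed in the format of the
'show system services dhcp binding <ip> detail' output, the third one wrong
on purpose. 'Expires at never' for a static binding is an assumption.
"""
import ipaddress
import re
from datetime import datetime
from typing import Dict, List

POOL_SUBNET = ipaddress.ip_network("192.168.2.0/24")
RANGE_LOW = ipaddress.ip_address("192.168.2.2")
RANGE_HIGH = ipaddress.ip_address("192.168.2.254")
EXCLUDED = {ipaddress.ip_address("192.168.2.33")}
MAX_LEASE_SECONDS = 2_419_200  # 28 days
STATIC_BINDINGS = {"01:03:05:07:09:0B": ipaddress.ip_address("192.168.2.50")}

FIELD_RE = re.compile(
    r"^\s*(IP address|Hardware address|Pool|Obtained at|Expires at|State)\s+(.+?)\s*$")


def parse_bindings(text: str) -> List[Dict[str, str]]:
    """One {field: value} dict per record; records are separated by a blank line."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        match = FIELD_RE.match(line)
        if match:
            current[match.group(1)] = match.group(2)
    if current:
        records.append(current)
    return records


def parse_time(value: str) -> datetime:
    """'2005-01-24 8:48:59 PDT' -> datetime; zone dropped, hour may lack a zero."""
    date, clock = value.split()[:2]
    return datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")


def check_binding(rec: Dict[str, str]) -> List[str]:
    """Problems found for one binding; empty when it matches the configuration."""
    ip = ipaddress.ip_address(rec["IP address"])
    hw = rec["Hardware address"].upper()
    problems: List[str] = []
    if hw in STATIC_BINDINGS:
        # Static binding: fixed address must match and the lease must never expire.
        if ip != STATIC_BINDINGS[hw]:
            problems.append(f"{ip}: static binding for {hw} should be {STATIC_BINDINGS[hw]}")
        if rec.get("Expires at", "").lower() != "never":
            problems.append(f"{ip}: static binding must never expire")
        return problems
    # Dynamic binding: inside the pool range, not excluded, lease within the maximum.
    if ip not in POOL_SUBNET or not RANGE_LOW <= ip <= RANGE_HIGH:
        problems.append(f"{ip}: outside the configured pool range")
    if ip in EXCLUDED:
        problems.append(f"{ip}: address is in the exclude list")
    # Expiry minus 'now' can only exceed the maximum if the whole lease does.
    lease = (parse_time(rec["Expires at"]) - parse_time(rec["Obtained at"])).total_seconds()
    if lease > MAX_LEASE_SECONDS:
        problems.append(f"{ip}: lease of {int(lease)} s exceeds the maximum of {MAX_LEASE_SECONDS} s")
    return problems


def audit_bindings(text: str) -> List[str]:
    return [p for rec in parse_bindings(text) for p in check_binding(rec)]


# Constructed records: a valid dynamic lease, the static client, and a lease
# that hands out the excluded address for longer than the maximum.
SAMPLE_OUTPUT = """\
IP address 192.168.2.2
Hardware address 02:04:06:08:0A:0C
Pool 192.168.2.0/24
Obtained at 2005-01-24 8:48:59 PDT
Expires at 2005-02-07 8:48:59 PDT
State active

IP address 192.168.2.50
Hardware address 01:03:05:07:09:0B
Pool 192.168.2.0/24
Obtained at 2005-01-24 9:12:04 PDT
Expires at never
State active

IP address 192.168.2.33
Hardware address 0A:0B:0C:0D:0E:0F
Pool 192.168.2.0/24
Obtained at 2005-01-24 9:00:00 PDT
Expires at 2005-03-01 9:00:00 PDT
State active
"""

if __name__ == "__main__":
    for problem in audit_bindings(SAMPLE_OUTPUT) or ["all bindings consistent"]:
        print(problem)
```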
Verifying DHCP Server Operation
Purpose: Verify that the DHCP server is operating as configured.
Action: Take the following actions:
■ Use the ping command to verify that a client responds to ping packets containing the destination IP address assigned by the Services Router.
■ Display the IP configuration on the client. For example, on a PC running Microsoft Windows, enter ipconfig /all at the command prompt to display the PC's IP configuration.
user@host> ping 192.168.2.2
PING 192.168.2.2 (192.168.2.2): 56 data bytes
64 bytes from 192.168.2.2: icmp_seq=0 ttl=255 time=8.856 ms
64 bytes from 192.168.2.2: icmp_seq=1 ttl=255 time=11.543 ms
64 bytes from 192.168.2.2: icmp_seq=2 ttl=255 time=10.315 ms
...
C:\Documents and Settings\user> ipconfig /all
Windows 2000 IP Configuration
Host Name . . . . . . . . . . . . : my-pc
Primary DNS Suffix . . . . . . . : mycompany.net
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : mycompany.net
mylab.net
Ethernet adapter Local Area Connection 2:
Connection-specific DNS Suffix . : mycompany.net mylab.net
Description . . . . . . . . . . . : 10/100 LAN Fast Ethernet Card
Lease Obtained. . . . . . . . . . : Monday, January 24, 2005 8:48:59 AM
Lease Expires . . . . . . . . . . : Monday, February 7, 2005 8:48:59 AM
Meaning: Verify the following:
■ The client returns a ping response.
■ The client IP configuration displayed contains the configured values. For example, for the DHCP configuration in “Configuring the DHCP Server with a Configuration Editor” on page 72, you can verify the following settings:
  ■ DNS Suffix Search List is correct.
  ■ IP address is within the IP address pool you configured.
  ■ DHCP Server is the primary IP address of the Services Router interface on which the DHCP message exchange occurs. If you include the server-identifier statement in your configuration, the DHCP server IP address specified in this statement is displayed.
  ■ Lease Obtained and Lease Expires times are correct.
The ipconfig command also displays other DHCP client settings that can be configured on the Services Router, including the client's hostname, default gateways, and WINS servers.