JUNOSe 8.0.x IP Services Configuration Guide
Table of Contents
-
About This Guide
- Objectives
- E-series Routers
- Audience
- Documentation Conventions
- Related E-series and JUNOSe Documentation
- E-series and JUNOSe Documents
- JUNOSe Configuration Guides
- Obtaining Documentation
- Documentation Feedback
- Requesting Support
-
Configuring Routing Policy
- Overview
- Platform Considerations
- References
- Route Maps
- Route Map Configuration Example
- Multiple Values in a Match Entry
- Negating Match Clauses
- Matching a Community List Exactly
- Removing Community Lists from a Route Map
- Matching a Policy List
- Redistributing Access Routes
- Setting Multicast Bandwidths
- Match Policy Lists
- Access Lists
- Filtering Prefixes
- Configuration Example 1
- Configuration Example 2
- Configuration Example 3
- Filtering AS Paths
- Configuration Example 1
- Using Access Lists in a Route Map
- Configuration Example 1
- Using Access Lists for PIM Join Filters
- Clearing Access List Counters
- Creating Table Maps
- Using the Null Interface
- Prefix Lists
- Using a Prefix List
- Prefix Trees
- Using a Prefix Tree
- Community Lists
- Extended Community Lists
- Using Regular Expressions
- AS-path Lists
- Community Lists
- Community Numbers
- Metacharacters
- Using Metacharacters as Literal Tokens
- Regular Expression Examples
- Managing the Routing Table
- Troubleshooting Routing Policy
- Monitoring Routing Policy
-
Configuring Firewall
- Overview
- Denial-of-Service Attacks
- About Stateless Access Control
- Understanding Stateful Access Control
- TCP Support
- UDP Support
- ICMP Support
- Inspection List and Half-Open Connection Support
- Application-Level Inspection Support
- Audit Trails
- Safe IP Fragmentation
- DMZ Support
- Platform Considerations
- Line Module Requirements
- Configuring a Firewall License
- Configuring Stateless Firewall
- Configuring Stateful Access Control
- Defining Flow Timeout Values
- Limiting the Number of Half-Open Sessions
- Defining Alert Status and Audit Trails
- Creating and Adding to an Inspection List
- Associating an Inspection List with an Interface
- Monitoring Stateful Firewall
- System Event Logs
- Establishing a Baseline for Firewall Statistics
- Viewing Firewall Information
-
Configuring NAT
- Overview
- Platform Considerations
- Line Module Requirements
- References
- NAT Configurations
- Traditional NAT
- Basic NAT
- NAPT
- Bidirectional NAT
- Twice NAT
- Network and Address Terms
- Inside Local Addresses
- Inside Global Addresses
- Outside Local Addresses
- Outside Global Addresses
- Understanding Address Translation
- Inside Source Translation
- Outside Source Translation
- Address Assignment Methods
- Static Translations
- Dynamic Translations
- Order of Operations
- Inside-to-Outside Translation
- Outside-to-Inside Translation
- PPTP and GRE Tunneling Through NAT
- Packet Discard Rules
- Before You Begin
- Configuring a NAT License
- Limiting Translation Entries
- Specifying Inside and Outside Interfaces
- Defining Static Address Translations
- Creating Static Inside Source Translations
- Creating Static Outside Source Translations
- Defining Dynamic Translations
- Creating Access List Rules
- Defining Address Pools
- Defining Dynamic Translation Rules
- Creating Dynamic Inside Source Translation Rules
- Creating Dynamic Outside Source Translation Rules
- Defining Translation Timeouts
- Clearing Dynamic Translations
- NAT Configuration Examples
- NAPT Example
- Bidirectional NAT Example
- Twice NAT Example
- Cross-VRF Example
- Tunnel Configuration Through NAT Examples
- Clients on an Inside Network
- Clients on an Outside Network
- GRE Flows Through NAT
- Monitoring NAT
- Displaying the NAT License Key
- Displaying Translation Statistics
- Displaying Translation Entries
- Displaying Address Pool Information
- Displaying Inside and Outside Rule Settings
-
Configuring J-Flow Statistics
- Overview
- Interface Sampling
- Flow Collection
- Main Flow Cache Contents
- Cache Flow Export
- Aging Flows
- Operation with NAT
- Operation with High Availability
- Platform Considerations
- Before You Configure J-Flow Statistics
- Configuring Flow-Based Statistics Collection
- Enabling Flow-Based Statistics
- Enabling Flow-Based Statistics on an Interface
- Defining a Sampling Interval
- Setting Cache Size
- Defining Aging Timers
- Specifying the Activity Timer
- Specifying the Inactivity Timer
- Specifying Flow Export
- Monitoring J-Flow Statistics
- Clearing J-Flow Statistics
- J-Flow show Commands
-
Configuring BFD
- Overview
- How BFD Works
- Negotiation of the BFD Liveness Detection Interval
- Platform Considerations
- References
- Configuring a BFD License
- BFD Version Support
- Configuring BFD
- Managing BFD Adaptive Timer Intervals
- Clearing BFD Sessions
- Monitoring BFD
- System Event Logs
- Viewing BFD Information
-
Configuring IPSec
- Overview
- IPSec Terms and Acronyms
- Platform Considerations
- References
- IPSec Concepts
- Secure IP Interfaces
- RFC 2401 Compliance
- IPSec Protocol Stack
- Security Parameters
- Manual Versus Signaled Interfaces
- Operational Virtual Router
- Transport Virtual Router
- Transport VR Definition
- Transport VR Definitions with an FQDN
- Perfect Forward Secrecy
- Lifetime
- Inbound and Outbound SAs
- Transform Sets
- Encapsulation Protocols
- Encapsulation Modes
- Supported Transforms
- Negotiating Transforms
- Other Security Features
- IP Security Policies
- ESP Processing
- AH Processing
- IPSec Maximums Supported
- DPD and IPSec Tunnel Failover
- Tunnel Failover
- IKE Overview
- Main Mode and Aggressive Mode
- Aggressive Mode Negotiations
- IKE Policies
- Priority
- Encryption
- Hash Function
- Authentication Mode
- Diffie-Hellman Group
- Lifetime
- IKE SA Negotiation
- Generating Private and Public Key Pairs
- Configuration Tasks
- Configuring an IPSec License
- Configuring IPSec Parameters
- Creating an IPSec Tunnel
- Configuring DPD and IPSec Tunnel Failover
- Defining an IKE Policy
- Refreshing SAs
- Configuration Examples
- Configuration Notes
- Monitoring IPSec
- System Event Logs
- show Commands
-
Configuring Dynamic IPSec Subscribers
- Overview
- Dynamic Connection Setup
- Dynamic Connection Teardown
- Dynamic IPSec Subscriber Recognition
- Licensing Requirements
- Inherited Subscriber Functionality
- Using IPSec Tunnel Profiles
- Relocating Tunnel Interfaces
- User Authentication
- Platform Considerations
- References
- Creating an IPSec Tunnel Profile
- Configuring IPSec Tunnel Profiles
- Limiting Interface Instantiations on Each Profile
- Specifying IKE Settings
- Setting the IKE Local Identity
- Setting the IKE Peer Identity
- Appending a Domain Suffix to a Username
- Overriding IPSec Local and Peer Identities for SA Negotiations
- Specifying an IP Profile for IP Interface Instantiations
- Defining the Server IP Address
- Specifying Local Networks
- Defining IPSec Security Association Lifetime Parameters
- Defining User Reauthentication Protocol Values
- Specifying IPSEC Security Association Transforms
- Specifying IPSec Security Association PFS and DH Group Parameters
- Defining the Tunnel MTU
- Defining IKE Policy Rules for IPSec Tunnels
- Specifying a Virtual Router for an IKE Policy Rule
- Defining Aggressive Mode for an IKE Policy Rule
- Monitoring IPSec Tunnel Profiles
- System Event Logs
- show Commands
-
Configuring L2C
- Overview
- Access Topology Discovery
- Line Configuration
- Transactional Multicast
- OAM
- Platform Considerations
- References
- Configuring L2C
- Creating a Listening TCP Socket for L2C
- Accessing L2C Configuration Mode
- Defining the L2C Session Timeout
- Configuring L2C Interfaces
- Configuring L2C Neighbors
- Accessing L2C Neighbor Configuration Mode
- Defining an L2C Neighbor
- Limiting Discovery Table Entries
- Clearing L2C Neighbors
- Configuring Topology Discovery
- Configuring L2C for QoS Adaptive Mode
- Triggering L2C Line Configuration
- Configuring Transactional Multicast for IGMP
- Creating an IGMP Session for L2C
- L2C IGMP Configuration Example
- Complete Configuration Example
- Triggering L2C OAM
- Monitoring L2C
-
Configuring Digital Certificates
- Overview
- Digital Certificate Terms and Acronyms
- Platform Considerations
- References
- IKE Authentication with Digital Certificates
- Signature Authentication
- Generating Public/Private Key Pairs
- Obtaining a Root CA Certificate
- Obtaining a Public Key Certificate
- Offline Certificate Enrollment
- Online Certificate Enrollment
- Authenticating the Peer
- Verifying CRLs
- File Extensions
- Certificate Chains
- IKE Authentication Using Public Keys Without Digital Certificates
- Configuration Tasks
- Public Key Format
- Configuring Digital Certificates Using the Offline Method
- Configuring Digital Certificates Using the Online Method
- Configuring Peer Public Keys Without Digital Certificates
- Monitoring Digital Certificates and Public Keys
-
Configuring IP Tunnels
- Overview
- GRE Tunnels
- DVMRP Tunnels
- Platform Considerations
- Module Requirements
- ERX-7xx Models, ERX-14xx Models, and the ERX-310 Router
- E320 Router
- Redundancy and Tunnel Distribution
- References
- Configuration Tasks
- Configuration Example
- Configuring IP Tunnels to Forward IP Frames
- Preventing Recursive Tunnels
- Creating Multicast VPNs Using GRE Tunnels
- Monitoring IP Tunnels
-
IP Reassembly for Tunnels
- Overview
- Platform Considerations
- Module Requirements
- ERX-7xx Models, ERX-14xx Models, and the ERX-310 Router
- E320 Router
- Configuring IP Reassembly
- Monitoring IP Reassembly
- Setting Statistics Baselines
- Displaying Statistics
-
Configuring Layer 2 Services over GRE
- Overview
- Platform Considerations
- Module Requirements
- Interface Specifiers
- References
- How Layer 2 Services over GRE Work
- Link Status Mapping
- DLCI Mapping
- GRE Encapsulation
- GRE Sequence Numbers
- Configuring Frame Relay over GRE
- Configuration Example
- Monitoring Layer 2 Services over GRE
-
Configuring Layer 2 Services over MPLS
- Overview
- Platform Considerations
- Module Requirements
- Interface Specifiers
- References
- How Layer 2 Services over MPLS Work
- Local Cross-Connects Between Layer 2 Interfaces Using MPLS
- MPLS Shim Interfaces
- Multiservice with Layer 2 Services
- ATM Layer 2 Services
- AAL5 Encapsulation
- OAM Cells
- QoS Classification
- Limitations
- Control Word Support
- VCC Cell Relay Encapsulation
- AAL0 Raw Cell Mode
- Cell Concatenation Parameters
- Cell Concatenation and Latency
- Control Word Support
- Unsupported Features
- HDLC Layer 2 Services
- Interface Stacking
- Encapsulation
- Control Word Support
- Local Cross-Connects
- Configuring Layer 2 Services over MPLS
- Configuring Frame Relay Layer 2 Services
- Configuring Ethernet/VLAN Layer 2 Services
- Configuring S-VLAN Tunnels for Layer 2 Services
- Configuring Local Cross-Connects Between Ethernet/VLAN Interfaces
- Configuring Local ATM Cross-Connects with AAL5 Encapsulation
- Configuring an MPLS Pseudowire with VCC Cell Relay Encapsulation
- Configuring HDLC Layer 2 Services
- Configuring Local Cross-Connects for HDLC Layer 2 Services
- Configuration Commands
- CE-Side Load Balancing for Martini Layer 2 Transport
- Configuring Many Shim Interfaces with the Same Peer, VC Type, and VC ID
- Configuring Load-Balancing Groups
- MPLS Interfaces and Labels
- Configuring Load-Balancing Groups
- Adding a Member Interface to a Group Circuit
- Removing Member Subinterfaces from a Circuit
- Frame Relay over MPLS Configuration Example
- Monitoring Layer 2 Services over MPLS
-
Securing L2TP and IP Tunnels with IPSec
- Overview
- Line Module Requirements
- Tunnel Creation
- IPSec Secured-Tunnel Maximums
- Platform Considerations
- References
- L2TP/IPSec Tunnels
- Setting Up the Secure L2TP Connection
- L2TP with IPSec Control and Data Frames
- Compatibility and Requirements
- Client Software Supported
- Interactions with NAT
- Interaction Between IPSec and PPP
- LNS Change of Port
- Group Preshared Key
- NAT Passthrough Mode
- NAT Traversal
- How NAT-T Works
- UDP Encapsulation
- UDP Statistics
- NAT Keepalive Messages
- Configuring and Monitoring NAT-T
- Single-Shot Tunnels
- Configuration Tasks for Client PC
- Configuration Tasks for E-series Routers
- Enabling IPSec Support for L2TP
- Configuring NAT-T
- Configuring Single-Shot Tunnels
- GRE/IPSec and DVMRP/IPSec Tunnels
- Setting Up the Secure GRE or DVMRP Connection
- Configuration Tasks
- Enabling IPSec Support for GRE and DVMRP Tunnels
- Configuring IPSec Transport Profiles
- Monitoring DVMRP/IPSec, GRE/IPSec, and L2TP/IPSec Tunnels
- System Event Logs
- show Commands
-
Configuring VRRP
- Overview
- VRRP Terms
- Platform Considerations
- References
- How VRRP Works
- Configuration Examples
- Basic VRRP Configuration
- Commonly Used VRRP Configuration
- VRRP Configuration Without the Real Address Owner
- How VRRP Is Implemented in E-series Routers
- Router Election Rules
- Configuring VRRP
- Configuring the IP Interface
- Creating VRIDs
- Configuration Steps
- Changing Object Priority
- Monitoring VRRP
-
Index