Table of Contents

About the Documentation
E Series and JunosE Documentation and Release Notes
Audience
E Series and JunosE Text and Syntax Conventions
Obtaining Documentation
Documentation Feedback
Requesting Technical Support
Chapters
Configuring Routing Policy
Routing Policy Overview
Routing Policy Platform Considerations
Route Map Match and Set Clauses
Understanding Route Map Match and Set Clauses
Example: Configuring a Route Map to Filter Routes on the Basis of the AS Path
Multiple Values in a Route Map Match Entry Overview
Negating Match Clauses on a Route Map
Exactly Matching a Community List on a Route Map Overview
Removing Community Lists from a Route Map Overview
Policy List Matching Overview
Redistributing Access or Access-Internal Routes
Multicast Bandwidths Setting Overview
Defining the Conditions for Redistributing Routes Using a Route Map
Configuring Match Clauses and Values for a Route Map
Configuring Set Clauses for a Route Map
Match Policy Lists
Match Policy Lists Overview
Creating and Launching the Match Policy List
Access Lists
Filtering Prefixes
Filtering Routes on the Basis of Prefixes Overview
Example: Redistributing Static Routes to IS-IS Using a Route Map and an Access List
Example: Configuring Access Lists to Filter Routes Advertised to a BGP Device
Filtering AS Paths
Filtering Routes on the Basis of AS Paths Overview
Example: Configuring a Route Map to Filter Routes on the Basis of the AS Path
Example: Applying Access Lists Using a Route Map to Filter Routes
Defining IP Access Lists
Configuring the Advertisement of the Default Route
Defining AS-Path Access Lists
Defining IPv6 Access Lists
Filtering BGP Advertisements Using Distribute Lists
Assigning an AS-Path Access List to Inbound or Outbound Advertisements of a Neighbor
Assigning an Inbound or Outbound Prefix List
Assigning an Inbound or Outbound Prefix Tree
Redistributing Routes Between Routing Domains
Configuring Access Lists as PIM Sparse Mode Join Filters
Clearing IP and IPv6 Access List Counters
Table Maps
Understanding Table Maps
Creating Table Maps to Filter IP and IPv6 Access Routes
Creating Table Maps to Filter IP and IPv6 Static Routes
Filtering Undesired Traffic Using the Null Interface
Prefix Lists
Prefix Lists Overview
Creating or Configuring an IP or IPv6 Prefix List for Route Filtering
Clearing Hit Counts in the IP or IPv6 Prefix List
Matching Routes on the Basis of the Destination IP or IPv6 Address Permitted by the Prefix List
Matching Routes on the Basis of the Next-Hop Router IP or IPv6 Address Passed by the Prefix List
Prefix Trees
Prefix Tree Overview
Creating or Configuring an IP Prefix Tree for Best Route Filtering
Clearing Hit Counts in the IP Prefix Tree
Matching Routes on the Basis of the Destination IP Address Permitted by the Prefix Tree
Matching Routes on the Basis of the Next-Hop Router IP Address Passed by the Prefix Tree
Summarizing Matched Routes on the Basis of the Network Base Address Set in the Prefix Tree
Community Lists
Community List Overview
Example: Setting Metrics for Routes Forwarded on the Basis of Communities
Configuring the Display Format for the Communities
Creating an IP Community List for BGP
Sending a Community Attribute to a BGP Neighbor
Setting a BGP Community Attribute to a List of Community Numbers
Extended Community Lists
Extended Community List Overview
Creating an IP Extended Community List for BGP
Matching an Extended Community List on a Route Map
Setting a BGP Extended Community Attribute
Using Regular Expressions
AS-Path Lists
Community Lists
Community Numbers
Metacharacters
Using Metacharacters as Literal Tokens
Regular Expression Examples
Managing the Routing Table
Troubleshooting Routing Policy Overview
Monitoring Routing Policy
Monitoring Extended Community Lists
Monitoring Access Lists
Monitoring the AS-Path Access Lists for IP
Monitoring the Routes Permitted by IP Community Lists
Monitoring Match Policy Lists
Monitoring the Prefix Lists Configured on the Router
Monitoring the Prefix Trees Configured on the Router
Monitoring IP Protocols
Monitoring IP Route Redistribution Policy
Monitoring the Current State of IP Routing Tables
Monitoring IP Routing Table Details for a Line Module
Monitoring the Status of IP Static Routes in the Routing Table
Monitoring IP Traffic Statistics
Monitoring Route Map Details
Configuring NAT
Overview
Platform Considerations
Module Requirements
References
NAT Configurations
Traditional NAT
Basic NAT
NAPT
Bidirectional NAT
Twice NAT
Network and Address Terms
Inside Local Addresses
Inside Global Addresses
Outside Local Addresses
Outside Global Addresses
Understanding Address Translation
Inside Source Translation
Outside Source Translation
Address Assignment Methods
Static Translations
Dynamic Translations
Order of Operations
Inside-to-Outside Translation
Outside-to-Inside Translation
PPTP and GRE Tunneling Through NAT
Packet Discard Rules
Before You Begin
Configuring a NAT License
Limiting Translation Entries
Specifying Inside and Outside Interfaces
Defining Static Address Translations
Creating Static Inside Source Translations
Creating Static Outside Source Translations
Defining Dynamic Translations
Creating Access List Rules
Defining Address Pools
Defining Dynamic Translation Rules
Creating Dynamic Inside Source Translation Rules
Creating Dynamic Outside Source Translation Rules
Defining Translation Timeouts
Clearing Dynamic Translations
NAT Configuration Examples
NAPT Example
Bidirectional NAT Example
Twice NAT Example
Cross-VRF Example
Tunnel Configuration Through NAT Examples
Clients on an Inside Network
Clients on an Outside Network
GRE Flows Through NAT
Monitoring NAT
Displaying the NAT License Key
Displaying Translation Statistics
Displaying Translation Entries
Displaying Address Pool Information
Displaying Inside and Outside Rule Settings
Configuring J-Flow Statistics
Overview
Interface Sampling
Aggregation Caches
Flow Collection
Main Flow Cache Contents
Cache Flow Export
Aging Flows
Operation with NAT
Operation with High Availability
Platform Considerations
Before You Configure J-Flow Statistics
Configuring Flow-Based Statistics Collection
Enabling Flow-Based Statistics
Enabling Flow-Based Statistics on an Interface
Defining a Sampling Interval
Setting Cache Size
Defining Aging Timers
Specifying the Activity Timer
Specifying the Inactivity Timer
Specifying Flow Export
Configuring Aggregation Flow Caches
Monitoring J-Flow Statistics
Clearing J-Flow Statistics
J-Flow show Commands
Configuring BFD
Bidirectional Forwarding Detection Overview
How BFD Works
Negotiation of the BFD Liveness Detection Interval
BFD Platform Considerations
BFD References
Configuring a BFD License
BFD Version Support
Configuring BFD
Managing BFD Adaptive Timer Intervals
Clearing BFD Sessions
Monitoring BFD
System Event Logs
Viewing BFD Information
Configuring IPsec
Overview
IPsec Terms and Acronyms
Platform Considerations
References
IPsec Concepts
Secure IP Interfaces
RFC 2401 Compliance
IPsec Protocol Stack
Security Parameters
Manual Versus Signaled Interfaces
Operational Virtual Router
Transport Virtual Router
Transport VR Definition
Transport VR Definitions with an FQDN
Perfect Forward Secrecy
Lifetime
Inbound and Outbound SAs
Transform Sets
Encapsulation Protocols
Encapsulation Modes
Supported Transforms
Negotiating Transforms
Other Security Features
IP Security Policies
ESP Processing
AH Processing
IPsec Maximums Supported
DPD and IPsec Tunnel Failover
Tunnel Failover
IKE Overview
Main Mode and Aggressive Mode
Aggressive Mode Negotiations
IKE Policies
Priority
Encryption
Hash Function
Authentication Mode
Diffie-Hellman Group
Lifetime
IKE SA Negotiation
Generating Private and Public Key Pairs
Configuration Tasks
Configuring an IPsec License
Configuring IPsec Parameters
Creating an IPsec Tunnel
Configuring DPD and IPsec Tunnel Failover
Defining an IKE Policy
Refreshing SAs
Enabling Notification of Invalid Cookies
Configuration Examples
Configuration Notes
Monitoring IPsec
System Event Logs
show Commands
Configuring Dynamic IPsec Subscribers
Dynamic IPsec Subscribers Overview
Dynamic Connection Setup
Dynamic Connection Teardown
Dynamic IPsec Subscriber Recognition
Licensing Requirements
Inherited Subscriber Functionality
Using IPsec Tunnel Profiles
Relocating Tunnel Interfaces
User Authentication
Dynamic IPsec Subscribers Platform Considerations
Dynamic IPsec Subscribers References
Creating an IPsec Tunnel Profile
Configuring IPsec Tunnel Profiles
Limiting Interface Instantiations on Each Profile
Specifying IKE Settings for IPsec Tunnels
Setting the IKE Local Identity
Setting the IKE Peer Identity
Appending a Domain Suffix to a Username
Overriding IPsec Local and Peer Identities for SA Negotiations
Specifying an IP Profile for IP Interface Instantiations
Defining the Server IP Address
Specifying Local Networks
Defining IPsec Security Association Lifetime Parameters
Defining User Reauthentication Protocol Values
Specifying IPsec Security Association Transforms
Specifying IPsec Security Association PFS and DH Group Parameters
Defining the Tunnel MTU
Defining IKE Policy Rules for IPsec Tunnels
Specification of a Virtual Router for an IKE Policy Rule Overview
Configuring a Virtual Router for an IKE Policy Rule
Defining Aggressive Mode for an IKE Policy Rule
Monitoring IPsec Tunnel Profiles
System Event Logs Used to Troubleshoot and Monitor Dynamic IPsec Subscribers
Monitoring IPsec Tunnel Profiles
Monitoring Active Subscribers
Configuring ANCP
Access Node Control Protocol Overview
Access Topology Discovery
Line Configuration
Transactional Multicast
OAM
Retrieval of DSL Line Rate Parameters
Learning the Partition ID from an Access Node
ANCP Platform Considerations
ANCP References
Configuring ANCP
Creating a Listening TCP Socket for ANCP
Accessing L2C Configuration Mode for ANCP
Defining the ANCP Session Timeout
Learning the Access Node Partition ID
Configuring ANCP Interfaces
Creating GSMP Output Labels
Configuring the Maximum Number of Branches for the ANCP User
Creating GSMP Input Labels
Configuring ANCP Neighbors
Accessing L2C Neighbor Configuration Mode for ANCP
Defining an ANCP Neighbor
Storing Topology Discovery Table Data in Mirrored Storage
Limiting Topology Discovery Table Entries
Clearing ANCP Neighbors
Configuring Topology Discovery
Configuring ANCP for QoS Adaptive Mode
Overview of Configuring ANCP for QoS Adaptive Mode
Clearing Entries from the Topology Discovery Table
Enabling QoS Adaptive Mode for ANCP
Triggering ANCP Line Configuration
Adjusting the Data Rate Reported by ANCP for DSL Lines Overview
Configuring a QoS Adjustment Factor Applied to the ANCP Reported Data Rate
Example: Configuring Transactional Multicast for IGMP
Overview of Triggering ANCP OAM
Triggering ANCP OAM
Monitoring ANCP
Monitoring ANCP Configuration
Monitoring ANCP Discovery Table Entries
Monitoring Configured Values for the Adjustment Rate
Monitoring ANCP Labels
Monitoring ANCP Neighbors
Monitoring ANCP Statistics
Configuring Digital Certificates
Overview
Digital Certificate Terms and Acronyms
Platform Considerations
References
IKE Authentication with Digital Certificates
Signature Authentication
Generating Public/Private Key Pairs
Obtaining a Root CA Certificate
Obtaining a Public Key Certificate
Offline Certificate Enrollment
Online Certificate Enrollment
Authenticating the Peer
Verifying CRLs
File Extensions
Certificate Chains
IKE Authentication Using Public Keys Without Digital Certificates
Configuration Tasks
Public Key Format
Configuring Digital Certificates Using the Offline Method
Configuring Digital Certificates Using the Online Method
Configuring Peer Public Keys Without Digital Certificates
Monitoring Digital Certificates and Public Keys
Configuring IP Tunnels
Overview
GRE Tunnels
DVMRP Tunnels
Platform Considerations
Module Requirements
ERX7xx Models, ERX14xx Models, and the ERX310 Router
E120 Router and E320 Router
Redundancy and Tunnel Distribution
References
Configuration Tasks
Configuration Example
Configuring IP Tunnels to Forward IP Frames
Preventing Recursive Tunnels
Creating Multicast VPNs Using GRE Tunnels
Monitoring IP Tunnels
Configuring Dynamic IP Tunnels
Understanding Dynamic IP Tunnels
Data MDT for Multicast VPNs and Dynamic IP Tunnels
Mobile IP and Dynamic IP Tunnels
Combining Dynamic and Static IP Tunnels in the Same Chassis
Changing and Removing Existing Dynamic IP Tunnels
Dynamic IP Tunnel Platform Considerations
Module Requirements
ERX7xx Models, ERX14xx Models, and the ERX310 Router
E120 Router and E320 Router
Redundancy and Tunnel Distribution
Dynamic IP Tunnel References
Modifying the Configuration of the Default Destination Profile
Configuring a Destination Profile for Dynamic GRE Tunnels
Configuring a Destination Profile for Dynamic DVMRP Tunnels
Monitoring DVMRP Destination Profiles
Monitoring Dynamic DVMRP Tunnels
Monitoring GRE Destination Profiles
Monitoring Dynamic GRE Tunnels
IP Reassembly for Tunnels
Overview
Platform Considerations
Module Requirements
ERX7xx Models, ERX14xx Models, and the ERX310 Router
E120 Router and E320 Router
Configuring IP Reassembly
Monitoring IP Reassembly
Setting Statistics Baselines
Displaying Statistics
Securing L2TP and IP Tunnels with IPsec
Securing L2TP and IP Tunnels with IPsec Overview
Tunnel Creation
IPsec Secured-Tunnel Maximums
Securing L2TP and IP Tunnels with IPsec Platform Considerations
Module Requirements
Securing L2TP and IP Tunnels with IPsec References
L2TP/IPsec Tunnels Overview
Setting Up a Secure Connection Between the Client PC and an E Series Router
L2TP/IPsec Control and Data Frames Overview
L2TP/IPsec Traffic Compatibility Issues and Requirements Overview
Client Software Supported
Interactions with NAT
Interaction Between IPsec and PPP
LNS Change of Port
Group Preshared Key
NAT Passthrough Mode Overview
NAT-Traversal Overview
How NAT-T Works
UDP Encapsulation
UDP Statistics
NAT Keepalive Messages
Configuring and Monitoring NAT-T
Single-Shot L2TP/IPsec Tunnels Overview
Setting Up the Client PC for an L2TP/IPsec Tunnel
Configuring E Series Routers to Set Up an L2TP/IPsec Tunnel
Configuring an L2TP Destination Profile to Enable IPsec Support for L2TP Tunnels
Enabling IPsec Transport Mode
Creating an L2TP Destination Profile
Enabling NAT-T on a Virtual Router
Configuring Single-Shot L2TP/IPsec Tunnels
GRE/IPsec and DVMRP/IPsec Tunnels
GRE/IPsec and DVMRP/IPsec Tunnels Overview
Setting Up a Secure GRE or DVMRP Connection Between E Series Routers
Configuring E Series Routers to Set Up GRE or DVMRP over IPsec
Enabling IPsec Support for GRE and DVMRP Tunnels
Configuring an IPsec Transport Profile
Configuring the Type of Application Secured by Connections Created with an IPsec Transport Profile
Creating an IPsec Transport Profile
Setting a Lifetime Range for an IPsec Transport Profile
Configuring a Local Endpoint for an IPsec Transport Profile
Configuring Perfect Forward Secrecy for an IPsec Transport Profile
Configuring an Unencrypted Preshared Key for a Local IPsec Transport Profile
Configuring an Encrypted Preshared Key for a Local IPsec Transport Profile
Configuring Transform Sets for an IPsec Transport Profile
Using a System Event Log to Troubleshoot IPsec-Secured L2TP and IP Tunnels
Monitoring L2TP and IP Tunnels Secured by IPsec
Monitoring the IPsec Transport Interface Used to Secure DVMRP Tunnels
Monitoring the IPsec Transport Interface Used to Secure GRE Tunnels
Monitoring the IKE Phase 1 SAs
Monitoring the Status of IPsec Options
Monitoring the IPsec Transport Connections Information
Monitoring the Summary of All IPsec Transport Connections
Monitoring the Configuration Information of an IPsec Transport Profile
Monitoring Configured L2TP Destination Profiles or Host Profiles
Configuring the Mobile IP Home Agent
Mobile IP Overview
Mobile IP Agent Discovery
Mobile IP Registration
Home Address Assignment
Authentication
AAA
Subscriber Management
Mobile IP Routing and Forwarding
Mobile IP Platform Considerations
Mobile IP References
Before You Configure the Mobile IP Home Agent
Configuring the Mobile IP Home Agent on a Virtual Router
Configuring the License Key to Enable a Mobile IP Home Agent
Configuring the Mobile IP Home Agent Settings
Configuring the IP Mobile Host
Configuring the Mobile IP Security Associations for a Mobile Host
Configuring the Mobile IP Security Associations for a Foreign Agent
Configuring or Associating a Preconfigured Interface Profile with the Mobile IP Home Agent
Setting a Baseline for Mobile IP Home Agent Statistics
Clearing the IP Mobile Binding Details from the Binding Table
Monitoring the Mobile IP Home Agent
Monitoring the Binding Table Information of the Mobile IP Home Agent
Monitoring the Configuration Information of the Mobile IP Home Agent
Monitoring the Configuration of Mobile Hosts or Domain Users
Monitoring the Interface Profile Name Associated with the Mobile IP Home Agent
Monitoring the Mobile IP Security Associations Configured for Foreign Agents
Monitoring the Mobile IP Security Associations Configured on Mobile Hosts
Monitoring the Protocol Statistics for the Mobile IP Home Agent Traffic
Monitoring the License Key for the Mobile IP Home Agent
Index