JunosE 15.1.x IP Services Configuration Guide
Copyright and Trademark Information- Table of Contents
- List of Figures
- List of Tables
-
About the Documentation - Chapters
- Configuring Routing Policy
- Routing Policy Overview
- Routing Policy Platform Considerations
- Route Map Match and Set Clauses
- Understanding Route Map Match and Set Clauses
- Example: Configuring a Route Map to Filter Routes on the Basis
of the AS Path
- Multiple Values in a Route Map Match Entry Overview
- Negating Match Clauses on a Route Map
- Exactly Matching a Community List on a Route Map Overview
- Removing Community Lists from a Route Map Overview
- Policy List Matching Overview
- Redistributing Access or Access-Internal Routes
- Multicast Bandwidths Setting Overview
- Defining the Conditions for Redistributing Routes Using a Route
Map
- Configuring Match Clauses and Values for a Route Map
- Configuring Set Clauses for a Route Map
- Match Policy Lists
- Access Lists
- Filtering Prefixes
- Filtering AS Paths
- Example: Applying Access Lists Using a Route Map to Filter
Routes
- Defining IP Access Lists
- Configuring the Advertisement of the Default Route
- Defining AS-Path Access Lists
- Defining IPv6 Access Lists
- Filtering BGP Advertisements Using Distribute Lists
- Assigning an AS-Path Access List to Inbound or Outbound Advertisements
of a Neighbor
- Assigning an Inbound or Outbound Prefix List
- Assigning an Inbound or Outbound Prefix Tree
- Redistributing Routes Between Routing Domains
- Configuring Access Lists as PIM Sparse Mode Join Filters
- Clearing IP and IPv6 Access List Counters
- Table Maps
-
- Filtering Undesired Traffic Using the Null Interface
- Prefix Lists
- Prefix Lists Overview
- Creating or Configuring an IP or IPv6 Prefix List for Route
Filtering
- Clearing Hit Counts in the IP or IPv6 Prefix List
- Matching Routes on the Basis of the Destination IP or IPv6
Address Permitted by the Prefix List
- Matching Routes on the Basis of the Next-Hop Router IP or IPv6
Address Passed by the Prefix List
- Prefix Trees
- Prefix Tree Overview
- Creating or Configuring an IP Prefix Tree for Best Route Filtering
- Clearing Hit Counts in the IP Prefix Tree
- Matching Routes on the Basis of the Destination IP Address
Permitted by the Prefix Tree
- Matching Routes on the Basis of the Next-Hop Router IP Address
Passed by the Prefix Tree
- Summarizing Matched Routes on the Basis of the Network Base
Address Set in the Prefix Tree
- Community Lists
- Community List Overview
- Example: Setting Metrics for Routes Forwarded on the Basis
of Communities
- Configuring the Display Format for the Communities
- Creating an IP Community List for BGP
- Sending a Community Attribute to a BGP Neighbor
- Setting a BGP Community Attribute to a List of Community Numbers
- Extended Community Lists
- Using Regular Expressions
- Managing the Routing Table
- Troubleshooting Routing Policy Overview
- Monitoring Routing Policy
- Monitoring Extended Community Lists
- Monitoring Access Lists
- Monitoring the AS-Path Access Lists for IP
- Monitoring the Routes Permitted by IP Community Lists
- Monitoring Match Policy Lists
- Monitoring the Prefix Lists Configured on the Router
- Monitoring the Prefix Trees Configured on the Router
- Monitoring IP Protocols
- Monitoring IP Route Redistribution Policy
- Monitoring the Current State of IP Routing Tables
- Monitoring IP Routing Table Details for a Line Module
- Monitoring the Status of IP Static Routes in the Routing Table
- Monitoring IP Traffic Statistics
- Monitoring Route Map Details
- Configuring NAT
- Overview
- Platform Considerations
- References
- NAT Configurations
- Network and Address Terms
- Understanding Address Translation
- Address Assignment Methods
- Order of Operations
- PPTP and GRE Tunneling Through NAT
- Packet Discard Rules
- Before You Begin
- Configuring a NAT License
- Limiting Translation Entries
- Specifying Inside and Outside Interfaces
- Defining Static Address Translations
- Defining Dynamic Translations
- Clearing Dynamic Translations
- NAT Configuration Examples
- Tunnel Configuration Through NAT Examples
- GRE Flows Through NAT
- Monitoring NAT
- Configuring J-Flow Statistics
- Configuring BFD
- Configuring IPsec
- Configuring Dynamic IPsec Subscribers
- Dynamic IPsec Subscribers Overview
- Dynamic IPsec Subscribers Platform Considerations
- Dynamic IPsec Subscribers References
- Creating an IPsec Tunnel Profile
- Configuring IPsec Tunnel Profiles
- Limiting Interface Instantiations on Each Profile
- Specifying IKE Settings for IPsec Tunnels
- Appending a Domain Suffix to a Username
- Overriding IPsec Local and Peer Identities for SA Negotiations
- Specifying an IP Profile for IP Interface Instantiations
- Defining the Server IP Address
- Specifying Local Networks
- Defining IPsec Security Association Lifetime Parameters
- Defining User Reauthentication Protocol Values
- Specifying IPsec Security Association Transforms
- Specifying IPsec Security Association PFS and DH Group Parameters
- Defining the Tunnel MTU
- Defining IKE Policy Rules for IPsec Tunnels
- Monitoring IPsec Tunnel Profiles
-
- Configuring ANCP
- Access Node Control Protocol Overview
- ANCP Platform Considerations
- ANCP References
- Configuring ANCP
- Configuring ANCP Interfaces
- Configuring ANCP Neighbors
- Configuring Topology Discovery
- Configuring ANCP for QoS Adaptive Mode
- Triggering ANCP Line Configuration
- Adjusting the Data Rate Reported by ANCP for DSL Lines Overview
- Configuring a QoS Adjustment Factor Applied to the ANCP Reported
Data Rate
- Example: Configuring Transactional Multicast for IGMP
- Overview of Triggering ANCP OAM
- Triggering ANCP OAM
-
- Monitoring
ANCP
- Configuring Digital Certificates
- Overview
- Platform Considerations
- References
- IKE Authentication with Digital Certificates
- IKE Authentication Using Public Keys Without Digital Certificates
- Configuring Digital Certificates Using the Offline Method
- Configuring Digital Certificates Using the Online Method
- Configuring Peer Public Keys Without Digital Certificates
- Monitoring Digital Certificates and Public Keys
-
- Configuring IP Tunnels
- Configuring Dynamic IP Tunnels
- Understanding Dynamic IP Tunnels
- Dynamic IP Tunnel Platform Considerations
- Dynamic IP Tunnel References
- Modifying the Configuration of the Default Destination Profile
- Configuring a Destination Profile for Dynamic GRE Tunnels
- Configuring a Destination Profile for Dynamic DVMRP Tunnels
- Monitoring DVMRP Destination Profiles
- Monitoring Dynamic DVMRP Tunnels
- Monitoring GRE Destination Profiles
- Monitoring Dynamic GRE Tunnels
-
- IP Reassembly for Tunnels
- Securing L2TP and IP Tunnels with IPsec
- Securing L2TP and IP Tunnels with IPsec Overview
- Securing L2TP and IP Tunnels with IPsec Platform Considerations
- Securing L2TP and IP Tunnels with IPsec References
- L2TP/IPsec Tunnels Overview
- Setting Up a Secure Connection Between the Client PC and an
E Series Router
- L2TP/IPsec Control and Data Frames Overview
- L2TP/IPsec Traffic Compatibility Issues and Requirements Overview
- NAT Passthrough Mode Overview
- NAT-Traversal Overview
- Single-Shot L2TP/IPsec Tunnels Overview
- Setting Up the Client PC for an L2TP/IPsec Tunnel
- Configuring E Series Routers to Set Up an L2TP/IPsec Tunnel
- Configuring an L2TP Destination Profile to Enable IPsec Support
for L2TP Tunnels
- Enabling IPsec Transport Mode
- Creating an L2TP Destination Profile
- Enabling NAT-T on a Virtual Router
- Configuring Single-Shot L2TP/IPsec Tunnels
- GRE/IPsec and DVMRP/IPsec Tunnels
- Configuring an IPsec Transport Profile
- Configuring the Type of Application Secured by Connections
Created with an IPsec Transport Profile
- Creating an IPsec Transport Profile
- Setting a Lifetime Range for an IPsec Transport Profile
- Configuring a Local Endpoint for an IPsec Transport Profile
- Configuring Perfect Forward Secrecy for an IPsec Transport
Profile
- Configuring an Unencrypted Preshared Key for a Local IPsec
Transport Profile
- Configuring an Encrypted Preshared Key for a Local IPsec Transport
Profile
- Configuring Transform Sets for an IPsec Transport Profile
- Using a System Event Log to Troubleshoot IPsec-Secured L2TP
and IP Tunnels
-
- Monitoring L2TP and IP Tunnels Secured by IPsec
- Monitoring the IPsec Transport Interface Used to Secure DVMRP
Tunnels
- Monitoring the IPsec Transport Interface Used to Secure GRE
Tunnels
- Monitoring the IKE Phase 1 SAs
- Monitoring the Status of IPsec Options
- Monitoring the IPsec Transport Connections Information
- Monitoring the Summary of All IPsec Transport Connections
- Monitoring the Configuration Information of an IPsec Transport
Profile
- Monitoring Configured L2TP Destination Profiles or Host Profiles
- Configuring the Mobile IP Home Agent
- Mobile IP Overview
- Mobile IP Platform Considerations
- Mobile IP References
- Before You Configure the Mobile IP Home Agent
- Configuring the Mobile IP Home Agent on a Virtual Router
- Configuring the License Key to Enable a Mobile IP Home Agent
- Configuring the Mobile IP Home Agent Settings
- Configuring the IP Mobile Host
- Configuring the Mobile IP Security Associations for a Mobile
Host
- Configuring the Mobile IP Security Associations for a Foreign
Agent
- Configuring or Associating a Preconfigured Interface Profile
with the Mobile IP Home Agent
- Setting a Baseline for Mobile IP Home Agent Statistics
- Clearing the IP Mobile Binding Details from the Binding Table
-
- Monitoring the Mobile IP Home Agent
- Monitoring the Binding Table Information of the Mobile IP Home
Agent
- Monitoring the Configuration Information of the Mobile IP Home
Agent
- Monitoring the Configuration of Mobile Hosts or Domain Users
- Monitoring the Interface Profile Name Associated with the Mobile
IP Home Agent
- Monitoring the Mobile IP Security Associations Configured for
Foreign Agents
- Monitoring the Mobile IP Security Associations Configured on
Mobile Hosts
- Monitoring the Protocol Statistics for the Mobile IP Home Agent
Traffic
- Monitoring the License Key for the Mobile IP Home Agent
-
- Index
A
- AAA
- access lists, IP
- access-list command 1, 2, 3
- adjustment-factor command
- aggregation flow caches 1
- ANCP (Access Node Control Protocol)
- adjusting downstream rates 1, 2, 3
- monitoring
- overview
- ANCP commands
- clear l2c neighbor 1, 2
- id
- l2c 1, 2, 3, 4
- l2c end-user-id
- l2c max-branches
- l2c peer-attachment-id
- max-branches
- neighbor
- qos-adaptive-mode 1, 2, 3
- session-timeout 1, 2, 3, 4
- authentication
- authentication commands
B
- baseline commands
- baseline ip
- baseline ip mobile home-agent 1, 2
- baseline ip tunnel-reassembly
- baseline, setting
- Mobile IP home agent 1, 2
- tunnel reassembly
- BFD (Bidirectional Forwarding Detection)
- BFD commands
- BGP (Border Gateway Protocol)
- Bidirectional Forwarding Detection. See BFD
C
- cache flow, IP
- certificate revocation list. See CRL
- checksum computation
- clear commands
- clear ip commands
- community lists, BGP
- conventions
- CRL (certificate revocation list) 1
- customer support 1
D
- dead peer detection. See DPD
- default-information originate command
- destruct timeout period for single-shot tunnels
- digital certificates
- authenticating the peer
- base64
- CA hierarchy
- certificate chains
- checking CRLs
- configuring
- file extensions
- generating private/public key pairs
- monitoring
- obtaining a public key certificate
- obtaining a root CA certificate
- obtaining public keys without 1, 2
- offline configuration
- offline enrollment
- online configuration
- online enrollment
- overview
- signature authentication
- standards
- viewing 1, 2, 3, 4
- X.509v3
- documentation set
- DPD (dead peer detection)
- DVMRP (Distance Vector Multicast Routing Protocol)
- DVMRP with IPsec
- dynamic IP tunnels
- dynamic tunnels
E
- enable commands
- endpoints, tunnel
F
- filter lists, BGP
- filtering
- flow statistics commands
- FQDN (fully qualified domain name) 1, 2, 3
- fully qualified domain name. See FQDN
G
- GRE (Generic Routing Encapsulation)
- GRE with IPsec
H
- home agent, Mobile IP. See Mobile IP home agent
I
- idle timeout period for single-shot tunnels
- IKE (Internet Key Exchange)
- aggressive mode characteristics
- aggressive mode negotiations
- authentication without digital certificates 1, 2
- initiator proposals and policy rules
- main mode characteristics
- overview
- SA negotiation
- using digital certificates
- IKE commands 1
- IKE message notification type
- IKE policies 1
- authentication mode
- Diffie-Hellman group
- encryption algorithms
- hash function
- IPsec tunnels
- lifetime
- priority
- instance, route map
- interface commands
- interface null
- interface tunnel 1, 2
- interfaces
- Internet Key Exchange. See IKE
- invalid cookies, IPsec
- IP
- ip commands
- IP flow
- IP fragmentation
- ip mobile commands
- ip nat commands 1, See also show ip nat commands
- IP reassembly of tunnel packets 1
- IP security policies
- IP tunnels 1, 2
- IP-in-IP tunnels 1, 2
- IPsec (IP Security) 1, 2, See also L2TP with IPsec
- AH
- AH processing
- concepts
- configuration
- configuring
- digital certificates
- encapsulation modes
- encapsulation protocols
- ESP
- ESP processing
- invalid cookies
- L2TP with IPsec 1, 2
- license
- monitoring
- overview
- packet encapsulation
- protocol stack
- reassembly of tunnel packets
- remote access 1, 2
- secure IP interfaces
- security parameters
- security parameters per policy type
- tunnel destination endpoint
- tunnel failover 1, 2
- tunnel source endpoint
- IPsec CA identity commands
- ipsec certificate commands
- ipsec commands 1, See also show ipsec commands
- ipsec ca authenticate
- ipsec ca enroll
- ipsec ca identity
- ipsec clear
- ipsec crl 1, 2
- ipsec identity
- ipsec ike-policy-rule
- ipsec isakmp-policy-rule
- ipsec key generate 1, 2, 3
- ipsec key manual pre-share
- ipsec key pubkey-chain rsa
- ipsec key zeroize 1, 2
- ipsec lifetime
- ipsec local-endpoint
- ipsec option dpd
- ipsec option tx-invalid-cookie
- ipsec transform-set
- key
- masked-key
- IPsec identity commands
- IPsec IKE policy commands
- IPsec security parameters
- in relation to IPsec interface
- inbound SAs 1, 2
- lifetime
- lifetime for user SAs
- manual versus signaled
- negotiating transforms
- operational VR
- outbound SAs 1, 2
- per IPsec policy type
- perfect forward secrecy (PFS) 1, 2
- transform combinations supported
- transform sets 1, 2
- transforms supported
- transport VR 1, 2
- IPsec transport local profile commands
- IPsec transport profile commands 1, See also show ipsec transport commands
- IPsec tunnel profile commands
- IPsec tunnel profiles
- IPv6
J
K
- keepalive messages, NAT-T
- key-string command
- keys, public
- displaying on router
- format of
- obtaining without digital certificates 1, 2
L
- L2C (Layer 2 Control) See ANCP (Access Node Control Protocol)
- L2F, reassembly of tunnel packets
- L2TP (Layer 2 Tunneling Protocol)
- l2tp commands
- l2tp destination profile 1, 2
- l2tp ignore-receive-data-sequencing
- L2TP RWS (receive window size)
- L2TP with IPsec 1, 2
- client software supported
- compatibility
- configuring
- client PC
- E Series router 1, 2
- IPsec transport profiles
- L2TP destination profiles 1, 2
- single-shot tunnels
- control and data frames
- group preshared key
- how it works
- LNS change of port
- monitoring
- NAT interactions
- overview 1, 2
- references
- requirements
- setting up secure connection
- tunnel creation
- with PPP
- license commands
- lifetime, IPsec 1, 2
- limiting translation entries
- loopback interfaces 1, 2
M
- manual IPsec interfaces
- manuals
- map tag, route map
- match commands 1
- max-interfaces command 1, 2
- Mobile IP home agent
- AAA
- agent discovery
- authentication
- clearing the binding details from binding table
- configuration prerequisites
- configuring
- home address assignment
- licensing
- monitoring
- monitoring the binding table information
- monitoring the configuration information
- monitoring the configuration of all or specified mobile nodes or domain users
- monitoring the interface profile name
- monitoring the license key
- monitoring the protocol statistics
- monitoring the security associations configured for all foreign agents
- monitoring the security associations configured on all mobile node hosts
- overview
- platform considerations
- references
- registration
- routing and forwarding
- security associations
- subscriber management
- MTU (maximum transmission unit)
N
- NAT (Network Address Translation)
- access list rules, creating
- address pools, defining
- address translation
- bidirectional
- configuration examples
- configuration types
- configuring
- dynamic address translation, defining
- dynamic inside source translation, creating
- dynamic outside source translation, creating
- interfaces, specifying inside and outside
- license
- monitoring
- NAT-T
- overview
- passthrough mode
- references
- static address translation, defining
- terms 1
- timeouts, defining
- translation entries, limiting
- translation rules, defining
- translations, clearing
- NAT-T (Network Address Translation Traversal)
- neighbor commands
- Network Address Translation Traversal. See NAT-T
- Network Address Translation. See NAT
- next-hop routers
- notice icons
- null interface
O
- OSPF (Open Shortest Path First)
P
- peer public keys
- displaying on router
- obtaining without digital certificates 1, 2
- perfect forward secrecy
- platform considerations
- preventing recursive tunnels
- public keys
- displaying on router
- format of
- obtaining without digital certificates 1, 2
Q
R
- recursive tunnels, preventing
- redistribute command
- redistribution policy (IP), monitoring 1, 2
- redundancy 1
- RIP (Routing Information Protocol)
- route maps
- routing policy
- routing policy, BGP
- routing table
- routing, IP 1, See also IP
S
- secure IP interfaces
- security parameters
- sequence number, route map
- Service Modules. See SMs
- set commands 1
- shared tunnel-server ports 1, 2, 3, 4, 5, 6
- show access-list command 1, 2
- show adjustment-factor command
- show bfd session command
- show dvmrp commands
- show gre commands
- show ike commands
- show ike policy-rule
- show ike sa 1, 2
- show ip commands
- show ip flow sampling command 1, 2
- show ip mobile commands
- show ip nat commands
- show ip nat inside rule
- show ip nat outside rule
- show ip nat statistics
- show ip nat translations 1, 2
- show ipsec commands
- show ike certificates
- show ike configuration
- show ike identity
- show ipsec ca identity
- show ipsec certificates
- show ipsec identity 1, 2
- show ipsec ike-configuration
- show ipsec ike-policy-rule
- show ipsec ike-sa 1, 2
- show ipsec key mypubkey rsa
- show ipsec key pubkey-chain rsa
- show ipsec lifetime
- show ipsec local-endpoint
- show ipsec option 1, 2
- show ipsec transform-set
- show ipsec tunnel detail
- show ipsec tunnel summary
- show ipsec tunnel virtual-router
- show license ipsec-tunnels
- show ipsec transport commands
- show ipv6 commands
- show l2c commands
- show l2c
- show l2c label
- show l2c neighbor
- show l2c statistics 1, 2
- show route-map command
- single-shot tunnels
- SMs (Service modules)
- source, tunnel
- static routes 1
- static tunnels
- statistics, tunnel reassembly
- subscriber management
- support, technical See technical support
T
- table-map command
- technical support
- text and syntax conventions
- timeout periods for single-shot tunnels
- transform sets, IPsec
- transport network
- tunnel commands, IP
- tunnel commands, IPsec
- tunnel-server ports
- tunnels, IP
- tunnels, IPsec monitoring
- tunnels, single-shot
U
- UDP (User Datagram Protocol)
- updates, BGP
X
