Table of Contents

About the Documentation

E Series and JUNOSe Documentation and Release Notes

Audience

E Series and JUNOSe Text and Syntax Conventions

Obtaining Documentation

Documentation Feedback

Requesting Technical Support

Chapters

Configuring Routing Policy

Overview

Platform Considerations

References

Route Maps

Route Map Configuration Example

Multiple Values in a Match Entry

Negating Match Clauses

Matching a Community List Exactly

Removing Community Lists from a Route Map

Matching a Policy List

Redistributing Access Routes

Setting Multicast Bandwidths

Match Policy Lists

Access Lists

Filtering Prefixes

Configuration Example 1

Configuration Example 2

Configuration Example 3

Filtering AS Paths

Configuration Example 1

Using Access Lists in a Route Map

Configuration Example 1

Using Access Lists for PIM Join Filters

Clearing Access List Counters

Creating Table Maps

Using the Null Interface

Prefix Lists

Using a Prefix List

Prefix Trees

Using a Prefix Tree

Community Lists

Extended Community Lists

Using Regular Expressions

AS-path Lists

Community Lists

Community Numbers

Metacharacters

Using Metacharacters as Literal Tokens

Regular Expression Examples

Managing the Routing Table

Troubleshooting Routing Policy

Monitoring Routing Policy

Configuring NAT

Overview

Platform Considerations

Module Requirements

References

NAT Configurations

Traditional NAT

Basic NAT

NAPT

Bidirectional NAT

Twice NAT

Network and Address Terms

Inside Local Addresses

Inside Global Addresses

Outside Local Addresses

Outside Global Addresses

Understanding Address Translation

Inside Source Translation

Outside Source Translation

Address Assignment Methods

Static Translations

Dynamic Translations

Order of Operations

Inside-to-Outside Translation

Outside-to-Inside Translation

PPTP and GRE Tunneling Through NAT

Packet Discard Rules

Before You Begin

Configuring a NAT License

Limiting Translation Entries

Specifying Inside and Outside Interfaces

Defining Static Address Translations

Creating Static Inside Source Translations

Creating Static Outside Source Translations

Defining Dynamic Translations

Creating Access List Rules

Defining Address Pools

Defining Dynamic Translation Rules

Creating Dynamic Inside Source Translation Rules

Creating Dynamic Outside Source Translation Rules

Defining Translation Timeouts

Clearing Dynamic Translations

NAT Configuration Examples

NAPT Example

Bidirectional NAT Example

Twice NAT Example

Cross-VRF Example

Tunnel Configuration Through NAT Examples

Clients on an Inside Network

Clients on an Outside Network

GRE Flows Through NAT

Monitoring NAT

Displaying the NAT License Key

Displaying Translation Statistics

Displaying Translation Entries

Displaying Address Pool Information

Displaying Inside and Outside Rule Settings

Configuring J-Flow Statistics

Overview

Interface Sampling

Aggregation Caches

Flow Collection

Main Flow Cache Contents

Cache Flow Export

Aging Flows

Operation with NAT

Operation with High Availability

Platform Considerations

Before You Configure J-Flow Statistics

Configuring Flow-Based Statistics Collection

Enabling Flow-Based Statistics

Enabling Flow-Based Statistics on an Interface

Defining a Sampling Interval

Setting Cache Size

Defining Aging Timers

Specifying the Activity Timer

Specifying the Inactivity Timer

Specifying Flow Export

Configuring Aggregation Flow Caches

Monitoring J-Flow Statistics

Clearing J-Flow Statistics

J-Flow show Commands

Configuring BFD

Bidirectional Forwarding Detection Overview

How BFD Works

Negotiation of the BFD Liveness Detection Interval

BFD Platform Considerations

BFD References

Configuring a BFD License

BFD Version Support

Configuring BFD

Managing BFD Adaptive Timer Intervals

Clearing BFD Sessions

Monitoring BFD

System Event Logs

Viewing BFD Information

Configuring IPSec

Overview

IPSec Terms and Acronyms

Platform Considerations

References

IPSec Concepts

Secure IP Interfaces

RFC 2401 Compliance

IPSec Protocol Stack

Security Parameters

Manual Versus Signaled Interfaces

Operational Virtual Router

Transport Virtual Router

Transport VR Definition

Transport VR Definitions with an FQDN

Perfect Forward Secrecy

Lifetime

Inbound and Outbound SAs

Transform Sets

Encapsulation Protocols

Encapsulation Modes

Supported Transforms

Negotiating Transforms

Other Security Features

IP Security Policies

ESP Processing

AH Processing

IPSec Maximums Supported

DPD and IPSec Tunnel Failover

Tunnel Failover

IKE Overview

Main Mode and Aggressive Mode

Aggressive Mode Negotiations

IKE Policies

Priority

Encryption

Hash Function

Authentication Mode

Diffie-Hellman Group

Lifetime

IKE SA Negotiation

Generating Private and Public Key Pairs

Configuration Tasks

Configuring an IPSec License

Configuring IPSec Parameters

Creating an IPSec Tunnel

Configuring DPD and IPSec Tunnel Failover

Defining an IKE Policy

Refreshing SAs

Enabling Notification of Invalid Cookies

Configuration Examples

Configuration Notes

Monitoring IPSec

System Event Logs

show Commands

Configuring Dynamic IPSec Subscribers

Overview

Dynamic Connection Setup

Dynamic Connection Teardown

Dynamic IPSec Subscriber Recognition

Licensing Requirements

Inherited Subscriber Functionality

Using IPSec Tunnel Profiles

Relocating Tunnel Interfaces

User Authentication

Platform Considerations

References

Creating an IPSec Tunnel Profile

Configuring IPSec Tunnel Profiles

Limiting Interface Instantiations on Each Profile

Specifying IKE Settings

Setting the IKE Local Identity

Setting the IKE Peer Identity

Appending a Domain Suffix to a Username

Overriding IPSec Local and Peer Identities for SA Negotiations

Specifying an IP Profile for IP Interface Instantiations

Defining the Server IP Address

Specifying Local Networks

Defining IPSec Security Association Lifetime Parameters

Defining User Reauthentication Protocol Values

Specifying IPSec Security Association Transforms

Specifying IPSec Security Association PFS and DH Group Parameters

Defining the Tunnel MTU

Defining IKE Policy Rules for IPSec Tunnels

Specifying a Virtual Router for an IKE Policy Rule

Defining Aggressive Mode for an IKE Policy Rule

Monitoring IPSec Tunnel Profiles

System Event Logs

show Commands

Configuring ANCP

Overview

Access Topology Discovery

Line Configuration

Transactional Multicast

OAM

Retrieval of DSL Line Rate Parameters

Platform Considerations

References

Configuring ANCP

Creating a Listening TCP Socket for ANCP

Accessing L2C Configuration Mode for ANCP

Defining the ANCP Session Timeout

Configuring ANCP Interfaces

Configuring ANCP Neighbors

Accessing L2C Neighbor Configuration Mode for ANCP

Defining an ANCP Neighbor

Limiting Discovery Table Entries

Clearing ANCP Neighbors

Configuring Topology Discovery

Configuring ANCP for QoS Adaptive Mode

Triggering ANCP Line Configuration

Adjusting the Data Rate Reported by ANCP for DSL Lines

Configuring Transactional Multicast for IGMP

Creating an IGMP Session for ANCP

ANCP IGMP Configuration Example

Complete Configuration Example

Triggering ANCP OAM

Monitoring ANCP

Configuring Digital Certificates

Overview

Digital Certificate Terms and Acronyms

Platform Considerations

References

IKE Authentication with Digital Certificates

Signature Authentication

Generating Public/Private Key Pairs

Obtaining a Root CA Certificate

Obtaining a Public Key Certificate

Offline Certificate Enrollment

Online Certificate Enrollment

Authenticating the Peer

Verifying CRLs

File Extensions

Certificate Chains

IKE Authentication Using Public Keys Without Digital Certificates

Configuration Tasks

Public Key Format

Configuring Digital Certificates Using the Offline Method

Configuring Digital Certificates Using the Online Method

Configuring Peer Public Keys Without Digital Certificates

Monitoring Digital Certificates and Public Keys

Configuring IP Tunnels

Overview

GRE Tunnels

DVMRP Tunnels

Platform Considerations

Module Requirements

ERX7xx Models, ERX14xx Models, and the ERX310 Router

E120 Router and E320 Router

Redundancy and Tunnel Distribution

References

Configuration Tasks

Configuration Example

Configuring IP Tunnels to Forward IP Frames

Preventing Recursive Tunnels

Creating Multicast VPNs Using GRE Tunnels

Monitoring IP Tunnels

Configuring Dynamic IP Tunnels

Dynamic IP Tunnel Overview

Data MDT for Multicast VPNs and Dynamic IP Tunnels

Mobile IP and Dynamic IP Tunnels

Combining Dynamic and Static IP Tunnels in the Same Chassis

Changing and Removing Existing Dynamic IP Tunnels

Platform Considerations

Module Requirements

ERX7xx Models, ERX14xx Models, and the ERX310 Router

E120 Router and E320 Router

Redundancy and Tunnel Distribution

References

Configuring a Destination Profile for Dynamic IP Tunnels

Modifying the Default Destination Profile

Modifying the Configuration of the Default Destination Profile

Configuring a Destination Profile for GRE Tunnels

Creating a Destination Profile for DVMRP Tunnels

Monitoring Dynamic IP Tunnels

IP Reassembly for Tunnels

Overview

Platform Considerations

Module Requirements

ERX7xx Models, ERX14xx Models, and the ERX310 Router

E120 Router and E320 Router

Configuring IP Reassembly

Monitoring IP Reassembly

Setting Statistics Baselines

Displaying Statistics

Securing L2TP and IP Tunnels with IPSec

Overview

Tunnel Creation

IPSec Secured-Tunnel Maximums

Platform Considerations

Module Requirements

References

L2TP/IPSec Tunnels

Setting Up the Secure L2TP Connection

L2TP with IPSec Control and Data Frames

Compatibility and Requirements

Client Software Supported

Interactions with NAT

Interaction Between IPSec and PPP

LNS Change of Port

Group Preshared Key

NAT Passthrough Mode

NAT Traversal

How NAT-T Works

UDP Encapsulation

UDP Statistics

NAT Keepalive Messages

Configuring and Monitoring NAT-T

Single-Shot Tunnels

Configuration Tasks for Client PC

Configuration Tasks for E Series Routers

Enabling IPSec Support for L2TP

Configuring NAT-T

Configuring Single-Shot Tunnels

GRE/IPSec and DVMRP/IPSec Tunnels

Setting Up the Secure GRE or DVMRP Connection

Configuration Tasks

Enabling IPSec Support for GRE and DVMRP Tunnels

Configuring IPSec Transport Profiles

Monitoring DVMRP/IPSec, GRE/IPSec, and L2TP/IPSec Tunnels

System Event Logs

show Commands

Configuring the Mobile IP Home Agent

Mobile IP Overview

Mobile IP Agent Discovery

Mobile IP Registration

Home Address Assignment

Authentication

AAA

Subscriber Management

Mobile IP Routing and Forwarding

Mobile IP Platform Considerations

Mobile IP References

Before You Configure the Mobile IP Home Agent

Configuring the Mobile IP Home Agent

Monitoring the Mobile IP Home Agent

Index

Index

Copyright © 2009, Juniper Networks, Inc. All rights reserved. Trademark Notice.