Table of Contents

About This Guide
Objectives
Audience
E-series Routers
Documentation Conventions
Related E-series and JUNOSe Documentation
E-series and JUNOSe Documents
JUNOSe Configuration Guides
Obtaining Documentation
Documentation Feedback
Requesting Technical Support
Self-Help Online Tools and Resources
Opening a Case with JTAC
Configuring Routing Policy
Overview
Platform Considerations
References
Route Maps
Route Map Configuration Example
Multiple Values in a Match Entry
Negating Match Clauses
Matching a Community List Exactly
Removing Community Lists from a Route Map
Matching a Policy List
Redistributing Access Routes
Setting Multicast Bandwidths
Match Policy Lists
Access Lists
Filtering Prefixes
Configuration Example 1
Configuration Example 2
Configuration Example 3
Filtering AS Paths
Configuration Example 1
Using Access Lists in a Route Map
Configuration Example 1
Using Access Lists for PIM Join Filters
Clearing Access List Counters
Creating Table Maps
Using the Null Interface
Prefix Lists
Using a Prefix List
Prefix Trees
Using a Prefix Tree
Community Lists
Extended Community Lists
Using Regular Expressions
AS-path Lists
Community Lists
Community Numbers
Metacharacters
Using Metacharacters as Literal Tokens
Regular Expression Examples
Managing the Routing Table
Troubleshooting Routing Policy
Monitoring Routing Policy
Configuring Firewall
Overview
Denial-of-Service Attacks
About Stateless Access Control
Understanding Stateful Access Control
TCP Support
UDP Support
ICMP Support
Inspection List and Half-Open Connection Support
Application-Level Inspection Support
Audit Trails
Safe IP Fragmentation
DMZ Support
Platform Considerations
Module Requirements
Configuring a Firewall License
Configuring Stateless Firewall
Configuring Stateful Access Control
Defining Flow Timeout Values
Limiting the Number of Half-Open Sessions
Defining Alert Status and Audit Trails
Creating and Adding to an Inspection List
Associating an Inspection List with an Interface
Monitoring Stateful Firewall
System Event Logs
Establishing a Baseline for Firewall Statistics
Viewing Firewall Information
Configuring NAT
Overview
Platform Considerations
Module Requirements
References
NAT Configurations
Traditional NAT
Basic NAT
NAPT
Bidirectional NAT
Twice NAT
Network and Address Terms
Inside Local Addresses
Inside Global Addresses
Outside Local Addresses
Outside Global Addresses
Understanding Address Translation
Inside Source Translation
Outside Source Translation
Address Assignment Methods
Static Translations
Dynamic Translations
Order of Operations
Inside-to-Outside Translation
Outside-to-Inside Translation
PPTP and GRE Tunneling Through NAT
Packet Discard Rules
Before You Begin
Configuring a NAT License
Limiting Translation Entries
Specifying Inside and Outside Interfaces
Defining Static Address Translations
Creating Static Inside Source Translations
Creating Static Outside Source Translations
Defining Dynamic Translations
Creating Access List Rules
Defining Address Pools
Defining Dynamic Translation Rules
Creating Dynamic Inside Source Translation Rules
Creating Dynamic Outside Source Translation Rules
Defining Translation Timeouts
Clearing Dynamic Translations
NAT Configuration Examples
NAPT Example
Bidirectional NAT Example
Twice NAT Example
Cross-VRF Example
Tunnel Configuration Through NAT Examples
Clients on an Inside Network
Clients on an Outside Network
GRE Flows Through NAT
Monitoring NAT
Displaying the NAT License Key
Displaying Translation Statistics
Displaying Translation Entries
Displaying Address Pool Information
Displaying Inside and Outside Rule Settings
Configuring J-Flow Statistics
Overview
Interface Sampling
Aggregation Caches
Flow Collection
Main Flow Cache Contents
Cache Flow Export
Aging Flows
Operation with NAT
Operation with High Availability
Platform Considerations
Before You Configure J-Flow Statistics
Configuring Flow-Based Statistics Collection
Enabling Flow-Based Statistics
Enabling Flow-Based Statistics on an Interface
Defining a Sampling Interval
Setting Cache Size
Defining Aging Timers
Specifying the Activity Timer
Specifying the Inactivity Timer
Specifying Flow Export
Configuring Aggregation Flow Caches
Monitoring J-Flow Statistics
Clearing J-Flow Statistics
J-Flow show Commands
Configuring BFD
Overview
How BFD Works
Negotiation of the BFD Liveness Detection Interval
Platform Considerations
References
Configuring a BFD License
BFD Version Support
Configuring BFD
Managing BFD Adaptive Timer Intervals
Clearing BFD Sessions
Monitoring BFD
System Event Logs
Viewing BFD Information
Configuring IPSec
Overview
IPSec Terms and Acronyms
Platform Considerations
References
IPSec Concepts
Secure IP Interfaces
RFC 2401 Compliance
IPSec Protocol Stack
Security Parameters
Manual Versus Signaled Interfaces
Operational Virtual Router
Transport Virtual Router
Transport VR Definition
Transport VR Definitions with an FQDN
Perfect Forward Secrecy
Lifetime
Inbound and Outbound SAs
Transform Sets
Encapsulation Protocols
Encapsulation Modes
Supported Transforms
Negotiating Transforms
Other Security Features
IP Security Policies
ESP Processing
AH Processing
IPSec Maximums Supported
DPD and IPSec Tunnel Failover
Tunnel Failover
IKE Overview
Main Mode and Aggressive Mode
Aggressive Mode Negotiations
IKE Policies
Priority
Encryption
Hash Function
Authentication Mode
Diffie-Hellman Group
Lifetime
IKE SA Negotiation
Generating Private and Public Key Pairs
Configuration Tasks
Configuring an IPSec License
Configuring IPSec Parameters
Creating an IPSec Tunnel
Configuring DPD and IPSec Tunnel Failover
Defining an IKE Policy
Refreshing SAs
Enabling Notification of Invalid Cookies
Configuration Examples
Configuration Notes
Monitoring IPSec
System Event Logs
show Commands
Configuring Dynamic IPSec Subscribers
Overview
Dynamic Connection Setup
Dynamic Connection Teardown
Dynamic IPSec Subscriber Recognition
Licensing Requirements
Inherited Subscriber Functionality
Using IPSec Tunnel Profiles
Relocating Tunnel Interfaces
User Authentication
Platform Considerations
References
Creating an IPSec Tunnel Profile
Configuring IPSec Tunnel Profiles
Limiting Interface Instantiations on Each Profile
Specifying IKE Settings
Setting the IKE Local Identity
Setting the IKE Peer Identity
Appending a Domain Suffix to a Username
Overriding IPSec Local and Peer Identities for SA Negotiations
Specifying an IP Profile for IP Interface Instantiations
Defining the Server IP Address
Specifying Local Networks
Defining IPSec Security Association Lifetime Parameters
Defining User Reauthentication Protocol Values
Specifying IPSec Security Association Transforms
Specifying IPSec Security Association PFS and DH Group Parameters
Defining the Tunnel MTU
Defining IKE Policy Rules for IPSec Tunnels
Specifying a Virtual Router for an IKE Policy Rule
Defining Aggressive Mode for an IKE Policy Rule
Monitoring IPSec Tunnel Profiles
System Event Logs
show Commands
Configuring ANCP
Overview
Access Topology Discovery
Line Configuration
Transactional Multicast
OAM
Platform Considerations
References
Configuring ANCP
Creating a Listening TCP Socket for ANCP
Accessing L2C Configuration Mode for ANCP
Defining the ANCP Session Timeout
Configuring ANCP Interfaces
Configuring ANCP Neighbors
Accessing L2C Neighbor Configuration Mode for ANCP
Defining an ANCP Neighbor
Limiting Discovery Table Entries
Clearing ANCP Neighbors
Configuring Topology Discovery
Configuring ANCP for QoS Adaptive Mode
Triggering ANCP Line Configuration
Adjusting the Data Rate Reported by ANCP for DSL Lines
Configuring Transactional Multicast for IGMP
Creating an IGMP Session for ANCP
ANCP IGMP Configuration Example
Complete Configuration Example
Triggering ANCP OAM
Monitoring ANCP
Configuring Digital Certificates
Overview
Digital Certificate Terms and Acronyms
Platform Considerations
References
IKE Authentication with Digital Certificates
Signature Authentication
Generating Public/Private Key Pairs
Obtaining a Root CA Certificate
Obtaining a Public Key Certificate
Offline Certificate Enrollment
Online Certificate Enrollment
Authenticating the Peer
Verifying CRLs
File Extensions
Certificate Chains
IKE Authentication Using Public Keys Without Digital Certificates
Configuration Tasks
Public Key Format
Configuring Digital Certificates Using the Offline Method
Configuring Digital Certificates Using the Online Method
Configuring Peer Public Keys Without Digital Certificates
Monitoring Digital Certificates and Public Keys
Configuring IP Tunnels
Overview
GRE Tunnels
DVMRP Tunnels
Platform Considerations
Module Requirements
ERX-7xx Models, ERX-14xx Models, and the ERX-310 Router
E120 Router and E320 Router
Redundancy and Tunnel Distribution
References
Configuration Tasks
Configuration Example
Configuring IP Tunnels to Forward IP Frames
Preventing Recursive Tunnels
Creating Multicast VPNs Using GRE Tunnels
Monitoring IP Tunnels
Configuring Dynamic IP Tunnels
Dynamic IP Tunnel Overview
Data MDT for Multicast VPNs and Dynamic IP Tunnels
Mobile IP and Dynamic IP Tunnels
Combining Dynamic and Static IP Tunnels in the Same Chassis
Changing and Removing Existing Dynamic IP Tunnels
Platform Considerations
Module Requirements
ERX-7xx Models, ERX-14xx Models, and the ERX-310 Router
E120 Router and E320 Router
Redundancy and Tunnel Distribution
References
Configuring a Destination Profile for Dynamic IP Tunnels
Modifying the Default Destination Profile
Modifying the Configuration of the Default Destination Profile
Configuring a Destination Profile for GRE Tunnels
Creating a Destination Profile for DVMRP Tunnels
Monitoring Dynamic IP Tunnels
IP Reassembly for Tunnels
Overview
Platform Considerations
Module Requirements
ERX-7xx Models, ERX-14xx Models, and the ERX-310 Router
E120 Router and E320 Router
Configuring IP Reassembly
Monitoring IP Reassembly
Setting Statistics Baselines
Displaying Statistics
Securing L2TP and IP Tunnels with IPSec
Overview
Tunnel Creation
IPSec Secured-Tunnel Maximums
Platform Considerations
Module Requirements
References
L2TP/IPSec Tunnels
Setting Up the Secure L2TP Connection
L2TP with IPSec Control and Data Frames
Compatibility and Requirements
Client Software Supported
Interactions with NAT
Interaction Between IPSec and PPP
LNS Change of Port
Group Preshared Key
NAT Passthrough Mode
NAT Traversal
How NAT-T Works
UDP Encapsulation
UDP Statistics
NAT Keepalive Messages
Configuring and Monitoring NAT-T
Single-Shot Tunnels
Configuration Tasks for Client PC
Configuration Tasks for E-series Routers
Enabling IPSec Support for L2TP
Configuring NAT-T
Configuring Single-Shot Tunnels
GRE/IPSec and DVMRP/IPSec Tunnels
Setting Up the Secure GRE or DVMRP Connection
Configuration Tasks
Enabling IPSec Support for GRE and DVMRP Tunnels
Configuring IPSec Transport Profiles
Monitoring DVMRP/IPSec, GRE/IPSec, and L2TP/IPSec Tunnels
System Event Logs
show Commands
Configuring VRRP
Overview
VRRP Terms
Platform Considerations
References
How VRRP Works
Configuration Examples
Basic VRRP Configuration
Commonly Used VRRP Configuration
VRRP Configuration Without the Real Address Owner
How VRRP Is Implemented in E-series Routers
Router Election Rules
Configuring VRRP
Configuring the IP Interface
Creating VRIDs
Configuration Steps
Changing Object Priority
Monitoring VRRP
Configuring the Mobile IP Home Agent
Mobile IP Overview
Mobile IP Agent Discovery
Mobile IP Registration
Home Address Assignment
Authentication
AAA
Subscriber Management
Mobile IP Routing and Forwarding
Mobile IP Platform Considerations
Mobile IP References
Before You Configure the Mobile IP Home Agent
Configuring the Mobile IP Home Agent
Monitoring the Mobile IP Home Agent
Index