Junos® OS Services Interfaces Configuration Guide

Release 11.4

Published: 2011-11-14

Copyright © 2011, Juniper Networks, Inc.

Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, California 94089 USA
408-745-2000
www.juniper.net

This product includes the Envoy SNMP Engine, developed by Epilogue Technology, an Integrated Systems Company. Copyright © 1986-1997, Epilogue Technology Corporation. All rights reserved. This program and its documentation were developed at private expense, and no part of them is in the public domain.

This product includes memory allocation software developed by Mark Moraes, copyright © 1988, 1989, 1993, University of Toronto.

This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentation and software included in the 4.4BSD and 4.4BSD-Lite Releases is copyrighted by the Regents of the University of California. Copyright © 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994. The Regents of the University of California. All rights reserved.

GateD software copyright © 1995, the Regents of the University. All rights reserved. Gate Daemon was originated and developed through release 3.0 by Cornell University and its collaborators. Gated is based on Kirton’s EGP, UC Berkeley’s routing daemon (routed), and DCN’s HELLO routing protocol. Development of Gated has been supported in part by the National Science Foundation. Portions of the GateD software copyright © 1988, Regents of the University of California. All rights reserved. Portions of the GateD software copyright © 1991, D. L. S. Associates.

This product includes software developed by Maker Communications, Inc., copyright © 1996, 1997, Maker Communications, Inc.

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.

Junos OS Services Interfaces Configuration Guide
Release 11.4
Copyright © 2011, Juniper Networks, Inc. All rights reserved.

Revision History
November 2011—R1 Junos OS 11.4

The information in this document is current as of the date listed in the revision history.

YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.


END USER LICENSE AGREEMENT

The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.


Abbreviated Table of Contents

About This Guide ... xlvii

Part 1  Overview
Chapter 1  Services Interfaces Overview ... 3
Chapter 2  Services Interfaces Configuration Statements ... 5

Part 2  Adaptive Services
Chapter 3  Adaptive Services Overview ... 37
Chapter 4  Applications Configuration Guidelines ... 71
Chapter 5  Summary of Applications Configuration Statements ... 103
Chapter 6  Stateful Firewall Services Configuration Guidelines ... 113
Chapter 7  Summary of Stateful Firewall Configuration Statements ... 123
Chapter 8  Stateful Firewall on the Embedded Junos OS Platform Configuration Guidelines ... 135
Chapter 9  Summary of Stateful Firewall on the Embedded Junos OS Platform Configuration Statements ... 139
Chapter 10  Carrier-Grade NAT Configuration Guidelines ... 149
Chapter 11  Summary of Carrier-Grade NAT Configuration Statements ... 239
Chapter 12  Load Balancing Configuration Guidelines ... 271
Chapter 13  Summary of Load Balancing Configuration Statements ... 277
Chapter 14  Intrusion Detection Service Configuration Guidelines ... 289
Chapter 15  Summary of Intrusion Detection Service Configuration Statements ... 301
Chapter 16  IPsec Services Configuration Guidelines ... 323
Chapter 17  Summary of IPsec Services Configuration Statements ... 377
Chapter 18  Layer 2 Tunneling Protocol Services Configuration Guidelines ... 413
Chapter 19  Summary of Layer 2 Tunneling Protocol Configuration Statements ... 431
Chapter 20  Link Services IQ Interfaces Configuration Guidelines ... 447
Chapter 21  Summary of Link Services IQ Configuration Statements ... 509
Chapter 22  Voice Services Configuration Guidelines ... 521
Chapter 23  Summary of Voice Services Configuration Statements ... 531
Chapter 24  Class-of-Service Configuration Guidelines ... 541
Chapter 25  Summary of Class-of-Service Configuration Statements ... 551
Chapter 26  Service Set Configuration Guidelines ... 567


Chapter 27  Summary of Service Set Configuration Statements ... 585
Chapter 28  Service Interface Configuration Guidelines ... 611
Chapter 29  Summary of Service Interface Configuration Statements ... 625
Chapter 30  PGCP Configuration Guidelines for the BGF Feature ... 643
Chapter 31  Summary of PGCP Configuration Statements ... 649
Chapter 32  Service Interface Pools Configuration Guidelines ... 751
Chapter 33  Summary of Service Interface Pools Statements ... 753
Chapter 34  Border Signaling Gateway Configuration Guidelines ... 755
Chapter 35  Summary of Border Signaling Gateway Configuration Statements ... 761
Chapter 36  PTSP Configuration Guidelines ... 841
Chapter 37  Summary of PTSP Configuration Statements ... 843
Chapter 38  Softwire Configuration Guidelines ... 865
Chapter 39  Summary of Softwire Configuration Statements ... 883

Part 3  Dynamic Application Awareness for Junos OS
Chapter 40  Dynamic Application Awareness for Junos OS Overview ... 893
Chapter 41  Application Identification Configuration Guidelines ... 901
Chapter 42  Summary of Application Identification Configuration Statements ... 919
Chapter 43  Application-Aware Access List Configuration Guidelines ... 955
Chapter 44  Summary of AACL Configuration Statements ... 963
Chapter 45  Local Policy Decision Function Configuration Guidelines ... 975
Chapter 46  Summary of L-PDF Configuration Statements ... 981

Part 4  Encryption Services
Chapter 47  Encryption Overview ... 993
Chapter 48  Encryption Interfaces Configuration Guidelines ... 995
Chapter 49  Summary of Encryption Configuration Statements ... 1005

Part 5  Flow Monitoring and Discard Accounting Services
Chapter 50  Flow Monitoring and Discard Accounting Overview ... 1015
Chapter 51  Flow Monitoring and Discard Accounting Configuration Guidelines ... 1019
Chapter 52  Summary of Flow-Monitoring Configuration Statements ... 1087
Chapter 53  Flow Collection Configuration Guidelines ... 1159
Chapter 54  Summary of Flow Collection Configuration Statements ... 1171
Chapter 55  Dynamic Flow Capture Configuration Guidelines ... 1189
Chapter 56  Flow-Tap Configuration Guidelines ... 1201
Chapter 57  Summary of Dynamic Flow Capture and Flow-Tap Configuration Statements ... 1209


Part 6  Link and Multilink Services
Chapter 58  Link and Multilink Services Overview ... 1229
Chapter 59  Link and Multilink Services Configuration Guidelines ... 1233
Chapter 60  Summary of Multilink and Link Services Configuration Statements ... 1271

Part 7  Real-Time Performance Monitoring Services
Chapter 61  Real-Time Performance Monitoring Services Overview ... 1297
Chapter 62  Real-Time Performance Monitoring Configuration Guidelines ... 1299
Chapter 63  Summary of Real-Time Performance Monitoring Configuration Statements ... 1319

Part 8  Tunnel Services
Chapter 64  Tunnel Services Overview ... 1351
Chapter 65  Tunnel Interfaces Configuration Guidelines ... 1355
Chapter 66  Summary of Tunnel Services Configuration Statements ... 1375

Part 9  Index
Index ... 1393
Index of Statements and Commands ... 1419


Table of Contents

About This Guide ... xlvii
    Junos Documentation and Release Notes ... xlvii
    Objectives ... xlviii
    Audience ... xlviii
    Supported Platforms ... xlviii
    Using the Indexes ... xlix
    Using the Examples in This Manual ... xlix
        Merging a Full Example ... xlix
        Merging a Snippet ... l
    Documentation Conventions ... l
    Documentation Feedback ... lii
    Requesting Technical Support ... lii
        Self-Help Online Tools and Resources ... liii
        Opening a Case with JTAC ... liii

Part 1  Overview

Chapter 1  Services Interfaces Overview ... 3
    Services PIC Types ... 3
    Supported Platforms ... 4

Chapter 2  Services Interfaces Configuration Statements ... 5
    [edit applications] Hierarchy Level ... 5
    [edit forwarding-options] Hierarchy Level ... 6
    [edit interfaces] Hierarchy Level ... 8
    [edit logical-systems] Hierarchy Level ... 12
    [edit services] Hierarchy Level ... 12

Part 2  Adaptive Services

Chapter 3  Adaptive Services Overview ... 37
    Adaptive Services Overview ... 37
    Enabling Service Packages ... 39
        Layer 2 Service Package Capabilities and Interfaces ... 43
    Services Configuration Procedure ... 44
    Packet Flow Through the Adaptive Services or Multiservices PIC ... 44
    Stateful Firewall Overview ... 45
        Stateful Firewall Support for Application Protocols ... 46
        Stateful Firewall Anomaly Checking ... 46


    Network Address Translation Overview ... 48
        Types of NAT ... 48
            NAT Concept and Facilities Overview ... 48
            IPv4-to-IPv4 Basic NAT ... 49
            NAT-PT ... 50
            Static Destination NAT ... 50
            Twice NAT ... 50
            IPv6 NAT ... 51
            NAT-PT with DNS ALG ... 51
            Dynamic NAT ... 52
            Stateful NAT64 ... 52
            Dual-Stack Lite ... 52
    Tunneling Services for IPv4-to-IPv6 Transition Overview ... 53
        6to4 Overview ... 54
            Basic 6to4 ... 54
            6to4 Anycast ... 54
            6to4 Provider-Managed Tunnels ... 55
        DS-Lite Softwires—IPv4 over IPv6 ... 55
        6rd Softwires—IPv6 over IPv4 ... 56
    IPsec Overview ... 57
        IPsec ... 57
        Security Associations ... 57
        IKE ... 58
        Comparison of IPsec Services and ES Interface Configuration ... 58
    Layer 2 Tunneling Protocol Overview ... 59
    Voice Services Overview ... 60
    Class of Service Overview ... 60
    Examples: Services Interfaces Configuration ... 61
        Example: Service Interfaces Configuration ... 61
        Example: VPN Routing and Forwarding (VRF) and Service Configuration ... 64
        Example: Dynamic Source NAT as a Next-Hop Service ... 65
        Example: NAT Between VRFs Configuration ... 67
        Example: BOOTP and Broadcast Addresses ... 70

Chapter 4  Applications Configuration Guidelines ... 71
    Configuring Application Protocol Properties ... 72
        Configuring an Application Protocol ... 72
        Configuring the Network Protocol ... 74
        Configuring the ICMP Code and Type ... 75
        Configuring Source and Destination Ports ... 77
        Configuring the Inactivity Timeout Period ... 80
        Configuring an SNMP Command for Packet Matching ... 80
        Configuring an RPC Program Number ... 80
        Configuring the TTL Threshold ... 80
        Configuring a Universal Unique Identifier ... 81
    Configuring Application Sets ... 81
    ALG Descriptions ... 81
        Basic TCP ALG ... 82
        Basic UDP ALG ... 82


        BOOTP ... 83
        DCE RPC Services ... 83
        ONC RPC Services ... 83
        FTP ... 83
        ICMP ... 84
        NetShow ... 84
        RPC and RPC Portmap Services ... 84
        RTSP ... 86
        SMB ... 86
        SNMP ... 86
        SQLNet ... 87
        TFTP ... 87
        Traceroute ... 87
        UNIX Remote-Shell Services ... 87
    Verifying the Output of ALG Sessions ... 88
        FTP Example ... 88
            Sample Output ... 88
            FTP System Log Messages ... 89
            Analysis ... 90
            Troubleshooting Questions ... 90
        RTSP ALG Example ... 91
            Sample Output ... 91
            Analysis ... 91
            Troubleshooting Questions ... 91
        System Log Messages ... 93
            System Log Configuration ... 93
            System Log Output ... 94
    Junos Default Groups ... 94
        Examples: Referencing the Preset Statement from the Junos Default Group ... 99
    Examples: Configuring Application Protocols ... 101

Chapter 5  Summary of Applications Configuration Statements ... 103
    application ... 103
    application-protocol ... 104
    application-set ... 105
    applications ... 105
    destination-port ... 106
    icmp-code ... 106
    icmp-type ... 107
    inactivity-timeout ... 107
    learn-sip-register ... 108
    protocol ... 109
    rpc-program-number ... 110
    sip-call-hold-timeout ... 110
    snmp-command ... 111
    source-port ... 111
    ttl-threshold ... 112
    uuid ... 112


Chapter 6  Stateful Firewall Services Configuration Guidelines ... 113
    Configuring Stateful Firewall Rules ... 114
        Configuring Match Direction for Stateful Firewall Rules ... 114
        Configuring Match Conditions in Stateful Firewall Rules ... 115
        Configuring Actions in Stateful Firewall Rules ... 116
            Configuring IP Option Handling ... 117
    Configuring Stateful Firewall Rule Sets ... 118
    Examples: Configuring Stateful Firewall Rules ... 118

Chapter 7  Summary of Stateful Firewall Configuration Statements ... 123
    allow-ip-options ... 124
    application-sets ... 125
    applications ... 125
    destination-address ... 126
    destination-address-range ... 126
    destination-prefix-list ... 127
    from ... 128
    match-direction ... 128
    rule ... 129
    rule-set ... 130
    services ... 130
    source-address ... 131
    source-address-range ... 131
    source-prefix-list ... 132
    syslog ... 132
    term ... 133
    then ... 134

Chapter 8  Stateful Firewall on the Embedded Junos OS Platform Configuration Guidelines ... 135
    Loading the Stateful Firewall Plug-In ... 135
    Configuring Memory for the Stateful Firewall Plug-In ... 137
    Configuring rsh, rlogin, rexec for Stateful Firewall ... 137

Chapter 9  Summary of Stateful Firewall on the Embedded Junos OS Platform Configuration Statements ... 139
    control-cores ... 139
    data-cores ... 140
    data-flow-affinity ... 140
    destination ... 141
    extension-provider ... 142
    forwarding-db-size ... 143
    hash-key ... 144
    object-cache-size ... 145
    package (Loading on PIC) ... 145
    policy-db-size ... 146
    syslog ... 147
    wired-process-mem-size ... 148


Chapter 10  Carrier-Grade NAT Configuration Guidelines ... 149
    Configuring Addresses and Ports for Use in NAT Rules ... 151
        Configuring Pools of Addresses and Ports ... 151
            Preserve Range and Preserve Parity ... 152
        Configuring Address Pools for Network Address Port Translation ... 152
            Round-Robin Allocation ... 153
            Port Block Allocation ... 153
            Sequential ... 154
            Additional Options for NAPT ... 154
        Specifying Destination and Source Prefixes ... 155
        Requirements for NAT Addresses ... 155
    Configuring NAT Rules ... 156
        Configuring Match Direction for NAT Rules ... 157
        Configuring Match Conditions in NAT Rules ... 158
        Configuring Actions in NAT Rules ... 159
    Configuring NAT Rule Sets ... 161
    Configuring Static Source Translation in IPv4 Networks ... 162
        Configuring the NAT Pool and Rule ... 162
        Configuring the Service Set for NAT ... 163
        Configuring Trace Options ... 164
    Configuring Static Source Translation in IPv6 Networks ... 165
        Configuring the NAT Pool and Rule ... 165
        Configuring the Service Set for NAT ... 167
        Configuring Trace Options ... 167
    Configuring Dynamic Source Address and Port Translation in IPv4 Networks ... 168
        Configuring Advanced Options for Dynamic Source Address and Port Translation in IPv4 Networks ... 170
    Configuring Dynamic Source Address and Port Translation for IPv6 Networks ... 173
    Configuring Dynamic Address-Only Source Translation in IPv4 Networks ... 174
    Configuring Static Destination Address Translation in IPv4 Networks ... 177
    Configuring Port Forwarding for Static Destination Address Translation ... 179
    Configuring Translation Type for Translation Between IPv6 and IPv4 Networks ... 182
        Configuring the DNS ALG Application ... 182
        Configuring the NAT Pool and NAT Rule ... 183
        Configuring the Service Set for NAT ... 186
        Configuring Trace Options ... 187
    Configuring NAT-PT ... 187
        Configuring Dynamic Source Address and Static Destination Address Translation (IPv6 to IPv4) ...
164 Configuring Static Source Translation in IPv6 Networks . . . . . . . . . . . . . . . . . . . . 165 Configuring the NAT Pool and Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165 Configuring the Service Set for NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167 Configuring Trace Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167 Configuring Dynamic Source Address and Port Translation in IPv4 Networks . . 168 Configuring Advanced Options for Dynamic Source Address and Port Translation in IPv4 Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170 Configuring Dynamic Source Address and Port Translation for IPv6 Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173 Configuring Dynamic Address-Only Source Translation in IPv4 Networks . . . . . . 174 Configuring Static Destination Address Translation in IPv4 Networks . . . . . . . . . 177 Configuring Port Forwarding for Static Destination Address Translation . . . . . . . 179 Configuring Translation Type for Translation Between IPv6 and IPv4 Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182 Configuring the DNS ALG Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182 Configuring the NAT Pool and NAT Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183 Configuring the Service Set for NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186 Configuring Trace Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187 Configuring NAT-PT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187 Configuring Dynamic Source Address and Static Destination Address Translation (IPv6 to IPV4) . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . 189 Configuring Port Forwarding for Static Destination Address Translation . . . . . . . 190 Examples: Configuring NAT Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193 Example: Configuring Static Source Translation . . . . . . . . . . . . . . . . . . . . . . 193 Example: Configuring Static Source Translation in an IPv4 Network . . . 193 Example: Configuring Static Source Translation in an IPv6 Network . . . 194
      Example: Configuring Static Source Translation with Multiple Prefixes and Address Ranges . . . . . 195
    Example: Configuring Dynamic Source Address and Port Translation . . . . . 195
      Example: Configuring Dynamic Source Address and Port Translation (NAPT) for an IPv4 Network . . . . . 196
      Example: Configuring Dynamic Source Translation for an IPv4 Network . . . . . 196
      Example: Configuring Dynamic Source Address and Port Translation for an IPv6 Network . . . . . 197
    Example: Configuring Dynamic Address-Only Source Translation . . . . . 197
      Example: Configuring Dynamic Address-Only Source Translation . . . . . 198
      Example: Configuring Dynamic Address-Only Source Translation in an IPv4 Network . . . . . 198
    Example: Configuring Static Destination Address Translation . . . . . 199
    Example: Configuring NAT in Mixed IPv4 and IPv6 Networks . . . . . 199
      Example: Configuring the Translation Type Between IPv6 and IPv4 Networks . . . . . 199
      Example: Configuring Dynamic Source Address and Static Destination Address Translation (IPv6 to IPv4) . . . . . 201
        Example: Configuring Source Dynamic and Destination Static Translation . . . . . 201
    Example: Configuring NAT-PT . . . . . 202
    Example: Configuring Port Forwarding with Twice NAT . . . . . 215
    Example: Configuring an Oversubscribed Pool with Fallback to NAPT . . . . . 216
    Example: Configuring an Oversubscribed Pool with No Fallback . . . . . 217
    Example: Assigning Addresses from a Dynamic Pool for Static Use . . . . . 217
    Example: Configuring NAT Rules Without Defining a Pool . . . . . 218
    Example: Preventing Translation of Specific Addresses . . . . . 219
    Example: Configuring NAT for Multicast Traffic . . . . . 219
      Rendezvous Point Configuration . . . . . 219
      Router 1 Configuration . . . . . 222
  Example: NAT 44 CGN Configurations . . . . . 223
  Example: NAT Between VRFs Configuration . . . . . 226
  Example: Configuring Stateful NAT64 for Handling IPv4 Address Depletion . . . . . 229

Chapter 11

Summary of Carrier-Grade NAT Configuration Statements . . . . . 239
  address . . . . . 239
  address-allocation . . . . . 240
  address-pooling . . . . . 240
  address-range . . . . . 241
  application-sets . . . . . 241
  applications . . . . . 242
  destination-address . . . . . 242
  destination-address-range . . . . . 243
  destination-pool . . . . . 243
  destination-port range . . . . . 244
  destination-prefix . . . . . 244
  destination-prefix-list . . . . . 245
  destined-port . . . . . 245
  dns-alg-pool . . . . . 246
  dns-alg-prefix . . . . . 246
  filtering-type . . . . . 246
  from . . . . . 247
  hint . . . . . 248
  ipv6-multicast-interfaces . . . . . 249
  mapping-type . . . . . 249
  match-direction . . . . . 250
  no-translation . . . . . 250
  overload-pool . . . . . 251
  overload-prefix . . . . . 251
  pgcp . . . . . 252
  pool . . . . . 253
  port . . . . . 254
  port-forwarding . . . . . 255
  port-forwarding-mappings . . . . . 255
  ports-per-session . . . . . 256
  remotely-controlled . . . . . 256
  rule . . . . . 257
  rule-set . . . . . 258
  secured-port-block-allocation . . . . . 259
  services . . . . . 260
  source-address . . . . . 260
  source-address-range . . . . . 261
  source-pool . . . . . 261
  source-prefix . . . . . 262
  source-prefix-list . . . . . 262
  syslog . . . . . 263
  term . . . . . 264
  then . . . . . 265
  translated-port . . . . . 266
  translated . . . . . 266
  translation-type . . . . . 267
  transport . . . . . 268
  use-dns-map-for-destination-translation . . . . . 269

Chapter 12

Load Balancing Configuration Guidelines . . . . . 271
  Configuring Load Balancing on AMS Infrastructure . . . . . 271
    Configuring AMS Infrastructure . . . . . 271
    Configuring High Availability . . . . . 272
    Load Balancing Network Address Translation Flows . . . . . 273
  Example: Configuring Static Source Translation on AMS Infrastructure . . . . . 273

Chapter 13

Summary of Load Balancing Configuration Statements . . . . . 277
  drop-member-traffic (Aggregated Multiservices) . . . . . 277
  enable-rejoin (Aggregated Multiservices) . . . . . 278
  family (Aggregated Multiservices) . . . . . 278
  high-availability-options (Aggregated Multiservices) . . . . . 279
  interfaces (Aggregated Multiservices) . . . . . 280
  load-balancing-options (Aggregated Multiservices) . . . . . 281
  many-to-one (Aggregated Multiservices) . . . . . 282
  member-failure-options (Aggregated Multiservices) . . . . . 283
  member-interface (Aggregated Multiservices) . . . . . 285
  redistribute-all-traffic (Aggregated Multiservices) . . . . . 286
  rejoin-timeout (Aggregated Multiservices) . . . . . 286
  unit (Aggregated Multiservices) . . . . . 287

Chapter 14

Intrusion Detection Service Configuration Guidelines . . . . . 289
  Configuring IDS Rules . . . . . 291
    Configuring Match Direction for IDS Rules . . . . . 292
    Configuring Match Conditions in IDS Rules . . . . . 293
    Configuring Actions in IDS Rules . . . . . 294
  Configuring IDS Rule Sets . . . . . 297
  Examples: Configuring IDS Rules . . . . . 297

Chapter 15

Summary of Intrusion Detection Service Configuration Statements . . . . . 301
  aggregation . . . . . 301
  application-sets . . . . . 302
  applications . . . . . 302
  by-destination . . . . . 303
  by-pair . . . . . 304
  by-source . . . . . 305
  destination-address . . . . . 306
  destination-address-range . . . . . 306
  destination-prefix . . . . . 307
  destination-prefix-ipv6 . . . . . 307
  destination-prefix-list . . . . . 308
  force-entry . . . . . 308
  from . . . . . 309
  ignore-entry . . . . . 309
  logging . . . . . 309
  match-direction . . . . . 310
  mss . . . . . 310
  rule . . . . . 311
  rule-set . . . . . 312
  services . . . . . 312
  session-limit . . . . . 313
  source-address . . . . . 314
  source-address-range . . . . . 314
  source-prefix . . . . . 315
  source-prefix-ipv6 . . . . . 315
  source-prefix-list . . . . . 316
  syn-cookie . . . . . 316
  syslog . . . . . 317
  term . . . . . 318
  then . . . . . 320
  threshold . . . . . 321
Chapter 16

IPsec Services Configuration Guidelines . . . . . 323
  Minimum Security Association Configurations . . . . . 325
    Minimum Manual SA Configuration . . . . . 325
    Minimum Dynamic SA Configuration . . . . . 325
  Configuring Security Associations . . . . . 326
    Configuring Manual Security Associations . . . . . 327
      Configuring the Direction for IPsec Processing . . . . . 328
      Configuring the Protocol for a Manual IPsec SA . . . . . 329
      Configuring the Security Parameter Index . . . . . 329
      Configuring the Auxiliary Security Parameter Index . . . . . 329
      Configuring Authentication for a Manual IPsec SA . . . . . 329
      Configuring Encryption for a Manual IPsec SA . . . . . 330
    Configuring Dynamic Security Associations . . . . . 331
    Clearing Security Associations . . . . . 332
  Configuring IKE Proposals . . . . . 332
    Configuring the Authentication Algorithm for an IKE Proposal . . . . . 333
    Configuring the Authentication Method for an IKE Proposal . . . . . 333
    Configuring the Diffie-Hellman Group for an IKE Proposal . . . . . 334
    Configuring the Encryption Algorithm for an IKE Proposal . . . . . 334
    Configuring the Lifetime for an IKE SA . . . . . 335
    Example: Configuring an IKE Proposal . . . . . 335
  Configuring IKE Policies . . . . . 335
    Configuring the IKE Phase . . . . . 337
    Configuring the Mode for an IKE Policy . . . . . 337
    Configuring the Proposals in an IKE Policy . . . . . 337
    Configuring the Preshared Key for an IKE Policy . . . . . 338
    Configuring the Local Certificate for an IKE Policy . . . . . 338
      Configuring a Certificate Revocation List . . . . . 339
    Configuring the Description for an IKE Policy . . . . . 339
    Configuring Local and Remote IDs for IKE Phase 1 Negotiation . . . . . 339
    Example: Configuring an IKE Policy . . . . . 340
  Configuring IPsec Proposals . . . . . 341
    Configuring the Authentication Algorithm for an IPsec Proposal . . . . . 341
    Configuring the Description for an IPsec Proposal . . . . . 342
    Configuring the Encryption Algorithm for an IPsec Proposal . . . . . 342
    Configuring the Lifetime for an IPsec SA . . . . . 342
    Configuring the Protocol for a Dynamic SA . . . . . 343
  Configuring IPsec Policies . . . . . 343
    Configuring the Description for an IPsec Policy . . . . . 344
    Configuring Perfect Forward Secrecy . . . . . 344
    Configuring the Proposals in an IPsec Policy . . . . . 345
    Example: Configuring an IPsec Policy . . . . . 345
  IPsec Policy for Dynamic Endpoints . . . . . 346
  Configuring IPsec Rules . . . . . 346
    Configuring Match Direction for IPsec Rules . . . . . 347
    Configuring Match Conditions in IPsec Rules . . . . . 348
    Configuring Actions in IPsec Rules . . . . . 349
      Enabling IPsec Packet Fragmentation . . . . . 350
      Configuring Destination Addresses for Dead Peer Detection . . . . . 350
      Configuring or Disabling IPsec Anti-Replay . . . . . 352
      Enabling System Log Messages . . . . . 352
      Specifying the MTU for IPsec Tunnels . . . . . 352
  Configuring IPsec Rule Sets . . . . . 353
  Configuring Dynamic Endpoints for IPsec Tunnels . . . . . 353
    Authentication Process . . . . . 354
    Implicit Dynamic Rules . . . . . 354
    Reverse Route Insertion . . . . . 355
    Configuring an IKE Access Profile . . . . . 355
    Referencing the IKE Access Profile in a Service Set . . . . . 357
    Configuring the Interface Identifier . . . . . 357
    Default IKE and IPsec Proposals . . . . . 358
  Tracing IPsec Operations . . . . . 358
    Disabling IPsec Tunnel Endpoint in Traceroute . . . . . 359
    Tracing IPsec PKI Operations . . . . . 360
  Configuring IPsec on the Services SDK . . . . . 360
  Examples: Configuring IPsec Services . . . . . 361
    Example: Configuring Statically Assigned Tunnels . . . . . 362
    Example: Configuring Dynamically Assigned Tunnels . . . . . 364
    Multitask Example: Configuring IPsec Services . . . . . 369
      Configuring the IKE Proposal . . . . . 369
      Configuring the IKE Policy (and Referencing the IKE Proposal) . . . . . 370
      Configuring the IPsec Proposal . . . . . 370
      Configuring the IPsec Policy (and Referencing the IPsec Proposal) . . . . . 371
      Configuring the IPsec Rule (and Referencing the IKE and IPsec Policies) . . . . . 372
      Configuring IPsec Trace Options . . . . . 373
      Configuring the Access Profile (and Referencing the IKE and IPsec Policies) . . . . . 373
      Configuring the Service Set (and Referencing the IKE Profile and the IPsec Rule) . . . . . 374

Chapter 17

Summary of IPsec Services Configuration Statements . . . . . 377
  anti-replay-window-size . . . . . 377
  authentication . . . . . 378
  authentication-algorithm . . . . . 379
    authentication-algorithm (IKE) . . . . . 379
    authentication-algorithm (IPsec) . . . . . 379
  authentication-method . . . . . 380
  auxiliary-spi . . . . . 380
  backup-remote-gateway . . . . . 381
  clear-dont-fragment-bit . . . . . 381
  clear-ike-sas-on-pic-restart . . . . . 382
  clear-ipsec-sas-on-pic-restart . . . . . 382
  description . . . . . 383
  destination-address . . . . . 383
  dh-group . . . . . 384
  direction . . . . . 385
  dynamic . . . . . 386
  encryption . . . . . 387
  encryption-algorithm . . . . . 388
  from . . . . . 389
  ike . . . . . 390
  initiate-dead-peer-detection . . . . . 391
  ipsec . . . . . 391
  ipsec-inside-interface . . . . . 392
  lifetime-seconds . . . . . 392
  local-certificate . . . . . 393
  local-id . . . . . 393
  manual . . . . . 394
  match-direction . . . . . 394
  mode . . . . . 395
  no-anti-replay . . . . . 395
  no-ipsec-tunnel-in-traceroute . . . . . 396
  perfect-forward-secrecy . . . . . 396
  policy . . . . . 397
    policy (IKE) . . . . . 397
    policy (IPsec) . . . . . 398
  pre-shared-key . . . . . 398
  proposal . . . . . 399
    proposal (IKE) . . . . . 399
    proposal (IPsec) . . . . . 400
  proposals . . . . . 400
  protocol . . . . . 401
  remote-gateway . . . . . 401
  remote-id . . . . . 402
  rule . . . . . 403
  rule-set . . . . . 404
  services . . . . . 404
  source-address . . . . . 405
  spi . . . . . 405
  syslog . . . . . 406
  term . . . . . 407
  then . . . . . 408
  traceoptions . . . . . 409
  traceoptions (PKI) . . . . . 411
  tunnel-mtu . . . . . 412
  version (IKE) . . . . . 412

Chapter 18

Layer 2 Tunneling Protocol Services Configuration Guidelines ..... 413
L2TP Services Configuration Overview ..... 415
L2TP Minimum Configuration ..... 416
Configuring L2TP Tunnel Groups ..... 418
    Configuring Access Profiles for L2TP Tunnel Groups ..... 419
    Configuring the Local Gateway Address and PIC ..... 419
    Configuring Window Size for L2TP Tunnels ..... 420
    Configuring Timers for L2TP Tunnels ..... 420
    Hiding Attribute-Value Pairs for L2TP Tunnels ..... 420

Copyright © 2011, Juniper Networks, Inc.

xvii

Junos 11.4 Services Interfaces Configuration Guide

    Configuring System Logging of L2TP Tunnel Activity ..... 421
Configuring the Identifier for Logical Interfaces that Provide L2TP Services ..... 422
    Example: Configuring Multilink PPP on a Shared Logical Interface ..... 423
AS PIC Redundancy for L2TP Services ..... 424
Tracing L2TP Operations ..... 424
Examples: Configuring L2TP Services ..... 426

Chapter 19

Summary of Layer 2 Tunneling Protocol Configuration Statements ..... 431
facility-override ..... 431
hello-interval ..... 432
hide-avps ..... 432
host ..... 433
l2tp-access-profile ..... 433
local-gateway address ..... 434
log-prefix ..... 434
maximum-send-window ..... 435
ppp-access-profile ..... 435
receive-window ..... 436
retransmit-interval ..... 436
service-interface ..... 437
services ..... 438
    services (Hierarchy) ..... 438
    services (L2TP System Logging) ..... 439
syslog ..... 440
traceoptions (L2TP) ..... 441
tunnel-group ..... 445
tunnel-timeout ..... 446

Chapter 20

Link Services IQ Interfaces Configuration Guidelines ..... 447
Layer 2 Service Package Capabilities and Interfaces ..... 448
Configuring LSQ Interface Redundancy Across Multiple Routers Using SONET APS ..... 450
    Configuring the Association between LSQ and SONET Interfaces ..... 450
    Configuring SONET APS Interoperability with Cisco Systems FRF.16 ..... 451
    Restrictions on APS Redundancy for LSQ Interfaces ..... 452
Configuring LSQ Interface Redundancy in a Single Router Using SONET APS ..... 452
Configuring LSQ Interface Redundancy in a Single Router Using Virtual Interfaces ..... 453
    Configuring Redundant Paired LSQ Interfaces ..... 453
    Restrictions on Redundant LSQ Interfaces ..... 454
    Configuring Link State Replication for Redundant Link PICs ..... 455
    Examples: Configuring Redundant LSQ Interfaces for Failure Recovery ..... 457
Configuring CoS Scheduling Queues on Logical LSQ Interfaces ..... 461
    Configuring Scheduler Buffer Size ..... 462
    Configuring Scheduler Priority ..... 463
    Configuring Scheduler Shaping Rate ..... 463
    Configuring Drop Profiles ..... 463
Configuring CoS Fragmentation by Forwarding Class on LSQ Interfaces ..... 465
Reserving Bundle Bandwidth for Link-Layer Overhead on LSQ Interfaces ..... 466
Configuring Multiclass MLPPP on LSQ Interfaces ..... 467

Table of Contents

Oversubscribing Interface Bandwidth on LSQ Interfaces ..... 468
    Examples: Oversubscribing an LSQ Interface ..... 472
Configuring Guaranteed Minimum Rate on LSQ Interfaces ..... 473
    Example: Configuring Guaranteed Minimum Rate ..... 476
Configuring Link Services and CoS on Services PICs ..... 477
Configuring LSQ Interfaces as NxT1 or NxE1 Bundles Using MLPPP ..... 480
    Example: Configuring an LSQ Interface as an NxT1 Bundle Using MLPPP ..... 483
Configuring LSQ Interfaces as NxT1 or NxE1 Bundles Using FRF.16 ..... 485
    Example: Configuring an LSQ Interface as an NxT1 Bundle Using FRF.16 ..... 488
Configuring LSQ Interfaces for Single Fractional T1 or E1 Interfaces Using MLPPP and LFI ..... 490
    Example: Configuring an LSQ Interface for a Fractional T1 Interface Using MLPPP and LFI ..... 493
Configuring LSQ Interfaces for Single Fractional T1 or E1 Interfaces Using FRF.12 ..... 495
    Examples: Configuring an LSQ Interface for a Fractional T1 Interface Using FRF.12 ..... 498
Configuring LSQ Interfaces as NxT1 or NxE1 Bundles Using FRF.15 ..... 502
Configuring LSQ Interfaces for T3 Links Configured for Compressed RTP over MLPPP ..... 503
Configuring LSQ Interfaces as T3 or OC3 Bundles Using FRF.12 ..... 504
Configuring LSQ Interfaces for ATM2 IQ Interfaces Using MLPPP ..... 506

Chapter 21

Summary of Link Services IQ Configuration Statements ..... 509
cisco-interoperability ..... 509
forwarding-class ..... 510
fragment-threshold ..... 511
fragmentation-map ..... 511
fragmentation-maps ..... 512
hot-standby ..... 512
link-layer-overhead ..... 513
lsq-failure-options ..... 513
multilink-class ..... 514
multilink-max-classes ..... 514
no-fragmentation ..... 515
no-per-unit-scheduler ..... 515
no-termination-request ..... 516
per-unit-scheduler ..... 516
preserve-interface ..... 517
primary ..... 517
redundancy-options ..... 518
secondary ..... 518
trigger-link-failure ..... 519
warm-standby ..... 519

Chapter 22

Voice Services Configuration Guidelines ..... 521
Configuring Services Interfaces for Voice Services ..... 522
    Configuring the Logical Interface Address for the MLPPP Bundle ..... 522
    Configuring Compression of Voice Traffic ..... 523
    Configuring Delay-Sensitive Packet Interleaving ..... 524


    Example: Configuring Compression of Voice Traffic ..... 524
Configuring Encapsulation for Voice Services ..... 525
Configuring Network Interfaces for Voice Services ..... 525
    Configuring Voice Services Bundles with MLPPP Encapsulation ..... 526
    Configuring the Compression Interface with PPP Encapsulation ..... 526
Examples: Configuring Voice Services ..... 526

Chapter 23

Summary of Voice Services Configuration Statements ..... 531
address ..... 531
bundle ..... 532
compression ..... 532
compression-device ..... 533
encapsulation ..... 533
f-max-period ..... 534
family ..... 535
fragment-threshold ..... 536
interfaces ..... 536
maximum-contexts ..... 537
port ..... 537
queues ..... 538
rtp ..... 538
unit ..... 539

Chapter 24

Class-of-Service Configuration Guidelines ..... 541
Restrictions and Cautions for CoS Configuration on Services Interfaces ..... 542
Configuring CoS Rules ..... 543
    Configuring Match Direction for CoS Rules ..... 543
    Configuring Match Conditions in CoS Rules ..... 544
    Configuring Actions in CoS Rules ..... 545
        Configuring Application Profiles for Use as CoS Rule Actions ..... 546
        Configuring Reflexive and Reverse CoS Rule Actions ..... 546
    Example: Configuring CoS Rules ..... 547
Configuring CoS Rule Sets ..... 548
Examples: Configuring CoS on Services Interfaces ..... 548

Chapter 25

Summary of Class-of-Service Configuration Statements ..... 551
application-profile ..... 552
application-sets ..... 553
applications ..... 553
data ..... 554
destination-address ..... 554
destination-prefix-list ..... 555
dscp ..... 555
forwarding-class ..... 556
from ..... 556
ftp ..... 557
match-direction ..... 557
(reflexive | reverse) ..... 558
rule ..... 559
rule-set ..... 560


services ..... 560
sip ..... 561
source-address ..... 561
source-prefix-list ..... 562
syslog ..... 562
term ..... 563
then ..... 564
video ..... 564
voice ..... 565

Chapter 26

Service Set Configuration Guidelines ..... 567
Configuring Service Sets to be Applied to Services Interfaces ..... 568
    Configuring Interface Service Sets ..... 568
    Configuring Next-Hop Service Sets ..... 570
    Determining Traffic Direction ..... 571
        Interface Style Service Sets ..... 571
        Next-Hop Style Service Sets ..... 571
Configuring Service Rules ..... 572
Configuring IPsec Service Sets ..... 573
    Configuring the Local Gateway Address for IPsec Service Sets ..... 574
        IKE Addresses in VRF Instances ..... 574
    Configuring IKE Access Profiles for IPsec Service Sets ..... 575
    Configuring Certification Authorities for IPsec Service Sets ..... 575
    Configuring or Disabling Antireplay Service ..... 575
    Clearing the Don’t-Fragment Bit ..... 576
    Configuring Passive-Mode Tunneling ..... 577
    Configuring the Tunnel MTU Value ..... 577
Configuring Service Set Limitations ..... 578
Configuring System Logging for Service Sets ..... 578
Enabling Services PICs to Accept Multicast Traffic ..... 580
Tracing Services PIC Operations ..... 580
    Configuring the Adaptive Services Log Filename ..... 581
    Configuring the Number and Size of Adaptive Services Log Files ..... 581
    Configuring Access to the Log File ..... 582
    Configuring a Regular Expression for Lines to Be Logged ..... 582
    Configuring the Trace Operations ..... 582
Example: Configuring Service Sets ..... 583

Chapter 27

Summary of Service Set Configuration Statements ..... 585
adaptive-services-pics ..... 585
allow-multicast ..... 586
anti-replay-window-size ..... 587
bypass-traffic-on-exceeding-flow-limits ..... 588
bypass-traffic-on-pic-failure ..... 588
clear-dont-fragment-bit ..... 589
facility-override ..... 590
host ..... 590
ids-rules ..... 591
ike-access-profile ..... 591
interface-service ..... 592


ipsec-vpn-options ..... 592
ipsec-vpn-rules ..... 593
local-gateway ..... 593
log-prefix ..... 594
logging ..... 594
max-flows ..... 595
message-rate-limit ..... 596
nat-rules ..... 597
next-hop-service ..... 598
no-anti-replay ..... 599
passive-mode-tunneling ..... 599
pgcp-rules ..... 600
port (syslog) ..... 600
ptsp-rules ..... 601
service-interface ..... 601
service-set ..... 602
services ..... 604
    services (Hierarchy) ..... 604
    services (System Logging) ..... 605
stateful-firewall-rules ..... 606
syslog ..... 606
tcp-mss ..... 607
traceoptions ..... 608
trusted-ca ..... 609
tunnel-mtu ..... 610

Chapter 28

Service Interface Configuration Guidelines ..... 611
Services Interface Naming Overview ..... 613
Configuring the Address and Domain for Services Interfaces ..... 614
Configuring Default Timeout Settings for Services Interfaces ..... 614
Configuring System Logging for Services Interfaces ..... 616
Enabling Fragmentation on GRE Tunnels ..... 617
Applying Filters and Services to Interfaces ..... 618
    Configuring Service Filters ..... 619
Configuring AS or Multiservices PIC Redundancy ..... 620
Examples: Configuring Services Interfaces ..... 623

Chapter 29

Summary of Service Interface Configuration Statements ..... 625
address ..... 625
cgn-pic ..... 626
clear-dont-fragment-bit ..... 626
dial-options ..... 627
facility-override ..... 628
family ..... 629
host ..... 630
inactivity-timeout ..... 630
input ..... 631
interfaces ..... 631
log-prefix ..... 632
maximum ..... 632


open-timeout ..... 632
output ..... 633
post-service-filter ..... 633
primary ..... 634
rate ..... 634
redundancy-options ..... 635
secondary ..... 635
service ..... 636
service-domain ..... 636
service-filter ..... 637
service-set ..... 637
services ..... 638
services-options ..... 639
session-limit ..... 640
syslog ..... 640
tcp-tickles ..... 641
unit ..... 642

Chapter 30

PGCP Configuration Guidelines for the BGF Feature ..... 643

Chapter 31

Summary of PGCP Configuration Statements ..... 649
administrative ..... 650
    administrative (Control Association) ..... 650
    administrative (Virtual Interface) ..... 651
algorithm ..... 652
application-data-inactivity-detection ..... 652
audit-observed-events-returns ..... 653
base-root ..... 654
bgf-core ..... 655
cancel-graceful ..... 657
    cancel-graceful (Control Association) ..... 657
    cancel-graceful (Virtual Interface) ..... 658
cleanup-timeout ..... 658
context-indications ..... 659
control-association-indications ..... 660
controller-address ..... 661
controller-failure ..... 661
controller-port ..... 662
data-inactivity-detection ..... 662
default ..... 663
delivery-function ..... 664
destination-address ..... 664
destination-port ..... 665
detect ..... 665
diffserv ..... 666
disable-session-mirroring ..... 666
disconnect ..... 667
down ..... 668
dscp ..... 669
encoding ..... 669

event-timestamp-notification . . . . 670
failover-cold . . . . 670
failover-warm . . . . 671
failure . . . . 672
fast-update-filters . . . . 673
file . . . . 674
flag . . . . 675
gateway . . . . 676
gateway-address . . . . 680
gateway-controller . . . . 681
gateway-port . . . . 682
graceful . . . . 683
    graceful (Control Association) . . . . 683
    graceful (Virtual Interface) . . . . 684
graceful-restart . . . . 684
h248-options . . . . 685
h248-profile . . . . 687
h248-properties . . . . 688
h248-stack . . . . 691
h248-timers . . . . 692
hanging-termination-detection . . . . 692
inactivity-delay . . . . 693
inactivity-duration . . . . 693
inactivity-timeout . . . . 694
inactivity-timer . . . . 695
initial-average-ack-delay . . . . 695
interim-ah-scheme . . . . 696
ip-flow-stop-detection . . . . 696
ipsec-transport-security-association . . . . 697
latch-deadlock-delay . . . . 697
max-burst-size . . . . 698
    max-burst-size (All Streams) . . . . 698
    max-burst-size (RTCP Streams) . . . . 699
max-concurrent-calls . . . . 700
maximum-fuf-percentage . . . . 701
maximum-inactivity-time . . . . 702
maximum-net-propagation-delay . . . . 703
maximum-synchronization-mismatches . . . . 703
maximum-terms . . . . 704
maximum-waiting-delay . . . . 704
media . . . . 705
mg-maximum-pdu-size . . . . 706
mg-originated-pending-limit . . . . 707
mg-provisional-response-timer-value . . . . 708
mg-segmentation-timer . . . . 709
mgc-maximum-pdu-size . . . . 710
mgc-originated-pending-limit . . . . 711
mgc-provisional-response-timer-value . . . . 712
mgc-segmentation-timer . . . . 713

monitor . . . . 714
network-operator-id . . . . 714
no-dscp-bit-mirroring . . . . 715
no-rtcp-check . . . . 715
normal-mg-execution-time . . . . 716
normal-mgc-execution-time . . . . 717
notification-behavior . . . . 718
notification-rate-limit . . . . 718
notification-regulation . . . . 719
overload-control . . . . 719
peak-data-rate . . . . 720
    peak-data-rate (All Streams) . . . . 720
    peak-data-rate (RTCP) . . . . 721
platform . . . . 722
profile-name . . . . 723
profile-version . . . . 723
queue-limit-percentage . . . . 724
reconnect . . . . 725
reject-all-commands-threshold . . . . 725
reject-new-calls-threshold . . . . 726
report-service-change . . . . 726
request-timestamp . . . . 727
routing-instance . . . . 727
rtcp . . . . 728
rtp . . . . 728
rule . . . . 729
rule-set . . . . 729
sbc-utils . . . . 730
segmentation . . . . 731
send-notification-on-delay . . . . 732
service-change . . . . 733
service-change-type . . . . 734
service-interface . . . . 734
service-state . . . . 735
    service-state (Virtual BGF) . . . . 735
    service-state (Virtual Interface) . . . . 736
services . . . . 736
session-mirroring . . . . 737
source-address . . . . 737
source-port . . . . 738
state-loss . . . . 739
stop-detection-on-drop . . . . 739
sustained-data-rate . . . . 740
    sustained-data-rate (All Streams) . . . . 740
    sustained-data-rate (RTCP Streams) . . . . 741
timerx . . . . 742
tmax-retransmission-delay . . . . 742
traceoptions . . . . 743
traffic-management . . . . 744

up . . . . 745
use-lower-case . . . . 745
use-wildcard-response . . . . 746
virtual-interface . . . . 747
virtual-interface-down . . . . 748
virtual-interface-indications . . . . 749
virtual-interface-up . . . . 749
warm . . . . 750

Chapter 32

Service Interface Pools Configuration Guidelines . . . . . . . . . . . . . . . . . . . . . 751
Configuring Service Interface Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 751

Chapter 33

Summary of Service Interface Pools Statements . . . . . . . . . . . . . . . . . . . . . 753
interface . . . . 753
pool . . . . 754
service-interface-pools . . . . 754

Chapter 34

Border Signaling Gateway Configuration Guidelines . . . . 755

Chapter 35

Summary of Border Signaling Gateway Configuration Statements . . . . 761
actions . . . . 762
accelerations . . . . 763
admission-control . . . . 764
    admission-control (Border Signaling Gateway) . . . . 764
    admission-control (New Transaction Policy) . . . . 765
availability-check-profiles . . . . 766
blacklist-period . . . . 767
clusters . . . . 768
committed-burst-size . . . . 769
committed-information-rate . . . . 770
data-inactivity-detection . . . . 770
datastore . . . . 771
default-media-realm . . . . 772
dialogs . . . . 773
dscp . . . . 774
egress-service-point . . . . 775
embedded-spdf . . . . 776
file . . . . 777
flag . . . . 778
forward-manipulation . . . . 779
framework . . . . 780
from . . . . 782
    from (New Call Usage Policy) . . . . 783
    from (New Transaction Policy) . . . . 784
    from (Service Class) . . . . 786
gateway . . . . 787
inactivity-duration . . . . 792
manipulation-rule . . . . 793
media-policy . . . . 794
media-type . . . . 795
message-manipulation . . . . 796

maximum-records-in-cache . . . . 797
maximum-time-in-cache . . . . 797
message-manipulation-rules . . . . 798
minimum . . . . 799
name-resolution-cache . . . . 800
new-call-usage-input-policies . . . . 800
new-call-usage-output-policies . . . . 801
new-call-usage-policy . . . . 802
new-call-usage-policy-set . . . . 803
new-transaction-input-policies . . . . 803
new-transaction-output-policies . . . . 804
new-transaction-policy . . . . 805
new-transaction-policy-set . . . . 807
next-hop . . . . 808
on-3xx-response . . . . 809
request-uri . . . . 810
reverse-manipulation . . . . 811
route . . . . 812
routing-destinations . . . . 813
sbc-utils . . . . 814
servers . . . . 815
service-class . . . . 816
service-interface . . . . 817
    service-interface (Gateway) . . . . 817
    service-interface (Service Point) . . . . 817
service-point . . . . 818
service-point-type . . . . 819
service-policies . . . . 819
services . . . . 820
session-trace . . . . 821
signaling . . . . 822
signaling-realms . . . . 823
sip . . . . 824
sip-header . . . . 827
sip-stack . . . . 829
term . . . . 831
    term (New Call Usage Policy) . . . . 831
    term (New Transaction Policy) . . . . 832
    term (Service Class) . . . . 833
then . . . . 834
    then (New Call Usage Policy) . . . . 834
    then (New Transaction Policy) . . . . 835
    then (Service Class) . . . . 836
timer-c . . . . 837
timers . . . . 837
traceoptions . . . . 838
transactions . . . . 839
transport-details . . . . 840

Chapter 36

PTSP Configuration Guidelines . . . . 841

Chapter 37

Summary of PTSP Configuration Statements . . . . 843
application-group-any . . . . 843
application-groups . . . . 843
applications . . . . 844
count-type . . . . 844
demux . . . . 845
forward-rule (Configuring) . . . . 846
forward-rule (Including in Rule) . . . . 847
from (Forward Rule) . . . . 847
from (Rule) . . . . 848
local-address . . . . 849
local-address-range . . . . 850
local-port-range . . . . 850
local-ports . . . . 851
local-prefix-list . . . . 851
match-direction . . . . 852
protocol . . . . 852
remote-address . . . . 853
remote-address-range . . . . 854
remote-port-range . . . . 854
remote-ports . . . . 855
remote-prefix-list . . . . 855
rule (Configuring) . . . . 856
rule (Including in Rule Set) . . . . 857
rule-set . . . . 857
services . . . . 858
term (Forward Rule) . . . . 859
term (Rule) . . . . 860
then (Forward Rule) . . . . 861
then (Rule) . . . . 862

Chapter 38

Softwire Configuration Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 865
Configuring a DS-Lite Softwire Concentrator . . . . 866
Configuring a 6rd Softwire Concentrator . . . . 866
Configuring Softwire Rules . . . . 867
Configuring Stateful Firewall Rules for 6rd Softwire . . . . 867
Configuring IPv6 Multicast Interfaces . . . . 868
Configuring Service Sets for Softwire . . . . 868
Examples: Softwire Configuration . . . . 869
    Example: Basic DS-Lite Configuration . . . . 869
    Example: Basic 6rd Configuration . . . . 874
    Example: Configuring DS-Lite and 6rd in the Same Service Set . . . . 877

Chapter 39

Summary of Softwire Configuration Statements . . . . . . . . . . . . . . . . . . . . 883
ds-lite . . . . 884
rule (Softwire) . . . . 885
rule-set (Softwire) . . . . 885
softwire-concentrator . . . . 886

softwire-rules . . . . 886
term (Softwire Rule) . . . . 887
v6rd . . . . 888
ipv6-multicast-interfaces (Softwire) . . . . 889

Part 3

Dynamic Application Awareness for Junos OS

Chapter 40

Dynamic Application Awareness for Junos OS Overview . . . . 893
IDP Overview . . . . 894
APPID Overview . . . . 895
AACL Overview . . . . 896
L-PDF Overview . . . . 896
Configuring Multiple IDP Detectors . . . . 897
Best-Effort Application Identification of DPI-Serviced Flows . . . . 897
    Features that Support Application-Level Filtering . . . . 897
    Best-Effort Application Determination . . . . 898
    APPID, AACL, and L-PDF Processing in Preconvergence Scenarios . . . . 898
        Prior to a Final or Best-Effort Application Identification . . . . 898
        Upon Best-Effort Application Identification . . . . 899
        While Application Identification Is on a Best-Effort Basis . . . . 899
        If a Flow Ends Before an Application Identification Is Made . . . . 899
        If a Flow Ends While Application Identification on a Best-Effort Basis . . . . 899

Chapter 41

Application Identification Configuration Guidelines . . . . . . . . . . . . . . . . . . 901
Defining an Application Identification . . . 903
Configuring APPID Rules . . . 904
Using Stateful Firewall Rules to Identify Data Sessions . . . 906
Configuring Application Profiles . . . 908
Configuring Application Groups . . . 908
Application Identification for Nested Applications . . . 909
Disabling Application Identification for Nested Applications . . . 910
Configuring Global APPID Properties . . . 911
Configuring Automatic Download of Application Package Updates . . . 912
Configuring APPID Support for Heuristics . . . 912
Configuring APPID Support for Unidirectional Traffic . . . 913
Tracing APPID Operations . . . 913
Configuring the APPID Log Filename . . . 914
Configuring the Number and Size of APPID Log Files . . . 914
Configuring Access to the Log File . . . 915
Configuring a Regular Expression for Lines to Be Logged . . . 915
Configuring the Tracing Flags . . . 915
Examples: Configuring Application Identification Properties . . . 915

Chapter 42

Summary of Application Identification Configuration Statements . . . . . . 919
address . . . 920
application . . . 921
application (Defining) . . . 921
application (Including in Rule) . . . 922
application-group . . . 922


application-groups
applications . . . 923
application-system-cache-timeout . . . 923
automatic . . . 924
chain-order . . . 924
context . . . 925
destination . . . 925
direction . . . 926
disable . . . 926
disable (APPID Application) . . . 927
disable (APPID Application Group) . . . 927
disable (APPID Port Mapping) . . . 927
disable-global-timeout-override . . . 928
download . . . 928
enable-asymmetic-traffic-processing . . . 929
enable-heuristics . . . 929
enable-heuristics . . . 930
idle-timeout . . . 930
ignore-errors . . . 931
inactivity-non-tcp-timeout . . . 931
inactivity-tcp-timeout . . . 932
index (Nested Applications) . . . 932
index . . . 933
ip . . . 933
max-checked-bytes . . . 934
maximum-transactions . . . 934
member . . . 935
min-checked-bytes . . . 935
nested-application . . . 936
nested-application-settings . . . 937
no-application-identification . . . 938
no-application-system-cache . . . 938
no-clear-application-system-cache . . . 939
no-nested-application . . . 939
no-protocol-method . . . 940
no-signature-based . . . 940
order . . . 941
pattern . . . 941
port-mapping . . . 942
port-range . . . 942
profile . . . 943
protocol . . . 943
rule . . . 944
rule (Configuring) . . . 945
rule (Including in Rule Set) . . . 945
rule-set . . . 946
services . . . 946

session-timeout
session-timeout (Application Identification) . . . 948
session-timeout (Interfaces) . . . 948
signature . . . 948
source . . . 949
support-uni-directional-traffic . . . 950
traceoptions . . . 950
type . . . 951
type-of-service . . . 952
url . . . 952

Chapter 43

Application-Aware Access List Configuration Guidelines . . . 953
Configuring AACL Rules . . . 955
Configuring Match Direction for AACL Rules . . . 956
Configuring Match Conditions in AACL Rules . . . 956
Configuring Actions in AACL Rules . . . 957
Configuring AACL Rule Sets . . . 958
Configuring Logging of AACL Flows . . . 959
Example: Configuring AACL Rules . . . 960

Chapter 44

Summary of AACL Configuration Statements . . . 960
application-groups . . . 963
applications . . . 963
application-group-any . . . 964
destination-address . . . 964
destination-address-range . . . 965
destination-prefix-list . . . 965
from . . . 966
match-direction . . . 966
rule . . . 967
rule-set . . . 968
services . . . 969
source-address . . . 969
source-address-range . . . 970
source-prefix-list . . . 970
term . . . 971
then . . . 972

Chapter 45

Local Policy Decision Function Configuration Guidelines . . . 973
Configuring Statistics Profiles . . . 975
Configuring an L-PDF Statistics Profile . . . 975
Configuring an AACL Statistics Profile . . . 976
Applying L-PDF Profiles to Service Sets . . . 977
Tracing L-PDF Operations . . . 978

Chapter 46

Summary of L-PDF Configuration Statements . . . 979
aacl-fields . . . 981
aacl-statistics-profile . . . 982
application-aware-access-list-fields . . . 983
file . . . 984

local-policy-decision-function . . . 985
policy-decision-statistics-profile . . . 986
statistics . . . 987
traceoptions . . . 988

Part 4

Encryption Services

Chapter 47

Encryption Overview . . . 989

Chapter 48

Encryption Interfaces Configuration Guidelines . . . 993
Encryption Overview . . . 993
Configuring Encryption Interfaces . . . 995
Specifying the Security Association Name for Encryption Interfaces . . . 995
Configuring the MTU for Encryption Interfaces . . . 996
Example: Configuring an Encryption Interface . . . 996
Configuring Filters for Traffic Transiting the ES PIC . . . 996
Traffic Overview . . . 997
Configuring the Security Association . . . 997
Configuring an Outbound Traffic Filter . . . 998
Example: Configuring an Outbound Traffic Filter . . . 999
Applying the Outbound Traffic Filter . . . 999
Example: Applying the Outbound Traffic Filter . . . 1000
Configuring an Inbound Traffic Filter . . . 1000
Example: Configuring an Inbound Traffic Filter . . . 1000
Applying the Inbound Traffic Filter to the Encryption Interface . . . 1001
Example: Applying the Inbound Traffic Filter to the Encryption Interface . . . 1001
Configuring an ES Tunnel Interface for a Layer 3 VPN . . . 1001
Configuring ES PIC Redundancy . . . 1002
Example: Configuring ES PIC Redundancy . . . 1002
Configuring IPsec Tunnel Redundancy . . . 1003

Chapter 49

Summary of Encryption Configuration Statements . . . 1003
address . . . 1005
backup-destination . . . 1005
backup-interface . . . 1005
destination . . . 1006
es-options . . . 1006
family . . . 1007
filter . . . 1008
interfaces . . . 1009
ipsec-sa . . . 1009
source . . . 1010
tunnel . . . 1010
unit . . . 1011

Part 5

Flow Monitoring and Discard Accounting Services

Chapter 50

Flow Monitoring and Discard Accounting Overview . . . 1015
Active Flow Monitoring Overview . . . 1015
Passive Flow Monitoring Overview . . . 1016

Chapter 51

Flow Monitoring and Discard Accounting Configuration Guidelines . . . 1019
Configuring Traffic Sampling . . . 1024
Minimum Configuration for Traffic Sampling . . . 1024
Disabling Traffic Sampling . . . 1025
Sampling Once . . . 1026
Configuring Traffic Sampling Output . . . 1027
Traffic Sampling Output Format . . . 1027
Tracing Traffic Sampling Operations . . . 1028
Traffic Sampling Examples . . . 1029
Example: Sampling a Single SONET/SDH Interface . . . 1029
Example: Sampling All Traffic from a Single IP Address . . . 1029
Example: Sampling All FTP Traffic . . . 1030
Configuring Flow Monitoring . . . 1031
Configuring Flow-Monitoring Interfaces . . . 1032
Configuring Flow-Monitoring Properties . . . 1032
Directing Traffic to Flow-Monitoring Interfaces . . . 1034
Exporting Flows . . . 1034
Configuring Time Periods when Flow Monitoring is Active and Inactive . . . 1035
Example: Configuring Flow Monitoring . . . 1035
Example: Configuring Active Monitoring on Logical Systems . . . 1036
Enabling Flow Aggregation . . . 1037
Configuring Flow Aggregation to Use Version 5 or Version 8 cflowd . . . 1039
Configuring Flow Aggregation to Use Version 9 Flow Templates . . . 1040
Configuring the Traffic to Be Sampled . . . 1043
Configuring the Version 9 Template Properties . . . 1044
Restrictions . . . 1044
Fields Included in Each Template Type . . . 1045
MPLS Sampling Behavior . . . 1046
Verification . . . 1047
Examples: Configuring Version 9 Flow Templates . . . 1048
Configuring Sampling Instances . . . 1048
Configuring Inline Flow Monitoring . . . 1051
Configuring Inline Flow Monitoring on MX80 Routers . . . 1053
Directing Replicated Flows to Multiple Flow Servers . . . 1055
Directing Replicated Routing Engine–Based Sampling Flows to Multiple Servers . . . 1056
Directing Replicated Version 9 Flow Aggregates to Multiple Servers . . . 1057
Logging cflowd Flows Before Export . . . 1058
Configuring Port Mirroring . . . 1059
Configuring Tunnels . . . 1059
Port Mirroring with Next-Hop Groups . . . 1061
Configuring Inline Port Mirroring . . . 1062

Configuring Port Mirroring on Services Interfaces . . . 1064
Restrictions . . . 1064
Examples: Configuring Port Mirroring . . . 1065
Load Balancing Among Multiple Monitoring Interfaces . . . 1066
Filter-Based Forwarding with Multiple Monitoring Interfaces
Configuring Discard Accounting . . . 1073
Enabling Passive Flow Monitoring . . . 1076
Passive Flow Monitoring for MPLS Encapsulated Packets . . . 1077
Removing MPLS Labels from Incoming Packets . . . 1079
Example: Enabling IPv4 Passive Flow Monitoring . . . 1079
Example: Enabling IPv6 Passive Flow Monitoring . . . 1081
Configuring Services Interface Redundancy with Flow Monitoring . . . 1083

Chapter 52

Summary of Flow-Monitoring Configuration Statements . . . 1084
accounting . . . 1087
address . . . 1088
aggregate-export-interval . . . 1089
aggregation . . . 1089
autonomous-system-type . . . 1090
cflowd . . . 1091
cflowd (Discard Accounting) . . . 1092
cflowd (Flow Monitoring) . . . 1092
core-dump . . . 1093
destination . . . 1093
disable . . . 1094
disable-all-instances . . . 1094
engine-id . . . 1095
engine-type . . . 1095
extension-service . . . 1096
export-format . . . 1097
family . . . 1098
family (Interfaces) . . . 1099
family (Monitoring) . . . 1099
family (Port Mirroring) . . . 1100
family (Sampling) . . . 1101
file . . . 1102
file (Sampling) . . . 1104
file (Trace Options) . . . 1104
filename . . . 1104
files . . . 1105
filter . . . 1105
flow-active-timeout . . . 1106
flow-control-options . . . 1108
flow-export-destination . . . 1108
flow-export-rate . . . 1107
flow-inactive-timeout . . . 1109
flow-monitoring . . . 1110
flow-server . . . 1111
forwarding-options . . . 1112

inline-jflow
input . . . 1113
input (Port Mirroring) . . . 1114
input (Sampling) . . . 1114
input-interface-index . . . 1114
instance . . . 1115
instance (Port Mirroring) . . . 1116
instance (Sampling) . . . 1116
interface . . . 1117
interface (Accounting or Sampling) . . . 1119
interface (Monitoring) . . . 1119
interface (Port Mirroring) . . . 1120
interfaces . . . 1120
ipv4-template . . . 1121
ipv6-template . . . 1121
label-position . . . 1121
local-dump . . . 1122
match . . . 1122
max-packets-per-second . . . 1123
maximum-packet-length . . . 1123
monitoring . . . 1124
mpls-ipv4-template . . . 1125
mpls-template . . . 1126
multiservice-options . . . 1126
next-hop . . . 1127
next-hop-group . . . 1127
next-hop-group (Forwarding Options) . . . 1128
next-hop-group (Port Mirroring) . . . 1128
no-core-dump . . . 1129
no-filter-check . . . 1129
no-local-dump . . . 1129
no-remote-trace (Trace Options) . . . 1129
no-stamp . . . 1130
no-syslog . . . 1130
no-world-readable . . . 1130
option-refresh-rate . . . 1130
output . . . 1131
output (Accounting) . . . 1132
output (Monitoring) . . . 1132
output (Port Mirroring) . . . 1133
output (Sampling) . . . 1133
output-interface-index . . . 1134
passive-monitor-mode . . . 1135
pop-all-labels . . . 1136
port . . . 1137
port-mirroring . . . 1138
rate . . . 1139
receive-options-packets . . . 1140
receive-ttl-exceeded . . . 1140

. . . . . . . . . . . . . . . . . 1163 Sending cflowd Records to Flow Collector Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1156 version-ipfix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1143 sampling (Forwarding Options) . . . . . . . . . . . . . . . . . . 1154 version9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1159 Configuring Flow Collection . . . . . 1151 template-refresh-rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1157 version-ipfix (Forwarding Options) . . . . . . . . . . . . . . . . . . . . . . 1171 analyzer-id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1171 analyzer-address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1164 Example: Configuring Flow Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1161 Configuring Destination FTP Servers for Flow Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1163 Configuring Retry Attempts . . 1152 unit . . . . . . . . . . . . 1172 archive-sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1162 Configuring Interface Mappings . . Juniper Networks. . . . . . . . . . . . . . 1174 file-specification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1161 Configuring File Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1144 sampling (Interfaces) . . . . . . . . . . . . . . . . . . . . . . 1172 collector . . . . 1152 traceoptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1175 file-specification (Interface Mapping) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1173 destinations . . . . . . . . . . . . 1174 filename-prefix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Junos 11. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1175 file-specification (File Format) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1148 stamp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1142 sample-once . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4 Services Interfaces Configuration Guide required-depth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Inc. . . . . . . . . . . . . . . . . . 1158 Chapter 53 Flow Collection Configuration Guidelines . . . . . . . . . . . . . . . . . . . . . . . 1162 Configuring Transfer Logs . . . . . . . . 1150 template (Services) . . . . . . . . . . . . . . . . . . . . 1150 template (Forwarding Options) . . . . . 
. . . . . . . . . . . . . . . . . 1157 version-ipfix (Services) . . . . . . . . . . . . 1146 services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1155 version9 (Services) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1158 world-readable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1142 sampling . . . . . . . . . . . . . . 1153 version . . . . 1161 Configuring a Packet Analyzer . . . . . . . . . . . . . . . . . . . . . . . 1147 source-address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1164 Configuring Flow Collection Mode and Interfaces on Services PICs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1148 syslog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1141 run-length . . . . . . . . . . . . . . . . . . . . . . . . . . 1149 template . . . . . 1173 data-format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1164 Chapter 54 Summary of Flow Collection Configuration Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1155 version9 (Forwarding Options) . . . . 1175 xxxvi Copyright © 2011. . 1146 size . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxvii . . Juniper Networks. . 1210 capture-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1213 duplicates-dropped-periodicity . . . . . . 1190 Intercepting IPv6 Flows . . . . . . . . . . . . . . . . . . . . . . . . 1196 Example: Configuring Dynamic Flow Capture . . . . . . . . . . . . . . . . . . . . . . . . . . . 1205 Examples: Configuring Flow-Tap Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1203 Strengthening Flow-Tap Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1215 Copyright © 2011. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1184 password (Transfer Log File Servers) . . . . . . . . . . . . . . . . . . . 1187 variant . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1184 retry . . . . . . . . . . . . . . . . 1185 transfer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1185 retry-delay . . . . . . . . . . . . . . . . . . . . . . . . . . . 1192 Configuring the Content Destination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1189 Dynamic Flow Capture Architecture . . 1214 flow-tap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1191 Configuring the Capture Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1182 password . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1205 Configuring FlowTapLite . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1201 Flow-Tap Architecture . . 1184 password (Flow Collector File Servers) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1181 name-format . . . . . . . . . . . . . . . . . . . . . . . . . . . 1180 interface-map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1190 Configuring Dynamic Flow Capture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1189 Liberal Sequence Windowing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1207 Chapter 57 Summary of Dynamic Flow Capture and Flow-Tap Configuration Statements . . . . . . . . . . . 1187 Chapter 55 Dynamic Flow Capture Configuration Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1193 Configuring the DFC PIC Interface . . . 1209 allowed-destinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1202 Configuring the Flow-Tap Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1197 Chapter 56 Flow-Tap Configuration Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1213 dynamic-flow-capture . . . . . . . . . . . . . . . . . . . . . . . . . . 
1179 ftp (Transfer Log Files) . . . . . 1194 Configuring System Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Inc. . . . . . . . . . 1209 address . . . . . . . . . . . . . . . . 1186 username . . . . . . . . . . . . . . . . . . . . 1176 ftp . . . . 1212 control-source . . . . . . . 1203 Configuring the Flow-Tap Interface . . . . . . . . . . . . . . . . . . . . . . . 1196 Limiting the Number of Duplicates of a Packet . . . . . . . . . . . . . . . . . . . . . . . . . . 1195 Configuring Thresholds . . . . . 1178 ftp (Flow Collector Files) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1186 transfer-log-archive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1180 maximum-age . . . . . . . . . 1211 content-destination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Table of Contents flow-collector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1192 Configuring the Control Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1204 Restrictions on Flow-Tap Services . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1222 service-port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1242 Configuring the Sequence Header Format on Multilink and Link Services Logical Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1229 Chapter 59 Link and Multilink Services Configuration Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16 Bundles . . . . . 1217 hard-limit . . . . . . . . . . 1222 services . . . . . . . . . . . . . . . . . . . . . . . . 1225 Part 6 Chapter 58 Link and Multilink Services Link and Multilink Services Overview . . . . . . . . . . . . . . . . . . . 1218 input-packet-rate-threshold . . 1241 Configuring the Minimum Number of Active Links on Multilink and Link Services Logical Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1246 xxxviii Copyright © 2011. . . . . . . . . . . . . . 1224 source-addresses . . . . . . . 1245 Configuring LFI with DLCI Scheduling . . . . . . . . 1242 Configuring MRRU on Multilink and Link Services Logical Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1223 soft-limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1220 no-syslog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1244 Configuring Point-to-Point DLCIs for MLFR FRF. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1221 pic-memory-threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1246 Example: Configuring LFI with DLCI Scheduling . . . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1236 Multilink and Link Services Logical Interface Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1235 Configuring the Links in a Multilink or Link Services Bundle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Juniper Networks.16 and MLPPP Bundles . . . . 1220 minimum-priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1229 Link and Multilink Services Overview . . . . 1238 Configuring Encapsulation for Multilink and Link Services Logical Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1243 Configuring DLCIs on Link Services Logical Interfaces . . . . . . . . . . . . . . . . . . . 1244 Configuring Multicast-Capable DLCIs for MLFR FRF. . . . . . . . . . . . . Inc. . . . . . . . . . . . . . . . . . . . . 1218 interface . . . . . . .4 Services Interfaces Configuration Guide g-duplicates-dropped-periodicity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1240 Limiting Packet Payload Size on Multilink and Link Services Logical Interfaces . . . . . . . . . . . . . . . . . . . 1233 Multilink and Link Services PICs Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Junos 11. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1216 g-max-duplicates . . . . . . . . 1219 interfaces . . . . . . . 1225 ttl . . . . . . . . . . . . . . . . . . 1219 max-duplicates . 1234 Configuring the Number of Bundles on Link Services PICs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
. . . 1237 Default Settings for Multilink and Link Services Logical Interfaces . . . . . . 1244 Configuring Delay-Sensitive Packet Interleaving on Link Services Logical Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1239 Configuring the Drop Timeout Period on Multilink and Link Services Logical Interfaces . . . . . . . . . . . . . . . 1221 notification-targets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1224 soft-limit-clear . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1223 shared-key . . . . . . 1217 hard-limit-target . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . 1287 multicast-dlci . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1263 Example: Configuring a Link Services PIC with MLFR FRF. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1279 family . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1275 disable-mlppp-inner-ppp-pfc . . 1283 minimum-links . . . . . . . . . . . . 1258 Example: Configuring a Multilink Interface with MLFR FRF. 1257 Example: Configuring a Multilink Interface with MLPPP . . . . . . 1280 fragment-threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1278 encapsulation (Physical Interface) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1257 Example: Configuring a Multilink Interface with MLPPP over ATM 2 Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1283 lmi-type . . . . . . . . . . . . Juniper Networks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1271 acknowledge-timer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1252 Example: Configuring CoS on Link Services Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1282 interfaces . . . . . . . . . . . . . . . . . . 1284 mlfr-uni-nni-bundle-options . 1250 Configuring Keepalives on Link Services Physical Interfaces . . . . . . . . . . . . . . . 1260 Example: Configuring a Link Services Interface with Two Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
1248 Configuring Encapsulation for Link Services Physical Interfaces . . . . . . . . . . . . . . . . .15 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1272 action-red-differential-delay . . . . . 1281 hello-timer . . . . . . 1286 mtu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Inc. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1249 Configuring Differential Delay Alarms on Link Services Physical Interfaces with MLFR FRF. . . . . . . . . . . . . . . . . 1253 Examples: Configuring Multilink Interfaces . 1288 Copyright © 2011. . 1252 CoS for Link Services Interfaces on M Series and T Series Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1276 drop-timeout . . . . . . . . . . . . . . . . . . . 1262 Example: Configuring a Link Services Interface with MLFR FRF. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1248 Default Settings for Link Services Interfaces . . . . . . . . . . . .16 . . . . . . . 1259 Examples: Configuring Link Interfaces . . . .16 . . . . . . . . . . . . . . . . . . 1251 Configuring CoS on Link Services Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1263 Example: Configuring Link and Voice Services Interfaces with a Combination of Bundle Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1273 address . . . . 1274 bundle . . . . . . . . . . . . . . . . . . . 1282 interleave-fragments . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1285 mrru . . . . . . . . . . . . . . . . . . . . . 1249 Configuring Acknowledgment Timers on Link Services Physical Interfaces . 1271 acknowledge-retries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxix . . . . . . . . . . . . . . . . 1274 destination . . . . . . . . . . . . 1261 Example: Configuring a Link Services Interface with MLPPP . . . . . 1264 Chapter 60 Summary of Multilink and Link Services Configuration Statements . . . . . . 1278 encapsulation (Logical Interface) . . . . . . . . . . . . . . . . . . 1277 encapsulation . . . . . . . . . 1275 dlci . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1287 n391 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Table of Contents Configuring Link Services Physical Interfaces . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1289 short-sequence . . . . . . . . . . . . . . . . . . . . . . . . . . 1297 Real-Time Performance Monitoring Services Overview . . . . . . . . . . . . . . . . . . . . . . Inc. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1293 Part 7 Chapter 61 Real-Time Performance Monitoring Services Real-Time Performance Monitoring Services Overview . . . . . . . . 1319 bgp . . . . . . . . . . 1313 Examples: Configuring Real-Time Performance Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1328 maximum-connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1327 logical-system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1314 Chapter 63 Summary of Real-Time Performance Monitoring Configuration Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1330 moving-average-size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1300 Configuring Real-Time Performance Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1288 n393 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1321 data-size . . . . 1312 Examples: Configuring BGP Neighbor Discovery Through RPM . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1311 Configuring TWAMP Servers . . . . . . . . . . . . . . . . . . . . . . . .4 Services Interfaces Configuration Guide n392 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1292 yellow-differential-delay . . . . . . . . . 1327 max-connection-duration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1297 Chapter 62 Real-Time Performance Monitoring Configuration Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1326 inactivity-timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1302 Configuring RPM Probes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1330 xl Copyright © 2011. . . . . . . . . . . . . . . . . . . . . . . . . 1328 maximum-connections-per-client . . . . . . . . . . . . . . . . . . . . . . . . . . . 1329 maximum-sessions . . . . . . . . . . . . 1329 maximum-sessions-per-connection . . . . . . . . . . . . . . . . . . . . . 1323 destination-port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1290 t391 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1291 unit . . Juniper Networks. . . . . . . . . . . . . . . . . . . . . . 1307 Configuring TWAMP . . . . . . . . . . . . . 1319 authentication-mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1289 red-differential-delay . . . . . . . . . . . . . . . . . . . . 1321 data-fill . . . . 1326 history-size . . 1310 Configuring TWAMP Interfaces . . . . . . . . . 1311 Enabling RPM for the Services SDK . . . . . . . . . . . . . . . . . . . 
. . . . . . . . 1322 destination-interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1290 t392 . . . . . . . . 1307 Configuring RPM Timestamping . . . . . . . . . . . . . . . 1307 Limiting the Number of Concurrent RPM Probes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1299 Configuring BGP Neighbor Discovery Through RPM . . . . . . . . . . . . . . . . . . . . . . 1325 hardware-timestamp . 1320 client-list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1324 dscp-code-point . 1303 Configuring RPM Receiver Servers . . .Junos 11. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1333 probe-count . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1367 Copyright © 2011. . . . . . 1366 Configuring IPv4-over-IPv6 Tunnels . . . . . . . . . . 1360 Restricting Tunnels to Multicast Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1334 probe-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1332 probe . . . . . . . . . . . . . 1353 Chapter 65 Tunnel Interfaces Configuration Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1345 twamp . . . . . . . . . . . . . . . . . . . . . . . . . . . . xli . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1332 port (RPM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1355 Configuring a Key Number on GRE Tunnels . . . . . . . . . . . . . . . . . . . . . . . 1359 Configuring a GRE Tunnel to Copy ToS Bits to the Outer IP Header . . . . . . . . . . . . . . . . . . . . . . . . . . . 1341 tcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1357 Enabling Fragmentation on GRE Tunnels . . . . . . 1346 udp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1359 Configuring Packet Reassembly . . . . . . . . 1359 Configuring GRE Keepalive Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1342 test-interval . . . . . . . . . . . 1335 probe-type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1338 server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1340 source-address . . . 1355 Configuring Unicast Tunnels . . . . . . . . . . . . . . . . . . . . . . . . 
1347 Part 8 Chapter 64 Tunnel Services Tunnel Services Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1336 routing-instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1334 probe-limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1332 port (TWAMP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1346 twamp-server . . . . . . . . . . . . . . . . . . . . . . 1364 Configuring PIM Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1343 thresholds . . . . . . . . . . . . . . . . . . . . . . . . . . . . Juniper Networks. . . . . . . . . . 1335 probe-server . . . . 1367 Configuring Dynamic Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1363 Configuring Tunnel Interfaces for Routing Table Lookup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1341 test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Inc. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1344 traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
1358 Specifying an MTU Setting for the Tunnel . . . . . . . . . . . . . . . . . . . . 1362 Configuring Logical Tunnel Interfaces . . . . . . . . . . . . . . . . . . . . . 1339 server-inactivity-timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . 1337 routing-instances . 1351 Tunnel Services Overview . . . . . . . . . . . . . . . . . . . . . . . . 1362 Connecting Logical Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1366 Configuring IPv6-over-IPv4 Tunnels . . . . . . . . . . 1340 target . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1339 services . . . . . . . . . 1337 rpm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1351 GRE Keepalive Time Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Table of Contents one-way-hardware-timestamp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1331 port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1364 Configuring Virtual Loopback Tunnels for VRF Table Lookup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

    Configuring Tunnel Interfaces on MX Series Routers ... 1358
    Specifying an MTU Setting for the Tunnel ... 1362
    Configuring Logical Tunnel Interfaces ... 1362
    Connecting Logical Systems ... 1363
    Configuring Tunnel Interfaces for Routing Table Lookup ... 1364
    Configuring Virtual Loopback Tunnels for VRF Table Lookup ... 1364
    Configuring PIM Tunnels ... 1366
    Configuring IPv6-over-IPv4 Tunnels ... 1367
    Configuring Dynamic Tunnels ... 1368
    Examples: Configuring Unicast Tunnels ... 1369
    Example: Configuring a Virtual Loopback Tunnel for VRF Table Lookup ... 1370
    Example: Configuring an IPv6-over-IPv4 Tunnel ... 1370
    Example: Configuring an IPv4-over-IPv6 Tunnel ... 1371
    Example: Configuring Logical Tunnels ... 1373
    Example: Configuring Keepalive for a GRE Interface ... 1374
Chapter 66 Summary of Tunnel Services Configuration Statements ... 1375
    allow-fragmentation ... 1375
    backup-destination ... 1376
    copy-tos-to-outer-ip-header ... 1376
    destination ... 1377
    destination (Routing Instance) ... 1377
    destination (Tunnel Remote End) ... 1377
    destination-networks ... 1378
    do-not-fragment ... 1378
    dynamic-tunnels ... 1379
    hold-time ... 1380
    interfaces ... 1380
    keepalive-time ... 1381
    key ... 1381
    multicast-only ... 1382
    peer-unit ... 1382
    reassemble-packets ... 1383
    routing-instance ... 1383
    routing-instances ... 1384
    routing-options ... 1384
    source ... 1385
    source-address ... 1385
    ttl ... 1386
    tunnel ... 1387
    tunnel-type ... 1388
    unit ... 1389
Part 9 Index
    Index ... 1393
    Index of Statements and Commands ... 1419

List of Figures
Part 2 Adaptive Services
Chapter 3 Adaptive Services Overview ... 37
    Figure 1: Packet Flow Through the Adaptive Services or MultiServices PIC ... 45
    Figure 2: Dynamic NAT Flow ... 52
    Figure 3: Stateful NAT64 Flow ... 52
    Figure 4: DS-Lite Flow ... 53
    Figure 5: 6rd Softwire Flow ... 56
Chapter 10 Carrier-Grade NAT Configuration Guidelines ... 149
    Figure 6: Configuring DNS ALGs with NAT-PT Network Topology ... 203
    Figure 7: Configuring NAT for Multicast Traffic ... 219
    Figure 8: NAT64 Topology ... 230
Chapter 16 IPsec Services Configuration Guidelines ... 323
    Figure 9: IPsec Dynamic Endpoint Tunneling Topology ... 365
Chapter 38 Softwire Configuration Guidelines ... 865
    Figure 10: DS-Lite Topology ... 870
Part 4 Encryption Services
Chapter 48 Encryption Interfaces Configuration Guidelines ... 995
    Figure 11: Example: IPsec Tunnel Connecting Security Gateways ... 997
    Figure 12: IPsec Tunnel Redundancy ... 1003
Part 5 Flow Monitoring and Discard Accounting Services
Chapter 50 Flow Monitoring and Discard Accounting Overview ... 1015
    Figure 13: Passive Monitoring Application Topology ... 1016
    Figure 14: Active Monitoring Configuration Topology ... 1018
Chapter 51 Flow Monitoring and Discard Accounting Configuration Guidelines ... 1019
    Figure 15: Configure Sampling Rate ... 1026
Chapter 53 Flow Collection Configuration Guidelines ... 1159
    Figure 16: Flow Collector Interface Topology Diagram ... 1165
Chapter 55 Dynamic Flow Capture Configuration Guidelines ... 1189
    Figure 17: Dynamic Flow Capture Topology ... 1190
Chapter 56 Flow-Tap Configuration Guidelines ... 1201
    Figure 18: Flow-Tap Topology ... 1203

Part 6 Link and Multilink Services
Chapter 59 Link and Multilink Services Configuration Guidelines ... 1233
    Figure 19: Multilink Interface Configuration ... 1236
Part 8 Tunnel Services
Chapter 65 Tunnel Interfaces Configuration Guidelines ... 1355
    Figure 20: IPv6 Tunnel Connecting Two IPv4 Networks Across an IPv6 Network ... 1371

List of Tables
About This Guide ... xlvii
    Table 1: Notice Icons ... li
    Table 2: Text and Syntax Conventions ... li
Part 2 Adaptive Services
Chapter 3 Adaptive Services Overview ... 37
    Table 3: AS and Multiservices PIC Services by Service Package, PIC, and Platform ... 41
    Table 4: Statement Equivalents for ES and AS Interfaces ... 58
Chapter 4 Applications Configuration Guidelines ... 71
    Table 5: Application Protocols Supported by Services Interfaces ... 73
    Table 6: Network Protocols Supported by Services Interfaces ... 74
    Table 7: ICMP Codes and Types Supported by Services Interfaces ... 76
    Table 8: Port Names Supported by Services Interfaces ... 77
    Table 9: Supported RPC Services ... 85
Chapter 6 Stateful Firewall Services Configuration Guidelines ... 113
    Table 10: IP Option Values ... 117
Chapter 13 Summary of Load Balancing Configuration Statements ... 277
    Table 11: Behavior of Member Interface After One Multiservices PIC Fails ... 283
    Table 12: Behavior of Member Interface After Two Multiservices PICs Fail ... 284
Chapter 16 IPsec Services Configuration Guidelines ... 323
    Table 13: Default IKE and IPsec Proposals for Dynamic Negotiations ... 358
Chapter 18 Layer 2 Tunneling Protocol Services Configuration Guidelines ... 413
    Table 14: System Log Message Severity Levels ... 421
Chapter 26 Service Set Configuration Guidelines ... 567
    Table 15: System Log Message Severity Levels ... 579
    Table 16: Adaptive Services Tracing Flags ... 582
Chapter 28 Service Interface Configuration Guidelines ... 611
    Table 17: System Log Message Severity Levels ... 616
Part 6 Link and Multilink Services
Chapter 59 Link and Multilink Services Configuration Guidelines ... 1233
    Table 18: Multilink and Link Services PIC Capacities ... 1235
    Table 19: Multilink and Link Services Logical Interface Statements ... 1238
    Table 20: Link Services Physical Interface Statements for MLFR FRF.16 ... 1248

    Table 21: Link Services CoS Queues ... 1252
    Table 22: Link Services Bundle ... 1261
Part 8 Tunnel Services
Chapter 64 Tunnel Services Overview ... 1351
    Table 23: Tunnel Interface Types ... 1351
Chapter 65 Tunnel Interfaces Configuration Guidelines ... 1355
    Table 24: Methods for Configuring Egress Filtering ... 1364

About This Guide
This preface provides the following guidelines for using the Junos OS Services Interfaces Configuration Guide:
• Junos Documentation and Release Notes on page xlvii
• Objectives on page xlviii
• Audience on page xlviii
• Supported Platforms on page xlviii
• Using the Indexes on page xlix
• Using the Examples in This Manual on page xlix
• Documentation Conventions on page l
• Documentation Feedback on page lii
• Requesting Technical Support on page lii

Junos Documentation and Release Notes
For a list of related Junos documentation, see http://www.juniper.net/techpubs/software/junos/.
If the information in the latest release notes differs from the information in the documentation, follow the Junos Release Notes.
To obtain the most current version of all Juniper Networks technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/.
Juniper Networks supports a technical book program to publish books by Juniper Networks engineers and subject matter experts with book publishers around the world. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration using the Junos operating system (Junos OS) and Juniper Networks devices. In addition, the Juniper Networks Technical Library, published in conjunction with O'Reilly Media, explores improving network security, reliability, and availability using Junos OS configuration techniques. All the books are for sale at technical bookstores and book outlets around the world. The current list can be viewed at http://www.juniper.net/books.

Objectives
This guide provides an overview of the services interfaces provided by Junos OS and describes how to configure these properties on the router.
NOTE: For additional information about the Junos OS—either corrections to or information that might have been omitted from this guide—see the software release notes at http://www.juniper.net/.

Audience
This guide is designed for network administrators who are configuring and monitoring a Juniper Networks M Series, MX Series, T Series, EX Series, or J Series router or switch.
To use this guide, you need a broad understanding of networks in general, the Internet in particular, networking principles, and network configuration. You must also be familiar with one or more of the following Internet routing protocols:
• Border Gateway Protocol (BGP)
• Distance Vector Multicast Routing Protocol (DVMRP)
• Intermediate System-to-Intermediate System (IS-IS)
• Internet Control Message Protocol (ICMP) router discovery
• Internet Group Management Protocol (IGMP)
• Multiprotocol Label Switching (MPLS)
• Open Shortest Path First (OSPF)
• Protocol-Independent Multicast (PIM)
• Resource Reservation Protocol (RSVP)
• Routing Information Protocol (RIP)
• Simple Network Management Protocol (SNMP)
Personnel operating the equipment must be trained and competent; must not conduct themselves in a careless, willfully negligent, or hostile manner; and must abide by the instructions provided by the documentation.

Supported Platforms
For the features described in this manual, the Junos OS currently supports the following platforms:
• J Series
• M Series

• MX Series
• T Series
• EX Series

Using the Indexes
This reference contains two indexes: a complete index that includes topic entries, and an index of statements and commands only.
In the index of statements and commands, an entry refers to a statement summary section only. In the complete index, the entry for a configuration statement or command contains at least two parts:
• The primary entry refers to the statement summary section.
• The secondary entry, usage guidelines, refers to the section in a configuration guidelines chapter that describes how to use the statement or command.

Using the Examples in This Manual
If you want to use the examples in this manual, you can use the load merge or the load merge relative command. These commands cause the software to merge the incoming configuration into the current candidate configuration. The example does not become active until you commit the candidate configuration.
If the example configuration contains the top level of the hierarchy (or multiple hierarchies), the example is a full example. In this case, use the load merge command.
If the example configuration does not start at the top level of the hierarchy, the example is a snippet. In this case, use the load merge relative command. These procedures are described in the following sections.

Merging a Full Example
To merge a full example, follow these steps:
1. From the HTML or PDF version of the manual, copy a configuration example into a text file, save the file with a name, and copy the file to a directory on your routing platform.
For example, copy the following configuration to a file and name the file ex-script.conf. Copy the ex-script.conf file to the /var/tmp directory on your routing platform.
system {
    scripts {
        commit {
            file ex-script.xsl;
        }
    }
}
interfaces {
    fxp0 {

        disable;
        unit 0 {
            family inet {
                address 10.0.0.1/24;
            }
        }
    }
}
2. Merge the contents of the file into your routing platform configuration by issuing the load merge configuration mode command:
[edit]
user@host# load merge /var/tmp/ex-script.conf
load complete

Merging a Snippet
To merge a snippet, follow these steps:
1. From the HTML or PDF version of the manual, copy a configuration snippet into a text file, save the file with a name, and copy the file to a directory on your routing platform.
For example, copy the following snippet to a file and name the file ex-script-snippet.conf. Copy the ex-script-snippet.conf file to the /var/tmp directory on your routing platform.
commit {
    file ex-script-snippet.xsl;
}
2. Move to the hierarchy level that is relevant for this snippet by issuing the following configuration mode command:
[edit]
user@host# edit system scripts
[edit system scripts]
3. Merge the contents of the file into your routing platform configuration by issuing the load merge relative configuration mode command:
[edit system scripts]
user@host# load merge relative /var/tmp/ex-script-snippet.conf
load complete
For more information about the load command, see the Junos OS CLI User Guide.

Documentation Conventions
Table 1 on page li defines notice icons used in this guide.

Table 1: Notice Icons
Icon / Meaning: Description
Informational note: Indicates important features or instructions.
Caution: Indicates a situation that might result in loss of data or hardware damage.
Warning: Alerts you to the risk of personal injury or death.
Laser warning: Alerts you to the risk of personal injury from a laser.

Table 2 on page li defines the text and syntax conventions used in this guide.

Table 2: Text and Syntax Conventions
Convention: Bold text like this
    Description: Represents text that you type.
    Example: To enter configuration mode, type the configure command:
        user@host> configure
Convention: Fixed-width text like this
    Description: Represents output that appears on the terminal screen.
    Example:
        user@host> show chassis alarms
        No alarms currently active
Convention: Italic text like this
    Description: Introduces important new terms. Identifies book names. Identifies RFC and Internet draft titles.
    Examples: A policy term is a named structure that defines match conditions and actions. Junos OS System Basics Configuration Guide. RFC 1997, BGP Communities Attribute.
Convention: Italic text like this
    Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
    Example: Configure the machine's domain name:
        [edit]
        root@# set system domain-name domain-name
Convention: Text like this
    Description: Represents names of configuration statements, commands, files, and directories; interface names; configuration hierarchy levels; or labels on routing platform components.
    Examples: To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level. The console port is labeled CONSOLE.
Convention: < > (angle brackets)
    Description: Enclose optional keywords or variables.
    Example: stub <default-metric metric>;

Table 2: Text and Syntax Conventions (continued)
Convention: | (pipe symbol)
    Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
    Examples: broadcast | multicast
        (string1 | string2 | string3)
Convention: # (pound sign)
    Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
    Example: rsvp { # Required for dynamic MPLS only
Convention: [ ] (square brackets)
    Description: Enclose a variable for which you can substitute one or more values.
    Example: community name members [ community-ids ]
Convention: Indention and braces ( { } )
    Description: Identify a level in the configuration hierarchy.
Convention: ; (semicolon)
    Description: Identifies a leaf statement at a configuration hierarchy level.
    Example:
        [edit]
        routing-options {
            static {
                route default {
                    nexthop address;
                    retain;
                }
            }
        }
J-Web GUI Conventions
Convention: Bold text like this
    Description: Represents J-Web graphical user interface (GUI) items you click or select.
    Examples: In the Logical Interfaces box, select All Interfaces. To cancel the configuration, click Cancel.
Convention: > (bold right angle bracket)
    Description: Separates levels in a hierarchy of J-Web selections.
    Example: In the configuration editor hierarchy, select Protocols>Ospf.

Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can send your comments to techpubs-comments@juniper.net, or fill out the documentation feedback form at https://www.juniper.net/cgi-bin/docbugreport/. If you are using e-mail, be sure to include the following information with your comments:
• Document or topic name
• URL or page number
• Software release version (if applicable)

Requesting Technical Support
Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract,

or are covered under warranty, and need postsales technical support, you can access our tools and resources online or open a case with JTAC.
• JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
• Product warranties—For product warranty information, visit http://www.juniper.net/support/warranty/.
• JTAC Hours of Operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:
• Find CSC offerings: http://www.juniper.net/customers/support/
• Find product documentation: http://www.juniper.net/techpubs/
• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
• Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/
• Search technical bulletins for relevant hardware and software notifications: https://www.juniper.net/alerts/
• Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/
• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/
To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/

Opening a Case with JTAC
You can open a case with JTAC on the Web or by telephone.
• Use the Case Management tool in the CSC at http://www.juniper.net/cm/.
• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, visit us at http://www.juniper.net/support/requesting-support.html


PART 1
Overview
• Services Interfaces Overview on page 3
• Services Interfaces Configuration Statements on page 5


CHAPTER 1
Services Interfaces Overview
Interfaces used in router networks fall into two categories:
• Networking interfaces, such as Ethernet and SONET interfaces, that primarily provide traffic connectivity. For more information on these interfaces, see the Junos OS Network Interfaces Configuration Guide.
• Services interfaces that provide specific capabilities for manipulating traffic before it is delivered to its destination.
This chapter includes the following sections:
• Services PIC Types on page 3
• Supported Platforms on page 4

Services PIC Types
Services interfaces enable you to add services to your network incrementally. The Juniper Networks Junos OS supports the following services PICs:
• Adaptive services interfaces (Adaptive Services [AS] PICs and Multiservices PICs)—Enable you to perform multiple services on the same PIC by configuring a set of services and applications. The AS and Multiservices PICs offer a special range of services you configure in one or more service sets: stateful firewalls, Network Address Translation (NAT), intrusion detection service (IDS), class-of-service functionality, and IP Security (IPsec). You can also configure voice services and Layer 2 Tunneling Protocol (L2TP) services. For more information about these services, see “Adaptive Services Overview” on page 37.
NOTE: On Juniper Networks MX Series 3D Universal Edge Routers, the Multiservices DPC provides essentially the same capabilities as the Multiservices PIC. The interfaces on both platforms are configured in the same way.
• ES PIC—Provides a security suite for the IP version 4 (IPv4) and IP version 6 (IPv6) network layers. The suite provides functionality such as authentication of origin, data integrity, confidentiality, replay protection, and nonrepudiation of source. It also defines mechanisms for key generation and exchange, management of security associations,

and support for digital certificates. For more information about encryption interfaces, see “Configuring Encryption Interfaces” on page 995.
• Monitoring Services PICs—Enable you to monitor traffic flow and export the monitored traffic. Monitoring traffic allows you to perform the following tasks:
    • Gather and export detailed information about IPv4 traffic flows between source and destination nodes in your network.
    • Sample all incoming IPv4 traffic on the monitoring interface and present the data in cflowd record format.
    • Perform discard accounting on an incoming traffic flow.
    • Encrypt or tunnel outgoing cflowd records, intercepted IPv4 traffic, or both.
    • Direct filtered traffic to different packet analyzers and present the data in its original format.
    For more information about flow monitoring interfaces, see Flow Monitoring.
• Multilink Services and Link Services PICs—Enable you to split, recombine, and sequence datagrams across multiple logical data links. The goal of multilink operation is to coordinate multiple independent links between a fixed pair of systems, providing a virtual link with greater bandwidth than any of the members. The Junos OS supports two services PICs based on the Multilink Protocol: the Multilink Services PIC and the Link Services PIC. For more information about multilink and link services interfaces, see Link and Multilink Properties.
• Tunnel Services PIC—By encapsulating arbitrary packets inside a transport protocol, provides a private, secure path through an otherwise public network. Tunnels connect discontinuous subnetworks and enable encryption interfaces, virtual private networks (VPNs), and MPLS. For more information about tunnel interfaces, see Tunnel Properties.

Supported Platforms
For information about which platforms support Adaptive Services and MultiServices PICs and their features, see “Enabling Service Packages” on page 39. For information about PIC support on a specific Juniper Networks M Series Multiservice Edge Router or T Series Core Router, see the appropriate PIC Guide for the platform. For information about MS-DPC support on a specific MX Series router, see the appropriate DPC Guide for the platform.
For information about services supported on Juniper Networks SRX Series Services Gateways and J Series Services Routers, see the Junos OS Feature Support Reference for SRX Series and J Series Devices.

CHAPTER 2
Services Interfaces Configuration Statements
This chapter shows the complete configuration statement hierarchies for configuring services interfaces. It lists all the statements that pertain to configuring services and shows their level in the configuration hierarchy. When you are configuring the Junos OS, your current hierarchy level is shown in the banner on the line preceding the user@host# prompt. For a complete list of the Junos configuration statements, see the Junos OS Hierarchy and RFC Reference.
This chapter is organized as follows:
• [edit applications] Hierarchy Level on page 5
• [edit forwarding-options] Hierarchy Level on page 6
• [edit interfaces] Hierarchy Level on page 8
• [edit logical-systems] Hierarchy Level on page 12
• [edit services] Hierarchy Level on page 12

[edit applications] Hierarchy Level
To configure application protocols, include the following statements at the [edit applications] hierarchy level of the configuration:
application application-name {
    application-protocol protocol-name;
    destination-port port-number;
    icmp-code value;
    icmp-type value;
    inactivity-timeout value;
    learn-sip-register;
    protocol type;
    rpc-program-number number;
    sip-call-hold-timeout seconds;
    snmp-command command;
    source-port port-number;
    ttl-threshold value;
    uuid hex-value;

}
application-set application-set-name {
    application application-name;
}

[edit forwarding-options] Hierarchy Level
To configure flow monitoring and accounting properties, include the following statements at the [edit forwarding-options] hierarchy level:
NOTE: For the complete [edit forwarding-options] hierarchy, see the Junos OS Routing Policy Configuration Guide. This listing includes only the statements used in flow monitoring and accounting services.
accounting name {
    output {
        aggregate-export-interval seconds;
        cflowd hostname {
            aggregation {
                autonomous-system;
                destination-prefix;
                protocol-port;
                source-destination-prefix {
                    caida-compliant;
                }
                source-prefix;
            }
            autonomous-system-type (origin | peer);
            port port-number;
            version format;
        }
        flow-active-timeout seconds;
        flow-inactive-timeout seconds;
        interface interface-name {
            engine-id number;
            engine-type number;
            source-address address;
        }
    }
}
monitoring name {
    family inet {
        output {
            cflowd hostname port port-number;
            export-format format;
            flow-active-timeout seconds;
            flow-export-destination {
                collector-pic;
            }
            flow-inactive-timeout seconds;
            interface interface-name {
                engine-id number;
                engine-type number;

                input-interface-index number;
                output-interface-index number;
                source-address address;
            }
        }
    }
}
next-hop-group group-name {
    interface interface-name {
        next-hop address;
    }
}
port-mirroring {
    input {
        rate rate;
        run-length number;
    }
    family (inet | inet6) {
        input {
            rate rate;
            run-length number;
        }
        output {
            interface interface-name {
                next-hop address;
            }
            no-filter-check;
        }
    }
    traceoptions {
        file filename {
            files number;
            size bytes;
            (world-readable | no-world-readable);
        }
    }
}
sampling {
    disable;
    family (inet | inet6 | mpls) {
        max-packets-per-second number;
        input {
            rate number;
            run-length number;
        }
        output {
            aggregate-export-interval seconds;
            cflowd hostname {
                aggregation {
                    autonomous-system;
                    destination-prefix;
                    protocol-port;
                    source-destination-prefix {
                        caida-compliant;

                source-prefix;
            }
            autonomous-system-type (origin | peer);
            (local-dump | no-local-dump);
            port port-number;
            version format;
            version9 {
                template template-name;
            }
        }
        file {
            disable;
            filename filename;
            files number;
            size bytes;
            (stamp | no-stamp);
            (world-readable | no-world-readable);
        }
        flow-active-timeout seconds;
        flow-inactive-timeout seconds;
        interface interface-name {
            engine-id number;
            engine-type number;
            source-address address;
        }
    }
    traceoptions {
        file filename {
            files number;
            size bytes;
            (world-readable | no-world-readable);
        }
    }
}

[edit interfaces] Hierarchy Level

To configure services interfaces, include the following statements at the [edit interfaces] hierarchy level of the configuration. This listing includes only the statements used in configuring services.

NOTE: For the complete [edit interfaces] hierarchy, see the Junos OS Network Interfaces Configuration Guide.

The statements can also be configured at the [edit logical-systems logical-system-name interfaces] hierarchy level.

[edit interfaces]
interface-name {
    (atm-options | fastether-options | gigether-options | sonet-options) {
        mpls {
            pop-all-labels {
                required-depth number;

            }
        }
    }
    encapsulation type;
    lsq-failure-options {
        no-termination-request;
        trigger-link-failure interface-name;
    }
    mlfr-uni-nni-bundle-options {
        acknowledge-retries number;
        acknowledge-timer milliseconds;
        action-red-differential-delay (disable-tx | remove-link);
        cisco-interoperability send-lip-remove-link-for-link-reject;
        drop-timeout milliseconds;
        fragment-threshold bytes;
        hello-timer milliseconds;
        lmi-type (ansi | itu);
        minimum-links number;
        mrru bytes;
        n391 number;
        n392 number;
        n393 number;
        red-differential-delay milliseconds;
        t391 number;
        t392 number;
        yellow-differential-delay milliseconds;
    }
    passive-monitor-mode;
    unit logical-unit-number {
        clear-dont-fragment-bit;
        compression {
            rtp {
                f-max-period number;
                maximum-contexts number <force>;
                port {
                    minimum port-number;
                    maximum port-number;
                }
                queues [ queue-numbers ];
            }
        }
        compression-device interface-name;
        copy-tos-to-outer-ip-header;
        dial-options {
            ipsec-interface-id name;
            l2tp-interface-id name;
            (dedicated | shared);
        }
        disable-mlppp-inner-ppp-pfc;
        dlci dlci-identifier;
        drop-timeout milliseconds;
        encapsulation type;
        family family {
            accounting {
                destination-class-usage;

                source-class-usage direction;
            }
            address address {
                destination address;
            }
            bundle (ml-fpc/pic/port | ls-fpc/pic/port);
            ipsec-sa ipsec-sa;
            multicast-only;
            receive-options-packets;
            receive-ttl-exceeded;
            sampling direction;
            service {
                input {
                    service-set service-set-name <service-filter filter-name>;
                    post-service-filter filter-name;
                }
                output {
                    service-set service-set-names <service-filter filter-name>;
                }
            }
        }
        fragment-threshold bytes;
        interleave-fragments;
        minimum-links number;
        mrru bytes;
        multicast-dlci dlci-identifier;
        peer-unit unit-number;
        reassemble-packets;
        rpm twamp-server;
        service-domain (inside | outside);
        short-sequence;
        tunnel {
            allow-fragmentation;
            backup-destination address;
            destination destination-address;
            do-not-fragment;
            key number;
            routing-instance {
                destination routing-instance-name;
            }
            source-address address;
            ttl number;
        }
    }
    multiservice-options {
        (core-dump | no-core-dump);
        flow-control-options {
            down-on-flow-control;
            dump-on-flow-control;
            reset-on-flow-control;
        }
        (syslog | no-syslog);
    }
    services-options {
        cgn-pic;

        disable-global-timeout-override;
        ignore-errors <alg> <tcp>;
        inactivity-non-tcp-timeout seconds;
        inactivity-tcp-timeout seconds;
        inactivity-timeout seconds;
        open-timeout seconds;
        session-limit {
            maximum number;
            rate new-sessions-per-second;
        }
        session-timeout seconds;
        syslog {
            host hostname {
                facility-override facility-name;
                log-prefix prefix-value;
                port port-number;
                services severity-level;
            }
            message-rate-limit messages-per-second;
        }
        tcp-tickles tcp-tickles;
    }
}
rlsqnumber {
    redundancy-options {
        hot-standby | warm-standby;
        primary lsq-fpc/pic/port;
        secondary lsq-fpc/pic/port;
    }
    unit logical-unit-number {
        encapsulation multilink-frame-relay-end-to-end;
    }
}
rlsqnumber:number {
    redundancy-options {
        hot-standby | warm-standby;
        primary lsq-fpc/pic/port;
        secondary lsq-fpc/pic/port;
    }
    encapsulation multilink-frame-relay-uni-nni;
}
rspnumber {
    redundancy-options {
        primary sp-fpc/pic/port;
        secondary sp-fpc/pic/port;
    }
}
so-fpc/pic/port {
    unit logical-unit-number {
        passive-monitor-mode;
    }
}

[edit logical-systems] Hierarchy Level

The following lists the statements that can be configured at the [edit logical-systems] hierarchy level that are documented in this manual. For more information about logical systems, see the Junos OS Routing Protocols Configuration Guide.

logical-system-name {
    interfaces interface-name {
        interface-configuration;
    }
}

[edit services] Hierarchy Level

To configure services, include the following statements at the [edit services] hierarchy level of the configuration. This listing includes only the statements documented in this manual; additional statements are documented in the Junos OS Subscriber Access Configuration Guide.

NOTE: For the complete [edit services] hierarchy, see the Junos OS Hierarchy and RFC Reference.

aacl {
    rule rule-name {
        match-direction (input | output | input-output);
        term term-name {
            from {
                application-group-any;
                application-groups [ application-group-names ];
                applications [ application-names ];
                destination-address address <any-unicast>;
                destination-address-range low minimum-value high maximum-value;
                destination-prefix-list list-name;
                source-address address <any-unicast>;
                source-address-range low minimum-value high maximum-value;
                source-prefix-list list-name;
            }
            then {
                (accept | discard);
                count (application | application-group | application-group-any | none);
                forwarding-class class-name;
                policer policer-name;
            }
        }
    }
    rule-set rule-set-name {
        [ rule rule-names ];
    }
}
adaptive-services-pics {
    traceoptions {

        file filename <files number> <size size> <world-readable | no-world-readable> <match regex>;
        flag flag;
        no-remote-trace;
    }
}
application-identification {
    application application-name {
        disable;
        idle-timeout seconds;
        index number;
        max-checked-bytes bytes;
        min-checked-bytes bytes;
        port-mapping {
            port-range {
                tcp (port | range);
                udp (port | range);
            }
        }
        session-timeout seconds;
        type type;
        type-of-service service-type;
    }
    application-group group-name {
        disable;
        application-groups {
            name [application-group-name];
        }
        applications {
            name [application-name];
        }
        index number;
    }
    application-system-cache-timeout seconds;
    enable-heuristics;
    nested-application nested-application-settings;
    no-application-identification;
    no-application-system-cache;
    no-clear-application-system-cache;
    no-signature-based;
    profile profile-name {
        [ rule-set rule-set-name ];
    }
    rule rule-name {
        disable;
        address address-name {
            destination {
                ip address</prefix-length>;
                port-range {
                    tcp [ ports-and-port-ranges ];
                    udp [ ports-and-port-ranges ];
                }
            }
            source {

                ip address</prefix-length>;
                port-range {
                    tcp [ ports-and-port-ranges ];
                    udp [ ports-and-port-ranges ];
                }
            }
            order number;
        }
        application application-name;
    }
    rule-set rule-set-name {
        rule application-rule-name;
    }
    traceoptions {
        file filename <files number> <match regex> <size size> <world-readable | no-world-readable>;
        flag flag;
        no-remote-trace;
    }
}
border-signaling-gateway {
    gateway gateway-name {
        admission-control admission-control-profile {
            dialogs {
                committed-attempts-rate dialogs-per-second;
                committed-burst-size number-of-dialogs;
                maximum-concurrent number;
            }
            transactions {
                committed-attempts-rate transactions-per-second;
                committed-burst-size number-of-transactions;
                maximum-concurrent number;
            }
        }
        embedded-spdf {
            service-class service-class-name {
                term term-name {
                    from {
                        media-type (any-media | audio | video);
                    }
                    then {
                        committed-burst-size bytes;
                        committed-information-rate bytes-per-second;
                        dscp (alias | do-not-change | dscp-value);
                        reject;
                    }
                }
            }
        }
        service-point service-point-name {
            default-media-realm service-interface interface-name.unit-number;
            service-point-type service-point-type;
            service-policies {
                new-call-usage-input-policies [policy-and-policy-set-names];
                new-call-usage-output-policies [policy-and-policy-set-names];

                new-transaction-input-policies [policy-and-policy-set-names];
                new-transaction-output-policies [policy-and-policy-set-names];
            }
            transport-details <port port-number> <ip-address ip-address> <tcp> <udp>;
        }
        sip {
            message-manipulation-rules {
                manipulation-rule rule-name {
                    actions {
                        sip-header header-field-name {
                            field-value {
                                add field-value;
                                add-missing field-value;
                                add-overwrite field-value;
                                modify-regular-expression regular-expression with field-value;
                                reject-regular-expression regular-expression;
                                remove-all;
                                remove-regular-expression regular-expression;
                            }
                        }
                        request-uri request-uri {
                            field-value {
                                modify-regular-expression regular-expression with field-value;
                            }
                        }
                    }
                }
            }
            new-call-usage-policy policy-name {
                term term-name {
                    from {
                        contact [ contact-fields ];
                        method {
                            method-invite;
                        }
                        request-uri [ uri-fields ];
                        source-address [ ip-addresses ];
                    }
                    then {
                        media-policy {
                            data-inactivity-detection {
                                inactivity-duration seconds;
                            }
                            no-anchoring;
                        }
                        service-class service-class-name;
                        trace;
                    }
                }
            }
            new-call-usage-policy-set policy-set-name {
                policy-name [ policy-names ];
            }
            new-transaction-policy policy-name {
                term term-name {
                    from {
                        contact {

                            registration-state [ registered | not-registered ];
                            regular-expression [ regular-expression ];
                            uri-hiding [ hidden-uri | not-hidden-uri ];
                        }
                        method {
                            method-invite;
                            method-message;
                            method-options;
                            method-publish;
                            method-refer;
                            method-register;
                            method-subscribe;
                        }
                        request-uri {
                            registration-state [ registered | not-registered ];
                            regular-expression [ regular-expression ];
                            uri-hiding [ hidden-uri | not-hidden-uri ];
                        }
                        source-address [ ip-addresses ];
                    }
                    then {
                        (accept | reject);
                        admission-control admission-control-profile;
                        message-manipulation {
                            forward-manipulation {
                                manipulation-rule-name;
                            }
                            reverse-manipulation {
                                manipulation-rule-name;
                            }
                        }
                        on-3xx-response {
                            recursion-limit number;
                        }
                        route {
                            egress-service-point service-point-name;
                            next-hop (request-uri | address ipv4-address | <port port-number> <transport-protocol (udp | tcp)>);
                            server-cluster cluster-name;
                        }
                        signaling-realm signaling-realm;
                        trace;
                    }
                }
            }
            new-transaction-policy-set policy-set-name {
                policy-name [ policy-names ];
            }
            routing-destinations {
                availability-check-profiles {
                    profile-name {
                        keepalive-interval {
                            available-server seconds;
                            unavailable-server seconds;
                        }

                        keepalive-method sip-options;
                        keepalive-strategy (do-not-send <blackout-period seconds> | send-always <failures-before-unavailable number> <successes-before-available number> | send-when-unavailable <successes-before-available number>);
                        transaction-timeout seconds;
                    }
                }
                clusters [ cluster-name ] {
                    server server-name {
                        priority priority-level;
                        weight weight-level;
                    }
                }
                default-availability-check-profile profile-name;
                servers {
                    server-name {
                        address ip4-address <port port-number> <transport (udp | tcp)>;
                        admission-control profile-name;
                        availability-check-profile profile-name;
                        service-point service-point-name;
                    }
                }
            }
            timers {
                inactive-call seconds;
                timer-c seconds;
            }
        }
    }
    traceoptions {
        file {
            filename filename;
            files number;
            match regex;
            size size;
        }
        flag {
            datastore {
                data trace-level;
                db trace-level;
                minimum trace-level;
            }
            framework {
                action trace-level;
                event trace-level;
                executor trace-level;
                freezer trace-level;
                handle trace-level;
                memory-pool trace-level;
                minimum trace-level;
            }
            minimum trace-level;
            sbc-utils {
                common trace-level;
                configuration trace-level;
                device-monitor trace-level;
                ipc trace-level;
                memory-management trace-level;

                message trace-level;
                minimum trace-level;
                user-interface trace-level;
            }
            session-trace trace-level;
            signaling {
                b2b trace-level;
                b2b-wrapper trace-level;
                minimum trace-level;
                policy trace-level;
                sip-stack-wrapper trace-level;
                topology-hiding trace-level;
                ua trace-level;
            }
            sip-stack {
                dev-logging;
                event-tracing;
                ips-tracing;
                minimum trace-level;
                pd-log-detail (full | summary);
                pd-log-level (audit | exception | problem);
                per-tracing;
                verbose-logging;
            }
        }
    }
}
cos {
    application-profile profile-name {
        ftp {
            data {
                dscp (alias | bits);
                forwarding-class class-name;
            }
        }
        sip {
            video {
                dscp (alias | bits);
                forwarding-class class-name;
            }
            voice {
                dscp (alias | bits);
                forwarding-class class-name;
            }
        }
    }
    rule rule-name {
        match-direction (input | output | input-output);
        term term-name {
            from {
                application-sets set-name;
                applications [ application-names ];
                destination-address address;
                destination-prefix-list list-name <except>;
                source-address address;
                source-prefix-list list-name <except>;
            }

            then {
                application-profile profile-name;
                dscp (alias | bits);
                forwarding-class class-name;
                (reflexive | reverse) {
                    application-profile profile-name;
                    dscp (alias | bits);
                    forwarding-class class-name;
                    syslog;
                }
                syslog;
            }
        }
    }
    rule-set rule-set-name {
        rule rule-name;
    }
}
dynamic-flow-capture {
    capture-group client-name {
        content-destination identifier {
            address address;
            hard-limit bandwidth;
            hard-limit-target bandwidth;
            soft-limit bandwidth;
            soft-limit-clear bandwidth;
            ttl hops;
        }
        control-source identifier {
            allowed-destinations [ destination ];
            minimum-priority value;
            no-syslog;
            notification-targets address port port-number;
            service-port port-number;
            shared-key value;
            source-addresses [ address ];
            syslog;
        }
        duplicates-dropped-periodicity seconds;
        input-packet-rate-threshold rate;
        interfaces interface-name;
        max-duplicates number;
        pic-memory-threshold percentage percentage;
    }
    g-duplicates-dropped-periodicity seconds;
    g-max-duplicates number;
}
flow-collector {
    analyzer-address address;
    analyzer-id name;
    destinations {
        ftp:url {
            password "password";
        }
    }
    file-specification {
        variant variant-number {

            data-format format;
            name-format format;
            transfer {
                record-level number;
                timeout seconds;
            }
        }
    }
    interface-map {
        collector interface-name;
        file-specification variant-number;
        interface-name {
            collector interface-name;
            file-specification variant-number;
        }
    }
    retry number;
    retry-delay seconds;
    transfer-log-archive {
        archive-sites {
            ftp:url {
                password "password";
                username username;
            }
        }
        filename-prefix prefix;
        maximum-age minutes;
    }
}
flow-monitoring {
    version9 {
        template template-name {
            flow-active-timeout seconds;
            flow-inactive-timeout seconds;
            ipv4-template;
            ipv6-template;
            mpls-ipv4-template {
                label-position [ positions ];
            }
            mpls-template {
                label-position [ positions ];
            }
            option-refresh-rate packets packets seconds seconds;
            template-refresh-rate packets packets seconds seconds;
        }
    }
}
flow-tap {
    (interface interface-name | tunnel-interface interface-name);
}
ids {
    rule rule-name {
        match-direction (input | output | input-output);
        term term-name {
            from {
                application-sets set-name;

                applications [ application-names ];
                destination-address (address | any-unicast) <except>;
                destination-address-range low minimum-value high maximum-value <except>;
                destination-prefix-list list-name <except>;
                source-address (address | any-unicast) <except>;
                source-address-range low minimum-value high maximum-value <except>;
                source-prefix-list list-name <except>;
            }
            then {
                aggregation {
                    destination-prefix prefix-number | destination-prefix-ipv6 prefix-number;
                    source-prefix prefix-number | source-prefix-ipv6 prefix-number;
                }
                (force-entry | ignore-entry);
                logging {
                    syslog;
                    threshold rate;
                }
                session-limit {
                    by-destination {
                        hold-time seconds;
                        maximum number;
                        packets number;
                        rate number;
                    }
                    by-pair {
                        maximum number;
                        packets number;
                        rate number;
                    }
                    by-source {
                        hold-time seconds;
                        maximum number;
                        packets number;
                        rate number;
                    }
                }
                syn-cookie {
                    mss value;
                    threshold rate;
                }
            }
        }
    }
    rule-set rule-set-name {
        rule rule-name;
    }
}
ipsec-vpn {
    clear-ike-sas-on-pic-restart;
    clear-ipsec-sas-on-pic-restart;
    ike {
        proposal proposal-name {
            authentication-algorithm (md5 | sha1 | sha-256);
            authentication-method (dsa-signatures | pre-shared-keys | rsa-signatures);
            description description;

            dh-group (group1 | group2 | group5 | group14);
            encryption-algorithm algorithm;
            lifetime-seconds seconds;
        }
        policy policy-name {
            description description;
            local-certificate identifier;
            local-id (ipv4_addr ipv4-address | ipv6-addr ipv6-address | key-id identifier);
            mode (aggressive | main);
            pre-shared-key (ascii-text key | hexadecimal key);
            proposals [ proposal-names ];
            remote-id {
                ipv4_addr [ values ];
                ipv6_addr [ values ];
                key_id [ values ];
            }
            version (1 | 2);
        }
    }
    ipsec {
        proposal proposal-name {
            authentication-algorithm (hmac-md5-96 | hmac-sha1-96);
            description description;
            encryption-algorithm algorithm;
            lifetime-seconds seconds;
            protocol (ah | esp | bundle);
        }
        policy policy-name {
            description description;
            perfect-forward-secrecy {
                keys (group1 | group2);
            }
            proposals [ proposal-names ];
        }
    }
    rule rule-name {
        match-direction (input | output);
        term term-name {
            from {
                destination-address address;
                ipsec-inside-interface interface-name;
                source-address address;
            }
            then {
                anti-replay-window-size bits;
                backup-remote-gateway address;
                clear-dont-fragment-bit;
                dynamic {
                    ike-policy policy-name;
                    ipsec-policy policy-name;
                }
                initiate-dead-peer-detection;
                manual {
                    direction (inbound | outbound | bidirectional) {
                        authentication {
                            algorithm (hmac-md5-96 | hmac-sha1-96);

                            key (ascii-text key | hexadecimal key);
                        }
                        auxiliary-spi spi-value;
                        encryption {
                            algorithm algorithm;
                            key (ascii-text key | hexadecimal key);
                        }
                        protocol (ah | bundle | esp);
                        spi spi-value;
                    }
                }
                no-anti-replay;
                remote-gateway address;
                syslog;
                tunnel-mtu bytes;
            }
        }
    }
    rule-set rule-set-name {
        rule rule-name;
    }
    no-ipsec-tunnel-in-traceroute;
    traceoptions {
        file {
            files number;
            size bytes;
        }
        flag flag;
        level level;
    }
}
l2tp {
    tunnel-group name {
        hello-interval seconds;
        hide-avps;
        l2tp-access-profile profile-name;
        local-gateway address address;
        maximum-send-window packets;
        ppp-access-profile profile-name;
        receive-window packets;
        retransmit-interval seconds;
        service-interface interface-name;
        syslog {
            host hostname {
                facility-override facility-name;
                log-prefix prefix-value;
                services severity-level;
            }
        }
        tunnel-timeout seconds;
    }
    traceoptions {
        debug-level level;
        filter {
            protocol name;

        }
        flag flag;
        interfaces interface-name {
            debug-level level;
            flag flag;
        }
    }
}
logging {
    traceoptions {
        file filename <files number> <size size> <world-readable | no-world-readable> <match regex>;
        flag flag;
        pgcp {
            hint [ hint-strings ];
            remotely-controlled;
            transport;
        }
    }
}
nat {
    ipv6-multicast-interfaces (all | interface-name) {
        disable;
    }
    pool nat-pool-name {
        address ip-prefix</prefix-length>;
        address-range low minimum-value high maximum-value;
        port (automatic | range low minimum-value high maximum-value) {
            random-allocation;
        }
        ports-per-session ports;
    }
    rule rule-name {
        match-direction (input | output);
        term term-name {
            from {
                application-sets set-name;
                applications [ application-names ];
                destination-address (address | any-unicast) <except>;
                destination-address-range low minimum-value high maximum-value <except>;
                destination-prefix-list list-name <except>;
                source-address (address | any-unicast) <except>;
                source-address-range low minimum-value high maximum-value <except>;
                source-prefix-list list-name <except>;
            }
            then {
                syslog;
                translated {
                    destination-pool nat-pool-name;
                    destination-prefix destination-prefix;
                    dns-alg-pool dns-alg-pool;
                    dns-alg-prefix dns-alg-prefix;
                    overload-pool overload-pool-name;
                    overload-prefix overload-prefix;
                    source-pool nat-pool-name;
                    source-prefix source-prefix;
                    translation-type {

                        (basic-nat-pt | basic-nat44 | basic-nat66 | dnat-44 | dynamic-nat44 | napt-44 | napt-66 | napt-pt | stateful-nat64 | twice-basic-nat-44 | twice-dynamic-nat-44 | twice-napt-44);
                    }
                    use-dns-map-for-destination-translation;
                }
            }
        }
    }
    rule-set rule-set-name {
        rule rule-name;
    }
}
pgcp {
    gateway gateway-name {
        cleanup-timeout seconds;
        data-inactivity-detection {
            inactivity-delay seconds;
            inactivity-duration seconds;
            latch-deadlock-delay seconds;
            no-rtcp-check stop-detection-on-drop;
            report-service-change {
                service-change-type (forced-906 | forced-910);
            }
            send-notification-on-delay;
        }
        fast-update-filters {
            maximum-fuf-percentage percentage;
            maximum-terms number-of-terms;
        }
        gateway-address gateway-address;
        gateway-controller gateway-controller-name {
            controller-address ip-address;
            controller-port port-number;
            interim-ah-scheme {
                algorithm algorithm;
            }
        }
        gateway-port gateway-port;
        graceful-restart {
            maximum-synchronization-mismatches number-of-mismatches;
        }
        h248-properties {
            application-data-inactivity-detection {
                ip-flow-stop-detection (regulated-notify | immediate-notify);
            }
            base-root {
                mg-provisional-response-timer-value {
                    default milliseconds;
                    maximum milliseconds;
                    minimum milliseconds;
                }
                mgc-originated-pending-limit {
                    default number-of-messages;

                    maximum number-of-messages;
                    minimum number-of-messages;
                }
                normal-mg-execution-time {
                    default milliseconds;
                    maximum milliseconds;
                    minimum milliseconds;
                }
                normal-mgc-execution-time {
                    default milliseconds;
                    maximum milliseconds;
                    minimum milliseconds;
                }
            }
            diffserv {
                dscp {
                    default (dscp-value | alias | do-not-change);
                }
            }
            event-timestamp-notification {
                request-timestamp (requested | suppressed | autonomous);
            }
            hanging-termination-detection {
                timerx seconds;
            }
            notification-behavior {
                notification-regulation default (once | 0-100);
            }
            segmentation {
                mg-segmentation-timer {
                    default milliseconds;
                    maximum milliseconds;
                    minimum milliseconds;
                }
                mgc-segmentation-timer {
                    default milliseconds;
                    maximum milliseconds;
                    minimum milliseconds;
                }
                mg-maximum-pdu-size {
                    default bytes;
                    maximum bytes;
                    minimum bytes;
                }
                mgc-maximum-pdu-size {
                    default bytes;
                    maximum bytes;
                    minimum bytes;
                }
            }
            traffic-management {
                max-burst-size {
                    default bytes-per-second;
                    maximum bytes-per-second;
                    minimum bytes-per-second;
                    rtcp {

                        (fixed-value bytes-per-second | percentage percentage);
                    }
                }
                peak-data-rate {
                    default bytes-per-second;
                    maximum bytes-per-second;
                    minimum bytes-per-second;
                    rtcp {
                        (fixed-value bytes-per-second | percentage percentage);
                    }
                }
                rtcp-include;
                sustained-data-rate {
                    default bytes-per-second;
                    maximum bytes-per-second;
                    minimum bytes-per-second;
                    rtcp {
                        (fixed-value bytes-per-second | percentage percentage);
                    }
                }
            }
        }
        h248-options {
            audit-observed-events-returns;
            encoding {
                no-dscp-bit-mirroring;
                use-lower-case;
            }
            inactivity-timer {
                inactivity-timeout {
                    detect;
                    maximum-inactivity-time {
                        default 10-millisecond-units;
                        maximum 10-millisecond-units;
                        minimum 10-millisecond-units;
                    }
                }
            }
            service-change {
                context-indications {
                    state-loss (forced-910 | forced-915 | none);
                }
                control-association-indications {
                    disconnect {
                        controller-failure (failover-909 | restart-902);
                        reconnect (disconnected-900 | restart-902);
                    }
                    down {
                        administrative (forced-905 | forced-908 | none);
                        failure (forced-904 | forced-908 | none);
                        graceful (graceful-905 | none);
                    }
                    up {
                        cancel-graceful (none | restart-918);
                        failover-cold (failover-920 | restart-901);
                        failover-warm (failover-919 | restart-902);

                        warm (none | restart-900);
                    }
                }
                virtual-interface-indications {
                    virtual-interface-down {
                        administrative (forced-905 | forced-906 | none);
                        failure (forced-904 | forced-906 | none);
                        graceful (graceful-905 | none);
                    }
                    virtual-interface-up {
                        cancel-graceful (none | restart-918);
                    }
                }
            }
            use-wildcard-response;
        }
        h248-timers {
            initial-average-ack-delay milliseconds;
            maximum-net-propagation-delay milliseconds;
            maximum-waiting-delay milliseconds;
            tmax-retransmission-delay milliseconds;
        }
        max-concurrent-calls number-of-calls;
        monitor {
            media {
                rtcp;
                rtp;
            }
        }
        nat-pool nat-pool-name;
        service-state (in-service | out-of-service-forced | out-of-service-graceful);
        session-mirroring {
            delivery-function delivery-function-name {
                destination-address destination-address;
                destination-port destination-port;
                network-operator-id network-operator-id;
                source-address source-address;
                source-port source-port;
            }
            disable-session-mirroring;
        }
    }
    rule rule-name {
        gateway gateway-name;
        nat-pool nat-pool-name;
    }
    rule-set rule-set-name {
        rule rule-name;
    }
    traceoptions {
        file <filename filename> <files number> <match regex> <size size> <world-readable | no-world-readable>;
        flag {
            bgf-core {
                common trace-level;
                default trace-level;

                firewall trace-level;
                gate-logic trace-level;
                pic-broker trace-level;
                statistics trace-level;
            }
            default trace-level;
            h248-stack {
                control-association trace-level;
                default trace-level;
                media-gateway trace-level;
                messaging trace-level;
            }
            sbc-utils {
                common trace-level;
                configuration trace-level;
                default trace-level;
                device-monitor trace-level;
                ipc trace-level;
                memory-management trace-level;
                messages;
                user-interface trace-level;
            }
        }
    }
    virtual-interface interface-number {
        nat-pool nat-pool-name;
        routing-instance instance-name {
            service-interface interface-name;
        }
        service-interface interface-identifier.unit-number;
        service-state (in-service | out-of-service-forced | out-of-service-graceful);
        session-mirroring {
            delivery-function delivery-function-name {
                destination-address destination-address;
                destination-port destination-port;
                network-operator-id network-operator-id;
                source-address source-address;
                source-port source-port;
            }
            disable-session-mirroring;
        }
    }
}
ptsp {
    forward-rule rule-name {
        term precedence {
            from {
                application-groups [ application-group-name ];
                applications [ application-name ];
                local-address address <except>;
                local-address-range low low-value high high-value <except>;
                local-prefix-list prefix-list-name <except>;
            }
            then {
                forwarding-instance forwarding-instance unit-number unit-number;

                demux (destination-address | source-address);
            }
        }
    }
    rule rule-name {
        count-type (application | rule);
        match-direction (input | input-output | output);
        term precedence {
            from {
                application-group-any;
                application-groups [ application-group-name ];
                applications [ application-name ];
                local-port-range low low-value high high-value;
                local-ports [ value-list ];
                protocol protocol-number;
                remote-address address <except>;
                remote-address-range low low-value high high-value <except>;
                remote-port-range low low-value high high-value;
                remote-ports [ value-list ];
                remote-prefix-list prefix-list-name <except>;
            }
            then {
                (accept | discard);
                count (application | application-group | application-group-any | rule | none);
                forward-rule forward-rule-name;
                forwarding-class forwarding-class;
                police policer-name;
            }
        }
    }
    rule-set rule-set-name {
        rule rule-name;
    }
}
rpm {
    bgp {
        data-fill data;
        data-size size;
        destination-port port;
        history-size size;
        logical-system logical-system-name <routing-instances routing-instance-name>;
        moving-average-size number;
        probe-count count;
        probe-interval seconds;
        probe-type type;
        routing-instances instance-name;
        test-interval interval;
    }
    probe owner {
        test test-name {
            data-fill data;
            data-size size;
            destination-interface interface-name;
            destination-port port;
            dscp-code-point dscp-bits;
            hardware-timestamp;

            history-size size;
            moving-average-size number;
            one-way-hardware-timestamp;
            probe-count count;
            probe-interval seconds;
            probe-type type;
            routing-instance instance-name;
            source-address address;
            target (url | address);
            test-interval interval;
            thresholds thresholds;
            traps traps;
        }
    }
    probe-limit limit;
    probe-server {
        tcp {
            destination-interface interface-name;
            port number;
        }
        udp {
            destination-interface interface-name;
            port number;
        }
    }
    twamp {
        server {
            authentication-mode (authenticated | encrypted | none);
            client-list list-name {
                address address;
            }
            inactivity-timeout seconds;
            maximum-connections count;
            maximum-connections-per-client count;
            maximum-sessions count;
            maximum-sessions-per-connection count;
            port number;
        }
    }
}
service-set service-set-name {
    aacl-rules rule-name;
    allow-multicast;
    extension-service service-name {
        provider-specific rules;
    }
    (ids-rules rule-names | ids-rule-sets rule-set-name);
    interface-service {
        service-interface interface-name;
    }
    (ipsec-vpn-rules rule-names | ipsec-vpn-rule-sets rule-set-name);
    (nat-rules rule-names | nat-rule-sets rule-set-name);
    (pgcp-rules rule-names | pgcp-rule-sets rule-set-name);
    policy-decision-statistics-profile profile-name;
    (ptsp-rules rule-names | ptsp-rule-sets rule-set-name);
    (stateful-firewall-rules rule-names | stateful-firewall-rule-sets rule-set-name);

    ipsec-vpn-options {
        anti-replay-window-size bits;
        clear-dont-fragment-bit;
        copy-dscp;
        ike-access-profile profile-name;
        local-gateway address;
        no-anti-replay;
        passive-mode-tunneling;
        trusted-ca [ ca-profile-names ];
        tunnel-mtu bytes;
    }
    max-flows number;
    next-hop-service {
        inside-service-interface interface-name.unit-number;
        outside-service-interface interface-name.unit-number;
        service-interface-pool name;
    }
    service-order {
        forward-flow [ service-name1 service-name2 ];
        reverse-flow [ service-name1 service-name2 ];
    }
    syslog {
        host hostname {
            facility-override facility-name;
            port port-number;
            services severity-level;
        }
    }
}
softwire {
    softwire-concentrator {
        ds-lite ds-lite-softwire-concentrator {
            auto-update-mtu;
            flow-limit flow-limit;
            mtu-v6 mtu-v6;
            softwire-address address;
        }
        v6rd v6rd-softwire-concentrator {
            ipv4-prefix ipv4-prefix;
            mtu-v4 mtu-v4;
            v6rd-prefix ipv6-prefix;
        }
    }
    rule rule-name {
        match-direction (input | output);
        term term-name {
            then {
                ds-lite name;
            }
        }
    }
    ipv6-multicast-filters;
}
stateful-firewall {
    rule rule-name {
        match-direction (input | output | input-output);

        term term-name {
            from {
                application-sets set-name;
                applications [ application-names ];
                destination-address (address | any-unicast) <except>;
                destination-address-range low minimum-value high maximum-value <except>;
                destination-prefix-list list-name <except>;
                source-address (address | any-unicast) <except>;
                source-address-range low minimum-value high maximum-value <except>;
                source-prefix-list list-name <except>;
            }
            then {
                (accept | discard | reject);
                allow-ip-options [ values ];
                syslog;
            }
        }
    }
    rule-set rule-set-name {
        rule rule-name;
    }
}


PART 2
Adaptive Services

• Adaptive Services Overview on page 37
• Applications Configuration Guidelines on page 71
• Summary of Applications Configuration Statements on page 103
• Stateful Firewall Services Configuration Guidelines on page 113
• Summary of Stateful Firewall Configuration Statements on page 123
• Stateful Firewall on the Embedded Junos OS Platform Configuration Guidelines on page 135
• Summary of Stateful Firewall on the Embedded Junos OS Platform Configuration Statements on page 139
• Carrier-Grade NAT Configuration Guidelines on page 149
• Summary of Carrier-Grade NAT Configuration Statements on page 239
• Load Balancing Configuration Guidelines on page 271
• Summary of Load Balancing Configuration Statements on page 277
• Intrusion Detection Service Configuration Guidelines on page 289
• Summary of Intrusion Detection Service Configuration Statements on page 301
• IPsec Services Configuration Guidelines on page 323
• Summary of IPsec Services Configuration Statements on page 377
• Layer 2 Tunneling Protocol Services Configuration Guidelines on page 413
• Summary of Layer 2 Tunneling Protocol Configuration Statements on page 431
• Link Services IQ Interfaces Configuration Guidelines on page 447
• Summary of Link Services IQ Configuration Statements on page 509
• Voice Services Configuration Guidelines on page 521
• Summary of Voice Services Configuration Statements on page 531
• Class-of-Service Configuration Guidelines on page 541
• Summary of Class-of-Service Configuration Statements on page 551
• Service Set Configuration Guidelines on page 567
• Summary of Service Set Configuration Statements on page 585
• Service Interface Configuration Guidelines on page 611
• Summary of Service Interface Configuration Statements on page 625
• PGCP Configuration Guidelines for the BGF Feature on page 643
• Summary of PGCP Configuration Statements on page 649
• Service Interface Pools Configuration Guidelines on page 751
• Summary of Service Interface Pools Statements on page 753
• Border Signaling Gateway Configuration Guidelines on page 755
• Summary of Border Signaling Gateway Configuration Statements on page 761
• PTSP Configuration Guidelines on page 841
• Summary of PTSP Configuration Statements on page 843
• Softwire Configuration Guidelines on page 865
• Summary of Softwire Configuration Statements on page 883

CHAPTER 3
Adaptive Services Overview

This chapter discusses the following topics:
• Adaptive Services Overview on page 37
• Enabling Service Packages on page 39
• Services Configuration Procedure on page 44
• Packet Flow Through the Adaptive Services or Multiservices PIC on page 44
• Stateful Firewall Overview on page 45
• Network Address Translation Overview on page 48
• Tunneling Services for IPv4-to-IPv6 Transition Overview on page 53
• IPsec Overview on page 57
• Layer 2 Tunneling Protocol Overview on page 59
• Voice Services Overview on page 60
• Class of Service Overview on page 60
• Examples: Services Interfaces Configuration on page 61

Adaptive Services Overview

The Adaptive Services (AS) and MultiServices PICs provide adaptive services interfaces, which allow you to coordinate multiple services on a single PIC by configuring a set of services and applications. The AS and MultiServices PICs offer a special range of services that you configure in one or more service sets.

The AS PIC is available in two versions that differ in memory size:
• The Adaptive Services PIC with 256 megabytes (MB) of memory is supported on all M Series routers except the M320 router.
• The Adaptive Services II PIC with 512 MB of memory is supported on all Juniper Networks M Series and T Series routers, including the M320 router.

The M7i router includes the Adaptive Services Module (ASM), an integrated version of the AS PIC, as an optional component; it offers all the features of the standalone version at a reduced bandwidth.

NOTE: To take advantage of the features available on the AS PIC, you must install it in an Enhanced Flexible PIC Concentrator (FPC) in an M Series router equipped with an Internet Processor II application-specific integrated circuit (ASIC), or in a similarly equipped T Series router. To find out whether your router hardware is suitably equipped, use the show chassis hardware command.

The MultiServices PIC is available in three versions, which differ in memory size and performance: the MultiServices 100, the MultiServices 400, and the MultiServices 500. All versions offer enhanced performance in comparison with AS PICs. MultiServices PICs are supported on M Series and T Series routers except M20 routers. For more information about supported packages, see “Enabling Service Packages” on page 39.

The MultiServices DPC is available for MX Series routers; it includes a subset of the functionality supported on the MultiServices PIC. Currently the MultiServices DPC supports the following Layer 3 services: stateful firewall, NAT, IDS, IPsec, RPM, active flow monitoring, and generic routing encapsulation (GRE) tunnels (including GRE key and fragmentation); it also supports graceful Routing Engine switchover (GRES) and Dynamic Application Awareness for Junos OS.

It is also possible to group several Multiservices PICs into an aggregated Multiservices (AMS) system. The primary benefit of an AMS configuration is the ability to support load balancing of traffic across multiple services PICs. An AMS configuration eliminates the need for separate routers within a system. Starting with Junos OS 11.4, all MX Series routers will support high availability (HA) and Network Address Translation (NAT) on AMS infrastructure. See “Configuring Load Balancing on AMS Infrastructure” on page 271 for more information.

NOTE: The Adaptive Services and MultiServices PICs are polling based and not interrupt based; as a result, a high value in the show chassis pic “Interrupt load average” field may not mean that the PIC has reached its maximum limit of processing. For more information, see the Junos OS System Basics and Services Command Reference.

The following services are configured within a service set and are available only on adaptive services interfaces:
• Stateful firewall—A type of firewall filter that considers state information derived from previous communications and other applications when evaluating traffic.
• Network Address Translation (NAT)—A security procedure for concealing host addresses on a private network behind a pool of public addresses.
• Intrusion detection service (IDS)—A set of tools for detecting, redirecting, and preventing certain kinds of network attack and intrusion.

• IP Security (IPsec)—A set of tools for configuring manual or dynamic security associations (SAs) for encryption of data traffic.
• Class of service (CoS)—A subset of CoS functionality for services interfaces, limited to DiffServ code point (DSCP) marking and forwarding-class assignment. CoS BA classification is not supported on services interfaces.

The configuration for these services comprises a series of rules that you can arrange in order of precedence as a rule set. Each rule follows the structure of a firewall filter, with a from statement containing input or match conditions and a then statement containing actions to be taken if the match conditions are met.

The following services are also configured on the AS and MultiServices PICs, but do not use the rule set definition:
• Layer 2 Tunneling Protocol (L2TP)—A tool for setting up secure tunnels using Point-to-Point Protocol (PPP) encapsulation across Layer 2 networks.
• Link Services Intelligent Queuing (LSQ)—Interfaces that support Junos OS class-of-service (CoS) components, link fragmentation and interleaving (LFI) (FRF.12), Multilink Frame Relay (MLFR) user-to-network interface (UNI) network-to-network interface (NNI) (FRF.16), and Multilink PPP (MLPPP).
• Voice services—A feature that uses the Compressed Real-Time Transport Protocol (CRTP) to enable voice over IP traffic to use low-speed links more effectively.

In addition, Junos OS includes the following tools for configuring services:
• Application protocols definition—Allows you to configure properties of application protocols that are subject to processing by router services, and to group the application definitions into application sets.
• Service-set definition—Allows you to configure combinations of directional rules and default settings that control the behavior of each service in the service set.

NOTE: Logging of adaptive services interfaces messages to an external server by means of the fxp0 port is not supported on M Series routers. The architecture does not support system logging traffic out of a management interface. Instead, access to an external server is supported on a Packet Forwarding Engine interface.

Enabling Service Packages

For AS PICs, Multiservices PICs, Multiservices DPCs, and the internal Adaptive Services Module (ASM) in the M7i router, there are two service packages: Layer 2 and Layer 3. Both service packages are supported on all adaptive services interfaces, but you can enable only one service package per PIC, with the exception of a combined package supported on the ASM. On a single router, you can enable both service packages by installing two or more PICs on the platform.

NOTE: The ASM has a default option (layer-2-3) that combines the features available in the Layer 2 and Layer 3 service packages.

You enable service packages per PIC, not per port. For example, if you configure the Layer 2 service package, the entire PIC uses the configured package.

The services supported in each package differ by PIC and platform type. Table 3 on page 41 lists the services supported within each service package for each PIC and platform. On the AS and Multiservices PICs, link services support includes Junos OS CoS components, LFI (FRF.12), MLFR end-to-end (FRF.15), MLFR UNI NNI (FRF.16), MLPPP (RFC 1990), and multiclass MLPPP. For more information, see “Layer 2 Service Package Capabilities and Interfaces” on page 43 and “Layer 2 Service Package Capabilities and Interfaces” on page 448.

To determine which package an AS PIC supports, issue the show chassis hardware command: if the PIC supports the Layer 2 package, it is listed as Link Services II, and if it supports the Layer 3 package, it is listed as Adaptive Services II. To determine which package a Multiservices PIC supports, issue the show chassis pic fpc-slot slot-number pic-slot slot-number command. The Package field displays the value Layer-2 or Layer-3.

To enable a service package, include the service-package statement at the [edit chassis fpc slot-number pic pic-number adaptive-services] hierarchy level, and specify layer-2 or layer-3:

    [edit chassis fpc slot-number pic pic-number adaptive-services]
    service-package (layer-2 | layer-3);

NOTE: Changing the service package causes all state information associated with the previous service package to be lost. You should change the service package only when there is no active traffic going to the PIC. After you commit a change in the service package, the PIC is taken offline and then brought back online immediately. You do not need to manually take the PIC offline and online.

NOTE: Graceful Routing Engine switchover (GRES) is automatically enabled on all services PICs and DPCs except the ES PIC. It is supported on all M Series, MX Series, and T Series routers except for TX Matrix routers. Layer 3 services should retain state after switchover, but Layer 2 services will restart. For IPsec services, Internet Key Exchange (IKE) negotiations are not stored and must be restarted after switchover. For more information about GRES, see the Junos OS High Availability Configuration Guide.

For information about services supported on SRX Series Services Gateways and J Series Services Routers, see the Junos OS Feature Support Reference for SRX Series and J Series Devices.

NOTE: The AS PIC II for Layer 2 Service is dedicated to supporting the Layer 2 service package only. For additional information about Layer 3 services, see the Junos OS Feature Guides.

Table 3: AS and Multiservices PIC Services by Service Package, PIC, and Platform

Services | ASM (M7i) | AS/AS2 and Multiservices PICs (M7i, M10i, and M20) | AS2 and Multiservices PICs (M40e and M120) | AS2 and Multiservices PICs (M320, T320, and T640) | AS2 and Multiservices PICs (TX Matrix)

Layer 2 Service Package (Only)

Link Services:
• Link services | Yes | Yes | Yes | Yes | No
• Multiclass MLPPP | Yes | Yes | Yes | Yes | No

Voice Services:
• CRTP and LFI | Yes | Yes | Yes | Yes | No
• CRTP and MLPPP | Yes | Yes | Yes | Yes | No
• CRTP over PPP (without MLPPP) | Yes | Yes | Yes | Yes | No

Layer 3 Service Package (Only)

Security Services:
• CoS | Yes | Yes | Yes | Yes | No
• Intrusion detection system (IDS) | Yes | Yes | Yes | Yes | No
• IPsec | Yes | Yes | Yes | Yes | No
• NAT | Yes | Yes | Yes | Yes | No
• Stateful firewall | Yes | Yes | Yes | Yes | No

Accounting Services:
• Active monitoring | Yes | Yes | Yes | Yes | Yes
• Dynamic flow capture (Multiservices 400 PIC only) | No | No | No | Yes | No

Table 3: AS and Multiservices PIC Services by Service Package, PIC, and Platform (continued)

Services | ASM (M7i) | AS/AS2 and Multiservices PICs (M7i, M10i, and M20) | AS2 and Multiservices PICs (M40e and M120) | AS2 and Multiservices PICs (M320, T320, and T640) | AS2 and Multiservices PICs (TX Matrix)

Accounting Services (continued):
• Flow-tap
• Passive monitoring (Multiservices 400 PIC only)
• Port mirroring
(cells for these three rows, in extraction order): Yes Yes Yes (M40e only) Yes (M40e only) Yes Yes No No Yes Yes No Yes Yes Yes Yes

LNS Services:
• L2TP LNS | Yes | Yes (M7i and M10i only) | Yes (M120 only) | No | No

Voice Services:
• BGF | Yes | Yes | Yes | Yes | No

Layer 2 and Layer 3 Service Package (Common Features)

RPM Services:
• RPM probe timestamping | Yes | Yes | Yes | Yes | No

Tunnel Services:
• GRE (gr-fpc/pic/port)
• GRE fragmentation (clear-dont-fragment-bit)
• GRE key
• IP-IP tunnels (ip-fpc/pic/port)
• Logical tunnels (lt-fpc/pic/port)
• Multicast tunnels (mt-fpc/pic/port)
• PIM de-encapsulation (pd-fpc/pic/port)
• PIM encapsulation (pe-fpc/pic/port)
• Virtual tunnels (vt-fpc/pic/port)
(cells for these nine rows, in extraction order): Yes Yes Yes Yes Yes Yes Yes No Yes No Yes Yes No Yes Yes Yes Yes Yes Yes No Yes Yes Yes Yes Yes Yes No Yes Yes Yes Yes Yes Yes No Yes Yes Yes Yes No Yes No Yes Yes Yes Yes

Layer 2 Service Package Capabilities and Interfaces

When you enable the Layer 2 service package, you can configure link services, as shown in Table 3 on page 41. On the AS and Multiservices PICs and the ASM, link services include support for the following:
• Junos CoS components—“Layer 2 Service Package Capabilities and Interfaces” on page 448 describes how the Junos CoS components work on link services IQ (lsq) interfaces. For detailed information about Junos CoS components, see the Junos OS Class of Service Configuration Guide.
• LFI on Frame Relay links using FRF.12 end-to-end fragmentation—The standard for FRF.12 is defined in the specification FRF.12, Frame Relay Fragmentation Implementation Agreement.
• LFI on MLPPP links.
• MLFR UNI NNI (FRF.16)—The standard for FRF.16 is defined in the specification FRF.16.1, Multilink Frame Relay UNI/NNI Implementation Agreement.
• MLPPP (RFC 1990)
• MLFR end-to-end (FRF.15)

For the LSQ interface on the AS and Multiservices PICs, the configuration syntax is almost the same as for Multilink and Link Services PICs. The primary difference is the use of the interface-type descriptor lsq instead of ml or ls. For more information, see “Layer 2 Service Package Capabilities and Interfaces” on page 448 and Link and Multilink Properties.

When you enable the Layer 2 service package, the following interfaces are automatically created:

    gr-fpc/pic/port
    ip-fpc/pic/port
    lsq-fpc/pic/port
    lsq-fpc/pic/port:0
    ...
    lsq-fpc/pic/port:N
    mt-fpc/pic/port
    pd-fpc/pic/port
    pe-fpc/pic/port
    sp-fpc/pic/port
    vt-fpc/pic/port

Interface types gr, ip, mt, pd, pe, and vt are standard tunnel interfaces that are available on the AS and Multiservices PICs whether you enable the Layer 2 or the Layer 3 service package. These tunnel interfaces function the same way for both service packages, except that the Layer 2 service package does not support some tunnel functions.

Interface type lsq-fpc/pic/port is the physical link services IQ (lsq) interface. Interface types lsq-fpc/pic/port:0 through lsq-fpc/pic/port:N represent FRF.16 bundles. These interface types are created when you include the mlfr-uni-nni-bundles statement at the [edit chassis fpc slot-number pic pic-number] hierarchy level.

NOTE: Interface type sp is created because it is needed by the Junos OS. For the Layer 2 service package, the sp interface is not configurable, but you should not disable it.

Services Configuration Procedure

You follow these general steps to configure services:
1. Define application objects by configuring statements at the [edit applications] hierarchy level.
2. Define service rules by configuring statements at the [edit services (ids | ipsec-vpn | nat | stateful-firewall) rule] hierarchy level.
3. Group the service rules by configuring the rule-set statement at the [edit services (ids | ipsec-vpn | nat | stateful-firewall)] hierarchy level.
4. Group service rule sets under a service-set definition by configuring the service-set statement at the [edit services] hierarchy level.
5. Apply the service set on an interface by including the service-set statement at the [edit interfaces interface-name unit logical-unit-number family inet service (input | output)] hierarchy level. Alternatively, you can configure logical interfaces as a next-hop destination by including the next-hop-service statement at the [edit services service-set service-set-name] hierarchy level. (You can configure a service set as either an interface service set or a next-hop service set.)

NOTE: You can configure IDS, NAT, and stateful firewall service rules within the same service set. You must configure IPsec services in a separate service set, although you can apply both service sets to the same PIC.

Packet Flow Through the Adaptive Services or Multiservices PIC

You can optionally configure service sets to be applied at one of three points while the packets transit the router:
• An interface service set applied at the inbound interface.
• A next-hop service set applied at the forwarding table.
• An interface service set applied at the outbound interface.

The packet flow is as follows, graphically displayed in Figure 1 on page 45.
1. Packets enter the router on the inbound interface.
2. A policer, filter, service filter, service set, postservice filter, and input forwarding-table filter are applied sequentially to the traffic; these are all optional items in the configuration. If an interface service set is applied, the packets are forwarded to the AS or MultiServices PIC for services processing and then sent back to the Packet Forwarding Engine. If a service filter is also applied, only packets matching the service filter are sent to the PIC. The optional postservice filter is applied and postprocessing takes place.
3. A next-hop service set can be applied to the VPN routing and forwarding (VRF) table or to inet.0. If it is applied, the traffic is forwarded to the PIC for processing and sent back to the Packet Forwarding Engine, which then forwards the traffic.
4. On the output interface, an output filter, output policer, and interface service set can be applied sequentially to the traffic if you have configured any of these items. If an interface service set is applied, packets are sent to the PIC for services processing and sent back to the Packet Forwarding Engine.
5. Packets exit the router.

NOTE: For NAT, the next-hop service set can only be applied to the VRF table. For all other services, the next-hop service set can be applied to either the VRF table or to inet.0.

Figure 1: Packet Flow Through the Adaptive Services or MultiServices PIC

NOTE: When an AS PIC experiences persistent back pressure as a result of high traffic volume for 3 seconds, the condition triggers an automatic core dump and reboot of the PIC to help clear the blockage. A system log message at level LOG_ERR is generated. This mechanism applies to both Layer 2 and Layer 3 service packages.

Stateful Firewall Overview

Routers use firewalls to track and control the flow of traffic. Adaptive Services and MultiServices PICs employ a type of firewall called a stateful firewall. Contrasted with a stateless firewall that inspects packets in isolation, a stateful firewall provides an extra layer of security by using state information derived from past communications and other applications to make dynamic control decisions for new communication attempts.

Stateful firewalls group relevant flows into conversations. A flow is identified by the following five properties:
• Source address
• Source port
• Destination address
• Destination port
• Protocol

A typical Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) conversation consists of two flows: the initiation flow and the responder flow. However, some conversations, such as an FTP conversation, might consist of two control flows and many data flows.

Firewall rules govern whether the conversation is allowed to be established. If a conversation is allowed, all flows within the conversation are permitted, including flows that are created during the life cycle of the conversation.

You configure stateful firewalls using a powerful rule-driven conversation handling path. A rule consists of direction, source address, source port, destination address, destination port, IP protocol value, and application protocol or service. In addition to the specific values you configure, you can assign the value any to rule objects, addresses, or ports, which allows them to match any input value. Finally, you can optionally negate the rule objects, which negates the result of the type-specific match.

The firewall rules are configured in relation to an interface. By default, the stateful firewall allows all sessions initiated from the hosts behind the interface to pass through the router.

Firewall rules are directional. For each new conversation, the router software checks the initiation flow matching the direction specified by the rule.

Firewall rules are ordered. The software checks the rules in the order in which you include them in the configuration. The first time the firewall discovers a match, the router implements the action specified by that rule. Rules still unchecked are ignored.

For more information, see “Configuring Stateful Firewall Rules” on page 114.

Stateful Firewall Support for Application Protocols

By inspecting the application protocol data, the AS or MultiServices PIC firewall can intelligently enforce security policies and allow only the minimal required packet traffic to flow through the firewall.

Stateful Firewall Anomaly Checking

The stateful firewall recognizes the following events as anomalies and sends them to the IDS software for processing:

• IP anomalies:
  • IP version is not correct.
  • IP header length field is too small.
  • IP header length is set larger than the entire packet.
  • Bad header checksum.
  • IP total length field is shorter than header length.
  • Packet has incorrect IP options.
  • Time-to-live (TTL) equals 0.
  • Internet Control Message Protocol (ICMP) packet length error.
• IP address anomalies:
  • IP packet source is a broadcast or multicast.
  • Land attack (source IP equals destination IP).
• IP fragmentation anomalies:
  • IP fragment overlap.
  • IP fragment missed.
  • IP fragment length error.
  • IP packet length is more than 64 kilobytes (KB).
  • Tiny fragment attack.
• TCP anomalies:
  • TCP port 0.
  • TCP sequence number 0 and flags 0.
  • TCP sequence number 0 and FIN/PSH/RST flags set.
  • TCP flags with wrong combination (TCP FIN/RST or SYN/(URG|FIN|RST)).
  • Bad TCP checksum.
• UDP anomalies:
  • UDP source or destination port 0.
  • UDP header length check failed.
  • Bad UDP checksum.
• Anomalies found through stateful TCP or UDP checks:

  • SYN followed by SYN-ACK packets without ACK from initiator.
  • SYN followed by RST packets.
  • SYN without SYN-ACK.
  • Non-SYN first flow packet.
  • ICMP unreachable errors for SYN packets.
  • ICMP unreachable errors for UDP packets.
  • Packets dropped according to stateful firewall rules.

If you employ stateful anomaly detection in conjunction with stateless detection, IDS can provide early warning for a wide range of attacks, including these:
• TCP or UDP network probes and port scanning
• SYN flood attacks
• IP fragmentation-based attacks such as teardrop, bonk, and boink

Network Address Translation Overview

• Types of NAT on page 48

Types of NAT

The types of NAT supported by the Junos OS are described in the following sections:
• NAT Concept and Facilities Overview on page 48
• IPv4-to-IPv4 Basic NAT on page 49
• NAT-PT on page 50
• Static Destination NAT on page 50
• Twice NAT on page 50
• IPv6 NAT on page 51
• NAT-PT with DNS ALG on page 51
• Dynamic NAT on page 52
• Stateful NAT64 on page 52
• Dual-Stack Lite on page 52

NAT Concept and Facilities Overview

Network Address Translation (NAT) is a mechanism for translating IP addresses. NAT provides the technology used to support a wide range of networking goals, including:
• Concealing a set of host addresses on a private network behind a pool of public addresses.

• Providing a security measure to protect the host addresses from direct targeting in network attacks.
• Providing a tool set for coping with IPv4 address depletion and IPv6 transition issues.

The Junos OS provides carrier-grade NAT (CGN) for IPv4 and IPv6 networks. The multiservices Dense Port Concentrator (DPC) and multiservices PIC interfaces support the following types of traditional CGN:
• Static-source translation—Allows you to hide a private network. It features a one-to-one mapping between the original address and the translated address; the mapping is configured statically. For more information, see “Basic NAT” on page 50.
• Dynamic-source translation—Includes two options: dynamic address-only source translation and network address and port translation (NAPT):
  • Dynamic address-only source translation—A NAT address is picked up dynamically from a source NAT pool, and the mapping from the original source address to the translated address is maintained as long as there is at least one active flow that uses this mapping. For more information, see “Dynamic NAT” on page 52.
  • NAPT—Both the original source address and the source port are translated. The translated address and port are picked up from the corresponding NAT pool. For more information, see “NAPT” on page 50.
• Static destination translation—Allows you to make selected private servers accessible, transparent to end users. It features a one-to-one mapping between the translated address and the destination address; the mapping is configured statically. For more information, see “Static Destination NAT” on page 50.
• Protocol translation—Allows you to assign addresses from a pool on a static or dynamic basis as sessions are initiated across IPv4 or IPv6 boundaries, and facilitates the transit of traffic between different types of networks. For more information, see “NAT-PT” on page 50, “NAT-PT with DNS ALG” on page 51, and “Stateful NAT64” on page 52.
• Encapsulation of IPv4 packets into IPv6 packets using softwires—Enables packets to travel over softwires to a carrier-grade NAT endpoint where they undergo source-NAT processing to hide the original source address. For more information, see “Tunneling Services for IPv4-to-IPv6 Transition Overview” on page 53.

The Junos OS supports NAT functionality described in IETF RFCs and Internet drafts, as shown in Supported NAT and SIP Standards in Standards Supported in Junos OS 11.4.

IPv4-to-IPv4 Basic NAT

Basic Network Address Translation or Basic NAT is a method by which IP addresses are mapped from one group to another. Network Address Port Translation or NAPT is a method by which many network addresses and their TCP/UDP ports are translated into a single network address and its TCP/UDP ports. Together, these two operations, referred to as traditional NAT, provide a mechanism to connect a realm with private addresses to an external realm with globally unique registered addresses.
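The five-step services configuration procedure above and the dynamic-source NAPT described in this section, as one added configuration example that is not taken from the guide: it assumes hypothetical names (my-http, web-apps, allow-outbound-web, inside-policy, napt-pool, napt-out, inside-ss), the interfaces sp-1/2/0 and ge-0/0/0, a constructed address plan using 10.1.1.0/24 and 203.0.113.0/28, and the translation-type keyword form napt-44, since the NAT statement hierarchy itself is not shown on this page.

```junos
/* Added example configuration, not from the guide. Names, interfaces,
   and addresses are hypothetical or constructed, as noted above. */
applications {
    /* Step 1: application objects, grouped into an application set. */
    application my-http {
        application-protocol http;
        protocol tcp;
        destination-port 80;
    }
    application-set web-apps {
        application my-http;
    }
}
services {
    stateful-firewall {
        /* Step 2: a directional rule with the from/then structure of a
           firewall filter. Only the initiation flow is matched against
           the rule; the responder flow is admitted by conversation state. */
        rule allow-outbound-web {
            match-direction input;
            term permit-web {
                from {
                    source-address 10.1.1.0/24;
                    application-sets web-apps;
                }
                then {
                    accept;
                    syslog;
                }
            }
            term deny-rest {
                then {
                    discard;
                }
            }
        }
        /* Step 3: rules are checked in the order they appear in the set. */
        rule-set inside-policy {
            rule allow-outbound-web;
        }
    }
    nat {
        pool napt-pool {
            address 203.0.113.0/28;
            port {
                automatic;
            }
        }
        /* Dynamic-source NAPT: source address and source port of flows
           leaving the private network are rewritten from the pool
           (translation-type keyword form assumed). */
        rule napt-out {
            match-direction input;
            term private-to-public {
                from {
                    source-address 10.1.1.0/24;
                }
                then {
                    translated {
                        source-pool napt-pool;
                        translation-type napt-44;
                    }
                }
            }
        }
    }
    /* Step 4: NAT and stateful firewall rules may share one service set;
       IPsec rules would need a separate service set. */
    service-set inside-ss {
        stateful-firewall-rule-sets inside-policy;
        nat-rules napt-out;
        interface-service {
            service-interface sp-1/2/0;
        }
        syslog {
            host local {
                services any;
            }
        }
    }
}
interfaces {
    sp-1/2/0 {
        unit 0 {
            family inet;
        }
    }
    /* Step 5: apply the interface service set in both directions on the
       LAN-facing interface so the PIC sees both flows of a conversation. */
    ge-0/0/0 {
        unit 0 {
            family inet {
                service {
                    input {
                        service-set inside-ss;
                    }
                    output {
                        service-set inside-ss;
                    }
                }
                address 10.1.1.1/24;
            }
        }
    }
}
```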

Traditional NAT, specified in RFC 3022, Traditional IP Network Address Translator, is fully supported by the Junos OS.

Basic NAT

With Basic NAT, a block of external addresses is set aside for translating addresses of hosts in a private domain as they originate sessions to the external domain. For packets outbound from the private network, Basic NAT translates source IP addresses and related fields such as IP, TCP, UDP, and ICMP header checksums. For inbound packets, Basic NAT translates the destination IP address and the checksums listed above.

NAPT

Use NAPT to enable the components of the private network to share a single external address. NAPT translates the transport identifier (for example, TCP port number, UDP port number, or ICMP query ID) of the private network into a single external address. NAPT can be combined with Basic NAT to use a pool of external addresses in conjunction with port translation. For packets outbound from the private network, NAPT translates the source IP address, source transport identifier (TCP/UDP port or ICMP query ID), and related fields, such as IP, TCP, UDP, and ICMP header checksums. For inbound packets, NAPT translates the destination IP address, the destination transport identifier, and the IP and transport header checksums. NAPT is supported for source addresses.

NAT-PT

NAT-Protocol Translation (NAT-PT) is an obsolete IPv4-to-IPv6 transition mechanism and is no longer recommended. NAT64 is the newer, recommended solution. NAT-PT, specified in RFC 2766, Network Address Translation - Protocol Translation (NAT-PT), and obsoleted by RFC 2766, Reasons to Move Network Address Translator Protocol Translator (NAT-PT) to Historic Status, is still supported by the Junos OS. RFC 2766, Network Address Translation - Protocol Translation (NAT-PT), recommends the use of NAT-PT for translation between IPv6-only nodes and IPv4-only nodes, and not for IPv6-to-IPv6 translation between IPv6 nodes or IPv4-to-IPv4 translation between IPv4 nodes. Using a pool of IPv4 addresses, NAT-PT assigns addresses from that pool to IPv6 nodes on a dynamic basis as sessions are initiated across IPv4 or IPv6 boundaries. Inbound and outbound sessions must traverse the same NAT-PT router so that it can track those sessions.

Static Destination NAT

Use static destination NAT to translate the destination address for external traffic to an address specified in a destination pool. The destination pool contains one address and no port configuration. For more information about static destination NAT, see RFC 2663, IP Network Address Translator (NAT) Terminology and Considerations.

Twice NAT

In Twice NAT, both the source and destination addresses are subject to translation as packets traverse the NAT router. The source information to be translated can be either address only or address and port. To configure Twice NAT, you must specify both a destination address and a source address for the match direction, pool or prefix, and translation type. Twice NAT, specified in RFC 2663, IP Network Address Translator (NAT) Terminology and Considerations, is fully supported by the Junos OS.

Twice NAT does not support other ALGs. These ALGs cannot be applied to flows created by the Packet Gateway Control Protocol (PGCP). … NAT, or class-of-service (CoS) rules when Twice NAT is configured in the same service set. In traditional NAT, … and UDP headers embedded in the payload of ICMP error messages.

IPv6 NAT

IPv6-to-IPv6 Network Address Translation (NAT66), defined in Internet draft draft-mrw-behave-nat66-01, is fully supported by the Junos OS. RFC 2766, Network Address Translation - Protocol Translation (NAT-PT), recommends the use of NAT-PT for translation between IPv6-only nodes and IPv4-only nodes, and not for IPv6-to-IPv6 translation between IPv6 nodes or IPv4-to-IPv4 translation between IPv4 nodes. Using a pool of IPv4 addresses, NAT-PT assigns addresses from that pool to IPv6 nodes on a dynamic basis as sessions are initiated across IPv4 or IPv6 boundaries. Inbound and outbound sessions must traverse the same NAT-PT router so that it can track those sessions.

NAT-PT with DNS ALG

NAT-PT and Domain Name System (DNS) ALG are used to facilitate communication between IPv6 hosts and IPv4 hosts. The DNS ALG is an application-specific agent that allows an IPv6 node to communicate with an IPv4 node and vice versa. For example, … or any resource connected to the Internet or a private network. IPv6 name-to-address mappings are held in the DNS with "AAAA" queries. By default, the DNS ALG translates IPv6 addresses in DNS queries and responses to the corresponding IPv4 addresses and vice versa. The Junos OS provides the following for controlling the translation of IPv4 and IPv6 DNS queries:

NOTE: For IPv6 DNS queries, …
TCP. When DNS ALG is employed with NAT-PT. Related Documentation • • Configuring NAT Rules on page 156 Configuring NAT-PT on page 187 Copyright © 2011. RFC 2766. DNS is a distributed hierarchical naming system for computers. Twice NAT. You can configure application-level gateways (ALGs) for ICMP and traceroute under stateful firewall. only one of the addresses is translated. the Twice NAT feature can affect IP. IPv4 name-to-address mappings are held in the DNS with "A" queries. use the do-not-translate-AAAA-query-to-A-query statement at the [edit applications application application-name] hierarchy level. you would use Twice NAT when you are connecting two networks in which all or some addresses in one network overlap with addresses in another network (whether the network is private or public). IPv6 NAT IPv6-to-IPv6 NAT (NAT66). services.

• Example: Configuring NAT-PT on page 202

Dynamic NAT

Dynamic NAT flow is shown in Figure 2 on page 52.

Figure 2: Dynamic NAT Flow (IPv4 end-user local host, IPv4 CPE, CGN performing dynamic NAT, public IPv4 aggregation, IPv4 destination host)

With dynamic NAT, you can map a private IP address (source) to a public IP address drawn from a pool of registered (public) IP addresses. NAT addresses from the pool are assigned dynamically. Assigning addresses dynamically also allows a few public IP addresses to be used by several private hosts, in contrast with the equal-sized pool required by source static NAT. For more information about dynamic address translation, see RFC 2663, IP Network Address Translator (NAT) Terminology and Considerations.

Stateful NAT64

Stateful NAT64 flow is shown in Figure 3 on page 52.

Figure 3: Stateful NAT64 Flow (IPv6 local host, IPv6 CPE, CGN performing NAT64, public IPv4 aggregation, IPv4 destination host)

Stateful NAT64 is a mechanism to move to an IPv6 network and at the same time deal with IPv4 address depletion. By allowing IPv6-only clients to contact IPv4 servers using unicast UDP, TCP, or ICMP, several IPv6-only clients can share the same public IPv4 server address. To allow sharing of the IPv4 server address, NAT64 translates incoming IPv6 packets into IPv4 (and vice versa). When stateful NAT64 is used in conjunction with DNS64, no changes are usually required in the IPv6 client or the IPv4 server. DNS64 is out of scope of this document because it is normally implemented as an enhancement to currently deployed DNS servers. Stateful NAT64, specified in RFC 6146, Stateful NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers, is fully supported by the Junos OS.

Dual-Stack Lite

Dual-stack lite (DS-Lite) flow is shown in Figure 4 on page 53.
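The NAPT binding described under Traditional NAT above and the stateful NAT64 translation described here are one mechanism seen from two address families: a single public IPv4 address is shared by many clients through a per-session port binding, and NAT64 adds an IPv4-in-IPv6 address mapping so that an IPv6-only client can name the IPv4 server. The following Python model is an added example, not Juniper code and not part of this guide. It assumes the well-known NAT64 prefix 64:ff9b::/96 from RFC 6052 (the guide itself cites only RFC 6146 and DNS64), a single public IPv4 address, a constructed DNS zone, and documentation addresses from RFC 5737 and RFC 3849 throughout; all function and class names are the example's own.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Added example, not Juniper code. It ties together two sections of this
# overview: the NAPT binding table (source address plus transport identifier
# mapped to one external address and an allocated port) and stateful NAT64,
# which is that same port-multiplexing NAT applied between an IPv6 client and
# an IPv4 server. Address embedding follows RFC 6052 with the well-known
# prefix 64:ff9b::/96, an assumption: the guide names only RFC 6146 and DNS64.

WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")
Client = Tuple[str, int]              # (IPv6 source address, source port)
Tuple4 = Tuple[str, int, str, int]    # (src, sport, dst, dport)


def embed_ipv4(ipv4: str, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX) -> str:
    """IPv4-embedded IPv6 address: the /96 prefix followed by the 32-bit IPv4 address."""
    if prefix.prefixlen != 96:
        raise ValueError("this example handles /96 prefixes only")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(int(prefix.network_address) | v4))


def extract_ipv4(ipv6: str, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX) -> Optional[str]:
    """Inverse of embed_ipv4, or None when the address lies outside the NAT64
    prefix (such traffic is native IPv6 and must be routed, not translated)."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))


def dns64_answer(name: str, zone: Dict[str, Dict[str, List[str]]],
                 prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX) -> List[str]:
    """DNS64 for an AAAA query: real AAAA records if the name has any, otherwise
    AAAA records synthesized from its A records so the client sends to the NAT64."""
    rrs = zone.get(name, {})
    if rrs.get("AAAA"):
        return list(rrs["AAAA"])
    return [embed_ipv4(a, prefix) for a in rrs.get("A", [])]


class StatefulNat64:
    """Port-multiplexing translator (NAPT semantics) between IPv6 clients and one
    public IPv4 address. Sessions must start from the IPv6 side; an IPv4 packet
    that matches no binding is unsolicited and dropped."""

    def __init__(self, public_ipv4: str, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX,
                 port_lo: int = 1024, port_hi: int = 65535):
        self.public_ipv4 = public_ipv4
        self.prefix = prefix
        self.free_ports = list(range(port_lo, port_hi + 1))
        self.bind: Dict[Client, int] = {}     # (v6 src, port) -> public port
        self.rbind: Dict[int, Client] = {}    # public port -> (v6 src, port)

    def v6_to_v4(self, src6: str, sport: int, dst6: str, dport: int) -> Optional[Tuple4]:
        """IPv6 client packet -> IPv4 packet, allocating a binding on first use.
        None means: not addressed to the NAT64 prefix, or port pool exhausted."""
        dst4 = extract_ipv4(dst6, self.prefix)
        if dst4 is None:
            return None
        key = (src6, sport)
        if key not in self.bind:
            if not self.free_ports:
                return None
            port = self.free_ports.pop(0)
            self.bind[key] = port
            self.rbind[port] = key
        return (self.public_ipv4, self.bind[key], dst4, dport)

    def v4_to_v6(self, src4: str, sport: int, dst4: str, dport: int) -> Optional[Tuple4]:
        """IPv4 server packet -> IPv6 packet for an existing binding only; the
        server's IPv4 address becomes an IPv4-embedded IPv6 source address."""
        if dst4 != self.public_ipv4 or dport not in self.rbind:
            return None
        client6, client_port = self.rbind[dport]
        return (embed_ipv4(src4, self.prefix), sport, client6, client_port)

    def release(self, src6: str, sport: int) -> None:
        """End of session: return the public port to the pool."""
        port = self.bind.pop((src6, sport), None)
        if port is not None:
            del self.rbind[port]
            self.free_ports.append(port)


# Constructed zone data for the demonstration (documentation addresses only).
SAMPLE_ZONE = {
    "v4only.example.": {"A": ["192.0.2.33"]},
    "dual.example.": {"A": ["192.0.2.34"], "AAAA": ["2001:db8::34"]},
}
```

Two behaviours are worth checking against a real deployment: a destination outside the NAT64 prefix is returned untranslated (it must be routed natively), and an IPv4 packet that matches no binding is dropped, which is why the overview stresses that both directions of a session must traverse the same translator.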

Figure 4: DS-Lite Flow (IPv4 end-user local host, DS-Lite IPv4-in-IPv6 tunnel across the IPv6 access network, AFTR/CGN performing NAT44, IPv4 destination host; native IPv6 end-user traffic reaches the IPv6 destination host directly)

DS-Lite employs IPv4-over-IPv6 tunnels to cross an IPv6 access network to reach a carrier-grade IPv4-IPv4 NAT.

Related Documentation
• DS-Lite Softwires—IPv4 over IPv6
• Configuring a DS-Lite Softwire Concentrator on page 866

Tunneling Services for IPv4-to-IPv6 Transition Overview

The Junos OS enables service providers to transition to IPv6 by using softwire encapsulation and decapsulation techniques. A softwire is a tunnel that is created between softwire CPE. A softwire initiator at the customer end encapsulates native packets and tunnels them to a softwire concentrator at the service provider. The softwire concentrator decapsulates the packets and sends them to their destination. This facilitates the phased introduction of IPv6 on the Internet by providing backward compatibility with IPv4.

A softwire is created when a softwire concentrator receives the first tunneled packet of a flow and prepares for flow processing. A flow counter is maintained; when the number of active flows is 0, the softwire is deleted. The softwire exists as long as the softwire concentrator is providing flows for routing. Statistics are kept for both flows and softwires.

Softwire addresses are not specifically configured under any physical or virtual interface, making it a very light and scalable solution. When you use softwires, you need not maintain an interface infrastructure for each softwire, unlike a typical mesh of generic routing encapsulation (GRE) tunnels that would require you to do so. A softwire CPE can share a unique common internal state for multiple softwires. Therefore, the number of established softwires does not affect throughput, and scalability is independent of the number of interfaces. Scalability is limited only by the number of flows that the platform (services DPC or PIC) can support.

This topic contains the following sections:
• 6to4 Overview on page 54
• DS-Lite Softwires—IPv4 over IPv6 on page 55
• 6rd Softwires—IPv6 over IPv4 on page 56

6to4 Overview

• Basic 6to4 on page 54
• 6to4 Anycast on page 54
• 6to4 Provider-Managed Tunnels on page 55

Basic 6to4

6to4 is an Internet transition mechanism for migrating from IPv4 to IPv6: a system that allows IPv6 packets to be transmitted over an IPv4 network (generally the IPv4 Internet) without the need to configure explicit tunnels. 6to4 is described in RFC 3056, Connection of IPv6 Domains via IPv4 Clouds. 6to4 is especially relevant during the initial phases of deployment to full, native IPv6 connectivity, since IPv6 is not required on nodes between the host and the destination. However, it is intended only as a transition mechanism and is not meant to be used permanently.

6to4 can be used by an individual host, or by a local IPv6 network. When used by a host, the host must have a global IPv4 address connected, and the host is responsible for the encapsulation of outgoing IPv6 packets and the decapsulation of incoming 6to4 packets. If the host is configured to forward packets for other clients, often a local network, it is then a router.

There are two kinds of 6to4 virtual routers: border routers and relay routers. A 6to4 border router is an IPv6 router supporting a 6to4 pseudointerface, and it is normally the border router between an IPv6 site and a wide-area IPv4 network. A relay router is a 6to4 router configured to support transit routing between 6to4 addresses and pure native IPv6 addresses.

In order for a 6to4 host to communicate with the native IPv6 Internet, its IPv6 default gateway must be set to a 6to4 address that contains the IPv4 address of a 6to4 relay router. To avoid the need for users to set this up manually, the Anycast address 192.88.99.1 has been allocated for sending packets to a 6to4 relay router. Note that when wrapped in 6to4 with the subnet and host fields set to zero, this IPv4 address (192.88.99.1) becomes the IPv6 address 2002:c058:6301::.

Packets from the IPv6 Internet to 6to4 systems must be sent to a 6to4 relay router by normal IPv6 routing methods. From there they can then be sent over the IPv4 Internet to the destination. The specification states that such relay routers must only advertise 2002::/16 and not subdivisions of it, to prevent IPv4 routes from polluting the routing tables of IPv6 routers.

6to4 Anycast Router

6to4 assumes that 6to4 routers and relays are managed and configured cooperatively. In particular, 6to4 sites must configure a relay router to carry the outbound traffic, which becomes the default IPv6 router (except for 2002::/16). To ensure BGP routing propagation, a short prefix of 192.88.99.0/24 has been allocated for routes pointed at 6to4 relay routers that use this Anycast IP address. Providers willing to provide 6to4 service to their clients or peers should advertise the Anycast prefix like any other IP prefix, and route the prefix to their 6to4 relay. The objective of the Anycast variant, defined in RFC 3068, An Anycast Prefix for 6to4 Relay Routers, is to avoid the need for such configuration.
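The address arithmetic in the paragraphs above (a site's /48 derived from its IPv4 address, the relay anycast address 192.88.99.1 becoming 2002:c058:6301::, and the rule that relays advertise only 2002::/16) is easy to get wrong by hand. The following Python functions are an added example, not code from this guide or from Junos OS; the function names are the example's own, and the documentation address 192.0.2.1 stands in for a site's global IPv4 address.

```python
import ipaddress
from typing import Optional

# Added example, not Juniper code: the 6to4 address arithmetic of RFC 3056 and
# the RFC 3068 anycast relay convention described above, plus the per-packet
# decision a 6to4 router makes about where to send the encapsulating IPv4 packet.
SIXTO4 = ipaddress.IPv6Network("2002::/16")
RELAY_ANYCAST_V4 = "192.88.99.1"          # well-known 6to4 relay anycast address


def sixto4_prefix(ipv4: str) -> str:
    """The site prefix 2002:VVVV:VVVV::/48 for a site whose global IPv4 address
    is V.V.V.V (the address must be global; RFC 1918 space cannot be used)."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    net = ipaddress.IPv6Network((int(SIXTO4.network_address) | (v4 << 80), 48))
    return str(net)


def sixto4_address(ipv4: str, subnet: int = 0, interface_id: int = 0) -> str:
    """A complete 6to4 address: /48 site prefix, 16-bit subnet, 64-bit interface ID.
    With subnet and interface ID both zero this is the form the text derives for
    the relay (192.88.99.1 -> 2002:c058:6301::)."""
    prefix = ipaddress.IPv6Network(sixto4_prefix(ipv4))
    value = int(prefix.network_address) | (subnet << 64) | interface_id
    return str(ipaddress.IPv6Address(value))


def embedded_ipv4(ipv6: str) -> Optional[str]:
    """The IPv4 address carried in a 6to4 address, or None for a non-6to4 address."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in SIXTO4:
        return None
    return str(ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF))


def tunnel_endpoint(dst6: str) -> str:
    """IPv4 destination of the encapsulating packet. Another 6to4 site is reached
    directly at the IPv4 address embedded in its prefix; a native IPv6 destination
    is handed to a relay router, here the anycast relay."""
    return embedded_ipv4(dst6) or RELAY_ANYCAST_V4


def relay_may_advertise(prefix: str) -> bool:
    """A relay router must announce exactly 2002::/16 into IPv6 routing and never
    a more specific piece of it."""
    return ipaddress.IPv6Network(prefix) == SIXTO4
```

The tunnel_endpoint decision is the security-relevant part: a 6to4 router trusts the IPv4 address embedded in the destination, so a forged 2002::/16 destination can steer encapsulated traffic at an arbitrary IPv4 host, one of the reasons the unmanaged variant is discouraged below.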

This is achieved by defining 192.88.99.1 as the default IPv4 address for a 6to4 relay, and 2002:c058:6301:: as the default IPv6 router prefix (the "well-known prefix") for a 6to4 site. Anycast 6to4 implies a default configuration for the user site; it does not require any particular user action. It does require an IPv4 Anycast route to be in place to a relay at 192.88.99.1. This makes the solution available for small or domestic users, even those with a single host or simple home gateway instead of a border router.

6to4 Provider-Managed Tunnels

A solution to many problems associated with unmanaged Anycast 6to4 is presented in the IETF informational draft draft-kuarsingh-v6ops-6to4-provider-managed-tunnel-02, 6to4 Provider-Managed Tunnels (PMT), published in August 2011. That document, a "work in progress," proposes a solution that allows providers to exercise greater control over the routing of 6to4 traffic. RFC 6343, Advisory Guidelines for 6to4 Deployment, identifies a wide range of problems associated with the use of unmanaged 6to4 Anycast relay routers.

6to4 provider-managed tunnels (PMTs) facilitate the management of 6to4 tunnels using an Anycast configuration. 6to4 PMT enables service providers to improve 6to4 operation when network conditions provide suboptimal performance or break normal 6to4 operation. Traffic does not necessarily return to the same 6to4 gateway, because of the "well-known" 6to4 prefix used and advertised by all 6to4 traffic. 6to4 PMT provides a stable provider prefix and forwarding environment by utilizing existing 6to4 relays with an added function of IPv6 prefix translation that controls the flow of return traffic.

The 6to4 managed tunnel model behaves like a standard 6to4 service between the customer IPv6 host or gateway and the 6to4-PMT relay (within the provider domain). The 6to4-PMT relay shares properties with 6rd (RFC 5969) by decapsulating and forwarding embedded IPv6 flows, carried within an IPv4 packet, to the IPv6 Internet. The model provides an additional function that translates the source 6to4 prefix to a provider-assigned prefix, which is not found in 6rd or traditional 6to4 operation. The 6to4-PMT relay provides a stateless (or stateful) mapping of the 6to4 prefix to a provider-supplied prefix by mapping the embedded IPv4 address in the 6to4 prefix to the provider prefix.

DS-Lite Softwires—IPv4 over IPv6

When an Internet service provider (ISP) begins to allocate IPv6 addresses and IPv6-capable equipment to new subscriber homes, dual-stack lite (DS-Lite) provides a method for the private IPv4 addresses behind the IPv6 customer edge (CE) WAN equipment to reach the IPv4 network. DS-Lite enables IPv4 customers to continue to access the Internet using their current hardware by using a softwire initiator, referred to as a Basic Bridging Broadband (B4) element, at the customer edge to encapsulate IPv4 packets into IPv6 packets and tunnel them over an IPv6 network to a softwire concentrator, referred to as an Address Family Transition Router (AFTR), for decapsulation. DS-Lite creates the IPv6

softwires that terminate on the services PIC. Packets coming out of the softwire can then have other services, such as NAT, applied to them.

DS-Lite is supported on Multiservices 100, 400, and 500 PICs on M Series routers and on MX Series routers equipped with Multiservices Dense Port Concentrators (DPCs). For more information on DS-Lite softwires, see the IETF draft Dual Stack Lite Broadband Deployments Following IPv4 Exhaustion.

NOTE: The most recent IETF draft documentation for DS-Lite uses new terminology:
• The term softwire initiator has been replaced by B4.
• The term softwire concentrator has been replaced by AFTR.
The Junos OS documentation generally uses the original terms when discussing configuration, in order to be consistent with the command-line interface (CLI) statements used to configure DS-Lite.

NOTE: IPv6 Provider Edge (6PE), or MPLS-enabled IPv6, is available for ISPs with MPLS-enabled networks. These networks can now use multiprotocol Border Gateway Protocol (MP-BGP) to provide connectivity between the DS-Lite B4 and AFTR (or any two IPv6 nodes). DS-Lite properly handles encapsulation and decapsulation despite the presence of additional MPLS header information.

6rd Softwires—IPv6 over IPv4

6rd softwire flow is shown in Figure 5 on page 56.

Figure 5: 6rd Softwire Flow (IPv6 end-user local host, 6rd IPv6-in-IPv4 tunnel across the IPv4 access network, 6rd concentrator, IPv6 destination host)

The Junos OS supports a 6rd softwire concentrator on a services DPC or PIC to facilitate rapid deployment of IPv6 service to subscribers on native IPv4 CE WANs. IPv6 packets are encapsulated in IPv4 packets by a softwire initiator at the CE WAN. These packets are tunneled to a softwire concentrator residing on a Multiservices DPC (branch relay), which decapsulates the IPv6 packets and forwards them for IPv6 routing. A softwire is created when IPv4 packets containing IPv6 destination information are received at the softwire concentrator. All of these functions are performed in a single pass of the services PIC.

In the reverse path, IPv6 packets are sent to the services DPC, where they are encapsulated in IPv4 packets corresponding to the proper softwire and sent to the CE WAN. IPv6 flows are also created for the encapsulated IPv6 payload, and are associated with the specific softwire that carried them in the first place. When the last IPv6 flow associated with a softwire ends, the softwire is deleted.

The softwire concentrator creates softwires as IPv4 packets are received from the CE WAN side or IPv6 packets are received from the Internet. This simplifies configuration, and there is no need to create or manage tunnel interfaces. A 6rd softwire on the services DPC is identified by the 3-tuple containing the service set ID, the CE softwire initiator IPv4 address, and the softwire concentrator IPv4 address.

6rd is supported on Multiservices 100, 400, and 500 PICs on M Series and T Series routers, and on MX Series platforms equipped with Multiservices DPCs. For more information on 6rd softwires, see RFC 5969, IPv6 Rapid Deployment on IPv4 Infrastructures (6rd) -- Protocol Specification.

Related Documentation
• See Network Address Translation Overview on page 48.

IPsec Overview

The Juniper Networks Junos OS supports IPsec. This section discusses the following topics, which provide background information about configuring IPsec. For a list of the IPsec and IKE standards supported by the Junos OS, see the Junos OS Hierarchy and RFC Reference.
• IPsec on page 57
• Security Associations on page 57
• IKE on page 58
• Comparison of IPsec Services and ES Interface Configuration on page 58

IPsec

The IPsec architecture provides a security suite for the IP version 4 (IPv4) and IP version 6 (IPv6) network layers. The suite provides such functionality as authentication of origin, data integrity, confidentiality, replay protection, and nonrepudiation of source. IPsec provides secure tunnels between two peers. IPsec also defines a security association and key management framework that can be used with any network layer protocol. In addition to IPsec, the Junos OS also supports the Internet Key Exchange (IKE), which defines mechanisms for key generation and exchange, and manages security associations (SAs).

Security Associations

To use IPsec security services, you create SAs between hosts. An SA is a simplex connection that allows two hosts to communicate with each other securely by means of IPsec. The SA specifies what protection policy to apply to traffic between two IP-layer entities. Because an SA is simplex, protecting traffic in both directions requires a pair of SAs, one inbound and one outbound. There are two types of SAs:

• Manual SAs require no negotiation; all values, including the keys, are static and specified in the configuration. Manual SAs statically define the security parameter index (SPI) values, algorithms, and keys to be used, and require matching configurations on both ends of the tunnel. Each peer must have the same configured options for communication to take place.
• Dynamic SAs require additional configuration. With dynamic SAs, you configure IKE first and then the SA. IKE creates dynamic security associations; it negotiates SAs for IPsec. The IKE configuration defines the algorithms and keys used to establish the secure IKE connection with the peer security gateway. This connection is then used to dynamically agree upon keys and other data used by the dynamic IPsec SA. The IKE SA is negotiated first and then used to protect the negotiations that determine the dynamic IPsec SAs.

IKE

IKE is a key management protocol that creates dynamic SAs; it negotiates SAs for IPsec. An IKE configuration defines the algorithms and keys used to establish a secure connection with a peer security gateway. IKE performs the following tasks:
• Negotiates and manages IKE and IPsec parameters.
• Authenticates secure key exchange.
• Provides mutual peer authentication by means of shared secrets (not passwords) and public keys.
• Provides identity protection (in main mode).

Two versions of the IKE protocol (IKEv1 and IKEv2) are supported. Starting with Junos OS Release 11.4, both IKEv1 and IKEv2 are supported by default on all M Series, MX Series, and T Series routers.

First, IKE negotiates security attributes and establishes shared secrets to form the bidirectional IKE SA. Then, under the protection of that IKE SA, the inbound and outbound IPsec SAs are established; the IKE SA secures these exchanges. IKE also generates keying material, provides Perfect Forward Secrecy, and exchanges identities.

Comparison of IPsec Services and ES Interface Configuration

Table 4 on page 58 compares the top-level configuration of IPsec features on the ES PIC interfaces and on the AS or MultiServices PIC interfaces.

Table 4: Statement Equivalents for ES and AS Interfaces

ES PIC Configuration | AS and MultiServices PIC IPsec Configuration
[edit security ipsec] proposal {...} | [edit services ipsec-vpn ipsec] proposal {...}
[edit security ipsec] policy {...} | [edit services ipsec-vpn ipsec] policy {...}

Table 4: Statement Equivalents for ES and AS Interfaces (continued)

ES PIC Configuration | AS and MultiServices PIC IPsec Configuration
[edit security ipsec] security-association sa-dynamic {...} | [edit services ipsec-vpn rule rule-name] term term-name match-conditions {...} then dynamic {...}
[edit security ipsec] security-association sa-manual {...} | [edit services ipsec-vpn rule rule-name] term term-name match-conditions {...} then manual {...}
[edit security ike] proposal {...} | [edit services ipsec-vpn ike] proposal {...}
[edit security ike] policy {...} | [edit services ipsec-vpn ike] policy {...}
Not available | [edit services ipsec-vpn] rule-set {...}
Not available | [edit services ipsec-vpn] service-set {...}
[edit interfaces es-fpc/pic/port] tunnel source address | [edit services ipsec-vpn service-set set-name ipsec-vpn local-gateway address]
[edit interfaces es-fpc/pic/port] tunnel destination address | [edit services ipsec-vpn rule rule-name] remote-gateway address

NOTE: Although many of the same statements and properties are valid on both platforms, the configurations are not interchangeable. You must commit a complete configuration for the PIC type that is installed in your router.

For more information about configuring IPsec services on an AS or MultiServices PIC, see IPsec Properties. For more information about configuring encryption services on an ES PIC, see "Configuring Encryption Interfaces" on page 995.

Layer 2 Tunneling Protocol Overview

L2TP is defined in RFC 2661, Layer Two Tunneling Protocol (L2TP). L2TP facilitates the tunneling of PPP packets across an intervening network in a way that is as transparent as possible to both end users and applications. It employs access profiles for group and individual user access, and uses authentication to establish secure connections between the two ends of each tunnel. Multilink PPP functionality is also supported.

The L2TP services are supported on the following routers only:
• M7i routers with AS PICs
• M10i routers with AS and MultiServices 100 PICs

• M120 routers with AS, MultiServices 100, and MultiServices 400 PICs

For more information, see "L2TP Services Configuration Overview" on page 415.

Voice Services Overview

Adaptive services interfaces include a voice services feature that allows you to specify interface type lsq-fpc/pic/port to accommodate voice over IP (VoIP) traffic. This interface uses compressed RTP (CRTP), which is defined in RFC 2508, Compressing IP/UDP/RTP Headers for Low-Speed Serial Links. CRTP enables VoIP traffic to use low-speed links more effectively by compressing the 40-byte IP/UDP/RTP header down to 2 to 4 bytes in most cases.

Voice services on the AS and MultiServices PICs support single-link PPP-encapsulated IPv4 traffic over the following physical interface types: ATM2, E1, E3, OC3, OC12, DS3, STM1, and T1, including the channelized versions of these interfaces. Voice services also support link fragmentation and interleaving (LFI) on Juniper Networks M Series Multiservice Edge routers, except the M320 router. Voice services do not require a separate service rules configuration.

For link services IQ interfaces (lsq) only, you can configure CRTP with multiclass MLPPP (MCML). With MCML, you can assign voice traffic to a high-priority class, and you can use multiple links. MCML greatly simplifies the packet ordering issues that occur when multiple links are used. Without MCML, all voice traffic belonging to a single flow is hashed to a single link in order to avoid packet ordering issues. For more information about MCML support on link services IQ interfaces, see "Configuring Link Services and CoS on Services PICs" on page 477. For more information about configuring voice services, see "Configuring Services Interfaces for Voice Services" on page 522.

Class of Service Overview

The CoS configuration available for the AS PIC enables you to configure Differentiated Services (DiffServ) code point (DSCP) marking and forwarding-class assignment for packets transiting the AS PIC. You can configure the CoS service alongside the stateful firewall and NAT services, using a similar rule structure. The component structures are described in detail in the Junos OS Class of Service Configuration Guide.

Standards for Differentiated Services are described in the following documents:
• RFC 2474, Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers
• RFC 2475, An Architecture for Differentiated Services

NOTE: CoS BA classification is not supported on services interfaces.

For more information about configuring CoS services, see Class-of-Service Properties.
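The IPsec Overview earlier in this chapter states that an SA is simplex, is identified by its SPI, and provides replay protection, but does not show what the receiving side actually does with those properties. The following Python model is an added example, not Junos OS code and not part of this guide; it assumes HMAC-SHA-256 truncated to 128 bits as the integrity check value (ICV), a 64-packet anti-replay window, and leaves encryption out so that SA lookup, integrity verification and window update can be read in isolation. All class and function names are the example's own.

```python
import hashlib
import hmac
import struct
from typing import Dict, Optional, Tuple

# Added example, not Juniper code: an inbound security association database
# (SAD) showing the two properties of an SA stated in the IPsec Overview:
# an SA is simplex and selected by its SPI, and it provides replay protection.
# Assumptions for the demo: HMAC-SHA-256 truncated to 128 bits as the ICV and
# a 64-packet anti-replay window. Encryption is omitted on purpose.

ICV_LEN = 16


class ReplayWindow:
    """Sliding window of received sequence numbers (RFC 4303 style)."""

    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0      # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => (highest - i) already received

    def check(self, seq: int) -> bool:
        """Preliminary check only; the window moves after ICV verification."""
        if seq == 0:
            return False                        # ESP never uses sequence number 0
        if seq > self.highest:
            return True                         # newer than anything accepted
        diff = self.highest - seq
        if diff >= self.size:
            return False                        # too old: fell off the window
        return not (self.bitmap >> diff) & 1    # duplicate inside the window?

    def update(self, seq: int) -> None:
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)


class InboundSa:
    """One simplex SA: SPI, integrity key and its own replay window."""

    def __init__(self, spi: int, auth_key: bytes, window: int = 64):
        self.spi = spi
        self.auth_key = auth_key
        self.window = ReplayWindow(window)

    def icv(self, seq: int, payload: bytes) -> bytes:
        data = struct.pack("!II", self.spi, seq) + payload
        return hmac.new(self.auth_key, data, hashlib.sha256).digest()[:ICV_LEN]


def build_esp(sa: InboundSa, seq: int, payload: bytes) -> bytes:
    """Sender side: SPI, sequence number, payload, ICV (no encryption here)."""
    return struct.pack("!II", sa.spi, seq) + payload + sa.icv(seq, payload)


class Sad:
    """Inbound SAD keyed by (SPI, destination address)."""

    def __init__(self):
        self.sas: Dict[Tuple[int, str], InboundSa] = {}

    def add(self, dst: str, sa: InboundSa) -> None:
        self.sas[(sa.spi, dst)] = sa

    def receive(self, dst: str, packet: bytes) -> Optional[bytes]:
        """Return the protected payload, or None if the packet must be dropped."""
        if len(packet) < 8 + ICV_LEN:
            return None
        spi, seq = struct.unpack("!II", packet[:8])
        sa = self.sas.get((spi, dst))
        if sa is None:
            return None                         # no SA for this SPI: drop
        payload, icv = packet[8:-ICV_LEN], packet[-ICV_LEN:]
        if not sa.window.check(seq):
            return None                         # replayed or stale sequence number
        if not hmac.compare_digest(sa.icv(seq, payload), icv):
            return None                         # forged or corrupted: window untouched
        sa.window.update(seq)
        return payload
```

The order of the checks matters: the window is advanced only after the ICV verifies, so a forged packet carrying a high sequence number cannot push genuine packets out of the window, and a replayed packet is rejected before any integrity computation is spent on it.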

61 .1. } } } sp-1/0/0 { unit 0 { family inet { address 172.3. Juniper Networks. see the chapters that describe each service in detail. } } } fe-0/1/1 { unit 0 { family inet { filter { input Sample.2/24.2/24.16.16. Inc.3/24 { } } } } } Copyright © 2011. For examples showing individual service configurations.1.1.Chapter 3: Adaptive Services Overview Examples: Services Interfaces Configuration This section includes the following examples: • • • • • Example: Service Interfaces Configuration on page 61 Example: VPN Routing and Forwarding (VRF) and Service Configuration on page 64 Example: Dynamic Source NAT as a Next-Hop Service on page 65 Example: NAT Between VRFs Configuration on page 67 Example: BOOTP and Broadcast Addresses on page 70 Example: Service Interfaces Configuration The following configuration includes all the items necessary to configure services on an interface. [edit] interfaces { fe-0/1/0 { unit 0 { family inet { service { input { service-set Firewall-Set. } address 172. } output { service-set Firewall-Set. } } address 10.

term 1 { from { application-sets Applications.3.Junos 11. term Local { from { source-address { 62 Copyright © 2011. } } term accept { then { accept. . accept. } } } rule Rule2 { match-direction output. } then { accept. Inc. sample. flow-active-timeout 60.1.3. } } output { cflowd 10. Juniper Networks.1. source-address 10.1 { port 2055.4 Services Interfaces Configuration Guide forwarding-options { sampling { input { family inet { rate 1. version 5. interface sp-1/0/0 { engine-id 1. } } } } services { stateful-firewall { rule Rule1 { match-direction input.2. } flow-inactive-timeout 15. engine-type 136. } } } } firewall { filter Sample { term Sample { then { count Sample.

stateful-firewall-rules Rule2.Chapter 3: Adaptive Services Overview 10. Juniper Networks.3.16. term Translate { then { translated { source-pool public. } rule Private-Public { match-direction input. } } } } } nat { pool public { address-range low 172.32. interface-service { service-interface sp-1/0/0.1 high 172. 63 . term Match { from { application-sets Applications. } } } } } service-set Firewall-Set { stateful-firewall-rules Rule1. ids-rules Attacks. nat-rules Private-Public.1. } } then { accept. } } } } ids { rule Attacks { match-direction output. } } } applications { application ICMP { application-protocol icmp.2/32. port automatic. Inc.16. } application FTP { Copyright © 2011.2. translation-type source dynamic. } then { logging { syslog.2.

output service-set nat-me. } unit 20 { family inet. route-distinguisher 10. service-domain inside. } application-set Applications { application ICMP. destination-port ftp.0/0 next-table inet. } } } [edit interfaces] ge-0/2/0 { unit 0 { family inet { service { input service-set nat-me.Junos 11. } unit 21 { family inet.0.4 Services Interfaces Configuration Guide application-protocol ftp.20. Inc. } } Example: VPN Routing and Forwarding (VRF) and Service Configuration The following example combines VPN routing and forwarding (VRF) and services configuration: [edit policy-options] policy-statement test-policy { term t1 { then reject.58. service-domain outside. vrf-import test-policy.0. vrf-export test-policy. interface sp-1/3/0.255. application FTP.0. instance-type vrf. } } [edit routing-instances] test { interface ge-0/2/0. 64 Copyright © 2011.0.1:37. Juniper Networks. } } } } sp-1/3/0 { unit 0 { family inet. . routing-options { static { route 0.

} } } } } service-set nat-me { stateful-firewall-rules allow-any-input. } } } Example: Dynamic Source NAT as a Next-Hop Service The following example shows dynamic-source NAT applied as a next-hop service: [edit interfaces] ge-0/2/0 { unit 0 { family mpls. Juniper Networks. term t1 { then accept. } unit 20 { family inet. interface-service { service-interface sp-1/3/0. } } } nat { pool hide-pool { address 10.20. nat-rules hide-all-input.Chapter 3: Adaptive Services Overview } [edit services] stateful-firewall { rule allow-any-input { match-direction input. translation-type source dynamic. port automatic. } } sp-1/3/0 { unit 0 { family inet. } unit 32 { family inet. Inc. term t1 { then { translated { source-pool hide-pool. } Copyright © 2011. 65 .58. } rule hide-all-input { match-direction input.16.100.

17:37.58.32. routing-options { static { route 0. route-distinguisher 10. outside-service-interface sp-1/3/0.20.0. . vrf-export protected-domain-policy.Junos 11.16. translation-type source dynamic.58. } } } [edit policy-options] policy-statement protected-domain-policy { term t1 { then reject. } rule hide-all { match-direction input.20.0.100. Juniper Networks. } } } } nat { pool my-pool { address 10. term t1 { then { translated { source-pool my-pool. Inc. } 66 Copyright © 2011. } } } } } service-set null-sfw-with-nat { stateful-firewall-rules allow-all. } } [edit services] stateful-firewall { rule allow-all { match-direction input.255. port automatic.0. next-hop-service { inside-service-interface sp-1/3/0. term t1 { then { accept. interface sp-1/3/0. nat-rules hide-all.0/0 next-hop sp-1/3/0. vrf-import protected-domain-policy.4 Services Interfaces Configuration Guide } [edit routing-instances] protected-domain { interface ge-0/2/0.20. instance-type vrf.

Example: NAT Between VRFs Configuration
The following example configuration enables NAT between VRFs with overlapping private addresses, using distinct public addresses for the source and destination NAT in this scenario:
• A host in vrf-a traverses 10.16.0.101 to reach 10.58.0.2 in vrf-b.
• A host in vrf-b traverses 10.16.0.201 to reach 10.58.0.2 in vrf-a.

[edit interfaces]
ge-0/2/0 {
    unit 0 {
        family inet {
            address 10.58.0.1/24;
            service {
                input service-set vrf-a-svc-set;
                output service-set vrf-a-svc-set;
            }
        }
    }
}
ge-0/3/0 {
    unit 0 {
        family inet {
            address 10.58.0.1/24;
            service {
                input service-set vrf-b-svc-set;
                output service-set vrf-b-svc-set;
            }
        }
    }
}
sp-1/3/0 {
    unit 0 {
        family inet;
    }
    unit 10 {
        family inet;
        service-domain inside;
    }
    unit 20 {
        family inet;
        service-domain inside;
    }
}
[edit policy-options]
policy-statement test-policy {
    term t1 {
        then reject;
    }
}
[edit routing-instances]
vrf-a {
    interface ge-0/2/0.0;
    interface sp-1/3/0.10;
    instance-type vrf;
    route-distinguisher 10.58.0.1:1;
    vrf-import test-policy;
    vrf-export test-policy;
    routing-options {
        static {
            route 0.0.0.0/0 next-table inet.0;
        }
    }
}
vrf-b {
    interface ge-0/3/0.0;
    interface sp-1/3/0.20;
    instance-type vrf;
    route-distinguisher 10.58.0.2:2;
    vrf-import test-policy;
    vrf-export test-policy;
    routing-options {
        static {
            route 0.0.0.0/0 next-table inet.0;
        }
    }
}
[edit services]
stateful-firewall {
    rule allow-all {
        match-direction input-output;
        term t1 {
            then {
                accept;
            }
        }
    }
}
nat {
    pool vrf-a-src-pool {
        address 10.16.0.100;
        port automatic;
    }
    pool vrf-a-dst-pool {
        address 10.58.0.2;
    }
    rule vrf-a-input {
        match-direction input;
        term t1 {
            then {
                translated {
                    source-pool vrf-a-src-pool;
                    translation-type napt-44;
                }
            }
        }
    }
    rule vrf-a-output {
        match-direction output;
        term t1 {
            from {
                destination-address 10.16.0.201;
            }
            then {
                translated {
                    destination-pool vrf-b-dst-pool;
                    translation-type destination static;
                }
            }
        }
    }
    pool vrf-b-src-pool {
        address 10.16.0.200;
        port automatic;
    }
    pool vrf-b-dst-pool {
        address 10.58.0.2;
    }
    rule vrf-b-input {
        match-direction input;
        term t1 {
            then {
                translated {
                    source-pool vrf-b-src-pool;
                    translation-type source dynamic;
                }
            }
        }
    }
    rule vrf-b-output {
        match-direction output;
        term t1 {
            from {
                destination-address 10.16.0.101;
            }
            then {
                translated {
                    destination-pool vrf-a-dst-pool;
                    translation-type destination static;
                }
            }
        }
    }
}
service-set vrf-a-svc-set {
    stateful-firewall-rules allow-all;
    nat-rules vrf-a-input;
    nat-rules vrf-a-output;
    interface-service {
        service-interface sp-1/3/0.10;
    }
}
service-set vrf-b-svc-set {
    stateful-firewall-rules allow-all;
    nat-rules vrf-b-input;
    nat-rules vrf-b-output;
    interface-service {
        service-interface sp-1/3/0.20;
    }
}

Example: BOOTP and Broadcast Addresses
The following example supports Bootstrap Protocol (BOOTP) and broadcast addresses:

[edit applications]
application bootp {
    application-protocol bootp;
    protocol udp;
    destination-port 67;
}
[edit services]
stateful-firewall bootp-support {
    rule bootp-allow {
        direction input;
        term bootp-allow {
            from {
                destination-address {
                    any-unicast;
                    255.255.255.255;
                }
                application bootp;
            }
            then {
                accept;
            }
        }
    }
}

CHAPTER 4
Applications Configuration Guidelines

You can define application protocols for the stateful firewall and Network Address Translation (NAT) services to use in match condition rules. An application protocol, or application layer gateway (ALG), defines application parameters using information from network Layer 3 and above. Examples of such applications are FTP and H.323. To configure applications that are used with services, include the following statements at the [edit applications] hierarchy level:

[edit applications]
application application-name {
    application-protocol protocol-name;
    destination-port port-number;
    icmp-code value;
    icmp-type value;
    inactivity-timeout value;
    learn-sip-register;
    protocol type;
    rpc-program-number number;
    sip-call-hold-timeout seconds;
    snmp-command command;
    source-port port-number;
    ttl-threshold value;
    uuid hex-value;
}
application-set application-set-name {
    application application-name;
}

This chapter includes the following sections:
• Configuring Application Protocol Properties on page 72
• Configuring Application Sets on page 81
• ALG Descriptions on page 81
• Verifying the Output of ALG Sessions on page 88
• Junos Default Groups on page 94
• Examples: Configuring Application Protocols on page 101

Configuring Application Protocol Properties
To configure application properties, include the application statement at the [edit applications] hierarchy level:

[edit applications]
application application-name {
    application-protocol protocol-name;
    destination-port port-number;
    icmp-code value;
    icmp-type value;
    inactivity-timeout value;
    protocol type;
    rpc-program-number number;
    snmp-command command;
    source-port port-number;
    ttl-threshold value;
    uuid hex-value;
}

You can group application objects by configuring the application-set statement; for more information, see “Configuring Application Sets” on page 81.

This section includes the following tasks for configuring applications:
• Configuring an Application Protocol on page 72
• Configuring the Network Protocol on page 74
• Configuring the ICMP Code and Type on page 75
• Configuring Source and Destination Ports on page 77
• Configuring the Inactivity Timeout Period on page 80
• Configuring an SNMP Command for Packet Matching on page 80
• Configuring an RPC Program Number on page 80
• Configuring the TTL Threshold on page 80
• Configuring a Universal Unique Identifier on page 81

Configuring an Application Protocol
The application-protocol statement allows you to specify which of the supported application protocols (ALGs) to configure and include in an application set for service processing. To configure application protocols, include the application-protocol statement at the [edit applications application application-name] hierarchy level:

[edit applications application application-name]
application-protocol protocol-name;

Table 5 on page 73 shows the list of supported protocols. For more information about specific protocols, see “ALG Descriptions” on page 81.

Table 5: Application Protocols Supported by Services Interfaces
Protocol Name | CLI Value | Comments
Bootstrap protocol (BOOTP) | bootp | Supports BOOTP and dynamic host configuration protocol (DHCP). Requires the protocol statement to have the value udp. Requires a destination-port value.
Distributed Computing Environment (DCE) remote procedure call (RPC) | dce-rpc | Requires the protocol statement to have the value tcp or to be unspecified. Requires a uuid value. You cannot specify destination-port or source-port values.
DCE RPC portmap | dce-rpc-portmap | Requires the protocol statement to have the value tcp or to be unspecified. Requires a destination-port value.
Domain Name System (DNS) | dns | Requires the protocol statement to have the value udp or to be unspecified. Requires a destination-port value. This application protocol closes the DNS flow as soon as the DNS response is received.
Exec | exec | Requires the protocol statement to have the value tcp or to be unspecified. Requires a destination-port value.
FTP | ftp | Requires the protocol statement to have the value tcp or to be unspecified. Requires a destination-port value.
Internet Control Message Protocol (ICMP) | icmp | Requires the protocol statement to have the value icmp or to be unspecified.
IP | ip | –
Login | login | Requires the protocol statement to have the value tcp or to be unspecified. Requires a destination-port value.
NetBIOS | netbios | Requires the protocol statement to have the value udp or to be unspecified. Requires a destination-port or source-port value.
NetShow | netshow | Requires the protocol statement to have the value tcp or to be unspecified. Requires a destination-port value.
Real-Time Streaming Protocol (RTSP) | rtsp | Requires the protocol statement to have the value tcp or to be unspecified. Requires a destination-port value.
RPC, User Datagram Protocol (UDP) or TCP | rpc | Requires the protocol statement to have the value udp or tcp. Requires a rpc-program-number value. You cannot specify destination-port or source-port values.
RPC port mapping | rpc-portmap | Requires the protocol statement to have the value udp or tcp. Requires a destination-port value.
Shell | shell | Requires the protocol statement to have the value tcp or to be unspecified. Requires a destination-port value.
SNMP | snmp | Requires the protocol statement to have the value udp or tcp. Requires a destination-port value.
SQLNet | sqlnet | Requires the protocol statement to have the value tcp or to be unspecified. Requires a destination-port value.

Table 5: Application Protocols Supported by Services Interfaces (continued)
Protocol Name | CLI Value | Comments
Trace route | traceroute | Requires the protocol statement to have the value udp or to be unspecified. Requires a destination-port value.
Trivial FTP (TFTP) | tftp | Requires the protocol statement to have the value udp or to be unspecified. Requires a destination-port value.

NOTE: You can configure application-level gateways (ALGs) for ICMP and trace route under stateful firewall, NAT, or CoS rules when twice NAT is configured in the same service set. These ALGs cannot be applied to flows created by the Packet Gateway Controller Protocol (PGCP). Twice NAT does not support any other ALGs. For more information about configuring twice NAT, see Network Address Translation.

Configuring the Network Protocol
The protocol statement allows you to specify which of the supported network protocols to match in an application definition. To configure network protocols, include the protocol statement at the [edit applications application application-name] hierarchy level:

[edit applications application application-name]
protocol type;

You specify the protocol type as a numeric value; for the more commonly used protocols, text names are also supported in the command-line interface (CLI). NAT applies only the IP address and TCP or UDP headers, but not the payload. Table 6 on page 74 shows the list of the supported protocols.

Table 6: Network Protocols Supported by Services Interfaces
Network Protocol Type | CLI Value | Comments
IP Security (IPsec) authentication header (AH) | ah | –
External Gateway Protocol (EGP) | egp | –
IPsec Encapsulating Security Payload (ESP) | esp | –
Generic routing encapsulation (GRE) | gre | –
ICMP | icmp | Requires an application-protocol value of icmp.

Table 6: Network Protocols Supported by Services Interfaces (continued)
Network Protocol Type | CLI Value | Comments
Internet Group Management Protocol (IGMP) | igmp | –
IP in IP | ipip | –
OSPF | ospf | –
Protocol Independent Multicast (PIM) | pim | –
Resource Reservation Protocol (RSVP) | rsvp | –
TCP | tcp | Requires a destination-port or source-port value unless you specify application-protocol rpc or dce-rpc.
UDP | udp | Requires a destination-port or source-port value unless you specify application-protocol rpc or dce-rpc.
Virtual Router Redundancy Protocol (VRRP) | vrrp | –

For a complete list of possible numeric values, see RFC 1700, Assigned Numbers (for the Internet Protocol Suite).

NOTE: IP version 6 (IPv6) is not supported as a network protocol in application definitions.

By default, the twice NAT feature can affect IP, TCP, and UDP headers embedded in the payload of ICMP error messages. You can include the protocol tcp and protocol udp statements with the application statement for twice NAT configurations. For more information about configuring twice NAT, see Network Address Translation.

Configuring the ICMP Code and Type
The ICMP code and type provide additional specification, in conjunction with the network protocol, for packet matching in an application definition. To configure ICMP settings, include the icmp-code and icmp-type statements at the [edit applications application application-name] hierarchy level:

[edit applications application application-name]
icmp-code value;
icmp-type value;

You can include only one ICMP code and type value. The application-protocol statement must have the value icmp. Table 7 on page 76 shows the list of supported ICMP values.

Table 7: ICMP Codes and Types Supported by Services Interfaces
CLI Statement | Description
icmp-code | This value or keyword provides more specific information than icmp-type. Because the value’s meaning depends upon the associated icmp-type value, you must specify icmp-type along with icmp-code. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed). The keywords are grouped by the ICMP type with which they are associated:
    parameter-problem: ip-header-bad (0), required-option-missing (1)
    redirect: redirect-for-host (1), redirect-for-network (0), redirect-for-tos-and-host (3), redirect-for-tos-and-net (2)
    time-exceeded: ttl-eq-zero-during-reassembly (1), ttl-eq-zero-during-transit (0)
    unreachable: communication-prohibited-by-filtering (13), destination-host-prohibited (10), destination-host-unknown (7), destination-network-prohibited (9), destination-network-unknown (6), fragmentation-needed (4), host-precedence-violation (14), host-unreachable (1), host-unreachable-for-TOS (12), network-unreachable (0), network-unreachable-for-TOS (11), port-unreachable (3), precedence-cutoff-in-effect (15), protocol-unreachable (2), source-host-isolated (8), source-route-failed (5)
icmp-type | Normally, you specify this match in conjunction with the protocol match statement to determine which protocol is being used on the port. For more information, see the Junos OS Routing Policy Configuration Guide. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): echo-reply (0), echo-request (8), info-reply (16), info-request (15), mask-request (17), mask-reply (18), parameter-problem (12), redirect (5), router-advertisement (9), router-solicit (10), source-quench (4), time-exceeded (11), timestamp (13), timestamp-reply (14), or unreachable (3).

NOTE: If you configure an interface with an input firewall filter that includes a reject action and with a service set that includes stateful firewall rules, the router executes the input firewall filter before the stateful firewall rules are run on the packet. As a result, when the Packet Forwarding Engine sends an ICMP error message out through the interface, the stateful firewall rules might drop the packet because it was not seen in the input direction. Possible workarounds are to include a forwarding-table filter to perform the reject action, because this type of filter is executed after the stateful firewall in the input direction, or to include an output service filter to prevent the locally generated ICMP packets from going to the stateful firewall service.

Configuring Source and Destination Ports
The TCP or UDP source and destination port provide additional specification, in conjunction with the network protocol, for packet matching in an application definition. To configure ports, include the destination-port and source-port statements at the [edit applications application application-name] hierarchy level:

[edit applications application application-name]
destination-port value;
source-port value;

You must define one source or destination port. Normally, you specify this match in conjunction with the protocol match statement to determine which protocol is being used on the port; for constraints, see Table 5 on page 73. You can specify either a numeric value or one of the text synonyms listed in Table 8 on page 77.

Table 8: Port Names Supported by Services Interfaces
Port Name | Corresponding Port Number
afs | 1483
bgp | 179
biff | 512
bootpc | 68
bootps | 67
cmd | 514
cvspserver | 2401
dhcp | 67
domain | 53
eklogin | 2105
ekshell | 2106
exec | 512
finger | 79
ftp | 21
ftp-data | 20
http | 80
https | 443
ident | 113
imap | 143
kerberos-sec | 88
klogin | 543
kpasswd | 761
krb-prop | 754
krbupdate | 760
kshell | 544
ldap | 389
login | 513
mobileip-agent | 434
mobilip-mn | 435
msdp | 639
netbios-dgm | 138
netbios-ns | 137
netbios-ssn | 139
nfsd | 2049
nntp | 119
ntalk | 518
ntp | 123
pop3 | 110
pptp | 1723
printer | 515
radacct | 1813
radius | 1812
rip | 520
rkinit | 2108
smtp | 25
snmp | 161
snmptrap | 162
snpp | 444
socks | 1080
ssh | 22
sunrpc | 111
syslog | 514
tacacs-ds | 65
talk | 517
telnet | 23
tftp | 69
timed | 525
who | 513
xdmcp | 177
zephyr-clt | 2103
zephyr-hm | 2104

For more information about matching criteria, see the Junos OS Routing Policy Configuration Guide.

Configuring the Inactivity Timeout Period
You can specify a timeout period for application inactivity. If the software has not detected any activity during the duration, the flow becomes invalid when the timer expires. To configure a timeout period, include the inactivity-timeout statement at the [edit applications application application-name] hierarchy level:

[edit applications application application-name]
inactivity-timeout seconds;

The default value is 30 seconds. The value you configure for an application overrides any global value configured at the [edit interfaces interface-name service-options] hierarchy level; for more information, see “Configuring Default Timeout Settings for Services Interfaces” on page 614.

Configuring an SNMP Command for Packet Matching
You can specify an SNMP command setting for packet matching. To configure SNMP, include the snmp-command statement at the [edit applications application application-name] hierarchy level:

[edit applications application application-name]
snmp-command value;

The supported values are get, get-next, set, and trap. You can configure only one value for matching. The application-protocol statement at the [edit applications application application-name] hierarchy level must have the value snmp. For information about specifying the application protocol, see “Configuring an Application Protocol” on page 72.

Configuring an RPC Program Number
You can specify an RPC program number for packet matching. To configure an RPC program number, include the rpc-program-number statement at the [edit applications application application-name] hierarchy level:

[edit applications application application-name]
rpc-program-number number;

The range of values used for DCE or RPC is from 100,000 through 400,000. The application-protocol statement at the [edit applications application application-name] hierarchy level must have the value rpc. For information about specifying the application protocol, see “Configuring an Application Protocol” on page 72.

Configuring the TTL Threshold
You can specify a trace route time-to-live (TTL) threshold value, which controls the acceptable level of network penetration for trace routing. To configure a TTL value, include the ttl-threshold statement at the [edit applications application application-name] hierarchy level:

[edit applications application application-name]
ttl-threshold value;


The application-protocol statement at the [edit applications application application-name] hierarchy level must have the value traceroute. For information about specifying the application protocol, see “Configuring an Application Protocol” on page 72.

Configuring a Universal Unique Identifier
You can specify a Universal Unique Identifier (UUID) for DCE RPC objects. To configure a UUID value, include the uuid statement at the [edit applications application application-name] hierarchy level:

[edit applications application application-name]
uuid hex-value;

The uuid value is in hexadecimal notation. The application-protocol statement at the [edit applications application application-name] hierarchy level must have the value dce-rpc. For information about specifying the application protocol, see “Configuring an Application Protocol” on page 72. For more information on UUID numbers, see http://www.opengroup.org/onlinepubs/9629399/apdxa.htm.

Configuring Application Sets
You can group the applications you have defined into a named object by including the application-set statement at the [edit applications] hierarchy level with an application statement for each application:

[edit applications]
application-set application-set-name {
    application application;
}

For an example of a typical application set, see “Examples: Configuring Application Protocols” on page 101.

ALG Descriptions
This section includes details about the ALGs. It includes the following:
• Basic TCP ALG on page 82
• Basic UDP ALG on page 82
• BOOTP on page 83
• DCE RPC Services on page 83
• ONC RPC Services on page 83
• FTP on page 83
• ICMP on page 84
• NetShow on page 84
• RPC and RPC Portmap Services on page 84
• RTSP on page 86
• SMB on page 86
• SNMP on page 86


• SQLNet on page 87
• TFTP on page 87
• Traceroute on page 87
• UNIX Remote-Shell Services on page 87

Basic TCP ALG
This ALG performs basic sanity checking on TCP packets. If it finds errors, it generates the following anomaly events and system log messages:
• TCP source or destination port zero
• TCP header length check failed
• TCP sequence number zero and no flags are set
• TCP sequence number zero and FIN/PSH/RST flags are set
• TCP FIN/RST or SYN(URG|FIN|RST) flags set

The TCP ALG performs the following steps:
1. When the router receives a SYN packet, the ALG creates TCP forward and reverse flows and groups them in a conversation. It tracks the TCP three-way handshake.
2. The SYN-defense mechanism tracks the TCP connection establishment state. It expects the TCP session to be established within a small time interval (currently 4 seconds). If the TCP three-way handshake is not established in that period, the session is terminated.
3. A keepalive mechanism detects TCP sessions with nonresponsive endpoints.
4. ICMP errors are allowed only if there is a flow that matches the selector information specified in the ICMP data.
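The sanity checks and the SYN-defense timer described above, as an added Python model that is not part of the guide or of the Junos implementation; the segment builder, the event strings and my reading of the combined flag check ("FIN with RST, or SYN with any of URG/FIN/RST") are assumptions:

```python
import struct
from dataclasses import dataclass

# TCP flag bits (low 6 bits of the data-offset/flags field).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
SYN_DEFENSE_TIMEOUT = 4.0  # seconds, the interval the guide gives for SYN defense


def build_tcp(sport, dport, seq, flags, ack=0, data_offset_words=5, payload=b""):
    """Build a minimal TCP segment (constructed test input, not captured traffic)."""
    off_flags = (data_offset_words << 12) | flags
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, 65535, 0, 0) + payload


def parse_tcp(segment):
    """Parse the 20-byte fixed TCP header; raise on truncation."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "hdr_len": (off_flags >> 12) * 4, "flags": off_flags & 0x3F,
            "total_len": len(segment)}


def tcp_anomalies(segment):
    """Return the anomaly events listed in the guide, in the order they are checked.
    The last check is my reading of 'FIN/RST or SYN(URG|FIN|RST)': FIN together
    with RST, or SYN together with any of URG, FIN, RST (assumption)."""
    h = parse_tcp(segment)
    f = h["flags"]
    events = []
    if h["sport"] == 0 or h["dport"] == 0:
        events.append("TCP source or destination port zero")
    if h["hdr_len"] < 20 or h["hdr_len"] > h["total_len"]:
        events.append("TCP header length check failed")
    if h["seq"] == 0 and f == 0:
        events.append("TCP sequence number zero and no flags are set")
    if h["seq"] == 0 and f & (FIN | PSH | RST):
        events.append("TCP sequence number zero and FIN/PSH/RST flags are set")
    if (f & FIN and f & RST) or (f & SYN and f & (URG | FIN | RST)):
        events.append("TCP FIN/RST or SYN(URG|FIN|RST) flags set")
    return events


@dataclass
class Conversation:
    opened: float        # time the SYN was seen
    state: str = "SYN"   # SYN -> SYN_ACK -> ESTABLISHED


class TcpAlg:
    """Conversation tracking plus SYN defense: a conversation that has not completed
    the three-way handshake within SYN_DEFENSE_TIMEOUT is torn down."""

    def __init__(self):
        self.conversations = {}

    def process(self, src_ip, dst_ip, segment, now):
        events = tcp_anomalies(segment)
        if events:
            return "drop: " + events[0]
        h = parse_tcp(segment)
        # One key for both directions: forward and reverse flows form one conversation.
        key = frozenset({(src_ip, h["sport"]), (dst_ip, h["dport"])})
        f = h["flags"]
        conv = self.conversations.get(key)
        if conv is None:
            if f & SYN and not f & ACK:
                self.conversations[key] = Conversation(opened=now)
                return "accept"
            return "drop: no conversation for non-SYN segment"
        if conv.state != "ESTABLISHED":
            if now - conv.opened > SYN_DEFENSE_TIMEOUT:
                del self.conversations[key]  # handshake did not complete in time
                return "drop: SYN defense timeout"
            if f & SYN and f & ACK:
                conv.state = "SYN_ACK"
            elif f & ACK and conv.state == "SYN_ACK":
                conv.state = "ESTABLISHED"
        return "accept"
```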

Basic UDP ALG
This ALG performs basic sanity checking on UDP headers. If it finds errors, it generates the following anomaly events and system log messages:
• UDP source or destination port 0
• UDP header length check failed

The UDP ALG performs the following steps:
1. When it receives the first packet, the ALG creates bidirectional flows to accept forward and reverse UDP session traffic.
2. If the session is idle for more than the maximum allowed idle time (the default is 30 seconds), the flows are deleted.
3. ICMP errors are allowed only if there is a flow that matches the selector information specified in the ICMP data.


BOOTP
The Bootstrap Protocol client retrieves its networking information from a server across the network. It sends out a general broadcast message to request the information, which is returned by the Bootstrap Protocol server. For the protocol specification, see ftp://ftp.isi.edu/in-notes/rfc951.txt. Stateful firewall support requires that you configure the BOOTP ALG on UDP server port 67 and client port 68. If the client sends a broadcast message, you should configure the broadcast address in the from statement of the service rule. NAT is not performed on the BOOTP traffic, even if the NAT rule matches the traffic. If the BOOTP relay feature is activated on the router, the remote BOOTP server is assumed to assign addresses for clients masked by NAT translation.

DCE RPC Services
DCE RPC services are mainly used by Microsoft applications. The ALG uses well-known TCP port 135 for port mapping services and uses the Universal Unique Identifier (UUID) instead of the program number to identify protocols. The main application-based DCE RPC is the Microsoft Exchange Protocol. Support for stateful firewall and NAT services requires that you configure the DCE RPC portmap ALG on TCP port 135. The DCE RPC ALG uses the TCP protocol with application-specific UUIDs.

ONC RPC Services
ONC RPC services function similarly to DCE RPC services. However, the ONC RPC ALG uses TCP/UDP port 111 for port mapping services and uses the program number to identify protocols rather than the UUID. Support for stateful firewall and NAT services requires that you configure the ONC RPC portmap ALG on TCP port 111. The ONC RPC ALG uses the TCP protocol with application-specific program numbers.

FTP
FTP is the File Transfer Protocol, specified in RFC 959. In addition to the main control connection, data connections are also made for any data transfer between the client and the server, and the host, port, and direction are negotiated through the control channel. For non-passive-mode FTP, the Junos stateful firewall service scans the client-to-server application data for the PORT command, which provides the IP address and port number to which the server connects. For passive-mode FTP, the Junos stateful firewall service scans the client-to-server application data for the PASV command and then scans the server-to-client responses for the 227 response, which contains the IP address and port number to which the client connects. There is an additional complication: FTP represents these addresses and port numbers in ASCII. As a result, when addresses and ports are rewritten, the TCP sequence number might be changed, and thereafter the NAT service needs to maintain this delta in SEQ and ACK numbers by performing sequence NAT on all subsequent packets. Support for stateful firewall and NAT services requires that you configure the FTP ALG on TCP port 21 to enable the FTP control protocol. The ALG performs the following tasks:
• Automatically allocates data ports and firewall permissions for dynamic data connection
• Creates flows for the dynamically negotiated data connection
• Monitors the control connection in both active and passive modes
• Rewrites the control packets with the appropriate NAT address and port information
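The PORT/PASV monitoring, pinhole creation, NAT rewrite of the ASCII address, and SEQ/ACK delta bookkeeping described above, as an added Python model that is not Juniper's code; the NAT address 203.0.113.5, the public port range and the pinhole record shape are assumptions:

```python
import re

# RFC 959 HOST-PORT syntax: h1,h2,h3,h4,p1,p2 in a PORT command or a 227 reply.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")
PASV_RE = re.compile(r"^227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(fields):
    """h1,h2,h3,h4,p1,p2 -> (ip, port); rejects out-of-range octets."""
    vals = [int(x) for x in fields]
    if any(v > 255 for v in vals):
        raise ValueError("HOST-PORT octet out of range")
    h1, h2, h3, h4, p1, p2 = vals
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def encode_hostport(ip, port):
    if not 0 < port <= 65535:
        raise ValueError("bad port")
    return ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])


class FtpAlg:
    """Watches the control connection (client on the private side of a NAT),
    opens pinholes for the negotiated data connection, rewrites PORT with the
    NAT address, and tracks the byte delta that rewrite introduces.
    nat_ip and the public port allocator are assumptions of this model."""

    def __init__(self, nat_ip, first_public_port=40000):
        self.nat_ip = nat_ip
        self.next_port = first_public_port
        self.port_map = {}       # public port -> (private ip, private port)
        self.pinholes = []       # (who connects, (dst ip, dst port)) for expected data connections
        self.delta = 0           # bytes added to the client->server byte stream so far
        self.awaiting_pasv = False

    def client_to_server(self, line):
        """Return the control line as the server should see it (PORT is rewritten)."""
        m = PORT_RE.match(line)
        if m:
            priv_ip, priv_port = decode_hostport(m.groups())
            pub_port = self.next_port
            self.next_port += 1
            self.port_map[pub_port] = (priv_ip, priv_port)
            # Active mode: the server connects to the address the client announced,
            # so the pinhole is for a server->client connection to the NAT address.
            self.pinholes.append(("server", (self.nat_ip, pub_port)))
            new_line = f"PORT {encode_hostport(self.nat_ip, pub_port)}\r\n"
            # The address is ASCII, so the rewrite changes the segment length and
            # every later client segment needs its SEQ shifted by the cumulative delta.
            self.delta += len(new_line) - len(line)
            return new_line
        if line.upper().startswith("PASV"):
            self.awaiting_pasv = True
        return line

    def server_to_client(self, line):
        """Passive mode: the 227 reply names the address the client will connect to.
        A 227 that no PASV asked for opens nothing."""
        m = PASV_RE.match(line)
        if m and self.awaiting_pasv:
            self.awaiting_pasv = False
            self.pinholes.append(("client", decode_hostport(m.groups())))
        return line

    def fix_seq_ack(self, direction, seq, ack):
        """Sequence NAT: client->server SEQ grows by delta, server->client ACK shrinks by it."""
        if direction == "c2s":
            return (seq + self.delta) & 0xFFFFFFFF, ack
        return seq, (ack - self.delta) & 0xFFFFFFFF
```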

ICMP
The Internet Control Message Protocol (ICMP) is defined in RFC 792. The Junos stateful firewall service allows ICMP messages to be filtered by specific type or specific type code value. ICMP error packets that lack a specifically configured type and code are matched against any existing flow in the opposite direction to check for the legitimacy of the error packet. ICMP error packets that pass the filter matching are subject to NAT translation. The ICMP ALG always tracks ping traffic statefully using the ICMP sequence number. Each echo reply is forwarded only if there is an echo request with the corresponding sequence number. For any ping flow, only 20 echo requests can be forwarded without receiving an echo reply. When you configure dynamic NAT, the PING packet identifier is translated to allow additional hosts in the NAT pool to use the same identifier. Support for stateful firewall and NAT services requires that you configure the ICMP ALG if the protocol is needed. You can configure the ICMP type and code for additional filtering.
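Stateful ping tracking by sequence number, the 20-request limit, identifier translation under dynamic NAT, and the check that an ICMP error names an existing flow (the rule the Basic TCP and UDP ALG steps also state), as an added Python model that is not the Junos implementation; the addresses and the shape of the flow table are assumptions:

```python
from collections import deque

ECHO_REPLY, ECHO_REQUEST = 0, 8
ICMP_ERROR_TYPES = {3, 11, 12}   # unreachable, time-exceeded, parameter-problem
MAX_OUTSTANDING = 20             # echo requests allowed without a reply (from the guide)


class IcmpAlg:
    """nat_ip is the dynamic-NAT address (None disables identifier translation)."""

    def __init__(self, nat_ip=None):
        self.nat_ip = nat_ip
        self.pings = {}        # (private src, dst, private ident) -> unanswered sequence numbers
        self.l4_flows = set()  # (proto, src, sport, dst, dport) flows already accepted
        self.ident_out = {}    # (private src, private ident) -> public ident
        self.ident_in = {}     # public ident -> (private src, private ident)
        self._next_ident = 1

    def _public_ident(self, src, ident):
        # Two private hosts may use the same identifier; each gets its own public one.
        if (src, ident) not in self.ident_out:
            pub = self._next_ident
            self._next_ident += 1
            self.ident_out[(src, ident)] = pub
            self.ident_in[pub] = (src, ident)
        return self.ident_out[(src, ident)]

    def echo_request(self, src, dst, ident, seq):
        """Returns (verdict, (source, identifier) as they leave the NAT)."""
        pending = self.pings.setdefault((src, dst, ident), deque())
        if len(pending) >= MAX_OUTSTANDING:
            return "drop: too many echo requests without a reply", None
        pending.append(seq)
        if self.nat_ip is None:
            return "accept", (src, ident)
        return "accept", (self.nat_ip, self._public_ident(src, ident))

    def echo_reply(self, src, dst, ident, seq):
        """dst and ident are as seen on the wire (public side when NAT is on).
        Returns (verdict, (private destination, private identifier))."""
        priv_dst, priv_ident = dst, ident
        if self.nat_ip is not None:
            if ident not in self.ident_in:
                return "drop: unknown identifier", None
            priv_dst, priv_ident = self.ident_in[ident]
        pending = self.pings.get((priv_dst, src, priv_ident))
        if not pending or seq not in pending:
            return "drop: no echo request with this sequence number", None
        pending.remove(seq)  # one reply per request
        return "accept", (priv_dst, priv_ident)

    def add_flow(self, proto, src, sport, dst, dport):
        self.l4_flows.add((proto, src, sport, dst, dport))

    def icmp_error(self, icmp_type, inner):
        """inner is the 5-tuple parsed from the IP/transport header the error carries,
        i.e. the packet that triggered it. It is allowed only if that packet belongs
        to a flow the firewall already holds."""
        if icmp_type not in ICMP_ERROR_TYPES:
            return "drop: not an ICMP error type"
        if inner in self.l4_flows:
            return "accept"
        return "drop: embedded packet matches no existing flow"
```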

NetShow
The Microsoft protocol ms-streaming is used by NetShow, the Microsoft media server. This protocol supports several transport protocols: TCP, UDP, and HTTP. The client starts a TCP connection on port 1755 and sends the PORT command to the server. The server then starts UDP on that port to the client. Support for stateful firewall and NAT services requires that you configure the NetShow ALG on UDP port 1755.

RPC and RPC Portmap Services
The Remote Procedure Call (RPC) ALG uses well-known ports TCP 111 and UDP 111 for port mapping, which dynamically assigns and opens ports for RPC services. The RPC Portmap ALG keeps track of port requests and dynamically opens the firewall for these requested ports. The RPC ALG can further restrict the RPC protocol by specifying allowed program numbers. The ALG includes the RPC services listed in Table 9 on page 85:


Table 9: Supported RPC Services
Name | Description | Comments
rpc-mountd | Network File Server (NFS) mount daemon; for details, see the UNIX man page for rpc.mountd(8). | The base support is RPC v2 and the port mapper service on port 111 (see RFC 1050).
rpc-nfsprog | Used as part of NFS. For details, see RFC 1094. See also RFC 1813 for NFS v3. | The base support is RPC v2 and the port mapper service on port 111 (see RFC 1050).
rpc-nisplus | Network Information Service Plus (NIS+), designed to replace NIS; it is a default naming service for Sun Solaris and is not related to the old NIS. No protocol information is available. | The base support is RPC v2 and the port mapper service on port 111 (see RFC 1050).
rpc-nlockmgr | Network lock manager. | The base support is RPC v2 and the port mapper service on port 111 (see RFC 1050). Once the RPC program table is built, rpc-nlockmgr service can be allowed or blocked based on RPC program 100021.
rpc-pcnfsd | |
rpc-rstat | Kernel statistics server. For details, see the UNIX man pages for rstatd and rpc.rstatd. | The base support is RPC v2 and the port mapper service on port 111 (see RFC 1050). Once the RPC program table is built, rpc-rstat service can be allowed or blocked based on RPC program 150001.
rpc-rwall | Used to write a message to users; for details, see the UNIX man page for rpc.rwalld. | The base support is RPC v2 and the port mapper service on port 111 (see RFC 1050). Once the RPC program table is built, rpc-rwall service can be allowed or blocked based on RPC program 150008.
rpc-ypbind | NIS binding process. For details, see the UNIX man page for ypbind. | The base support is RPC v2 and the port mapper service on port 111 (see RFC 1050). Once the RPC program table is built, rpc-ypbind service can be allowed or blocked based on RPC program 100007.
rpc-yppasswd | NIS password server. For details, see the UNIX man page for yppasswd. | The base support is RPC v2 and the port mapper service on port 111 (see RFC 1050). Once the RPC program table is built, rpc-yppasswd service can be allowed or blocked based on RPC program 100009.
rpc-ypserv | NIS server. For details, see the UNIX man page for ypserv. | The base support is RPC v2 and the port mapper service on port 111 (see RFC 1050). Once the RPC program table is built, rpc-ypserv service can be allowed or blocked based on RPC program 100004.
rpc-ypupdated | Network updating tool. | The base support is RPC v2 and the port mapper service on port 111 (see RFC 1050). Once the RPC program table is built, rpc-ypupdated service can be allowed or blocked based on RPC program 100028.
rpc-ypxfrd | NIS map transfer server. For details, see the UNIX man page for rpc.ypxfrd. | The base support is RPC v2 and the port mapper service on port 111 (see RFC 1050). Once the RPC program table is built, rpc-ypxfrd service can be allowed or blocked based on RPC program 100069.


Support for stateful firewall and NAT services that use port mapping requires that you configure the RPC portmap ALG on TCP/UDP destination port 111 and the RPC ALG for both TCP and UDP. You can specify one or more rpc-program-number values to further restrict allowed RPC protocols.

RTSP
The Real-Time Streaming Protocol (RTSP) controls the delivery of data with real-time properties such as audio and video. The streams controlled by RTSP may use RTP, but it is not required. Media may be transmitted on the same RTSP control stream. This is an HTTP-like text-based protocol, but client and server maintain session information. A session is established using the SETUP message and terminated using the TEARDOWN message. The transport (the media protocol, address, and port numbers) is negotiated in the setup and the setup-response. Support for stateful firewall and NAT services requires that you configure the RTSP ALG for TCP port 554. The ALG monitors the control connection, opens flows dynamically for media (RTP/RTSP) streams, and performs NAT address and port rewrites.

SMB
Server message block (SMB) is a popular PC protocol that allows sharing of files, disks, directories, printers, and in some cases, COM ports across a network. SMB is a client/server, request-response-based protocol. Though there are some exceptions to this, most of the communication takes place using the request reply paradigm. Servers make file systems and resources available to clients on the network. Clients can send commands (smbs) to the server that allow them to access these shared resources. SMB can run over multiple protocols, including TCP/IP, NetBEUI, and IPX/SPX. In almost all cases, the NetBIOS interface is used. Microsoft is trying to rename SMB-based networking to Windows Networking and the protocol to CIFS. The SMB protocol is undocumented, although there is a public CIFS group. For more information, refer to the following link on CIFS: ftp://ftp.microsoft.com/developr/drg/CIFS/. The SMB name service uses well-known UDP and TCP port 137, without requiring a special ALG. For NetBIOS data tunneled through UDP port 138 or TCP port 139, you must configure the NetBIOS ALG. Support for stateful firewall and NAT services requires that you configure the NetBIOS ALG on UDP port 138 and TCP port 139. For SMB name services, both TCP and UDP port 137 must be opened, without a special ALG.

SNMP
SNMP is a communication protocol for managing TCP/IP networks, including both individual network devices and aggregated devices. The protocol is defined by RFC 1157 and runs on top of UDP. The Junos stateful firewall service implements the SNMP ALG to inspect the SNMP PDU type. Because SNMP is a datagram protocol, there is no stateful flow for the firewall to enforce; instead, each SNMP PDU type must be enabled specifically. Full SNMP support in the stateful firewall requires that you configure the SNMP ALG on UDP port 161. This enables the SNMP get and get-next commands, as well as their response traffic in the reverse direction (UDP port 161 enables the SNMP get-response command). If SNMP traps are permitted, you can configure them on UDP port 162, which enables the SNMP trap command.

SQLNet
The SQLNet protocol is used by Oracle SQL servers to execute SQL commands from clients, including load balancing and application-specific services. Support of stateful firewall and NAT services requires that you configure the SQLNet ALG for TCP port 1521. The ALG monitors the control packets, opens flows dynamically for data traffic, and performs NAT address and port rewrites.

TFTP
The Trivial File Transfer Protocol (TFTP) is specified in RFC 1350. The initial TFTP request is sent to UDP destination port 69, but the server answers from a freshly chosen ephemeral port rather than from port 69 (RFC 1350, section 4), so each get or put of an individual file creates an additional flow that cannot be predicted from the request alone. Support of stateful firewall and NAT services therefore requires that you configure the TFTP ALG for UDP destination port 69; the ALG opens the flow for each transfer dynamically.

Traceroute
Traceroute is a tool for displaying the route that packets take to a network host. It uses the IP TTL field to trigger ICMP time-exceeded messages from the routers or gateways along the path. It sends UDP datagrams to destination ports that are believed to be not in use; the destination port of each probe is computed as base port + nhops – 1, and the default base port is 33434. To support traceroute through the firewall, two types of traffic must be passed:
1. UDP probe packets (UDP destination port > 33000, IP TTL < 30)
2. ICMP response packets (ICMP type time-exceeded)
When NAT is applied, the IP address and port carried inside the ICMP error packet (the quoted header of the original probe) also need to be translated, not only the outer header; otherwise the client cannot match the error to the probe it sent. Support of stateful firewall and NAT services requires you to configure the Traceroute ALG for UDP destination ports 33434 through 33450. In addition, you can configure the TTL threshold (ttl-threshold) to prevent UDP flood attacks that use large TTL values: probes whose TTL exceeds the threshold are discarded rather than treated as traceroute.
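What makes traceroute awkward under NAT is the quoted header inside the ICMP error: the router that generated the time-exceeded message saw the translated source address and port, so the error comes back addressed to the NAT pool address and quotes the translated probe. The following Python example is added to show that rewrite end to end; it is not Juniper code and not part of this guide. It builds an IPv4 ICMP time-exceeded packet for a NATed probe (constructed bytes; the NAT binding between 1.1.79.2 and 194.250.1.237 is borrowed from the FTP example in this chapter as an assumption, and the router and port numbers are invented), rewrites the outer destination and the quoted inner source back to the private endpoint, recomputes the inner IP checksum and the ICMP checksum, and verifies the result. It also shows the two tests the Traceroute ALG applies to a probe, destination port in the configured range and TTL not above the threshold, using the junos-traceroute defaults listed later in this chapter.

```python
"""Reverse source NAT on an ICMP time-exceeded error (added example, not Junos code)."""
from __future__ import annotations

import socket
import struct

# Assumed NAT binding for the example: private client endpoint and its translated one.
PRIVATE = ("1.1.79.2", 40000)
PUBLIC = ("194.250.1.237", 50200)
TARGET = "2.2.2.2"        # traceroute destination
ROUTER = "10.0.0.1"       # intermediate hop that emits the ICMP error (invented)


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; data carrying a valid checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def probe_port(base: int, nhops: int) -> int:
    """Destination port of the probe for hop nhops: base + nhops - 1."""
    return base + nhops - 1


def is_traceroute_probe(dport: int, ttl: int, ports=(33435, 33450), ttl_threshold=30) -> bool:
    """The match the Traceroute ALG applies (junos-traceroute defaults assumed)."""
    return ports[0] <= dport <= ports[1] and ttl <= ttl_threshold


def build_time_exceeded(sport: int, dport: int) -> bytes:
    """ICMP type 11 / code 0 as the router would emit it for a probe seen *after* NAT:
    the quoted inner IP+UDP header carries the translated source address and port.
    The quoted UDP checksum is left at 0 (not computed); a real rewrite would adjust it too."""
    inner_ip = ipv4_header(PUBLIC[0], TARGET, 17, 8 + 32, ttl=1)   # original probe had a 32-byte body
    inner_udp = struct.pack("!HHHH", sport, dport, 8 + 32, 0)     # first 8 bytes of the probe's payload
    icmp = bytearray(struct.pack("!BBHI", 11, 0, 0, 0) + inner_ip + inner_udp)
    struct.pack_into("!H", icmp, 2, checksum(bytes(icmp)))
    return ipv4_header(ROUTER, PUBLIC[0], 1, len(icmp)) + bytes(icmp)


def quoted_endpoints(pkt: bytes) -> tuple[str, int, str, int]:
    """(src, sport, dst, dport) of the probe quoted inside an ICMP error."""
    ihl = (pkt[0] & 0x0F) * 4
    inner = pkt[ihl + 8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    src, dst = socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return src, sport, dst, dport


def untranslate_icmp_error(pkt: bytes) -> bytes:
    """Undo source NAT on an inbound ICMP error: rewrite the outer destination and the
    quoted inner source back to PRIVATE and fix every checksum the rewrite invalidated."""
    ihl = (pkt[0] & 0x0F) * 4
    outer, icmp = bytearray(pkt[:ihl]), bytearray(pkt[ihl:])
    if pkt[9] != 1 or icmp[0] not in (3, 11):      # only destination-unreachable / time-exceeded
        raise ValueError("not an ICMP error packet")
    if quoted_endpoints(pkt)[:2] != PUBLIC:
        raise ValueError("quoted probe does not match the NAT binding")
    inner_off = 8
    inner_ihl = (icmp[inner_off] & 0x0F) * 4
    udp_off = inner_off + inner_ihl
    icmp[inner_off + 12:inner_off + 16] = socket.inet_aton(PRIVATE[0])   # inner source address
    struct.pack_into("!H", icmp, udp_off, PRIVATE[1])                    # inner source port
    struct.pack_into("!H", icmp, inner_off + 10, 0)                       # inner IP checksum
    struct.pack_into("!H", icmp, inner_off + 10, checksum(bytes(icmp[inner_off:udp_off])))
    struct.pack_into("!H", icmp, 2, 0)                                     # ICMP checksum
    struct.pack_into("!H", icmp, 2, checksum(bytes(icmp)))
    outer[16:20] = socket.inet_aton(PRIVATE[0])                            # outer destination
    struct.pack_into("!H", outer, 10, 0)                                   # outer IP checksum
    struct.pack_into("!H", outer, 10, checksum(bytes(outer)))
    return bytes(outer + icmp)


def checksums_ok(pkt: bytes) -> bool:
    ihl = (pkt[0] & 0x0F) * 4
    return checksum(pkt[:ihl]) == 0 and checksum(pkt[ihl:]) == 0


if __name__ == "__main__":
    err = build_time_exceeded(PUBLIC[1], probe_port(33434, 3))
    fixed = untranslate_icmp_error(err)
    print(quoted_endpoints(err), "->", quoted_endpoints(fixed), checksums_ok(fixed))
```

The binding check before the rewrite is the important part: an ICMP error whose quoted probe matches no existing translation should not be forwarded inward at all, since it could only have been forged.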

UNIX Remote-Shell Services
Three protocols form the basis for UNIX remote-shell services:
Exec—Remote command execution; enables a user on the client system to execute a command on the remote system. The first connection from client (rcmd) to server (rshd) uses well-known TCP port 512. A second TCP connection can be opened at the request of rcmd; the client port number for the second connection is sent to the server as an ASCII string in the payload, which is why an ALG has to inspect the first connection.
Login—Better known as rlogin; uses well-known TCP port 513. For details, see RFC 1282. No special firewall processing is required.
Shell—Remote command execution; enables a user on the client system to execute a command on the remote system. The first connection from client (rcmd) to server (rshd) uses well-known TCP port 514. A second TCP connection can be opened at the request of rcmd; the client port number for the second connection is sent to the server as an ASCII string.
Support of stateful firewall services requires that you configure the Exec ALG on TCP port 512, the Login ALG on TCP port 513, and the Shell ALG on TCP port 514. NAT for remote-shell services requires that any dynamic source port assigned be within the port range 512 to 1023, because the server accepts these connections only from a reserved (privileged) port. If you configure a NAT pool, this port range is reserved exclusively for remote-shell applications.

Verifying the Output of ALG Sessions
This section contains examples of successful output from ALG sessions and information on system log configuration. You can compare the results of your sessions to check whether the configurations are functioning correctly.
• FTP Example on page 88
• RTSP ALG Example on page 91
• System Log Messages on page 93

FTP Example
This example analyzes the output during an active FTP session. It consists of four different flows; two are control flows and two are data flows. The example consists of the following parts:
• Sample Output on page 88
• FTP System Log Messages on page 89
• Analysis on page 90
• Troubleshooting Questions on page 90

Sample Output
The following is a complete sample output from the show services stateful-firewall conversations application-protocol ftp operational mode command:
user@host> show services stateful-firewall conversations application-protocol ftp
Interface: ms-1/3/0, Service set: CLBJI1-AAF001
Conversation: ALG protocol: ftp
  Number of initiators: 2, Number of responders: 2
Flow                                              State    Dir   Frm count
TCP 1.1.79.2:14083 -> 2.2.2.2:21                  Watch    I        13
  NAT source 1.1.79.2:14083 -> 194.250.1.237:50118
TCP 1.1.79.2:14104 -> 2.2.2.2:20                  Forward  I         3
  NAT source 1.1.79.2:14104 -> 194.250.1.237:50119
TCP 2.2.2.2:21 -> 194.250.1.237:50118             Watch    O        12
  NAT dest 194.250.1.237:50118 -> 1.1.79.2:14083
TCP 2.2.2.2:20 -> 194.250.1.237:50119             Forward  O         5
  NAT dest 194.250.1.237:50119 -> 1.1.79.2:14104


For each flow, the first line shows flow information, including protocol (TCP), source address, source port, destination address, destination port, flow state, direction, and frame count.

The state of a flow can be Watch, Forward, or Drop:
• A Watch flow state indicates that the control flow is monitored by the ALG for information in the payload. NAT processing is performed on the header and payload as needed.
• A Forward flow forwards the packets without monitoring the payload. NAT is performed on the header as needed.
• A Drop flow drops any packet that matches the 5-tuple.
The frame count (Frm count) shows the number of packets that were processed on that flow.
The second line shows the NAT information:
• source indicates source NAT.
• dest indicates destination NAT.
• The first address and port in the NAT line are the original address and port being translated for that flow. The second address and port in the NAT line are the translated address and port for that flow.

FTP System Log Messages
System log messages are generated during an FTP session. For more information about system logs, see “System Log Messages” on page 93. The following system log messages are generated during creation of the FTP control flow:

Rule Accept system log:
Oct 27 11:42:54 (FPC Slot 1, PIC Slot 1) {ss_ftp}[FWNAT]: ASP_SFW_RULE_ACCEPT: proto 6 (TCP) application: ftp, fe-3/3/3.0:1.1.1.2:4450 -> 2.2.2.2:21, Match SFW accept rule-set:, rule: ftp, term: 1

Create Accept Flow system log:
Oct 27 11:42:54 (FPC Slot 1, PIC Slot 1) {ss_ftp}[FWNAT]: ASP_SFW_CREATE_ACCEPT_FLOW: proto 6 (TCP) application: ftp, fe-3/3/3.0:1.1.1.2:4450 -> 2.2.2.2:21, creating forward or watch flow

System log for data flow creation:
Oct 27 11:43:30 (FPC Slot 1, PIC Slot 1) {ss_ftp}[FWNAT]: ASP_SFW_FTP_ACTIVE_ACCEPT: proto 6 (TCP) application: ftp, so-2/1/2.0:2.2.2.2:20 -> 1.1.1.2:50726, Creating FTP active mode forward flow


Analysis
Control Flows
The control flows are established after the three-way handshake is complete.
Control flow from FTP client to FTP server. TCP destination port is 21:
TCP 1.1.79.2:14083 -> 2.2.2.2:21                  Watch    I        13
  NAT source 1.1.79.2:14083 -> 194.250.1.237:50118
Control flow from FTP server to FTP client. TCP source port is 21:
TCP 2.2.2.2:21 -> 194.250.1.237:50118             Watch    O        12
  NAT dest 194.250.1.237:50118 -> 1.1.79.2:14083
Data Flows
A data port of 20 is negotiated for data transfer during the course of the FTP control protocol. These two flows are the data flows between the FTP client and the FTP server:
TCP 1.1.79.2:14104 -> 2.2.2.2:20                  Forward  I         3
  NAT source 1.1.79.2:14104 -> 194.250.1.237:50119
TCP 2.2.2.2:20 -> 194.250.1.237:50119             Forward  O         5
  NAT dest 194.250.1.237:50119 -> 1.1.79.2:14104
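The Watch state on the control flows exists because the FTP data connection is announced inside the control channel: an active-mode client sends PORT h1,h2,h3,h4,p1,p2 carrying its own private address, and under source NAT that text must be rewritten to the translated address and port before it reaches the server, while the matching data flow is opened in advance. The following Python example is added to show that processing; it is not Juniper code and not part of this guide. The NAT binding (1.1.79.2 translated to 194.250.1.237) and the server address are taken from the sample output above; the control-channel lines, the pool port allocator and the port numbers are constructed for the example. It also applies the check an ALG must make against FTP bounce: a PORT command naming any host other than the connection's own client is refused rather than pinholed.

```python
"""FTP ALG payload inspection and NAT rewrite (added example, not Junos code)."""
from __future__ import annotations

import re

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$", re.I)
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\).*\r\n$")


def decode_hostport(fields) -> tuple[str, int]:
    """h1,h2,h3,h4,p1,p2 -> ('h1.h2.h3.h4', p1*256+p2), rejecting out-of-range octets."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in fields)
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("malformed host-port")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def encode_hostport(ip: str, port: int) -> str:
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


class FtpAlg:
    """ALG state for one FTP control conversation between a client behind source NAT
    and a server. Pinholes are (proto, src, sport, dst, dport); None means any port."""

    def __init__(self, client_private: str, client_public: str, server: str,
                 first_pool_port: int = 50119):
        self.client_private, self.client_public, self.server = client_private, client_public, server
        self._next_port = first_pool_port        # hypothetical NAT pool port allocator
        self.bindings: list[tuple[tuple[str, int], tuple[str, int]]] = []
        self.pinholes: list[tuple] = []

    def _allocate_port(self) -> int:
        port, self._next_port = self._next_port, self._next_port + 1
        return port

    def client_to_server(self, line: str) -> str:
        """Inspect a client line on the Watch flow; rewrite PORT for source NAT."""
        m = PORT_RE.match(line)
        if not m:
            return line                           # not a command the ALG cares about
        ip, port = decode_hostport(m.groups())
        if ip != self.client_private:
            # FTP bounce: never open a hole toward a host the client merely names.
            raise ValueError(f"PORT names {ip}, not the connection's client {self.client_private}")
        pub_port = self._allocate_port()
        self.bindings.append(((ip, port), (self.client_public, pub_port)))
        # Active mode: the server connects from port 20 to the translated endpoint.
        self.pinholes.append(("TCP", self.server, 20, self.client_public, pub_port))
        return f"PORT {encode_hostport(self.client_public, pub_port)}\r\n"

    def server_to_client(self, line: str) -> str:
        """Inspect a server reply. A 227 (passive) reply needs a pinhole but, under
        source NAT only, no rewrite, because it carries the server's own address."""
        m = PASV_RE.match(line)
        if not m:
            return line
        ip, port = decode_hostport(m.groups())
        if ip != self.server:
            raise ValueError(f"227 names {ip}, not the server {self.server}")
        self.pinholes.append(("TCP", self.client_public, None, self.server, port))
        return line


# Constructed control-channel exchange for the addresses in the sample output above.
CLIENT_LINES = ["USER anonymous\r\n", "PORT 1,1,79,2,55,24\r\n", "LIST\r\n", "PASV\r\n"]
SERVER_LINES = ["227 Entering Passive Mode (2,2,2,2,78,80)\r\n"]


def run_sample() -> FtpAlg:
    alg = FtpAlg("1.1.79.2", "194.250.1.237", "2.2.2.2")
    for line in CLIENT_LINES:
        alg.client_to_server(line)
    for line in SERVER_LINES:
        alg.server_to_client(line)
    return alg


if __name__ == "__main__":
    alg = run_sample()
    print("bindings:", alg.bindings)
    for hole in alg.pinholes:
        print("pinhole:", hole)
```

The PORT line 1,1,79,2,55,24 encodes 1.1.79.2 port 14104, the client-side data port of the sample output; after the rewrite the server sees 194,250,1,237,195,199, that is 194.250.1.237 port 50119, which is the translated port on the NAT line of the data flow.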

Troubleshooting Questions
1. How do I know if the FTP ALG is active?
• The ALG protocol field in the conversation should display ftp.
• There should be a valid frame count (Frm count) in the control flows.
• A valid frame count in the data flows indicates that data transfer has taken place.
2. What do I need to check if the FTP connection is established but data transfer does not take place?
• Most probably, the control connection is up, but the data connection is down.
• Check the conversations output to determine whether both the control and data flows are present.
3. How do I interpret each flow? What does each flow mean?
• FTP control flow initiator flow—Flow with destination port 21
• FTP control flow responder flow—Flow with source port 21
• FTP data flow initiator flow—Flow with destination port 20
• FTP data flow responder flow—Flow with source port 20


RTSP ALG Example
The following is an example of an RTSP conversation. The application uses the RTSP protocol for control connection. Once the connection is set up, the media is sent using UDP protocol (RTP). This example consists of the following:
• Sample Output on page 91
• Analysis on page 91
• Troubleshooting Questions on page 91

Sample Output
Here is the output from the show services stateful-firewall conversations operational mode command:
user@host> show services stateful-firewall conversations
Interface: ms-3/2/0, Service set: svc_set
Conversation: ALG protocol: rtsp
  Number of initiators: 5, Number of responders: 5
Flow                                      State    Dir   Frm count
TCP 1.1.1.3:58795 -> 2.2.2.2:554          Watch    I         7
UDP 1.1.1.3:1028 -> 2.2.2.2:1028          Forward  I         0
UDP 1.1.1.3:1029 -> 2.2.2.2:1029          Forward  I         0
UDP 1.1.1.3:1030 -> 2.2.2.2:1030          Forward  I         0
UDP 1.1.1.3:1031 -> 2.2.2.2:1031          Forward  I         0
TCP 2.2.2.2:554 -> 1.1.1.3:58795          Watch    O         5
UDP 2.2.2.2:1028 -> 1.1.1.3:1028          Forward  O         6
UDP 2.2.2.2:1029 -> 1.1.1.3:1029          Forward  O         0
UDP 2.2.2.2:1030 -> 1.1.1.3:1030          Forward  O         3
UDP 2.2.2.2:1031 -> 1.1.1.3:1031          Forward  O         0

Analysis
An RTSP conversation should consist of TCP flows corresponding to the RTSP control connection. There should be two flows, one in each direction, from client to server and from server to client:
TCP 1.1.1.3:58795 -> 2.2.2.2:554          Watch    I         7
TCP 2.2.2.2:554 -> 1.1.1.3:58795          Watch    O         5
• The RTSP control connection for the initiator flow is sent to destination port 554.
• The RTSP control connection for the responder flow is sent from source port 554.
The UDP flows correspond to the RTP media negotiated over the RTSP connection. The ALG creates them dynamically from the port numbers carried in the SETUP exchange, so they appear only after the control connection has been inspected, and a zero frame count on some of them simply means that no packets have yet been sent on that stream.

Troubleshooting Questions
1. Media does not work when the RTSP ALG is configured. What do I do?
• Check RTSP conversations to see whether both TCP and UDP flows exist.
• The ALG protocol should be displayed as rtsp.


NOTE: The state of the flow is displayed as Watch because ALG processing is taking place: the ALG is essentially “watching”, that is, inspecting, the payload that belongs to the application. For FTP and RTSP ALG flows, the control connections are always Watch flows.

2. How do I check for ALG errors?

You can check for errors by issuing the following command. Each ALG has a separate field for ALG packet errors. In the sample output, all the ALG counters are zero and the 276 TCP errors are fully accounted for by the SYN attack counter, so they are a flow-level condition rather than an ALG problem.
user@host> show services stateful-firewall statistics extensive
Interface: ms-3/2/0
  Service set: svc_set
    New flows:
      Accepts: 1347, Discards: 0, Rejects: 0
    Existing flows:
      Accepts: 144187, Discards: 0, Rejects: 0
    Drops:
      IP option: 0, TCP SYN defense: 0
      NAT ports exhausted: 0
    Errors:
      IP: 0, TCP: 276
      UDP: 0, ICMP: 0
      Non-IP packets: 0, ALG: 0
    IP errors:
      IP packet length inconsistencies: 0
      Minimum IP header length check failures: 0
      Reassembled packet exceeds maximum IP length: 0
      Illegal source address: 0
      Illegal destination address: 0
      TTL zero errors: 0, Illegal IP protocol number (0 or 255): 0
      Land attack: 0
      Non-IPv4 packets: 0, Bad checksum: 0
      Illegal IP fragment length: 0
      IP fragment overlap: 0
      IP fragment reassembly timeout: 0
      Unknown: 0
    TCP errors:
      TCP header length inconsistencies: 0
      Source or destination port number is zero: 0
      Illegal sequence number and flags combinations: 0
      SYN attack (multiple SYN messages seen for the same flow): 276
      First packet not a SYN message: 0
      TCP port scan (TCP handshake, RST seen from server for SYN): 0
      Bad SYN cookie response: 0
    UDP errors:
      IP data length less than minimum UDP header length (8 bytes): 0
      Source or destination port number is zero: 0
      UDP port scan (ICMP error seen for UDP flow): 0
    ICMP errors:
      IP data length less than minimum ICMP header length (8 bytes): 0
      ICMP error length inconsistencies: 0
      Duplicate ping sequence number: 0
      Mismatched ping sequence number: 0
    ALG errors:
      BOOTP: 0, DCE-RPC: 0, DCE-RPC portmap: 0
      DNS: 0, Exec: 0, FTP: 0
      ICMP: 0
      Login: 0, NetBIOS: 0, NetShow: 0
      RPC: 0, RPC portmap: 0
      RTSP: 0, Shell: 0
      SNMP: 0, SQLNet: 0, TFTP: 0
      Traceroute: 0

System Log Messages
Enabling system log generation and checking the system log are also helpful for ALG flow analysis. This section contains the following:
• System Log Configuration on page 93
• System Log Output on page 94

System Log Configuration
You can configure the enabling of system log messages at a number of different levels in the Junos OS CLI. As shown in the following sample configurations, the choice of level depends on how specific you want the event logging to be and what options you want to include. For details on the configuration options, see the Junos OS System Basics Configuration Guide (system level) or the Junos OS Services Interfaces Configuration Guide (all other levels).
1. At the topmost global level:
   user@host# show system syslog
   file messages {
       any any;
   }
2. At the service set level:
   user@host# show services service-set svc_set
   syslog {
       host local {
           services any;
       }
   }
   stateful-firewall-rules allow_rtsp;
   interface-service {
       service-interface ms-3/2/0;
   }
3. At the service rule level:
   user@host# show services stateful-firewall rule allow_rtsp
   match-direction input-output;
   term 0 {
       from {
           applications junos-rtsp;
       }
       then {
           accept;
           syslog;
       }
   }

System Log Output
System log messages are generated during flow creation, as shown in the following example. This message indicates that the ASP matched an accept rule:
Oct 25 16:11:37 (FPC Slot 3, PIC Slot 2) {svc_set}[FWNAT]: ASP_SFW_RULE_ACCEPT: proto 6 (TCP) application: rtsp, ge-2/0/1.0:1.1.1.2:35595 -> 2.2.2.2:554, Match SFW accept rule-set: , rule: allow_rtsp, term: 0

For a complete listing of system log messages, see the Junos OS System Log Messages Reference.
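The ASP_SFW_* messages have a fixed shape (timestamp, FPC and PIC slot, service set, process, event name, protocol, application, interface and 5-tuple, free text), which makes them straightforward to parse and correlate. The following Python example is added for that purpose; it is not Juniper code and not part of this guide. It parses lines of the form shown above and in the FTP example earlier in this chapter, then applies one check worth running on a NAT/ALG log: every dynamically created data flow (ASP_SFW_FTP_ACTIVE_ACCEPT in the sample) should belong to a control conversation that a rule accepted, and a data flow toward a host that never had a control flow would indicate a pinhole opened for a third party. The sample lines are copied from the messages in this chapter plus one constructed orphan line (the last) for the check to catch; the field names are the example's own.

```python
"""Parse and correlate ASP_SFW_* stateful-firewall syslog lines (added example)."""
from __future__ import annotations

import re
from typing import Optional

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) "
    r"\(FPC Slot (?P<fpc>\d+), PIC Slot (?P<pic>\d+)\) "
    r"\{(?P<service_set>[^}]+)\}\[(?P<proc>\w+)\]: "
    r"(?P<event>ASP_SFW_\w+): proto (?P<proto>\d+) \((?P<proto_name>\w+)\) "
    r"application: (?P<app>[\w-]+), "
    r"(?P<ifl>\S+?):(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+), (?P<detail>.*)$"
)
RULE_RE = re.compile(r"rule-set:\s*(?P<rule_set>\S*),\s*rule: (?P<rule>\S+), term: (?P<term>\S+)")

# Messages from this chapter plus one constructed line (the last) with no control conversation.
SAMPLE_LINES = [
    "Oct 27 11:42:54 (FPC Slot 1, PIC Slot 1) {ss_ftp}[FWNAT]: ASP_SFW_RULE_ACCEPT: proto 6 (TCP) "
    "application: ftp, fe-3/3/3.0:1.1.1.2:4450 -> 2.2.2.2:21, Match SFW accept rule-set:, rule: ftp, term: 1",
    "Oct 27 11:42:54 (FPC Slot 1, PIC Slot 1) {ss_ftp}[FWNAT]: ASP_SFW_CREATE_ACCEPT_FLOW: proto 6 (TCP) "
    "application: ftp, fe-3/3/3.0:1.1.1.2:4450 -> 2.2.2.2:21, creating forward or watch flow",
    "Oct 27 11:43:30 (FPC Slot 1, PIC Slot 1) {ss_ftp}[FWNAT]: ASP_SFW_FTP_ACTIVE_ACCEPT: proto 6 (TCP) "
    "application: ftp, so-2/1/2.0:2.2.2.2:20 -> 1.1.1.2:50726, Creating FTP active mode forward flow",
    "Oct 25 16:11:37 (FPC Slot 3, PIC Slot 2) {svc_set}[FWNAT]: ASP_SFW_RULE_ACCEPT: proto 6 (TCP) "
    "application: rtsp, ge-2/0/1.0:1.1.1.2:35595 -> 2.2.2.2:554, Match SFW accept rule-set: , rule: allow_rtsp, term: 0",
    "Oct 27 11:44:02 (FPC Slot 1, PIC Slot 1) {ss_ftp}[FWNAT]: ASP_SFW_FTP_ACTIVE_ACCEPT: proto 6 (TCP) "
    "application: ftp, so-2/1/2.0:2.2.2.2:20 -> 1.1.1.9:50726, Creating FTP active mode forward flow",
]

DYNAMIC_FLOW_EVENTS = {"ASP_SFW_FTP_ACTIVE_ACCEPT"}   # data-flow events shown in this chapter


def parse_line(line: str) -> Optional[dict]:
    """Return the message fields as a dict (ports and proto as int), or None if not ASP_SFW_*."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"], rec["proto"] = int(rec["sport"]), int(rec["dport"]), int(rec["proto"])
    r = RULE_RE.search(rec["detail"])
    if r:
        rec.update(r.groupdict())            # rule_set, rule, term when the message carries them
    return rec


def correlate(lines) -> dict:
    """Tie dynamic data flows back to an accepted control conversation.

    A control conversation is keyed (client, server, application) from RULE_ACCEPT.
    An active-mode FTP data flow runs server:20 -> client:port, so its (dst, src, app)
    must match a control conversation; anything else is reported as an orphan."""
    records = [r for r in map(parse_line, lines) if r]
    controls = {(r["src"], r["dst"], r["app"]) for r in records if r["event"] == "ASP_SFW_RULE_ACCEPT"}
    orphans = [r for r in records
               if r["event"] in DYNAMIC_FLOW_EVENTS and (r["dst"], r["src"], r["app"]) not in controls]
    return {"records": records, "controls": controls, "orphans": orphans}


if __name__ == "__main__":
    result = correlate(SAMPLE_LINES)
    for r in result["orphans"]:
        print(f"{r['ts']} orphan {r['app']} data flow {r['src']}:{r['sport']} -> {r['dst']}:{r['dport']}")
```

Because the rule-set name is empty in the messages shown in this chapter, RULE_RE accepts an empty value there; on a log where the stateful firewall rule sets are named, the rule_set field is filled in as well.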

Junos Default Groups
The Junos OS provides a default, hidden configuration group called junos-defaults that is automatically applied to the configuration of your router. The junos-defaults group contains preconfigured statements that contain predefined values for common applications. Some of the statements must be referenced to take effect, such as applications like FTP or Telnet. Other statements are applied automatically, such as terminal settings. All of the preconfigured statements begin with the reserved name junos-.

NOTE: You can override the Junos default configuration values, but you cannot delete or edit them. If you delete a configuration, the defaults return when a new configuration is added. You cannot use the apply-groups statement with the Junos defaults group.

To view the full set of available preset statements from the Junos default group, issue the show groups junos-defaults configuration mode command. The following example displays a partial list of Junos default groups that use application protocols (ALGs).
user@host# show groups junos-defaults
... output for other groups defined at the [edit groups junos-defaults] hierarchy level ...
applications {
    # File Transfer Protocol
    application junos-ftp {
        application-protocol ftp;
        protocol tcp;
        destination-port 21;
    }
    # Trivial File Transfer Protocol
    application junos-tftp {
        application-protocol tftp;
        protocol udp;
        destination-port 69;
    }
    # RPC port mapper on TCP
    application junos-rpc-portmap-tcp {
        application-protocol rpc-portmap;
        protocol tcp;
        destination-port 111;
    }
    # RPC port mapper on UDP
    application junos-rpc-portmap-udp {
        application-protocol rpc-portmap;
        protocol udp;
        destination-port 111;
    }
    # IP Protocol
    application junos-ip {
        application-protocol ip;
    }
    # remote exec
    application junos-rexec {
        application-protocol exec;
        protocol tcp;
        destination-port 512;
    }
    # remote login
    application junos-rlogin {
        application-protocol login;
        protocol tcp;
        destination-port 513;
    }
    # remote shell
    application junos-rsh {
        application-protocol shell;
        protocol tcp;
        destination-port 514;
    }
    # Real-Time Streaming Protocol
    application junos-rtsp {
        application-protocol rtsp;
        protocol tcp;
        destination-port 554;
    }
    # Oracle SQL servers use this protocol to execute SQL commands
    # from clients, load balance, use application-specific servers, and so on.
    application junos-sqlnet {
        application-protocol sqlnet;
        protocol tcp;
        destination-port 1521;
    }
    # H.323 Protocol for audio/video conferencing
        protocol tcp;
        destination-port 1720;
    }
    # Internet Inter-ORB Protocol is used for CORBA applications.
    # The ORB protocol in Java virtual machine uses port 1975 as a default.
        protocol tcp;
        destination-port 1975;
    }
    # Internet Inter-ORB Protocol is used for CORBA applications.
    # ORBIX is a CORBA framework from Iona Technologies that uses
    # port 3075 as a default.
        protocol tcp;
        destination-port 3075;
    }
    # This was the original RealPlayer protocol.
    # RTSP is more widely used by RealPlayer,
        protocol tcp;
        destination-port 7070;
    }
    # Traceroute application
    application junos-traceroute {
        application-protocol traceroute;
        protocol udp;
        destination-port 33435-33450;
        ttl-threshold 30;
    }
    # Traceroute application that stops at device supporting firewall
    # (packets with ttl > 1 will be discarded).
    application junos-traceroute-ttl-1 {
        application-protocol traceroute;
        protocol udp;
        destination-port 33435-33450;
        ttl-threshold 1;
    }
    # The full range of known RPC programs using UDP.
    # Specific program numbers are assigned to certain applications.
    application junos-rpc-services-udp {
        application-protocol rpc;
        protocol udp;
        rpc-program-number 100001-400000;
    }
    # The full range of known RPC programs using TCP.
    # Specific program numbers are assigned to certain applications.
    application junos-rpc-services-tcp {
        application-protocol rpc;
        protocol tcp;
        rpc-program-number 100001-400000;
    }
    # All ICMP traffic
    # This can be made more restrictive by specifying ICMP type and code.
    application junos-icmp-all {
        application-protocol icmp;
    }
    # ICMP ping; the echo reply is allowed upon return.
    application junos-icmp-ping {
        application-protocol icmp;
        icmp-type echo-request;
    }
    # Protocol used by Windows Media Server and Windows Media Player
    application junos-netshow {
        application-protocol netshow;
        protocol tcp;
        destination-port 1755;
    }
    # NetBIOS, the networking protocol used on Windows networks;
    # includes name service port, both UDP and TCP.
    application junos-netbios-name-udp {
        application-protocol netbios;
        protocol udp;
        destination-port 137;
    }
    application junos-netbios-name-tcp {
        protocol tcp;
        destination-port 137;
    }
    # NetBIOS, the networking protocol used on Windows networks;
    # includes datagram service port.
    application junos-netbios-datagram {
        application-protocol netbios;
        protocol udp;
        destination-port 138;
    }
    # NetBIOS, the networking protocol used on Windows networks;
    # includes session service port.
    application junos-netbios-session {
        protocol tcp;
        destination-port 139;
    }
    # DCE-RPC port mapper on TCP
    application junos-dce-rpc-portmap {
        application-protocol dce-rpc-portmap;
        protocol tcp;
        destination-port 135;
    }
    # MS Exchange requires these three UUID values.
    application junos-dcerpc-endpoint-mapper-service {
        application-protocol dce-rpc;
        protocol tcp;
        uuid e1af8308-5d1f-11c9-91a4-08002b14a0fa;
    }
    application junos-ssh {
        protocol tcp;
        destination-port 22;
    }
    application junos-telnet {
        protocol tcp;
        destination-port 23;
    }
    application junos-smtp {
        protocol tcp;
        destination-port 25;
    }
    application junos-dns-udp {
        protocol udp;
        destination-port 53;
    }
    application junos-dns-tcp {
        protocol tcp;
        destination-port 53;
    }
    application junos-tacacs {
        protocol tcp;
        destination-port 49;
    }
    # TACACS Database Service
    application junos-tacacs-ds {
        protocol tcp;
        destination-port 65;
    }
    application junos-dhcp-client {
        protocol udp;
        destination-port 68;
    }
    application junos-dhcp-server {
        protocol udp;
        destination-port 67;
    }
    application junos-bootpc {
        protocol udp;
        destination-port 68;
    }
    application junos-bootps {
        protocol udp;
        destination-port 67;
    }
    application junos-http {
        protocol tcp;
        destination-port 80;
    }
    application junos-https {
        protocol tcp;
        destination-port 443;
    }
    # "junos-algs-outbound" defines a set of all applications
    # requiring an ALG. Useful for defining a rule for an untrusted
    # network to allow trusted network users to use all the
    # Junos-supported ALGs initiated from the trusted network.
    application-set junos-algs-outbound {
        application junos-ftp;
        application junos-tftp;
        application junos-rpc-portmap-tcp;
        application junos-rpc-portmap-udp;
        application junos-snmp-get;
        application junos-snmp-get-next;
        application junos-snmp-response;
        application junos-snmp-trap;
        application junos-rexec;
        application junos-rlogin;
        application junos-rsh;
        application junos-rtsp;
        application junos-sqlnet;
        application junos-traceroute;
        application junos-rpc-services-udp;
        application junos-rpc-services-tcp;
        application junos-icmp-all;
        application junos-netshow;
        application junos-netbios-name-udp;
        application junos-netbios-datagram;
        application junos-dce-rpc-portmap;
        application junos-dcerpc-msexchange-directory-rfr;
        application junos-dcerpc-msexchange-information-store;
        application junos-dcerpc-msexchange-directory-nsp;
    }
    # "junos-management-inbound" represents the group of applications
    # that might need access to the trusted network from the untrusted
    # network for management purposes.
    # The set is intended for a UI to display management choices.
    # NOTE: It is not recommended that you use the entire set directly in
    # a firewall rule and open up firewall to all of these
    # applications. Also, you should always specify the source
    # and destination prefixes when using each application.
    application-set junos-management-inbound {
        application junos-snmp-get;
        application junos-snmp-get-next;
        application junos-snmp-response;
        application junos-snmp-trap;
        application junos-ssh;
        application junos-telnet;
        application junos-http;
        application junos-https;
        application junos-xnm-ssl;
        application junos-xnm-clear-text;
        application junos-icmp-ping;
        application junos-traceroute-ttl-1;
    }
}
}
}

To reference statements available from the junos-defaults group, include the selected junos-default-name statement at the applicable hierarchy level. To configure application protocols, see “Configuring Application Protocol Properties” on page 72; for details about a specific protocol, see “ALG Descriptions” on page 81.

Examples: Referencing the Preset Statement from the Junos Default Group
The following example is a preset statement from the Junos default groups that is available for FTP in a stateful firewall:
[edit]
groups {
    junos-defaults {
        applications {
            application junos-ftp {
                # Use FTP default configuration
                application-protocol ftp;
                protocol tcp;
                destination-port 21;
            }
        }
    }
}

To reference a preset Junos default statement from the Junos default groups, include the junos-default-name statement at the applicable hierarchy level. For example, to reference the Junos default statement for FTP in a stateful firewall, include the junos-ftp statement at the [edit services stateful-firewall rule rule-name term term-name from applications] hierarchy level:
[edit]
services {
    stateful-firewall {
        rule my-rule {
            term my-term {
                from {
                    applications junos-ftp; # Reference predefined statement, junos-ftp
                }
            }
        }
    }
}

The following example shows configuration of the default Junos IP ALG:
[edit]
services {
    stateful-firewall {
        rule r1 {
            match-direction input;
            term t1 {
                from {
                    applications junos-ip;
                }
                then {
                    accept;
                    syslog;
                }
            }
        }
    }
}

If you configure the IP ALG in the stateful firewall rule, it is matched by any IP traffic, but if there is any other more specific application that matches the same traffic, the IP ALG will not be matched. For example, in the following configuration, both the ICMP ALG and the IP ALG are configured, but traffic is matched for ICMP packets, because it is the more specific match.
[edit]
services {
    stateful-firewall {
        rule r1 {
            match-direction input;
            term t1 {
                from {
                    applications [ junos-ip junos-icmp-all ];
                }
                then {
                    accept;
                    syslog;
                }
            }
        }
    }
}

Examples: Configuring Application Protocols
The following example shows an application protocol definition describing a special FTP application running on port 78:
[edit applications]
application my-ftp-app {
    application-protocol ftp;
    protocol tcp;
    destination-port 78;
    inactivity-timeout 100; # inactivity timeout for the FTP service, in seconds
}

The following example shows a special ICMP protocol (application-protocol icmp) of type 8 (ICMP echo):
[edit applications]
application icmp-app {
    application-protocol icmp;
    protocol icmp;
    icmp-type icmp-echo;
}

The following example shows a possible application set:
[edit applications]
application-set basic {
    application http;
    application ftp;
    application telnet;
    application nfs;
    application icmp;
}

The software includes a predefined set of well-known application protocols. The set includes applications for which the TCP and UDP destination ports are already recognized by stateless firewall filters.


CHAPTER 5

Summary of Applications Configuration Statements
The following sections explain each of the applications configuration statements. The statements are organized alphabetically.

application
Syntax
    application application-name {
        application-protocol protocol-name;
        destination-port port-number;
        icmp-code value;
        icmp-type value;
        inactivity-timeout value;
        protocol type;
        rpc-program-number number;
        snmp-command command;
        source-port port-number;
        ttl-threshold number;
        uuid hex-value;
    }
Hierarchy Level
    [edit applications],
    [edit applications application-set application-set-name]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Configure properties of an application and whether to include it in an application set.
Options
    application-name—Identifier of the application.
    The remaining statements are explained separately.
Usage Guidelines
    See “Configuring Application Protocol Properties” on page 72.
Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.


application-protocol
Syntax
    application-protocol protocol-name;
Hierarchy Level
    [edit applications application application-name]
Release Information
    Statement introduced before Junos OS Release 7.4.
    login option introduced in Junos OS Release 7.4.
    ip option introduced in Junos OS Release 8.2.
Description
    Identify the application protocol name. Application protocols are also called application layer gateways (ALGs).
Options
    protocol-name—Name of the protocol. The following protocols are supported:
    • bootp
    • dce-rpc
    • dce-rpc-portmap
    • dns
    • exec
    • ftp
    • icmp
    • ip
    • login
    • netbios
    • netshow
    • rpc
    • rpc-portmap
    • rtsp
    • shell
    • snmp
    • sqlnet
    • tftp
    • traceroute
Usage Guidelines
    See “Configuring an Application Protocol” on page 72.
Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.


application-set
Syntax
    application-set application-set-name {
        application application-name;
    }
Hierarchy Level
    [edit applications]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Configure one or more applications to include in an application set.
Options
    application-set-name—Identifier of an application set.
Usage Guidelines
    See “Configuring Application Sets” on page 81.
Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

applications
Syntax
    applications { ... }
Hierarchy Level
    [edit]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Define the applications used in services.
Usage Guidelines
    See Application Properties.
Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.


destination-port
Syntax
    destination-port port-value;
Hierarchy Level
    [edit applications application application-name]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) destination port number.
Options
    port-value—Identifier for the port. For a complete list, see “Configuring Source and Destination Ports” on page 77.
Usage Guidelines
    See “Configuring Source and Destination Ports” on page 77.
Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

icmp-code
Syntax
    icmp-code value;
Hierarchy Level
    [edit applications application application-name]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Internet Control Message Protocol (ICMP) code value.
Options
    value—The ICMP code value. For a complete list, see “Configuring the ICMP Code and Type” on page 75.
Usage Guidelines
    See “Configuring the ICMP Code and Type” on page 75.
Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.


icmp-type
Syntax
    icmp-type value;
Hierarchy Level
    [edit applications application application-name]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    ICMP packet type value.
Options
    value—The ICMP type value, such as echo or echo-reply. For a complete list, see “Configuring the ICMP Code and Type” on page 75.
Usage Guidelines
    See “Configuring the ICMP Code and Type” on page 75.
Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

inactivity-timeout
Syntax
    inactivity-timeout seconds;
Hierarchy Level
    [edit applications application application-name]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Inactivity timeout period, in seconds.
Options
    seconds—Length of time the application is inactive before it times out.
    Default: 30 seconds
Usage Guidelines
    See “Configuring the Inactivity Timeout Period” on page 80.
Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.


learn-sip-register

Syntax: learn-sip-register;
Hierarchy Level: [edit applications application application-name]
Release Information: Statement introduced in Junos OS Release 7.4.
Description: Activate SIP REGISTER learning so that potential incoming SIP calls can be accepted.
Usage Guidelines: See “Configuring SIP” on page 72.
Required Privilege Level: interface—To view this statement in the configuration. interface-control—To add this statement to the configuration.


protocol

Syntax: protocol type;
Hierarchy Level: [edit applications application application-name]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Networking protocol type or number.
Options: type—Networking protocol type. The following text values are supported:
    ah, egp, esp, gre, icmp, igmp, ipip, ospf, pim, rsvp, tcp, udp, vrrp

NOTE: IP version 6 (IPv6) is not supported as a network protocol in application definitions.

Usage Guidelines: See “Configuring the Network Protocol” on page 74.
Required Privilege Level: interface—To view this statement in the configuration. interface-control—To add this statement to the configuration.


rpc-program-number

Syntax: rpc-program-number number;
Hierarchy Level: [edit applications application application-name]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Remote procedure call (RPC) or Distributed Computing Environment (DCE) value.
Options: number—RPC or DCE program value. Range: 100,000 through 400,000.
Usage Guidelines: See “Configuring an RPC Program Number” on page 80.
Required Privilege Level: interface—To view this statement in the configuration. interface-control—To add this statement to the configuration.

sip-call-hold-timeout

Syntax: sip-call-hold-timeout seconds;
Hierarchy Level: [edit applications application application-name]
Release Information: Statement introduced in Junos OS Release 7.4.
Description: Timeout period for SIP calls placed on hold, in seconds.
Options: seconds—Length of time the application holds a SIP call open before it times out. Default: 7200 seconds. Range: 0 through 36,000 seconds (10 hours).
Usage Guidelines: See “Configuring SIP” on page 72.
Required Privilege Level: interface—To view this statement in the configuration. interface-control—To add this statement to the configuration.

snmp-command

Syntax: snmp-command command;
Hierarchy Level: [edit applications application application-name]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: SNMP command format.
Options: command—Supported commands are SNMP get, get-next, set, and trap.
Usage Guidelines: See “Configuring an SNMP Command for Packet Matching” on page 80.
Required Privilege Level: interface—To view this statement in the configuration. interface-control—To add this statement to the configuration.

source-port

Syntax: source-port port-value;
Hierarchy Level: [edit applications application application-name]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Source port identifier.
Options: port-value—Identifier for the port. For a complete list, see “Configuring Source and Destination Ports” on page 77.
Usage Guidelines: See “Configuring Source and Destination Ports” on page 77.
Required Privilege Level: interface—To view this statement in the configuration. interface-control—To add this statement to the configuration.

ttl-threshold

Syntax: ttl-threshold number;
Hierarchy Level: [edit applications application application-name]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Specify the traceroute time-to-live (TTL) threshold value. This value sets the acceptable level of network penetration for trace routing.
Options: number—TTL threshold value.
Usage Guidelines: See “Configuring the TTL Threshold” on page 80.
Required Privilege Level: interface—To view this statement in the configuration. interface-control—To add this statement to the configuration.

uuid

Syntax: uuid hex-value;
Hierarchy Level: [edit applications application application-name]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Specify the Universal Unique Identifier (UUID) for DCE RPC objects.
Options: hex-value—Hexadecimal value.
Usage Guidelines: See “Configuring a Universal Unique Identifier” on page 81.
Required Privilege Level: interface—To view this statement in the configuration. interface-control—To add this statement to the configuration.

CHAPTER 6
Stateful Firewall Services Configuration Guidelines

To configure stateful firewall services, include the stateful-firewall statement at the [edit services] hierarchy level:

    [edit services]
    stateful-firewall {
        rule rule-name {
            match-direction (input | output | input-output);
            term term-name {
                from {
                    application-sets set-name;
                    applications [ application-names ];
                    destination-address (address | any-unicast) <except>;
                    destination-address-range low minimum-value high maximum-value <except>;
                    destination-prefix-list list-name <except>;
                    source-address (address | any-unicast) <except>;
                    source-address-range low minimum-value high maximum-value <except>;
                    source-prefix-list list-name <except>;
                }
                then {
                    (accept | discard | reject);
                    allow-ip-options [ values ];
                    syslog;
                }
            }
        }
        rule-set rule-set-name {
            [ rule rule-names ];
        }
    }

This chapter contains the following sections:
• Configuring Stateful Firewall Rules on page 114
• Configuring Stateful Firewall Rule Sets on page 118
• Examples: Configuring Stateful Firewall Rules on page 118

Configuring Stateful Firewall Rules

To configure a stateful firewall rule, include the rule rule-name statement at the [edit services stateful-firewall] hierarchy level:

    [edit services stateful-firewall]
    rule rule-name {
        match-direction (input | output | input-output);
        term term-name {
            from {
                application-sets set-name;
                applications [ application-names ];
                destination-address (address | any-unicast) <except>;
                destination-address-range low minimum-value high maximum-value <except>;
                destination-prefix-list list-name <except>;
                source-address (address | any-unicast) <except>;
                source-address-range low minimum-value high maximum-value <except>;
                source-prefix-list list-name <except>;
            }
            then {
                (accept | discard | reject);
                allow-ip-options [ values ];
                syslog;
            }
        }
    }

Each stateful firewall rule consists of a set of terms, similar to a filter configured at the [edit firewall] hierarchy level. A term consists of the following:
• from statement—Specifies the match conditions and applications that are included and excluded.
• then statement—Specifies the actions and action modifiers to be performed by the router software.

The from statement is optional in stateful firewall rules. The then statement is mandatory in stateful firewall rules.

The following sections explain how to configure the components of stateful firewall rules:
• Configuring Match Direction for Stateful Firewall Rules on page 114
• Configuring Match Conditions in Stateful Firewall Rules on page 115
• Configuring Actions in Stateful Firewall Rules on page 116

Configuring Match Direction for Stateful Firewall Rules

Each rule must include a match-direction statement that specifies the direction in which the rule match is applied. To configure where the match is applied, include the match-direction statement at the [edit services stateful-firewall rule rule-name] hierarchy level:

    [edit services stateful-firewall rule rule-name]
    match-direction (input | output | input-output);

If you configure match-direction input-output, sessions initiated from both directions might match this rule.

The match direction is used with respect to the traffic flow through the AS or Multiservices PIC. When a packet is sent to the PIC, direction information is carried along with it.

With an interface service set, packet direction is determined by whether a packet is entering or leaving the interface on which the service set is applied.

With a next-hop service set, packet direction is determined by the interface used to route the packet to the AS or Multiservices PIC. If the inside interface is used to route the packet, the packet direction is input. If the outside interface is used to direct the packet to the PIC, the packet direction is output. For more information on inside and outside interfaces, see “Configuring Service Sets to be Applied to Services Interfaces” on page 568.

On the PIC, a flow lookup is performed. If no flow is found, rule processing is performed. Rules in this service set are considered in sequence until a match is found. During rule processing, the packet direction is compared against rule directions. Only rules with direction information that matches the packet direction are considered. Most packets result in the creation of bidirectional flows.

Configuring Match Conditions in Stateful Firewall Rules

To configure stateful firewall match conditions, include the from statement at the [edit services stateful-firewall rule rule-name term term-name] hierarchy level:

    [edit services stateful-firewall rule rule-name term term-name]
    from {
        application-sets set-name;
        applications [ application-names ];
        destination-address (address | any-unicast) <except>;
        destination-address-range low minimum-value high maximum-value <except>;
        destination-prefix-list list-name <except>;
        source-address (address | any-unicast) <except>;
        source-address-range low minimum-value high maximum-value <except>;
        source-prefix-list list-name <except>;
    }

You can use either the source address or the destination address as a match condition, in the same way that you would configure a firewall filter. The source address and destination address can be either IPv4 or IPv6. You can use the wildcard value any-unicast, which denotes matching all unicast addresses.

Alternatively, you can specify a list of source or destination prefixes by configuring the prefix-list statement at the [edit policy-options] hierarchy level and then including either the destination-prefix-list or the source-prefix-list statement in the stateful firewall rule. For an example, see “Examples: Configuring Stateful Firewall Rules” on page 118. For more information, see the Junos OS Routing Policy Configuration Guide.

If you omit the from term, the stateful firewall accepts all traffic and the default protocol handlers take effect:
• User Datagram Protocol (UDP), Transmission Control Protocol (TCP), and Internet Control Message Protocol (ICMP) create a bidirectional flow with a predicted reverse flow.
• IP creates a unidirectional flow.

You can also include application protocol definitions you have configured at the [edit applications] hierarchy level:
• To apply one or more specific application protocol definitions, include the applications statement at the [edit services stateful-firewall rule rule-name term term-name from] hierarchy level.
• To apply one or more sets of application protocol definitions you have defined, include the application-sets statement at the [edit services stateful-firewall rule rule-name term term-name from] hierarchy level.

NOTE: If you include one of the statements that specifies application protocols, the router derives port and protocol information from the corresponding configuration at the [edit applications] hierarchy level; you cannot specify these properties as match conditions. For more information, see “Configuring Application Protocol Properties” on page 72.

Configuring Actions in Stateful Firewall Rules

To configure stateful firewall actions, include the then statement at the [edit services stateful-firewall rule rule-name term term-name] hierarchy level:

    [edit services stateful-firewall rule rule-name term term-name]
    then {
        (accept | discard | reject);
        allow-ip-options [ values ];
        syslog;
    }

You must include one of the following three possible actions:
• accept—The packet is accepted and sent on to its destination.
• discard—The packet is not accepted and is not processed further.
• reject—The packet is not accepted and a rejection message is returned. UDP sends an ICMP unreachable code and TCP sends RST. Rejected packets can be logged or sampled.

You can optionally configure the firewall to record information in the system logging facility by including the syslog statement at the [edit services stateful-firewall rule rule-name term term-name then] hierarchy level. This statement overrides any syslog setting included in the service set or interface default configuration.

Configuring IP Option Handling

You can optionally configure the firewall to inspect IP header information by including the allow-ip-options statement at the [edit services stateful-firewall rule rule-name term term-name then] hierarchy level. When you configure this statement, all packets that match the criteria specified in the from statement are subjected to additional matching criteria. A packet is accepted only when all of its IP option types are configured as values in the allow-ip-options statement. If you do not configure allow-ip-options, only packets without IP header options are accepted.

The additional IP header option inspection applies only to the accept and reject stateful firewall actions. This configuration has no effect on the discard action. When the IP header inspection fails, the reject action has the same effect as discard; in this case, reject frames are not sent.

The IP option configuration appears only in the stateful firewall rules. Network Address Translation (NAT) and intrusion detection service (IDS) are applied in the same way as to packets without IP option headers. If an IP option packet is accepted by the stateful firewall, NAT applies to packets with or without IP options. When a packet is dropped because it fails the IP option inspection, this exception event generates both IDS event and system log messages. The event type depends on the first IP option field rejected.

Table 10 on page 117 lists the possible values for the allow-ip-options statement. You can include a range or set of numeric values, or one or more of the predefined IP option settings. You can enter either the option name or its numeric equivalent. The numeric value is the complete option-type octet as it appears in the packet (copied flag, 2-bit option class and 5-bit option number), not the bare option number: for example, loose-source-route is 131 (0x83), which is option number 3 with the copied flag set. For more information, refer to http://www.iana.org/assignments/ip-parameters.

Table 10: IP Option Values

    IP Option Name          Numeric Value   Comment
    any                     0               Any IP option
    ip-security             130             –
    ip-stream               136             –
    loose-source-route      131             –
    route-record            7               –
    router-alert            148             –
    strict-source-route     137             –
    timestamp               68              –
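The following is an added example, not Juniper code, that models the allow-ip-options semantics described above: it parses the option-type octets out of an IPv4 header, shows why Table 10's numbers are the full option-type octet (copied flag, class, number), and applies the rule that a packet passes only when every option it carries is listed, with no statement at all meaning that any option fails, and a failed inspection turning reject into a silent discard. The option names and values are Table 10's; the sample headers built by build_ipv4() are constructed test data, and the allow-value handling (names, octets, (low, high) ranges) is this example's own encoding of what the CLI accepts. One practitioner note: leaving allow-ip-options unconfigured is the safe default, since the options most often abused (loose-source-route, strict-source-route) let the sender dictate the forwarding path; allow only what a specific protocol needs, such as router-alert.

```python
"""IPv4 header option inspection, modelled on allow-ip-options semantics.
Added example, not Juniper code; packets built below are constructed data."""
import struct
from typing import Iterable, List, Optional, Set, Tuple, Union

# Table 10: predefined option names -> full option-type octet (copied flag,
# 2-bit class and 5-bit option number, exactly as sent on the wire).
IP_OPTION_VALUES = {
    "ip-security": 130, "ip-stream": 136, "loose-source-route": 131,
    "route-record": 7, "router-alert": 148, "strict-source-route": 137,
    "timestamp": 68,
}
AllowValue = Union[str, int, Tuple[int, int]]   # name | octet | (low, high)


def decode_option_type(octet: int) -> Tuple[int, int, int]:
    """Split an option-type octet into (copied, class, number).
    131 -> (1, 0, 3): copy-on-fragment set, control class, number 3."""
    return (octet >> 7) & 1, (octet >> 5) & 3, octet & 0x1F


def parse_ipv4_options(packet: bytes) -> List[int]:
    """Return the option-type octets carried in an IPv4 header, in order.
    Malformed headers or option lengths raise ValueError."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    opts, types, i = packet[20:ihl], [], 0
    while i < len(opts):
        t = opts[i]
        if t == 0:                      # end of option list
            break
        if t == 1:                      # no-operation (padding)
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option without length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        types.append(t)
        i += length
    return types


def _expand(allow: Iterable[AllowValue]) -> Tuple[bool, Set[int]]:
    """Expand configured values into (wildcard, allowed option-type octets)."""
    wildcard, allowed = False, set()
    for v in allow:
        if v == "any" or v == 0:
            wildcard = True
        elif isinstance(v, str):
            allowed.add(IP_OPTION_VALUES[v])   # KeyError for unknown names
        elif isinstance(v, tuple):
            allowed.update(range(v[0], v[1] + 1))
        else:
            allowed.add(int(v))
    return wildcard, allowed


def first_rejected_option(types: List[int],
                          allow: Optional[Iterable[AllowValue]] = None) -> Optional[int]:
    """First option the term does not permit, or None if all pass.
    allow=None models a term without allow-ip-options: any option fails.
    The rejected option is what the IDS/syslog event type reports."""
    if allow is None:
        return types[0] if types else None
    wildcard, allowed = _expand(allow)
    if wildcard:
        return None
    return next((t for t in types if t not in allowed), None)


def apply_action(packet: bytes, action: str,
                 allow: Optional[Iterable[AllowValue]] = None) -> str:
    """Outcome of a term action after option inspection: discard is
    unaffected; accept or reject that fails inspection becomes a silent
    discard (no reject frame is sent)."""
    if action == "discard":
        return "discard"
    if first_rejected_option(parse_ipv4_options(packet), allow) is None:
        return action
    return "discard"


def build_ipv4(options: bytes = b"") -> bytes:
    """Constructed minimal IPv4 header (no payload) carrying `options`,
    padded with end-of-list octets to a 32-bit boundary."""
    options += b"\x00" * ((-len(options)) % 4)
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options),
                         0, 0, 64, 17, 0, bytes([10, 1, 3, 2]), bytes([10, 2, 3, 2]))
    return header + options


ROUTER_ALERT = b"\x94\x04\x00\x00"                     # 148, len 4, value 0
LOOSE_SOURCE_ROUTE = b"\x83\x07\x04\xc0\x00\x02\x01"   # 131, len 7, ptr 4, hop 192.0.2.1

if __name__ == "__main__":
    pkt = build_ipv4(LOOSE_SOURCE_ROUTE + ROUTER_ALERT)
    print(parse_ipv4_options(pkt), decode_option_type(131))
    print(apply_action(pkt, "reject", ["router-alert"]))   # inspection fails: discard
```

Note that parse_ipv4_options() rejects inconsistent lengths rather than skipping them; a firewall that silently tolerated a bad option length would let an attacker hide a later option from the inspection.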

Then. } then { accept.1. Juniper Networks. processing continues to the next rule in the rule set. If a term in a rule matches the packet. you specify the order of the rules by including the rule-set statement at the [edit services stateful-firewall] hierarchy level with a rule statement for each rule: [edit services stateful-firewall] rule-set rule-set-name { rule rule-name. term 1 { from { application-sets Applications. If no term in a rule matches the packet. You define each rule by specifying a rule name and configuring terms. . } The router software processes the rules in the order in which you specify them in the configuration. If none of the rules matches the packet.4 Services Interfaces Configuration Guide Configuring Stateful Firewall Rule Sets The rule-set statement defines a collection of stateful firewall rules that determine what actions the router software performs on packets in the data stream. the router performs the corresponding action and the rule processing stops. } } } rule Rule2 { match-direction output.Junos 11. 118 Copyright © 2011.3. } } term accept { then { accept. Examples: Configuring Stateful Firewall Rules The following example show a stateful firewall configuration containing two rules. one for input matching on a specified application set and the other for output matching on a specified source address: [edit services] stateful-firewall { rule Rule1 { match-direction input.2/32. the packet is dropped by default. Inc. } } then { accept. term Local { from { source-address { 10.

The following example has a single rule with two terms. The first term rejects all traffic in my-application-group that originates from the specified source address, and provides a detailed system log record of the rejected packets. The second term accepts Hypertext Transfer Protocol (HTTP) traffic from anyone to the specified destination address.

    [edit services stateful-firewall]
    rule my-firewall-rule {
        match-direction input-output;
        term term1 {
            from {
                source-address 10.1.3.2/32;
                application-sets my-application-group;
            }
            then {
                reject;
                syslog;
            }
        }
        term term2 {
            from {
                destination-address 10.2.3.2/32;
                applications http;
            }
            then {
                accept;
            }
        }
    }

The following example shows use of source and destination prefix lists. This requires two separate configuration items. You configure the prefix list at the [edit policy-options] hierarchy level:

    [edit]
    policy-options {
        prefix-list p1 {
            1.1.1.1/32;
            2.2.2.0/24;
        }
        prefix-list p2 {
            3.3.3.3/32;
            4.4.4.0/24;
        }
    }

You reference the configured prefix list in the stateful firewall rule:

    [edit]
    services {
        stateful-firewall {
            rule r1 {
                match-direction input;
                term t1 {
                    from {
                        source-prefix-list {
                            p1;
                        }
                        destination-prefix-list {
                            p2;
                        }
                    }
                    then {
                        accept;
                    }
                }
            }
        }
    }

This is equivalent to the following configuration:

    [edit]
    services {
        stateful-firewall {
            rule r1 {
                match-direction input;
                term t1 {
                    from {
                        source-address {
                            1.1.1.1/32;
                            2.2.2.0/24;
                        }
                        destination-address {
                            3.3.3.3/32;
                            4.4.4.0/24;
                        }
                    }
                    then {
                        accept;
                    }
                }
            }
        }
    }

You can use the except qualifier with the prefix lists, as in the following example. In this case, the except qualifier applies to all prefixes included in prefix list p2.

    [edit]
    services {
        stateful-firewall {
            rule r1 {
                match-direction input;
                term t1 {
                    from {
                        source-prefix-list {
                            p1;
                        }
                        destination-prefix-list {
                            p2 except;
                        }
                    }
                    then {
                        accept;
                    }
                }
            }
        }
    }
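The following is an added example, not Juniper code, that models the rule-set processing described in “Configuring Stateful Firewall Rule Sets” and the match-direction filtering described earlier in this chapter: rules are tried in rule-set order, only rules whose match-direction covers the packet direction are considered, the first matching term decides the action, a rule with no matching term falls through, and a packet that matches no rule is dropped by default. The rule data mirrors the examples above (Rule1/Rule2, my-firewall-rule, and r1 with prefix lists p1 and p2, including the except qualifier); the application-to-protocol/port table, which stands in for the [edit applications] configuration, and the sample packets are constructed.

```python
"""First-match evaluation of a stateful firewall rule set.
Added example, not Juniper code; application table and packets are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for [edit applications]: name -> (protocol, destination port).
APPLICATIONS: Dict[str, Tuple[str, int]] = {
    "http": ("tcp", 80), "dns": ("udp", 53), "ssh": ("tcp", 22)}
APPLICATION_SETS = {"Applications": ["http", "dns"],
                    "my-application-group": ["http", "ssh"]}
# [edit policy-options] prefix lists from the example above.
PREFIX_LISTS = {"p1": ["1.1.1.1/32", "2.2.2.0/24"],
                "p2": ["3.3.3.3/32", "4.4.4.0/24"]}
AddrCond = Tuple[List[str], bool]   # (prefixes / prefix-list names / any-unicast, except)


@dataclass
class Packet:
    direction: str      # "input" or "output", assigned by the service set
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class From:
    """Match conditions of a term; every configured condition must hold."""
    applications: List[str] = field(default_factory=list)
    application_sets: List[str] = field(default_factory=list)
    source: Optional[AddrCond] = None
    destination: Optional[AddrCond] = None


@dataclass
class Term:
    name: str
    then: str                       # accept | discard | reject
    match: Optional[From] = None    # None: no from statement, matches everything
    syslog: bool = False


@dataclass
class Rule:
    name: str
    match_direction: str            # input | output | input-output
    terms: List[Term]


def addr_matches(addr: str, cond: AddrCond) -> bool:
    """Address, prefix, prefix-list or any-unicast match, honouring except."""
    prefixes, negate = cond
    ip = ipaddress.ip_address(addr)
    hit = False
    for p in prefixes:
        if p == "any-unicast":
            hit |= not ip.is_multicast
        else:
            nets = PREFIX_LISTS.get(p, [p])
            hit |= any(ip in ipaddress.ip_network(n, strict=False) for n in nets)
    return hit != negate


def term_matches(term: Term, pkt: Packet) -> bool:
    m = term.match
    if m is None:
        return True
    names = list(m.applications)
    for s in m.application_sets:
        names += APPLICATION_SETS[s]
    if names and not any(APPLICATIONS[n] == (pkt.proto, pkt.dport) for n in names):
        return False
    if m.source is not None and not addr_matches(pkt.src, m.source):
        return False
    if m.destination is not None and not addr_matches(pkt.dst, m.destination):
        return False
    return True


def evaluate(rule_set: List[Rule], pkt: Packet) -> Tuple[Optional[str], Optional[str], str, bool]:
    """Try rules in rule-set order, skipping rules whose match-direction does
    not cover the packet direction. The first matching term decides
    (rule, term, action, syslog); a rule with no matching term falls through;
    a packet matching no rule is discarded by default."""
    for rule in rule_set:
        if rule.match_direction not in (pkt.direction, "input-output"):
            continue
        for term in rule.terms:
            if term_matches(term, pkt):
                return rule.name, term.name, term.then, term.syslog
    return None, None, "discard", False


RULE1 = Rule("Rule1", "input", [
    Term("1", "accept", From(application_sets=["Applications"])),
    Term("accept", "accept"),                       # no from: catch-all
])
RULE2 = Rule("Rule2", "output", [
    Term("Local", "accept", From(source=(["10.1.3.0/24"], False))),
])
MY_FIREWALL_RULE = Rule("my-firewall-rule", "input-output", [
    Term("term1", "reject", From(source=(["10.1.3.2/32"], False),
                                 application_sets=["my-application-group"]), syslog=True),
    Term("term2", "accept", From(destination=(["10.2.3.2/32"], False),
                                 applications=["http"])),
])
R1 = Rule("r1", "input", [          # source in p1 and destination NOT in p2 (except)
    Term("t1", "accept", From(source=(["p1"], False), destination=(["p2"], True))),
])

if __name__ == "__main__":
    print(evaluate([RULE1, RULE2], Packet("output", "192.0.2.1", "10.9.9.9", "tcp", 80)))
```

The ordering matters in both directions: in my-firewall-rule, HTTP from 10.1.3.2 to 10.2.3.2 is rejected by term1 even though term2 would accept it, and in the first example an output packet from outside 10.1.3.0/24 matches no term of Rule2 and is dropped because Rule1 (match-direction input) is never consulted for output traffic.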

For additional examples that combine stateful firewall configuration with other services and with virtual private network (VPN) routing and forwarding (VRF) tables, see the configuration examples.

Related Documentation
• Example: BOOTP and Broadcast Addresses on page 70
• Example: NAT Between VRFs Configuration on page 67
• Example: Dynamic Source NAT as a Next-Hop Service on page 65
• Example: VPN Routing and Forwarding (VRF) and Service Configuration on page 64
• Example: Service Interfaces Configuration on page 61
• Example: Configuring the uKernel Service and the Services SDK on Two PICs


CHAPTER 7
Summary of Stateful Firewall Configuration Statements

The following sections explain each of the stateful firewall services statements. The statements are organized alphabetically.

allow-ip-options

Syntax: allow-ip-options [ values ];
Hierarchy Level: [edit services stateful-firewall rule rule-name term term-name then]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Configure how the stateful firewall handles IP header information. This statement is optional.
Options: value—Can be a set or range of numeric values, or one or more of the following predefined option types. You can enter either the option name or its numeric equivalent. The numeric value is the complete option-type octet (copied flag, class and option number) as listed in Table 10 on page 117; for example, loose-source-route is 131 (option number 3 with the copied flag set), not 3.

    Option Name             Numeric Value
    any                     0
    ip-security             130
    ip-stream               136
    loose-source-route      131
    route-record            7
    router-alert            148
    strict-source-route     137
    timestamp               68

Usage Guidelines: See “Configuring Actions in Stateful Firewall Rules” on page 116.
Required Privilege Level: interface—To view this statement in the configuration. interface-control—To add this statement to the configuration.

application-sets

Syntax: application-sets set-name;
Hierarchy Level: [edit services stateful-firewall rule rule-name term term-name from]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Define one or more target application sets.
Options: set-name—Name of the target application set.
Usage Guidelines: See “Configuring Match Conditions in Stateful Firewall Rules” on page 115.
Required Privilege Level: interface—To view this statement in the configuration. interface-control—To add this statement to the configuration.

applications

Syntax: applications [ application-names ];
Hierarchy Level: [edit services stateful-firewall rule rule-name term term-name from]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Define one or more applications to which the stateful firewall services apply.
Options: application-name—Name of the target application.
Usage Guidelines: See “Configuring Match Conditions in Stateful Firewall Rules” on page 115.
Required Privilege Level: interface—To view this statement in the configuration. interface-control—To add this statement to the configuration.

destination-address

Syntax: destination-address (address | any-unicast) <except>;
Hierarchy Level: [edit services stateful-firewall rule rule-name term term-name from]
Release Information: Statement introduced before Junos OS Release 7.4. any-unicast and except options introduced in Junos OS Release 7.5. address option enhanced to support IPv4 and IPv6 addresses in Junos OS Release 8.6.
Description: Specify the destination address for rule matching.
Options: address—Destination IPv4 or IPv6 address or prefix value. any-unicast—Match all unicast packets. except—(Optional) Exclude the specified address, prefix, or unicast packets from rule matching.
Usage Guidelines: See “Configuring Match Conditions in Stateful Firewall Rules” on page 115.
Required Privilege Level: interface—To view this statement in the configuration. interface-control—To add this statement to the configuration.

destination-address-range

Syntax: destination-address-range low minimum-value high maximum-value <except>;
Hierarchy Level: [edit services stateful-firewall rule rule-name term term-name from]
Release Information: Statement introduced in Junos OS Release 7.4. minimum-value and maximum-value options enhanced to support IPv4 and IPv6 addresses in Junos OS Release 8.6.
Description: Specify the destination address range for rule matching.
Options: minimum-value—Lower boundary for the IPv4 or IPv6 address range. maximum-value—Upper boundary for the IPv4 or IPv6 address range. except—(Optional) Exclude the specified address range from rule matching.
Usage Guidelines: See “Configuring Match Conditions in Stateful Firewall Rules” on page 115.
Required Privilege Level: interface—To view this statement in the configuration. interface-control—To add this statement to the configuration.

destination-prefix-list

Syntax: destination-prefix-list list-name <except>;
Hierarchy Level: [edit services stateful-firewall rule rule-name term term-name from]
Release Information: Statement introduced in Junos OS Release 8.2.
Description: Specify the destination prefix list for rule matching. You configure the prefix list by including the prefix-list statement at the [edit policy-options] hierarchy level.
Options: list-name—Destination prefix list. except—(Optional) Exclude the specified prefix list from rule matching.
Usage Guidelines: See “Configuring Match Conditions in Stateful Firewall Rules” on page 115.
Required Privilege Level: interface—To view this statement in the configuration. interface-control—To add this statement to the configuration.
Related Documentation: Junos OS Routing Policy Configuration Guide

from

Syntax:
    from {
        application-sets set-name;
        applications [ application-names ];
        destination-address (address | any-unicast) <except>;
        destination-address-range low minimum-value high maximum-value <except>;
        destination-prefix-list list-name <except>;
        source-address (address | any-unicast) <except>;
        source-address-range low minimum-value high maximum-value <except>;
        source-prefix-list list-name <except>;
    }
Hierarchy Level: [edit services stateful-firewall rule rule-name term term-name]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Specify input conditions for a stateful firewall term. For information on match conditions, see the description of firewall filter match conditions in the Junos OS Routing Policy Configuration Guide.
Options: The remaining statements are explained separately.
Usage Guidelines: See “Configuring Stateful Firewall Rules” on page 114.
Required Privilege Level: interface—To view this statement in the configuration. interface-control—To add this statement to the configuration.

match-direction

Syntax: match-direction (input | output | input-output);
Hierarchy Level: [edit services stateful-firewall rule rule-name]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Specify the direction in which the rule match is applied.
Options: input—Apply the rule match on the input side of the interface. output—Apply the rule match on the output side of the interface. input-output—Apply the rule match bidirectionally.
Usage Guidelines: See “Configuring Stateful Firewall Rules” on page 114.
Required Privilege Level: interface—To view this statement in the configuration. interface-control—To add this statement to the configuration.

rule

Syntax:
    rule rule-name {
        match-direction (input | output | input-output);
        term term-name {
            from {
                application-sets set-name;
                applications [ application-names ];
                destination-address (address | any-unicast) <except>;
                destination-address-range low minimum-value high maximum-value <except>;
                destination-prefix-list list-name <except>;
                source-address (address | any-unicast) <except>;
                source-address-range low minimum-value high maximum-value <except>;
                source-prefix-list list-name <except>;
            }
            then {
                (accept | discard | reject);
                allow-ip-options [ values ];
                syslog;
            }
        }
    }
Hierarchy Level: [edit services stateful-firewall], [edit services stateful-firewall rule-set rule-set-name]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Specify the rule the router uses when applying this service.
Options: rule-name—Identifier for the collection of terms that constitute this rule. The remaining statements are explained separately.
Usage Guidelines: See “Configuring Stateful Firewall Rules” on page 114.
Required Privilege Level: interface—To view this statement in the configuration. interface-control—To add this statement to the configuration.

rule-set

Syntax:
    rule-set rule-set-name {
        [ rule rule-names ];
    }
Hierarchy Level: [edit services stateful-firewall]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Specify the rule set the router uses when applying this service.
Options: rule-set-name—Identifier for the collection of rules that constitute this rule set. The remaining statement is explained separately.
Usage Guidelines: See “Configuring Stateful Firewall Rule Sets” on page 118.
Required Privilege Level: interface—To view this statement in the configuration. interface-control—To add this statement to the configuration.

services

Syntax:
    services stateful-firewall {
        ...
    }
Hierarchy Level: [edit]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Define the service rules to be applied to traffic.
Options: stateful-firewall—Identifies the stateful firewall set of rules statements.
Usage Guidelines: See “Stateful Firewall Services Configuration Guidelines” on page 113.
Required Privilege Level: interface—To view this statement in the configuration. interface-control—To add this statement to the configuration.

source-address

Syntax: source-address (address | any-unicast) <except>;
Hierarchy Level: [edit services stateful-firewall rule rule-name term term-name from]
Release Information: Statement introduced before Junos OS Release 7.4. any-unicast and except options introduced in Junos OS Release 7.5. address option enhanced to support IPv4 and IPv6 addresses in Junos OS Release 8.6.
Description: Source address for rule matching.
Options: address—Source IPv4 or IPv6 address or prefix value. any-unicast—Any unicast packet. except—(Optional) Exclude the specified address, prefix, or unicast packets from rule matching.
Usage Guidelines: See “Configuring Match Conditions in Stateful Firewall Rules” on page 115.
Required Privilege Level: interface—To view this statement in the configuration. interface-control—To add this statement to the configuration.

source-address-range

Syntax: source-address-range low minimum-value high maximum-value <except>;
Hierarchy Level: [edit services stateful-firewall rule rule-name term term-name from]
Release Information: Statement introduced in Junos OS Release 7.4. minimum-value and maximum-value options enhanced to support IPv4 and IPv6 addresses in Junos OS Release 8.6.
Description: Source address range for rule matching.
Options: minimum-value—Lower boundary for the IPv4 or IPv6 address range. maximum-value—Upper boundary for the IPv4 or IPv6 address range. except—(Optional) Exclude the specified address range from rule matching.
Usage Guidelines: See “Configuring Match Conditions in Stateful Firewall Rules” on page 115.
Required Privilege Level: interface—To view this statement in the configuration. interface-control—To add this statement to the configuration.

source-prefix-list

Syntax: source-prefix-list list-name <except>;
Hierarchy Level: [edit services stateful-firewall rule rule-name term term-name from]
Release Information: Statement introduced in Junos OS Release 8.2.
Description: Specify the source prefix list for rule matching. You configure the prefix list by including the prefix-list statement at the [edit policy-options] hierarchy level.
Options: list-name—Source prefix list. except—(Optional) Exclude the specified prefix list from rule matching.
Usage Guidelines: See “Configuring Match Conditions in Stateful Firewall Rules” on page 115.
Required Privilege Level: interface—To view this statement in the configuration. interface-control—To add this statement to the configuration.
Related Documentation: Junos OS Routing Policy Configuration Guide

syslog

Syntax: syslog;
Hierarchy Level: [edit services stateful-firewall rule rule-name term term-name then]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Enable system logging. The system log information from the Adaptive Services or Multiservices PIC is passed to the kernel for logging in the /var/log directory. This setting overrides any syslog statement setting included in the service set or interface default configuration.
Usage Guidelines: See “Configuring Actions in Stateful Firewall Rules” on page 116.
Required Privilege Level: interface—To view this statement in the configuration. interface-control—To add this statement to the configuration.

term

Syntax
    term term-name {
        from {
            application-sets set-name;
            applications [ application-names ];
            destination-address (address | any-unicast) <except>;
            destination-address-range low minimum-value high maximum-value <except>;
            destination-prefix-list list-name <except>;
            source-address (address | any-unicast) <except>;
            source-address-range low minimum-value high maximum-value <except>;
            source-prefix-list list-name <except>;
        }
        then {
            (accept | discard | reject);
            syslog;
        }
    }

Hierarchy Level
    [edit services stateful-firewall rule rule-name]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Define the stateful firewall term properties.

Options
    term-name—Identifier for the term.
    The remaining statements are explained separately.

Usage Guidelines
    See “Configuring Stateful Firewall Rules” on page 114.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

then

Syntax
    then {
        (accept | discard | reject);
        syslog;
    }

Hierarchy Level
    [edit services stateful-firewall rule rule-name term term-name]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Define the stateful firewall term actions. You can configure the router to accept, discard, or reject the targeted traffic. Rejected traffic can be logged or sampled. The other actions are optional.

Options
    accept—Accept the traffic and send it on to its destination.
    discard—Do not accept traffic or process it further.
    reject—Do not accept the traffic and return a rejection message.
    The remaining statement is explained separately.

Usage Guidelines
    See “Configuring Actions in Stateful Firewall Rules” on page 116.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • Junos OS Routing Policy Configuration Guide

CHAPTER 8

Stateful Firewall on the Embedded Junos OS Platform Configuration Guidelines

Until now, all services have run only on the Juniper microkernel software platform. However, starting with Junos OS Release 9.5, some services are deployed on the Embedded Junos software platform. This allows such services to be coupled with third-party applications. This chapter contains the following sections:
 • Loading the Stateful Firewall Plug-In on page 135
 • Configuring Memory for the Stateful Firewall Plug-In on page 137
 • Configuring rsh, rlogin, rexec for Stateful Firewall on page 137

Loading the Stateful Firewall Plug-In

As of Junos OS Release 9.5, the stateful firewall service has been implemented using the embedded Junos Application Framework (eJAF). The stateful firewall plug-in described in the following sections supports many of the features of the existing stateful firewall service that runs on the Juniper microkernel. Starting with Junos OS Release 9.5, a stateful firewall plug-in is provided as part of the jbundle package. To load this plug-in on the PIC, include the package jservices-sfw statement at the [edit chassis fpc slot-number pic slot-number adaptive-services service-package extension-provider] hierarchy level. For example:

    user@host# show chassis
    fpc 0 {
        pic 2 {
            adaptive-services {
                service-package {
                    extension-provider {
                        control-cores 1;
                        data-cores 7;
                        object-cache-size 512;
                        policy-db-size 64;
                        package jservices-sfw;   # Loads the stateful firewall plug-in.
                    }
                }
            }
        }
    }

You can load both the jservices-sfw package and a Junos SDK application package on the same PIC. The following example demonstrates the stateful firewall plug-in coexisting with a provider’s plug-in:

    [edit]
    services {
        service-set sset {
            stateful-firewall-rules rule1;
            interface-service {
                service-interface ms-0/0/0;
            }
            extension-service customer-plugin;
            service-order {
                forward-flow [ stateful-firewall customer-plugin ];
            }
        }
        stateful-firewall {
            rule rule1 {
                match-direction input-output;
                term term1 {
                    from {
                        source-address {
                            192.1.1.2/32;
                        }
                    }
                    then {
                        accept;
                        syslog;
                    }
                }
            }
            rule rule2 {
                match-direction input;
                term term1 {
                    from {
                        applications junos-ftp;
                    }
                    then {
                        reject;
                    }
                }
            }
        }
    }

The following stateful firewall operational commands support the ms- interface:
 • show services stateful-firewall flows—Display stateful firewall flow table entries.
 • show services stateful-firewall statistics—Display stateful firewall statistics. For this command, only rule and ALG statistics are given. In the extensive option, other statistics appear but do not populate correctly; those values are all zeroes.
 • clear services stateful-firewall flows—Remove established flows from the flow table.

The commands are described in the Junos OS System Basics and Services Command Reference.

The following limits, which are specific to the stateful firewall configuration, await additional review:
 • Maximum number of terms (with one rule per term) per service set: 1200
 • Maximum number of service sets per Multiservices PIC: 4000 (Juniper Networks M Series Multiservice Edge Routers and T Series Core Routers), 6000 (Juniper Networks MX Series 3D Universal Edge Routers and M120 Multiservice Edge Routers)
 • Maximum object cache size: 1280 MB (Multiservices 400 PICs and DPCs), 512 MB (Multiservices 100 PICs)
 • Maximum policy database size: Still to be determined.

Related Documentation
 • Configuring Memory for the Stateful Firewall Plug-In on page 137
 • extension-provider on page 142

Configuring Memory for the Stateful Firewall Plug-In

When configuring the stateful firewall internal plug-in, some questions remain regarding the upper limit to specify for the policy-db-size, object-cache-size, and forwarding-db-size statements when the application needs to use a large number of rules.

If the policy database is set too small, an error message is logged in the router message file even though the commit may appear to be successful. It is necessary to check the logs to make sure that no message file error is found to be sure that the stateful firewall commit was indeed successful. The remedial action is to increase the size of the policy database, causing the total memory required to approach the size of the object cache configured.

Related Documentation
 • extension-provider on page 142

Configuring rsh, rlogin, rexec for Stateful Firewall

Some implementations of the rsh, rlogin, rexec mechanism require the remote host to authenticate the request by opening a separate TCP session to port 113 on the client host. By default, the stateful firewall does not allow this authentication flow to go through. To open the authentication flow, include the applications junos-ident statement at the [edit services stateful-firewall rule rule-name term term-name from] hierarchy level:

    [edit]
    services {
        stateful-firewall {
            rule rule1 {
                term term1 {
                    from {
                        (source-address | destination-address);
                        applications junos-ident;
                    }

                    then {
                        accept;
                    }
                }
            }
        }
    }

To allow Kerberos-enabled rsh, rlogin, rexec through the stateful firewall, configure the following additional applications and include them in the stateful firewall terms:

    [edit]
    applications {
        application test-kerberos-kshell {
            protocol tcp;
            destination-port kshell;
        }
        application test-kerberos-klogin {
            protocol tcp;
            destination-port klogin;
        }
    }
    services {
        stateful-firewall {
            rule rule1 {
                term term1 {
                    from {
                        applications [ test-kerberos-klogin test-kerberos-kshell ];
                    }
                    then {
                        accept;
                    }
                }
            }
        }
    }

Related Documentation
 • Configuring Memory for the Stateful Firewall Plug-In on page 137

CHAPTER 9

Summary of Stateful Firewall on the Embedded Junos OS Platform Configuration Statements

The following sections explain stateful firewall statements used in SDK applications. The statements are organized alphabetically.

control-cores

Syntax
    control-cores control-number;

Hierarchy Level
    [edit chassis fpc slot-number pic pic-number adaptive-services service-package extension-provider]

Release Information
    Statement introduced in Junos OS Release 9.0.

Description
    Configure control cores. At least one core must be a control core. Any cores not configured as either control or data cores are treated as user cores. When the number of control cores is changed, the PIC reboots.

Options
    control-number—Number of control cores.
    Range: 1 through 8

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • data-cores on page 140

data-cores

Syntax
    data-cores data-number;

Hierarchy Level
    [edit chassis fpc slot-number pic pic-number adaptive-services service-package extension-provider]

Release Information
    Statement introduced in Junos OS Release 9.0.

Description
    Configure data cores. Although it is not mandatory to dedicate any cores as data cores, it is advisable, depending on the nature of the application, to dedicate a minimum of five as data cores to achieve good performance. Any cores not configured as either data or control cores are treated as user cores. When the number of data cores is changed, the PIC reboots.

Options
    data-number—Number of data cores.
    Range: 0 through 7

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • control-cores on page 139

data-flow-affinity

Syntax
    data-flow-affinity {
        hash-key (layer-3 | layer-4);
    }

Hierarchy Level
    [edit chassis fpc slot-number pic pic-number adaptive-services service-package extension-provider]

Release Information
    Statement introduced in Junos OS Release 9.5.

Description
    Enable flow affinity distribution for packets over data CPUs on the PIC. Once enabled, the default behavior distributing data packets changes from a round-robin distribution to a flow affinity distribution based on a hash distribution. Adding or deleting this statement causes the PIC to reboot.
    The statements are explained separately.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

destination

Syntax
    destination destination;

Hierarchy Level
    [edit chassis fpc slot-number pic pic-number adaptive-services service-package extension-provider syslog facility]

Release Information
    Statement introduced in Junos OS Release 10.1.

Description
    Configure where log messages go. By default, all messages go to the /var/log directory on the Routing Engine. Enhancements to the existing infrastructure make debugging on the Multiservices PIC easier by giving the user the option of redirecting log messages. When the syslog destination statement is configured to redirect the log messages, you can use the set system syslog command, a command available in the native Junos OS CLI, to override the syslog settings made on the Multiservices PIC.

Options
    destination—Choose one of the following options:
    • routing-engine—Forward log messages to the Routing Engine.
    • pic-console—Forward log messages to the console of the PIC.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • extension-provider on page 142

extension-provider

Syntax
    extension-provider {
        control-cores control-number;
        data-cores data-number;
        data-flow-affinity {
            hash-key (layer-3 | layer-4);
        }
        forwarding-db-size size;
        object-cache-size size;
        package package-name;
        policy-db-size size;
        syslog {
            facility {
                severity;
                destination destination;
            }
        }
        wired-process-mem-size mem-size;
    }

Hierarchy Level
    [edit chassis fpc slot-number pic pic-number adaptive-services service-package]

Release Information
    Statement introduced in Junos OS Release 9.0.

Description
    Configure an application on a PIC. When the extension-provider statement is first configured, the PIC reboots.
    The statements are explained separately.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

forwarding-db-size

Syntax
    forwarding-db-size size;

Hierarchy Level
    [edit chassis fpc slot-number pic pic-number adaptive-services service-package extension-provider]

Release Information
    Statement introduced in Junos OS Release 9.2.

Description
    Configure the size of the forwarding database (FDB), in megabytes (MB). The size of the FDB and the size of the policy database together must be smaller than the size of the object cache. When this setting is changed, the PIC reboots.

    NOTE: You need to enable the forwarding-options sampling statement for the FDB to be created.

Options
    size—Size of the FDB.
    Range: 0 through 12879 MB

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • policy-db-size on page 146
    • wired-process-mem-size on page 148
    • object-cache-size on page 145

hash-key

Syntax
    hash-key (layer-3 | layer-4);

Hierarchy Level
    [edit chassis fpc slot-number pic pic-number adaptive-services service-package extension-provider data-flow-affinity]

Release Information
    Statement introduced in Junos OS Release 10.2.

Description
    Set the hashing distribution of flow affinity. Once the data-flow-affinity statement is enabled, you may need to choose the hashing distribution, layer-3 or layer-4. This is an optional setting. Modifying this statement causes the PIC to reboot.

Default
    If you do not configure the hash-key statement, the hashing distribution is 5-tuple hashing.

Options
    layer-3—3-tuple hashing (source IP address, destination IP address, and IP protocol).
    layer-4—5-tuple hashing (3-tuple plus source and destination TCP or UDP ports).

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • extension-provider on page 142

object-cache-size

Syntax
    object-cache-size value;

Hierarchy Level
    [edit chassis fpc slot-number pic pic-number adaptive-services service-package extension-provider]

Description
    Configure the size of the object cache. Only values in increments of 128 MB are allowed. When this setting is changed, the PIC reboots.

Options
    value—Amount of object cache, in MB.
    Range: For Multiservices 100 PIC, range is 128 MB through 512 MB. If the wired-process-mem-size statement at the same hierarchy level has a value of 512 MB, the maximum value for this statement is 128 MB.
    Range: For Multiservices 400 PIC, range is 128 MB through 1280 MB. If the wired-process-mem-size statement at the same hierarchy level has a value of 512 MB, the maximum value for this statement is 512 MB.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • forwarding-db-size on page 143
    • policy-db-size on page 146
    • wired-process-mem-size on page 148

package (Loading on PIC)

Syntax
    package package-name;

Hierarchy Level
    [edit chassis fpc slot-number pic pic-number adaptive-services service-package extension-provider]

Release Information
    Statement introduced in Junos OS Release 9.1.

Description
    Identify a package to be loaded on the PIC. There can be up to eight packages loaded on a PIC; however, only one data package is allowed per PIC. An error message is displayed if more than eight packages are specified. When a package is added or removed, the PIC reboots.

Options
    package-name—Name of the package to be loaded on the PIC.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

policy-db-size

Syntax
    policy-db-size size;

Hierarchy Level
    [edit chassis fpc slot-number pic pic-number adaptive-services service-package extension-provider]

Description
    Configure the size of the policy database, in megabytes (MB). The size of the forwarding database and the size of the policy database together must be smaller than the size of the object cache. When this setting is changed, the PIC reboots.

    NOTE: At least one data core must be configured to configure the size of the policy database.

Options
    size—Size of the policy database.
    Range: 0 through 1279 MB

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • forwarding-db-size on page 143
    • object-cache-size on page 145
    • wired-process-mem-size on page 148

syslog

Syntax
    syslog {
        facility {
            severity;
            destination destination;
        }
    }

Hierarchy Level
    [edit chassis fpc slot-number pic pic-number adaptive-services service-package extension-provider]

Release Information
    Statement introduced in Junos OS Release 9.5.
    Options daemon and kernel (for facility) introduced in Junos OS Release 9.2.

Description
    Enable PIC system logging to record or view system log messages on a specific PIC. The system log information is passed to the kernel for logging in the /var/log directory.

Options
    facility—Group of messages that are either generated by the same software process or concern a similar condition or activity. Possible values include the following: daemon, external, kernel, and pfe.
    severity—Classification of effect on functioning. Possible values are the following options:
    • any—Include all severity levels.
    • alert—Conditions that require immediate correction, such as a corrupted system database.
    • critical—Critical conditions, such as hard errors.
    • emergency—System panic or other condition that causes the routing platform to stop functioning.
    • error—Error conditions that generally have less serious consequences than errors in the emergency, alert, and critical levels.
    • info—Events or nonerror conditions of interest.
    • none—Disable logging of the associated facility to a destination.
    • notice—Conditions that are not errors but might warrant special handling.
    • warning—Conditions that warrant monitoring.
    The remaining statement is explained separately.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

wired-process-mem-size

Syntax
    wired-process-mem-size mem-size;

Hierarchy Level
    [edit chassis fpc slot-number pic pic-number adaptive-services service-package extension-provider]

Description
    Configure the size of the reserved wired process memory. The only size you can set for this statement is 512 MB. You can also configure object cache. If this setting is changed, the PIC reboots.

Options
    megabytes—Size of the reserved wired process memory, in MB.
    Default: 512 MB
    Range: 0 through 512 MB

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • forwarding-db-size on page 143
    • object-cache-size on page 145
    • policy-db-size on page 146
    • wired-process-mem-size on page 148
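The core and memory statements in this chapter constrain one another (core ranges, object cache increments and per-PIC limits, the policy database needing a data core, and forwarding-db-size plus policy-db-size having to fit under object-cache-size), and the previous chapter notes that an undersized policy database only shows up as a message-file error after an apparently successful commit. The following is an added example, not code from the Junos guide, that checks these stated constraints before a commit. The function name, the dictionary shape (statement name to value, in cores or MB) and the PIC type labels are constructed for the example; applying the wired-process-mem-size cap only when that statement is configured explicitly is an assumption.

```python
# Added example (not from the Junos guide): a pre-commit sanity check for the
# extension-provider core and memory settings summarized in this chapter. It
# encodes only constraints stated on these pages; the function name, the
# dictionary shape (statement name -> value in cores or MB) and the PIC type
# labels are constructed for the example. The wired-process-mem-size cap on
# object-cache-size is applied only when that statement is configured
# explicitly, which is an assumption.
from typing import Dict, List

# pic type -> (min object cache MB, max MB, max MB when wired-process-mem-size is 512)
OBJECT_CACHE_LIMITS = {
    "ms-100": (128, 512, 128),
    "ms-400": (128, 1280, 512),
}


def check_extension_provider(cfg: Dict[str, int], pic_type: str) -> List[str]:
    """Return a list of constraint violations (empty when the settings are consistent)."""
    problems: List[str] = []
    control = cfg.get("control-cores", 0)
    data = cfg.get("data-cores", 0)
    if not 1 <= control <= 8:
        problems.append("control-cores must be 1 through 8: at least one core must be a control core")
    if not 0 <= data <= 7:
        problems.append("data-cores must be 0 through 7")

    wired = cfg.get("wired-process-mem-size")
    if wired is not None and wired != 512:
        problems.append("wired-process-mem-size can only be set to 512 MB")

    cache = cfg.get("object-cache-size")
    if cache is not None:
        lo, hi, hi_when_wired = OBJECT_CACHE_LIMITS[pic_type]
        limit = hi_when_wired if wired == 512 else hi
        if cache % 128:
            problems.append("object-cache-size must be a multiple of 128 MB")
        if not lo <= cache <= limit:
            problems.append(f"object-cache-size must be {lo} through {limit} MB for {pic_type}")

    policy = cfg.get("policy-db-size")
    fdb = cfg.get("forwarding-db-size")
    if policy is not None:
        if not 0 <= policy <= 1279:
            problems.append("policy-db-size must be 0 through 1279 MB")
        if data < 1:
            problems.append("policy-db-size requires at least one data core")
    if fdb is not None and not 0 <= fdb <= 12879:
        problems.append("forwarding-db-size must be 0 through 12879 MB")
    # The FDB and the policy database together must leave room in the object cache.
    if cache is not None and (policy or 0) + (fdb or 0) >= cache:
        problems.append("forwarding-db-size plus policy-db-size must be smaller than object-cache-size")
    return problems


if __name__ == "__main__":
    # The plug-in loading example from Chapter 8: one control core, seven data
    # cores, a 512 MB object cache and a 64 MB policy database.
    print(check_extension_provider(
        {"control-cores": 1, "data-cores": 7, "object-cache-size": 512, "policy-db-size": 64},
        "ms-400"))
```

Run as a script it prints an empty list for the Chapter 8 settings; feeding it a candidate configuration with, for example, a policy database and no data cores, or an object cache that is not a multiple of 128 MB, returns one message per violated rule, which is cheaper than finding the error in the message file after the PIC has rebooted.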

CHAPTER 10

Carrier-Grade NAT Configuration Guidelines

To configure Network Address Translation (NAT) services, include the nat statement at the [edit services] hierarchy level:

    [edit services]
    nat {
        ipv6-multicast-interfaces (all | interface-name) {
            disable;
        }
        pool nat-pool-name {
            address ip-prefix</prefix-length>;
            address-range low minimum-value high maximum-value;
            mapping-timeout seconds;
            pgcp {
                hint [ hint-strings ];
                ports-per-session ports;
                remotely-controlled;
                transport [ transport-protocols ];
            }
            port (automatic | range low minimum-value high maximum-value) {
                preserve-parity;
                preserve-range;
                random-allocation;
                secured-port-block-allocation {
                    active-block-timeout timeout-seconds;
                    block-size block-size;
                    max-blocks-per-user max-blocks;
                }
            }
        }
        rule rule-name {
            match-direction (input | output);
            term term-name {
                from {
                    application-sets set-name;
                    applications [ application-names ];
                    destination-address (address | any-unicast) <except>;
                    destination-address-range low minimum-value high maximum-value <except>;
                    destination-prefix-list list-name <except>;

                    source-address (address | any-unicast) <except>;
                    source-address-range low minimum-value high maximum-value <except>;
                    source-prefix-list list-name <except>;
                }
                then {
                    no-translation;
                    syslog;
                    translated {
                        address-pooling paired;
                        destination-pool nat-pool-name;
                        destination-prefix destination-prefix;
                        dns-alg-pool dns-alg-pool;
                        dns-alg-prefix dns-alg-prefix;
                        filtering-type endpoint-independent;
                        mapping-type endpoint-independent;
                        overload-pool overload-pool-name;
                        overload-prefix overload-prefix;
                        source-pool nat-pool-name;
                        source-prefix source-prefix;
                        translation-type {
                            (basic-nat-pt | basic-nat44 | basic-nat66 | dnat-44 | dynamic-nat44 | napt-44 | napt-66 | napt-pt | stateful-nat64);
                        }
                        use-dns-map-for-destination-translation;
                    }
                }
            }
        }
        rule-set rule-set-name {
            [ rule rule-names ];
        }
    }

This chapter includes the following sections:
 • Configuring Addresses and Ports for Use in NAT Rules on page 151
 • Configuring NAT Rules on page 156
 • Configuring NAT Rule Sets on page 161
 • Configuring Static Source Translation in IPv4 Networks on page 162
 • Configuring Static Source Translation in IPv6 Networks on page 165
 • Configuring Dynamic Source Address and Port Translation in IPv4 Networks on page 168
 • Configuring Advanced Options for Dynamic Source Address and Port Translation in IPv4 Networks on page 170
 • Configuring Dynamic Source Address and Port Translation for IPv6 Networks on page 173
 • Configuring Dynamic Address-Only Source Translation in IPv4 Networks on page 174
 • Configuring Static Destination Address Translation in IPv4 Networks on page 177
 • Configuring Port Forwarding for Static Destination Address Translation on page 179
 • Configuring Translation Type for Translation Between IPv6 and IPv4 Networks on page 182
 • Configuring NAT-PT on page 187

 • Configuring Dynamic Source Address and Static Destination Address Translation (IPv6 to IPv4) on page 189
 • Configuring Port Forwarding for Static Destination Address Translation on page 190
 • Examples: Configuring NAT Rules on page 193
 • Example: NAT 44 CGN Configurations on page 223
 • Example: NAT Between VRFs Configuration on page 226
 • Example: Configuring Stateful NAT64 for Handling IPv4 Address Depletion on page 229

Configuring Addresses and Ports for Use in NAT Rules

For information about configuring translated addresses, address ranges, and ports used for Network Address Translation (NAT), see the following sections:
 • Configuring Pools of Addresses and Ports on page 151
 • Configuring Address Pools for Network Address Port Translation on page 152
 • Specifying Destination and Source Prefixes on page 155
 • Requirements for NAT Addresses on page 155

Configuring Pools of Addresses and Ports

You can use the pool statement to define the addresses (or prefixes), address ranges, and ports used for NAT. To configure the information, include the pool statement at the [edit services nat] hierarchy level:

    [edit services nat]
    pool nat-pool-name {
        address ip-prefix</prefix-length>;
        address-range low minimum-value high maximum-value;
        port (automatic | range low minimum-value high maximum-value) {
            preserve-parity;
            preserve-range;
        }
    }

To configure pools for traditional NAT, specify either a destination pool or a source pool. With static destination NAT, you can specify multiple IPv4 addresses (or prefixes) and IPv4 address ranges. However, the netmask or range for the from address must be smaller than or equal to the netmask or range for the destination pool address. Multiple destination NAT terms can share a destination NAT pool. With static source NAT and dynamic source NAT, you can also specify multiple address prefixes and address ranges in a single term. For constraints on specific translation types, see “Configuring Actions in NAT Rules” on page 159.

Up to 32 prefixes or address ranges (or a combination) can be supported within a single pool. If you define the pool to be larger than required, some addresses will not be used. For example, if you define the pool size as 100 addresses and the rule specifies only 80 addresses, the last 20 addresses in the pool are not used.

Configuring Address Pools for Network Address Port Translation

With Network Address Port Translation (NAPT), address ranges are limited to a maximum of 65,000 addresses, for a total of (65,000 x 65,535) or 4,259,775,000 flows. With source static NAT, you can configure up to 32 address ranges with up to 65,536 addresses each; there is no limit on the pool size for static source NAT. A dynamic NAT pool with no address port translation supports up to 65,535 addresses.

In an address range, the low value must be a lower number than the high value. When multiple address ranges and prefixes are configured, the prefixes are depleted first, followed by the address ranges. The prefixes and address ranges cannot overlap between separate pools.

The port statement specifies port assignment for the translated addresses. To configure automatic assignment of ports, include the port automatic statement at the [edit services nat pool nat-pool-name] hierarchy level. To configure a specific range of port numbers, include the port range low minimum-value high maximum-value statement at the [edit services nat pool nat-pool-name] hierarchy level.

When you specify a port for dynamic source NAT, if there is no available port in the range, the port allocation request fails, the session is not created, and the packet is dropped. The failure is reflected on counters and system logging, but no Internet Control Message Protocol (ICMP) message is generated. The exception is some application-level gateways (ALGs), such as hello, that have special zones.

Preserve Range and Preserve Parity

You can configure your carrier-grade NAT (CGN) to preserve the range or parity of the packet source port when it allocates a source port for an outbound connection.
 • Preserve range—RFC 4787, Network Address Translation (NAT) Behavioral Requirements for Unicast UDP, defines two ranges: 0 through 1023, and 1024 through 65,535. When the preserve-range knob is configured and the incoming port falls into one of these ranges, CGN allocates a port from that range only. If this knob is not configured, allocation is based on the configured port range without regard to the port range that contains the incoming port.
 • Preserve parity—When the preserve-parity knob is configured, CGN allocates a port with the same even or odd parity as the incoming port. If the incoming port number is odd or even, the outgoing port number should correspondingly be odd or even. If a port number of the desired parity is not available, the port allocation request fails and that session is not created.

You can configure the preserve parity and preserve range options under the NAT pool definition by including the preserve-range and preserve-parity configuration statements at the [edit services nat pool poolname port] hierarchy level.
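The preserve-range and preserve-parity rules above decide not only which translated port is chosen but also when a request fails outright, which is the case an operator has to plan the configured port range around. The following is an added example, not code from the Junos guide, that models those two rules on a configured port range and shows the failing cases (a session that is not created, counted rather than signalled with ICMP). The lowest-free-port choice, the class and its method names are constructed for the example; the real options are the preserve-range and preserve-parity statements under [edit services nat pool pool-name port].

```python
# Added example (not from the Junos guide): a model of the preserve-range and
# preserve-parity behaviour, so the cases in which port allocation fails (and
# the session is not created) can be seen on concrete ports. The lowest-free-
# port choice, the class and its names are constructed for the example.
from typing import Optional, Set

# The two ranges RFC 4787 defines and the preserve-range option honours.
WELL_KNOWN = range(0, 1024)
EPHEMERAL = range(1024, 65536)


def rfc4787_range(port: int) -> range:
    """The RFC 4787 range that contains the incoming port."""
    return WELL_KNOWN if port in WELL_KNOWN else EPHEMERAL


class NaptPortPool:
    def __init__(self, low: int, high: int, preserve_range: bool = False,
                 preserve_parity: bool = False):
        if low > high:
            raise ValueError("the low value must be lower than the high value")
        self.low, self.high = low, high
        self.preserve_range = preserve_range
        self.preserve_parity = preserve_parity
        self.in_use: Set[int] = set()
        self.failures = 0   # stands in for the counters and syslog records the text mentions

    def candidates(self, incoming_port: int) -> range:
        """Translated ports the configured options allow for this incoming port."""
        low, high = self.low, self.high
        if self.preserve_range:
            # Only ports from the RFC 4787 range that contains the incoming port;
            # if the configured range has none, the result is empty.
            r = rfc4787_range(incoming_port)
            low, high = max(low, r.start), min(high, r.stop - 1)
        step = 1
        if self.preserve_parity:
            # Same even/odd parity as the incoming port.
            if low % 2 != incoming_port % 2:
                low += 1
            step = 2
        return range(low, high + 1, step)

    def allocate(self, incoming_port: int) -> Optional[int]:
        """Return a translated port, or None when the request fails (packet dropped, no ICMP)."""
        for port in self.candidates(incoming_port):
            if port not in self.in_use:
                self.in_use.add(port)
                return port
        self.failures += 1
        return None

    def release(self, port: int) -> None:
        """Return a port to the pool when its session ends."""
        self.in_use.discard(port)


if __name__ == "__main__":
    # Constructed pool: a range that lies entirely above 1023, with preserve-range set.
    pool = NaptPortPool(2000, 2100, preserve_range=True)
    print(pool.allocate(80), pool.allocate(40000), pool.failures)
```

With preserve-range set, a pool whose configured port range lies entirely above 1023 can never serve a control session arriving from a well-known source port, so the check in the script fails for port 80 and succeeds for port 40000; with preserve-parity set, a single-port range serves only one parity. Those are the two configuration mistakes the model makes visible.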

The Junos OS provides several alternatives for allocating ports:
 • Round-Robin Allocation on page 153
 • Port Block Allocation on page 153
 • Sequential on page 154
 • Additional Options for NAPT on page 154

Round-Robin Allocation

To configure round-robin allocation for NAT pools, include the address-allocation round-robin configuration statement at the [edit services nat pool pool-name] hierarchy level. When you use round-robin allocation, one port is allocated from each address in a range before repeating the process for each address in the next range. After ports have been allocated for all addresses in the last range, the allocation process wraps around and allocates the next unused port for addresses in the first range.
 • The first connection is allocated to the address:port 9.9.99.1:3333.
 • The second connection is allocated to the address:port 9.9.99.2:3333.
 • The third connection is allocated to the address:port 9.9.99.3:3333.
 • The fourth connection is allocated to the address:port 9.9.99.4:3333.
 • The fifth connection is allocated to the address:port 9.9.99.5:3333.
 • The sixth connection is allocated to the address:port 9.9.99.6:3333.
 • The seventh connection is allocated to the address:port 9.9.99.7:3333.
 • The eighth connection is allocated to the address:port 9.9.99.8:3333.
 • The ninth connection is allocated to the address:port 9.9.99.9:3333.
 • The tenth connection is allocated to the address:port 9.9.99.10:3333.
 • The eleventh connection is allocated to the address:port 9.9.99.11:3333.
 • The twelfth connection is allocated to the address:port 9.9.99.12:3333.
 • Wraparound occurs and the thirteenth connection is allocated to the address:port 9.9.99.1:3334.

Port Block Allocation

Carriers track their subscribers using the IP address (RADIUS or DHCP log). If they use CGN, an IP address is shared by multiple subscribers, and the carrier must track the IP address and port, which is part of the NAT log. Because ports are used and reused at a very high rate, tracking subscribers using the log becomes difficult due to the large number of messages, which are difficult to archive and correlate. By enabling the allocation of ports in blocks, port block allocation can significantly reduce the number of logs, making it easier to track subscribers. The most recently allocated block is the current active block. New requests for NAT ports are served from the active block. Ports are allocated randomly from the current active block.
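The round-robin list above, the port block allocation mechanism just described, and the legacy sequential order covered on the next page are three different address:port orders over the same kind of pool, and the difference matters for subscriber tracking: round-robin spreads successive connections across addresses, sequential keeps one address until its ports are exhausted, and port block allocation produces one log record per block rather than per port. The following is an added example, not code from the Junos guide, that models all three so the orders the text lists can be checked on concrete pools. The napt pool is the page's own example pool (shown with the sequential scheme on the next page); the twelve-address pool is constructed to match the round-robin sequence listed above, which assumes twelve consecutive addresses. Subscriber names, the block size, the block limit and the random seed are constructed; in Junos the real mechanism is configured with the secured-port-block-allocation statement and its block-size, max-blocks-per-user and active-block-timeout options, and this model does not free ports when sessions end or time out.

```python
# Added example (not from the Junos guide): a model of the three NAPT port
# allocation orders, round-robin, legacy sequential and port block allocation.
# NAPT_POOL is the guide's napt pool; TWELVE_POOL, the subscriber names, block
# size, block limit and seed are constructed for the example.
import ipaddress
import random
from itertools import islice
from typing import Dict, Iterator, List, Optional, Tuple

AddrRange = Tuple[str, str]   # (low, high) dotted IPv4 addresses, inclusive

NAPT_POOL: List[AddrRange] = [("9.9.99.1", "9.9.99.3"), ("9.9.99.4", "9.9.99.6"),
                              ("9.9.99.8", "9.9.99.10"), ("9.9.99.12", "9.9.99.13")]
TWELVE_POOL: List[AddrRange] = [("9.9.99.1", "9.9.99.6"), ("9.9.99.7", "9.9.99.12")]
PORT_LOW, PORT_HIGH = 3333, 3334


def expand(addr_range: AddrRange) -> List[str]:
    """All addresses of a range, low to high inclusive."""
    low = int(ipaddress.IPv4Address(addr_range[0]))
    high = int(ipaddress.IPv4Address(addr_range[1]))
    if low > high:
        raise ValueError("the low value must be lower than the high value")
    return [str(ipaddress.IPv4Address(a)) for a in range(low, high + 1)]


def sequential(ranges: List[AddrRange], port_low: int = PORT_LOW,
               port_high: int = PORT_HIGH) -> Iterator[str]:
    """Legacy order: use every port of an address before moving to the next address."""
    for addr_range in ranges:
        for addr in expand(addr_range):
            for port in range(port_low, port_high + 1):
                yield f"{addr}:{port}"


def round_robin(ranges: List[AddrRange], port_low: int = PORT_LOW,
                port_high: int = PORT_HIGH) -> Iterator[str]:
    """One port from each address, range by range, then wrap around to the next port."""
    for port in range(port_low, port_high + 1):
        for addr_range in ranges:
            for addr in expand(addr_range):
                yield f"{addr}:{port}"


def first(n: int, order: Iterator[str]) -> List[str]:
    """The first n address:port tuples of an allocation order."""
    return list(islice(order, n))


class PortBlockAllocator:
    """Ports are drawn randomly from the subscriber's active block; a log record
    is written only when a block is allocated, not for every port."""

    def __init__(self, port_low: int, port_high: int, block_size: int,
                 max_blocks_per_user: int, seed: int = 0):
        if (port_high - port_low + 1) % block_size:
            raise ValueError("the port range must be a whole number of blocks")
        self.block_size = block_size
        self.max_blocks_per_user = max_blocks_per_user
        self.free_blocks = list(range(port_low, port_high + 1, block_size))
        self.active: Dict[str, List[int]] = {}      # subscriber -> unused ports of its active block
        self.blocks_held: Dict[str, int] = {}
        self.log: List[Tuple[str, int, int]] = []   # (subscriber, block low, block high)
        self.rng = random.Random(seed)

    def allocate_port(self, subscriber: str) -> Optional[int]:
        free = self.active.get(subscriber)
        if not free:   # no active block yet, or the active block is used up
            held = self.blocks_held.get(subscriber, 0)
            if held >= self.max_blocks_per_user or not self.free_blocks:
                return None   # the request fails and the session is not created
            start = self.free_blocks.pop(0)
            self.blocks_held[subscriber] = held + 1
            free = self.active[subscriber] = list(range(start, start + self.block_size))
            self.log.append((subscriber, start, start + self.block_size - 1))
        return free.pop(self.rng.randrange(len(free)))


if __name__ == "__main__":
    print(first(13, round_robin(TWELVE_POOL)))
    print(first(4, sequential(NAPT_POOL)))
    pba = PortBlockAllocator(1024, 65535, block_size=64, max_blocks_per_user=2)
    ports = [pba.allocate_port("sub-A") for _ in range(100)]
    print(len(ports), "ports allocated,", len(pba.log), "log records:", pba.log)
```

Running the script reproduces the thirteen round-robin tuples listed above and the first four sequential tuples from the next page, and shows 100 subscriber sessions producing two block log records instead of 100 per-port records. Running round_robin over the guide's own napt pool wraps one connection earlier (after eleven addresses), which is why the lead-in notes the listed sequence assumes twelve consecutive addresses.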

To configure port block allocation, include the secured-port-block-allocation statement at the [edit services nat pool pool-name port] hierarchy level. You can then specify the following configurable options:
 • block-size
 • max-blocks-per-user
 • active-block-timeout

Sequential

With sequential allocation, the next available address in the NAT pool is selected only when all the ports available from an address are exhausted. The NAT pool called napt in the following configuration example uses the sequential implementation:

    pool napt {
        address-range low 9.9.99.1 high 9.9.99.3;
        address-range low 9.9.99.4 high 9.9.99.6;
        address-range low 9.9.99.8 high 9.9.99.10;
        address-range low 9.9.99.12 high 9.9.99.13;
        port {
            range low 3333 high 3334;
        }
    }

In this example, the ports are allocated starting from the first address in the first address-range, and allocation continues from this address until all available ports have been used. When all available ports have been used, the next address (in the same address-range or in the following address-range) is allocated and all its ports are selected as needed.
 • The first connection is allocated to the address:port 9.9.99.1:3333.
 • The second connection is allocated to the address:port 9.9.99.1:3334.
 • The third connection is allocated to the address:port 9.9.99.2:3333.
 • The fourth connection is allocated to the address:port 9.9.99.2:3334.
 • and so on.

In the case of the example napt pool, the tuple address, port 9.9.99.4:3333 is allocated only when all ports for all the addresses in the first range have been used.

NOTE: This legacy implementation provides backward compatibility.

Additional Options for NAPT

The following options are available for NAPT:
 • Preserving parity—Use the preserve-parity command to allocate even ports for packets with even source ports and odd ports for packets with odd source ports.

This appleis to control sessions.0.. When you configure static source NAT.0.0. 155 .255. not data sessions.0.255.0.255.255 (broadcast) • You can specify one or more IPv4 address prefixes in the pool statement and in the from clause of the NAT rule term.0/24 (martian) 223.0.0/32 127.0.0. Specifying Destination and Source Prefixes You can directly specify the destination or source prefix used in NAT without configuring a pool.0/16 (martian) 191.0/24 (martian) 224.0. Juniper Networks. see Examples: Configuring NAT Rules.0/8 (loopback) 128. For more information.255. cannot be used for NAT translation: • • • • • • • • • 0. or the address-range boundaries: • The following addresses. while valid in inet.0.0.255. assuming the original packet contains a source port in the reserved range. the address prefix size you configure at the [edit services nat pool pool-name] hierarchy level must be larger than the source-address • Copyright © 2011. a prefix. Inc.Chapter 10: Carrier-Grade NAT Configuration Guidelines • Preserving range—Use the preserve-range command to allocate ports within a range from 0 to 1023. include the rule statement at the [edit services nat] hierarchy level: [edit services nat] rule rule-name { term term-name { then { translated { destination-prefix prefix. } } } } Requirements for NAT Addresses You must configure a specific address. This enables you to configure source translation from a private subnet to a public subnet without defining a rule term for each address in the subnet. To configure the information.0/16 (martian) 192.0.0/4 (reserved) 255.0.0.0/4 (multicast) 240. Destination translation cannot be configured by this method.

prefix range configured at the [edit services nat rule rule-name term term-name from] hierarchy level. The source-address prefix range must also map to a single subnet or range of IPv4 or IPv6 addresses in the pool statement. Any pool addresses that are not used by the source-address prefix range are left unused. Pools cannot be shared.

NOTE: When you include a NAT configuration that changes IP addresses, it might affect forwarding path features elsewhere in your router configuration, such as source class usage (SCU), destination class usage (DCU), filter-based forwarding, or other features that target specific IP addresses or prefixes. NAT configuration might also affect routing protocol operation, because the protocol peering, neighbor, and interface addresses can be altered when routing protocol packets transit the Adaptive Services (AS) or Multiservices PIC.

Configuring NAT Rules

To configure a NAT rule, include the rule rule-name statement at the [edit services nat] hierarchy level:

[edit services nat]
rule rule-name {
    match-direction (input | output);
    term term-name {
        from {
            application-sets set-name;
            applications [ application-names ];
            destination-address (address | any-unicast) <except>;
            destination-address-range low minimum-value high maximum-value <except>;
            destination-prefix-list list-name <except>;
            source-address (address | any-unicast) <except>;
            source-address-range low minimum-value high maximum-value <except>;
            source-prefix-list list-name <except>;
        }
        then {
            no-translation;
            translated {
                address-pooling paired;
                destination-pool nat-pool-name;
                destination-prefix destination-prefix;
                dns-alg-pool dns-alg-pool;
                dns-alg-prefix dns-alg-prefix;
                filtering-type endpoint-independent;
                mapping-type endpoint-independent;
                overload-pool overload-pool-name;
                overload-prefix overload-prefix;
                source-pool nat-pool-name;
                source-prefix source-prefix;
                translation-type {
                    (basic-nat-pt | basic-nat44 | basic-nat66 | dnat-44 | dynamic-nat44 | napt-44 | napt-66 | napt-pt | stateful-nat64 | twice-basic-nat-44 | twice-dynamic-nat-44 | twice-napt-44);
                }
                use-dns-map-for-destination-translation;
            }
            syslog;
        }
    }
}

Each rule must include a match-direction statement that specifies the direction in which the match is applied. In addition, each NAT rule consists of a set of terms, similar to a firewall filter. A term consists of the following:

• from statement—Specifies the match conditions and applications that are included and excluded.
• then statement—Specifies the actions and action modifiers to be performed by the router software.

The following sections explain how to configure the components of NAT rules:

• Configuring Match Direction for NAT Rules on page 157
• Configuring Match Conditions in NAT Rules on page 158
• Configuring Actions in NAT Rules on page 159

Configuring Match Direction for NAT Rules

Each rule must include a match-direction statement that specifies the direction in which the match is applied. To configure where the match is applied, include the match-direction statement at the [edit services nat rule rule-name] hierarchy level:

[edit services nat rule rule-name]
match-direction (input | output);

The match direction is used with respect to the traffic flow through the Multiservices DPC and Multiservices PICs. When a packet is sent to the PIC, direction information is carried along with it. The packet direction is determined based on the following criteria:

• With an interface service set, packet direction is determined by whether a packet is entering or leaving the interface on which the service set is applied.
• With a next-hop service set, packet direction is determ
ined by the interface used to route the packet to the Multiservices DPC or Multiservices PIC. If the inside interface is used to route the packet, the packet direction is input. If the outside interface is used to direct the packet to the PIC or DPC, the packet direction is output. For more information about inside and outside interfaces, see “Configuring Service Sets to be Applied to Services Interfaces” on page 568.
• On the Multiservices DPC and Multiservices PIC, a flow lookup is performed. If no flow is found, rule processing is performed. All rules in the service set are considered. During rule processing, the packet direction is compared against rule directions. Only rules with direction information that matches the packet direction are considered.

Configuring Match Conditions in NAT Rules

To configure NAT match conditions, include the from statement at the [edit services nat rule rule-name term term-name] hierarchy level:

[edit services nat rule rule-name term term-name]
from {
    application-sets set-name;
    applications [ application-names ];
    destination-address (address | any-unicast) <except>;
    destination-address-range low minimum-value high maximum-value <except>;
    destination-prefix-list list-name <except>;
    source-address (address | any-unicast) <except>;
    source-address-range low minimum-value high maximum-value <except>;
    source-prefix-list list-name <except>;
}

To configure traditional NAT, you can use the destination address, the source address, a range of destination addresses, or a range of source addresses as a match condition, in the same way that you would configure a firewall filter. For an example, see “Examples: Configuring Stateful Firewall Rules” on page 118. Alternatively, you can specify a list of source or destination prefixes by including the prefix-list statement at the [edit policy-options] hierarchy level and then including either the destination-prefix-list or source-prefix-list statement in the NAT rule. For more information, see the Junos OS Routing Policy Configuration Guide.

You can include application protocol definitions that you have configured at the [edit applications] hierarchy level; for more information, see “Configuring Application Protocol Properties” on page 72:

• To apply one or more specific application protocol definitions, include the applications statement at the [edit services nat rule rule-name term term-name from] hierarchy level.
• To apply one or more sets of application protocol definitions that you have defined, include the application-sets statement at the [edit services nat rule rule-name term term-name from] hierarchy level.
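As an added example (not code from the Junos guide), the following Python script simulates how the example napt pool from the Port Allocation discussion above hands out address:port tuples under sequential and round-robin allocation, and checks a pool against the addresses that the Requirements for NAT Addresses section says cannot be used. It assumes that round-robin continues past the guide's first four connections by taking one port from every pool address before moving to the next port, and the pool ranges are reconstructed from the guide's example.

```python
"""Added example, not from the Junos guide: simulate NAPT port allocation
for a pool such as the `napt` example pool and validate pool addresses."""
import ipaddress
from itertools import islice

# Addresses the guide lists as valid in inet.0 but unusable for NAT translation.
RESERVED_FOR_NAT = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/32", "127.0.0.0/8", "128.0.0.0/16", "191.255.0.0/16",
    "192.0.0.0/24", "223.255.255.0/24", "224.0.0.0/4", "240.0.0.0/4",
    "255.255.255.255/32",
)]

# The guide's example napt pool, reconstructed as (low, high) address ranges.
NAPT_POOL_RANGES = [("9.9.9.1", "9.9.9.4"), ("9.9.9.8", "9.9.9.10"),
                    ("9.9.9.12", "9.9.9.13")]
NAPT_PORT_RANGE = (3333, 3334)


def expand_ranges(ranges):
    """Expand address-range low/high pairs into pool addresses in config order."""
    addrs = []
    for low, high in ranges:
        lo, hi = ipaddress.ip_address(low), ipaddress.ip_address(high)
        if hi < lo:
            raise ValueError(f"address-range low {low} high {high} is inverted")
        addrs.extend(ipaddress.ip_address(i) for i in range(int(lo), int(hi) + 1))
    return addrs


def unusable_addresses(ranges):
    """Pool addresses that fall inside a prefix the guide forbids for NAT."""
    return [str(a) for a in expand_ranges(ranges)
            if any(a in net for net in RESERVED_FOR_NAT)]


def sequential(ranges, ports):
    """Sequential: exhaust every port of one address before the next address."""
    low, high = ports
    for addr in expand_ranges(ranges):
        for port in range(low, high + 1):
            yield f"{addr}:{port}"


def round_robin(ranges, ports):
    """Round-robin: one port from each pool address, then the next port.
    The order beyond the guide's first four connections is an assumption."""
    low, high = ports
    addrs = expand_ranges(ranges)
    for port in range(low, high + 1):
        for addr in addrs:
            yield f"{addr}:{port}"


def first_connections(allocator, n, ranges=NAPT_POOL_RANGES, ports=NAPT_PORT_RANGE):
    """Address:port tuples handed to the first n connections."""
    return list(islice(allocator(ranges, ports), n))


def static_pool_covers(pool_prefix, source_prefix):
    """Static source NAT: the pool prefix must be at least as large as the
    source-address prefix configured in the rule's from clause."""
    return (ipaddress.ip_network(pool_prefix).num_addresses
            >= ipaddress.ip_network(source_prefix).num_addresses)


if __name__ == "__main__":
    print("sequential :", first_connections(sequential, 4))
    print("round-robin:", first_connections(round_robin, 4))
    # Constructed bad pool: loopback addresses are rejected.
    print("unusable   :", unusable_addresses([("127.0.0.1", "127.0.0.2")]))
```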

NOTE: If you include one of the statements that specifies application protocols, the router derives port and protocol information from the corresponding configuration at the [edit applications] hierarchy level; you cannot specify these properties as match conditions. You can include the protocol tcp and protocol udp statements with the application statement for NAT configurations.

By default, NAT can restore IP, TCP, and UDP headers embedded in the payload of ICMP error messages. You can configure ALGs for ICMP and trace route under stateful firewall and NAT. When matched rules include more than one ALG, the more specific ALG takes effect. For example, if the stateful firewall rule includes TCP and the NAT rule includes FTP, the NAT rule takes precedence.

Configuring Actions in NAT Rules

To configure NAT actions, include the then statement at the [edit services nat rule rule-name term term-name] hierarchy level:

[edit services nat rule rule-name term term-name]
then {
    no-translation;
    syslog;
    translated {
        destination-pool nat-pool-name;
        destination-prefix destination-prefix;
        source-pool nat-pool-name;
        source-prefix source-prefix;
        translation-type (basic-nat-pt | basic-nat44 | basic-nat66 | dnat-44 | dynamic-nat44 | napt-44 | napt-66 | napt-pt | stateful-nat64 | twice-basic-nat-44 | twice-dynamic-nat-44 | twice-napt-44);
    }
}

The no-translation statement allows you to specify addresses that you want excluded from NAT. The syslog statement enables you to record an alert in the system logging facility.

The destination-pool, destination-prefix, source-pool, and source-prefix statements specify addressing information that you define by including the pool statement at the [edit services nat] hierarchy level. For more information, see “Configuring Addresses and Ports for Use in NAT Rules” on page 151.

The translation-type statement specifies the type of NAT used for source or destination traffic. The options are basic-nat-pt, basic-nat44, basic-nat66, dnat-44, dynamic-nat44, napt-44, napt-66, napt-pt, and stateful-nat64. For more information, see “Network Address Translation Overview” on page 48.

The implementation details of the nine options of the translation-type statement are as follows:

• basic-nat44—This option implements the static translation of source IP addresses without port mapping. You must specify either a source pool or a destination prefix. The referenced pool can contain multiple addresses, ranges, or prefixes. The size of the address range specified in the statement must be the same as or smaller than the source pool, or, if it is a prefix, the size must be less than or equal to the pool prefix size. You must configure the from source-address statement in the match condition for the rule, because a pool cannot be shared among multiple terms or rules.

  NOTE: In an interface service set, all packets destined for the source address specified in the match condition are automatically routed to the services PIC, even if no service set is associated with the interface.

• basic-nat-pt—This option implements translation of addresses of IPv6 hosts, as they originate sessions to the IPv4 hosts in an external domain and vice versa. You must define the source and destination pools of IPv4 addresses. You must configure one rule and define two terms. Configure the IPv6 addresses in the from statement in both the term statements. In the then statement of the first term within the rule, reference both the source and destination pools and configure dns-alg-prefix. Configure the source prefix in the then statement of the second term within the same rule. This option is always implemented with DNS ALG.
• basic-nat66—This option implements the static translation of source IP addresses without port mapping in IPv6 networks. The configuration is similar to the basic-nat44 implementation, but with IPv6 addresses.
• dnat-44—This option implements static translation of destination IP addresses without port mapping. You must specify a name for the destination pool statement. The referenced pool can contain multiple addresses but you cannot specify ports for translation. You must include exactly one destination-address value at the [edit services nat rule rule-name term term-name from] hierarchy level. The size of the pool address space must be greater than or equal to the destination address space. Any addresses in the pool that are not matched in the destination-address value remain unused, as long as the number of NAT addresses in the pool is larger than the number of destination addresses in the from statement.
• dynamic-nat44—This option implements dynamic translation of source IP addresses without port mapping. You must specify a source-pool name. The referenced pool must include an address configuration (for address-only translation). This feature enables the router to share a few public IP addresses between several private hosts. Because all the private hosts might not simultaneously create sessions, they can share a few public IP addresses. The requests from the source address range are assigned to the addresses in the pool until the pool is used up, and any additional requests are rejected. A NAT address assigned to a host is used for all concurrent sessions from that host. The address is released to the pool only after all the sessions for that host expire. The dynamic-nat44 address-only option supports translating up to 16,777,216 addresses to a smaller size pool.
• napt-44—This option implements dynamic translation of source IP addresses with port mapping. You must specify a name for the source-pool statement. The referenced pool must include a port configuration (for NAPT). If the port is configured as automatic or a port range is specified, then it implies that network address and port translation (NAPT) is used.
• napt-66—This option implements dynamic address translation of source IP addresses with port mapping for IPv6 addresses. The configuration is similar to the napt-44 implementation, but with IPv6 addresses.
• napt-pt—This option implements dynamic address and port translation for source and static translation of destination IP address. You must specify the IPv4 addresses used for translation at the [edit services nat pool] hierarchy level. This pool must be referenced in the rule that translates the IPv6 addresses to IPv4. Additionally, you must configure two rules, one for the DNS traffic and the other for the rest of the traffic. The rule meant for the DNS traffic should be DNS ALG enabled and the dns-alg-prefix statement should be configured. Moreover, the prefix configured in the dns-alg-prefix statement must be used in the second rule to translate the destination IPv6 addresses to IPv4 addresses.
• stateful-nat64—This option implements dynamic address and port translation for source IP addresses and prefix removal translation for destination IP addresses. You must specify a name for the source-pool statement. The referenced pool must include a port configuration.

NOTE: When configuring NAT, if any traffic is destined for the following addresses and does not match a NAT flow or NAT rule, the traffic is dropped:

• Addresses specified in the from destination-address statement when you are using destination translation
• Addresses specified in the source NAT pool when you are using source translation

For more information on NAT methods, see RFC 2663, IP Network Address Translator (NAT) Terminology and Considerations.

Configuring NAT Rule Sets

The rule-set statement defines a collection of NAT rules that determine what actions the router software performs on packets in the data stream. You define each rule by specifying a rule name and configuring terms. Then, you specify the order of the rules by including the rule-set statement at the [edit services nat] hierarchy level with a rule statement for each rule:

rule-set rule-set-name {
    rule rule-name;
}

The router software processes the rules in the order in which you specify them in the configuration. If a term in a rule matches the packet, the router performs the corresponding action and the rule processing stops. If no term in a rule matches the packet, processing continues to the next rule in the rule set. If none of the rules match the packet, no NAT action is performed on the packet. If a packet is destined to a NAT pool address, it is dropped.

Configuring Static Source Translation in IPv4 Networks

To configure the translation type as basic-nat44, you must configure the NAT pool and rule, service set with service interface, and trace options. This topic includes the following tasks:

1. Configuring the NAT Pool and Rule on page 162
2. Configuring the Service Set for NAT on page 163
3. Configuring Trace Options on page 164

Configuring the NAT Pool and Rule

To configure the NAT pool, rule, and term:

1. In configuration mode, go to the [edit services nat] hierarchy level.

   [edit]
   user@host# edit services nat

2. Configure the NAT pool with an address.

   [edit services nat]
   user@host# set pool pool-name address address

   In the following example, the pool name is src_pool and the address is 10.10.10.2/32.

   [edit services nat]
   user@host# set pool src_pool address 10.10.10.2/32

3. Configure the NAT rule and the match direction.

   [edit services nat]
   user@host# set rule rule-name match-direction match-direction

   In the following example, the NAT rule name is rule-basic-nat44 and the match direction is input.

   [edit services nat]
   user@host# set rule rule-basic-nat44 match-direction input

4. Configure the source address in the from statement.

   [edit services nat]
   user@host# set rule rule-basic-nat44 term term-name from from

   In the following example, the term name is t1 and the input condition is source-address 3.1.1.2/32.

   [edit services nat]
   user@host# set rule rule-basic-nat44 term t1 from source-address 3.1.1.2/32

5. Configure the NAT term action and properties of the translated traffic.

   [edit services nat]
   user@host# set rule rule-basic-nat44 term t1 then term-action translated-property

   In the following example, the term action is translated and the property of the translated traffic is source-pool src_pool.

   [edit services nat]
   user@host# set rule rule-basic-nat44 term t1 then translated source-pool src_pool

6. Configure the translation type.

   [edit services nat]
   user@host# set rule rule-basic-nat44 term t1 then translated translation-type translation-type

   In the following example, the translation type is basic-nat44.

   [edit services nat]
   user@host# set rule rule-basic-nat44 term t1 then translated translation-type basic-nat44

7. Verify the configuration by using the show command at the [edit services nat] hierarchy level.

   [edit services]
   user@host# show
   nat {
       pool src_pool {
           address 10.10.10.2/32;
       }
       rule rule-basic-nat44 {
           match-direction input;
           term t1 {
               from {
                   source-address {
                       3.1.1.2/32;
                   }
               }
               then {
                   translated {
                       source-pool src_pool;
                       translation-type {
                           basic-nat44;
                       }
                   }
               }
           }
       }
   }

Configuring the Service Set for NAT

To configure the service set for NAT:

1. In configuration mode, go to the [edit services] hierarchy level.

   [edit]
   user@host# edit services

2. Configure the service set.

   [edit services]
   user@host# edit service-set service-set-name

   In the following example, the service set name is s1.

   [edit services]
   user@host# edit service-set s1

3. For the s1 service set, set the reference to the NAT rules configured at the [edit services nat] hierarchy level.

   [edit services service-set s1]
   user@host# set nat-rules rule-name

   In the following example, the rule name is rule-basic-nat44.

   [edit services service-set s1]
   user@host# set nat-rules rule-basic-nat44

4. Configure the service interface.

   [edit services service-set s1]
   user@host# set interface-service service-interface service-interface-name

   In the following example, the service interface name is ms-1/2/0.

   [edit services service-set s1]
   user@host# set interface-service service-interface ms-1/2/0

   NOTE: If you have a Trio-based line card, you can configure an inline-services interface on that card:

   [edit]
   user@host# set interfaces si-0/0/0
   [edit services service-set s1]
   user@host# set interface-service service-interface si-0/0/0

5. Verify the configuration by using the show command at the [edit services] hierarchy level.

   [edit services]
   user@host# show
   service-set s1 {
       nat-rules rule-basic-nat44;
       interface-service {
           service-interface ms-1/2/0;
       }
   }

Configuring Trace Options

To configure the trace options at the [edit services adaptive-services-pics] hierarchy level:

1. In configuration mode, go to the [edit services adaptive-services-pics] hierarchy level.

   [edit]
   user@host# edit services adaptive-services-pics

2. Configure the trace options.

   [edit services adaptive-services-pics]
   user@host# set traceoptions flag tracing-parameter

   In the following example, the tracing parameter is all.

   [edit services adaptive-services-pics]
   user@host# set traceoptions flag all

3. Verify the configuration by using the show command at the [edit services] hierarchy level.

   [edit services]
   user@host# show
   adaptive-services-pics {
       traceoptions {
           flag all;
       }
   }

Configuring Static Source Translation in IPv6 Networks

To configure the translation type as basic-nat66, you must configure the NAT pool and rule, service set with service interface, and trace options. This topic includes the following tasks:

1. Configuring the NAT Pool and Rule on page 165
2. Configuring the Service Set for NAT on page 167
3. Configuring Trace Options on page 167

Configuring the NAT Pool and Rule

To configure the NAT pool, rule, and term:

1. In configuration mode, go to the [edit services nat] hierarchy level.

   [edit]
   user@host# edit services nat

2. Configure the NAT pool with an address.

   [edit services nat]
   user@host# set pool pool-name address address

   In the following example, the pool name is src_pool and the address is 10.10.10.2/32.

   [edit services nat]
   user@host# set pool src_pool address 10.10.10.2/32

3. Configure the NAT rule and the match direction.

   [edit services nat]
   user@host# set rule rule-name match-direction match-direction

   In the following example, the rule name is rule-basic-nat66 and the match direction is input.

   [edit services nat]
   user@host# set rule rule-basic-nat66 match-direction input

4. Configure the source address in the from statement.

   [edit services nat]
   user@host# set rule rule-basic-nat66 term term-name from from

   In the following example, the term name is t1 and the input condition is source-address 10:10:10::0/96.

   [edit services nat]
   user@host# set rule rule-basic-nat66 term t1 from source-address 10:10:10::0/96

5. Configure the NAT term action and properties of the translated traffic.

   [edit services nat]
   user@host# set rule rule-basic-nat66 term t1 then term-action translated-property

   In the following example, the term action is translated and the property of the translated traffic is source-pool src_pool.

   [edit services nat]
   user@host# set rule rule-basic-nat66 term t1 then translated source-pool src_pool

6. Configure the translation type.

   [edit services nat]
   user@host# set rule rule-basic-nat66 term t1 then translated translation-type translation-type

   In the following example, the translation type is basic-nat66.

   [edit services nat]
   user@host# set rule rule-basic-nat66 term t1 then translated translation-type basic-nat66

7. Verify the configuration by using the show command at the [edit services] hierarchy level.

   [edit services]
   user@host# show
   nat {
       pool src_pool {
           address 10.10.10.2/32;
       }
       rule rule-basic-nat66 {
           match-direction input;
           term t1 {
               from {
                   source-address {
                       10:10:10::0/96;
                   }
               }
               then {
                   translated {
                       source-pool src_pool;
                       translation-type {
                           basic-nat66;
                       }
                   }
               }
           }
       }
   }

Configuring the Service Set for NAT

To configure the service set for NAT:

1. In configuration mode, go to the [edit services] hierarchy level.

   [edit]
   user@host# edit services

2. Configure the service set.

   [edit services]
   user@host# edit service-set service-set-name

   In the following example, the service set name is s1.

   [edit services]
   user@host# edit service-set s1

3. For the s1 service set, set the reference to the NAT rules configured at the [edit services nat] hierarchy level.

   [edit services service-set s1]
   user@host# set nat-rules rule-name

   In the following example, the rule name is rule-basic-nat66.

   [edit services service-set s1]
   user@host# set nat-rules rule-basic-nat66

4. Configure the service interface.

   [edit services service-set s1]
   user@host# set interface-service service-interface service-interface-name

   In the following example, the service interface name is sp-1/2/0.

   [edit services service-set s1]
   user@host# set interface-service service-interface sp-1/2/0

5. Verify the configuration by using the show command at the [edit services] hierarchy level.

   [edit services]
   user@host# show
   service-set s1 {
       nat-rules rule-basic-nat66;
       interface-service {
           service-interface sp-1/2/0;
       }
   }

Configuring Trace Options

To configure the trace options at the [edit services adaptive-services-pics] hierarchy level:

1. In configuration mode, go to the [edit services adaptive-services-pics] hierarchy level.

   [edit]
   user@host# edit services adaptive-services-pics

2. Configure the trace options.

   [edit services adaptive-services-pics]
   user@host# set traceoptions flag tracing-parameter

   In the following example, the tracing parameter is all.

   [edit services adaptive-services-pics]
   user@host# set traceoptions flag all

3. Verify the configuration by using the show command at the [edit services] hierarchy level.

   [edit services]
   user@host# show
   adaptive-services-pics {
       traceoptions {
           flag all;
       }
   }

Configuring Dynamic Source Address and Port Translation in IPv4 Networks

Network Address Port Translation (NAPT) is a method by which many network addresses and their TCP/UDP ports are translated into a single network address and its TCP/UDP ports. This translation can be configured in both IPv4 and IPv6 networks. This section describes the steps for configuring NAPT in IPv4 networks. To configure NAPT, you must configure a rule at the [edit services nat] hierarchy level for dynamically translating the source IPv4 addresses.

To configure NAPT in IPv4 networks:

1. In configuration mode, go to the [edit services] hierarchy level.

   [edit]
   user@host# edit services

2. Configure the service set and NAT rule.

   [edit services]
   user@host# set service-set service-set-name nat-rules rule-name

   In the following example, the name of the service set is s1 and the name of the NAT rule is rule-napt-44.

   [edit services]
   user@host# set service-set s1 nat-rules rule-napt-44

3. Go to the [interface-service] hierarchy level of the service set.

   [edit services]
   user@host# edit service-set s1 interface-service

4. Configure the service interface.

   [edit services service-set s1 interface-service]
   user@host# set service-interface service-interface-name

   In the following example, the name of the service interface is ms-0/1/0.

   [edit services service-set s1 interface-service]
   user@host# set service-interface ms-0/1/0

   NOTE: If the service interface is not present in the router, or the specified interface is not functional, the following command can result in an error. Issue the command from the top of the services hierarchy, or use the top keyword.

5. Go to the [edit services nat] hierarchy level. In the command, the top keyword ensures that the command is run from the top of the hierarchy.

   [edit services service-set s1 interface-service]
   user@host# top edit services nat

6. Configure the NAT pool with an address.

   [edit services nat]
   user@host# set pool pool-name address address

   In the following example, the name of the pool is napt-pool and the address is 10.10.10.0.

   [edit services nat]
   user@host# set pool napt-pool address 10.10.10.0

7. Configure the port.

   [edit services nat]
   user@host# set pool pool-name port port-type

   In the following example, the port type is selected as automatic.

   [edit services nat]
   user@host# set pool napt-pool port automatic

8. Configure the rule and the match direction.

   [edit services nat]
   user@host# set rule rule-name match-direction match-direction

   In the following example, the name of the rule is rule-napt-44 and the match direction is input.

   [edit services nat]
   user@host# set rule rule-napt-44 match-direction input

9. Configure the term, the action for the translated traffic, and the translation type.

   [edit services nat]
   user@host# set rule rule-name term term-name then translated translated-action translation-type translation-type

   In the following example, the name of the term is t1, the action for the translated traffic is translated, the name of the source pool is napt-pool, and the translation type is napt-44.

   [edit services nat]
   user@host# set rule rule-napt-44 match-direction input term t1 then translated source-pool napt-pool translation-type napt-44

10. Go to the [edit services adaptive-services-pics] hierarchy level.

   [edit services nat]
   user@host# top edit services adaptive-services-pics

11. Configure the trace options.

   [edit services adaptive-services-pics]
   user@host# set traceoptions flag tracing-parameter

   In the following example, the tracing parameter is configured as all.

   [edit services adaptive-services-pics]
   user@host# set traceoptions flag all

12. Verify the configuration by using the show command at the [edit services] hierarchy level.

   [edit services]
   user@host# show
   service-set s1 {
       nat-rules rule-napt-44;
       interface-service {
           service-interface ms-0/1/0;
       }
   }
   nat {
       pool napt-pool {
           address 10.10.10.0/32;
           port {
               automatic;
           }
       }
       rule rule-napt-44 {
           match-direction input;
           term t1 {
               then {
                   translated {
                       source-pool napt-pool;
                       translation-type {
                           napt-44;
                       }
                   }
               }
           }
       }
   }
   adaptive-services-pics {
       traceoptions {
           flag all;
       }
   }

Related Documentation

• Example: Configuring Dynamic Source Translation for an IPv4 Network on page 196

Configuring Advanced Options for Dynamic Source Address and Port Translation in IPv4 Networks

A number of configuration options provide you with greater flexibility and control when you configure dynamic source address and port translation. The options include the following:

Chapter 10: Carrier-Grade NAT Configuration Guidelines

• address pooling—Assigning the same external address for all sessions originating from the same internal host. Address pooling applies when you use a pool of addresses. Any point-to-point (P2P) protocol that negotiates ports (assuming address stability) will benefit from address pooling paired.

  Use Cases for Address Pooling

  • Instant Messaging—The chat and control sessions of some IM clients should arrive from the same public source address. For example, when a particular chat client is first started, it authenticates with the chat server to identify the user. When the user starts a chat window, a new session is established. If the chat session originates from a source address that is different from the authentication session, it is not recognized as an authenticated session, and the server rejects the chat session.

  • SSL—Certain websites such as online banking require that all connections from a given host (SSL or not) come from the same IP address, even after they go through NAT. If they don’t, the server will reject them.

  BEST PRACTICE: If a Session Initiation Protocol (SIP) client is sending Real-Time Transport Protocol (RTP) and Real-Time Control Protocol (RTCP) packets, it is expected that they come from the same IP address. Otherwise, an alternate scheme should have been negotiated beforehand. If RTP and RTCP IP addresses are different, the receiving endpoint might drop packets.

  Configuration with Address Pooling Enabled

    rule r1-address-pooling {
        match-direction input;
        term t1 {
            from {
                applications [ junos-sip junos-rtsp ];
            }
            then {
                translated {
                    source-pool p1;
                    translation-type {
                        napt-44;
                    }
                    address-pooling paired;
                }
            }
        }
    }

• endpoint-independent mapping (EIM) and endpoint-independent filtering (EIF)—EIM creates address and port mapping from a private network to the public network. It does not imply anything about port assignment and does not specify what connections to accept from the outside.

  EIF is the exact opposite: it creates mappings from a public IP and port address to a private IP address and port.

  For example, a host in a private network opens an internet connection with source IP address and port P1:p1 to a server. When a napt-44 rule with EIM and EIF enabled is matched for this session, a translated address and port, N1:n1, is allocated to this session and, because EIM is enabled, the following mapping is created:

    P1:p1 ---> N1:n1

  Any new connections to the same or a different server in the outside network that reuse the same private address and port are translated to N1:n1. In addition, because EIF is configured, another mapping is also created for the inbound traffic:

    N1:n1 ---> P1:p1

  NOTE: EIF can be configured only when EIM is configured.

  BEST PRACTICE: EIM is no longer widely used, because many applications can now traverse NAT and receive inbound connections over the same outbound connection, and applications that need ALGs are still prevalent. If EIM is needed, it should be enabled on a per-application basis. In other words, only enable EIM for the applications that need it, as shown in the following example.

    rule sip-eim {
        match-direction input;
        term t1 {
            from {
                applications junos-sip;
            }
            then {
                translated {
                    source-pool p1;
                    translation-type {
                        source dynamic;
                    }
                    mapping-type endpoint-independent;
                }
            }
        }
    }
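The behavioural difference between plain napt-44, address-pooling paired, and an EIM/EIF rule is easier to see on a small model than in prose. The following Python script is an added illustration written for this page; it is not Junos code or output and does not model the PIC's real allocator. All addresses and ports in it are constructed sample values (RFC 5737 documentation ranges), and the helper names (Napt, outbound, inbound) are the script's own. It reproduces the P1:p1 ---> N1:n1 and N1:n1 ---> P1:p1 mappings described above and the rule that EIF requires EIM.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]   # (IP address, port)


@dataclass
class Napt:
    """Minimal model of a napt-44 translator (illustration, not the Junos implementation)."""
    pool: List[str]                        # external addresses, constructed sample values
    address_pooling_paired: bool = False   # models 'address-pooling paired'
    eim: bool = False                      # models 'mapping-type endpoint-independent'
    eif: bool = False                      # models endpoint-independent filtering
    first_port: int = 1024
    host_to_external: Dict[str, str] = field(default_factory=dict)       # P -> N (AP-P)
    eim_map: Dict[Endpoint, Endpoint] = field(default_factory=dict)      # P:p -> N:n
    inbound_map: Dict[Endpoint, Endpoint] = field(default_factory=dict)  # N:n -> P:p (EIF)
    sessions: Dict[Tuple[Endpoint, Endpoint], Endpoint] = field(default_factory=dict)
    next_port: Dict[str, int] = field(default_factory=dict)
    rr: int = 0                            # round-robin index into the pool

    def __post_init__(self) -> None:
        # The chapter's NOTE: EIF can be configured only when EIM is configured.
        if self.eif and not self.eim:
            raise ValueError("endpoint-independent filtering requires endpoint-independent mapping")

    def _external_address(self, private_ip: str) -> str:
        # With AP-P every session from the same internal host reuses one external address.
        if self.address_pooling_paired and private_ip in self.host_to_external:
            return self.host_to_external[private_ip]
        ext = self.pool[self.rr % len(self.pool)]
        self.rr += 1
        if self.address_pooling_paired:
            self.host_to_external[private_ip] = ext
        return ext

    def _allocate(self, private_ip: str) -> Endpoint:
        ext_ip = self._external_address(private_ip)
        port = self.next_port.get(ext_ip, self.first_port)
        self.next_port[ext_ip] = port + 1
        return (ext_ip, port)

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Translate an outbound flow P:p -> D:d and return the external N:n it receives."""
        key = (src, dst)
        if key in self.sessions:
            return self.sessions[key]
        if self.eim and src in self.eim_map:
            ext = self.eim_map[src]            # same P:p keeps N:n regardless of destination
        else:
            ext = self._allocate(src[0])
            if self.eim:
                self.eim_map[src] = ext        # P1:p1 ---> N1:n1
                if self.eif:
                    self.inbound_map[ext] = src  # N1:n1 ---> P1:p1
        self.sessions[key] = ext
        return ext

    def inbound(self, ext: Endpoint, remote: Endpoint) -> Optional[Endpoint]:
        """Deliver a packet from remote R:r to external N:n; None means it is dropped."""
        for (src, dst), mapped in self.sessions.items():
            if mapped == ext and dst == remote:
                return src                     # reply on an existing session
        return self.inbound_map.get(ext)       # unsolicited: only EIF lets it through


def demo_address_pooling() -> Tuple[bool, bool]:
    """SIP signalling and RTP from one host leave with the same external address under AP-P."""
    nat = Napt(pool=["198.51.100.1", "198.51.100.2"], address_pooling_paired=True)
    sip = nat.outbound(("10.0.0.5", 5060), ("203.0.113.10", 5060))
    rtp = nat.outbound(("10.0.0.5", 16384), ("203.0.113.20", 16384))
    other_host = nat.outbound(("10.0.0.6", 5060), ("203.0.113.10", 5060))
    return sip[0] == rtp[0], other_host[0] == "198.51.100.2"


def demo_eim_eif() -> dict:
    """Compare plain napt-44 with an EIM+EIF rule for the P1:p1 -> N1:n1 example."""
    plain = Napt(pool=["198.51.100.1"])
    eim = Napt(pool=["198.51.100.1"], eim=True, eif=True)
    p1 = ("10.0.0.5", 5060)
    server_a, server_b = ("203.0.113.10", 5060), ("203.0.113.20", 5060)
    third_party = ("203.0.113.30", 40000)     # a host P1:p1 never contacted
    n1 = eim.outbound(p1, server_a)
    return {
        "plain_reuses_mapping": plain.outbound(p1, server_a) == plain.outbound(p1, server_b),
        "eim_reuses_mapping": n1 == eim.outbound(p1, server_b),
        "plain_unsolicited": plain.inbound(plain.outbound(p1, server_a), third_party),
        "eif_unsolicited": eim.inbound(n1, third_party),
    }


if __name__ == "__main__":
    print(demo_address_pooling())
    print(demo_eim_eif())
```

Running it shows plain NAPT handing the same P1:p1 a fresh external port for each new destination and dropping the unsolicited packet, while the EIM/EIF rule keeps N1:n1 for every destination and delivers the unsolicited packet to P1:p1. That delivered packet is exactly the exposure the BEST PRACTICE above is about, which is why EIM is best restricted to the applications that need it.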

Configuring Dynamic Source Address and Port Translation for IPv6 Networks

Network Address Port Translation (NAPT) is a method by which many network addresses and their TCP/UDP ports are translated into a single network address and its TCP/UDP ports. This translation can be configured in both IPv4 and IPv6 networks. This section describes the steps for configuring NAPT in IPv6 networks. For information about configuring NAPT in IPv4 networks, see “Configuring Dynamic Source Address and Port Translation in IPv4 Networks” on page 168.

To configure NAPT, you must configure a rule at the [edit services nat] hierarchy level for dynamically translating the source IPv6 addresses. For NAPT, also specify port numbers when configuring the source pool.

To configure NAPT in IPv6 networks:

1. In configuration mode, go to the [edit services nat] hierarchy level.

    [edit]
    user@host# edit services nat

2. Define the pool of IPv6 source addresses that must be used for dynamic translation.

    [edit services nat]
    user@host# set pool pool-name address IPv6-source-addresses
    user@host# set pool pool-name port source-ports

   For example:

    [edit services nat]
    user@host# set pool IPV6-NAPT-Pool address 2002::1/96
    user@host# set pool IPV6-NAPT-Pool port automatic

3. Define a NAT rule for translating the source addresses. To do this, set the match-direction statement of the rule as input. In addition, define a term that uses napt-66 as the translation type for translating the addresses of the pool defined in the previous step.

    [edit services nat]
    user@host# set rule rule-name match-direction input
    user@host# set rule rule-name term term-name then translated source-pool pool-name
    user@host# set rule rule-name term term-name then translated translation-type napt-66

   For example:

    [edit services nat]
    user@host# set rule IPV6-NAPT-Rule match-direction input
    user@host# set rule IPV6-NAPT-Rule term t1 then translated source-pool IPV6-NAPT-Pool
    user@host# set rule IPV6-NAPT-Rule term t1 then translated translation-type napt-66

4. Enter the up command to navigate to the [edit services] hierarchy level.

    [edit services nat]
    user@host# up

5. Define a service set to specify the services interface that must be used, and reference the NAT rule implemented for NAPT translation.

    [edit services]
    user@host# set service-set service-set-name interface-service service-interface services-interface
    user@host# set service-set service-set-name nat-rules rule-name

   For example:

    [edit services]
    user@host# set service-set IPV6-NAPT-ServiceSet interface-service service-interface ms-0/1/0
    user@host# set service-set IPV6-NAPT-ServiceSet nat-rules IPV6-NAPT-Rule

6. Define the trace options for the adaptive services PIC.

    [edit services]
    user@host# set adaptive-services-pics traceoptions flag tracing-parameter

   For example:

    [edit services]
    user@host# set adaptive-services-pics traceoptions flag all

Related Documentation
• Example: Configuring Dynamic Source Address and Port Translation for an IPv6 Network on page 197

Configuring Dynamic Address-Only Source Translation in IPv4 Networks

In IPv4 networks, dynamic address translation (dynamic NAT) is a mechanism to dynamically translate the destination traffic without port mapping. To use dynamic NAT, you must specify a source pool name, which includes an address configuration.

To configure dynamic NAT in IPv4 networks:

1. In configuration mode, go to the [edit services] hierarchy level.

    [edit]
    user@host# edit services

2. Configure the service set and NAT rule.

    [edit services]
    user@host# set service-set service-set-name nat-rules rule-name

   In the following example, the name of the service set is s1, and the name of the NAT rule is rule-dynamic-nat44.

    [edit services]
    user@host# set service-set s1 nat-rules rule-dynamic-nat44

3. Go to the [interface-service] hierarchy level for the service set.

    [edit services]
    user@host# edit service-set s1 interface-service

4. Configure the service interface.

    [edit services service-set s1 interface-service]
    user@host# set service-interface service-interface-name

   In the following example, the name of the service interface is ms-0/1/0.

   NOTE: If the service interface is not present in the router, or the specified interface is not functional, the following command can result in an error.

    [edit services service-set s1 interface-service]
    user@host# set service-interface ms-0/1/0

5. Go to the [edit services nat] hierarchy level. Issue the following command from the top of the services hierarchy, or use the top keyword. In the following command, the top keyword ensures that the command is run from the top of the hierarchy.

    [edit services service-set s1 interface-service]
    user@host# top edit services nat

6. Configure the NAT pool with an address.

    [edit services nat]
    user@host# set pool pool-name address address

   In the following example, the name of the pool is source-dynamic-pool, and the address is 10.1.1.0.

    [edit services nat]
    user@host# set pool source-dynamic-pool address 10.1.1.0

7. Configure the rule, match direction, term, and source address.

    [edit services nat]
    user@host# set rule rule-name match-direction match-direction term term-name from source-address address

   In the following example, the name of the rule is rule-dynamic-nat44, the match direction is input, the name of the term is t1, and the source address is 3.1.1.0.

    [edit services nat]
    user@host# set rule rule-dynamic-nat44 match-direction input term t1 from source-address 3.1.1.0

8. Go to the [edit rule rule-dynamic-nat-44 term t1] hierarchy level.

    [edit services nat]
    user@host# edit rule rule-dynamic-nat44 term t1

9. Configure the source pool and the translation type.

    [edit services nat rule rule-dynamic-nat44 term t1]
    user@host# set then translated source-pool src-pool-name translation-type translation-type

   In the following example, the name of the source pool is source-dynamic-pool and the translation type is dynamic-nat44.

    [edit services nat rule rule-dynamic-nat44 term t1]
    user@host# set then translated source-pool source-dynamic-pool translation-type dynamic-nat44

10. Go to the [edit services adaptive-services-pics] hierarchy level.

    [edit services nat rule rule-dynamic-nat44 term t1]
    user@host# top edit services adaptive-services-pics

11. Configure the trace options.

    [edit services adaptive-services-pics]
    user@host# set traceoptions flag tracing-parameter

   In the following example, the tracing parameter is configured as all.

    [edit services adaptive-services-pics]
    user@host# set traceoptions flag all

12. Verify the configuration by using the show command at the [edit services] hierarchy level.

    [edit services]
    user@host# show
    service-set s1 {
        nat-rules rule-dynamic-nat44;
        interface-service {
            service-interface ms-0/1/0;
        }
    }
    nat {
        pool source-dynamic-pool {
            address 10.1.1.0/24;
        }
        rule rule-dynamic-nat44 {
            match-direction input;
            term t1 {
                from {
                    source-address {
                        3.1.1.0/24;
                    }
                }
                then {
                    translated {
                        destination-pool source-dynamic-pool;
                        translation-type {
                            dynamic-nat44;
                        }
                    }
                }
            }
        }
    }
    adaptive-services-pics {
        traceoptions {
            flag all;
        }
    }

Related Documentation
• Example: Configuring Dynamic Address-Only Source Translation in an IPv4 Network on page 198

Configuring Static Destination Address Translation in IPv4 Networks

In IPv4 networks, destination address translation is a mechanism used to implement address translation for destination traffic without port mapping. To use destination address translation, you must specify a name for the destination-pool statement, which can contain multiple addresses, ranges, or prefixes, as long as the number of NAT addresses in the pool is larger than the number of destination addresses in the from statement. The size of the pool address space must be greater than or equal to the destination address space.

To configure destination address translation in IPv4 networks:

1. In configuration mode, go to the [edit services] hierarchy level.

    [edit]
    user@host# edit services

2. Configure the service set and the NAT rule.

    [edit services]
    user@host# set service-set service-set-name nat-rules rule-name

   In the following example, the name of the service set is s1 and the name of the NAT rule is rule-dnat44.

    [edit services]
    user@host# set service-set s1 nat-rules rule-dnat44

3. Go to the [interface-service] hierarchy level of the service set.

    [edit services]
    user@host# edit service-set s1 interface-service

4. Configure the service interface.

    [edit services service-set s1 interface-service]
    user@host# set service-interface service-interface-name

   In the following example, the name of the service interface is ms-0/1/0.

   NOTE: If the service interface is not present in the router, or the specified interface is not functional, the following command can result in an error.

    [edit services service-set s1 interface-service]
    user@host# set service-interface ms-0/1/0

5. Go to the [edit services nat] hierarchy level. Issue the following command from the top of the services hierarchy, or use the top keyword.

    [edit services service-set s1]
    user@host# top edit services nat

6. Configure the NAT pool with an address.

    [edit services nat]
    user@host# set pool pool-name address address

   In the following example, dest-pool is used as the pool name and 4.1.1.2 as the address.

    user@host# set pool dest-pool address 4.1.1.2

7. Configure the rule, match direction, term, and destination address.

    [edit services nat]
    user@host# set rule rule-name match-direction match-direction term term-name from destination-address address

   In the following example, the name of the rule is rule-dnat44, the match direction is input, the name of the term is t1, and the address is 20.20.20.20.

    [edit services nat]
    user@host# set rule rule-dnat44 match-direction input term t1 from destination-address 20.20.20.20

8. Go to the [edit services nat rule rule-dnat44 term t1] hierarchy level.

    [edit services nat]
    user@host# edit rule rule-dnat44 term t1

9. Configure the destination pool and the translation type.

    [edit services nat rule rule-dnat44 term t1]
    user@host# set then translated destination-pool dest-pool-name translation-type translation-type

   In the following example, the destination pool name is dest-pool, and the translation type is dnat-44.

    [edit services nat rule rule-dnat44 term t1]
    user@host# set then translated destination-pool dest-pool translation-type dnat-44

10. Go to the [edit services adaptive-services-pics] hierarchy level.

    [edit services nat rule rule-dnat44 term t1]
    user@host# top edit services adaptive-services-pics

11. Configure the trace options.

    [edit services adaptive-services-pics]
    user@host# set traceoptions flag tracing-parameter

   In the following example, the tracing parameter is configured as all.

    [edit services adaptive-services-pics]
    user@host# set traceoptions flag all

12. Verify the configuration by using the show command at the [edit services] hierarchy level.

    [edit services]
    user@host# show
    service-set s1 {
        nat-rules rule-dnat44;
        interface-service {
            service-interface ms-0/1/0;
        }
    }
    nat {

        pool dest-pool {
            address 4.1.1.2/32;
        }
        rule rule-dnat44 {
            match-direction input;
            term t1 {
                from {
                    destination-address {
                        20.20.20.20/32;
                    }
                }
                then {
                    translated {
                        destination-pool dest-pool;
                        translation-type {
                            dnat-44;
                        }
                    }
                }
            }
        }
    }
    adaptive-services-pics {
        traceoptions {
            flag all;
        }
    }

Related Documentation
• Example: Configuring Static Destination Address Translation on page 199

Configuring Port Forwarding for Static Destination Address Translation

Starting with Junos OS Release 11.4, you can map an external IP address and port with an IP address and port in a private network. This allows the destination address and port of a packet to be changed to reach the right host in a Network Address Translation (NAT) gateway.

Port forwarding is supported only with dnat-44 and twice-napt-44 on IPv4 networks. Port forwarding works only with the FTP application-level gateway (ALG). Port forwarding is not supported with endpoint-independent mapping (EIM), endpoint-independent filtering (EIF), or address pooling-paired (AP-P). Port forwarding has no support for technologies such as IPv6 rapid deployment (6rd) and dual-stack lite (DS-Lite) that offer IPv6 services over IPv4 infrastructure.

To configure destination address translation in IPv4 networks:

1. In configuration mode, go to the [edit services nat] hierarchy level.

    [edit]
    user@host# edit services nat

2. Configure the NAT pool with an address.

    [edit services nat]
    user@host# set pool pool-name address address

   In the following example, dest-pool is used as the pool name and 4.1.1.2 as the address.

    user@host# set pool dest-pool address 4.1.1.2

3. Configure the rule, match direction, term, and destination address.

    [edit services nat]
    user@host# set rule rule-name match-direction match-direction term term-name from destination-address address

   In the following example, the name of the rule is rule-dnat44, the match direction is input, the name of the term is t1, and the address is 20.20.20.20.

    [edit services nat]
    user@host# set rule rule-dnat44 match-direction input term t1 from destination-address 20.20.20.20

4. Configure the destination port range.

    [edit services nat]
    user@host# set rule rule-name match-direction match-direction term term-name from destination-port range range high | low

   In the following example, the upper port range is 50 and the lower port range is 20.

    [edit services nat]
    user@host# set rule rule-dnat44 match-direction input term t1 from destination-port range range high 50 low 20

5. Go to the [edit services nat rule rule-dnat44 term t1] hierarchy level.

    [edit services nat]
    user@host# edit rule rule-dnat44 term t1

6. Configure the destination pool.

    [edit services nat rule rule-dnat44 term t1]
    user@host# set then translated destination-pool dest-pool-name

   In the following example, the destination pool name is dest-pool, and the translation type is dnat-44.

    [edit services nat rule rule-dnat44 term t1]
    user@host# set then translated destination-pool dest-pool

7. Configure the mapping for port forwarding and the translation type.

    [edit services nat rule rule-dnat44 term t1]
    user@host# set then port-forwarding-mappings map-name translation-type translation-type

   In the following example, the port forwarding map name is map1, and the translation type is dnat-44.

    [edit services nat rule rule-dnat44 term t1]
    user@host# set then port-forwarding-mappings map1 translation-type dnat-44

8. Go to the [edit services nat port-forwarding map1] hierarchy level.

    [edit services nat]
    user@host# edit port-forwarding map1

9. Configure the mapping for port forwarding.

    [edit port-forwarding map1]
    user@host# set destined-port port-id
    user@host# set translated-port port-id

   In the following example, the destination port is 45 and the translated port is 23.

    [edit port-forwarding map1]
    user@host# set destined-port 23
    user@host# set translated-port 45

   NOTE:
   • Multiple port mappings are supported with port forwarding. Up to 32 port maps can be configured for port forwarding.
   • The destination port should not overlap the port range configured for NAT.

10. Verify the configuration by using the show command at the [edit services nat] hierarchy level.

    [edit services]
    user@host# show
    nat {
        pool dest-pool {
            address 4.1.1.2/32;
        }
        rule rule-dnat44 {
            match-direction input;
            term t1 {
                from {
                    destination-address {
                        20.20.20.20/32;
                    }
                    destination-port {
                        range low 20 high 50;
                    }
                }
                then {
                    port-forwarding-mappings map1;
                    translated {
                        destination-pool dest-pool;
                        translation-type {
                            dnat-44;
                        }
                    }
                }
            }
        }
        port-forwarding map1 {
            destined-port 45;
            translated-port 23;
        }
    }

   NOTE:
   • A similar configuration is possible with twice NAT for IPv4. See “Example: Configuring Port Forwarding with Twice NAT” on page 215.
   • Port forwarding and stateful firewall can be configured together. Stateful firewall has precedence over port forwarding.

Related Documentation
• Example: Configuring Static Destination Address Translation on page 199

Configuring Translation Type for Translation Between IPv6 and IPv4 Networks

To configure the translation type as basic-nat-pt, you must configure the DNS ALG application, NAT pools and rules, a service set with a service interface, and trace options. This topic includes the following tasks:

1. Configuring the DNS ALG Application on page 182
2. Configuring the NAT Pool and NAT Rule on page 183
3. Configuring the Service Set for NAT on page 186
4. Configuring Trace Options on page 187

Configuring the DNS ALG Application

To configure the DNS ALG application:

1. In configuration mode, go to the [edit applications] hierarchy level.

    [edit]
    user@host# edit applications

2. Configure the ALG to which the DNS traffic is destined at the [edit applications] hierarchy level. Define the application name and specify the application protocol to use in match conditions in the first NAT rule or term.

    [edit applications]
    user@host# set application application-name application-protocol application-protocol

   In the following example, the application name is dns-alg and the application protocol is dns.

    [edit applications]
    user@host# set application dns-alg application-protocol dns

3. Verify the configuration by using the show command at the [edit applications] hierarchy level.

    [edit applications]
    user@host# show
    application dns-alg {
        application-protocol dns;
    }

Configuring the NAT Pool and NAT Rule

To configure the NAT pool and NAT rule:

1. In configuration mode, go to the [edit services nat] hierarchy level.

    [edit]
    user@host# edit services nat

2. Configure the NAT pool and its address.

    [edit services nat]
    user@host# set pool pool-name address address

   In the following example, the name of the NAT pool is p1 and the address is 10.1.1.2/32.

    [edit services nat]
    user@host# set pool p1 address 10.1.1.2/32

3. Configure the source pool and its address.

    [edit services nat]
    user@host# set pool source-pool-name address address

   In the following example, the name of the source pool is src_pool0 and the source pool address is 20.1.1.1/32.

    [edit services nat]
    user@host# set pool src_pool0 address 20.1.1.1/32

4. Configure the destination pool and its address.

    [edit services nat]
    user@host# set pool destination-pool-name address address

   In the following example, the name of the destination pool is dst_pool0 and the destination pool address is 50.1.1.2/32.

    [edit services nat]
    user@host# set pool dst_pool0 address 50.1.1.2/32

5. Configure the rule and the match direction.

    [edit services nat]
    user@host# set rule rule-name match-direction match-direction

   In the following example, the rule name is rule-basic-nat-pt and the match direction is input.

    [edit services nat]
    user@host# set rule basic-nat-pt match-direction input

6. Configure the term and the input conditions for the NAT term.

    [edit services nat]
    user@host# set rule rule-basic-nat-pt term term from from

   In the following example, the term is t1 and the input conditions are source-address 2000::2/128, destination-address 4000::2/128, and applications dns_alg.

    [edit services nat]

    user@host# set rule rule-basic-nat-pt term t1 from source-address 2000::2/128
    [edit services nat]
    user@host# set rule rule-basic-nat-pt term t1 from destination-address 4000::2/128
    [edit services nat]
    user@host# set rule rule-basic-nat-pt term t1 from applications dns_alg

7. Configure the NAT term action and the properties of the translated traffic.

    [edit services nat]
    user@host# set rule rule-basic-nat-pt term t1 then term-action translated-property

   In the following example, the term action is translated and the properties of the translated traffic are source-pool src_pool0, destination-pool dst_pool0, and dns-alg-prefix 10:10:10::0/96.

    [edit services nat]
    user@host# set rule rule-basic-nat-pt term t1 then translated source-pool src_pool0
    [edit services nat]
    user@host# set rule rule-basic-nat-pt term t1 then translated destination-pool dst_pool0
    [edit services nat]
    user@host# set rule rule-basic-nat-pt term t1 then translated dns-alg-prefix 10:10:10::0/96

8. Configure the translation type.

    [edit services nat]
    user@host# set rule rule-basic-nat-pt term t1 then translated translation-type translation-type

   In the following example, the translation type is basic-nat-pt.

    [edit services nat]
    user@host# set rule rule-basic-nat-pt term t1 then translated translation-type basic-nat-pt

9. Configure another term and the input conditions for the NAT term.

    [edit services nat]
    user@host# set rule rule-basic-nat-pt term term-name from from

   In the following example, the term name is t2 and the input conditions are source-address 2000::2/128 and destination-address 10:10:10::0/96.

    [edit services nat]
    user@host# set rule rule-basic-nat-pt term t2 from source-address 2000::2/128
    [edit services nat]
    user@host# set rule rule-basic-nat-pt term t2 from destination-address 10:10:10::0/96

10. Configure the NAT term action and the property of the translated traffic.

    [edit services nat]
    user@host# set rule rule-basic-nat-pt term t2 then term-action translated-property

   In the following example, the term action is translated and the property of the translated traffic is source-prefix 19.19.19.1/32.

    [edit services nat]
    user@host# set rule rule-basic-nat-pt term t2 then translated source-prefix 19.19.19.1/32

11. Configure the translation type.

    [edit services nat]
    user@host# set rule rule-basic-nat-pt term t2 then translated translation-type translation-type

   In the following example, the translation type is basic-nat-pt.

    [edit services nat]
    user@host# set rule rule-basic-nat-pt term t2 then translated translation-type basic-nat-pt

12. Verify the configuration by using the show command at the [edit services nat] hierarchy level.

    [edit services nat]
    user@host# show
    pool p1 {
        address 10.1.1.2/32;
    }
    pool src_pool0 {
        address 20.1.1.1/32;
    }
    pool dst_pool0 {
        address 50.1.1.2/32;
    }
    rule rule-basic-nat-pt {
        match-direction input;
        term t1 {
            from {
                source-address {
                    2000::2/128;
                }
                destination-address {
                    4000::2/128;
                }
                applications dns_alg;
            }
            then {
                translated {
                    source-pool src_pool0;
                    destination-pool dst_pool0;
                    dns-alg-prefix 10:10:10::0/96;
                    translation-type {
                        basic-nat-pt;
                    }
                }
            }
        }
        term t2 {
            from {
                source-address {
                    2000::2/128;
                }
                destination-address {
                    10:10:10::0/96;
                }
            }
            then {
                translated {
                    source-prefix 19.19.19.1/32;

                    translation-type {
                        basic-nat-pt;
                    }
                }
            }
        }
    }

Configuring the Service Set for NAT

To configure the service set for NAT:

1. In configuration mode, go to the [edit services] hierarchy level.

    [edit]
    user@host# edit services

2. Configure the service set.

    [edit services]
    user@host# edit service-set service-set-name

   In the following example, the name of the service set is ss_dns.

    [edit services]
    user@host# edit service-set ss_dns

3. Configure the service set with NAT rules.

    [edit services service-set ss_dns]
    user@host# set nat-rules rule-name

   In the following example, the rule name is rule-basic-nat-pt.

    [edit services service-set ss_dns]
    user@host# set nat-rules rule-basic-nat-pt

4. Configure the service interface.

    [edit services service-set ss_dns]
    user@host# set interface-service service-interface service-interface-name

   In the following example, the name of the service interface is sp-1/2/0.

    [edit services service-set ss_dns]
    user@host# set interface-service service-interface sp-1/2/0

5. Verify the configuration by using the show services command from the [edit] hierarchy level.

    [edit]
    user@host# show services
    service-set ss_dns {
        nat-rules rule-basic-nat-pt;
        interface-service {
            service-interface sp-1/2/0;
        }
    }

Configuring Trace Options

To configure the trace options at the [edit services adaptive-services-pics] hierarchy level:

1. In configuration mode, go to the [edit services adaptive-services-pics] hierarchy level.

    [edit]
    user@host# edit services adaptive-services-pics

2. Configure the trace options.

    [edit services adaptive-services-pics]
    user@host# set traceoptions flag tracing-parameter

   In the following example, the tracing parameter is all.

    [edit services adaptive-services-pics]
    user@host# set traceoptions flag all

3. Verify the configuration by using the show command at the [edit services] hierarchy level.

    [edit services]
    user@host# show
    adaptive-services-pics {
        traceoptions {
            flag all;
        }
    }

Configuring NAT-PT

To configure Network Address Translation–Protocol Translation (NAT-PT), you must configure a Domain Name System application-level gateway (DNS ALG) application to map addresses returned in the DNS response to an IPv6 address. DNS ALG is used with NAT-PT to facilitate name-to-address mapping. When configuring NAT-PT, network address translation can either be an address-only translation or an address and port translation. The Junos OS implementation is described in RFC 2766 and RFC 2694.

Before you begin configuring NAT-PT with DNS ALG, you must have the following configured:

• NAT with two rules, or one rule and two terms. The first NAT rule or term ensures that the DNS query and response packets are translated correctly. For this rule to work, you must configure a DNS ALG application and reference it in the first rule. The second rule or term is required to ensure that NAT sessions are destined to the address mapped by the DNS ALG application.
• A service set that references the first NAT rule or term and a multiservices interface.

To configure NAT-PT with DNS ALG:

1. Configure the DNS session that processes packets to the DNS server:

   a. Configure the ALG to which the DNS traffic is destined at the [edit applications] hierarchy level. Define the application name and specify the application protocol to use in match conditions in the first NAT rule or term.

       [edit applications]
       user@host# set application application-name application-protocol application-protocol

      For example:

       [edit applications]
       user@host# set application dns_alg application-protocol dns

   b. Reference the ALG in the first NAT rule or term.

       [edit services nat rule rule-name term term-name]
       user@host# set from applications application-name

      In the following example, the application name is dns_alg.

       [edit services nat rule rule1 term term1]
       user@host# set from applications dns_alg

   c. Define the DNS ALG pool or prefix for mapping IPv4 addresses to IPv6 addresses.

       [edit services nat rule rule-name term term-name]
       user@host# set then translated dns-alg-prefix dns-alg-prefix
       user@host# set then translated dns-alg-pool dns-alg-pool

      The following example shows the configuration of the 96-bit prefix for mapping IPv4 addresses to IPv6 addresses.

       [edit services nat rule rule1 term term1]
       user@host# set then translated dns-alg-prefix 10:10:10::0/96

   The following sample output shows the minimum configuration of the application.

       [edit applications]
       user@host# show
       application dns_alg {
           application-protocol dns;
       }

   The following sample output shows the minimum configuration of the first NAT rule.

       [edit services nat]
       user@host# show
       rule rule1 {
           term term1 {
               from {
                   applications dns_alg;
               }
               then {
                   translated {
                       dns-alg-prefix 10:10:10::0/96;
                   }
               }
           }
       }
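The 96-bit dns-alg-prefix is what ties the two NAT rules together: the DNS ALG returns each IPv4 address from the server's answer embedded in the low 32 bits of the prefix, and the second rule or term matches on those mapped addresses (the sample output for the second rule below matches 10:10:10::c0a8:108/128). The following Python script is an added illustration, not Junos code or output, of that embedding and of the reverse extraction the translator performs; the same arithmetic applies to the destination-prefix 64:FF9B::/96 used in the stateful NAT64 procedure later in this chapter (64:ff9b::/96 is the well-known NAT64 prefix of RFC 6052). The prefixes and term names come from this chapter; the IPv4 addresses 192.168.1.8 and 203.0.113.10 and the function names are constructed for the example.

```python
"""IPv4-embedded IPv6 addresses behind a 96-bit NAT prefix (added illustration, not Junos code)."""
import ipaddress
from typing import Iterable, Optional, Tuple


def embed_ipv4(prefix: str, ipv4: str) -> str:
    """Place an IPv4 address in the low 32 bits of a /96 prefix, as the DNS ALG does
    when it rewrites an A record into the AAAA answer handed to the IPv6 client."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 96:
        raise ValueError("a /96 prefix is required so the IPv4 address fills exactly the low 32 bits")
    return str(ipaddress.IPv6Address(int(net.network_address) | int(ipaddress.IPv4Address(ipv4))))


def extract_ipv4(prefix: str, ipv6: str) -> str:
    """Recover the IPv4 destination from a mapped address, as the translator does for a
    packet whose destination falls inside the prefix; reject addresses outside it."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError(f"{ipv6} is not inside {prefix}; it would not be translated")
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFF_FFFF))


def matching_term(destination: str, terms: Iterable[Tuple[str, str]]) -> Optional[str]:
    """Name of the first term whose destination-address prefix covers the destination."""
    dst = ipaddress.IPv6Address(destination)
    for name, prefix in terms:
        if dst in ipaddress.IPv6Network(prefix, strict=False):
            return name
    return None


# Destination-address matches of the two terms of rule-basic-nat-pt in this chapter.
NAT_PT_TERMS = [("t1", "4000::2/128"), ("t2", "10:10:10::0/96")]


def nat_pt_walkthrough() -> dict:
    """Follow one IPv4 server (constructed: 192.168.1.8) through the NAT-PT rule."""
    mapped = embed_ipv4("10:10:10::0/96", "192.168.1.8")   # the AAAA answer the ALG builds
    return {
        "aaaa_answer": mapped,
        "term_for_dns_server": matching_term("4000::2", NAT_PT_TERMS),
        "term_for_mapped_destination": matching_term(mapped, NAT_PT_TERMS),
        "ipv4_destination": extract_ipv4("10:10:10::0/96", mapped),
    }


def nat64_walkthrough() -> dict:
    """Same embedding with the well-known NAT64 prefix 64:ff9b::/96 (RFC 6052)."""
    mapped = embed_ipv4("64:FF9B::/96", "203.0.113.10")    # constructed IPv4 server
    return {"mapped": mapped, "ipv4": extract_ipv4("64:FF9B::/96", mapped)}


if __name__ == "__main__":
    print(nat_pt_walkthrough())
    print(nat64_walkthrough())
```

Running it shows the DNS session to 4000::2 hitting term t1 while the client's follow-up session to 10:10:10::c0a8:108 hits term t2, and it recovers 192.168.1.8 from that mapped address. The prefix-length check matters operationally: a dns-alg-prefix or destination-prefix that is not a /96 leaves no room for the embedded IPv4 address, and an IPv6 destination outside the prefix is never translated, which is why the second term must match the whole /96.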

   The following sample output shows the minimum configuration of the second NAT rule.

       [edit services nat]
       user@host# show
       rule rule2 {
           term term1 {
               from {
                   destination-address {
                       10:10:10::c0a8:108/128;
                   }
               }
               then {
                   translated {
                       source-prefix 19.19.19.1/32;
                   }
               }
           }
       }

Related Documentation
• Network Address Translation Overview on page 48
• Example: Configuring NAT-PT on page 202
• dns-alg-prefix on page 246
• dns-alg-pool on page 246

Configuring Dynamic Source Address and Static Destination Address Translation (IPv6 to IPV4)

Stateful NAT64 is a mechanism to move to an IPv6 network and at the same time deal with IPv4 address depletion. By allowing IPv6-only clients to contact IPv4 servers using unicast UDP, TCP, or ICMP, stateful NAT64 translates incoming IPv6 packets into IPv4, and vice versa. Several IPv6-only clients can share the same public IPv4 server address.

To configure stateful NAT64, you must configure a rule at the [edit services nat] hierarchy level for translating the source address dynamically and the destination address statically.

To configure stateful NAT64:

1. In configuration mode, go to the [edit services nat] hierarchy level:

    [edit]
    user@host# edit services nat

2. Define the pool of source addresses to be used for dynamic translation.

    [edit services nat]
    user@host# set pool pool-name address source-addresses
    user@host# set pool pool-name port source-ports

   For example:

    [edit services nat]
    user@host# set pool src-pool-nat64 address 203.0.113.0/24
    user@host# set pool src-pool-nat64 port automatic

3. Define a NAT rule for translating the source addresses. Set the match-direction statement of the rule as input. Then define a term that uses stateful-nat64 as the translation type for translating the addresses of the pool defined in the previous step.

    [edit services nat]
    user@host# set rule rule-name match-direction input
    user@host# set rule rule-name term term-name from source-address source-address
    user@host# set rule rule-name term term-name from destination-address destination-address
    user@host# set rule rule-name term term-name then translated source-pool pool-name
    user@host# set rule rule-name term term-name then translated destination-prefix destination-prefix
    user@host# set rule rule-name term term-name then translated translation-type stateful-nat64

   For example:

    [edit services nat]
    user@host# set rule stateful-nat64 match-direction input
    user@host# set rule stateful-nat64 term t1 from source-address 2001:DB8::0/96
    user@host# set rule stateful-nat64 term t1 from destination-address 64:FF9B::/96
    user@host# set rule stateful-nat64 term t1 then translated source-pool src-pool-nat64
    user@host# set rule stateful-nat64 term t1 then translated destination-prefix 64:FF9B::/96
    user@host# set rule stateful-nat64 term t1 then translated translation-type stateful-nat64

Related Documentation
• Example: Configuring Dynamic Source Address and Static Destination Address Translation (IPv6 to IPV4) on page 201

Configuring Port Forwarding for Static Destination Address Translation

Starting with Junos OS Release 11.4, you can map an external IP address and port with an IP address and port in a private network. This allows the destination address and port of a packet to be changed to reach the right host in a Network Address Translation (NAT) gateway.

Port forwarding is supported only with dnat-44 and twice-napt-44 on IPv4 networks. Port forwarding works only with the FTP application-level gateway (ALG). Port forwarding is not supported with endpoint-independent mapping (EIM), endpoint-independent filtering (EIF), or address pooling-paired (AP-P). Port forwarding has no support for technologies such as IPv6 rapid deployment (6rd) and dual-stack lite (DS-Lite) that offer IPv6 services over IPv4 infrastructure.

To configure destination address translation in IPv4 networks:

1. In configuration mode, go to the [edit services nat] hierarchy level.

    [edit]
    user@host# edit services nat

2. Configure the NAT pool with an address.

   [edit services nat]
   user@host# set pool pool-name address address

   In the following example, dest-pool is used as the pool name and 4.1.1.2 as the address.

   [edit services nat]
   user@host# set pool dest-pool address 4.1.1.2

3. Configure the rule, match direction, term, and destination address.

   [edit services nat]
   user@host# set rule rule-name match-direction match-direction term term-name from destination-address address

   In the following example, the name of the rule is rule-dnat44, the match direction is input, the name of the term is t1, and the address is 20.1.1.20.

   [edit services nat]
   user@host# set rule rule-dnat44 match-direction input term t1 from destination-address 20.1.1.20

4. Configure the destination port range.

   [edit services nat]
   user@host# set rule rule-name match-direction match-direction term term-name from destination-port range range high high | low low

   In the following example, the upper port range is 50 and the lower port range is 20.

   [edit services nat]
   user@host# set rule rule-dnat44 match-direction input term t1 from destination-port range range high 50 low 20

5. Go to the [edit services nat rule rule-dnat44 term t1] hierarchy level.

   [edit services nat]
   user@host# edit rule rule-dnat44 term t1

6. Configure the destination pool.

   [edit services nat rule rule-dnat44 term t1]
   user@host# set then translated destination-pool dest-pool-name

   In the following example, the destination pool name is dest-pool.

   [edit services nat rule rule-dnat44 term t1]
   user@host# set then translated destination-pool dest-pool

7. Configure the mapping for port forwarding and the translation type.

   [edit services nat rule rule-dnat44 term t1]
   user@host# set then port-forwarding-mappings map-name translation-type translation-type

   In the following example, the port forwarding map name is map1, and the translation type is dnat-44.

   [edit services nat rule rule-dnat44 term t1]
   user@host# set then port-forwarding-mappings map1 translation-type dnat-44

8. Go to the [edit services nat port-forwarding map1] hierarchy level.

   [edit services nat]
   user@host# edit port-forwarding map1

9. Configure the mapping for port forwarding.

   [edit port-forwarding map1]
   user@host# set destined-port port-id
   user@host# set translated-port port-id

   In the following example, the destination port is 45 and the translated port is 23.

   [edit port-forwarding map1]
   user@host# set destined-port 45
   user@host# set translated-port 23

10. Verify the configuration by using the show command at the [edit services nat] hierarchy level.

   [edit services]
   user@host# show
   nat {
       pool dest-pool {
           address 4.1.1.2/32;
       }
       rule rule-dnat44 {
           match-direction input;
           term t1 {
               from {
                   destination-address {
                       20.1.1.20/32;
                   }
                   destination-port {
                       range low 20 high 50;
                   }
               }
               then {
                   port-forwarding-mappings map1;
                   translated {
                       destination-pool dest-pool;
                       translation-type {
                           dnat-44;
                       }
                   }
               }
           }
       }
       port-forwarding map1 {
           destined-port 45;
           translated-port 23;
       }
   }

NOTE:
• Multiple port mappings are supported with port forwarding. Up to 32 port maps can be configured for port forwarding.
• The destination port should not overlap the port range configured for NAT.

• Stateful firewall has precedence over port forwarding. Port forwarding and stateful firewall can be configured together.
• A similar configuration is possible with twice NAT for IPv4. See "Example: Configuring Port Forwarding with Twice NAT" on page 215.

Related Documentation
• Example: Configuring Static Destination Address Translation on page 199

Examples: Configuring NAT Rules

This section provides the following configuration examples. For additional examples that combine NAT configuration with other services and with virtual private network (VPN) routing and forwarding (VRF) tables, see Examples: Services Interfaces Configuration.

• Example: Configuring Static Source Translation on page 193
• Example: Configuring Dynamic Source Address and Port Translation on page 195
• Example: Configuring Dynamic Address-only Source Translation on page 197
• Example: Configuring Static Destination Address Translation on page 199
• Example: Configuring NAT in Mixed IPv4 and IPv6 Networks on page 199
• Example: Configuring Dynamic Source Address and Static Destination Address Translation (IPv6 to IPV4) on page 201
• Example: Configuring Source Dynamic and Destination Static Translation on page 201
• Example: Configuring NAT-PT on page 202
• Example: Configuring Port Forwarding with Twice NAT on page 215
• Example: Configuring an Oversubscribed Pool with Fallback to NAPT on page 216
• Example: Configuring an Oversubscribed Pool with No Fallback on page 217
• Example: Assigning Addresses from a Dynamic Pool for Static Use on page 217
• Example: Configuring NAT Rules Without Defining a Pool on page 218
• Example: Preventing Translation of Specific Addresses on page 219
• Example: Configuring NAT for Multicast Traffic on page 219

Example: Configuring Static Source Translation

• Example: Configuring Static Source Translation in an IPv4 Network on page 193
• Example: Configuring Static Source Translation in an IPv6 Network on page 194
• Example: Configuring Static Source Translation with Multiple Prefixes and Address Ranges on page 195

Example: Configuring Static Source Translation in an IPv4 Network

The following configuration sets up one-to-one mapping between a private subnet and a public subnet.

[edit]
user@host# show services
service-set s1 {
    nat-rules rule-basic-nat44;
    interface-service {
        service-interface sp-1/2/0;
    }
}
nat {
    pool src_pool {
        address 10.10.10.2/32;
    }
    rule rule-basic-nat44 {
        match-direction input;
        term t1 {
            from {
                source-address {
                    3.1.1.2/32;
                }
            }
            then {
                translated {
                    source-pool src_pool;
                    translation-type {
                        basic-nat44;
                    }
                }
            }
        }
    }
}
adaptive-services-pics {
    traceoptions {
        flag all;
    }
}

Example: Configuring Static Source Translation in an IPv6 Network

The following example configures the translation type as basic-nat66.

[edit]
user@host# show services
service-set s1 {
    nat-rules rule-basic-nat66;
    interface-service {
        service-interface ms-1/2/0;
    }
}
nat {
    pool src_pool {
        address 10.10.10.2/32;
    }
    rule rule-basic-nat66 {
        match-direction input;
        term t1 {
            from {
                source-address {
                    10:10:10::0/96;
                }
            }

            then {
                translated {
                    source-pool src_pool;
                    translation-type {
                        basic-nat66;
                    }
                }
            }
        }
    }
}
adaptive-services-pics {
    traceoptions {
        flag all;
    }
}

Example: Configuring Static Source Translation with Multiple Prefixes and Address Ranges

The following configuration creates a static pool with an address prefix and an address range and uses static source NAT translation.

[edit services nat]
pool p1 {
    address 30.30.30.252/30;
    address-range low 20.20.20.1 high 20.20.20.2;
}
rule r1 {
    match-direction input;
    term t1 {
        from {
            source-address {
                10.10.10.252/30;
            }
        }
        then {
            translated {
                source-pool p1;
                translation-type basic-nat44;
            }
        }
    }
}

Example: Configuring Dynamic Source Address and Port Translation

• Example: Configuring Dynamic Source Address and Port Translation (NAPT) for an IPv4 Network on page 196
• Example: Configuring Dynamic Source Translation for an IPv4 Network on page 196
• Example: Configuring Dynamic Source Address and Port Translation for an IPv6 Network on page 197
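The one-to-one mapping that basic-nat44 applies between a private prefix and a static pool can be modelled in a few lines. The following Python is an added illustration, not code from the Junos guide or from Junos itself; the helper names expand_pool and StaticSourceNat and the prefix, range and subnet values are constructed in the shape of the multiple-prefix example above. It shows how a pool built from an address statement plus an address-range statement expands into an ordered address list, how each private address is bound to exactly one pool address so that return traffic can be untranslated without per-flow state, and why a pool smaller than the private prefix should be rejected at configuration time rather than leaving some hosts untranslated.

```python
# Added example (not Junos code): a model of static (basic-nat44) source
# translation drawn from a pool that combines an address prefix with an
# address range. The prefix, range and subnet values are constructed in the
# shape of the "Multiple Prefixes and Address Ranges" example.
import ipaddress


def expand_pool(prefix=None, address_ranges=()):
    """Build the ordered address list of a static pool. 'prefix' mirrors the
    pool 'address' statement and each (low, high) pair mirrors an
    'address-range low ... high ...' statement; the order decides which pool
    address the n-th private address is mapped to."""
    addrs = []
    if prefix is not None:
        addrs.extend(str(a) for a in ipaddress.ip_network(prefix, strict=False))
    for low, high in address_ranges:
        lo, hi = int(ipaddress.ip_address(low)), int(ipaddress.ip_address(high))
        if hi < lo:
            raise ValueError(f"address-range low {low} is above high {high}")
        addrs.extend(str(ipaddress.ip_address(i)) for i in range(lo, hi + 1))
    return addrs


class StaticSourceNat:
    """One-to-one mapping of a private prefix onto a static pool. Because the
    mapping is fixed at configuration time it needs no per-flow state and can
    be inverted for return traffic; a pool smaller than the private prefix is
    rejected up front instead of silently leaving hosts untranslated."""

    def __init__(self, source_prefix, pool_addresses):
        self.sources = [str(a) for a in ipaddress.ip_network(source_prefix, strict=False)]
        if len(pool_addresses) < len(self.sources):
            raise ValueError(
                f"pool has {len(pool_addresses)} addresses but {source_prefix} "
                f"needs {len(self.sources)} for one-to-one translation")
        self.forward = dict(zip(self.sources, pool_addresses))
        self.reverse = {pub: priv for priv, pub in self.forward.items()}

    def translate(self, private_ip):
        """Public address for an outbound packet, or None when the rule's
        source-address does not match (the packet is left untranslated)."""
        return self.forward.get(private_ip)

    def untranslate(self, public_ip):
        """Private address for a return packet, or None if not a pool address."""
        return self.reverse.get(public_ip)


# Constructed values: a /30 prefix plus a two-address range, as in the example.
POOL_P1 = expand_pool("30.30.30.252/30", [("20.20.20.1", "20.20.20.2")])
RULE_R1 = StaticSourceNat("10.10.10.252/30", POOL_P1)
```

The pool expands to six addresses (four from the /30 prefix, two from the range), which is enough for the four addresses of the private /30; mapping a /24 onto the same pool raises at construction time.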

Example: Configuring Dynamic Source Address and Port Translation (NAPT) for an IPv4 Network

The following example configures dynamic source (address and port) translation, or NAPT.

[edit services nat]
pool public {
    address-range low 192.16.2.1 high 192.16.2.32;
    port automatic;
}
rule Private-Public {
    match-direction input;
    term Translate {
        then {
            translated {
                source-pool public;
                translation-type napt-44;
            }
        }
    }
}

NOTE: The only difference between the configurations for dynamic address-only source translation and NAPT is the inclusion of the port statement for NAPT.

Example: Configuring Dynamic Source Translation for an IPv4 Network

The following example configures the translation type as napt-44.

[edit services]
user@host# show
service-set s1 {
    nat-rules rule-napt-44;
    interface-service {
        service-interface ms-0/1/0;
    }
}
nat {
    pool napt-pool {
        address 10.10.10.0/32;
        port {
            automatic;
        }
    }
    rule rule-napt-44 {
        match-direction input;
        term t1 {
            then {
                translated {
                    source-pool napt-pool;
                    translation-type {
                        napt-44;
                    }
                }
            }
        }
    }
}

adaptive-services-pics {
    traceoptions {
        flag all;
    }
}

Example: Configuring Dynamic Source Address and Port Translation for an IPv6 Network

The following example configures dynamic source (address and port) translation, or NAPT, for an IPv6 network.

[edit services]
user@host# show
service-set IPV6-NAPT-ServiceSet {
    nat-rules IPV6-NAPT-Rule;
    interface-service {
        service-interface ms-0/1/0;
    }
}
nat {
    pool IPV6-NAPT-Pool {
        address 2002::1/96;
        port automatic;
    }
    rule IPV6-NAPT-Rule {
        match-direction input;
        term term1 {
            then {
                translated {
                    source-pool IPV6-NAPT-Pool;
                    translation-type {
                        napt-66;
                    }
                }
            }
        }
    }
}
adaptive-services-pics {
    traceoptions {
        flag all;
    }
}

Example: Configuring Dynamic Address-only Source Translation

• Example: Configuring Dynamic Address-Only Source Translation on page 198
• Example: Configuring Dynamic Address-Only Source Translation in an IPv4 Network on page 198

Example: Configuring Dynamic Address-Only Source Translation

The following example configures dynamic address-only source translation.

[edit services nat]
pool public {
    address-range low 192.16.2.1 high 192.16.2.32;
}
rule Private-Public {
    match-direction input;
    term Translate {
        then {
            translated {
                source-pool public;
                translation-type dynamic-nat44;
            }
        }
    }
}

Example: Configuring Dynamic Address-Only Source Translation in an IPv4 Network

The following example configures the translation type as dynamic-nat44.

[edit services]
user@host# show
service-set s1 {
    nat-rules rule-dynamic-nat44;
    interface-service {
        service-interface ms-0/1/0;
    }
}
nat {
    pool source-dynamic-pool {
        address 10.1.1.0/24;
    }
    rule rule-dynamic-nat44 {
        match-direction input;
        term t1 {
            from {
                source-address {
                    3.1.2.0/24;
                }
            }
            then {
                translated {
                    source-pool source-dynamic-pool;
                    translation-type {
                        dynamic-nat44;
                    }
                }
            }
        }
    }
}
adaptive-services-pics {
    traceoptions {
        flag all;
    }
}
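To make the note above concrete (the port statement is the only configuration difference between dynamic-nat44 and napt-44), here is an added Python model of both behaviours. It is not Junos code; the class SourceNatPool, the helper hosts_served, and the pool and client addresses are constructed for illustration. With port translation switched off, each private host holds one public address for as long as it has flows, so the pool is exhausted after as many hosts as it has addresses; with port automatic, flows are distinguished by public port and one public address serves many hosts, which is also why a log of NAPT translations must record the translated port, not just the address, to attribute a flow back to a host.

```python
# Added example (not Junos code): a toy model of the two source-translation
# types above, dynamic-nat44 (address only) and napt-44 (address and port),
# whose configurations differ only by the pool's port statement. The pool
# addresses and client traffic are constructed for illustration.
import ipaddress


class SourceNatPool:
    """Pool of public addresses handed out for source translation.
    port_automatic=False models dynamic-nat44: each private host holds one
    public address while it has flows and source ports are left unchanged.
    port_automatic=True models napt-44: flows are identified by address and
    port, so one public address serves many hosts."""

    def __init__(self, low, high, port_automatic=False, port_low=1024, port_high=65535):
        lo, hi = int(ipaddress.IPv4Address(low)), int(ipaddress.IPv4Address(high))
        self.addresses = [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]
        self.port_automatic = port_automatic
        self.port_range = range(port_low, port_high + 1)
        self.bindings = {}       # (private_ip, private_port) -> (public_ip, public_port)
        self.host_address = {}   # dynamic-nat44 only: private_ip -> public_ip
        self.ports_in_use = {a: set() for a in self.addresses}   # napt-44 only

    def translate(self, private_ip, private_port):
        """Return (public_ip, public_port) for a flow, or None if the pool
        cannot accommodate it. An existing flow keeps its binding."""
        key = (private_ip, private_port)
        if key in self.bindings:
            return self.bindings[key]
        if not self.port_automatic:
            public_ip = self.host_address.get(private_ip)
            if public_ip is None:
                free = [a for a in self.addresses if a not in self.host_address.values()]
                if not free:
                    return None          # every pool address is held by some host
                public_ip = free[0]
                self.host_address[private_ip] = public_ip
            self.bindings[key] = (public_ip, private_port)   # port is not rewritten
            return self.bindings[key]
        for public_ip in self.addresses:
            used = self.ports_in_use[public_ip]
            for port in self.port_range:
                if port not in used:
                    used.add(port)
                    self.bindings[key] = (public_ip, port)
                    return self.bindings[key]
        return None                      # all ports on all addresses are in use


def hosts_served(pool, n_hosts, flows_per_host=1):
    """Open flows_per_host flows from each of n_hosts private hosts (10.0.0.1,
    10.0.0.2, ...) and count the hosts whose flows all received a translation."""
    base = int(ipaddress.IPv4Address("10.0.0.1"))
    served = 0
    for h in range(n_hosts):
        private_ip = str(ipaddress.IPv4Address(base + h))
        if all(pool.translate(private_ip, 40000 + f) is not None for f in range(flows_per_host)):
            served += 1
    return served
```

With a two-address pool and port translation off, only two of five hosts get a translation; the same pool reduced to a single address with port automatic serves all five, each with several concurrent flows.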

Example: Configuring Static Destination Address Translation

The following example configures the translation type as dnat-44.

[edit services]
user@host# show
service-set s1 {
    nat-rules rule-dnat44;
    interface-service {
        service-interface ms-0/1/0;
    }
}
nat {
    pool dest-pool {
        address 4.1.1.2/32;
    }
    rule rule-dnat44 {
        match-direction input;
        term t1 {
            from {
                destination-address {
                    20.1.1.20/32;
                }
            }
            then {
                translated {
                    destination-pool dest-pool;
                    translation-type {
                        dnat-44;
                    }
                }
            }
        }
    }
}
adaptive-services-pics {
    traceoptions {
        flag all;
    }
}

Example: Configuring NAT in Mixed IPv4 and IPv6 Networks

• Example: Configuring the Translation Type Between IPv6 and IPv4 Networks on page 199

Example: Configuring the Translation Type Between IPv6 and IPv4 Networks

The following example configures the translation type as basic-nat-pt.

[edit]
user@host# show services
service-set ss_dns {
    nat-rules rule-basic-nat-pt;
    interface-service {
        service-interface sp-1/2/0;
    }
}

nat {
    pool p1 {
        address 10.10.10.2/32;
    }
    pool src_pool0 {
        address 20.1.1.2/32;
    }
    pool dst_pool0 {
        address 50.1.1.1/32;
    }
    rule rule-basic-nat-pt {
        match-direction input;
        term t1 {
            from {
                source-address {
                    2000::2/128;
                }
                destination-address {
                    4000::2/128;
                }
                applications dns_alg;
            }
            then {
                translated {
                    source-pool src_pool0;
                    destination-pool dst_pool0;
                    dns-alg-prefix 10:10:10::0/96;
                    translation-type {
                        basic-nat-pt;
                    }
                }
            }
        }
        term t2 {
            from {
                source-address {
                    2000::2/128;
                }
                destination-address {
                    10:10:10::0/96;
                }
            }
            then {
                translated {
                    source-prefix 19.19.19.1/32;
                    translation-type {
                        basic-nat-pt;
                    }
                }
            }
        }
    }
}
adaptive-services-pics {
    traceoptions {
        flag all;
    }
}

Example: Configuring Dynamic Source Address and Static Destination Address Translation (IPv6 to IPV4)

The following example configures dynamic source address (IPv6-to-IPv4) and static destination address (IPv6-to-IPv4) translation:

[edit services]
user@host# show
nat {
    pool src-pool-nat64 {
        address 203.0.113.0/24;
        port {
            automatic;
        }
    }
    rule stateful-nat64 {
        match-direction input;
        term t1 {
            from {
                source-address {
                    2001:db8::0/96;
                }
                destination-address {
                    64:ff9b::/96;
                }
            }
            then {
                translated {
                    source-pool src-pool-nat64;
                    destination-prefix 64:ff9b::/96;
                    translation-type {
                        stateful-nat64;
                    }
                }
            }
        }
    }
}

Example: Configuring Source Dynamic and Destination Static Translation

In the following configuration, term1 configures source address translation for traffic from any private address to any public address. term2 performs destination address translation for Hypertext Transfer Protocol (HTTP) traffic from any public address to the server's virtual IP address. The virtual server IP address is translated to an internal IP address. The translation is applied for all services.

[edit services nat]
rule my-nat-rule {
    match-direction input;
    term my-term1 {
        from {
            source-address private;
            destination-address public;
        }
        then {
            translated {

                source-pool my-pool;                # pick address from a pool
                translation-type napt-44;           # dynamic NAT with port translation
            }
        }
    }
    term my-term2 {
        from {
            destination-address 192.168.137.3;      # my server's virtual address
            application http;
        }
        then {
            translated {
                destination-pool nat-pool-name;
                translation-type dnat-44;           # static destination NAT
            }
        }
    }
}

Example: Configuring NAT-PT

A Domain Name System application-level gateway (DNS ALG) is used with Network Address Translation-Protocol Translation (NAT-PT) to facilitate name-to-address mapping. You can configure the DNS ALG to map addresses returned in the DNS response to an IPv6 address. When you configure NAT-PT with DNS ALG support, you must configure two NAT rules or one rule with two terms. The first NAT rule ensures that the DNS query and response packets are translated correctly. For this rule to work, you must configure a DNS ALG application and reference it in the rule. The second rule is required to ensure that NAT sessions are destined to the address mapped by the DNS ALG. In this example, you configure two rules. Then, you must configure a service set, and then apply the service set to the interfaces.

This example describes how to configure NAT-PT with DNS ALG:

• Requirements on page 202
• Overview and Topology on page 202
• Configuration of NAT-PT with DNS ALGs on page 204

Requirements

This example uses the following hardware and software components:

• Junos OS Release 11.2
• A multiservices interface (ms-)

Overview and Topology

The following scenario shows the process of NAT-PT with DNS ALG when a laptop in an IPv6-only domain requests access to a server in an IPv4-only domain.

Figure 6: Configuring DNS ALGs with NAT-PT Network Topology

[Figure: the IPv6 domain (laptop address 2000::2/128) on one side, the Juniper Networks router performing NAT with the DNS ALG in the center, and the IPv4 domain (DNS server 50.1.1.1, www.example.com = 1.1.1.1) on the other side. The figure shows a DNS ALG session and an http session with the following packet headers (SA = source address, DA = destination address):
Laptop to DNS server: SA 2000::2/128, DA 4000::2/128, payload: request AAAA record for www.example.com.
Step 1: SA 2000::2/128 translated to 40.1.1.1/32; DA 4000::2/128 translated to 50.1.1.1/32; payload: the AAAA request is translated to an A request.
DNS server to laptop: SA 50.1.1.1/32, DA 40.1.1.1/32, payload: A response www.example.com = 1.1.1.1.
Step 2: SA 50.1.1.1/32 translated to 4000::2/128; DA 40.1.1.1/32 translated to 2000::2/128; payload: the A response translated to an IPv6 address.
Step 3: SA 2000::2/128 translated to 40.1.1.1/32; DA 10:10:10::1.1.1.1 (the IPv4 server address inside the 96-bit prefix) translated to 1.1.1.1/32.]

The Juniper Networks router in the center of the illustration performs address translation in two steps. When the laptop requests a session with the www.example.com server that is in an IPv4-only domain, the Juniper Networks router performs the following:

• Translates the IPv6 laptop and DNS server addresses into IPv4 addresses.
• Translates the AAAA request from the laptop into an A request so that the DNS server can provide the IPv4 address.

When the DNS server responds to the A request, the Juniper Networks router performs the following:

• Translates the IPv4 DNS server address back into an IPv6 address.
• Translates the A response back into a AAAA response so that the laptop now has the 96-bit IPv6 address of the www.example.com server.

After the laptop receives the IPv6 version of the www.example.com server address, the laptop initiates a second session using the 96-bit IPv6 address to access that server. The Juniper Networks router performs the following:

• Translates the laptop IPv6 address directly into its IPv4 address.
• Translates the 96-bit IPv6 www.example.com server address into its IPv4 address.
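The 96-bit prefix mapping that the DNS ALG performs here is the same operation as the destination-prefix 64:ff9b::/96 used by stateful NAT64 earlier in this chapter: the IPv4 address occupies the low 32 bits of the IPv6 address, so the router can recover it from any packet sent to the synthesized address. The following Python is an added example, not code from the Junos guide or from Junos; the functions embed_ipv4, extract_ipv4, dns_alg_outbound, dns_alg_inbound and translate_data_session, the dictionary shapes used for DNS messages, and the server address 192.0.2.33 are constructed, while the prefixes 10:10:10::/96 and 64:ff9b::/96 and the addresses 1.1.1.1 and 10:10:10::c0a8:108 come from the configurations in this chapter. It walks through the three steps of Figure 6 and shows that 10:10:10::c0a8:108, the destination-address matched by the second NAT rule of this example, decodes to 192.168.1.8.

```python
# Added example (not from the Junos guide): IPv4-in-IPv6 prefix mapping used by
# the stateful NAT64 destination-prefix (64:ff9b::/96) and by the NAT-PT
# dns-alg-prefix (10:10:10::/96), plus a model of the DNS ALG rewrite shown in
# Figure 6. Prefixes and 1.1.1.1 are from the guide; the rest is constructed.
import ipaddress

DNS_ALG_PREFIX = "10:10:10::/96"    # dns-alg-prefix from the NAT-PT example
NAT64_PREFIX = "64:ff9b::/96"       # destination-prefix from the NAT64 example


def embed_ipv4(prefix96, ipv4):
    """Return the IPv6 address formed by placing ipv4 in the low 32 bits of a
    /96 prefix. This is how the DNS ALG synthesizes the AAAA answer and how a
    NAT64 client addresses an IPv4 server."""
    net = ipaddress.IPv6Network(prefix96, strict=False)
    if net.prefixlen != 96:
        raise ValueError("prefix must be /96 so the whole IPv4 address fits")
    mapped = int(net.network_address) | int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(mapped))


def extract_ipv4(prefix96, ipv6):
    """Inverse of embed_ipv4: the IPv4 address carried in a prefix-mapped IPv6
    address, or None when the address lies outside the prefix (a rule that
    matches on the prefix would not select such a packet)."""
    net = ipaddress.IPv6Network(prefix96, strict=False)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        return None
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFF_FFFF))


def dns_alg_outbound(query):
    """Step 1 of Figure 6: the AAAA question from the IPv6-only client becomes
    an A question for the IPv4-only DNS server; other queries pass unchanged."""
    if query["qtype"] != "AAAA":
        return query
    return {"qname": query["qname"], "qtype": "A"}


def dns_alg_inbound(answer, dns_alg_prefix):
    """Step 2 of Figure 6: an A record in the server's reply is rewritten as a
    AAAA record whose address is the IPv4 address inside the 96-bit prefix."""
    if answer["rtype"] != "A":
        return answer
    return {"qname": answer["qname"], "rtype": "AAAA",
            "rdata": embed_ipv4(dns_alg_prefix, answer["rdata"])}


def translate_data_session(ipv6_dst, prefix96):
    """Step 3 of Figure 6 (and the NAT64 data path): the destination of the
    client's data session is mapped back to the real IPv4 server address."""
    return extract_ipv4(prefix96, ipv6_dst)


if __name__ == "__main__":
    # Constructed walk-through of the figure: the client asks for www.example.com.
    q = dns_alg_outbound({"qname": "www.example.com", "qtype": "AAAA"})
    a = dns_alg_inbound({"qname": "www.example.com", "rtype": "A", "rdata": "1.1.1.1"},
                        DNS_ALG_PREFIX)
    print(q, a, translate_data_session(a["rdata"], DNS_ALG_PREFIX))
```

Running the script prints the A question sent to the DNS server, the synthesized AAAA answer 10:10:10::101:101 handed to the laptop, and the server address 1.1.1.1 recovered when the laptop's data session arrives at the router.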

Configuration of NAT-PT with DNS ALGs

To configure NAT-PT with DNS ALG, perform the following tasks:

• Configuring the Application-Level Gateway on page 204
• Configuring the NAT Pools on page 205
• Configuring the DNS Server Session: First NAT Rule on page 206
• Configuring the HTTP Session: Second NAT Rule on page 209
• Configuring the Service Set on page 211
• Configuring the Stateful Firewall Rule on page 212
• Configuring Interfaces on page 213

Configuring the Application-Level Gateway

Step-by-Step Procedure

Configure the DNS application as the ALG to which the DNS traffic is destined. To configure the DNS application:

1. In configuration mode, go to the [edit applications] hierarchy level:

   user@host# edit applications

2. Define the application name and specify the application protocol to use in match conditions in the first NAT rule.

   [edit applications]
   user@host# set application application-name application-protocol protocol-name

   For example:

   [edit applications]
   user@host# set application dns_alg application-protocol dns

3. Specify the protocol to match, in this case UDP. When you configure the DNS application protocol, you must specify the UDP protocol as the network protocol to match in the application definition. The DNS application protocol closes the DNS flow as soon as the DNS response is received.

   [edit applications]
   user@host# set application application-name protocol type

   For example:

   [edit applications]
   user@host# set application dns_alg protocol udp

4. Define the UDP destination port for additional packet matching, in this case the domain port.

   [edit applications]
   user@host# set application application-name destination-port value

   For example:

   [edit applications]
   user@host# set application dns_alg destination-port 53

Results

[edit applications]
user@host# show
application dns_alg {
    application-protocol dns;
    protocol udp;
    destination-port 53;
}

Configuring the NAT Pools

Step-by-Step Procedure

In this configuration, you configure two pools that define the addresses (or prefixes) used for NAT. These pools define the IPv4 addresses that are translated into IPv6 addresses. The first pool includes the IPv4 address of the source. The second pool defines the IPv4 address of the DNS server.

To configure NAT pools:

1. In configuration mode, go to the [edit services nat] hierarchy level.

   user@host# edit services nat

2. Specify the name of the first pool and the IPv4 source address (laptop).

   [edit services nat]
   user@host# set pool nat-pool-name address ip-prefix

   For example:

   [edit services nat]
   user@host# set pool pool1 address 40.1.1.1/32

3. Specify the name of the second pool and the IPv4 address of the DNS server.

   [edit services nat]
   user@host# set pool nat-pool-name address ip-prefix

   For example:

   [edit services nat]
   user@host# set pool pool2 address 50.1.1.1/32

Results

The following sample output shows the configuration of NAT pools:

[edit services nat]
user@host# show
pool pool1 {
    address 40.1.1.1/32;
}
pool pool2 {
    address 50.1.1.1/32;
}

Configuring the DNS Server Session: First NAT Rule

Step-by-Step Procedure

The first NAT rule is applied to DNS traffic going to the DNS server. This rule ensures that the DNS query and response packets are translated correctly. For this rule to work, you must configure a DNS ALG application and reference it in the rule. The DNS application was configured in "Configuring the DNS ALG Application" on page 182. In addition, you must specify the direction in which traffic is matched, the source address of the laptop, the destination address of the DNS server, and the actions to take when the match conditions are met.

To configure the first NAT rule:

1. In configuration mode, go to the [edit services nat] hierarchy level.

   user@host# edit services nat

2. Specify the name of the NAT rule.

   [edit services nat]
   user@host# edit rule rule-name

   For example:

   [edit services nat]
   user@host# edit rule rule1

3. Specify the name of the NAT term.

   [edit services nat rule rule-name]
   user@host# edit term term-name

   For example:

   [edit services nat rule rule1]
   user@host# edit term term1

4. Define the match conditions for this rule.

   • Specify the IPv6 source address of the device (laptop) attempting to access an IPv4 address.

     [edit services nat rule rule-name term term-name]
     user@host# set from source-address source-address

     For example:

     [edit services nat rule rule1 term term1]
     user@host# set from source-address 2000::2/128

   • Specify the IPv6 destination address of the DNS server.

     [edit services nat rule rule-name term term-name]
     user@host# set from destination-address prefix

     For example:

     [edit services nat rule rule1 term term1]
     user@host# set from destination-address 4000::2/128

   • Reference the DNS application to which the DNS traffic destined for port 53 is applied.

     [edit services nat rule rule1 term term1]
     user@host# set from applications application-name

     In this example, the application name configured in the Configuring the DNS Application step is dns_alg:

     [edit services nat rule rule1 term term1]
     user@host# set from applications dns_alg

5. Define the actions to take when the match conditions are met. The source and destination pools you configured in Configuring the NAT Pools are applied here.

   • Apply the NAT pool configured for source translation.

     [edit services nat rule rule-name term term-name]
     user@host# set then translated source-pool nat-pool-name

     For example:

     [edit services nat rule rule1 term term1]
     user@host# set then translated source-pool pool1

   • Apply the NAT pool configured for destination translation.

     [edit services nat rule rule-name term term-name]
     user@host# set then translated destination-pool nat-pool-name

     For example:

     [edit services nat rule rule1 term term1]
     user@host# set then translated destination-pool pool2

6. Define the DNS ALG 96-bit prefix for IPv4-to-IPv6 address mapping.

   [edit services nat rule rule-name term term-name]
   user@host# set then translated dns-alg-prefix dns-alg-prefix

   For example:

   [edit services nat rule rule1 term term1]
   user@host# set then translated dns-alg-prefix 10:10:10::0/96

7. Specify the type of NAT used for source and destination traffic.

   [edit services nat rule rule-name term term-name]
   user@host# set then translated translation-type basic-nat-pt

   For example:

   [edit services nat rule rule1 term term1]
   user@host# set then translated translation-type basic-nat-pt

   NOTE: In this example, the basic-nat-pt translation type is used, since NAT is achieved using address-only translation. To achieve NAT using address and port translation (NAPT), use the napt-pt translation type.

8. Specify the direction in which to match traffic that meets the rule conditions.

   [edit services nat rule rule-name]
   user@host# set match-direction (input | output)

   For example:

   [edit services nat rule rule1]
   user@host# set match-direction input

9. Configure system logging to record information from the services interface to the /var/log directory.

   [edit services nat rule rule-name term term-name]
   user@host# set then syslog

   For example:

   [edit services nat rule rule1 term term1]
   user@host# set then syslog

Results

The following sample output shows the configuration of the first NAT rule that goes to the DNS server.

[edit services nat]
user@host# show
rule rule1 {
    match-direction input;
    term term1 {
        from {
            source-address {
                2000::2/128;
            }
            destination-address {
                4000::2/128;
            }
            applications dns_alg;
        }
        then {
            translated {
                source-pool pool1;
                destination-pool pool2;
                dns-alg-prefix 10:10:10::0/96;
                translation-type {
                    basic-nat-pt;
                }
            }
            syslog;
        }
    }
}

Configuring the HTTP Session: Second NAT Rule

Step-by-Step Procedure

The second NAT rule is applied to destination traffic going to the IPv4 server www.example.com. This rule ensures that NAT sessions are destined to the address mapped by the DNS ALG. For this rule to work, you must configure the DNS ALG address map that correlates the DNS query or response processing done by the first rule with the actual data sessions processed by the second rule. In addition, you must specify the direction in which traffic is matched, the IPv4 address for the IPv6 source address (laptop), the 96-bit prefix to prepend to the IPv4 destination address (www.example.com), and the translation type.

To configure the second NAT rule:

1. In configuration mode, go to the following hierarchy level.

   user@host# edit services nat

2. Specify the name of the NAT rule and term.

   [edit services nat]
   user@host# edit rule rule-name term term-name

   For example:

   [edit services nat]
   user@host# edit rule rule2 term term1

3. Define the match conditions for this rule:

   • Specify the IPv6 address of the device attempting to access the IPv4 server.

     [edit services nat rule rule-name term term-name]
     user@host# set from source-address source-address

     For example:

     [edit services nat rule rule2 term term1]
     user@host# set from source-address 2000::2/128

   • Specify the 96-bit IPv6 prefix to prepend to the IPv4 server address.

     [edit services nat rule rule-name term term-name]
     user@host# set from destination-address prefix

     For example:

     [edit services nat rule rule2 term term1]
     user@host# set from destination-address 10:10:10::c0a8:108/128

4. Define the actions to take when the match conditions are met.

   • Specify the prefix for the translation of the IPv6 source address.

     [edit services nat rule rule-name term term-name]
     user@host# set then translated source-prefix source-prefix

     For example:

     [edit services nat rule rule2 term term1]
     user@host# set then translated source-prefix 19.19.19.1/32

5. Specify the type of NAT used for source and destination traffic.

   [edit services nat rule rule-name term term-name]
   user@host# set then translated translation-type basic-nat-pt

   For example:

   [edit services nat rule rule2 term term1]
   user@host# set then translated translation-type basic-nat-pt

   NOTE: In this example, the basic-nat-pt translation type is used, since NAT is achieved using address-only translation. To achieve NAT using address and port translation (NAPT), you must use the napt-pt translation type.

6. Specify the direction in which to match traffic that meets the conditions in the rule.

   [edit services nat rule rule-name]
   user@host# set match-direction (input | output)

   For example:

   [edit services nat rule rule2]
   user@host# set match-direction input

Results

The following sample output shows the configuration of the second NAT rule:

[edit services nat]
user@host# show
rule rule2 {
    match-direction input;
    term term1 {
        from {
            source-address {
                2000::2/128;
            }
            destination-address {
                10:10:10::c0a8:108/128;
            }
        }
        then {
            translated {
                source-prefix 19.19.19.1/32;
                translation-type {
                    basic-nat-pt;
                }
            }
        }
    }
}

Configuring the Service Set

Step-by-Step Procedure

This service set is an interface service set used as an action modifier across the entire services (ms-) interface. Stateful firewall and NAT rule sets are applied to traffic processed by the services interface.

To configure the service set:

1. In configuration mode, go to the [edit services] hierarchy level.

   user@host# edit services

2. Define a service set.

   [edit services]
   user@host# edit service-set service-set-name

   For example:

   [edit services]
   user@host# edit service-set ss

3. Specify properties that control how system log messages are generated for the service set.

   [edit services service-set ss]
   user@host# set syslog host local services severity-level

   The example below includes all severity levels.

   [edit services service-set ss]
   user@host# set syslog host local services any

4. Specify the stateful firewall rule included in this service set.

   [edit services service-set ss]
   user@host# set stateful-firewall-rules rule-name

   The example below references the stateful firewall rule defined in Configuring the Stateful Firewall Rule.

   [edit services service-set ss]
   user@host# set stateful-firewall-rules rule1

5. Define the NAT rules included in this service set.

   [edit services service-set ss]
   user@host# set nat-rules rule-name

   The example below references the two rules defined in this configuration example.

   [edit services service-set ss]
   user@host# set nat-rules rule1
   user@host# set nat-rules rule2

6. Configure an adaptive services interface on which the service is to be performed.

   [edit services service-set ss]
   user@host# set interface-service service-interface interface-name

   For example:

   [edit services service-set ss]

   user@host# set interface-service service-interface ms-2/0/0

   Only the device name is needed, because the router software manages logical unit numbers automatically. The services interface must be an adaptive services interface for which you have configured unit 0 family inet at the [edit interfaces interface-name] hierarchy level in the Configuring Interfaces step.

Results

The following sample output shows the configuration of the service set:

[edit services]
user@host# show
service-set ss {
    syslog {
        host local {
            services any;
        }
    }
    stateful-firewall-rules rule1;
    nat-rules rule1;
    nat-rules rule2;
    interface-service {
        service-interface ms-2/0/0;
    }
}

Configuring the Stateful Firewall Rule

Step-by-Step Procedure

This example uses a stateful firewall to inspect packets for state information derived from past communications and other applications. When a packet is sent to the services (ms-) interface, direction information is carried along with it. The NAT-PT router checks the traffic flow matching the direction specified by the rule, in this case both input and output.

To configure the stateful firewall rule:

1. In configuration mode, go to the [edit services stateful-firewall] hierarchy level.

   user@host# edit services stateful-firewall

2. Specify the name of the stateful firewall rule.

   [edit services stateful-firewall]
   user@host# edit rule rule-name

   For example:

   [edit services stateful-firewall]
   user@host# edit rule rule1

3. Specify the direction in which traffic is to be matched.

   [edit services stateful-firewall rule rule-name]
   user@host# set match-direction (input | input-output | output)

   For example:

   [edit services stateful-firewall rule rule1]
   user@host# set match-direction input-output

4. Specify the name of the stateful firewall term.

   [edit services stateful-firewall rule rule-name]
   user@host# edit term term-name

   For example:

   [edit services stateful-firewall rule rule1]
   user@host# edit term term1

5. Define the terms that make up this rule.

   [edit services stateful-firewall rule rule-name term term-name]
   user@host# set then accept

   For example:

   [edit services stateful-firewall rule rule1 term term1]
   user@host# set then accept

Results

The following sample output shows the configuration of the services stateful firewall.

[edit services]
user@host# show
stateful-firewall {
    rule rule1 {
        match-direction input-output;
        term term1 {
            then {
                accept;
            }
        }
    }
}

Configuring Interfaces

Step-by-Step Procedure

After you have defined the service-set, you must apply services to one or more interfaces installed on the router. When you apply the service set to an interface, it automatically ensures that packets are directed to the services (ms-) interface. In this example, you configure one interface on which you apply the service set for input and output traffic.

To configure the interfaces:

1. In configuration mode, go to the [edit interfaces] hierarchy level.

   user@host# edit interfaces

2. Configure the interface on which the service set is applied to automatically ensure that packets are directed to the services (ms-) interface.

   • For IPv4 traffic, specify the IPv4 address.

     [edit interfaces]
     user@host# set ge-1/0/9 unit 0 family inet address 30.1.1.1/24

   • Apply the service set defined in the Configuring the Service Set step.

     [edit interfaces]
     user@host# set ge-1/0/9 unit 0 family inet6 service input service-set ss
     user@host# set ge-1/0/9 unit 0 family inet6 service output service-set ss

   • For IPv6 traffic, specify the IPv6 address.

     [edit interfaces]
     user@host# set ge-1/0/9 unit 0 family inet6 address 2000::1/64

3. Specify the interface properties for the services interface that performs the service.

   [edit interfaces]
   user@host# set ms-2/0/0 services-options syslog host local services any
   user@host# set ms-2/0/0 unit 0 family inet
   user@host# set ms-2/0/0 unit 0 family inet6

Results

The following sample output shows the configuration of the interfaces for this example.

[edit interfaces]
user@host# show
ge-1/0/9 {
    unit 0 {
        family inet {
            address 30.1.1.1/24;
        }
        family inet6 {
            service {
                input {
                    service-set ss;
                }
                output {
                    service-set ss;
                }
            }
            address 2000::1/64;
        }
    }
}
ms-2/0/0 {
    services-options {
        syslog {
            host local {
                services any;
            }
        }
    }
    unit 0 {
        family inet;
        family inet6;
    }
}

Related Documentation

• Network Address Translation Overview on page 48
• Configuring NAT-PT on page 187
• Configuring Service Sets to be Applied to Services Interfaces on page 568
• Example: Configuring the uKernel Service and the Services SDK on Two PICs
• dns-alg-prefix on page 246

• dns-alg-pool on page 246

Example: Configuring Port Forwarding with Twice NAT

The following example configures port forwarding with twice-napt-44 as the translation type. The example also has stateful firewall and multiple port maps configured.

[edit services]
user@host# show
service-set in {
    syslog {
        host local {
            services any;
        }
    }
    stateful-firewall-rules r;
    nat-rules r;
    interface-service {
        service-interface sp-10/0/0;
    }
}
stateful-firewall {
    rule r {
        match-direction input;
        term t {
            from {
                destination-port {
                    range low 1 high 57000;
                }
            }
            then {
                reject;
            }
        }
    }
}
nat {
    pool x {
        address 12.0.0.2/32;
    }
    rule r {
        match-direction input;
        term t {
            from {
                destination-address {
                    14.0.0.2/32;
                }
                destination-port {
                    range low 10 high 20000;
                }
            }
            then {
                port-forwarding-mappings y;
                translated {
                    destination-pool x;
                    translation-type {
                        twice-napt-44;
                    }
                }
            }
        }
    }
    port-forwarding y {
        destined-port 45;
        translated-port 43;
        destined-port 55;
        translated-port 23;
        destined-port 65;
        translated-port 33;
    }
}
adaptive-services-pics {
    traceoptions {
        file sp-trace;
        flag all;
    }
}

NOTE:
• Stateful firewall has precedence over port forwarding. In this example, no traffic destined to any port between 1 and 57000 will be translated.
• Up to 32 port maps can be configured.

Related Documentation

• Configuring Port Forwarding for Static Destination Address Translation on page 179

Example: Configuring an Oversubscribed Pool with Fallback to NAPT

The following configuration shows dynamic address translation from a large prefix to a small pool, for instance, translating a /24 subnet to a pool of 10 addresses. When the addresses in the source pool (src-pool) are exhausted, NAT is provided by the NAPT overload pool (pat-pool).

[edit services nat]
pool src-pool {
    address-range low 192.16.2.1 high 192.16.2.10;
}
pool pat-pool {
    address-range low 192.16.2.11 high 192.16.2.12;
    port automatic;
}
rule myrule {
    match-direction input;
    term myterm {
        from {
            source-address 10.10.150.0/24;
        }
        then {
            translated {
                source-pool src-pool;
                overload-pool pat-pool;

                translation-type napt-44;
            }
        }
    }
}

Example: Configuring an Oversubscribed Pool with No Fallback

The following configuration shows dynamic address translation from a large prefix to a small pool, translating a /24 subnet to a pool of 10 addresses. Sessions from the first 10 host sessions are assigned an address from the pool on a first-come, first-served basis, and any additional requests are rejected. Each host with an assigned NAT can participate in multiple sessions.

[edit services nat]
pool my-pool {
    address-range low 10.10.10.1 high 10.10.10.10;
}
rule src-nat {
    match-direction input;
    term t1 {
        from {
            source-address 192.168.30.0/24;
        }
        then {
            translated {
                source-pool my-pool;
                translation-type dynamic-nat44;
            }
        }
    }
}

Example: Assigning Addresses from a Dynamic Pool for Static Use

The following configuration statically assigns a subset of addresses that are configured as part of a dynamic pool (dynamic-pool) to two separate static pools (static-pool and static-pool2).

[edit services nat]
pool dynamic-pool {
    address 20.20.20.0/24;
}
pool static-pool {
    address-range low 20.20.20.10 high 20.20.20.12;
}
pool static-pool2 {
    address 20.20.20.15/32;
}
rule src-nat {
    match-direction input;
    term t1 {
        from {
            source-address 30.30.30.0/24;
        }

        then {
            translation-type dynamic-nat44;
            source-pool dynamic-pool;
        }
    }
    term t2 {
        from {
            source-address 10.10.10.0/24;
        }
        then {
            translation-type basic-nat44;
            source-pool static-pool;
        }
    }
    term t3 {
        from {
            source-address 10.10.20.0/24;
        }
        then {
            translation-type basic-nat44;
            source-pool static-pool2;
        }
    }
}

Example: Configuring NAT Rules Without Defining a Pool

The following configuration performs NAT using the source prefix 20.10.10.0/24 without defining a pool.

[edit services nat]
rule src-nat {
    match-direction input;
    term t1 {
        then {
            translation-type dynamic-nat44;
            source-prefix 20.10.10.0/24;
        }
    }
}

The following configuration performs NAT using the destination prefix 20.10.10.0/32 without defining a pool.

[edit services nat]
rule src-nat {
    match-direction input;
    term t1 {
        from {
            destination-address 10.10.10.10/32;
        }
        then {
            translation-type dnat44;
            destination-prefix 20.10.10.0/32;
        }
    }
}

Example: Preventing Translation of Specific Addresses

The following configuration specifies that NAT is not performed on incoming traffic from the source address 192.168.20.24/32. Dynamic NAT is performed on all other incoming traffic.

[edit services nat]
pool my-pool {
    address-range low 10.10.10.1 high 10.10.10.254;
    port automatic;
}
rule src-nat {
    match-direction input;
    term t0 {
        from {
            source-address 192.168.20.24/32;
        }
        then {
            no-translation;
        }
    }
    term t1 {
        then {
            translated {
                source-pool my-pool;
                translation-type dynamic-nat44;
            }
        }
    }
}

Example: Configuring NAT for Multicast Traffic

Figure 7 on page 219 illustrates the network setup for the following configuration.

Figure 7: Configuring NAT for Multicast Traffic

• Rendezvous Point Configuration on page 219
• Router 1 Configuration on page 222

Rendezvous Point Configuration

On the rendezvous point (RP), all incoming traffic from the multicast source at 192.168.2.0/27 is sent to the static NAT pool mcast_pool, where its source is translated to 20.20.20.0/27. The service set nat_ss is a next-hop service set that allows IP multicast

traffic to be sent to the Multiservices DPC or Multiservices PIC. The inside interface on the PIC is ms-1/1/0.1 and the outside interface is ms-1/1/0.2.

[edit services]
nat {
    pool mcast_pool {
        address 20.20.20.0/27;
    }
    rule nat_rule_1 {
        match-direction input;
        term 1 {
            from {
                source-address 192.168.2.0/27;
            }
            then {
                translated {
                    source-pool mcast_pool;
                    translation-type basic-nat44;
                }
            }
        }
    }
}
service-set nat_ss {
    allow-multicast;
    syslog;
    nat-rules nat_rule_1;
    next-hop-service {
        inside-service-interface ms-1/1/0.1;
        outside-service-interface ms-1/1/0.2;
    }
}

Multicast source traffic comes in on the Fast Ethernet interface fe-1/2/1, which has the firewall filter fbf applied to incoming traffic. The Gigabit Ethernet interface ge-0/3/0 carries traffic out of the RP to Router 1. The multiservices interface ms-1/1/0 has two logical interfaces: unit 1 is the inside interface for next-hop services and unit 2 is the outside interface for next-hop services.

[edit interfaces]
ge-0/3/0 {
    unit 0 {
        family inet {
            address 10.1.1.1/30;
        }
    }
}
ms-1/1/0 {
    unit 0 {
        family inet;
    }
    unit 1 {
        family inet;
        service-domain inside;
    }

    unit 2 {
        family inet;
        service-domain outside;
    }
}
fe-1/2/1 {
    unit 0 {
        family inet {
            filter {
                input fbf;
            }
            address 192.168.2.27/27;
        }
    }
}

Multicast packets can only be directed to the Multiservices DPC or the Multiservices PIC using a next-hop service set. In the case of NAT, you must also configure a VRF, which has a multicast static route that is installed with the next hop pointing to the PIC's inside interface. Therefore, the routing instance stage is created as a "dummy" forwarding instance. To direct incoming packets to stage, you configure filter-based forwarding through a firewall filter called fbf, which is applied to the incoming interface fe-1/2/1.

[edit firewall]
filter fbf {
    term 1 {
        then {
            routing-instance stage;
        }
    }
}

The routing instance stage forwards IP multicast traffic to the inside interface ms-1/1/0.1 on the Multiservices DPC or Multiservices PIC. A lookup is performed in stage. All multicast traffic matching this route is sent to the PIC.

[edit]
routing-instances stage {
    instance-type forwarding;
    routing-options {
        static {
            route 224.0.0.0/4 next-hop ms-1/1/0.1;
        }
    }
}

You enable OSPF and Protocol Independent Multicast (PIM) on the Fast Ethernet and Gigabit Ethernet logical interfaces over which IP multicast traffic enters and leaves the RP. You also enable PIM on the outside interface (ms-1/1/0.2) of the next-hop service set.

[edit protocols]
ospf {
    area 0.0.0.0 {
        interface fe-1/2/1.0;
        interface ge-0/3/0.0;

        interface lo0.0;
    }
}
pim {
    rp {
        local {
            address 10.255.14.160;
        }
    }
    interface fe-1/2/1.0;
    interface ge-0/3/0.0;
    interface lo0.0;
    interface ms-1/1/0.2;
}

As with any filter-based forwarding configuration, you must configure routing table groups so that all interface routes are copied from inet.0 to the routing table in the forwarding instance, in order for the static route in the forwarding instance stage to have a reachable next hop. You configure routing tables inet.0 and stage.inet.0 as members of fbf_rib_group, so that all interface routes are imported into both tables.

[edit routing-options]
interface-routes {
    rib-group inet fbf_rib_group;
}
rib-groups fbf_rib_group {
    import-rib [ inet.0 stage.inet.0 ];
}

Reverse path forwarding (RPF) checking must be disabled for the multicast group on which source NAT is applied. You can disable RPF checking for specific multicast groups by configuring a policy similar to the one in the example that follows. In this case, the no_rpf policy disables RPF check for multicast groups belonging to 224.0.0.0/4.

[edit policy-options]
policy-statement no_rpf {
    term 1 {
        from {
            route-filter 224.0.0.0/4 orlonger;
        }
        then reject;
    }
}

[edit routing-options]
multicast {
    rpf-check-policy no_rpf;
}

Router 1 Configuration

The Internet Group Management Protocol (IGMP), OSPF, and PIM configuration on Router 1 is as follows. Because of IGMP static group configuration, traffic is forwarded out fe-3/0/0.0 to the multicast receiver without receiving membership reports from host members.

[edit protocols]
igmp {
    interface fe-3/0/0.0 {
    }
}
ospf {
    area 0.0.0.0 {
        interface fe-3/0/0.0 {
            passive;
        }
        interface ge-7/2/0.0;
        interface lo0.0;
    }
}
pim {
    rp {
        static {
            address 10.255.14.160;
        }
    }
    interface fe-3/0/0.0;
    interface ge-7/2/0.0;
    interface lo0.0;
}

The routing option creates a static route to the NAT pool, mcast_pool, on the RP.

[edit routing-options]
static {
    route 20.20.20.0/27 next-hop 10.1.1.1;
}

Example: NAT 44 CGN Configurations

This example describes how to implement several NAT configurations.

• Hardware and Software Requirements on page 223
• Overview on page 224
• Basic NAT44 Configuration on page 224

Hardware and Software Requirements

This example requires the following hardware:

• An MX Series 3D Universal Edge router with a Services DPC or an M Series Multiservice Edge router with a services PIC
• A domain name server (DNS)

0. Define the interface to the public Internet.1/24 3.Junos 11. . Define the interface to the private network.0. user@host# edit chassis 2. user@host# edit interfaces ge-1/3/5 [edit interfaces ge-1/3/5] user@host# set description “Private” user@host# edit unit 0 family inet [edit interfaces ge-1/3/5 unit 0 family inet] user@host# set service input service-set ss2 user@host# set service output service-set ss2 user@host# set address 9.0. Basic NAT44 Configuration Chassis Configuration Step-by-Step Procedure To configure the service PIC (FPC 5 Slot 0) with the Layer 3 service package: 1. Inc. 224 Copyright © 2011.1/24 2. unit 0 { family inet { service { input { service-set sset2. 1.4 or higher Overview This example shows a complete CGN NAT44 configuration and advanced options.0. Juniper Networks. Go to the edit chassis hierarchy level. Define the service interface for NAT processing. user@host# edit interfaces ge-1/3/6 [edit interfaces ge-1/3/6] user@host# set description “Public” user@host# set unit 0 family inet address 128. user@host# edit interfaces ge-5/0/0 [edit interfaces ge-5/0/0] user@host# set unit 0 family inet Results user@host# show interfaces ge-1/3/5 description Private. [edit chassis] user@host# set fpc 5 pic 0 adaptive-services service-package layer-3 Configuring the Interfaces Step-by-Step Procedure To configure interfaces to the private network and the public Internet.4 Services Interfaces Configuration Guide This example uses the following software: • Junos OS Release 11. Configure the layer 3 service package.

            output {
                service-set ss2;
            }
        }
        address 9.0.0.1/24;
    }
}

user@host# show interfaces ge-1/3/6
description Public;
unit 0 {
    family inet {
        address 128.0.0.1/24;
    }
}

user@host# show interfaces sp-5/0/0
unit 0 {
    family inet;
}

Configuring NAT with Port Translation

Step-by-Step Procedure

To configure source-only dynamic NAT with port translation:

1. Configure the NAT pool.

   user@host# edit services nat
   [edit services nat]
   user@host# set pool p1 address 129.0.0.0/24
   user@host# set pool p1 port automatic random-allocation

2. Configure the NAT rule.

   [edit services nat]
   user@host# edit rule r1
   [edit services nat rule r1]
   user@host# set match-direction input
   user@host# set term t1 from source-address 10.0.0.0/16
   user@host# set term t1 from source-address 10.1.0.0/16
   user@host# set term t1 then translated source-pool p1 translation-type dynamic-nat44

Results

user@host# show services nat
pool p1 {
    address 129.0.0.0/24;
}
rule r1 {
    match-direction input;
    term t1 {
        from {
            source-address {
                10.0.0.0/16;
                10.1.0.0/16;
            }
        }

        then {
            translated {
                source-pool p1;
                translation-type {
                    dynamic-nat44;
                }
            }
        }
    }
}

Configuring the Service Set

Step-by-Step Procedure

To configure the service set:

1. Configure a service set.

   user@host# edit services service-set ss2

2. Specify the NAT rule to be used.

   [edit services service-set ss2]
   user@host# set nat-rules r1

3. Specify the interface service.

   [edit services service-set ss2]
   user@host# set interface-service service-interface sp-5/0/0

Results

user@host# show services service-set ss2
nat-rules r1;
interface-service {
    service-interface sp-5/0/0;
}

Example: NAT Between VRFs Configuration

The following example configuration enables NAT between VRFs with overlapping private addresses, using distinct public addresses for the source and destination NAT in this scenario:

• A host in vrf-a traverses 10.58.16.101 to reach 10.58.16.2 in vrf-b.
• A host in vrf-b traverses 10.58.16.201 to reach 10.58.16.2 in vrf-a.

[edit interfaces]
ge-0/2/0 {
    unit 0 {
        family inet {
            service {
                input service-set vrf-a-svc-set;
                output service-set vrf-a-svc-set;
            }
            address 10.58.16.1/24;
        }
    }
}

ge-0/3/0 {
    unit 0 {
        family inet {
            service {
                input service-set vrf-b-svc-set;
                output service-set vrf-b-svc-set;
            }
            address 10.58.16.1/24;
        }
    }
}
sp-1/3/0 {
    unit 0 {
        family inet;
    }
    unit 10 {
        family inet;
        service-domain inside;
    }
    unit 20 {
        family inet;
        service-domain inside;
    }
}

[edit routing-instances]
vrf-a {
    instance-type vrf;
    interface ge-0/2/0.0;
    interface sp-1/3/0.10;
    route-distinguisher 10.0.0.1:1;
    vrf-import test-policy;
    vrf-export test-policy;
    routing-options {
        static {
            route 0.0.0.0/0 next-table inet.0;
        }
    }
}
vrf-b {
    instance-type vrf;
    interface ge-0/3/0.0;
    interface sp-1/3/0.20;
    route-distinguisher 10.0.0.2:2;
    vrf-import test-policy;
    vrf-export test-policy;
    routing-options {
        static {
            route 0.0.0.0/0 next-table inet.0;
        }
    }
}

[edit policy-options]
policy-statement test-policy {
    term t1 {
        then reject;
    }
}

[edit services]
stateful-firewall {
    rule allow-all {
        match-direction input-output;
        term t1 {
            then {
                accept;
            }
        }
    }
}
nat {
    pool vrf-a-src-pool {
        address 10.58.16.100;
        port automatic;
    }
    pool vrf-a-dst-pool {
        address 10.58.16.2;
    }
    pool vrf-b-src-pool {
        address 10.58.16.200;
        port automatic;
    }
    pool vrf-b-dst-pool {
        address 10.58.16.2;
    }
    rule vrf-a-input {
        match-direction input;
        term t1 {
            from {
                destination-address 10.58.16.101;
            }
            then {
                translated {
                    destination-pool vrf-a-dst-pool;
                    translation-type destination static;
                }
            }
        }
    }
    rule vrf-a-output {
        match-direction output;
        term t1 {
            then {
                translated {
                    source-pool vrf-a-src-pool;
                    translation-type napt-44;
                }
            }
        }
    }
    rule vrf-b-input {
        match-direction input;
        term t1 {
            from {
                destination-address 10.58.16.201;
            }
            then {
                translated {
                    destination-pool vrf-b-dst-pool;
                    translation-type destination static;
                }
            }
        }
    }

    rule vrf-b-output {
        match-direction output;
        term t1 {
            then {
                translated {
                    source-pool vrf-b-src-pool;
                    translation-type source dynamic;
                }
            }
        }
    }
}
service-set vrf-a-svc-set {
    stateful-firewall-rules allow-all;
    nat-rules vrf-a-input;
    nat-rules vrf-a-output;
    interface-service {
        service-interface sp-1/3/0.10;
    }
}
service-set vrf-b-svc-set {
    stateful-firewall-rules allow-all;
    nat-rules vrf-b-input;
    nat-rules vrf-b-output;
    interface-service {
        service-interface sp-1/3/0.20;
    }
}

Example: Configuring Stateful NAT64 for Handling IPv4 Address Depletion

This example configures Stateful NAT64 on an MX Series 3D Universal Edge router with a Services DPC. The configuration replicates the example flow found in draft-ietf-behave-v6v4-xlate-stateful-12, Stateful NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers, July 2010.

This example contains the following sections:

• Requirements on page 230
• Implementation on page 230

• Configuration on page 230
• Verifying NAT64 Operation on page 234

Requirements

This functionality requires the following hardware:

• An MX Series 3D Universal Edge router with a Services DPC or an M Series Multiservice Edge router with a services PIC
• A name server with DNS64

Implementation

In Junos OS Release 10.4, Juniper Networks implemented stateful NAT64 in its Services Physical Interface Card (PIC) and Services Dense Port Concentrator (DPC). The system steers IPv6 packets coming from IPv6-only hosts to a Services DPC where the packets are translated to IPv4 according to the configuration. In the reverse path, the system sends IPv4 packets to the Services DPC where additional system processes reverse the translation and send the corresponding IPv6 packet back to the client.

Configuration

Overview and Topology

Figure 8 on page 230 shows an MX Series router, R2, implementing NAT64 with two Gigabit Ethernet interfaces and a Services DPC. The interface connected to the IPv4 network is ge-1/3/6, and the interface connected to the IPv6 network is ge-1/3/5. Also shown is a local name server with DNS64 functionality. The local name server is configured with the /96 prefix assigned to the local NAT64 router, which the system uses as part of the translation process.

Figure 8: NAT64 Topology (Host 1 at 2001:DB8::1 in the IPv6 network, connected to R2 ge-1/3/5; Host 2 at 192.0.2.1 in the IPv4 network, connected to R2 ge-1/3/6; a name server with DNS64 in the IPv6 network)

NAT64 Configuration

To configure stateful NAT64 involves the following tasks:

• Configuring the PIC and the Interfaces on page 231
• Configuring the NAT64 Pool on page 232
• Configuring the Service Set on page 233

Configuring the PIC and the Interfaces

Step-by-Step Procedure

To configure the PIC and interfaces on Router R2:

1. Edit the chassis configuration to enable a Layer 3 service package.

   [edit chassis]
   fpc 5 {
       pic 0 {
           adaptive-services {
               service-package layer-3;
           }
       }
   }

2. Configure the service package at the [edit chassis fpc pic adaptive-services] hierarchy level. The service package with its associated service package (sp-) interface is used to manipulate traffic before it is delivered to its destination. This example assumes that the PIC is in FPC 5, slot 0. For details about configuring packages, see the Junos OS Services Interfaces Configuration Guide.

3. Configure the ge-1/3/5 interface connected to the IPv6 network.

   a. Include the family inet (IPv4) and family inet6 (IPv6) statements at the [edit interfaces interface-name unit unit-number] hierarchy level.

   b. Configure a service set at the [edit interfaces interface-name unit unit-number family service input service-set] and the [edit interfaces interface-name unit unit-number family service output service-set] hierarchy levels.

   c. Include the IPv6 address at the [edit interfaces unit unit-number family inet6 address] hierarchy level.

   [edit interfaces]
   ge-1/3/5 {
       description "IPv6-only domain";
       unit 0 {
           family inet;
           family inet6 {
               service {
                   input {
                       service-set set_0;
                   }
                   output {
                       service-set set_0;
                   }
               }
               address 2001:DB8::1/64;
           }
       }
   }

4. Configure the ge-1/3/6 interface connected to the IPv4 network.

   a. Include the IPv4 address at the [edit interfaces unit unit-number family inet] hierarchy level.

   b. Specify both the IPv4 and IPv6 address families at the [edit interfaces interface-name unit unit-number] hierarchy level.

   [edit interfaces]
   ge-1/3/6 {
       description "Internet-IPv4 domain";
       unit 0 {
           family inet {
               address 192.0.2.1/16;
           }
           family inet6;
       }
   }

5. Configure the services interface, sp-5/0/0. The service package associated with this interface was configured in Step 2. The service set you configure in "Configuring the Service Set" on page 233 is associated with this interface. This example configures a system log for any services on the local host.

   [edit interfaces]
   sp-5/0/0 {
       services-options {
           syslog {
               host local {
                   services any;
                   log-prefix XXXXXXXX;
               }
           }
       }
       unit 0 {
           family inet;
           family inet6;
       }
   }

Configuring the NAT64 Pool

Step-by-Step Procedure

Use this procedure to configure the NAT64 router, Router R2, with the /96 prefix to represent IPv4 addresses in the IPv6 address space. IPv6 packets addressed to a destination address containing the /96 prefix are then routed to the IPv6 interface of the NAT router. You also configure one or more IPv4 transport addresses for the NAT pool. This example shows how to configure the network address translation for the IPv4 address 203.0.113.0/24. It also shows how to configure the IPv6 prefix 64:FF9B::/96.

1. Configure an IPv4 transport address for the pool at the [edit services nat pool pool-name] hierarchy level.

   [edit services nat]
   pool src-pool-nat64 {
       address 203.0.113.0/24;
       port automatic;
   }

2. Configure a NAT rule to translate the packets from the IPv6 network. NAT rules specify the traffic to be matched and the action to be taken when traffic matches the rule. In this example, only one rule is required to accomplish the address translation. The rule selects all traffic coming from the source address on the IPv6 network. The transport address configured in Step 1 is then specified for the translation using the /96 prefix.

   Configure the rule at the [edit services nat rule rule-name] hierarchy level as follows:

   [edit services nat rule]
   rule nat64 {
       match-direction input;
       term t1 {
           from {
               source-address {
                   2001:DB8::0/96;
                   2001:DB8::1/128;
               }
               destination-address {
                   64:FF9B::/96;
               }
           }
           then {
               translated {
                   source-pool src-pool-nat64;
                   destination-prefix 64:FF9B::/96;
                   translation-type {
                       stateful-nat64;
                   }
               }
           }
       }
   }

Configuring the Service Set

Step-by-Step Procedure

To configure the service set for the NAT service on Router R2, you must associate the previously configured rule (nat64) and service interface (sp-5/0/0) with the service set. You also include a system log configuration.

To configure these settings at the [edit services service-set service-set-name] hierarchy level:

1. Configure the system log.

   [edit services service-set set_0]
   syslog {
       host local {
           services any;
           log-prefix XXXSVC-SETYYY;
       }
   }

2. Associate the NAT rule and the service interface with the service set at the [edit services service-set service-set-name] hierarchy level.

   [edit services]
   service-set set_0 {
       nat-rules nat64;
       interface-service {
           service-interface sp-5/0/0;
       }
   }

3. On Router R2, commit the configuration.

   user@R2# commit check
   configuration check succeeds
   user@R2# commit

Verifying NAT64 Operation

You can use the following features to verify your NAT64 configuration:

• CLI commands on the router
• Logging

You can also use a test tool that can generate IPv6 flows directed to the MX Series router, using the well-known prefix (64:FF9B::/96) as the destination.

Among others, you can use the following CLI commands to verify your NAT64 configuration:

• show services stateful-firewall flows
• show services stateful-firewall conversations
• show services nat pool detail
• show services stateful-firewall statistics extensive

In this example:

• In the input direction, the IPv4 destination address is fetched from the IPv6 destination address whose prefix matches the destination-prefix configured from the specified prefix length.
• In the reverse or output direction, the IPv4 address is suffixed to the destination-prefix at the prefix length specified.

NAT64-related commands leverage the existing commands for NAPT44.

To confirm the NAT64 configuration, perform these tasks:

• Display NAT64 Flows on page 235
• Display NAT64 Conversations on page 236
• Display Global NAT Pool-Related Statistics on page 237

• Check System Logs on page 237
• Verify That NAT64 Conversations Take Place on page 238

Display NAT64 Flows

Purpose

Display and verify that the NAT64 flows are created and contain correct network address translation.

Action

To display the NAT64 flows on Router R2, use the show services stateful-firewall flows command.

user@R2> show services stateful-firewall flows
Interface: sp-5/0/0, Service set: set_0
Flow                                              State    Dir  Frm count
TCP   2001:db8::4:1160 -> 64:ff9b::c000:201:80    Forward  I    5
  NAT source 2001:db8::4:1160 -> 203.0.113.1:1428
  NAT dest   64:ff9b::c000:201:80 -> 192.0.2.1:80
TCP   192.0.2.1:80 -> 203.0.113.1:1428            Forward  O    4
  NAT source 192.0.2.1:80 -> 64:ff9b::c000:201:80
  NAT dest   203.0.113.1:1428 -> 2001:db8::4:1160
TCP   2001:db8::3:1110 -> 64:ff9b::c000:201:80    Forward  I    5
  NAT source 2001:db8::3:1110 -> 203.0.113.1:1346
  NAT dest   64:ff9b::c000:201:80 -> 192.0.2.1:80
TCP   192.0.2.1:80 -> 203.0.113.1:1346            Forward  O    4
  NAT source 192.0.2.1:80 -> 64:ff9b::c000:201:80
  NAT dest   203.0.113.1:1346 -> 2001:db8::3:1110
TCP   2001:db8::2:1157 -> 64:ff9b::c000:201:80    Forward  I    5
  NAT source 2001:db8::2:1157 -> 203.0.113.1:1393
  NAT dest   64:ff9b::c000:201:80 -> 192.0.2.1:80
TCP   192.0.2.1:80 -> 203.0.113.1:1393            Forward  O    4
  NAT source 192.0.2.1:80 -> 64:ff9b::c000:201:80
  NAT dest   203.0.113.1:1393 -> 2001:db8::2:1157
TCP   2001:db8::3:1120 -> 64:ff9b::c000:201:80    Forward  I    5
  NAT source 2001:db8::3:1120 -> 203.0.113.1:1376
  NAT dest   64:ff9b::c000:201:80 -> 192.0.2.1:80
TCP   192.0.2.1:80 -> 203.0.113.1:1376            Forward  O    4
  NAT source 192.0.2.1:80 -> 64:ff9b::c000:201:80
  NAT dest   203.0.113.1:1376 -> 2001:db8::3:1120
TCP   2001:db8::4:1167 -> 64:ff9b::c000:201:80    Forward  I    5
  NAT source 2001:db8::4:1167 -> 203.0.113.1:1413
  NAT dest   64:ff9b::c000:201:80 -> 192.0.2.1:80
TCP   192.0.2.1:80 -> 203.0.113.1:1413            Forward  O    4
  NAT source 192.0.2.1:80 -> 64:ff9b::c000:201:80
  NAT dest   203.0.113.1:1413 -> 2001:db8::4:1167

Meaning

In the sample output, the NAT source and NAT destination addresses of the Input (I) and Output (O) directions are displayed. The NAT64 flows listed in this output are in no specific order.
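Reading a long flows listing by eye does not tell you whether each translation is right; the two rules stated under Verifying NAT64 Operation (input: IPv4 destination is the low 32 bits of the IPv6 destination under the /96 prefix; output: the IPv4 source is re-embedded under that prefix) can be checked mechanically. The following added example (not Juniper code, and not part of this guide) implements the /96 embedding and extraction and runs both checks over flow lines in the layout shown above. The embedded sample is constructed from the addresses in this section: the first two flows are a consistent input/output pair, and the third output flow carries a NAT source whose port changes from 80 to 21367, which the checker reports; a port that changes on the server side of a NAT64 flow is worth investigating rather than assuming.

```python
"""Check NAT64 translations in 'show services stateful-firewall flows' output.

Added example, not Juniper code. Implements the /96 prefix mapping used by
stateful NAT64 (IPv4 address carried in the low 32 bits of the IPv6 address)
and verifies each flow's NAT source/dest lines against it.
"""
import ipaddress
import re

# Well-known prefix configured as destination-prefix in this example.
WKP = ipaddress.IPv6Network("64:ff9b::/96")


def embed_ipv4(ipv4, prefix=WKP):
    """Return the IPv6 address that represents `ipv4` under a /96 NAT64 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 prefixes are handled here")
    return ipaddress.IPv6Address(
        int(prefix.network_address) | int(ipaddress.IPv4Address(ipv4)))


def extract_ipv4(ipv6, prefix=WKP):
    """Recover the IPv4 address suffixed to a /96 NAT64 prefix."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        raise ValueError(f"{ipv6} is not inside {prefix}")
    return ipaddress.IPv4Address(int(addr) & 0xFFFF_FFFF)


def split_endpoint(text):
    """'64:ff9b::c000:201:80' -> (IPv6Address('64:ff9b::c000:201'), 80)."""
    host, port = text.rsplit(":", 1)
    return ipaddress.ip_address(host), int(port)


_FLOW = re.compile(r"^(TCP|UDP)\s+(\S+)\s*->\s*(\S+)\s+(\w+)\s+([IO])\s+(\d+)")
_NAT = re.compile(r"^\s+NAT (source|dest)\s+(\S+)\s*->\s*(\S+)")


def parse_flows(output):
    """Group each flow line with the NAT source/dest lines that follow it."""
    flows = []
    for line in output.splitlines():
        m = _FLOW.match(line)
        if m:
            flows.append({"proto": m[1], "src": m[2], "dst": m[3],
                          "dir": m[5], "nat": {}})
            continue
        m = _NAT.match(line)
        if m and flows:
            flows[-1]["nat"][m[1]] = (m[2], m[3])
    return flows


def check_nat64_flows(output, prefix=WKP):
    """Return a list of inconsistent translations; an empty list means all agree."""
    problems = []
    for f in parse_flows(output):
        if f["dir"] == "I":
            # Input: IPv4 dest must be the suffix of the IPv6 dest; port unchanged.
            before, after = f["nat"]["dest"]
            v6, p6 = split_endpoint(before)
            v4, p4 = split_endpoint(after)
            if v6 not in prefix or extract_ipv4(str(v6), prefix) != v4 or p6 != p4:
                problems.append(f"input flow {f['src']}: dest {before} -> {after}")
        else:
            # Output: IPv4 source must be re-embedded under the prefix; port unchanged.
            before, after = f["nat"]["source"]
            v4, p4 = split_endpoint(before)
            v6, p6 = split_endpoint(after)
            if embed_ipv4(str(v4), prefix) != v6 or p4 != p6:
                problems.append(f"output flow {f['src']}: source {before} -> {after}")
    return problems


# Constructed sample in the layout of the flows output above; the last flow's
# NAT source port changes (80 -> 21367), which the checker should report.
SAMPLE_FLOWS = """\
TCP 2001:db8::4:1160 ->64:ff9b::c000:201:80 Forward I 5
  NAT source 2001:db8::4:1160 -> 203.0.113.1:1428
  NAT dest 64:ff9b::c000:201:80 -> 192.0.2.1:80
TCP 192.0.2.1:80 -> 203.0.113.1:1428 Forward O 4
  NAT source 192.0.2.1:80 -> 64:ff9b::c000:201:80
  NAT dest 203.0.113.1:1428 -> 2001:db8::4:1160
TCP 192.0.2.1:80 -> 203.0.113.1:1346 Forward O 4
  NAT source 192.0.2.1:80 -> 64:ff9b::c000:201:21367
  NAT dest 203.0.113.1:1346 -> 2001:db8::3:1110
"""

if __name__ == "__main__":
    print(embed_ipv4("192.0.2.1"))          # the embedded form of Host 2
    for problem in check_nat64_flows(SAMPLE_FLOWS):
        print("inconsistent:", problem)
```

The same two functions serve the DNS64 side of the topology: a AAAA record synthesized by the name server for an IPv4-only host should equal embed_ipv4 of that host's A record under the prefix the router was given, which is a quick way to confirm the name server and the router agree on the /96.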

Display NAT64 Conversations

Purpose

Display and verify that the NAT64 conversations (collections of related flows) are correct.

Action

To display NAT64 conversations on Router R2, use the show services stateful-firewall conversations command. In contrast to the flows command that reports all flows in no specific order, the output of the conversations command groups the flows that belong to a conversation for easy troubleshooting of communication between a specific pair of hosts.

user@R2> show services stateful-firewall conversations
Interface: sp-5/0/0, Service set: set_0
Conversation: ALG protocol: tcp
  Number of initiators: 1, Number of responders: 1
  Flow                                            State    Dir  Frm count
  TCP   2001:db8::3:1169 -> 64:ff9b::c000:201:80  Forward  I    5
    NAT source 2001:db8::3:1169 -> 203.0.113.1:1523
    NAT dest   64:ff9b::c000:201:80 -> 192.0.2.1:80
  TCP   192.0.2.1:80 -> 203.0.113.1:1523          Forward  O    4
    NAT source 192.0.2.1:80 -> 64:ff9b::c000:201:80
    NAT dest   203.0.113.1:1523 -> 2001:db8::3:1169
Conversation: ALG protocol: tcp
  Number of initiators: 1, Number of responders: 1
  Flow                                            State    Dir  Frm count
  TCP   2001:db8::4:1213 -> 64:ff9b::c000:201:80  Forward  I    5
    NAT source 2001:db8::4:1213 -> 203.0.113.1:1551
    NAT dest   64:ff9b::c000:201:80 -> 192.0.2.1:80
  TCP   192.0.2.1:80 -> 203.0.113.1:1551          Forward  O    4
    NAT source 192.0.2.1:80 -> 64:ff9b::c000:201:80
    NAT dest   203.0.113.1:1551 -> 2001:db8::4:1213
Conversation: ALG protocol: tcp
  Number of initiators: 1, Number of responders: 1
  Flow                                            State    Dir  Frm count
  TCP   2001:db8::2:1233 -> 64:ff9b::c000:201:80  Forward  I    5
    NAT source 2001:db8::2:1233 -> 203.0.113.1:1621
    NAT dest   64:ff9b::c000:201:80 -> 192.0.2.1:80
  TCP   192.0.2.1:80 -> 203.0.113.1:1621          Forward  O    4
    NAT source 192.0.2.1:80 -> 64:ff9b::c000:201:80
    NAT dest   203.0.113.1:1621 -> 2001:db8::2:1233
Conversation: ALG protocol: tcp
  Number of initiators: 1, Number of responders: 1
  Flow                                            State    Dir  Frm count
  TCP   2001:db8::3:1188 -> 64:ff9b::c000:201:80  Forward  I    5
    NAT source 2001:db8::3:1188 -> 203.0.113.1:1580
    NAT dest   64:ff9b::c000:201:80 -> 192.0.2.1:80
  TCP   192.0.2.1:80 -> 203.0.113.1:1580          Forward  O    4
    NAT source 192.0.2.1:80 -> 64:ff9b::c000:201:80
    NAT dest   203.0.113.1:1580 -> 2001:db8::3:1188
Conversation: ALG protocol: tcp
  Number of initiators: 1, Number of responders: 1
  Flow                                            State    Dir  Frm count
  TCP   2001:db8::2:1218 -> 64:ff9b::c000:201:80  Forward  I    5
    NAT source 2001:db8::2:1218 -> 203.0.113.1:1575
    NAT dest   64:ff9b::c000:201:80 -> 192.0.2.1:80

2.1:80 -> 64:ff9b::c000:201:21367 NAT dest 203.0.0.1:1575 -> 2001:db8::2:1218 4 Conversation: ALG protocol: tcp Number of initiators: 1.0.113.1-203. user@R2> show services nat pool detail Interface: sp-5/0/0.1:80 -> 203.1:80 -> 203.0.100.113.2. Check System Logs Purpose Check the system logs because the system creates detailed logs as sessions are created and deleted.0.113. Translation type: dynamic Address range: 203.2.2.1:80 -> 64:ff9b::c000:201:21286 NAT dest 203.Chapter 10: Carrier-Grade NAT Configuration Guidelines NAT dest TCP 64:ff9b::c000:201:80 -> 192.255. 237 .1:1554 Forward O NAT source 192.113.113.0.2. Out of port errors: 0.0. Ports in use: 102.0.1:80 -> 64:ff9b::c000:201:21367 NAT dest 203.0.2.1:1572 Forward O NAT source 192.0.254 Port range: 512-65535.2.113.1:1554 -> 2001:db8::2:1211 Frm count 5 4 Frm count 5 4 Meaning The sample output displays the NAT64 conversations between specific pairs of hosts.113.0. use the show services nat pool detail command. To display global NAT pool-related statistics on Router R2.113.0.0.1:1575 Forward O NAT source 192.1:80 TCP 192.155-0.255. Inc.1:80 -> 203.0.154 Meaning The sample output displays relevant statistics and information about the NAT64 pools. Juniper Networks.0. Display Global NAT Pool-Related Statistics Purpose Action Display and verify global NAT statistics related to pool usage.113.1:1572 -> 2001:db8::4:1220 Conversation: ALG protocol: tcp Number of initiators: 1.113.0.0. Translation type: static Address range: 0.1:80 192. Copyright © 2011.1:1554 NAT dest 64:ff9b::c000:201:80 -> 192.1:1572 NAT dest 64:ff9b::c000:201:80 -> 192.1:80 TCP 192. You normally use this command in conjunction with the show services stateful-firewall flows command used in “Display NAT64 Flows” on page 235. Service set: set_0 NAT pool: src-pool-nat64. which displays the source and output of the translation.100.2. Max ports used: 192 NAT pool: _jpool_nat64_t1_.2. 
Number of responders: 1 Flow State Dir TCP 2001:db8::4:1220 ->64:ff9b::c000:201:80 Forward I NAT source 2001:db8::4:1220 -> 203.0.0. Number of responders: 1 Flow State Dir TCP 2001:db8::2:1211 ->64:ff9b::c000:201:80 Forward I NAT source 2001:db8::2:1211 -> 203.

Junos 11. destination address translates to 192.1 NAT dest 64:ff9b::c000:201 -> 192. Action user@R2> show services stateful-firewall conversations Interface: sp-5/0/0. PIC Slot 0) XXXSVC-SETYYY{set_0}[FWNAT]: ASP_SFW_DELETE_FLOW: proto 6 (TCP) application: any. The first log indicates the rule and term that the packet matched. use the show services stateful-firewall conversations command. PIC Slot 0) XXXSVC-SETYYY{set_0}[FWNAT]: ASP_SFW_CREATE_ACCEPT_FLOW: proto 6 (TCP) application: any. (null)(null)2001:db8:0:0:0:0:0:1:1025 -> 64:ff9b:0:0:0:0:c000:201:80.1:1593[1] Oct 21 22:14:17 H1 (FPC Slot 5. Related Documentation • • Stateful NAT64 Overview Example: Configuring Dual-Stack Lite for IPv6 Access 238 Copyright © 2011. as follows: Oct 21 22:14:17 H1 (FPC Slot 5.2.1 When the sessions end.0:2001:db8:0:0:0:0:0:1:1025 -> 64:ff9b:0:0:0:0:c000:201:80. user@R2> show log messages Oct 21 22:14:14 H1 (FPC Slot 5.1 ICMP 192. source address and port translate to 203. Current support for application-layer gateway (ALG) is limited to ICMP and traceroute. Juniper Networks.1 -> 2001:db8::2 Dir I Frm count 21 O 21 Meaning The sample output displays the results of the ICMP echo test.0.0. The following is sample output for an ICMP echo test (ping).1 Meaning The sample output displays the log messages that can be seen when a session is created and when a session ends.0.1 -> 64:ff9b::c000:201 NAT dest 203.2. Service set: set_0 Conversation: ALG protocol: icmpv6 Number of initiators: 1.1 -> 203.0.113.113.0.1:1593 . deleting forward or watch flow .2.0. To verify that the NAT64 conversations are occuring on Router R2.0. source address and port translate to 203. two logs are provided. the system creates a log indicating the NAT pool address and port release in addition to the delete flow log.113. PIC Slot 0) XXXSVC-SETYYY{set_0}[FWNAT]:ASP_NAT_POOL_RELEASE: natpool release 203.4 Services Interfaces Configuration Guide Action When a session is created based on the example setup.113. 
Number of responders: 1 Flow State ICMPV6 2001:db8::2 ->64:ff9b::c000:201 Watch NAT source 2001:db8::2 -> 203.0.0. ge-1/3/5.113. Inc. The second log indicates the flow creation.2. creating forward or watch flow .113.1 Watch NAT source 192.0.1:1593 . . Verify That NAT64 Conversations Take Place Purpose Verify that the NAT64 conversations are taking place. destination address translates to 192.0.2.
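The translations shown in the conversation output above can be checked mechanically rather than by eye. The following Python script is an added example and is not part of the Juniper guide: it parses the two flows of a conversation, verifies that the IPv6 destination embeds the IPv4 destination under the 64:ff9b::/96 well-known prefix, that the destination port is preserved, and that the responder flow is the exact mirror of the initiator flow. The two sample conversations are constructed strings modelled on the TCP output in "Display NAT64 Conversations" and the ICMP output in "Verify That NAT64 Conversations Take Place"; the column spacing, and the assumption that Junos writes IPv6 endpoints with a plain colon before the port, are mine.

```python
import ipaddress
import re
from dataclasses import dataclass

# NAT64 well-known prefix (RFC 6052); the sample output above uses it.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

# Constructed from the sample output above (spacing is an assumption).
TCP_CONVERSATION = """\
Conversation: ALG protocol: tcp
  Number of initiators: 1, Number of responders: 1
Flow                                              State     Dir  Frm count
TCP     2001:db8::3:1169 -> 64:ff9b::c000:201:80  Forward   I    5
  NAT source 2001:db8::3:1169 -> 203.0.113.1:1523
  NAT dest   64:ff9b::c000:201:80 -> 192.0.2.1:80
TCP     192.0.2.1:80 -> 203.0.113.1:1523          Forward   O    4
  NAT source 192.0.2.1:80 -> 64:ff9b::c000:201:80
  NAT dest   203.0.113.1:1523 -> 2001:db8::3:1169
"""

ICMP_CONVERSATION = """\
Conversation: ALG protocol: icmpv6
  Number of initiators: 1, Number of responders: 1
Flow                                            State   Dir  Frm count
ICMPV6  2001:db8::2 -> 64:ff9b::c000:201        Watch   I    21
  NAT source 2001:db8::2 -> 203.0.113.1
  NAT dest   64:ff9b::c000:201 -> 192.0.2.1
ICMP    192.0.2.1 -> 203.0.113.1                Watch   O    21
  NAT source 192.0.2.1 -> 64:ff9b::c000:201
  NAT dest   203.0.113.1 -> 2001:db8::2
"""

# Same as TCP_CONVERSATION but with a wrong IPv4 destination in the NAT dest line.
BAD_CONVERSATION = TCP_CONVERSATION.replace("-> 192.0.2.1:80", "-> 192.0.2.2:80", 1)


def embed_ipv4(prefix: ipaddress.IPv6Network, v4: str) -> str:
    """Form the IPv4-embedded IPv6 address for a /96 NAT64 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("this helper handles /96 prefixes only")
    return str(ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(v4))))


def extract_ipv4(prefix: ipaddress.IPv6Network, v6: str) -> str:
    """Recover the IPv4 address carried in the low 32 bits of an embedded address."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in prefix:
        raise ValueError(f"{v6} is not inside {prefix}")
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFF_FFFF))


@dataclass
class Flow:
    proto: str
    src: tuple
    dst: tuple
    state: str
    direction: str             # "I" = initiator side, "O" = responder side
    nat_source: tuple = None   # (before, after), each an (address, port) pair
    nat_dest: tuple = None


FLOW_RE = re.compile(r"^(TCP|UDP|ICMP\w*)\s+(\S+) -> (\S+)\s+(\w+)\s+([IO])\s+(\d+)")
NAT_RE = re.compile(r"^\s+NAT (source|dest)\s+(\S+) -> (\S+)")


def split_endpoint(text: str, has_port: bool) -> tuple:
    """Junos prints 'addr:port' with a plain colon even for IPv6, so the port is
    taken after the last colon. Only TCP/UDP endpoints carry a port; an ICMP
    endpoint such as '2001:db8::2' must not be split (and '2001:db8::3:1169'
    alone would also parse as a bare IPv6 address, so the protocol decides)."""
    if not has_port:
        return ipaddress.ip_address(text), None
    addr, port = text.rsplit(":", 1)
    return ipaddress.ip_address(addr), int(port)


def parse_flows(output: str) -> list:
    flows = []
    for line in output.splitlines():
        m = FLOW_RE.match(line)
        if m:
            proto, src, dst, state, direction, _frames = m.groups()
            ported = proto in ("TCP", "UDP")
            flows.append(Flow(proto, split_endpoint(src, ported), split_endpoint(dst, ported),
                              state, direction))
            continue
        m = NAT_RE.match(line)
        if m and flows:                      # NAT lines belong to the preceding flow
            kind, before, after = m.groups()
            ported = flows[-1].proto in ("TCP", "UDP")
            pair = (split_endpoint(before, ported), split_endpoint(after, ported))
            if kind == "source":
                flows[-1].nat_source = pair
            else:
                flows[-1].nat_dest = pair
    return flows


def check_conversation(output: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> list:
    """Return the inconsistencies found in one two-flow conversation; an empty
    list means the translation the router reports is self-consistent."""
    by_dir = {f.direction: f for f in parse_flows(output)}
    if set(by_dir) != {"I", "O"}:
        return ["expected exactly one initiator (I) and one responder (O) flow"]
    fwd, rev = by_dir["I"], by_dir["O"]
    if None in (fwd.nat_source, fwd.nat_dest, rev.nat_source, rev.nat_dest):
        return ["a flow is missing its NAT source/dest lines"]
    problems = []
    # 1. Destination translation must follow the /96 prefix embedding and keep the port.
    (dst6, dport6), (dst4, dport4) = fwd.nat_dest
    try:
        if extract_ipv4(prefix, str(dst6)) != str(dst4):
            problems.append(f"NAT dest {dst6} does not embed {dst4} under {prefix}")
    except ValueError as err:
        problems.append(str(err))
    if dport6 != dport4:
        problems.append("destination port must be preserved by NAT64")
    # 2. The public mapping of the initiator is where the responder must send.
    (src6, sport6), public = fwd.nat_source
    if rev.dst != public:
        problems.append(f"responder sends to {rev.dst}, expected public mapping {public}")
    # 3. The responder's translations are the mirror image of the initiator's.
    if rev.nat_source != ((dst4, dport4), (dst6, dport6)):
        problems.append("responder NAT source is not the mirror of the initiator NAT dest")
    if rev.nat_dest != (public, (src6, sport6)):
        problems.append("responder NAT dest does not map back to the initiator")
    return problems
```

Run against the page's own values, check_conversation returns an empty list for both conversations, and reports two findings for the deliberately altered copy (the embedding mismatch and the broken mirror), which is the shape of problem the Purpose above asks you to look for.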
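The create, release and delete messages shown under "Check System Logs" are what lets an operator answer the question carrier-grade NAT otherwise makes hard: which subscriber held public address 203.0.113.1, port 1593, at a given moment. The following Python script is an added example and is not part of the Juniper guide. It correlates ASP_SFW_CREATE_ACCEPT_FLOW messages with the matching ASP_NAT_POOL_RELEASE and ASP_SFW_DELETE_FLOW messages into mapping records with a lifetime, and looks a public endpoint up at a point in time. The log lines are constructed from the sample above (the " ; " separators and the unrelated filler line are assumptions), and because Junos syslog timestamps carry no year, all lines are assumed to fall in the same year.

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample, modelled on the messages in "Check System Logs" above.
# Separators (" ; ") and the second, unrelated line are assumptions.
SAMPLE_LOG = """\
Oct 21 22:14:14 H1 (FPC Slot 5, PIC Slot 0) XXXSVC-SETYYY{set_0}[FWNAT]: ASP_SFW_CREATE_ACCEPT_FLOW: proto 6 (TCP) application: any, ge-1/3/5.0:2001:db8:0:0:0:0:0:1:1025 -> 64:ff9b:0:0:0:0:c000:201:80, creating forward or watch flow ; source address and port translate to 203.0.113.1:1593 ; destination address translates to 192.0.2.1
Oct 21 22:14:15 H1 mgd[1234]: UI_COMMIT: constructed unrelated message that the parser must skip
Oct 21 22:14:17 H1 (FPC Slot 5, PIC Slot 0) XXXSVC-SETYYY{set_0}[FWNAT]:ASP_NAT_POOL_RELEASE: natpool release 203.0.113.1:1593[1]
Oct 21 22:14:17 H1 (FPC Slot 5, PIC Slot 0) XXXSVC-SETYYY{set_0}[FWNAT]: ASP_SFW_DELETE_FLOW: proto 6 (TCP) application: any, (null)(null)2001:db8:0:0:0:0:0:1:1025 -> 64:ff9b:0:0:0:0:c000:201:80, deleting forward or watch flow ; source address and port translate to 203.0.113.1:1593 ; destination address translates to 192.0.2.1
"""

TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) ")
FLOW_RE = re.compile(
    r"ASP_SFW_(?P<event>CREATE_ACCEPT_FLOW|DELETE_FLOW): proto \d+ \((?P<proto>\w+)\) "
    r"application: \S+, (?P<src>\S+) -> (?P<dst>\S+), .*?"
    r"source address and port translate to (?P<pub>\S+) ; "
    r"destination address translates to (?P<dst4>\S+)"
)
RELEASE_RE = re.compile(r"ASP_NAT_POOL_RELEASE: natpool release (?P<pub>\S+?)\[\d+\]")
# The create message prefixes the source with the ingress interface ("ge-1/3/5.0:"),
# the delete message with "(null)(null)"; both are stripped before parsing.
IFACE_RE = re.compile(r"^(?:\(null\))*(?:[a-z]+-\d+/\d+/\d+(?:\.\d+)?:)?")


def endpoint(text: str) -> tuple:
    """'64:ff9b:0:0:0:0:c000:201:80' -> (IPv6Address, 80); the port follows the last colon."""
    addr, port = text.rsplit(":", 1)
    return ipaddress.ip_address(addr), int(port)


def parse_ts(text: str) -> datetime:
    # Syslog timestamps carry no year; every line is assumed to be from the same year.
    return datetime.strptime(text, "%b %d %H:%M:%S")


@dataclass
class Mapping:
    protocol: str
    internal: tuple                        # subscriber's real (IPv6 address, port)
    public: tuple                          # (IPv4 address, port) taken from the NAT pool
    destination: tuple                     # destination as the subscriber addressed it
    destination_v4: ipaddress.IPv4Address  # destination after NAT64
    created: datetime
    released: Optional[datetime] = None    # None while the mapping is still live


def build_mappings(log_text: str) -> list:
    """Correlate create / release / delete messages into Mapping records."""
    open_by_public = {}
    records = []
    for line in log_text.splitlines():
        ts_m = TS_RE.match(line)
        if not ts_m:
            continue
        ts = parse_ts(ts_m["ts"])
        flow = FLOW_RE.search(line)
        if flow:
            public = endpoint(flow["pub"])
            if flow["event"] == "CREATE_ACCEPT_FLOW":
                rec = Mapping(flow["proto"], endpoint(IFACE_RE.sub("", flow["src"])), public,
                              endpoint(flow["dst"]), ipaddress.ip_address(flow["dst4"]), ts)
                open_by_public[public] = rec
                records.append(rec)
            else:
                # DELETE_FLOW closes the mapping if no pool-release message did.
                rec = open_by_public.pop(public, None)
                if rec is not None and rec.released is None:
                    rec.released = ts
            continue
        rel = RELEASE_RE.search(line)
        if rel:
            rec = open_by_public.pop(endpoint(rel["pub"]), None)
            if rec is not None and rec.released is None:
                rec.released = ts
    return records


def who_had(records: list, public_addr: str, public_port: int, when: str) -> list:
    """Internal endpoints that held the given public address:port at time `when`."""
    at = parse_ts(when)
    key = (ipaddress.ip_address(public_addr), public_port)
    return [r.internal for r in records
            if r.public == key and r.created <= at and (r.released is None or at <= r.released)]
```

The release message alone does not identify the subscriber; only the create message carries the internal address, so the correlation on the public endpoint is what turns three loosely related lines into one retention record. Keep the question of port reuse in mind: as soon as 203.0.113.1:1593 is released it can be handed to another subscriber, which is why who_had filters on the lifetime and not just on the endpoint.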

CHAPTER 11
Summary of Carrier-Grade NAT Configuration Statements

The following sections explain each of the Network Address Translation (NAT) statements. The statements are organized alphabetically.

address

Syntax
    address ip-prefix</prefix-length>;

Hierarchy Level
    [edit services nat pool nat-pool-name]

Release Information
    Statement introduced before Junos OS Release 7.4.
    prefix option enhanced to support IPv6 addresses in Junos OS Release 8.5.

Description
    Specify the NAT pool prefix value.

Options
    prefix—Specify an IPv4 or IPv6 prefix value.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • Configuring Addresses and Ports for Use in NAT Rules on page 151

address-allocation

Syntax
    address-allocation round-robin;

Hierarchy Level
    [edit services nat pool pool-name]

Release Information
    Statement introduced in Junos OS Release 11.2.

Description
    Specify the NAT address pooling behavior. When you use round-robin allocation, one port is allocated from each address in a range before repeating the process for each address in the next range. After ports have been allocated for all addresses in the last range, the allocation process wraps around and allocates the next unused port for addresses in the first range.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • Configuring Addresses and Ports for Use in NAT Rules on page 151

address-pooling

Syntax
    address-pooling paired;

Hierarchy Level
    [edit services nat rule rule-name term term-name then translated]

Release Information
    Statement introduced in JUNOS Release 10.1.

Description
    Specify the NAT address pooling behavior.

Options
    paired—Currently, the only valid setting specifies paired address pooling behavior.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • Configuring Actions in NAT Rules on page 159

address-range

Syntax
    address-range low minimum-value high maximum-value;

Hierarchy Level
    [edit services nat pool nat-pool-name]

Release Information
    Statement introduced before Junos OS Release 7.4.
    minimum-value and maximum-value options enhanced to support IPv6 addresses in Junos OS Release 8.5.

Description
    Specify the NAT pool address range.

Options
    minimum-value—Lower boundary for the IPv4 or IPv6 address range.
    maximum-value—Upper boundary for the IPv4 or IPv6 address range.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • Configuring Addresses and Ports for Use in NAT Rules on page 151

application-sets

Syntax
    application-sets set-name;

Hierarchy Level
    [edit services nat rule rule-name term term-name from]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Define one or more target application sets.

Options
    set-name—Name of the target application set.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • Configuring Match Conditions in NAT Rules on page 158

applications

Syntax
    applications [ application-names ];

Hierarchy Level
    [edit services nat rule rule-name term term-name from]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Define one or more application protocols to which the NAT services apply.

Options
    application-name—Name of the target application.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • Configuring Match Conditions in NAT Rules on page 158

destination-address

Syntax
    destination-address (address | any-unicast) <except>;

Hierarchy Level
    [edit services nat rule rule-name term term-name from]

Release Information
    Statement introduced before Junos OS Release 7.4.
    any-unicast and except options introduced in Junos OS Release 7.6.
    address option enhanced to support IPv6 addresses in Junos OS Release 8.5.

Description
    Specify the destination address for rule matching.

Options
    address—Destination IPv4 or IPv6 address or prefix value.
    any-unicast—Any unicast packet.
    except—(Optional) Prevent the specified address, prefix, or unicast packets from being translated.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • Configuring Match Conditions in NAT Rules on page 158

destination-address-range

Syntax
    destination-address-range low minimum-value high maximum-value <except>;

Hierarchy Level
    [edit services nat rule rule-name term term-name from]

Release Information
    Statement introduced in Junos OS Release 7.6.
    minimum-value and maximum-value options enhanced to support IPv6 addresses in Junos OS Release 8.5.

Description
    Specify the destination address range for rule matching.

Options
    minimum-value—Lower boundary for the IPv4 or IPv6 address range.
    maximum-value—Upper boundary for the IPv4 or IPv6 address range.
    except—(Optional) Prevent the specified address range from being translated.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • Configuring Match Conditions in NAT Rules on page 158

destination-pool

Syntax
    destination-pool nat-pool-name;

Hierarchy Level
    [edit services nat rule rule-name term term-name then translated]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Specify the destination address pool for translated traffic.

Options
    nat-pool-name—Destination pool name.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • Configuring Actions in NAT Rules on page 159

destination-port range

Syntax
    destination-port range high | low;

Hierarchy Level
    [edit services nat rule rule-name term term-name from]

Release Information
    Statement introduced in Junos OS Release 11.4.

Description
    Specify the destination port range for rule matching.

Options
    high—Upper limit of port range for matching.
    low—Lower limit of port range for matching.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • Configuring Port Forwarding for Static Destination Address Translation on page 179

destination-prefix

Syntax
    destination-prefix destination-prefix;

Hierarchy Level
    [edit services nat rule rule-name term term-name then translated]

Release Information
    Statement introduced in Junos OS Release 7.6.
    destination-prefix option enhanced to support IPv6 addresses in Junos OS Release 8.5.

Description
    Specify the destination prefix for translated traffic.

Options
    destination-prefix—IPv4 or IPv6 destination prefix value.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • Configuring Actions in NAT Rules on page 159

destination-prefix-list

Syntax
    destination-prefix-list list-name <except>;

Hierarchy Level
    [edit services nat rule rule-name term term-name from]

Release Information
    Statement introduced in Junos OS Release 8.2.

Description
    Specify the destination prefix list for rule matching. You configure the prefix list by including the prefix-list statement at the [edit policy-options] hierarchy level.

Options
    list-name—Destination prefix list.
    except—(Optional) Exclude the specified prefix list from rule matching.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • Configuring Match Conditions in NAT Rules on page 158
    • Junos OS Routing Policy Configuration Guide

destined-port

Syntax
    destined-port port id;

Hierarchy Level
    [edit services nat port-forwarding map-name]

Release Information
    Statement introduced in Junos OS Release 11.4.

Description
    Specify the port from which traffic has to be forwarded.

Options
    port id—The destination port number from which traffic will be forwarded.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • port-forwarding on page 255
    • translated-port on page 266

dns-alg-pool

Syntax
    dns-alg-pool dns-alg-pool;

Hierarchy Level
    [edit services nat rule rule-name term term-name then translated]

Release Information
    Statement introduced in Junos OS Release 10.4.

Description
    Specify the Network Address Translation (NAT) pool for destination translation.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

dns-alg-prefix

Syntax
    dns-alg-prefix dns-alg-prefix;

Hierarchy Level
    [edit services nat rule rule-name term term-name then translated]

Release Information
    Statement introduced in Junos OS Release 10.4.

Description
    Set the Domain Name System (DNS) application-level gateway (ALG) 96-bit prefix for mapping IPv4 addresses to IPv6 addresses.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

filtering-type

Syntax
    filtering-type endpoint-independent;

Hierarchy Level
    [edit services nat rule rule-name term term-name then translated]

Release Information
    Statement introduced in JUNOS Release 10.1.

Description
    Specify the NAT filtering behavior for sessions initiated from outside to inside.

Options
    endpoint-independent—Currently, the only valid setting specifies endpoint-independent filtering behavior.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • Configuring Actions in NAT Rules on page 159

from

Syntax
    from {
        application-sets set-name;
        applications [ application-names ];
        destination-address (address | any-unicast) <except>;
        destination-address-range low minimum-value high maximum-value <except>;
        source-address (address | any-unicast) <except>;
        source-address-range low minimum-value high maximum-value <except>;
    }

Hierarchy Level
    [edit services nat rule rule-name term term-name]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Specify input conditions for the NAT term. For information on match conditions, see the description of firewall filter match conditions in the Junos OS Routing Policy Configuration Guide.

Options
    The remaining statements are explained separately.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • Configuring NAT Rules on page 156

hint

Syntax
    hint [ hint-strings ];

Hierarchy Level
    [edit services nat pool nat-pool-name pgcp]

Release Information
    Statement introduced in Junos OS Release 9.0.

Description
    Configure a hint that enables the border gateway function (BGF) to choose a NAT pool by direction rather than by virtual interface. The BGF matches the configured hint with a termination hint located in the Direction field of a nonstandard termination ID.

Default
    When no hint is configured, the BGF can choose any NAT pool associated with the virtual interface.

Options
    hint-string—Alphanumeric string of up to three characters that the BGF uses to match with a termination hint located in the Direction field of a nonstandard termination ID. You can also include underscores (_) and hyphens (-) within the string. To specify a list of hints, use the format: [ hint xx hint yy ].

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • Session Border Control Solutions Guide Using BGF and IMSG

ipv6-multicast-interfaces

Syntax
    ipv6-multicast-interfaces (all | interface-name) {
        disable;
    }

Hierarchy Level
    [edit services nat],
    [edit services softwire]

Release Information
    Statement introduced in Junos OS Release 9.1.

Description
    Enable multicast filters on Ethernet interfaces when IPv6 NAT is used for neighbor discovery.

Options
    all—Enable filters on all interfaces.
    interface-name—Enable filters on a specific interface only.
    disable—Disable filters on the specified interfaces.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • Configuring IPv6 Multicast Filters on page 151
    • Configuring IPv6 Multicast Interfaces on page 868

mapping-type

Syntax
    mapping-type endpoint-independent;

Hierarchy Level
    [edit services nat rule rule-name term term-name then translated]

Release Information
    Statement introduced in JUNOS Release 10.1.

Description
    Specify the source NAT mapping type.

Options
    endpoint-independent—Currently, the only valid setting specifies endpoint-independent mapping behavior.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • Configuring Actions in NAT Rules on page 159

match-direction

Syntax
    match-direction (input | output);

Hierarchy Level
    [edit services nat rule rule-name]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Specify the direction in which the rule match is applied.

Options
    input—Apply the rule match on input.
    output—Apply the rule match on output.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • Configuring NAT Rules on page 156

no-translation

Syntax
    no-translation;

Hierarchy Level
    [edit services nat rule rule-name term term-name then]

Release Information
    Statement introduced in Junos OS Release 7.6.

Description
    Specify that traffic is not to be translated.

Options
    none

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • Configuring Actions in NAT Rules on page 159

overload-pool

Syntax
    overload-pool overload-pool-name;

Hierarchy Level
    [edit services nat rule rule-name term term-name then translated]

Release Information
    Statement introduced in Junos OS Release 7.6.

Description
    Specify an address pool that can be used if the source pool becomes exhausted.

Options
    overload-pool-name—Name of the overload pool.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • Configuring Actions in NAT Rules on page 159

overload-prefix

Syntax
    overload-prefix overload-prefix;

Hierarchy Level
    [edit services nat rule rule-name term term-name then translated]

Release Information
    Statement introduced in Junos OS Release 7.6.

Description
    Specify the prefix that can be used if the source pool becomes exhausted.

Options
    overload-prefix—Prefix value.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • Configuring Actions in NAT Rules on page 159

pgcp

Syntax
    pgcp {
        hint [ hint-strings ];
        ports-per-session ports;
        remotely-controlled;
        transport [ transport-protocols ];
    }

Hierarchy Level
    [edit services nat pool nat-pool-name]

Release Information
    Statement introduced in Junos OS Release 8.4.
    remotely-controlled and ports-per-session statements added in Junos OS Release 8.5.
    hint statement added in Junos OS Release 9.0.

Description
    Specify that the NAT pool is used exclusively by the BGF.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • Session Border Control Solutions Guide Using BGF and IMSG

pool

Syntax
    pool nat-pool-name {
        address ip-prefix</prefix-length>;
        address-allocation round-robin;
        address-range low minimum-value high maximum-value;
        mapping-timeout seconds;
        pgcp {
            hint [ hint-strings ];
            ports-per-session ports;
            remotely-controlled;
            transport [ transport-protocols ];
        }
        port (automatic | range low minimum-value high maximum-value) {
            preserve-parity;
            preserve-range;
            secured-port-block-allocation {
                active-block-timeout timeout-seconds;
                block-size block-size;
                max-blocks-per-user max-blocks;
            }
        }
    }

Hierarchy Level
    [edit services nat]

Release Information
    Statement introduced before Junos OS Release 7.4.
    pgcp statement added in Junos OS Release 8.4.
    remotely-controlled and ports-per-session statements added in Junos OS Release 8.5.
    hint statement added in Junos OS Release 9.0.
    address-allocation statement added in Junos OS Release 11.2.

Description
    Specify the NAT pool name and properties.

Options
    nat-pool-name—Identifier for the NAT address pool.
    The remaining statements are explained separately.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • Configuring Addresses and Ports for Use in NAT Rules on page 151

port

Syntax
    port (automatic | range low minimum-value high maximum-value) {
        preserve-parity;
        preserve-range;
        secured-port-block-allocation {
            active-block-timeout timeout-seconds;
            block-size block-size;
            max-blocks-per-user max-blocks;
        }
    }

Hierarchy Level
    [edit services nat pool nat-pool-name]

Release Information
    port statement introduced before Junos OS Release 7.4.
    random-allocation statement introduced in Junos OS Release 9.3.

Description
    Specify the NAT pool port or range. You can configure an automatically assigned port or specify a range with minimum and maximum values.

Options
    automatic—Router-assigned port.
    minimum-value—Lower boundary for the port range.
    maximum-value—Upper boundary for the port range.
    preserve-parity—Allocate ports with the same parity as the original port.
    preserve-range—Preserve the privileged port range after translation.
    Other options are described separately.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • Configuring Addresses and Ports for Use in NAT Rules on page 151

port-forwarding

Syntax
    port-forwarding map-name {
        destined-port;
        translated-port;
    }

Hierarchy Level
    [edit services nat]

Release Information
    Statement introduced in Junos OS Release 11.4.

Description
    Specify the name for mapping port forwarding in a Network Address Translation configuration.

Options
    map-name—Identifier for the port forwarding map.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

port-forwarding-mappings

Syntax
    port-forwarding-mappings map-name;

Hierarchy Level
    [edit services nat rule rule-name term term-name then]

Release Information
    Statement introduced in Junos OS Release 11.4.

Description
    Specify the mapping for port forwarding.

Options
    map-name—Identifier for the port forwarding mapping.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

ports-per-session

Syntax
    ports-per-session ports;

Hierarchy Level
    [edit services nat pool nat-pool-name pgcp]

Release Information
    Statement introduced in Junos OS Release 8.5.

Description
    Configure the number of ports required to support Real-Time Transport Protocol (RTP), Real-Time Control Protocol (RTCP), Real-Time Streaming Protocol (RTSP), and forward error correction (FEC) for voice and video flows on the Multiservices PIC.

Options
    ports—Number of ports to enable: 2 or 4 for combined voice and video services.
    Default: 2

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • Session Border Control Solutions Guide Using BGF and IMSG

remotely-controlled

Syntax
    remotely-controlled;

Hierarchy Level
    [edit services nat pool nat-pool-name pgcp]

Release Information
    Statement introduced in Junos OS Release 8.5.

Description
    Configure the addresses and ports in a NAT pool to be remotely controlled by the gateway controller.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • Session Border Control Solutions Guide Using BGF and IMSG

rule

Syntax
    rule rule-name {
        match-direction (input | output);
        term term-name {
            from {
                application-sets set-name;
                applications [ application-names ];
                destination-address (address | any-unicast) <except>;
                destination-address-range low minimum-value high maximum-value <except>;
                source-address (address | any-unicast) <except>;
                source-address-range low minimum-value high maximum-value <except>;
            }
            then {
                no-translation;
                syslog;
                translated {
                    address-pooling paired;
                    destination-pool nat-pool-name;
                    destination-prefix destination-prefix;
                    dns-alg-pool dns-alg-pool;
                    dns-alg-prefix dns-alg-prefix;
                    filtering-type endpoint-independent;
                    mapping-type endpoint-independent;
                    overload-pool overload-pool;
                    overload-prefix overload-prefix;
                    source-pool nat-pool-name;
                    source-prefix source-prefix;
                    translation-type (basic-nat-pt | basic-nat44 | basic-nat66 | dnat-44 | dynamic-nat44 | napt-44 | napt-66 | napt-pt | stateful-nat64 | twice-basic-nat-44 | twice-dynamic-nat-44 | twice-napt-44);
                }
            }
        }
    }

Hierarchy Level
    [edit services nat],
    [edit services nat rule-set rule-set-name]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Specify the rule the router uses when applying this service.

Options
    rule-name—Identifier for the collection of terms that make up this rule.
    The remaining statements are explained separately.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • Configuring NAT Rules on page 156

rule-set

Syntax
    rule-set rule-set-name {
        [ rule rule-names ];
    }

Hierarchy Level
    [edit services nat]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Specify the rule set the router uses when applying this service.

Options
    rule-set-name—Identifier for the collection of rules that constitute this rule set.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • Configuring NAT Rule Sets on page 161

secured-port-block-allocation

Syntax
    secured-port-block-allocation {
        active-block-timeout timeout-seconds;
        block-size block-size;
        max-blocks-per-user max-blocks;
    }

Hierarchy Level
    [edit services nat pool pool-name port]

Release Information
    Statement introduced in Junos OS Release 11.2.

Description
    When you use block allocation, one or more blocks of ports in a NAT pool address range are available for assignment to a subscriber.

Options
    timeout-seconds—Interval, in seconds, during which a block is active. After the timeout, a new block is allocated, even if ports are available in the active block. Any inactive block without any ports in use is freed to the NAT pool.
        Default: 0—The default timeout of the active block is 0 (infinite). In this case, the active block transitions to inactive only when it runs out of ports and a new block is allocated.
        Range: Any value greater than or equal to 120.
    block-size—Number of ports included in a block.
        Default: 128
        Range: 64 to 64,512
    max-blocks—Maximum number of blocks that can be allocated to a user.
        Default: 8
        Range: 1 to 2,048

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • Configuring Addresses and Ports for Use in NAT Rules on page 151

services

Syntax
    services nat {
        ...
    }

Hierarchy Level
    [edit]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Define the service rules to be applied to traffic.

Options
    nat—Identifies the NAT set of rules statements.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • Network Address Translation

source-address

Syntax
    source-address (address | any-unicast) <except>;

Hierarchy Level
    [edit services nat rule rule-name term term-name from]

Release Information
    Statement introduced before Junos OS Release 7.4.
    any-unicast and except options introduced in Junos OS Release 7.6.
    address option enhanced to support IPv6 addresses in Junos OS Release 8.5.

Description
    Specify the source address for rule matching.

Options
    address—Source IPv4 or IPv6 address or prefix value.
    any-unicast—Any unicast packet.
    except—(Optional) Prevent the specified address or unicast packets from being translated.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • Configuring Match Conditions in NAT Rules on page 158

source-address-range

Syntax
    source-address-range low minimum-value high maximum-value <except>;

Hierarchy Level
    [edit services nat rule rule-name term term-name from]

Release Information
Statement introduced in Junos OS Release 7.5. minimum-value and maximum-value options enhanced to support IPv6 addresses in Junos OS Release 8.5.

Description
Specify the source address range for rule matching.

Options
minimum-value—Lower boundary for the IPv4 or IPv6 address range.
maximum-value—Upper boundary for the IPv4 or IPv6 address range.
except—(Optional) Prevent the specified address range from being translated.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation
• Configuring Match Conditions in NAT Rules on page 158

source-pool

Syntax
    source-pool nat-pool-name;

Hierarchy Level
    [edit services nat rule rule-name term term-name then translated]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Specify the source address pool for translated traffic.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation
• Configuring Actions in NAT Rules on page 159

source-prefix

Syntax
    source-prefix source-prefix;

Hierarchy Level
    [edit services nat rule rule-name term term-name then translated]

Release Information
Statement introduced in Junos OS Release 7.6. source-prefix option enhanced to support IPv6 addresses in Junos OS Release 8.5.

Description
Specify the source prefix for translated traffic.

Options
source-prefix—IPv4 or IPv6 source prefix value.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation
• Configuring Actions in NAT Rules on page 159

source-prefix-list

Syntax
    source-prefix-list list-name <except>;

Hierarchy Level
    [edit services nat rule rule-name term term-name from]

Release Information
Statement introduced in Junos OS Release 8.2.

Description
Specify the source prefix list for rule matching. You configure the prefix list by including the prefix-list statement at the [edit policy-options] hierarchy level.

Options
list-name—Source prefix list.
except—(Optional) Exclude the specified prefix list from rule matching.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation
• Configuring Match Conditions in NAT Rules on page 158
• Junos OS Routing Policy Configuration Guide

syslog

Syntax
    syslog;

Hierarchy Level
    [edit services nat rule rule-name term term-name then]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Enable system logging. The system log information from the Multiservices PIC is passed to the kernel for logging in the /var/log directory.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation
• Configuring Actions in NAT Rules on page 159

term

Syntax
    term term-name {
        from {
            application-sets set-name;
            applications [ application-names ];
            destination-address (address | any-unicast) <except>;
            destination-address-range low minimum-value high maximum-value <except>;
            source-address (address | any-unicast) <except>;
            source-address-range low minimum-value high maximum-value <except>;
        }
        then {
            no-translation;
            syslog;
            translated {
                address-pooling paired;
                destination-pool nat-pool-name;
                destination-prefix destination-prefix;
                dns-alg-pool dns-alg-pool;
                dns-alg-prefix dns-alg-prefix;
                filtering-type endpoint-independent;
                mapping-type endpoint-independent;
                source-pool nat-pool-name;
                source-prefix source-prefix;
                translation-type (basic-nat-pt | basic-nat44 | basic-nat66 | dnat-44 | dynamic-nat44 | napt-44 | napt-66 | napt-pt | stateful-nat64 | twice-basic-nat-44 | twice-dynamic-nat-44 | twice-napt-44);
            }
        }
    }

Hierarchy Level
    [edit services nat rule rule-name]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Define the NAT term properties.

Options
term-name—Identifier for the term.
The remaining statements are explained separately.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation
• Configuring NAT Rules on page 156

then

Syntax
    then {
        no-translation;
        syslog;
        translated {
            address-pooling paired;
            destination-pool nat-pool-name;
            destination-prefix destination-prefix;
            dns-alg-pool dns-alg-pool;
            dns-alg-prefix dns-alg-prefix;
            filtering-type endpoint-independent;
            mapping-type endpoint-independent;
            source-pool nat-pool-name;
            source-prefix source-prefix;
            translation-type (basic-nat-pt | basic-nat44 | basic-nat66 | dnat-44 | dynamic-nat44 | napt-44 | napt-66 | napt-pt | stateful-nat64 | twice-basic-nat-44 | twice-dynamic-nat-44 | twice-napt-44);
        }
    }

Hierarchy Level
    [edit services nat rule rule-name term term-name]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Define the NAT term actions.

Options
The remaining statements are explained separately.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation
• Configuring NAT Rules on page 156

translated-port

Syntax
    translated-port port id;

Hierarchy Level
    [edit services nat port-forwarding map-name]

Release Information
Statement introduced in Junos OS Release 11.4.

Description
Specify the port to which all traffic will be translated.

Options
port id—The port number to which traffic will be translated.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation
• port-forwarding on page 255
• destined-port on page 245

translated

Syntax
    translated {
        address-pooling paired;
        destination-pool nat-pool-name;
        dns-alg-pool dns-alg-pool;
        dns-alg-prefix dns-alg-prefix;
        filtering-type endpoint-independent;
        mapping-type endpoint-independent;
        source-pool nat-pool-name;
        translation-type (basic-nat-pt | basic-nat44 | basic-nat66 | dnat-44 | dynamic-nat44 | napt-44 | napt-66 | napt-pt | stateful-nat64 | twice-basic-nat-44 | twice-dynamic-nat-44 | twice-napt-44);
    }

Hierarchy Level
    [edit services nat rule rule-name term term-name then]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Define properties for translated traffic.

Options
The remaining statements are explained separately.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation
• Configuring Actions in NAT Rules on page 159

translation-type

Syntax
    translation-type (basic-nat-pt | basic-nat44 | basic-nat66 | dnat-44 | dynamic-nat44 | napt-44 | napt-66 | napt-pt | stateful-nat64 | twice-basic-nat-44 | twice-dynamic-nat-44 | twice-napt-44);

Hierarchy Level
    [edit services nat rule rule-name term term-name then translated]

Release Information
Statement introduced before Junos OS Release 7.4.
The following options introduced in Junos OS Release 11.2, replacing all previous options:
• basic-nat44
• basic-nat66
• basic-nat-pt
• dnat-44
• dynamic-nat44
• napt-44
• napt-66
• napt-pt
• stateful-nat64
twice-basic-nat-44—Option introduced in Junos OS Release 11.4.
twice-dynamic-nat-44—Option introduced in Junos OS Release 11.4.
twice-napt-44—Option introduced in Junos OS Release 11.4.

Description
Specify the NAT translation types. The basic-nat-pt option is always implemented with DNS ALG.

Options
• basic-nat44—Translate the source address statically (IPv4 to IPv4).
• basic-nat66—Translate the source address statically (IPv6 to IPv6).
• basic-nat-pt—Translate the addresses of IPv6 hosts as they originate sessions to the IPv4 hosts in the external domain.
• dnat-44—Translate the destination address statically (IPv4 to IPv4).
• dynamic-nat44—Translate only the source address by dynamically choosing the NAT address from the source address pool.
• napt-44—Translate the transport identifier of the IPv4 private network to a single IPv4 external address.
• napt-66—Translate the transport identifier of the IPv6 private network to a single IPv6 external address.

• napt-pt—Bind addresses in an IPv6 network with addresses in an IPv4 network and vice versa to provide transparent routing for the datagrams traversing between the address realms.
• stateful-nat64—Implement dynamic address and port translation for source IP addresses (IPv6-to-IPv4) and prefix removal translation for the destination IP addresses (IPv6-to-IPv4).
• twice-basic-nat-44—Translate the source and destination addresses statically (IPv4 to IPv4).
• twice-dynamic-nat-44—Translate the source address by dynamically choosing the NAT address from the source address pool. Translate the destination address statically.
• twice-napt-44—Translate the transport identifier of the IPv4 private network to a single IPv4 external address. Translate the destination address statically.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation
• Configuring Actions in NAT Rules on page 159

transport

Syntax
    transport [ transport-protocols ];

Hierarchy Level
    [edit services nat pool nat-pool-name pgcp]

Release Information
Statement introduced in Junos OS Release 9.2.

Description
Configure the BGF to select a NAT pool based on transport protocol type.

Options
[ transport-protocol ]—One or more transport protocols.
Syntax: One or more protocols. If you specify more than one protocol, you must enclose all protocols in brackets.
Values: rtp-avp, tcp, udp

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation
• Session Border Control Solutions Guide Using BGF and IMSG

use-dns-map-for-destination-translation

Syntax
    use-dns-map-for-destination-translation;

Hierarchy Level
    [edit services nat rule rule-name term term-name then translated]

Release Information
Statement introduced in Junos OS Release 10.4.

Description
Enable the Domain Name System (DNS) application-level gateway (ALG) address map for destination translation.

NOTE: This statement is deprecated and might be removed completely in a future release.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.


CHAPTER 12
Load Balancing Configuration Guidelines

• Configuring Load Balancing on AMS Infrastructure on page 271
• Example: Configuring Static Source Translation on AMS Infrastructure on page 273

Configuring Load Balancing on AMS Infrastructure

As of now, most router services are provisioned using service sets in Junos OS. Each service set directs traffic to a specific preconfigured services PIC only. This leads to inefficient use of networking resources within a system. Load balancing resolves this situation by allowing distribution of ingress and egress traffic across multiple services PICs. All ingress or egress traffic for a service set can be load balanced across different services PICs.

Configuring load balancing requires an aggregated Multiservices (AMS) system. AMS involves grouping several Multiservices PICs together. An AMS configuration eliminates the need for separate routers within a system. The primary benefit of having an AMS configuration is the ability to support load balancing of traffic across multiple services PICs. Load balancing works by hashing each packet and then redirecting the packet to the appropriate services PIC. Load balancing can be accomplished only on MX Series 3D Universal Edge routers because services PICs require symmetric hashing to ensure that ingress and egress traffic are directed properly.

AMS has several benefits:
• Support for configuring behavior if a Multiservices PIC that is part of the AMS configuration fails
• Support for specifying hash keys for each service set in either direction
• Support for adding routes to individual PICs within the AMS system

Configuring AMS Infrastructure

AMS supports load balancing across multiple service sets. To enable load balancing, you have to configure an aggregate interface with existing services interfaces. Starting with Junos OS 11.4, high availability (HA) is supported on AMS infrastructure on all MX Series 3D Universal Edge routers. To configure failure behavior in AMS, include the member-failure-options statement:

[edit interfaces ams1]
load-balancing-options {
    member-failure-options {

        drop-member-traffic {
            rejoin-timeout rejoin-timeout;
        }
        redistribute-all-traffic {
            enable-rejoin;
        }
    }
}

If a PIC fails, the traffic to the failed PIC can be configured to be redistributed by using the redistribute-all-traffic statement at the [edit interfaces interface-name load-balancing-options member-failure-options] hierarchy level. If the drop-member-traffic statement is used, all traffic to the failed PIC is dropped. Both options are mutually exclusive.

NOTE: If member-failure-options is not explicitly configured, the default behavior is to drop member traffic with a rejoin timeout of 120 seconds.

After an AMS interface has been configured, the constituent mams- interfaces cannot be individually configured. Only mams- interfaces (services interfaces that are part of AMS) can be aggregated. A mams- interface cannot be used as an rms interface. It is not possible to configure addresses on an AMS interface. AMS supports only IPv4; the inet6 family is not supported.

NOTE: Unit 0 on an AMS interface cannot be configured.

To support multiple applications and different types of translation, AMS infrastructure supports configuring hashing for each service set. The hash keys can be configured separately for ingress and egress. The default configuration uses source IP, destination IP, and the protocol for hashing. incoming-interface for ingress and outgoing-interface for egress are also available. Network Address Translation (NAT) is the only application that runs on AMS infrastructure at this time.

Configuring High Availability

In an AMS system configured with high availability, a designated Multiservices PIC acts as a backup for other active PICs that are part of the AMS system. Presently, only N:1 backup for high availability is supported; only one PIC is available as backup for all other active PICs. High availability for load balancing is configured by adding the high-availability-options statement at the [edit interfaces interface-name load-balancing-options] hierarchy level. To configure high availability, include the high-availability-options statement:

[edit interfaces ams1]
load-balancing-options {
    high-availability-options {
        many-to-one {
            preferred-backup preferred-backup;

        }
    }
}

Load Balancing Network Address Translation Flows

Starting with Junos OS Release 11.4, Network Address Translation (NAT) has been programmed as a plug-in and is a function of load balancing and high availability. The plug-in runs on AMS infrastructure. All flows for translation are automatically distributed to different services PICs that are part of the AMS infrastructure. The hashing method selected depends on the type of NAT. In case of failure of an active Multiservices PIC, the configured backup Multiservices PIC will take over the NAT pool resources of the failed PIC.

Using NAT on AMS infrastructure has a few limitations:
• NAT flows to failed PICs cannot be restored.
• Twice NAT is not supported for load balancing.
• There is no support for IPv6 flows.

See “Example: Configuring Static Source Translation on AMS Infrastructure” on page 273 for more details on configuring NAT flows for load balancing.

Example: Configuring Static Source Translation on AMS Infrastructure

This example shows a static source translation configured on an AMS interface. The flows will be load balanced across member interfaces with this example.

1. Configure the AMS interface ams0 with load balancing options.

[edit interfaces ams0]
load-balancing-options {
    member-interface mams-5/0/0;
    member-interface mams-5/1/0;
}
unit 1 {
    family inet;
}
unit 2 {
    family inet;
}

2. Configure hash keys for the service set for both ingress and egress traffic.

[edit services service-set ss1]
interface-service {
    service-interface ams0;
    load-balancing-options {
        hash-keys {
            ingress-key destination-ip;
            egress-key source-ip;
        }
    }
}

1.1. term t1 { from { source-address { 20. .1.1.81/32. Juniper Networks.1. [edit services] nat { pool p1 { address-range low 20.80 high 20.Junos 11.2/32.80. translation-type { basic-nat44. } } } term t1 { from { source-address { 40.1.1. Configure two NAT pools because you have configured two member interfaces for the AMS interface. } } then { translated { source-pool p2.4 Services Interfaces Configuration Guide NOTE: Hashing is determined based on whether the service set is applied on the ingress or egress interface.1. translation-type { basic-nat44. } } then { translated { source-pool p1. } } Configure the NAT rule and translation. [edit services] nat { rule r1 { match-direction input. Inc.2/32.1.1. } pool p2 { address 20. } } } } } 274 Copyright © 2011.

NOTE: A similar configuration can be applied for translation types dynamic-nat44 and napt-44. Twice NAT cannot run on AMS infrastructure at this time.

Related Documentation
• Configuring Load Balancing on AMS Infrastructure on page 271
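An added Python model, not Junos or Juniper code, of how the per-service-set hash keys decide which member PIC a flow lands on, and why the example's ingress-key destination-ip / egress-key source-ip pairing keeps both directions of a translated flow on one member. The hash itself (SHA-256 of the selected fields modulo the member count), the server address, the 40.1.1.2 to 20.1.1.80 static mapping and all function names are assumptions.

```python
"""Added model of AMS per-service-set hash keys and symmetric flow placement.

Not Junos code. The hash (SHA-256 of the selected key fields modulo the member
count) is an assumption; the page does not document the platform hash. It shows
why the example's ingress-key destination-ip / egress-key source-ip pairing keeps
both directions of a translated flow on the same member PIC.
"""
import hashlib
from typing import NamedTuple, Sequence


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str


# Default hash keys named on the page: source IP, destination IP and protocol.
DEFAULT_KEYS = ("source-ip", "destination-ip", "protocol")
FIELDS = {"source-ip": "src", "destination-ip": "dst", "protocol": "proto"}


def hash_input(flow: Flow, keys: Sequence[str]) -> str:
    """The selected key fields of a packet, joined in key order."""
    return "|".join(getattr(flow, FIELDS[key]) for key in keys)


def pick_member(flow: Flow, keys: Sequence[str], members: Sequence[str]) -> str:
    """Member PIC chosen for a packet (assumed hash: SHA-256 mod member count)."""
    digest = hashlib.sha256(hash_input(flow, keys).encode()).digest()
    return members[int.from_bytes(digest[:8], "big") % len(members)]


def basic_nat44(flow: Flow, static_map: dict) -> Flow:
    """Static source translation (basic-nat44): only the source address changes."""
    return Flow(static_map.get(flow.src, flow.src), flow.dst, flow.proto)


def reply(flow: Flow) -> Flow:
    """The server's answer to a packet: addresses swapped."""
    return Flow(flow.dst, flow.src, flow.proto)


def symmetric(flow, static_map, ingress_keys, egress_keys, members) -> bool:
    """True when the subscriber's packet (hashed with the ingress keys before
    translation) and the server's reply (hashed with the egress keys, carrying
    the translated address) are sent to the same member."""
    outbound = pick_member(flow, ingress_keys, members)
    inbound = reply(basic_nat44(flow, static_map))
    return pick_member(inbound, egress_keys, members) == outbound


def place(flow, keys, members, failed, redistribute):
    """member-failure-options as a model: drop-member-traffic keeps the hash and
    drops what maps to a failed member; redistribute-all-traffic rehashes the
    flow over the surviving members."""
    if redistribute:
        alive = [m for m in members if m not in failed]
        return pick_member(flow, keys, alive) if alive else None
    member = pick_member(flow, keys, members)
    return None if member in failed else member


if __name__ == "__main__":
    members = ["mams-5/0/0", "mams-5/1/0"]          # from the example above
    static_map = {"40.1.1.2": "20.1.1.80"}          # assumed: term source -> pool p1 address
    flow = Flow("40.1.1.2", "203.0.113.10", "tcp")  # server address is constructed
    print(symmetric(flow, static_map, ("destination-ip",), ("source-ip",), members))  # True
    print(hash_input(flow, DEFAULT_KEYS),
          hash_input(reply(basic_nat44(flow, static_map)), DEFAULT_KEYS))
```

In this model the page's default keys (source IP, destination IP, protocol) hash different inputs for the two directions once the source address has been translated, whereas the example's keys hash the untranslated server address in both directions.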


CHAPTER 13
Summary of Load Balancing Configuration Statements

The following sections explain each of the load balancing and aggregated Multiservices (AMS) statements. The statements are organized alphabetically.

drop-member-traffic (Aggregated Multiservices)

Syntax
    drop-member-traffic {
        rejoin-timeout rejoin-timeout;
    }

Hierarchy Level
    [edit interfaces interface-name load-balancing-options member-failure-options]

Release Information
Statement introduced in Junos OS Release 11.4.

Description
Specify whether the broadband gateway should drop traffic to a Multiservices PIC when it fails. For many-to-one (N:1) high availability (HA) for service applications like Network Address Translation (NAT), this configuration is valid only when two or more Multiservices PICs have failed.
The remaining statement is explained separately.

Default
If this statement is not configured, then the default behavior is to drop member traffic with a rejoin timeout of 120 seconds.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation
• member-failure-options (Aggregated Multiservices) on page 283

enable-rejoin (aggregated Multiservices)

Syntax
    enable-rejoin;

Hierarchy Level
    [edit interfaces interface-name load-balancing-options member-failure-options redistribute-all-traffic]

Release Information
Statement introduced in Junos OS Release 11.4.

Description
Enable the failed member to rejoin the aggregated Multiservices (AMS) interface after the member comes back online. For many-to-one (N:1) high availability (HA) for service applications like Network Address Translation (NAT), this configuration allows the failed members to rejoin the pool of active members automatically.

Default
If you do not configure this option, then the failed members do not automatically rejoin the ams interface even after coming back online.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation
• redistribute-all-traffic (Aggregated Multiservices) on page 286

family (aggregated Multiservices)

Syntax
    family family;

Hierarchy Level
    [edit interfaces interface-name unit interface-unit-number]

Release Information
Statement introduced in Junos OS Release 11.4.

Description
Configure protocol family information for the logical interface.

Options
family—Protocol family. Currently, only one option, inet (IP version 4 suite), is supported.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation
• unit (Aggregated Multiservices) on page 287

high-availability-options (aggregated Multiservices)

Syntax
    high-availability-options {
        many-to-one {
            preferred-backup preferred-backup;
        }
    }

Hierarchy Level
    [edit interfaces interface-name load-balancing-options]

Release Information
Statement introduced in Junos OS Release 11.4.

Description
Configure the high availability options for the aggregated Multiservices (AMS) interface. For many-to-one (N:1) high availability support for service applications like Network Address Translation (NAT), the preferred backup Multiservices PIC, in hot standby mode, backs up one or more (N) active Multiservices PICs. For service applications, if one of the active Multiservices PICs goes down, then the backup replaces it as the active Multiservices PIC. When the failed PIC comes back up, it becomes the new backup. This is called floating backup.
The remaining statements are explained separately.

NOTE: In both cases, if only the load-balancing feature is being used, then this configuration is optional.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation
• load-balancing-options on page 281

interfaces (Aggregated Multiservices)

Syntax
    interfaces interface-name {
        load-balancing-options {
            high-availability-options {
                many-to-one {
                    preferred-backup preferred-backup;
                }
            }
            member-failure-options {
                drop-member-traffic {
                    rejoin-timeout rejoin-timeout;
                }
                redistribute-all-traffic {
                    enable-rejoin;
                }
            }
            member-interface interface-name;
        }
        unit interface-unit-number {
            family family;
        }
    }

Hierarchy Level
    [edit]

Release Information
Statement introduced in Junos OS Release 11.4.

Description
Configure the aggregated Multiservices (AMS) interface. The AMS interface provides the infrastructure for load balancing and high availability (HA). The ams infrastructure is supported only in chassis with Trio-based modules and Multiservices Dense Port Concentrators (MS-DPCs).
The remaining statements are explained separately.

NOTE: The interfaces must be valid aggregated Multiservices interfaces (ams)—for example, ams0 or ams1, and so on.

Options
interface-name—Name of the aggregated Multiservices interface (ams)—for example, ams0 or ams1, and so on.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation
• Configuring Load Balancing on AMS Infrastructure on page 271

load-balancing-options (Aggregated Multiservices)

Syntax
    load-balancing-options {
        high-availability-options {
            many-to-one {
                preferred-backup preferred-backup;
            }
        }
        member-failure-options {
            drop-member-traffic {
                rejoin-timeout rejoin-timeout;
            }
            redistribute-all-traffic {
                enable-rejoin;
            }
        }
        member-interface interface-name;
    }

Hierarchy Level
    [edit interfaces interface-name]

Release Information
Statement introduced in Junos OS Release 11.4.

Description
Configure the high availability (HA) options for the aggregated Multiservices (AMS) interface. Many-to-one (N:1) high availability mode for service applications like Network Address Translation (NAT) is supported. In this case, one Multiservices PIC is the backup (in hot standby mode) for one or more (N) active Multiservices PICs. If one of the active Multiservices PICs goes down, then the backup replaces it as the active Multiservices PIC. When the failed PIC comes back online, it becomes the new backup. This is called floating backup mode.
The remaining statements are explained separately.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation
• interfaces on page 280

many-to-one (Aggregated Multiservices)

Syntax
    many-to-one {
        preferred-backup preferred-backup;
    }

Hierarchy Level
    [edit interfaces interface-name load-balancing-options high-availability-options]

Release Information
Statement introduced in Junos OS Release 11.4.

Description
Configure the initial preferred backup for the aggregated Multiservices (AMS) interface. Even in the case of mobile control plane redundancy, which is one-to-one (1:1), the initial preferred backup is configured at this hierarchy level.
The remaining statements are explained separately.

NOTE: The preferred backup must be one of the member interfaces (mams-) that have already been configured at the [edit interfaces interface-name load-balancing-options] hierarchy level.

Options
preferred-backup preferred-backup—Name of the preferred backup member interface. The member interface format is mams-a/b/0, where a is the Flexible PIC Concentrator (FPC) slot number and b is the PIC slot number.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation
• high-availability-options (aggregated Multiservices) on page 279

member-failure-options (Aggregated Multiservices)

Syntax
    member-failure-options {
        drop-member-traffic {
            rejoin-timeout rejoin-timeout;
        }
        redistribute-all-traffic {
            enable-rejoin;
        }
    }

Hierarchy Level
    [edit interfaces interface-name load-balancing-options]

Release Information
Statement introduced in Junos OS Release 11.4.

Description
Configure the possible behavior for the aggregated Multiservices (AMS) interface in case of failure of more than one active member.
The remaining statements are explained separately.

NOTE: The AMS infrastructure has been designed to handle one failure automatically. However, in the unlikely event that more than one Multiservices PIC fails, the AMS infrastructure provides configuration options to minimize the impact on existing traffic flows.

NOTE: The drop-member-traffic configuration and the redistribute-all-traffic configuration are mutually exclusive.

Table 11 on page 283 displays the behavior of the member interface after the failure of the first Multiservices PIC. Table 12 on page 284 displays the behavior of the member interface after the failure of two Multiservices PICs.

Table 11: Behavior of Member Interface After One Multiservices PIC Fails

High Availability Mode: Many-to-one (N:1) high availability support for service applications
Member Interface Behavior: Automatically handled by the AMS infrastructure

Table 12: Behavior of Member Interface After Two Multiservices PICs Fail

High Availability Mode: Many-to-one (N:1) high availability support for service applications
Configuration: drop-member-traffic, rejoin-timeout configured
Behavior when member rejoins before rejoin-timeout expires: The existing traffic for the second failed member will not be redistributed to the other members. The first member will rejoin the AMS automatically. This behavior is handled automatically by the AMS infrastructure.
Behavior when member rejoins after rejoin-timeout expires: The existing traffic for the second failed member will not be redistributed to the other members. However, the other members who are rejoining will be moved to the discard state.

High Availability Mode: Many-to-one (N:1) high availability support for service applications
Configuration: redistribute-all-traffic
Behavior when member rejoins before rejoin-timeout expires: Not applicable
Behavior when member rejoins after rejoin-timeout expires: Before rejoin, the traffic is redistributed to existing active members. This may impact existing traffic flows. After a failed member rejoins, the traffic is load-balanced afresh. The first member to rejoin becomes an active member. The second member to rejoin becomes the backup.

Default
If member-failure-options are not configured, then the default behavior is to drop member traffic with a rejoin timeout of 120 seconds.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation
• load-balancing-options (Aggregated Multiservices) on page 281

member-interface (Aggregated Multiservices)

Syntax
    member-interface interface-name;

Hierarchy Level
    [edit interfaces interface-name load-balancing-options]

Release Information
Statement introduced in Junos OS Release 11.4.

Description
Specify the member interfaces for the aggregated Multiservices (AMS) interface. You can configure multiple interfaces by specifying each interface in a separate statement. For high availability service applications like Network Address Translation (NAT) that support many-to-one (N:1) redundancy, you can specify two or more interfaces.
The remaining statements are explained separately.

NOTE: The member interfaces that you specify must be members of aggregated Multiservices interfaces (mams-).

Options
interface-name—Name of the member interface. The member interface format is mams-a/b/0, where a is the Flexible PIC Concentrator (FPC) slot number and b is the PIC slot number.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation
• load-balancing-options (Aggregated Multiservices) on page 281

redistribute-all-traffic (Aggregated Multiservices)

Syntax
    redistribute-all-traffic {
        enable-rejoin;
    }

Hierarchy Level
    [edit interfaces interface-name load-balancing-options member-failure-options]

Release Information
Statement introduced in Junos OS Release 11.4.

Description
Enable the option to redistribute traffic of a failed active member to the other active members. For many-to-one (N:1) high availability support for Network Address Translation (NAT), the traffic for the failed member is automatically redistributed to the other active members.
The remaining statement is explained separately.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation
• member-failure-options (Aggregated Multiservices) on page 283

rejoin-timeout (Aggregated Multiservices)

Syntax
    rejoin-timeout rejoin-timeout;

Hierarchy Level
    [edit interfaces interface-name load-balancing-options member-failure-options drop-member-traffic]

Release Information
Statement introduced in Junos OS Release 11.4.

Description
Configure the time by when a failed member should rejoin the aggregated Multiservices (AMS) interface automatically. If the failed member does not rejoin by the configured time, then the member is moved to the “inactive” state and the traffic meant for this member is dropped.

Default
If you do not configure a value, the default value of 120 seconds is used.

Options
rejoin-timeout—Time, in seconds, by which a failed member must rejoin.
Default: 120 seconds

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation
• drop-member-traffic (Aggregated Multiservices) on page 277

unit (Aggregated Multiservices)

Syntax
    unit interface-unit-number {
        family family;
    }

Hierarchy Level
    [edit interfaces interface-name]

Release Information
    Statement introduced in Junos OS Release 11.4.

Description
    Configure the logical interface on the physical device. You must configure a logical interface to be able to use the physical device. The remaining statements are explained separately.

    NOTE: Unit 0 is reserved and cannot be configured under the aggregated Multiservices interface (ams).

Options
    interface-unit-number—Number of the logical unit.
    Range: 1 through 16,384

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • interfaces on page 280


CHAPTER 14

Intrusion Detection Service Configuration Guidelines

The Adaptive Services (AS) or Multiservices PIC supports a limited set of intrusion detection services (IDS) to perform attack detection. You can use IDS to perform the following tasks:

• Detect various types of denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks.
• Detect attempts at network scanning and probing.
• Detect anomalies in traffic patterns, such as sudden bursts or a decline in bandwidth.
• Specify thresholds for limiting the number of flows, the packet rate, and the session rate.
• Prevent some types of attacks.
• Redirect attack traffic to a collector for analysis.

Signature detection is not supported. IDS enables you to focus attack detection and remedial actions on specific hosts or networks that you specify in the IDS terms.

To configure IDS, include the ids statement at the [edit services] hierarchy level:

[edit services]
ids {
    rule rule-name {
        match-direction (input | output | input-output);
        term term-name {
            from {
                application-sets set-name;
                applications [ application-names ];
                destination-address (address | any-unicast) <except>;
                destination-address-range low minimum-value high maximum-value <except>;
                destination-prefix-list list-name <except>;
                source-address (address | any-unicast) <except>;
                source-address-range low minimum-value high maximum-value <except>;
                source-prefix-list list-name <except>;
            }
            then {
                aggregation {
                    destination-prefix prefix-value | destination-prefix-ipv6 prefix-value;
                    source-prefix prefix-value | source-prefix-ipv6 prefix-value;
                }
                (force-entry | ignore-entry);
                logging {
                    syslog;
                    threshold rate;
                }
                session-limit {
                    by-destination {
                        hold-time seconds;
                        maximum number;
                        packets number;
                        rate number;
                    }
                    by-pair {
                        hold-time seconds;
                        maximum number;
                        packets number;
                        rate number;
                    }
                    by-source {
                        hold-time seconds;
                        maximum number;
                        packets number;
                        rate number;
                    }
                }
                syn-cookie {
                    mss value;
                    threshold rate;
                }
            }
        }
    }
    rule-set rule-set-name {
        [ rule rule-names ];
    }
}

NOTE: The Junos OS uses stateful firewall settings as a basis for performing IDS. You must commit a stateful firewall configuration in the same service set for IDS to function properly.

This chapter contains the following sections:

• Configuring IDS Rules on page 291
• Configuring IDS Rule Sets on page 297
• Examples: Configuring IDS Rules on page 297

Configuring IDS Rules

IDS rules identify traffic for which you want the router software to count events. Because IDS is based on stateful firewall properties, you must configure at least one stateful firewall rule and include it in the service set with the IDS rules; for more information, see “Configuring Stateful Firewall Rules” on page 114.

To configure an IDS rule, include the rule rule-name statement at the [edit services ids] hierarchy level:

[edit services ids]
rule rule-name {
    match-direction (input | output | input-output);
    term term-name {
        from {
            application-sets set-name;
            applications [ application-names ];
            destination-address (address | any-unicast) <except>;
            destination-address-range low minimum-value high maximum-value <except>;
            destination-prefix-list list-name <except>;
            source-address (address | any-unicast) <except>;
            source-address-range low minimum-value high maximum-value <except>;
            source-prefix-list list-name <except>;
        }
        then {
            aggregation {
                destination-prefix prefix-value | destination-prefix-ipv6 prefix-value;
                source-prefix prefix-value | source-prefix-ipv6 prefix-value;
            }
            (force-entry | ignore-entry);
            logging {
                syslog;
                threshold rate;
            }
            session-limit {
                by-destination {
                    hold-time seconds;
                    maximum number;
                    packets number;
                    rate number;
                }
                by-pair {
                    hold-time seconds;
                    maximum number;
                    packets number;
                    rate number;
                }
                by-source {
                    hold-time seconds;
                    maximum number;
                    packets number;
                    rate number;
                }
            }
            syn-cookie {
                mss value;
                threshold rate;
            }
        }
    }
}

Each IDS rule consists of a set of terms, similar to a filter configured at the [edit firewall] hierarchy level. A term consists of the following:

• from statement—Specifies the match conditions and applications that are included and excluded.
• then statement—Specifies the actions and action modifiers to be performed by the router software.

The following sections describe IDS rule content in more detail:

• Configuring Match Direction for IDS Rules on page 292
• Configuring Match Conditions in IDS Rules on page 293
• Configuring Actions in IDS Rules on page 294

Configuring Match Direction for IDS Rules

Each rule must include a match-direction statement that specifies whether the match is applied on the input or output side of the interface. To configure where the match is applied, include the match-direction (input | output | input-output) statement at the [edit services ids rule rule-name] hierarchy level:

[edit services ids rule rule-name]
match-direction (input | output | input-output);

If you configure match-direction input-output, bidirectional rule creation is allowed.

The match direction is used with respect to the traffic flow through the AS or Multiservices PIC. When a packet is sent to the PIC, direction information is carried along with it.

With an interface service set, packet direction is determined by whether a packet is entering or leaving the interface on which the service set is applied.

With a next-hop service set, packet direction is determined by the interface used to route the packet to the AS or Multiservices PIC. If the inside interface is used to route the packet, the packet direction is input. If the outside interface is used to direct the packet to the PIC, the packet direction is output. For more information on inside and outside interfaces, see “Configuring Service Sets to be Applied to Services Interfaces” on page 568.

On the AS or Multiservices PIC, a flow lookup is performed. If no flow is found, rule processing is performed. All rules in the service set are considered. During rule processing, the packet direction is compared against rule directions. Only rules with direction information that match the packet direction are considered.

Configuring Match Conditions in IDS Rules

To configure IDS match conditions, include the from statement at the [edit services ids rule rule-name term term-name] hierarchy level:

[edit services ids rule rule-name term term-name]
from {
    application-sets set-name;
    applications [ application-names ];
    destination-address (address | any-unicast) <except>;
    destination-address-range low minimum-value high maximum-value <except>;
    destination-prefix-list list-name <except>;
    source-address (address | any-unicast) <except>;
    source-address-range low minimum-value high maximum-value <except>;
    source-prefix-list list-name <except>;
}

The source address and destination address can be either IPv4 or IPv6. You can use the destination address, a range of destination addresses, a source address, or a range of source addresses as a match condition, in the same way that you would configure a firewall filter. Alternatively, you can specify a list of source or destination prefixes by including the prefix-list statement at the [edit policy-options] hierarchy level and then including either the destination-prefix-list or source-prefix-list statement in the IDS rule. For more information, see the Junos OS Routing Policy Configuration Guide. For an example, see “Examples: Configuring Stateful Firewall Rules” on page 118.

You can also include application protocol definitions that you have configured at the [edit applications] hierarchy level; for more information, see “Configuring Application Protocol Properties” on page 72.

• To apply one or more specific application protocol definitions, include the applications statement at the [edit services ids rule rule-name term term-name from] hierarchy level.
• To apply one or more sets of application protocol definitions that you have defined, include the application-sets statement at the [edit services ids rule rule-name term term-name from] hierarchy level.

NOTE: If you include one of the statements that specifies application protocols, the router derives port and protocol information from the corresponding configuration at the [edit applications] hierarchy level; you cannot specify these properties as match conditions.

If a match occurs on an application, the application protocol is displayed separately in the show services ids command output. For more information, see the Junos OS System Basics and Services Command Reference.

If you omit the from statement, the software accepts all events and places them in the IDS cache for processing.

Configuring Actions in IDS Rules

To configure IDS actions, include the then statement at the [edit services ids rule rule-name term term-name] hierarchy level:

[edit services ids rule rule-name term term-name]
then {
    aggregation {
        destination-prefix prefix-value | destination-prefix-ipv6 prefix-value;
        source-prefix prefix-value | source-prefix-ipv6 prefix-value;
    }
    (force-entry | ignore-entry);
    logging {
        syslog;
        threshold rate;
    }
    session-limit {
        by-destination {
            hold-time seconds;
            maximum number;
            packets number;
            rate number;
        }
        by-pair {
            hold-time seconds;
            maximum number;
            packets number;
            rate number;
        }
        by-source {
            hold-time seconds;
            maximum number;
            packets number;
            rate number;
        }
    }
    syn-cookie {
        mss value;
        threshold rate;
    }
}

You can configure the following possible actions:

• aggregation—The router aggregates traffic labeled with the specified source or destination prefixes before passing the events to IDS processing. This is helpful if you want to examine all the traffic connected with a particular source or destination host. To collect traffic with some other marker, such as a particular application or port, configure that value in the match conditions. To configure aggregation prefixes, include the aggregation statement at the [edit services ids rule rule-name term term-name then] hierarchy level and specify values for source-prefix, destination-prefix, source-prefix-ipv6, or destination-prefix-ipv6:

    [edit services ids rule rule-name term term-name then]
    aggregation {
        destination-prefix prefix-value | destination-prefix-ipv6 prefix-value;
        source-prefix prefix-value | source-prefix-ipv6 prefix-value;
    }

    The value of source-prefix and destination-prefix must be an integer between 1 and 32. The value of source-prefix-ipv6 and destination-prefix-ipv6 must be an integer between 1 and 128.

• (force-entry | ignore-entry)—force-entry provides a permanent spot in IDS caches for subsequent events after one event is registered. By default, the IDS software does not record information about “good” packets that do not exhibit suspicious behavior. You can use the force-entry statement to record all traffic from a suspect host, even traffic that would not otherwise be counted. ignore-entry ensures that all IDS events are ignored. You can use this statement to disregard all traffic from a host you trust, including any temporary anomalies that IDS would otherwise count as events. To configure an entry behavior different from the default, include the force-entry or ignore-entry statement at the [edit services ids rule rule-name term term-name then] hierarchy level:

    [edit services ids rule rule-name term term-name then]
    (force-entry | ignore-entry);

• logging—The event is logged in the system log file. To configure logging, include the logging statement at the [edit services ids rule rule-name term term-name then] hierarchy level:

    [edit services ids rule rule-name term term-name then]
    logging {
        syslog;
        threshold rate;
    }

    You can optionally include a threshold rate to trigger the generation of system log messages. The threshold rate is specified in events per second. IDS logs are generated once every 60 seconds for each anomaly that is reported. The logs are generated as long as the events continue.

• session-limit—The router limits open sessions when the specified threshold is reached. To configure a threshold, include the session-limit statement at the [edit services ids rule rule-name term term-name then] hierarchy level:

    [edit services ids rule rule-name term term-name then]
    session-limit {
        by-destination {
            hold-time seconds;
            maximum number;
            packets number;
            rate number;
        }
        by-pair {
            hold-time seconds;
            maximum number;
            packets number;
            rate number;
        }
        by-source {
            hold-time seconds;
            maximum number;
            packets number;
            rate number;
        }
    }

    You configure the thresholds for flow limitation based on traffic direction:

    • To limit the number of outgoing sessions from one internal host or subnet, configure the by-source statement.
    • To limit the number of incoming sessions to one external public IP address or subnet, configure the by-destination statement.
    • To limit the number of sessions between a pair of IP addresses, configure the by-pair statement.

    For each direction, you can configure the following threshold values:

    • hold-time seconds—When the rate or packets measurement reaches the threshold value, stop all new flows for the specified number of seconds. Once hold-time is in effect, the traffic is blocked for the specified time even if the rate subsides below the specified limit. By default, hold-time has a value of 0; the range is 0 through 60 seconds.
    • maximum number—Maximum number of open sessions per IP address or subnet per application. The range is 1 through 32,767.
    • packets number—Maximum number of packets per second (pps) per IP address or subnet per application. The range is 4 through 2,147,483,647.
    • rate number—Maximum number of sessions per second per IP address or subnet per application. The range is 4 through 32,767.

    If you include more than one source address in the match conditions configured at the [edit services ids rule rule-name term term-name from] hierarchy level, limits are applied for each source address independently. For example, the following configuration allows 20 connections from each source address (10.1.1.1 and 10.1.1.2), not 20 connections total. The same logic applies to the applications and destination-address match conditions.

    [edit services ids rule rule-name term term-name]
    from {
        source-address 10.1.1.1;
        source-address 10.1.1.2;
    }
    then {
        session-limit {
            by-source {
                maximum 20;
            }
        }
    }
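    The interaction of the maximum, rate, packets, and hold-time thresholds is easier to see in a running simulation. The following Python program is an added example for this guide, not Junos OS code or output: the SessionLimiter class, the flow records, and the timestamps are constructed for the illustration. Two points are assumptions about the semantics described above rather than statements about the PIC: the attempt that exceeds rate is itself refused, and an excess packet only arms hold-time (the text does not say whether that packet is dropped).

```python
"""Simulation of the IDS session-limit thresholds (maximum, rate, packets, hold-time) per
direction (by-source, by-destination, by-pair). Constructed illustration, not Junos code."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Flow = Tuple[str, str, str]  # (source address, destination address, application)


@dataclass
class SessionLimit:
    maximum: Optional[int] = None  # open sessions per key per application
    rate: Optional[int] = None     # new sessions per second per key per application
    packets: Optional[int] = None  # packets per second per key per application
    hold_time: int = 0             # seconds to refuse new flows after rate/packets trips


@dataclass
class _Counters:
    open_sessions: int = 0
    second: int = -1            # wall-clock second the per-second counters refer to
    new_this_second: int = 0
    pkts_this_second: int = 0
    blocked_until: float = 0.0  # hold-time expiry for this key


class SessionLimiter:
    def __init__(self, by_source=None, by_destination=None, by_pair=None):
        self.limits: Dict[str, Optional[SessionLimit]] = {
            "by-source": by_source, "by-destination": by_destination, "by-pair": by_pair}
        self.state: Dict[tuple, _Counters] = defaultdict(_Counters)

    @staticmethod
    def _keys(flow: Flow) -> Dict[str, tuple]:
        src, dst, app = flow  # every limit is per address (or pair) and per application
        return {"by-source": (src, app), "by-destination": (dst, app), "by-pair": (src, dst, app)}

    def _counters(self, direction: str, key: tuple, now: float) -> _Counters:
        ctr = self.state[(direction, key)]
        if int(now) != ctr.second:  # new second: restart the per-second counters
            ctr.second, ctr.new_this_second, ctr.pkts_this_second = int(now), 0, 0
        return ctr

    def new_session(self, now: float, flow: Flow) -> bool:
        """True if the new session is admitted. Assumption: the attempt that exceeds rate is
        refused and, with hold-time > 0, the key stays blocked for hold-time seconds."""
        admitted = True
        for direction, key in self._keys(flow).items():
            limit = self.limits[direction]
            if limit is None:
                continue
            ctr = self._counters(direction, key, now)
            ctr.new_this_second += 1  # refused attempts still count toward the rate
            if limit.rate is not None and ctr.new_this_second > limit.rate:
                ctr.blocked_until = max(ctr.blocked_until, now + limit.hold_time)
                admitted = False
            if now < ctr.blocked_until:  # hold-time in effect, even if the rate subsided
                admitted = False
            if limit.maximum is not None and ctr.open_sessions >= limit.maximum:
                admitted = False
        if admitted:
            for direction, key in self._keys(flow).items():
                if self.limits[direction] is not None:
                    self.state[(direction, key)].open_sessions += 1
        return admitted

    def packet(self, now: float, flow: Flow) -> bool:
        """Count a packet of an existing flow; False once packets/s is exceeded. Exceeding it
        arms hold-time (new flows refused); whether the excess packet is dropped is not stated."""
        within = True
        for direction, key in self._keys(flow).items():
            limit = self.limits[direction]
            if limit is None or limit.packets is None:
                continue
            ctr = self._counters(direction, key, now)
            ctr.pkts_this_second += 1
            if ctr.pkts_this_second > limit.packets:
                ctr.blocked_until = max(ctr.blocked_until, now + limit.hold_time)
                within = False
        return within


def demo_by_source_maximum() -> Dict[str, int]:
    """by-source maximum 20 admits 20 open sessions from each source, not 20 in total."""
    lim = SessionLimiter(by_source=SessionLimit(maximum=20))
    return {src: sum(lim.new_session(0.0, (src, "192.0.2.10", "http")) for _ in range(25))
            for src in ("10.1.1.1", "10.1.1.2")}  # {'10.1.1.1': 20, '10.1.1.2': 20}


def demo_by_destination_shared() -> Tuple[int, int]:
    """by-destination maximum 20 is one budget shared by all sources of that destination."""
    lim = SessionLimiter(by_destination=SessionLimit(maximum=20))
    a = sum(lim.new_session(0.0, ("10.1.1.1", "192.0.2.10", "http")) for _ in range(15))
    b = sum(lim.new_session(0.0, ("10.1.1.2", "192.0.2.10", "http")) for _ in range(15))
    return a, b  # (15, 5)


def demo_hold_time():
    """rate 3, hold-time 5: the 4th SYN within a second trips the limit and the source stays
    blocked for 5 s even after it goes quiet; with hold-time 0 only that second's excess is lost."""
    lim = SessionLimiter(by_source=SessionLimit(rate=3, hold_time=5))
    flow = ("10.1.1.1", "192.0.2.10", "http")
    burst = [lim.new_session(i * 0.1, flow) for i in range(5)]  # [True, True, True, False, False]
    quiet = lim.new_session(3.0, flow)  # rate is now 1/s but hold-time still blocks
    later = lim.new_session(5.5, flow)  # hold-time expired
    return burst, quiet, later
```

    demo_by_source_maximum reproduces the configuration above: each source has its own budget of 20 open sessions, whereas demo_by_destination_shared shows that a by-destination limit is one budget for every source talking to that destination. demo_hold_time is the case the hold-time description is about: a source that trips rate 3 stays blocked for the full 5 seconds even though its rate has dropped to one attempt per second.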

    NOTE: IDS limits are applied to packets that are accepted by stateful firewall rules. They are not applied to packets discarded or rejected by stateful firewall rules. For example, if the stateful firewall accepts 75 percent of the incoming traffic and the remaining 25 percent is rejected or discarded, the IDS limit applies only to 75 percent of the traffic.

• syn-cookie—The router activates SYN-cookie defensive mechanisms. To configure SYN-cookie values, include the syn-cookie statement at the [edit services ids rule rule-name term term-name then] hierarchy level:

    [edit services ids rule rule-name term term-name then]
    syn-cookie {
        mss value;
        threshold rate;
    }

    If you enable SYN-cookie defenses, you must include both a threshold rate to trigger SYN-cookie activity and a Transmission Control Protocol (TCP) maximum segment size (MSS) value for TCP delayed binding. The threshold rate is specified in SYN attacks per second. By default, the TCP MSS value is 1500; the range is from 128 through 8192.

Configuring IDS Rule Sets

The rule-set statement defines a collection of IDS rules that determine what actions the router software performs on packets in the data stream. You define each rule by specifying a rule name and configuring terms. Then, you specify the order of the rules by including the rule-set statement at the [edit services ids] hierarchy level with a rule statement for each rule:

[edit services ids]
rule-set rule-set-name {
    rule rule-name;
}

The router software processes the rules in the order in which you specify them in the configuration. If a term in a rule matches the packet, the router performs the corresponding action and the rule processing stops. If no term in a rule matches the packet, processing continues to the next rule in the rule set. If none of the rules matches the packet, the packet is dropped by default.

Examples: Configuring IDS Rules

The following configuration adds a permanent entry to the IDS anomaly table when it encounters a flow with the destination address 10.410.6.2:

[edit services ids]
rule simple_ids {
    term 1 {

        from {
            destination-address 10.410.6.2/32;
        }
        then {
            force-entry;
            logging {
                threshold 1;
                syslog;
            }
        }
    }
    match-direction input;
}

The IDS configuration works in conjunction with the stateful firewall mechanism and relies heavily on the anomalies reported by the stateful firewall. The following configuration example shows this relationship:

[edit services ids]
rule simple_ids {
    term 1 {
        from {
            source-address 10.10.10.2/32 except;
            destination-address {
                10.20.20.2/32;
                10.30.30.2/32;
            }
            applications appl-ftp;
        }
        then {
            force-entry;
            logging {
                threshold 5;
                syslog;
            }
            syn-cookie {
                threshold 10;
            }
        }
    }
    term default {
        then {
            aggregation {
                source-prefix 24;
            }
        }
    }
    match-direction input;
}

The following example shows configuration of flow limits:

[edit services ids]
rule ids-all {
    match-direction input;
    term t1 {
        from {
            application-sets alg-set;
        }
        then {
            aggregation {
                destination-prefix 30; /* IDS action aggregation */
            }
            logging {
                threshold 10;
            }
            session-limit {
                by-destination {
                    hold-time 0;
                    maximum 10;
                    packets 200;
                    rate 100;
                }
                by-pair {
                    hold-time 0;
                    maximum 10;
                    packets 200;
                    rate 100;
                }
                by-source {
                    hold-time 5;
                    maximum 10;
                    packets 200;
                    rate 100;
                }
            }
        }
    }
}
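The rule-processing order, the direction check, the except keyword, and the force-entry and aggregation actions described in this chapter can be exercised against the second example above. The following Python program is an added illustration, not Junos OS code: it evaluates a rule set in order, considers only rules whose match-direction covers the packet's direction, stops at the first matching term, and applies the aggregation, force-entry, and ignore-entry actions to a toy event cache. The Term, Rule, and IdsEngine classes, the packet dictionaries, and the anomaly flag (standing in for the anomalies the stateful firewall reports) are constructed for the example; treating a packet that matches no rule as dropped follows the statement in “Configuring IDS Rule Sets”.

```python
"""Toy evaluator for IDS rule-set processing: direction filtering, from-term matching with
the except keyword, first match wins in rule-set order, and the aggregation / force-entry /
ignore-entry actions applied to an event cache. Constructed illustration, not Junos code."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

AddrEntry = Tuple[str, bool]  # (prefix or "any-unicast", except flag)


def _hit(prefix: str, ip) -> bool:
    if prefix == "any-unicast":
        return not ip.is_multicast
    net = ipaddress.ip_network(prefix, strict=False)
    return ip.version == net.version and ip in net


def addr_field_matches(entries: List[AddrEntry], addr: str) -> bool:
    """Positive entries are ORed; a matching except entry excludes the address even when a
    positive entry matched; a field holding only except entries matches everything else."""
    ip = ipaddress.ip_address(addr)
    positive = [p for p, ex in entries if not ex]
    included = not positive or any(_hit(p, ip) for p in positive)
    excluded = any(_hit(p, ip) for p, ex in entries if ex)
    return included and not excluded


@dataclass
class Term:
    name: str
    from_: Optional[dict] = None        # keys: source, destination, applications
    aggregation: Optional[dict] = None  # e.g. {"source-prefix": 24}
    entry: Optional[str] = None         # "force-entry" | "ignore-entry" | None

    def matches(self, pkt: dict) -> bool:
        if self.from_ is None:  # no from statement: every event matches
            return True
        f = self.from_
        return (("source" not in f or addr_field_matches(f["source"], pkt["src"]))
                and ("destination" not in f or addr_field_matches(f["destination"], pkt["dst"]))
                and ("applications" not in f or pkt["app"] in f["applications"]))


@dataclass
class Rule:
    name: str
    match_direction: str  # input | output | input-output
    terms: List[Term] = field(default_factory=list)


class IdsEngine:
    def __init__(self, rule_set: List[Rule]):
        self.rule_set = rule_set  # list order is the rule-set order
        self.cache: Dict[tuple, dict] = {}  # event key -> {"count", "permanent"}

    def process(self, pkt: dict) -> str:
        """Return 'rule/term' of the first matching term, or 'drop' when nothing matches."""
        for rule in self.rule_set:
            if rule.match_direction not in ("input-output", pkt["direction"]):
                continue  # only rules in the packet's direction are considered
            for term in rule.terms:
                if term.matches(pkt):
                    self._apply(term, pkt)
                    return f"{rule.name}/{term.name}"
        return "drop"

    def _event_key(self, term: Term, pkt: dict) -> tuple:
        src, dst, agg = pkt["src"], pkt["dst"], term.aggregation or {}
        if "source-prefix" in agg:  # aggregation: count by /N of the source instead of host
            src = str(ipaddress.ip_network(f"{src}/{agg['source-prefix']}", strict=False))
        if "destination-prefix" in agg:
            dst = str(ipaddress.ip_network(f"{dst}/{agg['destination-prefix']}", strict=False))
        return (src, dst, pkt["app"])

    def _apply(self, term: Term, pkt: dict) -> None:
        if term.entry == "ignore-entry":
            return  # trusted host: nothing reaches the cache
        if not pkt.get("anomaly", False) and term.entry != "force-entry":
            return  # default: "good" packets are not recorded
        e = self.cache.setdefault(self._event_key(term, pkt), {"count": 0, "permanent": False})
        e["count"] += 1
        if term.entry == "force-entry":
            e["permanent"] = True  # keeps its place after the first event


def build_page_example() -> IdsEngine:
    """The second example rule of this chapter, transcribed into the toy model."""
    term1 = Term("1", from_={"source": [("10.10.10.2/32", True)],
                             "destination": [("10.20.20.2/32", False), ("10.30.30.2/32", False)],
                             "applications": ["appl-ftp"]}, entry="force-entry")
    default = Term("default", aggregation={"source-prefix": 24})
    return IdsEngine([Rule("simple_ids", "input", [term1, default])])


def run_demo():
    eng = build_page_example()
    pkts = [  # constructed packets; "anomaly" stands for the stateful firewall's report
        dict(src="10.1.1.5", dst="10.20.20.2", app="appl-ftp", direction="input"),
        dict(src="10.10.10.2", dst="10.20.20.2", app="appl-ftp", direction="input"),  # excepted
        dict(src="10.1.1.6", dst="10.20.20.2", app="appl-ftp", direction="output"),  # direction
        dict(src="10.1.1.7", dst="192.0.2.1", app="http", direction="input", anomaly=True),
        dict(src="10.1.1.8", dst="192.0.2.1", app="http", direction="input", anomaly=True),
    ]
    return [eng.process(p) for p in pkts], eng.cache
```

In run_demo the first packet matches term 1 and, because of force-entry, is recorded although it is not anomalous; the second comes from the excepted host 10.10.10.2 and falls through to term default; the third arrives in the output direction, which an input-only rule never considers, so it is dropped; the last two are anomalies from different hosts in 10.1.1.0/24 that aggregation source-prefix 24 folds into a single cache entry with count 2.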


CHAPTER 15

Summary of Intrusion Detection Service Configuration Statements

The following sections explain each of the intrusion detection service (IDS) statements. The statements are organized alphabetically.

aggregation

Syntax
    aggregation {
        destination-prefix prefix-value | destination-prefix-ipv6 prefix-value;
        source-prefix prefix-value | source-prefix-ipv6 prefix-value;
    }

Hierarchy Level
    [edit services ids rule rule-name term term-name then]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Specify the type of data to be aggregated.

Options
    The remaining statements are explained separately.

Usage Guidelines
    See “Configuring IDS Rules” on page 291.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

application-sets

Syntax
    application-sets set-name;

Hierarchy Level
    [edit services ids rule rule-name term term-name from]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Define one or more target application sets.

Options
    set-name—Name of the target application set.

Usage Guidelines
    See “Configuring Match Conditions in IDS Rules” on page 293.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

applications

Syntax
    applications [ application-names ];

Hierarchy Level
    [edit services ids rule rule-name term term-name from]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Define one or more applications to which IDS applies.

Options
    application-name—Name of the target application.

Usage Guidelines
    See “Configuring Match Conditions in IDS Rules” on page 293.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

by-destination

Syntax
    by-destination {
        hold-time seconds;
        maximum number;
        packets number;
        rate number;
    }

Hierarchy Level
    [edit services ids rule rule-name term term-name then session-limit]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Apply limit to sessions based on numbers generated from the configured destination (IP or subnet) or application.

Options
    hold-time seconds—Length of time for which to stop all new flows once the rate of events exceeds the threshold set by one or more of the maximum, packets, or rate statements.
    maximum number—Maximum number of open sessions per application or IP address.
    packets number—Maximum peak packets per second per application or IP address.
    rate number—Maximum number of sessions per second per application or IP address.

Usage Guidelines
    See “Configuring Actions in IDS Rules” on page 294.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

by-pair

Syntax
    by-pair {
        hold-time seconds;
        maximum number;
        packets number;
        rate number;
    }

Hierarchy Level
    [edit services ids rule rule-name term term-name then session-limit]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Apply limit to paired stateful firewall and NAT flows (forward and reverse).

Options
    hold-time seconds—Length of time for which to stop all new flows once the rate of events exceeds the threshold set by one or more of the maximum, packets, or rate statements.
    maximum number—Maximum number of open sessions per application or IP address.
    packets number—Maximum peak packets per second per application or IP address.
    rate number—Maximum number of sessions per second per application or IP address.

Usage Guidelines
    See “Configuring Actions in IDS Rules” on page 294.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

by-source

Syntax
    by-source {
        hold-time seconds;
        maximum number;
        packets number;
        rate number;
    }

Hierarchy Level
    [edit services ids rule rule-name term term-name then session-limit]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Apply limit to sessions based on numbers generated from the configured source (IP or subnet) or application.

Options
    hold-time seconds—Length of time for which to stop all new flows once the rate of events exceeds the threshold set by one or more of the maximum, packets, or rate statements.
    maximum number—Maximum number of open sessions per application or IP address.
    packets number—Maximum peak packets per second per application or IP address.
    rate number—Maximum number of sessions per second per application or IP address.

Usage Guidelines
    See “Configuring Actions in IDS Rules” on page 294.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

destination-address

Syntax
    destination-address (address | any-unicast) <except>;

Hierarchy Level
    [edit services ids rule rule-name term term-name from]

Release Information
    Statement introduced before Junos OS Release 7.4.
    address option enhanced to support IPv4 and IPv6 addresses in Junos OS Release 8.5.

Description
    Specify the destination address for rule matching.

Options
    address—Destination IPv4 or IPv6 address or prefix value.
    any-unicast—Any unicast packet.
    except—(Optional) Exempt the specified address, prefix, or unicast packets from rule matching.

Usage Guidelines
    See “Configuring Match Conditions in IDS Rules” on page 293.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

destination-address-range

Syntax
    destination-address-range low minimum-value high maximum-value <except>;

Hierarchy Level
    [edit services ids rule rule-name term term-name from]

Release Information
    Statement introduced in Junos OS Release 7.6.
    minimum-value and maximum-value options enhanced to support IPv4 and IPv6 addresses in Junos OS Release 8.5.

Description
    Specify the destination address range for rule matching.

Options
    minimum-value—Lower boundary for the IPv4 or IPv6 address range.
    maximum-value—Upper boundary for the IPv4 or IPv6 address range.
    except—(Optional) Exempt the specified address range from rule matching.

Usage Guidelines
    See “Configuring Match Conditions in IDS Rules” on page 293.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

destination-prefix

Syntax
    destination-prefix prefix-value;

Hierarchy Level
    [edit services ids rule rule-name term term-name then aggregation]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Specify the prefix value for destination IPv4 address aggregation.

Options
    prefix-value—Integer value.
    Range: 1 through 32

Usage Guidelines
    See “Configuring Actions in IDS Rules” on page 294.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

destination-prefix-ipv6

Syntax
    destination-prefix-ipv6 prefix-value;

Hierarchy Level
    [edit services ids rule rule-name term term-name then aggregation]

Release Information
    Statement introduced in Junos OS Release 8.5.

Description
    Specify the prefix value for destination IPv6 address aggregation.

Options
    prefix-value—Integer value.
    Range: 1 through 128

Usage Guidelines
    See “Configuring Actions in IDS Rules” on page 294.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

destination-prefix-list

Syntax
    destination-prefix-list list-name <except>;

Hierarchy Level
    [edit services ids rule rule-name term term-name from]

Release Information
    Statement introduced in Junos OS Release 8.2.

Description
    Specify the destination prefix list for rule matching. You configure the prefix list by including the prefix-list statement at the [edit policy-options] hierarchy level.

Options
    list-name—Destination prefix list.
    except—(Optional) Exclude the specified prefix list from rule matching.

Usage Guidelines
    See “Configuring Match Conditions in IDS Rules” on page 293.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • Junos OS Routing Policy Configuration Guide

force-entry

Syntax
    (force-entry | ignore-entry);

Hierarchy Level
    [edit services ids rule rule-name term term-name then]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Specify handling of entries in the IDS events cache:
    • force-entry—Ensure that the entry has a permanent place in the IDS cache after one event is registered.
    • ignore-entry—Ensure that all IDS events are ignored.

Usage Guidelines
    See “Configuring Actions in IDS Rules” on page 294.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

from

Syntax
    from {
        application-sets set-name;
        applications [ application-names ];
        destination-address (address | any-unicast) <except>;
        destination-address-range low minimum-value high maximum-value <except>;
        source-address (address | any-unicast) <except>;
        source-address-range low minimum-value high maximum-value <except>;
    }

Hierarchy Level
    [edit services ids rule rule-name term term-name]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Specify input conditions for the IDS term.

Options
    The remaining statements are explained separately. For information on match conditions, see the description of firewall filter match conditions in the Junos OS Routing Policy Configuration Guide.

Usage Guidelines
    See “Configuring Match Conditions in IDS Rules” on page 293.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

ignore-entry

    See force-entry.

logging

Syntax
    logging {
        syslog;
        threshold rate;
    }

Hierarchy Level
    [edit services ids rule rule-name term term-name then]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Set logging values for this IDS term.

Options
    The remaining statements are explained separately.

Usage Guidelines
    See “Configuring Actions in IDS Rules” on page 294.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

match-direction

Syntax
    match-direction (input | output | input-output);

Hierarchy Level
    [edit services ids rule rule-name]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Specify the direction in which the rule match is applied.

Options
    input—Apply the rule match on input.
    input-output—Apply the rule match bidirectionally.
    output—Apply the rule match on output.

Usage Guidelines
    See “Configuring Match Conditions in IDS Rules” on page 293.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

mss

Syntax
    mss value;

Hierarchy Level
    [edit services ids rule rule-name term term-name then syn-cookie]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Specify the maximum segment size (MSS) value used in Transmission Control Protocol (TCP) delayed binding.

Options
    value—MSS value.
    Default: 1500
    Range: 128 through 8192

Usage Guidelines
    See “Configuring Actions in IDS Rules” on page 294.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.
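To show what the syn-cookie action and its mss value stand for, the following Python program is an added textbook-style SYN cookie, not the implementation on the AS or Multiservices PIC: the initial sequence number carries a time slot, an index into a small table of MSS values, and a keyed MAC over the connection 4-tuple, so a flood of SYNs consumes no half-open state; the client's final ACK is validated by recomputing the MAC, and the MSS for the connection is recovered from the index. The threshold counts SYNs per second and switches the server into cookie mode, and the configured mss caps the MSS that gets encoded; the “delayed binding” the mss description refers to is modeled only as keeping no state until the ACK validates. The SynGuard class, the MSS table, the secret, and the addresses are constructed for the example.

```python
"""Textbook SYN cookie with a bounded MSS table, a keyed MAC and a SYN-rate trigger.
Constructed illustration of the syn-cookie / mss statements, not the PIC's implementation."""
import hashlib
import hmac
from typing import Dict, Optional, Tuple

MSS_TABLE = (536, 1300, 1440, 1460)  # encodable MSS values; the index fits in 3 bits


def _slot(now: float) -> int:
    return (int(now) // 64) & 0x1F  # 64-second time slot, 5 bits


def _mac(secret: bytes, saddr: str, sport: int, daddr: str, dport: int, slot: int) -> int:
    msg = f"{saddr}:{sport}>{daddr}:{dport}|{slot}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")  # 24 bits


def make_cookie(secret, saddr, sport, daddr, dport, mss: int, now: float) -> int:
    """ISN = 5-bit slot | 3-bit MSS index | 24-bit MAC over the 4-tuple and the slot."""
    idx = max(i for i, m in enumerate(MSS_TABLE) if m <= max(mss, MSS_TABLE[0]))
    slot = _slot(now)
    return (slot << 27) | (idx << 24) | _mac(secret, saddr, sport, daddr, dport, slot)


def check_cookie(secret, saddr, sport, daddr, dport, ack: int, now: float) -> Optional[int]:
    """Recover the MSS from the client's ACK, or None if the cookie is forged or stale."""
    cookie = (ack - 1) & 0xFFFFFFFF
    slot, idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    if (_slot(now) - slot) & 0x1F > 1:  # accept the current and the previous slot only
        return None
    if idx >= len(MSS_TABLE) or mac != _mac(secret, saddr, sport, daddr, dport, slot):
        return None
    return MSS_TABLE[idx]


class SynGuard:
    def __init__(self, secret: bytes, threshold: int, mss: int = 1500):
        self.secret, self.threshold, self.mss = secret, threshold, mss  # mss caps what we offer
        self.second, self.syns = -1, 0
        self.half_open: Dict[tuple, int] = {}  # normal mode: state per half-open connection

    def on_syn(self, now, saddr, sport, daddr, dport, client_mss) -> Tuple[str, Optional[int]]:
        if int(now) != self.second:
            self.second, self.syns = int(now), 0
        self.syns += 1
        mss = min(client_mss, self.mss)
        if self.syns > self.threshold:  # SYN rate over threshold: answer with a cookie, keep nothing
            return "cookie", make_cookie(self.secret, saddr, sport, daddr, dport, mss, now)
        self.half_open[(saddr, sport, daddr, dport)] = mss
        return "state", None

    def on_ack(self, now, saddr, sport, daddr, dport, ack) -> Tuple[str, Optional[int]]:
        key = (saddr, sport, daddr, dport)
        if key in self.half_open:
            return "established", self.half_open.pop(key)
        mss = check_cookie(self.secret, saddr, sport, daddr, dport, ack, now)
        return ("established", mss) if mss is not None else ("reject", None)


def demo():
    """Five SYNs in one second against threshold 3: the last two get cookies; a genuine ACK
    completes, a forged ACK and an ACK three slots late are rejected."""
    g = SynGuard(b"per-boot-secret", threshold=3, mss=1460)
    daddr, dport = "192.0.2.10", 80
    modes, isn = [], None
    for i in range(5):
        mode, isn = g.on_syn(1000.0, "198.51.100.7", 40000 + i, daddr, dport, client_mss=1460)
        modes.append(mode)
    ok = g.on_ack(1001.0, "198.51.100.7", 40004, daddr, dport, (isn + 1) & 0xFFFFFFFF)
    forged = g.on_ack(1001.0, "198.51.100.7", 40004, daddr, dport, (isn + 2) & 0xFFFFFFFF)
    stale = g.on_ack(1000.0 + 64 * 3, "198.51.100.7", 40004, daddr, dport, (isn + 1) & 0xFFFFFFFF)
    return modes, ok, forged, stale
```

The table of four MSS values is why a cookie scheme needs a configured MSS at all: the server cannot remember the MSS the client announced, so it encodes the nearest value not larger than min(client MSS, configured mss) and reads it back from the validated ACK.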

rule

Syntax
  rule rule-name {
    match-direction (input | output | input-output);
    term term-name {
      from {
        application-sets set-name;
        applications [ application-names ];
        destination-address (address | any-unicast) <except>;
        destination-address-range low minimum-value high maximum-value <except>;
        source-address (address | any-unicast) <except>;
        source-address-range low minimum-value high maximum-value <except>;
      }
      then {
        aggregation {
          destination-prefix prefix-value | destination-prefix-ipv6 prefix-value;
          source-prefix prefix-value | source-prefix-ipv6 prefix-value;
        }
        (force-entry | ignore-entry);
        logging {
          syslog;
          threshold rate;
        }
        session-limit {
          by-destination {
            hold-time seconds;
            maximum number;
            packets number;
            rate number;
          }
          by-pair {
            hold-time seconds;
            maximum number;
            packets number;
            rate number;
          }
          by-source {
            hold-time seconds;
            maximum number;
            packets number;
            rate number;
          }
        }
        syn-cookie {
          mss value;
          threshold rate;
        }
      }
    }
  }

Hierarchy Level  [edit services ids],
  [edit services ids rule-set rule-set-name]

Release Information  Statement introduced before Junos OS Release 7.4.

Description  Specify the rule the router uses when applying this service.

Options  rule-name—Identifier for the collection of terms that constitute this rule.

Usage Guidelines  See “Configuring IDS Rules” on page 291.

Required Privilege Level  interface—To view this statement in the configuration.
  interface-control—To add this statement to the configuration.

rule-set

Syntax
  rule-set rule-set-name {
    [ rule rule-names ];
  }

Hierarchy Level  [edit services ids]

Release Information  Statement introduced before Junos OS Release 7.4.

Description  Specify the rule set the router uses when applying this service.

Options  rule-set-name—Identifier for the collection of rules that constitute this rule set.

Usage Guidelines  See “Configuring IDS Rule Sets” on page 297.

Required Privilege Level  interface—To view this statement in the configuration.
  interface-control—To add this statement to the configuration.

services

Syntax
  services ids {
    ...
  }

Hierarchy Level  [edit]

Release Information  Statement introduced before Junos OS Release 7.4.

Description  Define the service rules to be applied to traffic.

Options  ids—Identifies the IDS set of rules statements.

Usage Guidelines  See “Configuring IDS Rules” on page 291.

Required Privilege Level  interface—To view this statement in the configuration.
  interface-control—To add this statement to the configuration.

session-limit

Syntax
  session-limit {
    by-destination {
      hold-time seconds;
      maximum number;
      packets number;
      rate number;
    }
    by-pair {
      hold-time seconds;
      maximum number;
      packets number;
      rate number;
    }
    by-source {
      hold-time seconds;
      maximum number;
      packets number;
      rate number;
    }
  }

Hierarchy Level  [edit services ids rule rule-name term term-name then]

Release Information  Statement introduced before Junos OS Release 7.4.

Description  Enable flow limitation by configuring thresholds on source, destination, or stateful firewall and network address translation (NAT) paired traffic flows.

Options  The remaining statements are described separately.

Usage Guidelines  See “Configuring Actions in IDS Rules” on page 294.

Required Privilege Level  interface—To view this statement in the configuration.
  interface-control—To add this statement to the configuration.

source-address

Syntax
  source-address (address | any-unicast) <except>;

Hierarchy Level  [edit services ids rule rule-name term term-name from]

Release Information  Statement introduced before Junos OS Release 7.4. address option enhanced to support IPv4 and IPv6 addresses in Junos OS Release 8.5.

Description  Specify the source address for rule matching.

Options  address—Source IPv4 or IPv6 address or prefix value.
  any-unicast—Any unicast packet.
  except—(Optional) Exempt the specified address, prefix, or unicast packets from rule matching.

Usage Guidelines  See “Configuring Match Conditions in IDS Rules” on page 293.

Required Privilege Level  interface—To view this statement in the configuration.
  interface-control—To add this statement to the configuration.

source-address-range

Syntax
  source-address-range low minimum-value high maximum-value <except>;

Hierarchy Level  [edit services ids rule rule-name term term-name from]

Release Information  Statement introduced in Junos OS Release 7.6. minimum-value and maximum-value options enhanced to support IPv4 and IPv6 addresses in Junos OS Release 8.5.

Description  Specify the source address range for rule matching.

Options  minimum-value—Lower boundary for the IPv4 or IPv6 address range.
  maximum-value—Upper boundary for the IPv4 or IPv6 address range.
  except—(Optional) Exempt the specified address range from rule matching.

Usage Guidelines  See “Configuring Match Conditions in IDS Rules” on page 293.

Required Privilege Level  interface—To view this statement in the configuration.
  interface-control—To add this statement to the configuration.

source-prefix

Syntax
  source-prefix prefix-value;

Hierarchy Level  [edit services ids rule rule-name term term-name then aggregation]

Release Information  Statement introduced before Junos OS Release 7.4.

Description  Specify the prefix value for source IPv4 address aggregation.

Options  prefix-value—Integer value.
  Range: 1 through 32

Usage Guidelines  See “Configuring Actions in IDS Rules” on page 294.

Required Privilege Level  interface—To view this statement in the configuration.
  interface-control—To add this statement to the configuration.

source-prefix-ipv6

Syntax
  source-prefix-ipv6 prefix-value;

Hierarchy Level  [edit services ids rule rule-name term term-name then aggregation]

Release Information  Statement introduced in Junos OS Release 8.5.

Description  Specify the prefix value for source IPv6 address aggregation.

Options  prefix-value—Integer value.
  Range: 1 through 128

Usage Guidelines  See “Configuring Actions in IDS Rules” on page 294.

Required Privilege Level  interface—To view this statement in the configuration.
  interface-control—To add this statement to the configuration.

source-prefix-list

Syntax
  source-prefix-list list-name <except>;

Hierarchy Level  [edit services ids rule rule-name term term-name from]

Release Information  Statement introduced in Junos OS Release 8.2.

Description  Specify the source prefix list for rule matching. You configure the prefix list by including the prefix-list statement at the [edit policy-options] hierarchy level.

Options  list-name—Name of the prefix list configured at the [edit policy-options] hierarchy level.
  except—(Optional) Exclude the specified prefix list from rule matching.

Usage Guidelines  See “Configuring Match Conditions in IDS Rules” on page 293.

Required Privilege Level  interface—To view this statement in the configuration.
  interface-control—To add this statement to the configuration.

Related Documentation
  • Junos OS Routing Policy Configuration Guide

syn-cookie

Syntax
  syn-cookie {
    mss value;
    threshold rate;
  }

Hierarchy Level  [edit services ids rule rule-name term term-name then]

Release Information  Statement introduced before Junos OS Release 7.4.

Description  Enable SYN-cookie defenses against SYN attacks. By default, SYN-cookie techniques are not applied.

Options  The remaining statements are described separately.

Usage Guidelines  See “Configuring Actions in IDS Rules” on page 294.

Required Privilege Level  interface—To view this statement in the configuration.
  interface-control—To add this statement to the configuration.

syslog

Syntax
  syslog;

Hierarchy Level  [edit services ids rule rule-name term term-name then logging]

Release Information  Statement introduced before Junos OS Release 7.4.

Description  Enable system logging. The system log information from the Adaptive Services or Multiservices Physical Interface Card (PIC) is passed to the kernel for logging in the /var/log directory.

Usage Guidelines  See “Configuring Actions in IDS Rules” on page 294.

Required Privilege Level  interface—To view this statement in the configuration.
  interface-control—To add this statement to the configuration.

term

Syntax
  term term-name {
    from {
      application-sets set-name;
      applications [ application-names ];
      destination-address (address | any-unicast) <except>;
      destination-address-range low minimum-value high maximum-value <except>;
      source-address (address | any-unicast) <except>;
      source-address-range low minimum-value high maximum-value <except>;
    }
    then {
      aggregation {
        destination-prefix prefix-value | destination-prefix-ipv6 prefix-value;
        source-prefix prefix-value | source-prefix-ipv6 prefix-value;
      }
      (force-entry | ignore-entry);
      logging {
        syslog;
        threshold rate;
      }
      session-limit {
        by-destination {
          hold-time seconds;
          maximum number;
          packets number;
          rate number;
        }
        by-pair {
          hold-time seconds;
          maximum number;
          packets number;
          rate number;
        }
        by-source {
          hold-time seconds;
          maximum number;
          packets number;
          rate number;
        }
      }
      syn-cookie {
        mss value;
        threshold rate;
      }
    }
  }

Hierarchy Level  [edit services ids rule rule-name]

Release Information  Statement introduced before Junos OS Release 7.4.

Description  Define the IDS term properties.

Options  term-name—Identifier for the term.
  The remaining statements are explained separately.

Usage Guidelines  See “Configuring IDS Rules” on page 291.

Required Privilege Level  interface—To view this statement in the configuration.
  interface-control—To add this statement to the configuration.

then

Syntax
  then {
    aggregation {
      destination-prefix prefix-value | destination-prefix-ipv6 prefix-value;
      source-prefix prefix-value | source-prefix-ipv6 prefix-value;
    }
    (force-entry | ignore-entry);
    logging {
      syslog;
      threshold rate;
    }
    session-limit {
      by-destination {
        hold-time seconds;
        maximum number;
        packets number;
        rate number;
      }
      by-pair {
        hold-time seconds;
        maximum number;
        packets number;
        rate number;
      }
      by-source {
        hold-time seconds;
        maximum number;
        packets number;
        rate number;
      }
    }
    syn-cookie {
      mss value;
      threshold rate;
    }
  }

Hierarchy Level  [edit services ids rule rule-name term term-name]

Release Information  Statement introduced before Junos OS Release 7.4.

Description  Define the IDS term actions.

Options  The remaining statements are explained separately.

Usage Guidelines  See “Configuring IDS Rules” on page 291.

Required Privilege Level  interface—To view this statement in the configuration.
  interface-control—To add this statement to the configuration.

threshold

Syntax
  threshold rate;

Hierarchy Level  [edit services ids rule rule-name term term-name then logging],
  [edit services ids rule rule-name term term-name then syn-cookie]

Release Information  Statement introduced before Junos OS Release 7.4.

Description  Specify the threshold for logging or applying SYN-cookie defenses.

Options  rate—Logging threshold number of events per second.
  rate—SYN-cookie defense number of SYN attacks per second.

Usage Guidelines  See “Configuring Actions in IDS Rules” on page 294.

Required Privilege Level  interface—To view this statement in the configuration.
  interface-control—To add this statement to the configuration.


CHAPTER 16

IPsec Services Configuration Guidelines

To configure IP Security (IPsec) services, include the following statements at the [edit services ipsec-vpn] hierarchy level:

[edit services ipsec-vpn]
clear-ike-sas-on-pic-restart;
clear-ipsec-sas-on-pic-restart;
ike {
  proposal proposal-name {
    authentication-algorithm (md5 | sha1 | sha-256);
    authentication-method (dsa-signatures | pre-shared-keys | rsa-signatures);
    description description;
    dh-group (group1 | group2 | group5 | group14);
    encryption-algorithm algorithm;
    lifetime-seconds seconds;
  }
  policy policy-name {
    description description;
    local-certificate identifier;
    local-id (ipv4_addr ipv4-address | ipv6-addr ipv6-address | key-id identifier);
    mode (aggressive | main);
    pre-shared-key (ascii-text key | hexadecimal key);
    proposals [ proposal-names ];
    remote-id {
      any-remote-id;
      ipv4_addr [ values ];
      ipv6_addr [ values ];
      key_id [ values ];
    }
    version (1 | 2);
  }
}
ipsec {
  proposal proposal-name {
    authentication-algorithm (hmac-md5-96 | hmac-sha1-96);
    description description;
    encryption-algorithm algorithm;
    lifetime-seconds seconds;
    protocol (ah | esp | bundle);
  }
  policy policy-name {
    description description;
    perfect-forward-secrecy {
      keys (group1 | group2);
    }
    proposals [ proposal-names ];
  }
}
no-ipsec-tunnel-in-traceroute;
rule rule-name {
  match-direction (input | output);
  term term-name {
    from {
      destination-address address;
      ipsec-inside-interface interface-name;
      source-address address;
    }
    then {
      anti-replay-window-size bits;
      backup-remote-gateway address;
      clear-dont-fragment-bit;
      dynamic {
        ike-policy policy-name;
        ipsec-policy policy-name;
      }
      initiate-dead-peer-detection;
      manual {
        direction (inbound | outbound | bidirectional) {
          authentication {
            algorithm (hmac-md5-96 | hmac-sha1-96);
            key (ascii-text key | hexadecimal key);
          }
          auxiliary-spi spi-value;
          encryption {
            algorithm algorithm;
            key (ascii-text key | hexadecimal key);
          }
          protocol (ah | bundle | esp);
          spi spi-value;
        }
      }
      no-anti-replay;
      remote-gateway address;
      syslog;
      tunnel-mtu bytes;
    }
  }
}
rule-set rule-set-name {
  [ rule rule-names ];
}
traceoptions {
  file {
    files number;
    size bytes;
  }
  flag flag;
  level level;
}

This chapter includes the following sections:

• Minimum Security Association Configurations on page 325
• Configuring Security Associations on page 326
• Configuring IKE Proposals on page 332
• Configuring IKE Policies on page 335
• Configuring IPsec Proposals on page 341
• Configuring IPsec Policies on page 343
• IPsec Policy for Dynamic Endpoints on page 346
• Configuring IPsec Rules on page 346
• Configuring IPsec Rule Sets on page 353
• Configuring Dynamic Endpoints for IPsec Tunnels on page 353
• Tracing IPsec Operations on page 358
• Configuring IPSec on the Services SDK on page 360
• Examples: Configuring IPsec Services on page 361

Minimum Security Association Configurations

The following sections show the minimum configurations necessary to set up security associations (SAs) for IPsec services:

• Minimum Manual SA Configuration on page 325
• Minimum Dynamic SA Configuration on page 325

Minimum Manual SA Configuration

To define a manual SA configuration, you must include at least the following statements at the [edit services ipsec-vpn rule rule-name term term-name then manual] hierarchy level:

[edit services ipsec-vpn rule rule-name term term-name then manual]
direction (inbound | outbound | bidirectional) {
  authentication {
    algorithm (hmac-md5-96 | hmac-sha1-96);
    key (ascii-text key | hexadecimal key);
  }
  encryption {
    algorithm algorithm;
    key (ascii-text key | hexadecimal key);
  }
  protocol (ah | esp | bundle);
  spi spi-value;
}

Minimum Dynamic SA Configuration

To define a dynamic SA configuration, you must include at least the following statements at the [edit services ipsec-vpn] hierarchy level:

[edit services ipsec-vpn]
ike {
  proposal proposal-name {
    authentication-algorithm (md5 | sha1 | sha-256);
    authentication-method pre-shared-keys;
    dh-group (group1 | group2 | group5 | group14);
    encryption-algorithm algorithm;
  }
  policy policy-name {
    proposals [ ike-proposal-names ];
    mode (aggressive | main);
    pre-shared-key (ascii-text key | hexadecimal key);
    version (1 | 2);
  }
}
ipsec {
  proposal proposal-name {
    authentication-algorithm (hmac-md5-96 | hmac-sha1-96);
    encryption-algorithm algorithm;
    protocol (ah | esp | bundle);
  }
  policy policy-name {
    proposals [ ipsec-proposal-names ];
  }
}

NOTE:
• Starting with Junos OS Release 11.4, both IKEv1 and IKEv2 are supported by default on all M Series, MX Series, and T Series routers. The version statement under the [edit services ipsec-vpn ike policy name] hierarchy allows you to configure the specific IKE version to be supported. The mode statement under the [edit services ipsec-vpn ike policy name] hierarchy is required only if the version option is set to 1.
• You must also include the ipsec-policy statement at the [edit services ipsec-vpn rule rule-name term term-name then dynamic] hierarchy level.

Configuring Security Associations

To use IPsec services, you create an SA between hosts. An SA is a simplex connection that allows two hosts to communicate with each other securely by means of IPsec. You can configure two types of SAs:

• Manual—Requires no negotiation; all values, including the keys, are static and specified in the configuration. As a result, each peer must have the same configured options for communication to take place. For information about how to configure a manual SA, see “Configuring Manual Security Associations” on page 327.
• Dynamic—Specifies proposals to be negotiated with the tunnel peer. The keys are generated as part of the negotiation and therefore do not need to be specified in the configuration. The dynamic SA includes one or more proposal statements, which allow you to prioritize a list of protocols and algorithms to be negotiated with the peer. For information about how to configure a dynamic SA, see “Configuring Dynamic Security Associations” on page 331.

This section includes the following topics:

• Configuring Manual Security Associations on page 327
• Configuring Dynamic Security Associations on page 331
• Clearing Security Associations on page 332

NOTE: Both OSPFv2 and OSPFv3 support IPsec authentication. However, dynamic or tunnel mode IPsec SAs are not supported for OSPFv3. If you add SAs into OSPFv3 by including the ipsec-sa statement at the [edit protocols ospf3 area area-number interface interface-name] hierarchy level, your configuration fails to commit. For more information about OSPF authentication and other OSPF properties, see the Junos OS Routing Protocols Configuration Guide.

Configuring Manual Security Associations

Manual SAs require no negotiation; all values, including the keys, are static and specified in the configuration. As a result, each peer must have the same configured options for communication to take place. To configure a manual IPsec security association, include statements at the [edit services ipsec-vpn rule rule-name term term-name then manual] hierarchy level:

[edit services ipsec-vpn rule rule-name term term-name then manual]
direction (inbound | outbound | bidirectional) {
  authentication {
    algorithm (hmac-md5-96 | hmac-sha1-96);
    key (ascii-text key | hexadecimal key);
  }
  auxiliary-spi auxiliary-spi-value;
  encryption {
    algorithm algorithm;
    key (ascii-text key | hexadecimal key);
  }
  protocol (ah | esp | bundle);
  spi spi-value;
}

To configure manual SA statements, do the following:

• Configuring the Direction for IPsec Processing on page 328
• Configuring the Protocol for a Manual IPsec SA on page 329
• Configuring the Security Parameter Index on page 329
• Configuring the Auxiliary Security Parameter Index on page 329
• Configuring Authentication for a Manual IPsec SA on page 329
• Configuring Encryption for a Manual IPsec SA on page 330

Configuring the Direction for IPsec Processing

The direction statement specifies inbound or outbound IPsec processing. If you want to define different algorithms, keys, or security parameter index (SPI) values for each direction, you configure the inbound and outbound options. If you want the same attributes in both directions, use the bidirectional option. To configure the direction of IPsec processing, include the direction statement at the [edit services ipsec-vpn rule rule-name term term-name then manual] hierarchy level:

[edit services ipsec-vpn rule rule-name term term-name then manual]
direction (inbound | outbound | bidirectional) {
  ...
}

Example: Using the Same Configuration for the Inbound and Outbound Directions

Define one set of algorithms, keys, and security parameter index values that is valid in both directions:

[edit services ipsec-vpn rule rule-name term term-name then manual]
direction bidirectional {
  protocol ah;
  spi 20001;
  authentication {
    algorithm hmac-md5-96;
    key ascii-text 123456789012abcd;
  }
}

Example: Using Different Configuration for the Inbound and Outbound Directions

Define different algorithms, keys, and security parameter index values for each direction:

[edit services ipsec-vpn rule rule-name term term-name then manual]
direction inbound {
  protocol esp;
  spi 16384;
  encryption {
    algorithm 3des-cbc;
    key ascii-text 23456789012345678901234;
  }
}
direction outbound {
  protocol esp;
  spi 24576;
  encryption {
    algorithm 3des-cbc;
    key ascii-text 12345678901234567890abcd;
  }
}

Configuring the Protocol for a Manual IPsec SA

IPsec uses two protocols to protect IP traffic: Encapsulating Security Payload (ESP) and authentication header (AH). The AH protocol is used for strong authentication. A third option, bundle, uses AH authentication and ESP encryption; it does not use ESP authentication because AH provides stronger authentication of IP packets. To configure the IPsec protocol, include the protocol statement and specify the ah, esp, or bundle option at the [edit services ipsec-vpn rule rule-name term term-name then manual direction direction] hierarchy level:

[edit services ipsec-vpn rule rule-name term term-name then manual direction direction]
protocol (ah | bundle | esp);

Configuring the Security Parameter Index

An SPI is an arbitrary value that uniquely identifies which SA to use at the receiving host. The sending host uses the SPI to identify and select which SA to use to secure every packet. The receiving host uses the SPI to identify and select the encryption algorithm and key used to decrypt packets.

NOTE: Each manual SA must have a unique SPI and protocol combination.

To configure the SPI, include the spi statement and specify a value (from 256 through 16,639) at the [edit services ipsec-vpn rule rule-name term term-name then manual direction direction] hierarchy level:

[edit services ipsec-vpn rule rule-name term term-name then manual direction direction]
spi spi-value;

Configuring the Auxiliary Security Parameter Index

Use the auxiliary SPI when you configure the protocol statement to use the bundle option.

NOTE: Each manual SA must have a unique SPI and protocol combination.

To configure the auxiliary SPI, include the auxiliary-spi statement and specify a value (from 256 through 16,639) at the [edit services ipsec-vpn rule rule-name term term-name then manual direction direction] hierarchy level:

[edit services ipsec-vpn rule rule-name term term-name then manual direction direction]
auxiliary-spi auxiliary-spi-value;

Configuring Authentication for a Manual IPsec SA

To configure an authentication algorithm, include the authentication statement and specify an authentication algorithm and a key at the [edit services ipsec-vpn rule rule-name term term-name then manual direction direction] hierarchy level:

[edit services ipsec-vpn rule rule-name term term-name then manual direction direction]
authentication {
  algorithm (hmac-md5-96 | hmac-sha1-96);
  key (ascii-text key | hexadecimal key);
}

The algorithm can be one of the following:

• hmac-md5-96—Hash algorithm that authenticates packet data. It produces a 128-bit authenticator value and a 96-bit digest.
• hmac-sha1-96—Hash algorithm that authenticates packet data. It produces a 160-bit authenticator value and a 96-bit digest.

The key can be one of the following:

• ascii-text—ASCII text key. With the hmac-md5-96 option, the key contains 16 ASCII characters. With the hmac-sha1-96 option, the key contains 20 ASCII characters.
• hexadecimal—Hexadecimal key. With the hmac-md5-96 option, the key contains 32 hexadecimal characters. With the hmac-sha1-96 option, the key contains 40 hexadecimal characters.

Configuring Encryption for a Manual IPsec SA

To configure IPsec encryption, include the encryption statement and specify an algorithm and key at the [edit services ipsec-vpn rule rule-name term term-name then manual direction direction] hierarchy level:

[edit services ipsec-vpn rule rule-name term term-name then manual direction direction]
encryption {
  algorithm algorithm;
  key (ascii-text key | hexadecimal key);
}

The algorithm can be one of the following:

• des-cbc—Encryption algorithm that has a block size of 8 bytes; its key size is 64 bits long.
• 3des-cbc—Encryption algorithm that has a block size of 24 bytes; its key size is 192 bits long.
• aes-128-cbc—Advanced Encryption Standard (AES) 128-bit encryption algorithm.
• aes-192-cbc—Advanced Encryption Standard (AES) 192-bit encryption algorithm.
• aes-256-cbc—Advanced Encryption Standard (AES) 256-bit encryption algorithm.

NOTE: For a list of Data Encryption Standard (DES) encryption algorithm weak and semiweak keys, see RFC 2409, The Internet Key Exchange (IKE). For 3des-cbc, the first 8 bytes should differ from the second 8 bytes, and the second 8 bytes should be the same as the third 8 bytes.

The key can be one of the following:

• ascii-text—ASCII text key. With the des-cbc option, the key contains 8 ASCII characters. With the 3des-cbc option, the key contains 24 ASCII characters.
• hexadecimal—Hexadecimal key. With the des-cbc option, the key contains 16 hexadecimal characters. With the 3des-cbc option, the key contains 48 hexadecimal characters.

NOTE: You cannot configure encryption when you use the AH protocol.

NOTE: The AES encryption algorithms use a software implementation that has much lower throughput, so DES remains the recommended option. For reference information on AES encryption, see RFC 3602, The AES-CBC Cipher Algorithm and Its Use with IPsec.

Configuring Dynamic Security Associations

You configure dynamic SAs with a set of proposals that are negotiated by the security gateways. The keys are generated as part of the negotiation and therefore do not need to be specified in the configuration. The dynamic SA includes one or more proposals, which allow you to prioritize a list of protocols and algorithms to be negotiated with the peer.

To enable a dynamic SA, follow these steps:

1. Configure Internet Key Exchange (IKE) proposals and IKE policies associated with these proposals. For more information about IKE policies and proposals, see “Configuring IKE Policies” on page 335 and “Configuring IKE Proposals” on page 332.
2. Configure IPsec proposals and an IPsec policy associated with these proposals. If you configure an authentication proposal but do not include the encryption statement, the result is NULL encryption. Certain applications expect this result. If you configure no specific authentication or encryption values, the Junos OS uses the default values of sha1 for the authentication and 3des-cbc for the encryption. For more information about IPsec policies and proposals, see “Configuring IPsec Policies” on page 343.
3. Associate an SA with an IPsec policy by configuring the dynamic statement.

To configure a dynamic SA, include the dynamic statement and specify an IPsec policy name at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level. The ike-policy statement is optional unless you use the preshared key authentication method.

[edit services ipsec-vpn rule rule-name term term-name then]
dynamic {
  ike-policy policy-name;
  ipsec-policy policy-name;
}

Clearing Security Associations

You can set up the router software to clear IKE or IPsec SAs automatically when the corresponding services PIC restarts or is taken offline. To configure this property, include the clear-ike-sas-on-pic-restart or clear-ipsec-sas-on-pic-restart statement at the [edit services ipsec-vpn] hierarchy level:

[edit services ipsec-vpn]
clear-ike-sas-on-pic-restart;
clear-ipsec-sas-on-pic-restart;

After you add this statement to the configuration, all the IKE or IPsec SAs corresponding to the tunnels in the PIC will be cleared when the PIC restarts or goes offline.

Configuring IKE Proposals

Dynamic security associations (SAs) require IKE configuration. With dynamic SAs, you configure IKE first, and then the SA. IKE creates the dynamic SAs and negotiates them for IPsec. The IKE configuration defines the algorithms and keys used to establish the secure IKE connection with the peer security gateway. You can configure one or more IKE proposals. Each proposal is a list of IKE attributes to protect the IKE connection between the IKE host and its peer. To configure an IKE proposal, include the proposal statement and specify a name at the [edit services ipsec-vpn ike] hierarchy level:

[edit services ipsec-vpn ike]
proposal proposal-name {
  authentication-algorithm (md5 | sha1 | sha-256);
  authentication-method (dsa-signatures | pre-shared-keys | rsa-signatures);
  dh-group (group1 | group2 | group5 | group14);
  encryption-algorithm algorithm;
  lifetime-seconds seconds;
}

NOTE: If you want to establish a dynamic SA, the attributes in at least one configured IPsec and IKE proposal must match those of its peer.

This section includes the following topics:

• Configuring the Authentication Algorithm for an IKE Proposal on page 333
• Configuring the Authentication Method for an IKE Proposal on page 333
• Configuring the Diffie-Hellman Group for an IKE Proposal on page 334
• Configuring the Encryption Algorithm for an IKE Proposal on page 334
• Configuring the Lifetime for an IKE SA on page 335
• Example: Configuring an IKE Proposal on page 335

Configuring the Authentication Algorithm for an IKE Proposal

To configure the authentication algorithm for an IKE proposal, include the authentication-algorithm statement at the [edit services ipsec-vpn ike proposal proposal-name] hierarchy level:

[edit services ipsec-vpn ike proposal proposal-name]
authentication-algorithm (md5 | sha1 | sha-256);

The authentication algorithm can be one of the following:

• md5—Produces a 128-bit digest.
• sha1—Produces a 160-bit digest.
• sha-256—Produces a 256-bit digest.

NOTE: For reference information on Secure Hash Algorithms (SHAs), see Internet draft draft-eastlake-sha2-02.txt, Secure Hash Algorithms (SHA and HMAC-SHA) (expires July 2006).

Configuring the Authentication Method for an IKE Proposal

To configure the authentication method for an IKE proposal, include the authentication-method statement at the [edit services ipsec-vpn ike proposal proposal-name] hierarchy level:

[edit services ipsec-vpn ike proposal proposal-name]
authentication-method (dsa-signatures | pre-shared-keys | rsa-signatures);

The authentication method can be one of the following:

• dsa-signatures—Digital Signature Algorithm
• pre-shared-keys—A key derived from an out-of-band mechanism; the key authenticates the exchanges
• rsa-signatures—Public key algorithm (supports encryption and digital signatures)

Junos 11.4 Services Interfaces Configuration Guide

Configuring the Diffie-Hellman Group for an IKE Proposal

Diffie-Hellman is a public-key cryptography scheme that allows two parties to establish a shared secret over an insecure communications channel. It is also used within IKE to establish session keys. To configure the Diffie-Hellman group for an IKE proposal, include the dh-group statement at the [edit services ipsec-vpn ike proposal proposal-name] hierarchy level:

    [edit services ipsec-vpn ike proposal proposal-name]
    dh-group (group1 | group2 | group5 | group14);

The group can be one of the following:
• group1—Specifies that IKE use the 768-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.
• group2—Specifies that IKE use the 1024-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.
• group5—Specifies that IKE use the 1536-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.
• group14—Specifies that IKE use the 2048-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.

Using a Diffie-Hellman group based on a greater number of bits results in a more secure IKE tunnel than using a group based on fewer bits. However, this additional security entails additional processing time.

Configuring the Encryption Algorithm for an IKE Proposal

To configure the encryption algorithm for an IKE proposal, include the encryption-algorithm statement at the [edit services ipsec-vpn ike proposal proposal-name] hierarchy level:

    [edit services ipsec-vpn ike proposal proposal-name]
    encryption-algorithm algorithm;

The encryption algorithm can be one of the following:
• 3des-cbc—Cipher block chaining encryption algorithm with a key size of 24 bytes; its key is 192 bits long, of which 168 bits are effective key material (the rest are parity bits).
• aes-128-cbc—Advanced Encryption Standard (AES) 128-bit encryption algorithm.
• aes-192-cbc—Advanced Encryption Standard (AES) 192-bit encryption algorithm.
• aes-256-cbc—Advanced Encryption Standard (AES) 256-bit encryption algorithm.
• des-cbc—Cipher block chaining encryption algorithm with a key size of 8 bytes; its effective key is 56 bits long (the remaining 8 bits are parity).
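The following pair of IKE proposals is an added example, not configuration from the guide. It contrasts the guide's default-strength attributes with the strongest options available at this release, and shows the proposal the remote peer must carry for a match to occur. The proposal names and the second router are assumptions for illustration; the lifetime-seconds statement, described later in this section, is left at its default.

```junos
# Added example; both routers and all proposal names are placeholders.
# Router A offers two proposals. IKE offers them in the order the IKE policy
# lists them, so list the strong one first and keep the weaker one only for
# peers that cannot do better.
[edit services ipsec-vpn ike]
proposal ike-strong {
    # certificate-based authentication: no shared secret to leak or guess
    authentication-method rsa-signatures;
    # 2048-bit modulus; group1 (768-bit) is far too small for new deployments
    dh-group group14;
    authentication-algorithm sha-256;
    # AES is a software path on this release: check throughput before rollout
    encryption-algorithm aes-256-cbc;
}
proposal ike-compat {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha1;
    # the Junos OS default cipher; avoid des-cbc, whose 56-bit key is brute-forceable
    encryption-algorithm 3des-cbc;
}

# Router B (the peer) must carry a proposal whose attributes are identical to
# one of Router A's. A proposal that differs in any single attribute never
# matches; the proposal name itself is local and need not agree.
[edit services ipsec-vpn ike]
proposal from-router-a {
    authentication-method rsa-signatures;
    dh-group group14;
    authentication-algorithm sha-256;
    encryption-algorithm aes-256-cbc;
}
```

If the peer only carries a proposal equivalent to ike-compat, negotiation still succeeds because Router A lists that proposal second; removing ike-compat from Router A's policy is the way to refuse the weaker attribute set altogether.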

NOTE: For a list of Data Encryption Standard (DES) encryption algorithm weak and semiweak keys, see RFC 2409, The Internet Key Exchange (IKE). For 3des-cbc, the three 8-byte key parts should all differ from one another; in particular, the second 8 bytes must not equal the third 8 bytes, because a triple-DES (EDE) key whose second and third parts are equal degenerates to single DES under the first part.

The AES encryption algorithms use a software implementation that has much lower throughput, so DES remains the recommended option where throughput is the constraint. Bear in mind that the 56-bit des-cbc key is within reach of brute-force search; where the software throughput is acceptable, prefer an AES option, and otherwise 3des-cbc. If you configure no specific authentication or encryption values, the Junos OS uses the default values of sha1 for the authentication and 3des-cbc for the encryption. If you configure an authentication proposal but do not include the encryption statement, the result is NULL encryption, which provides integrity protection only. Certain applications expect this result.

Configuring the Lifetime for an IKE SA

The lifetime-seconds statement sets the lifetime of an IKE SA. When the IKE SA expires, it is replaced by a new SA (and SPI) or the IPsec connection is terminated. To configure the lifetime for an IKE SA, include the lifetime-seconds statement at the [edit services ipsec-vpn ike proposal proposal-name] hierarchy level:

    [edit services ipsec-vpn ike proposal proposal-name]
    lifetime-seconds seconds;

By default, the IKE SA lifetime is 3600 seconds. The range is from 180 through 86,400 seconds.

NOTE: For IKE proposals, there is only one SA lifetime value, specified by the Junos OS. IPsec proposals use a different mechanism; for more information, see "Configuring the Lifetime for an IPsec SA" on page 342.

Example: Configuring an IKE Proposal

Configure an IKE proposal:

    [edit services ipsec-vpn ike]
    proposal ike-proposal {
        authentication-method pre-shared-keys;
        dh-group group1;
        authentication-algorithm sha1;
        encryption-algorithm 3des-cbc;
    }

Configuring IKE Policies

An IKE policy defines a combination of security parameters (IKE proposals) to be used during IKE negotiation. It defines a peer address and the proposals needed for that connection. Depending on which authentication method is used, it defines the preshared

key for the given peer or the local certificate.

First, you configure one or more IKE proposals; then you associate these proposals with an IKE policy. You can configure the specific IKE phase (that is, the IKE version) to be supported for the negotiation. Starting with Junos OS Release 11.4, both IKEv1 and IKEv2 are supported by default on all M Series, MX Series, and T Series routers. However, if only IKEv1 is supported, the Junos OS rejects IKEv2 negotiations. Similarly, if only IKEv2 is supported, the Junos OS rejects all IKEv1 negotiations. The key management process (kmd) daemon determines which version of IKE is used in a negotiation. If kmd is the IKE initiator, it uses IKEv1 by default and retains the configured version for negotiations. If kmd is the IKE responder, it accepts connections from both IKEv1 and IKEv2.

You can create multiple, prioritized proposals at each peer to ensure that at least one proposal matches a remote peer's proposal. You can also prioritize the list of proposals used by IKE in the policy statement by listing the proposals you want to use, from first to last. During the IKE negotiation, IKE looks for an IKE policy that is the same on both peers. The peer that initiates the negotiation sends all its policies to the remote peer, and the remote peer tries to find a match. A match is made when both policies from the two peers have a proposal that contains the same configured attributes. If the lifetimes are not identical, the shorter lifetime between the two policies (from the host and peer) is used. The configured preshared key must also match its peer.

To configure an IKE policy, include the policy statement and specify a policy name at the [edit services ipsec-vpn ike] hierarchy level:

    [edit services ipsec-vpn ike]
    policy policy-name {
        description description;
        local-certificate identifier;
        local-id (ipv4_addr ipv4-address | ipv6-addr ipv6-address | key-id identifier);
        mode (aggressive | main);
        pre-shared-key (ascii-text key | hexadecimal key);
        proposals [ proposal-names ];
        remote-id {
            any-remote-id;
            ipv4_addr [ values ];
            ipv6_addr [ values ];
            key_id [ values ];
        }
        version (1 | 2);
    }

This section includes the following topics:
• Configuring the IKE Phase on page 337
• Configuring the Mode for an IKE Policy on page 337
• Configuring the Proposals in an IKE Policy on page 337
• Configuring the Preshared Key for an IKE Policy on page 338

• Configuring the Local Certificate for an IKE Policy on page 338
• Configuring the Description for an IKE Policy on page 339
• Configuring Local and Remote IDs for IKE Phase 1 Negotiation on page 339
• Example: Configuring an IKE Policy on page 340

For an example of an IKE policy configuration, see "Example: Configuring an IKE Policy" on page 340.

Configuring the IKE Phase

Starting with Junos OS Release 11.4, both IKEv1 and IKEv2 are supported by default on all M Series, MX Series, and T Series routers. You can configure the specific IKE phase (version) to be supported for the negotiation. However, if only IKEv1 is supported, the Junos OS rejects IKEv2 negotiations. Similarly, if only IKEv2 is supported, the Junos OS rejects all IKEv1 negotiations. To configure the IKE version used, include the version statement at the [edit services ipsec-vpn ike policy policy-name] hierarchy level:

    [edit services ipsec-vpn ike policy policy-name]
    version (1 | 2);

Configuring the Mode for an IKE Policy

IKE policy has two modes: aggressive and main. The peer can use the aggressive or main mode to start IKE negotiation; the remote peer accepts the mode sent by the peer. Main mode uses six messages, in three exchanges, to establish the IKE SA. (These three steps are IKE SA negotiation, a Diffie-Hellman exchange, and authentication of the peer.) Main mode also allows a peer to hide its identity. Aggressive mode also establishes an authenticated IKE SA and keys. However, aggressive mode uses half the number of messages, has less negotiation power, and does not provide identity protection: the identities and the authentication hash travel before the exchange is encrypted, so with preshared keys the hash is exposed to offline guessing of the key. Use main mode unless the peer requires aggressive mode. By default, main mode is enabled. To configure the mode for an IKE policy, include the mode statement and specify aggressive or main at the [edit services ipsec-vpn ike policy policy-name] hierarchy level:

    [edit services ipsec-vpn ike policy policy-name]
    mode (aggressive | main);

NOTE: The mode configuration is required only if the version option is set to 1.

Configuring the Proposals in an IKE Policy

The IKE policy includes a list of one or more proposals associated with an IKE policy. To configure the proposals in an IKE policy, include the proposals statement and specify one or more proposal names at the [edit services ipsec-vpn ike policy policy-name] hierarchy level:

    [edit services ipsec-vpn ike policy policy-name]
    proposals [ proposal-names ];

Configuring the Preshared Key for an IKE Policy

When you include the authentication-method pre-shared-keys statement at the [edit services ipsec-vpn ike proposal proposal-name] hierarchy level, IKE policy preshared keys authenticate peers. You must manually configure a preshared key, which must match that of its peer. The preshared key can be an ASCII text (alphanumeric) key or a hexadecimal key. To configure the preshared key in an IKE policy, include the pre-shared-key statement and a key at the [edit services ipsec-vpn ike policy policy-name] hierarchy level:

    [edit services ipsec-vpn ike policy policy-name]
    pre-shared-key (ascii-text key | hexadecimal key);

The key can be one of the following:
• ascii-text—ASCII text key. With the des-cbc option, the key contains 8 ASCII characters. With the 3des-cbc option, the key contains 24 ASCII characters.
• hexadecimal—Hexadecimal key. With the des-cbc option, the key contains 16 hexadecimal characters. With the 3des-cbc option, the key contains 48 hexadecimal characters.

Whatever its length, the key must match the peer's key exactly; the example on page 340 uses keys of other lengths. For more information, see "Configuring the Authentication Method for an IKE Proposal" on page 333.

Configuring the Local Certificate for an IKE Policy

When you include the authentication-method rsa-signatures statement at the [edit services ipsec-vpn ike proposal proposal-name] hierarchy level, public key infrastructure (PKI) digital certificates authenticate peers. You must identify a local certificate that is sent to the peer during the IKE authentication phase. The local-certificate statement specifies the identifier used to obtain the end entity's certificate from the certification authority. Configuring it in an IKE policy allows you the flexibility of using a separate certificate with each remote peer if that is needed. To configure the local certificate for an IKE policy, include the local-certificate statement at the [edit services ipsec-vpn ike policy policy-name] hierarchy level:

    [edit services ipsec-vpn ike policy policy-name]
    local-certificate identifier;

For more information, see "Configuring the Authentication Method for an IKE Proposal" on page 333. For complete examples of digital certificate configuration, see the Junos OS Feature Guides.

You must also specify the identity of the certification authority by configuring the ca-profile statement at the [edit security pki] hierarchy level. For more information, see the Junos OS System Basics Configuration Guide. You can use the configured profiles to establish a set of trusted certification authorities for use with a particular service set. This enables you to configure separate service sets for individual clients to whom you are providing IP services, using different local gateway addresses, or virtualization; the distinct service sets provide logical separation of one set of IKE sessions from another. To configure the set of trusted certification authorities, include

the trusted-ca statement at the [edit services service-set service-set-name ipsec-vpn-options] hierarchy level:

    [edit services service-set service-set-name ipsec-vpn-options]
    trusted-ca ca-profile;

For details, see "Configuring IPsec Service Sets" on page 573.

Configuring a Certificate Revocation List

A certificate revocation list (CRL) contains a list of digital certificates that have been cancelled before their expiration date. When a participating peer uses a digital certificate, it checks the certificate signature and validity. It also acquires the most recently issued CRL and checks that the certificate serial number is not on that CRL. To use the CA certificate revocation list, you include statements at the [edit security pki ca-profile ca-profile-name revocation-check] hierarchy level. For more information, see the Junos OS System Basics Configuration Guide.

By default, certificate revocation list verification is enabled. You can disable CRL verification by including the disable statement at the [edit security pki ca-profile ca-profile-name revocation-check] hierarchy level. With verification disabled, a peer presenting a revoked certificate is still authenticated, so treat this as a deliberate exception rather than a default.

NOTE: By default, if the router either cannot access the Lightweight Directory Access Protocol (LDAP) URL or retrieve a valid certificate revocation list, certificate verification fails and the IPsec tunnel is not established. To override this behavior and permit the authentication of the IPsec peer when the CRL is not downloaded, include the disable on-download-failure statement at the [edit security pki ca-profile ca-profile-name revocation-check crl] hierarchy level. This override has the same effect as disabling verification for as long as the CRL cannot be fetched.

Configuring the Description for an IKE Policy

To specify an optional text description for an IKE policy, include the description statement at the [edit services ipsec-vpn ike policy policy-name] hierarchy level:

    [edit services ipsec-vpn ike policy policy-name]
    description description;

Configuring Local and Remote IDs for IKE Phase 1 Negotiation

You can optionally specify local identifiers for use in IKE phase 1 negotiation. If the local-id statement is omitted, the local gateway address is used. To specify one or more local IDs, include the local-id statement at the [edit services ipsec-vpn ike policy policy-name] hierarchy level:

    [edit services ipsec-vpn ike policy policy-name]
    local-id (ipv4_addr ipv4-address | ipv6-addr ipv6-address | key-id identifier);

You can also specify remote gateway identifiers for which the IKE policy is used. The remote gateway address in which this policy is defined is added by default.
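The following IKE policy is an added example, not configuration from the guide. It authenticates a peer with RSA signatures over IKEv2, names both ends by key-id rather than by address, scopes the trusted CA to one service set, and shows how the revocation-check overrides described above would look so that they can be recognized during a configuration review. The proposal name ike-strong, the certificate identifier, the identifiers, the CA profile name and the service-set name are assumptions; the remote-id statement is described on the next page, and the ca-identity statement under ca-profile is documented outside this section.

```junos
# Added example; every name below is a placeholder.
[edit services ipsec-vpn ike]
policy branch-peer {
    description "IKEv2, RSA-signature authentication, certificates from ca-corp";
    version 2;
    # no mode statement: mode applies only when version is 1
    proposals [ ike-strong ];
    # certificate sent to the peer during IKE authentication
    local-certificate hub-router-cert;
    # identities carried in the exchange instead of the gateway addresses
    local-id key-id "hub.example.net";
    remote-id {
        key_id [ "branch1.example.net" "branch2.example.net" ];
    }
}

# Trust only the CA that issued the peers' certificates, and only for this
# service set; another service set can trust a different CA.
[edit services service-set branch-vpn ipsec-vpn-options]
trusted-ca ca-corp;

# CRL checking is left at its default (enabled). The two overrides are shown
# as comments: either one lets a peer whose certificate has been revoked
# authenticate, so they belong in a change record, not in a baseline.
[edit security pki ca-profile ca-corp]
ca-identity ca-corp;
# revocation-check {
#     disable;                        # never consults the CRL
# }
# revocation-check {
#     crl {
#         disable on-download-failure; # accepts peers while the CRL fetch fails
#     }
# }
```

Because the policy carries no pre-shared-key statement, a proposal that uses pre-shared-keys cannot be listed in it; the proposal and policy must agree on the authentication method.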

To specify one or more remote IDs, include the remote-id statement at the [edit services ipsec-vpn ike policy policy-name] hierarchy level:

    [edit services ipsec-vpn ike policy policy-name]
    remote-id {
        any-remote-id;
        ipv4_addr [ values ];
        ipv6_addr [ values ];
        key_id [ values ];
    }

The any-remote-id option allows any remote address to connect. This option is supported only in dynamic endpoint configurations and cannot be configured along with specific values. For more information about dynamic endpoint configurations, see "Configuring Dynamic Endpoints for IPsec Tunnels" on page 353.

Example: Configuring an IKE Policy

Define two IKE policies, policy 10.1.1.2 and policy 10.1.1.1. Policy 10.1.1.2 is associated with proposal-1 and proposal-2; policy 10.1.1.1 is associated with proposal-2 and proposal-3. The following configuration uses only IKEv1 for negotiation.

    [edit services ipsec-vpn]
    ike {
        proposal proposal-1 {
            authentication-method pre-shared-keys;
            dh-group group1;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 1000;
        }
        proposal proposal-2 {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm md5;
            encryption-algorithm des-cbc;
            lifetime-seconds 10000;
        }
        proposal proposal-3 {
            authentication-method rsa-signatures;
            dh-group group2;
            authentication-algorithm md5;
            encryption-algorithm des-cbc;
            lifetime-seconds 10000;
        }
        policy 10.1.1.2 {
            mode main;
            proposals [ proposal-1 proposal-2 ];
            pre-shared-key ascii-text example-pre-shared-key;
        }
        policy 10.1.1.1 {
            local-certificate certificate-file-name;
            local-key-pair private-public-key-file;
            mode aggressive;
            proposals [ proposal-2 proposal-3 ];
            pre-shared-key hexadecimal 0102030abbcd;
        }

    }

NOTE: Updates to the current IKE proposal and policy configuration are not applied to the current IKE SA; updates are applied to new IKE SAs. If you want the new updates to take immediate effect, you must clear the existing IKE security associations so that they will be reestablished with the changed configuration. For information about how to clear the current IKE security association, see the Junos OS System Basics and Services Command Reference.

Configuring IPsec Proposals

An IPsec proposal lists protocols and algorithms (security services) to be negotiated with the remote IPsec peer. To configure an IPsec proposal, include the proposal statement and specify an IPsec proposal name at the [edit services ipsec-vpn ipsec] hierarchy level:

    [edit services ipsec-vpn ipsec]
    proposal proposal-name {
        authentication-algorithm (hmac-md5-96 | hmac-sha1-96);
        description description;
        encryption-algorithm algorithm;
        lifetime-seconds seconds;
        protocol (ah | esp | bundle);
    }

This section discusses the following topics:
• Configuring the Authentication Algorithm for an IPsec Proposal on page 341
• Configuring the Description for an IPsec Proposal on page 342
• Configuring the Encryption Algorithm for an IPsec Proposal on page 342
• Configuring the Lifetime for an IPsec SA on page 342
• Configuring the Protocol for a Dynamic SA on page 343

Configuring the Authentication Algorithm for an IPsec Proposal

To configure the authentication algorithm for an IPsec proposal, include the authentication-algorithm statement at the [edit services ipsec-vpn ipsec proposal proposal-name] hierarchy level:

    [edit services ipsec-vpn ipsec proposal proposal-name]
    authentication-algorithm (hmac-md5-96 | hmac-sha1-96);

The authentication algorithm can be one of the following:
• hmac-md5-96—Hash algorithm that authenticates packet data. It produces a 128-bit digest. Only 96 bits are used for authentication.

• hmac-sha1-96—Hash algorithm that authenticates packet data. It produces a 160-bit digest. Only 96 bits are used for authentication.

Configuring the Description for an IPsec Proposal

To specify an optional text description for an IPsec proposal, include the description statement at the [edit services ipsec-vpn ipsec proposal proposal-name] hierarchy level:

    [edit services ipsec-vpn ipsec proposal proposal-name]
    description description;

Configuring the Encryption Algorithm for an IPsec Proposal

To configure the encryption algorithm for an IPsec proposal, include the encryption-algorithm statement at the [edit services ipsec-vpn ipsec proposal proposal-name] hierarchy level:

    [edit services ipsec-vpn ipsec proposal proposal-name]
    encryption-algorithm algorithm;

The encryption algorithm can be one of the following:
• 3des-cbc—Encryption algorithm with an 8-byte block size and a 24-byte key; the key is 192 bits long, of which 168 bits are effective key material.
• aes-128-cbc—Advanced Encryption Standard (AES) 128-bit encryption algorithm.
• aes-192-cbc—Advanced Encryption Standard (AES) 192-bit encryption algorithm.
• aes-256-cbc—Advanced Encryption Standard (AES) 256-bit encryption algorithm.
• des-cbc—Encryption algorithm with an 8-byte block size and an 8-byte key; the effective key is 56 bits long.

NOTE: For a list of Data Encryption Standard (DES) encryption algorithm weak and semiweak keys, see RFC 2409, The Internet Key Exchange (IKE). For 3des-cbc, the three 8-byte key parts should all differ from one another; in particular, the second 8 bytes must not equal the third 8 bytes, because a triple-DES (EDE) key whose second and third parts are equal degenerates to single DES under the first part.

The AES encryption algorithms use a software implementation that has much lower throughput, so DES remains the recommended option where throughput is the constraint. Bear in mind that the 56-bit des-cbc key is within reach of brute-force search; where the software throughput is acceptable, prefer an AES option, and otherwise 3des-cbc. If you configure no specific authentication or encryption values, the Junos OS uses the default values of sha1 (hmac-sha1-96) for the authentication and 3des-cbc for the encryption. If you configure an authentication proposal but do not include the encryption statement, the result is NULL encryption, which provides integrity protection only and sends the payload in the clear. Certain applications expect this result.

Configuring the Lifetime for an IPsec SA

When a dynamic IPsec SA is created, two types of lifetimes are used: hard and soft. The hard lifetime specifies the lifetime of the SA. The soft lifetime, which is derived from the hard lifetime, informs the IPsec key management system that the SA is about to expire.

This allows the key management system to negotiate a new SA before the hard lifetime expires. The soft lifetime values are as follows:
• Initiator: Soft lifetime = Hard lifetime – 135 seconds.
• Responder: Soft lifetime = Hard lifetime – 90 seconds.

To configure the hard lifetime value, include the lifetime-seconds statement and specify the number of seconds at the [edit services ipsec-vpn ipsec proposal proposal-name] hierarchy level:

    [edit services ipsec-vpn ipsec proposal proposal-name]
    lifetime-seconds seconds;

The default lifetime is 28,800 seconds. The range is from 180 through 86,400 seconds.

Configuring the Protocol for a Dynamic SA

The protocol statement sets the protocol for a dynamic SA. IPsec uses two protocols to protect IP traffic: ESP and AH. The ESP protocol can support authentication, encryption, or both. The AH protocol is used for strong authentication. AH also authenticates the IP packet, including the immutable fields of its outer IP header, which is why AH does not survive address translation on the path. The bundle option uses AH authentication and ESP encryption; it does not use ESP authentication because AH provides stronger authentication of IP packets. To configure the protocol for a dynamic SA, include the protocol statement and specify the ah, esp, or bundle option at the [edit services ipsec-vpn ipsec proposal proposal-name] hierarchy level:

    [edit services ipsec-vpn ipsec proposal proposal-name]
    protocol (ah | esp | bundle);

Configuring IPsec Policies

An IPsec policy defines a combination of security parameters (IPsec proposals) used during IPsec negotiation. It defines Perfect Forward Secrecy (PFS) and the proposals needed for the connection. First, you configure one or more IPsec proposals; then you associate these proposals with an IPsec policy.

You can create multiple, prioritized IPsec proposals at each peer to ensure that at least one proposal matches a remote peer's proposal. You can prioritize the list of proposals used by IPsec in the policy statement by listing the proposals you want to use, from first to last. During the IPsec negotiation, IPsec looks for a proposal that is the same on both peers. The peer that initiates the negotiation sends all its policies to the remote peer, and the remote peer tries to find a match. A match is made when both policies from the two peers have a proposal that contains the same configured attributes. If the lifetimes are not identical, the shorter lifetime between the two policies (from the host and peer) is used.

To configure an IPsec policy, include the policy statement, and specify the policy name and one or more proposals to associate with the policy, at the [edit services ipsec-vpn ipsec] hierarchy level:

    [edit services ipsec-vpn ipsec]
    policy policy-name {
        description description;
        perfect-forward-secrecy {
            keys (group1 | group2 | group5 | group14);
        }
        proposals [ proposal-names ];
    }

This section includes the following topics related to configuring an IPsec policy:
• Configuring the Description for an IPsec Policy on page 344
• Configuring Perfect Forward Secrecy on page 344
• Configuring the Proposals in an IPsec Policy on page 345
• Example: Configuring an IPsec Policy on page 345

Configuring the Description for an IPsec Policy

To specify an optional text description for an IPsec policy, include the description statement at the [edit services ipsec-vpn ipsec policy policy-name] hierarchy level:

    [edit services ipsec-vpn ipsec policy policy-name]
    description description;

Configuring Perfect Forward Secrecy

PFS provides additional security by means of a Diffie-Hellman shared secret value. With PFS, if one key is compromised, previous and subsequent keys are secure because they are not derived from previous keys. This statement is optional. To configure PFS, include the perfect-forward-secrecy statement and specify a Diffie-Hellman group at the [edit services ipsec-vpn ipsec policy policy-name] hierarchy level:

    [edit services ipsec-vpn ipsec policy policy-name]
    perfect-forward-secrecy {
        keys (group1 | group2 | group5 | group14);
    }

The key can be one of the following:
• group1—Specifies that IKE use the 768-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.
• group2—Specifies that IKE use the 1024-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.

• group5—Specifies that IKE use the 1536-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.
• group14—Specifies that IKE use the 2048-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.

The higher numbered groups provide more security than the lower numbered groups, but require more processing time.

Configuring the Proposals in an IPsec Policy

The IPsec policy includes a list of one or more proposals associated with an IPsec policy. To configure the proposals in an IPsec policy, include the proposals statement and specify one or more proposal names at the [edit services ipsec-vpn ipsec policy policy-name] hierarchy level:

    [edit services ipsec-vpn ipsec policy policy-name]
    proposals [ proposal-names ];

Example: Configuring an IPsec Policy

Define an IPsec policy, dynamic-policy-1, that is associated with two proposals (dynamic-1 and dynamic-2):

    [edit services ipsec-vpn ipsec]
    proposal dynamic-1 {
        protocol esp;
        authentication-algorithm hmac-md5-96;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 6000;
    }
    proposal dynamic-2 {
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 6000;
    }
    policy dynamic-policy-1 {
        perfect-forward-secrecy {
            keys group1;
        }
        proposals [ dynamic-1 dynamic-2 ];
    }

NOTE: Updates to the current IPsec proposal and policy configuration are not applied to the current IPsec SA; updates are applied to new IPsec SAs. If you want the new updates to take immediate effect, you must clear the existing IPsec security associations so that they will be reestablished with the changed configuration. For information about how to clear the current IPsec security association, see the Junos OS System Basics and Services Command Reference.

IPsec Policy for Dynamic Endpoints

An IPsec policy for dynamic endpoints defines a combination of security parameters (IPsec proposals) used during IPsec negotiation between dynamic peer security gateways, in which the remote ends of tunnels do not have a statically assigned IP address. During the IPsec negotiation, the IPsec policy looks for an IPsec proposal that is the same on both peers. The peer that initiates the negotiation sends all its policies to the remote peer, and the remote peer tries to find a match. A match is made when the policies from the two peers have a proposal that contains the same configured attributes. If the lifetimes are not identical, the shorter lifetime between the two policies (from the host and peer) is used. If no policy is set, any policy proposed by the dynamic peer is accepted. For more information about configuring IPsec policy, see "Configuring IPsec Policies" on page 343.

Related Documentation
• Configuring IPsec Policies on page 343

Configuring IPsec Rules

To configure an IPsec rule, include the rule statement and specify a rule name at the [edit services ipsec-vpn] hierarchy level:

    [edit services ipsec-vpn]
    rule rule-name {
        match-direction (input | output);
        term term-name {
            from {
                destination-address address;
                ipsec-inside-interface interface-name;
                source-address address;
            }
            then {
                anti-replay-window-size bits;
                backup-remote-gateway address;
                clear-dont-fragment-bit;
                dynamic {
                    ike-policy policy-name;
                    ipsec-policy policy-name;
                }
                initiate-dead-peer-detection;
                manual {
                    direction (inbound | outbound | bidirectional) {
                        authentication {
                            algorithm (hmac-md5-96 | hmac-sha1-96);
                            key (ascii-text key | hexadecimal key);
                        }
                        auxiliary-spi spi-value;
                        encryption {
                            algorithm algorithm;

                            key (ascii-text key | hexadecimal key);
                        }
                        protocol (ah | bundle | esp);
                        spi spi-value;
                    }
                }
                no-anti-replay;
                remote-gateway address;
                syslog;
                tunnel-mtu bytes;
            }
        }
    }

Each IPsec rule consists of a set of terms, similar to a firewall filter. A term consists of the following:
• from statement—Specifies the match conditions and applications that are included and excluded.
• then statement—Specifies the actions and action modifiers to be performed by the router software.

The following sections explain how to configure the components of IPsec rules:
• Configuring Match Direction for IPsec Rules on page 347
• Configuring Match Conditions in IPsec Rules on page 348
• Configuring Actions in IPsec Rules on page 349

Configuring Match Direction for IPsec Rules

Each rule must include a match-direction statement that specifies whether the match is applied on the input or output side of the interface. To configure where the match is applied, include the match-direction (input | output) statement at the [edit services ipsec-vpn rule rule-name] hierarchy level:

    [edit services ipsec-vpn rule rule-name]
    match-direction (input | output);

The match direction is used with respect to the traffic flow through the AS or Multiservices PIC. When a packet is sent to the PIC, direction information is carried along with it.

With an interface service set, packet direction is determined by whether a packet is entering or leaving the interface on which the service set is applied.

With a next-hop service set, packet direction is determined by the interface used to route the packet to the AS or Multiservices PIC. If the inside interface is used to route the packet, the packet direction is input. If the outside interface is used to direct the packet to the PIC, the packet direction is output. For more information on inside and outside interfaces, see "Configuring Service Sets to be Applied to Services Interfaces" on page 568.

On the AS or Multiservices PIC, a flow lookup is performed. If no flow is found, rule processing is performed. All rules in the service set are considered. During rule processing,

the packet direction is compared against rule directions. Only rules with direction information that match the packet direction are considered.

Configuring Match Conditions in IPsec Rules

To configure the match conditions in an IPsec rule, include the from statement at the [edit services ipsec-vpn rule rule-name term term-name] hierarchy level:

    [edit services ipsec-vpn rule rule-name term term-name]
    from {
        destination-address address;
        ipsec-inside-interface interface-name;
        source-address address;
    }

You can use either the source address or the destination address as a match condition, in the same way that you would configure a firewall filter. For more information, see the Junos OS Routing Policy Configuration Guide. If you do not specifically configure either the source address or destination address, the default value 0.0.0.0/0 (IPv4 ANY) is used. To use IPv6 ANY (0::0/128) as either source or destination address, you must configure it explicitly. IPsec services support both IPv4 and IPv6 address formats.

For next-hop-style service sets only, the ipsec-inside-interface statement allows you to assign a logical interface to the tunnels established as a result of this match condition. If multiple link-type tunnels are configured within the same next-hop-style service set, the ipsec-inside-interface value enables the rule lookup module to distinguish a particular tunnel from other tunnels in case the source and destination addresses for all of them are 0.0.0.0/0 (ANY-ANY). The inside-service-interface statement that you can configure at the [edit services service-set name next-hop-service] hierarchy level allows you to specify .1 and .2 as the inside and outside interfaces. However, you can configure multiple adaptive services logical interfaces with the service-domain inside statement and use one of them to configure the ipsec-inside-interface statement. For more information, see "Configuring Service Sets to be Applied to Services Interfaces" on page 568 and Interface Properties.

NOTE: When you configure the ipsec-inside-interface statement, interface-style service sets are not supported.

A special situation is provided by a term containing an "any-any" match condition (usually because the from statement is omitted). If there is an any-any match in a tunnel, a flow is not needed, because all flows within this tunnel use the same security association (SA) and packet selectors do not play a significant role. As a result, these tunnels use packet-based IPsec. This strategy saves some flow resources on the PIC, which can be used for other tunnels that need a flow-based service.

Chapter 16: IPsec Services Configuration Guidelines

However, if a service set contains both any-any terms and selector-based terms, a mixture of flowless and flow-based IPsec is supported within a service set. Flowless IPsec service is provided to link-type tunnels with an any-any matching, as well as to dynamic tunnels with any-any matching in both dedicated and shared mode. For link-type tunnels, missing selectors in the from clause result in a packet-based IPsec service. For non link-type tunnels, flow-based service is provided to all the tunnels. If a service set includes some terms with any-any matching and some terms with selectors in the from clause, packet-based service is provided for the any-any tunnels and flow-based service is provided for the other tunnels with selectors.

The following configuration example shows an any-any tunnel configuration with no from statement in term-1.

    services {
        ipsec-vpn {
            rule rule-1 {
                term term-1 {
                    then {
                        remote-gateway 10.1.1.1;
                        dynamic {
                            ike-policy ike_policy;
                            ipsec-policy ipsec_policy;
                        }
                    }
                }
                match-direction input;
            }
        }
    }

Configuring Actions in IPsec Rules

To configure actions in an IPsec rule, include the then statement at the [edit services ipsec-vpn rule rule-name term term-name] hierarchy level:

    [edit services ipsec-vpn rule rule-name term term-name]
    then {
        anti-replay-window-size bits;
        backup-remote-gateway address;
        clear-dont-fragment-bit;
        dynamic {
            ike-policy policy-name;
            ipsec-policy policy-name;
        }
        initiate-dead-peer-detection;
        manual {
            direction (inbound | outbound | bidirectional) {
                authentication {
                    algorithm (hmac-md5-96 | hmac-sha1-96);
                    key (ascii-text key | hexadecimal key);
                }
                auxiliary-spi spi-value;
                encryption {

                    algorithm algorithm;
                    key (ascii-text key | hexadecimal key);
                }
                protocol (ah | bundle | esp);
                spi spi-value;
            }
        }
        no-anti-replay;
        remote-gateway address;
        syslog;
        tunnel-mtu bytes;
    }

The principal IPsec actions are to configure a dynamic or manual SA:

• You configure a dynamic SA by including the dynamic statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level and referencing policies you have configured at the [edit services ipsec-vpn ipsec] and [edit services ipsec-vpn ike] hierarchy levels; for more information, see “Configuring Dynamic Security Associations” on page 331.
• You configure a manual SA by including the manual statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level; for more information, see “Configuring Manual Security Associations” on page 327.

You can configure the following additional properties:

• Enabling IPsec Packet Fragmentation on page 350
• Configuring Destination Addresses for Dead Peer Detection on page 350
• Configuring or Disabling IPsec Anti-Replay on page 352
• Enabling System Log Messages on page 352
• Specifying the MTU for IPsec Tunnels on page 352

Enabling IPsec Packet Fragmentation

To enable fragmentation of IP version 4 (IPv4) packets in IPsec tunnels, include the clear-dont-fragment-bit statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level:

    [edit services ipsec-vpn rule rule-name term term-name then]
    clear-dont-fragment-bit;

Setting the clear-dont-fragment-bit statement clears the Don’t Fragment (DF) bit in the packet header, regardless of the packet size. If the packet size exceeds the tunnel maximum transmission unit (MTU) value, the packet is fragmented before encapsulation. For IPsec tunnels, the default MTU value is 1500 regardless of the interface MTU setting.

Configuring Destination Addresses for Dead Peer Detection

To specify the remote address to which the IPsec traffic is directed, include the remote-gateway statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level:

    [edit services ipsec-vpn rule rule-name term term-name then]

    remote-gateway address;

To specify a backup remote address, include the backup-remote-gateway statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level:

    [edit services ipsec-vpn rule rule-name term term-name then]
    backup-remote-gateway address;

These two statements support both IPv4 and IPv6 address formats.

Configuring the backup-remote-gateway statement enables the dead peer detection (DPD) protocol, which monitors the tunnel state and remote peer availability. When the primary tunnel defined by the remote-gateway statement is active, the backup tunnel is in standby mode. Failover takes place if the tunnel is declared dead or there is an IPsec Phase 1 negotiation timeout. If the DPD protocol determines that the primary remote gateway address is no longer reachable, a new tunnel is established to the backup address.

If a tunnel becomes inactive, the router takes the following steps to failover to the backup address:

1. A global timer polls all tunnels every 10 seconds and the Adaptive Services (AS) or Multiservices Physical Interface Card (PIC) sends a message listing any inactive tunnels. If there is no incoming traffic from a peer during a defined interval of 10 seconds, the router detects a tunnel as inactive.
2. The adaptive services message triggers the DPD protocol to send a hello message to the peer. If no acknowledgment is received, two retries are sent at 2-second intervals, and then the tunnel is declared dead.
3. If the DPD protocol determines that the primary remote gateway address is no longer reachable, a new tunnel is established to the backup address. The primary tunnel is put in standby mode and the backup becomes active.
4. If the negotiation to the backup tunnel times out, the router switches back to the primary tunnel. If both peers are down, it tries the failover six times. It then stops failing over and reverts to the original configuration, with the primary tunnel active and the backup in standby mode.

You can also enable triggering of DPD Hello messages without configuring a backup remote gateway by including the initiate-dead-peer-detection statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level:

    [edit services ipsec-vpn rule rule-name term term-name then]
    initiate-dead-peer-detection;

This configuration enables the router to initiate DPD Hellos when a backup IPsec gateway does not exist and clean up the IKE and IPsec SAs in case the IKE peer is not reachable. The monitoring behavior is the same as described for the backup-remote-gateway statement. However, when you configure initiate-dead-peer-detection without a backup remote gateway address and the DPD protocol determines that the primary remote gateway address is no longer reachable, the tunnel is declared dead and IKE and IPsec SAs are cleaned up.
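The failover sequence above (10-second poll, one hello plus two retries 2 seconds apart, six failover attempts, then reversion) is easy to get wrong when writing monitoring or detection logic around it, so here it is as a small executable model. This is an added example and not Junos or kmd code; the gateway addresses, the `TunnelPair` class and the `primary_acks`/`backup_negotiates` callables are constructed stand-ins for the peer and the IKE negotiation.

```python
"""Model of the DPD-driven backup-gateway failover described in the text above."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

POLL_INTERVAL = 10          # global timer polls every tunnel every 10 seconds
INACTIVITY_INTERVAL = 10    # no traffic from the peer for 10 seconds -> inactive
HELLO_RETRIES = 2           # two retries ...
RETRY_INTERVAL = 2          # ... sent at 2-second intervals
MAX_FAILOVER_ATTEMPTS = 6   # failover is tried six times when both peers are down


def dpd_probe(ack_arrives: Callable[[int], bool]) -> dict:
    """Send one DPD hello and up to HELLO_RETRIES retries.

    ack_arrives(offset) reports whether the peer acknowledged the hello sent
    `offset` seconds after the first one (constructed stand-in for the wire).
    """
    offsets: List[int] = []
    for attempt in range(1 + HELLO_RETRIES):
        offset = attempt * RETRY_INTERVAL
        offsets.append(offset)
        if ack_arrives(offset):
            return {"state": "alive", "hellos_sent_at": offsets}
    return {"state": "dead", "hellos_sent_at": offsets}


@dataclass
class TunnelPair:
    primary: str                      # remote-gateway address (constructed)
    backup: Optional[str] = None      # backup-remote-gateway address, if configured
    active: Optional[str] = "primary"
    log: List[str] = field(default_factory=list)

    def poll(self, last_rx_age: int, primary_acks: Callable[[int], bool],
             backup_negotiates: Callable[[int], bool]) -> Optional[str]:
        """One poll-timer tick for this tunnel; returns which tunnel is active."""
        if last_rx_age < INACTIVITY_INTERVAL:
            return self.active                       # traffic seen: tunnel is active
        probe = dpd_probe(lambda _offset: primary_acks(0))
        if probe["state"] == "alive":
            return self.active
        self.log.append("primary declared dead after hellos at %s s" % probe["hellos_sent_at"])
        if self.backup is None:
            # initiate-dead-peer-detection without a backup: just clean up the SAs
            self.active = None
            self.log.append("IKE and IPsec SAs cleaned up")
            return None
        for attempt in range(1, MAX_FAILOVER_ATTEMPTS + 1):
            if backup_negotiates(attempt):
                self.active = "backup"
                self.log.append(f"failover {attempt}: backup active, primary in standby")
                return self.active
            self.log.append(f"failover {attempt}: backup negotiation timed out, back to primary")
            if dpd_probe(lambda _offset: primary_acks(attempt))["state"] == "alive":
                self.active = "primary"
                self.log.append(f"primary reachable again after attempt {attempt}")
                return self.active
        # both peers stayed down for six attempts: revert to the original configuration
        self.active = "primary"
        self.log.append("failover attempts exhausted: primary active, backup in standby")
        return self.active


if __name__ == "__main__":
    pair = TunnelPair("10.1.1.1", "10.1.1.2")   # constructed addresses
    print(pair.poll(12, lambda _a: False, lambda _a: True), pair.log)
```

The `log` list is the useful output for a detection engineer: each entry corresponds to one of the events (tunnel declared dead, failover, reversion) that the text describes and that a syslog-based monitor would want to alert on.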

For more information on the DPD protocol, see RFC 3706, A Traffic-Based Method of Detecting Dead Internet Key Exchange (IKE) Peers.

Configuring or Disabling IPsec Anti-Replay

To configure the size of the IPsec antireplay window, include the anti-replay-window-size statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level:

    [edit services ipsec-vpn rule rule-name term term-name then]
    anti-replay-window-size bits;

anti-replay-window-size can take values in the range from 64 through 4096 bits. The default value is 64 bits for AS PICs and 128 bits for Multiservices PICs and DPCs. AS PICs can support a maximum replay window size of 1024 bits, whereas Multiservices PICs and DPCs can support a maximum replay window size of 4096 bits. When the software is committing an IPsec configuration, the key management process (kmd) is unable to differentiate between the service interface types. As a result, if the maximum antireplay window size exceeds 1024 for AS PICs, the commit succeeds and no error message is produced. However, the software internally sets the antireplay window size for AS PICs to 1024 bits even if the configured value of the anti-replay-window-size is larger.

By default, antireplay service is enabled. Occasionally this can cause interoperability issues with other vendors’ equipment. To disable the IPsec antireplay feature, include the no-anti-replay statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level:

    [edit services ipsec-vpn rule rule-name term term-name then]
    no-anti-replay;

Enabling System Log Messages

To record an alert in the system logging facility, include the syslog statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level:

    [edit services ipsec-vpn rule rule-name term term-name then]
    syslog;

Specifying the MTU for IPsec Tunnels

To configure a specific maximum transmission unit (MTU) value for IPsec tunnels, include the tunnel-mtu statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level:

    [edit services ipsec-vpn rule rule-name term term-name then]
    tunnel-mtu bytes;

NOTE: The tunnel-mtu setting is the only place you need to configure an MTU value for IPsec tunnels. Inclusion of an mtu setting at the [edit interfaces sp-fpc/pic/port unit logical-unit-number family inet] hierarchy level is not supported.
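Two things in the anti-replay discussion are worth seeing in code: the silent clamp of anti-replay-window-size to 1024 bits on AS PICs (the commit succeeds, so only the effective value tells you what is really enforced), and what the window size buys you when packets arrive out of order. The block below is an added example, not Junos or kmd code; the platform names are constructed labels, and the `ReplayWindow` class is a plain bitmap sliding window in the style of RFC 4303 Appendix A rather than the PIC's implementation.

```python
"""Effective anti-replay window per platform, plus a sliding-window replay check."""

WINDOW_RANGE = (64, 4096)                                  # anti-replay-window-size bits
PLATFORM_MAX = {"as-pic": 1024, "ms-pic": 4096, "ms-dpc": 4096}   # constructed labels
PLATFORM_DEFAULT = {"as-pic": 64, "ms-pic": 128, "ms-dpc": 128}


def effective_window(platform: str, configured: int = None) -> int:
    """Window size actually enforced: AS PICs clamp at 1024 while the commit still succeeds."""
    if configured is None:
        return PLATFORM_DEFAULT[platform]
    lo, hi = WINDOW_RANGE
    if not lo <= configured <= hi:
        raise ValueError(f"anti-replay-window-size must be {lo}..{hi}, got {configured}")
    return min(configured, PLATFORM_MAX[platform])


class ReplayWindow:
    """Bitmap sliding window (RFC 4303 Appendix A style); bit i = (highest - i) seen."""

    def __init__(self, size: int):
        self.size = size
        self.highest = 0          # highest sequence number accepted so far
        self.bitmap = 0

    def accept(self, seq: int) -> bool:
        if seq <= 0:
            return False          # sequence number 0 is never valid
        if seq > self.highest:    # right of the window: slide it forward
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 0
            else:
                self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size:
            return False          # older than the window: dropped, not tracked
        if self.bitmap & (1 << diff):
            return False          # already seen inside the window: replay
        self.bitmap |= 1 << diff
        return True


def run(size: int, sequence_numbers) -> list:
    """Apply one window to a constructed arrival order and return accept/reject per packet."""
    window = ReplayWindow(size)
    return [window.accept(s) for s in sequence_numbers]


if __name__ == "__main__":
    print(effective_window("as-pic", 4096), effective_window("ms-dpc", 4096))
    print(run(64, [2000, 1500]), run(1024, [2000, 1500, 900]))
```

The last two calls show the operational consequence of the clamp: a packet that arrives 500 sequence numbers behind the newest one is accepted by a 1024-bit window but dropped by a 64-bit one, so a reordering path that works on a Multiservices PIC with a 4096-bit window may drop traffic on an AS PIC whose configured 4096 is really 1024.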

Configuring IPsec Rule Sets

The rule-set statement defines a collection of IPsec rules that determine what actions the router software performs on packets in the data stream. You define each rule by specifying a rule name and configuring terms. Then, you specify the order of the rules by including the rule-set statement at the [edit services ipsec-vpn] hierarchy level with a rule statement for each rule:

    [edit services ipsec-vpn]
    rule-set rule-set-name {
        rule rule-name;
    }

The router software processes the rules in the order in which you specify them in the configuration. If a term in a rule matches the packet, the router performs the corresponding action and the rule processing stops. If no term in a rule matches the packet, processing continues to the next rule in the rule set. If none of the rules matches the packet, the packet is dropped by default.

Configuring Dynamic Endpoints for IPsec Tunnels

IPsec tunnels can also be established using dynamic peer security gateways, in which the remote ends of tunnels do not have a statically assigned IP address. Since the remote address is not known and might be pulled from an address pool each time the remote host reboots, establishment of the tunnel relies on using IKE main mode with either preshared global keys or digital certificates that accept any remote identification value. For more information on IKE policy modes, see “Configuring the Mode for an IKE Policy” on page 337.

Both policy-based and link-type tunnels are supported:

• Policy-based tunnels use shared mode.
• Link-type or routed tunnels use dedicated mode. Each tunnel allocates a service interface from a pool of interfaces configured for the dynamic peers. Routing protocols can be configured to run on these service interfaces to learn routes over the IPsec tunnel that is used as a link in this scenario.

This section includes the following topics:

• Authentication Process on page 354
• Implicit Dynamic Rules on page 354
• Reverse Route Insertion on page 355
• Configuring an IKE Access Profile on page 355
• Referencing the IKE Access Profile in a Service Set on page 357
• Configuring the Interface Identifier on page 357
• Default IKE and IPsec Proposals on page 358
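The rule-set processing just described (ordered rules, first matching term wins, default drop) and the earlier match-condition rules (missing selectors mean ANY-ANY, ipsec-inside-interface telling ANY-ANY link-type tunnels apart, packet-based versus flow-based service) combine into one lookup, modelled here as an added example. It is not Junos or kmd code; the rule names, addresses and interface names in `RULE_SET` are constructed for the example, and the direction check simply skips rules whose match-direction differs from the packet's direction.

```python
"""Ordered IPsec rule-set lookup with selector and ANY-ANY terms (constructed model)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Term:
    name: str
    remote_gateway: str                        # then remote-gateway
    source: Optional[str] = None               # from source-address (None = ANY)
    destination: Optional[str] = None          # from destination-address (None = ANY)
    inside_interface: Optional[str] = None     # from ipsec-inside-interface

    def is_any_any(self) -> bool:
        # A term without selectors (typically a missing from statement) is ANY-ANY.
        return self.source is None and self.destination is None

    def matches(self, pkt: dict) -> bool:
        if self.inside_interface and pkt["inside_interface"] != self.inside_interface:
            return False
        src_ok = self.source is None or (
            ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.source, strict=False))
        dst_ok = self.destination is None or (
            ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.destination, strict=False))
        return src_ok and dst_ok


@dataclass
class Rule:
    name: str
    match_direction: str          # input | output
    terms: List[Term]


def service_mode(term: Term, link_type: bool) -> str:
    """Packet-based (flowless) IPsec only for link-type ANY-ANY tunnels; else flow-based."""
    return "packet-based" if link_type and term.is_any_any() else "flow-based"


def lookup(rule_set: List[Rule], pkt: dict, link_type: bool = True) -> dict:
    """Walk the rule set in configured order: first matching term wins, else drop."""
    for rule in rule_set:
        if rule.match_direction != pkt["direction"]:
            continue                   # only rules in the packet's direction are considered
        for term in rule.terms:
            if term.matches(pkt):
                return {"action": "encrypt", "rule": rule.name, "term": term.name,
                        "remote_gateway": term.remote_gateway,
                        "mode": service_mode(term, link_type)}
    return {"action": "drop"}


# Constructed sample rule set: one selector-based rule followed by two ANY-ANY
# link-type tunnels that differ only in their ipsec-inside-interface.
RULE_SET = [
    Rule("rule-a", "input", [
        Term("selectors", "10.9.9.1", source="10.1.0.0/16", destination="192.168.0.0/16"),
    ]),
    Rule("rule-b", "input", [
        Term("tunnel-1", "10.9.9.2", inside_interface="sp-0/0/0.1"),
        Term("tunnel-2", "10.9.9.3", inside_interface="sp-0/0/0.2"),
    ]),
]


def classify(pkt: dict) -> dict:
    return lookup(RULE_SET, pkt)


if __name__ == "__main__":
    print(classify({"src": "172.16.0.9", "dst": "203.0.113.7",
                    "direction": "input", "inside_interface": "sp-0/0/0.2"}))
```

Note that the selector term in rule-a wins for a matching packet whichever inside interface it arrived on, because it carries no ipsec-inside-interface constraint; only the ANY-ANY terms need the interface to be told apart.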

Authentication Process

The remote (dynamic peer) initiates the negotiations with the local (Juniper Networks) router. If preshared key authentication is used, the preshared key is global for a service set. This key is the one configured in the IKE access profile referenced by the service set. When seeking the preshared key for the peer, the local router matches the peer’s source address against any explicitly configured preshared keys in that service set. If a match is not found, the local router uses the global preshared key for authentication.

Implicit proposals contain a list of all the supported transforms that the local router expects from all the dynamic peers. The local router uses the default IKE and IPsec policies to match the proposals sent by the remote peer to negotiate the security association (SA) values.

Phase 2 of the authentication matches the proxy identities of the protected hosts and networks sent by the peer against a list of configured proxy identities. You can configure proxy identities by including the allowed-proxy-pair statement in the IKE access profile. If no entry matches, the negotiation is rejected. If you do not configure the allowed-proxy-pair statement, the default value ANY(0.0.0.0/0)-ANY is applied, and the local router accepts any proxy identities sent by the peer. Both IPv4 and IPv6 addresses are accepted, but you must configure all IPv6 addresses manually. The accepted proxy identity is used to create the dynamic rules for encrypting the traffic. Once the phase 2 negotiation completes successfully, the router builds the dynamic rules and inserts the reverse route into the routing table using the accepted proxy identity.

Implicit Dynamic Rules

After successful negotiation with the dynamic peer, the key management process (kmd) creates a dynamic rule for the accepted phase 2 proxy and applies it on the local AS or Multiservices PIC. This rule is used to encrypt traffic directed to one of the end hosts in the phase 2 proxy identity. The source and destination addresses are specified by the accepted proxy. The dynamic rule includes an ipsec-inside-interface value, which is the interface name assigned to the dynamic tunnel. The source-address and destination-address values are accepted from the proxy ID. The match-direction value is input for next-hop-style service sets.

NOTE: You do not configure this rule; it is created by the key management process (kmd).

When a packet is received for a service set, static rules are always matched first, in the order configured. Rule lookup for static tunnels is unaffected by the presence of a dynamic rule. Dynamic rules are matched after the rule match for static rules has failed.

Response to dead peer detection (DPD) hello messages takes place the same way with dynamic peers as with static peers. Initiating DPD hello messages from dynamic peers is not supported. For more information on DPD, see “Configuring Destination Addresses for Dead Peer Detection” on page 350.

Reverse Route Insertion

Static routes are automatically inserted into the route table for those networks and hosts protected by a remote tunnel endpoint. These protected hosts and networks are known as remote proxy identities. Each route is created based on the remote proxy network and mask sent by the peer and is inserted in the relevant route table after successful phase 1 and phase 2 negotiations. No routes are added if the accepted remote proxy address is the default (0.0.0.0/0). In this case you can run routing protocols over the IPsec tunnel to learn routes and add static routes for the traffic you want to be protected over this tunnel.

For next-hop-style service sets, the reverse routes include next hops pointing to the locations specified by the inside-service-interface statement. The route table in which to insert these routes depends on where the inside-service-interface location is listed. If these interfaces are present in a VPN routing and forwarding (VRF) instance, then routes are added to the corresponding VRF table; otherwise, the routes are added to inet.0. These routes are added only for next-hop-style service sets. The route preference for each static reverse route is 1. This value is necessary to avoid conflict with similar routes that might be added by the routing protocol process (rpd).

NOTE: Reverse route insertion takes place only for tunnels to dynamic peers.

Configuring an IKE Access Profile

You can configure only one tunnel profile per service set for all dynamic peers. The configured preshared key in the profile is used for IKE authentication of all dynamic peers terminating in that service set. Alternatively, you can include the ike-policy statement to reference an IKE policy you define with either specific identification values or a wildcard (the any-remote-id option). You configure the IKE policy at the [edit services ipsec-vpn ike] hierarchy level; for more information, see “Configuring IKE Policies” on page 335.

The IKE tunnel profile specifies all the information needed to complete the IKE negotiation. Each protocol has its own statement hierarchy within the client statement to configure protocol-specific attribute value pairs, but only one client configuration is allowed for each profile. The following is the configuration at the [edit access] hierarchy level; for more information on access profiles, see the Junos OS System Basics Configuration Guide.

    [edit access]
    profile profile-name {
        client * {
            ike {
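The two mechanisms just described, the implicit dynamic rule kmd builds from the accepted phase 2 proxy and the reverse route inserted for it, are modelled together below as an added example (not Junos or kmd code). The `AcceptedProxy` and `ServiceSet` classes, the VRF name and the interface names are constructed for the example; the table-naming convention `vrf-name.inet.0` / `vrf-name.inet6.0` is the standard Junos one, and the IPv6 default `::/0` is treated the same way as 0.0.0.0/0 because the text says ANY proxies of either family get no route.

```python
"""Dynamic rule and reverse-route construction after a dynamic peer's phase 2 (model)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

DEFAULT_PROXIES = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}


@dataclass
class AcceptedProxy:
    remote: str             # remote proxy identity (network/mask) sent by the peer
    local: str              # local proxy identity
    inside_interface: str   # interface allocated to this tunnel from the ipsec-interface-id pool


@dataclass
class ServiceSet:
    style: str                      # "next-hop" or "interface"
    inside_service_interface: str   # inside-service-interface of the service set
    vrf: Optional[str] = None       # routing instance holding that interface, if any


def dynamic_rule(proxy: AcceptedProxy) -> dict:
    """Shape of the rule installed for one accepted proxy: selectors from the proxy ID,
    the tunnel's inside interface, and match-direction input."""
    return {
        "source-address": proxy.local,
        "destination-address": proxy.remote,
        "ipsec-inside-interface": proxy.inside_interface,
        "match-direction": "input",
    }


def reverse_routes(service_set: ServiceSet, proxies: List[AcceptedProxy]) -> List[dict]:
    """Static reverse routes to insert: one per non-default remote proxy, preference 1."""
    routes = []
    if service_set.style != "next-hop":
        return routes                     # only next-hop-style service sets get them
    for proxy in proxies:
        prefix = ipaddress.ip_network(proxy.remote, strict=False)
        if prefix in DEFAULT_PROXIES:
            continue                      # ANY: rely on routing protocols / static routes
        family = "inet6" if prefix.version == 6 else "inet"
        table = f"{service_set.vrf}.{family}.0" if service_set.vrf else f"{family}.0"
        routes.append({"table": table, "prefix": str(prefix),
                       "next-hop": service_set.inside_service_interface,
                       "preference": 1})   # 1 so rpd-learned routes do not conflict
    return routes


# Constructed sample: one IPv4 proxy, one ANY proxy, one IPv6 proxy.
SAMPLE_PROXIES = [
    AcceptedProxy("172.16.2.0/24", "172.16.1.0/24", "sp-1/0/0.5"),
    AcceptedProxy("0.0.0.0/0", "0.0.0.0/0", "sp-1/0/0.6"),
    AcceptedProxy("2001:db8:2::/48", "2001:db8:1::/48", "sp-1/0/0.7"),
]

if __name__ == "__main__":
    ss = ServiceSet("next-hop", "sp-1/0/0.1", vrf="vrf-a")
    for route in reverse_routes(ss, SAMPLE_PROXIES):
        print(route)
```

A practitioner checking a router after a dynamic peer comes up can compare `show route table vrf-name.inet.0` against this model: a missing reverse route usually means the peer sent an ANY proxy, the service set is interface-style, or the inside interface lives in a different routing instance than expected.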

                allowed-proxy-pair {
                    remote remote-proxy-address local local-proxy-address;
                }
                pre-shared-key (ascii-text key-string | hexadecimal key-string);
                ike-policy policy-name;
                ipsec-policy ipsec-policy;
                interface-id <string-value>;
            }
        }
    }

NOTE: For dynamic peers, the Junos OS supports the IKE main mode with either the preshared key method of authentication or an IKE access profile that uses a local digital certificate. In preshared key mode, the IP address is used to identify a tunnel peer to get the preshared key information. In digital certificate mode, the IKE policy defines which remote identification values are allowed.

The client value * (wildcard) means that configuration within this profile is valid for all dynamic peers terminating within the service set accessing this profile.

The following statements make up the IKE profile:

• allowed-proxy-pair—During phase 2 IKE negotiation, the remote peer supplies its network address (remote) and its peer’s network address (local). Since multiple dynamic tunnels are authenticated through the same mechanism, this statement must include the list of possible combinations. If the dynamic peer does not present a valid combination, the phase 2 IKE negotiation fails. By default, remote 0.0.0.0/0 local 0.0.0.0/0 is used if no values are configured. Both IPv4 and IPv6 address formats are supported in this configuration, but there are no default IPv6 addresses. You must specify even 0::0/0.
• pre-shared-key—Key used to authenticate the dynamic peer during IKE phase 1 negotiation. This key is known to both ends through an out-of-band secure mechanism. You can configure the value either in hexadecimal or ascii-text format. It is a mandatory value.
• ike-policy—Policy that defines the remote identification values corresponding to the allowed dynamic peers; the policy can contain a wildcard value any-remote-id for use in dynamic endpoint configurations only. For more information, see “Configuring IKE Policies” on page 335.
• ipsec-policy—Name of the IPsec policy that defines the IPsec policy information for the session. You define the IPsec policy at the [edit services ipsec-vpn ipsec policy policy-name] hierarchy level. If no policy is set, any policy proposed by the dynamic peer is accepted.
• interface-id—Interface identifier, a mandatory attribute used to derive the logical service interface information for the session.

Referencing the IKE Access Profile in a Service Set

To complete the configuration, you need to reference the IKE access profile configured at the [edit access] hierarchy level. To do this, include the ike-access-profile statement at the [edit services service-set name ipsec-vpn-options] hierarchy level:

    [edit services service-set name]
    ipsec-vpn-options {
        local-gateway address;
        ike-access-profile profile-name;
    }
    next-hop-service {
        inside-service-interface interface-name;
        outside-service-interface interface-name;
    }

The ike-access-profile statement must reference the same name as the profile statement you configured for IKE access at the [edit access] hierarchy level. You can reference only one access profile in each service set. This profile is used to negotiate IKE and IPsec security associations with dynamic peers only.

NOTE: If you configure an IKE access profile in a service set, no other service set can share the same local-gateway address. Also, all interfaces referenced by the ipsec-inside-interface statement within a service set must belong to the same VRF instance; you must configure a separate service set for each VRF instance.

Configuring the Interface Identifier

You can configure an interface identifier for a group of dynamic peers, which specifies which adaptive services logical interface(s) take part in the dynamic IPsec negotiation. By assigning the same interface identifier to multiple logical interfaces, you can create a pool of interfaces for this purpose. To configure an interface identifier, include the ipsec-interface-id statement and the dedicated or shared statement at the [edit interfaces interface-name unit logical-unit-number dial-options] hierarchy level:

    [edit interfaces interface-name unit logical-unit-number dial-options]
    ipsec-interface-id identifier;
    (dedicated | shared);

Specifying the interface identifier in the dial-options statement makes this logical interface part of the pool identified by the ipsec-interface-id statement.

NOTE: Only one interface identifier can be specified at a time. You can include the ipsec-interface-id statement or the l2tp-interface-id statement, but not both.

If you configure shared mode, it enables one logical interface to be shared across multiple tunnels. The dedicated statement specifies that the logical interface is used in a dedicated mode, which is necessary when you are configuring an IPsec link-type tunnel. You must include the dedicated statement when you specify an ipsec-interface-id value.

Default IKE and IPsec Proposals

The software includes implicit default IKE and IPsec proposals to match the proposals sent by the dynamic peers. The values are shown in Table 13 on page 358; if more than one value is shown, the first value is the default. For more information on IKE proposals, see “Configuring IKE Proposals” on page 332; for more information on IPsec proposals, see “Configuring IPsec Proposals” on page 341.

NOTE: RSA certificates are not supported with dynamic endpoint configuration.

Table 13: Default IKE and IPsec Proposals for Dynamic Negotiations

    Statement Name              Values

    Implicit IKE Proposal
    authentication-method       pre-shared keys
    dh-group                    group1, group2, group5, group14
    authentication-algorithm    sha1, md5, sha-256
    encryption-algorithm        3des-cbc, des-cbc, aes-128, aes-192, aes-256
    lifetime-seconds            3600 seconds

    Implicit IPsec Proposal
    protocol                    esp, ah, bundle
    authentication-algorithm    hmac-sha1-96, hmac-md5-96
    encryption-algorithm        3des-cbc, des-cbc, aes-128, aes-192, aes-256
    lifetime-seconds            28,800 seconds (8 hours)

Tracing IPsec Operations

Trace operations track IPsec events and record them in a log file in the /var/log directory. By default, this file is named /var/log/kmd. To trace IPsec operations, include the traceoptions statement at the [edit services ipsec-vpn] hierarchy level:

    [edit services ipsec-vpn]
    traceoptions {
        file <filename> <files number> <match regular-expression> <size bytes> <world-readable | no-world-readable>;
        flag flag;
        level level;
        no-remote-trace;
    }

You can specify the following IPsec tracing flags:

• all—Trace everything.
• certificates—Trace certificates events.
• database—Trace security associations database events.
• general—Trace general events.
• ike—Trace IKE module processing.
• parse—Trace configuration processing.
• policy-manager—Trace policy manager processing.
• routing-socket—Trace routing socket messages.
• snmp—Trace SNMP operations.
• timer—Trace internal timer events.

The level statement sets the key management process (kmd) tracing level. The following values are supported:

• all—Match all levels.
• error—Match error conditions.
• info—Match informational messages.
• notice—Match conditions that should be handled specially.
• verbose—Match verbose messages.
• warning—Match warning messages.

Disabling IPsec Tunnel Endpoint in Traceroute

If you include the no-ipsec-tunnel-in-traceroute statement at the [edit services ipsec-vpn] hierarchy level, the IPsec tunnel is not treated as a next hop and TTL is not decremented. Also, if the TTL reaches zero, an ICMP time exceeded message is not generated.

    [edit services ipsec-vpn]
    no-ipsec-tunnel-in-traceroute;

NOTE: This functionality is also provided by the passive-mode-tunneling statement described in “Configuring IPsec Service Sets” on page 573. You can use the no-ipsec-tunnel-in-traceroute statement in specific scenarios in which the IPsec tunnel should not be treated as a next hop and passive mode is not desired.

Tracing IPsec PKI Operations

Trace operations track IPsec PKI events and record them in a log file in the /var/log directory. By default, this file is named /var/log/pkid. To trace IPsec PKI operations, include the traceoptions statement at the [edit security pki] hierarchy level:

    [edit security pki]
    traceoptions {
        file filename <files number> <match regular-expression> <size maximum-file-size> <world-readable | no-world-readable>;
        flag flag (all | certificate-verification | enrollment | online-crl-check);
    }

You can specify the following PKI tracing flags:

• all—Trace everything.
• certificates—Trace certificates events.
• database—Trace security associations database events.
• general—Trace general events.
• ike—Trace IKE module processing.
• parse—Trace configuration processing.
• policy-manager—Trace policy manager processing.
• routing-socket—Trace routing socket messages.
• snmp—Trace SNMP operations.
• timer—Trace internal timer events.

Configuring IPSec on the Services SDK

Starting with Junos OS Release 11.4, IPSec is supported by the Services SDK. IPSec on the Services SDK is supported on all M Series, T Series and MX Series routers with Multiservices 100, Multiservices 400 PICs, and Multiservices DPCs.

IPSec on the Services SDK has the following limitations:

• IPSec on the Services SDK supports only policies negotiated between dynamic peer security gateways in which the remote ends of tunnels do not have a statically assigned IP address (Dynamic Endpoints).

• Encapsulating Security Payload (ESP) is the only protocol that is supported for protecting IP traffic.
• IPSec on the Services SDK does not support IPv6.

For more information about the Services SDK, see the SDK Applications Configuration Guide and Command Reference.

To enable IPSec for the Services SDK on the adaptive services interface, configure the object-cache-size, policy-db-size, and package statements at the [edit chassis fpc slot-number pic pic-number adaptive-services service-package extension-provider] hierarchy level. For the IPSec plugin on the Services SDK, package-name in the package package-name statement is jservices-ipsec.

The following example shows how to enable IPSec for the Services SDK on the adaptive services interface:

    chassis {
        fpc 1 {
            pic 2 {
                adaptive-services {
                    service-package {
                        extension-provider {
                            control-cores 1;
                            data-cores 7;
                            object-cache-size 1280;
                            policy-db-size 64;
                            package jservices-crypto-base;
                            package jservices-ipsec;
                        }
                    }
                }
            }
        }
    }

Configure the inside and outside interfaces for next-hop-style service sets:

    service-set abc {
        next-hop-service {
            inside-service-interface ms-0/2/0.1;   # Name and logical unit number of the service interface associated with the service set applied inside the network.
            outside-service-interface ms-0/2/0.2;  # Name and logical unit number of the service interface associated with the service set applied outside the network.
        }
    }

Examples: Configuring IPsec Services

See the following sections:

• Example: Configuring Statically Assigned Tunnels on page 362
• Example: Configuring Dynamically Assigned Tunnels on page 364
• Multitask Example: Configuring IPsec Services on page 369

Example: Configuring Statically Assigned Tunnels

Following is the configuration of the provider edge (PE) router, demonstrating the usage of next-hop service sets and dynamic SA configuration:

    [edit interfaces]
    so-0/0/0 {
        no-keepalives;
        encapsulation cisco-hdlc;
        unit 0 {
            family inet {
                address 10.6.6.6/32;
            }
        }
    }
    so-2/2/0 {
        description "teller so-0/2/0";
        no-keepalives;
        encapsulation cisco-hdlc;
        unit 0 {
            family inet {
                address 10.7.7.7/32;
            }
        }
    }
    sp-3/1/0 {
        unit 0 {
            family inet {
                address 10.1.21.1/16;
            }
        }
        unit 1 {
            family inet;
            service-domain inside;
        }
        unit 2 {
            family inet;
            service-domain outside;
        }
    }
    [edit policy-options]
    policy-statement vpn-export {
        then {
            community add vpn-comm;
            accept;
        }
    }
    policy-statement vpn-import {
        term a {
            from community vpn-comm;
            then accept;
        }
    }
    community vpn-comm members target:100:20;
    [edit routing-instances]

    vrf {
        instance-type vrf;
        interface so-0/0/0.0;
        interface sp-3/1/0.1;   # Inside sp interface
        route-distinguisher 192.168.1.1:1;
        vrf-import vpn-import;
        vrf-export vpn-export;
        routing-options {
            static {
                route 10.0.0.0/0 next-hop so-0/0/0.0;
                route 10.1.8.1/32 next-hop sp-3/1/0.1;
                route 10.8.1.1/32 next-hop so-0/0/0.0;
            }
        }
    }
    [edit services]
    ipsec-vpn {
        rule rule-1 {
            term term-1 {
                then {
                    remote-gateway 10.1.21.2;
                    dynamic {
                        ike-policy ike-policy;
                    }
                }
            }
            match-direction input;
        }
        ike {
            policy ike-policy {
                pre-shared-key ascii-text "$9$ExmcSeMWxdVYBI";
            }
        }
    }
    service-set service-set-1 {
        next-hop-service {
            inside-service-interface sp-3/1/0.1;
            outside-service-interface sp-3/1/0.2;
        }
        ipsec-vpn-options {
            local-gateway 10.1.21.1;
        }
        ipsec-vpn-rules rule-1;
    }

Following is an example for configuring multiple link-type tunnels to static peers using a single next-hop style service set:

    services ipsec-vpn {
        rule demo-rule {
            term term-0 {
                from {
                    ipsec-inside-interface sp-0/0/0.1;
                }
                then {
                    remote-gateway 10.1.1.1;
                    dynamic {
                        ike-policy demo-ike-policy;
                    }
                }
            }

3. } services { service-set demo-service-set { next-hop-service { inside-service-interface sp-0/0/0. dynamic { ike-policy demo-ike-policy.4 Services Interfaces Configuration Guide dynamic { ike-policy demo-ike-policy. Inc. } ipsec-rules demo-rule. } } interfaces sp-0/0/0 { unit 0 { family inet. } } } } match-direction input.1.3. } unit 4 { family inet. outside-service-interface sp-0/0/0. } then { remote-gateway 10. } ipsec-vpn-options { local-gateway 10. } } } term term-1 { from { ipsec-inside-interface sp-0/0/0.Junos 11.1.1. } unit 2 { family inet. Juniper Networks.3. } unit 3 { family inet. service-domain inside. service-domain inside. } } Example: Configuring Dynamically Assigned Tunnels The following examples are based on this network configuration (see Figure 9 on page 365): 364 Copyright © 2011. } unit 1 { family inet.3. .2. service-domain inside. service-domain outside.1.

Example: Configuring Dynamically Assigned Tunnels

The following examples are based on this network configuration (see Figure 9 on page 365):

• A local network N-1 behind security gateway SG-1, a Juniper Networks router terminating static as well as dynamic peer endpoints. The tunnel termination address on SG-1 is 10.1.1.1 and the local network address is 172.16.1.0/24.

• Two remote peer routers that obtain addresses from an ISP pool and run RFC-compliant IKE. Remote network N-2 has address 172.16.2.0/24 and resides behind security gateway SG-2 with tunnel termination address 10.1.1.2. Remote network N-3 has address 172.16.3.0/24 and resides behind security gateway SG-3 with tunnel termination address 10.1.1.3.

Figure 9: IPsec Dynamic Endpoint Tunneling Topology

The examples in this section show the following configurations:

• Configuring a Next-Hop Style Service Set with Link-Type Tunnels on page 365
• Configuring a Next-Hop Style Service-Set with Policy-Based Tunnels on page 367

NOTE: All the configurations are given for the Juniper Networks router terminating dynamic endpoint connections.

Configuring a Next-Hop Style Service Set with Link-Type Tunnels

access {
    profile demo-access-profile {
        client * {
            ike {
                allowed-proxy-pair {
                    remote 0.0.0.0/0 local 0.0.0.0/0;    # ANY to ANY
                }
                pre-shared-key {
                    ascii-text keyfordynamicpeers;
                }
                interface-id demo-ipsec-interface-id;
            }
        }
    }
}
services {
    service-set demo-service-set {
        next-hop-service {
            inside-service-interface sp-1/0/0.1;
            outside-service-interface sp-1/0/0.2;
        }
        ipsec-vpn-options {
            local-gateway 10.1.1.1;
            ike-access-profile demo-ike-access-profile;
        }
    }
}

NOTE: Including the ike-access-profile statement enables the software to incorporate implicit proposals for dynamic endpoint authentication. You do not need to configure IKE or IPsec proposals explicitly.

interfaces {
    sp-0/0/0 {
        unit 0 {
            family inet;
        }
        unit 1 {
            family inet;
            service-domain inside;
        }
        unit 2 {
            family inet;
            service-domain outside;
        }
        unit 3 {
            family inet;
            service-domain inside;
            dial-options {
                ipsec-interface-id demo-ipsec-interface-id;
                dedicated;
            }
        }
        unit 4 {
            family inet;
            service-domain inside;
            dial-options {
                ipsec-interface-id demo-ipsec-interface-id;
                dedicated;
            }
        }
    }
}

The following results are obtained:

• Reverse routes inserted after successful negotiation: None
• Routes learned by routing protocol: 172.16.2.0/24, 172.16.3.0/24
• Dynamic implicit rules created after successful negotiation:

rule: junos-dynamic-rule-0
term: term-0
local-gateway-address : 10.1.1.1    #Tunnel termination address on SG-1
remote-gateway-address: 10.1.1.2    #Tunnel termination address on SG-2
source-address : 0.0.0.0/0
destination-address : 0.0.0.0/0
ipsec-inside-interface: sp-0/0/0.3
term: term-1
local-gateway-address : 10.1.1.1    #Tunnel termination address on SG-1
remote-gateway-address: 10.1.1.3    #Tunnel termination address on SG-3
source-address : 0.0.0.0/0
destination-address : 0.0.0.0/0
ipsec-inside-interface: sp-0/0/0.4
match-direction: input

Configuring a Next-Hop Style Service-Set with Policy-Based Tunnels

access {
    profile demo-access-profile {
        client * {
            ike {
                allowed-proxy-pair {
                    remote 172.16.2.0/24 local 172.16.1.0/24;    #N-2 <==> #N-1
                    remote 172.16.3.0/24 local 172.16.1.0/24;    #N-3 <==> #N-1
                }
                pre-shared-key {
                    ascii-text keyfordynamicpeers;
                }
                interface-id demo-ipsec-interface-id;
            }
        }
    }
}
services {
    service-set demo-service-set {
        next-hop-service {
            inside-service-interface sp-1/0/0.1;
            outside-service-interface sp-1/0/0.2;
        }
        ipsec-vpn-options {
            local-gateway 10.1.1.1;
            ike-access-profile demo-ike-access-profile;
        }
    }
}

NOTE: Including the ike-access-profile statement enables the software to incorporate implicit proposals for dynamic endpoint authentication. You do not need to configure IKE or IPsec proposals explicitly.

interfaces {
    sp-0/0/0 {
        unit 0 {
            family inet;
        }
        unit 1 {
            family inet;
            service-domain inside;
        }
        unit 2 {
            family inet;
            service-domain outside;
        }
        unit 3 {
            family inet;
            service-domain inside;
            dial-options {
                ipsec-interface-id demo-ipsec-interface-id;
                mode shared;
            }
        }
    }
}
# VRF configuration
routing-instances {
    demo-vrf {
        instance-type vrf;
        interface sp-0/0/0.1;
        interface sp-0/0/0.3;    # Routing instance, if not inet.0
        ...
    }
}

The following results are obtained:

• Reverse routes injected after successful negotiation:

demo-vrf.inet.0:
172.16.2.0/24 *[Static/1] ... > via sp-0/0/0.3
172.16.3.0/24 *[Static/1] ... > via sp-0/0/0.3

• Dynamic implicit rules created after successful negotiation:

rule: junos-dynamic-rule-0
term: term-0
local-gateway-address : 10.1.1.1    #Tunnel termination address on SG-1
remote-gateway-address: 10.1.1.2    #Tunnel termination address on SG-2
source-address : 172.16.1.0/24
destination-address : 172.16.2.0/24
ipsec-inside-interface: sp-0/0/0.3
term: term-1
local-gateway-address : 10.1.1.1    #Tunnel termination address on SG-1
remote-gateway-address: 10.1.1.3    #Tunnel termination address on SG-3
source-address : 172.16.1.0/24
destination-address : 172.16.3.0/24
ipsec-inside-interface: sp-0/0/0.3
match-direction: input
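The dynamic implicit rules listed above are the proxy identities the router actually accepted from its dynamic peers, so an operator will want to confirm they stay inside the access profile's allowed-proxy-pair list. The following added example (not Juniper code) parses a listing in the format shown above, re-typed here as a constructed sample with an extra out-of-policy term, and reports every term outside the configured local/remote pairs; the function names are this example's own.

```python
"""Audit the dynamic implicit rules a router reports against the access
profile's allowed-proxy-pair list. Added example, not Juniper code."""
import ipaddress
import re

# One "key : value" line of the listing; the colon may be spaced either way.
LINE_RE = re.compile(r"^\s*([A-Za-z-]+)\s*:\s*(\S+)")


def parse_dynamic_rules(text):
    """Return one dict per 'term:' line, each tagged with the rule it belongs to."""
    terms, rule, current = [], None, None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "rule":
            rule = value
        elif key == "term":
            current = {"rule": rule, "term": value}
            terms.append(current)
        elif current is not None:
            current[key] = value
    return terms


def term_permitted(term, allowed_pairs):
    """True if the term's source lies within some pair's local prefix and its
    destination within that same pair's remote prefix."""
    src = ipaddress.ip_network(term["source-address"], strict=False)
    dst = ipaddress.ip_network(term["destination-address"], strict=False)
    for local, remote in allowed_pairs:
        if (src.subnet_of(ipaddress.ip_network(local))
                and dst.subnet_of(ipaddress.ip_network(remote))):
            return True
    return False


def audit(text, allowed_pairs):
    """Return (rule, term, source, destination) for every term outside the pairs."""
    return [(t["rule"], t["term"], t["source-address"], t["destination-address"])
            for t in parse_dynamic_rules(text) if not term_permitted(t, allowed_pairs)]


# (local, remote) pairs as written in the policy-based profile: N-2 <==> N-1, N-3 <==> N-1.
POLICY_PAIRS = [("172.16.1.0/24", "172.16.2.0/24"), ("172.16.1.0/24", "172.16.3.0/24")]
# The link-type profile's ANY-to-ANY pair.
ANY_PAIRS = [("0.0.0.0/0", "0.0.0.0/0")]

# Constructed sample listing: the two terms from the example plus a third term
# (term-2) whose destination is not one of the configured remote networks.
SAMPLE_OUTPUT = """\
rule: junos-dynamic-rule-0
term: term-0
local-gateway-address : 10.1.1.1
remote-gateway-address: 10.1.1.2
source-address : 172.16.1.0/24
destination-address : 172.16.2.0/24
ipsec-inside-interface: sp-0/0/0.3
term: term-1
local-gateway-address : 10.1.1.1
remote-gateway-address: 10.1.1.3
source-address : 172.16.1.0/24
destination-address : 172.16.3.0/24
ipsec-inside-interface: sp-0/0/0.3
term: term-2
local-gateway-address : 10.1.1.1
remote-gateway-address: 10.1.1.9
source-address : 172.16.1.0/24
destination-address : 172.16.9.0/24
ipsec-inside-interface: sp-0/0/0.3
match-direction: input
"""

if __name__ == "__main__":
    for hit in audit(SAMPLE_OUTPUT, POLICY_PAIRS):
        print("outside allowed-proxy-pair:", hit)
```

Under the ANY-to-ANY pair of the link-type profile the same listing produces no findings, which is exactly why that profile gives the peers more latitude than the policy-based one.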

Multitask Example: Configuring IPsec Services

The following example-based instructions show how to configure IPsec services. The configuration involves defining an IKE policy, an IPsec policy, IPsec rules, trace options, and service sets. This topic includes the following tasks:

1. Configuring the IKE Proposal on page 369
2. Configuring the IKE Policy (and Referencing the IKE Proposal) on page 370
3. Configuring the IPsec Proposal on page 370
4. Configuring the IPsec Policy (and Referencing the IPsec Proposal) on page 371
5. Configuring the IPsec Rule (and Referencing the IKE and IPsec Policies) on page 372
6. Configuring IPsec Trace Options on page 373
7. Configuring the Access Profile (and Referencing the IKE and IPsec Policies) on page 373
8. Configuring the Service Set (and Referencing the IKE Profile and the IPsec Rule) on page 374

Configuring the IKE Proposal

The IKE proposal configuration defines the algorithms and keys used to establish the secure IKE connection with the peer security gateway. For more information about IKE proposals, see “Configuring IKE Proposals” on page 332.

To define the IKE proposal:

1. In configuration mode, go to the following hierarchy level:

   user@host# edit services ipsec-vpn

2. Configure the authentication method, which is pre-shared keys in this example:

   [edit services ipsec-vpn]
   user@host# set ike proposal test-IKE-proposal authentication-method pre-shared-keys

3. Configure the Diffie-Hellman Group and specify a name—for example, group1:

   [edit services ipsec-vpn]
   user@host# set ike proposal test-IKE-proposal dh-group group1

4. Configure the authentication algorithm, which is sha1 in this example:

   [edit services ipsec-vpn]
   user@host# set ike proposal test-IKE-proposal authentication-algorithm sha1

5. Configure the encryption algorithm, which is aes-256-cbc in this example:

   [edit services ipsec-vpn]
   user@host# set ike proposal test-IKE-proposal encryption-algorithm aes-256-cbc

The following sample output shows the configuration of the IKE proposal:

[edit services ipsec-vpn]
user@host# show ike proposal
test-IKE-proposal {

    authentication-method pre-shared-keys;
    dh-group group1;
    authentication-algorithm sha1;
    encryption-algorithm aes-256-cbc;
}

Configuring the IKE Policy (and Referencing the IKE Proposal)

The IKE policy configuration defines the proposal, mode, addresses, and other security parameters used during IKE negotiation. For more information about IKE policies, see “Configuring IKE Policies” on page 335.

To define the IKE policy and reference the IKE proposal:

1. In configuration mode, go to the following hierarchy level:

   user@host# edit services ipsec-vpn

2. Configure the IKE first phase mode—for example, main:

   [edit services ipsec-vpn]
   user@host# set ike policy test-IKE-policy mode main

3. Configure the proposal, which is test-IKE-proposal in this example:

   [edit services ipsec-vpn]
   user@host# set ike policy test-IKE-policy proposals test-IKE-proposal

4. Configure the local identification with an IPv4 address—for example, 192.168.255.2:

   [edit services ipsec-vpn]
   user@host# set ike policy test-IKE-policy local-id ipv4_addr 192.168.255.2

5. Configure the preshared key in ASCII text format, which is TEST in this example:

   [edit services ipsec-vpn]
   user@host# set ike policy test-IKE-policy pre-shared-key ascii-text TEST

The following sample output shows the configuration of the IKE policy:

[edit services ipsec-vpn]
user@host# show ike policy
test-IKE-policy {
    mode main;
    proposals test-IKE-proposal;
    local-id ipv4_addr 192.168.255.2;
    pre-shared-key ascii-text TEST;
}

Configuring the IPsec Proposal

The IPsec proposal configuration defines the protocols and algorithms (security services) that are required to negotiate with the remote IPsec peer. For more information about IPsec proposals, see “Configuring IPsec Proposals” on page 341.

To define the IPsec proposal:

1. In configuration mode, go to the following hierarchy level:

   user@host# edit services ipsec-vpn

2. Configure the IPsec protocol for the proposal—for example, esp:

   [edit services ipsec-vpn]
   user@host# set ipsec proposal test-IPsec-proposal protocol esp

3. Configure the authentication algorithm for the proposal, which is hmac-sha1-96 in this example:

   [edit services ipsec-vpn]
   user@host# set ipsec proposal test-IPsec-proposal authentication-algorithm hmac-sha1-96

4. Configure the encryption algorithm for the proposal, which is aes-256-cbc in this example:

   [edit services ipsec-vpn]
   user@host# set ipsec proposal test-IPsec-proposal encryption-algorithm aes-256-cbc

The following sample output shows the configuration of the IPsec proposal:

[edit services ipsec-vpn]
user@host# show ipsec proposal
test-IPsec-proposal {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm aes-256-cbc;
}

Configuring the IPsec Policy (and Referencing the IPsec Proposal)

The IPsec policy configuration defines a combination of security parameters (IPsec proposals) used during IPsec negotiation. It defines PFS and the proposals needed for the connection. For more information about IPsec policies, see “Configuring IPsec Policies” on page 343.

To define the IPsec policy and reference the IPsec proposal:

1. In configuration mode, go to the following hierarchy level:

   user@host# edit services ipsec-vpn

2. Configure the keys for perfect forward secrecy in the IPsec policy—for example, group1:

   [edit services ipsec-vpn]
   user@host# set ipsec policy test-IPsec-policy perfect-forward-secrecy keys group1

3. Configure a set of IPsec proposals in the IPsec policy—for example, test-IPsec-proposal:

   [edit services ipsec-vpn]
   user@host# set ipsec policy test-IPsec-policy proposals test-IPsec-proposal

The following sample output shows the configuration of the IPsec policy:

[edit services ipsec-vpn]
user@host# show ipsec policy test-IPsec-policy
perfect-forward-secrecy {
    keys group1;

}
proposals test-IPsec-proposal;

Configuring the IPsec Rule (and Referencing the IKE and IPsec Policies)

The IPsec rule configuration defines the direction that specifies whether the match is applied on the input or output side of the interface. The configuration also consists of a set of terms that specify the match conditions and applications that are included and excluded, and also specify the actions and action modifiers to be performed by the router software. For more information about IPsec rules, see “Configuring IPsec Rules” on page 346.

To define the IPsec rule and reference the IKE and IPsec policies:

1. In configuration mode, go to the following hierarchy level:

   user@host# edit services ipsec-vpn

2. Configure the IP destination address for the IPsec term in the IPsec rule—for example, 192.168.255.2/32:

   [edit services ipsec-vpn]
   user@host# set rule test-IPsec-rule term 10 from destination-address 192.168.255.2/32

3. Configure the remote gateway address for the IPsec term in the IPsec rule—for example, 0.0.0.0:

   [edit services ipsec-vpn]
   user@host# set rule test-IPsec-rule term 10 then remote-gateway 0.0.0.0

4. Configure a dynamic security association for the IKE policy for the IPsec term in the IPsec rule, which is test-IKE-policy in this example:

   [edit services ipsec-vpn]
   user@host# set rule test-IPsec-rule term 10 then dynamic ike-policy test-IKE-policy

5. Configure a dynamic security association for the IPsec policy for the IPsec term in the IPsec rule, which is test-IPsec-policy in this example:

   [edit services ipsec-vpn]
   user@host# set rule test-IPsec-rule term 10 then dynamic ipsec-policy test-IPsec-policy

6. Configure a direction for which the rule match is being applied in the IPsec rule—for example, input:

   [edit services ipsec-vpn]
   user@host# set rule test-IPsec-rule match-direction input

The following sample output shows the configuration of the IPsec rule:

[edit services ipsec-vpn]
user@host# show rule test-IPsec-rule
term 10 {
    from {
        destination-address {
            192.168.255.2/32;
        }
    }
    then {

        remote-gateway 0.0.0.0;
        dynamic {
            ike-policy test-IKE-policy;
            ipsec-policy test-IPsec-policy;
        }
    }
}
match-direction input;

Configuring IPsec Trace Options

The IPsec trace options configuration tracks IPsec events and records them in a log file in the /var/log directory. By default, this file is named /var/log/kmd. For more information about IPsec trace options, see “Tracing IPsec Operations” on page 358.

To define the IPsec trace options:

1. In configuration mode, go to the following hierarchy level:

   user@host# edit services ipsec-vpn

2. Configure the trace file, which is ipsec.log in this example:

   [edit services ipsec-vpn]
   user@host# set traceoptions file ipsec.log

3. Configure all the tracing parameters with the option all in this example:

   [edit services ipsec-vpn]
   user@host# set traceoptions flag all

The following sample output shows the configuration of the IPsec trace options:

[edit services ipsec-vpn]
user@host# show traceoptions
file ipsec.log;
flag all;

Configuring the Access Profile (and Referencing the IKE and IPsec Policies)

The access profile configuration defines the access profile and references the IKE and IPsec policies. For more information about access profiles, see Configuring an IKE Access Profile.

To define the access profile and reference the IKE and IPsec policies:

1. In configuration mode, go to the following hierarchy level:

   user@host# edit access

2. Configure the list of local and remote proxy identity pairs with the allowed-proxy-pair option. In this example, 10.0.0.0/24 is the IP address for the local proxy identity and 10.0.1.0/24 is the IP address for the remote proxy identity:

   [edit access]
   user@host# set profile IKE-profile-TEST client * ike allowed-proxy-pair local 10.0.0.0/24 remote 10.0.1.0/24

3. Configure the IKE policy—for example, test-IKE-policy:

   [edit access]
   user@host# set profile IKE-profile-TEST client * ike ike-policy test-IKE-policy

4. Configure the IPsec policy—for example, test-IPsec-policy:

   [edit access]
   user@host# set profile IKE-profile-TEST client * ike ipsec-policy test-IPsec-policy

5. Configure the identity of the logical service interface pool, which is TEST-intf in this example:

   [edit access]
   user@host# set profile IKE-profile-TEST client * ike interface-id TEST-intf

The following sample output shows the configuration of the access profile:

[edit access]
user@host# show profile
IKE-profile-TEST {
    client * {
        ike {
            allowed-proxy-pair local 10.0.0.0/24 remote 10.0.1.0/24;
            ike-policy test-IKE-policy;
            ipsec-policy test-IPsec-policy;
            interface-id TEST-intf;    # new statement
        }
    }
}

Configuring the Service Set (and Referencing the IKE Profile and the IPsec Rule)

The service set configuration defines IPsec service sets that require additional specifications and references the IKE profile and the IPsec rule. For more information about IPsec service sets, see “Configuring IPsec Service Sets” on page 573.

To define the service set configuration with the next-hop service sets and IPsec VPN options:

1. In configuration mode, go to the following hierarchy level:

   user@host# edit services

2. Configure a service set with parameters for next hop service interfaces for the inside network—for example, sp-1/2/0.1:

   [edit services]
   user@host# set service-set TEST next-hop-service inside-service-interface sp-1/2/0.1

3. Configure a service set with parameters for next hop service interfaces for the outside network—for example, sp-1/2/0.2:

   [edit services]
   user@host# set service-set TEST next-hop-service outside-service-interface sp-1/2/0.2

4. Configure the IPsec VPN options with the address and routing instance for the local gateway—for example, 192.168.255.2:

   [edit services]
   user@host# set service-set TEST ipsec-vpn-options local-gateway 192.168.255.2

5. Configure the IPsec VPN options with the IKE access profile for dynamic peers, which is IKE-profile-TEST in this example:

   [edit services]
   user@host# set service-set TEST ipsec-vpn-options ike-access-profile IKE-profile-TEST

6. Configure a service set with IPsec VPN rules, which is test-IPsec-rule in this example:

   [edit services]
   user@host# set service-set TEST ipsec-vpn-rules test-IPsec-rule

The following sample output shows the configuration of the service set referencing the IKE profile and the IPsec rule:

[edit services]
user@host# show service-set TEST
next-hop-service {
    inside-service-interface sp-1/2/0.1;
    outside-service-interface sp-1/2/0.2;
}
ipsec-vpn-options {
    local-gateway 192.168.255.2;
    ike-access-profile IKE-profile-TEST;
}
ipsec-vpn-rules test-IPsec-rule;


CHAPTER 17 Summary of IPsec Services Configuration Statements

The following sections explain each of the IP Security (IPsec) services statements. The statements are organized alphabetically.

anti-replay-window-size

Syntax
    anti-replay-window-size bits;
Hierarchy Level
    [edit services ipsec-vpn rule rule-name term term-name then]
Release Information
    Statement introduced in Junos OS Release 10.0.
Description
    Specify the size of the IPsec antireplay window.
Options
    bits—Size of the antireplay window, in bits.
    Default: 64 bits (AS PICs), 128 bits (Multiservices PICs and DPCs)
    Range: 64 through 4096 bits
Usage Guidelines
    See “Configuring or Disabling IPsec Anti-Replay” on page 352.
Required Privilege Level
    admin—To view this statement in the configuration.
    admin-control—To add this statement to the configuration.

authentication

Syntax
    authentication {
        algorithm (hmac-md5-96 | hmac-sha1-96);
        key (ascii-text key | hexadecimal key);
    }
Hierarchy Level
    [edit services ipsec-vpn rule rule-name term term-name then manual direction direction]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Configure IPsec authentication parameters for a manual security association (SA).
Options
    algorithm—Hash algorithm that authenticates packet data. The algorithm can be one of the following:
    • hmac-md5-96—Produces a 128-bit digest.
    • hmac-sha1-96—Produces a 160-bit digest.
    key—Type of authentication key. The key can be one of the following:
    • ascii-text key—ASCII text key. For hmac-md5-96, the key is 16 ASCII characters; for hmac-sha1-96, the key is 20 ASCII characters.
    • hexadecimal key—Hexadecimal key. For hmac-md5-96, the key is 32 hexadecimal characters; for hmac-sha1-96, the key is 40 hexadecimal characters.
Usage Guidelines
    See “Configuring Authentication for a Manual IPsec SA” on page 329.
Required Privilege Level
    admin—To view this statement in the configuration.
    admin-control—To add this statement to the configuration.

authentication-algorithm

See the following sections:
• authentication-algorithm (IKE) on page 379
• authentication-algorithm (IPsec) on page 379

authentication-algorithm (IKE)

Syntax
    authentication-algorithm (md5 | sha1 | sha-256);
Hierarchy Level
    [edit services ipsec-vpn ike proposal proposal-name]
Release Information
    Statement introduced before Junos OS Release 7.4. sha-256 option added in Junos OS Release 7.6.
Description
    Configure the Internet Key Exchange (IKE) hash algorithm that authenticates packet data.
Options
    md5—Produces a 128-bit digest.
    sha1—Produces a 160-bit digest.
    sha-256—Produces a 256-bit digest.
Usage Guidelines
    See “Configuring the Authentication Algorithm for an IKE Proposal” on page 333.
Required Privilege Level
    admin—To view this statement in the configuration.
    admin-control—To add this statement to the configuration.

authentication-algorithm (IPsec)

Syntax
    authentication-algorithm (hmac-md5-96 | hmac-sha1-96);
Hierarchy Level
    [edit services ipsec-vpn ipsec proposal ipsec-proposal-name]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Configure the IPsec hash algorithm that authenticates packet data.
Options
    hmac-md5-96—Produces a 128-bit digest.
    hmac-sha1-96—Produces a 160-bit digest.
Usage Guidelines
    See “Configuring the Authentication Algorithm for an IPsec Proposal” on page 341.
Required Privilege Level
    admin—To view this statement in the configuration.
    admin-control—To add this statement to the configuration.

authentication-method

Syntax
    authentication-method (dsa-signatures | pre-shared-keys | rsa-signatures);
Hierarchy Level
    [edit services ipsec-vpn ike proposal proposal-name]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Configure an IKE authentication method.
Options
    dsa-signatures—Digital signature algorithm (DSA).
    pre-shared-keys—A key derived from an out-of-band mechanism; the key authenticates the exchange.
    rsa-signatures—Public key algorithm (supports encryption and digital signatures).
Usage Guidelines
    See “Configuring the Authentication Method for an IKE Proposal” on page 333.
Required Privilege Level
    admin—To view this statement in the configuration.
    admin-control—To add this statement to the configuration.

auxiliary-spi

Syntax
    auxiliary-spi spi-value;
Hierarchy Level
    [edit services ipsec-vpn rule rule-name term term-name then manual direction direction]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Configure an auxiliary Security Parameter Index (SPI) for a manual SA. Use the auxiliary SPI when you configure the protocol statement to use the bundle option.
Options
    spi-value—An arbitrary value that uniquely identifies which SA to use at the receiving host (the destination address in the packet).
    Range: 256 through 16,639
Usage Guidelines
    See “Configuring the Auxiliary Security Parameter Index” on page 329. For information about SPI, see “Configuring the Security Parameter Index” on page 329 and spi.
Required Privilege Level
    admin—To view this statement in the configuration.
    admin-control—To add this statement to the configuration.

backup-remote-gateway

Syntax
    backup-remote-gateway address;
Hierarchy Level
    [edit services ipsec-vpn rule rule-name term term-name then]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Define the backup remote address to which the IPsec traffic is directed when the primary remote gateway is down. Configuring this statement also enables the dead peer detection (DPD) protocol.
Options
    address—Backup remote IPv4 or IPv6 address.
Usage Guidelines
    See “Configuring Destination Addresses for Dead Peer Detection” on page 350.
Required Privilege Level
    admin—To view this statement in the configuration.
    admin-control—To add this statement to the configuration.

clear-dont-fragment-bit

Syntax
    clear-dont-fragment-bit;
Hierarchy Level
    [edit services ipsec-vpn rule rule-name term term-name then]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Clear the Don’t Fragment (DF) bit on all IP version 4 (IPv4) packets entering the IPsec tunnel. If the encapsulated packet size exceeds the tunnel maximum transmission unit (MTU), the packet is fragmented before encapsulation.
Usage Guidelines
    See “Configuring Actions in IPsec Rules” on page 349.
Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

clear-ike-sas-on-pic-restart

Syntax
    clear-ike-sas-on-pic-restart;
Hierarchy Level
    [edit services ipsec-vpn]
Release Information
    Statement introduced in Junos OS Release 9.2.
Description
    Clear IKE security associations (SAs) when the corresponding PIC restarts or is taken offline.
Usage Guidelines
    See “Clearing Security Associations” on page 332.
Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

clear-ipsec-sas-on-pic-restart

Syntax
    clear-ipsec-sas-on-pic-restart;
Hierarchy Level
    [edit services ipsec-vpn]
Release Information
    Statement introduced in Junos OS Release 8.5.
Description
    Clear IPsec security associations (SAs) when the corresponding PIC restarts or is taken offline.
Usage Guidelines
    See “Clearing Security Associations” on page 332.
Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

description

Syntax
    description description;
Hierarchy Level
    [edit services ipsec-vpn ike policy policy-name],
    [edit services ipsec-vpn ike proposal proposal-name],
    [edit services ipsec-vpn ipsec policy policy-name],
    [edit services ipsec-vpn ipsec proposal proposal-name]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Specify the text description for an IKE or IPsec policy or proposal.
Usage Guidelines
    See “Configuring the Description for an IKE Policy” on page 339, “Configuring the Description for an IPsec Proposal” on page 342, and “Configuring the Description for an IPsec Policy” on page 344.
Required Privilege Level
    admin—To view this statement in the configuration.
    admin-control—To add this statement to the configuration.

destination-address

Syntax
    destination-address address;
Hierarchy Level
    [edit services ipsec-vpn rule rule-name term term-name from]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Specify the destination address for rule matching.
Options
    address—Destination IP address.
Usage Guidelines
    See “Configuring Match Conditions in IPsec Rules” on page 348.
Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

dh-group

Syntax
    dh-group (group1 | group2 | group5 | group14);
Hierarchy Level
    [edit services ipsec-vpn ike proposal proposal-name]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Configure the IKE Diffie-Hellman prime modulus group to use for performing the new Diffie-Hellman exchange.
Options
    group1—768-bit.
    group2—1024-bit.
    group5—1536-bit.
    group14—2048-bit.
Usage Guidelines
    See “Configuring the Diffie-Hellman Group for an IKE Proposal” on page 334.
Required Privilege Level
    admin—To view this statement in the configuration.
    admin-control—To add this statement to the configuration.

direction

Syntax
    direction (inbound | outbound | bidirectional) {
        protocol (ah | bundle | esp);
        spi spi-value;
        auxiliary-spi spi-value;
        authentication {
            algorithm (hmac-md5-96 | hmac-sha1-96);
            key (ascii-text key | hexadecimal key);
        }
        encryption {
            algorithm algorithm;
            key (ascii-text key | hexadecimal key);
        }
    }
Hierarchy Level
    [edit services ipsec-vpn rule rule-name term term-name then manual]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Specify the direction in which manual SAs are applied.
Options
    inbound—Apply the SA on inbound traffic.
    outbound—Apply the SA on outbound traffic.
    bidirectional—Apply the SA in both directions.
    The remaining statements are explained separately.
Usage Guidelines
    See “Configuring Match Direction for IPsec Rules” on page 347.
Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

dynamic

Syntax
    dynamic {
        ike-policy policy-name;
        ipsec-policy policy-name;
    }
Hierarchy Level
    [edit services ipsec-vpn rule rule-name term term-name then]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Define a dynamic IPsec SA.
Options
    ike-policy policy-name—Name of the IKE policy. This statement is optional for the non-preshared-key authentication method. For digital signature-based authentication, this statement is optional and the default policy is used if none is supplied.
    ipsec-policy policy-name—Name of the IPsec policy. This statement is optional and the default policy is used if none is supplied.
Usage Guidelines
    See “Configuring Dynamic Security Associations” on page 331.
Required Privilege Level
    admin—To view this statement in the configuration.
    admin-control—To add this statement to the configuration.

the first 8 bytes should differ from the second 8 bytes. 32 ASCII characters hexadecimal—Hexadecimal key. The algorithm can be one of the following: • • • • • Description Options des-cbc—Has a block size of 8 bytes (64 bits). NOTE: For 3des-cbc. aes-192-cbc.4. 24 ASCII characters aes-256-cbc option. 32 hexadecimal characters Copyright © 2011. and the second 8 bytes should be the same as the third 8 bytes.Chapter 17: Summary of IPsec Services Configuration Statements encryption Syntax encryption { algorithm algorithm. The key can be one of the following: • ascii-text—ASCII text key. key—Type of encryption key. algorithm—Type of encryption algorithm. aes-128-cbc. Inc. aes-192-cbc—Advanced Encryption Standard (AES) 192-bit encryption algorithm. 24 ASCII characters aes-128-cbc option. in ASCII characters.6. Following are the key lengths. the key size is 192 bits long. for the different encryption options: • • • • • • des-cbc option. 16 ASCII characters aes-192-cbc option. Following are the key lengths. for the different encryption options: • • • des-cbc option. key (ascii-text key | hexadecimal key). 387 . 8 ASCII characters 3des-cbc option. Configure an encryption algorithm and key for manual SA. and aes-256-cbc options added in Junos OS Release 7. in hexadecimal characters. 48 hexadecimal characters aes-128-cbc option. the key size is 48 bits long. Juniper Networks. aes-256-cbc—Advanced Encryption Standard (AES) 256-bit encryption algorithm. 3des-cbc—Has a block size of 8 bytes (64 bits). } [edit services ipsec-vpn rule rule-name term term-name then manual direction direction] Hierarchy Level Release Information Statement introduced before Junos OS Release 7. 16 hexadecimal characters 3des-cbc option. aes-128-cbc—Advanced Encryption Standard (AES) 128-bit encryption algorithm.

      • aes-192-cbc option, 48 hexadecimal characters
      • aes-256-cbc option, 64 hexadecimal characters

Usage Guidelines

    See “Configuring Encryption for a Manual IPsec SA” on page 330.

Required Privilege Level

    admin—To view this statement in the configuration.

    admin-control—To add this statement to the configuration.

encryption-algorithm

Syntax

    encryption-algorithm algorithm;

Hierarchy Level

    [edit services ipsec-vpn ike proposal proposal-name],
    [edit services ipsec-vpn ipsec proposal proposal-name]

Release Information

    Statement introduced before Junos OS Release 7.4.
    aes-128-cbc, aes-192-cbc, and aes-256-cbc options added in Junos OS Release 7.6.

Description

    Configure an IKE or IPsec encryption algorithm.

Options

    • des-cbc—Has a block size of 8 bytes; the key size is 48 bits long.

    • 3des-cbc—Has a block size of 24 bytes; the key size is 192 bits long.

    • aes-128-cbc—Advanced Encryption Standard (AES) 128-bit encryption algorithm.

    • aes-192-cbc—Advanced Encryption Standard (AES) 192-bit encryption algorithm.

    • aes-256-cbc—Advanced Encryption Standard (AES) 256-bit encryption algorithm.

Usage Guidelines

    See “Configuring the Encryption Algorithm for an IKE Proposal” on page 334 and “Configuring the Encryption Algorithm for an IPsec Proposal” on page 342.

Required Privilege Level

    system—To view this statement in the configuration.

    system-control—To add this statement to the configuration.

from

Syntax

    from {
        destination-address address;
        ipsec-inside-interface interface-name;
        source-address address;
    }

Hierarchy Level

    [edit services ipsec-vpn rule rule-name term term-name]

Release Information

    Statement introduced before Junos OS Release 7.4.

Description

    Specify input conditions for the IPsec term. For information on match conditions, see the description of firewall filter match conditions in the Junos OS Routing Policy Configuration Guide.

Options

    The remaining statements are explained separately.

Usage Guidelines

    See “Configuring Match Direction for IPsec Rules” on page 347.

Required Privilege Level

    interface—To view this statement in the configuration.

    interface-control—To add this statement to the configuration.

ike

Syntax

    ike {
        proposal proposal-name {
            authentication-algorithm (md5 | sha1 | sha-256);
            authentication-method (dsa-signatures | pre-shared-keys | rsa-signatures);
            description description;
            dh-group (group1 | group2 | group5 | group14);
            encryption-algorithm algorithm;
            lifetime-seconds seconds;
        }
        policy policy-name {
            description description;
            local-certificate identifier;
            local-id (ipv4_addr ipv4-address | ipv6-addr ipv6-address | key-id identifier);
            mode (aggressive | main);
            pre-shared-key (ascii-text key | hexadecimal key);
            proposals [ proposal-names ];
            remote-id {
                any-remote-id;
                ipv4_addr [ values ];
                ipv6_addr [ values ];
                key_id [ values ];
            }
            version (1 | 2);
        }
    }

Hierarchy Level

    [edit services ipsec-vpn]

Release Information

    Statement introduced before Junos OS Release 7.4.

Description

    Configure IKE. The statements are explained separately.

Usage Guidelines

    See “Configuring IKE Proposals” on page 332 and “Configuring IKE Policies” on page 335.

Required Privilege Level

    system—To view this statement in the configuration.

    system-control—To add this statement to the configuration.

initiate-dead-peer-detection

Syntax

    initiate-dead-peer-detection;

Hierarchy Level

    [edit services ipsec-vpn rule rule-name term term-name then]

Release Information

    Statement introduced in Junos OS Release 9.2.

Description

    Enable triggering of dead peer detection (DPD) Hello messages to the remote peer for the specified tunnel.

Usage Guidelines

    See “Configuring Destination Addresses for Dead Peer Detection” on page 350.

Required Privilege Level

    system—To view this statement in the configuration.

    system-control—To add this statement to the configuration.

Related Documentation

    • backup-remote-gateway on page 381

ipsec

Syntax

    ipsec {
        proposal proposal-name {
            authentication-algorithm (hmac-md5-96 | hmac-sha1-96);
            description description;
            encryption-algorithm algorithm;
            lifetime-seconds seconds;
            protocol (ah | esp | bundle);
        }
        policy policy-name {
            description description;
            perfect-forward-secrecy {
                keys (group1 | group2);
            }
            proposals [ proposal-names ];
        }
    }

Hierarchy Level

    [edit services ipsec-vpn]

Release Information

    Statement introduced before Junos OS Release 7.4.

Description

    Configure IPsec. The statements are explained separately.

Usage Guidelines

    See “Configuring Security Associations” on page 326.

Required Privilege Level

    system—To view this statement in the configuration.

    system-control—To add this statement to the configuration.

ipsec-inside-interface

Syntax

    ipsec-inside-interface interface-name;

Hierarchy Level

    [edit services ipsec-vpn rule rule-name term term-name from]

Release Information

    Statement introduced in Junos OS Release 7.4.

Description

    Specify the interface name for next-hop-style service sets. This statement is optional. This value is also implicitly generated in dynamic endpoint tunneling.

Options

    interface-name—Service interface for internal network.

Usage Guidelines

    See “Configuring Match Conditions in IPsec Rules” on page 348 or “Configuring Dynamic Endpoints for IPsec Tunnels” on page 353.

Required Privilege Level

    interface—To view this statement in the configuration.

    interface-control—To add this statement to the configuration.

lifetime-seconds

Syntax

    lifetime-seconds seconds;

Hierarchy Level

    [edit services ipsec-vpn ike proposal proposal-name],
    [edit services ipsec-vpn ipsec proposal proposal-name]

Release Information

    Statement introduced before Junos OS Release 7.4.

Description

    Configure the lifetime of an IKE or IPsec SA.

Options

    seconds—Lifetime.
    Default: 3600 seconds (IKE), 28,800 seconds (IPsec)
    Range: 180 through 86,400

Usage Guidelines

    See “Configuring the Lifetime for an IKE SA” on page 335 and “Configuring the Lifetime for an IPsec SA” on page 342.

Required Privilege Level

    system—To view this statement in the configuration.

    system-control—To add this statement to the configuration.

local-certificate

Syntax

    local-certificate identifier;

Hierarchy Level

    [edit services ipsec-vpn ike policy policy-name]

Release Information

    Statement introduced in Junos OS Release 7.5.

Description

    Name of the certificate that needs to be sent to the peer during the IKE authentication phase.

Options

    identifier—Name of certificate.

Usage Guidelines

    See “Configuring the Local Certificate for an IKE Policy” on page 338.

Required Privilege Level

    system—To view this statement in the configuration.

    system-control—To add this statement to the configuration.

local-id

Syntax

    local-id (ipv4_addr ipv4-address | ipv6-addr ipv6-address | key-id identifier);

Hierarchy Level

    [edit services ipsec-vpn ike policy policy-name]

Release Information

    Statement introduced before Junos OS Release 7.4.
    ipv6_addr option added in Junos OS Release 7.6.

Description

    Specify local identifiers for IKE Phase 1 negotiation. This statement is optional.

Options

    ipv4_addr ipv4-address—IPv4 address identification value.

    ipv6_addr ipv6-address—IPv6 address identification value.

    key_id identifier—Key identification value.

Usage Guidelines

    See “Configuring Local and Remote IDs for IKE Phase 1 Negotiation” on page 339.

Required Privilege Level

    system—To view this statement in the configuration.

    system-control—To add this statement to the configuration.

manual

Syntax

    manual {
        direction (inbound | outbound | bidirectional) {
            authentication {
                algorithm (hmac-md5-96 | hmac-sha1-96);
                key (ascii-text key | hexadecimal key);
            }
            auxiliary-spi spi-value;
            encryption {
                algorithm algorithm;
                key (ascii-text key | hexadecimal key);
            }
            protocol (ah | esp | bundle);
            spi spi-value;
        }
    }

Hierarchy Level

    [edit services ipsec-vpn rule rule-name term term-name then]

Release Information

    Statement introduced before Junos OS Release 7.4.

Description

    Define a manual IPsec SA. The remaining statements are explained separately.

Usage Guidelines

    See “Configuring Manual Security Associations” on page 327.

Required Privilege Level

    admin—To view this statement in the configuration.

    admin-control—To add this statement to the configuration.

match-direction

Syntax

    match-direction (input | output);

Hierarchy Level

    [edit services ipsec-vpn rule rule-name]

Release Information

    Statement introduced before Junos OS Release 7.4.

Description

    Specify the direction in which the rule match is applied.

Options

    input—Apply the rule match on input.

    output—Apply the rule match on output.

Usage Guidelines

    See “Configuring Match Direction for IPsec Rules” on page 347.

Required Privilege Level

    interface—To view this statement in the configuration.

    interface-control—To add this statement to the configuration.

mode

Syntax

    mode (aggressive | main);

Hierarchy Level

    [edit services ipsec-vpn ike policy policy-name]

Release Information

    Statement introduced before Junos OS Release 7.4.

Description

    Define an IKE policy mode.

Default

    main

Options

    aggressive—Takes half the number of messages of main mode, has less negotiation power, and does not provide identity protection.

    main—Uses six messages, in three peer-to-peer exchanges, to establish the IKE SA. These three steps include the IKE SA negotiation, a Diffie-Hellman exchange, and authentication of the peer. Also provides identity protection.

Usage Guidelines

    See “Configuring the Mode for an IKE Policy” on page 337.

Required Privilege Level

    system—To view this statement in the configuration.

    system-control—To add this statement to the configuration.

no-anti-replay

Syntax

    no-anti-replay;

Hierarchy Level

    [edit services ipsec-vpn rule rule-name term term-name then]

Release Information

    Statement introduced before Junos OS Release 7.4.

Description

    Disable IPsec antireplay service, which occasionally causes interoperability issues for security associations.

Usage Guidelines

    See “Configuring or Disabling IPsec Anti-Replay” on page 352.

Required Privilege Level

    admin—To view this statement in the configuration.

    admin-control—To add this statement to the configuration.

no-ipsec-tunnel-in-traceroute

Syntax

    no-ipsec-tunnel-in-traceroute;

Hierarchy Level

    [edit services ipsec-vpn]

Release Information

    Statement introduced in Junos OS Release 10.0.

Description

    Disables displaying the IPsec tunnel endpoint in the trace route output. The IPsec tunnel is not treated as a next hop and TTL is not decremented. If the TTL becomes zero, the ICMP time exceeded message will not be generated.

Usage Guidelines

    See “Configuring or Disabling IPsec Anti-Replay” on page 352.

Required Privilege Level

    admin—To view this statement in the configuration.

    admin-control—To add this statement to the configuration.

perfect-forward-secrecy

Syntax

    perfect-forward-secrecy {
        keys (group1 | group2 | group5 | group14);
    }

Hierarchy Level

    [edit services ipsec-vpn ipsec policy policy-name]

Release Information

    Statement introduced before Junos OS Release 7.4.

Description

    Define Perfect Forward Secrecy (PFS). Creates single-use keys. This statement is optional.

Options

    keys—Type of Diffie-Hellman prime modulus group that IKE uses when performing the new Diffie-Hellman exchange. The key can be one of the following:

    • group1—768-bit.

    • group2—1024-bit.

    • group5—1536-bit.

    • group14—2048-bit.

Usage Guidelines

    See “Configuring Perfect Forward Secrecy” on page 344.

Required Privilege Level

    admin—To view this statement in the configuration.

    admin-control—To add this statement to the configuration.

policy

See the following sections:

    • policy (IKE) on page 397
    • policy (IPsec) on page 398

policy (IKE)

Syntax

    policy policy-name {
        description description;
        local-certificate identifier;
        local-id (ipv4_addr ipv4-address | ipv6-addr ipv6-address | key-id identifier);
        mode (aggressive | main);
        pre-shared-key (ascii-text key | hexadecimal key);
        proposals [ proposal-names ];
        remote-id {
            any-remote-id;
            ipv4_addr [ values ];
            ipv6_addr [ values ];
            key_id [ values ];
        }
        version (1 | 2);
    }

Hierarchy Level

    [edit services ipsec-vpn ike]

Release Information

    Statement introduced before Junos OS Release 7.4.

Description

    Define an IKE policy.

Options

    policy-name—IKE policy name.

    The remaining statements are explained separately.

Usage Guidelines

    See “Configuring IKE Policies” on page 335.

Required Privilege Level

    admin—To view this statement in the configuration.

    admin-control—To add this statement to the configuration.

policy (IPsec)

Syntax

    policy policy-name {
        description description;
        perfect-forward-secrecy {
            keys (group1 | group2);
        }
        proposals [ proposal-names ];
    }

Hierarchy Level

    [edit services ipsec-vpn ipsec]

Release Information

    Statement introduced before Junos OS Release 7.4.

Description

    Define an IPsec policy.

Options

    policy-name—IPsec policy name.

    The remaining statements are explained separately.

Usage Guidelines

    See “Configuring IPsec Policies” on page 343.

Required Privilege Level

    admin—To view this statement in the configuration.

    admin-control—To add this statement to the configuration.

pre-shared-key

Syntax

    pre-shared-key (ascii-text key | hexadecimal key);

Hierarchy Level

    [edit services ike policy policy-name]

Release Information

    Statement introduced before Junos OS Release 7.4.

Description

    Define a preshared key for an IKE policy.

Options

    key—Value of preshared key. The key can be one of the following:

    • ascii-text—ASCII text key.

    • hexadecimal—Hexadecimal key.

Usage Guidelines

    See “Configuring IKE Policies” on page 335.

Required Privilege Level

    admin—To view this statement in the configuration.

    admin-control—To add this statement to the configuration.

proposal

See the following sections:

    • proposal (IKE) on page 399
    • proposal (IPsec) on page 400

proposal (IKE)

Syntax

    proposal proposal-name {
        authentication-algorithm (md5 | sha1 | sha-256);
        authentication-method (dsa-signatures | pre-shared-keys | rsa-signatures);
        description description;
        dh-group (group1 | group2 | group5 | group14);
        encryption-algorithm algorithm;
        lifetime-seconds seconds;
    }

Hierarchy Level

    [edit services ipsec-vpn ike]

Release Information

    Statement introduced before Junos OS Release 7.4.

Description

    Define an IKE proposal for a dynamic SA.

Options

    proposal-name—IKE proposal name.

    The remaining statements are explained separately.

Usage Guidelines

    See “Configuring IKE Proposals” on page 332.

Required Privilege Level

    admin—To view this statement in the configuration.

    admin-control—To add this statement to the configuration.

proposal (IPsec)

Syntax

    proposal proposal-name {
        authentication-algorithm (hmac-md5-96 | hmac-sha1-96);
        description description;
        encryption-algorithm algorithm;
        lifetime-seconds seconds;
        protocol (ah | esp | bundle);
    }

Hierarchy Level

    [edit services ipsec-vpn ipsec]

Release Information

    Statement introduced before Junos OS Release 7.4.

Description

    Define an IPsec proposal for a dynamic SA.

Options

    proposal-name—IPsec proposal name.

    The remaining statements are explained separately.

Usage Guidelines

    See “Configuring IPsec Proposals” on page 341.

Required Privilege Level

    admin—To view this statement in the configuration.

    admin-control—To add this statement to the configuration.

proposals

Syntax

    proposals [ proposal-names ];

Hierarchy Level

    [edit services ipsec-vpn ike policy policy-name],
    [edit services ipsec-vpn ipsec policy policy-name]

Release Information

    Statement introduced before Junos OS Release 7.4.

Description

    Define a list of proposals to include in the IKE or IPsec policy.

Options

    proposal-names—List of IKE or IPsec proposal names.

Usage Guidelines

    See “Configuring the Proposals in an IKE Policy” on page 337 and “Configuring the Proposals in an IPsec Policy” on page 345.

Required Privilege Level

    admin—To view this statement in the configuration.

    admin-control—To add this statement to the configuration.

protocol

Syntax

    protocol (ah | esp | bundle);

Hierarchy Level

    [edit services ipsec-vpn ipsec proposal proposal-name],
    [edit services ipsec-vpn rule rule-name term term-name then manual direction direction]

Release Information

    Statement introduced before Junos OS Release 7.4.

Description

    Define an IPsec protocol for a dynamic or manual SA.

Options

    ah—Authentication Header protocol.

    esp—Encapsulating Security Payload protocol.

    bundle—AH and ESP protocol.

Usage Guidelines

    See “Configuring the Protocol for a Manual IPsec SA” on page 329.

Required Privilege Level

    admin—To view this statement in the configuration.

    admin-control—To add this statement to the configuration.

remote-gateway

Syntax

    remote-gateway address;

Hierarchy Level

    [edit services ipsec-vpn rule rule-name term term-name then]

Release Information

    Statement introduced before Junos OS Release 7.4.

Description

    Define the remote address to which the IPsec traffic is directed.

Options

    address—Remote IPv4 or IPv6 address.

Usage Guidelines

    See “Configuring Actions in IPsec Rules” on page 349.

Required Privilege Level

    admin—To view this statement in the configuration.

    admin-control—To add this statement to the configuration.

remote-id

Syntax

    remote-id {
        any-remote-id;
        ipv4_addr [ values ];
        ipv6_addr [ values ];
        key_id [ values ];
    }

Hierarchy Level

    [edit services ipsec-vpn ike policy policy-name]

Release Information

    Statement introduced before Junos OS Release 7.4.
    ipv6_addr option added in Junos OS Release 7.6.
    any-remote-id option added in Junos OS Release 8.2.

Description

    Define the remote identification values to which the IKE policy applies.

Options

    any-remote-id—Allow any remote address to connect. This option is supported only in dynamic endpoints configurations and cannot be configured along with specific values.

    ipv4_addr [ values ]—Define one or more IPv4 address identification values.

    ipv6_addr [ values ]—Define one or more IPv6 address identification values.

    key_id [ values ]—Define one or more key identification values.

Usage Guidelines

    See “Configuring Local and Remote IDs for IKE Phase 1 Negotiation” on page 339.

Required Privilege Level

    admin—To view this statement in the configuration.

    admin-control—To add this statement to the configuration.

rule

Syntax

    rule rule-name {
        match-direction (input | output);
        term term-name {
            from {
                destination-address address;
                ipsec-inside-interface interface-name;
                source-address address;
            }
            then {
                anti-replay-window-size bits;
                backup-remote-gateway address;
                clear-dont-fragment-bit;
                dynamic {
                    ike-policy policy-name;
                    ipsec-policy policy-name;
                }
                initiate-dead-peer-detection;
                manual {
                    direction (inbound | outbound | bidirectional) {
                        authentication {
                            algorithm (hmac-md5-96 | hmac-sha1-96);
                            key (ascii-text key | hexadecimal key);
                        }
                        auxiliary-spi spi-value;
                        encryption {
                            algorithm algorithm;
                            key (ascii-text key | hexadecimal key);
                        }
                        protocol (ah | bundle | esp);
                        spi spi-value;
                    }
                }
                no-anti-replay;
                remote-gateway address;
                syslog;
                tunnel-mtu bytes;
            }
        }
    }

Hierarchy Level

    [edit services ipsec-vpn],
    [edit services ipsec-vpn rule-set rule-set-name]

Release Information

    Statement introduced before Junos OS Release 7.4.

Description

    Specify the rule the router uses when applying this service.

Options

    rule-name—Identifier for the collection of terms that comprise this rule.

    The remaining statements are explained separately.

Usage Guidelines

    See “Configuring Match Direction for IPsec Rules” on page 347.

Required Privilege Level

    interface—To view this statement in the configuration.

    interface-control—To add this statement to the configuration.

rule-set

Syntax

    rule-set rule-set-name {
        [ rule rule-names ];
    }

Hierarchy Level

    [edit services ipsec-vpn]

Release Information

    Statement introduced before Junos OS Release 7.4.

Description

    Specify the rule set the router uses when applying this service.

Options

    rule-set-name—Identifier for the collection of rules that constitute this rule set.

Usage Guidelines

    See “Configuring IPsec Rule Sets” on page 353.

Required Privilege Level

    interface—To view this statement in the configuration.

    interface-control—To add this statement to the configuration.

services

Syntax

    services ipsec-vpn {
        ...
    }

Hierarchy Level

    [edit]

Release Information

    Statement introduced before Junos OS Release 7.4.

Description

    Define the service rules to be applied to traffic.

Options

    ipsec-vpn—IPsec set of rules statements.

Usage Guidelines

    See IPsec Properties.

Required Privilege Level

    interface—To view this statement in the configuration.

    interface-control—To add this statement to the configuration.

source-address

Syntax

    source-address address;

Hierarchy Level

    [edit services ipsec-vpn rule rule-name term term-name from]

Release Information

    Statement introduced before Junos OS Release 7.4.

Description

    Specify the source address for rule matching.

Options

    address—Source IP address.

Usage Guidelines

    See “Configuring Match Conditions in IPsec Rules” on page 348.

Required Privilege Level

    interface—To view this statement in the configuration.

    interface-control—To add this statement to the configuration.

spi

Syntax

    spi spi-value;

Hierarchy Level

    [edit services ipsec-vpn rule rule-name term term-name then manual direction direction]

Release Information

    Statement introduced before Junos OS Release 7.4.

Description

    Configure the SPI for an SA.

Options

    spi-value—An arbitrary value that uniquely identifies which SA to use at the receiving host (the destination address in the packet).
    Range: 256 through 16,639

    NOTE: Use the auxiliary SPI when you configure the protocol statement to use the bundle option.

Usage Guidelines

    See “Configuring the Security Parameter Index” on page 329.

Required Privilege Level

    system—To view this statement in the configuration.

    system-control—To add this statement to the configuration.
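The key-length table under the encryption statement, the manual statement syntax, and the spi range and auxiliary-spi note above, applied together in an added Python example (not Juniper code; the function names and the dictionary layout are assumptions made here). It validates a proposed manual SA against those documented rules and renders it in the syntax the reference shows.

```python
"""Checks for the manual IPsec SA statements documented in this chapter.

Added example, not Juniper code: it applies the documented key-length table
of the 'encryption' statement, the 3des-cbc key-structure note, the spi range
and the auxiliary-spi rule for protocol bundle to a proposed manual SA, then
renders the 'manual' block in the reference's syntax. Function names and the
dictionary layout are assumptions made here.
"""
import re

# (ascii-text characters, hexadecimal characters) per encryption algorithm
KEY_LENGTHS = {"des-cbc": (8, 16), "3des-cbc": (24, 48), "aes-128-cbc": (16, 32),
               "aes-192-cbc": (24, 48), "aes-256-cbc": (32, 64)}
SPI_MIN, SPI_MAX = 256, 16639          # documented range for spi and auxiliary-spi
DIRECTIONS = ("inbound", "outbound", "bidirectional")
PROTOCOLS = ("ah", "esp", "bundle")
AUTH_ALGORITHMS = ("hmac-md5-96", "hmac-sha1-96")


def encryption_key_problems(algorithm, key_type, key):
    """Return the documented rules this encryption key violates (empty if none)."""
    if algorithm not in KEY_LENGTHS:
        return [f"unsupported encryption algorithm {algorithm!r}"]
    if key_type not in ("ascii-text", "hexadecimal"):
        return [f"unknown key type {key_type!r}"]
    problems = []
    expected = KEY_LENGTHS[algorithm][0 if key_type == "ascii-text" else 1]
    if len(key) != expected:
        problems.append(f"{algorithm} {key_type} key must be {expected} characters, got {len(key)}")
    if key_type == "hexadecimal" and not re.fullmatch(r"[0-9a-fA-F]*", key):
        problems.append("hexadecimal key contains non-hex characters")
    if problems:
        return problems
    raw = key.encode("ascii") if key_type == "ascii-text" else bytes.fromhex(key)
    if algorithm == "3des-cbc":
        k1, k2, k3 = raw[0:8], raw[8:16], raw[16:24]
        # NOTE under 'encryption': the first 8 bytes differ from the second 8,
        # and the second 8 bytes equal the third 8.
        if k1 == k2:
            problems.append("3des-cbc: first 8 key bytes must differ from the second 8")
        if k2 != k3:
            problems.append("3des-cbc: second 8 key bytes must equal the third 8")
        # Caveat (a cryptographic fact, not from the guide): with K2 == K3 an EDE
        # triple-DES pass reduces to one DES encryption under K1, because the
        # inner decrypt and encrypt with the same key cancel out.
    return problems


def spi_problems(value, name="spi"):
    """Check an spi or auxiliary-spi value against the documented range."""
    if not isinstance(value, int) or not SPI_MIN <= value <= SPI_MAX:
        return [f"{name} must be an integer from {SPI_MIN} through {SPI_MAX}"]
    return []


def validate_manual_sa(sa):
    """Check one direction of a manual SA; dictionary keys mirror statement names."""
    problems = []
    if sa.get("direction") not in DIRECTIONS:
        problems.append(f"direction must be one of {DIRECTIONS}")
    if sa.get("protocol") not in PROTOCOLS:
        problems.append(f"protocol must be one of {PROTOCOLS}")
    problems += spi_problems(sa.get("spi"))
    if sa.get("protocol") == "bundle" and "auxiliary-spi" not in sa:
        # NOTE under 'spi': use the auxiliary SPI with the bundle option.
        problems.append("protocol bundle requires auxiliary-spi")
    if "auxiliary-spi" in sa:
        problems += spi_problems(sa["auxiliary-spi"], "auxiliary-spi")
    enc = sa.get("encryption")
    if enc:
        problems += encryption_key_problems(enc["algorithm"], enc["key-type"], enc["key"])
    auth = sa.get("authentication")
    if auth and auth["algorithm"] not in AUTH_ALGORITHMS:
        problems.append(f"authentication algorithm must be one of {AUTH_ALGORITHMS}")
    # Authentication key lengths are documented under 'authentication', not here.
    return problems


def render_manual_sa(sa):
    """Render the SA as a 'manual' block; raise ValueError if validation fails."""
    problems = validate_manual_sa(sa)
    if problems:
        raise ValueError("; ".join(problems))
    out = ["manual {", f"    direction {sa['direction']} {{"]
    auth = sa.get("authentication")
    if auth:
        out += ["        authentication {", f"            algorithm {auth['algorithm']};",
                f"            key {auth['key-type']} {auth['key']};", "        }"]
    if "auxiliary-spi" in sa:
        out.append(f"        auxiliary-spi {sa['auxiliary-spi']};")
    enc = sa.get("encryption")
    if enc:
        out += ["        encryption {", f"            algorithm {enc['algorithm']};",
                f"            key {enc['key-type']} {enc['key']};", "        }"]
    out += [f"        protocol {sa['protocol']};", f"        spi {sa['spi']};", "    }", "}"]
    return out
```

Feed validate_manual_sa a dictionary whose keys mirror the statement names (direction, protocol, spi, auxiliary-spi, encryption, authentication); an empty list means every documented rule on this page is satisfied.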

syslog

Syntax

    syslog;

Hierarchy Level

    [edit services ipsec-vpn rule rule-name term term-name then]

Release Information

    Statement introduced before Junos OS Release 7.4.

Description

    Enable system logging. The system log information for the Adaptive Services or Multiservices Physical Interface Card (PIC) is passed to the kernel for logging in the /var/log directory.

Usage Guidelines

    See “Configuring Actions in IPsec Rules” on page 349.

Required Privilege Level

    interface—To view this statement in the configuration.

    interface-control—To add this statement to the configuration.

term

Syntax

    term term-name {
        from {
            destination-address address;
            ipsec-inside-interface interface-name;
            source-address address;
        }
        then {
            anti-replay-window-size bits;
            backup-remote-gateway address;
            clear-dont-fragment-bit;
            dynamic {
                ike-policy policy-name;
                ipsec-policy policy-name;
            }
            initiate-dead-peer-detection;
            manual {
                direction (inbound | outbound | bidirectional) {
                    authentication {
                        algorithm (hmac-md5-96 | hmac-sha1-96);
                        key (ascii-text key | hexadecimal key);
                    }
                    auxiliary-spi spi-value;
                    encryption {
                        algorithm algorithm;
                        key (ascii-text key | hexadecimal key);
                    }
                    protocol (ah | bundle | esp);
                    spi spi-value;
                }
            }
            no-anti-replay;
            remote-gateway address;
            syslog;
            tunnel-mtu bytes;
        }
    }

Hierarchy Level

    [edit services ipsec-vpn rule rule-name]

Release Information

    Statement introduced before Junos OS Release 7.4.

Description

    Define the IPsec term properties.

Options

    term-name—Identifier for the term.

    The remaining statements are explained separately.

Usage Guidelines

    See “Configuring Match Direction for IPsec Rules” on page 347.

Required Privilege Level

    interface—To view this statement in the configuration.

    interface-control—To add this statement to the configuration.

then

Syntax

    then {
        anti-replay-window-size bits;
        backup-remote-gateway address;
        clear-dont-fragment-bit;
        dynamic {
            ike-policy policy-name;
            ipsec-policy policy-name;
        }
        initiate-dead-peer-detection;
        manual {
            direction (inbound | outbound | bidirectional) {
                authentication {
                    algorithm (hmac-md5-96 | hmac-sha1-96);
                    key (ascii-text key | hexadecimal key);
                }
                auxiliary-spi spi-value;
                encryption {
                    algorithm algorithm;
                    key (ascii-text key | hexadecimal key);
                }
                protocol (ah | bundle | esp);
                spi spi-value;
            }
        }
        no-anti-replay;
        remote-gateway address;
        syslog;
        tunnel-mtu bytes;
    }

Hierarchy Level

    [edit services ipsec-vpn rule rule-name term term-name]

Release Information

    Statement introduced before Junos OS Release 7.4.

Description

    Define the IPsec term actions.

Options

    The remaining statements are explained separately.

Usage Guidelines

    See “Configuring Match Direction for IPsec Rules” on page 347.

Required Privilege Level

    interface—To view this statement in the configuration.

    interface-control—To add this statement to the configuration.

traceoptions

Syntax

    traceoptions {
        file <filename> <files number> <match regular-expression> <size bytes> <world-readable | no-world-readable>;
        flag flag;
        level level;
        no-remote-trace;
    }

Hierarchy Level

    [edit services ipsec-vpn]

Release Information

    Statement introduced in Junos OS Release 7.5.
    level option added in Junos OS Release 10.0.

Description

    Configure IPsec tracing operations. By default, messages are written to /var/log/kmd.

Options

    files number—Maximum number of trace data files.
    Range: 2 through 1000

    flag flag—Tracing operation to perform:

    • all—Trace everything.
    • certificates—Trace certificates that apply to the IPsec service set.
    • database—Trace security associations database events.
    • general—Trace general events.
    • ike—Trace IKE module processing.
    • parse—Trace configuration processing.
    • policy-manager—Trace policy manager processing.
    • routing-socket—Trace routing socket messages.
    • snmp—Trace SNMP operations.
    • timer—Trace internal timer events.

    level level—Key management process (kmd) tracing level. The following values are supported:

    • all—Match all levels.
    • error—Match error conditions.
    • info—Match informational messages.
    • notice—Match conditions that should be handled specially.
    • verbose—Match verbose messages.
    • warning—Match warning messages.

    size bytes—Maximum trace file size.

Usage Guidelines

    See “Tracing IPsec Operations” on page 358.

Required Privilege Level

    interface—To view this statement in the configuration.

    interface-control—To add this statement to the configuration.

traceoptions (PKI)

Syntax

    traceoptions {
        file filename <files number> <match regular-expression> <size maximum-file-size> <world-readable | no-world-readable>;
        flag flag;
    }

Hierarchy Level

    [edit security pki]

Description

    Configure security public key infrastructure (PKI) trace options. Trace option output is recorded in the /var/log/pkid file.

Options

    file filename—Name of the file to receive the output of the tracing operation. Enclose the name within quotation marks. To include the file statement, you must specify a filename.

    files number—(Optional) Maximum number of trace files. When a trace file (for example, pkid) reaches its maximum size, it is renamed pkid.0, then pkid.1, and so on, until the maximum number of trace files is reached. When the maximum number is reached, the oldest trace file is overwritten. If you specify a maximum number of files, you also must specify a maximum file size with the size option.
    Range: 2 through 1000 files
    Default: 2 files

    match regular-expression—(Optional) Refine the output to include lines that contain the regular expression.

    size maximum-file-size—(Optional) Maximum size of each trace file, in kilobytes (KB). If you specify a maximum file size, you also must specify a maximum number of trace files with the files number option.
    Default: 1024 KB

    world-readable | no-world-readable—(Optional) By default, log files can be accessed only by the user who configures the tracing operation. The world-readable option enables any user to read the file. To explicitly set the default behavior, use the no-world-readable option.

    flag—Trace operation to perform. To specify more than one trace operation, include multiple flag statements:

    • all—Trace with all flags enabled.
    • certificate-verification—Trace PKI certificate verification events.
    • enrollment—PKI certificate enrollment tracing.
    • online-crl-check—Trace PKI online certificate revocation list (CRL) events.

Required Privilege Level

    trace—To view this statement in the configuration.

    trace-control—To add this statement to the configuration.

tunnel-mtu

Syntax

    tunnel-mtu bytes;

Hierarchy Level

    [edit services ipsec-vpn rule rule-name term term-name then]

Release Information

    Statement introduced in Junos OS Release 7.4.

Description

    Maximum transmission unit (MTU) size for IPsec tunnels.

Options

    bytes—MTU size.
    Default: 1500 bytes
    Range: 256 through 9192 bytes

Usage Guidelines

    See “Specifying the MTU for IPsec Tunnels” on page 352.

Required Privilege Level

    interface—To view this statement in the configuration.

    interface-control—To add this statement to the configuration.

Related Documentation

    • mtu on page 1287

version (IKE)

Syntax

    version ( 1 | 2);

Hierarchy Level

    [edit services ipsec-vpn ike policy policy-name]

Release Information

    Statement introduced in Junos OS Release 11.5.

Description

    Configure the Internet Key Exchange (IKE) version that is used to negotiate dynamic SAs for IPSec.

Options

    1—Uses IKEv1.

    2—Uses IKEv2.

Usage Guidelines

    See “Configuring IKE Policies” on page 335.

Required Privilege Level

    admin—To view this statement in the configuration.

    admin-control—To add this statement to the configuration.

CHAPTER 18

Layer 2 Tunneling Protocol Services Configuration Guidelines

The Layer 2 Tunneling Protocol (L2TP) enables you to set up client services for establishing Point-to-Point Protocol (PPP) tunnels across a network and negotiating Multilink PPP if it is implemented. Multiple L2TP PPP sessions can share the same remote peer IP address, which enables you to set up redundant sessions between the same links.

• The last session or bundle to come up accomplishes the traffic transfer. When this session or bundle goes down, the traffic switches to the next-to-last session or bundle to come up, and so forth. For example, if four sessions or bundles labeled A, B, C, and D share the same remote IP address and come up in alphabetical order, D initially handles the data transfer. If D goes down, traffic switches over to C. If another session or bundle E subsequently comes up and has the same address, the traffic switches over to it.

• If you configure Multilink PPP, the same remote IP address can be shared across multiple bundles, because the IP address negotiation takes place on the bundle rather than on each session. If Multilink PPP is not configured, multiple sessions can share the same remote IP address.

To configure L2TP services, include the l2tp statement at the [edit services] hierarchy level:

    [edit services]
    l2tp {
        tunnel-group group-name {
            hello-interval seconds;
            hide-avps;
            l2tp-access-profile profile-name;
            local-gateway address address;
            maximum-send-window packets;
            ppp-access-profile profile-name;
            receive-window packets;
            retransmit-interval seconds;
            service-interface interface-name;
            syslog {
                host hostname {
                    services severity-level;
                    facility-override facility-name;

Junos 11.4 Services Interfaces Configuration Guide log-prefix prefix-value. see the Junos OS System Basics Configuration Guide or the Junos OS Network Interfaces Configuration Guide. interfaces interface-name { debug-level level. filter { protocol name. } } } NOTE: L2TP configurations on Adaptive Services and Multiservices PICs are supported only on M7i. } } tunnel-timeout seconds. This chapter contains the following sections: • • • • • • • L2TP Services Configuration Overview on page 415 L2TP Minimum Configuration on page 416 Configuring L2TP Tunnel Groups on page 418 Configuring the Identifier for Logical Interfaces that Provide L2TP Services on page 422 AS PIC Redundancy for L2TP Services on page 424 Tracing L2TP Operations on page 424 Examples: Configuring L2TP Services on page 426 414 Copyright © 2011. For information about L2TP LAC and LNS configurations on MX Series routers for subscriber access. Juniper Networks. and M120 routers. . M10i. flag flag. Inc. } traceoptions { debug-level level. Those configurations are summarized in this chapter. see L2TP for Subscriber Access Overview in the Junos Subscriber Access Configuration Guide. for more information. You configure other components of this feature at the [edit access] and [edit interfaces] hierarchy levels. } flag flag.
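The switch-over order described at the start of this chapter (the most recently established session or bundle carries traffic for a shared remote peer address, and traffic falls back to the next most recent one when it goes down) is easy to get wrong when reasoning about which tunnel is live during an incident. The following Python model is an added example, not Juniper code and not part of this guide; the session names and the peer address are constructed values, and the model only reproduces the selection rule the text describes.

```python
"""Model of how an LNS picks the active session among several that share one
remote peer IP address: the last one to come up carries traffic, and when it
goes down traffic falls back to the next most recent session still up.

Added example for this guide; not Juniper code and not connected to a router.
Session names and the peer address are constructed values.
"""
from collections import defaultdict


class SharedPeerSessions:
    """Tracks sessions (or Multilink PPP bundles) keyed by remote peer IP.

    For each peer address the sessions are kept in the order they came up, so
    the active one is always the last element still present.
    """

    def __init__(self):
        self._by_peer = defaultdict(list)

    def session_up(self, peer_ip, name):
        sessions = self._by_peer[peer_ip]
        if name in sessions:          # re-establishing moves it to the top
            sessions.remove(name)
        sessions.append(name)

    def session_down(self, peer_ip, name):
        sessions = self._by_peer[peer_ip]
        if name in sessions:
            sessions.remove(name)

    def active(self, peer_ip):
        """Return the session currently carrying traffic, or None."""
        sessions = self._by_peer.get(peer_ip)
        return sessions[-1] if sessions else None

    def history(self, peer_ip):
        """Sessions still up for this peer, oldest first."""
        return list(self._by_peer.get(peer_ip, []))


def walk_through():
    """Replay the A, B, C, D, E scenario from the chapter and return the
    active session after each event, so the switch-over order can be checked."""
    peer = "192.0.2.10"   # constructed peer address (documentation range)
    lns = SharedPeerSessions()
    trace = []
    for name in "ABCD":
        lns.session_up(peer, name)
    trace.append(lns.active(peer))        # D: last to come up
    lns.session_down(peer, "D")
    trace.append(lns.active(peer))        # C: next-to-last
    lns.session_up(peer, "E")
    trace.append(lns.active(peer))        # E: a new session takes over
    lns.session_down(peer, "E")
    trace.append(lns.active(peer))        # back to C
    for name in "CBA":
        lns.session_down(peer, name)
    trace.append(lns.active(peer))        # None: nothing left for this peer
    return trace


if __name__ == "__main__":
    print(walk_through())
```

The point to take from the model is that selection is strictly by establishment order, not by any preference or load sharing: a session that comes up later always displaces the one currently carrying traffic for that peer address.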

L2TP Services Configuration Overview

The statements for configuring L2TP services are found at the following hierarchy levels:

• [edit services l2tp tunnel-group group-name]
  The L2TP tunnel-group statement identifies an L2TP instance or L2TP server. Associated statements specify the local gateway address on which incoming tunnels and sessions are accepted, the Adaptive Services (AS) Physical Interface Card (PIC) that processes data for the sessions in this tunnel group, references to L2TP and PPP access profiles, and other attributes for configuring window sizes and timer values.

• [edit access profile profile-name client name l2tp]
  Tunnel profiles are defined at the [edit access] hierarchy level. Tunnel clients are defined with authentication, multilink negotiation and fragmentation, and other L2TP attributes in these profiles.

• [edit access profile profile-name client name ppp]
  User profiles are defined at the [edit access] hierarchy level. User clients are defined with authentication and other PPP attributes in these profiles. These client profiles are used when local authentication is specified.

• [edit access radius-server address]
  When you configure authentication-order radius at the [edit access profile profile-name] hierarchy level, you must configure a RADIUS service at the [edit access radius-server] hierarchy level.

• [edit interfaces sp-fpc/pic/port unit logical-unit-number dial-options]
  The dial-options statement includes configuration for the l2tp-interface-id statement and the shared/dedicated flag. The interface identifier associates a user session with a logical interface. Sessions can use either shared or dedicated logical interfaces. To run routing protocols, a session must use a dedicated logical interface.

NOTE: For more information about configuring properties at the [edit access] hierarchy level, see the Junos OS System Basics Configuration Guide. For information about L2TP LAC and LNS configurations on MX Series routers for subscriber access, see L2TP for Subscriber Access Overview in the Junos Subscriber Access Configuration Guide.

Junos 11.255. .129. local-gateway—Address for the L2TP tunnel. service-interface—AS PIC interface for the L2TP service. } } 416 Copyright © 2011. and configure another logical interface with family inet and the dial-options statement. } } • At the [edit interfaces] hierarchy level: • Identify the physical interface at which L2TP tunnel packets enter the router. } traceoptions { flag all. Optionally. for example ge-0/3/0. Inc. protocol ppp. protocol radius. } service-interface sp-1/3/0. local-gateway { address 10. protocol l2tp. filter { protocol udp.58.255. you can configure traceoptions for debugging purposes. Configure the AS PIC interface with unit 0 family inet defined for IP service.4 Services Interfaces Configuration Guide L2TP Minimum Configuration To configure L2TP services.129/28. The following example shows a minimum configuration for a tunnel group with trace options: [edit services l2tp] tunnel-group finance-lns-server { l2tp-access-profile westcoast_bldg_1_tunnel.21. ppp-access-profile westcoast_bldg_1. Juniper Networks. • The following example shows a minimum interfaces configuration for L2TP: [edit interfaces] ge-0/3/0 { unit 0 { family inet { address 10. you must perform at least the following tasks: • Define a tunnel group at the [edit services l2tp] hierarchy level with the following attributes: • • • • • l2tp-access-profile—Profile name for the L2TP tunnel. ppp-access-profile—Profile name for the L2TP user.

and authentication data shared between the router and the RADIUS server. } unit 20 { dial-options { l2tp-interface-id test. # SECRET-DATA } user-group-profile westcoast_users. Define the RADIUS server with an IP address. it needs to be defined. shared. If RADIUS is used as the authentication method.Chapter 18: Layer 2 Tunneling Protocol Services Configuration Guidelines } sp-1/3/0 { unit 0 { family inet. } } Copyright © 2011. shared-secret is authentication between the LAC and the L2TP Network Server (LNS). shared-secret "$9$n8HX6A01RhlvL1R". Previously. The following example shows a minimum profiles configuration for L2TP: [edit access] group-profile westcoast_users { ppp { keepalive 0. the default behavior was to accept and install the nonzero peer IP address that came into the IP-Address option of the IPCP Configuration Request packet. Juniper Networks. } family inet. the default behavior is to accept the preferred RADIUS-assigned IP address. Each client specifies a unique L2TP Access Concentrator (LAC) name with an interface-id value that matches the one configured on the AS PIC interface unit. • • NOTE: When the L2TP Network Server (LNS) is configured with RADIUS authentication. Inc. 417 . port. } } profile westcoast_bldg_1_tunnel { client production { l2tp { interface-id test. Configure a user profile. • Optionally. } } • At the [edit access] hierarchy level: • Configure a tunnel profile. you can define a group profile for common attributes. for example keepalive 0 to turn off keepalive messages.

} } tunnel-timeout seconds. If you change or delete other statements at the [edit services l2tp tunnel-group group-name] hierarchy level. } NOTE: If you delete a tunnel group or mark it inactive. # SECRET-DATA } } Configuring L2TP Tunnel Groups To establish L2TP service on a router. maximum-send-window packets.168. Juniper Networks. syslog { host hostname { services severity-level. interface addresses. To identify the tunnel group. hide-avps.Junos 11. ppp-access-profile profile-name.65. new tunnels you establish will use the updated values but existing tunnels and sessions are not affected. This following sections explain how to configure L2TP tunnel groups: • • • Configuring Access Profiles for L2TP Tunnel Groups on page 419 Configuring the Local Gateway Address and PIC on page 419 Configuring Window Size for L2TP Tunnels on page 420 418 Copyright © 2011. receive-window packets. secret "$9$Vyb4ZHkPQ39mf9pORlexNdbgoZUjqP5". l2tp-access-profile profile-name. Inc. } radius-server { 192. If you change the value of the local-gateway address or the service-interface statement. log-prefix prefix-value.4 Services Interfaces Configuration Guide profile westcoast_bldg_1 { authentication-order radius. all L2TP sessions in that tunnel group are terminated. facility-override facility-name. and other properties to use in creating a tunnel. you need to identify an L2TP tunnel group and specify a number of values that define which access profiles. local-gateway address address. retransmit-interval seconds. all L2TP sessions using those settings are terminated. include the tunnel-group statement at the [edit services l2tp] hierarchy level: tunnel-group group-name { hello-interval seconds. . service-interface interface-name.63 { port 1812.

• Configuring Timers for L2TP Tunnels on page 420
• Hiding Attribute-Value Pairs for L2TP Tunnels on page 420
• Configuring System Logging of L2TP Tunnel Activity on page 421

Configuring Access Profiles for L2TP Tunnel Groups

To validate L2TP connections and session requests, you set up access profiles by configuring the profile statement at the [edit access] hierarchy level. You need to configure two types of profiles:

• L2TP tunnel access profile, which validates all L2TP connection requests to the specified local gateway address
• PPP access profile, which validates all PPP session requests through L2TP tunnels established to the local gateway address

To associate the profiles with a tunnel group, include the l2tp-access-profile and ppp-access-profile statements at the [edit services l2tp tunnel-group group-name] hierarchy level:

l2tp-access-profile profile-name;
ppp-access-profile profile-name;

For more information on configuring the profiles, see the Junos OS System Basics Configuration Guide. A profile example is included in “Examples: Configuring L2TP Services” on page 426.

Configuring the Local Gateway Address and PIC

When you configure an L2TP group, you must also define a local address for the L2TP tunnel connections and the AS PIC that processes the requests:

• To configure the local gateway IP address, include the local-gateway statement at the [edit services l2tp tunnel-group group-name] hierarchy level:

  local-gateway address address;

• To configure the AS PIC, include the service-interface statement at the [edit services l2tp tunnel-group group-name] hierarchy level:

  service-interface sp-fpc/pic/port;

  You can optionally specify the logical unit number along with the service interface. If specified, the unit is used as a logical interface representing PPP sessions negotiated using this profile.

NOTE: If you change the local gateway address or the service interface configuration, all L2TP sessions using those settings are terminated.

Dynamic class-of-service (CoS) functionality is supported on L2TP LNS sessions or L2TP sessions with ATM VCs, as long as the L2TP session is configured to use an IQ2 PIC on the egress interface. For more information, see the Junos OS Class of Service Configuration Guide.

Configuring Window Size for L2TP Tunnels

You can configure the maximum window size for packet processing at each end of the L2TP tunnel:

• The receive window size limits the number of concurrent packets the server processes. The information is transmitted in the receive window size attribute-value pair. By default, the maximum is 16 packets. To change the window size, include the receive-window statement at the [edit services l2tp tunnel-group group-name] hierarchy level:

  receive-window packets;

• The maximum-send window size limits the other end’s receive window size. By default, the maximum is 32 packets. To change the window size, include the maximum-send-window statement at the [edit services l2tp tunnel-group group-name] hierarchy level:

  maximum-send-window packets;

Configuring Timers for L2TP Tunnels

You can configure the following timer values that regulate L2TP tunnel processing:

• Hello interval—If the server does not receive any messages within a specified time interval, the router software sends a hello message to the tunnel’s remote peer. By default, the interval length is 60 seconds. If you configure a value of 0, no hello messages are sent. To configure a different value, include the hello-interval statement at the [edit services l2tp tunnel-group group-name] hierarchy level:

  hello-interval seconds;

• Retransmit interval—By default, the retransmit interval length is 30 seconds. To configure a different value, include the retransmit-interval statement at the [edit services l2tp tunnel-group group-name] hierarchy level:

  retransmit-interval seconds;

• Tunnel timeout—If the server cannot send any data through the tunnel within a specified time interval, it assumes that the connection with the remote peer has been lost and deletes the tunnel. By default, the interval length is 120 seconds. To configure a different value, include the tunnel-timeout statement at the [edit services l2tp tunnel-group group-name] hierarchy level:

  tunnel-timeout seconds;

Hiding Attribute-Value Pairs for L2TP Tunnels

Once an L2TP tunnel has been established and the connection authenticated, information is encoded by means of attribute-value pairs. By default, this information is not hidden. To hide the attribute-value pairs once the shared secret is known, include the hide-avps statement at the [edit services l2tp tunnel-group group-name] hierarchy level:

hide-avps;

Configuring System Logging of L2TP Tunnel Activity

You can specify properties that control how system log messages are generated for L2TP services. To configure interface-wide default system logging values, include the syslog statement at the [edit services l2tp tunnel-group group-name] hierarchy level:

syslog {
    host hostname {
        services severity-level;
        facility-override facility-name;
        log-prefix prefix-value;
    }
}

Configure the host statement with a hostname or IP address that specifies the system log target server. The hostname local directs system log messages to the Routing Engine. For external system log servers, the hostname must be reachable from the same routing instance to which the initial data packet (that triggered session establishment) is delivered. You can specify only one system logging hostname.

Table 14 on page 421 lists the severity levels that you can specify in configuration statements at the [edit services l2tp tunnel-group group-name syslog host hostname] hierarchy level. The levels from emergency through info are in order from highest severity (greatest effect on functioning) to lowest.

Table 14: System Log Message Severity Levels

Severity Level   Description
any              Includes all severity levels
emergency        System panic or other condition that causes the router to stop functioning
alert            Conditions that require immediate correction, such as a corrupted system database
critical         Critical conditions, such as hard drive errors
error            Error conditions that generally have less serious consequences than errors in the emergency, alert, and critical levels
warning          Conditions that warrant monitoring
notice           Conditions that are not errors but might warrant special handling
info             Events or nonerror conditions of interest

We recommend setting the system logging severity level to error during normal operation. To monitor PIC resource usage, set the level to warning. To gather information about an intrusion attack when an intrusion detection system error is detected, set the level to notice for a specific service set. To debug a configuration or log Network Address Translation (NAT) events, set the level to info. For more information about system log messages, see the Junos OS System Log Messages Reference.

To use one particular facility code for all logging to the specified system log host, include the facility-override statement at the [edit services l2tp tunnel-group group-name syslog host hostname] hierarchy level:

facility-override facility-name;

The supported facilities include: authorization, daemon, ftp, kernel, user, and local0 through local7.

To specify a text prefix for all logging to this system log host, include the log-prefix statement at the [edit services l2tp tunnel-group group-name syslog host hostname] hierarchy level:

log-prefix prefix-text;

Configuring the Identifier for Logical Interfaces that Provide L2TP Services

You can configure L2TP services on adaptive services interfaces on M7i, M10i, and M120 routers only. To configure the logical interface, include the l2tp-interface-id statement at the [edit interfaces interface-name unit logical-unit-number dial-options] hierarchy level:

l2tp-interface-id name;
(dedicated | shared);

You must configure the logical interface to be dedicated or shared. If a logical interface is dedicated, it can represent only one session at a time. A shared logical interface can have multiple sessions, to be used as a pool for several users. You can configure multiple logical interfaces with the same interface identifier.

NOTE: If you delete the dial-options statement settings configured on a logical interface, all L2TP sessions running on that interface are terminated.

The l2tp-interface-id name configured on the logical interface must be replicated at the [edit access profile name] hierarchy level:

• For a user-specific identifier, include the l2tp-interface-id statement at the [edit access profile name ppp] hierarchy level.
• For a group identifier, include the l2tp-interface-id statement at the [edit access profile name l2tp] hierarchy level.

For more information on configuring access profiles, see the Junos OS System Basics Configuration Guide.
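The syslog statements in “Configuring System Logging of L2TP Tunnel Activity” above decide two things a collector or SIEM sees: which L2TP messages are emitted at all (the services severity threshold) and how they are tagged (facility-override and log-prefix). The following Python example, added here and not Juniper code, applies one syslog host stanza to a batch of constructed messages and returns what the host would receive, including the syslog PRI value (facility times 8 plus severity) that many parsers key on. The facility numbers are the standard codes from RFC 3164/5424, which is an assumption about how the router encodes the Junos facility names; the messages themselves are made up.

```python
"""Apply an L2TP tunnel-group `syslog host` stanza (services severity
threshold, facility-override, log-prefix) to constructed messages and
return the syslog lines a collector would receive.

Added example for this guide; not Juniper code.  Facility numbers follow
RFC 3164/5424 (an assumption about the router's encoding); the sample
messages are constructed, not real l2tpd output.
"""

# Junos severity keywords from most to least severe (the order of Table 14).
SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notice", "info"]

# facility-override names listed in the guide -> standard syslog facility codes.
FACILITY_CODES = {
    "kernel": 0,
    "user": 1,
    "daemon": 3,
    "authorization": 4,   # syslog "auth"
    "ftp": 11,
    **{f"local{i}": 16 + i for i in range(8)},
}


def severity_code(name):
    """Numeric severity; lower numbers are more severe."""
    if name not in SEVERITIES:
        raise ValueError(f"unknown severity level: {name!r}")
    return SEVERITIES.index(name)


def passes_threshold(configured, message_severity):
    """True if a message of message_severity is emitted under `services configured`.

    `any` admits every level; otherwise a message passes when it is at least
    as severe as the configured level (equal or lower numeric code).
    """
    if configured == "any":
        return True
    return severity_code(message_severity) <= severity_code(configured)


def syslog_pri(facility, severity):
    """PRI value carried in the <N> prefix of a syslog line."""
    return FACILITY_CODES[facility] * 8 + severity_code(severity)


def render(host_stanza, messages):
    """Apply one `syslog host` stanza (a dict mirroring the Junos statements)
    to (severity, text) pairs; returns the lines that would reach the host."""
    prefix = host_stanza.get("log-prefix")
    # facility-override is optional; when it is absent this example assumes
    # `daemon`.  The guide does not state the default, so treat it as a
    # placeholder rather than router behaviour.
    facility = host_stanza.get("facility-override", "daemon")
    lines = []
    for severity, text in messages:
        if not passes_threshold(host_stanza["services"], severity):
            continue
        body = f"{prefix}: {text}" if prefix else text
        lines.append(f"<{syslog_pri(facility, severity)}>{body}")
    return lines


# Constructed messages, not real l2tpd output.
SAMPLE_MESSAGES = [
    ("info", "L2TP session 42 established on sp-1/3/0.20"),
    ("error", "L2TP tunnel 7: hello timeout, tearing down"),
    ("notice", "PPP IPCP negotiated 10.65.2.3 for session 42"),
    ("critical", "sp-1/3/0: PIC memory exhausted, dropping new sessions"),
]


def normal_operation():
    """The guide's recommendation for normal operation: `services error`."""
    stanza = {"services": "error", "facility-override": "local3", "log-prefix": "lns-finance"}
    return render(stanza, SAMPLE_MESSAGES)


def debugging():
    """`services info`, the level the guide suggests for debugging a configuration."""
    return render({"services": "info"}, SAMPLE_MESSAGES)


if __name__ == "__main__":
    for line in normal_operation():
        print(line)
```

Running normal_operation() keeps only the error and critical messages and tags them with facility local3, so a collector can route L2TP events separately from the router's other daemon logs; debugging() passes all four messages through. When you pick a facility-override value, choose one the receiving host does not already use for another source, or the prefix is the only thing left to separate the streams.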

Example: Configuring Multilink PPP on a Shared Logical Interface

Multilink PPP is supported on either shared or dedicated logical interfaces. The following example can be used to configure many multilink bundles on a single shared interface:

interfaces {
    sp-1/3/0 {
        traceoptions {
            flag all;
        }
        unit 0 {
            family inet;
        }
        unit 20 {
            dial-options {
                l2tp-interface-id test;
                shared;
            }
            family inet;
        }
    }
}
access {
    profile t {
        client test {
            l2tp {
                interface-id test;
                shared-secret "$9$n8HX6A01RhlvL1R"; # SECRET-DATA
                multilink;
            }
        }
    }
    profile u {
        authentication-order radius;
    }
    radius-server {
        192.168.65.63 {
            port 1812;
            secret "$9$Vyb4ZHkPQ39mf9pORlexNdbgoZUjqP5"; # SECRET-DATA
        }
    }
}
services {
    l2tp {
        tunnel-group 1 {
            l2tp-access-profile t;
            ppp-access-profile u;
            local-gateway {
                address 10.70.1.1;
            }
            service-interface sp-1/3/0;
        }
        traceoptions {
            flag all;
            debug-level packet-dump;
            filter {
                protocol l2tp;
                protocol ppp;
                protocol radius;
            }
        }
    }
}

AS PIC Redundancy for L2TP Services

L2TP services support AS PIC redundancy, in which one backup PIC supports multiple working PICs. To configure redundancy, you specify a redundancy services PIC (rsp) interface in which the primary AS PIC is active and a secondary AS PIC is on standby. If the primary AS PIC fails, the secondary PIC becomes active, and all service processing is transferred to it. If the primary AS PIC is restored, it remains in standby and does not preempt the secondary AS PIC; you need to manually restore the services to the primary PIC. To determine which PIC is currently active, issue the show interfaces redundancy command. For more information, see “Configuring AS or Multiservices PIC Redundancy” on page 620. For an example configuration, see “Examples: Configuring L2TP Services” on page 426.

NOTE: On L2TP, the only service option supported is warm standby. As with the other AS PIC services that support warm standby, configuration is preserved and available on the new active PIC, although the protocol state needs to be reestablished. The tunnels and sessions are torn down upon switchover and need to be restarted by the LAC and PPP client, respectively. Recovery times are not guaranteed, because the configuration must be completely restored on the backup PIC after a failure is detected. However, you can issue the request interfaces (revert | switchover) command to manually switch between primary and secondary L2TP interfaces. For information on operational mode commands, see the Junos OS Interfaces Command Reference.

Tracing L2TP Operations

NOTE: This topic refers to tracing L2TP LNS operations on M Series routers. To trace L2TP LAC operations on MX Series routers, see Tracing L2TP Operations for Subscriber Access.

Tracing operations track all AS PIC operations and record them in a log file in the /var/log directory. By default, this file is named /var/log/l2tpd. To trace L2TP operations, include the traceoptions statement at the [edit services l2tp] hierarchy level:

traceoptions {
    debug-level level;
    file <filename> <files number> <match regular-expression> <size maximum-file-size> <world-readable | no-world-readable>;
    filter {
        protocol name;
        user-name username;
    }
    flag flag;
    interfaces interface-name {
        debug-level severity;
        flag flag;
    }
    level (all | error | info | notice | verbose | warning);
    no-remote-trace;
}

You can specify the following L2TP tracing flags:

• all—Trace everything.
• configuration—Trace configuration events.
• protocol—Trace routing protocol events.
• routing-socket—Trace routing socket events.
• rpd—Trace routing protocol process events.

To configure a trace level, include the debug-level statement at the [edit services l2tp traceoptions] hierarchy level and specify one of the following values:

• detail—Detailed debug information
• error—Errors only
• packet-dump—Packet decoding information

You can filter by protocol. You can specify a trace level for PPP, L2TP, RADIUS, and User Datagram Protocol (UDP) tracing. To configure filters, include the filter protocol statement at the [edit services l2tp traceoptions] hierarchy level and specify one or more of the following protocol values:

• ppp
• l2tp
• radius
• udp

To implement filtering by protocol name, you must also configure either flag protocol or flag all.

You can also configure traceoptions for L2TP on a specific adaptive services interface. To configure per-interface tracing, include the interfaces statement at the [edit services l2tp traceoptions] hierarchy level:

interfaces interface-name {
    debug-level level;
    flag flag;
}

You can specify the debug-level and flag statements for the interface, but the options are slightly different from the general L2TP traceoptions. You specify the debug level as detail, error, or extensive, which provides complete PIC debug information. The following flags are available:

• all—Trace everything.
• ipc—Trace L2TP Inter-Process Communication (IPC) messages between the PIC and the Routing Engine.
• packet-dump—Dump each packet’s content based on debug level.
• protocol—Trace L2TP, PPP, and multilink handling.
• system—Trace packet processing on the PIC.

NOTE: Implementing traceoptions consumes CPU resources and affects the packet processing performance.

Examples: Configuring L2TP Services

Configure L2TP with multiple group and user profiles and a pool of logical interfaces for concurrent tunnel sessions:

[edit access]
address-pool customer_a {
    address 10.65.1.1/32;
}
address-pool customer_b {
    address-range low 10.65.2.1 high 10.65.2.5;
}
group-profile sunnyvale_users {
    ppp {
        framed-pool customer_a;
        idle-timeout 15;
        interface-id west;
        primary-dns 192.168.65.1;
        primary-wins 192.168.65.2;
        secondary-dns 192.168.65.3;
        secondary-wins 192.168.65.4;
    }
}
group-profile eastcoast_users {
    ppp {
        framed-pool customer_b;
        idle-timeout 20;
        interface-id east;
        primary-dns 192.168.65.5;
        primary-wins 192.168.65.6;
        secondary-dns 192.168.65.7;
        secondary-wins 192.168.65.8;
    }
}
group-profile sunnyvale_tunnel {
    l2tp {
        maximum-sessions-per-tunnel 100;
        interface-id west_shared;
    }
}
group-profile east_tunnel {
    l2tp {
        maximum-sessions-per-tunnel 125;
        interface-id east_shared;
    }
}
profile sunnyvale_bldg_1 {
    client white {
        chap-secret "$9$3s2690IeK8X7VKM7VwgaJn/Ctu1hclv87Ct87"; # SECRET-DATA
        group-profile sunnyvale_users;
        ppp {
            idle-timeout 22;
            interface-id east;
        }
    }
    client blue {
        chap-secret "$9$eq1KWxbwgZUHNdjqmTF3uO1Rhr-dsoJDNd"; # SECRET-DATA
        group-profile sunnyvale_users;
        ppp {
            framed-ip-address 10.65.1.12/32;
            primary-dns 192.168.65.12;
        }
    }
    authentication-order password;
}
profile sunnyvale_bldg_1_tunnel {
    client test {
        l2tp {
            shared-secret "$9$r3HKvLg4ZUDkX7JGjif5p0BIRS8LN"; # SECRET-DATA
            ppp-authentication chap;
        }
        group-profile sunnyvale_tunnel;
    }
    client production {
        l2tp {
            shared-secret "$9$R2QErv8X-goGylVwg4jiTz36/t0BEleWFnRhrlXxbs2aJDHqf3nCP5"; # SECRET-DATA
            maximum-sessions-per-tunnel 75;
            interface-id west_shared;
            ppp-authentication chap;
        }
        group-profile sunnyvale_tunnel;
    }
}

[edit services]
l2tp {
    tunnel-group finance-lns-server {
        l2tp-access-profile sunnyvale_bldg_1_tunnel;
        ppp-access-profile sunnyvale_bldg_1;
        local-gateway {
            address 10.117.1.1;
        }
        service-interface sp-1/3/0;
        maximum-send-window 1200;
        receive-window 1500;
        retransmit-interval 5;
        hello-interval 15;
        tunnel-timeout 55;
    }
    traceoptions {
        flag all;
    }
}

[edit interfaces sp-1/3/0]
unit 0 {
    family inet;
}
unit 10 {
    dial-options {
        l2tp-interface-id foo-user;
        dedicated;
    }
    family inet;
}
unit 11 {
    dial-options {
        l2tp-interface-id east;
        dedicated;
    }
    family inet;
}
unit 12 {
    dial-options {
        l2tp-interface-id east;
        dedicated;
    }
    family inet;
}
unit 21 {
    dial-options {
        l2tp-interface-id west;
        dedicated;
    }
    family inet;
}
unit 30 {
    dial-options {
        l2tp-interface-id west_shared;
        shared;
    }
    family inet;
}
unit 40 {
    dial-options {
        l2tp-interface-id east_shared;
        shared;
    }
    family inet;
}
unit 11 {
    dial-options {
        l2tp-interface-id east_shared;
        shared;
    }
    family inet;
}

Configure L2TP redundancy:

interfaces {
    rsp0 {
        redundancy-options {
            primary sp-0/0/0;
            secondary sp-1/3/0;
        }
        unit 0 {
            family inet;
        }
    }
}


CHAPTER 19
Summary of Layer 2 Tunneling Protocol Configuration Statements

The following sections explain each of the Layer 2 Tunneling Protocol (L2TP) statements. The statements are organized alphabetically.

facility-override

Syntax
facility-override facility-name;

Hierarchy Level
[edit services l2tp tunnel-group group-name syslog host hostname]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Override the default facility for system log reporting.

Options
facility-name—Name of the facility that overrides the default assignment. Valid entries include:
authorization
daemon
ftp
kernel
local0 through local7
user

Usage Guidelines
See “Configuring System Logging of L2TP Tunnel Activity” on page 421.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

hello-interval

Syntax
hello-interval seconds;

Hierarchy Level
[edit services l2tp tunnel-group name]

Release Information
Statement introduced before Junos OS Release 7.4. Support for MX Series routers introduced in Junos OS Release 11.4. Not all subordinate statements are supported for L2TP LNS on MX Series routers.

Description
Specify the keepalive timer for L2TP tunnels.

Options
seconds—Interval, in seconds, after which the server sends a hello message if no messages are received. A value of 0 means that no hello messages are sent.
Default: 60 seconds

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation
• (M Series routers) Configuring Timers for L2TP Tunnels on page 420
• (MX Series routers) Configuring an L2TP Tunnel Group for LNS Sessions with Inline Services Interfaces

hide-avps

Syntax
hide-avps;

Hierarchy Level
[edit services l2tp tunnel-group name]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Hide L2TP attribute-value pairs if the secret shared between the two ends of the tunnel is known.

NOTE: This statement is not supported for L2TP LNS on MX Series routers.

Default
Attribute-value pairs that can be hidden are exposed, even if the secret information is known.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation
• Hiding Attribute-Value Pairs for L2TP Tunnels on page 420

host

Syntax
host hostname {
    services severity-level;
    facility-override facility-name;
    log-prefix prefix-value;
}

Hierarchy Level
[edit services l2tp tunnel-group group-name syslog]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Specify the hostname for the system logging utility.

Options
hostname—Name of the system logging utility host machine. This can be the local Routing Engine or an external server address.
The remaining statements are explained separately.

Usage Guidelines
See “Configuring System Logging of L2TP Tunnel Activity” on page 421.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

l2tp-access-profile

Syntax
l2tp-access-profile profile-name;

Hierarchy Level
[edit services l2tp tunnel-group name]

Release Information
Statement introduced before Junos OS Release 7.4. Support for MX Series routers introduced in Junos OS Release 11.4.

Description
Specify the profile used to validate all L2TP connection requests to the local gateway address.

Options
profile-name—Identifier for the L2TP connection profile.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation
• (M Series routers) Configuring Access Profiles for L2TP Tunnel Groups on page 419
• (MX Series routers) Configuring an L2TP Access Profile on the LNS

local-gateway address

Syntax
local-gateway address address;

Hierarchy Level
[edit services l2tp tunnel-group name]

Release Information
Statement introduced before Junos OS Release 7.4. Support for MX Series routers introduced in Junos OS Release 11.4.

Description
Specify the local (LNS) IP address for the L2TP tunnel. When the LAC is an MX Series router, this address matches the remote gateway address configured in the LAC tunnel profile.

Options
address—Local IP address; corresponds to the IP address that is used by LACs to identify the LNS.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation
• (M7i, M10i, M120 routers) Configuring the Local Gateway Address and PIC on page 419
• (M Series routers) Configuring L2TP Tunnel Groups on page 418
• (MX Series routers) Configuring an L2TP Tunnel Group for LNS Sessions with Inline Services Interfaces

log-prefix

Syntax
log-prefix prefix-value;

Hierarchy Level
[edit services l2tp tunnel-group group-name syslog host hostname]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Set the system logging prefix value.

Options
prefix-value—System logging prefix value.

Usage Guidelines
See “Configuring System Logging of L2TP Tunnel Activity” on page 421.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

maximum-send-window

Syntax
maximum-send-window packets;

Hierarchy Level
[edit services l2tp tunnel-group name]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Specify the size of the send window for L2TP tunnels, which limits the remote end’s receive window size.

NOTE: This statement is not supported for L2TP LNS on MX Series routers.

Options
packets—Maximum number of packets the send window can hold at one time.
Default: 32

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation
• Configuring Window Size for L2TP Tunnels on page 420

ppp-access-profile

Syntax
ppp-access-profile profile-name;

Hierarchy Level
[edit services l2tp tunnel-group name]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Specify the profile used to validate all Point-to-Point Protocol (PPP) session requests through L2TP tunnels established to the local gateway address.

NOTE: This statement is not supported for L2TP LNS on MX Series routers.

Options
profile-name—Identifier for the PPP profile.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation
• Configuring Access Profiles for L2TP Tunnel Groups on page 419

receive-window

Syntax
receive-window packets;

Hierarchy Level
[edit services l2tp tunnel-group name]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Specify the size of the receive window for L2TP tunnels, which limits the number of packets the server processes concurrently.

NOTE: This statement is not supported for L2TP LNS on MX Series routers.

Options
packets—Maximum number of packets the receive window can hold at one time.
Default: 16

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation
• Configuring Window Size for L2TP Tunnels on page 420

retransmit-interval

Syntax
retransmit-interval seconds;

Hierarchy Level
[edit services l2tp tunnel-group name]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Specify the maximum retransmit interval for L2TP tunnels.

NOTE: This statement is not supported for L2TP LNS on MX Series routers.

Options
seconds—Interval, in seconds, after which the server retransmits data if no acknowledgment is received.
Default: 30 seconds

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation
• Configuring Timers for L2TP Tunnels on page 420

service-interface

Syntax
service-interface interface-name;

Hierarchy Level
[edit services l2tp tunnel-group name]

Release Information
Statement introduced before Junos OS Release 7.4.
Option si-fpc/pic/port introduced in Junos OS Release 11.4.

Description
Specify the service interface responsible for handling L2TP processing.

NOTE: On MX Series routers, the service interface configuration is required for static LNS sessions. Either the service interface configuration or the service device pool configuration can be used for dynamic LNS sessions.

Options
interface-name—Name of the service interface. The interface type depends on the line card as follows:
• sp-fpc/pic/port—On AS or Multiservices PICs on M7i, M10i, and M120 routers.
• si-fpc/pic/port—On MPCs on MX Series routers.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation
• (M7i, M10i, and M120 routers) Configuring the Local Gateway Address and PIC on page 419
• (MX Series routers) Configuring an L2TP Tunnel Group for LNS Sessions with Inline Services Interfaces

services

See the following sections:
• services (Hierarchy) on page 438
• services (L2TP System Logging) on page 439

services (Hierarchy)

Syntax
services l2tp {
    ...
}

Hierarchy Level
[edit]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Define the service properties to be applied to traffic.

Options
l2tp—Identifies the L2TP set of services statements.

Usage Guidelines
See “L2TP Services Configuration Overview” on page 415.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

services (L2TP System Logging)

Syntax
services severity-level;

Hierarchy Level
[edit services l2tp tunnel-group group-name syslog host hostname]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Specify the system logging severity level.

Options
severity-level—Assigns a severity level to the facility. Valid entries include:
• alert—Conditions that should be corrected immediately.
• any—Matches any level.
• critical—Critical conditions.
• emergency—Panic conditions.
• error—Error conditions.
• info—Informational messages.
• notice—Conditions that require special handling.
• warning—Warning messages.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation
• Configuring System Logging of L2TP Tunnel Activity on page 421

syslog

Syntax
syslog {
    host hostname {
        services severity-level;
        facility-override facility-name;
        log-prefix prefix-value;
    }
}

Hierarchy Level
[edit services l2tp tunnel-group group-name]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Configure the generation of system log messages for L2TP services. System log information is passed to the kernel for logging in the /var/log/l2tpd directory.

NOTE: This statement is not supported for L2TP LNS on MX Series routers.

Options
The remaining statements are described separately.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation
• Configuring System Logging of L2TP Tunnel Activity on page 421

traceoptions (L2TP)

Syntax
traceoptions {
    debug-level level;
    file filename <files number> <match regular-expression> <size maximum-file-size> <world-readable | no-world-readable>;
    filter {
        protocol name;
        user-name username;
    }
    flag flag;
    interfaces interface-name {
        debug-level level;
        flag flag;
    }
    level (all | error | info | notice | verbose | warning);
    no-remote-trace;
}

Hierarchy Level
[edit services l2tp]

Release Information
Statement introduced before Junos OS Release 7.4.
Support for L2TP LAC on MX Series routers introduced in Junos OS Release 10.4.
Support for L2TP LNS on MX Series routers introduced in Junos OS Release 11.4.

Description
Define tracing operations for L2TP processes.

Options
debug-level level—Trace level for PPP, L2TP, RADIUS, and UDP; this option does not apply to L2TP on MX Series routers:
• detail—Trace detailed debug information.
• error—Trace error information.
• packet-dump—Trace packet decoding information.

file filename—Name of the file to receive the output of the tracing operation. Enclose the name within quotation marks. All files are placed in the directory /var/log.

files number—(Optional) Maximum number of trace files to create before overwriting the oldest one. If you specify a maximum number of files, you also must specify a maximum file size with the size option.
Range: 2 through 1000
Default: 3 files

filter protocol name—Additional filter for the specified protocol; this option does not apply to L2TP on MX Series routers:
• l2tp
• ppp
• radius
• udp

filter user-name username—Additional filter for the specified username; this option does not apply to L2TP on MX Series routers.

flag flag—Tracing operation to perform. To specify more than one tracing operation, include multiple flag statements. You can include the following flags:
• all—Trace all operations.
• configuration—Trace configuration events.
• events—Trace interface events.
• general—Trace general events.
• gres—Trace GRES events.
• init—Trace daemon initialization.
• ipc-rx—Trace IPC receive events.
• ipc-tx—Trace IPC transmit events.
• memory—Trace memory management code.
• message—Trace message processing code.
• packet-error—Trace packet error events.
• parse—Trace parsing events.
• protocol—Trace L2TP events.
• receive-packets—Trace received L2TP packets.
• routing-process—Trace routing process interactions.
• routing-socket—Trace routing socket events.
• session-db—Trace session database interactions.
• states—Trace state machine events.
• timer—Trace timer events.
• transmit-packets—Trace transmitted L2TP packets.
• tunnel—Trace tunnel events.

interfaces interface-name—Apply L2TP traceoptions to a specific services interface. This option does not apply to L2TP on MX Series routers.

debug-level level—Trace level for the interface; this option does not apply to L2TP on MX Series routers:
• detail—Trace detailed debug information.
• error—Trace error information.
• extensive—Trace all PIC debug information.
• packet-dump—Dump each packet content based on debug level.

flag flag—Tracing operation to perform for the interface. To specify more than one tracing operation, include multiple flag statements. This option does not apply to L2TP on MX Series routers. You can include the following flags:
• all—Trace everything.
• ipc—Trace L2TP Inter-Process Communication (IPC) messages between the PIC and the Routing Engine.
• protocol—Trace L2TP, PPP, and multilink handling.
• system—Trace packet processing on the PIC.

level—Specify level of tracing to perform. You can specify any of the following levels:
• all—Match all levels.
• error—Match error conditions.
• info—Match informational messages.
• notice—Match notice messages about conditions requiring special handling.
• verbose—Match verbose messages.
• warning—Match warning messages.

match regular-expression—(Optional) Refine the output to include lines that contain the regular expression.

no-remote-trace—Disable remote tracing.

size maximum-file-size—(Optional) Maximum size of each trace file. By default, the number entered is treated as bytes. Alternatively, you can include a suffix to the number to indicate kilobytes (KB), megabytes (MB), or gigabytes (GB). If you specify a maximum file size, you also must specify a maximum number of trace files with the files option.
Syntax: sizek to specify KB, sizem to specify MB, or sizeg to specify GB
Range: 10240 through 1073741824

world-readable—(Optional) Enable unrestricted file access.

no-world-readable—(Optional) Disable unrestricted file access.

Required Privilege Level
trace—To view this statement in the configuration.
trace-control—To add this statement to the configuration.

Related Documentation
• For information about L2TP tracing on M Series routers, see Tracing L2TP Operations on page 424
• For information about L2TP tracing on MX Series routers, see Tracing L2TP Operations for Subscriber Access
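The following stanza is an added example, not taken from this guide, that applies the traceoptions statement summarized above on an M Series LNS. The interface name sp-1/2/0, the trace file name, and the filtered user name are assumptions chosen for illustration. It pairs files with size, which the guide requires to be configured together, sets no-world-readable so that trace output, which can carry subscriber user names and tunnel details, is not readable by every account on the Routing Engine, and narrows the trace with the filter and interfaces statements, which do not apply to L2TP on MX Series routers.

```junos
[edit services l2tp]
traceoptions {
    /* files and size must be configured together; 5m is 5 MB, inside the 10240..1073741824 range */
    file "l2tp-trace" files 5 size 5m no-world-readable;
    /* notice and above: enough to see tunnel setup and teardown without packet-level noise */
    level notice;
    /* one flag statement per tracing operation */
    flag tunnel;
    flag protocol;
    flag packet-error;
    /* M Series only: restrict the trace to one subscriber and to the L2TP protocol (assumed user name) */
    filter {
        user-name "alice@example.net";
        protocol l2tp;
    }
    no-remote-trace;
    /* M Series only: per-PIC tracing on the assumed service interface */
    interfaces sp-1/2/0 {
        debug-level error;
        flag ipc;
    }
}
```

The resulting files land in /var/log (l2tp-trace, l2tp-trace.0, and so on up to five files). Remove the stanza, or at least the filter and interfaces blocks, once the investigation is over; a permanent user-name filter documents which subscriber was under observation to anyone who can read the configuration.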

tunnel-group

Syntax
tunnel-group group-name {
    aaa-access-profile profile-name;
    dynamic-profile profile-name;
    hello-interval seconds;
    hide-avps;
    l2tp-access-profile profile-name;
    local-gateway address address;
    maximum-send-window packets;
    ppp-access-profile profile-name;
    receive-window packets;
    retransmit-interval seconds;
    service-device-pool pool-name;
    service-interface interface-name;
    syslog {
        host hostname {
            services severity-level;
            facility-override facility-name;
            log-prefix prefix-value;
        }
    }
    tos-reflect;
    tunnel-timeout seconds;
}

Hierarchy Level
[edit services l2tp]

Release Information
Statement introduced before Junos OS Release 7.4.
Support for MX Series routers and the aaa-access-profile, dynamic-profile, service-device-pool, and tos-reflect statements introduced in Junos OS Release 11.4.

Description
Specify the L2TP tunnel properties.

NOTE: Subordinate statement support depends on the platform. See individual statement topics for more detailed support information.

Options
group-name—Identifier for the tunnel group.
The remaining statements are explained separately.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation
• (M7i, M10i, and M120 routers) Configuring L2TP Tunnel Groups on page 418
• (MX Series routers) Configuring an L2TP Tunnel Group for LNS Sessions with Inline Services Interfaces

tunnel-timeout

Syntax
tunnel-timeout seconds;

Hierarchy Level
[edit services l2tp tunnel-group name]

Release Information
Statement introduced before Junos OS Release 7.4.
Support for MX Series routers introduced in Junos OS Release 11.4.

Description
Specify the maximum downtime for an L2TP tunnel, after which the tunnel is terminated because the connection is presumed to have been lost.

Options
seconds—Interval after which the tunnel is terminated if no data can be sent.
Default: 120 seconds

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation
• (M Series routers) Configuring Timers for L2TP Tunnels on page 420
• (MX Series routers) Configuring an L2TP Tunnel Group for LNS Sessions with Inline Services Interfaces
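The following stanza is an added example, not from this guide, that assembles the tunnel-group statements summarized in this chapter into one M Series LNS tunnel group; it also exercises the syslog, host, services, facility-override and log-prefix statements. The group name, profile names, addresses, syslog host and facility are assumptions. The two access profiles are assumed to be defined separately under [edit access profile], which this chapter does not cover; without them the LNS has nothing to validate tunnel and PPP session requests against. The window, retransmit and timeout values are the defaults given above, written out so that a configuration review shows them. Because maximum-send-window, ppp-access-profile, receive-window, retransmit-interval and syslog are not supported for L2TP LNS on MX Series routers, the example uses the sp- service interface form of the M7i, M10i and M120 routers.

```junos
[edit services l2tp]
tunnel-group lns-pop1 {
    /* Both profiles are assumed to exist under [edit access profile] (not shown) */
    l2tp-access-profile l2tp-lac-tunnels;    /* validates every tunnel request to the local gateway */
    ppp-access-profile ppp-subscribers;      /* validates every PPP session carried in those tunnels */
    /* Address the LACs use as their remote gateway (assumed, documentation range) */
    local-gateway address 192.0.2.1;
    /* AS or Multiservices PIC that performs the L2TP processing (assumed slot) */
    service-interface sp-1/2/0;
    /* Window and timer values equal to the defaults documented above */
    maximum-send-window 32;     /* caps the peer's receive window */
    receive-window 16;          /* caps packets this LNS processes concurrently */
    retransmit-interval 30;     /* seconds before unacknowledged data is resent */
    tunnel-timeout 120;         /* seconds of silence before the tunnel is torn down */
    /* Tunnel activity to an external collector; the local Routing Engine is also valid here */
    syslog {
        host 198.51.100.10 {
            services info;               /* info and above */
            facility-override local7;    /* assumed facility for the collector's filters */
            log-prefix lns-pop1;         /* tags each message with this tunnel group */
        }
    }
}
```

Keeping tunnel-timeout at a modest value matters operationally: a tunnel whose LAC has gone away otherwise holds its sessions and window state until the timer expires. The log-prefix value is what lets a collector separate this tunnel group's messages from any other L2TP instance on the same host.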

CHAPTER 20
Link Services IQ Interfaces Configuration Guidelines

You can configure link services intelligent queuing (IQ) (LSQ or lsq-) interfaces on the Adaptive Services (AS) PIC, the Link Services II PIC, the internal Adaptive Services Module in the M7i platform, and the Multiservices PIC. LSQ interfaces are similar to link services interfaces, which are described in “Multilink and Link Services Logical Interface Configuration Overview” on page 1237. The important difference is that LSQ interfaces fully support Junos class of service (CoS) components. Each logical interface is a Multilink Point-to-Point Protocol (MLPPP) bundle, an FRF.15 bundle, or an FRF.16 DLCI. The AS or Multiservices PIC has a limit of 1023 logical interfaces.

NOTE: The Link Services II PIC offers the same functionality as the Layer 2 service package on AS or Multiservices PICs.

This chapter describes the Layer 2 service package and the CoS and failure recovery capabilities of LSQ interfaces. For detailed information about Layer 3 services, see other chapters in this manual and the Junos OS Feature Guides.

This chapter contains the following sections:
• Layer 2 Service Package Capabilities and Interfaces on page 448
• Configuring LSQ Interface Redundancy Across Multiple Routers Using SONET APS on page 450
• Configuring LSQ Interface Redundancy in a Single Router Using SONET APS on page 452
• Configuring LSQ Interface Redundancy in a Single Router Using Virtual Interfaces on page 453
• Configuring CoS Scheduling Queues on Logical LSQ Interfaces on page 461
• Configuring CoS Fragmentation by Forwarding Class on LSQ Interfaces on page 465
• Reserving Bundle Bandwidth for Link-Layer Overhead on LSQ Interfaces on page 466
• Configuring Multiclass MLPPP on LSQ Interfaces on page 467
• Oversubscribing Interface Bandwidth on LSQ Interfaces on page 468
• Configuring Guaranteed Minimum Rate on LSQ Interfaces on page 473
• Configuring Link Services and CoS on Services PICs on page 477
• Configuring LSQ Interfaces as NxT1 or NxE1 Bundles Using MLPPP on page 480
• Configuring LSQ Interfaces as NxT1 or NxE1 Bundles Using FRF.16 on page 485
• Configuring LSQ Interfaces for Single Fractional T1 or E1 Interfaces Using MLPPP and LFI on page 490
• Configuring LSQ Interfaces for Single Fractional T1 or E1 Interfaces Using FRF.12 on page 495
• Configuring LSQ Interfaces as NxT1 or NxE1 Bundles Using FRF.15 on page 502
• Configuring LSQ Interfaces for T3 Links Configured for Compressed RTP over MLPPP on page 503
• Configuring LSQ Interfaces as T3 or OC3 Bundles Using FRF.12 on page 504
• Configuring LSQ Interfaces for ATM2 IQ Interfaces Using MLPPP on page 506

Layer 2 Service Package Capabilities and Interfaces

As described in “Enabling Service Packages” on page 39, you can configure the AS or Multiservices PIC and the internal ASM in the M7i platform to use either the Layer 2 or the Layer 3 service package. When you enable the Layer 2 service package, the AS or Multiservices PIC supports link services. On the AS or Multiservices PIC and the ASM, link services include the following:

• Junos CoS components—“Configuring CoS Scheduling Queues on Logical LSQ Interfaces” on page 461 describes how the Junos CoS components work on link services IQ (lsq) interfaces. For detailed information about Junos CoS components, see the Junos OS Class of Service Configuration Guide.
• Link fragment interleaving (LFI) on Frame Relay links using FRF.12.
• LFI on Multilink Point-to-Point Protocol (MLPPP) links. For more information, see “Configuring Delay-Sensitive Packet Interleaving” on page 524 and “Configuring CoS Fragmentation by Forwarding Class on LSQ Interfaces” on page 465.
• Data compression using the compressed Real-Time Transport Protocol (CRTP) for use in voice over IP (VoIP) transmission.

NOTE: On LSQ interfaces, all multilink traffic for a single bundle is sent to a single processor. If CRTP is enabled on the bundle, it adds overhead to the CPU. Because T3 network interfaces support only one link per bundle, make sure you configure a fragmentation map for compressed traffic on these interfaces and specify the no-fragmentation option.

• FRF.12 end-to-end fragmentation—The standard for FRF.12 is defined in the specification FRF.12, Frame Relay Fragmentation Implementation Agreement.

• Multilink Frame Relay (MLFR) end-to-end (FRF.15)—The standard for FRF.15 is defined in the specification FRF.15, End-to-End Multilink Frame Relay Implementation Agreement.
• Multilink Frame Relay (MLFR) UNI NNI (FRF.16)—The standard for FRF.16 is defined in the specification FRF.16, Multilink Frame Relay UNI/NNI Implementation Agreement.
• MLPPP—The standard for MLPPP is defined in the specification RFC 1990, The PPP Multilink Protocol (MP).
• Multiclass extension to MLPPP—The standard is defined in the specification RFC 2686, The Multi-Class Extension to Multi-Link PPP. For more information, see “Configuring CoS Scheduling Queues on Logical LSQ Interfaces” on page 461.

For the LSQ interface on the AS or Multiservices PIC, the configuration syntax is almost the same as for Multilink and Link Services PICs. The primary difference is the use of the interface-type descriptor lsq instead of ml or ls.

When you enable the Layer 2 service package on the AS or Multiservices PIC, the following interfaces are automatically created:

gr-fpc/pic/port
ip-fpc/pic/port
lsq-fpc/pic/port
lsq-fpc/pic/port:0
...
lsq-fpc/pic/port:N
mt-fpc/pic/port
pd-fpc/pic/port
pe-fpc/pic/port
sp-fpc/pic/port
vt-fpc/pic/port

Interface types gr, ip, mt, pd, pe, and vt are standard tunnel interfaces that are available on the AS or Multiservices PIC whether you enable the Layer 2 or the Layer 3 service package. These tunnel interfaces function the same way for both service packages, except that the Layer 2 service package does not support some tunnel functions, as shown in Table 5 on page 24. For more information about tunnel interfaces, see Tunnel Properties.

Interface type lsq-fpc/pic/port is the physical link services IQ interface (lsq). Interface types lsq-fpc/pic/port:0 through lsq-fpc/pic/port:N represent FRF.16 bundles. These interface types are created when you include the mlfr-uni-nni-bundles statement at the [edit chassis fpc slot-number pic pic-number] hierarchy level.

NOTE: Interface type sp is created because it is needed by the Junos OS. For the Layer 2 service package, the sp interface is not configurable, but you should not disable it.

NOTE: On DS0, E1, or T1 interfaces in LSQ bundles, you can configure the bandwidth statement, but the router does not use the bandwidth value if the interfaces are included in an MLPPP or MLFR bundle. The bandwidth is calculated internally according to the time slots, framing, and byte-encoding of the interface. For more information about these properties, see the Junos OS Network Interfaces Configuration Guide.

Configuring LSQ Interface Redundancy Across Multiple Routers Using SONET APS

Link services IQ (lsq-) interfaces that are paired with SONET PICs can use the Automatic Protection Switching (APS) configuration already available on SONET networks to provide failure recovery, if it is configured on SONET interfaces in separate chassis and each SONET PIC is paired with an AS or Multiservices PIC in the same chassis. SONET APS provides stateless failure recovery. If one of the following conditions for APS failure is met, the associated SONET PIC triggers recovery to the backup circuit and its associated AS or Multiservices PIC. The failure conditions are:

• Failure of Link Services IQ PIC
• Failure of FPC that hosts the Link Services IQ PIC
• Failure of Packet Forwarding Engine
• Failure of chassis

The guidelines for configuring SONET APS are described in the Junos OS Network Interfaces Configuration Guide.

The following sections describe how to configure failover properties:
• Configuring the Association between LSQ and SONET Interfaces on page 450
• Configuring SONET APS Interoperability with Cisco Systems FRF.16 on page 451
• Restrictions on APS Redundancy for LSQ Interfaces on page 452

Configuring the Association between LSQ and SONET Interfaces

To configure the association between AS or Multiservices PICs hosting link services IQ interfaces and the SONET interfaces, include the lsq-failure-options statement at the [edit interfaces] hierarchy level:

lsq-fpc/pic/port {
    lsq-failure-options {
        no-termination-request;
        [ trigger-link-failure interface-name ];
    }
}

For example, consider the following network scenario:
• Primary router includes interfaces oc3-0/2/0 and lsq-1/1/0.
• Backup router includes interfaces oc3-2/2/0 and lsq-3/2/0.

Configure SONET APS, with oc3-0/2/0 as the working circuit and oc3-2/2/0 as the protect circuit. Include the trigger-link-failure statement to extend failure to the LSQ PICs:

interfaces lsq-1/1/0 {
    lsq-failure-options {
        trigger-link-failure oc3-0/2/0;
    }
}

NOTE: You must configure the lsq-failure-options statement on the primary router only. The configuration is not supported on the backup router.

To inhibit the router from sending PPP termination-request messages to the remote host if the Link Services IQ PIC fails, include the no-termination-request statement at the [edit interfaces lsq-fpc/pic/port lsq-failure-options] hierarchy level:

[edit interfaces lsq-fpc/pic/port lsq-failure-options]
no-termination-request;

The no-termination-request statement is supported only with MLPPP and SONET APS configurations and works with PPP, PPP over Frame Relay, and MLPPP interfaces only. This functionality is supported on link PICs as well, on the following PICs:
• Channelized OC3 IQ PICs
• Channelized OC12 IQ PICs
• Channelized STM1 IQ PICs
• Channelized STM4 IQ PICs

To inhibit the router from sending PPP termination-request messages to the remote host if a link PIC fails, include the no-termination-request statement at the [edit interfaces interface-name ppp-options] hierarchy level:

[edit interfaces interface-name ppp-options]
no-termination-request;

Configuring SONET APS Interoperability with Cisco Systems FRF.16

Juniper Networks routers configured with APS might not interoperate correctly with Cisco FRF.16. To enable interoperation, include the cisco-interoperability statement at the [edit interfaces lsq-fpc/pic/port mlfr-uni-nni-bundle-options] hierarchy level:

[edit interfaces lsq-fpc/pic/port mlfr-uni-nni-bundle-options]
cisco-interoperability send-lip-remove-link-for-link-reject;

The send-lip-remove-link-for-link-reject option prompts the router to send a Link Integrity Protocol remove link when it receives an add-link rejection message.

Restrictions on APS Redundancy for LSQ Interfaces

The following restrictions apply to LSQ failure recovery:

• It applies only to Link Services IQ PICs installed in M Series routers, except for M320 routers.
• The Link Services IQ PICs must be associated with SONET link PICs. The paired PICs can be installed on different routers or in the same router; in other words, both interchassis and intrachassis recovery are supported.
• Failure recovery is stateless. As a result, route flapping and loss of link state is expected in interchassis recovery, requiring PPP renegotiation. In intrachassis recovery, no impact on traffic is anticipated with Routing Engine failover, but PIC failover results in PPP renegotiation.
• The switchover is not revertive: when the original hardware is restored to service, traffic does not automatically revert back to it.
• Normal APS switchover and PIC-triggered APS switchover can be distinguished only by checking the system log messages.
• You must configure the lsq-failure-options statement on physical LSQ interfaces, not on MLFR channelized units.

NOTE: For complete intrachassis recovery, including recovery from Routing Engine failover, graceful Routing Engine switchover (GRES) must be enabled on the router. For more information, see the Junos OS System Basics Configuration Guide.

NOTE: When an AS PIC experiences persistent back pressure as a result of high traffic volume for 3 seconds, the condition triggers an automatic core dump and reboot of the PIC to help clear the blockage. A system log message at level LOG_ERR is generated.

Configuring LSQ Interface Redundancy in a Single Router Using SONET APS

Stateless switchover from one Link Services IQ PIC to another within the same router can be configured by using the SONET APS mechanism described in “Configuring LSQ Interface Redundancy Across Multiple Routers Using SONET APS” on page 450. Each Link Services IQ PIC must be associated with a specified SONET link PIC within the same router. This mechanism applies to both Layer 2 and Layer 3 service packages.

Configuring LSQ Interface Redundancy in a Single Router Using Virtual Interfaces

You can configure failure recovery on M Series, MX Series, and T Series routers that have multiple AS or Multiservices PICs and DPCs with lsq- interfaces by specifying a virtual LSQ redundancy (rlsq) interface in which the primary Link Services IQ PIC is active and a secondary PIC is on standby. If the primary PIC fails, the secondary PIC becomes active, and all LSQ processing is transferred to it. Network interfaces that do not support SONET, such as T1 or E1 interfaces, can be used.

NOTE: This configuration does not require the use of SONET APS for failover.

The following sections provide more information:
• Configuring Redundant Paired LSQ Interfaces on page 453
• Restrictions on Redundant LSQ Interfaces on page 454
• Configuring Link State Replication for Redundant Link PICs on page 455
• Examples: Configuring Redundant LSQ Interfaces for Failure Recovery on page 457

Configuring Redundant Paired LSQ Interfaces

The physical interface type rlsq specifies the pairings between primary and secondary lsq interfaces to enable redundancy. It sets the requirement for the failure detection and recovery time to be less than 5 seconds. It is supported with MLPPP, CRTP, FRF.15, and FRF.16 configurations for the LSQ interface to achieve an uninterrupted LSQ service. It also provides a switchover time of 5 seconds and less for FRF.15 and a maximum of 10 seconds for FRF.16.

To configure a backup lsq interface, include the redundancy-options statement at the [edit interfaces rlsqnumber] hierarchy level:

[edit interfaces rlsqnumber]
redundancy-options {
    (hot-standby | warm-standby);
    primary lsq-fpc/pic/port;
    secondary lsq-fpc/pic/port;
}

For the rlsq interface, number can be from 0 through 1023.

The hot-standby option is used with one-to-one redundancy configurations, in which one working PIC is supported by one backup PIC. The behavior is revertive. If the primary lsq interface fails, traffic processing switches to the secondary interface. If the secondary interface fails and the primary interface is active, processing switches to the primary interface. The secondary interface remains active even after the primary interface recovers, but you can manually switch between the primary and secondary PICs by issuing the request interfaces (revert | switchover) rlsqnumber operational mode command. To determine which PIC is currently active, issue the show interfaces redundancy command.

The warm-standby option is used with redundancy configurations in which one backup PIC supports multiple working PICs. Recovery times are not guaranteed, because the configuration must be completely restored on the backup PIC after a failure is detected.

Certain combinations of hot-standby and warm-standby configuration are not permitted and result in a configuration error. The following examples are permitted:

• Interface rlsq0 configured with primary lsq-0/0/0 and warm-standby, in combination with interface rlsq0:0 configured with primary lsq-0/0/0:0
• Interface rlsq0:0 configured with primary lsq-0/0/0:0, in combination with interface rlsq1:1 configured with primary lsq-0/0/0:1
• Interface rlsq0 configured with primary lsq-0/0/0, in combination with interface rlsq0:1 configured with primary lsq-0/0/0:1

The following example combinations are not permitted:

• Interface rlsq0 configured with primary lsq-0/0/0 and hot-standby, in combination with interface rlsq0:0 configured with primary lsq-0/0/0:0
• Interface rlsq0:0 configured with primary lsq-0/0/0:0, in combination with interface rlsq1:0 configured with primary lsq-0/0/0:0
• Interface rlsq0:0 configured with primary lsq-0/0/0:1, in combination with interface rlsq1 configured with primary lsq-0/0/0

In addition, the same physical interface cannot be reused as the primary interface for more than one rlsq interface, nor can any of the associated logical interfaces. For example, primary interface lsq-0/0/0 cannot be reused in another rlsq interface as lsq-0/0/0:0.

Restrictions on Redundant LSQ Interfaces

Link Services IQ PIC failure occurs under the following conditions:

• The primary PIC fails to boot. In this case, the rlsq interface does not come up and manual intervention is necessary to reboot or replace the PIC, or to rename the primary PIC to the secondary one in the rlsq configuration.
• The primary PIC becomes active and then fails. A failover to the secondary PIC takes place. The secondary PIC automatically takes over processing.
• The secondary PIC then fails. If the primary PIC has been restored to active state, processing switches to it.
• The FPC that contains the Link Services IQ PIC fails.

The following constraints apply to redundant LSQ configurations:

• We recommend that primary and secondary PICs be configured in two different FPCs (in chassis other than M10i routers).
• You cannot configure a Link Services IQ PIC with explicit bundle configurations and as a constituent of an rlsq interface.

if not. Configuring Link State Replication for Redundant Link PICs Link state replication.16) are supported only with the warm-standby option. (You must configure GRES at the [edit chassis] hierarchy level. the configuration triggers a SONET APS switchover. 455 . discussed in “Configuring LSQ Interface Redundancy Across Multiple Routers Using SONET APS” on page 450.Chapter 20: Link Services IQ Interfaces Configuration Guidelines • Redundant LSQ configurations provide full GRES support. Copyright © 2011. must match for the configuration to be valid: either all must be channelized. The rlsq number and its constituents. The rlsqnumber configuration becomes active only if the primary interface is active. You can issue show commands for the rlsq interface or the primary and secondary lsq interfaces. If you configure the redundancy-options statement with the hot-standby option. the primary and secondary interfaces. Since the same interface name is used for hot-standby and warm-standby. or none. If the primary and secondary Link Services IQ PICs fail and the lsq-failure-options statement is configured. the configuration must include one primary interface value and one secondary interface value. statistics on the link interfaces are not carried over following a Routing Engine switchover. Redundant LSQ support is extended to ATM network interfaces. is an addition to the SONET Automatic Protection Switching (APS) functionality that helps promote redundancy of the link PICs used in LSQ configurations. For an example of an FRF. see “Configuring LSQ Interface Redundancy for an FRF.16 configuration. see the Junos OS System Basics Configuration Guide. it is recommended that you first deactivate the interface. You cannot modify the configuration of lsq interfaces after they have been included in an active rlsq interface. Juniper Networks. the primary interface must be active. All the operational mode commands that apply to rsp interfaces also apply to rlsq interfaces. 
and reactivate it. Inc.15 and FRF. Redundant LSQ configurations that require MLPPP Multilink Frame Relay (FRF. and then reactivate the interface. commit the new configuration. if you modify the configuration to change this attribute.16 Bundle” on page 461. also called interface preservation. • • • • • • • • • • NOTE: Adaptive Services and Multiservices PICs in layer-2 mode (running Layer 2 services) are not rebooted when a MAC flow-control situation is detected. The rlsq interfaces also support the lsq-failure-options configuration. You cannot make changes to an active redundancy-options configuration. When the configuration is first activated. the rlsq interface waits until the primary interface comes up. You must deactivate the rlsqnumber interface configuration. for example rlsq0:0. Channelized interfaces are used with FRF-16 bundles. However. change it.

especially for networks with a large number of MLPPP links. Juniper Networks. the LCP keepalive timer interval is 10 seconds and the consecutive link down count is 3. For more information about SONET APS configurations. Inc. If the active SONET PIC fails. An aggressive LCP keepalive timeout configuration can lead to LCP renegotiation during the MLPPP link switchover. • In general. networks that connect a Juniper Networks router to an ADM allow faster MLPPP link switchover than those with back-to-back Juniper Networks routers. The following constraints apply to link PIC redundancy: • APS functionality must be available on the SONET PICs and the interface configurations must be identical on both ends of the link. Channelized OC12. including Channelized OC3. To configure link state replication. Any configuration mismatch causes the commit operation to fail. All the negotiated state is replicated from the active links to the standby links to prevent link renegotiation. This feature is supported only with LSQ and SONET APS-enabled link PICs. and fully supports GRES. Enabling the interface or protocol traceoptions with a large number of MLPPP links can trigger Link Control Protocol (LCP) renegotiation during the link switchover time. one from the active (working) SONET PIC and the other from the backup (protect) SONET PIC to the same bundle.Junos 11. The MLPPP links start LCP negotiation only after a timeout of 30 seconds. include the preserve-interface statement at the [edit interfaces interface-name sonet-options aps] hierarchy level on both network interfaces: edit interfaces interface-name sonet-options aps] preserve-interface. • • • NOTE: This renegotiation is more likely to take place for configurations with back-to-back Juniper Networks routers than in networks in which a Juniper Networks router is connected to an add/drop multiplexer (ADM). see the Junos OS Network Interfaces Configuration Guide. As an example. . 
• NOTE: LCP renegotiation is more likely to take place for configurations with back-to-back Juniper Networks routers than in networks in which a Juniper Networks router is connected to an ADM. 456 Copyright © 2011. and Channelized STM1 intelligent queuing (IQ) PICs. links from the standby PIC are used without causing a link renegotiation. Lowering these configuration values may trigger one or more of the MLPPP links to renegotiate during the switchover time. the following configuration shows the link state replication configuration between the ports coc3-1/0/0 and coc3-2/0/0. By default. The MLPPP link switchover time difference may be significant. Link state replication supports MLPPP and PPP over Frame Relay (frame-relay-ppp) encapsulation.4 Services Interfaces Configuration Guide Link state replication provides the ability to add two sets of links.

Juniper Networks. } } } } Examples: Configuring Redundant LSQ Interfaces for Failure Recovery Configuring LSQ Interface Redundancy for MLPPP The following configuration shows that lsq-1/1/0 and lsq-1/3/0 work as a pair and the redundancy type is hot-standby. } } } rlsq0 { unit 0 { family inet { address 30.1. secondary lsq-1/3/0. Inc. #either hot-standby or warm-standby is supported } } The following example shows a related MLPPP configuration: NOTE: MLPPP protocol configuration is required for this configuration.1. interfaces { t1-/1/2/0 { unit 0 { family mlppp { bundle rlsq0. hot-standby.2/24. } } Copyright © 2011.0. } } } coc3-2/0/0 { sonet-options { aps { preserve-interface. which sets the requirement for the failure detection and recovery time to be less than 5 seconds: interfaces rlsq0 { redundancy-options { primary lsq-1/1/0. protect-circuit aps-group-1. working-circuit aps-group-1.Chapter 20: Link Services IQ Interfaces Configuration Guidelines interfaces { coc3-1/0/0 { sonet-options { aps { preserve-interface. 457 .

The following example shows a related CoS configuration:

    class-of-service {
      interfaces {
        rlsq0 {
          unit * {
            fragmentation-map fr-map1;
          }
        }
      }
    }

The following example shows a complete link state replication configuration for MLPPP. This example uses two bundles, each with four T1 links. The first four T1 links (t1-*:1 through t1-*:4) form the first bundle and the last four T1 links (t1-*:5 through t1-*:8) form the second bundle. To minimize the duplication in the configuration, this example uses the [edit groups] statement. This type of configuration is not required; it simplifies the task and minimizes duplication. For more information, see the Junos OS System Basics Configuration Guide.

    groups {
      ml-partition-group {
        interfaces {
          <coc3-*> {
            partition 1 oc-slice 1 interface-type coc1;
          }
          <coc1-*> {
            partition 1-8 interface-type t1;
          }
        }
      }
      ml-bundle-group-1 {
        interfaces {
          <t1-*:"[1-4]"> {
            encapsulation ppp;
            unit 0 {
              family mlppp {
                bundle lsq-0/1/0.0;
              }
            }
          }
        }
      }
      ml-bundle-group-2 {
        interfaces {
          <t1-*:"[5-8]"> {
            encapsulation ppp;
            unit 0 {
              family mlppp {
                bundle lsq-0/1/0.1;
              }
            }
          }
        }
      }
    }
    interfaces {
      lsq-0/1/0 {
        unit 0 {
          encapsulation multilink-ppp;
          family inet {
            address 1.1.1.1/32 {
              destination 1.1.1.2;
            }
          }
        }
        unit 1 {
          encapsulation multilink-ppp;
          family inet {
            address 1.1.2.1/32 {
              destination 1.1.2.2;
            }
          }
        }
      }
      coc3-1/0/0 {
        apply-groups ml-partition-group;
        sonet-options {
          aps {
            preserve-interface;
            working-circuit aps-group-1;
          }
        }
      }
      coc1-1/0/0:1 {
        apply-groups ml-partition-group;
      }
      t1-1/0/0:1:1 {
        apply-groups ml-bundle-group-1;
      }
      t1-1/0/0:1:2 {
        apply-groups ml-bundle-group-1;
      }
      t1-1/0/0:1:3 {
        apply-groups ml-bundle-group-1;
      }
      t1-1/0/0:1:4 {
        apply-groups ml-bundle-group-1;
      }
      t1-1/0/0:1:5 {
        apply-groups ml-bundle-group-2;
      }
      t1-1/0/0:1:6 {
        apply-groups ml-bundle-group-2;
      }
      t1-1/0/0:1:7 {
        apply-groups ml-bundle-group-2;
      }
      t1-1/0/0:1:8 {
        apply-groups ml-bundle-group-2;
      }
      coc3-2/0/0 {
        apply-groups ml-partition-group;
        sonet-options {
          aps {
            preserve-interface;
            protect-circuit aps-group-1;
          }
        }
      }
      coc1-2/0/0:1 {
        apply-groups ml-partition-group;
      }
      t1-2/0/0:1:1 {
        apply-groups ml-bundle-group-1;
      }
      t1-2/0/0:1:2 {
        apply-groups ml-bundle-group-1;
      }
      t1-2/0/0:1:3 {
        apply-groups ml-bundle-group-1;
      }
      t1-2/0/0:1:4 {
        apply-groups ml-bundle-group-1;
      }
      t1-2/0/0:1:5 {
        apply-groups ml-bundle-group-2;
      }
      t1-2/0/0:1:6 {
        apply-groups ml-bundle-group-2;
      }
      t1-2/0/0:1:7 {
        apply-groups ml-bundle-group-2;
      }
      t1-2/0/0:1:8 {
        apply-groups ml-bundle-group-2;
      }
    }

Configuring LSQ Interface Redundancy for an FRF.15 Bundle

The following example shows a configuration for an FRF.15 bundle:

    interfaces rlsq0 {
      redundancy-options {
        primary lsq-1/2/0;
        secondary lsq-1/3/0;
        warm-standby; # either hot-standby or warm-standby is supported
      }
      unit 0 {
        encapsulation multilink-frame-relay-end-to-end;
        family inet {
          address 30.1.1.1/24;
        }
      }
    }

Configuring LSQ Interface Redundancy for an FRF.16 Bundle

The following example shows a configuration for an FRF.16 bundle:

    interfaces rlsq0:0 {
      dce;
      encapsulation multilink-frame-relay-uni-nni;
      redundancy-options {
        primary lsq-1/2/0:0;
        secondary lsq-1/3/0:0;
        warm-standby; # either hot-standby or warm-standby is supported
      }
      unit 0 {
        dlci 1000;
        family inet {
          address 50.1.1.1/24;
        }
      }
    }

Configuring CoS Scheduling Queues on Logical LSQ Interfaces

For link services IQ (lsq-) interfaces, you can specify a scheduler map for each logical unit. A logical unit represents either an MLPPP bundle or a DLCI configured on a FRF.16 bundle. The scheduler is applied to the traffic sent to an AS or Multiservices PIC running the Layer 2 link services package. For more information, see the Junos OS Class of Service Configuration Guide.

If you configure a scheduler map on a bundle, you must include the per-unit-scheduler statement at the [edit interfaces lsq-fpc/pic/port] hierarchy level. If you configure a scheduler map on an FRF.16 DLCI, you must include the per-unit-scheduler statement at the [edit interfaces lsq-fpc/pic/port:channel] hierarchy level.

If you need latency guarantees for multiclass or LFI traffic, you must use channelized IQ PICs for the constituent links. With non-IQ PICs, latency-sensitive traffic might not receive the type of service that it should, because queueing is not done at the channelized interface level on the constituent links. Constituent links from the following PICs support latency guarantees:

• Channelized E1 IQ PIC
• Channelized OC3 IQ PIC
• Channelized OC12 IQ PIC
• Channelized STM1 IQ PIC
• Channelized T3 IQ PIC

For scheduling queues on a logical interface, you can configure the following scheduler map properties at the [edit class-of-service schedulers] hierarchy level:

• buffer-size—The queue size. For link services IQ interfaces (lsq), each queue can have a different buffer size; for more information, see “Configuring Scheduler Buffer Size” on page 462.
• priority—The transmit priority (low, high, strict-high); for more information, see “Configuring Scheduler Priority” on page 463.
• shaping-rate—The subscribed transmit rate; for more information, see “Configuring Scheduler Shaping Rate” on page 463.
• drop-profile-map—The random early detection (RED) drop profile; for more information, see “Configuring Drop Profiles” on page 463.

On a single logical interface (MLPPP or a FRF.16 DLCI), these scheduling properties work as they do in other PICs, except as noted in the following sections.

When you configure MLPPP and FRF.12 on M Series and T Series routers, you should configure a single scheduler with non-zero percent transmission rates and buffer sizes for queues 0 through 3, and assign this scheduler to the link services IQ interface (lsq) and to each constituent link.

When you configure FRF.16 on M Series and T Series routers, you can assign a single scheduler map to the link services IQ interface (lsq) and to each link services IQ DLCI, or you can assign different scheduler maps to the various DLCIs of the bundle, as shown in “Example: Configuring an LSQ Interface as an NxT1 Bundle Using FRF.16” on page 488. For the constituent links of an FRF.16 bundle, the traffic from each constituent link is transmitted from queue 0. This means you should allow most of the bandwidth to be used by queue 0. The default scheduler transmission rate and buffer size percentages for queues 0 through 3 are 95, 0, 0, and 5 percent, respectively. This default scheduler sends all user traffic to queue 0 and all network-control traffic to queue 3, and therefore it is well suited to the behavior of FRF.16. Because LFI and multiclass are not supported for FRF.16, you do not need to configure a custom scheduler. You can configure a custom scheduler that explicitly replicates the 95, 0, 0, and 5 percent queuing behaviors, and apply it to the constituent links.

NOTE: On T Series and M320 routers, the default scheduler transmission rate and buffer size percentages for queues 0 through 7 are 95, 0, 0, 5, 0, 0, 0, and 0 percent.

NOTE: On T Series and M320 routers, lsq interfaces do not support DiffServ code point (DSCP) and DSCP-IPv6 rewrite markers.

Configuring Scheduler Buffer Size

You can configure the scheduler buffer size in three ways: as a temporal value, as a percentage, and as a remainder.

If you specify a temporal value, the queuing algorithm starts dropping packets when it queues more than a computed number of bytes. This number is computed by multiplying logical interface speed by the temporal value. For MLPPP bundles, logical interface speed is equal to the bundle bandwidth, which is the sum of constituent link speeds minus link-layer overhead. For MLFR FRF.16 bundles, logical interface speed is equal to bundle bandwidth multiplied by the DLCI shaping rate. In all cases, the maximum temporal value is limited to 200 milliseconds. The queuing algorithm guarantees enough space in the transmit buffer for two MTU-sized packets. The link services IQ implementation guarantees 200 milliseconds of buffer delay for all interfaces with T1 and higher speeds. For slower interfaces, it guarantees one second of buffer delay.

Buffer size percentages are implicitly converted into temporal values by multiplying the percentage by 200 milliseconds. For example, buffer size specified as buffer-size percent 20 is the same as a 40-millisecond temporal delay. For link services IQ DLCIs, only percentages are accepted.

The queueing algorithm evenly distributes leftover bandwidth among all queues that are configured with the buffer-size remainder statement.

Configuring Scheduler Priority

The transmit priority of each queue is determined by the scheduler and the forwarding class. Each queue receives a guaranteed amount of bandwidth specified with the scheduler transmit-rate statement.

Configuring Scheduler Shaping Rate

For MLFR FRF.16 bundles on link services IQ interfaces, you can configure a shaping rate for each DLCI. You use the shaping rate to set the percentage of total bundle bandwidth that is dedicated to a DLCI. A shaping rate is expressed as a percentage of the aggregate bundle bandwidth, which allows adjustments in response to dynamic changes in bundle bandwidth—for example, when a link goes up or down. Shaping rate percentages for all DLCIs within a bundle can add up to 100 percent or less. Leftover bandwidth is distributed equally to DLCIs that do not have the shaping-rate statement included at the [edit class-of-service interfaces lsq-fpc/pic/port:channel unit logical-unit-number] hierarchy level. If none of the DLCIs in an MLFR FRF.16 bundle specify a DLCI scheduler, the total bandwidth is evenly divided across all DLCIs.

NOTE: For FRF.16 bundles, only shaping rates based on percentage are supported. This means that absolute shaping rates are not supported on FRF.16 DLCIs. Absolute shaping rates are allowed for MLPPP and MLFR bundles only.

Configuring Drop Profiles

You can configure random early detection (RED) on LSQ interfaces as in other CoS scenarios. To configure RED, include one or more drop profiles and attach them to a scheduler for a particular forwarding class. For more information about RED profiles, see the Junos OS Class of Service Configuration Guide.

The LSQ implementation performs tail RED. Drop profiles are configurable on a per-queue, per-loss-priority, and per-TCP-bit basis. It supports a maximum of 256 drop profiles per PIC. Different queues (forwarding classes) on the same logical interface can have different associated drop profiles. You can attach scheduler maps with configured RED drop profiles to any LSQ logical interface: an MLPPP bundle, an FRF.15 bundle, or an FRF.16 DLCI. The following example shows how to configure a RED profile on an LSQ interface:

    [edit]
    class-of-service {
      drop-profiles {
        drop-low {
          # Configure suitable drop profile for low loss priority
          ...
        }
        drop-high {
          # Configure suitable drop profile for high loss priority
          ...
        }
      }
      schedulers {
        be-scheduler {
          # Configure two drop profiles for low and high loss priority
          drop-profile-map loss-priority low protocol any drop-profile drop-low;
          drop-profile-map loss-priority high protocol any drop-profile drop-high;
          # Other scheduler parameters (buffer-size, priority,
          # and transmit-rate) are already supported.
        }
      }
      scheduler-maps {
        schedmap {
          # Best-effort queue will use be-scheduler
          # Other queues may use different schedulers
          forwarding-class be scheduler be-scheduler;
        }
      }
      interfaces {
        lsq-1/3/0.0 {
          # Attach a scheduler map (that includes RED drop profiles)
          # to a LSQ logical interface.
          scheduler-map schedmap;
        }
      }
    }

NOTE: The RED profiles should be applied only on the LSQ bundles and not on the egress links that constitute the bundle.
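As an added worked example (not from the Juniper guide), the following Python applies the buffer-size and shaping-rate arithmetic from the scheduler sections above to a constructed 4xT1 bundle; the T1 line rate, the MTU, the DLCI numbers and the percentages are assumptions, and the 4 percent link-layer-overhead default is the one the chapter gives under reserving bundle bandwidth.

```python
"""Scheduler arithmetic for an LSQ bundle, as described in the sections above.

Constructed illustration, not Juniper code. It applies the stated rules:
  * bundle bandwidth = sum of constituent link speeds minus link-layer overhead
    (the guide's default reservation is 4 percent);
  * an FRF.16 DLCI's logical speed = bundle bandwidth x its shaping-rate
    percentage, with leftover bandwidth shared equally by unshaped DLCIs and an
    even split when no DLCI is shaped;
  * a temporal buffer size starts dropping once speed x time bytes are queued,
    the temporal value is capped at 200 ms, buffer-size percent N means
    N percent of 200 ms, and two MTU-sized packets are always buffered.
"""
from typing import Dict, Iterable, Optional

T1_BPS = 1_544_000                   # assumed line rate of one T1 constituent link
MTU_BYTES = 1500                     # assumed bundle MTU (equals the default MRRU)
MAX_TEMPORAL_MS = 200                # maximum temporal buffer value on LSQ interfaces
PERCENT_BASE_MS = 200                # buffer-size percent is taken relative to 200 ms
DEFAULT_LINK_LAYER_OVERHEAD_PCT = 4  # default link-layer-overhead reservation


def bundle_bandwidth_bps(link_speeds_bps: Iterable[int],
                         link_layer_overhead_pct: float = DEFAULT_LINK_LAYER_OVERHEAD_PCT) -> int:
    """Aggregate bundle bandwidth after the link-layer-overhead reservation."""
    if not 0 <= link_layer_overhead_pct <= 50:
        raise ValueError("link-layer-overhead must be 0 through 50 percent")
    return round(sum(link_speeds_bps) * (100 - link_layer_overhead_pct) / 100)


def dlci_bandwidth_bps(bundle_bps: int,
                       shaping_rate_pct: Dict[int, Optional[float]]) -> Dict[int, int]:
    """Logical interface speed of each DLCI in an FRF.16 bundle.

    shaping_rate_pct maps a DLCI to its shaping-rate percentage, or None when
    the DLCI carries no shaping-rate statement.
    """
    configured = sum(p for p in shaping_rate_pct.values() if p is not None)
    if configured > 100:
        raise ValueError("DLCI shaping rates may add up to 100 percent or less")
    unshaped = [d for d, p in shaping_rate_pct.items() if p is None]
    # Leftover bandwidth goes equally to DLCIs without a shaping rate; with no
    # shaping rates at all this degenerates to an even split of the bundle.
    leftover_share = (100 - configured) / len(unshaped) if unshaped else 0
    return {
        dlci: round(bundle_bps * (pct if pct is not None else leftover_share) / 100)
        for dlci, pct in shaping_rate_pct.items()
    }


def temporal_ms_from_percent(percent: float) -> float:
    """buffer-size percent N is the same as an N-percent-of-200-ms temporal value."""
    return percent * PERCENT_BASE_MS / 100


def drop_threshold_bytes(logical_speed_bps: int, temporal_ms: float,
                         mtu_bytes: int = MTU_BYTES) -> int:
    """Bytes the queue may hold before the algorithm starts dropping packets."""
    temporal_ms = min(temporal_ms, MAX_TEMPORAL_MS)      # 200 ms cap
    computed = int(logical_speed_bps * temporal_ms / 1000 / 8)
    return max(computed, 2 * mtu_bytes)                 # room for two MTU packets


def example() -> dict:
    """Walk a constructed 4xT1 bundle through both the MLPPP and FRF.16 cases."""
    bundle = bundle_bandwidth_bps([T1_BPS] * 4)          # 4 x T1 less 4 percent
    # MLPPP bundle: logical speed is the whole bundle; buffer-size percent 20
    # is the guide's 40 ms example.
    mlppp_threshold = drop_threshold_bytes(bundle, temporal_ms_from_percent(20))
    # FRF.16 bundle: DLCI 100 shaped to 50 percent, DLCIs 200 and 300 unshaped
    # (DLCI numbers are constructed for the example).
    dlcis = dlci_bandwidth_bps(bundle, {100: 50, 200: None, 300: None})
    # DLCIs accept only percentage buffer sizes; apply percent 20 to DLCI 300.
    dlci_threshold = drop_threshold_bytes(dlcis[300], temporal_ms_from_percent(20))
    return {
        "bundle_bps": bundle,
        "mlppp_threshold_bytes": mlppp_threshold,
        "dlci_bps": dlcis,
        "dlci300_threshold_bytes": dlci_threshold,
    }


if __name__ == "__main__":
    for key, value in example().items():
        print(f"{key}: {value}")
```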

Configuring CoS Fragmentation by Forwarding Class on LSQ Interfaces

For link services IQ (lsq-) interfaces, you can specify fragmentation properties for specific forwarding classes. Traffic on each forwarding class can be either multilink encapsulated (fragmented and sequenced) or nonencapsulated (hashed with no fragmentation). By default, traffic in all forwarding classes is multilink encapsulated.

When you do not configure fragmentation properties for the queues on MLPPP interfaces, the fragmentation threshold you set at the [edit interfaces interface-name unit logical-unit-number fragment-threshold] hierarchy level is the fragmentation threshold for all forwarding classes within the MLPPP interface. For MLFR FRF.16 interfaces, the fragmentation threshold you set at the [edit interfaces interface-name mlfr-uni-nni-bundle-options fragment-threshold] hierarchy level is the fragmentation threshold for all forwarding classes within the MLFR FRF.16 interface.

If you do not set a maximum fragment size anywhere in the configuration, packets are still fragmented if they exceed the smallest maximum transmission unit (MTU) or maximum received reconstructed unit (MRRU) of all the links in the bundle. A nonencapsulated flow uses only one link. If the flow exceeds a single link, then the forwarding class must be multilink encapsulated, unless the packet size exceeds the MTU/MRRU.

Even if you do not set a maximum fragment size anywhere in the configuration, you can configure the MRRU by including the mrru statement at the [edit interfaces lsq-fpc/pic/port unit logical-unit-number] or [edit interfaces interface-name mlfr-uni-nni-bundle-options] hierarchy level. The MRRU is similar to the MTU, but is specific to link services interfaces. By default the MRRU size is 1500 bytes, and you can configure it to be from 1500 through 4500 bytes. For more information, see “Configuring MRRU on Multilink and Link Services Logical Interfaces” on page 1242.

To configure fragmentation properties on a queue, include the fragmentation-maps statement at the [edit class-of-service] hierarchy level:

    [edit class-of-service]
    fragmentation-maps {
      map-name {
        forwarding-class class-name {
          (fragment-threshold bytes | no-fragmentation);
          multilink-class number;
        }
      }
    }

To set a per-forwarding class fragmentation threshold, include the fragment-threshold statement in the fragmentation map. This statement sets the maximum size of each multilink fragment.

To set traffic on a queue to be nonencapsulated rather than multilink encapsulated, include the no-fragmentation statement in the fragmentation map. This statement specifies that an extra fragmentation header is not prepended to the packets received on this queue and that static link load balancing is used to ensure in-order packet delivery.

For a given forwarding class, you can include either the fragment-threshold or no-fragmentation statement; they are mutually exclusive.

You use the multilink-class statement to map a forwarding class into a multiclass MLPPP (MCML). For a given forwarding class, you can include either the multilink-class or no-fragmentation statement; they are mutually exclusive. For more information about MCML, see “Configuring Multiclass MLPPP on LSQ Interfaces” on page 467.

To associate a fragmentation map with a multilink PPP interface or MLFR FRF.16 DLCI, include the fragmentation-map statement at the [edit class-of-service interfaces interface-name unit logical-unit-number] hierarchy level:

    [edit class-of-service interfaces]
    lsq-fpc/pic/port {
      unit logical-unit-number { # Multilink PPP
        fragmentation-map map-name;
      }
    }
    lsq-fpc/pic/port:channel { # MLFR FRF.16
      unit logical-unit-number {
        fragmentation-map map-name;
      }
    }

For configuration examples, see the following topics:

• Configuring LSQ Interfaces as NxT1 or NxE1 Bundles Using MLPPP on page 480
• Configuring LSQ Interfaces as NxT1 or NxE1 Bundles Using FRF.16 on page 485
• Configuring LSQ Interfaces for Single Fractional T1 or E1 Interfaces Using MLPPP and LFI on page 490
• Configuring LSQ Interfaces for Single Fractional T1 or E1 Interfaces Using FRF.12 on page 495
• Configuring LSQ Interfaces as NxT1 or NxE1 Bundles Using FRF.15 on page 502
• Configuring LSQ Interfaces for T3 Links Configured for Compressed RTP over MLPPP on page 503
• Configuring LSQ Interfaces as T3 or OC3 Bundles Using FRF.12 on page 504
• Configuring LSQ Interfaces for ATM2 IQ Interfaces Using MLPPP on page 506

For Link Services PIC link services (ls-) interfaces, fragmentation maps are not supported. Instead, you enable LFI by including the interleave-fragments statement at the [edit interfaces interface-name unit logical-unit-number] hierarchy level. For more information, see “Configuring Delay-Sensitive Packet Interleaving on Link Services Logical Interfaces” on page 1245.

Reserving Bundle Bandwidth for Link-Layer Overhead on LSQ Interfaces

Link-layer overhead can cause packet drops on constituent links because of bit stuffing on serial links. Bit stuffing is used to prevent data from being interpreted as control information. By default, 4 percent of the total bundle bandwidth is set aside for link-layer overhead. In most network environments, the average link-layer overhead is 1.6 percent. Therefore, we recommend 4 percent as a safeguard. For more information, see RFC 4814, Hash and Stuffing: Overlooked Factors in Network Device Benchmarking.

For link services IQ (lsq-) interfaces, you can configure the percentage of bundle bandwidth to be set aside for link-layer overhead. To do this, include the link-layer-overhead statement:

    link-layer-overhead percent;

You can include this statement at the following hierarchy levels:

• [edit interfaces interface-name mlfr-uni-nni-bundle-options]
• [edit interfaces interface-name unit logical-unit-number]
• [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number]

You can configure the value to be from 0 percent through 50 percent.

Configuring Multiclass MLPPP on LSQ Interfaces

For link services IQ (lsq-) interfaces with MLPPP encapsulation, you can configure multiclass MLPPP (MCML). If you do not configure MCML, fragments from different classes cannot be interleaved. All fragments for a single packet must be sent before the fragments from another packet are sent. Nonfragmented packets can be interleaved between fragments of another packet to reduce latency seen by nonfragmented packets. In effect, latency-sensitive traffic is encapsulated as regular PPP traffic, and bulk traffic is encapsulated as multilink traffic. This model works as long as there is a single class of latency-sensitive traffic, and there is no high-priority traffic that takes precedence over latency-sensitive traffic. This approach to LFI, used on the Link Services PIC, supports only two levels of traffic priority, which is not sufficient to carry the four-to-eight forwarding classes that are supported by M Series and T Series routers. For more information about the Link Services PIC support of LFI, see “Configuring Delay-Sensitive Packet Interleaving on Link Services Logical Interfaces” on page 1245.

For link services IQ interfaces only, you can configure MCML, as defined in RFC 2686, The Multi-Class Extension to Multi-Link PPP. MCML makes it possible to have multiple classes of latency-sensitive traffic that are carried over a single multilink bundle with bulk traffic. In effect, MCML allows different classes of traffic to have different latency guarantees. With MCML, you can map each forwarding class into a separate multilink class, thus preserving priority and latency guarantees.

The Junos OS implementation of MCML does not support compression of common header bytes, which is referred to in RFC 2686 as “prefix elision.”

MCML greatly simplifies packet ordering issues that occur when multiple links are used. Without MCML, all voice traffic belonging to a single flow is hashed to a single link to avoid packet ordering issues. With MCML, you can assign voice traffic to a high-priority class, and you can use multiple links. For more information about voice services support on link services IQ interfaces (lsq), see “Configuring Services Interfaces for Voice Services” on page 522.

To configure MCML on a link services IQ interface, you must specify how many multilink classes should be negotiated when a link joins the bundle, and you must specify the mapping of a forwarding class into an MCML class.

To specify how many multilink classes should be negotiated when a link joins the bundle, include the multilink-max-classes statement:

    multilink-max-classes number;

You can include this statement at the following hierarchy levels:

• [edit interfaces interface-name unit logical-unit-number]
• [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number]

The number of multilink classes can be 1 through 8. The number of multilink classes for each forwarding class must not exceed the number of multilink classes to be negotiated. To view the number of multilink classes negotiated, issue the show interfaces lsq-fpc/pic/port.logical-unit-number detail command.

To specify the mapping of a forwarding class into a MCML class, include the multilink-class statement at the [edit class-of-service fragmentation-maps map-name forwarding-class class-name] hierarchy level:

    [edit class-of-service fragmentation-maps map-name forwarding-class class-name]
    multilink-class number;

The multilink class index number can be 0 through 7. The multilink-class and no-fragmentation statements are mutually exclusive.

NOTE: Configuring both LFI and MCML on the same bundle is not necessary, nor is it supported, because multiclass MLPPP represents a superset of functionality. When you configure multiclass MLPPP, LFI is automatically enabled.

Oversubscribing Interface Bandwidth on LSQ Interfaces

The term oversubscribing interface bandwidth means configuring shaping rates (peak information rates [PIRs]) so that their sum exceeds the interface bandwidth.

On Channelized IQ PICs, Gigabit Ethernet IQ PICs, and FRF.16 link services IQ (lsq-) interfaces on AS and Multiservices PICs, you can oversubscribe interface bandwidth. If the actual data traffic does not exceed the interface bandwidth, oversubscribing interface bandwidth improves network utilization, thereby allowing more customers to be provisioned on a single interface. Be careful not to oversubscribe a service by too much, because this can cause degradation in the performance of the router during congestion. We recommend avoiding oversubscription in networks that are likely to experience congestion. For networks that are not likely to experience congestion, oversubscription allows you to sell more bandwidth than the interface can support. You can prevent degradation by using statistical multiplexing to ensure that the actual data traffic does not exceed the interface bandwidth.

When you configure oversubscription, some output queues can be starved if the actual data traffic exceeds the physical interface bandwidth. When configuring oversubscription for FRF.16 bundles at the logical interface level, member link interface bandwidth is underutilized when there is a small proportion of traffic or no traffic at all on an individual DLCI. Support for traffic control features on the FRF.16 bundle physical interface level addresses this limitation. When you apply traffic control profiles to FRF.16 bundle interfaces on a physical interface basis, the logical interfaces (and DLCIs within an FRF.16 bundle) can be oversubscribed when there is leftover bandwidth. The oversubscription is limited to the configured PIR.

NOTE: You cannot oversubscribe interface bandwidth when you configure traffic shaping using the method described in Applying Scheduler Maps and Shaping Rate to DLCIs and VLANs.

To configure oversubscription of an interface, perform the following steps:

1. Include the shaping-rate statement at the [edit class-of-service traffic-control-profiles profile-name] hierarchy level:

    [edit class-of-service traffic-control-profiles profile-name]
    shaping-rate (percent percentage | rate);

On LSQ interfaces, you must specify shaping-rate as a percentage. On IQ and IQ2 interfaces, you can configure the shaping rate as a percentage or as an absolute rate from 1000 through 160,000,000,000 bits per second.

NOTE: When configuring oversubscription for FRF.16 bundle interfaces, you can assign traffic control profiles that apply on a physical interface basis. Any unused bandwidth is distributed equally among oversubscribed logical interfaces or DLCIs.

NOTE: When configuring oversubscription for FRF.16 bundle interfaces on a physical interface basis, if you do not configure a delay-buffer rate, the guaranteed rate (CIR) is used to assign buffers. If you do not configure a guaranteed rate, the shaping rate (PIR) is used in the undersubscribed case, and the scaled shaping rate is used in the oversubscribed case.

Alternatively, you can configure a shaping rate for a logical interface and oversubscribe the physical interface by including the shaping-rate statement at the [edit class-of-service interfaces interface-name unit logical-unit-number] hierarchy level. With this configuration approach, you cannot independently control the delay-buffer rate, as described in Step 2.

NOTE: For channelized and Gigabit Ethernet IQ interfaces, the shaping-rate and guaranteed-rate statements are mutually exclusive. For these interfaces, you can configure either a PIR or a committed information rate (CIR), but not both. This means there are no service guarantees when you configure a PIR. You cannot configure some logical interfaces to use a shaping rate and others to use a guaranteed rate. This restriction does not apply to Gigabit Ethernet IQ2 PICs or link services IQ (LSQ) interfaces on AS or Multiservices PICs. For LSQ and Gigabit Ethernet IQ2 interfaces, you can configure both a PIR and a CIR on an interface. For more information about CIRs, see "Configuring Guaranteed Minimum Rate on LSQ Interfaces" on page 473.

2. Optionally, you can base the delay buffer calculation on a delay-buffer rate. To do this, include the delay-buffer-rate statement at the [edit class-of-service traffic-control-profiles profile-name] hierarchy level:

    [edit class-of-service traffic-control-profiles profile-name]
    delay-buffer-rate (percent percentage | rate);

The delay-buffer rate overrides the shaping rate as the basis for the delay-buffer calculation. In other words, the shaping rate or scaled shaping rate is used for delay-buffer calculations only when the delay-buffer rate is not configured. For an example showing how the delay-buffer rates are applied, see "Examples: Oversubscribing an LSQ Interface" on page 472. On LSQ interfaces, you must specify delay-buffer-rate as a percentage. On IQ and IQ2 interfaces, you can configure the delay-buffer rate as a percentage or as an absolute rate from 1000 through 160,000,000,000 bits per second. The actual delay buffer is based on the calculations described in the Junos OS Class of Service Configuration Guide.

If you do not configure a delay-buffer rate or a guaranteed rate, the logical interface receives a delay-buffer rate in proportion to the shaping rate and the remaining delay-buffer rate available. In other words, the delay-buffer rate for each logical interface with no configured delay-buffer rate is equal to:

    (remaining delay-buffer rate * shaping rate) / (sum of shaping rates)

The remaining delay-buffer rate is equal to:

    (interface speed) - (sum of configured delay-buffer rates)

Configuring large buffers on relatively low-speed links can cause packet aging. To help prevent this problem, the software requires that the sum of the delay-buffer rates be less than or equal to the port speed. This restriction does not eliminate the possibility of packet aging, so you should be cautious when using the delay-buffer-rate statement. Though some amount of extra buffering might be desirable for burst absorption, delay-buffer rates should not far exceed the service rate of the logical interface. We recommend restricted buffers for delay-sensitive traffic, such as voice traffic.

If you configure delay-buffer rates so that the sum exceeds the port speed, the configured delay-buffer rate is not implemented for the last logical interface that you configure. Instead, that logical interface receives a delay-buffer rate of zero, and a warning message is displayed in the CLI. If bandwidth becomes available (because another logical interface is deleted or deactivated, or the port speed is increased), the configured delay-buffer-rate is reevaluated and implemented if possible.

3. Optionally, you can enable large buffer sizes to be configured. To do this, include the q-pic-large-buffer statement at the [edit chassis fpc slot-number pic pic-number] hierarchy level:

    [edit chassis fpc slot-number pic pic-number]
    q-pic-large-buffer;

If you do not include this statement, the delay-buffer size is more restricted. For more information, see the Junos OS Class of Service Configuration Guide.

4. To assign a scheduler map to the logical interface, include the scheduler-map statement at the [edit class-of-service traffic-control-profiles profile-name] hierarchy level:

    [edit class-of-service traffic-control-profiles profile-name]
    scheduler-map map-name;

For information about configuring schedulers and scheduler maps, see the Junos OS Class of Service Configuration Guide.

5. To enable scheduling on logical interfaces, include the per-unit-scheduler statement at the [edit interfaces interface-name] hierarchy level:

    [edit interfaces interface-name]
    per-unit-scheduler;

When you include this statement, the maximum number of VLANs supported is 768 on a single-port Gigabit Ethernet IQ PIC. On a two-port Gigabit Ethernet IQ PIC, the maximum number is 384.

6. To enable scheduling for FRF.16 bundle physical interfaces, include the no-per-unit-scheduler statement at the [edit interfaces interface-name] hierarchy level:

    [edit interfaces interface-name]
    no-per-unit-scheduler;

7. To apply the traffic-scheduling profile to the logical interface, include the output-traffic-control-profile statement at the [edit class-of-service interfaces interface-name unit logical-unit-number] hierarchy level:

    [edit class-of-service interfaces interface-name unit logical-unit-number]
    output-traffic-control-profile profile-name;

You cannot include the output-traffic-control-profile statement in the configuration if any of the following statements are included in the logical interface configuration: scheduler-map, shaping-rate, adaptive-shaper, or virtual-channel-group.

For a table that shows how the bandwidth and delay buffer are allocated in various configurations, see the Junos OS Class of Service Configuration Guide.

Examples: Oversubscribing an LSQ Interface

Oversubscribing an LSQ Interface with Scheduling Based on the Logical Interface

Apply a traffic-control profile to a logical interface representing a DLCI on an FRF.16 bundle:

    interfaces {
        lsq-1/3/0:0 {
            per-unit-scheduler;
            unit 0 {
                dlci 100;
            }
            unit 1 {
                dlci 200;
            }
        }
    }
    class-of-service {
        traffic-control-profiles {
            tc_0 {
                shaping-rate percent 100;
                guaranteed-rate percent 60;
                delay-buffer-rate percent 80;
            }
            tc_1 {
                shaping-rate percent 80;
                guaranteed-rate percent 40;
                delay-buffer-rate percent 10;
            }
        }
        interfaces {
            lsq-1/3/0:0 {
                unit 0 {
                    output-traffic-control-profile tc_0;
                }
                unit 1 {
                    output-traffic-control-profile tc_1;
                }
            }
        }
    }

Oversubscribing an LSQ Interface with Scheduling Based on the Physical Interface

Apply a traffic-control profile to the physical interface representing an FRF.16 bundle:

    interfaces {
        lsq-0/2/0:0 {
            no-per-unit-scheduler;
            encapsulation multilink-frame-relay-uni-nni;
            unit 0 {
                dlci 100;
                family inet {
                    address 18.18.18.2/24;
                }
            }
        }
    }
    class-of-service {
        traffic-control-profiles {
            rlsq_tc {
                scheduler-map rlsq;
                shaping-rate percent 60;
            }
        }
        interfaces {
            lsq-0/2/0:0 {
                output-traffic-control-profile rlsq_tc;
            }
        }
        scheduler-maps {
            rlsq {
                forwarding-class best-effort scheduler rlsq_scheduler;
                forwarding-class expedited-forwarding scheduler rlsq_scheduler1;
            }
        }
        schedulers {
            rlsq_scheduler {
                transmit-rate percent 20;
                priority low;
            }
            rlsq_scheduler1 {
                transmit-rate percent 40;
                priority high;
            }
        }
    }

Configuring Guaranteed Minimum Rate on LSQ Interfaces

On Gigabit Ethernet IQ PICs, Channelized IQ PICs, and FRF.16 link services IQ (LSQ) interfaces on AS and Multiservices PICs, you can configure guaranteed bandwidth, also known as a committed information rate (CIR). This allows you to specify a guaranteed rate for each logical interface. The guaranteed rate is a minimum. If excess physical interface bandwidth is available for use, the logical interface receives more than the guaranteed rate provisioned for the interface.

You cannot provision the sum of the guaranteed rates to be more than the physical interface bandwidth, or the bundle bandwidth for LSQ interfaces. If the sum of the guaranteed rates exceeds the interface or bundle bandwidth, the commit operation does not fail, but the software automatically decreases the rates so that the sum of the guaranteed rates is equal to the available bundle bandwidth.

To configure a guaranteed minimum rate, perform the following steps:

1. Include the guaranteed-rate statement at the [edit class-of-service traffic-control-profiles profile-name] hierarchy level:

    [edit class-of-service traffic-control-profiles profile-name]
    guaranteed-rate (percent percentage | rate);

On LSQ interfaces, you can configure the guaranteed rate as a percentage. On IQ and IQ2 interfaces, you can configure the guaranteed rate as a percentage or as an absolute rate from 1000 through 160,000,000,000 bits per second.

NOTE: For channelized and Gigabit Ethernet IQ interfaces, the shaping-rate and guaranteed-rate statements are mutually exclusive. For these interfaces, you can configure either a PIR or a committed information rate (CIR), but not both. This means there are no service guarantees when you configure a PIR. You cannot configure some logical interfaces to use a shaping rate and others to use a guaranteed rate. This restriction does not apply to Gigabit Ethernet IQ2 PICs or link services IQ (LSQ) interfaces on AS or Multiservices PICs. For LSQ and Gigabit Ethernet IQ2 interfaces, you can configure both a PIR and a CIR on an interface. For more information about CIRs, see the Junos OS Class of Service Configuration Guide.

2. Optionally, you can base the delay buffer calculation on a delay-buffer rate. To do this, include the delay-buffer-rate statement at the [edit class-of-service traffic-control-profiles profile-name] hierarchy level:

    [edit class-of-service traffic-control-profiles profile-name]
    delay-buffer-rate (percent percentage | rate);

On LSQ interfaces, you can configure the delay-buffer rate as a percentage. On IQ and IQ2 interfaces, you can configure the delay-buffer rate as a percentage or as an absolute rate from 1000 through 160,000,000,000 bits per second. For an example showing how the delay-buffer rates are applied, see "Example: Configuring Guaranteed Minimum Rate" on page 476. The actual delay buffer is based on the calculations described in tables in the Junos OS Class of Service Configuration Guide.

If you do not include the delay-buffer-rate statement, the delay-buffer calculation is based on the guaranteed rate, the shaping rate if no guaranteed rate is configured, or the scaled shaping rate if the interface is oversubscribed. If you do not specify a shaping rate or a guaranteed rate, the logical interface receives a minimal delay-buffer rate and minimal bandwidth equal to 4 MTU-sized packets.

You can configure a rate for the delay buffer that is higher than the guaranteed rate. This can be useful when the traffic flow might not require much bandwidth in general, but in some cases can be bursty and therefore needs a large buffer.

Configuring large buffers on relatively low-speed links can cause packet aging. To help prevent this problem, the software requires that the sum of the delay-buffer rates be less than or equal to the port speed. This restriction does not eliminate the possibility of packet aging, so you should be cautious when using the delay-buffer-rate statement. Though some amount of extra buffering might be desirable for burst absorption, delay-buffer rates should not far exceed the service rate of the logical interface.

If you configure delay-buffer rates so that the sum exceeds the port speed, the configured delay-buffer rate is not implemented for the last logical interface that you configure. Instead, that logical interface receives a delay-buffer rate of 0, and a warning message is displayed in the CLI. If bandwidth becomes available (because another logical interface is deleted or deactivated, or the port speed is increased), the configured delay-buffer-rate is reevaluated and implemented if possible.

If any logical interface has a configured guaranteed rate, all other logical interfaces on that port that do not have a guaranteed rate configured receive a delay-buffer rate of 0. This is because the absence of a guaranteed rate configuration corresponds to a guaranteed rate of 0 and, consequently, a delay-buffer rate of 0.

If the guaranteed rate of a logical interface cannot be implemented, that logical interface receives a delay-buffer rate of 0, even if the configured delay-buffer rate is within the interface speed. If at a later time the guaranteed rate of the logical interface can be met, the configured delay-buffer rate is reevaluated and, if the delay-buffer rate is within the remaining bandwidth, it is implemented.

3. To enable large buffer sizes to be configured, include the q-pic-large-buffer statement at the [edit chassis fpc slot-number pic pic-number] hierarchy level:

    [edit chassis fpc slot-number pic pic-number]
    q-pic-large-buffer;

If you do not include this statement, the delay-buffer size is more restricted. For more information, see the Junos OS Class of Service Configuration Guide.

4. To assign a scheduler map to the logical interface, include the scheduler-map statement at the [edit class-of-service traffic-control-profiles profile-name] hierarchy level:

    [edit class-of-service traffic-control-profiles profile-name]
    scheduler-map map-name;

For information about configuring schedulers and scheduler maps, see the Junos OS Class of Service Configuration Guide.
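The oversubscription, guaranteed-rate and delay-buffer rules above can be checked before a commit. The following is an added example, not Juniper's code and not part of this guide: a small Python model of those rules. It assumes that when the software has to decrease rates it does so proportionally, and the profile names, port speeds and rates it runs on are constructed.

```python
"""Added example (not Juniper's code): models the bandwidth and delay-buffer rules
this chapter states for logical interfaces sharing one LSQ port or bundle, so a
set of traffic-control profiles can be checked before commit. All rates are in
bits per second; 'percent' values must already be resolved against the port
speed. Assumed (the guide only says the software 'decreases the rates' and
speaks of a 'scaled shaping rate'): reductions are proportional. The profile
names and speeds in the demo are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Profile:
    """One traffic-control profile as applied to one logical interface."""
    name: str
    shaping_rate: Optional[float] = None       # PIR (shaping-rate)
    guaranteed_rate: Optional[float] = None    # CIR (guaranteed-rate)
    delay_buffer_rate: Optional[float] = None  # delay-buffer-rate


def is_oversubscribed(profiles: List[Profile], speed: float) -> bool:
    """Oversubscribed: the shaping rates (PIRs) add up to more than the port."""
    return sum(p.shaping_rate or 0.0 for p in profiles) > speed


def scaled_shaping_rates(profiles: List[Profile], speed: float) -> Dict[str, float]:
    """PIR per profile; when oversubscribed the PIRs are scaled to fit the port
    (the 'scaled shaping rate' the guide refers to)."""
    total = sum(p.shaping_rate or 0.0 for p in profiles)
    factor = speed / total if total > speed else 1.0
    return {p.name: (p.shaping_rate or 0.0) * factor for p in profiles}


def scale_guaranteed_rates(profiles: List[Profile], speed: float) -> Dict[str, float]:
    """Commit does not fail when the CIRs exceed the bundle bandwidth; the
    software decreases them so that their sum equals the available bandwidth."""
    total = sum(p.guaranteed_rate or 0.0 for p in profiles)
    factor = speed / total if total > speed else 1.0
    return {p.name: (p.guaranteed_rate or 0.0) * factor for p in profiles}


def delay_buffer_rates(profiles: List[Profile],
                       speed: float) -> Tuple[Dict[str, float], List[str]]:
    """Delay-buffer rate per profile, plus the warnings the rules imply.

    Explicit delay-buffer-rate values are honoured in configuration order until
    their sum would exceed the port speed; the profile that crosses the limit
    receives 0 and a warning. When any profile carries a guaranteed rate, a
    profile with neither a CIR nor an explicit delay-buffer rate receives 0
    (no CIR means CIR 0). Otherwise the remaining delay-buffer rate is shared
    in proportion to the shaping rates:
        (remaining delay-buffer rate * shaping rate) / (sum of shaping rates)
    """
    result: Dict[str, float] = {}
    warnings: List[str] = []
    explicit_sum = 0.0
    for p in profiles:
        if p.delay_buffer_rate is None:
            continue
        if explicit_sum + p.delay_buffer_rate > speed:
            result[p.name] = 0.0
            warnings.append(f"{p.name}: delay-buffer rates exceed port speed; using 0")
        else:
            explicit_sum += p.delay_buffer_rate
            result[p.name] = p.delay_buffer_rate
    remaining = speed - explicit_sum
    implicit = [p for p in profiles if p.delay_buffer_rate is None]
    if any(p.guaranteed_rate is not None for p in profiles):
        for p in implicit:
            result[p.name] = float(p.guaranteed_rate or 0.0)
        return result, warnings
    shaping_sum = sum(p.shaping_rate or 0.0 for p in implicit)
    for p in implicit:
        if not p.shaping_rate:
            # No PIR and no CIR: only the minimal buffer of 4 MTU-sized packets.
            result[p.name] = 0.0
            warnings.append(f"{p.name}: no shaping or guaranteed rate; minimal buffer")
        else:
            result[p.name] = remaining * p.shaping_rate / shaping_sum
    return result, warnings


if __name__ == "__main__":
    # Constructed: the two DLCI profiles of the logical-interface example in
    # this chapter (tc_0, tc_1), resolved against an assumed 1 Mbps bundle.
    port = 1_000_000.0
    dlcis = [Profile("tc_0", port, 0.6 * port, 0.8 * port),
             Profile("tc_1", 0.8 * port, 0.4 * port, 0.1 * port)]
    print("oversubscribed:", is_oversubscribed(dlcis, port))
    print("scaled PIR:", scaled_shaping_rates(dlcis, port))
    print("guaranteed:", scale_guaranteed_rates(dlcis, port))
    print("delay buffers:", delay_buffer_rates(dlcis, port))
```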

5. To enable scheduling on logical interfaces, include the per-unit-scheduler statement at the [edit interfaces interface-name] hierarchy level:

    [edit interfaces interface-name]
    per-unit-scheduler;

When you include this statement, the maximum number of VLANs supported is 767 on a single-port Gigabit Ethernet IQ PIC. On a two-port Gigabit Ethernet IQ PIC, the maximum number is 383.

6. To apply the traffic-scheduling profile to the logical interface, include the output-traffic-control-profile statement at the [edit class-of-service interfaces interface-name unit logical-unit-number] hierarchy level:

    [edit class-of-service interfaces interface-name unit logical-unit-number]
    output-traffic-control-profile profile-name;

Example: Configuring Guaranteed Minimum Rate

Two logical interface units, 0 and 1, are provisioned with a guaranteed minimum of 750 Kbps and 500 Kbps, respectively. For logical unit 0, the delay buffer is based on the guaranteed rate setting. For logical unit 1, a delay-buffer rate of 500 Kbps is specified. The actual delay buffers allocated to each logical interface are 2 seconds of 500 Kbps. The 2-second value is based on the following calculation:

    delay-buffer-rate < [8 x 64 Kbps]: 2 seconds of delay-buffer-rate

For more information about this calculation, see the Junos OS Class of Service Configuration Guide.

    chassis {
        fpc 3 {
            pic 0 {
                q-pic-large-buffer;
            }
        }
    }
    interfaces {
        t1-3/0/1 {
            per-unit-scheduler;
        }
    }
    class-of-service {
        traffic-control-profiles {
            tc-profile3 {
                guaranteed-rate 750k;
                scheduler-map sched-map3; # 500 Kbps is less than 8 x 64 Kbps
            }
            tc-profile4 {
                guaranteed-rate 500k;
                delay-buffer-rate 500k; # 500 Kbps is less than 8 x 64 Kbps
                scheduler-map sched-map4;
            }
        }
        interfaces {
            t1-3/0/1 {
                unit 0 {
                    output-traffic-control-profile tc-profile3;
                }
                unit 1 {
                    output-traffic-control-profile tc-profile4;
                }
            }
        }
    }

Configuring Link Services and CoS on Services PICs

To configure link services and CoS on an AS or Multiservices PIC, you must perform the following steps:

1. Enable the Layer 2 service package. To enable the Layer 2 service package, include the service-package statement at the [edit chassis fpc slot-number pic pic-number adaptive-services] hierarchy level, and specify layer-2:

    [edit chassis fpc slot-number pic pic-number adaptive-services]
    service-package layer-2;

You enable service packages per PIC, not per port. When you enable the Layer 2 service package, the entire PIC uses the configured package. For more information about AS or Multiservices PIC service packages, see "Enabling Service Packages" on page 39 and "Layer 2 Service Package Capabilities and Interfaces" on page 448.

2. Configure a multilink PPP or FRF.16 bundle by combining constituent links into a virtual link, or bundle.

Configuring an MLPPP Bundle

To configure an MLPPP bundle, configure constituent links and bundle properties by including the following statements in the configuration:

    [edit interfaces interface-name unit logical-unit-number]
    encapsulation ppp;
    family mlppp {
        bundle lsq-fpc/pic/port.logical-unit-number;
    }

    [edit interfaces lsq-fpc/pic/port unit logical-unit-number]
    drop-timeout milliseconds;
    encapsulation multilink-ppp;
    fragment-threshold bytes;
    link-layer-overhead percent;
    minimum-links number;
    mrru bytes;
    short-sequence;
    family inet {
        address address;
    }

For more information about these statements, see the Link and Multilink Properties.

Configuring an MLFR FRF.16 Bundle

To configure an MLFR FRF.16 bundle, configure constituent links and bundle properties by including the following statements in the configuration:

    [edit chassis fpc slot-number pic slot-number]
    mlfr-uni-nni-bundles number;

    [edit interfaces interface-name]
    encapsulation multilink-frame-relay-uni-nni;
    unit logical-unit-number {
        family mlfr-uni-nni {
            bundle lsq-fpc/pic/port:channel;
        }
    }

For more information about the mlfr-uni-nni-bundles statement, see the Junos OS System Basics Configuration Guide.

MLFR FRF.16 uses channels as logical units. For MLFR FRF.16, you must configure one end as data circuit-terminating equipment (DCE) by including the dce statement. Include the following statements at the [edit interfaces lsq-fpc/pic/port:channel] hierarchy level:

    [edit interfaces lsq-fpc/pic/port:channel]
    dce;
    encapsulation multilink-frame-relay-uni-nni;
    mlfr-uni-nni-options {
        acknowledge-retries number;
        acknowledge-timer milliseconds;
        action-red-differential-delay (disable-tx | remove-link);
        drop-timeout milliseconds;
        fragment-threshold bytes;
        hello-timer milliseconds;
        link-layer-overhead percent;
        lmi-type (ansi | itu);
        minimum-links number;
        mrru bytes;
        n391 number;
        n392 number;
        n393 number;
        red-differential-delay milliseconds;
        t391 number;
        t392 number;
        yellow-differential-delay milliseconds;
    }
    unit logical-unit-number {
        dlci dlci-identifier;
        family inet {
            address address;
        }
    }

For more information about MLFR UNI NNI properties, see Link and Multilink Properties.

3. To configure CoS components for each multilink bundle, enable per-unit scheduling on the interface, configure a scheduler map, apply the scheduler to each queue, configure a fragmentation map, and apply the fragmentation map to each bundle. Include the following statements:

    [edit interfaces]
    lsq-fpc/pic/port {
        per-unit-scheduler; # Enables per-unit scheduling on the bundle
    }

    [edit class-of-service]
    interfaces {
        lsq-fpc/pic/port { # Multilink PPP
            unit logical-unit-number {
                scheduler-map map-name; # Applies scheduler map to each queue
            }
        }
        lsq-fpc/pic/port:channel { # MLFR FRF.16
            unit logical-unit-number {
                # Scheduler map provides scheduling information for
                # the queues within a single DLCI.
                scheduler-map map-name;
                shaping-rate percent percent;
            }
        }
    }
    forwarding-classes {
        queue queue-number class-name priority (high | low);
    }
    scheduler-maps {
        map-name {
            forwarding-class class-name scheduler scheduler-name;
        }
    }
    schedulers {
        scheduler-name {
            buffer-size (percent percentage | remainder | temporal microseconds);
            priority priority-level;
            transmit-rate (percent percentage | rate | remainder) <exact>;
        }
    }
    fragmentation-maps {
        map-name {
            forwarding-class class-name {
                fragment-threshold bytes;
                no-fragmentation;
            }
        }
    }

Associate a fragmentation map with a multilink PPP interface or MLFR FRF.16 DLCI by including the following statements at the [edit class-of-service] hierarchy level:

    interfaces {
        lsq-fpc/pic/port {
            unit logical-unit-number { # Multilink PPP
                fragmentation-map map-name;
            }
        }
        lsq-fpc/pic/port:channel { # MLFR FRF.16
            unit logical-unit-number {
                fragmentation-map map-name;
            }
        }
    }

Configuring LSQ Interfaces as NxT1 or NxE1 Bundles Using MLPPP

To configure an NxT1 bundle using MLPPP, you aggregate N different T1 links into a bundle. The NxT1 bundle is called a logical interface, because it can represent, for example, a routing adjacency. To aggregate T1 links into an MLPPP bundle, include the bundle statement at the [edit interfaces t1-fpc/pic/port unit logical-unit-number family mlppp] hierarchy level:

    [edit interfaces t1-fpc/pic/port unit logical-unit-number family mlppp]
    bundle lsq-fpc/pic/port;

NOTE: Link services IQ interfaces support both T1 and E1 physical interfaces. These instructions apply to T1 interfaces, but the configuration for E1 interfaces is similar.

To configure the link services IQ interface properties, include the following statements at the [edit interfaces lsq-fpc/pic/port unit logical-unit-number] hierarchy level:

    [edit interfaces lsq-fpc/pic/port unit logical-unit-number]
    drop-timeout milliseconds;
    encapsulation multilink-ppp;
    fragment-threshold bytes;
    link-layer-overhead percent;
    minimum-links number;
    mrru bytes;
    short-sequence;
    family inet {
        address address;
    }

The logical link services IQ interface represents the MLPPP bundle. For the MLPPP bundle, there are four associated queues on M Series routers and eight associated queues on M320 and T Series routers. A scheduler removes packets from the queues according to a scheduling policy. Typically, you designate one queue to have strict priority, and the remaining queues are serviced in proportion to weights you configure.

For MLPPP, assign a single scheduler map to the link services IQ interface (lsq) and to each constituent link. The default schedulers for M Series and T Series routers, which assign 95, 0, 0, and 5 percent bandwidth for the transmission rate and buffer size of queues 0, 1, 2, and 3, are not adequate when you configure LFI or multiclass traffic. Therefore, for MLPPP, you should configure a single scheduler with nonzero percent transmission rates and buffer sizes for queues 0 through 3, and assign this scheduler to the link services IQ interface (lsq) and to each constituent link, as shown in "Example: Configuring an LSQ Interface as an NxT1 Bundle Using MLPPP" on page 483.

NOTE: For M320 and T Series routers, the default scheduler transmission rate and buffer size percentages for queues 0 through 7 are 95, 0, 0, 5, 0, 0, 0, and 0 percent.

If the bundle has more than one link, you must include the per-unit-scheduler statement at the [edit interfaces lsq-fpc/pic/port] hierarchy level:

    [edit interfaces lsq-fpc/pic/port]
    per-unit-scheduler;

To configure and apply the scheduling policy, include the following statements at the [edit class-of-service] hierarchy level:

    [edit class-of-service]
    interfaces {
        t1-fpc/pic/port {
            unit logical-unit-number {
                scheduler-map map-name;
            }
        }
    }
    forwarding-classes {
        queue queue-number class-name;
    }
    scheduler-maps {
        map-name {
            forwarding-class class-name scheduler scheduler-name;
        }
    }
    schedulers {
        scheduler-name {
            buffer-size (percent percentage | remainder | temporal microseconds);
            priority priority-level;
            transmit-rate (rate | percent percentage | remainder) <exact>;
        }
    }

For link services IQ interfaces, a strict-high-priority queue might starve the other three queues because traffic in a strict-high-priority queue is transmitted before any other queue is serviced. This implementation is unlike the standard Junos CoS implementation in which a strict-high-priority queue does round-robin with high-priority queues, as described in the Junos OS Class of Service Configuration Guide.

After the scheduler removes a packet from a queue, a certain action is taken. The action depends on whether the packet came from a multilink encapsulated queue (fragmented and sequenced) or a nonencapsulated queue (hashed with no fragmentation). Each queue can be designated as either multilink encapsulated or nonencapsulated, independently of the other. By default, traffic in all forwarding classes is multilink encapsulated. To configure packet fragmentation handling on a queue, include the fragmentation-maps statement at the [edit class-of-service] hierarchy level:

    fragmentation-maps {
        map-name {
            forwarding-class class-name {
                fragment-threshold bytes;
                multilink-class number;
                no-fragmentation;
            }
        }
    }

For NxT1 bundles using MLPPP, the byte-wise load balancing used in multilink-encapsulated queues is superior to the flow-wise load balancing used in nonencapsulated queues. All other considerations are equal. Therefore, we recommend that you configure all queues to be multilink encapsulated. You do this by including the fragment-threshold statement in the configuration. If you choose to set traffic on a queue to be nonencapsulated rather than multilink encapsulated, include the no-fragmentation statement in the fragmentation map. For more information about fragmentation maps, see "Configuring CoS Fragmentation by Forwarding Class on LSQ Interfaces" on page 465. You use the multilink-class statement to map a forwarding class into a multiclass MLPPP (MCML). For more information about MCML, see "Configuring Multiclass MLPPP on LSQ Interfaces" on page 467.

If you do not include the fragment-threshold statement in the fragmentation map, the fragmentation threshold you set at the [edit interfaces interface-name unit logical-unit-number] hierarchy level is the default for all forwarding classes. If you do not set a maximum fragment size anywhere in the configuration, packets are fragmented if they exceed the smallest MTU of all the links in the bundle. Even if you do not set a maximum fragment size anywhere in the configuration, you can configure the maximum received reconstructed unit (MRRU) by including the mrru statement at the [edit interfaces lsq-fpc/pic/port unit logical-unit-number] hierarchy level. The MRRU is similar to the MTU, but is specific to link services interfaces. By default the MRRU size is 1500 bytes, and you can configure it to be from 1500 through 4500 bytes. For more information, see "Configuring MRRU on Multilink and Link Services Logical Interfaces" on page 1242.

When a packet is removed from a multilink-encapsulated queue, the software gives the packet an MLPPP header. The MLPPP header contains a sequence number field, which is filled with the next available sequence number from a counter. The software then places the packet on one of the N different T1 links. The link is chosen on a packet-by-packet basis to balance the load across the various T1 links. If the packet exceeds the minimum link MTU, or if a queue has a fragment threshold configured at the [edit class-of-service fragmentation-maps map-name forwarding-class class-name] hierarchy level, the software splits the packet into two or more fragments, which are assigned consecutive multilink sequence numbers. The outgoing link for each fragment is selected independently of all other fragments.

When a packet is removed from a nonencapsulated queue, it is transmitted with a plain PPP header. Because there is no MLPPP header, there is no sequence number information. Therefore, the software must take special measures to avoid packet reordering. To avoid packet reordering, the software places the packet on one of the N different T1 links. The link is determined by hashing the values in the header. For IP, the software computes the hash based on source address, destination address, and IP protocol. For MPLS, the software computes the hash based on up to five MPLS labels, or four MPLS labels and the IP header. For UDP and TCP, the software computes the hash based on the source and destination ports, as well as source and destination IP addresses. This guarantees that all packets belonging to the same TCP/UDP flow always pass through the same T1 link, and therefore cannot be reordered. However, it does not guarantee that the load on the various T1 links is balanced. If there are many flows, the load is usually balanced.

The N different T1 interfaces link to another router, which can be from Juniper Networks or another vendor. The router at the far end gathers packets from all the T1 links. If a packet has an MLPPP header, the sequence number field is used to put the packet back into sequence number order. If the packet has a plain PPP header, the software accepts the packet in the order in which it arrives and makes no attempt to reassemble or reorder the packet.
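The two queue behaviours just described (fragment-and-sequence versus hash-to-one-link) can be seen side by side in a small model. The following is an added example, not Juniper's code and not part of this guide; it assumes round-robin as the byte-wise spreading policy and CRC-32 as the header hash, and the packets and flows it runs on are constructed.

```python
"""Added example (not Juniper's code): a model of how the two MLPPP queue types
described above are spread over the N constituent T1 links of a bundle.
Multilink-encapsulated traffic is fragmented to the smallest link MTU (or the
queue's fragment threshold, if smaller), every fragment takes the next sequence
number and fragments are spread byte-wise over the links; non-encapsulated
traffic keeps a plain PPP header, is never fragmented and is pinned to one link
by a hash of its header fields. Assumed: round-robin as the byte-wise policy
and CRC-32 as the hash. The flows and packet sizes used are constructed."""
from typing import List, Optional, Tuple
import zlib

Fragment = Tuple[int, int, int]  # (multilink sequence number, link index, bytes)


class MlpppBundle:
    def __init__(self, link_mtus: List[int]) -> None:
        self.links = len(link_mtus)
        self.min_mtu = min(link_mtus)  # packets larger than this are fragmented
        self.seq = 0                   # next available multilink sequence number
        self.next_link = 0
        self.bytes_per_link = [0] * self.links

    def send_encapsulated(self, length: int,
                          fragment_threshold: Optional[int] = None) -> List[Fragment]:
        """Multilink-encapsulated queue: fragment, sequence, spread over links."""
        limit = self.min_mtu
        if fragment_threshold is not None:
            limit = min(limit, fragment_threshold)
        out: List[Fragment] = []
        remaining = length
        while remaining > 0:
            size = min(limit, remaining)
            link = self.next_link  # chosen per fragment, independently of the others
            self.next_link = (self.next_link + 1) % self.links
            out.append((self.seq, link, size))
            self.bytes_per_link[link] += size
            self.seq += 1  # consecutive sequence numbers for one packet's fragments
            remaining -= size
        return out

    def send_plain(self, src: str, dst: str, proto: int,
                   sport: int, dport: int, length: int) -> int:
        """Non-encapsulated queue: plain PPP header, no fragmentation, link chosen
        by a hash of the flow fields so a TCP/UDP flow always uses one link."""
        key = f"{src}|{dst}|{proto}|{sport}|{dport}".encode()
        link = zlib.crc32(key) % self.links
        self.bytes_per_link[link] += length
        return link

    def imbalance(self) -> int:
        """Bytes between the busiest and the idlest link."""
        return max(self.bytes_per_link) - min(self.bytes_per_link)


def reorder_encapsulated(received: List[Fragment]) -> List[Fragment]:
    """Far-end behaviour for MLPPP-headed fragments: restore sequence order.
    (Plain PPP packets would be accepted in arrival order instead.)"""
    return sorted(received, key=lambda f: f[0])


if __name__ == "__main__":
    bundle = MlpppBundle([1500, 1500, 1500])  # constructed 3xT1 bundle
    print(bundle.send_encapsulated(4000))     # three fragments, seq 0..2
    same_flow = ("10.0.0.1", "10.0.0.2", 6, 40000, 443)  # constructed flow
    print(bundle.send_plain(*same_flow, 1500), bundle.send_plain(*same_flow, 1500))
    print("bytes per link:", bundle.bytes_per_link, "imbalance:", bundle.imbalance())
```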

} [edit class-of-service] Copyright © 2011. the software accepts the packet in the order in which it arrives and makes no attempt to reassemble or reorder the packet.Chapter 20: Link Services IQ Interfaces Configuration Guidelines cannot be reordered. unit 0 { family mlppp { bundle lsq-1/3/0. family inet { address 10. # This adds t1-0/0/0 to the specified bundle. 483 . If there are many flows. link-layer-overhead 0. However.3.1. The router at the far end gathers packets from all the T1 links. The N different T1 interfaces link to another router. the sequence number field is used to put the packet back into sequence number order. mrru 4500. unit 0 { family mlppp { bundle lsq-1/3/0. Juniper Networks. Inc. fragment-threshold 128. short-sequence. } } } lsq-1/3/0 { unit 1 { # This is the virtual link that concatenates multiple T1s. encapsulation multilink-ppp.5. } } } [edit interfaces] t1-0/0/0 { encapsulation ppp. it does not guarantee that the load on the various T1 links is balanced. drop-timeout 1000. Example: Configuring an LSQ Interface as an NxT1 Bundle Using MLPPP [edit chassis] fpc 1 { pic 3 { adaptive-services { service-package layer-2. which can be from Juniper Networks or another vendor. If a packet has an MLPPP header.2.4/24. } } [edit interfaces] lsq-1/3/0 { per-unit-scheduler.1. minimum-links 2. the load is usually balanced. } } } t1-0/0/1 { encapsulation ppp. If the packet has a plain PPP header.

} } schedulers { af-scheduler { transmit-rate percent 30. } forwarding-classes { queue 0 be. forwarding-class nc scheduler nc-scheduler. priority low.Junos 11. buffer-size percent 40. } t1-0/0/1 { # multilink PPP constituent link unit 0 { scheduler-map sched-map1. forwarding-class be scheduler be-scheduler. queue 2 af. buffer-size percent 5. buffer-size percent 30. queue 3 nc. priority strict-high. } } fragmentation-maps { fragmap-1 { forwarding-class be { fragment-threshold 180. } be-scheduler { transmit-rate percent 25.4 Services Interfaces Configuration Guide interfaces { lsq-1/3/0 { # multilink PPP constituent link unit 0 { scheduler-map sched-map1. } scheduler-maps { sched-map1 { forwarding-class af scheduler af-scheduler. # voice queue } nc-scheduler { transmit-rate percent 5. forwarding-class ef scheduler ef-scheduler. Inc. } } t1-0/0/0 { # multilink PPP constituent link unit 0 { scheduler-map sched-map1. } forwarding-class ef { 484 Copyright © 2011. priority low. Juniper Networks. } ef-scheduler { transmit-rate percent 40. . buffer-size percent 25. queue 1 ef. priority high.

            fragment-threshold 100;
        }
    }
}
[edit interfaces]
lsq-1/3/0 {
    unit 0 {
        fragmentation-map fragmap-1;
    }
}

Configuring LSQ Interfaces as NxT1 or NxE1 Bundles Using FRF.16

To configure an NxT1 bundle using FRF.16, you aggregate N different T1 links into a bundle. The NxT1 bundle carries a potentially large number of Frame Relay PVCs, identified by their DLCIs. Each DLCI is called a logical interface, because it can represent, for example, a routing adjacency.

NOTE: Link services IQ interfaces support both T1 and E1 physical interfaces. These instructions apply to T1 interfaces, but the configuration for E1 interfaces is similar.

To aggregate T1 links into an FRF.16 bundle, include the mlfr-uni-nni-bundles statement at the [edit chassis fpc slot-number pic slot-number] hierarchy level and include the bundle statement at the [edit interfaces t1-fpc/pic/port unit logical-unit-number family mlfr-uni-nni] hierarchy level:

[edit chassis fpc slot-number pic slot-number]
mlfr-uni-nni-bundles number;
[edit interfaces t1-fpc/pic/port unit logical-unit-number family mlfr-uni-nni]
bundle lsq-fpc/pic/port:channel;

To configure the link services IQ interface properties, include the following statements at the [edit interfaces lsq-fpc/pic/port:channel] hierarchy level:

[edit interfaces lsq-fpc/pic/port:channel]
encapsulation multilink-frame-relay-uni-nni;
dce;
mlfr-uni-nni-bundle-options {
    acknowledge-retries number;
    acknowledge-timer milliseconds;
    action-red-differential-delay (disable-tx | remove-link);
    drop-timeout milliseconds;
    fragment-threshold bytes;
    hello-timer milliseconds;
    link-layer-overhead percent;
    lmi-type (ansi | itu);
    minimum-links number;
    mrru bytes;
    n391 number;
    n392 number;

    n393 number;
    red-differential-delay milliseconds;
    t391 number;
    t392 number;
    yellow-differential-delay milliseconds;
}
unit logical-unit-number {
    dlci dlci-identifier;
    family inet {
        address address;
    }
}

The link services IQ channel represents the FRF.16 bundle. If the bundle has more than one link, you must include the per-unit-scheduler statement at the [edit interfaces lsq-fpc/pic/port:channel] hierarchy level:

[edit interfaces lsq-fpc/pic/port:channel]
per-unit-scheduler;

Four queues are associated with each DLCI. A scheduler removes packets from the queues according to a scheduling policy. For link services IQ interfaces, you typically designate one queue to have strict priority. The remaining queues are serviced in proportion to weights you configure. On the link services IQ interface, a strict-high-priority queue might starve the other three queues, because traffic in a strict-high-priority queue is transmitted before any other queue is serviced. This implementation is unlike the standard Junos CoS implementation, in which a strict-high-priority queue does round-robin with high-priority queues, as described in the Junos OS Class of Service Configuration Guide.

For FRF.16, you can assign a single scheduler map to the link services IQ interface (lsq) and to each link services IQ DLCI, or you can assign different scheduler maps to the various DLCIs of the bundle, as shown in “Example: Configuring an LSQ Interface as an NxT1 Bundle Using FRF.16” on page 488.

For the constituent links of an FRF.16 bundle, the traffic from each constituent link is transmitted from queue 0. This means you should allow most of the bandwidth to be used by queue 0. For M Series and T Series routers, the default schedulers’ transmission rate and buffer size percentages for queues 0 through 3 are 95, 0, 0, and 5 percent. These default schedulers send all user traffic to queue 0 and all network-control traffic to queue 3, and therefore are well suited to the behavior of FRF.16. Because LFI and multiclass are not supported for FRF.16, you do not need to configure a custom scheduler. If desired, you can configure a custom scheduler that explicitly replicates the 95, 0, 0, and 5 percent queuing behavior, and apply it to the constituent links.

NOTE: For M320 and T Series routers, the default scheduler transmission rate and buffer size percentages for queues 0 through 7 are 95, 0, 0, 5, 0, 0, 0, and 0 percent.

To configure and apply the scheduling policy, include the following statements at the [edit class-of-service] hierarchy level:
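The scheduling rule above, as an added worked check. This is example code written for this page, not Juniper software; it reads only a constructed schedulers block in the simplified syntax this guide uses, not a full Junos configuration, and the function names, the percent-based link model and the "finding" strings are choices made here. It parses the schedulers, verifies that one scheduler map's transmit-rate and buffer-size percentages do not exceed 100 and that it contains at most one strict-high queue, and models one scheduling round in which strict-high traffic is served before any other queue, so an unbounded strict-high queue leaves the other three queues with nothing.

```python
"""Lint an LSQ scheduler map and model strict-high starvation.

Added example, not Juniper code: it reads only a constructed schedulers
block written in the syntax this guide uses, not a full Junos configuration.
It checks that one scheduler map's transmit-rate and buffer-size percentages
do not exceed 100 and that it has at most one strict-high queue, and it
models one scheduling round in which, as on a link services IQ interface,
strict-high traffic is sent before any other queue is served.
"""
import re
from dataclasses import dataclass


@dataclass
class Scheduler:
    name: str
    transmit_pct: int
    buffer_pct: int
    priority: str


# One "name { ... }" stanza with no nested braces, e.g. "af-scheduler { ... }".
STANZA_RE = re.compile(r"([\w-]+)\s*\{([^{}]*)\}")


def parse_schedulers(text):
    """Return {name: Scheduler} for every flat stanza in a schedulers block."""
    result = {}
    for name, body in STANZA_RE.findall(text):
        tx = re.search(r"transmit-rate\s+percent\s+(\d+)", body)
        bs = re.search(r"buffer-size\s+percent\s+(\d+)", body)
        pr = re.search(r"priority\s+([\w-]+)", body)
        result[name] = Scheduler(
            name,
            int(tx.group(1)) if tx else 0,
            int(bs.group(1)) if bs else 0,
            pr.group(1) if pr else "low",   # Junos schedulers default to priority low
        )
    return result


def check_scheduler_map(schedulers, members):
    """Return findings for the schedulers that one scheduler map references."""
    scheds = [schedulers[n] for n in members]
    findings = []
    tx_total = sum(s.transmit_pct for s in scheds)
    bs_total = sum(s.buffer_pct for s in scheds)
    if tx_total > 100:
        findings.append(f"transmit-rate percentages sum to {tx_total} (> 100)")
    if bs_total > 100:
        findings.append(f"buffer-size percentages sum to {bs_total} (> 100)")
    strict = [s.name for s in scheds if s.priority == "strict-high"]
    if len(strict) > 1:
        findings.append("more than one strict-high queue: " + ", ".join(strict))
    for name in strict:
        findings.append(f"{name} is strict-high: on an LSQ interface it is served "
                        "before all other queues and can starve them if its load is not bounded")
    return findings


def serve_round(schedulers, members, offered, capacity=100):
    """Model one scheduling round on an LSQ interface (simplified).

    Strict-high queues are drained first, up to the link capacity; what is
    left is shared by the other queues in proportion to their transmit-rate
    percentages. Unused shares are not redistributed in this model.
    """
    scheds = [schedulers[n] for n in members]
    served = {s.name: 0 for s in scheds}
    remaining = capacity
    for s in scheds:
        if s.priority == "strict-high":
            served[s.name] = min(offered.get(s.name, 0), remaining)
            remaining -= served[s.name]
    others = [s for s in scheds if s.priority != "strict-high"]
    weight = sum(s.transmit_pct for s in others) or 1
    for s in others:
        served[s.name] = min(offered.get(s.name, 0), remaining * s.transmit_pct // weight)
    return served


# Constructed input: the four schedulers of the MLPPP example in this chapter.
SAMPLE = """
schedulers {
    af-scheduler { transmit-rate percent 30; buffer-size percent 30; priority low; }
    be-scheduler { transmit-rate percent 25; buffer-size percent 25; priority low; }
    ef-scheduler { transmit-rate percent 40; buffer-size percent 40; priority strict-high; }
    nc-scheduler { transmit-rate percent 5; buffer-size percent 5; priority high; }
}
"""
SCHED_MAP = ["af-scheduler", "be-scheduler", "ef-scheduler", "nc-scheduler"]

if __name__ == "__main__":
    scheds = parse_schedulers(SAMPLE)
    for finding in check_scheduler_map(scheds, SCHED_MAP):
        print("finding:", finding)
    # The voice queue offering more than the link carries leaves nothing for the rest.
    print(serve_round(scheds, SCHED_MAP, {"ef-scheduler": 100, "af-scheduler": 50,
                                          "be-scheduler": 50, "nc-scheduler": 5}))
```

With the ef queue offering 40 units of a 100-unit link, the other queues receive 30, 25 and 5 units, the transmit-rate percentages of the map; with the ef queue offering 100 units they receive nothing, which is the starvation the text warns about and the reason the strict-high queue's load should be bounded (for example by policing) rather than trusted.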

[edit class-of-service]
interfaces {
    lsq-fpc/pic/port:channel {
        unit logical-unit-number {
            scheduler-map map-name;
        }
    }
}
forwarding-classes {
    queue queue-number class-name;
}
scheduler-maps {
    map-name {
        forwarding-class class-name scheduler scheduler-name;
    }
}
schedulers {
    scheduler-name {
        buffer-size (percent percentage | remainder | temporal microseconds);
        priority priority-level;
        transmit-rate (rate | percent percentage | remainder) <exact>;
    }
}

To configure packet fragmentation handling on a queue, include the fragmentation-maps statement at the [edit class-of-service] hierarchy level:

[edit class-of-service]
fragmentation-maps {
    map-name {
        forwarding-class class-name {
            fragment-threshold bytes;
        }
    }
}

For FRF.16 traffic, only multilink encapsulated (fragmented and sequenced) queues are supported. This is the default queuing behavior for all forwarding classes. FRF.16 does not allow for nonencapsulated traffic because the protocol requires that all packets carry the fragmentation header. Therefore, you cannot include the no-fragmentation statement at the [edit class-of-service fragmentation-maps map-name forwarding-class class-name] hierarchy level for FRF.16 traffic.

When a packet is removed from a multilink-encapsulated queue, the software gives the packet an FRF.16 header. The FRF.16 header contains a sequence number field, which is filled with the next available sequence number from a counter. The software then places the packet on one of the N different T1 links. The link is chosen on a packet-by-packet basis to balance the load across the various T1 links.

At T1 speeds and above, the serialization delay is small enough so that you do not need to use explicit LFI. For FRF.16, if you want to carry voice or any other latency-sensitive traffic, you should not use slow links.

If a large packet is split into multiple fragments, the fragments must have consecutive sequential numbers.
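The sequencing, fragmentation and reassembly behavior described in this section, as an added simulation. This is example code written for this page, not Juniper software, and it does not reproduce the FRF.16 or MLPPP frame format; the Fragment, Sender, Receiver and run names, the round-robin link choice and the tick-based drop timer are choices made here. The sender splits a packet at the fragment threshold (or, with no threshold, at the smallest link MTU) into fragments that carry consecutive sequence numbers and picks each fragment's link independently; the receiver puts fragments back into sequence-number order, rebuilds the packet, rejects a reconstructed packet larger than its MRRU, and abandons a packet whose fragments have not all arrived when the drop timeout expires.

```python
"""Simulate multilink fragmentation, sequencing and reassembly.

Added example, not Juniper code and not the FRF.16 or MLPPP frame format.
Names, the round-robin link choice and the tick-based timer are choices
made for this example.
"""
from dataclasses import dataclass


@dataclass
class Fragment:
    seq: int      # consecutive multilink sequence number
    begin: bool   # first fragment of its packet
    end: bool     # last fragment of its packet
    data: bytes


class Sender:
    """Fragments packets and spreads the fragments over the bundle's links."""

    def __init__(self, link_mtus, fragment_threshold=None):
        self.links = len(link_mtus)
        # Without a configured threshold, packets are fragmented at the smallest link MTU.
        self.frag_size = min(fragment_threshold or min(link_mtus), min(link_mtus))
        self.next_seq = 0

    def send(self, packet):
        """Return [(link_index, Fragment)] with consecutive sequence numbers."""
        chunks = [packet[i:i + self.frag_size] for i in range(0, len(packet), self.frag_size)] or [b""]
        out = []
        for i, chunk in enumerate(chunks):
            # The link is chosen per fragment, independently of the others (round-robin here).
            out.append((self.next_seq % self.links,
                        Fragment(self.next_seq, i == 0, i == len(chunks) - 1, chunk)))
            self.next_seq += 1
        return out


class Receiver:
    """Reorders fragments by sequence number and reassembles packets."""

    def __init__(self, mrru=1500, drop_timeout=8):
        self.mrru = mrru
        self.drop_timeout = drop_timeout   # model ticks, not milliseconds
        self.expected = 0                  # next sequence number we need
        self.pending = {}                  # seq -> Fragment held out of order
        self.buffer = None                 # data of the packet being rebuilt
        self.waiting_since = None          # tick at which a gap was first noticed
        self.delivered = []
        self.dropped = 0

    def receive(self, frag):
        self.pending[frag.seq] = frag
        self._drain()

    def tick(self, now):
        """Enforce the drop timeout while the next expected fragment is missing."""
        if not self.pending:
            self.waiting_since = None
        elif self.waiting_since is None:
            self.waiting_since = now
        elif now - self.waiting_since >= self.drop_timeout:
            self.dropped += 1                    # give up on the partial packet
            self.buffer = None
            self.expected = min(self.pending)    # resynchronise on what has arrived
            self.waiting_since = None
            self._drain()

    def _drain(self):
        """Consume every in-order fragment that is now available."""
        while self.expected in self.pending:
            frag = self.pending.pop(self.expected)
            self.expected += 1
            self.waiting_since = None
            if frag.begin:
                self.buffer = []
            if self.buffer is None:
                continue                         # stray piece of an abandoned packet
            self.buffer.append(frag.data)
            if frag.end:
                packet = b"".join(self.buffer)
                self.buffer = None
                if len(packet) <= self.mrru:
                    self.delivered.append(packet)
                else:
                    self.dropped += 1            # reconstructed packet exceeds the MRRU


def run(packets, link_mtus, fragment_threshold=None, mrru=1500, lose_seq=None):
    """Send packets over the bundle; return (delivered_packets, dropped_count).

    Constructed arrival order: every fragment sent on link 0 arrives before any
    fragment sent on link 1, as if link 1 were slower, so the receiver must
    reorder. lose_seq, if set, is a fragment that never arrives.
    """
    sender = Sender(link_mtus, fragment_threshold)
    rx = Receiver(mrru=mrru)
    frags = [lf for p in packets for lf in sender.send(p)]
    now = 0
    for _link, frag in sorted(frags, key=lambda lf: (lf[0], lf[1].seq)):
        if frag.seq != lose_seq:
            rx.receive(frag)
        now += 1
        rx.tick(now)
    for _ in range(rx.drop_timeout + 1):   # let a pending drop timeout expire
        now += 1
        rx.tick(now)
    return rx.delivered, rx.dropped


if __name__ == "__main__":
    print(run([b"A" * 300, b"B" * 50, b"C" * 1000], [1500, 1500], fragment_threshold=128))
    print(run([b"A" * 300, b"B" * 50, b"C" * 1000], [1500, 1500], fragment_threshold=128, lose_seq=5))
    print(run([b"D" * 2000], [1500, 1500]))   # larger than the default 1500-byte MRRU
```

The three runs show, in order, a bundle reassembling packets whose fragments arrive out of order; a single lost fragment costing exactly the packet it belonged to, with the receiver resynchronising on the next sequence numbers it does hold once the drop timeout expires; and a 2000-byte packet being discarded by a receiver whose MRRU is the 1500-byte default, which is why the mrru statement matters whenever fragments of packets larger than 1500 bytes are expected.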

If the packet exceeds the minimum link MTU, or if a queue has a fragment threshold configured at the [edit class-of-service fragmentation-maps map-name forwarding-class class-name] hierarchy level, the software splits the packet into two or more fragments, which are assigned consecutive multilink sequence numbers. The outgoing link for each fragment is selected independently of all other fragments.

If you do not include the fragment-threshold statement in the fragmentation map, the fragmentation threshold you set at the [edit interfaces interface-name unit logical-unit-number] or [edit interfaces interface-name mlfr-uni-nni-bundle-options] hierarchy level is the default for all forwarding classes. If you do not set a maximum fragment size anywhere in the configuration, packets are fragmented if they exceed the smallest MTU of all the links in the bundle. Even if you do not set a maximum fragment size anywhere in the configuration, you can configure the maximum received reconstructed unit (MRRU) by including the mrru statement at the [edit interfaces lsq-fpc/pic/port unit logical-unit-number] or [edit interfaces interface-name mlfr-uni-nni-bundle-options] hierarchy level. The MRRU is similar to the MTU but is specific to link services interfaces. By default, the MRRU size is 1500 bytes, and you can configure it to be from 1500 through 4500 bytes. For more information, see “Configuring MRRU on Multilink and Link Services Logical Interfaces” on page 1242.

The N different T1 interfaces link to another router, which can be from Juniper Networks or another vendor. The router at the far end gathers packets from all the T1 links. Because each packet has an FRF.16 header, the sequence number field is used to put the packet back into sequence number order.

Example: Configuring an LSQ Interface as an NxT1 Bundle Using FRF.16

Configure an NxT1 bundle using FRF.16 with multiple CoS scheduler maps:

[edit chassis fpc 1 pic 3]
adaptive-services {
    service-package layer-2;
}
mlfr-uni-nni-bundles 2; # Creates channelized LSQ interfaces/FRF.16 bundles.
[edit interfaces]
t1-0/0/0 {
    encapsulation multilink-frame-relay-uni-nni;
    unit 0 {
        family mlfr-uni-nni {
            bundle lsq-1/3/0:1;
        }
    }
}
t1-0/0/1 {
    encapsulation multilink-frame-relay-uni-nni;
    unit 0 {
        family mlfr-uni-nni {
            bundle lsq-1/3/0:1;
        }
    }
}

lsq-1/3/0:1 { # Bundle link consisting of t1-0/0/0 and t1-0/0/1
    per-unit-scheduler;
    encapsulation multilink-frame-relay-uni-nni;
    dce; # One end needs to be configured as DCE.
    mlfr-uni-nni-bundle-options {
        drop-timeout 180;
        hello-timer 180;
        minimum-links 2;
        mrru 3000;
        fragment-threshold 64;
        link-layer-overhead 0;
    }
    unit 0 { # Each logical unit maps a single DLCI.
        dlci 26;
        family inet {
            address 10.20.30.40/24;
        }
    }
    unit 1 {
        dlci 42;
        family inet {
            address 10.5.20.40/24;
        }
    }
    unit 2 {
        dlci 69;
        family inet {
            address 10.5.30.4/24;
        }
    }
}
[edit class-of-service]
scheduler-maps {
    sched-map-lsq0 {
        forwarding-class af scheduler af-scheduler-lsq0;
        forwarding-class be scheduler be-scheduler-lsq0;
        forwarding-class ef scheduler ef-scheduler-lsq0;
        forwarding-class nc scheduler nc-scheduler-lsq0;
    }
    sched-map-lsq1 {
        forwarding-class af scheduler af-scheduler-lsq1;
        forwarding-class be scheduler be-scheduler-lsq1;
        forwarding-class ef scheduler ef-scheduler-lsq1;
        forwarding-class nc scheduler nc-scheduler-lsq1;
    }
}
schedulers {
    af-scheduler-lsq0 {
        transmit-rate percent 60;
        buffer-size percent 60;
        priority low;
    }
    be-scheduler-lsq0 {
        transmit-rate percent 30;
        buffer-size percent 30;
        priority low;
    }

    ef-scheduler-lsq0 {
        transmit-rate percent 5;
        buffer-size percent 5;
        priority strict-high;
    }
    nc-scheduler-lsq0 {
        transmit-rate percent 5;
        buffer-size percent 5;
        priority high;
    }
    af-scheduler-lsq1 {
        transmit-rate percent 50;
        buffer-size percent 50;
        priority low;
    }
    be-scheduler-lsq1 {
        transmit-rate percent 30;
        buffer-size percent 30;
        priority low;
    }
    ef-scheduler-lsq1 {
        transmit-rate percent 15;
        buffer-size percent 15;
        priority strict-high;
    }
    nc-scheduler-lsq1 {
        transmit-rate percent 5;
        buffer-size percent 5;
        priority high;
    }
}
interfaces {
    lsq-1/3/0:1 { # MLFR FRF.16
        unit 0 {
            scheduler-map sched-map-lsq0;
        }
        unit 1 {
            scheduler-map sched-map-lsq1;
        }
    }
}

Configuring LSQ Interfaces for Single Fractional T1 or E1 Interfaces Using MLPPP and LFI

When you configure a single fractional T1 interface, you associate one DS0 (fractional T1) interface with a link services IQ interface. The logical link services IQ interface represents the MLPPP bundle. It is called a logical interface because it can represent, for example, a routing adjacency.

Four queues are associated with the logical interface. A scheduler removes packets from the queues according to a scheduling policy. Typically, you designate one queue to have strict priority, and the remaining queues are serviced in proportion to weights you configure.

To configure a single fractional T1 interface using MLPPP and LFI, you first associate the fractional T1 interface with the link services IQ interface, then configure the link services IQ interface properties and the scheduling policy.

To associate a fractional T1 interface with a link services IQ interface, include the bundle statement at the [edit interfaces ds-fpc/pic/port:channel unit logical-unit-number family mlppp] hierarchy level:

[edit interfaces ds-fpc/pic/port:channel unit logical-unit-number family mlppp]
bundle lsq-fpc/pic/port;

NOTE: Link services IQ interfaces support both T1 and E1 physical interfaces. These instructions apply to T1 interfaces.

To configure the link services IQ interface properties, include the following statements at the [edit interfaces lsq-fpc/pic/port unit logical-unit-number] hierarchy level:

[edit interfaces lsq-fpc/pic/port unit logical-unit-number]
drop-timeout milliseconds;
minimum-links number;
short-sequence;

For MLPPP, assign a single scheduler map to the link services IQ (lsq) interface and to each constituent link, as shown in “Example: Configuring an LSQ Interface for a Fractional T1 Interface Using MLPPP and LFI” on page 493.

The default scheduler assigns 95, 0, 0, and 5 percent bandwidth for the transmission rate and buffer size of queues 0 through 3.

NOTE: For M320 and T Series routers, the default scheduler transmission rate and buffer size percentages for queues 0 through 7 are 95, 0, 0, 5, 0, 0, 0, and 0 percent.

Therefore, you should configure a single scheduler with nonzero percent transmission rates and buffer sizes for queues 0 through 3, and assign this scheduler to the link services IQ (lsq) interface and to ea