Junos® OS

Services Interfaces Configuration Guide

Release

11.4

Published: 2011-11-14

Copyright © 2011, Juniper Networks, Inc.

Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, California 94089 USA
408-745-2000
www.juniper.net

This product includes the Envoy SNMP Engine, developed by Epilogue Technology, an Integrated Systems Company. Copyright © 1986-1997, Epilogue Technology Corporation. All rights reserved. This program and its documentation were developed at private expense, and no part of them is in the public domain.

This product includes memory allocation software developed by Mark Moraes, copyright © 1988, 1989, 1993, University of Toronto.

This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentation and software included in the 4.4BSD and 4.4BSD-Lite Releases is copyrighted by the Regents of the University of California. Copyright © 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994. The Regents of the University of California. All rights reserved.

GateD software copyright © 1995, the Regents of the University. All rights reserved. Gate Daemon was originated and developed through release 3.0 by Cornell University and its collaborators. Gated is based on Kirton's EGP, UC Berkeley's routing daemon (routed), and DCN's HELLO routing protocol. Development of Gated has been supported in part by the National Science Foundation. Portions of the GateD software copyright © 1988, Regents of the University of California. All rights reserved. Portions of the GateD software copyright © 1991, D. L. S. Associates.

This product includes software developed by Maker Communications, Inc., copyright © 1996, 1997, Maker Communications, Inc.

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.

Junos OS Services Interfaces Configuration Guide
Release 11.4
Copyright © 2011, Juniper Networks, Inc. All rights reserved.

Revision History
November 2011, R1: Junos OS 11.4

The information in this document is current as of the date listed in the revision history.

YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement ("EULA") posted at http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.


Abbreviated Table of Contents

About This Guide ... xlvii

Part 1  Overview
  Chapter 1  Services Interfaces Overview ... 3
  Chapter 2  Services Interfaces Configuration Statements ... 5

Part 2  Adaptive Services
  Chapter 3  Adaptive Services Overview ... 37
  Chapter 4  Applications Configuration Guidelines ... 71
  Chapter 5  Summary of Applications Configuration Statements ... 103
  Chapter 6  Stateful Firewall Services Configuration Guidelines ... 113
  Chapter 7  Summary of Stateful Firewall Configuration Statements ... 123
  Chapter 8  Stateful Firewall on the Embedded Junos OS Platform Configuration Guidelines ... 135
  Chapter 9  Summary of Stateful Firewall on the Embedded Junos OS Platform Configuration Statements ... 139
  Chapter 10  Carrier-Grade NAT Configuration Guidelines ... 149
  Chapter 11  Summary of Carrier-Grade NAT Configuration Statements ... 239
  Chapter 12  Load Balancing Configuration Guidelines ... 271
  Chapter 13  Summary of Load Balancing Configuration Statements ... 277
  Chapter 14  Intrusion Detection Service Configuration Guidelines ... 289
  Chapter 15  Summary of Intrusion Detection Service Configuration Statements ... 301
  Chapter 16  IPsec Services Configuration Guidelines ... 323
  Chapter 17  Summary of IPsec Services Configuration Statements ... 377
  Chapter 18  Layer 2 Tunneling Protocol Services Configuration Guidelines ... 413
  Chapter 19  Summary of Layer 2 Tunneling Protocol Configuration Statements ... 431
  Chapter 20  Link Services IQ Interfaces Configuration Guidelines ... 447
  Chapter 21  Summary of Link Services IQ Configuration Statements ... 509
  Chapter 22  Voice Services Configuration Guidelines ... 521
  Chapter 23  Summary of Voice Services Configuration Statements ... 531
  Chapter 24  Class-of-Service Configuration Guidelines ... 541
  Chapter 25  Summary of Class-of-Service Configuration Statements ... 551
  Chapter 26  Service Set Configuration Guidelines ... 567


  Chapter 27  Summary of Service Set Configuration Statements ... 585
  Chapter 28  Service Interface Configuration Guidelines ... 611
  Chapter 29  Summary of Service Interface Configuration Statements ... 625
  Chapter 30  PGCP Configuration Guidelines for the BGF Feature ... 643
  Chapter 31  Summary of PGCP Configuration Statements ... 649
  Chapter 32  Service Interface Pools Configuration Guidelines ... 751
  Chapter 33  Summary of Service Interface Pools Statements ... 753
  Chapter 34  Border Signaling Gateway Configuration Guidelines ... 755
  Chapter 35  Summary of Border Signaling Gateway Configuration Statements ... 761
  Chapter 36  PTSP Configuration Guidelines ... 841
  Chapter 37  Summary of PTSP Configuration Statements ... 843
  Chapter 38  Softwire Configuration Guidelines ... 865
  Chapter 39  Summary of Softwire Configuration Statements ... 883

Part 3  Dynamic Application Awareness for Junos OS
  Chapter 40  Dynamic Application Awareness for Junos OS Overview ... 893
  Chapter 41  Application Identification Configuration Guidelines ... 901
  Chapter 42  Summary of Application Identification Configuration Statements ... 919
  Chapter 43  Application-Aware Access List Configuration Guidelines ... 955
  Chapter 44  Summary of AACL Configuration Statements ... 963
  Chapter 45  Local Policy Decision Function Configuration Guidelines ... 975
  Chapter 46  Summary of L-PDF Configuration Statements ... 981

Part 4  Encryption Services
  Chapter 47  Encryption Overview ... 993
  Chapter 48  Encryption Interfaces Configuration Guidelines ... 995
  Chapter 49  Summary of Encryption Configuration Statements ... 1005

Part 5  Flow Monitoring and Discard Accounting Services
  Chapter 50  Flow Monitoring and Discard Accounting Overview ... 1015
  Chapter 51  Flow Monitoring and Discard Accounting Configuration Guidelines ... 1019
  Chapter 52  Summary of Flow-Monitoring Configuration Statements ... 1087
  Chapter 53  Flow Collection Configuration Guidelines ... 1159
  Chapter 54  Summary of Flow Collection Configuration Statements ... 1171
  Chapter 55  Dynamic Flow Capture Configuration Guidelines ... 1189
  Chapter 56  Flow-Tap Configuration Guidelines ... 1201
  Chapter 57  Summary of Dynamic Flow Capture and Flow-Tap Configuration Statements ... 1209


Part 6  Link and Multilink Services
  Chapter 58  Link and Multilink Services Overview ... 1229
  Chapter 59  Link and Multilink Services Configuration Guidelines ... 1233
  Chapter 60  Summary of Multilink and Link Services Configuration Statements ... 1271

Part 7  Real-Time Performance Monitoring Services
  Chapter 61  Real-Time Performance Monitoring Services Overview ... 1297
  Chapter 62  Real-Time Performance Monitoring Configuration Guidelines ... 1299
  Chapter 63  Summary of Real-Time Performance Monitoring Configuration Statements ... 1319

Part 8  Tunnel Services
  Chapter 64  Tunnel Services Overview ... 1351
  Chapter 65  Tunnel Interfaces Configuration Guidelines ... 1355
  Chapter 66  Summary of Tunnel Services Configuration Statements ... 1375

Part 9  Index
  Index ... 1393
  Index of Statements and Commands ... 1419


Table of Contents

About This Guide ... xlvii
  Junos Documentation and Release Notes ... xlvii
  Objectives ... xlviii
  Audience ... xlviii
  Supported Platforms ... xlviii
  Using the Indexes ... xlix
  Using the Examples in This Manual ... xlix
    Merging a Full Example ... xlix
    Merging a Snippet ... l
  Documentation Conventions ... l
  Documentation Feedback ... lii
  Requesting Technical Support ... lii
    Self-Help Online Tools and Resources ... liii
    Opening a Case with JTAC ... liii

Part 1  Overview

Chapter 1  Services Interfaces Overview ... 3
  Services PIC Types ... 3
  Supported Platforms ... 4

Chapter 2  Services Interfaces Configuration Statements ... 5
  [edit applications] Hierarchy Level ... 5
  [edit forwarding-options] Hierarchy Level ... 6
  [edit interfaces] Hierarchy Level ... 8
  [edit logical-systems] Hierarchy Level ... 12
  [edit services] Hierarchy Level ... 12

Part 2  Adaptive Services

Chapter 3  Adaptive Services Overview ... 37
  Adaptive Services Overview ... 37
  Enabling Service Packages ... 39
    Layer 2 Service Package Capabilities and Interfaces ... 43
  Services Configuration Procedure ... 44
  Packet Flow Through the Adaptive Services or Multiservices PIC ... 44
  Stateful Firewall Overview ... 45
    Stateful Firewall Support for Application Protocols ... 46
    Stateful Firewall Anomaly Checking ... 46


  Network Address Translation Overview ... 48
    Types of NAT ... 48
      NAT Concept and Facilities Overview ... 48
      IPv4-to-IPv4 Basic NAT ... 49
      NAT-PT ... 50
      Static Destination NAT ... 50
      Twice NAT ... 50
      IPv6 NAT ... 51
      NAT-PT with DNS ALG ... 51
      Dynamic NAT ... 52
      Stateful NAT64 ... 52
      Dual-Stack Lite ... 52
  Tunneling Services for IPv4-to-IPv6 Transition Overview ... 53
    6to4 Overview ... 54
      Basic 6to4 ... 54
      6to4 Anycast ... 54
      6to4 Provider-Managed Tunnels ... 55
    DS-Lite Softwires (IPv4 over IPv6) ... 55
    6rd Softwires (IPv6 over IPv4) ... 56
  IPsec Overview ... 57
    IPsec ... 57
    Security Associations ... 57
    IKE ... 58
    Comparison of IPsec Services and ES Interface Configuration ... 58
  Layer 2 Tunneling Protocol Overview ... 59
  Voice Services Overview ... 60
  Class of Service Overview ... 60
  Examples: Services Interfaces Configuration ... 61
    Example: Service Interfaces Configuration ... 61
    Example: VPN Routing and Forwarding (VRF) and Service Configuration ... 64
    Example: Dynamic Source NAT as a Next-Hop Service ... 65
    Example: NAT Between VRFs Configuration ... 67
    Example: BOOTP and Broadcast Addresses ... 70

Chapter 4  Applications Configuration Guidelines ... 71
  Configuring Application Protocol Properties ... 72
    Configuring an Application Protocol ... 72
    Configuring the Network Protocol ... 74
    Configuring the ICMP Code and Type ... 75
    Configuring Source and Destination Ports ... 77
    Configuring the Inactivity Timeout Period ... 80
    Configuring an SNMP Command for Packet Matching ... 80
    Configuring an RPC Program Number ... 80
    Configuring the TTL Threshold ... 80
    Configuring a Universal Unique Identifier ... 81
  Configuring Application Sets ... 81
  ALG Descriptions ... 81
    Basic TCP ALG ... 82
    Basic UDP ALG ... 82


    BOOTP ... 83
    DCE RPC Services ... 83
    ONC RPC Services ... 83
    FTP ... 83
    ICMP ... 84
    NetShow ... 84
    RPC and RPC Portmap Services ... 84
    RTSP ... 86
    SMB ... 86
    SNMP ... 86
    SQLNet ... 87
    TFTP ... 87
    Traceroute ... 87
    UNIX Remote-Shell Services ... 87
  Verifying the Output of ALG Sessions ... 88
    FTP Example ... 88
      Sample Output ... 88
      FTP System Log Messages ... 89
      Analysis ... 90
      Troubleshooting Questions ... 90
    RTSP ALG Example ... 91
      Sample Output ... 91
      Analysis ... 91
      Troubleshooting Questions ... 91
    System Log Messages ... 93
      System Log Configuration ... 93
      System Log Output ... 94
  Junos Default Groups ... 94
    Examples: Referencing the Preset Statement from the Junos Default Group ... 99
  Examples: Configuring Application Protocols ... 101

Chapter 5  Summary of Applications Configuration Statements ... 103
  application ... 103
  application-protocol ... 104
  application-set ... 105
  applications ... 105
  destination-port ... 106
  icmp-code ... 106
  icmp-type ... 107
  inactivity-timeout ... 107
  learn-sip-register ... 108
  protocol ... 109
  rpc-program-number ... 110
  sip-call-hold-timeout ... 110
  snmp-command ... 111
  source-port ... 111
  ttl-threshold ... 112
  uuid ... 112


Chapter 6  Stateful Firewall Services Configuration Guidelines ... 113
  Configuring Stateful Firewall Rules ... 114
    Configuring Match Direction for Stateful Firewall Rules ... 114
    Configuring Match Conditions in Stateful Firewall Rules ... 115
    Configuring Actions in Stateful Firewall Rules ... 116
      Configuring IP Option Handling ... 117
  Configuring Stateful Firewall Rule Sets ... 118
  Examples: Configuring Stateful Firewall Rules ... 118

Chapter 7  Summary of Stateful Firewall Configuration Statements ... 123
  allow-ip-options ... 124
  application-sets ... 125
  applications ... 125
  destination-address ... 126
  destination-address-range ... 126
  destination-prefix-list ... 127
  from ... 128
  match-direction ... 128
  rule ... 129
  rule-set ... 130
  services ... 130
  source-address ... 131
  source-address-range ... 131
  source-prefix-list ... 132
  syslog ... 132
  term ... 133
  then ... 134

Chapter 8  Stateful Firewall on the Embedded Junos OS Platform Configuration Guidelines ... 135
  Loading the Stateful Firewall Plug-In ... 135
  Configuring Memory for the Stateful Firewall Plug-In ... 137
  Configuring rsh, rlogin, rexec for Stateful Firewall ... 137

Chapter 9  Summary of Stateful Firewall on the Embedded Junos OS Platform Configuration Statements ... 139
  control-cores ... 139
  data-cores ... 140
  data-flow-affinity ... 140
  destination ... 141
  extension-provider ... 142
  forwarding-db-size ... 143
  hash-key ... 144
  object-cache-size ... 145
  package (Loading on PIC) ... 145
  policy-db-size ... 146
  syslog ... 147
  wired-process-mem-size ... 148


Chapter 10  Carrier-Grade NAT Configuration Guidelines ... 149
  Configuring Addresses and Ports for Use in NAT Rules ... 151
    Configuring Pools of Addresses and Ports ... 151
      Preserve Range and Preserve Parity ... 152
    Configuring Address Pools for Network Address Port Translation ... 152
      Round-Robin Allocation ... 153
      Port Block Allocation ... 153
      Sequential ... 154
      Additional Options for NAPT ... 154
    Specifying Destination and Source Prefixes ... 155
    Requirements for NAT Addresses ... 155
  Configuring NAT Rules ... 156
    Configuring Match Direction for NAT Rules ... 157
    Configuring Match Conditions in NAT Rules ... 158
    Configuring Actions in NAT Rules ... 159
  Configuring NAT Rule Sets ... 161
  Configuring Static Source Translation in IPv4 Networks ... 162
    Configuring the NAT Pool and Rule ... 162
    Configuring the Service Set for NAT ... 163
    Configuring Trace Options ... 164
  Configuring Static Source Translation in IPv6 Networks ... 165
    Configuring the NAT Pool and Rule ... 165
    Configuring the Service Set for NAT ... 167
    Configuring Trace Options ... 167
  Configuring Dynamic Source Address and Port Translation in IPv4 Networks ... 168
    Configuring Advanced Options for Dynamic Source Address and Port Translation in IPv4 Networks ... 170
  Configuring Dynamic Source Address and Port Translation for IPv6 Networks ... 173
  Configuring Dynamic Address-Only Source Translation in IPv4 Networks ... 174
  Configuring Static Destination Address Translation in IPv4 Networks ... 177
  Configuring Port Forwarding for Static Destination Address Translation ... 179
  Configuring Translation Type for Translation Between IPv6 and IPv4 Networks ... 182
    Configuring the DNS ALG Application ... 182
    Configuring the NAT Pool and NAT Rule ... 183
    Configuring the Service Set for NAT ... 186
    Configuring Trace Options ... 187
  Configuring NAT-PT ... 187
    Configuring Dynamic Source Address and Static Destination Address Translation (IPv6 to IPV4) ...
164 Configuring Static Source Translation in IPv6 Networks . . . . . . . . . . . . . . . . . . . . 165 Configuring the NAT Pool and Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165 Configuring the Service Set for NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167 Configuring Trace Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167 Configuring Dynamic Source Address and Port Translation in IPv4 Networks . . 168 Configuring Advanced Options for Dynamic Source Address and Port Translation in IPv4 Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170 Configuring Dynamic Source Address and Port Translation for IPv6 Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173 Configuring Dynamic Address-Only Source Translation in IPv4 Networks . . . . . . 174 Configuring Static Destination Address Translation in IPv4 Networks . . . . . . . . . 177 Configuring Port Forwarding for Static Destination Address Translation . . . . . . . 179 Configuring Translation Type for Translation Between IPv6 and IPv4 Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182 Configuring the DNS ALG Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182 Configuring the NAT Pool and NAT Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183 Configuring the Service Set for NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186 Configuring Trace Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187 Configuring NAT-PT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187 Configuring Dynamic Source Address and Static Destination Address Translation (IPv6 to IPV4) . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . 189 Configuring Port Forwarding for Static Destination Address Translation . . . . . . . 190 Examples: Configuring NAT Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193 Example: Configuring Static Source Translation . . . . . . . . . . . . . . . . . . . . . . 193 Example: Configuring Static Source Translation in an IPv4 Network . . . 193 Example: Configuring Static Source Translation in an IPv6 Network . . . 194

Copyright © 2011, Juniper Networks, Inc.

xi

Junos 11.4 Services Interfaces Configuration Guide

        Example: Configuring Static Source Translation with Multiple Prefixes and Address Ranges . . . . 195
    Example: Configuring Dynamic Source Address and Port Translation . . . . 195
        Example: Configuring Dynamic Source Address and Port Translation (NAPT) for an IPv4 Network . . . . 196
        Example: Configuring Dynamic Source Translation for an IPv4 Network . . . . 196
        Example: Configuring Dynamic Source Address and Port Translation for an IPv6 Network . . . . 197
    Example: Configuring Dynamic Address-Only Source Translation . . . . 197
        Example: Configuring Dynamic Address-Only Source Translation . . . . 198
        Example: Configuring Dynamic Address-Only Source Translation in an IPv4 Network . . . . 198
    Example: Configuring Static Destination Address Translation . . . . 199
    Example: Configuring NAT in Mixed IPv4 and IPv6 Networks . . . . 199
        Example: Configuring the Translation Type Between IPv6 and IPv4 Networks . . . . 199
        Example: Configuring Dynamic Source Address and Static Destination Address Translation (IPv6 to IPv4) . . . . 201
            Example: Configuring Source Dynamic and Destination Static Translation . . . . 201
        Example: Configuring NAT-PT . . . . 202
    Example: Configuring Port Forwarding with Twice NAT . . . . 215
    Example: Configuring an Oversubscribed Pool with Fallback to NAPT . . . . 216
    Example: Configuring an Oversubscribed Pool with No Fallback . . . . 217
    Example: Assigning Addresses from a Dynamic Pool for Static Use . . . . 217
    Example: Configuring NAT Rules Without Defining a Pool . . . . 218
    Example: Preventing Translation of Specific Addresses . . . . 219
    Example: Configuring NAT for Multicast Traffic . . . . 219
        Rendezvous Point Configuration . . . . 219
        Router 1 Configuration . . . . 222
Example: NAT 44 CGN Configurations . . . . 223
Example: NAT Between VRFs Configuration . . . . 226
Example: Configuring Stateful NAT64 for Handling IPv4 Address Depletion . . . . 229

Chapter 11

Summary of Carrier-Grade NAT Configuration Statements . . . . . . . . . . . . 239
address . . . . 239
address-allocation . . . . 240
address-pooling . . . . 240
address-range . . . . 241
application-sets . . . . 241
applications . . . . 242
destination-address . . . . 242
destination-address-range . . . . 243
destination-pool . . . . 243
destination-port range . . . . 244
destination-prefix . . . . 244
destination-prefix-list . . . . 245
destined-port . . . . 245
dns-alg-pool . . . . 246
dns-alg-prefix . . . . 246
filtering-type . . . . 246
from . . . . 247
hint . . . . 248
ipv6-multicast-interfaces . . . . 249
mapping-type . . . . 249
match-direction . . . . 250
no-translation . . . . 250
overload-pool . . . . 251
overload-prefix . . . . 251
pgcp . . . . 252
pool . . . . 253
port . . . . 254
port-forwarding . . . . 255
port-forwarding-mappings . . . . 255
ports-per-session . . . . 256
remotely-controlled . . . . 256
rule . . . . 257
rule-set . . . . 258
secured-port-block-allocation . . . . 259
services . . . . 260
source-address . . . . 260
source-address-range . . . . 261
source-pool . . . . 261
source-prefix . . . . 262
source-prefix-list . . . . 262
syslog . . . . 263
term . . . . 264
then . . . . 265
translated-port . . . . 266
translated . . . . 266
translation-type . . . . 267
transport . . . . 268
use-dns-map-for-destination-translation . . . . 269

Chapter 12

Load Balancing Configuration Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
Configuring Load Balancing on AMS Infrastructure . . . . 271
    Configuring AMS Infrastructure . . . . 271
    Configuring High Availability . . . . 272
    Load Balancing Network Address Translation Flows . . . . 273
Example: Configuring Static Source Translation on AMS Infrastructure . . . . 273

Chapter 13

Summary of Load Balancing Configuration Statements . . . . . . . . . . . . . . . 277
drop-member-traffic (Aggregated Multiservices) . . . . 277
enable-rejoin (Aggregated Multiservices) . . . . 278
family (Aggregated Multiservices) . . . . 278
high-availability-options (Aggregated Multiservices) . . . . 279
interfaces (Aggregated Multiservices) . . . . 280
load-balancing-options (Aggregated Multiservices) . . . . 281
many-to-one (Aggregated Multiservices) . . . . 282
member-failure-options (Aggregated Multiservices) . . . . 283
member-interface (Aggregated Multiservices) . . . . 285
redistribute-all-traffic (Aggregated Multiservices) . . . . 286
rejoin-timeout (Aggregated Multiservices) . . . . 286
unit (Aggregated Multiservices) . . . . 287

Chapter 14

Intrusion Detection Service Configuration Guidelines . . . . . . . . . . . . . . . . . 289
Configuring IDS Rules . . . . 291
    Configuring Match Direction for IDS Rules . . . . 292
    Configuring Match Conditions in IDS Rules . . . . 293
    Configuring Actions in IDS Rules . . . . 294
Configuring IDS Rule Sets . . . . 297
Examples: Configuring IDS Rules . . . . 297

Chapter 15

Summary of Intrusion Detection Service Configuration Statements . . . . 301
aggregation . . . . 301
application-sets . . . . 302
applications . . . . 302
by-destination . . . . 303
by-pair . . . . 304
by-source . . . . 305
destination-address . . . . 306
destination-address-range . . . . 306
destination-prefix . . . . 307
destination-prefix-ipv6 . . . . 307
destination-prefix-list . . . . 308
force-entry . . . . 308
from . . . . 309
ignore-entry . . . . 309
logging . . . . 309
match-direction . . . . 310
mss . . . . 310
rule . . . . 311
rule-set . . . . 312
services . . . . 312
session-limit . . . . 313
source-address . . . . 314
source-address-range . . . . 314
source-prefix . . . . 315
source-prefix-ipv6 . . . . 315
source-prefix-list . . . . 316
syn-cookie . . . . 316
syslog . . . . 317
term . . . . 318
then . . . . 320
threshold . . . . 321

Chapter 16

IPsec Services Configuration Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Minimum Security Association Configurations . . . . 325
    Minimum Manual SA Configuration . . . . 325
    Minimum Dynamic SA Configuration . . . . 325
Configuring Security Associations . . . . 326
    Configuring Manual Security Associations . . . . 327
        Configuring the Direction for IPsec Processing . . . . 328
        Configuring the Protocol for a Manual IPsec SA . . . . 329
        Configuring the Security Parameter Index . . . . 329
        Configuring the Auxiliary Security Parameter Index . . . . 329
        Configuring Authentication for a Manual IPsec SA . . . . 329
        Configuring Encryption for a Manual IPsec SA . . . . 330
    Configuring Dynamic Security Associations . . . . 331
    Clearing Security Associations . . . . 332
Configuring IKE Proposals . . . . 332
    Configuring the Authentication Algorithm for an IKE Proposal . . . . 333
    Configuring the Authentication Method for an IKE Proposal . . . . 333
    Configuring the Diffie-Hellman Group for an IKE Proposal . . . . 334
    Configuring the Encryption Algorithm for an IKE Proposal . . . . 334
    Configuring the Lifetime for an IKE SA . . . . 335
    Example: Configuring an IKE Proposal . . . . 335
Configuring IKE Policies . . . . 335
    Configuring the IKE Phase . . . . 337
    Configuring the Mode for an IKE Policy . . . . 337
    Configuring the Proposals in an IKE Policy . . . . 337
    Configuring the Preshared Key for an IKE Policy . . . . 338
    Configuring the Local Certificate for an IKE Policy . . . . 338
        Configuring a Certificate Revocation List . . . . 339
    Configuring the Description for an IKE Policy . . . . 339
    Configuring Local and Remote IDs for IKE Phase 1 Negotiation . . . . 339
    Example: Configuring an IKE Policy . . . . 340
Configuring IPsec Proposals . . . . 341
    Configuring the Authentication Algorithm for an IPsec Proposal . . . . 341
    Configuring the Description for an IPsec Proposal . . . . 342
    Configuring the Encryption Algorithm for an IPsec Proposal . . . . 342
    Configuring the Lifetime for an IPsec SA . . . . 342
    Configuring the Protocol for a Dynamic SA . . . . 343
Configuring IPsec Policies . . . . 343
    Configuring the Description for an IPsec Policy . . . . 344
    Configuring Perfect Forward Secrecy . . . . 344
    Configuring the Proposals in an IPsec Policy . . . . 345
    Example: Configuring an IPsec Policy . . . . 345
IPsec Policy for Dynamic Endpoints . . . . 346
Configuring IPsec Rules . . . . 346
    Configuring Match Direction for IPsec Rules . . . . 347
    Configuring Match Conditions in IPsec Rules . . . . 348
    Configuring Actions in IPsec Rules . . . . 349
        Enabling IPsec Packet Fragmentation . . . . 350
        Configuring Destination Addresses for Dead Peer Detection . . . . 350
        Configuring or Disabling IPsec Anti-Replay . . . . 352
        Enabling System Log Messages . . . . 352
        Specifying the MTU for IPsec Tunnels . . . . 352
Configuring IPsec Rule Sets . . . . 353
Configuring Dynamic Endpoints for IPsec Tunnels . . . . 353
    Authentication Process . . . . 354
    Implicit Dynamic Rules . . . . 354
    Reverse Route Insertion . . . . 355
    Configuring an IKE Access Profile . . . . 355
    Referencing the IKE Access Profile in a Service Set . . . . 357
    Configuring the Interface Identifier . . . . 357
    Default IKE and IPsec Proposals . . . . 358
Tracing IPsec Operations . . . . 358
    Disabling IPsec Tunnel Endpoint in Traceroute . . . . 359
    Tracing IPsec PKI Operations . . . . 360
Configuring IPsec on the Services SDK . . . . 360
Examples: Configuring IPsec Services . . . . 361
    Example: Configuring Statically Assigned Tunnels . . . . 362
    Example: Configuring Dynamically Assigned Tunnels . . . . 364
    Multitask Example: Configuring IPsec Services . . . . 369
        Configuring the IKE Proposal . . . . 369
        Configuring the IKE Policy (and Referencing the IKE Proposal) . . . . 370
        Configuring the IPsec Proposal . . . . 370
        Configuring the IPsec Policy (and Referencing the IPsec Proposal) . . . . 371
        Configuring the IPsec Rule (and Referencing the IKE and IPsec Policies) . . . . 372
        Configuring IPsec Trace Options . . . . 373
        Configuring the Access Profile (and Referencing the IKE and IPsec Policies) . . . . 373
        Configuring the Service Set (and Referencing the IKE Profile and the IPsec Rule) . . . . 374

Chapter 17

Summary of IPsec Services Configuration Statements . . . . . . . . . . . . . . . . 377
anti-replay-window-size . . . . 377
authentication . . . . 378
authentication-algorithm . . . . 379
    authentication-algorithm (IKE) . . . . 379
    authentication-algorithm (IPsec) . . . . 379
authentication-method . . . . 380
auxiliary-spi . . . . 380
backup-remote-gateway . . . . 381
clear-dont-fragment-bit . . . . 381
clear-ike-sas-on-pic-restart . . . . 382
clear-ipsec-sas-on-pic-restart . . . . 382
description . . . . 383
destination-address . . . . 383
dh-group . . . . 384
direction . . . . 385
dynamic . . . . 386
encryption . . . . 387
encryption-algorithm . . . . 388
from . . . . 389
ike . . . . 390
initiate-dead-peer-detection . . . . 391
ipsec . . . . 391
ipsec-inside-interface . . . . 392
lifetime-seconds . . . . 392
local-certificate . . . . 393
local-id . . . . 393
manual . . . . 394
match-direction . . . . 394
mode . . . . 395
no-anti-replay . . . . 395
no-ipsec-tunnel-in-traceroute . . . . 396
perfect-forward-secrecy . . . . 396
policy . . . . 397
    policy (IKE) . . . . 397
    policy (IPsec) . . . . 398
pre-shared-key . . . . 398
proposal . . . . 399
    proposal (IKE) . . . . 399
    proposal (IPsec) . . . . 400
proposals . . . . 400
protocol . . . . 401
remote-gateway . . . . 401
remote-id . . . . 402
rule . . . . 403
rule-set . . . . 404
services . . . . 404
source-address . . . . 405
spi . . . . 405
syslog . . . . 406
term . . . . 407
then . . . . 408
traceoptions . . . . 409
traceoptions (PKI) . . . . 411
tunnel-mtu . . . . 412
version (IKE) . . . . 412

Chapter 18

Layer 2 Tunneling Protocol Services Configuration Guidelines .... 413
L2TP Services Configuration Overview .... 415
L2TP Minimum Configuration .... 416
Configuring L2TP Tunnel Groups .... 418
Configuring Access Profiles for L2TP Tunnel Groups .... 419
Configuring the Local Gateway Address and PIC .... 419
Configuring Window Size for L2TP Tunnels .... 420
Configuring Timers for L2TP Tunnels .... 420
Hiding Attribute-Value Pairs for L2TP Tunnels .... 420

Configuring System Logging of L2TP Tunnel Activity .... 421
Configuring the Identifier for Logical Interfaces that Provide L2TP Services .... 422
Example: Configuring Multilink PPP on a Shared Logical Interface .... 423
AS PIC Redundancy for L2TP Services .... 424
Tracing L2TP Operations .... 424
Examples: Configuring L2TP Services .... 426

Chapter 19

Summary of Layer 2 Tunneling Protocol Configuration Statements .... 431
facility-override .... 431
hello-interval .... 432
hide-avps .... 432
host .... 433
l2tp-access-profile .... 433
local-gateway address .... 434
log-prefix .... 434
maximum-send-window .... 435
ppp-access-profile .... 435
receive-window .... 436
retransmit-interval .... 436
service-interface .... 437
services .... 438
services (Hierarchy) .... 438
services (L2TP System Logging) .... 439
syslog .... 440
traceoptions (L2TP) .... 441
tunnel-group .... 445
tunnel-timeout .... 446

Chapter 20

Link Services IQ Interfaces Configuration Guidelines .... 447
Layer 2 Service Package Capabilities and Interfaces .... 448
Configuring LSQ Interface Redundancy Across Multiple Routers Using SONET APS .... 450
Configuring the Association between LSQ and SONET Interfaces .... 450
Configuring SONET APS Interoperability with Cisco Systems FRF.16 .... 451
Restrictions on APS Redundancy for LSQ Interfaces .... 452
Configuring LSQ Interface Redundancy in a Single Router Using SONET APS .... 452
Configuring LSQ Interface Redundancy in a Single Router Using Virtual Interfaces .... 453
Configuring Redundant Paired LSQ Interfaces .... 453
Restrictions on Redundant LSQ Interfaces .... 454
Configuring Link State Replication for Redundant Link PICs .... 455
Examples: Configuring Redundant LSQ Interfaces for Failure Recovery .... 457
Configuring CoS Scheduling Queues on Logical LSQ Interfaces .... 461
Configuring Scheduler Buffer Size .... 462
Configuring Scheduler Priority .... 463
Configuring Scheduler Shaping Rate .... 463
Configuring Drop Profiles .... 463
Configuring CoS Fragmentation by Forwarding Class on LSQ Interfaces .... 465
Reserving Bundle Bandwidth for Link-Layer Overhead on LSQ Interfaces .... 466
Configuring Multiclass MLPPP on LSQ Interfaces .... 467

Oversubscribing Interface Bandwidth on LSQ Interfaces .... 468
Examples: Oversubscribing an LSQ Interface .... 472
Configuring Guaranteed Minimum Rate on LSQ Interfaces .... 473
Example: Configuring Guaranteed Minimum Rate .... 476
Configuring Link Services and CoS on Services PICs .... 477
Configuring LSQ Interfaces as NxT1 or NxE1 Bundles Using MLPPP .... 480
Example: Configuring an LSQ Interface as an NxT1 Bundle Using MLPPP .... 483
Configuring LSQ Interfaces as NxT1 or NxE1 Bundles Using FRF.16 .... 485
Example: Configuring an LSQ Interface as an NxT1 Bundle Using FRF.16 .... 488
Configuring LSQ Interfaces for Single Fractional T1 or E1 Interfaces Using MLPPP and LFI .... 490
Example: Configuring an LSQ Interface for a Fractional T1 Interface Using MLPPP and LFI .... 493
Configuring LSQ Interfaces for Single Fractional T1 or E1 Interfaces Using FRF.12 .... 495
Examples: Configuring an LSQ Interface for a Fractional T1 Interface Using FRF.12 .... 498
Configuring LSQ Interfaces as NxT1 or NxE1 Bundles Using FRF.15 .... 502
Configuring LSQ Interfaces for T3 Links Configured for Compressed RTP over MLPPP .... 503
Configuring LSQ Interfaces as T3 or OC3 Bundles Using FRF.12 .... 504
Configuring LSQ Interfaces for ATM2 IQ Interfaces Using MLPPP .... 506

Chapter 21

Summary of Link Services IQ Configuration Statements .... 509
cisco-interoperability .... 509
forwarding-class .... 510
fragment-threshold .... 511
fragmentation-map .... 511
fragmentation-maps .... 512
hot-standby .... 512
link-layer-overhead .... 513
lsq-failure-options .... 513
multilink-class .... 514
multilink-max-classes .... 514
no-fragmentation .... 515
no-per-unit-scheduler .... 515
no-termination-request .... 516
per-unit-scheduler .... 516
preserve-interface .... 517
primary .... 517
redundancy-options .... 518
secondary .... 518
trigger-link-failure .... 519
warm-standby .... 519

Chapter 22

Voice Services Configuration Guidelines .... 521
Configuring Services Interfaces for Voice Services .... 522
Configuring the Logical Interface Address for the MLPPP Bundle .... 522
Configuring Compression of Voice Traffic .... 523
Configuring Delay-Sensitive Packet Interleaving .... 524

Example: Configuring Compression of Voice Traffic .... 524
Configuring Encapsulation for Voice Services .... 525
Configuring Network Interfaces for Voice Services .... 525
Configuring Voice Services Bundles with MLPPP Encapsulation .... 526
Configuring the Compression Interface with PPP Encapsulation .... 526
Examples: Configuring Voice Services .... 526

Chapter 23

Summary of Voice Services Configuration Statements .... 531
address .... 531
bundle .... 532
compression .... 532
compression-device .... 533
encapsulation .... 533
f-max-period .... 534
family .... 535
fragment-threshold .... 536
interfaces .... 536
maximum-contexts .... 537
port .... 537
queues .... 538
rtp .... 538
unit .... 539

Chapter 24

Class-of-Service Configuration Guidelines .... 541
Restrictions and Cautions for CoS Configuration on Services Interfaces .... 542
Configuring CoS Rules .... 543
Configuring Match Direction for CoS Rules .... 543
Configuring Match Conditions In CoS Rules .... 544
Configuring Actions in CoS Rules .... 545
Configuring Application Profiles for Use as CoS Rule Actions .... 546
Configuring Reflexive and Reverse CoS Rule Actions .... 546
Example: Configuring CoS Rules .... 547
Configuring CoS Rule Sets .... 548
Examples: Configuring CoS on Services Interfaces .... 548

Chapter 25

Summary of Class-of-Service Configuration Statements .... 551
application-profile .... 552
application-sets .... 553
applications .... 553
data .... 554
destination-address .... 554
destination-prefix-list .... 555
dscp .... 555
forwarding-class .... 556
from .... 556
ftp .... 557
match-direction .... 557
(reflexive | reverse) .... 558
rule .... 559
rule-set .... 560

services .... 560
sip .... 561
source-address .... 561
source-prefix-list .... 562
syslog .... 562
term .... 563
then .... 564
video .... 564
voice .... 565

Chapter 26

Service Set Configuration Guidelines .... 567
Configuring Service Sets to be Applied to Services Interfaces .... 568
Configuring Interface Service Sets .... 568
Configuring Next-Hop Service Sets .... 570
Determining Traffic Direction .... 571
Interface Style Service Sets .... 571
Next-Hop Style Service Sets .... 571
Configuring Service Rules .... 572
Configuring IPsec Service Sets .... 573
Configuring the Local Gateway Address for IPsec Service Sets .... 574
IKE Addresses in VRF Instances .... 574
Configuring IKE Access Profiles for IPsec Service Sets .... 575
Configuring Certification Authorities for IPsec Service Sets .... 575
Configuring or Disabling Antireplay Service .... 575
Clearing the Don’t-Fragment Bit .... 576
Configuring Passive-Mode Tunneling .... 577
Configuring the Tunnel MTU Value .... 577
Configuring Service Set Limitations .... 578
Configuring System Logging for Service Sets .... 578
Enabling Services PICs to Accept Multicast Traffic .... 580
Tracing Services PIC Operations .... 580
Configuring the Adaptive Services Log Filename .... 581
Configuring the Number and Size of Adaptive Services Log Files .... 581
Configuring Access to the Log File .... 582
Configuring a Regular Expression for Lines to Be Logged .... 582
Configuring the Trace Operations .... 582
Example: Configuring Service Sets .... 583

Chapter 27

Summary of Service Set Configuration Statements .... 585
adaptive-services-pics .... 585
allow-multicast .... 586
anti-replay-window-size .... 587
bypass-traffic-on-exceeding-flow-limits .... 588
bypass-traffic-on-pic-failure .... 588
clear-dont-fragment-bit .... 589
facility-override .... 590
host .... 590
ids-rules .... 591
ike-access-profile .... 591
interface-service .... 592

ipsec-vpn-options .... 592
ipsec-vpn-rules .... 593
local-gateway .... 593
log-prefix .... 594
logging .... 594
max-flows .... 595
message-rate-limit .... 596
nat-rules .... 597
next-hop-service .... 598
no-anti-replay .... 599
passive-mode-tunneling .... 599
pgcp-rules .... 600
port (syslog) .... 600
ptsp-rules .... 601
service-interface .... 601
service-set .... 602
services .... 604
services (Hierarchy) .... 604
services (System Logging) .... 605
stateful-firewall-rules .... 606
syslog .... 606
tcp-mss .... 607
traceoptions .... 608
trusted-ca .... 609
tunnel-mtu .... 610

Chapter 28

Service Interface Configuration Guidelines .... 611
Services Interface Naming Overview .... 613
Configuring the Address and Domain for Services Interfaces .... 614
Configuring Default Timeout Settings for Services Interfaces .... 614
Configuring System Logging for Services Interfaces .... 616
Enabling Fragmentation on GRE Tunnels .... 617
Applying Filters and Services to Interfaces .... 618
Configuring Service Filters .... 619
Configuring AS or Multiservices PIC Redundancy .... 620
Examples: Configuring Services Interfaces .... 623

Chapter 29

Summary of Service Interface Configuration Statements .... 625
address .... 625
cgn-pic .... 626
clear-dont-fragment-bit .... 626
dial-options .... 627
facility-override .... 628
family .... 629
host .... 630
inactivity-timeout .... 630
input .... 631
interfaces .... 631
log-prefix .... 632
maximum .... 632

open-timeout .... 632
output .... 633
post-service-filter .... 633
primary .... 634
rate .... 634
redundancy-options .... 635
secondary .... 635
service .... 636
service-domain .... 636
service-filter .... 637
service-set .... 637
services .... 638
services-options .... 639
session-limit .... 640
syslog .... 640
tcp-tickles .... 641
unit .... 642

Chapter 30

PGCP Configuration Guidelines for the BGF Feature .... 643

Chapter 31

Summary of PGCP Configuration Statements .... 649
administrative .... 650
administrative (Control Association) .... 650
administrative (Virtual Interface) .... 651
algorithm .... 652
application-data-inactivity-detection .... 652
audit-observed-events-returns .... 653
base-root .... 654
bgf-core .... 655
cancel-graceful .... 657
cancel-graceful (Control Association) .... 657
cancel-graceful (Virtual Interface) .... 658
cleanup-timeout .... 658
context-indications .... 659
control-association-indications .... 660
controller-address .... 661
controller-failure .... 661
controller-port .... 662
data-inactivity-detection .... 662
default .... 663
delivery-function .... 664
destination-address .... 664
destination-port .... 665
detect .... 665
diffserv .... 666
disable-session-mirroring .... 666
disconnect .... 667
down .... 668
dscp .... 669
encoding .... 669


event-timestamp-notification . . . 670
failover-cold . . . 670
failover-warm . . . 671
failure . . . 672
fast-update-filters . . . 673
file . . . 674
flag . . . 675
gateway . . . 676
gateway-address . . . 680
gateway-controller . . . 681
gateway-port . . . 682
graceful . . . 683
  graceful (Control Association) . . . 683
  graceful (Virtual Interface) . . . 684
graceful-restart . . . 684
h248-options . . . 685
h248-profile . . . 687
h248-properties . . . 688
h248-stack . . . 691
h248-timers . . . 692
hanging-termination-detection . . . 692
inactivity-delay . . . 693
inactivity-duration . . . 693
inactivity-timeout . . . 694
inactivity-timer . . . 695
initial-average-ack-delay . . . 695
interim-ah-scheme . . . 696
ip-flow-stop-detection . . . 696
ipsec-transport-security-association . . . 697
latch-deadlock-delay . . . 697
max-burst-size . . . 698
  max-burst-size (All Streams) . . . 698
  max-burst-size (RTCP Streams) . . . 699
max-concurrent-calls . . . 700
maximum-fuf-percentage . . . 701
maximum-inactivity-time . . . 702
maximum-net-propagation-delay . . . 703
maximum-synchronization-mismatches . . . 703
maximum-terms . . . 704
maximum-waiting-delay . . . 704
media . . . 705
mg-maximum-pdu-size . . . 706
mg-originated-pending-limit . . . 707
mg-provisional-response-timer-value . . . 708
mg-segmentation-timer . . . 709
mgc-maximum-pdu-size . . . 710
mgc-originated-pending-limit . . . 711
mgc-provisional-response-timer-value . . . 712
mgc-segmentation-timer . . . 713


monitor . . . 714
network-operator-id . . . 714
no-dscp-bit-mirroring . . . 715
no-rtcp-check . . . 715
normal-mg-execution-time . . . 716
normal-mgc-execution-time . . . 717
notification-behavior . . . 718
notification-rate-limit . . . 718
notification-regulation . . . 719
overload-control . . . 719
peak-data-rate . . . 720
  peak-data-rate (All Streams) . . . 720
  peak-data-rate (RTCP) . . . 721
platform . . . 722
profile-name . . . 723
profile-version . . . 723
queue-limit-percentage . . . 724
reconnect . . . 725
reject-all-commands-threshold . . . 725
reject-new-calls-threshold . . . 726
report-service-change . . . 726
request-timestamp . . . 727
routing-instance . . . 727
rtcp . . . 728
rtp . . . 728
rule . . . 729
rule-set . . . 729
sbc-utils . . . 730
segmentation . . . 731
send-notification-on-delay . . . 732
service-change . . . 733
service-change-type . . . 734
service-interface . . . 734
service-state . . . 735
  service-state (Virtual BGF) . . . 735
  service-state (Virtual Interface) . . . 736
services . . . 736
session-mirroring . . . 737
source-address . . . 737
source-port . . . 738
state-loss . . . 739
stop-detection-on-drop . . . 739
sustained-data-rate . . . 740
  sustained-data-rate (All Streams) . . . 740
  sustained-data-rate (RTCP Streams) . . . 741
timerx . . . 742
tmax-retransmission-delay . . . 742
traceoptions . . . 743
traffic-management . . . 744


up . . . 745
use-lower-case . . . 745
use-wildcard-response . . . 746
virtual-interface . . . 747
virtual-interface-down . . . 748
virtual-interface-indications . . . 749
virtual-interface-up . . . 749
warm . . . 750

Chapter 32

Service Interface Pools Configuration Guidelines . . . . . . . . . . . . . . . . . . . . . 751
Configuring Service Interface Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 751

Chapter 33

Summary of Service Interface Pools Statements . . . . . . . . . . . . . . . . . . . . . 753
interface . . . 753
pool . . . 754
service-interface-pools . . . 754

Chapter 34

Border Signaling Gateway Configuration Guidelines . . . 755

Chapter 35

Summary of Border Signaling Gateway Configuration Statements . . . 761
actions . . . 762
accelerations . . . 763
admission-control . . . 764
  admission-control (Border Signaling Gateway) . . . 764
  admission-control (New Transaction Policy) . . . 765
availability-check-profiles . . . 766
blacklist-period . . . 767
clusters . . . 768
committed-burst-size . . . 769
committed-information-rate . . . 770
data-inactivity-detection . . . 770
datastore . . . 771
default-media-realm . . . 772
dialogs . . . 773
dscp . . . 774
egress-service-point . . . 775
embedded-spdf . . . 776
file . . . 777
flag . . . 778
forward-manipulation . . . 779
framework . . . 780
from . . . 782
  from (New Call Usage Policy) . . . 783
  from (New Transaction Policy) . . . 784
  from (Service Class) . . . 786
gateway . . . 787
inactivity-duration . . . 792
manipulation-rule . . . 793
media-policy . . . 794
media-type . . . 795
message-manipulation . . . 796


maximum-records-in-cache . . . 797
maximum-time-in-cache . . . 797
message-manipulation-rules . . . 798
minimum . . . 799
name-resolution-cache . . . 800
new-call-usage-input-policies . . . 800
new-call-usage-output-policies . . . 801
new-call-usage-policy . . . 802
new-call-usage-policy-set . . . 803
new-transaction-input-policies . . . 803
new-transaction-output-policies . . . 804
new-transaction-policy . . . 805
new-transaction-policy-set . . . 807
next-hop . . . 808
on-3xx-response . . . 809
request-uri . . . 810
reverse-manipulation . . . 811
route . . . 812
routing-destinations . . . 813
sbc-utils . . . 814
servers . . . 815
service-class . . . 816
service-interface . . . 817
  service-interface (Gateway) . . . 817
  service-interface (Service Point) . . . 817
service-point . . . 818
service-point-type . . . 819
service-policies . . . 819
services . . . 820
session-trace . . . 821
signaling . . . 822
signaling-realms . . . 823
sip . . . 824
sip-header . . . 827
sip-stack . . . 829
term . . . 831
  term (New Call Usage Policy) . . . 831
  term (New Transaction Policy) . . . 832
  term (Service Class) . . . 833
then . . . 834
  then (New Call Usage Policy) . . . 834
  then (New Transaction Policy) . . . 835
  then (Service Class) . . . 836
timer-c . . . 837
timers . . . 837
traceoptions . . . 838
transactions . . . 839
transport-details . . . 840


Chapter 36

PTSP Configuration Guidelines . . . 841

Chapter 37

Summary of PTSP Configuration Statements . . . 843
application-group-any . . . 843
application-groups . . . 843
applications . . . 844
count-type . . . 844
demux . . . 845
forward-rule (Configuring) . . . 846
forward-rule (Including in Rule) . . . 847
from (Forward Rule) . . . 847
from (Rule) . . . 848
local-address . . . 849
local-address-range . . . 850
local-port-range . . . 850
local-ports . . . 851
local-prefix-list . . . 851
match-direction . . . 852
protocol . . . 852
remote-address . . . 853
remote-address-range . . . 854
remote-port-range . . . 854
remote-ports . . . 855
remote-prefix-list . . . 855
rule (Configuring) . . . 856
rule (Including in Rule Set) . . . 857
rule-set . . . 857
services . . . 858
term (Forward Rule) . . . 859
term (Rule) . . . 860
then (Forward Rule) . . . 861
then (Rule) . . . 862

Chapter 38

Softwire Configuration Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 865
Configuring a DS-Lite Softwire Concentrator . . . 866
Configuring a 6rd Softwire Concentrator . . . 866
Configuring Softwire Rules . . . 867
Configuring Stateful Firewall Rules for 6rd Softwire . . . 867
Configuring IPv6 Multicast Interfaces . . . 868
Configuring Service Sets for Softwire . . . 868
Examples: Softwire Configuration . . . 869
  Example: Basic DS-Lite Configuration . . . 869
  Example: Basic 6rd Configuration . . . 874
  Example: Configuring DS-Lite and 6rd in the Same Service Set . . . 877

Chapter 39

Summary of Softwire Configuration Statements . . . . . . . . . . . . . . . . . . . . 883
ds-lite . . . 884
rule (Softwire) . . . 885
rule-set (Softwire) . . . 885
softwire-concentrator . . . 886


softwire-rules . . . 886
term (Softwire Rule) . . . 887
v6rd . . . 888
ipv6-multicast-interfaces (Softwire) . . . 889

Part 3

Dynamic Application Awareness for Junos OS

Chapter 40

Dynamic Application Awareness for Junos OS Overview . . . 893
IDP Overview . . . 894
APPID Overview . . . 895
AACL Overview . . . 896
L-PDF Overview . . . 896
Configuring Multiple IDP Detectors . . . 897
Best-Effort Application Identification of DPI-Serviced Flows . . . 897
  Features that Support Application-Level Filtering . . . 897
  Best-Effort Application Determination . . . 898
  APPID, AACL, and L-PDF Processing in Preconvergence Scenarios . . . 898
    Prior to a Final or Best-Effort Application Identification . . . 898
    Upon Best-Effort Application Identification . . . 899
    While Application Identification Is on a Best-Effort Basis . . . 899
    If a Flow Ends Before an Application Identification Is Made . . . 899
    If a Flow Ends While Application Identification on a Best-Effort Basis . . . 899

Chapter 41 Application Identification Configuration Guidelines . . . 901
Defining an Application Identification . . . 903
Configuring APPID Rules . . . 904
Using Stateful Firewall Rules to Identify Data Sessions . . . 906
Configuring Application Profiles . . . 908
Configuring Application Groups . . . 908
Application Identification for Nested Applications . . . 909
Disabling Application Identification for Nested Applications . . . 910
Configuring Global APPID Properties . . . 911
Configuring Automatic Download of Application Package Updates . . . 912
Configuring APPID Support for Heuristics . . . 912
Configuring APPID Support for Unidirectional Traffic . . . 913
Tracing APPID Operations . . . 913
Configuring the APPID Log Filename . . . 914
Configuring the Number and Size of APPID Log Files . . . 914
Configuring Access to the Log File . . . 915
Configuring a Regular Expression for Lines to Be Logged . . . 915
Configuring the Tracing Flags . . . 915
Examples: Configuring Application Identification Properties . . . 915

Chapter 42 Summary of Application Identification Configuration Statements . . . 919
address . . . 920
application . . . 921
application (Defining) . . . 921
application (Including in Rule) . . . 922
application-group . . . 922


application-groups
applications . . . 923
application-system-cache-timeout . . . 923
automatic . . . 924
chain-order . . . 924
context . . . 925
destination . . . 925
direction . . . 926
disable . . . 926
disable (APPID Application) . . . 927
disable (APPID Application Group) . . . 927
disable (APPID Port Mapping) . . . 927
disable-global-timeout-override . . . 928
download . . . 928
enable-asymmetric-traffic-processing . . . 929
enable-heuristics . . . 929
enable-heuristics . . . 930
idle-timeout . . . 930
ignore-errors . . . 931
inactivity-non-tcp-timeout . . . 931
inactivity-tcp-timeout . . . 932
index . . . 933
index (Nested Applications) . . . 932
ip . . . 933
max-checked-bytes . . . 934
maximum-transactions . . . 934
member . . . 935
min-checked-bytes . . . 935
nested-application . . . 936
nested-application-settings . . . 937
no-application-identification . . . 938
no-application-system-cache . . . 938
no-clear-application-system-cache . . . 939
no-nested-application . . . 939
no-protocol-method . . . 940
no-signature-based . . . 940
order . . . 941
pattern . . . 941
port-mapping . . . 942
port-range . . . 942
profile . . . 943
protocol . . . 943
rule . . . 944
rule (Configuring) . . . 945
rule (Including in Rule Set) . . . 945
rule-set . . . 946
services . . . 946

session-timeout
session-timeout (Application Identification) . . . 948
session-timeout (Interfaces) . . . 948
signature . . . 948
source . . . 949
support-uni-directional-traffic . . . 950
traceoptions . . . 950
type . . . 951
type-of-service . . . 952
url . . . 952

Chapter 43 Application-Aware Access List Configuration Guidelines . . . 953
Configuring AACL Rules . . . 955
Configuring Match Direction for AACL Rules . . . 956
Configuring Match Conditions in AACL Rules . . . 956
Configuring Actions in AACL Rules . . . 957
Configuring AACL Rule Sets . . . 958
Configuring Logging of AACL Flows . . . 959
Example: Configuring AACL Rules . . . 960

Chapter 44 Summary of AACL Configuration Statements
application-groups . . . 963
applications . . . 963
application-group-any . . . 964
destination-address . . . 964
destination-address-range . . . 965
destination-prefix-list . . . 965
from . . . 966
match-direction . . . 966
rule . . . 967
rule-set . . . 968
services . . . 969
source-address . . . 969
source-address-range . . . 970
source-prefix-list . . . 970
term . . . 971
then . . . 972

Chapter 45 Local Policy Decision Function Configuration Guidelines . . . 973
Configuring Statistics Profiles . . . 975
Configuring an L-PDF Statistics Profile . . . 975
Configuring an AACL Statistics Profile . . . 976
Applying L-PDF Profiles to Service Sets . . . 977
Tracing L-PDF Operations . . . 978

Chapter 46 Summary of L-PDF Configuration Statements . . . 979
aacl-fields . . . 981
aacl-statistics-profile . . . 982
application-aware-access-list-fields . . . 983
file . . . 984

local-policy-decision-function
policy-decision-statistics-profile
statistics
traceoptions

Part 4 Encryption Services

Chapter 47 Encryption Overview
Encryption Overview

Chapter 48 Encryption Interfaces Configuration Guidelines . . . 993
Configuring Encryption Interfaces . . . 995
Specifying the Security Association Name for Encryption Interfaces . . . 995
Configuring the MTU for Encryption Interfaces . . . 996
Example: Configuring an Encryption Interface . . . 996
Configuring Filters for Traffic Transiting the ES PIC . . . 996
Traffic Overview . . . 997
Configuring the Security Association . . . 997
Configuring an Outbound Traffic Filter . . . 998
Applying the Outbound Traffic Filter . . . 999
Example: Configuring an Outbound Traffic Filter . . . 999
Example: Applying the Outbound Traffic Filter . . . 1000
Configuring an Inbound Traffic Filter . . . 1000
Example: Configuring an Inbound Traffic Filter . . . 1000
Applying the Inbound Traffic Filter to the Encryption Interface . . . 1001
Example: Applying the Inbound Traffic Filter to the Encryption Interface . . . 1001
Configuring an ES Tunnel Interface for a Layer 3 VPN . . . 1001
Configuring ES PIC Redundancy . . . 1002
Example: Configuring ES PIC Redundancy . . . 1002
Configuring IPsec Tunnel Redundancy . . . 1003

Chapter 49 Summary of Encryption Configuration Statements
address . . . 1005
backup-destination . . . 1005
backup-interface . . . 1005
destination . . . 1006
es-options . . . 1006
family . . . 1007
filter . . . 1008
interfaces . . . 1009
ipsec-sa . . . 1009
source . . . 1010
tunnel . . . 1010
unit . . . 1011

Part 5 Flow Monitoring and Discard Accounting Services

Chapter 50 Flow Monitoring and Discard Accounting Overview
Passive Flow Monitoring Overview . . . 1015
Active Flow Monitoring Overview . . . 1015

Chapter 51 Flow Monitoring and Discard Accounting Configuration Guidelines
Configuring Traffic Sampling . . . 1019
Minimum Configuration for Traffic Sampling . . . 1024
Configuring Traffic Sampling . . . 1024
Disabling Traffic Sampling . . . 1025
Sampling Once . . . 1026
Configuring Traffic Sampling Output . . . 1027
Traffic Sampling Output Format . . . 1027
Tracing Traffic Sampling Operations . . . 1028
Traffic Sampling Examples . . . 1029
Example: Sampling a Single SONET/SDH Interface . . . 1029
Example: Sampling All Traffic from a Single IP Address . . . 1029
Example: Sampling All FTP Traffic . . . 1030
Configuring Flow Monitoring . . . 1031
Configuring Flow-Monitoring Interfaces . . . 1032
Configuring Flow-Monitoring Properties . . . 1032
Directing Traffic to Flow-Monitoring Interfaces . . . 1034
Exporting Flows . . . 1034
Configuring Time Periods when Flow Monitoring is Active and Inactive . . . 1035
Example: Configuring Flow Monitoring . . . 1035
Example: Configuring Active Monitoring on Logical Systems . . . 1036
Enabling Flow Aggregation . . . 1037
Configuring Flow Aggregation to Use Version 5 or Version 8 cflowd . . . 1039
Configuring Flow Aggregation to Use Version 9 Flow Templates . . . 1040
Configuring the Traffic to Be Sampled . . . 1043
Configuring the Version 9 Template Properties . . . 1044
Restrictions . . . 1044
Fields Included in Each Template Type . . . 1045
MPLS Sampling Behavior . . . 1046
Verification . . . 1047
Configuring Sampling Instances . . . 1048
Examples: Configuring Version 9 Flow Templates . . . 1048
Configuring Inline Flow Monitoring . . . 1051
Configuring Inline Flow Monitoring on MX80 Routers . . . 1053
Directing Replicated Flows to Multiple Flow Servers . . . 1055
Directing Replicated Routing Engine–Based Sampling Flows to Multiple Servers . . . 1056
Directing Replicated Version 9 Flow Aggregates to Multiple Servers . . . 1057
Logging cflowd Flows Before Export . . . 1058
Configuring Port Mirroring . . . 1059
Configuring Tunnels . . . 1059
Port Mirroring with Next-Hop Groups . . . 1061
Configuring Inline Port Mirroring . . . 1062

Configuring Port Mirroring on Services Interfaces . . . 1064
Restrictions . . . 1064
Examples: Configuring Port Mirroring . . . 1065
Load Balancing Among Multiple Monitoring Interfaces . . . 1066
Filter-Based Forwarding with Multiple Monitoring Interfaces
Configuring Discard Accounting . . . 1073
Enabling Passive Flow Monitoring . . . 1076
Passive Flow Monitoring for MPLS Encapsulated Packets . . . 1077
Removing MPLS Labels from Incoming Packets . . . 1079
Example: Enabling IPv4 Passive Flow Monitoring . . . 1079
Example: Enabling IPv6 Passive Flow Monitoring . . . 1081
Configuring Services Interface Redundancy with Flow Monitoring . . . 1083

Chapter 52 Summary of Flow-Monitoring Configuration Statements
accounting . . . 1087
address . . . 1088
aggregate-export-interval . . . 1089
aggregation . . . 1089
autonomous-system-type . . . 1090
cflowd . . . 1091
cflowd (Discard Accounting) . . . 1092
cflowd (Flow Monitoring) . . . 1092
core-dump . . . 1093
destination . . . 1093
disable . . . 1094
disable-all-instances . . . 1094
engine-id . . . 1095
engine-type . . . 1095
export-format . . . 1097
extension-service . . . 1096
family . . . 1098
family (Interfaces) . . . 1099
family (Monitoring) . . . 1099
family (Port Mirroring) . . . 1100
family (Sampling) . . . 1101
file . . . 1102
file (Sampling) . . . 1104
file (Trace Options) . . . 1104
filename . . . 1104
files . . . 1105
filter . . . 1105
flow-active-timeout . . . 1106
flow-control-options . . . 1108
flow-export-destination . . . 1108
flow-export-rate . . . 1107
flow-inactive-timeout . . . 1109
flow-monitoring . . . 1110
flow-server . . . 1111
forwarding-options . . . 1112

inline-jflow
input . . . 1113
input (Port Mirroring) . . . 1114
input (Sampling) . . . 1114
input-interface-index . . . 1114
instance . . . 1115
instance (Port Mirroring) . . . 1116
instance (Sampling) . . . 1116
interface . . . 1117
interface (Accounting or Sampling) . . . 1119
interface (Monitoring) . . . 1119
interface (Port Mirroring) . . . 1120
interfaces . . . 1120
ipv4-template . . . 1121
ipv6-template . . . 1121
label-position . . . 1121
local-dump . . . 1122
match . . . 1122
max-packets-per-second . . . 1123
maximum-packet-length . . . 1123
monitoring . . . 1124
mpls-ipv4-template . . . 1125
mpls-template . . . 1126
multiservice-options . . . 1126
next-hop . . . 1127
next-hop-group . . . 1127
next-hop-group (Forwarding Options) . . . 1128
next-hop-group (Port Mirroring) . . . 1128
no-core-dump . . . 1129
no-filter-check . . . 1129
no-local-dump . . . 1129
no-remote-trace (Trace Options) . . . 1129
no-stamp . . . 1130
no-syslog . . . 1130
no-world-readable . . . 1130
option-refresh-rate . . . 1130
output . . . 1131
output (Accounting) . . . 1132
output (Monitoring) . . . 1132
output (Port Mirroring) . . . 1133
output (Sampling) . . . 1133
output-interface-index . . . 1134
passive-monitor-mode . . . 1135
pop-all-labels . . . 1136
port . . . 1137
port-mirroring . . . 1138
rate . . . 1139
receive-options-packets . . . 1140
receive-ttl-exceeded . . . 1140

Junos 11.4 Services Interfaces Configuration Guide
required-depth . . . . . 1141
run-length . . . . . 1142
sample-once . . . . . 1142
sampling . . . . . 1143
sampling (Forwarding Options) . . . . . 1144
sampling (Interfaces) . . . . . 1146
services . . . . . 1146
size . . . . . 1147
source-address . . . . . 1148
stamp . . . . . 1148
syslog . . . . . 1149
template . . . . . 1150
template (Forwarding Options) . . . . . 1150
template (Services) . . . . . 1151
template-refresh-rate . . . . . 1152
traceoptions . . . . . 1152
unit . . . . . 1153
version . . . . . 1154
version9 . . . . . 1155
version9 (Forwarding Options) . . . . . 1155
version9 (Services) . . . . . 1156
version-ipfix . . . . . 1157
version-ipfix (Forwarding Options) . . . . . 1157
version-ipfix (Services) . . . . . 1158
world-readable . . . . . 1158
Chapter 53 Flow Collection Configuration Guidelines . . . . . 1159
Configuring Flow Collection . . . . . 1161
Configuring Destination FTP Servers for Flow Records . . . . . 1161
Configuring File Formats . . . . . 1161
Configuring a Packet Analyzer . . . . . 1162
Configuring Interface Mappings . . . . . 1162
Configuring Transfer Logs . . . . . 1163
Sending cflowd Records to Flow Collector Interfaces . . . . . 1163
Configuring Retry Attempts . . . . . 1164
Configuring Flow Collection Mode and Interfaces on Services PICs . . . . . 1164
Example: Configuring Flow Collection . . . . . 1164
Chapter 54 Summary of Flow Collection Configuration Statements . . . . . 1171
analyzer-address . . . . . 1171
analyzer-id . . . . . 1172
archive-sites . . . . . 1172
collector . . . . . 1173
data-format . . . . . 1173
destinations . . . . . 1174
filename-prefix . . . . . 1174
file-specification . . . . . 1175
file-specification (File Format) . . . . . 1175
file-specification (Interface Mapping) . . . . . 1175

flow-collector . . . . . 1176
ftp . . . . . 1178
ftp (Flow Collector Files) . . . . . 1179
ftp (Transfer Log Files) . . . . . 1180
interface-map . . . . . 1180
maximum-age . . . . . 1181
name-format . . . . . 1182
password . . . . . 1184
password (Flow Collector File Servers) . . . . . 1184
password (Transfer Log File Servers) . . . . . 1184
retry . . . . . 1185
retry-delay . . . . . 1185
transfer . . . . . 1186
transfer-log-archive . . . . . 1186
username . . . . . 1187
variant . . . . . 1187
Chapter 55 Dynamic Flow Capture Configuration Guidelines . . . . . 1189
Dynamic Flow Capture Architecture . . . . . 1189
Liberal Sequence Windowing . . . . . 1190
Intercepting IPv6 Flows . . . . . 1190
Configuring Dynamic Flow Capture . . . . . 1191
Configuring the Capture Group . . . . . 1192
Configuring the Control Source . . . . . 1192
Configuring the Content Destination . . . . . 1193
Configuring the DFC PIC Interface . . . . . 1194
Configuring System Logging . . . . . 1195
Configuring Thresholds . . . . . 1196
Limiting the Number of Duplicates of a Packet . . . . . 1196
Example: Configuring Dynamic Flow Capture . . . . . 1197
Chapter 56 Flow-Tap Configuration Guidelines . . . . . 1201
Flow-Tap Architecture . . . . . 1202
Configuring the Flow-Tap Service . . . . . 1203
Configuring the Flow-Tap Interface . . . . . 1203
Strengthening Flow-Tap Security . . . . . 1204
Restrictions on Flow-Tap Services . . . . . 1205
Configuring FlowTapLite . . . . . 1205
Examples: Configuring Flow-Tap Services . . . . . 1207
Chapter 57 Summary of Dynamic Flow Capture and Flow-Tap Configuration Statements . . . . . 1209
address . . . . . 1209
allowed-destinations . . . . . 1210
capture-group . . . . . 1211
content-destination . . . . . 1212
control-source . . . . . 1213
duplicates-dropped-periodicity . . . . . 1213
dynamic-flow-capture . . . . . 1214
flow-tap . . . . . 1215

g-duplicates-dropped-periodicity . . . . . 1216
g-max-duplicates . . . . . 1217
hard-limit . . . . . 1217
hard-limit-target . . . . . 1218
input-packet-rate-threshold . . . . . 1218
interface . . . . . 1219
interfaces . . . . . 1219
max-duplicates . . . . . 1220
minimum-priority . . . . . 1220
no-syslog . . . . . 1221
notification-targets . . . . . 1221
pic-memory-threshold . . . . . 1222
service-port . . . . . 1222
services . . . . . 1223
shared-key . . . . . 1223
soft-limit . . . . . 1224
soft-limit-clear . . . . . 1224
source-addresses . . . . . 1225
ttl . . . . . 1225
Part 6 Link and Multilink Services
Chapter 58 Link and Multilink Services Overview . . . . . 1229
Link and Multilink Services Overview . . . . . 1229
Chapter 59 Link and Multilink Services Configuration Guidelines . . . . . 1233
Multilink and Link Services PICs Overview . . . . . 1234
Configuring the Number of Bundles on Link Services PICs . . . . . 1235
Configuring the Links in a Multilink or Link Services Bundle . . . . . 1236
Multilink and Link Services Logical Interface Configuration Overview . . . . . 1237
Default Settings for Multilink and Link Services Logical Interfaces . . . . . 1238
Configuring Encapsulation for Multilink and Link Services Logical Interfaces . . . . . 1239
Configuring the Drop Timeout Period on Multilink and Link Services Logical Interfaces . . . . . 1240
Limiting Packet Payload Size on Multilink and Link Services Logical Interfaces . . . . . 1241
Configuring the Minimum Number of Active Links on Multilink and Link Services Logical Interfaces . . . . . 1242
Configuring MRRU on Multilink and Link Services Logical Interfaces . . . . . 1242
Configuring the Sequence Header Format on Multilink and Link Services Logical Interfaces . . . . . 1243
Configuring DLCIs on Link Services Logical Interfaces . . . . . 1244
Configuring Delay-Sensitive Packet Interleaving on Link Services Logical Interfaces . . . . . 1244
Configuring Point-to-Point DLCIs for MLFR FRF.16 Bundles . . . . . 1244
Configuring Multicast-Capable DLCIs for MLFR FRF.16 and MLPPP Bundles . . . . . 1245
Configuring LFI with DLCI Scheduling . . . . . 1246
Example: Configuring LFI with DLCI Scheduling . . . . . 1246

Configuring Link Services Physical Interfaces . . . . . 1248
Default Settings for Link Services Interfaces . . . . . 1248
Configuring Encapsulation for Link Services Physical Interfaces . . . . . 1249
Configuring Acknowledgment Timers on Link Services Physical Interfaces . . . . . 1249
Configuring Differential Delay Alarms on Link Services Physical Interfaces with MLFR FRF.16 . . . . . 1250
Configuring Keepalives on Link Services Physical Interfaces . . . . . 1251
Configuring CoS on Link Services Interfaces . . . . . 1252
Example: Configuring CoS on Link Services Interfaces . . . . . 1252
CoS for Link Services Interfaces on M Series and T Series Routers . . . . . 1253
Examples: Configuring Multilink Interfaces . . . . . 1257
Example: Configuring a Multilink Interface with MLPPP . . . . . 1257
Example: Configuring a Multilink Interface with MLPPP over ATM 2 Interfaces . . . . . 1258
Example: Configuring a Multilink Interface with MLFR FRF.15 . . . . . 1259
Examples: Configuring Link Interfaces . . . . . 1260
Example: Configuring a Link Services Interface with Two Links . . . . . 1261
Example: Configuring a Link Services Interface with MLPPP . . . . . 1262
Example: Configuring a Link Services Interface with MLFR FRF.16 . . . . . 1263
Example: Configuring a Link Services PIC with MLFR FRF.15 . . . . . 1263
Example: Configuring Link and Voice Services Interfaces with a Combination of Bundle Types . . . . . 1264
Chapter 60 Summary of Multilink and Link Services Configuration Statements . . . . . 1271
acknowledge-retries . . . . . 1271
acknowledge-timer . . . . . 1272
action-red-differential-delay . . . . . 1273
address . . . . . 1274
bundle . . . . . 1274
destination . . . . . 1275
disable-mlppp-inner-ppp-pfc . . . . . 1275
dlci . . . . . 1276
drop-timeout . . . . . 1277
encapsulation . . . . . 1278
encapsulation (Logical Interface) . . . . . 1278
encapsulation (Physical Interface) . . . . . 1279
family . . . . . 1280
fragment-threshold . . . . . 1281
hello-timer . . . . . 1282
interfaces . . . . . 1282
interleave-fragments . . . . . 1283
lmi-type . . . . . 1283
minimum-links . . . . . 1284
mlfr-uni-nni-bundle-options . . . . . 1285
mrru . . . . . 1286
mtu . . . . . 1287
multicast-dlci . . . . . 1287
n391 . . . . . 1288

n392 . . . . . 1288
n393 . . . . . 1289
red-differential-delay . . . . . 1289
short-sequence . . . . . 1290
t391 . . . . . 1290
t392 . . . . . 1291
unit . . . . . 1292
yellow-differential-delay . . . . . 1293
Part 7 Real-Time Performance Monitoring Services
Chapter 61 Real-Time Performance Monitoring Services Overview . . . . . 1297
Real-Time Performance Monitoring Services Overview . . . . . 1297
Chapter 62 Real-Time Performance Monitoring Configuration Guidelines . . . . . 1299
Configuring BGP Neighbor Discovery Through RPM . . . . . 1300
Configuring Real-Time Performance Monitoring . . . . . 1302
Configuring RPM Probes . . . . . 1303
Configuring RPM Receiver Servers . . . . . 1307
Limiting the Number of Concurrent RPM Probes . . . . . 1307
Configuring RPM Timestamping . . . . . 1307
Configuring TWAMP . . . . . 1310
Configuring TWAMP Interfaces . . . . . 1311
Configuring TWAMP Servers . . . . . 1311
Enabling RPM for the Services SDK . . . . . 1312
Examples: Configuring BGP Neighbor Discovery Through RPM . . . . . 1313
Examples: Configuring Real-Time Performance Monitoring . . . . . 1314
Chapter 63 Summary of Real-Time Performance Monitoring Configuration Statements . . . . . 1319
authentication-mode . . . . . 1319
bgp . . . . . 1320
client-list . . . . . 1321
data-fill . . . . . 1321
data-size . . . . . 1322
destination-interface . . . . . 1323
destination-port . . . . . 1324
dscp-code-point . . . . . 1325
hardware-timestamp . . . . . 1326
history-size . . .  . . 1326
inactivity-timeout . . . . . 1327
logical-system . . . . . 1327
max-connection-duration . . . . . 1328
maximum-connections . . . . . 1328
maximum-connections-per-client . . . . . 1329
maximum-sessions . . . . . 1329
maximum-sessions-per-connection . . . . . 1330
moving-average-size . . . . . 1330

one-way-hardware-timestamp . . . . . 1331
port . . . . . 1332
port (RPM) . . . . . 1332
port (TWAMP) . . . . . 1332
probe . . . . . 1333
probe-count . . . . . 1334
probe-interval . . . . . 1334
probe-limit . . . . . 1335
probe-server . . . . . 1335
probe-type . . . . . 1336
routing-instance . . . . . 1337
routing-instances . . . . . 1337
rpm . . . . . 1338
server . . . . . 1339
server-inactivity-timeout . . . . . 1339
services . . . . . 1340
source-address . . . . . 1340
target . . . . . 1341
tcp . . . . . 1341
test . . . . . 1342
test-interval . . . . . 1343
thresholds . . . . . 1344
traps . . . . . 1345
twamp . . . . . 1346
twamp-server . . . . . 1346
udp . . . . . 1347
Part 8 Tunnel Services
Chapter 64 Tunnel Services Overview . . . . . 1351
Tunnel Services Overview . . . . . 1351
GRE Keepalive Time Overview . . . . . 1353
Chapter 65 Tunnel Interfaces Configuration Guidelines . . . . . 1355
Configuring Unicast Tunnels . . . . . 1355
Configuring a Key Number on GRE Tunnels . . . . . 1357
Enabling Fragmentation on GRE Tunnels . . . . . 1358
Specifying an MTU Setting for the Tunnel . . . . . 1359
Configuring Packet Reassembly . . . . . 1359
Configuring a GRE Tunnel to Copy ToS Bits to the Outer IP Header . . . . . 1359
Configuring GRE Keepalive Time . . . . . 1360
Restricting Tunnels to Multicast Traffic . . . . . 1362
Configuring Logical Tunnel Interfaces . . . . . 1362
Connecting Logical Systems . . . . . 1363
Configuring Tunnel Interfaces for Routing Table Lookup . . . . . 1364
Configuring Virtual Loopback Tunnels for VRF Table Lookup . . . . . 1364
Configuring PIM Tunnels . . . . . 1366
Configuring IPv6-over-IPv4 Tunnels . . . . . 1366
Configuring IPv4-over-IPv6 Tunnels . . . . . 1367
Configuring Dynamic Tunnels . . . . . 1367

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1384 routing-options . . . . . . . 1385 ttl . . . . . . . . . . . . . . . . . . . . . . . Juniper Networks. . . . . . . . . . . . . . . . . . .Junos 11. . . . . . 1384 source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1393 Index of Statements and Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1383 routing-instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1382 peer-unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1370 Example: Configuring an IPv6-over-IPv4 Tunnel . . . . 1377 destination-networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1381 key . . . . . . . . . . . . . . . . . . . . . . . 1379 hold-time . . . . . . . . . . 1380 keepalive-time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1419 xlii Copyright © 2011. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1369 Example: Configuring a Virtual Loopback Tunnel for VRF Table Lookup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
1383 routing-instances . . . . 1387 tunnel-type . 1376 copy-tos-to-outer-ip-header . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1386 tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4 Services Interfaces Configuration Guide Configuring Tunnel Interfaces on MX Series Routers . . 1378 do-not-fragment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1378 dynamic-tunnels . . . . . Inc. . . . . . . . . . . . . . . . . . . . 1382 reassemble-packets . . . . . . . . . . . . . . . 1373 Example: Configuring Keepalive for a GRE Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1374 Chapter 66 Summary of Tunnel Services Configuration Statements . . . . . . . . . . . . . . . . . . . 1375 allow-fragmentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1377 destination (Tunnel Remote End) . . . . . 1376 destination . 1380 interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . 1381 multicast-only . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1388 unit . . . . . . . . . . . . . . . 1370 Example: Configuring an IPv4-over-IPv6 Tunnel . . . . 1385 source-address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1389 Part 9 Index Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1371 Example: Configuring Logical Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1375 backup-destination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . 1368 Examples: Configuring Unicast Tunnels . . . . . . . . . . 1377 destination (Routing Instance) . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . 995 Figure 11: Example: IPsec Tunnel Connecting Security Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1018 Chapter 51 Flow Monitoring and Discard Accounting Configuration Guidelines . . . . . . . 997 Figure 12: IPsec Tunnel Redundancy . . . . . 1189 Figure 17: Dynamic Flow Capture Topology . . . . . . . . . . . . . . . . . 56 Chapter 10 Carrier-Grade NAT Configuration Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1165 Chapter 55 Dynamic Flow Capture Configuration Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365 Chapter 38 Softwire Configuration Guidelines . . . . . . . . . . . . . . . . 45 Figure 2: Dynamic NAT Flow . . . . . . . 1159 Figure 16: Flow Collector Interface Topology Diagram . . . . . . . . . . . . . . . . . . . . . . .List of Figures Part 2 Chapter 3 Adaptive Services Adaptive Services Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230 Chapter 16 IPsec Services Configuration Guidelines . . . . . . . . . . . . . . . . . . . . . . . Juniper Networks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 865 Figure 10: DS-Lite Topology . . . . . . . . . . . 52 Figure 3: Stateful NAT64 Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323 Figure 9: IPsec Dynamic Endpoint Tunneling Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1203 Copyright © 2011. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1026 Chapter 53 Flow Collection Configuration Guidelines . . . 37 Figure 1: Packet Flow Through the Adaptive Services or MultiServices PIC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
870 Part 4 Chapter 48 Encryption Services Encryption Interfaces Configuration Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xliii . . . 203 Figure 7: Configuring NAT for Multicast Traffic . . . . . . 1015 Figure 13: Passive Monitoring Application Topology . . . . . . . . . . . . . . 149 Figure 6: Configuring DNS ALGs with NAT-PT Network Topology . . . . . . . . . . . . . . 53 Figure 5: 6rd Softwire Flow . . 1019 Figure 15: Configure Sampling Rate . . . . . . . . . . . 52 Figure 4: DS-Lite Flow . . . . . . . . . . . . . . . . 1190 Chapter 56 Flow-Tap Configuration Guidelines . . . . . . . . . . . . . . . 1016 Figure 14: Active Monitoring Configuration Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1201 Figure 18: Flow-Tap Topology . . . . . . . . . . . . Inc. . . . . . . . . . . . . 1003 Part 5 Chapter 50 Flow Monitoring and Discard Accounting Services Flow Monitoring and Discard Accounting Overview . . . . . . . . . . 219 Figure 8: NAT64 Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . .Junos 11. . . . . . . . . . . . . Juniper Networks. 1236 Part 8 Chapter 65 Tunnel Services Tunnel Interfaces Configuration Guidelines . . . . . . . . . . 1371 xliv Copyright © 2011. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1233 Figure 19: Multilink Interface Configuration . . . . . . . . . . . Inc. . . . . . . . . . . . . . . . . . . .4 Services Interfaces Configuration Guide Part 6 Chapter 59 Link and Multilink Services Link and Multilink Services Configuration Guidelines . . . . . . 1355 Figure 20: IPv6 Tunnel Connecting Two IPv4 Networks Across an IPv6 Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . and Platform . .16 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413 Table 14: System Log Message Severity Levels . . . . . 358 Chapter 18 Layer 2 Tunneling Protocol Services Configuration Guidelines . . . . . . 284 Chapter 16 IPsec Services Configuration Guidelines . . . 579 Table 16: Adaptive Services Tracing Flags . . . . . . . . . . 74 Table 7: ICMP Codes and Types Supported by Services Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421 Chapter 26 Service Set Configuration Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 611 Table 17: System Log Message Severity Levels . . . . . . . . . . . . . . . 277 Table 11: Behavior of Member Interface After One Multiservices PIC Fails . . . . . . 58 Chapter 4 Applications Configuration Guidelines . . . . . . . . . . . . . . . . xlv . . . . . . . . . PIC. . . . . . . . . . . . . . . 582 Chapter 28 Service Interface Configuration Guidelines . . . . . . . . . . . . . . . . . . . . 1248 Copyright © 2011. . . . . . . . . . . 41 Table 4: Statement Equivalents for ES and AS Interfaces . . . . . . 77 Table 9: Supported RPC Services . . . . . . . . . . . . . . . . li Part 2 Chapter 3 Adaptive Services Adaptive Services Overview . . . . . 37 Table 3: AS and Multiservices PIC Services by Service Package. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .List of Tables About This Guide . . . . . . . . . . . . . . 113 Table 10: IP Option Values . . . . . . . . 283 Table 12: Behavior of Member Interface After Two Multiservices PICs Fail . . . . . . . . . . . . . . . . 117 Chapter 13 Summary of Load Balancing Configuration Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 616 Part 6 Chapter 59 Link and Multilink Services Link and Multilink Services Configuration Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . 567 Table 15: System Log Message Severity Levels . . . . . xlvii Table 1: Notice Icons . . . . . . . 1238 Table 20: Link Services Physical Interface Statements for MLFR FRF. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76 Table 8: Port Names Supported by Services Interfaces . . 71 Table 5: Application Protocols Supported by Services Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323 Table 13: Default IKE and IPsec Proposals for Dynamic Negotiations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Inc. . 1235 Table 19: Multilink and Link Services Logical Interface Statements . . . . . . . . . . . . 73 Table 6: Network Protocols Supported by Services Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1233 Table 18: Multilink and Link Services PIC Capacities . . . . . . . . . . . . . . . . . . . . . 85 Chapter 6 Stateful Firewall Services Configuration Guidelines . . . . . . . . . . . . . . . . Juniper Networks. . li Table 2: Text and Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . 1261 Part 8 Chapter 64 Tunnel Services Tunnel Services Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Inc. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1364 xlvi Copyright © 2011. . . . . . . 1351 Chapter 65 Tunnel Interfaces Configuration Guidelines . . . . . . . . . . . . . . .Junos 11. . . . . . . . . . 1252 Table 22: Link Services Bundle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1355 Table 24: Methods for Configuring Egress Filtering . . . .4 Services Interfaces Configuration Guide Table 21: Link Services CoS Queues . . . . . . . . . . . . . . . 1351 Table 23: Tunnel Interface Types . . . . . . . Juniper Networks. . .

About This Guide

This preface provides the following guidelines for using the Junos OS Services Interfaces Configuration Guide:

• Junos Documentation and Release Notes on page xlvii
• Objectives on page xlviii
• Audience on page xlviii
• Supported Platforms on page xlviii
• Using the Indexes on page xlix
• Using the Examples in This Manual on page xlix
• Documentation Conventions on page l
• Documentation Feedback on page lii
• Requesting Technical Support on page lii

Junos Documentation and Release Notes

For a list of related Junos documentation, see http://www.juniper.net/techpubs/software/junos/.

If the information in the latest release notes differs from the information in the documentation, follow the Junos Release Notes.

To obtain the most current version of all Juniper Networks technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/.

Juniper Networks supports a technical book program to publish books by Juniper Networks engineers and subject matter experts with book publishers around the world. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration using the Junos operating system (Junos OS) and Juniper Networks devices. In addition, the Juniper Networks Technical Library, published in conjunction with O'Reilly Media, explores improving network security, reliability, and availability using Junos OS configuration techniques. All the books are for sale at technical bookstores and book outlets around the world. The current list can be viewed at http://www.juniper.net/books.

Objectives

This guide provides an overview of the services interfaces provided by Junos OS and describes how to configure these properties on the router.

NOTE: For additional information about the Junos OS—either corrections to or information that might have been omitted from this guide—see the software release notes at http://www.juniper.net/.

Audience

This guide is designed for network administrators who are configuring and monitoring a Juniper Networks M Series, MX Series, T Series, EX Series, or J Series router or switch.

To use this guide, you need a broad understanding of networks in general, the Internet in particular, networking principles, and network configuration. You must also be familiar with one or more of the following Internet routing protocols:

• Border Gateway Protocol (BGP)
• Distance Vector Multicast Routing Protocol (DVMRP)
• Intermediate System-to-Intermediate System (IS-IS)
• Internet Control Message Protocol (ICMP) router discovery
• Internet Group Management Protocol (IGMP)
• Multiprotocol Label Switching (MPLS)
• Open Shortest Path First (OSPF)
• Protocol-Independent Multicast (PIM)
• Resource Reservation Protocol (RSVP)
• Routing Information Protocol (RIP)
• Simple Network Management Protocol (SNMP)

Personnel operating the equipment must be trained and competent; must not conduct themselves in a careless, willfully negligent, or hostile manner; and must abide by the instructions provided by the documentation.

Supported Platforms

For the features described in this manual, the Junos OS currently supports the following platforms:

• J Series
• M Series
• MX Series
• T Series
• EX Series

Using the Indexes

This reference contains two indexes: a complete index that includes topic entries, and an index of statements and commands only.

In the complete index, the entry for a configuration statement or command contains at least two parts:

• The primary entry refers to the statement summary section.
• The secondary entry, usage guidelines, refers to the section in a configuration guidelines chapter that describes how to use the statement or command.

In the index of statements and commands, an entry refers to a statement summary section only.

Using the Examples in This Manual

If you want to use the examples in this manual, you can use the load merge or the load merge relative command. These commands cause the software to merge the incoming configuration into the current candidate configuration. The example does not become active until you commit the candidate configuration.

If the example configuration contains the top level of the hierarchy (or multiple hierarchies), the example is a full example. In this case, use the load merge command.

If the example configuration does not start at the top level of the hierarchy, the example is a snippet. In this case, use the load merge relative command.

These procedures are described in the following sections.

Merging a Full Example

To merge a full example, follow these steps:

1. From the HTML or PDF version of the manual, copy a configuration example into a text file, save the file with a name, and copy the file to a directory on your routing platform.

   For example, copy the following configuration to a file and name the file ex-script.conf. Copy the ex-script.conf file to the /var/tmp directory on your routing platform.

   system {
       scripts {
           commit {
               file ex-script.xsl;
           }
       }
   }
   interfaces {
       fxp0 {
           disable;
           unit 0 {
               family inet {
                   address 10.0.0.1/24;
               }
           }
       }
   }

2. Merge the contents of the file into your routing platform configuration by issuing the load merge configuration mode command:

   [edit]
   user@host# load merge /var/tmp/ex-script.conf
   load complete

Merging a Snippet

To merge a snippet, follow these steps:

1. From the HTML or PDF version of the manual, copy a configuration snippet into a text file, save the file with a name, and copy the file to a directory on your routing platform.

   For example, copy the following snippet to a file and name the file ex-script-snippet.conf. Copy the ex-script-snippet.conf file to the /var/tmp directory on your routing platform.

   commit {
       file ex-script-snippet.xsl;
   }

2. Move to the hierarchy level that is relevant for this snippet by issuing the following configuration mode command:

   [edit]
   user@host# edit system scripts
   [edit system scripts]

3. Merge the contents of the file into your routing platform configuration by issuing the load merge relative configuration mode command:

   [edit system scripts]
   user@host# load merge relative /var/tmp/ex-script-snippet.conf
   load complete

For more information about the load command, see the Junos OS CLI User Guide.

Documentation Conventions

Table 1 on page li defines notice icons used in this guide.

Table 1: Notice Icons

Informational note
    Indicates important features or instructions.
Caution
    Indicates a situation that might result in loss of data or hardware damage.
Warning
    Alerts you to the risk of personal injury or death.
Laser warning
    Alerts you to the risk of personal injury from a laser.

Table 2 on page li defines the text and syntax conventions used in this guide.

Table 2: Text and Syntax Conventions

Bold text like this
    Description: Represents text that you type.
    Example: To enter configuration mode, type the configure command:
        user@host> configure

Fixed-width text like this
    Description: Represents output that appears on the terminal screen.
    Example:
        user@host> show chassis alarms
        No alarms currently active

Italic text like this
    Description: Introduces important new terms. Identifies book names. Identifies RFC and Internet draft titles.
    Examples: A policy term is a named structure that defines match conditions and actions. Junos OS System Basics Configuration Guide. RFC 1997, BGP Communities Attribute.

Italic text like this
    Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
    Example: Configure the machine's domain name:
        [edit]
        root@# set system domain-name domain-name

Text like this
    Description: Represents names of configuration statements, commands, files, and directories; interface names; configuration hierarchy levels; or labels on routing platform components.
    Examples: To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level. The console port is labeled CONSOLE.

< > (angle brackets)
    Description: Enclose optional keywords or variables.
    Example: stub <default-metric metric>;

| (pipe symbol)
    Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
    Examples: broadcast | multicast
        (string1 | string2 | string3)

# (pound sign)
    Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
    Example: rsvp { # Required for dynamic MPLS only

[ ] (square brackets)
    Description: Enclose a variable for which you can substitute one or more values.
    Example: community name members [ community-ids ]

Indention and braces ( { } )
    Description: Identify a level in the configuration hierarchy.
; (semicolon)
    Description: Identifies a leaf statement at a configuration hierarchy level.
    Example for both:
        [edit]
        routing-options {
            static {
                route default {
                    nexthop address;
                    retain;
                }
            }
        }

J-Web GUI Conventions

Bold text like this
    Description: Represents J-Web graphical user interface (GUI) items you click or select.
    Examples: In the Logical Interfaces box, select All Interfaces. To cancel the configuration, click Cancel.

> (bold right angle bracket)
    Description: Separates levels in a hierarchy of J-Web selections.
    Example: In the configuration editor hierarchy, select Protocols>Ospf.

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can send your comments to techpubs-comments@juniper.net, or fill out the documentation feedback form at https://www.juniper.net/cgi-bin/docbugreport/. If you are using e-mail, be sure to include the following information with your comments:

• Document or topic name
• URL or page number
• Software release version (if applicable)

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need postsales technical support, you can access our tools and resources online or open a case with JTAC.

• JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
• Product warranties—For product warranty information, visit http://www.juniper.net/support/warranty/.
• JTAC Hours of Operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

• Find CSC offerings: http://www.juniper.net/customers/support/
• Find product documentation: http://www.juniper.net/techpubs/
• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
• Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/
• Search technical bulletins for relevant hardware and software notifications: https://www.juniper.net/alerts/
• Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/
• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

• Use the Case Management tool in the CSC at http://www.juniper.net/cm/.
• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, visit us at http://www.juniper.net/support/requesting-support.html

PART 1
Overview

• Services Interfaces Overview on page 3
• Services Interfaces Configuration Statements on page 5

CHAPTER 1
Services Interfaces Overview

Interfaces used in router networks fall into two categories:

• Networking interfaces, such as Ethernet and SONET interfaces, that primarily provide traffic connectivity. For more information on these interfaces, see the Junos OS Network Interfaces Configuration Guide.
• Services interfaces that provide specific capabilities for manipulating traffic before it is delivered to its destination.

This chapter includes the following sections:

• Services PIC Types on page 3
• Supported Platforms on page 4

Services PIC Types

Services interfaces enable you to add services to your network incrementally. The Juniper Networks Junos OS supports the following services PICs:

• Adaptive services interfaces (Adaptive Services [AS] PICs and Multiservices PICs)—Enable you to perform multiple services on the same PIC by configuring a set of services and applications. The AS and Multiservices PICs offer a special range of services you configure in one or more service sets: stateful firewalls, Network Address Translation (NAT), intrusion detection service (IDS), class-of-service functionality, and IP Security (IPsec). You can also configure voice services and Layer 2 Tunneling Protocol (L2TP) services. For more information about these services, see "Adaptive Services Overview" on page 37.

  NOTE: On Juniper Networks MX Series 3D Universal Edge Routers, the Multiservices DPC provides essentially the same capabilities as the Multiservices PIC. The interfaces on both platforms are configured in the same way.

• ES PIC—Provides a security suite for the IP version 4 (IPv4) and IP version 6 (IPv6) network layers. The suite provides functionality such as authentication of origin, data integrity, confidentiality, replay protection, and nonrepudiation of source. It also defines mechanisms for key generation and exchange, management of security associations, and support for digital certificates. For more information about encryption interfaces, see "Configuring Encryption Interfaces" on page 995.

• Monitoring Services PICs—Enable you to monitor traffic flow and export the monitored traffic. Monitoring traffic allows you to perform the following tasks:

  • Gather and export detailed information about IPv4 traffic flows between source and destination nodes in your network.
  • Sample all incoming IPv4 traffic on the monitoring interface and present the data in cflowd record format.
  • Perform discard accounting on an incoming traffic flow.
  • Encrypt or tunnel outgoing cflowd records, intercepted IPv4 traffic, or both.
  • Direct filtered traffic to different packet analyzers and present the data in its original format.

  For more information about flow monitoring interfaces, see Flow Monitoring.

• Multilink Services and Link Services PICs—Enable you to split, recombine, and sequence datagrams across multiple logical data links. The goal of multilink operation is to coordinate multiple independent links between a fixed pair of systems, providing a virtual link with greater bandwidth than any of the members. The Junos OS supports two services PICs based on the Multilink Protocol: the Multilink Services PIC and the Link Services PIC. For more information about multilink and link services interfaces, see Link and Multilink Properties.

• Tunnel Services PIC—By encapsulating arbitrary packets inside a transport protocol, provides a private, secure path through an otherwise public network. Tunnels connect discontinuous subnetworks and enable encryption interfaces, virtual private networks (VPNs), and MPLS. For more information about tunnel interfaces, see Tunnel Properties.

Supported Platforms

For information about which platforms support Adaptive Services and MultiServices PICs and their features, including PIC support on a specific Juniper Networks M Series Multiservice Edge Router or T Series Core Router, see the appropriate PIC Guide for the platform. For information about MS-DPC support on a specific MX Series router, see the appropriate DPC Guide for the platform. For information about services supported on Juniper Networks SRX Series Services Gateways and J Series Services Routers, see the Junos OS Feature Support Reference for SRX Series and J Series Devices.

CHAPTER 2
Services Interfaces Configuration Statements

This chapter shows the complete configuration statement hierarchies for configuring services interfaces. It lists all the statements that pertain to configuring services and shows their level in the configuration hierarchy. When you are configuring the Junos OS, your current hierarchy level is shown in the banner on the line preceding the user@host# prompt. For a complete list of the Junos configuration statements, see the Junos OS Hierarchy and RFC Reference.

This chapter is organized as follows:

• [edit applications] Hierarchy Level on page 5
• [edit forwarding-options] Hierarchy Level on page 6
• [edit interfaces] Hierarchy Level on page 8
• [edit logical-systems] Hierarchy Level on page 12
• [edit services] Hierarchy Level on page 12

[edit applications] Hierarchy Level

To configure application protocols, include the following statements at the [edit applications] hierarchy level of the configuration:

application application-name {
    application-protocol protocol-name;
    destination-port port-number;
    icmp-code value;
    icmp-type value;
    inactivity-timeout value;
    learn-sip-register;
    protocol type;
    rpc-program-number number;
    sip-call-hold-timeout seconds;
    snmp-command command;
    source-port port-number;
    ttl-threshold value;
    uuid hex-value;
}
application-set application-set-name {
    application application-name;
}

[edit forwarding-options] Hierarchy Level

To configure flow monitoring and accounting properties, include the following statements at the [edit forwarding-options] hierarchy level:

NOTE: For the complete [edit forwarding-options] hierarchy, see the Junos OS Routing Policy Configuration Guide. This listing includes only the statements used in flow monitoring and accounting services.

accounting name {
    output {
        aggregate-export-interval seconds;
        cflowd hostname {
            aggregation {
                autonomous-system;
                destination-prefix;
                protocol-port;
                source-destination-prefix {
                    caida-compliant;
                }
                source-prefix;
            }
            autonomous-system-type (origin | peer);
            port port-number;
            version format;
        }
        flow-active-timeout seconds;
        flow-inactive-timeout seconds;
        interface interface-name {
            engine-id number;
            engine-type number;
            source-address address;
        }
    }
}
monitoring name {
    family inet {
        output {
            cflowd hostname port port-number;
            export-format format;
            flow-active-timeout seconds;
            flow-export-destination {
                collector-pic;
            }
            flow-inactive-timeout seconds;
            interface interface-name {
                engine-id number;
                engine-type number;
                input-interface-index number;
                output-interface-index number;
                source-address address;
            }
        }
    }
}
next-hop-group group-name {
    interface interface-name {
        next-hop address;
    }
}
port-mirroring {
    input {
        rate rate;
        run-length number;
    }
    output {
        interface interface-name {
            next-hop address;
        }
    }
    family (inet | inet6) {
        input {
            rate rate;
            run-length number;
        }
        output {
            interface interface-name {
                next-hop address;
            }
            no-filter-check;
        }
    }
    traceoptions {
        file filename {
            files number;
            size bytes;
            (world-readable | no-world-readable);
        }
    }
}
sampling {
    disable;
    family (inet | inet6 | mpls) {
        max-packets-per-second number;
    }
    input {
        rate number;
        run-length number;
    }
    output {
        aggregate-export-interval seconds;
        cflowd hostname {
            aggregation {
                autonomous-system;
                destination-prefix;
                protocol-port;
                source-destination-prefix {
                    caida-compliant;
                }
                source-prefix;
            }
            autonomous-system-type (origin | peer);
            (local-dump | no-local-dump);
            port port-number;
            source-address address;
            version format;
            version9 {
                template template-name;
            }
        }
        file {
            disable;
            filename filename;
            files number;
            size bytes;
            (stamp | no-stamp);
            (world-readable | no-world-readable);
        }
        flow-active-timeout seconds;
        flow-inactive-timeout seconds;
        interface interface-name {
            engine-id number;
            engine-type number;
            source-address address;
        }
    }
    traceoptions {
        file filename {
            files number;
            size bytes;
            (world-readable | no-world-readable);
        }
    }
}

                }
                source-prefix;
            }
            autonomous-system-type (origin | peer);
            port port-number;
            source-address address;
            version format;
            version9 {
                template template-name;
            }
            (local-dump | no-local-dump);
        }
        file {
            disable;
            filename filename;
            files number;
            size bytes;
            (stamp | no-stamp);
            (world-readable | no-world-readable);
        }
        flow-active-timeout seconds;
        flow-inactive-timeout seconds;
        interface interface-name {
            engine-id number;
            engine-type number;
            source-address address;
        }
    }
    traceoptions {
        file filename {
            files number;
            size bytes;
            (world-readable | no-world-readable);
        }
    }
}

[edit interfaces] Hierarchy Level

To configure services interfaces, include the following statements at the [edit interfaces] hierarchy level of the configuration. The statements can also be configured at the [edit logical-systems logical-system-name interfaces] hierarchy level.

NOTE: For the complete [edit interfaces] hierarchy, see the Junos OS Network Interfaces Configuration Guide. This listing includes only the statements used in configuring services.

[edit interfaces]
interface-name {
    (atm-options | fastether-options | gigether-options | sonet-options) {
        mpls {
            pop-all-labels {
                required-depth number;

            }
        }
    }
    encapsulation type;
    lsq-failure-options {
        no-termination-request;
        trigger-link-failure interface-name;
    }
    mlfr-uni-nni-bundle-options {
        acknowledge-retries number;
        acknowledge-timer milliseconds;
        action-red-differential-delay (disable-tx | remove-link);
        cisco-interoperability send-lip-remove-link-for-link-reject;
        drop-timeout milliseconds;
        fragment-threshold bytes;
        hello-timer milliseconds;
        lmi-type (ansi | itu);
        minimum-links number;
        mrru bytes;
        n391 number;
        n392 number;
        n393 number;
        red-differential-delay milliseconds;
        t391 number;
        t392 number;
        yellow-differential-delay milliseconds;
    }
    passive-monitor-mode;
    unit logical-unit-number {
        clear-dont-fragment-bit;
        compression {
            rtp {
                f-max-period number;
                maximum-contexts number <force>;
                port {
                    minimum port-number;
                    maximum port-number;
                }
                queues [ queue-numbers ];
            }
        }
        compression-device interface-name;
        copy-tos-to-outer-ip-header;
        dial-options {
            ipsec-interface-id name;
            l2tp-interface-id name;
            (dedicated | shared);
        }
        disable-mlppp-inner-ppp-pfc;
        dlci dlci-identifier;
        drop-timeout milliseconds;
        encapsulation type;
        family family {
            accounting {
                destination-class-usage;

                source-class-usage direction;
            }
            address address {
                destination address;
            }
            bundle (ml-fpc/pic/port | ls-fpc/pic/port);
            ipsec-sa ipsec-sa;
            receive-options-packets;
            receive-ttl-exceeded;
            sampling direction;
            service {
                input {
                    service-set service-set-name <service-filter filter-name>;
                    post-service-filter filter-name;
                }
                output {
                    service-set service-set-names <service-filter filter-name>;
                }
            }
        }
        fragment-threshold bytes;
        interleave-fragments;
        minimum-links number;
        mrru bytes;
        multicast-dlci dlci-identifier;
        multicast-only;
        peer-unit unit-number;
        reassemble-packets;
        rpm;
        service-domain (inside | outside);
        short-sequence;
        tunnel {
            allow-fragmentation;
            backup-destination address;
            destination destination-address;
            do-not-fragment;
            key number;
            routing-instance {
                destination routing-instance-name;
            }
            source-address address;
            ttl number;
        }
        twamp-server;
    }
    multiservice-options {
        (core-dump | no-core-dump);
        flow-control-options {
            down-on-flow-control;
            dump-on-flow-control;
            reset-on-flow-control;
        }
        (syslog | no-syslog);
    }
    services-options {
        cgn-pic;

        disable-global-timeout-override;
        ignore-errors <alg> <tcp>;
        inactivity-non-tcp-timeout seconds;
        inactivity-tcp-timeout seconds;
        inactivity-timeout seconds;
        open-timeout seconds;
        session-limit {
            maximum number;
            rate new-sessions-per-second;
        }
        session-timeout seconds;
        syslog {
            host hostname {
                facility-override facility-name;
                log-prefix prefix-value;
                port port-number;
                services severity-level;
            }
            message-rate-limit messages-per-second;
        }
        tcp-tickles tcp-tickles;
    }
}
rlsqnumber {
    redundancy-options {
        hot-standby | warm-standby;
        primary lsq-fpc/pic/port;
        secondary lsq-fpc/pic/port;
    }
}
rlsqnumber:number {
    redundancy-options {
        hot-standby | warm-standby;
        primary lsq-fpc/pic/port;
        secondary lsq-fpc/pic/port;
    }
    encapsulation multilink-frame-relay-uni-nni;
    unit logical-unit-number {
        encapsulation multilink-frame-relay-end-to-end;
    }
}
rspnumber {
    redundancy-options {
        primary sp-fpc/pic/port;
        secondary sp-fpc/pic/port;
    }
}
so-fpc/pic/port {
    unit logical-unit-number {
        passive-monitor-mode;
    }
}

[edit logical-systems] Hierarchy Level

The following lists the statements that can be configured at the [edit logical-systems] hierarchy level that are documented in this manual. For more information about logical systems, see the Junos OS Routing Protocols Configuration Guide.

logical-system-name {
    interfaces interface-name {
        interface-configuration;
    }
}

[edit services] Hierarchy Level

To configure services, include the following statements at the [edit services] hierarchy level of the configuration:

NOTE: For the complete [edit services] hierarchy, see the Junos OS Hierarchy and RFC Reference. This listing includes only the statements documented in this manual; additional statements are documented in the Junos OS Subscriber Access Configuration Guide.

aacl {
    rule rule-name {
        match-direction (input | output | input-output);
        term term-name {
            from {
                application-group-any;
                application-groups [ application-group-names ];
                applications [ application-names ];
                destination-address address <any-unicast>;
                destination-address-range low minimum-value high maximum-value;
                destination-prefix-list list-name;
                source-address address <any-unicast>;
                source-address-range low minimum-value high maximum-value;
                source-prefix-list list-name;
            }
            then {
                (accept | discard);
                count (application | application-group | application-group-any | none);
                forwarding-class class-name;
                policer policer-name;
            }
        }
    }
    rule-set rule-set-name {
        [ rule rule-names ];
    }
}
adaptive-services-pics {
    traceoptions {

        file filename <files number> <size size> <world-readable | no-world-readable> <match regex>;
        flag flag;
        no-remote-trace;
    }
}
application-identification {
    application application-name {
        disable;
        index number;
        type type;
        port-mapping {
            port-range {
                tcp (port | range);
                udp (port | range);
            }
            disable;
        }
    }
    application-group group-name {
        disable;
        application-groups {
            name [application-group-name];
        }
        applications {
            name [application-name];
        }
        index number;
    }
    application-system-cache-timeout seconds;
    enable-heuristics;
    nested-application nested-application-settings;
    no-application-identification;
    no-application-system-cache;
    no-clear-application-system-cache;
    profile profile-name {
        [ rule-set rule-set-name ];
    }
    rule rule-name {
        disable;
        idle-timeout seconds;
        max-checked-bytes bytes;
        min-checked-bytes bytes;
        no-signature-based;
        session-timeout seconds;
        type-of-service service-type;
        address address-name {
            destination {
                ip address</prefix-length>;
                port-range {
                    tcp [ ports-and-port-ranges ];
                    udp [ ports-and-port-ranges ];
                }
            }
            source {

} then { committed-burst-size bytes. flag flag. .Junos 11. udp [ ports-and-port-ranges ]. dscp (alias | do-not-change | dscp-value). committed-burst-size number-of-transactions. } rule-set rule-set-name { rule application-rule-name. reject. committed-burst-size number-of-dialogs. committed-attempts-rate dialogs-per-second. service-policies { new-call-usage-input-policies [policy-and-policy-set-names]. committed-attempts-rate transactions-per-second. service-point-type service-point-type. } traceoptions { file filename <files number> <match regex> <size size> <world-readable | no-world-readable>. } } border-signaling-gateway { gateway gateway-name { admission-control admission-control-profile { dialogs { maximum-concurrent number. } } embedded-spdf { service-class service-class-name { term term-name { from { media-type (any-media | audio | video). Juniper Networks. 14 Copyright © 2011. no-remote-trace. committed-information-rate bytes-per-second. Inc.unit-number. } } order number.4 Services Interfaces Configuration Guide ip address</prefix-length>. } transactions { maximum-concurrent number. } application application-name. } } } } service-point service-point-name { default-media-realm service-interface interface-name. port-range { tcp [ ports-and-port-ranges ]. new-call-usage-output-policies [policy-and-policy-set-names].

                new-transaction-input-policies [policy-and-policy-set-names];
                new-transaction-output-policies [policy-and-policy-set-names];
            }
            transport-details <port port-number> <ip-address ip-address> <tcp> <udp>;
        }
        sip {
            message-manipulation-rules {
                manipulation-rule rule-name {
                    actions {
                        sip-header header-field-name {
                            field-value {
                                add field-value;
                                add-missing field-value;
                                add-overwrite field-value;
                                modify-regular-expression regular-expression with field-value;
                                reject-regular-expression regular-expression;
                                remove-all;
                                remove-regular-expression regular-expression;
                            }
                        }
                        request-uri request-uri {
                            field-value {
                                modify-regular-expression regular-expression with field-value;
                            }
                        }
                    }
                }
            }
            new-call-usage-policy policy-name {
                term term-name {
                    from {
                        contact [ contact-fields ];
                        method {
                            method-invite;
                        }
                        request-uri [ uri-fields ];
                        source-address [ ip-addresses ];
                    }
                    then {
                        media-policy {
                            data-inactivity-detection {
                                inactivity-duration seconds;
                            }
                            no-anchoring;
                        }
                        service-class service-class-name;
                        trace;
                    }
                }
            }
            new-call-usage-policy-set policy-set-name {
                policy-name [ policy-names ];
            }
            new-transaction-policy policy-name {
                term term-name {
                    from {
                        contact {

                            registration-state [ registered | not-registered ];
                            regular-expression [ regular-expression ];
                            uri-hiding [ hidden-uri | not-hidden-uri ];
                        }
                        method {
                            method-invite;
                            method-message;
                            method-options;
                            method-publish;
                            method-refer;
                            method-register;
                            method-subscribe;
                        }
                        request-uri {
                            registration-state [ registered | not-registered ];
                            regular-expression [ regular-expression ];
                            uri-hiding [ hidden-uri | not-hidden-uri ];
                        }
                        source-address [ ip-addresses ];
                    }
                    then {
                        (accept | reject);
                        admission-control admission-control-profile;
                        message-manipulation {
                            forward-manipulation {
                                manipulation-rule-name;
                            }
                            reverse-manipulation {
                                manipulation-rule-name;
                            }
                        }
                        on-3xx-response {
                            recursion-limit number;
                        }
                        route {
                            egress-service-point service-point-name;
                            next-hop (request-uri | address ipv4-address | <port port-number> <transport-protocol (udp | tcp)>);
                            signaling-realm signaling-realm;
                        }
                        server-cluster cluster-name;
                        trace;
                    }
                }
            }
            new-transaction-policy-set policy-set-name {
                policy-name [ policy-names ];
            }
            routing-destinations {
                availability-check-profiles {
                    profile-name {
                        keepalive-interval {
                            available-server seconds;
                            unavailable-server seconds;
                        }

                        keepalive-method sip-options;
                        keepalive-strategy (do-not-send <blackout-period seconds> | send-always <failures-before-unavailable number> <successes-before-available number> | send-when-unavailable <successes-before-available number>);
                        transaction-timeout seconds;
                    }
                }
                clusters {
                    cluster-name {
                        server server-name {
                            priority priority-level;
                            weight weight-level;
                        }
                    }
                }
                default-availability-check-profile profile-name;
                servers {
                    server-name {
                        address ip4-address <port port-number> <transport (udp | tcp)>;
                        admission-control profile-name;
                        availability-check-profile profile-name;
                        service-point service-point-name;
                    }
                }
            }
            timers {
                inactive-call seconds;
                timer-c seconds;
            }
        }
        traceoptions {
            file {
                filename filename;
                files number;
                match regex;
                size size;
            }
            flag {
                datastore {
                    data trace-level;
                    db trace-level;
                    minimum trace-level;
                }
                framework {
                    action trace-level;
                    configuration trace-level;
                    device-monitor trace-level;
                    event trace-level;
                    executor trace-level;
                    freezer trace-level;
                    handle trace-level;
                    ipc trace-level;
                    memory-management trace-level;
                    memory-pool trace-level;
                    minimum trace-level;
                }
                minimum trace-level;
                sbc-utils {
                    common trace-level;

                    message trace-level;
                    minimum trace-level;
                    user-interface trace-level;
                }
                session-trace trace-level;
                signaling {
                    b2b trace-level;
                    b2b-wrapper trace-level;
                    minimum trace-level;
                    policy trace-level;
                    sip-stack-wrapper trace-level;
                    topology-hiding trace-level;
                    ua trace-level;
                }
                sip-stack {
                    dev-logging;
                    event-tracing;
                    ips-tracing;
                    minimum trace-level;
                    pd-log-detail (full | summary);
                    pd-log-level (audit | exception | problem);
                    per-tracing;
                    verbose-logging;
                }
            }
        }
    }
}
cos {
    application-profile profile-name {
        ftp {
            data {
                dscp (alias | bits);
                forwarding-class class-name;
            }
        }
        sip {
            video {
                dscp (alias | bits);
                forwarding-class class-name;
            }
            voice {
                dscp (alias | bits);
                forwarding-class class-name;
            }
        }
    }
    rule rule-name {
        match-direction (input | output | input-output);
        term term-name {
            from {
                application-sets set-name;
                applications [ application-names ];
                destination-address address;
                destination-prefix-list list-name <except>;
                source-address address;
                source-prefix-list list-name <except>;

            }
            then {
                application-profile profile-name;
                dscp (alias | bits);
                forwarding-class class-name;
                (reflexive | reverse) {
                    application-profile profile-name;
                    dscp (alias | bits);
                    forwarding-class class-name;
                }
                syslog;
            }
        }
    }
    rule-set rule-set-name {
        rule rule-name;
    }
}
dynamic-flow-capture {
    capture-group client-name {
        content-destination identifier {
            address address;
            hard-limit bandwidth;
            hard-limit-target bandwidth;
            soft-limit bandwidth;
            soft-limit-clear bandwidth;
            ttl hops;
        }
        control-source identifier {
            allowed-destinations [ destination ];
            minimum-priority value;
            no-syslog;
            notification-targets address port port-number;
            service-port port-number;
            shared-key value;
            source-addresses [ address ];
            syslog;
        }
        duplicates-dropped-periodicity seconds;
        input-packet-rate-threshold rate;
        interfaces interface-name;
        max-duplicates number;
        pic-memory-threshold percentage percentage;
    }
    g-duplicates-dropped-periodicity seconds;
    g-max-duplicates number;
}
flow-collector {
    analyzer-address address;
    analyzer-id name;
    destinations {
        ftp:url {
            password "password";
        }
    }
    file-specification {
        variant variant-number {

            data-format format;
            name-format format;
            transfer {
                record-level number;
                timeout seconds;
            }
        }
    }
    interface-map {
        collector interface-name;
        file-specification variant-number;
        interface-name {
            collector interface-name;
            file-specification variant-number;
        }
    }
    retry number;
    retry-delay seconds;
    transfer-log-archive {
        archive-sites {
            ftp:url {
                password "password";
                username username;
            }
        }
        filename-prefix prefix;
        maximum-age minutes;
    }
}
flow-monitoring {
    version9 {
        template template-name {
            flow-active-timeout seconds;
            flow-inactive-timeout seconds;
            ipv4-template;
            ipv6-template;
            mpls-template {
                label-position [ positions ];
            }
            mpls-ipv4-template {
                label-position [ positions ];
            }
            option-refresh-rate packets packets seconds seconds;
            template-refresh-rate packets packets seconds seconds;
        }
    }
}
flow-tap {
    (interface interface-name | tunnel-interface interface-name);
}
ids {
    rule rule-name {
        match-direction (input | output | input-output);
        term term-name {
            from {
                application-sets set-name;

                applications [ application-names ];
                destination-address (address | any-unicast) <except>;
                destination-address-range low minimum-value high maximum-value <except>;
                destination-prefix-list list-name <except>;
                source-address (address | any-unicast) <except>;
                source-address-range low minimum-value high maximum-value <except>;
                source-prefix-list list-name <except>;
            }
            then {
                aggregation {
                    destination-prefix prefix-number | destination-prefix-ipv6 prefix-number;
                    source-prefix prefix-number | source-prefix-ipv6 prefix-number;
                }
                (force-entry | ignore-entry);
                logging {
                    syslog;
                    threshold rate;
                }
                session-limit {
                    by-destination {
                        hold-time seconds;
                        maximum number;
                        packets number;
                        rate number;
                    }
                    by-pair {
                        maximum number;
                        packets number;
                        rate number;
                    }
                    by-source {
                        hold-time seconds;
                        packets number;
                        rate number;
                    }
                }
                syn-cookie {
                    mss value;
                    threshold rate;
                }
            }
        }
    }
    rule-set rule-set-name {
        rule rule-name;
    }
}
ipsec-vpn {
    clear-ike-sas-on-pic-restart;
    clear-ipsec-sas-on-pic-restart;
    ike {
        proposal proposal-name {
            authentication-algorithm (md5 | sha1 | sha-256);
            authentication-method (dsa-signatures | pre-shared-keys | rsa-signatures);
            description description;

            dh-group (group1 | group2 | group5 | group14);
            encryption-algorithm algorithm;
            lifetime-seconds seconds;
        }
        policy policy-name {
            description description;
            local-certificate identifier;
            local-id (ipv4_addr ipv4-address | ipv6-addr ipv6-address | key-id identifier);
            mode (aggressive | main);
            pre-shared-key (ascii-text key | hexadecimal key);
            proposals [ proposal-names ];
            version (1 | 2);
            remote-id {
                ipv4_addr [ values ];
                ipv6_addr [ values ];
                key_id [ values ];
            }
        }
    }
    ipsec {
        proposal proposal-name {
            authentication-algorithm (hmac-md5-96 | hmac-sha1-96);
            description description;
            encryption-algorithm algorithm;
            lifetime-seconds seconds;
            protocol (ah | esp | bundle);
        }
        policy policy-name {
            description description;
            perfect-forward-secrecy {
                keys (group1 | group2);
            }
            proposals [ proposal-names ];
        }
    }
    rule rule-name {
        match-direction (input | output);
        term term-name {
            from {
                destination-address address;
                ipsec-inside-interface interface-name;
                source-address address;
            }
            then {
                anti-replay-window-size bits;
                backup-remote-gateway address;
                clear-dont-fragment-bit;
                dynamic {
                    ike-policy policy-name;
                    ipsec-policy policy-name;
                }
                initiate-dead-peer-detection;
                manual {
                    direction (inbound | outbound | bidirectional) {
                        authentication {
                            algorithm (hmac-md5-96 | hmac-sha1-96);

                            key (ascii-text key | hexadecimal key);
                        }
                        auxiliary-spi spi-value;
                        encryption {
                            algorithm algorithm;
                            key (ascii-text key | hexadecimal key);
                        }
                        protocol (ah | bundle | esp);
                        spi spi-value;
                    }
                }
                no-anti-replay;
                remote-gateway address;
                syslog;
                tunnel-mtu bytes;
            }
        }
    }
    rule-set rule-set-name {
        rule rule-name;
    }
    no-ipsec-tunnel-in-traceroute;
    traceoptions {
        file {
            files number;
            size bytes;
        }
        flag flag;
    }
}
l2tp {
    tunnel-group name {
        hello-interval seconds;
        hide-avps;
        l2tp-access-profile profile-name;
        local-gateway address address;
        maximum-send-window packets;
        ppp-access-profile profile-name;
        receive-window packets;
        retransmit-interval seconds;
        service-interface interface-name;
        syslog {
            host hostname {
                facility-override facility-name;
                log-prefix prefix-value;
                services severity-level;
            }
        }
        tunnel-timeout seconds;
    }
    traceoptions {
        debug-level level;
        level level;
        filter {
            protocol name;

        }
        flag flag;
        interfaces interface-name {
            debug-level level;
            flag flag;
        }
    }
}
logging {
    traceoptions {
        file filename <files number> <size size> <world-readable | no-world-readable> <match regex>;
        flag flag;
    }
}
nat {
    ipv6-multicast-interfaces (all | interface-name) {
        disable;
    }
    pool nat-pool-name {
        address ip-prefix</prefix-length>;
        address-range low minimum-value high maximum-value;
        pgcp {
            hint [ hint-strings ];
            ports-per-session ports;
            remotely-controlled;
            transport;
        }
        port (automatic | range low minimum-value high maximum-value) {
            random-allocation;
        }
    }
    rule rule-name {
        match-direction (input | output);
        term term-name {
            from {
                application-sets set-name;
                applications [ application-names ];
                destination-address (address | any-unicast) <except>;
                destination-address-range low minimum-value high maximum-value <except>;
                destination-prefix-list list-name <except>;
                source-address (address | any-unicast) <except>;
                source-address-range low minimum-value high maximum-value <except>;
                source-prefix-list list-name <except>;
            }
            then {
                syslog;
                translated {
                    destination-pool nat-pool-name;
                    destination-prefix destination-prefix;
                    dns-alg-pool dns-alg-pool;
                    dns-alg-prefix dns-alg-prefix;
                    overload-pool overload-pool-name;
                    overload-prefix overload-prefix;
                    source-pool nat-pool-name;
                    source-prefix source-prefix;
                    translation-type {

                        (basic-nat-pt | basic-nat44 | basic-nat66 | dnat-44 | dynamic-nat44 | napt-44 | napt-66 | napt-pt | stateful-nat64 | twice-basic-nat-44 | twice-dynamic-nat-44 | twice-napt-44);
                    }
                    use-dns-map-for-destination-translation;
                }
            }
        }
    }
    rule-set rule-set-name {
        rule rule-name;
    }
}
pgcp {
    gateway gateway-name {
        cleanup-timeout seconds;
        data-inactivity-detection {
            inactivity-delay seconds;
            inactivity-duration seconds;
            latch-deadlock-delay seconds;
            no-rtcp-check;
            send-notification-on-delay;
            stop-detection-on-drop;
            report-service-change {
                service-change-type (forced-906 | forced-910);
            }
        }
        fast-update-filters {
            maximum-terms number-of-terms;
            maximum-fuf-percentage percentage;
        }
        gateway-address gateway-address;
        gateway-controller gateway-controller-name {
            controller-address ip-address;
            controller-port port-number;
            interim-ah-scheme {
                algorithm algorithm;
            }
        }
        gateway-port gateway-port;
        graceful-restart {
            maximum-synchronization-mismatches number-of-mismatches;
        }
        h248-properties {
            application-data-inactivity-detection {
                ip-flow-stop-detection (regulated-notify | immediate-notify);
            }
            base-root {
                mg-provisional-response-timer-value {
                    default milliseconds;
                    maximum milliseconds;
                    minimum milliseconds;
                }
                mgc-originated-pending-limit {
                    default number-of-messages;

                    maximum number-of-messages;
                    minimum number-of-messages;
                }
                mg-maximum-pdu-size {
                    default bytes;
                    maximum bytes;
                    minimum bytes;
                }
                mgc-maximum-pdu-size {
                    default bytes;
                    maximum bytes;
                    minimum bytes;
                }
                normal-mg-execution-time {
                    default milliseconds;
                    maximum milliseconds;
                    minimum milliseconds;
                }
                normal-mgc-execution-time {
                    default milliseconds;
                    maximum milliseconds;
                    minimum milliseconds;
                }
            }
            diffserv {
                dscp {
                    default (dscp-value | alias | do-not-change);
                }
            }
            event-timestamp-notification {
                request-timestamp (requested | suppressed | autonomous);
            }
            hanging-termination-detection {
                timerx seconds;
            }
            notification-behavior {
                notification-regulation default (once | 0..100);
            }
            segmentation {
                mg-segmentation-timer {
                    default milliseconds;
                    maximum milliseconds;
                    minimum milliseconds;
                }
                mgc-segmentation-timer {
                    default milliseconds;
                    maximum milliseconds;
                    minimum milliseconds;
                }
            }
            traffic-management {
                max-burst-size {
                    default bytes-per-second;
                    maximum bytes-per-second;
                    minimum bytes-per-second;
                    rtcp {

                        (fixed-value bytes-per-second | percentage percentage);
                    }
                }
                peak-data-rate {
                    default bytes-per-second;
                    maximum bytes-per-second;
                    minimum bytes-per-second;
                    rtcp {
                        (fixed-value bytes-per-second | percentage percentage);
                    }
                }
                sustained-data-rate {
                    default bytes-per-second;
                    maximum bytes-per-second;
                    minimum bytes-per-second;
                    rtcp {
                        (fixed-value bytes-per-second | percentage percentage);
                    }
                    rtcp-include;
                }
            }
            inactivity-timer {
                inactivity-timeout {
                    detect;
                    maximum-inactivity-time {
                        default 10-millisecond-units;
                        maximum 10-millisecond-units;
                        minimum 10-millisecond-units;
                    }
                }
            }
        }
        h248-options {
            audit-observed-events-returns;
            encoding {
                no-dscp-bit-mirroring;
                use-lower-case;
            }
            service-change {
                context-indications {
                    state-loss (forced-910 | forced-915 | none);
                }
                control-association-indications {
                    disconnect {
                        controller-failure (failover-909 | restart-902);
                        reconnect (disconnected-900 | restart-902);
                    }
                    down {
                        administrative (forced-905 | forced-908 | none);
                        failure (forced-904 | forced-908 | none);
                        graceful (graceful-905 | none);
                    }
                    up {
                        cancel-graceful (none | restart-918);
                        failover-cold (failover-920 | restart-901);
                        failover-warm (failover-919 | restart-902);

                        warm (none | restart-900);
                    }
                }
                virtual-interface-indications {
                    virtual-interface-down {
                        administrative (forced-905 | forced-906 | none);
                        failure (forced-904 | forced-906 | none);
                        graceful (graceful-905 | none);
                    }
                    virtual-interface-up {
                        cancel-graceful (none | restart-918);
                    }
                }
            }
            use-wildcard-response;
        }
        h248-timers {
            initial-average-ack-delay milliseconds;
            maximum-net-propagation-delay milliseconds;
            maximum-waiting-delay milliseconds;
            tmax-retransmission-delay milliseconds;
        }
        max-concurrent-calls number-of-calls;
        monitor {
            media {
                rtcp;
                rtp;
            }
        }
        nat-pool nat-pool-name;
        service-state (in-service | out-of-service-forced | out-of-service-graceful);
        session-mirroring {
            delivery-function delivery-function-name {
                destination-address destination-address;
                destination-port destination-port;
                network-operator-id network-operator-id;
                source-address source-address;
                source-port source-port;
            }
            disable-session-mirroring;
        }
        traceoptions {
            file <filename filename> <files number> <match regex> <size size> <world-readable | no-world-readable>;
            flag {
                bgf-core {
                    common trace-level;
                    default trace-level;
                    firewall trace-level;
                    gate-logic trace-level;
                    media-gateway trace-level;
                    pic-broker trace-level;
                    statistics trace-level;
                }
                default trace-level;
                h248-stack {
                    control-association trace-level;
                    default trace-level;
                    messages;
                    messaging trace-level;
                }
                sbc-utils {
                    common trace-level;
                    configuration trace-level;
                    default trace-level;
                    device-monitor trace-level;
                    ipc trace-level;
                    memory-management trace-level;
                    policy trace-level;
                    user-interface trace-level;
                }
            }
        }
        virtual-interface interface-number {
            nat-pool nat-pool-name;
            routing-instance instance-name {
                service-interface interface-name;
            }
            service-interface interface-identifier.unit-number;
            service-state (in-service | out-of-service-forced | out-of-service-graceful);
            session-mirroring {
                delivery-function delivery-function-name {
                    destination-address destination-address;
                    destination-port destination-port;
                    network-operator-id network-operator-id;
                    source-address source-address;
                    source-port source-port;
                }
                disable-session-mirroring;
            }
        }
    }
    rule rule-name {
        gateway gateway-name;
        nat-pool nat-pool-name;
    }
    rule-set rule-set-name {
        rule rule-name;
    }
}
ptsp {
    forward-rule rule-name {
        term precedence {
            from {
                application-groups [ application-group-name ];
                applications [ application-name ];
                local-address address <except>;
                local-address-range low low-value high high-value <except>;
                local-prefix-list prefix-list-name <except>;
            }
            then {
                forwarding-instance forwarding-instance unit-number unit-number;

Junos 11. hardware-timestamp. forward-rule forward-rule-name. application-groups [ application-group-name ]. applications [ application-name ]. term precedence { from { application-group-any. probe-interval seconds. count (application | application-group | application-group-any | rule | none). } } rpm { bgp { data-fill data. remote-address address <except>. remote-ports [ value-list ]. data-size size. forwarding-class forwarding-class. moving-average-size number. routing-instances instance-name. match-direction (input | input-output | output). police policer-name. } probe owner { test test-name { data-fill data. demux (destination-address | source-address). probe-type type. data-size size. } } } rule-set rule-set-name { rule rule-name. logical-system logical-system-name <routing-instances routing-instance-name>. probe-count count. } then { (accept | discard). 30 Copyright © 2011. . protocol protocol-number. destination-port port. remote-address-range low low-value high high-value <except>. destination-port port. remote-prefix-list prefix-list-name <except>. local-port-range low low-value high high-value. remote-port-range low low-value high high-value. destination-interface interface-name. test-interval interval. Inc. dscp-code-point dscp-bits. history-size size.4 Services Interfaces Configuration Guide } } } rule rule-name { count-type (application | rule). local-ports [ value-list ]. Juniper Networks.

            history-size size;
            moving-average-size number;
            one-way-hardware-timestamp;
            probe-count count;
            probe-interval seconds;
            probe-type type;
            routing-instance instance-name;
            source-address address;
            target (url | address);
            test-interval interval;
            thresholds thresholds;
            traps traps;
        }
    }
    probe-limit limit;
    probe-server {
        tcp {
            destination-interface interface-name;
            port number;
        }
        udp {
            destination-interface interface-name;
            port number;
        }
    }
    twamp {
        server {
            authentication-mode (authenticated | encrypted | none);
            client-list list-name {
                address address;
            }
            inactivity-timeout seconds;
            maximum-connections count;
            maximum-connections-per-client count;
            maximum-sessions count;
            maximum-sessions-per-connection count;
            port number;
        }
    }
}
service-set service-set-name {
    aacl-rules rule-name;
    allow-multicast;
    extension-service service-name {
        provider-specific rules;
    }
    (ids-rules rule-names | ids-rule-sets rule-set-name);
    interface-service {
        service-interface interface-name;
    }
    (ipsec-vpn-rules rule-names | ipsec-vpn-rule-sets rule-set-name);
    (nat-rules rule-names | nat-rule-sets rule-set-name);
    (pgcp-rules rule-names | pgcp-rule-sets rule-set-name);
    policy-decision-statistics-profile profile-name;
    (ptsp-rules rule-names | ptsp-rule-sets rule-set-name);
    (stateful-firewall-rules rule-names | stateful-firewall-rule-sets rule-set-name);

    ipsec-vpn-options {
        anti-replay-window-size bits;
        clear-dont-fragment-bit;
        ike-access-profile profile-name;
        local-gateway address;
        no-anti-replay;
        passive-mode-tunneling;
        trusted-ca [ ca-profile-names ];
        tunnel-mtu bytes;
    }
    max-flows number;
    next-hop-service {
        inside-service-interface interface-name.unit-number;
        outside-service-interface interface-name.unit-number;
        service-interface-pool name;
    }
    service-order {
        forward-flow [ service-name1 service-name2 ];
        reverse-flow [ service-name1 service-name2 ];
    }
    syslog {
        host hostname {
            facility-override facility-name;
            port port-number;
            services severity-level;
        }
    }
}
softwire {
    softwire-concentrator {
        ds-lite ds-lite-softwire-concentrator {
            auto-update-mtu;
            copy-dscp;
            flow-limit flow-limit;
            mtu-v6 mtu-v6;
            softwire-address address;
        }
        v6rd v6rd-softwire-concentrator {
            ipv4-prefix ipv4-prefix;
            mtu-v4 mtu-v4;
            v6rd-prefix ipv6-prefix;
        }
    }
    rule rule-name {
        match-direction (input | output);
        term term-name {
            then {
                ds-lite name;
            }
        }
    }
    ipv6-multicast-filters;
}
stateful-firewall {
    rule rule-name {
        match-direction (input | output | input-output);

        term term-name {
            from {
                application-sets set-name;
                applications [ application-names ];
                destination-address (address | any-unicast) <except>;
                destination-address-range low minimum-value high maximum-value <except>;
                destination-prefix-list list-name <except>;
                source-address (address | any-unicast) <except>;
                source-address-range low minimum-value high maximum-value <except>;
                source-prefix-list list-name <except>;
            }
            then {
                (accept | discard | reject);
                allow-ip-options [ values ];
                syslog;
            }
        }
    }
    rule-set rule-set-name {
        rule rule-name;
    }
}


PART 2
Adaptive Services

• Adaptive Services Overview on page 37
• Applications Configuration Guidelines on page 71
• Summary of Applications Configuration Statements on page 103
• Stateful Firewall Services Configuration Guidelines on page 113
• Summary of Stateful Firewall Configuration Statements on page 123
• Stateful Firewall on the Embedded Junos OS Platform Configuration Guidelines on page 135
• Summary of Stateful Firewall on the Embedded Junos OS Platform Configuration Statements on page 139
• Carrier-Grade NAT Configuration Guidelines on page 149
• Summary of Carrier-Grade NAT Configuration Statements on page 239
• Load Balancing Configuration Guidelines on page 271
• Summary of Load Balancing Configuration Statements on page 277
• Intrusion Detection Service Configuration Guidelines on page 289
• Summary of Intrusion Detection Service Configuration Statements on page 301
• IPsec Services Configuration Guidelines on page 323
• Summary of IPsec Services Configuration Statements on page 377
• Layer 2 Tunneling Protocol Services Configuration Guidelines on page 413
• Summary of Layer 2 Tunneling Protocol Configuration Statements on page 431
• Link Services IQ Interfaces Configuration Guidelines on page 447
• Summary of Link Services IQ Configuration Statements on page 509
• Voice Services Configuration Guidelines on page 521
• Summary of Voice Services Configuration Statements on page 531
• Class-of-Service Configuration Guidelines on page 541
• Summary of Class-of-Service Configuration Statements on page 551
• Service Set Configuration Guidelines on page 567
• Summary of Service Set Configuration Statements on page 585
• Service Interface Configuration Guidelines on page 611
• Summary of Service Interface Configuration Statements on page 625

• PGCP Configuration Guidelines for the BGF Feature on page 643
• Summary of PGCP Configuration Statements on page 649
• Service Interface Pools Configuration Guidelines on page 751
• Summary of Service Interface Pools Statements on page 753
• Border Signaling Gateway Configuration Guidelines on page 755
• Summary of Border Signaling Gateway Configuration Statements on page 761
• PTSP Configuration Guidelines on page 841
• Summary of PTSP Configuration Statements on page 843
• Softwire Configuration Guidelines on page 865
• Summary of Softwire Configuration Statements on page 883

CHAPTER 3
Adaptive Services Overview

This chapter discusses the following topics:

• Adaptive Services Overview on page 37
• Enabling Service Packages on page 39
• Services Configuration Procedure on page 44
• Packet Flow Through the Adaptive Services or Multiservices PIC on page 44
• Stateful Firewall Overview on page 45
• Network Address Translation Overview on page 48
• Tunneling Services for IPv4-to-IPv6 Transition Overview on page 53
• IPsec Overview on page 57
• Layer 2 Tunneling Protocol Overview on page 59
• Voice Services Overview on page 60
• Class of Service Overview on page 60
• Examples: Services Interfaces Configuration on page 61

Adaptive Services Overview

The Adaptive Services (AS) and MultiServices PICs provide adaptive services interfaces, which allow you to coordinate multiple services on a single PIC by configuring a set of services and applications. The AS and MultiServices PICs offer a special range of services you configure in one or more service sets.

The AS PIC is available in two versions that differ in memory size:

• The Adaptive Services PIC with 256 megabytes (MB) of memory is supported on all M Series routers except the M320 router.
• The Adaptive Services II PIC with 512 MB of memory is supported on all Juniper Networks M Series and T Series routers, including the M320 router.

The M7i router includes the Adaptive Services Module (ASM), an integrated version of the AS PIC, as an optional component, which offers all the features of the standalone version at a reduced bandwidth.

NOTE: To take advantage of the features available on the AS PIC, you must install it in an Enhanced Flexible PIC Concentrator (FPC) in an M Series router equipped with an Internet Processor II application-specific integrated circuit (ASIC), or a similarly equipped T Series router. To find out whether your router hardware is suitably equipped, use the show chassis hardware command. For more information, see the Junos OS System Basics and Services Command Reference.

The MultiServices PIC is available in three versions, which differ in memory size and performance: the MultiServices 100, the MultiServices 400, and the MultiServices 500. All versions offer enhanced performance in comparison with AS PICs. MultiServices PICs are supported on M Series and T Series routers except M20 routers. For more information about supported packages, see “Enabling Service Packages” on page 39.

The MultiServices DPC is available for MX Series routers; it includes a subset of the functionality supported on the MultiServices PIC. Currently the MultiServices DPC supports the following Layer 3 services: stateful firewall, NAT, IDS, IPsec, active flow monitoring, RPM, and generic routing encapsulation (GRE) tunnels (including GRE key and fragmentation); it also supports graceful Routing Engine switchover (GRES) and Dynamic Application Awareness for Junos OS.

It is also possible to group several Multiservices PICs into an aggregated Multiservices (AMS) system. The primary benefit of having an AMS configuration is the ability to support load balancing of traffic across multiple services PICs. An AMS configuration eliminates the need for separate routers within a system. Starting with Junos OS 11.4, all MX Series routers will support high availability (HA) and Network Address Translation (NAT) on AMS infrastructure. See “Configuring Load Balancing on AMS Infrastructure” on page 271 for more information.

NOTE: The Adaptive Services and MultiServices PICs are polling based and not interrupt based; as a result, a high value in the show chassis pic “Interrupt load average” field may not mean that the PIC has reached its maximum limit of processing.

The following services are configured within a service set and are available only on adaptive services interfaces:

• Stateful firewall—A type of firewall filter that considers state information derived from previous communications and other applications when evaluating traffic.
• Network Address Translation (NAT)—A security procedure for concealing host addresses on a private network behind a pool of public addresses.
• Intrusion detection service (IDS)—A set of tools for detecting, redirecting, and preventing certain kinds of network attack and intrusion.

• IP Security (IPsec)—A set of tools for configuring manual or dynamic security associations (SAs) for encryption of data traffic.
• Class of service (CoS)—A subset of CoS functionality for services interfaces, limited to DiffServ code point (DSCP) marking and forwarding-class assignment. CoS BA classification is not supported on services interfaces.

The following services are also configured on the AS and MultiServices PICs, but do not use the rule set definition:

• Layer 2 Tunneling Protocol (L2TP)—A tool for setting up secure tunnels using Point-to-Point Protocol (PPP) encapsulation across Layer 2 networks.
• Voice services—A feature that uses the Compressed Real-Time Transport Protocol (CRTP) to enable voice over IP traffic to use low-speed links more effectively.
• Link Services Intelligent Queuing (LSQ)—Interfaces that support Junos OS class-of-service (CoS) components, link fragmentation and interleaving (LFI) (FRF.12), Multilink Frame Relay (MLFR) user-to-network interface (UNI) network-to-network interface (NNI) (FRF.16), and Multilink PPP (MLPPP).

In addition, Junos OS includes the following tools for configuring services:

• Application protocols definition—Allows you to configure properties of application protocols that are subject to processing by router services, and group the application definitions into application sets.
• Service-set definition—Allows you to configure combinations of directional rules and default settings that control the behavior of each service in the service set.

The configuration for these services comprises a series of rules that you can arrange in order of precedence as a rule set. Each rule follows the structure of a firewall filter, with a from statement containing input or match conditions and a then statement containing actions to be taken if the match conditions are met.

NOTE: Logging of adaptive services interfaces messages to an external server by means of the fxp0 port is not supported on M Series routers. The architecture does not support system logging traffic out of a management interface. Instead, access to an external server is supported on a Packet Forwarding Engine interface.

Enabling Service Packages

For AS PICs, Multiservices PICs, Multiservices DPCs, and the internal Adaptive Services Module (ASM) in the M7i router, there are two service packages: Layer 2 and Layer 3. Both service packages are supported on all adaptive services interfaces, but you can enable only one service package per PIC, with the exception of a combined package supported on the ASM. On a single router, you can enable both service packages by installing two or more PICs on the platform.

NOTE: Graceful Routing Engine switchover (GRES) is automatically enabled on all services PICs and DPCs except the ES PIC. It is supported on all M Series, MX Series, and T Series routers except for TX Matrix routers. Layer 3 services should retain state after switchover, but Layer 2 services will restart. For IPsec services, Internet Key Exchange (IKE) negotiations are not stored and must be restarted after switchover. For more information about GRES, see the Junos OS High Availability Configuration Guide.

The services supported in each package differ by PIC and platform type. Table 3 on page 41 lists the services supported within each service package for each PIC and platform.

For information about services supported on SRX Series Services Gateways and J Series Services Routers, see the Junos OS Feature Support Reference for SRX Series and J Series Devices.

NOTE: The ASM has a default option (layer-2-3) that combines the features available in the Layer 2 and Layer 3 service packages.

On the AS and Multiservices PICs, link services support includes Junos OS CoS components, LFI (FRF.12), MLFR end-to-end (FRF.15), MLFR UNI NNI (FRF.16), MLPPP (RFC 1990), and multiclass MLPPP. For more information, see “Layer 2 Service Package Capabilities and Interfaces” on page 43 and “Layer 2 Service Package Capabilities and Interfaces” on page 448.

You enable service packages per PIC, not per port. For example, if you configure the Layer 2 service package, the entire PIC uses the configured package. To enable a service package, include the service-package statement at the [edit chassis fpc slot-number pic pic-number adaptive-services] hierarchy level, and specify layer-2 or layer-3:

[edit chassis fpc slot-number pic pic-number adaptive-services]
service-package (layer-2 | layer-3);

To determine which package an AS PIC supports, issue the show chassis hardware command: if the PIC supports the Layer 2 package, it is listed as Link Services II, and if it supports the Layer 3 package, it is listed as Adaptive Services II. To determine which package a Multiservices PIC supports, issue the show chassis pic fpc-slot slot-number pic-slot slot-number command. The Package field displays the value Layer-2 or Layer-3.

NOTE: Changing the service package causes all state information associated with the previous service package to be lost. You should change the service package only when there is no active traffic going to the PIC. After you commit a change in the service package, the PIC is taken offline and then brought back online immediately. You do not need to manually take the PIC offline and online.

NOTE: The AS PIC II for Layer 2 Service is dedicated to supporting the Layer 2 service package only. For additional information about Layer 3 services, see the Junos OS Feature Guides.

Table 3: AS and Multiservices PIC Services by Service Package, PIC, and Platform

Columns, in order: ASM (M7i) | AS/AS2 and Multiservices PICs (M7i, M10i, and M20) | AS2 and Multiservices PICs (M40e and M120) | AS2 and Multiservices PICs (M320, T320, and T640) | AS2 and Multiservices PICs (TX Matrix)

Layer 2 Service Package (Only)

Link Services:
• Link services: Yes | Yes | Yes | Yes | No
• Multiclass MLPPP: Yes | Yes | Yes | Yes | No

Voice Services:
• CRTP and LFI: Yes | Yes | Yes | Yes | No
• CRTP and MLPPP: Yes | Yes | Yes | Yes | No
• CRTP over PPP (without MLPPP): Yes | Yes | Yes | Yes | No

Layer 3 Service Package (Only)

Security Services:
• CoS: Yes | Yes | Yes | Yes | No
• Intrusion detection system (IDS): Yes | Yes | Yes | Yes | No
• IPsec: Yes | Yes | Yes | Yes | No
• NAT: Yes | Yes | Yes | Yes | No
• Stateful firewall: Yes | Yes | Yes | Yes | No

Accounting Services:
• Active monitoring: Yes | Yes | Yes | Yes | Yes
• Dynamic flow capture (Multiservices 400 PIC only): No | No | No | Yes | No

Table 3: AS and Multiservices PIC Services by Service Package, PIC, and Platform (continued)

Columns, in order: ASM (M7i) | AS/AS2 and Multiservices PICs (M7i, M10i, and M20) | AS2 and Multiservices PICs (M40e and M120) | AS2 and Multiservices PICs (M320, T320, and T640) | AS2 and Multiservices PICs (TX Matrix)

• Flow-tap
• Passive monitoring (Multiservices 400 PIC only)
• Port mirroring
Cell values for these three rows as extracted (column alignment lost): Yes, Yes, Yes (M40e only), Yes (M40e only), Yes, Yes, No, No, Yes, Yes, No, Yes, Yes, Yes, Yes

LNS Services:
• L2TP LNS: Yes | Yes (M7i and M10i only) | Yes (M120 only) | No | No

Voice Services:
• BGF: Yes | Yes | Yes | Yes | No

Layer 2 and Layer 3 Service Package (Common Features)

RPM Services:
• RPM probe timestamping: Yes | Yes | Yes | Yes | No

Tunnel Services:
• GRE (gr-fpc/pic/port)
• GRE fragmentation (clear-dont-fragment-bit)
• GRE key
• IP-IP tunnels (ip-fpc/pic/port)
• Logical tunnels (lt-fpc/pic/port)
• Multicast tunnels (mt-fpc/pic/port)
• PIM de-encapsulation (pd-fpc/pic/port)
• PIM encapsulation (pe-fpc/pic/port)
• Virtual tunnels (vt-fpc/pic/port)
Cell values for the nine tunnel rows as extracted (column alignment lost): Yes Yes Yes Yes Yes Yes Yes No Yes No Yes Yes No Yes Yes Yes Yes Yes Yes No Yes Yes Yes Yes Yes Yes No Yes Yes Yes Yes Yes Yes No Yes Yes Yes Yes No Yes No Yes Yes Yes Yes

Layer 2 Service Package Capabilities and Interfaces

When you enable the Layer 2 service package, the following interfaces are automatically created:

gr-fpc/pic/port
ip-fpc/pic/port
lsq-fpc/pic/port
lsq-fpc/pic/port:0
...
lsq-fpc/pic/port:N
mt-fpc/pic/port
pd-fpc/pic/port
pe-fpc/pic/port
sp-fpc/pic/port
vt-fpc/pic/port

Interface types gr, ip, mt, pd, pe, and vt are standard tunnel interfaces that are available on the AS and Multiservices PICs whether you enable the Layer 2 or the Layer 3 service package. These tunnel interfaces function the same way for both service packages, except that the Layer 2 service package does not support some tunnel functions, as shown in Table 3 on page 41.

Interface type lsq-fpc/pic/port is the physical link services IQ (lsq) interface. Interface types lsq-fpc/pic/port:0 through lsq-fpc/pic/port:N represent FRF.16 bundles. These interface types are created when you include the mlfr-uni-nni-bundles statement at the [edit chassis fpc slot-number pic pic-number] option.

When you enable the Layer 2 service package, you can configure link services. On the AS and Multiservices PICs and the ASM, link services include support for the following:

• Junos CoS components—“Layer 2 Service Package Capabilities and Interfaces” on page 448 describes how the Junos CoS components work on link services IQ (lsq) interfaces. For detailed information about Junos CoS components, see the Junos OS Class of Service Configuration Guide.
• LFI on Frame Relay links using FRF.12 end-to-end fragmentation—The standard for FRF.12 is defined in the specification FRF.12, Frame Relay Fragmentation Implementation Agreement.
• LFI on MLPPP links.
• MLFR end-to-end (FRF.15)
• MLFR UNI NNI (FRF.16)—The standard for FRF.16 is defined in the specification FRF.16, Multilink Frame Relay UNI/NNI Implementation Agreement.
• MLPPP (RFC 1990)

For the LSQ interface on the AS and Multiservices PICs, the configuration syntax is almost the same as for Multilink and Link Services PICs. The primary difference is the use of the interface-type descriptor lsq instead of ml or ls. For more information, see “Layer 2 Service Package Capabilities and Interfaces” on page 448 and Link and Multilink Properties.

NOTE: Interface type sp is created because it is needed by the Junos OS. For the Layer 2 service package, the sp interface is not configurable, but you should not disable it.

Services Configuration Procedure

You follow these general steps to configure services:

1. Define application objects by configuring statements at the [edit applications] hierarchy level.
2. Define service rules by configuring statements at the [edit services (ids | ipsec-vpn | nat | stateful-firewall) rule] hierarchy level.
3. Group the service rules by configuring the rule-set statement at the [edit services (ids | ipsec-vpn | nat | stateful-firewall)] hierarchy level.
4. Group service rule sets under a service-set definition by configuring the service-set statement at the [edit services] hierarchy level.
5. Apply the service set on an interface by including the service-set statement at the [edit interfaces interface-name unit logical-unit-number family inet service (input | output)] hierarchy level. Alternatively, you can configure logical interfaces as a next-hop destination by including the next-hop-service statement at the [edit services service-set service-set-name] hierarchy level.

NOTE: You can configure IDS, NAT, and stateful firewall service rules within the same service set. You must configure IPsec services in a separate service set, although you can apply both service sets to the same PIC.

Packet Flow Through the Adaptive Services or Multiservices PIC

You can optionally configure service sets to be applied at one of three points while the packets transit the router:

• An interface service set applied at the inbound interface.
• A next-hop service set applied at the forwarding table.
• An interface service set applied at the outbound interface.

(You can configure a service set as either an interface service set or a next-hop service set.)

The packet flow is as follows, graphically displayed in Figure 1 on page 45:

1. Packets enter the router on the inbound interface.
2. A policer, filter, service filter, service set, postservice filter, and input forwarding-table filter are applied sequentially to the traffic; these are all optional items in the configuration. If an interface service set is applied, the packets are forwarded to the

AS or MultiServices PIC for services processing and then sent back to the Packet Forwarding Engine.
3. A next-hop service set can be applied to the VPN routing and forwarding (VRF) table or to inet.0. If it is applied, packets are sent to the PIC for services processing and sent back to the Packet Forwarding Engine.
4. On the output interface, an output filter, output policer, and interface service set can be applied sequentially to the traffic if you have configured any of these items. If an interface service set is applied, the traffic is forwarded to the PIC for processing and sent back to the Packet Forwarding Engine, which then forwards the traffic; if a service filter is also applied, only packets matching the service filter are sent to the PIC.
5. The optional postservice filter is applied and postprocessing takes place. Packets exit the router.

NOTE: For NAT, the next-hop service set can only be applied to the VRF table. For all other services, the next-hop service set can be applied to either the VRF table or to inet.0.

Figure 1: Packet Flow Through the Adaptive Services or MultiServices PIC

NOTE: When an AS PIC experiences persistent back pressure as a result of high traffic volume for 3 seconds, the condition triggers an automatic core dump and reboot of the PIC to help clear the blockage. A system log message at level LOG_ERR is generated. This mechanism applies to both Layer 2 and Layer 3 service packages.

Stateful Firewall Overview

Routers use firewalls to track and control the flow of traffic. Adaptive Services and MultiServices PICs employ a type of firewall called a stateful firewall. Contrasted with a stateless firewall that inspects packets in isolation, a stateful firewall provides an extra

layer of security by using state information derived from past communications and other applications to make dynamic control decisions for new communication attempts.

Stateful firewalls group relevant flows into conversations. A flow is identified by the following five properties:

• Source address
• Source port
• Destination address
• Destination port
• Protocol

A typical Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) conversation consists of two flows: the initiation flow and the responder flow. However, some conversations, such as an FTP conversation, might consist of two control flows and many data flows.

Firewall rules govern whether the conversation is allowed to be established. If a conversation is allowed, all flows within the conversation are permitted, including flows that are created during the life cycle of the conversation.

You configure stateful firewalls using a powerful rule-driven conversation handling path. A rule consists of direction, source address, source port, destination address, destination port, IP protocol value, and application protocol or service. In addition to the specific values you configure, you can assign the value any to rule objects, which allows them to match any input value. Finally, you can optionally negate the rule objects, which negates the result of the type-specific match.

Firewall rules are directional. For each new conversation, the router software checks the initiation flow matching the direction specified by the rule.

Firewall rules are ordered. The software checks the rules in the order in which you include them in the configuration. The first time the firewall discovers a match, the router implements the action specified by that rule. Rules still unchecked are ignored.

The firewall rules are configured in relation to an interface. By default, the stateful firewall allows all sessions initiated from the hosts behind the interface to pass through the router. For more information, see “Configuring Stateful Firewall Rules” on page 114.

Stateful Firewall Support for Application Protocols

By inspecting the application protocol data, the AS or MultiServices PIC firewall can intelligently enforce security policies and allow only the minimal required packet traffic to flow through the firewall.

Stateful Firewall Anomaly Checking

The stateful firewall recognizes the following events as anomalies and sends them to the IDS software for processing:

Inc. Packet has incorrect IP options. IP header length field is too small.Chapter 3: Adaptive Services Overview • IP anomalies: • • • • • • • • IP version is not correct. Juniper Networks. Bad TCP checksum. IP total length field is shorter than header length. Bad UDP checksum. UDP header length check failed. • UDP anomalies: • • • UDP source or destination port 0. Land attack (source IP equals destination IP). IP packet length is more than 64 kilobytes (KB). IP header length is set larger than the entire packet. TCP sequence number 0 and flags 0. Bad header checksum. TCP flags with wrong combination (TCP FIN/RST or SYN/(URG|FIN|RST). • TCP anomalies: • • • • • TCP port 0. Time-to-live (TTL) equals 0. • IP address anomalies: • • IP packet source is a broadcast or multicast. • Anomalies found through stateful TCP or UDP checks: Copyright © 2011. TCP sequence number 0 and FIN/PSH/RST flags set. IP fragment missed. IP fragment length error. Tiny fragment attack. 47 . Internet Control Message Protocol (ICMP) packet length error. • IP fragmentation anomalies: • • • • • IP fragment overlap.

    • SYN followed by SYN-ACK packets without ACK from initiator.
    • SYN followed by RST packets.
    • SYN without SYN-ACK.
    • Non-SYN first flow packet.
    • ICMP unreachable errors for SYN packets.
    • ICMP unreachable errors for UDP packets.
    • Packets dropped according to stateful firewall rules.

If you employ stateful anomaly detection in conjunction with stateless detection, IDS can provide early warning for a wide range of attacks, including these:

• TCP or UDP network probes and port scanning
• SYN flood attacks
• IP fragmentation-based attacks such as teardrop, bonk, and boink

Network Address Translation Overview

• Types of NAT on page 48

Types of NAT

The types of NAT supported by the Junos OS are described in the following sections:

• NAT Concept and Facilities Overview on page 48
• IPv4-to-IPv4 Basic NAT on page 49
• NAT-PT on page 50
• Static Destination NAT on page 50
• Twice NAT on page 50
• IPv6 NAT on page 51
• NAT-PT with DNS ALG on page 51
• Dynamic NAT on page 52
• Stateful NAT64 on page 52
• Dual-Stack Lite on page 52

NAT Concept and Facilities Overview

Network Address Translation (NAT) is a mechanism for translating IP addresses. NAT provides the technology used to support a wide range of networking goals, including:

• Concealing a set of host addresses on a private network behind a pool of public addresses.

• Providing a security measure to protect the host addresses from direct targeting in network attacks.
• Providing a tool set for coping with IPv4 address depletion and IPv6 transition issues.

The Junos OS provides carrier-grade NAT (CGN) for IPv4 and IPv6 networks. The multiservices Dense Port Concentrator (DPC) and multiservices PIC interfaces support the following types of traditional CGN:

• Static-source translation—Allows you to hide a private network. It features a one-to-one mapping between the original address and the translated address; the mapping is configured statically. For more information, see “Basic NAT” on page 50.
• Dynamic-source translation—Includes two options: dynamic address-only source translation and network address and port translation (NAPT):
    • Dynamic address-only source translation—A NAT address is picked up dynamically from a source NAT pool and the mapping from the original source address to the translated address is maintained as long as there is at least one active flow that uses this mapping. For more information, see “Dynamic NAT” on page 52.
    • NAPT—Both the original source address and the source port are translated. The translated address and port are picked up from the corresponding NAT pool. For more information, see “NAPT” on page 50.
• Static destination translation—Allows you to make selected private servers accessible. It features a one-to-one mapping between the translated address and the destination address; the mapping is configured statically. For more information, see “Static Destination NAT” on page 50.
• Protocol translation—Allows you to assign addresses from a pool on a static or dynamic basis as sessions are initiated across IPv4 or IPv6 boundaries, and facilitates the transit of traffic between different types of networks. For more information, see “NAT-PT” on page 50, “NAT-PT with DNS ALG” on page 51, and “Stateful NAT64” on page 52.
• Encapsulation of IPv4 packets into IPv6 packets using softwires—Enables packets to travel over softwires to a carrier-grade NAT endpoint where they undergo source-NAT processing to hide the original source address. For more information, see “Tunneling Services for IPv4-to-IPv6 Transition Overview” on page 53.

The Junos OS supports NAT functionality described in IETF RFCs and Internet drafts, as shown in Supported NAT and SIP Standards in Standards Supported in Junos OS 11.4.

IPv4-to-IPv4 Basic NAT

Basic Network Address Translation or Basic NAT is a method by which IP addresses are mapped from one group to another, transparent to end users. Network Address Port Translation or NAPT is a method by which many network addresses and their TCP/UDP ports are translated into a single network address and its TCP/UDP ports. Together, these two operations, referred to as traditional NAT, provide a mechanism to connect a realm with private addresses to an external realm with globally unique registered addresses.
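Returning to the stateful firewall material on the preceding pages: the five-tuple flow and conversation model, the ordered directional rules with any and negated (except) objects, and a subset of the anomaly checks handed to IDS, as an added Python example that is not Juniper code. The default action when no rule matches, and every address and port used, are assumptions of this model.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str                        # "input" or "output" relative to the interface
    src: str                              # the five properties that identify a flow:
    sport: int                            # source address, source port,
    dst: str                              # destination address, destination port,
    dport: int                            # and protocol
    proto: str
    flags: FrozenSet[str] = frozenset()   # TCP flags, e.g. frozenset({"SYN"})
    version: int = 4
    ttl: int = 64


@dataclass
class Match:
    """One rule object: a set of values, `any` (values=None), optionally negated (except)."""
    values: Optional[Set] = None
    negate: bool = False

    def __call__(self, value) -> bool:
        hit = self.values is None or value in self.values
        return (not hit) if self.negate else hit


@dataclass
class Rule:
    name: str
    direction: str                        # rules are directional: input or output
    action: str                           # accept | discard | reject
    src: Match = field(default_factory=Match)
    sport: Match = field(default_factory=Match)
    dst: Match = field(default_factory=Match)
    dport: Match = field(default_factory=Match)
    proto: Match = field(default_factory=Match)

    def matches(self, p: Packet) -> bool:
        return (p.direction == self.direction and self.src(p.src) and self.sport(p.sport)
                and self.dst(p.dst) and self.dport(p.dport) and self.proto(p.proto))


FlowKey = Tuple[str, str, int, str, int]


class StatefulFirewall:
    def __init__(self, rules: List[Rule], default_action: str = "discard"):
        self.rules = rules
        self.default_action = default_action          # assumed policy when no rule matches
        self.conversations: Dict[FlowKey, str] = {}   # flow key -> rule that admitted it
        self.ids_events: List[str] = []               # anomalies handed to IDS

    @staticmethod
    def flow_key(p: Packet) -> FlowKey:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def reverse_key(p: Packet) -> FlowKey:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    @staticmethod
    def anomalies(p: Packet) -> List[str]:
        """A subset of the header-level checks from the anomaly list above."""
        found = []
        if p.version != 4:
            found.append("IP version is not correct")
        if p.ttl == 0:
            found.append("Time-to-live (TTL) equals 0")
        if p.src == p.dst:
            found.append("Land attack (source IP equals destination IP)")
        if p.proto in ("tcp", "udp") and 0 in (p.sport, p.dport):
            found.append(f"{p.proto.upper()} port 0")
        if p.proto == "tcp" and ({"FIN", "RST"} <= p.flags
                                 or ("SYN" in p.flags and p.flags & {"URG", "FIN", "RST"})):
            found.append("TCP flags with wrong combination")
        return found

    def process(self, p: Packet) -> str:
        """Returns the action taken for one packet: accept, discard or reject."""
        found = self.anomalies(p)
        if found:                                     # anomalies go to IDS, not to the rules
            self.ids_events.extend(found)
            return "discard"
        key = self.flow_key(p)
        if key in self.conversations:                 # packet of an already permitted flow
            return "accept"
        owner = self.conversations.get(self.reverse_key(p))
        if owner is not None:                         # responder flow of a permitted conversation
            self.conversations[key] = owner
            return "accept"
        if p.proto == "tcp" and "SYN" not in p.flags: # stateful TCP check on a new conversation
            self.ids_events.append("Non-SYN first flow packet")
            return "discard"
        for rule in self.rules:                       # ordered: the first match decides
            if rule.matches(p):
                if rule.action == "accept":
                    self.conversations[key] = rule.name
                return rule.action
        return self.default_action
```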

Basic NAT

With Basic NAT, a block of external addresses are set aside for translating addresses of hosts in a private domain as they originate sessions to the external domain. For packets outbound from the private network, Basic NAT translates source IP addresses and related fields such as IP, TCP, UDP, and ICMP header checksums. For inbound packets, Basic NAT translates the destination IP address and the checksums listed above.

NAPT

Use NAPT to enable the components of the private network to share a single external address. NAPT translates the transport identifier (for example, TCP port number, UDP port number, or ICMP query ID) of the private network into a single external address. NAPT can be combined with Basic NAT to use a pool of external addresses in conjunction with port translation. For packets outbound from the private network, NAPT translates the source IP address, source transport identifier (TCP/UDP port or ICMP query ID), and related fields such as IP, TCP, UDP, and ICMP header checksums. For inbound packets, NAPT translates the destination IP address, the destination transport identifier, and the IP and transport header checksums. NAPT is supported for source addresses.

Traditional NAT, specified in RFC 3022, Traditional IP Network Address Translator, is fully supported by the Junos OS.

NAT-PT

NAT-Protocol Translation (NAT-PT) is an obsolete IPv4-to-IPv6 transition mechanism and is no longer recommended. NAT64 is the newer, recommended solution. NAT-PT, specified in RFC 2766, Network Address Translation - Protocol Translation (NAT-PT), and obsoleted by RFC 2766, Reasons to Move Network Address Translator - Protocol Translator (NAT-PT) to Historic Status, is still supported by the Junos OS. Using a pool of IPv4 addresses, NAT-PT assigns addresses from that pool to IPv6 nodes on a dynamic basis as sessions are initiated across IPv4 or IPv6 boundaries. RFC 2766 recommends the use of NAT-PT for translation between IPv6-only nodes and IPv4-only nodes, and not for IPv6-to-IPv6 translation between IPv6 nodes or IPv4-to-IPv4 translation between IPv4 nodes. Inbound and outbound sessions must traverse the same NAT-PT router so that it can track those sessions.

Static Destination NAT

Use static destination NAT to translate the destination address for external traffic to an address specified in a destination pool. The destination pool contains one address and no port configuration. For more information about static destination NAT, see RFC 2663, IP Network Address Translator (NAT) Terminology and Considerations.

Twice NAT

In Twice NAT, both the source and destination addresses are subject to translation as packets traverse the NAT router. To configure Twice NAT, you must specify both a destination address and a source address for the match direction. The source information to be translated can be either

51 . IPv6-to-IPv6 Network Address Translation (NAT66) is fully supported by the Junos OS. recommends the use of NAT-PT for translation between IPv6-only nodes and IPv4-only nodes. and translation type. NAT-PT assigns addresses from that pool to IPv6 nodes on a dynamic basis as sessions are initiated across IPv4 or IPv6 boundaries. or any resource connected to the Internet or a private network. Juniper Networks. Related Documentation • • Configuring NAT Rules on page 156 Configuring NAT-PT on page 187 Copyright © 2011. pool or prefix. Network Address Translation . IP Network Address Translator (NAT) Terminology and Considerations. you must specify both a destination address and a source address for the match direction. DNS is a distributed hierarchical naming system for computers. You can configure application-level gateways (ALGs) for ICMP and traceroute under stateful firewall.Protocol Translation (NAT-PT). Twice NAT does not support other ALGs. and not for IPv6-to-IPv6 translation between IPv6 nodes or IPv4-to-IPv4 translation between IPv4 nodes. is fully supported by the Junos OS. Inbound and outbound sessions must traverse the same NAT-PT router so that it can track those sessions. For example. the DNS ALG translates IPv6 addresses in DNS queries and responses to the corresponding IPv4 addresses and vice versa. IPv4 name-to-address mappings are held in the DNS with "A" queries. The DNS ALG is an application-specific agent that allows an IPv6 node to communicate with an IPv4 node and vice versa. only one of the addresses is translated. IPv6 name-to-address mappings are held in the DNS with "AAAA" queries. The Junos OS provides the following for controlling the translation of IPv4 and IPv6 DNS queries: NOTE: For IPv6 DNS queries. To configure Twice NAT. specified in RFC 2663. 
you would use Twice NAT when you are connecting two networks in which all or some addresses in one network overlap with addresses in another network (whether the network is private or public). These ALGs cannot be applied to flows created by the Packet Gateway Control Protocol (PGCP). NAT-PT with DNS ALG NAT-PT and Domain Name System (DNS) ALG are used to facilitate communication between IPv6 hosts and IPv4 hosts. By default. Using a pool of IPv4 addresses. Inc. IPv6 NAT IPv6-to-IPv6 NAT (NAT66). Twice NAT. In traditional NAT. NAT. the Twice NAT feature can affect IP. and UDP headers embedded in the payload of ICMP error messages. RFC 2766. defined in Internet draft draft-mrw-behave-nat66-01. services. TCP. When DNS ALG is employed with NAT-PT. use the do-not-translate-AAAA-query-to-A-query statement at the [edit applications application application-name] hierarchy level.Chapter 3: Adaptive Services Overview address only or address and port. or class-of-service (CoS) rules when Twice NAT is configured in the same service set.
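The translations described above (NAPT with a dynamic pool, static destination NAT, and their combination as Twice NAT for overlapping address spaces), as an added Python model. This is not Junos code and does not represent the router's data structures; it shows what each translation does to a flow's addresses and ports, why a dynamic pool serves many hosts, and why inbound packets without a binding are dropped. All addresses are constructed (RFC 5737 documentation ranges and 10.0.0.0/8); checksum recomputation, which every NAT also performs, is left out.

```python
"""Added example: a minimal model of Basic NAT/NAPT, static destination NAT
and Twice NAT. Constructed addresses only; not Junos code."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Flow:
    """The fields a NAT rewrites: addresses and transport identifiers."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Napt:
    """NAPT (RFC 3022): many private (address, port) pairs share the external
    addresses of a pool; the external port is the multiplexing key. A pool of
    more than one address is NAPT combined with Basic NAT."""

    def __init__(self, pool, port_range=(1024, 65535)):
        self.pool = list(pool)
        self.port_range = port_range
        self.outbound_bindings = {}   # (priv_ip, priv_port) -> (ext_ip, ext_port)
        self.inbound_bindings = {}    # (ext_ip, ext_port)   -> (priv_ip, priv_port)

    def _allocate(self):
        """Dynamic allocation: first free (address, port) in the pool. A few
        external addresses serve many private hosts, unlike static source NAT,
        which needs a pool as large as the private address set."""
        lo, hi = self.port_range
        for ext_ip in self.pool:
            for port in range(lo, hi + 1):
                if (ext_ip, port) not in self.inbound_bindings:
                    return ext_ip, port
        raise RuntimeError("NAPT pool exhausted")

    def outbound(self, flow):
        """Private -> external: rewrite source address and source port,
        creating a binding on the first packet of a private (ip, port)."""
        key = (flow.src_ip, flow.src_port)
        if key not in self.outbound_bindings:
            ext = self._allocate()
            self.outbound_bindings[key] = ext
            self.inbound_bindings[ext] = key
        ext_ip, ext_port = self.outbound_bindings[key]
        return replace(flow, src_ip=ext_ip, src_port=ext_port)

    def inbound(self, flow):
        """External -> private: rewrite destination address and port from the
        binding the outbound packet created. None means there is no binding,
        so the packet is dropped: unsolicited inbound traffic never reaches a
        private host through NAPT."""
        binding = self.inbound_bindings.get((flow.dst_ip, flow.dst_port))
        if binding is None:
            return None
        priv_ip, priv_port = binding
        return replace(flow, dst_ip=priv_ip, dst_port=priv_port)


class StaticDestinationNat:
    """Static destination NAT: an external destination address maps to one
    internal address; the pool holds one address and no port, so ports are
    left untouched."""

    def __init__(self, external_to_internal):
        self.to_internal = dict(external_to_internal)
        self.to_external = {v: k for k, v in self.to_internal.items()}

    def inbound(self, flow):
        """Traffic addressed to the external address is sent to the internal one."""
        return replace(flow, dst_ip=self.to_internal.get(flow.dst_ip, flow.dst_ip))

    def outbound(self, flow):
        """Replies from the internal host leave with the external address as source."""
        return replace(flow, src_ip=self.to_external.get(flow.src_ip, flow.src_ip))


class TwiceNat:
    """Twice NAT: source and destination are both translated in one pass,
    which is what lets two networks with overlapping addresses talk."""

    def __init__(self, source_napt, destination_nat):
        self.src = source_napt
        self.dst = destination_nat

    def outbound(self, flow):
        return self.dst.inbound(self.src.outbound(flow))

    def inbound(self, flow):
        """None when the NAPT side has no binding for the reply."""
        translated = self.src.inbound(flow)
        return None if translated is None else self.dst.outbound(translated)


def overlapping_networks_demo():
    """Two sites both numbered 10.1.1.0/24 (constructed). Site A is hidden
    behind 198.51.100.1 by NAPT; site B's host 10.1.1.10 is published to site A
    as 203.0.113.10 by static destination NAT. Returns (request, reply) as seen
    on the far side of the NAT and back at site A's host."""
    nat = TwiceNat(Napt(["198.51.100.1"]),
                   StaticDestinationNat({"203.0.113.10": "10.1.1.10"}))
    request = nat.outbound(Flow("10.1.1.10", 40000, "203.0.113.10", 80))
    reply = nat.inbound(Flow("10.1.1.10", 80, request.src_ip, request.src_port))
    return request, reply
```

Site A's host keeps talking to 203.0.113.10 and never sees that the far host carries its own address; the NAT holds both halves of the mapping. The binding is keyed on the private (address, port) only, so a second destination from the same private socket reuses the same external port.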

• Example: Configuring NAT-PT on page 202

Dynamic NAT

Dynamic NAT flow is shown in Figure 2 on page 52.

Figure 2: Dynamic NAT Flow (figure not reproduced; it shows an IPv4 end-user local host behind IPv4 CPE, a CGN performing dynamic NAT, public IPv4 aggregation, and an IPv4 destination host)

With dynamic NAT, you can map a private IP address (source) to a public IP address drawing from a pool of registered (public) IP addresses. NAT addresses from the pool are assigned dynamically. Assigning addresses dynamically also allows a few public IP addresses to be used by several private hosts, in contrast with the equal-sized pool required by source static NAT. For more information about dynamic address translation, see RFC 2663.

Stateful NAT64

Stateful NAT64 flow is shown in Figure 3 on page 52.

Figure 3: Stateful NAT64 Flow (figure not reproduced; it shows an IPv6 local host behind IPv6 CPE, a CGN performing NAT64, public IPv4 aggregation, and an IPv4 destination host)

Stateful NAT64 is a mechanism to move to an IPv6 network and at the same time deal with IPv4 address depletion. By allowing IPv6-only clients to contact IPv4 servers using unicast UDP, TCP, or ICMP, several IPv6-only clients can share the same public IPv4 server address. To allow sharing of the IPv4 server address, NAT64 translates incoming IPv6 packets into IPv4 (and vice versa). When stateful NAT64 is used in conjunction with DNS64, no changes are usually required in the IPv6 client or the IPv4 server. DNS64 is out of scope of this document because it is normally implemented as an enhancement to currently deployed DNS servers. Stateful NAT64, specified in RFC 6146, Stateful NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers, is fully supported by the Junos OS.

Dual-Stack Lite

Dual-stack lite (DS-Lite) flow is shown in Figure 4 on page 53.

Figure 4: DS-Lite Flow (figure not reproduced; it shows IPv4 and IPv6 end-user local hosts, an IPv4-in-IPv6 tunnel across the IPv6 access network to an AFTR/CGN performing NAT44, and IPv4 and IPv6 destination hosts)

DS-Lite employs IPv4-over-IPv6 tunnels to cross an IPv6 access network to reach a carrier-grade IPv4-IPv4 NAT.

Related Documentation

• DS-Lite Softwires—IPv4 over IPv6
• Configuring a DS-Lite Softwire Concentrator on page 866

Tunneling Services for IPv4-to-IPv6 Transition Overview

The Junos OS enables service providers to transition to IPv6 by using softwire encapsulation and decapsulation techniques. A softwire is a tunnel that is created between softwire CPE. A softwire CPE can share a unique common internal state for multiple softwires, making it a very light and scalable solution. A softwire initiator at the customer end encapsulates native packets and tunnels them to a softwire concentrator at the service provider. The softwire concentrator decapsulates the packets and sends them to their destination. This facilitates the phased introduction of IPv6 on the Internet by providing backward compatibility with IPv4.

A softwire is created when a softwire concentrator receives the first tunneled packet of a flow and prepares for flow processing. A flow counter is maintained; when the number of active flows is 0, the softwire is deleted. The softwire exists as long as the softwire concentrator is providing flows for routing. Statistics are kept for both flows and softwires.

When you use softwires, you need not maintain an interface infrastructure for each softwire, unlike a typical mesh of generic routing encapsulation (GRE) tunnels that would require you to do so. Softwire addresses are not specifically configured under any physical or virtual interface, and scalability is independent of the number of interfaces. The scalability is limited only by the number of flows that the platform (services DPC or PIC) can support. Therefore, the number of established softwires does not affect throughput.

This topic contains the following sections:

• 6to4 Overview on page 54
• DS-Lite Softwires—IPv4 over IPv6 on page 55
• 6rd Softwires—IPv6 over IPv4 on page 56
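The softwire lifecycle described above (created by the first tunneled packet of a flow, a flow counter per softwire, deletion when the count reaches 0, no per-tunnel interface) and the 3-tuple that the 6rd section later uses to identify a softwire (service set ID, CE initiator address, concentrator address), as an added Python model. This is not Junos code and says nothing about how the services PIC stores its state; it shows the bookkeeping a concentrator must keep so that return traffic is encapsulated into the softwire that carried the flow. All endpoint addresses and flow identifiers are constructed.

```python
"""Added example: softwire state at a concentrator (DS-Lite AFTR or 6rd
relay). Constructed values; not Junos code."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SoftwireKey:
    """The 3-tuple the 6rd section names as the softwire identity."""
    service_set_id: int
    initiator_addr: str      # CE tunnel endpoint (B4 for DS-Lite, CE WAN for 6rd)
    concentrator_addr: str   # AFTR / 6rd concentrator tunnel endpoint


@dataclass
class Softwire:
    key: SoftwireKey
    flows: set = field(default_factory=set)   # active flow identifiers
    packets: int = 0                          # per-softwire statistic


class SoftwireConcentrator:
    def __init__(self):
        self.softwires = {}        # SoftwireKey -> Softwire; no interface per tunnel
        self.flow_softwire = {}    # flow id -> SoftwireKey, for the return path

    def tunneled_packet(self, key, flow_id):
        """Called for each decapsulated packet. The first packet for an unknown
        key creates the softwire; the flow is recorded against that softwire."""
        bound = self.flow_softwire.get(flow_id)
        if bound is not None and bound != key:
            # The same flow arriving over a second softwire is a state error:
            # return traffic would otherwise be sent to the wrong endpoint.
            raise ValueError(f"flow {flow_id} already bound to {bound}")
        sw = self.softwires.get(key)
        if sw is None:
            sw = Softwire(key)
            self.softwires[key] = sw
        sw.flows.add(flow_id)
        self.flow_softwire[flow_id] = key
        sw.packets += 1
        return sw

    def return_path(self, flow_id):
        """Reverse direction: the softwire to encapsulate into is the one that
        carried the flow in the first place. None for an unknown flow."""
        return self.flow_softwire.get(flow_id)

    def flow_ended(self, flow_id):
        """Remove a flow; when its softwire's flow count reaches 0 the softwire
        is deleted. Returns False if the flow was not known."""
        key = self.flow_softwire.pop(flow_id, None)
        if key is None:
            return False
        sw = self.softwires[key]
        sw.flows.discard(flow_id)
        if not sw.flows:
            del self.softwires[key]
        return True

    def active_flow_count(self, key):
        sw = self.softwires.get(key)
        return len(sw.flows) if sw else 0


def demo():
    """Two CE initiators (constructed 6rd-style IPv4 endpoints) sharing one
    concentrator. Returns the softwire count after the first packets, the count
    after two flows end, and the return-path key of the surviving flow."""
    relay = SoftwireConcentrator()
    k1 = SoftwireKey(1, "192.0.2.10", "198.51.100.1")
    k2 = SoftwireKey(1, "192.0.2.11", "198.51.100.1")
    relay.tunneled_packet(k1, "flow-a")
    relay.tunneled_packet(k1, "flow-b")
    relay.tunneled_packet(k2, "flow-c")
    created = len(relay.softwires)     # 2 softwires, 0 interfaces
    relay.flow_ended("flow-a")         # k1 still has flow-b
    relay.flow_ended("flow-c")         # k2's last flow: softwire k2 is deleted
    return created, len(relay.softwires), relay.return_path("flow-b")
```

The only per-softwire cost is the dictionary entry, which is why the text can say that scalability depends on the flow count the platform supports rather than on the number of tunnels.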

6to4 Overview

• Basic 6to4 on page 54
• 6to4 Anycast on page 54
• 6to4 Provider-Managed Tunnels on page 55

Basic 6to4

6to4 is an Internet transition mechanism for migrating from IPv4 to IPv6, a system that allows IPv6 packets to be transmitted over an IPv4 network (generally the IPv4 Internet) without the need to configure explicit tunnels. 6to4 is especially relevant during the initial phases of deployment to full, native IPv6 connectivity, since IPv6 is not required on nodes between the host and the destination. However, it is intended only as a transition mechanism and is not meant to be used permanently. 6to4 is described in RFC 3056, Connection of IPv6 Domains via IPv4 Clouds.

6to4 can be used by an individual host, or by a local IPv6 network. When used by a host, it must have a global IPv4 address connected, and the host is responsible for the encapsulation of outgoing IPv6 packets and the decapsulation of incoming 6to4 packets. If the host is configured to forward packets for other clients, often a local network, it is then a router.

There are two kinds of 6to4 virtual routers: border routers and relay routers. A 6to4 border router is an IPv6 router supporting a 6to4 pseudointerface, and it is normally the border router between an IPv6 site and a wide-area IPv4 network. A relay router is a 6to4 router configured to support transit routing between 6to4 addresses and pure native IPv6 addresses. The specification states that such relay routers must only advertise 2002::/16 and not subdivisions of it, to prevent IPv4 routes from polluting the routing tables of IPv6 routers.

In order for a 6to4 host to communicate with the native IPv6 Internet, its IPv6 default gateway must be set to a 6to4 address which contains the IPv4 address of a 6to4 relay router. To avoid the need for users to set this up manually, the Anycast address 192.88.99.1 has been allocated to send packets to a 6to4 relay router. Note that when wrapped in 6to4 with the subnet and host fields set to zero, this IPv4 address (192.88.99.1) becomes the IPv6 address 2002:c058:6301::, which becomes the default IPv6 router (except for 2002::/16). Packets from the IPv6 Internet to 6to4 systems must be sent to a 6to4 relay router by normal IPv6 routing methods. From there they can then be sent over the IPv4 Internet to the destination.

6to4 Anycast

6to4 assumes that 6to4 routers and relays are managed and configured cooperatively. In particular, 6to4 sites must configure a relay router to carry the outbound traffic. The objective of the Anycast variant, defined in RFC 3068, An Anycast Prefix for 6to4 Relay Routers, is to avoid the need for such configuration.
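The address arithmetic behind the section above, as an added Python example using only the standard library ipaddress module. It is not Junos code. It embeds an IPv4 endpoint in 2002::/16 (so 192.88.99.1 becomes 2002:c058:6301::/48 exactly as the text states), recovers the IPv4 tunnel endpoint from a 6to4 destination, picks the anycast relay for native IPv6 destinations, and checks a relay's advertisement against the rule that only 2002::/16 itself may be announced. The 2002::/16 prefix, 192.88.99.1 and 192.88.99.0/24 are from the text; the sample site address 192.0.2.1 is constructed.

```python
"""Added example: 6to4 address embedding and relay selection (RFC 3056 /
RFC 3068 as summarised in the text). Not Junos code."""
import ipaddress

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")
ANYCAST_RELAY_IPV4 = ipaddress.IPv4Address("192.88.99.1")       # RFC 3068 relay
ANYCAST_RELAY_PREFIX = ipaddress.IPv4Network("192.88.99.0/24")  # routed toward relays


def ipv4_to_6to4_prefix(ipv4):
    """Embed a global IPv4 address in 2002::/16, giving the site's /48:
    2002:WWXX:YYZZ::/48. The 32 address bits follow the 16-bit 2002 prefix,
    so they sit 80 bits above the low end of the 128-bit address."""
    v4 = ipaddress.IPv4Address(ipv4)
    if v4.is_multicast or v4.is_loopback or v4.is_unspecified:
        raise ValueError(f"{v4} cannot be a 6to4 tunnel endpoint")
    return ipaddress.IPv6Network((int(SIX_TO_FOUR.network_address) | (int(v4) << 80), 48))


def embedded_ipv4(ipv6):
    """Recover the IPv4 tunnel endpoint from a 6to4 address, or None when the
    address is native IPv6 (not inside 2002::/16)."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in SIX_TO_FOUR:
        return None
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)


def tunnel_endpoint(destination_ipv6):
    """What a 6to4 host or border router encapsulates toward: the address
    embedded in a 2002::/16 destination, otherwise the anycast relay, which
    is also what the well-known default router 2002:c058:6301:: encodes."""
    embedded = embedded_ipv4(destination_ipv6)
    return embedded if embedded is not None else ANYCAST_RELAY_IPV4


def well_known_relay_prefix():
    """2002:c058:6301::/48: 192.88.99.1 with subnet and host fields zero."""
    return ipv4_to_6to4_prefix(ANYCAST_RELAY_IPV4)


def relay_advertisement_ok(ipv6_prefix):
    """Check a relay's IPv6 advertisement against the rule in the text: only
    2002::/16 itself, never a more specific, so that per-site IPv4 routes do
    not leak into IPv6 routing tables."""
    return ipaddress.IPv6Network(ipv6_prefix) == SIX_TO_FOUR
```

The decapsulating side should apply the same arithmetic in reverse as a sanity check: the IPv4 source of an incoming 6to4 packet is expected to match the address embedded in the inner IPv6 source, and a mismatch is worth logging rather than forwarding.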

This is achieved by defining 192.88.99.1 as the default IPv4 address for a 6to4 relay, and 2002:c058:6301:: as the default IPv6 router prefix (“well-known prefix”) for a 6to4 site. To ensure BGP routing propagation, a short prefix of 192.88.99.0/24 has been allocated for routes pointed at 6to4 relay routers that use this Anycast IP address. Providers willing to provide 6to4 service to their clients or peers should advertise the Anycast prefix like any other IP prefix, and route the prefix to their 6to4 relay.

Anycast 6to4 implies a default configuration for the user site; it does not require any particular user action. It does require an IPv4 Anycast route to be in place to a relay at 192.88.99.1. This makes the solution available for small or domestic users, even those with a single host or simple home gateway instead of a border router.

6to4 Provider-Managed Tunnels

RFC 6343, Advisory Guidelines for 6to4 Deployment, published in August 2011, identifies a wide range of problems associated with the use of unmanaged 6to4 Anycast relay routers. A solution to many problems associated with unmanaged Anycast 6to4 is presented in IETF informational draft draft-kuarsingh-v6ops-6to4-provider-managed-tunnel-02, 6to4 Provider-Managed Tunnels (PMT). That document, a “work in progress,” proposes a solution that allows providers to exercise greater control over the routing of 6to4 traffic.

6to4 provider-managed tunnels (PMTs) facilitate the management of 6to4 tunnels using an Anycast configuration. 6to4 PMT enables service providers to improve 6to4 operation when network conditions provide suboptimal performance or break normal 6to4 operation. 6to4 PMT provides a stable provider prefix and forwarding environment by utilizing existing 6to4 relays with an added function of IPv6 prefix translation that controls the flow of return traffic. Traffic does not necessarily return to the same 6to4 gateway because of the “well-known” 6to4 prefix used and advertised by all 6to4 traffic.

The 6to4 managed tunnel model behaves like a standard 6to4 service between the customer IPv6 host or gateway and the 6to4-PMT relay (within the provider domain). The 6to4-PMT relay provides a stateless (or stateful) mapping of the 6to4 prefix to a provider-supplied prefix by mapping the embedded IPv4 address in the 6to4 prefix to the provider prefix. The 6to4-PMT relay shares properties with 6RD [RFC5969] by decapsulating and forwarding embedded IPv6 flows within an IPv4 packet. The model provides an additional function which translates the source 6to4 prefix to a provider-assigned prefix, which is not found in 6RD [RFC5969] or traditional 6to4 operation.

DS-Lite Softwires—IPv4 over IPv6

When an Internet service provider (ISP) begins to allocate new subscriber homes IPv6 addresses and IPv6-capable equipment, dual-stack lite (DS-Lite) provides a method for the private IPv4 addresses behind the IPv6 customer edge (CE) WAN equipment to reach the IPv4 network. DS-Lite enables IPv4 customers to continue to access the Internet using their current hardware by using a softwire initiator, referred to as a Basic Bridging Broadband (B4), at the customer edge to encapsulate IPv4 packets into IPv6 packets and tunnel them over an IPv6 network to a softwire concentrator, referred to as an Address Family Transition Router (AFTR), for decapsulation. DS-Lite creates the IPv6 softwires that terminate on the services PIC.

Packets coming out of the softwire can then have other services such as NAT applied to them. All of these functions are performed in a single pass of the Services PIC. DS-Lite is supported on Multiservices 100, 400, and 500 PICs on M Series routers and on MX Series routers equipped with Multiservices Dense Port Concentrators (DPCs). For more information on DS-Lite softwires, see the IETF draft Dual Stack Lite Broadband Deployments Following IPv4 Exhaustion.

NOTE: The most recent IETF draft documentation for DS-Lite uses new terminology:

• The term softwire initiator has been replaced by B4.
• The term softwire concentrator has been replaced by AFTR.

The Junos OS documentation generally uses the original terms when discussing configuration in order to be consistent with the command-line interface (CLI) statements used to configure DS-Lite.

NOTE: IPv6 Provider Edge (6PE), or MPLS-enabled IPv6, is available for ISPs with MPLS-enabled networks. These networks can now use multiprotocol Border Gateway Protocol (MP-BGP) to provide connectivity between the DS-Lite B4 and AFTR (or any two IPv6 nodes). DS-Lite properly handles encapsulation and decapsulation despite the presence of additional MPLS header information.

6rd Softwires—IPv6 over IPv4

6rd softwire flow is shown in Figure 5 on page 56.

Figure 5: 6rd Softwire Flow (figure not reproduced; it shows an IPv6 end-user local host on an IPv4 CE WAN, a 6rd tunnel across the IPv4 network to the 6rd concentrator, and an IPv6 destination host)

The Junos OS supports a 6rd softwire concentrator on a service DPC or PIC to facilitate rapid deployment of IPv6 service to subscribers on native IPv4 CE WANs. IPv6 packets are encapsulated in IPv4 packets by a softwire initiator at the CE WAN. These packets are tunneled to a softwire concentrator residing on a multiservices DPC (branch relay), which decapsulates the IPv6 packets and forwards them for IPv6 routing. A softwire is created when IPv4 packets containing IPv6 destination information are received at the softwire concentrator.

In the reverse path, IPv6 packets are sent to the Services DPC, where they are encapsulated in IPv4 packets corresponding to the proper softwire and sent to the CE WAN. The softwire concentrator creates softwires as IPv4 packets are received from the CE WAN side or IPv6 packets are received from the Internet. A 6rd softwire on the Services DPC is identified by the 3-tuple containing the service set ID, CE softwire initiator IPv4 address, and softwire concentrator IPv4 address. IPv6 flows are also created for the encapsulated IPv6 payload, and are associated with the specific softwire that carried them in the first place. When the last IPv6 flow associated with a softwire ends, the softwire is deleted. This simplifies configuration, and there is no need to create or manage tunnel interfaces.

6rd is supported on Multiservices 100, 400, and 500 PICs on M Series and T Series routers, and on MX Series platforms equipped with Multiservices DPCs. For more information on 6rd softwires, see RFC 5969, IPv6 Rapid Deployment on IPv4 Infrastructures (6rd) -- Protocol Specification.

Related Documentation

• See Network Address Translation Overview on page 48.

IPsec Overview

The Juniper Networks Junos OS supports IPsec. This section discusses the following topics, which provide background information about configuring IPsec:

• IPsec on page 57
• Security Associations on page 57
• IKE on page 58
• Comparison of IPsec Services and ES Interface Configuration on page 58

IPsec

The IPsec architecture provides a security suite for the IP version 4 (IPv4) and IP version 6 (IPv6) network layers. The suite provides such functionality as authentication of origin, data integrity, confidentiality, replay protection, and nonrepudiation of source. In addition to IPsec, the Junos OS also supports the Internet Key Exchange (IKE), which defines mechanisms for key generation and exchange, and manages security associations (SAs). IPsec also defines a security association and key management framework that can be used with any network layer protocol. The SA specifies what protection policy to apply to traffic between two IP-layer entities. IPsec provides secure tunnels between two peers. For a list of the IPsec and IKE standards supported by the Junos OS, see the Junos OS Hierarchy and RFC Reference.

Security Associations

To use IPsec security services, you create SAs between hosts. An SA is a simplex connection that allows two hosts to communicate with each other securely by means of IPsec. There are two types of SAs:

• Manual SAs require no negotiation; all values, including the keys, are static and specified in the configuration. Manual SAs statically define the security parameter index (SPI) values, algorithms, and keys to be used, and require matching configurations on both ends of the tunnel. Each peer must have the same configured options for communication to take place.

• Dynamic SAs require additional configuration. With dynamic SAs, you configure IKE first and then the SA. IKE creates dynamic security associations; it negotiates SAs for IPsec. The IKE configuration defines the algorithms and keys used to establish the secure IKE connection with the peer security gateway. This connection is then used to dynamically agree upon keys and other data used by the dynamic IPsec SA. The IKE SA is negotiated first and then used to protect the negotiations that determine the dynamic IPsec SAs.

IKE

IKE is a key management protocol that creates dynamic SAs; it negotiates SAs for IPsec. An IKE configuration defines the algorithms and keys used to establish a secure connection with a peer security gateway. IKE performs the following tasks:

• Negotiates and manages IKE and IPsec parameters.
• Authenticates secure key exchange.
• Provides mutual peer authentication by means of shared secrets (not passwords) and public keys.
• Provides identity protection (in main mode).

IKE negotiates security attributes and establishes shared secrets to form the bidirectional IKE SA. In IKE, inbound and outbound IPsec SAs are established and the IKE SA secures the exchanges. IKE also generates keying material, provides Perfect Forward Secrecy, and exchanges identities.

Two versions of the IKE protocol (IKEv1 and IKEv2) are supported. Starting with Junos OS Release 11.4, both IKEv1 and IKEv2 are supported by default on all M Series, MX Series, and T Series routers.

Comparison of IPsec Services and ES Interface Configuration

Table 4 on page 58 compares the top-level configuration of IPsec features on the ES PIC interfaces and on the AS or MultiServices PIC interfaces.

Table 4: Statement Equivalents for ES and AS Interfaces

• ES PIC: [edit security ipsec] proposal {...}
  AS and MultiServices PIC: [edit services ipsec-vpn ipsec] proposal {...}

• ES PIC: [edit security ipsec] policy {...}
  AS and MultiServices PIC: [edit services ipsec-vpn ipsec] policy {...}

• ES PIC: [edit security ipsec] security-association sa-dynamic {...}
  AS and MultiServices PIC: [edit services ipsec-vpn rule rule-name] term term-name match-conditions {...} then dynamic {...}

• ES PIC: [edit security ipsec] security-association sa-manual {...}
  AS and MultiServices PIC: [edit services ipsec-vpn rule rule-name] term term-name match-conditions {...} then manual {...}

• ES PIC: Not available
  AS and MultiServices PIC: [edit services ipsec-vpn] service-set {...}

• ES PIC: Not available
  AS and MultiServices PIC: [edit services ipsec-vpn] rule-set {...}

• ES PIC: [edit interfaces es-fpc/pic/port] tunnel source address
  AS and MultiServices PIC: [edit services ipsec-vpn service-set set-name ipsec-vpn local-gateway address]

• ES PIC: [edit interfaces es-fpc/pic/port] tunnel destination address
  AS and MultiServices PIC: [edit services ipsec-vpn rule rule-name] remote-gateway address

• ES PIC: [edit security ike] proposal {...}
  AS and MultiServices PIC: [edit services ipsec-vpn ike] proposal {...}

• ES PIC: [edit security ike] policy {...}
  AS and MultiServices PIC: [edit services ipsec-vpn ike] policy {...}

NOTE: Although many of the same statements and properties are valid on both platforms, the configurations are not interchangeable. You must commit a complete configuration for the PIC type that is installed in your router.

For more information about configuring IPsec services on an AS or MultiServices PIC, see IPsec Properties. For more information about configuring encryption services on an ES PIC, see “Configuring Encryption Interfaces” on page 995.

Layer 2 Tunneling Protocol Overview

L2TP is defined in RFC 2661, Layer Two Tunneling Protocol (L2TP). L2TP facilitates the tunneling of PPP packets across an intervening network in a way that is as transparent as possible to both end users and applications. It employs access profiles for group and individual user access, and uses authentication to establish secure connections between the two ends of each tunnel. Multilink PPP functionality is also supported.

The L2TP services are supported on the following routers only:

• M7i routers with AS PICs
• M10i routers with AS and MultiServices 100 PICs

• M120 routers with AS, MultiServices 100, and MultiServices 400 PICs

For more information, see “L2TP Services Configuration Overview” on page 415.

Voice Services Overview

Adaptive services interfaces include a voice services feature that allows you to specify interface type lsq-fpc/pic/port to accommodate voice over IP (VoIP) traffic. This interface uses compressed RTP (CRTP), which is defined in RFC 2508, Compressing IP/UDP/RTP Headers for Low-Speed Serial Links. CRTP enables VoIP traffic to use low-speed links more effectively by compressing the 40-byte IP/UDP/RTP header down to 2 to 4 bytes in most cases.

Voice services on the AS and MultiServices PICs support single-link PPP-encapsulated IPv4 traffic over the following physical interface types: ATM2, DS3, E1, E3, OC3, OC12, STM1, and T1, including the channelized versions of these interfaces. Voice services also support LFI on Juniper Networks M Series Multiservice Edge routers, except the M320 router.

For link services IQ interfaces (lsq) only, you can configure CRTP with multiclass MLPPP (MCML). Without MCML, all voice traffic belonging to a single flow is hashed to a single link in order to avoid packet ordering issues. With MCML, you can assign voice traffic to a high-priority class, and you can use multiple links. MCML greatly simplifies the packet ordering issues that occur when multiple links are used. For more information about MCML support on link services IQ interfaces, see “Configuring Link Services and CoS on Services PICs” on page 477.

Voice services do not require a separate service rules configuration. For more information about configuring voice services, see “Configuring Services Interfaces for Voice Services” on page 522.

Class of Service Overview

The CoS configuration available for the AS PIC enables you to configure Differentiated Services (DiffServ) code point (DSCP) marking and forwarding-class assignment for packets transiting the AS PIC. You can configure the CoS service alongside the stateful firewall and NAT services, using a similar rule structure. The component structures are described in detail in the Junos OS Class of Service Configuration Guide.

Standards for Differentiated Services are described in the following documents:

• RFC 2474, Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers
• RFC 2475, An Architecture for Differentiated Services

NOTE: CoS BA classification is not supported on services interfaces.

For more information about configuring CoS services, see Class-of-Service Properties.

1. For examples showing individual service configurations. } } } sp-1/0/0 { unit 0 { family inet { address 172. } output { service-set Firewall-Set.16. [edit] interfaces { fe-0/1/0 { unit 0 { family inet { service { input { service-set Firewall-Set.1.2/24. } } address 10. see the chapters that describe each service in detail.16.2/24. } } } fe-0/1/1 { unit 0 { family inet { filter { input Sample.3/24 { } } } } } Copyright © 2011.Chapter 3: Adaptive Services Overview Examples: Services Interfaces Configuration This section includes the following examples: • • • • • Example: Service Interfaces Configuration on page 61 Example: VPN Routing and Forwarding (VRF) and Service Configuration on page 64 Example: Dynamic Source NAT as a Next-Hop Service on page 65 Example: NAT Between VRFs Configuration on page 67 Example: BOOTP and Broadcast Addresses on page 70 Example: Service Interfaces Configuration The following configuration includes all the items necessary to configure services on an interface. } address 172. 61 .1. Juniper Networks. Inc.3.

1 { port 2055.4 Services Interfaces Configuration Guide forwarding-options { sampling { input { family inet { rate 1. version 5. } } output { cflowd 10. } } } rule Rule2 { match-direction output. interface sp-1/0/0 { engine-id 1.Junos 11. . accept. Juniper Networks. engine-type 136. term 1 { from { application-sets Applications. } } } } services { stateful-firewall { rule Rule1 { match-direction input. sample. } } term accept { then { accept.3. source-address 10. Inc. } } } } firewall { filter Sample { term Sample { then { count Sample.1.2. flow-active-timeout 60.3. } flow-inactive-timeout 15. term Local { from { source-address { 62 Copyright © 2011. } then { accept.1.

} application FTP { Copyright © 2011. ids-rules Attacks.2. } } } } } nat { pool public { address-range low 172. nat-rules Private-Public. Juniper Networks. term Translate { then { translated { source-pool public. } } } applications { application ICMP { application-protocol icmp.1.32.1 high 172. } } then { accept. stateful-firewall-rules Rule2. interface-service { service-interface sp-1/0/0.2. term Match { from { application-sets Applications. Inc. port automatic. 63 .2/32.16. } then { logging { syslog. translation-type source dynamic.Chapter 3: Adaptive Services Overview 10.3. } } } } } service-set Firewall-Set { stateful-firewall-rules Rule1. } rule Private-Public { match-direction input. } } } } ids { rule Attacks { match-direction output.16.

} } } } sp-1/3/0 { unit 0 { family inet.0. } application-set Applications { application ICMP.0. application FTP.0/0 next-table inet. interface sp-1/3/0. vrf-import test-policy.20.1:37. output service-set nat-me. } } [edit routing-instances] test { interface ge-0/2/0. . routing-options { static { route 0.4 Services Interfaces Configuration Guide application-protocol ftp. Inc. service-domain inside. } unit 20 { family inet. } unit 21 { family inet. } } } [edit interfaces] ge-0/2/0 { unit 0 { family inet { service { input service-set nat-me. route-distinguisher 10. instance-type vrf. Juniper Networks. } } Example: VPN Routing and Forwarding (VRF) and Service Configuration The following example combines VPN routing and forwarding (VRF) and services configuration: [edit policy-options] policy-statement test-policy { term t1 { then reject. 64 Copyright © 2011.0. vrf-export test-policy. service-domain outside.Junos 11.255.0.58. destination-port ftp.

20. Inc. } unit 20 { family inet.Chapter 3: Adaptive Services Overview } [edit services] stateful-firewall { rule allow-any-input { match-direction input. 65 . } unit 32 { family inet. } } } } } service-set nat-me { stateful-firewall-rules allow-any-input. } rule hide-all-input { match-direction input. port automatic. nat-rules hide-all-input. } } sp-1/3/0 { unit 0 { family inet. interface-service { service-interface sp-1/3/0. term t1 { then { translated { source-pool hide-pool.100. } } } nat { pool hide-pool { address 10.58. } } } Example: Dynamic Source NAT as a Next-Hop Service The following example shows dynamic-source NAT applied as a next-hop service: [edit interfaces] ge-0/2/0 { unit 0 { family mpls.16. translation-type source dynamic. } Copyright © 2011. term t1 { then accept. Juniper Networks.

nat-rules hide-all. route-distinguisher 10.0.0. Inc. vrf-import protected-domain-policy.17:37.16. next-hop-service { inside-service-interface sp-1/3/0. interface sp-1/3/0. . } rule hide-all { match-direction input.100.32.20.0.255. } } } [edit policy-options] policy-statement protected-domain-policy { term t1 { then reject. } } } } nat { pool my-pool { address 10. term t1 { then { translated { source-pool my-pool. translation-type source dynamic. } } [edit services] stateful-firewall { rule allow-all { match-direction input.58. outside-service-interface sp-1/3/0. } } } } } service-set null-sfw-with-nat { stateful-firewall-rules allow-all. port automatic.Junos 11. instance-type vrf.20.58. Juniper Networks.0/0 next-hop sp-1/3/0. routing-options { static { route 0.20.4 Services Interfaces Configuration Guide } [edit routing-instances] protected-domain { interface ge-0/2/0. term t1 { then { accept. vrf-export protected-domain-policy. } 66 Copyright © 2011.

service-domain inside. using distinct public addresses for the source and destination NAT in this scenario: • • A host in vrf-a traverses 10.201 to reach 10.1/24.58.2 in vrf-a.58.2 in vrf-b.0.16.16. service { input service-set vrf-b-svc-set.0. } unit 20 { family inet. } } [edit routing-instances] vrf-a { Copyright © 2011.0. } } } } ge-0/3/0 { unit 0 { family inet { address 10.58.1/24. A host in vrf-b traverses 10. output service-set vrf-a-svc-set. } } } } sp-1/3/0 { unit 0 { family inet. service { input service-set vrf-a-svc-set. } unit 10 { family inet.101 to reach 10.58. 67 .0. } } [edit policy-options] policy-statement test-policy { term t1 { then reject.Chapter 3: Adaptive Services Overview } Example: NAT Between VRFs Configuration The following example configuration enables NAT between VRFs with overlapping private addresses. Inc.58. Juniper Networks. service-domain inside. [edit interfaces] ge-0/2/0 { unit 0 { family inet { address 10. output service-set vrf-b-svc-set.58.

vrf-import test-policy.1.20. } rule vrf-a-input { match-direction input.0. route-distinguisher 10. } } } } nat { pool vrf-a-src-pool { address 10.1. Inc. Juniper Networks.0.4 Services Interfaces Configuration Guide interface ge-0/2/0. interface sp-1/3/0. routing-options { static { route 0.2. term t1 { then { translated { source-pool vrf-a-src-pool.100. term t1 { then { accept.Junos 11.0/0 next-table inet.0/0 next-table inet. } } } [edit services] stateful-firewall { rule allow-all { match-direction input-output.0. translation-type napt-44. vrf-export test-policy. instance-type vrf. vrf-export test-policy.2.0.58.10. } } } vrf-b { interface ge-0/3/0.0. instance-type vrf. } } } } rule vrf-a-output { 68 Copyright © 2011.0.0.58. port automatic.16. vrf-import test-policy.1:1. interface sp-1/3/0.0. } pool vrf-a-dst-pool { address 10. route-distinguisher 10.0.2:2. routing-options { static { route 0.2. .

} } service-set vrf-b-svc-set { stateful-firewall-rules allow-all.58. } then { translated { destination-pool vrf-b-dst-pool. interface-service { service-interface sp-1/3/0. } } } } } service-set vrf-a-svc-set { stateful-firewall-rules allow-all.101. Juniper Networks.10. term t1 { from { destination-address 10.Chapter 3: Adaptive Services Overview match-direction output. 69 .16. } } } } rule vrf-b-output { match-direction output. nat-rules vrf-a-output.16. Inc. term t1 { from { destination-address 10. port automatic. } then { translated { destination-pool vrf-a-dst-pool.58. translation-type destination static. nat-rules vrf-a-input.2.16. translation-type source dynamic. translation-type destination static. } } } } pool vrf-b-src-pool { address 10.58.0. Copyright © 2011. } pool vrf-b-dst-pool { address 10.58.200.201. term t1 { then { translated { source-pool vrf-b-src-pool. } rule vrf-b-input { match-direction input.

            }
        }
    }
    nat-rules vrf-b-input;
    nat-rules vrf-b-output;
    interface-service {
        service-interface sp-1/3/0.20;
    }
}

Example: BOOTP and Broadcast Addresses
The following example supports Bootstrap Protocol (BOOTP) and broadcast addresses:
[edit applications]
application bootp {
    application-protocol bootp;
    protocol udp;
    destination-port 67;
}
[edit services]
stateful-firewall bootp-support {
    rule bootp-allow {
        direction input;
        term bootp-allow {
            from {
                destination-address {
                    any-unicast;
                    255.255.255.255;
                }
                application bootp;
            }
            then {
                accept;
            }
        }
    }
}

CHAPTER 4
Applications Configuration Guidelines

You can define application protocols for the stateful firewall and Network Address Translation (NAT) services to use in match condition rules. An application protocol, or application layer gateway (ALG), defines application parameters using information from network Layer 3 and above. Examples of such applications are FTP and H.323. To configure applications that are used with services, include the following statements at the [edit applications] hierarchy level:
[edit applications]
application application-name {
    application-protocol protocol-name;
    destination-port port-number;
    icmp-code value;
    icmp-type value;
    inactivity-timeout value;
    learn-sip-register;
    protocol type;
    rpc-program-number number;
    sip-call-hold-timeout seconds;
    snmp-command command;
    source-port port-number;
    ttl-threshold value;
    uuid hex-value;
}
application-set application-set-name {
    application application-name;
}

This chapter includes the following sections:
• Configuring Application Protocol Properties on page 72
• Configuring Application Sets on page 81
• ALG Descriptions on page 81
• Verifying the Output of ALG Sessions on page 88
• Junos Default Groups on page 94
• Examples: Configuring Application Protocols on page 101

Configuring Application Protocol Properties
To configure application properties, include the application statement at the [edit applications] hierarchy level:
[edit applications]
application application-name {
    application-protocol protocol-name;
    destination-port port-number;
    icmp-code value;
    icmp-type value;
    inactivity-timeout value;
    protocol type;
    rpc-program-number number;
    snmp-command command;
    source-port port-number;
    ttl-threshold value;
    uuid hex-value;
}

You can group application objects by configuring the application-set statement; for more information, see “Configuring Application Sets” on page 81.

This section includes the following tasks for configuring applications:
• Configuring an Application Protocol on page 72
• Configuring the Network Protocol on page 74
• Configuring the ICMP Code and Type on page 75
• Configuring Source and Destination Ports on page 77
• Configuring the Inactivity Timeout Period on page 80
• Configuring an SNMP Command for Packet Matching on page 80
• Configuring an RPC Program Number on page 80
• Configuring the TTL Threshold on page 80
• Configuring a Universal Unique Identifier on page 81

Configuring an Application Protocol
The application-protocol statement allows you to specify which of the supported application protocols (ALGs) to configure and include in an application set for service processing. To configure application protocols, include the application-protocol statement at the [edit applications application application-name] hierarchy level:
[edit applications application application-name]
application-protocol protocol-name;

Table 5 on page 73 shows the list of supported protocols. For more information about specific protocols, see “ALG Descriptions” on page 81.

Requires the protocol statement to have the value udp or to be unspecified. Requires the protocol statement to have the value tcp or to be unspecified. Requires a rpc-program-number value. You cannot specify destination-port or source-port values. Requires a uuid value. Inc. Requires a destination-port value. – – Requires the protocol statement to have the value udp or to be unspecified. Requires the protocol statement to have the value udp or tcp. You cannot specify destination-port or source-port values. Juniper Networks. Requires the protocol statement to have the value udp or tcp. Requires a destination-port value. Requires the protocol statement to have the value udp or tcp. Requires a destination-port value. Requires the protocol statement to have the value icmp or to be unspecified.Chapter 4: Applications Configuration Guidelines Table 5: Application Protocols Supported by Services Interfaces Protocol Name Bootstrap protocol (BOOTP) Distributed Computing Environment (DCE) remote procedure call (RPC) DCE RPC portmap CLI Value bootp dce-rpc Comments Supports BOOTP and dynamic host configuration protocol (DHCP). dce-rpc-portmap Domain Name System (DNS) dns Exec exec FTP ftp Internet Control Message Protocol (ICMP) IP Login NetBIOS icmp ip login netbios NetShow netshow Real-Time Streaming Protocol (RTSP) RPC User Datagram Protocol (UDP) or TCP rtsp rpc RPC port mapping rpc-portmap Shell shell SNMP snmp SQLNet sqlnet Copyright © 2011. Requires a destination-port value. Requires a destination-port value. Requires the protocol statement to have the value udp. 73 . Requires the protocol statement to have the value tcp or to be unspecified. Requires a destination-port value. Requires the protocol statement to have the value udp or tcp. Requires a destination-port value. Requires a destination-port or source-port value. Requires the protocol statement to have the value tcp or to be unspecified. Requires a destination-port value. Requires a destination-port value. 
Requires the protocol statement to have the value tcp or to be unspecified. Requires the protocol statement to have the value tcp or to be unspecified. This application protocol closes the DNS flow as soon as the DNS response is received. Requires the protocol statement to have the value tcp or to be unspecified.

Table 5: Application Protocols Supported by Services Interfaces (continued)
Trace route
  CLI Value: traceroute
  Comments: Requires the protocol statement to have the value udp or to be unspecified. Requires a destination-port value.
Trivial FTP (TFTP)
  CLI Value: tftp
  Comments: Requires the protocol statement to have the value udp or to be unspecified. Requires a destination-port value.

NOTE: You can configure application-level gateways (ALGs) for ICMP and trace route under stateful firewall, NAT, or CoS rules when twice NAT is configured in the same service set. These ALGs cannot be applied to flows created by the Packet Gateway Controller Protocol (PGCP). Twice NAT does not support any other ALGs. NAT applies only the IP address and TCP or UDP headers, but not the payload. For more information about configuring twice NAT, see Network Address Translation.

Configuring the Network Protocol
The protocol statement allows you to specify which of the supported network protocols to match in an application definition. Table 6 on page 74 shows the list of the supported protocols. To configure network protocols, include the protocol statement at the [edit applications application application-name] hierarchy level:
[edit applications application application-name]
protocol type;

You specify the protocol type as a numeric value; for the more commonly used protocols, text names are also supported in the command-line interface (CLI).

Table 6: Network Protocols Supported by Services Interfaces
Network Protocol Type                              CLI Value   Comments
IP Security (IPsec) authentication header (AH)     ah          –
External Gateway Protocol (EGP)                    egp         –
IPsec Encapsulating Security Payload (ESP)         esp         –
Generic routing encapsulation (GRE)                gre         –
ICMP                                               icmp        Requires an application-protocol value of icmp.

Table 6: Network Protocols Supported by Services Interfaces (continued)
Network Protocol Type                              CLI Value   Comments
Internet Group Management Protocol (IGMP)          igmp        –
IP in IP                                           ipip        –
OSPF                                               ospf        –
Protocol Independent Multicast (PIM)               pim         –
Resource Reservation Protocol (RSVP)               rsvp        –
TCP                                                tcp         Requires a destination-port or source-port value unless you specify application-protocol rpc or dce-rpc.
UDP                                                udp         Requires a destination-port or source-port value unless you specify application-protocol rpc or dce-rpc.
Virtual Router Redundancy Protocol (VRRP)          vrrp        –

For a complete list of possible numeric values, see RFC 1700, Assigned Numbers (for the Internet Protocol Suite).

NOTE: IP version 6 (IPv6) is not supported as a network protocol in application definitions.

You can include the protocol tcp and protocol udp statements with the application statement for twice NAT configurations. By default, the twice NAT feature can affect IP, TCP, and UDP headers embedded in the payload of ICMP error messages. For more information about configuring twice NAT, see Network Address Translation.

Configuring the ICMP Code and Type
The ICMP code and type provide additional specification, in conjunction with the network protocol, for packet matching in an application definition. Table 7 on page 76 shows the list of supported ICMP values. To configure ICMP settings, include the icmp-code and icmp-type statements at the [edit applications application application-name] hierarchy level:
[edit applications application application-name]
icmp-code value;
icmp-type value;

You can include only one ICMP code and type value. The application-protocol statement must have the value icmp.

Table 7: ICMP Codes and Types Supported by Services Interfaces
CLI Statement: icmp-code
  Description: This value or keyword provides more specific information than icmp-type. Because the value’s meaning depends upon the associated icmp-type value, you must specify icmp-type along with icmp-code. For more information, see the Junos OS Routing Policy Configuration Guide.
  In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed). The keywords are grouped by the ICMP type with which they are associated:
  parameter-problem: ip-header-bad (0), required-option-missing (1)
  redirect: redirect-for-host (1), redirect-for-network (0), redirect-for-tos-and-host (3), redirect-for-tos-and-net (2)
  time-exceeded: ttl-eq-zero-during-reassembly (1), ttl-eq-zero-during-transit (0)
  unreachable: communication-prohibited-by-filtering (13), destination-host-prohibited (10), destination-host-unknown (7), destination-network-prohibited (9), destination-network-unknown (6), fragmentation-needed (4), host-precedence-violation (14), host-unreachable (1), host-unreachable-for-TOS (12), network-unreachable (0), network-unreachable-for-TOS (11), port-unreachable (3), precedence-cutoff-in-effect (15), protocol-unreachable (2), source-host-isolated (8), source-route-failed (5)
CLI Statement: icmp-type
  Description: Normally, you specify this match in conjunction with the protocol match statement to determine which protocol is being used on the port. For more information, see the Junos OS Routing Policy Configuration Guide.
  In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): echo-reply (0), echo-request (8), info-reply (16), info-request (15), mask-request (17), mask-reply (18), parameter-problem (12), redirect (5), router-advertisement (9), router-solicit (10), source-quench (4), time-exceeded (11), timestamp (13), timestamp-reply (14), or unreachable (3).

NOTE: If you configure an interface with an input firewall filter that includes a reject action and with a service set that includes stateful firewall rules, the router executes the input firewall filter before the stateful firewall rules are run on the packet. As a result, when the Packet Forwarding Engine sends an ICMP error message out through the interface, the stateful firewall rules might drop the packet because it was not seen in the input direction. Possible workarounds are to include a forwarding-table filter to perform the reject action, because this type of filter is executed after the stateful firewall in the input direction, or to include an output service filter to prevent the locally generated ICMP packets from going to the stateful firewall service.

Configuring Source and Destination Ports
The TCP or UDP source and destination port provide additional specification, in conjunction with the network protocol, for packet matching in an application definition. You must define one source or destination port. Normally, you specify this match in conjunction with the protocol match statement to determine which protocol is being used on the port; for constraints, see Table 5 on page 73. To configure ports, include the destination-port and source-port statements at the [edit applications application application-name] hierarchy level:
[edit applications application application-name]
destination-port value;
source-port value;

You can specify either a numeric value or one of the text synonyms listed in Table 8 on page 77.

Table 8: Port Names Supported by Services Interfaces
Port Name        Corresponding Port Number
afs              1483
bgp              179
biff             512
bootpc           68
bootps           67
cmd              514
cvspserver       2401
dhcp             67
domain           53
eklogin          2105
ekshell          2106
exec             512
finger           79
ftp              21
ftp-data         20

Table 8: Port Names Supported by Services Interfaces (continued)
Port Name        Corresponding Port Number
http             80
https            443
ident            113
imap             143
kerberos-sec     88
klogin           543
kpasswd          761
krb-prop         754
krbupdate        760
kshell           544
ldap             389
login            513
mobileip-agent   434
mobilip-mn       435
msdp             639
netbios-dgm      138
netbios-ns       137
netbios-ssn      139
nfsd             2049
nntp             119
ntalk            518
ntp              123
pop3             110
pptp             1723

Table 8: Port Names Supported by Services Interfaces (continued)
Port Name        Corresponding Port Number
printer          515
radacct          1813
radius           1812
rip              520
rkinit           2108
smtp             25
snmp             161
snmptrap         162
snpp             444
socks            1080
ssh              22
sunrpc           111
syslog           514
tacacs-ds        65
talk             517
telnet           23
tftp             69
timed            525
who              513
xdmcp            177
zephyr-clt       2103
zephyr-hm        2104

For more information about matching criteria, see the Junos OS Routing Policy Configuration Guide.

Configuring the Inactivity Timeout Period
You can specify a timeout period for application inactivity. If the software has not detected any activity during the duration, the flow becomes invalid when the timer expires. To configure a timeout period, include the inactivity-timeout statement at the [edit applications application application-name] hierarchy level:
[edit applications application application-name]
inactivity-timeout seconds;

The default value is 30 seconds. The value you configure for an application overrides any global value configured at the [edit interfaces interface-name service-options] hierarchy level; for more information, see “Configuring Default Timeout Settings for Services Interfaces” on page 614.

Configuring an SNMP Command for Packet Matching
You can specify an SNMP command setting for packet matching. To configure SNMP, include the snmp-command statement at the [edit applications application application-name] hierarchy level:
[edit applications application application-name]
snmp-command value;

The supported values are get, get-next, set, and trap. You can configure only one value for matching. The application-protocol statement at the [edit applications application application-name] hierarchy level must have the value snmp. For information about specifying the application protocol, see “Configuring an Application Protocol” on page 72.

Configuring an RPC Program Number
You can specify an RPC program number for packet matching. To configure an RPC program number, include the rpc-program-number statement at the [edit applications application application-name] hierarchy level:
[edit applications application application-name]
rpc-program-number number;

The range of values used for DCE or RPC is from 100,000 through 400,000. The application-protocol statement at the [edit applications application application-name] hierarchy level must have the value rpc. For information about specifying the application protocol, see “Configuring an Application Protocol” on page 72.

Configuring the TTL Threshold
You can specify a trace route time-to-live (TTL) threshold value, which controls the acceptable level of network penetration for trace routing. To configure a TTL value, include the ttl-threshold statement at the [edit applications application application-name] hierarchy level:
[edit applications application application-name]
ttl-threshold value;


The application-protocol statement at the [edit applications application application-name] hierarchy level must have the value traceroute. For information about specifying the application protocol, see “Configuring an Application Protocol” on page 72.

Configuring a Universal Unique Identifier
You can specify a Universal Unique Identifier (UUID) for DCE RPC objects. To configure a UUID value, include the uuid statement at the [edit applications application application-name] hierarchy level:
[edit applications application application-name] uuid hex-value;

The uuid value is in hexadecimal notation. The application-protocol statement at the [edit applications application application-name] hierarchy level must have the value dce-rpc. For information about specifying the application protocol, see “Configuring an Application Protocol” on page 72. For more information on UUID numbers, see http://www.opengroup.org/onlinepubs/9629399/apdxa.htm.

Configuring Application Sets
You can group the applications you have defined into a named object by including the application-set statement at the [edit applications] hierarchy level with an application statement for each application:
[edit applications] application-set application-set-name { application application; }

For an example of a typical application set, see “Examples: Configuring Application Protocols” on page 101.
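The following is an added example, not taken from this guide, that puts the statements described in the preceding sections together: several application definitions that respect the Table 5 constraints, an application set that groups them, and a stateful firewall rule that references the set. The application, set and rule names are assumed for illustration.

```junos
[edit applications]
/* FTP ALG: Table 5 requires protocol tcp (or unspecified) and a destination-port */
application ftp-control {
    application-protocol ftp;
    protocol tcp;
    /* the Table 8 text synonym ftp would also be accepted here */
    destination-port 21;
    /* per-application override of the 30-second default inactivity timeout */
    inactivity-timeout 300;
}
/* DNS ALG: the flow is closed as soon as the DNS response is seen */
application dns-query {
    application-protocol dns;
    protocol udp;
    destination-port 53;
}
/* SNMP ALG with snmp-command: matches only get requests to the agent port */
application snmp-get {
    application-protocol snmp;
    protocol udp;
    destination-port 161;
    snmp-command get;
}
/* ICMP ALG: destination-port and source-port are not allowed; echo-request is the keyword for type 8 */
application icmp-echo-request {
    application-protocol icmp;
    protocol icmp;
    icmp-type echo-request;
}
/* icmp-code is only meaningful together with icmp-type (Table 7): type 3, code 3 */
application icmp-port-unreachable {
    application-protocol icmp;
    protocol icmp;
    icmp-type unreachable;
    icmp-code port-unreachable;
}
/* the set is what a service rule references; hypothetical name */
application-set branch-allowed-apps {
    application ftp-control;
    application dns-query;
    application snmp-get;
    application icmp-echo-request;
    application icmp-port-unreachable;
}
[edit services]
stateful-firewall {
    rule allow-branch-apps {
        match-direction input;
        term allowed {
            from {
                application-sets branch-allowed-apps;
            }
            then {
                accept;
            }
        }
        /* anything not matched above is dropped; replies and ALG-negotiated
           data connections are still admitted through the flows the ALGs create */
        term deny-rest {
            then {
                discard;
            }
        }
    }
}
```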

ALG Descriptions
This section includes details about the ALGs. It includes the following:
• Basic TCP ALG on page 82
• Basic UDP ALG on page 82
• BOOTP on page 83
• DCE RPC Services on page 83
• ONC RPC Services on page 83
• FTP on page 83
• ICMP on page 84
• NetShow on page 84
• RPC and RPC Portmap Services on page 84
• RTSP on page 86
• SMB on page 86
• SNMP on page 86
• SQLNet on page 87
• TFTP on page 87
• Traceroute on page 87
• UNIX Remote-Shell Services on page 87

Basic TCP ALG
This ALG performs basic sanity checking on TCP packets. If it finds errors, it generates the following anomaly events and system log messages:
• TCP source or destination port zero
• TCP header length check failed
• TCP sequence number zero and no flags are set
• TCP sequence number zero and FIN/PSH/RST flags are set
• TCP FIN/RST or SYN(URG|FIN|RST) flags set

The TCP ALG performs the following steps:
1. When the router receives a SYN packet, the ALG creates TCP forward and reverse flows and groups them in a conversation. It tracks the TCP three-way handshake.
2. The SYN-defense mechanism tracks the TCP connection establishment state. It expects the TCP session to be established within a small time interval (currently 4 seconds). If the TCP three-way handshake is not established in that period, the session is terminated.
3. A keepalive mechanism detects TCP sessions with nonresponsive endpoints.
4. ICMP errors are allowed only if there is a flow that matches the selector information specified in the ICMP data.

Basic UDP ALG
This ALG performs basic sanity checking on UDP headers. If it finds errors, it generates the following anomaly events and system log messages:
• UDP source or destination port 0
• UDP header length check failed

The UDP ALG performs the following steps:
1. When it receives the first packet, the ALG creates bidirectional flows to accept forward and reverse UDP session traffic.
2. If the session is idle for more than the maximum allowed idle time (the default is 30 seconds), the flows are deleted.
3. ICMP errors are allowed only if there is a flow that matches the selector information specified in the ICMP data.


BOOTP
The Bootstrap Protocol client retrieves its networking information from a server across the network. It sends out a general broadcast message to request the information, which is returned by the Bootstrap Protocol server. For the protocol specification, see ftp://ftp.isi.edu/in-notes/rfc951.txt. Stateful firewall support requires that you configure the BOOTP ALG on UDP server port 67 and client port 68. If the client sends a broadcast message, you should configure the broadcast address in the from statement of the service rule. NAT is not performed on the BOOTP traffic, even if the NAT rule matches the traffic. If the BOOTP relay feature is activated on the router, the remote BOOTP server is assumed to assign addresses for clients masked by NAT translation.

DCE RPC Services
DCE RPC services are mainly used by Microsoft applications. The ALG uses well-known TCP port 135 for port mapping services and uses the Universal Unique Identifier (UUID) instead of the program number to identify protocols. The main application-based DCE RPC is the Microsoft Exchange Protocol. Support for stateful firewall and NAT services requires that you configure the DCE RPC portmap ALG on TCP port 135. The DCE RPC ALG uses the TCP protocol with application-specific UUIDs.

ONC RPC Services
ONC RPC services function similarly to DCE RPC services. However, the ONC RPC ALG uses TCP/UDP port 111 for port mapping services and uses the program number to identify protocols rather than the UUID. Support for stateful firewall and NAT services requires that you configure the ONC RPC portmap ALG on TCP port 111. The ONC RPC ALG uses the TCP protocol with application-specific program numbers.

FTP
FTP is the File Transfer Protocol, specified in RFC 959. In addition to the main control connection, data connections are also made for any data transfer between the client and the server, and the host, port, and direction are negotiated through the control channel. For non-passive-mode FTP, the Junos stateful firewall service scans the client-to-server application data for the PORT command, which provides the IP address and port number to which the server connects. For passive-mode FTP, the Junos stateful firewall service scans the client-to-server application data for the PASV command and then scans the server-to-client responses for the 227 response, which contains the IP address and port number to which the client connects. There is an additional complication: FTP represents these addresses and port numbers in ASCII. As a result, when addresses and ports are rewritten, the TCP sequence number might be changed, and thereafter the NAT service needs to maintain this delta in SEQ and ACK numbers by performing sequence NAT on all subsequent packets. Support for stateful firewall and NAT services requires that you configure the FTP ALG on TCP port 21 to enable the FTP control protocol. The ALG performs the following tasks:

• Automatically allocates data ports and firewall permissions for dynamic data connection
• Creates flows for the dynamically negotiated data connection
• Monitors the control connection in both active and passive modes
• Rewrites the control packets with the appropriate NAT address and port information

ICMP
The Internet Control Message Protocol (ICMP) is defined in RFC 792. The Junos stateful firewall service allows ICMP messages to be filtered by specific type or specific type code value. ICMP error packets that lack a specifically configured type and code are matched against any existing flow in the opposite direction to check for the legitimacy of the error packet. ICMP error packets that pass the filter matching are subject to NAT translation. The ICMP ALG always tracks ping traffic statefully using the ICMP sequence number. Each echo reply is forwarded only if there is an echo request with the corresponding sequence number. For any ping flow, only 20 echo requests can be forwarded without receiving an echo reply. When you configure dynamic NAT, the PING packet identifier is translated to allow additional hosts in the NAT pool to use the same identifier. Support for stateful firewall and NAT services requires that you configure the ICMP ALG if the protocol is needed. You can configure the ICMP type and code for additional filtering.

NetShow
The Microsoft protocol ms-streaming is used by NetShow, the Microsoft media server. This protocol supports several transport protocols: TCP, UDP, and HTTP. The client starts a TCP connection on port 1755 and sends the PORT command to the server. The server then starts UDP on that port to the client. Support for stateful firewall and NAT services requires that you configure the NetShow ALG on UDP port 1755.

RPC and RPC Portmap Services
The Remote Procedure Call (RPC) ALG uses well-known ports TCP 111 and UDP 111 for port mapping, which dynamically assigns and opens ports for RPC services. The RPC Portmap ALG keeps track of port requests and dynamically opens the firewall for these requested ports. The RPC ALG can further restrict the RPC protocol by specifying allowed program numbers. The ALG includes the RPC services listed in Table 9 on page 85:

Table 9: Supported RPC Services
rpc-mountd
  Description: Network File Server (NFS) mount daemon; for details, see the UNIX man page for rpc.mountd(8).
  Comments: The base support is RPC v2 and the port mapper service on port 111 (see RFC 1050).
rpc-nfsprog
  Description: Used as part of NFS. For details, see RFC 1094. See also RFC 1813 for NFS v3.
  Comments: The base support is RPC v2 and the port mapper service on port 111 (see RFC 1050).
rpc-nisplus
  Description: Network Information Service Plus (NIS+), designed to replace NIS; it is a default naming service for Sun Solaris and is not related to the old NIS. No protocol information is available.
  Comments: The base support is RPC v2 and the port mapper service on port 111 (see RFC 1050).
rpc-nlockmgr
  Description: Network lock manager.
  Comments: The base support is RPC v2 and the port mapper service on port 111 (see RFC 1050). Once the RPC program table is built, rpc-nlockmgr service can be allowed or blocked based on RPC program 100021.
rpc-pcnfsd
rpc-rstat
  Description: Kernel statistics server. For details, see the UNIX man pages for rstatd and rpc.rstatd.
  Comments: The base support is RPC v2 and the port mapper service on port 111 (see RFC 1050). Once the RPC program table is built, rpc-rstat service can be allowed or blocked based on RPC program 150001.
rpc-rwall
  Description: Used to write a message to users; for details, see the UNIX man page for rpc.rwalld.
  Comments: The base support is RPC v2 and the port mapper service on port 111 (see RFC 1050). Once the RPC program table is built, rpc-rwall service can be allowed or blocked based on RPC program 150008.
rpc-ypbind
  Description: NIS binding process. For details, see the UNIX man page for ypbind.
  Comments: The base support is RPC v2 and the port mapper service on port 111 (see RFC 1050). Once the RPC program table is built, rpc-ypbind service can be allowed or blocked based on RPC program 100007.
rpc-yppasswd
  Description: NIS password server. For details, see the UNIX man page for yppasswd.
  Comments: The base support is RPC v2 and the port mapper service on port 111 (see RFC 1050). Once the RPC program table is built, rpc-yppasswd service can be allowed or blocked based on RPC program 100009.
rpc-ypserv
  Description: NIS server. For details, see the UNIX man page for ypserv.
  Comments: The base support is RPC v2 and the port mapper service on port 111 (see RFC 1050). Once the RPC program table is built, rpc-ypserv service can be allowed or blocked based on RPC program 100004.
rpc-ypupdated
  Description: Network updating tool.
  Comments: The base support is RPC v2 and the port mapper service on port 111 (see RFC 1050). Once the RPC program table is built, rpc-ypupdated service can be allowed or blocked based on RPC program 100028.
rpc-ypxfrd
  Description: NIS map transfer server. For details, see the UNIX man page for rpc.ypxfrd.
  Comments: The base support is RPC v2 and the port mapper service on port 111 (see RFC 1050). Once the RPC program table is built, rpc-ypxfrd service can be allowed or blocked based on RPC program 100069.

Support for stateful firewall and NAT services that use port mapping requires that you configure the RPC portmap ALG on TCP/UDP destination port 111 and the RPC ALG for both TCP and UDP. You can specify one or more rpc-program-number values to further restrict allowed RPC protocols.
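As an added example that is not part of this guide, one way to combine the portmap ALG with program-number restriction: the port mapper is allowed on TCP and UDP port 111, but of the services it registers only rpc-nlockmgr (program 100021) and rpc-ypserv (program 100004) from Table 9 are accepted. The application, set and rule names are assumed.

```junos
[edit applications]
/* portmap ALG: Table 5 requires protocol udp or tcp and a destination-port */
application rpc-portmap-tcp {
    application-protocol rpc-portmap;
    protocol tcp;
    destination-port 111;
}
application rpc-portmap-udp {
    application-protocol rpc-portmap;
    protocol udp;
    destination-port 111;
}
/* RPC ALG: matched by rpc-program-number rather than by port; one program per application */
application rpc-nlockmgr-tcp {
    application-protocol rpc;
    protocol tcp;
    rpc-program-number 100021;
}
application rpc-nlockmgr-udp {
    application-protocol rpc;
    protocol udp;
    rpc-program-number 100021;
}
application rpc-ypserv-tcp {
    application-protocol rpc;
    protocol tcp;
    rpc-program-number 100004;
}
application rpc-ypserv-udp {
    application-protocol rpc;
    protocol udp;
    rpc-program-number 100004;
}
/* hypothetical set name grouping the port mapper and the two permitted programs */
application-set rpc-lock-and-nis {
    application rpc-portmap-tcp;
    application rpc-portmap-udp;
    application rpc-nlockmgr-tcp;
    application rpc-nlockmgr-udp;
    application rpc-ypserv-tcp;
    application rpc-ypserv-udp;
}
[edit services]
stateful-firewall {
    rule rpc-restricted {
        match-direction input;
        term permitted-programs {
            from {
                application-sets rpc-lock-and-nis;
            }
            then {
                accept;
            }
        }
        /* other programs registered with the port mapper (for example rpc-rwall,
           program 150008) fall through to this term and are dropped */
        term deny-rest {
            then {
                discard;
            }
        }
    }
}
```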

RTSP
The Real-Time Streaming Protocol (RTSP) controls the delivery of data with real-time properties such as audio and video. The streams controlled by RTSP may use RTP, but it is not required. Media may be transmitted on the same RTSP control stream. This is an HTTP-like text-based protocol, but client and server maintain session information. A session is established using the SETUP message and terminated using the TEARDOWN message. The transport (the media protocol, address, and port numbers) is negotiated in the setup and the setup-response. Support for stateful firewall and NAT services requires that you configure the RTSP ALG for TCP port 554. The ALG monitors the control connection, opens flows dynamically for media (RTP/RTSP) streams, and performs NAT address and port rewrites.

SMB
Server message block (SMB) is a popular PC protocol that allows sharing of files, disks, directories, printers, and in some cases, COM ports across a network. SMB is a client/server, request-response-based protocol. Though there are some exceptions to this, most of the communication takes place using the request reply paradigm. Servers make file systems and resources available to clients on the network. Clients can send commands (smbs) to the server that allow them to access these shared resources. SMB can run over multiple protocols, including TCP/IP, NetBEUI, and IPX/SPX. In almost all cases, the NetBIOS interface is used. Microsoft is trying to rename SMB-based networking to Windows Networking and the protocol to CIFS. The SMB protocol is undocumented, although there is a public CIFS group. For more information, refer to the following link on CIFS: ftp://ftp.microsoft.com/developr/drg/CIFS/. The SMB name service uses well-known UDP and TCP port 137, without requiring a special ALG. For NetBIOS data tunneled through UDP port 138 or TCP port 139, you must configure the NetBIOS ALG. Support for stateful firewall and NAT services requires that you configure the NetBIOS ALG on UDP port 138 and TCP port 139. For SMB name services, both TCP and UDP port 137 must be opened, without a special ALG.

SNMP
SNMP is a communication protocol for managing TCP/IP networks, including both individual network devices and aggregated devices. The protocol is defined by RFC 1157. SNMP runs on top of UDP. The Junos stateful firewall service implements the SNMP ALG to inspect the SNMP PDU type. The ALG does not enforce a stateful flow; each SNMP type must be enabled specifically, using the snmp-command statement (the predefined junos-snmp-get, junos-snmp-get-next, junos-snmp-response, and junos-snmp-trap applications correspond to these types). Full SNMP support of stateful firewall services requires that you configure the SNMP ALG on UDP port 161. This enables the SNMP get and get-next commands, as well as their response traffic in the reverse direction: UDP port 161 enables the SNMP get-response command. If SNMP traps are permitted, you can configure them on UDP port 162, enabling the SNMP trap command.

Copyright © 2011, Juniper Networks, Inc.

Chapter 4: Applications Configuration Guidelines

SQLNet
The SQLNet protocol is used by Oracle SQL servers to execute SQL commands from clients, including load balancing and application-specific services. Support of stateful firewall and NAT services requires that you configure the SQLNet ALG for TCP port 1521. The ALG monitors the control packets, opens flows dynamically for data traffic, and performs NAT address and port rewrites.

TFTP
The Trivial File Transfer Protocol (TFTP) is specified in RFC 1350. The initial TFTP request is sent to UDP destination port 69; the server answers from a newly chosen ephemeral port rather than from port 69, so each file that is read or written creates an additional flow. Support of stateful firewall and NAT services requires that you configure the TFTP ALG for UDP destination port 69 so that these additional per-transfer flows can be opened.

Traceroute
Traceroute is a tool for displaying the route that packets take to a network host. It uses the IP TTL field to trigger ICMP time-exceeded messages from routers or gateways. It sends UDP datagrams to destination ports that are believed to be not in use; destination ports are numbered using the formula base + nhops – 1. The default base port is 33434. To support traceroute through the firewall, two types of traffic must be passed through:

1. UDP probe packets (UDP destination port > 33000, IP TTL < 30)

2. ICMP response packets (ICMP type time-exceeded)

When NAT is applied, the IP address and port within the ICMP error packet also need to be changed. Support of stateful firewall and NAT services requires you to configure the Traceroute ALG for UDP destination ports 33434 to 33450 (the predefined junos-traceroute application covers 33435 through 33450). In addition, you can configure the TTL threshold (ttl-threshold) to prevent UDP flood attacks with large TTL values: probes whose TTL exceeds the threshold are discarded.

UNIX Remote-Shell Services
Three protocols form the basis for UNIX remote-shell services:

• Exec—Remote command execution; enables a user on the client system to execute a command on the remote system. The first command from client (rcmd) to server (rshd) uses well-known TCP port 512. A second TCP connection can be opened at the request of rcmd. The client port number for the second connection is sent to the server as an ASCII string.

• Login—Better known as rlogin; uses well-known TCP port 513. For details, see RFC 1282. No special firewall processing is required.

• Shell—Remote command execution; enables a user on the client system to execute a command on the remote system. The first command from client (rcmd) to server (rshd) uses well-known TCP port 514. A second TCP connection can be opened at the request of rcmd. The client port number for the second connection is sent to the server as an ASCII string.

The second connection is opened from the server back to the client on the port named in that ASCII string (it carries the command's standard error stream), which is why a stateful firewall needs the ALG to read the port number from the payload and open the return flow. Support of stateful firewall services requires that you configure the Exec ALG on TCP port 512, the Login ALG on TCP port 513, and the Shell ALG on TCP port 514. NAT remote-shell services require that any dynamic source port assigned be within the port range 512 to 1023, because rshd and rlogind accept connections only from privileged client source ports. If you configure a NAT pool, this port range is reserved exclusively for remote shell applications.

Verifying the Output of ALG Sessions
This section contains examples of successful output from ALG sessions and information on system log configuration. You can compare the results of your sessions to check whether the configurations are functioning correctly.
• FTP Example on page 88
• RTSP ALG Example on page 91
• System Log Messages on page 93

FTP Example
This example analyzes the output during an active FTP session. It consists of four different flows; two are control flows and two are data flows. The example consists of the following parts:
• Sample Output on page 88
• FTP System Log Messages on page 89
• Analysis on page 90
• Troubleshooting Questions on page 90

Sample Output
The following is a complete sample output from the show services stateful-firewall conversations application-protocol ftp operational mode command:

user@host> show services stateful-firewall conversations application-protocol ftp
Interface: ms-1/3/0, Service set: CLBJI1-AAF001
Conversation: ALG protocol: ftp
  Number of initiators: 2, Number of responders: 2
Flow                                            State    Dir  Frm count
TCP  1.1.79.2:14083   ->  2.2.2.2:21            Watch    I    13
  NAT source 1.1.79.2:14083 -> 194.250.1.237:50118
TCP  1.1.79.2:14104   ->  2.2.2.2:20            Forward  I    3
  NAT source 1.1.79.2:14104 -> 194.250.1.237:50119
TCP  2.2.2.2:21       ->  194.250.1.237:50118   Watch    O    12
  NAT dest   194.250.1.237:50118 -> 1.1.79.2:14083
TCP  2.2.2.2:20       ->  194.250.1.237:50119   Forward  O    5
  NAT dest   194.250.1.237:50119 -> 1.1.79.2:14104


For each flow, the first line shows flow information, including protocol (TCP), source address, source port, destination address, destination port, flow state, direction, and frame count.

The state of a flow can be Watch, Forward, or Drop:

• A Watch flow state indicates that the control flow is monitored by the ALG for information in the payload. NAT processing is performed on the header and payload as needed.
• A Forward flow forwards the packets without monitoring the payload. NAT is performed on the header as needed.
• A Drop flow drops any packet that matches the 5 tuple.

The frame count (Frm count) shows the number of packets that were processed on that flow.

The second line shows the NAT information.

• source indicates source NAT.
• dest indicates destination NAT.
• The first address and port in the NAT line are the original address and port being translated for that flow. The second address and port in the NAT line are the translated address and port for that flow.

FTP System Log Messages
System log messages are generated during an FTP session. For more information about system logs, see “System Log Messages” on page 93. The following system log messages are generated during creation of the FTP control flow:

Rule Accept system log:
Oct 27 11:42:54 (FPC Slot 1, PIC Slot 1) {ss_ftp}[FWNAT]: ASP_SFW_RULE_ACCEPT: proto 6 (TCP) application: ftp, fe-3/3/3.0:1.1.1.2:4450 -> 2.2.2.2:21, Match SFW accept rule-set:, rule: ftp, term: 1

Create Accept Flow system log:
Oct 27 11:42:54 (FPC Slot 1, PIC Slot 1) {ss_ftp}[FWNAT]: ASP_SFW_CREATE_ACCEPT_FLOW: proto 6 (TCP) application: ftp, fe-3/3/3.0:1.1.1.2:4450 -> 2.2.2.2:21, creating forward or watch flow

System log for data flow creation:
Oct 27 11:43:30 (FPC Slot 1, PIC Slot 1) {ss_ftp}[FWNAT]: ASP_SFW_FTP_ACTIVE_ACCEPT: proto 6 (TCP) application: ftp, so-2/1/2.0:2.2.2.2:20 -> 1.1.1.2:50726, Creating FTP active mode forward flow


Analysis
Control Flows

The control flows are established after the three-way handshake is complete.

Control flow from FTP client to FTP server. TCP destination port is 21.

TCP  1.1.79.2:14083  ->  2.2.2.2:21            Watch    I    13
  NAT source 1.1.79.2:14083 -> 194.250.1.237:50118

Control flow from FTP server to FTP client. TCP source port is 21.

TCP  2.2.2.2:21  ->  194.250.1.237:50118       Watch    O    12
  NAT dest   194.250.1.237:50118 -> 1.1.79.2:14083

Data Flows

A data port of 20 is negotiated for data transfer during the course of the FTP control protocol. These two flows are data flows between the FTP client and the FTP server:

TCP  1.1.79.2:14104  ->  2.2.2.2:20            Forward  I    3
  NAT source 1.1.79.2:14104 -> 194.250.1.237:50119
TCP  2.2.2.2:20  ->  194.250.1.237:50119       Forward  O    5
  NAT dest   194.250.1.237:50119 -> 1.1.79.2:14104

Troubleshooting Questions
1. How do I know if the FTP ALG is active?

• The ALG protocol field in the conversation should display ftp.
• There should be a valid frame count (Frm count) in the control flows.
• A valid frame count in the data flows indicates that data transfer has taken place.

2. What do I need to check if the FTP connection is established but data transfer does not take place?

• Most probably, the control connection is up, but the data connection is down.
• Check the conversations output to determine whether both the control and data flows are present.

3. How do I interpret each flow? What does each flow mean?

• FTP control flow initiator flow—Flow with destination port 21
• FTP control flow responder flow—Flow with source port 21
• FTP data flow initiator flow—Flow with destination port 20
• FTP data flow responder flow—Flow with source port 20

Port 20 applies to active-mode transfers such as the one in this example; in passive mode the data flows use the port the server announces in its PASV reply, and the ALG opens them in the same way.


RTSP ALG Example
The following is an example of an RTSP conversation. The application uses the RTSP protocol for control connection. Once the connection is set up, the media is sent using UDP protocol (RTP). This example consists of the following:
• Sample Output on page 91
• Analysis on page 91
• Troubleshooting Questions on page 91

Sample Output
Here is the output from the show services stateful-firewall conversations operational mode command:

user@host> show services stateful-firewall conversations
Interface: ms-3/2/0, Service set: svc_set
Conversation: ALG protocol: rtsp
  Number of initiators: 5, Number of responders: 5
Flow                                   State    Dir  Frm count
TCP  1.1.1.3:58795  ->  2.2.2.2:554    Watch    I    7
UDP  1.1.1.3:1028   ->  2.2.2.2:1028   Forward  I    0
UDP  1.1.1.3:1029   ->  2.2.2.2:1029   Forward  I    0
UDP  1.1.1.3:1030   ->  2.2.2.2:1030   Forward  I    0
UDP  1.1.1.3:1031   ->  2.2.2.2:1031   Forward  I    0
TCP  2.2.2.2:554    ->  1.1.1.3:58795  Watch    O    5
UDP  2.2.2.2:1028   ->  1.1.1.3:1028   Forward  O    6
UDP  2.2.2.2:1029   ->  1.1.1.3:1029   Forward  O    0
UDP  2.2.2.2:1030   ->  1.1.1.3:1030   Forward  O    3
UDP  2.2.2.2:1031   ->  1.1.1.3:1031   Forward  O    0

Analysis

An RTSP conversation should consist of TCP flows corresponding to the RTSP control connection. There should be two flows, one in each direction, from client to server and from server to client:

TCP  1.1.1.3:58795  ->  2.2.2.2:554    Watch    I    7
TCP  2.2.2.2:554    ->  1.1.1.3:58795  Watch    O    5

• The RTSP control connection for the initiator flow is sent to destination port 554.
• The RTSP control connection for the responder flow is sent from source port 554.

The UDP flows correspond to the RTP media streams negotiated over the RTSP connection; the ALG opens them dynamically, so they appear only after the SETUP exchange has completed.

Troubleshooting Questions

1. Media does not work when the RTSP ALG is configured. What do I do?

• Check RTSP conversations to see whether both TCP and UDP flows exist.
• The ALG protocol should be displayed as rtsp.


NOTE: The state of the flow is displayed as Watch, because the ALG processing is taking place and the client is essentially “watching” or processing payload corresponding to the application. For FTP and RTSP ALG flows, the control connections are always Watch flows.

2. How do I check for ALG errors?

You can check for errors by issuing the following command. Each ALG has a separate field for ALG packet errors. In this output the only nonzero counters are the 276 TCP errors, all attributed to the SYN attack check, and every ALG counter is zero, so the ALGs themselves are not rejecting packets.

user@host> show services stateful-firewall statistics extensive
Interface: ms-3/2/0
  Service set: svc_set
    New flows:
      Accepts: 1347, Discards: 0, Rejects: 0
    Existing flows:
      Accepts: 144187, Discards: 0, Rejects: 0
    Drops:
      IP option: 0, TCP SYN defense: 0
      NAT ports exhausted: 0
    Errors:
      IP: 0, TCP: 276
      UDP: 0, ICMP: 0
      Non-IP packets: 0, ALG: 0
    IP errors:
      IP packet length inconsistencies: 0
      Minimum IP header length check failures: 0
      Reassembled packet exceeds maximum IP length: 0
      Illegal source address: 0
      Illegal destination address: 0
      TTL zero errors: 0, Illegal IP protocol number (0 or 255): 0
      Land attack: 0
      Non-IPv4 packets: 0, Bad checksum: 0
      Illegal IP fragment length: 0
      IP fragment overlap: 0
      IP fragment reassembly timeout: 0
      Unknown: 0
    TCP errors:
      TCP header length inconsistencies: 0
      Source or destination port number is zero: 0
      Illegal sequence number and flags combinations: 0
      SYN attack (multiple SYN messages seen for the same flow): 276
      First packet not a SYN message: 0
      TCP port scan (TCP handshake, RST seen from server for SYN): 0
      Bad SYN cookie response: 0
    UDP errors:
      IP data length less than minimum UDP header length (8 bytes): 0
      Source or destination port number is zero: 0
      UDP port scan (ICMP error seen for UDP flow): 0
    ICMP errors:
      IP data length less than minimum ICMP header length (8 bytes): 0
      ICMP error length inconsistencies: 0
      Duplicate ping sequence number: 0
      Mismatched ping sequence number: 0
    ALG errors:
      BOOTP: 0, DCE-RPC: 0, DCE-RPC portmap: 0
      DNS: 0, Exec: 0, FTP: 0
      ICMP: 0
      Login: 0, NetBIOS: 0, NetShow: 0
      RPC: 0, RPC portmap: 0
      RTSP: 0, Shell: 0
      SNMP: 0, SQLNet: 0, TFTP: 0
      Traceroute: 0
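The checks in the FTP and RTSP troubleshooting questions above can be automated against the conversations output. The following Python is an added example, not code from the Juniper documentation: it parses a constructed copy of the two conversation listings shown in this section (same addresses, ports, states and frame counts; the column alignment is assumed), then verifies that the control flows exist in both directions, are in the Watch state and carry frames, that the ALG opened data flows, and that each responder flow is addressed to the initiator's NAT-translated address and port. A third, constructed listing with the data flows removed shows the "control up, data down" case from question 2.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

FLOW_RE = re.compile(r"^(TCP|UDP|ICMP)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)\s+"
                     r"(Watch|Forward|Drop)\s+([IO])\s+(\d+)\s*$")
NAT_RE = re.compile(r"^\s*NAT\s+(source|dest)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)\s*$")
ALG_RE = re.compile(r"ALG protocol:\s*(\S+)")
CONTROL_PORT = {"ftp": 21, "rtsp": 554}  # control ports named in this chapter

# Constructed samples modeled on the FTP and RTSP listings shown above
# (same addresses, ports, states and frame counts; column alignment is assumed).
FTP_SAMPLE = """\
Conversation: ALG protocol: ftp
TCP  1.1.79.2:14083  ->  2.2.2.2:21            Watch    I    13
  NAT source 1.1.79.2:14083 -> 194.250.1.237:50118
TCP  1.1.79.2:14104  ->  2.2.2.2:20            Forward  I    3
  NAT source 1.1.79.2:14104 -> 194.250.1.237:50119
TCP  2.2.2.2:21  ->  194.250.1.237:50118       Watch    O    12
  NAT dest 194.250.1.237:50118 -> 1.1.79.2:14083
TCP  2.2.2.2:20  ->  194.250.1.237:50119       Forward  O    5
  NAT dest 194.250.1.237:50119 -> 1.1.79.2:14104
"""
RTSP_SAMPLE = """\
Conversation: ALG protocol: rtsp
TCP  1.1.1.3:58795  ->  2.2.2.2:554   Watch    I    7
UDP  1.1.1.3:1028  ->  2.2.2.2:1028   Forward  I    0
UDP  1.1.1.3:1029  ->  2.2.2.2:1029   Forward  I    0
UDP  1.1.1.3:1030  ->  2.2.2.2:1030   Forward  I    0
UDP  1.1.1.3:1031  ->  2.2.2.2:1031   Forward  I    0
TCP  2.2.2.2:554  ->  1.1.1.3:58795   Watch    O    5
UDP  2.2.2.2:1028  ->  1.1.1.3:1028   Forward  O    6
UDP  2.2.2.2:1029  ->  1.1.1.3:1029   Forward  O    0
UDP  2.2.2.2:1030  ->  1.1.1.3:1030   Forward  O    3
UDP  2.2.2.2:1031  ->  1.1.1.3:1031   Forward  O    0
"""
# Constructed failure case: the FTP session with its data flows missing.
CONTROL_ONLY_SAMPLE = "\n".join(
    l for l in FTP_SAMPLE.splitlines() if "14104" not in l and "50119" not in l)


@dataclass
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    state: str       # Watch, Forward or Drop
    direction: str   # I = initiator, O = responder
    frames: int      # Frm count
    nat: Optional[Tuple[str, str, int, str, int]] = None  # kind, original addr/port, translated addr/port


@dataclass
class Conversation:
    alg: str
    flows: List[Flow] = field(default_factory=list)


def parse_conversations(text: str) -> List[Conversation]:
    """Parse 'show services stateful-firewall conversations' output."""
    convs: List[Conversation] = []
    for line in text.splitlines():
        if m := ALG_RE.search(line):
            convs.append(Conversation(alg=m.group(1)))
        elif convs and (m := FLOW_RE.match(line)):
            p, src, sp, dst, dp, state, d, n = m.groups()
            convs[-1].flows.append(Flow(p, src, int(sp), dst, int(dp), state, d, int(n)))
        elif convs and convs[-1].flows and (m := NAT_RE.match(line)):
            kind, oa, op, ta, tp = m.groups()  # the NAT line belongs to the preceding flow
            convs[-1].flows[-1].nat = (kind, oa, int(op), ta, int(tp))
    return convs


def check_conversation(conv: Conversation) -> List[str]:
    """Checks from the troubleshooting questions above; an empty list means healthy."""
    port = CONTROL_PORT[conv.alg]  # KeyError for ALGs this example has no checks for

    def is_control(f: Flow) -> bool:
        return (f.direction == "I" and f.dport == port) or (f.direction == "O" and f.sport == port)

    findings: List[str] = []
    control = [f for f in conv.flows if is_control(f)]
    if {f.direction for f in control} != {"I", "O"}:
        findings.append("control flow missing in one direction")
    for f in control:
        if f.state != "Watch":  # ALG control connections are always Watch flows
            findings.append(f"control flow {f.src}:{f.sport}->{f.dst}:{f.dport} is {f.state}, expected Watch")
        if f.frames == 0:
            findings.append(f"control flow {f.src}:{f.sport}->{f.dst}:{f.dport} has no frames")
    # Every other flow was opened dynamically by the ALG (FTP data, RTSP media);
    # selecting them this way also covers passive-mode FTP, whose data port is not 20.
    data = [f for f in conv.flows if not is_control(f)]
    if not data:
        findings.append("control connection up but no data flows: data transfer will fail")
    elif not any(f.frames for f in data):
        findings.append("data flows exist but have carried no frames")
    # NAT consistency: the responder flow must target the initiator's translated address and port.
    for f in conv.flows:
        if f.direction == "I" and f.nat and f.nat[0] == "source":
            xa, xp = f.nat[3], f.nat[4]
            if not any(o.direction == "O" and o.dst == xa and o.dport == xp for o in conv.flows):
                findings.append(f"no responder flow toward translated {xa}:{xp}")
    return findings
```

Run `check_conversation(c)` for each conversation returned by `parse_conversations(...)`; the FTP and RTSP listings from this section come back clean, and the control-only listing reports the missing data flows. The data-flow test deliberately does not key on port 20, so the same check works for passive-mode FTP sessions.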

System Log Messages
Enabling system log generation and checking the system log are also helpful for ALG flow analysis. This section contains the following:
• System Log Configuration on page 93
• System Log Output on page 94

System Log Configuration
You can configure the enabling of system log messages at a number of different levels in the Junos OS CLI. As shown in the following sample configurations, the choice of level depends on how specific you want the event logging to be and what options you want to include. For details on the configuration options, see the Junos OS System Basics Configuration Guide (system level) or the Junos OS Services Interfaces Configuration Guide (all other levels).
1. At the topmost global level:

user@host# show system syslog
file messages {
    any any;
}

2. At the service set level:

user@host# show services service-set svc_set
syslog {
    host local {
        services any;
    }
}
stateful-firewall-rules allow_rtsp;
interface-service {
    service-interface ms-3/2/0;
}

3. At the service rule level:

user@host# show services stateful-firewall rule allow_rtsp
match-direction input-output;
term 0 {
    from {
        applications junos-rtsp;
    }
    then {
        accept;
        syslog;
    }
}

System Log Output
System log messages are generated during flow creation. The following system log message indicates that the ASP matched an accept rule:
Oct 25 16:11:37 (FPC Slot 3, PIC Slot 2) {svc_set}[FWNAT]: ASP_SFW_RULE_ACCEPT: proto 6 (TCP) application: rtsp, ge-2/0/1.0:1.1.1.2:35595 -> 2.2.2.2:554, Match SFW accept rule-set: , rule: allow_rtsp, term: 0

For a complete listing of system log messages, see the Junos OS System Log Messages Reference.
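As an added example (not from the Juniper documentation), the following Python parses the ASP_SFW_* messages quoted in this section into fields and runs two checks over them: a hit count per rule and term, and a correlation of ASP_SFW_FTP_ACTIVE_ACCEPT data flows against the control connections that preceded them. An active-mode data flow whose destination is not the client of any accepted control connection to that server means the ALG opened a flow toward a third host on the strength of a PORT command, the classic FTP bounce pattern. The fifth log line, with target 1.1.1.9, is constructed for that purpose; the field layout is inferred from the quoted messages.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Field layout inferred from the ASP_SFW_* messages quoted in this section.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\(FPC Slot (?P<fpc>\d+), PIC Slot (?P<pic>\d+)\)\s+"
    r"\{(?P<service_set>[^}]+)\}\[(?P<module>\w+)\]:\s+(?P<event>ASP_SFW_\w+):\s+"
    r"proto (?P<proto_num>\d+) \((?P<proto>\w+)\) application: (?P<app>[\w-]+), "
    r"(?P<ifl>[\w./-]+):(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+), (?P<detail>.*)$")
RULE_RE = re.compile(r"rule-set:\s*(?P<rule_set>[^,]*), rule: (?P<rule>[^,]+), term: (?P<term>\S+)")

# The four messages quoted on this page, plus one constructed line (11:44:02): a second
# active-mode data flow to 1.1.1.9, a host that never opened a control connection.
SAMPLE_LOG = [
    "Oct 27 11:42:54 (FPC Slot 1, PIC Slot 1) {ss_ftp}[FWNAT]: ASP_SFW_RULE_ACCEPT: proto 6 (TCP) "
    "application: ftp, fe-3/3/3.0:1.1.1.2:4450 -> 2.2.2.2:21, Match SFW accept rule-set:, rule: ftp, term: 1",
    "Oct 27 11:42:54 (FPC Slot 1, PIC Slot 1) {ss_ftp}[FWNAT]: ASP_SFW_CREATE_ACCEPT_FLOW: proto 6 (TCP) "
    "application: ftp, fe-3/3/3.0:1.1.1.2:4450 -> 2.2.2.2:21, creating forward or watch flow",
    "Oct 27 11:43:30 (FPC Slot 1, PIC Slot 1) {ss_ftp}[FWNAT]: ASP_SFW_FTP_ACTIVE_ACCEPT: proto 6 (TCP) "
    "application: ftp, so-2/1/2.0:2.2.2.2:20 -> 1.1.1.2:50726, Creating FTP active mode forward flow",
    "Oct 25 16:11:37 (FPC Slot 3, PIC Slot 2) {svc_set}[FWNAT]: ASP_SFW_RULE_ACCEPT: proto 6 (TCP) "
    "application: rtsp, ge-2/0/1.0:1.1.1.2:35595 -> 2.2.2.2:554, Match SFW accept rule-set: , rule: allow_rtsp, term: 0",
    "Oct 27 11:44:02 (FPC Slot 1, PIC Slot 1) {ss_ftp}[FWNAT]: ASP_SFW_FTP_ACTIVE_ACCEPT: proto 6 (TCP) "
    "application: ftp, so-2/1/2.0:2.2.2.2:20 -> 1.1.1.9:50800, Creating FTP active mode forward flow",
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one ASP_SFW_* message into named fields; None if the line is something else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    if r := RULE_RE.search(rec["detail"]):  # only ASP_SFW_RULE_ACCEPT carries rule-set/rule/term
        rec.update({k: v.strip() for k, v in r.groupdict().items()})
    return rec


def rule_hits(lines: List[str]) -> Dict[Tuple[str, str], int]:
    """Count accepted sessions per (rule, term), the fields a rule-level syslog adds."""
    counts: Dict[Tuple[str, str], int] = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["event"] == "ASP_SFW_RULE_ACCEPT":
            counts[(rec["rule"], rec["term"])] += 1
    return dict(counts)


def find_bounce_candidates(lines: List[str]) -> List[Dict[str, str]]:
    """Return FTP active-mode data flows whose destination is not the client of any
    accepted control connection to that server within the same service set. In active
    mode the server connects back to the address the client named in its PORT command,
    so a mismatch means the ALG opened a flow toward a third host (FTP bounce)."""
    clients: Dict[Tuple[str, str], set] = defaultdict(set)  # (service set, server) -> clients
    suspicious: List[Dict[str, str]] = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["app"] != "ftp":
            continue
        if rec["event"] in ("ASP_SFW_RULE_ACCEPT", "ASP_SFW_CREATE_ACCEPT_FLOW"):
            clients[(rec["service_set"], rec["dst"])].add(rec["src"])  # client -> server:21
        elif rec["event"] == "ASP_SFW_FTP_ACTIVE_ACCEPT":  # server:20 -> client
            if rec["dst"] not in clients[(rec["service_set"], rec["src"])]:
                suspicious.append(rec)
    return suspicious
```

Feed `find_bounce_candidates` the messages from a syslog file in arrival order; it relies on the control-connection messages preceding the data-flow message, which is the order the ALG emits them. In this sample only the constructed 1.1.1.9 flow is reported.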

Junos Default Groups
The Junos OS provides a default, hidden configuration group called junos-defaults that is automatically applied to the configuration of your router. The junos-defaults group contains preconfigured statements that contain predefined values for common applications. Some of the statements must be referenced to take effect, such as applications like FTP or Telnet. Other statements are applied automatically, such as terminal settings. All of the preconfigured statements begin with the reserved name junos-.

NOTE: You can override the Junos default configuration values, but you cannot delete or edit them. If you delete a configuration, the defaults return when a new configuration is added. You cannot use the apply-groups statement with the Junos defaults group.

To view the full set of available preset statements from the Junos default group, issue the show groups junos-defaults configuration mode command. The following example displays a partial list of Junos default groups that use application protocols (ALGs).
user@host# show groups junos-defaults
... output for other groups defined at the [edit groups junos-defaults] hierarchy level ...
applications {
    # File Transfer Protocol
    application junos-ftp {
        application-protocol ftp;
        protocol tcp;
        destination-port 21;
    }
    # Trivial File Transfer Protocol
    application junos-tftp {
        application-protocol tftp;
        protocol udp;
        destination-port 69;
    }
    # RPC port mapper on TCP
    application junos-rpc-portmap-tcp {
        application-protocol rpc-portmap;
        protocol tcp;
        destination-port 111;
    }
    # RPC port mapper on UDP
    application junos-rpc-portmap-udp {
        application-protocol rpc-portmap;
        protocol udp;
        destination-port 111;
    }
    # IP Protocol
    application junos-ip {
        application-protocol ip;
    }
    # remote exec
    application junos-rexec {
        application-protocol exec;
        protocol tcp;
        destination-port 512;
    }
    # remote login
    application junos-rlogin {
        application-protocol login;
        protocol tcp;
        destination-port 513;
    }
    # remote shell
    application junos-rsh {
        application-protocol shell;
        protocol tcp;
        destination-port 514;
    }
    # Real-Time Streaming Protocol
    application junos-rtsp {
        application-protocol rtsp;
        protocol tcp;
        destination-port 554;
    }
    # Oracle SQL servers use this protocol to execute SQL commands
    # from clients, load balance, use application-specific servers, and so on.
    application junos-sqlnet {
        application-protocol sqlnet;
        protocol tcp;
        destination-port 1521;
    }
    # H.323 Protocol for audio/video conferencing
        protocol tcp;
        destination-port 1720;
    }
    # Internet Inter-ORB Protocol is used for CORBA applications.
    # The ORB protocol in Java virtual machine uses port 1975 as a default.
        protocol tcp;
        destination-port 1975;
    }
    # Internet Inter-ORB Protocol is used for CORBA applications.
    # ORBIX is a CORBA framework from Iona Technologies that uses
    # port 3075 as a default.
        protocol tcp;
        destination-port 3075;
    }
    # This was the original RealPlayer protocol.
    # RTSP is more widely used by RealPlayer,
        protocol tcp;
        destination-port 7070;
    }
    # Traceroute application
    application junos-traceroute {
        application-protocol traceroute;
        protocol udp;
        destination-port 33435-33450;
        ttl-threshold 30;
    }
    # Traceroute application that stops at device supporting firewall
    # (packets with ttl > 1 will be discarded).
    application junos-traceroute-ttl-1 {
        application-protocol traceroute;
        protocol udp;
        destination-port 33435-33450;
        ttl-threshold 1;
    }
    # The full range of known RPC programs using UDP.
    # Specific program numbers are assigned to certain applications.
    application junos-rpc-services-udp {
        application-protocol rpc;
        protocol udp;
        rpc-program-number 100001-400000;
    }
    # The full range of known RPC programs using TCP.
    # Specific program numbers are assigned to certain applications.
    application junos-rpc-services-tcp {
        application-protocol rpc;
        protocol tcp;
        rpc-program-number 100001-400000;
    }
    # All ICMP traffic
    # This can be made more restrictive by specifying ICMP type and code.
    application junos-icmp-all {
        application-protocol icmp;
    }
    # ICMP ping; the echo reply is allowed upon return.
    application junos-icmp-ping {
        application-protocol icmp;
        icmp-type echo-request;
    }
    # Protocol used by Windows Media Server and Windows Media Player
    application junos-netshow {
        application-protocol netshow;
        protocol tcp;
        destination-port 1755;
    }
    # NetBIOS, the networking protocol used on Windows networks;
    # includes name service port, both UDP and TCP.
    application junos-netbios-name-udp {
        application-protocol netbios;
        protocol udp;
        destination-port 137;
    }
    application junos-netbios-name-tcp {
        protocol tcp;
        destination-port 137;
    }
    # NetBIOS, the networking protocol used on Windows networks;
    # includes datagram service port.
    application junos-netbios-datagram {
        application-protocol netbios;
        protocol udp;
        destination-port 138;
    }
    # NetBIOS, the networking protocol used on Windows networks;
    # includes session service port.
    application junos-netbios-session {
        protocol tcp;
        destination-port 139;
    }
    # DCE-RPC port mapper on TCP
    application junos-dce-rpc-portmap {
        application-protocol dce-rpc-portmap;
        protocol tcp;
        destination-port 135;
    }
    # MS Exchange requires these three UUID values.
    application junos-dcerpc-endpoint-mapper-service {
        application-protocol dce-rpc;
        protocol tcp;
        uuid e1af8308-5d1f-11c9-91a4-08002b14a0fa;
    }
    application junos-ssh {
        protocol tcp;
        destination-port 22;
    }
    application junos-telnet {
        protocol tcp;
        destination-port 23;
    }
    application junos-smtp {
        protocol tcp;
        destination-port 25;
    }
    application junos-dns-udp {
        protocol udp;
        destination-port 53;
    }
    application junos-dns-tcp {
        protocol tcp;
        destination-port 53;
    }
    application junos-tacacs {
        protocol tcp;
        destination-port 49;
    }
    # TACACS Database Service
    application junos-tacacs-ds {
        protocol tcp;
        destination-port 65;
    }
    application junos-dhcp-client {
        protocol udp;
        destination-port 68;
    }
    application junos-dhcp-server {
        protocol udp;
        destination-port 67;
    }
    application junos-bootpc {
        protocol udp;
        destination-port 68;
    }
    application junos-bootps {
        protocol udp;
        destination-port 67;
    }
    application junos-http {
        protocol tcp;
        destination-port 80;
    }
    application junos-https {
        protocol tcp;
        destination-port 443;
    }
    # "junos-algs-outbound" defines a set of all applications
    # requiring an ALG. Useful for defining a rule for an untrusted
    # network to allow trusted network users to use all the
    # Junos-supported ALGs initiated from the trusted network.
    application-set junos-algs-outbound {
        application junos-ftp;
        application junos-tftp;
        application junos-rpc-portmap-tcp;
        application junos-rpc-portmap-udp;
        application junos-snmp-get;
        application junos-snmp-get-next;
        application junos-snmp-response;
        application junos-snmp-trap;
        application junos-rexec;
        application junos-rlogin;
        application junos-rsh;
        application junos-rtsp;
        application junos-sqlnet;
        application junos-traceroute;
        application junos-rpc-services-udp;
        application junos-rpc-services-tcp;
        application junos-icmp-all;
        application junos-netshow;
        application junos-netbios-name-udp;
        application junos-netbios-datagram;
        application junos-dce-rpc-portmap;
        application junos-dcerpc-msexchange-directory-rfr;
        application junos-dcerpc-msexchange-information-store;
        application junos-dcerpc-msexchange-directory-nsp;
    }
    # "junos-management-inbound" represents the group of applications
    # that might need access to the trusted network from the untrusted
    # network for management purposes.
    # The set is intended for a UI to display management choices.
    # NOTE: It is not recommended that you use the entire set directly in
    # a firewall rule and open up firewall to all of these
    # applications. Also, you should always specify the source
    # and destination prefixes when using each application.
    application-set junos-management-inbound {
        application junos-snmp-get;
        application junos-snmp-get-next;
        application junos-snmp-response;
        application junos-snmp-trap;
        application junos-ssh;
        application junos-telnet;
        application junos-http;
        application junos-https;
        application junos-xnm-ssl;
        application junos-xnm-clear-text;
        application junos-icmp-ping;
        application junos-traceroute-ttl-1;
    }
}
}
}

To reference statements available from the junos-defaults group, include the selected junos-default-name statement at the applicable hierarchy level. To configure application protocols, see “Configuring Application Protocol Properties” on page 72; for details about a specific protocol, see “ALG Descriptions” on page 81.

Examples: Referencing the Preset Statement from the Junos Default Group
The following example is a preset statement from the Junos default groups that is available for FTP in a stateful firewall:
[edit]
groups {
    junos-defaults {
        applications {
            application junos-ftp {
                # Use FTP default configuration
                application-protocol ftp;
                protocol tcp;
                destination-port 21;
            }
        }
    }
}

To reference a preset Junos default statement from the Junos default groups, include the junos-default-name statement at the applicable hierarchy level. For example, to reference the Junos default statement for FTP in a stateful firewall, include the junos-ftp statement at the [edit services stateful-firewall rule rule-name term term-name from applications] hierarchy level.

[edit]
services {
    stateful-firewall {
        rule my-rule {
            term my-term {
                from {
                    applications junos-ftp; # Reference predefined statement, junos-ftp
                }
            }
        }
    }
}

The following example shows configuration of the default Junos IP ALG:
[edit]
services {
    stateful-firewall {
        rule r1 {
            match-direction input;
            term t1 {
                from {
                    applications junos-ip;
                }
                then {
                    accept;
                    syslog;
                }
            }
        }
    }
}

If you configure the IP ALG in the stateful firewall rule, it is matched by any IP traffic, but if there is any other more specific application that matches the same traffic, the IP ALG will not be matched. For example, in the following configuration, both the ICMP ALG and the IP ALG are configured, but traffic is matched for ICMP packets, because it is the more specific match.
[edit]
services {
    stateful-firewall {
        rule r1 {
            match-direction input;
            term t1 {
                from {
                    applications [ junos-ip junos-icmp-all ];
                }
                then {
                    accept;
                    syslog;
                }
            }
        }
    }
}
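The following Python is an added example (not Juniper code) that models a handful of the predefined applications listed above and the two selection behaviours this chapter describes: a more specific application wins over junos-ip when both appear in a term, and a traceroute probe whose TTL exceeds ttl-threshold is discarded (the behaviour the Traceroute description and the junos-traceroute-ttl-1 comment give). Treating "more specific" as "more match constraints" is an assumption, as is treating application-protocol icmp as implying protocol icmp; the classes and function names are the example's own.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Application:
    """The subset of [edit applications application] statements used in this chapter."""
    name: str
    application_protocol: Optional[str] = None
    protocol: Optional[str] = None                       # tcp, udp, icmp; None = any (junos-ip)
    destination_port: Optional[Tuple[int, int]] = None   # inclusive range
    icmp_type: Optional[str] = None
    ttl_threshold: Optional[int] = None


@dataclass(frozen=True)
class Packet:
    protocol: str
    dport: int = 0
    icmp_type: Optional[str] = None
    ttl: int = 64


# Definitions copied from the junos-defaults listing above. junos-icmp-all and
# junos-icmp-ping carry no protocol statement there; this model assumes that
# application-protocol icmp implies protocol icmp.
JUNOS_IP = Application("junos-ip", "ip")
JUNOS_ICMP_ALL = Application("junos-icmp-all", "icmp", protocol="icmp")
JUNOS_ICMP_PING = Application("junos-icmp-ping", "icmp", protocol="icmp", icmp_type="echo-request")
JUNOS_FTP = Application("junos-ftp", "ftp", "tcp", (21, 21))
JUNOS_TRACEROUTE = Application("junos-traceroute", "traceroute", "udp", (33435, 33450), ttl_threshold=30)
JUNOS_TRACEROUTE_TTL_1 = Application("junos-traceroute-ttl-1", "traceroute", "udp", (33435, 33450), ttl_threshold=1)


def matches(app: Application, pkt: Packet) -> bool:
    """Every configured match constraint must hold; absent constraints match anything."""
    if app.protocol is not None and app.protocol != pkt.protocol:
        return False
    if app.destination_port is not None:
        lo, hi = app.destination_port
        if not lo <= pkt.dport <= hi:
            return False
    if app.icmp_type is not None and app.icmp_type != pkt.icmp_type:
        return False
    return True


def specificity(app: Application) -> int:
    # Assumption: "more specific" means more match constraints; junos-ip has none.
    return sum(c is not None for c in (app.protocol, app.destination_port, app.icmp_type))


def select(apps: List[Application], pkt: Packet) -> Tuple[Optional[Application], str]:
    """Pick the most specific matching application from one term's applications list.
    Returns (application, action); action is 'accept', 'drop' (a traceroute probe
    whose TTL exceeds ttl-threshold) or 'no-match'."""
    candidates = [a for a in apps if matches(a, pkt)]
    if not candidates:
        return None, "no-match"
    best = max(candidates, key=specificity)  # max() keeps the first of equally specific entries
    if best.ttl_threshold is not None and pkt.ttl > best.ttl_threshold:
        return best, "drop"
    return best, "accept"


if __name__ == "__main__":
    term = [JUNOS_IP, JUNOS_ICMP_ALL, JUNOS_FTP, JUNOS_TRACEROUTE]
    for pkt in (Packet("icmp", icmp_type="echo-request"), Packet("tcp", dport=21),
                Packet("tcp", dport=22), Packet("udp", dport=33440, ttl=5),
                Packet("udp", dport=33440, ttl=40)):
        app, action = select(term, pkt)
        print(pkt, "->", app.name if app else None, action)
```

With `[ junos-ip junos-icmp-all ]` in a term, an ICMP echo request selects junos-icmp-all and TCP port 22 falls through to junos-ip, matching the paragraph above; swapping junos-traceroute for junos-traceroute-ttl-1 makes every probe with TTL above 1 a drop, which is what limits that application to the firewall's own hop.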

Examples: Configuring Application Protocols
The following example shows an application protocol definition describing a special FTP application running on port 78:
[edit applications]
application my-ftp-app {
    application-protocol ftp;
    protocol tcp;
    destination-port 78;
    inactivity-timeout 100; # inactivity timeout for FTP service
}

The following example shows a special ICMP application (application-protocol icmp) that matches ICMP type 8 (echo request):

[edit applications]
application icmp-app {
    application-protocol icmp;
    protocol icmp;
    icmp-type echo-request;
}

The following example shows a possible application set; each member must be an application defined at the [edit applications] hierarchy level:

[edit applications]
application-set basic {
    application http;
    application ftp;
    application telnet;
    application nfs;
    application icmp;
}

The software includes a predefined set of well-known application protocols. The set includes applications for which the TCP and UDP destination ports are already recognized by stateless firewall filters.


CHAPTER 5

Summary of Applications Configuration Statements
The following sections explain each of the applications configuration statements. The statements are organized alphabetically.

application

Syntax
application application-name {
    application-protocol protocol-name;
    destination-port port-number;
    icmp-code value;
    icmp-type value;
    inactivity-timeout value;
    protocol type;
    rpc-program-number number;
    snmp-command command;
    source-port port-number;
    ttl-threshold number;
    uuid hex-value;
}

Hierarchy Level
[edit applications],
[edit applications application-set application-set-name]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Configure properties of an application and whether to include it in an application set.

Options
application-name—Identifier of the application.
The remaining statements are explained separately.

Usage Guidelines
See “Configuring Application Protocol Properties” on page 72.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.


application-protocol

Syntax
application-protocol protocol-name;

Hierarchy Level
[edit applications application application-name]

Release Information
Statement introduced before Junos OS Release 7.4.
login option introduced in Junos OS Release 7.4.
ip option introduced in Junos OS Release 8.2.

Description
Identify the application protocol name. Application protocols are also called application layer gateways (ALGs).

Options
protocol-name—Name of the protocol. The following protocols are supported:
• bootp
• dce-rpc
• dce-rpc-portmap
• dns
• exec
• ftp
• icmp
• ip
• login
• netbios
• netshow
• rpc
• rpc-portmap
• rtsp
• shell
• snmp
• sqlnet
• tftp
• traceroute

Usage Guidelines
See “Configuring an Application Protocol” on page 72.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.


application-set

Syntax
application-set application-set-name {
    application application-name;
}

Hierarchy Level
[edit applications]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Configure one or more applications to include in an application set.

Options
application-set-name—Identifier of an application set.

Usage Guidelines
See “Configuring Application Sets” on page 81.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

applications

Syntax
applications { ... }

Hierarchy Level
[edit]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Define the applications used in services.

Usage Guidelines
See Application Properties.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.


destination-port

Syntax
destination-port port-value;

Hierarchy Level
[edit applications application application-name]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) destination port number.

Options
port-value—Identifier for the port. For a complete list, see “Configuring Source and Destination Ports” on page 77.

Usage Guidelines
See “Configuring Source and Destination Ports” on page 77.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

icmp-code

Syntax
icmp-code value;

Hierarchy Level
[edit applications application application-name]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Internet Control Message Protocol (ICMP) code value.

Options
value—The ICMP code value. For a complete list, see “Configuring the ICMP Code and Type” on page 75.

Usage Guidelines
See “Configuring the ICMP Code and Type” on page 75.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.


icmp-type

Syntax
icmp-type value;

Hierarchy Level
[edit applications application application-name]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
ICMP packet type value.

Options
value—The ICMP type value, such as echo or echo-reply. For a complete list, see “Configuring the ICMP Code and Type” on page 75.

Usage Guidelines
See “Configuring the ICMP Code and Type” on page 75.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

inactivity-timeout

Syntax
inactivity-timeout seconds;

Hierarchy Level
[edit applications application application-name]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Inactivity timeout period, in seconds.

Options
seconds—Length of time the application is inactive before it times out.
Default: 30 seconds

Usage Guidelines
See “Configuring the Inactivity Timeout Period” on page 80.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.


learn-sip-register
Syntax: learn-sip-register;
Hierarchy Level: [edit applications application application-name]
Release Information: Statement introduced in Junos OS Release 7.4.
Description: Activate SIP register to accept potential incoming SIP calls.
Usage Guidelines: See “Configuring SIP” on page 72.
Required Privilege Level:
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.


protocol
Syntax: protocol type;
Hierarchy Level: [edit applications application application-name]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Networking protocol type or number.
Options: type—Networking protocol type. The following text values are supported: ah, egp, esp, gre, icmp, igmp, ipip, ospf, pim, rsvp, tcp, udp, vrrp.

NOTE: IP version 6 (IPv6) is not supported as a network protocol in application definitions.

Usage Guidelines: See “Configuring the Network Protocol” on page 74.
Required Privilege Level:
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.


rpc-program-number
Syntax: rpc-program-number number;
Hierarchy Level: [edit applications application application-name]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Remote procedure call (RPC) or Distributed Computing Environment (DCE) value.
Options: number—RPC or DCE program value.
    Range: 100,000 through 400,000
Usage Guidelines: See “Configuring an RPC Program Number” on page 80.
Required Privilege Level:
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

sip-call-hold-timeout
Syntax: sip-call-hold-timeout seconds;
Hierarchy Level: [edit applications application application-name]
Release Information: Statement introduced in Junos OS Release 7.4.
Description: Timeout period for SIP calls placed on hold, in seconds.
Options: seconds—Length of time the application holds a SIP call open before it times out.
    Default: 7200 seconds
    Range: 0 through 36,000 seconds (10 hours)
Usage Guidelines: See “Configuring SIP” on page 72.
Required Privilege Level:
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

snmp-command
Syntax: snmp-command command;
Hierarchy Level: [edit applications application application-name]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: SNMP command format.
Options: command—Supported commands are SNMP get, get-next, set, and trap.
Usage Guidelines: See “Configuring an SNMP Command for Packet Matching” on page 80.
Required Privilege Level:
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

source-port
Syntax: source-port port-number;
Hierarchy Level: [edit applications application application-name]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Source port identifier.
Options: port-value—Identifier for the port. For a complete list, see “Configuring Source and Destination Ports” on page 77.
Usage Guidelines: See “Configuring Source and Destination Ports” on page 77.
Required Privilege Level:
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

ttl-threshold
Syntax: ttl-threshold number;
Hierarchy Level: [edit applications application application-name]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Specify the traceroute time-to-live (TTL) threshold value. This value sets the acceptable level of network penetration for trace routing.
Options: number—TTL threshold value.
Usage Guidelines: See “Configuring the TTL Threshold” on page 80.
Required Privilege Level:
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

uuid
Syntax: uuid hex-value;
Hierarchy Level: [edit applications application application-name]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Specify the Universal Unique Identifier (UUID) for DCE RPC objects.
Options: hex-value—Hexadecimal value.
Usage Guidelines: See “Configuring a Universal Unique Identifier” on page 81.
Required Privilege Level:
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

CHAPTER 6

Stateful Firewall Services Configuration Guidelines

To configure stateful firewall services, include the stateful-firewall statement at the [edit services] hierarchy level:

[edit services]
stateful-firewall {
    rule rule-name {
        match-direction (input | output | input-output);
        term term-name {
            from {
                application-sets set-name;
                applications [ application-names ];
                destination-address (address | any-unicast) <except>;
                destination-address-range low minimum-value high maximum-value <except>;
                destination-prefix-list list-name <except>;
                source-address (address | any-unicast) <except>;
                source-address-range low minimum-value high maximum-value <except>;
                source-prefix-list list-name <except>;
            }
            then {
                (accept | discard | reject);
                allow-ip-options [ values ];
                syslog;
            }
        }
    }
    rule-set rule-set-name {
        [ rule rule-names ];
    }
}

This chapter contains the following sections:

• Configuring Stateful Firewall Rules on page 114
• Configuring Stateful Firewall Rule Sets on page 118
• Examples: Configuring Stateful Firewall Rules on page 118

Configuring Stateful Firewall Rules

To configure a stateful firewall rule, include the rule rule-name statement at the [edit services stateful-firewall] hierarchy level:

[edit services stateful-firewall]
rule rule-name {
    match-direction (input | output | input-output);
    term term-name {
        from {
            application-sets set-name;
            applications [ application-names ];
            destination-address address <except>;
            destination-address-range low minimum-value high maximum-value <except>;
            destination-prefix-list list-name <except>;
            source-address address <except>;
            source-address-range low minimum-value high maximum-value <except>;
            source-prefix-list list-name <except>;
        }
        then {
            (accept | discard | reject);
            allow-ip-options [ values ];
            syslog;
        }
    }
}

Each stateful firewall rule consists of a set of terms, similar to a filter configured at the [edit firewall] hierarchy level. A term consists of the following:

• from statement—Specifies the match conditions and applications that are included and excluded. The from statement is optional in stateful firewall rules.
• then statement—Specifies the actions and action modifiers to be performed by the router software. The then statement is mandatory in stateful firewall rules.

The following sections explain how to configure the components of stateful firewall rules:

• Configuring Match Direction for Stateful Firewall Rules on page 114
• Configuring Match Conditions in Stateful Firewall Rules on page 115
• Configuring Actions in Stateful Firewall Rules on page 116

Configuring Match Direction for Stateful Firewall Rules

Each rule must include a match-direction statement that specifies the direction in which the rule match is applied. To configure where the match is applied, include the match-direction statement at the [edit services stateful-firewall rule rule-name] hierarchy level:

[edit services stateful-firewall rule rule-name]
match-direction (input | output | input-output);

If you configure match-direction input-output, sessions initiated from both directions might match this rule.

The match direction is used with respect to the traffic flow through the AS or Multiservices PIC. When a packet is sent to the PIC, direction information is carried along with it.

With an interface service set, packet direction is determined by whether a packet is entering or leaving the interface on which the service set is applied. With a next-hop service set, packet direction is determined by the interface used to route the packet to the AS or Multiservices PIC. If the inside interface is used to route the packet, the packet direction is input. If the outside interface is used to direct the packet to the PIC, the packet direction is output. For more information on inside and outside interfaces, see “Configuring Service Sets to be Applied to Services Interfaces” on page 568.

On the PIC, a flow lookup is performed. If no flow is found, rule processing is performed. Rules in this service set are considered in sequence until a match is found. During rule processing, the packet direction is compared against rule directions. Only rules with direction information that matches the packet direction are considered. Most packets result in the creation of bidirectional flows.

For an example, see “Examples: Configuring Stateful Firewall Rules” on page 118.

Configuring Match Conditions in Stateful Firewall Rules

To configure stateful firewall match conditions, include the from statement at the [edit services stateful-firewall rule rule-name term term-name] hierarchy level:

[edit services stateful-firewall rule rule-name term term-name]
from {
    application-sets set-name;
    applications [ application-names ];
    destination-address (address | any-unicast) <except>;
    destination-address-range low minimum-value high maximum-value <except>;
    destination-prefix-list list-name <except>;
    source-address (address | any-unicast) <except>;
    source-address-range low minimum-value high maximum-value <except>;
    source-prefix-list list-name <except>;
}

The source address and destination address can be either IPv4 or IPv6. You can use either the source address or the destination address as a match condition, in the same way that you would configure a firewall filter. You can use the wildcard value any-unicast, which denotes matching all unicast addresses.

Alternatively, you can specify a list of source or destination prefixes by configuring the prefix-list statement at the [edit policy-options] hierarchy level and then including either the destination-prefix-list or the source-prefix-list statement in the stateful firewall rule. See the Junos OS Routing Policy Configuration Guide for more information.

If you omit the from term, the stateful firewall accepts all traffic and the default protocol handlers take effect:

• User Datagram Protocol (UDP), Transmission Control Protocol (TCP), and Internet Control Message Protocol (ICMP) create a bidirectional flow with a predicted reverse flow.
• IP creates a unidirectional flow.

You can also include application protocol definitions you have configured at the [edit applications] hierarchy level; see “Configuring Application Protocol Properties” on page 72 for more information.

• To apply one or more specific application protocol definitions, include the applications statement at the [edit services stateful-firewall rule rule-name term term-name from] hierarchy level.
• To apply one or more sets of application protocol definitions you have defined, include the application-sets statement at the [edit services stateful-firewall rule rule-name term term-name from] hierarchy level.

NOTE: If you include one of the statements that specifies application protocols, the router derives port and protocol information from the corresponding configuration at the [edit applications] hierarchy level; you cannot specify these properties as match conditions.

Configuring Actions in Stateful Firewall Rules

To configure stateful firewall actions, include the then statement at the [edit services stateful-firewall rule rule-name term term-name] hierarchy level:

[edit services stateful-firewall rule rule-name term term-name]
then {
    (accept | discard | reject);
    allow-ip-options [ values ];
    syslog;
}

You must include one of the following three possible actions:

• accept—The packet is accepted and sent on to its destination.
• discard—The packet is not accepted and is not processed further.
• reject—The packet is not accepted and a rejection message is returned. UDP sends an ICMP unreachable code and TCP sends RST. Rejected packets can be logged or sampled.

You can optionally configure the firewall to record information in the system logging facility by including the syslog statement at the [edit services stateful-firewall rule rule-name term term-name then] hierarchy level. This statement overrides any syslog setting included in the service set or interface default configuration.

Configuring IP Option Handling

You can optionally configure the firewall to inspect IP header information by including the allow-ip-options statement at the [edit services stateful-firewall rule rule-name term term-name then] hierarchy level. When you configure this statement, all packets that match the criteria specified in the from statement are subjected to additional matching criteria. A packet is accepted only when all of its IP option types are configured as values in the allow-ip-options statement. If you do not configure allow-ip-options, only packets without IP header options are accepted.

The additional IP header option inspection applies only to the accept and reject stateful firewall actions. This configuration has no effect on the discard action. When the IP header inspection fails, the reject action has the same effect as discard; in this case, reject frames are not sent. The IP option configuration appears only in the stateful firewall rules. NAT applies to packets with or without IP options. If an IP option packet is accepted by the stateful firewall, Network Address Translation (NAT) and intrusion detection service (IDS) are applied in the same way as to packets without IP option headers.

When a packet is dropped because it fails the IP option inspection, this exception event generates both IDS event and system log messages. The event type depends on the first IP option field rejected.

Table 10 on page 117 lists the possible values for the allow-ip-options statement. You can include a range or set of numeric values, or one or more of the predefined IP option settings. You can enter either the option name or its numeric equivalent. For more information, refer to http://www.iana.org/assignments/ip-parameters.

Table 10: IP Option Values

IP Option Name        Numeric Value   Comment
any                   0               Any IP option
ip-security           130             –
ip-stream             136             –
loose-source-route    131             –
route-record          7               –
router-alert          148             –
strict-source-route   137             –
timestamp             68              –

Configuring Stateful Firewall Rule Sets

The rule-set statement defines a collection of stateful firewall rules that determine what actions the router software performs on packets in the data stream. You define each rule by specifying a rule name and configuring terms. Then, you specify the order of the rules by including the rule-set statement at the [edit services stateful-firewall] hierarchy level with a rule statement for each rule:

[edit services stateful-firewall]
rule-set rule-set-name {
    rule rule-name;
}

The router software processes the rules in the order in which you specify them in the configuration. If a term in a rule matches the packet, the router performs the corresponding action and the rule processing stops. If no term in a rule matches the packet, processing continues to the next rule in the rule set. If none of the rules matches the packet, the packet is dropped by default.

Examples: Configuring Stateful Firewall Rules

The following example shows a stateful firewall configuration containing two rules, one for input matching on a specified application set and the other for output matching on a specified source address:

[edit services]
stateful-firewall {
    rule Rule1 {
        match-direction input;
        term 1 {
            from {
                application-sets Applications;
            }
            then {
                accept;
            }
        }
    }
    rule Rule2 {
        match-direction output;
        term Local {
            from {
                source-address {
                    10.1.3.2/32;
                }
            }
            then {
                accept;
            }
        }
        term accept {
            then {
                accept;
            }
        }
    }
}

The following example has a single rule with two terms. The first term rejects all traffic in my-application-group that originates from the specified source address, and provides a detailed system log record of the rejected packets. The second term accepts Hypertext Transfer Protocol (HTTP) traffic from anyone to the specified destination address.

[edit services stateful-firewall]
rule my-firewall-rule {
    match-direction input-output;
    term term1 {
        from {
            source-address 10.1.3.2/32;
            application-sets my-application-group;
        }
        then {
            reject;
            syslog;
        }
    }
    term term2 {
        from {
            destination-address 10.1.3.3/32;
            applications http;
        }
        then {
            accept;
        }
    }
}

The following example shows use of source and destination prefix lists. This requires two separate configuration items. You configure the prefix list at the [edit policy-options] hierarchy level:

[edit]
policy-options {
    prefix-list p1 {
        1.1.1.1/32;
        2.2.2.0/24;
    }
    prefix-list p2 {
        3.3.3.3/32;
        4.4.4.0/24;
    }
}

You reference the configured prefix list in the stateful firewall rule:

[edit]
services {
    stateful-firewall {
        rule r1 {
            match-direction input;
            term t1 {
                from {
                    source-prefix-list {
                        p1;
                    }
                    destination-prefix-list {
                        p2;
                    }
                }
                then {
                    accept;
                }
            }
        }
    }
}

This is equivalent to the following configuration:

[edit]
services {
    stateful-firewall {
        rule r1 {
            match-direction input;
            term t1 {
                from {
                    source-address {
                        1.1.1.1/32;
                        2.2.2.0/24;
                    }
                    destination-address {
                        3.3.3.3/32;
                        4.4.4.0/24;
                    }
                }
                then {
                    accept;
                }
            }
        }
    }
}

You can use the except qualifier with the prefix lists, as in the following example. In this case, the except qualifier applies to all prefixes included in prefix list p2.

[edit]
services {
    stateful-firewall {
        rule r1 {
            match-direction input;
            term t1 {
                from {
                    source-prefix-list {
                        p1;
                    }
                    destination-prefix-list {
                        p2 except;
                    }
                }
                then {
                    accept;
                }
            }
        }
    }
}

For additional examples that combine stateful firewall configuration with other services and with virtual private network (VPN) routing and forwarding (VRF) tables, see the configuration examples.

Related Documentation

• Example: BOOTP and Broadcast Addresses on page 70
• Example: NAT Between VRFs Configuration on page 67
• Example: Dynamic Source NAT as a Next-Hop Service on page 65
• Example: VPN Routing and Forwarding (VRF) and Service Configuration on page 64
• Example: Service Interfaces Configuration on page 61
• Example: Configuring the uKernel Service and the Services SDK on Two PICs
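As an added illustration (not code from the Juniper guide), the following Python model evaluates packets against a stateful firewall rule set the way this chapter describes: rules in rule-set order, only rules whose match-direction agrees with the packet direction, the first matching term decides, prefix lists with the except qualifier, port and protocol taken from the application definitions, default drop, and the allow-ip-options inspection from Table 10 under which a failed inspection drops the packet without a reject frame. The applications, prefix lists, rule names and addresses are constructed to resemble the examples above and are assumptions, not values from any router.

```python
import ipaddress

# Constructed stand-ins for [edit applications] and [edit policy-options]
# prefix lists; the names and values are assumptions for this illustration.
APPLICATIONS = {"http": {"protocol": "tcp", "destination-port": 80},
                "dns-udp": {"protocol": "udp", "destination-port": 53}}
APPLICATION_SETS = {"my-application-group": ["http", "dns-udp"]}
PREFIX_LISTS = {"p1": ["1.1.1.1/32", "2.2.2.0/24"],
                "p2": ["3.3.3.3/32", "4.4.4.0/24"]}
# Table 10 option names and their numeric values.
IP_OPTION_VALUES = {"any": 0, "ip-security": 130, "ip-stream": 136,
                    "loose-source-route": 131, "route-record": 7,
                    "router-alert": 148, "strict-source-route": 137,
                    "timestamp": 68}

# Constructed rule set modelled on the chapter's examples. Keys in a term's
# "from" are ANDed; a missing "from" matches everything. An address spec is
# (value, except_flag): value is a prefix, a prefix-list name or "any-unicast".
RULES = {
    "my-firewall-rule": {
        "match-direction": "input-output",
        "terms": {
            "term1": {"from": {"source-address": ("10.1.3.2/32", False),
                               "application-sets": ["my-application-group"]},
                      "then": {"action": "reject", "syslog": True}},
            "term2": {"from": {"destination-address": ("10.1.3.3/32", False),
                               "applications": ["http"]},
                      "then": {"action": "accept",
                               "allow-ip-options": ["router-alert"]}},
        }},
    "r1": {
        "match-direction": "input",
        "terms": {"t1": {"from": {"source-prefix-list": ("p1", False),
                                  "destination-prefix-list": ("p2", True)},
                         "then": {"action": "accept"}}}},
}
RULE_SET = ["my-firewall-rule", "r1"]   # rule-set order is evaluation order


def _address_match(spec, addr):
    value, exc = spec
    ip = ipaddress.ip_address(addr)
    if value == "any-unicast":
        hit = not ip.is_multicast
    else:
        prefixes = PREFIX_LISTS.get(value, [value])
        hit = any(ip in ipaddress.ip_network(p) for p in prefixes)
    return hit != exc               # the except qualifier inverts the match


def _application_match(names, pkt):
    # Port and protocol come from the application definition, not from the term.
    for name in names:
        app = APPLICATIONS[name]
        if (pkt["proto"] == app["protocol"]
                and app.get("destination-port") in (None, pkt.get("dport"))):
            return True
    return False


def _term_matches(frm, pkt):
    if frm is None:
        return True
    for key, spec in frm.items():
        if key in ("source-address", "source-prefix-list"):
            ok = _address_match(spec, pkt["src"])
        elif key in ("destination-address", "destination-prefix-list"):
            ok = _address_match(spec, pkt["dst"])
        elif key == "applications":
            ok = _application_match(spec, pkt)
        else:                       # application-sets: expand to their members
            ok = _application_match([a for s in spec for a in APPLICATION_SETS[s]], pkt)
        if not ok:
            return False
    return True


def _apply_then(then, pkt, rule, term):
    result = {"verdict": then["action"], "rule": rule, "term": term,
              "syslog": then.get("syslog", False), "reason": ""}
    opts = pkt.get("ip_options", [])
    if then["action"] == "discard" or not opts:
        return result               # IP option inspection affects accept/reject only
    allowed = {IP_OPTION_VALUES.get(v, v) for v in then.get("allow-ip-options", [])}
    rejected = [o for o in opts if o not in allowed]
    if 0 not in allowed and rejected:
        # Inspection failed: dropped like discard, no reject frame is sent, and
        # the IDS/syslog event is typed by the first rejected option.
        result["verdict"] = "discard"
        result["reason"] = "ip-option %d not allowed" % rejected[0]
    return result


def evaluate(pkt, rule_set=RULE_SET, rules=RULES):
    """Walk the rule set in configured order; the first matching term decides."""
    for name in rule_set:
        rule = rules[name]
        if rule["match-direction"] not in (pkt["direction"], "input-output"):
            continue                # only rules whose direction matches are considered
        for term_name, term in rule["terms"].items():
            if _term_matches(term.get("from"), pkt):
                return _apply_then(term["then"], pkt, name, term_name)
    return {"verdict": "discard", "rule": None, "term": None, "syslog": False,
            "reason": "no rule matched (default drop)"}
```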


CHAPTER 7

Summary of Stateful Firewall Configuration Statements

The following sections explain each of the stateful firewall services statements. The statements are organized alphabetically.

allow-ip-options
Syntax: allow-ip-options [ values ];
Hierarchy Level: [edit services stateful-firewall rule rule-name term term-name then]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Configure how the stateful firewall handles IP header information. This statement is optional.
Options: value—Can be a set or range of numeric values, or one or more of the following predefined option types. You can enter either the option name or its numeric equivalent.

    Option Name           Numeric Value
    any                   0
    ip-security           130
    ip-stream             8
    loose-source-route    3
    route-record          7
    router-alert          148
    strict-source-route   9
    timestamp             4

Usage Guidelines: See “Configuring Actions in Stateful Firewall Rules” on page 116.
Required Privilege Level:
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

application-sets
Syntax: application-sets set-name;
Hierarchy Level: [edit services stateful-firewall rule rule-name term term-name from]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Define one or more target application sets.
Options: set-name—Name of the target application set.
Usage Guidelines: See “Configuring Match Conditions in Stateful Firewall Rules” on page 115.
Required Privilege Level:
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

applications
Syntax: applications [ application-names ];
Hierarchy Level: [edit services stateful-firewall rule rule-name term term-name from]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Define one or more applications to which the stateful firewall services apply.
Options: application-name—Name of the target application.
Usage Guidelines: See “Configuring Match Conditions in Stateful Firewall Rules” on page 115.
Required Privilege Level:
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

destination-address
Syntax: destination-address (address | any-unicast) <except>;
Hierarchy Level: [edit services stateful-firewall rule rule-name term term-name from]
Release Information: Statement introduced before Junos OS Release 7.4. any-unicast and except options introduced in Junos OS Release 7.5. address option enhanced to support IPv4 and IPv6 addresses in Junos OS Release 8.6.
Description: Specify the destination address for rule matching.
Options:
    address—Destination IPv4 or IPv6 address or prefix value.
    any-unicast—Match all unicast packets.
    except—(Optional) Exclude the specified address, prefix, or unicast packets from rule matching.
Usage Guidelines: See “Configuring Match Conditions in Stateful Firewall Rules” on page 115.
Required Privilege Level:
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

destination-address-range
Syntax: destination-address-range low minimum-value high maximum-value <except>;
Hierarchy Level: [edit services stateful-firewall rule rule-name term term-name from]
Release Information: Statement introduced in Junos OS Release 7.5. minimum-value and maximum-value options enhanced to support IPv4 and IPv6 addresses in Junos OS Release 8.6.
Description: Specify the destination address range for rule matching.
Options:
    minimum-value—Lower boundary for the IPv4 or IPv6 address range.
    maximum-value—Upper boundary for the IPv4 or IPv6 address range.
    except—(Optional) Exclude the specified address range from rule matching.
Usage Guidelines: See “Configuring Match Conditions in Stateful Firewall Rules” on page 115.
Required Privilege Level:
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

destination-prefix-list
Syntax: destination-prefix-list list-name <except>;
Hierarchy Level: [edit services stateful-firewall rule rule-name term term-name from]
Release Information: Statement introduced in Junos OS Release 8.2.
Description: Specify the destination prefix list for rule matching. You configure the prefix list by including the prefix-list statement at the [edit policy-options] hierarchy level.
Options:
    list-name—Destination prefix list.
    except—(Optional) Exclude the specified prefix list from rule matching.
Usage Guidelines: See “Configuring Match Conditions in Stateful Firewall Rules” on page 115.
Required Privilege Level:
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.
Related Documentation:
    • Junos OS Routing Policy Configuration Guide

from
Syntax:
    from {
        application-sets set-name;
        applications [ application-names ];
        destination-address (address | any-unicast) <except>;
        destination-address-range low minimum-value high maximum-value <except>;
        destination-prefix-list list-name <except>;
        source-address (address | any-unicast) <except>;
        source-address-range low minimum-value high maximum-value <except>;
        source-prefix-list list-name <except>;
    }
Hierarchy Level: [edit services stateful-firewall rule rule-name term term-name]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Specify input conditions for a stateful firewall term. For information on match conditions, see the description of firewall filter match conditions in the Junos OS Routing Policy Configuration Guide.
Options: The remaining statements are explained separately.
Usage Guidelines: See “Configuring Stateful Firewall Rules” on page 114.
Required Privilege Level:
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

match-direction
Syntax: match-direction (input | output | input-output);
Hierarchy Level: [edit services stateful-firewall rule rule-name]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Specify the direction in which the rule match is applied.
Options:
    input—Apply the rule match on the input side of the interface.
    output—Apply the rule match on the output side of the interface.
    input-output—Apply the rule match bidirectionally.
Usage Guidelines: See “Configuring Stateful Firewall Rules” on page 114.
Required Privilege Level:
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

rule
Syntax:
    rule rule-name {
        match-direction (input | output | input-output);
        term term-name {
            from {
                application-sets set-name;
                applications [ application-names ];
                destination-address (address | any-unicast) <except>;
                destination-address-range low minimum-value high maximum-value <except>;
                destination-prefix-list list-name <except>;
                source-address (address | any-unicast) <except>;
                source-address-range low minimum-value high maximum-value <except>;
                source-prefix-list list-name <except>;
            }
            then {
                (accept | discard | reject);
                syslog;
            }
        }
    }
Hierarchy Level:
    [edit services stateful-firewall],
    [edit services stateful-firewall rule-set rule-set-name]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Specify the rule the router uses when applying this service.
Options: rule-name—Identifier for the collection of terms that constitute this rule. The remaining statements are explained separately.
Usage Guidelines: See “Configuring Stateful Firewall Rules” on page 114.
Required Privilege Level:
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

rule-set
Syntax:
    rule-set rule-set-name {
        [ rule rule-names ];
    }
Hierarchy Level: [edit services stateful-firewall]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Specify the rule set the router uses when applying this service.
Options: rule-set-name—Identifier for the collection of rules that constitute this rule set.
Usage Guidelines: See “Configuring Stateful Firewall Rule Sets” on page 118.
Required Privilege Level:
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

services
Syntax:
    services stateful-firewall {
        ...
    }
Hierarchy Level: [edit]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Define the service rules to be applied to traffic.
Options: stateful-firewall—Identifies the stateful firewall set of rules statements.
Usage Guidelines: See Stateful Firewall.
Required Privilege Level:
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

source-address
Syntax: source-address (address | any-unicast) <except>;
Hierarchy Level: [edit services stateful-firewall rule rule-name term term-name from]
Release Information: Statement introduced before Junos OS Release 7.4. any-unicast and except options introduced in Junos OS Release 7.5. address option enhanced to support IPv4 and IPv6 addresses in Junos OS Release 8.6.
Description: Source address for rule matching.
Options:
    address—Source IPv4 or IPv6 address or prefix value.
    any-unicast—Any unicast packet.
    except—(Optional) Exclude the specified address, prefix, or unicast packets from rule matching.
Usage Guidelines: See “Configuring Match Conditions in Stateful Firewall Rules” on page 115.
Required Privilege Level:
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

source-address-range
Syntax: source-address-range low minimum-value high maximum-value <except>;
Hierarchy Level: [edit services stateful-firewall rule rule-name term term-name from]
Release Information: Statement introduced in Junos OS Release 7.5. minimum-value and maximum-value options enhanced to support IPv4 and IPv6 addresses in Junos OS Release 8.6.
Description: Source address range for rule matching.
Options:
    minimum-value—Lower boundary for the IPv4 or IPv6 address range.
    maximum-value—Upper boundary for the IPv4 or IPv6 address range.
    except—(Optional) Exclude the specified address range from rule matching.
Usage Guidelines: See “Configuring Match Conditions in Stateful Firewall Rules” on page 115.
Required Privilege Level:
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

source-prefix-list
Syntax: source-prefix-list list-name <except>;
Hierarchy Level: [edit services stateful-firewall rule rule-name term term-name from]
Release Information: Statement introduced in Junos OS Release 8.2.
Description: Specify the source prefix list for rule matching. You configure the prefix list by including the prefix-list statement at the [edit policy-options] hierarchy level.
Options:
    list-name—Source prefix list.
    except—(Optional) Exclude the specified prefix list from rule matching.
Usage Guidelines: See “Configuring Match Conditions in Stateful Firewall Rules” on page 115.
Required Privilege Level:
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.
Related Documentation:
    • Junos OS Routing Policy Configuration Guide

syslog
Syntax: syslog;
Hierarchy Level: [edit services stateful-firewall rule rule-name term term-name then]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Enable system logging. The system log information from the Adaptive Services or Multiservices PIC is passed to the kernel for logging in the /var/log directory. This setting overrides any syslog statement setting included in the service set or interface default configuration.
Usage Guidelines: See “Configuring Actions in Stateful Firewall Rules” on page 116.
Required Privilege Level:
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

term

Syntax
    term term-name {
        from {
            application-sets set-name;
            applications [ application-names ];
            destination-address (address | any-unicast) <except>;
            destination-address-range low minimum-value high maximum-value <except>;
            destination-prefix-list list-name <except>;
            source-address (address | any-unicast) <except>;
            source-address-range low minimum-value high maximum-value <except>;
            source-prefix-list list-name <except>;
        }
        then {
            (accept | discard | reject);
            syslog;
        }
    }

Hierarchy Level
    [edit services stateful-firewall rule rule-name]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Define the stateful firewall term properties.

Options
    term-name—Identifier for the term.
    The remaining statements are explained separately.

Usage Guidelines
    See “Configuring Stateful Firewall Rules” on page 114.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

then

Syntax
    then {
        (accept | discard | reject);
        syslog;
    }

Hierarchy Level
    [edit services stateful-firewall rule rule-name term term-name]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Define the stateful firewall term actions. You can configure the router to accept, discard, or reject the targeted traffic. The other actions are optional.

Options
    accept—Accept the traffic and send it on to its destination.
    discard—Do not accept traffic or process it further.
    reject—Do not accept the traffic and return a rejection message. Rejected traffic can be logged or sampled.
    The remaining statement is explained separately.

Usage Guidelines
    See “Configuring Actions in Stateful Firewall Rules” on page 116.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • Junos OS Routing Policy Configuration Guide

CHAPTER 8
Stateful Firewall on the Embedded Junos OS Platform Configuration Guidelines

Until now, all services have run only on the Juniper microkernel software platform. Starting with Junos OS Release 9.5, however, some services will be deployed on the Embedded Junos software platform. This allows such services to be coupled with third-party applications. The stateful firewall service has been implemented using the embedded Junos Application Framework (eJAF). The stateful firewall plug-in described in the following sections supports many of the features of the existing stateful firewall service that runs on the Juniper microkernel.

This chapter contains the following sections:
• Loading the Stateful Firewall Plug-In on page 135
• Configuring Memory for the Stateful Firewall Plug-In on page 137
• Configuring rsh, rlogin, rexec for Stateful Firewall on page 137

Loading the Stateful Firewall Plug-In

As of Junos OS Release 9.5, a stateful firewall plug-in is provided as part of the jbundle package. To load this plug-in on the PIC, include the package jservices-sfw statement at the [edit chassis fpc slot-number pic slot-number adaptive-services service-package extension-provider] hierarchy level. For example:

    user@host# show chassis
    fpc 0 {
        pic 2 {
            adaptive-services {
                service-package {
                    extension-provider {
                        control-cores 1;
                        data-cores 7;
                        object-cache-size 512;
                        policy-db-size 64;
                        package jservices-sfw; # Loads stateful firewall plug-in.
                    }
                }
            }
        }
    }

You can load both the jservices-sfw package and a Junos SDK application package on the same PIC. The following example demonstrates the stateful firewall plug-in coexisting with a provider’s plug-in:

    [edit]
    services {
        service-set sset {
            stateful-firewall-rules rule1;
            extension-service customer-plugin;
            service-order {
                forward-flow [ stateful-firewall customer-plugin ];
            }
            interface-service {
                service-interface ms-0/0/0;
            }
        }
        stateful-firewall {
            rule rule1 {
                match-direction input-output;
                term term1 {
                    from {
                        applications junos-ftp;
                    }
                    then {
                        accept;
                        syslog;
                    }
                }
            }
            rule rule2 {
                match-direction input;
                term term1 {
                    from {
                        source-address {
                            192.1.1.2/32;
                        }
                    }
                    then {
                        reject;
                    }
                }
            }
        }
    }

The following stateful firewall operational commands support the ms- interface:
• show services stateful-firewall flows—Display stateful firewall flow table entries.
• show services stateful-firewall statistics—Display stateful firewall statistics. For this command, only rule and ALG statistics are given. In the extensive option, other statistics appear but do not populate correctly; those values are all zeroes.
• clear services stateful-firewall flows—Remove established flows from the flow table.

The commands are described in the Junos OS System Basics and Services Command Reference.

Related Documentation
• Configuring Memory for the Stateful Firewall Plug-In on page 137
• extension-provider on page 142

Configuring Memory for the Stateful Firewall Plug-In

When configuring the stateful firewall internal plug-in, configure the object-cache-size, policy-db-size, and forwarding-db-size statements when the application needs to use a large number of rules. The following limits, which are specific to the stateful firewall configuration, await additional review:
• Maximum number of terms (with one rule per term) per service set: 1200
• Maximum number of service sets per Multiservices PIC: 4000 (Juniper Networks M Series Multiservice Edge Routers and T Series Core Routers), 6000 (Juniper Networks MX Series 3D Universal Edge Routers and M120 Multiservice Edge Routers)
• Maximum object cache size: 1280 MB (Multiservices 400 PICs and DPCs), 512 MB (Multiservices 100 PICs)
• Maximum policy database size: Still to be determined. Some questions remain regarding the upper limit to specify for the policy-db-size, causing the total memory required to approach the size of the object cache configured.

If the policy database is set too small, an error message is logged in the router message file even though the commit may appear to be successful. It is necessary to check the logs to make sure that no message file error is found, to be sure that the stateful firewall commit was indeed successful. The remedial action is to increase the size of the policy database.

Related Documentation
• extension-provider on page 142

Configuring rsh, rlogin, rexec for Stateful Firewall

Some implementations of the rsh, rlogin, rexec mechanism require the remote host to authenticate the request by opening a separate TCP session to port 113 on the client host. By default, the stateful firewall does not allow this authentication flow to go through. To open the authentication flow, include the applications junos-ident statement at the [edit services stateful-firewall rule rule-name term term-name from] hierarchy level:

    [edit]
    services {
        stateful-firewall {
            rule rule1 {
                term term1 {
                    from {
                        (source-address | destination-address);
                        applications junos-ident;
                    }

                    then {
                        accept;
                    }
                }
            }
        }
    }

To allow Kerberos-enabled rsh, rlogin, rexec through the stateful firewall, configure the following additional applications and include them in the stateful firewall terms:

    [edit]
    applications {
        application test-kerberos-kshell {
            protocol tcp;
            destination-port kshell;
        }
        application test-kerberos-klogin {
            protocol tcp;
            destination-port klogin;
        }
    }
    services {
        stateful-firewall {
            rule rule1 {
                term term1 {
                    from {
                        applications [ kerberos-klogin kerberos-kshell ];
                    }
                    then {
                        accept;
                    }
                }
            }
        }
    }

Related Documentation
• Configuring Memory for the Stateful Firewall Plug-In on page 137

CHAPTER 9
Summary of Stateful Firewall on the Embedded Junos OS Platform Configuration Statements

The following sections explain stateful firewall statements used in SDK applications. The statements are organized alphabetically.

control-cores

Syntax
    control-cores control-number;

Hierarchy Level
    [edit chassis fpc slot-number pic pic-number adaptive-services service-package extension-provider]

Release Information
    Statement introduced in Junos OS Release 9.0.

Description
    Configure control cores. At least one core must be a control core. Any cores not configured as either control or data cores are treated as user cores. When the number of control cores is changed, the PIC reboots.

Options
    control-number—Number of control cores.
    Range: 1 through 8

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • data-cores on page 140

data-cores

Syntax
    data-cores data-number;

Hierarchy Level
    [edit chassis fpc slot-number pic pic-number adaptive-services service-package extension-provider]

Release Information
    Statement introduced in Junos OS Release 9.0.

Description
    Configure data cores. Although it is not mandatory to dedicate any cores as data cores, it is advisable, depending on the nature of the application, to dedicate a minimum of five as data cores to achieve good performance. Any cores not configured as either data or control cores are treated as user cores. When the number of data cores is changed, the PIC reboots.

Options
    data-number—Number of data cores.
    Range: 0 through 7

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • control-cores on page 139

data-flow-affinity

Syntax
    data-flow-affinity {
        hash-key (layer-3 | layer-4);
    }

Hierarchy Level
    [edit chassis fpc slot-number pic pic-number adaptive-services service-package extension-provider]

Release Information
    Statement introduced in Junos OS Release 9.5.

Description
    Enable flow affinity distribution for packets over data CPUs on the PIC. Once enabled, the default behavior for distributing data packets changes from a round-robin distribution to a flow affinity distribution based on a hash distribution. Adding or deleting this statement causes the PIC to reboot. The statements are explained separately.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

destination

Syntax
    destination destination;

Hierarchy Level
    [edit chassis fpc slot-number pic pic-number adaptive-services service-package extension-provider syslog facility]

Release Information
    Statement introduced in Junos OS Release 10.1.

Description
    Configure where log messages go. Enhancements to the existing infrastructure make debugging on the Multiservices PIC easier by giving the user the option of redirecting log messages. By default, all messages go to the /var/log directory on the Routing Engine. When the syslog destination statement is configured to redirect the log messages, you can use the set system syslog command, a command available in the native Junos OS CLI, to override the syslog settings made on the Multiservices PIC.

Options
    destination—Choose one of the following options:
    • routing-engine—Forward log messages to the Routing Engine.
    • pic-console—Forward log messages to the console of the PIC.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • extension-provider on page 142

extension-provider

Syntax
    extension-provider {
        control-cores control-number;
        data-cores data-number;
        data-flow-affinity {
            hash-key (layer-3 | layer-4);
        }
        forwarding-db-size size;
        object-cache-size size;
        package package-name;
        policy-db-size size;
        syslog {
            facility {
                severity;
                destination destination;
            }
        }
        wired-process-mem-size mem-size;
    }

Hierarchy Level
    [edit chassis fpc slot-number pic pic-number adaptive-services service-package]

Release Information
    Statement introduced in Junos OS Release 9.0.

Description
    Configure an application on a PIC. When the extension-provider statement is first configured, the PIC reboots. The statements are explained separately.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

forwarding-db-size

Syntax
    forwarding-db-size size;

Hierarchy Level
    [edit chassis fpc slot-number pic pic-number adaptive-services service-package extension-provider]

Release Information
    Statement introduced in Junos OS Release 9.2.

Description
    Configure the size of the forwarding database (FDB), in megabytes (MB). The size of the FDB and the size of the policy database together must be smaller than the size of the object cache. When this setting is changed, the PIC reboots.

    NOTE: You need to enable the forwarding-options sampling statement for the FDB to be created.

Options
    size—Size of the FDB.
    Range: 0 through 12879 MB

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • policy-db-size on page 146
    • wired-process-mem-size on page 148
    • object-cache-size on page 145

hash-key

Syntax
    hash-key (layer-3 | layer-4);

Hierarchy Level
    [edit chassis fpc slot-number pic pic-number adaptive-services service-package extension-provider data-flow-affinity]

Release Information
    Statement introduced in Junos OS Release 10.2.

Description
    Set the hashing distribution of flow affinity. Once the data-flow-affinity statement is enabled, you may need to choose the hashing distribution, layer-3 or layer-4. This is an optional setting. Modifying this statement causes the PIC to reboot.

Default
    If you do not configure the hash-key statement, the hashing distribution is 5-tuple hashing.

Options
    layer-3—3-tuple hashing (source IP address, destination IP address, and IP protocol).
    layer-4—5-tuple hashing (3-tuple plus source and destination TCP or UDP ports).

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • extension-provider on page 142
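The following Python model illustrates what the data-flow-affinity and hash-key statements change: with round-robin distribution, consecutive packets of one flow rotate over the data cores, whereas with flow affinity a packet is pinned to a core by hashing its 3-tuple (layer-3) or 5-tuple (layer-4). This is an added example, not Juniper code; the hash function (truncated SHA-256), the core count and the sample packets are assumptions chosen for illustration, and the PIC's real hash is not described on this page.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: int        # IP protocol number, e.g. 6 = TCP, 17 = UDP
    src_port: int
    dst_port: int


def flow_key(pkt, hash_key):
    """Fields that enter the hash: 3-tuple for layer-3, 5-tuple for layer-4."""
    if hash_key == "layer-3":
        return (pkt.src_ip, pkt.dst_ip, pkt.proto)
    if hash_key == "layer-4":
        return (pkt.src_ip, pkt.dst_ip, pkt.proto, pkt.src_port, pkt.dst_port)
    raise ValueError("hash-key must be 'layer-3' or 'layer-4'")


def affinity_core(pkt, hash_key, data_cores):
    """Flow-affinity distribution: hash the flow key onto one of data_cores.

    SHA-256 truncated to 32 bits is an arbitrary, stable hash chosen for this
    example (assumption); any deterministic hash gives the same affinity property.
    """
    if data_cores < 1:
        raise ValueError("flow affinity needs at least one data core")
    material = "|".join(map(str, flow_key(pkt, hash_key))).encode()
    h = int.from_bytes(hashlib.sha256(material).digest()[:4], "big")
    return h % data_cores


def round_robin_core(packet_index, data_cores):
    """Default distribution without data-flow-affinity: packets rotate over cores."""
    return packet_index % data_cores


def cores_used(packets, hash_key, data_cores):
    """Set of data cores touched by a packet stream under flow affinity."""
    return {affinity_core(p, hash_key, data_cores) for p in packets}


# Constructed sample traffic: one TCP flow (three packets) and a second TCP
# connection between the same two hosts from a different client port.
FLOW_A = [Packet("10.0.0.5", "192.0.2.10", 6, 40001, 443) for _ in range(3)]
FLOW_B = [Packet("10.0.0.5", "192.0.2.10", 6, 40002, 443)]
DATA_CORES = 7  # assumption: data-cores 7, as in the chapter 8 example


def demo():
    """Compare which cores the sample packets land on under each distribution."""
    rr = {round_robin_core(i, DATA_CORES) for i in range(len(FLOW_A))}
    l3 = cores_used(FLOW_A + FLOW_B, "layer-3", DATA_CORES)
    l4 = cores_used(FLOW_A + FLOW_B, "layer-4", DATA_CORES)
    return {"round_robin": rr, "layer-3": l3, "layer-4": l4}


if __name__ == "__main__":
    for mode, cores in demo().items():
        print(f"{mode:>12}: cores {sorted(cores)}")
```

Round-robin spreads the three packets of FLOW_A over three cores, so a stateful application would have to share flow state across cores. Under layer-3 hashing every connection between the same host pair and protocol lands on one core, which keeps related traffic together but can concentrate load; layer-4 hashing still keeps each connection on one core while letting distinct connections between the same hosts spread.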

object-cache-size

Syntax
    object-cache-size value;

Hierarchy Level
    [edit chassis fpc slot-number pic pic-number adaptive-services service-package extension-provider]

Description
    Configure the size of the object cache, in MB. Only values in increments of 128 MB are allowed. When this setting is changed, the PIC reboots.

Options
    value—Amount of object cache.
    Range: For Multiservices 100 PIC, range is 128 MB through 512 MB. If the wired-process-mem-size statement at the same hierarchy level has a value of 512 MB, the maximum value for this statement is 128 MB.
    Range: For Multiservices 400 PIC, range is 128 MB through 1280 MB. If the wired-process-mem-size statement at the same hierarchy level has a value of 512 MB, the maximum value for this statement is 512 MB.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • forwarding-db-size on page 143
    • policy-db-size on page 146
    • wired-process-mem-size on page 148

package (Loading on PIC)

Syntax
    package package-name;

Hierarchy Level
    [edit chassis fpc slot-number pic pic-number adaptive-services service-package extension-provider]

Release Information
    Statement introduced in Junos OS Release 9.1.

Description
    Identify a package to be loaded on the PIC. There can be up to eight packages loaded on a PIC; however, only one data package is allowed per PIC. An error message is displayed if more than eight packages are specified. When a package is added or removed, the PIC reboots.

Options
    package-name—Name of the package to be loaded on the PIC.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

policy-db-size

Syntax
    policy-db-size size;

Hierarchy Level
    [edit chassis fpc slot-number pic pic-number adaptive-services service-package extension-provider]

Description
    Configure the size of the policy database, in megabytes (MB). The size of the forwarding database and the size of the policy database together must be smaller than the size of the object cache. When this setting is changed, the PIC reboots.

    NOTE: At least one data core must be configured to configure the size of the policy database.

Options
    size—Size of the policy database.
    Range: 0 through 1279 MB

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • forwarding-db-size on page 143
    • object-cache-size on page 145
    • wired-process-mem-size on page 148

syslog

Syntax
    syslog {
        facility {
            severity;
            destination destination;
        }
    }

Hierarchy Level
    [edit chassis fpc slot-number pic pic-number adaptive-services service-package extension-provider]

Release Information
    Statement introduced in Junos OS Release 9.2.
    Options daemon and kernel (for facility) introduced in Junos OS Release 9.5.

Description
    Enable PIC system logging to record or view system log messages on a specific PIC. The system log information is passed to the kernel for logging in the /var/log directory. The remaining statement is explained separately.

Options
    facility—Group of messages that are either generated by the same software process or concern a similar condition or activity. Possible values include the following: daemon, external, kernel, and pfe.
    severity—Classification of effect on functioning. Possible values are the following options:
    • any—Include all severity levels.
    • alert—Conditions that require immediate correction, such as a corrupted system database.
    • critical—Critical conditions, such as hard errors.
    • emergency—System panic or other condition that causes the routing platform to stop functioning.
    • error—Error conditions that generally have less serious consequences than errors in the emergency, alert, and critical levels.
    • info—Events or nonerror conditions of interest.
    • none—Disable logging of the associated facility to a destination.
    • notice—Conditions that are not errors but might warrant special handling.
    • warning—Conditions that warrant monitoring.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

wired-process-mem-size

Syntax
    wired-process-mem-size mem-size;

Hierarchy Level
    [edit chassis fpc slot-number pic pic-number adaptive-services service-package extension-provider]

Description
    Configure the size of the reserved wired process memory. The only size you can set for this statement is 512 MB. You can also configure object cache. If this setting is changed, the PIC reboots.

Options
    megabytes—Size of the reserved wired process memory, in MB.
    Default: 512 MB
    Range: 0 through 512 MB

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • forwarding-db-size on page 143
    • object-cache-size on page 145
    • policy-db-size on page 146
    • wired-process-mem-size on page 148
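The memory and core statements under extension-provider interact (the FDB and policy database must fit inside the object cache, the object cache is limited per PIC type and by wired-process-mem-size, the policy database needs a data core, and so on), and chapter 8 notes that an undersized policy database only shows up as a message-file error after an apparently successful commit. The following Python checker, an added example that is not Juniper code, applies the limits stated on the preceding pages to a configuration before it is committed. The PIC-type names "ms-100" and "ms-400", the assumption that a PIC has 8 cores in total (suggested by the 1 through 8 and 0 through 7 ranges), and the sample configurations are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import List

OBJECT_CACHE_STEP_MB = 128

# Object cache limits per PIC type as stated on the object-cache-size page:
# the normal maximum, and the lower maximum that applies when
# wired-process-mem-size is 512 MB.
OBJECT_CACHE_LIMITS = {
    "ms-100": {"max": 512, "max_with_wired_512": 128},
    "ms-400": {"max": 1280, "max_with_wired_512": 512},
}


@dataclass
class ExtensionProvider:
    pic_type: str                       # "ms-100" or "ms-400" (assumed labels)
    control_cores: int
    data_cores: int
    object_cache_size: int              # MB
    policy_db_size: int = 0             # MB
    forwarding_db_size: int = 0         # MB
    wired_process_mem_size: int = 512   # MB; default stated on the page
    packages: List[str] = field(default_factory=list)
    sampling_enabled: bool = False      # forwarding-options sampling configured?


def validate(cfg):
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    if cfg.pic_type not in OBJECT_CACHE_LIMITS:
        return [f"unknown PIC type {cfg.pic_type!r}"]
    limits = OBJECT_CACHE_LIMITS[cfg.pic_type]

    # Core ranges from the control-cores and data-cores pages.
    if not 1 <= cfg.control_cores <= 8:
        problems.append("control-cores must be 1 through 8")
    if not 0 <= cfg.data_cores <= 7:
        problems.append("data-cores must be 0 through 7")
    # Assumption: the PIC has 8 cores in total.
    if cfg.control_cores + cfg.data_cores > 8:
        problems.append("control-cores plus data-cores exceeds 8 cores")

    # wired-process-mem-size: the only settable value is 512 MB.
    if cfg.wired_process_mem_size != 512:
        problems.append("wired-process-mem-size can only be set to 512 MB")

    # object-cache-size: 128 MB steps, PIC-dependent maximum, reduced when
    # wired-process-mem-size is 512 MB.
    oc = cfg.object_cache_size
    if oc % OBJECT_CACHE_STEP_MB != 0:
        problems.append("object-cache-size must be a multiple of 128 MB")
    max_oc = (limits["max_with_wired_512"] if cfg.wired_process_mem_size == 512
              else limits["max"])
    if not OBJECT_CACHE_STEP_MB <= oc <= max_oc:
        problems.append(f"object-cache-size must be 128 through {max_oc} MB on {cfg.pic_type}")

    # policy-db-size and forwarding-db-size ranges, prerequisites, and the
    # shared object-cache budget.
    if not 0 <= cfg.policy_db_size <= 1279:
        problems.append("policy-db-size must be 0 through 1279 MB")
    if cfg.policy_db_size > 0 and cfg.data_cores < 1:
        problems.append("policy-db-size requires at least one data core")
    if not 0 <= cfg.forwarding_db_size <= 12879:
        problems.append("forwarding-db-size must be 0 through 12879 MB")
    if cfg.forwarding_db_size > 0 and not cfg.sampling_enabled:
        problems.append("forwarding-db-size needs forwarding-options sampling enabled")
    if cfg.policy_db_size + cfg.forwarding_db_size >= oc:
        problems.append("policy-db-size plus forwarding-db-size must be smaller than object-cache-size")

    # package: at most eight packages per PIC.
    if len(cfg.packages) > 8:
        problems.append("at most eight packages can be loaded on a PIC")
    return problems


def demo():
    """Check the chapter 8 example (assumed to be on an MS-400) and a constructed bad config."""
    good = ExtensionProvider("ms-400", 1, 7, 512, policy_db_size=64,
                             packages=["jservices-sfw"])
    bad = ExtensionProvider("ms-100", 1, 0, 600, policy_db_size=64)
    return validate(good), validate(bad)


if __name__ == "__main__":
    for label, probs in zip(("good", "bad"), demo()):
        print(label, probs or "OK")
```

The checker flags only what the reference pages state explicitly; the "policy database too small for the rule count" case that chapter 8 warns about is not a static limit, so the advice there to check the message file after commit still stands.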

CHAPTER 10
Carrier-Grade NAT Configuration Guidelines

To configure Network Address Translation (NAT) services, include the nat statement at the [edit services] hierarchy level:

    [edit services]
    nat {
        ipv6-multicast-interfaces (all | interface-name) {
            disable;
        }
        pool nat-pool-name {
            address ip-prefix</prefix-length>;
            address-range low minimum-value high maximum-value;
            mapping-timeout seconds;
            pgcp {
                hint [ hint-strings ];
                ports-per-session ports;
                remotely-controlled;
                transport [ transport-protocols ];
            }
            port (automatic | range low minimum-value high maximum-value) {
                preserve-parity;
                preserve-range;
                random-allocation;
                secured-port-block-allocation {
                    active-block-timeout timeout-seconds;
                    block-size block-size;
                    max-blocks-per-user max-blocks;
                }
            }
        }
        rule rule-name {
            match-direction (input | output);
            term term-name {
                from {
                    application-sets set-name;
                    applications [ application-names ];
                    destination-address (address | any-unicast) <except>;
                    destination-address-range low minimum-value high maximum-value <except>;
                    destination-prefix-list list-name <except>;

                    source-address (address | any-unicast) <except>;
                    source-address-range low minimum-value high maximum-value <except>;
                    source-prefix-list list-name <except>;
                }
                then {
                    no-translation;
                    syslog;
                    translated {
                        address-pooling paired;
                        destination-pool nat-pool-name;
                        destination-prefix destination-prefix;
                        dns-alg-pool dns-alg-pool;
                        dns-alg-prefix dns-alg-prefix;
                        filtering-type endpoint-independent;
                        mapping-type endpoint-independent;
                        overload-pool overload-pool-name;
                        overload-prefix overload-prefix;
                        source-pool nat-pool-name;
                        source-prefix source-prefix;
                        translation-type {
                            (basic-nat-pt | basic-nat44 | basic-nat66 | dnat-44 | dynamic-nat44 | napt-44 | napt-66 | napt-pt | stateful-nat64);
                        }
                        use-dns-map-for-destination-translation;
                    }
                }
            }
        }
        rule-set rule-set-name {
            [ rule rule-names ];
        }
    }

This chapter includes the following sections:
• Configuring Addresses and Ports for Use in NAT Rules on page 151
• Configuring NAT Rules on page 156
• Configuring NAT Rule Sets on page 161
• Configuring Static Source Translation in IPv4 Networks on page 162
• Configuring Static Source Translation in IPv6 Networks on page 165
• Configuring Dynamic Source Address and Port Translation in IPv4 Networks on page 168
• Configuring Advanced Options for Dynamic Source Address and Port Translation in IPv4 Networks on page 170
• Configuring Dynamic Source Address and Port Translation for IPv6 Networks on page 173
• Configuring Dynamic Address-Only Source Translation in IPv4 Networks on page 174
• Configuring Static Destination Address Translation in IPv4 Networks on page 177
• Configuring Port Forwarding for Static Destination Address Translation on page 179
• Configuring Translation Type for Translation Between IPv6 and IPv4 Networks on page 182
• Configuring NAT-PT on page 187

• Configuring Dynamic Source Address and Static Destination Address Translation (IPv6 to IPV4) on page 189
• Configuring Port Forwarding for Static Destination Address Translation on page 190
• Examples: Configuring NAT Rules on page 193
• Example: NAT 44 CGN Configurations on page 223
• Example: NAT Between VRFs Configuration on page 226
• Example: Configuring Stateful NAT64 for Handling IPv4 Address Depletion on page 229

Configuring Addresses and Ports for Use in NAT Rules

For information about configuring translated addresses, see the following sections:
• Configuring Pools of Addresses and Ports on page 151
• Configuring Address Pools for Network Address Port Translation on page 152
• Specifying Destination and Source Prefixes on page 155
• Requirements for NAT Addresses on page 155

Configuring Pools of Addresses and Ports

You can use the pool statement to define the addresses (or prefixes), address ranges, and ports used for Network Address Translation (NAT). To configure the information, include the pool statement at the [edit services nat] hierarchy level:

    [edit services nat]
    pool nat-pool-name {
        address ip-prefix</prefix-length>;
        address-range low minimum-value high maximum-value;
        port (automatic | range low minimum-value high maximum-value) {
            preserve-parity;
            preserve-range;
        }
    }

To configure pools for traditional NAT, specify either a destination pool or a source pool. For constraints on specific translation types, see “Configuring Actions in NAT Rules” on page 159.

With static source NAT and dynamic source NAT, you can specify multiple IPv4 addresses (or prefixes) and IPv4 address ranges. With static destination NAT, you can also specify multiple address prefixes and address ranges in a single term. However, the netmask or range for the from address must be smaller than or equal to the netmask or range for the destination pool address. Multiple destination NAT terms can share a destination NAT pool. If you define the pool to be larger than required, some addresses will not be used. For example, if you define the pool size as 100 addresses and the rule specifies only 80 addresses, the last 20 addresses in the pool are not used. Up to 32 prefixes or address ranges (or a combination) can be supported within a single pool.

With source static NAT, address ranges are limited to a maximum of 65,535 addresses. There is no limit on the pool size for static source NAT. A dynamic NAT pool with no address port translation supports up to 65,000 addresses. When you specify a port for dynamic source NAT, you can configure up to 32 address ranges with up to 65,536 addresses each, for a total of (65,000 x 65,535) or 4,259,775,000 flows.

In an address range, the low value must be a lower number than the high value. When multiple address ranges and prefixes are configured, the prefixes are depleted first, followed by the address ranges. However, the prefixes and address ranges cannot overlap between separate pools.

Configuring Address Pools for Network Address Port Translation

With Network Address Port Translation (NAPT), the port statement specifies port assignment for the translated addresses. To configure automatic assignment of ports, include the port automatic statement at the [edit services nat pool nat-pool-name] hierarchy level. To configure a specific range of port numbers, include the port range low minimum-value high maximum-value statement at the [edit services nat pool nat-pool-name] hierarchy level.

Preserve Range and Preserve Parity

You can configure your carrier-grade NAT (CGN) to preserve the range or parity of the packet source port when it allocates a source port for an outbound connection.
• Preserve range—RFC 4787, Network Address Translation (NAT) Behavioral Requirements for Unicast UDP, defines two ranges: 0 through 1023, and 1024 through 65,535. When the preserve-range knob is configured and the incoming port falls into one of these ranges, CGN allocates a port from that range only. If there is no available port in the range, the port allocation request fails and that session is not created. If this knob is not configured, allocation is based on the configured port range without regard to the port range that contains the incoming port. The exception is some application-level gateways (ALGs), such as hello, that have special zones.
• Preserve parity—When the preserve-parity knob is configured, CGN allocates a port with the same even or odd parity as the incoming port. If the incoming port number is odd or even, the outgoing port number should correspondingly be odd or even. If a port number of the desired parity is not available, the port allocation request fails, the session is not created, and the packet is dropped, but no Internet Control Message Protocol (ICMP) message is generated. The failure is reflected on counters and system logging.

You can configure the preserve parity and preserve range options under the NAT pool definition by including the preserve-range and preserve-parity configuration statements at the [edit services nat pool pool-name port] hierarchy level.

The Junos OS provides several alternatives for allocating ports:
• Round-Robin Allocation on page 153
• Port Block Allocation on page 153
• Sequential on page 154
• Additional Options for NAPT on page 154

Round-Robin Allocation

To configure round-robin allocation for NAT pools, include the address-allocation round-robin configuration statement at the [edit services nat pool pool-name] hierarchy level. When you use round-robin allocation, one port is allocated from each address in a range before repeating the process for each address in the next range. After ports have been allocated for all addresses in the last range, the allocation process wraps around and allocates the next unused port for addresses in the first range.
• The first connection is allocated to the address:port 9.9.99.1:3333.
• The second connection is allocated to the address:port 9.9.99.2:3333.
• The third connection is allocated to the address:port 9.9.99.3:3333.
• The fourth connection is allocated to the address:port 9.9.99.4:3333.
• The fifth connection is allocated to the address:port 9.9.99.5:3333.
• The sixth connection is allocated to the address:port 9.9.99.6:3333.
• The seventh connection is allocated to the address:port 9.9.99.7:3333.
• The eighth connection is allocated to the address:port 9.9.99.8:3333.
• The ninth connection is allocated to the address:port 9.9.99.9:3333.
• The tenth connection is allocated to the address:port 9.9.99.10:3333.
• The eleventh connection is allocated to the address:port 9.9.99.11:3333.
• The twelfth connection is allocated to the address:port 9.9.99.12:3333.
• Wraparound occurs and the thirteenth connection is allocated to the address:port 9.9.99.1:3334.

Port Block Allocation

Carriers track their subscribers using the IP address (RADIUS or DHCP log). If they use CGN, an IP address is shared by multiple subscribers, and the carrier must track the IP address and port, which is part of the NAT log. Because ports are used and reused at a very high rate, tracking subscribers using the log becomes difficult due to the large number of messages, which are difficult to archive and correlate. By enabling the allocation of ports in blocks, port block allocation can significantly reduce the number of logs, making it easier to track subscribers. With port block allocation, ports are allocated randomly from the current active block. The most recently allocated block is the current active block. New requests for NAT ports are served from the active block.
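The following Python simulator, an added example that is not Juniper code, walks through the round-robin allocation described above, the sequential (legacy)
allocation that the next section describes, and the preserve-range and preserve-parity options from the previous section, so that the address:port sequences and the failure case (no qualifying port, so no session and no ICMP) can be checked. The pool ranges (198.51.100.1 through .2 and .10 through .11), the port ranges and the incoming ports are constructed for this example; how the real implementation chooses among addresses when preserve options filter out ports is not stated on the page and is modelled here as "first address that still has a qualifying free port".

```python
from ipaddress import IPv4Address


class NaptPool:
    """Model of a NAPT pool with address ranges and one port range."""

    def __init__(self, address_ranges, port_low, port_high,
                 allocation="sequential", preserve_parity=False,
                 preserve_range=False):
        self.addresses = []
        for low, high in address_ranges:        # expand ranges in configured order
            lo, hi = IPv4Address(low), IPv4Address(high)
            if lo > hi:
                raise ValueError(f"address-range low {low} must be below high {high}")
            self.addresses += [IPv4Address(int(lo) + i) for i in range(int(hi) - int(lo) + 1)]
        if port_low > port_high:
            raise ValueError("port range low must be below high")
        self.ports = list(range(port_low, port_high + 1))
        self.allocation = allocation            # "sequential" or "round-robin"
        self.preserve_parity = preserve_parity
        self.preserve_range = preserve_range
        self.used = set()                       # allocated (address, port) tuples
        self._rr_next = 0                       # round-robin: next address index

    def _candidate_ports(self, incoming_port):
        """Apply the preserve-range (RFC 4787 ranges) and preserve-parity filters."""
        ports = self.ports
        if self.preserve_range:
            low_range = incoming_port <= 1023
            ports = [p for p in ports if (p <= 1023) == low_range]
        if self.preserve_parity:
            ports = [p for p in ports if p % 2 == incoming_port % 2]
        return ports

    def _take(self, addr, incoming_port):
        """Lowest qualifying free port on addr, or None if it has none."""
        for p in self._candidate_ports(incoming_port):
            if (addr, p) not in self.used:
                self.used.add((addr, p))
                return (str(addr), p)
        return None

    def allocate(self, incoming_port):
        """Return (address, port) for a new session, or None when allocation fails
        (the session is not created and no ICMP message is sent)."""
        n = len(self.addresses)
        if self.allocation == "sequential":
            order = range(n)                    # stay on an address until exhausted
        else:
            order = [(self._rr_next + i) % n for i in range(n)]  # rotate addresses
        for idx in order:
            got = self._take(self.addresses[idx], incoming_port)
            if got is not None:
                if self.allocation == "round-robin":
                    self._rr_next = (idx + 1) % n
                return got
        return None


# Constructed pool: two address ranges, four addresses in total.
POOL_RANGES = [("198.51.100.1", "198.51.100.2"), ("198.51.100.10", "198.51.100.11")]


def walk(allocation, n, incoming_port=40000, **opts):
    """Allocate n sessions from a pool with ports 3333-3334 and list the results."""
    pool = NaptPool(POOL_RANGES, 3333, 3334, allocation, **opts)
    return [pool.allocate(incoming_port) for _ in range(n)]


def preserve_demo():
    """Sequential pool with ports 1020-1027 and both preserve options on."""
    pool = NaptPool(POOL_RANGES, 1020, 1027, "sequential",
                    preserve_parity=True, preserve_range=True)
    return [pool.allocate(80), pool.allocate(81), pool.allocate(40000), pool.allocate(40001)]


if __name__ == "__main__":
    print("round-robin:", walk("round-robin", 5))
    print("sequential: ", walk("sequential", 5))
    print("preserve:   ", preserve_demo())
```

Round-robin visits each address once per pass (the fifth session wraps to the first address with the next port), sequential exhausts an address before moving on, and with preserve-range an incoming port in 0 through 1023 can only be mapped to 1020 through 1023 of the example pool.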

To configure port block allocation, include the secured-port-block-allocation statement at the [edit services nat pool pool-name port] hierarchy level. You can then specify the following configurable options:
• block-size
• max-blocks-per-user
• active-block-timeout

Sequential

With sequential allocation, the next available address in the NAT pool is selected only when all the ports available from an address are exhausted. The NAT pool called napt in the following configuration example uses the sequential implementation:

    pool napt {
        address-range low 9.9.99.1 high 9.9.99.3;
        address-range low 9.9.99.4 high 9.9.99.6;
        address-range low 9.9.99.8 high 9.9.99.10;
        address-range low 9.9.99.12 high 9.9.99.13;
        port {
            range low 3333 high 3334;
        }
    }

In this example, the ports are allocated starting from the first address in the first address-range, and allocation continues from this address until all available ports have been used. When all available ports have been used, the next address (in the same address-range or in the following address-range) is allocated and all its ports are selected as needed, and so on. In the case of the example napt pool, the tuple address, port 9.9.99.4:3333 is allocated only when all ports for all the addresses in the first range have been used.
• The first connection is allocated to the address:port 9.9.99.1:3333.
• The second connection is allocated to the address:port 9.9.99.1:3334.
• The third connection is allocated to the address:port 9.9.99.2:3333.
• The fourth connection is allocated to the address:port 9.9.99.2:3334.

NOTE: This legacy implementation provides backward compatibility.

Additional Options for NAPT

The following options are available for NAPT.
• Preserving parity—Use the preserve-parity command to allocate even ports for packets with even source ports and odd ports for packets with odd source ports.

• Preserving range—Use the preserve-range command to allocate ports within a range from 0 to 1023, assuming the original packet contains a source port in the reserved range. This applies to control sessions, not data sessions.

Specifying Destination and Source Prefixes
You can directly specify the destination or source prefix used in NAT without configuring a pool. To configure the information, include the rule statement at the [edit services nat] hierarchy level:

[edit services nat]
rule rule-name {
    term term-name {
        then {
            translated {
                destination-prefix prefix;
                source-prefix prefix;
            }
        }
    }
}

You can specify one or more IPv4 address prefixes in the pool statement and in the from clause of the NAT rule term. This enables you to configure source translation from a private subnet to a public subnet without defining a rule term for each address in the subnet. Destination translation cannot be configured by this method. For more information, see Examples: Configuring NAT Rules.

Requirements for NAT Addresses
You must configure a specific address, a prefix, or the address-range boundaries:
• The following addresses, while valid in inet, cannot be used for NAT translation:
    • 0.0.0.0/32
    • 127.0.0.0/8 (loopback)
    • 128.0.0.0/16 (martian)
    • 191.255.0.0/16 (martian)
    • 192.0.0.0/24 (martian)
    • 223.255.255.0/24 (martian)
    • 224.0.0.0/4 (multicast)
    • 240.0.0.0/4 (reserved)
    • 255.255.255.255 (broadcast)
• When you configure static source NAT, the address prefix size you configure at the [edit services nat pool pool-name] hierarchy level must be larger than the source-address prefix range configured at the [edit services nat rule rule-name term term-name from] hierarchy level. The source-address prefix range must also map to a single subnet or range of IPv4 or IPv6 addresses in the pool statement. Any pool addresses that are not used by the source-address prefix range are left unused. Pools cannot be shared.

NOTE: When you include a NAT configuration that changes IP addresses, it might affect forwarding path features elsewhere in your router configuration, such as source class usage (SCU), destination class usage (DCU), filter-based forwarding, or other features that target specific IP addresses or prefixes. NAT configuration might also affect routing protocol operation, because the protocol peering, neighbor, and interface addresses can be altered when routing protocol packets transit the Adaptive Services (AS) or Multiservices PIC.

Configuring NAT Rules
To configure a NAT rule, include the rule rule-name statement at the [edit services nat] hierarchy level:

[edit services nat]
rule rule-name {
    match-direction (input | output);
    term term-name {
        from {
            application-sets set-name;
            applications [ application-names ];
            destination-address (address | any-unicast) <except>;
            destination-address-range low minimum-value high maximum-value <except>;
            destination-prefix-list list-name <except>;
            source-address (address | any-unicast) <except>;
            source-address-range low minimum-value high maximum-value <except>;
            source-prefix-list list-name <except>;
        }
        then {
            no-translation;
            translated {
                address-pooling paired;
                destination-pool nat-pool-name;
                destination-prefix destination-prefix;
                dns-alg-pool dns-alg-pool;
                dns-alg-prefix dns-alg-prefix;
                filtering-type endpoint-independent;
                mapping-type endpoint-independent;
                overload-pool overload-pool-name;
                overload-prefix overload-prefix;
                source-pool nat-pool-name;
                source-prefix source-prefix;
                translation-type {
                    (basic-nat-pt | basic-nat44 | basic-nat66 | dnat-44 | dynamic-nat44 | napt-44 | napt-66 | napt-pt | stateful-nat64 | twice-basic-nat-44 | twice-dynamic-nat-44 | twice-napt-44);
                }
                use-dns-map-for-destination-translation;
            }
            syslog;
        }
    }
}

Each rule must include a match-direction statement that specifies the direction in which the match is applied. In addition, each NAT rule consists of a set of terms, similar to a firewall filter. A term consists of the following:
• from statement—Specifies the match conditions and applications that are included and excluded.
• then statement—Specifies the actions and action modifiers to be performed by the router software.

The following sections explain how to configure the components of NAT rules:
• Configuring Match Direction for NAT Rules on page 157
• Configuring Match Conditions in NAT Rules on page 158
• Configuring Actions in NAT Rules on page 159

Configuring Match Direction for NAT Rules
Each rule must include a match-direction statement that specifies the direction in which the match is applied. To configure where the match is applied, include the match-direction statement at the [edit services nat rule rule-name] hierarchy level:

[edit services nat rule rule-name]
match-direction (input | output);

The match direction is used with respect to the traffic flow through the Multiservices DPC and Multiservices PICs. When a packet is sent to the PIC, direction information is carried along with it. The packet direction is determined based on the following criteria:

• With an interface service set, packet direction is determined by whether a packet is entering or leaving the interface on which the service set is applied.
• With a next-hop service set, packet direction is determined by the interface used to route the packet to the Multiservices DPC or Multiservices PIC. If the inside interface is used to route the packet, the packet direction is input. If the outside interface is used to direct the packet to the PIC or DPC, the packet direction is output. For more information about inside and outside interfaces, see “Configuring Service Sets to be Applied to Services Interfaces” on page 568.
• On the Multiservices DPC and Multiservices PIC, a flow lookup is performed. If no flow is found, rule processing is performed. All rules in the service set are considered. During rule processing, the packet direction is compared against rule directions. Only rules with direction information that matches the packet direction are considered.

Configuring Match Conditions in NAT Rules
To configure NAT match conditions, include the from statement at the [edit services nat rule rule-name term term-name] hierarchy level:

[edit services nat rule rule-name term term-name]
from {
    application-sets set-name;
    applications [ application-names ];
    destination-address (address | any-unicast) <except>;
    destination-address-range low minimum-value high maximum-value <except>;
    destination-prefix-list list-name <except>;
    source-address (address | any-unicast) <except>;
    source-address-range low minimum-value high maximum-value <except>;
    source-prefix-list list-name <except>;
}

To configure traditional NAT, you can use the destination address, a range of destination addresses, the source address, or a range of source addresses as a match condition, in the same way that you would configure a firewall filter. For an example, see “Examples: Configuring Stateful Firewall Rules” on page 118. Alternatively, you can specify a list of source or destination prefixes by including the prefix-list statement at the [edit policy-options] hierarchy level and then including either the destination-prefix-list or source-prefix-list statement in the NAT rule; for more information, see the Junos OS Routing Policy Configuration Guide.

You can include application protocol definitions that you have configured at the [edit applications] hierarchy level; for more information, see “Configuring Application Protocol Properties” on page 72:
• To apply one or more specific application protocol definitions, include the applications statement at the [edit services nat rule rule-name term term-name from] hierarchy level.
• To apply one or more sets of application protocol definitions that you have defined, include the application-sets statement at the [edit services nat rule rule-name term term-name from] hierarchy level.

NOTE: If you include one of the statements that specifies application protocols, the router derives port and protocol information from the corresponding configuration at the [edit applications] hierarchy level; you cannot specify these properties as match conditions. You can include the protocol tcp and protocol udp statements with the application statement for NAT configurations. You can configure ALGs for ICMP and trace route under stateful firewall and NAT. When matched rules include more than one ALG, the more specific ALG takes effect; for example, if the stateful firewall rule includes TCP and the NAT rule includes FTP, the NAT rule takes precedence. By default, NAT can restore IP, TCP, and UDP headers embedded in the payload of ICMP error messages. For more information, see “Network Address Translation Overview” on page 48.

Configuring Actions in NAT Rules
To configure NAT actions, include the then statement at the [edit services nat rule rule-name term term-name] hierarchy level:

[edit services nat rule rule-name term term-name]
then {
    no-translation;
    syslog;
    translated {
        destination-pool nat-pool-name;
        destination-prefix destination-prefix;
        source-pool nat-pool-name;
        source-prefix source-prefix;
        translation-type (basic-nat-pt | basic-nat44 | basic-nat66 | dnat-44 | dynamic-nat44 | napt-44 | napt-66 | napt-pt | stateful-nat64 | twice-basic-nat-44 | twice-dynamic-nat-44 | twice-napt-44);
    }
}

The no-translation statement allows you to specify addresses that you want excluded from NAT. The destination-pool, destination-prefix, source-pool, and source-prefix statements specify addressing information that you define by including the pool statement at the [edit services nat] hierarchy level; for more information, see “Configuring Addresses and Ports for Use in NAT Rules” on page 151. The translation-type statement specifies the type of NAT used for source or destination traffic. The options are basic-nat-pt, basic-nat44, basic-nat66, dnat-44, dynamic-nat44, napt-44, napt-66, napt-pt, and stateful-nat64. The syslog statement enables you to record an alert in the system logging facility.
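A configuration-time check for the rules under Requirements for NAT Addresses above, as an added Python example (not code from the Junos guide): it flags pool addresses that overlap the unusable blocks the guide lists and checks that a static source NAT pool prefix has at least as many addresses as the from source-address prefix. The sample prefixes in the usage are constructed.

```python
"""Added example (not from the Junos guide): sanity checks for NAT pool addresses and static source NAT sizing."""
from ipaddress import IPv4Address, IPv4Network, ip_network
from typing import List, Tuple

# The blocks the guide lists as valid in inet but unusable for NAT translation, with the guide's labels
# (the guide gives no label for 0.0.0.0/32).
UNUSABLE_FOR_NAT: List[Tuple[IPv4Network, str]] = [
    (IPv4Network("0.0.0.0/32"), ""),
    (IPv4Network("127.0.0.0/8"), "loopback"),
    (IPv4Network("128.0.0.0/16"), "martian"),
    (IPv4Network("191.255.0.0/16"), "martian"),
    (IPv4Network("192.0.0.0/24"), "martian"),
    (IPv4Network("223.255.255.0/24"), "martian"),
    (IPv4Network("224.0.0.0/4"), "multicast"),
    (IPv4Network("240.0.0.0/4"), "reserved"),
    (IPv4Network("255.255.255.255/32"), "broadcast"),
]


def _overlaps(net: IPv4Network, low: IPv4Address, high: IPv4Address) -> bool:
    """True when the closed range low..high shares at least one address with net."""
    return net.network_address <= high and net.broadcast_address >= low


def unusable_in_range(low: str, high: str) -> List[str]:
    """Return the unusable blocks that an address-range low..high touches (empty list = clean)."""
    lo, hi = IPv4Address(low), IPv4Address(high)
    if hi < lo:
        raise ValueError(f"address-range low {low} is above high {high}")
    return [f"{net}" + (f" ({label})" if label else "")
            for net, label in UNUSABLE_FOR_NAT if _overlaps(net, lo, hi)]


def unusable_in_prefix(prefix: str) -> List[str]:
    """Same check for a pool address or prefix such as 10.10.10.2/32 or 10.10.10.0/24."""
    net = IPv4Network(prefix, strict=False)
    return unusable_in_range(str(net.network_address), str(net.broadcast_address))


def check_static_source_nat(from_prefix: str, pool_prefix: str) -> Tuple[bool, str]:
    """Check a basic-nat44/basic-nat66 pairing of a from source-address prefix with a pool prefix.

    The pool must be in the same address family, must not use the unusable IPv4 blocks, and
    must have at least as many addresses as the source prefix (the guide's basic-nat44
    description allows equal size); leftover pool addresses simply stay unused.
    """
    src = ip_network(from_prefix, strict=False)
    pool = ip_network(pool_prefix, strict=False)
    if src.version != pool.version:
        return False, f"{src} and {pool} are different address families"
    if pool.version == 4:
        bad = unusable_in_prefix(pool_prefix)
        if bad:
            return False, f"pool {pool} overlaps unusable block(s): {', '.join(bad)}"
    if pool.num_addresses < src.num_addresses:
        return False, (f"pool {pool} ({pool.num_addresses} addresses) is smaller than "
                       f"source prefix {src} ({src.num_addresses} addresses)")
    unused = pool.num_addresses - src.num_addresses
    return True, f"{src} maps into {pool}; {unused} pool address(es) left unused"


if __name__ == "__main__":
    # Constructed checks: the guide's basic-nat44 example plus a few deliberately wrong pools.
    for src, pool in [("3.1.1.2/32", "10.10.10.2/32"), ("3.1.1.0/24", "10.10.10.0/25"),
                      ("3.1.1.0/24", "224.0.0.0/24"), ("10:10:10::0/96", "2001:db8:1::/96")]:
        ok, why = check_static_source_nat(src, pool)
        print("OK  " if ok else "FAIL", why)
```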

The implementation details of the nine options of the translation-type statement are as follows:

• basic-nat44—This option implements the static translation of source IP addresses without port mapping. You must specify a source-pool name. The referenced pool must include an address configuration (for address-only translation). The referenced pool can contain multiple addresses, ranges, or prefixes. You must configure the from source-address statement in the match condition for the rule. The size of the address range specified in the statement must be the same as or smaller than the source pool, or, if it is a prefix, the size must be less than or equal to the pool prefix size.

NOTE: In an interface service set, all packets destined for the source address specified in the match condition are automatically routed to the services PIC, even if no service set is associated with the interface.

• basic-nat66—This option implements the static translation of source IP addresses without port mapping in IPv6 networks. The configuration is similar to the basic-nat44 implementation, but with IPv6 addresses.

• basic-nat-pt—This option implements translation of addresses of IPv6 hosts, as they originate sessions to the IPv4 hosts in an external domain and vice versa. This option is always implemented with DNS ALG. You must define the source and destination pools of IPv4 addresses. You must configure one rule and define two terms. Configure the IPv6 addresses in the from statement in both the term statements. In the then statement of the first term within the rule, reference both the source and destination pools and configure dns-alg-prefix. Configure the source prefix in the then statement of the second term within the same rule.

• dnat-44—This option implements static translation of destination IP addresses without port mapping. You must specify a name for the destination-pool statement. The referenced pool can contain multiple addresses, but you cannot specify ports for translation. You must include exactly one destination-address value at the [edit services nat rule rule-name term term-name from] hierarchy level. The size of the pool address space must be greater than or equal to the destination address space; translation works as long as the number of NAT addresses in the pool is larger than the number of destination addresses in the from statement. Any addresses in the pool that are not matched in the destination-address value remain unused, because a pool cannot be shared among multiple terms or rules.

• dynamic-nat44—This option implements dynamic translation of source IP addresses without port mapping. You must specify either a source pool or a destination prefix. This feature enables the router to share a few public IP addresses between several private hosts. Because all the private hosts might not simultaneously create sessions, they can share a few public IP addresses. The requests from the source address range are assigned to the addresses in the pool until the pool is used up, and any additional requests are rejected. A NAT address assigned to a host is used for all concurrent sessions from that host. The address is released to the pool only after all the sessions for that host expire. The dynamic-nat44 address-only option supports translating up to 16,777,216 addresses to a smaller size pool.

• napt-44—This option implements dynamic translation of source IP addresses with port mapping. You must specify a name for the source-pool statement. The referenced pool must include a port configuration (for NAPT). If the port is configured as automatic or a port range is specified, then it implies that network address and port translation (NAPT) is used.

• napt-66—This option implements dynamic address translation of source IP addresses with port mapping for IPv6 addresses. The configuration is similar to the napt-44 implementation, but with IPv6 addresses.

• napt-pt—This option implements dynamic address and port translation for source and static translation of destination IP addresses. You must specify the IPv4 addresses used for translation at the [edit services nat pool] hierarchy level. This pool must be referenced in the rule that translates the IPv6 addresses to IPv4. Moreover, you must configure two rules, one for the DNS traffic and the other for the rest of the traffic. The rule meant for the DNS traffic should be DNS ALG enabled and the dns-alg-prefix statement should be configured. Additionally, the prefix configured in the dns-alg-prefix statement must be used in the second rule to translate the destination IPv6 addresses to IPv4 addresses.

• stateful-nat64—This option implements dynamic address and port translation for source IP addresses and prefix removal translation for destination IP addresses. You must specify a name for the source-pool statement. The referenced pool must include a port configuration.

NOTE: When configuring NAT, if any traffic is destined for the following addresses and does not match a NAT flow or NAT rule, the traffic is dropped:
• Addresses specified in the from destination-address statement when you are using destination translation
• Addresses specified in the source NAT pool when you are using source translation

For more information on NAT methods, see RFC 2663, IP Network Address Translator (NAT) Terminology and Considerations.

Configuring NAT Rule Sets
The rule-set statement defines a collection of NAT rules that determine what actions the router software performs on packets in the data stream. You define each rule by specifying a rule name and configuring terms. Then, you specify the order of the rules by including the rule-set statement at the [edit services nat] hierarchy level with a rule statement for each rule:

rule-set rule-set-name {
    rule rule-name;
}

The router software processes the rules in the order in which you specify them in the configuration. If a term in a rule matches the packet, the router performs the corresponding action and the rule processing stops. If no term in a rule matches the packet, processing continues to the next rule in the rule set. If none of the rules match the packet, no NAT action is performed on the packet. If a packet is destined to a NAT pool address, it is dropped.

Configuring Static Source Translation in IPv4 Networks
To configure the translation type as basic-nat44, you must configure the NAT pool and rule, service set with service interface, and trace options. This topic includes the following tasks:
1. Configuring the NAT Pool and Rule on page 162
2. Configuring the Service Set for NAT on page 163
3. Configuring Trace Options on page 164

Configuring the NAT Pool and Rule
To configure the NAT pool, rule, and term:
1. In configuration mode, go to the [edit services nat] hierarchy level.
[edit]
user@host# edit services nat
2. Configure the NAT pool with an address.
[edit services nat]
user@host# set pool pool-name address address
In the following example, the pool name is src_pool and the address is 10.10.10.2/32.
[edit services nat]
user@host# set pool src_pool address 10.10.10.2/32
3. Configure the NAT rule and the match direction.
[edit services nat]
user@host# set rule rule-name match-direction match-direction
In the following example, the NAT rule name is rule-basic-nat44 and the match direction is input.
[edit services nat]
user@host# set rule rule-basic-nat44 match-direction input
4. Configure the source address in the from statement.
[edit services nat]
user@host# set rule rule-basic-nat44 term term-name from from
In the following example, the term name is t1 and the input condition is source-address 3.1.1.2/32.
[edit services nat]
user@host# set rule rule-basic-nat44 term t1 from source-address 3.1.1.2/32
5. Configure the NAT term action and properties of the translated traffic.
[edit services nat]

user@host# set rule rule-basic-nat44 term t1 then term-action translated-property
In the following example, the term action is translated and the property of the translated traffic is source-pool src_pool.
[edit services nat]
user@host# set rule rule-basic-nat44 term t1 then translated source-pool src_pool
6. Configure the translation type.
[edit services nat]
user@host# set rule rule-basic-nat44 term t1 then translated translation-type translation-type
In the following example, the translation type is basic-nat44.
[edit services nat]
user@host# set rule rule-basic-nat44 term t1 then translated translation-type basic-nat44
7. Verify the configuration by using the show command at the [edit services nat] hierarchy level.
[edit services]
user@host# show
nat {
    pool src_pool {
        address 10.10.10.2/32;
    }
    rule rule-basic-nat44 {
        match-direction input;
        term t1 {
            from {
                source-address {
                    3.1.1.2/32;
                }
            }
            then {
                translated {
                    source-pool src_pool;
                    translation-type {
                        basic-nat44;
                    }
                }
            }
        }
    }
}

Configuring the Service Set for NAT
To configure the service set for NAT:
1. In configuration mode, go to the [edit services] hierarchy level.
[edit]
user@host# edit services
2. Configure the service set.

[edit services]
user@host# edit service-set service-set-name
In the following example, the service set name is s1.
[edit services]
user@host# edit service-set s1
3. For the s1 service set, set the reference to the NAT rules configured at the [edit services nat] hierarchy level.
[edit services service-set s1]
user@host# set nat-rules rule-name
In the following example, the rule name is rule-basic-nat44.
[edit services service-set s1]
user@host# set nat-rules rule-basic-nat44
4. Configure the service interface.
[edit services service-set s1]
user@host# set interface-service service-interface service-interface-name
In the following example, the service interface name is ms-1/2/0.
[edit services service-set s1]
user@host# set interface-service service-interface ms-1/2/0

NOTE: If you have a Trio-based line card, you can configure an inline-services interface on that card:
[edit]
user@host# set interfaces si-0/0/0
[edit services service-set s1]
user@host# set interface-service service-interface si-0/0/0

5. Verify the configuration by using the show command at the [edit services] hierarchy level.
[edit services]
user@host# show
service-set s1 {
    nat-rules rule-basic-nat44;
    interface-service {
        service-interface ms-1/2/0;
    }
}

Configuring Trace Options
To configure the trace options at the [edit services adaptive-services-pics] hierarchy level:
1. In configuration mode, go to the [edit services adaptive-services-pics] hierarchy level.
[edit]
user@host# edit services adaptive-services-pics
2. Configure the trace options.

[edit services adaptive-services-pics]
user@host# set traceoptions flag tracing-parameter
In the following example, the tracing parameter is all.
[edit services adaptive-services-pics]
user@host# set traceoptions flag all
3. Verify the configuration by using the show command at the [edit services] hierarchy level.
[edit services]
user@host# show
adaptive-services-pics {
    traceoptions {
        flag all;
    }
}

Configuring Static Source Translation in IPv6 Networks
To configure the translation type as basic-nat66, you must configure the NAT pool and rule, service set with service interface, and trace options. This topic includes the following tasks:
1. Configuring the NAT Pool and Rule on page 165
2. Configuring the Service Set for NAT on page 167
3. Configuring Trace Options on page 167

Configuring the NAT Pool and Rule
To configure the NAT pool, rule, and term:
1. In configuration mode, go to the [edit services nat] hierarchy level.
[edit]
user@host# edit services nat
2. Configure the NAT pool with an address.
[edit services nat]
user@host# set pool pool-name address address
In the following example, the pool name is src_pool and the address is 10.10.10.2/32.
[edit services nat]
user@host# set pool src_pool address 10.10.10.2/32
3. Configure the NAT rule and the match direction.
[edit services nat]
user@host# set rule rule-name match-direction match-direction
In the following example, the rule name is rule-basic-nat66 and the match direction is input.
[edit services nat]
user@host# set rule rule-basic-nat66 match-direction input
4. Configure the source address in the from statement.

[edit services nat]
user@host# set rule rule-basic-nat66 term term-name from from
In the following example, the term name is t1 and the input condition is source-address 10:10:10::0/96.
[edit services nat]
user@host# set rule rule-basic-nat66 term t1 from source-address 10:10:10::0/96
5. Configure the NAT term action and properties of the translated traffic.
[edit services nat]
user@host# set rule rule-basic-nat66 term t1 then term-action translated-property
In the following example, the term action is translated and the property of the translated traffic is source-pool src_pool.
[edit services nat]
user@host# set rule rule-basic-nat66 term t1 then translated source-pool src_pool
6. Configure the translation type.
[edit services nat]
user@host# set rule rule-basic-nat66 term t1 then translated translation-type translation-type
In the following example, the translation type is basic-nat66.
[edit services nat]
user@host# set rule rule-basic-nat66 term t1 then translated translation-type basic-nat66
7. Verify the configuration by using the show command at the [edit services] hierarchy level.
[edit services]
user@host# show
nat {
    pool src_pool {
        address 10.10.10.2/32;
    }
    rule rule-basic-nat66 {
        match-direction input;
        term t1 {
            from {
                source-address {
                    10:10:10::0/96;
                }
            }
            then {
                translated {
                    source-pool src_pool;
                    translation-type {
                        basic-nat66;
                    }
                }
            }
        }
    }
}
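The processing described under Configuring Match Direction for NAT Rules and Configuring NAT Rule Sets above, applied to the rule-basic-nat44 configuration, as an added Python model (not code from the Junos guide): rules are walked in configured order, only rules whose match-direction equals the packet direction are considered, the first matching term's action ends processing, and a packet to a pool address that matches neither a flow nor a rule is dropped. The second rule (rule-exempt), the flow table and the remote addresses are constructed for the example.

```python
"""Added example (not from the Junos guide): a small model of NAT rule-set processing."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Verdict = Tuple[str, Optional[Tuple[str, str]]]   # (action, (new src, new dst) or None)


@dataclass
class Term:
    name: str
    source_address: Optional[str] = None        # from source-address prefix; None matches any
    destination_address: Optional[str] = None   # from destination-address prefix; None matches any
    no_translation: bool = False                # then no-translation
    source_pool: Optional[str] = None           # then translated source-pool
    translation_type: Optional[str] = None      # then translated translation-type

    def matches(self, src: str, dst: str) -> bool:
        if self.source_address and ip_address(src) not in ip_network(self.source_address, strict=False):
            return False
        if self.destination_address and ip_address(dst) not in ip_network(self.destination_address, strict=False):
            return False
        return True


@dataclass
class Rule:
    name: str
    match_direction: str        # "input" or "output"
    terms: List[Term]


@dataclass
class Packet:
    src: str
    dst: str
    direction: str              # set by the service set (interface or next-hop), see the match-direction criteria


class NatRuleSet:
    """Flow lookup first; then rules in configured order, first matching term wins and processing stops."""

    def __init__(self, rules: List[Rule], pools: Dict[str, str]) -> None:
        self.rules = rules
        self.pools = pools      # pool name -> its single address (address-only basic-nat44 pools)
        # (direction, src, dst) -> (action, new src, new dst); the reverse entry lets replies back in
        self.flows: Dict[Tuple[str, str, str], Tuple[str, str, str]] = {}

    def process(self, pkt: Packet) -> Verdict:
        key = (pkt.direction, pkt.src, pkt.dst)
        if key in self.flows:                      # known flow: no rule processing at all
            action, new_src, new_dst = self.flows[key]
            return action, (new_src, new_dst)
        for rule in self.rules:
            if rule.match_direction != pkt.direction:
                continue                           # only rules whose direction matches are considered
            for term in rule.terms:
                if not term.matches(pkt.src, pkt.dst):
                    continue
                if term.no_translation:
                    return self._install(pkt, "no-translation", pkt.src, pkt.dst)
                if term.source_pool is None:
                    raise ValueError(f"term {term.name} has no action")
                new_src = self.pools[term.source_pool]
                return self._install(pkt, f"translated:{term.translation_type}", new_src, pkt.dst)
            # no term of this rule matched: continue with the next rule in the rule set
        if pkt.dst in self.pools.values():
            return "dropped", None                 # destined to a NAT pool address, no flow and no rule
        return "no-nat", (pkt.src, pkt.dst)

    def _install(self, pkt: Packet, action: str, new_src: str, new_dst: str) -> Verdict:
        self.flows[(pkt.direction, pkt.src, pkt.dst)] = (action, new_src, new_dst)
        reverse_dir = "output" if pkt.direction == "input" else "input"
        self.flows[(reverse_dir, new_dst, new_src)] = (action, pkt.dst, pkt.src)
        return action, (new_src, new_dst)


def guide_rule_set() -> NatRuleSet:
    """The guide's rule-basic-nat44 plus a constructed second rule that exempts the rest of 3.1.1.0/24."""
    pools = {"src_pool": "10.10.10.2"}
    rules = [
        Rule("rule-basic-nat44", "input", [
            Term("t1", source_address="3.1.1.2/32", source_pool="src_pool", translation_type="basic-nat44")]),
        Rule("rule-exempt", "input", [Term("t1", source_address="3.1.1.0/24", no_translation=True)]),
    ]
    return NatRuleSet(rules, pools)


if __name__ == "__main__":
    rs = guide_rule_set()
    for pkt in [Packet("3.1.1.2", "198.51.100.7", "input"), Packet("198.51.100.7", "10.10.10.2", "output"),
                Packet("3.1.1.7", "198.51.100.7", "input"), Packet("203.0.113.9", "10.10.10.2", "output")]:
        print(pkt.direction, pkt.src, "->", pkt.dst, "=>", rs.process(pkt))
```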

Configuring the Service Set for NAT
To configure the service set for NAT:
1. In configuration mode, go to the [edit services] hierarchy level.
[edit]
user@host# edit services
2. Configure the service set.
[edit services]
user@host# edit service-set service-set-name
In the following example, the service set name is s1.
[edit services]
user@host# edit service-set s1
3. For the s1 service set, set the reference to the NAT rules configured at the [edit services nat] hierarchy level.
[edit services service-set s1]
user@host# set nat-rules rule-name
In the following example, the rule name is rule-basic-nat66.
[edit services service-set s1]
user@host# set nat-rules rule-basic-nat66
4. Configure the service interface.
[edit services service-set s1]
user@host# set interface-service service-interface service-interface-name
In the following example, the service interface name is sp-1/2/0.
[edit services service-set s1]
user@host# set interface-service service-interface sp-1/2/0
5. Verify the configuration by using the show command at the [edit services] hierarchy level.
[edit services]
user@host# show
service-set s1 {
    nat-rules rule-basic-nat66;
    interface-service {
        service-interface sp-1/2/0;
    }
}

Configuring Trace Options
To configure the trace options at the [edit services adaptive-services-pics] hierarchy level:
1. In configuration mode, go to the [edit services adaptive-services-pics] hierarchy level.
[edit]
user@host# edit services adaptive-services-pics

2. Configure the trace options.
[edit services adaptive-services-pics]
user@host# set traceoptions flag tracing-parameter
In the following example, the tracing parameter is all.
[edit services adaptive-services-pics]
user@host# set traceoptions flag all
3. Verify the configuration by using the show command at the [edit services] hierarchy level.
[edit services]
user@host# show
adaptive-services-pics {
    traceoptions {
        flag all;
    }
}

Configuring Dynamic Source Address and Port Translation in IPv4 Networks
Network Address Port Translation (NAPT) is a method by which many network addresses and their TCP/UDP ports are translated into a single network address and its TCP/UDP ports. This translation can be configured in both IPv4 and IPv6 networks. This section describes the steps for configuring NAPT in IPv4 networks.

To configure NAPT, you must configure a rule at the [edit services nat] hierarchy level for dynamically translating the source IPv4 addresses.

To configure NAPT in IPv4 networks:
1. In configuration mode, go to the [edit services] hierarchy level.
[edit]
user@host# edit services
2. Configure the service set and NAT rule.
[edit services]
user@host# set service-set service-set-name nat-rules rule-name
In the following example, the name of the service set is s1 and the name of the NAT rule is rule-napt-44.
[edit services]
user@host# set service-set s1 nat-rules rule-napt-44
3. Go to the [interface-service] hierarchy level of the service set.
[edit services]
user@host# edit service-set s1 interface-service
4. Configure the service interface.
[edit services service-set s1 interface-service]
user@host# set service-interface service-interface-name
In the following example, the name of the service interface is ms-0/1/0.

[edit services service-set s1 interface-service]
user@host# set service-interface ms-0/1/0

NOTE: If the service interface is not present in the router, or the specified interface is not functional, the following command can result in an error. Issue the command from the top of the services hierarchy, or use the top keyword.

5. Go to the [edit services nat] hierarchy level. In the command, the top keyword ensures that the command is run from the top of the hierarchy.
[edit services service-set s1 interface-service]
user@host# top edit services nat
6. Configure the NAT pool with an address.
[edit services nat]
user@host# set pool pool-name address address
In the following example, the name of the pool is napt-pool and the address is 10.10.10.0.
[edit services nat]
user@host# set pool napt-pool address 10.10.10.0
7. Configure the port.
[edit services nat]
user@host# set pool pool-name port port-type
In the following example, the port type is selected as automatic.
[edit services nat]
user@host# set pool napt-pool port automatic
8. Configure the rule and the match direction.
[edit services nat]
user@host# set rule rule-name match-direction match-direction
In the following example, the name of the rule is rule-napt-44 and the match direction is input.
[edit services nat]
user@host# set rule rule-napt-44 match-direction input
9. Configure the term, the action for the translated traffic, and the translation type.
[edit services nat]
user@host# set rule rule-name term term-name then translated translated-action translation-type translation-type
In the following example, the name of the term is t1, the action for the translated traffic is translated, the name of the source pool is napt-pool, and the translation type is napt-44.
[edit services nat]
user@host# set rule rule-napt-44 match-direction input term t1 then translated source-pool napt-pool translation-type napt-44
10. Go to the [edit services adaptive-services-pics] hierarchy level.

[edit services nat]
user@host# top edit services adaptive-services-pics
11. Configure the trace options.
[edit services adaptive-services-pics]
user@host# set traceoptions flag tracing-parameter
In the following example, the tracing parameter is configured as all.
[edit services adaptive-services-pics]
user@host# set traceoptions flag all
12. Verify the configuration by using the show command at the [edit services] hierarchy level.
[edit services]
user@host# show
service-set s1 {
    nat-rules rule-napt-44;
    interface-service {
        service-interface ms-0/1/0;
    }
}
nat {
    pool napt-pool {
        address 10.10.10.0/32;
        port {
            automatic;
        }
    }
    rule rule-napt-44 {
        match-direction input;
        term t1 {
            then {
                translated {
                    source-pool napt-pool;
                    translation-type {
                        napt-44;
                    }
                }
            }
        }
    }
}
adaptive-services-pics {
    traceoptions {
        flag all;
    }
}

Related Documentation
• Example: Configuring Dynamic Source Translation for an IPv4 Network on page 196

Configuring Advanced Options for Dynamic Source Address and Port Translation in IPv4 Networks
A number of configuration options provide you with greater flexibility and control when you configure dynamic source address and port translation. These include the following:

Chapter 10: Carrier-Grade NAT Configuration Guidelines

• address pooling—Assigning the same external address for all sessions originating from the same internal host. Address pooling applies when you use a pool of addresses. It does not imply anything about port assignment and does not specify what connections to accept from the outside. Any point-to-point (P2P) protocol that negotiates ports (assuming address stability) will benefit from address pooling paired.

Use Cases for Address Pooling

• Instant Messaging—The chat and control sessions of some IM clients should arrive from the same public source address. For example, when a particular chat client is first started, it authenticates with the chat server to identify the user. When the user starts a chat window, a new session is established. If the chat session originates from a source address that is different from the authentication session, it is not recognized as an authenticated session, and the server rejects the chat session.

• SSL—Certain websites such as online banking require that all connections from a given host (SSL or not) come from the same IP address. If they don’t, the server will reject them.

BEST PRACTICE: If a Session Initiation Protocol (SIP) client is sending Real-Time Transport Protocol (RTP) and Real-Time Control Protocol (RTCP) packets, it is expected that they come from the same IP address, even after they go through NAT. If the RTP and RTCP IP addresses are different, the receiving endpoint might drop packets. Otherwise, an alternate scheme should have been negotiated beforehand.

Configuration with Address Pooling Enabled

rule r1-address-pooling {
    match-direction input;
    term t1 {
        from {
            applications [ junos-sip junos-rtsp ];
        }
        then {
            translated {
                source-pool p1;
                translation-type {
                    napt-44;
                }
                address-pooling paired;
            }
        }
    }
}

• endpoint-independent mapping (EIM) and endpoint-independent filtering (EIF)—EIM creates address and port mapping from a private network to the public network. EIF

is the exact opposite: it creates mappings from a public IP address and port to a private IP address and port.

For example, a host in a private network opens an Internet connection with source IP address and port P1:p1 to a server. When a napt-44 rule with EIM and EIF enabled is matched for this session, a translated address and port, N1:n1, is allocated to this session and, because EIM is enabled, the following mapping is created:

P1:p1 ---> N1:n1

Any new connections to the same or a different server in the outside network that reuse the same private address and port are translated to N1:n1. In addition, because EIF is configured, another mapping is created for the inbound traffic:

N1:n1 ---> P1:p1

Note that EIF accepts an inbound packet to N1:n1 from any external address and port, not only from the server the host originally contacted, so it holds a pinhole through the NAT open for the lifetime of the mapping. That is the reason EIM and EIF should be restricted to the applications that need them.

NOTE: EIF can be configured only when EIM is configured.

BEST PRACTICE: EIM is no longer widely used, because many applications can now traverse NAT and receive inbound connections over the same outbound connection, and applications that need ALGs are still prevalent. If EIM is needed, only enable EIM for the applications that need it. In other words, it should be configured on a per-application basis, as shown in the following example.

rule sip-eim {
    match-direction input;
    term t1 {
        from {
            applications junos-sip;
        }
        then {
            translated {
                source-pool p1;
                translation-type {
                    source dynamic;
                }
                mapping-type endpoint-independent;
            }
        }
    }
}
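The following is an added example, not Junos code and not part of the original guide: a small Python model of the three behaviours described above (address-pooling paired, EIM, and EIF) so the difference between them can be observed on constructed traffic. The pool addresses, hosts, and ports are constructed for illustration; the port allocator and round-robin address choice are simplifications and are not how the services PIC allocates resources.

```python
"""Toy model of NAPT mapping behaviours: address-pooling paired,
endpoint-independent mapping (EIM) and endpoint-independent filtering (EIF).
Added example, not Junos code; all addresses and ports are constructed."""
from dataclasses import dataclass, field


@dataclass
class NaptTable:
    pool: list                  # external IPv4 addresses of the NAT pool (constructed)
    eim: bool = False           # endpoint-independent mapping
    eif: bool = False           # endpoint-independent filtering
    paired: bool = False        # address-pooling paired
    port_lo: int = 1024
    port_hi: int = 65535
    # mapping key -> (ext_ip, ext_port); the key depends on eim (see outbound)
    _maps: dict = field(default_factory=dict, init=False, repr=False)
    # (ext_ip, ext_port) -> (src_ip, src_port)
    _rev: dict = field(default_factory=dict, init=False, repr=False)
    # (ext_ip, ext_port) -> set of external endpoints the mapping has sent to
    _peers: dict = field(default_factory=dict, init=False, repr=False)
    _host_addr: dict = field(default_factory=dict, init=False, repr=False)  # paired: src_ip -> ext_ip
    _next_port: dict = field(default_factory=dict, init=False, repr=False)  # ext_ip -> next free port
    _rr: int = field(default=0, init=False, repr=False)                     # round-robin cursor

    def __post_init__(self):
        # Mirrors the NOTE above: EIF needs an EIM mapping to filter on.
        if self.eif and not self.eim:
            raise ValueError("EIF can be configured only when EIM is configured")

    def _pick_address(self, src_ip):
        if self.paired:
            # The same internal host always receives the same external address.
            if src_ip not in self._host_addr:
                self._host_addr[src_ip] = self.pool[len(self._host_addr) % len(self.pool)]
            return self._host_addr[src_ip]
        ext_ip = self.pool[self._rr % len(self.pool)]
        self._rr += 1
        return ext_ip

    def _alloc_port(self, ext_ip):
        port = self._next_port.get(ext_ip, self.port_lo)
        if port > self.port_hi:
            raise RuntimeError("port pool exhausted on " + ext_ip)
        self._next_port[ext_ip] = port + 1
        return port

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate an outbound flow and return the external (ip, port) it uses."""
        # EIM: one mapping per internal socket, reused for every destination.
        # Otherwise a fresh mapping per (internal socket, destination) pair.
        key = (src_ip, src_port) if self.eim else (src_ip, src_port, dst_ip, dst_port)
        if key not in self._maps:
            ext_ip = self._pick_address(src_ip)
            ext = (ext_ip, self._alloc_port(ext_ip))
            self._maps[key] = ext
            self._rev[ext] = (src_ip, src_port)
            self._peers[ext] = set()
        ext = self._maps[key]
        self._peers[ext].add((dst_ip, dst_port))
        return ext

    def inbound(self, ext_ip, ext_port, remote_ip, remote_port):
        """Return the internal (ip, port) an inbound packet is delivered to, or None if dropped."""
        ext = (ext_ip, ext_port)
        if ext not in self._rev:
            return None
        # EIF: any remote endpoint may use the mapping (the inbound pinhole).
        # Without EIF only endpoints the host already sent to through it are accepted.
        if self.eif or (remote_ip, remote_port) in self._peers[ext]:
            return self._rev[ext]
        return None


def demo():
    """Run identical traffic through a plain NAPT and one with paired + EIM + EIF."""
    pool = ["203.0.113.1", "203.0.113.2", "203.0.113.3"]
    tables = (("plain", NaptTable(pool=pool)),
              ("eim_eif_paired", NaptTable(pool=pool, eim=True, eif=True, paired=True)))
    out = {}
    for name, nat in tables:
        a = nat.outbound("10.0.0.5", 40000, "198.51.100.10", 5060)   # SIP signalling
        b = nat.outbound("10.0.0.5", 40000, "198.51.100.20", 5060)   # same socket, other server
        c = nat.outbound("10.0.0.5", 40002, "198.51.100.10", 10000)  # RTP from the same host
        out[name] = {
            "same_mapping_for_both_servers": a == b,
            "same_external_address_for_host": a[0] == c[0],
            "known_peer_accepted": nat.inbound(a[0], a[1], "198.51.100.10", 5060) == ("10.0.0.5", 40000),
            "unknown_peer_accepted": nat.inbound(a[0], a[1], "192.0.2.9", 9999) == ("10.0.0.5", 40000),
        }
    return out
```

Running demo() shows the plain table handing the same private socket two different external tuples for two servers and sending RTP from a different pool address than the signalling, while the paired/EIM/EIF table keeps one address per host and one mapping per socket, at the cost of accepting inbound packets to that mapping from an endpoint the host never talked to.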

Configuring Dynamic Source Address and Port Translation for IPv6 Networks

Network Address Port Translation (NAPT) is a method by which many network addresses and their TCP/UDP ports are translated into a single network address and its TCP/UDP ports. This translation can be configured in both IPv4 and IPv6 networks. For information about configuring NAPT in IPv4 networks, see “Configuring Dynamic Source Address and Port Translation in IPv4 Networks” on page 168. This section describes the steps for configuring NAPT in IPv6 networks.

To configure NAPT, you must configure a rule at the [edit services nat] hierarchy level for dynamically translating the source IPv6 addresses. To do this, define a term that uses napt-66 as the translation type and references the pool of source addresses. In addition, set the match-direction statement of the rule as input. For NAPT, also specify port numbers when configuring the source pool. Finally, define a service set to specify the services interface that must be used, and reference the NAT rule implemented for NAPT translation.

To configure NAPT in IPv6 networks:

1. In configuration mode, go to the [edit services nat] hierarchy level.

[edit]
user@host# edit services nat

2. Define the pool of IPv6 source addresses that must be used for dynamic translation.

[edit services nat]
user@host# set pool pool-name address IPv6-source-addresses
user@host# set pool pool-name port source-ports

For example:

[edit services nat]
user@host# set pool IPV6-NAPT-Pool address 2002::1/96
user@host# set pool IPV6-NAPT-Pool port automatic

3. Define a NAT rule for translating the source addresses. Set the match-direction statement of the rule as input, and define a term that uses napt-66 as the translation type for translating the addresses of the pool defined in the previous step.

[edit services nat]
user@host# set rule rule-name match-direction input
user@host# set rule rule-name term term-name then translated source-pool pool-name
user@host# set rule rule-name term term-name then translated translation-type napt-66

For example:

[edit services nat]
user@host# set rule IPV6-NAPT-Rule match-direction input
user@host# set rule IPV6-NAPT-Rule term t1 then translated source-pool IPV6-NAPT-Pool
user@host# set rule IPV6-NAPT-Rule term t1 then translated translation-type napt-66

4. Enter the up command to navigate to the [edit services] hierarchy level.

[edit services nat]
user@host# up

Junos 11. you must specify a source pool name. To use dynamic NAT. and the name of the NAT rule is rule-dynamic-nat44.service service-interface services interface user@host# set service-set service-set name nat-rules rule name For example: [edit services] user@host# set service-set IPV6-NAPT-ServiceSet interface. Configure the service interface. Configure the service set and NAT rule. Juniper Networks. . [edit] user@host# edit services 2. Go to the [interface-service] hierarchy level for the service set. the name of the service set is s1.service service-interface ms-0/1/0 user@host# set service-set IPV6-NAPT-ServiceSet nat-rules IPV6-NAPT-Rule 6. Inc.4 Services Interfaces Configuration Guide [edit services] user@host# set service-set service-set name interface. [edit services] user@host# edit service-set s1 interface-service 4. Define the trace options for the adaptive services PIC. which includes an address configuration. dynamic address translation (dynamic NAT) is a mechanism to dynamically translate the destination traffic without port mapping. To configure dynamic NAT in IPv4 networks: 1. In configuration mode. go to the [edit services] hierarchy level. [edit services service-set s1 interface-service] user@host# set service-interface service-interface-name 174 Copyright © 2011. [edit services] user@host# set service-set s1 nat-rules rule-dynamic-nat44 3. [edit services] user@host# set adaptive-services-pics traceoptions flag tracing parameter For example: [edit services] user@host# set adaptive-services-pics traceoptions flag all Related Documentation • Example: Configuring Dynamic Source Address and Port Translation for an IPv6 Network on page 197 Configuring Dynamic Address-Only Source Translation in IPv4 Networks In IPv4 networks. [edit services] user@host# set service-set service-set-name nat-rules rule-name In the following example.

In the following example, the name of the service interface is ms-0/1/0.

[edit services service-set s1 interface-service]
user@host# set service-interface ms-0/1/0

NOTE: If the service interface is not present in the router, or the specified interface is not functional, the following command can result in an error.

5. Go to the [edit services nat] hierarchy level. Issue the following command from the top of the services hierarchy, or use the top keyword. In the following command, the top keyword ensures that the command is run from the top of the hierarchy.

[edit services service-set s1 interface-service]
user@host# top edit services nat

6. Configure the NAT pool with an address.

[edit services nat]
user@host# set pool pool-name address address

In the following example, the name of the pool is source-dynamic-pool, and the address is 10.1.1.0/24.

[edit services nat]
user@host# set pool source-dynamic-pool address 10.1.1.0/24

7. Configure the rule, term, match direction, and source address.

[edit services nat]
user@host# set rule rule-name match-direction match-direction term term-name from source-address address

In the following example, the name of the rule is rule-dynamic-nat44, the match direction is input, the name of the term is t1, and the source address is 3.1.1.0/24.

[edit services nat]
user@host# set rule rule-dynamic-nat44 match-direction input term t1 from source-address 3.1.1.0/24

8. Go to the [edit services nat rule rule-dynamic-nat44 term t1] hierarchy level.

[edit services nat]
user@host# edit rule rule-dynamic-nat44 term t1

9. Configure the source pool and the translation type.

[edit services nat rule rule-dynamic-nat44 term t1]
user@host# set then translated source-pool source-pool-name translation-type translation-type

In the following example, the name of the source pool is source-dynamic-pool and the translation type is dynamic-nat44.

[edit services nat rule rule-dynamic-nat44 term t1]
user@host# set then translated source-pool source-dynamic-pool translation-type dynamic-nat44

10. Go to the [edit services adaptive-services-pics] hierarchy level.

[edit services nat rule rule-dynamic-nat44 term t1]
user@host# top edit services adaptive-services-pics

11. Configure the trace options.

[edit services adaptive-services-pics]
user@host# set traceoptions flag tracing-parameter

In the following example, the tracing parameter is configured as all.

[edit services adaptive-services-pics]
user@host# set traceoptions flag all

12. Verify the configuration by using the show command at the [edit services] hierarchy level. Note that the term references the pool with source-pool (dynamic-nat44 translates the source address only); a destination-pool here would be a different translation.

[edit services]
user@host# show
service-set s1 {
    nat-rules rule-dynamic-nat44;
    interface-service {
        service-interface ms-0/1/0;
    }
}
nat {
    pool source-dynamic-pool {
        address 10.1.1.0/24;
    }
    rule rule-dynamic-nat44 {
        match-direction input;
        term t1 {
            from {
                source-address {
                    3.1.1.0/24;
                }
            }
            then {
                translated {
                    source-pool source-dynamic-pool;
                    translation-type {
                        dynamic-nat44;
                    }
                }
            }
        }
    }
}
adaptive-services-pics {
    traceoptions {
        flag all;
    }
}

Related Documentation
• Example: Configuring Dynamic Address-Only Source Translation in an IPv4 Network on page 198

Configuring Static Destination Address Translation in IPv4 Networks

In IPv4 networks, destination address translation is a mechanism used to implement address translation for destination traffic without port mapping. To use destination address translation, you must specify a name for the destination-pool statement. The pool can contain multiple addresses, ranges, or prefixes, as long as the number of NAT addresses in the pool is at least the number of destination addresses in the from statement; that is, the size of the pool address space must be greater than or equal to the destination address space.

To configure destination address translation in IPv4 networks:

1. In configuration mode, go to the [edit services] hierarchy level.

[edit]
user@host# edit services

2. Configure the service set and the NAT rule.

[edit services]
user@host# set service-set service-set-name nat-rules rule-name

In the following example, the name of the service set is s1 and the name of the NAT rule is rule-dnat44.

[edit services]
user@host# set service-set s1 nat-rules rule-dnat44

3. Go to the [interface-service] hierarchy level of the service set.

[edit services]
user@host# edit service-set s1 interface-service

4. Configure the service interface.

[edit services service-set s1 interface-service]
user@host# set service-interface service-interface-name

In the following example, the name of the service interface is ms-0/1/0.

[edit services service-set s1 interface-service]
user@host# set service-interface ms-0/1/0

NOTE: If the service interface is not present in the router, or the specified interface is not functional, the following command can result in an error.

5. Go to the [edit services nat] hierarchy level. Issue the following command from the top of the services hierarchy, or use the top keyword.

[edit services service-set s1 interface-service]
user@host# top edit services nat

6. Configure the NAT pool with an address.

[edit services nat]
user@host# set pool pool-name address address

In the following example, dest-pool is used as the pool name and 4.1.1.2 as the address.

[edit services nat]
user@host# set pool dest-pool address 4.1.1.2

7. Configure the rule, term, match direction, and destination address.

[edit services nat]
user@host# set rule rule-name match-direction match-direction term term-name from destination-address address

In the following example, the name of the rule is rule-dnat44, the match direction is input, the name of the term is t1, and the address is 20.20.20.20.

[edit services nat]
user@host# set rule rule-dnat44 match-direction input term t1 from destination-address 20.20.20.20

8. Go to the [edit services nat rule rule-dnat44 term t1] hierarchy level.

[edit services nat]
user@host# edit rule rule-dnat44 term t1

9. Configure the destination pool and the translation type.

[edit services nat rule rule-dnat44 term t1]
user@host# set then translated destination-pool dest-pool-name translation-type translation-type

In the following example, the destination pool name is dest-pool, and the translation type is dnat-44.

[edit services nat rule rule-dnat44 term t1]
user@host# set then translated destination-pool dest-pool translation-type dnat-44

10. Go to the [edit services adaptive-services-pics] hierarchy level. In the following command, the top keyword ensures that the command is run from the top of the hierarchy.

[edit services nat rule rule-dnat44 term t1]
user@host# top edit services adaptive-services-pics

11. Configure the trace options.

[edit services adaptive-services-pics]
user@host# set traceoptions flag tracing-parameter

In the following example, the tracing parameter is configured as all.

[edit services adaptive-services-pics]
user@host# set traceoptions flag all

12. Verify the configuration by using the show command at the [edit services] hierarchy level.

[edit services]
user@host# show
service-set s1 {
    nat-rules rule-dnat44;
    interface-service {
        service-interface ms-0/1/0;
    }
}
nat {

    pool dest-pool {
        address 4.1.1.2/32;
    }
    rule rule-dnat44 {
        match-direction input;
        term t1 {
            from {
                destination-address {
                    20.20.20.20/32;
                }
            }
            then {
                translated {
                    destination-pool dest-pool;
                    translation-type {
                        dnat-44;
                    }
                }
            }
        }
    }
}
adaptive-services-pics {
    traceoptions {
        flag all;
    }
}

Related Documentation
• Example: Configuring Static Destination Address Translation on page 199

Configuring Port Forwarding for Static Destination Address Translation

Starting with Junos OS Release 11.4, you can map an external IP address and port to an IP address and port in a private network. This allows the destination address and port of a packet to be changed so that it reaches the right host behind a Network Address Translation (NAT) gateway.

Port forwarding is supported only with dnat-44 and twice-napt-44 on IPv4 networks. Port forwarding works only with the FTP application-level gateway (ALG). Port forwarding is not supported with endpoint-independent mapping (EIM), endpoint-independent filtering (EIF), or address-pooling paired (AP-P). Port forwarding has no support for technologies such as IPv6 rapid deployment (6rd) and dual-stack lite (DS-Lite) that offer IPv6 services over IPv4 infrastructure.

To configure port forwarding for static destination address translation in IPv4 networks:

1. In configuration mode, go to the [edit services nat] hierarchy level.

[edit]
user@host# edit services nat

2. Configure the NAT pool with an address.

[edit services nat]
user@host# set pool pool-name address address

In the following example, dest-pool is used as the pool name and 4.1.1.2 as the address.

[edit services nat]
user@host# set pool dest-pool address 4.1.1.2

3. Configure the rule, term, match direction, and destination address.

[edit services nat]
user@host# set rule rule-name match-direction match-direction term term-name from destination-address address

In the following example, the name of the rule is rule-dnat44, the match direction is input, the name of the term is t1, and the address is 20.20.20.20.

[edit services nat]
user@host# set rule rule-dnat44 match-direction input term t1 from destination-address 20.20.20.20

4. Configure the destination port range.

[edit services nat]
user@host# set rule rule-name match-direction match-direction term term-name from destination-port range high high-port low low-port

In the following example, the upper end of the port range is 50 and the lower end is 20.

[edit services nat]
user@host# set rule rule-dnat44 match-direction input term t1 from destination-port range high 50 low 20

5. Go to the [edit services nat rule rule-dnat44 term t1] hierarchy level.

[edit services nat]
user@host# edit rule rule-dnat44 term t1

6. Configure the destination pool.

[edit services nat rule rule-dnat44 term t1]
user@host# set then translated destination-pool dest-pool-name

In the following example, the destination pool name is dest-pool.

[edit services nat rule rule-dnat44 term t1]
user@host# set then translated destination-pool dest-pool

7. Configure the mapping for port forwarding and the translation type. The port-forwarding map is referenced directly under then; the translation type belongs under then translated, as the show output in step 10 confirms.

[edit services nat rule rule-dnat44 term t1]
user@host# set then port-forwarding-mappings map-name
user@host# set then translated translation-type translation-type

In the following example, the port forwarding map name is map1, and the translation type is dnat-44.

[edit services nat rule rule-dnat44 term t1]
user@host# set then port-forwarding-mappings map1
user@host# set then translated translation-type dnat-44

8. Go to the [edit services nat port-forwarding map1] hierarchy level.

[edit services nat rule rule-dnat44 term t1]
user@host# top edit services nat port-forwarding map1

9. Configure the mapping for port forwarding.

[edit services nat port-forwarding map1]
user@host# set destined-port port-id
user@host# set translated-port port-id

In the following example, the destined port is 45 and the translated port is 23.

[edit services nat port-forwarding map1]
user@host# set destined-port 45
user@host# set translated-port 23

NOTE:
• Multiple port mappings are supported with port forwarding. Up to 32 port maps can be configured for port forwarding.
• The destined port should not overlap the port range configured for NAT.

10. Verify the configuration by using the show command at the [edit services] hierarchy level.

[edit services]
user@host# show
nat {
    pool dest-pool {
        address 4.1.1.2/32;
    }
    rule rule-dnat44 {
        match-direction input;
        term t1 {
            from {
                destination-address {
                    20.20.20.20/32;
                }
                destination-port {
                    range low 20 high 50;
                }
            }
            then {
                port-forwarding-mappings map1;
                translated {
                    destination-pool dest-pool;
                    translation-type {
                        dnat-44;
                    }
                }
            }
        }
    }
    port-forwarding map1 {
        destined-port 45;
        translated-port 23;
    }
}
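The following added example, not Junos code and not part of the original guide, applies the static dnat-44 rule and port-forwarding map built above to a few constructed packets, and checks the constraints the notes list (dnat-44 or twice-napt-44 only, no EIM/EIF/AP-P, at most 32 maps). It also covers the rule stated in “Configuring Static Destination Address Translation in IPv4 Networks” that the destination pool must be at least as large as the destination address space. The 1:1 address mapping by list position is a simplification for the single /32 addresses used in the procedure.

```python
"""Added example (not Junos code): static destination NAT (dnat-44) with
port forwarding applied to constructed sample packets, plus a checker for the
constraints stated in the procedure. Rule values are those of the procedure
above (20.20.20.20 -> 4.1.1.2, ports 20-50, destined-port 45 -> translated-port 23)."""
import ipaddress

MAX_PORT_MAPS = 32   # limit stated in the NOTE above


def check_port_forwarding(translation_type, mappings, eim=False, eif=False, paired=False):
    """Return a list of configuration errors (empty when the mapping set is usable)."""
    errors = []
    if translation_type not in ("dnat-44", "twice-napt-44"):
        errors.append("port forwarding requires dnat-44 or twice-napt-44, not " + translation_type)
    if eim or eif or paired:
        errors.append("port forwarding cannot be combined with EIM, EIF or address-pooling paired")
    if len(mappings) > MAX_PORT_MAPS:
        errors.append("at most %d port mappings are supported" % MAX_PORT_MAPS)
    seen = set()
    for destined, translated in mappings:
        if not (1 <= destined <= 65535 and 1 <= translated <= 65535):
            errors.append("port out of range in mapping %d -> %d" % (destined, translated))
        if destined in seen:
            errors.append("destined-port %d mapped twice" % destined)
        seen.add(destined)
    return errors


def build_dnat44_rule(from_prefixes, port_low, port_high, pool, mappings):
    """Static destination translation: the i-th matched prefix maps to the i-th pool
    address, so the pool must hold at least as many addresses as the from clause lists."""
    froms = [ipaddress.IPv4Network(p) for p in from_prefixes]
    pools = [ipaddress.IPv4Address(a) for a in pool]
    if len(pools) < len(froms):
        raise ValueError("destination pool is smaller than the destination address space")
    return {"from": froms, "ports": (port_low, port_high), "pool": pools, "maps": dict(mappings)}


def apply_dnat44(rule, dst_ip, dst_port):
    """Translate one packet's destination; packets the rule does not match are returned unchanged."""
    addr = ipaddress.IPv4Address(dst_ip)
    low, high = rule["ports"]
    for i, net in enumerate(rule["from"]):
        if addr in net and low <= dst_port <= high:
            # The address is always rewritten; the port only when a port-forwarding map names it.
            return str(rule["pool"][i]), rule["maps"].get(dst_port, dst_port)
    return dst_ip, dst_port


def demo():
    """Constructed packets against the procedure's rule: forwarded port, plain dnat-44,
    a port outside the range, and a non-matching address."""
    rule = build_dnat44_rule(["20.20.20.20/32"], 20, 50, ["4.1.1.2"], [(45, 23)])
    packets = [("20.20.20.20", 45), ("20.20.20.20", 30), ("20.20.20.20", 80), ("20.20.20.21", 45)]
    return [apply_dnat44(rule, ip, port) for ip, port in packets]
```

Only the packet to port 45 has its port rewritten; port 30 is inside the matched range and is translated address-only, and traffic to port 80 or to another address is not touched by the rule at all, which is the behaviour to expect when a forwarded service appears unreachable: check the destination-port range before the map.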

NOTE:
• A similar configuration is possible with twice NAT for IPv4. See “Example: Configuring Port Forwarding with Twice NAT” on page 215.
• Port forwarding and stateful firewall can be configured together. Stateful firewall has precedence over port forwarding.

Related Documentation
• Example: Configuring Static Destination Address Translation on page 199

Configuring Translation Type for Translation Between IPv6 and IPv4 Networks

To configure the translation type as basic-nat-pt, you must configure the DNS ALG application, NAT pools and rules, a service set with a service interface, and trace options. This topic includes the following tasks:

1. Configuring the DNS ALG Application on page 182
2. Configuring the NAT Pool and NAT Rule on page 183
3. Configuring the Service Set for NAT on page 186
4. Configuring Trace Options on page 187

Configuring the DNS ALG Application

To configure the DNS ALG application:

1. In configuration mode, go to the [edit applications] hierarchy level.

[edit]
user@host# edit applications

2. Configure the ALG to which the DNS traffic is destined at the [edit applications] hierarchy level. Define the application name and specify the application protocol to use in match conditions in the first NAT rule or term.

[edit applications]
user@host# set application application-name application-protocol application-protocol

In the following example, the application name is dns_alg and the application protocol is dns. The NAT rule configured in the next task references the application by this name, so the two must match exactly.

[edit applications]
user@host# set application dns_alg application-protocol dns

3. Verify the configuration by using the show command at the [edit applications] hierarchy level.

[edit applications]
user@host# show
application dns_alg {
    application-protocol dns;
}

Configuring the NAT Pool and NAT Rule

To configure the NAT pool and NAT rule:

1. In configuration mode, go to the [edit services nat] hierarchy level.

[edit]
user@host# edit services nat

2. Configure the NAT pool and its address.

[edit services nat]
user@host# set pool pool-name address address

In the following example, the name of the NAT pool is p1 and the address is 10.10.10.1/32.

[edit services nat]
user@host# set pool p1 address 10.10.10.1/32

3. Configure the source pool and its address.

[edit services nat]
user@host# set pool source-pool-name address address

In the following example, the name of the source pool is src_pool0 and the source pool address is 20.1.1.1/32.

[edit services nat]
user@host# set pool src_pool0 address 20.1.1.1/32

4. Configure the destination pool and its address.

[edit services nat]
user@host# set pool destination-pool-name address address

In the following example, the name of the destination pool is dst_pool0 and the destination pool address is 50.1.1.2/32.

[edit services nat]
user@host# set pool dst_pool0 address 50.1.1.2/32

5. Configure the rule and the match direction.

[edit services nat]
user@host# set rule rule-name match-direction match-direction

In the following example, the rule name is rule-basic-nat-pt and the match direction is input.

[edit services nat]
user@host# set rule rule-basic-nat-pt match-direction input

6. Configure the term and the input conditions for the NAT term.

[edit services nat]
user@host# set rule rule-basic-nat-pt term term-name from match-conditions

In the following example, the term is t1 and the input conditions are source-address 2000::2/128, destination-address 4000::2/128, and applications dns_alg.

[edit services nat]

user@host# set rule rule-basic-nat-pt term t1 from source-address 2000::2/128
[edit services nat]
user@host# set rule rule-basic-nat-pt term t1 from destination-address 4000::2/128
[edit services nat]
user@host# set rule rule-basic-nat-pt term t1 from applications dns_alg

7. Configure the NAT term action and the properties of the translated traffic.

[edit services nat]
user@host# set rule rule-basic-nat-pt term t1 then term-action translated-property

In the following example, the term action is translated and the properties of the translated traffic are source-pool src_pool0, destination-pool dst_pool0, and dns-alg-prefix 10:10:10::0/96.

[edit services nat]
user@host# set rule rule-basic-nat-pt term t1 then translated source-pool src_pool0
[edit services nat]
user@host# set rule rule-basic-nat-pt term t1 then translated destination-pool dst_pool0
[edit services nat]
user@host# set rule rule-basic-nat-pt term t1 then translated dns-alg-prefix 10:10:10::0/96

8. Configure the translation type.

[edit services nat]
user@host# set rule rule-basic-nat-pt term t1 then translated translation-type translation-type

In the following example, the translation type is basic-nat-pt.

[edit services nat]
user@host# set rule rule-basic-nat-pt term t1 then translated translation-type basic-nat-pt

9. Configure another term and the input conditions for the NAT term.

[edit services nat]
user@host# set rule rule-basic-nat-pt term term-name from match-conditions

In the following example, the term name is t2 and the input conditions are source-address 2000::2/128 and destination-address 10:10:10::0/96.

[edit services nat]
user@host# set rule rule-basic-nat-pt term t2 from source-address 2000::2/128
[edit services nat]
user@host# set rule rule-basic-nat-pt term t2 from destination-address 10:10:10::0/96

10. Configure the NAT term action and the property of the translated traffic.

[edit services nat]
user@host# set rule rule-basic-nat-pt term t2 then term-action translated-property

In the following example, the term action is translated and the property of the translated traffic is source-prefix 19.19.19.1/32.

[edit services nat]
user@host# set rule rule-basic-nat-pt term t2 then translated source-prefix 19.19.19.1/32

11. Configure the translation type.

[edit services nat]
user@host# set rule rule-basic-nat-pt term t2 then translated translation-type translation-type

In the following example, the translation type is basic-nat-pt.

[edit services nat]
user@host# set rule rule-basic-nat-pt term t2 then translated translation-type basic-nat-pt

12. Verify the configuration by using the show command at the [edit services nat] hierarchy level.

[edit services nat]
user@host# show
pool p1 {
    address 10.10.10.1/32;
}
pool src_pool0 {
    address 20.1.1.1/32;
}
pool dst_pool0 {
    address 50.1.1.2/32;
}
rule rule-basic-nat-pt {
    match-direction input;
    term t1 {
        from {
            source-address {
                2000::2/128;
            }
            destination-address {
                4000::2/128;
            }
            applications dns_alg;
        }
        then {
            translated {
                source-pool src_pool0;
                destination-pool dst_pool0;
                dns-alg-prefix 10:10:10::0/96;
                translation-type {
                    basic-nat-pt;
                }
            }
        }
    }
    term t2 {
        from {
            source-address {
                2000::2/128;
            }
            destination-address {
                10:10:10::0/96;
            }
        }
        then {
            translated {
                source-prefix 19.19.19.1/32;
                translation-type {
                    basic-nat-pt;
                }
            }
        }
    }
}

Configuring the Service Set for NAT

To configure the service set for NAT:

1. In configuration mode, go to the [edit services] hierarchy level.

[edit]
user@host# edit services

2. Configure the service set.

[edit services]
user@host# edit service-set service-set-name

In the following example, the name of the service set is ss_dns.

[edit services]
user@host# edit service-set ss_dns

3. Configure the service set with NAT rules.

[edit services service-set ss_dns]
user@host# set nat-rules rule-name

In the following example, the rule name is rule-basic-nat-pt.

[edit services service-set ss_dns]
user@host# set nat-rules rule-basic-nat-pt

4. Configure the service interface.

[edit services service-set ss_dns]
user@host# set interface-service service-interface service-interface-name

In the following example, the name of the service interface is sp-1/2/0.

[edit services service-set ss_dns]
user@host# set interface-service service-interface sp-1/2/0

5. Verify the configuration by using the show services command from the [edit] hierarchy level.

[edit]
user@host# show services
service-set ss_dns {
    nat-rules rule-basic-nat-pt;
    interface-service {
        service-interface sp-1/2/0;
    }
}

Configuring Trace Options

To configure the trace options at the [edit services adaptive-services-pics] hierarchy level:

1. In configuration mode, go to the [edit services adaptive-services-pics] hierarchy level.

[edit]
user@host# edit services adaptive-services-pics

2. Configure the trace options.

[edit services adaptive-services-pics]
user@host# set traceoptions flag tracing-parameter

In the following example, the tracing parameter is all.

[edit services adaptive-services-pics]
user@host# set traceoptions flag all

3. Verify the configuration by using the show command at the [edit services] hierarchy level.

[edit services]
user@host# show
adaptive-services-pics {
    traceoptions {
        flag all;
    }
}

Configuring NAT-PT

To configure Network Address Translation–Protocol Translation (NAT-PT), you must configure a Domain Name System application-level gateway (DNS ALG) application to map the addresses returned in the DNS response to IPv6 addresses. DNS ALG is used with NAT-PT to facilitate name-to-address mapping. When configuring NAT-PT, network address translation can be either an address-only translation or an address and port translation. The Junos OS implementation is described in RFC 2766 and RFC 2694. Note that RFC 2766 was later moved to Historic status by RFC 4966, largely because of the operational and security problems of the DNS ALG approach; stateful NAT64, described in the next section, is the successor mechanism for IPv6-only clients reaching IPv4 servers.

Before you begin configuring NAT-PT with DNS ALG, you must have the following configured:

• NAT with two rules, or one rule with two terms. The first NAT rule or term ensures that the DNS query and response packets are translated correctly. For this rule to work, you must configure a DNS ALG application and reference it in the first rule. The second rule or term is required to ensure that NAT sessions are destined to the address mapped by the DNS ALG application.

• A service set that references the first NAT rule or term and a multiservices interface.

To configure NAT-PT with DNS ALG:

1. Configure the DNS session that processes packets to the DNS server:

a. Configure the ALG to which the DNS traffic is destined at the [edit applications] hierarchy level. Define the application name and specify the application protocol to use in match conditions in the first NAT rule or term.

[edit applications]
user@host# set application application-name application-protocol application-protocol

For example:

[edit applications]
user@host# set application dns_alg application-protocol dns

b. Reference the ALG in the first NAT rule or term.

[edit services nat rule rule-name term term-name]
user@host# set from applications application-name

In the following example, the application name is dns_alg.

[edit services nat rule rule1 term term1]
user@host# set from applications dns_alg

c. Define the DNS ALG pool or prefix for mapping IPv4 addresses to IPv6 addresses.

[edit services nat rule rule-name term term-name]
user@host# set then translated dns-alg-prefix dns-alg-prefix
user@host# set then translated dns-alg-pool dns-alg-pool

The following example shows the configuration of the 96-bit prefix for mapping IPv4 addresses to IPv6 addresses.

[edit services nat rule rule1 term term1]
user@host# set then translated dns-alg-prefix 10:10:10::0/96

The following sample output shows the minimum configuration of the application.

[edit applications]
user@host# show
application dns_alg {
    application-protocol dns;
}

The following sample output shows the minimum configuration of the first NAT rule.

[edit services nat]
user@host# show
rule rule1 {
    term term1 {
        from {
            applications dns_alg;
        }
        then {
            translated {
                dns-alg-prefix 10:10:10::0/96;
            }
        }
    }
}

The following sample output shows the minimum configuration of the second NAT rule. The destination address 10:10:10::c0a8:108 is the IPv4 address 192.168.1.8 carried in the low 32 bits of the 10:10:10::0/96 DNS ALG prefix, which is the form of AAAA answer the ALG synthesizes for the IPv6 client.

[edit services nat]
user@host# show
rule rule2 {
    term term1 {
        from {
            destination-address {
                10:10:10::c0a8:108/128;
            }
        }
        then {
            translated {
                source-prefix 19.19.19.1/32;
            }
        }
    }
}

Related Documentation
• Network Address Translation Overview on page 48
• Example: Configuring NAT-PT on page 202
• dns-alg-prefix on page 246
• dns-alg-pool on page 246

Configuring Dynamic Source Address and Static Destination Address Translation (IPv6 to IPv4)

Stateful NAT64 is a mechanism to move to an IPv6 network and at the same time deal with IPv4 address depletion. By allowing IPv6-only clients to contact IPv4 servers using unicast UDP, TCP, or ICMP, stateful NAT64 translates incoming IPv6 packets into IPv4, and vice versa. Because the source translation is dynamic, many IPv6-only clients share the same public IPv4 address from the NAT64 source pool.

To configure stateful NAT64, you must configure a rule at the [edit services nat] hierarchy level for translating the source address dynamically and the destination address statically.

To configure stateful NAT64:

1. In configuration mode, go to the [edit services nat] hierarchy level:

[edit]
user@host# edit services nat

2. Define the pool of source addresses to be used for dynamic translation.

[edit services nat]
user@host# set pool pool-name address source-addresses
user@host# set pool pool-name port source-ports

For example:

[edit services nat]
user@host# set pool src-pool-nat64 address 203.0.113.0/24
user@host# set pool src-pool-nat64 port automatic

3. Define a NAT rule for translating the source addresses. Set the match-direction statement of the rule as input. Then define a term that uses stateful-nat64 as the translation type for translating the addresses of the pool defined in the previous step. The destination-prefix is the /96 prefix in which the IPv6 clients address IPv4 servers; 64:FF9B::/96 is the well-known NAT64 prefix defined in RFC 6052, which must not be used to represent non-global (for example, RFC 1918) IPv4 addresses, so use a network-specific prefix if the IPv4 side is private address space.

[edit services nat]
user@host# set rule rule-name match-direction input
user@host# set rule rule-name term term-name from source-address source-address
user@host# set rule rule-name term term-name from destination-address destination-address
user@host# set rule rule-name term term-name then translated source-pool pool-name
user@host# set rule rule-name term term-name then translated destination-prefix destination-prefix
user@host# set rule rule-name term term-name then translated translation-type stateful-nat64

For example:

[edit services nat]
user@host# set rule stateful-nat64 match-direction input
user@host# set rule stateful-nat64 term t1 from source-address 2001:DB8::0/96
user@host# set rule stateful-nat64 term t1 from destination-address 64:FF9B::/96
user@host# set rule stateful-nat64 term t1 then translated source-pool src-pool-nat64
user@host# set rule stateful-nat64 term t1 then translated destination-prefix 64:FF9B::/96
user@host# set rule stateful-nat64 term t1 then translated translation-type stateful-nat64

Related Documentation
• Example: Configuring Dynamic Source Address and Static Destination Address Translation (IPv6 to IPv4) on page 201

   [edit services nat]
   user@host# set pool pool-name address address

   In the following example, dest-pool is used as the pool name and 4.1.1.2 as the address.

   user@host# set pool dest-pool address 4.1.1.2

3. Configure the rule, match direction, term, and destination address.

   [edit services nat]
   user@host# set rule rule-name match-direction match-direction term term-name from destination-address address

   In the following example, the name of the rule is rule-dnat44, the match direction is input, the name of the term is t1, and the address is 20.20.20.20.

   [edit services nat]
   user@host# set rule rule-dnat44 match-direction input term t1 from destination-address 20.20.20.20

4. Configure the destination port range.

   [edit services nat]
   user@host# set rule rule-name match-direction match-direction term term-name from destination-port range range high | low

   In the following example, the upper port range is 50 and the lower port range is 20.

   [edit services nat]
   user@host# set rule rule-dnat44 match-direction input term t1 from destination-port range range high 50 low 20

5. Go to the [edit services nat rule rule-dnat44 term t1] hierarchy level.

   [edit services nat]
   user@host# edit rule rule-dnat44 term t1

6. Configure the destination pool.

   [edit services nat rule rule-dnat44 term t1]
   user@host# set then translated destination-pool dest-pool-name

   In the following example, the destination pool name is dest-pool.

   [edit services nat rule rule-dnat44 term t1]
   user@host# set then translated destination-pool dest-pool

7. Configure the mapping for port forwarding and the translation type.

   [edit services nat rule rule-dnat44 term t1]
   user@host# set then port-forwarding-mappings map-name translation-type translation-type

   In the following example, the port forwarding map name is map1, and the translation type is dnat-44.

   [edit services nat rule rule-dnat44 term t1]
   user@host# set then port-forwarding-mappings map1 translation-type dnat-44

8. Go to the [edit services nat port-forwarding map1] hierarchy level.

   [edit services nat]
   user@host# edit port-forwarding map1

9. Configure the mapping for port forwarding.

   [edit port-forwarding map1]
   user@host# set destined-port port-id
   user@host# set translated-port port-id

   In the following example, the destination port is 45 and the translated port is 23.

   [edit port-forwarding map1]
   user@host# set destined-port 45
   user@host# set translated-port 23

   NOTE:
   • Multiple port mappings are supported with port forwarding. Up to 32 port maps can be configured for port forwarding.
   • The destination port should not overlap the port range configured for NAT.

10. Verify the configuration by using the show command at the [edit services nat] hierarchy level.

   [edit services]
   user@host# show
   nat {
       pool dest-pool {
           address 4.1.1.2/32;
       }
       rule rule-dnat44 {
           match-direction input;
           term t1 {
               from {
                   destination-address {
                       20.20.20.20/32;
                   }
                   destination-port {
                       range low 20 high 50;
                   }
               }
               then {
                   port-forwarding-mappings map1;
                   translated {
                       destination-pool dest-pool;
                       translation-type {
                           dnat-44;
                       }
                   }
               }
           }
       }
       port-forwarding map1 {
           destined-port 45;
           translated-port 23;
       }
   }
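The stateful NAT64 procedure above names the two halves of the translation (dynamic source address and port from the pool, static destination by stripping the /96 prefix) but does not show what the session table does with a packet and its reply. The following Python model is an added example written for this page; it is not Junos code or Juniper's implementation. It reuses the values from the procedure (pool 203.0.113.0/24 with port automatic, source 2001:db8::/96, destination prefix 64:ff9b::/96). The port allocation order, the 5-tuple session key, the client addresses, and the IPv4 server 198.51.100.1 are constructed choices of this example.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Values from the stateful NAT64 procedure on this page.
SRC_POOL = ipaddress.ip_network("203.0.113.0/24")       # pool src-pool-nat64, port automatic
CLIENT_PREFIX = ipaddress.ip_network("2001:db8::/96")  # term t1 from source-address
DEST_PREFIX = ipaddress.ip_network("64:ff9b::/96")     # from destination-address and destination-prefix

Session = Tuple[str, int, str, int, str]  # (src, sport, dst, dport, proto)


def embed_v4(prefix: ipaddress.IPv6Network, v4: str) -> str:
    """Place an IPv4 address in the low 32 bits of a /96 IPv6 prefix."""
    return str(ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(v4))))


def extract_v4(prefix: ipaddress.IPv6Network, v6: str) -> str:
    """Static destination translation: strip the /96 prefix to get the IPv4 address."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in prefix:
        raise ValueError(f"{v6} is not under {prefix}")
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFF_FFFF))


class StatefulNat64:
    """Session table for one stateful-nat64 term (constructed model, not Junos code).
    Source: dynamic address and port from the pool. Destination: static, by prefix.
    Port allocation order and the 5-tuple session key are assumptions of this example."""

    def __init__(self, pool: ipaddress.IPv4Network, first_port: int = 1024, last_port: int = 65535) -> None:
        self.addrs = [str(a) for a in pool.hosts()]
        self.first_port, self.last_port = first_port, last_port
        self.next_addr, self.next_port = 0, first_port
        self.out: Dict[Session, Tuple[str, int]] = {}   # IPv6 session -> (pool address, pool port)
        self.back: Dict[Session, Tuple[str, int]] = {}  # IPv4 reply 5-tuple -> (client address, client port)

    def _allocate(self) -> Tuple[str, int]:
        """'port automatic': next free port on the current pool address, then the next address."""
        if self.next_addr >= len(self.addrs):
            raise RuntimeError("pool exhausted")
        binding = (self.addrs[self.next_addr], self.next_port)
        self.next_port += 1
        if self.next_port > self.last_port:
            self.next_addr, self.next_port = self.next_addr + 1, self.first_port
        return binding

    def translate_out(self, src6: str, sport: int, dst6: str, dport: int,
                      proto: str) -> Optional[Tuple[str, int, str, int]]:
        """IPv6 -> IPv4. Returns None when the term's from conditions do not match."""
        src6, dst6 = str(ipaddress.IPv6Address(src6)), str(ipaddress.IPv6Address(dst6))
        if ipaddress.IPv6Address(src6) not in CLIENT_PREFIX or ipaddress.IPv6Address(dst6) not in DEST_PREFIX:
            return None
        dst4 = extract_v4(DEST_PREFIX, dst6)
        key = (src6, sport, dst6, dport, proto)
        if key not in self.out:
            pool_addr, pool_port = self._allocate()
            self.out[key] = (pool_addr, pool_port)
            # The reply arrives from the IPv4 server to the pool address and port.
            self.back[(dst4, dport, pool_addr, pool_port, proto)] = (src6, sport)
        pool_addr, pool_port = self.out[key]
        return (pool_addr, pool_port, dst4, dport)

    def translate_in(self, src4: str, sport: int, dst4: str, dport: int,
                     proto: str) -> Optional[Tuple[str, int, str, int]]:
        """IPv4 reply -> IPv6. Only packets that match an existing session are translated back."""
        client = self.back.get((src4, sport, dst4, dport, proto))
        if client is None:
            return None  # no state for this 5-tuple: nothing to forward to an IPv6 client
        return (embed_v4(DEST_PREFIX, src4), sport, client[0], client[1])


if __name__ == "__main__":
    nat = StatefulNat64(SRC_POOL)
    server6 = embed_v4(DEST_PREFIX, "198.51.100.1")  # constructed IPv4 server, as seen from IPv6
    print(nat.translate_out("2001:db8::1", 40000, server6, 80, "tcp"))
    print(nat.translate_out("2001:db8::2", 40000, server6, 80, "tcp"))  # shares 203.0.113.1
    print(nat.translate_in("198.51.100.1", 80, "203.0.113.1", 1024, "tcp"))
```

Two clients end up behind the same pool address, distinguished only by the allocated port, which is the sharing the section describes; a reply that does not match a stored 5-tuple is dropped rather than guessed.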
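The NOTE in step 9 states two limits (at most 32 port maps, and a destined-port that must not overlap the port range configured for NAT) that a reviewer would want to check before commit. The following Python check and translation function are an added example for this page, not Junos validation code. They take the rule, pool and map from the procedure above, assume that the NAT port range in question is the destination pool's port statement (the page's dest-pool has none, so a constructed pool with a port range is used to trigger the check), and assume that a matched port with no map entry keeps its port number.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

MAX_PORT_MAPS = 32  # limit stated in the NOTE above

# The rule, pool and port-forwarding map from the procedure above.
# "port_range" is None when the pool has no port statement, as the page's dest-pool does not.
RULE = {
    "destination-address": ipaddress.ip_network("20.20.20.20/32"),
    "destination-port": (20, 50),       # from destination-port range low 20 high 50
    "destination-pool": "dest-pool",
}
POOLS: Dict[str, dict] = {"dest-pool": {"address": "4.1.1.2", "port_range": None}}
PORT_MAPS: Dict[str, List[Tuple[int, int]]] = {"map1": [(45, 23)]}  # (destined-port, translated-port)


def check_port_forwarding(rule: dict, pools: Dict[str, dict],
                          maps: Dict[str, List[Tuple[int, int]]], map_name: str) -> List[str]:
    """Constructed pre-commit check for the NOTE above (not Junos validation):
    at most 32 maps, valid port numbers, no destined-port mapped twice, and no
    destined-port inside the NAT pool's port range."""
    problems: List[str] = []
    entries = maps[map_name]
    if len(entries) > MAX_PORT_MAPS:
        problems.append(f"{map_name}: {len(entries)} port maps exceeds the limit of {MAX_PORT_MAPS}")
    pool_range = pools[rule["destination-pool"]]["port_range"]
    seen = set()
    for destined, translated in entries:
        for port in (destined, translated):
            if not 1 <= port <= 65535:
                problems.append(f"{map_name}: port {port} is out of range")
        if destined in seen:
            problems.append(f"{map_name}: destined-port {destined} is mapped twice")
        seen.add(destined)
        if pool_range is not None and pool_range[0] <= destined <= pool_range[1]:
            problems.append(f"{map_name}: destined-port {destined} overlaps NAT pool port range "
                            f"{pool_range[0]}-{pool_range[1]}")
    return problems


def forward(rule: dict, pools: Dict[str, dict], maps: Dict[str, List[Tuple[int, int]]],
            map_name: str, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """Apply the term to a packet's destination: match on address and port range, then
    dnat-44 to the pool address with the port-forwarding map. Assumption: a matched
    port with no map entry keeps its number. Returns None when the term does not match."""
    if ipaddress.ip_address(dst_ip) not in rule["destination-address"]:
        return None
    low, high = rule["destination-port"]
    if not low <= dst_port <= high:
        return None
    translated_port = dict(maps[map_name]).get(dst_port, dst_port)
    return (pools[rule["destination-pool"]]["address"], translated_port)


if __name__ == "__main__":
    print(check_port_forwarding(RULE, POOLS, PORT_MAPS, "map1"))        # no problems
    print(forward(RULE, POOLS, PORT_MAPS, "map1", "20.20.20.20", 45))  # ('4.1.1.2', 23)
```

The check is deliberately separate from the translation: the first runs on the configuration before commit, the second on traffic, and a packet that does not match the term's address or port range is left untranslated.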

NOTE:
• A similar configuration is possible with twice NAT for IPv4. See “Example: Configuring Port Forwarding with Twice NAT” on page 215.
• Port forwarding and stateful firewall can be configured together. Stateful firewall has precedence over port forwarding.

Related Documentation
• Example: Configuring Static Destination Address Translation on page 199

Examples: Configuring NAT Rules

This section provides the following configuration examples. For additional examples that combine NAT configuration with other services and with virtual private network (VPN) routing and forwarding (VRF) tables, see Examples: Services Interfaces Configuration.

• Example: Configuring Static Source Translation on page 193
• Example: Configuring Dynamic Source Address and Port Translation on page 195
• Example: Configuring Dynamic Address-only Source Translation on page 197
• Example: Configuring Static Destination Address Translation on page 199
• Example: Configuring NAT in Mixed IPv4 and IPv6 Networks on page 199
• Example: Configuring Dynamic Source Address and Static Destination Address Translation (IPv6 to IPV4) on page 201
• Example: Configuring Source Dynamic and Destination Static Translation on page 201
• Example: Configuring NAT-PT on page 202
• Example: Configuring Port Forwarding with Twice NAT on page 215
• Example: Configuring an Oversubscribed Pool with Fallback to NAPT on page 216
• Example: Configuring an Oversubscribed Pool with No Fallback on page 217
• Example: Assigning Addresses from a Dynamic Pool for Static Use on page 217
• Example: Configuring NAT Rules Without Defining a Pool on page 218
• Example: Preventing Translation of Specific Addresses on page 219
• Example: Configuring NAT for Multicast Traffic on page 219

Example: Configuring Static Source Translation

• Example: Configuring Static Source Translation in an IPv4 Network on page 193
• Example: Configuring Static Source Translation in an IPv6 Network on page 194
• Example: Configuring Static Source Translation with Multiple Prefixes and Address Ranges on page 195

Example: Configuring Static Source Translation in an IPv4 Network

The following configuration sets up one-to-one mapping between a private subnet and a public subnet.

[edit]
user@host# show services
service-set s1 {
    nat-rules rule-basic-nat44;
    interface-service {
        service-interface sp-1/2/0;
    }
}
nat {
    pool src_pool {
        address 10.10.10.2/32;
    }
    rule rule-basic-nat44 {
        match-direction input;
        term t1 {
            from {
                source-address {
                    3.1.1.2/32;
                }
            }
            then {
                translated {
                    source-pool src_pool;
                    translation-type {
                        basic-nat44;
                    }
                }
            }
        }
    }
}
adaptive-services-pics {
    traceoptions {
        flag all;
    }
}

Example: Configuring Static Source Translation in an IPv6 Network

The following example configures the translation type as basic-nat66.

[edit]
user@host# show services
service-set s1 {
    nat-rules rule-basic-nat66;
    interface-service {
        service-interface ms-1/2/0;
    }
}
nat {
    pool src_pool {
        address 10.10.10.2/32;
    }
    rule rule-basic-nat66 {
        match-direction input;
        term t1 {
            from {
                source-address {
                    10:10:10::0/96;
                }
            }
            then {
                translated {
                    source-pool src_pool;
                    translation-type {
                        basic-nat66;
                    }
                }
            }
        }
    }
}
adaptive-services-pics {
    traceoptions {
        flag all;
    }
}

Example: Configuring Static Source Translation with Multiple Prefixes and Address Ranges

The following configuration creates a static pool with an address prefix and an address range and uses static source NAT translation.

[edit services nat]
pool p1 {
    address 30.30.30.252/30;
    address-range low 20.20.20.1 high 20.20.20.2;
}
rule r1 {
    match-direction input;
    term {
        from {
            source-address {
                10.10.10.252/30;
            }
        }
        then {
            translated {
                source-pool p1;
                translation-type basic-nat44;
            }
        }
    }
}

Example: Configuring Dynamic Source Address and Port Translation

• Example: Configuring Dynamic Source Address and Port Translation (NAPT) for an IPv4 Network on page 196
• Example: Configuring Dynamic Source Translation for an IPv4 Network on page 196
• Example: Configuring Dynamic Source Address and Port Translation for an IPv6 Network on page 197

Example: Configuring Dynamic Source Address and Port Translation (NAPT) for an IPv4 Network

The following example configures dynamic source (address and port) translation, or NAPT.

[edit services nat]
pool public {
    address-range low 192.16.2.1 high 192.16.2.32;
    port automatic;
}
rule Private-Public {
    match-direction input;
    term Translate {
        then {
            translated {
                source-pool public;
                translation-type napt-44;
            }
        }
    }
}

NOTE: The only difference between the configurations for dynamic address-only source translation and NAPT is the inclusion of the port statement for NAPT.

Example: Configuring Dynamic Source Translation for an IPv4 Network

The following example configures the translation type as napt-44.

[edit services]
user@host# show
service-set s1 {
    nat-rules rule-napt-44;
    interface-service {
        service-interface ms-0/1/0;
    }
}
nat {
    pool napt-pool {
        address 10.10.10.0/32;
        port {
            automatic;
        }
    }
    rule rule-napt-44 {
        match-direction input;
        term t1 {
            then {
                translated {
                    source-pool napt-pool;
                    translation-type {
                        napt-44;
                    }
                }
            }
        }
    }
}
adaptive-services-pics {
    traceoptions {
        flag all;
    }
}

Example: Configuring Dynamic Source Address and Port Translation for an IPv6 Network

The following example configures dynamic source (address and port) translation, or NAPT, for an IPv6 network.

[edit services]
user@host# show
service-set IPV6-NAPT-ServiceSet {
    nat-rules IPV6-NAPT-Rule;
    interface-service {
        service-interface ms-0/1/0;
    }
}
nat {
    pool IPV6-NAPT-Pool {
        address 2002::1/96;
        port automatic;
    }
    rule IPV6-NAPT-Rule {
        match-direction input;
        term term1 {
            then {
                translated {
                    source-pool IPV6-NAPT-Pool;
                    translation-type {
                        napt-66;
                    }
                }
            }
        }
    }
}
adaptive-services-pics {
    traceoptions {
        flag all;
    }
}

Example: Configuring Dynamic Address-only Source Translation

• Example: Configuring Dynamic Address-Only Source Translation on page 198
• Example: Configuring Dynamic Address-Only Source Translation in an IPv4 Network on page 198

Example: Configuring Dynamic Address-Only Source Translation

The following example configures dynamic address-only source translation.

[edit services nat]
pool public {
    address-range low 192.16.2.1 high 192.16.2.32;
}
rule Private-Public {
    match-direction input;
    term Translate {
        then {
            translated {
                source-pool public;
                translation-type dynamic-nat44;
            }
        }
    }
}

Example: Configuring Dynamic Address-Only Source Translation in an IPv4 Network

The following example configures the translation type as dynamic-nat44.

[edit services]
user@host# show
service-set s1 {
    nat-rules rule-dynamic-nat44;
    interface-service {
        service-interface ms-0/1/0;
    }
}
nat {
    pool source-dynamic-pool {
        address 10.1.1.0/24;
    }
    rule rule-dynamic-nat44 {
        match-direction input;
        term t1 {
            from {
                source-address {
                    3.2.2.0/24;
                }
            }
            then {
                translated {
                    source-pool source-dynamic-pool;
                    translation-type {
                        dynamic-nat44;
                    }
                }
            }
        }
    }
}
adaptive-services-pics {
    traceoptions {
        flag all;
    }
}

Example: Configuring Static Destination Address Translation

The following example configures the translation type as dnat-44.

[edit services]
user@host# show
service-set s1 {
    nat-rules rule-dnat44;
    interface-service {
        service-interface sp-1/2/0;
    }
}
nat {
    pool dest-pool {
        address 4.1.1.2/32;
    }
    rule rule-dnat44 {
        match-direction input;
        term t1 {
            from {
                destination-address {
                    20.20.20.20/32;
                }
            }
            then {
                translated {
                    destination-pool dest-pool;
                    translation-type {
                        dnat-44;
                    }
                }
            }
        }
    }
}
adaptive-services-pics {
    traceoptions {
        flag all;
    }
}

Example: Configuring NAT in Mixed IPv4 and IPv6 Networks

• Example: Configuring the Translation Type Between IPv6 and IPv4 Networks on page 199

Example: Configuring the Translation Type Between IPv6 and IPv4 Networks

The following example configures the translation type as basic-nat-pt.

[edit]
user@host# show services
service-set ss_dns {
    nat-rules rule-basic-nat-pt;
    interface-service {
        service-interface ms-0/1/0;
    }
}
nat {
    pool p1 {
        address 10.10.10.1/32;
    }
    pool src_pool0 {
        address 20.1.1.2/32;
    }
    pool dst_pool0 {
        address 50.1.1.2/32;
    }
    rule rule-basic-nat-pt {
        match-direction input;
        term t1 {
            from {
                source-address {
                    2000::2/128;
                }
                destination-address {
                    4000::2/128;
                }
                applications dns_alg;
            }
            then {
                translated {
                    source-pool src_pool0;
                    destination-pool dst_pool0;
                    dns-alg-prefix 10:10:10::0/96;
                    translation-type {
                        basic-nat-pt;
                    }
                }
            }
        }
        term t2 {
            from {
                source-address {
                    2000::2/128;
                }
                destination-address {
                    10:10:10::0/96;
                }
            }
            then {
                translated {
                    source-prefix 19.19.1.1/32;
                    translation-type {
                        basic-nat-pt;
                    }
                }
            }
        }
    }
}
adaptive-services-pics {
    traceoptions {
        flag all;
    }
}

Example: Configuring Dynamic Source Address and Static Destination Address Translation (IPv6 to IPV4)

The following example configures dynamic source address (IPv6-to-IPv4) and static destination address (IPv6-to-IPv4) translation:

[edit services]
user@host# show
nat {
    pool src-pool-nat64 {
        address 203.0.113.0/24;
        port {
            automatic;
        }
    }
    rule stateful-nat64 {
        match-direction input;
        term t1 {
            from {
                source-address {
                    2001:db8::0/96;
                }
                destination-address {
                    64:ff9b::/96;
                }
            }
            then {
                translated {
                    source-pool src-pool-nat64;
                    destination-prefix 64:ff9b::/96;
                    translation-type {
                        stateful-nat64;
                    }
                }
            }
        }
    }
}

Example: Configuring Source Dynamic and Destination Static Translation

In the following configuration, term1 configures source address translation for traffic from any private address to any public address. The translation is applied for all services. term2 performs destination address translation for Hypertext Transfer Protocol (HTTP) traffic from any public address to the server's virtual IP address. The virtual server IP address is translated to an internal IP address.

[edit services nat]
rule my-nat-rule {
    match-direction input;
    term my-term1 {
        from {
            source-address private;
            destination-address public;
        }
        then {
            translated {
                source-pool my-pool;            # pick address from a pool
                translation-type napt-44;       # dynamic NAT with port translation
            }
        }
    }
    term my-term2 {
        from {
            destination-address 192.168.3.137;  # my server's virtual address
            application http;
        }
        then {
            translated {
                destination-pool nat-pool-name;
                translation-type dnat-44;       # static destination NAT
            }
        }
    }
}

Example: Configuring NAT-PT

A Domain Name System application-level gateway (DNS ALG) is used with Network Address Translation-Protocol Translation (NAT-PT) to facilitate name-to-address mapping. You can configure the DNS ALG to map addresses returned in the DNS response to an IPv6 address. When you configure NAT-PT with DNS ALG support, you must configure two NAT rules or one rule with two terms. The first NAT rule ensures that the DNS query and response packets are translated correctly. For this rule to work, you must configure a DNS ALG application and reference it in the rule. The second rule is required to ensure that NAT sessions are destined to the address mapped by the DNS ALG.

In this example, you configure two rules. Then, you must configure a service set, and then apply the service set to the interfaces.

This example describes how to configure NAT-PT with DNS ALG:

• Requirements on page 202
• Overview and Topology on page 202
• Configuration of NAT-PT with DNS ALGs on page 204

Requirements

This example uses the following hardware and software components:

• Junos OS Release 11.2
• A multiservices interface (ms-)

Overview and Topology

The following scenario shows the process of NAT-PT with DNS ALG when a laptop in an IPv6-only domain requests access to a server in an IPv4-only domain.

Figure 6: Configuring DNS ALGs with NAT-PT Network Topology

[Figure: an IPv6 domain (laptop address 2000::2/128, DNS server address 4000::2/128) on one side of the Juniper Networks router and an IPv4 domain (DNS server 50.1.1.1, www.example.com = 1.1.1.1) on the other. SA = source address, DA = destination address. The figure annotates the DNS ALG session and the HTTP session as follows.
Step 1 (packet header SA 2000::2/128, DA 4000::2/128; payload: request AAAA record for www.example.com): SA 2000::2/128 translated to 40.1.1.1/32; DA 4000::2/128 translated to 50.1.1.1/32; payload: the AAAA request is translated to an A request.
Step 2 (packet header SA 50.1.1.1/32, DA 40.1.1.1/32; payload: A response www.example.com = 1.1.1.1): SA 50.1.1.1/32 translated to 4000::2/128; DA 40.1.1.1/32 translated to 2000::2/128; payload: the A response translated to an IPv6 address.
Step 3: SA 2000::2/128 translated to 40.1.1.1/32; DA 10:10:10::1.1.1.1 translated to 1.1.1.1/32.]

The Juniper Networks router in the center of the illustration performs address translation in two steps. When the laptop requests a session with the www.example.com server that is in an IPv4-only domain, the Juniper Networks router performs the following:

• Translates the IPv6 laptop and DNS server addresses into IPv4 addresses.
• Translates the AAAA request from the laptop into an A request so that the DNS server can provide the IPv4 address.

When the DNS server responds with the A request, the Juniper Networks router performs the following:

• Translates the IPv4 DNS server address back into an IPv6 address.
• Translates the A request back into a AAAA request so that the laptop now has the 96-bit IPv6 address of the www.example.com server.

After the laptop receives the IPv6 version of the www.example.com server address, the laptop initiates a second session using the 96-bit IPv6 address to access that server. The Juniper Networks router performs the following:

• Translates the laptop IPv6 address directly into its IPv4 address.
• Translates the 96-bit IPv6 www.example.com server address into its IPv4 address.

Configuration of NAT-PT with DNS ALGs

To configure NAT-PT with DNS ALG, perform the following tasks:

• Configuring the Application-Level Gateway on page 204
• Configuring the NAT Pools on page 205
• Configuring the DNS Server Session: First NAT Rule on page 206
• Configuring the HTTP Session: Second NAT Rule on page 209
• Configuring the Service Set on page 211
• Configuring the Stateful Firewall Rule on page 212
• Configuring Interfaces on page 213

Configuring the Application-Level Gateway

Step-by-Step Procedure

Configure the DNS application as the ALG to which the DNS traffic is destined. The DNS application protocol closes the DNS flow as soon as the DNS response is received. When you configure the DNS application protocol, you must specify the UDP protocol as the network protocol to match in the application definition.

To configure the DNS application:

1. In configuration mode, go to the [edit applications] hierarchy level:

   user@host# edit applications

2. Define the application name and specify the application protocol to use in match conditions in the first NAT rule.

   [edit applications]
   user@host# set application application-name application-protocol protocol-name

   For example:

   [edit applications]
   user@host# set application dns_alg application-protocol dns

3. Specify the protocol to match, in this case UDP.

   [edit applications]
   user@host# set application application-name protocol type

   For example:

   [edit applications]
   user@host# set application dns_alg protocol udp

4. Define the UDP destination port for additional packet matching, in this case the domain port.

   [edit applications]
   user@host# set application application-name destination-port value

   For example:

   [edit applications]
   user@host# set application dns_alg destination-port 53

Results

[edit applications]
user@host# show
application dns_alg {
    application-protocol dns;
    protocol udp;
    destination-port 53;
}

Configuring the NAT Pools

Step-by-Step Procedure

In this configuration, you configure two pools that define the addresses (or prefixes) used for NAT. These pools define the IPv4 addresses that are translated into IPv6 addresses. The first pool includes the IPv4 address of the source. The second pool defines the IPv4 address of the DNS server.

To configure NAT pools:

1. In configuration mode, go to the [edit services nat] hierarchy level.

   user@host# edit services nat

2. Specify the name of the first pool and the IPv4 source address (laptop).

   [edit services nat]
   user@host# set pool nat-pool-name address ip-prefix

   For example:

   [edit services nat]
   user@host# set pool pool1 address 40.1.1.1/32

3. Specify the name of the second pool and the IPv4 address of the DNS server.

   [edit services nat]
   user@host# set pool nat-pool-name address ip-prefix

   For example:

   [edit services nat]
   user@host# set pool pool2 address 50.1.1.1/32

Results

The following sample output shows the configuration of NAT pools:

[edit services nat]
user@host# show
pool pool1 {
    address 40.1.1.1/32;
}
pool pool2 {
    address 50.1.1.1/32;
}

Configuring the DNS Server Session: First NAT Rule

Step-by-Step Procedure

The first NAT rule is applied to DNS traffic going to the DNS server. This rule ensures that the DNS query and response packets are translated correctly. For this rule to work, you must configure a DNS ALG application and reference it in the rule. In addition, you must specify the direction in which traffic is matched, the source address of the laptop, the destination address of the DNS server, and the actions to take when the match conditions are met.

To configure the first NAT rule:

1. In configuration mode, go to the [edit services nat] hierarchy level.

   user@host# edit services nat

2. Specify the name of the NAT rule.

   [edit services nat]
   user@host# edit rule rule-name

   For example:

   [edit services nat]
   user@host# edit rule rule1

3. Specify the name of the NAT term.

   [edit services nat rule rule-name]
   user@host# edit term term-name

   For example:

   [edit services nat rule rule1]
   user@host# edit term term1

4. Define the match conditions for this rule.

   • Specify the IPv6 source address of the device (laptop) attempting to access an IPv4 address.

     [edit services nat rule rule-name term term-name]
     user@host# set from source-address source-address

     For example:

     [edit services nat rule rule1 term term1]
     user@host# set from source-address 2000::2/128

   • Specify the IPv6 destination address of the DNS server.

     [edit services nat rule rule-name term term-name]
     user@host# set from destination-address prefix

     For example:

     [edit services nat rule rule1 term term1]
     user@host# set from destination-address 4000::2/128

   • Reference the DNS application to which the DNS traffic destined for port 53 is applied. The DNS application was configured in “Configuring the DNS ALG Application” on page 182.

     [edit services nat rule rule1 term term1]
     user@host# set from applications application-name

     In this example, the application name configured in the Configuring the DNS Application step is dns_alg:

     [edit services nat rule rule1 term term1]
     user@host# set from applications dns_alg

5. Define the actions to take when the match conditions are met. The source and destination pools you configured in Configuring the NAT Pools are applied here.

   • Apply the NAT pool configured for source translation.

     [edit services nat rule rule-name term term-name]
     user@host# set then translated source-pool nat-pool-name

     For example:

     [edit services nat rule rule1 term term1]
     user@host# set then translated source-pool pool1

   • Apply the NAT pool configured for destination translation.

     [edit services nat rule rule-name term term-name]
     user@host# set then translated destination-pool nat-pool-name

     For example:

     [edit services nat rule rule1 term term1]
     user@host# set then translated destination-pool pool2

6. Define the DNS ALG 96-bit prefix for IPv4-to-IPv6 address mapping.

   [edit services nat rule rule-name term term-name]
   user@host# set then translated dns-alg-prefix dns-alg-prefix

   For example:

   [edit services nat rule rule1 term term1]
   user@host# set then translated dns-alg-prefix 10:10:10::0/96

7. Specify the type of NAT used for source and destination traffic.

   [edit services nat rule rule-name term term-name]
   user@host# set then translated translation-type basic-nat-pt

   For example:

   [edit services nat rule rule1 term term1]
   user@host# set then translated translation-type basic-nat-pt

   NOTE: In this example, the basic-nat-pt translation type is used, since NAT is achieved using address-only translation. To achieve NAT using address and port translation (NAPT), use the napt-pt translation type.

8. Specify the direction in which to match traffic that meets the rule conditions.

   [edit services nat rule rule-name]
   user@host# set match-direction (input | output)

   For example:

   [edit services nat rule rule1]
   user@host# set match-direction input

9. Configure system logging to record information from the services interface to the /var/log directory.

   [edit services nat rule rule-name term term-name]
   user@host# set then syslog

   For example:

   [edit services nat rule rule1 term term1]
   user@host# set then syslog

Results

The following sample output shows the configuration of the first NAT rule that goes to the DNS server.

[edit services nat]
user@host# show
rule rule1 {
    match-direction input;
    term term1 {
        from {
            source-address {
                2000::2/128;
            }
            destination-address {
                4000::2/128;
            }
            applications dns_alg;
        }
        then {
            translated {
                source-pool pool1;
                destination-pool pool2;
                dns-alg-prefix 10:10:10::0/96;
                translation-type {
                    basic-nat-pt;
                }
            }
            syslog;
        }
    }
}

Configuring the HTTP Session: Second NAT Rule

Step-by-Step Procedure

The second NAT rule is applied to destination traffic going to the IPv4 server www.example.com. This rule ensures that NAT sessions are destined to the address mapped by the DNS ALG. For this rule to work, you must configure the DNS ALG address map that correlates the DNS query or response processing done by the first rule with the actual data sessions processed by the second rule. In addition, you must specify the direction in which traffic is matched, the IPv4 address for the IPv6 source address (laptop), the 96-bit prefix to prepend to the IPv4 destination address (www.example.com), and the translation type.

To configure the second NAT rule:

1. In configuration mode, go to the following hierarchy level.

   user@host# edit services nat

2. Specify the name of the NAT rule and term.

   [edit services nat]
   user@host# edit rule rule-name term term-name

   For example:

   [edit services nat]
   user@host# edit rule rule2 term term1

3. Define the match conditions for this rule:

   • Specify the IPv6 address of the device attempting to access the IPv4 server.

     [edit services nat rule rule-name term term-name]
     user@host# set from source-address source-address

     For example:

     [edit services nat rule rule2 term term1]
     user@host# set from source-address 2000::2/128

   • Specify the 96-bit IPv6 prefix to prepend to the IPv4 server address.

     [edit services nat rule rule-name term term-name]
     user@host# set from destination-address prefix

     For example:

     [edit services nat rule rule2 term term1]
     user@host# set from destination-address 10:10:10::c0a8:108/128

4. Define the actions to take when the match conditions are met.

   • Specify the prefix for the translation of the IPv6 source address.

     [edit services nat rule rule-name term term-name]
     user@host# set then translated source-prefix source-prefix

     For example:

     [edit services nat rule rule2 term term1]
     user@host# set then translated source-prefix 19.19.1.1/32

5. Specify the type of NAT used for source and destination traffic.

   [edit services nat rule rule-name term term-name]
   user@host# set then translated translation-type basic-nat-pt

   For example:

   [edit services nat rule rule2 term term1]
   user@host# set then translated translation-type basic-nat-pt

   NOTE: In this example, the basic-nat-pt translation type is used, since NAT is achieved using address-only translation. To achieve NAT using address and port translation (NAPT), you must use the napt-pt translation type.

6. Specify the direction in which to match traffic that meets the conditions in the rule.

   [edit services nat rule rule-name]
   user@host# set match-direction (input | output)

   For example:

   [edit services nat rule rule2]
   user@host# set match-direction input

Results

The following sample output shows the configuration of the second NAT rule:

[edit services nat]
user@host# show
rule rule2 {
    match-direction input;
    term term1 {
        from {
            source-address {
                2000::2/128;
            }
            destination-address {
                10:10:10::c0a8:108/128;
            }
        }
        then {
            translated {
                source-prefix 19.19.1.1/32;
                translation-type {
                    basic-nat-pt;
                }
            }
        }
    }
}
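Figure 6 and the two NAT rules above describe the DNS ALG exchange and the data session in prose. The following Python model is an added example for this page, not Junos or Juniper code. It walks both rules with the values from this example (pool1 40.1.1.1, pool2 50.1.1.1, dns-alg-prefix 10:10:10::/96, source-prefix 19.19.1.1): the AAAA query becomes an A query, the A answer comes back as a synthesized AAAA address under the prefix, and the data session is translated only to an address the ALG mapped. It generalizes the page's single /128 destination match in rule2 to any ALG-mapped address, and the DNS message tuples are constructed stand-ins for parsed packets, not real packet parsing.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Values from the NAT-PT example on this page.
DNS_ALG_PREFIX = ipaddress.ip_network("10:10:10::/96")  # dns-alg-prefix in rule1
POOL1 = {"2000::2": "40.1.1.1"}    # rule1 source-pool pool1: laptop IPv6 -> IPv4
POOL2 = {"4000::2": "50.1.1.1"}    # rule1 destination-pool pool2: DNS server IPv6 -> IPv4
RULE2_SOURCE_PREFIX = "19.19.1.1"  # rule2 source-prefix for the laptop in the data session

RR = Tuple[str, str]  # (record type, rdata), a constructed stand-in for a parsed DNS answer


def embed_v4(prefix: ipaddress.IPv6Network, v4: str) -> str:
    """Synthesize the IPv6 address the DNS ALG returns for an IPv4 answer: prefix + 32-bit address."""
    return str(ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(v4))))


def extract_v4(prefix: ipaddress.IPv6Network, v6: str) -> Optional[str]:
    """Recover the IPv4 address from an address under the DNS ALG prefix; None if it is not under it."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFF_FFFF))


class NatPtDnsAlg:
    """Constructed model of the two rules (not Junos code): rule1 carries the DNS session
    through the ALG, rule2 carries the data session to an address the ALG mapped."""

    def __init__(self) -> None:
        self.alg_map: Dict[str, str] = {}  # synthesized AAAA address -> real IPv4 address

    def dns_query_out(self, src6: str, dst6: str, qname: str,
                      qtype: str) -> Optional[Tuple[str, str, str, str]]:
        """rule1, laptop -> DNS server (step 1 in Figure 6): addresses from the pools, AAAA becomes A."""
        if src6 not in POOL1 or dst6 not in POOL2:
            return None  # term term1 does not match
        return (POOL1[src6], POOL2[dst6], qname, "A" if qtype == "AAAA" else qtype)

    def dns_response_in(self, src4: str, dst4: str, qname: str,
                        answers: List[RR]) -> Optional[Tuple[str, str, str, List[RR]]]:
        """Reverse of rule1, DNS server -> laptop (step 2): A answers become AAAA under the prefix."""
        src6 = next((v6 for v6, v4 in POOL2.items() if v4 == src4), None)
        dst6 = next((v6 for v6, v4 in POOL1.items() if v4 == dst4), None)
        if src6 is None or dst6 is None:
            return None
        translated: List[RR] = []
        for rtype, rdata in answers:
            if rtype == "A":
                synth = embed_v4(DNS_ALG_PREFIX, rdata)
                self.alg_map[synth] = rdata  # the ALG address map that rule2 relies on
                translated.append(("AAAA", synth))
            else:
                translated.append((rtype, rdata))
        return (src6, dst6, qname, translated)

    def data_session_out(self, src6: str, dst6: str) -> Optional[Tuple[str, str]]:
        """rule2, laptop -> server (step 3): source-prefix for the laptop, destination from the ALG map.
        Generalizes the page's single /128 destination match to any address the ALG mapped."""
        if src6 not in POOL1:
            return None
        server4 = self.alg_map.get(str(ipaddress.IPv6Address(dst6)))
        if server4 is None:
            return None  # destination was not learned through the DNS ALG: no session
        return (RULE2_SOURCE_PREFIX, server4)


if __name__ == "__main__":
    alg = NatPtDnsAlg()
    print(alg.dns_query_out("2000::2", "4000::2", "www.example.com", "AAAA"))
    print(alg.dns_response_in("50.1.1.1", "40.1.1.1", "www.example.com", [("A", "1.1.1.1")]))
    print(alg.data_session_out("2000::2", "10:10:10::101:101"))
```

The page's rule2 destination 10:10:10::c0a8:108 decodes under the same prefix to 192.168.1.8, which extract_v4 shows; in the model that address is refused as a data-session destination until a DNS answer has mapped it, which is the correlation between the two rules that the section describes.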

Configuring the Service Set

Step-by-Step Procedure

This service set is an interface service set used as an action modifier across the entire services (ms-) interface. Stateful firewall and NAT rule sets are applied to traffic processed by the services interface.

To configure the service set:

1. In configuration mode, go to the [edit services] hierarchy level.

   user@host# edit services

2. Define a service set.

   [edit services]
   user@host# edit service-set service-set-name

   For example:

   [edit services]
   user@host# edit service-set ss

3. Specify properties that control how system log messages are generated for the service set.

   [edit services service-set ss]
   user@host# set syslog host local services severity-level

   The example below includes all severity levels.

   [edit services service-set ss]
   user@host# set syslog host local services any

4. Specify the stateful firewall rule included in this service set.

   [edit services service-set ss]
   user@host# set stateful-firewall-rules rule-name

   The example below references the stateful firewall rule defined in Configuring the Stateful Firewall Rule.

   [edit services service-set ss]
   user@host# set stateful-firewall-rules rule1

5. Define the NAT rules included in this service set.

   [edit services service-set ss]
   user@host# set nat-rules rule-name

   The example below references the two rules defined in this configuration example.

   [edit services service-set ss]
   user@host# set nat-rules rule1
   user@host# set nat-rules rule2

6. Configure an adaptive services interface on which the service is to be performed.

   [edit services service-set ss]
   user@host# set interface-service service-interface interface-name

   For example:

   [edit services service-set ss]

   user@host# set interface-service service-interface ms-2/0/0

   Only the device name is needed, because the router software manages logical unit numbers automatically. The services interface must be an adaptive services interface for which you have configured unit 0 family inet at the [edit interfaces interface-name] hierarchy level in the Configuring Interfaces step.

Results

The following sample output shows the configuration of the service set:

[edit services]
user@host# show
service-set ss {
    syslog {
        host local {
            services any;
        }
    }
    stateful-firewall-rules rule1;
    nat-rules rule1;
    nat-rules rule2;
    interface-service {
        service-interface ms-2/0/0;
    }
}

Configuring the Stateful Firewall Rule

Step-by-Step Procedure

This example uses a stateful firewall to inspect packets for state information derived from past communications and other applications. When a packet is sent to the services (ms-) interface, direction information is carried along with it. The NAT-PT router checks the traffic flow matching the direction specified by the rule.

To configure the stateful firewall rule:

1. In configuration mode, go to the [edit services stateful-firewall] hierarchy level.

   user@host# edit services stateful-firewall

2. Specify the name of the stateful firewall rule.

   [edit services stateful-firewall]
   user@host# edit rule rule-name

   For example:

   [edit services stateful-firewall]
   user@host# edit rule rule1

3. Specify the direction in which traffic is to be matched, in this case both input and output.

   [edit services stateful-firewall rule rule-name]
   user@host# set match-direction (input | input-output | output)

   For example:

   [edit services stateful-firewall rule rule1]
   user@host# set match-direction input-output

4. Specify the name of the stateful firewall term.

   [edit services stateful-firewall rule rule-name]
   user@host# edit term term-name

   For example:

   [edit services stateful-firewall rule rule1]
   user@host# edit term term1

5. Define the terms that make up this rule.

   [edit services stateful-firewall rule rule-name term term-name]
   user@host# set then accept

   For example:

   [edit services stateful-firewall rule rule1 term term1]
   user@host# set then accept

Results

The following sample output shows the configuration of the services stateful firewall.

[edit services]
user@host# show
stateful-firewall {
    rule rule1 {
        match-direction input-output;
        term term1 {
            then {
                accept;
            }
        }
    }
}

Configuring Interfaces

Step-by-Step Procedure

After you have defined the service set, you must apply services to one or more interfaces installed on the router. When you apply the service set to an interface, it automatically ensures that packets are directed to the services (ms-) interface. In this example, you configure one interface on which you apply the service set for input and output traffic.

To configure the interfaces:

1. In configuration mode, go to the [edit interfaces] hierarchy level.

   user@host# edit interfaces

2. Configure the interface on which the service set is applied to automatically ensure that packets are directed to the services (ms-) interface.

   • For IPv4 traffic, specify the IPv4 address.

     [edit interfaces]
     user@host# set ge-1/0/9 unit 0 family inet address 30.1.1.1/24

   • Apply the service set defined in the Configuring the Service Set step.

     [edit interfaces]
     user@host# set ge-1/0/9 unit 0 family inet6 service input service-set ss
     user@host# set ge-1/0/9 unit 0 family inet6 service output service-set ss

   • For IPv6 traffic, specify the IPv6 address.

     [edit interfaces]
     user@host# set ge-1/0/9 unit 0 family inet6 address 2000::1/64

3. Specify the interface properties for the services interface that performs the service.

   [edit interfaces]
   user@host# set ms-2/0/0 services-options syslog host local services any
   user@host# set ms-2/0/0 unit 0 family inet
   user@host# set ms-2/0/0 unit 0 family inet6

Results

The following sample output shows the configuration of the interfaces for this example.

[edit interfaces]
user@host# show
ge-1/0/9 {
    unit 0 {
        family inet {
            address 30.1.1.1/24;
        }
        family inet6 {
            service {
                input {
                    service-set ss;
                }
                output {
                    service-set ss;
                }
            }
            address 2000::1/64;
        }
    }
}
ms-2/0/0 {
    services-options {
        syslog {
            host local {
                services any;
            }
        }
    }
    unit 0 {
        family inet;
        family inet6;
    }
}

Related Documentation

• Network Address Translation Overview on page 48
• Configuring NAT-PT on page 187
• Configuring Service Sets to be Applied to Services Interfaces on page 568
• Example: Configuring the uKernel Service and the Services SDK on Two PICs
• dns-alg-prefix on page 246

• dns-alg-pool on page 246

Example: Configuring Port Forwarding with Twice NAT

The following example configures port forwarding with twice-napt-44 as the translation type. The example also has stateful firewall and multiple port maps configured.

[edit services]
user@host# show
service-set in {
    syslog {
        host local {
            services any;
        }
    }
    stateful-firewall-rules r;
    nat-rules r;
    interface-service {
        service-interface sp-10/0/0;
    }
}
stateful-firewall {
    rule r {
        match-direction input;
        term t {
            from {
                destination-port {
                    range low 1 high 57000;
                }
            }
            then {
                reject;
            }
        }
    }
}
nat {
    pool x {
        address 12.0.0.2/32;
    }
    rule r {
        match-direction input;
        term t {
            from {
                destination-address {
                    14.0.0.2/32;
                }
                destination-port {
                    range low 10 high 20000;
                }
            }
            then {
                translated {
                    destination-pool x;
                    translation-type {
                        twice-napt-44;
                    }
                    port-forwarding-mappings y;
                }
            }
        }
    }

    port-forwarding y {
        destined-port 45;
        translated-port 23;
        destined-port 55;
        translated-port 33;
        destined-port 65;
        translated-port 43;
    }
}
adaptive-services-pics {
    traceoptions {
        file sp-trace;
        flag all;
    }
}

NOTE:

• Stateful firewall has precedence over port forwarding. In this example, for instance, no traffic destined to any port between 1 and 57000 will be translated.
• Up to 32 port maps can be configured.

Related Documentation

• Configuring Port Forwarding for Static Destination Address Translation on page 179

Example: Configuring an Oversubscribed Pool with Fallback to NAPT

The following configuration shows dynamic address translation from a large prefix to a small pool, translating a /24 subnet to a pool of 10 addresses. When the addresses in the source pool (src-pool) are exhausted, NAT is provided by the NAPT overload pool (pat-pool).

[edit services nat]
pool src-pool {
    address-range low 192.16.2.1 high 192.16.2.10;
}
pool pat-pool {
    address-range low 192.16.2.11 high 192.16.2.12;
    port automatic;
}
rule myrule {
    match-direction input;
    term myterm {
        from {
            source-address 10.150.1.0/24;
        }
        then {
            translated {
                source-pool src-pool;
                overload-pool pat-pool;

                translation-type napt-44;
            }
        }
    }
}

Example: Configuring an Oversubscribed Pool with No Fallback

The following configuration shows dynamic address translation from a large prefix to a small pool, translating a /24 subnet to a pool of 10 addresses. Sessions from the first 10 host sessions are assigned an address from the pool on a first-come, first-served basis, and any additional requests are rejected. Each host with an assigned NAT can participate in multiple sessions.

[edit services nat]
pool my-pool {
    address-range low 10.10.10.1 high 10.10.10.10;
}
rule src-nat {
    match-direction input;
    term t1 {
        from {
            source-address 30.10.10.0/24;
        }
        then {
            translated {
                translation-type dynamic-nat44;
                source-pool my-pool;
            }
        }
    }
}

Example: Assigning Addresses from a Dynamic Pool for Static Use

The following configuration statically assigns a subset of addresses that are configured as part of a dynamic pool (dynamic-pool) to two separate static pools (static-pool and static-pool2).

[edit services nat]
pool dynamic-pool {
    address 20.20.20.0/24;
}
pool static-pool {
    address-range low 20.20.20.10 high 20.20.20.20;
}
pool static-pool2 {
    address 20.20.20.15/32;
}
rule src-nat {
    match-direction input;
    term t1 {
        from {
            source-address 192.168.1.10/32;

        }
        then {
            translation-type dynamic-nat44;
            source-pool dynamic-pool;
        }
    }
    term t2 {
        from {
            source-address 10.10.10.0/24;
        }
        then {
            translation-type basic-nat44;
            source-pool static-pool;
        }
    }
    term t3 {
        from {
            source-address 10.10.20.0/24;
        }
        then {
            translation-type basic-nat44;
            source-pool static-pool2;
        }
    }
}

Example: Configuring NAT Rules Without Defining a Pool

The following configuration performs NAT using the source prefix 20.20.20.0/24 without defining a pool.

[edit services nat]
rule src-nat {
    match-direction input;
    term t1 {
        then {
            translation-type dynamic-nat44;
            source-prefix 20.20.20.0/24;
        }
    }
}

The following configuration performs NAT using the destination prefix 20.20.20.0/32 without defining a pool.

[edit services nat]
rule src-nat {
    match-direction input;
    term t1 {
        from {
            destination-address 10.10.10.2;
        }
        then {
            translation-type dnat44;
            destination-prefix 20.20.20.0/32;
        }
    }
}
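The precedence note in the port forwarding with twice NAT example above (the stateful firewall is evaluated before port forwarding), modelled as an added Python example that is not part of the original guide. The rule values are taken from that example; the function and class names are mine, and it assumes that a destination port with no entry in port-forwarding y passes through unchanged.

```python
from dataclasses import dataclass

# Values taken from the "Configuring Port Forwarding with Twice NAT" example.
SFW_REJECT_PORTS = (1, 57000)                # stateful-firewall rule r term t: reject this port range
NAT_MATCH_ADDR = "14.0.0.2"                  # nat rule r term t: destination-address
NAT_MATCH_PORTS = (10, 20000)                # nat rule r term t: destination-port range
DEST_POOL_ADDR = "12.0.0.2"                  # pool x, referenced as destination-pool
PORT_FORWARD_MAP = {45: 23, 55: 33, 65: 43}  # port-forwarding y: destined-port -> translated-port


@dataclass(frozen=True)
class Packet:
    """Only the fields the two rules look at (hypothetical model, not a Junos structure)."""
    dst_addr: str
    dst_port: int


def in_range(port, port_range):
    low, high = port_range
    return low <= port <= high


def process(pkt, sfw_reject_ports=SFW_REJECT_PORTS):
    """Evaluate one packet in the input direction of service set 'in'.

    Returns ("rejected", None), ("translated", (addr, port)) or
    ("untranslated", (addr, port)).
    """
    # The stateful firewall has precedence over port forwarding: a packet it
    # rejects never reaches the NAT rule, whatever the port map says.
    if in_range(pkt.dst_port, sfw_reject_ports):
        return ("rejected", None)
    # The NAT term needs both the destination address and the port range to match.
    if pkt.dst_addr == NAT_MATCH_ADDR and in_range(pkt.dst_port, NAT_MATCH_PORTS):
        # Assumption: a port without a port-forwarding mapping keeps its number.
        new_port = PORT_FORWARD_MAP.get(pkt.dst_port, pkt.dst_port)
        return ("translated", (DEST_POOL_ADDR, new_port))
    return ("untranslated", (pkt.dst_addr, pkt.dst_port))


def shadowed_mappings(sfw_reject_ports=SFW_REJECT_PORTS):
    """Port-forwarding entries that can never take effect: the firewall rejects
    the destined port first, or the NAT term's port range cannot match it."""
    return sorted(p for p in PORT_FORWARD_MAP
                  if in_range(p, sfw_reject_ports) or not in_range(p, NAT_MATCH_PORTS))


if __name__ == "__main__":
    # With the ranges as configured, all three mappings are shadowed by the reject term.
    for port in (45, 58000):
        print(port, process(Packet("14.0.0.2", port)))
    print("shadowed mappings:", shadowed_mappings())
    print("with reject range 1-9:", process(Packet("14.0.0.2", 45), sfw_reject_ports=(1, 9)))
```

Running it shows that every configured port map (45, 55, 65) lies inside the rejected range 1-57000, so the mappings only take effect once the firewall term is narrowed.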

Example: Preventing Translation of Specific Addresses

The following configuration specifies that NAT is not performed on incoming traffic from the source address 192.168.20.24/32. Dynamic NAT is performed on all other incoming traffic.

[edit services nat]
pool my-pool {
    address-range low 10.10.10.1 high 10.10.10.16;
    port automatic;
}
rule src-nat {
    match-direction input;
    term t0 {
        from {
            source-address 192.168.20.24/32;
        }
        then {
            no-translation;
        }
    }
    term t1 {
        then {
            translated {
                translation-type dynamic-nat44;
                source-pool my-pool;
            }
        }
    }
}

Example: Configuring NAT for Multicast Traffic

Figure 7 on page 219 illustrates the network setup for the following configuration.

Figure 7: Configuring NAT for Multicast Traffic (figure not reproduced)

• Rendezvous Point Configuration on page 219
• Router 1 Configuration on page 222

Rendezvous Point Configuration

On the rendezvous point (RP), all incoming traffic from the multicast source at 192.168.254.0/27 is sent to the static NAT pool mcast_pool, where its source is translated to 20.20.20.0/27. The service set nat_ss is a next-hop service set that allows IP multicast traffic to be sent to the Multiservices DPC or Multiservices PIC.

The inside interface on the PIC is ms-1/1/0.1 and the outside interface is ms-1/1/0.2.

[edit services]
nat {
    pool mcast_pool {
        address 20.20.20.0/27;
    }
    rule nat_rule_1 {
        match-direction input;
        term 1 {
            from {
                source-address 192.168.254.0/27;
            }
            then {
                translated {
                    source-pool mcast_pool;
                    translation-type basic-nat44;
                }
            }
        }
    }
}
service-set nat_ss {
    allow-multicast;
    nat-rules nat_rule_1;
    next-hop-service {
        inside-service-interface ms-1/1/0.1;
        outside-service-interface ms-1/1/0.2;
    }
}

The Gigabit Ethernet interface ge-0/3/0 carries traffic out of the RP to Router 1. Multicast source traffic comes in on the Fast Ethernet interface fe-1/2/1, which has the firewall filter fbf applied to incoming traffic. The multiservices interface ms-1/1/0 has two logical interfaces: unit 1 is the inside interface for next-hop services and unit 2 is the outside interface for next-hop services.

[edit interfaces]
ge-0/3/0 {
    unit 0 {
        family inet {
            address 10.1.1.1/30;
        }
    }
}
ms-1/1/0 {
    unit 0 {
        family inet;
    }
    unit 1 {
        family inet;
        service-domain inside;
    }

    unit 2 {
        family inet;
        service-domain outside;
    }
}
fe-1/2/1 {
    unit 0 {
        family inet {
            filter {
                input fbf;
            }
            address 192.168.254.27/27;
        }
    }
}

Multicast packets can only be directed to the Multiservices DPC or the Multiservices PIC using a next-hop service set. In the case of NAT, you must also configure a VRF. Therefore, the routing instance stage is created as a "dummy" forwarding instance, which has a multicast static route that is installed with the next hop pointing to the PIC's inside interface. To direct incoming packets to stage, you configure filter-based forwarding through a firewall filter called fbf, which is applied to the incoming interface fe-1/2/1. A lookup is performed in stage.inet.0. All multicast traffic matching this route is sent to the PIC.

[edit firewall]
filter fbf {
    term 1 {
        then {
            routing-instance stage;
        }
    }
}

The routing instance stage forwards IP multicast traffic to the inside interface ms-1/1/0.1 on the Multiservices DPC or Multiservices PIC:

[edit]
routing-instances stage {
    instance-type forwarding;
    routing-options {
        static {
            route 224.0.0.0/4 next-hop ms-1/1/0.1;
        }
    }
}

You enable OSPF and Protocol Independent Multicast (PIM) on the Fast Ethernet and Gigabit Ethernet logical interfaces over which IP multicast traffic enters and leaves the RP. You also enable PIM on the outside interface (ms-1/1/0.2) of the next-hop service set.

[edit protocols]
ospf {
    area 0.0.0.0 {
        interface fe-1/2/1.0 {
            passive;

        }
        interface lo0.0;
        interface ge-0/3/0.0;
    }
}
pim {
    rp {
        local {
            address 10.255.14.160;
        }
    }
    interface lo0.0;
    interface fe-1/2/1.0;
    interface ge-0/3/0.0;
    interface ms-1/1/0.2;
}

Reverse path forwarding (RPF) checking must be disabled for the multicast group on which source NAT is applied. You can disable RPF checking for specific multicast groups by configuring a policy similar to the one in the example that follows. In this case, the no_rpf policy disables RPF check for multicast groups belonging to 224.0.0.0/4.

[edit policy-options]
policy-statement no_rpf {
    term 1 {
        from {
            route-filter 224.0.0.0/4 orlonger;
        }
        then reject;
    }
}

[edit routing-options]
multicast {
    rpf-check-policy no_rpf;
}

As with any filter-based forwarding configuration, you must configure routing table groups so that all interface routes are copied from inet.0 to the routing table in the forwarding instance, in order for the static route in the forwarding instance stage to have a reachable next hop. You configure routing tables inet.0 and stage.inet.0 as members of fbf_rib_group, so that all interface routes are imported into both tables.

[edit routing-options]
interface-routes {
    rib-group inet fbf_rib_group;
}
rib-groups fbf_rib_group {
    import-rib [ inet.0 stage.inet.0 ];
}

Router 1 Configuration

The Internet Group Management Protocol (IGMP), OSPF, and PIM configuration on Router 1 is as follows. Because of IGMP static group configuration, traffic is forwarded out fe-3/0/0.0 to the multicast receiver without receiving membership reports from host members.

[edit protocols]
igmp {
    interface fe-3/0/0.0;
}
ospf {
    area 0.0.0.0 {
        interface fe-3/0/0.0 {
            passive;
        }
        interface ge-7/2/0.0;
        interface lo0.0;
    }
}
pim {
    rp {
        static {
            address 10.255.14.160;
        }
    }
    interface fe-3/0/0.0;
    interface ge-7/2/0.0;
    interface lo0.0;
}

The routing option creates a static route to the NAT pool, mcast_pool, on the RP.

[edit routing-options]
static {
    route 20.20.20.0/27 next-hop 10.1.1.1;
}

Example: NAT 44 CGN Configurations

This example describes how to implement several NAT configurations.

• Hardware and Software Requirements on page 223
• Overview on page 224
• Basic NAT44 Configuration on page 224

Hardware and Software Requirements

This example requires the following hardware:

• An MX Series 3D Universal Edge router with a Services DPC or an M Series Multiservice Edge router with a services PIC
• A domain name server (DNS)

This example uses the following software:

• Junos OS Release 11.4 or higher

Overview

This example shows a complete CGN NAT44 configuration and advanced options.

Basic NAT44 Configuration

Chassis Configuration

Step-by-Step Procedure

To configure the service PIC (FPC 5 Slot 0) with the Layer 3 service package:

1. Go to the edit chassis hierarchy level.

   user@host# edit chassis

2. Configure the layer 3 service package.

   [edit chassis]
   user@host# set fpc 5 pic 0 adaptive-services service-package layer-3

Configuring the Interfaces

Step-by-Step Procedure

To configure interfaces to the private network and the public Internet:

1. Define the interface to the private network.

   user@host# edit interfaces ge-1/3/5
   [edit interfaces ge-1/3/5]
   user@host# set description "Private"
   user@host# edit unit 0 family inet
   [edit interfaces ge-1/3/5 unit 0 family inet]
   user@host# set service input service-set ss2
   user@host# set service output service-set ss2
   user@host# set address 9.0.0.1/24

2. Define the interface to the public Internet.

   user@host# edit interfaces ge-1/3/6
   [edit interfaces ge-1/3/6]
   user@host# set description "Public"
   user@host# set unit 0 family inet address 128.0.0.1/24

3. Define the service interface for NAT processing.

   user@host# edit interfaces ge-5/0/0
   [edit interfaces ge-5/0/0]
   user@host# set unit 0 family inet

Results

user@host# show interfaces ge-1/3/5
description Private;
unit 0 {
    family inet {
        service {
            input {
                service-set sset2;
            }

0.0. 225 .1/24.1.0. Inc.0.0. } rule r1 { match-direction input. Configure the NAT rule. } Configuring NAT with Port Translation Step-by-Step Procedure To configure source-only dynamic NAT with port translation: 1.Chapter 10: Carrier-Grade NAT Configuration Guidelines } output { service-set sset2. Juniper Networks.0.0/24.0/16 host# set term t1 from source-address 10. user@host# edit services nat [edit services nat] user@host# set pool p1 address 129.0. unit 0 { family inet { address 128. [edit services nat] host# edit rule r1 host# set match-direction input host# set term t1 from source-address 10. } } user@host# show interfaces ge-5/0/0 unit 0 { family inet. 10.0/24 user@host# set pool p1 port automatic random-allocation 2.0. term t1 { from { source-address { 10. } } } user@host# show interfaces ge-1/3/6 description Public:.0.0/16.0.0.0.1.0/16. Configure the NAT pool. } } address 9.0/16 host# set term t1 then translated source-pool p1 translation-type dynamic-nat44 Results user@host# show services nat pool p1 { address 129.1/24. } Copyright © 2011.0.0.

        then {
            translated {
                source-pool p1;
                translation-type {
                    dynamic-nat44;
                }
            }
        }
    }
}

Configuring the Service Set

Step-by-Step Procedure

To configure the service set:

1. Configure a service set.

   user@host# edit services service-set ss2

2. Specify the NAT rule to be used.

   [edit services service-set ss2]
   host# set nat-rules r1

3. Specify the interface service.

   [edit services service-set ss2]
   host# set interface-service service-interface sp-5/0/0

Results

user@host# show services service-sets sset2
nat-rules r1;
interface-service {
    service-interface sp-5/0/0;
}

Example: NAT Between VRFs Configuration

The following example configuration enables NAT between VRFs with overlapping private addresses, using distinct public addresses for the source and destination NAT in this scenario:

• A host in vrf-a traverses 10.58.16.201 to reach 10.58.16.2 in vrf-b.
• A host in vrf-b traverses 10.58.16.101 to reach 10.58.16.2 in vrf-a.

[edit interfaces]
ge-0/2/0 {
    unit 0 {
        family inet {
            address 10.58.16.1/24;
            service {
                input service-set vrf-a-svc-set;
                output service-set vrf-a-svc-set;
            }
        }
    }
}

ge-0/3/0 {
    unit 0 {
        family inet {
            address 10.58.16.1/24;
            service {
                input service-set vrf-b-svc-set;
                output service-set vrf-b-svc-set;
            }
        }
    }
}
sp-1/3/0 {
    unit 0 {
        family inet;
    }
    unit 10 {
        family inet;
        service-domain inside;
    }
    unit 20 {
        family inet;
        service-domain inside;
    }
}

[edit routing-instances]
vrf-a {
    instance-type vrf;
    interface ge-0/2/0.0;
    interface sp-1/3/0.10;
    route-distinguisher 10.0.0.1:1;
    vrf-import test-policy;
    vrf-export test-policy;
    routing-options {
        static {
            route 0.0.0.0/0 next-table inet.0;
        }
    }
}
vrf-b {
    instance-type vrf;
    interface ge-0/3/0.0;
    interface sp-1/3/0.20;
    route-distinguisher 10.0.0.2:2;
    vrf-import test-policy;
    vrf-export test-policy;
    routing-options {
        static {
            route 0.0.0.0/0 next-table inet.0;
        }
    }
}

[edit policy-options]
policy-statement test-policy {
    term t1 {
        then reject;
    }
}

[edit services]
stateful-firewall {
    rule allow-all {
        match-direction input-output;
        term t1 {
            then {
                accept;
            }
        }
    }
}
nat {
    pool vrf-a-src-pool {
        address 10.58.16.100/32;
        port automatic;
    }
    pool vrf-a-dst-pool {
        address 10.58.16.2/32;
    }
    pool vrf-b-src-pool {
        address 10.58.16.200/32;
        port automatic;
    }
    pool vrf-b-dst-pool {
        address 10.58.16.2/32;
    }
    rule vrf-a-input {
        match-direction input;
        term t1 {
            then {
                translated {
                    source-pool vrf-a-src-pool;
                    translation-type napt-44;
                }
            }
        }
    }
    rule vrf-a-output {
        match-direction output;
        term t1 {
            from {
                destination-address 10.58.16.101;
            }
            then {
                translated {
                    destination-pool vrf-a-dst-pool;
                    translation-type destination static;
                }
            }
        }
    }
    rule vrf-b-input {
        match-direction input;

        term t1 {
            then {
                translated {
                    source-pool vrf-b-src-pool;
                    translation-type source dynamic;
                }
            }
        }
    }
    rule vrf-b-output {
        match-direction output;
        term t1 {
            from {
                destination-address 10.58.16.201;
            }
            then {
                translated {
                    destination-pool vrf-b-dst-pool;
                    translation-type destination static;
                }
            }
        }
    }
}
service-set vrf-a-svc-set {
    stateful-firewall-rules allow-all;
    nat-rules vrf-a-input;
    nat-rules vrf-a-output;
    interface-service {
        service-interface sp-1/3/0;
    }
}
service-set vrf-b-svc-set {
    stateful-firewall-rules allow-all;
    nat-rules vrf-b-input;
    nat-rules vrf-b-output;
    interface-service {
        service-interface sp-1/3/0;
    }
}

Example: Configuring Stateful NAT64 for Handling IPv4 Address Depletion

This example configures Stateful NAT64 on an MX Series 3D Universal Edge router with a Services DPC. The configuration replicates the example flow found in draft-ietf-behave-v6v4-xlate-stateful-12, Stateful NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers, July 2010.

This example contains the following sections:

• Requirements on page 230
• Implementation on page 230

• Configuration on page 230
• Verifying NAT64 Operation on page 234

Requirements

This functionality requires the following hardware:

• An MX Series 3D Universal Edge router with a Services DPC or an M Series Multiservice Edge router with a services PIC
• A name server with DNS64

Implementation

In Junos OS Release 10.2, Juniper Networks implemented stateful NAT64 in its Services Physical Interface Card (PIC) and Services Dense Port Concentrator (DPC). The system steers IPv6 packets coming from IPv6-only hosts to a Services DPC where the packets are translated to IPv4 according to the configuration. In the reverse path, the system sends IPv4 packets to the Services DPC where additional system processes reverse the translation and send the corresponding IPv6 packet back to the client.

Configuration Overview and Topology

Figure 8 on page 230 shows an MX Series router, R2, implementing NAT64 with two Gigabit Ethernet interfaces and a Services DPC. The interface connected to the IPv4 network is ge-1/3/6, and the interface connected to the IPv6 network is ge-1/3/5. Also shown is a local name server with DNS64 functionality. The local name server is configured with the /96 prefix assigned to the local NAT64 router, which the system uses as part of the translation process.

Figure 8: NAT64 Topology (figure not reproduced; it shows Host 1 in the IPv6 network, the name server with DNS64, Router R2 with ge-1/3/5 (2001:DB8::1) toward the IPv6 network and ge-1/3/6 toward the IPv4 network, and Host 2 in the IPv4 network)

NAT64 Configuration

To configure stateful NAT64 involves the following tasks:

• Configuring the PIC and the Interfaces on page 231
• Configuring the NAT64 Pool on page 232
• Configuring the Service Set on page 233

Configuring the PIC and the Interfaces

Step-by-Step Procedure

To configure the PIC and interfaces on Router R2:

1. Edit the chassis configuration to enable a Layer 3 service package. The service package with its associated service package (sp-) interface is used to manipulate traffic before it is delivered to its destination. This example assumes that the PIC is in FPC 5, slot 0. For details about configuring packages, see the Junos OS Services Interfaces Configuration Guide.

   a. Configure the service package at the [edit chassis fpc pic adaptive-services] hierarchy level.

   [edit chassis]
   fpc 5 {
       pic 0 {
           adaptive-services {
               service-package layer-3;
           }
       }
   }

2. Configure the ge-1/3/5 interface connected to the IPv6 network.

   a. Include the family inet (IPv4) and family inet6 (IPv6) statements at the [edit interfaces interface-name unit unit-number] hierarchy level.

   b. Configure a service set at the [edit interfaces interface-name unit unit-number family service input service-set] and the [edit interfaces interface-name unit unit-number family service output service-set] hierarchy levels.

   c. Include the IPv6 address at the [edit interfaces unit unit-number family inet6 address] hierarchy level.

   [edit interfaces]
   ge-1/3/5 {
       description "IPv6-only domain";
       unit 0 {
           family inet;
           family inet6 {
               service {
                   input {
                       service-set set_0;
                   }
                   output {
                       service-set set_0;
                   }
               }
               address 2001:DB8::1/64;
           }
       }
   }

3. Configure the ge-1/3/6 interface connected to the IPv4 network.

   a. Include the family inet statement at the [edit interfaces unit unit-number] hierarchy level.

   b. Include the IPv4 address at the [edit interfaces unit unit-number family inet] hierarchy level.

   [edit interfaces]
   ge-1/3/6 {
       description "Internet-IPv4 domain";
       unit 0 {
           family inet {
               address 192.0.0.1/16;
           }
       }
   }

4. Configure the services interface, in this example, sp-5/0/0. The service package associated with this interface was configured in Step 2. The service set you configure in "Configuring the Service Set" on page 233 is associated with this interface.

5. Specify both the IPv4 and IPv6 address families at the [edit interfaces interface-name unit unit-number] hierarchy level. This example configures a system log for any services on the local host.

   [edit interfaces]
   sp-5/0/0 {
       services-options {
           syslog {
               host local {
                   services any;
                   log-prefix XXXXXXXX;
               }
           }
       }
       unit 0 {
           family inet;
           family inet6;
       }
   }

Configuring the NAT64 Pool

Step-by-Step Procedure

Use this procedure to configure the NAT64 router, Router R2, with the /96 prefix to represent IPv4 addresses in the IPv6 address space. IPv6 packets addressed to a destination address containing the /96 prefix are then routed to the IPv6 interface of the NAT router. You also configure one or more IPv4 transport addresses for the NAT pool.

1. Configure an IPv4 transport address for the pool at the [edit services nat pool pool-name] hierarchy level. This example shows how to configure the network address translation for the IPv4 address 203.0.113.1/32. It also shows how to configure the IPv6 prefix 64:FF9B::/96.

   [edit services nat]
   pool src-pool-nat64 {
       address 203.0.113.0/24;
       port automatic;
   }

2. Configure a NAT rule to translate the packets from the IPv6 network. NAT rules specify the traffic to be matched and the action to be taken when traffic matches the rule. In this example, only one rule is required to accomplish the address translation. The rule selects all traffic coming from the source address on the IPv6 network. The transport address configured in Step 1 is then specified for the translation using the /96 prefix. Configure the rule at the [edit services nat rule rule-name] hierarchy level as follows:

   [edit services nat]
   rule nat64 {
       match-direction input;
       term t1 {
           from {
               source-address {
                   2001:DB8::0/96;
                   2001:DB8::1/128;
               }
               destination-address {
                   64:FF9B::/96;
               }
           }
           then {
               translated {
                   source-pool src-pool-nat64;
                   destination-prefix 64:FF9B::/96;
                   translation-type {
                       stateful-nat64;
                   }
               }
           }
       }
   }

Configuring the Service Set

Step-by-Step Procedure

To configure the service set for the NAT service on Router R2, you must associate the previously configured rule (nat64) and service interface (sp-5/0/0) with the service set. You also include a system log configuration. To configure these settings at the [edit services service-set service-set-name] hierarchy level:

1. Configure the system log.

   [edit services service-set set_0]
   syslog {
       host local {
           services any;
           log-prefix XXXSVC-SETYYY;
       }
   }

2. Associate the NAT rule and the service interface with the service set at the [edit services service-set service-set-name] hierarchy level.

   [edit services]
   service-set set_0 {
       nat-rules nat64;
       interface-service {
           service-interface sp-5/0/0;
       }
   }

3. On Router R2, commit the configuration.

   user@R2# commit check
   configuration check succeeds
   user@R2# commit

Verifying NAT64 Operation

You can use the following features to verify your NAT64 configuration:

• CLI commands on the router
• Logging

You can also use a test tool that can generate IPv6 flows directed to the MX Series router, using the well-known prefix (64:FF9B::/96) as the destination.

NAT64-related commands leverage the existing commands for NAPT44. Among others, you can use the following CLI commands to verify your NAT64 configuration:

• show services stateful-firewall flows
• show services stateful-firewall conversations
• show services nat pool detail
• show services stateful-firewall statistics extensive

In this example:

• In the input direction, the IPv4 destination address is fetched from the IPv6 destination address whose prefix matches the destination-prefix configured, from the specified prefix length.
• In the reverse or output direction, the IPv4 address is suffixed to the destination-prefix at the prefix length specified.

To confirm the NAT64 configuration, perform these tasks:

• Display NAT64 Flows on page 235
• Display NAT64 Conversations on page 236
• Display Global NAT Pool-Related Statistics on page 237

• Check System Logs on page 237
• Verify That NAT64 Conversations Take Place on page 238

Display NAT64 Flows

Purpose

Display and verify that the NAT64 flows are created and contain correct network address translation.

Action

To display the NAT64 flows on Router R2, use the show services stateful-firewall flows command.

user@R2> show services stateful-firewall flows
Interface: sp-5/0/0, Service set: set_0
Flow                                             State    Dir  Frm count
TCP  2001:db8::4:1160 ->64:ff9b::c000:201:80     Forward  I    5
  NAT source 2001:db8::4:1160 -> 203.0.113.1:1350
  NAT dest   64:ff9b::c000:201:80 -> 192.0.2.1:80
TCP  192.0.2.1:80 -> 203.0.113.1:1376            Forward  O    4
  NAT source 192.0.2.1:80 -> 64:ff9b::c000:201:80
  NAT dest   203.0.113.1:1376 -> 2001:db8::3:1120
TCP  192.0.2.1:80 -> 203.0.113.1:1428            Forward  O    4
  NAT source 192.0.2.1:80 -> 64:ff9b::c000:201:80
  NAT dest   203.0.113.1:1428 -> 2001:db8::4:1172
TCP  2001:db8::3:1110 ->64:ff9b::c000:201:80     Forward  I    5
  NAT source 2001:db8::3:1110 -> 203.0.113.1:1346
  NAT dest   64:ff9b::c000:201:80 -> 192.0.2.1:80
TCP  192.0.2.1:80 -> 203.0.113.1:1413            Forward  O    4
  NAT source 192.0.2.1:80 -> 64:ff9b::c000:201:80
  NAT dest   203.0.113.1:1413 -> 2001:db8::4:1167
TCP  192.0.2.1:80 -> 203.0.113.1:1393            Forward  O    4
  NAT source 192.0.2.1:80 -> 64:ff9b::c000:201:80
  NAT dest   203.0.113.1:1393 -> 2001:db8::2:1157
TCP  192.0.2.1:80 -> 203.0.113.1:1346            Forward  O    4
  NAT source 192.0.2.1:80 -> 64:ff9b::c000:201:80
  NAT dest   203.0.113.1:1346 -> 2001:db8::3:1110

Meaning

In the sample output, the NAT source and NAT destination addresses of the Input (I) and Output (O) directions are displayed. The NAT64 flows listed in this output are in no specific order.
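The /96 prefix handling described in the two direction bullets above (extract the IPv4 address in the input direction, suffix it to the prefix in the output direction), plus a consistency check over NAT source / NAT dest lines in the shape of the flows output, as an added Python example that is not part of the original guide. The sample lines are constructed from the output above; the function names are mine.

```python
import ipaddress
import re

# The well-known prefix configured as destination-prefix in the NAT64 rule above.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def embed_ipv4(ipv4, prefix=NAT64_PREFIX):
    """Output direction: suffix the IPv4 address to the /96 prefix (low 32 bits)."""
    if prefix.prefixlen != 96:
        raise ValueError("only the /96 suffix form is handled here")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def extract_ipv4(ipv6, prefix=NAT64_PREFIX):
    """Input direction: fetch the IPv4 address from an IPv6 address carrying the prefix."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        raise ValueError(f"{v6} does not carry NAT64 prefix {prefix}")
    return ipaddress.IPv4Address(int(v6) & 0xFFFF_FFFF)


# Matches the indented "NAT source" / "NAT dest" lines of the flows output.
NAT_LINE = re.compile(r"^\s*NAT (source|dest)\s+(\S+)\s+->\s+(\S+)\s*$")


def split_endpoint(endpoint):
    """'addr:port' -> (ip_address, port); the last colon separates the port, as in the CLI output."""
    addr, port = endpoint.rsplit(":", 1)
    return ipaddress.ip_address(addr), int(port)


def audit_nat64_flows(text, prefix=NAT64_PREFIX):
    """Check every prefix-bearing translation line; return (lines_checked, problems)."""
    checked, problems = 0, []
    for line in text.splitlines():
        m = NAT_LINE.match(line)
        if not m:
            continue
        (a_addr, a_port), (b_addr, b_port) = split_endpoint(m.group(2)), split_endpoint(m.group(3))
        if a_addr.version == 6 and b_addr.version == 4 and a_addr in prefix:
            expected = extract_ipv4(str(a_addr), prefix)   # input: v6 destination -> v4 server
        elif a_addr.version == 4 and b_addr.version == 6 and b_addr in prefix:
            expected = embed_ipv4(str(a_addr), prefix)     # output: v4 server -> v6 source
        else:
            continue  # client <-> transport-address (pool) lines are stateful; not checkable here
        checked += 1
        if expected != b_addr:
            problems.append(f"address mismatch: {line.strip()} (expected {expected})")
        if a_port != b_port:
            # In the sample output the port is carried unchanged under the prefix translation.
            problems.append(f"port changed under prefix translation: {line.strip()}")
    return checked, problems


# Constructed sample in the shape of the show services stateful-firewall flows output.
SAMPLE_FLOWS = """\
TCP  2001:db8::4:1160 ->64:ff9b::c000:201:80     Forward  I    5
  NAT source 2001:db8::4:1160 -> 203.0.113.1:1350
  NAT dest   64:ff9b::c000:201:80 -> 192.0.2.1:80
TCP  192.0.2.1:80 -> 203.0.113.1:1376            Forward  O    4
  NAT source 192.0.2.1:80 -> 64:ff9b::c000:201:80
  NAT dest   203.0.113.1:1376 -> 2001:db8::3:1120
"""

if __name__ == "__main__":
    print(embed_ipv4("192.0.2.1"), extract_ipv4("64:ff9b::c000:201"))
    print(audit_nat64_flows(SAMPLE_FLOWS))
```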

Display NAT64 Conversations

Purpose

Display and verify that the NAT64 conversations (collections of related flows) are correct.

Action

To display NAT64 conversations on Router R2, use the show services stateful-firewall conversations command.

user@R2> show services stateful-firewall conversations
Interface: sp-5/0/0, Service set: set_0

Conversation: ALG protocol: tcp
  Number of initiators: 1, Number of responders: 1
Flow                                             State    Dir  Frm count
TCP  2001:db8::3:1169 ->64:ff9b::c000:201:80     Forward  I    5
  NAT source 2001:db8::3:1169 -> 203.0.113.1:1523
  NAT dest   64:ff9b::c000:201:80 -> 192.0.2.1:80
TCP  192.0.2.1:80 -> 203.0.113.1:1523            Forward  O    4
  NAT source 192.0.2.1:80 -> 64:ff9b::c000:201:80
  NAT dest   203.0.113.1:1523 -> 2001:db8::3:1169

Conversation: ALG protocol: tcp
  Number of initiators: 1, Number of responders: 1
Flow                                             State    Dir  Frm count
TCP  2001:db8::4:1213 ->64:ff9b::c000:201:80     Forward  I    5
  NAT source 2001:db8::4:1213 -> 203.0.113.1:1551
  NAT dest   64:ff9b::c000:201:80 -> 192.0.2.1:80
TCP  192.0.2.1:80 -> 203.0.113.1:1551            Forward  O    4
  NAT source 192.0.2.1:80 -> 64:ff9b::c000:201:80
  NAT dest   203.0.113.1:1551 -> 2001:db8::4:1213

Conversation: ALG protocol: tcp
  Number of initiators: 1, Number of responders: 1
Flow                                             State    Dir  Frm count
TCP  2001:db8::3:1188 ->64:ff9b::c000:201:80     Forward  I    5
  NAT source 2001:db8::3:1188 -> 203.0.113.1:1580
  NAT dest   64:ff9b::c000:201:80 -> 192.0.2.1:80
TCP  192.0.2.1:80 -> 203.0.113.1:1580            Forward  O    4
  NAT source 192.0.2.1:80 -> 64:ff9b::c000:201:80
  NAT dest   203.0.113.1:1580 -> 2001:db8::3:1188

Conversation: ALG protocol: tcp
  Number of initiators: 1, Number of responders: 1
Flow                                             State    Dir  Frm count
TCP  2001:db8::2:1233 ->64:ff9b::c000:201:80     Forward  I    5
  NAT source 2001:db8::2:1233 -> 203.0.113.1:1621
  NAT dest   64:ff9b::c000:201:80 -> 192.0.2.1:80
TCP  192.0.2.1:80 -> 203.0.113.1:1621            Forward  O    4
  NAT source 192.0.2.1:80 -> 64:ff9b::c000:201:80
  NAT dest   203.0.113.1:1621 -> 2001:db8::2:1233

Conversation: ALG protocol: tcp
  Number of initiators: 1, Number of responders: 1
Flow                                             State    Dir  Frm count
TCP  2001:db8::2:1218 ->64:ff9b::c000:201:80     Forward  I    5
  NAT source 2001:db8::2:1218 -> 203.0.113.1:1575
  NAT dest   64:ff9b::c000:201:80 -> 192.0.2.1:80
TCP  192.0.2.1:80 -> 203.0.113.1:1575            Forward  O    4
  NAT source 192.0.2.1:80 -> 64:ff9b::c000:201:80
  NAT dest   203.0.113.1:1575 -> 2001:db8::2:1218

0. You normally use this command in conjunction with the show services stateful-firewall flows command used in “Display NAT64 Flows” on page 235.254 Port range: 512-65535.154 Meaning The sample output displays relevant statistics and information about the NAT64 pools.113. Juniper Networks.0.113.1:80 -> 203.113.0. user@R2> show services nat pool detail Interface: sp-5/0/0.0.113.0.1:80 -> 203.0.2.113.0. Translation type: static Address range: 0.113.1:1554 -> 2001:db8::2:1211 Frm count 5 4 Frm count 5 4 Meaning The sample output displays the NAT64 conversations between specific pairs of hosts.100. To display global NAT pool-related statistics on Router R2. 237 .1:80 192.1-203.2.1:80 -> 203. Check System Logs Purpose Check the system logs because the system creates detailed logs as sessions are created and deleted.2.0.2.2.155-0. Ports in use: 102.0. which displays the source and output of the translation.1:80 -> 64:ff9b::c000:201:21286 NAT dest 203.Chapter 10: Carrier-Grade NAT Configuration Guidelines NAT dest TCP 64:ff9b::c000:201:80 -> 192.0.0.1:1572 -> 2001:db8::4:1220 Conversation: ALG protocol: tcp Number of initiators: 1.1:80 TCP 192.0. Out of port errors: 0.255.1:1575 Forward O NAT source 192.1:80 TCP 192.1:1554 Forward O NAT source 192.1:80 -> 64:ff9b::c000:201:21367 NAT dest 203.2.113.100.2.1:1575 -> 2001:db8::2:1218 4 Conversation: ALG protocol: tcp Number of initiators: 1.1:1554 NAT dest 64:ff9b::c000:201:80 -> 192.1:80 -> 64:ff9b::c000:201:21367 NAT dest 203.0. Inc.0. Max ports used: 192 NAT pool: _jpool_nat64_t1_. Translation type: dynamic Address range: 203.113. Number of responders: 1 Flow State Dir TCP 2001:db8::4:1220 ->64:ff9b::c000:201:80 Forward I NAT source 2001:db8::4:1220 -> 203. Copyright © 2011. use the show services nat pool detail command.113. 
Display Global NAT Pool-Related Statistics Purpose Action Display and verify global NAT statistics related to pool usage.1:1572 NAT dest 64:ff9b::c000:201:80 -> 192.0.1:1572 Forward O NAT source 192.2.113.0.255. Service set: set_0 NAT pool: src-pool-nat64. Number of responders: 1 Flow State Dir TCP 2001:db8::2:1211 ->64:ff9b::c000:201:80 Forward I NAT source 2001:db8::2:1211 -> 203.0.0.0.2.

Action: When a session is created based on the example setup, two logs are provided. The first log indicates the rule and term that the packet matched. The second log indicates the flow creation, as follows:

    user@R2> show log messages
    Oct 21 22:14:14 H1 (FPC Slot 5, PIC Slot 0) XXXSVC-SETYYY{set_0}[FWNAT]: ASP_SFW_CREATE_ACCEPT_FLOW: proto 6 (TCP) application: any, ge-1/3/5.0:2001:db8:0:0:0:0:0:1:1025 -> 64:ff9b:0:0:0:0:c000:201:80, creating forward or watch flow ; source address and port translate to 203.0.113.1:1593 ; destination address translates to 192.0.2.1

When the sessions end, the system creates a log indicating the NAT pool address and port release, in addition to the delete flow log:

    Oct 21 22:14:17 H1 (FPC Slot 5, PIC Slot 0) XXXSVC-SETYYY{set_0}[FWNAT]: ASP_SFW_DELETE_FLOW: proto 6 (TCP) application: any, (null)(null)2001:db8:0:0:0:0:0:1:1025 -> 64:ff9b:0:0:0:0:c000:201:80, deleting forward or watch flow ; source address and port translate to 203.0.113.1:1593 ; destination address translates to 192.0.2.1
    Oct 21 22:14:17 H1 (FPC Slot 5, PIC Slot 0) XXXSVC-SETYYY{set_0}[FWNAT]:ASP_NAT_POOL_RELEASE: natpool release 203.0.113.1:1593[1]

Meaning: The sample output displays the log messages that can be seen when a session is created and when a session ends.

Verify That NAT64 Conversations Take Place

Purpose: Verify that the NAT64 conversations are taking place.

Action: To verify that the NAT64 conversations are occurring on Router R2, use the show services stateful-firewall conversations command. Current support for application-layer gateway (ALG) is limited to ICMP and traceroute. The following is sample output for an ICMP echo test (ping).

    user@R2> show services stateful-firewall conversations
    Interface: sp-5/0/0, Service set: set_0
    Conversation: ALG protocol: icmpv6
      Number of initiators: 1, Number of responders: 1
    Flow                                             State   Dir   Frm count
    ICMPV6  2001:db8::2 -> 64:ff9b::c000:201         Watch   I     21
      NAT source 2001:db8::2 -> 203.0.113.1
      NAT dest   64:ff9b::c000:201 -> 192.0.2.1
    ICMP    192.0.2.1 -> 203.0.113.1                 Watch   O     21
      NAT source 192.0.2.1 -> 64:ff9b::c000:201
      NAT dest   203.0.113.1 -> 2001:db8::2

Meaning: The sample output displays the results of the ICMP echo test.

Related Documentation
  • Stateful NAT64 Overview
  • Example: Configuring Dual-Stack Lite for IPv6 Access

CHAPTER 11

Summary of Carrier-Grade NAT Configuration Statements

The following sections explain each of the Network Address Translation (NAT) statements. The statements are organized alphabetically.

address

Syntax: address ip-prefix</prefix-length>;
Hierarchy Level: [edit services nat pool nat-pool-name]
Release Information: Statement introduced before Junos OS Release 7.4. prefix option enhanced to support IPv6 addresses in Junos OS Release 8.5.
Description: Specify the NAT pool prefix value.
Options:
  prefix—Specify an IPv4 or IPv6 prefix value.
Required Privilege Level:
  interface—To view this statement in the configuration.
  interface-control—To add this statement to the configuration.
Related Documentation:
  • Configuring Addresses and Ports for Use in NAT Rules on page 151

address-allocation

Syntax: address-allocation round-robin;
Hierarchy Level: [edit services nat pool pool-name]
Release Information: Statement introduced in Junos OS Release 11.2.
Description: When you use round-robin allocation, one port is allocated from each address in a range before repeating the process for each address in the next range. After ports have been allocated for all addresses in the last range, the allocation process wraps around and allocates the next unused port for addresses in the first range.
Required Privilege Level:
  interface—To view this statement in the configuration.
  interface-control—To add this statement to the configuration.
Related Documentation:
  • Configuring Addresses and Ports for Use in NAT Rules on page 151

address-pooling

Syntax: address-pooling paired;
Hierarchy Level: [edit services nat rule rule-name term term-name then translated]
Release Information: Statement introduced in JUNOS Release 10.1.
Description: Specify the NAT address pooling behavior.
Options:
  paired—Currently, the only valid setting specifies paired address pooling behavior.
Required Privilege Level:
  interface—To view this statement in the configuration.
  interface-control—To add this statement to the configuration.
Related Documentation:
  • Configuring Actions in NAT Rules on page 159
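To make the wrap-around described for address-allocation round-robin concrete, the following Python model is an added example (not Junos code): it implements that allocation order next to a first-fit allocator, on constructed address ranges and port numbers, so the spread of one subscriber's flows over the pool's public addresses can be compared.

```python
"""Round-robin versus first-fit address allocation in a NAT pool.

Added example, not Junos code. It models the address-allocation round-robin
order (one port from each address in a range, then the next range, wrapping to
the first range after the last) beside a first-fit allocator. The address
ranges and port numbers are constructed for this example.
"""
import ipaddress


def expand_ranges(ranges):
    """Flatten [(low, high), ...] IPv4 ranges, in configuration order, into one address list."""
    addresses = []
    for low, high in ranges:
        start, stop = int(ipaddress.IPv4Address(low)), int(ipaddress.IPv4Address(high))
        addresses.extend(str(ipaddress.IPv4Address(i)) for i in range(start, stop + 1))
    return addresses


class NatPool:
    def __init__(self, ranges, port_low, port_high, round_robin):
        self.addresses = expand_ranges(ranges)
        self.port_high = port_high
        self.next_port = {a: port_low for a in self.addresses}  # next unused port per address
        self.round_robin = round_robin
        self.cursor = 0  # round-robin: index of the address that receives the next port

    def allocate(self):
        """Return (address, port) for a new flow, or None once every port is in use."""
        n = len(self.addresses)
        for i in range(n):
            if self.round_robin:
                idx = self.cursor
                self.cursor = (self.cursor + 1) % n  # after the last range, wrap to the first
            else:
                idx = i  # first-fit: lowest address that still has a free port
            addr = self.addresses[idx]
            port = self.next_port[addr]
            if port <= self.port_high:
                self.next_port[addr] = port + 1
                return addr, port
        return None


def spread(pool, flows):
    """Allocate `flows` ports and return how many distinct public addresses they landed on."""
    used = set()
    for _ in range(flows):
        alloc = pool.allocate()
        if alloc is None:
            break
        used.add(alloc[0])
    return len(used)


# Constructed pool: two address ranges of two addresses each, two ports per address.
RANGES = [("203.0.113.1", "203.0.113.2"), ("203.0.113.10", "203.0.113.11")]
```

Under round-robin a subscriber's consecutive flows land on different public addresses, so attributing traffic to the subscriber relies on the per-flow logs rather than on the public address alone.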

address-range

Syntax: address-range low minimum-value high maximum-value;
Hierarchy Level: [edit services nat pool nat-pool-name]
Release Information: Statement introduced before Junos OS Release 7.4. minimum-value and maximum-value options enhanced to support IPv6 addresses in Junos OS Release 8.5.
Description: Specify the NAT pool address range.
Options:
  minimum-value—Lower boundary for the IPv4 or IPv6 address range.
  maximum-value—Upper boundary for the IPv4 or IPv6 address range.
Required Privilege Level:
  interface—To view this statement in the configuration.
  interface-control—To add this statement to the configuration.
Related Documentation:
  • Configuring Addresses and Ports for Use in NAT Rules on page 151

application-sets

Syntax: application-sets set-name;
Hierarchy Level: [edit services nat rule rule-name term term-name from]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Define one or more target application sets.
Options:
  set-name—Name of the target application set.
Required Privilege Level:
  interface—To view this statement in the configuration.
  interface-control—To add this statement to the configuration.
Related Documentation:
  • Configuring Match Conditions in NAT Rules on page 158

applications

Syntax: applications [ application-names ];
Hierarchy Level: [edit services nat rule rule-name term term-name from]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Define one or more application protocols to which the NAT services apply.
Options:
  application-name—Name of the target application.
Required Privilege Level:
  interface—To view this statement in the configuration.
  interface-control—To add this statement to the configuration.
Related Documentation:
  • Configuring Match Conditions in NAT Rules on page 158

destination-address

Syntax: destination-address (address | any-unicast) <except>;
Hierarchy Level: [edit services nat rule rule-name term term-name from]
Release Information: Statement introduced before Junos OS Release 7.4. any-unicast and except options introduced in Junos OS Release 7.6. address option enhanced to support IPv6 addresses in Junos OS Release 8.5.
Description: Specify the destination address for rule matching.
Options:
  address—Destination IPv4 or IPv6 address or prefix value.
  any-unicast—Any unicast packet.
  except—(Optional) Prevent the specified address, prefix, or unicast packets from being translated.
Required Privilege Level:
  interface—To view this statement in the configuration.
  interface-control—To add this statement to the configuration.
Related Documentation:
  • Configuring Match Conditions in NAT Rules on page 158

destination-address-range

Syntax: destination-address-range low minimum-value high maximum-value <except>;
Hierarchy Level: [edit services nat rule rule-name term term-name from]
Release Information: Statement introduced in Junos OS Release 7.6. minimum-value and maximum-value options enhanced to support IPv6 addresses in Junos OS Release 8.5.
Description: Specify the destination address range for rule matching.
Options:
  minimum-value—Lower boundary for the IPv4 or IPv6 address range.
  maximum-value—Upper boundary for the IPv4 or IPv6 address range.
  except—(Optional) Prevent the specified address range from being translated.
Required Privilege Level:
  interface—To view this statement in the configuration.
  interface-control—To add this statement to the configuration.
Related Documentation:
  • Configuring Match Conditions in NAT Rules on page 158

destination-pool

Syntax: destination-pool nat-pool-name;
Hierarchy Level: [edit services nat rule rule-name term term-name then translated]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Specify the destination address pool for translated traffic.
Options:
  nat-pool-name—Destination pool name.
Required Privilege Level:
  interface—To view this statement in the configuration.
  interface-control—To add this statement to the configuration.
Related Documentation:
  • Configuring Actions in NAT Rules on page 159

destination-port range

Syntax: destination-port range high | low;
Hierarchy Level: [edit services nat rule rule-name term term-name from]
Release Information: Statement introduced in Junos OS Release 11.4.
Description: Specify the destination port range for rule matching.
Options:
  high—Upper limit of port range for matching.
  low—Lower limit of port range for matching.
Required Privilege Level:
  interface—To view this statement in the configuration.
  interface-control—To add this statement to the configuration.
Related Documentation:
  • Configuring Port Forwarding for Static Destination Address Translation on page 179

destination-prefix

Syntax: destination-prefix destination-prefix;
Hierarchy Level: [edit services nat rule rule-name term term-name then translated]
Release Information: Statement introduced in Junos OS Release 7.6. destination-prefix option enhanced to support IPv6 addresses in Junos OS Release 8.5.
Description: Specify the destination prefix for translated traffic.
Options:
  destination-prefix—IPv4 or IPv6 destination prefix value.
Required Privilege Level:
  interface—To view this statement in the configuration.
  interface-control—To add this statement to the configuration.
Related Documentation:
  • Configuring Actions in NAT Rules on page 159

destination-prefix-list

Syntax: destination-prefix-list list-name <except>;
Hierarchy Level: [edit services nat rule rule-name term term-name from]
Release Information: Statement introduced in Junos OS Release 8.2.
Description: Specify the destination prefix list for rule matching. You configure the prefix list by including the prefix-list statement at the [edit policy-options] hierarchy level.
Options:
  list-name—Destination prefix list.
  except—(Optional) Exclude the specified prefix list from rule matching.
Required Privilege Level:
  interface—To view this statement in the configuration.
  interface-control—To add this statement to the configuration.
Related Documentation:
  • Configuring Match Conditions in NAT Rules on page 158
  • Junos OS Routing Policy Configuration Guide

destined-port

Syntax: destined-port port id;
Hierarchy Level: [edit services nat port-forwarding map-name]
Release Information: Statement introduced in Junos OS Release 11.4.
Description: Specify the port from which traffic has to be forwarded.
Options:
  port id—The destination port number from which traffic will be forwarded.
Required Privilege Level:
  interface—To view this statement in the configuration.
  interface-control—To add this statement to the configuration.
Related Documentation:
  • port-forwarding on page 255
  • translated-port on page 266

dns-alg-pool

Syntax: dns-alg-pool dns-alg-pool;
Hierarchy Level: [edit services nat rule rule-name term term-name then translated]
Release Information: Statement introduced in Junos OS Release 10.4.
Description: Specify the Network Address Translation (NAT) pool for destination translation.
Required Privilege Level:
  interface—To view this statement in the configuration.
  interface-control—To add this statement to the configuration.

dns-alg-prefix

Syntax: dns-alg-prefix dns-alg-prefix;
Hierarchy Level: [edit services nat rule rule-name term term-name then translated]
Release Information: Statement introduced in Junos OS Release 10.4.
Description: Set the Domain Name System (DNS) application-level gateway (ALG) 96-bit prefix for mapping IPv4 addresses to IPv6 addresses.
Required Privilege Level:
  interface—To view this statement in the configuration.
  interface-control—To add this statement to the configuration.

filtering-type

Syntax: filtering-type endpoint-independent;
Hierarchy Level: [edit services nat rule rule-name term term-name then translated]
Release Information: Statement introduced in JUNOS Release 10.1.
Description: Specify the NAT filtering behavior for sessions initiated from outside to inside.
Options:
  endpoint-independent—Currently, the only valid setting specifies endpoint-independent filtering behavior.
Required Privilege Level:
  interface—To view this statement in the configuration.
  interface-control—To add this statement to the configuration.
Related Documentation:
  • Configuring Actions in NAT Rules on page 159

from

Syntax:
  from {
      application-sets set-name;
      applications [ application-names ];
      destination-address (address | any-unicast) <except>;
      destination-address-range low minimum-value high maximum-value <except>;
      source-address (address | any-unicast) <except>;
      source-address-range low minimum-value high maximum-value <except>;
  }
Hierarchy Level: [edit services nat rule rule-name term term-name]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Specify input conditions for the NAT term. For information on match conditions, see the description of firewall filter match conditions in the Junos OS Routing Policy Configuration Guide.
Options: The remaining statements are explained separately.
Required Privilege Level:
  interface—To view this statement in the configuration.
  interface-control—To add this statement to the configuration.
Related Documentation:
  • Configuring NAT Rules on page 156

hint

Syntax: hint [ hint-strings ];
Hierarchy Level: [edit services nat pool nat-pool-name pgcp]
Release Information: Statement introduced in Junos OS Release 9.0.
Description: Configure a hint that enables the border gateway function (BGF) to choose a NAT pool by direction rather than by virtual interface. The BGF matches the configured hint with a termination hint located in the Direction field of a nonstandard termination ID.
Default: When no hint is configured, the BGF can choose any NAT pool associated with the virtual interface.
Options:
  hint-string—Alphanumeric string of up to three characters that the BGF uses to match with a termination hint located in the Direction field of a nonstandard termination ID. You can also include underscores (_) and hyphens (-) within the string. To specify a list of hints, use the format: [ hint xx hint yy ].
Required Privilege Level:
  interface—To view this statement in the configuration.
  interface-control—To add this statement to the configuration.
Related Documentation:
  • Session Border Control Solutions Guide Using BGF and IMSG

ipv6-multicast-interfaces

Syntax:
  ipv6-multicast-interfaces (all | interface-name) {
      disable;
  }
Hierarchy Level:
  [edit services nat]
  [edit services softwire]
Release Information: Statement introduced in Junos OS Release 9.1.
Description: Enable multicast filters on Ethernet interfaces when IPv6 NAT is used for neighbor discovery.
Options:
  all—Enable filters on all interfaces.
  interface-name—Enable filters on a specific interface only.
  disable—Disable filters on the specified interfaces.
Required Privilege Level:
  interface—To view this statement in the configuration.
  interface-control—To add this statement to the configuration.
Related Documentation:
  • Configuring IPv6 Multicast Filters on page 151
  • Configuring IPv6 Multicast Interfaces on page 868

mapping-type

Syntax: mapping-type endpoint-independent;
Hierarchy Level: [edit services nat rule rule-name term term-name then translated]
Release Information: Statement introduced in JUNOS Release 10.1.
Description: Specify the source NAT mapping type.
Options:
  endpoint-independent—Currently, the only valid setting specifies endpoint-independent mapping behavior.
Required Privilege Level:
  interface—To view this statement in the configuration.
  interface-control—To add this statement to the configuration.
Related Documentation:
  • Configuring Actions in NAT Rules on page 159

match-direction

Syntax: match-direction (input | output);
Hierarchy Level: [edit services nat rule rule-name]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Specify the direction in which the rule match is applied.
Options:
  input—Apply the rule match on input.
  output—Apply the rule match on output.
Required Privilege Level:
  interface—To view this statement in the configuration.
  interface-control—To add this statement to the configuration.
Related Documentation:
  • Configuring NAT Rules on page 156

no-translation

Syntax: no-translation;
Hierarchy Level: [edit services nat rule rule-name term term-name then]
Release Information: Statement introduced in Junos OS Release 7.6.
Description: Specify that traffic is not to be translated.
Options: none
Required Privilege Level:
  interface—To view this statement in the configuration.
  interface-control—To add this statement to the configuration.
Related Documentation:
  • Configuring Actions in NAT Rules on page 159

overload-pool

Syntax: overload-pool overload-pool-name;
Hierarchy Level: [edit services nat rule rule-name term term-name then translated]
Release Information: Statement introduced in Junos OS Release 7.6.
Description: Specify an address pool that can be used if the source pool becomes exhausted.
Options:
  overload-pool-name—Name of the overload pool.
Required Privilege Level:
  interface—To view this statement in the configuration.
  interface-control—To add this statement to the configuration.
Related Documentation:
  • Configuring Actions in NAT Rules on page 159

overload-prefix

Syntax: overload-prefix overload-prefix;
Hierarchy Level: [edit services nat rule rule-name term term-name then translated]
Release Information: Statement introduced in Junos OS Release 7.6.
Description: Specify the prefix that can be used if the source pool becomes exhausted.
Options:
  overload-prefix—Prefix value.
Required Privilege Level:
  interface—To view this statement in the configuration.
  interface-control—To add this statement to the configuration.
Related Documentation:
  • Configuring Actions in NAT Rules on page 159

pgcp

Syntax:
  pgcp {
      hint [ hint-strings ];
      ports-per-session ports;
      remotely-controlled;
      transport [ transport-protocols ];
  }
Hierarchy Level: [edit services nat pool nat-pool-name]
Release Information: Statement introduced in Junos OS Release 8.4. remotely-controlled and ports-per-session statements added in Junos OS Release 8.5. hint statement added in Junos OS Release 9.0.
Description: Specify that the NAT pool is used exclusively by the BGF.
Required Privilege Level:
  interface—To view this statement in the configuration.
  interface-control—To add this statement to the configuration.
Related Documentation:
  • Session Border Control Solutions Guide Using BGF and IMSG

pool

Syntax:
  pool nat-pool-name {
      address ip-prefix</prefix-length>;
      address-allocation round-robin;
      address-range low minimum-value high maximum-value;
      mapping-timeout seconds;
      pgcp {
          hint [ hint-strings ];
          ports-per-session ports;
          remotely-controlled;
          transport [ transport-protocols ];
      }
      port (automatic | range low minimum-value high maximum-value) {
          preserve-parity;
          preserve-range;
          secured-port-block-allocation {
              active-block-timeout timeout-seconds;
              block-size block-size;
              max-blocks-per-user max-blocks;
          }
      }
  }
Hierarchy Level: [edit services nat]
Release Information: Statement introduced before Junos OS Release 7.4. pgcp statement added in Junos OS Release 8.4. remotely-controlled and ports-per-session statements added in Junos OS Release 8.5. hint statement added in Junos OS Release 9.0. address-allocation statement added in Junos OS Release 11.2.
Description: Specify the NAT name and properties.
Options:
  nat-pool-name—Identifier for the NAT address pool.
  The remaining statements are explained separately.
Required Privilege Level:
  interface—To view this statement in the configuration.
  interface-control—To add this statement to the configuration.
Related Documentation:
  • Configuring Addresses and Ports for Use in NAT Rules on page 151

port

Syntax:
  port (automatic | range low minimum-value high maximum-value) {
      preserve-parity;
      preserve-range;
      secured-port-block-allocation {
          active-block-timeout timeout-seconds;
          block-size block-size;
          max-blocks-per-user max-blocks;
      }
  }
Hierarchy Level: [edit services nat pool nat-pool-name]
Release Information: port statement introduced before Junos OS Release 7.4. random-allocation statement introduced in Junos OS Release 9.3.
Description: Specify the NAT pool port or range. You can configure an automatically assigned port or specify a range with minimum and maximum values.
Options:
  automatic—Router-assigned port.
  minimum-value—Lower boundary for the port range.
  maximum-value—Upper boundary for the port range.
  preserve-parity—Allocate ports with the same parity as the original port.
  preserve-range—Preserve the privileged port range after translation.
  Other options are described separately.
Required Privilege Level:
  interface—To view this statement in the configuration.
  interface-control—To add this statement to the configuration.
Related Documentation:
  • Configuring Addresses and Ports for Use in NAT Rules on page 151

port-forwarding

Syntax:
  port-forwarding map-name {
      destined-port;
      translated-port;
  }
Hierarchy Level: [edit services nat]
Release Information: Statement introduced in Junos OS Release 11.4.
Description: Specify the mapping for port forwarding.
Options:
  map-name—Identifier for the port forwarding mapping.
Required Privilege Level:
  interface—To view this statement in the configuration.
  interface-control—To add this statement to the configuration.

port-forwarding-mappings

Syntax: port-forwarding-mappings map-name;
Hierarchy Level: [edit services nat rule rule-name term term-name then]
Release Information: Statement introduced in Junos OS Release 11.4.
Description: Specify the name for mapping port forwarding in a Network Address Translation configuration.
Options:
  map-name—Identifier for the port forwarding map.
Required Privilege Level:
  interface—To view this statement in the configuration.
  interface-control—To add this statement to the configuration.

ports-per-session

Syntax: ports-per-session ports;
Hierarchy Level: [edit services nat pool nat-pool-name pgcp]
Release Information: Statement introduced in Junos OS Release 8.5.
Description: Configure the number of ports required to support Real-Time Transport Protocol (RTP), Real-Time Control Protocol (RTCP), Real-Time Streaming Protocol (RTSP), and forward error correction (FEC) for voice and video flows on the Multiservices PIC.
Options:
  number-of-ports—Number of ports to enable: 2 or 4 for combined voice and video services.
  Default: 2
Required Privilege Level:
  interface—To view this statement in the configuration.
  interface-control—To add this statement to the configuration.
Related Documentation:
  • Session Border Control Solutions Guide Using BGF and IMSG

remotely-controlled

Syntax: remotely-controlled;
Hierarchy Level: [edit services nat pool nat-pool-name pgcp]
Release Information: Statement introduced in Junos OS Release 8.5.
Description: Configure the addresses and ports in a NAT pool to be remotely controlled by the gateway controller.
Required Privilege Level:
  interface—To view this statement in the configuration.
  interface-control—To add this statement to the configuration.
Related Documentation:
  • Session Border Control Solutions Guide Using BGF and IMSG

rule

Syntax:
  rule rule-name {
      match-direction (input | output);
      term term-name {
          from {
              application-sets set-name;
              applications [ application-names ];
              destination-address (address | any-unicast) <except>;
              destination-address-range low minimum-value high maximum-value <except>;
              source-address (address | any-unicast) <except>;
              source-address-range low minimum-value high maximum-value <except>;
          }
          then {
              no-translation;
              syslog;
              translated {
                  address-pooling paired;
                  destination-pool nat-pool-name;
                  destination-prefix destination-prefix;
                  dns-alg-pool dns-alg-pool;
                  dns-alg-prefix dns-alg-prefix;
                  filtering-type endpoint-independent;
                  mapping-type endpoint-independent;
                  overload-pool overload-pool;
                  overload-prefix overload-prefix;
                  source-pool nat-pool-name;
                  source-prefix source-prefix;
                  translation-type (basic-nat-pt | basic-nat44 | basic-nat66 | dnat-44 | dynamic-nat44 | napt-44 | napt-66 | napt-pt | stateful-nat64 | twice-basic-nat-44 | twice-dynamic-nat-44 | twice-napt-44);
              }
          }
      }
  }
Hierarchy Level:
  [edit services nat]
  [edit services nat rule-set rule-set-name]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Specify the rule the router uses when applying this service.
Options:
  rule-name—Identifier for the collection of terms that make up this rule.
  The remaining statements are explained separately.
Required Privilege Level:
  interface—To view this statement in the configuration.
  interface-control—To add this statement to the configuration.
Related Documentation:
  • Configuring NAT Rules on page 156

rule-set

Syntax:
  rule-set rule-set-name {
      [ rule rule-names ];
  }
Hierarchy Level: [edit services nat]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Specify the rule set the router uses when applying this service.
Options:
  rule-set-name—Identifier for the collection of rules that constitute this rule set.
Required Privilege Level:
  interface—To view this statement in the configuration.
  interface-control—To add this statement to the configuration.
Related Documentation:
  • Configuring NAT Rule Sets on page 161

secured-port-block-allocation

Syntax:
  secured-port-block-allocation {
      active-block-timeout timeout-seconds;
      block-size block-size;
      max-blocks-per-user max-blocks;
  }
Hierarchy Level: [edit services nat pool pool-name port]
Release Information: Statement introduced in Junos OS Release 11.2.
Description: When you use block allocation, one or more blocks of ports in a NAT pool address range are available for assignment to a subscriber.
Options:
  timeout-seconds—Interval, in seconds, during which a block is active. After the timeout, a new block is allocated, even if ports are available in the active block. Any inactive block without any ports in use is freed to the NAT pool.
    Default: 0—The default timeout of the active block is 0 (infinite). In this case, the active block transitions to inactive only when it runs out of ports and a new block is allocated.
    Range: Any value greater than or equal to 120.
  block-size—Number of ports included in a block.
    Default: 128
    Range: 64 to 64,512
  max-blocks—Maximum number of blocks that can be allocated to a user.
    Default: 8
    Range: 1 to 2,048
Required Privilege Level:
  interface—To view this statement in the configuration.
  interface-control—To add this statement to the configuration.
Related Documentation:
  • Configuring Addresses and Ports for Use in NAT Rules on page 151
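The following Python model is an added example (not Junos code) of the block-allocation rules just described: block-size, max-blocks-per-user and active-block-timeout, including a block being returned to the pool only once it is inactive and has no ports in use. The port range, subscriber names and the simulated clock (in seconds) are constructed.

```python
"""Model of secured-port-block-allocation behaviour.

Added example, not Junos code. It follows the documented semantics: ports come
from the subscriber's active block; a new block is taken when the active block
is exhausted or, with a nonzero active-block-timeout, when the timeout elapses;
a subscriber holds at most max-blocks-per-user blocks; an inactive block with no
ports in use returns to the pool. Port range, users and clock are constructed.
"""


class PortBlockPool:
    def __init__(self, port_low, port_high, block_size=128, max_blocks_per_user=8,
                 active_block_timeout=0):
        # documented ranges: block-size 64-64512, max-blocks-per-user 1-2048,
        # active-block-timeout 0 (infinite) or at least 120 seconds
        if not 64 <= block_size <= 64512:
            raise ValueError("block-size must be between 64 and 64512")
        if not 1 <= max_blocks_per_user <= 2048:
            raise ValueError("max-blocks-per-user must be between 1 and 2048")
        if active_block_timeout != 0 and active_block_timeout < 120:
            raise ValueError("active-block-timeout must be 0 or at least 120")
        self.port_low, self.block_size = port_low, block_size
        self.max_blocks, self.timeout = max_blocks_per_user, active_block_timeout
        # blocks are carved from the pool's port range; each is identified by its first port
        self.free_blocks = list(range(port_low, port_high - block_size + 2, block_size))
        # user -> {"blocks": {first_port: set of ports in use}, "active": first_port, "since": time}
        self.users = {}

    def _block_of(self, port):
        return self.port_low + (port - self.port_low) // self.block_size * self.block_size

    def _retire_if_empty(self, u, first_port):
        # an inactive block with no ports in use goes back to the NAT pool
        if first_port != u["active"] and not u["blocks"][first_port]:
            del u["blocks"][first_port]
            self.free_blocks.append(first_port)

    def allocate(self, user, now):
        """Allocate one port for `user` at simulated time `now`. Returns None when no
        block can be taken (user at max-blocks-per-user, or pool out of blocks)."""
        u = self.users.setdefault(user, {"blocks": {}, "active": None, "since": None})
        previous = u["active"]
        need_block = previous is None
        if not need_block:
            exhausted = len(u["blocks"][previous]) >= self.block_size
            expired = self.timeout > 0 and now - u["since"] >= self.timeout
            need_block = exhausted or expired  # timeout forces a new block even with ports left
        if need_block:
            if len(u["blocks"]) >= self.max_blocks or not self.free_blocks:
                return None  # modelling choice: the request fails rather than reusing the old block
            first_port = self.free_blocks.pop(0)
            u["blocks"][first_port] = set()
            u["active"], u["since"] = first_port, now
            if previous is not None:
                self._retire_if_empty(u, previous)
        first_port = u["active"]
        in_use = u["blocks"][first_port]
        port = next(p for p in range(first_port, first_port + self.block_size) if p not in in_use)
        in_use.add(port)
        return port

    def release(self, user, port):
        """Return a port; its block is freed if that block is inactive and now empty."""
        u = self.users[user]
        first_port = self._block_of(port)
        u["blocks"][first_port].discard(port)
        self._retire_if_empty(u, first_port)

    def blocks_held(self, user):
        """First ports of the blocks currently assigned to `user`, ascending."""
        return sorted(self.users.get(user, {"blocks": {}})["blocks"])
```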

services

Syntax:
  services nat {
      ...
  }
Hierarchy Level: [edit]
Release Information: Statement introduced before Junos OS Release 7.4.
Description: Define the service rules to be applied to traffic.
Options:
  nat—Identifies the NAT set of rules statements.
Required Privilege Level:
  interface—To view this statement in the configuration.
  interface-control—To add this statement to the configuration.
Related Documentation:
  • Network Address Translation

source-address

Syntax: source-address (address | any-unicast) <except>;
Hierarchy Level: [edit services nat rule rule-name term term-name from]
Release Information: Statement introduced before Junos OS Release 7.4. any-unicast and except options introduced in Junos OS Release 7.6. address option enhanced to support IPv6 addresses in Junos OS Release 8.5.
Description: Specify the source address for rule matching.
Options:
  address—Source IPv4 or IPv6 address or prefix value.
  any-unicast—Any unicast packet.
  except—(Optional) Prevent the specified address or unicast packets from being translated.
Required Privilege Level:
  interface—To view this statement in the configuration.
  interface-control—To add this statement to the configuration.
Related Documentation:
  • Configuring Match Conditions in NAT Rules on page 158

source-address-range

Syntax
    source-address-range low minimum-value high maximum-value <except>;

Hierarchy Level
    [edit services nat rule rule-name term term-name from]

Release Information
    Statement introduced in Junos OS Release 7.5.
    minimum-value and maximum-value options enhanced to support IPv6 addresses in Junos OS Release 8.6.

Description
    Specify the source address range for rule matching.

Options
    minimum-value—Lower boundary for the IPv4 or IPv6 address range.
    maximum-value—Upper boundary for the IPv4 or IPv6 address range.
    except—(Optional) Prevent the specified address range from being translated.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • Configuring Match Conditions in NAT Rules on page 158

source-pool

Syntax
    source-pool nat-pool-name;

Hierarchy Level
    [edit services nat rule rule-name term term-name then translated]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Specify the source address pool for translated traffic.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • Configuring Actions in NAT Rules on page 159

source-prefix

Syntax
    source-prefix source-prefix;

Hierarchy Level
    [edit services nat rule rule-name term term-name then translated]

Release Information
    Statement introduced in Junos OS Release 7.5.
    source-prefix option enhanced to support IPv6 addresses in Junos OS Release 8.6.

Description
    Specify the source prefix for translated traffic.

Options
    source-prefix—IPv4 or IPv6 source prefix value.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • Configuring Actions in NAT Rules on page 159

source-prefix-list

Syntax
    source-prefix-list list-name <except>;

Hierarchy Level
    [edit services nat rule rule-name term term-name from]

Release Information
    Statement introduced in Junos OS Release 8.2.

Description
    Specify the source prefix list for rule matching. You configure the prefix list by including the prefix-list statement at the [edit policy-options] hierarchy level.

Options
    list-name—Source prefix list.
    except—(Optional) Exclude the specified prefix list from rule matching.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • Configuring Match Conditions in NAT Rules on page 158
    • Junos OS Routing Policy Configuration Guide

syslog

Syntax
    syslog;

Hierarchy Level
    [edit services nat rule rule-name term term-name then]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Enable system logging. The system log information from the Multiservices PIC is passed to the kernel for logging in the /var/log directory.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • Configuring Actions in NAT Rules on page 159

term

Syntax
    term term-name {
        from {
            application-sets set-name;
            applications [ application-names ];
            destination-address (address | any-unicast) <except>;
            destination-address-range low minimum-value high maximum-value <except>;
            source-address (address | any-unicast) <except>;
            source-address-range low minimum-value high maximum-value <except>;
        }
        then {
            no-translation;
            syslog;
            translated {
                address-pooling paired;
                destination-pool nat-pool-name;
                destination-prefix destination-prefix;
                dns-alg-pool dns-alg-pool;
                dns-alg-prefix dns-alg-prefix;
                filtering-type endpoint-independent;
                mapping-type endpoint-independent;
                source-pool nat-pool-name;
                source-prefix source-prefix;
                translation-type (basic-nat-pt | basic-nat44 | basic-nat66 | dnat-44 | dynamic-nat44 | napt-44 | napt-66 | napt-pt | stateful-nat64 | twice-basic-nat-44 | twice-dynamic-nat-44 | twice-napt-44);
            }
        }
    }

Hierarchy Level
    [edit services nat rule rule-name]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Define the NAT term properties.

Options
    term-name—Identifier for the term.
    The remaining statements are explained separately.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • Configuring NAT Rules on page 156

then

Syntax
    then {
        no-translation;
        syslog;
        translated {
            address-pooling paired;
            destination-pool nat-pool-name;
            destination-prefix destination-prefix;
            dns-alg-pool dns-alg-pool;
            dns-alg-prefix dns-alg-prefix;
            filtering-type endpoint-independent;
            mapping-type endpoint-independent;
            source-pool nat-pool-name;
            source-prefix source-prefix;
            translation-type (basic-nat-pt | basic-nat44 | basic-nat66 | dnat-44 | dynamic-nat44 | napt-44 | napt-66 | napt-pt | stateful-nat64 | twice-basic-nat-44 | twice-dynamic-nat-44 | twice-napt-44);
        }
    }

Hierarchy Level
    [edit services nat rule rule-name term term-name]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Define the NAT term actions.

Options
    The remaining statements are explained separately.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • Configuring NAT Rules on page 156

translated-port

Syntax
    translated-port port id;

Hierarchy Level
    [edit services nat port-forwarding map-name]

Release Information
    Statement introduced in Junos OS Release 11.4.

Description
    Specify the port to which all traffic will be translated.

Options
    port id—The port number to which traffic will be translated.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • port-forwarding on page 255
    • destined-port on page 245

translated

Syntax
    translated {
        address-pooling paired;
        destination-pool nat-pool-name;
        destination-prefix destination-prefix;
        dns-alg-pool dns-alg-pool;
        dns-alg-prefix dns-alg-prefix;
        filtering-type endpoint-independent;
        mapping-type endpoint-independent;
        source-pool nat-pool-name;
        source-prefix source-prefix;
        translation-type (basic-nat-pt | basic-nat44 | basic-nat66 | dnat-44 | dynamic-nat44 | napt-44 | napt-66 | napt-pt | stateful-nat64 | twice-basic-nat-44 | twice-dynamic-nat-44 | twice-napt-44);
    }

Hierarchy Level
    [edit services nat rule rule-name term term-name then]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Define properties for translated traffic.

Options
    The remaining statements are explained separately.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • Configuring Actions in NAT Rules on page 159
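The source-address, source-address-range, term and then statements above describe how a NAT term selects traffic and what it does with it. The following model, added here and not Junos code, evaluates a constructed rule of three terms against source addresses so that the effect of an except entry and of a catch-all no-translation term can be seen. Assumed, not stated on this page: terms are evaluated in configuration order and the first match wins, a term with no match conditions matches everything, and traffic matching no term passes untranslated.

```python
"""First-match evaluation of NAT rule terms (constructed illustration).

Not Junos code. It models the source-address, source-address-range and
except options of the from statement and the no-translation / translated
actions of the then statement. Assumptions: terms are evaluated in
configuration order and the first matching term wins; a term with no
match conditions matches every packet; unmatched traffic is untranslated."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class From:
    """Match conditions: (value, except) pairs as in the from statement."""
    source_address: list = field(default_factory=list)        # (prefix or any-unicast, except)
    source_address_range: list = field(default_factory=list)  # (low, high, except)

    def matches(self, src):
        if not self.source_address and not self.source_address_range:
            return True
        ip = ipaddress.ip_address(src)
        included = excluded = False
        for value, exc in self.source_address:
            if value == "any-unicast":
                hit = not ip.is_multicast
            else:
                hit = ip in ipaddress.ip_network(value, strict=False)
            if hit:
                # An except entry prevents the address from being translated
                # by this term even when another entry of the term covers it.
                excluded, included = excluded or exc, included or not exc
        for low, high, exc in self.source_address_range:
            if ipaddress.ip_address(low) <= ip <= ipaddress.ip_address(high):
                excluded, included = excluded or exc, included or not exc
        return included and not excluded


@dataclass
class Then:
    no_translation: bool = False
    source_pool: str = ""
    translation_type: str = ""


@dataclass
class Term:
    name: str
    frm: From
    then: Then


def evaluate(terms, src):
    """Return (term name, action) for the first term whose from block matches,
    or (None, untranslated) when no term matches."""
    for term in terms:
        if term.frm.matches(src):
            if term.then.no_translation:
                return term.name, "no-translation"
            return term.name, f"{term.then.translation_type} via {term.then.source_pool}"
    return None, "no matching term: traffic passes untranslated"


# Constructed sample rule: translate the inside block except a management
# subnet, translate one address range to a second pool, pass the rest untranslated.
RULE = [
    Term("t1", From(source_address=[("10.0.0.0/8", False), ("10.99.0.0/16", True)]),
         Then(source_pool="p1", translation_type="napt-44")),
    Term("t2", From(source_address_range=[("192.168.1.10", "192.168.1.20", False)]),
         Then(source_pool="p2", translation_type="basic-nat44")),
    Term("t3", From(source_address=[("any-unicast", False)]),
         Then(no_translation=True)),
]

if __name__ == "__main__":
    for src in ("10.1.2.3", "10.99.1.1", "192.168.1.15", "224.0.0.1"):
        print(src, evaluate(RULE, src))
```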

translation-type

Syntax
    translation-type (basic-nat-pt | basic-nat44 | basic-nat66 | dnat-44 | dynamic-nat44 | napt-44 | napt-66 | napt-pt | stateful-nat64 | twice-basic-nat-44 | twice-dynamic-nat-44 | twice-napt-44);

Hierarchy Level
    [edit services nat rule rule-name term term-name then translated]

Release Information
    Statement introduced before Junos OS Release 7.4.
    The following options introduced in Junos OS Release 11.2, replacing all previous options:
    • basic-nat44
    • basic-nat66
    • basic-nat-pt
    • dnat-44
    • dynamic-nat44
    • napt-44
    • napt-66
    • napt-pt
    • stateful-nat64
    twice-basic-nat-44—Option introduced in Junos OS Release 11.4.
    twice-dynamic-nat-44—Option introduced in Junos OS Release 11.4.
    twice-napt-44—Option introduced in Junos OS Release 11.4.

Description
    Specify the NAT translation types.

Options
    • basic-nat44—Translate the source address statically (IPv4 to IPv4).
    • basic-nat66—Translate the source address statically (IPv6 to IPv6).
    • basic-nat-pt—Translate the addresses of IPv6 hosts as they originate sessions to the IPv4 hosts in the external domain. The basic-nat-pt option is always implemented with DNS ALG.
    • dnat-44—Translate the destination address statically (IPv4 to IPv4).
    • dynamic-nat44—Translate only the source address by dynamically choosing the NAT address from the source address pool.
    • napt-44—Translate the transport identifier of the IPv4 private network to a single IPv4 external address.
    • napt-66—Translate the transport identifier of the IPv6 private network to a single IPv6 external address.

    • napt-pt—Bind addresses in an IPv6 network with addresses in an IPv4 network and vice versa to provide transparent routing for the datagrams traversing between the address realms.
    • stateful-nat64—Implement dynamic address and port translation for source IP addresses (IPv6-to-IPv4) and prefix removal translation for the destination IP addresses (IPv6-to-IPv4).
    • twice-basic-nat-44—Translate the source and destination addresses statically (IPv4 to IPv4).
    • twice-dynamic-nat-44—Translate the source address by dynamically choosing the NAT address from the source address pool. Translate the destination address statically.
    • twice-napt-44—Translate the transport identifier of the IPv4 private network to a single IPv4 external address. Translate the destination address statically.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • Configuring Actions in NAT Rules on page 159

transport

Syntax
    transport [ transport-protocols ];

Hierarchy Level
    [edit services nat pool nat-pool-name pgcp]

Release Information
    Statement introduced in Junos OS Release 9.2.

Description
    Configure the BGF to select a NAT pool based on transport protocol type.

Options
    [ transport-protocol ]—One or more transport protocols. If you specify more than one protocol, you must enclose all protocols in brackets.
        Syntax: One or more protocols.
        Values: rtp-avp, tcp, udp

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • Session Border Control Solutions Guide Using BGF and IMSG

use-dns-map-for-destination-translation

Syntax
    use-dns-map-for-destination-translation;

Hierarchy Level
    [edit services nat rule rule-name term term-name then translated]

Release Information
    Statement introduced in Junos OS Release 10.4.

Description
    Enable the Domain Name System (DNS) application-level gateway (ALG) address map for destination translation.

    NOTE: This statement is deprecated and might be removed completely in a future release.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.


CHAPTER 12

Load Balancing Configuration Guidelines

As of now, most router services are provisioned using service sets in Junos OS. Each service set directs traffic to a specific preconfigured services PIC only. This leads to inefficient use of networking resources within a system. Load balancing resolves this situation by allowing distribution of ingress and egress traffic across multiple services PICs. Load balancing works by hashing each packet and then redirecting the packet to the appropriate services PIC. Load balancing can be accomplished only on MX Series 3D Universal Edge routers because services PICs require symmetric hashing to ensure that ingress and egress traffic are directed properly.

• Configuring Load Balancing on AMS Infrastructure on page 271
• Example: Configuring Static Source Translation on AMS Infrastructure on page 273

Configuring Load Balancing on AMS Infrastructure

Configuring load balancing requires an aggregated Multiservices (AMS) system. AMS involves grouping several Multiservices PICs together. An AMS configuration eliminates the need for separate routers within a system. The primary benefit of having an AMS configuration is the ability to support load balancing of traffic across multiple services PICs. Starting with Junos OS 11.4, high availability (HA) is supported on AMS infrastructure on all MX Series 3D Universal Edge routers. AMS has several benefits:

• Support for configuring behavior if a Multiservices PIC that is part of the AMS configuration fails
• Support for specifying hash keys for each service set in either direction
• Support for adding routes to individual PICs within the AMS system

Configuring AMS Infrastructure

AMS supports load balancing across multiple service sets. All ingress or egress traffic for a service set can be load balanced across different services PICs. To enable load balancing, you have to configure an aggregate interface with existing services interfaces. To configure failure behavior in AMS, include the member-failure-options statement:

[edit interfaces ams1]
load-balancing-options {
    member-failure-options {

Junos 11. all traffic to the failed PIC is dropped. incoming-interface for ingress and outgoing-interface for egress are also available. If the drop-member-traffic statement is used. The hash keys can be configured separately for ingress and egress. . } } } If a PIC fails. destination IP. Configuring High Availability In an AMS system configured with high availability. A mams. 272 Copyright © 2011. include the high-availability-options statement: [edit interfaces ams1] load-balancing-options { high-availability-options { many-to-one { preferred-backup preferred-backup. After an AMS interface has been configured. It is not possible to configure addresses on an AMS interface. the constituent mams. only one PIC is available as backup for all other active PICs. the default behavior is to drop member traffic with a rejoin timeout of 120 seconds. To configure high availability.interface cannot be used as an rms interface. To support multiple applications and different types of translation. inet6 family is not supported. Presently. AMS supports only IPv4. Only mams. Network Address Translation (NAT) is the only application that runs on AMS infrastructure at this time. High availability for load balancing is configured by adding the high-availability-options statement at the [edit interfaces interface-name load-balancing-options] hierarchy level. Both options are mutually exclusive. Inc. } redistribute-all-traffic { enable-rejoin.interfaces cannot be individually configured.4 Services Interfaces Configuration Guide drop-member-traffic { rejoin-timeout rejoin-timeout. a designated Multiservices PIC acts as a backup for other active PICs that are part of the AMS system. The default configuration uses source IP.interfaces (services interfaces that are part of AMS) can be aggregated. NOTE: Unit 0 on an AMS interface cannot be configured. and the protocol for hashing. only N:1 backup for high availability is supported. 
the traffic to the failed PIC can be configured to be redistributed by using the redistribute-all-traffic statement at the [edit interfaces interface-name load-balancing-options member-failure-options] hierarchy level. Juniper Networks. NOTE: If member-failure-options is not explicitly configured. AMS infrastructure supports configuring hashing for each service set.

Load Balancing Network Address Translation Flows

Starting with Junos OS Release 11.4, Network Address Translation (NAT) has been programmed as a plug-in and is a function of load balancing and high availability. The plug-in runs on AMS infrastructure. All flows for translation are automatically distributed to different services PICs that are part of the AMS infrastructure. The hashing method selected depends on the type of NAT. In case of failure of an active Multiservices PIC, the configured backup Multiservices PIC will take over the NAT pool resources of the failed PIC. Using NAT on AMS infrastructure has a few limitations:

• NAT flows to failed PICs cannot be restored.
• There is no support for IPv6 flows.
• Twice NAT is not supported for load balancing.

See “Example: Configuring Static Source Translation on AMS Infrastructure” on page 273 for more details on configuring NAT flows for load balancing.

Example: Configuring Static Source Translation on AMS Infrastructure

This example shows a static source translation configured on an AMS interface. The flows will be load balanced across member interfaces with this example. Configure the AMS interface ams0 with load balancing options.

[edit interfaces ams0]
load-balancing-options {
    member-interface mams-5/0/0;
    member-interface mams-5/1/0;
}
unit 1 {
    family inet;
}
unit 2 {
    family inet;
}

Configure hashing for the service set for both ingress and egress traffic.

[edit services service-set ss1]
interface-service {
    service-interface ams0;
    load-balancing-options {
        hash-keys {
            ingress-key destination-ip;
            egress-key source-ip;
        }
    }
}

NOTE: Hashing is determined based on whether the service set is applied on the ingress or egress interface.

Configure two NAT pools because you have configured two member interfaces for the AMS interface.

[edit services]
nat {
    pool p1 {
        address-range low 20.1.1.80 high 20.1.1.81/32;
    }
    pool p2 {
        address 20.1.1.2/32;
    }
}

Configure the NAT rule and translation.

[edit services]
nat {
    rule r1 {
        match-direction input;
        term t1 {
            from {
                source-address {
                    20.1.1.1;
                }
            }
            then {
                translated {
                    source-pool p1;
                    translation-type {
                        basic-nat44;
                    }
                }
            }
        }
        term t2 {
            from {
                source-address {
                    40.1.1.1;
                }
            }
            then {
                translated {
                    source-pool p2;
                    translation-type {
                        basic-nat44;
                    }
                }
            }
        }
    }
}

NOTE: A similar configuration can be applied for translation types dynamic-nat44 and napt-44. Twice NAT cannot run on AMS infrastructure at this time.

Related Documentation
    • Configuring Load Balancing on AMS Infrastructure on page 271
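The example service set hashes ingress traffic on destination-ip and egress traffic on source-ip; the following model, added here and not Junos code, shows why that pairing satisfies the symmetric hashing requirement stated at the start of this chapter: both directions hash on the outside host's address, which the source translation never changes, while the default keys see the translated address on the way back. Assumed, not on the page: ingress is the inside host's packet, egress is the outside host's reply, and the reply is addressed to the translated source.

```python
"""Symmetric hashing of a flow's two directions onto AMS members (constructed).

Not Junos code. It models the hash-keys of the example above: each direction
is hashed on the configured keys, and the two results must name the same
member for the flow to be handled by one PIC. Assumed: ingress is the inside
host's packet, egress is the outside host's reply, and the reply carries
the translated source address as its destination."""
from zlib import crc32

MEMBERS = ["mams-5/0/0", "mams-5/1/0"]        # member interfaces of ams0 above
DEFAULT_KEYS = ("source-ip", "destination-ip", "protocol")


def hash_member(packet, keys, members=MEMBERS):
    """Return the member a packet hashes to under the given hash keys."""
    fields = {"source-ip": packet["src"], "destination-ip": packet["dst"],
              "protocol": packet["proto"]}
    material = "|".join(fields[k] for k in keys).encode()
    return members[crc32(material) % len(members)]


def flow_members(inside_ip, outside_ip, proto, translated_ip,
                 ingress_keys, egress_keys):
    """(ingress member, egress member) for one source-translated flow."""
    forward = {"src": inside_ip, "dst": outside_ip, "proto": proto}
    reply = {"src": outside_ip, "dst": translated_ip, "proto": proto}
    return hash_member(forward, ingress_keys), hash_member(reply, egress_keys)


def symmetric_share(flows, ingress_keys, egress_keys):
    """Fraction of flows whose two directions land on the same member."""
    same = sum(a == b for a, b in
               (flow_members(*f, ingress_keys, egress_keys) for f in flows))
    return same / len(flows)


# Constructed flows: inside hosts 10.0.0.x talking to distinct outside hosts,
# all source-translated to 20.1.1.80 (one pool address, for illustration only).
FLOWS = [(f"10.0.0.{i}", f"198.51.100.{i}", "tcp", "20.1.1.80")
         for i in range(1, 41)]

# The example's keys: ingress-key destination-ip, egress-key source-ip.
EXAMPLE_KEYS = (("destination-ip",), ("source-ip",))

if __name__ == "__main__":
    print("example keys:", symmetric_share(FLOWS, *EXAMPLE_KEYS))
    print("default keys:", symmetric_share(FLOWS, DEFAULT_KEYS, DEFAULT_KEYS))
```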

Junos 11. .4 Services Interfaces Configuration Guide 276 Copyright © 2011. Inc. Juniper Networks.

CHAPTER 13

Summary of Load Balancing Configuration Statements

The following sections explain each of the load balancing and aggregated Multiservices (AMS) statements. The statements are organized alphabetically.

drop-member-traffic (Aggregated Multiservices)

Syntax
    drop-member-traffic {
        rejoin-timeout rejoin-timeout;
    }

Hierarchy Level
    [edit interfaces interface-name load-balancing-options member-failure-options]

Release Information
    Statement introduced in Junos OS Release 11.4.

Description
    Specify whether the broadband gateway should drop traffic to a Multiservices PIC when it fails. For many-to-one (N:1) high availability (HA) for service applications like Network Address Translation (NAT), this configuration is valid only when two or more Multiservices PICs have failed.
    The remaining statement is explained separately.

Default
    If this statement is not configured, then the default behavior is to drop member traffic with a rejoin timeout of 120 seconds.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • member-failure-options (Aggregated Multiservices) on page 283

enable-rejoin (Aggregated Multiservices)

Syntax
    enable-rejoin;

Hierarchy Level
    [edit interfaces interface-name load-balancing-options member-failure-options redistribute-all-traffic]

Release Information
    Statement introduced in Junos OS Release 11.4.

Description
    Enable the failed member to rejoin the aggregated Multiservices (AMS) interface after the member comes back online. For many-to-one (N:1) high availability (HA) for service applications like Network Address Translation (NAT), this configuration allows the failed members to rejoin the pool of active members automatically.

Default
    If you do not configure this option, then the failed members do not automatically rejoin the ams interface even after coming back online.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • redistribute-all-traffic (Aggregated Multiservices) on page 286

family (Aggregated Multiservices)

Syntax
    family family;

Hierarchy Level
    [edit interfaces interface-name unit interface-unit-number]

Release Information
    Statement introduced in Junos OS Release 11.4.

Description
    Configure protocol family information for the logical interface.

Options
    family—Protocol family. Currently, only one option, inet (IP version 4 suite), is supported.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • unit (Aggregated Multiservices) on page 287

Juniper Networks. then this configuration is optional. if only the load-balancing feature is being used. 279 . This is called floating backup. backs up one or more (N) active Multiservices PICs. it becomes the new backup. then the backup replaces it as the active Multiservices PIC. if one of the active Multiservices PICs goes down. When the failed PIC comes back up. For service applications. The remaining statements are explained separately. interface-control—To add this statement to the configuration. For many-to-one (N:1) high availability support for service applications like Network Address Translation (NAT).4. } } [edit interfaces interface-name load-balancing-options] Hierarchy Level Release Information Description Statement introduced in Junos OS Release 11. NOTE: In both cases. Configure the high availability options for the aggregated Multiservices (AMS) interface. Inc. Required Privilege Level Related Documentation interface—To view this statement in the configuration. the preferred backup Multiservices PIC. in hot standby mode.Chapter 13: Summary of Load Balancing Configuration Statements high-availability-options (aggregated Multiservices) Syntax high-availability-options { many-to-one { preferred-backup preferred-backup. • load-balancing-options on page 281 Copyright © 2011.

interfaces (Aggregated Multiservices)

Syntax
    interfaces interface-name {
        load-balancing-options {
            high-availability-options {
                many-to-one {
                    preferred-backup preferred-backup;
                }
            }
            member-failure-options {
                drop-member-traffic {
                    rejoin-timeout rejoin-timeout;
                }
                redistribute-all-traffic {
                    enable-rejoin;
                }
            }
            member-interface interface-name;
        }
        unit interface-unit-number {
            family family;
        }
    }

Hierarchy Level
    [edit]

Release Information
    Statement introduced in Junos OS Release 11.4.

Description
    Configure the aggregated Multiservices (AMS) interface. The AMS interface provides the infrastructure for load balancing and high availability (HA). The ams infrastructure is supported only in chassis with Trio-based modules and Multiservices Dense Port Concentrators (MS-DPCs).

    NOTE: The interfaces must be valid aggregated Multiservices interfaces (ams)—for example, ams0 or ams1, and so on.

    The remaining statements are explained separately.

Options
    interface-name—Name of the aggregated Multiservices interface (ams)—for example, ams0 or ams1, and so on.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • Configuring Load Balancing on AMS Infrastructure on page 271

load-balancing-options (Aggregated Multiservices)

Syntax
    load-balancing-options {
        high-availability-options {
            many-to-one {
                preferred-backup preferred-backup;
            }
        }
        member-failure-options {
            drop-member-traffic {
                rejoin-timeout rejoin-timeout;
            }
            redistribute-all-traffic {
                enable-rejoin;
            }
        }
        member-interface interface-name;
    }

Hierarchy Level
    [edit interfaces interface-name]

Release Information
    Statement introduced in Junos OS Release 11.4.

Description
    Configure the high availability (HA) options for the aggregated Multiservices (AMS) interface. Many-to-one (N:1) high availability mode for service applications like Network Address Translation (NAT) is supported. In this case, one Multiservices PIC is the backup (in hot standby mode) for one or more (N) active Multiservices PICs. If one of the active Multiservices PICs goes down, then the backup replaces it as the active Multiservices PIC. When the failed PIC comes back online, it becomes the new backup. This is called floating backup mode.
    The remaining statements are explained separately.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • interfaces on page 280

many-to-one (Aggregated Multiservices)

Syntax
    many-to-one {
        preferred-backup preferred-backup;
    }

Hierarchy Level
    [edit interfaces interface-name load-balancing-options high-availability-options]

Release Information
    Statement introduced in Junos OS Release 11.4.

Description
    Configure the initial preferred backup for the aggregated Multiservices (AMS) interface. Even in the case of mobile control plane redundancy, which is one-to-one (1:1), the initial preferred backup is configured at this hierarchy level.

    NOTE: The preferred backup must be one of the member interfaces (mams-) that have already been configured at the [edit interfaces interface-name load-balancing-options] hierarchy level.

    The remaining statements are explained separately.

Options
    preferred-backup preferred-backup—Name of the preferred backup member interface. The member interface format is mams-a/b/0, where a is the Flexible PIC Concentrator (FPC) slot number and b is the PIC slot number.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • high-availability-options (Aggregated Multiservices) on page 279

member-failure-options (Aggregated Multiservices)

Syntax
    member-failure-options {
        drop-member-traffic {
            rejoin-timeout rejoin-timeout;
        }
        redistribute-all-traffic {
            enable-rejoin;
        }
    }

Hierarchy Level
    [edit interfaces interface-name load-balancing-options]

Release Information
    Statement introduced in Junos OS Release 11.4.

Description
    Configure the possible behavior for the aggregated Multiservices (AMS) interface in case of failure of more than one active member.

    NOTE: The AMS infrastructure has been designed to handle one failure automatically. However, in the unlikely event that more than one Multiservices PIC fails, the AMS infrastructure provides configuration options to minimize the impact on existing traffic flows.

    NOTE: The drop-member-traffic configuration and the redistribute-all-traffic configuration are mutually exclusive.

    Table 11 on page 283 displays the behavior of the member interface after the failure of the first Multiservices PIC. Table 12 on page 284 displays the behavior of the member interface after the failure of two Multiservices PICs.

    Table 11: Behavior of Member Interface After One Multiservices PIC Fails

    High Availability Mode: Many-to-one (N:1) high availability support for service applications
    Member Interface Behavior: Automatically handled by the AMS infrastructure

    Table 12: Behavior of Member Interface After Two Multiservices PICs Fail

    High Availability Mode: Many-to-one (N:1) high availability support for service applications
    Configuration: drop-member-traffic rejoin-timeout configured
    Behavior when member rejoins before rejoin-timeout expires: The existing traffic for the second failed member will not be redistributed to the other members. The first member will rejoin the AMS automatically. This behavior is handled automatically by the AMS infrastructure.
    Behavior when member rejoins after rejoin-timeout expires: The existing traffic for the second failed member will not be redistributed to the other members. The first member to rejoin becomes an active member. The second member to rejoin becomes the backup. However, the other members who are rejoining will be moved to the discard state.

    High Availability Mode: Many-to-one (N:1) high availability support for service applications
    Configuration: redistribute-all-traffic
    Behavior when member rejoins before rejoin-timeout expires: Not applicable
    Behavior when member rejoins after rejoin-timeout expires: Before rejoin, the traffic is redistributed to existing active members. This may impact existing traffic flows. After a failed member rejoins, the traffic is load-balanced afresh.

    The remaining statements are explained separately.

Default
    If member-failure-options are not configured, then the default behavior is to drop member traffic with a rejoin timeout of 120 seconds.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • load-balancing-options (Aggregated Multiservices) on page 281
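The following model, added here and not Juniper code, plays out the N:1 failover and member-failure behaviour described for the high-availability-options and member-failure-options statements and in the Configuring Load Balancing on AMS Infrastructure procedure of Chapter 12: the first failure is absorbed by the preferred backup, which then floats to the returning PIC; a second failure either drops that member's traffic (drop-member-traffic, with the member going inactive after rejoin-timeout) or redistributes it (redistribute-all-traffic, rejoining only with enable-rejoin). Assumptions, not on the page: flows are placed with CRC32 over source IP, destination IP and protocol, a member that fails with no standby left keeps its hash slot, and a rejoining member returns to its own slot.

```python
"""Model of N:1 high availability and member-failure handling on an AMS interface.

Constructed illustration of the behaviour the statements describe; not Junos code.
Flow-to-member hashing and the rejoin rules beyond those stated are assumed."""
import re
from zlib import crc32

MEMBER_RE = re.compile(r"^mams-\d+/\d+/0$")  # documented member format mams-a/b/0
DEFAULT_REJOIN_TIMEOUT = 120                   # documented default, in seconds
MODES = ("drop-member-traffic", "redistribute-all-traffic")


class AmsInterface:
    def __init__(self, members, preferred_backup=None, failure_mode=MODES[0],
                 rejoin_timeout=DEFAULT_REJOIN_TIMEOUT, enable_rejoin=False):
        if failure_mode not in MODES:
            raise ValueError("member-failure-options: drop-member-traffic and "
                             "redistribute-all-traffic are mutually exclusive")
        if preferred_backup is not None and preferred_backup not in members:
            raise ValueError("preferred-backup must be a configured member-interface")
        for m in members:
            if not MEMBER_RE.match(m):
                raise ValueError(f"{m}: member interfaces are named mams-a/b/0")
        self.mode = failure_mode
        self.rejoin_timeout = rejoin_timeout
        self.enable_rejoin = enable_rejoin
        self.backup = preferred_backup            # hot-standby PIC, or None
        # Hash slots hold the active members. A member that fails with no
        # standby left keeps its slot (assumption) so that drop mode drops
        # exactly the traffic that hashed to it.
        self.slots = [m for m in members if m != preferred_backup]
        self.failed = {}                          # member -> time of failure
        self.inactive = set()                     # missed rejoin-timeout

    def expire(self, now):
        """drop-member-traffic: a member that misses rejoin-timeout goes inactive."""
        if self.mode == "drop-member-traffic":
            for m, t in self.failed.items():
                if m in self.slots and now - t >= self.rejoin_timeout:
                    self.inactive.add(m)

    def member_for(self, src_ip, dst_ip, proto, now=0):
        """Member serving a flow under the default keys, or None if dropped."""
        self.expire(now)
        candidates = self.slots
        if self.mode == "redistribute-all-traffic":
            # Failed members leave the hash: surviving members absorb their
            # traffic, and existing flows may land on a different PIC.
            candidates = [m for m in self.slots if m not in self.failed]
        if not candidates:
            return None
        key = f"{src_ip}|{dst_ip}|{proto}".encode()
        member = candidates[crc32(key) % len(candidates)]
        return None if member in self.failed else member

    def fail(self, member, now):
        if member in self.failed:
            return
        self.failed[member] = now
        if member == self.backup:
            self.backup = None                    # only the standby was lost
        elif self.backup is not None:
            # First failure: the standby takes over the failed PIC's slot (and,
            # for NAT, its pool resources). Flows keep hashing to the same slot.
            self.slots[self.slots.index(member)] = self.backup
            self.backup = None

    def rejoin(self, member, now):
        """A failed member comes back online; returns its new role."""
        if member not in self.failed:
            return "active"
        if member not in self.slots:
            # Its slot is held by the PIC that replaced it, so it becomes the
            # new backup: floating backup.
            del self.failed[member]
            self.backup = member
            return "backup"
        if self.mode == "redistribute-all-traffic" and not self.enable_rejoin:
            return "failed"                       # stays out without enable-rejoin
        del self.failed[member]
        self.inactive.discard(member)             # traffic to it resumes
        return "active"
```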

member-interface (Aggregated Multiservices)

Syntax
    member-interface interface-name;

Hierarchy Level
    [edit interfaces interface-name load-balancing-options]

Release Information
    Statement introduced in Junos OS Release 11.4.

Description
    Specify the member interfaces for the aggregated Multiservices (AMS) interface. You can configure multiple interfaces by specifying each interface in a separate statement. For high availability service applications like Network Address Translation (NAT) that support many-to-one (N:1) redundancy, you can specify two or more interfaces.

    NOTE: The member interfaces that you specify must be members of aggregated Multiservices interfaces (mams-).

    The remaining statements are explained separately.

Options
    interface-name—Name of the member interface. The member interface format is mams-a/b/0, where a is the Flexible PIC Concentrator (FPC) slot number and b is the PIC slot number.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • load-balancing-options (Aggregated Multiservices) on page 281

redistribute-all-traffic (Aggregated Multiservices)

Syntax
    redistribute-all-traffic {
        enable-rejoin;
    }

Hierarchy Level
    [edit interfaces interface-name load-balancing-options member-failure-options]

Release Information
    Statement introduced in Junos OS Release 11.4.

Description
    Enable the option to redistribute traffic of a failed active member to the other active members. For many-to-one (N:1) high availability support for Network Address Translation (NAT), the traffic for the failed member is automatically redistributed to the other active members.
    The remaining statement is explained separately.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • member-failure-options (Aggregated Multiservices) on page 283

rejoin-timeout (Aggregated Multiservices)

Syntax
    rejoin-timeout rejoin-timeout;

Hierarchy Level
    [edit interfaces interface-name load-balancing-options member-failure-options drop-member-traffic]

Release Information
    Statement introduced in Junos OS Release 11.4.

Description
    Configure the time by when a failed member should rejoin the aggregated Multiservices (AMS) interface automatically. If the failed member does not rejoin by the configured time, then the member is moved to the “inactive” state and the traffic meant for this member is dropped.

Default
    If you do not configure a value, the default value of 120 seconds is used.

Options
    rejoin-timeout—Time, in seconds, by which a failed member must rejoin.
        Default: 120 seconds

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • drop-member-traffic (Aggregated Multiservices) on page 277

unit (Aggregated Multiservices)

Syntax
    unit interface-unit-number {
        family family;
    }

Hierarchy Level
    [edit interfaces interface-name]

Release Information
    Statement introduced in Junos OS Release 11.4.

Description
    Configure the logical interface on the physical device. You must configure a logical interface to be able to use the physical device. The remaining statements are explained separately.

    NOTE: Unit 0 is reserved and cannot be configured under the aggregated Multiservices interface (ams).

Options
    interface-unit-number—Number of the logical unit.
    Range: 1 through 16,384

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • interfaces on page 280

Junos 11. . Inc. Juniper Networks.4 Services Interfaces Configuration Guide 288 Copyright © 2011.

CHAPTER 14

Intrusion Detection Service Configuration Guidelines

The Adaptive Services (AS) or Multiservices PIC supports a limited set of intrusion detection services (IDS) to perform attack detection. Signature detection is not supported. You can use IDS to perform the following tasks:

• Detect various types of denial-of-service (DoS) and directed denial-of-service (DDoS) attacks.
• Detect attempts at network scanning and probing.
• Detect anomalies in traffic patterns, such as sudden bursts or a decline in bandwidth.
• Specify thresholds for limiting the number of flows, the packet rate, and the session rate.
• Prevent some types of attacks.
• Redirect attack traffic to a collector for analysis.

IDS enables you to focus attack detection and remedial actions on specific hosts or networks that you specify in the IDS terms.

To configure IDS, include the ids statement at the [edit services] hierarchy level:

[edit services]
ids {
    rule rule-name {
        match-direction (input | output | input-output);
        term term-name {
            from {
                application-sets set-name;
                applications [ application-names ];
                destination-address (address | any-unicast) <except>;
                destination-address-range low minimum-value high maximum-value <except>;
                destination-prefix-list list-name <except>;
                source-address (address | any-unicast) <except>;
                source-address-range low minimum-value high maximum-value <except>;
                source-prefix-list list-name <except>;
            }
            then {
                aggregation {
                    destination-prefix prefix-value | destination-prefix-ipv6 prefix-value;
                    source-prefix prefix-value | source-prefix-ipv6 prefix-value;
                }
                (force-entry | ignore-entry);
                logging {
                    syslog;
                    threshold rate;
                }
                session-limit {
                    by-destination {
                        hold-time seconds;
                        maximum number;
                        packets number;
                        rate number;
                    }
                    by-pair {
                        hold-time seconds;
                        maximum number;
                        packets number;
                        rate number;
                    }
                    by-source {
                        hold-time seconds;
                        maximum number;
                        packets number;
                        rate number;
                    }
                }
                syn-cookie {
                    mss value;
                    threshold rate;
                }
            }
        }
    }
    rule-set rule-set-name {
        [ rule rule-names ];
    }
}

NOTE: The Junos OS uses stateful firewall settings as a basis for performing IDS. You must commit a stateful firewall configuration in the same service set for IDS to function properly.

This chapter contains the following sections:

• Configuring IDS Rules on page 291
• Configuring IDS Rule Sets on page 297
• Examples: Configuring IDS Rules on page 297

Configuring IDS Rules

IDS rules identify traffic for which you want the router software to count events. Because IDS is based on stateful firewall properties, you must configure at least one stateful firewall rule and include it in the service set with the IDS rules; for more information, see “Configuring Stateful Firewall Rules” on page 114.

To configure an IDS rule, include the rule rule-name statement at the [edit services ids] hierarchy level:

[edit services ids]
rule rule-name {
    match-direction (input | output | input-output);
    term term-name {
        from {
            application-sets set-name;
            applications [ application-names ];
            destination-address (address | any-unicast) <except>;
            destination-address-range low minimum-value high maximum-value <except>;
            destination-prefix-list list-name <except>;
            source-address (address | any-unicast) <except>;
            source-address-range low minimum-value high maximum-value <except>;
            source-prefix-list list-name <except>;
        }
        then {
            aggregation {
                destination-prefix prefix-value | destination-prefix-ipv6 prefix-value;
                source-prefix prefix-value | source-prefix-ipv6 prefix-value;
            }
            (force-entry | ignore-entry);
            logging {
                syslog;
                threshold rate;
            }
            session-limit {
                by-destination {
                    hold-time seconds;
                    maximum number;
                    packets number;
                    rate number;
                }
                by-pair {
                    hold-time seconds;
                    maximum number;
                    packets number;
                    rate number;
                }
                by-source {
                    hold-time seconds;
                    maximum number;
                    packets number;
                    rate number;
                }
            }
            syn-cookie {
                mss value;
                threshold rate;
            }
        }
    }
}

Each IDS rule consists of a set of terms, similar to a filter configured at the [edit firewall] hierarchy level. A term consists of the following:

• from statement—Specifies the match conditions and applications that are included and excluded.
• then statement—Specifies the actions and action modifiers to be performed by the router software.

The following sections describe IDS rule content in more detail:

• Configuring Match Direction for IDS Rules on page 292
• Configuring Match Conditions in IDS Rules on page 293
• Configuring Actions in IDS Rules on page 294

Configuring Match Direction for IDS Rules

Each rule must include a match-direction statement that specifies whether the match is applied on the input or output side of the interface. To configure where the match is applied, include the match-direction (input | input-output | output) statement at the [edit services ids rule rule-name] hierarchy level:

[edit services ids rule rule-name]
match-direction (input | output | input-output);

If you configure match-direction input-output, bidirectional rule creation is allowed.

The match direction is used with respect to the traffic flow through the AS or Multiservices PIC. When a packet is sent to the PIC, direction information is carried along with it.

With an interface service set, packet direction is determined by whether a packet is entering or leaving the interface on which the service set is applied.

With a next-hop service set, packet direction is determined by the interface used to route the packet to the AS or Multiservices PIC. If the inside interface is used to route the packet, the packet direction is input. If the outside interface is used to direct the packet to the PIC, the packet direction is output. For more information on inside and outside interfaces, see “Configuring Service Sets to be Applied to Services Interfaces” on page 568.

On the AS or Multiservices PIC, a flow lookup is performed. If no flow is found, rule processing is performed. All rules in the service set are considered. During rule processing, the packet direction is compared against rule directions. Only rules with direction information that match the packet direction are considered.

Configuring Match Conditions in IDS Rules

To configure IDS match conditions, include the from statement at the [edit services ids rule rule-name term term-name] hierarchy level:

[edit services ids rule rule-name term term-name]
from {
    application-sets set-name;
    applications [ application-names ];
    destination-address (address | any-unicast) <except>;
    destination-address-range low minimum-value high maximum-value <except>;
    destination-prefix-list list-name <except>;
    source-address (address | any-unicast) <except>;
    source-address-range low minimum-value high maximum-value <except>;
    source-prefix-list list-name <except>;
}

If you omit the from statement, the software accepts all events and places them in the IDS cache for processing.

You can use the destination address, a range of destination addresses, a source address, or a range of source addresses as a match condition, in the same way that you would configure a firewall filter. The source address and destination address can be either IPv4 or IPv6.

Alternatively, you can specify a list of source or destination prefixes by including the prefix-list statement at the [edit policy-options] hierarchy level and then including either the destination-prefix-list or source-prefix-list statement in the IDS rule. For an example, see “Examples: Configuring Stateful Firewall Rules” on page 118. For more information, see the Junos OS Routing Policy Configuration Guide.

You can also include application protocol definitions that you have configured at the [edit applications] hierarchy level; for more information, see “Configuring Application Protocol Properties” on page 72.

• To apply one or more specific application protocol definitions, include the applications statement at the [edit services ids rule rule-name term term-name from] hierarchy level.
• To apply one or more sets of application protocol definitions that you have defined, include the application-sets statement at the [edit services ids rule rule-name term term-name from] hierarchy level.

NOTE: If you include one of the statements that specifies application protocols, the router derives port and protocol information from the corresponding configuration at the [edit applications] hierarchy level; you cannot specify these properties as match conditions.

If a match occurs on an application, the application protocol is displayed separately in the show services ids command output. For more information, see the Junos OS System Basics and Services Command Reference.

Configuring Actions in IDS Rules

To configure IDS actions, include the then statement at the [edit services ids rule rule-name term term-name] hierarchy level:

[edit services ids rule rule-name term term-name]
then {
    aggregation {
        destination-prefix prefix-value | destination-prefix-ipv6 prefix-value;
        source-prefix prefix-value | source-prefix-ipv6 prefix-value;
    }
    (force-entry | ignore-entry);
    logging {
        syslog;
        threshold rate;
    }
    session-limit {
        by-destination {
            hold-time seconds;
            maximum number;
            packets number;
            rate number;
        }
        by-pair {
            hold-time seconds;
            maximum number;
            packets number;
            rate number;
        }
        by-source {
            hold-time seconds;
            maximum number;
            packets number;
            rate number;
        }
    }
    syn-cookie {
        mss value;
        threshold rate;
    }
}

You can configure the following possible actions:

• aggregation—The router aggregates traffic labeled with the specified source or destination prefixes before passing the events to IDS processing. This is helpful if you want to examine all the traffic connected with a particular source or destination host. To collect traffic with some other marker, such as a particular application or port, configure that value in the match conditions.

To configure aggregation prefixes, include the aggregation statement at the [edit services ids rule rule-name term term-name then] hierarchy level and specify values for source-prefix, destination-prefix, source-prefix-ipv6, or destination-prefix-ipv6:

[edit services ids rule rule-name term term-name then]
aggregation {
    destination-prefix prefix-value | destination-prefix-ipv6 prefix-value;
    source-prefix prefix-value | source-prefix-ipv6 prefix-value;
}

The value of source-prefix and destination-prefix must be an integer between 1 and 32. The value of source-prefix-ipv6 and destination-prefix-ipv6 must be an integer between 1 and 128.

• (force-entry | ignore-entry)—force-entry provides a permanent spot in IDS caches for subsequent events after one event is registered. By default, the IDS software does not record information about “good” packets that do not exhibit suspicious behavior. You can use the force-entry statement to record all traffic from a suspect host, even traffic that would not otherwise be counted. ignore-entry ensures that all IDS events are ignored, including any temporary anomalies that IDS would otherwise count as events. You can use this statement to disregard all traffic from a host you trust.

To configure an entry behavior different from the default, include the force-entry or ignore-entry statement at the [edit services ids rule rule-name term term-name then] hierarchy level:

[edit services ids rule rule-name term term-name then]
(force-entry | ignore-entry);

• logging—The event is logged in the system log file. By default, IDS logs are generated once every 60 seconds for each anomaly that is reported. The logs are generated as long as the events continue. To configure logging, include the logging statement at the [edit services ids rule rule-name term term-name then] hierarchy level:

[edit services ids rule rule-name term term-name then]
logging {
    syslog;
    threshold rate;
}

You can optionally include a threshold rate to trigger the generation of system log messages. The threshold rate is specified in events per second.

• session-limit—The router limits open sessions when the specified threshold is reached. To configure a threshold, include the session-limit statement at the [edit services ids rule rule-name term term-name then] hierarchy level:

[edit services ids rule rule-name term term-name then]
session-limit {
    by-destination {
        hold-time seconds;
        maximum number;
        packets number;
        rate number;
    }
    by-pair {
        hold-time seconds;
        maximum number;
        packets number;
        rate number;
    }
    by-source {
        hold-time seconds;
        maximum number;
        packets number;
        rate number;
    }
}

You configure the thresholds for flow limitation based on traffic direction:

• To limit the number of outgoing sessions from one internal host or subnet, configure the by-source statement.
• To limit the number of incoming sessions to one external public IP address or subnet, configure the by-destination statement.
• To limit the number of sessions between a pair of IP addresses, configure the by-pair statement.

For each direction, you can configure the following threshold values:

• hold-time seconds—When the rate or packets measurement reaches the threshold value, stop all new flows for the specified number of seconds. By default, hold-time has a value of 0; the range is 0 through 60 seconds. Once hold-time is in effect, the traffic is blocked for the specified time even if the rate subsides below the specified limit.
• maximum number—Maximum number of open sessions per IP address or subnet per application. The range is 1 through 32,767.
• packets number—Maximum number of packets per second (pps) per IP address or subnet per application. The range is 4 through 2,147,483,647.
• rate number—Maximum number of sessions per second per IP address or subnet per application. The range is 4 through 32,767.

If you include more than one source address in the match conditions configured at the [edit services ids rule rule-name term term-name from] hierarchy level, limits are applied for each source address independently. For example, the following configuration allows 20 connections from each source address (10.1.1.1 and 10.1.1.2), not 20 connections total. The same logic applies to the applications and destination-address match conditions.

[edit services ids rule rule-name term term-name]
from {
    source-address 10.1.1.1;
    source-address 10.1.1.2;
}
then {
    session-limit {
        by-source {
            maximum 20;
        }
    }
}
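The threshold semantics above (per-address limits, aggregation prefixes, and a hold-time that keeps blocking after the rate subsides) are easier to reason about with a runnable model. The following Python is an added example, not Junos code and not how the Multiservices PIC implements session-limit: the SessionLimiter class, its method names, the one-second counting buckets, and the choice to arm the hold on any of the three thresholds (the chapter 15 wording) are assumptions made for illustration. The traffic in demo() is constructed.

```python
"""Toy model of the IDS session-limit action (added example, not Junos code).
Class and method names are constructed; the PIC's real event accounting is not
described on this page, so the counting rules below are assumptions."""
import ipaddress
from collections import defaultdict


class SessionLimiter:
    """One by-source (or by-destination) limiter: maximum open sessions,
    sessions per second, packets per second, and a hold-time that blocks all
    new flows from a key once any threshold is exceeded."""

    def __init__(self, maximum=None, rate=None, packets=None, hold_time=0,
                 source_prefix=None):
        self.maximum, self.rate, self.packets = maximum, rate, packets
        self.hold_time = hold_time              # seconds; 0 disables the hold
        self.source_prefix = source_prefix      # aggregation source-prefix, or None
        self.open_sessions = defaultdict(int)   # key -> currently open sessions
        self.session_counter = defaultdict(lambda: [None, 0])  # key -> [second, n]
        self.packet_counter = defaultdict(lambda: [None, 0])
        self.blocked_until = {}                 # key -> time the hold expires

    def key(self, addr):
        """Limits are kept per address, or per prefix when aggregation is set."""
        if self.source_prefix is None:
            return addr
        return str(ipaddress.ip_network(f"{addr}/{self.source_prefix}", strict=False))

    @staticmethod
    def _bump(counter, key, now):
        """Count one event in the current one-second bucket; return the total."""
        second, bucket = int(now), counter[key]
        if bucket[0] != second:
            bucket[0], bucket[1] = second, 0
        bucket[1] += 1
        return bucket[1]

    def _hold(self, key, now):
        if self.hold_time > 0:
            self.blocked_until[key] = now + self.hold_time

    def new_session(self, addr, now):
        """Decide on a new flow: 'accept' or 'drop:<reason>'."""
        key = self.key(addr)
        if now < self.blocked_until.get(key, -1.0):
            return "drop:hold-time"             # held even if the rate has subsided
        if self.maximum is not None and self.open_sessions[key] >= self.maximum:
            self._hold(key, now)
            return "drop:maximum"
        if self.rate is not None and self._bump(self.session_counter, key, now) > self.rate:
            self._hold(key, now)
            return "drop:rate"
        self.open_sessions[key] += 1
        return "accept"

    def packet(self, addr, now):
        """Count a packet of an existing flow; a pps overrun arms the hold."""
        key = self.key(addr)
        if self.packets is not None and self._bump(self.packet_counter, key, now) > self.packets:
            self._hold(key, now)
            return "drop:packets"
        return "accept"

    def close_session(self, addr):
        key = self.key(addr)
        self.open_sessions[key] = max(0, self.open_sessions[key] - 1)


def demo():
    """Constructed traffic reproducing the points made in the text."""
    hosts = ("10.1.1.1", "10.1.1.2")
    # 1. maximum 20 with two source addresses: 20 per host, not 20 in total.
    per_host = SessionLimiter(maximum=20)
    per_host_ok = sum(per_host.new_session(h, 0.0) == "accept"
                      for h in hosts for _ in range(25))
    # 2. The same traffic under aggregation source-prefix 24 shares one counter.
    per_net = SessionLimiter(maximum=20, source_prefix=24)
    per_net_ok = sum(per_net.new_session(h, 0.0) == "accept"
                     for h in hosts for _ in range(25))
    # 3. rate 4 with hold-time 5: the fifth SYN within one second trips the hold,
    #    and a flow at t=2.0 is still dropped although the rate has subsided.
    burst = SessionLimiter(rate=4, hold_time=5)
    timeline = [burst.new_session("10.1.1.1", t)
                for t in (0.0, 0.1, 0.2, 0.3, 0.4, 2.0, 6.0)]
    return {"per_host_accepted": per_host_ok,
            "per_net_accepted": per_net_ok,
            "burst": timeline}


if __name__ == "__main__":
    print(demo())
```

Running demo() gives 40 accepted sessions for the per-host case and 20 for the aggregated /24 case, and the burst timeline shows four accepts, one drop on rate, one drop on hold-time at t=2.0, and an accept again at t=6.0 after the 5-second hold has expired.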

NOTE: IDS limits are applied to packets that are accepted by stateful firewall rules. They are not applied to packets discarded or rejected by stateful firewall rules. For example, if the stateful firewall accepts 75 percent of the incoming traffic and the remaining 25 percent is rejected or discarded, the IDS limit applies only to 75 percent of the traffic.

• syn-cookie—The router activates SYN-cookie defensive mechanisms. To configure SYN-cookie values, include the syn-cookie statement at the [edit services ids rule rule-name term term-name then] hierarchy level:

[edit services ids rule rule-name term term-name then]
syn-cookie {
    mss value;
    threshold rate;
}

If you enable SYN-cookie defenses, you must include both a threshold rate to trigger SYN-cookie activity and a Transmission Control Protocol (TCP) maximum segment size (MSS) value for TCP delayed binding. The threshold rate is specified in SYN attacks per second. By default, the TCP MSS value is 1500; the range is from 128 through 8192.

Configuring IDS Rule Sets

The rule-set statement defines a collection of IDS rules that determine what actions the router software performs on packets in the data stream. You define each rule by specifying a rule name and configuring terms. Then, you specify the order of the rules by including the rule-set statement at the [edit services ids] hierarchy level with a rule statement for each rule:

[edit services ids]
rule-set rule-set-name {
    rule rule-name;
}

The router software processes the rules in the order in which you specify them in the configuration. If a term in a rule matches the packet, the router performs the corresponding action and the rule processing stops. If no term in a rule matches the packet, processing continues to the next rule in the rule set. If none of the rules matches the packet, the packet is dropped by default.
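The syn-cookie action above is specified only by its two parameters, a SYN rate threshold and an MSS for delayed binding. The following Python is an added example of how those two parameters fit into a generic SYN-cookie defense; it is not Junos code and does not describe the Multiservices PIC's cookie format. The SynCookieGuard class, the classic cookie layout (time counter, MSS index, keyed MAC), the constructed MSS table, the HMAC secret, and the one-second SYN window are all assumptions for illustration. Once the SYN rate crosses the threshold, no per-connection state is kept until a valid ACK arrives, which is what lets the device bind to the server late and keeps the half-open table bounded under a flood.

```python
"""Generic SYN-cookie handling with a SYN-rate threshold and an MSS carried in
the cookie (added example, not Junos code). Cookie layout follows the classic
design; secret, MSS table and SYN window are constructed for illustration."""
import hashlib
import hmac
from collections import deque

# Constructed MSS table; a 3-bit index into it rides in the cookie, so the
# delayed-binding proxy can recover an approximation of the configured mss.
MSS_TABLE = (128, 536, 1220, 1460, 8192)
MASK32 = 0xFFFFFFFF


class SynCookieGuard:
    def __init__(self, threshold, mss, secret=b"constructed-secret"):
        self.threshold = threshold          # SYNs per second that turn cookies on
        self.mss = mss
        self.mss_index = max(i for i, m in enumerate(MSS_TABLE) if m <= mss)
        self.secret = secret
        self.syn_window = deque()           # arrival times of SYNs in the last second
        self.half_open = {}                 # 4-tuple -> ISN, only while cookies are off

    def _mac(self, tup, counter):
        msg = repr(tup).encode() + (counter & MASK32).to_bytes(4, "big")
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")

    def _cookie(self, tup, counter):
        """32-bit ISN: 5 bits of time counter, 3 bits of MSS index, 24 bits of MAC."""
        return ((counter & 0x1F) << 27) | (self.mss_index << 24) | (self._mac(tup, counter) & 0xFFFFFF)

    def syn(self, tup, now):
        """Answer a SYN. Returns ('state', isn) or ('cookie', isn)."""
        self.syn_window.append(now)
        while self.syn_window[0] <= now - 1.0:
            self.syn_window.popleft()
        counter = int(now) // 64            # cookie time counter ticks every 64 s
        if len(self.syn_window) > self.threshold:
            return ("cookie", self._cookie(tup, counter))   # no state kept
        isn = self._mac(tup, counter)       # normal path: unpredictable ISN, state kept
        self.half_open[tup] = isn
        return ("state", isn)

    def ack(self, tup, ack_number, now):
        """Third packet of the handshake: MSS to bind the server with, or None."""
        isn = (ack_number - 1) & MASK32
        expected = self.half_open.get(tup)
        if expected is not None:
            if expected != isn:
                return None
            del self.half_open[tup]
            return self.mss
        cur = int(now) // 64
        for c in (cur, cur - 1):            # tolerate one counter tick of delay
            if (c & 0x1F) == isn >> 27 and (self._mac(tup, c) & 0xFFFFFF) == (isn & 0xFFFFFF):
                return MSS_TABLE[(isn >> 24) & 7]
        return None


def demo():
    """Constructed flood of 50 spoofed SYNs within one second, then one real client."""
    guard = SynCookieGuard(threshold=10, mss=1460)
    server = ("192.0.2.10", 80)
    answers = [guard.syn(("198.51.100.%d" % (i + 1), 40000 + i) + server, 0.01 * i)[0]
               for i in range(50)]
    client = ("203.0.113.5", 51000) + server
    kind, isn = guard.syn(client, 0.6)
    return {"stateful": answers.count("state"),
            "cookies": answers.count("cookie"),
            "half_open": len(guard.half_open),
            "client_answered_with": kind,
            "client_mss": guard.ack(client, (isn + 1) & MASK32, 0.8),
            "forged_mss": guard.ack(client, (isn + 2) & MASK32, 0.8)}


if __name__ == "__main__":
    print(demo())
```

In demo() the first ten SYNs are handled statefully, the remaining forty get cookies and leave no state behind, the legitimate client's ACK validates and yields an MSS of 1460 to bind with, and an ACK that does not echo the cookie is rejected. The MSS recovered from a cookie is a table entry, which is why the configured mss only approximates what the server sees after delayed binding.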

Examples: Configuring IDS Rules

The following configuration adds a permanent entry to the IDS anomaly table when it encounters a flow with the destination address 10.410.6.2:

[edit services ids]
rule simple_ids {
    term 1 {
        from {
            destination-address 10.410.6.2/32;
        }
        then {
            force-entry;
        }
    }
    match-direction input;
}

The IDS configuration works in conjunction with the stateful firewall mechanism and relies heavily on the anomalies reported by the stateful firewall. The following configuration example shows this relationship:

[edit services ids]
rule simple_ids {
    term 1 {
        from {
            source-address 10.10.20.2/32;
            destination-address {
                10.30.30.2/32;
                10.30.30.2/32 except;
            }
            applications appl-ftp;
        }
        then {
            force-entry;
            logging {
                threshold 5;
                syslog;
            }
            syn-cookie {
                threshold 10;
            }
        }
    }
    term default {
        then {
            aggregation {
                source-prefix 24;
            }
            logging {
                threshold 1;
                syslog;
            }
        }
    }
    match-direction input;
}

The following example shows configuration of flow limits:

[edit services ids]
rule ids-all {
    match-direction input;
    term t1 {
        from {
            application-sets alg-set;
        }
        then {
            aggregation {
                destination-prefix 30; /* IDS action aggregation */
            }
            logging {
                threshold 10;
            }
            session-limit {
                by-destination {
                    hold-time 0;
                    maximum 10;
                    rate 100;
                    packets 200;
                }
                by-pair {
                    hold-time 0;
                    maximum 10;
                    rate 100;
                    packets 200;
                }
                by-source {
                    hold-time 5;
                    maximum 10;
                    rate 100;
                    packets 200;
                }
            }
        }
    }
}
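The processing order described under “Configuring IDS Rule Sets” (rules in configured order, first matching term wins, processing stops, unmatched packets dropped) and the match conditions of “Configuring Match Conditions in IDS Rules” (except, address ranges, any-unicast, application lists, a term with no from statement) can be checked against a small model. The following Python is an added example, not Junos code and not the PIC's implementation: the Term, Rule and AddrCond classes, the rule names, the packet dictionaries and the treatment of an entry flagged except as overriding any included entry are constructed assumptions for illustration.

```python
"""Toy model of IDS rule-set processing (added example, not Junos code):
ordered rules, direction filtering, first matching term wins, default drop.
Names and the 'except' precedence rule are constructed for illustration."""
import ipaddress
from dataclasses import dataclass, field


def net(s):
    return ipaddress.ip_network(s, strict=False)


def rng(low, high):
    """An address-range entry, like destination-address-range low ... high."""
    return (ipaddress.ip_address(low), ipaddress.ip_address(high))


def _hit(entry, a):
    """One match entry: 'any-unicast', a (low, high) range, or a prefix."""
    if entry == "any-unicast":
        return not a.is_multicast
    if isinstance(entry, tuple):
        return entry[0] <= a <= entry[1]
    return a in entry


@dataclass
class AddrCond:
    include: list = field(default_factory=list)
    exclude: list = field(default_factory=list)     # entries flagged 'except'

    def matches(self, addr):
        a = ipaddress.ip_address(addr)
        if any(_hit(e, a) for e in self.exclude):     # assumption: except wins
            return False
        return not self.include or any(_hit(e, a) for e in self.include)


@dataclass
class Term:
    name: str
    action: str
    source: AddrCond = field(default_factory=AddrCond)
    destination: AddrCond = field(default_factory=AddrCond)
    applications: set = field(default_factory=set)   # empty: no application condition

    def matches(self, pkt):
        """A term with no conditions (no from statement) matches everything."""
        return (self.source.matches(pkt["src"]) and self.destination.matches(pkt["dst"])
                and (not self.applications or pkt["app"] in self.applications))


@dataclass
class Rule:
    name: str
    match_direction: str        # input | output | input-output
    terms: list


def process(rule_set, pkt):
    """Return (rule, term, action) for the first matching term, else the default drop."""
    for rule in rule_set:
        if rule.match_direction not in ("input-output", pkt["direction"]):
            continue                                   # direction does not match
        for term in rule.terms:
            if term.matches(pkt):
                return (rule.name, term.name, term.action)   # stop at first match
    return (None, None, "drop")


def demo():
    """Constructed rule set and packets; returns the decision for each packet."""
    rule_set = [
        Rule("trusted", "input", [
            Term("t1", "ignore-entry",
                 source=AddrCond(include=[net("10.1.1.0/24")], exclude=[net("10.1.1.99/32")]),
                 applications={"ftp"})]),
        Rule("ftp-limit", "input", [
            Term("t1", "session-limit",
                 destination=AddrCond(include=[rng("10.2.2.10", "10.2.2.20")]),
                 applications={"ftp"}),
            Term("t2", "logging",
                 destination=AddrCond(include=["any-unicast"]),
                 applications={"http"})]),
        Rule("egress-log", "output", [Term("all", "logging")]),   # no from statement
    ]
    pkts = [
        dict(src="10.1.1.5",  dst="10.2.2.15", app="ftp",  direction="input"),
        dict(src="10.1.1.99", dst="10.2.2.15", app="ftp",  direction="input"),
        dict(src="10.1.1.99", dst="10.2.2.50", app="http", direction="input"),
        dict(src="10.5.5.5",  dst="224.0.0.1", app="http", direction="input"),
        dict(src="10.5.5.5",  dst="10.2.2.50", app="http", direction="output"),
    ]
    return [process(rule_set, p) for p in pkts]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The five constructed packets show, in order: the first rule winning even though the second would also match; an except entry pushing a host past the first rule into the session limit; a term with only an application and any-unicast condition catching the rest of the unicast traffic; a multicast destination matching nothing and falling to the default drop; and an output packet skipping every input rule.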

Junos 11. Inc.4 Services Interfaces Configuration Guide 300 Copyright © 2011. . Juniper Networks.

CHAPTER 15

Summary of Intrusion Detection Service Configuration Statements

The following sections explain each of the intrusion detection service (IDS) statements. The statements are organized alphabetically.

aggregation

Syntax
    aggregation {
        destination-prefix prefix-value | destination-prefix-ipv6 prefix-value;
        source-prefix prefix-value | source-prefix-ipv6 prefix-value;
    }

Hierarchy Level
    [edit services ids rule rule-name term term-name then]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Specify the type of data to be aggregated.

Options
    The remaining statements are explained separately.

Usage Guidelines
    See “Configuring IDS Rules” on page 291.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

application-sets

Syntax
    application-sets set-name;

Hierarchy Level
    [edit services ids rule rule-name term term-name from]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Define one or more target application sets.

Options
    set-name—Name of the target application set.

Usage Guidelines
    See “Configuring Match Conditions in IDS Rules” on page 293.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

applications

Syntax
    applications [ application-names ];

Hierarchy Level
    [edit services ids rule rule-name term term-name from]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Define one or more applications to which IDS applies.

Options
    application-name—Name of the target application.

Usage Guidelines
    See “Configuring Match Conditions in IDS Rules” on page 293.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

by-destination

Syntax
    by-destination {
        hold-time seconds;
        maximum number;
        packets number;
        rate number;
    }

Hierarchy Level
    [edit services ids rule rule-name term term-name then session-limit]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Apply limit to sessions based on numbers generated from the configured destination (IP or subnet) or application.

Options
    hold-time seconds—Length of time for which to stop all new flows once the rate of events exceeds the threshold set by one or more of the maximum, packets, or rate statements.
    maximum number—Maximum number of open sessions per application or IP address.
    packets number—Maximum peak packets per second per application or IP address.
    rate number—Maximum number of sessions per second per application or IP address.

Usage Guidelines
    See “Configuring Actions in IDS Rules” on page 294.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

by-pair

Syntax
    by-pair {
        hold-time seconds;
        maximum number;
        packets number;
        rate number;
    }

Hierarchy Level
    [edit services ids rule rule-name term term-name then session-limit]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Apply limit to paired stateful firewall and NAT flows (forward and reverse).

Options
    hold-time seconds—Length of time for which to stop all new flows once the rate of events exceeds the threshold set by one or more of the maximum, packets, or rate statements.
    maximum number—Maximum number of open sessions per application or IP address.
    packets number—Maximum peak packets per second per application or IP address.
    rate number—Maximum number of sessions per second per application or IP address.

Usage Guidelines
    See “Configuring Actions in IDS Rules” on page 294.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

by-source

Syntax
    by-source {
        hold-time seconds;
        maximum number;
        packets number;
        rate number;
    }

Hierarchy Level
    [edit services ids rule rule-name term term-name then session-limit]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Apply limit to sessions based on numbers generated from the configured source (IP or subnet) or application.

Options
    hold-time seconds—Length of time for which to stop all new flows once the rate of events exceeds the threshold set by one or more of the maximum, packets, or rate statements.
    maximum number—Maximum number of open sessions per application or IP address.
    packets number—Maximum peak packets per second per application or IP address.
    rate number—Maximum number of sessions per second per application or IP address.

Usage Guidelines
    See “Configuring Actions in IDS Rules” on page 294.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

destination-address

Syntax
    destination-address (address | any-unicast) <except>;

Hierarchy Level
    [edit services ids rule rule-name term term-name from]

Release Information
    Statement introduced before Junos OS Release 7.4.
    address option enhanced to support IPv4 and IPv6 addresses in Junos OS Release 8.5.

Description
    Specify the destination address for rule matching.

Options
    address—Destination IPv4 or IPv6 address or prefix value.
    any-unicast—Any unicast packet.
    except—(Optional) Exempt the specified address, prefix, or unicast packets from rule matching.

Usage Guidelines
    See “Configuring Match Conditions in IDS Rules” on page 293.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

destination-address-range

Syntax
    destination-address-range low minimum-value high maximum-value <except>;

Hierarchy Level
    [edit services ids rule rule-name term term-name from]

Release Information
    Statement introduced in Junos OS Release 7.6.
    minimum-value and maximum-value options enhanced to support IPv4 and IPv6 addresses in Junos OS Release 8.5.

Description
    Specify the destination address range for rule matching.

Options
    minimum-value—Lower boundary for the IPv4 or IPv6 address range.
    maximum-value—Upper boundary for the IPv4 or IPv6 address range.
    except—(Optional) Exempt the specified address range from rule matching.

Usage Guidelines
    See “Configuring Match Conditions in IDS Rules” on page 293.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

destination-prefix

Syntax
    destination-prefix prefix-value;

Hierarchy Level
    [edit services ids rule rule-name term term-name then aggregation]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Specify the prefix value for destination IPv4 address aggregation.

Options
    prefix-value—Integer value.
    Range: 1 through 32

Usage Guidelines
    See “Configuring Actions in IDS Rules” on page 294.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

destination-prefix-ipv6

Syntax
    destination-prefix-ipv6 prefix-value;

Hierarchy Level
    [edit services ids rule rule-name term term-name then aggregation]

Release Information
    Statement introduced in Junos OS Release 8.5.

Description
    Specify the prefix value for destination IPv6 address aggregation.

Options
    prefix-value—Integer value.
    Range: 1 through 128

Usage Guidelines
    See “Configuring Actions in IDS Rules” on page 294.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

destination-prefix-list

Syntax
    destination-prefix-list list-name <except>;

Hierarchy Level
    [edit services ids rule rule-name term term-name from]

Release Information
    Statement introduced in Junos OS Release 8.2.

Description
    Specify the destination prefix list for rule matching. You configure the prefix list by including the prefix-list statement at the [edit policy-options] hierarchy level.

Options
    list-name—Destination prefix list.
    except—(Optional) Exclude the specified prefix list from rule matching.

Usage Guidelines
    See “Configuring Match Conditions in IDS Rules” on page 293.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • Junos OS Routing Policy Configuration Guide

force-entry

Syntax
    (force-entry | ignore-entry);

Hierarchy Level
    [edit services ids rule rule-name term term-name then]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Specify handling of entries in the IDS events cache:
    • force-entry—Ensure that the entry has a permanent place in the IDS cache after one event is registered.
    • ignore-entry—Ensure that all IDS events are ignored.

Usage Guidelines
    See “Configuring Actions in IDS Rules” on page 294.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

from

Syntax
    from {
        application-sets set-name;
        applications [ application-names ];
        destination-address (address | any-unicast) <except>;
        destination-address-range low minimum-value high maximum-value <except>;
        destination-prefix-list list-name <except>;
        source-address (address | any-unicast) <except>;
        source-address-range low minimum-value high maximum-value <except>;
        source-prefix-list list-name <except>;
    }

Hierarchy Level
    [edit services ids rule rule-name term term-name]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Specify input conditions for the IDS term. For information on match conditions, see the description of firewall filter match conditions in the Junos OS Routing Policy Configuration Guide.

Options
    The remaining statements are explained separately.

Usage Guidelines
    See “Configuring Match Conditions in IDS Rules” on page 293.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

ignore-entry

    See force-entry.

logging

Syntax
    logging {
        syslog;
        threshold rate;
    }

Hierarchy Level
    [edit services ids rule rule-name term term-name then]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Set logging values for this IDS term.

Options
    The remaining statements are explained separately.

Usage Guidelines
    See “Configuring Actions in IDS Rules” on page 294.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

match-direction

Syntax
    match-direction (input | output | input-output);

Hierarchy Level
    [edit services ids rule rule-name]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Specify the direction in which the rule match is applied.

Options
    input—Apply the rule match on input.
    output—Apply the rule match on output.
    input-output—Apply the rule match bidirectionally.

Usage Guidelines
    See “Configuring Match Direction for IDS Rules” on page 292.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

mss

Syntax
    mss value;

Hierarchy Level
    [edit services ids rule rule-name term term-name then syn-cookie]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Specify the maximum segment size (MSS) value used in Transmission Control Protocol (TCP) delayed binding.

Options
    value—MSS value.
    Default: 1500
    Range: 128 through 8192

Usage Guidelines
    See “Configuring Actions in IDS Rules” on page 294.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

rule

Syntax
    rule rule-name {
        match-direction (input | output | input-output);
        term term-name {
            from {
                application-sets set-name;
                applications [ application-names ];
                destination-address (address | any-unicast) <except>;
                destination-address-range low minimum-value high maximum-value <except>;
                source-address (address | any-unicast) <except>;
                source-address-range low minimum-value high maximum-value <except>;
            }
            then {
                aggregation {
                    destination-prefix prefix-value | destination-prefix-ipv6 prefix-value;
                    source-prefix prefix-value | source-prefix-ipv6 prefix-value;
                }
                (force-entry | ignore-entry);
                logging {
                    syslog;
                    threshold rate;
                }
                session-limit {
                    by-destination {
                        hold-time seconds;
                        maximum number;
                        packets number;
                        rate number;
                    }
                    by-pair {
                        hold-time seconds;
                        maximum number;
                        packets number;
                        rate number;
                    }
                    by-source {
                        hold-time seconds;
                        maximum number;
                        packets number;
                        rate number;
                    }
                }
                syn-cookie {
                    mss value;
                    threshold rate;
                }
            }
        }
    }

Hierarchy Level
    [edit services ids],
    [edit services ids rule-set rule-set-name]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Specify the rule the router uses when applying this service.

Options
    rule-name—Identifier for the collection of terms that constitute this rule.

Usage Guidelines
    See “Configuring IDS Rules” on page 291.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

rule-set

Syntax
    rule-set rule-set-name {
        [ rule rule-names ];
    }

Hierarchy Level
    [edit services ids]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Specify the rule set the router uses when applying this service.

Options
    rule-set-name—Identifier for the collection of rules that constitute this rule set.

Usage Guidelines
    See “Configuring IDS Rule Sets” on page 297.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

services

Syntax
    services ids {
        ...
    }

Hierarchy Level
    [edit]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Define the service rules to be applied to traffic.

Options
    ids—Identifies the IDS set of rules statements.

Usage Guidelines
    See “Configuring IDS Rules” on page 291.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

session-limit

Syntax
    session-limit {
        by-destination {
            hold-time seconds;
            maximum number;
            packets number;
            rate number;
        }
        by-pair {
            hold-time seconds;
            maximum number;
            packets number;
            rate number;
        }
        by-source {
            hold-time seconds;
            maximum number;
            packets number;
            rate number;
        }
    }

Hierarchy Level
    [edit services ids rule rule-name term term-name then]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Enable flow limitation by configuring thresholds on source, destination, or stateful firewall and network address translation (NAT) paired traffic flows.

Options
    The remaining statements are described separately.

Usage Guidelines
    See “Configuring Actions in IDS Rules” on page 294.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

source-address

Syntax
    source-address (address | any-unicast) <except>;

Hierarchy Level
    [edit services ids rule rule-name term term-name from]

Release Information
    Statement introduced before Junos OS Release 7.4.
    address option enhanced to support IPv4 and IPv6 addresses in Junos OS Release 8.5.

Description
    Specify the source address for rule matching.

Options
    address—Source IPv4 or IPv6 address or prefix value.
    any-unicast—Any unicast packet.
    except—(Optional) Exempt the specified address, prefix, or unicast packets from rule matching.

Usage Guidelines
    See “Configuring Match Conditions in IDS Rules” on page 293.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

source-address-range

Syntax
    source-address-range low minimum-value high maximum-value <except>;

Hierarchy Level
    [edit services ids rule rule-name term term-name from]

Release Information
    Statement introduced in Junos OS Release 7.6.
    minimum-value and maximum-value options enhanced to support IPv4 and IPv6 addresses in Junos OS Release 8.5.

Description
    Specify the source address range for rule matching.

Options
    minimum-value—Lower boundary for the IPv4 or IPv6 address range.
    maximum-value—Upper boundary for the IPv4 or IPv6 address range.
    except—(Optional) Exempt the specified address range from rule matching.

Usage Guidelines
    See “Configuring Match Conditions in IDS Rules” on page 293.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

source-prefix

Syntax
    source-prefix prefix-value;

Hierarchy Level
    [edit services ids rule rule-name term term-name then aggregation]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Specify the prefix value for source IPv4 address aggregation.

Options
    prefix-value—Integer value.
    Range: 1 through 32

Usage Guidelines
    See “Configuring Actions in IDS Rules” on page 294.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

source-prefix-ipv6

Syntax
    source-prefix-ipv6 prefix-value;

Hierarchy Level
    [edit services ids rule rule-name term term-name then aggregation]

Release Information
    Statement introduced in Junos OS Release 8.5.

Description
    Specify the prefix value for source IPv6 address aggregation.

Options
    prefix-value—Integer value.
    Range: 1 through 128

Usage Guidelines
    See “Configuring Actions in IDS Rules” on page 294.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

source-prefix-list

Syntax
    source-prefix-list list-name <except>;

Hierarchy Level
    [edit services ids rule rule-name term term-name from]

Release Information
    Statement introduced in Junos OS Release 8.2.

Description
    Specify the source prefix list for rule matching. You configure the prefix list by including the prefix-list statement at the [edit policy-options] hierarchy level.

Options
    list-name—Source prefix list.
    except—(Optional) Exclude the specified prefix list from rule matching.

Usage Guidelines
    See “Configuring Match Conditions in IDS Rules” on page 293.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • Junos OS Routing Policy Configuration Guide

syn-cookie

Syntax
    syn-cookie {
        mss value;
        threshold rate;
    }

Hierarchy Level
    [edit services ids rule rule-name term term-name then]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Enable SYN-cookie defenses against SYN attacks. By default, SYN-cookie techniques are not applied.

Options
    The remaining statements are described separately.

Usage Guidelines
    See “Configuring Actions in IDS Rules” on page 294.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

syslog

Syntax
    syslog;

Hierarchy Level
    [edit services ids rule rule-name term term-name then logging]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Enable system logging. The system log information from the Adaptive Services or Multiservices Physical Interface Card (PIC) is passed to the kernel for logging in the /var/log directory.

Usage Guidelines
    See “Configuring Actions in IDS Rules” on page 294.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

term

Syntax
    term term-name {
        from {
            application-sets set-name;
            applications [ application-names ];
            destination-address (address | any-unicast) <except>;
            destination-address-range low minimum-value high maximum-value <except>;
            source-address (address | any-unicast) <except>;
            source-address-range low minimum-value high maximum-value <except>;
        }
        then {
            aggregation {
                destination-prefix prefix-value | destination-prefix-ipv6 prefix-value;
                source-prefix prefix-value | source-prefix-ipv6 prefix-value;
            }
            (force-entry | ignore-entry);
            logging {
                syslog;
                threshold rate;
            }
            session-limit {
                by-destination {
                    hold-time seconds;
                    maximum number;
                    packets number;
                    rate number;
                }
                by-pair {
                    hold-time seconds;
                    maximum number;
                    packets number;
                    rate number;
                }
                by-source {
                    hold-time seconds;
                    maximum number;
                    packets number;
                    rate number;
                }
            }
            syn-cookie {
                mss value;
                threshold rate;
            }
        }
    }

Hierarchy Level
    [edit services ids rule rule-name]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Define the IDS term properties.

Options
    term-name—Identifier for the term.
    The remaining statements are explained separately.

Usage Guidelines
    See “Configuring IDS Rules” on page 291.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

then

Syntax
    then {
        aggregation {
            destination-prefix prefix-value | destination-prefix-ipv6 prefix-value;
            source-prefix prefix-value | source-prefix-ipv6 prefix-value;
        }
        (force-entry | ignore-entry);
        logging {
            syslog;
            threshold rate;
        }
        session-limit {
            by-destination {
                hold-time seconds;
                maximum number;
                packets number;
                rate number;
            }
            by-pair {
                hold-time seconds;
                maximum number;
                packets number;
                rate number;
            }
            by-source {
                hold-time seconds;
                maximum number;
                packets number;
                rate number;
            }
        }
        syn-cookie {
            mss value;
            threshold rate;
        }
    }

Hierarchy Level
    [edit services ids rule rule-name term term-name]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Define the IDS term actions.

Options
    The remaining statements are explained separately.

Usage Guidelines
    See “Configuring IDS Rules” on page 291.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

threshold

Syntax
    threshold rate;

Hierarchy Level
    [edit services ids rule rule-name term term-name then logging],
    [edit services ids rule rule-name term term-name then syn-cookie]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Specify the threshold for logging or applying SYN-cookie defenses.

Options
    rate—Logging threshold, in number of events per second (at the logging hierarchy level).
    rate—SYN-cookie defense threshold, in number of SYN attacks per second (at the syn-cookie hierarchy level).

Usage Guidelines
    See “Configuring Actions in IDS Rules” on page 294.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.
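The syn-cookie, mss and threshold statements summarized above turn on a defense whose mechanism the reference pages do not spell out: once SYNs arrive faster than the threshold, the device stops allocating a half-open session per SYN and answers each one with a cookie as the server initial sequence number, then rebuilds the connection from the client's final ACK. That ACK can carry only a few bits, so the client's MSS cannot be stored in it; a small index is kept instead, which is why a fixed MSS is configured for the delayed binding. The following is an added example written for this page, not Junos or PIC code, and it generalizes the page's configuration into a working model of the technique: a stateless SYN cookie loosely following the classic Bernstein/Linux layout, plus a one-second sliding-window rate meter that activates cookie mode at the threshold. The cookie layout (5-bit time counter, 2-bit MSS index, 25-bit MAC), the 4-entry MSS table, the secret and the packet 4-tuples are all assumptions made for the illustration.

```python
"""SYN-cookie defense with an activation threshold (added example, not Junos code).

Cookie layout, MSS table, secret and addresses are assumptions for the illustration.
"""
import hashlib
import hmac
import struct
from collections import deque

# Assumption: four MSS values addressable by the two bits the cookie can spare.
MSS_TABLE = (536, 1220, 1460, 8192)
COOKIE_SECRET = b"example-secret-rotate-me"  # assumption; a real implementation rotates this
MAC_BITS = 25
MAC_MASK = (1 << MAC_BITS) - 1


def mss_index(mss):
    """Index of the largest table entry that does not exceed the requested MSS."""
    idx = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= mss:
            idx = i
    return idx


def _mac(saddr, daddr, sport, dport, counter):
    """Keyed hash over the IPv4 4-tuple and the coarse time counter, truncated to MAC_BITS."""
    msg = struct.pack("!4s4sHHB", saddr, daddr, sport, dport, counter & 0x1F)
    digest = hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & MAC_MASK


def make_cookie(client_isn, saddr, daddr, sport, dport, counter, mss):
    """Server ISN carrying, relative to the client ISN: 5-bit counter | 2-bit MSS index | 25-bit MAC."""
    body = ((counter & 0x1F) << 27) | (mss_index(mss) << 25) | _mac(saddr, daddr, sport, dport, counter)
    return (client_isn + body) & 0xFFFFFFFF


def check_cookie(ack_seq, ack_ack, saddr, daddr, sport, dport, now_counter, max_age=1):
    """Validate the final ACK (seq = client ISN + 1, ack = cookie + 1) of a handshake
    we kept no state for. Returns the MSS to use for the server-side connection, or None."""
    client_isn = (ack_seq - 1) & 0xFFFFFFFF
    body = ((ack_ack - 1) - client_isn) & 0xFFFFFFFF
    counter = body >> 27
    if (now_counter - counter) & 0x1F > max_age:
        return None  # too old, or replayed after the counter moved on; the 5-bit wrap is handled
    expected = _mac(saddr, daddr, sport, dport, counter).to_bytes(4, "big")
    if not hmac.compare_digest((body & MAC_MASK).to_bytes(4, "big"), expected):
        return None  # forged or corrupted cookie
    return MSS_TABLE[(body >> 25) & 0x3]


class SynRateMeter:
    """Sliding one-second window; cookie mode is active while SYNs per second reach the threshold."""

    def __init__(self, threshold_per_second):
        self.threshold = threshold_per_second
        self.arrivals = deque()

    def observe(self, now):
        self.arrivals.append(now)
        while self.arrivals and now - self.arrivals[0] >= 1.0:
            self.arrivals.popleft()
        return len(self.arrivals) >= self.threshold


def handle_syn(meter, client_isn, saddr, daddr, sport, dport, client_mss, configured_mss, now, counter):
    """Below the threshold, hand the SYN to normal stateful processing; at or above it,
    answer with a cookie ISN and keep nothing. Returns (mode, server_isn or None)."""
    if not meter.observe(now):
        return "stateful", None
    mss = min(client_mss, configured_mss)  # the configured mss caps what delayed binding advertises
    return "cookie", make_cookie(client_isn, saddr, daddr, sport, dport, counter, mss)
```

Two details matter operationally. The counter is what bounds replay: an attacker who captures a valid ACK can replay it only until the counter advances past max_age, and the 5-bit arithmetic lets the check survive the counter wrapping. And the MSS index is why the page's mss value exists: the device cannot learn the client's MSS later, so the value it advertises on the delayed-binding leg has to be configured.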


CHAPTER 16
IPsec Services Configuration Guidelines

To configure IP Security (IPsec) services, include the following statements at the [edit services ipsec-vpn] hierarchy level:

    [edit services ipsec-vpn]
    clear-ike-sas-on-pic-restart;
    clear-ipsec-sas-on-pic-restart;
    ike {
        proposal proposal-name {
            authentication-algorithm (md5 | sha1 | sha-256);
            authentication-method (dsa-signatures | pre-shared-keys | rs
a-signatures);
            description description;
            dh-group (group1 | group2 | group5 | group14);
            encryption-algorithm algorithm;
            lifetime-seconds seconds;
        }
        policy policy-name {
            description description;
            local-certificate identifier;
            local-id (ipv4_addr ipv4-address | ipv6-addr ipv6-address | key-id identifier);
            mode (aggressive | main);
            pre-shared-key (ascii-text key | hexadecimal key);
            proposals [ proposal-names ];
            remote-id {
                any-remote-id;
                ipv4_addr [ values ];
                ipv6_addr [ values ];
                key_id [ values ];
            }
            version (1 | 2);
        }
    }
    ipsec {
        proposal proposal-name {
            authentication-algorithm (hmac-md5-96 | hmac-sha1-96);
            description description;
            encryption-algorithm algorithm;
            lifetime-seconds seconds;
            protocol (ah | esp | bundle);
        }
        policy policy-name {
            description description;
            perfect-forward-secrecy {

                keys (group1 | group2);
            }
            proposals [ proposal-names ];
        }
    }
    rule rule-name {
        match-direction (input | output);
        term term-name {
            from {
                destination-address address;
                ipsec-inside-interface interface-name;
                source-address address;
            }
            then {
                anti-replay-window-size bits;
                backup-remote-gateway address;
                clear-dont-fragment-bit;
                dynamic {
                    ike-policy policy-name;
                    ipsec-policy policy-name;
                }
                initiate-dead-peer-detection;
                manual {
                    direction (inbound | outbound | bidirectional) {
                        authentication {
                            algorithm (hmac-md5-96 | hmac-sha1-96);
                            key (ascii-text key | hexadecimal key);
                        }
                        auxiliary-spi spi-value;
                        encryption {
                            algorithm algorithm;
                            key (ascii-text key | hexadecimal key);
                        }
                        protocol (ah | bundle | esp);
                        spi spi-value;
                    }
                }
                no-anti-replay;
                remote-gateway address;
                syslog;
                tunnel-mtu bytes;
            }
        }
    }
    rule-set rule-set-name {
        [ rule rule-names ];
    }
    traceoptions {
        file {
            files number;
            size bytes;
        }
        flag flag;
        level level;
    }
    no-ipsec-tunnel-in-traceroute;

This chapter includes the following sections:

• Minimum Security Association Configurations on page 325
• Configuring Security Associations on page 326
• Configuring IKE Proposals on page 332
• Configuring IKE Policies on page 335
• Configuring IPsec Proposals on page 341
• Configuring IPsec Policies on page 343
• IPsec Policy for Dynamic Endpoints on page 346
• Configuring IPsec Rules on page 346
• Configuring IPsec Rule Sets on page 353
• Configuring Dynamic Endpoints for IPsec Tunnels on page 353
• Tracing IPsec Operations on page 358
• Configuring IPSec on the Services SDK on page 360
• Examples: Configuring IPsec Services on page 361

Minimum Security Association Configurations

The following sections show the minimum configurations necessary to set up security associations (SAs) for IPsec services:

• Minimum Manual SA Configuration on page 325
• Minimum Dynamic SA Configuration on page 325

Minimum Manual SA Configuration

To define a manual SA configuration, you must include at least the following statements at the [edit services ipsec-vpn rule rule-name term term-name then manual] hierarchy level:

    [edit services ipsec-vpn rule rule-name term term-name then manual]
    direction (inbound | outbound | bidirectional) {
        authentication {
            algorithm (hmac-md5-96 | hmac-sha1-96);
            key (ascii-text key | hexadecimal key);
        }
        encryption {
            algorithm algorithm;
            key (ascii-text key | hexadecimal key);
        }
        protocol (ah | esp | bundle);
        spi spi-value;
    }

Minimum Dynamic SA Configuration

To define a dynamic SA configuration, you must include at least the following statements at the [edit services ipsec-vpn] hierarchy level:

    [edit services ipsec-vpn]
    ike {
        proposal proposal-name {
            authentication-algorithm (md5 | sha1 | sha-256);
            authentication-method pre-shared-keys;
            dh-group (group1 | group2 | group5 | group14);
            encryption-algorithm algorithm;
        }
        policy policy-name {
            mode (aggressive | main);
            pre-shared-key (ascii-text key | hexadecimal key);
            proposals [ ike-proposal-names ];
            version (1 | 2);
        }
    }
    ipsec {
        proposal proposal-name {
            authentication-algorithm (hmac-md5-96 | hmac-sha1-96);
            encryption-algorithm algorithm;
            protocol (ah | esp | bundle);
        }
        policy policy-name {
            proposals [ ipsec-proposal-names ];
        }
    }

NOTE:
• Starting with Junos OS Release 11.4, both IKEv1 and IKEv2 are supported by default on all M Series, MX Series, and T Series routers. The version statement under the [edit services ipsec-vpn ike policy name] hierarchy allows you to configure the specific IKE version to be supported. The mode statement under the [edit services ipsec-vpn ike policy name] hierarchy is required only if the version option is set to 1.
• You must also include the ipsec-policy statement at the [edit services ipsec-vpn rule rule-name term term-name then dynamic] hierarchy level.

Configuring Security Associations

To use IPsec services, you create an SA between hosts. An SA is a simplex connection that allows two hosts to communicate with each other securely by means of IPsec. You can configure two types of SAs:

• Manual—Requires no negotiation; all values, including the keys, are static and specified in the configuration. As a result, each peer must have the same configured options for communication to take place. For information about how to configure a manual SA, see “Configuring Manual Security Associations” on page 327.
• Dynamic—Specifies proposals to be negotiated with the tunnel peer. The keys are generated as part of the negotiation and therefore do not need to be specified in the configuration. The dynamic SA includes one or more proposal statements, which allow

you to prioritize a list of protocols and algorithms to be negotiated with the peer. For information about how to configure a dynamic SA, see “Configuring Dynamic Security Associations” on page 331.

This section includes the following topics:

• Configuring Manual Security Associations on page 327
• Configuring Dynamic Security Associations on page 331
• Clearing Security Associations on page 332

NOTE: Both OSPFv2 and OSPFv3 support IPsec authentication. However, dynamic or tunnel mode IPsec SAs are not supported for OSPFv3. If you add such SAs to OSPFv3 by including the ipsec-sa statement at the [edit protocols ospf3 area area-number interface interface-name] hierarchy level, your configuration fails to commit. For more information about OSPF authentication and other OSPF properties, see the Junos OS Routing Protocols Configuration Guide.

Configuring Manual Security Associations

Manual SAs require no negotiation; all values, including the keys, are static and specified in the configuration. As a result, each peer must have the same configured options for communication to take place.

To configure a manual IPsec security association, include statements at the [edit services ipsec-vpn rule rule-name term term-name then manual] hierarchy level:

    [edit services ipsec-vpn rule rule-name term term-name then manual]
    direction (inbound | outbound | bidirectional) {
        authentication {
            algorithm (hmac-md5-96 | hmac-sha1-96);
            key (ascii-text key | hexadecimal key);
        }
        auxiliary-spi auxiliary-spi-value;
        encryption {
            algorithm algorithm;
            key (ascii-text key | hexadecimal key);
        }
        protocol (ah | esp | bundle);
        spi spi-value;
    }

To configure manual SA statements, do the following:

• Configuring the Direction for IPsec Processing on page 328
• Configuring the Protocol for a Manual IPsec SA on page 329
• Configuring the Security Parameter Index on page 329
• Configuring the Auxiliary Security Parameter Index on page 329

• Configuring Authentication for a Manual IPsec SA on page 329
• Configuring Encryption for a Manual IPsec SA on page 330

Configuring the Direction for IPsec Processing

The direction statement specifies inbound or outbound IPsec processing. If you want to define different algorithms, keys, or security parameter index (SPI) values for each direction, you configure the inbound and outbound options. If you want the same attributes in both directions, use the bidirectional option.

To configure the direction of IPsec processing, include the direction statement at the [edit services ipsec-vpn rule rule-name term term-name then manual] hierarchy level:

    [edit services ipsec-vpn rule rule-name term term-name then manual]
    direction (inbound | outbound | bidirectional) {
        ...
    }

Example: Using the Same Configuration for the Inbound and Outbound Directions

Define one set of algorithms, keys, and security parameter index values that is valid in both directions:

    [edit services ipsec-vpn rule rule-name term term-name then manual]
    direction bidirectional {
        protocol ah;
        spi 20001;
        authentication {
            algorithm hmac-md5-96;
            key ascii-text 123456789012abcd;
        }
    }

Example: Using Different Configuration for the Inbound and Outbound Directions

Define different algorithms, keys, and security parameter index values for each direction. Note that a 3des-cbc ASCII key must be exactly 24 characters long (see “Configuring Encryption for a Manual IPsec SA” on page 330):

    [edit services ipsec-vpn rule rule-name term term-name then manual]
    direction inbound {
        protocol esp;
        spi 16384;
        encryption {
            algorithm 3des-cbc;
            key ascii-text 234567890123456789012345;
        }
    }
    direction outbound {
        protocol esp;
        spi 24576;
        encryption {
            algorithm 3des-cbc;
            key ascii-text 12345678901234567890abcd;
        }
    }

Configuring the Protocol for a Manual IPsec SA

IPsec uses two protocols to protect IP traffic: Encapsulating Security Payload (ESP) and authentication header (AH). The AH protocol is used for strong authentication. A third option, bundle, uses AH authentication and ESP encryption; it does not use ESP authentication because AH provides stronger authentication of IP packets.

To configure the IPsec protocol, include the protocol statement and specify the ah, esp, or bundle option at the [edit services ipsec-vpn rule rule-name term term-name then manual direction direction] hierarchy level:

    [edit services ipsec-vpn rule rule-name term term-name then manual direction direction]
    protocol (ah | bundle | esp);

Configuring the Security Parameter Index

An SPI is an arbitrary value that uniquely identifies which SA to use at the receiving host. The sending host uses the SPI to identify and select which SA to use to secure every packet. The receiving host uses the SPI to identify and select the encryption algorithm and key used to decrypt packets.

NOTE: Each manual SA must have a unique SPI and protocol combination.

To configure the SPI, include the spi statement and specify a value (from 256 through 16,639) at the [edit services ipsec-vpn rule rule-name term term-name then manual direction direction] hierarchy level:

    [edit services ipsec-vpn rule rule-name term term-name then manual direction direction]
    spi spi-value;

Configuring the Auxiliary Security Parameter Index

Use the auxiliary SPI when you configure the protocol statement to use the bundle option.

NOTE: Each manual SA must have a unique SPI and protocol combination.

To configure the auxiliary SPI, include the auxiliary-spi statement and specify a value (from 256 through 16,639) at the [edit services ipsec-vpn rule rule-name term term-name then manual direction direction] hierarchy level:

    [edit services ipsec-vpn rule rule-name term term-name then manual direction direction]
    auxiliary-spi auxiliary-spi-value;

Configuring Authentication for a Manual IPsec SA

To configure an authentication algorithm, include the authentication statement and specify an authentication algorithm and a key at the [edit services ipsec-vpn rule rule-name term term-name then manual direction direction] hierarchy level:

its key size is 64 bits long. • hexadecimal—Hexadecimal key. the key contains 20 ASCII characters. With the hmac-sha1-96 option. the key contains 16 ASCII characters. • hmac-sha1-96—Hash algorithm that authenticates packet data. It produces a 128-bit authenticator value and a 96-bit digest. aes-256-cbc—Advanced Encryption Standard (AES) 256-bit encryption algorithm. • • • aes-128-cbc—Advanced Encryption Standard (AES) 128-bit encryption algorithm. It produces a 160-bit authenticator value and a 96-bit digest. } The algorithm can be one of the following: • hmac-md5-96—Hash algorithm that authenticates packet data. 330 Copyright © 2011. the key contains 32 hexadecimal characters.Junos 11. Inc. aes-192-cbc—Advanced Encryption Standard (AES) 192-bit encryption algorithm. With the hmac-sha1-96 option. With the hmac-md5-96 option. include the encryption statement and specify an algorithm and key at the [edit services ipsec-vpn rule rule-name term term-name then manual direction direction] hierarchy level: [edit services ipsec-vpn rule rule-name term term-name then manual direction direction] encryption { algorithm algorithm. key (ascii-text key | hexadecimal key). . Configuring Encryption for a Manual IPsec SA To configure IPsec encryption. • 3des-cbc—Encryption algorithm that has a block size of 24 bytes.4 Services Interfaces Configuration Guide [edit services ipsec-vpn rule rule-name term term-name then manual direction direction] authentication { algorithm (hmac-md5-96 | hmac-sha1-96). its key size is 192 bits long. key (ascii-text key | hexadecimal key). Juniper Networks. The key can be one of the following: • ascii-text—ASCII text key. With the hmac-md5-96 option. the key contains 40 hexadecimal characters. } The algorithm can be one of the following: • des-cbc—Encryption algorithm that has a block size of 8 bytes.

and the second 8 bytes should be the same as the third 8 bytes. The key can be one of the following: • ascii-text—ASCII text key. With the des-cbc option. the first 8 bytes should differ from the second 8 bytes. the Junos OS uses the default values of sha1 for the authentication and 3des-cbc for the encryption. 2. follow these steps: 1. the key contains 8 ASCII characters. Configure Internet Key Exchange (IKE) proposals and IKE policies associated with these proposals. NOTE: You cannot configure encryption when you use the AH protocol. so DES remains the recommended option. Inc. The dynamic SA includes one or more proposals. Associate an SA with an IPsec policy by configuring the dynamic statement. The AES-CBC Cipher Algorithm and Its Use with IPsec. If you configure an authentication proposal but do not include the encryption statement. see “Configuring IPsec Policies” on page 343. Configuring Dynamic Security Associations You configure dynamic SAs with a set of proposals that are negotiated by the security gateways. For reference information on AES encryption. With the 3des-cbc option. see RFC 3602. see “Configuring IKE Policies” on page 335 and “Configuring IKE Proposals” on page 332. For more information about IPsec policies and proposals. The AES encryption algorithms use a software implementation that has much lower throughput. Copyright © 2011. For more information about IKE policies and proposals. the result is NULL encryption. If you configure no specific authentication or encryption values. With the des-cbc option. Juniper Networks. the key contains 16 hexadecimal characters. The Internet Key Exchange (IKE). see RFC 2409. which allow you to prioritize a list of protocols and algorithms to be negotiated with the peer. Certain applications expect this result. For 3des-cbc. With the 3des-cbc option. 
Configure IPsec proposals and an IPsec policy associated with these proposals.Chapter 16: IPsec Services Configuration Guidelines NOTE: For a list of Data Encryption Standard (DES) encryption algorithm weak and semiweak keys. the key contains 24 ASCII characters. To enable a dynamic SA. • hexadecimal—Hexadecimal key. 331 . the key contains 48 hexadecimal characters. The keys are generated as part of the negotiation and therefore do not need to be specified in the configuration. 3.

To configure a dynamic SA, include the dynamic statement and specify an IPsec policy name at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level. The ike-policy statement is optional unless you use the preshared key authentication method.

    [edit services ipsec-vpn rule rule-name term term-name then]
    dynamic {
        ike-policy policy-name;
        ipsec-policy policy-name;
    }

NOTE: If you want to establish a dynamic SA, the attributes in at least one configured IPsec and IKE proposal must match those of its peer.

Clearing Security Associations

You can set up the router software to clear IKE or IPsec SAs automatically when the corresponding services PIC restarts or is taken offline. To configure this property, include the clear-ike-sas-on-pic-restart or clear-ipsec-sas-on-pic-restart statement at the [edit services ipsec-vpn] hierarchy level:

    [edit services ipsec-vpn]
    clear-ike-sas-on-pic-restart;
    clear-ipsec-sas-on-pic-restart;

After you add this statement to the configuration, all the IKE or IPsec SAs corresponding to the tunnels in the PIC will be cleared when the PIC restarts or goes offline.

Configuring IKE Proposals

Dynamic security associations (SAs) require IKE configuration. With dynamic SAs, you configure IKE first, and then the SA. IKE creates the dynamic SAs and negotiates them for IPsec. The IKE configuration defines the algorithms and keys used to establish the secure IKE connection with the peer security gateway.

You can configure one or more IKE proposals. Each proposal is a list of IKE attributes to protect the IKE connection between the IKE host and its peer.

To configure an IKE proposal, include the proposal statement and specify a name at the [edit services ipsec-vpn ike] hierarchy level:

    [edit services ipsec-vpn ike]
    proposal proposal-name {
        authentication-algorithm (md5 | sha1 | sha-256);
        authentication-method (dsa-signatures | pre-shared-keys | rsa-signatures);
        dh-group (group1 | group2 | group5 | group14);
        encryption-algorithm algorithm;
        lifetime-seconds seconds;
    }

This section includes the following topics:

• Configuring the Authentication Algorithm for an IKE Proposal on page 333
• Configuring the Authentication Method for an IKE Proposal on page 333
• Configuring the Diffie-Hellman Group for an IKE Proposal on page 334
• Configuring the Encryption Algorithm for an IKE Proposal on page 334
• Configuring the Lifetime for an IKE SA on page 335
• Example: Configuring an IKE Proposal on page 335

Configuring the Authentication Algorithm for an IKE Proposal

To configure the authentication algorithm for an IKE proposal, include the authentication-algorithm statement at the [edit services ipsec-vpn ike proposal proposal-name] hierarchy level:

    [edit services ipsec-vpn ike proposal proposal-name]
    authentication-algorithm (md5 | sha1 | sha-256);

The authentication algorithm can be one of the following:

• md5—Produces a 128-bit digest.
• sha1—Produces a 160-bit digest.
• sha-256—Produces a 256-bit digest.

Of these, sha-256 is the one to choose for new deployments; md5 and sha1 are retained for interoperability with older peers.

NOTE: For reference information on Secure Hash Algorithms (SHAs), see Internet draft draft-eastlake-sha2-02.txt, Secure Hash Algorithms (SHA and HMAC-SHA) (expires July 2006).

Configuring the Authentication Method for an IKE Proposal

To configure the authentication method for an IKE proposal, include the authentication-method statement at the [edit services ipsec-vpn ike proposal proposal-name] hierarchy level:

    [edit services ipsec-vpn ike proposal proposal-name]
    authentication-method (dsa-signatures | pre-shared-keys | rsa-signatures);

The authentication method can be one of the following:

• dsa-signatures—Digital Signature Algorithm.
• pre-shared-keys—A key derived from an out-of-band mechanism; the key authenticates the exchanges.
• rsa-signatures—Public key algorithm (supports encryption and digital signatures).

Configuring the Diffie-Hellman Group for an IKE Proposal

Diffie-Hellman is a public-key cryptography scheme that allows two parties to establish a shared secret over an insecure communications channel. It is also used within IKE to establish session keys.

To configure the Diffie-Hellman group for an IKE proposal, include the dh-group statement at the [edit services ipsec-vpn ike proposal proposal-name] hierarchy level:

[edit services ipsec-vpn ike proposal proposal-name]
dh-group (group1 | group2 | group5 | group14);

The group can be one of the following:
• group1—Specifies that IKE use the 768-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.
• group2—Specifies that IKE use the 1024-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.
• group5—Specifies that IKE use the 1536-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.
• group14—Specifies that IKE use the 2048-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.

Using a Diffie-Hellman group based on a greater number of bits results in a more secure IKE tunnel than using a group based on fewer bits. However, this additional security entails additional processing time.

Configuring the Encryption Algorithm for an IKE Proposal

To configure the encryption algorithm for an IKE proposal, include the encryption-algorithm statement at the [edit services ipsec-vpn ike proposal proposal-name] hierarchy level:

[edit services ipsec-vpn ike proposal proposal-name]
encryption-algorithm algorithm;

The encryption algorithm can be one of the following:
• 3des-cbc—Cipher block chaining encryption algorithm with a key size of 24 bytes; its key size is 192 bits long.
• aes-128-cbc—Advanced Encryption Standard (AES) 128-bit encryption algorithm.
• aes-192-cbc—Advanced Encryption Standard (AES) 192-bit encryption algorithm.
• aes-256-cbc—Advanced Encryption Standard (AES) 256-bit encryption algorithm.
• des-cbc—Cipher block chaining encryption algorithm with a key size of 8 bytes; its key size is 56 bits long.

NOTE: For a list of Data Encryption Standard (DES) encryption algorithm weak and semiweak keys, see RFC 2409, The Internet Key Exchange (IKE). For 3des-cbc, the first 8 bytes should differ from the second 8 bytes, and the second 8 bytes should be the same as the third 8 bytes.

The AES encryption algorithms use a software implementation that has much lower throughput, so DES remains the recommended option.

If you configure an authentication proposal but do not include the encryption statement, the result is NULL encryption. Certain applications expect this result. If you configure no specific authentication or encryption values, the Junos OS uses the default values of sha1 for the authentication and 3des-cbc for the encryption.

Configuring the Lifetime for an IKE SA

The lifetime-seconds statement sets the lifetime of an IKE SA. When the IKE SA expires, it is replaced by a new SA (and SPI) or the IPsec connection is terminated. By default, the IKE SA lifetime is 3600 seconds. The range is from 180 through 86,400 seconds. To configure the lifetime for an IKE SA, include the lifetime-seconds statement at the [edit services ipsec-vpn ike proposal proposal-name] hierarchy level:

[edit services ipsec-vpn ike proposal proposal-name]
lifetime-seconds seconds;

NOTE: For IKE proposals, there is only one SA lifetime value, specified by the Junos OS. IPsec proposals use a different mechanism; for more information, see “Configuring the Lifetime for an IPsec SA” on page 342.

Example: Configuring an IKE Proposal

Configure an IKE proposal:

[edit services ipsec-vpn ike]
proposal ike-proposal {
    authentication-method pre-shared-keys;
    dh-group group1;
    authentication-algorithm sha1;
    encryption-algorithm 3des-cbc;
}

Configuring IKE Policies

An IKE policy defines a combination of security parameters (IKE proposals) to be used during IKE negotiation. It defines a peer address and the proposals needed for that connection. Depending on which authentication method is used, it defines the preshared

key for the given peer or the local certificate. During the IKE negotiation, IKE looks for an IKE policy that is the same on both peers. The peer that initiates the negotiation sends all its policies to the remote peer, and the remote peer tries to find a match. A match is made when both policies from the two peers have a proposal that contains the same configured attributes. If the lifetimes are not identical, the shorter lifetime between the two policies (from the host and peer) is used. The configured preshared key must also match its peer.

First, you configure one or more IKE proposals; then you associate these proposals with an IKE policy. You can create multiple, prioritized proposals at each peer to ensure that at least one proposal matches a remote peer’s proposal. You can also prioritize a list of proposals used by IKE in the policy statement by listing the proposals you want to use, from first to last.

Starting with Junos OS Release 11.4, both IKEv1 and IKEv2 are supported by default on all M Series, MX Series, and T Series routers. The key management process (kmd) daemon determines which version of IKE is used in a negotiation. If kmd is the IKE responder, it accepts connections from both IKEv1 and IKEv2. If kmd is the IKE initiator, it uses IKEv1 by default and retains the configured version for negotiations. You can configure the specific IKE phase to be supported for the negotiation. However, if only IKEv1 is supported, the Junos OS rejects IKEv2 negotiations. Similarly, if only IKEv2 is supported, the Junos OS rejects all IKEv1 negotiations.

To configure an IKE policy, include the policy statement and specify a policy name at the [edit services ipsec-vpn ike] hierarchy level:

[edit services ipsec-vpn ike]
policy policy-name {
    description description;
    local-certificate identifier;
    local-id (ipv4_addr ipv4-address | ipv6-addr ipv6-address | key-id identifier);
    mode (aggressive | main);
    pre-shared-key (ascii-text key | hexadecimal key);
    proposals [ proposal-names ];
    remote-id {
        any-remote-id;
        ipv4_addr [ values ];
        ipv6_addr [ values ];
        key_id [ values ];
    }
    version (1 | 2);
}

This section includes the following topics:
• Configuring the IKE Phase on page 337
• Configuring the Mode for an IKE Policy on page 337
• Configuring the Proposals in an IKE Policy on page 337
• Configuring the Preshared Key for an IKE Policy on page 338

• Configuring the Local Certificate for an IKE Policy on page 338
• Configuring the Description for an IKE Policy on page 339
• Configuring Local and Remote IDs for IKE Phase 1 Negotiation on page 339
• Example: Configuring an IKE Policy on page 340

For an example of an IKE policy configuration, see “Example: Configuring an IKE Policy” on page 340.

Configuring the IKE Phase

Starting with Junos OS Release 11.4, both IKEv1 and IKEv2 are supported by default on all M Series, MX Series, and T Series routers. You can configure the specific IKE phase to be supported for the negotiation. However, if only IKEv1 is supported, the Junos OS rejects IKEv2 negotiations. Similarly, if only IKEv2 is supported, the Junos OS rejects all IKEv1 negotiations. To configure the IKE phase used, include the version statement at the [edit services ipsec-vpn ike policy policy-name] hierarchy level:

[edit services ipsec-vpn ike policy policy-name]
version (1 | 2);

Configuring the Mode for an IKE Policy

IKE policy has two modes: aggressive and main. By default, main mode is enabled. Main mode uses six messages, in three exchanges, to establish the IKE SA. (These three steps are IKE SA negotiation, a Diffie-Hellman exchange, and authentication of the peer.) Main mode also allows a peer to hide its identity. Aggressive mode also establishes an authenticated IKE SA and keys. However, aggressive mode uses half the number of messages, has less negotiation power, and does not provide identity protection. The peer can use the aggressive or main mode to start IKE negotiation; the remote peer accepts the mode sent by the peer.

To configure the mode for an IKE policy, include the mode statement and specify aggressive or main at the [edit services ipsec-vpn ike policy policy-name] hierarchy level:

[edit services ipsec-vpn ike policy policy-name]
mode (aggressive | main);

NOTE: The mode configuration is required only if the version option is set to 1.

Configuring the Proposals in an IKE Policy

The IKE policy includes a list of one or more proposals associated with an IKE policy. To configure the proposals in an IKE policy, include the proposals statement and specify one or more proposal names at the [edit services ipsec-vpn ike policy policy-name] hierarchy level:

[edit services ipsec-vpn ike policy policy-name]
proposals [ proposal-names ];

Configuring the Preshared Key for an IKE Policy

When you include the authentication-method pre-shared-keys statement at the [edit services ipsec-vpn ike proposal proposal-name] hierarchy level, IKE policy preshared keys authenticate peers. You must manually configure a preshared key, which must match that of its peer. The preshared key can be an ASCII text (alphanumeric) key or a hexadecimal key. To configure the preshared key in an IKE policy, include the pre-shared-key statement and a key at the [edit services ipsec-vpn ike policy policy-name] hierarchy level:

[edit services ipsec-vpn ike policy policy-name]
pre-shared-key (ascii-text key | hexadecimal key);

The key can be one of the following:
• ascii-text—ASCII text key. With the des-cbc option, the key contains 8 ASCII characters. With the 3des-cbc option, the key contains 24 ASCII characters.
• hexadecimal—Hexadecimal key. With the des-cbc option, the key contains 16 hexadecimal characters. With the 3des-cbc option, the key contains 48 hexadecimal characters.

For more information, see “Configuring the Authentication Method for an IKE Proposal” on page 333.

Configuring the Local Certificate for an IKE Policy

When you include the authentication-method rsa-signatures statement at the [edit services ipsec-vpn ike proposal proposal-name] hierarchy level, public key infrastructure (PKI) digital certificates authenticate peers. You must identify a local certificate that is sent to the peer during the IKE authentication phase. For more information, see “Configuring the Authentication Method for an IKE Proposal” on page 333. To configure the local certificate for an IKE policy, include the local-certificate statement at the [edit services ipsec-vpn ike policy policy-name] hierarchy level:

[edit services ipsec-vpn ike policy policy-name]
local-certificate identifier;

The local-certificate statement specifies the identifier used to obtain the end entity’s certificate from the certification authority. Configuring it in an IKE policy allows you the flexibility of using a separate certificate with each remote peer if that is needed. You must also specify the identity of the certification authority by configuring the ca-profile statement at the [edit security pki] hierarchy level. For more information, see the Junos OS System Basics Configuration Guide. For complete examples of digital certificate configuration, see the Junos OS Feature Guides.

You can use the configured profiles to establish a set of trusted certification authorities for use with a particular service set. This enables you to configure separate service sets for individual clients to whom you are providing IP services, or virtualization; using different local gateway addresses, the distinct service sets provide logical separation of one set of IKE sessions from another. To configure the set of trusted certification authorities, include

the trusted-ca statement at the [edit services service-set service-set-name ipsec-vpn-options] hierarchy level:

[edit services service-set service-set-name ipsec-vpn-options]
trusted-ca ca-profile;

For more information, see “Configuring IPsec Service Sets” on page 573.

Configuring a Certificate Revocation List

A certificate revocation list (CRL) contains a list of digital certificates that have been cancelled before their expiration date. When a participating peer uses a digital certificate, it checks the certificate signature and validity. It also acquires the most recently issued CRL and checks that the certificate serial number is not on that CRL. To use the CA certificate revocation list, you include statements at the [edit security pki ca-profile ca-profile-name revocation-check] hierarchy level. For details, see the Junos OS System Basics Configuration Guide.

NOTE: By default, certificate revocation list verification is enabled. You can disable CRL verification by including the disable statement at the [edit security pki ca-profile ca-profile-name revocation-check] hierarchy level. By default, if the router either cannot access the Lightweight Directory Access Protocol (LDAP) URL or retrieve a valid certificate revocation list, certificate verification fails and the IPsec tunnel is not established. To override this behavior and permit the authentication of the IPsec peer when the CRL is not downloaded, include the disable on-download-failure statement at the [edit security pki ca-profile ca-profile-name revocation-check crl] hierarchy level.

Configuring the Description for an IKE Policy

To specify an optional text description for an IKE policy, include the description statement at the [edit services ipsec-vpn ike policy policy-name] hierarchy level:

[edit services ipsec-vpn ike policy policy-name]
description description;

Configuring Local and Remote IDs for IKE Phase 1 Negotiation

You can optionally specify local identifiers for use in IKE phase 1 negotiation. If the local-id statement is omitted, the local gateway address is used. To specify one or more local IDs, include the local-id statement at the [edit services ipsec-vpn ike policy policy-name] hierarchy level:

[edit services ipsec-vpn ike policy policy-name]
local-id (ipv4_addr ipv4-address | ipv6-addr ipv6-address | key-id identifier);

You can also specify remote gateway identifiers for which the IKE policy is used. The remote gateway address in which this policy is defined is added by default.
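The revocation-check behavior described in the CRL section above, as an added example that is not part of this guide or of Junos: a Python model of the decision a peer makes when it verifies a certificate, in the documented order (signature and validity, then the most recently issued CRL and the serial lookup), with the two revocation-check knobs. Certificates, serial numbers and CRL responses are constructed stand-ins for X.509 data and the CA profile's LDAP download.

```python
"""Certificate revocation-list decisions for an IPsec peer (added example,
not Junos code). Plain records replace X.509 objects and a callable replaces
the CA profile's LDAP download; all certificates and CRLs are constructed."""
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Set, Tuple


@dataclass(frozen=True)
class Certificate:
    serial: int
    issuer: str                 # name of the issuing CA
    not_before: datetime
    not_after: datetime
    signature_valid: bool       # stands in for the CA signature check


@dataclass(frozen=True)
class RevocationCheck:
    """Knobs at [edit security pki ca-profile <name> revocation-check]."""
    disabled: bool = False                    # disable
    permit_on_download_failure: bool = False  # crl { disable on-download-failure }


class CRLDownloadError(Exception):
    """LDAP URL unreachable, or no valid CRL returned."""


def verify_peer_certificate(cert: Certificate, now: datetime, trusted_ca: str,
                            fetch_crl: Callable[[], Set[int]],
                            check: RevocationCheck) -> Tuple[bool, str]:
    """Return (tunnel may be established, reason), in the documented order:
    signature and validity first, then the most recent CRL and serial lookup."""
    if cert.issuer != trusted_ca or not cert.signature_valid:
        return False, "signature check failed"
    if not cert.not_before <= now <= cert.not_after:
        return False, "certificate outside its validity period"
    if check.disabled:
        return True, "accepted without CRL check (revocation-check disable)"
    try:
        revoked_serials = fetch_crl()
    except CRLDownloadError:
        if check.permit_on_download_failure:
            return True, "CRL unavailable; accepted (disable on-download-failure)"
        return False, "CRL unavailable; verification fails (default behavior)"
    if cert.serial in revoked_serials:
        return False, "serial number listed on CRL"
    return True, "accepted"


# Constructed sample data.
NOW = datetime(2011, 11, 14, 12, 0, 0)
PEER = Certificate(serial=0x1A2B, issuer="branch-ca", signature_valid=True,
                   not_before=datetime(2011, 1, 1), not_after=datetime(2012, 1, 1))
EXPIRED = Certificate(serial=0x0007, issuer="branch-ca", signature_valid=True,
                      not_before=datetime(2009, 1, 1), not_after=datetime(2010, 1, 1))


def crl_listing_peer() -> Set[int]:
    return {0x0001, 0x1A2B}


def crl_clean() -> Set[int]:
    return {0x0001}


def crl_unreachable() -> Set[int]:
    raise CRLDownloadError("LDAP URL unreachable")


def run_scenarios() -> dict:
    """Whether the tunnel is established in each documented situation."""
    default = RevocationCheck()
    fail_open = RevocationCheck(permit_on_download_failure=True)
    off = RevocationCheck(disabled=True)
    cases = {
        "default, serial not on CRL": (PEER, crl_clean, default),
        "default, serial on CRL": (PEER, crl_listing_peer, default),
        "default, CRL download fails": (PEER, crl_unreachable, default),
        "on-download-failure disabled, CRL download fails": (PEER, crl_unreachable, fail_open),
        "revocation-check disabled, serial on CRL": (PEER, crl_listing_peer, off),
        "expired certificate, clean CRL": (EXPIRED, crl_clean, default),
    }
    return {name: verify_peer_certificate(cert, NOW, "branch-ca", fetch, check)[0]
            for name, (cert, fetch, check) in cases.items()}


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{'ESTABLISH' if accepted else 'REJECT   '}  {name}")
```

The two accepted-with-failure rows are the ones to watch when reviewing a CA profile: `disable` skips revocation entirely, and `disable on-download-failure` trades fail-closed behavior for availability when the LDAP URL is down.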

To specify one or more remote IDs, include the remote-id statement at the [edit services ipsec-vpn ike policy policy-name] hierarchy level:

[edit services ipsec-vpn ike policy policy-name]
remote-id {
    any-remote-id;
    ipv4_addr [ values ];
    ipv6_addr [ values ];
    key_id [ values ];
}

The any-remote-id option allows any remote address to connect. This option is supported only in dynamic endpoints configurations and cannot be configured along with specific values. For more information about dynamic endpoint configurations, see “Configuring Dynamic Endpoints for IPsec Tunnels” on page 353.

Example: Configuring an IKE Policy

Define two IKE policies: policy 10.1.1.1 and policy 10.1.1.2. Each policy is associated with proposal-1 and proposal-2. The following configuration uses only IKEv1 for negotiation.

[edit services ipsec-vpn]
ike {
    proposal proposal-1 {
        authentication-method pre-shared-keys;
        dh-group group1;
        authentication-algorithm sha1;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 1000;
    }
    proposal proposal-2 {
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm md5;
        encryption-algorithm des-cbc;
        lifetime-seconds 10000;
    }
    proposal proposal-3 {
        authentication-method rsa-signatures;
        dh-group group2;
        authentication-algorithm md5;
        encryption-algorithm des-cbc;
        lifetime-seconds 10000;
    }
    policy 10.1.1.1 {
        mode main;
        proposals [ proposal-1 proposal-2 ];
        pre-shared-key ascii-text example-pre-shared-key;
    }
    policy 10.1.1.2 {
        mode aggressive;
        proposals [ proposal-2 proposal-3 ];
        pre-shared-key hexadecimal 0102030abbcd;
        local-certificate certificate-file-name;
        local-key-pair private-public-key-file;
    }

}

NOTE: Updates to the current IKE proposal and policy configuration are not applied to the current IKE SA; updates are applied to new IKE SAs. If you want the new updates to take immediate effect, you must clear the existing IKE security associations so that they will be reestablished with the changed configuration. For information about how to clear the current IKE security association, see the Junos OS System Basics and Services Command Reference.

Configuring IPsec Proposals

An IPsec proposal lists protocols and algorithms (security services) to be negotiated with the remote IPsec peer. To configure an IPsec proposal, include the proposal statement and specify an IPsec proposal name at the [edit services ipsec-vpn ipsec] hierarchy level:

[edit services ipsec-vpn ipsec]
proposal proposal-name {
    authentication-algorithm (hmac-md5-96 | hmac-sha1-96);
    description description;
    encryption-algorithm algorithm;
    lifetime-seconds seconds;
    protocol (ah | esp | bundle);
}

This section discusses the following topics:
• Configuring the Authentication Algorithm for an IPsec Proposal on page 341
• Configuring the Description for an IPsec Proposal on page 342
• Configuring the Encryption Algorithm for an IPsec Proposal on page 342
• Configuring the Lifetime for an IPsec SA on page 342
• Configuring the Protocol for a Dynamic SA on page 343

Configuring the Authentication Algorithm for an IPsec Proposal

To configure the authentication algorithm for an IPsec proposal, include the authentication-algorithm statement at the [edit services ipsec-vpn ipsec proposal proposal-name] hierarchy level:

[edit services ipsec-vpn ipsec proposal proposal-name]
authentication-algorithm (hmac-md5-96 | hmac-sha1-96);

The authentication algorithm can be one of the following:
• hmac-md5-96—Hash algorithm that authenticates packet data. It produces a 128-bit digest. Only 96 bits are used for authentication.

• hmac-sha1-96—Hash algorithm that authenticates packet data. It produces a 160-bit digest. Only 96 bits are used for authentication.

Configuring the Description for an IPsec Proposal

To specify an optional text description for an IPsec proposal, include the description statement at the [edit services ipsec-vpn ipsec proposal proposal-name] hierarchy level:

[edit services ipsec-vpn ipsec proposal proposal-name]
description description;

Configuring the Encryption Algorithm for an IPsec Proposal

To configure the encryption algorithm for an IPsec proposal, include the encryption-algorithm statement at the [edit services ipsec-vpn ipsec proposal proposal-name] hierarchy level:

[edit services ipsec-vpn ipsec proposal proposal-name]
encryption-algorithm algorithm;

The encryption algorithm can be one of the following:
• 3des-cbc—Encryption algorithm that has a block size of 24 bytes; its key size is 192 bits long.
• aes-128-cbc—Advanced Encryption Standard (AES) 128-bit encryption algorithm.
• aes-192-cbc—Advanced Encryption Standard (AES) 192-bit encryption algorithm.
• aes-256-cbc—Advanced Encryption Standard (AES) 256-bit encryption algorithm.
• des-cbc—Encryption algorithm that has a block size of 8 bytes; its key size is 48 bits long.

NOTE: For a list of Data Encryption Standard (DES) encryption algorithm weak and semiweak keys, see RFC 2409, The Internet Key Exchange (IKE). For 3des-cbc, the first 8 bytes should differ from the second 8 bytes, and the second 8 bytes should be the same as the third 8 bytes.

The AES encryption algorithms use a software implementation that has much lower throughput, so DES remains the recommended option.

If you configure an authentication proposal but do not include the encryption statement, the result is NULL encryption. Certain applications expect this result. If you configure no specific authentication or encryption values, the Junos OS uses the default values of sha1 for the authentication and 3des-cbc for the encryption.

Configuring the Lifetime for an IPsec SA

When a dynamic IPsec SA is created, two types of lifetimes are used: hard and soft. The hard lifetime specifies the lifetime of the SA. The soft lifetime, which is derived from the hard lifetime, informs the IPsec key management system that the SA is about to expire.

This allows the key management system to negotiate a new SA before the hard lifetime expires. The soft lifetime values are as follows:
• Initiator: Soft lifetime = Hard lifetime – 135 seconds.
• Responder: Soft lifetime = Hard lifetime – 90 seconds.

To configure the hard lifetime value, include the lifetime-seconds statement and specify the number of seconds at the [edit services ipsec-vpn ipsec proposal proposal-name] hierarchy level:

[edit services ipsec-vpn ipsec proposal proposal-name]
lifetime-seconds seconds;

The default lifetime is 28,800 seconds. The range is from 180 through 86,400 seconds.

Configuring the Protocol for a Dynamic SA

The protocol statement sets the protocol for a dynamic SA. IPsec uses two protocols to protect IP traffic: ESP and AH. The ESP protocol can support authentication, encryption, or both. The AH protocol is used for strong authentication. AH also authenticates the IP packet. The bundle option uses AH authentication and ESP encryption; it does not use ESP authentication because AH provides stronger authentication of IP packets. To configure the protocol for a dynamic SA, include the protocol statement and specify the ah, esp, or bundle option at the [edit services ipsec-vpn ipsec proposal proposal-name] hierarchy level:

[edit services ipsec-vpn ipsec proposal proposal-name]
protocol (ah | esp | bundle);

Configuring IPsec Policies

An IPsec policy defines a combination of security parameters (IPsec proposals) used during IPsec negotiation. It defines Perfect Forward Secrecy (PFS) and the proposals needed for the connection. During the IPsec negotiation, IPsec looks for a proposal that is the same on both peers. The peer that initiates the negotiation sends all its policies to the remote peer, and the remote peer tries to find a match. A match is made when both policies from the two peers have a proposal that contains the same configured attributes. If the lifetimes are not identical, the shorter lifetime between the two policies (from the host and peer) is used.

First, you configure one or more IPsec proposals; then you associate these proposals with an IPsec policy. You can create multiple, prioritized IPsec proposals at each peer to ensure that at least one proposal matches a remote peer’s proposal. You can prioritize a list of proposals used by IPsec in the policy statement by listing the proposals you want to use, from first to last.
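The matching and lifetime rules stated for IKE policies (in Configuring IKE Policies above) and for IPsec policies (this section), as an added example that is not Junos code: a small parser for proposal blocks written in the guide's syntax, the first-match negotiation over a prioritized proposal list, the shorter-lifetime rule, and the IPsec soft-lifetime offsets. The two peers' proposal sets are constructed sample input; the local peer reuses the dynamic-1 and dynamic-2 proposals from the IPsec policy example.

```python
"""Proposal negotiation and lifetimes for IKE and IPsec policies (added example,
not Junos code): the initiator offers proposals in configured order, the responder
accepts the first whose configured attributes are identical to one of its own, the
shorter lifetime wins, and IPsec soft lifetime = hard - 135 s / hard - 90 s."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LIFETIME_RANGE = (180, 86400)   # lifetime-seconds range for IKE and IPsec proposals
DEFAULT_IPSEC_LIFETIME = 28800  # used when an IPsec proposal omits lifetime-seconds
SOFT_OFFSET = {"initiator": 135, "responder": 90}

@dataclass(frozen=True)
class Proposal:
    name: str
    attributes: Tuple[Tuple[str, str], ...]  # every statement except lifetime-seconds
    lifetime_seconds: int

def validate_lifetime(seconds: Optional[int]) -> int:
    """Apply the default and enforce the documented 180..86,400 second range."""
    if seconds is None:
        return DEFAULT_IPSEC_LIFETIME
    low, high = LIFETIME_RANGE
    if not low <= seconds <= high:
        raise ValueError(f"lifetime-seconds {seconds} is outside {low}..{high}")
    return seconds

def parse_proposals(config: str) -> List[Proposal]:
    """Parse 'proposal NAME { key value; ... }' blocks, keeping configured order."""
    proposals: List[Proposal] = []
    name, attrs, lifetime = None, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        start = re.match(r"proposal\s+(\S+)\s*\{$", line)
        if start:
            name, attrs, lifetime = start.group(1), {}, None
        elif line == "}" and name is not None:
            proposals.append(Proposal(name, tuple(sorted(attrs.items())),
                                      validate_lifetime(lifetime)))
            name = None
        elif name is not None and line.endswith(";"):
            key, _, value = line[:-1].partition(" ")
            if key == "lifetime-seconds":
                lifetime = int(value)
            else:
                attrs[key] = value.strip()
    return proposals

def negotiate(initiator: List[Proposal],
              responder: List[Proposal]) -> Optional[Tuple[str, str, int]]:
    """First initiator proposal with an identical responder proposal, plus the
    negotiated (shorter) hard lifetime; None when nothing matches."""
    by_attrs: Dict[tuple, Proposal] = {}
    for prop in responder:           # responder's own priority: first entry wins
        by_attrs.setdefault(prop.attributes, prop)
    for offered in initiator:        # initiator's list is walked first to last
        accepted = by_attrs.get(offered.attributes)
        if accepted is not None:
            return (offered.name, accepted.name,
                    min(offered.lifetime_seconds, accepted.lifetime_seconds))
    return None

def soft_lifetimes(hard: int) -> Dict[str, int]:
    """Soft lifetime per role, derived from the negotiated hard lifetime."""
    return {role: hard - offset for role, offset in SOFT_OFFSET.items()}

# Constructed input: the guide's dynamic-1/dynamic-2 proposals on the initiating
# peer, and a remote peer that offers only HMAC-SHA1 with the default lifetime.
LOCAL_CONFIG = """
proposal dynamic-1 {
    protocol esp;
    authentication-algorithm hmac-md5-96;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 6000;
}
proposal dynamic-2 {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 6000;
}
"""
REMOTE_CONFIG = """
proposal remote-3des {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm 3des-cbc;
}
"""

def demo() -> Dict[str, object]:
    """Negotiate the constructed peers: dynamic-1 fails (HMAC-MD5), dynamic-2 matches."""
    result = negotiate(parse_proposals(LOCAL_CONFIG), parse_proposals(REMOTE_CONFIG))
    if result is None:
        return {"matched": False}
    offered, accepted, hard = result
    return {"matched": True, "offered": offered, "accepted": accepted,
            "hard": hard, "soft": soft_lifetimes(hard)}
```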

To configure an IPsec policy, include the policy statement, and specify the policy name and one or more proposals to associate with the policy, at the [edit services ipsec-vpn ipsec] hierarchy level:

[edit services ipsec-vpn ipsec]
policy policy-name {
    description description;
    perfect-forward-secrecy {
        keys (group1 | group2 | group5 | group14);
    }
    proposals [ proposal-names ];
}

This section includes the following topics related to configuring an IPsec policy:
• Configuring the Description for an IPsec Policy on page 344
• Configuring Perfect Forward Secrecy on page 344
• Configuring the Proposals in an IPsec Policy on page 345
• Example: Configuring an IPsec Policy on page 345

Configuring the Description for an IPsec Policy

To specify an optional text description for an IPsec policy, include the description statement at the [edit services ipsec-vpn ipsec policy policy-name] hierarchy level:

[edit services ipsec-vpn ipsec policy policy-name]
description description;

Configuring Perfect Forward Secrecy

PFS provides additional security by means of a Diffie-Hellman shared secret value. With PFS, if one key is compromised, previous and subsequent keys are secure because they are not derived from previous keys. This statement is optional. To configure PFS, include the perfect-forward-secrecy statement and specify a Diffie-Hellman group at the [edit services ipsec-vpn ipsec policy policy-name] hierarchy level:

[edit services ipsec-vpn ipsec policy policy-name]
perfect-forward-secrecy {
    keys (group1 | group2 | group5 | group14);
}

The key can be one of the following:
• group1—Specifies that IKE use the 768-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.
• group2—Specifies that IKE use the 1024-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.

• group5—Specifies that IKE use the 1536-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.
• group14—Specifies that IKE use the 2048-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.

The higher numbered groups provide more security than the lower numbered groups, but require more processing time.

Configuring the Proposals in an IPsec Policy

The IPsec policy includes a list of one or more proposals associated with an IPsec policy. To configure the proposals in an IPsec policy, include the proposals statement and specify one or more proposal names at the [edit services ipsec-vpn ipsec policy policy-name] hierarchy level:

[edit services ipsec-vpn ipsec policy policy-name]
proposals [ proposal-names ];

Example: Configuring an IPsec Policy

Define an IPsec policy, dynamic-policy-1, that is associated with two proposals (dynamic-1 and dynamic-2):

[edit services ipsec-vpn ipsec]
proposal dynamic-1 {
    protocol esp;
    authentication-algorithm hmac-md5-96;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 6000;
}
proposal dynamic-2 {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 6000;
}
policy dynamic-policy-1 {
    perfect-forward-secrecy {
        keys group1;
    }
    proposals [ dynamic-1 dynamic-2 ];
}

NOTE: Updates to the current IPsec proposal and policy configuration are not applied to the current IPsec SA; updates are applied to new IPsec SAs. If you want the new updates to take immediate effect, you must clear the existing IPsec security associations so that they will be reestablished with the changed configuration. For information about how to clear the current IPsec security association, see the Junos OS System Basics and Services Command Reference.

IPsec Policy for Dynamic Endpoints

An IPsec policy for dynamic endpoints defines a combination of security parameters (IPsec proposals) used during IPsec negotiation between dynamic peer security gateways, in which the remote ends of tunnels do not have a statically assigned IP address. During the IPsec negotiation, the IPsec policy looks for an IPsec proposal that is the same on both peers. The peer that initiates the negotiation sends all its policies to the remote peer, and the remote peer tries to find a match. A match is made when the policies from the two peers have a proposal that contains the same configured attributes. If the lifetimes are not identical, the shorter lifetime between the two policies (from the host and peer) is used. If no policy is set, any policy proposed by the dynamic peer is accepted.

For more information about configuring IPsec policy, see “Configuring IPsec Policies” on page 343.

Related Documentation
• Configuring IPsec Policies on page 343

Configuring IPsec Rules

To configure an IPsec rule, include the rule statement and specify a rule name at the [edit services ipsec-vpn] hierarchy level:

[edit services ipsec-vpn]
rule rule-name {
    match-direction (input | output);
    term term-name {
        from {
            destination-address address;
            ipsec-inside-interface interface-name;
            source-address address;
        }
        then {
            anti-replay-window-size bits;
            backup-remote-gateway address;
            clear-dont-fragment-bit;
            dynamic {
                ike-policy policy-name;
                ipsec-policy policy-name;
            }
            initiate-dead-peer-detection;
            manual {
                direction (inbound | outbound | bidirectional) {
                    authentication {
                        algorithm (hmac-md5-96 | hmac-sha1-96);
                        key (ascii-text key | hexadecimal key);
                    }
                    auxiliary-spi spi-value;
                    encryption {
                        algorithm algorithm;
                        key (ascii-text key | hexadecimal key);
                    }
                    protocol (ah | bundle | esp);
                    spi spi-value;
                }
            }
            no-anti-replay;
            remote-gateway address;
            syslog;
            tunnel-mtu bytes;
        }
    }
}

Each IPsec rule consists of a set of terms, similar to a firewall filter. A term consists of the following:
• from statement—Specifies the match conditions and applications that are included and excluded.
• then statement—Specifies the actions and action modifiers to be performed by the router software.

The following sections explain how to configure the components of IPsec rules:
• Configuring Match Direction for IPsec Rules on page 347
• Configuring Match Conditions in IPsec Rules on page 348
• Configuring Actions in IPsec Rules on page 349

Configuring Match Direction for IPsec Rules

Each rule must include a match-direction statement that specifies whether the match is applied on the input or output side of the interface. To configure where the match is applied, include the match-direction (input | output) statement at the [edit services ipsec-vpn rule rule-name] hierarchy level:

[edit services ipsec-vpn rule rule-name]
match-direction (input | output);

The match direction is used with respect to the traffic flow through the AS or Multiservices PIC. When a packet is sent to the PIC, direction information is carried along with it.

With an interface service set, packet direction is determined by whether a packet is entering or leaving the interface on which the service set is applied.

With a next-hop service set, packet direction is determined by the interface used to route the packet to the AS or Multiservices PIC. If the inside interface is used to route the packet, the packet direction is input. If the outside interface is used to direct the packet to the PIC, the packet direction is output. For more information on inside and outside interfaces, see “Configuring Service Sets to be Applied to Services Interfaces” on page 568.

On the AS or Multiservices PIC, a flow lookup is performed. If no flow is found, rule processing is performed. All rules in the service set are considered. During rule processing,

the packet direction is compared against rule directions. Only rules with direction information that match the packet direction are considered.

Configuring Match Conditions in IPsec Rules

To configure the match conditions in an IPsec rule, include the from statement at the [edit services ipsec-vpn rule rule-name term term-name] hierarchy level:

[edit services ipsec-vpn rule rule-name term term-name]
from {
    destination-address address;
    ipsec-inside-interface interface-name;
    source-address address;
}

You can use either the source address or the destination address as a match condition, in the same way that you would configure a firewall filter. The Junos OS evaluates the criteria you configure in the from statement. IPsec services support both IPv4 and IPv6 address formats. If you do not specifically configure either the source address or destination address, the default value 0.0.0.0/0 (IPv4 ANY) is used. To use IPv6 ANY (0::0/128) as either source or destination address, you must configure it explicitly. For more information, see the Junos OS Routing Policy Configuration Guide.

A special situation is provided by a term containing an “any-any” match condition (usually because the from statement is omitted). If there is an any-any match in a tunnel, a flow is not needed, because all flows within this tunnel use the same security association (SA) and packet selectors do not play a significant role. As a result, these tunnels will use packet-based IPsec. This strategy saves some flow resources on the PIC, which can be used for other tunnels that need a flow-based service.

However, the ipsec-inside-interface statement allows you to assign a logical interface to the tunnels established as a result of this match condition. If multiple link-type tunnels are configured within the same next-hop-style service set, the ipsec-inside-interface value enables the rule lookup module to distinguish a particular tunnel from other tunnels in case the source and destination addresses for all of them are 0.0.0.0/0 (ANY-ANY). For more information, see “Configuring Service Sets to be Applied to Services Interfaces” on page 568 and Interface Properties.

NOTE: When you configure the ipsec-inside-interface statement, interface-style service sets are not supported. For next-hop-style service sets only, you can configure multiple adaptive services logical interfaces with the service-domain inside statement and use one of them to configure the ipsec-inside-interface statement. The inside-service-interface statement that you can configure at the [edit services service-set name next-hop-service] hierarchy level allows you to specify .1 and .2 as inside and outside interfaces.

Chapter 16: IPsec Services Configuration Guidelines

However, a mixture of flowless and flow-based IPsec is supported within a service set. The following configuration example shows an any-any tunnel configuration with no from statement in term-1:

    services {
        ipsec-vpn {
            rule rule-1 {
                term term-1 {
                    then {
                        remote-gateway 10.1.1.1;
                        dynamic {
                            ike-policy ike_policy;
                            ipsec-policy ipsec_policy;
                        }
                    }
                }
                match-direction input;
            }
        }
    }

Flowless IPsec service is provided to link-type tunnels with an any-any matching, as well as to dynamic tunnels with any-any matching in both dedicated and shared mode. Missing selectors in the from clause result in a packet-based IPsec service. For link-type tunnels, if a service set contains both any-any terms and selector-based terms, packet-based service is provided for the any-any tunnels and flow-based service is provided for the other tunnels with selectors. For non link-type tunnels, if a service set includes some terms with any-any matching and some terms with selectors in the from clause, flow-based service is provided to all the tunnels.

Configuring Actions in IPsec Rules

To configure actions in an IPsec rule, include the then statement at the [edit services ipsec-vpn rule rule-name term term-name] hierarchy level:

    [edit services ipsec-vpn rule rule-name term term-name]
    then {
        anti-replay-window-size bits;
        backup-remote-gateway address;
        clear-dont-fragment-bit;
        dynamic {
            ike-policy policy-name;
            ipsec-policy policy-name;
        }
        initiate-dead-peer-detection;
        manual {
            direction (inbound | outbound | bidirectional) {
                authentication {
                    algorithm (hmac-md5-96 | hmac-sha1-96);
                    key (ascii-text key | hexadecimal key);
                }
                auxiliary-spi spi-value;
                encryption {
                    algorithm algorithm;
                    key (ascii-text key | hexadecimal key);
                }
                protocol (ah | bundle | esp);
                spi spi-value;
            }
        }
        no-anti-replay;
        remote-gateway address;
        syslog;
        tunnel-mtu bytes;
    }

The principal IPsec actions are to configure a dynamic or manual SA:

• You configure a dynamic SA by including the dynamic statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level and referencing policies you have configured at the [edit services ipsec-vpn ipsec] and [edit services ipsec-vpn ike] hierarchy levels. For more information, see “Configuring Dynamic Security Associations” on page 331.

• You configure a manual SA by including the manual statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level. For more information, see “Configuring Manual Security Associations” on page 327.

You can configure the following additional properties:

• Enabling IPsec Packet Fragmentation on page 350
• Configuring Destination Addresses for Dead Peer Detection on page 350
• Configuring or Disabling IPsec Anti-Replay on page 352
• Enabling System Log Messages on page 352
• Specifying the MTU for IPsec Tunnels on page 352

Enabling IPsec Packet Fragmentation

To enable fragmentation of IP version 4 (IPv4) packets in IPsec tunnels, include the clear-dont-fragment-bit statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level:

    [edit services ipsec-vpn rule rule-name term term-name then]
    clear-dont-fragment-bit;

Setting the clear-dont-fragment-bit statement clears the Don’t Fragment (DF) bit in the packet header, regardless of the packet size. If the packet size exceeds the tunnel maximum transmission unit (MTU) value, the packet is fragmented before encapsulation. For IPsec tunnels, the default MTU value is 1500 regardless of the interface MTU setting.

Configuring Destination Addresses for Dead Peer Detection

To specify the remote address to which the IPsec traffic is directed, include the remote-gateway statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level:

    [edit services ipsec-vpn rule rule-name term term-name then]

    remote-gateway address;

To specify a backup remote address, include the backup-remote-gateway statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level:

    [edit services ipsec-vpn rule rule-name term term-name then]
    backup-remote-gateway address;

These two statements support both IPv4 and IPv6 address formats.

Configuring the backup-remote-gateway statement enables the dead peer detection (DPD) protocol, which monitors the tunnel state and remote peer availability. When the primary tunnel defined by the remote-gateway statement is active, the backup tunnel is in standby mode. If the DPD protocol determines that the primary remote gateway address is no longer reachable, a new tunnel is established to the backup address. A global timer polls all tunnels every 10 seconds and the Adaptive Services (AS) or Multiservices Physical Interface Card (PIC) sends a message listing any inactive tunnels. If there is no incoming traffic from a peer during a defined interval of 10 seconds, the router detects a tunnel as inactive. The adaptive services message triggers the DPD protocol to send a hello message to the peer. If no acknowledgment is received, two retries are sent at 2-second intervals, and then the tunnel is declared dead. Failover takes place if the tunnel is declared dead or there is an IPsec Phase 1 negotiation timeout. If a tunnel becomes inactive, the router takes the following steps to failover to the backup address:

1. If the DPD protocol determines that the primary remote gateway address is no longer reachable, a new tunnel is established to the backup address.
2. The primary tunnel is put in standby mode and the backup becomes active.
3. If the negotiation to the backup tunnel times out, the router switches back to the primary tunnel.
4. If both peers are down, it tries the failover six times. It then stops failing over and reverts to the original configuration, with the primary tunnel active and the backup in standby mode.

You can also enable triggering of DPD Hello messages without configuring a backup remote gateway by including the initiate-dead-peer-detection statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level:

    [edit services ipsec-vpn rule rule-name term term-name then]
    initiate-dead-peer-detection;

This configuration enables the router to initiate DPD Hellos when a backup IPsec gateway does not exist and clean up the IKE and IPsec SAs in case the IKE peer is not reachable. The monitoring behavior is the same as described for the backup-remote-gateway statement. However, when you configure initiate-dead-peer-detection without a backup remote gateway address and the DPD protocol determines that the primary remote gateway address is no longer reachable, the tunnel is declared dead and IKE and IPsec SAs are cleaned up.
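The DPD probing and the four failover steps above, as an added example that is not from the guide: a Python model using the 10-second idle interval, the two 2-second retries and the six failover attempts the text states. Peer reachability and IKE negotiation outcomes are simulated by callables, and reading step 3 as "try the primary again" is this model's assumption.

```python
"""Added example: a model of the DPD detection and failover behaviour described
above. It is not Junos code; peer reachability is simulated by callables."""

IDLE_INTERVAL = 10         # no incoming traffic for 10 s marks a tunnel inactive
RETRY_INTERVAL = 2         # retries are sent 2 seconds apart
RETRIES = 2                # two retries follow the first hello
MAX_FAILOVER_ATTEMPTS = 6  # failover is tried six times when both peers are down


def dpd_probe(idle_seconds, peer_answers):
    """One DPD cycle for a tunnel. `peer_answers(attempt)` is a constructed
    stand-in for the peer: True when it acknowledges hello number `attempt`
    (1-based). Returns (declared_dead, hellos_sent, seconds_spent_probing)."""
    if idle_seconds < IDLE_INTERVAL:
        return False, 0, 0                     # traffic seen: no hello is sent
    for attempt in range(1, RETRIES + 2):      # first hello plus two retries
        if peer_answers(attempt):
            return False, attempt, (attempt - 1) * RETRY_INTERVAL
    return True, RETRIES + 1, RETRIES * RETRY_INTERVAL


def failover(primary, backup, negotiate):
    """Apply the failover steps from the text once `primary` is declared dead.
    `negotiate(gateway)` stands in for an IKE Phase 1 negotiation and returns
    True on success, False on timeout. Returns (active, standby, attempts, state)."""
    if backup is None:
        # initiate-dead-peer-detection without a backup: SAs are cleaned up
        return None, None, 0, "dead: IKE and IPsec SAs cleaned up"
    for attempt in range(1, MAX_FAILOVER_ATTEMPTS + 1):
        if negotiate(backup):                  # steps 1 and 2
            return backup, primary, attempt, "backup active, primary standby"
        if negotiate(primary):                 # step 3: backup timed out (model assumption)
            return primary, backup, attempt, "primary active, backup standby"
    # step 4: both peers down for six attempts -> back to the original configuration
    return primary, backup, MAX_FAILOVER_ATTEMPTS, "reverted: primary active, backup standby"
```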

For more information on the DPD protocol, see RFC 3706, A Traffic-Based Method of Detecting Dead Internet Key Exchange (IKE) Peers.

Configuring or Disabling IPsec Anti-Replay

To configure the size of the IPsec antireplay window, include the anti-replay-window-size statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level:

    [edit services ipsec-vpn rule rule-name term term-name then]
    anti-replay-window-size bits;

anti-replay-window-size can take values in the range from 64 through 4096 bits. The default value is 64 bits for AS PICs and 128 bits for Multiservices PICs and DPCs. AS PICs can support a maximum replay window size of 1024 bits, whereas Multiservices PICs and DPCs can support a maximum replay window size of 4096 bits. When the software is committing an IPsec configuration, the key management process (kmd) is unable to differentiate between the service interface types. As a result, if the maximum antireplay window size exceeds 1024 for AS PICs, the commit succeeds and no error message is produced. However, the software internally sets the antireplay window size for AS PICs to 1024 bits even if the configured value of the anti-replay-window-size is larger.

By default, antireplay service is enabled. Occasionally this can cause interoperability issues with other vendors’ equipment. To disable the IPsec antireplay feature, include the no-anti-replay statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level:

    [edit services ipsec-vpn rule rule-name term term-name then]
    no-anti-replay;

Enabling System Log Messages

To record an alert in the system logging facility, include the syslog statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level:

    [edit services ipsec-vpn rule rule-name term term-name then]
    syslog;

Specifying the MTU for IPsec Tunnels

To configure a specific maximum transmission unit (MTU) value for IPsec tunnels, include the tunnel-mtu statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level:

    [edit services ipsec-vpn rule rule-name term term-name then]
    tunnel-mtu bytes;

NOTE: The tunnel-mtu setting is the only place you need to configure an MTU value for IPsec tunnels. Inclusion of an mtu setting at the [edit interfaces sp-fpc/pic/port unit logical-unit-number family inet] hierarchy level is not supported.
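The anti-replay window sizing described above, as an added example that is not from the guide: a Python model of the range commit checks, the per-platform default and the silent 1024-bit cap on AS PICs, together with a sliding bitmap window of the kind the statement sizes. The platform labels, the window implementation and the sample sequence-number stream are this example's own.

```python
"""Added example: window sizing and a sliding anti-replay window modelled on the
behaviour described above. Not Junos code; platform labels are this example's."""

WINDOW_MIN = 64            # smallest configurable anti-replay-window-size
WINDOW_MAX_COMMIT = 4096   # largest value commit accepts, for any PIC type
DEFAULT_WINDOW = {"as-pic": 64, "ms-pic": 128, "ms-dpc": 128}
PLATFORM_MAX = {"as-pic": 1024, "ms-pic": 4096, "ms-dpc": 4096}


def commit_check(bits):
    """What commit validates: the 64..4096 range only. kmd cannot tell service
    interface types apart here, so an AS PIC value above 1024 still commits."""
    if not WINDOW_MIN <= bits <= WINDOW_MAX_COMMIT:
        raise ValueError(f"anti-replay-window-size {bits} is outside {WINDOW_MIN}-{WINDOW_MAX_COMMIT}")
    return bits


def effective_window(platform, configured=None):
    """Window the PIC really uses: the platform default when the statement is
    absent, otherwise the committed value silently capped at the platform limit."""
    if configured is None:
        return DEFAULT_WINDOW[platform]
    return min(commit_check(configured), PLATFORM_MAX[platform])


class ReplayWindow:
    """Sliding bitmap over received sequence numbers. `highest` is the largest
    sequence number accepted so far; bit i of `bitmap` is set when highest - i
    has already been received."""

    def __init__(self, size_bits):
        self.size = size_bits
        self.highest = 0
        self.bitmap = 0

    def check_and_update(self, seq):
        """Return True and record `seq` when it is new and inside the window;
        return False (drop) for a replayed or too-old sequence number."""
        if seq <= 0:
            return False                         # 0 is never a valid sequence number
        if seq > self.highest:                   # new high water mark: slide the window
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) if shift < self.size else 1
            self.bitmap &= (1 << self.size) - 1
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:                  # fell out of the window: drop
            return False
        if (self.bitmap >> offset) & 1:          # seen before: replay, drop
            return False
        self.bitmap |= 1 << offset
        return True


def replay_decisions(size_bits, sequence):
    """Run a constructed stream of sequence numbers through one window and return
    the accept (True) or drop (False) decision for each packet."""
    window = ReplayWindow(size_bits)
    return [window.check_and_update(s) for s in sequence]


# Constructed stream: in-order delivery, one replay, a large jump, late packets.
SAMPLE_STREAM = [1, 2, 3, 2, 70, 5, 6, 200, 137, 136]
```

With the 64-bit AS PIC default, packets 5 and 6 arrive more than 64 behind the high water mark and are dropped as too old; with the 128-bit Multiservices default the same stream loses only the genuine replay.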

Configuring IPsec Rule Sets

The rule-set statement defines a collection of IPsec rules that determine what actions the router software performs on packets in the data stream. You define each rule by specifying a rule name and configuring terms. Then, you specify the order of the rules by including the rule-set statement at the [edit services ipsec-vpn] hierarchy level with a rule statement for each rule:

    [edit services ipsec-vpn]
    rule-set rule-set-name {
        rule rule-name;
    }

The router software processes the rules in the order in which you specify them in the configuration. If a term in a rule matches the packet, the router performs the corresponding action and the rule processing stops. If no term in a rule matches the packet, processing continues to the next rule in the rule set. If none of the rules matches the packet, the packet is dropped by default.

Configuring Dynamic Endpoints for IPsec Tunnels

IPsec tunnels can also be established using dynamic peer security gateways, in which the remote ends of tunnels do not have a statically assigned IP address. Since the remote address is not known and might be pulled from an address pool each time the remote host reboots, establishment of the tunnel relies on using IKE main mode with either preshared global keys or digital certificates that accept any remote identification value. For more information on IKE policy modes, see “Configuring the Mode for an IKE Policy” on page 337.

Both policy-based and link-type tunnels are supported:

• Policy-based tunnels use shared mode.
• Link-type or routed tunnels use dedicated mode. Each tunnel allocates a service interface from a pool of interfaces configured for the dynamic peers. Routing protocols can be configured to run on these service interfaces to learn routes over the IPsec tunnel that is used as a link in this scenario.

This section includes the following topics:

• Authentication Process on page 354
• Implicit Dynamic Rules on page 354
• Reverse Route Insertion on page 355
• Configuring an IKE Access Profile on page 355
• Referencing the IKE Access Profile in a Service Set on page 357
• Configuring the Interface Identifier on page 357
• Default IKE and IPsec Proposals on page 358

Authentication Process

The remote (dynamic peer) initiates the negotiations with the local (Juniper Networks) router. If preshared key authentication is used, the preshared key is global for a service set. This key is the one configured in the IKE access profile referenced by the service set. When seeking the preshared key for the peer, the local router matches the peer’s source address against any explicitly configured preshared keys in that service set. If no entry matches, the local router uses the global preshared key for authentication.

Phase 2 of the authentication matches the proxy identities of the protected hosts and networks sent by the peer against a list of configured proxy identities. You can configure proxy identities by including the allowed-proxy-pair statement in the IKE access profile. If you do not configure the allowed-proxy-pair statement, the default value ANY(0.0.0.0/0)-ANY is applied, and the local router accepts any proxy identities sent by the peer. If a match is not found, the negotiation is rejected. Both IPv4 and IPv6 addresses are accepted, but you must configure all IPv6 addresses manually. The accepted proxy identity is used to create the dynamic rules for encrypting the traffic.

The local router uses the default IKE and IPsec policies to match the proposals sent by the remote peer to negotiate the security association (SA) values. Implicit proposals contain a list of all the supported transforms that the local router expects from all the dynamic peers. Once the phase 2 negotiation completes successfully, the router builds the dynamic rules and inserts the reverse route into the routing table using the accepted proxy identity.

Implicit Dynamic Rules

After successful negotiation with the dynamic peer, the key management process (kmd) creates a dynamic rule for the accepted phase 2 proxy and applies it on the local AS or Multiservices PIC. This rule is used to encrypt traffic directed to one of the end hosts in the phase 2 proxy identity. The source and destination addresses are specified by the accepted proxy. The match-direction value is input for next-hop-style service sets. The source-address and destination-address values are accepted from the proxy ID. The dynamic rule includes an ipsec-inside-interface value, which is the interface name assigned to the dynamic tunnel.

NOTE: You do not configure this rule; it is created by the key management process (kmd).

When a packet is received for a service set, static rules are always matched first, in the order configured. Dynamic rules are matched after the rule match for static rules has failed. Rule lookup for static tunnels is unaffected by the presence of a dynamic rule.
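The lookup order just described (static rules in configured order, then kmd's dynamic rules, drop when nothing matches), together with the match-direction check, the ipsec-inside-interface selector that tells any-any link-type tunnels apart and the packet-based versus flow-based distinction from the match-conditions section, as an added example that is not from the guide. The rule, interface and address values are constructed; the dynamic rule shape follows the description above.

```python
"""Added example: a model of IPsec rule lookup as described above. Not Junos
code; the rules, interfaces and addresses below are constructed inputs."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

ANY4 = "0.0.0.0/0"   # default when source-address/destination-address are absent


@dataclass
class Term:
    name: str
    remote_gateway: str
    source_address: str = ANY4
    destination_address: str = ANY4
    ipsec_inside_interface: Optional[str] = None

    def is_any_any(self):
        """No selectors: every flow on the tunnel shares one SA (packet-based)."""
        return self.source_address == ANY4 and self.destination_address == ANY4

    def matches(self, pkt):
        if self.ipsec_inside_interface and pkt.inside_interface != self.ipsec_inside_interface:
            return False
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.source_address)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.destination_address))


@dataclass
class Rule:
    name: str
    match_direction: str                 # input | output | input-output
    terms: List[Term] = field(default_factory=list)


@dataclass
class Packet:
    src: str
    dst: str
    direction: str                       # input | output, as carried to the PIC
    inside_interface: str


def dynamic_rule_from_proxy(tunnel_if, remote_proxy, local_proxy, peer_gateway):
    """Shape of the implicit rule kmd creates for an accepted phase 2 proxy:
    match-direction input, addresses taken from the proxy ID (traffic to the
    remote end hosts flows from the local proxy to the remote one), and the
    inside interface assigned to the dynamic tunnel."""
    term = Term(name="dynamic", remote_gateway=peer_gateway,
                source_address=local_proxy, destination_address=remote_proxy,
                ipsec_inside_interface=tunnel_if)
    return Rule(name=f"dynamic-{tunnel_if}", match_direction="input", terms=[term])


def lookup(static_rules, dynamic_rules, pkt):
    """Static rules first, in configured order, then dynamic rules; the first
    matching term wins and lookup stops. None means dropped by default."""
    for origin, rules in (("static", static_rules), ("dynamic", dynamic_rules)):
        for rule in rules:
            if rule.match_direction not in (pkt.direction, "input-output"):
                continue             # only rules whose direction matches are considered
            for term in rule.terms:
                if term.matches(pkt):
                    return {"origin": origin, "rule": rule.name, "term": term.name,
                            "remote_gateway": term.remote_gateway,
                            "service": "packet-based" if term.is_any_any() else "flow-based"}
    return None


# Constructed rules modelled on the link-type example later in this chapter.
DEMO_RULE = Rule("demo-rule", "input", [
    Term("term-0", "10.2.2.1", ipsec_inside_interface="sp-0/0/0.1"),
    Term("term-1", "10.3.3.1", ipsec_inside_interface="sp-0/0/0.2"),
])
SELECTOR_RULE = Rule("site-rule", "input", [
    Term("term-0", "10.2.2.1", "172.16.1.0/24", "172.16.2.0/24"),
])
DYNAMIC_RULES = [dynamic_rule_from_proxy("sp-1/0/0.3", "172.16.3.0/24", "172.16.1.0/24", "10.3.3.1")]


def demo():
    """Return the lookup result for a few constructed packets."""
    pkts = {
        "link-type term-1": Packet("192.0.2.10", "198.51.100.7", "input", "sp-0/0/0.2"),
        "selector match": Packet("172.16.1.5", "172.16.2.9", "input", "sp-0/0/0.3"),
        "dynamic proxy": Packet("172.16.1.5", "172.16.3.9", "input", "sp-1/0/0.3"),
        "wrong direction": Packet("172.16.1.5", "172.16.3.9", "output", "sp-1/0/0.3"),
    }
    return {k: lookup([DEMO_RULE, SELECTOR_RULE], DYNAMIC_RULES, p) for k, p in pkts.items()}
```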

Response to dead peer detection (DPD) hello messages takes place the same way with dynamic peers as with static peers. Initiating DPD hello messages from dynamic peers is not supported. For more information on DPD, see “Configuring Destination Addresses for Dead Peer Detection” on page 350.

Reverse Route Insertion

Static routes are automatically inserted into the route table for those networks and hosts protected by a remote tunnel endpoint. These protected hosts and networks are known as remote proxy identities. Each route is created based on the remote proxy network and mask sent by the peer and is inserted in the relevant route table after successful phase 1 and phase 2 negotiations. These routes are added only for next-hop-style service sets. For next-hop-style service sets, the reverse routes include next hops pointing to the locations specified by the inside-service-interface statement. The route table in which to insert these routes depends on where the inside-service-interface location is listed. If these interfaces are present in a VPN routing and forwarding (VRF) instance, then routes are added to the corresponding VRF table; otherwise, the routes are added to inet.0. The route preference for each static reverse route is 1. This value is necessary to avoid conflict with similar routes that might be added by the routing protocol process (rpd). No routes are added if the accepted remote proxy address is the default (0.0.0.0/0). In this case you can run routing protocols over the IPsec tunnel to learn routes and add static routes for the traffic you want to be protected over this tunnel.

NOTE: Reverse route insertion takes place only for tunnels to dynamic peers.

Configuring an IKE Access Profile

You can configure only one tunnel profile per service set for all dynamic peers. The configured preshared key in the profile is used for IKE authentication of all dynamic peers terminating in that service set. Alternatively, you can include the ike-policy statement to reference an IKE policy you define with either specific identification values or a wildcard (the any-remote-id option). You configure the IKE policy at the [edit services ipsec-vpn ike] hierarchy level; for more information, see “Configuring IKE Policies” on page 335. The IKE tunnel profile specifies all the information needed to complete the IKE negotiation. Each protocol has its own statement hierarchy within the client statement to configure protocol-specific attribute value pairs, but only one client configuration is allowed for each profile. The following is the configuration at the [edit access] hierarchy level; for more information on access profiles, see the Junos OS System Basics Configuration Guide.

    [edit access]
    profile profile-name {
        client * {
            ike {

Junos 11. By default.0. Inc. • pre-shared-key—Key used to authenticate the dynamic peer during IKE phase 1 negotiation. interface-id <string-value>.0/0 local 0. the IKE policy defines which remote identification values are allowed. The client value * (wildcard) means that configuration within this profile is valid for all dynamic peers terminating within the service set accessing this profile. the phase 2 IKE negotiation fails. . Both IPv4 and IPv6 address formats are supported in this configuration. but there are no default IPv6 addresses. for more information. • ipsec-policy—Name of the IPsec policy that defines the IPsec policy information for the session. You can configure the value either in hexadecimal or ascii-text format. Juniper Networks. any policy proposed by the dynamic peer is accepted. • interface-id—Interface identifier. can contain a wildcard value any-remote-id for use in dynamic endpoint configurations only. ipsec-policy ipsec-policy. the IP address is used to identify a tunnel peer to get the preshared key information. You define the IPsec policy at the [edit services ipsec-vpn ipsec policy policy-name] hierarchy level. 356 Copyright © 2011. In digital certificate mode. • ike-policy—Policy that defines the remote identification values corresponding to the allowed dynamic peers. You must specify even 0::0/0.4 Services Interfaces Configuration Guide allowed-proxy-pair { remote remote-proxy-address local local-proxy-address. remote 0. the remote peer supplies its network address (remote) and its peer’s network address (local). } } } NOTE: For dynamic peers. } pre-shared-key (ascii-text key-string | hexadecimal key-string). the Junos OS supports the IKE main mode with either the preshared key method of authentication or an IKE access profile that uses a local digital certificate. • The following statements make up the IKE profile: • allowed-proxy-pair—During phase 2 IKE negotiation. If no policy is set. 
a mandatory attribute used to derive the logical service interface information for the session. this statement must include the list of possible combinations. Since multiple dynamic tunnels are authenticated through the same mechanism.0. This key is known to both ends through an out-of-band secure mechanism. see “Configuring IKE Policies” on page 335.0/0 is used if no values are configured. It is a mandatory value. • In preshared key mode. ike-policy policy-name.0. If the dynamic peer does not present a valid combination.0.
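The allowed-proxy-pair check just described and the reverse route insertion from the section before it, as one added example that is not from the guide: a Python model that accepts or rejects the proxy pair a dynamic peer proposes and, on acceptance, derives the static route kmd installs (preference 1, next hop on the inside service interface, VRF table or inet.0, nothing for the default remote proxy). The service set, VRF membership and proxy identities are constructed inputs; the VRF table naming follows the usual instance-name.inet.0 convention.

```python
"""Added example: a model of the allowed-proxy-pair check and of reverse route
insertion as described in this section. Not Junos code; the service set, VRF
membership and proxy identities below are constructed inputs."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

REVERSE_ROUTE_PREFERENCE = 1       # stated preference, below what rpd would add
DEFAULT_REMOTE_PROXY = "0.0.0.0/0"


@dataclass
class ServiceSet:
    name: str
    inside_service_interface: str
    vrf: Optional[str] = None                         # VRF holding the inside interface, if any
    allowed_proxy_pairs: Optional[List[Tuple[str, str]]] = None   # (remote, local) pairs

    def __post_init__(self):
        if not self.allowed_proxy_pairs:
            # allowed-proxy-pair not configured: ANY to ANY is the default
            self.allowed_proxy_pairs = [("0.0.0.0/0", "0.0.0.0/0")]

    def route_table(self):
        return f"{self.vrf}.inet.0" if self.vrf else "inet.0"


def proxy_pair_accepted(service_set, remote_proxy, local_proxy):
    """Phase 2 check: the pair the peer proposes must be covered by a configured
    allowed-proxy-pair entry (remote proxy inside the allowed remote network,
    local proxy inside the allowed local network). No match rejects the
    negotiation."""
    remote = ipaddress.ip_network(remote_proxy)
    local = ipaddress.ip_network(local_proxy)
    for allowed_remote, allowed_local in service_set.allowed_proxy_pairs:
        ar, al = ipaddress.ip_network(allowed_remote), ipaddress.ip_network(allowed_local)
        if remote.version != ar.version or local.version != al.version:
            continue                 # IPv4 and IPv6 entries never cover each other
        if remote.subnet_of(ar) and local.subnet_of(al):
            return True
    return False


def reverse_route(service_set, remote_proxy):
    """Static route installed after phase 1 and phase 2 succeed for a dynamic
    peer: destination is the accepted remote proxy, next hop is the inside
    service interface, table follows the VRF of that interface. No route is
    added for the default remote proxy."""
    prefix = ipaddress.ip_network(remote_proxy)
    if prefix == ipaddress.ip_network(DEFAULT_REMOTE_PROXY):
        return None
    return {"table": service_set.route_table(), "prefix": str(prefix),
            "next_hop": service_set.inside_service_interface,
            "preference": REVERSE_ROUTE_PREFERENCE}


def negotiate_phase2(service_set, remote_proxy, local_proxy):
    """Accept or reject the proposed proxy pair and return the resulting route."""
    if not proxy_pair_accepted(service_set, remote_proxy, local_proxy):
        return {"accepted": False, "route": None}
    return {"accepted": True, "route": reverse_route(service_set, remote_proxy)}
```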

Referencing the IKE Access Profile in a Service Set

To complete the configuration, you need to reference the IKE access profile configured at the [edit access] hierarchy level. To do this, include the ike-access-profile statement at the [edit services service-set name ipsec-vpn-options] hierarchy level:

    [edit services service-set name]
    ipsec-vpn-options {
        local-gateway address;
        ike-access-profile profile-name;
    }
    next-hop-service {
        inside-service-interface interface-name;
        outside-service-interface interface-name;
    }

The ike-access-profile statement must reference the same name as the profile statement you configured for IKE access at the [edit access] hierarchy level. You can reference only one access profile in each service set. This profile is used to negotiate IKE and IPsec security associations with dynamic peers only.

NOTE: If you configure an IKE access profile in a service set, no other service set can share the same local-gateway address. Also, all interfaces referenced by the ipsec-inside-interface statement within a service set must belong to the same VRF instance; you must configure a separate service set for each VRF instance.

Configuring the Interface Identifier

You can configure an interface identifier for a group of dynamic peers, which specifies which adaptive services logical interface(s) take part in the dynamic IPsec negotiation. By assigning the same interface identifier to multiple logical interfaces, you can create a pool of interfaces for this purpose. To configure an interface identifier, include the ipsec-interface-id statement and the dedicated or shared statement at the [edit interfaces interface-name unit logical-unit-number dial-options] hierarchy level:

    [edit interfaces interface-name unit logical-unit-number dial-options]
    ipsec-interface-id identifier;
    (dedicated | shared);

Specifying the interface identifier in the dial-options statement makes this logical interface part of the pool identified by the ipsec-interface-id statement.

NOTE: Only one interface identifier can be specified at a time. You can include the ipsec-interface-id statement or the l2tp-interface-id statement, but not both.

The dedicated statement specifies that the logical interface is used in a dedicated mode, which is necessary when you are configuring an IPsec link-type tunnel. You must include the dedicated statement when you specify an ipsec-interface-id value. If you configure shared mode, it enables one logical interface to be shared across multiple tunnels.

Default IKE and IPsec Proposals

The software includes implicit default IKE and IPsec proposals to match the proposals sent by the dynamic peers. The values are shown in Table 13 on page 358. For more information on IKE proposals, see “Configuring IKE Proposals” on page 332; for more information on IPsec proposals, see “Configuring IPsec Proposals” on page 341.

Table 13: Default IKE and IPsec Proposals for Dynamic Negotiations

Statement Name            Values

Implicit IKE Proposal
authentication-method     pre-shared keys
dh-group                  group1, group2, group5, group14
authentication-algorithm  sha1, md5, sha-256
encryption-algorithm      3des-cbc, des-cbc, aes-128, aes-192, aes-256
lifetime-seconds          3600 seconds

Implicit IPsec Proposal
protocol                  esp, ah, bundle
authentication-algorithm  hmac-sha1-96, hmac-md5-96
encryption-algorithm      3des-cbc, des-cbc, aes-128, aes-192, aes-256
lifetime-seconds          28,800 seconds (8 hours)

By default, if more than one value is shown, the first value is the default.

NOTE: RSA certificates are not supported with dynamic endpoint configuration.

Tracing IPsec Operations

Trace operations track IPsec events and record them in a log file in the /var/log directory. By default, this file is named /var/log/kmd. To trace IPsec operations, include the traceoptions statement at the [edit services ipsec-vpn] hierarchy level:

    [edit services ipsec-vpn]
    traceoptions {
        file <filename> <files number> <match regular-expression> <size bytes> <world-readable | no-world-readable>;
        flag flag;
        level level;
        no-remote-trace;
    }

You can specify the following IPsec tracing flags:

• all—Trace everything.
• certificates—Trace certificates events.
• database—Trace security associations database events.
• general—Trace general events.
• ike—Trace IKE module processing.
• parse—Trace configuration processing.
• policy-manager—Trace policy manager processing.
• routing-socket—Trace routing socket messages.
• snmp—Trace SNMP operations.
• timer—Trace internal timer events.

The level statement sets the key management process (kmd) tracing level. The following values are supported:

• all—Match all levels.
• error—Match error conditions.
• info—Match informational messages.
• notice—Match conditions that should be handled specially.
• verbose—Match verbose messages.
• warning—Match warning messages.

Disabling IPsec Tunnel Endpoint in Traceroute

If you include the no-ipsec-tunnel-in-traceroute statement at the [edit services ipsec-vpn] hierarchy level, the IPsec tunnel is not treated as a next hop and TTL is not decremented. Also, if the TTL reaches zero, an ICMP time exceeded message is not generated.

    [edit services ipsec-vpn]
    no-ipsec-tunnel-in-traceroute;

You can use the no-ipsec-tunnel-in-traceroute statement in specific scenarios in which the IPsec tunnel should not be treated as a next hop and passive mode is not desired.

NOTE: This functionality is also provided by the passive-mode-tunneling statement described in “Configuring IPsec Service Sets” on page 573.

Tracing IPsec PKI Operations

Trace operations track IPsec PKI events and record them in a log file in the /var/log directory. By default, this file is named /var/log/pkid. To trace IPsec PKI operations, include the traceoptions statement at the [edit security pki] hierarchy level:

    [edit security pki]
    traceoptions {
        file filename <files number> <match regular-expression> <size maximum-file-size> <world-readable | no-world-readable>;
        flag flag (all | certificate-verification | enrollment | online-crl-check);
    }

You can specify the following PKI tracing flags:

• all—Trace everything.
• certificates—Trace certificates events.
• database—Trace security associations database events.
• general—Trace general events.
• ike—Trace IKE module processing.
• parse—Trace configuration processing.
• policy-manager—Trace policy manager processing.
• routing-socket—Trace routing socket messages.
• snmp—Trace SNMP operations.
• timer—Trace internal timer events.

Configuring IPSec on the Services SDK

Starting with Junos OS Release 11.4, IPSec is supported by the Services SDK. IPSec on the Services SDK is supported on all M Series, T Series and MX Series routers with Multiservices 100, Multiservices 400 PICs, and Multiservices DPCs. IPSec on the Services SDK has the following limitations:

• IPSec on the Services SDK supports only policies negotiated between dynamic peer security gateways in which the remote ends of tunnels do not have a statically assigned IP address (Dynamic Endpoints).

• Encapsulating Security Payload (ESP) is the only protocol that is supported for protecting IP traffic.

• IPSec on the Services SDK does not support IPv6.

• To enable IPSec for the Services SDK on the adaptive services interface, configure the object-cache-size, policy-db-size, and package statements at the [edit chassis fpc slot-number pic pic-number adaptive-services service-package extension-provider] hierarchy level. For the IPSec plugin on the Services SDK, package-name in the package package-name statement is jservices-ipsec. For more information about the Services SDK, see the SDK Applications Configuration Guide and Command Reference.

The following example shows how to enable IPSec for the Services SDK on the adaptive services interface:

    chassis fpc 1 {
        pic 2 {
            adaptive-services {
                service-package {
                    extension-provider {
                        control-cores 1;
                        data-cores 7;
                        object-cache-size 1280;
                        policy-db-size 64;
                        package jservices-crypto-base;
                        package jservices-ipsec;
                    }
                }
            }
        }
    }

Configure the inside and outside interfaces for next-hop-style service sets:

    service-set abc {
        next-hop-service {
            inside-service-interface ms-0/2/0.1; # Name and logical unit number of the service interface associated with the service set applied inside the network.
            outside-service-interface ms-0/2/0.2; # Name and logical unit number of the service interface associated with the service set applied outside the network.
        }
    }

Examples: Configuring IPsec Services

See the following sections:

• Example: Configuring Statically Assigned Tunnels on page 362
• Example: Configuring Dynamically Assigned Tunnels on page 364
• Multitask Example: Configuring IPsec Services on page 369

Example: Configuring Statically Assigned Tunnels

Following is the configuration of the provider edge (PE) router, demonstrating the usage of next-hop service sets and dynamic SA configuration:

    [edit interfaces]
    so-0/0/0 {
        no-keepalives;
        encapsulation cisco-hdlc;
        unit 0 {
            family inet {
                address 10.6.6.6/32;
            }
        }
    }
    so-2/2/0 {
        description "teller so-0/2/0";
        no-keepalives;
        encapsulation cisco-hdlc;
        unit 0 {
            family inet {
                address 10.7.7.7/32;
            }
        }
    }
    sp-3/1/0 {
        unit 0 {
            family inet {
                address 10.21.1.1/16;
            }
        }
        unit 1 {
            family inet;
            service-domain inside;
        }
        unit 2 {
            family inet;
            service-domain outside;
        }
    }
    [edit policy-options]
    policy-statement vpn-export {
        then {
            community add vpn-comm;
            accept;
        }
    }
    policy-statement vpn-import {
        term a {
            from community vpn-comm;
            then accept;
        }
    }
    community vpn-comm members target:100:20;
    [edit routing-instances]

    vrf {
        instance-type vrf;
        interface so-0/0/0;
        interface sp-3/1/0.1; # Inside sp interface
        route-distinguisher 192.168.1.1:1;
        vrf-import vpn-import;
        vrf-export vpn-export;
        routing-options {
            static {
                route 10.1.1.1/32 next-hop so-0/0/0;
                route 10.2.2.1/32 next-hop sp-3/1/0.1;
                route 0.0.0.0/0 next-hop so-0/0/0;
            }
        }
    }
    [edit services]
    ipsec-vpn {
        rule rule-1 {
            term term-1 {
                then {
                    remote-gateway 10.8.8.1;
                    dynamic {
                        ike-policy ike-policy;
                    }
                }
            }
            match-direction input;
        }
        ike {
            policy ike-policy {
                pre-shared-key ascii-text "$9$ExmcSeMWxdVYBI";
            }
        }
    }
    service-set service-set-1 {
        ipsec-vpn {
            local-gateway 10.21.1.1;
        }
        next-hop-service {
            inside-service-interface sp-3/1/0.1;
            outside-service-interface sp-3/1/0.2;
        }
        ipsec-vpn-rules rule-1;
    }

Following is an example for configuring multiple link-type tunnels to static peers using a single next-hop style service set:

    services ipsec-vpn {
        rule demo-rule {
            term term-0 {
                from {
                    ipsec-inside-interface sp-0/0/0.1;
                }
                then {
                    remote-gateway 10.2.2.1;
                    dynamic {
                        ike-policy demo-ike-policy;
                    }
                }
            }

outside-service-interface sp-0/0/0. dynamic { ike-policy demo-ike-policy.1.2. } unit 1 { family inet. } unit 2 { family inet.3. } services { service-set demo-service-set { next-hop-service { inside-service-interface sp-0/0/0. service-domain inside.1. } unit 4 { family inet. } ipsec-vpn-options { local-gateway 10.3. service-domain inside. } then { remote-gateway 10. } ipsec-rules demo-rule.3.4 Services Interfaces Configuration Guide dynamic { ike-policy demo-ike-policy.1.Junos 11. Juniper Networks. service-domain outside.3.1. } } } term term-1 { from { ipsec-inside-interface sp-0/0/0. service-domain inside. } } Example: Configuring Dynamically Assigned Tunnels The following examples are based on this network configuration (see Figure 9 on page 365): 364 Copyright © 2011. } } interfaces sp-0/0/0 { unit 0 { family inet. . } } } } match-direction input. Inc. } unit 3 { family inet.

0. Configuring a Next-Hop Style Service Set with Link-Type Tunnels access { profile demo-access-profile client * { ike { allowed-proxy-pair { remote 0. 365 . Inc.Chapter 16: IPsec Services Configuration Guidelines • A local network N-1 behind security gateway SG-1.16.2.3.0/0 local 0. Copyright © 2011.1. outside-service-interface sp-1/0/0.3.1.0.0. • Figure 9: IPsec Dynamic Endpoint Tunneling Topology The examples in this section show the following configurations: • • Configuring a Next-Hop Style Service Set with Link-Type Tunnels on page 365 Configuring a Next-Hop Style Service-Set with Policy-Based Tunnels on page 367 NOTE: All the configurations are given for the Juniper Networks router terminating dynamic endpoint connections. ike-access-profile demo-ike-access-profile.1.3. # ANY to ANY } pre-shared-key { ascii-text keyfordynamicpeers.3.0/0. } ipsec-vpn-options { local-gateway 10. a Juniper Networks router terminating static as well as dynamic peer endpoints.1. Two remote peer routers that obtain addresses from an ISP pool and run RFC-compliant IKE. The tunnel termination address on SG-1 is 10.0/24.2.2.0.0/24 and resides behind security gateway SG-2 with tunnel termination address 10.1.1 and the local network address is 172. Remote network N-2 has address 172.16. Juniper Networks. } } services { service-set demo-service-set { next-hop-service { inside-service-interface sp-1/0/0. } interface-id demo-ipsec-interface-id.2.1.16.0/24 and resides behind security gateway SG-3 with tunnel termination address 10.2. Remote network N-3 has address 172.1.

service-domain inside. dial-options { ipsec-interface-id demo-ipsec-interface-id. } unit 2 { family inet.Junos 11. dedicated. dedicated. } } } } The following results are obtained: • Reverse routes inserted after successful negotiation: None • Routes learned by routing protocol: 172.16. service-domain inside.0/24 • Dynamic implicit rules created after successful negotiation: rule: junos-dynamic-rule-0 366 Copyright © 2011. interfaces { sp-0/0/0 { unit 0 { family inet. dial-options { ipsec-interface-id demo-ipsec-interface-id.3. You do not need to configure IKE or IPsec proposals explicitly.4 Services Interfaces Configuration Guide } } } } NOTE: Including the ike-access-profile statement enables the software to incorporate implicit proposals for dynamic endpoint authentication. service-domain outside.16. . } unit 3 { family inet. Inc.0/24 172. } } unit 4 { family inet. } unit 1 { family inet.2. service-domain inside. Juniper Networks.

3 term: term-1 local-gateway-address : 10.0/0 destination-address : 0.1.2.1.1 #Tunnel termination address on SG-1 remote-gateway-address: 10.0/0 ipsec-inside-interface: sp-0/0/0.0.0/24. } } } services { service-set demo-service-set { next-hop-service { inside-service-interface sp-1/0/0.0/0 destination-address : 0. } } NOTE: Including the ike-access-profile statement enables the software to incorporate implicit proposals for dynamic endpoint authentication. #N-3 <==> #N-1 } pre-shared-key { ascii-text keyfordynamicpeers.0. You do not need to configure IKE or IPsec proposals explicitly.0.1.0. interfaces { sp-0/0/0 { unit 0 { family inet. service-domain inside.1.0.0/0 ipsec-inside-interface: sp-0/0/0.3 #Tunnel termination address on SG-3 source-address : 0.2. #N-2 <==> #N-1 remote 172.0.1.Chapter 16: IPsec Services Configuration Guidelines term: term-0 local-gateway-address : 10. } unit 1 { family inet.0.1.0/24 local 172. } interface-id demo-ipsec-interface-id.0.1.2.2. } ike-access-profile demo-ike-access-profile.1.16. outside-service-interface sp-1/0/0.3.1. Juniper Networks.16. Inc.3.0/24 local 172.16. 367 .1.3.4 match-direction: input Configuring a Next-Hop Style Service-Set with Policy-Based Tunnels access { profile demo-access-profile client * { ike { allowed-proxy-pair { remote 172.16.2 #Tunnel termination address on SG-2 source-address : 0. } ipsec-vpn-options { local-gateway 10.1 #Tunnel termination address on SG-1 remote-gateway-address: 10.0/24. Copyright © 2011.

. Inc.1.16.3.3 match-direction: input 368 Copyright © 2011. service-domain inside.1 #Tunnel termination address on SG-1 remote-gateway-address: 10.3 #Tunnel termination address on SG-3 source-address : 172.0 routing-instances { demo-vrf { instance-type vrf.4 Services Interfaces Configuration Guide } unit 2 { family inet... Juniper Networks.1.0.0: ..0/24 ipsec-inside-interface: sp-0/0/0..1.. .1.3 term: term-1 local-gateway-address : 10.16.0/24 destination-address : 172.2.1. # Routing instance 172. } } } } # VRF configuration.0. > via sp-0/0/0.16..2.3. if not inet.11.3 172.3 • Dynamic implicit rules created after successful negotiation: rule: junos-dynamic-rule-0 term: term-0 local-gateway-address : 10.0/24 destination-address : 172.12. mode shared. dial-options { ipsec-interface-id demo-ipsec-interface-id.2.Junos 11.1.1.3. interface sp-0/0/0. } unit 3 { family inet. > via sp-0/0/0...0/24 *[Static/1]. service-domain outside.16.3.0/24 ipsec-inside-interface: sp-0/0/0.inet.2 #Tunnel termination address on SG-2 source-address : 172.1 #Tunnel termination address on SG-1 remote-gateway-address: 10. } } The following results are obtained: • Reverse routes injected after successful negotiation: demo-vrf.. interface sp-0/0/0.0/24 *[Static/1].

Multitask Example: Configuring IPsec Services

The following example-based instructions show how to configure IPsec services. The configuration involves defining an IKE policy, an IPsec policy, IPsec rules, trace options, and service sets. This topic includes the following tasks:

1. Configuring the IKE Proposal on page 369
2. Configuring the IKE Policy (and Referencing the IKE Proposal) on page 370
3. Configuring the IPsec Proposal on page 370
4. Configuring the IPsec Policy (and Referencing the IPsec Proposal) on page 371
5. Configuring the IPsec Rule (and Referencing the IKE and IPsec Policies) on page 372
6. Configuring IPsec Trace Options on page 373
7. Configuring the Access Profile (and Referencing the IKE and IPsec Policies) on page 373
8. Configuring the Service Set (and Referencing the IKE Profile and the IPsec Rule) on page 374

Configuring the IKE Proposal

The IKE proposal configuration defines the algorithms and keys used to establish the secure IKE connection with the peer security gateway. For more information about IKE proposals, see “Configuring IKE Proposals” on page 332.

To define the IKE proposal:

1. In configuration mode, go to the following hierarchy level:
   user@host# edit services ipsec-vpn
2. Configure the authentication method, which is pre-shared keys in this example:
   [edit services ipsec-vpn]
   user@host# set ike proposal test-IKE-proposal authentication-method pre-shared-keys
3. Configure the Diffie-Hellman group and specify a name—for example, group1:
   [edit services ipsec-vpn]
   user@host# set ike proposal test-IKE-proposal dh-group group1
4. Configure the authentication algorithm, which is sha1 in this example:
   [edit services ipsec-vpn]
   user@host# set ike proposal test-IKE-proposal authentication-algorithm sha1
5. Configure the encryption algorithm, which is aes-256-cbc in this example:
   [edit services ipsec-vpn]
   user@host# set ike proposal test-IKE-proposal encryption-algorithm aes-256-cbc

The following sample output shows the configuration of the IKE proposal:

   [edit services ipsec-vpn]
   user@host# show ike proposal
   test-IKE-proposal {
       authentication-method pre-shared-keys;
       dh-group group1;
       authentication-algorithm sha1;
       encryption-algorithm aes-256-cbc;
   }

Configuring the IKE Policy (and Referencing the IKE Proposal)

The IKE policy configuration defines the proposal, mode, addresses, and other security parameters used during IKE negotiation. For more information about IKE policies, see “Configuring IKE Policies” on page 335.

To define the IKE policy and reference the IKE proposal:

1. In configuration mode, go to the following hierarchy level:
   user@host# edit services ipsec-vpn
2. Configure the IKE first phase mode—for example, main:
   [edit services ipsec-vpn]
   user@host# set ike policy test-IKE-policy mode main
3. Configure the proposal, which is test-IKE-proposal in this example:
   [edit services ipsec-vpn]
   user@host# set ike policy test-IKE-policy proposals test-IKE-proposal
4. Configure the local identification with an IPv4 address—for example, 192.168.255.2:
   [edit services ipsec-vpn]
   user@host# set ike policy test-IKE-policy local-id ipv4_addr 192.168.255.2
5. Configure the preshared key in ASCII text format, which is TEST in this example:
   [edit services ipsec-vpn]
   user@host# set ike policy test-IKE-policy pre-shared-key ascii-text TEST

The following sample output shows the configuration of the IKE policy:

   [edit services ipsec-vpn]
   user@host# show ike policy
   test-IKE-policy {
       mode main;
       proposals test-IKE-proposal;
       pre-shared-key ascii-text TEST;
       local-id ipv4_addr 192.168.255.2;
   }

Configuring the IPsec Proposal

The IPsec proposal configuration defines the protocols and algorithms (security services) that are required to negotiate with the remote IPsec peer. For more information about IPsec proposals, see “Configuring IPsec Proposals” on page 341.

To define the IPsec proposal:

1. In configuration mode, go to the following hierarchy level:
   user@host# edit services ipsec-vpn
2. Configure the IPsec protocol for the proposal—for example, esp:
   [edit services ipsec-vpn]
   user@host# set ipsec proposal test-IPsec-proposal protocol esp
3. Configure the authentication algorithm for the proposal, which is hmac-sha1-96 in this example:
   [edit services ipsec-vpn]
   user@host# set ipsec proposal test-IPsec-proposal authentication-algorithm hmac-sha1-96
4. Configure the encryption algorithm for the proposal, which is aes-256-cbc in this example:
   [edit services ipsec-vpn]
   user@host# set ipsec proposal test-IPsec-proposal encryption-algorithm aes-256-cbc

The following sample output shows the configuration of the IPsec proposal:

   [edit services ipsec-vpn]
   user@host# show ipsec proposal
   test-IPsec-proposal {
       protocol esp;
       authentication-algorithm hmac-sha1-96;
       encryption-algorithm aes-256-cbc;
   }

Configuring the IPsec Policy (and Referencing the IPsec Proposal)

The IPsec policy configuration defines a combination of security parameters (IPsec proposals) used during IPsec negotiation. It defines PFS and the proposals needed for the connection. For more information about IPsec policies, see “Configuring IPsec Policies” on page 343.

To define the IPsec policy and reference the IPsec proposal:

1. In configuration mode, go to the following hierarchy level:
   user@host# edit services ipsec-vpn
2. Configure the keys for perfect forward secrecy in the IPsec policy—for example, group1:
   [edit services ipsec-vpn]
   user@host# set ipsec policy test-IPsec-policy perfect-forward-secrecy keys group1
3. Configure a set of IPsec proposals in the IPsec policy—for example, test-IPsec-proposal:
   [edit services ipsec-vpn]
   user@host# set ipsec policy test-IPsec-policy proposals test-IPsec-proposal

The following sample output shows the configuration of the IPsec policy:

   [edit services ipsec-vpn]
   user@host# show ipsec policy test-IPsec-policy
   perfect-forward-secrecy {
       keys group1;
   }
   proposals test-IPsec-proposal;

Configuring the IPsec Rule (and Referencing the IKE and IPsec Policies)

The IPsec rule configuration defines the direction that specifies whether the match is applied on the input or output side of the interface. The configuration also consists of a set of terms that specify the match conditions and applications that are included and excluded, and also specify the actions and action modifiers to be performed by the router software. For more information about IPsec rules, see “Configuring IPsec Rules” on page 346.

To define the IPsec rule and reference the IKE and IPsec policies:

1. In configuration mode, go to the following hierarchy level:
   user@host# edit services ipsec-vpn
2. Configure the IP destination address for the IPsec term in the IPsec rule—for example, 192.168.255.2/32:
   [edit services ipsec-vpn]
   user@host# set rule test-IPsec-rule term 10 from destination-address 192.168.255.2/32
3. Configure the remote gateway address for the IPsec term in the IPsec rule—for example, 0.0.0.0:
   [edit services ipsec-vpn]
   user@host# set rule test-IPsec-rule term 10 then remote-gateway 0.0.0.0
4. Configure a dynamic security association for the IKE policy for the IPsec term in the IPsec rule, which is test-IKE-policy in this example:
   [edit services ipsec-vpn]
   user@host# set rule test-IPsec-rule term 10 then dynamic ike-policy test-IKE-policy
5. Configure a dynamic security association for the IPsec policy for the IPsec term in the IPsec rule, which is test-IPsec-policy in this example:
   [edit services ipsec-vpn]
   user@host# set rule test-IPsec-rule term 10 then dynamic ipsec-policy test-IPsec-policy
6. Configure a direction for which the rule match is being applied in the IPsec rule—for example, input:
   [edit services ipsec-vpn]
   user@host# set rule test-IPsec-rule match-direction input

The following sample output shows the configuration of the IPsec rule:

   [edit services ipsec-vpn]
   user@host# show rule test-IPsec-rule
   term 10 {
       from {
           destination-address {
               192.168.255.2/32;
           }
       }
       then {
           remote-gateway 0.0.0.0;
           dynamic {
               ike-policy test-IKE-policy;
               ipsec-policy test-IPsec-policy;
           }
       }
   }
   match-direction input;

Configuring IPsec Trace Options

The IPsec trace options configuration tracks IPsec events and records them in a log file in the /var/log directory. By default, this file is named /var/log/kmd. For more information about IPsec trace options, see “Tracing IPsec Operations” on page 358.

To define the IPsec trace options:

1. In configuration mode, go to the following hierarchy level:
   user@host# edit services ipsec-vpn
2. Configure the trace file, which is ipsec.log in this example:
   [edit services ipsec-vpn]
   user@host# set traceoptions file ipsec.log
3. Configure all the tracing parameters with the option all in this example:
   [edit services ipsec-vpn]
   user@host# set traceoptions flag all

The following sample output shows the configuration of the IPsec trace options:

   [edit services ipsec-vpn]
   user@host# show traceoptions
   file ipsec.log;
   flag all;

Configuring the Access Profile (and Referencing the IKE and IPsec Policies)

The access profile configuration defines the access profile and references the IKE and IPsec policies. For more information about access profiles, see Configuring an IKE Access Profile.

To define the access profile and reference the IKE and IPsec policies:

1. In configuration mode, go to the following hierarchy level:
   user@host# edit access
2. Configure the list of local and remote proxy identity pairs with the allowed-proxy-pair option. In this example, 10.1.0.0/24 is the IP address for the local proxy identity and 10.2.0.0/24 is the IP address for the remote proxy identity:
   [edit access]
   user@host# set profile IKE-profile-TEST client * ike allowed-proxy-pair local 10.1.0.0/24 remote 10.2.0.0/24
3. Configure the IKE policy—for example, test-IKE-policy:
   [edit access]
   user@host# set profile IKE-profile-TEST client * ike ike-policy test-IKE-policy
4. Configure the IPsec policy—for example, test-IPsec-policy:
   [edit access]
   user@host# set profile IKE-profile-TEST client * ike ipsec-policy test-IPsec-policy
5. Configure the identity of the logical service interface pool, which is TEST-intf in this example:
   [edit access]
   user@host# set profile IKE-profile-TEST client * ike interface-id TEST-intf

The following sample output shows the configuration of the access profile:

   [edit access]
   user@host# show profile
   IKE-profile-TEST {
       client * {
           ike {
               allowed-proxy-pair local 10.1.0.0/24 remote 10.2.0.0/24;
               ike-policy test-IKE-policy;
               ipsec-policy test-IPsec-policy; # new statement
               interface-id TEST-intf;
           }
       }
   }

Configuring the Service Set (and Referencing the IKE Profile and the IPsec Rule)

The service set configuration defines IPsec service sets that require additional specifications and references the IKE profile and the IPsec rule. For more information about IPsec service sets, see “Configuring IPsec Service Sets” on page 573.

To define the service set configuration with the next-hop service sets and IPsec VPN options:

1. In configuration mode, go to the following hierarchy level:
   user@host# edit services
2. Configure a service set with parameters for next-hop service interfaces for the inside network—for example, sp-1/2/0.1:
   [edit services]
   user@host# set service-set TEST next-hop-service inside-service-interface sp-1/2/0.1
3. Configure a service set with parameters for next-hop service interfaces for the outside network—for example, sp-1/2/0.2:
   [edit services]
   user@host# set service-set TEST next-hop-service outside-service-interface sp-1/2/0.2
4. Configure the IPsec VPN options with the address and routing instance for the local gateway—for example, 192.168.255.2:
   [edit services]
   user@host# set service-set TEST ipsec-vpn-options local-gateway 192.168.255.2
5. Configure the IPsec VPN options with the IKE access profile for dynamic peers, which is IKE-profile-TEST in this example:
   [edit services]
   user@host# set service-set TEST ipsec-vpn-options ike-access-profile IKE-profile-TEST
6. Configure a service set with IPsec VPN rules, which is test-IPsec-rule in this example:
   [edit services]
   user@host# set service-set TEST ipsec-vpn-rules test-IPsec-rule

The following sample output shows the configuration of the service set referencing the IKE profile and the IPsec rule:

   [edit services]
   user@host# show service-set TEST
   next-hop-service {
       inside-service-interface sp-1/2/0.1;
       outside-service-interface sp-1/2/0.2;
   }
   ipsec-vpn-options {
       local-gateway 192.168.255.2;
       ike-access-profile IKE-profile-TEST;
   }
   ipsec-vpn-rules test-IPsec-rule;
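The eight tasks above produce statements that refer to one another by name (policy to proposal, rule term to policies), and a name that does not resolve only surfaces when the tunnel fails to negotiate. The following Python script is an added example, not code from this guide or from Junos OS: it reads the set commands issued in the procedure (a constructed sample copied from the steps, relative to [edit services ipsec-vpn]), checks that every reference resolves, and reports parameter choices below thresholds that are this example's own assumptions (MIN_DH_BITS, MIN_PSK_CHARS and the WEAK_ALGORITHMS set); the Diffie-Hellman modulus sizes are the ones listed under the dh-group statement in Chapter 17.

```python
"""Audit the IPsec configuration built in the multitask example.

Added example (not from the Junos guide). Parses Junos "set" commands
relative to [edit services ipsec-vpn], checks cross-references and
reports weak parameter choices. Thresholds and the weak-algorithm set are
assumptions of this example, not Junos defaults.
"""

# Diffie-Hellman modulus sizes as listed under the dh-group statement.
DH_BITS = {"group1": 768, "group2": 1024, "group5": 1536, "group14": 2048}
MIN_DH_BITS = 2048      # assumption: smaller moduli are reported
MIN_PSK_CHARS = 16      # assumption: shorter ASCII pre-shared keys are reported
WEAK_ALGORITHMS = {"md5", "hmac-md5-96", "des-cbc", "3des-cbc"}  # assumption

# Constructed sample: the set commands the procedure above issues.
SAMPLE_SET_COMMANDS = """
set ike proposal test-IKE-proposal authentication-method pre-shared-keys
set ike proposal test-IKE-proposal dh-group group1
set ike proposal test-IKE-proposal authentication-algorithm sha1
set ike proposal test-IKE-proposal encryption-algorithm aes-256-cbc
set ike policy test-IKE-policy mode main
set ike policy test-IKE-policy proposals test-IKE-proposal
set ike policy test-IKE-policy local-id ipv4_addr 192.168.255.2
set ike policy test-IKE-policy pre-shared-key ascii-text TEST
set ipsec proposal test-IPsec-proposal protocol esp
set ipsec proposal test-IPsec-proposal authentication-algorithm hmac-sha1-96
set ipsec proposal test-IPsec-proposal encryption-algorithm aes-256-cbc
set ipsec policy test-IPsec-policy perfect-forward-secrecy keys group1
set ipsec policy test-IPsec-policy proposals test-IPsec-proposal
set rule test-IPsec-rule term 10 from destination-address 192.168.255.2/32
set rule test-IPsec-rule term 10 then remote-gateway 0.0.0.0
set rule test-IPsec-rule term 10 then dynamic ike-policy test-IKE-policy
set rule test-IPsec-rule term 10 then dynamic ipsec-policy test-IPsec-policy
set rule test-IPsec-rule match-direction input
"""


def build_tree(set_text):
    """Turn 'set a b c' lines into nested dicts so that tree['a']['b']['c'] == {}."""
    tree = {}
    for line in set_text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "set":
            raise ValueError(f"expected a set command: {line!r}")
        node = tree
        for token in tokens[1:]:
            node = node.setdefault(token, {})
    return tree


def single(node, keyword):
    """Return the one value configured under keyword, or None if absent."""
    values = list(node.get(keyword, {}))
    return values[0] if values else None


def audit(set_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    tree = build_tree(set_text)
    findings = []
    ike_proposals = tree.get("ike", {}).get("proposal", {})
    ike_policies = tree.get("ike", {}).get("policy", {})
    ipsec_proposals = tree.get("ipsec", {}).get("proposal", {})
    ipsec_policies = tree.get("ipsec", {}).get("policy", {})

    for name, prop in ike_proposals.items():
        group = single(prop, "dh-group")
        bits = DH_BITS.get(group)
        if bits is None:
            findings.append(f"ike proposal {name}: dh-group {group} is not a known group")
        elif bits < MIN_DH_BITS:
            findings.append(f"ike proposal {name}: dh-group {group} is {bits}-bit (below {MIN_DH_BITS})")
        for keyword in ("authentication-algorithm", "encryption-algorithm"):
            if single(prop, keyword) in WEAK_ALGORITHMS:
                findings.append(f"ike proposal {name}: {keyword} {single(prop, keyword)} is weak")

    for name, policy in ike_policies.items():
        for proposal in policy.get("proposals", {}):
            if proposal not in ike_proposals:
                findings.append(f"ike policy {name}: references missing proposal {proposal}")
        psk = single(policy.get("pre-shared-key", {}), "ascii-text")
        if psk is not None and len(psk) < MIN_PSK_CHARS:
            findings.append(f"ike policy {name}: pre-shared key has {len(psk)} characters (below {MIN_PSK_CHARS})")

    for name, prop in ipsec_proposals.items():
        for keyword in ("authentication-algorithm", "encryption-algorithm"):
            if single(prop, keyword) in WEAK_ALGORITHMS:
                findings.append(f"ipsec proposal {name}: {keyword} {single(prop, keyword)} is weak")

    for name, policy in ipsec_policies.items():
        for proposal in policy.get("proposals", {}):
            if proposal not in ipsec_proposals:
                findings.append(f"ipsec policy {name}: references missing proposal {proposal}")
        group = single(policy.get("perfect-forward-secrecy", {}), "keys")
        if group is not None and DH_BITS.get(group, 0) < MIN_DH_BITS:
            findings.append(f"ipsec policy {name}: perfect-forward-secrecy keys {group} is "
                            f"{DH_BITS.get(group, 0)}-bit (below {MIN_DH_BITS})")

    for name, rule in tree.get("rule", {}).items():
        if "match-direction" not in rule:
            findings.append(f"rule {name}: match-direction is not set")
        for term, body in rule.get("term", {}).items():
            dynamic = body.get("then", {}).get("dynamic", {})
            ike_policy = single(dynamic, "ike-policy")
            if ike_policy is not None and ike_policy not in ike_policies:
                findings.append(f"rule {name} term {term}: references missing IKE policy {ike_policy}")
            ipsec_policy = single(dynamic, "ipsec-policy")
            if ipsec_policy is not None and ipsec_policy not in ipsec_policies:
                findings.append(f"rule {name} term {term}: references missing IPsec policy {ipsec_policy}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SET_COMMANDS):
        print(finding)
```

Run against the sample, the script reports nothing dangling but flags group1 (768-bit) in both the IKE proposal and the PFS setting, and the four-character pre-shared key TEST; the ipsec-policy statement is treated as optional, as the dynamic statement summary in Chapter 17 describes, so only a reference that names a policy which does not exist is reported.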


CHAPTER 17

Summary of IPsec Services Configuration Statements

The following sections explain each of the IP Security (IPsec) services statements. The statements are organized alphabetically.

anti-replay-window-size

Syntax
    anti-replay-window-size bits;
Hierarchy Level
    [edit services ipsec-vpn rule rule-name term term-name then]
Release Information
    Statement introduced in Junos OS Release 10.0.
Description
    Specify the size of the IPsec antireplay window.
Options
    bits—Size of the antireplay window, in bits.
    Default: 64 bits (AS PICs), 128 bits (Multiservices PICs and DPCs)
    Range: 64 through 4096 bits
Usage Guidelines
    See “Configuring or Disabling IPsec Anti-Replay” on page 352.
Required Privilege Level
    admin—To view this statement in the configuration.
    admin-control—To add this statement to the configuration.

authentication

Syntax
    authentication {
        algorithm (hmac-md5-96 | hmac-sha1-96);
        key (ascii-text key | hexadecimal key);
    }
Hierarchy Level
    [edit services ipsec-vpn rule rule-name term term-name then manual direction direction]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Configure IPsec authentication parameters for a manual security association (SA).
Options
    algorithm—Hash algorithm that authenticates packet data. The algorithm can be one of the following:
    • hmac-md5-96—Produces a 128-bit digest.
    • hmac-sha1-96—Produces a 160-bit digest.
    key—Type of authentication key. The key can be one of the following:
    • ascii-text key—ASCII text key. For hmac-md5-96, the key is 16 ASCII characters; for hmac-sha1-96, the key is 20 ASCII characters.
    • hexadecimal key—Hexadecimal key. For hmac-md5-96, the key is 32 hexadecimal characters; for hmac-sha1-96, the key is 40 hexadecimal characters.
Usage Guidelines
    See “Configuring Authentication for a Manual IPsec SA” on page 329.
Required Privilege Level
    admin—To view this statement in the configuration.
    admin-control—To add this statement to the configuration.

authentication-algorithm

See the following sections:
• authentication-algorithm (IKE) on page 379
• authentication-algorithm (IPsec) on page 379

authentication-algorithm (IKE)

Syntax
    authentication-algorithm (md5 | sha1 | sha-256);
Hierarchy Level
    [edit services ipsec-vpn ike proposal proposal-name]
Release Information
    Statement introduced before Junos OS Release 7.4. sha-256 option added in Junos OS Release 7.6.
Description
    Configure the Internet Key Exchange (IKE) hash algorithm that authenticates packet data.
Options
    md5—Produces a 128-bit digest.
    sha1—Produces a 160-bit digest.
    sha-256—Produces a 256-bit digest.
Usage Guidelines
    See “Configuring the Authentication Algorithm for an IKE Proposal” on page 333.
Required Privilege Level
    admin—To view this statement in the configuration.
    admin-control—To add this statement to the configuration.

authentication-algorithm (IPsec)

Syntax
    authentication-algorithm (hmac-md5-96 | hmac-sha1-96);
Hierarchy Level
    [edit services ipsec-vpn ipsec proposal ipsec-proposal-name]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Configure the IPsec hash algorithm that authenticates packet data.
Options
    hmac-md5-96—Produces a 128-bit digest.
    hmac-sha1-96—Produces a 160-bit digest.
Usage Guidelines
    See “Configuring the Authentication Algorithm for an IPsec Proposal” on page 341.
Required Privilege Level
    admin—To view this statement in the configuration.
    admin-control—To add this statement to the configuration.

authentication-method

Syntax
    authentication-method (dsa-signatures | pre-shared-keys | rsa-signatures);
Hierarchy Level
    [edit services ipsec-vpn ike proposal proposal-name]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Configure an IKE authentication method.
Options
    dsa-signatures—Digital signature algorithm (DSA).
    pre-shared-keys—A key derived from an out-of-band mechanism; the key authenticates the exchange.
    rsa-signatures—Public key algorithm (supports encryption and digital signatures).
Usage Guidelines
    See “Configuring the Authentication Method for an IKE Proposal” on page 333.
Required Privilege Level
    admin—To view this statement in the configuration.
    admin-control—To add this statement to the configuration.

auxiliary-spi

Syntax
    auxiliary-spi spi-value;
Hierarchy Level
    [edit services ipsec-vpn rule rule-name term term-name then manual direction direction]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Configure an auxiliary Security Parameter Index (SPI) for a manual SA. Use the auxiliary SPI when you configure the protocol statement to use the bundle option.
Options
    spi-value—An arbitrary value that uniquely identifies which SA to use at the receiving host (the destination address in the packet).
    Range: 256 through 16,639
Usage Guidelines
    See “Configuring the Auxiliary Security Parameter Index” on page 329. For information about SPI, see “Configuring the Security Parameter Index” on page 329 and spi.
Required Privilege Level
    admin—To view this statement in the configuration.
    admin-control—To add this statement to the configuration.

backup-remote-gateway

Syntax
    backup-remote-gateway address;
Hierarchy Level
    [edit services ipsec-vpn rule rule-name term term-name then]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Define the backup remote address to which the IPsec traffic is directed when the primary remote gateway is down. Configuring this statement also enables the dead peer detection (DPD) protocol.
Options
    address—Backup remote IPv4 or IPv6 address.
Usage Guidelines
    See “Configuring Destination Addresses for Dead Peer Detection” on page 350.
Required Privilege Level
    admin—To view this statement in the configuration.
    admin-control—To add this statement to the configuration.

clear-dont-fragment-bit

Syntax
    clear-dont-fragment-bit;
Hierarchy Level
    [edit services ipsec-vpn rule rule-name term term-name then]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Clear the Don’t Fragment (DF) bit on all IP version 4 (IPv4) packets entering the IPsec tunnel. If the encapsulated packet size exceeds the tunnel maximum transmission unit (MTU), the packet is fragmented before encapsulation.
Usage Guidelines
    See “Configuring Actions in IPsec Rules” on page 349.
Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

clear-ike-sas-on-pic-restart

Syntax
    clear-ike-sas-on-pic-restart;
Hierarchy Level
    [edit services ipsec-vpn]
Release Information
    Statement introduced in Junos OS Release 9.2.
Description
    Clear IKE security associations (SAs) when the corresponding PIC restarts or is taken offline.
Usage Guidelines
    See “Clearing Security Associations” on page 332.
Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

clear-ipsec-sas-on-pic-restart

Syntax
    clear-ipsec-sas-on-pic-restart;
Hierarchy Level
    [edit services ipsec-vpn]
Release Information
    Statement introduced in Junos OS Release 8.5.
Description
    Clear IPsec security associations (SAs) when the corresponding PIC restarts or is taken offline.
Usage Guidelines
    See “Clearing Security Associations” on page 332.
Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

description

Syntax
    description description;
Hierarchy Level
    [edit services ipsec-vpn ike policy policy-name],
    [edit services ipsec-vpn ike proposal proposal-name],
    [edit services ipsec-vpn ipsec policy policy-name],
    [edit services ipsec-vpn ipsec proposal proposal-name]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Specify the text description for an IKE or IPsec policy or proposal.
Usage Guidelines
    See “Configuring the Description for an IKE Policy” on page 339, “Configuring the Description for an IPsec Proposal” on page 342, and “Configuring the Description for an IPsec Policy” on page 344.
Required Privilege Level
    admin—To view this statement in the configuration.
    admin-control—To add this statement to the configuration.

destination-address

Syntax
    destination-address address;
Hierarchy Level
    [edit services ipsec-vpn rule rule-name term term-name from]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Specify the destination address for rule matching.
Options
    address—Destination IP address.
Usage Guidelines
    See “Configuring Match Conditions in IPsec Rules” on page 348.
Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

dh-group

Syntax
    dh-group (group1 | group2 | group5 | group14);
Hierarchy Level
    [edit services ipsec-vpn ike proposal proposal-name]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Configure the IKE Diffie-Hellman prime modulus group to use for performing the new Diffie-Hellman exchange.
Options
    group1—768-bit.
    group2—1024-bit.
    group5—1536-bit.
    group14—2048-bit.
Usage Guidelines
    See “Configuring the Diffie-Hellman Group for an IKE Proposal” on page 334.
Required Privilege Level
    admin—To view this statement in the configuration.
    admin-control—To add this statement to the configuration.

direction

Syntax
    direction (inbound | outbound | bidirectional) {
        protocol (ah | bundle | esp);
        spi spi-value;
        auxiliary-spi spi-value;
        authentication {
            algorithm (hmac-md5-96 | hmac-sha1-96);
            key (ascii-text key | hexadecimal key);
        }
        encryption {
            algorithm algorithm;
            key (ascii-text key | hexadecimal key);
        }
    }
Hierarchy Level
    [edit services ipsec-vpn rule rule-name term term-name then manual]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Specify the direction in which manual SAs are applied.
Options
    inbound—Apply the SA on inbound traffic.
    outbound—Apply the SA on outbound traffic.
    bidirectional—Apply the SA in both directions.
    The remaining statements are explained separately.
Usage Guidelines
    See “Configuring Match Direction for IPsec Rules” on page 347.
Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

dynamic

Syntax
    dynamic {
        ike-policy policy-name;
        ipsec-policy policy-name;
    }
Hierarchy Level
    [edit services ipsec-vpn rule rule-name term term-name then]
Release Information
    Statement introduced before Junos OS Release 7.4.
Description
    Define a dynamic IPsec SA.
Options
    ike-policy policy-name—Name of the IKE policy. This statement is optional for the non-preshared-key authentication method. For digital signature-based authentication, this statement is optional and the default policy is used if none is supplied.
    ipsec-policy policy-name—Name of the IPsec policy. This statement is optional and the default policy is used if none is supplied.
Usage Guidelines
    See “Configuring Dynamic Security Associations” on page 331.
Required Privilege Level
    admin—To view this statement in the configuration.
    admin-control—To add this statement to the configuration.

encryption

Syntax
    encryption {
        algorithm algorithm;
        key (ascii-text key | hexadecimal key);
    }
Hierarchy Level
    [edit services ipsec-vpn rule rule-name term term-name then manual direction direction]
Release Information
    Statement introduced before Junos OS Release 7.4. aes-128-cbc, aes-192-cbc, and aes-256-cbc options added in Junos OS Release 7.6.
Description
    Configure an encryption algorithm and key for a manual SA.
Options
    algorithm—Type of encryption algorithm. The algorithm can be one of the following:
    • des-cbc—Has a block size of 8 bytes (64 bits); the key size is 48 bits long.
    • 3des-cbc—Has a block size of 8 bytes (64 bits); the key size is 192 bits long.
      NOTE: For 3des-cbc, the first 8 bytes should differ from the second 8 bytes, and the second 8 bytes should be the same as the third 8 bytes.
    • aes-128-cbc—Advanced Encryption Standard (AES) 128-bit encryption algorithm.
    • aes-192-cbc—Advanced Encryption Standard (AES) 192-bit encryption algorithm.
    • aes-256-cbc—Advanced Encryption Standard (AES) 256-bit encryption algorithm.
    key—Type of encryption key. The key can be one of the following:
    • ascii-text—ASCII text key. Following are the key lengths, in ASCII characters, for the different encryption options:
      • des-cbc option, 8 ASCII characters
      • 3des-cbc option, 24 ASCII characters
      • aes-128-cbc option, 16 ASCII characters
      • aes-192-cbc option, 24 ASCII characters
      • aes-256-cbc option, 32 ASCII characters
    • hexadecimal—Hexadecimal key. Following are the key lengths, in hexadecimal characters, for the different encryption options:
      • des-cbc option, 16 hexadecimal characters
      • 3des-cbc option, 48 hexadecimal characters
      • aes-128-cbc option, 32 hexadecimal characters
      • aes-192-cbc option, 48 hexadecimal characters
      • aes-256-cbc option, 64 hexadecimal characters
Usage Guidelines
    See “Configuring Encryption for a Manual IPsec SA” on page 330.
Required Privilege Level
    admin—To view this statement in the configuration.
    admin-control—To add this statement to the configuration.

encryption-algorithm

Syntax
    encryption-algorithm algorithm;
Hierarchy Level
    [edit services ipsec-vpn ike proposal proposal-name],
    [edit services ipsec-vpn ipsec proposal proposal-name]
Release Information
    Statement introduced before Junos OS Release 7.4. aes-128-cbc, aes-192-cbc, and aes-256-cbc options added in Junos OS Release 7.6.
Description
    Configure an IKE or IPsec encryption algorithm.
Options
    des-cbc—Has a block size of 8 bytes; the key size is 48 bits long.
    3des-cbc—Has a block size of 24 bytes; the key size is 192 bits long.
    aes-128-cbc—Advanced Encryption Standard (AES) 128-bit encryption algorithm.
    aes-192-cbc—Advanced Encryption Standard (AES) 192-bit encryption algorithm.
    aes-256-cbc—Advanced Encryption Standard (AES) 256-bit encryption algorithm.
Usage Guidelines
    See “Configuring the Encryption Algorithm for an IKE Proposal” on page 334 and “Configuring the Encryption Algorithm for an IPsec Proposal” on page 342.
Required Privilege Level
    system—To view this statement in the configuration.
    system-control—To add this statement to the configuration.

from

Syntax
from {
    destination-address address;
    ipsec-inside-interface interface-name;
    source-address address;
}

Hierarchy Level
[edit services ipsec-vpn rule rule-name term term-name]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Specify input conditions for the IPsec term.

Options
For information on match conditions, see the description of firewall filter match conditions in the Junos OS Routing Policy Configuration Guide. The remaining statements are explained separately.

Usage Guidelines
See “Configuring Match Direction for IPsec Rules” on page 347.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

ike

Syntax
ike {
    proposal proposal-name {
        authentication-algorithm (md5 | sha1 | sha-256);
        authentication-method (dsa-signatures | pre-shared-keys | rsa-signatures);
        description description;
        dh-group (group1 | group2 | group5 | group14);
        encryption-algorithm algorithm;
        lifetime-seconds seconds;
    }
    policy policy-name {
        description description;
        local-certificate identifier;
        local-id (ipv4_addr ipv4-address | ipv6_addr ipv6-address | key_id identifier);
        mode (aggressive | main);
        pre-shared-key (ascii-text key | hexadecimal key);
        proposals [ proposal-names ];
        remote-id {
            any-remote-id;
            ipv4_addr [ values ];
            ipv6_addr [ values ];
            key_id [ values ];
        }
        version (1 | 2);
    }
}

Hierarchy Level
[edit services ipsec-vpn]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Configure IKE. The statements are explained separately.

Usage Guidelines
See “Configuring IKE Proposals” on page 332 and “Configuring IKE Policies” on page 335.

Required Privilege Level
system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

initiate-dead-peer-detection

Syntax
initiate-dead-peer-detection;

Hierarchy Level
[edit services ipsec-vpn rule rule-name term term-name then]

Release Information
Statement introduced in Junos OS Release 9.2.

Description
Enable triggering of dead peer detection (DPD) Hello messages to the remote peer for the specified tunnel.

Usage Guidelines
See “Configuring Destination Addresses for Dead Peer Detection” on page 350.

Required Privilege Level
system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation
• backup-remote-gateway on page 381

ipsec

Syntax
ipsec {
    proposal proposal-name {
        authentication-algorithm (hmac-md5-96 | hmac-sha1-96);
        description description;
        encryption-algorithm algorithm;
        lifetime-seconds seconds;
        protocol (ah | esp | bundle);
    }
    policy policy-name {
        description description;
        perfect-forward-secrecy {
            keys (group1 | group2 | group5 | group14);
        }
        proposals [ proposal-names ];
    }
}

Hierarchy Level
[edit services ipsec-vpn]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Configure IPsec. The statements are explained separately.

Usage Guidelines
See “Configuring Security Associations” on page 326.

Required Privilege Level
system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

ipsec-inside-interface

Syntax
ipsec-inside-interface interface-name;

Hierarchy Level
[edit services ipsec-vpn rule rule-name term term-name from]

Release Information
Statement introduced in Junos OS Release 7.4.

Description
Specify the interface name for next-hop-style service sets. This statement is optional. This value is also implicitly generated in dynamic endpoint tunneling.

Options
interface-name—Service interface for the internal network.

Usage Guidelines
See “Configuring Match Conditions in IPsec Rules” on page 348 or “Configuring Dynamic Endpoints for IPsec Tunnels” on page 353.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

lifetime-seconds

Syntax
lifetime-seconds seconds;

Hierarchy Level
[edit services ipsec-vpn ike proposal proposal-name],
[edit services ipsec-vpn ipsec proposal proposal-name]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Configure the lifetime of an IKE or IPsec SA.

Options
seconds—Lifetime, in seconds.
Default: 3600 seconds (IKE), 28,800 seconds (IPsec)
Range: 180 through 86,400

Usage Guidelines
See “Configuring the Lifetime for an IKE SA” on page 335 and “Configuring the Lifetime for an IPsec SA” on page 342.

Required Privilege Level
system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

local-certificate

Syntax
local-certificate identifier;

Hierarchy Level
[edit services ipsec-vpn ike policy policy-name]

Release Information
Statement introduced in Junos OS Release 7.5.

Description
Name of the certificate that needs to be sent to the peer during the IKE authentication phase.

Options
identifier—Name of certificate.

Usage Guidelines
See “Configuring the Local Certificate for an IKE Policy” on page 338.

Required Privilege Level
system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

local-id

Syntax
local-id (ipv4_addr ipv4-address | ipv6_addr ipv6-address | key_id identifier);

Hierarchy Level
[edit services ipsec-vpn ike policy policy-name]

Release Information
Statement introduced before Junos OS Release 7.4.
ipv6_addr option added in Junos OS Release 7.6.

Description
Specify local identifiers for IKE Phase 1 negotiation. This statement is optional.

Options
ipv4_addr ipv4-address—IPv4 address identification value.
ipv6_addr ipv6-address—IPv6 address identification value.
key_id identifier—Key identification value.

Usage Guidelines
See “Configuring Local and Remote IDs for IKE Phase 1 Negotiation” on page 339.

Required Privilege Level
system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

manual

Syntax
manual {
    direction (inbound | outbound | bidirectional) {
        authentication {
            algorithm (hmac-md5-96 | hmac-sha1-96);
            key (ascii-text key | hexadecimal key);
        }
        auxiliary-spi spi-value;
        encryption {
            algorithm algorithm;
            key (ascii-text key | hexadecimal key);
        }
        protocol (ah | esp | bundle);
        spi spi-value;
    }
}

Hierarchy Level
[edit services ipsec-vpn rule rule-name term term-name then]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Define a manual IPsec SA. The remaining statements are explained separately.

Usage Guidelines
See “Configuring Manual Security Associations” on page 327.

Required Privilege Level
admin—To view this statement in the configuration.
admin-control—To add this statement to the configuration.

match-direction

Syntax
match-direction (input | output);

Hierarchy Level
[edit services ipsec-vpn rule rule-name]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Specify the direction in which the rule match is applied.

Options
input—Apply the rule match on input.
output—Apply the rule match on output.

Usage Guidelines
See “Configuring Match Direction for IPsec Rules” on page 347.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.
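The following configuration shows the manual, encryption, protocol and spi statements summarized above combined into one manually keyed SA. It is an added example, not taken from this guide: the rule and term names, the 10.0.0.0/8 inside prefixes, the 198.51.100.2 gateway address, the SPI value and both keys are constructed for illustration. The 64-hexadecimal-character aes-256-cbc key length comes from the encryption statement table; the 40-hexadecimal-character hmac-sha1-96 key length is assumed from the authentication statement, which is documented separately. The peer must be configured with the same SPI, algorithms and keys.

```junos
/* Added example; names, addresses, SPI and keys are placeholders. */
[edit services ipsec-vpn]
rule manual-vpn-1 {
    match-direction input;
    term to-branch {
        from {
            source-address 10.1.0.0/16;
            destination-address 10.2.0.0/16;
        }
        then {
            remote-gateway 198.51.100.2;
            manual {
                /* bidirectional applies the same SPI and keys to inbound and outbound traffic. */
                direction bidirectional {
                    protocol esp;
                    /* spi must fall within 256 through 16,639; auxiliary-spi is only needed with protocol bundle. */
                    spi 1025;
                    authentication {
                        algorithm hmac-sha1-96;
                        /* 40 hexadecimal characters = 160-bit key (assumed length, see lead-in). */
                        key hexadecimal 0123456789abcdef0123456789abcdef01234567;
                    }
                    encryption {
                        algorithm aes-256-cbc;
                        /* 64 hexadecimal characters = 256-bit key, per the encryption statement table. */
                        key hexadecimal 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff;
                    }
                }
            }
            syslog;
        }
    }
}
rule-set manual-vpn {
    rule manual-vpn-1;
}
```

Generate real keys from a cryptographic random source rather than from a pattern like the placeholders above, and use a different key for every SA; because a manual SA never rekeys, an exposed key compromises all traffic ever sent under it. If you choose 3des-cbc instead, supply 48 hexadecimal characters whose three 8-byte subkeys are all distinct, as noted under the encryption statement.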

mode

Syntax
mode (aggressive | main);

Hierarchy Level
[edit services ipsec-vpn ike policy policy-name]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Define an IKE policy mode.

Default
main

Options
main—Uses six messages, in three peer-to-peer exchanges, to establish the IKE SA. These three steps include the IKE SA negotiation, a Diffie-Hellman exchange, and authentication of the peer. Also provides identity protection.

aggressive—Takes half the number of messages of main mode, has less negotiation power, and does not provide identity protection, which occasionally causes interoperability issues for security associations. Because the identities and the authentication hash are exchanged before the Diffie-Hellman secret protects the exchange, a preshared key used with aggressive mode can be attacked offline by anyone who captures the negotiation; prefer main mode with preshared keys, or use certificate-based authentication.

Usage Guidelines
See “Configuring the Mode for an IKE Policy” on page 337.

Required Privilege Level
system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

no-anti-replay

Syntax
no-anti-replay;

Hierarchy Level
[edit services ipsec-vpn rule rule-name term term-name then]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Disable the IPsec anti-replay service. With anti-replay disabled, a captured AH or ESP packet can be re-injected and accepted by the receiver; leave the service enabled unless a peer cannot maintain consistent sequence numbers.

Usage Guidelines
See “Configuring or Disabling IPsec Anti-Replay” on page 352.

Required Privilege Level
admin—To view this statement in the configuration.
admin-control—To add this statement to the configuration.

no-ipsec-tunnel-in-traceroute

Syntax
no-ipsec-tunnel-in-traceroute;

Hierarchy Level
[edit services ipsec-vpn]

Release Information
Statement introduced in Junos OS Release 10.0.

Description
Disables displaying the IPsec tunnel endpoint in the traceroute output. The IPsec tunnel is not treated as a next hop and the TTL is not decremented. If the TTL becomes zero, the ICMP time exceeded message is not generated.

Usage Guidelines
See “Configuring or Disabling IPsec Anti-Replay” on page 352.

Required Privilege Level
admin—To view this statement in the configuration.
admin-control—To add this statement to the configuration.

perfect-forward-secrecy

Syntax
perfect-forward-secrecy {
    keys (group1 | group2 | group5 | group14);
}

Hierarchy Level
[edit services ipsec-vpn ipsec policy policy-name]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Define Perfect Forward Secrecy (PFS). Creates single-use keys. This statement is optional.

Options
keys—Type of Diffie-Hellman prime modulus group that IKE uses when performing the new Diffie-Hellman exchange. The key can be one of the following:
• group1—768-bit.
• group2—1024-bit.
• group5—1536-bit.
• group14—2048-bit.

Usage Guidelines
See “Configuring Perfect Forward Secrecy” on page 344.

Required Privilege Level
admin—To view this statement in the configuration.
admin-control—To add this statement to the configuration.

policy

See the following sections:
• policy (IKE) on page 397
• policy (IPsec) on page 398

policy (IKE)

Syntax
policy policy-name {
    description description;
    local-certificate identifier;
    local-id (ipv4_addr ipv4-address | ipv6_addr ipv6-address | key_id identifier);
    mode (aggressive | main);
    pre-shared-key (ascii-text key | hexadecimal key);
    proposals [ proposal-names ];
    remote-id {
        any-remote-id;
        ipv4_addr [ values ];
        ipv6_addr [ values ];
        key_id [ values ];
    }
    version (1 | 2);
}

Hierarchy Level
[edit services ipsec-vpn ike]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Define an IKE policy.

Options
policy-name—IKE policy name.
The remaining statements are explained separately.

Usage Guidelines
See “Configuring IKE Policies” on page 335.

Required Privilege Level
admin—To view this statement in the configuration.
admin-control—To add this statement to the configuration.

policy (IPsec)

Syntax
policy policy-name {
    description description;
    perfect-forward-secrecy {
        keys (group1 | group2 | group5 | group14);
    }
    proposals [ proposal-names ];
}

Hierarchy Level
[edit services ipsec-vpn ipsec]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Define an IPsec policy.

Options
policy-name—IPsec policy name.
The remaining statements are explained separately.

Usage Guidelines
See “Configuring IPsec Policies” on page 343.

Required Privilege Level
admin—To view this statement in the configuration.
admin-control—To add this statement to the configuration.

pre-shared-key

Syntax
pre-shared-key (ascii-text key | hexadecimal key);

Hierarchy Level
[edit services ipsec-vpn ike policy policy-name]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Define a preshared key for an IKE policy. The key can be one of the following:
• ascii-text—ASCII text key.
• hexadecimal—Hexadecimal key.

Options
key—Value of the preshared key. Use a long random value that is unique to the peer; a short or shared secret is the weakest point of preshared-key authentication.

Usage Guidelines
See “Configuring IKE Policies” on page 335.

Required Privilege Level
admin—To view this statement in the configuration.
admin-control—To add this statement to the configuration.

proposal

See the following sections:
• proposal (IKE) on page 399
• proposal (IPsec) on page 400

proposal (IKE)

Syntax
proposal proposal-name {
    authentication-algorithm (md5 | sha1 | sha-256);
    authentication-method (dsa-signatures | pre-shared-keys | rsa-signatures);
    description description;
    dh-group (group1 | group2 | group5 | group14);
    encryption-algorithm algorithm;
    lifetime-seconds seconds;
}

Hierarchy Level
[edit services ipsec-vpn ike]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Define an IKE proposal for a dynamic SA.

Options
proposal-name—IKE proposal name.
The remaining statements are explained separately.

Usage Guidelines
See “Configuring IKE Proposals” on page 332.

Required Privilege Level
admin—To view this statement in the configuration.
admin-control—To add this statement to the configuration.

proposal (IPsec)

Syntax
proposal proposal-name {
    authentication-algorithm (hmac-md5-96 | hmac-sha1-96);
    description description;
    encryption-algorithm algorithm;
    lifetime-seconds seconds;
    protocol (ah | esp | bundle);
}

Hierarchy Level
[edit services ipsec-vpn ipsec]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Define an IPsec proposal for a dynamic SA.

Options
proposal-name—IPsec proposal name.
The remaining statements are explained separately.

Usage Guidelines
See “Configuring IPsec Proposals” on page 341.

Required Privilege Level
admin—To view this statement in the configuration.
admin-control—To add this statement to the configuration.

proposals

Syntax
proposals [ proposal-names ];

Hierarchy Level
[edit services ipsec-vpn ike policy policy-name],
[edit services ipsec-vpn ipsec policy policy-name]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Define a list of proposals to include in the IKE or IPsec policy.

Options
proposal-names—List of IKE or IPsec proposal names.

Usage Guidelines
See “Configuring the Proposals in an IKE Policy” on page 337 and “Configuring the Proposals in an IPsec Policy” on page 345.

Required Privilege Level
admin—To view this statement in the configuration.
admin-control—To add this statement to the configuration.

protocol

Syntax
protocol (ah | esp | bundle);

Hierarchy Level
[edit services ipsec-vpn ipsec proposal proposal-name],
[edit services ipsec-vpn rule rule-name term term-name then manual direction direction]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Define an IPsec protocol for a dynamic or manual SA.

Options
ah—Authentication Header protocol.
esp—Encapsulating Security Payload protocol.
bundle—AH and ESP protocols.

Usage Guidelines
See “Configuring the Protocol for a Manual IPsec SA” on page 329.

Required Privilege Level
admin—To view this statement in the configuration.
admin-control—To add this statement to the configuration.

remote-gateway

Syntax
remote-gateway address;

Hierarchy Level
[edit services ipsec-vpn rule rule-name term term-name then]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Define the remote address to which the IPsec traffic is directed.

Options
address—Remote IPv4 or IPv6 address.

Usage Guidelines
See “Configuring Actions in IPsec Rules” on page 349.

Required Privilege Level
admin—To view this statement in the configuration.
admin-control—To add this statement to the configuration.

remote-id

Syntax
remote-id {
    any-remote-id;
    ipv4_addr [ values ];
    ipv6_addr [ values ];
    key_id [ values ];
}

Hierarchy Level
[edit services ipsec-vpn ike policy policy-name]

Release Information
Statement introduced before Junos OS Release 7.4.
ipv6_addr option added in Junos OS Release 7.6.
any-remote-id option added in Junos OS Release 8.2.

Description
Define the remote identification values to which the IKE policy applies.

Options
any-remote-id—Allow any remote address to connect. This option is supported only in dynamic endpoint configurations and cannot be configured along with specific values.
ipv4_addr [ values ]—Define one or more IPv4 address identification values.
ipv6_addr [ values ]—Define one or more IPv6 address identification values.
key_id [ values ]—Define one or more key identification values.

Usage Guidelines
See “Configuring Local and Remote IDs for IKE Phase 1 Negotiation” on page 339.

Required Privilege Level
admin—To view this statement in the configuration.
admin-control—To add this statement to the configuration.

rule

Syntax
rule rule-name {
    match-direction (input | output);
    term term-name {
        from {
            destination-address address;
            ipsec-inside-interface interface-name;
            source-address address;
        }
        then {
            anti-replay-window-size bits;
            backup-remote-gateway address;
            clear-dont-fragment-bit;
            dynamic {
                ike-policy policy-name;
                ipsec-policy policy-name;
            }
            initiate-dead-peer-detection;
            manual {
                direction (inbound | outbound | bidirectional) {
                    authentication {
                        algorithm (hmac-md5-96 | hmac-sha1-96);
                        key (ascii-text key | hexadecimal key);
                    }
                    auxiliary-spi spi-value;
                    encryption {
                        algorithm algorithm;
                        key (ascii-text key | hexadecimal key);
                    }
                    protocol (ah | bundle | esp);
                    spi spi-value;
                }
            }
            no-anti-replay;
            remote-gateway address;
            syslog;
            tunnel-mtu bytes;
        }
    }
}

Hierarchy Level
[edit services ipsec-vpn],
[edit services ipsec-vpn rule-set rule-set-name]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Specify the rule the router uses when applying this service.

Options
rule-name—Identifier for the collection of terms that comprise this rule.
The remaining statements are explained separately.

Usage Guidelines
See “Configuring Match Direction for IPsec Rules” on page 347.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

rule-set

Syntax
rule-set rule-set-name {
    [ rule rule-names ];
}

Hierarchy Level
[edit services ipsec-vpn]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Specify the rule set the router uses when applying this service.

Options
rule-set-name—Identifier for the collection of rules that constitute this rule set.

Usage Guidelines
See “Configuring IPsec Rule Sets” on page 353.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

services

Syntax
services ipsec-vpn {
    ...
}

Hierarchy Level
[edit]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Define the service rules to be applied to traffic.

Options
ipsec-vpn—IPsec set of rules statements.

Usage Guidelines
See IPsec Properties.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.
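The following configuration ties the ike, ipsec, dynamic, rule and rule-set statements summarized in this chapter into one dynamically keyed SA, using main mode with a preshared key, a 2048-bit Diffie-Hellman group for both Phase 1 and PFS, dead peer detection with a backup gateway, and anti-replay left at its default (enabled). It is an added example, not taken from this guide: the proposal, policy, rule and rule-set names, the 192.0.2.1 local identity, the 198.51.100.0/24 gateway addresses, the 10.0.0.0/8 inside prefixes and the preshared-key placeholder are all constructed for illustration. It assumes the rule set is referenced from a service set, which is configured outside this chapter.

```junos
/* Added example; names, addresses and the preshared key are placeholders. */
[edit services ipsec-vpn]
ike {
    proposal ike-aes256-sha256-g14 {
        authentication-method pre-shared-keys;
        dh-group group14;
        authentication-algorithm sha-256;
        encryption-algorithm aes-256-cbc;
        lifetime-seconds 3600;
    }
    policy branch-psk {
        /* Main mode keeps identities and the PSK authentication hash inside the encrypted part of the exchange. */
        mode main;
        proposals ike-aes256-sha256-g14;
        /* Placeholder; use a long random secret that is unique to this peer. Junos stores it encrypted on commit. */
        pre-shared-key ascii-text "REPLACE-WITH-A-LONG-RANDOM-SECRET";
        local-id ipv4_addr 192.0.2.1;
        remote-id {
            ipv4_addr 198.51.100.2;
        }
    }
}
ipsec {
    proposal esp-aes256-sha1 {
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm aes-256-cbc;
        lifetime-seconds 28800;
    }
    policy branch-pfs {
        /* Fresh Diffie-Hellman exchange for every Phase 2 SA, so a later Phase 1 compromise does not expose old traffic. */
        perfect-forward-secrecy {
            keys group14;
        }
        proposals esp-aes256-sha1;
    }
}
rule branch-vpn {
    match-direction input;
    term to-branch {
        from {
            source-address 10.1.0.0/16;
            destination-address 10.2.0.0/16;
        }
        then {
            remote-gateway 198.51.100.2;
            backup-remote-gateway 198.51.100.3;
            dynamic {
                ike-policy branch-psk;
                ipsec-policy branch-pfs;
            }
            /* DPD detects a dead primary gateway so traffic can move to the backup gateway. */
            initiate-dead-peer-detection;
            /* no-anti-replay is deliberately absent: the anti-replay service stays enabled. */
            syslog;
        }
    }
}
rule-set branch {
    rule branch-vpn;
}
```

The remote-id values restrict which peer identity the policy accepts; any-remote-id is only appropriate for dynamic endpoint deployments where the peers are authenticated by other means, such as certificates.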

Juniper Networks.4.Chapter 17: Summary of IPsec Services Configuration Statements source-address Syntax Hierarchy Level Release Information Description Options Usage Guidelines Required Privilege Level source-address address. Specify the source address for rule matching. [edit services ipsec-vpn rule rule-name term term-name then manual direction direction] Statement introduced before Junos OS Release 7. address—Source IP address.4. Inc. system-control—To add this statement to the configuration. interface—To view this statement in the configuration. Range: 256 through 16. Usage Guidelines Required Privilege Level See “Configuring the Security Parameter Index” on page 329. 405 . spi-value—An arbitrary value that uniquely identifies which SA to use at the receiving host (the destination address in the packet). Configure the SPI for an SA. spi Syntax Hierarchy Level Release Information Description Options spi spi-value. system—To view this statement in the configuration. interface-control—To add this statement to the configuration. Copyright © 2011. [edit services ipsec-vpn rule rule-name term term-name from] Statement introduced before Junos OS Release 7.639 NOTE: Use the auxiliary SPI when you configure the protocol statement to use the bundle option. See “Configuring Match Conditions in IPsec Rules” on page 348.

syslog

Syntax
syslog;

Hierarchy Level
[edit services ipsec-vpn rule rule-name term term-name then]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Enable system logging. The system log information for the Adaptive Services or Multiservices Physical Interface Card (PIC) is passed to the kernel for logging in the /var/log directory.

Usage Guidelines
See “Configuring Actions in IPsec Rules” on page 349.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

term

Syntax
term term-name {
    from {
        destination-address address;
        ipsec-inside-interface interface-name;
        source-address address;
    }
    then {
        anti-replay-window-size bits;
        backup-remote-gateway address;
        clear-dont-fragment-bit;
        dynamic {
            ike-policy policy-name;
            ipsec-policy policy-name;
        }
        initiate-dead-peer-detection;
        manual {
            direction (inbound | outbound | bidirectional) {
                authentication {
                    algorithm (hmac-md5-96 | hmac-sha1-96);
                    key (ascii-text key | hexadecimal key);
                }
                auxiliary-spi spi-value;
                encryption {
                    algorithm algorithm;
                    key (ascii-text key | hexadecimal key);
                }
                protocol (ah | bundle | esp);
                spi spi-value;
            }
        }
        no-anti-replay;
        remote-gateway address;
        syslog;
        tunnel-mtu bytes;
    }
}

Hierarchy Level
[edit services ipsec-vpn rule rule-name]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Define the IPsec term properties.

Options
term-name—Identifier for the term.
The remaining statements are explained separately.

Usage Guidelines
See “Configuring Match Direction for IPsec Rules” on page 347.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

then

Syntax
then {
    anti-replay-window-size bits;
    backup-remote-gateway address;
    clear-dont-fragment-bit;
    dynamic {
        ike-policy policy-name;
        ipsec-policy policy-name;
    }
    initiate-dead-peer-detection;
    manual {
        direction (inbound | outbound | bidirectional) {
            authentication {
                algorithm (hmac-md5-96 | hmac-sha1-96);
                key (ascii-text key | hexadecimal key);
            }
            auxiliary-spi spi-value;
            encryption {
                algorithm algorithm;
                key (ascii-text key | hexadecimal key);
            }
            protocol (ah | bundle | esp);
            spi spi-value;
        }
    }
    no-anti-replay;
    remote-gateway address;
    syslog;
    tunnel-mtu bytes;
}

Hierarchy Level
[edit services ipsec-vpn rule rule-name term term-name]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Define the IPsec term actions.

Options
The remaining statements are explained separately.

Usage Guidelines
See “Configuring Match Direction for IPsec Rules” on page 347.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

traceoptions

Syntax
traceoptions {
    file <filename> <files number> <match regular-expression> <size bytes> <world-readable | no-world-readable>;
    flag flag;
    level level;
    no-remote-trace;
}

Hierarchy Level
[edit services ipsec-vpn]

Release Information
Statement introduced in Junos OS Release 7.5.
level option added in Junos OS Release 10.0.

Description
Configure IPsec tracing operations. By default, messages are written to /var/log/kmd.

Options
files number—Maximum number of trace data files.
Range: 2 through 1000

flag flag—Tracing operation to perform:
• all—Trace everything.
• certificates—Trace certificates that apply to the IPsec service set.
• database—Trace security associations database events.
• general—Trace general events.
• ike—Trace IKE module processing.
• parse—Trace configuration processing.
• policy-manager—Trace policy manager processing.
• routing-socket—Trace routing socket messages.
• snmp—Trace SNMP operations.
• timer—Trace internal timer events.

level level—Key management process (kmd) tracing level. The following values are supported:
• all—Match all levels.
• error—Match error conditions.
• info—Match informational messages.
• notice—Match conditions that should be handled specially.
• verbose—Match verbose messages.
• warning—Match warning messages.

size bytes—Maximum trace file size.

Usage Guidelines
See “Tracing IPsec Operations” on page 358.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

traceoptions (PKI)

Syntax
traceoptions {
    file filename <files number> <match regular-expression> <size maximum-file-size> <world-readable | no-world-readable>;
    flag flag;
}

Hierarchy Level
[edit security pki]

Description
Configure security public key infrastructure (PKI) trace options.

Options
file filename—Name of the file to receive the output of the tracing operation. Enclose the name within quotation marks. To include the file statement, you must specify a filename. Trace option output is recorded in the /var/log/pkid file.

files number—(Optional) Maximum number of trace files. When a trace file (for example, pkid) reaches its maximum size, it is renamed pkid.0, then pkid.1, and so on, until the maximum number of trace files is reached. When the maximum number is reached, the oldest trace file is overwritten. If you specify a maximum number of files, you must also specify a maximum file size with the size option.
Range: 2 through 1000 files
Default: 2 files

flag—Trace operation to perform. To specify more than one trace operation, include multiple flag statements:
• all—Trace with all flags enabled.
• certificate-verification—Trace PKI certificate verification events.
• enrollment—PKI certificate enrollment tracing.
• online-crl-check—Trace PKI online certificate revocation list (CRL) events.

match regular-expression—(Optional) Refine the output to include lines that contain the regular expression.

size maximum-file-size—(Optional) Maximum size of each trace file, in kilobytes (KB). If you specify a maximum file size, you also must specify a maximum number of trace files with the files number option.
Default: 1024 KB

world-readable | no-world-readable—(Optional) By default, log files can be accessed only by the user who configures the tracing operation. The world-readable option enables any user to read the file. To explicitly set the default behavior, use the no-world-readable option. Key management and PKI trace files can record peer identities, certificate details and negotiation state, so leave them no-world-readable unless there is a specific need.

Required Privilege Level
trace—To view this statement in the configuration.
trace-control—To add this statement to the configuration.

tunnel-mtu

Syntax
tunnel-mtu bytes;

Hierarchy Level
[edit services ipsec-vpn rule rule-name term term-name then]

Release Information
Statement introduced in Junos OS Release 7.5.

Description
Maximum transmission unit (MTU) size for IPsec tunnels.

Options
bytes—MTU size.
Default: 1500 bytes
Range: 256 through 9192 bytes

Usage Guidelines
See “Specifying the MTU for IPsec Tunnels” on page 352.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation
• mtu on page 1287

version (IKE)

Syntax
version (1 | 2);

Hierarchy Level
[edit services ipsec-vpn ike policy policy-name]

Release Information
Statement introduced in Junos OS Release 11.4.

Description
Configure the Internet Key Exchange (IKE) version that is used to negotiate dynamic SAs for IPsec.

Options
1—Uses IKEv1.
2—Uses IKEv2.

Usage Guidelines
See “Configuring IKE Policies” on page 335.

Required Privilege Level
admin—To view this statement in the configuration.
admin-control—To add this statement to the configuration.
CHAPTER 18
Layer 2 Tunneling Protocol Services Configuration Guidelines

The Layer 2 Tunneling Protocol (L2TP) enables you to set up client services for establishing Point-to-Point Protocol (PPP) tunnels across a network and negotiating Multilink PPP if it is implemented. Multiple L2TP PPP sessions can share the same remote peer IP address, which enables you to set up redundant sessions between the same links.

• If you configure Multilink PPP, the same remote IP address can be shared across multiple bundles, because the IP address negotiation takes place on the bundle rather than on each session. If Multilink PPP is not configured, multiple sessions can share the same remote IP address.

• The last session or bundle to come up accomplishes the traffic transfer. When this session or bundle goes down, the traffic switches to the next-to-last session or bundle to come up. For example, if four sessions or bundles labeled A, B, C, and D share the same remote IP address and come up in alphabetical order, D initially handles the data transfer. If D goes down, traffic switches over to C, and so forth. If another session or bundle E subsequently comes up and has the same address, the traffic switches over to it.

To configure L2TP services, include the l2tp statement at the [edit services] hierarchy level:

[edit services]
l2tp {
    tunnel-group group-name {
        hello-interval seconds;
        hide-avps;
        l2tp-access-profile profile-name;
        local-gateway address address;
        maximum-send-window packets;
        ppp-access-profile profile-name;
        receive-window packets;
        retransmit-interval seconds;
        service-interface interface-name;
        syslog {
            host hostname {
                services severity-level;
                facility-override facility-name;
                log-prefix prefix-value;
            }
        }
        tunnel-timeout seconds;
    }
    traceoptions {
        debug-level level;
        filter {
            protocol name;
        }
        flag flag;
        interfaces interface-name {
            debug-level level;
            filter {
                protocol name;
            }
            flag flag;
        }
    }
}

NOTE: L2TP configurations on Adaptive Services and Multiservices PICs are supported only on M7i, M10i, and M120 routers.

You configure other components of this feature at the [edit access] and [edit interfaces] hierarchy levels. Those configurations are summarized in this chapter; for more information, see the Junos OS System Basics Configuration Guide or the Junos OS Network Interfaces Configuration Guide. For information about L2TP LAC and LNS configurations on MX Series routers for subscriber access, see L2TP for Subscriber Access Overview in the Junos Subscriber Access Configuration Guide.

This chapter contains the following sections:
• L2TP Services Configuration Overview on page 415
• L2TP Minimum Configuration on page 416
• Configuring L2TP Tunnel Groups on page 418
• Configuring the Identifier for Logical Interfaces that Provide L2TP Services on page 422
• AS PIC Redundancy for L2TP Services on page 424
• Tracing L2TP Operations on page 424
• Examples: Configuring L2TP Services on page 426

L2TP Services Configuration Overview

The statements for configuring L2TP services are found at the following hierarchy levels:

• [edit services l2tp tunnel-group group-name]
  The L2TP tunnel-group statement identifies an L2TP instance or L2TP server. Associated statements specify the local gateway address on which incoming tunnels and sessions are accepted, the Adaptive Services (AS) Physical Interface Card (PIC) that processes data for the sessions in this tunnel group, references to L2TP and PPP access profiles, and other attributes for configuring window sizes and timer values.

• [edit access profile profile-name client name l2tp]
  Tunnel profiles are defined at the [edit access] hierarchy level. Tunnel clients are defined with authentication, multilink negotiation and fragmentation, and other L2TP attributes in these profiles.

• [edit access profile profile-name client name ppp]
  User profiles are defined at the [edit access] hierarchy level. User clients are defined with authentication and other PPP attributes in these profiles. These client profiles are used when local authentication is specified.

• [edit access radius-server address]
  When you configure authentication-order radius at the [edit access profile profile-name] hierarchy level, you must configure a RADIUS service at the [edit access radius-server] hierarchy level.

• [edit interfaces sp-fpc/pic/port unit logical-unit-number dial-options]
  The dial-options statement includes configuration for the l2tp-interface-id statement and the shared/dedicated flag. The interface identifier associates a user session with a logical interface. Sessions can use either shared or dedicated logical interfaces. To run routing protocols, a session must use a dedicated logical interface.

NOTE: For more information about configuring properties at the [edit access] hierarchy level, see the Junos OS System Basics Configuration Guide.

For information about L2TP LAC and LNS configurations on MX Series routers for subscriber access, see L2TP for Subscriber Access Overview in the Junos Subscriber Access Configuration Guide.

L2TP Minimum Configuration

To configure L2TP services, you must perform at least the following tasks:

• Define a tunnel group at the [edit services l2tp] hierarchy level with the following attributes:

  • l2tp-access-profile—Profile name for the L2TP tunnel.
  • ppp-access-profile—Profile name for the L2TP user.
  • local-gateway—Address for the L2TP tunnel.
  • service-interface—AS PIC interface for the L2TP service.
  • Optionally, you can configure traceoptions for debugging purposes.

  The following example shows a minimum configuration for a tunnel group with trace options:

[edit services l2tp]
tunnel-group finance-lns-server {
    l2tp-access-profile westcoast_bldg_1_tunnel;
    ppp-access-profile westcoast_bldg_1;
    local-gateway {
        address 10.58.255.129;
    }
    service-interface sp-1/3/0;
}
traceoptions {
    flag all;
    filter {
        protocol udp;
        protocol l2tp;
        protocol ppp;
        protocol radius;
    }
}

• At the [edit interfaces] hierarchy level:

  • Identify the physical interface at which L2TP tunnel packets enter the router, for example ge-0/3/0.
  • Configure the AS PIC interface with unit 0 family inet defined for IP service, and configure another logical interface with family inet and the dial-options statement.

  The following example shows a minimum interfaces configuration for L2TP:

[edit interfaces]
ge-0/3/0 {
    unit 0 {
        family inet {
            address 10.58.255.129/28;
        }
    }
}

sp-1/3/0 {
    unit 0 {
        family inet;
    }
    unit 20 {
        dial-options {
            l2tp-interface-id test;
            shared;
        }
        family inet;
    }
}

• At the [edit access] hierarchy level:

  • Configure a tunnel profile. Each client specifies a unique L2TP Access Concentrator (LAC) name with an interface-id value that matches the one configured on the AS PIC interface unit. shared-secret is authentication between the LAC and the L2TP Network Server (LNS).
  • Configure a user profile. If RADIUS is used as the authentication method, it needs to be defined.
  • Define the RADIUS server with an IP address, port, and authentication data shared between the router and the RADIUS server.
  • Optionally, you can define a group profile for common attributes, for example keepalive 0 to turn off keepalive messages.

NOTE: When the L2TP Network Server (LNS) is configured with RADIUS authentication, the default behavior is to accept the preferred RADIUS-assigned IP address. Previously, the default behavior was to accept and install the nonzero peer IP address that came into the IP-Address option of the IPCP Configuration Request packet.

The following example shows a minimum profiles configuration for L2TP:

[edit access]
group-profile westcoast_users {
    ppp {
        keepalive 0;
    }
}
profile westcoast_bldg_1_tunnel {
    client production {
        l2tp {
            interface-id test;
            shared-secret "$9$n8HX6A01RhlvL1R"; # SECRET-DATA
        }
        user-group-profile westcoast_users;
    }
}
profile westcoast_bldg_1 {
    authentication-order radius;
}
radius-server {
    192.168.65.63 {
        port 1812;
        secret "$9$Vyb4ZHkPQ39mf9pORlexNdbgoZUjqP5"; # SECRET-DATA
    }
}

Configuring L2TP Tunnel Groups

To establish L2TP service on a router, you need to identify an L2TP tunnel group and specify a number of values that define which access profiles, interface addresses, and other properties to use in creating a tunnel. To identify the tunnel group, include the tunnel-group statement at the [edit services l2tp] hierarchy level:

tunnel-group group-name {
    hello-interval seconds;
    hide-avps;
    l2tp-access-profile profile-name;
    local-gateway address address;
    maximum-send-window packets;
    ppp-access-profile profile-name;
    receive-window packets;
    retransmit-interval seconds;
    service-interface interface-name;
    syslog {
        host hostname {
            services severity-level;
            facility-override facility-name;
            log-prefix prefix-value;
        }
    }
    tunnel-timeout seconds;
}

NOTE: If you delete a tunnel group or mark it inactive, all L2TP sessions in that tunnel group are terminated. If you change the value of the local-gateway address or the service-interface statement, all L2TP sessions using those settings are terminated. If you change or delete other statements at the [edit services l2tp tunnel-group group-name] hierarchy level, new tunnels you establish will use the updated values but existing tunnels and sessions are not affected.

The following sections explain how to configure L2TP tunnel groups:

• Configuring Access Profiles for L2TP Tunnel Groups on page 419
• Configuring the Local Gateway Address and PIC on page 419
• Configuring Window Size for L2TP Tunnels on page 420

• Configuring Timers for L2TP Tunnels on page 420
• Hiding Attribute-Value Pairs for L2TP Tunnels on page 420
• Configuring System Logging of L2TP Tunnel Activity on page 421

Configuring Access Profiles for L2TP Tunnel Groups

To validate L2TP connections and session requests, you set up access profiles by configuring the profile statement at the [edit access] hierarchy level. You need to configure two types of profiles:

• L2TP tunnel access profile, which validates all L2TP connection requests to the specified local gateway address
• PPP access profile, which validates all PPP session requests through L2TP tunnels established to the local gateway address

For more information on configuring the profiles, see the Junos OS System Basics Configuration Guide. A profile example is included in "Examples: Configuring L2TP Services" on page 426.

To associate the profiles with a tunnel group, include the l2tp-access-profile and ppp-access-profile statements at the [edit services l2tp tunnel-group group-name] hierarchy level:

l2tp-access-profile profile-name;
ppp-access-profile profile-name;

Configuring the Local Gateway Address and PIC

When you configure an L2TP group, you must also define a local address for the L2TP tunnel connections and the AS PIC that processes the requests:

• To configure the local gateway IP address, include the local-gateway statement at the [edit services l2tp tunnel-group group-name] hierarchy level:

local-gateway address address;

• To configure the AS PIC, include the service-interface statement at the [edit services l2tp tunnel-group group-name] hierarchy level:

service-interface sp-fpc/pic/port;

You can optionally specify the logical unit number along with the service interface. If specified, the unit is used as a logical interface representing PPP sessions negotiated using this profile.

NOTE: If you change the local gateway address or the service interface configuration, all L2TP sessions using those settings are terminated.

Dynamic class-of-service (CoS) functionality is supported on L2TP LNS sessions or L2TP sessions with ATM VCs, as long as the L2TP session is configured to use an IQ2 PIC on

Juniper Networks. include the hello-interval statement at the [edit services l2tp tunnel-group group-name] hierarchy level: hello-interval seconds.Junos 11. Inc. To change the window size. Hiding Attribute-Value Pairs for L2TP Tunnels Once an L2TP tunnel has been established and the connection authenticated. . If you configure a value of 0. To change the window size. no hello messages are sent. To configure a different value. the interval length is 120 seconds. include the maximum-send-window statement at the [edit services l2tp tunnel-group group-name] hierarchy level: maximum-send-window packets. For more information. the interval length is 60 seconds. the maximum is 16 packets. By default. • The maximum-send window size limits the other end’s receive window size. include the hide-avps statement at the [edit services l2tp tunnel-group group-name] hierarchy level: 420 Copyright © 2011. it assumes that the connection with the remote peer has been lost and deletes the tunnel. To configure a different value. By default. By default. include the retransmit-interval statement at the [edit services l2tp tunnel-group group-name] hierarchy level: retransmit-interval seconds.4 Services Interfaces Configuration Guide the egress interface. the retransmit interval length is 30 seconds. the maximum is 32 packets. Configuring Timers for L2TP Tunnels You can configure the following timer values that regulate L2TP tunnel processing: • Hello interval—If the server does not receive any messages within a specified time interval. this information is not hidden. • Retransmit interval—By default. By default. Configuring Window Size for L2TP Tunnels You can configure the maximum window size for packet processing at each end of the L2TP tunnel: • The receive window size limits the number of concurrent packets the server processes. The information is transmitted in the receive window size attribute-value pair. see the Junos OS Class of Service Configuration Guide. 
include the receive-window statement at the [edit services l2tp tunnel-group group-name] hierarchy level: receive-window packets. the router software sends a hello message to the tunnel’s remote peer. • Tunnel timeout—If the server cannot send any data through the tunnel within a specified time interval. include the tunnel-timeout statement at the [edit services l2tp tunnel-group group-name] hierarchy level: tunnel-timeout seconds. information is encoded by means of attribute-value pairs. By default. To configure a different value. To hide the attribute-value pairs once the shared secret is known.

hide-avps;

Configuring System Logging of L2TP Tunnel Activity

You can specify properties that control how system log messages are generated for L2TP services. To configure interface-wide default system logging values, include the syslog statement at the [edit services l2tp tunnel-group group-name] hierarchy level:

syslog {
    host hostname {
        services severity-level;
        facility-override facility-name;
        log-prefix prefix-value;
    }
}

Configure the host statement with a hostname or IP address that specifies the system log target server. The hostname local directs system log messages to the Routing Engine. For external system log servers, the hostname must be reachable from the same routing instance to which the initial data packet (that triggered session establishment) is delivered. You can specify only one system logging hostname.

Table 14 on page 421 lists the severity levels that you can specify in configuration statements at the [edit services l2tp tunnel-group group-name syslog host hostname] hierarchy level. The levels from emergency through info are in order from highest severity (greatest effect on functioning) to lowest.

Table 14: System Log Message Severity Levels

Severity Level    Description
any               Includes all severity levels
emergency         System panic or other condition that causes the router to stop functioning
alert             Conditions that require immediate correction, such as a corrupted system database
critical          Critical conditions, such as hard drive errors
error             Error conditions that generally have less serious consequences than errors in the emergency, alert, and critical levels
warning           Conditions that warrant monitoring
notice            Conditions that are not errors but might warrant special handling
info              Events or nonerror conditions of interest

We recommend setting the system logging severity level to error during normal operation. To monitor PIC resource usage, set the level to warning. To gather information about an
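The hide-avps statement in the section above is only meaningful once you know what "hiding" does with the tunnel's shared secret. The following Python is an added example, not Junos code and not part of this guide: it implements the AVP hiding and unhiding procedure of RFC 2661 section 4.3 and the AVP header with its H bit, using a constructed shared secret, random vector and attribute value. The names hide_avp, unhide_avp, encode_avp and demo are this example's own.

```python
"""Added example (not Junos code): the AVP hiding procedure of RFC 2661
section 4.3 that the hide-avps statement enables. Secret, random vector
and attribute values below are constructed for illustration."""
import hashlib
import os
import struct

BLOCK = 16  # MD5 digest size; the cleartext is processed in 16-octet chunks


def _keystream(attr_type, secret, random_vector, prev_cipher_block):
    """b(1) = MD5(Attribute Type + secret + RV); b(i) = MD5(secret + p(i-1))."""
    if prev_cipher_block is None:
        return hashlib.md5(struct.pack("!H", attr_type) + secret + random_vector).digest()
    return hashlib.md5(secret + prev_cipher_block).digest()


def hide_avp(attr_type, secret, random_vector, value, padding=None):
    """Hide `value`: cleartext = 2-octet original length + value + padding,
    padded to a multiple of 16 octets and XORed block by block with the
    chained MD5 keystream. `padding` is random unless supplied (for tests)."""
    clear = struct.pack("!H", len(value)) + value
    pad_len = -len(clear) % BLOCK
    padding = os.urandom(pad_len) if padding is None else padding
    if len(padding) != pad_len:
        raise ValueError(f"padding must be exactly {pad_len} octets")
    clear += padding
    hidden, prev = b"", None
    for i in range(0, len(clear), BLOCK):
        ks = _keystream(attr_type, secret, random_vector, prev)
        prev = bytes(c ^ k for c, k in zip(clear[i:i + BLOCK], ks))
        hidden += prev
    return hidden


def unhide_avp(attr_type, secret, random_vector, hidden):
    """Receiver side: regenerate the keystream from the shared secret and the
    Random Vector AVP that preceded this AVP, then strip length and padding."""
    clear, prev = b"", None
    for i in range(0, len(hidden), BLOCK):
        ks = _keystream(attr_type, secret, random_vector, prev)
        prev = hidden[i:i + BLOCK]
        clear += bytes(c ^ k for c, k in zip(prev, ks))
    (orig_len,) = struct.unpack("!H", clear[:2])
    if orig_len > len(clear) - 2:
        raise ValueError("length field exceeds payload: wrong secret or random vector?")
    return clear[2:2 + orig_len]


def encode_avp(attr_type, value, hidden, mandatory=True, vendor_id=0):
    """Build one control-message AVP (RFC 2661 section 4.1): a 16-bit field of
    M bit, H bit, 4 reserved bits and 10-bit total length, then Vendor ID,
    Attribute Type and the (possibly hidden) value."""
    length = 6 + len(value)
    if length > 1023:
        raise ValueError("AVP length exceeds 10 bits")
    flags = (0x8000 if mandatory else 0) | (0x4000 if hidden else 0) | length
    return struct.pack("!HHH", flags, vendor_id, attr_type) + value


# Constructed values for the demo; attribute type 7 is Host Name in RFC 2661.
SECRET = b"example-tunnel-secret"
RANDOM_VECTOR = bytes(range(16))


def demo():
    """Round-trip a hidden Host Name AVP; returns (hidden_value, recovered_value)."""
    hidden = hide_avp(7, SECRET, RANDOM_VECTOR, b"west-lac", padding=b"\x00" * 6)
    avp = encode_avp(7, hidden, hidden=True)
    return hidden, unhide_avp(7, SECRET, RANDOM_VECTOR, avp[6:])
```

Two points follow from the code: hiding is keyed only by the shared secret and the Random Vector AVP that travels in the clear, so its strength is entirely that of the secret configured on both ends; and a receiver with a different secret recovers a garbage length field, which is why it cannot make sense of hidden AVPs rather than seeing partially readable values.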

intrusion attack when an intrusion detection system error is detected, set the level to notice for a specific service set. To debug a configuration or log Network Address Translation (NAT) events, set the level to info. For more information about system log messages, see the Junos OS System Log Messages Reference.

To use one particular facility code for all logging to the specified system log host, include the facility-override statement at the [edit services l2tp tunnel-group group-name syslog host hostname] hierarchy level:

facility-override facility-name;

The supported facilities include: authorization, daemon, ftp, kernel, user, and local0 through local7.

To specify a text prefix for all logging to this system log host, include the log-prefix statement at the [edit services l2tp tunnel-group group-name syslog host hostname] hierarchy level:

log-prefix prefix-text;

Configuring the Identifier for Logical Interfaces that Provide L2TP Services

You can configure L2TP services on adaptive services interfaces on M7i, M10i, and M120 routers only. To configure the logical interface, include the l2tp-interface-id statement at the [edit interfaces interface-name unit logical-unit-number dial-options] hierarchy level:

l2tp-interface-id name;
(dedicated | shared);

You must configure the logical interface to be dedicated or shared. If a logical interface is dedicated, it can represent only one session at a time. A shared logical interface can have multiple sessions, to be used as a pool for several users.

The l2tp-interface-id name configured on the logical interface must be replicated at the [edit access profile name] hierarchy level:

• For a user-specific identifier, include the l2tp-interface-id statement at the [edit access profile name ppp] hierarchy level.
• For a group identifier, include the l2tp-interface-id statement at the [edit access profile name l2tp] hierarchy level.
• You can configure multiple logical interfaces with the same interface identifier.

For more information on configuring access profiles, see the Junos OS System Basics Configuration Guide.

NOTE: If you delete the dial-options statement settings configured on a logical interface, all L2TP sessions running on that interface are terminated.
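The minimum configuration and the interface-identifier rules above are cross-references between three hierarchy levels ([edit services l2tp], [edit access] and [edit interfaces]), which is where hand-edited configurations tend to break: a tunnel group naming a profile that does not exist, an interface-id with no matching dial-options unit, or authentication-order radius with no radius-server. The following Python is an added example, not Junos code and not part of this guide: a small parser for the curly-brace configuration format plus a checker for exactly those rules, run over a configuration constructed for this example and modeled on the minimum configuration in this chapter. The function names parse_junos, items and check_l2tp, and the placeholder secrets in the sample, are this example's own.

```python
"""Added example (not Junos code): cross-check the L2TP references that the
minimum-configuration and interface-identifier sections require. The sample
configuration is constructed for this example; secrets are placeholders."""

SAMPLE_CONFIG = """
interfaces {
    sp-1/3/0 {
        unit 0 {
            family inet;
        }
        unit 20 {
            dial-options {
                l2tp-interface-id test;
                shared;
            }
            family inet;
        }
    }
}
access {
    profile westcoast_bldg_1_tunnel {
        client production {
            l2tp {
                interface-id test;
                shared-secret "$9$placeholder"; ## SECRET-DATA
            }
        }
    }
    profile westcoast_bldg_1 {
        authentication-order radius;
    }
    radius-server {
        192.168.65.63 {
            port 1812;
        }
    }
}
services {
    l2tp {
        tunnel-group finance-lns-server {
            l2tp-access-profile westcoast_bldg_1_tunnel;
            ppp-access-profile westcoast_bldg_1;
            service-interface sp-1/3/0;
        }
    }
}
"""


def parse_junos(text):
    """Parse curly-brace configuration text into nested dicts:
    'key {' opens a dict, 'key;' is a leaf mapped to None."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop '## SECRET-DATA' annotations
        if not line:
            continue
        if line.endswith("{"):
            stack[-1][line[:-1].strip()] = child = {}
            stack.append(child)
        elif line == "}":
            stack.pop()
        else:
            stack[-1][line.rstrip(";")] = None
    if len(stack) != 1:
        raise ValueError("unbalanced braces in configuration")
    return root


def items(node, keyword):
    """Yield (argument, child) for every 'keyword argument' statement in node."""
    for key, child in (node or {}).items():
        parts = key.split(None, 1)
        if len(parts) == 2 and parts[0] == keyword:
            yield parts[1], child or {}


def check_l2tp(config_text):
    """Return findings as strings; an empty list means the references are consistent."""
    cfg = parse_junos(config_text)
    access, interfaces = cfg.get("access") or {}, cfg.get("interfaces") or {}
    profiles = dict(items(access, "profile"))
    findings = []
    for name, group in items((cfg.get("services") or {}).get("l2tp"), "tunnel-group"):
        for stmt in ("l2tp-access-profile", "ppp-access-profile"):
            for ref, _ in items(group, stmt):
                if ref not in profiles:
                    findings.append(f"tunnel-group {name}: {stmt} {ref} is not defined under access")
        for ifname, _ in items(group, "service-interface"):
            sp = interfaces.get(ifname)
            if sp is None:
                findings.append(f"tunnel-group {name}: service-interface {ifname} is not configured")
                continue
            if "family inet" not in (sp.get("unit 0") or {}):
                findings.append(f"{ifname}: unit 0 must carry family inet")
            ids = {iid for _, unit in items(sp, "unit")
                   for iid, _ in items(unit.get("dial-options"), "l2tp-interface-id")}
            for ref, _ in items(group, "l2tp-access-profile"):
                for client, body in items(profiles.get(ref), "client"):
                    for iid, _ in items(body.get("l2tp"), "interface-id"):
                        if iid not in ids:
                            findings.append(f"client {client}: interface-id {iid} has no matching "
                                            f"dial-options l2tp-interface-id on {ifname}")
    for pname, body in profiles.items():
        if "authentication-order radius" in body and not access.get("radius-server"):
            findings.append(f"profile {pname}: authentication-order radius but no radius-server")
    return findings
```

The checker only reads the candidate configuration text, so it can be run against a "show configuration" capture before commit; an empty result means the three hierarchy levels agree, and each finding names the statement that would leave sessions unable to come up.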

Example: Configuring Multilink PPP on a Shared Logical Interface

Multilink PPP is supported on either shared or dedicated logical interfaces. The following example can be used to configure many multilink bundles on a single shared interface:

interfaces {
    sp-1/3/0 {
        traceoptions {
            flag all;
        }
        unit 0 {
            family inet;
        }
        unit 20 {
            dial-options {
                l2tp-interface-id test;
                shared;
            }
            family inet;
        }
    }
}
access {
    profile t {
        client test {
            l2tp {
                interface-id test;
                multilink;
                shared-secret "$9$n8HX6A01RhlvL1R"; # SECRET-DATA
            }
        }
    }
    profile u {
        authentication-order radius;
    }
    radius-server {
        192.168.65.63 {
            port 1812;
            secret "$9$Vyb4ZHkPQ39mf9pORlexNdbgoZUjqP5"; # SECRET-DATA
        }
    }
}
services {
    l2tp {
        tunnel-group 1 {
            l2tp-access-profile t;
            ppp-access-profile u;
            local-gateway {
                address 10.70.1.65;
            }
            service-interface sp-1/3/0;
        }
        traceoptions {
            flag all;
            debug-level packet-dump;

            filter {
                protocol l2tp;
                protocol ppp;
                protocol radius;
            }
        }
    }
}

AS PIC Redundancy for L2TP Services

L2TP services support AS PIC redundancy. To configure redundancy, you specify a redundancy services PIC (rsp) interface in which the primary AS PIC is active and a secondary AS PIC is on standby. If the primary AS PIC fails, the secondary PIC becomes active, and all service processing is transferred to it. If the primary AS PIC is restored, it remains in standby and does not preempt the secondary AS PIC; you need to manually restore the services to the primary PIC. To determine which PIC is currently active, issue the show interfaces redundancy command. For more information, see "Configuring AS or Multiservices PIC Redundancy" on page 620. For an example configuration, see "Examples: Configuring L2TP Services" on page 426.

NOTE: On L2TP, the only service option supported is warm standby, in which one backup PIC supports multiple working PICs. Recovery times are not guaranteed, because the configuration must be completely restored on the backup PIC after a failure is detected.

As with the other AS PIC services that support warm standby, configuration is preserved and available on the new active PIC, although the protocol state needs to be reestablished. The tunnels and sessions are torn down upon switchover and need to be restarted by the LAC and PPP client. However, you can issue the request interfaces (revert | switchover) command to manually switch between primary and secondary L2TP interfaces, respectively. For information on operational mode commands, see the Junos OS Interfaces Command Reference.

Tracing L2TP Operations

Tracing operations track all AS PIC operations and record them in a log file in the /var/log directory. By default, this file is named /var/log/l2tpd.

NOTE: This topic refers to tracing L2TP LNS operations on M Series routers. To trace L2TP LAC operations on MX Series routers, see Tracing L2TP Operations for Subscriber Access.

To trace L2TP operations, include the traceoptions statement at the [edit services l2tp] hierarchy level:

traceoptions {
    debug-level level;
    file <filename> <files number> <match regular-expression> <size maximum-file-size> <world-readable | no-world-readable>;
    filter {
        protocol name;
        user-name username;
    }
    flag flag;
    interfaces interface-name {
        debug-level severity;
        flag flag;
    }
    level (all | error | info | notice | verbose | warning);
    no-remote-trace;
}

You can specify the following L2TP tracing flags:

• all—Trace everything.
• configuration—Trace configuration events.
• protocol—Trace routing protocol events.
• routing-socket—Trace routing socket events.
• rpd—Trace routing protocol process events.

To configure a trace level, include the debug-level statement at the [edit services l2tp traceoptions] hierarchy level and specify one of the following values:

• detail—Detailed debug information
• error—Errors only
• packet-dump—Packet decoding information

You can filter by protocol. You can specify a trace level for PPP, L2TP, RADIUS, and User Datagram Protocol (UDP) tracing. To configure filters, include the filter protocol statement at the [edit services l2tp traceoptions] hierarchy level and specify one or more of the following protocol values:

• ppp
• l2tp
• radius
• udp

To implement filtering by protocol name, you must also configure either flag protocol or flag all.

You can also configure traceoptions for L2TP on a specific adaptive services interface. To configure per-interface tracing, include the interfaces statement at the [edit services l2tp traceoptions] hierarchy level:

interfaces interface-name {
    debug-level level;
    flag flag;
}

You can specify the debug-level and flag statements for the interface, but the options are slightly different from the general L2TP traceoptions. You specify the debug level as detail, error, or extensive, which provides complete PIC debug information. The following flags are available:

• all—Trace everything.
• ipc—Trace L2TP Inter-Process Communication (IPC) messages between the PIC and the Routing Engine.
• packet-dump—Dump each packet's content based on debug level.
• protocol—Trace L2TP, PPP, and multilink handling.
• system—Trace packet processing on the PIC.

NOTE: Implementing traceoptions consumes CPU resources and affects the packet processing performance.

Examples: Configuring L2TP Services

Configure L2TP with multiple group and user profiles and a pool of logical interfaces for concurrent tunnel sessions:

[edit access]
address-pool customer_a {
    address 10.65.1.1/32;
}
address-pool customer_b {
    address-range low 10.65.2.1 high 10.65.2.5;
}
group-profile sunnyvale_users {
    ppp {
        framed-pool customer_a;
        idle-timeout 15;
        interface-id west;
        primary-dns 192.168.65.1;
        secondary-dns 192.168.65.2;
        primary-wins 192.168.65.3;
        secondary-wins 192.168.65.4;
    }
}
group-profile eastcoast_users {
    ppp {
        framed-pool customer_b;
        idle-timeout 20;
        interface-id east;
        primary-dns 192.168.65.5;
        secondary-dns 192.168.65.6;
        primary-wins 192.168.65.7;

        secondary-wins 192.168.65.8;
    }
}
group-profile sunnyvale_tunnel {
    l2tp {
        maximum-sessions-per-tunnel 100;
        interface-id west_shared;
    }
}
group-profile east_tunnel {
    l2tp {
        maximum-sessions-per-tunnel 125;
        interface-id east_shared;
    }
}
profile sunnyvale_bldg_1 {
    client white {
        chap-secret "$9$3s2690IeK8X7VKM7VwgaJn/Ctu1hclv87Ct87"; # SECRET-DATA
        group-profile sunnyvale_users;
        ppp {
            idle-timeout 22;
            interface-id west_shared;
            framed-ip-address 10.65.12.12/32;
            primary-dns 192.168.65.1;
        }
    }
    client blue {
        chap-secret "$9$eq1KWxbwgZUHNdjqmTF3uO1Rhr-dsoJDNd"; # SECRET-DATA
        group-profile sunnyvale_users;
        ppp {
            interface-id east;
        }
    }
    authentication-order password;
}
profile sunnyvale_bldg_1_tunnel {
    client test {
        l2tp {
            shared-secret "$9$r3HKvLg4ZUDkX7JGjif5p0BIRS8LN"; # SECRET-DATA
            maximum-sessions-per-tunnel 75;
            ppp-authentication chap;
            interface-id east;
        }
        group-profile sunnyvale_tunnel;
    }
    client production {
        l2tp {
            shared-secret "$9$R2QErv8X-goGylVwg4jiTz36/t0BEleWFnRhrlXxbs2aJDHqf3nCP5"; # SECRET-DATA
            ppp-authentication chap;
        }
        group-profile sunnyvale_tunnel;
    }
}

[edit services]
l2tp {
    tunnel-group finance-lns-server {
        l2tp-access-profile sunnyvale_bldg_1_tunnel;

        ppp-access-profile sunnyvale_bldg_1;
        local-gateway {
            address 10.1.117.3;
        }
        service-interface sp-1/3/0;
        maximum-send-window 1200;
        receive-window 1500;
        retransmit-interval 5;
        hello-interval 15;
        tunnel-timeout 55;
    }
    traceoptions {
        flag all;
    }
}

[edit interfaces sp-1/3/0]
unit 0 {
    family inet;
}
unit 10 {
    dial-options {
        l2tp-interface-id foo-user;
        dedicated;
    }
    family inet;
}
unit 11 {
    dial-options {
        l2tp-interface-id east;
        dedicated;
    }
    family inet;
}
unit 12 {
    dial-options {
        l2tp-interface-id east;
        dedicated;
    }
    family inet;
}
unit 21 {
    dial-options {
        l2tp-interface-id west;
        dedicated;
    }
    family inet;
}
unit 30 {
    dial-options {
        l2tp-interface-id west_shared;
        shared;
    }
    family inet;
}
unit 40 {
    dial-options {

        l2tp-interface-id east_shared;
        shared;
    }
    family inet;
}
unit 11 {
    dial-options {
        l2tp-interface-id east_shared;
        shared;
    }
    family inet;
}

Configure L2TP redundancy:

interfaces {
    rsp0 {
        redundancy-options {
            primary sp-0/0/0;
            secondary sp-1/3/0;
        }
        unit 0 {
            family inet;
        }
    }
}


CHAPTER 19

Summary of Layer 2 Tunneling Protocol Configuration Statements

The following sections explain each of the Layer 2 Tunneling Protocol (L2TP) statements. The statements are organized alphabetically.

facility-override

Syntax
facility-override facility-name;

Hierarchy Level
[edit services l2tp tunnel-group group-name syslog host hostname]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Override the default facility for system log reporting.

Options
facility-name—Name of the facility that overrides the default assignment. Valid entries include: authorization, daemon, ftp, kernel, local0 through local7, user.

Usage Guidelines
See "Configuring System Logging of L2TP Tunnel Activity" on page 421.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

hello-interval

Syntax
hello-interval seconds;

Hierarchy Level
[edit services l2tp tunnel-group name]

Release Information
Statement introduced before Junos OS Release 7.4. Support for MX Series routers introduced in Junos OS Release 11.4. Not all subordinate statements are supported for L2TP LNS on MX Series routers.

Description
Specify the keepalive timer for L2TP tunnels.

Options
seconds—Interval, in seconds, after which the server sends a hello message if no messages are received. A value of 0 means that no hello messages are sent.
Default: 60 seconds

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation
• (M Series routers) Configuring Timers for L2TP Tunnels on page 420
• (MX Series routers) Configuring an L2TP Tunnel Group for LNS Sessions with Inline Services Interfaces

hide-avps

Syntax
hide-avps;

Hierarchy Level
[edit services l2tp tunnel-group name]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Hide L2TP attribute-value pairs if the secret shared between the two ends of the tunnel is known.

NOTE: This statement is not supported for L2TP LNS on MX Series routers.

Default
Attribute-value pairs that can be hidden are exposed, even if the secret information is known.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation
• Hiding Attribute-Value Pairs for L2TP Tunnels on page 420

host

Syntax
host hostname {
    services severity-level;
    facility-override facility-name;
    log-prefix prefix-value;
}

Hierarchy Level
[edit services l2tp tunnel-group group-name syslog]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Specify the hostname for the system logging utility. This can be the local Routing Engine or an external server address. The remaining statements are explained separately.

Options
hostname—Name of the system logging utility host machine.

Usage Guidelines
See "Configuring System Logging of L2TP Tunnel Activity" on page 421.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

l2tp-access-profile

Syntax
l2tp-access-profile profile-name;

Hierarchy Level
[edit services l2tp tunnel-group name]

Release Information
Statement introduced before Junos OS Release 7.4. Support for MX Series routers introduced in Junos OS Release 11.4.

Description
Specify the profile used to validate all L2TP connection requests to the local gateway address.

Options
profile-name—Identifier for the L2TP connection profile.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation
• (M Series routers) Configuring Access Profiles for L2TP Tunnel Groups on page 419
• (MX Series routers) Configuring an L2TP Access Profile on the LNS

local-gateway address

Syntax
local-gateway address address;

Hierarchy Level
[edit services l2tp tunnel-group name]

Release Information
Statement introduced before Junos OS Release 7.4. Support for MX Series routers introduced in Junos OS Release 11.4.

Description
Specify the local (LNS) IP address for L2TP tunnel. The address corresponds to the IP address that is used by LACs to identify the LNS. When the LAC is an MX Series router, this address matches the remote gateway address configured in the LAC tunnel profile.

Options
address—Local IP address.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation
• (M7i, M10i, M120 routers) Configuring the Local Gateway Address and PIC on page 419
• (M Series routers) Configuring L2TP Tunnel Groups on page 418
• (MX Series routers) Configuring an L2TP Tunnel Group for LNS Sessions with Inline Services Interfaces

log-prefix

Syntax
log-prefix prefix-value;

Hierarchy Level
[edit services l2tp tunnel-group group-name syslog host hostname]

Release Information
Statement introduced before Junos OS Release 7.4.

Description
Set the system logging prefix value.

Options
prefix-value—System logging prefix value.

Usage Guidelines
See "Configuring System Logging of L2TP Tunnel Activity" on page 421.

Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

maximum-send-window

Syntax
    maximum-send-window packets;

Hierarchy Level
    [edit services l2tp tunnel-group name]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Specify the size of the send window for L2TP tunnels, which limits the remote end's receive window size.

    NOTE: This statement is not supported for L2TP LNS on MX Series routers.

Options
    packets—Maximum number of packets the send window can hold at one time.
    Default: 32

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • Configuring Window Size for L2TP Tunnels on page 420

ppp-access-profile

Syntax
    ppp-access-profile profile-name;

Hierarchy Level
    [edit services l2tp tunnel-group name]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Specify the profile used to validate all Point-to-Point Protocol (PPP) session requests through L2TP tunnels established to the local gateway address.

    NOTE: This statement is not supported for L2TP LNS on MX Series routers.

Options
    profile-name—Identifier for the PPP profile.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • Configuring Access Profiles for L2TP Tunnel Groups on page 419

receive-window

Syntax
    receive-window packets;

Hierarchy Level
    [edit services l2tp tunnel-group name]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Specify the size of the receive window for L2TP tunnels, which limits the number of packets the server processes concurrently.

    NOTE: This statement is not supported for L2TP LNS on MX Series routers.

Options
    packets—Maximum number of packets the receive window can hold at one time.
    Default: 16

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • Configuring Window Size for L2TP Tunnels on page 420

retransmit-interval

Syntax
    retransmit-interval seconds;

Hierarchy Level
    [edit services l2tp tunnel-group name]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Specify the maximum retransmit interval for L2TP tunnels.

    NOTE: This statement is not supported for L2TP LNS on MX Series routers.

Options
    seconds—Interval, in seconds, after which the server retransmits data if no acknowledgment is received.
    Default: 30 seconds

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • Configuring Timers for L2TP Tunnels on page 420

service-interface

Syntax
    service-interface interface-name;

Hierarchy Level
    [edit services l2tp tunnel-group name]

Release Information
    Statement introduced before Junos OS Release 7.4.
    Option si-fpc/pic/port introduced in Junos OS Release 11.4.

Description
    Specify the service interface responsible for handling L2TP processing.

    NOTE: On MX Series routers, the service interface configuration is required for static LNS sessions. Either the service interface configuration or the service device pool configuration can be used for dynamic LNS sessions.

Options
    interface-name—Name of the service interface. The interface type depends on the line card as follows:
        • sp-fpc/pic/port—On AS or Multiservices PICs on M7i, M10i, and M120 routers.
        • si-fpc/pic/port—On MPCs on MX Series routers.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • (M7i, M10i, and M120 routers) Configuring the Local Gateway Address and PIC on page 419
    • (MX Series routers) Configuring an L2TP Tunnel Group for LNS Sessions with Inline Services Interfaces

services

See the following sections:
    • services (Hierarchy) on page 438
    • services (L2TP System Logging) on page 439

services (Hierarchy)

Syntax
    services l2tp {
        ...
    }

Hierarchy Level
    [edit]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Define the service properties to be applied to traffic.

Options
    l2tp—Identifies the L2TP set of services statements.

Usage Guidelines
    See "L2TP Services Configuration Overview" on page 415.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

services (L2TP System Logging)

Syntax
    services severity-level;

Hierarchy Level
    [edit services l2tp tunnel-group group-name syslog host hostname]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Specify the system logging severity level.

Options
    severity-level—Assigns a severity level to the facility. Valid entries include:
        • alert—Conditions that should be corrected immediately.
        • any—Matches any level.
        • critical—Critical conditions.
        • emergency—Panic conditions.
        • error—Error conditions.
        • info—Informational messages.
        • notice—Conditions that require special handling.
        • warning—Warning messages.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • Configuring System Logging of L2TP Tunnel Activity on page 421

syslog

Syntax
    syslog {
        host hostname {
            services severity-level;
            facility-override facility-name;
            log-prefix prefix-value;
        }
    }

Hierarchy Level
    [edit services l2tp tunnel-group group-name]

Release Information
    Statement introduced before Junos OS Release 7.4.

Description
    Configure the generation of system log messages for L2TP services. System log information is passed to the kernel for logging in the /var/log/l2tpd directory.

    NOTE: This statement is not supported for L2TP LNS on MX Series routers.

Options
    The remaining statements are described separately.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • Configuring System Logging of L2TP Tunnel Activity on page 421

traceoptions (L2TP)

Syntax
    traceoptions {
        debug-level level;
        file filename <files number> <match regular-expression> <size maximum-file-size> <world-readable | no-world-readable>;
        filter {
            protocol name;
            user-name username;
        }
        flag flag;
        interfaces interface-name {
            debug-level level;
            flag flag;
        }
        level (all | error | info | notice | verbose | warning);
        no-remote-trace;
    }

Hierarchy Level
    [edit services l2tp]

Release Information
    Statement introduced before Junos OS Release 7.4.
    Support for L2TP LAC on MX Series routers introduced in Junos OS Release 10.4.
    Support for L2TP LNS on MX Series routers introduced in Junos OS Release 11.4.

Description
    Define tracing operations for L2TP processes.

Options
    debug-level level—Trace level for PPP, L2TP, RADIUS, and UDP; this option does not apply to L2TP on MX Series routers:
        • detail—Trace detailed debug information.
        • error—Trace error information.
        • packet-dump—Trace packet decoding information.

    file filename—Name of the file to receive the output of the tracing operation. Enclose the name within quotation marks. All files are placed in the directory /var/log.

    files number—(Optional) Maximum number of trace files to create before overwriting the oldest one. If you specify a maximum number of files, you also must specify a maximum file size with the size option.
        Range: 2 through 1000
        Default: 3 files

    filter protocol name—Additional filter for the specified protocol; this option does not apply to L2TP on MX Series routers:
        • l2tp
        • ppp
        • radius
        • udp

    filter user-name username—Additional filter for the specified username; this option does not apply to L2TP on MX Series routers.

    flag flag—Tracing operation to perform. To specify more than one tracing operation, include multiple flag statements. You can include the following flags:
        • all—Trace all operations.
        • configuration—Trace configuration events.
        • events—Trace interface events.
        • general—Trace general events.
        • gres—Trace GRES events.
        • init—Trace daemon initialization.
        • ipc-rx—Trace IPC receive events.
        • ipc-tx—Trace IPC transmit events.
        • memory—Trace memory management code.
        • message—Trace message processing code.
        • packet-error—Trace packet error events.
        • parse—Trace parsing events.
        • protocol—Trace L2TP events.
        • receive-packets—Trace received L2TP packets.
        • routing-process—Trace routing process interactions.
        • routing-socket—Trace routing socket events.
        • session-db—Trace session database interactions.
        • states—Trace state machine events.
        • timer—Trace timer events.
        • transmit-packets—Trace transmitted L2TP packets.
        • tunnel—Trace tunnel events.

    interfaces interface-name—Apply L2TP traceoptions to a specific services interface. This option does not apply to L2TP on MX Series routers.
        • debug-level level—Trace level for the interface:
            • detail—Trace detailed debug information.
            • error—Trace error information.
            • extensive—Trace all PIC debug information.
            • packet-dump—Dump each packet content based on debug level.
        • flag flag—Tracing operation to perform for the interface. To specify more than one tracing operation, include multiple flag statements. You can include the following flags:
            • all—Trace everything.
            • ipc—Trace L2TP Inter-Process Communication (IPC) messages between the PIC and the Routing Engine.
            • protocol—Trace L2TP, PPP, and multilink handling.
            • system—Trace packet processing on the PIC.

    level—Specify level of tracing to perform. This option does not apply to L2TP on MX Series routers. You can specify any of the following levels:
        • all—Match all levels.
        • error—Match error conditions.
        • info—Match informational messages.
        • notice—Match notice messages about conditions requiring special handling.
        • verbose—Match verbose messages.
        • warning—Match warning messages.

    match regular-expression—(Optional) Refine the output to include lines that contain the regular expression.

    no-remote-trace—Disable remote tracing.

    size maximum-file-size—(Optional) Maximum size of each trace file. By default, the number entered is treated as bytes. Alternatively, you can include a suffix to the number to indicate kilobytes (KB), megabytes (MB), or gigabytes (GB). If you specify a maximum file size, you also must specify a maximum number of trace files with the files option.
        Syntax: sizek to specify KB, sizem to specify MB, or sizeg to specify GB
        Range: 10240 through 1073741824

    world-readable—(Optional) Enable unrestricted file access.

    no-world-readable—(Optional) Disable unrestricted file access.

Required Privilege Level
    trace—To view this statement in the configuration.
    trace-control—To add this statement to the configuration.

Related Documentation
    • For information about L2TP tracing on MX Series routers, see Tracing L2TP Operations for Subscriber Access.
    • For information about L2TP tracing on M Series routers, see Tracing L2TP Operations on page 424.

tunnel-group

Syntax
    tunnel-group group-name {
        aaa-access-profile profile-name;
        dynamic-profile profile-name;
        hello-interval seconds;
        hide-avps;
        l2tp-access-profile profile-name;
        local-gateway address address;
        maximum-send-window packets;
        ppp-access-profile profile-name;
        receive-window packets;
        retransmit-interval seconds;
        service-device-pool pool-name;
        service-interface interface-name;
        syslog {
            host hostname {
                services severity-level;
                facility-override facility-name;
                log-prefix prefix-value;
            }
        }
        tos-reflect;
        tunnel-timeout seconds;
    }

Hierarchy Level
    [edit services l2tp]

Release Information
    Statement introduced before Junos OS Release 7.4.
    Support for MX Series routers and the aaa-access-profile, dynamic-profile, service-device-pool, and tos-reflect statements introduced in Junos OS Release 11.4.

Description
    Specify the L2TP tunnel properties.

    NOTE: Subordinate statement support depends on the platform. See individual statement topics for more detailed support information.

Options
    group-name—Identifier for the tunnel group.
    The remaining statements are explained separately.

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • (M7i, M10i, and M120 routers) Configuring L2TP Tunnel Groups on page 418
    • (MX Series routers) Configuring an L2TP Tunnel Group for LNS Sessions with Inline Services Interfaces

tunnel-timeout

Syntax
    tunnel-timeout seconds;

Hierarchy Level
    [edit services l2tp tunnel-group name]

Release Information
    Statement introduced before Junos OS Release 7.4.
    Support for MX Series routers introduced in Junos OS Release 11.4.

Description
    Specify the maximum downtime for an L2TP tunnel, after which the tunnel is terminated because the connection is presumed to have been lost.

Options
    seconds—Interval after which the tunnel is terminated if no data can be sent.
    Default: 120 seconds

Required Privilege Level
    interface—To view this statement in the configuration.
    interface-control—To add this statement to the configuration.

Related Documentation
    • (M Series routers) Configuring Timers for L2TP Tunnels on page 420
    • (MX Series routers) Configuring an L2TP Tunnel Group for LNS Sessions with Inline Services Interfaces
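The following is an added configuration example, not taken from the Juniper guide, that puts the Chapter 19 statements together on an M Series LNS: a tunnel group with its access profiles, window and timer settings, and system logging, plus the traceoptions statement described earlier in this chapter. The tunnel-group name, addresses, profile names, syslog host, facility and trace file name are assumptions chosen for illustration; the access profiles are defined separately at [edit access profile] and are not shown.

```junos
/* Added example (not from the Juniper guide): M Series LNS. All names,
   addresses and profile names below are assumptions. */
services {
    l2tp {
        traceoptions {
            /* Traces carry PPP and RADIUS exchanges for real subscribers.
               files and size must be set together; no-world-readable keeps
               the rotated files out of reach of non-root shell users. */
            file l2tpd-trace files 5 size 2m no-world-readable;
            level notice;
            flag tunnel;
            flag states;
            flag packet-error;
            /* Restrict the trace to the one subscriber under investigation */
            filter {
                user-name "alice@example.net";
            }
        }
        tunnel-group lac-pool-1 {
            /* Address the LACs tunnel to; a LAC's remote gateway must match it */
            local-gateway address 192.0.2.1;
            /* AS or Multiservices PIC that terminates the tunnels */
            service-interface sp-1/2/0;
            /* Profiles at [edit access profile] that validate tunnel
               requests (l2tp) and PPP session requests (ppp) */
            l2tp-access-profile lac-tunnel-auth;
            ppp-access-profile ppp-subscriber-auth;
            /* Window and timer values shown at their documented defaults */
            maximum-send-window 32;
            receive-window 16;
            retransmit-interval 30;
            tunnel-timeout 120;
            /* Ship L2TP events off-box with a fixed prefix for correlation */
            syslog {
                host 192.0.2.50 {
                    services notice;
                    facility-override local3;
                    log-prefix LNS1-L2TP;
                }
            }
        }
    }
}
```

Two points are worth checking before committing a configuration like this. The trace file is both rotated and marked no-world-readable, because L2TP and PPP traces can expose subscriber identifiers and authentication exchanges, and the filter user-name statement keeps the volume to the single session being debugged; remove traceoptions when the investigation ends, since tracing adds load to the services PIC. Logging goes to an external collector with a log-prefix so LNS events can be correlated off-box even if the router itself is unavailable. As the statement topics above note, the syslog statement and the debug-level, filter, level and interfaces options of traceoptions do not apply to L2TP LNS on MX Series routers, so this example is for M Series routers only.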

CHAPTER 20

Link Services IQ Interfaces Configuration Guidelines

You can configure link services intelligent queuing (IQ) (LSQ or lsq-) interfaces on the Adaptive Services (AS) PIC, the internal Adaptive Services Module in the M7i platform, the Link Services II PIC, and the Multiservices PIC. LSQ interfaces are similar to link services interfaces, which are described in "Multilink and Link Services Logical Interface Configuration Overview" on page 1237. The important difference is that LSQ interfaces fully support Junos class of service (CoS) components.

This chapter describes the Layer 2 service package and the CoS and failure recovery capabilities of LSQ interfaces. For detailed information about Layer 3 services, see other chapters in this manual and the Junos OS Feature Guides.

NOTE: The Link Services II PIC offers the same functionality as the Layer 2 service package on AS or Multiservices PICs.

The AS or Multiservices PIC has a limit of 1023 logical interfaces. Each logical interface is a Multilink Point-to-Point Protocol (MLPPP) bundle, an FRF.15 bundle, or an FRF.16 DLCI.

This chapter contains the following sections:
    • Layer 2 Service Package Capabilities and Interfaces on page 448
    • Configuring LSQ Interface Redundancy Across Multiple Routers Using SONET APS on page 450
    • Configuring LSQ Interface Redundancy in a Single Router Using SONET APS on page 452
    • Configuring LSQ Interface Redundancy in a Single Router Using Virtual Interfaces on page 453
    • Configuring CoS Scheduling Queues on Logical LSQ Interfaces on page 461
    • Configuring CoS Fragmentation by Forwarding Class on LSQ Interfaces on page 465
    • Reserving Bundle Bandwidth for Link-Layer Overhead on LSQ Interfaces on page 466
    • Configuring Multiclass MLPPP on LSQ Interfaces on page 467
    • Oversubscribing Interface Bandwidth on LSQ Interfaces on page 468

    • Configuring Guaranteed Minimum Rate on LSQ Interfaces on page 473
    • Configuring Link Services and CoS on Services PICs on page 477
    • Configuring LSQ Interfaces as NxT1 or NxE1 Bundles Using MLPPP on page 480
    • Configuring LSQ Interfaces as NxT1 or NxE1 Bundles Using FRF.16 on page 485
    • Configuring LSQ Interfaces for Single Fractional T1 or E1 Interfaces Using MLPPP and LFI on page 490
    • Configuring LSQ Interfaces for Single Fractional T1 or E1 Interfaces Using FRF.12 on page 495
    • Configuring LSQ Interfaces as NxT1 or NxE1 Bundles Using FRF.15 on page 502
    • Configuring LSQ Interfaces for T3 Links Configured for Compressed RTP over MLPPP on page 503
    • Configuring LSQ Interfaces as T3 or OC3 Bundles Using FRF.12 on page 504
    • Configuring LSQ Interfaces for ATM2 IQ Interfaces Using MLPPP on page 506

Layer 2 Service Package Capabilities and Interfaces

As described in "Enabling Service Packages" on page 39, you can configure the AS or Multiservices PIC and the internal ASM in the M7i platform to use either the Layer 2 or the Layer 3 service package. When you enable the Layer 2 service package, the AS or Multiservices PIC supports link services. On the AS or Multiservices PIC and the ASM, link services include the following:

    • Junos CoS components—"Configuring CoS Scheduling Queues on Logical LSQ Interfaces" on page 461 describes how the Junos CoS components work on link services IQ (lsq) interfaces. For detailed information about Junos CoS components, see the Junos OS Class of Service Configuration Guide.

    • Data compression using the compressed Real-Time Transport Protocol (CRTP) for use in voice over IP (VoIP) transmission.

      NOTE: On LSQ interfaces, all multilink traffic for a single bundle is sent to a single processor. If CRTP is enabled on the bundle, it adds overhead to the CPU. Because T3 network interfaces support only one link per bundle, make sure you configure a fragmentation map for compressed traffic on these interfaces and specify the no-fragmentation option. For more information, see "Configuring Delay-Sensitive Packet Interleaving" on page 524 and "Configuring CoS Fragmentation by Forwarding Class on LSQ Interfaces" on page 465.

    • Link fragment interleaving (LFI) on Frame Relay links using FRF.12 end-to-end fragmentation—The standard for FRF.12 is defined in the specification FRF.12, Frame Relay Fragmentation Implementation Agreement.

    • LFI on Multilink Point-to-Point Protocol (MLPPP) links.

    • Multilink Frame Relay (MLFR) end-to-end (FRF.15)—The standard for FRF.15 is defined in the specification FRF.15, End-to-End Multilink Frame Relay Implementation Agreement.

    • Multilink Frame Relay (MLFR) UNI NNI (FRF.16)—The standard for FRF.16 is defined in the specification FRF.16.1, Multilink Frame Relay UNI/NNI Implementation Agreement.

    • MLPPP—The standard for MLPPP is defined in the specification RFC 1990, The PPP Multilink Protocol (MP).

    • Multiclass extension to MLPPP—The standard is defined in the specification RFC 2686, The Multi-Class Extension to Multi-Link PPP. For more information, see "Configuring CoS Scheduling Queues on Logical LSQ Interfaces" on page 461.

When you enable the Layer 2 service package on the AS or Multiservices PIC, the following interfaces are automatically created:

    gr-fpc/pic/port
    ip-fpc/pic/port
    lsq-fpc/pic/port
    lsq-fpc/pic/port:0
    ...
    lsq-fpc/pic/port:N
    mt-fpc/pic/port
    pd-fpc/pic/port
    pe-fpc/pic/port
    sp-fpc/pic/port
    vt-fpc/pic/port

Interface types gr, ip, mt, pd, pe, and vt are standard tunnel interfaces that are available on the AS or Multiservices PIC whether you enable the Layer 2 or the Layer 3 service package. These tunnel interfaces function the same way for both service packages, except that the Layer 2 service package does not support some tunnel functions, as shown in Table 5 on page 24. For more information about tunnel interfaces, see Tunnel Properties.

Interface type lsq-fpc/pic/port is the physical link services IQ interface (lsq). Interface types lsq-fpc/pic/port:0 through lsq-fpc/pic/port:N represent FRF.16 bundles. These interface types are created when you include the mlfr-uni-nni-bundles statement at the [edit chassis fpc slot-number pic pic-number] hierarchy level.

NOTE: Interface type sp is created because it is needed by the Junos OS. For the Layer 2 service package, the sp interface is not configurable, but you should not disable it.

For the LSQ interface on the AS or Multiservices PIC, the configuration syntax is almost the same as for Multilink and Link Services PICs. The primary difference is the use of the interface-type descriptor lsq instead of ml or ls.

NOTE: On DS0, E1, or T1 interfaces in LSQ bundles, you can configure the bandwidth statement, but the router does not use the bandwidth value if the interfaces are included in an MLPPP or MLFR bundle. The bandwidth is calculated internally according to the time slots, framing, and byte-encoding of the interface. For more information about these properties, see the Junos OS Network Interfaces Configuration Guide.

Configuring LSQ Interface Redundancy Across Multiple Routers Using SONET APS

Link services IQ (lsq-) interfaces that are paired with SONET PICs can use the Automatic Protection Switching (APS) configuration already available on SONET networks to provide failure recovery. SONET APS provides stateless failure recovery, if it is configured on SONET interfaces in separate chassis and each SONET PIC is paired with an AS or Multiservices PIC in the same chassis.

If one of the following conditions for APS failure is met, the associated SONET PIC triggers recovery to the backup circuit and its associated AS or Multiservices PIC. The failure conditions are:
    • Failure of Link Services IQ PIC
    • Failure of FPC that hosts the Link Services IQ PIC
    • Failure of Packet Forwarding Engine
    • Failure of chassis

The guidelines for configuring SONET APS are described in the Junos OS Network Interfaces Configuration Guide.

The following sections describe how to configure failover properties:
    • Configuring the Association between LSQ and SONET Interfaces on page 450
    • Configuring SONET APS Interoperability with Cisco Systems FRF.16 on page 451
    • Restrictions on APS Redundancy for LSQ Interfaces on page 452

Configuring the Association between LSQ and SONET Interfaces

To configure the association between AS or Multiservices PICs hosting link services IQ interfaces and the SONET interfaces, include the lsq-failure-options statement at the [edit interfaces] hierarchy level:

    lsq-fpc/pic/port {
        lsq-failure-options {
            no-termination-request;
            [ trigger-link-failure interface-name ];
        }
    }

For example, consider the following network scenario:
    • Primary router includes interfaces oc3-0/2/0 and lsq-1/1/0.
    • Backup router includes interfaces oc3-2/2/0 and lsq-3/2/0.

Configure SONET APS, with oc3-0/2/0 as the working circuit and oc3-2/2/0 as the protect circuit. Include the trigger-link-failure statement to extend failure to the LSQ PICs:

    interfaces lsq-1/1/0 {
        lsq-failure-options {
            trigger-link-failure oc3-0/2/0;
        }
    }

NOTE: You must configure the lsq-failure-options statement on the primary router only. The configuration is not supported on the backup router.

To inhibit the router from sending PPP termination-request messages to the remote host if the Link Services IQ PIC fails, include the no-termination-request statement at the [edit interfaces lsq-fpc/pic/port lsq-failure-options] hierarchy level:

    [edit interfaces lsq-fpc/pic/port lsq-failure-options]
    no-termination-request;

This functionality is supported on link PICs as well, on the following PICs:
    • Channelized OC3 IQ PICs
    • Channelized OC12 IQ PICs
    • Channelized STM1 IQ PICs
    • Channelized STM4 IQ PICs

To inhibit the router from sending PPP termination-request messages to the remote host if a link PIC fails, include the no-termination-request statement at the [edit interfaces interface-name ppp-options] hierarchy level:

    [edit interfaces interface-name ppp-options]
    no-termination-request;

The no-termination-request statement is supported only with MLPPP and SONET APS configurations and works with PPP, PPP over Frame Relay, and MLPPP interfaces only.

Configuring SONET APS Interoperability with Cisco Systems FRF.16

Juniper Networks routers configured with APS might not interoperate correctly with Cisco FRF.16. To enable interoperation, include the cisco-interoperability statement at the [edit interfaces lsq-fpc/pic/port mlfr-uni-nni-bundle-options] hierarchy level:

    [edit interfaces lsq-fpc/pic/port mlfr-uni-nni-bundle-options]
    cisco-interoperability send-lip-remove-link-for-link-reject;

The send-lip-remove-link-for-link-reject option prompts the router to send a Link Integrity Protocol remove link when it receives an add-link rejection message.
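As an added example that is not part of the Juniper guide, the following assembles the fragments above into the primary router's configuration for the scenario described (oc3-0/2/0 paired with lsq-1/1/0, with oc3-2/2/0 and lsq-3/2/0 on the backup router). The APS group name, neighbor address, authentication key and bundle address are assumptions; the APS statements are shown only far enough to make the working circuit explicit, and the complete APS configuration is described in the Junos OS Network Interfaces Configuration Guide.

```junos
/* Added example (not from the Juniper guide): primary router only. The backup
   router carries the protect circuit and must not configure lsq-failure-options.
   APS group name, neighbor address, key and bundle address are assumptions. */
interfaces {
    oc3-0/2/0 {
        sonet-options {
            aps {
                /* Working circuit; oc3-2/2/0 on the backup router is the
                   protect circuit in the same APS group */
                working-circuit lsq-aps-1;
                neighbor 10.255.1.2;
                /* Assumed shared secret: without a key the APS messages
                   exchanged between the two routers are unauthenticated */
                authentication-key "aps-shared-secret";
            }
        }
        /* Link PIC side: no PPP Terminate-Request to the peer if the link
           PIC fails, so the peer keeps its session through the switchover */
        ppp-options {
            no-termination-request;
        }
    }
    lsq-1/1/0 {
        lsq-failure-options {
            /* Pull this LSQ PIC into the APS failover when oc3-0/2/0 fails */
            trigger-link-failure oc3-0/2/0;
            /* Same suppression for a failure of the LSQ PIC itself */
            no-termination-request;
        }
        unit 0 {
            encapsulation multilink-ppp;
            family inet {
                address 10.20.0.1/30;
            }
        }
    }
}
```

After an APS event, check the system log rather than the interface state to tell a PIC-triggered switchover from a normal APS switchover; as the restrictions in the next section explain, the two are otherwise indistinguishable, and the recovery is stateless, so PPP renegotiation on the protect side is expected.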

Restrictions on APS Redundancy for LSQ Interfaces

The following restrictions apply to LSQ failure recovery:
    • It applies only to Link Services IQ PICs installed in M Series routers, except for M320 routers.
    • The Link Services IQ PICs must be associated with SONET link PICs.
    • The paired PICs can be installed on different routers or in the same router; in other words, both interchassis and intrachassis recovery are supported.
    • Failure recovery is stateless, requiring PPP renegotiation. As a result, route flapping and loss of link state is expected in interchassis recovery. In intrachassis recovery, no impact on traffic is anticipated with Routing Engine failover, but PIC failover results in PPP renegotiation.
    • Normal APS switchover and PIC-triggered APS switchover can be distinguished only by checking the system log messages.
    • You must configure the failure-options statement on physical LSQ interfaces, not on MLFR channelized units.
    • The switchover is not revertive: when the original hardware is restored to service, traffic does not automatically revert back to it.

NOTE: For complete intrachassis recovery, including recovery from Routing Engine failover, graceful Routing Engine switchover (GRES) must be enabled on the router. For more information, see the Junos OS System Basics Configuration Guide.

NOTE: When an AS PIC experiences persistent back pressure as a result of high traffic volume for 3 seconds, the condition triggers an automatic core dump and reboot of the PIC to help clear the blockage. A system log message at level LOG_ERR is generated. This mechanism applies to both Layer 2 and Layer 3 service packages.

Configuring LSQ Interface Redundancy in a Single Router Using SONET APS

Stateless switchover from one Link Services IQ PIC to another within the same router can be configured by using the SONET APS mechanism described in "Configuring LSQ Interface Redundancy Across Multiple Routers Using SONET APS" on page 450. Each Link Services IQ PIC must be associated with a specified SONET link PIC within the same router.

Configuring LSQ Interface Redundancy in a Single Router Using Virtual Interfaces

You can configure failure recovery on M Series, MX Series, and T Series routers that have multiple AS or Multiservices PICs and DPCs with lsq- interfaces by specifying a virtual LSQ redundancy (rlsq) interface in which the primary Link Services IQ PIC is active and a secondary PIC is on standby. If the primary PIC fails, the secondary PIC becomes active, and all LSQ processing is transferred to it. Network interfaces that do not support SONET can be used, such as T1 or E1 interfaces.

This redundancy is supported with MLPPP, CRTP, FRF.15, and FRF.16 configurations for the LSQ interface to provide uninterrupted LSQ service. Failure detection and recovery time is less than 5 seconds; switchover time is 5 seconds or less for FRF.15 and at most 10 seconds for FRF.16. To determine which PIC is currently active, issue the show interfaces redundancy command.

NOTE: This configuration does not require the use of SONET APS for failover.

The following sections provide more information:
    • Configuring Redundant Paired LSQ Interfaces on page 453
    • Restrictions on Redundant LSQ Interfaces on page 454
    • Configuring Link State Replication for Redundant Link PICs on page 455
    • Examples: Configuring Redundant LSQ Interfaces for Failure Recovery on page 457

Configuring Redundant Paired LSQ Interfaces

The physical interface type rlsq specifies the pairings between primary and secondary lsq interfaces to enable redundancy. If the primary lsq interface fails, traffic processing switches to the secondary interface. The behavior is revertive. If the secondary interface fails and the primary interface is active, processing switches to the primary interface. The secondary interface remains active even after the primary interface recovers, but you can manually switch between the primary and secondary PICs by issuing the request interfaces (revert | switchover) rlsqnumber operational mode command.

To configure a backup lsq interface, include the redundancy-options statement at the [edit interfaces rlsqnumber] hierarchy level:

    [edit interfaces rlsqnumber]
    redundancy-options {
        (hot-standby | warm-standby);
        primary lsq-fpc/pic/port;
        secondary lsq-fpc/pic/port;
    }

For the rlsq interface, number can be from 0 through 1023.

The hot-standby option is used with one-to-one redundancy configurations, in which one working PIC is supported by one backup PIC.

The warm-standby option is used with redundancy configurations in which one backup PIC supports multiple working PICs. Recovery times are not guaranteed, because the configuration must be completely restored on the backup PIC after a failure is detected.

Restrictions on Redundant LSQ Interfaces

Link Services IQ PIC failure occurs under the following conditions:
    • The primary PIC fails to boot. In this case, the rlsq interface does not come up and manual intervention is necessary to reboot or replace the PIC, or to rename the primary PIC to the secondary one in the rlsq configuration.
    • The primary PIC becomes active and then fails. A failover to the secondary PIC takes place.
    • The secondary PIC then fails. If the primary PIC has been restored to active state, processing switches to it.
    • The FPC that contains the Link Services IQ PIC fails. The secondary PIC automatically takes over processing.

The following constraints apply to redundant LSQ configurations:
    • We recommend that primary and secondary PICs be configured in two different FPCs (in chassis other than M10i routers).
    • You cannot configure a Link Services IQ PIC with explicit bundle configurations and as a constituent of an rlsq interface.
    • Certain combinations of hot-standby and warm-standby configuration are not permitted and result in a configuration error. The following examples are permitted:
        • Interface rlsq0 configured with primary lsq-0/0/0 and warm-standby, in combination with interface rlsq1 configured with primary lsq-0/0/0
        • Interface rlsq0:0 configured with primary lsq-0/0/0:0, in combination with interface rlsq1:0 configured with primary lsq-0/0/0:0
        • Interface rlsq0:0 configured with primary lsq-0/0/0:1, in combination with interface rlsq1:1 configured with primary lsq-0/0/0:1
      The following example combinations are not permitted:
        • Interface rlsq0 configured with primary lsq-0/0/0 and hot-standby, in combination with interface rlsq0:0 configured with primary lsq-0/0/0:0
        • Interface rlsq0 configured with primary lsq-0/0/0, in combination with interface rlsq0:0 configured with primary lsq-0/0/0:0
        • Interface rlsq0:0 configured with primary lsq-0/0/0:0, in combination with interface rlsq0:1 configured with primary lsq-0/0/0:1
      In addition, the same physical interface cannot be reused as the primary interface for more than one rlsq interface. For example, primary interface lsq-0/0/0 cannot be reused in another rlsq interface as lsq-0/0/0:0, nor can any of the associated logical interfaces.

• Redundant LSQ configurations provide full GRES support. (You must configure GRES at the [edit chassis] hierarchy level; for more information, see the Junos OS System Basics Configuration Guide.) However, statistics on the link interfaces are not carried over following a Routing Engine switchover.
• Redundant LSQ configurations that require Multilink Frame Relay (FRF.15 and FRF.16) are supported only with the warm-standby option.
• The rlsqnumber configuration becomes active only if the primary interface is active. When the configuration is first activated, the primary interface must be active; if not, the rlsq interface waits until the primary interface comes up.
• You cannot make changes to an active redundancy-options configuration. You must deactivate the rlsqnumber interface configuration, change it, and reactivate it.
• The rlsq number and its constituents, the primary and secondary interfaces, must match for the configuration to be valid: either all must be channelized, for example rlsq0:0, or none. Channelized interfaces are used with FRF.16 bundles. For an example of an FRF.16 configuration, see “Configuring LSQ Interface Redundancy for an FRF.16 Bundle” on page 461.
• If you configure the redundancy-options statement with the hot-standby option, the configuration must include one primary interface value and one secondary interface value.
• You cannot modify the configuration of lsq interfaces after they have been included in an active rlsq interface.
• The rlsq interfaces also support the lsq-failure-options configuration. If the primary and secondary Link Services IQ PICs fail and the lsq-failure-options statement is configured, the configuration triggers a SONET APS switchover, discussed in “Configuring LSQ Interface Redundancy Across Multiple Routers Using SONET APS” on page 450.
• Since the same interface name is used for hot-standby and warm-standby, if you modify the configuration to change this attribute, it is recommended that you first deactivate the interface, commit the new configuration, and then reactivate the interface.
• You can issue show commands for the rlsq interface or the primary and secondary lsq interfaces. All the operational mode commands that apply to rsp interfaces also apply to rlsq interfaces.
• Redundant LSQ support is extended to ATM network interfaces.

NOTE: Adaptive Services and Multiservices PICs in layer-2 mode (running Layer 2 services) are not rebooted when a MAC flow-control situation is detected.

Configuring Link State Replication for Redundant Link PICs

Link state replication, also called interface preservation, is an addition to the SONET Automatic Protection Switching (APS) functionality that helps promote redundancy of the link PICs used in LSQ configurations.

Link state replication provides the ability to add two sets of links, one from the active (working) SONET PIC and the other from the backup (protect) SONET PIC, to the same bundle. All the negotiated state is replicated from the active links to the standby links to prevent link renegotiation. If the active SONET PIC fails, links from the standby PIC are used without causing a link renegotiation. Link state replication supports MLPPP and PPP over Frame Relay (frame-relay-ppp) encapsulation, and fully supports GRES.

This feature is supported only with LSQ and SONET APS-enabled link PICs, including Channelized OC3, Channelized OC12, and Channelized STM1 intelligent queuing (IQ) PICs.

The following constraints apply to link PIC redundancy:

• APS functionality must be available on the SONET PICs, and the interface configurations must be identical on both ends of the link. Any configuration mismatch causes the commit operation to fail.
• Enabling the interface or protocol traceoptions with a large number of MLPPP links can trigger Link Control Protocol (LCP) renegotiation during the link switchover time.

  NOTE: This renegotiation is more likely to take place for configurations with back-to-back Juniper Networks routers than in networks in which a Juniper Networks router is connected to an add/drop multiplexer (ADM).

• An aggressive LCP keepalive timeout configuration can lead to LCP renegotiation during the MLPPP link switchover. By default, the LCP keepalive timer interval is 10 seconds and the consecutive link down count is 3, so the MLPPP links start LCP negotiation only after a timeout of 30 seconds. Lowering these configuration values may trigger one or more of the MLPPP links to renegotiate during the switchover time, especially for networks with a large number of MLPPP links.

  NOTE: LCP renegotiation is more likely to take place for configurations with back-to-back Juniper Networks routers than in networks in which a Juniper Networks router is connected to an ADM.

• In general, networks that connect a Juniper Networks router to an ADM allow faster MLPPP link switchover than those with back-to-back Juniper Networks routers. The MLPPP link switchover time difference may be significant.

To configure link state replication, include the preserve-interface statement at the [edit interfaces interface-name sonet-options aps] hierarchy level on both network interfaces:

[edit interfaces interface-name sonet-options aps]
preserve-interface;

For more information about SONET APS configurations, see the Junos OS Network Interfaces Configuration Guide.

As an example, the following configuration shows the link state replication configuration between the ports coc3-1/0/0 and coc3-2/0/0.

interfaces {
    coc3-1/0/0 {
        sonet-options {
            aps {
                preserve-interface;
                working-circuit aps-group-1;
            }
        }
    }
    coc3-2/0/0 {
        sonet-options {
            aps {
                preserve-interface;
                protect-circuit aps-group-1;
            }
        }
    }
}

Examples: Configuring Redundant LSQ Interfaces for Failure Recovery

Configuring LSQ Interface Redundancy for MLPPP

The following configuration shows that lsq-1/1/0 and lsq-1/3/0 work as a pair and the redundancy type is hot-standby, which s
ets the requirement for the failure detection and recovery time to be less than 5 seconds:

interfaces rlsq0 {
    redundancy-options {
        primary lsq-1/1/0;
        secondary lsq-1/3/0;
        hot-standby; # either hot-standby or warm-standby is supported
    }
}

The following example shows a related MLPPP configuration:

NOTE: MLPPP protocol configuration is required for this configuration.

interfaces {
    t1-1/2/0 {
        unit 0 {
            family mlppp {
                bundle rlsq0.0;
            }
        }
    }
    rlsq0 {
        unit 0 {
            family inet {
                address 30.1.1.2/24;
            }
        }
    }
}

The following example shows a related CoS configuration:

class-of-service {
    interfaces {
        rlsq0 {
            unit * {
                fragmentation-map fr-map1;
            }
        }
    }
}

The following example shows a complete link state replication configuration for MLPPP. This example uses two bundles, each with four T1 links. The first four T1 links (t1-*:1 through t1-*:4) form the first bundle and the last four T1 links (t1-*:5 through t1-*:8) form the second bundle. To minimize the duplication in the configuration, this example uses the [edit groups] statement. This type of configuration is not required; it simplifies the task and minimizes duplication. For more information, see the Junos OS System Basics Configuration Guide.

groups {
    ml-partition-group {
        interfaces {
            <coc3-*> {
                partition 1 oc-slice 1 interface-type coc1;
            }
            <coc1-*> {
                partition 1-8 interface-type t1;
            }
        }
    }
    ml-bundle-group-1 {
        interfaces {
            <t1-*:"[1-4]"> {
                encapsulation ppp;
                unit 0 {
                    family mlppp {
                        bundle lsq-0/1/0.0;
                    }
                }
            }
        }
    }
    ml-bundle-group-2 {
        interfaces {
            <t1-*:"[5-8]"> {
                encapsulation ppp;
                unit 0 {
                    family mlppp {
                        bundle lsq-0/1/0.1;
                    }
                }
            }
        }
    }
}

interfaces {
    lsq-0/1/0 {
        unit 0 {
            encapsulation multilink-ppp;
            family inet {
                address 1.1.1.1/32 {
                    destination 1.1.1.2;
                }
            }
        }
        unit 1 {
            encapsulation multilink-ppp;
            family inet {
                address 1.1.2.1/32 {
                    destination 1.1.2.2;
                }
            }
        }
    }
    coc3-1/0/0 {
        apply-groups ml-partition-group;
        sonet-options {
            aps {
                preserve-interface;
                working-circuit aps-group-1;
            }
        }
    }
    coc1-1/0/0:1 {
        apply-groups ml-partition-group;
    }
    t1-1/0/0:1:1 {
        apply-groups ml-bundle-group-1;
    }
    t1-1/0/0:1:2 {
        apply-groups ml-bundle-group-1;
    }
    t1-1/0/0:1:3 {
        apply-groups ml-bundle-group-1;
    }
    t1-1/0/0:1:4 {
        apply-groups ml-bundle-group-1;
    }
    t1-1/0/0:1:5 {
        apply-groups ml-bundle-group-2;
    }
    t1-1/0/0:1:6 {
        apply-groups ml-bundle-group-2;
    }
    t1-1/0/0:1:7 {
        apply-groups ml-bundle-group-2;
    }
    t1-1/0/0:1:8 {
        apply-groups ml-bundle-group-2;
    }

    t1-2/0/0:1:1 {
        apply-groups ml-bundle-group-1;
    }
    t1-2/0/0:1:2 {
        apply-groups ml-bundle-group-1;
    }
    t1-2/0/0:1:3 {
        apply-groups ml-bundle-group-1;
    }
    t1-2/0/0:1:4 {
        apply-groups ml-bundle-group-1;
    }
    t1-2/0/0:1:5 {
        apply-groups ml-bundle-group-2;
    }
    t1-2/0/0:1:6 {
        apply-groups ml-bundle-group-2;
    }
    t1-2/0/0:1:7 {
        apply-groups ml-bundle-group-2;
    }
    t1-2/0/0:1:8 {
        apply-groups ml-bundle-group-2;
    }
    coc3-2/0/0 {
        apply-groups ml-partition-group;
        sonet-options {
            aps {
                preserve-interface;
                protect-circuit aps-group-1;
            }
        }
    }
    coc1-2/0/0:1 {
        apply-groups ml-partition-group;
    }
}

Configuring LSQ Interface Redundancy for an FRF.15 Bundle

The following example shows a configuration for an FRF.15 bundle:

interfaces rlsq0 {
    redundancy-options {
        primary lsq-1/2/0;
        secondary lsq-1/3/0;
        warm-standby; # either hot-standby or warm-standby is supported
    }
    unit 0 {
        encapsulation multilink-frame-relay-end-to-end;
        family inet {
            address 30.1.1.1/24;
        }
    }
}

Configuring LSQ Interface Redundancy for an FRF.16 Bundle

The following example shows a configuration for an FRF.16 bundle:

interfaces rlsq0:0 {
    dce;
    encapsulation multilink-frame-relay-uni-nni;
    redundancy-options {
        primary lsq-1/2/0:0;
        secondary lsq-1/3/0:0;
        warm-standby; # either hot-standby or warm-standby is supported
    }
    unit 0 {
        dlci 1000;
        family inet {
            address 50.1.1.1/24;
        }
    }
}

Configuring CoS Scheduling Queues on Logical LSQ Interfaces

For link services IQ (lsq-) interfaces, you can specify a scheduler map for each logical unit. A logical unit represents either an MLPPP bundle or a DLCI configured on an FRF.16 bundle. The scheduler is applied to the traffic sent to an AS or Multiservices PIC running the Layer 2 link services package. If you configure a scheduler map on a bundle, you must include the per-unit-scheduler statement at the [edit interfaces lsq-fpc/pic/port] hierarchy level. If you configure a scheduler map on an FRF.16 DLCI, you must include the per-unit-scheduler statement at the [edit interfaces lsq-fpc/pic/port:channel] hierarchy level. For more information, see the Junos OS Class of Service Configuration Guide.

If you need latency guarantees for multiclass or LFI traffic, you must use channelized IQ PICs for the constituent links. With non-IQ PICs, latency-sensitive traffic might not receive the type of service that it should, because queueing is not done at the channelized interface level on the constituent links. Constituent links from the following PICs support latency guarantees:

• Channelized E1 IQ PIC
• Channelized OC3 IQ PIC
• Channelized OC12 IQ PIC
• Channelized STM1 IQ PIC
• Channelized T3 IQ PIC

For an FRF.16 bundle, you can assign a single scheduler map to the link services IQ interface (lsq) and to each link services IQ DLCI, or you can assign different scheduler maps to the various DLCIs of the bundle.

For scheduling queues on a logical interface, you can configure the following scheduler map properties at the [edit class-of-service schedulers] hierarchy level:

• buffer-size—The queue size; for more information, see “Configuring Scheduler Buffer Size” on page 462.
• drop-profile-map—The random early detection (RED) drop profile; for more information, see “Configuring Drop Profiles” on page 463.
• priority—The transmit priority (low, high, strict-high); for more information, see “Configuring Scheduler Priority” on page 463.
• shaping-rate—The subscribed transmit rate; for more information, see “Configuring Scheduler Shaping Rate” on page 463.

For link services IQ interfaces (lsq), these scheduling properties work as they do in other PICs, except as noted in the following sections.

NOTE: On T Series and M320 routers, lsq interfaces do not support DiffServ code point (DSCP) and DSCP-IPv6 rewrite markers.

For the constituent links of an FRF.16 bundle, the traffic from each constituent link is transmitted from queue 0. This means you should allow most of the bandwidth to be used by queue 0. Because LFI and multiclass are not supported for FRF.16, you should configure a single scheduler with non-zero percent transmission rates and buffer sizes for queues 0 through 3, and assign this scheduler to the link services IQ interface (lsq) and to each constituent link, as shown in “Example: Configuring an LSQ Interface as an NxT1 Bundle Using FRF.16” on page 488.

When you configure MLPPP and FRF.16 on M Series and T Series routers, you do not need to configure a custom scheduler. The default scheduler transmission rate and buffer size percentages for queues 0 through 3 are 95, 0, 0, and 5 percent. This default scheduler sends all user traffic to queue 0 and all network-control traffic to queue 3, and therefore it is well suited to the behavior of FRF.16. When you configure FRF.12 on M Series and T Series routers, you can configure a custom scheduler that explicitly replicates the 95, 0, 0, and 5 percent queuing behaviors, and apply it to the constituent links.

NOTE: On T Series and M320 routers, the default scheduler transmission rate and buffer size percentages for queues 0 through 7 are 95, 0, 0, 5, 0, 0, 0, and 0 percent.

Configuring Scheduler Buffer Size

You can configure the scheduler buffer size in three ways: as a temporal value, as a percentage, and as a remainder. On a single logical interface (MLPPP or an FRF.16 DLCI), each queue can have a different buffer size.

If you specify a temporal value, the queuing algorithm starts dropping packets when it queues more than a computed number of bytes. This number is computed by multiplying logical interface speed by the temporal value. For MLPPP bundles, logical interface speed is equal to the bundle bandwidth, which is the sum of constituent link speeds minus link-layer overhead. For link services IQ DLCIs, logical interface speed is equal to bundle bandwidth multiplied by the DLCI shaping rate. The link services IQ implementation guarantees 200 milliseconds of buffer delay for all interfaces with T1 and higher speeds. For slower interfaces, it guarantees one second of buffer delay. In all cases, the queuing algorithm guarantees enough space in the transmit buffer for two MTU-sized packets.

NOTE: For FRF.16 bundles, the maximum temporal value is limited to 200 milliseconds.

Buffer size percentages are implicitly converted into temporal values by multiplying the percentage by 200 milliseconds. For example, buffer size specified as buffer-size percent 20 is the same as a 40-millisecond temporal delay.

The queueing algorithm evenly distributes leftover bandwidth among all queues that are configured with the buffer-size remainder statement.

Configuring Scheduler Priority

The transmit priority of each queue is determined by the scheduler and the forwarding class. Each queue receives a guaranteed amount of bandwidth specified with the scheduler transmit-rate statement.

Configuring Scheduler Shaping Rate

You use the shaping rate to set the percentage of total bundle bandwidth that is dedicated to a DLCI. For scheduling between DLCIs in an MLFR FRF.16 bundle, you can configure a shaping rate for each DLCI. A shaping rate is expressed as a percentage of the aggregate bundle bandwidth, which allows adjustments in response to dynamic changes in bundle bandwidth, for example, when a link goes up or down. Shaping rate percentages for all DLCIs within a bundle can add up to 100 percent or less. Leftover bandwidth is distributed equally to DLCIs that do not have the shaping-rate statement included at the [edit class-of-service interfaces lsq-fpc/pic/port:channel unit logical-unit-number] hierarchy level. If none of the DLCIs in an MLFR FRF.16 bundle specify a DLCI scheduler, the total bandwidth is evenly divided across all DLCIs.

Absolute shaping rates are allowed for MLPPP and MLFR bundles only. For MLFR FRF.16 bundles on link services IQ interfaces, only shaping rates based on percentage are supported; only percentages are accepted. This means that absolute shaping rates are not supported on FRF.16 DLCIs.

Configuring Drop Profiles

You can configure random early detection (RED) on LSQ interfaces as in other CoS scenarios. To configure RED, include one or more drop profiles and attach them to a scheduler for a particular forwarding class. For more information about RED profiles, see the Junos OS Class of Service Configuration Guide.

The LSQ implementation performs tail RED. It supports a maximum of 256 drop profiles per PIC. Drop profiles are configurable on a per-queue, per-loss-priority, and per-TCP-bit basis. Different queues (forwarding classes) on the same logical interface can have different associated drop profiles. You can attach scheduler maps with configured RED drop profiles to any LSQ logical interface: an MLPPP bundle, an FRF.15 bundle, or an FRF.16 DLCI.

The following example shows how to configure a RED profile on an LSQ interface:

[edit]
class-of-service {
    drop-profiles {
        drop-low {
            # Configure suitable drop profile for low loss priority
            ...
        }
        drop-high {
            # Configure suitable drop profile for high loss priority
            ...
        }
    }
    schedulers {
        be-scheduler {
            # Configure two drop profiles for low and high loss priority
            drop-profile-map loss-priority low protocol any drop-profile drop-low;
            drop-profile-map loss-priority high protocol any drop-profile drop-high;
            # Other scheduler parameters (buffer-size, priority,
            # and transmit-rate) are already supported.
            ...
        }
    }
    scheduler-maps {
        schedmap {
            # Best-effort queue will use be-scheduler
            forwarding-class be scheduler be-scheduler;
            # Other queues may use different schedulers
            ...
        }
    }
    interfaces {
        lsq-1/3/0 {
            unit 0 {
                # Attach a scheduler map (that includes RED drop profiles)
                # to an LSQ logical interface.
                scheduler-map schedmap;
            }
        }
    }
}

NOTE: The RED profiles should be applied only on the LSQ bundles and not on the egress links that constitute the bundle.
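As an added worked example (written for this page; it is not Junos code and not from the guide), the following Python script models the arithmetic described in “Configuring Scheduler Buffer Size” and “Configuring Scheduler Shaping Rate” above: MLPPP bundle bandwidth as the sum of constituent link speeds minus the link-layer overhead reservation (4 percent by default, as described later under “Reserving Bundle Bandwidth for Link-Layer Overhead on LSQ Interfaces”), per-DLCI bandwidth from percentage shaping rates with leftover distributed equally to unshaped DLCIs, and the byte threshold behind a temporal or percentage buffer-size, including the two-MTU floor and the 200-millisecond FRF.16 cap. The 1.544 Mbps T1 line rate, the sample 4xT1 bundle, the DLCI numbers and the function names are this example's own assumptions.

```python
"""Added example (not from the Junos guide): models the LSQ scheduler arithmetic
from the buffer-size and shaping-rate sections. Constructed sample data; the
function names are this example's own, not Junos statements."""

T1_BPS = 1_544_000                 # T1 line rate, assumed here as the constituent link speed
DEFAULT_OVERHEAD_PERCENT = 4.0     # link-layer-overhead default per the guide (0 through 50 allowed)
PERCENT_TEMPORAL_MS = 200          # buffer-size percent is converted as percent x 200 ms
FRF16_MAX_TEMPORAL_MS = 200        # FRF.16 bundles accept temporal values up to 200 ms only


def bundle_bandwidth_bps(link_speeds_bps, overhead_percent=DEFAULT_OVERHEAD_PERCENT):
    """MLPPP bundle bandwidth: sum of constituent link speeds minus link-layer overhead."""
    if not 0 <= overhead_percent <= 50:
        raise ValueError("link-layer-overhead must be 0 through 50 percent")
    return sum(link_speeds_bps) * (100 - overhead_percent) / 100


def dlci_bandwidth_bps(bundle_bps, shaping_rate_percent):
    """Per-DLCI bandwidth on an FRF.16 bundle.

    shaping_rate_percent maps DLCI -> percent, or None when the DLCI has no
    shaping-rate statement. The leftover percentage is split equally among the
    DLCIs without a shaping rate; if no DLCI has one, the bundle is divided evenly.
    """
    configured = sum(p for p in shaping_rate_percent.values() if p is not None)
    if configured > 100:
        raise ValueError("shaping-rate percentages within a bundle may not exceed 100")
    unshaped = [d for d, p in shaping_rate_percent.items() if p is None]
    share_for_unshaped = (100 - configured) / len(unshaped) if unshaped else 0.0
    return {
        d: bundle_bps * (p if p is not None else share_for_unshaped) / 100
        for d, p in shaping_rate_percent.items()
    }


def buffer_drop_threshold_bytes(logical_speed_bps, *, temporal_ms=None, percent=None,
                                mtu=1500, frf16=False):
    """Bytes queued before the scheduler starts dropping, for one queue.

    Exactly one of temporal_ms or percent is given. The threshold is logical
    interface speed x temporal value, expressed in bytes, and never less than
    two MTU-sized packets.
    """
    if (temporal_ms is None) == (percent is None):
        raise ValueError("give exactly one of temporal_ms or percent")
    if percent is not None:
        if not 0 < percent <= 100:
            raise ValueError("buffer-size percent must be 1 through 100")
        temporal_ms = percent * PERCENT_TEMPORAL_MS / 100   # e.g. 20 percent -> 40 ms
    if frf16 and temporal_ms > FRF16_MAX_TEMPORAL_MS:
        raise ValueError("FRF.16 bundles limit the temporal value to 200 ms")
    computed = logical_speed_bps * temporal_ms / 8000        # bits/s x ms -> bytes
    return max(int(computed), 2 * mtu)


if __name__ == "__main__":
    bundle = bundle_bandwidth_bps([T1_BPS] * 4)              # constructed 4xT1 bundle
    dlcis = dlci_bandwidth_bps(bundle, {100: 50, 200: None, 300: None})
    print(f"bundle {bundle:.0f} bps, per DLCI {dlcis}")
    for dlci, speed in dlcis.items():
        print(dlci, buffer_drop_threshold_bytes(speed, percent=20, frf16=True), "bytes")
```

Run as a script to see the figures for the sample bundle; DLCI 100 takes half the bundle and the two unshaped DLCIs split the rest, and a 64 kbps logical interface with buffer-size percent 20 is held at the two-MTU floor (3000 bytes) rather than the 320 bytes the temporal arithmetic alone would give.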

For link services IQ (lsq-) interfaces, you can specify fragmentation properties for specific forwarding classes. Traffic on each forwarding class can be either multilink encapsulated (fragmented and sequenced) or nonencapsulated (hashed with no fragmentation). By default, traffic in all forwarding classes is multilink encapsulated.

When you do not configure fragmentation properties for the queues on MLPPP interfaces, the fragmentation threshold you set at the [edit interfaces interface-name unit logical-unit-number fragment-threshold] hierarchy level is the fragmentation threshold for all forwarding classes within the MLPPP interface. For MLFR FRF.16 interfaces, the fragmentation threshold you set at the [edit interfaces interface-name mlfr-uni-nni-bundle-options fragment-threshold] hierarchy level is the fragmentation threshold for all forwarding classes within the MLFR FRF.16 interface.

If you do not set a maximum fragment size anywhere in the configuration, packets are still fragmented if they exceed the smallest maximum transmission unit (MTU) or maximum received reconstructed unit (MRRU) of all the links in the bundle. A nonencapsulated flow uses only one link, unless the packet size exceeds the MTU/MRRU. If the flow exceeds a single link, then the forwarding class must be multilink encapsulated.

Even if you do not set a maximum fragment size anywhere in the configuration, you can configure the MRRU by including the mrru statement at the [edit interfaces lsq-fpc/pic/port unit logical-unit-number] or [edit interfaces interface-name mlfr-uni-nni-bundle-options] hierarchy level. The MRRU is similar to the MTU, but is specific to link services interfaces. By default the MRRU size is 1500 bytes, and you can configure it to be from 1500 through 4500 bytes. For more information, see “Configuring MRRU on Multilink and Link Services Logical Interfaces” on page 1242.

To configure fragmentation properties on a queue, include the fragmentation-maps statement at the [edit class-of-service] hierarchy level:

[edit class-of-service]
fragmentation-maps {
    map-name {
        forwarding-class class-name {
            (fragment-threshold bytes | no-fragmentation);
            multilink-class number;
        }
    }
}

To set a per-forwarding class fragmentation threshold, include the fragment-threshold statement in the fragmentation map. This statement sets the maximum size of each multilink fragment.

To set traffic on a queue to be nonencapsulated rather than multilink encapsulated, include the no-fragmentation statement in the fragmentation map. This statement specifies that an extra fragmentation header is not prepended to the packets received on this queue and that static link load balancing is used to ensure in-order packet delivery.

You use the multilink-class statement to map a forwarding class into a multiclass MLPPP (MCML) class. For more information about MCML, see “Configuring Multiclass MLPPP on LSQ Interfaces” on page 467.

For a given forwarding class, you can include either the fragment-threshold or no-fragmentation statement; they are mutually exclusive. Likewise, for a given forwarding class, you can include either the multilink-class or no-fragmentation statement; they are mutually exclusive.

To associate a fragmentation map with a multilink PPP interface or MLFR FRF.16 DLCI, include the fragmentation-map statement at the [edit class-of-service interfaces interface-name unit logical-unit-number] hierarchy level:

[edit class-of-service interfaces]
lsq-fpc/pic/port { # Multilink PPP
    unit logical-unit-number {
        fragmentation-map map-name;
    }
}
lsq-fpc/pic/port:channel { # MLFR FRF.16
    unit logical-unit-number {
        fragmentation-map map-name;
    }
}

For configuration examples, see the following topics:

• Configuring LSQ Interfaces as NxT1 or NxE1 Bundles Using MLPPP on page 480
• Configuring LSQ Interfaces as NxT1 or NxE1 Bundles Using FRF.16 on page 485
• Configuring LSQ Interfaces for Single Fractional T1 or E1 Interfaces Using MLPPP and LFI on page 490
• Configuring LSQ Interfaces for Single Fractional T1 or E1 Interfaces Using FRF.12 on page 495
• Configuring LSQ Interfaces as NxT1 or NxE1 Bundles Using FRF.15 on page 502
• Configuring LSQ Interfaces for T3 Links Configured for Compressed RTP over MLPPP on page 503
• Configuring LSQ Interfaces as T3 or OC3 Bundles Using FRF.12 on page 504
• Configuring LSQ Interfaces for ATM2 IQ Interfaces Using MLPPP on page 506

For Link Services PIC link services (ls-) interfaces, fragmentation maps are not supported. Instead, you enable LFI by including the interleave-fragments statement at the [edit interfaces interface-name unit logical-unit-number] hierarchy level. For more information, see “Configuring Delay-Sensitive Packet Interleaving on Link Services Logical Interfaces” on page 1245.

Reserving Bundle Bandwidth for Link-Layer Overhead on LSQ Interfaces

Link-layer overhead can cause packet drops on constituent links because of bit stuffing on serial links. Bit stuffing is used to prevent data from being interpreted as control information.

By default, 4 percent of the total bundle bandwidth is set aside for link-layer overhead. In most network environments, the average link-layer overhead is 1.6 percent. Therefore, we recommend 4 percent as a safeguard. For more information, see RFC 4814, Hash and Stuffing: Overlooked Factors in Network Device Benchmarking.

For link services IQ interfaces only, you can configure the percentage of bundle bandwidth to be set aside for link-layer overhead. To do this, include the link-layer-overhead statement:

link-layer-overhead percent;

You can include this statement at the following hierarchy levels:

• [edit interfaces interface-name mlfr-uni-nni-bundle-options]
• [edit interfaces interface-name unit logical-unit-number]
• [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number]

You can configure the value to be from 0 percent through 50 percent.

Configuring Multiclass MLPPP on LSQ Interfaces

For link services IQ (lsq-) interfaces with MLPPP encapsulation, you can configure multiclass MLPPP (MCML). If you do not configure MCML, fragments from different classes cannot be interleaved. All fragments for a single packet must be sent before the fragments from another packet are sent. Nonfragmented packets can be interleaved between fragments of another packet to reduce latency seen by nonfragmented packets. In effect, latency-sensitive traffic is encapsulated as regular PPP traffic, and bulk traffic is encapsulated as multilink traffic. This model works as long as there is a single class of latency-sensitive traffic, and there is no high-priority traffic that takes precedence over latency-sensitive traffic. This approach to LFI, used on the Link Services PIC, supports only two levels of traffic priority, which is not sufficient to carry the four-to-eight forwarding classes that are supported by M Series and T Series routers. For more information about the Link Services PIC support of LFI, see “Configuring Delay-Sensitive Packet Interleaving on Link Services Logical Interfaces” on page 1245.

With MCML, you can map each forwarding class into a separate multilink class, thus preserving priority and latency guarantees. MCML makes it possible to have multiple classes of latency-sensitive traffic that are carried over a single multilink bundle with bulk traffic. In effect, MCML allows different classes of traffic to have different latency guarantees, as defined in RFC 2686, The Multi-Class Extension to Multi-Link PPP.
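As an added worked example (written for this page; it is not Junos code and not from the guide), the following Python script models the fragmentation-map rules from “Configuring CoS Fragmentation by Forwarding Class on LSQ Interfaces” together with the multilink class limits that this section goes on to specify (multilink-max-classes 1 through 8, multilink-class 0 through 7, and no mixing of multilink-class or fragment-threshold with no-fragmentation). It validates a map, renders it in the fragmentation-maps syntax quoted earlier, and predicts whether a packet in a given forwarding class is sent whole on one link or multilink-fragmented, and into how many fragments. The forwarding-class names, packet sizes, link MTUs, the reading that a class index must be below multilink-max-classes, and the reading that an oversized packet in a no-fragmentation class is still fragmented at the smallest MTU/MRRU are this example's assumptions.

```python
"""Added example (not from the Junos guide): a model of the per-forwarding-class
fragmentation rules and MCML class limits. Constructed sample data; the
dataclass and function names are this example's own, not Junos statements."""
from dataclasses import dataclass
from math import ceil
from typing import Dict, List, Optional, Tuple

MRRU_DEFAULT, MRRU_MIN, MRRU_MAX = 1500, 1500, 4500
MAX_CLASSES_LIMIT = 8   # multilink-max-classes is 1 through 8; multilink-class is 0 through 7


@dataclass(frozen=True)
class ClassFragmentation:
    """One forwarding-class entry of a fragmentation map."""
    fragment_threshold: Optional[int] = None   # bytes, maximum fragment size for this class
    no_fragmentation: bool = False             # hashed to one link, no multilink header
    multilink_class: Optional[int] = None      # MCML class index


def validate_fragmentation_map(fmap: Dict[str, ClassFragmentation],
                               multilink_max_classes: Optional[int] = None) -> bool:
    """Reject the combinations the guide calls mutually exclusive or out of range."""
    if multilink_max_classes is not None and not 1 <= multilink_max_classes <= MAX_CLASSES_LIMIT:
        raise ValueError("multilink-max-classes must be 1 through 8")
    for fc, cfg in fmap.items():
        if cfg.no_fragmentation and cfg.fragment_threshold is not None:
            raise ValueError(f"{fc}: fragment-threshold and no-fragmentation are mutually exclusive")
        if cfg.no_fragmentation and cfg.multilink_class is not None:
            raise ValueError(f"{fc}: multilink-class and no-fragmentation are mutually exclusive")
        if cfg.multilink_class is not None:
            if not 0 <= cfg.multilink_class <= MAX_CLASSES_LIMIT - 1:
                raise ValueError(f"{fc}: multilink-class must be 0 through 7")
            # Assumed reading of "must not exceed the number negotiated": index < max classes.
            if multilink_max_classes is None or cfg.multilink_class >= multilink_max_classes:
                raise ValueError(f"{fc}: multilink-class {cfg.multilink_class} exceeds "
                                 f"multilink-max-classes {multilink_max_classes}")
    return True


def render_fragmentation_map(name: str, fmap: Dict[str, ClassFragmentation]) -> str:
    """Emit the map in the [edit class-of-service] syntax quoted in the guide."""
    lines = ["fragmentation-maps {", f"    {name} {{"]
    for fc, cfg in fmap.items():
        lines.append(f"        forwarding-class {fc} {{")
        if cfg.no_fragmentation:
            lines.append("            no-fragmentation;")
        if cfg.fragment_threshold is not None:
            lines.append(f"            fragment-threshold {cfg.fragment_threshold};")
        if cfg.multilink_class is not None:
            lines.append(f"            multilink-class {cfg.multilink_class};")
        lines.append("        }")
    lines += ["    }", "}"]
    return "\n".join(lines)


def packet_handling(packet_bytes: int, forwarding_class: str, fmap, link_mtus: List[int],
                    mrru: int = MRRU_DEFAULT, bundle_fragment_threshold: Optional[int] = None
                    ) -> Tuple[bool, int]:
    """Return (multilink_encapsulated, fragment_count) for one packet.

    Classes default to multilink encapsulation. A no-fragmentation class sends the
    packet whole on one link unless it exceeds the smallest MTU/MRRU in the bundle,
    in which case this model still fragments it (assumed reading of the guide).
    """
    if not MRRU_MIN <= mrru <= MRRU_MAX:
        raise ValueError("mrru must be 1500 through 4500 bytes")
    limit = min(min(link_mtus), mrru)                 # smallest MTU or MRRU across the bundle
    cfg = fmap.get(forwarding_class, ClassFragmentation())
    if cfg.no_fragmentation and packet_bytes <= limit:
        return False, 1
    threshold = cfg.fragment_threshold
    if threshold is None:
        threshold = bundle_fragment_threshold         # unit-level or bundle-options value
    if threshold is None or cfg.no_fragmentation:
        threshold = limit                             # nothing set anywhere: MTU/MRRU only
    return True, ceil(packet_bytes / min(threshold, limit))


# Constructed sample map: voice unfragmented, best effort fragmented at 512 bytes.
SAMPLE_MAP = {
    "expedited-forwarding": ClassFragmentation(no_fragmentation=True),
    "best-effort": ClassFragmentation(fragment_threshold=512, multilink_class=1),
    "network-control": ClassFragmentation(multilink_class=0),
}

if __name__ == "__main__":
    validate_fragmentation_map(SAMPLE_MAP, multilink_max_classes=2)
    print(render_fragmentation_map("frag-map", SAMPLE_MAP))
    print(packet_handling(4000, "best-effort", SAMPLE_MAP, [1500, 1500, 1500]))
```

With the sample map, a 4000-byte best-effort packet becomes eight 512-byte fragments, a 1200-byte voice packet is hashed whole to one link, and a class with no threshold anywhere is fragmented only at the 1500-byte MTU/MRRU limit.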

With MCML, you can assign voice traffic to a high-priority class, and you can use multiple links. Without MCML, all voice traffic belonging to a single flow is hashed to a single link to avoid packet ordering issues. MCML greatly simplifies packet ordering issues that occur when multiple links are used. For more information about voice services support on link services IQ interfaces (lsq), see “Configuring Services Interfaces for Voice Services” on page 522.

NOTE: Configuring both LFI and MCML on the same bundle is not necessary, nor is it supported, because multiclass MLPPP represents a superset of functionality. When you configure multiclass MLPPP, LFI is automatically enabled.

The Junos OS implementation of MCML does not support compression of common header bytes, which is referred to in RFC 2686 as “prefix elision.”

To configure MCML on a link services IQ interface, you must specify how many multilink classes should be negotiated when a link joins the bundle, and you must specify the mapping of a forwarding class into an MCML class.

To specify how many multilink classes should be negotiated when a link joins the bundle, include the multilink-max-classes statement:

multilink-max-classes number;

You can include this statement at the following hierarchy levels:

• [edit interfaces interface-name unit logical-unit-number]
• [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number]

The number of multilink classes can be 1 through 8. To view the number of multilink classes negotiated, issue the show interfaces lsq-fpc/pic/port.logical-unit-number detail command.

To specify the mapping of a forwarding class into an MCML class, include the multilink-class statement at the [edit class-of-service fragmentation-maps map-name forwarding-class class-name] hierarchy level:

[edit class-of-service fragmentation-maps map-name forwarding-class class-name]
multilink-class number;

The multilink class index number can be 0 through 7. The number of multilink classes for each forwarding class must not exceed the number of multilink classes to be negotiated. The multilink-class and no-fragmentation statements are mutually exclusive.

Oversubscribing Interface Bandwidth on LSQ Interfaces

The term oversubscribing interface bandwidth means configuring shaping rates (peak information rates [PIRs]) so that their sum exceeds the interface bandwidth.

On Channelized IQ PICs, Gigabit Ethernet IQ PICs, and FRF.16 link services IQ (lsq-) interfaces on AS and Multiservices PICs, you can oversubscribe interface bandwidth. The logical interfaces (and DLCIs within an FRF.16 bundle) can be oversubscribed when there is leftover bandwidth. The oversubscription is limited to the configured PIR. Any unused bandwidth is distributed equally among oversubscribed logical interfaces or DLCIs.

When you apply traffic control profiles to FRF.16 bundles at the logical interface level, member link interface bandwidth is underutilized when there is a small proportion of traffic or no traffic at all on an individual DLCI. Support for traffic control features at the FRF.16 bundle physical interface level addresses this limitation. When configuring oversubscription for FRF.16 bundle interfaces on a physical interface basis, you can assign traffic control profiles that apply on a physical interface basis.

For networks that are not likely to experience congestion, oversubscribing interface bandwidth improves network utilization, thereby allowing more customers to be provisioned on a single interface. If the actual data traffic does not exceed the interface bandwidth, oversubscription allows you to sell more bandwidth than the interface can support.

We recommend avoiding oversubscription in networks that are likely to experience congestion. When you configure oversubscription, some output queues can be starved if the actual data traffic exceeds the physical interface bandwidth. Be careful not to oversubscribe a service by too much, because this can cause degradation in the performance of the router during congestion. You can prevent degradation by using statistical multiplexing to ensure that the actual data traffic does not exceed the interface bandwidth.

NOTE: You cannot oversubscribe interface bandwidth when you configure traffic shaping using the method described in Applying Scheduler Maps and Shaping Rate to DLCIs and VLANs.

To configure oversubscription of an interface, perform the following steps:

1. Include the shaping-rate statement at the [edit class-of-service traffic-control-profiles profile-name] hierarchy level:

   [edit class-of-service traffic-control-profiles profile-name]
   shaping-rate (percent percentage | rate);

   On IQ and IQ2 interfaces, you can configure the shaping rate as an absolute rate from 1000 through 160,000,000,000 bits per second. On LSQ interfaces, you can configure the shaping rate as a percentage.

   NOTE: When configuring oversubscription for FRF.16 bundle interfaces, you must specify shaping-rate as a percentage.

   Alternatively, you can configure a shaping rate for a logical interface and oversubscribe the physical interface by including the shaping-rate statement at the [edit class-of-service interfaces interface-name unit logical-unit-number] hierarchy level. However, with this configuration approach, you cannot independently control the delay-buffer rate, as described in Step 2.

   For LSQ and Gigabit Ethernet IQ2 interfaces, you can configure both a PIR and a CIR on an interface. For more information about CIRs, see “Configuring Guaranteed Minimum Rate on LSQ Interfaces” on page 473.

   NOTE: For channelized and Gigabit Ethernet IQ interfaces, you can configure either a PIR or a committed information rate (CIR), but not both. In other words, the shaping-rate and guaranteed-rate statements are mutually exclusive. You cannot configure some logical interfaces to use a shaping rate and others to use a guaranteed rate. This means there are no service guarantees when you configure a PIR. This restriction does not apply to Gigabit Ethernet IQ2 PICs or link services IQ (LSQ) interfaces on AS or Multiservices PICs.

2. Optionally, you can base the delay buffer calculation on a delay-buffer rate. To do this, include the delay-buffer-rate statement at the [edit class-of-service traffic-control-profiles profile-name] hierarchy level:

   [edit class-of-service traffic-control-profiles profile-name]
   delay-buffer-rate (percent percentage | rate);

   On IQ and IQ2 interfaces, you can configure the delay-buffer rate as an absolute rate from 1000 through 160,000,000,000 bits per second. On LSQ interfaces, you can configure the delay-buffer rate as a percentage.

   NOTE: When configuring oversubscription for FRF.16 bundle interfaces on a physical interface basis, you must specify delay-buffer-rate as a percentage.

   The delay-buffer rate overrides the shaping rate as the basis for the delay-buffer calculation. In other words, the shaping rate or scaled shaping rate is used for delay-buffer calculations only when the delay-buffer rate is not configured.

   For LSQ interfaces, if you do not configure a delay-buffer rate, the guaranteed rate (CIR) is used to assign buffers. If you do not configure a guaranteed rate, the shaping rate (PIR) is used in the undersubscribed case, and the scaled shaping rate is used in the oversubscribed case. For these interfaces, the actual delay buffer is based on the calculations described in the Junos OS Class of Service Configuration Guide. For an example showing how the delay-buffer rates are applied, see “Examples: Oversubscribing an LSQ Interface” on page 472.

   Configuring large buffers on relatively low-speed links can cause packet aging. To help prevent this problem, the software requires that the sum of the delay-buffer rates be less than or equal to the port speed. This restriction does not eliminate the possibility of packet aging, so you should be cautious when using the delay-buffer-rate statement. Though some amount of extra buffering might be desirable for burst absorption, delay-buffer rates should not far exceed the service rate of the logical interface.

   If you configure delay-buffer rates so that the sum exceeds the port speed, the configured delay-buffer rate is not implemented for the last logical interface that you configure. Instead, that logical interface receives a delay-buffer rate of zero, and a warning message is displayed in the CLI. If bandwidth becomes available (because another logical interface is deleted or deactivated, or the port speed is increased), the configured delay-buffer-rate is reevaluated and implemented if possible.

   If you do not configure a delay-buffer rate or a guaranteed rate, the logical interface receives a delay-buffer rate in proportion to the shaping rate and the remaining delay-buffer rate available. In other words, the delay-buffer rate for each logical interface with no configured delay-buffer rate is equal to:

   (remaining delay-buffer rate * shaping rate) / (sum of shaping rates)

   The remaining delay-buffer rate is equal to:

   (interface speed) – (sum of configured delay-buffer rates)

3. To assign a scheduler map to the logical interface, include the scheduler-map statement at the [edit class-of-service traffic-control-profiles profile-name] hierarchy level:

   [edit class-of-service traffic-control-profiles profile-name]
   scheduler-map map-name;

   For information about configuring schedulers and scheduler maps, see the Junos OS Class of Service Configuration Guide.

4. Optionally, you can enable large buffer sizes to be configured. To do this, include the q-pic-large-buffer statement at the [edit chassis fpc slot-number pic pic-number] hierarchy level:

   [edit chassis fpc slot-number pic pic-number]
   q-pic-large-buffer;

   If you do not include this statement, the delay-buffer size is more restricted. We recommend restricted buffers for delay-sensitive traffic, such as voice traffic. For more information, see the Junos OS Class of Service Configuration Guide.

5. To enable scheduling on logical interfaces, include the per-unit-scheduler statement at the [edit interfaces interface-name] hierarchy level:

   [edit interfaces interface-name]
   per-unit-scheduler;

   When you include this statement, the maximum number of VLANs supported is 768 on a single-port Gigabit Ethernet IQ PIC. On a two-port Gigabit Ethernet IQ PIC, the maximum number is 384.

6. To apply the traffic-scheduling profile to the logical interface, include the output-traffic-control-profile statement at the [edit class-of-service interfaces interface-name unit logical-unit-number] hierarchy level:

   [edit class-of-service interfaces interface-name unit logical-unit-number]
   output-traffic-control-profile profile-name;

   You cannot include the output-traffic-control-profile statement in the configuration if any of the following statements are included in the logical interface configuration: adaptive-shaper, scheduler-map, shaping-rate, or virtual-channel-group.

   For a table that shows how the bandwidth and delay buffer are allocated in various configurations, see the Junos OS Class of Service Configuration Guide.

7. To enable scheduling for FRF.16 bundle physical interfaces, include the no-per-unit-scheduler statement at the [edit interfaces interface-name] hierarchy level:

   [edit interfaces interface-name]
   no-per-unit-scheduler;

Examples: Oversubscribing an LSQ Interface

Oversubscribing an LSQ Interface with Scheduling Based on the Logical Interface

Apply a traffic-control profile to a logical interface representing a DLCI on an FRF.16 bundle. The two guaranteed rates sum to 100 percent of the bundle, while the two shaping rates sum to 180 percent, which is the oversubscription:

interfaces {
    lsq-1/3/0:0 {
        per-unit-scheduler;
        unit 0 {
            dlci 100;
        }
        unit 1 {
            dlci 200;
        }
    }
}
class-of-service {
    traffic-control-profiles {
        tc_0 {
            shaping-rate percent 100;
            guaranteed-rate percent 60;
            delay-buffer-rate percent 80;
        }
        tc_1 {
            shaping-rate percent 80;
            guaranteed-rate percent 40;
        }
    }
    interfaces {
        lsq-1/3/0:0 { # Same bundle as under [edit interfaces]
            unit 0 {
                output-traffic-control-profile tc_0;
            }
            unit 1 {
                output-traffic-control-profile tc_1;
            }
        }
    }
}

Oversubscribing an LSQ Interface with Scheduling Based on the Physical Interface

Apply a traffic-control profile to the physical interface representing an FRF.16 bundle. Because scheduling is done on the physical interface, the bundle uses no-per-unit-scheduler and the profile is applied to the bundle itself rather than to a unit:

interfaces {
    lsq-0/2/0:0 {
        no-per-unit-scheduler;
        encapsulation multilink-frame-relay-uni-nni;
        unit 0 {
            dlci 100;
            family inet {
                address 18.18.1.2/24;
            }
        }
    }
}
class-of-service {
    traffic-control-profiles {
        rlsq_tc {
            scheduler-map rlsq;
            shaping-rate percent 60;
            delay-buffer-rate percent 10;
        }
    }
    interfaces {
        lsq-0/2/0:0 {
            output-traffic-control-profile rlsq_tc;
        }
    }
    scheduler-maps {
        rlsq {
            forwarding-class best-effort scheduler rlsq_scheduler;
            forwarding-class expedited-forwarding scheduler rlsq_scheduler1;
        }
    }
    schedulers {
        rlsq_scheduler {
            transmit-rate percent 20;
            priority low;
        }
        rlsq_scheduler1 {
            transmit-rate percent 40;
            priority high;
        }
    }
}

Configuring Guaranteed Minimum Rate on LSQ Interfaces

On Gigabit Ethernet IQ PICs, Channelized IQ PICs, and FRF.16 link services IQ (LSQ) interfaces on AS and Multiservices PICs, you can configure guaranteed bandwidth, also known as a committed information rate (CIR). This allows you to specify a guaranteed rate for each logical interface. The guaranteed rate is a minimum. If excess physical interface bandwidth is available for use, the logical interface receives more than the guaranteed rate provisioned for the interface.

You cannot provision the sum of the guaranteed rates to be more than the physical interface bandwidth, or the bundle bandwidth for LSQ interfaces. If the sum of the guaranteed rates exceeds the interface or bundle bandwidth, the commit operation does not fail, but the software automatically decreases the rates so that the sum of the guaranteed rates is equal to the available bundle bandwidth. Because the commit succeeds, check the resulting rates rather than assuming the configured CIRs are in force.

To configure a guaranteed minimum rate, perform the following steps:

1. Include the guaranteed-rate statement at the [edit class-of-service traffic-control-profiles profile-name] hierarchy level:

   [edit class-of-service traffic-control-profiles profile-name]
   guaranteed-rate (percent percentage | rate);

   On IQ and IQ2 interfaces, you can configure the guaranteed rate as an absolute rate from 1000 through 160,000,000,000 bits per second. On LSQ interfaces, you can configure the guaranteed rate as a percentage.

   For LSQ and Gigabit Ethernet IQ2 interfaces, you can configure both a PIR and a CIR on an interface.

   NOTE: For channelized and Gigabit Ethernet IQ interfaces, you can configure either a PIR or a committed information rate (CIR), but not both. In other words, the shaping-rate and guaranteed-rate statements are mutually exclusive. You cannot configure some logical interfaces to use a shaping rate and others to use a guaranteed rate. This means there are no service guarantees when you configure a PIR. This restriction does not apply to Gigabit Ethernet IQ2 PICs or link services IQ (LSQ) interfaces on AS or Multiservices PICs.

2. Optionally, you can base the delay buffer calculation on a delay-buffer rate. To do this, include the delay-buffer-rate statement at the [edit class-of-service traffic-control-profiles profile-name] hierarchy level:

   [edit class-of-service traffic-control-profiles profile-name]
   delay-buffer-rate (percent percentage | rate);

   On IQ and IQ2 interfaces, you can configure the delay-buffer rate as an absolute rate from 1000 through 160,000,000,000 bits per second. On LSQ interfaces, you can configure the delay-buffer rate as a percentage.

   The actual delay buffer is based on the calculations described in tables in the Junos OS Class of Service Configuration Guide. For more information about CIRs and an example showing how the delay-buffer rates are applied, see “Example: Configuring Guaranteed Minimum Rate” on page 476.

   If you do not include the delay-buffer-rate statement, the delay-buffer calculation is based on the guaranteed rate, on the shaping rate if no guaranteed rate is configured, or on the scaled shaping rate if the interface is oversubscribed. If you do not specify a shaping rate or a guaranteed rate, the logical interface receives a minimal delay-buffer rate and minimal bandwidth equal to 4 MTU-sized packets.

   You can configure a rate for the delay buffer that is higher than the guaranteed rate. This can be useful when the traffic flow might not require much bandwidth in general, but in some cases can be bursty and therefore needs a large buffer.

   Configuring large buffers on relatively low-speed links can cause packet aging. To help prevent this problem, the software requires that the sum of the delay-buffer rates be less than or equal to the port speed. This restriction does not eliminate the possibility of packet aging, so you should be cautious when using the delay-buffer-rate statement. Though some amount of extra buffering might be desirable for burst absorption, delay-buffer rates should not far exceed the service rate of the logical interface.

   If you configure delay-buffer rates so that the sum exceeds the port speed, the configured delay-buffer rate is not implemented for the last logical interface that you configure. Instead, that logical interface receives a delay-buffer rate of 0, and a warning message is displayed in the CLI. If bandwidth becomes available (because another logical interface is deleted or deactivated, or the port speed is increased), the configured delay-buffer-rate is reevaluated and implemented if possible.

   If the guaranteed rate of a logical interface cannot be implemented, that logical interface receives a delay-buffer rate of 0, even if the configured delay-buffer rate is within the interface speed. If at a later time the guaranteed rate of the logical interface can be met, the configured delay-buffer rate is reevaluated and, if the delay-buffer rate is within the remaining bandwidth, it is implemented.

   If any logical interface has a configured guaranteed rate, all other logical interfaces on that port that do not have a guaranteed rate configured receive a delay-buffer rate of 0. This is because the absence of a guaranteed rate configuration corresponds to a guaranteed rate of 0 and, consequently, a delay-buffer rate of 0.

3. To assign a scheduler map to the logical interface, include the scheduler-map statement at the [edit class-of-service traffic-control-profiles profile-name] hierarchy level:

   [edit class-of-service traffic-control-profiles profile-name]
   scheduler-map map-name;

   For information about configuring schedulers and scheduler maps, see the Junos OS Class of Service Configuration Guide.

4. To enable large buffer sizes to be configured, include the q-pic-large-buffer statement at the [edit chassis fpc slot-number pic pic-number] hierarchy level:

   [edit chassis fpc slot-number pic pic-number]
   q-pic-large-buffer;

   If you do not include this statement, the delay-buffer size is more restricted. For more information, see the Junos OS Class of Service Configuration Guide.
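The delay-buffer and guaranteed-rate rules in Steps 1 and 2 above interact in ways that are easy to misread (CIRs that silently shrink at commit, the last-configured unit losing its buffer, units without a CIR dropping to a zero buffer as soon as a neighbour has one). The following is an added example, not Juniper code, that models those rules so the outcome of a candidate profile set can be checked before committing it. Rates are plain numbers in one unit (bits per second or percent of the port speed), and logical units are listed in configuration order because the text ties the zero-buffer outcome to the last unit configured. Two points are assumptions because the text does not state them: the CIR reduction is applied proportionally, and the “sum of shaping rates” in the sharing formula is taken over the units that still need a buffer rate.

```python
# Added example (not Juniper code): a model of the delay-buffer and guaranteed-rate
# rules stated in Steps 1 and 2. Rates are plain numbers in one unit (bits per
# second, or percent of the port speed); logical units are listed in configuration
# order because the text ties "last logical interface that you configure" to it.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Unit:
    name: str
    shaping_rate: Optional[float] = None       # PIR (shaping-rate)
    guaranteed_rate: Optional[float] = None    # CIR (guaranteed-rate)
    delay_buffer_rate: Optional[float] = None  # explicit delay-buffer-rate


@dataclass
class Allocation:
    name: str
    guaranteed_rate: Optional[float]   # CIR after any automatic scaling
    delay_buffer_rate: float
    basis: str                         # which rule produced the delay-buffer rate
    warning: bool = False              # True where the CLI would warn


def scale_guaranteed_rates(units: List[Unit], port_speed: float) -> dict:
    """The sum of CIRs may not exceed the port (bundle) speed. Commit still succeeds;
    the rates are reduced until the sum equals the available bandwidth. Reducing
    them proportionally is an assumption: the text does not say how the reduction
    is distributed across units."""
    total = sum(u.guaranteed_rate for u in units if u.guaranteed_rate is not None)
    factor = port_speed / total if total > port_speed else 1.0
    return {u.name: (None if u.guaranteed_rate is None else u.guaranteed_rate * factor)
            for u in units}


def allocate_delay_buffers(units: List[Unit], port_speed: float) -> List[Allocation]:
    cir = scale_guaranteed_rates(units, port_speed)
    any_cir = any(u.guaranteed_rate is not None for u in units)
    out: List[Optional[Allocation]] = [None] * len(units)

    # Pass 1: explicit delay-buffer rates, accepted in configuration order while the
    # running sum stays within the port speed; the unit that pushes the sum over the
    # port speed gets 0 and a warning (it is re-evaluated only if bandwidth frees up).
    committed = 0.0
    for i, u in enumerate(units):
        if u.delay_buffer_rate is None:
            continue
        if committed + u.delay_buffer_rate <= port_speed:
            committed += u.delay_buffer_rate
            out[i] = Allocation(u.name, cir[u.name], u.delay_buffer_rate, "configured")
        else:
            out[i] = Allocation(u.name, cir[u.name], 0.0, "sum exceeds port speed", True)

    # Pass 2: units with no explicit rate. A CIR is the basis when present. When any
    # unit on the port has a CIR, the others count as CIR 0 and get buffer 0. With no
    # CIRs at all, the remaining delay-buffer rate is shared in proportion to the
    # shaping rates of the units still needing one (assumed reading of the formula).
    remaining = port_speed - committed
    pending = [u for i, u in enumerate(units) if out[i] is None]
    shaping_sum = sum(u.shaping_rate or 0.0 for u in pending if u.guaranteed_rate is None)
    for i, u in enumerate(units):
        if out[i] is not None:
            continue
        if u.guaranteed_rate is not None:
            out[i] = Allocation(u.name, cir[u.name], cir[u.name], "guaranteed rate")
        elif any_cir:
            out[i] = Allocation(u.name, None, 0.0, "no CIR while other units have one")
        elif u.shaping_rate and shaping_sum:
            share = remaining * u.shaping_rate / shaping_sum
            out[i] = Allocation(u.name, None, share, "share of remaining by shaping rate")
        else:
            # The text gives such a unit a minimal buffer of 4 MTU-sized packets;
            # that constant is not modelled here, so the rate is reported as 0.
            out[i] = Allocation(u.name, None, 0.0, "minimal (no PIR or CIR)")
    return out  # type: ignore[return-value]


if __name__ == "__main__":
    # The page's first oversubscription example, in percent of the bundle speed.
    demo = [Unit("tc_0", shaping_rate=100, guaranteed_rate=60, delay_buffer_rate=80),
            Unit("tc_1", shaping_rate=80, guaranteed_rate=40)]
    for a in allocate_delay_buffers(demo, 100):
        print(f"{a.name}: CIR={a.guaranteed_rate} delay-buffer={a.delay_buffer_rate:.1f} ({a.basis})")
```

Run against the page's two examples, tc_0 keeps its configured 80 percent buffer and tc_1 is buffered on its 40 percent CIR; with CIRs of 80 and 60 percent on one port, both are scaled so the sum is exactly 100, with no commit error to draw attention to it.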

5. To enable scheduling on logical interfaces, include the per-unit-scheduler statement at the [edit interfaces interface-name] hierarchy level:

   [edit interfaces interface-name]
   per-unit-scheduler;

   When you include this statement, the maximum number of VLANs supported is 767 on a single-port Gigabit Ethernet IQ PIC. On a two-port Gigabit Ethernet IQ PIC, the maximum number is 383.

6. To apply the traffic-scheduling profile to the logical interface, include the output-traffic-control-profile statement at the [edit class-of-service interfaces interface-name unit logical-unit-number] hierarchy level:

   [edit class-of-service interfaces interface-name unit logical-unit-number]
   output-traffic-control-profile profile-name;

Example: Configuring Guaranteed Minimum Rate

Two logical interface units, 0 and 1, are provisioned with a guaranteed minimum of 750 Kbps and 500 Kbps, respectively. For logical unit 0, the delay buffer is based on the guaranteed rate setting. For logical unit 1, a delay-buffer rate of 500 Kbps is specified. The actual delay buffers allocated to each logical interface are 2 seconds of 500 Kbps. The 2-second value is based on the following calculation:

   delay-buffer-rate < [8 x 64 Kbps]: 2 seconds of delay-buffer-rate

For more information about this calculation, see the Junos OS Class of Service Configuration Guide.

chassis {
    fpc 3 {
        pic 0 {
            q-pic-large-buffer;
        }
    }
}
interfaces {
    t1-3/0/1 {
        per-unit-scheduler;
    }
}
class-of-service {
    traffic-control-profiles {
        tc-profile3 {
            guaranteed-rate 750k;
            scheduler-map sched-map3;
        }
        tc-profile4 {
            guaranteed-rate 500k;
            delay-buffer-rate 500k; # 500 Kbps is less than 8 x 64 Kbps
            scheduler-map sched-map4;
        }
    }
    interfaces {
        t1-3/0/1 {
            unit 0 {
                output-traffic-control-profile tc-profile3;
            }
            unit 1 {
                output-traffic-control-profile tc-profile4;
            }
        }
    }
}

Configuring Link Services and CoS on Services PICs

To configure link services and CoS on an AS or Multiservices PIC, you must perform the following steps:

1. Enable the Layer 2 service package.

   To enable the Layer 2 service package, include the service-package statement at the [edit chassis fpc slot-number pic pic-number adaptive-services] hierarchy level, and specify layer-2:

   [edit chassis fpc slot-number pic pic-number adaptive-services]
   service-package layer-2;

   You enable service packages per PIC, not per port. When you enable the Layer 2 service package, the entire PIC uses the configured package. For more information about AS or Multiservices PIC service packages, see “Enabling Service Packages” on page 39 and “Layer 2 Service Package Capabilities and Interfaces” on page 448.

2. Configure a multilink PPP or FRF.16 bundle by combining constituent links into a virtual link, or bundle.

Configuring an MLPPP Bundle

To configure an MLPPP bundle, configure constituent links and bundle properties by including the following statements in the configuration:

[edit interfaces interface-name unit logical-unit-number]
encapsulation ppp;
family mlppp {
    bundle lsq-fpc/pic/port.logical-unit-number;
}

[edit interfaces lsq-fpc/pic/port unit logical-unit-number]
drop-timeout milliseconds;
encapsulation multilink-ppp;
fragment-threshold bytes;
link-layer-overhead percent;
minimum-links number;
mrru bytes;
short-sequence;
family inet {
    address address;
}

For more information about these statements, see the Link and Multilink Properties.

Configuring an MLFR FRF.16 Bundle

To configure an MLFR FRF.16 bundle, configure constituent links and bundle properties by including the following statements in the configuration:

[edit chassis fpc slot-number pic slot-number]
mlfr-uni-nni-bundles number;

[edit interfaces interface-name]
encapsulation multilink-frame-relay-uni-nni;
unit logical-unit-number {
    family mlfr-uni-nni {
        bundle lsq-fpc/pic/port:channel;
    }
}

MLFR FRF.16 uses channels as logical units. Include the following statements at the [edit interfaces lsq-fpc/pic/port:channel] hierarchy level. For MLFR FRF.16, you must configure one end as data circuit-terminating equipment (DCE) by including the dce statement:

[edit interfaces lsq-fpc/pic/port:channel]
encapsulation multilink-frame-relay-uni-nni;
dce;
drop-timeout milliseconds;
fragment-threshold bytes;
link-layer-overhead percent;
minimum-links number;
mrru bytes;
mlfr-uni-nni-options {
    acknowledge-retries number;
    acknowledge-timer milliseconds;
    action-red-differential-delay (disable-tx | remove-link);
    hello-timer milliseconds;
    lmi-type (ansi | itu);
    n391 number;
    n392 number;
    n393 number;
    red-differential-delay milliseconds;
    t391 number;
    t392 number;
    yellow-differential-delay milliseconds;
}
unit logical-unit-number {
    dlci dlci-identifier;
    family inet {
        address address;
    }
}

For more information about the mlfr-uni-nni-bundles statement, see the Junos OS System Basics Configuration Guide. For more information about MLFR UNI NNI properties, see Link and Multilink Properties.

3. To configure CoS components for each multilink bundle, enable per-unit scheduling on the interface, configure a scheduler map, apply the scheduler to each queue, configure a fragmentation map, and apply the fragmentation map to each bundle. Include the following statements:

[edit interfaces]
lsq-fpc/pic/port {
    per-unit-scheduler; # Enables per-unit scheduling on the bundle
}

[edit class-of-service]
interfaces {
    lsq-fpc/pic/port { # Multilink PPP
        unit logical-unit-number {
            scheduler-map map-name; # Applies scheduler map to each queue
        }
    }
    lsq-fpc/pic/port:channel { # MLFR FRF.16
        unit logical-unit-number {
            # Scheduler map provides scheduling information for
            # the queues within a single DLCI.
            scheduler-map map-name;
            shaping-rate percent percent;
        }
    }
}
scheduler-maps {
    map-name {
        forwarding-class class-name scheduler scheduler-name;
    }
}
schedulers {
    scheduler-name {
        buffer-size (percent percentage | remainder | temporal microseconds);
        priority priority-level;
        transmit-rate (percent percentage | rate | remainder) <exact>;
    }
}
forwarding-classes {
    queue queue-number class-name priority (high | low);
}

Associate a fragmentation map with a multilink PPP interface or MLFR FRF.16 DLCI by including the following statements at the [edit class-of-service] hierarchy level:

interfaces {
    lsq-fpc/pic/port {
        unit logical-unit-number { # Multilink PPP
            fragmentation-map map-name;
        }
    }
    lsq-fpc/pic/port:channel { # MLFR FRF.16
        unit logical-unit-number {
            fragmentation-map map-name;
        }
    }
}
fragmentation-maps {
    map-name {
        forwarding-class class-name {
            fragment-threshold bytes;
            no-fragmentation;
        }
    }
}

Configuring LSQ Interfaces as NxT1 or NxE1 Bundles Using MLPPP

To configure an NxT1 bundle using MLPPP, you aggregate N different T1 links into a bundle. The NxT1 bundle is called a logical interface, because it can represent, for example, a routing adjacency. To aggregate T1 links into an MLPPP bundle, include the bundle statement at the [edit interfaces t1-fpc/pic/port unit logical-unit-number family mlppp] hierarchy level:

[edit interfaces t1-fpc/pic/port unit logical-unit-number family mlppp]
bundle lsq-fpc/pic/port.logical-unit-number;

To configure the link services IQ interface properties, include the following statements at the [edit interfaces lsq-fpc/pic/port unit logical-unit-number] hierarchy level:

[edit interfaces lsq-fpc/pic/port unit logical-unit-number]
drop-timeout milliseconds;
encapsulation multilink-ppp;
fragment-threshold bytes;
link-layer-overhead percent;
minimum-links number;
mrru bytes;
short-sequence;
family inet {
    address address;
}

NOTE: Link services IQ interfaces support both T1 and E1 physical interfaces. These instructions apply to T1 interfaces, but the configuration for E1 interfaces is similar.

The logical link services IQ interface represents the MLPPP bundle. For the MLPPP bundle, there are four associated queues on M Series routers and eight associated queues on M320 and T Series routers. A scheduler removes packets from the queues according to a scheduling policy. Typically, you designate one queue to have strict priority, and the remaining queues are serviced in proportion to weights you configure.

For MLPPP, assign a single scheduler map to the link services IQ interface (lsq) and to each constituent link. The default schedulers for M Series and T Series routers, which assign 95, 0, 0, and 5 percent bandwidth for the transmission rate and buffer size of queues 0, 1, 2, and 3, are not adequate when you configure LFI or multiclass traffic. Therefore, for MLPPP, you should configure a single scheduler with nonzero percent transmission rates and buffer sizes for queues 0 through 3, and assign this scheduler to the link services IQ interface (lsq) and to each constituent link, as shown in “Example: Configuring an LSQ Interface as an NxT1 Bundle Using MLPPP” on page 483.

NOTE: For M320 and T Series routers, the default scheduler transmission rate and buffer size percentages for queues 0 through 7 are 95, 0, 0, 5, 0, 0, 0, and 0 percent.

If the bundle has more than one link, you must include the per-unit-scheduler statement at the [edit interfaces lsq-fpc/pic/port] hierarchy level:

[edit interfaces lsq-fpc/pic/port]
per-unit-scheduler;

To configure and apply the scheduling policy, include the following statements at the [edit class-of-service] hierarchy level:

[edit class-of-service]
interfaces {
    t1-fpc/pic/port {
        unit logical-unit-number {
            scheduler-map map-name;
        }
    }
}
scheduler-maps {
    map-name {
        forwarding-class class-name scheduler scheduler-name;
    }
}
schedulers {
    scheduler-name {
        buffer-size (percent percentage | remainder | temporal microseconds);
        priority priority-level;
        transmit-rate (rate | percent percentage | remainder) <exact>;
    }
}
forwarding-classes {
    queue queue-number class-name;
}

For link services IQ interfaces, a strict-high-priority queue might starve the other three queues, because traffic in a strict-high-priority queue is transmitted before any other queue is serviced. This implementation is unlike the standard Junos CoS implementation, in which a strict-high-priority queue does round-robin with high-priority queues, as described in the Junos OS Class of Service Configuration Guide. Treat a strict-high queue on an LSQ bundle as one that must be policed or shaped upstream; the scheduler itself gives the lower queues no protection.

After the scheduler removes a packet from a queue, a certain action is taken. The action depends on whether the packet came from a multilink-encapsulated queue (fragmented and sequenced) or a nonencapsulated queue (hashed with no fragmentation). Each queue can be designated as either multilink encapsulated or nonencapsulated, independently of the others. By default, traffic in all forwarding classes is multilink encapsulated. To configure packet fragmentation handling on a queue, include the fragmentation-maps statement at the [edit class-of-service] hierarchy level:

fragmentation-maps {
    map-name {
        forwarding-class class-name {
            fragment-threshold bytes;
            multilink-class number;
            no-fragmentation;
        }
    }
}
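The two per-queue behaviours just named, fragmented-and-sequenced versus hashed-and-unfragmented, are easiest to compare in a small simulation. The following is an added example, not Juniper code: it models a bundle of N links, gives multilink-encapsulated packets a shared sequence counter and splits them at the fragment threshold, and pins nonencapsulated packets to a link by hashing the flow fields (addresses, IP protocol, ports). The link-selection policy for fragments (least-loaded link) and the hash function (SHA-256 over those fields) are assumptions; the page does not publish what the PIC uses. The receive side shows why the two queue types behave differently: sequenced fragments can be put back in order, plain PPP frames cannot, so they must never have been split across links in the first place.

```python
# Added example (not Juniper code): a toy model of the two queue behaviours on an
# NxT1 MLPPP bundle. Assumed, because the page does not publish them: the link
# selection for sequenced fragments (least-loaded link here) and the flow hash for
# nonencapsulated traffic (SHA-256 over the header fields the text lists).
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int      # IP protocol number; 6 = TCP, 17 = UDP
    sport: int
    dport: int
    size: int       # bytes


@dataclass
class Frame:
    link: int                # index of the T1 link the frame was sent on
    size: int
    seq: Optional[int]       # MLPPP sequence number; None for a plain PPP frame
    pkt: Packet
    frag: int = 0            # fragment index within the packet
    nfrags: int = 1


class Bundle:
    def __init__(self, n_links: int, fragment_threshold: int):
        self.n = n_links
        self.threshold = fragment_threshold
        self.load = [0] * n_links      # bytes sent per link
        self.seq = 0                   # one sequence counter for the whole bundle
        self.frames: List[Frame] = []  # everything transmitted, in order

    def send_encapsulated(self, pkt: Packet) -> None:
        """Multilink-encapsulated queue: split at the fragment threshold, give each
        fragment the next sequence number, choose each fragment's link independently."""
        nfrags = max(1, -(-pkt.size // self.threshold))   # ceiling division
        for i in range(nfrags):
            size = min(self.threshold, pkt.size - i * self.threshold)
            link = min(range(self.n), key=lambda k: self.load[k])  # assumed policy
            self.load[link] += size
            self.frames.append(Frame(link, size, self.seq, pkt, i, nfrags))
            self.seq += 1

    def send_plain(self, pkt: Packet) -> None:
        """Nonencapsulated queue: plain PPP header, no sequence number, no
        fragmentation. The link is a hash of the flow fields, so one flow never
        straddles two links and cannot be reordered, but nothing balances the load."""
        key = f"{pkt.src}|{pkt.dst}|{pkt.proto}|{pkt.sport}|{pkt.dport}".encode()
        link = int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % self.n
        self.load[link] += pkt.size
        self.frames.append(Frame(link, pkt.size, None, pkt))


def receive(frames: Sequence[Frame],
            arrival_order: Optional[Sequence[int]] = None) -> Tuple[List[Frame], List[Frame]]:
    """Far-end behaviour: frames carrying a sequence number are put back into
    sequence order; plain PPP frames are accepted in the order they arrived."""
    order = list(arrival_order) if arrival_order is not None else list(range(len(frames)))
    arrived = [frames[i] for i in order]
    sequenced = sorted((f for f in arrived if f.seq is not None), key=lambda f: f.seq)
    plain = [f for f in arrived if f.seq is None]
    return sequenced, plain


def links_used_by_flow(frames: Sequence[Frame], pkt: Packet) -> set:
    """Set of links that carried plain frames belonging to the same flow as pkt."""
    same = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
    return {f.link for f in frames if f.seq is None and
            (f.pkt.src, f.pkt.dst, f.pkt.proto, f.pkt.sport, f.pkt.dport) == same}


if __name__ == "__main__":
    b = Bundle(n_links=4, fragment_threshold=128)
    b.send_encapsulated(Packet("10.2.3.4", "10.2.3.1", 6, 40000, 80, 1000))
    print("bytes per link after one sequenced 1000-byte packet:", b.load)
    voip = Packet("10.2.3.4", "10.2.3.1", 17, 16384, 16384, 200)   # constructed flow
    for _ in range(20):
        b.send_plain(voip)
    print("links carrying the plain-PPP flow:", links_used_by_flow(b.frames, voip))
```

A 1000-byte packet with a 128-byte threshold becomes eight sequenced fragments spread almost evenly over four links, and the receiver restores their order from any arrival permutation; twenty packets of one UDP flow from the plain queue all land on a single link, which is exactly the reordering guarantee and the load-balancing weakness the section describes.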

You do this by including the fragment-threshold statement in the configuration. The MRRU is similar to the MTU. For more information about MCML. and therefore 482 Copyright © 2011. By default the MRRU size is 1500 bytes. the software gives the packet an MLPPP header. For more information. the software computes the hash based on up to five MPLS labels. we recommend that you configure all queues to be multilink encapsulated. To avoid packet reordering. and you can configure it to be from 1500 through 4500 bytes. Because there is no MLPPP header. include the no-fragmentation statement in the fragmentation map. Inc. For MPLS. the software must take special measures to avoid packet reordering. you can configure the maximum received reconstructed unit (MRRU) by including the mrru statement at the [edit interfaces lsq-fpc/pic/port unit logical-unit-number] hierarchy level. . The outgoing link for each fragment is selected independently of all other fragments. Therefore. there is no sequence number information. The software then places the packet on one of the N different T1 links. If you do not include the fragment-threshold statement in the fragmentation map. and IP protocol. For IP. If the packet exceeds the minimum link MTU. the software computes the hash based on source address. Even if you do not set a maximum fragment size anywhere in the configuration. which are assigned consecutive multilink sequence numbers. All other considerations are equal. but is specific to link services interfaces. as well as source and destination IP addresses. the software places the packet on one of the N different T1 links. The link is chosen on a packet-by-packet basis to balance the load across the various T1 links. the software splits the packet into two or more fragments. Therefore. see “Configuring CoS Fragmentation by Forwarding Class on LSQ Interfaces” on page 465. If you choose to set traffic on a queue to be nonencapsulated rather than multilink encapsulated. 
which is filled with the next available sequence number from a counter. The link is determined by hashing the values in the header. or if a queue has a fragment threshold configured at the [edit class-of-service fragmentation-maps map-name forwarding-class class-name] hierarchy level.4 Services Interfaces Configuration Guide For NxT1 bundles using MLPPP. packets are fragmented if they exceed the smallest MTU of all the links in the bundle. The MLPPP header contains a sequence number field. If you do not set a maximum fragment size anywhere in the configuration. or four MPLS labels and the IP header. see “Configuring Multiclass MLPPP on LSQ Interfaces” on page 467. destination address. the fragmentation threshold you set at the [edit interfaces interface-name unit logical-unit-number] hierarchy level is the default for all forwarding classes. Juniper Networks. When a packet is removed from a nonencapsulated queue. see “Configuring MRRU on Multilink and Link Services Logical Interfaces” on page 1242. the byte-wise load balancing used in multilink-encapsulated queues is superior to the flow-wise load balancing used in nonencapsulated queues. it is transmitted with a plain PPP header. You use the multilink-class statement to map a forwarding class into a multiclass MLPPP (MCML). For UDP and TCP the software computes the hash based on the source and destination ports. This guarantees that all packets belonging to the same TCP/UDP flow always pass through the same T1 link. When a packet is removed from a multilink-encapsulated queue. For more information about fragmentation maps.Junos 11.

Chapter 20: Link Services IQ Interfaces Configuration Guidelines cannot be reordered.3. The router at the far end gathers packets from all the T1 links. unit 0 { family mlppp { bundle lsq-1/3/0. # This adds t1-0/0/0 to the specified bundle.2. If there are many flows. the software accepts the packet in the order in which it arrives and makes no attempt to reassemble or reorder the packet. mrru 4500.4/24.1. Inc. 483 . the load is usually balanced. } [edit class-of-service] Copyright © 2011. } } } t1-0/0/1 { encapsulation ppp. link-layer-overhead 0. the sequence number field is used to put the packet back into sequence number order. it does not guarantee that the load on the various T1 links is balanced. drop-timeout 1000. Example: Configuring an LSQ Interface as an NxT1 Bundle Using MLPPP [edit chassis] fpc 1 { pic 3 { adaptive-services { service-package layer-2. unit 0 { family mlppp { bundle lsq-1/3/0. minimum-links 2. which can be from Juniper Networks or another vendor. If the packet has a plain PPP header.1. If a packet has an MLPPP header. However. encapsulation multilink-ppp. } } } [edit interfaces] t1-0/0/0 { encapsulation ppp. Juniper Networks. family inet { address 10. } } [edit interfaces] lsq-1/3/0 { per-unit-scheduler. fragment-threshold 128. } } } lsq-1/3/0 { unit 1 { # This is the virtual link that concatenates multiple T1s.5. The N different T1 interfaces link to another router. short-sequence.

priority low. priority high. queue 2 af. } } schedulers { af-scheduler { transmit-rate percent 30. } } t1-0/0/0 { # multilink PPP constituent link unit 0 { scheduler-map sched-map1. priority strict-high. . # voice queue } nc-scheduler { transmit-rate percent 5. } forwarding-classes { queue 0 be. } forwarding-class ef { 484 Copyright © 2011.4 Services Interfaces Configuration Guide interfaces { lsq-1/3/0 { # multilink PPP constituent link unit 0 { scheduler-map sched-map1. forwarding-class be scheduler be-scheduler.Junos 11. Inc. buffer-size percent 30. buffer-size percent 40. } scheduler-maps { sched-map1 { forwarding-class af scheduler af-scheduler. queue 1 ef. buffer-size percent 5. forwarding-class ef scheduler ef-scheduler. queue 3 nc. Juniper Networks. } ef-scheduler { transmit-rate percent 40. buffer-size percent 25. } be-scheduler { transmit-rate percent 25. forwarding-class nc scheduler nc-scheduler. priority low. } t1-0/0/1 { # multilink PPP constituent link unit 0 { scheduler-map sched-map1. } } fragmentation-maps { fragmap-1 { forwarding-class be { fragment-threshold 180.

            fragment-threshold 100;
        }
    }
}
[edit class-of-service]
interfaces {
    lsq-1/3/0 {
        unit 0 {
            fragmentation-map fragmap-1;
        }
    }
}

Configuring LSQ Interfaces as NxT1 or NxE1 Bundles Using FRF.16

NOTE: Link services IQ interfaces support both T1 and E1 physical interfaces. These instructions apply to T1 interfaces, but the configuration for E1 interfaces is similar.

To configure an NxT1 bundle using FRF.16, you aggregate N different T1 links into a bundle. The NxT1 bundle carries a potentially large number of Frame Relay PVCs, identified by their DLCIs. Each DLCI is called a logical interface, because it can represent, for example, a routing adjacency.

To aggregate T1 links into an FRF.16 bundle, include the mlfr-uni-nni-bundles statement at the [edit chassis fpc slot-number pic slot-number] hierarchy level and include the bundle statement at the [edit interfaces t1-fpc/pic/port unit logical-unit-number family mlfr-uni-nni] hierarchy level:

[edit chassis fpc slot-number pic slot-number]
mlfr-uni-nni-bundles number;
[edit interfaces t1-fpc/pic/port unit logical-unit-number family mlfr-uni-nni]
bundle lsq-fpc/pic/port:channel;

To configure the link services IQ interface properties, include the following statements at the [edit interfaces lsq-fpc/pic/port:channel] hierarchy level:

[edit interfaces lsq-fpc/pic/port:channel]
dce;
encapsulation multilink-frame-relay-uni-nni;
mlfr-uni-nni-bundle-options {
    acknowledge-retries number;
    acknowledge-timer milliseconds;
    action-red-differential-delay (disable-tx | remove-link);
    drop-timeout milliseconds;
    fragment-threshold bytes;
    hello-timer milliseconds;
    link-layer-overhead percent;
    lmi-type (ansi | itu);
    minimum-links number;
    mrru bytes;
    n391 number;
    n392 number;

    n393 number;
    red-differential-delay milliseconds;
    t391 number;
    t392 number;
    yellow-differential-delay milliseconds;
}
unit logical-unit-number {
    dlci dlci-identifier;
    family inet {
        address address;
    }
}

The link services IQ channel represents the FRF.16 bundle. Four queues are associated with each DLCI. A scheduler removes packets from the queues according to a scheduling policy. On the link services IQ interface, you typically designate one queue to have strict priority. The remaining queues are serviced in proportion to weights you configure.

For FRF.16, if the bundle has more than one link, a strict-high-priority queue might starve the other three queues because traffic in a strict-high-priority queue is transmitted before any other queue is serviced. This implementation is unlike the standard Junos CoS implementation in which a strict-high-priority queue does round-robin with high-priority queues, as described in the Junos OS Class of Service Configuration Guide.

For link services IQ interfaces, you can assign a single scheduler map to the link services IQ interface (lsq) and to each link services IQ DLCI, or you can assign different scheduler maps to the various DLCIs of the bundle, as shown in “Example: Configuring an LSQ Interface as an NxT1 Bundle Using FRF.16” on page 488.

For M Series and T Series routers, the default schedulers’ transmission rate and buffer size percentages for queues 0 through 3 are 95, 0, 0, and 5 percent. These default schedulers send all user traffic to queue 0 and all network-control traffic to queue 3, and therefore are well suited to the behavior of FRF.16. Because LFI and multiclass are not supported for FRF.16, the traffic from each constituent link is transmitted from queue 0. This means you should allow most of the bandwidth to be used by queue 0. For the constituent links of an FRF.16 bundle, you do not need to configure a custom scheduler. If desired, you can configure a custom scheduler that explicitly replicates the 95, 0, 0, and 5 percent queuing behavior, and apply it to the constituent links.

NOTE: For M320 and T Series routers, the default scheduler transmission rate and buffer size percentages for queues 0 through 7 are 95, 0, 0, 5, 0, 0, 0, and 0 percent.

For FRF.16, you must include the per-unit-scheduler statement at the [edit interfaces lsq-fpc/pic/port:channel] hierarchy level:

[edit interfaces lsq-fpc/pic/port:channel]
per-unit-scheduler;

To configure and apply the scheduling policy, include the following statements at the [edit class-of-service] hierarchy level:

[edit class-of-service]
interfaces {
    lsq-fpc/pic/port:channel {
        unit logical-unit-number {
            scheduler-map map-name;
        }
    }
}
forwarding-classes {
    queue queue-number class-name;
}
scheduler-maps {
    map-name {
        forwarding-class class-name scheduler scheduler-name;
    }
}
schedulers {
    scheduler-name {
        buffer-size (percent percentage | remainder | temporal microseconds);
        priority priority-level;
        transmit-rate (rate | percent percentage | remainder) <exact>;
    }
}

To configure packet fragmentation handling on a queue, include the fragmentation-maps statement at the [edit class-of-service] hierarchy level:

[edit class-of-service]
fragmentation-maps {
    map-name {
        forwarding-class class-name {
            fragment-threshold bytes;
        }
    }
}

For FRF.16 traffic, only multilink encapsulated (fragmented and sequenced) queues are supported. This is the default queuing behavior for all forwarding classes. FRF.16 does not allow for nonencapsulated traffic because the protocol requires that all packets carry the fragmentation header. You cannot include the no-fragmentation statement at the [edit class-of-service fragmentation-maps map-name forwarding-class class-name] hierarchy level for FRF.16 traffic.

When a packet is removed from a multilink-encapsulated queue, the software gives the packet an FRF.16 header. The FRF.16 header contains a sequence number field, which is filled with the next available sequence number from a counter. The software then places the packet on one of the N different T1 links. The link is chosen on a packet-by-packet basis to balance the load across the various T1 links. If a large packet is split into multiple fragments, the fragments must have consecutive sequential numbers.

For FRF.16, if you want to carry voice or any other latency-sensitive traffic, you should not use slow links. At T1 speeds and above, the serialization delay is small enough so that you do not need to use explicit LFI.
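As an added illustration (not part of the guide or of Junos itself), the following Python lint parses a Junos-style configuration and flags two of the FRF.16 conditions described above: a no-fragmentation statement in a fragmentation map applied to an FRF.16 channel, and a strict-high scheduler applied to a bundle with more than one link. The parse and lint functions and the sample configuration are constructed for this example.

```python
import re
# Constructed sample (not the guide's own example): a two-link FRF.16 lsq channel whose
# fragmentation map uses no-fragmentation and whose scheduler map includes a strict-high queue.
SAMPLE = """
interfaces { lsq-1/3/0:1 { encapsulation multilink-frame-relay-uni-nni;
    mlfr-uni-nni-bundle-options { minimum-links 2; } unit 0 { dlci 100; } } }
class-of-service {
    interfaces { lsq-1/3/0:1 { unit 0 { scheduler-map sched-map1; fragmentation-map fragmap-1; } } }
    fragmentation-maps { fragmap-1 { forwarding-class be { no-fragmentation; } } }
    scheduler-maps { sched-map1 { forwarding-class ef scheduler ef-scheduler; } }
    schedulers { ef-scheduler { transmit-rate percent 40; buffer-size percent 40; priority strict-high; }
                 nc-scheduler { transmit-rate percent 5; buffer-size percent 5; priority high; } }
}
"""

def parse(text):
    # Brace-structured Junos config -> nested dicts; a leaf statement maps its
    # keyword to a list of argument strings, because statements may repeat.
    toks = iter(re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", text)))
    def block():
        node, words = {}, []
        for tok in toks:
            if tok == "}":
                break
            if tok == "{":  # the words seen so far name the child block
                node[" ".join(words)], words = block(), []
            elif tok == ";":
                node.setdefault(words[0], []).append(" ".join(words[1:]))
                words = []
            else:
                words.append(tok)
        return node
    return block()

def lint(cfg):
    """Check two FRF.16 rules stated in the guidelines; return a list of findings."""
    out, cos = [], cfg.get("class-of-service", {})
    for name, lsq in cfg.get("interfaces", {}).items():
        if lsq.get("encapsulation", [""])[0] != "multilink-frame-relay-uni-nni":
            continue
        links = int(lsq.get("mlfr-uni-nni-bundle-options", {}).get("minimum-links", ["1"])[0])
        for unit, u in cos.get("interfaces", {}).get(name, {}).items():
            fmap = cos.get("fragmentation-maps", {}).get(u.get("fragmentation-map", [""])[0], {})
            if any("no-fragmentation" in fc for fc in fmap.values()):
                out.append(f"{name} {unit}: no-fragmentation is not allowed for FRF.16 traffic")
            smap = cos.get("scheduler-maps", {}).get(u.get("scheduler-map", [""])[0], {})
            for entry in smap.get("forwarding-class", []):
                sched = cos.get("schedulers", {}).get(entry.split()[-1], {})
                if links > 1 and sched.get("priority", [""])[0] == "strict-high":
                    out.append(f"{name} {unit}: strict-high {entry.split()[-1]} can starve the other queues")
    return out
```

Running lint(parse(SAMPLE)) reports both conditions; a plain PPP T1 interface produces no findings.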

If you do not include the fragment-threshold statement in the fragmentation map, ... the software splits the packet into two or more fragments, which ... FRF.16 header. Even if you do not set a maximum fragment size anywhere in the configuration, you can configure the maximum received reconstructed unit (MRRU) by including the mrru statement at the [edit interfaces lsq-fpc/pic/port unit logical-unit-number] or [edit interfaces interface-name mlfr-uni-nni-bundle-options] hierarchy level. ... the MRRU size is 1500 bytes. For more information, see “Configuring MRRU on Multilink and Link Services Logical Interfaces” on page 1242.

The N different T1 interfaces link to another router.

Example: Configuring an LSQ Interface as an NxT1 Bundle Using FRF.16

        mlfr-uni-nni-bundles 2;
    }
...
    unit 0 {
        family mlfr-uni-nni {
            bundle lsq-1/3/0:1;